watchdog: BUG: soft lockup - CPU#0 stuck for 143s! [syz.2.931:9677]
Modules linked in:
irq event stamp: 14064491
hardirqs last  enabled at (14064490): [<ffffffff8b5c1ffd>] irqentry_exit+0x5dd/0x660 kernel/entry/common.c:219
hardirqs last disabled at (14064491): [<ffffffff8b5c086e>] sysvec_apic_timer_interrupt+0xe/0xc0 arch/x86/kernel/apic/apic.c:1056
softirqs last  enabled at (13974818): [<ffffffff81858caa>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last  enabled at (13974818): [<ffffffff81858caa>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last  enabled at (13974818): [<ffffffff81858caa>] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723
softirqs last disabled at (13974821): [<ffffffff81858caa>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (13974821): [<ffffffff81858caa>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (13974821): [<ffffffff81858caa>] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723
CPU: 0 UID: 0 PID: 9677 Comm: syz.2.931 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:get_current arch/x86/include/asm/current.h:25 [inline]
RIP: 0010:write_comp_data kernel/kcov.c:245 [inline]
RIP: 0010:__sanitizer_cov_trace_const_cmp4+0x8/0x90 kernel/kcov.c:314
Code: 48 89 44 11 20 e9 48 45 9d 09 cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 8b 04 24 <65> 48 8b 14 25 08 e0 7e 92 65 8b 0d a8 29 bd 10 81 e1 00 01 ff 00
RSP: 0018:ffffc900000070b0 EFLAGS: 00000246
RAX: ffffffff84422ee3 RBX: ffffc900000072f4 RCX: ffff88802ff85b80
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff88802ff85b80 R09: 0000000000000002
R10: 000000000000003a R11: 0000000000000100 R12: ffff888027e563c0
R13: ffff88806e25a140 R14: ffff88806e25a140 R15: 1ffff92000000e24
FS:  00007eff0ffd06c0(0000) GS:ffff888125e32000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fef6f319000 CR3: 000000004e2ce000 CR4: 00000000003526f0
DR0: 0000200000000100 DR1: 0000200000000100 DR2: 0000200000000240
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 security_xfrm_decode_session+0xa3/0x2c0 security/security.c:4989
 __xfrm_decode_session+0x712/0xb80 net/xfrm/xfrm_policy.c:3536
 xfrm_decode_session include/net/xfrm.h:1337 [inline]
 vti6_tnl_xmit+0x442/0x1ae0 net/ipv6/ip6_vti.c:-1
 __netdev_start_xmit include/linux/netdevice.h:5273 [inline]
 netdev_start_xmit include/linux/netdevice.h:5282 [inline]
 xmit_one net/core/dev.c:3853 [inline]
 dev_hard_start_xmit+0x2cd/0x800 net/core/dev.c:3869
 __dev_queue_xmit+0x1493/0x3140 net/core/dev.c:4817
 neigh_output include/net/neighbour.h:556 [inline]
 ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
 NF_HOOK_COND include/linux/netfilter.h:307 [inline]
 ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
 NF_HOOK include/linux/netfilter.h:318 [inline]
 ndisc_send_skb+0xbce/0x1510 net/ipv6/ndisc.c:512
 addrconf_rs_timer+0x369/0x6a0 net/ipv6/addrconf.c:4037
 call_timer_fn+0x16e/0x590 kernel/time/timer.c:1748
 expire_timers kernel/time/timer.c:1799 [inline]
 __run_timers kernel/time/timer.c:2373 [inline]
 __run_timer_base+0x61a/0x860 kernel/time/timer.c:2385
 run_timer_base kernel/time/timer.c:2394 [inline]
 run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2404
 handle_softirqs+0x27d/0x850 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:preempt_schedule_irq+0xb0/0x150 kernel/sched/core.c:7190
Code: 24 20 f6 44 24 21 02 74 0c 90 0f 0b 48 f7 03 10 00 00 00 74 64 bf 01 00 00 00 e8 8b c6 33 f6 e8 26 44 6c f6 fb bf 01 00 00 00 <e8> 1b a8 ff ff 48 c7 44 24 40 00 00 00 00 9c 8f 44 24 40 8b 44 24
RSP: 0018:ffffc900040afa00 EFLAGS: 00000286
RAX: 93b08c2adb0f7200 RBX: 0000000000000000 RCX: 93b08c2adb0f7200
RDX: 0000000000000000 RSI: ffffffff8d792e98 RDI: 0000000000000001
RBP: ffffc900040afaa0 R08: ffffffff8f822477 R09: 1ffffffff1f0448e
R10: dffffc0000000000 R11: fffffbfff1f0448f R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff92000815f40
 irqentry_exit+0x5d8/0x660 kernel/entry/common.c:216
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
RIP: 0010:atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline]
RIP: 0010:__refcount_sub_and_test include/linux/refcount.h:389 [inline]
RIP: 0010:__refcount_dec_and_test include/linux/refcount.h:432 [inline]
RIP: 0010:refcount_dec_and_test include/linux/refcount.h:450 [inline]
RIP: 0010:put_task_struct include/linux/sched/task.h:130 [inline]
RIP: 0010:wake_up_q+0x8c/0xd0 kernel/sched/core.c:1088
Code: df e8 d8 3c 97 00 48 8d bb 70 f5 ff ff 4c 8b 23 48 c7 03 00 00 00 00 be 03 00 00 00 31 d2 e8 4b a4 00 00 4c 8d b3 98 f5 ff ff <4c> 89 f7 be 04 00 00 00 e8 47 3f 97 00 b8 ff ff ff ff f0 0f c1 83
RSP: 0018:ffffc900040afbb8 EFLAGS: 00000292
RAX: 0000000000000001 RBX: ffff8880302d8a90 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8d792e98 RDI: 00000000ffffffff
RBP: ffffc900040afcf0 R08: ffffffff8f822477 R09: 1ffffffff1f0448e
R10: dffffc0000000000 R11: fffffbfff1f0448f R12: 0000000000000001
R13: 0000000000000001 R14: ffff8880302d8028 R15: dffffc0000000000
 futex_wake+0x4a0/0x560 kernel/futex/waitwake.c:198
 do_futex+0x395/0x420 kernel/futex/syscalls.c:135
 __do_sys_futex kernel/futex/syscalls.c:207 [inline]
 __se_sys_futex+0x36f/0x400 kernel/futex/syscalls.c:188
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7eff0f18f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007eff0ffd00e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007eff0f3e5fa8 RCX: 00007eff0f18f749
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007eff0f3e5fac
RBP: 00007eff0f3e5fa0 R08: 3fffffffffffffff R09: 0000000000000000
R10: 000000000000000f R11: 0000000000000246 R12: 0000000000000000
R13: 00007eff0f3e6038 R14: 00007ffde8f16a00 R15: 00007ffde8f16ae8
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 5837 Comm: kworker/u9:3 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: hci0 hci_cmd_timeout
RIP: 0010:format_decode+0x3f3/0xe10 lib/vsprintf.c:2739
Code: 00 00 e8 60 a8 69 f6 4c 8b 6c 24 08 48 ba 00 00 00 00 00 fc ff df 4d 8d 65 01 4c 89 e0 48 c1 e8 03 48 89 44 24 20 0f b6 04 10 <84> c0 0f 85 5c 05 00 00 41 c6 04 24 0a 48 89 e8 48 c1 e8 03 0f b6
RSP: 0018:ffffc9000418eef0 EFLAGS: 00000a06
RAX: 0000000000000000 RBX: 0000000000000073 RCX: ffff88807e281e80
RDX: dffffc0000000000 RSI: 0000000000000073 RDI: 000000000000002e
RBP: ffffffff8b6bb903 R08: ffff88807e281e80 R09: 0000000000000002
R10: 0000000000000025 R11: 0000000000000000 R12: ffffc9000418ef99
R13: ffffc9000418ef98 R14: 0000000000000006 R15: ffffffff8b6bb903
FS:  0000000000000000(0000) GS:ffff888125f32000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000560d4f3b2a38 CR3: 0000000075e8a000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000200000000100 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 <TASK>
 vsnprintf+0x102/0xee0 lib/vsprintf.c:2889
 sprintf+0xd9/0x120 lib/vsprintf.c:3110
 print_caller kernel/printk/printk.c:1368 [inline]
 info_print_prefix+0x1f3/0x310 kernel/printk/printk.c:1385
 record_print_text+0x154/0x420 kernel/printk/printk.c:1432
 printk_get_next_message+0x26d/0x7b0 kernel/printk/printk.c:3018
 console_emit_next_record kernel/printk/printk.c:3083 [inline]
 console_flush_one_record kernel/printk/printk.c:3215 [inline]
 console_flush_all+0x514/0xb60 kernel/printk/printk.c:3289
 __console_flush_and_unlock kernel/printk/printk.c:3319 [inline]
 console_unlock+0xbb/0x190 kernel/printk/printk.c:3359
 vprintk_emit+0x4f8/0x5f0 kernel/printk/printk.c:2426
 _printk+0xcf/0x120 kernel/printk/printk.c:2451
 bt_err+0x10b/0x160 net/bluetooth/lib.c:296
 hci_cmd_timeout+0xd8/0x1e0 net/bluetooth/hci_core.c:1469
 process_one_work kernel/workqueue.c:3257 [inline]
 process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>