watchdog: BUG: soft lockup - CPU#1 stuck for 143s! [syz.9.524:9328]
Modules linked in:
irq event stamp: 10844517
hardirqs last enabled at (10844516): [] irqentry_exit+0x59c/0x620 kernel/entry/common.c:219
hardirqs last disabled at (10844517): [] sysvec_apic_timer_interrupt+0xe/0xc0 arch/x86/kernel/apic/apic.c:1056
softirqs last enabled at (2339232): [] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (2339232): [] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (2339232): [] __irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723
softirqs last disabled at (2339235): [] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (2339235): [] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (2339235): [] __irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723
CPU: 1 UID: 0 PID: 9328 Comm: syz.9.524 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
RIP: 0010:its_return_thunk+0x0/0x10 arch/x86/lib/retpoline.S:417
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 e9 9b bf b7 f5 cc
RSP: 0000:ffffc90000a07e50 EFLAGS: 00000202
RAX: ffffffff8186220a RBX: ffffc90000a08f38 RCX: 1ffff92000140f01
RDX: ffffffff90637930 RSI: 0000000000000002 RDI: ffffc90000a08f38
RBP: 1ffff92000140fe6 R08: 0000000000000001 R09: ffffffff8e35a360
R10: ffffc90000a07bc0 R11: ffffffffa020874c R12: ffffc90000a09000
R13: 1ffff92000140fe7 R14: ffffc90000a07f28 R15: ffffc90000a01000
FS: 00007fa0bf0866c0(0000) GS:ffff888125a28000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b33d24000 CR3: 00000000776b0000 CR4: 00000000003526f0
DR0: 0000200000000300 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff1 DR7: 0000000000000600
Call Trace:
 deref_stack_reg arch/x86/kernel/unwind_orc.c:422 [inline]
 unwind_next_frame+0xe52/0x23c0 arch/x86/kernel/unwind_orc.c:600
 arch_stack_walk+0x11b/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0xa9/0x100 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5657 [inline]
 __kmalloc_noprof+0x40c/0x7e0 mm/slub.c:5669
 kmalloc_noprof include/linux/slab.h:961 [inline]
 kzalloc_noprof include/linux/slab.h:1094 [inline]
 cfg80211_inform_single_bss_data+0x934/0x1ab0 net/wireless/scan.c:2345
 cfg80211_inform_bss_data+0x233/0x3bb0 net/wireless/scan.c:3228
 cfg80211_inform_bss_frame_data+0x3c7/0x710 net/wireless/scan.c:3319
 ieee80211_bss_info_update+0x794/0xa40 net/mac80211/scan.c:230
 ieee80211_scan_rx+0x552/0xa40 net/mac80211/scan.c:364
 __ieee80211_rx_handle_packet net/mac80211/rx.c:5287 [inline]
 ieee80211_rx_list+0x2508/0x3050 net/mac80211/rx.c:5544
 ieee80211_rx_napi+0x1b1/0x3e0 net/mac80211/rx.c:5567
 ieee80211_rx include/net/mac80211.h:5216 [inline]
 ieee80211_handle_queued_frames+0xe8/0x1e0 net/mac80211/main.c:452
 tasklet_action_common+0x2da/0x4b0 kernel/softirq.c:925
 handle_softirqs+0x22a/0x7c0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:memcg_rstat_updated+0xd5/0x220 mm/memcontrol.c:-1
Code: ff 48 8b 1b 4a 8d 2c 2b 48 83 c5 10 49 89 ee 49 c1 ee 03 4d 89 fc 43 80 3c 3e 00 74 08 48 89 ef e8 40 02 f8 ff 48 89 6c 24 10 <4c> 8b 7d 00 b8 a8 06 00 00 49 01 c7 4c 89 ff be 04 00 00 00 e8 92
RSP: 0000:ffffc90003f4f8b0 EFLAGS: 00000246
RAX: 1ffffffff1baf9bb RBX: ffff888125a28000 RCX: 0000000080000002
RDX: ffffc90020405000 RSI: ffffffff8be73860 RDI: ffffffff8be73820
RBP: ffffe8ffffd3d490 R08: ffffffff8231a21f R09: ffffffff8e35a360
R10: ffffc90003f4f6c0 R11: ffffffffa020874c R12: dffffc0000000000
R13: 0000607eda315480 R14: 1ffffd1ffffa7a92 R15: dffffc0000000000
 mod_memcg_lruvec_state+0x16f/0x320 mm/memcontrol.c:753
 mod_lruvec_state mm/memcontrol.c:777 [inline]
 lruvec_stat_mod_folio+0x196/0x2d0 mm/memcontrol.c:797
 __folio_mod_stat+0x6b/0x1c0 mm/rmap.c:1215
 folio_add_new_anon_rmap+0x68f/0x1a10 mm/rmap.c:1575
 wp_page_copy mm/memory.c:3789 [inline]
 do_wp_page+0x1bf9/0x57b0 mm/memory.c:4183
 handle_pte_fault mm/memory.c:6292 [inline]
 __handle_mm_fault mm/memory.c:6414 [inline]
 handle_mm_fault+0x1520/0x32a0 mm/memory.c:6583
 do_user_addr_fault+0xa73/0x1360 arch/x86/mm/fault.c:1334
 handle_page_fault arch/x86/mm/fault.c:1474 [inline]
 exc_page_fault+0x6a/0xc0 arch/x86/mm/fault.c:1527
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x7fa0be0612af
Code: 3d 48 44 ee 00 00 0f b6 35 3e 44 ee 00 75 0e 80 3d 39 44 ee 00 00 75 05 40 84 f6 74 0a 31 d2 4c 89 ef e8 54 f6 fe ff 48 89 ef 2c fa ff ff 8b 45 0c 85 c0 75 26 48 8d 75 0c b9 40 42 0f 00 ba
RSP: 002b:00007fa0bf0860f0 EFLAGS: 00010246
RAX: 0000000000000001 RBX: 00007fa0be415fa8 RCX: 00007fa0be19acb9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fa0be415fa0
RBP: 00007fa0be415fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa0be416038 R14: 00007ffe30cbc390 R15: 00007ffe30cbc478
Sending NMI from CPU 1 to CPUs 0:
net_ratelimit: 2310 callbacks suppressed
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 7087 Comm: kworker/u8:23 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:number+0x293/0xf80 lib/vsprintf.c:507
Code: 24 28 ba 18 00 00 00 48 8d bc 24 80 00 00 00 31 f6 e8 51 f2 b4 f6 41 0f b6 df 4c 89 ef 48 89 de e8 12 ed 4d f6 49 39 dd 73 46 a8 ea 4d f6 49 8d 9d a0 8d e6 8b 48 89 d8 48 c1 e8 03 48 b9 00
RSP: 0018:ffffc90000006880 EFLAGS: 00000293
RAX: ffffffff8b74ae3e RBX: 000000000000000a RCX: ffff888056325b80
RDX: 0000000000000100 RSI: 000000000000000a RDI: 0000000000000001
RBP: ffffc900000069a0 R08: ffffc90000006917 R09: 0000000000000000
R10: ffffc90000006900 R11: fffff52000000d23 R12: 0000000000000001
R13: 0000000000000001 R14: ffffc90000006b81 R15: 00ffffffffffff0a
FS: 0000000000000000(0000) GS:ffff888125928000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f349ad77990 CR3: 0000000047ee2000 CR4: 00000000003526f0
DR0: 0000200000000300 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000200000000300 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 vsnprintf+0x8e5/0xee0 lib/vsprintf.c:2911
 snprintf+0xe8/0x140 lib/vsprintf.c:3041
 print_caller kernel/printk/printk.c:1366 [inline]
 info_print_prefix+0x1fd/0x360 kernel/printk/printk.c:1385
 record_print_text+0x176/0x450 kernel/printk/printk.c:1432
 printk_get_next_message+0x29c/0x880 kernel/printk/printk.c:3018
 console_emit_next_record kernel/printk/printk.c:3083 [inline]
 console_flush_one_record kernel/printk/printk.c:3215 [inline]
 console_flush_all+0x501/0xb20 kernel/printk/printk.c:3289
 __console_flush_and_unlock kernel/printk/printk.c:3319 [inline]
 console_unlock+0xd1/0x1c0 kernel/printk/printk.c:3359
 vprintk_emit+0x485/0x560 kernel/printk/printk.c:2426
 _printk+0xdd/0x130 kernel/printk/printk.c:2451
 br_fdb_update+0x62d/0x690 net/bridge/br_fdb.c:1003
 br_handle_frame_finish+0x573/0x1b40 net/bridge/br_input.c:144
 br_nf_hook_thresh+0x3dd/0x4c0 net/bridge/br_netfilter_hooks.c:-1
 br_nf_pre_routing_finish_ipv6+0xa3a/0xd70 net/bridge/br_netfilter_ipv6.c:-1
 NF_HOOK include/linux/netfilter.h:318 [inline]
 br_nf_pre_routing_ipv6+0x374/0x6f0 net/bridge/br_netfilter_ipv6.c:184
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:291 [inline]
 br_handle_frame+0x989/0x1520 net/bridge/br_input.c:442
 __netif_receive_skb_core+0x98f/0x30a0 net/core/dev.c:6039
 __netif_receive_skb_one_core net/core/dev.c:6150 [inline]
 __netif_receive_skb+0x72/0x370 net/core/dev.c:6265
 process_backlog+0x54e/0x1340 net/core/dev.c:6617
 __napi_poll+0xae/0x320 net/core/dev.c:7681
 napi_poll net/core/dev.c:7744 [inline]
 net_rx_action+0x696/0xe30 net/core/dev.c:7896
 handle_softirqs+0x22a/0x7c0 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 cfg80211_inform_single_bss_data+0x13b9/0x1ab0 net/wireless/scan.c:2389
 cfg80211_inform_bss_data+0x233/0x3bb0 net/wireless/scan.c:3228
 cfg80211_inform_bss_frame_data+0x3c7/0x710 net/wireless/scan.c:3319
 ieee80211_bss_info_update+0x794/0xa40 net/mac80211/scan.c:230
 ieee80211_rx_bss_info net/mac80211/ibss.c:1094 [inline]
 ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1575 [inline]
 ieee80211_ibss_rx_queued_mgmt+0x1901/0x2c80 net/mac80211/ibss.c:1602
 ieee80211_iface_process_skb net/mac80211/iface.c:1740 [inline]
 ieee80211_iface_work+0x85e/0x12b0 net/mac80211/iface.c:1794
 cfg80211_wiphy_work+0x2ab/0x450 net/wireless/core.c:438
 process_one_work kernel/workqueue.c:3257 [inline]
 process_scheduled_works+0xaec/0x17a0 kernel/workqueue.c:3340
 worker_thread+0x89f/0xd90 kernel/workqueue.c:3421
 kthread+0x726/0x8b0 kernel/kthread.c:463
 ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
bridge0: received packet on veth0_to_bridge with own address as source address (addr:6a:b9:b0:15:de:05, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:6a:b9:b0:15:de:05, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
net_ratelimit: 1594 callbacks suppressed
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:6a:b9:b0:15:de:05, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:6a:b9:b0:15:de:05, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:6a:b9:b0:15:de:05, vlan:0)