watchdog: BUG: soft lockup - CPU#1 stuck for 118s! [syz.1.885:9415]
Modules linked in:
irq event stamp: 12038169
hardirqs last  enabled at (12038168): [<ffffffff8b46ec14>] irqentry_exit+0x74/0x90 kernel/entry/common.c:214
hardirqs last disabled at (12038169): [<ffffffff8b46d84e>] sysvec_apic_timer_interrupt+0xe/0xc0 arch/x86/kernel/apic/apic.c:1052
softirqs last  enabled at (11326402): [<ffffffff8184cefa>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last  enabled at (11326402): [<ffffffff8184cefa>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last  enabled at (11326402): [<ffffffff8184cefa>] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723
softirqs last disabled at (11326405): [<ffffffff8184cefa>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (11326405): [<ffffffff8184cefa>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (11326405): [<ffffffff8184cefa>] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723
CPU: 1 UID: 0 PID: 9415 Comm: syz.1.885 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:__orc_find arch/x86/kernel/unwind_orc.c:109 [inline]
RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:227 [inline]
RIP: 0010:unwind_next_frame+0x2b4/0x2390 arch/x86/kernel/unwind_orc.c:494
Code: 00 00 fc ff df 0f 84 03 02 00 00 4a 8d 14 ad 00 78 8a 8f 45 29 e8 4a 8d 1c 82 48 83 c3 fc 49 89 d5 48 39 da 0f 86 1c 10 00 00 <49> 29 d5 e9 80 00 00 00 31 db e9 eb 16 00 00 49 81 fc 00 50 de 90
RSP: 0018:ffffc90000a06db8 EFLAGS: 00000212
RAX: ffffffff8f90dfb8 RBX: ffffffff8f90dfbc RCX: ffffffff8f90dfc0
RDX: ffffffff8f90dfac RSI: ffffffff900b8b16 RDI: ffffffff8bbf0e00
RBP: ffffffff8f90dfc0 R08: 0000000000000005 R09: ffffffff81738c45
R10: ffffc90000a06b60 R11: ffffffff81ac31b0 R12: ffffffff8184cef9
R13: ffffffff8f90dfbc R14: ffffc90000a06e88 R15: ffffffff8f90dfbc
FS:  00007f0b929ab6c0(0000) GS:ffff888126238000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000006315c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000200000000300 DR2: 0000200000000300
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
 kasan_save_free_info mm/kasan/kasan.h:406 [inline]
 poison_slab_object mm/kasan/common.c:252 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284
 kasan_slab_free include/linux/kasan.h:234 [inline]
 slab_free_hook mm/slub.c:2543 [inline]
 slab_free mm/slub.c:6642 [inline]
 kmem_cache_free+0x19b/0x690 mm/slub.c:6752
 skb_release_all net/core/skbuff.c:1150 [inline]
 __kfree_skb net/core/skbuff.c:1166 [inline]
 sk_skb_reason_drop+0xe9/0x170 net/core/skbuff.c:1204
 kfree_skb_reason include/linux/skbuff.h:1322 [inline]
 dev_kfree_skb_any_reason+0x111/0x120 net/core/dev.c:3442
 dev_kfree_skb_any include/linux/netdevice.h:4169 [inline]
 team_dummy_transmit+0x1a/0x30 drivers/net/team/team_core.c:503
 team_xmit+0x2e9/0x490 drivers/net/team/team_core.c:1732
 __netdev_start_xmit include/linux/netdevice.h:5248 [inline]
 netdev_start_xmit include/linux/netdevice.h:5257 [inline]
 xmit_one net/core/dev.c:3845 [inline]
 dev_hard_start_xmit+0x2d7/0x830 net/core/dev.c:3861
 __dev_queue_xmit+0x1b99/0x3b90 net/core/dev.c:4763
 dev_queue_xmit include/linux/netdevice.h:3365 [inline]
 br_dev_queue_push_xmit+0x6c5/0x890 net/bridge/br_forward.c:53
 NF_HOOK+0x61b/0x6b0 include/linux/netfilter.h:318
 br_nf_post_routing+0xb66/0xfe0 net/bridge/br_netfilter_hooks.c:966
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_slow+0xc5/0x220 net/netfilter/core.c:623
 nf_hook include/linux/netfilter.h:273 [inline]
 NF_HOOK+0x215/0x3c0 include/linux/netfilter.h:316
 br_forward_finish+0xd3/0x130 net/bridge/br_forward.c:66
 br_nf_hook_thresh net/bridge/br_netfilter_hooks.c:-1 [inline]
 br_nf_forward_finish+0xa40/0xe60 net/bridge/br_netfilter_hooks.c:662
 NF_HOOK+0x61b/0x6b0 include/linux/netfilter.h:318
 br_nf_forward_ip+0x647/0x7e0 net/bridge/br_netfilter_hooks.c:716
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_slow+0xc5/0x220 net/netfilter/core.c:623
 nf_hook include/linux/netfilter.h:273 [inline]
 NF_HOOK+0x215/0x3c0 include/linux/netfilter.h:316
 __br_forward+0x41e/0x600 net/bridge/br_forward.c:115
 br_handle_frame_finish+0x15a3/0x1c90 net/bridge/br_input.c:229
 br_nf_hook_thresh+0x3c6/0x4a0 net/bridge/br_netfilter_hooks.c:-1
 br_nf_pre_routing_finish_ipv6+0x999/0xd60 net/bridge/br_netfilter_ipv6.c:-1
 NF_HOOK include/linux/netfilter.h:318 [inline]
 br_nf_pre_routing_ipv6+0x37e/0x6b0 net/bridge/br_netfilter_ipv6.c:184
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:291 [inline]
 br_handle_frame+0x96e/0x14f0 net/bridge/br_input.c:442
 __netif_receive_skb_core+0x10b9/0x4390 net/core/dev.c:5966
 __netif_receive_skb_one_core net/core/dev.c:6077 [inline]
 __netif_receive_skb+0x72/0x380 net/core/dev.c:6192
 process_backlog+0x60e/0x14f0 net/core/dev.c:6544
 __napi_poll+0xc7/0x360 net/core/dev.c:7594
 napi_poll net/core/dev.c:7657 [inline]
 net_rx_action+0x5f7/0xdf0 net/core/dev.c:7784
 handle_softirqs+0x286/0x870 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:check_kcov_mode kernel/kcov.c:185 [inline]
RIP: 0010:write_comp_data kernel/kcov.c:246 [inline]
RIP: 0010:__sanitizer_cov_trace_switch+0xb3/0x130 kernel/kcov.c:351
Code: 77 4e 8b 54 ce 10 65 44 8b 1d 39 73 ae 10 41 81 e3 00 01 ff 00 74 13 41 81 fb 00 01 00 00 75 d9 41 83 b8 7c 16 00 00 00 74 cf <45> 8b 98 58 16 00 00 41 83 fb 03 75 c2 4d 8b 98 60 16 00 00 45 8b
RSP: 0018:ffffc900044cef88 EFLAGS: 00000246
RAX: 0000000000000020 RBX: ffff88801d2c00d8 RCX: 0000000000000005
RDX: ffffffff81c3eef0 RSI: ffffffff8df93e90 RDI: 0000000000000004
RBP: 0000003f23ab9dff R08: ffff88802d190000 R09: 000000000000001f
R10: 000000000000001f R11: 0000000000000000 R12: ffff88801d2c0010
R13: 0000000000000004 R14: 00000000053b2764 R15: 00000000000000c8
 rb_read_data_buffer+0x110/0x580 kernel/trace/ring_buffer.c:1827
 check_buffer+0x28a/0x750 kernel/trace/ring_buffer.c:4394
 __rb_reserve_next+0x592/0xdb0 kernel/trace/ring_buffer.c:4493
 rb_reserve_next_event kernel/trace/ring_buffer.c:4630 [inline]
 ring_buffer_lock_reserve+0xbb5/0x1010 kernel/trace/ring_buffer.c:4689
 __trace_buffer_lock_reserve kernel/trace/trace.c:1081 [inline]
 trace_event_buffer_lock_reserve+0x1d0/0x6f0 kernel/trace/trace.c:2799
 trace_event_buffer_reserve+0x248/0x340 kernel/trace/trace_events.c:672
 do_trace_event_raw_event_bpf_trace_printk kernel/trace/bpf_trace.h:11 [inline]
 trace_event_raw_event_bpf_trace_printk+0x100/0x260 kernel/trace/bpf_trace.h:11
 __traceiter_bpf_trace_printk+0x74/0xc0 kernel/trace/bpf_trace.h:11
 __do_trace_bpf_trace_printk kernel/trace/bpf_trace.h:11 [inline]
 trace_bpf_trace_printk+0x170/0x1d0 kernel/trace/bpf_trace.h:11
 ____bpf_trace_printk kernel/trace/bpf_trace.c:379 [inline]
 bpf_trace_printk+0x11e/0x190 kernel/trace/bpf_trace.c:362
 bpf_prog_930ede9872f2967c+0x3e/0x44
 bpf_dispatcher_nop_func include/linux/bpf.h:1376 [inline]
 __bpf_prog_run include/linux/filter.h:723 [inline]
 bpf_prog_run include/linux/filter.h:730 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2075 [inline]
 bpf_trace_run2+0x284/0x4c0 kernel/trace/bpf_trace.c:2116
 __bpf_trace_contention_begin+0xdc/0x130 include/trace/events/lock.h:95
 __do_trace_contention_begin include/trace/events/lock.h:95 [inline]
 trace_contention_begin+0xf4/0x120 include/trace/events/lock.h:95
 __mutex_lock_common kernel/locking/mutex.c:600 [inline]
 __mutex_lock+0x198/0x1350 kernel/locking/mutex.c:760
 perf_event_exit_task+0xaa/0x390 kernel/events/core.c:14183
 do_exit+0x643/0x2300 kernel/exit.c:952
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1107
 get_signal+0x1285/0x1340 kernel/signal.c:3034
 arch_do_signal_or_restart+0xa0/0x790 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x72/0x130 kernel/entry/common.c:40
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0b91b8f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0b929ab038 EFLAGS: 00000246 ORIG_RAX: 0000000000000035
RAX: 0000000000000000 RBX: 00007f0b91de6090 RCX: 00007f0b91b8f749
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
RBP: 00007f0b91c13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000200000000200 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f0b91de6128 R14: 00007f0b91de6090 R15: 00007ffe677ad968
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 31 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:move_right+0x89/0xa0 lib/vsprintf.c:-1
Code: e8 9c 97 7c f6 5b 41 5c 41 5e 41 5f 5d e9 4f 56 06 00 cc e8 89 97 7c f6 eb 08 e8 82 97 7c f6 4d 89 f7 48 89 df be 20 00 00 00 <4c> 89 fa 5b 41 5c 41 5e 41 5f 5d e9 87 ad e2 f6 0f 1f 80 00 00 00
RSP: 0018:ffffc90000a772a0 EFLAGS: 00000246
RAX: ffffc90000a775f3 RBX: ffffc90000a775ef RCX: ffffffff8b436f3d
RDX: 0000000000000002 RSI: 0000000000000020 RDI: ffffc90000a775ef
RBP: 0000000000000002 R08: ffffc90000a775f1 R09: 1ffff9200014eebe
R10: dffffc0000003143 R11: fffff52000143143 R12: 000000007ffffffa
R13: 0000000000000000 R14: 0000000000000004 R15: 0000000000000004
FS:  0000000000000000(0000) GS:ffff888126138000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000006315c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 <TASK>
 widen_string+0x85/0x2a0 lib/vsprintf.c:634
 vsnprintf+0x739/0xf00 lib/vsprintf.c:2926
 sprintf+0xd9/0x120 lib/vsprintf.c:3089
 print_caller kernel/printk/printk.c:1365 [inline]
 info_print_prefix+0x1f3/0x310 kernel/printk/printk.c:1382
 record_print_text+0x154/0x420 kernel/printk/printk.c:1429
 printk_get_next_message+0x26d/0x7b0 kernel/printk/printk.c:2997
 console_emit_next_record kernel/printk/printk.c:3065 [inline]
 console_flush_all+0x4ca/0xb10 kernel/printk/printk.c:3199
 __console_flush_and_unlock kernel/printk/printk.c:3258 [inline]
 console_unlock+0xbb/0x190 kernel/printk/printk.c:3298
 vprintk_emit+0x4c5/0x590 kernel/printk/printk.c:2423
 _printk+0xcf/0x120 kernel/printk/printk.c:2448
 check_hung_task kernel/hung_task.c:247 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:323 [inline]
 watchdog+0xaf8/0xfa0 kernel/hung_task.c:495
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>