syzbot


ID: db2ca8a4-9b7d-4a7a-8d60-47ce45309cfc
Workflow: repro
Result:
Correct:
Bug: INFO: task hung in __tun_chr_ioctl (7)
Created: 2026/03/08 08:00
Started: 2026/03/08 08:00
Finished: 2026/03/08 08:11
Revision: 31e9c887f7dc24e04b3ca70d0d54fc34141844b0
Error:


ReproOpts:
{"threaded":true,"collide":true,"repeat":true,"procs":1,"sandbox":"namespace","fault_call":-1,"fault_nth":0}


ReproSyz:
r0 = socket(0x10, 0x3, 0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0)
ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000040)={'tun0\x00', 0x1002})
sendmsg(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000000)={0x3c, 0x10, 0x605, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x3, "wg0\x00"}, {0x14, 0x12, {{0xe, 0x1, "wireguard\x00"}}}}}, 0x1, 0x0, 0x0, 0x0}, 0x20040084)
ioctl$SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000080)={'wg0\x00', 0x1})
ioctl$SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000a0)={'tun0\x00', 0x1})


SyzkallerCommit:
31e9c887f7dc24e04b3ca70d0d54fc34141844b0

Crash report:
INFO: task syz.0.244:6909 blocked for more than 143 seconds.
      Tainted: G             L      syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.244       state:D stack:28152 pid:6909  tgid:6908  ppid:5846   task_flags:0x400040 flags:0x00080002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5256 [inline]
 __schedule+0x14bc/0x5000 kernel/sched/core.c:6863
 __schedule_loop kernel/sched/core.c:6945 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6960
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7017
 __mutex_lock_common kernel/locking/mutex.c:692 [inline]
 __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:776
 __tun_chr_ioctl+0x37a/0x1df0 drivers/net/tun.c:3078
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f013278f749
RSP: 002b:00007f01336cc038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f01329e5fa0 RCX: 00007f013278f749
RDX: 0000200000000040 RSI: 00000000400454ca RDI: 0000000000000003
RBP: 00007f0132813f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f01329e6038 R14: 00007f01329e5fa0 R15: 00007f0132b0fa28
 </TASK>
INFO: task syz.0.244:6911 blocked for more than 143 seconds.
      Tainted: G             L      syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.244       state:D stack:27608 pid:6911  tgid:6908  ppid:5846   task_flags:0x400140 flags:0x00080002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5256 [inline]
 __schedule+0x14bc/0x5000 kernel/sched/core.c:6863
 __schedule_loop kernel/sched/core.c:6945 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6960
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7017
 __mutex_lock_common kernel/locking/mutex.c:692 [inline]
 __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:776
 rtnl_lock net/core/rtnetlink.c:80 [inline]
 rtnetlink_rcv_msg+0x71c/0xb70 net/core/rtnetlink.c:6964
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:742
 ____sys_sendmsg+0x505/0x820 net/socket.c:2592
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2681
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f013278f749
RSP: 002b:00007f01336ab038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f01329e6090 RCX: 00007f013278f749
RDX: 0000000020040084 RSI: 00002000000000c0 RDI: 0000000000000004
RBP: 00007f0132813f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f01329e6128 R14: 00007f01329e6090 R15: 00007f0132b0fa28
 </TASK>

Showing all locks held in the system:
1 lock held by kthreadd/2:
4 locks held by kworker/0:0/9:
4 locks held by kworker/u8:0/12:
4 locks held by kworker/u8:1/13:
1 lock held by khungtaskd/31:
 #0: ffffffff8df419e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8df419e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #0: ffffffff8df419e0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775
3 locks held by kworker/u8:2/36:
 #0: ffff88814d9db148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
 #0: ffff88814d9db148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770 kernel/workqueue.c:3340
 #1: ffffc90000ac7b80 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
 #1: ffffc90000ac7b80 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770 kernel/workqueue.c:3340
 #2: ffffffff8f311b48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
 #2: ffffffff8f311b48 (rtnl_mutex){+.+.}-{4:4}, at: addrconf_verify_work+0x19/0x30 net/ipv6/addrconf.c:4734
4 locks held by kworker/u8:3/50:
4 locks held by kworker/u8:4/60:
5 locks held by kworker/1:2/888:
4 locks held by kworker/u8:5/1027:
 #0: ffff888032aa9948 ((wq_completion)wg-kex-wg1#7){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
 #0: ffff888032aa9948 ((wq_completion)wg-kex-wg1#7){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770 kernel/workqueue.c:3340
 #1: ffffc9000408fb80 ((work_completion)(&peer->transmit_handshake_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
 #1: ffffc9000408fb80 ((work_completion)(&peer->transmit_handshake_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770 kernel/workqueue.c:3340
 #2: ffff888077b7d308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_create_initiation+0x105/0x750 drivers/net/wireguard/noise.c:529
 #3: ffff888058d4f030 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_create_initiation+0x116/0x750 drivers/net/wireguard/noise.c:530
8 locks held by kworker/u8:6/1134:
3 locks held by kworker/u8:7/1146:
3 locks held by kworker/u8:8/1306:
3 locks held by kworker/u8:9/1339:
3 locks held by kworker/u8:10/2124:
3 locks held by kworker/R-krdsd/3397:
3 locks held by kworker/u8:11/3486:
3 locks held by kworker/u8:12/3500:
4 locks held by kworker/u8:13/3830:
2 locks held by kworker/u8:14/4539:
3 locks held by kworker/u8:15/4586:
1 lock held by klogd/5190:
2 locks held by udevd/5201:
2 locks held by dhcpcd/5495:
1 lock held by dhcpcd/5496:
3 locks held by crond/5573:
2 locks held by getty/5586:
 #0: ffff8880342250a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc9000332e2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x449/0x1460 drivers/tty/n_tty.c:2211
2 locks held by syz-executor/5817:
2 locks held by udevd/5827:
3 locks held by kworker/0:4/5833:
2 locks held by syz-executor/5847:
1 lock held by syz-executor/5848:
4 locks held by syz-executor/5849:
4 locks held by kworker/1:3/5886:
 #0: ffff88807d561148 ((wq_completion)wg-kex-wg2#6){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
 #0: ffff88807d561148 ((wq_completion)wg-kex-wg2#6){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770 kernel/workqueue.c:3340
 #1: ffffc900043afb80 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __ptr = (unsigned long) ((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker)))); (typeof((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
 #1: ffffc900043afb80 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __ptr = (unsigned long) ((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker)))); (typeof((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770 kernel/workqueue.c:3340
 #2: ffff888077b79308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_response+0x1c7/0xab0 drivers/net/wireguard/noise.c:742
 #3: ffff888058d4d278 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_response+0x262/0xab0 drivers/net/wireguard/noise.c:753
2 locks held by kworker/1:5/5894:
3 locks held by kworker/1:6/5901:
3 locks held by kworker/0:5/5914:
 #0: ffff88813ff16948 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
 #0: ffff88813ff16948 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770 kernel/workqueue.c:3340
 #1: ffffc9000458fb80 ((reg_check_chans).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
 #1: ffffc9000458fb80 ((reg_check_chans).work){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770 kernel/workqueue.c:3340
 #2: ffffffff8f311b48 (rtnl_mutex){+.+.}-{4:4}, at: reg_check_chans_work+0xa1/0xf00 net/wireless/reg.c:2453
3 locks held by kworker/u8:16/5947:
4 locks held by kworker/0:9/5953:
3 locks held by kworker/u8:17/5965:
2 locks held by kworker/u8:18/5975:
 #0: ffff88802069d148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
 #0: ffff88802069d148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770 kernel/workqueue.c:3340
 #1: ffffc9000461fb80 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
 #1: ffffc9000461fb80 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770 kernel/workqueue.c:3340
2 locks held by kworker/u8:19/6276:
5 locks held by kworker/1:8/6405:
4 locks held by syz.2.242/6896:
2 locks held by syz.2.242/6897:
1 lock held by syz.1.243/6898:
 #0: ffffffff8e77b6a8 (tty_mutex){+.+.}-{4:4}, at: tty_release_struct+0xae/0xd0 drivers/tty/tty_io.c:1691
1 lock held by syz.0.244/6909:
 #0: ffffffff8f311b48 (rtnl_mutex){+.+.}-{4:4}, at: __tun_chr_ioctl+0x37a/0x1df0 drivers/net/tun.c:3078
1 lock held by syz.0.244/6911:
 #0: ffffffff8f311b48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #0: ffffffff8f311b48 (rtnl_mutex){+.+.}-{4:4}, at: rtnetlink_rcv_msg+0x71c/0xb70 net/core/rtnetlink.c:6964
2 locks held by kworker/0:10/6914:
4 locks held by kworker/0:11/6916:
 #0: ffff88807cec4548 ((wq_completion)wg-kex-wg2#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
 #0: ffff88807cec4548 ((wq_completion)wg-kex-wg2#2){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770 kernel/workqueue.c:3340
 #1: ffffc90005577b80 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __ptr = (unsigned long) ((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker)))); (typeof((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
 #1: ffffc90005577b80 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __ptr = (unsigned long) ((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker)))); (typeof((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770 kernel/workqueue.c:3340
 #2: ffff8880779b5308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x150/0x900 drivers/net/wireguard/noise.c:598
 #3: ffff888058ce2ad8 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x4bf/0x900 drivers/net/wireguard/noise.c:632
4 locks held by kworker/1:11/6921:
3 locks held by kworker/1:12/6924:

=============================================

NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 31 Comm: khungtaskd Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
 __sys_info lib/sys_info.c:157 [inline]
 sys_info+0x135/0x170 lib/sys_info.c:165
 check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
 watchdog+0xf95/0xfe0 kernel/hung_task.c:515
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 101 PID: 5495 Comm: dhcpcd Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:stackdepot_memcmp lib/stackdepot.c:576 [inline]
RIP: 0010:find_stack lib/stackdepot.c:610 [inline]
RIP: 0010:stack_depot_save_flags+0x1c1/0x850 lib/stackdepot.c:668
Code: 24 04 85 db 75 5d 4d 8b 3f 4d 39 e7 74 52 41 39 6f 10 75 f2 45 39 57 14 75 ec 31 c0 49 8b 0c c6 49 3b 4c c7 20 75 df 48 ff c0 <41> 39 c5 75 ed 83 fe 02 72 2f 49 8d 7f 1c 41 8b 5f 1c 85 db 74 11
RSP: 0018:ffffc90003516fd8 EFLAGS: 00000206
RAX: 0000000000000003 RBX: ffff88802d5de100 RCX: ffffffff821d84e2
RDX: 000000006aa1d46b RSI: 0000000000000001 RDI: 000000008979cdac
RBP: 00000000a6ec21e8 R08: 00000000931913d8 R09: 00000000303f2c3e
R10: 0000000000000010 R11: ffffffff81ada000 R12: ffff88823ba21e80
R13: 0000000000000010 R14: ffffc90003517080 R15: ffff888049b99fd0
FS:  00007f205d253740(0000) GS:ffff888125f35000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00002000003b5030 CR3: 0000000031296000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 save_stack+0x103/0x1f0 mm/page_owner.c:166
 __reset_page_owner+0x71/0x1f0 mm/page_owner.c:320
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
 discard_slab mm/slub.c:3346 [inline]
 __put_partials+0x146/0x170 mm/slub.c:3886
 put_cpu_partial+0x1f2/0x2d0 mm/slub.c:3961
 __slab_free+0x288/0x2a0 mm/slub.c:5952
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:349
 kasan_slab_alloc include/linux/kasan.h:252 [inline]
 slab_post_alloc_hook mm/slub.c:4953 [inline]
 slab_alloc_node mm/slub.c:5263 [inline]
 __do_kmalloc_node mm/slub.c:5656 [inline]
 __kmalloc_node_track_caller_noprof+0x526/0x820 mm/slub.c:5764
 kmalloc_reserve+0x136/0x290 net/core/skbuff.c:608
 __alloc_skb+0x27e/0x430 net/core/skbuff.c:690
 alloc_skb include/linux/skbuff.h:1383 [inline]
 alloc_skb_with_frags+0xca/0x890 net/core/skbuff.c:6712
 sock_alloc_send_pskb+0x84d/0x980 net/core/sock.c:2995
 unix_dgram_sendmsg+0x454/0x1840 net/unix/af_unix.c:2130
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:742
 sock_write_iter+0x279/0x360 net/socket.c:1195
 do_iter_readv_writev+0x623/0x8c0 fs/read_write.c:-1
 vfs_writev+0x31a/0x960 fs/read_write.c:1057
 do_writev+0x14d/0x2d0 fs/read_write.c:1103
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f205d2dd407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffc64a386b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007f205d253740 RCX: 00007f205d2dd407
RDX: 0000000000000005 RSI: 00007ffc64a38710 RDI: 000000000000000a
RBP: 000055b407894870 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 000055b4329b91f0
R13: 000000000000012c R14: 0000000000004801 R15: 000055b4329b88a4
 </TASK>

Trajectory:
Seq Timestamp Type Name Duration
0/0 2026/03/08 08:00 flow repro 10m
Results:
map[ReproOpts:{"threaded":true,"collide":true,"repeat":true,"procs":1,"sandbox":"namespace","fault_call":-1,"fault_nth":0} ReproSyz:r0 = socket(0x10, 0x3, 0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0)
ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000040)={'tun0\x00', 0x1002})
sendmsg(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000000)={0x3c, 0x10, 0x605, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x3, "wg0\x00"}, {0x14, 0x12, {{0xe, 0x1, "wireguard\x00"}}}}}, 0x1, 0x0, 0x0, 0x0}, 0x20040084)
ioctl$SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000080)={'wg0\x00', 0x1})
ioctl$SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000a0)={'tun0\x00', 0x1})
 SyzkallerCommit:31e9c887f7dc24e04b3ca70d0d54fc34141844b0]

1/1 2026/03/08 08:00 action provide-var 0m
Results:
map[DescriptionFiles:[acpi_thermal_rel.txt aio.txt auto.txt binfmt.txt bpf.txt bpf_prog.txt bpf_trace.txt cgroup.txt damon.txt dev_ashmem.txt dev_bifrost.txt dev_binder.txt dev_binderfs.txt dev_block.txt dev_bsg.txt dev_bus_usb.txt dev_camx.txt dev_cdrom.txt dev_cec.txt dev_char_usb.txt dev_comedi.txt dev_dma_heap.txt dev_dri.txt dev_dsp.txt dev_dvb_demux.txt dev_dvb_dvr.txt dev_dvb_frontend.txt dev_fb.txt dev_floppy.txt dev_hidraw.txt dev_i2c.txt dev_i915.txt dev_img_rogue.txt dev_infiniband_rdma.txt dev_infiniband_rdma_cm.txt dev_input.txt dev_iommu.txt dev_kvm.txt dev_kvm_amd64.txt dev_kvm_arm64.txt dev_kvm_extra.txt dev_kvm_riscv64.txt dev_loop.txt dev_mali.txt dev_media.txt dev_msm.txt dev_msr.txt dev_nbd.txt dev_net_tun.txt dev_panthor.txt dev_ppp.txt dev_ptmx.txt dev_ptp.txt dev_qat_adf_ctl.txt dev_qrtr_tun.txt dev_random.txt dev_rfkill.txt dev_rtc.txt dev_sequencer.txt dev_sg.txt dev_snapshot.txt dev_snd_control.txt dev_snd_hw.txt dev_snd_midi.txt dev_snd_pcm.txt dev_snd_seq.txt dev_snd_timer.txt dev_sr.txt dev_sw_sync.txt dev_tlk_device.txt dev_trusty.txt dev_udmabuf.txt dev_uhid.txt dev_uinput.txt dev_usb_hiddev.txt dev_usbmon.txt dev_userio.txt dev_vfio.txt dev_vga_arbiter.txt dev_vhci.txt dev_video4linux.txt dev_video4linux_vim2m.txt dev_virtual_nci.txt dev_vtpm.txt fanotify.txt filesystem.txt fs_9p.txt fs_fuse.txt fs_incfs.txt fs_ioctl.txt fs_ioctl_autofs.txt fs_ioctl_btrfs.txt fs_ioctl_ext4.txt fs_ioctl_f2fs.txt fs_ioctl_fat.txt fs_ioctl_fscrypt.txt fs_ioctl_fsverity.txt fs_ioctl_xfs.txt futex.txt hafnium.txt inotify.txt io_uring.txt ipc.txt key.txt kfuzztest.txt l2cap.txt landlock.txt lsm.txt namespaces.txt net_80211.txt netfilter.txt netfilter_arp.txt netfilter_bridge.txt netfilter_ipv4.txt netfilter_ipv6.txt netfilter_ipvs.txt netfilter_targets.txt pagemap_ioctl.txt perf.txt prctl.txt quotactl.txt seccomp.txt security_apparmor.txt security_selinux.txt security_smack.txt socket.txt socket_alg.txt socket_ax25.txt socket_bluetooth.txt socket_caif.txt 
socket_can.txt socket_ieee802154.txt socket_inet.txt socket_inet6.txt socket_inet_dccp.txt socket_inet_icmp.txt socket_inet_igmp.txt socket_inet_l2tp.txt socket_inet_sctp.txt socket_inet_tcp.txt socket_inet_udp.txt socket_ip_tunnel.txt socket_isdn.txt socket_kcm.txt socket_key.txt socket_llc.txt socket_netlink.txt socket_netlink_audit.txt socket_netlink_crypto.txt socket_netlink_generic.txt socket_netlink_generic_80211.txt socket_netlink_generic_batadv.txt socket_netlink_generic_devlink.txt socket_netlink_generic_ethtool.txt socket_netlink_generic_fou.txt socket_netlink_generic_gtp.txt socket_netlink_generic_mptcp.txt socket_netlink_generic_net_dm.txt socket_netlink_generic_netlabel.txt socket_netlink_generic_nfc.txt socket_netlink_generic_seg6.txt socket_netlink_generic_smc.txt socket_netlink_generic_team.txt socket_netlink_generic_wireguard.txt socket_netlink_netfilter.txt socket_netlink_netfilter_acct.txt socket_netlink_netfilter_conntrack.txt socket_netlink_netfilter_conntrack_exp.txt socket_netlink_netfilter_conntrack_helper.txt socket_netlink_netfilter_ipset.txt socket_netlink_netfilter_log.txt socket_netlink_netfilter_nft_compat.txt socket_netlink_netfilter_nftables.txt socket_netlink_netfilter_osf.txt socket_netlink_netfilter_queue.txt socket_netlink_netfilter_timeout.txt socket_netlink_rdma.txt socket_netlink_route.txt socket_netlink_route_sched.txt socket_netlink_route_sched_retired.txt socket_netlink_sock_diag.txt socket_netlink_xfrm.txt socket_netrom.txt socket_nfc.txt socket_nvme_of_tcp.txt socket_packet.txt socket_phonet.txt socket_pppox.txt socket_qipcrtr.txt socket_rds.txt socket_rose.txt socket_rxrpc.txt socket_tipc.txt socket_tipc_netlink.txt socket_unix.txt socket_vnet.txt socket_x25.txt socket_xdp.txt sys.txt uffd.txt usbip.txt vmw_vmci.txt vnet.txt vnet_mptcp.txt vusb.txt watch_queue.txt xattr.txt] SyzkallerCommit:31e9c887f7dc24e04b3ca70d0d54fc34141844b0]

2/1 2026/03/08 08:00 action kernel-checkouter 0m
Results:
map[KernelSrc:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/src/0673e8e2d0cbee3c149e04b8200be38e4c7661d2]

3/1 2026/03/08 08:01 action kernel-builder 6m
Results:
map[KernelObj:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/build/76fb530020c528a559b69149abd51dd63d442831]

4/1 2026/03/08 08:08 agent crash-repro-finder 3m
Model:
gemini-3-pro-preview

Results:
map[ReproOpts:{"threaded":true,"collide":true,"repeat":true,"procs":1,"sandbox":"namespace","fault_call":-1,"fault_nth":0}]

Instruction:
You are an expert in linux kernel fuzzing. Your goal is to write a syzkaller program to trigger a specific bug.
Print only the syz program that could be executed directly, without backticks.




Use set-results tool to provide results of the analysis.
It must be called exactly once before the final reply.
Ignore results of this tool.

Prompt:
Bug Title: INFO: task hung in __tun_chr_ioctl

Original Crash Report:
INFO: task syz.0.244:6909 blocked for more than 143 seconds.
      Tainted: G             L      syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.244       state:D stack:28152 pid:6909  tgid:6908  ppid:5846   task_flags:0x400040 flags:0x00080002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5256 [inline]
 __schedule+0x14bc/0x5000 kernel/sched/core.c:6863
 __schedule_loop kernel/sched/core.c:6945 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6960
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7017
 __mutex_lock_common kernel/locking/mutex.c:692 [inline]
 __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:776
 __tun_chr_ioctl+0x37a/0x1df0 drivers/net/tun.c:3078
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f013278f749
RSP: 002b:00007f01336cc038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f01329e5fa0 RCX: 00007f013278f749
RDX: 0000200000000040 RSI: 00000000400454ca RDI: 0000000000000003
RBP: 00007f0132813f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f01329e6038 R14: 00007f01329e5fa0 R15: 00007f0132b0fa28
 </TASK>
INFO: task syz.0.244:6911 blocked for more than 143 seconds.
      Tainted: G             L      syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.244       state:D stack:27608 pid:6911  tgid:6908  ppid:5846   task_flags:0x400140 flags:0x00080002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5256 [inline]
 __schedule+0x14bc/0x5000 kernel/sched/core.c:6863
 __schedule_loop kernel/sched/core.c:6945 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6960
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7017
 __mutex_lock_common kernel/locking/mutex.c:692 [inline]
 __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:776
 rtnl_lock net/core/rtnetlink.c:80 [inline]
 rtnetlink_rcv_msg+0x71c/0xb70 net/core/rtnetlink.c:6964
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:742
 ____sys_sendmsg+0x505/0x820 net/socket.c:2592
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2681
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f013278f749
RSP: 002b:00007f01336ab038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f01329e6090 RCX: 00007f013278f749
RDX: 0000000020040084 RSI: 00002000000000c0 RDI: 0000000000000004
RBP: 00007f0132813f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f01329e6128 R14: 00007f01329e6090 R15: 00007f0132b0fa28
 </TASK>

Showing all locks held in the system:
1 lock held by kthreadd/2:
4 locks held by kworker/0:0/9:
4 locks held by kworker/u8:0/12:
4 locks held by kworker/u8:1/13:
1 lock held by khungtaskd/31:
 #0: ffffffff8df419e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8df419e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #0: ffffffff8df419e0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775
3 locks held by kworker/u8:2/36:
 #0: ffff88814d9db148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
 #0: ffff88814d9db148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770 kernel/workqueue.c:3340
 #1: ffffc90000ac7b80 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
 #1: ffffc90000ac7b80 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770 kernel/workqueue.c:3340
 #2: ffffffff8f311b48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
 #2: ffffffff8f311b48 (rtnl_mutex){+.+.}-{4:4}, at: addrconf_verify_work+0x19/0x30 net/ipv6/addrconf.c:4734
4 locks held by kworker/u8:3/50:
4 locks held by kworker/u8:4/60:
5 locks held by kworker/1:2/888:
4 locks held by kworker/u8:5/1027:
 #0: ffff888032aa9948 ((wq_completion)wg-kex-wg1#7){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
 #0: ffff888032aa9948 ((wq_completion)wg-kex-wg1#7){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770 kernel/workqueue.c:3340
 #1: ffffc9000408fb80 ((work_completion)(&peer->transmit_handshake_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
 #1: ffffc9000408fb80 ((work_completion)(&peer->transmit_handshake_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770 kernel/workqueue.c:3340
 #2: ffff888077b7d308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_create_initiation+0x105/0x750 drivers/net/wireguard/noise.c:529
 #3: ffff888058d4f030 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_create_initiation+0x116/0x750 drivers/net/wireguard/noise.c:530
8 locks held by kworker/u8:6/1134:
3 locks held by kworker/u8:7/1146:
3 locks held by kworker/u8:8/1306:
3 locks held by kworker/u8:9/1339:
3 locks held by kworker/u8:10/2124:
3 locks held by kworker/R-krdsd/3397:
3 locks held by kworker/u8:11/3486:
3 locks held by kworker/u8:12/3500:
4 locks held by kworker/u8:13/3830:
2 locks held by kworker/u8:14/4539:
3 locks held by kworker/u8:15/4586:
1 lock held by klogd/5190:
2 locks held by udevd/5201:
2 locks held by dhcpcd/5495:
1 lock held by dhcpcd/5496:
3 locks held by crond/5573:
2 locks held by getty/5586:
 #0: ffff8880342250a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc9000332e2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x449/0x1460 drivers/tty/n_tty.c:2211
2 locks held by syz-executor/5817:
2 locks held by udevd/5827:
3 locks held by kworker/0:4/5833:
2 locks held by syz-executor/5847:
1 lock held by syz-executor/5848:
4 locks held by syz-executor/5849:
4 locks held by kworker/1:3/5886:
 #0: ffff88807d561148 ((wq_completion)wg-kex-wg2#6){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
 #0: ffff88807d561148 ((wq_completion)wg-kex-wg2#6){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770 kernel/workqueue.c:3340
 #1: ffffc900043afb80 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __ptr = (unsigned long) ((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker)))); (typeof((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
 #1: ffffc900043afb80 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __ptr = (unsigned long) ((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker)))); (typeof((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770 kernel/workqueue.c:3340
 #2: ffff888077b79308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_response+0x1c7/0xab0 drivers/net/wireguard/noise.c:742
 #3: ffff888058d4d278 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_response+0x262/0xab0 drivers/net/wireguard/noise.c:753
2 locks held by kworker/1:5/5894:
3 locks held by kworker/1:6/5901:
3 locks held by kworker/0:5/5914:
 #0: ffff88813ff16948 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
 #0: ffff88813ff16948 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770 kernel/workqueue.c:3340
 #1: ffffc9000458fb80 ((reg_check_chans).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
 #1: ffffc9000458fb80 ((reg_check_chans).work){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770 kernel/workqueue.c:3340
 #2: ffffffff8f311b48 (rtnl_mutex){+.+.}-{4:4}, at: reg_check_chans_work+0xa1/0xf00 net/wireless/reg.c:2453
3 locks held by kworker/u8:16/5947:
4 locks held by kworker/0:9/5953:
3 locks held by kworker/u8:17/5965:
2 locks held by kworker/u8:18/5975:
 #0: ffff88802069d148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
 #0: ffff88802069d148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770 kernel/workqueue.c:3340
 #1: ffffc9000461fb80 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
 #1: ffffc9000461fb80 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770 kernel/workqueue.c:3340
2 locks held by kworker/u8:19/6276:
5 locks held by kworker/1:8/6405:
4 locks held by syz.2.242/6896:
2 locks held by syz.2.242/6897:
1 lock held by syz.1.243/6898:
 #0: ffffffff8e77b6a8 (tty_mutex){+.+.}-{4:4}, at: tty_release_struct+0xae/0xd0 drivers/tty/tty_io.c:1691
1 lock held by syz.0.244/6909:
 #0: ffffffff8f311b48 (rtnl_mutex){+.+.}-{4:4}, at: __tun_chr_ioctl+0x37a/0x1df0 drivers/net/tun.c:3078
1 lock held by syz.0.244/6911:
 #0: ffffffff8f311b48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #0: ffffffff8f311b48 (rtnl_mutex){+.+.}-{4:4}, at: rtnetlink_rcv_msg+0x71c/0xb70 net/core/rtnetlink.c:6964
2 locks held by kworker/0:10/6914:
4 locks held by kworker/0:11/6916:
 #0: ffff88807cec4548 ((wq_completion)wg-kex-wg2#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
 #0: ffff88807cec4548 ((wq_completion)wg-kex-wg2#2){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770 kernel/workqueue.c:3340
 #1: ffffc90005577b80 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __ptr = (unsigned long) ((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker)))); (typeof((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
 #1: ffffc90005577b80 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __ptr = (unsigned long) ((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker)))); (typeof((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770 kernel/workqueue.c:3340
 #2: ffff8880779b5308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x150/0x900 drivers/net/wireguard/noise.c:598
 #3: ffff888058ce2ad8 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x4bf/0x900 drivers/net/wireguard/noise.c:632
4 locks held by kworker/1:11/6921:
3 locks held by kworker/1:12/6924:

=============================================

NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 31 Comm: khungtaskd Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
 __sys_info lib/sys_info.c:157 [inline]
 sys_info+0x135/0x170 lib/sys_info.c:165
 check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
 watchdog+0xf95/0xfe0 kernel/hung_task.c:515
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 101 PID: 5495 Comm: dhcpcd Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:stackdepot_memcmp lib/stackdepot.c:576 [inline]
RIP: 0010:find_stack lib/stackdepot.c:610 [inline]
RIP: 0010:stack_depot_save_flags+0x1c1/0x850 lib/stackdepot.c:668
Code: 24 04 85 db 75 5d 4d 8b 3f 4d 39 e7 74 52 41 39 6f 10 75 f2 45 39 57 14 75 ec 31 c0 49 8b 0c c6 49 3b 4c c7 20 75 df 48 ff c0 <41> 39 c5 75 ed 83 fe 02 72 2f 49 8d 7f 1c 41 8b 5f 1c 85 db 74 11
RSP: 0018:ffffc90003516fd8 EFLAGS: 00000206
RAX: 0000000000000003 RBX: ffff88802d5de100 RCX: ffffffff821d84e2
RDX: 000000006aa1d46b RSI: 0000000000000001 RDI: 000000008979cdac
RBP: 00000000a6ec21e8 R08: 00000000931913d8 R09: 00000000303f2c3e
R10: 0000000000000010 R11: ffffffff81ada000 R12: ffff88823ba21e80
R13: 0000000000000010 R14: ffffc90003517080 R15: ffff888049b99fd0
FS:  00007f205d253740(0000) GS:ffff888125f35000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00002000003b5030 CR3: 0000000031296000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 save_stack+0x103/0x1f0 mm/page_owner.c:166
 __reset_page_owner+0x71/0x1f0 mm/page_owner.c:320
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
 discard_slab mm/slub.c:3346 [inline]
 __put_partials+0x146/0x170 mm/slub.c:3886
 put_cpu_partial+0x1f2/0x2d0 mm/slub.c:3961
 __slab_free+0x288/0x2a0 mm/slub.c:5952
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:349
 kasan_slab_alloc include/linux/kasan.h:252 [inline]
 slab_post_alloc_hook mm/slub.c:4953 [inline]
 slab_alloc_node mm/slub.c:5263 [inline]
 __do_kmalloc_node mm/slub.c:5656 [inline]
 __kmalloc_node_track_caller_noprof+0x526/0x820 mm/slub.c:5764
 kmalloc_reserve+0x136/0x290 net/core/skbuff.c:608
 __alloc_skb+0x27e/0x430 net/core/skbuff.c:690
 alloc_skb include/linux/skbuff.h:1383 [inline]
 alloc_skb_with_frags+0xca/0x890 net/core/skbuff.c:6712
 sock_alloc_send_pskb+0x84d/0x980 net/core/sock.c:2995
 unix_dgram_sendmsg+0x454/0x1840 net/unix/af_unix.c:2130
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:742
 sock_write_iter+0x279/0x360 net/socket.c:1195
 do_iter_readv_writev+0x623/0x8c0 fs/read_write.c:-1
 vfs_writev+0x31a/0x960 fs/read_write.c:1057
 do_writev+0x14d/0x2d0 fs/read_write.c:1103
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f205d2dd407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffc64a386b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007f205d253740 RCX: 00007f205d2dd407
RDX: 0000000000000005 RSI: 00007ffc64a38710 RDI: 000000000000000a
RBP: 000055b407894870 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 000055b4329b91f0
R13: 000000000000012c R14: 0000000000004801 R15: 000055b4329b88a4
 </TASK>


The list of existing description files:
acpi_thermal_rel.txt
aio.txt
auto.txt
binfmt.txt
bpf.txt
bpf_prog.txt
bpf_trace.txt
cgroup.txt
damon.txt
dev_ashmem.txt
dev_bifrost.txt
dev_binder.txt
dev_binderfs.txt
dev_block.txt
dev_bsg.txt
dev_bus_usb.txt
dev_camx.txt
dev_cdrom.txt
dev_cec.txt
dev_char_usb.txt
dev_comedi.txt
dev_dma_heap.txt
dev_dri.txt
dev_dsp.txt
dev_dvb_demux.txt
dev_dvb_dvr.txt
dev_dvb_frontend.txt
dev_fb.txt
dev_floppy.txt
dev_hidraw.txt
dev_i2c.txt
dev_i915.txt
dev_img_rogue.txt
dev_infiniband_rdma.txt
dev_infiniband_rdma_cm.txt
dev_input.txt
dev_iommu.txt
dev_kvm.txt
dev_kvm_amd64.txt
dev_kvm_arm64.txt
dev_kvm_extra.txt
dev_kvm_riscv64.txt
dev_loop.txt
dev_mali.txt
dev_media.txt
dev_msm.txt
dev_msr.txt
dev_nbd.txt
dev_net_tun.txt
dev_panthor.txt
dev_ppp.txt
dev_ptmx.txt
dev_ptp.txt
dev_qat_adf_ctl.txt
dev_qrtr_tun.txt
dev_random.txt
dev_rfkill.txt
dev_rtc.txt
dev_sequencer.txt
dev_sg.txt
dev_snapshot.txt
dev_snd_control.txt
dev_snd_hw.txt
dev_snd_midi.txt
dev_snd_pcm.txt
dev_snd_seq.txt
dev_snd_timer.txt
dev_sr.txt
dev_sw_sync.txt
dev_tlk_device.txt
dev_trusty.txt
dev_udmabuf.txt
dev_uhid.txt
dev_uinput.txt
dev_usb_hiddev.txt
dev_usbmon.txt
dev_userio.txt
dev_vfio.txt
dev_vga_arbiter.txt
dev_vhci.txt
dev_video4linux.txt
dev_video4linux_vim2m.txt
dev_virtual_nci.txt
dev_vtpm.txt
fanotify.txt
filesystem.txt
fs_9p.txt
fs_fuse.txt
fs_incfs.txt
fs_ioctl.txt
fs_ioctl_autofs.txt
fs_ioctl_btrfs.txt
fs_ioctl_ext4.txt
fs_ioctl_f2fs.txt
fs_ioctl_fat.txt
fs_ioctl_fscrypt.txt
fs_ioctl_fsverity.txt
fs_ioctl_xfs.txt
futex.txt
hafnium.txt
inotify.txt
io_uring.txt
ipc.txt
key.txt
kfuzztest.txt
l2cap.txt
landlock.txt
lsm.txt
namespaces.txt
net_80211.txt
netfilter.txt
netfilter_arp.txt
netfilter_bridge.txt
netfilter_ipv4.txt
netfilter_ipv6.txt
netfilter_ipvs.txt
netfilter_targets.txt
pagemap_ioctl.txt
perf.txt
prctl.txt
quotactl.txt
seccomp.txt
security_apparmor.txt
security_selinux.txt
security_smack.txt
socket.txt
socket_alg.txt
socket_ax25.txt
socket_bluetooth.txt
socket_caif.txt
socket_can.txt
socket_ieee802154.txt
socket_inet.txt
socket_inet6.txt
socket_inet_dccp.txt
socket_inet_icmp.txt
socket_inet_igmp.txt
socket_inet_l2tp.txt
socket_inet_sctp.txt
socket_inet_tcp.txt
socket_inet_udp.txt
socket_ip_tunnel.txt
socket_isdn.txt
socket_kcm.txt
socket_key.txt
socket_llc.txt
socket_netlink.txt
socket_netlink_audit.txt
socket_netlink_crypto.txt
socket_netlink_generic.txt
socket_netlink_generic_80211.txt
socket_netlink_generic_batadv.txt
socket_netlink_generic_devlink.txt
socket_netlink_generic_ethtool.txt
socket_netlink_generic_fou.txt
socket_netlink_generic_gtp.txt
socket_netlink_generic_mptcp.txt
socket_netlink_generic_net_dm.txt
socket_netlink_generic_netlabel.txt
socket_netlink_generic_nfc.txt
socket_netlink_generic_seg6.txt
socket_netlink_generic_smc.txt
socket_netlink_generic_team.txt
socket_netlink_generic_wireguard.txt
socket_netlink_netfilter.txt
socket_netlink_netfilter_acct.txt
socket_netlink_netfilter_conntrack.txt
socket_netlink_netfilter_conntrack_exp.txt
socket_netlink_netfilter_conntrack_helper.txt
socket_netlink_netfilter_ipset.txt
socket_netlink_netfilter_log.txt
socket_netlink_netfilter_nft_compat.txt
socket_netlink_netfilter_nftables.txt
socket_netlink_netfilter_osf.txt
socket_netlink_netfilter_queue.txt
socket_netlink_netfilter_timeout.txt
socket_netlink_rdma.txt
socket_netlink_route.txt
socket_netlink_route_sched.txt
socket_netlink_route_sched_retired.txt
socket_netlink_sock_diag.txt
socket_netlink_xfrm.txt
socket_netrom.txt
socket_nfc.txt
socket_nvme_of_tcp.txt
socket_packet.txt
socket_phonet.txt
socket_pppox.txt
socket_qipcrtr.txt
socket_rds.txt
socket_rose.txt
socket_rxrpc.txt
socket_tipc.txt
socket_tipc_netlink.txt
socket_unix.txt
socket_vnet.txt
socket_x25.txt
socket_xdp.txt
sys.txt
uffd.txt
usbip.txt
vmw_vmci.txt
vnet.txt
vnet_mptcp.txt
vusb.txt
watch_queue.txt
xattr.txt


Reply:
r0 = socket(0x10, 0x3, 0x0)
r1 = openat(0xffffffffffffff9c, &(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0)
ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000040)={'tun0\x00', 0x1002})
sendmsg(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000000)={0x3c, 0x10, 0x605, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, {{0x8, 0x3, "wg0\x00"}, {0x14, 0x12, {{0xe, 0x1, "wireguard\x00"}}}}}, 0x1, 0x0, 0x0, 0x0}, 0x20040084)
ioctl$SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000080)={'wg0\x00', 0x1})
ioctl$SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000a0)={'tun0\x00', 0x1})

5/2 2026/03/08 08:08 llm crash-repro-finder
2m Model:
gemini-3-pro-preview

Tokens:
input: 10546
output: 52
thoughts: 22403

Thoughts:
**Analysis of a "Task Hung in __tun_chr_ioctl" Bug in Linux Kernel (syzkaller)**

Okay, so I'm looking at this crash report, and it screams a classic deadlock scenario, likely triggered by a race condition between `TUNSETIFF` and `rtnetlink` operations, possibly exacerbated by WireGuard interactions. My primary thought is that this is due to a worker thread that holds `rtnl_mutex` and gets stuck, which then causes the tasks attempting to acquire the mutex to hang. It looks like `addrconf_verify_work` might be the root cause; it seems to be in a D state while it holds `rtnl_mutex`.

The `TUNSETIFF` ioctl and a `sendmsg` (Netlink) are the triggers. The `TUNSETIFF` is trying to manipulate a TUN interface. `sendmsg` seems to create a WireGuard interface or, perhaps, is adding an IPv6 address that's getting it to call `addrconf_verify_work` via network configuration notifiers. Both are trying to access resources protected by the `rtnl_mutex`, and the `kworker` thread seems to be the culprit, as it's the one holding the `rtnl_mutex` and causing the hang.

I'm thinking about the scenario. If that `kworker` holds `rtnl_mutex`, then the two syzkaller tasks attempting to do `TUNSETIFF` and the `sendmsg` syscall get blocked waiting on the same `rtnl_mutex`. `addrconf_verify_work` could be stuck in a loop, or it might be waiting for some other resource, like memory, to be available. Or it's waiting for some other workqueue item to complete, a potential lock dependency. The fact that the report mentions the `wg-kex` workers suggests WireGuard's handshake process might be somehow involved. Could be a memory exhaustion issue.

My instinct tells me there's something about the interaction between the TUN device creation/configuration, the WireGuard interface, and the IPv6 address configuration (due to the `ipv6_addrconf`). A potential repro would be to create and configure WireGuard, trigger the IPv6 address assignment, and then race the `TUNSETIFF` operation to trigger the issue.

Let's say I need a test program that does the following. First, I want a `socket` and a `sendmsg` syscall. Second, I need an `open` and `ioctl` (TUNSETIFF). Let's start with a WireGuard interface and then add the TUN, potentially with names or flags that trigger a bad state.

I'll be able to produce a simple syzkaller program, with a threaded race, to create a WireGuard interface with netlink then add a TUN and set its flags. This code is designed to reproduce the bug.



6/2 2026/03/08 08:11 tool set-results
0m Args:
map[ReproOpts:{"threaded":true,"collide":true,"repeat":true,"procs":1,"sandbox":"namespace","fault_call":-1,"fault_nth":0}]

Results:
map[ReproOpts:{"threaded":true,"collide":true,"repeat":true,"procs":1,"sandbox":"namespace","fault_call":-1,"fault_nth":0}]

7/2 2026/03/08 08:11 llm crash-repro-finder
0m Model:
gemini-3-pro-preview

Tokens:
input: 33657
output: 438
thoughts: 0
