syzbot

bridge0: received packet on team0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on team0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on team0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 	Tasks blocked on level-0 rcu_node (CPUs 0-1): P6312/1:b..l P5767/1:b..l P5773/1:b..l
rcu: 	(detected by 0, t=10503 jiffies, g=9989, q=668 ncpus=2)
task:syz-executor    state:R  running task     stack:21544 pid:5773  ppid:5769   flags:0x00004002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5381 [inline]
 __schedule+0x1553/0x45a0 kernel/sched/core.c:6700
 preempt_schedule_common+0x82/0xc0 kernel/sched/core.c:6867
 preempt_schedule+0xc0/0xd0 kernel/sched/core.c:6891
 preempt_schedule_thunk+0x1a/0x30 arch/x86/entry/thunk_64.S:45
 __raw_spin_unlock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_unlock+0x3a/0x40 kernel/locking/spinlock.c:186
 spin_unlock include/linux/spinlock.h:391 [inline]
 copy_pte_range mm/memory.c:1107 [inline]
 copy_pmd_range mm/memory.c:1168 [inline]
 copy_pud_range mm/memory.c:1205 [inline]
 copy_p4d_range mm/memory.c:1229 [inline]
 copy_page_range+0x2ba0/0x3670 mm/memory.c:1323
 dup_mmap kernel/fork.c:769 [inline]
 dup_mm kernel/fork.c:1694 [inline]
 copy_mm+0x1281/0x1d80 kernel/fork.c:1743
 copy_process+0x16f7/0x3dc0 kernel/fork.c:2508
 kernel_clone+0x24b/0x8a0 kernel/fork.c:2917
 __do_sys_clone kernel/fork.c:3060 [inline]
 __se_sys_clone kernel/fork.c:3044 [inline]
 __x64_sys_clone+0x1b7/0x230 kernel/fork.c:3044
 do_syscall_x64 arch/x86/entry/common.c:46 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:76
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fbe63fc58d2
RSP: 002b:00007ffc06dcc750 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007ffc06dcc750 RCX: 00007fbe63fc58d2
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 00007ffc06dcc8dc R08: 0000000000000000 R09: 0000000000000001
R10: 00005555678887d0 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000000927c0 R14: 0000000000017893 R15: 00007ffc06dcc930
 </TASK>
task:syz-executor    state:R  running task     stack:24232 pid:5767  ppid:5760   flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5381 [inline]
 __schedule+0x1553/0x45a0 kernel/sched/core.c:6700
 preempt_schedule_common+0x82/0xc0 kernel/sched/core.c:6867
 preempt_schedule+0xc0/0xd0 kernel/sched/core.c:6891
 preempt_schedule_thunk+0x1a/0x30 arch/x86/entry/thunk_64.S:45
 __raw_spin_unlock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_unlock+0x3a/0x40 kernel/locking/spinlock.c:186
 spin_unlock include/linux/spinlock.h:391 [inline]
 zap_pte_range mm/memory.c:1523 [inline]
 zap_pmd_range mm/memory.c:1571 [inline]
 zap_pud_range mm/memory.c:1600 [inline]
 zap_p4d_range mm/memory.c:1621 [inline]
 unmap_page_range+0x2315/0x3000 mm/memory.c:1642
 unmap_vmas+0x286/0x3f0 mm/memory.c:1732
 exit_mmap+0x238/0xb90 mm/mmap.c:3302
 __mmput+0x118/0x3c0 kernel/fork.c:1357
 exit_mm+0x24a/0x350 kernel/exit.c:570
 do_exit+0x8dd/0x2460 kernel/exit.c:871
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1026
 get_signal+0x12fc/0x13f0 kernel/signal.c:2902
 arch_do_signal_or_restart+0xc2/0x800 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop+0x70/0x110 kernel/entry/common.c:174
 exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x1a/0x50 kernel/entry/common.c:302
 do_syscall_64+0x61/0xb0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f1831357fd7
RSP: 002b:00007ffd28a078d0 EFLAGS: 00000202 ORIG_RAX: 000000000000003d
RAX: fffffffffffffe00 RBX: 000055556830f500 RCX: 00007f1831357fd7
RDX: 0000000040000000 RSI: 00007ffd28a0792c RDI: ffffffffffffffff
RBP: 00007ffd28a0792c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000008
R13: 0000000000000003 R14: 00007ffd28a07b88 R15: 0000000000000000
 </TASK>
task:syz.0.156       state:R  running task     stack:26216 pid:6312  ppid:5774   flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5381 [inline]
 __schedule+0x1553/0x45a0 kernel/sched/core.c:6700
 preempt_schedule_common+0x82/0xc0 kernel/sched/core.c:6867
 preempt_schedule+0xc0/0xd0 kernel/sched/core.c:6891
 preempt_schedule_thunk+0x1a/0x30 arch/x86/entry/thunk_64.S:45
 __raw_spin_unlock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_unlock+0x3a/0x40 kernel/locking/spinlock.c:186
 spin_unlock include/linux/spinlock.h:391 [inline]
 zap_pte_range mm/memory.c:1523 [inline]
 zap_pmd_range mm/memory.c:1571 [inline]
 zap_pud_range mm/memory.c:1600 [inline]
 zap_p4d_range mm/memory.c:1621 [inline]
 unmap_page_range+0x2315/0x3000 mm/memory.c:1642
 unmap_vmas+0x286/0x3f0 mm/memory.c:1732
 exit_mmap+0x238/0xb90 mm/mmap.c:3302
 __mmput+0x118/0x3c0 kernel/fork.c:1357
 exit_mm+0x24a/0x350 kernel/exit.c:570
 do_exit+0x8dd/0x2460 kernel/exit.c:871
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1026
 get_signal+0x12fc/0x13f0 kernel/signal.c:2902
 arch_do_signal_or_restart+0xc2/0x800 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop+0x70/0x110 kernel/entry/common.c:174
 exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x1a/0x50 kernel/entry/common.c:302
 do_syscall_64+0x61/0xb0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f183139ce59
RSP: 002b:00007f18321c4028 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: 0000000000000034 RBX: 00007f1831616090 RCX: 00007f183139ce59
RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 0000200000000500
RBP: 00007f1831432d6f R08: 0000000000000000 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
R13: 00007f1831616128 R14: 00007f1831616090 R15: 00007ffd28a073e8
 </TASK>
rcu: rcu_preempt kthread starved for 9301 jiffies! g9989 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1
rcu: 	Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt     state:R  running task     stack:27656 pid:17    ppid:2      flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5381 [inline]
 __schedule+0x1553/0x45a0 kernel/sched/core.c:6700
 schedule+0xbd/0x170 kernel/sched/core.c:6774
 schedule_timeout+0x188/0x2d0 kernel/time/timer.c:2168
 rcu_gp_fqs_loop+0x313/0x1590 kernel/rcu/tree.c:1667
 rcu_gp_kthread+0x9d/0x3b0 kernel/rcu/tree.c:1866
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>
rcu: Stack dump where RCU GP kthread last ran:
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 6311 Comm: syz.1.155 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:arch_irqs_disabled_flags arch/x86/include/asm/irqflags.h:126 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:133 [inline]
RIP: 0010:lock_release+0x56d/0x8c0 kernel/locking/lockdep.c:5777
Code: ff ff ff 65 0f c1 05 da d2 99 7e 83 f8 01 75 7f 43 c6 44 2f 04 00 48 c7 84 24 80 00 00 00 00 00 00 00 9c 8f 84 24 80 00 00 00 <f7> 84 24 80 00 00 00 00 02 00 00 43 c6 44 2f 04 f8 75 70 f7 44 24
RSP: 0018:ffffc900001ef300 EFLAGS: 00000046
RAX: 0000000000000001 RBX: 3ab6d40026a7fe15 RCX: e9fcaa9f39a5ba00
RDX: 0000000000000008 RSI: ffffffff8acadd60 RDI: ffffffff8b1c9c20
RBP: ffffc900001ef410 R08: ffffffff8e8b666f R09: 1ffffffff1d16ccd
R10: dffffc0000000000 R11: fffffbfff1d16cce R12: ffff888024a7e620
R13: dffffc0000000000 R14: ffff888024a7e4d0 R15: 1ffff9200003de6c
FS:  00007f4c8d6e86c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2da23e68 CR3: 000000002719e000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 debug_objects_fill_pool+0xcc/0x730 lib/debugobjects.c:617
 debug_object_activate+0x36/0x4f0 lib/debugobjects.c:705
 debug_hrtimer_activate kernel/time/hrtimer.c:450 [inline]
 debug_activate kernel/time/hrtimer.c:504 [inline]
 enqueue_hrtimer+0x34/0x380 kernel/time/hrtimer.c:1100
 __run_hrtimer kernel/time/hrtimer.c:1771 [inline]
 __hrtimer_run_queues+0x63c/0xc40 kernel/time/hrtimer.c:1818
 hrtimer_interrupt+0x3c9/0x9c0 kernel/time/hrtimer.c:1880
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1077 [inline]
 __sysvec_apic_timer_interrupt+0xfb/0x3b0 arch/x86/kernel/apic/apic.c:1094
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
 sysvec_apic_timer_interrupt+0x51/0xc0 arch/x86/kernel/apic/apic.c:1088
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:virt_to_folio include/linux/mm.h:1289 [inline]
RIP: 0010:virt_to_slab mm/slab.h:218 [inline]
RIP: 0010:kmem_cache_free+0x70/0x270 mm/slub.c:3852
Code: 83 f8 08 0f 83 1f 01 00 00 89 c0 48 0f a3 05 bf c9 ac 0c 73 0d e8 30 4d 92 ff 84 c0 0f 84 23 01 00 00 48 89 df e8 60 05 5e ff <48> c1 e8 06 48 83 e0 c0 48 ba 00 00 00 00 00 ea ff ff 48 8b 4c 10
RSP: 0018:ffffc900001ef990 EFLAGS: 00000246
RAX: 000000007bec7a00 RBX: ffff88807bec7a00 RCX: ffff888024a7da00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffff88807bec7a03 R09: 1ffff1100f7d8f40
R10: dffffc0000000000 R11: ffffed100f7d8f41 R12: ffff8880267585d0
R13: 00000000000005dc R14: ffff888142e6aa00 R15: ffffffff896bd272
 skb_ext_del include/linux/skbuff.h:4830 [inline]
 nf_bridge_info_free net/bridge/br_netfilter_hooks.c:152 [inline]
 br_nf_dev_queue_xmit+0x492/0x1b80 net/bridge/br_netfilter_hooks.c:-1
 NF_HOOK+0x66e/0x700 include/linux/netfilter.h:304
 br_nf_post_routing+0xb41/0xfb0 net/bridge/br_netfilter_hooks.c:977
 nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
 nf_hook_slow+0xbd/0x200 net/netfilter/core.c:626
 nf_hook include/linux/netfilter.h:259 [inline]
 NF_HOOK+0x23e/0x3e0 include/linux/netfilter.h:302
 br_forward_finish+0xd3/0x130 net/bridge/br_forward.c:66
 br_nf_hook_thresh net/bridge/br_netfilter_hooks.c:1184 [inline]
 br_nf_forward_finish+0xa51/0xe80 net/bridge/br_netfilter_hooks.c:684
 NF_HOOK+0x66e/0x700 include/linux/netfilter.h:304
 br_nf_forward_ip+0xcc1/0x1110 net/bridge/br_netfilter_hooks.c:754
 nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
 nf_hook_slow+0xbd/0x200 net/netfilter/core.c:626
 nf_hook include/linux/netfilter.h:259 [inline]
 NF_HOOK+0x23e/0x3e0 include/linux/netfilter.h:302
 __br_forward+0x433/0x610 net/bridge/br_forward.c:115
 br_handle_frame_finish+0x13c5/0x18f0 net/bridge/br_input.c:215
 br_nf_hook_thresh+0x3cd/0x4a0 net/bridge/br_netfilter_hooks.c:1184
 br_nf_pre_routing_finish_ipv6+0x9dc/0xd00 net/bridge/br_netfilter_ipv6.c:-1
 NF_HOOK include/linux/netfilter.h:304 [inline]
 br_nf_pre_routing_ipv6+0x349/0x6b0 net/bridge/br_netfilter_ipv6.c:184
 nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:277 [inline]
 br_handle_frame+0x1245/0x14d0 net/bridge/br_input.c:424
 __netif_receive_skb_core+0xfab/0x3af0 net/core/dev.c:5540
 __netif_receive_skb_one_core net/core/dev.c:5644 [inline]
 __netif_receive_skb+0x74/0x290 net/core/dev.c:5760
 process_backlog+0x391/0x6f0 net/core/dev.c:6088
 __napi_poll+0xc0/0x460 net/core/dev.c:6650
 napi_poll net/core/dev.c:6717 [inline]
 net_rx_action+0x616/0xc40 net/core/dev.c:6853
 handle_softirqs+0x280/0x820 kernel/softirq.c:578
 __do_softirq kernel/softirq.c:612 [inline]
 invoke_softirq kernel/softirq.c:452 [inline]
 __irq_exit_rcu+0xd3/0x190 kernel/softirq.c:661
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:__sanitizer_cov_trace_switch+0x7/0x120 kernel/kcov.c:330
Code: ca 77 1e 49 ff c0 4c 89 02 48 c7 44 0a 08 07 00 00 00 48 89 7c 0a 10 48 89 74 0a 18 48 89 44 0a 20 c3 90 f3 0f 1e fa 48 8b 06 <48> 8b 4e 08 48 83 c1 f8 48 c1 c1 3d 48 83 f9 02 7f 1e 48 85 c9 74
RSP: 0018:ffffc9000cb6eea8 EFLAGS: 00000202
RAX: 0000000000000002 RBX: ffffffff8f0d3360 RCX: 0000000000080000
RDX: ffffc9000d29a000 RSI: ffffffff8cfa0800 RDI: 0000000000000002
RBP: ffffc9000cb6f038 R08: ffff888024a7da00 R09: 0000000000000003
R10: 0000000000000004 R11: 0000000000000002 R12: ffffc9000cb6efe8
R13: dffffc0000000000 R14: 0000000000000002 R15: ffffffff8f0d3365
 unwind_next_frame+0x655/0x2970 arch/x86/kernel/unwind_orc.c:505
 __unwind_start+0x66a/0x7e0 arch/x86/kernel/unwind_orc.c:760
 unwind_start arch/x86/include/asm/unwind.h:64 [inline]
 arch_stack_walk+0xf8/0x190 arch/x86/kernel/stacktrace.c:24
 stack_trace_save+0xaa/0x100 kernel/stacktrace.c:122
 save_stack+0x125/0x230 mm/page_owner.c:128
 __reset_page_owner+0x4e/0x190 mm/page_owner.c:149
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1181 [inline]
 free_unref_page_prepare+0x7b2/0x8c0 mm/page_alloc.c:2365
 free_unref_page+0x32/0x2e0 mm/page_alloc.c:2458
 discard_slab mm/slub.c:2127 [inline]
 __unfreeze_partials+0x1cf/0x210 mm/slub.c:2667
 put_cpu_partial+0x17c/0x250 mm/slub.c:2743
 __slab_free+0x319/0x400 mm/slub.c:3700
 qlink_free mm/kasan/quarantine.c:166 [inline]
 qlist_free_all+0x75/0xd0 mm/kasan/quarantine.c:185
 kasan_quarantine_reduce+0x143/0x160 mm/kasan/quarantine.c:292
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:306
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook+0x6e/0x4b0 mm/slab.h:767
 slab_alloc_node mm/slub.c:3495 [inline]
 __kmem_cache_alloc_node+0x13a/0x250 mm/slub.c:3534
 kmalloc_trace+0x2a/0xe0 mm/slab_common.c:1098
 kmalloc include/linux/slab.h:600 [inline]
 __kthread_create_on_node+0x116/0x3f0 kernel/kthread.c:435
 kthread_create_on_node+0xec/0x140 kernel/kthread.c:512
 rxrpc_open_socket net/rxrpc/local_object.c:227 [inline]
 rxrpc_lookup_local+0xff3/0x1610 net/rxrpc/local_object.c:296
 rxrpc_sendmsg+0x30a/0x5b0 net/rxrpc/af_rxrpc.c:562
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x5ba/0x960 net/socket.c:2594
 ___sys_sendmsg+0x2a6/0x360 net/socket.c:2648
 __sys_sendmsg net/socket.c:2677 [inline]
 __do_sys_sendmsg net/socket.c:2686 [inline]
 __se_sys_sendmsg+0x1c2/0x2b0 net/socket.c:2684
 do_syscall_x64 arch/x86/entry/common.c:46 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:76
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f4c8c79ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4c8d6e8028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f4c8ca15fa0 RCX: 00007f4c8c79ce59
RDX: 0000000020000000 RSI: 0000200000000140 RDI: 000000000000000a
RBP: 00007f4c8c832d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f4c8ca16038 R14: 00007f4c8ca15fa0 R15: 00007ffd73eff198
 </TASK>
net_ratelimit: 94 callbacks suppressed
bridge0: received packet on team0 with own address as source address (addr:aa:aa:aa:aa:aa:20, vlan:0)
bridge0: received packet on team0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on team0 with own address as source address (addr:aa:aa:aa:aa:aa:20, vlan:0)
bridge0: received packet on team0 with own address as source address (addr:aa:aa:aa:aa:aa:20, vlan:0)
bridge0: received packet on team0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on team0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on team0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on team0 with own address as source address (addr:aa:aa:aa:aa:aa:20, vlan:0)
bridge0: received packet on team0 with own address as source address (addr:aa:aa:aa:aa:aa:20, vlan:0)
bridge0: received packet on team0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
net_ratelimit: 93 callbacks suppressed
bridge0: received packet on team0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)