INFO: task hung in fsnotify_destroy

Kernel	Title	Rank 🛈	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	INFO: task hung in fsnotify_destroy_group fs	1				3	483d	608d	0/29	auto-obsoleted due to no activity on 2025/01/04 16:49

INFO: task syz.2.1127:10749 blocked for more than 143 seconds. Tainted: G U syzkaller #0 Blocked by coredump. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz.2.1127 state:D stack:26840 pid:10749 tgid:10748 ppid:5868 task_flags:0x40054c flags:0x00080003 Call Trace: <TASK> context_switch kernel/sched/core.c:5325 [inline] __schedule+0x1190/0x5de0 kernel/sched/core.c:6929 __schedule_loop kernel/sched/core.c:7011 [inline] schedule+0xe7/0x3a0 kernel/sched/core.c:7026 schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75 do_wait_for_common kernel/sched/completion.c:100 [inline] __wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121 __flush_work+0x7d7/0xcc0 kernel/workqueue.c:4273 fsnotify_destroy_group+0x145/0x390 fs/notify/group.c:76 fanotify_release+0x3ad/0x4d0 fs/notify/fanotify/fanotify_user.c:1150 __fput+0x402/0xb70 fs/file_table.c:468 task_work_run+0x150/0x240 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x86f/0x2bf0 kernel/exit.c:966 do_group_exit+0xd3/0x2a0 kernel/exit.c:1107 get_signal+0x2671/0x26d0 kernel/signal.c:3034 arch_do_signal_or_restart+0x8f/0x790 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop+0x85/0x130 kernel/entry/common.c:40 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] do_syscall_64+0x426/0xfa0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe0f1d8efc9 RSP: 002b:00007fe0f2c190e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 00007fe0f1fe5fa8 RCX: 00007fe0f1d8efc9 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fe0f1fe5fa8 RBP: 00007fe0f1fe5fa0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fe0f1fe6038 R14: 00007ffcaa8afce0 R15: 00007ffcaa8afdc8 </TASK> Showing all locks held in the system: 1 lock held by pool_workqueue_/3: #0: ffffffff8e3cf878 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock+0x1a3/0x3c0 kernel/rcu/tree_exp.h:343 1 lock held by khungtaskd/31: #0: ffffffff8e3c42e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline] #0: ffffffff8e3c42e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline] #0: ffffffff8e3c42e0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x36/0x1c0 kernel/locking/lockdep.c:6775 4 locks held by kworker/1:1/49: #0: ffff88814679f948 ((wq_completion)wg-kex-wg2#2){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3238 #1: ffffc90000b97d00 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __asm__ ("" : "=r"(__ptr) : "0"((__typeof__(*((worker))) *)(( unsigned long)((worker))))); (typeof((__typeof__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3239 #2: ffff888076c25308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_response+0x22b/0x950 drivers/net/wireguard/noise.c:742 #3: ffff88805a8e1708 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_response+0x2f7/0x950 drivers/net/wireguard/noise.c:753 3 locks held by kworker/0:2/938: 1 lock held by kworker/R-krxrp/3391: #0: ffffffff8e27a188 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_attach_to_pool+0x27/0x420 kernel/workqueue.c:2678 4 locks held by syz-executor/5858: #0: ffff888078a59d08 (vm_lock){++++}-{0:0}, at: lock_vma_under_rcu+0x117/0x530 mm/mmap_lock.c:238 #1: ffff88814d6ac518 (sb_pagefaults){.+.+}-{0:0}, at: do_page_mkwrite+0x174/0x380 mm/memory.c:3488 #2: ffff888079a32bc0 (mapping.invalidate_lock#2){++++}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:1045 [inline] #2: ffff888079a32bc0 (mapping.invalidate_lock#2){++++}-{4:4}, at: ext4_page_mkwrite+0x353/0x1880 fs/ext4/inode.c:6685 #3: ffff888079a328b0 (&ei->i_data_sem){++++}-{4:4}, at: ext4_da_map_blocks fs/ext4/inode.c:1956 [inline] #3: ffff888079a328b0 (&ei->i_data_sem){++++}-{4:4}, at: ext4_da_get_block_prep+0x69e/0x11e0 fs/ext4/inode.c:2020 4 locks held by kworker/0:0/5863: #0: ffff88814679f948 ((wq_completion)wg-kex-wg2#2){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3238 #1: ffffc9000431fd00 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __asm__ ("" : "=r"(__ptr) : "0"((__typeof__(*((worker))) *)(( unsigned long)((worker))))); (typeof((__typeof__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3239 #2: ffff888076c25308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x1c2/0x880 drivers/net/wireguard/noise.c:598 #3: ffff88805a8e1708 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x5ac/0x880 drivers/net/wireguard/noise.c:632 4 locks held by kworker/1:2/5876: #0: ffff88813ff16948 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3238 #1: ffffc900043efd00 ((reg_check_chans).work){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3239 #2: ffffffff900e9e88 (rtnl_mutex){+.+.}-{4:4}, at: reg_check_chans_work+0x91/0x11f0 net/wireless/reg.c:2453 #3: ffff888032100788 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: class_wiphy_constructor include/net/cfg80211.h:6358 [inline] #3: ffff888032100788 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: reg_leave_invalid_chans net/wireless/reg.c:2441 [inline] #3: ffff888032100788 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: reg_check_chans_work+0x11b/0x11f0 net/wireless/reg.c:2456 4 locks held by kworker/1:3/5879: #0: ffff8881413d9948 ((wq_completion)wg-kex-wg0#8){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3238 #1: ffffc9000440fd00 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __asm__ ("" : "=r"(__ptr) : "0"((__typeof__(*((worker))) *)(( unsigned long)((worker))))); (typeof((__typeof__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3239 #2: ffff88807e881308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x1c2/0x880 drivers/net/wireguard/noise.c:598 #3: ffff88805a8ec890 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x5ac/0x880 drivers/net/wireguard/noise.c:632 4 locks held by kworker/1:4/5884: #0: ffff88805b9c2148 ((wq_completion)wg-kex-wg2#6){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3238 #1: ffffc9000445fd00 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __asm__ ("" : "=r"(__ptr) : "0"((__typeof__(*((worker))) *)(( unsigned long)((worker))))); (typeof((__typeof__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3239 #2: ffff88805b4a9308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x1c2/0x880 drivers/net/wireguard/noise.c:598 #3: ffff88805a8ef030 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x5ac/0x880 drivers/net/wireguard/noise.c:632 1 lock held by kworker/R-wg-cr/5904: 1 lock held by kworker/R-wg-cr/5908: #0: ffffffff8e27a188 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_detach_from_pool kernel/workqueue.c:2736 [inline] #0: ffffffff8e27a188 (wq_pool_attach_mutex){+.+.}-{4:4}, at: rescuer_thread+0x839/0xea0 kernel/workqueue.c:3556 3 locks held by kworker/1:5/5924: #0: ffff88813ff15948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3238 #1: ffffc90004687d00 (drain_vmap_work){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3239 #2: ffffffff8e55d428 (vmap_purge_lock){+.+.}-{4:4}, at: drain_vmap_area_work+0x17/0x40 mm/vmalloc.c:2395 3 locks held by kworker/0:3/5937: 1 lock held by kworker/1:2H/6028: #0: ffffffff8e27a188 (wq_pool_attach_mutex){+.+.}-{4:4}, at: set_pf_worker kernel/workqueue.c:3352 [inline] #0: ffffffff8e27a188 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_thread+0x7d6/0xf10 kernel/workqueue.c:3385 3 locks held by kworker/u10:0/8270: 1 lock held by kworker/u11:0/8271: #0: ffffffff8e27a188 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_attach_to_pool+0x27/0x420 kernel/workqueue.c:2678 3 locks held by kworker/u10:1/8275: 2 locks held by kworker/u10:2/8277: #0: ffff88813ff29948 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3238 #1: ffffc900043afd00 ((reaper_work).work){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3239 4 locks held by kworker/u10:4/8291: #0: ffff88803442c948 ((wq_completion)ext4-rsv-conversion){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3238 #1: ffffc90017dffd00 ((work_completion)(&ei->i_rsv_conversion_work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3239 #2: ffff888034850950 (jbd2_handle){++++}-{0:0}, at: start_this_handle+0x5e4/0x1410 fs/jbd2/transaction.c:444 #3: ffff888079a328b0 (&ei->i_data_sem){++++}-{4:4}, at: ext4_map_blocks+0x46f/0x1400 fs/ext4/inode.c:810 3 locks held by kworker/u11:1/8293: #0: ffff888026884148 ((wq_completion)hci5){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3238 #1: ffffc90017dcfd00 ((work_completion)(&hdev->power_on)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3239 #2: ffff88807df7cdc8 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_do_open+0x22/0x90 net/bluetooth/hci_core.c:428 4 locks held by kworker/u10:5/8319: 3 locks held by kworker/u11:2/8449: #0: ffff888026885948 ((wq_completion)hci3){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3238 #1: ffffc9000e41fd00 ((work_completion)(&hdev->power_on)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3239 #2: ffff88807fb48dc8 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_do_open+0x22/0x90 net/bluetooth/hci_core.c:428 4 locks held by kworker/u10:6/8516: #0: ffff88801ba9f148 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3238 #1: ffffc9000b297d00 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3239 #2: ffffffff900d3a70 (pernet_ops_rwsem){++++}-{4:4}, at: cleanup_net+0xad/0x8b0 net/core/net_namespace.c:669 #3: ffffffff900e9e88 (rtnl_mutex){+.+.}-{4:4}, at: ops_exit_rtnl_list net/core/net_namespace.c:173 [inline] #3: ffffffff900e9e88 (rtnl_mutex){+.+.}-{4:4}, at: ops_undo_list+0x7e9/0xab0 net/core/net_namespace.c:248 3 locks held by kworker/u10:7/8843: 4 locks held by kworker/u10:9/8845: 3 locks held by kworker/u10:10/8846: 4 locks held by kworker/u10:11/8848: 3 locks held by kworker/u10:12/8849: 4 locks held by kworker/u10:13/8850: 3 locks held by kworker/u10:14/8851: 3 locks held by kworker/u10:15/8852: 3 locks held by kworker/u10:16/8853: #0: ffff88802ffa3948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3238 #1: ffffc9000ce77d00 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3239 #2: ffffffff900e9e88 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline] #2: ffffffff900e9e88 (rtnl_mutex){+.+.}-{4:4}, at: addrconf_verify_work+0x12/0x30 net/ipv6/addrconf.c:4734 2 locks held by kworker/u10:17/8854: #0: ffff88813ff29948 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3238 #1: ffffc9000b507d00 ((work_completion)(&pool->idle_cull_work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3239 3 locks held by kworker/u10:19/8856: 6 locks held by kworker/u10:20/8858: 3 locks held by kworker/u10:21/8859: 3 locks held by kworker/u10:22/8860: 5 locks held by kworker/u10:23/8861: 3 locks held by kworker/u10:24/8862: 3 locks held by kworker/u10:25/8863: 3 locks held by kworker/u10:26/8866: 3 locks held by kworker/u10:27/9027: 3 locks held by kworker/u10:28/9028: 4 locks held by kworker/u10:29/9031: 4 locks held by kworker/u10:30/9032: 1 lock held by kworker/R-wg-cr/10285: #0: ffffffff8e27a188 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_attach_to_pool+0x27/0x420 kernel/workqueue.c:2678 1 lock held by kworker/R-wg-cr/10286: #0: ffffffff8e27a188 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_attach_to_pool+0x27/0x420 kernel/workqueue.c:2678 1 lock held by kworker/R-wg-cr/10287: #0: ffffffff8e27a188 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_detach_from_pool kernel/workqueue.c:2736 [inline] #0: ffffffff8e27a188 (wq_pool_attach_mutex){+.+.}-{4:4}, at: rescuer_thread+0x839/0xea0 kernel/workqueue.c:3556 3 locks held by kworker/u10:31/10563: 2 locks held by kworker/u10:32/10565: 2 locks held by kworker/u10:33/10567: #0: ffff88813ff29948 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3238 #1: ffffc90000b37d00 (connector_reaper_work){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3239 3 locks held by kworker/u10:34/10569: 3 locks held by kworker/u10:35/10570: 2 locks held by getty/10622: #0: ffff88814d2fc0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243 #1: ffffc900032552f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x41b/0x14f0 drivers/tty/n_tty.c:2222 5 locks held by syz.4.1118/10710: #0: ffff888026a94dc8 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_do_close+0x26/0x90 net/bluetooth/hci_core.c:499 #1: ffff888026a940b8 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x3ae/0x11d0 net/bluetooth/hci_sync.c:5291 #2: ffffffff9035db48 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:2118 [inline] #2: ffffffff9035db48 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xbb/0x260 net/bluetooth/hci_conn.c:2602 #3: ffff888053489b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x80/0x730 net/bluetooth/l2cap_core.c:1762 #4: ffffffff8e3cf878 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock+0x284/0x3c0 kernel/rcu/tree_exp.h:311 1 lock held by syz.1.1120/10714: #0: ffffffff900e9e88 (rtnl_mutex){+.+.}-{4:4}, at: tun_detach drivers/net/tun.c:634 [inline] #0: ffffffff900e9e88 (rtnl_mutex){+.+.}-{4:4}, at: tun_chr_close+0x38/0x230 drivers/net/tun.c:3436 3 locks held by syz.2.1127/10748: #0: ffff888033b80dc8 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_do_close+0x26/0x90 net/bluetooth/hci_core.c:499 #1: ffff888033b800b8 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x3ae/0x11d0 net/bluetooth/hci_sync.c:5291 #2: ffffffff9035db48 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:2118 [inline] #2: ffffffff9035db48 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xbb/0x260 net/bluetooth/hci_conn.c:2602 1 lock held by syz.0.1128/10752: #0: ffffffff900e9e88 (rtnl_mutex){+.+.}-{4:4}, at: tun_detach drivers/net/tun.c:634 [inline] #0: ffffffff900e9e88 (rtnl_mutex){+.+.}-{4:4}, at: tun_chr_close+0x38/0x230 drivers/net/tun.c:3436 3 locks held by kworker/u11:3/10768: #0: ffff8880289b1948 ((wq_completion)hci1){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3238 #1: ffffc9000a9ffd00 ((work_completion)(&hdev->power_on)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3239 #2: ffff88804ea44dc8 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_do_open+0x22/0x90 net/bluetooth/hci_core.c:428 3 locks held by kworker/0:5/10776: 1 lock held by kworker/1:6/10788: #0: ffffffff8e27a188 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_attach_to_pool+0x27/0x420 kernel/workqueue.c:2678 1 lock held by kworker/u10:36/10789: #0: ffffffff8e27a188 (wq_pool_attach_mutex){+.+.}-{4:4}, at: set_pf_worker kernel/workqueue.c:3352 [inline] #0: ffffffff8e27a188 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_thread+0x6c/0xf10 kernel/workqueue.c:3378 ============================================= NMI backtrace for cpu 1 CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Tainted: G U syzkaller #0 PREEMPT(full) Tainted: [U]=USER Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113 nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:332 [inline] watchdog+0xf3f/0x1170 kernel/hung_task.c:495 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 UID: 0 PID: 8861 Comm: kworker/u10:23 Tainted: G U syzkaller #0 PREEMPT(full) Tainted: [U]=USER Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Workqueue: wg-kex-wg0 wg_packet_handshake_send_worker RIP: 0010:rcu_read_lock_any_held+0x0/0xa0 kernel/rcu/update.c:381 Code: 3c 8e 48 89 44 24 08 e8 fe e4 35 03 48 8b 44 24 08 e9 4f fe ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa e8 c7 e6 bc 09 89 c2 b8 01 00 00 00 85 d2 75 05 e9 17 RSP: 0018:ffffc90000007290 EFLAGS: 00000246 RAX: 0000000000000000 RBX: ffff88802fb70e28 RCX: ffffffff8a2b1bb7 RDX: ffff8880522d0000 RSI: ffffffff8a2b1bc4 RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: ffff88805e8635b8 R12: ffff888022f4a3c8 R13: 0000000000000000 R14: ffff88802fdc7a00 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff888124a10000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5088c5bf98 CR3: 000000000e182000 CR4: 00000000003526f0 Call Trace: <IRQ> __rhashtable_lookup include/linux/rhashtable.h:602 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] fdb_find_rcu+0x479/0x7e0 net/bridge/br_fdb.c:216 br_fdb_update+0x170/0x7c0 net/bridge/br_fdb.c:994 br_handle_frame_finish+0xdc0/0x1ec0 net/bridge/br_input.c:144 br_nf_hook_thresh+0x307/0x410 net/bridge/br_netfilter_hooks.c:1167 br_nf_pre_routing_finish_ipv6+0x76a/0xfc0 net/bridge/br_netfilter_ipv6.c:154 NF_HOOK include/linux/netfilter.h:318 [inline] br_nf_pre_routing_ipv6+0x3cd/0x8c0 net/bridge/br_netfilter_ipv6.c:184 br_nf_pre_routing+0x860/0x15b0 net/bridge/br_netfilter_hooks.c:508 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline] nf_hook_bridge_pre net/bridge/br_input.c:291 [inline] br_handle_frame+0xad8/0x14b0 net/bridge/br_input.c:442 __netif_receive_skb_core.constprop.0+0xa25/0x4bd0 net/core/dev.c:5966 __netif_receive_skb_one_core+0xb0/0x1e0 net/core/dev.c:6077 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6192 process_backlog+0x439/0x15e0 net/core/dev.c:6544 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7594 napi_poll net/core/dev.c:7657 [inline] net_rx_action+0x97f/0xef0 net/core/dev.c:7784 handle_softirqs+0x219/0x8e0 kernel/softirq.c:622 do_softirq kernel/softirq.c:523 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:510 </IRQ> <TASK> __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:450 local_bh_enable include/linux/bottom_half.h:33 [inline] fpregs_unlock arch/x86/include/asm/fpu/api.h:77 [inline] kernel_fpu_end+0x5e/0x70 arch/x86/kernel/fpu/core.c:479 blake2s_compress+0x7b/0xe0 lib/crypto/x86/blake2s.h:44 blake2s_final+0xc9/0x150 lib/crypto/blake2s.c:148 hmac.constprop.0+0x335/0x420 drivers/net/wireguard/noise.c:333 kdf.constprop.0+0x1a1/0x280 drivers/net/wireguard/noise.c:375 mix_precomputed_dh drivers/net/wireguard/noise.c:426 [inline] wg_noise_handshake_create_initiation+0x406/0x610 drivers/net/wireguard/noise.c:560 wg_packet_send_handshake_initiation+0x19a/0x360 drivers/net/wireguard/send.c:34 wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3263 process_scheduled_works kernel/workqueue.c:3346 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3427 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> net_ratelimit: 10420 callbacks suppressed bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on veth0_to_bridge with own address as source address (addr:fa:3c:c6:63:11:78, vlan:0) bridge0: received packet on veth0_to_bridge with own address as source address (addr:fa:3c:c6:63:11:78, vlan:0) bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0) bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0) bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on veth0_to_bridge with own address as source address (addr:fa:3c:c6:63:11:78, vlan:0) bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0) net_ratelimit: 13781 callbacks suppressed bridge0: received packet on veth0_to_bridge with own address as source address (addr:fa:3c:c6:63:11:78, vlan:0) bridge0: received packet on veth0_to_bridge with own address as source address (addr:fa:3c:c6:63:11:78, vlan:0) bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0) bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0) bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on veth0_to_bridge with own address as source address (addr:fa:3c:c6:63:11:78, vlan:0) bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0) bridge0: received packet on veth0_to_bridge with own address as source address (addr:fa:3c:c6:63:11:78, vlan:0)

Crashes (1):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2025/10/25 06:30	upstream	d2818517e348	c0460fcd	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-qemu-gce-upstream-auto	INFO: task hung in fsnotify_destroy_group

Crashes (1):

Assets (help?)