watchdog: BUG: soft lockup - CPU#0 stuck for 143s! [syz.4.5870:20786]
Modules linked in:
irq event stamp: 13798269
hardirqs last  enabled at (13798268): [<ffffffff89e00d06>] asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
hardirqs last disabled at (13798269): [<ffffffff89bcc30a>] sysvec_apic_timer_interrupt+0xa/0xc0 arch/x86/kernel/apic/apic.c:1108
softirqs last  enabled at (21304): [<ffffffff81495b1b>] __do_softirq kernel/softirq.c:610 [inline]
softirqs last  enabled at (21304): [<ffffffff81495b1b>] invoke_softirq kernel/softirq.c:450 [inline]
softirqs last  enabled at (21304): [<ffffffff81495b1b>] __irq_exit_rcu+0x13b/0x230 kernel/softirq.c:659
softirqs last disabled at (22215): [<ffffffff81495b1b>] __do_softirq kernel/softirq.c:610 [inline]
softirqs last disabled at (22215): [<ffffffff81495b1b>] invoke_softirq kernel/softirq.c:450 [inline]
softirqs last disabled at (22215): [<ffffffff81495b1b>] __irq_exit_rcu+0x13b/0x230 kernel/softirq.c:659
CPU: 0 PID: 20786 Comm: syz.4.5870 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:unwind_next_frame+0x1165/0x1d90 arch/x86/kernel/unwind_orc.c:-1
Code: e8 03 42 0f b6 04 28 84 c0 0f 85 15 0b 00 00 49 0f bf 04 24 48 01 c6 48 89 df 4c 89 fa e8 33 0c 00 00 84 c0 0f 84 b4 03 00 00 <49> bd 00 00 00 00 00 fc ff df 48 8b 44 24 48 42 0f b6 04 28 84 c0
RSP: 0018:ffffc900000074e8 EFLAGS: 00000202
RAX: 1ffff92000000e01 RBX: ffffc900000075a8 RCX: 0000000000000001
RDX: ffffc900000075e8 RSI: ffffc900033d7748 RDI: ffffc900033d7748
RBP: ffffc900000075f0 R08: ffffc90000007607 R09: ffffc900000075f8
R10: dffffc0000000000 R11: fffff52000000ec1 R12: 1ffffffff1c075da
R13: dffffc0000000000 R14: ffffc900000075f8 R15: ffffffff8e03aed4
FS:  00007fb3a4d346c0(0000) GS:ffff8880b9000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1240d08dac CR3: 00000000666c2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 arch_stack_walk+0x10c/0x140 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0xa6/0xf0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0xd5/0x110 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1710 [inline]
 slab_free_freelist_hook+0xea/0x170 mm/slub.c:1736
 slab_free mm/slub.c:3504 [inline]
 kmem_cache_free+0x8f/0x210 mm/slub.c:3520
 tcp_write_queue_purge+0x13d/0x3e0 net/ipv4/tcp.c:2967
 tcp_done_with_error+0x3f/0xc0 net/ipv4/tcp_input.c:4400
 tcp_write_err net/ipv4/tcp_timer.c:70 [inline]
 tcp_write_timeout net/ipv4/tcp_timer.c:273 [inline]
 tcp_retransmit_timer+0x1195/0x2540 net/ipv4/tcp_timer.c:543
 tcp_write_timer_handler+0x205/0x9a0 net/ipv4/tcp_timer.c:655
 tcp_write_timer+0x126/0x280 net/ipv4/tcp_timer.c:675
 call_timer_fn+0x17b/0x540 kernel/time/timer.c:1648
 expire_timers kernel/time/timer.c:1699 [inline]
 __run_timers+0x53e/0x800 kernel/time/timer.c:1970
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1983
 handle_softirqs+0x339/0x830 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 invoke_softirq kernel/softirq.c:450 [inline]
 __irq_exit_rcu+0x13b/0x230 kernel/softirq.c:659
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:get_current arch/x86/include/asm/current.h:15 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x4/0x60 kernel/kcov.c:205
Code: 84 00 00 00 00 00 53 48 89 fb e8 17 00 00 00 48 8b 3d 50 c4 10 0c 48 89 de 5b e9 27 55 44 00 00 00 cc cc 00 00 cc 48 8b 04 24 <65> 48 8b 0d a4 39 89 7e 65 8b 15 a5 39 89 7e 81 e2 00 01 ff 00 74
RSP: 0018:ffffc900033d7320 EFLAGS: 00000246
RAX: ffffffff81372b4a RBX: 0000000018bbd067 RCX: 1ffff11002db8801
RDX: ffffc90010922000 RSI: 000000000000bce0 RDI: 0000000018bbd067
RBP: fffff52000268000 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff203ac19 R12: 0000000018bbd000
R13: ffff888018bbd338 R14: ffff888016dc4008 R15: fffff52000267000
 pmd_huge+0xa/0x40 arch/x86/mm/hugetlbpage.c:66
 apply_to_pte_range mm/memory.c:2566 [inline]
 apply_to_pmd_range mm/memory.c:2617 [inline]
 apply_to_pud_range mm/memory.c:2653 [inline]
 apply_to_p4d_range mm/memory.c:2689 [inline]
 __apply_to_page_range+0x8f2/0xd10 mm/memory.c:2725
 kasan_release_vmalloc+0x93/0xb0 mm/kasan/shadow.c:485
 __purge_vmap_area_lazy+0xafc/0x1950 mm/vmalloc.c:1711
 _vm_unmap_aliases+0x410/0x4a0 mm/vmalloc.c:2114
 change_page_attr_set_clr+0x323/0xca0 arch/x86/mm/pat/set_memory.c:1740
 change_page_attr_clear arch/x86/mm/pat/set_memory.c:1797 [inline]
 set_memory_ro+0x89/0xd0 arch/x86/mm/pat/set_memory.c:1943
 bpf_jit_binary_lock_ro include/linux/filter.h:919 [inline]
 bpf_int_jit_compile+0xc6d8/0xcd80 arch/x86/net/bpf_jit_comp.c:2478
 bpf_prog_select_runtime+0x46f/0x7c0 kernel/bpf/core.c:1977
 bpf_prog_load+0x1017/0x1510 kernel/bpf/syscall.c:2358
 __sys_bpf+0x532/0x6f0 kernel/bpf/syscall.c:4657
 __do_sys_bpf kernel/bpf/syscall.c:4761 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4759 [inline]
 __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4759
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fb3a6adae59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb3a4d34028 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fb3a6d53fa0 RCX: 00007fb3a6adae59
RDX: 0000000000000080 RSI: 0000200000000200 RDI: 0000000000000005
RBP: 00007fb3a6b70d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb3a6d54038 R14: 00007fb3a6d53fa0 R15: 00007ffdbd8b1e68
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 20792 Comm: syz.0.5873 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:pv_wait_head_or_lock kernel/locking/qspinlock_paravirt.h:434 [inline]
RIP: 0010:__pv_queued_spin_lock_slowpath+0x527/0x9c0 kernel/locking/qspinlock.c:508
Code: 00 41 c6 45 00 00 48 8b 44 24 10 42 0f b6 04 38 84 c0 0f 85 1c 01 00 00 48 8b 44 24 08 c6 00 01 41 bd 00 80 ff ff eb 07 f3 90 <41> ff c5 74 47 43 0f b6 04 3e 84 c0 75 2b 80 3b 00 75 eb 48 89 df
RSP: 0018:ffffc900034078c0 EFLAGS: 00000206
RAX: 0000000000000000 RBX: ffffffff8c3dd260 RCX: fa36129cb89ab500
RDX: dffffc0000000000 RSI: ffffffff8a2b3100 RDI: ffffffff8a7a0700
RBP: ffffc900034079b8 R08: ffffffff901d60c7 R09: 1ffffffff203ac18
R10: dffffc0000000000 R11: fffffbfff203ac19 R12: 1ffff11017220001
R13: 00000000ffffa956 R14: 1ffffffff187ba4c R15: dffffc0000000000
FS:  00007f6cacb4f6c0(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c31a873 CR3: 0000000067fe8000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 <TASK>
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:585 [inline]
 queued_spin_lock_slowpath+0x43/0x50 arch/x86/include/asm/qspinlock.h:51
 queued_spin_lock include/asm-generic/qspinlock.h:85 [inline]
 do_raw_spin_lock+0x265/0x2f0 kernel/locking/spinlock_debug.c:115
 spin_lock include/linux/spinlock.h:364 [inline]
 preload_this_cpu_lock mm/vmalloc.c:1507 [inline]
 alloc_vmap_area+0x23c/0x1a10 mm/vmalloc.c:1549
 __get_vm_area_node+0x14f/0x2d0 mm/vmalloc.c:2430
 get_vm_area_caller mm/vmalloc.c:2473 [inline]
 vmap+0xd4/0x290 mm/vmalloc.c:2758
 bpf_ringbuf_area_alloc kernel/bpf/ringbuf.c:109 [inline]
 bpf_ringbuf_alloc+0x33b/0x510 kernel/bpf/ringbuf.c:136
 ringbuf_map_alloc+0x1d1/0x300 kernel/bpf/ringbuf.c:176
 find_and_alloc_map kernel/bpf/syscall.c:129 [inline]
 map_create+0x485/0x2350 kernel/bpf/syscall.c:881
 __sys_bpf+0x30a/0x6f0 kernel/bpf/syscall.c:4639
 __do_sys_bpf kernel/bpf/syscall.c:4761 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4759 [inline]
 __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4759
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f6cae8f5e59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6cacb4f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f6caeb6efa0 RCX: 00007f6cae8f5e59
RDX: 0000000000000050 RSI: 0000200000000100 RDI: 0000000000000000
RBP: 00007f6cae98bd6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6caeb6f038 R14: 00007f6caeb6efa0 R15: 00007fff2e6db9a8
 </TASK>