BUG: soft lockup in rt6_probe_deferred
From: syzbot
Date: Sun Sep 08 2019 - 03:19:13 EST
Hello,
syzbot found the following crash on:
HEAD commit: 3b47fd5c Merge tag 'nfs-for-5.3-4' of git://git.linux-nfs...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=128438d1600000
kernel config: https://syzkaller.appspot.com/x/.config?x=b89bb446a3faaba4
dashboard link: https://syzkaller.appspot.com/bug?extid=73944791f9cee53358f6
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+73944791f9cee53358f6@xxxxxxxxxxxxxxxxxxxxxxxxx
watchdog: BUG: soft lockup - CPU#0 stuck for 123s! [kworker/0:5:10035]
Modules linked in:
irq event stamp: 0
hardirqs last enabled at (0): [<0000000000000000>] 0x0
hardirqs last disabled at (0): [<ffffffff81436da5>] copy_process+0x1815/0x6b00 kernel/fork.c:1960
softirqs last enabled at (0): [<ffffffff81436e4c>] copy_process+0x18bc/0x6b00 kernel/fork.c:1963
softirqs last disabled at (0): [<0000000000000000>] 0x0
CPU: 0 PID: 10035 Comm: kworker/0:5 Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events rt6_probe_deferred
RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:656 [inline]
RIP: 0010:virt_spin_lock arch/x86/include/asm/qspinlock.h:84 [inline]
RIP: 0010:native_queued_spin_lock_slowpath+0x132/0x9f0 kernel/locking/qspinlock.c:325
Code: 00 00 00 48 8b 45 d0 65 48 33 04 25 28 00 00 00 0f 85 37 07 00 00 48 81 c4 98 00 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 f3 90 <e9> 73 ff ff ff 8b 45 98 4c 8d 65 d8 3d 00 01 00 00 0f 84 e5 00 00
RSP: 0018:ffff88805f6e6d90 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000000 RBX: ffff88808bb57328 RCX: ffffffff81595c37
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88808bb57328
RBP: ffff88805f6e6e50 R08: 1ffff1101176ae65 R09: ffffed101176ae66
R10: ffffed101176ae65 R11: ffff88808bb5732b R12: 0000000000000001
R13: 0000000000000003 R14: ffffed101176ae65 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6c537e8000 CR3: 000000009a0c6000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:654 [inline]
queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:50 [inline]
queued_spin_lock include/asm-generic/qspinlock.h:81 [inline]
do_raw_spin_lock+0x20e/0x2e0 kernel/locking/spinlock_debug.c:113
__raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
_raw_spin_lock+0x37/0x40 kernel/locking/spinlock.c:151
spin_lock include/linux/spinlock.h:338 [inline]
__dev_xmit_skb net/core/dev.c:3502 [inline]
__dev_queue_xmit+0x14b8/0x3650 net/core/dev.c:3838
dev_queue_xmit+0x18/0x20 net/core/dev.c:3902
br_dev_queue_push_xmit+0x3f3/0x5c0 net/bridge/br_forward.c:52
NF_HOOK include/linux/netfilter.h:305 [inline]
NF_HOOK include/linux/netfilter.h:299 [inline]
br_forward_finish+0xfa/0x400 net/bridge/br_forward.c:65
NF_HOOK include/linux/netfilter.h:305 [inline]
NF_HOOK include/linux/netfilter.h:299 [inline]
__br_forward+0x641/0xb00 net/bridge/br_forward.c:109
deliver_clone+0x61/0xc0 net/bridge/br_forward.c:125
maybe_deliver+0x2c7/0x390 net/bridge/br_forward.c:181
br_flood+0x13a/0x3d0 net/bridge/br_forward.c:223
br_dev_xmit+0x98c/0x15a0 net/bridge/br_device.c:100
__netdev_start_xmit include/linux/netdevice.h:4406 [inline]
netdev_start_xmit include/linux/netdevice.h:4420 [inline]
xmit_one net/core/dev.c:3280 [inline]
dev_hard_start_xmit+0x1a3/0x9c0 net/core/dev.c:3296
__dev_queue_xmit+0x2b15/0x3650 net/core/dev.c:3869
dev_queue_xmit+0x18/0x20 net/core/dev.c:3902
neigh_hh_output include/net/neighbour.h:500 [inline]
neigh_output include/net/neighbour.h:509 [inline]
ip6_finish_output2+0xf58/0x2520 net/ipv6/ip6_output.c:116
__ip6_finish_output+0x444/0xa50 net/ipv6/ip6_output.c:142
ip6_finish_output+0x38/0x1f0 net/ipv6/ip6_output.c:152
NF_HOOK_COND include/linux/netfilter.h:294 [inline]
ip6_output+0x235/0x7c0 net/ipv6/ip6_output.c:175
dst_output include/net/dst.h:436 [inline]
NF_HOOK include/linux/netfilter.h:305 [inline]
ndisc_send_skb+0xf29/0x1450 net/ipv6/ndisc.c:504
ndisc_send_ns+0x3a9/0x850 net/ipv6/ndisc.c:646
rt6_probe_deferred+0xe3/0x1a0 net/ipv6/route.c:615
process_one_work+0x9af/0x1740 kernel/workqueue.c:2269
worker_thread+0x98/0xe40 kernel/workqueue.c:2415
kthread+0x361/0x430 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Sending NMI from CPU 0 to CPUs 1:
INFO: NMI handler (nmi_cpu_backtrace_handler) took too long to run: 1.530 msecs
NMI backtrace for cpu 1
CPU: 1 PID: 10038 Comm: kworker/1:3 Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events rt6_probe_deferred
RIP: 0010:__list_del_entry_valid+0x74/0xf5 lib/list_debug.c:51
Code: 00 48 b8 00 01 00 00 00 00 ad de 4d 8b 2e 49 39 c5 0f 84 e1 00 00 00 48 b8 22 01 00 00 00 00 ad de 49 39 c4 0f 84 e2 00 00 00 <48> b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 80 3c 02 00 75
RSP: 0018:ffff8880ae908b20 EFLAGS: 00000212
RAX: dead000000000122 RBX: ffff88808bb57538 RCX: ffffffff85c64b39
RDX: 1ffff1101176aea7 RSI: ffffffff85c65006 RDI: ffff88808bb57540
RBP: ffff8880ae908b38 R08: ffff88805c72e500 R09: 0000000000000000
R10: fffffbfff134af8f R11: ffff88805c72e500 R12: ffff88808bb575d0
R13: ffff88808bb575d0 R14: ffff88808bb57538 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6c537e8000 CR3: 000000009a0c6000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_del_entry include/linux/list.h:131 [inline]
list_move_tail include/linux/list.h:213 [inline]
hhf_dequeue+0x5c5/0xa20 net/sched/sch_hhf.c:439
dequeue_skb net/sched/sch_generic.c:258 [inline]
qdisc_restart net/sched/sch_generic.c:361 [inline]
__qdisc_run+0x1e7/0x19d0 net/sched/sch_generic.c:379
__dev_xmit_skb net/core/dev.c:3533 [inline]
__dev_queue_xmit+0x16f1/0x3650 net/core/dev.c:3838
dev_queue_xmit+0x18/0x20 net/core/dev.c:3902
br_dev_queue_push_xmit+0x3f3/0x5c0 net/bridge/br_forward.c:52
br_nf_dev_queue_xmit+0x34e/0x1470 net/bridge/br_netfilter_hooks.c:796
NF_HOOK include/linux/netfilter.h:305 [inline]
NF_HOOK include/linux/netfilter.h:299 [inline]
br_nf_post_routing+0x1502/0x1d30 net/bridge/br_netfilter_hooks.c:844
nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
nf_hook_slow+0xbc/0x1e0 net/netfilter/core.c:512
nf_hook include/linux/netfilter.h:260 [inline]
NF_HOOK include/linux/netfilter.h:303 [inline]
br_forward_finish+0x215/0x400 net/bridge/br_forward.c:65
br_nf_hook_thresh+0x2e9/0x370 net/bridge/br_netfilter_hooks.c:1015
br_nf_forward_finish+0x66c/0xa90 net/bridge/br_netfilter_hooks.c:560
NF_HOOK include/linux/netfilter.h:305 [inline]
NF_HOOK include/linux/netfilter.h:299 [inline]
br_nf_forward_ip net/bridge/br_netfilter_hooks.c:630 [inline]
br_nf_forward_ip+0xc74/0x21e0 net/bridge/br_netfilter_hooks.c:571
nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
nf_hook_slow+0xbc/0x1e0 net/netfilter/core.c:512
nf_hook include/linux/netfilter.h:260 [inline]
NF_HOOK include/linux/netfilter.h:303 [inline]
__br_forward+0x393/0xb00 net/bridge/br_forward.c:109
deliver_clone+0x61/0xc0 net/bridge/br_forward.c:125
br_flood+0x325/0x3d0 net/bridge/br_forward.c:232
br_handle_frame_finish+0xb46/0x1670 net/bridge/br_input.c:162
br_nf_hook_thresh+0x2e9/0x370 net/bridge/br_netfilter_hooks.c:1015
br_nf_pre_routing_finish_ipv6+0x6fb/0xd80 net/bridge/br_netfilter_ipv6.c:206
NF_HOOK include/linux/netfilter.h:305 [inline]
br_nf_pre_routing_ipv6+0x456/0x832 net/bridge/br_netfilter_ipv6.c:236
br_nf_pre_routing+0x1743/0x2355 net/bridge/br_netfilter_hooks.c:501
nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
nf_hook_bridge_pre net/bridge/br_input.c:223 [inline]
br_handle_frame+0x806/0x133e net/bridge/br_input.c:348
__netif_receive_skb_core+0xfc1/0x3060 net/core/dev.c:4905
__netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:5002
__netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5118
process_backlog+0x206/0x750 net/core/dev.c:5929
napi_poll net/core/dev.c:6352 [inline]
net_rx_action+0x4d6/0x1030 net/core/dev.c:6418
__do_softirq+0x262/0x98c kernel/softirq.c:292
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082
</IRQ>
do_softirq.part.0+0x11a/0x170 kernel/softirq.c:337
do_softirq kernel/softirq.c:329 [inline]
__local_bh_enable_ip+0x211/0x270 kernel/softirq.c:189
local_bh_enable include/linux/bottom_half.h:32 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:681 [inline]
ip6_finish_output2+0x10a0/0x2520 net/ipv6/ip6_output.c:117
__ip6_finish_output+0x444/0xa50 net/ipv6/ip6_output.c:142
ip6_finish_output+0x38/0x1f0 net/ipv6/ip6_output.c:152
NF_HOOK_COND include/linux/netfilter.h:294 [inline]
ip6_output+0x235/0x7c0 net/ipv6/ip6_output.c:175
dst_output include/net/dst.h:436 [inline]
NF_HOOK include/linux/netfilter.h:305 [inline]
ndisc_send_skb+0xf29/0x1450 net/ipv6/ndisc.c:504
ndisc_send_ns+0x3a9/0x850 net/ipv6/ndisc.c:646
rt6_probe_deferred+0xe3/0x1a0 net/ipv6/route.c:615
process_one_work+0x9af/0x1740 kernel/workqueue.c:2269
worker_thread+0x98/0xe40 kernel/workqueue.c:2415
kthread+0x361/0x430 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxxx
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.