[syzbot] [mm?] WARNING: suspicious RCU usage in usb_tx_block
1 view
Skip to first unread message
syzbot
Mar 8, 2026, 6:54:49āÆPMĀ (13 hours ago)Ā Mar 8
to anna-...@linutronix.de, fred...@kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, linu...@vger.kernel.org, syzkall...@googlegroups.com, tg...@kernel.org
Hello,
syzbot found the following issue on:
HEAD commit: bb375c251ab4 dt-bindings: usb: st,st-ohci-300x: convert to..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=13e19552580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f1500201919951cc
dashboard link: https://syzkaller.appspot.com/bug?extid=602b46de41ef3a75dfb3
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2475c3172471/disk-bb375c25.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/30449aa672dd/vmlinux-bb375c25.xz
kernel image: https://storage.googleapis.com/syzbot-assets/46d3937d1c16/bzImage-bb375c25.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+602b46...@syzkaller.appspotmail.com
=============================
WARNING: suspicious RCU usage
syzkaller #0 Not tainted
-----------------------------
kernel/sched/core.c:8846 Illegal context switch in RCU-sched read-side critical section!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
8 locks held by syz-executor/16541:
#0: ffffffff898137d0 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mm kernel/fork.c:1529 [inline]
#0: ffffffff898137d0 (dup_mmap_sem){.+.+}-{0:0}, at: copy_mm kernel/fork.c:1582 [inline]
#0: ffffffff898137d0 (dup_mmap_sem){.+.+}-{0:0}, at: copy_process+0x4594/0x7800 kernel/fork.c:2223
#1: ffff888114e4cb40 (&mm->mmap_lock){++++}-{4:4}, at: mmap_write_lock_killable include/linux/mmap_lock.h:554 [inline]
#1: ffff888114e4cb40 (&mm->mmap_lock){++++}-{4:4}, at: dup_mmap+0x11f/0x1f30 mm/mmap.c:1740
#2: ffff88811c64b340 (&mm->mmap_lock/1){+.+.}-{4:4}, at: mmap_write_lock_nested include/linux/mmap_lock.h:544 [inline]
#2: ffff88811c64b340 (&mm->mmap_lock/1){+.+.}-{4:4}, at: dup_mmap+0x1ba/0x1f30 mm/mmap.c:1747
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x2f/0x300 mm/pgtable-generic.c:288
#4: ffff8881356161f8 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}
, at: spin_lock include/linux/spinlock.h:341 [inline]
, at: pte_offset_map_lock+0x10f/0x320 mm/pgtable-generic.c:402
#5: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#5: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
#5: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x2f/0x300 mm/pgtable-generic.c:288
#6: ffff88813be78978 (ptlock_ptr(ptdesc)#2/1){+.+.}-{3:3}, at: copy_pte_range mm/memory.c:1269 [inline]
#6: ffff88813be78978 (ptlock_ptr(ptdesc)#2/1){+.+.}-{3:3}, at: copy_pmd_range mm/memory.c:1405 [inline]
#6: ffff88813be78978 (ptlock_ptr(ptdesc)#2/1){+.+.}-{3:3}, at: copy_pud_range mm/memory.c:1442 [inline]
#6: ffff88813be78978 (ptlock_ptr(ptdesc)#2/1){+.+.}-{3:3}, at: copy_p4d_range mm/memory.c:1466 [inline]
#6: ffff88813be78978 (ptlock_ptr(ptdesc)#2/1){+.+.}-{3:3}, at: copy_page_range+0xc75/0x2630 mm/memory.c:1552
#7: ffffffff896e04e0 (rcu_read_lock_sched){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#7: ffffffff896e04e0 (rcu_read_lock_sched){....}-{1:2}, at: rcu_read_lock_sched include/linux/rcupdate.h:948 [inline]
#7: ffffffff896e04e0 (rcu_read_lock_sched){....}-{1:2}, at: pfn_valid include/linux/mmzone.h:2197 [inline]
#7: ffffffff896e04e0 (rcu_read_lock_sched){....}-{1:2}, at: page_table_check_set+0x4f/0xa10 mm/page_table_check.c:105
stack backtrace:
CPU: 0 UID: 0 PID: 16541 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
lockdep_rcu_suspicious.cold+0x4f/0xb1 kernel/locking/lockdep.c:6876
__might_resched+0x2e0/0x330 kernel/sched/core.c:8846
usb_kill_urb+0x8e/0x320 drivers/usb/core/urb.c:705
usb_tx_block+0x91/0x320 drivers/net/wireless/marvell/libertas/if_usb.c:429
if_usb_send_fw_pkt.isra.0+0x2e4/0x550 drivers/net/wireless/marvell/libertas/if_usb.c:366
if_usb_receive_fwload+0x5d3/0x780 drivers/net/wireless/marvell/libertas/if_usb.c:592
__usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
dummy_timer+0xd85/0x3670 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1785 [inline]
__hrtimer_run_queues+0x50e/0xa70 kernel/time/hrtimer.c:1849
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1866
handle_softirqs+0x1de/0x9d0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1056
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:__sanitizer_cov_trace_pc+0xb/0x70 kernel/kcov.c:213
Code: 5a 00 be 03 00 00 00 5b e9 e2 26 1a 01 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 8b 05 25 16 43 0b <48> 8b 34 24 65 48 8b 15 01 16 43 0b a9 00 01 ff 00 74 1b f6 c4 01
RSP: 0018:ffffc9001495f398 EFLAGS: 00000202
RAX: 0000000080000003 RBX: 00000000001475a1 RCX: ffffffff821a7c7e
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff88811632ba00
RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000008
R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000
rcu_read_unlock_sched include/linux/rcupdate.h:970 [inline]
pfn_valid include/linux/mmzone.h:2207 [inline]
page_table_check_set+0x86d/0xa10 mm/page_table_check.c:105
__page_table_check_ptes_set+0x1db/0x230 mm/page_table_check.c:215
page_table_check_ptes_set include/linux/page_table_check.h:83 [inline]
set_ptes include/linux/pgtable.h:413 [inline]
__copy_present_ptes mm/memory.c:1115 [inline]
copy_present_ptes+0xcc4/0x4590 mm/memory.c:1194
copy_pte_range mm/memory.c:1317 [inline]
copy_pmd_range mm/memory.c:1405 [inline]
copy_pud_range mm/memory.c:1442 [inline]
copy_p4d_range mm/memory.c:1466 [inline]
copy_page_range+0xe45/0x2630 mm/memory.c:1552
dup_mmap+0xcb9/0x1f30 mm/mmap.c:1841
dup_mm kernel/fork.c:1530 [inline]
copy_mm kernel/fork.c:1582 [inline]
copy_process+0x459f/0x7800 kernel/fork.c:2223
kernel_clone+0xfc/0x9a0 kernel/fork.c:2654
__do_sys_clone+0xd9/0x120 kernel/fork.c:2795
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x106/0x7b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3e86fc5212
Code: 89 e7 e8 71 8b f7 ff 45 31 c0 31 d2 31 f6 64 48 8b 04 25 10 00 00 00 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 66 89 c5 85 c0 75 3b 64 48 8b 04 25 10 00 00
RSP: 002b:00007fff99746eb0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007fff99746eb0 RCX: 00007f3e86fc5212
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 00007fff9974703c R08: 0000000000000000 R09: 0000000000000001
R10: 00005555833b67d0 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000000927c0 R14: 0000000000301ae6 R15: 00007fff99747090
</TASK>
BUG: sleeping function called from invalid context at drivers/usb/core/urb.c:705
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 16541, name: syz-executor
preempt_count: 103, expected: 0
RCU nest depth: 2, expected: 0
8 locks held by syz-executor/16541:
#0:
ffffffff898137d0 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mm kernel/fork.c:1529 [inline]
ffffffff898137d0 (dup_mmap_sem){.+.+}-{0:0}, at: copy_mm kernel/fork.c:1582 [inline]
ffffffff898137d0 (dup_mmap_sem){.+.+}-{0:0}, at: copy_process+0x4594/0x7800 kernel/fork.c:2223
#1: ffff888114e4cb40 (&mm->mmap_lock){++++}-{4:4}, at: mmap_write_lock_killable include/linux/mmap_lock.h:554 [inline]
#1: ffff888114e4cb40 (&mm->mmap_lock){++++}-{4:4}, at: dup_mmap+0x11f/0x1f30 mm/mmap.c:1740
#2:
ffff88811c64b340 (&mm->mmap_lock
/1){+.+.}-{4:4}, at: mmap_write_lock_nested include/linux/mmap_lock.h:544 [inline]
/1){+.+.}-{4:4}, at: dup_mmap+0x1ba/0x1f30 mm/mmap.c:1747
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x2f/0x300 mm/pgtable-generic.c:288
#4: ffff8881356161f8 (ptlock_ptr(ptdesc)
#2){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:341 [inline]
#2){+.+.}-{3:3}, at: pte_offset_map_lock+0x10f/0x320 mm/pgtable-generic.c:402
#5: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#5: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
#5: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x2f/0x300 mm/pgtable-generic.c:288
#6: ffff88813be78978 (ptlock_ptr(ptdesc)
#2/1){+.+.}-{3:3}
, at: copy_pte_range mm/memory.c:1269 [inline]
, at: copy_pmd_range mm/memory.c:1405 [inline]
, at: copy_pud_range mm/memory.c:1442 [inline]
, at: copy_p4d_range mm/memory.c:1466 [inline]
, at: copy_page_range+0xc75/0x2630 mm/memory.c:1552
#7: ffffffff896e04e0 (rcu_read_lock_sched){....}-{1:2}
, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
, at: rcu_read_lock_sched include/linux/rcupdate.h:948 [inline]
, at: pfn_valid include/linux/mmzone.h:2197 [inline]
, at: page_table_check_set+0x4f/0xa10 mm/page_table_check.c:105
irq event stamp: 4986957
hardirqs last enabled at (4986956): [<ffffffff876b20b2>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:178 [inline]
hardirqs last enabled at (4986956): [<ffffffff876b20b2>] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194
hardirqs last disabled at (4986957): [<ffffffff876b1dc2>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:130 [inline]
hardirqs last disabled at (4986957): [<ffffffff876b1dc2>] _raw_spin_lock_irqsave+0x52/0x60 kernel/locking/spinlock.c:162
softirqs last enabled at (4986950): [<ffffffff8176f0bd>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (4986950): [<ffffffff8176f0bd>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (4986950): [<ffffffff8176f0bd>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
softirqs last disabled at (4986953): [<ffffffff8176f0bd>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (4986953): [<ffffffff8176f0bd>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (4986953): [<ffffffff8176f0bd>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 UID: 0 PID: 16541 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
__might_resched.cold+0x1ec/0x232 kernel/sched/core.c:8884
usb_kill_urb+0x8e/0x320 drivers/usb/core/urb.c:705
usb_tx_block+0x91/0x320 drivers/net/wireless/marvell/libertas/if_usb.c:429
if_usb_send_fw_pkt.isra.0+0x2e4/0x550 drivers/net/wireless/marvell/libertas/if_usb.c:366
if_usb_receive_fwload+0x5d3/0x780 drivers/net/wireless/marvell/libertas/if_usb.c:592
__usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
dummy_timer+0xd85/0x3670 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1785 [inline]
__hrtimer_run_queues+0x50e/0xa70 kernel/time/hrtimer.c:1849
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1866
handle_softirqs+0x1de/0x9d0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1056
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:__sanitizer_cov_trace_pc+0xb/0x70 kernel/kcov.c:213
Code: 5a 00 be 03 00 00 00 5b e9 e2 26 1a 01 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 8b 05 25 16 43 0b <48> 8b 34 24 65 48 8b 15 01 16 43 0b a9 00 01 ff 00 74 1b f6 c4 01
RSP: 0018:ffffc9001495f398 EFLAGS: 00000202
RAX: 0000000080000003 RBX: 00000000001475a1 RCX: ffffffff821a7c7e
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff88811632ba00
RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000008
R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000
rcu_read_unlock_sched include/linux/rcupdate.h:970 [inline]
pfn_valid include/linux/mmzone.h:2207 [inline]
page_table_check_set+0x86d/0xa10 mm/page_table_check.c:105
__page_table_check_ptes_set+0x1db/0x230 mm/page_table_check.c:215
page_table_check_ptes_set include/linux/page_table_check.h:83 [inline]
set_ptes include/linux/pgtable.h:413 [inline]
__copy_present_ptes mm/memory.c:1115 [inline]
copy_present_ptes+0xcc4/0x4590 mm/memory.c:1194
copy_pte_range mm/memory.c:1317 [inline]
copy_pmd_range mm/memory.c:1405 [inline]
copy_pud_range mm/memory.c:1442 [inline]
copy_p4d_range mm/memory.c:1466 [inline]
copy_page_range+0xe45/0x2630 mm/memory.c:1552
dup_mmap+0xcb9/0x1f30 mm/mmap.c:1841
dup_mm kernel/fork.c:1530 [inline]
copy_mm kernel/fork.c:1582 [inline]
copy_process+0x459f/0x7800 kernel/fork.c:2223
kernel_clone+0xfc/0x9a0 kernel/fork.c:2654
__do_sys_clone+0xd9/0x120 kernel/fork.c:2795
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x106/0x7b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3e86fc5212
Code: 89 e7 e8 71 8b f7 ff 45 31 c0 31 d2 31 f6 64 48 8b 04 25 10 00 00 00 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 66 89 c5 85 c0 75 3b 64 48 8b 04 25 10 00 00
RSP: 002b:00007fff99746eb0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007fff99746eb0 RCX: 00007f3e86fc5212
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 00007fff9974703c R08: 0000000000000000 R09: 0000000000000001
R10: 00005555833b67d0 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000000927c0 R14: 0000000000301ae6 R15: 00007fff99747090
</TASK>
BUG: scheduling while atomic: syz-executor/16541/0x00000104
8 locks held by syz-executor/16541:
#0: ffffffff898137d0
(dup_mmap_sem){.+.+}-{0:0}, at: dup_mm kernel/fork.c:1529 [inline]
(dup_mmap_sem){.+.+}-{0:0}, at: copy_mm kernel/fork.c:1582 [inline]
(dup_mmap_sem){.+.+}-{0:0}, at: copy_process+0x4594/0x7800 kernel/fork.c:2223
#1: ffff888114e4cb40 (&mm->mmap_lock){++++}-{4:4}, at: mmap_write_lock_killable include/linux/mmap_lock.h:554 [inline]
#1: ffff888114e4cb40 (&mm->mmap_lock){++++}-{4:4}, at: dup_mmap+0x11f/0x1f30 mm/mmap.c:1740
#2: ffff88811c64b340 (&mm->mmap_lock/1){+.+.}-{4:4}, at: mmap_write_lock_nested include/linux/mmap_lock.h:544 [inline]
#2: ffff88811c64b340 (&mm->mmap_lock/1){+.+.}-{4:4}, at: dup_mmap+0x1ba/0x1f30 mm/mmap.c:1747
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x2f/0x300 mm/pgtable-generic.c:288
#4: ffff8881356161f8 (ptlock_ptr(ptdesc)#2
){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:341 [inline]
){+.+.}-{3:3}, at: pte_offset_map_lock+0x10f/0x320 mm/pgtable-generic.c:402
#5: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}
, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
, at: __pte_offset_map+0x2f/0x300 mm/pgtable-generic.c:288
#6:
ffff88813be78978
(ptlock_ptr(ptdesc)#2/1){+.+.}-{3:3}
, at: copy_pte_range mm/memory.c:1269 [inline]
, at: copy_pmd_range mm/memory.c:1405 [inline]
, at: copy_pud_range mm/memory.c:1442 [inline]
, at: copy_p4d_range mm/memory.c:1466 [inline]
, at: copy_page_range+0xc75/0x2630 mm/memory.c:1552
#7: ffffffff896e04e0 (rcu_read_lock_sched
){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
){....}-{1:2}, at: rcu_read_lock_sched include/linux/rcupdate.h:948 [inline]
){....}-{1:2}, at: pfn_valid include/linux/mmzone.h:2197 [inline]
){....}-{1:2}, at: page_table_check_set+0x4f/0xa10 mm/page_table_check.c:105
Modules linked in:
irq event stamp: 4986957
hardirqs last enabled at (4986956): [<ffffffff876b20b2>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:178 [inline]
hardirqs last enabled at (4986956): [<ffffffff876b20b2>] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194
hardirqs last disabled at (4986957): [<ffffffff876b1dc2>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:130 [inline]
hardirqs last disabled at (4986957): [<ffffffff876b1dc2>] _raw_spin_lock_irqsave+0x52/0x60 kernel/locking/spinlock.c:162
softirqs last enabled at (4986950): [<ffffffff8176f0bd>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (4986950): [<ffffffff8176f0bd>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (4986950): [<ffffffff8176f0bd>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
softirqs last disabled at (4986953): [<ffffffff8176f0bd>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (4986953): [<ffffffff8176f0bd>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (4986953): [<ffffffff8176f0bd>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
Preemption disabled at:
[<0000000000000000>] 0x0
----------------
Code disassembly (best guess):
0: 5a pop %rdx
1: 00 be 03 00 00 00 add %bh,0x3(%rsi)
7: 5b pop %rbx
8: e9 e2 26 1a 01 jmp 0x11a26ef
d: 66 90 xchg %ax,%ax
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: 90 nop
18: 90 nop
19: 90 nop
1a: 90 nop
1b: 90 nop
1c: 90 nop
1d: 90 nop
1e: 90 nop
1f: f3 0f 1e fa endbr64
23: 65 8b 05 25 16 43 0b mov %gs:0xb431625(%rip),%eax # 0xb43164f
* 2a: 48 8b 34 24 mov (%rsp),%rsi <-- trapping instruction
2e: 65 48 8b 15 01 16 43 mov %gs:0xb431601(%rip),%rdx # 0xb431637
35: 0b
36: a9 00 01 ff 00 test $0xff0100,%eax
3b: 74 1b je 0x58
3d: f6 c4 01 test $0x1,%ah
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: bb375c251ab4 dt-bindings: usb: st,st-ohci-300x: convert to..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=13e19552580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f1500201919951cc
dashboard link: https://syzkaller.appspot.com/bug?extid=602b46de41ef3a75dfb3
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2475c3172471/disk-bb375c25.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/30449aa672dd/vmlinux-bb375c25.xz
kernel image: https://storage.googleapis.com/syzbot-assets/46d3937d1c16/bzImage-bb375c25.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+602b46...@syzkaller.appspotmail.com
=============================
WARNING: suspicious RCU usage
syzkaller #0 Not tainted
-----------------------------
kernel/sched/core.c:8846 Illegal context switch in RCU-sched read-side critical section!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
8 locks held by syz-executor/16541:
#0: ffffffff898137d0 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mm kernel/fork.c:1529 [inline]
#0: ffffffff898137d0 (dup_mmap_sem){.+.+}-{0:0}, at: copy_mm kernel/fork.c:1582 [inline]
#0: ffffffff898137d0 (dup_mmap_sem){.+.+}-{0:0}, at: copy_process+0x4594/0x7800 kernel/fork.c:2223
#1: ffff888114e4cb40 (&mm->mmap_lock){++++}-{4:4}, at: mmap_write_lock_killable include/linux/mmap_lock.h:554 [inline]
#1: ffff888114e4cb40 (&mm->mmap_lock){++++}-{4:4}, at: dup_mmap+0x11f/0x1f30 mm/mmap.c:1740
#2: ffff88811c64b340 (&mm->mmap_lock/1){+.+.}-{4:4}, at: mmap_write_lock_nested include/linux/mmap_lock.h:544 [inline]
#2: ffff88811c64b340 (&mm->mmap_lock/1){+.+.}-{4:4}, at: dup_mmap+0x1ba/0x1f30 mm/mmap.c:1747
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x2f/0x300 mm/pgtable-generic.c:288
#4: ffff8881356161f8 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}
, at: spin_lock include/linux/spinlock.h:341 [inline]
, at: pte_offset_map_lock+0x10f/0x320 mm/pgtable-generic.c:402
#5: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#5: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
#5: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x2f/0x300 mm/pgtable-generic.c:288
#6: ffff88813be78978 (ptlock_ptr(ptdesc)#2/1){+.+.}-{3:3}, at: copy_pte_range mm/memory.c:1269 [inline]
#6: ffff88813be78978 (ptlock_ptr(ptdesc)#2/1){+.+.}-{3:3}, at: copy_pmd_range mm/memory.c:1405 [inline]
#6: ffff88813be78978 (ptlock_ptr(ptdesc)#2/1){+.+.}-{3:3}, at: copy_pud_range mm/memory.c:1442 [inline]
#6: ffff88813be78978 (ptlock_ptr(ptdesc)#2/1){+.+.}-{3:3}, at: copy_p4d_range mm/memory.c:1466 [inline]
#6: ffff88813be78978 (ptlock_ptr(ptdesc)#2/1){+.+.}-{3:3}, at: copy_page_range+0xc75/0x2630 mm/memory.c:1552
#7: ffffffff896e04e0 (rcu_read_lock_sched){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#7: ffffffff896e04e0 (rcu_read_lock_sched){....}-{1:2}, at: rcu_read_lock_sched include/linux/rcupdate.h:948 [inline]
#7: ffffffff896e04e0 (rcu_read_lock_sched){....}-{1:2}, at: pfn_valid include/linux/mmzone.h:2197 [inline]
#7: ffffffff896e04e0 (rcu_read_lock_sched){....}-{1:2}, at: page_table_check_set+0x4f/0xa10 mm/page_table_check.c:105
stack backtrace:
CPU: 0 UID: 0 PID: 16541 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
lockdep_rcu_suspicious.cold+0x4f/0xb1 kernel/locking/lockdep.c:6876
__might_resched+0x2e0/0x330 kernel/sched/core.c:8846
usb_kill_urb+0x8e/0x320 drivers/usb/core/urb.c:705
usb_tx_block+0x91/0x320 drivers/net/wireless/marvell/libertas/if_usb.c:429
if_usb_send_fw_pkt.isra.0+0x2e4/0x550 drivers/net/wireless/marvell/libertas/if_usb.c:366
if_usb_receive_fwload+0x5d3/0x780 drivers/net/wireless/marvell/libertas/if_usb.c:592
__usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
dummy_timer+0xd85/0x3670 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1785 [inline]
__hrtimer_run_queues+0x50e/0xa70 kernel/time/hrtimer.c:1849
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1866
handle_softirqs+0x1de/0x9d0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1056
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:__sanitizer_cov_trace_pc+0xb/0x70 kernel/kcov.c:213
Code: 5a 00 be 03 00 00 00 5b e9 e2 26 1a 01 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 8b 05 25 16 43 0b <48> 8b 34 24 65 48 8b 15 01 16 43 0b a9 00 01 ff 00 74 1b f6 c4 01
RSP: 0018:ffffc9001495f398 EFLAGS: 00000202
RAX: 0000000080000003 RBX: 00000000001475a1 RCX: ffffffff821a7c7e
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff88811632ba00
RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000008
R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000
rcu_read_unlock_sched include/linux/rcupdate.h:970 [inline]
pfn_valid include/linux/mmzone.h:2207 [inline]
page_table_check_set+0x86d/0xa10 mm/page_table_check.c:105
__page_table_check_ptes_set+0x1db/0x230 mm/page_table_check.c:215
page_table_check_ptes_set include/linux/page_table_check.h:83 [inline]
set_ptes include/linux/pgtable.h:413 [inline]
__copy_present_ptes mm/memory.c:1115 [inline]
copy_present_ptes+0xcc4/0x4590 mm/memory.c:1194
copy_pte_range mm/memory.c:1317 [inline]
copy_pmd_range mm/memory.c:1405 [inline]
copy_pud_range mm/memory.c:1442 [inline]
copy_p4d_range mm/memory.c:1466 [inline]
copy_page_range+0xe45/0x2630 mm/memory.c:1552
dup_mmap+0xcb9/0x1f30 mm/mmap.c:1841
dup_mm kernel/fork.c:1530 [inline]
copy_mm kernel/fork.c:1582 [inline]
copy_process+0x459f/0x7800 kernel/fork.c:2223
kernel_clone+0xfc/0x9a0 kernel/fork.c:2654
__do_sys_clone+0xd9/0x120 kernel/fork.c:2795
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x106/0x7b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3e86fc5212
Code: 89 e7 e8 71 8b f7 ff 45 31 c0 31 d2 31 f6 64 48 8b 04 25 10 00 00 00 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 66 89 c5 85 c0 75 3b 64 48 8b 04 25 10 00 00
RSP: 002b:00007fff99746eb0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007fff99746eb0 RCX: 00007f3e86fc5212
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 00007fff9974703c R08: 0000000000000000 R09: 0000000000000001
R10: 00005555833b67d0 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000000927c0 R14: 0000000000301ae6 R15: 00007fff99747090
</TASK>
BUG: sleeping function called from invalid context at drivers/usb/core/urb.c:705
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 16541, name: syz-executor
preempt_count: 103, expected: 0
RCU nest depth: 2, expected: 0
8 locks held by syz-executor/16541:
#0:
ffffffff898137d0 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mm kernel/fork.c:1529 [inline]
ffffffff898137d0 (dup_mmap_sem){.+.+}-{0:0}, at: copy_mm kernel/fork.c:1582 [inline]
ffffffff898137d0 (dup_mmap_sem){.+.+}-{0:0}, at: copy_process+0x4594/0x7800 kernel/fork.c:2223
#1: ffff888114e4cb40 (&mm->mmap_lock){++++}-{4:4}, at: mmap_write_lock_killable include/linux/mmap_lock.h:554 [inline]
#1: ffff888114e4cb40 (&mm->mmap_lock){++++}-{4:4}, at: dup_mmap+0x11f/0x1f30 mm/mmap.c:1740
#2:
ffff88811c64b340 (&mm->mmap_lock
/1){+.+.}-{4:4}, at: mmap_write_lock_nested include/linux/mmap_lock.h:544 [inline]
/1){+.+.}-{4:4}, at: dup_mmap+0x1ba/0x1f30 mm/mmap.c:1747
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x2f/0x300 mm/pgtable-generic.c:288
#4: ffff8881356161f8 (ptlock_ptr(ptdesc)
#2){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:341 [inline]
#2){+.+.}-{3:3}, at: pte_offset_map_lock+0x10f/0x320 mm/pgtable-generic.c:402
#5: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#5: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
#5: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x2f/0x300 mm/pgtable-generic.c:288
#6: ffff88813be78978 (ptlock_ptr(ptdesc)
#2/1){+.+.}-{3:3}
, at: copy_pte_range mm/memory.c:1269 [inline]
, at: copy_pmd_range mm/memory.c:1405 [inline]
, at: copy_pud_range mm/memory.c:1442 [inline]
, at: copy_p4d_range mm/memory.c:1466 [inline]
, at: copy_page_range+0xc75/0x2630 mm/memory.c:1552
#7: ffffffff896e04e0 (rcu_read_lock_sched){....}-{1:2}
, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
, at: rcu_read_lock_sched include/linux/rcupdate.h:948 [inline]
, at: pfn_valid include/linux/mmzone.h:2197 [inline]
, at: page_table_check_set+0x4f/0xa10 mm/page_table_check.c:105
irq event stamp: 4986957
hardirqs last enabled at (4986956): [<ffffffff876b20b2>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:178 [inline]
hardirqs last enabled at (4986956): [<ffffffff876b20b2>] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194
hardirqs last disabled at (4986957): [<ffffffff876b1dc2>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:130 [inline]
hardirqs last disabled at (4986957): [<ffffffff876b1dc2>] _raw_spin_lock_irqsave+0x52/0x60 kernel/locking/spinlock.c:162
softirqs last enabled at (4986950): [<ffffffff8176f0bd>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (4986950): [<ffffffff8176f0bd>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (4986950): [<ffffffff8176f0bd>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
softirqs last disabled at (4986953): [<ffffffff8176f0bd>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (4986953): [<ffffffff8176f0bd>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (4986953): [<ffffffff8176f0bd>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 UID: 0 PID: 16541 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
__might_resched.cold+0x1ec/0x232 kernel/sched/core.c:8884
usb_kill_urb+0x8e/0x320 drivers/usb/core/urb.c:705
usb_tx_block+0x91/0x320 drivers/net/wireless/marvell/libertas/if_usb.c:429
if_usb_send_fw_pkt.isra.0+0x2e4/0x550 drivers/net/wireless/marvell/libertas/if_usb.c:366
if_usb_receive_fwload+0x5d3/0x780 drivers/net/wireless/marvell/libertas/if_usb.c:592
__usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
dummy_timer+0xd85/0x3670 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1785 [inline]
__hrtimer_run_queues+0x50e/0xa70 kernel/time/hrtimer.c:1849
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1866
handle_softirqs+0x1de/0x9d0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1056
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:__sanitizer_cov_trace_pc+0xb/0x70 kernel/kcov.c:213
Code: 5a 00 be 03 00 00 00 5b e9 e2 26 1a 01 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 8b 05 25 16 43 0b <48> 8b 34 24 65 48 8b 15 01 16 43 0b a9 00 01 ff 00 74 1b f6 c4 01
RSP: 0018:ffffc9001495f398 EFLAGS: 00000202
RAX: 0000000080000003 RBX: 00000000001475a1 RCX: ffffffff821a7c7e
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff88811632ba00
RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000008
R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000
rcu_read_unlock_sched include/linux/rcupdate.h:970 [inline]
pfn_valid include/linux/mmzone.h:2207 [inline]
page_table_check_set+0x86d/0xa10 mm/page_table_check.c:105
__page_table_check_ptes_set+0x1db/0x230 mm/page_table_check.c:215
page_table_check_ptes_set include/linux/page_table_check.h:83 [inline]
set_ptes include/linux/pgtable.h:413 [inline]
__copy_present_ptes mm/memory.c:1115 [inline]
copy_present_ptes+0xcc4/0x4590 mm/memory.c:1194
copy_pte_range mm/memory.c:1317 [inline]
copy_pmd_range mm/memory.c:1405 [inline]
copy_pud_range mm/memory.c:1442 [inline]
copy_p4d_range mm/memory.c:1466 [inline]
copy_page_range+0xe45/0x2630 mm/memory.c:1552
dup_mmap+0xcb9/0x1f30 mm/mmap.c:1841
dup_mm kernel/fork.c:1530 [inline]
copy_mm kernel/fork.c:1582 [inline]
copy_process+0x459f/0x7800 kernel/fork.c:2223
kernel_clone+0xfc/0x9a0 kernel/fork.c:2654
__do_sys_clone+0xd9/0x120 kernel/fork.c:2795
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x106/0x7b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3e86fc5212
Code: 89 e7 e8 71 8b f7 ff 45 31 c0 31 d2 31 f6 64 48 8b 04 25 10 00 00 00 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 66 89 c5 85 c0 75 3b 64 48 8b 04 25 10 00 00
RSP: 002b:00007fff99746eb0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007fff99746eb0 RCX: 00007f3e86fc5212
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 00007fff9974703c R08: 0000000000000000 R09: 0000000000000001
R10: 00005555833b67d0 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000000927c0 R14: 0000000000301ae6 R15: 00007fff99747090
</TASK>
BUG: scheduling while atomic: syz-executor/16541/0x00000104
8 locks held by syz-executor/16541:
#0: ffffffff898137d0
(dup_mmap_sem){.+.+}-{0:0}, at: dup_mm kernel/fork.c:1529 [inline]
(dup_mmap_sem){.+.+}-{0:0}, at: copy_mm kernel/fork.c:1582 [inline]
(dup_mmap_sem){.+.+}-{0:0}, at: copy_process+0x4594/0x7800 kernel/fork.c:2223
#1: ffff888114e4cb40 (&mm->mmap_lock){++++}-{4:4}, at: mmap_write_lock_killable include/linux/mmap_lock.h:554 [inline]
#1: ffff888114e4cb40 (&mm->mmap_lock){++++}-{4:4}, at: dup_mmap+0x11f/0x1f30 mm/mmap.c:1740
#2: ffff88811c64b340 (&mm->mmap_lock/1){+.+.}-{4:4}, at: mmap_write_lock_nested include/linux/mmap_lock.h:544 [inline]
#2: ffff88811c64b340 (&mm->mmap_lock/1){+.+.}-{4:4}, at: dup_mmap+0x1ba/0x1f30 mm/mmap.c:1747
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
#3: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x2f/0x300 mm/pgtable-generic.c:288
#4: ffff8881356161f8 (ptlock_ptr(ptdesc)#2
){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:341 [inline]
){+.+.}-{3:3}, at: pte_offset_map_lock+0x10f/0x320 mm/pgtable-generic.c:402
#5: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}
, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
, at: __pte_offset_map+0x2f/0x300 mm/pgtable-generic.c:288
#6:
ffff88813be78978
(ptlock_ptr(ptdesc)#2/1){+.+.}-{3:3}
, at: copy_pte_range mm/memory.c:1269 [inline]
, at: copy_pmd_range mm/memory.c:1405 [inline]
, at: copy_pud_range mm/memory.c:1442 [inline]
, at: copy_p4d_range mm/memory.c:1466 [inline]
, at: copy_page_range+0xc75/0x2630 mm/memory.c:1552
#7: ffffffff896e04e0 (rcu_read_lock_sched
){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
){....}-{1:2}, at: rcu_read_lock_sched include/linux/rcupdate.h:948 [inline]
){....}-{1:2}, at: pfn_valid include/linux/mmzone.h:2197 [inline]
){....}-{1:2}, at: page_table_check_set+0x4f/0xa10 mm/page_table_check.c:105
Modules linked in:
irq event stamp: 4986957
hardirqs last enabled at (4986956): [<ffffffff876b20b2>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:178 [inline]
hardirqs last enabled at (4986956): [<ffffffff876b20b2>] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194
hardirqs last disabled at (4986957): [<ffffffff876b1dc2>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:130 [inline]
hardirqs last disabled at (4986957): [<ffffffff876b1dc2>] _raw_spin_lock_irqsave+0x52/0x60 kernel/locking/spinlock.c:162
softirqs last enabled at (4986950): [<ffffffff8176f0bd>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (4986950): [<ffffffff8176f0bd>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (4986950): [<ffffffff8176f0bd>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
softirqs last disabled at (4986953): [<ffffffff8176f0bd>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (4986953): [<ffffffff8176f0bd>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (4986953): [<ffffffff8176f0bd>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
Preemption disabled at:
[<0000000000000000>] 0x0
----------------
Code disassembly (best guess):
0: 5a pop %rdx
1: 00 be 03 00 00 00 add %bh,0x3(%rsi)
7: 5b pop %rbx
8: e9 e2 26 1a 01 jmp 0x11a26ef
d: 66 90 xchg %ax,%ax
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: 90 nop
18: 90 nop
19: 90 nop
1a: 90 nop
1b: 90 nop
1c: 90 nop
1d: 90 nop
1e: 90 nop
1f: f3 0f 1e fa endbr64
23: 65 8b 05 25 16 43 0b mov %gs:0xb431625(%rip),%eax # 0xb43164f
* 2a: 48 8b 34 24 mov (%rsp),%rsi <-- trapping instruction
2e: 65 48 8b 15 01 16 43 mov %gs:0xb431601(%rip),%rdx # 0xb431637
35: 0b
36: a9 00 01 ff 00 test $0xff0100,%eax
3b: 74 1b je 0x58
3d: f6 c4 01 test $0x1,%ah
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages