[syzbot] [mm?] INFO: rcu detected stall in sys_execve (6)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 46ae4d0a4897 Merge git://git.kernel.org/pub/scm/linux/kern..
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=106a549f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=3e10d80c64e440c0
dashboard link: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=144e27c7980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c16ef5753326/disk-46ae4d0a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4a3a038d0ccf/vmlinux-46ae4d0a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/244ada956332/bzImage-46ae4d0a.xz

The issue was bisected to:

commit 5a781ccbd19e4664babcbe4b4ead7aa2b9283d22
Author: Vinicius Costa Gomes <viniciu...@intel.com>
Date: Sat Sep 29 00:59:43 2018 +0000

tc: Add support for configuring the taprio scheduler

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10311900580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=12311900580000
console output: https://syzkaller.appspot.com/x/log.txt?x=14311900580000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8bb3e2...@syzkaller.appspotmail.com
Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler")

rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 0-...D } 2685 jiffies s: 3289 root: 0x1/.
rcu: blocking rcu_node structures (internal RCU debug):
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 5444 Comm: syz-executor Not tainted 6.11.0-rc7-syzkaller-01396-g46ae4d0a4897 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:taprio_set_budgets+0x116/0x370 net/sched/sch_taprio.c:666
Code: 44 24 10 4c 89 74 24 18 4d 89 f5 45 31 ff 48 89 5c 24 08 bf 10 00 00 00 4c 89 fe e8 74 8f d2 f7 49 83 ff 0f 0f 87 63 01 00 00 <4c> 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 80 3c 08 00 74
RSP: 0018:ffffc90000007c30 EFLAGS: 00000093
RAX: 0000000000010000 RBX: ffff888028fdb130 RCX: ffff888030aada00
RDX: 0000000000010000 RSI: 0000000000000001 RDI: 0000000000000010
RBP: 0000000000000000 R08: ffffffff89c1021c R09: 1ffff110051cea10
R10: dffffc0000000000 R11: ffffed10051cea11 R12: 0000000000000004
R13: ffff888028e75008 R14: ffff888028e75000 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb58963cff8 CR3: 00000000311f6000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<IRQ>
advance_sched+0x98d/0xca0 net/sched/sch_taprio.c:977
__run_hrtimer kernel/time/hrtimer.c:1689 [inline]
__hrtimer_run_queues+0x59b/0xd50 kernel/time/hrtimer.c:1753
hrtimer_interrupt+0x396/0x990 kernel/time/hrtimer.c:1815
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1032 [inline]
__sysvec_apic_timer_interrupt+0x110/0x3f0 arch/x86/kernel/apic/apic.c:1049
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:unwind_next_frame+0x9/0x2a00 arch/x86/kernel/unwind_orc.c:469
Code: 4c 89 f7 e8 69 ad b9 00 e9 53 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 41 57 41 56 <41> 55 41 54 53 48 81 ec a0 00 00 00 48 89 fd 49 bd 00 00 00 00 00
RSP: 0018:ffffc9000422f120 EFLAGS: 00000202
RAX: 0000000000000001 RBX: ffffffff820edaf2 RCX: ffff888030aada00
RDX: dffffc0000000000 RSI: ffffffff820edaf2 RDI: ffffc9000422f140
RBP: ffffc9000422f1d0 R08: 000000000000000a R09: ffffc9000422f230
R10: 0000000000000003 R11: ffffffff817f2f80 R12: ffff888030aada00
R13: ffffffff817f2f80 R14: ffffc9000422f220 R15: ffffc9000422f140
arch_stack_walk+0x151/0x1b0 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x118/0x1d0 kernel/stacktrace.c:122
kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
__call_rcu_common kernel/rcu/tree.c:3106 [inline]
call_rcu+0x167/0xa70 kernel/rcu/tree.c:3210
remove_vma mm/mmap.c:189 [inline]
remove_mt mm/mmap.c:2415 [inline]
do_vmi_align_munmap+0x155c/0x18c0 mm/mmap.c:2758
do_vmi_munmap+0x261/0x2f0 mm/mmap.c:2830
__vm_munmap+0x1fc/0x400 mm/mmap.c:3109
elf_map fs/binfmt_elf.c:383 [inline]
elf_load+0x2d8/0x6f0 fs/binfmt_elf.c:408
load_elf_binary+0xeba/0x2680 fs/binfmt_elf.c:1141
search_binary_handler fs/exec.c:1827 [inline]
exec_binprm fs/exec.c:1869 [inline]
bprm_execve+0xaf8/0x1770 fs/exec.c:1920
do_execveat_common+0x55f/0x6f0 fs/exec.c:2027
do_execve fs/exec.c:2101 [inline]
__do_sys_execve fs/exec.c:2177 [inline]
__se_sys_execve fs/exec.c:2172 [inline]
__x64_sys_execve+0x92/0xb0 fs/exec.c:2172
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb5887b0df7
Code: Unable to access opcode bytes at 0x7fb5887b0dcd.
RSP: 002b:00007fb58963ce78 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 00007fb588815ef0 RCX: 00007fb5887b0df7
RDX: 00007ffedbc5b9b0 RSI: 00007ffedbc5bbf0 RDI: 00007ffedbc5cef5
RBP: 00007ffedbc5ba20 R08: 00007fb58963cf20 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 000055558020fa80
R13: 0000000000000100 R14: 00007ffedbc5b9d0 R15: 00007ffedbc5b780
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit: a74c7a58ca2c net: freescale: ucc_geth: Return early when T..
git tree: net
console output: https://syzkaller.appspot.com/x/log.txt?x=16fdf39a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=323fe5bdde2384a5
dashboard link: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13d8639a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=154863fa580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/50a3e60a3908/disk-a74c7a58.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ee6a6a2a52e4/vmlinux-a74c7a58.xz
kernel image: https://storage.googleapis.com/syzbot-assets/033a07d12b3e/bzImage-a74c7a58.xz

The issue was bisected to:

commit 5a781ccbd19e4664babcbe4b4ead7aa2b9283d22
Author: Vinicius Costa Gomes <viniciu...@intel.com>
Date: Sat Sep 29 00:59:43 2018 +0000

tc: Add support for configuring the taprio scheduler

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10311900580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=12311900580000
console output: https://syzkaller.appspot.com/x/log.txt?x=14311900580000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8bb3e2...@syzkaller.appspotmail.com
Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler")

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 1-...!: (1 GPs behind) idle=b674/1/0x4000000000000000 softirq=16193/16205 fqs=2
rcu: (detected by 0, t=10502 jiffies, g=13757, q=3905 ncpus=2)
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 6128 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:rcu_is_watching_curr_cpu include/linux/context_tracking.h:128 [inline]
RIP: 0010:rcu_is_watching+0x3a/0xb0 kernel/rcu/tree.c:751
Code: e8 bb 0d b3 09 89 c3 83 f8 08 73 65 49 bf 00 00 00 00 00 fc ff df 4c 8d 34 dd d0 0d 9b 8d 4c 89 f0 48 c1 e8 03 42 80 3c 38 00 <74> 08 4c 89 f7 e8 8c 1d 80 00 48 c7 c3 d8 56 81 92 49 03 1e 48 89
RSP: 0018:ffffc90000a08c70 EFLAGS: 00000046
RAX: 1ffffffff1b361bb RBX: 0000000000000001 RCX: 0000000000010002
RDX: 0000000000000000 RSI: ffffffff8bc086c0 RDI: ffffffff8bc08680
RBP: ffffffff81ae6da2 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1f045cf R12: 0000000000000000
R13: ffff8880b8728258 R14: ffffffff8d9b0dd8 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff888125f1e000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007f9426807ff8 CR3: 0000000077a18000 CR4: 00000000003526f0
Call Trace:
<IRQ>
trace_lock_acquire include/trace/events/lock.h:24 [inline]
lock_acquire+0x5f/0x340 kernel/locking/lockdep.c:5831
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0x3d/0x50 kernel/locking/spinlock.c:170
__run_hrtimer kernel/time/hrtimer.c:1781 [inline]
__hrtimer_run_queues+0x5e2/0xc30 kernel/time/hrtimer.c:1841
hrtimer_interrupt+0x45b/0xaa0 kernel/time/hrtimer.c:1903
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1045 [inline]
__sysvec_apic_timer_interrupt+0x102/0x3e0 arch/x86/kernel/apic/apic.c:1062
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1056
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:deref_stack_reg+0x3/0x230 arch/x86/kernel/unwind_orc.c:418
Code: e8 12 f8 b2 00 48 8b 4c 24 18 e9 f2 fe ff ff 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 41 57 <41> 56 41 55 41 54 53 48 83 ec 20 48 89 54 24 18 49 89 f0 49 89 ff
RSP: 0018:ffffc90002f16e00 EFLAGS: 00000283
RAX: fffffffffffffff0 RBX: ffffffff9025420e RCX: 0000000000000000
RDX: ffffc90002f16f28 RSI: ffffc90002f17ad0 RDI: ffffc90002f16ee8
RBP: dffffc0000000000 R08: ffffc90002f16f47 R09: 0000000000000000
R10: ffffc90002f16f38 R11: fffff520005e2de9 R12: ffffc90002f16f38
R13: 1ffff920005e2ddf R14: ffffc90002f16ee8 R15: 1ffffffff204a842
unwind_next_frame+0x18cc/0x23d0 arch/x86/kernel/unwind_orc.c:-1
arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
unpoison_slab_object mm/kasan/common.c:340 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x37d/0x710 mm/slub.c:5270
mt_alloc_one lib/maple_tree.c:174 [inline]
mas_alloc_nodes+0x291/0x350 lib/maple_tree.c:1110
mas_preallocate+0x2e0/0x670 lib/maple_tree.c:5194
vma_iter_prealloc mm/vma.h:502 [inline]
vma_shrink+0x18d/0x510 mm/vma.c:1200
relocate_vma_down+0x4d4/0x4f0 mm/vma_exec.c:91
setup_arg_pages+0x5cf/0xa90 fs/exec.c:690
load_elf_binary+0xba4/0x2740 fs/binfmt_elf.c:1028
search_binary_handler fs/exec.c:1669 [inline]
exec_binprm fs/exec.c:1701 [inline]
bprm_execve+0x92e/0x1400 fs/exec.c:1753
do_execveat_common+0x510/0x6a0 fs/exec.c:1859
do_execve fs/exec.c:1933 [inline]
__do_sys_execve fs/exec.c:2009 [inline]
__se_sys_execve fs/exec.c:2004 [inline]
__x64_sys_execve+0x94/0xb0 fs/exec.c:2004
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f94259c2e17
Code: Unable to access opcode bytes at 0x7f94259c2ded.
RSP: 002b:00007f9426807df8 EFLAGS: 00000206 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 00007ffd48e33ef5 RCX: 00007f94259c2e17
RDX: 00007ffd48e32ba0 RSI: 00007ffd48e32de0 RDI: 00007ffd48e33ef5
RBP: 00007f9426807e70 R08: 00007f9426807f20 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000206 R12: 00007ffd48e32de0
R13: 00007ffd48e32ba0 R14: 0000000000000000 R15: 0000000000000000
</TASK>
rcu: rcu_preempt kthread starved for 10495 jiffies! g13757 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0
rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt state:R running task stack:27480 pid:16 tgid:16 ppid:2 task_flags:0x208040 flags:0x00080000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x149b/0x4fd0 kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6960
schedule_timeout+0x12b/0x270 kernel/time/sleep_timeout.c:99
rcu_gp_fqs_loop+0x301/0x1540 kernel/rcu/tree.c:2083
rcu_gp_kthread+0x99/0x390 kernel/rcu/tree.c:2285
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
rcu: Stack dump where RCU GP kthread last ran:
CPU: 0 UID: 0 PID: 5203 Comm: udevd Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:csd_lock_wait kernel/smp.c:342 [inline]
RIP: 0010:smp_call_function_many_cond+0xcc5/0x1260 kernel/smp.c:877
Code: 45 8b 2c 24 44 89 ee 83 e6 01 31 ff e8 d4 97 0b 00 41 83 e5 01 49 bd 00 00 00 00 00 fc ff df 75 07 e8 7f 93 0b 00 eb 38 f3 90 <42> 0f b6 04 2b 84 c0 75 11 41 f7 04 24 01 00 00 00 74 1e e8 63 93
RSP: 0000:ffffc90003057820 EFLAGS: 00000293
RAX: ffffffff81b5654d RBX: 1ffff110170e8129 RCX: ffff88807d153d00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90003057950 R08: ffffffff8f822e77 R09: 1ffffffff1f045ce
R10: dffffc0000000000 R11: fffffbfff1f045cf R12: ffff8880b8740948
R13: dffffc0000000000 R14: ffff8880b863bb00 R15: 0000000000000001
FS: 00007f6e0f393880(0000) GS:ffff888125e1e000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 000055ec54628550 CR3: 000000007d7b8000 CR4: 00000000003526f0
Call Trace:
<TASK>
on_each_cpu_cond_mask+0x3f/0x80 kernel/smp.c:1043
__flush_tlb_multi arch/x86/include/asm/paravirt.h:91 [inline]
flush_tlb_multi arch/x86/mm/tlb.c:1382 [inline]
flush_tlb_mm_range+0x60a/0x1170 arch/x86/mm/tlb.c:1472
flush_tlb_page arch/x86/include/asm/tlbflush.h:324 [inline]
ptep_clear_flush+0x120/0x170 mm/pgtable-generic.c:103
wp_page_copy mm/memory.c:3785 [inline]
do_wp_page+0x1bb1/0x5810 mm/memory.c:4180
handle_pte_fault mm/memory.c:6289 [inline]
__handle_mm_fault mm/memory.c:6411 [inline]
handle_mm_fault+0x14c5/0x32b0 mm/memory.c:6580
do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x71/0xd0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x7f6e0ecb5dfe
Code: 00 00 66 0f ef c0 41 0f 11 44 24 20 49 89 54 24 10 49 89 74 24 18 4c 89 66 10 4c 89 62 18 48 89 c2 48 83 ca 01 49 89 54 24 08 <49> 89 04 04 48 83 c4 10 5b 41 5c 41 5d c3 0f 1f 40 00 48 89 cf 48
RSP: 002b:00007fff1a84f050 EFLAGS: 00010206
RAX: 0000000000002a20 RBX: 0000000000000740 RCX: 000055ec54627e10
RDX: 0000000000002a21 RSI: 00007f6e0edf1b20 RDI: 000055ec54627e10
RBP: 00007f6e0edf1ac0 R08: 0000000000000740 R09: 0000000000000010
R10: 000055ec24e255e0 R11: 0000000000000004 R12: 000055ec54625b30
R13: 00007f6e0edf1ac0 R14: 0000000000000740 R15: 00007f6e0edf1ac0
</TASK>


---

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Private message regarding: [syzbot] [mm?] INFO: rcu detected stall in sys_execve (6)
Author: kapoor...@gmail.com

#syz test

From 4e8268fd6319d5b97ba6334b7f66fd0b1719b863 Mon Sep 17 00:00:00 2001
From: Arnav Kapoor <kapoor...@gmail.com>
Date: Mon, 19 Jan 2026 03:15:46 +0530
Subject: [PATCH] fs/exec: add cond_resched() in setup_arg_pages to prevent
RCU
stalls

Syzbot reported an RCU stall in sys_execve. The issue occurs when
setup_arg_pages() calls expand_stack_locked() which can perform memory
allocations that take significant time without yielding to the scheduler.
This prevents RCU grace periods from completing, leading to RCU stalls.

The fix is minimal: add cond_resched() after expand_stack_locked() returns,
allowing the scheduler to preempt if needed and permitting RCU grace periods
to complete.

Reported-by: syzbot+af59ca6e6cfb5db2946e165031b25d7f52ee60e9
Closes:
https://syzkaller.appspot.com/bug?id=af59ca6e6cfb5db2946e165031b25d7f52ee60e9
Signed-off-by: Arnav Kapoor <kapoor...@gmail.com>
---
fs/exec.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/fs/exec.c b/fs/exec.c
index 9d5ebc9d1..fb7ae929d 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -712,6 +712,8 @@ int setup_arg_pages(struct linux_binprm *bprm,
#endif
current->mm->start_stack = bprm->p;
ret = expand_stack_locked(vma, stack_base);
+ /* Allow RCU and scheduler to make progress. */
+ cond_resched();
if (ret)
ret = -EFAULT;

--
2.43.0

On Sunday, 18 January 2026 at 04:48:24 UTC+5:30 syzbot wrote:

syzbot has found a reproducer for the following issue on:

HEAD commit: a74c7a58ca2c net: freescale: ucc_geth: Return early when T..
git tree: net
console output: https://syzkaller.appspot.com/x/log.txt?x=16fdf39a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=323fe5bdde2384a5

dashboard link: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd

compiler: Debian clang version 20.1.8
(++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD
20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13d8639a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=154863fa580000

Downloadable assets:
disk image:

https://storage.googleapis.com/syzbot-assets/50a3e60a3908/disk-a74c7a58.raw.xz
vmlinux:
https://storage.googleapis.com/syzbot-assets/ee6a6a2a52e4/vmlinux-a74c7a58.xz
kernel image:
https://storage.googleapis.com/syzbot-assets/033a07d12b3e/bzImage-a74c7a58.xz

The issue was bisected to:

commit 5a781ccbd19e4664babcbe4b4ead7aa2b9283d22
Author: Vinicius Costa Gomes <viniciu...@intel.com>
Date: Sat Sep 29 00:59:43 2018 +0000

tc: Add support for configuring the taprio scheduler

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10311900580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=12311900580000
console output: https://syzkaller.appspot.com/x/log.txt?x=14311900580000

IMPORTANT: if you fix the issue, please add the following tag to the
commit:
Reported-by: syzbot+8bb3e2...@syzkaller.appspotmail.com
Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio
scheduler")

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 1-...!: (1 GPs behind) idle=b674/1/0x4000000000000000
softirq=16193/16205 fqs=2
rcu: (detected by 0, t=10502 jiffies, g=13757, q=3905 ncpus=2)
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 6128 Comm: syz-executor Not tainted syzkaller #0
PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS

Google 10/25/2025
RIP: 0010:rcu_is_watching_curr_cpu include/linux/context_tracking.h:128
[inline]
RIP: 0010:rcu_is_watching+0x3a/0xb0 kernel/rcu/tree.c:751
Code: e8 bb 0d b3 09 89 c3 83 f8 08 73 65 49 bf 00 00 00 00 00 fc ff df 4c
8d 34 dd d0 0d 9b 8d 4c 89 f0 48 c1 e8 03 42 80 3c 38 00 <74> 08 4c 89 f7
e8 8c 1d 80 00 48 c7 c3 d8 56 81 92 49 03 1e 48 89
RSP: 0018:ffffc90000a08c70 EFLAGS: 00000046
RAX: 1ffffffff1b361bb RBX: 0000000000000001 RCX: 0000000000010002
RDX: 0000000000000000 RSI: ffffffff8bc086c0 RDI: ffffffff8bc08680
RBP: ffffffff81ae6da2 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1f045cf R12: 0000000000000000
R13: ffff8880b8728258 R14: ffffffff8d9b0dd8 R15: dffffc0000000000

FS: 0000000000000000(0000) GS:ffff888125f1e000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS

Google 10/25/2025
RIP: 0010:csd_lock_wait kernel/smp.c:342 [inline]
RIP: 0010:smp_call_function_many_cond+0xcc5/0x1260 kernel/smp.c:877
Code: 45 8b 2c 24 44 89 ee 83 e6 01 31 ff e8 d4 97 0b 00 41 83 e5 01 49 bd
00 00 00 00 00 fc ff df 75 07 e8 7f 93 0b 00 eb 38 f3 90 <42> 0f b6 04 2b
84 c0 75 11 41 f7 04 24 01 00 00 00 74 1e e8 63 93
RSP: 0000:ffffc90003057820 EFLAGS: 00000293
RAX: ffffffff81b5654d RBX: 1ffff110170e8129 RCX: ffff88807d153d00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90003057950 R08: ffffffff8f822e77 R09: 1ffffffff1f045ce
R10: dffffc0000000000 R11: fffffbfff1f045cf R12: ffff8880b8740948
R13: dffffc0000000000 R14: ffff8880b863bb00 R15: 0000000000000001

FS: 00007f6e0f393880(0000) GS:ffff888125e1e000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: rcu detected stall in worker_thread

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:

rcu: 0-...0: (1 ticks this GP) idle=1544/1/0x4000000000000000 softirq=21116/21116 fqs=7
rcu: hardirqs softirqs csw/system
rcu: number: 0 0 0
rcu: cputime: 0 0 0 ==> 21980(ms)
rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6477/1:b..l
rcu: (detected by 1, t=10502 jiffies, g=15529, q=2686 ncpus=2)

Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0

CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted syzkaller #0 PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025

Workqueue: events_power_efficient gc_worker
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]
RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]
RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]
RIP: 0010:queued_spin_is_locked include/asm-generic/qspinlock.h:57 [inline]
RIP: 0010:debug_spin_unlock kernel/locking/spinlock_debug.c:101 [inline]
RIP: 0010:do_raw_spin_unlock+0x59/0x240 kernel/locking/spinlock_debug.c:141
Code: 84 01 00 00 41 81 3e ad 4e ad de 0f 85 f3 00 00 00 48 89 df be 04 00 00 00 e8 53 8a 88 00 48 89 d8 48 c1 e8 03 42 0f b6 04 20 <84> c0 0f 85 74 01 00 00 83 3b 00 0f 84 ea 00 00 00 4c 8d 73 10 4d
RSP: 0018:ffffc90000007c28 EFLAGS: 00000806
RAX: 0000000000000000 RBX: ffff888030b1e2a8 RCX: ffffffff819e93bd
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff888030b1e2a8
RBP: ffff88805a66a150 R08: ffff888030b1e2ab R09: 1ffff11006163c55
R10: dffffc0000000000 R11: ffffed1006163c56 R12: dffffc0000000000
R13: ffff888030b1e000 R14: ffff888030b1e2ac R15: ffff88805d10fc00
FS: 0000000000000000(0000) GS:ffff888125e1e000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007ffdb6036498 CR3: 000000000dd3a000 CR4: 00000000003526f0
Call Trace:
<IRQ>
__raw_spin_unlock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_unlock+0x1e/0x50 kernel/locking/spinlock.c:186
spin_unlock include/linux/spinlock.h:391 [inline]
advance_sched+0x99f/0xc90 net/sched/sch_taprio.c:987
__run_hrtimer kernel/time/hrtimer.c:1777 [inline]
__hrtimer_run_queues+0x51c/0xc30 kernel/time/hrtimer.c:1841

hrtimer_interrupt+0x45b/0xaa0 kernel/time/hrtimer.c:1903
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1045 [inline]
__sysvec_apic_timer_interrupt+0x102/0x3e0 arch/x86/kernel/apic/apic.c:1062
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1056
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697

RIP: 0010:seqcount_lockdep_reader_access+0xed/0x100 include/linux/seqlock.h:75
Code: 00 75 11 e8 05 82 3e f8 4d 85 f6 75 16 e8 fb 81 3e f8 eb 15 e8 f4 81 3e f8 e8 5f 7a d7 01 4d 85 f6 74 ea e8 e5 81 3e f8 fb 5b <41> 5e e9 4c 59 da 01 cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90
RSP: 0018:ffffc900000e7910 EFLAGS: 00000293
RAX: ffffffff898276cb RBX: 0000000000000001 RCX: ffff88801c2c8000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900000e7a70 R08: ffffffff8f822e77 R09: 1ffffffff1f045ce
R10: dffffc0000000000 R11: fffffbfff1f045cf R12: ffff8880b863a080
R13: ffff88801be91418 R14: 0000000000000200 R15: 0000000000040000
nf_conntrack_get_ht include/net/netfilter/nf_conntrack.h:342 [inline]
gc_worker+0x308/0x1380 net/netfilter/nf_conntrack_core.c:1548
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421

kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>

task:dhcpcd-run-hook state:R running task stack:27640 pid:6477 tgid:6477 ppid:6464 task_flags:0x40004c flags:0x00080000

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x149b/0x4fd0 kernel/sched/core.c:6863

preempt_schedule_irq+0x4d/0xa0 kernel/sched/core.c:7190
irqentry_exit+0x5e3/0x670 kernel/entry/common.c:216
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:lock_acquire+0x222/0x340 kernel/locking/lockdep.c:5872
Code: ff ff ff e8 70 00 bc 09 f7 44 24 08 00 02 00 00 0f 84 3a ff ff ff 65 48 8b 05 5a 2f e2 10 48 3b 44 24 58 75 33 fb 48 83 c4 60 <5b> 41 5c 41 5d 41 5e 41 5f 5d e9 3f df be 09 cc 48 8d 3d 97 82 e7
RSP: 0018:ffffc900031073f8 EFLAGS: 00000282
RAX: 8aa7093569192b00 RBX: 0000000000000000 RCX: 0000000000000046
RDX: 00000000bfbdb79f RSI: ffffffff8d9774de RDI: ffffffff8bc086e0
RBP: ffffffff8173fdd5 R08: ffffffff8173fdd5 R09: ffffffff8df41aa0
R10: ffffc90003107558 R11: ffffffff81acf4d0 R12: 0000000000000002
R13: ffffffff8df41aa0 R14: 0000000000000000 R15: 0000000000000246
rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
rcu_read_lock include/linux/rcupdate.h:867 [inline]
class_rcu_constructor include/linux/rcupdate.h:1195 [inline]
unwind_next_frame+0xc2/0x23d0 arch/x86/kernel/unwind_orc.c:495

arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78

kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free mm/slub.c:6670 [inline]
kmem_cache_free+0x197/0x620 mm/slub.c:6781
anon_vma_chain_free mm/rmap.c:146 [inline]
unlink_anon_vmas+0x2cc/0x670 mm/rmap.c:420
free_pgtables+0x57f/0x9d0 mm/memory.c:399
exit_mmap+0x431/0xb10 mm/mmap.c:1288
__mmput+0x118/0x430 kernel/fork.c:1173
exit_mm+0x169/0x230 kernel/exit.c:581
do_exit+0x627/0x22f0 kernel/exit.c:959
do_group_exit+0x21c/0x2d0 kernel/exit.c:1112
__do_sys_exit_group kernel/exit.c:1123 [inline]
__se_sys_exit_group kernel/exit.c:1121 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1121
x64_sys_call+0x2210/0x2210 arch/x86/include/generated/asm/syscalls_64.h:232

do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fe808c126c5
RSP: 002b:00007ffdb60363a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007ffdb6036604 RCX: 00007fe808c126c5
RDX: 00000000000000e7 RSI: ffffffffffffff88 RDI: 0000000000000000
RBP: 0000000000000003 R08: 00007ffdb60364a0 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffdb60366e0 R14: 00007fe808e22000 R15: 000055f28d607d98
</TASK>
rcu: rcu_preempt kthread starved for 2154 jiffies! g15529 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1

rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt state:R running task stack:27480 pid:16 tgid:16 ppid:2 task_flags:0x208040 flags:0x00080000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x149b/0x4fd0 kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6960
schedule_timeout+0x12b/0x270 kernel/time/sleep_timeout.c:99
rcu_gp_fqs_loop+0x301/0x1540 kernel/rcu/tree.c:2083
rcu_gp_kthread+0x99/0x390 kernel/rcu/tree.c:2285
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
rcu: Stack dump where RCU GP kthread last ran:

CPU: 1 UID: 0 PID: 13 Comm: kworker/u8:1 Not tainted syzkaller #0 PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025

Workqueue: writeback wb_workfn (flush-8:0)

RIP: 0010:csd_lock_wait kernel/smp.c:342 [inline]
RIP: 0010:smp_call_function_many_cond+0xcc5/0x1260 kernel/smp.c:877
Code: 45 8b 2c 24 44 89 ee 83 e6 01 31 ff e8 d4 97 0b 00 41 83 e5 01 49 bd 00 00 00 00 00 fc ff df 75 07 e8 7f 93 0b 00 eb 38 f3 90 <42> 0f b6 04 2b 84 c0 75 11 41 f7 04 24 01 00 00 00 74 1e e8 63 93

RSP: 0018:ffffc90000126540 EFLAGS: 00000293
RAX: ffffffff81b5654d RBX: 1ffff110170c856d RCX: ffff88801c2f0000

RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000

RBP: ffffc90000126670 R08: ffff888076e16d87 R09: 1ffff1100edc2db0
R10: dffffc0000000000 R11: ffffffff8175f0c0 R12: ffff8880b8642b68
R13: dffffc0000000000 R14: ffff8880b873bb00 R15: 0000000000000000

FS: 0000000000000000(0000) GS:ffff888125f1e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007f8357b4de9c CR3: 0000000075acc000 CR4: 00000000003526f0

Call Trace:
<TASK>
on_each_cpu_cond_mask+0x3f/0x80 kernel/smp.c:1043
__flush_tlb_multi arch/x86/include/asm/paravirt.h:91 [inline]
flush_tlb_multi arch/x86/mm/tlb.c:1382 [inline]
flush_tlb_mm_range+0x60a/0x1170 arch/x86/mm/tlb.c:1472
flush_tlb_page arch/x86/include/asm/tlbflush.h:324 [inline]
ptep_clear_flush+0x120/0x170 mm/pgtable-generic.c:103

page_vma_mkclean_one+0x401/0x790 mm/rmap.c:1017
page_mkclean_one+0x1c0/0x280 mm/rmap.c:1065
__rmap_walk_file+0x467/0x620 mm/rmap.c:2927
rmap_walk mm/rmap.c:2971 [inline]
folio_mkclean+0x297/0x390 mm/rmap.c:1097
folio_clear_dirty_for_io+0x1a5/0x710 mm/page-writeback.c:2932
mpage_submit_folio+0x86/0x2b0 fs/ext4/inode.c:2068
mpage_map_and_submit_buffers fs/ext4/inode.c:2330 [inline]
mpage_map_and_submit_extent fs/ext4/inode.c:2520 [inline]
ext4_do_writepages+0x1fe9/0x4500 fs/ext4/inode.c:2932
ext4_writepages+0x203/0x350 fs/ext4/inode.c:3026
do_writepages+0x32e/0x550 mm/page-writeback.c:2598
__writeback_single_inode+0x133/0x1240 fs/fs-writeback.c:1737
writeback_sb_inodes+0x93a/0x1870 fs/fs-writeback.c:2030
__writeback_inodes_wb+0x111/0x240 fs/fs-writeback.c:2107
wb_writeback+0x43f/0xaa0 fs/fs-writeback.c:2218
wb_check_old_data_flush fs/fs-writeback.c:2322 [inline]
wb_do_writeback fs/fs-writeback.c:2375 [inline]
wb_workfn+0xad2/0xed0 fs/fs-writeback.c:2403
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421

kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>

Tested on:

commit: f40ddcc0 Revert "nfc/nci: Add the inconsistency check ..
git tree: net
console output: https://syzkaller.appspot.com/x/log.txt?x=105ff522580000

kernel config: https://syzkaller.appspot.com/x/.config?x=323fe5bdde2384a5
dashboard link: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=1077f522580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Private message regarding: [syzbot] [mm?] INFO: rcu detected stall in sys_execve (6)
Author: kapoor...@gmail.com

#syz test

From be1f91fc995cb0dc6a78b89a970c69640ad9e629 Mon Sep 17 00:00:00 2001
From: Arnav Kapoor <kapoor...@gmail.com>
Date: Mon, 19 Jan 2026 03:53:16 +0530
Subject: [PATCH] netfilter: nf_conntrack: add cond_resched() in gc_worker to
prevent RCU stalls

The gc_worker processes conntrack entries in batches, and for large
hash buckets, it can hold RCU read lock for extended periods without
yielding, leading to RCU stalls. Add cond_resched() inside the entry
processing loop to allow scheduler preemption and RCU grace periods
to complete.

Reported-by: syzbot+8bb3e2...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd
---
net/netfilter/nf_conntrack_core.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nf_conntrack_core.c
b/net/netfilter/nf_conntrack_core.c
index d1f8eb725..a3ef8eae7 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1608,6 +1608,7 @@ static void gc_worker(struct work_struct *work)
}

nf_ct_put(tmp);
+ cond_resched();
}

/* could check get_nulls_value() here and restart if ct
--
2.43.0

On Monday, 19 January 2026 at 03:51:05 UTC+5:30 syzbot wrote:

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering
an issue:
INFO: rcu detected stall in worker_thread

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 0-...0: (1 ticks this GP) idle=1544/1/0x4000000000000000
softirq=21116/21116 fqs=7
rcu: hardirqs softirqs csw/system
rcu: number: 0 0 0
rcu: cputime: 0 0 0 ==> 21980(ms)
rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6477/1:b..l
rcu: (detected by 1, t=10502 jiffies, g=15529, q=2686 ncpus=2)

Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0

CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted syzkaller #0
PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS

Google 10/25/2025
Workqueue: events_power_efficient gc_worker
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]
RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457
[inline]
RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33
[inline]
RIP: 0010:queued_spin_is_locked include/asm-generic/qspinlock.h:57 [inline]
RIP: 0010:debug_spin_unlock kernel/locking/spinlock_debug.c:101 [inline]
RIP: 0010:do_raw_spin_unlock+0x59/0x240 kernel/locking/spinlock_debug.c:141
Code: 84 01 00 00 41 81 3e ad 4e ad de 0f 85 f3 00 00 00 48 89 df be 04 00
00 00 e8 53 8a 88 00 48 89 d8 48 c1 e8 03 42 0f b6 04 20 <84> c0 0f 85 74
01 00 00 83 3b 00 0f 84 ea 00 00 00 4c 8d 73 10 4d
RSP: 0018:ffffc90000007c28 EFLAGS: 00000806
RAX: 0000000000000000 RBX: ffff888030b1e2a8 RCX: ffffffff819e93bd
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff888030b1e2a8
RBP: ffff88805a66a150 R08: ffff888030b1e2ab R09: 1ffff11006163c55
R10: dffffc0000000000 R11: ffffed1006163c56 R12: dffffc0000000000
R13: ffff888030b1e000 R14: ffff888030b1e2ac R15: ffff88805d10fc00

FS: 0000000000000000(0000) GS:ffff888125e1e000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS

Google 10/25/2025
Workqueue: writeback wb_workfn (flush-8:0)
RIP: 0010:csd_lock_wait kernel/smp.c:342 [inline]
RIP: 0010:smp_call_function_many_cond+0xcc5/0x1260 kernel/smp.c:877
Code: 45 8b 2c 24 44 89 ee 83 e6 01 31 ff e8 d4 97 0b 00 41 83 e5 01 49 bd
00 00 00 00 00 fc ff df 75 07 e8 7f 93 0b 00 eb 38 f3 90 <42> 0f b6 04 2b
84 c0 75 11 41 f7 04 24 01 00 00 00 74 1e e8 63 93
RSP: 0018:ffffc90000126540 EFLAGS: 00000293
RAX: ffffffff81b5654d RBX: 1ffff110170c856d RCX: ffff88801c2f0000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90000126670 R08: ffff888076e16d87 R09: 1ffff1100edc2db0
R10: dffffc0000000000 R11: ffffffff8175f0c0 R12: ffff8880b8642b68
R13: dffffc0000000000 R14: ffff8880b873bb00 R15: 0000000000000000

FS: 0000000000000000(0000) GS:ffff888125f1e000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

dashboard link: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:

BUG: workqueue lockup

BUG: workqueue lockup - pool cpus=1 node=0 flags=0x0 nice=-20 stuck for 141s!
Showing busy workqueues and worker pools:
workqueue events: flags=0x100
pwq 2: cpus=0 node=0 flags=0x0 nice=0 active=6 refcnt=7
pending: 3*nsim_dev_hwstats_traffic_work, psi_avgs_work, vmstat_shepherd, ovs_dp_masks_rebalance
pwq 6: cpus=1 node=0 flags=0x2 nice=0 active=4 refcnt=5
in-flight: 5940:nsim_fib_event_work nsim_fib_event_work ,39:nsim_fib_event_work nsim_fib_event_work
workqueue events_long: flags=0x100
pwq 2: cpus=0 node=0 flags=0x0 nice=0 active=4 refcnt=5
pending: 4*defense_work_handler
workqueue events_unbound: flags=0x2
pwq 8: cpus=0-1 flags=0x6 nice=0 active=2 refcnt=3
in-flight: 3887:toggle_allocation_gate
pending: flush_memcg_stats_dwork
workqueue events_unbound: flags=0x2
pwq 8: cpus=0-1 flags=0x6 nice=0 active=8 refcnt=9
in-flight: 60:cfg80211_wiphy_work ,3910:nsim_dev_trap_report_work ,1136:nsim_dev_trap_report_work ,4325:nsim_dev_trap_report_work ,3517:cfg80211_wiphy_work ,1101:nsim_dev_trap_report_work ,3469:crng_reseed
pending: nsim_dev_trap_report_work
workqueue events_freezable: flags=0x104
pwq 2: cpus=0 node=0 flags=0x0 nice=0 active=1 refcnt=2
pending: update_balloon_stats_func
workqueue events_power_efficient: flags=0x180
pwq 2: cpus=0 node=0 flags=0x0 nice=0 active=8 refcnt=9
in-flight: 794:reg_check_chans_work
pending: neigh_managed_work, neigh_periodic_work, 2*check_lifetime, do_cache_clean, 2*check_lifetime
pwq 6: cpus=1 node=0 flags=0x2 nice=0 active=2 refcnt=3
in-flight: 5865:neigh_periodic_work ,24:gc_worker
workqueue kvfree_rcu_reclaim: flags=0xa
pwq 8: cpus=0-1 flags=0x6 nice=0 active=2 refcnt=3
in-flight: 1013:kfree_rcu_monitor
pending: kfree_rcu_monitor
pwq 8: cpus=0-1 flags=0x6 nice=0 active=1 refcnt=2
in-flight: 1141:kfree_rcu_monitor
workqueue mm_percpu_wq: flags=0x8
pwq 2: cpus=0 node=0 flags=0x0 nice=0 active=1 refcnt=2
pending: vmstat_update
workqueue writeback: flags=0x4a
pwq 8: cpus=0-1 flags=0x6 nice=0 active=1 refcnt=2
in-flight: 4346:wb_workfn
workqueue kblockd: flags=0x18
pwq 3: cpus=0 node=0 flags=0x0 nice=-20 active=1 refcnt=2
pending: blk_mq_run_work_fn
pwq 7: cpus=1 node=0 flags=0x0 nice=-20 active=2 refcnt=3
pending: blk_mq_timeout_work, blk_mq_requeue_work
workqueue ipv6_addrconf: flags=0x6000a
pwq 8: cpus=0-1 flags=0x6 nice=0 active=1 refcnt=231
in-flight: 340:addrconf_dad_work
inactive: 221*addrconf_dad_work, addrconf_verify_work, addrconf_dad_work, 4*addrconf_verify_work
workqueue krxrpcd: flags=0x2001a
pwq 9: cpus=0-1 node=0 flags=0x4 nice=-20 active=1 refcnt=9
pending: rxrpc_peer_keepalive_worker
inactive: 5*rxrpc_peer_keepalive_worker
workqueue bat_events: flags=0x6000a
pwq 8: cpus=0-1 flags=0x6 nice=0 active=1 refcnt=40
pending: batadv_mcast_mla_update
inactive: 4*batadv_mcast_mla_update, 7*batadv_iv_send_outstanding_bat_ogm_packet, 5*batadv_purge_orig, 5*batadv_iv_send_outstanding_bat_ogm_packet, 5*batadv_tt_purge, batadv_dat_purge, 2*batadv_bla_periodic_work, batadv_dat_purge, batadv_bla_periodic_work, batadv_dat_purge, batadv_bla_periodic_work, batadv_dat_purge, batadv_bla_periodic_work, batadv_dat_purge
workqueue hci0: flags=0x20012
pwq 9: cpus=0-1 node=0 flags=0x4 nice=-20 active=1 refcnt=4
pending: hci_conn_timeout
workqueue hci2: flags=0x20012
pwq 9: cpus=0-1 node=0 flags=0x4 nice=-20 active=1 refcnt=4
pending: hci_conn_timeout
workqueue wg-kex-wg0: flags=0x124
pwq 6: cpus=1 node=0 flags=0x2 nice=0 active=1 refcnt=2
pending: wg_packet_handshake_receive_worker
workqueue wg-kex-wg0: flags=0x6
pwq 8: cpus=0-1 flags=0x6 nice=0 active=1 refcnt=2
pending: wg_packet_handshake_send_worker
workqueue wg-crypt-wg0: flags=0x128
pwq 6: cpus=1 node=0 flags=0x2 nice=0 active=1 refcnt=2
pending: wg_packet_encrypt_worker
workqueue wg-crypt-wg1: flags=0x128
pwq 2: cpus=0 node=0 flags=0x0 nice=0 active=1 refcnt=2
in-flight: 9:wg_packet_tx_worker
workqueue wg-kex-wg2: flags=0x6
pwq 8: cpus=0-1 flags=0x6 nice=0 active=1 refcnt=2
pending: wg_packet_handshake_send_worker
workqueue wg-crypt-wg2: flags=0x128
pwq 2: cpus=0 node=0 flags=0x0 nice=0 active=2 refcnt=3
in-flight: 5963:wg_packet_tx_worker
pending: wg_packet_encrypt_worker
pwq 6: cpus=1 node=0 flags=0x2 nice=0 active=5 refcnt=6
in-flight: 6465:wg_packet_encrypt_worker wg_packet_encrypt_worker ,5964:wg_packet_tx_worker wg_packet_tx_worker
pending: wg_packet_decrypt_worker
workqueue wg-kex-wg0: flags=0x6
pwq 8: cpus=0-1 flags=0x6 nice=0 active=3 refcnt=4
in-flight: 1045:wg_packet_handshake_send_worker ,13:wg_packet_handshake_send_worker wg_packet_handshake_send_worker
workqueue wg-crypt-wg1: flags=0x128
pwq 6: cpus=1 node=0 flags=0x2 nice=0 active=2 refcnt=3
pending: wg_packet_tx_worker, wg_packet_encrypt_worker
pool 2: cpus=0 node=0 flags=0x0 nice=0 hung=64s workers=6 idle: 5889 5941 10
pool 6: cpus=1 node=0 flags=0x2 nice=0 hung=65s workers=7 manager: 128
pool 8: cpus=0-1 flags=0x6 nice=0 hung=65s workers=18 manager: 36 idle: 12 1341 50
Showing backtraces of running workers in stalled CPU-bound worker pools:

Tested on:

commit: f40ddcc0 Revert "nfc/nci: Add the inconsistency check ..
git tree: net

console output: https://syzkaller.appspot.com/x/log.txt?x=15a7db9a580000

kernel config: https://syzkaller.appspot.com/x/.config?x=323fe5bdde2384a5
dashboard link: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=143ff522580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Private message regarding: [syzbot] [mm?] INFO: rcu detected stall in sys_execve (6)
Author: kapoor...@gmail.com

#syz test

From 533b3d1bb14517adf13a2a99aedb60ecf9fb8402 Mon Sep 17 00:00:00 2001
From: Arnav Kapoor <kapoor...@gmail.com>
Date: Mon, 19 Jan 2026 04:22:49 +0530
Subject: [PATCH] netfilter: nf_conntrack: limit buckets processed per
gc_worker call

The gc_worker may process many hash buckets in a single call, leading
to long execution times and workqueue lockups. Limit the number of
buckets processed per call to 10 to ensure timely completion and
rescheduling.

This complements the existing time-based limit and cond_resched()
calls to prevent stalls.

Reported-by: syzbot+8bb3e2...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd
---

net/netfilter/nf_conntrack_core.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/net/netfilter/nf_conntrack_core.c
b/net/netfilter/nf_conntrack_core.c
index a3ef8eae7..8a2cdd172 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1517,6 +1517,7 @@ static void gc_worker(struct work_struct *work)
struct conntrack_gc_work *gc_work;
unsigned int expired_count = 0;
unsigned long next_run;
+ unsigned int bucket_count = 0;
s32 delta_time;
long count;

@@ -1617,6 +1618,7 @@ static void gc_worker(struct work_struct *work)
*/
rcu_read_unlock();
cond_resched();
+ bucket_count++;
i++;

delta_time = nfct_time_stamp - end_time;
@@ -1626,6 +1628,10 @@ static void gc_worker(struct work_struct *work)
gc_work->next_bucket = i;
next_run = 0;
goto early_exit;
+ if (bucket_count > 10) {
+ gc_work->next_bucket = i;
+ goto early_exit;
+ }
}
} while (i < hashsz);

--
2.43.0

dashboard link: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:

INFO: rcu detected stall in corrupted

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:

rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6251/3:b..l
rcu: (detected by 0, t=10502 jiffies, g=16273, q=1513 ncpus=2)
task:udevd state:R running task stack:25432 pid:6251 tgid:6251 ppid:5199 task_flags:0x400140 flags:0x00080000

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x149b/0x4fd0 kernel/sched/core.c:6863

preempt_schedule_common+0x83/0xd0 kernel/sched/core.c:7047
preempt_schedule_thunk+0x16/0x30 arch/x86/entry/thunk.S:12
__raw_spin_unlock include/linux/spinlock_api_smp.h:143 [inline]
_raw_spin_unlock+0x3f/0x50 kernel/locking/spinlock.c:186
spin_unlock include/linux/spinlock.h:391 [inline]
filemap_map_pages+0x192d/0x1fd0 mm/filemap.c:3931
do_fault_around mm/memory.c:5713 [inline]
do_read_fault mm/memory.c:5746 [inline]
do_fault mm/memory.c:5889 [inline]
do_pte_missing+0x20b0/0x3330 mm/memory.c:4401
handle_pte_fault mm/memory.c:6273 [inline]
__handle_mm_fault mm/memory.c:6411 [inline]
handle_mm_fault+0x1b26/0x32b0 mm/memory.c:6580

do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x71/0xd0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618

RIP: 0033:0x7fdbcbf6be80
RSP: 002b:00007ffc0ad89938 EFLAGS: 00010246
RAX: 0000000000000006 RBX: 00005588ef53c568 RCX: 0000000000000019
RDX: 0000000000000191 RSI: 00007fdbcb9f1ca0 RDI: 00005589070c4e70
RBP: 00005589070a7910 R08: 0000000002000000 R09: 0000000000000003
R10: 0000000000000000 R11: 0000000000000297 R12: 00005588ef53c588
R13: 00007ffc0ad899b0 R14: 0000000000000000 R15: 0000000000000000
</TASK>
rcu: rcu_preempt kthread starved for 7525 jiffies! g16273 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0

rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:

task:rcu_preempt state:R running task stack:28008 pid:16 tgid:16 ppid:2 task_flags:0x208040 flags:0x00080000

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x149b/0x4fd0 kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6960
schedule_timeout+0x12b/0x270 kernel/time/sleep_timeout.c:99
rcu_gp_fqs_loop+0x301/0x1540 kernel/rcu/tree.c:2083
rcu_gp_kthread+0x99/0x390 kernel/rcu/tree.c:2285
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
rcu: Stack dump where RCU GP kthread last ran:

CPU: 0 UID: 0 PID: 6318 Comm: udevd Not tainted syzkaller #0 PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025

RIP: 0010:csd_lock_wait kernel/smp.c:342 [inline]

RIP: 0010:smp_call_function_many_cond+0xcce/0x1260 kernel/smp.c:877
Code: 01 31 ff e8 d4 97 0b 00 41 83 e5 01 49 bd 00 00 00 00 00 fc ff df 75 07 e8 7f 93 0b 00 eb 38 f3 90 42 0f b6 04 2b 84 c0 75 11 <41> f7 04 24 01 00 00 00 74 1e e8 63 93 0b 00 eb e4 44 89 e1 80 e1
RSP: 0000:ffffc90003d0f820 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 1ffff110170e8129 RCX: ffff888026fc3d00

RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000

RBP: ffffc90003d0f950 R08: ffffffff8f822e77 R09: 1ffffffff1f045ce

R10: dffffc0000000000 R11: fffffbfff1f045cf R12: ffff8880b8740948
R13: dffffc0000000000 R14: ffff8880b863bb00 R15: 0000000000000001

FS: 00007fdbcbf47880(0000) GS:ffff888125e1e000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00005589070d6f28 CR3: 0000000076b96000 CR4: 00000000003526f0

Call Trace:
<TASK>
on_each_cpu_cond_mask+0x3f/0x80 kernel/smp.c:1043
__flush_tlb_multi arch/x86/include/asm/paravirt.h:91 [inline]
flush_tlb_multi arch/x86/mm/tlb.c:1382 [inline]
flush_tlb_mm_range+0x60a/0x1170 arch/x86/mm/tlb.c:1472
flush_tlb_page arch/x86/include/asm/tlbflush.h:324 [inline]
ptep_clear_flush+0x120/0x170 mm/pgtable-generic.c:103

wp_page_copy mm/memory.c:3785 [inline]
do_wp_page+0x1bb1/0x5810 mm/memory.c:4180
handle_pte_fault mm/memory.c:6289 [inline]
__handle_mm_fault mm/memory.c:6411 [inline]
handle_mm_fault+0x14c5/0x32b0 mm/memory.c:6580
do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x71/0xd0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618

RIP: 0033:0x7fdbcb8b5b69
Code: 10 48 81 f9 ff 03 00 00 76 28 48 8b 57 20 48 85 d2 74 1f 48 3b 7a 28 75 76 48 8b 4f 28 48 3b 79 20 75 6c 48 83 78 20 00 74 17 <48> 89 4a 28 48 89 51 20 48 83 c4 08 c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc0ad89870 EFLAGS: 00010202
RAX: 00007fdbcb9f2070 RBX: 00000000000009b0 RCX: 00005589070d6f00
RDX: 00005589070d6f00 RSI: 00007fdbcb9f2070 RDI: 00005589070d6f00
RBP: 00007fdbcb9f1ac0 R08: 00000000000009b0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00005589070d47a0
R13: 00007fdbcb9f1ac0 R14: 00000000000009b0 R15: 00007fdbcb9f1ac0
</TASK>

Tested on:

commit: f40ddcc0 Revert "nfc/nci: Add the inconsistency check ..
git tree: net

console output: https://syzkaller.appspot.com/x/log.txt?x=160153fa580000

kernel config: https://syzkaller.appspot.com/x/.config?x=323fe5bdde2384a5
dashboard link: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=118fa852580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Private message regarding: [syzbot] [mm?] INFO: rcu detected stall in sys_execve (6)
Author: kapoor...@gmail.com

#syz test

From e0dd0088f4b871d8c44d5b9ba17dd9eba1f770a0 Mon Sep 17 00:00:00 2001
From: Arnav Kapoor <kapoor...@gmail.com>
Date: Mon, 19 Jan 2026 04:48:19 +0530
Subject: [PATCH] netfilter: nf_conntrack: add entry limit and cond_resched
in
gc_worker

Further limit the gc_worker to process at most 100 entries per bucket
and add cond_resched() at the start of each entry processing to ensure
frequent yielding and prevent RCU stalls.

Reported-by: syzbot+8bb3e2...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd
---

net/netfilter/nf_conntrack_core.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nf_conntrack_core.c
b/net/netfilter/nf_conntrack_core.c
index 8a2cdd172..ff901a2b4 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1552,13 +1552,17 @@ static void gc_worker(struct work_struct *work)
break;
}

+ int entry_count = 0;
hlist_nulls_for_each_entry_rcu(h, n, &ct_hash[i], hnnode) {
struct nf_conntrack_net *cnet;
struct net *net;
long expires;

tmp = nf_ct_tuplehash_to_ctrack(h);
+ entry_count++;

+ if (entry_count > 100) break;
+ cond_resched();
if (expired_count > GC_SCAN_EXPIRED_MAX) {
rcu_read_unlock();

--
2.43.0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS

Google 10/25/2025
RIP: 0010:csd_lock_wait kernel/smp.c:342 [inline]
RIP: 0010:smp_call_function_many_cond+0xcce/0x1260 kernel/smp.c:877
Code: 01 31 ff e8 d4 97 0b 00 41 83 e5 01 49 bd 00 00 00 00 00 fc ff df 75
07 e8 7f 93 0b 00 eb 38 f3 90 42 0f b6 04 2b 84 c0 75 11 <41> f7 04 24 01
00 00 00 74 1e e8 63 93 0b 00 eb e4 44 89 e1 80 e1
RSP: 0000:ffffc90003d0f820 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 1ffff110170e8129 RCX: ffff888026fc3d00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90003d0f950 R08: ffffffff8f822e77 R09: 1ffffffff1f045ce
R10: dffffc0000000000 R11: fffffbfff1f045cf R12: ffff8880b8740948
R13: dffffc0000000000 R14: ffff8880b863bb00 R15: 0000000000000001

FS: 00007fdbcbf47880(0000) GS:ffff888125e1e000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

dashboard link: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:

INFO: rcu detected stall in worker_thread

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:

rcu: 1-...!: (1 GPs behind) idle=3fa4/1/0x4000000000000000 softirq=23801/23814 fqs=1
rcu: (detected by 0, t=10503 jiffies, g=17209, q=7435 ncpus=2)

Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1

CPU: 1 UID: 0 PID: 5941 Comm: kworker/1:5 Not tainted syzkaller #0 PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025

Workqueue: events_power_efficient gc_worker
RIP: 0010:check_region_inline mm/kasan/generic.c:185 [inline]
RIP: 0010:kasan_check_range+0x19/0x2c0 mm/kasan/generic.c:200
Code: cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 55 41 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 ba 01 00 00 <4c> 8d 04 37 49 39 f8 0f 82 82 02 00 00 49 b9 00 00 00 00 00 80 ff
RSP: 0018:ffffc90000a08ba8 EFLAGS: 00000002
RAX: 00000000ffffff01 RBX: ffffffff99b74750 RCX: ffffffff819e9061
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffc90000a08c20
RBP: ffffc90000a08c98 R08: ffffffff99b74753 R09: 1ffffffff336e8ea
R10: dffffc0000000000 R11: fffffbfff336e8eb R12: ffffffff99b74760
R13: ffffffff99b74758 R14: 1ffffffff336e8ec R15: 1ffffffff336e8eb
FS: 0000000000000000(0000) GS:ffff888125f1e000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007ff7a7c27432 CR3: 0000000073668000 CR4: 00000000003526f0
Call Trace:
<IRQ>
instrument_read_write include/linux/instrumented.h:54 [inline]
atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1301 [inline]
queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
do_raw_spin_lock+0x121/0x290 kernel/locking/spinlock_debug.c:116
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
_raw_spin_lock_irqsave+0x4c/0x60 kernel/locking/spinlock.c:162
debug_object_deactivate+0x6d/0x360 lib/debugobjects.c:873
debug_hrtimer_deactivate kernel/time/hrtimer.c:443 [inline]
debug_deactivate+0x1d/0x1e0 kernel/time/hrtimer.c:483
__run_hrtimer kernel/time/hrtimer.c:1745 [inline]
__hrtimer_run_queues+0x2b0/0xc30 kernel/time/hrtimer.c:1841

hrtimer_interrupt+0x45b/0xaa0 kernel/time/hrtimer.c:1903
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1045 [inline]
__sysvec_apic_timer_interrupt+0x102/0x3e0 arch/x86/kernel/apic/apic.c:1062
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1056
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697

RIP: 0010:rcu_is_watching_curr_cpu include/linux/context_tracking.h:-1 [inline]
RIP: 0010:rcu_is_watching+0x44/0xb0 kernel/rcu/tree.c:751
Code: 73 65 49 bf 00 00 00 00 00 fc ff df 4c 8d 34 dd d0 0d 9b 8d 4c 89 f0 48 c1 e8 03 42 80 3c 38 00 74 08 4c 89 f7 e8 8c 1d 80 00 <48> c7 c3 d8 56 81 92 49 03 1e 48 89 d8 48 c1 e8 03 42 0f b6 04 38
RSP: 0018:ffffc90003d77860 EFLAGS: 00000246
RAX: 1ffffffff1b361bb RBX: 0000000000000001 RCX: 0000000080000001

RDX: 0000000000000000 RSI: ffffffff8bc086c0 RDI: ffffffff8bc08680

RBP: ffffffff8983265b R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1f045cf R12: 0000000000000002
R13: ffffffff8df41aa0 R14: ffffffff8d9b0dd8 R15: dffffc0000000000

trace_lock_acquire include/trace/events/lock.h:24 [inline]
lock_acquire+0x5f/0x340 kernel/locking/lockdep.c:5831

rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
rcu_read_lock include/linux/rcupdate.h:867 [inline]

gc_worker+0x28c/0x13d0 net/netfilter/nf_conntrack_core.c:1546

process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421

kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>

rcu: rcu_preempt kthread starved for 10479 jiffies! g17209 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0

rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:

task:rcu_preempt state:R running task stack:27416 pid:16 tgid:16 ppid:2 task_flags:0x208040 flags:0x00080000

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x149b/0x4fd0 kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6960
schedule_timeout+0x12b/0x270 kernel/time/sleep_timeout.c:99
rcu_gp_fqs_loop+0x301/0x1540 kernel/rcu/tree.c:2083
rcu_gp_kthread+0x99/0x390 kernel/rcu/tree.c:2285
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
rcu: Stack dump where RCU GP kthread last ran:

CPU: 0 UID: 0 PID: 6390 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:csd_lock_wait kernel/smp.c:342 [inline]
RIP: 0010:smp_call_function_many_cond+0xcce/0x1260 kernel/smp.c:877
Code: 01 31 ff e8 d4 97 0b 00 41 83 e5 01 49 bd 00 00 00 00 00 fc ff df 75 07 e8 7f 93 0b 00 eb 38 f3 90 42 0f b6 04 2b 84 c0 75 11 <41> f7 04 24 01 00 00 00 74 1e e8 63 93 0b 00 eb e4 44 89 e1 80 e1

RSP: 0018:ffffc900031374a0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 1ffff110170e8129 RCX: ffff8880254c9e80

RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000

RBP: ffffc900031375e0 R08: ffffffff8f822e77 R09: 1ffffffff1f045ce

R10: dffffc0000000000 R11: fffffbfff1f045cf R12: ffff8880b8740948
R13: dffffc0000000000 R14: ffff8880b863bb00 R15: 0000000000000001

FS: 0000000000000000(0000) GS:ffff888125e1e000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 000055fad049c6d8 CR3: 000000000dd3a000 CR4: 00000000003526f0

Call Trace:
<TASK>
on_each_cpu_cond_mask+0x3f/0x80 kernel/smp.c:1043
__flush_tlb_multi arch/x86/include/asm/paravirt.h:91 [inline]
flush_tlb_multi arch/x86/mm/tlb.c:1382 [inline]
flush_tlb_mm_range+0x60a/0x1170 arch/x86/mm/tlb.c:1472

tlb_flush arch/x86/include/asm/tlb.h:23 [inline]
tlb_flush_mmu_tlbonly include/asm-generic/tlb.h:490 [inline]
tlb_flush_mmu+0x1a7/0x680 mm/mmu_gather.c:403
tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
free_ldt_pgtables+0x17b/0x320 arch/x86/kernel/ldt.c:411
arch_exit_mmap arch/x86/include/asm/mmu_context.h:234 [inline]
exit_mmap+0x174/0xb10 mm/mmap.c:1263

__mmput+0x118/0x430 kernel/fork.c:1173
exit_mm+0x169/0x230 kernel/exit.c:581
do_exit+0x627/0x22f0 kernel/exit.c:959
do_group_exit+0x21c/0x2d0 kernel/exit.c:1112

get_signal+0x1285/0x1340 kernel/signal.c:3034
arch_do_signal_or_restart+0x9a/0x7a0 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
exit_to_user_mode_loop+0x87/0x4e0 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x2c1/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f175fd915dc
Code: Unable to access opcode bytes at 0x7f175fd915b2.
RSP: 002b:00007ffd6bb31250 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: 0000000000000040 RBX: 00007f1760b14620 RCX: 00007f175fd915dc
RDX: 0000000000000040 RSI: 00007f1760b14670 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffd6bb312a4 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 0000000000000000 R14: 00007f1760b14670 R15: 0000000000000000

</TASK>


Tested on:

commit: f40ddcc0 Revert "nfc/nci: Add the inconsistency check ..
git tree: net

console output: https://syzkaller.appspot.com/x/log.txt?x=16b06852580000

kernel config: https://syzkaller.appspot.com/x/.config?x=323fe5bdde2384a5
dashboard link: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=1688eb9a580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Private message regarding: [syzbot] [mm?] INFO: rcu detected stall in sys_execve (6)
Author: kapoor...@gmail.com

#syz test

From ec692e7200eec47b1067ac865b5350125acf8c48 Mon Sep 17 00:00:00 2001
From: Arnav Kapoor <kapoor...@gmail.com>
Date: Mon, 19 Jan 2026 05:30:53 +0530
Subject: [PATCH] netfilter: nf_conntrack: limit total entries processed per
gc_worker call

Limit the gc_worker to process at most 1000 entries per call to prevent
excessive run times and RCU stalls. If the limit is exceeded, reschedule
the worker to continue from the next bucket.

Reported-by: syzbot+8bb3e2...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd
---

net/netfilter/nf_conntrack_core.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_core.c
b/net/netfilter/nf_conntrack_core.c
index ff901a2b4..4ca315e8b 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c

@@ -1517,6 +1517,7 @@ static void gc_worker(struct work_struct *work)
struct conntrack_gc_work *gc_work;
unsigned int expired_count = 0;
unsigned long next_run;

+ bool early_break = false;

unsigned int bucket_count = 0;
s32 delta_time;
long count;

@@ -1561,13 +1562,18 @@ static void gc_worker(struct work_struct *work)
tmp = nf_ct_tuplehash_to_ctrack(h);
entry_count++;

- if (entry_count > 100) break;
+ if (entry_count > 1000) { early_break = true;
break; }

cond_resched();
if (expired_count > GC_SCAN_EXPIRED_MAX) {
rcu_read_unlock();

gc_work->next_bucket = i;
gc_work->avg_timeout = next_run;
+ if (early_break) {
+ rcu_read_unlock();

+ gc_work->next_bucket = i;
+ goto early_exit;
+ }

gc_work->count = count;

delta_time = nfct_time_stamp -
gc_work->start_time;
--
2.43.0

On Monday, 19 January 2026 at 05:29:05 UTC+5:30 syzbot wrote:

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering
an issue:
INFO: rcu detected stall in worker_thread

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 1-...!: (1 GPs behind) idle=3fa4/1/0x4000000000000000
softirq=23801/23814 fqs=1
rcu: (detected by 0, t=10503 jiffies, g=17209, q=7435 ncpus=2)
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 5941 Comm: kworker/1:5 Not tainted syzkaller #0
PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS

Google 10/25/2025
Workqueue: events_power_efficient gc_worker
RIP: 0010:check_region_inline mm/kasan/generic.c:185 [inline]
RIP: 0010:kasan_check_range+0x19/0x2c0 mm/kasan/generic.c:200
Code: cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 55 41
57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 ba 01 00 00 <4c> 8d 04 37 49
39 f8 0f 82 82 02 00 00 49 b9 00 00 00 00 00 80 ff
RSP: 0018:ffffc90000a08ba8 EFLAGS: 00000002
RAX: 00000000ffffff01 RBX: ffffffff99b74750 RCX: ffffffff819e9061
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffc90000a08c20
RBP: ffffc90000a08c98 R08: ffffffff99b74753 R09: 1ffffffff336e8ea
R10: dffffc0000000000 R11: fffffbfff336e8eb R12: ffffffff99b74760
R13: ffffffff99b74758 R14: 1ffffffff336e8ec R15: 1ffffffff336e8eb

FS: 0000000000000000(0000) GS:ffff888125f1e000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS

Google 10/25/2025
RIP: 0010:csd_lock_wait kernel/smp.c:342 [inline]
RIP: 0010:smp_call_function_many_cond+0xcce/0x1260 kernel/smp.c:877
Code: 01 31 ff e8 d4 97 0b 00 41 83 e5 01 49 bd 00 00 00 00 00 fc ff df 75
07 e8 7f 93 0b 00 eb 38 f3 90 42 0f b6 04 2b 84 c0 75 11 <41> f7 04 24 01
00 00 00 74 1e e8 63 93 0b 00 eb e4 44 89 e1 80 e1
RSP: 0018:ffffc900031374a0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 1ffff110170e8129 RCX: ffff8880254c9e80
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc900031375e0 R08: ffffffff8f822e77 R09: 1ffffffff1f045ce
R10: dffffc0000000000 R11: fffffbfff1f045cf R12: ffff8880b8740948

R13: dffffc0000000000 R14: ffff8880b863bb00 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff888125e1e000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

dashboard link: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file net/netfilter/nf_conntrack_core.c
Hunk #1 FAILED at 1517.
patch: **** unexpected end of file in patch

Tested on:

commit: f40ddcc0 Revert "nfc/nci: Add the inconsistency check ..
git tree: net

kernel config: https://syzkaller.appspot.com/x/.config?x=323fe5bdde2384a5
dashboard link: https://syzkaller.appspot.com/bug?extid=8bb3e2bee8a429cc76dd
compiler:

patch: https://syzkaller.appspot.com/x/patch.diff?x=15706852580000