rcu: INFO: rcu_preempt self-detected stall on CPU


白烁冉

Jan 11, 2026, 8:45:12 AM
to Johannes Berg, Kun Hu, Jiaji Qin, linux-...@vger.kernel.org, syzk...@googlegroups.com, Felix Fietkau
Dear Maintainers,

When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash was triggered.


HEAD commit: 6537cfb395f352782918d8ee7b7f10ba2cc3cbf2
git tree: upstream
Output: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/1%20rcu%3A%20INFO%3A%20rcu_preempt%20self-detected%20stall%20on%20CPU/report1.txt
Kernel config: https://github.com/pghk13/Kernel-Bug/blob/main/0219_6.13rc7_todo/config.txt
C reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/1%20rcu%3A%20INFO%3A%20rcu_preempt%20self-detected%20stall%20on%20CPU/1repro.c
Syzlang reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/1%20rcu%3A%20INFO%3A%20rcu_preempt%20self-detected%20stall%20on%20CPU/1repro.txt


The RCU self-detected stall (rcu_preempt self-detected stall) triggered by syzkaller is possibly caused by a blockage when releasing a spinlock in the mac80211 receive path's wiphy work queue. The core call may occur in include/linux/spinlock_api_smp.h at __raw_spin_unlock_irqrestore (line 152, inline) and in kernel/locking/spinlock.c at _raw_spin_unlock_irqrestore (line 194). The specific trigger happens in the wireless subsystem at net/wireless/core.c in wiphy_work_queue (line 1671) while processing received frames, concurrently with user-space tasks running in mm/mprotect.c at change_protection (line 560) and its inline functions, causing CPU0 in softirq context to hold the spinlock for an extended period, thus triggering the RCU stall.
We have reproduced this issue several times on 6.17-rc3 again.


If you confirm or fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <hu...@m.fudan.edu.cn>, Jiaji Qin <jjt...@m.fudan.edu.cn>, Shuoran Bai <baish...@hrbeu.edu.cn>


rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: 0-....: (2486 ticks this GP) idle=03fc/1/0x4000000000000000 softirq=6226/6226 fqs=460
rcu: hardirqs softirqs csw/system
rcu: number: 612959 1 0
rcu: cputime: 0 24009 0 ==> 24020(ms)
rcu: (t=10502 jiffies g=5353 q=6659 ncpus=4)
CPU: 0 UID: 0 PID: 10082 Comm: syz-executor136 Not tainted 6.17.0-rc3 #4 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:194
Code: 74 24 10 e8 2a a9 e9 fb 48 89 ef e8 32 db e9 fb 81 e3 00 02 00 00 75 29 9c 58 f6 c4 02 75 35 48 85 db 74 01 fb bf 01 00 00 00 <e8> e3 1e e4 fb 65 8b 05 74 76 23 04 85 c0 74 0e 5b 5d e9 4c d7 a7
RSP: 0018:ffa0000000003b88 EFLAGS: 00000206
RAX: 0000000000000006 RBX: 0000000000000200 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000303 RDI: 0000000000000001
RBP: ff110000276186b8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ff11000026fb5978
R13: ff110000276186b8 R14: ff11000021cf9800 R15: ffa0000000003e60
FS: 00007fe30146a700(0000) GS:ff110000b5156000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055556b7bbc48 CR3: 000000004b064000 CR4: 0000000000751ef0
PKRU: 55555554
Call Trace:
<IRQ>
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
wiphy_work_queue+0xa6/0x240 net/wireless/core.c:1671
__ieee80211_queue_skb_to_iface+0x6a/0xa0 net/mac80211/rx.c:233
ieee80211_queue_skb_to_iface net/mac80211/rx.c:244 [inline]
ieee80211_rx_h_mgmt net/mac80211/rx.c:4085 [inline]
ieee80211_rx_handlers+0x85e/0x3cd0 net/mac80211/rx.c:4160
ieee80211_invoke_rx_handlers net/mac80211/rx.c:4190 [inline]
ieee80211_prepare_and_rx_handle+0x1372/0x2820 net/mac80211/rx.c:5044
ieee80211_rx_for_interface+0x7d/0xf0 net/mac80211/rx.c:5129
__ieee80211_rx_handle_packet net/mac80211/rx.c:5285 [inline]
ieee80211_rx_list+0x82d/0x1530 net/mac80211/rx.c:5420
ieee80211_rx_napi+0x82/0x270 net/mac80211/rx.c:5443
ieee80211_rx include/net/mac80211.h:5185 [inline]
ieee80211_handle_queued_frames+0xa9/0x100 net/mac80211/main.c:441
tasklet_action_common+0xeb/0x340 kernel/softirq.c:829
handle_softirqs+0xc8/0x460 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu kernel/softirq.c:680 [inline]
irq_exit_rcu+0xc4/0x100 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa3/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:578
RIP: 0010:__sanitizer_cov_trace_pc+0x1e/0x50 kernel/kcov.c:217
Code: 90 90 90 90 90 90 90 90 90 90 90 90 55 bf 02 00 00 00 53 65 48 8b 1d d1 9a 28 08 48 8b 6c 24 10 48 89 de e8 44 ff ff ff 84 c0 <74> 20 48 8b 93 08 16 00 00 8b 8b 04 16 00 00 48 8b 02 48 83 c0 01
RSP: 0018:ffa00000024afbf0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ff110000164cc700 RCX: ffffffff818851ab
RDX: 0000000000000000 RSI: ff110000164cc700 RDI: 0000000000000002
RBP: ffffffff81884fa5 R08: 0000000000000000 R09: d211bc2f56fc6dcc
R10: 0000000000000078 R11: 0000000000000000 R12: 0000000000000041
R13: 00000000201f6000 R14: 0000000000000000 R15: 0000000000000000
change_pte_range mm/mprotect.c:283 [inline]
change_pmd_range mm/mprotect.c:409 [inline]
change_pud_range mm/mprotect.c:472 [inline]
change_p4d_range mm/mprotect.c:498 [inline]
change_protection_range mm/mprotect.c:526 [inline]
change_protection+0x1025/0x2120 mm/mprotect.c:560
change_prot_numa+0x3a/0x2e0 mm/mempolicy.c:826
task_numa_work+0x597/0xb50 kernel/sched/fair.c:3495
task_work_run+0x95/0x100 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xcf/0xf0 kernel/entry/common.c:114
exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
do_syscall_64+0x3bb/0x480 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe301cd130d
Code: c3 e8 e7 2e 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe301469cc8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: 0000000000000003 RBX: 00007fe301d66380 RCX: 00007fe301cd130d
RDX: 00000000ffffffff RSI: 0000000000000000 RDI: 0000000020000080
RBP: 00007fe301d66388 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fe301d6638c
R13: 00007ffe3471214f R14: 00007ffe34712200 R15: 00007fe301469dc0
</TASK>
2026/01/10 23:00:01 reproducing crash 'BUG: corrupted list in __netif_napi_del_locked': final repro crashed as (corrupted=false):
rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: 0-....: (2486 ticks this GP) idle=03fc/1/0x4000000000000000 softirq=6226/6226 fqs=460
rcu: hardirqs softirqs csw/system
rcu: number: 612959 1 0
rcu: cputime: 0 24009 0 ==> 24020(ms)
rcu: (t=10502 jiffies g=5353 q=6659 ncpus=4)
CPU: 0 UID: 0 PID: 10082 Comm: syz-executor136 Not tainted 6.16.0-rc7 #4 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:194
Code: 74 24 10 e8 2a a9 e9 fb 48 89 ef e8 32 db e9 fb 81 e3 00 02 00 00 75 29 9c 58 f6 c4 02 75 35 48 85 db 74 01 fb bf 01 00 00 00 <e8> e3 1e e4 fb 65 8b 05 74 76 23 04 85 c0 74 0e 5b 5d e9 4c d7 a7
RSP: 0018:ffa0000000003b88 EFLAGS: 00000206
RAX: 0000000000000006 RBX: 0000000000000200 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000303 RDI: 0000000000000001
RBP: ff110000276186b8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ff11000026fb5978
R13: ff110000276186b8 R14: ff11000021cf9800 R15: ffa0000000003e60
FS: 00007fe30146a700(0000) GS:ff110000b5156000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055556b7bbc48 CR3: 000000004b064000 CR4: 0000000000751ef0
PKRU: 55555554
Call Trace:
<IRQ>
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
wiphy_work_queue+0xa6/0x240 net/wireless/core.c:1671
__ieee80211_queue_skb_to_iface+0x6a/0xa0 net/mac80211/rx.c:233
ieee80211_queue_skb_to_iface net/mac80211/rx.c:244 [inline]
ieee80211_rx_h_mgmt net/mac80211/rx.c:4085 [inline]
ieee80211_rx_handlers+0x85e/0x3cd0 net/mac80211/rx.c:4160
ieee80211_invoke_rx_handlers net/mac80211/rx.c:4190 [inline]
ieee80211_prepare_and_rx_handle+0x1372/0x2820 net/mac80211/rx.c:5044
ieee80211_rx_for_interface+0x7d/0xf0 net/mac80211/rx.c:5129
__ieee80211_rx_handle_packet net/mac80211/rx.c:5285 [inline]
ieee80211_rx_list+0x82d/0x1530 net/mac80211/rx.c:5420
ieee80211_rx_napi+0x82/0x270 net/mac80211/rx.c:5443
ieee80211_rx include/net/mac80211.h:5185 [inline]
ieee80211_handle_queued_frames+0xa9/0x100 net/mac80211/main.c:441
tasklet_action_common+0xeb/0x340 kernel/softirq.c:829
handle_softirqs+0xc8/0x460 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu kernel/softirq.c:680 [inline]
irq_exit_rcu+0xc4/0x100 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa3/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:578
RIP: 0010:__sanitizer_cov_trace_pc+0x1e/0x50 kernel/kcov.c:217
Code: 90 90 90 90 90 90 90 90 90 90 90 90 55 bf 02 00 00 00 53 65 48 8b 1d d1 9a 28 08 48 8b 6c 24 10 48 89 de e8 44 ff ff ff 84 c0 <74> 20 48 8b 93 08 16 00 00 8b 8b 04 16 00 00 48 8b 02 48 83 c0 01
RSP: 0018:ffa00000024afbf0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ff110000164cc700 RCX: ffffffff818851ab
RDX: 0000000000000000 RSI: ff110000164cc700 RDI: 0000000000000002
RBP: ffffffff81884fa5 R08: 0000000000000000 R09: d211bc2f56fc6dcc
R10: 0000000000000078 R11: 0000000000000000 R12: 0000000000000041
R13: 00000000201f6000 R14: 0000000000000000 R15: 0000000000000000
change_pte_range mm/mprotect.c:283 [inline]
change_pmd_range mm/mprotect.c:409 [inline]
change_pud_range mm/mprotect.c:472 [inline]
change_p4d_range mm/mprotect.c:498 [inline]
change_protection_range mm/mprotect.c:526 [inline]
change_protection+0x1025/0x2120 mm/mprotect.c:560
change_prot_numa+0x3a/0x2e0 mm/mempolicy.c:826
task_numa_work+0x597/0xb50 kernel/sched/fair.c:3495
task_work_run+0x95/0x100 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xcf/0xf0 kernel/entry/common.c:114
exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
do_syscall_64+0x3bb/0x480 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe301cd130d
Code: c3 e8 e7 2e 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe301469cc8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: 0000000000000003 RBX: 00007fe301d66380 RCX: 00007fe301cd130d
RDX: 00000000ffffffff RSI: 0000000000000000 RDI: 0000000020000080
RBP: 00007fe301d66388 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fe301d6638c
R13: 00007ffe3471214f R14: 00007ffe34712200 R15: 00007fe301469dc0
</TASK>


------------------------------
thanks,
Kun Hu
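A small triage helper for stall reports of the shape pasted above, added here as an example; it is not part of the report, of syzkaller or of the kernel. It parses the rcu: counters and splits the call trace into its <IRQ> and <TASK> contexts, flags the case where the softirq counter did not advance during the grace period, and picks the first non-inline frame in each context as the first place to look. The sample input is a trimmed copy of the trace in this message; all function names are the example's own.

```python
import re
# Constructed sample: the stall header and a trimmed copy of the call trace quoted in the report.
SAMPLE = """\
rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: 0-....: (2486 ticks this GP) idle=03fc/1/0x4000000000000000 softirq=6226/6226 fqs=460
rcu: (t=10502 jiffies g=5353 q=6659 ncpus=4)
CPU: 0 UID: 0 PID: 10082 Comm: syz-executor136 Not tainted 6.17.0-rc3 #4 PREEMPT(full)
<IRQ>
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
wiphy_work_queue+0xa6/0x240 net/wireless/core.c:1671
handle_softirqs+0xc8/0x460 kernel/softirq.c:579
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:578
change_pte_range mm/mprotect.c:283 [inline]
change_protection+0x1025/0x2120 mm/mprotect.c:560
</TASK>
"""

FRAME = re.compile(r"^(?P<func>[\w.]+)(\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(?P<loc>\S+:\d+)(?P<inline>\s+\[inline\])?$")
STATS = re.compile(r"\((?P<ticks>\d+) ticks this GP\).*softirq=(?P<s0>\d+)/(?P<s1>\d+)")
GP = re.compile(r"\(t=(?P<t>\d+) jiffies g=(?P<g>\d+)")
CPU = re.compile(r"^CPU: (?P<cpu>\d+) .*PID: (?P<pid>\d+) Comm: (?P<comm>\S+) .* (?P<ver>\S+) #\d+")

def parse_stall(text):
    """Pull the rcu counters and the per-context frame lists out of a stall report."""
    info, ctx = {"frames": {}}, None
    for line in (l.strip() for l in text.splitlines()):
        for m in filter(None, (rx.search(line) for rx in (STATS, GP, CPU))):
            info.update({k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()})
        if line in ("<IRQ>", "<TASK>"):
            ctx = line.strip("<>")
            info["frames"][ctx] = []
        elif line in ("</IRQ>", "</TASK>"):
            ctx = None
        elif ctx and (m := FRAME.match(line)):
            info["frames"][ctx].append((m["func"], m["loc"], bool(m["inline"])))
    return info

def triage(info):
    """Equal softirq counts mean RCU's softirq handler has not run on this CPU since the grace
    period began (Documentation/RCU/stallwarn.rst); the <IRQ> section shows where it was caught."""
    irq, task = info["frames"].get("IRQ", []), info["frames"].get("TASK", [])
    return {
        "cpu": info["cpu"], "comm": info["comm"], "kernel": info["ver"], "gp_jiffies": info["t"],
        "rcu_softirq_starved": info["s0"] == info["s1"], "in_softirq": bool(irq),
        "softirq_frame": next((f for f in irq if not f[2]), None),  # first non-inline frame
        "interrupted_frame": next((f for f in task[1:] if not f[2]), None),  # skip asm entry frame
    }
```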

白烁冉

Jan 11, 2026, 9:27:11 AM
to Johannes Berg, Kun Hu, Jiaji Qin, linux-...@vger.kernel.org, syzk...@googlegroups.com, Felix Fietkau

白烁冉

5:32 AM
to linux-w...@vger.kernel.org, Kun Hu, Jiaji Qin, linux-...@vger.kernel.org, syzk...@googlegroups.com, Felix Fietkau, joha...@sipsolutions.net

Johannes Berg

6:00 AM
to 白烁冉, linux-w...@vger.kernel.org, Kun Hu, Jiaji Qin, linux-...@vger.kernel.org, syzk...@googlegroups.com, Felix Fietkau
Hi,

This is the third such useless report you created within less than 24
hours - please audit them before posting if they're even useful.

Also, pretty sure upstream syzkaller has been reporting the same or very
similar issues in the past, having duplicates isn't really useful.

From my perspective, this gets us nothing at all, so please stop.

johannes