From: sanan.hasanou@gmail.com
To: tj@kernel.org, jiangshanlai@gmail.com, linux-kernel@vger.kernel.org
Cc: syzkaller@googlegroups.com, contact@pgazz.com
Subject: WARNING in delayed_work_timer_fn
Date: Fri, 26 Jun 2026 14:27:35 -0700 (PDT)
Message-ID: <6a3eeec7.ade5411d.badf0.e138@mx.google.com>
Good day, dear maintainers,

We found a bug using a modified version of syzkaller.

Kernel Branch: 7.0-rc1
Kernel Config: <https://drive.google.com/open?id=1zJHAs5GUroGFBkxAlzfDaWAd_NVPZTfJ>

Unfortunately, we don't have any reproducer for this bug yet.

Thank you!

Best regards,
Sanan Hasanov
------------[ cut here ]------------
workqueue: cannot queue hci_conn_timeout on wq hci4
WARNING: kernel/workqueue.c:2271 at __queue_work+0xd2b/0xff0 kernel/workqueue.c:2269, CPU#1: pool_workqueue_/3
Modules linked in:
CPU: 1 UID: 0 PID: 3 Comm: pool_workqueue_ Tainted: G L 7.0.0-rc1 #1 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__queue_work+0xd57/0xff0 kernel/workqueue.c:2269
Code: c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 db 15 a0 00 49 8b 75 00 48 8b 55 a8 48 81 c2 78 01 00 00 4c 89 f7 <67> 48 0f b9 3a e9 f3 fe ff ff e8 4a cd 36 00 48 8d 3d 43 9a 06 0e
RSP: 0018:ffffc900001f8bb0 EFLAGS: 00010086
RAX: 1ffff1100341314b RBX: 0000000000000100 RCX: ffff8880192f1d00
RDX: ffff88805f5fd978 RSI: ffffffff8a67ba00 RDI: ffffffff8f90ef60
RBP: ffffc900001f8c40 R08: ffffffff8f8dfdb7 R09: 1ffffffff1f1bfb6
R10: dffffc0000000000 R11: fffffbfff1f1bfb7 R12: dffffc0000000000
R13: ffff88801a098a58 R14: ffffffff8f90ef60 R15: 0000000000000008
FS: 0000000000000000(0000) GS:ffff8880ef136000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005646cf5e23c0 CR3: 0000000060a4c000 CR4: 00000000000006f0
Call Trace:
<IRQ>
delayed_work_timer_fn+0x65/0x90 kernel/workqueue.c:2500
call_timer_fn+0x167/0x640 kernel/time/timer.c:1748
expire_timers kernel/time/timer.c:1794 [inline]
__run_timers kernel/time/timer.c:2373 [inline]
__run_timer_base+0x641/0x860 kernel/time/timer.c:2385
run_timer_base kernel/time/timer.c:2394 [inline]
run_timer_softirq+0xc0/0x180 kernel/time/timer.c:2404
handle_softirqs+0x226/0x870 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x64/0x150 kernel/softirq.c:723
irq_exit_rcu+0xd/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x9b/0xc0 arch/x86/kernel/apic/apic.c:1056
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
RIP: 0010:preempt_schedule_irq+0x4c/0xa0 kernel/sched/core.c:7234
Code: 49 be 00 00 00 00 00 fc ff df eb 09 48 f7 03 10 00 00 00 74 54 bf 01 00 00 00 e8 5f df 27 f6 e8 1a 9b 60 f6 fb bf 01 00 00 00 <e8> 4f a7 ff ff 9c 58 fa a9 00 02 00 00 74 05 e8 e0 9c 60 f6 bf 01
RSP: 0018:ffffc9000014fb28 EFLAGS: 00000202
RAX: 00000000000ca7b5 RBX: ffffc9000014fbd8 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff8d71009e RDI: 0000000000000001
RBP: ffffc9000014fb38 R08: ffffffff8f8dfdb7 R09: 1ffffffff1f1bfb6
R10: dffffc0000000000 R11: fffffbfff1f1bfb7 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: 0000000000000000
raw_irqentry_exit_cond_resched+0x48/0x50 kernel/entry/common.c:196
irqentry_exit+0x155/0x610 kernel/entry/common.c:239
sysvec_reschedule_ipi+0xae/0xc0 arch/x86/kernel/smp.c:248
asm_sysvec_reschedule_ipi+0x1f/0x30 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lockdep_unregister_key+0x2d2/0x350 kernel/locking/lockdep.c:6616
Code: 0b fe ff ff 89 c6 48 c7 c7 10 ea d6 92 e8 a6 c6 cb 09 90 e9 66 fe ff ff e8 2b 32 c9 09 41 f7 c4 00 02 00 00 74 bc fb 45 84 ff <75> bb eb cc 90 0f 0b 90 e9 2b ff ff ff 90 0f 0b 90 e9 38 ff ff ff
RSP: 0018:ffffc9000014fc80 EFLAGS: 00000246
RAX: 0000000000000046 RBX: ffff888026d8b138 RCX: 0000000000000046
RDX: ffffffff90926578 RSI: ffffffff8d723c2c RDI: ffffffff8be59a80
RBP: ffffc9000014fcc0 R08: 0000000000000000 R09: ffffffff8df5b3e0
R10: ffffffff81ab1668 R11: fffffbfff1f1bfb7 R12: 0000000000000a47
R13: 0000000000001000 R14: ffff888026d8b139 R15: ffffffff90d26500
wq_unregister_lockdep kernel/workqueue.c:4902 [inline]
pwq_release_workfn+0x6e9/0x870 kernel/workqueue.c:5198
kthread_worker_fn+0x4fb/0xbe0 kernel/kthread.c:1056
kthread+0x37d/0x470 kernel/kthread.c:467
ret_from_fork+0x507/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:245
</TASK>
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 18 4c 89 e8 sbb %cl,-0x18(%rcx,%rcx,4)
4: 48 c1 e8 03 shr $0x3,%rax
8: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1)
d: 74 08 je 0x17
f: 4c 89 ef mov %r13,%rdi
12: e8 db 15 a0 00 call 0xa015f2
17: 49 8b 75 00 mov 0x0(%r13),%rsi
1b: 48 8b 55 a8 mov -0x58(%rbp),%rdx
1f: 48 81 c2 78 01 00 00 add $0x178,%rdx
26: 4c 89 f7 mov %r14,%rdi
* 29: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2e: e9 f3 fe ff ff jmp 0xffffff26
33: e8 4a cd 36 00 call 0x36cd82
38: 48 8d 3d 43 9a 06 0e lea 0xe069a43(%rip),%rdi # 0xe069a82
<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>
kthread_worker_fn+0x4fb/0xbe0
kthread+0x37d/0x470
ret_from_fork+0x507/0xb90
ret_from_fork_asm+0x11/0x20
</TASK>
Kernel panic - not syncing: kernel: panic_on_warn set ...
CPU: 1 UID: 0 PID: 3 Comm: pool_workqueue_ Tainted: G L 7.0.0-rc1 #1 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<IRQ>
__dump_stack+0x21/0x30
dump_stack_lvl+0x2b/0x150
dump_stack+0x19/0x20
vpanic+0x53e/0xa20
panic+0xb9/0xc0
__warn+0x320/0x500
__report_bug+0x28d/0x500
report_bug_entry+0x1a5/0x290
handle_bug+0xce/0x200
exc_invalid_op+0x1f/0x50
asm_exc_invalid_op+0x1f/0x30
RIP: 0010:__queue_work+0xd57/0xff0
Code: c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 db 15 a0 00 49 8b 75 00 48 8b 55 a8 48 81 c2 78 01 00 00 4c 89 f7 <67> 48 0f b9 3a e9 f3 fe ff ff e8 4a cd 36 00 48 8d 3d 43 9a 06 0e
RSP: 0018:ffffc900001f8bb0 EFLAGS: 00010086
RAX: 1ffff1100341314b RBX: 0000000000000100 RCX: ffff8880192f1d00
RDX: ffff88805f5fd978 RSI: ffffffff8a67ba00 RDI: ffffffff8f90ef60
RBP: ffffc900001f8c40 R08: ffffffff8f8dfdb7 R09: 1ffffffff1f1bfb6
R10: dffffc0000000000 R11: fffffbfff1f1bfb7 R12: dffffc0000000000
R13: ffff88801a098a58 R14: ffffffff8f90ef60 R15: 0000000000000008
delayed_work_timer_fn+0x65/0x90
call_timer_fn+0x167/0x640
__run_timer_base+0x641/0x860
run_timer_softirq+0xc0/0x180
handle_softirqs+0x226/0x870
__irq_exit_rcu+0x64/0x150
irq_exit_rcu+0xd/0x30
sysvec_apic_timer_interrupt+0x9b/0xc0
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1f/0x30
RIP: 0010:preempt_schedule_irq+0x4c/0xa0
Code: 49 be 00 00 00 00 00 fc ff df eb 09 48 f7 03 10 00 00 00 74 54 bf 01 00 00 00 e8 5f df 27 f6 e8 1a 9b 60 f6 fb bf 01 00 00 00 <e8> 4f a7 ff ff 9c 58 fa a9 00 02 00 00 74 05 e8 e0 9c 60 f6 bf 01
RSP: 0018:ffffc9000014fb28 EFLAGS: 00000202
RAX: 00000000000ca7b5 RBX: ffffc9000014fbd8 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff8d71009e RDI: 0000000000000001
RBP: ffffc9000014fb38 R08: ffffffff8f8dfdb7 R09: 1ffffffff1f1bfb6
R10: dffffc0000000000 R11: fffffbfff1f1bfb7 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: 0000000000000000
raw_irqentry_exit_cond_resched+0x48/0x50
irqentry_exit+0x155/0x610
sysvec_reschedule_ipi+0xae/0xc0
asm_sysvec_reschedule_ipi+0x1f/0x30
RIP: 0010:lockdep_unregister_key+0x2d2/0x350
Code: 0b fe ff ff 89 c6 48 c7 c7 10 ea d6 92 e8 a6 c6 cb 09 90 e9 66 fe ff ff e8 2b 32 c9 09 41 f7 c4 00 02 00 00 74 bc fb 45 84 ff <75> bb eb cc 90 0f 0b 90 e9 2b ff ff ff 90 0f 0b 90 e9 38 ff ff ff
RSP: 0018:ffffc9000014fc80 EFLAGS: 00000246
RAX: 0000000000000046 RBX: ffff888026d8b138 RCX: 0000000000000046
RDX: ffffffff90926578 RSI: ffffffff8d723c2c RDI: ffffffff8be59a80
RBP: ffffc9000014fcc0 R08: 0000000000000000 R09: ffffffff8df5b3e0
R10: ffffffff81ab1668 R11: fffffbfff1f1bfb7 R12: 0000000000000a47
R13: 0000000000001000 R14: ffff888026d8b139 R15: ffffffff90d26500
pwq_release_workfn+0x6e9/0x870
kthread_worker_fn+0x4fb/0xbe0
kthread+0x37d/0x470
ret_from_fork+0x507/0xb90
ret_from_fork_asm+0x11/0x20
</TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..
<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>