From: Thomas Gleixner <tglx@linutronix.de>
To: syzbot <syzbot+416b3bb7740906d1fb1e@syzkaller.appspotmail.com>,
anna-maria@linutronix.de, frederic@kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Cc: Lee Jones <lee@kernel.org>, Pavel Machek <pavel@kernel.org>,
linux-leds@vger.kernel.org,
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Subject: Re: [syzbot] [kernel?] BUG: soft lockup in tmigr_handle_remote
Date: Fri, 12 Dec 2025 15:41:34 +0900 [thread overview]
Message-ID: <87bjk4dwwx.ffs@tglx> (raw)
In-Reply-To: <6937b688.a70a0220.38f243.00c1.GAE@google.com>
On Mon, Dec 08 2025 at 21:41, syzbot wrote:
> CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT
> Hardware name: ARM-Versatile Express
> PC is at __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:160 [inline]
> PC is at _raw_spin_unlock_irq+0x28/0x54 kernel/locking/spinlock.c:202
> LR is at tmigr_handle_remote_cpu kernel/time/timer_migration.c:1038 [inline]
> LR is at tmigr_handle_remote_up+0x268/0x4b0 kernel/time/timer_migration.c:1074
> pc : [<81abb53c>] lr : [<80346df4>] psr: 60000113
> sp : 82801be0 ip : 82801bf0 fp : 82801bec
> r10: 00000001 r9 : 00000031 r8 : b7f9d100
> r7 : ddddb488 r6 : 82801cb8 r5 : 830bf3b0 r4 : 830bf380
> r3 : 000085d1 r2 : 00000103 r1 : 830bf3b0 r0 : ddddb488
> Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
> Control: 30c5387d Table: 85dd6940 DAC: fffffffd
> Call trace:
> [<81abb514>] (_raw_spin_unlock_irq) from [<80346df4>] (tmigr_handle_remote_cpu kernel/time/timer_migration.c:1038 [inline])
> [<81abb514>] (_raw_spin_unlock_irq) from [<80346df4>] (tmigr_handle_remote_up+0x268/0x4b0 kernel/time/timer_migration.c:1074)
> [<80346b8c>] (tmigr_handle_remote_up) from [<803450a4>] (__walk_groups_from+0x3c/0xe4 kernel/time/timer_migration.c:566)
> r10:8281b500 r9:8280c820 r8:80346b8c r7:82801cb8 r6:830bf380 r5:00000002
> r4:830bf380
> [<80345068>] (__walk_groups_from) from [<8034743c>] (__walk_groups kernel/time/timer_migration.c:583 [inline])
> [<80345068>] (__walk_groups_from) from [<8034743c>] (tmigr_handle_remote+0xe8/0x108 kernel/time/timer_migration.c:1133)
> r9:82804d80 r8:00000102 r7:00000001 r6:00000082 r5:00000002 r4:dddc7488
> [<80347354>] (tmigr_handle_remote) from [<80327600>] (run_timer_softirq+0x30/0x34 kernel/time/timer.c:2408)
> r4:82804084
> [<803275d0>] (run_timer_softirq) from [<8025b55c>] (handle_softirqs+0x140/0x458 kernel/softirq.c:622)
> [<8025b41c>] (handle_softirqs) from [<8025b9d0>] (__do_softirq kernel/softirq.c:656 [inline])
> [<8025b41c>] (handle_softirqs) from [<8025b9d0>] (invoke_softirq kernel/softirq.c:496 [inline])
> [<8025b41c>] (handle_softirqs) from [<8025b9d0>] (__irq_exit_rcu+0x110/0x1d0 kernel/softirq.c:723)
> r10:00000000 r9:8281b500 r8:00000000 r7:82801dd8 r6:82443e68 r5:8247ef9c
> r4:8281b500
> [<8025b8c0>] (__irq_exit_rcu) from [<8025bd48>] (irq_exit+0x10/0x18 kernel/softirq.c:751)
> r5:8247ef9c r4:826c3a9c
> [<8025bd38>] (irq_exit) from [<81aad164>] (generic_handle_arch_irq+0x7c/0x80 kernel/irq/handle.c:295)
> [<81aad0e8>] (generic_handle_arch_irq) from [<80200bdc>] (__irq_svc+0x7c/0xbc arch/arm/kernel/entry-armv.S:228)
> Exception stack(0x82801dd8 to 0x82801e20)
> 1dc0: 00000001 00000000
> 1de0: 00008872 00008870 84121368 00000004 00000001 84121368 842d1a88 84121240
> 1e00: 00000000 82801e3c 82801e28 82801e28 81abb6cc 81abb6f4 80000013 ffffffff
> r9:8281b500 r8:842d1a88 r7:82801e0c r6:ffffffff r5:80000013 r4:81abb6f4
> [<81abb6b4>] (_raw_spin_lock) from [<809c74b8>] (class_raw_spinlock_constructor include/linux/spinlock.h:535 [inline])
> [<81abb6b4>] (_raw_spin_lock) from [<809c74b8>] (gpio_mmio_set+0x44/0x80 drivers/gpio/gpio-mmio.c:234)
> r5:00000004 r4:84121240
So this holds the gpio chip lock, with interrupts enabled, so the timer
interrupt can hit in the lock held region....
> [<809c7474>] (gpio_mmio_set) from [<809b7c74>] (gpiochip_set+0x1c/0x44 drivers/gpio/gpiolib.c:2919)
> r7:00000001 r6:00000000 r5:00000002 r4:841e1028
While on the other CPU:
> CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted syzkaller #0 PREEMPT
> Hardware name: ARM-Versatile Express
> PC is at arch_spin_lock arch/arm/include/asm/spinlock.h:74 [inline]
> PC is at do_raw_spin_lock include/linux/spinlock.h:187 [inline]
> PC is at __raw_spin_lock include/linux/spinlock_api_smp.h:134 [inline]
> PC is at _raw_spin_lock+0x40/0x58 kernel/locking/spinlock.c:154
> LR is at __raw_spin_lock include/linux/spinlock_api_smp.h:132 [inline]
> LR is at _raw_spin_lock+0x18/0x58 kernel/locking/spinlock.c:154
> pc : [<81abb6f4>] lr : [<81abb6cc>] psr: 80000113
> sp : df805d68 ip : df805d68 fp : df805d7c
> r10: 81c05450 r9 : 84121240 r8 : 842d1a88
> r7 : 84121368 r6 : 00000001 r5 : 00000001 r4 : 84121368
> r3 : 00008870 r2 : 00008871 r1 : 00000000 r0 : 00000001
> Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
> Control: 30c5387d Table: 84d295c0 DAC: 00000000
> Call trace: frame pointer underflow
> [<81abb6b4>] (_raw_spin_lock) from [<809c74b8>] (class_raw_spinlock_constructor include/linux/spinlock.h:535 [inline])
> [<81abb6b4>] (_raw_spin_lock) from [<809c74b8>] (gpio_mmio_set+0x44/0x80 drivers/gpio/gpio-mmio.c:234)
> r5:00000001 r4:84121240
> [<809c7474>] (gpio_mmio_set) from [<809b7c74>] (gpiochip_set+0x1c/0x44 drivers/gpio/gpiolib.c:2919)
> r7:00000001 r6:00000000 r5:00000000 r4:841e1000
> [<809b7c58>] (gpiochip_set) from [<809ba53c>] (gpiod_set_raw_value_commit+0x78/0x218 drivers/gpio/gpiolib.c:3662)
> [<809ba4c4>] (gpiod_set_raw_value_commit) from [<809bbddc>] (gpiod_set_value_nocheck+0x44/0x58 drivers/gpio/gpiolib.c:3881)
> r10:81c05450 r9:df805ebc r8:00000102 r7:ffffde37 r6:00000007 r5:00000001
> r4:841e1000
> [<809bbd98>] (gpiod_set_value_nocheck) from [<809bbe2c>] (gpiod_set_value+0x3c/0x88 drivers/gpio/gpiolib.c:3903)
> [<809bbdf0>] (gpiod_set_value) from [<809cc5c8>] (gpio_led_set+0x5c/0x60 drivers/leds/leds-gpio.c:57)
> r5:83315844 r4:83315844
> [<809cc56c>] (gpio_led_set) from [<809c9e60>] (__led_set_brightness drivers/leds/led-core.c:52 [inline])
> [<809cc56c>] (gpio_led_set) from [<809c9e60>] (led_set_brightness_nopm drivers/leds/led-core.c:335 [inline])
> [<809cc56c>] (gpio_led_set) from [<809c9e60>] (led_set_brightness_nosleep+0x38/0x44 drivers/leds/led-core.c:369)
> r5:83315844 r4:8444c58c
> [<809c9e28>] (led_set_brightness_nosleep) from [<809ccec4>] (led_heartbeat_function+0x84/0x144 drivers/leds/trigger/ledtrig-heartbeat.c:90)
> [<809cce40>] (led_heartbeat_function) from [<80326f70>] (call_timer_fn+0x30/0x220 kernel/time/timer.c:1748)
> r7:ffffde37 r6:809cce40 r5:8444c58c r4:83216000
> [<80326f40>] (call_timer_fn) from [<80327424>] (expire_timers kernel/time/timer.c:1799 [inline])
> [<80326f40>] (call_timer_fn) from [<80327424>] (__run_timers+0x2c4/0x3f8 kernel/time/timer.c:2373)
> r9:df805ebc r8:ffffde37 r7:00000000 r6:809cce40 r5:dddd9f00 r4:8444c58c
The timer soft interrupt tries to aquire the same lock...
7e061b462b3d ("gpio: mmio: use lock guards") got this wrong:
- unsigned long flags;
- raw_spin_lock_irqsave(&chip->lock, flags);
+ guard(raw_spinlock)(&chip->lock);
No?
Thanks,
tglx
prev parent reply other threads:[~2025-12-12 6:41 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-09 5:41 [syzbot] [kernel?] BUG: soft lockup in tmigr_handle_remote syzbot
2025-12-12 6:41 ` Thomas Gleixner [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bjk4dwwx.ffs@tglx \
--to=tglx@linutronix.de \
--cc=anna-maria@linutronix.de \
--cc=bartosz.golaszewski@linaro.org \
--cc=frederic@kernel.org \
--cc=lee@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-leds@vger.kernel.org \
--cc=pavel@kernel.org \
--cc=syzbot+416b3bb7740906d1fb1e@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.