From: Thomas Gleixner <tglx@linutronix.de>
To: syzbot <syzbot+8b3a2e23253b50098164@syzkaller.appspotmail.com>,
	anna-maria@linutronix.de, frederic@kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Cc: Peter Zijlstra <peterz@infradead.org>, Juri Lelli <jlelli@redhat.com>
Subject: Re: [syzbot] [kernel?] WARNING in hrtimer_forward (4)
Date: Wed, 10 Sep 2025 22:07:13 +0200
Message-ID: <87qzwers0e.ffs@tglx>
In-Reply-To: <68b25b42.a70a0220.1c57d1.00f6.GAE@google.com>

On Fri, Aug 29 2025 at 19:00, syzbot wrote:

> HEAD commit:    b6add54ba618 Merge tag 'pinctrl-v6.17-2' of git://git.kern..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1130eef0580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=e1e1566c7726877e
> dashboard link: https://syzkaller.appspot.com/bug?extid=8b3a2e23253b50098164
> compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/102656909b6f/disk-b6add54b.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/fa30d1d80a47/vmlinux-b6add54b.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/c25ee8abf30a/bzImage-b6add54b.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+8b3a2e23253b50098164@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 1186 at kernel/time/hrtimer.c:1052 hrtimer_forward+0x1d6/0x2b0 kernel/time/hrtimer.c:1052
> Modules linked in:
> CPU: 1 UID: 0 PID: 1186 Comm: irq/33-virtio1- Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
> RIP: 0010:hrtimer_forward+0x1d6/0x2b0 kernel/time/hrtimer.c:1052

It complains that the timer is enqueued when it is attempted to be forwarded

> Code: 4c 89 33 48 8b 04 24 eb 07 e8 86 34 12 00 31 c0 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f 5d e9 01 d8 4d 09 cc e8 6b 34 12 00 90 <0f> 0b 90 eb df 48 89 e8 4c 09 f8 48 c1 e8 20 74 0a 48 89 e8 31 d2
> RSP: 0018:ffffc90000a78bd0 EFLAGS: 00010006
> RAX: ffffffff81ac27e5 RBX: ffff8880b883b508 RCX: ffff888026c19dc0
> RDX: 0000000000000100 RSI: 0000000000010000 RDI: 0000000000010100
> RBP: 000000000009d057 R08: 0000000000010000 R09: 0000000000010100
> R10: dffffc0000000000 R11: ffffffff8167a890 R12: ffff8880b883b520
> R13: 0000000000184487 R14: 1ffff110171076a4 R15: 0000000000000001
> FS:  0000000000000000(0000) GS:ffff8881269c2000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f95323cbf98 CR3: 0000000064088000 CR4: 00000000003526f0
> Call Trace:
>  <IRQ>
>  hrtimer_forward_now include/linux/hrtimer.h:366 [inline]
>  dl_server_timer kernel/sched/deadline.c:1193 [inline]

which is strange as this is with the timer callback itself, so it
shouldn't be enqueued, unless there is a possibility to have:

   CPU0                       CPU1
                                
   timer_expires()
      callback()              ????
        dl_task_timer()       rq_lock()
          rq_lock()             hrtimer_start()
                              rq_unlock()
           hrtimer_forward()

No idea whether that's possible, but that's the only sensible
explanation.

>  dl_task_timer+0xa42/0x12d0 kernel/sched/deadline.c:1234
>  __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
>  __hrtimer_run_queues+0x503/0xd40 kernel/time/hrtimer.c:1825
>  hrtimer_interrupt+0x45d/0xa90 kernel/time/hrtimer.c:1887
>  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1039 [inline]
>  __sysvec_apic_timer_interrupt+0x10b/0x410 arch/x86/kernel/apic/apic.c:1056
>  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
>  sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1050
>  </IRQ>
>  <TASK>
>  asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702


Thread overview: 6+ messages
2025-08-30  2:00 [syzbot] [kernel?] WARNING in hrtimer_forward (4) syzbot
2025-09-10 20:07 ` Thomas Gleixner [this message]
2025-09-11  9:15   ` Juri Lelli
2025-10-21  4:42     ` Shrikanth Hegde
2025-10-21 12:18       ` Juri Lelli
2025-10-21 12:35         ` Peter Zijlstra
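
The interleaving sketched in the message above, as an added userspace model that is not part of the thread and is not kernel code. The model_* names are hypothetical, and the model assumes the sketched ordering can occur, which the message itself leaves open.

```c
/* Constructed userspace model of the CPU0/CPU1 diagram; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

enum { STATE_INACTIVE = 0, STATE_ENQUEUED = 1 }; /* stand-ins for HRTIMER_STATE_* */

struct model_timer {
    int  state;
    long expires;
    int  warnings;   /* times the enqueued check in model_forward() fired */
};

/* Stand-in for hrtimer_start(): callable from any CPU, queues the timer. */
static void model_start(struct model_timer *t, long expires)
{
    t->expires = expires;
    t->state = STATE_ENQUEUED;
}

/* Stand-in for hrtimer_forward(): refuses an enqueued timer and warns. */
static long model_forward(struct model_timer *t, long now, long interval)
{
    long overruns = 0;

    if (t->state & STATE_ENQUEUED) {   /* the check behind the reported WARNING */
        t->warnings++;
        return 0;
    }
    while (t->expires <= now) {        /* simplified: step past 'now' */
        t->expires += interval;
        overruns++;
    }
    return overruns;
}

/* One timer expiry on CPU0, optionally with CPU1 starting the timer. */
static int model_expiry(bool cpu1_starts_timer)
{
    struct model_timer t = { STATE_ENQUEUED, 100, 0 };
    long now = 105;

    t.state = STATE_INACTIVE;          /* CPU0: dequeued before callback() runs */
    if (cpu1_starts_timer)
        model_start(&t, now + 50);     /* CPU1: rq_lock(); hrtimer_start(); rq_unlock() */
    model_forward(&t, now, 10);        /* CPU0: callback got rq_lock, now forwards */
    return t.warnings;
}

int main(void)
{
    printf("no concurrent start: %d warning(s)\n", model_expiry(false));
    printf("concurrent start:    %d warning(s)\n", model_expiry(true));
    return 0;
}
```

The model only fires the warning when the start on the second CPU lands between the dequeue and the forward, which is the window the diagram marks with "????".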
