From: Thomas Gleixner <tglx@linutronix.de>
To: syzbot <syzbot+416b3bb7740906d1fb1e@syzkaller.appspotmail.com>,
anna-maria@linutronix.de, frederic@kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Cc: Lee Jones <lee@kernel.org>, Pavel Machek <pavel@kernel.org>,
linux-leds@vger.kernel.org,
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Subject: Re: [syzbot] [kernel?] BUG: soft lockup in tmigr_handle_remote
Date: Fri, 12 Dec 2025 15:41:34 +0900
Message-ID: <87bjk4dwwx.ffs@tglx>
In-Reply-To: <6937b688.a70a0220.38f243.00c1.GAE@google.com>
On Mon, Dec 08 2025 at 21:41, syzbot wrote:
> CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT
> Hardware name: ARM-Versatile Express
> PC is at __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:160 [inline]
> PC is at _raw_spin_unlock_irq+0x28/0x54 kernel/locking/spinlock.c:202
> LR is at tmigr_handle_remote_cpu kernel/time/timer_migration.c:1038 [inline]
> LR is at tmigr_handle_remote_up+0x268/0x4b0 kernel/time/timer_migration.c:1074
> pc : [<81abb53c>] lr : [<80346df4>] psr: 60000113
> sp : 82801be0 ip : 82801bf0 fp : 82801bec
> r10: 00000001 r9 : 00000031 r8 : b7f9d100
> r7 : ddddb488 r6 : 82801cb8 r5 : 830bf3b0 r4 : 830bf380
> r3 : 000085d1 r2 : 00000103 r1 : 830bf3b0 r0 : ddddb488
> Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
> Control: 30c5387d Table: 85dd6940 DAC: fffffffd
> Call trace:
> [<81abb514>] (_raw_spin_unlock_irq) from [<80346df4>] (tmigr_handle_remote_cpu kernel/time/timer_migration.c:1038 [inline])
> [<81abb514>] (_raw_spin_unlock_irq) from [<80346df4>] (tmigr_handle_remote_up+0x268/0x4b0 kernel/time/timer_migration.c:1074)
> [<80346b8c>] (tmigr_handle_remote_up) from [<803450a4>] (__walk_groups_from+0x3c/0xe4 kernel/time/timer_migration.c:566)
> r10:8281b500 r9:8280c820 r8:80346b8c r7:82801cb8 r6:830bf380 r5:00000002
> r4:830bf380
> [<80345068>] (__walk_groups_from) from [<8034743c>] (__walk_groups kernel/time/timer_migration.c:583 [inline])
> [<80345068>] (__walk_groups_from) from [<8034743c>] (tmigr_handle_remote+0xe8/0x108 kernel/time/timer_migration.c:1133)
> r9:82804d80 r8:00000102 r7:00000001 r6:00000082 r5:00000002 r4:dddc7488
> [<80347354>] (tmigr_handle_remote) from [<80327600>] (run_timer_softirq+0x30/0x34 kernel/time/timer.c:2408)
> r4:82804084
> [<803275d0>] (run_timer_softirq) from [<8025b55c>] (handle_softirqs+0x140/0x458 kernel/softirq.c:622)
> [<8025b41c>] (handle_softirqs) from [<8025b9d0>] (__do_softirq kernel/softirq.c:656 [inline])
> [<8025b41c>] (handle_softirqs) from [<8025b9d0>] (invoke_softirq kernel/softirq.c:496 [inline])
> [<8025b41c>] (handle_softirqs) from [<8025b9d0>] (__irq_exit_rcu+0x110/0x1d0 kernel/softirq.c:723)
> r10:00000000 r9:8281b500 r8:00000000 r7:82801dd8 r6:82443e68 r5:8247ef9c
> r4:8281b500
> [<8025b8c0>] (__irq_exit_rcu) from [<8025bd48>] (irq_exit+0x10/0x18 kernel/softirq.c:751)
> r5:8247ef9c r4:826c3a9c
> [<8025bd38>] (irq_exit) from [<81aad164>] (generic_handle_arch_irq+0x7c/0x80 kernel/irq/handle.c:295)
> [<81aad0e8>] (generic_handle_arch_irq) from [<80200bdc>] (__irq_svc+0x7c/0xbc arch/arm/kernel/entry-armv.S:228)
> Exception stack(0x82801dd8 to 0x82801e20)
> 1dc0: 00000001 00000000
> 1de0: 00008872 00008870 84121368 00000004 00000001 84121368 842d1a88 84121240
> 1e00: 00000000 82801e3c 82801e28 82801e28 81abb6cc 81abb6f4 80000013 ffffffff
> r9:8281b500 r8:842d1a88 r7:82801e0c r6:ffffffff r5:80000013 r4:81abb6f4
> [<81abb6b4>] (_raw_spin_lock) from [<809c74b8>] (class_raw_spinlock_constructor include/linux/spinlock.h:535 [inline])
> [<81abb6b4>] (_raw_spin_lock) from [<809c74b8>] (gpio_mmio_set+0x44/0x80 drivers/gpio/gpio-mmio.c:234)
> r5:00000004 r4:84121240
So this holds the gpio chip lock, with interrupts enabled, so the timer
interrupt can hit in the lock held region....
> [<809c7474>] (gpio_mmio_set) from [<809b7c74>] (gpiochip_set+0x1c/0x44 drivers/gpio/gpiolib.c:2919)
> r7:00000001 r6:00000000 r5:00000002 r4:841e1028
While on the other CPU:
> CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted syzkaller #0 PREEMPT
> Hardware name: ARM-Versatile Express
> PC is at arch_spin_lock arch/arm/include/asm/spinlock.h:74 [inline]
> PC is at do_raw_spin_lock include/linux/spinlock.h:187 [inline]
> PC is at __raw_spin_lock include/linux/spinlock_api_smp.h:134 [inline]
> PC is at _raw_spin_lock+0x40/0x58 kernel/locking/spinlock.c:154
> LR is at __raw_spin_lock include/linux/spinlock_api_smp.h:132 [inline]
> LR is at _raw_spin_lock+0x18/0x58 kernel/locking/spinlock.c:154
> pc : [<81abb6f4>] lr : [<81abb6cc>] psr: 80000113
> sp : df805d68 ip : df805d68 fp : df805d7c
> r10: 81c05450 r9 : 84121240 r8 : 842d1a88
> r7 : 84121368 r6 : 00000001 r5 : 00000001 r4 : 84121368
> r3 : 00008870 r2 : 00008871 r1 : 00000000 r0 : 00000001
> Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
> Control: 30c5387d Table: 84d295c0 DAC: 00000000
> Call trace: frame pointer underflow
> [<81abb6b4>] (_raw_spin_lock) from [<809c74b8>] (class_raw_spinlock_constructor include/linux/spinlock.h:535 [inline])
> [<81abb6b4>] (_raw_spin_lock) from [<809c74b8>] (gpio_mmio_set+0x44/0x80 drivers/gpio/gpio-mmio.c:234)
> r5:00000001 r4:84121240
> [<809c7474>] (gpio_mmio_set) from [<809b7c74>] (gpiochip_set+0x1c/0x44 drivers/gpio/gpiolib.c:2919)
> r7:00000001 r6:00000000 r5:00000000 r4:841e1000
> [<809b7c58>] (gpiochip_set) from [<809ba53c>] (gpiod_set_raw_value_commit+0x78/0x218 drivers/gpio/gpiolib.c:3662)
> [<809ba4c4>] (gpiod_set_raw_value_commit) from [<809bbddc>] (gpiod_set_value_nocheck+0x44/0x58 drivers/gpio/gpiolib.c:3881)
> r10:81c05450 r9:df805ebc r8:00000102 r7:ffffde37 r6:00000007 r5:00000001
> r4:841e1000
> [<809bbd98>] (gpiod_set_value_nocheck) from [<809bbe2c>] (gpiod_set_value+0x3c/0x88 drivers/gpio/gpiolib.c:3903)
> [<809bbdf0>] (gpiod_set_value) from [<809cc5c8>] (gpio_led_set+0x5c/0x60 drivers/leds/leds-gpio.c:57)
> r5:83315844 r4:83315844
> [<809cc56c>] (gpio_led_set) from [<809c9e60>] (__led_set_brightness drivers/leds/led-core.c:52 [inline])
> [<809cc56c>] (gpio_led_set) from [<809c9e60>] (led_set_brightness_nopm drivers/leds/led-core.c:335 [inline])
> [<809cc56c>] (gpio_led_set) from [<809c9e60>] (led_set_brightness_nosleep+0x38/0x44 drivers/leds/led-core.c:369)
> r5:83315844 r4:8444c58c
> [<809c9e28>] (led_set_brightness_nosleep) from [<809ccec4>] (led_heartbeat_function+0x84/0x144 drivers/leds/trigger/ledtrig-heartbeat.c:90)
> [<809cce40>] (led_heartbeat_function) from [<80326f70>] (call_timer_fn+0x30/0x220 kernel/time/timer.c:1748)
> r7:ffffde37 r6:809cce40 r5:8444c58c r4:83216000
> [<80326f40>] (call_timer_fn) from [<80327424>] (expire_timers kernel/time/timer.c:1799 [inline])
> [<80326f40>] (call_timer_fn) from [<80327424>] (__run_timers+0x2c4/0x3f8 kernel/time/timer.c:2373)
> r9:df805ebc r8:ffffde37 r7:00000000 r6:809cce40 r5:dddd9f00 r4:8444c58c
The timer soft interrupt tries to acquire the same lock...
7e061b462b3d ("gpio: mmio: use lock guards") got this wrong:
- unsigned long flags;
- raw_spin_lock_irqsave(&chip->lock, flags);
+ guard(raw_spinlock)(&chip->lock);
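Review bot: the added line `guard(raw_spinlock)(&chip->lock);` takes chip->lock without disabling interrupts, while the removed `raw_spin_lock_irqsave(&chip->lock, flags);` did disable them. The traces quoted above show gpio_mmio_set() being reached from timer softirq context (led_heartbeat_function via call_timer_fn), and an interrupt landing while gpio_mmio_set() is in _raw_spin_lock with IRQs on. The lock is therefore used from both task and softirq context and needs the interrupt-disabling variant. Suggest `guard(raw_spinlock_irqsave)(&chip->lock);` here, and the same check for every other raw_spin_lock_irqsave() call site that commit converted.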
No?
Thanks,
tglx