public inbox for linux-mm@kvack.org
From: syzbot <syzbot+2e8b7c8cf82134e81378@syzkaller.appspotmail.com>
To: Liam.Howlett@oracle.com, akpm@linux-foundation.org,
	david@kernel.org,  linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, ljs@kernel.org,  mhocko@suse.com,
	rppt@kernel.org, surenb@google.com,
	 syzkaller-bugs@googlegroups.com, vbabka@kernel.org
Subject: [syzbot] [mm?] WARNING: lock held when returning to user space in __pte_offset_map
Date: Sat, 25 Apr 2026 02:32:34 -0700	[thread overview]
Message-ID: <69ec8a32.a00a0220.1901e8.000b.GAE@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    dd6c438c3e64 Merge tag 'vfs-7.1-rc1.fixes' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=145bec36580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ed9f32dc64d6a2f2
dashboard link: https://syzkaller.appspot.com/bug?extid=2e8b7c8cf82134e81378
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/926b34cf03cd/disk-dd6c438c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/020eae7c763c/vmlinux-dd6c438c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8f652b84678d/bzImage-dd6c438c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2e8b7c8cf82134e81378@syzkaller.appspotmail.com

================================================
WARNING: lock held when returning to user space!
syzkaller #0 Not tainted
------------------------------------------------
udevd/5800 is leaving the kernel with locks still held!
1 lock held by udevd/5800:
 #0: ffffffff8dfc80c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline]
 #0: ffffffff8dfc80c0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
 #0: ffffffff8dfc80c0 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x29/0x200 mm/pgtable-generic.c:290
------------[ cut here ]------------
Voluntary context switch within RCU read-side critical section!
WARNING: kernel/rcu/tree_plugin.h:332 at rcu_note_context_switch+0xcac/0xf40 kernel/rcu/tree_plugin.h:332, CPU#0: udevd/5800
Modules linked in:
CPU: 0 UID: 0 PID: 5800 Comm: udevd Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:rcu_note_context_switch+0xcac/0xf40 kernel/rcu/tree_plugin.h:332
Code: 00 41 c6 45 00 00 48 8b 3d 21 24 e1 0d 48 81 c4 b8 00 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d e9 bb 5f ff ff 48 8d 3d 24 e7 e4 0d <67> 48 0f b9 3a e9 1b f4 ff ff 90 0f 0b 90 45 84 e4 0f 84 ea f3 ff
RSP: 0000:ffffc90004477b90 EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffff888039ac9ec0 RCX: 0000000000000002
RDX: 0000000000000000 RSI: ffffffff8ba73c40 RDI: ffffffff8f8f4250
RBP: dffffc0000000000 R08: ffffffff8f8bd1f7 R09: 1ffffffff1f17a3e
R10: dffffc0000000000 R11: fffffbfff1f17a3f R12: 0000000000000000
R13: dffffc0000000000 R14: ffff8880b883c800 R15: ffff888039aca384
FS:  00007f74fc12d880(0000) GS:ffff8881260fb000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055de63bc0d08 CR3: 0000000031232000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __schedule+0x291/0x54c0 kernel/sched/core.c:7043
 __schedule_loop kernel/sched/core.c:7267 [inline]
 schedule+0x164/0x360 kernel/sched/core.c:7282
 __exit_to_user_mode_loop kernel/entry/common.c:54 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:98 [inline]
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:252 [inline]
 irqentry_exit_to_user_mode include/linux/irq-entry-common.h:323 [inline]
 irqentry_exit+0x263/0x730 kernel/entry/common.c:162
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0033:0x7f74fc8d1a9a
Code: 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 53 48 85 ff 74 2f 48 8b 47 08 48 39 c7 74 21 48 8b 1f 48 39 df 74 19 48 89 18 <48> 89 43 08 e8 8d d9 ff ff 48 89 d8 5b c3 0f 1f 84 00 00 00 00 00
RSP: 002b:00007ffceb76a200 EFLAGS: 00010283
RAX: 000055de63bbd0b0 RBX: 000055de63bc0d00 RCX: 0000000000000000
RDX: 000055de63bbf070 RSI: 000055de63bc5ae0 RDI: 000055de63bbcf10
RBP: 000055de63bbcf10 R08: 000055de63bc5af0 R09: 0000000000000003
R10: 0000000000000000 R11: 0000000000000297 R12: 000055de3e623588
R13: 00007ffceb76a2b0 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
----------------
Code disassembly (best guess):
   0:	00 41 c6             	add    %al,-0x3a(%rcx)
   3:	45 00 00             	add    %r8b,(%r8)
   6:	48 8b 3d 21 24 e1 0d 	mov    0xde12421(%rip),%rdi        # 0xde1242e
   d:	48 81 c4 b8 00 00 00 	add    $0xb8,%rsp
  14:	5b                   	pop    %rbx
  15:	41 5c                	pop    %r12
  17:	41 5d                	pop    %r13
  19:	41 5e                	pop    %r14
  1b:	41 5f                	pop    %r15
  1d:	5d                   	pop    %rbp
  1e:	e9 bb 5f ff ff       	jmp    0xffff5fde
  23:	48 8d 3d 24 e7 e4 0d 	lea    0xde4e724(%rip),%rdi        # 0xde4e74e
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	e9 1b f4 ff ff       	jmp    0xfffff44f
  34:	90                   	nop
  35:	0f 0b                	ud2
  37:	90                   	nop
  38:	45 84 e4             	test   %r12b,%r12b
  3b:	0f                   	.byte 0xf
  3c:	84 ea                	test   %ch,%dl
  3e:	f3                   	repz
  3f:	ff                   	.byte 0xff


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
