[syzbot] [perf?] WARNING: suspicious RCU usage in get_callchain_entry

[syzbot] [perf?] WARNING: suspicious RCU usage in get_callchain_entry

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    c942a0cd3603 Merge tag 'for_linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12ef0aef180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=545d4b3e07d6ccbc
dashboard link: https://syzkaller.appspot.com/bug?extid=72a43cdb78469f7fbad1
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11c4d490980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=138bf96b180000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-c942a0cd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/02773b27b0d3/vmlinux-c942a0cd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/669bed7ebf5d/bzImage-c942a0cd.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+72a43cdb78469f7fbad1@syzkaller.appspotmail.com

=============================
WARNING: suspicious RCU usage
6.9.0-rc5-syzkaller-00159-gc942a0cd3603 #0 Not tainted
-----------------------------
kernel/events/callchain.c:161 suspicious rcu_dereference_check() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor305/5180:
 #0: ffffffff8d7b04c0 (rcu_read_lock_trace){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
 #0: ffffffff8d7b04c0 (rcu_read_lock_trace){....}-{0:0}, at: rcu_read_lock_trace include/linux/rcupdate_trace.h:57 [inline]
 #0: ffffffff8d7b04c0 (rcu_read_lock_trace){....}-{0:0}, at: bpf_prog_test_run_syscall+0x345/0x770 net/bpf/test_run.c:1508

stack backtrace:
CPU: 3 PID: 5180 Comm: syz-executor305 Not tainted 6.9.0-rc5-syzkaller-00159-gc942a0cd3603 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:114
 lockdep_rcu_suspicious+0x20b/0x3b0 kernel/locking/lockdep.c:6712
 get_callchain_entry+0x274/0x3f0 kernel/events/callchain.c:161
 get_perf_callchain+0xdc/0x5a0 kernel/events/callchain.c:187
 __bpf_get_stack+0x4d9/0x700 kernel/bpf/stackmap.c:435
 ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1985 [inline]
 bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1975
 ___bpf_prog_run+0x3e51/0xabd0 kernel/bpf/core.c:1997
 __bpf_prog_run32+0xc1/0x100 kernel/bpf/core.c:2236
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run include/linux/filter.h:664 [inline]
 bpf_prog_run_pin_on_cpu include/linux/filter.h:681 [inline]
 bpf_prog_test_run_syscall+0x3ae/0x770 net/bpf/test_run.c:1509
 bpf_prog_test_run kernel/bpf/syscall.c:4269 [inline]
 __sys_bpf+0xd56/0x4b40 kernel/bpf/syscall.c:5678
 __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]
 __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5765
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f54610dc669
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff4b9fae08 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fff4b9fafd8 RCX: 00007f54610dc669
RDX: 000000000000000c RSI: 00000000200004c0 RDI: 000000000000000a
RBP: 00007f546114f610 R08: 00007fff4b9fafd8 R09: 00007fff4b9fafd8
R10: 00007fff4b9fafd8 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fff4b9fafc8 R14: 0000000000000001 R15: 0000000000000001
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [perf?] WARNING: suspicious RCU usage in get_callchain_entry

[Qing Wang]

#syz test

diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
index da3d328f5c15..6e53c2d916cd 100644
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -460,8 +460,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 
 	max_depth = stack_map_calculate_max_depth(size, elem_size, flags);
 
-	if (may_fault)
-		rcu_read_lock(); /* need RCU for perf's callchain below */
+	rcu_read_lock(); /* need RCU for perf's callchain below */
 
 	if (trace_in) {
 		trace = trace_in;
@@ -474,8 +473,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 	}
 
 	if (unlikely(!trace) || trace->nr < skip) {
-		if (may_fault)
-			rcu_read_unlock();
+		rcu_read_unlock();
 		goto err_fault;
 	}
 

Re: [syzbot] [perf?] WARNING: suspicious RCU usage in get_callchain_entry

[Qing Wang]

#syz test

diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
index da3d328f5c15..f97d4aa9d038 100644
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -460,7 +460,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 
 	max_depth = stack_map_calculate_max_depth(size, elem_size, flags);
 
-	if (may_fault)
+	if (!trace_in)
 		rcu_read_lock(); /* need RCU for perf's callchain below */
 
 	if (trace_in) {
@@ -474,7 +474,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 	}
 
 	if (unlikely(!trace) || trace->nr < skip) {
-		if (may_fault)
+		if (!trace_in)
 			rcu_read_unlock();
 		goto err_fault;
 	}
@@ -494,7 +494,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 	}
 
 	/* trace/ips should not be dereferenced after this point */
-	if (may_fault)
+	if (!trace_in)
 		rcu_read_unlock();
 
 	if (user_build_id)

Re: [syzbot] [perf?] WARNING: suspicious RCU usage in get_callchain_entry

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: sleeping function called from invalid context in bpf_prog_test_run_syscall

BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:201
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 6641, name: syz.0.17
preempt_count: 0, expected: 0
RCU nest depth: 1, expected: 0
1 lock held by syz.0.17/6641:
 #0: ffffffff8dbc77c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8dbc77c0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #0: ffffffff8dbc77c0 (rcu_read_lock){....}-{1:3}, at: __bpf_get_stack+0x269/0xab0 kernel/bpf/stackmap.c:463
CPU: 1 UID: 0 PID: 6641 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 __might_resched+0x329/0x480 kernel/sched/core.c:8829
 __might_fault+0x76/0x130 mm/memory.c:7175
 _inline_copy_to_user include/linux/uaccess.h:201 [inline]
 _copy_to_user+0x2c/0xb0 lib/usercopy.c:26
 copy_to_user include/linux/uaccess.h:236 [inline]
 bpf_prog_test_run_syscall+0x337/0x4c0 net/bpf/test_run.c:1642
 bpf_prog_test_run+0x2cd/0x340 kernel/bpf/syscall.c:4703
 __sys_bpf+0x5cb/0x920 kernel/bpf/syscall.c:6182
 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efdae6faeb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007efdadd5e028 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007efdae975fa0 RCX: 00007efdae6faeb9
RDX: 000000000000000c RSI: 00002000000004c0 RDI: 000000000000000a
RBP: 00007efdae768c1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007efdae976038 R14: 00007efdae975fa0 R15: 00007fffcdbbfb78
 </TASK>

=============================
[ BUG: Invalid wait context ]
syzkaller #0 Tainted: G        W          
-----------------------------
syz.0.17/6641 is trying to lock:
ffff88803daa5cf0 (&mm->mmap_lock){++++}-{4:4}, at: __might_fault+0xaf/0x130 mm/memory.c:7177
other info that might help us debug this:
context-{5:5}
1 lock held by syz.0.17/6641:
 #0: ffffffff8dbc77c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8dbc77c0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #0: ffffffff8dbc77c0 (rcu_read_lock){....}-{1:3}, at: __bpf_get_stack+0x269/0xab0 kernel/bpf/stackmap.c:463
stack backtrace:
CPU: 1 UID: 0 PID: 6641 Comm: syz.0.17 Tainted: G        W           syzkaller #0 PREEMPT_{RT,(full)} 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_lock_invalid_wait_context kernel/locking/lockdep.c:4830 [inline]
 check_wait_context kernel/locking/lockdep.c:4902 [inline]
 __lock_acquire+0xec1/0x2cf0 kernel/locking/lockdep.c:5187
 lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
 __might_fault+0xcb/0x130 mm/memory.c:7177
 _inline_copy_to_user include/linux/uaccess.h:201 [inline]
 _copy_to_user+0x2c/0xb0 lib/usercopy.c:26
 copy_to_user include/linux/uaccess.h:236 [inline]
 bpf_prog_test_run_syscall+0x337/0x4c0 net/bpf/test_run.c:1642
 bpf_prog_test_run+0x2cd/0x340 kernel/bpf/syscall.c:4703
 __sys_bpf+0x5cb/0x920 kernel/bpf/syscall.c:6182
 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efdae6faeb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007efdadd5e028 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007efdae975fa0 RCX: 00007efdae6faeb9
RDX: 000000000000000c RSI: 00002000000004c0 RDI: 000000000000000a
RBP: 00007efdae768c1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007efdae976038 R14: 00007efdae975fa0 R15: 00007fffcdbbfb78
 </TASK>


Tested on:

commit:         1f97d9dc Merge tag 'vfio-v6.19-rc8' of https://github...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1573a6ef980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=151a39927f1e10b4
dashboard link: https://syzkaller.appspot.com/bug?extid=72a43cdb78469f7fbad1
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14eb785a580000

Re: [syzbot] [perf?] WARNING: suspicious RCU usage in get_callchain_entry

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+72a43cdb78469f7fbad1@syzkaller.appspotmail.com
Tested-by: syzbot+72a43cdb78469f7fbad1@syzkaller.appspotmail.com

Tested on:

commit:         1f97d9dc Merge tag 'vfio-v6.19-rc8' of https://github...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=170ba6ef980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=151a39927f1e10b4
dashboard link: https://syzkaller.appspot.com/bug?extid=72a43cdb78469f7fbad1
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13b7718a580000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [perf?] WARNING: suspicious RCU usage in get_callchain_entry

[Peter Zijlstra]

On Wed, Jan 28, 2026 at 11:55:08AM +0800, Qing Wang wrote:
> #syz test
> 
> diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
> index da3d328f5c15..f97d4aa9d038 100644
> --- a/kernel/bpf/stackmap.c
> +++ b/kernel/bpf/stackmap.c
> @@ -460,7 +460,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
>  
>  	max_depth = stack_map_calculate_max_depth(size, elem_size, flags);
>  
> -	if (may_fault)
> +	if (!trace_in)
>  		rcu_read_lock(); /* need RCU for perf's callchain below */
>  
>  	if (trace_in) {
> @@ -474,7 +474,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
>  	}
>  
>  	if (unlikely(!trace) || trace->nr < skip) {
> -		if (may_fault)
> +		if (!trace_in)
>  			rcu_read_unlock();
>  		goto err_fault;
>  	}
> @@ -494,7 +494,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
>  	}
>  
>  	/* trace/ips should not be dereferenced after this point */
> -	if (may_fault)
> +	if (!trace_in)
>  		rcu_read_unlock();
>  
>  	if (user_build_id)
> 

This is just papering over more bugs. There was a series out there
somewhere trying to fix up this code, let me see if I can find it in
this shitshow called an inbox :/

Re: [syzbot] [perf?] WARNING: suspicious RCU usage in get_callchain_entry

[Qing Wang]

On Wed, 28 Jan 2026 at 16:52, Peter Zijlstra <peterz@infradead.org> wrote:
> This is just papering over more bugs. There was a series out there
> somewhere trying to fix up this code, let me see if I can find it in
> this shitshow called an inbox :/

Thank you for reminding me. I found that fix you said.

https://lore.kernel.org/bpf/fb745675-e25c-4dcc-be4b-4a4411056755@linux.dev/T/#mf901967ebe77506f1bd6e3d876c2a85824d9519d

Let's ignore this patch :)

--
Best regards,
Qing