From: sanan.hasanou@gmail.com
To: tj@kernel.org, jiangshanlai@gmail.com, linux-kernel@vger.kernel.org
Cc: syzkaller@googlegroups.com, contact@pgazz.com
Subject: WARNING in delayed_work_timer_fn
Date: Fri, 26 Jun 2026 14:27:35 -0700 (PDT)
Message-ID: <6a3eeec7.ade5411d.badf0.e138@mx.google.com>
Good day, dear maintainers,

We found a bug using a modified version of syzkaller.

Kernel Branch: 7.0-rc1
Kernel Config: <https://drive.google.com/open?id=1zJHAs5GUroGFBkxAlzfDaWAd_NVPZTfJ>

Unfortunately, we don't have any reproducer for this bug yet.

Thank you!

Best regards,
Sanan Hasanov

------------[ cut here ]------------
workqueue: cannot queue hci_conn_timeout on wq hci4
WARNING: kernel/workqueue.c:2271 at __queue_work+0xd2b/0xff0 kernel/workqueue.c:2269, CPU#1: pool_workqueue_/3
Modules linked in:
CPU: 1 UID: 0 PID: 3 Comm: pool_workqueue_ Tainted: G L 7.0.0-rc1 #1 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__queue_work+0xd57/0xff0 kernel/workqueue.c:2269
Code: c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 db 15 a0 00 49 8b 75 00 48 8b 55 a8 48 81 c2 78 01 00 00 4c 89 f7 <67> 48 0f b9 3a e9 f3 fe ff ff e8 4a cd 36 00 48 8d 3d 43 9a 06 0e
RSP: 0018:ffffc900001f8bb0 EFLAGS: 00010086
RAX: 1ffff1100341314b RBX: 0000000000000100 RCX: ffff8880192f1d00
RDX: ffff88805f5fd978 RSI: ffffffff8a67ba00 RDI: ffffffff8f90ef60
RBP: ffffc900001f8c40 R08: ffffffff8f8dfdb7 R09: 1ffffffff1f1bfb6
R10: dffffc0000000000 R11: fffffbfff1f1bfb7 R12: dffffc0000000000
R13: ffff88801a098a58 R14: ffffffff8f90ef60 R15: 0000000000000008
FS: 0000000000000000(0000) GS:ffff8880ef136000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005646cf5e23c0 CR3: 0000000060a4c000 CR4: 00000000000006f0
Call Trace:
<IRQ>
delayed_work_timer_fn+0x65/0x90 kernel/workqueue.c:2500
call_timer_fn+0x167/0x640 kernel/time/timer.c:1748
expire_timers kernel/time/timer.c:1794 [inline]
__run_timers kernel/time/timer.c:2373 [inline]
__run_timer_base+0x641/0x860 kernel/time/timer.c:2385
run_timer_base kernel/time/timer.c:2394 [inline]
run_timer_softirq+0xc0/0x180 kernel/time/timer.c:2404
handle_softirqs+0x226/0x870 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x64/0x150 kernel/softirq.c:723
irq_exit_rcu+0xd/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x9b/0xc0 arch/x86/kernel/apic/apic.c:1056
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
RIP: 0010:preempt_schedule_irq+0x4c/0xa0 kernel/sched/core.c:7234
Code: 49 be 00 00 00 00 00 fc ff df eb 09 48 f7 03 10 00 00 00 74 54 bf 01 00 00 00 e8 5f df 27 f6 e8 1a 9b 60 f6 fb bf 01 00 00 00 <e8> 4f a7 ff ff 9c 58 fa a9 00 02 00 00 74 05 e8 e0 9c 60 f6 bf 01
RSP: 0018:ffffc9000014fb28 EFLAGS: 00000202
RAX: 00000000000ca7b5 RBX: ffffc9000014fbd8 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff8d71009e RDI: 0000000000000001
RBP: ffffc9000014fb38 R08: ffffffff8f8dfdb7 R09: 1ffffffff1f1bfb6
R10: dffffc0000000000 R11: fffffbfff1f1bfb7 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: 0000000000000000
raw_irqentry_exit_cond_resched+0x48/0x50 kernel/entry/common.c:196
irqentry_exit+0x155/0x610 kernel/entry/common.c:239
sysvec_reschedule_ipi+0xae/0xc0 arch/x86/kernel/smp.c:248
asm_sysvec_reschedule_ipi+0x1f/0x30 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lockdep_unregister_key+0x2d2/0x350 kernel/locking/lockdep.c:6616
Code: 0b fe ff ff 89 c6 48 c7 c7 10 ea d6 92 e8 a6 c6 cb 09 90 e9 66 fe ff ff e8 2b 32 c9 09 41 f7 c4 00 02 00 00 74 bc fb 45 84 ff <75> bb eb cc 90 0f 0b 90 e9 2b ff ff ff 90 0f 0b 90 e9 38 ff ff ff
RSP: 0018:ffffc9000014fc80 EFLAGS: 00000246
RAX: 0000000000000046 RBX: ffff888026d8b138 RCX: 0000000000000046
RDX: ffffffff90926578 RSI: ffffffff8d723c2c RDI: ffffffff8be59a80
RBP: ffffc9000014fcc0 R08: 0000000000000000 R09: ffffffff8df5b3e0
R10: ffffffff81ab1668 R11: fffffbfff1f1bfb7 R12: 0000000000000a47
R13: 0000000000001000 R14: ffff888026d8b139 R15: ffffffff90d26500
wq_unregister_lockdep kernel/workqueue.c:4902 [inline]
pwq_release_workfn+0x6e9/0x870 kernel/workqueue.c:5198
kthread_worker_fn+0x4fb/0xbe0 kernel/kthread.c:1056
kthread+0x37d/0x470 kernel/kthread.c:467
ret_from_fork+0x507/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:245
</TASK>
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 18 4c 89 e8 sbb %cl,-0x18(%rcx,%rcx,4)
4: 48 c1 e8 03 shr $0x3,%rax
8: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1)
d: 74 08 je 0x17
f: 4c 89 ef mov %r13,%rdi
12: e8 db 15 a0 00 call 0xa015f2
17: 49 8b 75 00 mov 0x0(%r13),%rsi
1b: 48 8b 55 a8 mov -0x58(%rbp),%rdx
1f: 48 81 c2 78 01 00 00 add $0x178,%rdx
26: 4c 89 f7 mov %r14,%rdi
* 29: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2e: e9 f3 fe ff ff jmp 0xffffff26
33: e8 4a cd 36 00 call 0x36cd82
38: 48 8d 3d 43 9a 06 0e lea 0xe069a43(%rip),%rdi # 0xe069a82
<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>
kthread_worker_fn+0x4fb/0xbe0
kthread+0x37d/0x470
ret_from_fork+0x507/0xb90
ret_from_fork_asm+0x11/0x20
</TASK>
Kernel panic - not syncing: kernel: panic_on_warn set ...
CPU: 1 UID: 0 PID: 3 Comm: pool_workqueue_ Tainted: G L 7.0.0-rc1 #1 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<IRQ>
__dump_stack+0x21/0x30
dump_stack_lvl+0x2b/0x150
dump_stack+0x19/0x20
vpanic+0x53e/0xa20
panic+0xb9/0xc0
__warn+0x320/0x500
__report_bug+0x28d/0x500
report_bug_entry+0x1a5/0x290
handle_bug+0xce/0x200
exc_invalid_op+0x1f/0x50
asm_exc_invalid_op+0x1f/0x30
RIP: 0010:__queue_work+0xd57/0xff0
Code: c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 db 15 a0 00 49 8b 75 00 48 8b 55 a8 48 81 c2 78 01 00 00 4c 89 f7 <67> 48 0f b9 3a e9 f3 fe ff ff e8 4a cd 36 00 48 8d 3d 43 9a 06 0e
RSP: 0018:ffffc900001f8bb0 EFLAGS: 00010086
RAX: 1ffff1100341314b RBX: 0000000000000100 RCX: ffff8880192f1d00
RDX: ffff88805f5fd978 RSI: ffffffff8a67ba00 RDI: ffffffff8f90ef60
RBP: ffffc900001f8c40 R08: ffffffff8f8dfdb7 R09: 1ffffffff1f1bfb6
R10: dffffc0000000000 R11: fffffbfff1f1bfb7 R12: dffffc0000000000
R13: ffff88801a098a58 R14: ffffffff8f90ef60 R15: 0000000000000008
delayed_work_timer_fn+0x65/0x90
call_timer_fn+0x167/0x640
__run_timer_base+0x641/0x860
run_timer_softirq+0xc0/0x180
handle_softirqs+0x226/0x870
__irq_exit_rcu+0x64/0x150
irq_exit_rcu+0xd/0x30
sysvec_apic_timer_interrupt+0x9b/0xc0
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1f/0x30
RIP: 0010:preempt_schedule_irq+0x4c/0xa0
Code: 49 be 00 00 00 00 00 fc ff df eb 09 48 f7 03 10 00 00 00 74 54 bf 01 00 00 00 e8 5f df 27 f6 e8 1a 9b 60 f6 fb bf 01 00 00 00 <e8> 4f a7 ff ff 9c 58 fa a9 00 02 00 00 74 05 e8 e0 9c 60 f6 bf 01
RSP: 0018:ffffc9000014fb28 EFLAGS: 00000202
RAX: 00000000000ca7b5 RBX: ffffc9000014fbd8 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff8d71009e RDI: 0000000000000001
RBP: ffffc9000014fb38 R08: ffffffff8f8dfdb7 R09: 1ffffffff1f1bfb6
R10: dffffc0000000000 R11: fffffbfff1f1bfb7 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: 0000000000000000
raw_irqentry_exit_cond_resched+0x48/0x50
irqentry_exit+0x155/0x610
sysvec_reschedule_ipi+0xae/0xc0
asm_sysvec_reschedule_ipi+0x1f/0x30
RIP: 0010:lockdep_unregister_key+0x2d2/0x350
Code: 0b fe ff ff 89 c6 48 c7 c7 10 ea d6 92 e8 a6 c6 cb 09 90 e9 66 fe ff ff e8 2b 32 c9 09 41 f7 c4 00 02 00 00 74 bc fb 45 84 ff <75> bb eb cc 90 0f 0b 90 e9 2b ff ff ff 90 0f 0b 90 e9 38 ff ff ff
RSP: 0018:ffffc9000014fc80 EFLAGS: 00000246
RAX: 0000000000000046 RBX: ffff888026d8b138 RCX: 0000000000000046
RDX: ffffffff90926578 RSI: ffffffff8d723c2c RDI: ffffffff8be59a80
RBP: ffffc9000014fcc0 R08: 0000000000000000 R09: ffffffff8df5b3e0
R10: ffffffff81ab1668 R11: fffffbfff1f1bfb7 R12: 0000000000000a47
R13: 0000000000001000 R14: ffff888026d8b139 R15: ffffffff90d26500
pwq_release_workfn+0x6e9/0x870
kthread_worker_fn+0x4fb/0xbe0
kthread+0x37d/0x470
ret_from_fork+0x507/0xb90
ret_from_fork_asm+0x11/0x20
</TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..
<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>