Re: [syzbot] [kernel?] WARNING in request_threaded_irq

[Thomas Gleixner <tglx@kernel.org>]

On Fri, Feb 20 2026 at 05:13, syzbot wrote:

> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    18be4ca5cb4e riscv: lib: optimize strlen loop efficiency
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git for-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1166f6e6580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=781a4eb07921464d
> dashboard link: https://syzkaller.appspot.com/bug?extid=1f1c9d0fa117b165b233
> compiler:       riscv64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> userspace arch: riscv64
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/a741b348759c/non_bootable_disk-18be4ca5.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/c6b87a8d77c4/vmlinux-18be4ca5.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/d5126373321c/Image-18be4ca5.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+1f1c9d0fa117b165b233@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> WARNING: [irq_settings_is_per_cpu_devid(desc)] kernel/irq/manage.c:2125 at request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125, CPU#1: syz.0.10/3870
> Modules linked in:
> CPU: 1 UID: 0 PID: 3870 Comm: syz.0.10 Not tainted syzkaller #0 PREEMPT 
> Hardware name: riscv-virtio,qemu (DT)
> epc : request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125
>  ra : request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125
> epc : ffffffff8032d750 ra : ffffffff8032d750 sp : ffff8f800ac67810
>  gp : ffffffff89f9df20 tp : ffffaf801c74cf80 t0 : ffffffff86391c0a
>  t1 : ffffffff9136c6e0 t2 : ffffffff8016a132 s0 : ffff8f800ac67870
>  s1 : 0000000000000000 a0 : 0000000000000005 a1 : 0000000000000000
>  a2 : 0000000000080000 a3 : ffffffff8032d750 a4 : ffff8f8004d6e1e8
>  a5 : 00000000002041e8 a6 : 0000000000000003 a7 : ffffffff86660460
>  s2 : 0000000000200000 s3 : ffffaf8011e8d000 s4 : 0000000000000005
>  s5 : ffffffff84b56ef4 s6 : ffffaf801cd37000 s7 : 0000000000000000
>  s8 : ffffffff87597e60 s9 : 0000000000020000 s10: ffffaf801cd37000
>  s11: 0000000000000001 t3 : 0000000000000001 t4 : 0000000000001fff
>  t5 : 00000000000000c8 t6 : 0000000000000002 ssp : 0000000000000000
> status: 0000000200000120 badaddr: ffffffff8032d750 cause: 0000000000000003
> [<ffffffff8032d750>] request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125
> [<ffffffff84b58918>] request_irq include/linux/interrupt.h:176 [inline]
> [<ffffffff84b58918>] parport_attach drivers/comedi/drivers/comedi_parport.c:235 [inline]
> [<ffffffff84b58918>] parport_attach+0x780/0xb14 drivers/comedi/drivers/comedi_parport.c:224
> [<ffffffff84b492bc>] comedi_device_attach+0x350/0x7ec drivers/comedi/drivers.c:1069
> [<ffffffff84b35136>] do_devconfig_ioctl+0x1a2/0x654 drivers/comedi/comedi_fops.c:928

So do_devconfig_ioctl() copies the device configuration from user space
and hands it to the comedi parport driver, which takes the random
provided interrupt number unvalidated and requests the interrupt which
trips the warning in the core code as the interrupt is marked as per CPU.

> [<ffffffff84b3dfd8>] comedi_unlocked_ioctl+0x338/0x2c10 drivers/comedi/comedi_fops.c:2240
> [<ffffffff80ca9130>] vfs_ioctl fs/ioctl.c:51 [inline]
> [<ffffffff80ca9130>] __do_sys_ioctl fs/ioctl.c:597 [inline]
> [<ffffffff80ca9130>] __se_sys_ioctl fs/ioctl.c:583 [inline]
> [<ffffffff80ca9130>] __riscv_sys_ioctl+0x17c/0x1e4 fs/ioctl.c:583
> [<ffffffff80078192>] syscall_handler+0x92/0x114 arch/riscv/include/asm/syscall.h:112
> [<ffffffff86391c0a>] do_trap_ecall_u+0x3d2/0x58c arch/riscv/kernel/traps.c:344
> [<ffffffff863bb61e>] handle_exception+0x15e/0x16a arch/riscv/kernel/entry.S:232
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup