[syzbot] [kernel?] WARNING in request_threaded_irq

[syzbot] [kernel?] WARNING in request_threaded_irq

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    18be4ca5cb4e riscv: lib: optimize strlen loop efficiency
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git for-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1166f6e6580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=781a4eb07921464d
dashboard link: https://syzkaller.appspot.com/bug?extid=1f1c9d0fa117b165b233
compiler:       riscv64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
userspace arch: riscv64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/a741b348759c/non_bootable_disk-18be4ca5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c6b87a8d77c4/vmlinux-18be4ca5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d5126373321c/Image-18be4ca5.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1f1c9d0fa117b165b233@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: [irq_settings_is_per_cpu_devid(desc)] kernel/irq/manage.c:2125 at request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125, CPU#1: syz.0.10/3870
Modules linked in:
CPU: 1 UID: 0 PID: 3870 Comm: syz.0.10 Not tainted syzkaller #0 PREEMPT 
Hardware name: riscv-virtio,qemu (DT)
epc : request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125
 ra : request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125
epc : ffffffff8032d750 ra : ffffffff8032d750 sp : ffff8f800ac67810
 gp : ffffffff89f9df20 tp : ffffaf801c74cf80 t0 : ffffffff86391c0a
 t1 : ffffffff9136c6e0 t2 : ffffffff8016a132 s0 : ffff8f800ac67870
 s1 : 0000000000000000 a0 : 0000000000000005 a1 : 0000000000000000
 a2 : 0000000000080000 a3 : ffffffff8032d750 a4 : ffff8f8004d6e1e8
 a5 : 00000000002041e8 a6 : 0000000000000003 a7 : ffffffff86660460
 s2 : 0000000000200000 s3 : ffffaf8011e8d000 s4 : 0000000000000005
 s5 : ffffffff84b56ef4 s6 : ffffaf801cd37000 s7 : 0000000000000000
 s8 : ffffffff87597e60 s9 : 0000000000020000 s10: ffffaf801cd37000
 s11: 0000000000000001 t3 : 0000000000000001 t4 : 0000000000001fff
 t5 : 00000000000000c8 t6 : 0000000000000002 ssp : 0000000000000000
status: 0000000200000120 badaddr: ffffffff8032d750 cause: 0000000000000003
[<ffffffff8032d750>] request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125
[<ffffffff84b58918>] request_irq include/linux/interrupt.h:176 [inline]
[<ffffffff84b58918>] parport_attach drivers/comedi/drivers/comedi_parport.c:235 [inline]
[<ffffffff84b58918>] parport_attach+0x780/0xb14 drivers/comedi/drivers/comedi_parport.c:224
[<ffffffff84b492bc>] comedi_device_attach+0x350/0x7ec drivers/comedi/drivers.c:1069
[<ffffffff84b35136>] do_devconfig_ioctl+0x1a2/0x654 drivers/comedi/comedi_fops.c:928
[<ffffffff84b3dfd8>] comedi_unlocked_ioctl+0x338/0x2c10 drivers/comedi/comedi_fops.c:2240
[<ffffffff80ca9130>] vfs_ioctl fs/ioctl.c:51 [inline]
[<ffffffff80ca9130>] __do_sys_ioctl fs/ioctl.c:597 [inline]
[<ffffffff80ca9130>] __se_sys_ioctl fs/ioctl.c:583 [inline]
[<ffffffff80ca9130>] __riscv_sys_ioctl+0x17c/0x1e4 fs/ioctl.c:583
[<ffffffff80078192>] syscall_handler+0x92/0x114 arch/riscv/include/asm/syscall.h:112
[<ffffffff86391c0a>] do_trap_ecall_u+0x3d2/0x58c arch/riscv/kernel/traps.c:344
[<ffffffff863bb61e>] handle_exception+0x15e/0x16a arch/riscv/kernel/entry.S:232


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [kernel?] WARNING in request_threaded_irq

[Thomas Gleixner]

On Fri, Feb 20 2026 at 05:13, syzbot wrote:

> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    18be4ca5cb4e riscv: lib: optimize strlen loop efficiency
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git for-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1166f6e6580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=781a4eb07921464d
> dashboard link: https://syzkaller.appspot.com/bug?extid=1f1c9d0fa117b165b233
> compiler:       riscv64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> userspace arch: riscv64
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/a741b348759c/non_bootable_disk-18be4ca5.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/c6b87a8d77c4/vmlinux-18be4ca5.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/d5126373321c/Image-18be4ca5.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+1f1c9d0fa117b165b233@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> WARNING: [irq_settings_is_per_cpu_devid(desc)] kernel/irq/manage.c:2125 at request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125, CPU#1: syz.0.10/3870
> Modules linked in:
> CPU: 1 UID: 0 PID: 3870 Comm: syz.0.10 Not tainted syzkaller #0 PREEMPT 
> Hardware name: riscv-virtio,qemu (DT)
> epc : request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125
>  ra : request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125
> epc : ffffffff8032d750 ra : ffffffff8032d750 sp : ffff8f800ac67810
>  gp : ffffffff89f9df20 tp : ffffaf801c74cf80 t0 : ffffffff86391c0a
>  t1 : ffffffff9136c6e0 t2 : ffffffff8016a132 s0 : ffff8f800ac67870
>  s1 : 0000000000000000 a0 : 0000000000000005 a1 : 0000000000000000
>  a2 : 0000000000080000 a3 : ffffffff8032d750 a4 : ffff8f8004d6e1e8
>  a5 : 00000000002041e8 a6 : 0000000000000003 a7 : ffffffff86660460
>  s2 : 0000000000200000 s3 : ffffaf8011e8d000 s4 : 0000000000000005
>  s5 : ffffffff84b56ef4 s6 : ffffaf801cd37000 s7 : 0000000000000000
>  s8 : ffffffff87597e60 s9 : 0000000000020000 s10: ffffaf801cd37000
>  s11: 0000000000000001 t3 : 0000000000000001 t4 : 0000000000001fff
>  t5 : 00000000000000c8 t6 : 0000000000000002 ssp : 0000000000000000
> status: 0000000200000120 badaddr: ffffffff8032d750 cause: 0000000000000003
> [<ffffffff8032d750>] request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125
> [<ffffffff84b58918>] request_irq include/linux/interrupt.h:176 [inline]
> [<ffffffff84b58918>] parport_attach drivers/comedi/drivers/comedi_parport.c:235 [inline]
> [<ffffffff84b58918>] parport_attach+0x780/0xb14 drivers/comedi/drivers/comedi_parport.c:224
> [<ffffffff84b492bc>] comedi_device_attach+0x350/0x7ec drivers/comedi/drivers.c:1069
> [<ffffffff84b35136>] do_devconfig_ioctl+0x1a2/0x654 drivers/comedi/comedi_fops.c:928

So do_devconfig_ioctl() copies the device configuration from user space
and hands it to the comedi parport driver, which takes the random
provided interrupt number unvalidated and requests the interrupt which
trips the warning in the core code as the interrupt is marked as per CPU.

> [<ffffffff84b3dfd8>] comedi_unlocked_ioctl+0x338/0x2c10 drivers/comedi/comedi_fops.c:2240
> [<ffffffff80ca9130>] vfs_ioctl fs/ioctl.c:51 [inline]
> [<ffffffff80ca9130>] __do_sys_ioctl fs/ioctl.c:597 [inline]
> [<ffffffff80ca9130>] __se_sys_ioctl fs/ioctl.c:583 [inline]
> [<ffffffff80ca9130>] __riscv_sys_ioctl+0x17c/0x1e4 fs/ioctl.c:583
> [<ffffffff80078192>] syscall_handler+0x92/0x114 arch/riscv/include/asm/syscall.h:112
> [<ffffffff86391c0a>] do_trap_ecall_u+0x3d2/0x58c arch/riscv/kernel/traps.c:344
> [<ffffffff863bb61e>] handle_exception+0x15e/0x16a arch/riscv/kernel/entry.S:232
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup

Re: [syzbot] [kernel?] WARNING in request_threaded_irq

[Ian Abbott]

On 24/02/2026 18:24, Thomas Gleixner wrote:
> On Fri, Feb 20 2026 at 05:13, syzbot wrote:
> 
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    18be4ca5cb4e riscv: lib: optimize strlen loop efficiency
>> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git for-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1166f6e6580000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=781a4eb07921464d
>> dashboard link: https://syzkaller.appspot.com/bug?extid=1f1c9d0fa117b165b233
>> compiler:       riscv64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
>> userspace arch: riscv64
>>
>> Unfortunately, I don't have any reproducer for this issue yet.
>>
>> Downloadable assets:
>> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/a741b348759c/non_bootable_disk-18be4ca5.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/c6b87a8d77c4/vmlinux-18be4ca5.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/d5126373321c/Image-18be4ca5.xz
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+1f1c9d0fa117b165b233@syzkaller.appspotmail.com
>>
>> ------------[ cut here ]------------
>> WARNING: [irq_settings_is_per_cpu_devid(desc)] kernel/irq/manage.c:2125 at request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125, CPU#1: syz.0.10/3870
>> Modules linked in:
>> CPU: 1 UID: 0 PID: 3870 Comm: syz.0.10 Not tainted syzkaller #0 PREEMPT
>> Hardware name: riscv-virtio,qemu (DT)
>> epc : request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125
>>   ra : request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125
>> epc : ffffffff8032d750 ra : ffffffff8032d750 sp : ffff8f800ac67810
>>   gp : ffffffff89f9df20 tp : ffffaf801c74cf80 t0 : ffffffff86391c0a
>>   t1 : ffffffff9136c6e0 t2 : ffffffff8016a132 s0 : ffff8f800ac67870
>>   s1 : 0000000000000000 a0 : 0000000000000005 a1 : 0000000000000000
>>   a2 : 0000000000080000 a3 : ffffffff8032d750 a4 : ffff8f8004d6e1e8
>>   a5 : 00000000002041e8 a6 : 0000000000000003 a7 : ffffffff86660460
>>   s2 : 0000000000200000 s3 : ffffaf8011e8d000 s4 : 0000000000000005
>>   s5 : ffffffff84b56ef4 s6 : ffffaf801cd37000 s7 : 0000000000000000
>>   s8 : ffffffff87597e60 s9 : 0000000000020000 s10: ffffaf801cd37000
>>   s11: 0000000000000001 t3 : 0000000000000001 t4 : 0000000000001fff
>>   t5 : 00000000000000c8 t6 : 0000000000000002 ssp : 0000000000000000
>> status: 0000000200000120 badaddr: ffffffff8032d750 cause: 0000000000000003
>> [<ffffffff8032d750>] request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125
>> [<ffffffff84b58918>] request_irq include/linux/interrupt.h:176 [inline]
>> [<ffffffff84b58918>] parport_attach drivers/comedi/drivers/comedi_parport.c:235 [inline]
>> [<ffffffff84b58918>] parport_attach+0x780/0xb14 drivers/comedi/drivers/comedi_parport.c:224
>> [<ffffffff84b492bc>] comedi_device_attach+0x350/0x7ec drivers/comedi/drivers.c:1069
>> [<ffffffff84b35136>] do_devconfig_ioctl+0x1a2/0x654 drivers/comedi/comedi_fops.c:928
> 
> So do_devconfig_ioctl() copies the device configuration from user space
> and hands it to the comedi parport driver, which takes the random
> provided interrupt number unvalidated and requests the interrupt which
> trips the warning in the core code as the interrupt is marked as per CPU.

That is by design.  It does require CAP_SYSADMIN privileges, though. 
There is similar functionality in the TTY serial drivers, for example 
(TIOCSSERIAL ioctl), although that does have a security lock-down reason 
associated with it, at least in the "serial_core" module.

> 
>> [<ffffffff84b3dfd8>] comedi_unlocked_ioctl+0x338/0x2c10 drivers/comedi/comedi_fops.c:2240
>> [<ffffffff80ca9130>] vfs_ioctl fs/ioctl.c:51 [inline]
>> [<ffffffff80ca9130>] __do_sys_ioctl fs/ioctl.c:597 [inline]
>> [<ffffffff80ca9130>] __se_sys_ioctl fs/ioctl.c:583 [inline]
>> [<ffffffff80ca9130>] __riscv_sys_ioctl+0x17c/0x1e4 fs/ioctl.c:583
>> [<ffffffff80078192>] syscall_handler+0x92/0x114 arch/riscv/include/asm/syscall.h:112
>> [<ffffffff86391c0a>] do_trap_ecall_u+0x3d2/0x58c arch/riscv/kernel/traps.c:344
>> [<ffffffff863bb61e>] handle_exception+0x15e/0x16a arch/riscv/kernel/entry.S:232
>>
>>
>> ---
>> This report is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this issue. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>>
>> If the report is already addressed, let syzbot know by replying with:
>> #syz fix: exact-commit-title
>>
>> If you want to overwrite report's subsystems, reply with:
>> #syz set subsystems: new-subsystem
>> (See the list of subsystem names on the web dashboard)
>>
>> If the report is a duplicate of another one, reply with:
>> #syz dup: exact-subject-of-another-report
>>
>> If you want to undo deduplication, reply with:
>> #syz undup


-- 
-=( Ian Abbott <abbotti@mev.co.uk> || MEV Ltd. is a company  )=-
-=( registered in England & Wales.  Regd. number: 02862268.  )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-