lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <6811e6f.a4a0.19bad756108.Coremail.baishuoran@hrbeu.edu.cn>
Date: Sun, 11 Jan 2026 22:28:29 +0800 (GMT+08:00)
From: 白烁冉 <baishuoran@...eu.edu.cn>
To: "Johannes Berg" <johannes@...solutions.net>
Cc: "Kun Hu" <huk23@...udan.edu.cn>, "Jiaji Qin" <jjtan24@...udan.edu.cn>,
	linux-kernel@...r.kernel.org, syzkaller@...glegroups.com,
	"Felix Fietkau" <nbd@...nwrt.org>
Subject: rcu: INFO: rcu_preempt self-detected stall on CPU

Dear Maintainers,

When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash was triggered.

HEAD commit: 6537cfb395f352782918d8ee7b7f10ba2cc3cbf2
git tree: upstream
Output: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/1%20rcu%3A%20INFO%3A%20rcu_preempt%20self-detected%20stall%20on%20CPU/report1.txt
Kernel config: https://github.com/pghk13/Kernel-Bug/blob/main/0219_6.13rc7_todo/config.txt
C reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/1%20rcu%3A%20INFO%3A%20rcu_preempt%20self-detected%20stall%20on%20CPU/1repro.c
Syzlang reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/1%20rcu%3A%20INFO%3A%20rcu_preempt%20self-detected%20stall%20on%20CPU/1repro.txt

The RCU self-detected stall (rcu_preempt self-detected stall) triggered by syzkaller is possibly caused by a blockage when releasing a spinlock in the mac80211 receive path's wiphy work queue. The core call may occur in include/linux/spinlock_api_smp.h at __raw_spin_unlock_irqrestore (line 152, inline) and in kernel/locking/spinlock.c at _raw_spin_unlock_irqrestore (line 194). The specific trigger happens in the wireless subsystem at net/wireless/core.c in wiphy_work_queue (line 1671) while processing received frames, concurrently with user-space tasks running in mm/mprotect.c at change_protection (line 560) and its inline functions; this causes CPU0, in softirq context, to hold the spinlock for an extended period, thus triggering the RCU stall.
We have again reproduced this issue several times on 6.17-rc3.

If you confirm or fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <huk23@...udan.edu.cn>, Jiaji Qin <jjtan24@...udan.edu.cn>, Shuoran Bai <baishuoran@...eu.edu.cn>

rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: 	0-....: (2486 ticks this GP) idle=03fc/1/0x4000000000000000 softirq=6226/6226 fqs=460
rcu: 	         hardirqs   softirqs   csw/system
rcu: 	 number:   612959          1            0
rcu: 	cputime:        0      24009            0   ==> 24020(ms)
rcu: 	(t=10502 jiffies g=5353 q=6659 ncpus=4)
CPU: 0 UID: 0 PID: 10082 Comm: syz-executor136 Not tainted 6.17.0-rc3 #4 PREEMPT(full) 
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:194
Code: 74 24 10 e8 2a a9 e9 fb 48 89 ef e8 32 db e9 fb 81 e3 00 02 00 00 75 29 9c 58 f6 c4 02 75 35 48 85 db 74 01 fb bf 01 00 00 00 <e8> e3 1e e4 fb 65 8b 05 74 76 23 04 85 c0 74 0e 5b 5d e9 4c d7 a7
RSP: 0018:ffa0000000003b88 EFLAGS: 00000206
RAX: 0000000000000006 RBX: 0000000000000200 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000303 RDI: 0000000000000001
RBP: ff110000276186b8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ff11000026fb5978
R13: ff110000276186b8 R14: ff11000021cf9800 R15: ffa0000000003e60
FS:  00007fe30146a700(0000) GS:ff110000b5156000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055556b7bbc48 CR3: 000000004b064000 CR4: 0000000000751ef0
PKRU: 55555554
Call Trace:
 <IRQ>
 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
 wiphy_work_queue+0xa6/0x240 net/wireless/core.c:1671
 __ieee80211_queue_skb_to_iface+0x6a/0xa0 net/mac80211/rx.c:233
 ieee80211_queue_skb_to_iface net/mac80211/rx.c:244 [inline]
 ieee80211_rx_h_mgmt net/mac80211/rx.c:4085 [inline]
 ieee80211_rx_handlers+0x85e/0x3cd0 net/mac80211/rx.c:4160
 ieee80211_invoke_rx_handlers net/mac80211/rx.c:4190 [inline]
 ieee80211_prepare_and_rx_handle+0x1372/0x2820 net/mac80211/rx.c:5044
 ieee80211_rx_for_interface+0x7d/0xf0 net/mac80211/rx.c:5129
 __ieee80211_rx_handle_packet net/mac80211/rx.c:5285 [inline]
 ieee80211_rx_list+0x82d/0x1530 net/mac80211/rx.c:5420
 ieee80211_rx_napi+0x82/0x270 net/mac80211/rx.c:5443
 ieee80211_rx include/net/mac80211.h:5185 [inline]
 ieee80211_handle_queued_frames+0xa9/0x100 net/mac80211/main.c:441
 tasklet_action_common+0xeb/0x340 kernel/softirq.c:829
 handle_softirqs+0xc8/0x460 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu kernel/softirq.c:680 [inline]
 irq_exit_rcu+0xc4/0x100 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa3/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:578
RIP: 0010:__sanitizer_cov_trace_pc+0x1e/0x50 kernel/kcov.c:217
Code: 90 90 90 90 90 90 90 90 90 90 90 90 55 bf 02 00 00 00 53 65 48 8b 1d d1 9a 28 08 48 8b 6c 24 10 48 89 de e8 44 ff ff ff 84 c0 <74> 20 48 8b 93 08 16 00 00 8b 8b 04 16 00 00 48 8b 02 48 83 c0 01
RSP: 0018:ffa00000024afbf0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ff110000164cc700 RCX: ffffffff818851ab
RDX: 0000000000000000 RSI: ff110000164cc700 RDI: 0000000000000002
RBP: ffffffff81884fa5 R08: 0000000000000000 R09: d211bc2f56fc6dcc
R10: 0000000000000078 R11: 0000000000000000 R12: 0000000000000041
R13: 00000000201f6000 R14: 0000000000000000 R15: 0000000000000000
 change_pte_range mm/mprotect.c:283 [inline]
 change_pmd_range mm/mprotect.c:409 [inline]
 change_pud_range mm/mprotect.c:472 [inline]
 change_p4d_range mm/mprotect.c:498 [inline]
 change_protection_range mm/mprotect.c:526 [inline]
 change_protection+0x1025/0x2120 mm/mprotect.c:560
 change_prot_numa+0x3a/0x2e0 mm/mempolicy.c:826
 task_numa_work+0x597/0xb50 kernel/sched/fair.c:3495
 task_work_run+0x95/0x100 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xcf/0xf0 kernel/entry/common.c:114
 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
 do_syscall_64+0x3bb/0x480 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe301cd130d
Code: c3 e8 e7 2e 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe301469cc8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: 0000000000000003 RBX: 00007fe301d66380 RCX: 00007fe301cd130d
RDX: 00000000ffffffff RSI: 0000000000000000 RDI: 0000000020000080
RBP: 00007fe301d66388 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fe301d6638c
R13: 00007ffe3471214f R14: 00007ffe34712200 R15: 00007fe301469dc0
 </TASK>

2026/01/10 23:00:01 reproducing crash 'BUG: corrupted list in __netif_napi_del_locked': final repro crashed as (corrupted=false):
rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: 	0-....: (2486 ticks this GP) idle=03fc/1/0x4000000000000000 softirq=6226/6226 fqs=460
rcu: 	         hardirqs   softirqs   csw/system
rcu: 	 number:   612959          1            0
rcu: 	cputime:        0      24009            0   ==> 24020(ms)
rcu: 	(t=10502 jiffies g=5353 q=6659 ncpus=4)
CPU: 0 UID: 0 PID: 10082 Comm: syz-executor136 Not tainted 6.16.0-rc7 #4 PREEMPT(full) 
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:194
Code: 74 24 10 e8 2a a9 e9 fb 48 89 ef e8 32 db e9 fb 81 e3 00 02 00 00 75 29 9c 58 f6 c4 02 75 35 48 85 db 74 01 fb bf 01 00 00 00 <e8> e3 1e e4 fb 65 8b 05 74 76 23 04 85 c0 74 0e 5b 5d e9 4c d7 a7
RSP: 0018:ffa0000000003b88 EFLAGS: 00000206
RAX: 0000000000000006 RBX: 0000000000000200 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000303 RDI: 0000000000000001
RBP: ff110000276186b8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ff11000026fb5978
R13: ff110000276186b8 R14: ff11000021cf9800 R15: ffa0000000003e60
FS:  00007fe30146a700(0000) GS:ff110000b5156000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055556b7bbc48 CR3: 000000004b064000 CR4: 0000000000751ef0
PKRU: 55555554
Call Trace:
 <IRQ>
 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
 wiphy_work_queue+0xa6/0x240 net/wireless/core.c:1671
 __ieee80211_queue_skb_to_iface+0x6a/0xa0 net/mac80211/rx.c:233
 ieee80211_queue_skb_to_iface net/mac80211/rx.c:244 [inline]
 ieee80211_rx_h_mgmt net/mac80211/rx.c:4085 [inline]
 ieee80211_rx_handlers+0x85e/0x3cd0 net/mac80211/rx.c:4160
 ieee80211_invoke_rx_handlers net/mac80211/rx.c:4190 [inline]
 ieee80211_prepare_and_rx_handle+0x1372/0x2820 net/mac80211/rx.c:5044
 ieee80211_rx_for_interface+0x7d/0xf0 net/mac80211/rx.c:5129
 __ieee80211_rx_handle_packet net/mac80211/rx.c:5285 [inline]
 ieee80211_rx_list+0x82d/0x1530 net/mac80211/rx.c:5420
 ieee80211_rx_napi+0x82/0x270 net/mac80211/rx.c:5443
 ieee80211_rx include/net/mac80211.h:5185 [inline]
 ieee80211_handle_queued_frames+0xa9/0x100 net/mac80211/main.c:441
 tasklet_action_common+0xeb/0x340 kernel/softirq.c:829
 handle_softirqs+0xc8/0x460 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu kernel/softirq.c:680 [inline]
 irq_exit_rcu+0xc4/0x100 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa3/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:578
RIP: 0010:__sanitizer_cov_trace_pc+0x1e/0x50 kernel/kcov.c:217
Code: 90 90 90 90 90 90 90 90 90 90 90 90 55 bf 02 00 00 00 53 65 48 8b 1d d1 9a 28 08 48 8b 6c 24 10 48 89 de e8 44 ff ff ff 84 c0 <74> 20 48 8b 93 08 16 00 00 8b 8b 04 16 00 00 48 8b 02 48 83 c0 01
RSP: 0018:ffa00000024afbf0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ff110000164cc700 RCX: ffffffff818851ab
RDX: 0000000000000000 RSI: ff110000164cc700 RDI: 0000000000000002
RBP: ffffffff81884fa5 R08: 0000000000000000 R09: d211bc2f56fc6dcc
R10: 0000000000000078 R11: 0000000000000000 R12: 0000000000000041
R13: 00000000201f6000 R14: 0000000000000000 R15: 0000000000000000
 change_pte_range mm/mprotect.c:283 [inline]
 change_pmd_range mm/mprotect.c:409 [inline]
 change_pud_range mm/mprotect.c:472 [inline]
 change_p4d_range mm/mprotect.c:498 [inline]
 change_protection_range mm/mprotect.c:526 [inline]
 change_protection+0x1025/0x2120 mm/mprotect.c:560
 change_prot_numa+0x3a/0x2e0 mm/mempolicy.c:826
 task_numa_work+0x597/0xb50 kernel/sched/fair.c:3495
 task_work_run+0x95/0x100 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xcf/0xf0 kernel/entry/common.c:114
 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
 do_syscall_64+0x3bb/0x480 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe301cd130d
Code: c3 e8 e7 2e 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe301469cc8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: 0000000000000003 RBX: 00007fe301d66380 RCX: 00007fe301cd130d
RDX: 00000000ffffffff RSI: 0000000000000000 RDI: 0000000020000080
RBP: 00007fe301d66388 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fe301d6638c
R13: 00007ffe3471214f R14: 00007ffe34712200 R15: 00007fe301469dc0
 </TASK>


------------------------------
thanks,
Kun Hu
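As an added triage example (not part of this report, of the kernel, or of syzkaller), the Python below parses a stall report of the shape quoted in this message, using a constructed, abridged copy of the first trace as its input, and answers the questions a reviewer asks first: which context the stalled CPU was in (it walks the <IRQ> section looking for the softirq dispatcher frames), which non-inline frame it was stuck in, what the interrupted task was doing, and what share of the grace period's cputime the `cputime:` line charges to softirq. Everything here, including the names parse_stall_report, StallReport, FRAME_RE and SOFTIRQ_DISPATCH, is this example's own and is not a kernel or syzkaller API.

```python
"""Triage helper for 'rcu: INFO: rcu_preempt self-detected stall on CPU' reports.
Added example for this thread, not code from the report, the kernel or syzkaller.
It parses the stall banner, the CPU: line and the <IRQ>/<TASK> call-trace sections,
then says in which context the stalled CPU was spinning and in which frame.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: an abridged copy of the first trace in this message.
SAMPLE_REPORT = """\
rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: \t0-....: (2486 ticks this GP) idle=03fc/1/0x4000000000000000 softirq=6226/6226 fqs=460
rcu: \t number:   612959          1            0
rcu: \tcputime:        0      24009            0   ==> 24020(ms)
rcu: \t(t=10502 jiffies g=5353 q=6659 ncpus=4)
CPU: 0 UID: 0 PID: 10082 Comm: syz-executor136 Not tainted 6.17.0-rc3 #4 PREEMPT(full)
RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:194
Call Trace:
 <IRQ>
 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
 wiphy_work_queue+0xa6/0x240 net/wireless/core.c:1671
 __ieee80211_queue_skb_to_iface+0x6a/0xa0 net/mac80211/rx.c:233
 ieee80211_rx_h_mgmt net/mac80211/rx.c:4085 [inline]
 ieee80211_handle_queued_frames+0xa9/0x100 net/mac80211/main.c:441
 tasklet_action_common+0xeb/0x340 kernel/softirq.c:829
 handle_softirqs+0xc8/0x460 kernel/softirq.c:579
 irq_exit_rcu+0xc4/0x100 kernel/softirq.c:696
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:578
 change_pte_range mm/mprotect.c:283 [inline]
 change_protection+0x1025/0x2120 mm/mprotect.c:560
 task_numa_work+0x597/0xb50 kernel/sched/fair.c:3495
 </TASK>
"""

STALL_RE = re.compile(r"^rcu: INFO: (?P<flavor>\S+) self-detected stall on CPU")
NUMBER_RE = re.compile(r"number:\s+(?P<hardirqs>\d+)\s+(?P<softirqs>\d+)\s+(?P<csw>\d+)")
CPUTIME_RE = re.compile(r"cputime:\s+(?P<hardirq>\d+)\s+(?P<softirq>\d+)\s+(?P<task>\d+)\s+==>\s+(?P<total>\d+)\(ms\)")
TIMING_RE = re.compile(r"\(t=(?P<jiffies>\d+) jiffies g=\d+ q=\d+ ncpus=(?P<ncpus>\d+)\)")
CPU_RE = re.compile(r"^CPU: (?P<cpu>\d+) .*?PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
                    r"(?:Not tainted|Tainted:.*?) (?P<version>\d[\w.\-]*)")
# One call-trace frame: func[+off/len] path:line [inline]
FRAME_RE = re.compile(r"^\s*(?P<func>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+"
                      r"(?P<file>[\w/.\-]+):(?P<line>\d+)(?P<inline>\s+\[inline\])?")
# Frames that prove the stalled CPU was inside the softirq dispatcher.
SOFTIRQ_DISPATCH = {"handle_softirqs", "__do_softirq", "tasklet_action_common", "run_ksoftirqd"}

Frame = NamedTuple("Frame", [("func", str), ("file", str), ("line", int), ("inline", bool)])


@dataclass
class StallReport:
    flavor: str = ""
    cpu: int = -1
    comm: str = ""
    version: str = ""
    jiffies: int = 0
    counts: Dict[str, int] = field(default_factory=dict)      # hardirqs / softirqs / csw
    cputime_ms: Dict[str, int] = field(default_factory=dict)  # hardirq / softirq / task / total
    frames: Dict[str, List[Frame]] = field(default_factory=dict)

    def stalled_context(self) -> str:
        irq = self.frames.get("IRQ", [])
        if not irq:
            return "task"
        return "softirq" if any(f.func in SOFTIRQ_DISPATCH for f in irq) else "hardirq"

    def top_frame(self, ctx: str) -> Optional[Frame]:
        # First non-inline frame: inline frames live in their caller's code.
        return next((f for f in self.frames.get(ctx, []) if not f.inline), None)

    def interrupted_task_frame(self) -> Optional[Frame]:
        # What the task was doing when the timer interrupt hit it (skip the asm_* entry frame).
        return next((f for f in self.frames.get("TASK", [])
                     if not f.inline and not f.func.startswith("asm_")), None)

    def softirq_share(self) -> float:
        total = self.cputime_ms.get("total", 0)
        return self.cputime_ms.get("softirq", 0) / total if total else 0.0


def parse_stall_report(text: str) -> StallReport:
    rep, ctx = StallReport(), None            # ctx stays None until "Call Trace:"
    for line in text.splitlines():
        s = line.strip()
        if ctx is None:
            if m := STALL_RE.match(line):
                rep.flavor = m["flavor"]
            elif m := NUMBER_RE.search(line):
                rep.counts = {k: int(v) for k, v in m.groupdict().items()}
            elif m := CPUTIME_RE.search(line):
                rep.cputime_ms = {k: int(v) for k, v in m.groupdict().items()}
            elif m := TIMING_RE.search(line):
                rep.jiffies = int(m["jiffies"])
            elif m := CPU_RE.match(line):
                rep.cpu, rep.comm, rep.version = int(m["cpu"]), m["comm"], m["version"]
            elif s == "Call Trace:":
                ctx = "TASK"                  # older reports carry no <IRQ>/<TASK> markers
        elif s in ("<IRQ>", "<TASK>"):
            ctx = s.strip("<>")
        elif s in ("</IRQ>", "</TASK>"):
            ctx = "TASK"
        elif m := FRAME_RE.match(line):
            rep.frames.setdefault(ctx, []).append(
                Frame(m["func"], m["file"], int(m["line"]), bool(m["inline"])))
    return rep


if __name__ == "__main__":
    r = parse_stall_report(SAMPLE_REPORT)
    print(r.version, "CPU", r.cpu, r.comm, "context:", r.stalled_context(),
          "softirq share: %.4f" % r.softirq_share(), "stalled in:", r.top_frame("IRQ"),
          "task was in:", r.interrupted_task_frame())
```

Fed the report above, the parser returns context "softirq" with 24009 of 24020 ms charged to softirq, one softirq and zero context switches over the 10502-jiffy stall, and wiphy_work_queue as the first non-inline IRQ frame; that is the numerical form of the observation that CPU0 stayed in softirq context for the whole grace period. It is a triage heuristic, not root-cause analysis: it says where the CPU was spinning, not why the mac80211 tasklet never finished.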
