syzbot
| ID | Workflow | Result | Correct | Bug | Created | Started | Finished | Revision | Error |
|---|---|---|---|---|---|---|---|---|---|
| d40588c5-6f05-448a-9da5-d70155848661 | repro | ❓ | INFO: rcu detected stall in sys_recvmmsg (3) | 2026/03/06 05:25 | 2026/03/06 05:25 | 2026/03/06 05:34 | 31e9c887f7dc24e04b3ca70d0d54fc34141844b0 |
{"threaded":true,"repeat":true,"procs":6,"sandbox":"none","fault_call":-1,"fault_nth":0}
r0 = socket(0x2, 0x1, 0x0)
bind(r0, &(0x7f0000000000)={0x2, 0x1234, @loopback}, 0x10)
listen(r0, 0x1)
r1 = socket(0x2, 0x1, 0x0)
connect(r1, &(0x7f0000000100)={0x2, 0x1234, @loopback}, 0x10)
r2 = accept(r0, 0x0, 0x0)
close(r1)
syscall(0x12b, r2, &(0x7f0000000200), 0x10106, 0x0, 0x0, 0x0)
31e9c887f7dc24e04b3ca70d0d54fc34141844b0
```
rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P10470/1:b..l
rcu: (detected by 1, t=10503 jiffies, g=35897, q=1106962 ncpus=2)
task:syz.0.1240 state:R running task stack:26456 pid:10470 tgid:10467 ppid:5803 task_flags:0x400040 flags:0x00080000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5295 [inline]
 __schedule+0xfee/0x6120 kernel/sched/core.c:6908
 preempt_schedule_irq+0x50/0x90 kernel/sched/core.c:7235
 irqentry_exit+0x17b/0x670 kernel/entry/common.c:239
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:lock_acquire+0x5e/0x380 kernel/locking/lockdep.c:5872
Code: 05 7b d2 28 12 83 f8 07 0f 87 f0 00 00 00 48 0f a3 05 46 a6 f4 0e 0f 82 c2 02 00 00 8b 35 2e da f4 0e 85 f6 0f 85 dd 00 00 00 <48> 8b 44 24 30 65 48 2b 05 1d d2 28 12 0f 85 02 03 00 00 48 83 c4
RSP: 0018:ffffc9000381ebe0 EFLAGS: 00000206
RAX: 0000000000000046 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff8de4ce0f RDI: ffffffff8c1af6a0
RBP: ffffffff8e7e93e0 R08: 00000000dacd92cc R09: 0000000000000007
R10: 0000000000000200 R11: 0000000000000000 R12: 0000000000000002
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 rcu_read_lock include/linux/rcupdate.h:850 [inline]
 class_rcu_constructor include/linux/rcupdate.h:1193 [inline]
 unwind_next_frame+0xd1/0x1ea0 arch/x86/kernel/unwind_orc.c:495
 arch_stack_walk+0x94/0xf0 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122
 save_stack+0x162/0x1e0 mm/page_owner.c:165
 __set_page_owner+0x8c/0x540 mm/page_owner.c:341
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2484
 folio_alloc_mpol_noprof+0x36/0x340 mm/mempolicy.c:2503
 vma_alloc_folio_noprof+0xed/0x1d0 mm/mempolicy.c:2538
 folio_prealloc mm/memory.c:1204 [inline]
 wp_page_copy mm/memory.c:3780 [inline]
 do_wp_page+0xf28/0x4f00 mm/memory.c:4241
 handle_pte_fault mm/memory.c:6332 [inline]
 __handle_mm_fault+0x1ac8/0x2b60 mm/memory.c:6454
 handle_mm_fault+0x36d/0xa20 mm/memory.c:6623
 do_user_addr_fault+0x74c/0x12f0 arch/x86/mm/fault.c:1385
 handle_page_fault arch/x86/mm/fault.c:1474 [inline]
 exc_page_fault+0x6f/0xd0 arch/x86/mm/fault.c:1527
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0010:__put_user_nocheck_4+0x3/0x10 arch/x86/lib/putuser.S:104
Code: d9 0f 01 cb 89 01 31 c9 0f 01 ca e9 97 d0 03 00 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 01 cb <89> 01 31 c9 0f 01 ca c3 cc cc cc cc 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc9000381f9d8 EFLAGS: 00050246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000020000022c030
RDX: 0000000000080000 RSI: ffffffff8954dbe1 RDI: ffff88802e1c4980
RBP: ffffc9000381fd78 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000
R13: 000020000022c000 R14: ffffc9000381fdbc R15: 0000000000000002
 ____sys_recvmsg+0x2ec/0x6b0 net/socket.c:2825
 ___sys_recvmsg+0x16a/0x1a0 net/socket.c:2854
 do_recvmmsg+0x301/0x760 net/socket.c:2949
 __sys_recvmmsg net/socket.c:3023 [inline]
 __do_sys_recvmmsg net/socket.c:3046 [inline]
 __se_sys_recvmmsg net/socket.c:3039 [inline]
 __x64_sys_recvmmsg+0x22a/0x280 net/socket.c:3039
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f95d7d9c799
RSP: 002b:00007f95d8cf8028 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007f95d8016090 RCX: 00007f95d7d9c799
RDX: 0000000000010106 RSI: 00002000000000c0 RDI: 0000000000000003
RBP: 00007f95d7e32bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f95d8016128 R14: 00007f95d8016090 R15: 00007ffec104f578
 </TASK>
```
| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/03/06 05:25 | flow | repro | 9m |
Results:map[ReproOpts:{"threaded":true,"repeat":true,"procs":6,"sandbox":"none","fault_call":-1,"fault_nth":0} ReproSyz:
r0 = socket(0x2, 0x1, 0x0)
bind(r0, &(0x7f0000000000)={0x2, 0x1234, @loopback}, 0x10)
listen(r0, 0x1)
r1 = socket(0x2, 0x1, 0x0)
connect(r1, &(0x7f0000000100)={0x2, 0x1234, @loopback}, 0x10)
r2 = accept(r0, 0x0, 0x0)
close(r1)
syscall(0x12b, r2, &(0x7f0000000200), 0x10106, 0x0, 0x0, 0x0) SyzkallerCommit:31e9c887f7dc24e04b3ca70d0d54fc34141844b0] |
| 1/1 | 2026/03/06 05:25 | action | provide-var | 0m |
Results:map[DescriptionFiles:[acpi_thermal_rel.txt aio.txt auto.txt binfmt.txt bpf.txt bpf_prog.txt bpf_trace.txt cgroup.txt damon.txt dev_ashmem.txt dev_bifrost.txt dev_binder.txt dev_binderfs.txt dev_block.txt dev_bsg.txt dev_bus_usb.txt dev_camx.txt dev_cdrom.txt dev_cec.txt dev_char_usb.txt dev_comedi.txt dev_dma_heap.txt dev_dri.txt dev_dsp.txt dev_dvb_demux.txt dev_dvb_dvr.txt dev_dvb_frontend.txt dev_fb.txt dev_floppy.txt dev_hidraw.txt dev_i2c.txt dev_i915.txt dev_img_rogue.txt dev_infiniband_rdma.txt dev_infiniband_rdma_cm.txt dev_input.txt dev_iommu.txt dev_kvm.txt dev_kvm_amd64.txt dev_kvm_arm64.txt dev_kvm_extra.txt dev_kvm_riscv64.txt dev_loop.txt dev_mali.txt dev_media.txt dev_msm.txt dev_msr.txt dev_nbd.txt dev_net_tun.txt dev_panthor.txt dev_ppp.txt dev_ptmx.txt dev_ptp.txt dev_qat_adf_ctl.txt dev_qrtr_tun.txt dev_random.txt dev_rfkill.txt dev_rtc.txt dev_sequencer.txt dev_sg.txt dev_snapshot.txt dev_snd_control.txt dev_snd_hw.txt dev_snd_midi.txt dev_snd_pcm.txt dev_snd_seq.txt dev_snd_timer.txt dev_sr.txt dev_sw_sync.txt dev_tlk_device.txt dev_trusty.txt dev_udmabuf.txt dev_uhid.txt dev_uinput.txt dev_usb_hiddev.txt dev_usbmon.txt dev_userio.txt dev_vfio.txt dev_vga_arbiter.txt dev_vhci.txt dev_video4linux.txt dev_video4linux_vim2m.txt dev_virtual_nci.txt dev_vtpm.txt fanotify.txt filesystem.txt fs_9p.txt fs_fuse.txt fs_incfs.txt fs_ioctl.txt fs_ioctl_autofs.txt fs_ioctl_btrfs.txt fs_ioctl_ext4.txt fs_ioctl_f2fs.txt fs_ioctl_fat.txt fs_ioctl_fscrypt.txt fs_ioctl_fsverity.txt fs_ioctl_xfs.txt futex.txt hafnium.txt inotify.txt io_uring.txt ipc.txt key.txt kfuzztest.txt l2cap.txt landlock.txt lsm.txt namespaces.txt net_80211.txt netfilter.txt netfilter_arp.txt netfilter_bridge.txt netfilter_ipv4.txt netfilter_ipv6.txt netfilter_ipvs.txt netfilter_targets.txt pagemap_ioctl.txt perf.txt prctl.txt quotactl.txt seccomp.txt security_apparmor.txt security_selinux.txt security_smack.txt socket.txt socket_alg.txt socket_ax25.txt socket_bluetooth.txt
socket_caif.txt socket_can.txt socket_ieee802154.txt socket_inet.txt socket_inet6.txt socket_inet_dccp.txt socket_inet_icmp.txt socket_inet_igmp.txt socket_inet_l2tp.txt socket_inet_sctp.txt socket_inet_tcp.txt socket_inet_udp.txt socket_ip_tunnel.txt socket_isdn.txt socket_kcm.txt socket_key.txt socket_llc.txt socket_netlink.txt socket_netlink_audit.txt socket_netlink_crypto.txt socket_netlink_generic.txt socket_netlink_generic_80211.txt socket_netlink_generic_batadv.txt socket_netlink_generic_devlink.txt socket_netlink_generic_ethtool.txt socket_netlink_generic_fou.txt socket_netlink_generic_gtp.txt socket_netlink_generic_mptcp.txt socket_netlink_generic_net_dm.txt socket_netlink_generic_netlabel.txt socket_netlink_generic_nfc.txt socket_netlink_generic_seg6.txt socket_netlink_generic_smc.txt socket_netlink_generic_team.txt socket_netlink_generic_wireguard.txt socket_netlink_netfilter.txt socket_netlink_netfilter_acct.txt socket_netlink_netfilter_conntrack.txt socket_netlink_netfilter_conntrack_exp.txt socket_netlink_netfilter_conntrack_helper.txt socket_netlink_netfilter_ipset.txt socket_netlink_netfilter_log.txt socket_netlink_netfilter_nft_compat.txt socket_netlink_netfilter_nftables.txt socket_netlink_netfilter_osf.txt socket_netlink_netfilter_queue.txt socket_netlink_netfilter_timeout.txt socket_netlink_rdma.txt socket_netlink_route.txt socket_netlink_route_sched.txt socket_netlink_route_sched_retired.txt socket_netlink_sock_diag.txt socket_netlink_xfrm.txt socket_netrom.txt socket_nfc.txt socket_nvme_of_tcp.txt socket_packet.txt socket_phonet.txt socket_pppox.txt socket_qipcrtr.txt socket_rds.txt socket_rose.txt socket_rxrpc.txt socket_tipc.txt socket_tipc_netlink.txt socket_unix.txt socket_vnet.txt socket_x25.txt socket_xdp.txt sys.txt uffd.txt usbip.txt vmw_vmci.txt vnet.txt vnet_mptcp.txt vusb.txt watch_queue.txt xattr.txt] SyzkallerCommit:31e9c887f7dc24e04b3ca70d0d54fc34141844b0] |
| 2/1 | 2026/03/06 05:25 | action | kernel-checkouter | 0m |
Results:map[KernelSrc:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/src/3ea2b3c0cb884f2c4ef738badeb1c102e6abd69e] |
| 3/1 | 2026/03/06 05:25 | action | kernel-builder | 5m |
Results:map[KernelObj:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/build/a7f2a59e5e3b8f0775588b3dd81c2877ce6ff30a] |
| 4/1 | 2026/03/06 05:31 | agent | crash-repro-finder | 3m |
Model:gemini-3-pro-preview
Results: map[ReproOpts:{"threaded":true,"repeat":true,"procs":6,"sandbox":"none","fault_call":-1,"fault_nth":0}]
Instruction: You are an expert in linux kernel fuzzing. Your goal is to write a syzkaller program to trigger a specific bug. Print only the syz program that could be executed directly, without backticks. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool.
Prompt: Bug Title: INFO: rcu detected stall in sys_recvmmsg
Original Crash Report: (identical to the crash report shown above)
The list of existing description files: (identical to the DescriptionFiles list in step 1/1)
Reply:
r0 = socket(0x2, 0x1, 0x0)
bind(r0, &(0x7f0000000000)={0x2, 0x1234, @loopback}, 0x10)
listen(r0, 0x1)
r1 = socket(0x2, 0x1, 0x0)
connect(r1, &(0x7f0000000100)={0x2, 0x1234, @loopback}, 0x10)
r2 = accept(r0, 0x0, 0x0)
close(r1)
syscall(0x12b, r2, &(0x7f0000000200), 0x10106, 0x0, 0x0, 0x0) |
| 5/2 | 2026/03/06 05:31 | llm | crash-repro-finder | 3m |
Model:gemini-3-pro-preview
Tokens: input: 4658 output: 48 thoughts: 22731
Thoughts:
**Reproducing the RCU Stall in sys_recvmmsg**
Okay, so I've been given a crash report that points to an RCU stall within `sys_recvmmsg`. It looks like the stall is happening deep in the memory allocation path, specifically during a page fault that's triggered by a `put_user` call inside `____sys_recvmsg`. That `put_user` is writing the `msg_flags` back to user space after a call to `sock_recvmsg` within the `recvmmsg` loop.
I see that the `recvmmsg` is called with a huge value for `vlen`, like, 65k messages, and that seems to be a crucial hint. The task is in the `R` state and showing as running; the key is that it seems to be in a lock acquire. The RCU lock in question is `rcu_read_lock`, which is being called inside the unwinder. This `rcu_read_lock` is being called via `unwind_next_frame` in `set_page_owner`. That call is part of `save_stack`, which is part of the `set_page_owner` call that happens on the memory allocation path. So it seems that the page fault is what causes this sequence.
The issue is that for each of the 65k entries, we are faulting. Then we are allocating pages to store those faults, and we are also saving a stack trace each time, which involves RCU. So for each page fault (which is triggered by our large `mmsg` array), we are doing a stack trace, which is slowing the kernel down. It may take a long time to unwind the stack for so many allocations. Because of the large number of faults, `cond_resched` may not be called as often. I can confirm this by checking `do_recvmmsg`. We are in a loop for each message, and then `cond_resched` is called.
The trace suggests that the task is in an RCU section, or the code path in the fault handler's unwinder takes a while and the stall is being detected on top. The crash report indicates a TCP socket at EOF (TCP close by the peer) causes an infinite loop in `do_recvmmsg`. With a zero-length `recvmsg`, this triggers an EOF and a loop within the syscall. This loop, coupled with page faults in the `mmsg` struct array, seems to cause the problem.
Given that the crash report specifically mentions `rcu_preempt detected stalls`, I need to create a test case that stresses this path, especially since `preempt_schedule_irq` is on the trace, which requires `CONFIG_PREEMPT`. It is possible that the sheer amount of work, combined with the RCU, means that `cond_resched()` doesn't have time to interrupt and reschedule the process and the RCU stall detector is triggered.
So, I need to create a test program in syzkaller. I need to use `recvmmsg` with a large `vlen` (65798), and a socket that returns messages quickly. I also need to make sure the memory pointed to by `mmsg` is not yet accessed to trigger page faults. This means I create a TCP connection, accept it, then close one end to simulate the EOF and then pass a large `vlen` to the `recvmmsg` syscall. I will map memory using syzkaller mmap region, and then point `mmsg` to uninitialized memory.
Because `recvmmsg` is calling `sock_recvmsg` and then `__put_user` to write back `msg_flags`, it needs to actually complete and not return a fault. This means valid `mmsg` entries with no data. If all the pointers are NULL or zeroed, it is considered a valid entry.
Given that `vlen` is explicitly set to 65798 in the crash report, I need to reproduce this exactly, which is why I'll use the generic syscall. Here's the syzkaller program I came up with:
```
r0 = socket(0x2, 0x1, 0x0)
bind(r0, &(0x7f0000000000)={0x2, 0x1234, @loopback}, 0x10)
listen(r0, 0x1)
r1 = socket(0x2, 0x1, 0x0)
connect(r1, &(0x7f0000000100)={0x2, 0x1234, @loopback}, 0
```
|
| 6/2 | 2026/03/06 05:34 | tool | set-results | 0m |
Args:map[ReproOpts:{"threaded":true,"repeat":true,"procs":6,"sandbox":"none","fault_call":-1,"fault_nth":0}]
Results: map[ReproOpts:{"threaded":true,"repeat":true,"procs":6,"sandbox":"none","fault_call":-1,"fault_nth":0}] |
| 7/2 | 2026/03/06 05:34 | llm | crash-repro-finder | 0m |
Model:gemini-3-pro-preview
Tokens: input: 28508 output: 217 thoughts: 0 |