=============================
WARNING: suspicious RCU usage
syzkaller #0 Not tainted
-----------------------------
kernel/sched/core.c:8850 Illegal context switch in RCU-sched read-side critical section!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
4 locks held by sed/7731:
#0: ffff888122c2bf40 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:592 [inline]
#0: ffff888122c2bf40 (&mm->mmap_lock){++++}-{4:4}, at: exit_mmap+0x124/0xa30 mm/mmap.c:1286
#1: ffffffff896de6e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#1: ffffffff896de6e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
#1: ffffffff896de6e0 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x2f/0x300 mm/pgtable-generic.c:288
#2: ffff888115a71078 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:341 [inline]
#2: ffff888115a71078 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: pte_offset_map_lock+0x10f/0x320 mm/pgtable-generic.c:402
#3: ffffffff896de620 (rcu_read_lock_sched){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#3: ffffffff896de620 (rcu_read_lock_sched){....}-{1:2}, at: rcu_read_lock_sched include/linux/rcupdate.h:948 [inline]
#3: ffffffff896de620 (rcu_read_lock_sched){....}-{1:2}, at: pfn_valid include/linux/mmzone.h:2197 [inline]
#3: ffffffff896de620 (rcu_read_lock_sched){....}-{1:2}, at: page_table_check_clear+0x4b/0x9e0 mm/page_table_check.c:70
stack backtrace:
CPU: 0 UID: 0 PID: 7731 Comm: sed Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
lockdep_rcu_suspicious.cold+0x4f/0xb1 kernel/locking/lockdep.c:6876
__might_resched+0x2e0/0x330 kernel/sched/core.c:8850
usb_kill_urb+0x8e/0x320 drivers/usb/core/urb.c:705
usb_tx_block+0x91/0x320 drivers/net/wireless/marvell/libertas/if_usb.c:429
if_usb_send_fw_pkt.isra.0+0x2e4/0x550 drivers/net/wireless/marvell/libertas/if_usb.c:366
if_usb_receive_fwload+0x5d3/0x780 drivers/net/wireless/marvell/libertas/if_usb.c:592
__usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
dummy_timer+0xd85/0x3670 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1785 [inline]
__hrtimer_run_queues+0x50e/0xa70 kernel/time/hrtimer.c:1849
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1866
handle_softirqs+0x1de/0x9d0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1056
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]
RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]
RIP: 0010:rcu_is_watching_curr_cpu include/linux/context_tracking.h:128 [inline]
RIP: 0010:rcu_is_watching+0x5c/0xc0 kernel/rcu/tree.c:752
Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 5c 48 03 1c ed e0 7b 1a 89 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 24 8b
RSP: 0018:ffffc90014337660 EFLAGS: 00000a02
RAX: dffffc0000000000 RBX: ffff8881f5633928 RCX: ffffffff821ac39e
RDX: 1ffff1103eac6725 RSI: ffffffff87afc620 RDI: ffffffff891a7be0
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000008
R13: 0000000000000001 R14: 0000000000000001 R15: ffff888114ed51e0
trace_lock_release include/trace/events/lock.h:69 [inline]
lock_release+0x263/0x320 kernel/locking/lockdep.c:5879
rcu_lock_release include/linux/rcupdate.h:322 [inline]
rcu_read_unlock_sched include/linux/rcupdate.h:972 [inline]
pfn_valid include/linux/mmzone.h:2207 [inline]
page_table_check_clear+0x17a/0x9e0 mm/page_table_check.c:70
__page_table_check_pte_clear+0xf1/0x100 mm/page_table_check.c:155
page_table_check_pte_clear include/linux/page_table_check.h:55 [inline]
ptep_get_and_clear_full arch/x86/include/asm/pgtable.h:1271 [inline]
get_and_clear_full_ptes include/linux/pgtable.h:846 [inline]
zap_present_folio_ptes mm/memory.c:1643 [inline]
zap_present_ptes mm/memory.c:1725 [inline]
do_zap_pte_range mm/memory.c:1827 [inline]
zap_pte_range mm/memory.c:1929 [inline]
zap_pmd_range mm/memory.c:2021 [inline]
zap_pud_range mm/memory.c:2049 [inline]
zap_p4d_range mm/memory.c:2070 [inline]
unmap_page_range+0x2283/0x3d80 mm/memory.c:2091
unmap_single_vma+0x153/0x240 mm/memory.c:2133
unmap_vmas+0x295/0x590 mm/memory.c:2171
exit_mmap+0x1ef/0xa30 mm/mmap.c:1302
__mmput kernel/fork.c:1175 [inline]
mmput+0xe0/0x430 kernel/fork.c:1198
exit_mm kernel/exit.c:581 [inline]
do_exit+0x819/0x2b60 kernel/exit.c:964
do_group_exit+0xd5/0x2a0 kernel/exit.c:1118
__do_sys_exit_group kernel/exit.c:1129 [inline]
__se_sys_exit_group kernel/exit.c:1127 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1127
x64_sys_call+0x102c/0x1530 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x106/0x7b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff7533816c5
Code: Unable to access opcode bytes at 0x7ff75338169b.
RSP: 002b:00007ffdfa78b148 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007ff753482fe8 RCX: 00007ff7533816c5
RDX: 00000000000000e7 RSI: ffffffffffffff88 RDI: 0000000000000000
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ff753481680 R15: 00007ff753483000
</TASK>
BUG: sleeping function called from invalid context at drivers/usb/core/urb.c:705
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 7731, name: sed
preempt_count: 103, expected: 0
RCU nest depth: 1, expected: 0
4 locks held by sed/7731:
#0: ffff888122c2bf40 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:592 [inline]
#0: ffff888122c2bf40 (&mm->mmap_lock){++++}-{4:4}, at: exit_mmap+0x124/0xa30 mm/mmap.c:1286
#1: ffffffff896de6e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#1: ffffffff896de6e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
#1: ffffffff896de6e0 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x2f/0x300 mm/pgtable-generic.c:288
#2: ffff888115a71078 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:341 [inline]
#2: ffff888115a71078 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: pte_offset_map_lock+0x10f/0x320 mm/pgtable-generic.c:402
#3: ffffffff896de620 (rcu_read_lock_sched){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#3: ffffffff896de620 (rcu_read_lock_sched){....}-{1:2}, at: rcu_read_lock_sched include/linux/rcupdate.h:948 [inline]
#3: ffffffff896de620 (rcu_read_lock_sched){....}-{1:2}, at: pfn_valid include/linux/mmzone.h:2197 [inline]
#3: ffffffff896de620 (rcu_read_lock_sched){....}-{1:2}, at: page_table_check_clear+0x4b/0x9e0 mm/page_table_check.c:70
irq event stamp: 11419
hardirqs last enabled at (11418): [<ffffffff876bc0e2>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:178 [inline]
hardirqs last enabled at (11418): [<ffffffff876bc0e2>] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194
hardirqs last disabled at (11419): [<ffffffff876bbdf2>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:130 [inline]
hardirqs last disabled at (11419): [<ffffffff876bbdf2>] _raw_spin_lock_irqsave+0x52/0x60 kernel/locking/spinlock.c:162
softirqs last enabled at (11412): [<ffffffff8177040d>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (11412): [<ffffffff8177040d>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (11412): [<ffffffff8177040d>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
softirqs last disabled at (11415): [<ffffffff8177040d>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (11415): [<ffffffff8177040d>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (11415): [<ffffffff8177040d>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 UID: 0 PID: 7731 Comm: sed Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
__might_resched.cold+0x1ec/0x232 kernel/sched/core.c:8888
usb_kill_urb+0x8e/0x320 drivers/usb/core/urb.c:705
usb_tx_block+0x91/0x320 drivers/net/wireless/marvell/libertas/if_usb.c:429
if_usb_send_fw_pkt.isra.0+0x2e4/0x550 drivers/net/wireless/marvell/libertas/if_usb.c:366
if_usb_receive_fwload+0x5d3/0x780 drivers/net/wireless/marvell/libertas/if_usb.c:592
__usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
dummy_timer+0xd85/0x3670 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1785 [inline]
__hrtimer_run_queues+0x50e/0xa70 kernel/time/hrtimer.c:1849
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1866
handle_softirqs+0x1de/0x9d0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1056
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]
RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]
RIP: 0010:rcu_is_watching_curr_cpu include/linux/context_tracking.h:128 [inline]
RIP: 0010:rcu_is_watching+0x5c/0xc0 kernel/rcu/tree.c:752
Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 5c 48 03 1c ed e0 7b 1a 89 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 24 8b
RSP: 0018:ffffc90014337660 EFLAGS: 00000a02
RAX: dffffc0000000000 RBX: ffff8881f5633928 RCX: ffffffff821ac39e
RDX: 1ffff1103eac6725 RSI: ffffffff87afc620 RDI: ffffffff891a7be0
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000008
R13: 0000000000000001 R14: 0000000000000001 R15: ffff888114ed51e0
trace_lock_release include/trace/events/lock.h:69 [inline]
lock_release+0x263/0x320 kernel/locking/lockdep.c:5879
rcu_lock_release include/linux/rcupdate.h:322 [inline]
rcu_read_unlock_sched include/linux/rcupdate.h:972 [inline]
pfn_valid include/linux/mmzone.h:2207 [inline]
page_table_check_clear+0x17a/0x9e0 mm/page_table_check.c:70
__page_table_check_pte_clear+0xf1/0x100 mm/page_table_check.c:155
page_table_check_pte_clear include/linux/page_table_check.h:55 [inline]
ptep_get_and_clear_full arch/x86/include/asm/pgtable.h:1271 [inline]
get_and_clear_full_ptes include/linux/pgtable.h:846 [inline]
zap_present_folio_ptes mm/memory.c:1643 [inline]
zap_present_ptes mm/memory.c:1725 [inline]
do_zap_pte_range mm/memory.c:1827 [inline]
zap_pte_range mm/memory.c:1929 [inline]
zap_pmd_range mm/memory.c:2021 [inline]
zap_pud_range mm/memory.c:2049 [inline]
zap_p4d_range mm/memory.c:2070 [inline]
unmap_page_range+0x2283/0x3d80 mm/memory.c:2091
unmap_single_vma+0x153/0x240 mm/memory.c:2133
unmap_vmas+0x295/0x590 mm/memory.c:2171
exit_mmap+0x1ef/0xa30 mm/mmap.c:1302
__mmput kernel/fork.c:1175 [inline]
mmput+0xe0/0x430 kernel/fork.c:1198
exit_mm kernel/exit.c:581 [inline]
do_exit+0x819/0x2b60 kernel/exit.c:964
do_group_exit+0xd5/0x2a0 kernel/exit.c:1118
__do_sys_exit_group kernel/exit.c:1129 [inline]
__se_sys_exit_group kernel/exit.c:1127 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1127
x64_sys_call+0x102c/0x1530 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x106/0x7b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff7533816c5
Code: Unable to access opcode bytes at 0x7ff75338169b.
RSP: 002b:00007ffdfa78b148 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007ff753482fe8 RCX: 00007ff7533816c5
RDX: 00000000000000e7 RSI: ffffffffffffff88 RDI: 0000000000000000
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ff753481680 R15: 00007ff753483000
</TASK>
BUG: scheduling while atomic: sed/7731/0x00000104
4 locks held by sed/7731:
#0: ffff888122c2bf40 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:592 [inline]
#0: ffff888122c2bf40 (&mm->mmap_lock){++++}-{4:4}, at: exit_mmap+0x124/0xa30 mm/mmap.c:1286
#1: ffffffff896de6e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#1: ffffffff896de6e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
#1: ffffffff896de6e0 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x2f/0x300 mm/pgtable-generic.c:288
#2: ffff888115a71078 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:341 [inline]
#2: ffff888115a71078 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: pte_offset_map_lock+0x10f/0x320 mm/pgtable-generic.c:402
#3: ffffffff896de620 (rcu_read_lock_sched){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#3: ffffffff896de620 (rcu_read_lock_sched){....}-{1:2}, at: rcu_read_lock_sched include/linux/rcupdate.h:948 [inline]
#3: ffffffff896de620 (rcu_read_lock_sched){....}-{1:2}, at: pfn_valid include/linux/mmzone.h:2197 [inline]
#3: ffffffff896de620 (rcu_read_lock_sched){....}-{1:2}, at: page_table_check_clear+0x4b/0x9e0 mm/page_table_check.c:70
Modules linked in:
irq event stamp: 11419
hardirqs last enabled at (11418): [<ffffffff876bc0e2>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:178 [inline]
hardirqs last enabled at (11418): [<ffffffff876bc0e2>] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194
hardirqs last disabled at (11419): [<ffffffff876bbdf2>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:130 [inline]
hardirqs last disabled at (11419): [<ffffffff876bbdf2>] _raw_spin_lock_irqsave+0x52/0x60 kernel/locking/spinlock.c:162
softirqs last enabled at (11412): [<ffffffff8177040d>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (11412): [<ffffffff8177040d>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (11412): [<ffffffff8177040d>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
softirqs last disabled at (11415): [<ffffffff8177040d>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (11415): [<ffffffff8177040d>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (11415): [<ffffffff8177040d>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
Preemption disabled at:
[<0000000000000000>] 0x0
----------------
Code disassembly (best guess):
# Decode (AT&T syntax) of the "Code:" byte window around the interrupted RIP,
# which the register dump in this report gives as rcu_is_watching+0x5c.
#
# Triage note: nothing faulted here. This is the instruction the task was
# about to execute when the APIC timer interrupt arrived (the RIP line sits
# directly under asm_sysvec_apic_timer_interrupt). The warnings themselves
# are raised on the <IRQ> stack by __might_resched, reached through
# usb_kill_urb <- usb_tx_block <- if_usb_send_fw_pkt <- if_usb_receive_fwload
# from a URB giveback callback. Read that call chain for the root cause; this
# listing only identifies the interrupted code.
#
# The window starts mid-instruction, so offsets 0x0-0x6 are a mis-decode:
# bytes 00 fc ff df match the tail of the 0xdffffc0000000000 immediate that
# is loaded again at 0x19, and 48 89 fa would decode as mov %rdi,%rdx.
0: 00 fc add %bh,%ah
2: ff lcall (bad)
3: df 48 89 fisttps -0x77(%rax)
6: fa cli
# rdx = address >> 3, then a byte compare at rdx + rax. With rax holding
# 0xdffffc0000000000 this looks like a KASAN shadow-byte check -- inferred
# from the pattern; the report does not state the kernel config.
7: 48 c1 ea 03 shr $0x3,%rdx
b: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
f: 75 5c jne 0x6d
# rbx += 8-byte table entry indexed by rbp. The displacement -0x76e58420
# sign-extends to 0xffffffff891a7be0, the value shown in RDI, and RBP is 0.
# Presumably a per-CPU offset lookup for CPU 0 -- TODO confirm against
# kernel/rcu/tree.c:752.
11: 48 03 1c ed e0 7b 1a add -0x76e58420(,%rbp,8),%rbx
18: 89
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
# rdx = rbx >> 3. The register dump agrees: RBX ffff8881f5633928 shifted
# right by 3 is RDX 1ffff1103eac6725, so the shr had already executed when
# the interrupt was taken.
23: 48 89 da mov %rbx,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
# The marker below is the decoder's label for the byte at RIP (the <0f> in
# the Code: line). Here it marks the interrupted instruction, not a fault.
* 2a: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx <-- trapping instruction
# (rbx & 7) + 3 compared against the loaded byte, then a zero test on it.
# This has the shape of a partial-granule check for a 4-byte read, which
# would fit the inlined arch_atomic_read named on the RIP lines -- hedged,
# since the branch targets (0x3f, 0x63) lie at or beyond the window's edge.
2e: 48 89 d8 mov %rbx,%rax
31: 83 e0 07 and $0x7,%eax
34: 83 c0 03 add $0x3,%eax
37: 38 d0 cmp %dl,%al
39: 7c 04 jl 0x3f
3b: 84 d2 test %dl,%dl
3d: 75 24 jne 0x63
# The window ends mid-instruction; 0x8b is the first byte of an opcode whose
# operands were not captured.
3f: 8b .byte 0x8b