syzbot


INFO: rcu detected stall in qrtr_tun_write_iter

Status: auto-obsoleted due to no activity on 2026/06/18 20:27
Subsystems: arm-msm net
Labels: prio:high
First crash: 92d, last: 92d
✨ AI Jobs (2)
Job 1
  ID: 935cc7f0-eb73-4d2f-860d-a1b076cfc191
  Workflow: assessment-security
  Result: DenialOfService: ❌  Exploitable: ❌  FilesystemTrigger: ❌  NetworkTrigger: ❌  PeripheralTrigger: ❌  RemoteTrigger: ❌  Unprivileged: ✅  UserNamespace: ✅  VMGuestTrigger: ✅  VMHostTrigger: ❌
  Bug: INFO: rcu detected stall in qrtr_tun_write_iter
  Created: 2026/05/30 11:50
  Started: 2026/05/30 11:50
  Finished: 2026/05/30 12:40
  Revision: 6b4a844333e83556da95d61d7f207e7ef5cd4bc6

Job 2
  ID: fc5d8594-0a6d-41a3-95fc-df182610f08e
  Workflow: assessment-security
  Result: 💥 (job failed; see Error)
  Bug: INFO: rcu detected stall in qrtr_tun_write_iter
  Created: 2026/05/14 10:05
  Started: 2026/05/14 10:05
  Finished: 2026/05/14 10:06
  Revision: 6ccb967e465e832a7bfd7a116ad00d52a0923a5d
  Error (truncated to first 200 bytes):
    failed to run ["git" "pull" "origin" "HEAD" "--depth=1" "--allow-unrelated-histories"]: exit status 128
    From /app/workdir/repo/linux
     * branch                HEAD       -> FETCH_HEAD
    Updating files:  ...

Sample crash report:
rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 	Tasks blocked on level-0 rcu_node (CPUs 0-1): P19996/1:b..l P20065/1:b..l P20327/2:b..l
rcu: 	(detected by 0, t=10502 jiffies, g=132233, q=4539 ncpus=1)
task:syz.5.3163      state:R  running task     stack:26256 pid:20327 tgid:20318 ppid:18850  task_flags:0x400140 flags:0x00080002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5298 [inline]
 __schedule+0xfee/0x6120 kernel/sched/core.c:6911
 preempt_schedule_irq+0x50/0x90 kernel/sched/core.c:7238
 irqentry_exit+0x17b/0x670 kernel/entry/common.c:239
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:constant_test_bit arch/x86/include/asm/bitops.h:202 [inline]
RIP: 0010:arch_test_bit arch/x86/include/asm/bitops.h:232 [inline]
RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline]
RIP: 0010:folio_test_readahead include/linux/page-flags.h:604 [inline]
RIP: 0010:next_uptodate_folio+0x7ec/0xd00 mm/filemap.c:3721
Code: e8 f9 40 ff ff be 08 00 00 00 49 89 c6 48 89 c7 e8 f9 26 32 00 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 <0f> 85 5f 04 00 00 4d 8b 36 31 ff 49 c1 ee 10 41 83 e6 01 44 89 f6
RSP: 0018:ffffc900039175b0 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffffea0001d7c540 RCX: ffffffff82418eb7
RDX: 1ffffd40003af8a8 RSI: 0000000000000008 RDI: ffffea0001d7c540
RBP: ffffc90003917720 R08: 0000000000000000 R09: fffff940003af8a8
R10: ffffea0001d7c547 R11: 0000000000000000 R12: ffffea0001d7c548
R13: dffffc0000000000 R14: ffffea0001d7c540 R15: 000000000000012f
 filemap_map_pages+0x1b4/0x2020 mm/filemap.c:3887
 do_fault_around mm/memory.c:5757 [inline]
 do_read_fault mm/memory.c:5790 [inline]
 do_fault+0x9a7/0x1990 mm/memory.c:5933
 do_pte_missing mm/memory.c:4477 [inline]
 handle_pte_fault mm/memory.c:6317 [inline]
 __handle_mm_fault+0x180f/0x2b60 mm/memory.c:6455
 handle_mm_fault+0x36d/0xa20 mm/memory.c:6624
 do_user_addr_fault+0x74c/0x12f0 arch/x86/mm/fault.c:1385
 handle_page_fault arch/x86/mm/fault.c:1474 [inline]
 exc_page_fault+0x6f/0xd0 arch/x86/mm/fault.c:1527
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0010:rep_movs_alternative+0x4a/0x90 arch/x86/lib/copy_user_64.S:74
Code: 93 04 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8b 06 48 89 07 48 83 c6 08 48 83 c7 08 83 e9 08 74 db 83 f9 08 73 e8 eb c5 <f3> a4 e9 cf 93 04 00 48 8b 06 48 89 07 48 8d 47 08 48 83 e0 f8 48
RSP: 0018:ffffc90003917ba8 EFLAGS: 00050206
RAX: 0000000000000001 RBX: ffff8880a9c00000 RCX: 00000000002da000
RDX: 0000000000000001 RSI: 0000000000126000 RDI: ffff8880a9d26000
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10153fffff
R10: ffff8880a9ffffff R11: 0000000000000000 R12: ffffc90003917d78
R13: 0000000000000000 R14: 0000000000400000 R15: 0000000000000000
 copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]
 raw_copy_from_user arch/x86/include/asm/uaccess_64.h:141 [inline]
 copy_from_user_iter lib/iov_iter.c:67 [inline]
 iterate_ubuf include/linux/iov_iter.h:30 [inline]
 iterate_and_advance2 include/linux/iov_iter.h:302 [inline]
 iterate_and_advance include/linux/iov_iter.h:330 [inline]
 __copy_from_iter lib/iov_iter.c:261 [inline]
 _copy_from_iter+0x355/0x1690 lib/iov_iter.c:272
 copy_from_iter include/linux/uio.h:228 [inline]
 copy_from_iter_full include/linux/uio.h:245 [inline]
 qrtr_tun_write_iter+0xe7/0x1b0 net/qrtr/tun.c:103
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_pwrite64 fs/read_write.c:795 [inline]
 __do_sys_pwrite64 fs/read_write.c:803 [inline]
 __se_sys_pwrite64 fs/read_write.c:800 [inline]
 __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:800
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f71a079c799
RSP: 002b:00007f719e9b4028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007f71a0a16180 RCX: 00007f71a079c799
RDX: 0000000000400000 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 00007f71a0832c99 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000000c R11: 0000000000000246 R12: 0000000000000000
R13: 00007f71a0a16218 R14: 00007f71a0a16180 R15: 00007ffd1fa1e2a8
 </TASK>
task:syz.2.3125      state:R  running task     stack:24840 pid:20065 tgid:20065 ppid:16325  task_flags:0x40064c flags:0x00080000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5298 [inline]
 __schedule+0xfee/0x6120 kernel/sched/core.c:6911
 preempt_schedule_notrace+0x5f/0xd0 kernel/sched/core.c:7188
 preempt_schedule_notrace_thunk+0x16/0x30 arch/x86/entry/thunk.S:13
 rcu_is_watching+0x8e/0xc0 kernel/rcu/tree.c:753
 trace_lock_release include/trace/events/lock.h:69 [inline]
 lock_release+0x263/0x320 kernel/locking/lockdep.c:5879
 rcu_lock_release include/linux/rcupdate.h:322 [inline]
 rcu_read_unlock include/linux/rcupdate.h:881 [inline]
 class_rcu_destructor include/linux/rcupdate.h:1193 [inline]
 unwind_next_frame+0x3c3/0x1ea0 arch/x86/kernel/unwind_orc.c:495
 arch_stack_walk+0x94/0xf0 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122
 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
 kasan_record_aux_stack+0xa7/0xc0 mm/kasan/generic.c:556
 slab_free_hook mm/slub.c:2646 [inline]
 slab_free mm/slub.c:6165 [inline]
 kmem_cache_free+0x434/0x6a0 mm/slub.c:6295
 tear_down_vmas+0x2a5/0x600 mm/mmap.c:1264
 exit_mmap+0x469/0xa30 mm/mmap.c:1322
 __mmput+0x12a/0x410 kernel/fork.c:1175
 mmput+0x67/0x80 kernel/fork.c:1198
 exit_mm kernel/exit.c:581 [inline]
 do_exit+0x819/0x2b60 kernel/exit.c:964
 do_group_exit+0xd5/0x2a0 kernel/exit.c:1118
 get_signal+0x1ec7/0x21e0 kernel/signal.c:3034
 arch_do_signal_or_restart+0x91/0x770 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:98 [inline]
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:270 [inline]
 irqentry_exit_to_user_mode include/linux/irq-entry-common.h:339 [inline]
 irqentry_exit+0x1f8/0x670 kernel/entry/common.c:219
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x4021000
RSP: 002b:0000000000000011 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00007f9c63416180 RCX: 00007f9c6319c799
RDX: 9999999999999999 RSI: 0000000000000009 RDI: 0000000100000008
RBP: 00007f9c63232c99 R08: 0000000004000006 R09: 0000000000000000
R10: ffffffff81000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9c63416218 R14: 00007f9c63416180 R15: 00007ffcda5182d8
 </TASK>
task:udevd           state:R  running task     stack:25384 pid:19996 tgid:19996 ppid:5194   task_flags:0x40014c flags:0x00080000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5298 [inline]
 __schedule+0xfee/0x6120 kernel/sched/core.c:6911
 preempt_schedule_irq+0x50/0x90 kernel/sched/core.c:7238
 irqentry_exit+0x17b/0x670 kernel/entry/common.c:239
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:lock_acquire+0x5e/0x380 kernel/locking/lockdep.c:5872
Code: 05 3b 0f 29 12 83 f8 07 0f 87 f0 00 00 00 48 0f a3 05 06 6b f5 0e 0f 82 c2 02 00 00 8b 35 ce 9e f5 0e 85 f6 0f 85 dd 00 00 00 <48> 8b 44 24 30 65 48 2b 05 dd 0e 29 12 0f 85 02 03 00 00 48 83 c4
RSP: 0018:ffffc90004f1f340 EFLAGS: 00000206
RAX: 0000000000000046 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff8de5a083 RDI: ffffffff8c1b0aa0
RBP: ffffffff8e7e7660 R08: 00000000a1bbbf67 R09: 0000000000000007
R10: 0000000000000200 R11: 0000000000000000 R12: 0000000000000002
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 rcu_read_lock include/linux/rcupdate.h:850 [inline]
 class_rcu_constructor include/linux/rcupdate.h:1193 [inline]
 unwind_next_frame+0xd1/0x1ea0 arch/x86/kernel/unwind_orc.c:495
 arch_stack_walk+0x94/0xf0 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122
 save_stack+0x162/0x1e0 mm/page_owner.c:165
 __reset_page_owner+0x84/0x190 mm/page_owner.c:320
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 free_unref_folios+0xaea/0x1790 mm/page_alloc.c:3040
 folios_put_refs+0x53c/0x840 mm/swap.c:1002
 free_pages_and_swap_cache+0x242/0x480 mm/swap_state.c:423
 __tlb_batch_free_encoded_pages+0xe9/0x280 mm/mmu_gather.c:138
 tlb_batch_pages_flush mm/mmu_gather.c:151 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:398 [inline]
 tlb_flush_mmu mm/mmu_gather.c:405 [inline]
 tlb_finish_mmu+0x1b0/0x810 mm/mmu_gather.c:530
 exit_mmap+0x454/0xa30 mm/mmap.c:1315
 __mmput+0x12a/0x410 kernel/fork.c:1175
 mmput+0x67/0x80 kernel/fork.c:1198
 exit_mm kernel/exit.c:581 [inline]
 do_exit+0x819/0x2b60 kernel/exit.c:964
 do_group_exit+0xd5/0x2a0 kernel/exit.c:1118
 __do_sys_exit_group kernel/exit.c:1129 [inline]
 __se_sys_exit_group kernel/exit.c:1127 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1127
 x64_sys_call+0x102c/0x1530 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f895c4f16c5
RSP: 002b:00007ffd5799b3a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000558e8e9cdd60 RCX: 00007f895c4f16c5
RDX: 00000000000000e7 RSI: fffffffffffffe68 RDI: 0000000000000000
RBP: 0000558e8e9bc910 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd5799b3f0 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Crashes (1):
  Time: 2026/03/20 20:24
  Kernel: upstream
  Commit: 0e4f8f1a3d08
  Syzkaller: 85bf2a64
  Config: .config
  Log: console log
  Report: report
  Syz repro: none
  C repro: none
  VM info: info
  Assets: disk image, vmlinux, kernel image
  Manager: ci-qemu-gce-upstream-auto
  Title: INFO: rcu detected stall in qrtr_tun_write_iter