================================================
WARNING: lock held when returning to user space!
syzkaller #0 Not tainted
------------------------------------------------
udevd/2854 is leaving the kernel with locks still held!
1 lock held by udevd/2854:
 #0: ffffffff896ddaa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline]
 #0: ffffffff896ddaa0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
 #0: ffffffff896ddaa0 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x2f/0x300 mm/pgtable-generic.c:290
------------[ cut here ]------------
Voluntary context switch within RCU read-side critical section!
WARNING: kernel/rcu/tree_plugin.h:332 at rcu_note_context_switch+0x859/0x19c0 kernel/rcu/tree_plugin.h:332, CPU#0: udevd/2854
Modules linked in:
CPU: 0 UID: 0 PID: 2854 Comm: udevd Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:rcu_note_context_switch+0x859/0x19c0 kernel/rcu/tree_plugin.h:332
Code: c1 ea 03 80 3c 02 00 0f 85 9b 0b 00 00 48 8b 53 28 b9 01 00 00 00 4c 89 ef e8 a3 cf fe ff e9 1d f9 ff ff 48 8d 3d 57 62 59 09 <67> 48 0f b9 3a e9 99 f8 ff ff 48 b8 00 00 00 00 00 fc ff df 48 8d
RSP: 0000:ffffc9000161fd70 EFLAGS: 00010002
RAX: 0000000000000001 RBX: ffff8881f563a540 RCX: ffffffff81984ca1
RDX: 0000000000000000 RSI: ffffffff87b040e0 RDI: ffffffff8af22320
RBP: ffff88811797bb80 R08: 0000000000000000 R09: fffffbfff15e133a
R10: ffffffff8af099d7 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88811797bffc R14: ffffffff8cf90680 R15: ffffffff8af0a964
FS:  00007f810195c880(0000) GS:ffff8882686a9000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555578887528 CR3: 0000000117ac6000 CR4: 00000000003506f0
Call Trace:
 __schedule+0x25e/0x4840 kernel/sched/core.c:7043
 __schedule_loop kernel/sched/core.c:7267 [inline]
 schedule+0xdd/0x390 kernel/sched/core.c:7282
 __exit_to_user_mode_loop kernel/entry/common.c:54 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:98 [inline]
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:252 [inline]
 irqentry_exit_to_user_mode include/linux/irq-entry-common.h:323 [inline]
 irqentry_exit+0x2f7/0x6c0 kernel/entry/common.c:162
 asm_sysvec_reschedule_ipi+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0033:0x55e20bfc046c
Code: 00 00 00 e8 d6 68 fd ff 48 83 c4 18 c3 b8 ea ff ff ff eb f4 66 2e 0f 1f 84 00 00 00 00 00 53 48 89 fb 8b 7f 0c e8 44 69 fd ff 43 0c ff ff ff ff 89 c2 31 c0 85 d2 78 05 5b c3 0f 1f 00 e8 bb
RSP: 002b:00007fff7fa186f0 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 000055e20dd0f430 RCX: e7fa5d1188143200
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000000c
RBP: 000055e20da4f2c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000b90
R13: 000055e20dd10d70 R14: 000055e20dc97430 R15: 0000000000000000
----------------
Code disassembly (best guess):
   0:   c1 ea 03                shr    $0x3,%edx
   3:   80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)
   7:   0f 85 9b 0b 00 00       jne    0xba8
   d:   48 8b 53 28             mov    0x28(%rbx),%rdx
  11:   b9 01 00 00 00          mov    $0x1,%ecx
  16:   4c 89 ef                mov    %r13,%rdi
  19:   e8 a3 cf fe ff          call   0xfffecfc1
  1e:   e9 1d f9 ff ff          jmp    0xfffff940
  23:   48 8d 3d 57 62 59 09    lea    0x9596257(%rip),%rdi        # 0x9596281
* 2a:   67 48 0f b9 3a          ud1    (%edx),%rdi <-- trapping instruction
  2f:   e9 99 f8 ff ff          jmp    0xfffff8cd
  34:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  3b:   fc ff df
  3e:   48                      rex.W
  3f:   8d                      .byte 0x8d