syzbot

 sign-in | mailing list | source | docs | 🏰
🐞 Open [1335]
Subsystems
🐞 Fixed [7141]
🐞 Invalid [18887]
Missing Backports [220]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
✨ AI
💬 Send us feedback

INFO: rcu detected stall in brk (2)

Status: upstream: reported syz repro on 2024/10/31 16:03
Subsystems: mm
Labels: prio:high
[Documentation on labels]
Reported-by: syzbot+7402e6c8042635c93ead@syzkaller.appspotmail.com
First crash: 587d, last: 53d
✨ AI Jobs (2)
ID Workflow Result Correct Bug Created Started Finished Revision Error
e569ebd1-2291-4d1c-9d33-def750275372 assessment-security DenialOfService: ✅ Exploitable: ❌ FilesystemTrigger: ❌ NetworkTrigger: ✅ PeripheralTrigger: ✅ RemoteTrigger: ✅ Unprivileged: ❌ UserNamespace: ✅ VMGuestTrigger: ❌ VMHostTrigger: ❌ INFO: rcu detected stall in brk (2) 2026/06/02 02:53 2026/06/02 02:53 2026/06/02 03:52 386cc6dacdf7e3ebce9507beed6755d7e999554d
f7ebfd9e-d4a2-4789-98a7-36559daa96ac assessment-security 💥 INFO: rcu detected stall in brk (2) 2026/05/21 06:07 2026/05/21 06:07 2026/05/21 06:30 cf874a1cf36318c06202027159ddac14acf00db7 failed to run ["make" "KERNELVERSION=syzkaller" "KERNELRELEASE=syzkaller" "LOCALVERSION=-syzkaller" "-j" "32" "ARCH=x86_64" "CC=ccache clang" "LD=ld.lld" "O=/app/workdir/cache/build/aaa6a9ace0cb292d0e6cc78523a24beb4e1a65f5" "-s" "bzImage" "compile_commands.json"]: exit status 2 Root cause: ld.lld: error: undefined symbol: wcslen * * Restart config... * * * General architecture-dependent options * Kprobes (KPROBES) [N/y/?] n Optimize very unlikely/likely branches (JUMP_LABEL) [Y/n/?] y Static key selftest (STATIC_KEYS_SELFTEST) [N/y/?] n Static call selftest (STATIC_CALL_SELFTEST) [N/y/?] n Enable seccomp to safely execute untrusted bytecode (SECCOMP) [Y/n/?] y Show seccomp filter cache status in /proc/pid/seccomp_cache (SECCOMP_CACHE_DEBUG) [N/y/?] n Stack Protector buffer overflow detection (STACKPROTECTOR) [Y/n/?] y Strong Stack Protector (STACKPROTECTOR_STRONG) [Y/n/?] y Link Time Optimization (LTO) > 1. None (LTO_NONE) choice[1]: 1 Enable Clang's AutoFDO build (EXPERIMENTAL) (AUTOFDO_CLANG) [N/y/?] (NEW) Error in reading or end of file. Enable Clang's Propeller build (PROPELLER_CLANG) [N/y/?] (NEW) Error in reading or end of file. Use Clang's Control Flow Integrity (CFI) (CFI_CLANG) [N/y/?] (NEW) Error in reading or end of file. Number of bits to use for ASLR of mmap base address (ARCH_MMAP_RND_BITS) [28] 28 Number of bits to use for ASLR of mmap base address for compatible applications (ARCH_MMAP_RND_COMPAT_BITS) [8] 8 MMU page size > 1. 4KiB pages (PAGE_SIZE_4KB) choice[1]: 1 Provide system calls for 32-bit time_t (COMPAT_32BIT_TIME) [Y/n/?] y Use a virtually-mapped stack (VMAP_STACK) [Y/n/?] y Support for randomizing kernel stack offset on syscall entry (RANDOMIZE_KSTACK_OFFSET) [Y/n/?] y Default state of kernel stack offset randomization (RANDOMIZE_KSTACK_OFFSET_DEFAULT) [N/y/?] n Locking event counts collection (LOCK_EVENT_COUNTS) [N/y/?] n * * Kernel hardening options * Randomize layout of sensitive kernel structures > 1. Disable structure layout randomization (RANDSTRUCT_NONE) 2. Fully randomize structure layout (RANDSTRUCT_FULL) (NEW) choice[1-2?]: Error in reading or end of file. * * Compile-time checks and compiler options * Debug information 1. Disable debug information (DEBUG_INFO_NONE) 2. Rely on the toolchain's implicit default DWARF version (DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT) > 3. Generate DWARF Version 4 debuginfo (DEBUG_INFO_DWARF4) 4. Generate DWARF Version 5 debuginfo (DEBUG_INFO_DWARF5) choice[1-4?]: 3 Reduce debugging information (DEBUG_INFO_REDUCED) [N/y/?] n Compressed Debug information > 1. Don't compress debug information (DEBUG_INFO_COMPRESSED_NONE) 2. Compress debugging information with zlib (DEBUG_INFO_COMPRESSED_ZLIB) 3. Compress debugging information with zstd (DEBUG_INFO_COMPRESSED_ZSTD) (NEW) choice[1-3?]: Error in reading or end of file. Produce split debuginfo in .dwo files (DEBUG_INFO_SPLIT) [N/y/?] n Generate BTF type information (DEBUG_INFO_BTF) [N/y/?] n Provide GDB scripts for kernel debugging (GDB_SCRIPTS) [N/y/?] n Warn for stack frames larger than (FRAME_WARN) [2048] 2048 Strip assembler-generated symbols during link (STRIP_ASM_SYMS) [N/y/?] n Install uapi headers to usr/include (HEADERS_INSTALL) [N/y/?] n Make section mismatch errors non-fatal (SECTION_MISMATCH_WARN_ONLY) [Y/n/?] y Force all function address 64B aligned (DEBUG_FORCE_FUNCTION_ALIGN_64B) [N/y/?] n Generate vmlinux.map file when linking (VMLINUX_MAP) [N/y/?] n Force weak per-cpu definitions (DEBUG_FORCE_WEAK_PER_CPU) [N/y/?] n In file included from /app/workdir/cache/src/ee2778967f6621c3aaac67d29ab61a119d614100/io_uring/io_uring.c:96: In file included from /app/workdir/cache/src/ee2778967f6621c3aaac67d29ab61a119d614100/io_uring/napi.h:8: In file included from /app/workdir/cache/src/ee2778967f6621c3aaac67d29ab61a119d614100/include/net/busy_poll.h:18: /app/workdir/cache/src/ee2778967f6621c3aaac67d29ab61a119d614100/include/net/ip.h:481:14: warning: default initialization of an object of type 'typeof (rt->dst.expires)' (aka 'const unsigned long') leaves the object uninitialized [-Wdefa
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [mm?] [input?] [usb?] INFO: rcu detected stall in brk (2) 8 (10) 2024/11/01 12:14
Similar bugs (2)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream INFO: rcu detected stall in brk mm 1 1 777d 777d 0/29 auto-obsoleted due to no activity on 2024/07/20 02:57
linux-6.1 INFO: rcu detected stall in brk 1 2 115d 157d 0/3 auto-obsoleted due to no activity on 2026/05/23 03:49
Last patch testing requests (11)
Created Duration User Patch Repo Result
2026/05/21 05:40 30m retest repro upstream OK log
2026/03/12 05:15 19m retest repro upstream report log
2026/01/01 04:33 21m retest repro upstream report log
2025/10/23 04:10 20m retest repro upstream report log
2025/08/14 03:23 20m retest repro upstream report log
2025/06/05 02:58 20m retest repro upstream report log
2025/04/02 09:13 20m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing OK log
2025/03/27 02:34 20m retest repro upstream report log
2025/01/20 18:54 14m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing report log
2025/01/16 01:52 16m retest repro upstream report log
2024/10/31 16:23 14m lorenzo.stoakes@oracle.com git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git/ mm-hotfixes-unstable OK log

Sample crash report:
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 	Tasks blocked on level-0 rcu_node (CPUs 0-1): P17961/1:b..l
rcu: 	(detected by 0, t=10502 jiffies, g=172885, q=722 ncpus=1)
task:syz-executor    state:R  running task     stack:26872 pid:17961 tgid:17961 ppid:5812   task_flags:0x400000 flags:0x00080000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5382 [inline]
 __schedule+0x10e9/0x6820 kernel/sched/core.c:7183
 preempt_schedule_irq+0x50/0x90 kernel/sched/core.c:7507
 irqentry_exit+0x27e/0x740 kernel/entry/common.c:240
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:lock_acquire+0x5e/0x370 kernel/locking/lockdep.c:5872
Code: 05 7b aa 2a 12 83 f8 07 0f 87 d9 02 00 00 48 0f a3 05 46 ee f5 0e 0f 82 a4 02 00 00 8b 35 ce 21 f6 0e 85 f6 0f 85 bf 00 00 00 <48> 8b 44 24 30 65 48 2b 05 1d aa 2a 12 0f 85 ed 02 00 00 48 83 c4
RSP: 0018:ffffc9000371f6f0 EFLAGS: 00000206
RAX: 0000000000000046 RBX: 0000000000000000 RCX: 0000000000000002
RDX: 0000000000000000 RSI: ffffffff8de619ea RDI: ffffffff8c1b3d60
RBP: ffffffff8e7e66a0 R08: 00000000375d970a R09: 0000000000000007
R10: 0000000000000200 R11: 0000000000000000 R12: 0000000000000002
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 rcu_lock_acquire include/linux/rcupdate.h:309 [inline]
 rcu_read_lock include/linux/rcupdate.h:847 [inline]
 class_rcu_constructor include/linux/rcupdate.h:1190 [inline]
 unwind_next_frame+0xd1/0x2090 arch/x86/kernel/unwind_orc.c:495
 arch_stack_walk+0x94/0xf0 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122
 save_stack+0x162/0x1e0 mm/page_owner.c:165
 __reset_page_owner+0x84/0x190 mm/page_owner.c:320
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x47/0xe0 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4538 [inline]
 slab_alloc_node mm/slub.c:4866 [inline]
 kmem_cache_alloc_noprof+0x241/0x6e0 mm/slub.c:4873
 vm_area_alloc+0x1f/0x160 mm/vma_init.c:32
 do_brk_flags+0x296/0x10c0 mm/vma.c:2906
 __do_sys_brk+0x6da/0xa80 mm/mmap.c:195
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x10b/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f786ffa69e6
RSP: 002b:00007ffd09553570 EFLAGS: 00000246 ORIG_RAX: 000000000000000c
RAX: ffffffffffffffda RBX: 0000000000000e80 RCX: 00007f786ffa69e6
RDX: 0000555558cbb000 RSI: 000000000000000c RDI: 0000555558cbbe80
RBP: 0000000000000002 R08: 00007f78701e5178 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd095535f8
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
rcu: rcu_preempt kthread starved for 473 jiffies! g172885 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0
rcu: 	Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt     state:R  running task     stack:28200 pid:16    tgid:16    ppid:2      task_flags:0x208040 flags:0x00080000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5382 [inline]
 __schedule+0x10e9/0x6820 kernel/sched/core.c:7183
 __schedule_loop kernel/sched/core.c:7262 [inline]
 schedule+0xdd/0x390 kernel/sched/core.c:7277
 schedule_timeout+0x127/0x280 kernel/time/sleep_timeout.c:99
 rcu_gp_fqs_loop+0x1a9/0x900 kernel/rcu/tree.c:2095
 rcu_gp_kthread+0x179/0x230 kernel/rcu/tree.c:2297
 kthread+0x370/0x450 kernel/kthread.c:436
 ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
rcu: Stack dump where RCU GP kthread last ran:
CPU: 0 UID: 0 PID: 3408 Comm: kworker/R-bat_e Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: bat_events batadv_dat_purge
RIP: 0010:__sanitizer_cov_trace_pc+0xb/0x70 kernel/kcov.c:213
Code: 5f 00 be 03 00 00 00 5b e9 62 57 ec 02 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 8b 05 85 bb 06 12 <48> 8b 34 24 65 48 8b 15 61 bb 06 12 a9 00 01 ff 00 74 1b f6 c4 01
RSP: 0018:ffffc90000006958 EFLAGS: 00000293
RAX: 0000000080000101 RBX: 0000000000000001 RCX: ffffffff8a3861bf
RDX: 000000000000000d RSI: 0000000000000005 RDI: ffff888033b10000
RBP: ffff8880386f8cc8 R08: 0000000000000004 R09: 0000000000000005
R10: 000000000000000d R11: 0000000000000000 R12: 000000000000000d
R13: 0000000000000003 R14: 0000000000000005 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff88812432e000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f786fff0820 CR3: 0000000079574000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 rt6_score_route+0x99/0xa60 net/ipv6/route.c:756
 find_match net/ipv6/route.c:785 [inline]
 __find_rr_leaf+0x270/0x1070 net/ipv6/route.c:868
 find_rr_leaf net/ipv6/route.c:889 [inline]
 rt6_select net/ipv6/route.c:933 [inline]
 fib6_table_lookup+0x50f/0xa10 net/ipv6/route.c:2247
 ip6_pol_route+0x1cc/0x1230 net/ipv6/route.c:2283
 pol_lookup_func include/net/ip6_fib.h:636 [inline]
 fib6_rule_lookup+0x52f/0x720 net/ipv6/fib6_rules.c:120
 ip6_route_input_lookup net/ipv6/route.c:2352 [inline]
 ip6_route_input+0x662/0xc50 net/ipv6/route.c:2655
 ip6_rcv_finish_core.isra.0+0x1a9/0x5a0 net/ipv6/ip6_input.c:66
 ip6_rcv_finish+0x130/0x300 net/ipv6/ip6_input.c:77
 ip_sabotage_in+0x21e/0x290 net/bridge/br_netfilter_hooks.c:990
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_slow+0xbf/0x220 net/netfilter/core.c:623
 nf_hook.constprop.0+0x2a6/0x750 include/linux/netfilter.h:273
 NF_HOOK include/linux/netfilter.h:316 [inline]
 ipv6_rcv+0xa4/0x3d0 net/ipv6/ip6_input.c:311
 __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:6181
 __netif_receive_skb+0x1f/0x120 net/core/dev.c:6294
 netif_receive_skb_internal net/core/dev.c:6380 [inline]
 netif_receive_skb+0x13b/0x7f0 net/core/dev.c:6439
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 br_pass_frame_up+0x346/0x490 net/bridge/br_input.c:70
 br_handle_frame_finish+0xa74/0x1f60 net/bridge/br_input.c:235
 br_nf_hook_thresh+0x30d/0x420 net/bridge/br_netfilter_hooks.c:1167
 br_nf_pre_routing_finish_ipv6+0x769/0xfb0 net/bridge/br_netfilter_ipv6.c:154
 NF_HOOK include/linux/netfilter.h:318 [inline]
 br_nf_pre_routing_ipv6+0x39c/0x8b0 net/bridge/br_netfilter_ipv6.c:184
 br_nf_pre_routing+0x90d/0x1550 net/bridge/br_netfilter_hooks.c:508
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:291 [inline]
 br_handle_frame+0xcdd/0x1520 net/bridge/br_input.c:442
 __netif_receive_skb_core.constprop.0+0x6c5/0x3530 net/core/dev.c:6068
 __netif_receive_skb_one_core+0xb0/0x1e0 net/core/dev.c:6179
 __netif_receive_skb+0x1f/0x120 net/core/dev.c:6294
 process_backlog+0x37a/0x1580 net/core/dev.c:6645
 __napi_poll.constprop.0+0xaf/0x450 net/core/dev.c:7709
 napi_poll net/core/dev.c:7772 [inline]
 net_rx_action+0xa40/0xf20 net/core/dev.c:7929
 handle_softirqs+0x1ea/0xa00 kernel/softirq.c:622
 do_softirq kernel/softirq.c:523 [inline]
 do_softirq+0xac/0xe0 kernel/softirq.c:510
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0xf8/0x120 kernel/softirq.c:450
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 __batadv_dat_purge.part.0+0x294/0x3c0 net/batman-adv/distributed-arp-table.c:185
 __batadv_dat_purge net/batman-adv/distributed-arp-table.c:166 [inline]
 batadv_dat_purge+0x4b/0xa0 net/batman-adv/distributed-arp-table.c:204
 process_one_work+0xa0e/0x1980 kernel/workqueue.c:3288
 process_scheduled_works kernel/workqueue.c:3371 [inline]
 rescuer_thread+0x905/0x14a0 kernel/workqueue.c:3595
 kthread+0x370/0x450 kernel/kthread.c:436
 ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
net_ratelimit: 13854 callbacks suppressed
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:72:63:ed:74:5a:27, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:72:63:ed:74:5a:27, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:72:63:ed:74:5a:27, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:72:63:ed:74:5a:27, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
net_ratelimit: 11217 callbacks suppressed
bridge0: received packet on veth0_to_bridge with own address as source address (addr:72:63:ed:74:5a:27, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:72:63:ed:74:5a:27, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:72:63:ed:74:5a:27, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:72:63:ed:74:5a:27, vlan:0)

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/04/15 04:53 upstream 883af1f8e878 e2e976a8 .config console log report info [disk image] [vmlinux] [kernel image] ci-qemu-gce-upstream-auto INFO: rcu detected stall in brk
2025/01/02 01:50 upstream 56e6a3499e14 d3ccff63 .config console log report syz / log [disk image] [vmlinux] [kernel image] ci-qemu-gce-upstream-auto INFO: rcu detected stall in brk
2024/10/27 16:00 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing c6d9e43954bf 65e8686b .config console log report syz / log [disk image] [vmlinux] [kernel image] ci2-upstream-usb INFO: rcu detected stall in brk
* Struck through repros no longer work on HEAD.