Re: [syzbot] [kernel?] WARNING in __static_key_slow_dec_cpuslocked (3)

From: Josh Poimboeuf

Date: Fri Mar 06 2026 - 15:05:25 EST


On Wed, Mar 04, 2026 at 12:35:42PM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 4d310797262f Merge tag 'pm-6.19-rc8' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16b5045a580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=df890e720d1bb80
> dashboard link: https://syzkaller.appspot.com/bug?extid=feb9ce36a95341bb47a4
> compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/bd4c893282fd/disk-4d310797.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/0e6e33a27e48/vmlinux-4d310797.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/457b27877eef/bzImage-4d310797.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+feb9ce36a95341bb47a4@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> ------------[ cut here ]------------
> val == 0
> WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288
> Modules linked in:
> CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G U L syzkaller #0 PREEMPT(full)
> Tainted: [U]=USER, [L]=SOFTLOCKUP
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
> RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311
> Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00
> RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4
> RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000
> RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a
> R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98
> FS: 00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000200000001140 CR3: 000000007cc4a000 CR4: 00000000003526f0
> Call Trace:
> <TASK>
> __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline]
> __static_key_slow_dec kernel/jump_label.c:321 [inline]
> static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336
> aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343
> short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383
> vfs_write+0x2aa/0x1070 fs/read_write.c:684
> ksys_pwrite64 fs/read_write.c:793 [inline]
> __do_sys_pwrite64 fs/read_write.c:801 [inline]
> __se_sys_pwrite64 fs/read_write.c:798 [inline]
> __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f530cf9aeb9
> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
> RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9
> RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010
> RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000
> R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978
> </TASK>

This was a static key increment/decrement race condition; I have just
now posted a fix here:

https://lore.kernel.org/890b1c1e0eec8f97426c1443745853250dc80737.1772827269.git.jpoimboe@xxxxxxxxxx


--
Josh
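The warning above fires in `__static_key_slow_dec_cpuslocked` when a static key is decremented while its enable count is already zero (the `val == 0` check at kernel/jump_label.c:311), which is the signature of an unbalanced inc/dec such as the race described in the reply. The following userspace model, added here as an illustration and not taken from the kernel, mac80211, or the posted fix, shows how two writers that each read a feature flag, then flip it and call the matching inc/dec, can decrement a key twice for a single increment when their check-and-toggle steps interleave, and how the imbalance disappears once each writer's check-and-toggle runs as one unit. The `struct feature`, `writer_*` helpers and the interleaving order are all assumptions made for the model, not the code path in `aql_enable_write`.

```c
/* Userspace model (not kernel code) of a static-key refcount going
 * unbalanced when a write handler's "read flag, flip flag, inc/dec key"
 * sequence is not serialized. The key's enable count stands in for the
 * "val" that kernel/jump_label.c:311 warns about when a decrement finds
 * it already at zero. The data structures and the interleaving below are
 * constructed for this illustration. */
#include <stdio.h>
#include <stdbool.h>

struct model_static_key { int enabled; };   /* stands in for the kernel's key count */
static int warn_count;                      /* how often the val == 0 check fired */

static void model_key_inc(struct model_static_key *k) { k->enabled++; }

/* Decrement; mirrors the WARN in __static_key_slow_dec_cpuslocked:
 * decrementing a key whose count is already 0 is a bug, and the kernel
 * refuses to drive the count negative. */
static void model_key_dec(struct model_static_key *k)
{
    if (k->enabled == 0) { warn_count++; return; }  /* "val == 0" */
    k->enabled--;
}

/* The feature flag a write handler toggles, and the key it controls. */
struct feature { bool on; struct model_static_key key; };

/* Writer step 1: read the current flag (the check). */
static bool writer_read_flag(const struct feature *f) { return f->on; }

/* Writer step 2: apply the requested value based on what was read earlier.
 * Only a real transition touches the key, so correctness depends on the
 * value read in step 1 still being current. */
static void writer_apply(struct feature *f, bool saw_on, bool want_on)
{
    if (saw_on == want_on) return;   /* no transition, nothing to do */
    f->on = want_on;
    if (want_on) model_key_inc(&f->key); else model_key_dec(&f->key);
}

/* Interleaving without serialization: writers A and B both read on=true
 * before either applies, so both see a transition to off and the key is
 * decremented twice for one increment. Returns the number of warnings. */
int unserialized_double_disable(void)
{
    struct feature f = { .on = false, .key = { 0 } };
    warn_count = 0;
    writer_apply(&f, writer_read_flag(&f), true);   /* enable once: count 1 */
    bool a = writer_read_flag(&f);   /* A reads on=true */
    bool b = writer_read_flag(&f);   /* B reads on=true before A applies */
    writer_apply(&f, a, false);      /* A: count 1 -> 0 */
    writer_apply(&f, b, false);      /* B: dec with count 0 -> warning */
    return warn_count;
}

/* Same two disable requests, but each writer's read-and-apply runs as one
 * unit (what serializing the handler gives you): B reads on=false after A
 * has finished and does nothing. Returns the number of warnings. */
int serialized_double_disable(void)
{
    struct feature f = { .on = false, .key = { 0 } };
    warn_count = 0;
    writer_apply(&f, writer_read_flag(&f), true);   /* enable once: count 1 */
    writer_apply(&f, writer_read_flag(&f), false);  /* A: count 1 -> 0 */
    writer_apply(&f, writer_read_flag(&f), false);  /* B: sees off, no-op */
    return warn_count;
}

int main(void)
{
    printf("unserialized: %d warning(s)\n", unserialized_double_disable());
    printf("serialized:   %d warning(s)\n", serialized_double_disable());
    return 0;
}
```

The model only captures the inc/dec imbalance, not the jump-label patching that real static keys do; the point it makes is that the check and the key operation must be one atomic step with respect to other writers, otherwise a stale check produces a second decrement and exactly the `val == 0` warning shown in the report.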