Re: [syzbot] [kernel?] WARNING in request_threaded_irq

[Ian Abbott]

On 24/02/2026 18:24, Thomas Gleixner wrote:
> On Fri, Feb 20 2026 at 05:13, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    18be4ca5cb4e riscv: lib: optimize strlen loop efficiency
> > git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git for-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1166f6e6580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=781a4eb07921464d
> > dashboard link: https://syzkaller.appspot.com/bug?extid=1f1c9d0fa117b165b233
> > compiler:       riscv64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> > userspace arch: riscv64
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > Downloadable assets:
> > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/a741b348759c/non_bootable_disk-18be4ca5.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/c6b87a8d77c4/vmlinux-18be4ca5.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/d5126373321c/Image-18be4ca5.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+1f1c9d0fa117b165b233@xxxxxxxxxxxxxxxxxxxxxxxxx
> >
> > ------------[ cut here ]------------
> > WARNING: [irq_settings_is_per_cpu_devid(desc)] kernel/irq/manage.c:2125 at request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125, CPU#1: syz.0.10/3870
> > Modules linked in:
> > CPU: 1 UID: 0 PID: 3870 Comm: syz.0.10 Not tainted syzkaller #0 PREEMPT
> > Hardware name: riscv-virtio,qemu (DT)
> > epc : request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125
> >   ra : request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125
> > epc : ffffffff8032d750 ra : ffffffff8032d750 sp : ffff8f800ac67810
> >   gp : ffffffff89f9df20 tp : ffffaf801c74cf80 t0 : ffffffff86391c0a
> >   t1 : ffffffff9136c6e0 t2 : ffffffff8016a132 s0 : ffff8f800ac67870
> >   s1 : 0000000000000000 a0 : 0000000000000005 a1 : 0000000000000000
> >   a2 : 0000000000080000 a3 : ffffffff8032d750 a4 : ffff8f8004d6e1e8
> >   a5 : 00000000002041e8 a6 : 0000000000000003 a7 : ffffffff86660460
> >   s2 : 0000000000200000 s3 : ffffaf8011e8d000 s4 : 0000000000000005
> >   s5 : ffffffff84b56ef4 s6 : ffffaf801cd37000 s7 : 0000000000000000
> >   s8 : ffffffff87597e60 s9 : 0000000000020000 s10: ffffaf801cd37000
> >   s11: 0000000000000001 t3 : 0000000000000001 t4 : 0000000000001fff
> >   t5 : 00000000000000c8 t6 : 0000000000000002 ssp : 0000000000000000
> > status: 0000000200000120 badaddr: ffffffff8032d750 cause: 0000000000000003
> > [<ffffffff8032d750>] request_threaded_irq+0x320/0x38c kernel/irq/manage.c:2125
> > [<ffffffff84b58918>] request_irq include/linux/interrupt.h:176 [inline]
> > [<ffffffff84b58918>] parport_attach drivers/comedi/drivers/comedi_parport.c:235 [inline]
> > [<ffffffff84b58918>] parport_attach+0x780/0xb14 drivers/comedi/drivers/comedi_parport.c:224
> > [<ffffffff84b492bc>] comedi_device_attach+0x350/0x7ec drivers/comedi/drivers.c:1069
> > [<ffffffff84b35136>] do_devconfig_ioctl+0x1a2/0x654 drivers/comedi/comedi_fops.c:928
>
> So do_devconfig_ioctl() copies the device configuration from user space
> and hands it to the comedi parport driver, which takes the random
> provided interrupt number unvalidated and requests the interrupt which
> trips the warning in the core code as the interrupt is marked as per CPU.

That is by design.  It does require CAP_SYSADMIN privileges, though. 
There is similar functionality in the TTY serial drivers, for example 
(TIOCSSERIAL ioctl), although that does have a security lock-down reason 
associated with it, at least in the "serial_core" module.

> > [<ffffffff84b3dfd8>] comedi_unlocked_ioctl+0x338/0x2c10 drivers/comedi/comedi_fops.c:2240
> > [<ffffffff80ca9130>] vfs_ioctl fs/ioctl.c:51 [inline]
> > [<ffffffff80ca9130>] __do_sys_ioctl fs/ioctl.c:597 [inline]
> > [<ffffffff80ca9130>] __se_sys_ioctl fs/ioctl.c:583 [inline]
> > [<ffffffff80ca9130>] __riscv_sys_ioctl+0x17c/0x1e4 fs/ioctl.c:583
> > [<ffffffff80078192>] syscall_handler+0x92/0x114 arch/riscv/include/asm/syscall.h:112
> > [<ffffffff86391c0a>] do_trap_ecall_u+0x3d2/0x58c arch/riscv/kernel/traps.c:344
> > [<ffffffff863bb61e>] handle_exception+0x15e/0x16a arch/riscv/kernel/entry.S:232
> >
> >
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.
> >
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> >
> > If the report is already addressed, let syzbot know by replying with:
> > #syz fix: exact-commit-title
> >
> > If you want to overwrite report's subsystems, reply with:
> > #syz set subsystems: new-subsystem
> > (See the list of subsystem names on the web dashboard)
> >
> > If the report is a duplicate of another one, reply with:
> > #syz dup: exact-subject-of-another-report
> >
> > If you want to undo deduplication, reply with:
> > #syz undup


--
-=( Ian Abbott <abbotti@xxxxxxxxx> || MEV Ltd. is a company  )=-
-=( registered in England & Wales.  Regd. number: 02862268.  )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-