[v6.1] general protection fault in htb_qlen_notify


syzbot

Jul 10, 2025, 2:56:38 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: dfc486ec9cce Linux 6.1.144
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15dfda8c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=af043eb58258a24b
dashboard link: https://syzkaller.appspot.com/bug?extid=1be8ab4d23babd1c7655
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/33f04d64fdc1/disk-dfc486ec.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ae15f823ab9f/vmlinux-dfc486ec.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c42843bce2bf/bzImage-dfc486ec.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1be8ab...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000037: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000001b8-0x00000000000001bf]
CPU: 1 PID: 5155 Comm: syz.2.267 Not tainted 6.1.144-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:htb_deactivate net/sched/sch_htb.c:610 [inline]
RIP: 0010:htb_qlen_notify+0x2d/0xb0 net/sched/sch_htb.c:1486
Code: 41 56 41 55 41 54 53 49 89 f6 49 89 ff 49 bc 00 00 00 00 00 fc ff df e8 f1 a5 38 f9 49 8d 9e b8 01 00 00 49 89 dd 49 c1 ed 03 <43> 0f b6 44 25 00 84 c0 75 48 8b 2b 31 ff 89 ee e8 2e a9 38 f9 85
RSP: 0018:ffffc90003256e90 EFLAGS: 00010202
RAX: ffffffff8848319f RBX: 00000000000001b8 RCX: 0000000000080000
RDX: ffffc9000f3aa000 RSI: 0000000000000903 RDI: 0000000000000904
RBP: dffffc0000000000 R08: ffff888070fa8000 R09: 0000000000000002
R10: 00000000ffffffff R11: 0000000000000002 R12: dffffc0000000000
R13: 0000000000000037 R14: 0000000000000000 R15: ffff88807d666000
FS: 00007fa09d1e06c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbe7276b000 CR3: 000000007bdf7000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
qdisc_tree_reduce_backlog+0x287/0x470 net/sched/sch_api.c:807
codel_change+0x970/0xdb0 net/sched/sch_codel.c:177
codel_init+0x1d4/0x3a0 net/sched/sch_codel.c:196
qdisc_create+0x7cb/0x1090 net/sched/sch_api.c:1310
tc_modify_qdisc+0xb0f/0x1be0 net/sched/sch_api.c:-1
rtnetlink_rcv_msg+0x79b/0xed0 net/core/rtnetlink.c:6153
netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2493
netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
netlink_unicast+0x74c/0x8c0 net/netlink/af_netlink.c:1337
netlink_sendmsg+0x89e/0xbc0 net/netlink/af_netlink.c:1859
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg net/socket.c:730 [inline]
____sys_sendmsg+0x59b/0x970 net/socket.c:2519
___sys_sendmsg+0x21c/0x290 net/socket.c:2573
__sys_sendmsg net/socket.c:2602 [inline]
__do_sys_sendmsg net/socket.c:2611 [inline]
__se_sys_sendmsg+0x19e/0x270 net/socket.c:2609
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fa09c38e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa09d1e0038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fa09c5b6080 RCX: 00007fa09c38e929
RDX: 000000000000c010 RSI: 0000200000000280 RDI: 0000000000000003
RBP: 00007fa09c410b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fa09c5b6080 R15: 00007fff04449ce8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:htb_deactivate net/sched/sch_htb.c:610 [inline]
RIP: 0010:htb_qlen_notify+0x2d/0xb0 net/sched/sch_htb.c:1486
Code: 41 56 41 55 41 54 53 49 89 f6 49 89 ff 49 bc 00 00 00 00 00 fc ff df e8 f1 a5 38 f9 49 8d 9e b8 01 00 00 49 89 dd 49 c1 ed 03 <43> 0f b6 44 25 00 84 c0 75 48 8b 2b 31 ff 89 ee e8 2e a9 38 f9 85
RSP: 0018:ffffc90003256e90 EFLAGS: 00010202
RAX: ffffffff8848319f RBX: 00000000000001b8 RCX: 0000000000080000
RDX: ffffc9000f3aa000 RSI: 0000000000000903 RDI: 0000000000000904
RBP: dffffc0000000000 R08: ffff888070fa8000 R09: 0000000000000002
R10: 00000000ffffffff R11: 0000000000000002 R12: dffffc0000000000
R13: 0000000000000037 R14: 0000000000000000 R15: ffff88807d666000
FS: 00007fa09d1e06c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbe7276b000 CR3: 000000007bdf7000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 41 56 push %r14
2: 41 55 push %r13
4: 41 54 push %r12
6: 53 push %rbx
7: 49 89 f6 mov %rsi,%r14
a: 49 89 ff mov %rdi,%r15
d: 49 bc 00 00 00 00 00 movabs $0xdffffc0000000000,%r12
14: fc ff df
17: e8 f1 a5 38 f9 call 0xf938a60d
1c: 49 8d 9e b8 01 00 00 lea 0x1b8(%r14),%rbx
23: 49 89 dd mov %rbx,%r13
26: 49 c1 ed 03 shr $0x3,%r13
* 2a: 43 0f b6 44 25 00 movzbl 0x0(%r13,%r12,1),%eax <-- trapping instruction
30: 84 c0 test %al,%al
32: 75 48 jne 0x7c
34: 8b 2b mov (%rbx),%ebp
36: 31 ff xor %edi,%edi
38: 89 ee mov %ebp,%esi
3a: e8 2e a9 38 f9 call 0xf938a96d
3f: 85 .byte 0x85


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Jul 10, 2025, 2:58:33 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 2f693b607545 Linux 5.15.187
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=113fda8c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c91c2d91ea1a4388
dashboard link: https://syzkaller.appspot.com/bug?extid=a1df3cc78604c4228e1d
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7769e50dbae7/disk-2f693b60.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ca8639ca4ec3/vmlinux-2f693b60.xz
kernel image: https://storage.googleapis.com/syzbot-assets/34e626fbb90f/bzImage-2f693b60.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a1df3c...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000036: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000001b0-0x00000000000001b7]
CPU: 0 PID: 6490 Comm: syz.0.719 Not tainted 5.15.187-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:htb_deactivate net/sched/sch_htb.c:609 [inline]
RIP: 0010:htb_qlen_notify+0x2d/0xb0 net/sched/sch_htb.c:1507
Code: 41 56 41 55 41 54 53 49 89 f6 49 89 ff 49 bc 00 00 00 00 00 fc ff df e8 c1 49 7a f9 49 8d 9e b0 01 00 00 49 89 dd 49 c1 ed 03 <43> 0f b6 44 25 00 84 c0 75 4a 8b 2b 31 ff 89 ee e8 fe 4c 7a f9 85
RSP: 0018:ffffc900033fef38 EFLAGS: 00010206
RAX: ffffffff87fd895f RBX: 00000000000001b0 RCX: 0000000000080000
RDX: ffffc90003902000 RSI: 00000000000002cf RDI: 00000000000002d0
RBP: 1ffffffff1604bb0 R08: ffff88802212bb80 R09: 0000000000000002
R10: 00000000ffffffff R11: 0000000000000002 R12: dffffc0000000000
R13: 0000000000000036 R14: 0000000000000000 R15: ffff88801f946000
FS: 00007f01c1a8a6c0(0000) GS:ffff8880b9000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c3134c7 CR3: 0000000069b8b000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
qdisc_tree_reduce_backlog+0x25f/0x430 net/sched/sch_api.c:799
codel_change+0x8d1/0xc00 net/sched/sch_codel.c:183
codel_init+0x190/0x330 net/sched/sch_codel.c:202
qdisc_create+0x7bd/0x1170 net/sched/sch_api.c:1260
tc_modify_qdisc+0xaad/0x16c0 net/sched/sch_api.c:-1
rtnetlink_rcv_msg+0x9b9/0xe60 net/core/rtnetlink.c:5650
netlink_rcv_skb+0x1e0/0x430 net/netlink/af_netlink.c:2489
netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
netlink_unicast+0x77c/0x920 net/netlink/af_netlink.c:1337
netlink_sendmsg+0x8ab/0xbc0 net/netlink/af_netlink.c:1905
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
____sys_sendmsg+0x5a2/0x8c0 net/socket.c:2436
___sys_sendmsg+0x1f0/0x260 net/socket.c:2490
__sys_sendmsg net/socket.c:2519 [inline]
__do_sys_sendmsg net/socket.c:2528 [inline]
__se_sys_sendmsg+0x190/0x250 net/socket.c:2526
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f01c3c22929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f01c1a8a038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f01c3e49fa0 RCX: 00007f01c3c22929
RDX: 000000000000c010 RSI: 0000200000000280 RDI: 0000000000000003
RBP: 00007f01c3ca4b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f01c3e49fa0 R15: 00007fff85fca9b8
</TASK>
Modules linked in:
---[ end trace ceada52d7eca228f ]---
RIP: 0010:htb_deactivate net/sched/sch_htb.c:609 [inline]
RIP: 0010:htb_qlen_notify+0x2d/0xb0 net/sched/sch_htb.c:1507
Code: 41 56 41 55 41 54 53 49 89 f6 49 89 ff 49 bc 00 00 00 00 00 fc ff df e8 c1 49 7a f9 49 8d 9e b0 01 00 00 49 89 dd 49 c1 ed 03 <43> 0f b6 44 25 00 84 c0 75 4a 8b 2b 31 ff 89 ee e8 fe 4c 7a f9 85
RSP: 0018:ffffc900033fef38 EFLAGS: 00010206
RAX: ffffffff87fd895f RBX: 00000000000001b0 RCX: 0000000000080000
RDX: ffffc90003902000 RSI: 00000000000002cf RDI: 00000000000002d0
RBP: 1ffffffff1604bb0 R08: ffff88802212bb80 R09: 0000000000000002
R10: 00000000ffffffff R11: 0000000000000002 R12: dffffc0000000000
R13: 0000000000000036 R14: 0000000000000000 R15: ffff88801f946000
FS: 00007f01c1a8a6c0(0000) GS:ffff8880b9000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c3134c7 CR3: 0000000069b8b000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 41 56 push %r14
2: 41 55 push %r13
4: 41 54 push %r12
6: 53 push %rbx
7: 49 89 f6 mov %rsi,%r14
a: 49 89 ff mov %rdi,%r15
d: 49 bc 00 00 00 00 00 movabs $0xdffffc0000000000,%r12
14: fc ff df
17: e8 c1 49 7a f9 call 0xf97a49dd
1c: 49 8d 9e b0 01 00 00 lea 0x1b0(%r14),%rbx
23: 49 89 dd mov %rbx,%r13
26: 49 c1 ed 03 shr $0x3,%r13
* 2a: 43 0f b6 44 25 00 movzbl 0x0(%r13,%r12,1),%eax <-- trapping instruction
30: 84 c0 test %al,%al
32: 75 4a jne 0x7e
34: 8b 2b mov (%rbx),%ebp
36: 31 ff xor %edi,%edi
38: 89 ee mov %ebp,%esi
3a: e8 fe 4c 7a f9 call 0xf97a4d3d

syzbot

Jul 10, 2025, 10:28:36 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 2f693b607545 Linux 5.15.187
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12a3868c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ffb429fe3ba39a3c
dashboard link: https://syzkaller.appspot.com/bug?extid=a1df3cc78604c4228e1d
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11a3868c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16973a8c580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/129cdeb1c037/disk-2f693b60.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f163e8700a20/vmlinux-2f693b60.xz
kernel image: https://storage.googleapis.com/syzbot-assets/22c8c0cbe264/Image-2f693b60.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a1df3c...@syzkaller.appspotmail.com

netlink: 4 bytes leftover after parsing attributes in process `syz.0.16'.
Unable to handle kernel paging request at virtual address dfff800000000036
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
[dfff800000000036] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 4186 Comm: syz.0.16 Not tainted 5.15.187-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : htb_deactivate net/sched/sch_htb.c:609 [inline]
pc : htb_qlen_notify+0x3c/0xc8 net/sched/sch_htb.c:1507
lr : htb_qlen_notify+0x2c/0xc8 net/sched/sch_htb.c:1504
sp : ffff80001f9d6da0
x29: ffff80001f9d6da0 x28: 1ffff000025a8aa8 x27: dfff800000000000
x26: 0000000000000000 x25: ffff800012d45548 x24: 0000000000000036
x23: dfff800000000000 x22: ffff8000162edce0 x21: ffff0000d74b0000
x20: 0000000000000000 x19: 00000000000001b0 x18: 0000000000000201
x17: 0000000000000000 x16: ffff8000082bf708 x15: 00000000ffffffff
x14: 0000000000ff0100 x13: ffffffffffffffff x12: 0000000000ff0100
x11: 0000000000000201 x10: 0000000000000000 x9 : 0000000000000003
x8 : ffff0000d193d1c0 x7 : ffff80000f8d3b08 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000002
x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff0000d74b0000
Call trace:
htb_deactivate net/sched/sch_htb.c:609 [inline]
htb_qlen_notify+0x3c/0xc8 net/sched/sch_htb.c:1507
qdisc_tree_reduce_backlog+0x250/0x410 net/sched/sch_api.c:799
sfq_change net/sched/sch_sfq.c:737 [inline]
sfq_init+0x1338/0x1da4 net/sched/sch_sfq.c:801
qdisc_create+0x6e4/0xf24 net/sched/sch_api.c:1260
tc_modify_qdisc+0x8bc/0x1308 net/sched/sch_api.c:-1
rtnetlink_rcv_msg+0x9d4/0xd04 net/core/rtnetlink.c:5650
netlink_rcv_skb+0x208/0x3c4 net/netlink/af_netlink.c:2489
rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:5668
netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
netlink_unicast+0x60c/0x89c net/netlink/af_netlink.c:1337
netlink_sendmsg+0x6e8/0x9cc net/netlink/af_netlink.c:1905
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
____sys_sendmsg+0x61c/0x920 net/socket.c:2436
___sys_sendmsg+0x1d0/0x240 net/socket.c:2490
__sys_sendmsg net/socket.c:2519 [inline]
__do_sys_sendmsg net/socket.c:2528 [inline]
__se_sys_sendmsg net/socket.c:2526 [inline]
__arm64_sys_sendmsg+0x1a8/0x254 net/socket.c:2526
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: 9106c293 d343fe78 12000a69 11000d29 (38f76b08)
---[ end trace 8309f27fdbe5c677 ]---
----------------
Code disassembly (best guess):
0: 9106c293 add x19, x20, #0x1b0
4: d343fe78 lsr x24, x19, #3
8: 12000a69 and w9, w19, #0x7
c: 11000d29 add w9, w9, #0x3
* 10: 38f76b08 ldrsb w8, [x24, x23] <-- trapping instruction


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syzbot

Jul 11, 2025, 5:39:33 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: dfc486ec9cce Linux 6.1.144
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14f75bd4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=af043eb58258a24b
dashboard link: https://syzkaller.appspot.com/bug?extid=1be8ab4d23babd1c7655
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16b9468c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16f8668c580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/33f04d64fdc1/disk-dfc486ec.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ae15f823ab9f/vmlinux-dfc486ec.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c42843bce2bf/bzImage-dfc486ec.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1be8ab...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000037: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000001b8-0x00000000000001bf]
CPU: 1 PID: 4422 Comm: syz.0.16 Not tainted 6.1.144-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:htb_deactivate net/sched/sch_htb.c:610 [inline]
RIP: 0010:htb_qlen_notify+0x2d/0xb0 net/sched/sch_htb.c:1486
Code: 41 56 41 55 41 54 53 49 89 f6 49 89 ff 49 bc 00 00 00 00 00 fc ff df e8 f1 a5 38 f9 49 8d 9e b8 01 00 00 49 89 dd 49 c1 ed 03 <43> 0f b6 44 25 00 84 c0 75 48 8b 2b 31 ff 89 ee e8 2e a9 38 f9 85
RSP: 0018:ffffc900032d6e90 EFLAGS: 00010202
RAX: ffffffff8848319f RBX: 00000000000001b8 RCX: ffff888079391dc0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88807a750000
RBP: dffffc0000000000 R08: ffff888079391dc0 R09: 0000000000000002
R10: 00000000ffffffff R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000000000037 R14: 0000000000000000 R15: ffff88807a750000
FS: 0000555590528500(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000240 CR3: 00000000281c6000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
qdisc_tree_reduce_backlog+0x287/0x470 net/sched/sch_api.c:807
codel_change+0x970/0xdb0 net/sched/sch_codel.c:177
codel_init+0x1d4/0x3a0 net/sched/sch_codel.c:196
qdisc_create+0x7cb/0x1090 net/sched/sch_api.c:1310
tc_modify_qdisc+0xb0f/0x1be0 net/sched/sch_api.c:-1
rtnetlink_rcv_msg+0x79b/0xed0 net/core/rtnetlink.c:6153
netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2493
netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
netlink_unicast+0x74c/0x8c0 net/netlink/af_netlink.c:1337
netlink_sendmsg+0x89e/0xbc0 net/netlink/af_netlink.c:1859
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg net/socket.c:730 [inline]
____sys_sendmsg+0x59b/0x970 net/socket.c:2519
___sys_sendmsg+0x21c/0x290 net/socket.c:2573
__sys_sendmsg net/socket.c:2602 [inline]
__do_sys_sendmsg net/socket.c:2611 [inline]
__se_sys_sendmsg+0x19e/0x270 net/socket.c:2609
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7faef638e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe795e3868 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007faef65b5fa0 RCX: 00007faef638e929
RDX: 000000000000c010 RSI: 0000200000000280 RDI: 0000000000000003
RBP: 00007faef6410b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007faef65b5fa0 R14: 00007faef65b5fa0 R15: 0000000000000003
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:htb_deactivate net/sched/sch_htb.c:610 [inline]
RIP: 0010:htb_qlen_notify+0x2d/0xb0 net/sched/sch_htb.c:1486
Code: 41 56 41 55 41 54 53 49 89 f6 49 89 ff 49 bc 00 00 00 00 00 fc ff df e8 f1 a5 38 f9 49 8d 9e b8 01 00 00 49 89 dd 49 c1 ed 03 <43> 0f b6 44 25 00 84 c0 75 48 8b 2b 31 ff 89 ee e8 2e a9 38 f9 85
RSP: 0018:ffffc900032d6e90 EFLAGS: 00010202
RAX: ffffffff8848319f RBX: 00000000000001b8 RCX: ffff888079391dc0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88807a750000
RBP: dffffc0000000000 R08: ffff888079391dc0 R09: 0000000000000002
R10: 00000000ffffffff R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000000000037 R14: 0000000000000000 R15: ffff88807a750000
FS: 0000555590528500(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000240 CR3: 00000000281c6000 CR4: 00000000003506e0

syzbot

Jul 16, 2025, 6:29:39 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 9247f4e6573a Linux 6.6.98
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11fb2382580000
kernel config: https://syzkaller.appspot.com/x/.config?x=cfe840f14e117c98
dashboard link: https://syzkaller.appspot.com/bug?extid=c8853fb09659df151520
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3855f6db0ca8/disk-9247f4e6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fe3d6afeb3a6/vmlinux-9247f4e6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7d8784621ac6/bzImage-9247f4e6.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c8853f...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000035: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000001a8-0x00000000000001af]
CPU: 1 PID: 14702 Comm: syz.3.3086 Not tainted 6.6.98-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:htb_deactivate net/sched/sch_htb.c:613 [inline]
RIP: 0010:htb_qlen_notify+0x31/0xb0 net/sched/sch_htb.c:1489
Code: 41 56 41 55 41 54 53 49 89 f6 49 89 ff 49 bc 00 00 00 00 00 fc ff df e8 ad 90 f4 f8 49 8d 9e a8 01 00 00 49 89 dd 49 c1 ed 03 <43> 0f b6 44 25 00 84 c0 75 48 8b 2b 31 ff 89 ee e8 3a 94 f4 f8 85
RSP: 0018:ffffc90011feed90 EFLAGS: 00010206
RAX: ffffffff889115c3 RBX: 00000000000001a8 RCX: 0000000000080000
RDX: ffffc9000d2db000 RSI: 0000000000001a96 RDI: 0000000000001a97
RBP: dffffc0000000000 R08: ffff88802ea68000 R09: 0000000000000002
R10: 00000000ffffffff R11: 0000000000000002 R12: dffffc0000000000
R13: 0000000000000035 R14: 0000000000000000 R15: ffff88805bf2c000
FS: 00007f1462fff6c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2d31cff8 CR3: 000000002a6e9000 CR4: 00000000003506e0
Call Trace:
<TASK>
qdisc_tree_reduce_backlog+0x28b/0x470 net/sched/sch_api.c:810
codel_change+0x974/0xdb0 net/sched/sch_codel.c:177
codel_init+0x1fd/0x3e0 net/sched/sch_codel.c:196
qdisc_create+0x8eb/0x1050 net/sched/sch_api.c:1322
tc_modify_qdisc+0xb13/0x1be0 net/sched/sch_api.c:-1
rtnetlink_rcv_msg+0x7c7/0xf10 net/core/rtnetlink.c:6475
netlink_rcv_skb+0x216/0x480 net/netlink/af_netlink.c:2537
netlink_unicast_kernel net/netlink/af_netlink.c:1323 [inline]
netlink_unicast+0x750/0x8c0 net/netlink/af_netlink.c:1349
netlink_sendmsg+0x8c1/0xbe0 net/netlink/af_netlink.c:1891
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x5bf/0x950 net/socket.c:2595
___sys_sendmsg+0x220/0x290 net/socket.c:2649
__sys_sendmsg net/socket.c:2678 [inline]
__do_sys_sendmsg net/socket.c:2687 [inline]
__se_sys_sendmsg+0x1a5/0x270 net/socket.c:2685
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f146318e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1462fff038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f14633b5fa0 RCX: 00007f146318e929
RDX: 0000000000004000 RSI: 0000200000000140 RDI: 0000000000000003
RBP: 00007f1463210b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f14633b5fa0 R15: 00007ffd9206c138
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:htb_deactivate net/sched/sch_htb.c:613 [inline]
RIP: 0010:htb_qlen_notify+0x31/0xb0 net/sched/sch_htb.c:1489
Code: 41 56 41 55 41 54 53 49 89 f6 49 89 ff 49 bc 00 00 00 00 00 fc ff df e8 ad 90 f4 f8 49 8d 9e a8 01 00 00 49 89 dd 49 c1 ed 03 <43> 0f b6 44 25 00 84 c0 75 48 8b 2b 31 ff 89 ee e8 3a 94 f4 f8 85
RSP: 0018:ffffc90011feed90 EFLAGS: 00010206
RAX: ffffffff889115c3 RBX: 00000000000001a8 RCX: 0000000000080000
RDX: ffffc9000d2db000 RSI: 0000000000001a96 RDI: 0000000000001a97
RBP: dffffc0000000000 R08: ffff88802ea68000 R09: 0000000000000002
R10: 00000000ffffffff R11: 0000000000000002 R12: dffffc0000000000
R13: 0000000000000035 R14: 0000000000000000 R15: ffff88805bf2c000
FS: 00007f1462fff6c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2d31cff8 CR3: 000000002a6e9000 CR4: 00000000003506e0
----------------
Code disassembly (best guess):
0: 41 56 push %r14
2: 41 55 push %r13
4: 41 54 push %r12
6: 53 push %rbx
7: 49 89 f6 mov %rsi,%r14
a: 49 89 ff mov %rdi,%r15
d: 49 bc 00 00 00 00 00 movabs $0xdffffc0000000000,%r12
14: fc ff df
17: e8 ad 90 f4 f8 call 0xf8f490c9
1c: 49 8d 9e a8 01 00 00 lea 0x1a8(%r14),%rbx
23: 49 89 dd mov %rbx,%r13
26: 49 c1 ed 03 shr $0x3,%r13
* 2a: 43 0f b6 44 25 00 movzbl 0x0(%r13,%r12,1),%eax <-- trapping instruction
30: 84 c0 test %al,%al
32: 75 48 jne 0x7c
34: 8b 2b mov (%rbx),%ebp
36: 31 ff xor %edi,%edi
38: 89 ee mov %ebp,%esi
3a: e8 3a 94 f4 f8 call 0xf8f49479
3f: 85 .byte 0x85


syzbot

Aug 11, 2025, 9:52:04 PM
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:

commit 23c165dde88eac405eebb59051ea1fe139a45803
Author: Victor Nogueira <vic...@mojatatu.com>
Date: Mon Jul 7 21:08:01 2025 +0000

net/sched: Abort __tc_modify_qdisc if parent class does not exist

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14488c34580000
start commit: dfc486ec9cce Linux 6.1.144
git tree: linux-6.1.y
If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: net/sched: Abort __tc_modify_qdisc if parent class does not exist

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

syzbot

Oct 20, 2025, 2:07:19 PM
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.

syzbot

Oct 24, 2025, 6:29:20 AM
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.