[syzbot] [mm?] INFO: rcu detected stall in mas_preallocate (2)


syzbot

Dec 9, 2024, 4:12:27 AM
to Liam.H...@oracle.com, ak...@linux-foundation.org, ja...@google.com, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, syzkall...@googlegroups.com, vba...@suse.cz
Hello,

syzbot found the following issue on:

HEAD commit: feffde684ac2 Merge tag 'for-6.13-rc1-tag' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10b08020580000
kernel config: https://syzkaller.appspot.com/x/.config?x=50c7a61469ce77e7
dashboard link: https://syzkaller.appspot.com/bug?extid=882589c97d51a9de68eb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10e8a8df980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3bb09093023b/disk-feffde68.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9e37e48dc48a/vmlinux-feffde68.xz
kernel image: https://storage.googleapis.com/syzbot-assets/36b46b3a6421/bzImage-feffde68.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+882589...@syzkaller.appspotmail.com

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: (detected by 0, t=17825 jiffies, g=10505, q=929 ncpus=2)
rcu: All QSes seen, last rcu_preempt kthread activity 11791 (4294964533-4294952742), jiffies_till_next_fqs=1, root ->qsmask 0x0
rcu: rcu_preempt kthread starved for 11791 jiffies! g10505 f0x2 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1
rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt state:R running task stack:25784 pid:17 tgid:17 ppid:2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5369 [inline]
__schedule+0x1850/0x4c30 kernel/sched/core.c:6756
__schedule_loop kernel/sched/core.c:6833 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6848
schedule_timeout+0x15a/0x290 kernel/time/sleep_timeout.c:99
rcu_gp_fqs_loop+0x2df/0x1330 kernel/rcu/tree.c:2045
rcu_gp_kthread+0xa7/0x3b0 kernel/rcu/tree.c:2247
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
rcu: Stack dump where RCU GP kthread last ran:
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 6002 Comm: syz-executor Not tainted 6.13.0-rc1-syzkaller-00025-gfeffde684ac2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__sanitizer_cov_trace_cmp8+0x0/0x90 kernel/kcov.c:293
Code: 10 48 89 74 0a 18 4c 89 44 0a 20 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 4c 8b 04 24 65 48 8b 0c 25 00 d6 03 00 65 8b 05 70 61
RSP: 0018:ffffc90000a18c98 EFLAGS: 00000046
RAX: ffffffff8bcbfbf7 RBX: ffff88805d8d6340 RCX: ffff88803141bc00
RDX: 0000000000010000 RSI: ffff88805d8d6340 RDI: ffff88805d8d6340
RBP: 1ffff1100bb1ac68 R08: ffffffff818d04c0 R09: 1ffffffff20328be
R10: dffffc0000000000 R11: fffffbfff20328bf R12: ffff8880b872c9d0
R13: ffff8880b872c9d0 R14: ffff88805d8d6340 R15: ffff88805d8d6340
FS: 000055557e00b500(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f29e4db6bd0 CR3: 00000000622f2000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<IRQ>
timerqueue_add+0x4b/0x290 lib/timerqueue.c:38
enqueue_hrtimer+0x1b2/0x3c0 kernel/time/hrtimer.c:1084
__run_hrtimer kernel/time/hrtimer.c:1756 [inline]
__hrtimer_run_queues+0x6cb/0xd30 kernel/time/hrtimer.c:1803
hrtimer_interrupt+0x403/0xa40 kernel/time/hrtimer.c:1865
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1038 [inline]
__sysvec_apic_timer_interrupt+0x110/0x420 arch/x86/kernel/apic/apic.c:1055
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1049
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:mas_wr_store_type+0x2a/0x16c0 lib/maple_tree.c:4212
Code: 55 41 57 41 56 41 55 41 54 53 48 81 ec c8 00 00 00 49 89 fe 49 bc 00 00 00 00 00 fc ff df e8 ad 78 d8 f5 4c 89 f0 48 c1 e8 03 <48> 89 84 24 80 00 00 00 42 80 3c 20 00 74 08 4c 89 f7 e8 5f 60 43
RSP: 0018:ffffc900031174c0 EFLAGS: 00000a02
RAX: 1ffff92000622ec4 RBX: 0000000000000000 RCX: ffff88803141bc00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90003117620
RBP: ffffc900031176f0 R08: ffffffff8bc6b87c R09: ffffffff8bc761f0
R10: 0000000000000005 R11: ffff88803141bc00 R12: dffffc0000000000
R13: ffffc90003117620 R14: ffffc90003117620 R15: dffffc0000000000
mas_preallocate+0x27d/0x8d0 lib/maple_tree.c:5540
vma_iter_prealloc mm/vma.h:349 [inline]
__mmap_new_vma mm/vma.c:2349 [inline]
__mmap_region+0x1b89/0x2cd0 mm/vma.c:2456
mmap_region+0x1d0/0x2c0 mm/mmap.c:1347
do_mmap+0x8f0/0x1000 mm/mmap.c:496
vm_mmap_pgoff+0x1dd/0x3d0 mm/util.c:580
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa71757ff53
Code: f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 41 89 ca 41 f7 c1 ff 0f 00 00 75 14 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 25 c3 0f 1f 40 00 48 c7 c0 a8 ff ff ff 64 c7
RSP: 002b:00007ffedb7e9bc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: fffffffffffff000 RCX: 00007fa71757ff53
RDX: 0000000000000000 RSI: 0000000000801000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 00000000ffffffff R09: 0000000000000000
R10: 0000000000020022 R11: 0000000000000246 R12: 00007ffedb7e9c30
R13: ffffffffffffffc0 R14: 0000000000001000 R15: 0000000000000000
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Liam R. Howlett

Dec 9, 2024, 3:36:57 PM
to syzbot, ak...@linux-foundation.org, ja...@google.com, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, syzkall...@googlegroups.com, vba...@suse.cz
* syzbot <syzbot+882589...@syzkaller.appspotmail.com> [241209 04:12]:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: feffde684ac2 Merge tag 'for-6.13-rc1-tag' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10b08020580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=50c7a61469ce77e7
> dashboard link: https://syzkaller.appspot.com/bug?extid=882589c97d51a9de68eb
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10e8a8df980000

Check hot fixes in case this is related to known issues.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm mm-unstable

syzbot

Dec 9, 2024, 9:48:04 PM
to ak...@linux-foundation.org, ja...@google.com, liam.h...@oracle.com, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, syzkall...@googlegroups.com, vba...@suse.cz
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: rcu detected stall in corrupted

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: (detected by 0, t=12997 jiffies, g=15009, q=2022 ncpus=2)
rcu: All QSes seen, last rcu_preempt kthread activity 12997 (4294963490-4294950493), jiffies_till_next_fqs=1, root ->qsmask 0x0
rcu: rcu_preempt kthread starved for 12997 jiffies! g15009 f0x2 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0
rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt state:R running task stack:25624 pid:17 tgid:17 ppid:2 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5369 [inline]
__schedule+0x1850/0x4c30 kernel/sched/core.c:6756
__schedule_loop kernel/sched/core.c:6833 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6848
schedule_timeout+0x15a/0x290 kernel/time/sleep_timeout.c:99
rcu_gp_fqs_loop+0x2df/0x1330 kernel/rcu/tree.c:2045
rcu_gp_kthread+0xa7/0x3b0 kernel/rcu/tree.c:2247
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
rcu: Stack dump where RCU GP kthread last ran:
CPU: 0 UID: 0 PID: 6541 Comm: syz-executor Not tainted 6.13.0-rc1-syzkaller-00172-g6e165f544379 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5853
Code: 2b 00 74 08 4c 89 f7 e8 8a 0a 8b 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25
RSP: 0018:ffffc900042ff080 EFLAGS: 00000206
RAX: 0000000000000001 RBX: 1ffff9200085fe1c RCX: ffff888025bf8ad8
RDX: dffffc0000000000 RSI: ffffffff8c0aa9a0 RDI: ffffffff8c5f98c0
RBP: ffffc900042ff1d8 R08: ffffffff942a0887 R09: 1ffffffff2854110
R10: dffffc0000000000 R11: fffffbfff2854111 R12: 1ffff9200085fe18
R13: dffffc0000000000 R14: ffffc900042ff0e0 R15: 0000000000000246
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe0e0053440 CR3: 000000002d710000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
</IRQ>
<TASK>
rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
rcu_read_lock include/linux/rcupdate.h:849 [inline]
page_ext_get+0x3d/0x2a0 mm/page_ext.c:525
page_table_check_clear+0x4b/0x550 mm/page_table_check.c:74
get_and_clear_full_ptes include/linux/pgtable.h:712 [inline]
zap_present_folio_ptes mm/memory.c:1510 [inline]
zap_present_ptes mm/memory.c:1595 [inline]
do_zap_pte_range mm/memory.c:1697 [inline]
zap_pte_range mm/memory.c:1739 [inline]
zap_pmd_range mm/memory.c:1822 [inline]
zap_pud_range mm/memory.c:1851 [inline]
zap_p4d_range mm/memory.c:1872 [inline]
unmap_page_range+0x376a/0x48d0 mm/memory.c:1893
unmap_vmas+0x3cc/0x5f0 mm/memory.c:1983
exit_mmap+0x288/0xd50 mm/mmap.c:1263
__mmput+0x115/0x3c0 kernel/fork.c:1406
exit_mm+0x220/0x310 kernel/exit.c:570
do_exit+0x9b2/0x28e0 kernel/exit.c:925
do_group_exit+0x207/0x2c0 kernel/exit.c:1087
get_signal+0x16b2/0x1750 kernel/signal.c:3017
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xce/0x340 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f479f176197
Code: Unable to access opcode bytes at 0x7f479f17616d.
RSP: 002b:00007fffa52fadc0 EFLAGS: 00000293 ORIG_RAX: 000000000000003d
RAX: fffffffffffffe00 RBX: 000000000000199b RCX: 00007f479f176197
RDX: 0000000040000000 RSI: 00007fffa52fadfc RDI: 00000000ffffffff
RBP: 00007fffa52fadfc R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 00007fffa52fae80
R13: 00007fffa52fae88 R14: 0000000000000009 R15: 0000000000000000
</TASK>


Tested on:

commit: 6e165f54 mm/page_isolation: fixup isolate_single_pageb..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm mm-unstable
console output: https://syzkaller.appspot.com/x/log.txt?x=1571d4df980000
kernel config: https://syzkaller.appspot.com/x/.config?x=6da4e19788a025a7
dashboard link: https://syzkaller.appspot.com/bug?extid=882589c97d51a9de68eb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

Liam R. Howlett

Dec 10, 2024, 1:04:49 PM
to syzbot, ak...@linux-foundation.org, ja...@google.com, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, syzkall...@googlegroups.com, vba...@suse.cz
* syzbot <syzbot+882589...@syzkaller.appspotmail.com> [241209 21:48]:
This stack trace is significantly different than the one pointing to
maple tree code. It rules out the vma tree being the issue as we are
now being interrupted in page table clean up. It doesn't rule out the
tree checking taking too long and causing a timeout.

A C reproducer would help, so hopefully one will be produced by the bot.

Thanks,
Liam

syzbot

Jan 2, 2025, 7:46:03 PM
to Liam.H...@oracle.com, ak...@linux-foundation.org, da...@davemloft.net, ja...@google.com, j...@mojatatu.com, ji...@resnulli.us, liam.h...@oracle.com, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, net...@vger.kernel.org, syzkall...@googlegroups.com, vba...@suse.cz, viniciu...@intel.com, xiyou.w...@gmail.com
syzbot has bisected this issue to:

commit 5a781ccbd19e4664babcbe4b4ead7aa2b9283d22
Author: Vinicius Costa Gomes <viniciu...@intel.com>
Date: Sat Sep 29 00:59:43 2018 +0000

tc: Add support for configuring the taprio scheduler

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=117df818580000
start commit: feffde684ac2 Merge tag 'for-6.13-rc1-tag' of git://git.ker..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=137df818580000
console output: https://syzkaller.appspot.com/x/log.txt?x=157df818580000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10e8a8df980000

Reported-by: syzbot+882589...@syzkaller.appspotmail.com
Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Liam R. Howlett

Jan 3, 2025, 10:20:52 AM
to syzbot, ak...@linux-foundation.org, da...@davemloft.net, ja...@google.com, j...@mojatatu.com, ji...@resnulli.us, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, net...@vger.kernel.org, syzkall...@googlegroups.com, vba...@suse.cz, viniciu...@intel.com, xiyou.w...@gmail.com
* syzbot <syzbot+882589...@syzkaller.appspotmail.com> [250102 19:47]:
This looks wrong; if this is a bug (which looks like it is since it has
a syzbot reproducer?), then it's different than the previous two reports
and probably not related.


Vinicius,

Looking at the patch, it seems you missed some users of -1 vs
TAPRIO_ALL_GATES_OPEN in taprio_peek(). The comment in taprio_dequeue()
is useful - maybe the gate_mask rcu lock/unlock could be a function and
have that comment live in a static inline function?

Thanks,
Liam


Hillf Danton

Jan 3, 2025, 7:00:53 PM
to Liam R. Howlett, syzbot, Vladimir Oltean, linux-...@vger.kernel.org, linu...@kvack.org, lorenzo...@oracle.com, net...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 3 Jan 2025 10:20:34 -0500 "Liam R. Howlett" <Liam.H...@oracle.com>
> * syzbot <syzbot+882589...@syzkaller.appspotmail.com> [250102 19:47]:
> > syzbot has bisected this issue to:
> >
> > commit 5a781ccbd19e4664babcbe4b4ead7aa2b9283d22
> > Author: Vinicius Costa Gomes <viniciu...@intel.com>
> > Date: Sat Sep 29 00:59:43 2018 +0000
> >
> > tc: Add support for configuring the taprio scheduler
> >
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=117df818580000
> > start commit: feffde684ac2 Merge tag 'for-6.13-rc1-tag' of git://git.ker..
> > git tree: upstream
> > final oops: https://syzkaller.appspot.com/x/report.txt?x=137df818580000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=157df818580000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=50c7a61469ce77e7
> > dashboard link: https://syzkaller.appspot.com/bug?extid=882589c97d51a9de68eb
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10e8a8df980000
> >
> > Reported-by: syzbot+882589...@syzkaller.appspotmail.com
> > Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler")
> >
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> >
>
> This looks wrong, if this is a bug (which looks like it is since it has
> a syzbot reproducer?), then it's different than the previous two reports
> and probably not related.
>
In case you missed it, take a look at
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fb66df20a720

Yun Lu

Feb 7, 2025, 4:10:48 AM
to syzbot+882589...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Signed-off-by: Yun Lu <lu...@kylinos.cn>
---

diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
index a68e17891b0b..7d3769e0ac0b 100644
--- a/net/sched/sch_taprio.c
+++ b/net/sched/sch_taprio.c
@@ -104,6 +104,7 @@ struct taprio_sched {
u32 max_sdu[TC_MAX_QUEUE]; /* save info from the user */
u32 fp[TC_QOPT_MAX_QUEUE]; /* only for dump and offloading */
u32 txtime_delay;
+ ktime_t offset;
};

struct __tc_taprio_qopt_offload {
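Review bot: the new `ktime_t offset;` member is the only field in this hunk without a trailing comment, and nothing in the submission explains it (the message carries only a `#syz test` line and a Signed-off-by, no changelog). Add a short comment on the field saying what it caches (from the later hunks, the last mono-to-clockid offset seen by advance_sched() and taprio_get_start_time()), and a changelog describing the clock-offset change this is meant to survive and how it relates to the reported RCU stall.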
@@ -170,6 +171,19 @@ static ktime_t sched_base_time(const struct sched_gate_list *sched)
return ns_to_ktime(sched->base_time);
}

+static ktime_t taprio_get_offset(const struct taprio_sched *q)
+{
+ enum tk_offsets tk_offset = READ_ONCE(q->tk_offset);
+ ktime_t time = ktime_get();
+
+ switch (tk_offset) {
+ case TK_OFFS_MAX:
+ return 0;
+ default:
+ return ktime_sub_ns(ktime_mono_to_any(time, tk_offset), time);
+ }
+}
+
static ktime_t taprio_mono_to_any(const struct taprio_sched *q, ktime_t mono)
{
/* This pairs with WRITE_ONCE() in taprio_parse_clockid() */
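Review bot: taprio_get_offset() repeats the `READ_ONCE(q->tk_offset)` plus switch-on-tk_offset pattern that taprio_mono_to_any() directly below already carries, and the existing function documents that its READ_ONCE pairs with the WRITE_ONCE() in taprio_parse_clockid() while the new copy does not. If taprio_mono_to_any() returns its argument unchanged for TK_OFFS_MAX (its body is outside this hunk), the new helper can be reduced to something like `ktime_t now = ktime_get(); return ktime_sub(taprio_mono_to_any(q, now), now);` placed after it, which keeps one copy of the clockid logic; otherwise at least carry the pairing comment over. Separately, both operands of the subtraction are ktime_t, so ktime_sub() is the matching helper; ktime_sub_ns() takes a u64 nanosecond count as its second argument.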
@@ -918,6 +932,7 @@ static enum hrtimer_restart advance_sched(struct hrtimer *timer)
int num_tc = netdev_get_num_tc(dev);
struct sched_entry *entry, *next;
struct Qdisc *sch = q->root;
+ ktime_t now_offset = taprio_get_offset(q);
ktime_t end_time;
int tc;

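Review bot: the new `ktime_t now_offset = taprio_get_offset(q);` declaration breaks the reverse-christmas-tree ordering netdev expects in advance_sched(): it is longer than the `struct Qdisc *sch = q->root;` and `struct sched_entry *entry, *next;` lines above it. Either move it to the top of the declaration block, or declare `now_offset` uninitialised next to `end_time` and assign it in the body right before the comparison that uses it.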
@@ -957,6 +972,14 @@ static enum hrtimer_restart advance_sched(struct hrtimer *timer)
end_time = ktime_add_ns(entry->end_time, next->interval);
end_time = min_t(ktime_t, end_time, oper->cycle_end_time);

+ if (q->offset != now_offset) {
+ ktime_t diff = ktime_sub_ns(now_offset, q->offset);
+
+ end_time = ktime_add_ns(end_time, diff);
+ oper->cycle_end_time = ktime_add_ns(oper->cycle_end_time, diff);
+ q->offset = now_offset;
+ }
+
for (tc = 0; tc < num_tc; tc++) {
if (next->gate_duration[tc] == oper->cycle_time)
next->gate_close_time[tc] = KTIME_MAX;
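Review bot: q->offset is compared and rewritten here in hrtimer context, while the `@@ -1207` hunk assigns it from taprio_get_start_time() on the configuration path, and nothing in the patch pairs those accesses with a lock or a READ_ONCE()/WRITE_ONCE() pair the way tk_offset is handled. State in the changelog what serialises the two writers, or use the same READ_ONCE/WRITE_ONCE pairing. Also, `diff` is a ktime_t difference, so `ktime_sub(now_offset, q->offset)` and `ktime_add(end_time, diff)` fit better than the `_ns` variants, which expect a u64 nanosecond count. A one-line comment on why only end_time and oper->cycle_end_time are rebased, and not entry->end_time that end_time was just derived from, would help the next reader.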
@@ -1207,6 +1230,7 @@ static int taprio_get_start_time(struct Qdisc *sch,

base = sched_base_time(sched);
now = taprio_get_time(q);
+ q->offset = taprio_get_offset(q);

if (ktime_after(base, now)) {
*start = base;
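Review bot: `now = taprio_get_time(q);` and `q->offset = taprio_get_offset(q);` read the clock independently (taprio_get_offset() calls ktime_get() itself in the `@@ -170` hunk), so if the clockid offset changes between the two calls the cached offset no longer corresponds to the `now` the start time is computed from. Take one monotonic sample and derive both `now` and `q->offset` from it, for example by reading ktime_get() once here and passing it to a helper that accepts the timestamp.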

syzbot

Feb 7, 2025, 4:47:05 AM
to ak...@linux-foundation.org, liam.h...@oracle.com, linux-...@vger.kernel.org, lu...@kylinos.cn, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

nclude/linux/blkdev.h:756 [inline]
loop_add+0x81d/0xaf0 drivers/block/loop.c:2096
loop_init+0x168/0x220 drivers/block/loop.c:2288
do_one_initcall+0x248/0x870 init/main.c:1257
do_initcall_level+0x157/0x210 init/main.c:1319
do_initcalls+0x3f/0x80 init/main.c:1335
page_owner free stack trace missing

Memory state around the buggy address:
ffff888141f75b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888141f75b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888141f75c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888141f75c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888141f75d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Warning: Permanently added '10.128.0.174' (ED25519) to the list of known hosts.
2025/02/07 09:46:10 ignoring optional flag "sandboxArg"="0"
2025/02/07 09:46:11 parsed 1 programs
[ 64.680788][ T5831] cgroup: Unknown subsys name 'net'
[ 64.809551][ T5831] cgroup: Unknown subsys name 'cpuset'
[ 64.817337][ T5831] cgroup: Unknown subsys name 'rlimit'
[ 66.046132][ T5831] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 68.468278][ T5846] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linu...@kvack.org if you depend on this functionality.
[ 68.794988][ T1121] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 68.816430][ T1121] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 68.872503][ T5849] chnl_net:caif_netlink_parms(): no params data found
[ 68.925704][ T5860] ==================================================================
[ 68.933807][ T5860] BUG: KASAN: slab-use-after-free in binder_add_device+0x5f/0xa0
[ 68.941551][ T5860] Write of size 8 at addr ffff888141f75c08 by task syz-executor/5860
[ 68.949594][ T5860]
[ 68.952007][ T5860] CPU: 0 UID: 0 PID: 5860 Comm: syz-executor Not tainted 6.14.0-rc1-syzkaller-00081-gbb066fe812d6-dirty #0
[ 68.952018][ T5860] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 68.952027][ T5860] Call Trace:
[ 68.952031][ T5860] <TASK>
[ 68.952036][ T5860] dump_stack_lvl+0x241/0x360
[ 68.952050][ T5860] ? __pfx_dump_stack_lvl+0x10/0x10
[ 68.952059][ T5860] ? __pfx__printk+0x10/0x10
[ 68.952068][ T5860] ? _printk+0xd5/0x120
[ 68.952075][ T5860] ? __virt_addr_valid+0x183/0x530
[ 68.952089][ T5860] ? __virt_addr_valid+0x183/0x530
[ 68.952101][ T5860] print_report+0x169/0x550
[ 68.952110][ T5860] ? __virt_addr_valid+0x183/0x530
[ 68.952122][ T5860] ? __virt_addr_valid+0x183/0x530
[ 68.952133][ T5860] ? __virt_addr_valid+0x45f/0x530
[ 68.952145][ T5860] ? __phys_addr+0xba/0x170
[ 68.952157][ T5860] ? binder_add_device+0x5f/0xa0
[ 68.952171][ T5860] kasan_report+0x143/0x180
[ 68.952179][ T5860] ? binder_add_device+0x5f/0xa0
[ 68.952192][ T5860] binder_add_device+0x5f/0xa0
[ 68.952205][ T5860] binderfs_binder_device_create+0x7bf/0x9c0
[ 68.952219][ T5860] binderfs_fill_super+0x944/0xd90
[ 68.952233][ T5860] ? __pfx_binderfs_fill_super+0x10/0x10
[ 68.952248][ T5860] ? shrinker_register+0x160/0x230
[ 68.952261][ T5860] ? sget_fc+0x909/0x9c0
[ 68.952272][ T5860] ? __pfx_set_anon_super_fc+0x10/0x10
[ 68.952283][ T5860] ? __pfx_binderfs_fill_super+0x10/0x10
[ 68.952295][ T5860] get_tree_nodev+0xb7/0x140
[ 68.952307][ T5860] vfs_get_tree+0x90/0x2b0
[ 68.952319][ T5860] do_new_mount+0x2be/0xb40
[ 68.952329][ T5860] ? __pfx_do_new_mount+0x10/0x10
[ 68.952340][ T5860] __se_sys_mount+0x2d6/0x3c0
[ 68.952349][ T5860] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 68.952362][ T5860] ? __pfx___se_sys_mount+0x10/0x10
[ 68.952371][ T5860] ? do_syscall_64+0x100/0x230
[ 68.952382][ T5860] ? __x64_sys_mount+0x20/0xc0
[ 68.952391][ T5860] do_syscall_64+0xf3/0x230
[ 68.952400][ T5860] ? clear_bhb_loop+0x35/0x90
[ 68.952412][ T5860] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.952424][ T5860] RIP: 0033:0x7f91065816ba
[ 68.952436][ T5860] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 68.952443][ T5860] RSP: 002b:00007ffc27214878 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 68.952459][ T5860] RAX: ffffffffffffffda RBX: 00007f91065f3d49 RCX: 00007f91065816ba
[ 68.952465][ T5860] RDX: 00007f91065ff2fa RSI: 00007f91065f3d49 RDI: 00007f91065ff2fa
[ 68.952471][ T5860] RBP: 00007f91065f3f58 R08: 0000000000000000 R09: 00000000000001ff
[ 68.952478][ T5860] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f91065de068
[ 68.952483][ T5860] R13: 00007f91065de048 R14: 0000000000000009 R15: 0000000000000000
[ 68.952492][ T5860] </TASK>
[ 68.952495][ T5860]
[ 69.224959][ T5860] Allocated by task 5845:
[ 69.229271][ T5860] kasan_save_track+0x3f/0x80
[ 69.234027][ T5860] __kasan_kmalloc+0x98/0xb0
[ 69.238601][ T5860] __kmalloc_cache_noprof+0x243/0x390
[ 69.243955][ T5860] binderfs_binder_device_create+0x16c/0x9c0
[ 69.249920][ T5860] binderfs_fill_super+0x944/0xd90
[ 69.255009][ T5860] get_tree_nodev+0xb7/0x140
[ 69.259583][ T5860] vfs_get_tree+0x90/0x2b0
[ 69.263978][ T5860] do_new_mount+0x2be/0xb40
[ 69.268461][ T5860] __se_sys_mount+0x2d6/0x3c0
[ 69.273112][ T5860] do_syscall_64+0xf3/0x230
[ 69.277601][ T5860] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.283493][ T5860]
[ 69.285813][ T5860] Freed by task 5845:
[ 69.289778][ T5860] kasan_save_track+0x3f/0x80
[ 69.294458][ T5860] kasan_save_free_info+0x40/0x50
[ 69.299465][ T5860] __kasan_slab_free+0x59/0x70
[ 69.304204][ T5860] kfree+0x196/0x430
[ 69.308074][ T5860] evict+0x4e8/0x9a0
[ 69.311958][ T5860] __dentry_kill+0x20d/0x630
[ 69.316551][ T5860] shrink_kill+0xa9/0x2c0
[ 69.320870][ T5860] shrink_dentry_list+0x2c0/0x5b0
[ 69.325897][ T5860] shrink_dcache_parent+0xcb/0x3b0
[ 69.331002][ T5860] do_one_tree+0x23/0xe0
[ 69.335228][ T5860] shrink_dcache_for_umount+0xb4/0x180
[ 69.340680][ T5860] generic_shutdown_super+0x6a/0x2d0
[ 69.345948][ T5860] kill_litter_super+0x76/0xb0
[ 69.350695][ T5860] binderfs_kill_super+0x44/0x90
[ 69.355617][ T5860] deactivate_locked_super+0xc4/0x130
[ 69.360969][ T5860] cleanup_mnt+0x41f/0x4b0
[ 69.365365][ T5860] task_work_run+0x24f/0x310
[ 69.369937][ T5860] do_exit+0xa2a/0x28e0
[ 69.374165][ T5860] do_group_exit+0x207/0x2c0
[ 69.378743][ T5860] get_signal+0x16b2/0x1750
[ 69.383248][ T5860] arch_do_signal_or_restart+0x96/0x860
[ 69.388777][ T5860] syscall_exit_to_user_mode+0xce/0x340
[ 69.394300][ T5860] do_syscall_64+0x100/0x230
[ 69.398869][ T5860] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.404744][ T5860]
[ 69.407051][ T5860] The buggy address belongs to the object at ffff888141f75c00
[ 69.407051][ T5860] which belongs to the cache kmalloc-512 of size 512
[ 69.421095][ T5860] The buggy address is located 8 bytes inside of
[ 69.421095][ T5860] freed 512-byte region [ffff888141f75c00, ffff888141f75e00)
[ 69.434789][ T5860]
[ 69.437103][ T5860] The buggy address belongs to the physical page:
[ 69.443496][ T5860] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x141f74
[ 69.452336][ T5860] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 69.460916][ T5860] flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
[ 69.468547][ T5860] page_type: f5(slab)
[ 69.472507][ T5860] raw: 057ff00000000040 ffff88801ac41c80 dead000000000100 dead000000000122
[ 69.481069][ T5860] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 69.489641][ T5860] head: 057ff00000000040 ffff88801ac41c80 dead000000000100 dead000000000122
[ 69.498304][ T5860] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 69.506956][ T5860] head: 057ff00000000002 ffffea000507dd01 ffffffffffffffff 0000000000000000
[ 69.515611][ T5860] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 69.524263][ T5860] page dumped because: kasan: bad access detected
[ 69.530662][ T5860] page_owner tracks the page as allocated
[ 69.536373][ T5860] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 6980091527, free_ts 0
[ 69.555979][ T5860] post_alloc_hook+0x1f4/0x240
[ 69.560735][ T5860] get_page_from_freelist+0x365c/0x37a0
[ 69.566268][ T5860] __alloc_frozen_pages_noprof+0x292/0x710
[ 69.572058][ T5860] alloc_pages_mpol+0x311/0x660
[ 69.576894][ T5860] allocate_slab+0x8f/0x3a0
[ 69.581421][ T5860] ___slab_alloc+0xc27/0x14a0
[ 69.586100][ T5860] __slab_alloc+0x58/0xa0
[ 69.590410][ T5860] __kmalloc_cache_noprof+0x27b/0x390
[ 69.595761][ T5860] wbt_init+0x78/0x510
[ 69.599806][ T5860] blk_register_queue+0x350/0x3d0
[ 69.604815][ T5860] add_disk_fwnode+0x66d/0xfc0
[ 69.609561][ T5860] loop_add+0x81d/0xaf0
[ 69.613712][ T5860] loop_init+0x168/0x220
[ 69.617930][ T5860] do_one_initcall+0x248/0x870
[ 69.622673][ T5860] do_initcall_level+0x157/0x210
[ 69.627600][ T5860] do_initcalls+0x3f/0x80
[ 69.631925][ T5860] page_owner free stack trace missing
[ 69.637266][ T5860]
[ 69.639569][ T5860] Memory state around the buggy address:
[ 69.645183][ T5860] ffff888141f75b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.653231][ T5860] ffff888141f75b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.661270][ T5860] >ffff888141f75c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.669303][ T5860] ^
[ 69.673603][ T5860] ffff888141f75c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.681641][ T5860] ffff888141f75d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.689675][ T5860] ==================================================================
[ 69.699154][ T5860] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 69.706351][ T5860] CPU: 0 UID: 0 PID: 5860 Comm: syz-executor Not tainted 6.14.0-rc1-syzkaller-00081-gbb066fe812d6-dirty #0
[ 69.717706][ T5860] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 69.727751][ T5860] Call Trace:
[ 69.731103][ T5860] <TASK>
[ 69.734019][ T5860] dump_stack_lvl+0x241/0x360
[ 69.738689][ T5860] ? __pfx_dump_stack_lvl+0x10/0x10
[ 69.743874][ T5860] ? __pfx__printk+0x10/0x10
[ 69.748452][ T5860] ? preempt_schedule+0xe1/0xf0
[ 69.753295][ T5860] ? vscnprintf+0x5d/0x90
[ 69.757616][ T5860] panic+0x349/0x880
[ 69.761527][ T5860] ? check_panic_on_warn+0x21/0xb0
[ 69.766629][ T5860] ? __pfx_panic+0x10/0x10
[ 69.771036][ T5860] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 69.777003][ T5860] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 69.783317][ T5860] ? print_report+0x502/0x550
[ 69.787979][ T5860] check_panic_on_warn+0x86/0xb0
[ 69.792906][ T5860] ? binder_add_device+0x5f/0xa0
[ 69.797834][ T5860] end_report+0x77/0x160
[ 69.802063][ T5860] kasan_report+0x154/0x180
[ 69.806550][ T5860] ? binder_add_device+0x5f/0xa0
[ 69.811479][ T5860] binder_add_device+0x5f/0xa0
[ 69.816238][ T5860] binderfs_binder_device_create+0x7bf/0x9c0
[ 69.822211][ T5860] binderfs_fill_super+0x944/0xd90
[ 69.827314][ T5860] ? __pfx_binderfs_fill_super+0x10/0x10
[ 69.832942][ T5860] ? shrinker_register+0x160/0x230
[ 69.838040][ T5860] ? sget_fc+0x909/0x9c0
[ 69.842268][ T5860] ? __pfx_set_anon_super_fc+0x10/0x10
[ 69.847713][ T5860] ? __pfx_binderfs_fill_super+0x10/0x10
[ 69.853334][ T5860] get_tree_nodev+0xb7/0x140
[ 69.857913][ T5860] vfs_get_tree+0x90/0x2b0
[ 69.862321][ T5860] do_new_mount+0x2be/0xb40
[ 69.866830][ T5860] ? __pfx_do_new_mount+0x10/0x10
[ 69.871841][ T5860] __se_sys_mount+0x2d6/0x3c0
[ 69.876509][ T5860] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 69.882478][ T5860] ? __pfx___se_sys_mount+0x10/0x10
[ 69.887668][ T5860] ? do_syscall_64+0x100/0x230
[ 69.892418][ T5860] ? __x64_sys_mount+0x20/0xc0
[ 69.897173][ T5860] do_syscall_64+0xf3/0x230
[ 69.901664][ T5860] ? clear_bhb_loop+0x35/0x90
[ 69.906331][ T5860] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.912306][ T5860] RIP: 0033:0x7f91065816ba
[ 69.916709][ T5860] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 69.936560][ T5860] RSP: 002b:00007ffc27214878 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 69.944958][ T5860] RAX: ffffffffffffffda RBX: 00007f91065f3d49 RCX: 00007f91065816ba
[ 69.952915][ T5860] RDX: 00007f91065ff2fa RSI: 00007f91065f3d49 RDI: 00007f91065ff2fa
[ 69.960870][ T5860] RBP: 00007f91065f3f58 R08: 0000000000000000 R09: 00000000000001ff
[ 69.968828][ T5860] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f91065de068
[ 69.976793][ T5860] R13: 00007f91065de048 R14: 0000000000000009 R15: 0000000000000000
[ 69.984760][ T5860] </TASK>
[ 69.988002][ T5860] Kernel Offset: disabled
[ 69.992328][ T5860] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3133803738=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 29f61fceff
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=29f61fceff5d68b408b9086bff96ca036b503584 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241205-000301'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"29f61fceff5d68b408b9086bff96ca036b503584\"
/usr/bin/ld: /tmp/cc3sNiex.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=108121b0580000


Tested on:

commit: bb066fe8 Merge tag 'pci-v6.14-fixes-2' of git://git.ke..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=e1a4da81be23f09e
dashboard link: https://syzkaller.appspot.com/bug?extid=882589c97d51a9de68eb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10f8e4a4580000

Yun Lu
Mar 9, 2025, 10:13:01 PM
to syzbot+882589...@syzkaller.appspotmail.com, Liam.H...@oracle.com, ak...@linux-foundation.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com

syzbot
Mar 9, 2025, 11:20:05 PM
to ak...@linux-foundation.org, liam.h...@oracle.com, linux-...@vger.kernel.org, lu...@kylinos.cn, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: rcu detected stall in worker_thread

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: (detected by 0, t=10506 jiffies, g=14277, q=1212 ncpus=2)
rcu: All QSes seen, last rcu_preempt kthread activity 10506 (4294962116-4294951610), jiffies_till_next_fqs=1, root ->qsmask 0x0
rcu: rcu_preempt kthread starved for 10506 jiffies! g14277 f0x2 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1
rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt state:R running task stack:25784 pid:18 tgid:18 ppid:2 task_flags:0x208040 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5378 [inline]
__schedule+0x190e/0x4c90 kernel/sched/core.c:6765
__schedule_loop kernel/sched/core.c:6842 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6857
schedule_timeout+0x15a/0x290 kernel/time/sleep_timeout.c:99
rcu_gp_fqs_loop+0x2df/0x1330 kernel/rcu/tree.c:2024
rcu_gp_kthread+0xa7/0x3b0 kernel/rcu/tree.c:2226
kthread+0x7a9/0x920 kernel/kthread.c:464
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
rcu: Stack dump where RCU GP kthread last ran:
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 1162 Comm: kworker/u8:8 Not tainted 6.14.0-rc6-syzkaller-g80e54e84911a-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:memset_orig+0x75/0xb0 arch/x86/lib/memset_64.S:90
Code: 89 47 30 48 89 47 38 48 8d 7f 40 75 d8 0f 1f 84 00 00 00 00 00 89 d1 83 e1 38 74 14 c1 e9 03 66 0f 1f 44 00 00 ff c9 48 89 07 <48> 8d 7f 08 75 f5 83 e2 07 74 0a ff ca 88 07 48 8d 7f 01 75 f6 4c
RSP: 0018:ffffc90000a28cd0 EFLAGS: 00000002
RAX: 0000000000000000 RBX: 1ffff110170e58ca RCX: 0000000000000001
RDX: 0000000000000018 RSI: 0000000000000000 RDI: ffff8880286e5348
RBP: 1ffff110050dca68 R08: ffff8880286e5357 R09: 0000000000000000
R10: ffff8880286e5340 R11: ffffed10050dca6b R12: ffff8880b872c650
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8880286e5340
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc8509ffd58 CR3: 0000000032a00000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<IRQ>
rb_link_node include/linux/rbtree.h:63 [inline]
rb_add_cached include/linux/rbtree.h:182 [inline]
timerqueue_add+0x200/0x290 lib/timerqueue.c:40
__run_hrtimer kernel/time/hrtimer.c:1818 [inline]
__hrtimer_run_queues+0x6cb/0xd30 kernel/time/hrtimer.c:1865
hrtimer_interrupt+0x403/0xa40 kernel/time/hrtimer.c:1927
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1038 [inline]
__sysvec_apic_timer_interrupt+0x110/0x420 arch/x86/kernel/apic/apic.c:1055
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1049
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:stack_trace_consume_entry+0x5/0x280 kernel/stacktrace.c:83
Code: ff ff ff e8 bd b4 4c 0a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 18 48 89 fb 48 ba 00 00 00 00
RSP: 0018:ffffc90003d9f330 EFLAGS: 00000282
RAX: ffffffff8129d67a RBX: ffffc90003d9f340 RCX: ffffffff917cc000
RDX: ffffffff9197e501 RSI: ffffffff8129d67a RDI: ffffc90003d9f420
RBP: ffffc90003d9f3d0 R08: ffffc90003d9f39f R09: 0000000000000000
R10: ffffc90003d9f390 R11: ffffffff81ab43c0 R12: ffff888026f63c00
R13: ffffffff81ab43c0 R14: ffffc90003d9f420 R15: 0000000000000000
arch_stack_walk+0x10e/0x150 arch/x86/kernel/stacktrace.c:27
stack_trace_save+0x118/0x1d0 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4609 [inline]
kfree+0x196/0x430 mm/slub.c:4757
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1582 [inline]
ieee80211_ibss_rx_queued_mgmt+0x1b25/0x2d70 net/mac80211/ibss.c:1608
ieee80211_iface_process_skb net/mac80211/iface.c:1612 [inline]
ieee80211_iface_work+0x8dc/0xf90 net/mac80211/iface.c:1666
cfg80211_wiphy_work+0x2f0/0x490 net/wireless/core.c:435
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3319
worker_thread+0x870/0xd30 kernel/workqueue.c:3400
kthread+0x7a9/0x920 kernel/kthread.c:464
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: 80e54e84 Linux 6.14-rc6
console output: https://syzkaller.appspot.com/x/log.txt?x=102d9fa0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=cefb44c3bbe3e2a0
dashboard link: https://syzkaller.appspot.com/bug?extid=882589c97d51a9de68eb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14999fa0580000
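A small triage script for the stall header in the retest above, added here as an example; it is not part of syzbot, syzkaller or the kernel. It pulls the fields out of the "rcu: INFO: ... detected stalls" block and the NMI backtrace that follows it, and distinguishes a starved grace-period kthread (the shape in this retest: "All QSes seen", root ->qsmask 0x0, "kthread starved", with the backtrace of the CPU the kthread last ran on showing the worker that was occupying it) from a CPU that has not passed through a quiescent state, since the two point the reader at different stack dumps. The first sample is copied from the report above; the second sample, the function names and the field names are my own and only illustrate the other shape.

```python
"""Triage helper for RCU stall headers in syzbot console output. Added example, not
syzbot's or the kernel's code: parses the "rcu: INFO: ... detected stalls" block and the
NMI backtrace after it, and separates a starved GP kthread from a CPU holding up the GP."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER_RE = re.compile(r"rcu: INFO: (\w+) detected stalls on CPUs/tasks:")
DETECT_RE = re.compile(r"\(detected by (\d+), t=(\d+) jiffies, g=(\d+), q=(\d+) ncpus=(\d+)\)")
ALLQS_RE = re.compile(r"All QSes seen.*root ->qsmask (0x[0-9a-fA-F]+)")
STARVED_RE = re.compile(r"kthread starved for (\d+) jiffies!.*?(RCU_GP_\w+)\(\d+\).*->cpu=(\d+)")
PERCPU_RE = re.compile(r"rcu:\s+(\d+)-\S+: \(")  # per-CPU entry, e.g. "rcu: \t1-...!: (1 GPs behind)"
NMI_RE = re.compile(r"NMI backtrace for cpu (\d+)")
COMM_RE = re.compile(r"CPU: (\d+) .*PID: (\d+) Comm: (\S+)")
WQ_RE = re.compile(r"Workqueue: \S+ (\S+)")


@dataclass
class RcuStall:
    flavor: str                          # rcu_preempt or rcu_sched
    detected_by: Optional[int] = None
    t_jiffies: Optional[int] = None      # seconds = jiffies / CONFIG_HZ from the linked .config
    gp: Optional[int] = None
    q: Optional[int] = None
    ncpus: Optional[int] = None
    all_qses_seen: bool = False
    root_qsmask: Optional[int] = None
    starved_jiffies: Optional[int] = None
    gp_state: Optional[str] = None       # e.g. RCU_GP_WAIT_FQS
    last_cpu: Optional[int] = None       # CPU the GP kthread last ran on
    stalled_cpus: List[int] = field(default_factory=list)
    hog_pid: Optional[int] = None        # task the NMI backtrace found on last_cpu
    hog_comm: Optional[str] = None
    hog_workqueue: Optional[str] = None


def parse_rcu_stall(log: str) -> Optional[RcuStall]:
    """Return the first stall report in `log`, or None if there is none."""
    stall: Optional[RcuStall] = None
    nmi_cpu: Optional[int] = None
    for line in log.splitlines():
        if m := HEADER_RE.search(line):
            stall = RcuStall(flavor=m.group(1))
        elif stall is None:
            continue
        elif m := DETECT_RE.search(line):
            stall.detected_by, stall.t_jiffies, stall.gp, stall.q, stall.ncpus = map(int, m.groups())
        elif m := ALLQS_RE.search(line):
            stall.all_qses_seen, stall.root_qsmask = True, int(m.group(1), 16)
        elif m := STARVED_RE.search(line):
            stall.starved_jiffies, stall.gp_state, stall.last_cpu = int(m.group(1)), m.group(2), int(m.group(3))
        elif m := PERCPU_RE.search(line):
            stall.stalled_cpus.append(int(m.group(1)))
        elif m := NMI_RE.search(line):
            nmi_cpu = int(m.group(1))
        elif (m := COMM_RE.search(line)) and nmi_cpu is not None and nmi_cpu == stall.last_cpu:
            # Only the backtrace of the CPU the GP kthread last ran on names the hog.
            stall.hog_pid, stall.hog_comm = int(m.group(2)), m.group(3)
        elif (m := WQ_RE.search(line)) and stall.hog_comm and stall.hog_workqueue is None:
            stall.hog_workqueue = m.group(1)
    return stall


def classify(stall: RcuStall) -> str:
    """Name the stall shape so the right stack dump gets read first."""
    if stall.starved_jiffies is not None and stall.all_qses_seen and stall.root_qsmask == 0:
        # Every CPU already reported a quiescent state; the GP kthread simply never got
        # scheduled. Read "Stack dump where RCU GP kthread last ran" for the hog on last_cpu.
        return "gp-kthread-starved"
    if stall.stalled_cpus:
        # Some CPU still owes a quiescent state (RCU read-side section, or spinning with
        # preemption off): read that CPU's own backtrace instead.
        return "cpu-stalled"
    return "unknown"


# Constructed sample: header and NMI-backtrace lines of the retest report above,
# copied verbatim (the kernel prints a tab after "rcu:" on the detect line).
SAMPLE_STARVED = """\
rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: \t(detected by 0, t=10506 jiffies, g=14277, q=1212 ncpus=2)
rcu: All QSes seen, last rcu_preempt kthread activity 10506 (4294962116-4294951610), jiffies_till_next_fqs=1, root ->qsmask 0x0
rcu: rcu_preempt kthread starved for 10506 jiffies! g14277 f0x2 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1
rcu: Stack dump where RCU GP kthread last ran:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 1162 Comm: kworker/u8:8 Not tainted 6.14.0-rc6-syzkaller-g80e54e84911a-dirty #0
Workqueue: events_unbound cfg80211_wiphy_work
"""
# Constructed sample of the other shape (not from this thread; values made up): a per-CPU
# entry and no "kthread starved" line.
SAMPLE_CPU = """\
rcu: INFO: rcu_sched detected stalls on CPUs/tasks:
rcu: \t1-...!: (1 GPs behind) idle=0000/1/0x4000000000000000 softirq=100/100 fqs=2
rcu: \t(detected by 0, t=2602 jiffies, g=9, q=3 ncpus=2)
"""
```

For a real console log, feed the whole file to parse_rcu_stall() and look at classify() plus the hog fields. Converting the t= or "starved for" jiffies to seconds needs CONFIG_HZ from the kernel config linked in the report, which the script deliberately does not guess.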
