Hello,
syzbot found the following crash on:
HEAD commit: 1ec8f1f0 Linux 4.14.111
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12e0dbaf200000
kernel config: https://syzkaller.appspot.com/x/.config?x=fdadf290ea9fc6f9
dashboard link: https://syzkaller.appspot.com/bug?extid=ffc77f30e970c28b2bc8
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ffc77f...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
kobject: 'loop2' (ffff8880a499b1e0): kobject_uevent_env
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 7307 Comm: kworker/u4:6 Not tainted 4.14.111 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: tipc_send tipc_send_work
task: ffff8880653ae580 task.stack: ffff8880653b0000
RIP: 0010:atomic_inc arch/x86/include/asm/atomic.h:92 [inline]
RIP: 0010:__lock_acquire+0x20c/0x45e0 kernel/locking/lockdep.c:3378
kobject: 'loop2' (ffff8880a499b1e0): fill_kobj_path: path = '/devices/virtual/block/loop2'
RSP: 0018:ffff8880653b7830 EFLAGS: 00010086
RAX: dead4ead00000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 1ffffffff0ec605f RSI: 0000000000000000 RDI: ffffffff876302f8
RBP: ffff8880653b79e0 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: ffff8880653ae580 R12: ffffffff876302f0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2ce22000 CR3: 0000000090ac9000 CR4: 00000000001406e0
kobject: 'loop4' (ffff8880a4a3c1a0): kobject_uevent_env
Call Trace:
kobject: 'loop4' (ffff8880a4a3c1a0): fill_kobj_path: path = '/devices/virtual/block/loop4'
lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:160
lock_timer_base+0x5a/0x190 kernel/time/timer.c:921
kobject: 'loop5' (ffff8880a4a96aa0): kobject_uevent_env
del_timer kernel/time/timer.c:1153 [inline]
del_timer+0x96/0xf0 kernel/time/timer.c:1144
kobject: 'loop5' (ffff8880a4a96aa0): fill_kobj_path: path = '/devices/virtual/block/loop5'
tipc_subscrb_subscrp_delete+0x16a/0x3a0 net/tipc/subscr.c:207
tipc_subscrb_delete net/tipc/subscr.c:238 [inline]
tipc_subscrb_release_cb+0x18/0x30 net/tipc/subscr.c:316
tipc_close_conn+0x179/0x210 net/tipc/server.c:203
tipc_send_to_sock net/tipc/server.c:538 [inline]
tipc_send_work+0x470/0x5a0 net/tipc/server.c:564
process_one_work+0x868/0x1610 kernel/workqueue.c:2114
worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
kthread+0x31c/0x430 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402
Code: 00 fc ff df 41 89 f5 4b 8d 7c ec 08 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 63 2e 00 00 4b 8b 44 ec 08 48 85 c0 0f 84 15 ff ff ff <f0> ff 80 38 01 00 00 49 8d b3 78 08 00 00 48 ba 00 00 00 00 00
RIP: atomic_inc arch/x86/include/asm/atomic.h:92 [inline] RSP: ffff8880653b7830
RIP: __lock_acquire+0x20c/0x45e0 kernel/locking/lockdep.c:3378 RSP: ffff8880653b7830
---[ end trace e3c5188702d61999 ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.