Hello,
syzbot found the following issue on:
HEAD commit: 29f02ec58a94 Linux 6.1.121
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=105152f8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c8697877836e1705
dashboard link: https://syzkaller.appspot.com/bug?extid=a31f511d0ff058ae59c2
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/632e77126918/disk-29f02ec5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/83f3846b30db/vmlinux-29f02ec5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/06b9420d9530/bzImage-29f02ec5.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a31f51...@syzkaller.appspotmail.com
loop4: detected capacity change from 0 to 4096
ntfs3: loop4: Different NTFS' sector size (1024) and media sector size (512)
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: preempt_schedule_irq+0x1b8/0x1c0
CPU: 1 PID: 6101 Comm: syz.4.396 Tainted: G W 6.1.121-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
panic+0x318/0x764 kernel/panic.c:339
__stack_chk_fail+0x10/0x10 kernel/panic.c:767
preempt_schedule_irq+0x1b8/0x1c0
irqentry_exit+0x53/0x80 kernel/entry/common.c:439
asm_sysvec_reschedule_ipi+0x16/0x20 arch/x86/include/asm/idtentry.h:696
RIP: 0010:lock_is_held_type+0x137/0x180
Code: 75 40 48 c7 04 24 00 00 00 00 9c 8f 04 24 f7 04 24 00 02 00 00 75 46 41 f7 c4 00 02 00 00 74 01 fb 65 48 8b 04 25 28 00 00 00 <48> 3b 44 24 08 75 3c 89 e8 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f
RSP: 0018:ffffc9000d05f938 EFLAGS: 00000206
RAX: 62a750ff17957e00 RBX: 0000000000000001 RCX: ffff88802cc63b80
RDX: 0000000000000000 RSI: ffffffff8b0c14c0 RDI: ffffffff8b5e6400
RBP: 0000000000000000 R08: ffffffff81b8d9ad R09: fffff9400028ff69
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000246
R13: ffff88802cc63b80 R14: 00000000ffffffff R15: ffffffff8d32b0e0
lock_is_held include/linux/lockdep.h:283 [inline]
__might_resched+0xa1/0x780 kernel/sched/core.c:9917
kmap include/linux/highmem-internal.h:166 [inline]
ntfs_map_page+0x45/0x60 fs/ntfs3/ntfs_fs.h:908
ntfs_fill_super+0x36ec/0x4410 fs/ntfs3/super.c:1152
get_tree_bdev+0x3fe/0x620 fs/super.c:1366
vfs_get_tree+0x88/0x270 fs/super.c:1573
do_new_mount+0x2ba/0xb40 fs/namespace.c:3056
do_mount fs/namespace.c:3399 [inline]
__do_sys_mount fs/namespace.c:3607 [inline]
__se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3584
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fbf4dd874ca
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbf4eb97e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fbf4eb97ef0 RCX: 00007fbf4dd874ca
RDX: 0000000020000040 RSI: 0000000020000980 RDI: 00007fbf4eb97eb0
RBP: 0000000020000040 R08: 00007fbf4eb97ef0 R09: 0000000000800000
R10: 0000000000800000 R11: 0000000000000246 R12: 0000000020000980
R13: 00007fbf4eb97eb0 R14: 000000000001f837 R15: 0000000020000640
</TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..
----------------
Code disassembly (best guess):
0: 75 40 jne 0x42
2: 48 c7 04 24 00 00 00 movq $0x0,(%rsp)
9: 00
a: 9c pushf
b: 8f 04 24 pop (%rsp)
e: f7 04 24 00 02 00 00 testl $0x200,(%rsp)
15: 75 46 jne 0x5d
17: 41 f7 c4 00 02 00 00 test $0x200,%r12d
1e: 74 01 je 0x21
20: fb sti
21: 65 48 8b 04 25 28 00 mov %gs:0x28,%rax
28: 00 00
* 2a: 48 3b 44 24 08 cmp 0x8(%rsp),%rax <-- trapping instruction
2f: 75 3c jne 0x6d
31: 89 e8 mov %ebp,%eax
33: 48 83 c4 10 add $0x10,%rsp
37: 5b pop %rbx
38: 41 5c pop %r12
3a: 41 5d pop %r13
3c: 41 5e pop %r14
3e: 41 5f pop %r15
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup