[moderation] [mm?] [cgroups?] general protection fault in __refill_obj_stock

0 views
Skip to first unread message

syzbot

unread,
Jul 3, 2026, 1:41:33 PM (17 hours ago) Jul 3
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: dc59e4fea9d8 Linux 7.2-rc1
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17d24376580000
kernel config: https://syzkaller.appspot.com/x/.config?x=eb3cf873145f98c4
dashboard link: https://syzkaller.appspot.com/bug?extid=a6c762e85b4793137b4e
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
CC: [ak...@linux-foundation.org cgr...@vger.kernel.org han...@cmpxchg.org linux-...@vger.kernel.org linu...@kvack.org mho...@kernel.org muchu...@linux.dev roman.g...@linux.dev shakee...@linux.dev]

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e6fd87236296/disk-dc59e4fe.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2fe0c301e8fc/vmlinux-dc59e4fe.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f0d204932e98/bzImage-dc59e4fe.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a6c762...@syzkaller.appspotmail.com

Oops: general protection fault, probably for non-canonical address 0xe01551554015555b: 0000 [#1] SMP KASAN PTI
KASAN: maybe wild-memory-access in range [0x00aaaaaa00aaaad8-0x00aaaaaa00aaaadf]
CPU: 0 UID: 0 PID: 5632 Comm: syz-executor Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
RIP: 0010:obj_cgroup_is_root include/linux/memcontrol.h:525 [inline]
RIP: 0010:obj_cgroup_get_many include/linux/memcontrol.h:761 [inline]
RIP: 0010:obj_cgroup_get include/linux/memcontrol.h:767 [inline]
RIP: 0010:__refill_obj_stock+0x9a/0x5f0 mm/memcontrol.c:3432
Code: 83 c5 01 49 83 c5 08 83 fd 05 75 bc 83 f9 ff 0f 84 3b 02 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7f 30 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 06 0f 8e ec 04 00 00 41 80 7f 30 00 0f 84 68
RSP: 0018:ffffc9000400f8e0 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000004
RDX: 001555554015555b RSI: ffff8880b843cb80 RDI: 00aaaaaa00aaaada
RBP: 0000000000000005 R08: 0000000000000001 R09: 000000000000086e
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880b843cb80
R13: ffff8880b843cbf8 R14: 0000000000004000 R15: 00aaaaaa00aaaaaa
FS: 000055557c095500(0000) GS:ffff8881242e7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe6c47eb078 CR3: 00000000735b2000 CR4: 00000000003526f0
Call Trace:
<TASK>
refill_obj_stock mm/memcontrol.c:3467 [inline]
obj_cgroup_uncharge+0x28/0x40 mm/memcontrol.c:3525
pcpu_memcg_free_hook mm/percpu.c:1667 [inline]
free_percpu mm/percpu.c:2261 [inline]
free_percpu+0x317/0x1510 mm/percpu.c:2232
xt_percpu_counter_free+0x9f/0xd0 net/netfilter/x_tables.c:2157
cleanup_entry+0x2b7/0x380 net/ipv4/netfilter/ip_tables.c:654
__do_replace+0x6c3/0x980 net/ipv4/netfilter/ip_tables.c:1080
do_replace net/ipv4/netfilter/ip_tables.c:1139 [inline]
do_ipt_set_ctl+0x95b/0xbc0 net/ipv4/netfilter/ip_tables.c:1634
nf_setsockopt+0x8d/0xf0 net/netfilter/nf_sockopt.c:101
ip_setsockopt+0xcb/0xf0 net/ipv4/ip_sockglue.c:1424
tcp_setsockopt+0xa7/0x100 net/ipv4/tcp.c:4179
do_sock_setsockopt+0xf3/0x1d0 net/socket.c:2368
__sys_setsockopt+0x119/0x190 net/socket.c:2393
__do_sys_setsockopt net/socket.c:2399 [inline]
__se_sys_setsockopt net/socket.c:2396 [inline]
__x64_sys_setsockopt+0xbd/0x160 net/socket.c:2396
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x115/0x840 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe6c459e69a
Code: 48 83 ec 10 48 63 c9 48 63 ff 45 89 c9 6a 2c e8 6c 99 fb ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 49 89 ca b8 36 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 e8 ff ff ff f7
RSP: 002b:00007ffd91db09c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007ffd91db0a50 RCX: 00007fe6c459e69a
RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000003 R08: 00000000000002d8 R09: 0000000000000000
R10: 00007fe6c47eb020 R11: 0000000000000202 R12: 00007fe6c47eafc0
R13: 00007ffd91db09ec R14: 0000000000000000 R15: 00007fe6c47ed180
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:obj_cgroup_is_root include/linux/memcontrol.h:525 [inline]
RIP: 0010:obj_cgroup_get_many include/linux/memcontrol.h:761 [inline]
RIP: 0010:obj_cgroup_get include/linux/memcontrol.h:767 [inline]
RIP: 0010:__refill_obj_stock+0x9a/0x5f0 mm/memcontrol.c:3432
Code: 83 c5 01 49 83 c5 08 83 fd 05 75 bc 83 f9 ff 0f 84 3b 02 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7f 30 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 06 0f 8e ec 04 00 00 41 80 7f 30 00 0f 84 68
RSP: 0018:ffffc9000400f8e0 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000004
RDX: 001555554015555b RSI: ffff8880b843cb80 RDI: 00aaaaaa00aaaada
RBP: 0000000000000005 R08: 0000000000000001 R09: 000000000000086e
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880b843cb80
R13: ffff8880b843cbf8 R14: 0000000000004000 R15: 00aaaaaa00aaaaaa
FS: 000055557c095500(0000) GS:ffff8881242e7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe6c47eb078 CR3: 00000000735b2000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: 83 c5 01 add $0x1,%ebp
3: 49 83 c5 08 add $0x8,%r13
7: 83 fd 05 cmp $0x5,%ebp
a: 75 bc jne 0xffffffc8
c: 83 f9 ff cmp $0xffffffff,%ecx
f: 0f 84 3b 02 00 00 je 0x250
15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1c: fc ff df
1f: 49 8d 7f 30 lea 0x30(%r15),%rdi
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 74 06 je 0x38
32: 0f 8e ec 04 00 00 jle 0x524
38: 41 80 7f 30 00 cmpb $0x0,0x30(%r15)
3d: 0f .byte 0xf
3e: 84 .byte 0x84
3f: 68 .byte 0x68


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages