general protection fault in delayed_work_timer

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
android-5-15	KASAN: use-after-free Read in delayed_work_timer_fn				1	397d	397d	0/2	auto-obsoleted due to no activity on 2024/06/26 06:44
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 6170 Comm: syz.3.1270 Not tainted 6.1.129-syzkaller-00017-g642656a36791 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:__queue_work+0x4f1/0xd70 kernel/workqueue.c:-1
Code: 39 03 0f 84 40 01 00 00 e8 cc 57 2a 00 4c 89 e7 e8 34 46 d7 03 49 bd 00 00 00 00 00 fc ff df 4c 8b 65 d0 4c 89 f0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 f7 e8 20 07 72 00 49 8b 3e e8 e8 3e d7
RSP: 0018:ffffc900001b0c78 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 000000007fffffff RCX: ffff88810d3b2880
RDX: 0000000000000100 RSI: 000000007fffffff RDI: 000000007fffffff
RBP: ffffc900001b0d00 R08: ffffffff814ae03b R09: 0000000000000007
R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff88810d3c89c8
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88810d3c89e0
FS:  00007f4e782976c0(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00002000005f2030 CR3: 000000011a1ec000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 delayed_work_timer_fn+0x61/0x80 kernel/workqueue.c:1653
 call_timer_fn+0x3b/0x2d0 kernel/time/timer.c:1510
 expire_timers kernel/time/timer.c:1550 [inline]
 __run_timers+0x756/0xa10 kernel/time/timer.c:1826
 run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1839
 handle_softirqs+0x1db/0x650 kernel/softirq.c:624
 __do_softirq kernel/softirq.c:662 [inline]
 invoke_softirq kernel/softirq.c:479 [inline]
 __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:711
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:723
 instr_sysvec_call_function_single arch/x86/kernel/smp.c:262 [inline]
 sysvec_call_function_single+0xa6/0xc0 arch/x86/kernel/smp.c:262
 </IRQ>
 <TASK>
 asm_sysvec_call_function_single+0x1b/0x20 arch/x86/include/asm/idtentry.h:699
RIP: 0010:clear_page_erms+0x7/0x10 arch/x86/lib/clear_page_64.S:50
Code: 48 89 47 18 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 c3 0f 1f 80 00 00 00 00 b9 00 10 00 00 31 c0 <f3> aa c3 66 0f 1f 44 00 00 89 c8 48 c1 e9 03 74 18 0f 1f 84 00 00
RSP: 0018:ffffc9000ff96ec0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffea0004dbf140 RCX: 00000000000001c0
RDX: ffff888136fc5000 RSI: 0000000000000001 RDI: ffff888136fc5e40
RBP: ffffc9000ff96f00 R08: dffffc0000000000 R09: ffffed1026df8a00
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000001
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
 prep_new_page+0x1b/0x110 mm/page_alloc.c:2644
 get_page_from_freelist+0x3a98/0x3b10 mm/page_alloc.c:4539
 __alloc_pages+0x234/0x610 mm/page_alloc.c:5837
 __folio_alloc+0x15/0x40 mm/page_alloc.c:5869
 __folio_alloc_node include/linux/gfp.h:245 [inline]
 folio_alloc include/linux/gfp.h:274 [inline]
 alloc_page_vma include/linux/gfp.h:283 [inline]
 wp_page_copy+0x23b/0x1690 mm/memory.c:3202
 do_wp_page+0xc5c/0xf30 mm/memory.c:-1
 handle_pte_fault mm/memory.c:5175 [inline]
 __handle_mm_fault mm/memory.c:5299 [inline]
 handle_mm_fault+0x15e0/0x30e0 mm/memory.c:5439
 do_user_addr_fault arch/x86/mm/fault.c:1374 [inline]
 handle_page_fault arch/x86/mm/fault.c:1466 [inline]
 exc_page_fault+0x24d/0x6d0 arch/x86/mm/fault.c:1522
 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:608
RIP: 0010:__put_user_nocheck_4+0x3/0x11
Code: 00 00 48 39 d9 73 54 0f 01 cb 66 89 01 31 c9 0f 01 ca c3 0f 1f 44 00 00 48 bb fd ef ff ff ff 7f 00 00 48 39 d9 73 34 0f 01 cb <89> 01 31 c9 0f 01 ca c3 66 0f 1f 44 00 00 48 bb f9 ef ff ff ff 7f
RSP: 0018:ffffc9000ff97918 EFLAGS: 00050202
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00002000005f2030
RDX: ffff88810d3b2880 RSI: 0000000000000002 RDI: 00000000ffffffff
RBP: ffffc9000ff97a90 R08: ffffffff84029ced R09: fffff52001ff2ed5
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000002
R13: 00002000005f2000 R14: 0000000000000000 R15: ffffffff8474e490
 ___sys_recvmsg net/socket.c:2770 [inline]
 do_recvmmsg+0x46d/0xab0 net/socket.c:2864
 __sys_recvmmsg net/socket.c:2943 [inline]
 __do_sys_recvmmsg net/socket.c:2966 [inline]
 __se_sys_recvmmsg net/socket.c:2959 [inline]
 __x64_sys_recvmmsg+0x195/0x240 net/socket.c:2959
 x64_sys_call+0x7e5/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:300
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f4e7738e169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4e78297038 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007f4e775b6080 RCX: 00007f4e7738e169
RDX: 03fffffffffffcb5 RSI: 00002000000000c0 RDI: 0000000000000003
RBP: 00007f4e77410a68 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f4e775b6080 R15: 00007ffce183e528
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__queue_work+0x4f1/0xd70 kernel/workqueue.c:-1
Code: 39 03 0f 84 40 01 00 00 e8 cc 57 2a 00 4c 89 e7 e8 34 46 d7 03 49 bd 00 00 00 00 00 fc ff df 4c 8b 65 d0 4c 89 f0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 f7 e8 20 07 72 00 49 8b 3e e8 e8 3e d7
RSP: 0018:ffffc900001b0c78 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 000000007fffffff RCX: ffff88810d3b2880
RDX: 0000000000000100 RSI: 000000007fffffff RDI: 000000007fffffff
RBP: ffffc900001b0d00 R08: ffffffff814ae03b R09: 0000000000000007
R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff88810d3c89c8
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88810d3c89e0
FS:  00007f4e782976c0(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00002000005f2030 CR3: 000000011a1ec000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	39 03                	cmp    %eax,(%rbx)
   2:	0f 84 40 01 00 00    	je     0x148
   8:	e8 cc 57 2a 00       	call   0x2a57d9
   d:	4c 89 e7             	mov    %r12,%rdi
  10:	e8 34 46 d7 03       	call   0x3d74649
  15:	49 bd 00 00 00 00 00 	movabs $0xdffffc0000000000,%r13
  1c:	fc ff df
  1f:	4c 8b 65 d0          	mov    -0x30(%rbp),%r12
  23:	4c 89 f0             	mov    %r14,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	4c 89 f7             	mov    %r14,%rdi
  34:	e8 20 07 72 00       	call   0x720759
  39:	49 8b 3e             	mov    (%r14),%rdi
  3c:	e8                   	.byte 0xe8
  3d:	e8                   	.byte 0xe8
  3e:	3e d7                	xlat   %ds:(%rbx)
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2025/04/23 08:30	android14-6.1	642656a36791	53a8b9bd	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-android-6-1	general protection fault in delayed_work_timer_fn
2025/02/17 23:58	android14-6.1	ccc915784332	429ea007	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-android-6-1	general protection fault in delayed_work_timer_fn