syzbot

 sign-in | mailing list | source | docs
🐞 Open [98]
🐞 Fixed [1]
🐞 Invalid [146]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

general protection fault in delayed_work_timer_fn

Status: premoderation: reported on 2025/02/17 23:58
Reported-by: syzbot+0177878f98c100ff97cd@syzkaller.appspotmail.com
First crash: 5d23h, last: 5d23h
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-15 KASAN: use-after-free Read in delayed_work_timer_fn 1 332d 332d 0/2 auto-obsoleted due to no activity on 2024/06/26 06:44

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 869 Comm: syz.2.150 Not tainted 6.1.124-syzkaller-00008-gccc915784332 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:__queue_work+0x4f1/0xd70
Code: 39 03 0f 84 40 01 00 00 e8 5c 6c 2a 00 4c 89 e7 e8 64 49 d7 03 49 bd 00 00 00 00 00 fc ff df 4c 8b 65 d0 4c 89 f0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 f7 e8 70 09 72 00 49 8b 3e e8 18 42 d7
RSP: 0018:ffffc900001b0c78 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 000000007fffffff RCX: ffff888117edbcc0
RDX: 0000000000000100 RSI: 000000007fffffff RDI: 000000007fffffff
RBP: ffffc900001b0d00 R08: ffffffff814b261b R09: 0000000000000007
R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff8881132c09c8
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881132c09e0
FS:  00007f12267ff6c0(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e11fffc CR3: 000000010f71f000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 delayed_work_timer_fn+0x61/0x80 kernel/workqueue.c:1653
 call_timer_fn+0x3b/0x2d0 kernel/time/timer.c:1510
 expire_timers kernel/time/timer.c:1550 [inline]
 __run_timers+0x756/0xa10 kernel/time/timer.c:1826
 run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1839
 handle_softirqs+0x1db/0x650 kernel/softirq.c:617
 __do_softirq kernel/softirq.c:655 [inline]
 invoke_softirq kernel/softirq.c:472 [inline]
 __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:704
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:716
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
 sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:clear_page_erms+0x7/0x10 arch/x86/lib/clear_page_64.S:50
Code: 48 89 47 18 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 c3 0f 1f 80 00 00 00 00 b9 00 10 00 00 31 c0 <f3> aa c3 66 0f 1f 44 00 00 89 c8 48 c1 e9 03 74 18 0f 1f 84 00 00
RSP: 0018:ffffc9000fe6ed00 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffea0004c8dc80 RCX: 0000000000000f80
RDX: ffff888132372000 RSI: 0000000000000001 RDI: ffff888132372080
RBP: ffffc9000fe6ed40 R08: dffffc0000000000 R09: ffffed102646e400
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000001
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
 prep_new_page+0x1b/0x110 mm/page_alloc.c:2644
 get_page_from_freelist+0x3a98/0x3b10 mm/page_alloc.c:4539
 __alloc_pages+0x234/0x610 mm/page_alloc.c:5837
 __folio_alloc+0x15/0x40 mm/page_alloc.c:5869
 __folio_alloc_node include/linux/gfp.h:245 [inline]
 folio_alloc include/linux/gfp.h:274 [inline]
 shmem_alloc_folio mm/shmem.c:1597 [inline]
 shmem_alloc_and_acct_folio+0x78c/0xa50 mm/shmem.c:1622
 shmem_get_folio_gfp+0x12d4/0x24b0 mm/shmem.c:1951
 shmem_fault+0x1f7/0x840 mm/shmem.c:2166
 __do_fault mm/memory.c:4359 [inline]
 do_read_fault mm/memory.c:4725 [inline]
 do_fault+0xbc5/0x1f10 mm/memory.c:4861
 handle_pte_fault mm/memory.c:5157 [inline]
 __handle_mm_fault mm/memory.c:5299 [inline]
 handle_mm_fault+0x189f/0x30e0 mm/memory.c:5439
 faultin_page mm/gup.c:1009 [inline]
 __get_user_pages+0x377/0xf20 mm/gup.c:1233
 populate_vma_page_range mm/gup.c:1590 [inline]
 __mm_populate+0x375/0x570 mm/gup.c:1704
 mm_populate include/linux/mm.h:3061 [inline]
 vm_mmap_pgoff+0x290/0x430 mm/util.c:530
 ksys_mmap_pgoff+0xed/0x1e0 mm/mmap.c:1520
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:93 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
 __x64_sys_mmap+0x103/0x120 arch/x86/kernel/sys_x86_64.c:86
 x64_sys_call+0x67/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:10
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f122698cde9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f12267ff038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f1226ba5fa0 RCX: 00007f122698cde9
RDX: b635773f06ebbeee RSI: 0000000000b36000 RDI: 0000400000000000
RBP: 00007f1226a0e2a0 R08: ffffffffffffffff R09: 0000000000000000
R10: 0000000000008031 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f1226ba5fa0 R15: 00007ffca35d4ac8
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__queue_work+0x4f1/0xd70
Code: 39 03 0f 84 40 01 00 00 e8 5c 6c 2a 00 4c 89 e7 e8 64 49 d7 03 49 bd 00 00 00 00 00 fc ff df 4c 8b 65 d0 4c 89 f0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 f7 e8 70 09 72 00 49 8b 3e e8 18 42 d7
RSP: 0018:ffffc900001b0c78 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 000000007fffffff RCX: ffff888117edbcc0
RDX: 0000000000000100 RSI: 000000007fffffff RDI: 000000007fffffff
RBP: ffffc900001b0d00 R08: ffffffff814b261b R09: 0000000000000007
R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff8881132c09c8
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881132c09e0
FS:  00007f12267ff6c0(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e11fffc CR3: 000000010f71f000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	39 03                	cmp    %eax,(%rbx)
   2:	0f 84 40 01 00 00    	je     0x148
   8:	e8 5c 6c 2a 00       	call   0x2a6c69
   d:	4c 89 e7             	mov    %r12,%rdi
  10:	e8 64 49 d7 03       	call   0x3d74979
  15:	49 bd 00 00 00 00 00 	movabs $0xdffffc0000000000,%r13
  1c:	fc ff df
  1f:	4c 8b 65 d0          	mov    -0x30(%rbp),%r12
  23:	4c 89 f0             	mov    %r14,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	4c 89 f7             	mov    %r14,%rdi
  34:	e8 70 09 72 00       	call   0x7209a9
  39:	49 8b 3e             	mov    (%r14),%rdi
  3c:	e8                   	.byte 0xe8
  3d:	18 42 d7             	sbb    %al,-0x29(%rdx)

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/02/17 23:58 android14-6.1 ccc915784332 429ea007 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 general protection fault in delayed_work_timer_fn
* Struck through repros no longer work on HEAD.