syzbot


BUG: soft lockup in handle_mm_fault

Status: upstream: reported on 2023/02/05 20:47
Reported-by: syzbot+183169bb1c0ca026afb0@syzkaller.appspotmail.com
First crash: 675d, last: 675d
Similar bugs (5)

Kernel      Title                                             Labels                            Repro  Cause/Fix bisect  Count  Last   Reported  Patched  Status
upstream    BUG: soft lockup in handle_mm_fault               mm                                -      -                 153    1199d  1303d     0/28     closed as dup on 2021/05/19 06:00
upstream    BUG: soft lockup in handle_mm_fault (2)           arm                               -      -                 84     1124d  1193d     0/28     auto-closed as invalid on 2022/02/12 04:15
linux-5.15  INFO: rcu detected stall in handle_mm_fault (2)   origin:upstream missing-backport  C      error             5      62d    325d      0/3      upstream: reported C repro on 2024/01/22 00:21
linux-6.1   INFO: rcu detected stall in handle_mm_fault       -                                 -      -                 1      356d   356d      0/3      auto-obsoleted due to no activity on 2024/03/30 23:28
linux-5.15  INFO: rcu detected stall in handle_mm_fault       -                                 -      -                 1      433d   433d      0/3      auto-obsoleted due to no activity on 2024/01/14 02:34

Sample crash report:
watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [syz-fuzzer:10841]
Modules linked in:
irq event stamp: 4173032
hardirqs last  enabled at (4173031): [<ffffffff8129070b>] kvm_wait arch/x86/kernel/kvm.c:799 [inline]
hardirqs last  enabled at (4173031): [<ffffffff8129070b>] kvm_wait+0x14b/0x240 arch/x86/kernel/kvm.c:779
hardirqs last disabled at (4173032): [<ffffffff81003d00>] trace_hardirqs_off_thunk+0x1a/0x1c
softirqs last  enabled at (4173020): [<ffffffff88400678>] __do_softirq+0x678/0x980 kernel/softirq.c:318
softirqs last disabled at (4172891): [<ffffffff813927d5>] invoke_softirq kernel/softirq.c:372 [inline]
softirqs last disabled at (4172891): [<ffffffff813927d5>] irq_exit+0x215/0x260 kernel/softirq.c:412
CPU: 0 PID: 10841 Comm: syz-fuzzer Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
Code: 48 89 df e8 f4 20 7f f9 e9 2e ff ff ff 48 89 df e8 e7 20 7f f9 eb 82 90 90 90 90 90 e9 07 00 00 00 0f 00 2d 14 43 4e 00 fb f4 <c3> 90 e9 07 00 00 00 0f 00 2d 04 43 4e 00 f4 c3 90 90 41 56 41 55
RSP: 0000:ffff888045527ad8 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff13e3054 RBX: ffff8880b36d74d0 RCX: 1ffff11012560532
RDX: dffffc0000000000 RSI: ffff888092b02970 RDI: ffff888092b02944
RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000286
R13: ffffed10166dae9a R14: 0000000000000001 R15: ffff8880ba02be00
FS:  000000c010a27c90(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c02a2d95d1 CR3: 00000000af2b9000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]
 kvm_wait arch/x86/kernel/kvm.c:799 [inline]
 kvm_wait+0x179/0x240 arch/x86/kernel/kvm.c:779
 pv_wait arch/x86/include/asm/paravirt.h:689 [inline]
 pv_wait_head_or_lock kernel/locking/qspinlock_paravirt.h:471 [inline]
 __pv_queued_spin_lock_slowpath+0x86a/0xae0 kernel/locking/qspinlock.c:474
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:679 [inline]
 queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:53 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:88 [inline]
 do_raw_spin_lock+0x189/0x220 kernel/locking/spinlock_debug.c:113
 spin_lock include/linux/spinlock.h:329 [inline]
 do_anonymous_page+0xbb6/0x1be0 mm/memory.c:3331
 handle_pte_fault mm/memory.c:4173 [inline]
 __handle_mm_fault+0x227a/0x41c0 mm/memory.c:4299
 handle_mm_fault+0x436/0xb10 mm/memory.c:4336
 __do_page_fault+0x68e/0xd60 arch/x86/mm/fault.c:1412
 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1205
RIP: 0033:0x46649c
Code: 00 01 00 00 48 81 c7 00 01 00 00 48 81 fb 00 01 00 00 0f 83 6e ff ff ff e9 f7 fe ff ff c5 fd ef c0 48 81 fb 00 00 00 02 73 46 <c5> fe 7f 07 c5 fe 7f 47 20 c5 fe 7f 47 40 c5 fe 7f 47 60 48 81 eb
RSP: 002b:000000c00adab9e0 EFLAGS: 00010283
RAX: 0000000000000000 RBX: 0000000000000a2f RCX: 000000000000a000
RDX: 000000c02a2d95d1 RSI: 0000000000000001 RDI: 000000c02a2d95d1
RBP: 000000c00adaba40 R08: 00007fa0ca3495b8 R09: 0000000000000000
R10: 00007fa0988fa640 R11: 0000000000000001 R12: 000000c02a2d0000
R13: 0000000000000000 R14: 000000c00023b040 R15: 0000000001153fc0
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 8102 Comm: syz-fuzzer Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
RIP: 0010:fq_flow_add_tail net/sched/sch_fq.c:138 [inline]
RIP: 0010:fq_dequeue+0x7be/0x12b0 net/sched/sch_fq.c:489
Code: 00 0f 85 a5 09 00 00 4c 89 f8 4c 8b 6d 40 48 c1 e8 03 42 80 3c 20 00 0f 85 13 09 00 00 48 8b 44 24 10 4d 89 2f 42 80 3c 20 00 <0f> 85 0d 09 00 00 48 83 bb 90 02 00 00 00 0f 84 ce 00 00 00 e8 99
RSP: 0000:ffff8880ba1071c0 EFLAGS: 00000246
RAX: 1ffff11014a11722 RBX: ffff8880a508b680 RCX: ffffffff8699cbf7
RDX: 0000000000000100 RSI: ffffffff8699cd5b RDI: ffff88809be26a18
RBP: ffff88809be269d8 R08: ffffffff8c665058 R09: 0000000000000000
R10: 0000000000000005 R11: ffffffff8c66505b R12: dffffc0000000000
R13: 0000000000000000 R14: ffff8880a508b900 R15: ffff8880a508b910
FS:  000000c0001dec90(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c02a289000 CR3: 00000000af2b9000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 dequeue_skb net/sched/sch_generic.c:282 [inline]
 qdisc_restart net/sched/sch_generic.c:385 [inline]
 __qdisc_run+0x1b9/0x1640 net/sched/sch_generic.c:403
 __dev_xmit_skb net/core/dev.c:3500 [inline]
 __dev_queue_xmit+0x1518/0x2e00 net/core/dev.c:3807
 neigh_hh_output include/net/neighbour.h:491 [inline]
 neigh_output include/net/neighbour.h:499 [inline]
 ip_finish_output2+0xb6d/0x15a0 net/ipv4/ip_output.c:230
 ip_finish_output+0xae9/0x10b0 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip_output+0x203/0x5f0 net/ipv4/ip_output.c:406
 dst_output include/net/dst.h:455 [inline]
 ip_local_out+0xaf/0x170 net/ipv4/ip_output.c:125
 ip_send_skb net/ipv4/ip_output.c:1452 [inline]
 ip_push_pending_frames+0x8b/0x140 net/ipv4/ip_output.c:1472
 icmp_push_reply+0x3bb/0x530 net/ipv4/icmp.c:398
 __icmp_send+0x11d1/0x1520 net/ipv4/icmp.c:773
 icmp_send include/net/icmp.h:47 [inline]
 __udp4_lib_rcv+0x1613/0x3180 net/ipv4/udp.c:2268
 ip_local_deliver_finish+0x495/0xc00 net/ipv4/ip_input.c:215
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip_local_deliver+0x188/0x500 net/ipv4/ip_input.c:256
 dst_input include/net/dst.h:461 [inline]
 ip_rcv_finish+0x1ca/0x2e0 net/ipv4/ip_input.c:414
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip_rcv+0xca/0x3c0 net/ipv4/ip_input.c:524
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:4954
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5066
 process_backlog+0x241/0x700 net/core/dev.c:5849
 napi_poll net/core/dev.c:6280 [inline]
 net_rx_action+0x4ac/0xfb0 net/core/dev.c:6346
 __do_softirq+0x265/0x980 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x215/0x260 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x136/0x550 arch/x86/kernel/apic/apic.c:1098
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
 </IRQ>
RIP: 0010:arch_static_branch arch/x86/include/asm/jump_label.h:23 [inline]
RIP: 0010:do_memsw_account mm/memcontrol.c:100 [inline]
RIP: 0010:mem_cgroup_commit_charge+0x211/0x4d0 mm/memcontrol.c:6065
Code: 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 0f 85 5d 02 00 00 48 83 3d a4 53 52 08 00 0f 84 b7 01 00 00 fb 66 0f 1f 44 00 00 <e9> 0f 00 00 00 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 8b 05
RSP: 0000:ffff888095007bc8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff13e3053 RBX: 0000000000000000 RCX: 1ffff11013ff31b2
RDX: dffffc0000000000 RSI: ffff88809ff98d70 RDI: ffff88809ff98d44
RBP: ffffea0001483700 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffea0001483708
R13: ffffea0001483700 R14: 0000000000000001 R15: ffff8880b59f68c0
 do_anonymous_page+0x1321/0x1be0 mm/memory.c:3350
 handle_pte_fault mm/memory.c:4173 [inline]
 __handle_mm_fault+0x227a/0x41c0 mm/memory.c:4299
 handle_mm_fault+0x436/0xb10 mm/memory.c:4336
 __do_page_fault+0x68e/0xd60 arch/x86/mm/fault.c:1412
 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1205
RIP: 0033:0x466a7c
Code: 4c 01 de 48 29 c3 c5 fe 6f 06 c5 fe 6f 4e 20 c5 fe 6f 56 40 c5 fe 6f 5e 60 48 01 c6 c5 fd 7f 07 c5 fd 7f 4f 20 c5 fd 7f 57 40 <c5> fd 7f 5f 60 48 01 c7 48 29 c3 77 cf 48 01 c3 48 01 fb c4 c1 7e
RSP: 002b:000000c02ab1b960 EFLAGS: 00010202
RAX: 0000000000000080 RBX: 0000000000002b1c RCX: 000000c0299cfb3c
RDX: 000000000000c000 RSI: 000000c0299cd020 RDI: 000000c02a288fa0
RBP: 000000c02ab1ba10 R08: 00007fa0ca349108 R09: 0000000000000000
R10: 000000c02a280000 R11: 0000000000000020 R12: 000000c02a280000
R13: 0000000000000000 R14: 000000c00023a1a0 R15: 00007fa0a13719d5

Crashes (1):

Time              Kernel        Commit        Syzkaller  Config   Log          Report  Syz repro  C repro  VM info  Assets               Manager         Title
2023/02/05 20:47  linux-4.19.y  3f8a27f9e27b  be607b78   .config  console log  report  -          -        info     disk image, vmlinux  ci2-linux-4-19  BUG: soft lockup in handle_mm_fault