syzbot

 sign-in | mailing list | source | docs
🐞 Open [684]
🐞 Fixed [72]
🐞 Invalid [863]
Missing Backports [106]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

BUG: unable to handle kernel paging request in preempt_schedule_irq

Status: upstream: reported C repro on 2025/04/28 12:49
Bug presence: origin:upstream
[Documentation on labels]
Reported-by: syzbot+20d9f172fbffe19fe12f@syzkaller.appspotmail.com
First crash: 11d, last: 11d
Bug presence (1)
Date Name Commit Repro Result
2025/04/29 upstream (ToT) ca91b9500108 C [report] kernel panic: stack is corrupted in __schedule
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: unable to handle kernel paging request in preempt_schedule_irq kernel 1 266d 262d 0/28 auto-obsoleted due to no activity on 2024/11/14 20:10
upstream KASAN: stack-out-of-bounds Write in preempt_schedule_irq kernel 1 33d 28d 0/28 upstream: reported on 2025/04/11 13:09

Sample crash report:
loop4: detected capacity change from 0 to 4096
BUG: unable to handle page fault for address: ffffed110539a76f
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23ffef067 P4D 23ffef067 PUD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 4206 Comm: syz-executor357 Not tainted 5.15.180-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:constant_test_bit arch/x86/include/asm/bitops.h:207 [inline]
RIP: 0010:test_bit include/asm-generic/bitops/instrumented-non-atomic.h:135 [inline]
RIP: 0010:test_ti_thread_flag include/linux/thread_info.h:118 [inline]
RIP: 0010:need_resched include/linux/sched.h:2111 [inline]
RIP: 0010:preempt_schedule_irq+0xf6/0x150 kernel/sched/core.c:6783
Code: 10 b6 d4 f7 bf 01 00 00 00 e8 96 32 a8 f7 65 48 8b 1d 2e 46 59 76 48 89 df be 08 00 00 00 e8 f1 02 14 f8 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 91 48 89 df e8 4b 01 14 f8 eb 87 48 c7 04 24 0e
RSP: 0018:ffffc90002f5f9e0 EFLAGS: 00010802
RAX: 1ffff1100539a770 RBX: ffff888029cd3b80 RCX: ffffffff89a9299f
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff888029cd3b80
RBP: ffffc90002f5fa90 R08: dffffc0000000000 R09: ffffed100539a771
R10: ffffed100539a771 R11: 1ffff1100539a770 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc00ffffffff R15: 1ffff920005ebf3c
FS:  000055556afd0380(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed110539a76f CR3: 0000000022bd6000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 irqentry_exit+0x63/0x70 kernel/entry/common.c:432
 asm_sysvec_reschedule_ipi+0x16/0x20 arch/x86/include/asm/idtentry.h:681
RIP: 0010:memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:55
Code: fe ff ff 00 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 90 90 90 90 90 90 48 89 f8 48 89 d1 <f3> a4 c3 90 90 90 90 90 90 90 48 89 f8 48 83 fa 20 72 7e 40 38 fe
RSP: 0018:ffffc90002f5fb58 EFLAGS: 00010202
RAX: ffff88807bebc000 RBX: 0000000000000000 RCX: 00000000000006c0
RDX: 0000000000000a00 RSI: ffff88806e232340 RDI: ffff88807bebc340
RBP: ffffc90002f5fd28 R08: dffffc0000000000 R09: ffffed100f7d7940
R10: 0000000000000000 R11: 0000000000000140 R12: ffff88807bc6e000
R13: ffffea0001b88c80 R14: ffff88807bfd01f0 R15: 0000000000000000
 ntfs_fill_super+0x302e/0x3c10 fs/ntfs3/super.c:1153
 get_tree_bdev+0x3f1/0x610 fs/super.c:1325
 vfs_get_tree+0x88/0x270 fs/super.c:1530
 do_new_mount+0x24a/0xa40 fs/namespace.c:3012
 do_mount fs/namespace.c:3355 [inline]
 __do_sys_mount fs/namespace.c:3563 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3540
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f74c1bed71a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffc9d9dcb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f74c1bed71a
RDX: 0000200000000000 RSI: 0000200000000280 RDI: 00007fffc9d9dd10
RBP: 0000000000000004 R08: 00007fffc9d9dd50 R09: 000000000001f755
R10: 0000000002010c14 R11: 0000000000000206 R12: 0000000000200000
R13: 00007fffc9d9dd50 R14: 0000200000000280 R15: 0000000000000003
 </TASK>
Modules linked in:
CR2: ffffed110539a76f
---[ end trace ff50854c5f78486f ]---
RIP: 0010:constant_test_bit arch/x86/include/asm/bitops.h:207 [inline]
RIP: 0010:test_bit include/asm-generic/bitops/instrumented-non-atomic.h:135 [inline]
RIP: 0010:test_ti_thread_flag include/linux/thread_info.h:118 [inline]
RIP: 0010:need_resched include/linux/sched.h:2111 [inline]
RIP: 0010:preempt_schedule_irq+0xf6/0x150 kernel/sched/core.c:6783
Code: 10 b6 d4 f7 bf 01 00 00 00 e8 96 32 a8 f7 65 48 8b 1d 2e 46 59 76 48 89 df be 08 00 00 00 e8 f1 02 14 f8 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 91 48 89 df e8 4b 01 14 f8 eb 87 48 c7 04 24 0e
RSP: 0018:ffffc90002f5f9e0 EFLAGS: 00010802
RAX: 1ffff1100539a770 RBX: ffff888029cd3b80 RCX: ffffffff89a9299f
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff888029cd3b80
RBP: ffffc90002f5fa90 R08: dffffc0000000000 R09: ffffed100539a771
R10: ffffed100539a771 R11: 1ffff1100539a770 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc00ffffffff R15: 1ffff920005ebf3c
FS:  000055556afd0380(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed110539a76f CR3: 0000000022bd6000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	10 b6 d4 f7 bf 01    	adc    %dh,0x1bff7d4(%rsi)
   6:	00 00                	add    %al,(%rax)
   8:	00 e8                	add    %ch,%al
   a:	96                   	xchg   %eax,%esi
   b:	32 a8 f7 65 48 8b    	xor    -0x74b79a09(%rax),%ch
  11:	1d 2e 46 59 76       	sbb    $0x7659462e,%eax
  16:	48 89 df             	mov    %rbx,%rdi
  19:	be 08 00 00 00       	mov    $0x8,%esi
  1e:	e8 f1 02 14 f8       	call   0xf8140314
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 30 00       	cmpb   $0x0,(%rax,%r14,1) <-- trapping instruction
  2f:	74 91                	je     0xffffffc2
  31:	48 89 df             	mov    %rbx,%rdi
  34:	e8 4b 01 14 f8       	call   0xf8140184
  39:	eb 87                	jmp    0xffffffc2
  3b:	48                   	rex.W
  3c:	c7                   	.byte 0xc7
  3d:	04 24                	add    $0x24,%al
  3f:	0e                   	(bad)

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/04/28 14:15 linux-5.15.y f7347f400572 c6b4fb39 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan BUG: unable to handle kernel paging request in preempt_schedule_irq
2025/04/28 12:56 linux-5.15.y f7347f400572 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan BUG: unable to handle kernel paging request in preempt_schedule_irq
2025/04/28 12:49 linux-5.15.y f7347f400572 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan BUG: unable to handle kernel paging request in preempt_schedule_irq
* Struck through repros no longer work on HEAD.