syzbot

 sign-in | mailing list | source | docs
🐞 Open [866] Subsystems 🐞 Fixed [4879] 🐞 Invalid [11675] Missing Backports [71] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

general protection fault in timerqueue_add (4)

Status: upstream: reported C repro on 2023/02/26 03:51
Subsystems: reiserfs
[Documentation on labels]
Reported-by: syzbot+21f2b8753d8bfc6bb816@syzkaller.appspotmail.com
First crash: 287d, last: 35d
Cause bisection: failed (error log, bisect log)
  
Fix bisection: fixed by (bisect log) :
commit d685c668b0695dff927c85e27ef27d4f404f16a3
Author: Matthew Wilcox (Oracle) <willy@infradead.org>
Date: Thu Dec 15 21:43:51 2022 +0000

  buffer: add b_folio as an alias of b_page

  
Discussions (2)
Title Replies (including bot) Last reply
[syzbot] [reiserfs?] [fat?] [fuse?] general protection fault in timerqueue_add (4) 0 (2) 2023/07/12 11:15
[syzbot] Monthly fat report 0 (1) 2023/03/30 10:28
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream general protection fault in timerqueue_add (2) kernel 2 1795d 1797d 0/25 closed as dup on 2019/01/04 16:41
upstream general protection fault in timerqueue_add (3) kernel 1 1562d 1562d 0/25 auto-closed as invalid on 2019/11/25 13:35
upstream general protection fault in timerqueue_add kernel C 2 2080d 2080d 6/25 fixed on 2018/04/06 16:37
Last patch testing requests (5)
Created Duration User Patch Repo Result
2023/11/01 18:30 13m retest repro upstream report log
2023/10/17 07:11 1m retest repro linux-next error OK
2023/10/17 07:11 14m retest repro upstream report log
2023/08/07 17:04 15m retest repro linux-next report log
2023/08/07 16:14 42m retest repro upstream report log
Fix bisection attempts (3)
Created Duration User Patch Repo Result
2023/07/12 05:40 5h33m bisect fix upstream job log (1)
2023/04/23 06:57 51m bisect fix upstream job log (0) log
2023/03/24 06:00 30m bisect fix upstream job log (0) log

Sample crash report:
general protection fault, probably for non-canonical address 0xfbfffb8000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0xdffffc0000000000-0xdffffc0000000007]
CPU: 1 PID: 5034 Comm: syz-executor322 Not tainted 6.6.0-rc6-syzkaller-00039-g06dc10eae55b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:__rb_insert lib/rbtree.c:117 [inline]
RIP: 0010:rb_insert_color+0x9f/0x800 lib/rbtree.c:436
Code: 00 0f 85 41 05 00 00 4c 8b 6d 08 49 39 dd 0f 84 72 01 00 00 4d 85 ed 74 26 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 4d 05 00 00 41 f6 45 00 01 0f 84 40 04 00 00 4c
RSP: 0018:ffffc900001f0d98 EFLAGS: 00010016
RAX: dffffc0000000000 RBX: ffffc9000343f818 RCX: 0000000000000000
RDX: 1bffff8000000000 RSI: ffff8880b992ba10 RDI: ffffffff8a439e48
RBP: ffffffff8a439e40 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880b992c270
R13: dffffc0000000000 R14: dffffc0000000000 R15: ffffc9000343f820
FS:  00005555559f3380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557f50c4d000 CR3: 000000007449f000 CR4: 0000000000350ee0
Call Trace:
 <IRQ>
 rb_insert_color_cached include/linux/rbtree.h:114 [inline]
 rb_add_cached include/linux/rbtree.h:183 [inline]
 timerqueue_add+0x1bd/0x330 lib/timerqueue.c:40
 enqueue_hrtimer+0x16f/0x310 kernel/time/hrtimer.c:1094
 __run_hrtimer kernel/time/hrtimer.c:1705 [inline]
 __hrtimer_run_queues+0xa0a/0xc10 kernel/time/hrtimer.c:1752
 hrtimer_interrupt+0x31b/0x800 kernel/time/hrtimer.c:1814
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1063 [inline]
 __sysvec_apic_timer_interrupt+0x105/0x3f0 arch/x86/kernel/apic/apic.c:1080
 sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1074
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:memmove+0x50/0x1b0 arch/x86/lib/memmove_64.S:71
Code: 0f 1f 44 00 00 48 81 fa a8 02 00 00 72 05 40 38 fe 74 47 48 83 ea 20 48 83 ea 20 4c 8b 1e 4c 8b 56 08 4c 8b 4e 10 4c 8b 46 18 <48> 8d 76 20 4c 89 1f 4c 89 57 08 4c 89 4f 10 4c 89 47 18 48 8d 7f
RSP: 0018:ffffc900040def18 EFLAGS: 00000286
RAX: ffff888074de0fb4 RBX: 0000000000000002 RCX: ffff888074de0030
RDX: fffffffffa475b60 RSI: ffff88807a96b3e4 RDI: ffff88807a96b3f4
RBP: 0000000000000020 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000000 R14: ffff888074de0fa4 R15: 0000000000000010
 leaf_paste_entries+0x43c/0x920 fs/reiserfs/lbalance.c:1377
 balance_leaf_finish_node_paste_dirent fs/reiserfs/do_balan.c:1295 [inline]
 balance_leaf_finish_node_paste fs/reiserfs/do_balan.c:1321 [inline]
 balance_leaf_finish_node fs/reiserfs/do_balan.c:1364 [inline]
 balance_leaf+0x9476/0xcd90 fs/reiserfs/do_balan.c:1452
 do_balance+0x337/0x840 fs/reiserfs/do_balan.c:1888
 reiserfs_paste_into_item+0x62a/0x7c0 fs/reiserfs/stree.c:2157
 reiserfs_add_entry+0x936/0xd20 fs/reiserfs/namei.c:565
 reiserfs_mkdir+0x68a/0x9a0 fs/reiserfs/namei.c:860
 xattr_mkdir fs/reiserfs/xattr.c:77 [inline]
 create_privroot fs/reiserfs/xattr.c:891 [inline]
 reiserfs_xattr_init+0x57f/0xbb0 fs/reiserfs/xattr.c:1007
 reiserfs_fill_super+0x2139/0x3150 fs/reiserfs/super.c:2175
 mount_bdev+0x1f3/0x2e0 fs/super.c:1629
 legacy_get_tree+0x109/0x220 fs/fs_context.c:662
 vfs_get_tree+0x8c/0x370 fs/super.c:1750
 do_new_mount fs/namespace.c:3335 [inline]
 path_mount+0x1492/0x1ed0 fs/namespace.c:3662
 do_mount fs/namespace.c:3675 [inline]
 __do_sys_mount fs/namespace.c:3884 [inline]
 __se_sys_mount fs/namespace.c:3861 [inline]
 __x64_sys_mount+0x293/0x310 fs/namespace.c:3861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff17073dc3a
Code: eb b2 66 0f 24 08 48 8d 44 24 20 48 89 44 24 10 eb b2 66 0f 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 48 c7 c0 ff ff ff <ff> eb a6 e8 5e 04 00 00 66 2e a5 00 00 00 0f 05 48 3d 01 f0 ff ff
RSP: 002b:00007ffdbb56f728 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffdbb56f740 RCX: 00007ff17073dc3a
RDX: 0000000020000080 RSI: 0000000020000040 RDI: 00007ffdbb56f740
RBP: 0000000000000004 R08: 00007ffdbb56f780 R09: 0000000000001112
R10: 000000000000800c R11: 0000000000000286 R12: 000000000000800c
R13: 00007ffdbb56f780 R14: 0000000000000003 R15: 0000000000400000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__rb_insert lib/rbtree.c:117 [inline]
RIP: 0010:rb_insert_color+0x9f/0x800 lib/rbtree.c:436
Code: 00 0f 85 41 05 00 00 4c 8b 6d 08 49 39 dd 0f 84 72 01 00 00 4d 85 ed 74 26 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 4d 05 00 00 41 f6 45 00 01 0f 84 40 04 00 00 4c
RSP: 0018:ffffc900001f0d98 EFLAGS: 00010016

RAX: dffffc0000000000 RBX: ffffc9000343f818 RCX: 0000000000000000
RDX: 1bffff8000000000 RSI: ffff8880b992ba10 RDI: ffffffff8a439e48
RBP: ffffffff8a439e40 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880b992c270
R13: dffffc0000000000 R14: dffffc0000000000 R15: ffffc9000343f820
FS:  00005555559f3380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557f50c4d000 CR3: 000000007449f000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess):
   0:	00 0f                	add    %cl,(%rdi)
   2:	85 41 05             	test   %eax,0x5(%rcx)
   5:	00 00                	add    %al,(%rax)
   7:	4c 8b 6d 08          	mov    0x8(%rbp),%r13
   b:	49 39 dd             	cmp    %rbx,%r13
   e:	0f 84 72 01 00 00    	je     0x186
  14:	4d 85 ed             	test   %r13,%r13
  17:	74 26                	je     0x3f
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	4c 89 ea             	mov    %r13,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 4d 05 00 00    	jne    0x581
  34:	41 f6 45 00 01       	testb  $0x1,0x0(%r13)
  39:	0f 84 40 04 00 00    	je     0x47f
  3f:	4c                   	rex.WR

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/10/18 10:01 upstream 06dc10eae55b 342b9c55 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root general protection fault in timerqueue_add
2023/05/06 04:26 linux-next 83e5775d7afd 4cec9341 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root general protection fault in timerqueue_add
2023/05/29 16:11 upstream e338142b39cf cf184559 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in timerqueue_add
2023/02/22 03:41 upstream 4a7d37e824f5 42a4d508 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-root general protection fault in timerqueue_add
* Struck through repros no longer work on HEAD.