syzbot

 sign-in | mailing list | source | docs
🐞 Open [969] Subsystems 🐞 Fixed [4558] 🐞 Invalid [10512] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

general protection fault in timerqueue_add (4)

Status: upstream: reported C repro on 2023/02/26 03:51
Labels: reiserfs (incorrect?)
Reported-by: syzbot+21f2b8753d8bfc6bb816@syzkaller.appspotmail.com
First crash: 100d, last: 4d05h

Cause bisection: failed (error log, bisect log)
Discussions (2)
Title Replies (including bot) Last reply
[syzbot] Monthly fat report 0 (1) 2023/03/30 10:28
[syzbot] [reiserfs?] [fat?] [fuse?] general protection fault in timerqueue_add (4) 0 (1) 2023/02/26 03:51
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream general protection fault in timerqueue_add (2) 2 1608d 1610d 0/24 closed as dup on 2019/01/04 16:41
upstream general protection fault in timerqueue_add (3) 1 1375d 1375d 0/24 auto-closed as invalid on 2019/11/25 13:35
upstream general protection fault in timerqueue_add kernel C 2 1893d 1893d 6/24 fixed on 2018/04/06 16:37
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2023/04/23 06:57 51m bisect fix upstream job log (0) log
2023/03/24 06:00 30m bisect fix upstream job log (0) log

Sample crash report:
general protection fault, probably for non-canonical address 0xe3fffb24000f33f5: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0x1ffff92000799fa8-0x1ffff92000799faf]
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.2.0-syzkaller-02299-g4a7d37e824f5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
RIP: 0010:__timerqueue_less lib/timerqueue.c:22 [inline]
RIP: 0010:rb_add_cached include/linux/rbtree.h:174 [inline]
RIP: 0010:timerqueue_add+0xf7/0x330 lib/timerqueue.c:40
Code: 48 c1 ea 03 42 80 3c 22 00 0f 85 c4 01 00 00 49 8b 17 48 85 d2 74 40 48 89 d3 e8 44 f1 c3 f7 48 8d 7b 18 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 ab 01 00 00 4c 8b 7b 18 4c 89 ef 4c 89 fe e8
RSP: 0018:ffffc900001e0da8 EFLAGS: 00010017
RAX: 03ffff24000f33f5 RBX: 1ffff92000799f95 RCX: 0000000000000000
RDX: ffff88813feb1d40 RSI: ffffffff89bdeb3c RDI: 1ffff92000799fad
RBP: ffff8880b992c0e0 R08: 0000000000000006 R09: 00000009dd72e480
R10: ffffc90003c9f5f8 R11: 0000000000000000 R12: dffffc0000000000
R13: 00000009dd72e480 R14: 0000000000000000 R15: ffffc90003ccfc58
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f16907af000 CR3: 000000001de6d000 CR4: 0000000000350ee0
Call Trace:
 <IRQ>
 enqueue_hrtimer+0x1aa/0x490 kernel/time/hrtimer.c:1091
 __run_hrtimer kernel/time/hrtimer.c:1702 [inline]
 __hrtimer_run_queues+0xc71/0x1010 kernel/time/hrtimer.c:1749
 hrtimer_interrupt+0x320/0x790 kernel/time/hrtimer.c:1811
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1096 [inline]
 __sysvec_apic_timer_interrupt+0x180/0x660 arch/x86/kernel/apic/apic.c:1113
 sysvec_apic_timer_interrupt+0x92/0xc0 arch/x86/kernel/apic/apic.c:1107
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:72 [inline]
RIP: 0010:acpi_safe_halt+0x40/0x50 drivers/acpi/processor_idle.c:113
Code: eb 03 83 e3 01 89 de 0f 1f 44 00 00 84 db 75 1b 0f 1f 44 00 00 eb 0c 0f 1f 44 00 00 0f 00 2d e7 5a a8 00 0f 1f 44 00 00 fb f4 <fa> 5b c3 cc 0f 1f 00 66 0f 1f 84 00 00 00 00 00 55 48 89 fd 53 0f
RSP: 0018:ffffc90000177d10 EFLAGS: 00000246
RAX: ffff88813feb1d40 RBX: 0000000000000000 RCX: ffffffff8a096b45
RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8880179b1864 R08: 0000000000000001 R09: ffff8880b993606b
R10: ffffed1017326c0d R11: 0000000000000000 R12: 0000000000000001
R13: ffff8880179b1800 R14: ffff8880179b1864 R15: 0000000000000000
 acpi_idle_do_entry+0x53/0x70 drivers/acpi/processor_idle.c:573
 acpi_idle_enter+0x173/0x290 drivers/acpi/processor_idle.c:711
 cpuidle_enter_state+0xd3/0x6f0 drivers/cpuidle/cpuidle.c:267
 cpuidle_enter+0x4e/0xa0 drivers/cpuidle/cpuidle.c:388
 cpuidle_idle_call kernel/sched/idle.c:215 [inline]
 do_idle+0x348/0x440 kernel/sched/idle.c:282
 cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:379
 start_secondary+0x256/0x300 arch/x86/kernel/smpboot.c:264
 secondary_startup_64_no_verify+0xce/0xdb
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__timerqueue_less lib/timerqueue.c:22 [inline]
RIP: 0010:rb_add_cached include/linux/rbtree.h:174 [inline]
RIP: 0010:timerqueue_add+0xf7/0x330 lib/timerqueue.c:40
Code: 48 c1 ea 03 42 80 3c 22 00 0f 85 c4 01 00 00 49 8b 17 48 85 d2 74 40 48 89 d3 e8 44 f1 c3 f7 48 8d 7b 18 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 ab 01 00 00 4c 8b 7b 18 4c 89 ef 4c 89 fe e8
RSP: 0018:ffffc900001e0da8 EFLAGS: 00010017

RAX: 03ffff24000f33f5 RBX: 1ffff92000799f95 RCX: 0000000000000000
RDX: ffff88813feb1d40 RSI: ffffffff89bdeb3c RDI: 1ffff92000799fad
RBP: ffff8880b992c0e0 R08: 0000000000000006 R09: 00000009dd72e480
R10: ffffc90003c9f5f8 R11: 0000000000000000 R12: dffffc0000000000
R13: 00000009dd72e480 R14: 0000000000000000 R15: ffffc90003ccfc58
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f16907af000 CR3: 000000001de6d000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess):
   0:	48 c1 ea 03          	shr    $0x3,%rdx
   4:	42 80 3c 22 00       	cmpb   $0x0,(%rdx,%r12,1)
   9:	0f 85 c4 01 00 00    	jne    0x1d3
   f:	49 8b 17             	mov    (%r15),%rdx
  12:	48 85 d2             	test   %rdx,%rdx
  15:	74 40                	je     0x57
  17:	48 89 d3             	mov    %rdx,%rbx
  1a:	e8 44 f1 c3 f7       	callq  0xf7c3f163
  1f:	48 8d 7b 18          	lea    0x18(%rbx),%rdi
  23:	48 89 f8             	mov    %rdi,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 20 00       	cmpb   $0x0,(%rax,%r12,1) <-- trapping instruction
  2f:	0f 85 ab 01 00 00    	jne    0x1e0
  35:	4c 8b 7b 18          	mov    0x18(%rbx),%r15
  39:	4c 89 ef             	mov    %r13,%rdi
  3c:	4c 89 fe             	mov    %r15,%rsi
  3f:	e8                   	.byte 0xe8

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/02/22 03:41 upstream 4a7d37e824f5 42a4d508 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-root general protection fault in timerqueue_add
2023/05/06 04:26 linux-next 83e5775d7afd 4cec9341 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root general protection fault in timerqueue_add
2023/05/29 16:11 upstream e338142b39cf cf184559 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in timerqueue_add
* Struck through repros no longer work on HEAD.