syzbot

 sign-in | mailing list | source | docs
🐞 Open [1501]
Subsystems
🐞 Fixed [6516]
🐞 Invalid [16575]
Missing Backports [204]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

general protection fault in __pcpu_freelist_pop

Status: upstream: reported C repro on 2025/08/18 07:53
Subsystems: bpf
[Documentation on labels]
Reported-by: syzbot+331f5bebb641724ff1f0@syzkaller.appspotmail.com
First crash: 4d10h, last: 8h37m
Cause bisection: introduced by (bisect log) :
commit c68ea8243c5cc901cea62f695504bec73195d906
Author: Andrea Righi <arighi@nvidia.com>
Date: Wed Jun 4 14:33:11 2025 +0000

  sched_ext: idle: Remove unnecessary ifdef in scx_bpf_cpu_node()

Crash: kernel panic: Fatal exception (log)
Repro: C syz .config
  
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [bpf?] general protection fault in __pcpu_freelist_pop 0 (1) 2025/08/18 07:53

Sample crash report:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 UID: 0 PID: 5867 Comm: syz-executor Not tainted 6.17.0-rc1-syzkaller-ge4414b01c1cd #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:___pcpu_freelist_pop kernel/bpf/percpu_freelist.c:114 [inline]
RIP: 0010:__pcpu_freelist_pop+0x6b7/0x8c0 kernel/bpf/percpu_freelist.c:125
Code: 10 48 3b 8c 24 80 00 00 00 0f 85 b4 01 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 48 89 f8 48 c1 e8 03 <80> 3c 18 00 48 89 7c 24 20 74 0a e8 29 3f 41 00 48 8b 7c 24 20 48
RSP: 0018:ffffc90000a08820 EFLAGS: 00010046
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffe8ffffd6e308
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffffc90000a088f0 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000141110 R12: 1ffffd1ffffadc60
R13: ffffe8ffffd6e300 R14: 0000000000000001 R15: 0000000000000000
FS:  0000555583dc4500(0000) GS:ffff888125d1c000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555622ed5c8 CR3: 00000000769d6000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 pcpu_freelist_pop+0xca/0x170 kernel/bpf/percpu_freelist.c:134
 __bpf_get_stackid+0x574/0xcf0 kernel/bpf/stackmap.c:259
 ____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1810 [inline]
 bpf_get_stackid_raw_tp+0x196/0x210 kernel/trace/bpf_trace.c:1799
 bpf_prog_b724608cae728045+0x27/0x2f
 bpf_dispatcher_nop_func include/linux/bpf.h:1332 [inline]
 __bpf_prog_run include/linux/filter.h:718 [inline]
 bpf_prog_run include/linux/filter.h:725 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2257 [inline]
 bpf_trace_run2+0x284/0x4b0 kernel/trace/bpf_trace.c:2298
 __do_trace_kfree include/trace/events/kmem.h:94 [inline]
 trace_kfree include/trace/events/kmem.h:94 [inline]
 kfree+0x3a0/0x440 mm/slub.c:4866
 slab_free_after_rcu_debug+0x60/0x2a0 mm/slub.c:4717
 rcu_do_batch kernel/rcu/tree.c:2605 [inline]
 rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861
 handle_softirqs+0x283/0x870 kernel/softirq.c:579
 do_softirq+0xec/0x180 kernel/softirq.c:480
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x17d/0x1c0 kernel/softirq.c:407
 lock_sock include/net/sock.h:1667 [inline]
 tcp_sendmsg+0x21/0x50 net/ipv4/tcp.c:1392
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x19c/0x270 net/socket.c:729
 sock_write_iter+0x258/0x330 net/socket.c:1179
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x5c9/0xb30 fs/read_write.c:686
 ksys_write+0x145/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe78c18d660
Code: 40 00 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 01 af 1f 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
RSP: 002b:00007ffc45dccfb8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000179a7b00 RCX: 00007fe78c18d660
RDX: 0000000000000108 RSI: 00007fe789c3fef8 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000007 R09: 000000000003fde8
R10: 1a917aa2f8ade145 R11: 0000000000000202 R12: 0000000000000108
R13: 0000555583ddd6d0 R14: 00007ffc45dcd480 R15: 00007fe789c3fef8
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:___pcpu_freelist_pop kernel/bpf/percpu_freelist.c:114 [inline]
RIP: 0010:__pcpu_freelist_pop+0x6b7/0x8c0 kernel/bpf/percpu_freelist.c:125
Code: 10 48 3b 8c 24 80 00 00 00 0f 85 b4 01 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 48 89 f8 48 c1 e8 03 <80> 3c 18 00 48 89 7c 24 20 74 0a e8 29 3f 41 00 48 8b 7c 24 20 48
RSP: 0018:ffffc90000a08820 EFLAGS: 00010046
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffe8ffffd6e308
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffffc90000a088f0 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000141110 R12: 1ffffd1ffffadc60
R13: ffffe8ffffd6e300 R14: 0000000000000001 R15: 0000000000000000
FS:  0000555583dc4500(0000) GS:ffff888125d1c000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555622ed5c8 CR3: 00000000769d6000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	10 48 3b             	adc    %cl,0x3b(%rax)
   3:	8c 24 80             	mov    %fs,(%rax,%rax,4)
   6:	00 00                	add    %al,(%rax)
   8:	00 0f                	add    %cl,(%rdi)
   a:	85 b4 01 00 00 48 8d 	test   %esi,-0x72b80000(%rcx,%rax,1)
  11:	65 d8 5b 41          	fcomps %gs:0x41(%rbx)
  15:	5c                   	pop    %rsp
  16:	41 5d                	pop    %r13
  18:	41 5e                	pop    %r14
  1a:	41 5f                	pop    %r15
  1c:	5d                   	pop    %rbp
  1d:	c3                   	ret
  1e:	cc                   	int3
  1f:	cc                   	int3
  20:	cc                   	int3
  21:	cc                   	int3
  22:	cc                   	int3
  23:	48 89 f8             	mov    %rdi,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	80 3c 18 00          	cmpb   $0x0,(%rax,%rbx,1) <-- trapping instruction
  2e:	48 89 7c 24 20       	mov    %rdi,0x20(%rsp)
  33:	74 0a                	je     0x3f
  35:	e8 29 3f 41 00       	call   0x413f63
  3a:	48 8b 7c 24 20       	mov    0x20(%rsp),%rdi
  3f:	48                   	rex.W

Crashes (18):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/08/17 01:21 bpf e4414b01c1cd 1804e95e .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
2025/08/19 00:21 bpf e4414b01c1cd 523f460e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
2025/08/19 00:21 bpf e4414b01c1cd 523f460e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
2025/08/17 20:34 bpf e4414b01c1cd 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
2025/08/17 20:10 bpf e4414b01c1cd 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
2025/08/17 17:25 bpf e4414b01c1cd 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
2025/08/17 16:34 bpf e4414b01c1cd 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
2025/08/17 07:20 bpf e4414b01c1cd 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
2025/08/17 00:16 bpf e4414b01c1cd 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
2025/08/16 21:28 bpf e4414b01c1cd 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
2025/08/16 17:02 bpf e4414b01c1cd 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
2025/08/16 04:27 bpf e4414b01c1cd 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
2025/08/16 00:49 bpf e4414b01c1cd 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
2025/08/15 16:18 bpf e4414b01c1cd 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
2025/08/15 05:46 bpf 7572a47ebcdf dcc075fb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
2025/08/15 04:53 bpf 8f5ae30d69d7 dcc075fb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
2025/08/14 22:46 bpf 8f5ae30d69d7 dcc075fb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
2025/08/14 22:44 bpf 8f5ae30d69d7 dcc075fb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce general protection fault in __pcpu_freelist_pop
* Struck through repros no longer work on HEAD.