syzbot

 sign-in | mailing list | source | docs
🐞 Open [1517]
Subsystems
🐞 Fixed [6485]
🐞 Invalid [16471]
Missing Backports [199]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

general protection fault in refill_obj_stock

Status: closed as dup on 2025/05/27 17:42
Subsystems: cgroups mm
[Documentation on labels]
Reported-by: syzbot+5dd4e428fa723938e6fd@syzkaller.appspotmail.com
First crash: 144d, last: 6d03h
Duplicate of
Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported
BUG: unable to handle kernel paging request in percpu_ref_get_many (2) cgroups mm 8 31 1d09h 72d
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [mm?] [cgroups?] general protection fault in refill_obj_stock 1 (2) 2025/05/27 17:42

Sample crash report:
Oops: general protection fault, probably for non-canonical address 0xdffffc001fffe000: 0000 [#1] SMP KASAN NOPTI
KASAN: probably user-memory-access in range [0x00000000ffff0000-0x00000000ffff0007]
CPU: 1 UID: 0 PID: 19781 Comm: dhcpcd-run-hook Not tainted 6.16.0-syzkaller-00857-gced1b9e0392d #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:__ref_is_percpu include/linux/percpu-refcount.h:174 [inline]
RIP: 0010:percpu_ref_get_many include/linux/percpu-refcount.h:204 [inline]
RIP: 0010:percpu_ref_get include/linux/percpu-refcount.h:222 [inline]
RIP: 0010:obj_cgroup_get include/linux/memcontrol.h:770 [inline]
RIP: 0010:refill_obj_stock+0x18f/0x6d0 mm/memcontrol.c:3043
Code: c7 c7 00 4e 5c 8e e8 80 94 6e ff e8 7b 0c 63 09 5a 85 c0 0f 85 7d 03 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 db 04 00 00 48 8b 03 a8 03 0f 85 00 04 00 00 65
RSP: 0018:ffffc90003277698 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 00000000ffff0000 RCX: 00000000d5be5ab4
RDX: 000000001fffe000 RSI: ffffffff8c15bee0 RDI: ffffffff8df43da8
RBP: 0000000000000078 R08: 1d907f62e00821f4 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff93d42740
R13: ffff88813fffb400 R14: ffff8880b853b740 R15: ffff8880b853b740
FS:  0000000000000000(0000) GS:ffff8881247f9000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1be7d89286 CR3: 0000000052dd1000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __memcg_slab_free_hook+0x2db/0x5d0 mm/memcontrol.c:3217
 memcg_slab_free_hook mm/slub.c:2206 [inline]
 slab_free mm/slub.c:4640 [inline]
 kmem_cache_free+0x37e/0x4d0 mm/slub.c:4745
 anon_vma_chain_free mm/rmap.c:147 [inline]
 unlink_anon_vmas+0x458/0x820 mm/rmap.c:447
 free_pgtables+0x373/0xcb0 mm/memory.c:402
 exit_mmap+0x3fb/0xb90 mm/mmap.c:1295
 __mmput+0x12a/0x410 kernel/fork.c:1121
 mmput+0x62/0x70 kernel/fork.c:1144
 exec_mmap fs/exec.c:901 [inline]
 begin_new_exec+0x15a7/0x38b0 fs/exec.c:1156
 load_elf_binary+0x8ce/0x4fb0 fs/binfmt_elf.c:995
 search_binary_handler fs/exec.c:1670 [inline]
 exec_binprm fs/exec.c:1702 [inline]
 bprm_execve fs/exec.c:1754 [inline]
 bprm_execve+0x8c0/0x1650 fs/exec.c:1730
 do_execveat_common.isra.0+0x4a5/0x610 fs/exec.c:1860
 do_execve fs/exec.c:1934 [inline]
 __do_sys_execve fs/exec.c:2010 [inline]
 __se_sys_execve fs/exec.c:2005 [inline]
 __x64_sys_execve+0x8e/0xb0 fs/exec.c:2005
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1be7ccf107
Code: Unable to access opcode bytes at 0x7f1be7ccf0dd.
RSP: 002b:00007ffd932b8b28 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 000055af7badfe38 RCX: 00007f1be7ccf107
RDX: 000055af7badfe60 RSI: 000055af7badfe38 RDI: 000055af7badfef0
RBP: 000055af7badfef0 R08: 00007ffd932bda2d R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 000055af7badfe60
R13: 00007f1be7e94e8b R14: 000055af7badfe60 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__ref_is_percpu include/linux/percpu-refcount.h:174 [inline]
RIP: 0010:percpu_ref_get_many include/linux/percpu-refcount.h:204 [inline]
RIP: 0010:percpu_ref_get include/linux/percpu-refcount.h:222 [inline]
RIP: 0010:obj_cgroup_get include/linux/memcontrol.h:770 [inline]
RIP: 0010:refill_obj_stock+0x18f/0x6d0 mm/memcontrol.c:3043
Code: c7 c7 00 4e 5c 8e e8 80 94 6e ff e8 7b 0c 63 09 5a 85 c0 0f 85 7d 03 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 db 04 00 00 48 8b 03 a8 03 0f 85 00 04 00 00 65
RSP: 0018:ffffc90003277698 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 00000000ffff0000 RCX: 00000000d5be5ab4
RDX: 000000001fffe000 RSI: ffffffff8c15bee0 RDI: ffffffff8df43da8
RBP: 0000000000000078 R08: 1d907f62e00821f4 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff93d42740
R13: ffff88813fffb400 R14: ffff8880b853b740 R15: ffff8880b853b740
FS:  0000000000000000(0000) GS:ffff8881247f9000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1be7ccf0dd CR3: 0000000052dd1000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	c7 c7 00 4e 5c 8e    	mov    $0x8e5c4e00,%edi
   6:	e8 80 94 6e ff       	call   0xff6e948b
   b:	e8 7b 0c 63 09       	call   0x9630c8b
  10:	5a                   	pop    %rdx
  11:	85 c0                	test   %eax,%eax
  13:	0f 85 7d 03 00 00    	jne    0x396
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 89 da             	mov    %rbx,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 db 04 00 00    	jne    0x50f
  34:	48 8b 03             	mov    (%rbx),%rax
  37:	a8 03                	test   $0x3,%al
  39:	0f 85 00 04 00 00    	jne    0x43f
  3f:	65                   	gs

Crashes (9):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/07/29 23:52 upstream ced1b9e0392d f8f2b4da .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root general protection fault in refill_obj_stock
2025/07/09 03:46 upstream d006330be3f7 abade794 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root general protection fault in refill_obj_stock
2025/07/08 17:03 upstream d7b8f8e20813 abade794 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root general protection fault in refill_obj_stock
2025/05/27 13:36 upstream 914873bc7df9 874a1386 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root general protection fault in refill_obj_stock
2025/03/13 14:59 upstream b7f94fcf5546 44be8b44 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root general protection fault in refill_obj_stock
2025/05/16 00:42 upstream 088d13246a46 cfde8269 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream general protection fault in refill_obj_stock
2025/05/15 13:23 upstream 088d13246a46 d6b2ee52 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream general protection fault in refill_obj_stock
2025/05/12 10:06 upstream 82f2b0b97b36 77908e5f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream general protection fault in refill_obj_stock
2025/07/20 19:54 upstream f4a40a4282f4 7117feec .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in refill_obj_stock
* Struck through repros no longer work on HEAD.