syzbot


BUG: stack guard page was hit in sys_mount

Status: moderation: reported on 2025/02/01 14:57
Subsystems: mm
Reported-by: syzbot+8ceee6efcdc584651860@syzkaller.appspotmail.com
First crash: 7d16h, last: 7d16h
Similar bugs (13)

| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| android-5-10 | BUG: stack guard page was hit in sys_mount (7) | C | error | | 3 | 1024d | 1026d | 0/2 | closed as dup on 2022/04/18 14:30 |
| android-5-10 | BUG: stack guard page was hit in sys_mount (2) | C | error | | 2 | 1040d | 1041d | 0/2 | closed as dup on 2022/04/01 14:43 |
| android-5-10 | BUG: stack guard page was hit in sys_mount (6) | C | error | | 1 | 1026d | 1026d | 0/2 | closed as dup on 2022/04/15 20:39 |
| android-5-10 | BUG: stack guard page was hit in sys_mount | C | error | | 4 | 1044d | 1045d | 0/2 | closed as dup on 2022/03/29 16:35 |
| android-5-10 | BUG: stack guard page was hit in sys_mount (3) | C | error | | 1 | 1034d | 1034d | 0/2 | closed as dup on 2022/04/08 14:40 |
| android-5-10 | BUG: stack guard page was hit in sys_mount (13) | C | error | | 1 | 1000d | 1000d | 0/2 | closed as dup on 2022/05/12 14:30 |
| android-5-10 | BUG: stack guard page was hit in sys_mount (5) | C | error | | 2 | 1027d | 1028d | 0/2 | closed as dup on 2022/04/14 18:04 |
| android-5-10 | BUG: stack guard page was hit in sys_mount (11) | C | error | | 1 | 1001d | 1001d | 0/2 | closed as dup on 2022/05/11 16:52 |
| android-5-10 | BUG: stack guard page was hit in sys_mount (9) | C | error | | 11 | 1010d | 1021d | 0/2 | closed as dup on 2022/05/04 16:15 |
| android-5-10 | BUG: stack guard page was hit in sys_mount (4) | C | error | | 6 | 1031d | 1032d | 0/2 | closed as dup on 2022/04/11 14:20 |
| android-5-10 | BUG: stack guard page was hit in sys_mount (12) | C | error | | 1 | 1000d | 1000d | 0/2 | closed as dup on 2022/05/11 21:59 |
| android-5-10 | BUG: stack guard page was hit in sys_mount (8) | C | error | | 2 | 1022d | 1022d | 0/2 | closed as dup on 2022/04/19 18:35 |
| android-5-10 | BUG: stack guard page was hit in sys_mount (10) | C | error | | 3 | 1001d | 1002d | 0/2 | closed as dup on 2022/05/11 00:32 |

Sample crash report:
BUG: TASK stack guard page was hit at ffffc9000d1e7fb8 (stack is ffffc9000d1e8000..ffffc9000d1f0000)
Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.13.0-syzkaller-08291-g805ba04cb7cc #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__bfs+0x1f/0x6f0 kernel/locking/lockdep.c:1737
Code: 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0 48 81 ec a0 00 00 00 45 89 ce <4c> 89 44 24 20 48 89 4c 24 10 48 89 54 24 30 48 89 74 24 08 48 89
RSP: 0018:ffffc9000d1e7fc0 EFLAGS: 00010086
RAX: ffff88801fa4d4b0 RBX: ffff88801fa4d400 RCX: 0000000000000000
RDX: ffffffff819bfcb0 RSI: ffff88801fa4d4b0 RDI: ffffc9000d1e8140
RBP: ffffc9000d1e80a0 R08: ffffc9000d1e8120 R09: 0000000000000020
R10: dffffc0000000000 R11: fffffbfff285f709 R12: ffffc9000d1e816b
R13: 1ffff11003f49a9f R14: 0000000000000020 R15: dffffc0000000000
FS:  00007fd25c58a6c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000d1e7fb8 CR3: 0000000040ee8000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <#DF>
 </#DF>
 <TASK>
 __bfs_forwards kernel/locking/lockdep.c:1846 [inline]
 check_path+0x21/0x40 kernel/locking/lockdep.c:2164
 check_noncircular+0x259/0x4a0 kernel/locking/lockdep.c:2193
 check_prev_add kernel/locking/lockdep.c:3163 [inline]
 check_prevs_add kernel/locking/lockdep.c:3282 [inline]
 validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3906
 __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5228
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5851
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
 rmqueue_bulk mm/page_alloc.c:2310 [inline]
 __rmqueue_pcplist+0x4a2/0x2a90 mm/page_alloc.c:3004
 rmqueue_pcplist mm/page_alloc.c:3046 [inline]
 rmqueue mm/page_alloc.c:3077 [inline]
 get_page_from_freelist+0x886/0x37a0 mm/page_alloc.c:3474
 __alloc_pages_slowpath+0x43e/0x10b0 mm/page_alloc.c:4288
 __alloc_frozen_pages_noprof+0x49b/0x710 mm/page_alloc.c:4752
 alloc_pages_mpol+0x311/0x660 mm/mempolicy.c:2270
 alloc_frozen_pages_noprof mm/mempolicy.c:2341 [inline]
 alloc_pages_noprof+0x121/0x190 mm/mempolicy.c:2361
 z3fold_alloc mm/z3fold.c:1036 [inline]
 z3fold_zpool_malloc+0x3e5/0xd80 mm/z3fold.c:1388
 zswap_compress mm/zswap.c:971 [inline]
 zswap_store_page mm/zswap.c:1462 [inline]
 zswap_store+0xdba/0x1c30 mm/zswap.c:1569
 swap_writepage+0x647/0xce0 mm/page_io.c:278
 pageout mm/vmscan.c:696 [inline]
 shrink_folio_list+0x35c2/0x5ac0 mm/vmscan.c:1402
 evict_folios+0x45fd/0x56a0 mm/vmscan.c:4655
 try_to_shrink_lruvec+0x713/0x9b0 mm/vmscan.c:4816
 shrink_one+0x3b9/0x850 mm/vmscan.c:4861
 shrink_many mm/vmscan.c:4924 [inline]
 lru_gen_shrink_node mm/vmscan.c:5002 [inline]
 shrink_node+0x37c5/0x3e50 mm/vmscan.c:5973
 shrink_zones mm/vmscan.c:6232 [inline]
 do_try_to_free_pages+0x78c/0x1cf0 mm/vmscan.c:6294
 try_to_free_pages+0x47c/0x1050 mm/vmscan.c:6544
 __perform_reclaim mm/page_alloc.c:3929 [inline]
 __alloc_pages_direct_reclaim+0x178/0x3c0 mm/page_alloc.c:3951
 __alloc_pages_slowpath+0x811/0x10b0 mm/page_alloc.c:4382
 __alloc_frozen_pages_noprof+0x49b/0x710 mm/page_alloc.c:4752
 alloc_pages_mpol+0x311/0x660 mm/mempolicy.c:2270
 alloc_frozen_pages_noprof mm/mempolicy.c:2341 [inline]
 alloc_pages_noprof+0x121/0x190 mm/mempolicy.c:2361
 stack_depot_save_flags+0x72d/0x940 lib/stackdepot.c:627
 save_stack+0x109/0x1f0 mm/page_owner.c:157
 __set_page_owner+0x92/0x800 mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f4/0x240 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0x365c/0x37a0 mm/page_alloc.c:3477
 __alloc_pages_direct_reclaim+0x284/0x3c0 mm/page_alloc.c:3956
 __alloc_pages_slowpath+0x811/0x10b0 mm/page_alloc.c:4382
 __alloc_frozen_pages_noprof+0x49b/0x710 mm/page_alloc.c:4752
 alloc_pages_mpol+0x311/0x660 mm/mempolicy.c:2270
 alloc_frozen_pages_noprof mm/mempolicy.c:2341 [inline]
 alloc_pages_noprof+0x121/0x190 mm/mempolicy.c:2361
 stack_depot_save_flags+0x72d/0x940 lib/stackdepot.c:627
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_save_track+0x51/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4294 [inline]
 __kmalloc_node_track_caller_noprof+0x28b/0x4c0 mm/slub.c:4313
 __do_krealloc mm/slub.c:4820 [inline]
 krealloc_noprof+0x10f/0x2f0 mm/slub.c:4873
 bch2_printbuf_make_room+0x1f1/0x350 fs/bcachefs/printbuf.c:59
 bch2_prt_printf+0x267/0x6d0 fs/bcachefs/printbuf.c:186
 bch2_btree_path_to_text_short+0x1f5/0xfa0 fs/bcachefs/btree_iter.c:1529
 __bch2_trans_paths_to_text+0xe5/0x180 fs/bcachefs/btree_iter.c:1597
 bch2_trans_update_max_paths+0x16e/0x420 fs/bcachefs/btree_iter.c:1633
 btree_path_alloc+0x872/0xa60 fs/bcachefs/btree_iter.c:1730
 bch2_path_get+0xb57/0x15d0 fs/bcachefs/btree_iter.c:1781
 bch2_trans_iter_init_common fs/bcachefs/btree_iter.h:500 [inline]
 bch2_trans_iter_init_outlined+0x2ed/0x4c0 fs/bcachefs/btree_iter.c:3051
 bch2_trans_iter_init fs/bcachefs/btree_iter.h:518 [inline]
 btree_key_cache_fill+0x1e1/0x3820 fs/bcachefs/btree_key_cache.c:302
 bch2_btree_path_traverse_cached+0x8b2/0xc60 fs/bcachefs/btree_key_cache.c:379
 bch2_btree_path_traverse_one+0x46a/0x2930 fs/bcachefs/btree_iter.c:1179
 bch2_btree_path_traverse fs/bcachefs/btree_iter.h:249 [inline]
 bch2_btree_iter_peek_slot+0x8c0/0x27c0 fs/bcachefs/btree_iter.c:2767
 __bch2_bkey_get_iter fs/bcachefs/btree_iter.h:573 [inline]
 bch2_bkey_get_iter fs/bcachefs/btree_iter.h:587 [inline]
 bch2_check_discard_freespace_key+0x292/0xeb0 fs/bcachefs/alloc_background.c:1404
 try_alloc_bucket fs/bcachefs/alloc_foreground.c:287 [inline]
 bch2_bucket_alloc_freelist fs/bcachefs/alloc_foreground.c:438 [inline]
 bch2_bucket_alloc_trans+0x1589/0x2eb0 fs/bcachefs/alloc_foreground.c:570
 bch2_bucket_alloc_set_trans+0x57c/0xd60 fs/bcachefs/alloc_foreground.c:726
 __open_bucket_add_buckets+0x13a2/0x1e10 fs/bcachefs/alloc_foreground.c:969
 open_bucket_add_buckets+0x33a/0x410 fs/bcachefs/alloc_foreground.c:1013
 bch2_alloc_sectors_start_trans+0xce9/0x2030
 __bch2_btree_node_alloc fs/bcachefs/btree_update_interior.c:322 [inline]
 bch2_btree_reserve_get+0x612/0x1890 fs/bcachefs/btree_update_interior.c:532
 bch2_btree_update_start+0xe56/0x14e0 fs/bcachefs/btree_update_interior.c:1230
 bch2_btree_split_leaf+0x121/0x880 fs/bcachefs/btree_update_interior.c:1851
 bch2_trans_commit_error+0x212/0x1380 fs/bcachefs/btree_trans_commit.c:908
 __bch2_trans_commit+0x8126/0x97a0 fs/bcachefs/btree_trans_commit.c:1085
 wb_flush_one fs/bcachefs/btree_write_buffer.c:181 [inline]
 bch2_btree_write_buffer_flush_locked+0x2c8c/0x5b10 fs/bcachefs/btree_write_buffer.c:379
 btree_write_buffer_flush_seq+0x1c49/0x1e10 fs/bcachefs/btree_write_buffer.c:551
 bch2_btree_write_buffer_journal_flush+0xc7/0x150 fs/bcachefs/btree_write_buffer.c:567
 journal_flush_pins+0x5f7/0xb20 fs/bcachefs/journal_reclaim.c:574
 journal_flush_done+0x8e/0x260 fs/bcachefs/journal_reclaim.c:830
 bch2_journal_flush_pins+0x18a/0x3a0 fs/bcachefs/journal_reclaim.c:863
 bch2_journal_flush_all_pins fs/bcachefs/journal_reclaim.h:76 [inline]
 bch2_journal_replay+0x2744/0x2a70 fs/bcachefs/recovery.c:443
 bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:226
 bch2_run_recovery_passes+0x2ad/0xa90 fs/bcachefs/recovery_passes.c:291
 bch2_fs_recovery+0x265a/0x3de0 fs/bcachefs/recovery.c:937
 bch2_fs_start+0x37c/0x610 fs/bcachefs/super.c:1030
 bch2_fs_get_tree+0xd8d/0x1740 fs/bcachefs/fs.c:2203
 vfs_get_tree+0x90/0x2b0 fs/super.c:1814
 do_new_mount+0x2be/0xb40 fs/namespace.c:3560
 do_mount fs/namespace.c:3900 [inline]
 __do_sys_mount fs/namespace.c:4111 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4088
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd25b78e54a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd25c589e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fd25c589ef0 RCX: 00007fd25b78e54a
RDX: 00000000200058c0 RSI: 0000000020005900 RDI: 00007fd25c589eb0
RBP: 00000000200058c0 R08: 00007fd25c589ef0 R09: 0000000000000014
R10: 0000000000000014 R11: 0000000000000246 R12: 0000000020005900
R13: 00007fd25c589eb0 R14: 00000000000058af R15: 0000000020000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__bfs+0x1f/0x6f0 kernel/locking/lockdep.c:1737
Code: 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0 48 81 ec a0 00 00 00 45 89 ce <4c> 89 44 24 20 48 89 4c 24 10 48 89 54 24 30 48 89 74 24 08 48 89
RSP: 0018:ffffc9000d1e7fc0 EFLAGS: 00010086
RAX: ffff88801fa4d4b0 RBX: ffff88801fa4d400 RCX: 0000000000000000
RDX: ffffffff819bfcb0 RSI: ffff88801fa4d4b0 RDI: ffffc9000d1e8140
RBP: ffffc9000d1e80a0 R08: ffffc9000d1e8120 R09: 0000000000000020
R10: dffffc0000000000 R11: fffffbfff285f709 R12: ffffc9000d1e816b
R13: 1ffff11003f49a9f R14: 0000000000000020 R15: dffffc0000000000
FS:  00007fd25c58a6c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000d1e7fb8 CR3: 0000000040ee8000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	90                   	nop
   1:	90                   	nop
   2:	90                   	nop
   3:	90                   	nop
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	f3 0f 1e fa          	endbr64
   f:	55                   	push   %rbp
  10:	48 89 e5             	mov    %rsp,%rbp
  13:	41 57                	push   %r15
  15:	41 56                	push   %r14
  17:	41 55                	push   %r13
  19:	41 54                	push   %r12
  1b:	53                   	push   %rbx
  1c:	48 83 e4 e0          	and    $0xffffffffffffffe0,%rsp
  20:	48 81 ec a0 00 00 00 	sub    $0xa0,%rsp
  27:	45 89 ce             	mov    %r9d,%r14d
* 2a:	4c 89 44 24 20       	mov    %r8,0x20(%rsp) <-- trapping instruction
  2f:	48 89 4c 24 10       	mov    %rcx,0x10(%rsp)
  34:	48 89 54 24 30       	mov    %rdx,0x30(%rsp)
  39:	48 89 74 24 08       	mov    %rsi,0x8(%rsp)
  3e:	48                   	rex.W
  3f:	89                   	.byte 0x89

Crashes (1):

| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/01/28 14:52 | upstream | 805ba04cb7cc | ac37c1f8 | .config | console log | report | | | | disk image (non-bootable), vmlinux, kernel image | ci-snapshot-upstream-root | BUG: stack guard page was hit in sys_mount |