syzbot

 sign-in | mailing list | source | docs
🐞 Open [1584]
Subsystems
🐞 Fixed [6222]
🐞 Invalid [15735]
Missing Backports [181]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

BUG: unable to handle kernel paging request in put_child (2)

Status: moderation: reported on 2025/05/09 18:54
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+95dc7d794f1048023879@syzkaller.appspotmail.com
First crash: 4d21h, last: 4d21h
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: unable to handle kernel paging request in put_child net syz 1 129d 129d 0/28 closed as invalid on 2025/01/31 05:08

Sample crash report:
bridge0: port 1(bridge_slave_0) entered disabled state
BUG: unable to handle page fault for address: ffffed10b17c9005
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23ffee067 P4D 23ffee067 PUD 0 
Oops: Oops: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 1308 Comm: kworker/u8:6 Not tainted 6.15.0-rc4-syzkaller-00746-g836b313a14a3 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
Workqueue: netns cleanup_net
RIP: 0010:put_child+0xb4/0x790 net/ipv4/fib_trie.c:415
Code: 48 c7 c2 60 b7 7a 8c e8 0a ac b8 f7 48 b9 00 00 00 00 00 fc ff df 4f 8d 3c ee 49 83 c7 08 4c 89 f8 48 c1 e8 03 48 89 44 24 10 <80> 3c 08 00 74 12 4c 89 ff e8 2e 29 3c f8 48 b9 00 00 00 00 00 fc
RSP: 0018:ffffc90004557390 EFLAGS: 00010a06
RAX: 1ffff110b17c9005 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffff888027333c00 R09: 0000000000000003
R10: 0000000000000006 R11: 0000000000000000 R12: dffffc0000000000
R13: 00000000ac141400 R14: ffff88802b43e020 R15: ffff88858be48028
FS:  0000000000000000(0000) GS:ffff8881261c1000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed10b17c9005 CR3: 000000004bb2a000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 put_child_root net/ipv4/fib_trie.c:469 [inline]
 fib_table_flush+0xf84/0x11a0 net/ipv4/fib_trie.c:2079
 fib_flush net/ipv4/fib_frontend.c:195 [inline]
 fib_disable_ip+0xfd/0x170 net/ipv4/fib_frontend.c:1455
 fib_netdev_event+0x318/0x490 net/ipv4/fib_frontend.c:-1
 notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2266 [inline]
 call_netdevice_notifiers net/core/dev.c:2280 [inline]
 dev_close_many+0x29c/0x410 net/core/dev.c:1783
 unregister_netdevice_many_notify+0x834/0x2320 net/core/dev.c:12006
 ops_exit_rtnl_list net/core/net_namespace.c:188 [inline]
 ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:249
 cleanup_net+0x4c5/0x8a0 net/core/net_namespace.c:686
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xadb/0x17a0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
CR2: ffffed10b17c9005
---[ end trace 0000000000000000 ]---
RIP: 0010:put_child+0xb4/0x790 net/ipv4/fib_trie.c:415
Code: 48 c7 c2 60 b7 7a 8c e8 0a ac b8 f7 48 b9 00 00 00 00 00 fc ff df 4f 8d 3c ee 49 83 c7 08 4c 89 f8 48 c1 e8 03 48 89 44 24 10 <80> 3c 08 00 74 12 4c 89 ff e8 2e 29 3c f8 48 b9 00 00 00 00 00 fc
RSP: 0018:ffffc90004557390 EFLAGS: 00010a06
RAX: 1ffff110b17c9005 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffff888027333c00 R09: 0000000000000003
R10: 0000000000000006 R11: 0000000000000000 R12: dffffc0000000000
R13: 00000000ac141400 R14: ffff88802b43e020 R15: ffff88858be48028
FS:  0000000000000000(0000) GS:ffff8881261c1000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed10b17c9005 CR3: 000000004bb2a000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	48 c7 c2 60 b7 7a 8c 	mov    $0xffffffff8c7ab760,%rdx
   7:	e8 0a ac b8 f7       	call   0xf7b8ac16
   c:	48 b9 00 00 00 00 00 	movabs $0xdffffc0000000000,%rcx
  13:	fc ff df
  16:	4f 8d 3c ee          	lea    (%r14,%r13,8),%r15
  1a:	49 83 c7 08          	add    $0x8,%r15
  1e:	4c 89 f8             	mov    %r15,%rax
  21:	48 c1 e8 03          	shr    $0x3,%rax
  25:	48 89 44 24 10       	mov    %rax,0x10(%rsp)
* 2a:	80 3c 08 00          	cmpb   $0x0,(%rax,%rcx,1) <-- trapping instruction
  2e:	74 12                	je     0x42
  30:	4c 89 ff             	mov    %r15,%rdi
  33:	e8 2e 29 3c f8       	call   0xf83c2966
  38:	48                   	rex.W
  39:	b9 00 00 00 00       	mov    $0x0,%ecx
  3e:	00 fc                	add    %bh,%ah

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/05/05 18:47 net-next 836b313a14a3 6ca47dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce BUG: unable to handle kernel paging request in put_child
* Struck through repros no longer work on HEAD.