syzbot


BUG: stack guard page was hit in worker_thread

Status: upstream: reported on 2025/03/23 22:29
Subsystems: net
Reported-by: syzbot+b6d2e10bf4503ebcd631@syzkaller.appspotmail.com
First crash: 6d03h, last: 3d20h
Discussions (1):
Title | Replies (including bot) | Last reply
[syzbot] [net?] BUG: stack guard page was hit in worker_thread | 0 (1) | 2025/03/23 22:29

Sample crash report:
BUG: TASK stack guard page was hit at ffffc9000c1bff18 (stack is ffffc9000c1c0000..ffffc9000c1c8000)
Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 7350 Comm: kworker/u8:22 Not tainted 6.14.0-rc7-syzkaller-00138-gf653b608f783 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: bond2 bond_resend_igmp_join_requests_delayed
RIP: 0010:lock_acquire+0x1c/0x550 kernel/locking/lockdep.c:5819
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0 48 81 ec 20 01 00 00 <4c> 89 4c 24 28 4c 89 44 24 38 48 89 4c 24 30 89 54 24 1c 41 89 f6
RSP: 0018:ffffc9000c1bff20 EFLAGS: 00010082
RAX: 0000000000001c08 RBX: 1ffff92001838014 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88813fffc298
RBP: ffffc9000c1c0068 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff2079f6f R12: 0000000000000246
R13: 1ffff92001838010 R14: ffff88813fffc280 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000c1bff18 CR3: 000000002a12a000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <#DF>
 </#DF>
 <TASK>
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
 rmqueue_buddy mm/page_alloc.c:2910 [inline]
 rmqueue mm/page_alloc.c:3083 [inline]
 get_page_from_freelist+0xb3d/0x37a0 mm/page_alloc.c:3474
 __alloc_frozen_pages_noprof+0x292/0x710 mm/page_alloc.c:4740
 __alloc_pages_noprof+0xa/0x30 mm/page_alloc.c:4774
 __alloc_pages_node_noprof include/linux/gfp.h:265 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:292 [inline]
 ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4239
 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4266
 __do_kmalloc_node mm/slub.c:4282 [inline]
 __kmalloc_node_track_caller_noprof+0x335/0x4c0 mm/slub.c:4313
 kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:537
 pskb_expand_head+0x1ee/0x1470 net/core/skbuff.c:2185
 __skb_cow include/linux/skbuff.h:3769 [inline]
 skb_cow_head include/linux/skbuff.h:3803 [inline]
 gre_tap_xmit+0x4aa/0x800 net/ipv4/ip_gre.c:769
 __netdev_start_xmit include/linux/netdevice.h:5151 [inline]
 netdev_start_xmit include/linux/netdevice.h:5160 [inline]
 xmit_one net/core/dev.c:3800 [inline]
 dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3816
 sch_direct_xmit+0x29c/0x5d0 net/sched/sch_generic.c:343
 __dev_xmit_skb net/core/dev.c:4042 [inline]
 __dev_queue_xmit+0x1a8f/0x3f50 net/core/dev.c:4618
 dev_queue_xmit include/linux/netdevice.h:3313 [inline]
 bond_dev_queue_xmit+0x147/0x250 drivers/net/bonding/bond_main.c:309
 __bond_start_xmit drivers/net/bonding/bond_main.c:5583 [inline]
 bond_start_xmit+0xcb0/0x1c40 drivers/net/bonding/bond_main.c:5605
 __netdev_start_xmit include/linux/netdevice.h:5151 [inline]
 netdev_start_xmit include/linux/netdevice.h:5160 [inline]
 xmit_one net/core/dev.c:3800 [inline]
 dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3816
 __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4652
 dev_queue_xmit include/linux/netdevice.h:3313 [inline]
 neigh_hh_output include/net/neighbour.h:523 [inline]
 neigh_output include/net/neighbour.h:537 [inline]
 ip_finish_output2+0xcd3/0x12e0 net/ipv4/ip_output.c:236
 iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x1dbf/0x2560 net/ipv4/ip_tunnel.c:858
 __gre_xmit net/ipv4/ip_gre.c:484 [inline]
 gre_tap_xmit+0x641/0x800 net/ipv4/ip_gre.c:772
 __netdev_start_xmit include/linux/netdevice.h:5151 [inline]
 netdev_start_xmit include/linux/netdevice.h:5160 [inline]
 xmit_one net/core/dev.c:3800 [inline]
 dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3816
 sch_direct_xmit+0x29c/0x5d0 net/sched/sch_generic.c:343
 __dev_xmit_skb net/core/dev.c:4042 [inline]
 __dev_queue_xmit+0x1a8f/0x3f50 net/core/dev.c:4618
 dev_queue_xmit include/linux/netdevice.h:3313 [inline]
 bond_dev_queue_xmit+0x147/0x250 drivers/net/bonding/bond_main.c:309
 __bond_start_xmit drivers/net/bonding/bond_main.c:5583 [inline]
 bond_start_xmit+0xcb0/0x1c40 drivers/net/bonding/bond_main.c:5605
 __netdev_start_xmit include/linux/netdevice.h:5151 [inline]
 netdev_start_xmit include/linux/netdevice.h:5160 [inline]
 xmit_one net/core/dev.c:3800 [inline]
 dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3816
 __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4652
 dev_queue_xmit include/linux/netdevice.h:3313 [inline]
 neigh_hh_output include/net/neighbour.h:523 [inline]
 neigh_output include/net/neighbour.h:537 [inline]
 ip_finish_output2+0xcd3/0x12e0 net/ipv4/ip_output.c:236
 iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x1dbf/0x2560 net/ipv4/ip_tunnel.c:858
 __gre_xmit net/ipv4/ip_gre.c:484 [inline]
 gre_tap_xmit+0x641/0x800 net/ipv4/ip_gre.c:772
 __netdev_start_xmit include/linux/netdevice.h:5151 [inline]
 netdev_start_xmit include/linux/netdevice.h:5160 [inline]
 xmit_one net/core/dev.c:3800 [inline]
 dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3816
 sch_direct_xmit+0x29c/0x5d0 net/sched/sch_generic.c:343
 __dev_xmit_skb net/core/dev.c:4042 [inline]
 __dev_queue_xmit+0x1a8f/0x3f50 net/core/dev.c:4618
 dev_queue_xmit include/linux/netdevice.h:3313 [inline]
 bond_dev_queue_xmit+0x147/0x250 drivers/net/bonding/bond_main.c:309
 __bond_start_xmit drivers/net/bonding/bond_main.c:5583 [inline]
 bond_start_xmit+0xcb0/0x1c40 drivers/net/bonding/bond_main.c:5605
 __netdev_start_xmit include/linux/netdevice.h:5151 [inline]
 netdev_start_xmit include/linux/netdevice.h:5160 [inline]
 xmit_one net/core/dev.c:3800 [inline]
 dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3816
 __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4652
 dev_queue_xmit include/linux/netdevice.h:3313 [inline]
 neigh_hh_output include/net/neighbour.h:523 [inline]
 neigh_output include/net/neighbour.h:537 [inline]
 ip_finish_output2+0xcd3/0x12e0 net/ipv4/ip_output.c:236
 iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x1dbf/0x2560 net/ipv4/ip_tunnel.c:858
 __gre_xmit net/ipv4/ip_gre.c:484 [inline]
 gre_tap_xmit+0x641/0x800 net/ipv4/ip_gre.c:772
 __netdev_start_xmit include/linux/netdevice.h:5151 [inline]
 netdev_start_xmit include/linux/netdevice.h:5160 [inline]
 xmit_one net/core/dev.c:3800 [inline]
 dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3816
 sch_direct_xmit+0x29c/0x5d0 net/sched/sch_generic.c:343
 __dev_xmit_skb net/core/dev.c:4042 [inline]
 __dev_queue_xmit+0x1a8f/0x3f50 net/core/dev.c:4618
 dev_queue_xmit include/linux/netdevice.h:3313 [inline]
 bond_dev_queue_xmit+0x147/0x250 drivers/net/bonding/bond_main.c:309
 __bond_start_xmit drivers/net/bonding/bond_main.c:5583 [inline]
 bond_start_xmit+0xcb0/0x1c40 drivers/net/bonding/bond_main.c:5605
 __netdev_start_xmit include/linux/netdevice.h:5151 [inline]
 netdev_start_xmit include/linux/netdevice.h:5160 [inline]
 xmit_one net/core/dev.c:3800 [inline]
 dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3816
 __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4652
 dev_queue_xmit include/linux/netdevice.h:3313 [inline]
 neigh_hh_output include/net/neighbour.h:523 [inline]
 neigh_output include/net/neighbour.h:537 [inline]
 ip_finish_output2+0xcd3/0x12e0 net/ipv4/ip_output.c:236
 iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x1dbf/0x2560 net/ipv4/ip_tunnel.c:858
 __gre_xmit net/ipv4/ip_gre.c:484 [inline]
 gre_tap_xmit+0x641/0x800 net/ipv4/ip_gre.c:772
 __netdev_start_xmit include/linux/netdevice.h:5151 [inline]
 netdev_start_xmit include/linux/netdevice.h:5160 [inline]
 xmit_one net/core/dev.c:3800 [inline]
 dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3816
 sch_direct_xmit+0x29c/0x5d0 net/sched/sch_generic.c:343
 __dev_xmit_skb net/core/dev.c:4042 [inline]
 __dev_queue_xmit+0x1a8f/0x3f50 net/core/dev.c:4618
 dev_queue_xmit include/linux/netdevice.h:3313 [inline]
 bond_dev_queue_xmit+0x147/0x250 drivers/net/bonding/bond_main.c:309
 __bond_start_xmit drivers/net/bonding/bond_main.c:5583 [inline]
 bond_start_xmit+0xcb0/0x1c40 drivers/net/bonding/bond_main.c:5605
 __netdev_start_xmit include/linux/netdevice.h:5151 [inline]
 netdev_start_xmit include/linux/netdevice.h:5160 [inline]
 xmit_one net/core/dev.c:3800 [inline]
 dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3816
 __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4652
 dev_queue_xmit include/linux/netdevice.h:3313 [inline]
 neigh_hh_output include/net/neighbour.h:523 [inline]
 neigh_output include/net/neighbour.h:537 [inline]
 ip_finish_output2+0xcd3/0x12e0 net/ipv4/ip_output.c:236
 iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x1dbf/0x2560 net/ipv4/ip_tunnel.c:858
 __gre_xmit net/ipv4/ip_gre.c:484 [inline]
 gre_tap_xmit+0x641/0x800 net/ipv4/ip_gre.c:772
 __netdev_start_xmit include/linux/netdevice.h:5151 [inline]
 netdev_start_xmit include/linux/netdevice.h:5160 [inline]
 xmit_one net/core/dev.c:3800 [inline]
 dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3816
 sch_direct_xmit+0x29c/0x5d0 net/sched/sch_generic.c:343
 __dev_xmit_skb net/core/dev.c:4042 [inline]
 __dev_queue_xmit+0x1a8f/0x3f50 net/core/dev.c:4618
 dev_queue_xmit include/linux/netdevice.h:3313 [inline]
 bond_dev_queue_xmit+0x147/0x250 drivers/net/bonding/bond_main.c:309
 __bond_start_xmit drivers/net/bonding/bond_main.c:5583 [inline]
 bond_start_xmit+0xcb0/0x1c40 drivers/net/bonding/bond_main.c:5605
 __netdev_start_xmit include/linux/netdevice.h:5151 [inline]
 netdev_start_xmit include/linux/netdevice.h:5160 [inline]
 xmit_one net/core/dev.c:3800 [inline]
 dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3816
 __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4652
 dev_queue_xmit include/linux/netdevice.h:3313 [inline]
 neigh_hh_output include/net/neighbour.h:523 [inline]
 neigh_output include/net/neighbour.h:537 [inline]
 ip_finish_output2+0xcd3/0x12e0 net/ipv4/ip_output.c:236
 iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x1dbf/0x2560 net/ipv4/ip_tunnel.c:858
 __gre_xmit net/ipv4/ip_gre.c:484 [inline]
 gre_tap_xmit+0x641/0x800 net/ipv4/ip_gre.c:772
 __netdev_start_xmit include/linux/netdevice.h:5151 [inline]
 netdev_start_xmit include/linux/netdevice.h:5160 [inline]
 xmit_one net/core/dev.c:3800 [inline]
 dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3816
 sch_direct_xmit+0x29c/0x5d0 net/sched/sch_generic.c:343
 __dev_xmit_skb net/core/dev.c:4042 [inline]
 __dev_queue_xmit+0x1a8f/0x3f50 net/core/dev.c:4618
 dev_queue_xmit include/linux/netdevice.h:3313 [inline]
 bond_dev_queue_xmit+0x147/0x250 drivers/net/bonding/bond_main.c:309
 __bond_start_xmit drivers/net/bonding/bond_main.c:5583 [inline]
 bond_start_xmit+0xcb0/0x1c40 drivers/net/bonding/bond_main.c:5605
 __netdev_start_xmit include/linux/netdevice.h:5151 [inline]
 netdev_start_xmit include/linux/netdevice.h:5160 [inline]
 xmit_one net/core/dev.c:3800 [inline]
 dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3816
 __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4652
 neigh_output include/net/neighbour.h:539 [inline]
 ip6_finish_output2+0x12bc/0x17c0 net/ipv6/ip6_output.c:141
 ip6_finish_output+0x41e/0x840 net/ipv6/ip6_output.c:226
 NF_HOOK+0x9e/0x430 include/linux/netfilter.h:314
 mld_sendpack+0x843/0xdb0 net/ipv6/mcast.c:1868
 ipv6_mc_rejoin_groups net/ipv6/mcast.c:2878 [inline]
 ipv6_mc_netdev_event+0x1cf/0x5d0 net/ipv6/mcast.c:2893
 notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2244 [inline]
 call_netdevice_notifiers+0xb6/0xf0 net/core/dev.c:2258
 bond_resend_igmp_join_requests_delayed+0x63/0x180 drivers/net/bonding/bond_main.c:970
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xabe/0x18e0 kernel/workqueue.c:3319
 worker_thread+0x870/0xd30 kernel/workqueue.c:3400
 kthread+0x7a9/0x920 kernel/kthread.c:464
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:lock_acquire+0x1c/0x550 kernel/locking/lockdep.c:5819
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0 48 81 ec 20 01 00 00 <4c> 89 4c 24 28 4c 89 44 24 38 48 89 4c 24 30 89 54 24 1c 41 89 f6
RSP: 0018:ffffc9000c1bff20 EFLAGS: 00010082
RAX: 0000000000001c08 RBX: 1ffff92001838014 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88813fffc298
RBP: ffffc9000c1c0068 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff2079f6f R12: 0000000000000246
R13: 1ffff92001838010 R14: ffff88813fffc280 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000c1bff18 CR3: 000000002a12a000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	90                   	nop
   1:	90                   	nop
   2:	90                   	nop
   3:	90                   	nop
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	f3 0f 1e fa          	endbr64
  12:	55                   	push   %rbp
  13:	48 89 e5             	mov    %rsp,%rbp
  16:	41 57                	push   %r15
  18:	41 56                	push   %r14
  1a:	41 55                	push   %r13
  1c:	41 54                	push   %r12
  1e:	53                   	push   %rbx
  1f:	48 83 e4 e0          	and    $0xffffffffffffffe0,%rsp
  23:	48 81 ec 20 01 00 00 	sub    $0x120,%rsp
* 2a:	4c 89 4c 24 28       	mov    %r9,0x28(%rsp) <-- trapping instruction
  2f:	4c 89 44 24 38       	mov    %r8,0x38(%rsp)
  34:	48 89 4c 24 30       	mov    %rcx,0x30(%rsp)
  39:	89 54 24 1c          	mov    %edx,0x1c(%rsp)
  3d:	41 89 f6             	mov    %esi,%r14d

Crashes (2):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2025/03/22 01:00 | net | f653b608f783 | 62330552 | .config | console log | report | - | - | info | [disk image] [vmlinux] [kernel image] | ci-upstream-net-this-kasan-gce | BUG: stack guard page was hit in worker_thread
2025/03/19 18:32 | net | d9c743b6990b | 8d0a2921 | .config | console log | report | - | - | info | [disk image] [vmlinux] [kernel image] | ci-upstream-net-this-kasan-gce | BUG: stack guard page was hit in worker_thread