syzbot

BUG: unable to handle kernel paging request in lock_timer_base (2)

Status: moderation: reported on 2024/12/20 09:27
Subsystems: kernel
Reported-by: syzbot+bf36934adc7979488192@syzkaller.appspotmail.com
First crash: 14d, last: 14d
Similar bugs (5)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-4.14 | general protection fault in lock_timer_base (3) | | | | 2 | 1398d | 1415d | 0/1 | auto-closed as invalid on 2021/06/30 20:28
upstream | BUG: unable to handle kernel paging request in lock_timer_base (net) | | | | 1 | 2567d | 2565d | 0/28 | closed as invalid on 2018/02/13 20:06
upstream | KASAN: slab-use-after-free Read in lock_timer_base (mptcp) | | | | 1 | 120d | 118d | 0/28 | closed as dup on 2024/09/09 15:31
linux-4.14 | general protection fault in lock_timer_base (4) | | | | 2 | 969d | 976d | 0/1 | auto-obsoleted due to no activity on 2022/09/03 04:12
upstream | UBSAN: array-index-out-of-bounds in lock_timer_base (bcachefs kvm) | | | | 4 | 196d | 210d | 26/28 | fixed on 2024/07/09 19:14

Sample crash report:
BUG: unable to handle page fault for address: ffffffff9175c704
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD e73a067 P4D e73a067 PUD e73b063 PMD 14d9c9063 PTE 800fffffee8a3062
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 51 Comm: kworker/1:1 Not tainted 6.13.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
Workqueue: rcu_gp process_srcu
RIP: 0010:debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
RIP: 0010:do_raw_spin_lock+0x8b/0x370 kernel/locking/spinlock_debug.c:115
Code: f1 f1 f1 04 f3 f3 f3 48 89 f1 48 89 74 24 38 48 89 04 16 48 8d 5f 04 48 89 d8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 f6 01 00 00 <8b> 03 3d ad 4e ad de 0f 85 62 01 00 00 4d 8d 6c 24 10 4c 89 e8 48
RSP: 0018:ffffc90000bb77a0 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffffffff9175c704 RCX: 1ffff92000176efc
RDX: dffffc0000000000 RSI: 1ffff92000176efc RDI: ffffffff9175c700
RBP: ffffc90000bb7870 R08: ffffffff90184ef7 R09: 1ffffffff20309de
R10: dffffc0000000000 R11: fffffbfff20309df R12: ffffffff9175c700
R13: 1ffff92000176f10 R14: ffffffff9175c700 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff9175c704 CR3: 00000000684e8000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
 _raw_spin_lock_irqsave+0xe1/0x120 kernel/locking/spinlock.c:162
 lock_timer_base+0x112/0x240 kernel/time/timer.c:1050
 __mod_timer+0x1ca/0xeb0 kernel/time/timer.c:1131
 srcu_queue_delayed_work_on kernel/rcu/srcutree.c:834 [inline]
 srcu_schedule_cbs_sdp kernel/rcu/srcutree.c:843 [inline]
 srcu_gp_end kernel/rcu/srcutree.c:910 [inline]
 srcu_advance_state kernel/rcu/srcutree.c:1747 [inline]
 process_srcu+0x542/0x12e0 kernel/rcu/srcutree.c:1851
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
CR2: ffffffff9175c704
---[ end trace 0000000000000000 ]---
RIP: 0010:debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
RIP: 0010:do_raw_spin_lock+0x8b/0x370 kernel/locking/spinlock_debug.c:115
Code: f1 f1 f1 04 f3 f3 f3 48 89 f1 48 89 74 24 38 48 89 04 16 48 8d 5f 04 48 89 d8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 f6 01 00 00 <8b> 03 3d ad 4e ad de 0f 85 62 01 00 00 4d 8d 6c 24 10 4c 89 e8 48
RSP: 0018:ffffc90000bb77a0 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffffffff9175c704 RCX: 1ffff92000176efc
RDX: dffffc0000000000 RSI: 1ffff92000176efc RDI: ffffffff9175c700
RBP: ffffc90000bb7870 R08: ffffffff90184ef7 R09: 1ffffffff20309de
R10: dffffc0000000000 R11: fffffbfff20309df R12: ffffffff9175c700
R13: 1ffff92000176f10 R14: ffffffff9175c700 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff9175c704 CR3: 00000000684e8000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	f1                   	int1
   1:	f1                   	int1
   2:	f1                   	int1
   3:	04 f3                	add    $0xf3,%al
   5:	f3 f3 48 89 f1       	repz repz mov %rsi,%rcx
   a:	48 89 74 24 38       	mov    %rsi,0x38(%rsp)
   f:	48 89 04 16          	mov    %rax,(%rsi,%rdx,1)
  13:	48 8d 5f 04          	lea    0x4(%rdi),%rbx
  17:	48 89 d8             	mov    %rbx,%rax
  1a:	48 c1 e8 03          	shr    $0x3,%rax
  1e:	0f b6 04 10          	movzbl (%rax,%rdx,1),%eax
  22:	84 c0                	test   %al,%al
  24:	0f 85 f6 01 00 00    	jne    0x220
* 2a:	8b 03                	mov    (%rbx),%eax <-- trapping instruction
  2c:	3d ad 4e ad de       	cmp    $0xdead4ead,%eax
  31:	0f 85 62 01 00 00    	jne    0x199
  37:	4d 8d 6c 24 10       	lea    0x10(%r12),%r13
  3c:	4c 89 e8             	mov    %r13,%rax
  3f:	48                   	rex.W

Crashes (1):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2024/12/16 09:18 | upstream | 78d4f34e2115 | 7cbfbb3a | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-fs | BUG: unable to handle kernel paging request in lock_timer_base