syzbot


general protection fault in hrtimer_active (4)

Status: auto-obsoleted due to no activity on 2022/10/20 15:45
Subsystems: kernel
First crash: 725d, last: 615d
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream general protection fault in hrtimer_active (3) kernel syz done error 34 786d 1090d 20/26 fixed on 2022/03/08 16:11
upstream general protection fault in hrtimer_active (5) kernel C error 22 409d 413d 22/26 fixed on 2023/06/08 14:41
upstream general protection fault in hrtimer_active kernel C 669 2330d 2353d 3/26 fixed on 2017/11/28 03:36
upstream KASAN: null-ptr-deref Read in hrtimer_active kernel 7 128d 266d 0/26 closed as invalid on 2024/01/16 13:47
upstream general protection fault in hrtimer_active (2) kernel C 10612 2216d 2221d 4/26 fixed on 2018/03/06 13:29
linux-4.19 general protection fault in hrtimer_active C error 66 918d 1662d 0/1 upstream: reported C repro on 2019/09/09 21:23
upstream BUG: unable to handle kernel NULL pointer dereference in hrtimer_active kernel 1 47d 45d 26/26 fixed on 2024/03/27 19:12

Sample crash report:
bridge28: port 1(bridge_slave_1) entered disabled state
general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 2 PID: 32260 Comm: syz-executor.3 Not tainted 5.19.0-rc6-syzkaller-00115-g4a57a8400075 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:__seqprop_raw_spinlock_sequence include/linux/seqlock.h:274 [inline]
RIP: 0010:hrtimer_active+0x6b/0x1f0 kernel/time/hrtimer.c:1611
Code: 01 f0 48 89 44 24 10 e8 a3 f6 0f 00 48 8b 44 24 08 80 38 00 0f 85 71 01 00 00 49 8b 6d 30 48 8d 45 10 48 89 04 24 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 03 0f 8e 42 01 00 00 8b 5d 10 31 ff
RSP: 0018:ffffc90024056de8 EFLAGS: 00010202
RAX: 0000000000000002 RBX: ffff88806b6c0120 RCX: ffffc9000d0d1000
RDX: 0000000000040000 RSI: ffffffff816a743d RDI: ffff88806b6c0120
RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000004
R10: 0000000000000004 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88806b6c0120 R14: dffffc0000000000 R15: ffffed100d6d8002
FS:  0000000000000000(0000) GS:ffff88802ca00000(0063) knlGS:00000000f7fd0b40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00007f0122da18e0 CR3: 0000000075a47000 CR4: 0000000000152ee0
Call Trace:
 <TASK>
 hrtimer_try_to_cancel+0x21/0x1e0 kernel/time/hrtimer.c:1328
 hrtimer_cancel+0x13/0x40 kernel/time/hrtimer.c:1443
 napi_disable+0xc8/0x120 net/core/dev.c:6413
 veth_napi_del_range+0xc5/0x560 drivers/net/veth.c:1044
 veth_napi_del drivers/net/veth.c:1059 [inline]
 veth_set_features+0x156/0x190 drivers/net/veth.c:1487
 __netdev_update_features+0x801/0x1980 net/core/dev.c:9709
 netdev_update_features net/core/dev.c:9783 [inline]
 dev_disable_lro+0x8d/0x3e0 net/core/dev.c:1588
 br_add_if+0xc13/0x1d80 net/bridge/br_if.c:646
 do_set_master+0x1c8/0x220 net/core/rtnetlink.c:2577
 do_setlink+0x9e7/0x3bb0 net/core/rtnetlink.c:2787
 __rtnl_newlink+0xd6a/0x17e0 net/core/rtnetlink.c:3546
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3593
 rtnetlink_rcv_msg+0x43a/0xc90 net/core/rtnetlink.c:6089
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:734
 ____sys_sendmsg+0x6eb/0x810 net/socket.c:2488
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2542
 __sys_sendmsg+0xec/0x1b0 net/socket.c:2571
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x70/0x82
RIP: 0023:0xf7fd5549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f7fd05cc EFLAGS: 00000296 ORIG_RAX: 0000000000000172
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000020000300
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__seqprop_raw_spinlock_sequence include/linux/seqlock.h:274 [inline]
RIP: 0010:hrtimer_active+0x6b/0x1f0 kernel/time/hrtimer.c:1611
Code: 01 f0 48 89 44 24 10 e8 a3 f6 0f 00 48 8b 44 24 08 80 38 00 0f 85 71 01 00 00 49 8b 6d 30 48 8d 45 10 48 89 04 24 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 03 0f 8e 42 01 00 00 8b 5d 10 31 ff
RSP: 0018:ffffc90024056de8 EFLAGS: 00010202
RAX: 0000000000000002 RBX: ffff88806b6c0120 RCX: ffffc9000d0d1000
RDX: 0000000000040000 RSI: ffffffff816a743d RDI: ffff88806b6c0120
RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000004
R10: 0000000000000004 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88806b6c0120 R14: dffffc0000000000 R15: ffffed100d6d8002
FS:  0000000000000000(0000) GS:ffff88802ca00000(0063) knlGS:00000000f7fd0b40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00007f0122da18e0 CR3: 0000000075a47000 CR4: 0000000000152ee0
----------------
Code disassembly (best guess):
   0:	01 f0                	add    %esi,%eax
   2:	48 89 44 24 10       	mov    %rax,0x10(%rsp)
   7:	e8 a3 f6 0f 00       	callq  0xff6af
   c:	48 8b 44 24 08       	mov    0x8(%rsp),%rax
  11:	80 38 00             	cmpb   $0x0,(%rax)
  14:	0f 85 71 01 00 00    	jne    0x18b
  1a:	49 8b 6d 30          	mov    0x30(%r13),%rbp
  1e:	48 8d 45 10          	lea    0x10(%rbp),%rax
  22:	48 89 04 24          	mov    %rax,(%rsp)
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 0f b6 04 30       	movzbl (%rax,%r14,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	74 08                	je     0x3b
  33:	3c 03                	cmp    $0x3,%al
  35:	0f 8e 42 01 00 00    	jle    0x17d
  3b:	8b 5d 10             	mov    0x10(%rbp),%ebx
  3e:	31 ff                	xor    %edi,%edi

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2022/07/22 15:37 upstream 4a57a8400075 22343af4 .config console log report info ci-qemu-upstream-386 general protection fault in hrtimer_active
2022/05/02 07:57 upstream 672c0c517342 2df221f6 .config console log report info ci-qemu-upstream-386 general protection fault in hrtimer_active
2022/04/27 09:28 upstream 46cf2c613f4b 1fa34c1b .config console log report info ci-qemu-upstream-386 general protection fault in hrtimer_active
2022/04/17 11:48 upstream a2c29ccd9477 8bcc32a6 .config console log report info ci-qemu-upstream-386 general protection fault in hrtimer_active
2022/04/04 00:26 upstream 09bb8856d4a7 79a2a8fc .config console log report info ci-qemu-upstream-386 general protection fault in hrtimer_active
2022/06/24 01:29 net-old 12378a5a75e3 912f5df7 .config console log report info ci-upstream-net-this-kasan-gce general protection fault in hrtimer_active
2022/06/23 19:18 net-old 12378a5a75e3 912f5df7 .config console log report info ci-upstream-net-this-kasan-gce general protection fault in hrtimer_active