From: syzbot <syzbot+21f2b8753d8bfc6bb816@syzkaller.appspotmail.com>
To: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
miklos@szeredi.hu, reiserfs-devel@vger.kernel.org,
syzkaller-bugs@googlegroups.com, tglx@linutronix.de
Subject: [syzbot] [reiserfs?] [fat?] [fuse?] general protection fault in timerqueue_add (4)
Date: Sat, 25 Feb 2023 19:51:42 -0800 [thread overview]
Message-ID: <000000000000d7894b05f5924787@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: 4a7d37e824f5 Merge tag 'hardening-v6.3-rc1' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11fbf928c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=8b969c5af147d31c
dashboard link: https://syzkaller.appspot.com/bug?extid=21f2b8753d8bfc6bb816
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17c64f20c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13734ba0c80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6c3d867561ee/disk-4a7d37e8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/422516721d17/vmlinux-4a7d37e8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/164340e12ac4/bzImage-4a7d37e8.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/71954e6c3886/mount_1.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/89d5f0b5f58a/mount_5.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+21f2b8753d8bfc6bb816@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xe3fffb24000f33f5: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0x1ffff92000799fa8-0x1ffff92000799faf]
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.2.0-syzkaller-02299-g4a7d37e824f5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
RIP: 0010:__timerqueue_less lib/timerqueue.c:22 [inline]
RIP: 0010:rb_add_cached include/linux/rbtree.h:174 [inline]
RIP: 0010:timerqueue_add+0xf7/0x330 lib/timerqueue.c:40
Code: 48 c1 ea 03 42 80 3c 22 00 0f 85 c4 01 00 00 49 8b 17 48 85 d2 74 40 48 89 d3 e8 44 f1 c3 f7 48 8d 7b 18 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 ab 01 00 00 4c 8b 7b 18 4c 89 ef 4c 89 fe e8
RSP: 0018:ffffc900001e0da8 EFLAGS: 00010017
RAX: 03ffff24000f33f5 RBX: 1ffff92000799f95 RCX: 0000000000000000
RDX: ffff88813feb1d40 RSI: ffffffff89bdeb3c RDI: 1ffff92000799fad
RBP: ffff8880b992c0e0 R08: 0000000000000006 R09: 00000009dd72e480
R10: ffffc90003c9f5f8 R11: 0000000000000000 R12: dffffc0000000000
R13: 00000009dd72e480 R14: 0000000000000000 R15: ffffc90003ccfc58
FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f16907af000 CR3: 000000001de6d000 CR4: 0000000000350ee0
Call Trace:
<IRQ>
enqueue_hrtimer+0x1aa/0x490 kernel/time/hrtimer.c:1091
__run_hrtimer kernel/time/hrtimer.c:1702 [inline]
__hrtimer_run_queues+0xc71/0x1010 kernel/time/hrtimer.c:1749
hrtimer_interrupt+0x320/0x790 kernel/time/hrtimer.c:1811
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1096 [inline]
__sysvec_apic_timer_interrupt+0x180/0x660 arch/x86/kernel/apic/apic.c:1113
sysvec_apic_timer_interrupt+0x92/0xc0 arch/x86/kernel/apic/apic.c:1107
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:72 [inline]
RIP: 0010:acpi_safe_halt+0x40/0x50 drivers/acpi/processor_idle.c:113
Code: eb 03 83 e3 01 89 de 0f 1f 44 00 00 84 db 75 1b 0f 1f 44 00 00 eb 0c 0f 1f 44 00 00 0f 00 2d e7 5a a8 00 0f 1f 44 00 00 fb f4 <fa> 5b c3 cc 0f 1f 00 66 0f 1f 84 00 00 00 00 00 55 48 89 fd 53 0f
RSP: 0018:ffffc90000177d10 EFLAGS: 00000246
RAX: ffff88813feb1d40 RBX: 0000000000000000 RCX: ffffffff8a096b45
RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8880179b1864 R08: 0000000000000001 R09: ffff8880b993606b
R10: ffffed1017326c0d R11: 0000000000000000 R12: 0000000000000001
R13: ffff8880179b1800 R14: ffff8880179b1864 R15: 0000000000000000
acpi_idle_do_entry+0x53/0x70 drivers/acpi/processor_idle.c:573
acpi_idle_enter+0x173/0x290 drivers/acpi/processor_idle.c:711
cpuidle_enter_state+0xd3/0x6f0 drivers/cpuidle/cpuidle.c:267
cpuidle_enter+0x4e/0xa0 drivers/cpuidle/cpuidle.c:388
cpuidle_idle_call kernel/sched/idle.c:215 [inline]
do_idle+0x348/0x440 kernel/sched/idle.c:282
cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:379
start_secondary+0x256/0x300 arch/x86/kernel/smpboot.c:264
secondary_startup_64_no_verify+0xce/0xdb
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__timerqueue_less lib/timerqueue.c:22 [inline]
RIP: 0010:rb_add_cached include/linux/rbtree.h:174 [inline]
RIP: 0010:timerqueue_add+0xf7/0x330 lib/timerqueue.c:40
Code: 48 c1 ea 03 42 80 3c 22 00 0f 85 c4 01 00 00 49 8b 17 48 85 d2 74 40 48 89 d3 e8 44 f1 c3 f7 48 8d 7b 18 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 ab 01 00 00 4c 8b 7b 18 4c 89 ef 4c 89 fe e8
RSP: 0018:ffffc900001e0da8 EFLAGS: 00010017
RAX: 03ffff24000f33f5 RBX: 1ffff92000799f95 RCX: 0000000000000000
RDX: ffff88813feb1d40 RSI: ffffffff89bdeb3c RDI: 1ffff92000799fad
RBP: ffff8880b992c0e0 R08: 0000000000000006 R09: 00000009dd72e480
R10: ffffc90003c9f5f8 R11: 0000000000000000 R12: dffffc0000000000
R13: 00000009dd72e480 R14: 0000000000000000 R15: ffffc90003ccfc58
FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f16907af000 CR3: 000000001de6d000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess):
0: 48 c1 ea 03 shr $0x3,%rdx
4: 42 80 3c 22 00 cmpb $0x0,(%rdx,%r12,1)
9: 0f 85 c4 01 00 00 jne 0x1d3
f: 49 8b 17 mov (%r15),%rdx
12: 48 85 d2 test %rdx,%rdx
15: 74 40 je 0x57
17: 48 89 d3 mov %rdx,%rbx
1a: e8 44 f1 c3 f7 callq 0xf7c3f163
1f: 48 8d 7b 18 lea 0x18(%rbx),%rdi
23: 48 89 f8 mov %rdi,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
2f: 0f 85 ab 01 00 00 jne 0x1e0
35: 4c 8b 7b 18 mov 0x18(%rbx),%r15
39: 4c 89 ef mov %r13,%rdi
3c: 4c 89 fe mov %r15,%rsi
3f: e8 .byte 0xe8
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
next reply other threads:[~2023-02-26 3:54 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-26 3:51 syzbot [this message]
2023-07-12 11:15 ` [syzbot] [reiserfs] general protection fault in timerqueue_add (4) syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000d7894b05f5924787@google.com \
--to=syzbot+21f2b8753d8bfc6bb816@syzkaller.appspotmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=reiserfs-devel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.