* [syzbot] general protection fault in wb_timer_fn
@ 2021-08-14 11:57 syzbot
       [not found] ` <20210816091041.3313-1-hdanton@sina.com>
  0 siblings, 1 reply; 10+ messages in thread
From: syzbot @ 2021-08-14 11:57 UTC (permalink / raw)
  To: acme, alexander.shishkin, axboe, bp, hpa, jmattson, jolsa, joro,
	kvm, linux-block, linux-kernel, mark.rutland, mingo, namhyung,
	pbonzini, peterz, seanjc, syzkaller-bugs, tglx, vkuznets,
	wanpengli, x86

Hello,

syzbot found the following issue on:

HEAD commit:    92d00774360d Add linux-next specific files for 20210810
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=127f1f79300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a6933fa6f9a86ca9
dashboard link: https://syzkaller.appspot.com/bug?extid=aa0801b6b32dca9dda82
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=145a8ff1300000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1496e9fa300000

The issue was bisected to:

commit 9483409ab5067941860754e78a4a44a60311d276
Author: Namhyung Kim <namhyung@kernel.org>
Date:   Mon Mar 15 03:34:36 2021 +0000

    perf core: Allocate perf_buffer in the target node memory

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16fd40f9300000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=15fd40f9300000
console output: https://syzkaller.appspot.com/x/log.txt?x=11fd40f9300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+aa0801b6b32dca9dda82@syzkaller.appspotmail.com
Fixes: 9483409ab506 ("perf core: Allocate perf_buffer in the target node memory")

general protection fault, probably for non-canonical address 0xdffffc00000000aa: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000550-0x0000000000000557]
CPU: 0 PID: 6563 Comm: systemd-udevd Not tainted 5.14.0-rc5-next-20210810-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:latency_exceeded block/blk-wbt.c:237 [inline]
RIP: 0010:wb_timer_fn+0x149/0x1740 block/blk-wbt.c:360
Code: 03 80 3c 02 00 0f 85 68 13 00 00 48 8b 9b c8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 50 05 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 35 13 00 00 48 8b 9b 50 05 00 00 48 b8 00 00 00
RSP: 0018:ffffc90000007cd8 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000100
RDX: 00000000000000aa RSI: ffffffff83d107dd RDI: 0000000000000550
RBP: ffff88801ab3cc00 R08: 0000000000000003 R09: ffff88801ab3cd83
R10: ffffffff83d107d2 R11: 0000000000027e24 R12: 0000000000000003
R13: 0000000000000000 R14: ffff888146318000 R15: ffff88801ab3ccd0
FS:  00007fc1898e38c0(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055aed4a39410 CR3: 0000000025577000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
 expire_timers kernel/time/timer.c:1466 [inline]
 __run_timers.part.0+0x675/0xa20 kernel/time/timer.c:1734
 __run_timers kernel/time/timer.c:1715 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x16e/0x1c0 kernel/softirq.c:636
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:648
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1100
 </IRQ>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:tomoyo_domain_quota_is_ok+0x105/0x550 security/tomoyo/util.c:1054
Code: 68 10 48 3b 2c 24 0f 84 f4 00 00 00 49 be 00 00 00 00 00 fc ff df eb 5f e8 f8 8b d7 fd 48 89 e8 48 89 ee 48 c1 e8 03 83 e6 07 <42> 0f b6 0c 30 48 8d 45 07 48 89 c2 48 c1 ea 03 42 0f b6 14 32 40
RSP: 0018:ffffc900011df908 EFLAGS: 00000246
RAX: 1ffff1100f264000 RBX: 0000000000000010 RCX: 0000000000000000
RDX: ffff888019120000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: ffff888079320000 R08: 0000000000000000 R09: 0000000000000010
R10: ffffffff839e1c9a R11: 0000000000000010 R12: 0000000000000002
R13: 00000000000000e1 R14: dffffc0000000000 R15: 0000000000000000
 tomoyo_supervisor+0x2f2/0xf00 security/tomoyo/common.c:2089
 tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
 tomoyo_path_permission security/tomoyo/file.c:587 [inline]
 tomoyo_path_permission+0x270/0x3a0 security/tomoyo/file.c:573
 tomoyo_path_perm+0x2f0/0x400 security/tomoyo/file.c:838
 security_inode_getattr+0xcf/0x140 security/security.c:1332
 vfs_getattr fs/stat.c:157 [inline]
 vfs_fstat+0x43/0xb0 fs/stat.c:182
 __do_sys_newfstat+0x81/0x100 fs/stat.c:422
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fc1887552e2
Code: 48 8b 05 b9 db 2b 00 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 83 ff 01 77 33 48 63 fe b8 05 00 00 00 48 89 d6 0f 05 <48> 3d 00 f0 ff ff 77 06 f3 c3 0f 1f 40 00 48 8b 15 81 db 2b 00 f7
RSP: 002b:00007ffed32f4de8 EFLAGS: 00000246 ORIG_RAX: 0000000000000005
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc1887552e2
RDX: 00007ffed32f4e00 RSI: 00007ffed32f4e00 RDI: 0000000000000007
RBP: 00007ffed32f4f80 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000080000 R11: 0000000000000246 R12: 000055aed49f40e0
R13: 000055aed4a06f10 R14: 00007ffed32f4ee0 R15: 00007ffed32f4f40
Modules linked in:
---[ end trace 85971c24ea99db54 ]---
RIP: 0010:latency_exceeded block/blk-wbt.c:237 [inline]
RIP: 0010:wb_timer_fn+0x149/0x1740 block/blk-wbt.c:360
Code: 03 80 3c 02 00 0f 85 68 13 00 00 48 8b 9b c8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 50 05 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 35 13 00 00 48 8b 9b 50 05 00 00 48 b8 00 00 00
RSP: 0018:ffffc90000007cd8 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000100
RDX: 00000000000000aa RSI: ffffffff83d107dd RDI: 0000000000000550
RBP: ffff88801ab3cc00 R08: 0000000000000003 R09: ffff88801ab3cd83
R10: ffffffff83d107d2 R11: 0000000000027e24 R12: 0000000000000003
R13: 0000000000000000 R14: ffff888146318000 R15: ffff88801ab3ccd0
FS:  00007fc1898e38c0(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055aed4a39410 CR3: 0000000025577000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
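
Added example (not part of the syzbot report or of any message in this thread): a small triage helper that decodes the non-canonical fault address in the x86_64 oops back to the memory range KASAN was checking, and cross-checks it against the "KASAN: ... in range" line and the register dump. The function names are hypothetical; it assumes generic KASAN on x86_64 with the default shadow offset and 4 KiB pages.

```python
import re

# x86_64 generic KASAN: shadow = (addr >> 3) + KASAN_SHADOW_OFFSET.
# Assumption: the default x86_64 offset, which is also the value in RAX below.
KASAN_SHADOW_OFFSET = 0xDFFFFC0000000000
GRANULE_SHIFT = 3      # one shadow byte describes 8 bytes of memory
PAGE_SIZE = 4096       # assumption: 4 KiB pages
MASK64 = (1 << 64) - 1

# Lines copied from the x86_64 oops in the syzbot report above.
SAMPLE_OOPS = """\
general protection fault, probably for non-canonical address 0xdffffc00000000aa: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000550-0x0000000000000557]
RIP: 0010:latency_exceeded block/blk-wbt.c:237 [inline]
RIP: 0010:wb_timer_fn+0x149/0x1740 block/blk-wbt.c:360
RSP: 0018:ffffc90000007cd8 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000100
RDX: 00000000000000aa RSI: ffffffff83d107dd RDI: 0000000000000550
RBP: ffff88801ab3cc00 R08: 0000000000000003 R09: ffff88801ab3cd83
"""


def shadow_to_range(shadow_addr):
    """Invert the shadow mapping: (first, last) byte covered by a shadow byte."""
    index = (shadow_addr - KASAN_SHADOW_OFFSET) & MASK64
    first = (index << GRANULE_SHIFT) & MASK64
    return first, first + (1 << GRANULE_SHIFT) - 1


def parse_registers(oops):
    """Collect 64-bit general registers; the first dump (faulting frame) wins."""
    regs = {}
    for name, value in re.findall(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})\b", oops):
        regs.setdefault(name, int(value, 16))
    return regs


def triage(oops):
    """Summarise a KASAN general protection fault from oops text."""
    m = re.search(r"non-canonical address 0x([0-9a-f]+)", oops)
    if m is None:
        raise ValueError("no non-canonical fault address in this oops")
    shadow_addr = int(m.group(1), 16)
    decoded = shadow_to_range(shadow_addr)

    m = re.search(r"KASAN: \S+ in range \[0x([0-9a-f]+)-0x([0-9a-f]+)\]", oops)
    reported = (int(m.group(1), 16), int(m.group(2), 16)) if m else None

    # Kernel-mode RIP lines: innermost (inlined) function is printed first.
    frames = re.findall(
        r"RIP: 0010:(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (\S+:\d+)", oops)

    regs = parse_registers(oops)
    index = (shadow_addr - KASAN_SHADOW_OFFSET) & MASK64
    return {
        "fault_site": frames[0] if frames else None,
        "shadow_addr": shadow_addr,
        "decoded_range": decoded,
        "matches_kasan_line": reported == decoded,
        # A target below one page means a small offset from a NULL base.
        "near_null": decoded[0] < PAGE_SIZE,
        # Registers that show the fault came from KASAN's inline shadow check:
        "target_regs": [r for r, v in regs.items() if v == decoded[0]],
        "shadow_base_regs": [r for r, v in regs.items()
                             if v == KASAN_SHADOW_OFFSET],
        "shadow_index_regs": [r for r, v in regs.items() if v == index],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_OOPS).items():
        print(key, value)
```

The faulting address is the shadow byte, not the data address: the access the compiler was about to make is at offset 0x550 from a NULL base, which is why the report is classified as a null-ptr-deref even though the fault address looks wild.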


* Re: [syzbot] general protection fault in wb_timer_fn
       [not found] ` <20210816091041.3313-1-hdanton@sina.com>
@ 2021-08-16  9:33   ` Christoph Hellwig
  2021-08-19  9:03     ` Sven Schnelle
  0 siblings, 1 reply; 10+ messages in thread
From: Christoph Hellwig @ 2021-08-16  9:33 UTC (permalink / raw)
  To: Hillf Danton
  Cc: syzbot, axboe, Christoph Hellwig, linux-block, linux-kernel,
	syzkaller-bugs

On Mon, Aug 16, 2021 at 05:10:41PM +0800, Hillf Danton wrote:
> Remove and free all qos callbacks added, with cb->timer deleted in
> blk_stat_remove_callback().
> 
> only for thoughts.
> 
> +++ x/block/blk-sysfs.c
> @@ -800,9 +800,7 @@ static void blk_release_queue(struct kob
>  
>  	might_sleep();
>  
> -	if (test_bit(QUEUE_FLAG_POLL_STATS, &q->queue_flags))
> -		blk_stat_remove_callback(q, q->poll_cb);
> -	blk_stat_free_callback(q->poll_cb);
> +	rq_qos_exit(q);
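
Review bot: In blk_release_queue() the only visible teardown of q->poll_cb is lost: the removed blk_stat_remove_callback(q, q->poll_cb) and blk_stat_free_callback(q->poll_cb) lines are replaced by rq_qos_exit(q), which does not reference poll_cb anywhere in this hunk, so the poll-stats callback and its cb->timer would stay registered and unfreed at release time. If rq_qos_exit(q) is wanted here, add it alongside the existing poll_cb cleanup rather than in place of it, and state in the description which qos callback is still live when the queue is released.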

rq_qos_exit is already called in blk_cleanup_queue, and the blk-mq
polling doesn't even use the qos framework.  So I'm not sure what this
is supposed to help.


* Re: [syzbot] general protection fault in wb_timer_fn
  2021-08-16  9:33   ` Christoph Hellwig
@ 2021-08-19  9:03     ` Sven Schnelle
  2021-08-19  9:05       ` Christoph Hellwig
  0 siblings, 1 reply; 10+ messages in thread
From: Sven Schnelle @ 2021-08-19  9:03 UTC (permalink / raw)
  To: Christoph Hellwig
  Cc: Hillf Danton, syzbot, axboe, linux-block, linux-kernel, syzkaller-bugs

Christoph Hellwig <hch@lst.de> writes:

> On Mon, Aug 16, 2021 at 05:10:41PM +0800, Hillf Danton wrote:
>> Remove and free all qos callbacks added, with cb->timer deleted in
>> blk_stat_remove_callback().
>> 
>> only for thoughts.
>> 
>> +++ x/block/blk-sysfs.c
>> @@ -800,9 +800,7 @@ static void blk_release_queue(struct kob
>>  
>>  	might_sleep();
>>  
>> -	if (test_bit(QUEUE_FLAG_POLL_STATS, &q->queue_flags))
>> -		blk_stat_remove_callback(q, q->poll_cb);
>> -	blk_stat_free_callback(q->poll_cb);
>> +	rq_qos_exit(q);
>
> rq_qos_exit is already called in blk_cleanup_queue, and the blk-mq
> polling doesn't even use the qos framework.  So I'm not sure what this
> is supposed to help.

I'm seeing a similar crash in our CI:

[  464.072042] nbd0: detected capacity change from 0 to 2097152
[  464.092297]  nbd0: p1
[  464.244242] EXT4-fs (nbd0p1): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none.
[  468.266306] block nbd0: NBD_DISCONNECT
[  468.266318] block nbd0: Disconnected due to user request.
[  468.266320] block nbd0: shutting down sockets
[  468.291814] Unable to handle kernel pointer dereference in virtual kernel address space
[  468.291817] Failing address: 000002aa264a7000 TEID: 000002aa264a7803
[  468.291819] Fault in home space mode while using kernel ASCE.
[  468.291822] AS:0000000159c84007 R3:0000000000000024 
[  468.291843] Oops: 003b ilc:3 [#1] SMP 
[  468.291846] Modules linked in: nbd(E-) xt_CHECKSUM(E) xt_MASQUERADE(E) xt_conntrack(E) ipt_REJECT(E) xt_tcpudp(E) nft_compat(E) nf_nat_tftp(E) nft_objref(E) nf_conntrack_tftp(E) nft_counter(E) nft_fib_inet(E) nft_fib_ipv4(E) nft_fib_ipv6(E) nft_fib(E) nft_reject_inet(E) nf_reject_ipv4(E) nf_reject_ipv6(E) nft_reject(E) nft_ct(E) dm_service_time(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) ip_set(E) nf_tables(E) nfnetlink(E) sunrpc(E) zfcp(E) scsi_transport_fc(E) dm_multipath(E) scsi_dh_rdac(E) scsi_dh_emc(E) scsi_dh_alua(E) mlx5_ib(E) ib_uverbs(E) ib_core(E) s390_trng(E) vfio_ccw(E) mdev(E) vfio_iommu_type1(E) vfio(E) zcrypt_cex4(E) eadm_sch(E) sch_fq_codel(E) configfs(E) ip_tables(E) x_tables(E) ghash_s390(E) prng(E) aes_s390(E) des_s390(E) libdes(E) sha3_512_s390(E) sha3_256_s390(E) sha512_s390(E) sha256_s390(E) sha1_s390(E) sha_common(E) mlx5_core(E) nvme(E) nvme_core(E) pkey(E) zcrypt(E) rng_core(E) autofs4(E)
[  468.291891] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G            E     5.14.0-20210819.rc6.git0.f26c3abc432a.300.fc34.s390x+next #1
[  468.291894] Hardware name: IBM 8561 T01 703 (LPAR)
[  468.291895] Krnl PSW : 0704c00180000000 0000000158cfe3b6 (wb_timer_fn+0x56/0x538)
[  468.291902]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
[  468.291905] Krnl GPRS: 0000000000000200 000002aa264a7018 0000000189fc3400 0000000000000000
[  468.291907]            fffffffffffc0000 0000000000000000 00000002f767c000 0000000158cc9420
[  468.291909]            0000000000000000 0000000189fc3410 00000001e19622a0 0000000138e9a700
[  468.291911]            0000000080378000 00000002f767c002 0000038000d43ca0 0000038000d43c40
[  468.291937] Krnl Code: 0000000158cfe3a4: e380b0280004        lg      %r8,40(%r11)
                          0000000158cfe3aa: e31010900004        lg      %r1,144(%r1)
                         #0000000158cfe3b0: e31012000004        lg      %r1,512(%r1)
                         >0000000158cfe3b6: e36010980004        lg      %r6,152(%r1)
                          0000000158cfe3bc: ec88005e007c        cgij    %r8,0,8,0000000158cfe478
                          0000000158cfe3c2: e310b0300002        ltg     %r1,48(%r11)
                          0000000158cfe3c8: a7840058            brc     8,0000000158cfe478
                          0000000158cfe3cc: c0e5ffce8822        brasl   %r14,00000001586cf410
[  468.291951] Call Trace:
[  468.291953]  [<0000000158cfe3b6>] wb_timer_fn+0x56/0x538 
[  468.291956]  [<00000001586ca980>] call_timer_fn+0x38/0x178 
[  468.291960]  [<00000001586cad58>] __run_timers.part.0+0x298/0x358 
[  468.291962]  [<00000001586cae62>] run_timer_softirq+0x4a/0x88 
[  468.291964]  [<0000000159149236>] __do_softirq+0x146/0x3c8 
[  468.291967]  [<000000015862cbaa>] irq_exit+0xf2/0x120 
[  468.291970]  [<000000015913a334>] do_ext_irq+0xd4/0x160 
[  468.291972]  [<000000015914769c>] ext_int_handler+0xdc/0x110 
[  468.291974]  [<0000000159147826>] psw_idle_exit+0x0/0xa 
[  468.291976] ([<00000001585dbfe8>] arch_cpu_idle+0x40/0xd0)
[  468.291978]  [<000000015914718a>] default_idle_call+0x42/0x108 
[  468.291980]  [<000000015866ab6a>] do_idle+0xd2/0x160 
[  468.291983]  [<000000015866adb6>] cpu_startup_entry+0x36/0x40 
[  468.291985]  [<00000001585ef74e>] smp_start_secondary+0x86/0x90 
[  468.291987] Last Breaking-Event-Address:
[  468.291989]  [<0000038000d43d30>] 0x38000d43d30
[  468.291992] Kernel panic - not syncing: Fatal exception in interrupt

The crash is likely triggered by nbd. wb_timer_fn+0x56 is block/blk-wbt.c: 237
like in the syzbot reported crash. That line was just recently touched,
so I wonder whether that's related?


* Re: [syzbot] general protection fault in wb_timer_fn
  2021-08-19  9:03     ` Sven Schnelle
@ 2021-08-19  9:05       ` Christoph Hellwig
  2021-08-19  9:10         ` Sven Schnelle
  2021-08-19 13:10         ` Sven Schnelle
  0 siblings, 2 replies; 10+ messages in thread
From: Christoph Hellwig @ 2021-08-19  9:05 UTC (permalink / raw)
  To: Sven Schnelle
  Cc: Christoph Hellwig, Hillf Danton, syzbot, axboe, linux-block,
	linux-kernel, syzkaller-bugs

On Thu, Aug 19, 2021 at 11:03:42AM +0200, Sven Schnelle wrote:
> I'm seeing a similar crash in our CI:

This series:

https://lore.kernel.org/linux-block/20210816131910.615153-1-hch@lst.de/T/#t

should fix it.  Can you give it a spin?


* Re: [syzbot] general protection fault in wb_timer_fn
  2021-08-19  9:05       ` Christoph Hellwig
@ 2021-08-19  9:10         ` Sven Schnelle
  2021-08-19 13:10         ` Sven Schnelle
  1 sibling, 0 replies; 10+ messages in thread
From: Sven Schnelle @ 2021-08-19  9:10 UTC (permalink / raw)
  To: Christoph Hellwig
  Cc: Hillf Danton, syzbot, axboe, linux-block, linux-kernel, syzkaller-bugs

Christoph Hellwig <hch@lst.de> writes:

> On Thu, Aug 19, 2021 at 11:03:42AM +0200, Sven Schnelle wrote:
>> I'm seeing a similar crash in our CI:
>
> This series:
>
> https://lore.kernel.org/linux-block/20210816131910.615153-1-hch@lst.de/T/#t
>
> should fix it.  Can you give it a spin?

Yes. I'll try to reproduce it outside of CI and test the patch set. Thanks!


* Re: [syzbot] general protection fault in wb_timer_fn
  2021-08-19  9:05       ` Christoph Hellwig
  2021-08-19  9:10         ` Sven Schnelle
@ 2021-08-19 13:10         ` Sven Schnelle
  2021-08-19 13:53           ` Christoph Hellwig
  1 sibling, 1 reply; 10+ messages in thread
From: Sven Schnelle @ 2021-08-19 13:10 UTC (permalink / raw)
  To: Christoph Hellwig
  Cc: Hillf Danton, syzbot, axboe, linux-block, linux-kernel, syzkaller-bugs

Christoph Hellwig <hch@lst.de> writes:

> On Thu, Aug 19, 2021 at 11:03:42AM +0200, Sven Schnelle wrote:
>> I'm seeing a similar crash in our CI:
>
> This series:
>
> https://lore.kernel.org/linux-block/20210816131910.615153-1-hch@lst.de/T/#t
>
> should fix it.  Can you give it a spin?

I tested it without your patchset and it crashed around every second
try. With that patchset, I wasn't able to reproduce it.

Thanks!
Sven


* Re: [syzbot] general protection fault in wb_timer_fn
  2021-08-19 13:10         ` Sven Schnelle
@ 2021-08-19 13:53           ` Christoph Hellwig
  2021-08-21  7:48             ` Yi Zhang
  0 siblings, 1 reply; 10+ messages in thread
From: Christoph Hellwig @ 2021-08-19 13:53 UTC (permalink / raw)
  To: Sven Schnelle
  Cc: Christoph Hellwig, Hillf Danton, syzbot, axboe, linux-block,
	linux-kernel, syzkaller-bugs

On Thu, Aug 19, 2021 at 03:10:37PM +0200, Sven Schnelle wrote:
> Christoph Hellwig <hch@lst.de> writes:
> 
> > On Thu, Aug 19, 2021 at 11:03:42AM +0200, Sven Schnelle wrote:
> >> I'm seeing a similar crash in our CI:
> >
> > This series:
> >
> > https://lore.kernel.org/linux-block/20210816131910.615153-1-hch@lst.de/T/#t
> >
> > should fix it.  Can you give it a spin?
> 
> I tested it without your patchset and it crashed around every second
> try. With that patchset, I wasn't able to reproduce it.

Can you send a Tested-by: for the last patch which should fix this?


* Re: [syzbot] general protection fault in wb_timer_fn
  2021-08-19 13:53           ` Christoph Hellwig
@ 2021-08-21  7:48             ` Yi Zhang
  2021-08-24  7:23               ` Christoph Hellwig
  0 siblings, 1 reply; 10+ messages in thread
From: Yi Zhang @ 2021-08-21  7:48 UTC (permalink / raw)
  To: Christoph Hellwig
  Cc: Sven Schnelle, Hillf Danton, syzbot, Jens Axboe, linux-block,
	linux-kernel, syzkaller-bugs

On Thu, Aug 19, 2021 at 9:53 PM Christoph Hellwig <hch@lst.de> wrote:
>
> On Thu, Aug 19, 2021 at 03:10:37PM +0200, Sven Schnelle wrote:
> > Christoph Hellwig <hch@lst.de> writes:
> >
> > > On Thu, Aug 19, 2021 at 11:03:42AM +0200, Sven Schnelle wrote:
> > >> I'm seeing a similar crash in our CI:
> > >
> > > This series:
> > >
> > > https://lore.kernel.org/linux-block/20210816131910.615153-1-hch@lst.de/T/#t
> > >
> > > should fix it.  Can you give it a spin?
> >
> > I tested it without your patchset and it crashed around every second
> > try. With that patchset, I wasn't able to reproduce it.
>
> Can you send a Tested-by: for the last patch which should fix this?
>
Hi Christoph

I also met a similar issue with blktests. I tried to apply the patchset
but had no luck applying it. Any suggestions to fix it?

[ 2464.154898] run blktests nvme/012 at 2021-08-20 21:20:29
[ 2464.192252] loop0: detected capacity change from 0 to 2097152
[ 2464.309275] nvmet: adding nsid 1 to subsystem blktests-subsystem-1
[ 2464.396464] nvmet: creating controller 1 for subsystem
blktests-subsystem-1 for NQN
nqn.2014-08.org.nvmexpress:uuid:a43453b4c0df4cb7bd2303f547ca0f22.
[ 2464.410162] nvme nvme0: creating 128 I/O queues.
[ 2464.425839] nvme nvme0: new ctrl: "blktests-subsystem-1"
[ 2465.483434] XFS (nvme0n1): Mounting V5 Filesystem
[ 2465.493142] XFS (nvme0n1): Ending clean mount
[ 2465.498278] xfs filesystem being mounted at /mnt/blktests supports
timestamps until 2038 (0x7fffffff)
[ 2488.544383] XFS (nvme0n1): Unmounting Filesystem
[ 2488.559652] nvme nvme0: Removing ctrl: NQN "blktests-subsystem-1"
[ 2488.625086] Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000308
[ 2488.633871] Mem abort info:
[ 2488.636655]   ESR = 0x96000004
[ 2488.639698]   EC = 0x25: DABT (current EL), IL = 32 bits
[ 2488.645000]   SET = 0, FnV = 0
[ 2488.648044]   EA = 0, S1PTW = 0
[ 2488.651173]   FSC = 0x04: level 0 translation fault
[ 2488.656039] Data abort info:
[ 2488.658908]   ISV = 0, ISS = 0x00000004
[ 2488.662732]   CM = 0, WnR = 0
[ 2488.665689] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008fd3a0000
[ 2488.672119] [0000000000000308] pgd=0000000000000000, p4d=0000000000000000
[ 2488.678903] Internal error: Oops: 96000004 [#1] SMP
[ 2488.683770] Modules linked in: nvme_loop nvme_fabrics nvmet
nvme_core loop dm_log_writes dm_flakey rfkill mlx5_ib ib_uverbs
ib_core sunrpc coresight_etm4x i2c_smbus coresight_tpiu
coresight_replicator coresight_tmc joydev mlx5_core mlxfw psample tls
acpi_ipmi ipmi_ssif ipmi_devintf ipmi_msghandler coresight_funnel
coresight thunderx2_pmu vfat fat fuse zram ip_tables xfs crct10dif_ce
ast ghash_ce i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea
sysfillrect sysimgblt fb_sys_fops cec drm_ttm_helper ttm drm gpio_xlp
i2c_xlp9xx uas usb_storage aes_neon_bs [last unloaded: nvme_core]
[ 2488.735491] CPU: 41 PID: 0 Comm: swapper/41 Not tainted 5.14.0-rc5 #1
[ 2488.751647] pstate: 20400009 (nzCv daif +PAN -UAO -TCO BTYPE=--)
[ 2488.757641] pc : latency_exceeded+0x30/0x304
[ 2488.761905] lr : wb_timer_fn+0x48/0x1fc
[ 2488.765730] sp : ffff800012b83d00
[ 2488.769031] x29: ffff800012b83d00 x28: ffff800011dc7000 x27: ffff800012b83e80
[ 2488.776156] x26: ffff800011886000 x25: 00000000000000e0 x24: 0000000000000028
[ 2488.783280] x23: ffffffffffffffff x22: ffff0008097ac900 x21: ffff0008097ade80
[ 2488.790404] x20: 0000000000000000 x19: ffff00080adfb300 x18: 0000000000000000
[ 2488.797528] x17: ffff800f4ac9a000 x16: ffff800012b84000 x15: 0000000000004000
[ 2488.804652] x14: 0000000000000000 x13: 0000000000000038 x12: 0000000000000040
[ 2488.811776] x11: 0000000000036e09 x10: ffff0008097ade80 x9 : ffff80001073074c
[ 2488.818901] x8 : fffffbffec7ec0b0 x7 : 000000000000003f x6 : 0000000000000000
[ 2488.826024] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[ 2488.833148] x2 : 0000000000000000 x1 : ffff0008097ade80 x0 : 0000000000000000
[ 2488.840273] Call trace:
[ 2488.842707]  latency_exceeded+0x30/0x304
[ 2488.846618]  wb_timer_fn+0x48/0x1fc
[ 2488.850095]  blk_stat_timer_fn+0x170/0x190
[ 2488.854183]  call_timer_fn+0x3c/0x17c
[ 2488.857835]  __run_timers.part.0+0x290/0x330
[ 2488.862092]  run_timer_softirq+0x48/0x80
[ 2488.866002]  __do_softirq+0x128/0x380
[ 2488.869653]  __irq_exit_rcu+0x154/0x160
[ 2488.873482]  irq_exit+0x1c/0x30
[ 2488.876612]  handle_domain_irq+0x70/0x9c
[ 2488.880525]  gic_handle_irq+0x58/0xd8
[ 2488.884174]  call_on_irq_stack+0x2c/0x38
[ 2488.888086]  do_interrupt_handler+0x5c/0x70
[ 2488.892257]  el1_interrupt+0x30/0x50
[ 2488.895824]  el1h_64_irq_handler+0x18/0x24
[ 2488.899908]  el1h_64_irq+0x7c/0x80
[ 2488.903297]  arch_cpu_idle+0x18/0x2c
[ 2488.906861]  default_idle_call+0x4c/0x160
[ 2488.910860]  cpuidle_idle_call+0x14c/0x1a0
[ 2488.914947]  do_idle+0xbc/0x110
[ 2488.918077]  cpu_startup_entry+0x30/0x8c
[ 2488.921988]  secondary_start_kernel+0xec/0x110
[ 2488.926422]  __secondary_switched+0x94/0x98
[ 2488.930596] Code: aa0103f5 f9403000 f9401674 f9404800 (f9418400)
[ 2488.936789] ---[ end trace 8d092c5fdd268b3c ]---
[ 2488.941394] Kernel panic - not syncing: Oops: Fatal exception in interrupt
[ 2488.948283] SMP: stopping secondary CPUs
[ 2488.952240] Kernel Offset: disabled
[ 2488.955715] CPU features: 0x00600051,a3200840
[ 2488.960059] Memory Limit: none
[ 2488.963125] ---[ end Kernel panic - not syncing: Oops: Fatal
exception in interrupt ]---

-- 
Best Regards,
  Yi Zhang



* Re: [syzbot] general protection fault in wb_timer_fn
  2021-08-21  7:48             ` Yi Zhang
@ 2021-08-24  7:23               ` Christoph Hellwig
  2021-08-25  5:59                 ` Yi Zhang
  0 siblings, 1 reply; 10+ messages in thread
From: Christoph Hellwig @ 2021-08-24  7:23 UTC (permalink / raw)
  To: Yi Zhang
  Cc: Christoph Hellwig, Sven Schnelle, Hillf Danton, syzbot,
	Jens Axboe, linux-block, linux-kernel, syzkaller-bugs

On Sat, Aug 21, 2021 at 03:48:01PM +0800, Yi Zhang wrote:
> I also met a similar issue with blktests. I tried to apply the patchset
> but had no luck applying it. Any suggestions to fix it?

Please just retest the latest for-5.15/block or for-next branch in
Jens' tree.


* Re: [syzbot] general protection fault in wb_timer_fn
  2021-08-24  7:23               ` Christoph Hellwig
@ 2021-08-25  5:59                 ` Yi Zhang
  0 siblings, 0 replies; 10+ messages in thread
From: Yi Zhang @ 2021-08-25  5:59 UTC (permalink / raw)
  To: Christoph Hellwig
  Cc: Sven Schnelle, Hillf Danton, syzbot, Jens Axboe, linux-block,
	linux-kernel, syzkaller-bugs

On Tue, Aug 24, 2021 at 3:23 PM Christoph Hellwig <hch@lst.de> wrote:
>
> On Sat, Aug 21, 2021 at 03:48:01PM +0800, Yi Zhang wrote:
> > I also met a similar issue with blktests. I tried to apply the patchset
> > but had no luck applying it. Any suggestions to fix it?
>
> Please just retest the latest for-5.15/block or for-next branch in
> Jens' tree.
>
Yeah, the issue was fixed with for-5.15/block

-- 
Best Regards,
  Yi Zhang

