[syzbot] [cgroups?] general protection fault in cgroup_rstat_flush


syzbot

May 9, 2025, 10:04:29 PM
Hello,

syzbot found the following issue on:

HEAD commit: 9c69f8884904 Merge tag 'bcachefs-2025-05-08' of git://evil..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1440acf4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b9683d529ec1b880
dashboard link: https://syzkaller.appspot.com/bug?extid=175b931e69c9ad9e1945
compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/062b75278fb3/disk-9c69f888.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/868b31a2cf71/vmlinux-9c69f888.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e773657fdf9c/bzImage-9c69f888.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

Oops: general protection fault, probably for non-canonical address 0xe7ffed1c349f36f7: 0000 [#1] SMP KASAN PTI
KASAN: maybe wild-memory-access in range [0x3fff88e1a4f9b7b8-0x3fff88e1a4f9b7bf]
CPU: 0 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.15.0-rc5-syzkaller-00136-g9c69f8884904 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
Workqueue: events_unbound flush_memcg_stats_dwork
RIP: 0010:cgroup_rstat_push_children kernel/cgroup/rstat.c:165 [inline]
RIP: 0010:cgroup_rstat_updated_list kernel/cgroup/rstat.c:245 [inline]
RIP: 0010:cgroup_rstat_flush+0x840/0x1e70 kernel/cgroup/rstat.c:325
Code: 70 74 08 48 89 df e8 ef e6 66 00 4c 8b 23 4b 8d 1c 3c 48 81 c3 a0 00 00 00 49 89 dd 49 c1 ed 03 48 b8 00 00 00 00 00 fc ff df <41> 80 7c 05 00 00 74 08 48 89 df e8 c0 e6 66 00 48 8b 03 48 3b 44
RSP: 0018:ffffc90000bd7920 EFLAGS: 00010003
RAX: dffffc0000000000 RBX: 3fff88e1a4f9b7bd RCX: 1ffffffff1b2b383
RDX: 0000000000000000 RSI: ffffffff8bc0fec0 RDI: ffff88806481c5c1
RBP: ffffc90000bd7b08 R08: ffffffff8f7da777 R09: 1ffffffff1efb4ee
R10: dffffc0000000000 R11: fffffbfff1efb4ef R12: ffff888126200000
R13: 07fff11c349f36f7 R14: 0000000000000000 R15: 400000607ed9b71d
FS: 0000000000000000(0000) GS:ffff888126100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005598d2923440 CR3: 000000005d74e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
flush_memcg_stats_dwork+0x15/0x60 mm/memcontrol.c:653
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xadb/0x17a0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 70 74 jo 0x76
2: 08 48 89 or %cl,-0x77(%rax)
5: df e8 fucomip %st(0),%st
7: ef out %eax,(%dx)
8: e6 66 out %al,$0x66
a: 00 4c 8b 23 add %cl,0x23(%rbx,%rcx,4)
e: 4b 8d 1c 3c lea (%r12,%r15,1),%rbx
12: 48 81 c3 a0 00 00 00 add $0xa0,%rbx
19: 49 89 dd mov %rbx,%r13
1c: 49 c1 ed 03 shr $0x3,%r13
20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
27: fc ff df
* 2a: 41 80 7c 05 00 00 cmpb $0x0,0x0(%r13,%rax,1) <-- trapping instruction
30: 74 08 je 0x3a
32: 48 89 df mov %rbx,%rdi
35: e8 c0 e6 66 00 call 0x66e6fa
3a: 48 8b 03 mov (%rbx),%rax
3d: 48 rex.W
3e: 3b .byte 0x3b
3f: 44 rex.R


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Waiman Long

May 9, 2025, 10:56:19 PM
144 static struct cgroup *cgroup_rstat_push_children(struct cgroup *head,
  :
161                 while (child != parent) {
162                         child->rstat_flush_next = head;
163                         head = child;
164                         crstatc = cgroup_rstat_cpu(child, cpu);
165                         grandchild = crstatc->updated_children; <-- Crash here
166                         if (grandchild != child) {
167                                 /* Push the grand child to the next level */
168                                 crstatc->updated_children = child;
169                                 grandchild->rstat_flush_next = ghead;
170                                 ghead = grandchild;
171                         }
172                         child = crstatc->updated_next;
173                         crstatc->updated_next = NULL;

It looks like crstatc is invalid. That means the updated_next list may
contain invalid data. Maybe it becomes NULL terminated somehow, but that
should not normally happen.

Anyway, there isn't enough data to determine the root cause yet.

Regards,
Longman
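As an added illustration (not code from the report, the reply, or the kernel), a userspace C model of the sibling-chain walk quoted above. `struct cg`, `walk_updated_level` and `demo_level` are constructed names; the invariants it checks are the ones the quoted loop's `child != parent` and `grandchild != child` tests imply, and the kernel's per-cpu `cgroup_rstat_cpu` fields are folded into one node here.

```c
#include <stddef.h>
/*
 * Userspace model of the links walked by the loop quoted above
 * (kernel/cgroup/rstat.c:161-173); constructed for illustration, not the
 * kernel's struct cgroup / struct cgroup_rstat_cpu.  The quoted loop implies
 * two invariants: updated_next is parent-terminated (the chain ends at
 * `parent`) and updated_children is self-terminated (== the node when empty).
 */
struct cg {
    struct cg *parent, *updated_children, *updated_next;
};
/*
 * Walk one sibling chain as the loop does, but validate each link before
 * following it.  Returns the number of children visited, or -1 if the chain
 * is corrupt: NULL, a node with a different parent, or a cycle.
 */
int walk_updated_level(struct cg *parent, struct cg *first, int max_nodes)
{
    struct cg *child = first;
    int n = 0;

    while (child != parent) {
        if (child == NULL || child->parent != parent)
            return -1;      /* the kernel would read a wild crstatc here */
        if (++n > max_nodes)
            return -1;      /* longer than the node count: the chain loops */
        child = child->updated_next;
    }
    return n;
}
/*
 * Build one parent with three children holding the invariants, optionally
 * replace the parent terminator with NULL (the "NULL terminated somehow"
 * case from the reply), and walk it.  Returns 3 when intact, -1 when broken.
 */
int demo_level(int null_terminate)
{
    static struct cg p, kids[3];

    p.parent = NULL;
    p.updated_next = &p;
    p.updated_children = &kids[0];
    for (int i = 0; i < 3; i++) {
        kids[i].parent = &p;
        kids[i].updated_children = &kids[i];    /* no grandchildren */
        kids[i].updated_next = (i < 2) ? &kids[i + 1] : &p;
    }
    if (null_terminate)
        kids[2].updated_next = NULL;
    return walk_updated_level(&p, p.updated_children, 3);
}
```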