From: syzbot <syzbot+38a0cbd267eff2d286ff@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, mmpgouride@gmail.com,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [mm?] [bcachefs?] WARNING in lock_list_lru_of_memcg
Date: Tue, 18 Feb 2025 09:38:02 -0800 [thread overview]
Message-ID: <67b4c57a.050a0220.14d86d.0009.GAE@google.com> (raw)
In-Reply-To: <B2F37A7F-BE18-495F-9350-6D7D47198FFD@gmail.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in qlist_free_all
BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 3f9de067 P4D 3f9de067 PUD 40014067 PMD 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5357 Comm: kworker/0:3 Not tainted 6.14.0-rc3-syzkaller-g2408a807bfc3-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events nsim_fib_event_work
RIP: 0010:qlink_to_cache mm/kasan/quarantine.c:131 [inline]
RIP: 0010:qlist_free_all+0x69/0x140 mm/kasan/quarantine.c:176
Code: e8 06 48 83 e0 c0 49 8b 4c 05 08 f6 c1 01 0f 85 a8 00 00 00 4c 01 e8 66 90 0f b6 48 33 c1 e1 18 81 f9 00 00 00 f5 48 0f 45 c5 <48> 8b 58 08 4d 8b 34 24 48 63 83 c0 00 00 00 49 29 c4 48 89 df 4c
RSP: 0018:ffffc9000d477568 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000ff000000
RDX: 0000000000000000 RSI: 0000000013ec5780 RDI: 000000001fffffff
RBP: 0000000000000000 R08: ffffffff816eac95 R09: ffffffff82290c0f
R10: dffffc0000000000 R11: fffffbfff28a8d0f R12: ffffffff93ec5780
R13: ffffea0000000000 R14: ffffffff93ec5780 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 00000000365b0000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4115 [inline]
slab_alloc_node mm/slub.c:4164 [inline]
__kmalloc_cache_noprof+0x1d9/0x390 mm/slub.c:4320
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
nsim_fib4_rt_create drivers/net/netdevsim/fib.c:280 [inline]
nsim_fib4_rt_insert drivers/net/netdevsim/fib.c:426 [inline]
nsim_fib4_event drivers/net/netdevsim/fib.c:464 [inline]
nsim_fib_event drivers/net/netdevsim/fib.c:884 [inline]
nsim_fib_event_work+0xe02/0x3f00 drivers/net/netdevsim/fib.c:1493
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xabe/0x18e0 kernel/workqueue.c:3317
worker_thread+0x870/0xd30 kernel/workqueue.c:3398
kthread+0x7a9/0x920 kernel/kthread.c:464
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
CR2: 0000000000000008
---[ end trace 0000000000000000 ]---
RIP: 0010:qlink_to_cache mm/kasan/quarantine.c:131 [inline]
RIP: 0010:qlist_free_all+0x69/0x140 mm/kasan/quarantine.c:176
Code: e8 06 48 83 e0 c0 49 8b 4c 05 08 f6 c1 01 0f 85 a8 00 00 00 4c 01 e8 66 90 0f b6 48 33 c1 e1 18 81 f9 00 00 00 f5 48 0f 45 c5 <48> 8b 58 08 4d 8b 34 24 48 63 83 c0 00 00 00 49 29 c4 48 89 df 4c
RSP: 0018:ffffc9000d477568 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000ff000000
RDX: 0000000000000000 RSI: 0000000013ec5780 RDI: 000000001fffffff
RBP: 0000000000000000 R08: ffffffff816eac95 R09: ffffffff82290c0f
R10: dffffc0000000000 R11: fffffbfff28a8d0f R12: ffffffff93ec5780
R13: ffffea0000000000 R14: ffffffff93ec5780 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 00000000365b0000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: e8 06 48 83 e0 call 0xe083480b
5: c0 49 8b 4c rorb $0x4c,-0x75(%rcx)
9: 05 08 f6 c1 01 add $0x1c1f608,%eax
e: 0f 85 a8 00 00 00 jne 0xbc
14: 4c 01 e8 add %r13,%rax
17: 66 90 xchg %ax,%ax
19: 0f b6 48 33 movzbl 0x33(%rax),%ecx
1d: c1 e1 18 shl $0x18,%ecx
20: 81 f9 00 00 00 f5 cmp $0xf5000000,%ecx
26: 48 0f 45 c5 cmovne %rbp,%rax
* 2a: 48 8b 58 08 mov 0x8(%rax),%rbx <-- trapping instruction
2e: 4d 8b 34 24 mov (%r12),%r14
32: 48 63 83 c0 00 00 00 movslq 0xc0(%rbx),%rax
39: 49 29 c4 sub %rax,%r12
3c: 48 89 df mov %rbx,%rdi
3f: 4c rex.WR
Tested on:
commit: 2408a807 Merge tag 'vfs-6.14-rc4.fixes' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=113477df980000
kernel config: https://syzkaller.appspot.com/x/.config?x=b7bde34acd8f53b1
dashboard link: https://syzkaller.appspot.com/bug?extid=38a0cbd267eff2d286ff
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=114603a4580000