From: sanan.hasanou@gmail.com
To: paulmck@kernel.org, andriy.shevchenko@linux.intel.com,
	simona.vetter@ffwll.ch, rdunlap@infradead.org,
	akpm@linux-foundation.org, luca.ceresoli@bootlin.com,
	linux-kernel@vger.kernel.org
Cc: syzkaller@googlegroups.com, contact@pgazz.com
Subject: general protection fault in detach_timer
Date: Fri, 26 Jun 2026 14:28:32 -0700 (PDT)
Message-ID: <6a3eef00.26dcea81.1cc135.d4fa@mx.google.com>

Good day, dear maintainers,

We found a bug using a modified version of syzkaller.

Kernel Branch: 7.0-rc1
Kernel Config: <https://drive.google.com/open?id=1SkS9U2y8MGrnaXhjJJI5n5SymSSMyYnS>
Unfortunately, we don't have any reproducer for this bug yet.
Thank you!

Best regards,
Sanan Hasanov

Oops: general protection fault, probably for non-canonical address 0xfbd59c0000000025: 0000 [#1] SMP KASAN
KASAN: maybe wild-memory-access in range [0xdead000000000128-0xdead00000000012f]
CPU: 1 UID: 0 PID: 9535 Comm: sshd Not tainted 7.0.0-rc1 #1 PREEMPT_{RT,(full)} 
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__hlist_del include/linux/list.h:994 [inline]
RIP: 0010:detach_timer+0xfc/0x280 kernel/time/timer.c:891
Code: c1 e8 03 80 3c 18 00 74 08 4c 89 ef e8 0d 97 73 00 4d 89 65 00 4d 85 e4 74 45 e8 1f 1d 13 00 49 83 c4 08 4c 89 e0 48 c1 e8 03 <80> 3c 18 00 74 08 4c 89 e7 e8 e6 96 73 00 4d 89 2c 24 80 7d d4 00
RSP: 0018:ffffc90004fef2c8 EFLAGS: 00010012
RAX: 1bd5a00000000025 RBX: dffffc0000000000 RCX: ffff8880259c3980
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90004fef308 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1db00d7 R12: dead00000000012a
R13: ffff88806b32eb70 R14: ffff88802d70dfd0 R15: 1ffff11005ae1bfa
FS:  00007f6eaab35900(0000) GS:ffff8880dc1a8000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1ab7106260 CR3: 0000000042f28000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 detach_if_pending kernel/time/timer.c:910 [inline]
 __mod_timer+0x782/0xeb0 kernel/time/timer.c:1097
 mod_timer+0x28/0x30 kernel/time/timer.c:1195
 sk_reset_timer+0x2b/0xc0 net/core/sock.c:3677
 inet_csk_reset_xmit_timer include/net/inet_connection_sock.h:-1 [inline]
 tcp_reset_xmit_timer include/net/tcp.h:1575 [inline]
 tcp_rearm_rto+0x363/0x4d0 net/ipv4/tcp_input.c:3548
 tcp_event_new_data_sent+0x337/0x540 net/ipv4/tcp_output.c:105
 tcp_write_xmit+0x1d3c/0x6910 net/ipv4/tcp_output.c:3071
 __tcp_push_pending_frames+0xa5/0x390 net/ipv4/tcp_output.c:3247
 tcp_push+0x4a0/0x670 net/ipv4/tcp.c:782
 tcp_sendmsg_locked+0x4b3f/0x57e0 net/ipv4/tcp.c:1427
 tcp_sendmsg+0x38/0x50 net/ipv4/tcp.c:1464
 inet_sendmsg+0x199/0x310 net/ipv4/af_inet.c:859
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 sock_write_iter+0x304/0x460 net/socket.c:1195
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x5ed/0xb50 fs/read_write.c:688
 ksys_write+0x14e/0x250 fs/read_write.c:740
 __do_sys_write fs/read_write.c:751 [inline]
 __se_sys_write fs/read_write.c:748 [inline]
 __x64_sys_write+0x84/0x90 fs/read_write.c:748
 x64_sys_call+0x23cf/0x2900 arch/x86/include/generated/asm/syscalls_64.h:2
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x11c/0x810 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f6eab014473
Code: 8b 15 21 2a 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18
RSP: 002b:00007ffec7930fa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000000016b4 RCX: 00007f6eab014473
RDX: 00000000000016b4 RSI: 000055a34821fcd0 RDI: 0000000000000004
RBP: 000055a3481f6d10 R08: 3fffffffffffffff R09: 4000000000000000
R10: 7fffffffffffffff R11: 0000000000000246 R12: 000055a323c98768
R13: 0000000000000000 R14: 0000000000000004 R15: 000055a323c4da80
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__hlist_del include/linux/list.h:994 [inline]
RIP: 0010:detach_timer+0xfc/0x280 kernel/time/timer.c:891
Code: c1 e8 03 80 3c 18 00 74 08 4c 89 ef e8 0d 97 73 00 4d 89 65 00 4d 85 e4 74 45 e8 1f 1d 13 00 49 83 c4 08 4c 89 e0 48 c1 e8 03 <80> 3c 18 00 74 08 4c 89 e7 e8 e6 96 73 00 4d 89 2c 24 80 7d d4 00
RSP: 0018:ffffc90004fef2c8 EFLAGS: 00010012
RAX: 1bd5a00000000025 RBX: dffffc0000000000 RCX: ffff8880259c3980
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90004fef308 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1db00d7 R12: dead00000000012a
R13: ffff88806b32eb70 R14: ffff88802d70dfd0 R15: 1ffff11005ae1bfa
FS:  00007f6eaab35900(0000) GS:ffff8880dc1a8000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1ab7106260 CR3: 0000000042f28000 CR4: 00000000000006f0
----------------
Code disassembly (best guess):
   0:	c1 e8 03             	shr    $0x3,%eax
   3:	80 3c 18 00          	cmpb   $0x0,(%rax,%rbx,1)
   7:	74 08                	je     0x11
   9:	4c 89 ef             	mov    %r13,%rdi
   c:	e8 0d 97 73 00       	call   0x73971e
  11:	4d 89 65 00          	mov    %r12,0x0(%r13)
  15:	4d 85 e4             	test   %r12,%r12
  18:	74 45                	je     0x5f
  1a:	e8 1f 1d 13 00       	call   0x131d3e
  1f:	49 83 c4 08          	add    $0x8,%r12
  23:	4c 89 e0             	mov    %r12,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	80 3c 18 00          	cmpb   $0x0,(%rax,%rbx,1) <-- trapping instruction
  2e:	74 08                	je     0x38
  30:	4c 89 e7             	mov    %r12,%rdi
  33:	e8 e6 96 73 00       	call   0x73971e
  38:	4d 89 2c 24          	mov    %r13,(%r12)
  3c:	80 7d d4 00          	cmpb   $0x0,-0x2c(%rbp)
