* [syzbot] [cgroups?] WARNING in css_rstat_exit
From: syzbot @ 2025-06-13 16:55 UTC
To: cgroups, hannes, linux-kernel, mkoutny, syzkaller-bugs, tj

Hello,

syzbot found the following issue on:

HEAD commit:    27605c8c0f69 Merge tag 'net-6.16-rc2' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=103b1e0c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=89df02a4e09cb64d
dashboard link: https://syzkaller.appspot.com/bug?extid=8d052e8b99e40bc625ed
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/79ab1e186123/disk-27605c8c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d37bf85b966d/vmlinux-27605c8c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/eed2865abf8f/bzImage-27605c8c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8d052e8b99e40bc625ed@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 5887 at kernel/cgroup/rstat.c:497 css_rstat_exit+0x368/0x470 kernel/cgroup/rstat.c:497
Modules linked in:
CPU: 0 UID: 0 PID: 5887 Comm: kworker/0:5 Not tainted 6.16.0-rc1-syzkaller-00101-g27605c8c0f69 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: cgroup_destroy css_free_rwork_fn
RIP: 0010:css_rstat_exit+0x368/0x470 kernel/cgroup/rstat.c:497
Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 0e 01 00 00 49 c7 85 70 05 00 00 00 00 00 00 e9 00 ff ff ff e8 c9 07 07 00 90 <0f> 0b 90 e9 3e ff ff ff e8 bb 07 07 00 90 0f 0b 90 e9 30 ff ff ff
RSP: 0000:ffffc9000b6afbc0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888057c7a800 RCX: ffff888124754000
RDX: ffff8880308b8000 RSI: ffffffff81b514e7 RDI: ffffffff8df26da0
RBP: ffff888057c7a808 R08: 0000000000000005 R09: 0000000000000007
R10: 0000000000000000 R11: 0000000000000001 R12: ffff888057c7a820
R13: 0000000000000000 R14: 0000000000000003 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff888124754000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b31b10ff8 CR3: 0000000079092000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 css_free_rwork_fn+0x80/0x12e0 kernel/cgroup/cgroup.c:5449
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
 kthread+0x3c5/0x780 kernel/kthread.c:464
 ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [cgroups?] WARNING in css_rstat_exit
From: Michal Koutný @ 2025-06-16 9:49 UTC
To: syzbot; +Cc: cgroups, hannes, linux-kernel, syzkaller-bugs, tj, JP Kobryn

+Cc: JP

On Fri, Jun 13, 2025 at 09:55:30AM -0700, syzbot <syzbot+8d052e8b99e40bc625ed@syzkaller.appspotmail.com> wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    27605c8c0f69 Merge tag 'net-6.16-rc2' of git://git.kernel...
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=103b1e0c580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=89df02a4e09cb64d
> dashboard link: https://syzkaller.appspot.com/bug?extid=8d052e8b99e40bc625ed
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/79ab1e186123/disk-27605c8c.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/d37bf85b966d/vmlinux-27605c8c.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/eed2865abf8f/bzImage-27605c8c.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+8d052e8b99e40bc625ed@syzkaller.appspotmail.com
> 
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 5887 at kernel/cgroup/rstat.c:497 css_rstat_exit+0x368/0x470 kernel/cgroup/rstat.c:497
> Modules linked in:
> CPU: 0 UID: 0 PID: 5887 Comm: kworker/0:5 Not tainted 6.16.0-rc1-syzkaller-00101-g27605c8c0f69 #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
> Workqueue: cgroup_destroy css_free_rwork_fn
> RIP: 0010:css_rstat_exit+0x368/0x470 kernel/cgroup/rstat.c:497
> Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 0e 01 00 00 49 c7 85 70 05 00 00 00 00 00 00 e9 00 ff ff ff e8 c9 07 07 00 90 <0f> 0b 90 e9 3e ff ff ff e8 bb 07 07 00 90 0f 0b 90 e9 30 ff ff ff
> RSP: 0000:ffffc9000b6afbc0 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffff888057c7a800 RCX: ffff888124754000
> RDX: ffff8880308b8000 RSI: ffffffff81b514e7 RDI: ffffffff8df26da0
> RBP: ffff888057c7a808 R08: 0000000000000005 R09: 0000000000000007
> R10: 0000000000000000 R11: 0000000000000001 R12: ffff888057c7a820
> R13: 0000000000000000 R14: 0000000000000003 R15: dffffc0000000000
> FS:  0000000000000000(0000) GS:ffff888124754000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000001b31b10ff8 CR3: 0000000079092000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  css_free_rwork_fn+0x80/0x12e0 kernel/cgroup/cgroup.c:5449
>  process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238
>  process_scheduled_works kernel/workqueue.c:3321 [inline]
>  worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
>  kthread+0x3c5/0x780 kernel/kthread.c:464
>  ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>  </TASK>
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> 
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
> 
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
> 
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
> 
> If you want to undo deduplication, reply with:
> #syz undup
* Re: [syzbot] [cgroups?] WARNING in css_rstat_exit
From: JP Kobryn @ 2025-06-17 4:46 UTC
To: Michal Koutný, syzbot
Cc: cgroups, hannes, linux-kernel, syzkaller-bugs, tj

On 6/16/25 2:49 AM, Michal Koutný wrote:
> +Cc: JP

Thanks. Looking into this.

> 
> On Fri, Jun 13, 2025 at 09:55:30AM -0700, syzbot <syzbot+8d052e8b99e40bc625ed@syzkaller.appspotmail.com> wrote:
>> Hello,
>> 
>> syzbot found the following issue on:
>> 
>> HEAD commit:    27605c8c0f69 Merge tag 'net-6.16-rc2' of git://git.kernel...
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=103b1e0c580000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=89df02a4e09cb64d
>> dashboard link: https://syzkaller.appspot.com/bug?extid=8d052e8b99e40bc625ed
>> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>> 
>> Unfortunately, I don't have any reproducer for this issue yet.
>> 
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/79ab1e186123/disk-27605c8c.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/d37bf85b966d/vmlinux-27605c8c.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/eed2865abf8f/bzImage-27605c8c.xz
>> 
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+8d052e8b99e40bc625ed@syzkaller.appspotmail.com
>> 
>> ------------[ cut here ]------------
>> WARNING: CPU: 0 PID: 5887 at kernel/cgroup/rstat.c:497 css_rstat_exit+0x368/0x470 kernel/cgroup/rstat.c:497
>> Modules linked in:
>> CPU: 0 UID: 0 PID: 5887 Comm: kworker/0:5 Not tainted 6.16.0-rc1-syzkaller-00101-g27605c8c0f69 #0 PREEMPT(full)
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
>> Workqueue: cgroup_destroy css_free_rwork_fn
>> RIP: 0010:css_rstat_exit+0x368/0x470 kernel/cgroup/rstat.c:497
>> Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 0e 01 00 00 49 c7 85 70 05 00 00 00 00 00 00 e9 00 ff ff ff e8 c9 07 07 00 90 <0f> 0b 90 e9 3e ff ff ff e8 bb 07 07 00 90 0f 0b 90 e9 30 ff ff ff
>> RSP: 0000:ffffc9000b6afbc0 EFLAGS: 00010293
>> RAX: 0000000000000000 RBX: ffff888057c7a800 RCX: ffff888124754000
>> RDX: ffff8880308b8000 RSI: ffffffff81b514e7 RDI: ffffffff8df26da0
>> RBP: ffff888057c7a808 R08: 0000000000000005 R09: 0000000000000007
>> R10: 0000000000000000 R11: 0000000000000001 R12: ffff888057c7a820
>> R13: 0000000000000000 R14: 0000000000000003 R15: dffffc0000000000
>> FS:  0000000000000000(0000) GS:ffff888124754000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 0000001b31b10ff8 CR3: 0000000079092000 CR4: 00000000003526f0
>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> Call Trace:
>>  <TASK>
>>  css_free_rwork_fn+0x80/0x12e0 kernel/cgroup/cgroup.c:5449
>>  process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238
>>  process_scheduled_works kernel/workqueue.c:3321 [inline]
>>  worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
>>  kthread+0x3c5/0x780 kernel/kthread.c:464
>>  ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
>>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>>  </TASK>
>> 
>> 
>> ---
>> This report is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>> 
>> syzbot will keep track of this issue. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>> 
>> If the report is already addressed, let syzbot know by replying with:
>> #syz fix: exact-commit-title
>> 
>> If you want to overwrite report's subsystems, reply with:
>> #syz set subsystems: new-subsystem
>> (See the list of subsystem names on the web dashboard)
>> 
>> If the report is a duplicate of another one, reply with:
>> #syz dup: exact-subject-of-another-report
>> 
>> If you want to undo deduplication, reply with:
>> #syz undup
* Re: [syzbot] [cgroups?] WARNING in css_rstat_exit
From: syzbot @ 2025-07-14 7:29 UTC
To: cgroups, hannes, inwardvessel, linux-kernel, mkoutny, syzkaller-bugs, tj

syzbot has found a reproducer for the following issue on:

HEAD commit:    5d5d62298b8b Merge tag 'x86_urgent_for_v6.16_rc6' of git:/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11dabd82580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=84eae426cbd8669c
dashboard link: https://syzkaller.appspot.com/bug?extid=8d052e8b99e40bc625ed
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=162c47d4580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d2d0d46a0e87/disk-5d5d6229.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0bf6381177a8/vmlinux-5d5d6229.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2f3ae8f165f2/bzImage-5d5d6229.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8d052e8b99e40bc625ed@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 9 at kernel/cgroup/rstat.c:497 css_rstat_exit+0x368/0x470 kernel/cgroup/rstat.c:497
Modules linked in:
CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.16.0-rc5-syzkaller-00276-g5d5d62298b8b #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: cgroup_destroy css_free_rwork_fn
RIP: 0010:css_rstat_exit+0x368/0x470 kernel/cgroup/rstat.c:497
Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 0e 01 00 00 49 c7 85 70 05 00 00 00 00 00 00 e9 00 ff ff ff e8 d9 09 07 00 90 <0f> 0b 90 e9 3e ff ff ff e8 cb 09 07 00 90 0f 0b 90 e9 30 ff ff ff
RSP: 0018:ffffc900000e7bc0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8881404a4e00 RCX: ffff888124720000
RDX: ffff88801e298000 RSI: ffffffff81b45507 RDI: ffffffff8df37da0
RBP: ffff8881404a4e08 R08: 0000000000000005 R09: 0000000000000007
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8881404a4e20
R13: 0000000000000000 R14: 0000000000000003 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff888124720000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000034892000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 css_free_rwork_fn+0x80/0x12e0 kernel/cgroup/cgroup.c:5449
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
 kthread+0x3c2/0x780 kernel/kthread.c:464
 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
* Re: [syzbot] [cgroups?] WARNING in css_rstat_exit 2025-07-14 7:29 ` syzbot @ 2025-07-14 23:37 ` JP Kobryn 2025-07-14 23:39 ` syzbot 2025-07-14 23:58 ` JP Kobryn 2025-07-15 1:05 ` JP Kobryn 2 siblings, 1 reply; 13+ messages in thread From: JP Kobryn @ 2025-07-14 23:37 UTC (permalink / raw) To: syzbot, cgroups, hannes, linux-kernel, mkoutny, syzkaller-bugs, tj, Shakeel Butt #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 347e9f5043c89695b01e66b3ed111755afcf1911 diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c index a723b7dc6e4e..e6c5c998ead6 100644 --- a/kernel/cgroup/cgroup.c +++ b/kernel/cgroup/cgroup.c @@ -5669,6 +5669,12 @@ static struct cgroup_subsys_state *css_create(struct cgroup *cgrp, init_and_link_css(css, ss, cgrp); + err = css_rstat_init(css); + if (err) { + ss->css_free(css); + goto err_out; + } + err = percpu_ref_init(&css->refcnt, css_release, 0, GFP_KERNEL); if (err) goto err_free_css; @@ -5678,10 +5684,6 @@ static struct cgroup_subsys_state *css_create(struct cgroup *cgrp, goto err_free_css; css->id = err; - err = css_rstat_init(css); - if (err) - goto err_free_css; - /* @css is ready to be brought online now, make it visible */ list_add_tail_rcu(&css->sibling, &parent_css->children); cgroup_idr_replace(&ss->css_idr, css, css->id); 
@@ -5697,6 +5699,7 @@ static struct cgroup_subsys_state *css_create(struct cgroup *cgrp, err_free_css: INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn); queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork); +err_out: return ERR_PTR(err); } On 7/14/25 12:29 AM, syzbot wrote: > syzbot has found a reproducer for the following issue on: > > HEAD commit: 5d5d62298b8b Merge tag 'x86_urgent_for_v6.16_rc6' of git:/.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=11dabd82580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=84eae426cbd8669c > dashboard link: https://syzkaller.appspot.com/bug?extid=8d052e8b99e40bc625ed > compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=162c47d4580000 > > Downloadable assets: > disk image: https://storage.googleapis.com/syzbot-assets/d2d0d46a0e87/disk-5d5d6229.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/0bf6381177a8/vmlinux-5d5d6229.xz > kernel image: https://storage.googleapis.com/syzbot-assets/2f3ae8f165f2/bzImage-5d5d6229.xz > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+8d052e8b99e40bc625ed@syzkaller.appspotmail.com > > ------------[ cut here ]------------ > WARNING: CPU: 0 PID: 9 at kernel/cgroup/rstat.c:497 css_rstat_exit+0x368/0x470 kernel/cgroup/rstat.c:497 > Modules linked in: > CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.16.0-rc5-syzkaller-00276-g5d5d62298b8b #0 PREEMPT(full) > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 > Workqueue: cgroup_destroy css_free_rwork_fn > RIP: 0010:css_rstat_exit+0x368/0x470 kernel/cgroup/rstat.c:497 > Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 0e 01 00 00 49 c7 85 70 05 00 00 00 00 00 00 e9 00 ff ff ff e8 d9 09 07 00 90 <0f> 0b 90 e9 3e ff ff ff e8 cb 09 07 00 90 0f 0b 90 e9 30 ff ff ff > RSP: 0018:ffffc900000e7bc0 EFLAGS: 
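Review bot: in the first hunk the new failure path after css_rstat_init() calls ss->css_free(css) and jumps straight to err_out, but init_and_link_css() has already run at that point, and the existing err_free_css path deliberately defers teardown to css_free_rwork_fn() instead of calling ss->css_free() inline; whatever init_and_link_css() established (Michal's reply further down in the thread calls it a reference imbalance) is therefore left in place on this one path. Either move the css_rstat_init() call ahead of init_and_link_css() so that a bare free is correct, or undo what init_and_link_css() did before freeing. The reordering itself, first and second hunk together, does address the report: every failure between init_and_link_css() and the end of css_create() now reaches css_free_rwork_fn() with rstat initialized, so css_rstat_exit() no longer runs on uninitialized state and the WARN at kernel/cgroup/rstat.c:497 is not reached from the error path. The err_out label in the third hunk is fine as it stands.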
00010293 > RAX: 0000000000000000 RBX: ffff8881404a4e00 RCX: ffff888124720000 > RDX: ffff88801e298000 RSI: ffffffff81b45507 RDI: ffffffff8df37da0 > RBP: ffff8881404a4e08 R08: 0000000000000005 R09: 0000000000000007 > R10: 0000000000000000 R11: 0000000000000001 R12: ffff8881404a4e20 > R13: 0000000000000000 R14: 0000000000000003 R15: dffffc0000000000 > FS: 0000000000000000(0000) GS:ffff888124720000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000000000000 CR3: 0000000034892000 CR4: 00000000003526f0 > Call Trace: > <TASK> > css_free_rwork_fn+0x80/0x12e0 kernel/cgroup/cgroup.c:5449 > process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238 > process_scheduled_works kernel/workqueue.c:3321 [inline] > worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402 > kthread+0x3c2/0x780 kernel/kthread.c:464 > ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 > ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 > </TASK> > > > --- > If you want syzbot to run the reproducer, reply with: > #syz test: git://repo/address.git branch-or-commit-hash > If you attach or paste a git patch, syzbot will apply it before testing. ^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: [syzbot] [cgroups?] WARNING in css_rstat_exit
From: syzbot @ 2025-07-14 23:39 UTC
To: cgroups, hannes, inwardvessel, linux-kernel, mkoutny, shakeel.butt, syzkaller-bugs, tj

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file kernel/cgroup/cgroup.c
patch: **** unexpected end of file in patch


Tested on:

commit:         347e9f50 Linux 6.16-rc6
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=84eae426cbd8669c
dashboard link: https://syzkaller.appspot.com/bug?extid=8d052e8b99e40bc625ed
compiler:
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16e3fd82580000
* Re: [syzbot] [cgroups?] WARNING in css_rstat_exit 2025-07-14 7:29 ` syzbot 2025-07-14 23:37 ` JP Kobryn @ 2025-07-14 23:58 ` JP Kobryn 2025-07-15 0:00 ` syzbot 2025-07-15 1:05 ` JP Kobryn 2 siblings, 1 reply; 13+ messages in thread From: JP Kobryn @ 2025-07-14 23:58 UTC (permalink / raw) To: syzbot, cgroups, hannes, linux-kernel, mkoutny, syzkaller-bugs, tj, Shakeel Butt On 7/14/25 12:29 AM, syzbot wrote: > syzbot has found a reproducer for the following issue on: > > HEAD commit: 5d5d62298b8b Merge tag 'x86_urgent_for_v6.16_rc6' of git:/.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=11dabd82580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=84eae426cbd8669c > dashboard link: https://syzkaller.appspot.com/bug?extid=8d052e8b99e40bc625ed > compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=162c47d4580000 #syz test diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c index a723b7dc6e4e..e6c5c998ead6 100644 --- a/kernel/cgroup/cgroup.c +++ b/kernel/cgroup/cgroup.c @@ -5669,6 +5669,12 @@ static struct cgroup_subsys_state *css_create(struct cgroup *cgrp, init_and_link_css(css, ss, cgrp); + err = css_rstat_init(css); + if (err) { + ss->css_free(css); + goto err_out; + } + err = percpu_ref_init(&css->refcnt, css_release, 0, GFP_KERNEL); if (err) goto err_free_css; @@ -5678,10 +5684,6 @@ static struct cgroup_subsys_state *css_create(struct cgroup *cgrp, goto err_free_css; css->id = err; - err = css_rstat_init(css); - if (err) - goto err_free_css; - /* @css is ready to be brought online now, make it visible */ list_add_tail_rcu(&css->sibling, &parent_css->children); cgroup_idr_replace(&ss->css_idr, css, css->id); 
@@ -5697,6 +5699,7 @@ static struct cgroup_subsys_state *css_create(struct cgroup *cgrp, err_free_css: INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn); queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork); +err_out: return ERR_PTR(err); } -- ^ permalink raw reply related [flat|nested] 13+ messages in thread
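Review bot: this is a byte-for-byte repost of the patch from the previous message, and syzbot answers both copies with "patch: **** unexpected end of file in patch" while checking kernel/cgroup/cgroup.c, so the inline copy is being truncated or re-wrapped on the way to the bot rather than being wrong in content; the copy that applied is the text/x-patch attachment in the following message. For a "#syz test" request, sending the patch as an attachment (or from a tool that preserves it verbatim) avoids losing a round trip.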
* Re: [syzbot] [cgroups?] WARNING in css_rstat_exit
From: syzbot @ 2025-07-15 0:00 UTC
To: cgroups, hannes, inwardvessel, linux-kernel, mkoutny, shakeel.butt, syzkaller-bugs, tj

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file kernel/cgroup/cgroup.c
patch: **** unexpected end of file in patch


Tested on:

commit:         347e9f50 Linux 6.16-rc6
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=84eae426cbd8669c
dashboard link: https://syzkaller.appspot.com/bug?extid=8d052e8b99e40bc625ed
compiler:
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1541718c580000
* Re: [syzbot] [cgroups?] WARNING in css_rstat_exit
From: JP Kobryn @ 2025-07-15 1:05 UTC (permalink / raw) To: syzbot, cgroups, hannes, linux-kernel, mkoutny, syzkaller-bugs, tj [-- Attachment #1: Type: text/plain, Size: 2974 bytes --] #syz test On 7/14/25 12:29 AM, syzbot wrote: > syzbot has found a reproducer for the following issue on: > > HEAD commit: 5d5d62298b8b Merge tag 'x86_urgent_for_v6.16_rc6' of git:/.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=11dabd82580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=84eae426cbd8669c > dashboard link: https://syzkaller.appspot.com/bug?extid=8d052e8b99e40bc625ed > compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=162c47d4580000 > > Downloadable assets: > disk image: https://storage.googleapis.com/syzbot-assets/d2d0d46a0e87/disk-5d5d6229.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/0bf6381177a8/vmlinux-5d5d6229.xz > kernel image: https://storage.googleapis.com/syzbot-assets/2f3ae8f165f2/bzImage-5d5d6229.xz > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+8d052e8b99e40bc625ed@syzkaller.appspotmail.com > > ------------[ cut here ]------------ > WARNING: CPU: 0 PID: 9 at kernel/cgroup/rstat.c:497 css_rstat_exit+0x368/0x470 kernel/cgroup/rstat.c:497 > Modules linked in: > CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.16.0-rc5-syzkaller-00276-g5d5d62298b8b #0 PREEMPT(full) > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 > Workqueue: cgroup_destroy css_free_rwork_fn > RIP: 0010:css_rstat_exit+0x368/0x470 kernel/cgroup/rstat.c:497 > Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 0e 01 00 00 49 c7 85 70 05 00 00 00 00 00 00 e9 00 ff ff ff e8 d9 09 07 00 90 <0f> 0b 90 e9 3e ff ff ff e8 cb 09 07 00 90 0f 0b 90 e9 30 ff ff ff > RSP: 0018:ffffc900000e7bc0 EFLAGS: 00010293 > RAX: 0000000000000000 RBX: ffff8881404a4e00 
RCX: ffff888124720000 > RDX: ffff88801e298000 RSI: ffffffff81b45507 RDI: ffffffff8df37da0 > RBP: ffff8881404a4e08 R08: 0000000000000005 R09: 0000000000000007 > R10: 0000000000000000 R11: 0000000000000001 R12: ffff8881404a4e20 > R13: 0000000000000000 R14: 0000000000000003 R15: dffffc0000000000 > FS: 0000000000000000(0000) GS:ffff888124720000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000000000000 CR3: 0000000034892000 CR4: 00000000003526f0 > Call Trace: > <TASK> > css_free_rwork_fn+0x80/0x12e0 kernel/cgroup/cgroup.c:5449 > process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238 > process_scheduled_works kernel/workqueue.c:3321 [inline] > worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402 > kthread+0x3c2/0x780 kernel/kthread.c:464 > ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 > ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 > </TASK> > > > --- > If you want syzbot to run the reproducer, reply with: > #syz test: git://repo/address.git branch-or-commit-hash > If you attach or paste a git patch, syzbot will apply it before testing. [-- Attachment #2: 0001-cgroup-make-sure-css_rstat_init-is-called-before-css.patch --] [-- Type: text/x-patch, Size: 1523 bytes --] From 381235b9f2aa500b6e2971e98ea84edc107cd1d8 Mon Sep 17 00:00:00 2001 From: JP Kobryn <inwardvessel@gmail.com> Date: Mon, 14 Jul 2025 16:45:55 -0700 Subject: [PATCH] cgroup: make sure css_rstat_init() is called before css_rstat_exit() Test against syzbot repro. Signed-off-by: JP Kobryn <inwardvessel@gmail.com> --- kernel/cgroup/cgroup.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c index a723b7dc6e4e..e6c5c998ead6 100644 --- a/kernel/cgroup/cgroup.c +++ b/kernel/cgroup/cgroup.c 
@@ -5669,6 +5669,12 @@ static struct cgroup_subsys_state *css_create(struct cgroup *cgrp, init_and_link_css(css, ss, cgrp); + err = css_rstat_init(css); + if (err) { + ss->css_free(css); + goto err_out; + } + err = percpu_ref_init(&css->refcnt, css_release, 0, GFP_KERNEL); if (err) goto err_free_css; @@ -5678,10 +5684,6 @@ static struct cgroup_subsys_state *css_create(struct cgroup *cgrp, goto err_free_css; css->id = err; - err = css_rstat_init(css); - if (err) - goto err_free_css; - /* @css is ready to be brought online now, make it visible */ list_add_tail_rcu(&css->sibling, &parent_css->children); cgroup_idr_replace(&ss->css_idr, css, css->id); @@ -5697,6 +5699,7 @@ static struct cgroup_subsys_state *css_create(struct cgroup *cgrp, err_free_css: INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn); queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork); +err_out: return ERR_PTR(err); } -- 2.47.1 ^ permalink raw reply related [flat|nested] 13+ messages in thread
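Review bot: the commit message, "Test against syzbot repro.", says nothing about the defect; for a mergeable version describe that a failure in percpu_ref_init() or in the id allocation after it sent the css through css_free_rwork_fn() and so into css_rstat_exit() before css_rstat_init() had ever run, hitting the WARN at kernel/cgroup/rstat.c:497, and carry the Reported-by: syzbot+8d052e8b99e40bc625ed@syzkaller.appspotmail.com tag the report asks for (syzbot's test reply also supplies a matching Tested-by:). In the first hunk the "ss->css_free(css); goto err_out;" path still runs after init_and_link_css() without undoing it, which is the reference imbalance Michal raises below; placing css_rstat_init() before init_and_link_css(), as Shakeel's reply describes, removes the need for that special case altogether.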
* Re: [syzbot] [cgroups?] WARNING in css_rstat_exit
From: syzbot @ 2025-07-15 1:27 UTC
To: cgroups, hannes, inwardvessel, linux-kernel, mkoutny, syzkaller-bugs, tj

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+8d052e8b99e40bc625ed@syzkaller.appspotmail.com
Tested-by: syzbot+8d052e8b99e40bc625ed@syzkaller.appspotmail.com

Tested on:

commit:         347e9f50 Linux 6.16-rc6
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16a80382580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=693e2f5eea496864
dashboard link: https://syzkaller.appspot.com/bug?extid=8d052e8b99e40bc625ed
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1025718c580000

Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [cgroups?] WARNING in css_rstat_exit
From: Michal Koutný @ 2025-07-17 13:28 UTC
To: JP Kobryn; +Cc: syzbot, cgroups, hannes, linux-kernel, syzkaller-bugs, tj

Thanks for looking into this JP.
You seem to have tracked down the cause with uncleaned rstat, beware that the
approach in the patch would leave reference imbalance after
init_and_link_css() though.

Michal
* Re: [syzbot] [cgroups?] WARNING in css_rstat_exit
From: Shakeel Butt @ 2025-07-17 18:46 UTC
To: Michal Koutný
Cc: JP Kobryn, syzbot, cgroups, hannes, linux-kernel, syzkaller-bugs, tj

On Thu, Jul 17, 2025 at 03:28:27PM +0200, Michal Koutný wrote:
> Thanks for looking into this JP.
> You seem to have tracked down the cause with uncleaned rstat, beware that the
> approach in the patch would leave reference imbalance after
> init_and_link_css() though.

Yeah I discussed the same with JP and I think JP is planning to move the
css_rstat_init() before init_and_link_css() and a second param to
css_rstat_init() to differentiate between css_is_self() or not.
* Re: [syzbot] [cgroups?] WARNING in css_rstat_exit
From: JP Kobryn @ 2025-07-22 0:29 UTC
To: Shakeel Butt, Michal Koutný
Cc: syzbot, cgroups, hannes, linux-kernel, syzkaller-bugs, tj

Thanks Michal and Shakeel for the input on this. I will be sending out a
series to harden css_create(). I was able to open a small window for the
placement of css_rstat_init() that satisfies existing constraints and allows
for error handling before refcounts come into play.

On 7/17/25 11:46 AM, Shakeel Butt wrote:
> On Thu, Jul 17, 2025 at 03:28:27PM +0200, Michal Koutný wrote:
>> Thanks for looking into this JP.
>> You seem to have tracked down the cause with uncleaned rstat, beware that the
>> approach in the patch would leave reference imbalance after
>> init_and_link_css() though.
> 
> Yeah I discussed the same with JP and I think JP is planning to move the
> css_rstat_init() before init_and_link_css() and a second param to
> css_rstat_init() to differentiate between css_is_self() or not.
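The ordering question the last three messages settle (where css_rstat_init() may sit so that an error path never reaches css_rstat_exit() on state that was never set up, and never strands a reference taken earlier) can be exercised outside the kernel. The C program below is an added example, not code from the thread or from the kernel: struct css_model, enum order, create() and run_variant() are constructs of the example, and its three orders stand for the tree syzbot reported on, JP's first posted patch, and the plan Shakeel describes. Fault injection at each creation step then shows which order ends with a warning or a leaked parent reference.

```c
#include <stdio.h>

/* Constructed model (not kernel code) of the css_create() error-path ordering
 * discussed in the thread; the names echo the kernel functions they stand for. */
struct css_model {
	int rstat_initialized;	/* set by rstat_init(), cleared by rstat_exit() */
	int parent_refs;	/* taken by the link step; must be 0 at the end */
	int id;			/* -1 until allocated */
	int warnings;		/* WARN-style invariant violations observed */
};

/* Fault-injection point: which creation step fails, if any. */
enum step { STEP_NONE, STEP_RSTAT, STEP_REFCNT, STEP_ID };

/* Where css_rstat_init() sits in the creation sequence. */
enum order {
	ORDER_PRE_FIX,	/* after link, refcnt and id, as in the reported tree */
	ORDER_PATCH_V1,	/* after link, freeing directly on failure (first patch) */
	ORDER_PLANNED,	/* before link, as described in the thread's last messages */
};

static int rstat_init(struct css_model *css, enum step fail_at)
{
	if (fail_at == STEP_RSTAT)
		return -1;
	css->rstat_initialized = 1;
	return 0;
}

/* The check behind the WARN at kernel/cgroup/rstat.c:497 in the report:
 * tearing down rstat state that was never set up is a bug. */
static void rstat_exit(struct css_model *css)
{
	if (!css->rstat_initialized)
		css->warnings++;
	css->rstat_initialized = 0;
}

/* css_free_rwork_fn() equivalent: exits rstat, frees the id, drops link ref. */
static void free_rwork(struct css_model *css)
{
	rstat_exit(css);
	css->id = -1;
	css->parent_refs--;
}

/* Shared steps: refcnt init, then id allocation; either may fail. */
static int init_refcnt_and_id(struct css_model *css, enum step fail_at)
{
	if (fail_at == STEP_REFCNT || fail_at == STEP_ID)
		return -1;
	css->id = 1;
	return 0;
}

/* css_create() equivalent. Only the position of rstat_init() and the way its
 * failure is handled differ between the three orders. */
static int create(struct css_model *css, enum order order, enum step fail_at)
{
	if (order == ORDER_PLANNED && rstat_init(css, fail_at))
		return -1;		/* nothing set up yet: nothing to unwind */
	css->parent_refs++;		/* init_and_link_css() takes a reference */
	if (order == ORDER_PATCH_V1 && rstat_init(css, fail_at))
		return -1;		/* ss->css_free() directly: the reference leaks */
	if (init_refcnt_and_id(css, fail_at))
		goto err_free_css;
	if (order == ORDER_PRE_FIX && rstat_init(css, fail_at))
		goto err_free_css;
	return 0;
err_free_css:
	free_rwork(css);		/* exits rstat whether or not it was set up */
	return -1;
}

/* Runs one order at one fault point through the whole lifetime; the returned
 * warnings and parent_refs fields are the verdict (both should be 0). */
static struct css_model run_variant(enum order order, enum step fail_at)
{
	struct css_model css = { .id = -1 };

	if (create(&css, order, fail_at) == 0)
		free_rwork(&css);	/* normal end of life */
	return css;
}

int main(void)
{
	static const char *names[] = { "pre-fix", "patch-v1", "planned" };

	for (enum order o = ORDER_PRE_FIX; o <= ORDER_PLANNED; o++)
		for (enum step s = STEP_NONE; s <= STEP_ID; s++) {
			struct css_model r = run_variant(o, s);
			printf("%-8s fail_at=%d warnings=%d parent_refs=%d\n",
			       names[o], (int)s, r.warnings, r.parent_refs);
		}
	return 0;
}
```

Compile and run it to see the table: the pre-fix order reports a warning for every failure after the link step, because the deferred free always calls rstat_exit(); the first-patch order reports no warning but leaves parent_refs at 1 when rstat_init() fails, which is the imbalance Michal points out; the planned order ends at 0/0 at every fault point. The general rule the model illustrates for any staged constructor is that a sub-object must be initialized before anything whose deferred destructor cannot tell the two states apart, or the destructor must record and check what was actually set up.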