Dear Maintainers,

When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash (113th) was triggered.

HEAD commit: 6537cfb395f352782918d8ee7b7f10ba2cc3cbf2
git tree: upstream
Output: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/general%20protection%20fault%20in%20alloc_bulk/113report.txt
Kernel config: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/config.txt
C reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/0702_6.14/general%20protection%20fault%20in%20alloc_bulk/113repro.c

Our reproducer mounts a constructed filesystem image. The error occurred around line 215 of the alloc_bulk function, in the call to add_obj_to_free_list(c, obj). obj = llist_del_first(&c->free_by_rcu_ttrace) obtained a damaged pointer; add_obj_to_free_list(c, obj) attempted to manipulate the damaged pointer and then accessed the obj->next field. KASAN detected an access to an invalid memory address. We have reproduced this issue several times on 6.14.

If you fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <huk23@xxxxxxxxxxxxxx>, Jiaji Qin <jjtan24@xxxxxxxxxxxxxx>, Shuoran Bai <baishuoran@xxxxxxxxxxxx>

Oops: general protection fault, probably for non-canonical address 0xfc1ffbf110024d86: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xe0ffff8880126c30-0xe0ffff8880126c37]
CPU: 0 UID: 0 PID: 17693 Comm: syz.7.371 Not tainted 6.14.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:alloc_bulk+0x72f/0xf40
Code: 85 9a 00 00 00 e8 71 cd d9 ff 48 8b 44 24 20 42 80 3c 38 00 0f 85 5f 07 00 00 49 8b 5c 24 10 48 8d 7b 54 48 89 f8 48 c1 e8 03 <42> 0f b6 14 38 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RSP: 0018:ffffc90000007e98 EFLAGS: 00010013
RAX: 1c1ffff110024d86 RBX: e0ffff8880126be0 RCX: ffffffff81e05449
RDX: 0000000000000001 RSI: ffff888073c00000 RDI: e0ffff8880126c34
RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff2de7999
R10: fffffbfff2de7998 R11: ffffffff96f3ccc7 R12: ffff888076366901
R13: 0000000000000001 R14: 0000000000000000 R15: dffffc0000000000
FS:  00007f6e90896700(0000) GS:ffff88802b800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555560269b0 CR3: 000000002b20a000 CR4: 0000000000750ef0
PKRU: 80000000
Call Trace:
 <IRQ>
 bpf_mem_refill+0x5dd/0x970
 irq_work_single+0x128/0x260
 irq_work_run_list+0x91/0xc0
 irq_work_run+0x58/0xd0
 __sysvec_irq_work+0x8c/0x410
 sysvec_irq_work+0xd9/0x100
 </IRQ>
 <TASK>
 asm_sysvec_irq_work+0x1a/0x20
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x50
Code: 48 8b 05 53 b8 49 7e 48 8b 80 20 16 00 00 e9 12 20 56 ff 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 55 bf 02 00 00 00 53 48 8b 6c 24 10 65 48 8b 1d 18 b8
RSP: 0018:ffffc900089cfa08 EFLAGS: 00000212
RAX: 000000000005190f RBX: 0000000000000000 RCX: 0000000000080000
RDX: ffffc90003052000 RSI: ffff888073c00000 RDI: 0000000000000002
RBP: 0000000000000200 R08: 0000000000000001 R09: 0000000000000001
R10: fffffbfff20c2fa2 R11: ffffffff90617d17 R12: 0000000000000006
R13: 0000000000000000 R14: ffff8880137415f8 R15: ffff88807d3b5000
 __htab_percpu_map_update_elem+0x506/0x1180
 bpf_percpu_hash_update+0xc4/0x240
 bpf_map_update_value+0x8ad/0xcd0
 generic_map_update_batch+0x473/0x630
 bpf_map_do_batch+0x49c/0x600
 __sys_bpf+0x2656/0x5150
 __x64_sys_bpf+0x79/0xc0
 do_syscall_64+0xcf/0x250
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6e8f9acadd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6e90895ba8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f6e8fba5fa0 RCX: 00007f6e8f9acadd
RDX: 0000000000000038 RSI: 00000000200005c0 RDI: 000000000000001a
RBP: 00007f6e8fa2ab8f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6e8fba5fac R14: 00007f6e8fba6038 R15: 00007f6e90895d40
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:alloc_bulk+0x72f/0xf40
Code: 85 9a 00 00 00 e8 71 cd d9 ff 48 8b 44 24 20 42 80 3c 38 00 0f 85 5f 07 00 00 49 8b 5c 24 10 48 8d 7b 54 48 89 f8 48 c1 e8 03 <42> 0f b6 14 38 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RSP: 0018:ffffc90000007e98 EFLAGS: 00010013
RAX: 1c1ffff110024d86 RBX: e0ffff8880126be0 RCX: ffffffff81e05449
RDX: 0000000000000001 RSI: ffff888073c00000 RDI: e0ffff8880126c34
RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff2de7999
R10: fffffbfff2de7998 R11: ffffffff96f3ccc7 R12: ffff888076366901
R13: 0000000000000001 R14: 0000000000000000 R15: dffffc0000000000
FS:  00007f6e90896700(0000) GS:ffff88802b800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555560269b0 CR3: 000000002b20a000 CR4: 0000000000750ef0
PKRU: 80000000
----------------
Code disassembly (best guess):
   0:   85 9a 00 00 00 e8       test   %ebx,-0x18000000(%rdx)
   6:   71 cd                   jno    0xffffffd5
   8:   d9 ff                   fcos
   a:   48 8b 44 24 20          mov    0x20(%rsp),%rax
   f:   42 80 3c 38 00          cmpb   $0x0,(%rax,%r15,1)
  14:   0f 85 5f 07 00 00       jne    0x779
  1a:   49 8b 5c 24 10          mov    0x10(%r12),%rbx
  1f:   48 8d 7b 54             lea    0x54(%rbx),%rdi
  23:   48 89 f8                mov    %rdi,%rax
  26:   48 c1 e8 03             shr    $0x3,%rax
* 2a:   42 0f b6 14 38          movzbl (%rax,%r15,1),%edx       <-- trapping instruction
  2f:   48 89 f8                mov    %rdi,%rax
  32:   83 e0 07                and    $0x7,%eax
  35:   83 c0 03                add    $0x3,%eax
  38:   38 d0                   cmp    %dl,%al
  3a:   7c 08                   jl     0x44
  3c:   84 d2                   test   %dl,%dl
  3e:   0f                      .byte 0xf
  3f:   85                      .byte 0x85

thanks,
Kun Hu
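As an added triage check, not part of the report above and not code from the reporters: the script below parses the first register dump of the oops and confirms from the numbers alone that the trap is an inline KASAN shadow check on an already corrupted pointer. In the disassembly, RDI is the address about to be accessed (lea 0x54(%rbx),%rdi), RAX = RDI >> 3, and the trapping movzbl reads the shadow byte at RAX + R15. The script recomputes that shadow address and checks it against the non-canonical address in the Oops line, and also shows that RDI itself (the centre of the KASAN "wild-memory-access" range) is non-canonical, which is why the kernel faults on the shadow read rather than on the object access. It assumes the default x86-64 KASAN shadow mapping, shadow = (addr >> 3) + KASAN_SHADOW_OFFSET with KASAN_SHADOW_OFFSET = 0xdffffc0000000000 (the value the report shows in R15); the OOPS string is an excerpt constructed from the report.

```python
"""Decode the register state of an x86-64 KASAN 'wild-memory-access' GPF.

Added triage helper, not part of the bug report.  It assumes the default
x86-64 KASAN shadow mapping: shadow(addr) = (addr >> 3) + KASAN_SHADOW_OFFSET,
KASAN_SHADOW_OFFSET = 0xdffffc0000000000.
"""
import re

KASAN_SHADOW_OFFSET = 0xdffffc0000000000
U64_MASK = (1 << 64) - 1

# Constructed excerpt: the first register dump from the report above.
OOPS = """\
Oops: general protection fault, probably for non-canonical address 0xfc1ffbf110024d86: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xe0ffff8880126c30-0xe0ffff8880126c37]
RIP: 0010:alloc_bulk+0x72f/0xf40
RAX: 1c1ffff110024d86 RBX: e0ffff8880126be0 RCX: ffffffff81e05449
RDX: 0000000000000001 RSI: ffff888073c00000 RDI: e0ffff8880126c34
R13: 0000000000000001 R14: 0000000000000000 R15: dffffc0000000000
"""

REG_RE = re.compile(r'\b(R[A-Z0-9]{2}): ([0-9a-f]{16})\b')
GPF_RE = re.compile(r'non-canonical address 0x([0-9a-f]+)')
KASAN_RE = re.compile(r'range \[0x([0-9a-f]+)-0x([0-9a-f]+)\]')


def is_canonical(addr, va_bits=48):
    """True if bits 63..(va_bits-1) are all equal (4-level paging: 48 bits)."""
    top = addr >> (va_bits - 1)
    return top == 0 or top == (1 << (64 - va_bits + 1)) - 1


def kasan_shadow(addr):
    """Shadow byte address for a kernel address under the default x86-64 layout."""
    return ((addr >> 3) + KASAN_SHADOW_OFFSET) & U64_MASK


def analyze(text):
    """Cross-check the oops: does RDI explain both the GPF address and the KASAN range?"""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    fault = int(GPF_RE.search(text).group(1), 16)
    lo, hi = (int(x, 16) for x in KASAN_RE.search(text).groups())
    access = regs['RDI']          # lea 0x54(%rbx),%rdi: address being bounds-checked
    return {
        'fault_addr': fault,
        'fault_is_canonical': is_canonical(fault),
        'access_addr': access,
        'access_is_canonical': is_canonical(access),
        # movzbl (%rax,%r15,1): rax must be access>>3 and r15 the shadow offset
        'rax_is_shifted_access': regs['RAX'] == access >> 3,
        'r15_is_shadow_offset': regs['R15'] == KASAN_SHADOW_OFFSET,
        'shadow_matches_fault': kasan_shadow(access) == fault,
        'access_in_kasan_range': lo <= access <= hi,
        'base_ptr': regs['RBX'],                 # base register of the lea
        'access_offset': access - regs['RBX'],   # 0x54, the lea displacement
    }


if __name__ == "__main__":
    for key, val in analyze(OOPS).items():
        print(f"{key:>24}: {val:#x}" if isinstance(val, int) and not isinstance(val, bool) else f"{key:>24}: {val}")
```

Run it on any x86-64 KASAN oops that contains the register lines; if `shadow_matches_fault` is true and `access_is_canonical` is false, the crash site is the compiler-inserted shadow check, and the real bug is whatever produced the bad pointer in RDI upstream of it, which matches the reporters' reading that llist_del_first returned a damaged pointer.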