syzbot


general protection fault in count_matching_names

Status: upstream: reported syz repro on 2025/01/31 20:35
Subsystems: usb
Reported-by: syzbot+1aa04f53a21b8994067f@syzkaller.appspotmail.com
First crash: 140d, last: 35d
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [usb?] general protection fault in count_matching_names 0 (1) 2025/01/31 20:35
Last patch testing requests (2)
Created Duration User Patch Repo Result
2025/04/25 21:44 20m retest repro upstream OK log
2025/02/14 21:08 24m retest repro upstream report log

Sample crash report:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000060: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000300-0x0000000000000307]
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.15.0-rc1-syzkaller-00246-g900241a5cc15 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:strcmp+0x42/0xa0 lib/string.c:277
Code: 00 fc ff df 31 db 49 8d 3c 1c 48 89 f8 48 c1 e8 03 42 0f b6 04 38 84 c0 75 29 41 0f b6 2c 1c 49 8d 3c 1e 48 89 f8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 75 20 41 3a 2c 1e 75 2a 48 ff c3 40 84 ed 75
RSP: 0018:ffffc90000007688 EFLAGS: 00010006
RAX: 0000000000000060 RBX: 0000000000000000 RCX: ffffffff941b0760
RDX: ffffffff941b0750 RSI: 0000000000000300 RDI: 0000000000000300
RBP: 0000000000000026 R08: 0000000000000001 R09: 0000000000000001
R10: dffffc0000000000 R11: ffffed100bd9a402 R12: ffffffff8ca1bb40
R13: ffffffff9368a020 R14: 0000000000000300 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff888124f96000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5c934d2000 CR3: 000000002e5cc000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 count_matching_names+0x58/0x90 kernel/locking/lockdep.c:880
 register_lock_class+0x1d7/0x330 kernel/locking/lockdep.c:1345
 __lock_acquire+0x80/0xd80 kernel/locking/lockdep.c:5110
 lock_acquire+0x116/0x2f0 kernel/locking/lockdep.c:5866
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xd8/0x130 kernel/locking/spinlock.c:162
 complete_with_flags kernel/sched/completion.c:20 [inline]
 complete+0x28/0x1c0 kernel/sched/completion.c:47
 transfer drivers/usb/gadget/udc/dummy_hcd.c:1523 [inline]
 dummy_timer+0x21f0/0x4670 drivers/usb/gadget/udc/dummy_hcd.c:1978
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x5a6/0xd40 kernel/time/hrtimer.c:1825
 hrtimer_run_softirq+0x19a/0x2c0 kernel/time/hrtimer.c:1842
 handle_softirqs+0x2d6/0x9b0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xfb/0x220 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:pv_native_safe_halt+0x13/0x20 arch/x86/kernel/paravirt.c:81
Code: cc cc cc cc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d d3 80 17 00 f3 0f 1e fa fb f4 <c3> cc cc cc cc 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffffff8ea07d60 EFLAGS: 000002c6
RAX: 68cfca0f8783b500 RBX: ffffffff8197aebe RCX: ffffffff8c30b95c
RDX: 0000000000000001 RSI: ffffffff8e69c6ac RDI: ffffffff8ca1b4a0
RBP: ffffffff8ea07eb8 R08: ffff8880b8632b5b R09: 1ffff110170c656b
R10: dffffc0000000000 R11: ffffed10170c656c R12: 1ffffffff1d40fc6
R13: 1ffffffff1d52cb0 R14: 0000000000000000 R15: dffffc0000000000
 arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 default_idle+0x13/0x20 arch/x86/kernel/process.c:748
 default_idle_call+0x74/0xb0 kernel/sched/idle.c:117
 cpuidle_idle_call kernel/sched/idle.c:185 [inline]
 do_idle+0x22e/0x5d0 kernel/sched/idle.c:325
 cpu_startup_entry+0x42/0x60 kernel/sched/idle.c:423
 rest_init+0x2dc/0x300 init/main.c:743
 start_kernel+0x484/0x510 init/main.c:1099
 x86_64_start_reservations+0x2a/0x30 arch/x86/kernel/head64.c:513
 x86_64_start_kernel+0x66/0x70 arch/x86/kernel/head64.c:494
 common_startup_64+0x13e/0x147
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:strcmp+0x42/0xa0 lib/string.c:277
Code: 00 fc ff df 31 db 49 8d 3c 1c 48 89 f8 48 c1 e8 03 42 0f b6 04 38 84 c0 75 29 41 0f b6 2c 1c 49 8d 3c 1e 48 89 f8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 75 20 41 3a 2c 1e 75 2a 48 ff c3 40 84 ed 75
RSP: 0018:ffffc90000007688 EFLAGS: 00010006
RAX: 0000000000000060 RBX: 0000000000000000 RCX: ffffffff941b0760
RDX: ffffffff941b0750 RSI: 0000000000000300 RDI: 0000000000000300
RBP: 0000000000000026 R08: 0000000000000001 R09: 0000000000000001
R10: dffffc0000000000 R11: ffffed100bd9a402 R12: ffffffff8ca1bb40
R13: ffffffff9368a020 R14: 0000000000000300 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff888124f96000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5c934d2000 CR3: 000000002e5cc000 CR4: 00000000003526f0
----------------
Code disassembly (best guess), 3 bytes skipped:
   0:	df 31                	fbstp  (%rcx)
   2:	db 49 8d             	fisttpl -0x73(%rcx)
   5:	3c 1c                	cmp    $0x1c,%al
   7:	48 89 f8             	mov    %rdi,%rax
   a:	48 c1 e8 03          	shr    $0x3,%rax
   e:	42 0f b6 04 38       	movzbl (%rax,%r15,1),%eax
  13:	84 c0                	test   %al,%al
  15:	75 29                	jne    0x40
  17:	41 0f b6 2c 1c       	movzbl (%r12,%rbx,1),%ebp
  1c:	49 8d 3c 1e          	lea    (%r14,%rbx,1),%rdi
  20:	48 89 f8             	mov    %rdi,%rax
  23:	48 c1 e8 03          	shr    $0x3,%rax
* 27:	42 0f b6 04 38       	movzbl (%rax,%r15,1),%eax <-- trapping instruction
  2c:	84 c0                	test   %al,%al
  2e:	75 20                	jne    0x50
  30:	41 3a 2c 1e          	cmp    (%r14,%rbx,1),%bpl
  34:	75 2a                	jne    0x60
  36:	48 ff c3             	inc    %rbx
  39:	40 84 ed             	test   %bpl,%bpl
  3c:	75                   	.byte 0x75

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/04/11 13:46 upstream 900241a5cc15 12ba9c21 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce general protection fault in count_matching_names
2025/02/25 01:59 upstream d082ecbc71e9 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce general protection fault in count_matching_names
2025/01/10 18:58 upstream 2144da25584e 67d7ec0a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce general protection fault in count_matching_names
2024/12/27 17:20 upstream d6ef8b40d075 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce general protection fault in count_matching_names
2025/01/31 20:34 upstream 69e858e0b8b2 aa47157c .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] ci-snapshot-upstream-root general protection fault in count_matching_names