[PATCH] cgroups: separate destroy_work into two separate wq


Tadeusz Struk

May 23, 2022, 1:31:55 PM5/23/22
to syzbot+badfd0...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

======================================================================
diff --git a/include/linux/cgroup-defs.h b/include/linux/cgroup-defs.h
index 1bfcfb1af352..d534b0d86298 100644
--- a/include/linux/cgroup-defs.h
+++ b/include/linux/cgroup-defs.h
@@ -179,7 +179,9 @@ struct cgroup_subsys_state {
atomic_t online_cnt;

/* percpu_ref killing and RCU release */
- struct work_struct destroy_work;
+ //struct work_struct destroy_work;
+ struct work_struct css_release_work;
+ struct work_struct css_killed_ref_work;
struct rcu_work destroy_rwork;

/*
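Review bot: The header hunk keeps `//struct work_struct destroy_work;` as commented-out code; kernel style keeps neither dead declarations nor `//` comments in headers, so the line should simply be deleted now that both users have moved to the new fields. The comment above the fields, `/* percpu_ref killing and RCU release */`, also still describes the single field it used to annotate and says nothing about the release work item that now sits between them; `/* percpu_ref killing, css release, and RCU release work items */` would cover all three. struct cgroup_subsys_state starts and ends outside the hunk.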
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index adb820e98f24..216cd58b1525 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -5099,7 +5099,7 @@ static struct cftype cgroup_base_files[] = {
* css_free_work_fn().
*
* It is actually hairier because both step 2 and 4 require process context
- * and thus involve punting to css->destroy_work adding two additional
+ * and thus involve punting to css->css_release_work adding two additional
* steps to the already complex sequence.
*/
static void css_free_rwork_fn(struct work_struct *work)
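Review bot: The reworded comment names only `css->css_release_work`, yet it describes two steps (2 and 4) that are punted to process context, and after this patch the two process-context punts in the file land on different fields: css_killed_work_fn is rebased onto `css_killed_ref_work` while css_release_work_fn is rebased onto `css_release_work`. Which numbered step maps to which work item is not visible in the hunk, but naming a single field is now incomplete; suggested wording: ` * and thus involve punting to css->css_killed_ref_work or css->css_release_work, adding two additional`. The second version of the patch below makes the same one-field rename with `release_work` and needs the same fix. The comment block begins outside the hunk and css_free_rwork_fn's body follows it.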
@@ -5154,7 +5154,7 @@ static void css_free_rwork_fn(struct work_struct *work)
static void css_release_work_fn(struct work_struct *work)
{
struct cgroup_subsys_state *css =
- container_of(work, struct cgroup_subsys_state, destroy_work);
+ container_of(work, struct cgroup_subsys_state, css_release_work);
struct cgroup_subsys *ss = css->ss;
struct cgroup *cgrp = css->cgroup;

@@ -5210,8 +5210,8 @@ static void css_release(struct percpu_ref *ref)
struct cgroup_subsys_state *css =
container_of(ref, struct cgroup_subsys_state, refcnt);

- INIT_WORK(&css->destroy_work, css_release_work_fn);
- queue_work(cgroup_destroy_wq, &css->destroy_work);
+ INIT_WORK(&css->css_release_work, css_release_work_fn);
+ queue_work(cgroup_destroy_wq, &css->css_release_work);
}

static void init_and_link_css(struct cgroup_subsys_state *css,
@@ -5546,7 +5546,7 @@ int cgroup_mkdir(struct kernfs_node *parent_kn, const char *name, umode_t mode)
static void css_killed_work_fn(struct work_struct *work)
{
struct cgroup_subsys_state *css =
- container_of(work, struct cgroup_subsys_state, destroy_work);
+ container_of(work, struct cgroup_subsys_state, css_killed_ref_work);

mutex_lock(&cgroup_mutex);

@@ -5567,8 +5567,8 @@ static void css_killed_ref_fn(struct percpu_ref *ref)
container_of(ref, struct cgroup_subsys_state, refcnt);

if (atomic_dec_and_test(&css->online_cnt)) {
- INIT_WORK(&css->destroy_work, css_killed_work_fn);
- queue_work(cgroup_destroy_wq, &css->destroy_work);
+ INIT_WORK(&css->css_killed_ref_work, css_killed_work_fn);
+ queue_work(cgroup_destroy_wq, &css->css_killed_ref_work);
}
}

--
2.36.1

Tadeusz Struk

May 23, 2022, 1:32:27 PM5/23/22
to syzbot+e42ae4...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org

Tadeusz Struk

May 23, 2022, 1:33:09 PM5/23/22
to syzbot+badfd0...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
#syz test: https://android.googlesource.com/kernel/common android12-5.10-lts

Tadeusz Struk

May 23, 2022, 1:33:28 PM5/23/22
to syzbot+e42ae4...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org

syzbot

May 23, 2022, 1:52:20 PM5/23/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+badfd0...@syzkaller.appspotmail.com

Tested on:

commit: 4b0986a3 Linux 5.18
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=c35aecab502a4103
dashboard link: https://syzkaller.appspot.com/bug?extid=badfd07a93cffefd7317
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=116592d5f00000

Note: testing is done by a robot and is best-effort only.

syzbot

May 23, 2022, 2:10:11 PM5/23/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: 4b0986a3 Linux 5.18
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=2442bae8437be918
dashboard link: https://syzkaller.appspot.com/bug?extid=e42ae441c3b10acf9e9d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=114a4dc5f00000

syzbot

May 23, 2022, 2:29:17 PM5/23/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in dst_dev_put

general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 12 Comm: ksoftirqd/0 Not tainted 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:dst_dev_put+0x26/0x1c0 net/core/dst.c:156
Code: 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 49 89 ff 49 bc 00 00 00 00 00 fc ff df e8 61 2d a6 fd 4d 89 fd 49 c1 ed 03 <43> 80 7c 25 00 00 74 08 4c 89 ff e8 7a 00 e0 fd 4d 8b 37 49 8d 7f
RSP: 0018:ffffc900000c7958 EFLAGS: 00010202
RAX: ffffffff83c684ff RBX: 000000000000000b RCX: ffff88810023cf00
RDX: 0000000080000100 RSI: 0000000000000000 RDI: 000000000000000b
RBP: ffffc900000c7980 R08: ffffffff840df72d R09: ffffc900000c76f4
R10: 000000000000000b R11: ffffffff84c00596 R12: dffffc0000000000
R13: 0000000000000001 R14: 0000607e08a4c078 R15: 000000000000000b
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8869632058 CR3: 0000000005e0f000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
rt_fibinfo_free_cpus+0xee/0x1c0 net/ipv4/fib_semantics.c:203
fib_nh_common_release+0x8d/0x240 net/ipv4/fib_semantics.c:216
fib_nh_release net/ipv4/fib_semantics.c:228 [inline]
free_fib_info_rcu+0x98/0x190 net/ipv4/fib_semantics.c:240
rcu_do_batch+0x59e/0xc40 kernel/rcu/tree.c:2485
rcu_core+0x59b/0xe30 kernel/rcu/tree.c:2726
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2739
__do_softirq+0x27e/0x596 kernel/softirq.c:305
run_ksoftirqd+0x23/0x30 kernel/softirq.c:667
smpboot_thread_fn+0x551/0x930 kernel/smpboot.c:164
kthread+0x349/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace 336c347c2c8fdb01 ]---
RIP: 0010:dst_dev_put+0x26/0x1c0 net/core/dst.c:156
Code: 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 49 89 ff 49 bc 00 00 00 00 00 fc ff df e8 61 2d a6 fd 4d 89 fd 49 c1 ed 03 <43> 80 7c 25 00 00 74 08 4c 89 ff e8 7a 00 e0 fd 4d 8b 37 49 8d 7f
RSP: 0018:ffffc900000c7958 EFLAGS: 00010202
RAX: ffffffff83c684ff RBX: 000000000000000b RCX: ffff88810023cf00
RDX: 0000000080000100 RSI: 0000000000000000 RDI: 000000000000000b
RBP: ffffc900000c7980 R08: ffffffff840df72d R09: ffffc900000c76f4
R10: 000000000000000b R11: ffffffff84c00596 R12: dffffc0000000000
R13: 0000000000000001 R14: 0000607e08a4c078 R15: 000000000000000b
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8869632058 CR3: 0000000005e0f000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 00 00 add %al,(%rax)
4: 55 push %rbp
5: 48 89 e5 mov %rsp,%rbp
8: 41 57 push %r15
a: 41 56 push %r14
c: 41 55 push %r13
e: 41 54 push %r12
10: 53 push %rbx
11: 49 89 ff mov %rdi,%r15
14: 49 bc 00 00 00 00 00 movabs $0xdffffc0000000000,%r12
1b: fc ff df
1e: e8 61 2d a6 fd callq 0xfda62d84
23: 4d 89 fd mov %r15,%r13
26: 49 c1 ed 03 shr $0x3,%r13
* 2a: 43 80 7c 25 00 00 cmpb $0x0,0x0(%r13,%r12,1) <-- trapping instruction
30: 74 08 je 0x3a
32: 4c 89 ff mov %r15,%rdi
35: e8 7a 00 e0 fd callq 0xfde000b4
3a: 4d 8b 37 mov (%r15),%r14
3d: 49 rex.WB
3e: 8d .byte 0x8d
3f: 7f .byte 0x7f


Tested on:

commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=1401ec6df00000
kernel config: https://syzkaller.appspot.com/x/.config?x=b9b19582654944dd
dashboard link: https://syzkaller.appspot.com/bug?extid=badfd07a93cffefd7317
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=125f6a3df00000

syzbot

May 23, 2022, 2:46:09 PM5/23/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
kernel config: https://syzkaller.appspot.com/x/.config?x=89bdb361ba397fca
dashboard link: https://syzkaller.appspot.com/bug?extid=e42ae441c3b10acf9e9d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17a04c51f00000

Tadeusz Struk

May 23, 2022, 4:48:43 PM5/23/22
to syzbot+badfd0...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
#syz test: https://android.googlesource.com/kernel/common android12-5.10-lts

======================================================================
diff --git a/include/linux/cgroup-defs.h b/include/linux/cgroup-defs.h
index 1bfcfb1af352..92b0c5e8c472 100644
--- a/include/linux/cgroup-defs.h
+++ b/include/linux/cgroup-defs.h
@@ -178,8 +178,9 @@ struct cgroup_subsys_state {
*/
atomic_t online_cnt;

- /* percpu_ref killing and RCU release */
- struct work_struct destroy_work;
+ /* percpu_ref killing, css release, and RCU release work structs */
+ struct work_struct release_work;
+ struct work_struct killed_ref_work;
struct rcu_work destroy_rwork;

/*
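Review bot: The updated comment lists what the three fields are for but not why killing and release now need distinct work items, which is the whole point of this change; a reader of the header alone cannot tell that the two must never alias. Presumably the killed-ref path and the release path can both be pending on cgroup_destroy_wq at the same time, so re-running INIT_WORK on a shared field would clobber a queued item (confirm against the percpu_ref callback ordering in cgroup.c). If so, a note such as `/* killed_ref_work and release_work can be queued concurrently; they must not share storage */` above the fields would record the invariant for the next person tempted to merge them. struct cgroup_subsys_state starts and ends outside the hunk.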
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index adb820e98f24..3e00a793e15d 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -5099,7 +5099,7 @@ static struct cftype cgroup_base_files[] = {
* css_free_work_fn().
*
* It is actually hairier because both step 2 and 4 require process context
- * and thus involve punting to css->destroy_work adding two additional
+ * and thus involve punting to css->release_work adding two additional
* steps to the already complex sequence.
*/
static void css_free_rwork_fn(struct work_struct *work)
@@ -5154,7 +5154,7 @@ static void css_free_rwork_fn(struct work_struct *work)
static void css_release_work_fn(struct work_struct *work)
{
struct cgroup_subsys_state *css =
- container_of(work, struct cgroup_subsys_state, destroy_work);
+ container_of(work, struct cgroup_subsys_state, release_work);
struct cgroup_subsys *ss = css->ss;
struct cgroup *cgrp = css->cgroup;

@@ -5210,8 +5210,8 @@ static void css_release(struct percpu_ref *ref)
struct cgroup_subsys_state *css =
container_of(ref, struct cgroup_subsys_state, refcnt);

- INIT_WORK(&css->destroy_work, css_release_work_fn);
- queue_work(cgroup_destroy_wq, &css->destroy_work);
+ INIT_WORK(&css->release_work, css_release_work_fn);
+ queue_work(cgroup_destroy_wq, &css->release_work);
}

static void init_and_link_css(struct cgroup_subsys_state *css,
@@ -5546,7 +5546,7 @@ int cgroup_mkdir(struct kernfs_node *parent_kn, const char *name, umode_t mode)
static void css_killed_work_fn(struct work_struct *work)
{
struct cgroup_subsys_state *css =
- container_of(work, struct cgroup_subsys_state, destroy_work);
+ container_of(work, struct cgroup_subsys_state, killed_ref_work);

mutex_lock(&cgroup_mutex);

@@ -5567,8 +5567,8 @@ static void css_killed_ref_fn(struct percpu_ref *ref)
container_of(ref, struct cgroup_subsys_state, refcnt);

if (atomic_dec_and_test(&css->online_cnt)) {
- INIT_WORK(&css->destroy_work, css_killed_work_fn);
- queue_work(cgroup_destroy_wq, &css->destroy_work);
+ INIT_WORK(&css->killed_ref_work, css_killed_work_fn);
+ queue_work(cgroup_destroy_wq, &css->killed_ref_work);
}
}

--
2.36.1

Tadeusz Struk

May 23, 2022, 4:49:36 PM5/23/22
to syzbot+e42ae4...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org

syzbot

May 23, 2022, 5:06:09 PM5/23/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in dst_dev_put

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 150 Comm: klogd Not tainted 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:dst_dev_put+0x26/0x1c0 net/core/dst.c:156
Code: 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 49 89 ff 49 bc 00 00 00 00 00 fc ff df e8 61 2d a6 fd 4d 89 fd 49 c1 ed 03 <43> 80 7c 25 00 00 74 08 4c 89 ff e8 7a 00 e0 fd 4d 8b 37 49 8d 7f
RSP: 0000:ffffc90000160b78 EFLAGS: 00010246

RAX: ffffffff83c684ff RBX: 0000000000000001 RCX: ffff88810c76e2c0
RDX: 0000000080000100 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffffc90000160ba0 R08: ffffffff840df72d R09: ffffc90000160924
R10: 000000000000000b R11: ffffffff84c00596 R12: dffffc0000000000
R13: 0000000000000000 R14: 0000607e08a3b258 R15: 0000000000000001
FS: 00007facbab80800(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbc4f72cff8 CR3: 000000010c7a4000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
rt_fibinfo_free_cpus+0xee/0x1c0 net/ipv4/fib_semantics.c:203
fib_nh_common_release+0x8d/0x240 net/ipv4/fib_semantics.c:216
fib_nh_release net/ipv4/fib_semantics.c:228 [inline]
free_fib_info_rcu+0x98/0x190 net/ipv4/fib_semantics.c:240
rcu_do_batch+0x59e/0xc40 kernel/rcu/tree.c:2485
rcu_core+0x59b/0xe30 kernel/rcu/tree.c:2726
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2739
__do_softirq+0x27e/0x596 kernel/softirq.c:305
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:402 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:432
irq_exit_rcu+0x9/0x10 kernel/softirq.c:444
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0033:0x7facbad7c3c0
Code: c0 fa ff 0f 1f 80 00 00 00 00 48 89 f8 48 01 d0 eb 1b 0f 1f 84 00 00 00 00 00 48 39 d1 0f 82 37 c0 fa ff 0f 1f 80 00 00 00 00 <48> 89 f8 48 83 fa 20 72 5c 48 83 fa 40 0f 87 b2 00 00 00 c5 fe 6f
RSP: 002b:00007ffcda261218 EFLAGS: 00000246
RAX: 0000000000001ff2 RBX: 0000000000000003 RCX: 0000000000000002
RDX: 0000000000000002 RSI: 00007ffcda261294 RDI: 0000555d94443c5e
RBP: 0000555d94443c5e R08: 00007ffcda261294 R09: 0000000000000002
R10: 0000000000000000 R11: 0000555d94443c5b R12: 0000000000000002
R13: 0000000000000000 R14: 00007facbada2744 R15: 0000000000000000
Modules linked in:

---[ end trace 9badfce2fc7bf8ca ]---
RIP: 0010:dst_dev_put+0x26/0x1c0 net/core/dst.c:156
Code: 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 49 89 ff 49 bc 00 00 00 00 00 fc ff df e8 61 2d a6 fd 4d 89 fd 49 c1 ed 03 <43> 80 7c 25 00 00 74 08 4c 89 ff e8 7a 00 e0 fd 4d 8b 37 49 8d 7f
RSP: 0000:ffffc90000160b78 EFLAGS: 00010246

RAX: ffffffff83c684ff RBX: 0000000000000001 RCX: ffff88810c76e2c0
RDX: 0000000080000100 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffffc90000160ba0 R08: ffffffff840df72d R09: ffffc90000160924
R10: 000000000000000b R11: ffffffff84c00596 R12: dffffc0000000000
R13: 0000000000000000 R14: 0000607e08a3b258 R15: 0000000000000001
FS: 00007facbab80800(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbc4f72cff8 CR3: 000000010c7a4000 CR4: 00000000003506a0
Tested on:

commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=12722181f00000
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14108b6ef00000

syzbot

May 23, 2022, 5:23:15 PM5/23/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: 0974b841 Merge 5.10.117 into android12-5.10-lts
git tree: android12-5.10-lts
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17138023f00000

syzbot

May 26, 2022, 6:09:20 AM5/26/22
to mko...@suse.com, syzkaller-a...@googlegroups.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Write in put_task_stack

</TASK>
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: use-after-free in put_task_stack+0x2a/0x220 kernel/fork.c:533
Write of size 4 at addr ffff88810cea1bc0 by task kworker/0:2/53

CPU: 0 PID: 53 Comm: kworker/0:2 Tainted: G W 5.18.0-syzkaller-01161-gcb93b3201ead #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: rcu_gp wait_rcu_exp_gp

Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:313 [inline]
print_report+0x15f/0x620 mm/kasan/report.c:429
kasan_report+0xe6/0x110 mm/kasan/report.c:491
kasan_check_range+0x2aa/0x2e0 mm/kasan/generic.c:189
__kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
__refcount_sub_and_test include/linux/refcount.h:272 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
put_task_stack+0x2a/0x220 kernel/fork.c:533
sched_show_task+0x380/0x520 kernel/sched/core.c:8732
dump_cpu_task+0x73/0x90 kernel/sched/core.c:11046
synchronize_rcu_expedited_wait+0xc17/0x1310 kernel/rcu/tree_exp.h:668
rcu_exp_wait_wake kernel/rcu/tree_exp.h:685 [inline]
rcu_exp_sel_wait_wake+0x4c9/0x8a0 kernel/rcu/tree_exp.h:719
wait_rcu_exp_gp+0x33/0x40 kernel/rcu/tree_exp.h:510
process_one_work+0x6cb/0xbf0 kernel/workqueue.c:2289
worker_thread+0xb3c/0x1390 kernel/workqueue.c:2436
kthread+0x26b/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30
</TASK>

Allocated by task 453:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:436 [inline]
__kasan_slab_alloc+0xb2/0xe0 mm/kasan/common.c:469
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:749 [inline]
slab_alloc_node mm/slub.c:3217 [inline]
slab_alloc mm/slub.c:3225 [inline]
__kmem_cache_alloc_lru mm/slub.c:3232 [inline]
kmem_cache_alloc+0x192/0x300 mm/slub.c:3242
kmem_cache_alloc_node include/linux/slab.h:453 [inline]
alloc_task_struct_node kernel/fork.c:172 [inline]
dup_task_struct+0x54/0x4a0 kernel/fork.c:971
copy_process+0x582/0x34c0 kernel/fork.c:2073
kernel_clone+0x224/0x8d0 kernel/fork.c:2644
__do_sys_clone kernel/fork.c:2761 [inline]
__se_sys_clone kernel/fork.c:2745 [inline]
__x64_sys_clone+0x289/0x310 kernel/fork.c:2745
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 20:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4c/0x70 mm/kasan/common.c:45
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
____kasan_slab_free+0x133/0x170 mm/kasan/common.c:366
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:200 [inline]
slab_free_hook mm/slub.c:1728 [inline]
slab_free_freelist_hook+0xc9/0x1a0 mm/slub.c:1754
slab_free mm/slub.c:3510 [inline]
kmem_cache_free+0x110/0x2d0 mm/slub.c:3527
free_task_struct kernel/fork.c:177 [inline]
free_task kernel/fork.c:561 [inline]
__put_task_struct+0x32b/0x4d0 kernel/fork.c:850
put_task_struct include/linux/sched/task.h:115 [inline]
delayed_put_task_struct+0x5c/0x180 kernel/exit.c:177
rcu_do_batch+0x507/0xbc0 kernel/rcu/tree.c:2578
rcu_core+0x4dc/0xef0 kernel/rcu/tree.c:2838
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2855
__do_softirq+0x24e/0x586 kernel/softirq.c:558

Last potentially related work creation:
kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
__kasan_record_aux_stack+0xb3/0xc0 mm/kasan/generic.c:348
kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358
call_rcu+0xf9/0x1390 kernel/rcu/tree.c:3126
put_task_struct_rcu_user+0x58/0xa0 kernel/exit.c:183
finish_task_switch+0x34a/0x700 kernel/sched/core.c:4987
context_switch kernel/sched/core.c:5076 [inline]
__schedule+0xb2a/0x1020 kernel/sched/core.c:6388
preempt_schedule_common+0xa7/0x100 kernel/sched/core.c:6553
preempt_schedule+0xd9/0xe0 kernel/sched/core.c:6577
preempt_schedule_thunk+0x16/0x18
on_each_cpu_cond_mask+0x78/0x80 kernel/smp.c:1139
on_each_cpu include/linux/smp.h:71 [inline]
text_poke_sync arch/x86/kernel/alternative.c:1184 [inline]
text_poke_bp_batch+0x504/0x740 arch/x86/kernel/alternative.c:1425
text_poke_flush arch/x86/kernel/alternative.c:1542 [inline]
text_poke_finish+0x1a/0x30 arch/x86/kernel/alternative.c:1549
arch_jump_label_transform_apply+0x15/0x30 arch/x86/kernel/jump_label.c:146
__jump_label_update+0x37e/0x3a0 kernel/jump_label.c:459
jump_label_update+0x3bc/0x450 kernel/jump_label.c:830
static_key_enable_cpuslocked+0x12a/0x250 kernel/jump_label.c:177
static_key_enable+0x1a/0x30 kernel/jump_label.c:190
toggle_allocation_gate+0xbf/0x450 mm/kfence/core.c:774
process_one_work+0x6cb/0xbf0 kernel/workqueue.c:2289
worker_thread+0xb3c/0x1390 kernel/workqueue.c:2436
kthread+0x26b/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30

Second to last potentially related work creation:
kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
__kasan_record_aux_stack+0xb3/0xc0 mm/kasan/generic.c:348
kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358
call_rcu+0xf9/0x1390 kernel/rcu/tree.c:3126
put_task_struct_rcu_user+0x58/0xa0 kernel/exit.c:183
finish_task_switch+0x34a/0x700 kernel/sched/core.c:4987
context_switch kernel/sched/core.c:5076 [inline]
__schedule+0xb2a/0x1020 kernel/sched/core.c:6388
schedule_idle+0x50/0x90 kernel/sched/core.c:6488
do_idle+0x583/0x5e0 kernel/sched/idle.c:331
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:400
start_secondary+0xe3/0xf0 arch/x86/kernel/smpboot.c:266
secondary_startup_64_no_verify+0xce/0xdb

The buggy address belongs to the object at ffff88810cea10c0
which belongs to the cache task_struct of size 4032
The buggy address is located 2816 bytes inside of
4032-byte region [ffff88810cea10c0, ffff88810cea2080)

The buggy address belongs to the physical page:
page:ffffea000433a800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10cea0
head:ffffea000433a800 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x8000000000010200(slab|head|zone=2)
raw: 8000000000010200 ffffea00042a5000 dead000000000002 ffff888100132280
raw: 0000000000000000 0000000080070007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2, tgid 2 (kthreadd), ts 2422520428, free_ts 0
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x15b/0x160 mm/page_alloc.c:2434
prep_new_page mm/page_alloc.c:2441 [inline]
get_page_from_freelist+0x3f6/0x8b0 mm/page_alloc.c:4182
__alloc_pages+0x3bd/0x850 mm/page_alloc.c:5408
allocate_slab+0x69/0x4d0 mm/slub.c:1944
new_slab mm/slub.c:2004 [inline]
___slab_alloc+0x2c2/0x6a0 mm/slub.c:3005
__slab_alloc+0x4a/0x90 mm/slub.c:3092
slab_alloc_node mm/slub.c:3183 [inline]
slab_alloc mm/slub.c:3225 [inline]
__kmem_cache_alloc_lru mm/slub.c:3232 [inline]
kmem_cache_alloc+0x20e/0x300 mm/slub.c:3242
kmem_cache_alloc_node include/linux/slab.h:453 [inline]
alloc_task_struct_node kernel/fork.c:172 [inline]
dup_task_struct+0x54/0x4a0 kernel/fork.c:971
copy_process+0x582/0x34c0 kernel/fork.c:2073
kernel_clone+0x224/0x8d0 kernel/fork.c:2644
kernel_thread+0x167/0x1e0 kernel/fork.c:2696
create_kthread kernel/kthread.c:399 [inline]
kthreadd+0x38d/0x4e0 kernel/kthread.c:745
ret_from_fork+0x1f/0x30
page_owner free stack trace missing

Memory state around the buggy address:
ffff88810cea1a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88810cea1b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88810cea1b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88810cea1c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88810cea1c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: cb93b320 DEBUG percpu-recount: Crude printk dumps
git tree: https://github.com/Werkov/linux.git cgroup-ml/css-lifecycle-syzbot
console output: https://syzkaller.appspot.com/x/log.txt?x=102151d3f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=b58c85ce5be4e90e
dashboard link: https://syzkaller.appspot.com/bug?extid=e42ae441c3b10acf9e9d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

syzbot

May 26, 2022, 12:04:13 PM5/26/22
to mko...@suse.com, syzkaller-a...@googlegroups.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Write in put_task_stack

</TASK>
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: use-after-free in put_task_stack+0x2a/0x220 kernel/fork.c:533
Write of size 4 at addr ffff88810e514e00 by task kworker/1:3/384

CPU: 1 PID: 384 Comm: kworker/1:3 Tainted: G W 5.18.0-syzkaller-01161-g8ce1e200dee1 #0
Allocated by task 438:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:436 [inline]
__kasan_slab_alloc+0xb2/0xe0 mm/kasan/common.c:469
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:749 [inline]
slab_alloc_node mm/slub.c:3217 [inline]
slab_alloc mm/slub.c:3225 [inline]
__kmem_cache_alloc_lru mm/slub.c:3232 [inline]
kmem_cache_alloc+0x192/0x300 mm/slub.c:3242
kmem_cache_alloc_node include/linux/slab.h:453 [inline]
alloc_task_struct_node kernel/fork.c:172 [inline]
dup_task_struct+0x54/0x4a0 kernel/fork.c:971
copy_process+0x582/0x34c0 kernel/fork.c:2073
kernel_clone+0x224/0x8d0 kernel/fork.c:2644
__do_sys_clone kernel/fork.c:2761 [inline]
__se_sys_clone kernel/fork.c:2745 [inline]
__x64_sys_clone+0x289/0x310 kernel/fork.c:2745
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 14:
schedule+0xdb/0x190 kernel/sched/core.c:6460
freezable_schedule include/linux/freezer.h:172 [inline]
do_nanosleep+0x18c/0x6d0 kernel/time/hrtimer.c:2044
hrtimer_nanosleep+0x1d0/0x410 kernel/time/hrtimer.c:2097
common_nsleep+0x91/0xb0 kernel/time/posix-timers.c:1227
__do_sys_clock_nanosleep kernel/time/posix-timers.c:1267 [inline]
__se_sys_clock_nanosleep kernel/time/posix-timers.c:1245 [inline]
__x64_sys_clock_nanosleep+0x360/0x3f0 kernel/time/posix-timers.c:1245
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0

Second to last potentially related work creation:
kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
__kasan_record_aux_stack+0xb3/0xc0 mm/kasan/generic.c:348
kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358
call_rcu+0xf9/0x1390 kernel/rcu/tree.c:3126
release_task+0x125f/0x1330
wait_task_zombie kernel/exit.c:1111 [inline]
wait_consider_task+0x17cf/0x2940 kernel/exit.c:1338
do_wait_thread kernel/exit.c:1401 [inline]
do_wait+0x281/0xab0 kernel/exit.c:1518
kernel_wait4+0x29c/0x3c0 kernel/exit.c:1681
__do_sys_wait4 kernel/exit.c:1709 [inline]
__se_sys_wait4 kernel/exit.c:1705 [inline]
__x64_sys_wait4+0x130/0x1e0 kernel/exit.c:1705
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0

The buggy address belongs to the object at ffff88810e514300
which belongs to the cache task_struct of size 4032
The buggy address is located 2816 bytes inside of
4032-byte region [ffff88810e514300, ffff88810e5152c0)

The buggy address belongs to the physical page:
page:ffffea0004394400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10e510
head:ffffea0004394400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x8000000000010200(slab|head|zone=2)
raw: 8000000000010200 0000000000000000 dead000000000001 ffff88810029e280
raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 152, tgid 152 (S02klogd), ts 3700770578, free_ts 0
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x15b/0x160 mm/page_alloc.c:2434
prep_new_page mm/page_alloc.c:2441 [inline]
get_page_from_freelist+0x3f6/0x8b0 mm/page_alloc.c:4182
__alloc_pages+0x3bd/0x850 mm/page_alloc.c:5408
allocate_slab+0x69/0x4d0 mm/slub.c:1944
new_slab mm/slub.c:2004 [inline]
___slab_alloc+0x2c2/0x6a0 mm/slub.c:3005
__slab_alloc+0x4a/0x90 mm/slub.c:3092
slab_alloc_node mm/slub.c:3183 [inline]
slab_alloc mm/slub.c:3225 [inline]
__kmem_cache_alloc_lru mm/slub.c:3232 [inline]
kmem_cache_alloc+0x20e/0x300 mm/slub.c:3242
kmem_cache_alloc_node include/linux/slab.h:453 [inline]
alloc_task_struct_node kernel/fork.c:172 [inline]
dup_task_struct+0x54/0x4a0 kernel/fork.c:971
copy_process+0x582/0x34c0 kernel/fork.c:2073
kernel_clone+0x224/0x8d0 kernel/fork.c:2644
__do_sys_clone kernel/fork.c:2761 [inline]
__se_sys_clone kernel/fork.c:2745 [inline]
__x64_sys_clone+0x289/0x310 kernel/fork.c:2745
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
page_owner free stack trace missing

Memory state around the buggy address:
ffff88810e514d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88810e514d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88810e514e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88810e514e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88810e514f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 8ce1e200 DEBUG percpu-recount: Crude printk dumps
git tree: https://github.com/Werkov/linux.git cgroup-ml/css-lifecycle-syzbot
console output: https://syzkaller.appspot.com/x/log.txt?x=1439a1d3f00000

syzbot

May 26, 2022, 12:26:08 PM5/26/22
to mko...@suse.com, syzkaller-a...@googlegroups.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

list_add corruption. prev->next should be next (ffff8881f733db68), but was ffff888125c7f470. (prev=ffff888125c7f470).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G W 5.18.0-rc7-syzkaller-00016-gebd22823b974 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 20 1c 68 85 4c 89 e6 4c 89 f1 31 c0 e8 d0 be 55 02 0f 0b 48 c7 c7 e0 1c 68 85 4c 89 f6 4c 89 e1 31 c0 e8 ba be 55 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000180978 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f733db70 RCX: 36bb0ee2f94f7600
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc900001809a0 R08: ffffffff81579598 R09: 0000000000000003
R10: fffff52000030095 R11: 1ffff92000030094 R12: ffff888125c7f470
R13: dffffc0000000000 R14: ffff8881f733db68 R15: ffff888125c7f470
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbf6936e218 CR3: 000000011fd9c000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:69 [inline]
list_add_tail include/linux/list.h:102 [inline]
insert_work+0x104/0x320 kernel/workqueue.c:1362
__queue_work+0x960/0xd20 kernel/workqueue.c:1517
queue_work_on+0xf2/0x170 kernel/workqueue.c:1545
queue_work include/linux/workqueue.h:502 [inline]
css_release+0xae/0xc0 kernel/cgroup/cgroup.c:5214
percpu_ref_put_many include/linux/percpu-refcount.h:335 [inline]
percpu_ref_put include/linux/percpu-refcount.h:351 [inline]
percpu_ref_call_confirm_rcu+0x3d0/0x3e0 lib/percpu-refcount.c:166
percpu_ref_switch_to_atomic_rcu+0x2bf/0x3a0 lib/percpu-refcount.c:209
rcu_do_batch+0x507/0xbc0 kernel/rcu/tree.c:2535
rcu_core+0x4dc/0xef0 kernel/rcu/tree.c:2786
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2803
__do_softirq+0x24e/0x586 kernel/softirq.c:558
invoke_softirq+0x70/0xd0 kernel/softirq.c:432
__irq_exit_rcu+0x4f/0xb0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x10 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x9a/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:40 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:75 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline]
RIP: 0010:acpi_idle_do_entry+0xb8/0x1f0 drivers/acpi/processor_idle.c:551
Code: 8b 1b 48 89 de 48 83 e6 08 31 ff e8 42 99 bd fc 48 83 e3 08 0f 85 ab 00 00 00 eb 0c e8 11 94 bd fc 0f 00 2d 1a c6 bc 00 fb f4 <fa> e9 a1 00 00 00 49 83 c6 04 4c 89 f0 48 c1 e8 03 42 8a 04 38 84
RSP: 0018:ffffc90000117c68 EFLAGS: 00000246

RAX: 1ffff11020078860 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff8881003c4300 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000117c80 R08: ffffffff84b2e48e R09: ffffed1020078861
R10: ffffed1020078861 R11: 1ffff11020078860 R12: 0000000000000001
R13: ffff88810a37c804 R14: ffff88810953a864 R15: dffffc0000000000
acpi_idle_enter+0x32d/0x4f0 drivers/acpi/processor_idle.c:686
cpuidle_enter_state+0x541/0x10e0 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:351
call_cpuidle kernel/sched/idle.c:155 [inline]
cpuidle_idle_call kernel/sched/idle.c:236 [inline]
do_idle+0x379/0x5e0 kernel/sched/idle.c:303
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:400
start_secondary+0xe3/0xf0 arch/x86/kernel/smpboot.c:266
secondary_startup_64_no_verify+0xc4/0xcb
</TASK>
Modules linked in:
Dumping ftrace buffer:
---------------------------------
<idle>-0 0.Ns1. 19588741us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 0
<idle>-0 0.Ns1. 19588748us : percpu_ref_call_confirm_rcu: pre-conf 1
<idle>-0 0.Ns1. 19588750us : percpu_ref_call_confirm_rcu: post-conf 1
<idle>-0 0.Ns1. 19588759us : percpu_ref_call_confirm_rcu: pre-put 1
<idle>-0 0.Ns1. 19588776us : percpu_ref_call_confirm_rcu: post-put 0
<idle>-0 0.Ns1. 19588778us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775808 percpu 2
<idle>-0 0.Ns1. 19588779us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 19588781us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 19588783us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 19588784us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 19608729us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 0
<idle>-0 0.Ns1. 19608734us : percpu_ref_call_confirm_rcu: pre-conf 1
<idle>-0 0.Ns1. 19608737us : percpu_ref_call_confirm_rcu: post-conf 1
<idle>-0 0.Ns1. 19608747us : percpu_ref_call_confirm_rcu: pre-put 1
<idle>-0 0.Ns1. 19608766us : percpu_ref_call_confirm_rcu: post-put 0
<idle>-0 0.Ns1. 19608770us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775808 percpu 2
<idle>-0 0.Ns1. 19608772us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 19608775us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 19608778us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 19608780us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0..s1. 19628721us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 0
<idle>-0 0..s1. 19628726us : percpu_ref_call_confirm_rcu: pre-conf 1
<idle>-0 0..s1. 19628729us : percpu_ref_call_confirm_rcu: post-conf 1
<idle>-0 0..s1. 19628739us : percpu_ref_call_confirm_rcu: pre-put 1
<idle>-0 0.Ns1. 19628754us : percpu_ref_call_confirm_rcu: post-put 0
<idle>-0 0.Ns1. 19628757us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775808 percpu 2
<idle>-0 0.Ns1. 19628758us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 19628759us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 19628761us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 19628762us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0..s1. 19708760us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 0
<idle>-0 0..s1. 19708765us : percpu_ref_call_confirm_rcu: pre-conf 1
<idle>-0 0..s1. 19708766us : percpu_ref_call_confirm_rcu: post-conf 1
<idle>-0 0..s1. 19708778us : percpu_ref_call_confirm_rcu: pre-put 1
<idle>-0 0.Ns1. 19708792us : percpu_ref_call_confirm_rcu: post-put 0
<idle>-0 0.Ns1. 19708795us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775808 percpu 2
<idle>-0 0.Ns1. 19708796us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 19708797us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 19708799us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 19708800us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 19708829us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 0
<idle>-0 0.Ns1. 19708831us : percpu_ref_call_confirm_rcu: pre-conf 1
<idle>-0 0.Ns1. 19708832us : percpu_ref_call_confirm_rcu: post-conf 1
<idle>-0 0.Ns1. 19708834us : percpu_ref_call_confirm_rcu: pre-put 1
<idle>-0 0.Ns1. 19708838us : percpu_ref_call_confirm_rcu: post-put 0
ksoftirq-14 0..s.. 19708908us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775807 percpu 2
ksoftirq-14 0..s.. 19708909us : percpu_ref_call_confirm_rcu: pre-conf 1
ksoftirq-14 0..s.. 19708911us : percpu_ref_call_confirm_rcu: post-conf 1
ksoftirq-14 0..s.. 19708913us : percpu_ref_call_confirm_rcu: pre-put 1
ksoftirq-14 0..s.. 19708920us : percpu_ref_call_confirm_rcu: post-put 0
ksoftirq-14 0..s.. 39248806us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 39248812us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 39248824us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 39248834us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 39248836us : percpu_ref_call_confirm_rcu: post-put 1
ksoftirq-14 0..s.. 39248841us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 39248843us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 39248848us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 39248852us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 39248854us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-377 0..... 39248870us : css_killed_work_fn: ffff888121f6fc00 pre-put 1
kworker/-377 0..... 39248877us : css_killed_work_fn: ffff888121f6fc00 post-put 0
kworker/-377 0..... 39248881us : css_killed_work_fn: ffff8881108ee000 pre-put 1
kworker/-377 0..... 39248886us : css_killed_work_fn: ffff8881108ee000 post-put 0
udevd-439 0..s.. 39738741us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
udevd-439 0..s.. 39738746us : percpu_ref_call_confirm_rcu: pre-conf 2
udevd-439 0..s.. 39738756us : percpu_ref_call_confirm_rcu: post-conf 2
udevd-439 0..s.. 39738763us : percpu_ref_call_confirm_rcu: pre-put 2
udevd-439 0..s.. 39738765us : percpu_ref_call_confirm_rcu: post-put 1
udevd-439 0..s.. 39738769us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
udevd-439 0..s.. 39738772us : percpu_ref_call_confirm_rcu: pre-conf 2
udevd-439 0..s.. 39738779us : percpu_ref_call_confirm_rcu: post-conf 2
udevd-439 0..s.. 39738784us : percpu_ref_call_confirm_rcu: pre-put 2
udevd-439 0..s.. 39738786us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-377 0..... 39745312us : css_killed_work_fn: ffff8881249d5000 pre-put 1
kworker/-377 0..... 39745320us : css_killed_work_fn: ffff8881249d5000 post-put 0
kworker/-377 0..... 39745332us : css_killed_work_fn: ffff8881249d7c00 pre-put 1
kworker/-377 0..... 39745338us : css_killed_work_fn: ffff8881249d7c00 post-put 0
ksoftirq-20 1..s.. 40221282us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-20 1..s.. 40221288us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-20 1..s.. 40221295us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-20 1..s.. 40221300us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-20 1..s.. 40221302us : percpu_ref_call_confirm_rcu: post-put 1
ksoftirq-20 1..s.. 40221310us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-20 1..s.. 40221312us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-20 1..s.. 40221317us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-20 1..s.. 40221321us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-20 1..s.. 40221323us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-21 1..... 40303847us : css_killed_work_fn: ffff8881249ea400 pre-put 1
kworker/-21 1..... 40303857us : css_killed_work_fn: ffff8881249ea400 post-put 0
kworker/-384 1..... 40304219us : css_killed_work_fn: ffff8881249eb800 pre-put 1
kworker/-384 1..... 40304226us : css_killed_work_fn: ffff8881249eb800 post-put 0
kworker/-35 1.Ns1. 40785394us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
kworker/-35 1.Ns1. 40785398us : percpu_ref_call_confirm_rcu: pre-conf 2
kworker/-35 1.Ns1. 40785404us : percpu_ref_call_confirm_rcu: post-conf 2
kworker/-35 1.Ns1. 40785406us : percpu_ref_call_confirm_rcu: pre-put 2
kworker/-35 1.Ns1. 40785408us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-35 1.Ns1. 40785413us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
kworker/-35 1.Ns1. 40785415us : percpu_ref_call_confirm_rcu: pre-conf 2
kworker/-35 1.Ns1. 40785418us : percpu_ref_call_confirm_rcu: post-conf 2
kworker/-35 1.Ns1. 40785420us : percpu_ref_call_confirm_rcu: pre-put 2
kworker/-35 1.Ns1. 40785421us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-35 1.Ns1. 40785423us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
kworker/-35 1.Ns1. 40785425us : percpu_ref_call_confirm_rcu: pre-conf 2
kworker/-35 1.Ns1. 40785428us : percpu_ref_call_confirm_rcu: post-conf 2
kworker/-35 1.Ns1. 40785430us : percpu_ref_call_confirm_rcu: pre-put 2
kworker/-35 1.Ns1. 40785431us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-35 1..... 40862675us : css_killed_work_fn: ffff888124bd4000 pre-put 1
kworker/-35 1..... 40862683us : css_killed_work_fn: ffff888124bd4000 post-put 0
kworker/-35 1..... 40863733us : css_killed_work_fn: ffff888124bd5800 pre-put 1
kworker/-35 1..... 40863741us : css_killed_work_fn: ffff888124bd5800 post-put 0
kworker/-35 1..... 40863983us : css_killed_work_fn: ffff888124bd4400 pre-put 1
kworker/-35 1..... 40863989us : css_killed_work_fn: ffff888124bd4400 post-put 0
syz-exec-461 1..s.. 41238859us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
syz-exec-461 1..s.. 41238866us : percpu_ref_call_confirm_rcu: pre-conf 2
syz-exec-461 1..s.. 41238874us : percpu_ref_call_confirm_rcu: post-conf 2
syz-exec-461 1..s.. 41238879us : percpu_ref_call_confirm_rcu: pre-put 2
syz-exec-461 1..s.. 41238881us : percpu_ref_call_confirm_rcu: post-put 1
syz-exec-461 1..s.. 41238892us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
syz-exec-461 1..s.. 41238894us : percpu_ref_call_confirm_rcu: pre-conf 2
syz-exec-461 1..s.. 41238901us : percpu_ref_call_confirm_rcu: post-conf 2
syz-exec-461 1..s.. 41238905us : percpu_ref_call_confirm_rcu: pre-put 2
syz-exec-461 1..s.. 41238907us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-35 1..... 41239662us : css_killed_work_fn: ffff8881250c7c00 pre-put 1
kworker/-35 1..... 41239671us : css_killed_work_fn: ffff8881250c7c00 post-put 0
kworker/-35 1..... 41239885us : css_killed_work_fn: ffff8881250c6800 pre-put 1
kworker/-35 1..... 41239894us : css_killed_work_fn: ffff8881250c6800 post-put 0
<idle>-0 1.Ns1. 41728751us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 41728755us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 41728761us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 41728768us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 41728769us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 41728771us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 41728773us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 41728776us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 41728778us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 41728780us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 41728783us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 41728785us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 41728789us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 41728791us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 41728792us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-21 1..... 41728994us : css_killed_work_fn: ffff8881251c0000 pre-put 1
kworker/-21 1..... 41729001us : css_killed_work_fn: ffff8881251c0000 post-put 0
kworker/-21 1..... 41729051us : css_killed_work_fn: ffff888110f61800 pre-put 1
kworker/-21 1..... 41729057us : css_killed_work_fn: ffff888110f61800 post-put 0
kworker/-21 1..... 41729111us : css_killed_work_fn: ffff888110f73c00 pre-put 1
kworker/-21 1..... 41729117us : css_killed_work_fn: ffff888110f73c00 post-put 0
<idle>-0 0.Ns1. 42228736us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 42228742us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 42228763us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 42228774us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 42228776us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 42228780us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 42228782us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 42228789us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 42228793us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 42228795us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 42228799us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 42228801us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 42228824us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 42228827us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 42228829us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-383 0..... 42228910us : css_killed_work_fn: ffff888112e6e800 pre-put 1
kworker/-383 0..... 42228916us : css_killed_work_fn: ffff888112e6e800 post-put 0
kworker/-383 0..... 42228920us : css_killed_work_fn: ffff888112e6fc00 pre-put 1
kworker/-383 0..... 42228924us : css_killed_work_fn: ffff888112e6fc00 post-put 0
kworker/-383 0..... 42228927us : css_killed_work_fn: ffff888112ea7400 pre-put 1
kworker/-383 0..... 42228931us : css_killed_work_fn: ffff888112ea7400 post-put 0
ksoftirq-14 0..s.. 42718975us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 42718981us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 42718988us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 42719021us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 42719023us : percpu_ref_call_confirm_rcu: post-put 1
ksoftirq-14 0..s.. 42719029us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 42719032us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 42719039us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 42719043us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 42719045us : percpu_ref_call_confirm_rcu: post-put 1
ksoftirq-14 0..s.. 42719048us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 42719050us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 42719055us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 42719058us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 42719060us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-383 0..... 42719287us : css_killed_work_fn: ffff888112f20800 pre-put 1
kworker/-383 0..... 42719295us : css_killed_work_fn: ffff888112f20800 post-put 0
kworker/-383 0..... 42719304us : css_killed_work_fn: ffff888112f22800 pre-put 1
kworker/-383 0..... 42719309us : css_killed_work_fn: ffff888112f22800 post-put 0
kworker/-383 0..... 42719320us : css_killed_work_fn: ffff888112f23c00 pre-put 1
kworker/-383 0..... 42719327us : css_killed_work_fn: ffff888112f23c00 post-put 0
<idle>-0 0.Ns1. 43158801us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 43158805us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 43158810us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 43158817us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 43158818us : percpu_ref_call_confirm_rcu: post-put 1
ksoftirq-14 0..s.. 43158843us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 43158845us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 43158848us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 43158851us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 43158852us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-456 0..... 43159055us : css_killed_work_fn: ffff88812543c400 pre-put 1
kworker/-456 0..... 43159059us : css_killed_work_fn: ffff88812543c400 post-put 0
kworker/-456 0..... 43159062us : css_killed_work_fn: ffff88812543e000 pre-put 1
kworker/-456 0..... 43159065us : css_killed_work_fn: ffff88812543e000 post-put 0
<idle>-0 0.Ns1. 43658778us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 43658784us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 43658798us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 43658807us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 43658809us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 43658817us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 43658820us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 43658826us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 43658829us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 43658831us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 43658833us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 43658835us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 43658842us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 43658845us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 43658847us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-456 0..... 43659039us : css_killed_work_fn: ffff88812548f400 pre-put 1
kworker/-456 0..... 43659052us : css_killed_work_fn: ffff88812548f400 post-put 0
kworker/-456 0..... 43659134us : css_killed_work_fn: ffff88812548d000 pre-put 1
kworker/-456 0..... 43659139us : css_killed_work_fn: ffff88812548d000 post-put 0
kworker/-456 0..... 43659180us : css_killed_work_fn: ffff88812548fc00 pre-put 1
kworker/-456 0..... 43659185us : css_killed_work_fn: ffff88812548fc00 post-put 0
<idle>-0 0.Ns1. 44138750us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 44138754us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 44138765us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 44138773us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 44138775us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 44138781us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 44138782us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 44138787us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 44138789us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 44138790us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 44138792us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 4294967296
<idle>-0 0.Ns1. 44138793us : percpu_ref_call_confirm_rcu: pre-conf 4294967297
<idle>-0 0.Ns1. 44138797us : percpu_ref_call_confirm_rcu: post-conf 4294967297
<idle>-0 0.Ns1. 44138799us : percpu_ref_call_confirm_rcu: pre-put 4294967297
<idle>-0 0.Ns1. 44138800us : percpu_ref_call_confirm_rcu: post-put 4294967296
kworker/-456 0..... 44138865us : css_killed_work_fn: ffff88812548ec00 pre-put 1
kworker/-456 0..... 44138872us : css_killed_work_fn: ffff88812548ec00 post-put 0
kworker/-456 0..... 44138890us : css_killed_work_fn: ffff88812548dc00 pre-put 1
kworker/-456 0..... 44138895us : css_killed_work_fn: ffff88812548dc00 post-put 0
kworker/-456 0..... 44138923us : css_killed_work_fn: ffff88812548f000 pre-put 4294967296
kworker/-456 0..... 44138926us : css_killed_work_fn: ffff88812548f000 post-put 4294967295
<idle>-0 1..s1. 44638727us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1..s1. 44638732us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 44638750us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 44638761us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 44638763us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 44638772us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 44638774us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 44638780us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 44638784us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 44638786us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 44638790us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 44638792us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 44638799us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 44638802us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 44638804us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-419 1..... 44639017us : css_killed_work_fn: ffff888112e8c400 pre-put 1
kworker/-419 1..... 44639024us : css_killed_work_fn: ffff888112e8c400 post-put 0
kworker/-419 1..... 44639083us : css_killed_work_fn: ffff888112e8d800 pre-put 1
kworker/-419 1..... 44639089us : css_killed_work_fn: ffff888112e8d800 post-put 0
kworker/-419 1..... 44639099us : css_killed_work_fn: ffff888110f6bc00 pre-put 1
kworker/-419 1..... 44639104us : css_killed_work_fn: ffff888110f6bc00 post-put 0
kauditd-25 0.Ns1. 45153541us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
kauditd-25 0.Ns1. 45153544us : percpu_ref_call_confirm_rcu: pre-conf 2
kauditd-25 0.Ns1. 45153560us : percpu_ref_call_confirm_rcu: post-conf 2
kauditd-25 0.Ns1. 45153567us : percpu_ref_call_confirm_rcu: pre-put 2
kauditd-25 0.Ns1. 45153568us : percpu_ref_call_confirm_rcu: post-put 1
kauditd-25 0.Ns1. 45153575us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
kauditd-25 0.Ns1. 45153576us : percpu_ref_call_confirm_rcu: pre-conf 2
kauditd-25 0.Ns1. 45153580us : percpu_ref_call_confirm_rcu: post-conf 2
kauditd-25 0.Ns1. 45153582us : percpu_ref_call_confirm_rcu: pre-put 2
kauditd-25 0.Ns1. 45153583us : percpu_ref_call_confirm_rcu: post-put 1
kauditd-25 0.Ns1. 45153585us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
kauditd-25 0.Ns1. 45153586us : percpu_ref_call_confirm_rcu: pre-conf 2
kauditd-25 0.Ns1. 45153590us : percpu_ref_call_confirm_rcu: post-conf 2
kauditd-25 0.Ns1. 45153592us : percpu_ref_call_confirm_rcu: pre-put 2
kauditd-25 0.Ns1. 45153593us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-456 0..... 45153805us : css_killed_work_fn: ffff888112f2e000 pre-put 1
kworker/-456 0..... 45153812us : css_killed_work_fn: ffff888112f2e000 post-put 0
kworker/-456 0..... 45153821us : css_killed_work_fn: ffff888112f2c400 pre-put 1
kworker/-456 0..... 45153825us : css_killed_work_fn: ffff888112f2c400 post-put 0
kworker/-456 0..... 45153835us : css_killed_work_fn: ffff888112f2d800 pre-put 1
kworker/-456 0..... 45153839us : css_killed_work_fn: ffff888112f2d800 post-put 0
ksoftirq-14 0..s.. 45648866us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 45648872us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 45648887us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 45648896us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 45648898us : percpu_ref_call_confirm_rcu: post-put 1
ksoftirq-14 0..s.. 45648907us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 45648909us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 45648915us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 45648919us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 45648928us : percpu_ref_call_confirm_rcu: post-put 1
ksoftirq-14 0..s.. 45648930us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 45648931us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 45648934us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 45648936us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 45648937us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-456 0..... 45649144us : css_killed_work_fn: ffff888125542800 pre-put 1
kworker/-456 0..... 45649149us : css_killed_work_fn: ffff888125542800 post-put 0
kworker/-456 0..... 45649152us : css_killed_work_fn: ffff888125540800 pre-put 1
kworker/-456 0..... 45649155us : css_killed_work_fn: ffff888125540800 post-put 0
kworker/-456 0..... 45649157us : css_killed_work_fn: ffff888125541400 pre-put 1
kworker/-456 0..... 45649160us : css_killed_work_fn: ffff888125541400 post-put 0
<idle>-0 1.Ns1. 46028752us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 46028757us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 46028766us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 46028775us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 46028778us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 46028787us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 46028789us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 46028796us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 46028800us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 46028802us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-21 1..... 46029025us : css_killed_work_fn: ffff888112e8fc00 pre-put 1
kworker/-21 1..... 46029036us : css_killed_work_fn: ffff888112e8fc00 post-put 0
kworker/-21 1..... 46029039us : css_killed_work_fn: ffff888112e93c00 pre-put 1
kworker/-21 1..... 46029042us : css_killed_work_fn: ffff888112e93c00 post-put 0
<idle>-0 1.Ns1. 46398785us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 46398790us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 46398799us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 46398810us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 46398812us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 46398820us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 46398823us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 46398829us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 46398833us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 46398835us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-419 1..... 46399037us : css_killed_work_fn: ffff888125558c00 pre-put 1
kworker/-419 1..... 46399045us : css_killed_work_fn: ffff888125558c00 post-put 0
kworker/-419 1..... 46399062us : css_killed_work_fn: ffff88812555a400 pre-put 1
kworker/-419 1..... 46399067us : css_killed_work_fn: ffff88812555a400 post-put 0
<idle>-0 0..s1. 46888777us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0..s1. 46888783us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 46888802us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 46888812us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 46888815us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-456 0..... 46888875us : css_killed_work_fn: ffff888112e9c400 pre-put 1
kworker/-456 0..... 46888882us : css_killed_work_fn: ffff888112e9c400 post-put 0
ksoftirq-14 0..s.. 46888907us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 46888909us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 46888917us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 46888921us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 46888923us : percpu_ref_call_confirm_rcu: post-put 1
ksoftirq-14 0..s.. 46888927us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 4294967296
ksoftirq-14 0..s.. 46888929us : percpu_ref_call_confirm_rcu: pre-conf 4294967297
ksoftirq-14 0..s.. 46888934us : percpu_ref_call_confirm_rcu: post-conf 4294967297
ksoftirq-14 0..s.. 46888937us : percpu_ref_call_confirm_rcu: pre-put 4294967297
ksoftirq-14 0..s.. 46888939us : percpu_ref_call_confirm_rcu: post-put 4294967296
kworker/-456 0..... 46889142us : css_killed_work_fn: ffff888112e9d800 pre-put 1
kworker/-456 0..... 46889148us : css_killed_work_fn: ffff888112e9d800 post-put 0
kworker/-456 0..... 46889161us : css_killed_work_fn: ffff888112f3a000 pre-put 4294967296
kworker/-456 0..... 46889164us : css_killed_work_fn: ffff888112f3a000 post-put 4294967295
<idle>-0 0..s1. 47388725us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0..s1. 47388731us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 47388743us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 47388753us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 47388754us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 47388763us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 47388765us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 47388770us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 47388772us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 47388773us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 47388775us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 47388776us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 47388780us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 47388782us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 47388783us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-456 0..... 47388858us : css_killed_work_fn: ffff8881f73e8000 pre-put 1
kworker/-456 0..... 47388863us : css_killed_work_fn: ffff8881f73e8000 post-put 0
kworker/-456 0..... 47388880us : css_killed_work_fn: ffff888112e9e000 pre-put 1
kworker/-456 0..... 47388886us : css_killed_work_fn: ffff888112e9e000 post-put 0
kworker/-456 0..... 47388897us : css_killed_work_fn: ffff888112f3ac00 pre-put 1
kworker/-456 0..... 47388902us : css_killed_work_fn: ffff888112f3ac00 post-put 0
<idle>-0 0..s1. 47778696us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0..s1. 47778702us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 47778722us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 47778732us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 47778735us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 47778750us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 47778752us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 47778760us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 47778764us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 47778766us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-26 0..... 47778841us : css_killed_work_fn: ffff88812560bc00 pre-put 1
kworker/-26 0..... 47778849us : css_killed_work_fn: ffff88812560bc00 post-put 0
kworker/-26 0..... 47778854us : css_killed_work_fn: ffff88812560a800 pre-put 1
kworker/-26 0..... 47778859us : css_killed_work_fn: ffff88812560a800 post-put 0
<idle>-0 0.Ns1. 48188780us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 48188786us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 48188795us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 48188806us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 48188809us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 48188851us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 48188853us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 48188859us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 48188863us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 48188865us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-456 0..... 48189163us : css_killed_work_fn: ffff88812561b800 pre-put 1
kworker/-456 0..... 48189168us : css_killed_work_fn: ffff88812561b800 post-put 0
kworker/-456 0..... 48189170us : css_killed_work_fn: ffff88812561ac00 pre-put 1
kworker/-456 0..... 48189173us : css_killed_work_fn: ffff88812561ac00 post-put 0
<idle>-0 1..s1. 48668711us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1..s1. 48668717us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 48668733us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 48668741us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 48668743us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 48668749us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 48668750us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 48668754us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 48668756us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 48668757us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 48668759us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 48668761us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 48668764us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 48668766us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 48668767us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-21 1..... 48669043us : css_killed_work_fn: ffff888125597400 pre-put 1
kworker/-21 1..... 48669048us : css_killed_work_fn: ffff888125597400 post-put 0
kworker/-21 1..... 48669052us : css_killed_work_fn: ffff888125595000 pre-put 1
kworker/-21 1..... 48669055us : css_killed_work_fn: ffff888125595000 post-put 0
kworker/-21 1..... 48669057us : css_killed_work_fn: ffff888125597c00 pre-put 1
kworker/-21 1..... 48669060us : css_killed_work_fn: ffff888125597c00 post-put 0
<idle>-0 1..s1. 49458704us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1..s1. 49458710us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 49458721us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 49458731us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 49458733us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 49458745us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 49458748us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 49458755us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 49458758us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 49458760us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 49458762us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 49458764us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 49458770us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 49458773us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 49458774us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-21 1..... 49458848us : css_killed_work_fn: ffff8881f73ece00 pre-put 1
kworker/-21 1..... 49458853us : css_killed_work_fn: ffff8881f73ece00 post-put 0
kworker/-21 1..... 49458857us : css_killed_work_fn: ffff888113def000 pre-put 1
kworker/-21 1..... 49458863us : css_killed_work_fn: ffff888113def000 post-put 0
kworker/-21 1..... 49458867us : css_killed_work_fn: ffff888113deec00 pre-put 1
kworker/-21 1..... 49458872us : css_killed_work_fn: ffff888113deec00 post-put 0
syz-exec-414 1.Ns1. 50171265us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
syz-exec-414 1.Ns1. 50171270us : percpu_ref_call_confirm_rcu: pre-conf 2
syz-exec-414 1.Ns1. 50171288us : percpu_ref_call_confirm_rcu: post-conf 2
syz-exec-414 1.Ns1. 50171303us : percpu_ref_call_confirm_rcu: pre-put 2
syz-exec-414 1.Ns1. 50171306us : percpu_ref_call_confirm_rcu: post-put 1
syz-exec-414 1.Ns1. 50171317us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
syz-exec-414 1.Ns1. 50171319us : percpu_ref_call_confirm_rcu: pre-conf 2
syz-exec-414 1.Ns1. 50171327us : percpu_ref_call_confirm_rcu: post-conf 2
syz-exec-414 1.Ns1. 50171330us : percpu_ref_call_confirm_rcu: pre-put 2
syz-exec-414 1.Ns1. 50171333us : percpu_ref_call_confirm_rcu: post-put 1
syz-exec-414 1.Ns1. 50171336us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
syz-exec-414 1.Ns1. 50171339us : percpu_ref_call_confirm_rcu: pre-conf 2
syz-exec-414 1.Ns1. 50171346us : percpu_ref_call_confirm_rcu: post-conf 2
syz-exec-414 1.Ns1. 50171349us : percpu_ref_call_confirm_rcu: pre-put 2
syz-exec-414 1.Ns1. 50171351us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-419 1..... 50171396us : css_killed_work_fn: ffff888113df4000 pre-put 1
kworker/-419 1..... 50171401us : css_killed_work_fn: ffff888113df4000 post-put 0
kworker/-419 1..... 50171404us : css_killed_work_fn: ffff888112f45c00 pre-put 1
kworker/-419 1..... 50171407us : css_killed_work_fn: ffff888112f45c00 post-put 0
kworker/-419 1..... 50171409us : css_killed_work_fn: ffff888112f46c00 pre-put 1
kworker/-419 1..... 50171412us : css_killed_work_fn: ffff888112f46c00 post-put 0
<idle>-0 1..s1. 50988751us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1..s1. 50988757us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 50988772us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 50988781us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 50988784us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 50988792us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 50988805us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 50988811us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 50988814us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 50988817us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 50988820us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 50988863us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 50988869us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 50988873us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 50988874us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-419 1..... 50988967us : css_killed_work_fn: ffff888125682c00 pre-put 1
kworker/-419 1..... 50988975us : css_killed_work_fn: ffff888125682c00 post-put 0
kworker/-419 1..... 50988980us : css_killed_work_fn: ffff888125681c00 pre-put 1
kworker/-419 1..... 50988984us : css_killed_work_fn: ffff888125681c00 post-put 0
kworker/-419 1..... 50988996us : css_killed_work_fn: ffff888125683000 pre-put 1
kworker/-419 1..... 50989001us : css_killed_work_fn: ffff888125683000 post-put 0
<idle>-0 0..s1. 51478778us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0..s1. 51478783us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 51478800us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 51478810us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 51478813us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 51478822us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 51478825us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 51478832us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 51478836us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 51478838us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 51478841us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 51478844us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 51478851us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 51478854us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 51478856us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-456 0..... 51478912us : css_killed_work_fn: ffff888112f4a000 pre-put 1
kworker/-456 0..... 51478919us : css_killed_work_fn: ffff888112f4a000 post-put 0
kworker/-456 0..... 51478938us : css_killed_work_fn: ffff888112f48400 pre-put 1
kworker/-456 0..... 51478943us : css_killed_work_fn: ffff888112f48400 post-put 0
kworker/-456 0..... 51478957us : css_killed_work_fn: ffff888112f48000 pre-put 1
kworker/-456 0..... 51478964us : css_killed_work_fn: ffff888112f48000 post-put 0
<idle>-0 0.Ns1. 51858745us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 51858751us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 51858759us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 51858770us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 51858773us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 51858782us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 51858785us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 51858792us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 51858796us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 51858798us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-456 0..... 51859041us : css_killed_work_fn: ffff888125662c00 pre-put 1
kworker/-456 0..... 51859046us : css_killed_work_fn: ffff888125662c00 post-put 0
kworker/-456 0..... 51859049us : css_killed_work_fn: ffff888125661c00 pre-put 1
kworker/-456 0..... 51859051us : css_killed_work_fn: ffff888125661c00 post-put 0
<idle>-0 0..s1. 52358807us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0..s1. 52358812us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 52358826us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 52358835us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 52358836us : percpu_ref_call_confirm_rcu: post-put 1
ksoftirq-14 0..s.. 52358880us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 52358882us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 52358889us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 52358893us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 52358896us : percpu_ref_call_confirm_rcu: post-put 1
ksoftirq-14 0..s.. 52358900us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 52358902us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 52358908us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 52358912us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 52358914us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-456 0..... 52359006us : css_killed_work_fn: ffff888112f4ec00 pre-put 1
kworker/-456 0..... 52359011us : css_killed_work_fn: ffff888112f4ec00 post-put 0
kworker/-456 0..... 52359014us : css_killed_work_fn: ffff8881146b4000 pre-put 1
kworker/-456 0..... 52359017us : css_killed_work_fn: ffff8881146b4000 post-put 0
kworker/-456 0..... 52359020us : css_killed_work_fn: ffff8881146b7000 pre-put 1
kworker/-456 0..... 52359023us : css_killed_work_fn: ffff8881146b7000 post-put 0
ksoftirq-14 0..s.. 52818879us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 52818885us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 52818896us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 52818903us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 52818904us : percpu_ref_call_confirm_rcu: post-put 1
ksoftirq-14 0..s.. 52818909us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 52818910us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 52818914us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 52818916us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 52818917us : percpu_ref_call_confirm_rcu: post-put 1
ksoftirq-14 0..s.. 52818919us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 4294967296
ksoftirq-14 0..s.. 52818920us : percpu_ref_call_confirm_rcu: pre-conf 4294967297
ksoftirq-14 0..s.. 52818923us : percpu_ref_call_confirm_rcu: post-conf 4294967297
ksoftirq-14 0..s.. 52818925us : percpu_ref_call_confirm_rcu: pre-put 4294967297
ksoftirq-14 0..s.. 52818926us : percpu_ref_call_confirm_rcu: post-put 4294967296
kworker/-456 0..... 52818989us : css_killed_work_fn: ffff8881256bb400 pre-put 1
kworker/-456 0..... 52818994us : css_killed_work_fn: ffff8881256bb400 post-put 0
kworker/-456 0..... 52818998us : css_killed_work_fn: ffff8881256b9000 pre-put 1
kworker/-456 0..... 52819000us : css_killed_work_fn: ffff8881256b9000 post-put 0
kworker/-456 0..... 52819003us : css_killed_work_fn: ffff8881256bbc00 pre-put 4294967296
kworker/-456 0..... 52819025us : css_killed_work_fn: ffff8881256bbc00 post-put 4294967295
<idle>-0 1.Ns1. 53198727us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 53198733us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 53198741us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 53198751us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 53198754us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 53198762us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 53198764us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 53198771us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 53198775us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 53198777us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-419 1..... 53199014us : css_killed_work_fn: ffff8881256d2c00 pre-put 1
kworker/-419 1..... 53199021us : css_killed_work_fn: ffff8881256d2c00 post-put 0
kworker/-419 1..... 53199037us : css_killed_work_fn: ffff8881256d1c00 pre-put 1
kworker/-419 1..... 53199042us : css_killed_work_fn: ffff8881256d1c00 post-put 0
<idle>-0 1..s1. 53558821us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1..s1. 53558826us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 53558850us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 53558867us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 53558870us : percpu_ref_call_confirm_rcu: post-put 1
ksoftirq-20 1..s.. 53558888us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-20 1..s.. 53558890us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-20 1..s.. 53558893us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-20 1..s.. 53558896us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-20 1..s.. 53558899us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-419 1..... 53558968us : css_killed_work_fn: ffff888112e71800 pre-put 1
kworker/-419 1..... 53558975us : css_killed_work_fn: ffff888112e71800 post-put 0
kworker/-419 1..... 53559025us : css_killed_work_fn: ffff888112e70000 pre-put 1
kworker/-419 1..... 53559031us : css_killed_work_fn: ffff888112e70000 post-put 0
<idle>-0 1..s1. 54058745us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1..s1. 54058749us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 54058761us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 54058769us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 54058770us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 54058776us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 54058777us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 54058781us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 54058783us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 54058785us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 54058786us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 54058788us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 54058791us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 54058793us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 54058794us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-419 1..... 54058834us : css_killed_work_fn: ffff8881146bd000 pre-put 1
kworker/-419 1..... 54058839us : css_killed_work_fn: ffff8881146bd000 post-put 0
kworker/-419 1..... 54058842us : css_killed_work_fn: ffff8881146bfc00 pre-put 1
kworker/-419 1..... 54058845us : css_killed_work_fn: ffff8881146bfc00 post-put 0
kworker/-419 1..... 54058847us : css_killed_work_fn: ffff8881146be800 pre-put 1
kworker/-419 1..... 54058850us : css_killed_work_fn: ffff8881146be800 post-put 0
<idle>-0 0.Ns1. 54448757us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 54448763us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 54448773us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 54448784us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 54448787us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 54448797us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 54448800us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 54448807us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 54448811us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 54448814us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-383 0..... 54449091us : css_killed_work_fn: ffff888113e07c00 pre-put 1
kworker/-383 0..... 54449096us : css_killed_work_fn: ffff888113e07c00 post-put 0
kworker/-383 0..... 54449098us : css_killed_work_fn: ffff888113e04c00 pre-put 1
kworker/-383 0..... 54449101us : css_killed_work_fn: ffff888113e04c00 post-put 0
<idle>-0 1.Ns1. 55488771us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 55488777us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 55488785us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 55488795us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 55488797us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 55488805us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 55488808us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 55488814us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 55488823us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 55488825us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-471 1..... 55488878us : css_killed_work_fn: ffff888113e04400 pre-put 1
kworker/-471 1..... 55488885us : css_killed_work_fn: ffff888113e04400 post-put 0
kworker/-471 1..... 55488889us : css_killed_work_fn: ffff888113e06000 pre-put 1
kworker/-471 1..... 55488893us : css_killed_work_fn: ffff888113e06000 post-put 0
syz-exec-418 0..s.. 56668729us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
syz-exec-418 0..s.. 56668736us : percpu_ref_call_confirm_rcu: pre-conf 2
syz-exec-418 0..s.. 56668771us : percpu_ref_call_confirm_rcu: post-conf 2
syz-exec-418 0..s.. 56668785us : percpu_ref_call_confirm_rcu: pre-put 2
syz-exec-418 0..s.. 56668787us : percpu_ref_call_confirm_rcu: post-put 1
syz-exec-418 0..s.. 56668797us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
syz-exec-418 0..s.. 56668800us : percpu_ref_call_confirm_rcu: pre-conf 2
syz-exec-418 0..s.. 56668806us : percpu_ref_call_confirm_rcu: post-conf 2
syz-exec-418 0..s.. 56668810us : percpu_ref_call_confirm_rcu: pre-put 2
syz-exec-418 0..s.. 56668812us : percpu_ref_call_confirm_rcu: post-put 1
syz-exec-418 0..s.. 56668815us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
syz-exec-418 0..s.. 56668818us : percpu_ref_call_confirm_rcu: pre-conf 2
syz-exec-418 0..s.. 56668823us : percpu_ref_call_confirm_rcu: post-conf 2
syz-exec-418 0..s.. 56668826us : percpu_ref_call_confirm_rcu: pre-put 2
syz-exec-418 0..s.. 56668828us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-456 0..... 56668963us : css_killed_work_fn: ffff88812575a400 pre-put 1
kworker/-456 0..... 56668970us : css_killed_work_fn: ffff88812575a400 post-put 0
kworker/-456 0..... 56668976us : css_killed_work_fn: ffff88812575b800 pre-put 1
kworker/-456 0..... 56668981us : css_killed_work_fn: ffff88812575b800 post-put 0
kworker/-456 0..... 56668984us : css_killed_work_fn: ffff88812575ac00 pre-put 1
kworker/-456 0..... 56668989us : css_killed_work_fn: ffff88812575ac00 post-put 0
<idle>-0 1..s1. 57168704us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1..s1. 57168710us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 57168743us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 57168749us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 57168751us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 57168760us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 57168763us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 57168769us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 57168773us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 57168775us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 57168778us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 1.Ns1. 57168781us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 57168787us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 57168791us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 57168793us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-419 1..... 57168862us : css_killed_work_fn: ffff88812574c000 pre-put 1
kworker/-419 1..... 57168869us : css_killed_work_fn: ffff88812574c000 post-put 0
kworker/-419 1..... 57168875us : css_killed_work_fn: ffff88812574d800 pre-put 1
kworker/-419 1..... 57168880us : css_killed_work_fn: ffff88812574d800 post-put 0
kworker/-419 1..... 57168883us : css_killed_work_fn: ffff88812574c400 pre-put 1
kworker/-419 1..... 57168889us : css_killed_work_fn: ffff88812574c400 post-put 0
kworker/-419 1.Ns.. 57648711us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
kworker/-419 1.Ns.. 57648717us : percpu_ref_call_confirm_rcu: pre-conf 2
kworker/-419 1.Ns.. 57648724us : percpu_ref_call_confirm_rcu: post-conf 2
kworker/-419 1.Ns.. 57648732us : percpu_ref_call_confirm_rcu: pre-put 2
kworker/-419 1.Ns.. 57648735us : percpu_ref_call_confirm_rcu: post-put 1
ksoftirq-20 1..s.. 57648768us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-20 1..s.. 57648771us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-20 1..s.. 57648777us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-20 1..s.. 57648780us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-20 1..s.. 57648782us : percpu_ref_call_confirm_rcu: post-put 1
ksoftirq-20 1..s.. 57648786us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-20 1..s.. 57648788us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-20 1..s.. 57648793us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-20 1..s.. 57648796us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-20 1..s.. 57648798us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-419 1..... 57649299us : css_killed_work_fn: ffff888125786000 pre-put 1
kworker/-419 1..... 57649306us : css_killed_work_fn: ffff888125786000 post-put 0
kworker/-419 1..... 57649407us : css_killed_work_fn: ffff888125787400 pre-put 1
kworker/-419 1..... 57649415us : css_killed_work_fn: ffff888125787400 post-put 0
kworker/-419 1..... 57649486us : css_killed_work_fn: ffff888125785000 pre-put 1
kworker/-419 1..... 57649492us : css_killed_work_fn: ffff888125785000 post-put 0
<idle>-0 0..s1. 58158736us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0..s1. 58158742us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 58158759us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 58158769us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 58158771us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 58158780us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 58158782us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 58158788us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 58158792us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 58158794us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 58158799us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 58158802us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 58158809us : percpu_ref_call_con

Tested on:

commit: ebd22823 DEBUG percpu-recount: Crude printk dumps
git tree: https://github.com/Werkov/linux.git cgroup-ml/css-lifecycle-b2
console output: https://syzkaller.appspot.com/x/log.txt?x=13bc504df00000
kernel config: https://syzkaller.appspot.com/x/.config?x=3105f4ccd2ac0c7f

syzbot

May 27, 2022, 12:30:13 PM5/27/22
to mko...@suse.com, syzkaller-a...@googlegroups.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch, but the reproducer still triggers an issue — list corruption in insert_work while css_release(), invoked from the percpu_ref RCU callback in softirq context, queues the release work (see the call trace below):
BUG: corrupted list in insert_work

list_add corruption. prev->next should be next (ffff8881f733db68), but was ffff888118a6dc70. (prev=ffff888118a6dc70).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 416 Comm: syz-executor.3 Tainted: G W 5.18.0-rc7-syzkaller-00018-g5500e05d82fd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 e0 21 68 85 4c 89 e6 4c 89 f1 31 c0 e8 10 bb 55 02 0f 0b 48 c7 c7 a0 22 68 85 4c 89 f6 4c 89 e1 31 c0 e8 fa ba 55 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000180978 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f733db70 RCX: 6bec13975d935300
RDX: 0000000080000102 RSI: 0000000080000102 RDI: 0000000000000000
RBP: ffffc900001809a0 R08: ffffffff815795f8 R09: ffffed103ee665d1
R10: ffffed103ee665d1 R11: 1ffff1103ee665d0 R12: ffff888118a6dc70
R13: dffffc0000000000 R14: ffff8881f733db68 R15: ffff888118a6dc70
FS: 000055555562b400(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9ea1d9d090 CR3: 00000001202f2000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:69 [inline]
list_add_tail include/linux/list.h:102 [inline]
insert_work+0x104/0x320 kernel/workqueue.c:1362
__queue_work+0x960/0xd20 kernel/workqueue.c:1517
queue_work_on+0xf2/0x170 kernel/workqueue.c:1545
queue_work include/linux/workqueue.h:502 [inline]
css_release+0xcb/0xe0 kernel/cgroup/cgroup.c:5215
percpu_ref_put_many include/linux/percpu-refcount.h:335 [inline]
percpu_ref_put include/linux/percpu-refcount.h:351 [inline]
percpu_ref_call_confirm_rcu+0x3d0/0x3e0 lib/percpu-refcount.c:166
percpu_ref_switch_to_atomic_rcu+0x2bf/0x3a0 lib/percpu-refcount.c:209
rcu_do_batch+0x507/0xbc0 kernel/rcu/tree.c:2535
rcu_core+0x4dc/0xef0 kernel/rcu/tree.c:2786
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2803
__do_softirq+0x24e/0x586 kernel/softirq.c:558
invoke_softirq+0x70/0xd0 kernel/softirq.c:432
__irq_exit_rcu+0x4f/0xb0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x10 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x9a/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20
RIP: 0010:finish_task_switch+0x20c/0x700 kernel/sched/core.c:4953
Code: 8b 7d 00 48 b8 00 00 00 00 00 fc ff df 80 3c 03 00 74 9b 4c 89 ef e8 83 75 60 00 eb 91 4c 89 e7 e8 79 14 64 03 fb 48 8b 5d c0 <4c> 8d b3 68 0a 00 00 4c 89 f0 48 c1 e8 03 42 8a 04 38 84 c0 0f 85
RSP: 0018:ffffc9000297fa80 EFLAGS: 00000282
RAX: 0000000080000001 RBX: ffff88810d04d3c0 RCX: 0000000000000002
RDX: 0000000000000001 RSI: ffffffff856820a0 RDI: 0000000000000001
RBP: ffffc9000297fad0 R08: dffffc0000000000 R09: ffffed1020078431
R10: ffffed1020078431 R11: 1ffff11020078430 R12: ffff8881f7336900
R13: 0000000000000000 R14: ffff8881f7337440 R15: dffffc0000000000
context_switch kernel/sched/core.c:5076 [inline]
__schedule+0xb2a/0x1020 kernel/sched/core.c:6388
schedule+0xdb/0x190 kernel/sched/core.c:6460
freezable_schedule include/linux/freezer.h:172 [inline]
do_nanosleep+0x18c/0x6d0 kernel/time/hrtimer.c:2044
hrtimer_nanosleep+0x1d0/0x410 kernel/time/hrtimer.c:2097
common_nsleep+0x91/0xb0 kernel/time/posix-timers.c:1227
__do_sys_clock_nanosleep kernel/time/posix-timers.c:1267 [inline]
__se_sys_clock_nanosleep kernel/time/posix-timers.c:1245 [inline]
__x64_sys_clock_nanosleep+0x360/0x3f0 kernel/time/posix-timers.c:1245
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f7f5fcaddba
Code: 83 ff 03 74 3b 48 83 ec 28 b8 fa ff ff ff 83 ff 02 49 89 ca 0f 44 f8 64 8b 04 25 18 00 00 00 85 c0 75 2d b8 e6 00 00 00 0f 05 <89> c2 f7 da 3d 00 f0 ff ff b8 00 00 00 00 0f 47 c2 48 83 c4 28 c3
RSP: 002b:00007ffc6cc6df20 EFLAGS: 00000246 ORIG_RAX: 00000000000000e6
RAX: ffffffffffffffda RBX: 0000000000000037 RCX: 00007f7f5fcaddba
RDX: 00007ffc6cc6df60 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007ffc6cc6dfec R08: 00007ffc6cd9d080 R09: 00007ffc6cd9d0b8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
R13: 00000000000141ea R14: 0000000000000006 R15: 00007ffc6cc6e050
</TASK>
Modules linked in:
Dumping ftrace buffer:
---------------------------------
<...>-375 1..... 16935441us : css_get: ffff88811f1b0020 ++
<...>-375 1..... 16935460us : css_put: ffff88811f1b0020 --
<...>-25 1.Ns1. 17030743us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 0
<...>-25 1.Ns1. 17030749us : percpu_ref_call_confirm_rcu: pre-conf 1
<...>-25 1.Ns1. 17030752us : percpu_ref_call_confirm_rcu: post-conf 1
<...>-25 1.Ns1. 17030762us : percpu_ref_call_confirm_rcu: pre-put 1
<...>-25 1.Ns1. 17030780us : percpu_ref_call_confirm_rcu: post-put 0
<...>-25 1.Ns1. 17030783us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775808 percpu 2
<...>-25 1.Ns1. 17030785us : percpu_ref_call_confirm_rcu: pre-conf 2
<...>-25 1.Ns1. 17030787us : percpu_ref_call_confirm_rcu: post-conf 2
<...>-25 1.Ns1. 17030790us : percpu_ref_call_confirm_rcu: pre-put 2
<...>-25 1.Ns1. 17030792us : percpu_ref_call_confirm_rcu: post-put 1
<...>-375 0..... 17031057us : css_get: ffff88811f0b0020 ++
<...>-375 0..... 17031071us : css_put: ffff88811f0b0020 --
kworker/-26 1..... 17031076us : css_put: ffff88811f1b0020 --
kworker/-26 1..... 17031078us : css_release: ffff88811f1b0020 =0
<...>-375 0..... 17031446us : css_get: ffff88811f0b4020 ++
<...>-375 0..... 17031452us : css_put: ffff88811f0b4020 --
<idle>-0 0..s1. 17062761us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 0
<idle>-0 0..s1. 17062767us : percpu_ref_call_confirm_rcu: pre-conf 1
<idle>-0 0..s1. 17062769us : percpu_ref_call_confirm_rcu: post-conf 1
<idle>-0 0..s1. 17062782us : percpu_ref_call_confirm_rcu: pre-put 1
<idle>-0 0.Ns1. 17062799us : percpu_ref_call_confirm_rcu: post-put 0
<idle>-0 0.Ns1. 17062802us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775808 percpu 2
<idle>-0 0.Ns1. 17062804us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 17062807us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 17062810us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 17062812us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 17062847us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 0
<idle>-0 0.Ns1. 17062849us : percpu_ref_call_confirm_rcu: pre-conf 1
<idle>-0 0.Ns1. 17062851us : percpu_ref_call_confirm_rcu: post-conf 1
<idle>-0 0.Ns1. 17062854us : percpu_ref_call_confirm_rcu: pre-put 1
<idle>-0 0.Ns1. 17062862us : percpu_ref_call_confirm_rcu: post-put 0
<idle>-0 0.Ns1. 17062865us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775808 percpu 2
<idle>-0 0.Ns1. 17062867us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 17062870us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 17062873us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 17062876us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-35 0..... 17062902us : css_put: ffff88811f0b0020 --
kworker/-35 0..... 17062906us : css_release: ffff88811f0b0020 =0
kworker/-35 0..... 17062920us : css_put: ffff88811f0b4020 --
kworker/-35 0..... 17062922us : css_release: ffff88811f0b4020 =0
<...>-375 1..... 17124106us : css_get: ffff88811f1dc020 ++
<...>-375 1..... 17124115us : css_put: ffff88811f1dc020 --
<...>-375 1..... 17124442us : css_get: ffff88811f1f0020 ++
<...>-375 1..... 17124448us : css_put: ffff88811f1f0020 --
<idle>-0 1..s1. 17172739us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 0
<idle>-0 1..s1. 17172744us : percpu_ref_call_confirm_rcu: pre-conf 1
<idle>-0 1..s1. 17172745us : percpu_ref_call_confirm_rcu: post-conf 1
<idle>-0 1..s1. 17172754us : percpu_ref_call_confirm_rcu: pre-put 1
<idle>-0 1.Ns1. 17172769us : percpu_ref_call_confirm_rcu: post-put 0
<idle>-0 1.Ns1. 17172772us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775808 percpu 2
<idle>-0 1.Ns1. 17172773us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 17172774us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 17172776us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 17172777us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 1.Ns1. 17172799us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 0
<idle>-0 1.Ns1. 17172800us : percpu_ref_call_confirm_rcu: pre-conf 1
<idle>-0 1.Ns1. 17172801us : percpu_ref_call_confirm_rcu: post-conf 1
<idle>-0 1.Ns1. 17172803us : percpu_ref_call_confirm_rcu: pre-put 1
<idle>-0 1.Ns1. 17172807us : percpu_ref_call_confirm_rcu: post-put 0
<idle>-0 1.Ns1. 17172809us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775808 percpu 2
<idle>-0 1.Ns1. 17172810us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 1.Ns1. 17172811us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 1.Ns1. 17172813us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 1.Ns1. 17172814us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-26 1..... 17172833us : css_put: ffff88811f1dc020 --
kworker/-26 1..... 17172835us : css_release: ffff88811f1dc020 =0
kworker/-26 1..... 17172846us : css_put: ffff88811f1f0020 --
kworker/-26 1..... 17172847us : css_release: ffff88811f1f0020 =0
<...>-379 1..... 17578235us : css_get: ffff8881221e8010 ++
<...>-379 1..... 17578247us : css_create: ffff888121516a90 =1 ss=cpu
<...>-379 1..... 17578448us : css_get: ffff8881221e8010 ++
<...>-379 1..... 17578463us : css_create: ffff8881221ec010 =1 ss=memory
<...>-379 1..... 17578473us : css_get: ffff8881221ec010 ++
<...>-379 1..... 17578543us : css_get: ffff8881221e8010 ++
<...>-379 1..... 17578552us : css_create: ffff8881221bdc10 =1 ss=pids
<...>-379 1d..1. 17578943us : css_get: ffff8881221e8010 ++
<...>-379 1d..1. 17578947us : css_get: ffff888121516a90 ++
<...>-379 1d..1. 17578949us : css_get: ffff8881221ec010 ++
<...>-379 1d..1. 17578950us : css_get: ffff8881221bdc10 ++
<...>-379 1..... 17578975us : css_put: ffff8881221e8010 --
<...>-379 1..... 17579910us : css_get: ffff88811f1f4020 ++
<...>-379 1..... 17579928us : css_get: ffff888122200010 ++
<...>-379 1..... 17579933us : css_create: ffff8881221bc010 =1 ss=cpuset
<...>-379 1..... 17580735us : css_get: ffff888122200010 ++
<...>-379 1..... 17580744us : css_create: ffff888121515c10 =1 ss=cpuacct
<...>-379 1..... 17580781us : css_put: ffff88811f1f4020 --
<...>-379 1d..1. 17580892us : css_get: ffff8881221e8010 ++
<...>-379 1d..1. 17580894us : css_get: ffff888122200010 ++
<...>-379 1d..1. 17580896us : css_get: ffff8881221bc010 ++
<...>-379 1d..1. 17580897us : css_get: ffff888121516a90 ++
<...>-379 1d..1. 17580898us : css_get: ffff888121515c10 ++
<...>-379 1d..1. 17580899us : css_get: ffff8881221ec010 ++
<...>-379 1d..1. 17580901us : css_get: ffff8881221bdc10 ++
<...>-379 1d..1. 17580914us : css_put: ffff888121516a90 --
<...>-379 1d..1. 17580916us : css_put: ffff8881221ec010 --
<...>-379 1d..1. 17580917us : css_put: ffff8881221bdc10 --
<...>-379 1d..1. 17580918us : css_put: ffff8881221e8010 --
<...>-379 1..... 17580933us : css_put: ffff888122200010 --
<...>-379 1..... 17581002us : css_get: ffff88811f1d8020 ++
<...>-379 1..... 17581025us : css_get: ffff888122204010 ++
<...>-379 1..... 17581029us : css_create: ffff8881221bc410 =1 ss=io
<...>-379 1..... 17581072us : css_get: ffff888122204010 ++
<...>-379 1..... 17581076us : css_create: ffff888121515010 =1 ss=freezer
<...>-379 1..... 17581094us : css_get: ffff888122204010 ++
<...>-379 1..... 17581102us : css_create: ffff888121515a10 =1 ss=net_prio
<...>-379 1..... 17581120us : css_put: ffff88811f1d8020 --
<...>-379 1d..1. 17581210us : css_get: ffff8881221e8010 ++
<...>-379 1d..1. 17581212us : css_get: ffff888122204010 ++
<...>-379 1d..1. 17581213us : css_get: ffff888122200010 ++
<...>-379 1d..1. 17581214us : css_get: ffff8881221bc010 ++
<...>-379 1d..1. 17581215us : css_get: ffff888121516a90 ++
<...>-379 1d..1. 17581216us : css_get: ffff888121515c10 ++
<...>-379 1d..1. 17581217us : css_get: ffff8881221bc410 ++
<...>-379 1d..1. 17581219us : css_get: ffff8881221ec010 ++
<...>-379 1d..1. 17581220us : css_get: ffff888121515010 ++
<...>-379 1d..1. 17581221us : css_get: ffff888121515a10 ++
<...>-379 1d..1. 17581222us : css_get: ffff8881221bdc10 ++
<...>-379 1d..1. 17581233us : css_put: ffff8881221bc010 --
<...>-379 1d..1. 17581234us : css_put: ffff888121516a90 --
<...>-379 1d..1. 17581235us : css_put: ffff888121515c10 --
<...>-379 1d..1. 17581236us : css_put: ffff8881221ec010 --
<...>-379 1d..1. 17581238us : css_put: ffff8881221bdc10 --
<...>-379 1d..1. 17581239us : css_put: ffff8881221e8010 --
<...>-379 1d..1. 17581243us : css_put: ffff888122200010 --
<...>-379 1..... 17581248us : css_put: ffff888122204010 --
<...>-379 1..... 17581319us : css_put: ffff8881221e8010 --
<...>-379 1..... 17581321us : css_put: ffff8881221ec010 --
<...>-379 1d.... 17581378us : css_get: ffff8881221ec010 ++
<...>-379 1..... 17581380us : css_get: ffff8881221ec010 ++
<...>-379 1..... 17581382us : css_put: ffff8881221ec010 --
<...>-379 1..... 17581619us : css_put: ffff8881221e8010 --
<...>-379 1..... 17581621us : css_put: ffff8881221ec010 --
<...>-379 1..... 17581667us : css_get: ffff8881221ec010 ++
<...>-379 1..... 17581669us : css_put: ffff8881221ec010 --
<...>-379 1..... 17581820us : css_get: ffff8881221ec010 ++
<...>-379 1..... 17581823us : css_put: ffff8881221ec010 --
<...>-379 1..... 17582310us : css_put: ffff8881221e8010 --
<...>-379 1..... 17582313us : css_put: ffff8881221ec010 --
<...>-379 1..... 17582512us : css_get: ffff8881221ec010 ++
<...>-379 1..... 17582514us : css_put: ffff8881221ec010 --
<...>-379 1..... 17582852us : css_put: ffff8881221e8010 --
<...>-379 1..... 17582854us : css_put: ffff8881221ec010 --
<...>-379 1..... 17583222us : css_get: ffff8881221ec010 ++
<...>-379 1..... 17583224us : css_put: ffff8881221ec010 --
<...>-379 1..... 17583698us : css_put: ffff8881221e8010 --
<...>-379 1..... 17583701us : css_put: ffff8881221ec010 --
<...>-379 1..... 17583847us : css_put: ffff8881221e8010 --
<...>-379 1..... 17583850us : css_put: ffff8881221ec010 --
<...>-379 1..... 17584107us : css_put: ffff8881221e8010 --
<...>-379 1..... 17584110us : css_put: ffff8881221ec010 --
<...>-379 1..... 17584295us : css_put: ffff8881221e8010 --
<...>-379 1..... 17584297us : css_put: ffff8881221ec010 --
<...>-379 1..... 17584337us : css_get: ffff8881221ec010 ++
<...>-379 1..... 17584340us : css_put: ffff8881221ec010 --
<...>-379 1..... 17585364us : css_get: ffff8881221ec010 ++
<...>-379 1..... 17585367us : css_put: ffff8881221ec010 --
<...>-384 0d.... 17586393us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17586398us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17586402us : css_put: ffff8881221ec010 --
<...>-384 0..... 17586440us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17586442us : css_put: ffff8881221ec010 --
<...>-384 0..... 17586477us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17586479us : css_put: ffff8881221ec010 --
<...>-384 0..... 17586508us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17586511us : css_put: ffff8881221ec010 --
<...>-384 0..... 17586526us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17586528us : css_put: ffff8881221ec010 --
<...>-384 0..... 17587682us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17587685us : css_put: ffff8881221ec010 --
<...>-384 0..... 17587744us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17587747us : css_put: ffff8881221ec010 --
<...>-384 0..... 17587760us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17587762us : css_put: ffff8881221ec010 --
<...>-384 0..... 17587780us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17587783us : css_put: ffff8881221ec010 --
<...>-384 0..... 17587938us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17587940us : css_put: ffff8881221ec010 --
<...>-386 0..... 17587991us : css_get: ffff8881221ec010 ++
<...>-386 0..... 17587994us : css_put: ffff8881221ec010 --
<...>-384 0..... 17588078us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17588080us : css_put: ffff8881221ec010 --
<...>-384 0..... 17588097us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17588100us : css_put: ffff8881221ec010 --
<...>-384 0..... 17588116us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17588118us : css_put: ffff8881221ec010 --
<...>-384 0..... 17588135us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17588137us : css_put: ffff8881221ec010 --
<...>-384 0..... 17588153us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17588155us : css_put: ffff8881221ec010 --
<...>-384 0..... 17588171us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17588173us : css_put: ffff8881221ec010 --
<...>-384 0..... 17588189us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17588192us : css_put: ffff8881221ec010 --
<...>-384 0..... 17588208us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17588210us : css_put: ffff8881221ec010 --
<...>-384 0..... 17588233us : css_get: ffff8881221ec010 ++
<...>-384 0..... 17588235us : css_put: ffff8881221ec010 --
<...>-386 0..... 17588858us : css_get: ffff8881221ec010 ++
<...>-386 0..... 17588860us : css_put: ffff8881221ec010 --
<...>-386 0..... 17588862us : css_put: ffff8881221ec010 --
<...>-386 0..... 17588865us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590078us : css_get: ffff8881221ec010 ++
<...>-386 0..... 17590082us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590084us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590086us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590088us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590090us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590091us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590093us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590094us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590096us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590098us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590100us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590102us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590104us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590106us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590108us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590109us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590111us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590113us : css_put: ffff8881221ec010 --
<...>-386 0..... 17590116us : css_put: ffff8881221ec010 --
<...>-379 1..... 17591303us : css_get: ffff8881221ec010 ++
<...>-379 1..... 17591306us : css_put: ffff8881221ec010 --
<...>-379 1..... 17592032us : css_get: ffff8881221ec010 ++
<...>-379 1..... 17592035us : css_put: ffff8881221ec010 --
<...>-379 0..... 17592872us : css_put: ffff8881221e8010 --
<...>-379 0..... 17592875us : css_put: ffff8881221ec010 --
<...>-379 0..... 17593020us : css_put: ffff8881221e8010 --
<...>-379 0..... 17593022us : css_put: ffff8881221ec010 --
<...>-379 0..... 17593728us : css_put: ffff8881221e8010 --
<...>-379 0..... 17593731us : css_put: ffff8881221ec010 --
<...>-379 0..... 17594229us : css_put: ffff8881221e8010 --
<...>-379 0..... 17594232us : css_put: ffff8881221ec010 --
<...>-379 1..... 17598690us : css_get: ffff8881221ec010 ++
<...>-379 1..... 17598694us : css_put: ffff8881221ec010 --
<...>-379 1..... 17598698us : css_put: ffff8881221ec010 --
<...>-379 1..... 17599032us : css_get: ffff8881221ec010 ++
<...>-379 1..... 17599034us : css_put: ffff8881221ec010 --
<...>-379 1..... 17599037us : css_put: ffff8881221ec010 --
<...>-379 1..... 17599039us : css_get: ffff8881221ec010 ++
<...>-379 1..... 17599041us : css_put: ffff8881221ec010 --
<...>-379 1..... 17599043us : css_put: ffff8881221ec010 --
<...>-379 1..... 17599045us : css_get: ffff8881221ec010 ++
<...>-379 1..... 17599047us : css_put: ffff8881221ec010 --
<...>-379 1..... 17599048us : css_put: ffff8881221ec010 --
<...>-379 1..... 17599050us : css_put: ffff8881221ec010 --
<...>-379 1..... 17599052us : css_put: ffff8881221ec010 --
<...>-379 1..... 17599054us : css_put: ffff8881221ec010 --
<idle>-0 0d.s2. 17702801us : css_put: ffff8881221bc010 --
<idle>-0 0d.s2. 17702807us : css_put: ffff888121516a90 --
<idle>-0 0d.s2. 17702811us : css_put: ffff888121515c10 --
<idle>-0 0d.s2. 17702814us : css_put: ffff8881221bc410 --
<idle>-0 0d.s2. 17702817us : css_put: ffff8881221ec010 --
<idle>-0 0d.s2. 17702819us : css_put: ffff888121515010 --
<idle>-0 0d.s2. 17702822us : css_put: ffff888121515a10 --
<idle>-0 0d.s2. 17702825us : css_put: ffff8881221bdc10 --
<idle>-0 0d.s2. 17702828us : css_put: ffff8881221e8010 --
<idle>-0 0d.s2. 17702838us : css_put: ffff888122204010 --
<idle>-0 0d.s2. 17702845us : css_put: ffff888122200010 --
<...>-404 1..... 34888263us : css_put: ffff88811f1d8020 --
<...>-404 1..... 34894490us : css_put: ffff88811f1d8020 --
<...>-404 1..... 34894744us : css_put: ffff88811f1d8020 --
<...>-404 1..... 34894950us : css_put: ffff88811f1f4020 --
<...>-404 1..... 34895514us : css_put: ffff88811f1f4020 --
syz-exec-417 0..... 36181102us : css_get: ffff888110f56010 ++
syz-exec-417 0..... 36181114us : css_create: ffff88810d48c710 =1 ss=cpu
syz-exec-417 0..... 36181198us : css_get: ffff888110f56010 ++
syz-exec-417 0..... 36181206us : css_create: ffff888110ede010 =1 ss=memory
syz-exec-417 0..... 36181215us : css_get: ffff888110ede010 ++
syz-exec-417 0..... 36181329us : css_get: ffff888110f56010 ++
syz-exec-417 0..... 36181337us : css_create: ffff888110ce3810 =1 ss=pids
syz-exec-417 0d..1. 36181926us : css_get: ffff888110f56010 ++
syz-exec-417 0d..1. 36181932us : css_get: ffff88810d48c710 ++
syz-exec-417 0d..1. 36181935us : css_get: ffff888110ede010 ++
syz-exec-417 0d..1. 36181937us : css_get: ffff888110ce3810 ++
syz-exec-417 0..... 36192748us : css_put: ffff888110f56010 --
syz-exec-417 0..... 36192901us : css_get: ffff88811f1f4020 ++
syz-exec-417 0..... 36192934us : css_get: ffff888110fdc010 ++
syz-exec-417 0..... 36192944us : css_create: ffff8881256b0c10 =1 ss=cpuset
syz-exec-417 0..... 36205835us : css_get: ffff888110fdc010 ++
syz-exec-417 0..... 36205853us : css_create: ffff88810d075e10 =1 ss=cpuacct
syz-exec-417 0..... 36205914us : css_put: ffff88811f1f4020 --
syz-exec-417 0d..1. 36206136us : css_get: ffff888110f56010 ++
syz-exec-417 0d..1. 36206140us : css_get: ffff888110fdc010 ++
syz-exec-417 0d..1. 36206142us : css_get: ffff8881256b0c10 ++
syz-exec-417 0d..1. 36206145us : css_get: ffff88810d48c710 ++
syz-exec-417 0d..1. 36206147us : css_get: ffff88810d075e10 ++
syz-exec-417 0d..1. 36206150us : css_get: ffff888110ede010 ++
syz-exec-417 0d..1. 36206153us : css_get: ffff888110ce3810 ++
syz-exec-417 0d..1. 36206175us : css_put: ffff88810d48c710 --
syz-exec-417 0d..1. 36206178us : css_put: ffff888110ede010 --
syz-exec-417 0d..1. 36206181us : css_put: ffff888110ce3810 --
syz-exec-417 0d..1. 36206183us : css_put: ffff888110f56010 --
syz-exec-417 0..... 36206205us : css_put: ffff888110fdc010 --
syz-exec-417 0..... 36206385us : css_get: ffff88811f1d8020 ++
syz-exec-417 0..... 36206422us : css_get: ffff88811112e010 ++
syz-exec-417 0..... 36206434us : css_create: ffff888125730010 =1 ss=io
syz-exec-417 0..... 36206494us : css_get: ffff88811112e010 ++
syz-exec-417 0..... 36206515us : css_create: ffff88810d074810 =1 ss=freezer
syz-exec-417 0..... 36206555us : css_get: ffff88811112e010 ++
syz-exec-417 0..... 36206576us : css_create: ffff88810d075810 =1 ss=net_prio
syz-exec-417 0..... 36206624us : css_put: ffff88811f1d8020 --
syz-exec-417 0d..1. 36206799us : css_get: ffff888110f56010 ++
syz-exec-417 0d..1. 36206802us : css_get: ffff88811112e010 ++
syz-exec-417 0d..1. 36206805us : css_get: ffff888110fdc010 ++
syz-exec-417 0d..1. 36206807us : css_get: ffff8881256b0c10 ++
syz-exec-417 0d..1. 36206809us : css_get: ffff88810d48c710 ++
syz-exec-417 0d..1. 36206812us : css_get: ffff88810d075e10 ++
syz-exec-417 0d..1. 36206814us : css_get: ffff888125730010 ++
syz-exec-417 0d..1. 36206816us : css_get: ffff888110ede010 ++
syz-exec-417 0d..1. 36206818us : css_get: ffff88810d074810 ++
syz-exec-417 0d..1. 36206820us : css_get: ffff88810d075810 ++
syz-exec-417 0d..1. 36206822us : css_get: ffff888110ce3810 ++
syz-exec-417 0d..1. 36206841us : css_put: ffff8881256b0c10 --
syz-exec-417 0d..1. 36206843us : css_put: ffff88810d48c710 --
syz-exec-417 0d..1. 36206845us : css_put: ffff88810d075e10 --
syz-exec-417 0d..1. 36206847us : css_put: ffff888110ede010 --
syz-exec-417 0d..1. 36206850us : css_put: ffff888110ce3810 --
syz-exec-417 0d..1. 36206852us : css_put: ffff888110f56010 --
syz-exec-417 0d..1. 36206860us : css_put: ffff888110fdc010 --
syz-exec-417 0..... 36206871us : css_put: ffff88811112e010 --
syz-exec-417 0..... 36206975us : css_put: ffff888110f56010 --
syz-exec-417 0..... 36206979us : css_put: ffff888110ede010 --
syz-exec-417 0d.... 36207059us : css_put: ffff8881221ec010 --
syz-exec-417 0d.... 36207062us : css_get: ffff888110ede010 ++
syz-exec-417 0..... 36207064us : css_get: ffff888110ede010 ++
syz-exec-417 0..... 36207069us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36207321us : css_put: ffff888110f56010 --
syz-exec-417 0..... 36207324us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36207393us : css_get: ffff888110ede010 ++
syz-exec-417 0..... 36207395us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36207565us : css_get: ffff888110ede010 ++
syz-exec-417 0..... 36207568us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36208117us : css_put: ffff888110f56010 --
syz-exec-417 0..... 36208120us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36225436us : css_get: ffff888110ede010 ++
syz-exec-417 0..... 36225442us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36225811us : css_put: ffff888110f56010 --
syz-exec-417 0..... 36225814us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36226054us : css_get: ffff888110ede010 ++
syz-exec-417 0..... 36226057us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36226269us : css_get: ffff888110ede010 ++
syz-exec-417 0..... 36226283us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36232259us : css_put: ffff888110f56010 --
syz-exec-417 0..... 36232265us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36232443us : css_put: ffff888110f56010 --
syz-exec-417 0..... 36232445us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36234617us : css_put: ffff888110f56010 --
syz-exec-417 0..... 36234622us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36235097us : css_put: ffff888110f56010 --
syz-exec-417 0..... 36235100us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36235148us : css_get: ffff888110ede010 ++
syz-exec-417 0..... 36235150us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36235601us : css_get: ffff888110ede010 ++
syz-exec-417 0..... 36235605us : css_put: ffff888110ede010 --
<...>-442 0..... 36239915us : css_get: ffff888110ede010 ++
<...>-442 0..... 36239920us : css_put: ffff888110ede010 --
<...>-442 0..... 36239958us : css_get: ffff888110ede010 ++
<...>-442 0..... 36239960us : css_put: ffff888110ede010 --
<...>-442 0..... 36239995us : css_get: ffff888110ede010 ++
<...>-442 0..... 36239997us : css_put: ffff888110ede010 --
<...>-442 0..... 36240027us : css_get: ffff888110ede010 ++
<...>-442 0..... 36240029us : css_put: ffff888110ede010 --
<...>-442 0..... 36240044us : css_get: ffff888110ede010 ++
<...>-442 0..... 36240046us : css_put: ffff888110ede010 --
<...>-442 0..... 36240160us : css_get: ffff888110ede010 ++
<...>-442 0..... 36240162us : css_put: ffff888110ede010 --
<...>-442 0..... 36241003us : css_get: ffff888110ede010 ++
<...>-442 0..... 36241006us : css_put: ffff888110ede010 --
<...>-442 0..... 36241025us : css_get: ffff888110ede010 ++
<...>-442 0..... 36241027us : css_put: ffff888110ede010 --
<...>-442 0..... 36241093us : css_get: ffff888110ede010 ++
<...>-442 0..... 36241095us : css_put: ffff888110ede010 --
<...>-442 0..... 36241122us : css_get: ffff888110ede010 ++
<...>-442 0..... 36241124us : css_put: ffff888110ede010 --
<...>-442 0..... 36241144us : css_get: ffff888110ede010 ++
<...>-442 0..... 36241146us : css_put: ffff888110ede010 --
<...>-442 0..... 36241434us : css_get: ffff888110ede010 ++
<...>-442 0..... 36241439us : css_put: ffff888110ede010 --
<...>-443 0..... 36241515us : css_get: ffff888110ede010 ++
<...>-443 0..... 36241518us : css_put: ffff888110ede010 --
<...>-443 0..... 36241784us : css_get: ffff888110ede010 ++
<...>-443 0..... 36241787us : css_put: ffff888110ede010 --
<...>-442 0..... 36241959us : css_get: ffff888110ede010 ++
<...>-442 0..... 36241962us : css_put: ffff888110ede010 --
<...>-443 0d..1. 36242456us : css_get: ffff888110f56010 ++
<...>-443 0d..1. 36242460us : css_get: ffff88811112e010 ++
<...>-443 0d..1. 36242463us : css_get: ffff888110fdc010 ++
<...>-443 0d..1. 36242466us : css_get: ffff8881256b0c10 ++
<...>-443 0d..1. 36242468us : css_get: ffff88810d48c710 ++
<...>-443 0d..1. 36242471us : css_get: ffff88810d075e10 ++
<...>-443 0d..1. 36242473us : css_get: ffff888125730010 ++
<...>-443 0d..1. 36242475us : css_get: ffff888110ede010 ++
<...>-443 0d..1. 36242477us : css_get: ffff88810d074810 ++
<...>-443 0d..1. 36242479us : css_get: ffff88810d075810 ++
<...>-443 0d..1. 36242493us : css_put: ffff8881256b0c10 --
<...>-443 0d..1. 36242495us : css_put: ffff88810d48c710 --
<...>-443 0d..1. 36242497us : css_put: ffff88810d075e10 --
<...>-443 0d..1. 36242499us : css_put: ffff888125730010 --
<...>-443 0d..1. 36242501us : css_put: ffff888110ede010 --
<...>-443 0d..1. 36242503us : css_put: ffff88810d074810 --
<...>-443 0d..1. 36242505us : css_put: ffff88810d075810 --
<...>-443 0d..1. 36242507us : css_put: ffff888110ce3810 --
<...>-443 0d..1. 36242509us : css_put: ffff888110f56010 --
<...>-443 0d..1. 36242517us : css_put: ffff88811112e010 --
<...>-443 0d..1. 36242521us : css_put: ffff888110fdc010 --
<...>-443 0..... 36242535us : kill_css: ffff8881221bdc10
<...>-443 0..... 36242575us : css_get: ffff8881221bdc10 ++
<...>-443 0..... 36242585us : kill_css: ffff888110ce3810
<...>-443 0..... 36242612us : css_get: ffff888110ce3810 ++
<...>-443 0..... 36242950us : css_get: ffff888110ede010 ++
<...>-443 0..... 36242953us : css_put: ffff888110ede010 --
<...>-443 0..... 36242979us : css_get: ffff8881221e8010 ++
ksoftirq-14 0..s.. 36366413us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 36366419us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 36366424us : css_killed_ref_fn: ffff8881221bdc10 =2
ksoftirq-14 0..s.. 36366438us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 36366449us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 36366452us : percpu_ref_call_confirm_rcu: post-put 1
ksoftirq-14 0..s.. 36366455us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 36366458us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 36366460us : css_killed_ref_fn: ffff888110ce3810 =2
ksoftirq-14 0..s.. 36366466us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 36366469us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 36366471us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-35 0..... 36366596us : css_killed_work_fn: ffff8881221bdc10 pre-put 1
kworker/-35 0..... 36366599us : css_put: ffff8881221bdc10 --
kworker/-35 0..... 36366602us : css_release: ffff8881221bdc10 =0
kworker/-35 0..... 36366609us : css_killed_work_fn: ffff8881221bdc10 post-put 0
kworker/-35 0..... 36366623us : css_killed_work_fn: ffff888110ce3810 pre-put 1
kworker/-35 0..... 36366625us : css_put: ffff888110ce3810 --
kworker/-35 0..... 36366627us : css_release: ffff888110ce3810 =0
kworker/-35 0..... 36366632us : css_killed_work_fn: ffff888110ce3810 post-put 0
<...>-443 0..... 36366652us : css_put: ffff8881221e8010 --
<...>-443 0..... 36366673us : css_get: ffff8881221e8010 ++
<...>-443 0..... 36366697us : css_create: ffff8881111dd810 =1 ss=pids
<...>-443 0..... 36366746us : css_get: ffff888110f56010 ++
<...>-443 0..... 36366755us : css_create: ffff8881111df010 =1 ss=pids
<...>-443 0..... 36576062us : kill_css: ffff8881111dd810
<...>-443 0..... 36576108us : css_get: ffff8881111dd810 ++
<...>-443 0..... 36576116us : kill_css: ffff8881111df010
<...>-443 0..... 36576145us : css_get: ffff8881111df010 ++
<...>-443 0..... 36576485us : css_get: ffff888110ede010 ++
<...>-443 0..... 36576488us : css_put: ffff888110ede010 --
<...>-443 0..... 36576492us : css_put: ffff888110ede010 --
<...>-443 0..... 36580959us : css_get: ffff888110ede010 ++
<...>-443 0..... 36580962us : css_put: ffff888110ede010 --
<...>-443 0..... 36580964us : css_put: ffff888110ede010 --
<...>-443 0..... 36580966us : css_put: ffff888110ede010 --
<...>-443 0..... 36581023us : css_get: ffff888110ede010 ++
<...>-443 0..... 36581024us : css_put: ffff888110ede010 --
<...>-443 0..... 36581026us : css_put: ffff888110ede010 --
<...>-443 0..... 36581028us : css_put: ffff888110ede010 --
<...>-443 0..... 36581030us : css_put: ffff888110ede010 --
<...>-443 0..... 36581032us : css_put: ffff888110ede010 --
<...>-443 0..... 36581034us : css_put: ffff888110ede010 --
<...>-443 0..... 36581036us : css_put: ffff888110ede010 --
<...>-443 0..... 36581038us : css_put: ffff888110ede010 --
<...>-443 0..... 36581040us : css_put: ffff888110ede010 --
<...>-443 0..... 36581042us : css_put: ffff888110ede010 --
<...>-443 0..... 36581044us : css_put: ffff888110ede010 --
<...>-443 0..... 36581046us : css_put: ffff888110ede010 --
<...>-443 0..... 36581048us : css_put: ffff888110ede010 --
kworker/-35 0..... 36582775us : css_put: ffff8881221e8010 --
kworker/-35 0..... 36582785us : css_put: ffff888110f56010 --
syz-exec-417 0..... 36583981us : css_get: ffff888110ede010 ++
syz-exec-417 0..... 36583985us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36584006us : css_get: ffff888110ede010 ++
syz-exec-417 0..... 36584008us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36850778us : css_get: ffff888110ede010 ++
syz-exec-417 0..... 36850784us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36850808us : css_get: ffff888110ede010 ++
syz-exec-417 0..... 36850810us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36851794us : css_get: ffff888110ede010 ++
syz-exec-417 0..... 36851798us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36855853us : css_put: ffff888110f56010 --
syz-exec-417 0..... 36855858us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36856035us : css_put: ffff888110f56010 --
syz-exec-417 0..... 36856038us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36856298us : css_put: ffff888110f56010 --
syz-exec-417 0..... 36856300us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36856485us : css_put: ffff888110f56010 --
syz-exec-417 0..... 36856488us : css_put: ffff888110ede010 --
syz-exec-417 0..... 36856940us : css_get: ffff888110ede010 ++
syz-exec-417 0..... 36856942us : css_put: ffff888110ede010 --
<...>-444 0..... 36856996us : css_get: ffff888110ede010 ++
<...>-444 0..... 36856999us : css_put: ffff888110ede010 --
<...>-444 0..... 36857038us : css_get: ffff888110ede010 ++
<...>-444 0..... 36857040us : css_put: ffff888110ede010 --
<...>-444 0..... 36857077us : css_get: ffff888110ede010 ++
<...>-444 0..... 36857079us : css_put: ffff888110ede010 --
<...>-444 0..... 36857109us : css_get: ffff888110ede010 ++
<...>-444 0..... 36857111us : css_put: ffff888110ede010 --
<...>-444 0..... 36857126us : css_get: ffff888110ede010 ++
<...>-444 0..... 36857128us : css_put: ffff888110ede010 --
<...>-444 0..... 36857215us : css_get: ffff888110ede010 ++
<...>-444 0..... 36857217us : css_put: ffff888110ede010 --
<...>-444 0..... 36858105us : css_get: ffff888110ede010 ++
<...>-444 0..... 36858108us : css_put: ffff888110ede010 --
<...>-444 0..... 36858128us : css_get: ffff888110ede010 ++
<...>-444 0..... 36858131us : css_put: ffff888110ede010 --
<...>-444 0..... 36858199us : css_get: ffff888110ede010 ++
<...>-444 0..... 36858201us : css_put: ffff888110ede010 --
<...>-444 0..... 36858213us : css_get: ffff888110ede010 ++
<...>-444 0..... 36858215us : css_put: ffff888110ede010 --
<...>-444 0..... 36858232us : css_get: ffff888110ede010 ++
<...>-444 0..... 36858234us : css_put: ffff888110ede010 --
<...>-444 0..... 36858326us : css_get: ffff888110ede010 ++
<...>-444 0..... 36858328us : css_put: ffff888110ede010 --
<...>-445 0..... 36858356us : css_get: ffff888110ede010 ++
<...>-445 0..... 36858358us : css_put: ffff888110ede010 --
<...>-445 0..... 36858594us : css_get: ffff888110ede010 ++
<...>-445 0..... 36858597us : css_put: ffff888110ede010 --
<...>-444 0..... 36858708us : css_get: ffff888110ede010 ++
<...>-444 0..... 36858710us : css_put: ffff888110ede010 --
<...>-445 0..... 36858971us : css_get: ffff8881221e8010 ++
<idle>-0 0.Ns1. 36882786us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 36882793us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 36882797us : css_killed_ref_fn: ffff8881111dd810 =2
<idle>-0 0.Ns1. 36882806us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 36882816us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 36882819us : percpu_ref_call_confirm_rcu: post-put 1
<idle>-0 0.Ns1. 36882822us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<idle>-0 0.Ns1. 36882825us : percpu_ref_call_confirm_rcu: pre-conf 2
<idle>-0 0.Ns1. 36882827us : css_killed_ref_fn: ffff8881111df010 =2
<idle>-0 0.Ns1. 36882834us : percpu_ref_call_confirm_rcu: post-conf 2
<idle>-0 0.Ns1. 36882838us : percpu_ref_call_confirm_rcu: pre-put 2
<idle>-0 0.Ns1. 36882841us : percpu_ref_call_confirm_rcu: post-put 1
kworker/-35 0..... 36882974us : css_killed_work_fn: ffff8881111dd810 pre-put 1
kworker/-35 0..... 36882977us : css_put: ffff8881111dd810 --
kworker/-35 0..... 36882980us : css_release: ffff8881111dd810 =0
kworker/-35 0..... 36882985us : css_killed_work_fn: ffff8881111dd810 post-put 0
kworker/-35 0..... 36883016us : css_killed_work_fn: ffff8881111df010 pre-put 1
kworker/-35 0..... 36883018us : css_put: ffff8881111df010 --
kworker/-35 0..... 36883021us : css_release: ffff8881111df010 =0
kworker/-35 0..... 36883025us : css_killed_work_fn: ffff8881111df010 post-put 0
<...>-445 0..... 36883246us : css_put: ffff8881221e8010 --
<...>-445 0..... 36883509us : css_get: ffff888110ede010 ++
<...>-445 0..... 36883512us : css_put: ffff888110ede010 --
<...>-445 0..... 36883562us : css_get: ffff8881221e8010 ++
<...>-445 0..... 36883584us : css_create: ffff88812574bc10 =1 ss=pids
<...>-445 0..... 36883630us : css_get: ffff888110f56010 ++
<...>-445 0..... 36883638us : css_create: ffff88812574a810 =1 ss=pids
<...>-445 0..... 37264989us : kill_css: ffff88812574bc10
<...>-445 0..... 37265034us : css_get: ffff88812574bc10 ++
<...>-445 0..... 37265042us : kill_css: ffff88812574a810
<...>-445 0..... 37265072us : css_get: ffff88812574a810 ++
<...>-445 0..... 37266269us : css_get: ffff888110ede010 ++
<...>-445 0..... 37266273us : css_put: ffff888110ede010 --
<...>-445 0..... 37266277us : css_put: ffff888110ede010 --
<...>-445 0..... 37266550us : css_get: ffff888110ede010 ++
<...>-445 0..... 37266553us : css_put: ffff888110ede010 --
<...>-445 0..... 37266555us : css_put: ffff888110ede010 --
<...>-445 0..... 37266557us : css_put: ffff888110ede010 --
<...>-445 0..... 37266605us : css_get: ffff888110ede010 ++
<...>-445 0..... 37266607us : css_put: ffff888110ede010 --
<...>-445 0..... 37266609us : css_put: ffff888110ede010 --
<...>-445 0..... 37266610us : css_put: ffff888110ede010 --
<...>-445 0..... 37266612us : css_put: ffff888110ede010 --
<...>-445 0..... 37266614us : css_put: ffff888110ede010 --
<...>-445 0..... 37266616us : css_put: ffff888110ede010 --
<...>-445 0..... 37266618us : css_put: ffff888110ede010 --
<...>-445 0..... 37266619us : css_put: ffff888110ede010 --
<...>-445 0..... 37266620us : css_put: ffff888110ede010 --
<...>-445 0..... 37266622us : css_put: ffff888110ede010 --
<...>-445 0..... 37266624us : css_put: ffff888110ede010 --
<...>-445 0..... 37266626us : css_put: ffff888110ede010 --
<...>-445 0..... 37266628us : css_put: ffff888110ede010 --
<...>-445 0..... 37266631us : css_put: ffff888110ede010 --
syz-exec-417 0..... 37270212us : css_get: ffff888110ede010 ++
syz-exec-417 0..... 37270216us : css_put: ffff888110ede010 --
syz-exec-417 1..... 37280374us : css_put: ffff888110f56010 --
syz-exec-417 1..... 37280380us : css_put: ffff888110ede010 --
syz-exec-417 1..... 37280511us : css_put: ffff888110f56010 --
syz-exec-417 1..... 37280513us : css_put: ffff888110ede010 --
syz-exec-417 1..... 37280767us : css_put: ffff888110f56010 --
syz-exec-417 1..... 37280770us : css_put: ffff888110ede010 --
syz-exec-417 1..... 37281267us : css_put: ffff888110f56010 --
syz-exec-417 1..... 37281270us : css_put: ffff888110ede010 --
syz-exec-417 1d.... 37281750us : css_put: ffff8881221ec010 --
syz-exec-417 1d.... 37281754us : css_get: ffff888110ede010 ++
syz-exec-417 1..... 37281756us : css_get: ffff888110ede010 ++
syz-exec-417 1..... 37281759us : css_put: ffff888110ede010 --
<...>-446 0..... 37281856us : css_get: ffff888110ede010 ++
<...>-446 0..... 37281859us : css_put: ffff888110ede010 --
<...>-446 0..... 37281895us : css_get: ffff888110ede010 ++
<...>-446 0..... 37281896us : css_put: ffff888110ede010 --
<...>-446 0..... 37281939us : css_get: ffff888110ede010 ++
<...>-446 0..... 37281942us : css_put: ffff888110ede010 --
<...>-446 0..... 37281978us : css_get: ffff888110ede010 ++
<...>-446 0..... 37281981us : css_put: ffff888110ede010 --
<...>-446 0..... 37281996us : css_get: ffff888110ede010 ++
<...>-446 0..... 37281998us : css_put: ffff888110ede010 --
<...>-446 0..... 37282069us : css_get: ffff888110ede010 ++
<...>-446 0..... 37282072us : css_put: ffff888110ede010 --
<...>-446 0..... 37282952us : css_get: ffff888110ede010 ++
<...>-446 0..... 37282956us : css_put: ffff888110ede010 --
<...>-446 0..... 37282975us : css_get: ffff888110ede010 ++
<...>-446 0..... 37282977us : css_put: ffff888110ede010 --
<...>-446 0..... 37283042us : css_get: ffff888110ede010 ++
<...>-446 0..... 37283045us : css_put: ffff888110ede010 --
<...>-446 0..... 37283058us : css_get: ffff888110ede010 ++
<...>-446 0..... 37283060us : css_put: ffff888110ede010 --
<...>-446 0..... 37283077us : css_get: ffff888110ede010 ++
<...>-446 0..... 37283079us : css_put: ffff888110ede010 --
<...>-446 0..... 37283166us : css_get: ffff888110ede010 ++
<...>-446 0..... 37283169us : css_put: ffff888110ede010 --
<...>-447 1..... 37284526us : css_get: ffff888110ede010 ++
<...>-447 1..... 37284529us : css_put: ffff888110ede010 --
<...>-447 1..... 37284784us : css_get: ffff888110ede010 ++
<...>-447 1..... 37284787us : css_put: ffff888110ede010 --
<...>-446 1..... 37284925us : css_get: ffff888110ede010 ++
<...>-446 1..... 37284927us : css_put: ffff888110ede010 --
<...>-447 1..... 37285237us : css_get: ffff8881221e8010 ++
<...>-53 0..... 37292821us : css_put: ffff8881221e8010 --
<...>-53 0..... 37292831us : css_put: ffff888110f56010 --
ksoftirq-14 0..s.. 37302871us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 37302877us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 37302881us : css_killed_ref_fn: ffff88812574bc10 =2
ksoftirq-14 0..s.. 37302893us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 37302900us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 37302902us : percpu_ref_call_confirm_rcu: post-put 1
ksoftirq-14 0..s.. 37302906us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
ksoftirq-14 0..s.. 37302908us : percpu_ref_call_confirm_rcu: pre-conf 2
ksoftirq-14 0..s.. 37302910us : css_killed_ref_fn: ffff88812574a810 =2
ksoftirq-14 0..s.. 37302916us : percpu_ref_call_confirm_rcu: post-conf 2
ksoftirq-14 0..s.. 37302920us : percpu_ref_call_confirm_rcu: pre-put 2
ksoftirq-14 0..s.. 37302922us : percpu_ref_call_confirm_rcu: post-put 1
<...>-53 0..... 37303572us : css_killed_work_fn: ffff88812574bc10 pre-put 1
<...>-53 0..... 37303576us : css_put: ffff88812574bc10 --
<...>-53 0..... 37303578us : css_release: ffff88812574bc10 =0
<...>-53 0..... 37303585us : css_killed_work_fn: ffff88812574bc10 post-put 0
<...>-53 0..... 37303590us : css_killed_work_fn: ffff88812574a810 pre-put 1
<...>-53 0..... 37303593us : css_put: ffff88812574a810 --
<...>-53 0..... 37303595us : css_release: ffff88812574a810 =0
<...>-53 0..... 37303600us : css_killed_work_fn: ffff88812574a810 post-put 0
<...>-447 0..... 37303642us : css_put: ffff8881221e8010 --
<...>-447 0..... 37303915us : css_get: ffff888110ede010 ++
<...>-447 0..... 37303918us : css_put: ffff888110ede010 --
<...>-447 0..... 37303966us : css_get: ffff8881221e8010 ++
<...>-447 0..... 37303986us : css_create: ffff8881257e6010 =1 ss=pids
<...>-447 0..... 37304029us : css_get: ffff888110f56010 ++
<...>-447 0..... 37304038us : css_create: ffff8881257e7410 =1 ss=pids
<...>-53 0..... 37724046us : css_put: ffff8881221e8010 --
<...>-53 0..... 37724222us : css_put: ffff888110f56010 --
<...>-447 0..... 37724893us : kill_css: ffff8881257e6010
<...>-447 0..... 37724934us : css_get: ffff8881257e6010 ++
<...>-447 0..... 37724941us : kill_css: ffff8881257e7410
<...>-447 0..... 37724972us : css_get: ffff8881257e7410 ++
syz-exec-408 1..... 37725306us : css_get: ffff888111a74010 ++
syz-exec-408 1..... 37725322us : css_create: ffff888121516c50 =1 ss=cpu
syz-exec-408 1..... 37725504us : css_get: ffff888111a74010 ++
syz-exec-408 1..... 37725517us : css_create: ffff888111a70010 =1 ss=memory
syz-exec-408 1..... 37725527us : css_get: ffff888111a70010 ++
syz-exec-408 1d..1. 37726238us : css_get: ffff888111a74010 ++
syz-exec-408 1d..1. 37726243us : css_get: ffff888121516c50 ++
syz-exec-408 1d..1. 37726246us : css_get: ffff888111a70010 ++
syz-exec-408 1..... 37726293us : css_put: ffff888111a74010 --
syz-exec-408 1..... 37726392us : css_get: ffff88811f1f4020 ++
syz-exec-408 1..... 37726421us : css_get: ffff888111a76010 ++
syz-exec-408 1..... 37726430us : css_create: ffff8881257dbc10 =1 ss=cpuset
syz-exec-408 1..... 37727142us : css_get: ffff888111a76010 ++
syz-exec-408 1..... 37727152us : css_create: ffff888111a8ac10 =1 ss=cpuacct
syz-exec-408 1..... 37727228us : css_put: ffff88811f1f4020 --
syz-exec-408 1d..1. 37733282us : css_get: ffff888111a74010 ++
syz-exec-408 1d..1. 37733287us : css_get: ffff888111a76010 ++
syz-exec-408 1d..1. 37733291us : css_get: ffff8881257dbc10 ++
syz-exec-408 1d..1. 37733293us : css_get: ffff888121516c50 ++
syz-exec-408 1d..1. 37733295us : css_get: ffff888111a8ac10 ++
syz-exec-408 1d..1. 37733298us : css_get: ffff888111a70010 ++
syz-exec-408 1d..1. 37733325us : css_put: ffff888121516c50 --
syz-exec-408 1d..1. 37733327us : css_put: ffff888111a70010 --
syz-exec-408 1d..1. 37733330us : css_put: ffff888111a74010 --
syz-exec-408 1..... 37733352us : css_put: ffff888111a76010 --
syz-exec-408 1..... 37733492us : css_get: ffff88811f1d8020 ++
syz-exec-408 1..... 37733531us : css_get: ffff888111b4a010 ++
syz-exec-408 1..... 37733540us : css_create: ffff888125c2a410 =1 ss=io
syz-exec-408 1..... 37733602us : css_get: ffff888111b4a010 ++
syz-exec-408 1..... 37733609us : css_create: ffff888111a89a10 =1 ss=freezer
syz-exec-408 1..... 37733646us : css_get: ffff888111b4a010 ++
syz-exec-408 1..... 37733654us : css_create: ffff888111a89010 =1 ss=net_prio
<...>-447 1..... 37733729us : css_get: ffff888110ede010 ++
<...>-447 1..... 37733732us : css_put: ffff888110ede010 --
<...>-447 1..... 37733736us : css_put: ffff888110ede010 --
<...>-447 1..... 37734034us : css_get: ffff888110ede010 ++
<...>-447 1..... 37734036us : css_put: ffff888110ede010 --
<...>-447 1..... 37734038us : css_put: ffff888110ede010 --
<...>-447 1..... 37734040us : css_put: ffff888110ede010 --
<...>-447 1..... 37734090us : css_get: ffff888110ede010 ++
<...>-447 1..... 37734092us : css_put: ffff888110ede010 --
<...>-447 1..... 37734094us : css_put: ffff888110ede010 --
<...>-447 1..... 37734096us : css_put: ffff888110ede010 --
<...>-447 1..... 37734098us : css_put: ffff888110ede010 --
<...>-447 1..... 37734100us : css_put: ffff888110ede010 --
<...>-447 1..... 37734102us : css_put: ffff888110ede010 --
<...>-447 1..... 37734104us : css_put: ffff888110ede010 --
<...>-447 1..... 37734108us : css_put: ffff888110ede010 --
<...>-447 1..... 37734110us : css_put: ffff888110ede010 --
<...>-447 1..... 37734112us : css_put: ffff888110ede010 --
<...>-447 1..... 37734114us : css_put: ffff888110ede010 --
<...>-447 1..... 37734116us : css_put: ffff888110ede010 --
<...>-447 1..... 37734118us : css_put: ffff888110ede010 --
<...>-447 1..... 37734120us : css_put: ffff888110ede010 --
syz-exec-417 1..... 37742327us : css_get: ffff888110ede010 ++
syz-exec-417 1..... 37742333us : css_put: ffff888110ede010 --
syz-exec-417 1..... 37742613us : css_put: ffff888110f56010 --
syz-exec-417 1..... 37742616us : css_put: ffff888110ede010 --
syz-exec-417 1..... 37742980us : css_put: ffff888110f56010 --
syz-exec-417 1..... 37742982us : css_put: ffff888110ede010 --
syz-exec-417 1..... 37743279us : css_put: ffff888110f56010 --
syz-exec-417 1..... 37743281us : css_put: ffff888110ede010 --
syz-exec-417 1..... 37743778us : css_put: ffff888110f56010 --
syz-exec-417 1..... 37743781us : css_put: ffff888110ede010 --
syz-exec-417 1..... 37744212us : css_get: ffff888110ede010 ++
syz-exec-417 1..... 37744215us : css_put: ffff888110ede010 --
<...>-448 1..... 37744271us : css_get: ffff888110ede010 ++
<...>-448 1..... 37744273us : css_put: ffff888110ede010 --
<...>-448 1..... 37744311us : css_get: ffff888110ede010 ++
<...>-448 1..... 37744314us : css_put: ffff888110ede010 --
<...>-448 1..... 37744348us : css_get: ffff888110ede010 ++
<...>-448 1..... 37744350us : css_put: ffff888110ede010 --
<...>-448 1..... 37744380us : css_get: ffff888110ede010 ++
<...>-448 1..... 37744383us : css_put: ffff888110ede010 --
<...>-448 1..... 37744397us : css_get: ffff888110ede010 ++
<...>-448 1..... 37744399us : css_put: ffff888110ede010 --
<...>-448 1..... 37744471us : css_get: ffff888110ede010 ++
<...>-448 1..... 37744474us : css_put: ffff888110ede010 --
<...>-448 1..... 37745282us : css_get: ffff888110ede010 ++
<...>-448 1..... 37745285us : css_put: ffff888110ede010 --
<...>-448 1..... 37745357us : css_get: ffff888110ede010 ++
<...>-448 1..... 37745359us : css_put: ffff888110ede010 --
<...>-448 1..... 37745427us : css_get: ffff888110ede010 ++
<...>-448 1..... 37745429us : css_put: ffff888110ede010 --
<...>-448 1..... 37745442us : css_get: ffff888110ede010 ++
<...>-448 1..... 37745444us : css_put: ffff888110ede010 --
<...>-448 1..... 37745460us : css_get: ffff888110ede010 ++
<...>-448 1..... 37745462us : css_put: ffff888110ede010 --
<...>-448 1..... 37745548us : css_get: ffff888110ede010 ++
<...>-448 1..... 37745550us : css_put: ffff888110ede010 --
<...>-449 1..... 37747629us : css_get: ffff888110ede010 ++
<...>-449 1..... 37747633us : css_put: ffff888110ede010 --
<...>-449 1..... 37747903us : css_get: ffff888110ede010 ++
<...>-449 1..... 37747906us : css_put: ffff888110ede010 --
<...>-448 1..... 37748026us : css_get: ffff888110ede010 ++
<...>-448 1..... 37748028us : css_put: ffff888110ede010 --
<...>-53 0.Ns1. 37766653us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<...>-53 0.Ns1. 37766656us : percpu_ref_call_confirm_rcu: pre-conf 2
<...>-53 0.Ns1. 37766659us : css_killed_ref_fn: ffff8881257e6010 =2
<...>-53 0.Ns1. 37766665us : percpu_ref_call_confirm_rcu: post-conf 2
<...>-53 0.Ns1. 37766668us : percpu_ref_call_confirm_rcu: pre-put 2
<...>-53 0.Ns1. 37766670us : percpu_ref_call_confirm_rcu: post-put 1
<...>-53 0.Ns1. 37766672us : percpu_ref_switch_to_atomic_rcu: global 9223372036854775809 percpu 1
<...>-53 0.Ns1. 37766673us : percpu_ref_call_confirm_rcu: pre-conf 2
<...>-53 0.Ns1. 37766675us : css_killed_ref_fn: ffff8881257e7410 =2
<...>-53 0.Ns1. 37766679us : percpu_ref_call_confirm_rcu: post-conf 2
<...>-53 0.Ns1. 37766681us : percpu_ref_call_confirm_rcu: pre-put 2
<...>-53 0.Ns1. 37766682us : percpu_ref_call_confirm_rcu: post-put 1
<...>-448 1..... 37798299us : css_get: ffff888110ede010 ++
<...>-448 1..... 37798305us : css_put: ffff888110ede010 --
<...>-450 1..... 37798887us : css_get: ffff888110ede010 ++
<...>-450 1..... 37798890us : css_put: ffff888110ede010 --
syz-exec-408 0..... 37876966us : css_put: ffff88811f1d8020 --
syz-exec-408 0d..1. 37877182us : css_get: ffff888111a74010 ++
syz-exec-408 0d..1. 37877186us : css_get: ffff888111b4a010 ++
syz-exec-408 0d..1. 37877188us : css_get: ffff888111a76010 ++
syz-exec-408 0d..1. 37877192us : css_get: ffff8881257dbc10 ++
syz-exec-408 0d..1. 37877194us : css_get: ffff888121516c50 ++
syz-exec-408 0d..1. 37877196us : css_get: ffff888111a8ac10 ++
syz-exec-408 0d..1. 37877199us : css_get: ffff888125c2a410 ++
syz-exec-408 0d..1. 37877201us : css_get: ffff888111a70010 ++
syz-exec-408 0d..1. 37877203us : css_get: ffff888111a89a10 ++
syz-exec-408 0d..1. 37877204us : css_get: ffff888111a89010 ++
syz-exec-408 0d..1. 37877226us : css_put: ffff8881257dbc10 --
syz-exec-408 0d..1. 37877228us : css_put: ffff888121516c50 --
syz-exec-408 0d..1. 37877230us : css_put: ffff888111a8ac10 --
syz-exec-408 0d..1. 37877232us : css_put: ffff888111a70010 --
syz-exec-408 0d..1. 37877236us : css_put: ffff888111a74010 --
syz-exec-408 0d..1. 37877244us : css_put: ffff888111a76010 --
syz-exec-408 0..... 37877261us : css_put: ffff888111b4a010 --
syz-exec-408 0..... 37877368us : css_put: ffff888111a74010 --
syz-exec-408 0..... 37877371us : css_put: ffff888111a70010 --
syz-exec-408 0d.... 37877468us : css_put: ffff888110ede010 --
syz-exec-408 0d.... 37877470us : css_get: ffff888111a70010 ++
syz-exec-408 0..... 37877473us : css_get: ffff888111a70010 ++
syz-exec-408 0..... 37877477us : css_put: ffff888111a70010 --
syz-exec-408 0..... 37877671us : css_put: ffff888111a74010 --
syz-exec-408 0..... 37877673us : css_put: ffff888111a70010 --
syz-exec-408 0..... 37877751us : css_get: ffff888111a70010 ++
syz-exec-408 0..... 37877753us : css_put: ffff888111a70010 --
syz-exec-408 0..... 37877926us : css_get: ffff888111a70010 ++
syz-exec-408 0..... 37877929us : css_put: ffff888111a70010 --
syz-exec-408 0..... 37878501us : css_put: ffff888111a74010 --
syz-exec-408 0..... 37878504us : css_put: ffff888111a70010 --
syz-exec-408 0..... 37878713us : css_get: ffff888111a70010 ++
syz-exec-408 0..... 37878716us : css_put: ffff888111a70010 --
syz-exec-408 0..... 37879042us : css_put: ffff888111a74010 --
syz-exec-408 0..... 37879044us : css_put: ffff888111a70010 --
<...>-6 0..... 37879276us : css_killed_work_fn: ffff8881257e6010 pre-put 1
<...>-6 0..... 37879278us : css_put: ffff8881257e6010 --
<...>-6 0..... 37879281us : css_release: ffff8881257e6010 =0
<...>-6 0..... 37879287us : css_killed_work_fn: ffff8881257e6010 post-put 0
<...>-6 0..... 37879333us : css_killed_work_fn: ffff8881257e7410 pre-put 1
<...>-6 0..... 37879335us : css_put: ffff8881257e7410 --
<...>-6 0..... 37879336us : css_release: ffff8881257e7410 =0
<...>-6 0..... 37879341us : css_killed_work_fn: ffff8881257e7410 post-put 0
syz-exec-416 1..... 37879554us : css_get: ffff888111d5e010 ++
syz-exec-416 1..... 37879565us : css_create: ffff888121516010 =1 ss=cpu
syz-exec-416 1..... 37879678us : css_get: ffff888111d5e010 ++
syz-exec-416 1..... 37879686us : css_create: ffff888111e96010 =1 ss=memory
syz-exec-416 1..... 37879693us : css_get: ffff888111e96010 ++
syz-exec-408 0..... 37879694us : css_get: ffff888111a70010 ++
syz-exec-408 0..... 37879698us : css_put: ffff888111a70010 --
syz-exec-416 1d..1. 37880299us : css_get: ffff888111d5e010 ++
syz-exec-416 1d..1. 37880305us : css_get: ffff888121516010 ++
syz-exec-416 1d..1. 37880308us : css_get: ffff888111e96010 ++
syz-exec-416 1..... 37880344us : css_put: ffff888111d5e010 --
syz-exec-416 1..... 37880445us : css_get: ffff88811f1f4020 ++
syz-exec-416 1..... 37880476us : css_get: ffff888111e90010 ++
syz-exec-416 1..... 37880485us : css_create: ffff888125c77010 =1 ss=cpuset
<...>-450 1..... 37880578us : css_get: ffff888110ede010 ++
<...>-450 1..... 37880581us : css_put: ffff888110ede010 --
<...>-450 1..... 37880584us : css_put: ffff888110ede010 --
<...>-450 1..... 37880883us : css_get: ffff888110ede010 ++
<...>-450 1..... 37880886us : css_put: ffff888110ede010 --
<...>-450 1..... 37880888us : css_put: ffff888110ede010 --
<...>-450 1..... 37880891us : css_put: ffff888110ede010 --
<...>-450 1..... 37880945us : css_get: ffff888110ede010 ++
<...>-450 1..... 37880947us : css_put: ffff888110ede010 --
<...>-450 1..... 37880949us : css_put: ffff888110ede010 --
<...>-450 1..... 37880951us : css_put: ffff888110ede010 --
<...>-450 1..... 37880953us : css_put: ffff888110ede010 --
<...>-450 1..... 37880955us : css_put: ffff888110ede010 --
<...>-450 1..... 37880957us : css_put: ffff888110ede010 --
<...>-450 1..... 37880959us : css_put: ffff888110ede010 --
<...>-450 1..... 37880961us : css_put: ffff888110ede010 --
<...>-450 1..... 37880962us : css_put: ffff888110ede010 --
<...>-450 1..... 37880964us : css_put: ffff888110ede010 --
<...>-450 1..... 37880966us : css_put: ffff888110ede010 --
<...>-450 1..... 37880968us : css_put: ffff888110ede010 --
<...>-450 1..... 37880970us : css_put: ffff888110ede010 --
<...>-450 1..... 37880972us : css_put: ffff888110ede010 --
<...>-450 1..... 37880975us : css_put: ffff888110ede010 --
syz-exec-408 1..... 37889225us : css_put: ffff888111a74010 --
syz-exec-408 1..... 37889230us : css_put: ffff888111a70010 --
syz-exec-408 1..... 37889427us : css_put: ffff888111a74010 --
syz-exec-408 1..... 37889430us : css_put: ffff888111a70010 --
syz-exec-408 1..... 37889686us : css_put: ffff888111a74010 --
syz-exec-408 1..... 37889688us : css_put: ffff888111a70010 --
syz-exec-408 1..... 37889873us : css_put: ffff888111a74010 --
syz-exec-408 1..... 37889876us : css_put: ffff888111a70010 --
syz-exec-408 1d.... 37889922us : css_put: ffff888110ede010 --
syz-exec-408 1d.... 37889925us : css_get: ffff888111a70010 ++
syz-exec-408 1..... 37889927us : css_get: ffff888111a70010 ++
syz-exec-408 1..... 37889931us : css_put: ffff888111a70010 --
<...>-452 0..... 37890367us : css_get: ffff888111a70010 ++
syz-exec-408 1..... 37890367us : css_get: ffff888111a70010 ++
<...>-452 0..... 37890370us : css_put: ffff888111a70010 --
syz-exec-408 1..... 37890370us : css_put: ffff888111a70010 --
<...>-452 0..... 37890438us : css_get: ffff888111a70010 ++
<...>-452 0..... 37890441us : css_put: ffff888111a70010 --
<...>-452 0..... 37890476us : css_get: ffff888111a700

Tested on:

commit: 5500e05d DEBUG mark trace end
git tree: https://github.com/Werkov/linux.git cgroup-ml/css-lifecycle-b2
console output: https://syzkaller.appspot.com/x/log.txt?x=13a81b19f00000

syzbot

May 27, 2022, 12:46:10 PM5/27/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: d2058918 css_put test
git tree: https://github.com/tstruk/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=af0f8c697adc9063
dashboard link: https://syzkaller.appspot.com/bug?extid=e42ae441c3b10acf9e9d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

syzbot

May 27, 2022, 1:14:10 PM5/27/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to copy test binary to VM: timedout after 1m0s ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-fuzzer" "ro...@10.128.0.245:./syz-fuzzer"]
Warning: Permanently added '10.128.0.245' (ECDSA) to the list of known hosts.





Tested on:

commit: 6be3691c cgroup: css_put imbalance test
git tree: https://github.com/tstruk/linux.git linux-5.10.y
kernel config: https://syzkaller.appspot.com/x/.config?x=c69b164231ab3df5

syzbot

May 27, 2022, 1:30:15 PM5/27/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

list_add corruption. prev->next should be next (ffff8881f705b460), but was ffff88810f3c3870. (prev=ffff88810f3c3870).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.10.118-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 07 6a 1c 02 0f 0b 48 c7 c7 50 39 d6 85 e8 b6 f2 19 00 48 c7 c7 20 ef 02 85 4c 89 f6 4c 89 e1 31 c0 e8 e5 69 1c 02 <0f> 0b 48 c7 c7 60 39 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b468 RCX: 1653eea7686f4900
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff815144f8 R09: ffffed103ee0a590
R10: ffffed103ee0a590 R11: 1ffff1103ee0a58f R12: ffff88810f3c3870
R13: dffffc0000000000 R14: ffff8881f705b460 R15: ffff88810f3c3870
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff1ee300d8 CR3: 00000001086d9000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0xfc/0x330 kernel/workqueue.c:1342
__queue_work+0x99e/0xe20 kernel/workqueue.c:1504
queue_work_on+0xbe/0x110 kernel/workqueue.c:1531
queue_work include/linux/workqueue.h:507 [inline]
css_release+0xae/0xc0 kernel/cgroup/cgroup.c:5112
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5be/0x5e0 lib/percpu-refcount.c:199
rcu_do_batch+0x4ad/0xb00 kernel/rcu/tree.c:2485
rcu_core+0x64a/0xdf0 kernel/rcu/tree.c:2726
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2739
__do_softirq+0x253/0x67b kernel/softirq.c:298
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:393 [inline]
__irq_exit_rcu+0x152/0x1e0 kernel/softirq.c:423
irq_exit_rcu+0x9/0x10 kernel/softirq.c:435
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:49 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:89 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:114 [inline]
RIP: 0010:acpi_idle_do_entry+0xbb/0x1f0 drivers/acpi/processor_idle.c:558
Code: 89 de 48 83 e6 08 31 ff e8 02 3c 0a fd 48 83 e3 08 0f 85 ae 00 00 00 e9 0c 00 00 00 e8 ce 36 0a fd 0f 00 2d 47 10 ab 00 fb f4 <fa> e9 a1 00 00 00 49 83 c6 04 4c 89 f0 48 c1 e8 03 42 8a 04 38 84
RSP: 0018:ffffffff85a07ce8 EFLAGS: 00000246
RAX: 1ffffffff0b43630 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffffffff85a1b180 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffff85a07d00 R08: ffffffff845ed31e R09: fffffbfff0b43631
R10: fffffbfff0b43631 R11: 1ffffffff0b43630 R12: 0000000000000001
R13: ffff888100073804 R14: ffff8881019ea064 R15: dffffc0000000000
acpi_idle_enter+0x32d/0x4f0 drivers/acpi/processor_idle.c:693
cpuidle_enter_state+0x4c8/0x10d0 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:351
call_cpuidle kernel/sched/idle.c:158 [inline]
cpuidle_idle_call kernel/sched/idle.c:239 [inline]
do_idle+0x3a8/0x540 kernel/sched/idle.c:300
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:396
rest_init+0xe6/0xf0 init/main.c:722
arch_call_rest_init+0xe/0x10 init/main.c:846
start_kernel+0x473/0x50e init/main.c:1058
x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:526
x86_64_start_kernel+0x7a/0x7d arch/x86/kernel/head64.c:507
secondary_startup_64_no_verify+0xb0/0xbb
Modules linked in:
---[ end trace df2a91dc88feb1f4 ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 07 6a 1c 02 0f 0b 48 c7 c7 50 39 d6 85 e8 b6 f2 19 00 48 c7 c7 20 ef 02 85 4c 89 f6 4c 89 e1 31 c0 e8 e5 69 1c 02 <0f> 0b 48 c7 c7 60 39 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b468 RCX: 1653eea7686f4900
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff815144f8 R09: ffffed103ee0a590
R10: ffffed103ee0a590 R11: 1ffff1103ee0a58f R12: ffff88810f3c3870
R13: dffffc0000000000 R14: ffff8881f705b460 R15: ffff88810f3c3870
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff1ee300d8 CR3: 00000001086d9000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: 48 83 e6 08 and $0x8,%rsi
6: 31 ff xor %edi,%edi
8: e8 02 3c 0a fd callq 0xfd0a3c0f
d: 48 83 e3 08 and $0x8,%rbx
11: 0f 85 ae 00 00 00 jne 0xc5
17: e9 0c 00 00 00 jmpq 0x28
1c: e8 ce 36 0a fd callq 0xfd0a36ef
21: 0f 00 2d 47 10 ab 00 verw 0xab1047(%rip) # 0xab106f
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 a1 00 00 00 jmpq 0xd1
30: 49 83 c6 04 add $0x4,%r14
34: 4c 89 f0 mov %r14,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 8a 04 38 mov (%rax,%r15,1),%al
3f: 84 .byte 0x84


Tested on:

commit: c204ee33 Linux 5.10.118
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1746a04df00000

syzbot

May 27, 2022, 2:07:09 PM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

list_add corruption. prev->next should be next (ffff8881f705b460), but was ffff888111b35470. (prev=ffff888111b35470).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.10.118-syzkaller-00001-ga24cf7ad2162 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 e7 6a 1c 02 0f 0b 48 c7 c7 d0 40 d6 85 e8 b6 f2 19 00 48 c7 c7 c0 fc 02 85 4c 89 f6 4c 89 e1 31 c0 e8 c5 6a 1c 02 <0f> 0b 48 c7 c7 e0 40 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b468 RCX: 208e090d32344900
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff81514578 R09: ffffed103ee0a590
R10: ffffed103ee0a590 R11: 1ffff1103ee0a58f R12: ffff888111b35470
R13: dffffc0000000000 R14: ffff8881f705b460 R15: ffff888111b35470
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555f933b8 CR3: 000000010a04c000 CR4: 00000000003506b0
Code: 89 de 48 83 e6 08 31 ff e8 c2 51 0a fd 48 83 e3 08 0f 85 ae 00 00 00 e9 0c 00 00 00 e8 8e 4c 0a fd 0f 00 2d 27 31 ab 00 fb f4 <fa> e9 a1 00 00 00 49 83 c6 04 4c 89 f0 48 c1 e8 03 42 8a 04 38 84
RSP: 0018:ffffffff85a07ce8 EFLAGS: 00000246
RAX: 1ffffffff0b43630 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffffffff85a1b180 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffff85a07d00 R08: ffffffff845ebffe R09: fffffbfff0b43631
R10: fffffbfff0b43631 R11: 1ffffffff0b43630 R12: 0000000000000001
R13: ffff888100070804 R14: ffff888101ad7064 R15: dffffc0000000000
acpi_idle_enter+0x32d/0x4f0 drivers/acpi/processor_idle.c:693
cpuidle_enter_state+0x4c8/0x10d0 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:351
call_cpuidle kernel/sched/idle.c:158 [inline]
cpuidle_idle_call kernel/sched/idle.c:239 [inline]
do_idle+0x3a8/0x540 kernel/sched/idle.c:300
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:396
rest_init+0xe6/0xf0 init/main.c:722
arch_call_rest_init+0xe/0x10 init/main.c:846
start_kernel+0x473/0x50e init/main.c:1058
x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:526
x86_64_start_kernel+0x7a/0x7d arch/x86/kernel/head64.c:507
secondary_startup_64_no_verify+0xb0/0xbb
Modules linked in:
---[ end trace b9d4a1c636ee14a3 ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 e7 6a 1c 02 0f 0b 48 c7 c7 d0 40 d6 85 e8 b6 f2 19 00 48 c7 c7 c0 fc 02 85 4c 89 f6 4c 89 e1 31 c0 e8 c5 6a 1c 02 <0f> 0b 48 c7 c7 e0 40 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b468 RCX: 208e090d32344900
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff81514578 R09: ffffed103ee0a590
R10: ffffed103ee0a590 R11: 1ffff1103ee0a58f R12: ffff888111b35470
R13: dffffc0000000000 R14: ffff8881f705b460 R15: ffff888111b35470
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555f933b8 CR3: 000000010a04c000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: 48 83 e6 08 and $0x8,%rsi
6: 31 ff xor %edi,%edi
8: e8 c2 51 0a fd callq 0xfd0a51cf
d: 48 83 e3 08 and $0x8,%rbx
11: 0f 85 ae 00 00 00 jne 0xc5
17: e9 0c 00 00 00 jmpq 0x28
1c: e8 8e 4c 0a fd callq 0xfd0a4caf
21: 0f 00 2d 27 31 ab 00 verw 0xab3127(%rip) # 0xab314f
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 a1 00 00 00 jmpq 0xd1
30: 49 83 c6 04 add $0x4,%r14
34: 4c 89 f0 mov %r14,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 8a 04 38 mov (%rax,%r15,1),%al
3f: 84 .byte 0x84


Tested on:

commit: a24cf7ad cgroup: test css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16bc58f5f00000

syzbot

May 27, 2022, 3:39:15 PM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!! css_killed_ref_fn css ffff888111fb7800 !!!
!!! css_killed_ref_fn css ffff888111fb7000 !!!
!!! css_release css ffff888111fb7000 !!!
list_add corruption. prev->next should be next (ffff8881f705b460), but was ffff888111fb7070. (prev=ffff888111fb7070).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.10.118-syzkaller-00001-g4c95bf6dbe4f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 f7 6a 1c 02 0f 0b 48 c7 c7 50 41 d6 85 e8 b6 f2 19 00 48 c7 c7 c0 00 03 85 4c 89 f6 4c 89 e1 31 c0 e8 d5 6a 1c 02 <0f> 0b 48 c7 c7 60 41 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b468 RCX: c38a2811c6aeb400
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff81514568 R09: fffff52000000f45
R10: fffff52000000f45 R11: 1ffff92000000f44 R12: ffff888111fb7070
R13: dffffc0000000000 R14: ffff8881f705b460 R15: ffff888111fb7070
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb73df55090 CR3: 00000001086d1000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0xfc/0x330 kernel/workqueue.c:1342
__queue_work+0x99e/0xe20 kernel/workqueue.c:1504
queue_work_on+0xbe/0x110 kernel/workqueue.c:1531
queue_work include/linux/workqueue.h:507 [inline]
css_release+0xc0/0xd0 kernel/cgroup/cgroup.c:5113
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5be/0x5e0 lib/percpu-refcount.c:199
rcu_do_batch+0x4ad/0xb00 kernel/rcu/tree.c:2485
rcu_core+0x64a/0xdf0 kernel/rcu/tree.c:2726
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2739
__do_softirq+0x253/0x67b kernel/softirq.c:298
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:393 [inline]
__irq_exit_rcu+0x152/0x1e0 kernel/softirq.c:423
irq_exit_rcu+0x9/0x10 kernel/softirq.c:435
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:49 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:89 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:114 [inline]
RIP: 0010:acpi_idle_do_entry+0xbb/0x1f0 drivers/acpi/processor_idle.c:558
Code: 89 de 48 83 e6 08 31 ff e8 62 51 0a fd 48 83 e3 08 0f 85 ae 00 00 00 e9 0c 00 00 00 e8 2e 4c 0a fd 0f 00 2d e7 33 ab 00 fb f4 <fa> e9 a1 00 00 00 49 83 c6 04 4c 89 f0 48 c1 e8 03 42 8a 04 38 84
RSP: 0018:ffffffff85a07ce8 EFLAGS: 00000246
RAX: 1ffffffff0b43630 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffffffff85a1b180 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffff85a07d00 R08: ffffffff845ec13e R09: fffffbfff0b43631
R10: fffffbfff0b43631 R11: 1ffffffff0b43630 R12: 0000000000000001
R13: ffff888100077804 R14: ffff8881018e6864 R15: dffffc0000000000
acpi_idle_enter+0x32d/0x4f0 drivers/acpi/processor_idle.c:693
cpuidle_enter_state+0x4c8/0x10d0 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:351
call_cpuidle kernel/sched/idle.c:158 [inline]
cpuidle_idle_call kernel/sched/idle.c:239 [inline]
do_idle+0x3a8/0x540 kernel/sched/idle.c:300
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:396
rest_init+0xe6/0xf0 init/main.c:722
arch_call_rest_init+0xe/0x10 init/main.c:846
start_kernel+0x473/0x50e init/main.c:1058
x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:526
x86_64_start_kernel+0x7a/0x7d arch/x86/kernel/head64.c:507
secondary_startup_64_no_verify+0xb0/0xbb
Modules linked in:
---[ end trace 5f324761e0034468 ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 f7 6a 1c 02 0f 0b 48 c7 c7 50 41 d6 85 e8 b6 f2 19 00 48 c7 c7 c0 00 03 85 4c 89 f6 4c 89 e1 31 c0 e8 d5 6a 1c 02 <0f> 0b 48 c7 c7 60 41 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b468 RCX: c38a2811c6aeb400
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff81514568 R09: fffff52000000f45
R10: fffff52000000f45 R11: 1ffff92000000f44 R12: ffff888111fb7070
R13: dffffc0000000000 R14: ffff8881f705b460 R15: ffff888111fb7070
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb73df55090 CR3: 00000001086d1000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: 48 83 e6 08 and $0x8,%rsi
6: 31 ff xor %edi,%edi
8: e8 62 51 0a fd callq 0xfd0a516f
d: 48 83 e3 08 and $0x8,%rbx
11: 0f 85 ae 00 00 00 jne 0xc5
17: e9 0c 00 00 00 jmpq 0x28
1c: e8 2e 4c 0a fd callq 0xfd0a4c4f
21: 0f 00 2d e7 33 ab 00 verw 0xab33e7(%rip) # 0xab340f
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 a1 00 00 00 jmpq 0xd1
30: 49 83 c6 04 add $0x4,%r14
34: 4c 89 f0 mov %r14,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 8a 04 38 mov (%rax,%r15,1),%al
3f: 84 .byte 0x84


Tested on:

commit: 4c95bf6d cgroup: test css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=158920a3f00000

syzbot

May 27, 2022, 3:59:11 PM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

secondary_startup_64_no_verify+0xb0/0xbb
!!! css_killed_ref_fn css ffff88810dacb800 !!!
!!! css_release css ffff88810dacb800 !!!
list_add corruption. prev->next should be next (ffff8881f705b460), but was ffff88810dacb870. (prev=ffff88810dacb870).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.118-syzkaller-00001-g6e35c343eaf5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 f7 6a 1c 02 0f 0b 48 c7 c7 50 41 d6 85 e8 b6 f2 19 00 48 c7 c7 00 fe 02 85 4c 89 f6 4c 89 e1 31 c0 e8 d5 6a 1c 02 <0f> 0b 48 c7 c7 60 41 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b468 RCX: 975f2902bd704d00
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff81514568 R09: ffffed103ee0a590
R10: ffffed103ee0a590 R11: 1ffff1103ee0a58f R12: ffff88810dacb870
R13: dffffc0000000000 R14: ffff8881f705b460 R15: ffff88810dacb870
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7bb8618090 CR3: 0000000109354000 CR4: 00000000003506b0
Code: 89 de 48 83 e6 08 31 ff e8 62 51 0a fd 48 83 e3 08 0f 85 ae 00 00 00 e9 0c 00 00 00 e8 2e 4c 0a fd 0f 00 2d 17 31 ab 00 fb f4 <fa> e9 a1 00 00 00 49 83 c6 04 4c 89 f0 48 c1 e8 03 42 8a 04 38 84
RSP: 0018:ffffffff85a07ce8 EFLAGS: 00000246
RAX: 1ffffffff0b43630 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffffffff85a1b180 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffff85a07d00 R08: ffffffff845ec14e R09: fffffbfff0b43631
R10: fffffbfff0b43631 R11: 1ffffffff0b43630 R12: 0000000000000001
R13: ffff888100fed804 R14: ffff888100075864 R15: dffffc0000000000
acpi_idle_enter+0x32d/0x4f0 drivers/acpi/processor_idle.c:693
cpuidle_enter_state+0x4c8/0x10d0 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:351
call_cpuidle kernel/sched/idle.c:158 [inline]
cpuidle_idle_call kernel/sched/idle.c:239 [inline]
do_idle+0x3a8/0x540 kernel/sched/idle.c:300
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:396
rest_init+0xe6/0xf0 init/main.c:722
arch_call_rest_init+0xe/0x10 init/main.c:846
start_kernel+0x473/0x50e init/main.c:1058
x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:526
x86_64_start_kernel+0x7a/0x7d arch/x86/kernel/head64.c:507
secondary_startup_64_no_verify+0xb0/0xbb
Modules linked in:
---[ end trace 3f71cf9c89dc24b8 ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 f7 6a 1c 02 0f 0b 48 c7 c7 50 41 d6 85 e8 b6 f2 19 00 48 c7 c7 00 fe 02 85 4c 89 f6 4c 89 e1 31 c0 e8 d5 6a 1c 02 <0f> 0b 48 c7 c7 60 41 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b468 RCX: 975f2902bd704d00
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff81514568 R09: ffffed103ee0a590
R10: ffffed103ee0a590 R11: 1ffff1103ee0a58f R12: ffff88810dacb870
R13: dffffc0000000000 R14: ffff8881f705b460 R15: ffff88810dacb870
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7bb8618090 CR3: 0000000109354000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: 48 83 e6 08 and $0x8,%rsi
6: 31 ff xor %edi,%edi
8: e8 62 51 0a fd callq 0xfd0a516f
d: 48 83 e3 08 and $0x8,%rbx
11: 0f 85 ae 00 00 00 jne 0xc5
17: e9 0c 00 00 00 jmpq 0x28
1c: e8 2e 4c 0a fd callq 0xfd0a4c4f
21: 0f 00 2d 17 31 ab 00 verw 0xab3117(%rip) # 0xab313f
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 a1 00 00 00 jmpq 0xd1
30: 49 83 c6 04 add $0x4,%r14
34: 4c 89 f0 mov %r14,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 8a 04 38 mov (%rax,%r15,1),%al
3f: 84 .byte 0x84


Tested on:

commit: 6e35c343 cgroup: test css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17898503f00000

Tadeusz Struk

May 27, 2022, 4:10:27 PM
to syzbot, syzkaller-a...@googlegroups.com
#syz test: https://github.com/tstruk/linux.git linux-5.10.y

syzbot

May 27, 2022, 5:33:09 PM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!! css_killed_ref_fn css ffff888110c76800 !!!
!!! css_killed_ref_fn css ffff888110c77000 !!!
!!! css_release css ffff888110c77000 !!!
list_add corruption. prev->next should be next (ffff8881f715b460), but was ffff888110c77070. (prev=ffff888110c77070).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G W 5.10.118-syzkaller-00001-gd7f2fd8840a5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 f7 6a 1c 02 0f 0b 48 c7 c7 50 42 d6 85 e8 b6 f2 19 00 48 c7 c7 40 03 03 85 4c 89 f6 4c 89 e1 31 c0 e8 d5 6a 1c 02 <0f> 0b 48 c7 c7 60 42 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000150bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f715b468 RCX: 9e56686f19cc8900
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000150be8 R08: ffffffff81514568 R09: ffffed103ee2a590
R10: ffffed103ee2a590 R11: 1ffff1103ee2a58f R12: ffff888110c77070
R13: dffffc0000000000 R14: ffff8881f715b460 R15: ffff888110c77070
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdd38a84ff8 CR3: 000000011a98d000 CR4: 00000000003506a0
Code: 89 de 48 83 e6 08 31 ff e8 62 51 0a fd 48 83 e3 08 0f 85 ae 00 00 00 e9 0c 00 00 00 e8 2e 4c 0a fd 0f 00 2d 17 35 ab 00 fb f4 <fa> e9 a1 00 00 00 49 83 c6 04 4c 89 f0 48 c1 e8 03 42 8a 04 38 84
RSP: 0018:ffffc900000e7d58 EFLAGS: 00000246
RAX: 1ffff110200477a0 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88810023bd00 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900000e7d70 R08: ffffffff845ec28e R09: ffffed10200477a1
R10: ffffed10200477a1 R11: 1ffff110200477a0 R12: 0000000000000001
R13: ffff888105af5004 R14: ffff888101be4864 R15: dffffc0000000000
acpi_idle_enter+0x32d/0x4f0 drivers/acpi/processor_idle.c:693
cpuidle_enter_state+0x4c8/0x10d0 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:351
call_cpuidle kernel/sched/idle.c:158 [inline]
cpuidle_idle_call kernel/sched/idle.c:239 [inline]
do_idle+0x3a8/0x540 kernel/sched/idle.c:300
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:396
start_secondary+0xd7/0xe0 arch/x86/kernel/smpboot.c:265
secondary_startup_64_no_verify+0xb0/0xbb
Modules linked in:
---[ end trace 5d19eefdfba7e805 ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 f7 6a 1c 02 0f 0b 48 c7 c7 50 42 d6 85 e8 b6 f2 19 00 48 c7 c7 40 03 03 85 4c 89 f6 4c 89 e1 31 c0 e8 d5 6a 1c 02 <0f> 0b 48 c7 c7 60 42 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000150bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f715b468 RCX: 9e56686f19cc8900
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000150be8 R08: ffffffff81514568 R09: ffffed103ee2a590
R10: ffffed103ee2a590 R11: 1ffff1103ee2a58f R12: ffff888110c77070
R13: dffffc0000000000 R14: ffff8881f715b460 R15: ffff888110c77070
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdd38a84ff8 CR3: 000000011a98d000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: 48 83 e6 08 and $0x8,%rsi
6: 31 ff xor %edi,%edi
8: e8 62 51 0a fd callq 0xfd0a516f
d: 48 83 e3 08 and $0x8,%rbx
11: 0f 85 ae 00 00 00 jne 0xc5
17: e9 0c 00 00 00 jmpq 0x28
1c: e8 2e 4c 0a fd callq 0xfd0a4c4f
21: 0f 00 2d 17 35 ab 00 verw 0xab3517(%rip) # 0xab353f
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 a1 00 00 00 jmpq 0xd1
30: 49 83 c6 04 add $0x4,%r14
34: 4c 89 f0 mov %r14,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 8a 04 38 mov (%rax,%r15,1),%al
3f: 84 .byte 0x84


Tested on:

commit: d7f2fd88 cgroup: test css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13f7af4bf00000

syzbot

May 27, 2022, 6:30:12 PM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in ip6_pol_route

general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
CPU: 1 PID: 17 Comm: ksoftirqd/1 Not tainted 5.10.118-syzkaller-00001-g08d8dbfab803 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:rt6_get_pcpu_route net/ipv6/route.c:1394 [inline]
RIP: 0010:ip6_pol_route+0x5e2/0x13b0 net/ipv6/route.c:2256
Code: e8 33 bd a7 fd 48 8b 03 65 4c 8b 28 31 ff 4c 89 ee e8 22 37 70 fd 4d 85 ed 0f 84 c6 00 00 00 49 8d 5d 78 48 89 d8 48 c1 e8 03 <42> 8a 04 30 84 c0 0f 85 75 0b 00 00 44 8b 33 31 ff 44 89 f6 e8 45
RSP: 0018:ffffc90000127868 EFLAGS: 00010206
RAX: 000000000000000f RBX: 000000000000007b RCX: 0000000080000300
RDX: ffff888100289e80 RSI: 0000000000000003 RDI: 0000000000000000
RBP: ffffc90000127930 R08: ffffffff83f8ddae R09: ffff88810ce9db40
R10: fffff52000024f1b R11: 1ffff92000024f17 R12: 1ffff92000024f16
R13: 0000000000000003 R14: dffffc0000000000 R15: 1ffff92000024f17
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd2a2ca6718 CR3: 000000010cbc8000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ip6_pol_route_input+0x54/0x80 net/ipv6/route.c:2280
pol_lookup_func include/net/ip6_fib.h:584 [inline]
fib6_rule_lookup+0xcf/0x5e0 net/ipv6/fib6_rules.c:115
ip6_route_input_lookup net/ipv6/route.c:2292 [inline]
ip6_route_input+0x689/0x9e0 net/ipv6/route.c:2461
ip6_rcv_finish_core net/ipv6/ip6_input.c:63 [inline]
ip6_rcv_finish net/ipv6/ip6_input.c:74 [inline]
NF_HOOK include/linux/netfilter.h:301 [inline]
ipv6_rcv+0x1ef/0x4a0 net/ipv6/ip6_input.c:297
__netif_receive_skb_one_core net/core/dev.c:5356 [inline]
__netif_receive_skb+0x127/0x410 net/core/dev.c:5470
process_backlog+0x372/0x6b0 net/core/dev.c:6376
napi_poll+0x1a3/0x6a0 net/core/dev.c:6827
net_rx_action+0x2ff/0x930 net/core/dev.c:6897
__do_softirq+0x253/0x67b kernel/softirq.c:298
run_ksoftirqd+0x23/0x30 kernel/softirq.c:653
smpboot_thread_fn+0x4c8/0x8b0 kernel/smpboot.c:164
kthread+0x365/0x400 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace 897625ee2abfc660 ]---
RIP: 0010:rt6_get_pcpu_route net/ipv6/route.c:1394 [inline]
RIP: 0010:ip6_pol_route+0x5e2/0x13b0 net/ipv6/route.c:2256
Code: e8 33 bd a7 fd 48 8b 03 65 4c 8b 28 31 ff 4c 89 ee e8 22 37 70 fd 4d 85 ed 0f 84 c6 00 00 00 49 8d 5d 78 48 89 d8 48 c1 e8 03 <42> 8a 04 30 84 c0 0f 85 75 0b 00 00 44 8b 33 31 ff 44 89 f6 e8 45
RSP: 0018:ffffc90000127868 EFLAGS: 00010206
RAX: 000000000000000f RBX: 000000000000007b RCX: 0000000080000300
RDX: ffff888100289e80 RSI: 0000000000000003 RDI: 0000000000000000
RBP: ffffc90000127930 R08: ffffffff83f8ddae R09: ffff88810ce9db40
R10: fffff52000024f1b R11: 1ffff92000024f17 R12: 1ffff92000024f16
R13: 0000000000000003 R14: dffffc0000000000 R15: 1ffff92000024f17
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd2a2ca6718 CR3: 000000010cbc8000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: e8 33 bd a7 fd callq 0xfda7bd38
5: 48 8b 03 mov (%rbx),%rax
8: 65 4c 8b 28 mov %gs:(%rax),%r13
c: 31 ff xor %edi,%edi
e: 4c 89 ee mov %r13,%rsi
11: e8 22 37 70 fd callq 0xfd703738
16: 4d 85 ed test %r13,%r13
19: 0f 84 c6 00 00 00 je 0xe5
1f: 49 8d 5d 78 lea 0x78(%r13),%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 8a 04 30 mov (%rax,%r14,1),%al <-- trapping instruction
2e: 84 c0 test %al,%al
30: 0f 85 75 0b 00 00 jne 0xbab
36: 44 8b 33 mov (%rbx),%r14d
39: 31 ff xor %edi,%edi
3b: 44 89 f6 mov %r14d,%esi
3e: e8 .byte 0xe8
3f: 45 rex.RB


Tested on:

commit: 08d8dbfa cgroup: test css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=114750ddf00000

syzbot

May 27, 2022, 6:46:10 PM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!! css_killed_ref_fn css ffff88811024e400 !!!
!!! css_killed_ref_fn css ffff88811024dc00 !!!
!!! css_release css ffff88811024dc00 !!!
list_add corruption. prev->next should be next (ffff8881f705b460), but was ffff88811024dc70. (prev=ffff88811024dc70).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.10.118-syzkaller-00001-g08d8dbfab803 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 f7 6a 1c 02 0f 0b 48 c7 c7 d0 42 d6 85 e8 b6 f2 19 00 48 c7 c7 80 02 03 85 4c 89 f6 4c 89 e1 31 c0 e8 d5 6a 1c 02 <0f> 0b 48 c7 c7 e0 42 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b468 RCX: a88943fa35d1d300
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff81514568 R09: ffffed103ee0a590
R10: ffffed103ee0a590 R11: 1ffff1103ee0a58f R12: ffff88811024dc70
R13: dffffc0000000000 R14: ffff8881f705b460 R15: ffff88811024dc70
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1ee9166e69 CR3: 000000011b025000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0xfc/0x330 kernel/workqueue.c:1342
__queue_work+0x99e/0xe20 kernel/workqueue.c:1504
queue_work_on+0xbe/0x110 kernel/workqueue.c:1531
queue_work include/linux/workqueue.h:507 [inline]
css_release+0xc0/0xd0 kernel/cgroup/cgroup.c:5114
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5be/0x5e0 lib/percpu-refcount.c:199
rcu_do_batch+0x4ad/0xb00 kernel/rcu/tree.c:2485
rcu_core+0x64a/0xdf0 kernel/rcu/tree.c:2726
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2739
__do_softirq+0x253/0x67b kernel/softirq.c:298
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:393 [inline]
__irq_exit_rcu+0x152/0x1e0 kernel/softirq.c:423
irq_exit_rcu+0x9/0x10 kernel/softirq.c:435
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:49 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:89 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:114 [inline]
RIP: 0010:acpi_idle_do_entry+0xbb/0x1f0 drivers/acpi/processor_idle.c:558
Code: 89 de 48 83 e6 08 31 ff e8 62 51 0a fd 48 83 e3 08 0f 85 ae 00 00 00 e9 0c 00 00 00 e8 2e 4c 0a fd 0f 00 2d 77 33 ab 00 fb f4 <fa> e9 a1 00 00 00 49 83 c6 04 4c 89 f0 48 c1 e8 03 42 8a 04 38 84
RSP: 0018:ffffffff85a07ce8 EFLAGS: 00000246
RAX: 1ffffffff0b43630 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffffffff85a1b180 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffff85a07d00 R08: ffffffff845ec36e R09: fffffbfff0b43631
R10: fffffbfff0b43631 R11: 1ffffffff0b43630 R12: 0000000000000001
R13: ffff888100af1804 R14: ffff888101be3864 R15: dffffc0000000000
acpi_idle_enter+0x32d/0x4f0 drivers/acpi/processor_idle.c:693
cpuidle_enter_state+0x4c8/0x10d0 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:351
call_cpuidle kernel/sched/idle.c:158 [inline]
cpuidle_idle_call kernel/sched/idle.c:239 [inline]
do_idle+0x3a8/0x540 kernel/sched/idle.c:300
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:396
rest_init+0xe6/0xf0 init/main.c:722
arch_call_rest_init+0xe/0x10 init/main.c:846
start_kernel+0x473/0x50e init/main.c:1058
x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:526
x86_64_start_kernel+0x7a/0x7d arch/x86/kernel/head64.c:507
secondary_startup_64_no_verify+0xb0/0xbb
Modules linked in:
---[ end trace 058fb55291bd45c3 ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 f7 6a 1c 02 0f 0b 48 c7 c7 d0 42 d6 85 e8 b6 f2 19 00 48 c7 c7 80 02 03 85 4c 89 f6 4c 89 e1 31 c0 e8 d5 6a 1c 02 <0f> 0b 48 c7 c7 e0 42 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b468 RCX: a88943fa35d1d300
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff81514568 R09: ffffed103ee0a590
R10: ffffed103ee0a590 R11: 1ffff1103ee0a58f R12: ffff88811024dc70
R13: dffffc0000000000 R14: ffff8881f705b460 R15: ffff88811024dc70
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1ee9166e69 CR3: 000000011b025000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: 48 83 e6 08 and $0x8,%rsi
6: 31 ff xor %edi,%edi
8: e8 62 51 0a fd callq 0xfd0a516f
d: 48 83 e3 08 and $0x8,%rbx
11: 0f 85 ae 00 00 00 jne 0xc5
17: e9 0c 00 00 00 jmpq 0x28
1c: e8 2e 4c 0a fd callq 0xfd0a4c4f
21: 0f 00 2d 77 33 ab 00 verw 0xab3377(%rip) # 0xab339f
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 a1 00 00 00 jmpq 0xd1
30: 49 83 c6 04 add $0x4,%r14
34: 4c 89 f0 mov %r14,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 8a 04 38 mov (%rax,%r15,1),%al
3f: 84 .byte 0x84


Tested on:

commit: 08d8dbfa cgroup: test css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11fdb4bdf00000

syzbot

May 31, 2022, 2:07:08 PM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!! css_killed_ref_fn css ffff88810f322800 !!!
!!! css_killed_ref_fn css ffff88810f320400 !!!
!!! css_release css ffff88810f320400 !!!
list_add corruption. prev->next should be next (ffff8881f705b460), but was ffff88810f320470. (prev=ffff88810f320470).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.10.118-syzkaller-00001-g08d8dbfab803 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 f7 6a 1c 02 0f 0b 48 c7 c7 d0 42 d6 85 e8 b6 f2 19 00 48 c7 c7 40 ff 02 85 4c 89 f6 4c 89 e1 31 c0 e8 d5 6a 1c 02 <0f> 0b 48 c7 c7 e0 42 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b468 RCX: 07d8e9a57264fe00
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff81514568 R09: fffff52000000f11
R10: fffff52000000f11 R11: 1ffff92000000f10 R12: ffff88810f320470
R13: dffffc0000000000 R14: ffff8881f705b460 R15: ffff88810f320470
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fad60105090 CR3: 00000001149cd000 CR4: 00000000003506b0
Code: 89 de 48 83 e6 08 31 ff e8 62 51 0a fd 48 83 e3 08 0f 85 ae 00 00 00 e9 0c 00 00 00 e8 2e 4c 0a fd 0f 00 2d 37 30 ab 00 fb f4 <fa> e9 a1 00 00 00 49 83 c6 04 4c 89 f0 48 c1 e8 03 42 8a 04 38 84
RSP: 0018:ffffffff85a07ce8 EFLAGS: 00000246
RAX: 1ffffffff0b43630 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffffffff85a1b180 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffff85a07d00 R08: ffffffff845ec36e R09: fffffbfff0b43631
R10: fffffbfff0b43631 R11: 1ffffffff0b43630 R12: 0000000000000001
R13: ffff8881050d1804 R14: ffff888100075864 R15: dffffc0000000000
acpi_idle_enter+0x32d/0x4f0 drivers/acpi/processor_idle.c:693
cpuidle_enter_state+0x4c8/0x10d0 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:351
call_cpuidle kernel/sched/idle.c:158 [inline]
cpuidle_idle_call kernel/sched/idle.c:239 [inline]
do_idle+0x3a8/0x540 kernel/sched/idle.c:300
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:396
rest_init+0xe6/0xf0 init/main.c:722
arch_call_rest_init+0xe/0x10 init/main.c:846
start_kernel+0x473/0x50e init/main.c:1058
x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:526
x86_64_start_kernel+0x7a/0x7d arch/x86/kernel/head64.c:507
secondary_startup_64_no_verify+0xb0/0xbb
Modules linked in:
---[ end trace f7beb61153947086 ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 f7 6a 1c 02 0f 0b 48 c7 c7 d0 42 d6 85 e8 b6 f2 19 00 48 c7 c7 40 ff 02 85 4c 89 f6 4c 89 e1 31 c0 e8 d5 6a 1c 02 <0f> 0b 48 c7 c7 e0 42 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b468 RCX: 07d8e9a57264fe00
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff81514568 R09: fffff52000000f11
R10: fffff52000000f11 R11: 1ffff92000000f10 R12: ffff88810f320470
R13: dffffc0000000000 R14: ffff8881f705b460 R15: ffff88810f320470
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fad60105090 CR3: 00000001149cd000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: 48 83 e6 08 and $0x8,%rsi
6: 31 ff xor %edi,%edi
8: e8 62 51 0a fd callq 0xfd0a516f
d: 48 83 e3 08 and $0x8,%rbx
11: 0f 85 ae 00 00 00 jne 0xc5
17: e9 0c 00 00 00 jmpq 0x28
1c: e8 2e 4c 0a fd callq 0xfd0a4c4f
21: 0f 00 2d 37 30 ab 00 verw 0xab3037(%rip) # 0xab305f
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 a1 00 00 00 jmpq 0xd1
30: 49 83 c6 04 add $0x4,%r14
34: 4c 89 f0 mov %r14,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 8a 04 38 mov (%rax,%r15,1),%al
3f: 84 .byte 0x84


Tested on:

commit: 08d8dbfa cgroup: test css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14a092cbf00000

syzbot

May 31, 2022, 2:36:11 PM5/31/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!! css_release css ffff888101ccb000 !!!
list_add corruption. prev->next should be next (ffff8881f705b560), but was ffff888101ccb070. (prev=ffff888101ccb070).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 107 Comm: kworker/0:2 Tainted: G W 5.10.119-syzkaller-00165-g1ce0c625d4b9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: cgroup_destroy css_killed_work_fn
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 a7 cc 1b 02 0f 0b 48 c7 c7 90 44 d6 85 e8 b6 f2 19 00 48 c7 c7 c0 01 03 85 4c 89 f6 4c 89 e1 31 c0 e8 85 cc 1b 02 <0f> 0b 48 c7 c7 a0 44 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b568 RCX: c14f693ca9dcb300
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff815145c8 R09: fffff52000000f45
R10: fffff52000000f45 R11: 1ffff92000000f44 R12: ffff888101ccb070
R13: dffffc0000000000 R14: ffff8881f705b560 R15: ffff888101ccb070
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe496cc0e69 CR3: 00000001093c0000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0xfc/0x330 kernel/workqueue.c:1342
__queue_work+0x99e/0xe20 kernel/workqueue.c:1504
queue_work_on+0xbe/0x110 kernel/workqueue.c:1531
queue_work include/linux/workqueue.h:507 [inline]
css_release+0xc0/0xd0 kernel/cgroup/cgroup.c:5116
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5be/0x5e0 lib/percpu-refcount.c:199
rcu_do_batch+0x4ad/0xb00 kernel/rcu/tree.c:2485
rcu_core+0x64a/0xdf0 kernel/rcu/tree.c:2726
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2739
__do_softirq+0x253/0x67b kernel/softirq.c:298
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:393 [inline]
__irq_exit_rcu+0x152/0x1e0 kernel/softirq.c:423
irq_exit_rcu+0x9/0x10 kernel/softirq.c:435
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:41 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:84 [inline]
RIP: 0010:console_unlock+0xae5/0xe80 kernel/printk/printk.c:2540
Code: 00 48 c7 c7 e0 99 45 86 e8 f8 ed 0c 03 f6 c3 01 0f 85 64 03 00 00 e8 ba 64 00 00 48 8b 44 24 18 48 89 44 24 70 ff 74 24 70 9d <48> 8b 44 24 08 42 80 3c 28 00 74 0d 48 8d bc 24 f0 00 00 00 e8 12
RSP: 0018:ffffc90000a87a00 EFLAGS: 00000246
RAX: 0000000000000246 RBX: 0000000000000000 RCX: ffff888108132dc0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffffc90000a87b48 R08: ffffffff81514141 R09: fffff52000150f38
R10: fffff52000150f38 R11: 1ffff92000150f37 R12: 1ffffffff0bbe745
R13: dffffc0000000000 R14: 0000000000000000 R15: ffffffff85df39f0
vprintk_emit+0x149/0x340 kernel/printk/printk.c:2054
vprintk_default+0x26/0x30 kernel/printk/printk.c:2071
vprintk_func+0x19d/0x1e0 kernel/printk/printk_safe.c:401
printk+0x76/0x96 kernel/printk/printk.c:2102
css_release+0x2d/0xd0 kernel/cgroup/cgroup.c:5114
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
css_put include/linux/cgroup.h:409 [inline]
css_killed_work_fn+0x4b0/0x500 kernel/cgroup/cgroup.c:5470
process_one_work+0x711/0xce0 kernel/workqueue.c:2279
worker_thread+0xb17/0x1540 kernel/workqueue.c:2425
kthread+0x365/0x400 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace 3a08363c28c4e396 ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 a7 cc 1b 02 0f 0b 48 c7 c7 90 44 d6 85 e8 b6 f2 19 00 48 c7 c7 c0 01 03 85 4c 89 f6 4c 89 e1 31 c0 e8 85 cc 1b 02 <0f> 0b 48 c7 c7 a0 44 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b568 RCX: c14f693ca9dcb300
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff815145c8 R09: fffff52000000f45
R10: fffff52000000f45 R11: 1ffff92000000f44 R12: ffff888101ccb070
R13: dffffc0000000000 R14: ffff8881f705b560 R15: ffff888101ccb070
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe496cc0e69 CR3: 00000001093c0000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 48 c7 c7 e0 99 45 86 mov $0xffffffff864599e0,%rdi
7: e8 f8 ed 0c 03 callq 0x30cee04
c: f6 c3 01 test $0x1,%bl
f: 0f 85 64 03 00 00 jne 0x379
15: e8 ba 64 00 00 callq 0x64d4
1a: 48 8b 44 24 18 mov 0x18(%rsp),%rax
1f: 48 89 44 24 70 mov %rax,0x70(%rsp)
24: ff 74 24 70 pushq 0x70(%rsp)
28: 9d popfq
* 29: 48 8b 44 24 08 mov 0x8(%rsp),%rax <-- trapping instruction
2e: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
33: 74 0d je 0x42
35: 48 8d bc 24 f0 00 00 lea 0xf0(%rsp),%rdi
3c: 00
3d: e8 .byte 0xe8
3e: 12 .byte 0x12


Tested on:

commit: 1ce0c625 cgroup: test css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16bbda3df00000
kernel config: https://syzkaller.appspot.com/x/.config?x=26b9d4a1c9786cc4

syzbot

May 31, 2022, 3:02:08 PM5/31/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!! css_killed_ref_fn css ffff88811ef30000 !!!
list_add corruption. prev->next should be next (ffff8881f7055220), but was ffff88811ef37070. (prev=ffff88811ef30470).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 373 Comm: kworker/1:2 Tainted: G W 5.10.119-syzkaller-00165-g0c6b4937af60 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: cgroup_destroy css_killed_work_fn
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 a7 cc 1b 02 0f 0b 48 c7 c7 90 44 d6 85 e8 b6 f2 19 00 48 c7 c7 80 02 03 85 4c 89 f6 4c 89 e1 31 c0 e8 85 cc 1b 02 <0f> 0b 48 c7 c7 a0 44 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000160b30 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f7055228 RCX: 4e6d3c802d56a700
RDX: 0000000000000302 RSI: 0000000000000302 RDI: 0000000000000000
RBP: ffffc90000160b58 R08: ffffffff815145c8 R09: fffff5200002c133
R10: fffff5200002c133 R11: 1ffff9200002c132 R12: ffff88811ef30470
R13: dffffc0000000000 R14: ffff8881f7055220 R15: ffffe8ffffc13550
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5ac15cc000 CR3: 0000000110c83000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0xfc/0x330 kernel/workqueue.c:1342
__queue_work+0x99e/0xe20 kernel/workqueue.c:1504
queue_work_on+0xbe/0x110 kernel/workqueue.c:1531
wg_queue_enqueue_per_device_and_peer drivers/net/wireguard/queueing.h:181 [inline]
wg_packet_create_data drivers/net/wireguard/send.c:320 [inline]
wg_packet_send_staged_packets+0xae6/0x1120 drivers/net/wireguard/send.c:387
wg_packet_send_keepalive+0x15b/0x1c0 drivers/net/wireguard/send.c:239
wg_expired_send_persistent_keepalive+0x52/0x80 drivers/net/wireguard/timers.c:141
call_timer_fn+0x35/0x350 kernel/time/timer.c:1414
expire_timers+0x21b/0x410 kernel/time/timer.c:1459
__run_timers+0x5a9/0x700 kernel/time/timer.c:1753
run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1766
__do_softirq+0x253/0x67b kernel/softirq.c:298
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:393 [inline]
__irq_exit_rcu+0x152/0x1e0 kernel/softirq.c:423
irq_exit_rcu+0x9/0x10 kernel/softirq.c:435
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:41 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:84 [inline]
RIP: 0010:console_trylock_spinning kernel/printk/printk.c:1860 [inline]
RIP: 0010:vprintk_emit+0x266/0x340 kernel/printk/printk.c:2053
Code: d0 da 17 00 48 c7 c7 00 0a b9 85 48 89 de e8 51 7f 08 01 f6 c3 01 75 de e8 b7 da 17 00 e8 72 70 00 00 4c 89 75 a0 ff 75 a0 9d <e9> d9 fe ff ff e8 a0 da 17 00 eb 05 e8 99 da 17 00 45 89 ef 48 c7
RSP: 0018:ffffc90000b87b88 EFLAGS: 00000246
RAX: ffffffff8151a629 RBX: 0000000000000000 RCX: ffff8881196e0000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffffc90000b87bf0 R08: ffffffff81513573 R09: fffff52000170f69
R10: fffff52000170f69 R11: 1ffff92000170f68 R12: 1ffff92000170f77
R13: 000000000000003b R14: 0000000000000246 R15: 000000000000003b
vprintk_default+0x26/0x30 kernel/printk/printk.c:2071
vprintk_func+0x19d/0x1e0 kernel/printk/printk_safe.c:401
printk+0x76/0x96 kernel/printk/printk.c:2102
css_put include/linux/cgroup.h:412 [inline]
css_killed_work_fn+0x2f6/0x500 kernel/cgroup/cgroup.c:5471
process_one_work+0x711/0xce0 kernel/workqueue.c:2279
worker_thread+0xb17/0x1540 kernel/workqueue.c:2425
kthread+0x365/0x400 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace 518ce58d12f18535 ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 a7 cc 1b 02 0f 0b 48 c7 c7 90 44 d6 85 e8 b6 f2 19 00 48 c7 c7 80 02 03 85 4c 89 f6 4c 89 e1 31 c0 e8 85 cc 1b 02 <0f> 0b 48 c7 c7 a0 44 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000160b30 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f7055228 RCX: 4e6d3c802d56a700
RDX: 0000000000000302 RSI: 0000000000000302 RDI: 0000000000000000
RBP: ffffc90000160b58 R08: ffffffff815145c8 R09: fffff5200002c133
R10: fffff5200002c133 R11: 1ffff9200002c132 R12: ffff88811ef30470
R13: dffffc0000000000 R14: ffff8881f7055220 R15: ffffe8ffffc13550
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5ac15cc000 CR3: 0000000110c83000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
0: da 17 ficoml (%rdi)
2: 00 48 c7 add %cl,-0x39(%rax)
5: c7 00 0a b9 85 48 movl $0x4885b90a,(%rax)
b: 89 de mov %ebx,%esi
d: e8 51 7f 08 01 callq 0x1087f63
12: f6 c3 01 test $0x1,%bl
15: 75 de jne 0xfffffff5
17: e8 b7 da 17 00 callq 0x17dad3
1c: e8 72 70 00 00 callq 0x7093
21: 4c 89 75 a0 mov %r14,-0x60(%rbp)
25: ff 75 a0 pushq -0x60(%rbp)
28: 9d popfq
* 29: e9 d9 fe ff ff jmpq 0xffffff07 <-- trapping instruction
2e: e8 a0 da 17 00 callq 0x17dad3
33: eb 05 jmp 0x3a
35: e8 99 da 17 00 callq 0x17dad3
3a: 45 89 ef mov %r13d,%r15d
3d: 48 rex.W
3e: c7 .byte 0xc7


Tested on:

commit: 0c6b4937 cgroup: test css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=162fa093f00000

syzbot

May 31, 2022, 3:30:14 PM5/31/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

./include/linux/cgroup.h:408:2: error: expected identifier or '('
./include/linux/cgroup.h:416:1: error: extraneous closing brace ('}')


Tested on:

commit: 27038e13 cgroup: test css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
dashboard link: https://syzkaller.appspot.com/bug?extid=e42ae441c3b10acf9e9d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63

syzbot

May 31, 2022, 3:51:10 PM5/31/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!! css_killed_ref_fn css ffff88811443e400 !!!
!!! css_killed_ref_fn css ffff8881166a9400 !!!
!!! css_release css ffff8881166a9400 !!!
list_add corruption. prev->next should be next (ffff8881f715b560), but was ffff8881166a9470. (prev=ffff8881166a9470).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 18 Comm: ksoftirqd/1 Tainted: G W 5.10.119-syzkaller-00165-g07d497086047 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 c7 cc 1b 02 0f 0b 48 c7 c7 90 44 d6 85 e8 b6 f2 19 00 48 c7 c7 c0 02 03 85 4c 89 f6 4c 89 e1 31 c0 e8 a5 cc 1b 02 <0f> 0b 48 c7 c7 a0 44 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000137a20 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f715b568 RCX: ee5de3fc97053400
RDX: 0000000000000101 RSI: 0000000000000101 RDI: 0000000000000000
RBP: ffffc90000137a48 R08: ffffffff815145e8 R09: ffffed103ee24e73
R10: ffffed103ee24e73 R11: 1ffff1103ee24e72 R12: ffff8881166a9470
R13: dffffc0000000000 R14: ffff8881f715b560 R15: ffff8881166a9470
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffce6917fb0 CR3: 0000000109158000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0xfc/0x330 kernel/workqueue.c:1342
__queue_work+0x99e/0xe20 kernel/workqueue.c:1504
queue_work_on+0xbe/0x110 kernel/workqueue.c:1531
queue_work include/linux/workqueue.h:507 [inline]
css_release+0xc0/0xd0 kernel/cgroup/cgroup.c:5116
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5be/0x5e0 lib/percpu-refcount.c:199
rcu_do_batch+0x4ad/0xb00 kernel/rcu/tree.c:2485
rcu_core+0x64a/0xdf0 kernel/rcu/tree.c:2726
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2739
__do_softirq+0x253/0x67b kernel/softirq.c:298
run_ksoftirqd+0x23/0x30 kernel/softirq.c:653
smpboot_thread_fn+0x4c8/0x8b0 kernel/smpboot.c:164
kthread+0x365/0x400 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace fca5e2e0f619fa03 ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 c7 cc 1b 02 0f 0b 48 c7 c7 90 44 d6 85 e8 b6 f2 19 00 48 c7 c7 c0 02 03 85 4c 89 f6 4c 89 e1 31 c0 e8 a5 cc 1b 02 <0f> 0b 48 c7 c7 a0 44 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000137a20 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f715b568 RCX: ee5de3fc97053400
RDX: 0000000000000101 RSI: 0000000000000101 RDI: 0000000000000000
RBP: ffffc90000137a48 R08: ffffffff815145e8 R09: ffffed103ee24e73
R10: ffffed103ee24e73 R11: 1ffff1103ee24e72 R12: ffff8881166a9470
R13: dffffc0000000000 R14: ffff8881f715b560 R15: ffff8881166a9470
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffce6917fb0 CR3: 0000000109158000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 07d49708 cgroup: test css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1530e9a3f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=26b9d4a1c9786cc4
dashboard link: https://syzkaller.appspot.com/bug?extid=e42ae441c3b10acf9e9d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2

syzbot

May 31, 2022, 4:18:07 PM5/31/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

./include/linux/cgroup.h:408:70: error: expected ')'
./include/linux/cgroup.h:416:1: error: expected statement


Tested on:

commit: 28f40e87 cgroup: test css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
dashboard link: https://syzkaller.appspot.com/bug?extid=e42ae441c3b10acf9e9d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63

syzbot

May 31, 2022, 4:49:07 PM5/31/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

kernel/cgroup/cgroup.c:1602:73: error: use of undeclared identifier 'css'


Tested on:

commit: 3507a063 cgroup: test css_put imbalance
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2

syzbot

May 31, 2022, 5:07:13 PM5/31/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]

executing program
executing program
executing program
executing program
executing program
2022/05/31 21:06:31 SYZFATAL: BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, devices) failed: 22


forked to background, child pid 196
no interfaces have a carrier
Starting sshd: OK

syzkaller
syzkaller login: [ 12.566077][ T23] kauditd_printk_skb: 60 callbacks suppressed
[ 12.566084][ T23] audit: type=1400 audit(1654030884.170:71): avc: denied { transition } for pid=289 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 12.578251][ T23] audit: type=1400 audit(1654030884.190:72): avc: denied { write } for pid=289 comm="sh" path="pipe:[11313]" dev="pipefs" ino=11313 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
Warning: Permanently added '10.128.0.173' (ECDSA) to the list of known hosts.
2022/05/31 21:01:30 fuzzer started
2022/05/31 21:01:31 connecting to host at 10.128.0.163:43823
2022/05/31 21:01:31 checking machine...
2022/05/31 21:01:31 checking revisions...
2022/05/31 21:01:31 testing simple program...
[ 19.564888][ T23] audit: type=1400 audit(1654030891.170:73): avc: denied { integrity } for pid=361 comm="syz-fuzzer" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 19.572114][ T23] audit: type=1400 audit(1654030891.180:74): avc: denied { getattr } for pid=361 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 19.576624][ T23] audit: type=1400 audit(1654030891.180:75): avc: denied { read } for pid=361 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 19.581239][ T23] audit: type=1400 audit(1654030891.180:76): avc: denied { open } for pid=361 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 19.584227][ T370] !!!!!!!! cgroup_kn_lock_live: css->flags & CSS_NO_REF 1 !!
[ 19.586652][ T23] audit: type=1400 audit(1654030891.180:77): avc: denied { read } for pid=361 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 19.594657][ T370] !!! cgroup_apply_control_disable
[ 19.617891][ T23] audit: type=1400 audit(1654030891.180:78): avc: denied { open } for pid=361 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 19.623063][ T370] !!!!!!!! cgroup_kn_lock_live: cgrp->self.flags & CSS_NO_REF 1 !!
[ 19.647244][ T23] audit: type=1400 audit(1654030891.190:79): avc: denied { mounton } for pid=370 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 19.655358][ T370] !!!!!!!! cgroup_kn_lock_live: css->flags & CSS_NO_REF 1 !!
[ 19.678394][ T23] audit: type=1400 audit(1654030891.190:80): avc: denied { mount } for pid=370 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 19.686084][ T370] !!! cgroup_apply_control_disable
[ 19.713982][ T370] !!!!!!!! cgroup_kn_lock_live: cgrp->self.flags & CSS_NO_REF 1 !!
[ 19.722285][ T370] !!!!!!!! cgroup_kn_lock_live: css->flags & CSS_NO_REF 1 !!
[ 19.730303][ T370] !!! cgroup_apply_control_disable
[ 19.735734][ T370] !!!!!!!! cgroup_kn_lock_live: cgrp->self.flags & CSS_NO_REF 1 !!
[ 19.743760][ T370] !!!!!!!! cgroup_kn_lock_live: css->flags & CSS_NO_REF 1 !!
[ 19.751162][ T370] !!! cgroup_apply_control_disable
[ 19.756308][ T370] !!!!!!!! cgroup_kn_lock_live: cgrp->self.flags & CSS_NO_REF 1 !!
[ 19.764726][ T370] cgroup: Unknown subsys name 'net'
[ 19.770232][ T370] !!! cgroup_apply_control_disable
[ 19.775884][ T23] audit: type=1400 audit(1654030891.390:81): avc: denied { unmount } for pid=370 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 19.775928][ T370] !!! cgroup_kill_sb killing css ffff88811a1780d8 !!!
[ 19.802952][ T370] !!! css_put is ALREADY zero css or dying ffff88811a178010 !!!
[ 19.811062][ T370] cgroup: Unknown subsys name 'devices'
[ 19.817505][ T370] !!! cgroup_apply_control_disable
[ 19.823123][ T370] !!! cgroup_kill_sb killing css ffff88811a17c0d8 !!!
[ 19.830010][ T370] !!! css_put is ALREADY zero css or dying ffff88811a17c010 !!!
[ 19.838068][ T370] !!! cgroup_apply_control_disable
[ 19.843751][ T24] !!! css_put is ALREADY zero css or dying ffff88811a178010 !!!
[ 19.852682][ T370] !!! cgroup_kill_sb killing css ffff88811a1a80d8 !!!
[ 19.859590][ T370] !!! css_put is ALREADY zero css or dying ffff88811a1a8010 !!!
[ 19.878253][ T24] !!! css_put is ALREADY zero css or dying ffff88811a17c010 !!!
[ 19.898246][ T45] !!! css_put is ALREADY zero css or dying ffff88811a1a8010 !!!
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
2022/05/31 21:06:31 SYZFATAL: BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, devices) failed: 22



Tested on:

commit: 04a2b747 cgroup: test css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
kernel config: https://syzkaller.appspot.com/x/.config?x=26b9d4a1c9786cc4

syzbot

May 31, 2022, 6:48:16 PM5/31/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]

executing program
executing program
executing program
executing program
executing program
2022/05/31 22:47:22 SYZFATAL: BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, devices) failed: 22


Warning: Permanently added '10.128.10.50' (ECDSA) to the list of known hosts.
2022/05/31 22:42:21 fuzzer started
2022/05/31 22:42:22 connecting to host at 10.128.0.163:40019
2022/05/31 22:42:22 checking machine...
2022/05/31 22:42:22 checking revisions...
2022/05/31 22:42:22 testing simple program...
[ 20.168701][ T23] audit: type=1400 audit(1654036942.189:73): avc: denied { integrity } for pid=361 comm="syz-fuzzer" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 20.178624][ T23] audit: type=1400 audit(1654036942.199:74): avc: denied { getattr } for pid=361 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 20.188178][ T23] audit: type=1400 audit(1654036942.199:75): avc: denied { read } for pid=361 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 20.194244][ T370] !!! cgroup_apply_control_disable
[ 20.207802][ T23] audit: type=1400 audit(1654036942.199:76): avc: denied { open } for pid=361 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 20.213196][ T370] !!! cgroup_apply_control_disable
[ 20.236483][ T23] audit: type=1400 audit(1654036942.199:77): avc: denied { read } for pid=361 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 20.241771][ T370] !!! cgroup_apply_control_disable
[ 20.264596][ T23] audit: type=1400 audit(1654036942.209:78): avc: denied { open } for pid=361 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 20.269670][ T370] !!! cgroup_apply_control_disable
[ 20.293281][ T23] audit: type=1400 audit(1654036942.209:79): avc: denied { mounton } for pid=370 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 20.298865][ T370] cgroup: Unknown subsys name 'net'
[ 20.321057][ T23] audit: type=1400 audit(1654036942.209:80): avc: denied { mount } for pid=370 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 20.326720][ T370] !!! cgroup_apply_control_disable
[ 20.354308][ T23] audit: type=1400 audit(1654036942.369:81): avc: denied { unmount } for pid=370 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 20.354324][ T370] !!! cgroup_kill_sb killing css ffff88811a1e00d8 !!!
[ 20.381503][ T370] !!! css_put is ALREADY zero css or dying ffff88811a1e0010 !!!
[ 20.389314][ T370] cgroup: Unknown subsys name 'devices'
[ 20.395069][ T370] !!! cgroup_apply_control_disable
[ 20.400580][ T370] !!! cgroup_kill_sb killing css ffff88811a2080d8 !!!
[ 20.407449][ T370] !!! css_put is ALREADY zero css or dying ffff88811a208010 !!!
[ 20.415665][ T370] !!! cgroup_apply_control_disable
[ 20.420873][ T74] !!! css_put is ALREADY zero css or dying ffff88811a1e0010 !!!
[ 20.428761][ T74] !!! css_put is ALREADY zero css or dying ffff88811a208010 !!!
[ 20.428931][ T370] !!! cgroup_kill_sb killing css ffff88811a20c0d8 !!!
[ 20.443385][ T370] !!! css_put is ALREADY zero css or dying ffff88811a20c010 !!!
[ 20.477747][ T24] !!! css_put is ALREADY zero css or dying ffff88811a20c010 !!!
2022/05/31 22:47:22 SYZFATAL: BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, devices) failed: 22



Tested on:

commit: 23366fb0 cgroup: test css_put imbalance

syzbot

May 31, 2022, 6:55:10 PM5/31/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

./include/linux/cgroup.h:415:1: error: function definition is not allowed here
./include/linux/cgroup.h:421:1: error: function definition is not allowed here
./include/linux/cgroup.h:426:1: error: function definition is not allowed here
./include/linux/cgroup.h:431:1: error: function definition is not allowed here
./include/linux/cgroup.h:480:1: error: function definition is not allowed here
./include/linux/cgroup.h:493:1: error: function definition is not allowed here
./include/linux/cgroup.h:508:1: error: function definition is not allowed here
./include/linux/cgroup.h:537:1: error: function definition is not allowed here
./include/linux/cgroup.h:544:1: error: function definition is not allowed here
./include/linux/cgroup.h:549:1: error: function definition is not allowed here
./include/linux/cgroup.h:554:1: error: function definition is not allowed here
./include/linux/cgroup.h:573:1: error: function definition is not allowed here
./include/linux/cgroup.h:592:1: error: function definition is not allowed here
./include/linux/cgroup.h:611:1: error: function definition is not allowed here
./include/linux/cgroup.h:619:1: error: function definition is not allowed here
./include/linux/cgroup.h:626:1: error: function definition is not allowed here
./include/linux/cgroup.h:632:1: error: function definition is not allowed here
./include/linux/cgroup.h:640:1: error: function definition is not allowed here
./include/linux/cgroup.h:645:1: error: function definition is not allowed here


Tested on:

commit: 49ff62a8 cgroup: test css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
dashboard link: https://syzkaller.appspot.com/bug?extid=e42ae441c3b10acf9e9d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63

syzbot

May 31, 2022, 7:13:09 PM5/31/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]

executing program
executing program
executing program
executing program
executing program
2022/05/31 23:12:27 SYZFATAL: BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, devices) failed: 22


Warning: Permanently added '10.128.10.50' (ECDSA) to the list of known hosts.
2022/05/31 23:07:27 fuzzer started
2022/05/31 23:07:27 connecting to host at 10.128.0.163:42757
2022/05/31 23:07:27 checking machine...
2022/05/31 23:07:27 checking revisions...
2022/05/31 23:07:27 testing simple program...
[ 18.950706][ T23] audit: type=1400 audit(1654038447.839:73): avc: denied { integrity } for pid=361 comm="syz-fuzzer" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 18.957636][ T23] audit: type=1400 audit(1654038447.839:74): avc: denied { getattr } for pid=361 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 18.962960][ T23] audit: type=1400 audit(1654038447.839:75): avc: denied { read } for pid=361 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 18.966911][ T23] audit: type=1400 audit(1654038447.839:76): avc: denied { open } for pid=361 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 18.967214][ T369] !!! cgroup_apply_control_disable
[ 18.970954][ T23] audit: type=1400 audit(1654038447.859:77): avc: denied { read } for pid=361 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 18.976374][ T369] !!! cgroup_apply_control_disable
[ 18.999590][ T23] audit: type=1400 audit(1654038447.859:78): avc: denied { open } for pid=361 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 19.004428][ T369] !!! cgroup_apply_control_disable
[ 19.027766][ T23] audit: type=1400 audit(1654038447.859:79): avc: denied { mounton } for pid=369 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 19.032886][ T369] !!! cgroup_apply_control_disable
[ 19.055526][ T23] audit: type=1400 audit(1654038447.859:80): avc: denied { mount } for pid=369 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 19.061354][ T369] cgroup: Unknown subsys name 'net'
[ 19.088553][ T369] !!! cgroup_apply_control_disable
[ 19.094318][ T23] audit: type=1400 audit(1654038447.989:81): avc: denied { unmount } for pid=369 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 19.094356][ T369] !!! cgroup_kill_sb killing css ffff88811a4d00d8 !!!
[ 19.121412][ T369] cgroup: Unknown subsys name 'devices'
[ 19.127315][ T369] !!! cgroup_apply_control_disable
[ 19.132949][ T369] !!! cgroup_kill_sb killing css ffff88811a5000d8 !!!
[ 19.139894][ T369] !!! cgroup_apply_control_disable
[ 19.145290][ T369] !!! cgroup_kill_sb killing css ffff88811a5040d8 !!!
2022/05/31 23:12:27 SYZFATAL: BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, devices) failed: 22



Tested on:

commit: eaa5a493 cgroup: test css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
kernel config: https://syzkaller.appspot.com/x/.config?x=26b9d4a1c9786cc4
dashboard link: https://syzkaller.appspot.com/bug?extid=e42ae441c3b10acf9e9d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2

syzbot

Jun 1, 2022, 10:31:10 AM6/1/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]

executing program
executing program
executing program
executing program
executing program
2022/06/01 14:30:18 SYZFATAL: BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, devices) failed: 22


Warning: Permanently added '10.128.1.8' (ECDSA) to the list of known hosts.
2022/06/01 14:25:17 fuzzer started
2022/06/01 14:25:17 connecting to host at 10.128.0.163:42131
2022/06/01 14:25:17 checking machine...
2022/06/01 14:25:17 checking revisions...
2022/06/01 14:25:17 testing simple program...
[ 20.621145][ T23] audit: type=1400 audit(1654093517.950:73): avc: denied { integrity } for pid=361 comm="syz-fuzzer" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 20.646682][ T23] audit: type=1400 audit(1654093517.980:74): avc: denied { getattr } for pid=361 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 20.655663][ T370] !!! cgroup_apply_control_disable
[ 20.671196][ T23] audit: type=1400 audit(1654093517.980:75): avc: denied { read } for pid=361 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 20.676458][ T370] !!! cgroup_apply_control_disable
[ 20.698607][ T23] audit: type=1400 audit(1654093517.980:76): avc: denied { open } for pid=361 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 20.703259][ T370] !!! cgroup_apply_control_disable
[ 20.726704][ T23] audit: type=1400 audit(1654093517.980:77): avc: denied { read } for pid=361 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 20.733445][ T370] !!! cgroup_apply_control_disable
[ 20.757216][ T23] audit: type=1400 audit(1654093517.980:78): avc: denied { open } for pid=361 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 20.762878][ T370] cgroup: Unknown subsys name 'net'
[ 20.786575][ T23] audit: type=1400 audit(1654093517.980:79): avc: denied { mounton } for pid=370 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 20.792250][ T370] !!! cgroup_apply_control_disable
[ 20.815141][ T23] audit: type=1400 audit(1654093517.980:80): avc: denied { mount } for pid=370 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 20.843666][ T23] audit: type=1400 audit(1654093518.150:81): avc: denied { unmount } for pid=370 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 20.843806][ T370] cgroup: Unknown subsys name 'devices'
[ 20.870438][ T370] !!! cgroup_apply_control_disable
[ 20.876228][ T370] !!! cgroup_apply_control_disable
2022/06/01 14:30:18 SYZFATAL: BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, devices) failed: 22



Tested on:

commit: 04b93f9e cgroup: test css_put imbalance

syzbot

Jun 1, 2022, 11:01:18 AM6/1/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]

executing program
executing program
executing program
executing program
executing program
2022/06/01 15:00:21 SYZFATAL: BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, devices) failed: 22


Warning: Permanently added '10.128.0.97' (ECDSA) to the list of known hosts.
2022/06/01 14:55:21 fuzzer started
2022/06/01 14:55:21 connecting to host at 10.128.0.163:37713
2022/06/01 14:55:21 checking machine...
2022/06/01 14:55:21 checking revisions...
2022/06/01 14:55:21 testing simple program...
[ 18.379471][ T23] audit: type=1400 audit(1654095321.439:73): avc: denied { integrity } for pid=361 comm="syz-fuzzer" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 18.386792][ T23] audit: type=1400 audit(1654095321.449:74): avc: denied { getattr } for pid=361 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 18.390535][ T23] audit: type=1400 audit(1654095321.449:75): avc: denied { read } for pid=361 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 18.394320][ T23] audit: type=1400 audit(1654095321.449:76): avc: denied { open } for pid=361 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 18.398781][ T23] audit: type=1400 audit(1654095321.449:77): avc: denied { read } for pid=361 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 18.401028][ T370] cgroup: Unknown subsys name 'net'
[ 18.415337][ T23] audit: type=1400 audit(1654095321.449:78): avc: denied { open } for pid=361 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 18.444667][ T23] audit: type=1400 audit(1654095321.459:79): avc: denied { mounton } for pid=370 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 18.444831][ T370] cgroup: Unknown subsys name 'devices'
[ 18.467431][ T23] audit: type=1400 audit(1654095321.459:80): avc: denied { mount } for pid=370 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 18.494995][ T23] audit: type=1400 audit(1654095321.489:81): avc: denied { unmount } for pid=370 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
2022/06/01 15:00:21 SYZFATAL: BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, devices) failed: 22



Tested on:

commit: 6200d579 cgroup: test css_put imbalance

syzbot

Jun 1, 2022, 11:24:08 AM6/1/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]

executing program
executing program
executing program
executing program
executing program
2022/06/01 15:23:07 SYZFATAL: BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, devices) failed: 22


DUID 00:04:ff:5e:17:7d:d8:53:5e:f8:54:ce:ed:1b:c4:81:88:80
forked to background, child pid 195
Starting sshd: OK

syzkaller
syzkaller login: [ 135.233499][ T23] kauditd_printk_skb: 60 callbacks suppressed
[ 135.233508][ T23] audit: type=1400 audit(1654096680.179:71): avc: denied { transition } for pid=337 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 135.243182][ T23] audit: type=1400 audit(1654096680.189:72): avc: denied { write } for pid=337 comm="sh" path="pipe:[11171]" dev="pipefs" ino=11171 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
Warning: Permanently added '10.128.0.138' (ECDSA) to the list of known hosts.
2022/06/01 15:18:06 fuzzer started
2022/06/01 15:18:06 connecting to host at 10.128.0.163:42461
2022/06/01 15:18:06 checking machine...
2022/06/01 15:18:06 checking revisions...
2022/06/01 15:18:07 testing simple program...
[ 142.137966][ T23] audit: type=1400 audit(1654096687.079:73): avc: denied { integrity } for pid=346 comm="syz-fuzzer" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 142.162723][ T23] audit: type=1400 audit(1654096687.109:74): avc: denied { getattr } for pid=346 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 142.175555][ T354] cgroup: Unknown subsys name 'net'
[ 142.187255][ T23] audit: type=1400 audit(1654096687.109:75): avc: denied { read } for pid=346 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 142.213083][ T23] audit: type=1400 audit(1654096687.109:76): avc: denied { open } for pid=346 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 142.213255][ T354] cgroup: Unknown subsys name 'devices'
[ 142.236282][ T23] audit: type=1400 audit(1654096687.109:77): avc: denied { read } for pid=346 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 142.264847][ T23] audit: type=1400 audit(1654096687.109:78): avc: denied { open } for pid=346 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 142.288363][ T23] audit: type=1400 audit(1654096687.119:79): avc: denied { mounton } for pid=354 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 142.311074][ T23] audit: type=1400 audit(1654096687.119:80): avc: denied { mount } for pid=354 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 142.333818][ T23] audit: type=1400 audit(1654096687.139:81): avc: denied { unmount } for pid=354 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
2022/06/01 15:23:07 SYZFATAL: BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, devices) failed: 22



Tested on:

commit: 1e8d2a59 cgroup: test css_put imbalance

syzbot

Jun 1, 2022, 12:49:12 PM6/1/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]

executing program
executing program
executing program
executing program
executing program
2022/06/01 16:48:53 SYZFATAL: BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, devices) failed: 22


Warning: Permanently added '10.128.1.59' (ECDSA) to the list of known hosts.
2022/06/01 16:43:53 fuzzer started
2022/06/01 16:43:53 connecting to host at 10.128.0.163:43767
2022/06/01 16:43:53 checking machine...
2022/06/01 16:43:53 checking revisions...
2022/06/01 16:43:53 testing simple program...
[ 20.245291][ T23] audit: type=1400 audit(1654101833.930:73): avc: denied { integrity } for pid=361 comm="syz-fuzzer" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 20.250340][ T23] audit: type=1400 audit(1654101833.930:74): avc: denied { getattr } for pid=361 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 20.255518][ T23] audit: type=1400 audit(1654101833.930:75): avc: denied { read } for pid=361 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 20.259034][ T370] cgroup: Unknown subsys name 'net'
[ 20.259659][ T23] audit: type=1400 audit(1654101833.930:76): avc: denied { open } for pid=361 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 20.264450][ T23] audit: type=1400 audit(1654101833.930:77): avc: denied { read } for pid=361 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 20.264609][ T370] cgroup: Unknown subsys name 'devices'
[ 20.283047][ T23] audit: type=1400 audit(1654101833.930:78): avc: denied { open } for pid=361 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 20.312120][ T23] audit: type=1400 audit(1654101833.940:79): avc: denied { mounton } for pid=370 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 20.334892][ T23] audit: type=1400 audit(1654101833.940:80): avc: denied { mount } for pid=370 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 20.357449][ T23] audit: type=1400 audit(1654101833.940:81): avc: denied { unmount } for pid=370 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
2022/06/01 16:48:53 SYZFATAL: BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, devices) failed: 22



Tested on:

commit: d214cf8e cgroup: test css_put imbalance

syzbot

Jun 1, 2022, 1:04:10 PM6/1/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

list_add corruption. prev->next should be next (ffff8881f715b560), but was ffff88810d49dc70. (prev=ffff88810d49dc70).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.10.119-syzkaller-00164-g56c31ac1d8aa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 b7 cb 1b 02 0f 0b 48 c7 c7 90 3a d6 85 e8 b6 f2 19 00 48 c7 c7 60 f3 02 85 4c 89 f6 4c 89 e1 31 c0 e8 95 cb 1b 02 <0f> 0b 48 c7 c7 a0 3a d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000160bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f715b568 RCX: 0cc0373b428b7300
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000160be8 R08: ffffffff81514558 R09: ffffed103ee2a590
R10: ffffed103ee2a590 R11: 1ffff1103ee2a58f R12: ffff88810d49dc70
R13: dffffc0000000000 R14: ffff8881f715b560 R15: ffff88810d49dc70
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb7116ac090 CR3: 000000011a5d8000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0xfc/0x330 kernel/workqueue.c:1342
__queue_work+0x99e/0xe20 kernel/workqueue.c:1504
queue_work_on+0xbe/0x110 kernel/workqueue.c:1531
queue_work include/linux/workqueue.h:507 [inline]
css_release+0xae/0xc0 kernel/cgroup/cgroup.c:5112
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5be/0x5e0 lib/percpu-refcount.c:199
rcu_do_batch+0x4ad/0xb00 kernel/rcu/tree.c:2485
rcu_core+0x64a/0xdf0 kernel/rcu/tree.c:2726
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2739
__do_softirq+0x253/0x67b kernel/softirq.c:298
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:393 [inline]
__irq_exit_rcu+0x152/0x1e0 kernel/softirq.c:423
irq_exit_rcu+0x9/0x10 kernel/softirq.c:435
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:49 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:89 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:114 [inline]
RIP: 0010:acpi_idle_do_entry+0xbb/0x1f0 drivers/acpi/processor_idle.c:558
Code: 89 de 48 83 e6 08 31 ff e8 b2 e0 0a fd 48 83 e3 08 0f 85 ae 00 00 00 e9 0c 00 00 00 e8 7e db 0a fd 0f 00 2d e7 b8 ab 00 fb f4 <fa> e9 a1 00 00 00 49 83 c6 04 4c 89 f0 48 c1 e8 03 42 8a 04 38 84
RSP: 0018:ffffc900000f7d58 EFLAGS: 00000246
RAX: 1ffff11020046b70 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888100235b80 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900000f7d70 R08: ffffffff845e2ebe R09: ffffed1020046b71
R10: ffffed1020046b71 R11: 1ffff11020046b70 R12: 0000000000000001
R13: ffff888105710004 R14: ffff888101cf7064 R15: dffffc0000000000
acpi_idle_enter+0x32d/0x4f0 drivers/acpi/processor_idle.c:693
cpuidle_enter_state+0x4c8/0x10d0 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:351
call_cpuidle kernel/sched/idle.c:158 [inline]
cpuidle_idle_call kernel/sched/idle.c:239 [inline]
do_idle+0x3a8/0x540 kernel/sched/idle.c:300
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:396
start_secondary+0xd7/0xe0 arch/x86/kernel/smpboot.c:265
secondary_startup_64_no_verify+0xb0/0xbb
Modules linked in:
---[ end trace f483058663da04a2 ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 b7 cb 1b 02 0f 0b 48 c7 c7 90 3a d6 85 e8 b6 f2 19 00 48 c7 c7 60 f3 02 85 4c 89 f6 4c 89 e1 31 c0 e8 95 cb 1b 02 <0f> 0b 48 c7 c7 a0 3a d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000160bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f715b568 RCX: 0cc0373b428b7300
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000160be8 R08: ffffffff81514558 R09: ffffed103ee2a590
R10: ffffed103ee2a590 R11: 1ffff1103ee2a58f R12: ffff88810d49dc70
R13: dffffc0000000000 R14: ffff8881f715b560 R15: ffff88810d49dc70
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb7116ac090 CR3: 000000011a5d8000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: 48 83 e6 08 and $0x8,%rsi
6: 31 ff xor %edi,%edi
8: e8 b2 e0 0a fd callq 0xfd0ae0bf
d: 48 83 e3 08 and $0x8,%rbx
11: 0f 85 ae 00 00 00 jne 0xc5
17: e9 0c 00 00 00 jmpq 0x28
1c: e8 7e db 0a fd callq 0xfd0adb9f
21: 0f 00 2d e7 b8 ab 00 verw 0xabb8e7(%rip) # 0xabb90f
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 a1 00 00 00 jmpq 0xd1
30: 49 83 c6 04 add $0x4,%r14
34: 4c 89 f0 mov %r14,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 8a 04 38 mov (%rax,%r15,1),%al
3f: 84 .byte 0x84


Tested on:

commit: 56c31ac1 Linux 5.10.119
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16de4ff3f00000

syzbot

Jun 1, 2022, 1:17:14 PM6/1/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]

executing program
executing program
executing program
executing program
executing program
2022/06/01 17:16:06 SYZFATAL: BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, devices) failed: 22


Warning: Permanently added '10.128.0.139' (ECDSA) to the list of known hosts.
2022/06/01 17:11:05 fuzzer started
2022/06/01 17:11:05 connecting to host at 10.128.0.163:41373
2022/06/01 17:11:05 checking machine...
2022/06/01 17:11:05 checking revisions...
2022/06/01 17:11:05 testing simple program...
[ 21.675901][ T23] audit: type=1400 audit(1654103465.969:73): avc: denied { integrity } for pid=373 comm="syz-fuzzer" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 21.695894][ T382] cgroup: Unknown subsys name 'net'
[ 21.698672][ T23] audit: type=1400 audit(1654103465.979:74): avc: denied { getattr } for pid=373 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 21.727708][ T23] audit: type=1400 audit(1654103465.979:75): avc: denied { read } for pid=373 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 21.727860][ T382] cgroup: Unknown subsys name 'devices'
[ 21.748795][ T23] audit: type=1400 audit(1654103465.979:76): avc: denied { open } for pid=373 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 21.778298][ T23] audit: type=1400 audit(1654103465.989:77): avc: denied { read } for pid=373 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 21.801382][ T23] audit: type=1400 audit(1654103465.989:78): avc: denied { open } for pid=373 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 21.824909][ T23] audit: type=1400 audit(1654103465.989:79): avc: denied { mounton } for pid=382 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 21.847998][ T23] audit: type=1400 audit(1654103465.989:80): avc: denied { mount } for pid=382 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 21.870343][ T23] audit: type=1400 audit(1654103465.999:81): avc: denied { unmount } for pid=382 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
2022/06/01 17:16:06 SYZFATAL: BUG: host setup failed: timedout after 5m0s ["./syz-executor" "setup" "fault" "usb"]
mount(/syzcgroup/net, net) failed: 22
mount(/syzcgroup/net, devices) failed: 22



Tested on:

commit: d214cf8e cgroup: test css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y

syzbot

Jun 1, 2022, 1:35:07 PM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

list_add corruption. prev->next should be next (ffff8881f715b560), but was ffff88810e0cfc70. (prev=ffff88810e0cfc70).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.10.119-syzkaller-00164-g56c31ac1d8aa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 b7 cb 1b 02 0f 0b 48 c7 c7 90 3a d6 85 e8 b6 f2 19 00 48 c7 c7 e0 f1 02 85 4c 89 f6 4c 89 e1 31 c0 e8 95 cb 1b 02 <0f> 0b 48 c7 c7 a0 3a d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000160bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f715b568 RCX: 97dffc04ee2ce600
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000160be8 R08: ffffffff81514558 R09: ffffed103ee2a590
R10: ffffed103ee2a590 R11: 1ffff1103ee2a58f R12: ffff88810e0cfc70
R13: dffffc0000000000 R14: ffff8881f715b560 R15: ffff88810e0cfc70
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd90c4d5090 CR3: 0000000109338000 CR4: 00000000003506a0
Code: 89 de 48 83 e6 08 31 ff e8 b2 e0 0a fd 48 83 e3 08 0f 85 ae 00 00 00 e9 0c 00 00 00 e8 7e db 0a fd 0f 00 2d 67 b7 ab 00 fb f4 <fa> e9 a1 00 00 00 49 83 c6 04 4c 89 f0 48 c1 e8 03 42 8a 04 38 84
RSP: 0018:ffffc900000f7d58 EFLAGS: 00000246
RAX: 1ffff11020046000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888100230000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900000f7d70 R08: ffffffff845e2ebe R09: ffffed1020046001
R10: ffffed1020046001 R11: 1ffff11020046000 R12: 0000000000000001
R13: ffff88810574b004 R14: ffff888101ade864 R15: dffffc0000000000
acpi_idle_enter+0x32d/0x4f0 drivers/acpi/processor_idle.c:693
cpuidle_enter_state+0x4c8/0x10d0 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:351
call_cpuidle kernel/sched/idle.c:158 [inline]
cpuidle_idle_call kernel/sched/idle.c:239 [inline]
do_idle+0x3a8/0x540 kernel/sched/idle.c:300
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:396
start_secondary+0xd7/0xe0 arch/x86/kernel/smpboot.c:265
secondary_startup_64_no_verify+0xb0/0xbb
Modules linked in:
---[ end trace d3c783a64b419902 ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 b7 cb 1b 02 0f 0b 48 c7 c7 90 3a d6 85 e8 b6 f2 19 00 48 c7 c7 e0 f1 02 85 4c 89 f6 4c 89 e1 31 c0 e8 95 cb 1b 02 <0f> 0b 48 c7 c7 a0 3a d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000160bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f715b568 RCX: 97dffc04ee2ce600
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000160be8 R08: ffffffff81514558 R09: ffffed103ee2a590
R10: ffffed103ee2a590 R11: 1ffff1103ee2a58f R12: ffff88810e0cfc70
R13: dffffc0000000000 R14: ffff8881f715b560 R15: ffff88810e0cfc70
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd90c4d5090 CR3: 0000000109338000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: 48 83 e6 08 and $0x8,%rsi
6: 31 ff xor %edi,%edi
8: e8 b2 e0 0a fd callq 0xfd0ae0bf
d: 48 83 e3 08 and $0x8,%rbx
11: 0f 85 ae 00 00 00 jne 0xc5
17: e9 0c 00 00 00 jmpq 0x28
1c: e8 7e db 0a fd callq 0xfd0adb9f
21: 0f 00 2d 67 b7 ab 00 verw 0xabb767(%rip) # 0xabb78f
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 a1 00 00 00 jmpq 0xd1
30: 49 83 c6 04 add $0x4,%r14
34: 4c 89 f0 mov %r14,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 8a 04 38 mov (%rax,%r15,1),%al
3f: 84 .byte 0x84


Tested on:

commit: 56c31ac1 Linux 5.10.119
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=161647f5f00000

syzbot

Jun 1, 2022, 1:46:09 PM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

list_add corruption. prev->next should be next (ffff8881f705b560), but was ffff88810e731070. (prev=ffff88810e731070).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.10.119-syzkaller-00165-ge5b47f6d9b5f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 b7 cb 1b 02 0f 0b 48 c7 c7 90 3a d6 85 e8 b6 f2 19 00 48 c7 c7 a0 f2 02 85 4c 89 f6 4c 89 e1 31 c0 e8 95 cb 1b 02 <0f> 0b 48 c7 c7 a0 3a d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b568 RCX: a201b0cc380d2a00
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff81514558 R09: ffffed103ee0a590
R10: ffffed103ee0a590 R11: 1ffff1103ee0a58f R12: ffff88810e731070
R13: dffffc0000000000 R14: ffff8881f705b560 R15: ffff88810e731070
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc94260c090 CR3: 00000001037ee000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0xfc/0x330 kernel/workqueue.c:1342
__queue_work+0x99e/0xe20 kernel/workqueue.c:1504
queue_work_on+0xbe/0x110 kernel/workqueue.c:1531
queue_work include/linux/workqueue.h:507 [inline]
css_release+0xae/0xc0 kernel/cgroup/cgroup.c:5113
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5be/0x5e0 lib/percpu-refcount.c:199
rcu_do_batch+0x4ad/0xb00 kernel/rcu/tree.c:2485
rcu_core+0x64a/0xdf0 kernel/rcu/tree.c:2726
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2739
__do_softirq+0x253/0x67b kernel/softirq.c:298
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:393 [inline]
__irq_exit_rcu+0x152/0x1e0 kernel/softirq.c:423
irq_exit_rcu+0x9/0x10 kernel/softirq.c:435
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:49 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:89 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:114 [inline]
RIP: 0010:acpi_idle_do_entry+0xbb/0x1f0 drivers/acpi/processor_idle.c:558
Code: 89 de 48 83 e6 08 31 ff e8 b2 e0 0a fd 48 83 e3 08 0f 85 ae 00 00 00 e9 0c 00 00 00 e8 7e db 0a fd 0f 00 2d b7 b7 ab 00 fb f4 <fa> e9 a1 00 00 00 49 83 c6 04 4c 89 f0 48 c1 e8 03 42 8a 04 38 84
RSP: 0018:ffffffff85a07ce8 EFLAGS: 00000246
RAX: 1ffffffff0b43630 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffffffff85a1b180 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffff85a07d00 R08: ffffffff845e2f2e R09: fffffbfff0b43631
R10: fffffbfff0b43631 R11: 1ffffffff0b43630 R12: 0000000000000001
R13: ffff888100074004 R14: ffff8881018ee064 R15: dffffc0000000000
acpi_idle_enter+0x32d/0x4f0 drivers/acpi/processor_idle.c:693
cpuidle_enter_state+0x4c8/0x10d0 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:351
call_cpuidle kernel/sched/idle.c:158 [inline]
cpuidle_idle_call kernel/sched/idle.c:239 [inline]
do_idle+0x3a8/0x540 kernel/sched/idle.c:300
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:396
rest_init+0xe6/0xf0 init/main.c:722
arch_call_rest_init+0xe/0x10 init/main.c:846
start_kernel+0x461/0x4fc init/main.c:1055
x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:526
x86_64_start_kernel+0x7a/0x7d arch/x86/kernel/head64.c:507
secondary_startup_64_no_verify+0xb0/0xbb
Modules linked in:
---[ end trace 0be4e8a071b35392 ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 b7 cb 1b 02 0f 0b 48 c7 c7 90 3a d6 85 e8 b6 f2 19 00 48 c7 c7 a0 f2 02 85 4c 89 f6 4c 89 e1 31 c0 e8 95 cb 1b 02 <0f> 0b 48 c7 c7 a0 3a d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b568 RCX: a201b0cc380d2a00
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff81514558 R09: ffffed103ee0a590
R10: ffffed103ee0a590 R11: 1ffff1103ee0a58f R12: ffff88810e731070
R13: dffffc0000000000 R14: ffff8881f705b560 R15: ffff88810e731070
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc94260c090 CR3: 00000001037ee000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: 48 83 e6 08 and $0x8,%rsi
6: 31 ff xor %edi,%edi
8: e8 b2 e0 0a fd callq 0xfd0ae0bf
d: 48 83 e3 08 and $0x8,%rbx
11: 0f 85 ae 00 00 00 jne 0xc5
17: e9 0c 00 00 00 jmpq 0x28
1c: e8 7e db 0a fd callq 0xfd0adb9f
21: 0f 00 2d b7 b7 ab 00 verw 0xabb7b7(%rip) # 0xabb7df
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 a1 00 00 00 jmpq 0xd1
30: 49 83 c6 04 add $0x4,%r14
34: 4c 89 f0 mov %r14,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 8a 04 38 mov (%rax,%r15,1),%al
3f: 84 .byte 0x84


Tested on:

commit: e5b47f6d css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1774f2ebf00000

syzbot

Jun 1, 2022, 1:56:12 PM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!!!! css_killed_ref_fn css ffff888111c67c00 !!!
!!!!! css_killed_ref_fn css ffff888111c67400 !!!
!!!!! css_release css ffff888111c67400 !!!
list_add corruption. prev->next should be next (ffff8881f705b560), but was ffff888111c67470. (prev=ffff888111c67470).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.10.119-syzkaller-00165-g0a66ee8e523f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 b7 cb 1b 02 0f 0b 48 c7 c7 50 3b d6 85 e8 b6 f2 19 00 48 c7 c7 60 f1 02 85 4c 89 f6 4c 89 e1 31 c0 e8 95 cb 1b 02 <0f> 0b 48 c7 c7 60 3b d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b568 RCX: 49bfa62f1adb1700
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff81514558 R09: ffffed103ee04e73
R10: ffffed103ee04e73 R11: 1ffff1103ee04e72 R12: ffff888111c67470
R13: dffffc0000000000 R14: ffff8881f705b560 R15: ffff888111c67470
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9216b5b090 CR3: 0000000109304000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0xfc/0x330 kernel/workqueue.c:1342
__queue_work+0x99e/0xe20 kernel/workqueue.c:1504
queue_work_on+0xbe/0x110 kernel/workqueue.c:1531
queue_work include/linux/workqueue.h:507 [inline]
css_release+0xc0/0xd0 kernel/cgroup/cgroup.c:5115
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5be/0x5e0 lib/percpu-refcount.c:199
rcu_do_batch+0x4ad/0xb00 kernel/rcu/tree.c:2485
rcu_core+0x64a/0xdf0 kernel/rcu/tree.c:2726
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2739
__do_softirq+0x253/0x67b kernel/softirq.c:298
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:393 [inline]
__irq_exit_rcu+0x152/0x1e0 kernel/softirq.c:423
irq_exit_rcu+0x9/0x10 kernel/softirq.c:435
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:49 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:89 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:114 [inline]
RIP: 0010:acpi_idle_do_entry+0xbb/0x1f0 drivers/acpi/processor_idle.c:558
Code: 89 de 48 83 e6 08 31 ff e8 b2 e0 0a fd 48 83 e3 08 0f 85 ae 00 00 00 e9 0c 00 00 00 e8 7e db 0a fd 0f 00 2d 47 b6 ab 00 fb f4 <fa> e9 a1 00 00 00 49 83 c6 04 4c 89 f0 48 c1 e8 03 42 8a 04 38 84
RSP: 0018:ffffffff85a07ce8 EFLAGS: 00000246
RAX: 1ffffffff0b43630 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffffffff85a1b180 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffff85a07d00 R08: ffffffff845e2f5e R09: fffffbfff0b43631
R10: fffffbfff0b43631 R11: 1ffffffff0b43630 R12: 0000000000000001
R13: ffff8881010e0004 R14: ffff888100071064 R15: dffffc0000000000
acpi_idle_enter+0x32d/0x4f0 drivers/acpi/processor_idle.c:693
cpuidle_enter_state+0x4c8/0x10d0 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:351
call_cpuidle kernel/sched/idle.c:158 [inline]
cpuidle_idle_call kernel/sched/idle.c:239 [inline]
do_idle+0x3a8/0x540 kernel/sched/idle.c:300
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:396
rest_init+0xe6/0xf0 init/main.c:722
arch_call_rest_init+0xe/0x10 init/main.c:846
start_kernel+0x461/0x4fc init/main.c:1055
x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:526
x86_64_start_kernel+0x7a/0x7d arch/x86/kernel/head64.c:507
secondary_startup_64_no_verify+0xb0/0xbb
Modules linked in:
---[ end trace 84e0bdab5464fe3d ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 b7 cb 1b 02 0f 0b 48 c7 c7 50 3b d6 85 e8 b6 f2 19 00 48 c7 c7 60 f1 02 85 4c 89 f6 4c 89 e1 31 c0 e8 95 cb 1b 02 <0f> 0b 48 c7 c7 60 3b d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b568 RCX: 49bfa62f1adb1700
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff81514558 R09: ffffed103ee04e73
R10: ffffed103ee04e73 R11: 1ffff1103ee04e72 R12: ffff888111c67470
R13: dffffc0000000000 R14: ffff8881f705b560 R15: ffff888111c67470
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9216b5b090 CR3: 0000000109304000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: 48 83 e6 08 and $0x8,%rsi
6: 31 ff xor %edi,%edi
8: e8 b2 e0 0a fd callq 0xfd0ae0bf
d: 48 83 e3 08 and $0x8,%rbx
11: 0f 85 ae 00 00 00 jne 0xc5
17: e9 0c 00 00 00 jmpq 0x28
1c: e8 7e db 0a fd callq 0xfd0adb9f
21: 0f 00 2d 47 b6 ab 00 verw 0xabb647(%rip) # 0xabb66f
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 a1 00 00 00 jmpq 0xd1
30: 49 83 c6 04 add $0x4,%r14
34: 4c 89 f0 mov %r14,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 8a 04 38 mov (%rax,%r15,1),%al
3f: 84 .byte 0x84


Tested on:

commit: 0a66ee8e css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17ee6dbdf00000

syzbot

Jun 1, 2022, 2:51:15 PM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

kernel/cgroup/cgroup.c:1568:26: error: invalid operands to binary expression ('struct percpu_ref' and 'int')


Tested on:

commit: 3bfd8e2d css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y

syzbot

Jun 1, 2022, 3:02:18 PM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!!!! css_killed_ref_fn css ffff88810e5a8c00 !!!
!!!!! css_killed_ref_fn css ffff88810e5a8800 !!!
!!!!! css_release css ffff88810e5a8800 !!!
list_add corruption. prev->next should be next (ffff8881f715b560), but was ffff88810e5a8870. (prev=ffff88810e5a8870).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 18 Comm: ksoftirqd/1 Tainted: G W 5.10.119-syzkaller-00166-g98fd29306a05 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 b7 cb 1b 02 0f 0b 48 c7 c7 50 3b d6 85 e8 b6 f2 19 00 48 c7 c7 e0 f3 02 85 4c 89 f6 4c 89 e1 31 c0 e8 95 cb 1b 02 <0f> 0b 48 c7 c7 60 3b d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000137a20 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f715b568 RCX: 31b8a9d7228b8500
RDX: 0000000000000101 RSI: 0000000000000101 RDI: 0000000000000000
RBP: ffffc90000137a48 R08: ffffffff81514558 R09: ffffed103ee24e73
R10: ffffed103ee24e73 R11: 1ffff1103ee24e72 R12: ffff88810e5a8870
R13: dffffc0000000000 R14: ffff8881f715b560 R15: ffff88810e5a8870
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f180d110998 CR3: 000000010989c000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0xfc/0x330 kernel/workqueue.c:1342
__queue_work+0x99e/0xe20 kernel/workqueue.c:1504
queue_work_on+0xbe/0x110 kernel/workqueue.c:1531
queue_work include/linux/workqueue.h:507 [inline]
css_release+0xc0/0xd0 kernel/cgroup/cgroup.c:5116
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5be/0x5e0 lib/percpu-refcount.c:199
rcu_do_batch+0x4ad/0xb00 kernel/rcu/tree.c:2485
rcu_core+0x64a/0xdf0 kernel/rcu/tree.c:2726
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2739
__do_softirq+0x253/0x67b kernel/softirq.c:298
run_ksoftirqd+0x23/0x30 kernel/softirq.c:653
smpboot_thread_fn+0x4c8/0x8b0 kernel/smpboot.c:164
kthread+0x365/0x400 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace 7436ad90aa4f7d66 ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 b7 cb 1b 02 0f 0b 48 c7 c7 50 3b d6 85 e8 b6 f2 19 00 48 c7 c7 e0 f3 02 85 4c 89 f6 4c 89 e1 31 c0 e8 95 cb 1b 02 <0f> 0b 48 c7 c7 60 3b d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000137a20 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f715b568 RCX: 31b8a9d7228b8500
RDX: 0000000000000101 RSI: 0000000000000101 RDI: 0000000000000000
RBP: ffffc90000137a48 R08: ffffffff81514558 R09: ffffed103ee24e73
R10: ffffed103ee24e73 R11: 1ffff1103ee24e72 R12: ffff88810e5a8870
R13: dffffc0000000000 R14: ffff8881f715b560 R15: ffff88810e5a8870
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f180d110998 CR3: 000000010989c000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 98fd2930 css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=160616bdf00000
kernel config: https://syzkaller.appspot.com/x/.config?x=26b9d4a1c9786cc4

syzbot

Jun 1, 2022, 3:16:11 PM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!!!! css_killed_ref_fn css ffff88810d985400 !!!
!!!!! css_killed_ref_fn css ffff88810d985c00 !!!
!!!!! css_release css ffff88810d985c00 !!!
list_add corruption. prev->next should be next (ffff8881f705b560), but was ffff88810d985c70. (prev=ffff88810d985c70).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.10.119-syzkaller-00166-g4bea09c60b17 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 b7 cb 1b 02 0f 0b 48 c7 c7 50 3b d6 85 e8 b6 f2 19 00 48 c7 c7 60 f5 02 85 4c 89 f6 4c 89 e1 31 c0 e8 95 cb 1b 02 <0f> 0b 48 c7 c7 60 3b d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b568 RCX: 5ab32c51d0d3a800
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff81514558 R09: ffffed103ee0a590
R10: ffffed103ee0a590 R11: 1ffff1103ee0a58f R12: ffff88810d985c70
R13: dffffc0000000000 R14: ffff8881f705b560 R15: ffff88810d985c70
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f02a3f88090 CR3: 00000001075ca000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0xfc/0x330 kernel/workqueue.c:1342
__queue_work+0x99e/0xe20 kernel/workqueue.c:1504
queue_work_on+0xbe/0x110 kernel/workqueue.c:1531
queue_work include/linux/workqueue.h:507 [inline]
css_release+0xdb/0x100 kernel/cgroup/cgroup.c:5117
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5be/0x5e0 lib/percpu-refcount.c:199
rcu_do_batch+0x4ad/0xb00 kernel/rcu/tree.c:2485
rcu_core+0x64a/0xdf0 kernel/rcu/tree.c:2726
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2739
__do_softirq+0x253/0x67b kernel/softirq.c:298
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:393 [inline]
__irq_exit_rcu+0x152/0x1e0 kernel/softirq.c:423
irq_exit_rcu+0x9/0x10 kernel/softirq.c:435
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:49 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:89 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:114 [inline]
RIP: 0010:acpi_idle_do_entry+0xbb/0x1f0 drivers/acpi/processor_idle.c:558
Code: 89 de 48 83 e6 08 31 ff e8 b2 e0 0a fd 48 83 e3 08 0f 85 ae 00 00 00 e9 0c 00 00 00 e8 7e db 0a fd 0f 00 2d 27 ba ab 00 fb f4 <fa> e9 a1 00 00 00 49 83 c6 04 4c 89 f0 48 c1 e8 03 42 8a 04 38 84
RSP: 0018:ffffffff85a07ce8 EFLAGS: 00000246
RAX: 1ffffffff0b43630 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffffffff85a1b180 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffff85a07d00 R08: ffffffff845e2f7e R09: fffffbfff0b43631
R10: fffffbfff0b43631 R11: 1ffffffff0b43630 R12: 0000000000000001
R13: ffff888105259004 R14: ffff888101cfa864 R15: dffffc0000000000
acpi_idle_enter+0x32d/0x4f0 drivers/acpi/processor_idle.c:693
cpuidle_enter_state+0x4c8/0x10d0 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:351
call_cpuidle kernel/sched/idle.c:158 [inline]
cpuidle_idle_call kernel/sched/idle.c:239 [inline]
do_idle+0x3a8/0x540 kernel/sched/idle.c:300
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:396
rest_init+0xe6/0xf0 init/main.c:722
arch_call_rest_init+0xe/0x10 init/main.c:846
start_kernel+0x461/0x4fc init/main.c:1055
x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:526
x86_64_start_kernel+0x7a/0x7d arch/x86/kernel/head64.c:507
secondary_startup_64_no_verify+0xb0/0xbb
Modules linked in:
---[ end trace 2037e90005ce7619 ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 b7 cb 1b 02 0f 0b 48 c7 c7 50 3b d6 85 e8 b6 f2 19 00 48 c7 c7 60 f5 02 85 4c 89 f6 4c 89 e1 31 c0 e8 95 cb 1b 02 <0f> 0b 48 c7 c7 60 3b d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000007bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705b568 RCX: 5ab32c51d0d3a800
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007be8 R08: ffffffff81514558 R09: ffffed103ee0a590
R10: ffffed103ee0a590 R11: 1ffff1103ee0a58f R12: ffff88810d985c70
R13: dffffc0000000000 R14: ffff8881f705b560 R15: ffff88810d985c70
FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f02a3f88090 CR3: 00000001075ca000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: 48 83 e6 08 and $0x8,%rsi
6: 31 ff xor %edi,%edi
8: e8 b2 e0 0a fd callq 0xfd0ae0bf
d: 48 83 e3 08 and $0x8,%rbx
11: 0f 85 ae 00 00 00 jne 0xc5
17: e9 0c 00 00 00 jmpq 0x28
1c: e8 7e db 0a fd callq 0xfd0adb9f
21: 0f 00 2d 27 ba ab 00 verw 0xabba27(%rip) # 0xabba4f
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 a1 00 00 00 jmpq 0xd1
30: 49 83 c6 04 add $0x4,%r14
34: 4c 89 f0 mov %r14,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 8a 04 38 mov (%rax,%r15,1),%al
3f: 84 .byte 0x84


Tested on:

commit: 4bea09c6 css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10f4d147f00000

syzbot

Jun 1, 2022, 4:33:09 PM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!!!! css_release css ffff88810f2bf400 !!!
list_add corruption. prev->next should be next (ffff8881f715b560), but was ffff88810f2bf470. (prev=ffff88810f2bf470).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 141 Comm: syslogd Tainted: G W 5.10.119-syzkaller-00165-gfa2b08b7db86 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 b7 cb 1b 02 0f 0b 48 c7 c7 50 3b d6 85 e8 b6 f2 19 00 48 c7 c7 a0 f3 02 85 4c 89 f6 4c 89 e1 31 c0 e8 95 cb 1b 02 <0f> 0b 48 c7 c7 60 3b d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000160bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f715b568 RCX: efd15470297f1700
RDX: 0000000000000101 RSI: 0000000000000101 RDI: 0000000000000000
RBP: ffffc90000160be8 R08: ffffffff81514558 R09: fffff5200002c145
R10: fffff5200002c145 R11: 1ffff9200002c144 R12: ffff88810f2bf470
R13: dffffc0000000000 R14: ffff8881f715b560 R15: ffff88810f2bf470
FS: 00007fddd7e81800(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb2ff5c1ff8 CR3: 00000001093b7000 CR4: 00000000003506a0
RIP: 0010:__seqprop_spinlock_sequence include/linux/seqlock.h:277 [inline]
RIP: 0010:path_init+0x162/0x1120 fs/namei.c:2213
Code: be ff 89 d8 83 e0 01 4c 89 6d 98 75 0a 4d 89 e5 e8 d3 41 be ff eb 5f 49 c7 c6 c0 d5 a0 85 49 c1 ee 03 66 0f 1f 44 00 00 f3 90 <48> b8 00 00 00 00 00 fc ff df 41 0f b6 04 06 84 c0 75 12 8b 1d 45
RSP: 0018:ffffc90000b47af0 EFLAGS: 00000293
RAX: ffffffff81aac985 RBX: 00000000000004d9 RCX: ffff888109418f40
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90000b47b88 R08: ffffffff81aac93a R09: ffffed1021c4c4ab
R10: ffffed1021c4c4ab R11: 1ffff11021c4c4aa R12: ffff88810f1a5520
R13: ffffc90000b47d78 R14: 1ffffffff0b41ab8 R15: ffffc90000b47d40
path_openat+0x11a/0x3210 fs/namei.c:3355
do_filp_open+0x2ef/0x3e0 fs/namei.c:3389
do_sys_openat2+0xce/0x390 fs/open.c:1180
do_sys_open fs/open.c:1196 [inline]
__do_sys_openat fs/open.c:1212 [inline]
__se_sys_openat fs/open.c:1207 [inline]
__x64_sys_openat+0x1e6/0x210 fs/open.c:1207
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fddd800d697
Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f
RSP: 002b:00007ffde34aae50 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 000055b7fd2202c0 RCX: 00007fddd800d697
RDX: 0000000000000d41 RSI: 00007fddd819b99a RDI: 00000000ffffff9c
RBP: 00007fddd819b99a R08: 00007fddd809d040 R09: 00007fddd809d0c0
R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000d41
R13: 000055b7fd220400 R14: 0000000000000004 R15: 000055b7fd220410
Modules linked in:
---[ end trace ce307978c4e22eef ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 b7 cb 1b 02 0f 0b 48 c7 c7 50 3b d6 85 e8 b6 f2 19 00 48 c7 c7 a0 f3 02 85 4c 89 f6 4c 89 e1 31 c0 e8 95 cb 1b 02 <0f> 0b 48 c7 c7 60 3b d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000160bc0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f715b568 RCX: efd15470297f1700
RDX: 0000000000000101 RSI: 0000000000000101 RDI: 0000000000000000
RBP: ffffc90000160be8 R08: ffffffff81514558 R09: fffff5200002c145
R10: fffff5200002c145 R11: 1ffff9200002c144 R12: ffff88810f2bf470
R13: dffffc0000000000 R14: ffff8881f715b560 R15: ffff88810f2bf470
FS: 00007fddd7e81800(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb2ff5c1ff8 CR3: 00000001093b7000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: be ff 89 d8 83 mov $0x83d889ff,%esi
5: e0 01 loopne 0x8
7: 4c 89 6d 98 mov %r13,-0x68(%rbp)
b: 75 0a jne 0x17
d: 4d 89 e5 mov %r12,%r13
10: e8 d3 41 be ff callq 0xffbe41e8
15: eb 5f jmp 0x76
17: 49 c7 c6 c0 d5 a0 85 mov $0xffffffff85a0d5c0,%r14
1e: 49 c1 ee 03 shr $0x3,%r14
22: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
28: f3 90 pause
* 2a: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax <-- trapping instruction
31: fc ff df
34: 41 0f b6 04 06 movzbl (%r14,%rax,1),%eax
39: 84 c0 test %al,%al
3b: 75 12 jne 0x4f
3d: 8b .byte 0x8b
3e: 1d .byte 0x1d
3f: 45 rex.RB


Tested on:

commit: fa2b08b7 css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=116b87f9f00000

syzbot

Jun 1, 2022, 5:10:09 PM6/1/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in dst_dev_put

general protection fault, probably for non-canonical address 0xdffffc001fffffff: 0000 [#1] PREEMPT SMP KASAN
KASAN: probably user-memory-access in range [0x00000000fffffff8-0x00000000ffffffff]
CPU: 1 PID: 18 Comm: ksoftirqd/1 Tainted: G W 5.10.119-syzkaller-00165-g62f4403dcb3c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:dst_dev_put+0x26/0x1c0 net/core/dst.c:156
Code: 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 49 89 ff 49 bc 00 00 00 00 00 fc ff df e8 51 bd cf fd 4d 89 fd 49 c1 ed 03 <43> 80 7c 25 00 00 74 08 4c 89 ff e8 9a 53 07 fe 4d 8b 37 49 8d 7f
RSP: 0018:ffffc90000137b20 EFLAGS: 00010207
RAX: ffffffff83994e4f RBX: 00000000fffffffe RCX: ffff88810028eac0
RDX: 0000000080000100 RSI: 0000000000000000 RDI: 00000000fffffffe
RBP: ffffc90000137b48 R08: ffffffff83de386d R09: ffffc900001378c4
R10: 000000000000000b R11: ffffffff8480067b R12: dffffc0000000000
R13: 000000001fffffff R14: 0000607e08c3fb78 R15: 00000000fffffffe
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b31f3594b0 CR3: 000000010940b000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
rt_fibinfo_free_cpus+0xee/0x1c0 net/ipv4/fib_semantics.c:203
fib_nh_common_release+0x8d/0x240 net/ipv4/fib_semantics.c:216
fib_nh_release net/ipv4/fib_semantics.c:228 [inline]
free_fib_info_rcu+0x98/0x190 net/ipv4/fib_semantics.c:240
rcu_do_batch+0x4ad/0xb00 kernel/rcu/tree.c:2485
rcu_core+0x64a/0xdf0 kernel/rcu/tree.c:2726
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2739
__do_softirq+0x253/0x67b kernel/softirq.c:298
run_ksoftirqd+0x23/0x30 kernel/softirq.c:653
smpboot_thread_fn+0x4c8/0x8b0 kernel/smpboot.c:164
kthread+0x365/0x400 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace 2aceb02816d4a928 ]---
RIP: 0010:dst_dev_put+0x26/0x1c0 net/core/dst.c:156
Code: 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 49 89 ff 49 bc 00 00 00 00 00 fc ff df e8 51 bd cf fd 4d 89 fd 49 c1 ed 03 <43> 80 7c 25 00 00 74 08 4c 89 ff e8 9a 53 07 fe 4d 8b 37 49 8d 7f
RSP: 0018:ffffc90000137b20 EFLAGS: 00010207
RAX: ffffffff83994e4f RBX: 00000000fffffffe RCX: ffff88810028eac0
RDX: 0000000080000100 RSI: 0000000000000000 RDI: 00000000fffffffe
RBP: ffffc90000137b48 R08: ffffffff83de386d R09: ffffc900001378c4
R10: 000000000000000b R11: ffffffff8480067b R12: dffffc0000000000
R13: 000000001fffffff R14: 0000607e08c3fb78 R15: 00000000fffffffe
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b31f3594b0 CR3: 000000010940b000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 00 00 add %al,(%rax)
4: 55 push %rbp
5: 48 89 e5 mov %rsp,%rbp
8: 41 57 push %r15
a: 41 56 push %r14
c: 41 55 push %r13
e: 41 54 push %r12
10: 53 push %rbx
11: 49 89 ff mov %rdi,%r15
14: 49 bc 00 00 00 00 00 movabs $0xdffffc0000000000,%r12
1b: fc ff df
1e: e8 51 bd cf fd callq 0xfdcfbd74
23: 4d 89 fd mov %r15,%r13
26: 49 c1 ed 03 shr $0x3,%r13
* 2a: 43 80 7c 25 00 00 cmpb $0x0,0x0(%r13,%r12,1) <-- trapping instruction
30: 74 08 je 0x3a
32: 4c 89 ff mov %r15,%rdi
35: e8 9a 53 07 fe callq 0xfe0753d4
3a: 4d 8b 37 mov (%r15),%r14
3d: 49 rex.WB
3e: 8d .byte 0x8d
3f: 7f .byte 0x7f


Tested on:

commit: 62f4403d css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1142c083f00000

syzbot

Jun 1, 2022, 5:32:10 PM6/1/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: 62f4403d css_put imbalance
git tree: https://github.com/tstruk/linux.git linux-5.10.y
kernel config: https://syzkaller.appspot.com/x/.config?x=26b9d4a1c9786cc4
dashboard link: https://syzkaller.appspot.com/bug?extid=e42ae441c3b10acf9e9d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.

syzbot

Jun 1, 2022, 5:48:20 PM6/1/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: c9389768 css_put imbalance
git tree: https://github.com/tstruk/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=7b86f3149f8bbf2a

Tadeusz Struk

Jun 1, 2022, 6:24:09 PM6/1/22
to syzbot, syzkaller-a...@googlegroups.com

syzbot

Jun 1, 2022, 6:26:18 PM6/1/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: dbfa728f css_put imbalance

syzbot

Jun 1, 2022, 6:42:15 PM6/1/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: 18811fa1 css_put imbalance

syzbot

Jun 2, 2022, 12:24:12 PM6/2/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: 1bb6f0e0 css_put imbalance
kernel config: https://syzkaller.appspot.com/x/.config?x=2d9d3e440a3a30da

Tadeusz Struk

Jun 2, 2022, 12:30:17 PM6/2/22
to syzbot, syzkaller-a...@googlegroups.com

syzbot

Jun 2, 2022, 1:09:16 PM6/2/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: 66c53422 css_put imbalance

Tadeusz Struk

Jun 2, 2022, 2:53:56 PM6/2/22
to syzbot, syzkaller-a...@googlegroups.com

syzbot

Jun 2, 2022, 3:08:15 PM6/2/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: 4d978e7b css_put imbalance

syzbot

Jun 2, 2022, 3:16:14 PM6/2/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in css_killed_work_fn

BUG: unable to handle page fault for address: fffffffffffffff8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 6010067 P4D 6010067 PUD 6012067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 384 Comm: kworker/1:3 Not tainted 5.18.0-syzkaller-12008-gd6a44a7e5ea9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: cgroup_destroy css_killed_work_fn
RIP: 0010:swake_up_locked kernel/sched/swait.c:29 [inline]
RIP: 0010:complete+0xac/0x1c0 kernel/sched/completion.c:36
Code: 00 42 80 3c 33 00 74 08 4c 89 ff e8 ce 8a 5c 00 49 8b 1f 48 8d 7b f8 48 89 f8 48 c1 e8 03 42 80 3c 30 00 74 05 e8 b4 8a 5c 00 <48> 8b 7b f8 e8 7b 73 f9 ff 48 89 df e8 a3 66 05 01 84 c0 74 6c 48
RSP: 0018:ffffc90000b97c80 EFLAGS: 00010046
RAX: 1fffffffffffffff RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: fffffffffffffff8
RBP: ffffc90000b97cb8 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff52000172f7d R11: 1ffff92000172f7c R12: 1ffff110243e5818
R13: 0000000000000001 R14: dffffc0000000000 R15: ffff888121f2c0d0
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff8 CR3: 000000012223f000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
css_killed_work_fn+0x3cf/0x3f0 kernel/cgroup/cgroup.c:5567
process_one_work+0x6cb/0xbf0 kernel/workqueue.c:2289
worker_thread+0xb3c/0x1390 kernel/workqueue.c:2436
kthread+0x26b/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30
</TASK>
Modules linked in:
CR2: fffffffffffffff8
---[ end trace 0000000000000000 ]---
RIP: 0010:swake_up_locked kernel/sched/swait.c:29 [inline]
RIP: 0010:complete+0xac/0x1c0 kernel/sched/completion.c:36
Code: 00 42 80 3c 33 00 74 08 4c 89 ff e8 ce 8a 5c 00 49 8b 1f 48 8d 7b f8 48 89 f8 48 c1 e8 03 42 80 3c 30 00 74 05 e8 b4 8a 5c 00 <48> 8b 7b f8 e8 7b 73 f9 ff 48 89 df e8 a3 66 05 01 84 c0 74 6c 48
RSP: 0018:ffffc90000b97c80 EFLAGS: 00010046
RAX: 1fffffffffffffff RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: fffffffffffffff8
RBP: ffffc90000b97cb8 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff52000172f7d R11: 1ffff92000172f7c R12: 1ffff110243e5818
R13: 0000000000000001 R14: dffffc0000000000 R15: ffff888121f2c0d0
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff8 CR3: 000000012223f000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 42 80 add %al,-0x80(%rdx)
3: 3c 33 cmp $0x33,%al
5: 00 74 08 4c add %dh,0x4c(%rax,%rcx,1)
9: 89 ff mov %edi,%edi
b: e8 ce 8a 5c 00 callq 0x5c8ade
10: 49 8b 1f mov (%r15),%rbx
13: 48 8d 7b f8 lea -0x8(%rbx),%rdi
17: 48 89 f8 mov %rdi,%rax
1a: 48 c1 e8 03 shr $0x3,%rax
1e: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1)
23: 74 05 je 0x2a
25: e8 b4 8a 5c 00 callq 0x5c8ade
* 2a: 48 8b 7b f8 mov -0x8(%rbx),%rdi <-- trapping instruction
2e: e8 7b 73 f9 ff callq 0xfff973ae
33: 48 89 df mov %rbx,%rdi
36: e8 a3 66 05 01 callq 0x10566de
3b: 84 c0 test %al,%al
3d: 74 6c je 0xab
3f: 48 rex.W


Tested on:

commit: d6a44a7e css_put imbalance
console output: https://syzkaller.appspot.com/x/log.txt?x=15ac95cdf00000

syzbot

Jun 2, 2022, 3:31:13 PM6/2/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in css_killed_work_fn

BUG: unable to handle page fault for address: fffffffffffffff8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 6010067 P4D 6010067 PUD 6012067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 396 Comm: kworker/0:3 Not tainted 5.18.0-syzkaller-12008-gb4925c48107d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: cgroup_destroy css_killed_work_fn
RIP: 0010:swake_up_locked kernel/sched/swait.c:29 [inline]
RIP: 0010:complete+0xac/0x1c0 kernel/sched/completion.c:36
Code: 00 42 80 3c 33 00 74 08 4c 89 ff e8 2e 8b 5c 00 49 8b 1f 48 8d 7b f8 48 89 f8 48 c1 e8 03 42 80 3c 30 00 74 05 e8 14 8b 5c 00 <48> 8b 7b f8 e8 7b 73 f9 ff 48 89 df e8 03 67 05 01 84 c0 74 6c 48
RSP: 0018:ffffc90002747c80 EFLAGS: 00010046
RAX: 1fffffffffffffff RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: fffffffffffffff8
RBP: ffffc90002747cb8 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff520004e8f7d R11: 1ffff920004e8f7c R12: 1ffff110243d7c18
R13: 0000000000000001 R14: dffffc0000000000 R15: ffff888121ebe0d0
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff8 CR3: 000000012672d000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
css_killed_work_fn+0x3cf/0x3f0 kernel/cgroup/cgroup.c:5568
process_one_work+0x6cb/0xbf0 kernel/workqueue.c:2289
worker_thread+0xb3c/0x1390 kernel/workqueue.c:2436
kthread+0x26b/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30
</TASK>
Modules linked in:
CR2: fffffffffffffff8
---[ end trace 0000000000000000 ]---
RIP: 0010:swake_up_locked kernel/sched/swait.c:29 [inline]
RIP: 0010:complete+0xac/0x1c0 kernel/sched/completion.c:36
Code: 00 42 80 3c 33 00 74 08 4c 89 ff e8 2e 8b 5c 00 49 8b 1f 48 8d 7b f8 48 89 f8 48 c1 e8 03 42 80 3c 30 00 74 05 e8 14 8b 5c 00 <48> 8b 7b f8 e8 7b 73 f9 ff 48 89 df e8 03 67 05 01 84 c0 74 6c 48
RSP: 0018:ffffc90002747c80 EFLAGS: 00010046
RAX: 1fffffffffffffff RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: fffffffffffffff8
RBP: ffffc90002747cb8 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff520004e8f7d R11: 1ffff920004e8f7c R12: 1ffff110243d7c18
R13: 0000000000000001 R14: dffffc0000000000 R15: ffff888121ebe0d0
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff8 CR3: 000000012672d000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 42 80 add %al,-0x80(%rdx)
3: 3c 33 cmp $0x33,%al
5: 00 74 08 4c add %dh,0x4c(%rax,%rcx,1)
9: 89 ff mov %edi,%edi
b: e8 2e 8b 5c 00 callq 0x5c8b3e
10: 49 8b 1f mov (%r15),%rbx
13: 48 8d 7b f8 lea -0x8(%rbx),%rdi
17: 48 89 f8 mov %rdi,%rax
1a: 48 c1 e8 03 shr $0x3,%rax
1e: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1)
23: 74 05 je 0x2a
25: e8 14 8b 5c 00 callq 0x5c8b3e
* 2a: 48 8b 7b f8 mov -0x8(%rbx),%rdi <-- trapping instruction
2e: e8 7b 73 f9 ff callq 0xfff973ae
33: 48 89 df mov %rbx,%rdi
36: e8 03 67 05 01 callq 0x105673e
3b: 84 c0 test %al,%al
3d: 74 6c je 0xab
3f: 48 rex.W


Tested on:

commit: b4925c48 css_put imbalance
console output: https://syzkaller.appspot.com/x/log.txt?x=14919463f00000

syzbot

Jun 2, 2022, 3:56:15 PM6/2/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in css_killed_work_fn

BUG: unable to handle page fault for address: fffffffffffffff8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 6010067 P4D 6010067 PUD 6012067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 6 Comm: kworker/0:0 Not tainted 5.18.0-syzkaller-12008-g2761a705cad6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: cgroup_destroy css_killed_work_fn
RIP: 0010:swake_up_locked kernel/sched/swait.c:29 [inline]
RIP: 0010:complete+0xac/0x1c0 kernel/sched/completion.c:36
Code: 00 42 80 3c 33 00 74 08 4c 89 ff e8 8e 8b 5c 00 49 8b 1f 48 8d 7b f8 48 89 f8 48 c1 e8 03 42 80 3c 30 00 74 05 e8 74 8b 5c 00 <48> 8b 7b f8 e8 7b 73 f9 ff 48 89 df e8 63 67 05 01 84 c0 74 6c 48
RSP: 0018:ffffc90000067c80 EFLAGS: 00010046
RAX: 1fffffffffffffff RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: fffffffffffffff8
RBP: ffffc90000067cb8 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff5200000cf7d R11: 1ffff9200000cf7c R12: 1ffff1102457c998
R13: 0000000000000001 R14: dffffc0000000000 R15: ffff888122be4cd0
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff8 CR3: 00000001256e6000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
css_killed_work_fn+0x3cf/0x3f0 kernel/cgroup/cgroup.c:5569
process_one_work+0x6cb/0xbf0 kernel/workqueue.c:2289
worker_thread+0xb3c/0x1390 kernel/workqueue.c:2436
kthread+0x26b/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30
</TASK>
Modules linked in:
CR2: fffffffffffffff8
---[ end trace 0000000000000000 ]---
RIP: 0010:swake_up_locked kernel/sched/swait.c:29 [inline]
RIP: 0010:complete+0xac/0x1c0 kernel/sched/completion.c:36
Code: 00 42 80 3c 33 00 74 08 4c 89 ff e8 8e 8b 5c 00 49 8b 1f 48 8d 7b f8 48 89 f8 48 c1 e8 03 42 80 3c 30 00 74 05 e8 74 8b 5c 00 <48> 8b 7b f8 e8 7b 73 f9 ff 48 89 df e8 63 67 05 01 84 c0 74 6c 48
RSP: 0018:ffffc90000067c80 EFLAGS: 00010046
RAX: 1fffffffffffffff RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: fffffffffffffff8
RBP: ffffc90000067cb8 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff5200000cf7d R11: 1ffff9200000cf7c R12: 1ffff1102457c998
R13: 0000000000000001 R14: dffffc0000000000 R15: ffff888122be4cd0
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff8 CR3: 00000001256e6000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 42 80 add %al,-0x80(%rdx)
3: 3c 33 cmp $0x33,%al
5: 00 74 08 4c add %dh,0x4c(%rax,%rcx,1)
9: 89 ff mov %edi,%edi
b: e8 8e 8b 5c 00 callq 0x5c8b9e
10: 49 8b 1f mov (%r15),%rbx
13: 48 8d 7b f8 lea -0x8(%rbx),%rdi
17: 48 89 f8 mov %rdi,%rax
1a: 48 c1 e8 03 shr $0x3,%rax
1e: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1)
23: 74 05 je 0x2a
25: e8 74 8b 5c 00 callq 0x5c8b9e
* 2a: 48 8b 7b f8 mov -0x8(%rbx),%rdi <-- trapping instruction
2e: e8 7b 73 f9 ff callq 0xfff973ae
33: 48 89 df mov %rbx,%rdi
36: e8 63 67 05 01 callq 0x105679e
3b: 84 c0 test %al,%al
3d: 74 6c je 0xab
3f: 48 rex.W


Tested on:

commit: 2761a705 css_put imbalance
console output: https://syzkaller.appspot.com/x/log.txt?x=10690a2bf00000

syzbot

Jun 2, 2022, 4:13:12 PM6/2/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

kernel/cgroup/cgroup.c:5893:20: error: use of undeclared identifier 'css'


Tested on:

commit: 3d7174cd css_put imbalance

syzbot

Jun 2, 2022, 4:21:09 PM6/2/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in css_killed_work_fn

BUG: unable to handle page fault for address: fffffffffffffff8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 6010067 P4D 6010067 PUD 6012067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 54 Comm: kworker/1:2 Not tainted 5.18.0-syzkaller-12008-ge6b41535e8d6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: cgroup_destroy css_killed_work_fn
RIP: 0010:swake_up_locked kernel/sched/swait.c:29 [inline]
RIP: 0010:complete+0xac/0x1c0 kernel/sched/completion.c:36
Code: 00 42 80 3c 33 00 74 08 4c 89 ff e8 8e 8b 5c 00 49 8b 1f 48 8d 7b f8 48 89 f8 48 c1 e8 03 42 80 3c 30 00 74 05 e8 74 8b 5c 00 <48> 8b 7b f8 e8 7b 73 f9 ff 48 89 df e8 63 67 05 01 84 c0 74 6c 48
RSP: 0018:ffffc90000887c80 EFLAGS: 00010046
RAX: 1fffffffffffffff RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: fffffffffffffff8
RBP: ffffc90000887cb8 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff52000110f7d R11: 1ffff92000110f7c R12: 1ffff1102443c898
R13: 0000000000000001 R14: dffffc0000000000 R15: ffff8881221e44d0
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff8 CR3: 000000011fbbd000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
css_killed_work_fn+0x3cf/0x3f0 kernel/cgroup/cgroup.c:5569
process_one_work+0x6cb/0xbf0 kernel/workqueue.c:2289
worker_thread+0xb3c/0x1390 kernel/workqueue.c:2436
kthread+0x26b/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30
</TASK>
Modules linked in:
CR2: fffffffffffffff8
---[ end trace 0000000000000000 ]---
RIP: 0010:swake_up_locked kernel/sched/swait.c:29 [inline]
RIP: 0010:complete+0xac/0x1c0 kernel/sched/completion.c:36
Code: 00 42 80 3c 33 00 74 08 4c 89 ff e8 8e 8b 5c 00 49 8b 1f 48 8d 7b f8 48 89 f8 48 c1 e8 03 42 80 3c 30 00 74 05 e8 74 8b 5c 00 <48> 8b 7b f8 e8 7b 73 f9 ff 48 89 df e8 63 67 05 01 84 c0 74 6c 48
RSP: 0018:ffffc90000887c80 EFLAGS: 00010046
RAX: 1fffffffffffffff RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: fffffffffffffff8
RBP: ffffc90000887cb8 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff52000110f7d R11: 1ffff92000110f7c R12: 1ffff1102443c898
R13: 0000000000000001 R14: dffffc0000000000 R15: ffff8881221e44d0
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff8 CR3: 000000011fbbd000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 42 80 add %al,-0x80(%rdx)
3: 3c 33 cmp $0x33,%al
5: 00 74 08 4c add %dh,0x4c(%rax,%rcx,1)
9: 89 ff mov %edi,%edi
b: e8 8e 8b 5c 00 callq 0x5c8b9e
10: 49 8b 1f mov (%r15),%rbx
13: 48 8d 7b f8 lea -0x8(%rbx),%rdi
17: 48 89 f8 mov %rdi,%rax
1a: 48 c1 e8 03 shr $0x3,%rax
1e: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1)
23: 74 05 je 0x2a
25: e8 74 8b 5c 00 callq 0x5c8b9e
* 2a: 48 8b 7b f8 mov -0x8(%rbx),%rdi <-- trapping instruction
2e: e8 7b 73 f9 ff callq 0xfff973ae
33: 48 89 df mov %rbx,%rdi
36: e8 63 67 05 01 callq 0x105679e
3b: 84 c0 test %al,%al
3d: 74 6c je 0xab
3f: 48 rex.W


Tested on:

commit: e6b41535 css_put imbalance
console output: https://syzkaller.appspot.com/x/log.txt?x=10109efbf00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2d9d3e440a3a30da

syzbot

Jun 2, 2022, 4:34:10 PM6/2/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in css_killed_work_fn

IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
BUG: unable to handle page fault for address: fffffffffffffff8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 6010067 P4D 6010067 PUD 6012067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 391 Comm: kworker/0:2 Not tainted 5.18.0-syzkaller-12008-g1b599f72899a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: cgroup_destroy css_killed_work_fn
RIP: 0010:swake_up_locked kernel/sched/swait.c:29 [inline]
RIP: 0010:complete+0xac/0x1c0 kernel/sched/completion.c:36
Code: 00 42 80 3c 33 00 74 08 4c 89 ff e8 7e 8b 5c 00 49 8b 1f 48 8d 7b f8 48 89 f8 48 c1 e8 03 42 80 3c 30 00 74 05 e8 64 8b 5c 00 <48> 8b 7b f8 e8 7b 73 f9 ff 48 89 df e8 43 67 05 01 84 c0 74 6c 48
RSP: 0018:ffffc90000af7c88 EFLAGS: 00010046
RAX: 1fffffffffffffff RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: fffffffffffffff8
RBP: ffffc90000af7cc0 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff5200015ef7d R11: 1ffff9200015ef7c R12: 1ffff1102448ad98
R13: 0000000000000001 R14: dffffc0000000000 R15: ffff888122456cd0
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff8 CR3: 000000011bb92000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
css_killed_work_fn+0x3c/0x3e0 kernel/cgroup/cgroup.c:5560
process_one_work+0x6cb/0xbf0 kernel/workqueue.c:2289
worker_thread+0xb3c/0x1390 kernel/workqueue.c:2436
kthread+0x26b/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30
</TASK>
Modules linked in:
CR2: fffffffffffffff8
---[ end trace 0000000000000000 ]---
RIP: 0010:swake_up_locked kernel/sched/swait.c:29 [inline]
RIP: 0010:complete+0xac/0x1c0 kernel/sched/completion.c:36
Code: 00 42 80 3c 33 00 74 08 4c 89 ff e8 7e 8b 5c 00 49 8b 1f 48 8d 7b f8 48 89 f8 48 c1 e8 03 42 80 3c 30 00 74 05 e8 64 8b 5c 00 <48> 8b 7b f8 e8 7b 73 f9 ff 48 89 df e8 43 67 05 01 84 c0 74 6c 48
RSP: 0018:ffffc90000af7c88 EFLAGS: 00010046
RAX: 1fffffffffffffff RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: fffffffffffffff8
RBP: ffffc90000af7cc0 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff5200015ef7d R11: 1ffff9200015ef7c R12: 1ffff1102448ad98
R13: 0000000000000001 R14: dffffc0000000000 R15: ffff888122456cd0
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff8 CR3: 000000011bb92000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 42 80 add %al,-0x80(%rdx)
3: 3c 33 cmp $0x33,%al
5: 00 74 08 4c add %dh,0x4c(%rax,%rcx,1)
9: 89 ff mov %edi,%edi
b: e8 7e 8b 5c 00 callq 0x5c8b8e
10: 49 8b 1f mov (%r15),%rbx
13: 48 8d 7b f8 lea -0x8(%rbx),%rdi
17: 48 89 f8 mov %rdi,%rax
1a: 48 c1 e8 03 shr $0x3,%rax
1e: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1)
23: 74 05 je 0x2a
25: e8 64 8b 5c 00 callq 0x5c8b8e
* 2a: 48 8b 7b f8 mov -0x8(%rbx),%rdi <-- trapping instruction
2e: e8 7b 73 f9 ff callq 0xfff973ae
33: 48 89 df mov %rbx,%rdi
36: e8 43 67 05 01 callq 0x105677e
3b: 84 c0 test %al,%al
3d: 74 6c je 0xab
3f: 48 rex.W


Tested on:

commit: 1b599f72 css_put imbalance
console output: https://syzkaller.appspot.com/x/log.txt?x=12214ff3f00000

syzbot

Jun 2, 2022, 8:36:12 PM6/2/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: 1de342bf css_put imbalance
kernel config: https://syzkaller.appspot.com/x/.config?x=2d9d3e440a3a30da
dashboard link: https://syzkaller.appspot.com/bug?extid=e42ae441c3b10acf9e9d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

syzbot

Jun 3, 2022, 11:15:17 AM6/3/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: f3b1ace4 cgroup: kill and release paths serialize

syzbot

Jun 3, 2022, 11:31:12 AM6/3/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: c0f1b2f9 cgroup: kill and release paths serialize

syzbot

Jun 3, 2022, 12:55:09 PM6/3/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: eda02c37 cgroup: kill and release paths serialize

syzbot

Jun 6, 2022, 12:37:13 PM6/6/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: a59746b6 cgroup debug
kernel config: https://syzkaller.appspot.com/x/.config?x=9b5df3d7a2615f54

Tadeusz Struk

Jun 6, 2022, 12:39:50 PM6/6/22
to syzbot, syzkaller-a...@googlegroups.com

syzbot

Jun 6, 2022, 12:59:12 PM6/6/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org

syzbot

Jun 6, 2022, 1:20:16 PM6/6/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: 7c793200 debug cgroup
git tree: https://github.com/tstruk/linux.git tmp_test_cgroup
kernel config: https://syzkaller.appspot.com/x/.config?x=2442bae8437be918

syzbot

Jun 6, 2022, 1:37:07 PM6/6/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: fa44f6e4 cgroup debug

syzbot

Jun 6, 2022, 2:28:17 PM6/6/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: f2906aa8 Linux 5.19-rc1

syzbot

Jun 6, 2022, 2:51:07 PM6/6/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: 4b0986a3 Linux 5.18
kernel config: https://syzkaller.appspot.com/x/.config?x=2442bae8437be918

syzbot

Jun 6, 2022, 3:08:09 PM6/6/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

list_add corruption. prev->next should be next (ffff8881f735c060), but was ffff888112fd4070. (prev=ffff888112fd4070).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 411 Comm: syz-executor.1 Tainted: G W 5.10.110-syzkaller-00173-g07b78bf6d055 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 80 d8 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 40 d9 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000160a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f735c068 RCX: 87f9f65b4d447300
RDX: 0000000000000101 RSI: 0000000000000101 RDI: 0000000000000000
RBP: ffffc90000160a28 R08: ffffffff8153b2f8 R09: 0000000000000003
R10: fffff5200002c091 R11: 1ffff9200002c090 R12: ffff888112fd4070
R13: dffffc0000000000 R14: ffff8881f735c060 R15: ffff888112fd4070
FS: 000055555555a400(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555b73b38 CR3: 000000010cd78000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0x107/0x330 kernel/workqueue.c:1352
__queue_work+0x971/0xd30 kernel/workqueue.c:1514
queue_work_on+0xf2/0x150 kernel/workqueue.c:1541
queue_work include/linux/workqueue.h:513 [inline]
css_release+0xae/0xc0 kernel/cgroup/cgroup.c:5146
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5a2/0x5b0 lib/percpu-refcount.c:199
rcu_do_batch+0x4f8/0xbc0 kernel/rcu/tree.c:2485
rcu_core+0x59b/0xe30 kernel/rcu/tree.c:2722
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2735
__do_softirq+0x27e/0x596 kernel/softirq.c:305
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:402 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:432
irq_exit_rcu+0x9/0x10 kernel/softirq.c:444
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:__seqprop_spinlock_sequence include/linux/seqlock.h:277 [inline]
RIP: 0010:path_init+0x175/0x1120 fs/namei.c:2297
Code: ba ff eb 5f 49 c7 c6 c0 d5 e0 85 49 c1 ee 03 66 0f 1f 44 00 00 f3 90 48 b8 00 00 00 00 00 fc ff df 41 0f b6 04 06 84 c0 75 12 <8b> 1d 75 be 2e 04 f6 c3 01 74 26 e8 1b a1 ba ff eb d9 48 c7 c1 c0
RSP: 0018:ffffc90000e978b8 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 000000000000050b RCX: ffff8881002d0000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90000e97950 R08: ffffffff81b2170a R09: ffffed1022615f6b
R10: ffffed1022615f6b R11: 1ffff11022615f6a R12: ffff888113143320
R13: ffffc90000e97c18 R14: 1ffffffff0bc1ab8 R15: ffffc90000e97be0
path_openat+0x185/0x2fd0 fs/namei.c:3439
do_filp_open+0x200/0x440 fs/namei.c:3471
do_sys_openat2+0x13b/0x470 fs/open.c:1211
do_sys_open fs/open.c:1227 [inline]
__do_sys_openat fs/open.c:1243 [inline]
__se_sys_openat fs/open.c:1238 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1238
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f5c66948c28
Code: 24 18 31 c0 41 83 e2 40 75 40 89 f0 25 00 00 41 00 3d 00 00 41 00 74 32 44 89 c2 4c 89 ce bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 40 48 8b 4c 24 18 64 48 2b 0c 25 28 00 00 00
RSP: 002b:00007fffc2a1ac00 EFLAGS: 00000287 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007f5c66948c28
RDX: 0000000000090800 RSI: 00007f5c669a229c RDI: 00000000ffffff9c
RBP: 00007fffc2a1accc R08: 0000000000090800 R09: 00007f5c669a229c
R10: 0000000000000000 R11: 0000000000000287 R12: 0000000000000000
R13: 000000000000c868 R14: 0000000000000006 R15: 00007fffc2a1ad30
Modules linked in:
---[ end trace 2a102412b34a7dc1 ]---
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 80 d8 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 40 d9 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000160a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f735c068 RCX: 87f9f65b4d447300
RDX: 0000000000000101 RSI: 0000000000000101 RDI: 0000000000000000
RBP: ffffc90000160a28 R08: ffffffff8153b2f8 R09: 0000000000000003
R10: fffff5200002c091 R11: 1ffff9200002c090 R12: ffff888112fd4070
R13: dffffc0000000000 R14: ffff8881f735c060 R15: ffff888112fd4070
FS: 000055555555a400(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555b73b38 CR3: 000000010cd78000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: ba ff eb 5f 49 mov $0x495febff,%edx
5: c7 c6 c0 d5 e0 85 mov $0x85e0d5c0,%esi
b: 49 c1 ee 03 shr $0x3,%r14
f: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
15: f3 90 pause
17: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1e: fc ff df
21: 41 0f b6 04 06 movzbl (%r14,%rax,1),%eax
26: 84 c0 test %al,%al
28: 75 12 jne 0x3c
* 2a: 8b 1d 75 be 2e 04 mov 0x42ebe75(%rip),%ebx # 0x42ebea5 <-- trapping instruction
30: f6 c3 01 test $0x1,%bl
33: 74 26 je 0x5b
35: e8 1b a1 ba ff callq 0xffbaa155
3a: eb d9 jmp 0x15
3c: 48 rex.W
3d: c7 .byte 0xc7
3e: c1 .byte 0xc1
3f: c0 .byte 0xc0


Tested on:

commit: 07b78bf6 BACKPORT: net/sched: cls_u32: fix netns refco..
git tree: https://github.com/tstruk/linux.git android12-5.10
console output: https://syzkaller.appspot.com/x/log.txt?x=162f9b9ff00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f8c0af7fe6e394f3

syzbot

Jun 6, 2022, 3:20:12 PM6/6/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!!! css_release kill_css(ffff88811467d400)
list_add corruption. prev->next should be next (ffff8881f725c060), but was ffff88811467d470. (prev=ffff88811467d470).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G W 5.10.110-syzkaller-00174-g9a152518a662 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 40 d8 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 00 d9 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc900000c77e0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f725c068 RCX: 7d74300638d53100
RDX: 0000000000000101 RSI: 0000000000000101 RDI: 0000000000000000
RBP: ffffc900000c7808 R08: ffffffff8153b2f8 R09: ffffed103ee44e83
R10: ffffed103ee44e83 R11: 1ffff1103ee44e82 R12: ffff88811467d470
R13: dffffc0000000000 R14: ffff8881f725c060 R15: ffff88811467d470
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d9af3cdf28 CR3: 0000000112ade000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0x107/0x330 kernel/workqueue.c:1352
__queue_work+0x971/0xd30 kernel/workqueue.c:1514
queue_work_on+0xf2/0x150 kernel/workqueue.c:1541
queue_work include/linux/workqueue.h:513 [inline]
css_release+0xc0/0xd0 kernel/cgroup/cgroup.c:5150
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5a2/0x5b0 lib/percpu-refcount.c:199
rcu_do_batch+0x4f8/0xbc0 kernel/rcu/tree.c:2485
rcu_core+0x59b/0xe30 kernel/rcu/tree.c:2722
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2735
__do_softirq+0x27e/0x596 kernel/softirq.c:305
run_ksoftirqd+0x23/0x30 kernel/softirq.c:667
smpboot_thread_fn+0x551/0x930 kernel/smpboot.c:164
kthread+0x349/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace 9cc038e294c8c156 ]---
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 40 d8 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 00 d9 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc900000c77e0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f725c068 RCX: 7d74300638d53100
RDX: 0000000000000101 RSI: 0000000000000101 RDI: 0000000000000000
RBP: ffffc900000c7808 R08: ffffffff8153b2f8 R09: ffffed103ee44e83
R10: ffffed103ee44e83 R11: 1ffff1103ee44e82 R12: ffff88811467d470
R13: dffffc0000000000 R14: ffff8881f725c060 R15: ffff88811467d470
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d9af3cdf28 CR3: 0000000112ade000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 9a152518 cgroup debug
git tree: https://github.com/tstruk/linux.git android12-5.10
console output: https://syzkaller.appspot.com/x/log.txt?x=112f9505f00000

syzbot

Jun 6, 2022, 3:51:09 PM6/6/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!!! css_release enqueue(ffff888113db6400)
list_add corruption. prev->next should be next (ffff8881f735c060), but was ffff888113db6470. (prev=ffff888113db6470).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G W 5.10.110-syzkaller-00174-g2bcb85208c67 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 80 dc 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 40 dd 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000160a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f735c068 RCX: 958566e80b1a5a00
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000160a28 R08: ffffffff8153b2f8 R09: ffffed103ee64e83
R10: ffffed103ee64e83 R11: 1ffff1103ee64e82 R12: ffff888113db6470
R13: dffffc0000000000 R14: ffff8881f735c060 R15: ffff888113db6470
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3ecd206028 CR3: 000000011c4a0000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0x107/0x330 kernel/workqueue.c:1352
__queue_work+0x971/0xd30 kernel/workqueue.c:1514
queue_work_on+0xf2/0x150 kernel/workqueue.c:1541
queue_work include/linux/workqueue.h:513 [inline]
css_release+0xdc/0x100 kernel/cgroup/cgroup.c:5159
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5a2/0x5b0 lib/percpu-refcount.c:199
rcu_do_batch+0x4f8/0xbc0 kernel/rcu/tree.c:2485
rcu_core+0x59b/0xe30 kernel/rcu/tree.c:2722
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2735
__do_softirq+0x27e/0x596 kernel/softirq.c:305
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:402 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:432
irq_exit_rcu+0x9/0x10 kernel/softirq.c:444
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:49 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:89 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:114 [inline]
RIP: 0010:acpi_idle_do_entry+0xbb/0x1f0 drivers/acpi/processor_idle.c:558
Code: 89 de 48 83 e6 08 31 ff e8 92 c9 d9 fc 48 83 e3 08 0f 85 ae 00 00 00 e9 0c 00 00 00 e8 5e c4 d9 fc 0f 00 2d d7 d9 b7 00 fb f4 <fa> e9 a1 00 00 00 49 83 c6 04 4c 89 f0 48 c1 e8 03 42 8a 04 38 84
RSP: 0018:ffffc900000f7c48 EFLAGS: 00000246
RAX: 1ffff110200509e0 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888100284f00 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900000f7c60 R08: ffffffff8492f48e R09: ffffed10200509e1
R10: ffffed10200509e1 R11: 1ffff110200509e0 R12: 0000000000000001
R13: ffff888103d92004 R14: ffff888105fc4064 R15: dffffc0000000000
acpi_idle_enter+0x32d/0x4f0 drivers/acpi/processor_idle.c:693
cpuidle_enter_state+0x5d0/0x14a0 drivers/cpuidle/cpuidle.c:249
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:364
call_cpuidle kernel/sched/idle.c:160 [inline]
cpuidle_idle_call kernel/sched/idle.c:241 [inline]
do_idle+0x369/0x5d0 kernel/sched/idle.c:302
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:398
start_secondary+0xd7/0xe0 arch/x86/kernel/smpboot.c:265
secondary_startup_64_no_verify+0xb0/0xbb
Modules linked in:
---[ end trace 6452452abc7e60d7 ]---
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 80 dc 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 40 dd 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000160a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f735c068 RCX: 958566e80b1a5a00
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000160a28 R08: ffffffff8153b2f8 R09: ffffed103ee64e83
R10: ffffed103ee64e83 R11: 1ffff1103ee64e82 R12: ffff888113db6470
R13: dffffc0000000000 R14: ffff8881f735c060 R15: ffff888113db6470
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3ecd206028 CR3: 000000011c4a0000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: 48 83 e6 08 and $0x8,%rsi
6: 31 ff xor %edi,%edi
8: e8 92 c9 d9 fc callq 0xfcd9c99f
d: 48 83 e3 08 and $0x8,%rbx
11: 0f 85 ae 00 00 00 jne 0xc5
17: e9 0c 00 00 00 jmpq 0x28
1c: e8 5e c4 d9 fc callq 0xfcd9c47f
21: 0f 00 2d d7 d9 b7 00 verw 0xb7d9d7(%rip) # 0xb7d9ff
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 a1 00 00 00 jmpq 0xd1
30: 49 83 c6 04 add $0x4,%r14
34: 4c 89 f0 mov %r14,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 8a 04 38 mov (%rax,%r15,1),%al
3f: 84 .byte 0x84


Tested on:

commit: 2bcb8520 cgroup debug
git tree: https://github.com/tstruk/linux.git android12-5.10
console output: https://syzkaller.appspot.com/x/log.txt?x=11c70d0bf00000

syzbot

Jun 6, 2022, 4:43:11 PM6/6/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!!! css_killed_ref_fn enqueue(ffff888111a97400)
!!!! css_killed_ref_fn enqueue(ffff888111a94400)
!!!! css_release enqueue(ffff888111a94400)
list_add corruption. prev->next should be next (ffff8881f725c060), but was ffff888111a94470. (prev=ffff888111a94470).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.110-syzkaller-00174-g74d09191747e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 80 da 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 40 db 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000007a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f725c068 RCX: 641c199d59949e00
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007a28 R08: ffffffff8153b2f8 R09: ffffed103ee4a5d8
R10: ffffed103ee4a5d8 R11: 1ffff1103ee4a5d7 R12: ffff888111a94470
R13: dffffc0000000000 R14: ffff8881f725c060 R15: ffff888111a94470
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4254aa3e69 CR3: 000000010c10b000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0x107/0x330 kernel/workqueue.c:1352
__queue_work+0x971/0xd30 kernel/workqueue.c:1514
queue_work_on+0xf2/0x150 kernel/workqueue.c:1541
queue_work include/linux/workqueue.h:513 [inline]
css_release+0xc0/0xd0 kernel/cgroup/cgroup.c:5152
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5a2/0x5b0 lib/percpu-refcount.c:199
rcu_do_batch+0x4f8/0xbc0 kernel/rcu/tree.c:2485
rcu_core+0x59b/0xe30 kernel/rcu/tree.c:2722
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2735
__do_softirq+0x27e/0x596 kernel/softirq.c:305
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:402 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:432
irq_exit_rcu+0x9/0x10 kernel/softirq.c:444
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:49 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:89 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:114 [inline]
RIP: 0010:acpi_idle_do_entry+0xbb/0x1f0 drivers/acpi/processor_idle.c:558
Code: 89 de 48 83 e6 08 31 ff e8 92 c9 d9 fc 48 83 e3 08 0f 85 ae 00 00 00 e9 0c 00 00 00 e8 5e c4 d9 fc 0f 00 2d f7 d7 b7 00 fb f4 <fa> e9 a1 00 00 00 49 83 c6 04 4c 89 f0 48 c1 e8 03 42 8a 04 38 84
RSP: 0018:ffffffff85e07be8 EFLAGS: 00000246
RAX: 1ffffffff0bc35e8 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffffffff85e1af40 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffff85e07c00 R08: ffffffff8492f46e R09: fffffbfff0bc35e9
R10: fffffbfff0bc35e9 R11: 1ffffffff0bc35e8 R12: 0000000000000001
R13: ffff8881047a7004 R14: ffff888105bc8864 R15: dffffc0000000000
acpi_idle_enter+0x32d/0x4f0 drivers/acpi/processor_idle.c:693
cpuidle_enter_state+0x5d0/0x14a0 drivers/cpuidle/cpuidle.c:249
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:364
call_cpuidle kernel/sched/idle.c:160 [inline]
cpuidle_idle_call kernel/sched/idle.c:241 [inline]
do_idle+0x369/0x5d0 kernel/sched/idle.c:302
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:398
rest_init+0xe6/0xf0 init/main.c:714
arch_call_rest_init+0xe/0x10 init/main.c:840
start_kernel+0x45a/0x4cc init/main.c:1053
x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:526
x86_64_start_kernel+0x7a/0x7d arch/x86/kernel/head64.c:507
secondary_startup_64_no_verify+0xb0/0xbb
Modules linked in:
---[ end trace 6e6d887a2a508548 ]---
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 80 da 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 40 db 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000007a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f725c068 RCX: 641c199d59949e00
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007a28 R08: ffffffff8153b2f8 R09: ffffed103ee4a5d8
R10: ffffed103ee4a5d8 R11: 1ffff1103ee4a5d7 R12: ffff888111a94470
R13: dffffc0000000000 R14: ffff8881f725c060 R15: ffff888111a94470
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4254aa3e69 CR3: 000000010c10b000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: 48 83 e6 08 and $0x8,%rsi
6: 31 ff xor %edi,%edi
8: e8 92 c9 d9 fc callq 0xfcd9c99f
d: 48 83 e3 08 and $0x8,%rbx
11: 0f 85 ae 00 00 00 jne 0xc5
17: e9 0c 00 00 00 jmpq 0x28
1c: e8 5e c4 d9 fc callq 0xfcd9c47f
21: 0f 00 2d f7 d7 b7 00 verw 0xb7d7f7(%rip) # 0xb7d81f
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 a1 00 00 00 jmpq 0xd1
30: 49 83 c6 04 add $0x4,%r14
34: 4c 89 f0 mov %r14,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 8a 04 38 mov (%rax,%r15,1),%al
3f: 84 .byte 0x84


Tested on:

commit: 74d09191 cgroup debug
git tree: https://github.com/tstruk/linux.git android12-5.10
console output: https://syzkaller.appspot.com/x/log.txt?x=1255ea0df00000

syzbot

Jun 6, 2022, 5:14:13 PM6/6/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!!! css_killed_ref_fn enqueue(ffff88811272b800)
!!!! css_killed_ref_fn enqueue(ffff88811272bc00)
!!!! css_release enqueue(ffff88811272bc00)
list_add corruption. prev->next should be next (ffff8881f735c060), but was ffff88811272bc70. (prev=ffff88811272bc70).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 374 Comm: kworker/1:2 Not tainted 5.10.110-syzkaller-00174-gc5a957663c73 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: cgroup_destroy css_killed_work_fn
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 40 db 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 00 dc 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000160a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f735c068 RCX: fe9353fa45f2a400
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000160a28 R08: ffffffff8153b2f8 R09: ffffed103ee64e83
R10: ffffed103ee64e83 R11: 1ffff1103ee64e82 R12: ffff88811272bc70
R13: dffffc0000000000 R14: ffff8881f735c060 R15: ffff88811272bc70
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f15d1691e69 CR3: 000000010f9a8000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0x107/0x330 kernel/workqueue.c:1352
__queue_work+0x971/0xd30 kernel/workqueue.c:1514
queue_work_on+0xf2/0x150 kernel/workqueue.c:1541
queue_work include/linux/workqueue.h:513 [inline]
css_release+0xc0/0xd0 kernel/cgroup/cgroup.c:5151
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5a2/0x5b0 lib/percpu-refcount.c:199
rcu_do_batch+0x4f8/0xbc0 kernel/rcu/tree.c:2485
rcu_core+0x59b/0xe30 kernel/rcu/tree.c:2722
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2735
__do_softirq+0x27e/0x596 kernel/softirq.c:305
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:402 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:432
irq_exit_rcu+0x9/0x10 kernel/softirq.c:444
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:41 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:84 [inline]
RIP: 0010:console_unlock+0xb5c/0xf20 kernel/printk/printk.c:2555
Code: 85 db 4c 8d b4 24 60 01 00 00 0f 85 82 03 00 00 e8 49 6e 00 00 48 8b 44 24 30 48 89 84 24 90 00 00 00 ff b4 24 90 00 00 00 9d <48> 8b 44 24 38 42 80 3c 38 00 74 08 4c 89 f7 e8 40 d1 52 00 48 c7
RSP: 0018:ffffc9000039f7e0 EFLAGS: 00000246
RAX: 0000000000000246 RBX: 0000000000000000 RCX: ffff88811e03cf00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffffc9000039fa70 R08: ffffffff8153ae3b R09: 0000000000000003
R10: fffff52000073eed R11: 1ffff92000073eec R12: ffffc9000039f9e0
R13: 1ffffffff0c3ada1 R14: ffffc9000039f940 R15: dffffc0000000000
vprintk_emit+0x44b/0x640 kernel/printk/printk.c:2063
vprintk_default+0x26/0x30 kernel/printk/printk.c:2080
vprintk_func+0x19d/0x1e0 kernel/printk/printk_safe.c:401
printk+0xcf/0x10f kernel/printk/printk.c:2111
css_killed_work_fn+0x1e4/0x430 kernel/cgroup/cgroup.c:5504
process_one_work+0x726/0xc10 kernel/workqueue.c:2296
worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
kthread+0x349/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace fa523c1e40e49a9f ]---
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 40 db 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 00 dc 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000160a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f735c068 RCX: fe9353fa45f2a400
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000160a28 R08: ffffffff8153b2f8 R09: ffffed103ee64e83
R10: ffffed103ee64e83 R11: 1ffff1103ee64e82 R12: ffff88811272bc70
R13: dffffc0000000000 R14: ffff8881f735c060 R15: ffff88811272bc70
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f15d1691e69 CR3: 000000010f9a8000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 85 db test %ebx,%ebx
2: 4c 8d b4 24 60 01 00 lea 0x160(%rsp),%r14
9: 00
a: 0f 85 82 03 00 00 jne 0x392
10: e8 49 6e 00 00 callq 0x6e5e
15: 48 8b 44 24 30 mov 0x30(%rsp),%rax
1a: 48 89 84 24 90 00 00 mov %rax,0x90(%rsp)
21: 00
22: ff b4 24 90 00 00 00 pushq 0x90(%rsp)
29: 9d popfq
* 2a: 48 8b 44 24 38 mov 0x38(%rsp),%rax <-- trapping instruction
2f: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
34: 74 08 je 0x3e
36: 4c 89 f7 mov %r14,%rdi
39: e8 40 d1 52 00 callq 0x52d17e
3e: 48 rex.W
3f: c7 .byte 0xc7


Tested on:

commit: c5a95766 cgroup debug
git tree: https://github.com/tstruk/linux.git android12-5.10
console output: https://syzkaller.appspot.com/x/log.txt?x=11129583f00000

syzbot

Jun 6, 2022, 5:37:11 PM6/6/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

kernel/cgroup/cgroup.c:972:72: error: member reference type 'struct cgroup *' is a pointer; did you mean to use '->'?


Tested on:

commit: b49b8c4b cgroup debug
git tree: https://github.com/tstruk/linux.git android12-5.10

syzbot

Jun 6, 2022, 5:53:09 PM6/6/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!!! css_killed_ref_fn enqueue(ffff8881150d2400)
!!!! css_killed_ref_fn enqueue(ffff8881150d0000)
!!!! css_release enqueue(ffff8881150d0000)
list_add corruption. prev->next should be next (ffff8881f725c060), but was ffff8881150d0070. (prev=ffff8881150d0070).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G W 5.10.110-syzkaller-00174-geba830c9b38e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 80 db 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 40 dc 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc900000c77e0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f725c068 RCX: 6e4af497fd7b9a00
RDX: 0000000000000101 RSI: 0000000000000101 RDI: 0000000000000000
RBP: ffffc900000c7808 R08: ffffffff8153b2f8 R09: ffffed103ee44e83
R10: ffffed103ee44e83 R11: 1ffff1103ee44e82 R12: ffff8881150d0070
R13: dffffc0000000000 R14: ffff8881f725c060 R15: ffff8881150d0070
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff06178bb8 CR3: 000000010bbca000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0x107/0x330 kernel/workqueue.c:1352
__queue_work+0x971/0xd30 kernel/workqueue.c:1514
queue_work_on+0xf2/0x150 kernel/workqueue.c:1541
queue_work include/linux/workqueue.h:513 [inline]
css_release+0xc0/0xd0 kernel/cgroup/cgroup.c:5153
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5a2/0x5b0 lib/percpu-refcount.c:199
rcu_do_batch+0x4f8/0xbc0 kernel/rcu/tree.c:2485
rcu_core+0x59b/0xe30 kernel/rcu/tree.c:2722
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2735
__do_softirq+0x27e/0x596 kernel/softirq.c:305
run_ksoftirqd+0x23/0x30 kernel/softirq.c:667
smpboot_thread_fn+0x551/0x930 kernel/smpboot.c:164
kthread+0x349/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace eb0090bb59c3f93b ]---
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 80 db 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 40 dc 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc900000c77e0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f725c068 RCX: 6e4af497fd7b9a00
RDX: 0000000000000101 RSI: 0000000000000101 RDI: 0000000000000000
RBP: ffffc900000c7808 R08: ffffffff8153b2f8 R09: ffffed103ee44e83
R10: ffffed103ee44e83 R11: 1ffff1103ee44e82 R12: ffff8881150d0070
R13: dffffc0000000000 R14: ffff8881f725c060 R15: ffff8881150d0070
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff06178bb8 CR3: 000000010bbca000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: eba830c9 cgroup debug
git tree: https://github.com/tstruk/linux.git android12-5.10
console output: https://syzkaller.appspot.com/x/log.txt?x=10991d05f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f8c0af7fe6e394f3

syzbot

Jun 6, 2022, 6:24:08 PM6/6/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!!! css_release enqueue(ffff88810ad06c00)
list_add corruption. prev->next should be next (ffff8881f735c060), but was ffff88810ad06c70. (prev=ffff88810ad06c70).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 416 Comm: syz-executor.3 Tainted: G W 5.10.110-syzkaller-00174-gcb15f4b83ce7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 00 df 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 c0 df 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000160a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f735c068 RCX: 819961c67de77700
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000160a28 R08: ffffffff8153b2f8 R09: ffffed103ee64e83
R10: ffffed103ee64e83 R11: 1ffff1103ee64e82 R12: ffff88810ad06c70
R13: dffffc0000000000 R14: ffff8881f735c060 R15: ffff88810ad06c70
FS: 000055555565c400(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555566fcb78 CR3: 000000010d51c000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0x107/0x330 kernel/workqueue.c:1352
__queue_work+0x971/0xd30 kernel/workqueue.c:1514
queue_work_on+0xf2/0x150 kernel/workqueue.c:1541
queue_work include/linux/workqueue.h:513 [inline]
css_release+0xc0/0xd0 kernel/cgroup/cgroup.c:5153
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5a2/0x5b0 lib/percpu-refcount.c:199
rcu_do_batch+0x4f8/0xbc0 kernel/rcu/tree.c:2485
rcu_core+0x59b/0xe30 kernel/rcu/tree.c:2722
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2735
__do_softirq+0x27e/0x596 kernel/softirq.c:305
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:402 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:432
irq_exit_rcu+0x9/0x10 kernel/softirq.c:444
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:41 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:84 [inline]
RIP: 0010:console_unlock+0xeea/0xf20 kernel/printk/printk.c:2551
Code: 19 00 eb 85 e8 f7 06 19 00 c6 05 d0 cb 31 05 00 e8 bb 6a 00 00 48 8b 44 24 30 48 89 84 24 98 00 00 00 ff b4 24 98 00 00 00 9d <e9> 5a ff ff ff e8 cc 06 19 00 e9 d5 fe ff ff 89 f9 80 e1 07 80 c1
RSP: 0018:ffffc90000f37720 EFLAGS: 00000246
RAX: 0000000000000246 RBX: 0000000000000001 RCX: ffff8881067d93c0
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffffc90000f379b0 R08: ffffffff8153ae3b R09: 0000000000000003
R10: fffff520001e6ed5 R11: 1ffff920001e6ed4 R12: ffffc90000f37920
R13: 1ffffffff0c3adc1 R14: ffffc90000f37880 R15: dffffc0000000000
vprintk_emit+0x44b/0x640 kernel/printk/printk.c:2063
vprintk_default+0x26/0x30 kernel/printk/printk.c:2080
vprintk_func+0x19d/0x1e0 kernel/printk/printk_safe.c:401
printk+0xcf/0x10f kernel/printk/printk.c:2111
cgroup_sk_free+0xee/0x2c0 kernel/cgroup/cgroup.c:6617
sk_prot_free net/core/sock.c:1723 [inline]
__sk_destruct+0x459/0x540 net/core/sock.c:1815
sk_destruct net/core/sock.c:1830 [inline]
__sk_free+0x364/0x470 net/core/sock.c:1841
sk_free+0x51/0x90 net/core/sock.c:1852
sock_put include/net/sock.h:1802 [inline]
tcp_close+0xe30/0x1150 net/ipv4/tcp.c:2661
inet_release+0x197/0x200 net/ipv4/af_inet.c:431
__sock_release net/socket.c:597 [inline]
sock_close+0xdb/0x250 net/socket.c:1267
__fput+0x348/0x7c0 fs/file_table.c:281
____fput+0x15/0x20 fs/file_table.c:314
task_work_run+0x147/0x1b0 kernel/task_work.c:154
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_user_mode_loop+0xc8/0xe0 kernel/entry/common.c:164
exit_to_user_mode_prepare kernel/entry/common.c:191 [inline]
syscall_exit_to_user_mode+0x77/0xa0 kernel/entry/common.c:266
do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7ffbfafeed03
Code: c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8
RSP: 002b:00007ffc00434ca8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 00007ffc00434d30 RCX: 00007ffbfafeed03
RDX: 0000000000000006 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 00007ffc00434b40
R10: 0000000000000000 R11: 0000000000000246 R12: 000055555565db00
R13: 000055555565db5b R14: 0000000000000006 R15: 00007ffc00434d70
Modules linked in:
---[ end trace 89236a6ca612e531 ]---
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 00 df 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 c0 df 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000160a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f735c068 RCX: 819961c67de77700
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000160a28 R08: ffffffff8153b2f8 R09: ffffed103ee64e83
R10: ffffed103ee64e83 R11: 1ffff1103ee64e82 R12: ffff88810ad06c70
R13: dffffc0000000000 R14: ffff8881f735c060 R15: ffff88810ad06c70
FS: 000055555565c400(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555566fcb78 CR3: 000000010d51c000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 19 00 sbb %eax,(%rax)
2: eb 85 jmp 0xffffff89
4: e8 f7 06 19 00 callq 0x190700
9: c6 05 d0 cb 31 05 00 movb $0x0,0x531cbd0(%rip) # 0x531cbe0
10: e8 bb 6a 00 00 callq 0x6ad0
15: 48 8b 44 24 30 mov 0x30(%rsp),%rax
1a: 48 89 84 24 98 00 00 mov %rax,0x98(%rsp)
21: 00
22: ff b4 24 98 00 00 00 pushq 0x98(%rsp)
29: 9d popfq
* 2a: e9 5a ff ff ff jmpq 0xffffff89 <-- trapping instruction
2f: e8 cc 06 19 00 callq 0x190700
34: e9 d5 fe ff ff jmpq 0xffffff0e
39: 89 f9 mov %edi,%ecx
3b: 80 e1 07 and $0x7,%cl
3e: 80 .byte 0x80
3f: c1 .byte 0xc1


Tested on:

commit: cb15f4b8 cgroup debug
git tree: https://github.com/tstruk/linux.git android12-5.10
console output: https://syzkaller.appspot.com/x/log.txt?x=14946a9ff00000

syzbot

Jun 6, 2022, 9:21:16 PM6/6/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!!! css_killed_ref_fn enqueue(ffff888111333400)
!!!! css_release enqueue(ffff888111333400)
list_add corruption. prev->next should be next (ffff8881f725c060), but was ffff888111333470. (prev=ffff888111333470).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5533 Comm: kworker/0:8 Tainted: G W 5.10.110-syzkaller-00174-g092434b00326 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: cgroup_destroy css_killed_work_fn
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 80 da 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 40 db 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000007a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f725c068 RCX: 027a733cd613c700
RDX: 0000000080000102 RSI: 0000000080000102 RDI: 0000000000000000
RBP: ffffc90000007a28 R08: ffffffff8153b2f8 R09: ffffed103ee44e83
R10: ffffed103ee44e83 R11: 1ffff1103ee44e82 R12: ffff888111333470
R13: dffffc0000000000 R14: ffff8881f725c060 R15: ffff888111333470
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f20e24c8130 CR3: 0000000005e0f000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0x107/0x330 kernel/workqueue.c:1352
__queue_work+0x971/0xd30 kernel/workqueue.c:1514
queue_work_on+0xf2/0x150 kernel/workqueue.c:1541
queue_work include/linux/workqueue.h:513 [inline]
css_release+0xc0/0xd0 kernel/cgroup/cgroup.c:5154
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5a2/0x5b0 lib/percpu-refcount.c:199
rcu_do_batch+0x4f8/0xbc0 kernel/rcu/tree.c:2485
rcu_core+0x59b/0xe30 kernel/rcu/tree.c:2722
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2735
__do_softirq+0x27e/0x596 kernel/softirq.c:305
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:402 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:432
irq_exit_rcu+0x9/0x10 kernel/softirq.c:444
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:41 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:84 [inline]
RIP: 0010:console_unlock+0xb5c/0xf20 kernel/printk/printk.c:2555
Code: 85 db 4c 8d b4 24 60 01 00 00 0f 85 82 03 00 00 e8 49 6e 00 00 48 8b 44 24 30 48 89 84 24 90 00 00 00 ff b4 24 90 00 00 00 9d <48> 8b 44 24 38 42 80 3c 38 00 74 08 4c 89 f7 e8 40 d2 52 00 48 c7
RSP: 0018:ffffc90000e277c0 EFLAGS: 00000246
RAX: 0000000000000246 RBX: 0000000000000000 RCX: ffff88811248bb40
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffffc90000e27a50 R08: ffffffff8153ae3b R09: 0000000000000003
R10: fffff520001c4ee9 R11: 1ffff920001c4ee8 R12: ffffc90000e279c0
R13: 1ffffffff0c3add1 R14: ffffc90000e27920 R15: dffffc0000000000
vprintk_emit+0x44b/0x640 kernel/printk/printk.c:2063
vprintk_default+0x26/0x30 kernel/printk/printk.c:2080
vprintk_func+0x19d/0x1e0 kernel/printk/printk_safe.c:401
printk+0xcf/0x10f kernel/printk/printk.c:2111
css_release+0x2d/0xd0 kernel/cgroup/cgroup.c:5152
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
css_put include/linux/cgroup.h:407 [inline]
css_killed_work_fn+0x3f8/0x430 kernel/cgroup/cgroup.c:5510
process_one_work+0x726/0xc10 kernel/workqueue.c:2296
worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
kthread+0x349/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace f80e587012b1ba91 ]---
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 80 da 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 40 db 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000007a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f725c068 RCX: 027a733cd613c700
RDX: 0000000080000102 RSI: 0000000080000102 RDI: 0000000000000000
RBP: ffffc90000007a28 R08: ffffffff8153b2f8 R09: ffffed103ee44e83
R10: ffffed103ee44e83 R11: 1ffff1103ee44e82 R12: ffff888111333470
R13: dffffc0000000000 R14: ffff8881f725c060 R15: ffff888111333470
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f20e24c8130 CR3: 0000000005e0f000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 85 db test %ebx,%ebx
2: 4c 8d b4 24 60 01 00 lea 0x160(%rsp),%r14
9: 00
a: 0f 85 82 03 00 00 jne 0x392
10: e8 49 6e 00 00 callq 0x6e5e
15: 48 8b 44 24 30 mov 0x30(%rsp),%rax
1a: 48 89 84 24 90 00 00 mov %rax,0x90(%rsp)
21: 00
22: ff b4 24 90 00 00 00 pushq 0x90(%rsp)
29: 9d popfq
* 2a: 48 8b 44 24 38 mov 0x38(%rsp),%rax <-- trapping instruction
2f: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
34: 74 08 je 0x3e
36: 4c 89 f7 mov %r14,%rdi
39: e8 40 d2 52 00 callq 0x52d27e
3e: 48 rex.W
3f: c7 .byte 0xc7


Tested on:

commit: 092434b0 cgroup debug
git tree: https://github.com/tstruk/linux.git android12-5.10
console output: https://syzkaller.appspot.com/x/log.txt?x=1668c7b3f00000

syzbot

Jun 6, 2022, 10:48:08 PM6/6/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!!! css_release enqueue(ffff888119b45400)
list_add corruption. prev->next should be next (ffff8881f735c060), but was ffff888119b45470. (prev=ffff888119b45470).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 372 Comm: kworker/1:3 Tainted: G W 5.10.110-syzkaller-00174-g5772a6660fb5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: cgroup_destroy css_killed_work_fn
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 c0 df 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 80 e0 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000160a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f735c068 RCX: 8db17ca183c11400
RDX: 0000000080000102 RSI: 0000000080000102 RDI: 0000000000000000
RBP: ffffc90000160a28 R08: ffffffff8153b2f8 R09: 0000000000000003
R10: fffff5200002c0e5 R11: 1ffff9200002c0e4 R12: ffff888119b45470
R13: dffffc0000000000 R14: ffff8881f735c060 R15: ffff888119b45470
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555c362c0 CR3: 000000010879b000 CR4: 00000000003506a0
Code: 85 db 4c 8d b4 24 60 01 00 00 0f 85 82 03 00 00 e8 49 6e 00 00 48 8b 44 24 30 48 89 84 24 90 00 00 00 ff b4 24 90 00 00 00 9d <48> 8b 44 24 38 42 80 3c 38 00 74 08 4c 89 f7 e8 f0 d1 52 00 48 c7
RSP: 0018:ffffc90000bc77c0 EFLAGS: 00000246
RAX: 0000000000000246 RBX: 0000000000000000 RCX: ffff88811d3be2c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffffc90000bc7a50 R08: ffffffff8153ae3b R09: 0000000000000003
R10: fffff52000178ee9 R11: 1ffff92000178ee8 R12: ffffc90000bc79c0
R13: 1ffffffff0c3add1 R14: ffffc90000bc7920 R15: dffffc0000000000
vprintk_emit+0x44b/0x640 kernel/printk/printk.c:2063
vprintk_default+0x26/0x30 kernel/printk/printk.c:2080
vprintk_func+0x19d/0x1e0 kernel/printk/printk_safe.c:401
printk+0xcf/0x10f kernel/printk/printk.c:2111
css_release+0x2d/0xd0 kernel/cgroup/cgroup.c:5152
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
css_put include/linux/cgroup.h:407 [inline]
css_killed_work_fn+0x3b0/0x3e0 kernel/cgroup/cgroup.c:5510
process_one_work+0x726/0xc10 kernel/workqueue.c:2296
worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
kthread+0x349/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace 1d6a8eed5230f9de ]---
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 c0 df 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 80 e0 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000160a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f735c068 RCX: 8db17ca183c11400
RDX: 0000000080000102 RSI: 0000000080000102 RDI: 0000000000000000
RBP: ffffc90000160a28 R08: ffffffff8153b2f8 R09: 0000000000000003
R10: fffff5200002c0e5 R11: 1ffff9200002c0e4 R12: ffff888119b45470
R13: dffffc0000000000 R14: ffff8881f735c060 R15: ffff888119b45470
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555c362c0 CR3: 000000010879b000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 85 db test %ebx,%ebx
2: 4c 8d b4 24 60 01 00 lea 0x160(%rsp),%r14
9: 00
a: 0f 85 82 03 00 00 jne 0x392
10: e8 49 6e 00 00 callq 0x6e5e
15: 48 8b 44 24 30 mov 0x30(%rsp),%rax
1a: 48 89 84 24 90 00 00 mov %rax,0x90(%rsp)
21: 00
22: ff b4 24 90 00 00 00 pushq 0x90(%rsp)
29: 9d popfq
* 2a: 48 8b 44 24 38 mov 0x38(%rsp),%rax <-- trapping instruction
2f: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
34: 74 08 je 0x3e
36: 4c 89 f7 mov %r14,%rdi
39: e8 f0 d1 52 00 callq 0x52d22e
3e: 48 rex.W
3f: c7 .byte 0xc7


Tested on:

commit: 5772a666 cgroup debug
git tree: https://github.com/tstruk/linux.git android12-5.10
console output: https://syzkaller.appspot.com/x/log.txt?x=107e2bdbf00000

syzbot

Jun 6, 2022, 11:48:06 PM6/6/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: cacce447 cgroup debug
git tree: https://github.com/tstruk/linux.git android12-5.10
kernel config: https://syzkaller.appspot.com/x/.config?x=f8c0af7fe6e394f3
dashboard link: https://syzkaller.appspot.com/bug?extid=e42ae441c3b10acf9e9d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

syzbot

Jun 7, 2022, 12:09:09 AM6/7/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!!! css_release enqueue(ffff888115956800)
list_add corruption. prev->next should be next (ffff8881f735c060), but was ffff888115956870. (prev=ffff888115956870).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 372 Comm: kworker/1:2 Tainted: G W 5.10.110-syzkaller-00174-gcacce4479cc9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: cgroup_destroy css_release_work_fn
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 80 e1 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 40 e2 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000160a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f735c068 RCX: 483bfcc27e200c00
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000160a28 R08: ffffffff8153b2f8 R09: ffffed103ee64e83
R10: ffffed103ee64e83 R11: 1ffff1103ee64e82 R12: ffff888115956870
R13: dffffc0000000000 R14: ffff8881f735c060 R15: ffff888115956870
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff6cf6c8718 CR3: 00000001196f5000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0x107/0x330 kernel/workqueue.c:1352
__queue_work+0x971/0xd30 kernel/workqueue.c:1514
queue_work_on+0xf2/0x150 kernel/workqueue.c:1541
queue_work include/linux/workqueue.h:513 [inline]
css_release+0xc0/0xd0 kernel/cgroup/cgroup.c:5159
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5a2/0x5b0 lib/percpu-refcount.c:199
rcu_do_batch+0x4f8/0xbc0 kernel/rcu/tree.c:2485
rcu_core+0x59b/0xe30 kernel/rcu/tree.c:2722
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2735
__do_softirq+0x27e/0x596 kernel/softirq.c:305
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:402 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:432
irq_exit_rcu+0x9/0x10 kernel/softirq.c:444
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:41 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:84 [inline]
RIP: 0010:console_unlock+0xeea/0xf20 kernel/printk/printk.c:2551
Code: 19 00 eb 85 e8 e7 07 19 00 c6 05 d0 cb 31 05 00 e8 bb 6a 00 00 48 8b 44 24 30 48 89 84 24 98 00 00 00 ff b4 24 98 00 00 00 9d <e9> 5a ff ff ff e8 bc 07 19 00 e9 d5 fe ff ff 89 f9 80 e1 07 80 c1
RSP: 0018:ffffc90000b477e0 EFLAGS: 00000246
RAX: 0000000000000246 RBX: 0000000000000001 RCX: ffff888107784f00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffffc90000b47a70 R08: ffffffff8153ae3b R09: 0000000000000003
R10: fffff52000168eed R11: 1ffff92000168eec R12: ffffc90000b479e0
R13: 1ffffffff0c3adf1 R14: ffffc90000b47940 R15: dffffc0000000000
vprintk_emit+0x44b/0x640 kernel/printk/printk.c:2063
vprintk_default+0x26/0x30 kernel/printk/printk.c:2080
vprintk_func+0x19d/0x1e0 kernel/printk/printk_safe.c:401
printk+0xcf/0x10f kernel/printk/printk.c:2111
css_release_work_fn+0x432/0x650 kernel/cgroup/cgroup.c:5147
process_one_work+0x726/0xc10 kernel/workqueue.c:2296
worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
kthread+0x349/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace ade9ed68a2334729 ]---
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 80 e1 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 40 e2 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000160a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f735c068 RCX: 483bfcc27e200c00
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000160a28 R08: ffffffff8153b2f8 R09: ffffed103ee64e83
R10: ffffed103ee64e83 R11: 1ffff1103ee64e82 R12: ffff888115956870
R13: dffffc0000000000 R14: ffff8881f735c060 R15: ffff888115956870
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff6cf6c8718 CR3: 00000001196f5000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 19 00 sbb %eax,(%rax)
2: eb 85 jmp 0xffffff89
4: e8 e7 07 19 00 callq 0x1907f0
9: c6 05 d0 cb 31 05 00 movb $0x0,0x531cbd0(%rip) # 0x531cbe0
10: e8 bb 6a 00 00 callq 0x6ad0
15: 48 8b 44 24 30 mov 0x30(%rsp),%rax
1a: 48 89 84 24 98 00 00 mov %rax,0x98(%rsp)
21: 00
22: ff b4 24 98 00 00 00 pushq 0x98(%rsp)
29: 9d popfq
* 2a: e9 5a ff ff ff jmpq 0xffffff89 <-- trapping instruction
2f: e8 bc 07 19 00 callq 0x1907f0
34: e9 d5 fe ff ff jmpq 0xffffff0e
39: 89 f9 mov %edi,%ecx
3b: 80 e1 07 and $0x7,%cl
3e: 80 .byte 0x80
3f: c1 .byte 0xc1


Tested on:

commit: cacce447 cgroup debug
git tree: https://github.com/tstruk/linux.git android12-5.10
console output: https://syzkaller.appspot.com/x/log.txt?x=173bba93f00000

syzbot

Jun 7, 2022, 11:09:13 AM6/7/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in process_one_work

!!!! css_killed_work_fn css_put(ffff88811552d000)
!!!! css_release_work_fn(ffff88811552d800)
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 6075 Comm: kworker/1:13 Tainted: G W 5.10.110-syzkaller-00174-gea8f0b70badf #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: 0x0 (cgroup_destroy)

RIP: 0010:process_one_work+0xbc/0xc10 kernel/workqueue.c:2195
Code: df e8 08 de 5f 00 4c 89 7d b8 4c 8b 2b 49 8d 5c 24 08 48 89 d9 48 c1 e9 03 48 b8 00 00 00 00 00 fc ff df 48 89 8d 70 ff ff ff <80> 3c 01 00 74 08 48 89 df e8 d6 dd 5f 00 41 bf 00 01 00 00 48 89
RSP: 0018:ffffc90000d07d28 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000008 RCX: 0000000000000001
RDX: ffff8881172e3b40 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000d07dc0 R08: ffffffff8146a1bb R09: ffffed1022aa5b0e
R10: ffffed1022aa5b0e R11: 1ffff11022aa5b0d R12: 0000000000000000
R13: ffff8881f7355700 R14: dffffc0000000000 R15: ffff88811e3b4900
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc59e33f08 CR3: 0000000105d93000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
kthread+0x349/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace 4ba3e93e7aefdc16 ]---
RIP: 0010:process_one_work+0xbc/0xc10 kernel/workqueue.c:2195
Code: df e8 08 de 5f 00 4c 89 7d b8 4c 8b 2b 49 8d 5c 24 08 48 89 d9 48 c1 e9 03 48 b8 00 00 00 00 00 fc ff df 48 89 8d 70 ff ff ff <80> 3c 01 00 74 08 48 89 df e8 d6 dd 5f 00 41 bf 00 01 00 00 48 89
RSP: 0018:ffffc90000d07d28 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000008 RCX: 0000000000000001
RDX: ffff8881172e3b40 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000d07dc0 R08: ffffffff8146a1bb R09: ffffed1022aa5b0e
R10: ffffed1022aa5b0e R11: 1ffff11022aa5b0d R12: 0000000000000000
R13: ffff8881f7355700 R14: dffffc0000000000 R15: ffff88811e3b4900
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc59e33f08 CR3: 0000000105d93000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: df e8 fucomip %st(0),%st
2: 08 de or %bl,%dh
4: 5f pop %rdi
5: 00 4c 89 7d add %cl,0x7d(%rcx,%rcx,4)
9: b8 4c 8b 2b 49 mov $0x492b8b4c,%eax
e: 8d 5c 24 08 lea 0x8(%rsp),%ebx
12: 48 89 d9 mov %rbx,%rcx
15: 48 c1 e9 03 shr $0x3,%rcx
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 8d 70 ff ff ff mov %rcx,-0x90(%rbp)
* 2a: 80 3c 01 00 cmpb $0x0,(%rcx,%rax,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 48 89 df mov %rbx,%rdi
33: e8 d6 dd 5f 00 callq 0x5fde0e
38: 41 bf 00 01 00 00 mov $0x100,%r15d
3e: 48 rex.W
3f: 89 .byte 0x89


Tested on:

commit: ea8f0b70 cgroup debug
git tree: https://github.com/tstruk/linux.git android12-5.10
console output: https://syzkaller.appspot.com/x/log.txt?x=13750e73f00000

syzbot

Jun 7, 2022, 11:56:08 AM6/7/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in percpu_ref_kill_and_confirm

!!!! control_disable control_disable ss name pids
!!!! control_disable kill_css(ffff888102fdd800)
!!!! IN kill css_get(ffff888102fdd800)
!!!! IN kill css_get(ffff888100125c00)
general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 0 PID: 436 Comm: syz-executor.0 Not tainted 5.10.110-syzkaller-00174-g7bf0dde2d9b6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:percpu_ref_kill_and_confirm+0x3a/0x200 lib/percpu-refcount.c:382
Code: f7 49 89 fc 49 bd 00 00 00 00 00 fc ff df e8 fd 7a 20 ff 48 c7 c7 20 90 91 86 e8 f1 bf 46 02 48 89 45 d0 4c 89 e3 48 c1 eb 03 <42> 80 3c 2b 00 74 08 4c 89 e7 e8 07 41 5a ff 4d 8b 34 24 4c 89 f6
RSP: 0018:ffffc900010878b8 EFLAGS: 00010002
RAX: 0000000000000246 RBX: 0000000000000002 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffc90001087820
RBP: ffffc900010878e8 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff52000210f05 R11: 1ffff92000210f04 R12: 0000000000000010
R13: dffffc0000000000 R14: ffff888100125c54 R15: ffffffff8165dd50
FS: 00007f4ce2de7700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4ce2dc5ff8 CR3: 000000010f918000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kill_css+0x1b5/0x200 kernel/cgroup/cgroup.c:5577
cgroup_apply_control_disable kernel/cgroup/cgroup.c:3165 [inline]
cgroup_finalize_control+0xb0d/0x10d0 kernel/cgroup/cgroup.c:3229
cgroup_subtree_control_write+0xd29/0x1310 kernel/cgroup/cgroup.c:3358
cgroup_file_write+0x28e/0x590 kernel/cgroup/cgroup.c:3800
kernfs_fop_write_iter+0x2d0/0x410 fs/kernfs/file.c:296
call_write_iter include/linux/fs.h:1947 [inline]
new_sync_write fs/read_write.c:518 [inline]
vfs_write+0xc1c/0xf40 fs/read_write.c:605
ksys_write+0x198/0x2c0 fs/read_write.c:658
__do_sys_write fs/read_write.c:670 [inline]
__se_sys_write fs/read_write.c:667 [inline]
__x64_sys_write+0x7b/0x90 fs/read_write.c:667
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f4ce2e710e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4ce2de7168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f4ce2f83f60 RCX: 00007f4ce2e710e9
RDX: 0000000000000006 RSI: 0000000020000100 RDI: 0000000000000004
RBP: 00007f4ce2ecb08d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd756f23ef R14: 00007f4ce2de7300 R15: 0000000000022000
Modules linked in:
---[ end trace 29fe92a4c4e7351f ]---
RIP: 0010:percpu_ref_kill_and_confirm+0x3a/0x200 lib/percpu-refcount.c:382
Code: f7 49 89 fc 49 bd 00 00 00 00 00 fc ff df e8 fd 7a 20 ff 48 c7 c7 20 90 91 86 e8 f1 bf 46 02 48 89 45 d0 4c 89 e3 48 c1 eb 03 <42> 80 3c 2b 00 74 08 4c 89 e7 e8 07 41 5a ff 4d 8b 34 24 4c 89 f6
RSP: 0018:ffffc900010878b8 EFLAGS: 00010002
RAX: 0000000000000246 RBX: 0000000000000002 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffc90001087820
RBP: ffffc900010878e8 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff52000210f05 R11: 1ffff92000210f04 R12: 0000000000000010
R13: dffffc0000000000 R14: ffff888100125c54 R15: ffffffff8165dd50
FS: 00007f4ce2de7700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4ce2dc5ff8 CR3: 000000010f918000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 49 89 fc mov %rdi,%r12
3: 49 bd 00 00 00 00 00 movabs $0xdffffc0000000000,%r13
a: fc ff df
d: e8 fd 7a 20 ff callq 0xff207b0f
12: 48 c7 c7 20 90 91 86 mov $0xffffffff86919020,%rdi
19: e8 f1 bf 46 02 callq 0x246c00f
1e: 48 89 45 d0 mov %rax,-0x30(%rbp)
22: 4c 89 e3 mov %r12,%rbx
25: 48 c1 eb 03 shr $0x3,%rbx
* 29: 42 80 3c 2b 00 cmpb $0x0,(%rbx,%r13,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 4c 89 e7 mov %r12,%rdi
33: e8 07 41 5a ff callq 0xff5a413f
38: 4d 8b 34 24 mov (%r12),%r14
3c: 4c 89 f6 mov %r14,%rsi


Tested on:

commit: 7bf0dde2 cgroup debug
git tree: https://github.com/tstruk/linux.git android12-5.10
console output: https://syzkaller.appspot.com/x/log.txt?x=1049ae73f00000

syzbot

Jun 7, 2022, 12:13:09 PM6/7/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e42ae4...@syzkaller.appspotmail.com

Tested on:

commit: 3667043a cgroup debug
git tree: https://github.com/tstruk/linux.git android12-5.10
kernel config: https://syzkaller.appspot.com/x/.config?x=f8c0af7fe6e394f3
dashboard link: https://syzkaller.appspot.com/bug?extid=e42ae441c3b10acf9e9d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

syzbot

Jun 7, 2022, 9:53:07 PM6/7/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in css_free_rwork_fn

!!!! css_free_rwork_fn(ffff8881220c1000) ctr = 48
!!!! css_free_rwork_fn(ffff88811375b400) ctr = 49
!!!! css_free_rwork_fn(ffff8881220c3400) ctr = 50
------------[ cut here ]------------
kernel BUG at kernel/cgroup/cgroup.c:5056!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 372 Comm: kworker/1:2 Not tainted 5.10.110-syzkaller-00001-g2c30a75d9bd7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: cgroup_destroy css_free_rwork_fn
RIP: 0010:css_free_rwork_fn+0x6d6/0x6e0 kernel/cgroup/cgroup.c:5056
Code: 03 48 b9 00 00 00 00 00 fc ff df 80 3c 08 00 74 08 4c 89 ff e8 cb 83 40 00 48 8b 7d d0 41 ff 17 e9 18 fc ff ff e8 8a bd 06 00 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 41 54
RSP: 0018:ffffc90000bd7ce0 EFLAGS: 00010293
RAX: ffffffff8165fce6 RBX: 0000000000000032 RCX: ffff88811cfc13c0
RDX: 0000000000000000 RSI: 0000000000000032 RDI: 0000000000000032
RBP: ffffc90000bd7d18 R08: ffffffff8165f6af R09: 0000000000000003
R10: fffff5200017aeed R11: 1ffff9200017aeec R12: ffff88810ffd4000
R13: dffffc0000000000 R14: ffff8881220c3400 R15: ffffffff85fb4ec0
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2972589718 CR3: 000000010bbbd000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
process_one_work+0x726/0xc10 kernel/workqueue.c:2296
worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
kthread+0x349/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace 80c121a6d881675f ]---
RIP: 0010:css_free_rwork_fn+0x6d6/0x6e0 kernel/cgroup/cgroup.c:5056
Code: 03 48 b9 00 00 00 00 00 fc ff df 80 3c 08 00 74 08 4c 89 ff e8 cb 83 40 00 48 8b 7d d0 41 ff 17 e9 18 fc ff ff e8 8a bd 06 00 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 41 54
RSP: 0018:ffffc90000bd7ce0 EFLAGS: 00010293

RAX: ffffffff8165fce6 RBX: 0000000000000032 RCX: ffff88811cfc13c0
RDX: 0000000000000000 RSI: 0000000000000032 RDI: 0000000000000032
RBP: ffffc90000bd7d18 R08: ffffffff8165f6af R09: 0000000000000003
R10: fffff5200017aeed R11: 1ffff9200017aeec R12: ffff88810ffd4000
R13: dffffc0000000000 R14: ffff8881220c3400 R15: ffffffff85fb4ec0
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2972588ff8 CR3: 0000000112c2e000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 2c30a75d cgroup debug
git tree: https://github.com/tstruk/linux.git android12-5.10
console output: https://syzkaller.appspot.com/x/log.txt?x=15c1d0e7f00000

syzbot

Jun 7, 2022, 10:02:08 PM6/7/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

list_add corruption. prev->next should be next (ffff8881f735c060), but was ffff888113531870. (prev=ffff888113531870).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 24 Comm: kworker/1:1 Tainted: G W 5.10.117-syzkaller-986968-gfdd06dc6b0f8-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: cgroup_destroy css_free_rwork_fn
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 c0 da 43 85 4c 89 e6 4c 89 f1 31 c0 e8 ad 2b 40 02 0f 0b 48 c7 c7 80 db 43 85 4c 89 f6 4c 89 e1 31 c0 e8 97 2b 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000160a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f735c068 RCX: 4944f35c8323b900
RDX: 0000000080000102 RSI: 0000000080000102 RDI: 0000000000000000
RBP: ffffc90000160a28 R08: ffffffff8153a998 R09: ffffed103ee6a5d8
R10: ffffed103ee6a5d8 R11: 1ffff1103ee6a5d7 R12: ffff888113531870
R13: dffffc0000000000 R14: ffff8881f735c060 R15: ffff888113531870
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc6da32518 CR3: 0000000005e0f000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0x107/0x330 kernel/workqueue.c:1352
__queue_work+0x971/0xd30 kernel/workqueue.c:1514
queue_work_on+0xf2/0x150 kernel/workqueue.c:1541
queue_work include/linux/workqueue.h:513 [inline]
css_release+0xae/0xc0 kernel/cgroup/cgroup.c:5161
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5a2/0x5b0 lib/percpu-refcount.c:199
rcu_do_batch+0x59e/0xc40 kernel/rcu/tree.c:2485
rcu_core+0x59b/0xe30 kernel/rcu/tree.c:2726
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2739
__do_softirq+0x27e/0x596 kernel/softirq.c:305
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
do_softirq+0xca/0x110 kernel/softirq.c:355
__local_bh_enable_ip+0x70/0x80 kernel/softirq.c:190
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:176 [inline]
_raw_spin_unlock_bh+0x51/0x60 kernel/locking/spinlock.c:207
spin_unlock_bh include/linux/spinlock.h:399 [inline]
cgroup_idr_remove kernel/cgroup/cgroup.c:343 [inline]
css_free_rwork_fn+0x106/0x680 kernel/cgroup/cgroup.c:5065
process_one_work+0x726/0xc10 kernel/workqueue.c:2296
worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
kthread+0x349/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace b6358a86ae17d049 ]---
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 c0 da 43 85 4c 89 e6 4c 89 f1 31 c0 e8 ad 2b 40 02 0f 0b 48 c7 c7 80 db 43 85 4c 89 f6 4c 89 e1 31 c0 e8 97 2b 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000160a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f735c068 RCX: 4944f35c8323b900
RDX: 0000000080000102 RSI: 0000000080000102 RDI: 0000000000000000
RBP: ffffc90000160a28 R08: ffffffff8153a998 R09: ffffed103ee6a5d8
R10: ffffed103ee6a5d8 R11: 1ffff1103ee6a5d7 R12: ffff888113531870
R13: dffffc0000000000 R14: ffff8881f735c060 R15: ffff888113531870
FS: 0000000000000000(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc6da32518 CR3: 0000000005e0f000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: fdd06dc6 ANDROID: GKI: db845c: Update symbols list and..
git tree: android12-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=167b8ccff00000
kernel config: https://syzkaller.appspot.com/x/.config?x=89bdb361ba397fca
dashboard link: https://syzkaller.appspot.com/bug?extid=e42ae441c3b10acf9e9d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=142cbe27f00000

syzbot

Jun 7, 2022, 11:46:15 PM6/7/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in css_free_rwork_fn

!!!! css_free_rwork_fn(ffff8881148c8c00) ctr = 49
!!!! css_free_rwork_fn(ffff8881148cac00) ctr = 50
------------[ cut here ]------------
kernel BUG at kernel/cgroup/cgroup.c:5056!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 442 Comm: kworker/0:5 Not tainted 5.10.110-syzkaller-00001-g4773d3aa44b3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: cgroup_destroy css_free_rwork_fn
RIP: 0010:css_free_rwork_fn+0x6d6/0x6e0 kernel/cgroup/cgroup.c:5056
Code: 03 48 b9 00 00 00 00 00 fc ff df 80 3c 08 00 74 08 4c 89 ff e8 cb 83 40 00 48 8b 7d d0 41 ff 17 e9 18 fc ff ff e8 8a bd 06 00 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 41 54
RSP: 0018:ffffc90001057ce0 EFLAGS: 00010293
RAX: ffffffff8165fd36 RBX: 0000000000000032 RCX: ffff8881065fcf00
RDX: 0000000000000000 RSI: 0000000000000032 RDI: 0000000000000032
RBP: ffffc90001057d18 R08: ffffffff8165f6ff R09: 0000000000000003
R10: fffff5200020aeed R11: 1ffff9200020aeec R12: ffff88810fd46000
R13: dffffc0000000000 R14: ffff8881148cac00 R15: ffffffff85fb4ec0
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc163995718 CR3: 000000011f152000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
process_one_work+0x726/0xc10 kernel/workqueue.c:2296
worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
kthread+0x349/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace fb133c1455fd1e41 ]---
RIP: 0010:css_free_rwork_fn+0x6d6/0x6e0 kernel/cgroup/cgroup.c:5056
Code: 03 48 b9 00 00 00 00 00 fc ff df 80 3c 08 00 74 08 4c 89 ff e8 cb 83 40 00 48 8b 7d d0 41 ff 17 e9 18 fc ff ff e8 8a bd 06 00 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 41 54
RSP: 0018:ffffc90001057ce0 EFLAGS: 00010293

RAX: ffffffff8165fd36 RBX: 0000000000000032 RCX: ffff8881065fcf00
RDX: 0000000000000000 RSI: 0000000000000032 RDI: 0000000000000032
RBP: ffffc90001057d18 R08: ffffffff8165f6ff R09: 0000000000000003
R10: fffff5200020aeed R11: 1ffff9200020aeec R12: ffff88810fd46000
R13: dffffc0000000000 R14: ffff8881148cac00 R15: ffffffff85fb4ec0
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f455d776ff8 CR3: 000000011f1a8000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 4773d3aa cgroup debug
git tree: https://github.com/tstruk/linux.git android12-5.10
console output: https://syzkaller.appspot.com/x/log.txt?x=102d46cff00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f8c0af7fe6e394f3
dashboard link: https://syzkaller.appspot.com/bug?extid=e42ae441c3b10acf9e9d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2

syzbot

Jun 7, 2022, 11:54:12 PM6/7/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

list_add corruption. prev->next should be next (ffff8881f725c060), but was ffff888111898870. (prev=ffff888111898870).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.117-syzkaller-986968-gfdd06dc6b0f8-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 80 da 43 85 4c 89 e6 4c 89 f1 31 c0 e8 ad 2b 40 02 0f 0b 48 c7 c7 40 db 43 85 4c 89 f6 4c 89 e1 31 c0 e8 97 2b 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000007a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f725c068 RCX: 48b16bb8a2f43400
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007a28 R08: ffffffff8153a998 R09: ffffed103ee4a5d8
R10: ffffed103ee4a5d8 R11: 1ffff1103ee4a5d7 R12: ffff888111898870
R13: dffffc0000000000 R14: ffff8881f725c060 R15: ffff888111898870
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0f2d1d9090 CR3: 000000010cf4c000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0x107/0x330 kernel/workqueue.c:1352
__queue_work+0x971/0xd30 kernel/workqueue.c:1514
queue_work_on+0xf2/0x150 kernel/workqueue.c:1541
queue_work include/linux/workqueue.h:513 [inline]
css_release+0xae/0xc0 kernel/cgroup/cgroup.c:5161
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5a2/0x5b0 lib/percpu-refcount.c:199
rcu_do_batch+0x59e/0xc40 kernel/rcu/tree.c:2485
rcu_core+0x59b/0xe30 kernel/rcu/tree.c:2726
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2739
__do_softirq+0x27e/0x596 kernel/softirq.c:305
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:402 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:432
irq_exit_rcu+0x9/0x10 kernel/softirq.c:444
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:49 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:89 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:114 [inline]
RIP: 0010:acpi_idle_do_entry+0xbb/0x1f0 drivers/acpi/processor_idle.c:558
Code: 89 de 48 83 e6 08 31 ff e8 72 a1 d9 fc 48 83 e3 08 0f 85 ae 00 00 00 e9 0c 00 00 00 e8 3e 9c d9 fc 0f 00 2d d7 b5 b7 00 fb f4 <fa> e9 a1 00 00 00 49 83 c6 04 4c 89 f0 48 c1 e8 03 42 8a 04 38 84
RSP: 0018:ffffffff85e07be8 EFLAGS: 00000246
RAX: 1ffffffff0bc35f0 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffffffff85e1af80 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffff85e07c00 R08: ffffffff8493168e R09: fffffbfff0bc35f1
R10: fffffbfff0bc35f1 R11: 1ffffffff0bc35f0 R12: 0000000000000001
R13: ffff888102b8e804 R14: ffff88810598d864 R15: dffffc0000000000
acpi_idle_enter+0x32d/0x4f0 drivers/acpi/processor_idle.c:693
cpuidle_enter_state+0x5d0/0x14a0 drivers/cpuidle/cpuidle.c:249
cpuidle_enter+0x5f/0xa0 drivers/cpuidle/cpuidle.c:364
call_cpuidle kernel/sched/idle.c:160 [inline]
cpuidle_idle_call kernel/sched/idle.c:241 [inline]
do_idle+0x369/0x5d0 kernel/sched/idle.c:302
cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:398
rest_init+0xe6/0xf0 init/main.c:714
arch_call_rest_init+0xe/0x10 init/main.c:840
start_kernel+0x45a/0x4cc init/main.c:1053
x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:526
x86_64_start_kernel+0x7a/0x7d arch/x86/kernel/head64.c:507
secondary_startup_64_no_verify+0xb0/0xbb
Modules linked in:
---[ end trace f34643ae8fc7e68b ]---
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 80 da 43 85 4c 89 e6 4c 89 f1 31 c0 e8 ad 2b 40 02 0f 0b 48 c7 c7 40 db 43 85 4c 89 f6 4c 89 e1 31 c0 e8 97 2b 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000007a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f725c068 RCX: 48b16bb8a2f43400
RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffffc90000007a28 R08: ffffffff8153a998 R09: ffffed103ee4a5d8
R10: ffffed103ee4a5d8 R11: 1ffff1103ee4a5d7 R12: ffff888111898870
R13: dffffc0000000000 R14: ffff8881f725c060 R15: ffff888111898870
FS: 0000000000000000(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0f2d1d9090 CR3: 000000010cf4c000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: 48 83 e6 08 and $0x8,%rsi
6: 31 ff xor %edi,%edi
8: e8 72 a1 d9 fc callq 0xfcd9a17f
d: 48 83 e3 08 and $0x8,%rbx
11: 0f 85 ae 00 00 00 jne 0xc5
17: e9 0c 00 00 00 jmpq 0x28
1c: e8 3e 9c d9 fc callq 0xfcd99c5f
21: 0f 00 2d d7 b5 b7 00 verw 0xb7b5d7(%rip) # 0xb7b5ff
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: e9 a1 00 00 00 jmpq 0xd1
30: 49 83 c6 04 add $0x4,%r14
34: 4c 89 f0 mov %r14,%rax
37: 48 c1 e8 03 shr $0x3,%rax
3b: 42 8a 04 38 mov (%rax,%r15,1),%al
3f: 84 .byte 0x84


Tested on:

commit: fdd06dc6 ANDROID: GKI: db845c: Update symbols list and..
git tree: android12-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=105c2173f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=89bdb361ba397fca
dashboard link: https://syzkaller.appspot.com/bug?extid=e42ae441c3b10acf9e9d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=147de9abf00000

syzbot

Jun 8, 2022, 12:10:08 AM6/8/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in insert_work

!!!! css_killed_ref_fn enqueue(ffff88810fa85c00)
!!!! css_release enqueue(ffff88810fa85c00)
list_add corruption. prev->next should be next (ffff8881f725c060), but was ffff88810fa85c70. (prev=ffff88810fa85c70).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 160 Comm: udevd Tainted: G W 5.10.110-syzkaller-00001-g3e2849f855c8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 40 de 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 00 df 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000007a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f725c068 RCX: bb7b7fc54d456a00
RDX: 0000000000000101 RSI: 0000000000000101 RDI: 0000000000000000
RBP: ffffc90000007a28 R08: ffffffff8153b2f8 R09: ffffed103ee44e83
R10: ffffed103ee44e83 R11: 1ffff1103ee44e82 R12: ffff88810fa85c70
R13: dffffc0000000000 R14: ffff8881f725c060 R15: ffff88810fa85c70
FS: 00007f5034e8d840(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c00077b000 CR3: 000000010cca9000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0x107/0x330 kernel/workqueue.c:1352
__queue_work+0x971/0xd30 kernel/workqueue.c:1514
queue_work_on+0xf2/0x150 kernel/workqueue.c:1541
queue_work include/linux/workqueue.h:513 [inline]
css_release+0xc0/0xd0 kernel/cgroup/cgroup.c:5158
percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
percpu_ref_switch_to_atomic_rcu+0x5a2/0x5b0 lib/percpu-refcount.c:199
rcu_do_batch+0x4f8/0xbc0 kernel/rcu/tree.c:2485
rcu_core+0x59b/0xe30 kernel/rcu/tree.c:2722
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2735
__do_softirq+0x27e/0x596 kernel/softirq.c:305
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:402 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:432
irq_exit_rcu+0x9/0x10 kernel/softirq.c:444
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:dput+0x1/0x320 fs/dcache.c:860
Code: 08 4c 89 ff e8 40 4f f2 ff 41 80 4f 02 01 4c 89 f7 e8 73 d3 de 02 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 1f 84 00 00 00 00 00 55 <48> 89 e5 41 57 41 56 41 55 41 54 53 50 49 89 fc e8 da 88 b8 ff 4d
RSP: 0018:ffffc90000bc75b0 EFLAGS: 00000246
RAX: 1ffff92000178f41 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88810c85e2c0 RSI: 0000000000000000 RDI: ffff88810e866880
RBP: ffffc90000bc76f0 R08: ffffffff81b24966 R09: fffffbfff0c0d461
R10: fffffbfff0c0d461 R11: 1ffffffff0c0d460 R12: ffffc90000bc7670
R13: ffffc90000bc7a00 R14: dffffc0000000000 R15: 1ffff92000178ec8
walk_component+0x33b/0x5a0 fs/namei.c:1946
link_path_walk+0x5e7/0xc40 fs/namei.c:2259
path_lookupat+0xab/0x460 fs/namei.c:2412
filename_lookup+0x23f/0x6c0 fs/namei.c:2446
user_path_at_empty+0x40/0x50 fs/namei.c:2726
user_path_at include/linux/namei.h:59 [inline]
vfs_statx+0x116/0x3f0 fs/stat.c:193
vfs_fstatat fs/stat.c:215 [inline]
__do_sys_newfstatat fs/stat.c:384 [inline]
__se_sys_newfstatat+0xc8/0x780 fs/stat.c:378
__x64_sys_newfstatat+0x9b/0xb0 fs/stat.c:378
do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f5034fe41da
Code: 48 89 f2 b9 00 01 00 00 48 89 fe bf 9c ff ff ff e9 0b 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 90 41 89 ca b8 06 01 00 00 0f 05 <3d> 00 f0 ff ff 77 07 31 c0 c3 0f 1f 40 00 48 8b 15 69 fc 0c 00 f7
RSP: 002b:00007fff45f4b2b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000106
RAX: ffffffffffffffda RBX: 0000559eedfe8850 RCX: 00007f5034fe41da
RDX: 00007fff45f4b2c8 RSI: 00007fff45f4b758 RDI: 00000000ffffff9c
RBP: 00007fff45f4b358 R08: 0000000000000000 R09: 0000559eedfda1d0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff45f4b758
R13: 00007fff45f4b2c8 R14: 0000559eedfaf2c0 R15: 0000000000000000
Modules linked in:
---[ end trace 676ba25a5c410be4 ]---
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 40 de 43 85 4c 89 e6 4c 89 f1 31 c0 e8 8d 10 40 02 0f 0b 48 c7 c7 00 df 43 85 4c 89 f6 4c 89 e1 31 c0 e8 77 10 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc90000007a00 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f725c068 RCX: bb7b7fc54d456a00
RDX: 0000000000000101 RSI: 0000000000000101 RDI: 0000000000000000
RBP: ffffc90000007a28 R08: ffffffff8153b2f8 R09: ffffed103ee44e83
R10: ffffed103ee44e83 R11: 1ffff1103ee44e82 R12: ffff88810fa85c70
R13: dffffc0000000000 R14: ffff8881f725c060 R15: ffff88810fa85c70
FS: 00007f5034e8d840(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c00077b000 CR3: 000000010cca9000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 08 4c 89 ff or %cl,-0x1(%rcx,%rcx,4)
4: e8 40 4f f2 ff callq 0xfff24f49
9: 41 80 4f 02 01 orb $0x1,0x2(%r15)
e: 4c 89 f7 mov %r14,%rdi
11: e8 73 d3 de 02 callq 0x2ded389
16: 5b pop %rbx
17: 41 5c pop %r12
19: 41 5d pop %r13
1b: 41 5e pop %r14
1d: 41 5f pop %r15
1f: 5d pop %rbp
20: c3 retq
21: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
28: 00
29: 55 push %rbp
* 2a: 48 89 e5 mov %rsp,%rbp <-- trapping instruction
2d: 41 57 push %r15
2f: 41 56 push %r14
31: 41 55 push %r13
33: 41 54 push %r12
35: 53 push %rbx
36: 50 push %rax
37: 49 89 fc mov %rdi,%r12
3a: e8 da 88 b8 ff callq 0xffb88919
3f: 4d rex.WRB


Tested on:

commit: 3e2849f8 cgroup debug
git tree: https://github.com/tstruk/linux.git android12-5.10
console output: https://syzkaller.appspot.com/x/log.txt?x=16c3e973f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f8c0af7fe6e394f3
dashboard link: https://syzkaller.appspot.com/bug?extid=e42ae441c3b10acf9e9d
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
