BUG: corrupted list in io_uring_del_tctx_node

syzbot

Sep 25, 2022, 1:19:35 PM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: c194837ebb57 Merge branch 'for-next/core', remote-tracking..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=129ce288880000
kernel config: https://syzkaller.appspot.com/x/.config?x=15a770deac0c935a
dashboard link: https://syzkaller.appspot.com/bug?extid=2fa3c4867d6dfa98315f
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
CC: [asml.s...@gmail.com ax...@kernel.dk io-u...@vger.kernel.org linux-...@vger.kernel.org]

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8d8ae425e7fa/disk-c194837e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c540d501ebe7/vmlinux-c194837e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2fa3c4...@syzkaller.appspotmail.com

list_del corruption. prev->next should be ffff00011ebfc200, but was ffff00010b8c2f28. (prev=ffff00010b8c2f28)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:61!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 16688 Comm: syz-executor.3 Not tainted 6.0.0-rc6-syzkaller-17742-gc194837ebb57 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __list_del_entry_valid+0xbc/0xd0 lib/list_debug.c:59
lr : __list_del_entry_valid+0xbc/0xd0 lib/list_debug.c:59
sp : ffff800013463af0
x29: ffff800013463af0 x28: ffff0000eb47b500 x27: 0000000000000000
x26: 0000000000000098 x25: ffff00011f4ed8e8 x24: ffff00011f4ed898
x23: ffff00011f4ed940 x22: ffff80000cc5f057 x21: ffff0000eb47b500
x20: ffff00011f4ed800 x19: ffff00011ebfc200 x18: 00000000000003d0
x17: ffff80000bffd6bc x16: ffff80000db49158 x15: ffff0000eb47b500
x14: 0000000000000000 x13: 00000000ffffffff x12: ffff0000eb47b500
x11: ff808000081c1630 x10: 0000000000000000 x9 : d1b96e4997174f00
x8 : d1b96e4997174f00 x7 : ffff8000081625f0 x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefddcd0 x1 : 0000000100000000 x0 : 000000000000006d
Call trace:
__list_del_entry_valid+0xbc/0xd0 lib/list_debug.c:59
__list_del_entry include/linux/list.h:134 [inline]
list_del include/linux/list.h:148 [inline]
io_uring_del_tctx_node+0x74/0x114 io_uring/tctx.c:176
io_uring_clean_tctx+0x60/0xe8 io_uring/tctx.c:191
io_uring_cancel_generic+0x2f0/0x390 io_uring/io_uring.c:2852
__io_uring_cancel+0x24/0x34 io_uring/io_uring.c:2866
io_uring_files_cancel include/linux/io_uring.h:44 [inline]
do_exit+0x8c/0xbe0 kernel/exit.c:750
do_group_exit+0x70/0xe8 kernel/exit.c:925
get_signal+0xb0c/0xb40 kernel/signal.c:2857
do_signal+0x128/0x438 arch/arm64/kernel/signal.c:1071
do_notify_resume+0xc0/0x1f0 arch/arm64/kernel/signal.c:1124
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x150 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
el0t_64_sync+0x18c/0x190
Code: 9001b460 912d2000 aa0803e3 94a768fe (d4210000)
---[ end trace 0000000000000000 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Dec 23, 2022, 11:52:38 AM
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.