[syzbot] [io-uring?] BUG: corrupted list in io_poll_remove_entries


syzbot

Feb 9, 2026, 1:26:29 PM (12 days ago)
to ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: e7aa57247700 Merge tag 'spi-fix-v6.19-rc8' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14d3b65a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
dashboard link: https://syzkaller.appspot.com/bug?extid=ab12f0c08dd7ab8d057c
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1222965a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=140e833a580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c46beb4ff3a5/disk-e7aa5724.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d162bcaaf9b9/vmlinux-e7aa5724.xz
kernel image: https://storage.googleapis.com/syzbot-assets/54b0844b8ea7/bzImage-e7aa5724.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ab12f0...@syzkaller.appspotmail.com

list_del corruption. prev->next should be ffff88807dc6c3f0, but was ffff888146b205c8. (prev=ffff888146b205c8)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:62!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5969 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
RIP: 0010:__list_del_entry_valid_or_report+0x14a/0x1d0 lib/list_debug.c:62
Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 40 3d fa 8b e8 37 b0 32 fc 90 <0f> 0b 4c 89 e7 e8 3c 24 5d fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc90003bffaa8 EFLAGS: 00010082
RAX: 000000000000006d RBX: ffff88807dc6c3f0 RCX: 0000000000000000
RDX: 000000000000006d RSI: ffffffff81e5d6c9 RDI: fffff5200077ff46
RBP: ffff888146b205c8 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000000000 R12: ffff88807dc6c2b0
R13: ffff88807dc6c408 R14: ffff88807dc6c3f0 R15: ffff88807dc6c3c8
FS: 0000000000000000(0000) GS:ffff8881245d9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f60e56708c0 CR3: 000000006b065000 CR4: 00000000003526f0
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:132 [inline]
__list_del_entry include/linux/list.h:223 [inline]
list_del_init include/linux/list.h:295 [inline]
io_poll_remove_waitq io_uring/poll.c:149 [inline]
io_poll_remove_entry io_uring/poll.c:166 [inline]
io_poll_remove_entries.part.0+0x156/0x7e0 io_uring/poll.c:197
io_poll_remove_entries io_uring/poll.c:177 [inline]
io_poll_task_func+0x39e/0xe30 io_uring/poll.c:343
io_handle_tw_list+0x194/0x580 io_uring/io_uring.c:1122
tctx_task_work_run+0x57/0x2b0 io_uring/io_uring.c:1182
tctx_task_work+0x7a/0xd0 io_uring/io_uring.c:1200
task_work_run+0x150/0x240 kernel/task_work.c:233
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x829/0x2a30 kernel/exit.c:971
do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
__do_sys_exit_group kernel/exit.c:1123 [inline]
__se_sys_exit_group kernel/exit.c:1121 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1121
x64_sys_call+0x14fd/0x1510 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f60e579aeb9
Code: Unable to access opcode bytes at 0x7f60e579ae8f.
RSP: 002b:00007ffc2d47ddf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f60e579aeb9
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 0000000000000000 R09: 00007f60e59e1280
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f60e59e1280 R14: 0000000000000003 R15: 00007ffc2d47deb0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Jens Axboe

Feb 9, 2026, 1:50:06 PM (12 days ago)
to syzbot, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Mauro Carvalho Chehab, linux...@vger.kernel.org
This looks like a bug related to dvb polling, presumably in dvb_dvr_poll()
or friends. I've seen that in drivers before, for example comedi, see:

commit 35b6fc51c666fc96355be5cd633ed0fe4ccf68b2
Author: Ian Abbott <abb...@mev.co.uk>
Date: Tue Jul 22 16:53:16 2025 +0100

comedi: fix race between polling and detaching

as a reference.

#syz set subsystems: media

--
Jens Axboe

Jens Axboe

Feb 9, 2026, 3:18:06 PM (12 days ago)
to syzbot, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Mauro Carvalho Chehab, linux...@vger.kernel.org
On 2/9/26 11:26 AM, syzbot wrote:
#syz test

diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index 8c6f5aafda1d..5cb46109d1ff 100644
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -168,7 +168,9 @@ static int dvb_dvr_open(struct inode *inode, struct file *file)
mutex_unlock(&dmxdev->mutex);
return -ENOMEM;
}
- dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE);
+ dmxdev->dvr_buffer.data = mem;
+ dmxdev->dvr_buffer.size = DVR_BUFFER_SIZE;
+ dvb_ringbuffer_reset(&dmxdev->dvr_buffer);
if (dmxdev->may_do_mmap)
dvb_vb2_init(&dmxdev->dvr_vb2_ctx, "dvr",
file->f_flags & O_NONBLOCK);
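Review bot: the hunk replaces the per-open dvb_ringbuffer_init() in dvb_dvr_open() (the call this thread identifies as blowing away poll waitqueues that another opener's epoll or io_uring entries are still linked into) with a plain data/size assignment plus dvb_ringbuffer_reset(), which is the right shape, but nothing in the hunk shows where dmxdev->dvr_buffer's wait queue head is now initialised for the very first open; if dvb_ringbuffer_init() was the only place doing that, a one-time init at dmxdev setup belongs in the same patch. The three new lines also need a short comment saying the full init is intentionally avoided here because waiters from a concurrent opener may already be queued on dvr_buffer, otherwise a later cleanup will fold them back into dvb_ringbuffer_init() and reintroduce the corruption.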

--
Jens Axboe

syzbot

Feb 9, 2026, 3:50:05 PM (12 days ago)
to ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, mch...@kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+ab12f0...@syzkaller.appspotmail.com
Tested-by: syzbot+ab12f0...@syzkaller.appspotmail.com

Tested on:

commit: 05f7e89a Linux 6.19
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15956a52580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
dashboard link: https://syzkaller.appspot.com/bug?extid=ab12f0c08dd7ab8d057c
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=17da94aa580000

Note: testing is done by a robot and is best-effort only.

Jens Axboe

Feb 9, 2026, 5:04:23 PM (12 days ago)
to syzbot, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Mauro Carvalho Chehab, linux...@vger.kernel.org
As per the other email, I believe this analysis was correct. Here's an
epoll based reproducer for the same issue, showing the problem with dvb
blowing away poll waitqueues. Crash here:

list_del corruption. prev->next should be ff1100004a299148, but was ff1100004169c5c8. (prev=ff1100004169c5c8)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:62!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 10044 Comm: dvr-poll-repro Not tainted 6.19.0-g05f7e89ab973 #422 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:__list_del_entry_valid_or_report+0x178/0x280
Code: fc ff df 48 89 d1 48 c1 e9 03 80 3c 01 00 0f 85 07 01 00 00 48 8b 02 48 89 d1 48 c7 c7 40 44 1a 8c 48 89 c2 e8 39 d5 2e fc 90 <0f> 0b 48 89 cf 48 89 74 24 10 48 89 0c 24 48 89 44 24 08 e8 b0 2b
RSP: 0018:ffa000000c74fd30 EFLAGS: 00010082
RAX: 000000000000006d RBX: ff1100004a299130 RCX: 0000000000000000
RDX: 000000000000006d RSI: ffffffff81e76a0e RDI: fff3fc00018e9f97
RBP: ff1100004a299148 R08: ffffffff81e6f6f7 R09: 0000000000000001
R10: 0000000000000005 R11: 0000000000000000 R12: ff1100004169c588
R13: 0000000000000286 R14: ff1100004a354c00 R15: ff1100004a299120
FS: 00007f486cac8740(0000) GS:ff110000975d4000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005599332e7fe0 CR3: 000000006a752000 CR4: 0000000000351ef0
Call Trace:
<TASK>
? srso_alias_return_thunk+0x5/0xfbef5
remove_wait_queue+0x28/0x1b0
ep_remove_wait_queue+0x85/0x1d0
ep_clear_and_put+0x186/0x420
? __pfx_ep_eventpoll_release+0x10/0x10
ep_eventpoll_release+0x3e/0x60
__fput+0x3fd/0xb40
fput_close_sync+0x113/0x250
? __pfx_fput_close_sync+0x10/0x10
__x64_sys_close+0x8b/0x120
do_syscall_64+0xcb/0xf80
? srso_alias_return_thunk+0x5/0xfbef5
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f486cb5ceb2
Code: 18 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 1a 83 e2 39 83 fa 08 75 12 e8 2b ff ff ff 0f 1f 00 49 89 ca 48 8b 44 24 20 0f 05 <48> 83 c4 18 c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 10 ff 74 24 18
RSP: 002b:00007ffe5521f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f486cb5ceb2
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007ffe5521f140 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000001
R13: 00007f486cd0a000 R14: 00007ffe5521f298 R15: 00005643adab8dd8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---

Reproducer:


#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/epoll.h>
#include <unistd.h>

#define DVR_PATH "/dev/dvb/adapter0/dvr0"
#define NR_ITERATIONS 100

/*
 * One iteration: register a poll waiter on a dvr fd through epoll, then
 * open the same device a second time, which re-initialises the dvr ring
 * buffer (wait queue included) underneath the registered waiter.  Closing
 * the epoll fd then unlinks the orphaned waiter and trips the list_del
 * check.
 */
static int test_dvr_poll(int iter)
{
	struct epoll_event ev;
	int dvr_fd, dvr_fd2, epfd;
	int ret = -1;

	dvr_fd = open(DVR_PATH, O_RDWR | O_WRONLY);
	if (dvr_fd < 0) {
		perror("open " DVR_PATH);
		return -1;
	}

	epfd = epoll_create1(0);
	if (epfd < 0) {
		perror("epoll_create1");
		goto close_dvr;
	}
	memset(&ev, 0, sizeof(ev));
	ev.events = EPOLLIN;
	ev.data.fd = dvr_fd;
	/* Links an epoll wait entry into the dvr buffer's wait queue. */
	if (epoll_ctl(epfd, EPOLL_CTL_ADD, dvr_fd, &ev) < 0) {
		perror("epoll_ctl ADD");
		goto close_ep;
	}

	/* Second open of the same node re-runs dvb_dvr_open(). */
	dvr_fd2 = open(DVR_PATH, O_RDONLY);
	if (dvr_fd2 < 0) {
		perror("open " DVR_PATH " O_RDONLY");
		goto close_ep;
	}

	close(dvr_fd2);
	ret = 0;
close_ep:
	close(epfd);	/* ep_remove_wait_queue() on the stale entry */
close_dvr:
	close(dvr_fd);
	return ret;
}

int main(int argc, char *argv[])
{
	int i, iterations = NR_ITERATIONS;

	if (argc > 1)
		iterations = atoi(argv[1]);

	for (i = 0; i < iterations; i++) {
		if (test_dvr_poll(i))
			return 1;
	}

	return 0;
}

--
Jens Axboe
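As an added illustration, not code from this thread or from the kernel, here is a user-space model of what both oopses above report. Note that in each of them prev->next equals prev itself, which is exactly what a freshly initialised, empty list head looks like. The type and function names (list_node, list_del_checked, dvr_open_*, scenario) are invented for the model.

```c
/* Added example, not code from the thread: a user-space model of the
 * "prev->next should be X, but was Y" oops above. A wait queue head is a
 * doubly linked list; when open() re-initialises it while waiters (epoll
 * or io_uring poll entries) are still linked in, the head becomes an empty
 * list and unlinking a waiter later fails the lib/list_debug.c neighbour
 * check. Names (list_node, dvr_open_*, scenario) are invented. */
#include <stdbool.h>

struct list_node { struct list_node *next, *prev; };

static void list_init(struct list_node *h) { h->next = h->prev = h; }

static void list_add(struct list_node *n, struct list_node *h)
{ n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }

/* Mirrors __list_del_entry_valid(): refuse to unlink an entry whose
 * neighbours do not point back at it; false means corruption detected. */
static bool list_del_checked(struct list_node *n)
{
	if (n->prev->next != n || n->next->prev != n)
		return false;
	n->prev->next = n->next; n->next->prev = n->prev;
	n->next = n->prev = n;
	return true;
}

/* Buggy open(): whole buffer, wait queue head included, re-initialised. */
static void dvr_open_reinit_head(struct list_node *wq, int *rd, int *wr)
{
	list_init(wq); *rd = *wr = 0;
}

/* Fixed open(): only the ring buffer indices are reset; waiters survive. */
static void dvr_open_reset_only(struct list_node *wq, int *rd, int *wr)
{
	(void)wq; *rd = *wr = 0;
}

/* First opener registers a poll waiter, a second open() of the same device
 * runs, then the waiter is removed at close(). True = removal passed. */
static bool scenario(void (*open2)(struct list_node *, int *, int *))
{
	struct list_node head, waiter;
	int rd, wr;

	list_init(&head);
	list_add(&waiter, &head);         /* epoll_ctl(EPOLL_CTL_ADD) */
	open2(&head, &rd, &wr);           /* second open() of the device */
	return list_del_checked(&waiter); /* close(): remove_wait_queue() */
}
```

The buggy variant fails the same check the kernel reports, with the head pointing at itself; the fixed variant, which is the shape of the patch Jens posted above, leaves the waiter linked and the removal succeeds.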

Jens Axboe

Feb 10, 2026, 5:16:38 PM (11 days ago)
to syzbot, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Mauro Carvalho Chehab, linux...@vger.kernel.org
Mauro and other maintainers, this is literally the same issue as one reported
last year:

https://lore.kernel.org/linux-media/20250407091619.11...@gmail.com/

and I'm honestly a bit surprised that nobody has dealt with this, it's 10 months ago.
And syzbot is still hitting it, literally crashing the box.

Hmm?

--
Jens Axboe

Jens Axboe

Feb 11, 2026, 7:14:08 PM (10 days ago)
to syzbot, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Mauro Carvalho Chehab, linux...@vger.kernel.org
Nobody cares that any user who is able to open a dvr device, which at
least on Debian is EVERY standard user, can crash the kernel?

I see replies on other messages, yet this issue has seemingly been
ignored for a year.

--
Jens Axboe

Jens Axboe

8:39 AM (5 hours ago)
to syzbot, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Mauro Carvalho Chehab, linux...@vger.kernel.org, Linus Torvalds
Another ping on this one. For some reason you (Mauro) are ignoring this
issue, both the original report and my report. Not quite sure what to do
about it, but I'm tempted to just send the patch to Linus at this point.

--
Jens Axboe