[syzbot] [fs?] BUG: corrupted list in remove_wait_queue (2)


syzbot

Jan 22, 2025, 6:27:21 PM
to bra...@kernel.org, ja...@suse.cz, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,

syzbot found the following issue on:

HEAD commit: fda5e3f28400 Merge tag 'trace-v6.13-rc7-2' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1117e024580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f5e182416a4b418f
dashboard link: https://syzkaller.appspot.com/bug?extid=4e21d5f67b886a692b55
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=177959df980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1288d1f8580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cd46ddd4b381/disk-fda5e3f2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f7cf021f77f5/vmlinux-fda5e3f2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/12cb03ba7d7e/bzImage-fda5e3f2.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4e21d5...@syzkaller.appspotmail.com

list_del corruption. prev->next should be ffffc90003377b98, but was ffff88802a2585c8. (prev=ffff88802a2585c8)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:62!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 9290 Comm: syz-executor367 Not tainted 6.13.0-rc7-syzkaller-00191-gfda5e3f28400 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:__list_del_entry_valid_or_report+0x12c/0x1c0 lib/list_debug.c:62
Code: e8 19 db da fc 90 0f 0b 48 89 ca 48 c7 c7 00 a0 b1 8b e8 07 db da fc 90 0f 0b 48 89 c2 48 c7 c7 60 a0 b1 8b e8 f5 da da fc 90 <0f> 0b 48 89 d1 48 c7 c7 e0 a0 b1 8b 48 89 c2 e8 e0 da da fc 90 0f
RSP: 0018:ffffc90003377880 EFLAGS: 00010086
RAX: 000000000000006d RBX: ffffc90003377b80 RCX: ffffffff8178e449
RDX: 0000000000000000 RSI: ffffffff81798bd6 RDI: 0000000000000005
RBP: ffff88802a258588 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000000001 R12: 0000000000000286
R13: ffffc90003377b98 R14: ffffc90003377ba0 R15: ffffc90003377b70
FS: 0000555578a00380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f687b8542b0 CR3: 0000000073a90000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
__remove_wait_queue include/linux/wait.h:207 [inline]
remove_wait_queue+0x30/0x180 kernel/sched/wait.c:55
free_poll_entry fs/select.c:132 [inline]
poll_freewait+0xd5/0x250 fs/select.c:141
do_sys_poll+0x6f7/0xde0 fs/select.c:1010
__do_sys_poll fs/select.c:1074 [inline]
__se_sys_poll fs/select.c:1062 [inline]
__x64_sys_poll+0x1a8/0x450 fs/select.c:1062
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f687b7d8809
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 1c 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdb8bb93f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000007
RAX: ffffffffffffffda RBX: 00307276642f3072 RCX: 00007f687b7d8809
RDX: 0000000000000106 RSI: 0000000000000005 RDI: 0000000020000080
RBP: 0000000000000000 R08: 00007ffdb8bb8f60 R09: 00007ffdb8bb8f60
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdb8bb941c
R13: 00007ffdb8bb9430 R14: 00007ffdb8bb9470 R15: 0000000000000359
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x12c/0x1c0 lib/list_debug.c:62
Code: e8 19 db da fc 90 0f 0b 48 89 ca 48 c7 c7 00 a0 b1 8b e8 07 db da fc 90 0f 0b 48 89 c2 48 c7 c7 60 a0 b1 8b e8 f5 da da fc 90 <0f> 0b 48 89 d1 48 c7 c7 e0 a0 b1 8b 48 89 c2 e8 e0 da da fc 90 0f
RSP: 0018:ffffc90003377880 EFLAGS: 00010086
RAX: 000000000000006d RBX: ffffc90003377b80 RCX: ffffffff8178e449
RDX: 0000000000000000 RSI: ffffffff81798bd6 RDI: 0000000000000005
RBP: ffff88802a258588 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000000001 R12: 0000000000000286
R13: ffffc90003377b98 R14: ffffc90003377ba0 R15: ffffc90003377b70
FS: 0000555578a00380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f687b8542b0 CR3: 0000000073a90000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Lizhi Xu

Feb 17, 2025, 2:26:41 AM
to syzbot+4e21d5...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test

diff --git a/fs/select.c b/fs/select.c
index 7da531b1cf6b..63dd2fb58447 100644
--- a/fs/select.c
+++ b/fs/select.c
@@ -977,6 +977,7 @@ static int do_sys_poll(struct pollfd __user *ufds, unsigned int nfds,
struct poll_list *walk = head;
unsigned int todo = nfds;
unsigned int len;
+ static DEFINE_MUTEX(syspoll_lock);

if (nfds > rlimit(RLIMIT_NOFILE))
return -EINVAL;
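Review bot: `static DEFINE_MUTEX(syspoll_lock)` declared at function scope inside do_sys_poll() is a single system-wide lock, so it will serialize every poll()/ppoll() caller on the machine, and a function-local static hides that from anyone reading the top of fs/select.c. If a lock were really needed here it should be declared at file scope with a comment stating what it protects; but the corruption in the report is a wait queue entry that remove_wait_queue() finds already unlinked from under it, which points at the owner of that wait queue head, not at the generic do_sys_poll() path.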
@@ -1005,9 +1006,11 @@ static int do_sys_poll(struct pollfd __user *ufds, unsigned int nfds,
}
}

+ mutex_lock(&syspoll_lock);
poll_initwait(&table);
fdcount = do_poll(head, &table, end_time);
poll_freewait(&table);
+ mutex_unlock(&syspoll_lock);

if (!user_write_access_begin(ufds, nfds * sizeof(*ufds)))
goto out_fds;
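Review bot: mutex_lock(&syspoll_lock) is taken before do_poll(), which sleeps until an fd becomes ready or end_time expires, so the mutex is held across an unbounded sleep and every other task entering do_sys_poll() blocks behind it; one poll() with no timeout stalls all pollers. syzbot's boot test of this patch shows exactly that: udevd and dhcpcd tasks hung in __mutex_lock called from do_sys_poll with syspoll_lock held, ending in a hung_task panic. Drop the lock here; serializing the generic poll path cannot keep a driver-owned wait queue head from being freed.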

syzbot

Feb 17, 2025, 2:49:06 AM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

x64_sys_ppoll+0x10/0x10
[ 290.731692][ T30] do_syscall_64+0xcd/0x250
[ 290.736222][ T30] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 290.742188][ T30] RIP: 0033:0x7f73a7655ad5
[ 290.746833][ T30] RSP: 002b:00007ffe72d11e20 EFLAGS: 00000246 ORIG_RAX: 000000000000010f
[ 290.755346][ T30] RAX: ffffffffffffffda RBX: 0000560ad729aee0 RCX: 00007f73a7655ad5
[ 290.763447][ T30] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000560ad729aec0
[ 290.771556][ T30] RBP: 00007ffe72d12170 R08: 0000000000000008 R09: 00007f73a772db40
[ 290.779578][ T30] R10: 00007ffe72d12170 R11: 0000000000000246 R12: 0000000000000000
[ 290.787562][ T30] R13: 0000560aac154610 R14: 0000000000000003 R15: 0000000000000000
[ 290.795697][ T30] </TASK>
[ 290.798731][ T30] Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
[ 290.808055][ T30] INFO: task dhcpcd:5459 blocked for more than 147 seconds.
[ 290.815568][ T30] Not tainted 6.14.0-rc3-syzkaller-g0ad2507d5d93-dirty #0
[ 290.823253][ T30] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 290.832145][ T30] task:dhcpcd state:D stack:26496 pid:5459 tgid:5459 ppid:5455 task_flags:0x400140 flags:0x00000002
[ 290.844203][ T30] Call Trace:
[ 290.847520][ T30] <TASK>
[ 290.850575][ T30] __schedule+0xf43/0x5890
[ 290.855023][ T30] ? __pfx___lock_acquire+0x10/0x10
[ 290.860293][ T30] ? __pfx___lock_acquire+0x10/0x10
[ 290.865524][ T30] ? __pfx___schedule+0x10/0x10
[ 290.870478][ T30] ? schedule+0x298/0x350
[ 290.874855][ T30] ? __pfx_lock_release+0x10/0x10
[ 290.879964][ T30] ? __mutex_trylock_common+0x78/0x250
[ 290.885453][ T30] ? lock_acquire+0x2f/0xb0
[ 290.890068][ T30] ? schedule+0x1fd/0x350
[ 290.894446][ T30] schedule+0xe7/0x350
[ 290.898633][ T30] schedule_preempt_disabled+0x13/0x30
[ 290.904183][ T30] __mutex_lock+0x6bd/0xb10
[ 290.908716][ T30] ? do_sys_poll+0x2d0/0xe00
[ 290.913403][ T30] ? __pfx___mutex_lock+0x10/0x10
[ 290.918494][ T30] ? __pfx_lock_release+0x10/0x10
[ 290.923613][ T30] ? trace_lock_acquire+0x14e/0x1f0
[ 290.928841][ T30] ? __might_fault+0xe3/0x190
[ 290.933619][ T30] ? do_sys_poll+0x2d0/0xe00
[ 290.938227][ T30] do_sys_poll+0x2d0/0xe00
[ 290.942703][ T30] ? kasan_save_stack+0x42/0x60
[ 290.947598][ T30] ? kasan_save_stack+0x33/0x60
[ 290.952546][ T30] ? kasan_save_track+0x14/0x30
[ 290.957418][ T30] ? kasan_save_free_info+0x3b/0x60
[ 290.962730][ T30] ? __kasan_slab_free+0x51/0x70
[ 290.967708][ T30] ? do_seccomp+0x7b6/0x2640
[ 290.972379][ T30] ? prctl_set_seccomp+0x4b/0x70
[ 290.977354][ T30] ? __pfx_do_sys_poll+0x10/0x10
[ 290.982562][ T30] ? __lock_acquire+0x15a9/0x3c40
[ 290.987646][ T30] ? _raw_spin_unlock_irq+0x23/0x50
[ 290.993013][ T30] ? lockdep_hardirqs_on+0x7c/0x110
[ 290.998264][ T30] ? _raw_spin_unlock_irq+0x2e/0x50
[ 291.003613][ T30] ? set_user_sigmask+0x217/0x2a0
[ 291.008835][ T30] ? __pfx_set_user_sigmask+0x10/0x10
[ 291.014322][ T30] ? __pfx___seccomp_filter+0x10/0x10
[ 291.019761][ T30] __x64_sys_ppoll+0x25a/0x2d0
[ 291.024530][ T30] ? __pfx___x64_sys_ppoll+0x10/0x10
[ 291.029895][ T30] ? __secure_computing+0x273/0x3f0
[ 291.035156][ T30] do_syscall_64+0xcd/0x250
[ 291.039834][ T30] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 291.045747][ T30] RIP: 0033:0x7f73a7655ad5
[ 291.050246][ T30] RSP: 002b:00007ffe72d11e20 EFLAGS: 00000246 ORIG_RAX: 000000000000010f
[ 291.058866][ T30] RAX: ffffffffffffffda RBX: 0000560ad729aee0 RCX: 00007f73a7655ad5
[ 291.066939][ T30] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000560ad72a3fe0
[ 291.074970][ T30] RBP: 00007ffe72d12170 R08: 0000000000000008 R09: 0000560aac1543d0
[ 291.083120][ T30] R10: 00007ffe72d12170 R11: 0000000000000246 R12: 0000000000000000
[ 291.091194][ T30] R13: 0000560aac154610 R14: 0000000000000003 R15: 0000000000000000
[ 291.099293][ T30] </TASK>
[ 291.102341][ T30] Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
[ 291.111627][ T30] INFO: task dhcpcd:5460 blocked for more than 147 seconds.
[ 291.118925][ T30] Not tainted 6.14.0-rc3-syzkaller-g0ad2507d5d93-dirty #0
[ 291.126598][ T30] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 291.135463][ T30] task:dhcpcd state:D stack:26832 pid:5460 tgid:5460 ppid:5455 task_flags:0x400140 flags:0x00000002
[ 291.147505][ T30] Call Trace:
[ 291.150846][ T30] <TASK>
[ 291.153773][ T30] __schedule+0xf43/0x5890
[ 291.158186][ T30] ? __pfx___lock_acquire+0x10/0x10
[ 291.163449][ T30] ? __pfx___lock_acquire+0x10/0x10
[ 291.168881][ T30] ? __pfx___schedule+0x10/0x10
[ 291.173882][ T30] ? schedule+0x298/0x350
[ 291.178244][ T30] ? __pfx_lock_release+0x10/0x10
[ 291.183389][ T30] ? __mutex_trylock_common+0x78/0x250
[ 291.188915][ T30] ? lock_acquire+0x2f/0xb0
[ 291.193503][ T30] ? schedule+0x1fd/0x350
[ 291.197860][ T30] schedule+0xe7/0x350
[ 291.202004][ T30] schedule_preempt_disabled+0x13/0x30
[ 291.207504][ T30] __mutex_lock+0x6bd/0xb10
[ 291.212094][ T30] ? do_sys_poll+0x2d0/0xe00
[ 291.216708][ T30] ? __pfx___mutex_lock+0x10/0x10
[ 291.221799][ T30] ? __pfx_lock_release+0x10/0x10
[ 291.226843][ T30] ? trace_lock_acquire+0x14e/0x1f0
[ 291.232148][ T30] ? __might_fault+0xe3/0x190
[ 291.236868][ T30] ? do_sys_poll+0x2d0/0xe00
[ 291.241634][ T30] do_sys_poll+0x2d0/0xe00
[ 291.246100][ T30] ? kasan_save_stack+0x42/0x60
[ 291.251100][ T30] ? kasan_save_stack+0x33/0x60
[ 291.255986][ T30] ? kasan_save_track+0x14/0x30
[ 291.260988][ T30] ? kasan_save_free_info+0x3b/0x60
[ 291.266242][ T30] ? __kasan_slab_free+0x51/0x70
[ 291.271273][ T30] ? do_seccomp+0x7b6/0x2640
[ 291.275883][ T30] ? prctl_set_seccomp+0x4b/0x70
[ 291.280932][ T30] ? __pfx_do_sys_poll+0x10/0x10
[ 291.285992][ T30] ? __lock_acquire+0x15a9/0x3c40
[ 291.291144][ T30] ? _raw_spin_unlock_irq+0x23/0x50
[ 291.296382][ T30] ? lockdep_hardirqs_on+0x7c/0x110
[ 291.301644][ T30] ? _raw_spin_unlock_irq+0x2e/0x50
[ 291.306873][ T30] ? set_user_sigmask+0x217/0x2a0
[ 291.312079][ T30] ? __pfx_set_user_sigmask+0x10/0x10
[ 291.317479][ T30] ? __pfx___seccomp_filter+0x10/0x10
[ 291.322906][ T30] __x64_sys_ppoll+0x25a/0x2d0
[ 291.327720][ T30] ? __pfx___x64_sys_ppoll+0x10/0x10
[ 291.333098][ T30] ? __secure_computing+0x273/0x3f0
[ 291.338322][ T30] do_syscall_64+0xcd/0x250
[ 291.342906][ T30] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 291.348835][ T30] RIP: 0033:0x7f73a7655ad5
[ 291.353323][ T30] RSP: 002b:00007ffe72d11e20 EFLAGS: 00000246 ORIG_RAX: 000000000000010f
[ 291.361809][ T30] RAX: ffffffffffffffda RBX: 0000560ad729aee0 RCX: 00007f73a7655ad5
[ 291.369858][ T30] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000560ad72a3fe0
[ 291.377851][ T30] RBP: 00007ffe72d12170 R08: 0000000000000008 R09: 0000560aac1543d0
[ 291.385916][ T30] R10: 00007ffe72d12170 R11: 0000000000000246 R12: 0000000000000000
[ 291.393989][ T30] R13: 0000560aac154610 R14: 0000000000000003 R15: 0000000000000000
[ 291.402027][ T30] </TASK>
[ 291.405086][ T30] Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
[ 291.414264][ T30]
[ 291.414264][ T30] Showing all locks held in the system:
[ 291.422038][ T30] 1 lock held by khungtaskd/30:
[ 291.426879][ T30] #0: ffffffff8e1bc140 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x7f/0x390
[ 291.436858][ T30] 1 lock held by udevd/5211:
[ 291.441501][ T30] #0: ffffffff8e3c1a48 (syspoll_lock){+.+.}-{4:4}, at: do_sys_poll+0x2d0/0xe00
[ 291.450767][ T30] 1 lock held by udevd/5212:
[ 291.455375][ T30] #0: ffffffff8e3c1a48 (syspoll_lock){+.+.}-{4:4}, at: do_sys_poll+0x2d0/0xe00
[ 291.464517][ T30] 1 lock held by udevd/5213:
[ 291.469156][ T30] #0: ffffffff8e3c1a48 (syspoll_lock){+.+.}-{4:4}, at: do_sys_poll+0x2d0/0xe00
[ 291.478241][ T30] 1 lock held by udevd/5214:
[ 291.482870][ T30] #0: ffffffff8e3c1a48 (syspoll_lock){+.+.}-{4:4}, at: do_sys_poll+0x2d0/0xe00
[ 291.492033][ T30] 1 lock held by udevd/5215:
[ 291.496615][ T30] #0: ffffffff8e3c1a48 (syspoll_lock){+.+.}-{4:4}, at: do_sys_poll+0x2d0/0xe00
[ 291.505760][ T30] 1 lock held by udevd/5216:
[ 291.510433][ T30] #0: ffffffff8e3c1a48 (syspoll_lock){+.+.}-{4:4}, at: do_sys_poll+0x2d0/0xe00
[ 291.519700][ T30] 1 lock held by udevd/5217:
[ 291.524339][ T30] #0: ffffffff8e3c1a48 (syspoll_lock){+.+.}-{4:4}, at: do_sys_poll+0x2d0/0xe00
[ 291.533509][ T30] 1 lock held by udevd/5218:
[ 291.538130][ T30] #0: ffffffff8e3c1a48 (syspoll_lock){+.+.}-{4:4}, at: do_sys_poll+0x2d0/0xe00
[ 291.547238][ T30] 1 lock held by udevd/5219:
[ 291.551886][ T30] #0: ffffffff8e3c1a48 (syspoll_lock){+.+.}-{4:4}, at: do_sys_poll+0x2d0/0xe00
[ 291.561003][ T30] 1 lock held by udevd/5220:
[ 291.565599][ T30] #0: ffffffff8e3c1a48 (syspoll_lock){+.+.}-{4:4}, at: do_sys_poll+0x2d0/0xe00
[ 291.574739][ T30] 1 lock held by udevd/5221:
[ 291.579362][ T30] #0: ffffffff8e3c1a48 (syspoll_lock){+.+.}-{4:4}, at: do_sys_poll+0x2d0/0xe00
[ 291.588420][ T30] 1 lock held by udevd/5222:
[ 291.593070][ T30] #0: ffffffff8e3c1a48 (syspoll_lock){+.+.}-{4:4}, at: do_sys_poll+0x2d0/0xe00
[ 291.602195][ T30] 1 lock held by dhcpcd/5439:
[ 291.606873][ T30] #0: ffffffff8e3c1a48 (syspoll_lock){+.+.}-{4:4}, at: do_sys_poll+0x2d0/0xe00
[ 291.616059][ T30] 1 lock held by dhcpcd/5455:
[ 291.620790][ T30] #0: ffffffff8e3c1a48 (syspoll_lock){+.+.}-{4:4}, at: do_sys_poll+0x2d0/0xe00
[ 291.629941][ T30] 1 lock held by dhcpcd/5456:
[ 291.634625][ T30] #0: ffffffff8e3c1a48 (syspoll_lock){+.+.}-{4:4}, at: do_sys_poll+0x2d0/0xe00
[ 291.643772][ T30] 1 lock held by dhcpcd/5459:
[ 291.648458][ T30] #0: ffffffff8e3c1a48 (syspoll_lock){+.+.}-{4:4}, at: do_sys_poll+0x2d0/0xe00
[ 291.657626][ T30] 1 lock held by dhcpcd/5460:
[ 291.662340][ T30] #0: ffffffff8e3c1a48 (syspoll_lock){+.+.}-{4:4}, at: do_sys_poll+0x2d0/0xe00
[ 291.671689][ T30]
[ 291.674036][ T30] =============================================
[ 291.674036][ T30]
[ 291.682563][ T30] NMI backtrace for cpu 1
[ 291.682578][ T30] CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.14.0-rc3-syzkaller-g0ad2507d5d93-dirty #0
[ 291.682600][ T30] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 291.682611][ T30] Call Trace:
[ 291.682617][ T30] <TASK>
[ 291.682625][ T30] dump_stack_lvl+0x116/0x1f0
[ 291.682658][ T30] nmi_cpu_backtrace+0x27b/0x390
[ 291.682690][ T30] ? __pfx_nmi_raise_cpu_backtrace+0x10/0x10
[ 291.682715][ T30] nmi_trigger_cpumask_backtrace+0x29c/0x300
[ 291.682737][ T30] watchdog+0xf62/0x12b0
[ 291.682768][ T30] ? __pfx_watchdog+0x10/0x10
[ 291.682793][ T30] ? lockdep_hardirqs_on+0x7c/0x110
[ 291.682821][ T30] ? __kthread_parkme+0x148/0x220
[ 291.682854][ T30] ? __pfx_watchdog+0x10/0x10
[ 291.682882][ T30] kthread+0x3af/0x750
[ 291.682906][ T30] ? __pfx_kthread+0x10/0x10
[ 291.682933][ T30] ? __pfx_kthread+0x10/0x10
[ 291.682957][ T30] ret_from_fork+0x45/0x80
[ 291.682984][ T30] ? __pfx_kthread+0x10/0x10
[ 291.683004][ T30] ret_from_fork_asm+0x1a/0x30
[ 291.683036][ T30] </TASK>
[ 291.683044][ T30] Sending NMI from CPU 1 to CPUs 0:
[ 291.795725][ C0] NMI backtrace for cpu 0 skipped: idling at acpi_safe_halt+0x1a/0x20
[ 291.796705][ T30] Kernel panic - not syncing: hung_task: blocked tasks
[ 291.796720][ T30] CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.14.0-rc3-syzkaller-g0ad2507d5d93-dirty #0
[ 291.796745][ T30] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 291.796759][ T30] Call Trace:
[ 291.796767][ T30] <TASK>
[ 291.796776][ T30] dump_stack_lvl+0x3d/0x1f0
[ 291.796811][ T30] panic+0x71d/0x800
[ 291.796833][ T30] ? __pfx_panic+0x10/0x10
[ 291.796853][ T30] ? __pfx__printk+0x10/0x10
[ 291.796878][ T30] ? ret_from_fork_asm+0x1a/0x30
[ 291.796908][ T30] ? irq_work_claim+0x76/0xa0
[ 291.796936][ T30] ? __pfx_nmi_raise_cpu_backtrace+0x10/0x10
[ 291.796963][ T30] ? irq_work_queue+0x2a/0x80
[ 291.796990][ T30] ? watchdog+0xdcc/0x12b0
[ 291.797018][ T30] ? watchdog+0xdbf/0x12b0
[ 291.797049][ T30] watchdog+0xddd/0x12b0
[ 291.797082][ T30] ? __pfx_watchdog+0x10/0x10
[ 291.797108][ T30] ? lockdep_hardirqs_on+0x7c/0x110
[ 291.797136][ T30] ? __kthread_parkme+0x148/0x220
[ 291.797169][ T30] ? __pfx_watchdog+0x10/0x10
[ 291.797197][ T30] kthread+0x3af/0x750
[ 291.797222][ T30] ? __pfx_kthread+0x10/0x10
[ 291.797250][ T30] ? __pfx_kthread+0x10/0x10
[ 291.797273][ T30] ret_from_fork+0x45/0x80
[ 291.797311][ T30] ? __pfx_kthread+0x10/0x10
[ 291.797335][ T30] ret_from_fork_asm+0x1a/0x30
[ 291.797371][ T30] </TASK>
[ 291.939091][ T30] Kernel Offset: disabled
[ 291.943412][ T30] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2848228343=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at f2cb035c8f
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=f2cb035c8f931efff4a020b164e657f16f51934b -X 'github.com/google/syzkaller/prog.gitRevisionDate=20250117-180932'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"f2cb035c8f931efff4a020b164e657f16f51934b\"
/usr/bin/ld: /tmp/ccI4knEC.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=173adbf8580000


Tested on:

commit: 0ad2507d Linux 6.14-rc3
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=179507154deeb15f
dashboard link: https://syzkaller.appspot.com/bug?extid=4e21d5f67b886a692b55
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11f26898580000

syzbot

Jul 7, 2025, 5:30:04 AM
to bra...@kernel.org, gre...@linuxfoundation.org, ja...@suse.cz, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, lizh...@windriver.com, mch...@kernel.org, stan...@126.com, superm...@gmail.com, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
syzbot has bisected this issue to:

commit 8ffdff6a8cfbdc174a3a390b6f825a277b5bb895
Author: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Date: Wed Apr 14 08:58:10 2021 +0000

staging: comedi: move out of staging directory

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13009f70580000
start commit: 05df91921da6 Merge tag 'v6.16-rc4-smb3-client-fixes' of gi..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=10809f70580000
console output: https://syzkaller.appspot.com/x/log.txt?x=17009f70580000
kernel config: https://syzkaller.appspot.com/x/.config?x=45bd916a213c79bb
dashboard link: https://syzkaller.appspot.com/bug?extid=4e21d5f67b886a692b55
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=161cdc8c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14d1a582580000

Reported-by: syzbot+4e21d5...@syzkaller.appspotmail.com
Fixes: 8ffdff6a8cfb ("staging: comedi: move out of staging directory")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Hillf Danton

Jul 7, 2025, 7:27:15 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Mon, 07 Jul 2025 02:30:02 -0700
> syzbot has bisected this issue to:
>
> commit 8ffdff6a8cfbdc174a3a390b6f825a277b5bb895
> Author: Greg Kroah-Hartman <gre...@linuxfoundation.org>
> Date: Wed Apr 14 08:58:10 2021 +0000
>
> staging: comedi: move out of staging directory
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13009f70580000
> start commit: 05df91921da6 Merge tag 'v6.16-rc4-smb3-client-fixes' of gi..
> git tree: upstream
> final oops: https://syzkaller.appspot.com/x/report.txt?x=10809f70580000
> console output: https://syzkaller.appspot.com/x/log.txt?x=17009f70580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=45bd916a213c79bb
> dashboard link: https://syzkaller.appspot.com/bug?extid=4e21d5f67b886a692b55
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=161cdc8c580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14d1a582580000

#syz test upstream master

--- x/drivers/comedi/comedi_fops.c
+++ y/drivers/comedi/comedi_fops.c
@@ -2454,7 +2454,7 @@ static __poll_t comedi_poll(struct file
struct comedi_device *dev = cfp->dev;
struct comedi_subdevice *s, *s_read;

- down_read(&dev->attach_lock);
+ down_write(&dev->attach_lock);

if (!dev->attached) {
dev_dbg(dev->class_dev, "no driver attached\n");
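Review bot: changing down_read() to down_write() on dev->attach_lock only excludes other comedi_poll() callers and the detach path for the duration of comedi_poll() itself; the list corruption in the report happens later, in poll_freewait() -> free_poll_entry() -> remove_wait_queue(), after comedi_poll() has returned and released the lock. The wait queue entry added by poll_wait() inside comedi_poll() still sits on a wait queue head that can go away before do_sys_poll() unlinks it, which is why syzbot's test of this patch still hits the same BUG. The fix has to keep the wait queue head alive while entries are queued on it, or remove those entries before the head is freed.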
@@ -2484,7 +2484,7 @@ static __poll_t comedi_poll(struct file
}

done:
- up_read(&dev->attach_lock);
+ up_write(&dev->attach_lock);
return mask;
}
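Review bot: up_write() at done: pairs with the down_write() in the first hunk, so the locking is at least balanced, but taking the rwsem for write around the poll callback serialises every poller on the device for no benefit, because the wait queue entry outlives this critical section and the corruption occurs outside it.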

--

syzbot

Jul 7, 2025, 7:43:06 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in remove_wait_queue

slab kmalloc-8k start ffff8881457ec000 pointer offset 1480 size 8192
list_del corruption. prev->next should be ffffc90003d8fb98, but was ffff8881457ec5c8. (prev=ffff8881457ec5c8)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:62!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6485 Comm: syz.1.17 Not tainted 6.16.0-rc5-syzkaller-gd7b8f8e20813-dirty #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:__list_del_entry_valid_or_report+0x17a/0x200 lib/list_debug.c:62
Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 a0 26 f5 8b e8 07 ca bf fc 90 <0f> 0b 4c 89 e7 e8 dc e7 23 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc90003d8f880 EFLAGS: 00010086
RAX: 000000000000006d RBX: ffffc90003d8fb98 RCX: ffffffff819a6f69
RDX: 0000000000000000 RSI: ffffffff819aeb6e RDI: 0000000000000005
RBP: ffff8881457ec5c8 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000000001 R12: ffff8881457ec5c8
R13: ffffc90003d8fb98 R14: ffffc90003d8fba0 R15: ffffc90003d8fb70
FS: 00007f2a989306c0(0000) GS:ffff888124a0d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc742be1a8 CR3: 0000000077286000 CR4: 00000000003526f0
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
__remove_wait_queue include/linux/wait.h:207 [inline]
remove_wait_queue+0x30/0x180 kernel/sched/wait.c:55
free_poll_entry fs/select.c:132 [inline]
poll_freewait+0xd5/0x250 fs/select.c:141
do_sys_poll+0x6a9/0xde0 fs/select.c:1010
__do_sys_poll fs/select.c:1074 [inline]
__se_sys_poll fs/select.c:1062 [inline]
__x64_sys_poll+0x1a6/0x450 fs/select.c:1062
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2a97b85d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2a98930038 EFLAGS: 00000246 ORIG_RAX: 0000000000000007
RAX: ffffffffffffffda RBX: 00007f2a97d75fa0 RCX: 00007f2a97b85d29
RDX: 0000000000000106 RSI: 0000000000000005 RDI: 0000000020000080
RBP: 00007f2a97c01b08 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f2a97d75fa0 R15: 00007ffddfb83ed8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x17a/0x200 lib/list_debug.c:62
Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 a0 26 f5 8b e8 07 ca bf fc 90 <0f> 0b 4c 89 e7 e8 dc e7 23 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc90003d8f880 EFLAGS: 00010086
RAX: 000000000000006d RBX: ffffc90003d8fb98 RCX: ffffffff819a6f69
RDX: 0000000000000000 RSI: ffffffff819aeb6e RDI: 0000000000000005
RBP: ffff8881457ec5c8 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000000001 R12: ffff8881457ec5c8
R13: ffffc90003d8fb98 R14: ffffc90003d8fba0 R15: ffffc90003d8fb70
FS: 00007f2a989306c0(0000) GS:ffff888124a0d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc742be1a8 CR3: 0000000077286000 CR4: 00000000003526f0


Tested on:

commit: d7b8f8e2 Linux 6.16-rc5
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13ec9f70580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a9b42a4fcb738e08
dashboard link: https://syzkaller.appspot.com/bug?extid=4e21d5f67b886a692b55
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=143c928c580000

syzbot

Jan 15, 2026, 6:32:07 PM
to abb...@mev.co.uk, ax...@kernel.dk, bra...@kernel.org, gre...@linuxfoundation.org, hda...@sina.com, ja...@suse.cz, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, lizh...@windriver.com, mch...@kernel.org, stan...@126.com, superm...@gmail.com, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
syzbot suspects this issue was fixed by commit:

commit 35b6fc51c666fc96355be5cd633ed0fe4ccf68b2
Author: Ian Abbott <abb...@mev.co.uk>
Date: Tue Jul 22 15:53:16 2025 +0000

comedi: fix race between polling and detaching

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10d49dfc580000
start commit: 038d61fd6422 Linux 6.16
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=515ec0b49771bcd1
dashboard link: https://syzkaller.appspot.com/bug?extid=4e21d5f67b886a692b55
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14fbbcf0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11034aa2580000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: comedi: fix race between polling and detaching