[moderation] [kernel?] BUG: corrupted list in percpu_counter_destroy_many
4 views
Skip to first unread message
syzbot
Jan 16, 2025, 3:22:30 PM1/16/25
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 7b4b9bf203da Add linux-next specific files for 20250107
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=169b31df980000
kernel config: https://syzkaller.appspot.com/x/.config?x=63fa2c9d5e12faef
dashboard link: https://syzkaller.appspot.com/bug?extid=699aaa9841ed84d19a5e
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
CC: [linux-...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c179cc0c7a3c/disk-7b4b9bf2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fdea80f2ec16/vmlinux-7b4b9bf2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a277fcaff608/bzImage-7b4b9bf2.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+699aaa...@syzkaller.appspotmail.com
slab kmalloc-1k start ffff88807b6b7800 pointer offset 576 size 1024
list_del corruption. next->prev should be ffff888032cf2348, but was ffff88807b6b7a40. (next=ffff88807b6b7a40)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:67!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 11454 Comm: syz.5.1302 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__list_del_entry_valid_or_report+0x18c/0x190 lib/list_debug.c:65
Code: 3a 87 17 fd 42 80 3c 2b 00 74 08 4c 89 e7 e8 eb 23 39 fd 49 8b 56 08 48 c7 c7 80 09 60 8c 4c 89 fe 4c 89 f1 e8 65 9e 3a fc 90 <0f> 0b 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f
RSP: 0018:ffffc90004e7fba0 EFLAGS: 00010046
RAX: 000000000000006d RBX: 1ffff1100f6d6f49 RCX: 53170ec7fbe60700
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffff888032cf2348 R08: ffffffff819efc6c R09: fffffbfff1cfa188
R10: dffffc0000000000 R11: fffffbfff1cfa188 R12: ffff88807b6b7a48
R13: dffffc0000000000 R14: ffff88807b6b7a40 R15: ffff888032cf2348
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020032000 CR3: 000000007017a000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
percpu_counter_destroy_many+0xfb/0x410 lib/percpu_counter.c:244
__mmdrop+0x2b8/0x3d0 kernel/fork.c:871
exit_mm+0x220/0x310 kernel/exit.c:570
do_exit+0x9ad/0x28e0 kernel/exit.c:925
do_group_exit+0x207/0x2c0 kernel/exit.c:1087
__do_sys_exit_group kernel/exit.c:1098 [inline]
__se_sys_exit_group kernel/exit.c:1096 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1096
x64_sys_call+0x26a8/0x26b0 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb7d3985d29
Code: Unable to access opcode bytes at 0x7fb7d3985cff.
RSP: 002b:00007ffe1b7fe0c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb7d3985d29
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007ffe1b7fe11c R08: 00007ffe1b7fe1af R09: 0000000000089277
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000032
R13: 0000000000089277 R14: 00007ffe1b7fe170 R15: 00007ffe1b7fe170
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x18c/0x190 lib/list_debug.c:65
Code: 3a 87 17 fd 42 80 3c 2b 00 74 08 4c 89 e7 e8 eb 23 39 fd 49 8b 56 08 48 c7 c7 80 09 60 8c 4c 89 fe 4c 89 f1 e8 65 9e 3a fc 90 <0f> 0b 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f
RSP: 0018:ffffc90004e7fba0 EFLAGS: 00010046
RAX: 000000000000006d RBX: 1ffff1100f6d6f49 RCX: 53170ec7fbe60700
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffff888032cf2348 R08: ffffffff819efc6c R09: fffffbfff1cfa188
R10: dffffc0000000000 R11: fffffbfff1cfa188 R12: ffff88807b6b7a48
R13: dffffc0000000000 R14: ffff88807b6b7a40 R15: ffff888032cf2348
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020032000 CR3: 000000007017a000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 7b4b9bf203da Add linux-next specific files for 20250107
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=169b31df980000
kernel config: https://syzkaller.appspot.com/x/.config?x=63fa2c9d5e12faef
dashboard link: https://syzkaller.appspot.com/bug?extid=699aaa9841ed84d19a5e
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
CC: [linux-...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c179cc0c7a3c/disk-7b4b9bf2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fdea80f2ec16/vmlinux-7b4b9bf2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a277fcaff608/bzImage-7b4b9bf2.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+699aaa...@syzkaller.appspotmail.com
slab kmalloc-1k start ffff88807b6b7800 pointer offset 576 size 1024
list_del corruption. next->prev should be ffff888032cf2348, but was ffff88807b6b7a40. (next=ffff88807b6b7a40)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:67!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 11454 Comm: syz.5.1302 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__list_del_entry_valid_or_report+0x18c/0x190 lib/list_debug.c:65
Code: 3a 87 17 fd 42 80 3c 2b 00 74 08 4c 89 e7 e8 eb 23 39 fd 49 8b 56 08 48 c7 c7 80 09 60 8c 4c 89 fe 4c 89 f1 e8 65 9e 3a fc 90 <0f> 0b 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f
RSP: 0018:ffffc90004e7fba0 EFLAGS: 00010046
RAX: 000000000000006d RBX: 1ffff1100f6d6f49 RCX: 53170ec7fbe60700
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffff888032cf2348 R08: ffffffff819efc6c R09: fffffbfff1cfa188
R10: dffffc0000000000 R11: fffffbfff1cfa188 R12: ffff88807b6b7a48
R13: dffffc0000000000 R14: ffff88807b6b7a40 R15: ffff888032cf2348
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020032000 CR3: 000000007017a000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
percpu_counter_destroy_many+0xfb/0x410 lib/percpu_counter.c:244
__mmdrop+0x2b8/0x3d0 kernel/fork.c:871
exit_mm+0x220/0x310 kernel/exit.c:570
do_exit+0x9ad/0x28e0 kernel/exit.c:925
do_group_exit+0x207/0x2c0 kernel/exit.c:1087
__do_sys_exit_group kernel/exit.c:1098 [inline]
__se_sys_exit_group kernel/exit.c:1096 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1096
x64_sys_call+0x26a8/0x26b0 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb7d3985d29
Code: Unable to access opcode bytes at 0x7fb7d3985cff.
RSP: 002b:00007ffe1b7fe0c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb7d3985d29
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007ffe1b7fe11c R08: 00007ffe1b7fe1af R09: 0000000000089277
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000032
R13: 0000000000089277 R14: 00007ffe1b7fe170 R15: 00007ffe1b7fe170
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x18c/0x190 lib/list_debug.c:65
Code: 3a 87 17 fd 42 80 3c 2b 00 74 08 4c 89 e7 e8 eb 23 39 fd 49 8b 56 08 48 c7 c7 80 09 60 8c 4c 89 fe 4c 89 f1 e8 65 9e 3a fc 90 <0f> 0b 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f
RSP: 0018:ffffc90004e7fba0 EFLAGS: 00010046
RAX: 000000000000006d RBX: 1ffff1100f6d6f49 RCX: 53170ec7fbe60700
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffff888032cf2348 R08: ffffffff819efc6c R09: fffffbfff1cfa188
R10: dffffc0000000000 R11: fffffbfff1cfa188 R12: ffff88807b6b7a48
R13: dffffc0000000000 R14: ffff88807b6b7a40 R15: ffff888032cf2348
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020032000 CR3: 000000007017a000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Mar 13, 2025, 4:18:19 PM3/13/25
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages