syzbot


BUG: corrupted list in p9_read_work

Status: fixed on 2018/11/12 21:25
Subsystems: v9fs
Reported-by: syzbot+2222c34dc40b515f30dc@syzkaller.appspotmail.com
Fix commit: e4ca13f7d075 9p/trans_fd: abort p9_read_work if req status changed
First crash: 2109d, last: 1997d
Discussions (5)

| Title | Replies (including bot) | Last reply |
| --- | --- | --- |
| [PATCH 4.9 000/212] 4.9.233-rc1 review | 220 (220) | 2020/08/21 09:40 |
| [PATCH 4.14 00/51] 4.14.192-rc1 review | 54 (54) | 2020/08/05 09:52 |
| [PATCH 4.19 00/72] 4.19.57-stable review | 84 (84) | 2019/07/04 05:29 |
| BUG: corrupted list in p9_read_work | 24 (29) | 2018/11/20 11:28 |
| [PATCH 1/2] 9p/trans_fd: abort p9_read_work if req status changed | 4 (4) | 2018/10/15 10:46 |
Similar bugs (3)

| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| upstream | BUG: corrupted list in p9_read_work (2) v9fs | syz | done | error | 38 | 1616d | 1978d | 15/26 | fixed on 2020/09/16 22:51 |
| linux-4.14 | BUG: corrupted list in p9_read_work | syz | inconclusive | | 4 | 1418d | 1605d | 0/1 | upstream: reported syz repro on 2019/11/30 22:01 |
| linux-4.19 | BUG: corrupted list in p9_read_work | syz | error | | 3 | 1374d | 1647d | 0/1 | upstream: reported syz repro on 2019/10/20 09:47 |

Sample crash report:
FS-Cache: N-cookie c=00000000c1b0c875 [p=00000000c36d4410 fl=2 nc=0 na=1]
FS-Cache: N-cookie d=0000000030fbc5c9 n=00000000054ee708
FS-Cache: N-key=[10] '34323935303439353030'
list_del corruption, ffff880117fc6ea8->next is LIST_POISON1 (dead000000000100)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:47!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 20845 Comm: kworker/0:1 Not tainted 4.19.0+ #300
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
kobject: '9p-9996' (00000000632021f9): kobject_add_internal: parent: 'bdi', set: 'devices'
Workqueue: events p9_read_work
RIP: 0010:__list_del_entry_valid.cold.1+0x26/0x4a lib/list_debug.c:45
Code: d5 fd 0f 0b 4c 89 e2 48 89 de 48 c7 c7 c0 9c 40 88 e8 66 0d d5 fd 0f 0b 4c 89 ea 48 89 de 48 c7 c7 20 9c 40 88 e8 52 0d d5 fd <0f> 0b 48 89 de 48 c7 c7 80 9d 40 88 e8 41 0d d5 fd 0f 0b 48 89 de
kobject: '9p-9997' (0000000026d0c9fc): kobject_add_internal: parent: 'bdi', set: 'devices'
RSP: 0018:ffff880145a375b8 EFLAGS: 00010282
RAX: 000000000000004e RBX: ffff880117fc6ea8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8165dcc5 RDI: 0000000000000005
RBP: ffff880145a375d0 R08: ffff8801c4bc8680 R09: ffffed003b5c5008
R10: ffffed003b5c5008 R11: ffff8801dae28047 R12: dead000000000200
R13: dead000000000100 R14: ffff8801cd005890 R15: ffff8801cd005850
FS:  0000000000000000(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f87f74ae518 CR3: 00000001d59e8000 CR4: 00000000001406f0
kobject: '9p-9996' (00000000632021f9): kobject_uevent_env
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_del_entry include/linux/list.h:117 [inline]
 list_del include/linux/list.h:125 [inline]
 p9_read_work+0xab6/0x10e0 net/9p/trans_fd.c:379
kobject: '9p-9996' (00000000632021f9): fill_kobj_path: path = '/devices/virtual/bdi/9p-9996'
 process_one_work+0xc90/0x1c40 kernel/workqueue.c:2153
kobject: '9p-9997' (0000000026d0c9fc): kobject_uevent_env
kobject: '9p-9997' (0000000026d0c9fc): fill_kobj_path: path = '/devices/virtual/bdi/9p-9997'
kobject: '9p-9998' (00000000beafc11a): kobject_add_internal: parent: 'bdi', set: 'devices'
kobject: '9p-9998' (00000000beafc11a): kobject_uevent_env
 worker_thread+0x17f/0x1390 kernel/workqueue.c:2296
kobject: '9p-9998' (00000000beafc11a): fill_kobj_path: path = '/devices/virtual/bdi/9p-9998'
kobject: 'loop0' (000000002499e147): kobject_uevent_env
kobject: 'loop0' (000000002499e147): fill_kobj_path: path = '/devices/virtual/block/loop0'
kobject: 'loop3' (00000000fc2cf095): kobject_uevent_env
kobject: 'loop3' (00000000fc2cf095): fill_kobj_path: path = '/devices/virtual/block/loop3'
 kthread+0x35a/0x420 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:350
Modules linked in:
---[ end trace e95c99dd17ec4a63 ]---
RIP: 0010:__list_del_entry_valid.cold.1+0x26/0x4a lib/list_debug.c:45
Code: d5 fd 0f 0b 4c 89 e2 48 89 de 48 c7 c7 c0 9c 40 88 e8 66 0d d5 fd 0f 0b 4c 89 ea 48 89 de 48 c7 c7 20 9c 40 88 e8 52 0d d5 fd <0f> 0b 48 89 de 48 c7 c7 80 9d 40 88 e8 41 0d d5 fd 0f 0b 48 89 de
RSP: 0018:ffff880145a375b8 EFLAGS: 00010282
RAX: 000000000000004e RBX: ffff880117fc6ea8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8165dcc5 RDI: 0000000000000005
RBP: ffff880145a375d0 R08: ffff8801c4bc8680 R09: ffffed003b5c5008
R10: ffffed003b5c5008 R11: ffff8801dae28047 R12: dead000000000200
R13: dead000000000100 R14: ffff8801cd005890 R15: ffff8801cd005850
FS:  0000000000000000(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f87f74ae518 CR3: 00000001d59e8000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (23):

| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2018/10/24 10:56 | upstream | 44786880df19 | a8292de9 | .config | console log | report | syz | | | | ci-upstream-kasan-gce-root | |
| 2018/10/09 01:06 | upstream | 0854ba5ff5c9 | 8b311eaf | .config | console log | report | syz | | | | ci-upstream-kasan-gce-root | |
| 2018/10/14 21:18 | linux-next | 774ea0551a29 | caf12900 | .config | console log | report | syz | | | | ci-upstream-linux-next-kasan-gce-root | |
| 2018/11/04 17:33 | upstream | 71e56028173b | 8bd6bd63 | .config | console log | report | | | | | ci-upstream-kasan-gce-smack-root | |
| 2018/11/01 01:42 | upstream | 59fc453b21f7 | 1f38e9ae | .config | console log | report | | | | | ci-upstream-kasan-gce-root | |
| 2018/10/17 12:23 | upstream | c0cff31be705 | 1ba7fd7e | .config | console log | report | | | | | ci-upstream-kasan-gce-smack-root | |
| 2018/10/13 12:06 | upstream | bab5c80b2110 | caf12900 | .config | console log | report | | | | | ci-upstream-kasan-gce-smack-root | |
| 2018/10/09 22:05 | upstream | 64c5e530ac2c | 8b311eaf | .config | console log | report | | | | | ci-upstream-kasan-gce-root | |
| 2018/10/04 16:14 | upstream | cec4de302c5f | 8b311eaf | .config | console log | report | | | | | ci-upstream-kasan-gce-root | |
| 2018/09/26 11:19 | upstream | a38523185b40 | 455b6354 | .config | console log | report | | | | | ci-upstream-kasan-gce-smack-root | |
| 2018/09/26 04:12 | upstream | 846e8dd47c26 | b7e11289 | .config | console log | report | | | | | ci-upstream-kasan-gce-smack-root | |
| 2018/09/24 12:20 | upstream | 6bf4ca7fbc85 | 2f485cdf | .config | console log | report | | | | | ci-upstream-kasan-gce-smack-root | |
| 2018/09/22 07:15 | upstream | 10dc890d4228 | 37079712 | .config | console log | report | | | | | ci-upstream-kasan-gce-selinux-root | |
| 2018/09/07 14:00 | upstream | a49a9dcce802 | 69cfeb80 | .config | console log | report | | | | | ci-upstream-kasan-gce-root | |
| 2018/09/07 06:49 | upstream | ca16eb342ebe | e30d3b52 | .config | console log | report | | | | | ci-upstream-kasan-gce-selinux-root | |
| 2018/08/27 10:21 | upstream | 5b394b2ddf03 | 758cd203 | .config | console log | report | | | | | ci-upstream-kasan-gce-root | |
| 2018/08/23 12:11 | upstream | 899fbc33fd77 | 95b5c82b | .config | console log | report | | | | | ci-upstream-kasan-gce-root | |
| 2018/07/30 09:15 | upstream | 3cfb6772d4cf | 1a381291 | .config | console log | report | | | | | ci-upstream-kasan-gce-root | |
| 2018/07/15 20:04 | upstream | 37b5dca2898d | 92a49505 | .config | console log | report | | | | | ci-upstream-kasan-gce-root | |
| 2018/10/25 13:30 | linux-next | 8c60c36d0b8c | a8292de9 | .config | console log | report | | | | | ci-upstream-linux-next-kasan-gce-root | |
| 2018/08/27 03:59 | linux-next | ab6fc6ef2d8b | 758cd203 | .config | console log | report | | | | | ci-upstream-linux-next-kasan-gce-root | |
| 2018/08/23 05:11 | linux-next | 455fb5ec1df1 | 95b5c82b | .config | console log | report | | | | | ci-upstream-linux-next-kasan-gce-root | |
| 2018/08/09 03:36 | linux-next | 6b522b734da2 | 2eeda842 | .config | console log | report | | | | | ci-upstream-linux-next-kasan-gce-root | |

* Struck through repros no longer work on HEAD.