BUG: corrupted list in p9_fd_cancel

Status: fixed on 2018/08/28 17:48
Subsystems: v9fs
Reported-by: syzbot+735d926e9d1317c3310c@syzkaller.appspotmail.com
Fix commit: 9f476d7c540c net/9p/trans_fd.c: fix race by holding the lock
First crash: 2105d, last: 2091d
Discussions (8)
| Title | Replies (including bot) | Last reply |
|---|---|---|
| BUG: corrupted list in p9_read_work | 24 (29) | 2018/11/20 11:28 |
| [PATCH 4.18 000/197] 4.18.8-stable review | 205 (205) | 2018/09/17 04:57 |
| [PATCH 4.14 000/115] 4.14.70-stable review | 128 (128) | 2018/09/15 07:15 |
| [PATCH 4.9 00/78] 4.9.127-stable review | 82 (82) | 2018/09/14 14:55 |
| [PATCH] net/p9/trans_fd.c: fix double list_del() | 8 (8) | 2018/07/24 10:47 |
| [PATCH] net/9p/trans_fd.c: fix race by holding the lock | 2 (2) | 2018/07/23 22:54 |
| [PATCH] net/9p/trans_fd.c: fix double list_del() and race in access | 4 (4) | 2018/07/23 11:46 |
| BUG: corrupted list in p9_fd_cancel | 0 (1) | 2018/07/09 15:09 |
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 BUG: corrupted list in p9_fd_cancel 1 442d 442d 0/2 auto-obsoleted due to no activity on 2023/05/27 07:47
upstream BUG: corrupted list in p9_fd_cancel (2) v9fs fuse C error 8 512d 538d 22/26 fixed on 2023/02/24 13:50
android-5-15 BUG: corrupted list in p9_fd_cancel C done 2 446d 446d 2/2 fixed on 2023/01/27 09:47

Sample crash report:
list_del corruption, ffff8801ac6718e8->next is LIST_POISON1 (dead000000000100)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:47!
invalid opcode: 0000 [#1] SMP KASAN
CPU: 0 PID: 5740 Comm: syz-executor954 Not tainted 4.18.0-rc4+ #142
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_del_entry_valid.cold.1+0x26/0x58 lib/list_debug.c:45
Code: 02 fe 0f 0b 4c 89 e2 48 89 de 48 c7 c7 20 66 1a 88 e8 4a 6e 02 fe 0f 0b 4c 89 ea 48 89 de 48 c7 c7 c0 65 1a 88 e8 36 6e 02 fe <0f> 0b 48 89 de 48 c7 c7 e0 66 1a 88 e8 25 6e 02 fe 0f 0b 48 89 de 
RSP: 0018:ffff8801d68a71c0 EFLAGS: 00010286
RAX: 000000000000004e RBX: ffff8801ac6718e8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81631821 RDI: 0000000000000001
RBP: ffff8801d68a71d8 R08: ffff8801d640a5c0 R09: ffffed003b5c4fc0
R10: ffffed003b5c4fc0 R11: ffff8801dae27e07 R12: dead000000000200
R13: dead000000000100 R14: ffff8801ac6718e8 R15: ffff8801ac6718f0
FS:  00007fb4fb192700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000046a2e0 CR3: 00000001b2260000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_del_entry include/linux/list.h:117 [inline]
 list_del include/linux/list.h:125 [inline]
 p9_fd_cancel+0x104/0x360 net/9p/trans_fd.c:690
 p9_client_rpc+0xf1f/0x1400 net/9p/client.c:800
 p9_client_version net/9p/client.c:976 [inline]
 p9_client_create+0xd09/0x16c9 net/9p/client.c:1069
 v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
 v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
 mount_fs+0xae/0x328 fs/super.c:1277
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445cf9
Code: e8 ec ba 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00 
RSP: 002b:00007fb4fb191da8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00000000006dbc44 RCX: 0000000000445cf9
RDX: 0000000020000780 RSI: 0000000020000740 RDI: 0000000000000000
RBP: 0000000000000000 R08: 00000000200007c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00000000006dbc40
R13: 0030656c69662f2e R14: 64663d736e617274 R15: 0000000000000001
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 64604f15e7f742b0 ]---
RIP: 0010:__list_del_entry_valid.cold.1+0x26/0x58 lib/list_debug.c:45
Code: 02 fe 0f 0b 4c 89 e2 48 89 de 48 c7 c7 20 66 1a 88 e8 4a 6e 02 fe 0f 0b 4c 89 ea 48 89 de 48 c7 c7 c0 65 1a 88 e8 36 6e 02 fe <0f> 0b 48 89 de 48 c7 c7 e0 66 1a 88 e8 25 6e 02 fe 0f 0b 48 89 de 
RSP: 0018:ffff8801d68a71c0 EFLAGS: 00010286
RAX: 000000000000004e RBX: ffff8801ac6718e8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81631821 RDI: 0000000000000001
RBP: ffff8801d68a71d8 R08: ffff8801d640a5c0 R09: ffffed003b5c4fc0
R10: ffffed003b5c4fc0 R11: ffff8801dae27e07 R12: dead000000000200
R13: dead000000000100 R14: ffff8801ac6718e8 R15: ffff8801ac6718f0
FS:  00007fb4fb192700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000046a2e0 CR3: 00000001b2260000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (34):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | Manager |
|---|---|---|---|---|---|---|---|---|---|
| 2018/07/12 03:57 | upstream | c25c74b7476e | 2e0e3130 | .config | console log | report | syz | C | ci-upstream-kasan-gce-root |
| 2018/07/12 03:33 | upstream | c25c74b7476e | 2e0e3130 | .config | console log | report | syz | C | ci-upstream-kasan-gce-root |
| 2018/07/12 02:01 | upstream | c25c74b7476e | 2e0e3130 | .config | console log | report | syz | C | ci-upstream-kasan-gce-root |
| 2018/07/11 19:14 | upstream | 1e09177acae3 | 2e0e3130 | .config | console log | report | syz | C | ci-upstream-kasan-gce |
| 2018/07/11 16:04 | upstream | 1e09177acae3 | 2e0e3130 | .config | console log | report | syz | C | ci-upstream-kasan-gce |
| 2018/07/10 23:48 | upstream | 30c2c32d7f70 | 2e0e3130 | .config | console log | report | syz | C | ci-upstream-kasan-gce-root |
| 2018/07/10 17:29 | upstream | 092150a25cb7 | 9fa03fa5 | .config | console log | report | syz | C | ci-upstream-kasan-gce |
| 2018/07/10 12:59 | upstream | 092150a25cb7 | 9fa03fa5 | .config | console log | report | syz | C | ci-upstream-kasan-gce |
| 2018/07/10 05:39 | upstream | 092150a25cb7 | f25e5770 | .config | console log | report | syz | C | ci-upstream-kasan-gce-root |
| 2018/07/10 04:15 | upstream | 092150a25cb7 | f25e5770 | .config | console log | report | syz | C | ci-upstream-kasan-gce-root |
| 2018/07/10 02:28 | upstream | 092150a25cb7 | f25e5770 | .config | console log | report | syz | C | ci-upstream-kasan-gce |
| 2018/07/11 03:14 | upstream | 30c2c32d7f70 | 2e0e3130 | .config | console log | report | syz | C | ci-upstream-kasan-gce-386 |
| 2018/07/10 23:00 | upstream | 30c2c32d7f70 | 2e0e3130 | .config | console log | report | syz | C | ci-upstream-kasan-gce-386 |
| 2018/07/10 22:32 | upstream | 30c2c32d7f70 | 2e0e3130 | .config | console log | report | syz | C | ci-upstream-kasan-gce-386 |
| 2018/07/10 09:28 | upstream | 092150a25cb7 | 9fa03fa5 | .config | console log | report | syz | C | ci-upstream-kasan-gce-386 |
| 2018/07/10 07:48 | upstream | 092150a25cb7 | f25e5770 | .config | console log | report | syz | C | ci-upstream-kasan-gce-386 |
| 2018/07/09 23:40 | upstream | 1e4b044d2251 | f25e5770 | .config | console log | report | syz | C | ci-upstream-kasan-gce-386 |
| 2018/07/09 15:06 | upstream | 1e4b044d2251 | f25e5770 | .config | console log | report | syz | C | ci-upstream-kasan-gce-386 |
| 2018/07/09 12:42 | upstream | 1e4b044d2251 | f25e5770 | .config | console log | report | syz | C | ci-upstream-kasan-gce-386 |
| 2018/07/16 11:31 | linux-next | 1d4eb636f0ab | 92a49505 | .config | console log | report | syz | C | ci-upstream-linux-next-kasan-gce-root |
| 2018/07/16 09:30 | linux-next | 1d4eb636f0ab | 92a49505 | .config | console log | report | syz | C | ci-upstream-linux-next-kasan-gce-root |
| 2018/07/15 21:16 | linux-next | 483d835c8189 | 92a49505 | .config | console log | report | syz | C | ci-upstream-linux-next-kasan-gce-root |
| 2018/07/13 06:54 | linux-next | 3ee15ba60e6b | 06c33b3a | .config | console log | report | syz | C | ci-upstream-linux-next-kasan-gce-root |
| 2018/07/11 21:23 | linux-next | 98be45067040 | 2e0e3130 | .config | console log | report | syz | C | ci-upstream-linux-next-kasan-gce-root |
| 2018/07/10 23:48 | linux-next | 3951bd9fe3e2 | 2e0e3130 | .config | console log | report | syz | C | ci-upstream-linux-next-kasan-gce-root |
| 2018/07/10 21:56 | linux-next | 3951bd9fe3e2 | 2e0e3130 | .config | console log | report | syz | C | ci-upstream-linux-next-kasan-gce-root |
| 2018/07/10 20:15 | https://github.com/google/kmsan.git master | b64f7ec04e12 | 9fa03fa5 | .config | console log | report | syz | C | ci-upstream-kmsan-gce |
| 2018/07/16 08:47 | linux-next | 1d4eb636f0ab | 92a49505 | .config | console log | report | syz | | ci-upstream-linux-next-kasan-gce-root |
| 2018/07/23 11:33 | upstream | d72e90f33aa4 | f69c5fcd | .config | console log | report | | | ci-upstream-kasan-gce-root |
| 2018/07/10 06:33 | upstream | 092150a25cb7 | f25e5770 | .config | console log | report | | | ci-upstream-kasan-gce |
| 2018/07/09 22:39 | upstream | 1e4b044d2251 | f25e5770 | .config | console log | report | | | ci-upstream-kasan-gce-386 |
| 2018/07/20 06:25 | linux-next | 1c34981993da | 49f35839 | .config | console log | report | | | ci-upstream-linux-next-kasan-gce-root |
| 2018/07/19 00:34 | linux-next | 0b742fe187f7 | 49f35839 | .config | console log | report | | | ci-upstream-linux-next-kasan-gce-root |
| 2018/07/18 12:37 | linux-next | 0b742fe187f7 | 809256c3 | .config | console log | report | | | ci-upstream-linux-next-kasan-gce-root |