syzbot


BUG: corrupted list in p9_read_work (2)

Status: fixed on 2020/09/16 22:51
Subsystems: v9fs
Reported-by: syzbot+77a25acfa0382e06ab23@syzkaller.appspotmail.com
Fix commit: 74d6a5d56629 9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work
First crash: 1982d, last: 1620d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: no output from test machine (log)
Repro: syz .config
  
Fix bisection: failed (error log, bisect log)
  
Discussions (10)
Title Replies (including bot) Last reply
[PATCH 4.9 000/212] 4.9.233-rc1 review 220 (220) 2020/08/21 09:40
[PATCH 4.19 00/56] 4.19.137-rc1 review 63 (63) 2020/08/10 18:05
[PATCH 4.14 00/51] 4.14.192-rc1 review 54 (54) 2020/08/05 09:52
[PATCH 5.7 000/120] 5.7.13-rc1 review 134 (134) 2020/08/04 06:52
[PATCH 5.4 00/90] 5.4.56-rc1 review 91 (91) 2020/08/03 12:19
[PATCH v2] 9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work 3 (3) 2020/06/12 09:22
Re: [PATCH] 9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work 1 (1) 2020/06/12 06:46
Reminder: 18 open syzbot bugs in "fs/9p" subsystem 1 (1) 2019/07/24 01:46
Reminder: 18 open syzbot bugs in "fs/9p" subsystem 1 (1) 2019/07/02 06:29
BUG: corrupted list in p9_read_work (2) 0 (1) 2018/11/23 06:29
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: corrupted list in p9_read_work v9fs syz 23 2000d 2111d 11/26 fixed on 2018/11/12 21:25
linux-4.14 BUG: corrupted list in p9_read_work syz inconclusive 4 1422d 1609d 0/1 upstream: reported syz repro on 2019/11/30 22:01
linux-4.19 BUG: corrupted list in p9_read_work syz error 3 1378d 1650d 0/1 upstream: reported syz repro on 2019/10/20 09:47
Fix bisection attempts (3)
Created Duration User Patch Repo Result
2019/12/22 03:32 16m bisect fix upstream error job log (0)
2019/10/09 15:07 30m bisect fix upstream job log (0) log
2019/09/08 20:01 29m bisect fix upstream job log (0) log

Sample crash report:
list_del corruption, ffff88809c5d6fb0->next is LIST_POISON1 (dead000000000100)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:45!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 2663 Comm: kworker/0:2 Not tainted 5.3.0-rc3+ #103
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events p9_read_work
RIP: 0010:__list_del_entry_valid.cold+0x23/0x4f lib/list_debug.c:45
Code: e8 05 02 1e fe 0f 0b 4c 89 f6 48 c7 c7 60 27 c6 87 e8 f4 01 1e fe 0f 0b 4c 89 ea 4c 89 f6 48 c7 c7 a0 26 c6 87 e8 e0 01 1e fe <0f> 0b 4c 89 e2 4c 89 f6 48 c7 c7 00 27 c6 87 e8 cc 01 1e fe 0f 0b
RSP: 0018:ffff8880a1917c40 EFLAGS: 00010282
RAX: 000000000000004e RBX: ffff88809c5d6f00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815c3ba6 RDI: ffffed1014322f7a
RBP: ffff8880a1917c58 R08: 000000000000004e R09: ffffed1015d060d1
R10: ffffed1015d060d0 R11: ffff8880ae830687 R12: dead000000000122
R13: dead000000000100 R14: ffff88809c5d6fb0 R15: ffff88809c5d6fb0
FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000009fde90 CR3: 0000000099824000 CR4: 00000000001406f0
Call Trace:
 __list_del_entry include/linux/list.h:131 [inline]
 list_del include/linux/list.h:139 [inline]
 p9_read_work+0xa35/0x10a0 net/9p/trans_fd.c:363
 process_one_work+0x9af/0x1740 kernel/workqueue.c:2269
 worker_thread+0x98/0xe40 kernel/workqueue.c:2415
 kthread+0x361/0x430 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace b0bfeaeca581df7c ]---
RIP: 0010:__list_del_entry_valid.cold+0x23/0x4f lib/list_debug.c:45
Code: e8 05 02 1e fe 0f 0b 4c 89 f6 48 c7 c7 60 27 c6 87 e8 f4 01 1e fe 0f 0b 4c 89 ea 4c 89 f6 48 c7 c7 a0 26 c6 87 e8 e0 01 1e fe <0f> 0b 4c 89 e2 4c 89 f6 48 c7 c7 00 27 c6 87 e8 cc 01 1e fe 0f 0b
RSP: 0018:ffff8880a1917c40 EFLAGS: 00010282
RAX: 000000000000004e RBX: ffff88809c5d6f00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815c3ba6 RDI: ffffed1014322f7a
RBP: ffff8880a1917c58 R08: 000000000000004e R09: ffffed1015d060d1
R10: ffffed1015d060d0 R11: ffff8880ae830687 R12: dead000000000122
R13: dead000000000100 R14: ffff88809c5d6fb0 R15: ffff88809c5d6fb0
FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000009fde90 CR3: 0000000099824000 CR4: 00000000001406f0

Crashes (38):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/08/09 12:59 upstream b678c568c561 ede31a9b .config console log report syz ci-upstream-kasan-gce-root
2019/01/02 09:18 upstream 28e8c4bc8eb4 3d85f48c .config console log report syz ci-upstream-kasan-gce-selinux-root
2019/01/02 07:13 upstream 28e8c4bc8eb4 3d85f48c .config console log report syz ci-upstream-kasan-gce-root
2019/01/02 05:47 upstream 28e8c4bc8eb4 3d85f48c .config console log report syz ci-upstream-kasan-gce-smack-root
2018/11/22 23:09 upstream edeca3a769ad 87815d9d .config console log report syz ci-upstream-kasan-gce-selinux-root
2018/11/22 22:26 upstream edeca3a769ad 87815d9d .config console log report syz ci-upstream-kasan-gce-smack-root
2019/10/30 07:11 linux-next c57cf3833c66 5ea87a66 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2019/01/02 00:22 linux-next 6a1d293238c1 3d85f48c .config console log report syz ci-upstream-linux-next-kasan-gce-root
2018/11/22 23:07 linux-next 442b8cea2477 87815d9d .config console log report syz ci-upstream-linux-next-kasan-gce-root
2019/11/19 23:40 upstream af42d3466bdc 5bc70212 .config console log report ci-upstream-kasan-gce-root
2019/04/09 21:34 upstream 869e3305f23d 65b612b7 .config console log report ci-upstream-kasan-gce-smack-root
2019/04/05 14:40 upstream ea2cec24c8d4 40f2363e .config console log report ci-upstream-kasan-gce-root
2019/04/04 22:55 upstream 145f47c7381d e5d1b3ac .config console log report ci-upstream-kasan-gce-smack-root
2019/04/02 12:39 upstream 5e7a8ca31926 dfd3394d .config console log report ci-upstream-kasan-gce-smack-root
2019/03/27 12:22 upstream 14c741de9386 55684ce1 .config console log report ci-upstream-kasan-gce-smack-root
2019/03/27 09:38 upstream 14c741de9386 55684ce1 .config console log report ci-upstream-kasan-gce-smack-root
2019/03/26 19:17 upstream a3ac7917b730 55684ce1 .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/26 08:55 upstream a3ac7917b730 55684ce1 .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/26 05:54 upstream 8c2ffd917477 55684ce1 .config console log report ci-upstream-kasan-gce-smack-root
2019/03/25 19:14 upstream 8c2ffd917477 2c86e0a5 .config console log report ci-upstream-kasan-gce-root
2019/03/24 22:44 upstream 1bdd3dbfff7a acbc5b7d .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/24 17:53 upstream 1bdd3dbfff7a acbc5b7d .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/24 03:35 upstream a5ed1e96cafd a2cef203 .config console log report ci-upstream-kasan-gce-smack-root
2019/03/22 20:45 upstream fd1f297b794c 3361bde5 .config console log report ci-upstream-kasan-gce-smack-root
2019/03/18 19:21 upstream 9e98c678c2d6 4656beca .config console log report ci-upstream-kasan-gce-smack-root
2019/03/18 19:07 upstream 9e98c678c2d6 4656beca .config console log report ci-upstream-kasan-gce-root
2019/01/01 20:46 upstream e1ef035d272e 3d85f48c .config console log report ci-upstream-kasan-gce-smack-root
2018/12/24 11:27 upstream 8fe28cb58bcb be79df56 .config console log report ci-upstream-kasan-gce-smack-root
2018/12/16 16:59 upstream 6531e115b7ab def91db3 .config console log report ci-upstream-kasan-gce-selinux-root
2018/11/22 20:06 upstream edeca3a769ad 87815d9d .config console log report ci-upstream-kasan-gce-smack-root
2019/04/10 17:33 linux-next 87b81df1a63d e955ac50 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/03/27 03:23 linux-next ab8bba4ec4b9 55684ce1 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/03/26 09:02 linux-next 9e864317704b 55684ce1 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/03/23 06:29 linux-next e382d91f5f80 3361bde5 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/03/17 18:08 linux-next cf08baa29613 ba18afea .config console log report ci-upstream-linux-next-kasan-gce-root
2019/01/13 12:21 linux-next b808822a75a3 c3f3344c .config console log report ci-upstream-linux-next-kasan-gce-root
2019/01/01 20:44 linux-next 6a1d293238c1 3d85f48c .config console log report ci-upstream-linux-next-kasan-gce-root
2018/12/31 00:03 linux-next 6a1d293238c1 2b42fdc8 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.