syzbot


BUG: corrupted list in process_one_work

Status: upstream: reported C repro on 2022/04/10 06:05
Reported-by: syzbot+badfd07a93cffefd7317@syzkaller.appspotmail.com
Fix commit: d007f49ab789 percpu_ref_init(): clean ->percpu_count_ref on failure
Patched on: [ci2-android-5-10 ci2-android-5-10-perf], missing on: []
First crash: 796d, last: 58d
Cause bisection: failed (error log, bisect log)
Fix bisection: fixed by (bisect log):
commit d007f49ab789bee8ed76021830b49745d5feaf61
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Wed May 18 06:13:40 2022 +0000

  percpu_ref_init(): clean ->percpu_count_ref on failure

Similar bugs (10)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: corrupted list in process_one_work kernel 16 2153d 2164d 0/27 closed as invalid on 2018/09/05 12:51
android-5-15 KASAN: use-after-free Read in process_one_work missing-backport origin:downstream C unreliable 195 7h09m 592d 0/2 upstream: reported C repro on 2022/10/31 08:36
upstream KMSAN: kernel-infoleak in copyout (2) net C 6723 372d 1541d 22/27 fixed on 2023/06/08 14:41
upstream KASAN: global-out-of-bounds Read in process_one_work kernel 1 29d 25d 0/27 moderation: reported on 2024/05/20 01:05
upstream general protection fault in process_one_work (2) kernel 1 1061d 1057d 0/27 auto-closed as invalid on 2021/09/17 12:34
upstream KASAN: slab-out-of-bounds Read in process_one_work kernel 1 596d 591d 0/27 auto-obsoleted due to no activity on 2023/01/25 20:05
android-6-1 KASAN: use-after-free Read in process_one_work origin:upstream missing-backport C error 232 1d04h 389d 0/2 upstream: reported C repro on 2023/05/21 23:04
upstream KASAN: slab-use-after-free Read in process_one_work kernel 2 279d 281d 0/27 auto-obsoleted due to no activity on 2023/12/08 17:35
android-54 KASAN: use-after-free Read in process_one_work 1 452d 452d 0/2 auto-obsoleted due to no activity on 2023/07/18 18:33
upstream KASAN: use-after-free Read in process_one_work 1 2465d 2430d 0/27 closed as invalid on 2018/02/14 13:45
Last patch testing requests (23)
Created Duration User Patch Repo Result
2022/08/30 17:30 16m tadeusz.struk@linaro.org android12-5.10-lts OK log
2022/06/03 17:44 17m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/06/02 18:06 17m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/05/26 00:54 9m tadeusz.struk@linaro.org patch android12-5.10-lts report log
2022/05/23 20:48 16m tadeusz.struk@linaro.org patch android12-5.10-lts report log
2022/05/23 19:32 16m tadeusz.struk@linaro.org patch git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2022/05/23 19:31 10m tadeusz.struk@linaro.org patch android12-5.10-lts report log
2022/05/23 17:33 19m tadeusz.struk@linaro.org patch android12-5.10-lts report log
2022/05/23 17:31 19m tadeusz.struk@linaro.org patch git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master OK
2022/05/20 20:05 9m tadeusz.struk@linaro.org patch https://android.googlesource.com/kernel/common android12-5.10 report log
2022/05/20 18:51 10m tadeusz.struk@linaro.org patch android12-5.10-lts report log
2022/05/20 18:49 16m tadeusz.struk@linaro.org patch git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master OK
2022/05/16 19:50 8m tadeusz.struk@linaro.org android12-5.10-lts report log
2022/05/16 15:41 8m tadeusz.struk@linaro.org git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2022/05/16 15:21 9m tadeusz.struk@linaro.org git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2022/05/12 20:30 7m tadeusz.struk@linaro.org git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2022/05/12 00:00 7m tadeusz.struk@linaro.org git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2022/05/11 20:54 11m tadeusz.struk@linaro.org git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2022/05/06 18:03 12m (58) tadeusz.struk@linaro.org https://android.googlesource.com/kernel/common android12-5.10 report log
2022/04/12 17:11 7m tadeusz.struk@linaro.org patch git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2022/04/12 01:10 9m tadeusz.struk@linaro.org patch git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master OK
2022/04/12 00:46 11m tadeusz.struk@linaro.org patch https://android.googlesource.com/kernel/common android12-5.10 OK
2022/04/11 14:21 9m tadeusz.struk@linaro.org git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
Fix bisection attempts (3)
Created Duration User Patch Repo Result
2022/08/02 20:04 3h18m bisect fix android12-5.10-lts job log (1)
2022/06/10 11:23 20m bisect fix android12-5.10-lts job log (0) log
2022/05/11 10:04 24m bisect fix android12-5.10-lts job log (0) log

Sample crash report:
list_del corruption. next->prev should be ffffffff862f6c48, but was ffff8881f715c060
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:56!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 24 Comm: kworker/1:1 Not tainted 5.10.109-syzkaller-00693-g414e6c8e941c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events destroy_list_workfn

RIP: 0010:__list_del_entry_valid+0xf9/0x100 lib/list_debug.c:54
Code: 7a d3 3f 02 0f 0b 48 c7 c7 e0 ca 43 85 4c 89 f6 31 c0 e8 67 d3 3f 02 0f 0b 48 c7 c7 40 cb 43 85 4c 89 f6 31 c0 e8 54 d3 3f 02 <0f> 0b 0f 1f 44 00 00 55 48 89 e5 be 08 00 00 00 48 c7 c7 20 d2 54
RSP: 0018:ffffc9000019fcf8 EFLAGS: 00010046

RAX: 0000000000000054 RBX: ffff8881061e2c78 RCX: 004ae6d477344a00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc9000019fd18 R08: ffffffff8153b3c8 R09: ffffed103ee2a5d8
R10: ffffed103ee2a5d8 R11: 1ffff1103ee2a5d7 R12: dffffc0000000000
R13: ffffffff862f6c48 R14: ffffffff862f6c48 R15: ffff8881f7155720
FS:  0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb511cfb2f0 CR3: 00000001069bd000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_del_entry include/linux/list.h:132 [inline]
 list_del_init include/linux/list.h:204 [inline]
 process_one_work+0x445/0xc10 kernel/workqueue.c:2240
 worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
 kthread+0x349/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:

---[ end trace 38d67c29ca1c8c64 ]---
RIP: 0010:__list_del_entry_valid+0xf9/0x100 lib/list_debug.c:54
Code: 7a d3 3f 02 0f 0b 48 c7 c7 e0 ca 43 85 4c 89 f6 31 c0 e8 67 d3 3f 02 0f 0b 48 c7 c7 40 cb 43 85 4c 89 f6 31 c0 e8 54 d3 3f 02 <0f> 0b 0f 1f 44 00 00 55 48 89 e5 be 08 00 00 00 48 c7 c7 20 d2 54
RSP: 0018:ffffc9000019fcf8 EFLAGS: 00010046

RAX: 0000000000000054 RBX: ffff8881061e2c78 RCX: 004ae6d477344a00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc9000019fd18 R08: ffffffff8153b3c8 R09: ffffed103ee2a5d8
R10: ffffed103ee2a5d8 R11: 1ffff1103ee2a5d7 R12: dffffc0000000000
R13: ffffffff862f6c48 R14: ffffffff862f6c48 R15: ffff8881f7155720
FS:  0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb511cfb2f0 CR3: 00000001069bd000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (8):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2022/04/10 06:03 android12-5.10-lts 414e6c8e941c e22c3da3 .config console log report syz C ci2-android-5-10 BUG: corrupted list in process_one_work
2022/07/03 19:44 android12-5.10-lts fa7f6a5f56d9 1434eec0 .config console log report info ci2-android-5-10-perf BUG: corrupted list in process_one_work
2024/04/16 22:44 android13-5.10-lts 4e1bc8d8e8ae 18f6e127 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in process_one_work
2024/04/08 19:08 android13-5.10-lts 4e1bc8d8e8ae 53df08b6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in process_one_work
2024/04/06 14:00 android13-5.10-lts e7daca75b4c3 ca620dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in process_one_work
2024/03/29 01:41 android13-5.10-lts e7daca75b4c3 e91187ee .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in process_one_work
2024/03/26 07:13 android13-5.10-lts e7daca75b4c3 bcd9b39f .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in process_one_work
2023/07/15 08:37 android13-5.10-lts 59b65efafe20 35d9ecc5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: use-after-free Read in process_one_work
* Struck through repros no longer work on HEAD.