syzbot


BUG: corrupted list in tipc_nametbl_unsubscribe

Status: fixed on 2018/07/05 05:52
Subsystems: tipc
Reported-by: syzbot+f25098149f0536920141@syzkaller.appspotmail.com
Fix commit: c3317f4db831 tipc: fix unbalanced reference counter
First crash: 2265d, last: 2205d
Discussions (1)
Title Replies (including bot) Last reply
BUG: corrupted list in tipc_nametbl_unsubscribe 1 (2) 2018/07/04 20:30

Sample crash report:
R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000
Name sequence creation failed, no memory
Failed to create subscription for {2147483648,0,4294967295}
list_del corruption. prev->next should be 000000006a45cd4e, but was           (null)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:53!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4418 Comm: syzkaller542553 Not tainted 4.16.0-rc6+ #284
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_del_entry_valid+0xef/0x150 lib/list_debug.c:51
RSP: 0018:ffff8801b14feec8 EFLAGS: 00010282
RAX: 0000000000000054 RBX: ffffffff886edfe0 RCX: 0000000000000000
RDX: 0000000000000054 RSI: 1ffff1003629fd8e RDI: ffffed003629fdcd
RBP: ffff8801b14feee0 R08: 1ffff1003629fd25 R09: 0000000000000000
R10: ffff8801b14feda8 R11: 0000000000000000 R12: ffffffffffffffff
R13: ffff8801b14ff080 R14: ffff8801b40a5718 R15: ffff8801d40b3780
FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffccb8b5b10 CR3: 0000000007a22004 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_del_entry include/linux/list.h:117 [inline]
 list_del_init include/linux/list.h:159 [inline]
 tipc_nametbl_unsubscribe+0x337/0x990 net/tipc/name_table.c:808
 tipc_sub_unsubscribe+0x6d/0x2e0 net/tipc/subscr.c:164
 tipc_conn_delete_sub+0x324/0x4a0 net/tipc/topsrv.c:245
 tipc_topsrv_kern_unsubscr+0x21d/0x350 net/tipc/topsrv.c:598
 tipc_group_delete+0x2c0/0x3d0 net/tipc/group.c:231
 tipc_sk_leave+0x10b/0x200 net/tipc/socket.c:2800
 tipc_release+0x154/0xff0 net/tipc/socket.c:576
 sock_release+0x8d/0x1e0 net/socket.c:594
 sock_close+0x16/0x20 net/socket.c:1149
 __fput+0x327/0x7e0 fs/file_table.c:209
 ____fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x199/0x270 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x9bb/0x1ad0 kernel/exit.c:865
 do_group_exit+0x149/0x400 kernel/exit.c:968
 SYSC_exit_group kernel/exit.c:979 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:977
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x43f5d8
RSP: 002b:00007fffae3a69a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f5d8
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004bf708 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 0000000020000040 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d11c0 R14: 0000000000000000 R15: 0000000000000000
Code: 4c 89 e2 48 c7 c7 40 8e e5 86 e8 a5 67 a7 fe 0f 0b 48 c7 c7 a0 8e e5 86 e8 97 67 a7 fe 0f 0b 48 c7 c7 00 8f e5 86 e8 89 67 a7 fe <0f> 0b 48 c7 c7 60 8f e5 86 e8 7b 67 a7 fe 0f 0b 48 89 df 48 89 
RIP: __list_del_entry_valid+0xef/0x150 lib/list_debug.c:51 RSP: ffff8801b14feec8
---[ end trace c0a58eabd4b15e7a ]---

Crashes (40):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/03/29 13:12 net-next-old 5d22d47b9ed9 d47f0ed6 .config console log report syz C ci-upstream-net-kasan-gce
2018/03/29 12:33 net-next-old 5d22d47b9ed9 d47f0ed6 .config console log report syz C ci-upstream-net-kasan-gce
2018/03/29 12:14 net-next-old 5d22d47b9ed9 d47f0ed6 .config console log report syz C ci-upstream-net-kasan-gce
2018/03/09 01:31 net-next-old fd372a7a9e5e 36d1c454 .config console log report syz C ci-upstream-net-kasan-gce
2018/03/30 07:08 net-next-old 18845557fd6f d47f0ed6 .config console log report syz ci-upstream-net-kasan-gce
2018/03/31 02:04 upstream 9dd2326890d8 8fbce0e4 .config console log report ci-upstream-kasan-gce
2018/03/29 16:07 upstream 0b412605ef5f d47f0ed6 .config console log report ci-upstream-kasan-gce-root
2018/03/31 16:51 upstream b5dbc28762fd 8fbce0e4 .config console log report ci-upstream-kasan-gce-386
2018/03/31 15:26 upstream b5dbc28762fd 8fbce0e4 .config console log report ci-upstream-kasan-gce-386
2018/03/31 02:08 upstream 9dd2326890d8 8fbce0e4 .config console log report ci-upstream-kasan-gce-386
2018/03/29 17:27 upstream 0b412605ef5f d47f0ed6 .config console log report ci-upstream-kasan-gce-386
2018/04/13 20:36 bpf-next 17dec0a94915 7a67784c .config console log report ci-upstream-bpf-next-kasan-gce
2018/04/13 20:34 bpf-next 17dec0a94915 7a67784c .config console log report ci-upstream-bpf-next-kasan-gce
2018/04/11 20:20 bpf-next 17dec0a94915 9cd56d71 .config console log report ci-upstream-bpf-next-kasan-gce
2018/04/09 21:20 bpf-next 4608f064532c b9f65507 .config console log report ci-upstream-bpf-next-kasan-gce
2018/04/09 08:37 bpf-next 4608f064532c f13fb445 .config console log report ci-upstream-bpf-next-kasan-gce
2018/04/05 21:39 bpf-next 4608f064532c a932eae6 .config console log report ci-upstream-bpf-next-kasan-gce
2018/04/05 21:33 bpf-next 4608f064532c a932eae6 .config console log report ci-upstream-bpf-next-kasan-gce
2018/04/05 11:32 bpf-next 4608f064532c 5e1ccffc .config console log report ci-upstream-bpf-next-kasan-gce
2018/03/31 09:40 net-next-old c0b6edef0bf0 8fbce0e4 .config console log report ci-upstream-net-kasan-gce
2018/03/30 23:17 net-next-old 6f14f49ce5eb 8fbce0e4 .config console log report ci-upstream-net-kasan-gce
2018/03/30 21:40 net-next-old 6f14f49ce5eb 8fbce0e4 .config console log report ci-upstream-net-kasan-gce
2018/03/30 21:20 net-next-old 6f14f49ce5eb 8fbce0e4 .config console log report ci-upstream-net-kasan-gce
2018/03/30 20:32 net-next-old 6f14f49ce5eb 8fbce0e4 .config console log report ci-upstream-net-kasan-gce
2018/03/30 15:08 net-next-old 18845557fd6f d47f0ed6 .config console log report ci-upstream-net-kasan-gce
2018/03/30 11:15 net-next-old 18845557fd6f d47f0ed6 .config console log report ci-upstream-net-kasan-gce
2018/03/29 21:02 net-next-old 56455e0998dd d47f0ed6 .config console log report ci-upstream-net-kasan-gce
2018/03/29 16:29 net-next-old 56455e0998dd d47f0ed6 .config console log report ci-upstream-net-kasan-gce
2018/03/09 01:16 net-next-old fd372a7a9e5e 36d1c454 .config console log report ci-upstream-net-kasan-gce
2018/05/08 06:45 https://github.com/google/kmsan.git master d2d741e5d189 045bbd4a .config console log report ci-upstream-kmsan-gce
2018/05/06 17:55 https://github.com/google/kmsan.git master d2d741e5d189 6c18ddb0 .config console log report ci-upstream-kmsan-gce
2018/05/06 01:33 https://github.com/google/kmsan.git master d2d741e5d189 78b251cb .config console log report ci-upstream-kmsan-gce
2018/05/03 10:22 https://github.com/google/kmsan.git master d2d741e5d189 9ce14f4b .config console log report ci-upstream-kmsan-gce
2018/04/30 11:24 https://github.com/google/kmsan.git master d2d741e5d189 06db3cec .config console log report ci-upstream-kmsan-gce
2018/04/27 16:28 https://github.com/google/kmsan.git master d2d741e5d189 7785e404 .config console log report ci-upstream-kmsan-gce
2018/04/24 19:09 https://github.com/google/kmsan.git master d2d741e5d189 37e76fe2 .config console log report ci-upstream-kmsan-gce
2018/04/24 10:06 https://github.com/google/kmsan.git master d2d741e5d189 e7e85d36 .config console log report ci-upstream-kmsan-gce
2018/04/24 09:38 https://github.com/google/kmsan.git master d2d741e5d189 e7e85d36 .config console log report ci-upstream-kmsan-gce
2018/04/22 17:29 https://github.com/google/kmsan.git master d2d741e5d189 d23fcf6c .config console log report ci-upstream-kmsan-gce
2018/04/22 17:27 https://github.com/google/kmsan.git master d2d741e5d189 d23fcf6c .config console log report ci-upstream-kmsan-gce