syzbot


BUG: corrupted list in p9_fd_cancelled (2)

Status: upstream: reported syz repro on 2019/08/29 03:58
Reported-by: syzbot+1d26c4ed77bc6c5ed5e6@syzkaller.appspotmail.com
First crash: 1130d, last: 16d

Cause bisection: failed (bisect log)

Fix bisection: failed (bisect log)
similar bugs (10):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-10 BUG: corrupted list in p9_fd_cancelled 1 297d 297d 0/2 closed as invalid on 2022/03/01 11:24
linux-4.14 BUG: corrupted list in p9_fd_cancelled syz done 2 1030d 1076d 1/1 fixed on 2020/01/03 09:37
android-5-10 BUG: corrupted list in p9_fd_cancelled (2) 3 170d 205d 0/2 auto-closed as invalid on 2022/07/10 10:51
android-54 BUG: corrupted list in p9_fd_cancelled 3 458d 666d 0/2 auto-closed as invalid on 2021/10/25 12:29
linux-4.19 BUG: corrupted list in p9_fd_cancelled syz done 2 1050d 1113d 1/1 fixed on 2019/12/18 17:42
upstream BUG: corrupted list in p9_fd_cancelled 16 1434d 1535d 0/24 auto-closed as invalid on 2019/04/23 06:51
linux-4.19 BUG: corrupted list in p9_fd_cancelled (3) 1 265d 265d 0/1 auto-closed as invalid on 2022/05/05 22:32
android-54 BUG: corrupted list in p9_fd_cancelled (2) 7 9d18h 309d 0/2 upstream: reported on 2021/11/23 15:00
linux-4.19 BUG: corrupted list in p9_fd_cancelled (2) 1 580d 580d 0/1 auto-closed as invalid on 2021/06/25 15:45
android-5-10 BUG: corrupted list in p9_fd_cancelled (3) 1 34d 34d 0/2 premoderation: reported on 2022/08/25 12:46

Sample crash report:
list_del corruption, ffff88808ecdbfb0->next is LIST_POISON1 (dead000000000100)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:45!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 20174 Comm: syz-executor.1 Not tainted 5.3.0-rc5+ #125
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_del_entry_valid.cold+0x23/0x4f lib/list_debug.c:45
Code: e8 d5 06 1e fe 0f 0b 4c 89 f6 48 c7 c7 e0 26 c6 87 e8 c4 06 1e fe 0f 0b 4c 89 ea 4c 89 f6 48 c7 c7 20 26 c6 87 e8 b0 06 1e fe <0f> 0b 4c 89 e2 4c 89 f6 48 c7 c7 80 26 c6 87 e8 9c 06 1e fe 0f 0b
RSP: 0018:ffff8880994076d8 EFLAGS: 00010286
RAX: 000000000000004e RBX: 1ffff11013280ee9 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815c2526 RDI: ffffed1013280ecd
RBP: ffff8880994076f0 R08: 000000000000004e R09: ffffed1015d060d1
R10: ffffed1015d060d0 R11: ffff8880ae830687 R12: dead000000000122
R13: dead000000000100 R14: ffff88808ecdbfb0 R15: ffff88808ecdbfb8
FS:  00007fb2aca54700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffee6574f58 CR3: 00000000a8e6d000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_del_entry include/linux/list.h:131 [inline]
 list_del include/linux/list.h:139 [inline]
 p9_fd_cancelled+0x3c/0x1c0 net/9p/trans_fd.c:710
 p9_client_flush+0x1b7/0x1f0 net/9p/client.c:674
 p9_client_rpc+0x112f/0x12a0 net/9p/client.c:781
 p9_client_version net/9p/client.c:952 [inline]
 p9_client_create+0xb7f/0x1430 net/9p/client.c:1052
 v9fs_session_init+0x1e7/0x18c0 fs/9p/v9fs.c:406
 v9fs_mount+0x7d/0x920 fs/9p/vfs_super.c:120
 legacy_get_tree+0x108/0x220 fs/fs_context.c:661
 vfs_get_tree+0x8e/0x390 fs/super.c:1413
 do_new_mount fs/namespace.c:2791 [inline]
 do_mount+0x13b3/0x1c30 fs/namespace.c:3111
 ksys_mount+0xdb/0x150 fs/namespace.c:3320
 __do_sys_mount fs/namespace.c:3334 [inline]
 __se_sys_mount fs/namespace.c:3331 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3331
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459879
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fb2aca53c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000459879
RDX: 00000000200002c0 RSI: 0000000020000040 RDI: 0000000000000000
RBP: 000000000075bfc8 R08: 0000000020000400 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb2aca546d4
R13: 00000000004c5e2f R14: 00000000004da930 R15: 00000000ffffffff
Modules linked in:
---[ end trace c76f5f29f0af3347 ]---
RIP: 0010:__list_del_entry_valid.cold+0x23/0x4f lib/list_debug.c:45
Code: e8 d5 06 1e fe 0f 0b 4c 89 f6 48 c7 c7 e0 26 c6 87 e8 c4 06 1e fe 0f 0b 4c 89 ea 4c 89 f6 48 c7 c7 20 26 c6 87 e8 b0 06 1e fe <0f> 0b 4c 89 e2 4c 89 f6 48 c7 c7 80 26 c6 87 e8 9c 06 1e fe 0f 0b
RSP: 0018:ffff8880994076d8 EFLAGS: 00010286
RAX: 000000000000004e RBX: 1ffff11013280ee9 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815c2526 RDI: ffffed1013280ecd
RBP: ffff8880994076f0 R08: 000000000000004e R09: ffffed1015d060d1
R10: ffffed1015d060d0 R11: ffff8880ae830687 R12: dead000000000122
R13: dead000000000100 R14: ffff88808ecdbfb0 R15: ffff88808ecdbfb8
FS:  00007fb2aca54700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffee6574f58 CR3: 00000000a8e6d000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (15):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-root 2019/08/25 02:04 upstream 361469211f87 d21c5d9d .config log report syz
ci-upstream-linux-next-kasan-gce-root 2019/10/16 13:10 linux-next 0e9d28bc6c81 d4ea592f .config log report syz
ci-upstream-kasan-gce-smack-root 2022/07/01 23:40 upstream a175eca0f3d7 1434eec0 .config log report info BUG: corrupted list in p9_fd_cancelled
ci-upstream-kasan-gce-selinux-root 2022/05/16 03:01 upstream bc403203d65a 744a39e2 .config log report info BUG: corrupted list in p9_fd_cancelled
ci-upstream-kasan-gce-smack-root 2022/04/22 10:58 upstream 59f0c2447e25 2738b391 .config log report info BUG: corrupted list in p9_fd_cancelled
ci-upstream-kasan-gce-root 2021/12/02 22:38 upstream a51e3ac43ddb 61f86278 .config log report info BUG: corrupted list in p9_fd_cancelled
ci-upstream-kasan-gce-root 2021/11/20 11:48 upstream 9539ba4308ad 3a9d0024 .config log report info BUG: corrupted list in p9_fd_cancelled
ci-qemu-upstream-386 2022/09/11 20:25 upstream 4ed9c1e971b1 356d8217 .config log report info BUG: corrupted list in p9_fd_cancelled
ci-upstream-linux-next-kasan-gce-root 2022/05/16 23:06 linux-next 3f7bdc402fb0 744a39e2 .config log report info BUG: corrupted list in p9_fd_cancelled
ci-upstream-linux-next-kasan-gce-root 2022/05/14 08:35 linux-next 1e1b28b936ae 744a39e2 .config log report info BUG: corrupted list in p9_fd_cancelled
ci-upstream-linux-next-kasan-gce-root 2022/05/11 10:26 linux-next 38a288f5941e 8d7b3b67 .config log report info BUG: corrupted list in p9_fd_cancelled
ci-upstream-linux-next-kasan-gce-root 2022/05/08 02:42 linux-next 38a288f5941e e60b1103 .config log report info BUG: corrupted list in p9_fd_cancelled
ci-upstream-linux-next-kasan-gce-root 2022/05/06 22:35 linux-next 38a288f5941e e60b1103 .config log report info BUG: corrupted list in p9_fd_cancelled
ci-upstream-linux-next-kasan-gce-root 2022/04/30 23:15 linux-next 5469f0c06732 2df221f6 .config log report info BUG: corrupted list in p9_fd_cancelled
ci-upstream-linux-next-kasan-gce-root 2022/04/24 05:34 linux-next f1244c81da13 131df97d .config log report info BUG: corrupted list in p9_fd_cancelled
* Struck through repros no longer work on HEAD.