syzbot


BUG: corrupted list in process_one_work

Status: upstream: reported C repro on 2022/04/10 06:05
Reported-by: syzbot+badfd07a93cffefd7317@syzkaller.appspotmail.com
Fix commit: d007f49ab789 percpu_ref_init(): clean ->percpu_count_ref on failure
Patched on: [ci2-android-5-10 ci2-android-5-10-perf], missing on: []
First crash: 350d, last: 265d

Cause bisection: failed (error log, bisect log)

Fix bisection: fixed by (bisect log) :
commit d007f49ab789bee8ed76021830b49745d5feaf61
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Wed May 18 06:13:40 2022 +0000

  percpu_ref_init(): clean ->percpu_count_ref on failure

similar bugs (5):
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | BUG: corrupted list in process_one_work | | | | 16 | 1706d | 1718d | 0/24 | closed as invalid on 2018/09/05 12:51 |
| android-5-15 | KASAN: use-after-free Read in process_one_work | C | unreliable | | 38 | 6d04h | 146d | 0/2 | upstream: reported C repro on 2022/10/31 08:36 |
| upstream | general protection fault in process_one_work (2) | | | | 1 | 614d | 610d | 0/24 | auto-closed as invalid on 2021/09/17 12:34 |
| upstream | KASAN: slab-out-of-bounds Read in process_one_work | | | | 1 | 149d | 145d | 0/24 | auto-obsoleted due to no activity on 2023/01/25 20:05 |
| android-54 | KASAN: use-after-free Read in process_one_work | | | | 1 | 5d15h | 5d15h | 0/2 | upstream: reported on 2023/03/20 18:33 |
Last patch testing requests:
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2022/08/30 17:30 | 16m | tadeusz.struk@linaro.org | | android12-5.10-lts | OK log |
| 2022/06/03 17:44 | 17m | tadeusz.struk@linaro.org | | https://github.com/tstruk/linux.git master | OK |
| 2022/06/02 18:06 | 17m | tadeusz.struk@linaro.org | | https://github.com/tstruk/linux.git master | OK |
| 2022/05/26 00:54 | 9m | tadeusz.struk@linaro.org | patch | android12-5.10-lts | report log |
| 2022/05/23 20:48 | 16m | tadeusz.struk@linaro.org | patch | android12-5.10-lts | report log |
| 2022/05/23 19:32 | 16m | tadeusz.struk@linaro.org | patch | git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | report log |
| 2022/05/23 19:31 | 10m | tadeusz.struk@linaro.org | patch | android12-5.10-lts | report log |
| 2022/05/23 17:33 | 19m | tadeusz.struk@linaro.org | patch | android12-5.10-lts | report log |
| 2022/05/23 17:31 | 19m | tadeusz.struk@linaro.org | patch | git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | OK |
| 2022/05/20 20:05 | 9m | tadeusz.struk@linaro.org | patch | https://android.googlesource.com/kernel/common android12-5.10 | report log |
| 2022/05/20 18:51 | 10m | tadeusz.struk@linaro.org | patch | android12-5.10-lts | report log |
| 2022/05/20 18:49 | 16m | tadeusz.struk@linaro.org | patch | git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | OK |
| 2022/05/16 19:50 | 8m | tadeusz.struk@linaro.org | | android12-5.10-lts | report log |
| 2022/05/16 15:41 | 8m | tadeusz.struk@linaro.org | | git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | report log |
| 2022/05/16 15:21 | 9m | tadeusz.struk@linaro.org | | git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | report log |
| 2022/05/12 20:30 | 7m | tadeusz.struk@linaro.org | | git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | report log |
| 2022/05/12 00:00 | 7m | tadeusz.struk@linaro.org | | git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | report log |
| 2022/05/11 20:54 | 11m | tadeusz.struk@linaro.org | | git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | report log |
| 2022/05/06 18:03 | 12m (58) | tadeusz.struk@linaro.org | | https://android.googlesource.com/kernel/common android12-5.10 | report log |
| 2022/04/12 17:11 | 7m | tadeusz.struk@linaro.org | patch | git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | report log |
| 2022/04/12 01:10 | 9m | tadeusz.struk@linaro.org | patch | git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | OK |
| 2022/04/12 00:46 | 11m | tadeusz.struk@linaro.org | patch | https://android.googlesource.com/kernel/common android12-5.10 | OK |
| 2022/04/11 14:21 | 9m | tadeusz.struk@linaro.org | | git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master | report log |

Sample crash report:
list_del corruption. next->prev should be ffffffff862f6c48, but was ffff8881f715c060
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:56!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 24 Comm: kworker/1:1 Not tainted 5.10.109-syzkaller-00693-g414e6c8e941c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events destroy_list_workfn

RIP: 0010:__list_del_entry_valid+0xf9/0x100 lib/list_debug.c:54
Code: 7a d3 3f 02 0f 0b 48 c7 c7 e0 ca 43 85 4c 89 f6 31 c0 e8 67 d3 3f 02 0f 0b 48 c7 c7 40 cb 43 85 4c 89 f6 31 c0 e8 54 d3 3f 02 <0f> 0b 0f 1f 44 00 00 55 48 89 e5 be 08 00 00 00 48 c7 c7 20 d2 54
RSP: 0018:ffffc9000019fcf8 EFLAGS: 00010046

RAX: 0000000000000054 RBX: ffff8881061e2c78 RCX: 004ae6d477344a00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc9000019fd18 R08: ffffffff8153b3c8 R09: ffffed103ee2a5d8
R10: ffffed103ee2a5d8 R11: 1ffff1103ee2a5d7 R12: dffffc0000000000
R13: ffffffff862f6c48 R14: ffffffff862f6c48 R15: ffff8881f7155720
FS:  0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb511cfb2f0 CR3: 00000001069bd000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_del_entry include/linux/list.h:132 [inline]
 list_del_init include/linux/list.h:204 [inline]
 process_one_work+0x445/0xc10 kernel/workqueue.c:2240
 worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
 kthread+0x349/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:

---[ end trace 38d67c29ca1c8c64 ]---
RIP: 0010:__list_del_entry_valid+0xf9/0x100 lib/list_debug.c:54
Code: 7a d3 3f 02 0f 0b 48 c7 c7 e0 ca 43 85 4c 89 f6 31 c0 e8 67 d3 3f 02 0f 0b 48 c7 c7 40 cb 43 85 4c 89 f6 31 c0 e8 54 d3 3f 02 <0f> 0b 0f 1f 44 00 00 55 48 89 e5 be 08 00 00 00 48 c7 c7 20 d2 54
RSP: 0018:ffffc9000019fcf8 EFLAGS: 00010046

RAX: 0000000000000054 RBX: ffff8881061e2c78 RCX: 004ae6d477344a00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc9000019fd18 R08: ffffffff8153b3c8 R09: ffffed103ee2a5d8
R10: ffffed103ee2a5d8 R11: 1ffff1103ee2a5d7 R12: dffffc0000000000
R13: ffffffff862f6c48 R14: ffffffff862f6c48 R15: ffff8881f7155720
FS:  0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb511cfb2f0 CR3: 00000001069bd000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (2):
| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ci2-android-5-10 | 2022/04/10 06:03 | android12-5.10-lts | 414e6c8e941c | e22c3da3 | .config | console log | report | syz | C | | | BUG: corrupted list in process_one_work |
| ci2-android-5-10-perf | 2022/07/03 19:44 | android12-5.10-lts | fa7f6a5f56d9 | 1434eec0 | .config | console log | report | | | info | | BUG: corrupted list in process_one_work |