syzbot


BUG: corrupted list in kernfs_put_open_node (2)

Status: auto-closed as invalid on 2021/12/15 21:59
Subsystems: kernfs
Reported-by: syzbot+7751c073b5e23286f687@syzkaller.appspotmail.com
First crash: 953d, last: 953d
Similar bugs (1)
Kernel: upstream
Title: BUG: corrupted list in kernfs_put_open_node
Subsystems: kernfs
Repro: none
Cause bisect: none
Fix bisect: none
Count: 1
Last: 2180d
Reported: 2180d
Patched: 0/26
Status: closed as invalid on 2018/06/27 15:18

Sample crash report:
list_del corruption. prev->next should be 86e9dfac, but was 00000000
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:51!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 3067 Comm: udevd Not tainted 5.12.0-rc3-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at __list_del_entry_valid+0x84/0x9c lib/list_debug.c:51
LR is at wake_up_klogd.part.0+0x7c/0xb4 kernel/printk/printk.c:3118
pc : [<80807340>]    lr : [<802d21b0>]    psr: 600e0093
sp : 85853e60  ip : 85853d90  fp : 85853e6c
r10: 5ac3c35a  r9 : 85675734  r8 : 85d673c0
r7 : 84523b60  r6 : 600e0013  r5 : 86e9df00  r4 : 86eebb40
r3 : 00000000  r2 : 00000000  r1 : ddfc0688  r0 : 00000044
Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 85864540  DAC: fffffffd
Process udevd (pid: 3067, stack limit = 0x85852210)
Stack: (0x85853e60 to 0x85854000)
3e60: 85853e8c 85853e70 805bae88 808072c8 85f63180 8745c3c0 86e9df00 84523b60
3e80: 85853eac 85853e90 805baf30 805bae50 8745c3c0 85f63180 000a800d 857a1550
3ea0: 85853ee4 85853eb0 804dc2e0 805baf04 85853edc 85853ec0 80384db8 8181ca64
3ec0: 00000000 856756e4 85675140 82c6ba40 81f4a770 85675734 85853ef4 85853ee8
3ee0: 804dc524 804dc250 85853f1c 85853ef8 80270030 804dc520 ffffe000 85853fb0
3f00: 80200224 85852000 fffffe30 81f42a14 85853fac 85853f20 8020ce3c 8026ff9c
3f20: 8745c3c0 00000000 85853f4c 85853f38 804dc0d8 8026fdd4 5ac3c35a 82a2244c
3f40: 85853f5c 85853f50 804dc564 804dc07c 85853f7c 85853f60 804d5158 804dc534
3f60: 837248c0 76d1ec18 00000000 00000006 85853f94 85853f80 80502460 56b92eae
3f80: 01734ec8 01734ec8 76d1ec18 00000000 00000006 80200224 85852000 00000006
3fa0: 00000000 85853fb0 80200098 8020c928 00000000 00000000 000005e8 76c3d894
3fc0: 01734ec8 76d1ec18 00000000 00000006 00000007 00000000 0004023d 00040246
3fe0: 00000000 7ebd21c4 76c3f1bc 76ca4950 200e0010 0000000c 00000000 00000000
Backtrace: 
[<808072bc>] (__list_del_entry_valid) from [<805bae88>] (__list_del_entry include/linux/list.h:132 [inline])
[<808072bc>] (__list_del_entry_valid) from [<805bae88>] (list_del include/linux/list.h:146 [inline])
[<808072bc>] (__list_del_entry_valid) from [<805bae88>] (kernfs_put_open_node+0x44/0xb4 fs/kernfs/file.c:584)
[<805bae44>] (kernfs_put_open_node) from [<805baf30>] (kernfs_fop_release+0x38/0x88 fs/kernfs/file.c:760)
 r7:84523b60 r6:86e9df00 r5:8745c3c0 r4:85f63180
[<805baef8>] (kernfs_fop_release) from [<804dc2e0>] (__fput+0x9c/0x264 fs/file_table.c:280)
 r7:857a1550 r6:000a800d r5:85f63180 r4:8745c3c0
[<804dc244>] (__fput) from [<804dc524>] (____fput+0x10/0x14 fs/file_table.c:313)
 r9:85675734 r8:81f4a770 r7:82c6ba40 r6:85675140 r5:856756e4 r4:00000000
[<804dc514>] (____fput) from [<80270030>] (task_work_run+0xa0/0xdc kernel/task_work.c:140)
[<8026ff90>] (task_work_run) from [<8020ce3c>] (tracehook_notify_resume include/linux/tracehook.h:189 [inline])
[<8026ff90>] (task_work_run) from [<8020ce3c>] (do_work_pending+0x520/0x648 arch/arm/kernel/signal.c:672)
 r9:81f42a14 r8:fffffe30 r7:85852000 r6:80200224 r5:85853fb0 r4:ffffe000
[<8020c91c>] (do_work_pending) from [<80200098>] (slow_work_pending+0xc/0x20)
Exception stack(0x85853fb0 to 0x85853ff8)
3fa0:                                     00000000 00000000 000005e8 76c3d894
3fc0: 01734ec8 76d1ec18 00000000 00000006 00000007 00000000 0004023d 00040246
3fe0: 00000000 7ebd21c4 76c3f1bc 76ca4950 200e0010 0000000c
 r10:00000006 r9:85852000 r8:80200224 r7:00000006 r6:00000000 r5:76d1ec18
 r4:01734ec8
Code: e1a01000 e3000880 e34801fa eb3ffb0c (e7f001f2) 
---[ end trace 741d5c2bb4d4e10b ]---
----------------
Code disassembly (best guess):
   0:	e1a01000 	mov	r1, r0
   4:	e3000880 	movw	r0, #2176	; 0x880
   8:	e34801fa 	movt	r0, #33274	; 0x81fa
   c:	eb3ffb0c 	bl	0xffec44
* 10:	e7f001f2 	udf	#18 <-- trapping instruction

Crashes (1):
Time: 2021/09/16 21:58
Kernel: upstream
Commit: bf152b0b41dc
Syzkaller: 7612dc77
Config: .config
Log: console log
Report: report
Syz repro: none
C repro: none
VM info: info
Manager: ci-qemu2-arm32
Title: BUG: corrupted list in kernfs_put_open_node