syzbot


BUG: corrupted list in io_uring_del_tctx_node

Status: moderation: reported on 2022/09/25 17:19
Reported-by: syzbot+2fa3c4867d6dfa98315f@syzkaller.appspotmail.com
First crash: 75d, last: 75d

Sample crash report:
list_del corruption. prev->next should be ffff00011ebfc200, but was ffff00010b8c2f28. (prev=ffff00010b8c2f28)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:61!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 16688 Comm: syz-executor.3 Not tainted 6.0.0-rc6-syzkaller-17742-gc194837ebb57 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __list_del_entry_valid+0xbc/0xd0 lib/list_debug.c:59
lr : __list_del_entry_valid+0xbc/0xd0 lib/list_debug.c:59
sp : ffff800013463af0
x29: ffff800013463af0 x28: ffff0000eb47b500 x27: 0000000000000000
x26: 0000000000000098 x25: ffff00011f4ed8e8 x24: ffff00011f4ed898
x23: ffff00011f4ed940 x22: ffff80000cc5f057 x21: ffff0000eb47b500
x20: ffff00011f4ed800 x19: ffff00011ebfc200 x18: 00000000000003d0
x17: ffff80000bffd6bc x16: ffff80000db49158 x15: ffff0000eb47b500
x14: 0000000000000000 x13: 00000000ffffffff x12: ffff0000eb47b500
x11: ff808000081c1630 x10: 0000000000000000 x9 : d1b96e4997174f00
x8 : d1b96e4997174f00 x7 : ffff8000081625f0 x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefddcd0 x1 : 0000000100000000 x0 : 000000000000006d
Call trace:
 __list_del_entry_valid+0xbc/0xd0 lib/list_debug.c:59
 __list_del_entry include/linux/list.h:134 [inline]
 list_del include/linux/list.h:148 [inline]
 io_uring_del_tctx_node+0x74/0x114 io_uring/tctx.c:176
 io_uring_clean_tctx+0x60/0xe8 io_uring/tctx.c:191
 io_uring_cancel_generic+0x2f0/0x390 io_uring/io_uring.c:2852
 __io_uring_cancel+0x24/0x34 io_uring/io_uring.c:2866
 io_uring_files_cancel include/linux/io_uring.h:44 [inline]
 do_exit+0x8c/0xbe0 kernel/exit.c:750
 do_group_exit+0x70/0xe8 kernel/exit.c:925
 get_signal+0xb0c/0xb40 kernel/signal.c:2857
 do_signal+0x128/0x438 arch/arm64/kernel/signal.c:1071
 do_notify_resume+0xc0/0x1f0 arch/arm64/kernel/signal.c:1124
 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
 el0_svc+0x9c/0x150 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
 el0t_64_sync+0x18c/0x190
Code: 9001b460 912d2000 aa0803e3 94a768fe (d4210000) 
---[ end trace 0000000000000000 ]---

Crashes (1):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-gce-arm64 2022/09/24 16:52 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci c194837ebb57 0042f2b4 .config log report info BUG: corrupted list in io_uring_del_tctx_node
* Struck through repros no longer work on HEAD.