syzbot


BUG: corrupted list in insert_work

Status: upstream: reported C repro on 2022/04/07 16:56
Reported-by: syzbot+e42ae441c3b10acf9e9d@syzkaller.appspotmail.com
Fix commit: d007f49ab789 percpu_ref_init(): clean ->percpu_count_ref on failure
Patched on: [ci2-android-5-10 ci2-android-5-10-perf], missing on: []
First crash: 1101d, last: 862d
Cause bisection: introduced by (bisect log) :
commit 0d6882dd158e559b291a2d1b045a65bc2fa4fc58
Author: Maxime Ripard <maxime@cerno.tech>
Date: Sat Feb 19 12:07:55 2022 +0000

  ARM: boot: dts: bcm2711: Fix HVS register range

Crash: BUG: corrupted list in insert_work (log)
Repro: C syz .config
  
Fix bisection: fixed by (bisect log) :
commit d007f49ab789bee8ed76021830b49745d5feaf61
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Wed May 18 06:13:40 2022 +0000

  percpu_ref_init(): clean ->percpu_count_ref on failure

  
Discussions (4)
Title Replies (including bot) Last reply
[PATCH] cgroup: serialize css kill and release paths 9 (9) 2022/06/09 14:55
[PATCH 0/2] cgroup_subsys_state lifecycle fixups 20 (20) 2022/06/02 14:28
[PATCH] cgroup: don't queue css_release_work if one already pending 19 (19) 2022/05/23 21:27
Re: [PATCH] cgroup: don't queue css_release_work if one already pending 1 (1) 2022/04/13 15:39
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-15 KASAN: use-after-free Read in insert_work 1 611d 611d 0/2 auto-obsoleted due to no activity on 2023/06/23 11:29
Last patch testing requests (99)
Created Duration User Patch Repo Result
2022/08/30 17:49 16m tadeusz.struk@linaro.org android12-5.10-lts OK log
2022/06/08 03:47 16m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 report log
2022/06/08 03:39 7m tadeusz.struk@linaro.org patch android12-5.10-lts report log
2022/06/08 03:36 8m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 report log
2022/06/07 17:41 9m tadeusz.struk@linaro.org patch android12-5.10-lts report log
2022/06/07 16:17 13m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 report log
2022/06/07 15:50 16m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 OK
2022/06/07 15:46 8m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 report log
2022/06/07 14:50 17m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 report log
2022/06/07 03:51 16m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 report log
2022/06/07 03:30 16m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 OK
2022/06/07 02:29 16m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 report log
2022/06/07 01:03 16m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 report log
2022/06/06 22:11 12m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 report log
2022/06/06 21:43 8m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 report log
2022/06/06 21:32 4m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 error
2022/06/06 20:55 12m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 report log
2022/06/06 19:56 8m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 report log
2022/06/06 19:41 9m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 report log
2022/06/06 19:10 8m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 report log
2022/06/06 18:58 9m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git android12-5.10 report log
2022/06/06 18:32 17m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/06/06 18:09 18m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/06/06 17:07 16m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/06/06 17:02 16m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git tmp_test_cgroup OK
2022/06/06 16:39 18m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/06/06 16:19 16m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/06/03 16:26 19m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/06/03 15:04 16m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/06/03 14:57 16m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/06/02 22:35 21m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/06/02 20:26 7m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master report log
2022/06/02 20:13 7m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master report log
2022/06/02 20:08 4m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master error
2022/06/02 19:48 7m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master report log
2022/06/02 19:21 8m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master report log
2022/06/02 19:03 8m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master report log
2022/06/02 18:50 16m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/06/02 16:30 18m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/06/02 16:05 17m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/06/01 22:24 16m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/06/01 22:08 17m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/06/01 21:17 16m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/06/01 21:14 16m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y OK
2022/06/01 20:48 20m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/06/01 19:58 9m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/06/01 18:59 10m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/06/01 18:53 8m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/06/01 17:58 7m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y error
2022/06/01 17:44 9m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/06/01 17:36 8m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/06/01 17:25 8m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/06/01 17:00 12m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y error
2022/06/01 16:55 8m tadeusz.struk@linaro.org https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y report log
2022/06/01 16:34 12m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y error
2022/06/01 15:09 14m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y error
2022/06/01 14:33 12m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y error
2022/06/01 14:13 16m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y error
2022/05/31 22:57 15m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y error
2022/05/31 22:53 0m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y error
2022/05/31 21:12 16m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y error
2022/05/31 20:54 11m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y error
2022/05/31 20:44 4m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y error
2022/05/31 20:17 0m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y error
2022/05/31 19:40 9m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/05/31 19:28 0m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y error
2022/05/31 18:53 8m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/05/31 18:22 12m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/05/31 17:53 12m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/05/27 22:33 11m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/05/27 22:21 8m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/05/27 20:10 9m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/05/27 19:47 10m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/05/27 19:21 10m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/05/27 17:50 15m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/05/27 17:21 7m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y report log
2022/05/27 16:53 9m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git linux-5.10.y error
2022/05/27 16:15 15m tadeusz.struk@linaro.org https://github.com/tstruk/linux.git master OK
2022/05/27 16:14 14m mkoutny@suse.com https://github.com/Werkov/linux.git cgroup-ml/css-lifecycle-b2 report log
2022/05/26 16:15 9m mkoutny@suse.com https://github.com/Werkov/linux.git cgroup-ml/css-lifecycle-b2 report log
2022/05/26 15:55 7m mkoutny@suse.com https://github.com/Werkov/linux.git cgroup-ml/css-lifecycle-syzbot report log
2022/05/26 09:54 13m mkoutny@suse.com https://github.com/Werkov/linux.git cgroup-ml/css-lifecycle-syzbot report log
2022/05/23 20:49 16m tadeusz.struk@linaro.org patch android12-5.10-lts OK
2022/05/23 19:31 9m tadeusz.struk@linaro.org patch android12-5.10-lts report log
2022/05/23 17:33 16m tadeusz.struk@linaro.org patch android12-5.10-lts OK
2022/05/23 17:32 16m tadeusz.struk@linaro.org patch git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master OK
2022/05/20 18:50 9m tadeusz.struk@linaro.org patch android12-5.10-lts report log
2022/05/20 18:50 16m tadeusz.struk@linaro.org patch git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master OK
2022/05/18 16:49 15m tadeusz.struk@linaro.org git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2022/05/18 16:49 13m tadeusz.struk@linaro.org android12-5.10-lts report log
2022/05/16 20:08 15m tadeusz.struk@linaro.org git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2022/05/16 20:07 7m tadeusz.struk@linaro.org android12-5.10-lts report log
2022/05/12 17:43 8m tadeusz.struk@linaro.org android12-5.10-lts report log
2022/05/11 20:53 15m tadeusz.struk@linaro.org git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2022/04/12 17:11 9m tadeusz.struk@linaro.org patch git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2022/04/12 16:40 10m tadeusz.struk@linaro.org patch git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master OK
2022/04/12 00:45 14m tadeusz.struk@linaro.org patch https://android.googlesource.com/kernel/common android12-5.10 OK
2022/04/08 17:09 13m tadeusz.struk@linaro.org android12-5.10-lts report log
2022/04/07 18:07 11m tadeusz.struk@linaro.org https://android.googlesource.com/kernel/common android12-5.10 OK
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2022/08/16 02:29 3h28m bisect fix android12-5.10-lts OK (1) job log
2022/06/09 07:12 16m bisect fix android12-5.10-lts OK (0) job log log

Sample crash report:
list_add corruption. prev->next should be next (ffff8881f705c060), but was ffff888113123870. (prev=ffff888113123870).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G        W         5.10.112-syzkaller-00287-gde64d941a71a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 80 d3 43 85 4c 89 e6 4c 89 f1 31 c0 e8 9d 08 40 02 0f 0b 48 c7 c7 40 d4 43 85 4c 89 f6 4c 89 e1 31 c0 e8 87 08 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc900000c77e0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705c068 RCX: 1dcf49864b76af00
RDX: 0000000080000101 RSI: 0000000080000101 RDI: 0000000000000000
RBP: ffffc900000c7808 R08: ffffffff8153aa88 R09: ffffed103ee0a5d8
R10: ffffed103ee0a5d8 R11: 1ffff1103ee0a5d7 R12: ffff888113123870
R13: dffffc0000000000 R14: ffff8881f705c060 R15: ffff888113123870
FS:  0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc8eceb3a43 CR3: 000000011d88f000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_add include/linux/list.h:67 [inline]
 list_add_tail include/linux/list.h:100 [inline]
 insert_work+0x107/0x330 kernel/workqueue.c:1352
 __queue_work+0x971/0xd30 kernel/workqueue.c:1514
 queue_work_on+0xf2/0x150 kernel/workqueue.c:1541
 queue_work include/linux/workqueue.h:513 [inline]
 css_release+0xae/0xc0 kernel/cgroup/cgroup.c:5161
 percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
 percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
 percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline]
 percpu_ref_switch_to_atomic_rcu+0x5a2/0x5b0 lib/percpu-refcount.c:199
 rcu_do_batch+0x4f8/0xbc0 kernel/rcu/tree.c:2485
 rcu_core+0x59b/0xe30 kernel/rcu/tree.c:2722
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2735
 __do_softirq+0x27e/0x596 kernel/softirq.c:305
 run_ksoftirqd+0x23/0x30 kernel/softirq.c:667
 smpboot_thread_fn+0x551/0x930 kernel/smpboot.c:164
 kthread+0x349/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace d4de1ca9cdcd19af ]---
RIP: 0010:__list_add_valid+0xc6/0xd0 lib/list_debug.c:26
Code: 48 c7 c7 80 d3 43 85 4c 89 e6 4c 89 f1 31 c0 e8 9d 08 40 02 0f 0b 48 c7 c7 40 d4 43 85 4c 89 f6 4c 89 e1 31 c0 e8 87 08 40 02 <0f> 0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 54 53 49
RSP: 0018:ffffc900000c77e0 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f705c068 RCX: 1dcf49864b76af00
RDX: 0000000080000101 RSI: 0000000080000101 RDI: 0000000000000000
RBP: ffffc900000c7808 R08: ffffffff8153aa88 R09: ffffed103ee0a5d8
R10: ffffed103ee0a5d8 R11: 1ffff1103ee0a5d7 R12: ffff888113123870
R13: dffffc0000000000 R14: ffff8881f705c060 R15: ffff888113123870
FS:  0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc8eceb3a43 CR3: 000000011d88f000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (9):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/05/10 07:12 android12-5.10-lts de64d941a71a 8b277b8e .config strace log report syz C ci2-android-5-10 BUG: corrupted list in insert_work
2022/04/08 15:28 android12-5.10-lts 414e6c8e941c c6ff3e05 .config console log report syz C ci2-android-5-10 BUG: corrupted list in insert_work
2022/03/30 22:06 android12-5.10-lts 414e6c8e941c 42718dd6 .config console log report syz C ci2-android-5-10 BUG: corrupted list in insert_work
2022/07/17 02:28 android12-5.10-lts ebc9fb07d294 95cb00d1 .config console log report syz C ci2-android-5-10 BUG: corrupted list in insert_work
2022/06/21 19:20 android12-5.10-lts fdd06dc6b0f8 0fc5c330 .config console log report info ci2-android-5-10-perf BUG: corrupted list in insert_work
2022/06/12 05:42 android12-5.10-lts fdd06dc6b0f8 0d5abf15 .config console log report info ci2-android-5-10 BUG: corrupted list in insert_work
2022/04/25 20:57 android12-5.10-lts e08dd85cc95e 152baedd .config console log report info ci2-android-5-10 BUG: corrupted list in insert_work
2022/01/26 04:55 android12-5.10-lts 0347b1658399 2cbffd88 .config console log report info ci2-android-5-10 BUG: corrupted list in insert_work
2021/11/20 12:00 android12-5.10-lts 76698ea35fd3 4eb20a4e .config console log report info ci2-android-5-10 BUG: corrupted list in insert_work
* Struck through repros no longer work on HEAD.