!!!!! css_release css ffff88810f2bf400 !!! list_add corruption. prev->next should be next (ffff8881f715b560), but was ffff88810f2bf470. (prev=ffff88810f2bf470). ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:28! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 141 Comm: syslogd Tainted: G W 5.10.119-syzkaller-00165-gfa2b08b7db86 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26 Code: f1 31 c0 e8 b7 cb 1b 02 0f 0b 48 c7 c7 50 3b d6 85 e8 b6 f2 19 00 48 c7 c7 a0 f3 02 85 4c 89 f6 4c 89 e1 31 c0 e8 95 cb 1b 02 <0f> 0b 48 c7 c7 60 3b d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5 RSP: 0018:ffffc90000160bc0 EFLAGS: 00010046 RAX: 0000000000000075 RBX: ffff8881f715b568 RCX: efd15470297f1700 RDX: 0000000000000101 RSI: 0000000000000101 RDI: 0000000000000000 RBP: ffffc90000160be8 R08: ffffffff81514558 R09: fffff5200002c145 R10: fffff5200002c145 R11: 1ffff9200002c144 R12: ffff88810f2bf470 R13: dffffc0000000000 R14: ffff8881f715b560 R15: ffff88810f2bf470 FS: 00007fddd7e81800(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb2ff5c1ff8 CR3: 00000001093b7000 CR4: 00000000003506a0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __list_add include/linux/list.h:67 [inline] list_add_tail include/linux/list.h:100 [inline] insert_work+0xfc/0x330 kernel/workqueue.c:1342 __queue_work+0x99e/0xe20 kernel/workqueue.c:1504 queue_work_on+0xbe/0x110 kernel/workqueue.c:1531 queue_work include/linux/workqueue.h:507 [inline] css_release+0xdb/0x100 kernel/cgroup/cgroup.c:5117 percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline] percpu_ref_put include/linux/percpu-refcount.h:338 [inline] percpu_ref_call_confirm_rcu lib/percpu-refcount.c:162 [inline] percpu_ref_switch_to_atomic_rcu+0x5be/0x5e0 lib/percpu-refcount.c:199 rcu_do_batch+0x4ad/0xb00 kernel/rcu/tree.c:2485 rcu_core+0x64a/0xdf0 kernel/rcu/tree.c:2726 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2739 __do_softirq+0x253/0x67b kernel/softirq.c:298 asm_call_irq_on_stack+0xf/0x20 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:393 [inline] __irq_exit_rcu+0x152/0x1e0 kernel/softirq.c:423 irq_exit_rcu+0x9/0x10 kernel/softirq.c:435 sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635 RIP: 0010:__seqprop_spinlock_sequence include/linux/seqlock.h:277 [inline] RIP: 0010:path_init+0x162/0x1120 fs/namei.c:2213 Code: be ff 89 d8 83 e0 01 4c 89 6d 98 75 0a 4d 89 e5 e8 d3 41 be ff eb 5f 49 c7 c6 c0 d5 a0 85 49 c1 ee 03 66 0f 1f 44 00 00 f3 90 <48> b8 00 00 00 00 00 fc ff df 41 0f b6 04 06 84 c0 75 12 8b 1d 45 RSP: 0018:ffffc90000b47af0 EFLAGS: 00000293 RAX: ffffffff81aac985 RBX: 00000000000004d9 RCX: ffff888109418f40 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffffc90000b47b88 R08: ffffffff81aac93a R09: ffffed1021c4c4ab R10: ffffed1021c4c4ab R11: 1ffff11021c4c4aa R12: ffff88810f1a5520 R13: ffffc90000b47d78 R14: 1ffffffff0b41ab8 R15: ffffc90000b47d40 path_openat+0x11a/0x3210 fs/namei.c:3355 do_filp_open+0x2ef/0x3e0 fs/namei.c:3389 do_sys_openat2+0xce/0x390 fs/open.c:1180 do_sys_open fs/open.c:1196 [inline] __do_sys_openat fs/open.c:1212 [inline] __se_sys_openat fs/open.c:1207 [inline] __x64_sys_openat+0x1e6/0x210 fs/open.c:1207 do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7fddd800d697 Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f RSP: 002b:00007ffde34aae50 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 000055b7fd2202c0 RCX: 00007fddd800d697 RDX: 0000000000000d41 RSI: 00007fddd819b99a RDI: 00000000ffffff9c RBP: 00007fddd819b99a R08: 00007fddd809d040 R09: 00007fddd809d0c0 R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000d41 R13: 000055b7fd220400 R14: 0000000000000004 R15: 000055b7fd220410 Modules linked in: ---[ end trace ce307978c4e22eef ]--- RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26 Code: f1 31 c0 e8 b7 cb 1b 02 0f 0b 48 c7 c7 50 3b d6 85 e8 b6 f2 19 00 48 c7 c7 a0 f3 02 85 4c 89 f6 4c 89 e1 31 c0 e8 95 cb 1b 02 <0f> 0b 48 c7 c7 60 3b d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5 RSP: 0018:ffffc90000160bc0 EFLAGS: 00010046 RAX: 0000000000000075 RBX: ffff8881f715b568 RCX: efd15470297f1700 RDX: 0000000000000101 RSI: 0000000000000101 RDI: 0000000000000000 RBP: ffffc90000160be8 R08: ffffffff81514558 R09: fffff5200002c145 R10: fffff5200002c145 R11: 1ffff9200002c144 R12: ffff88810f2bf470 R13: dffffc0000000000 R14: ffff8881f715b560 R15: ffff88810f2bf470 FS: 00007fddd7e81800(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb2ff5c1ff8 CR3: 00000001093b7000 CR4: 00000000003506a0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: be ff 89 d8 83 mov $0x83d889ff,%esi 5: e0 01 loopne 0x8 7: 4c 89 6d 98 mov %r13,-0x68(%rbp) b: 75 0a jne 0x17 d: 4d 89 e5 mov %r12,%r13 10: e8 d3 41 be ff callq 0xffbe41e8 15: eb 5f jmp 0x76 17: 49 c7 c6 c0 d5 a0 85 mov $0xffffffff85a0d5c0,%r14 1e: 49 c1 ee 03 shr $0x3,%r14 22: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 28: f3 90 pause * 2a: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax <-- trapping instruction 31: fc ff df 34: 41 0f b6 04 06 movzbl (%r14,%rax,1),%eax 39: 84 c0 test %al,%al 3b: 75 12 jne 0x4f 3d: 8b .byte 0x8b 3e: 1d .byte 0x1d 3f: 45 rex.RB