Re: general protection fault in kernfs_kill_sb (2)
Hi Al, On Mon, 14 May 2018 05:04:15 +0100 Al Virowrote: > > On Mon, May 14, 2018 at 12:20:16PM +0900, Tetsuo Handa wrote: > > > But there remains a refcount bug because deactivate_locked_super() from > > kernfs_mount_ns() triggers kobj_ns_drop() from sysfs_kill_sb() via > > sb->kill_sb() when kobj_ns_drop() is always called by sysfs_mount() > > if kernfs_mount_ns() returned an error. > > Trivial: > > unfuck sysfs_mount() > > Signed-off-by: Al Viro I noticed this turn up in linux-next today. Can I ask that you please add an actual commit message to it before sending it on to Linus. -- Cheers, Stephen Rothwell pgpt80ZhcWVlk.pgp Description: OpenPGP digital signature
Re: general protection fault in kernfs_kill_sb (2)
Hi Al, On Mon, 14 May 2018 05:04:15 +0100 Al Viro wrote: > > On Mon, May 14, 2018 at 12:20:16PM +0900, Tetsuo Handa wrote: > > > But there remains a refcount bug because deactivate_locked_super() from > > kernfs_mount_ns() triggers kobj_ns_drop() from sysfs_kill_sb() via > > sb->kill_sb() when kobj_ns_drop() is always called by sysfs_mount() > > if kernfs_mount_ns() returned an error. > > Trivial: > > unfuck sysfs_mount() > > Signed-off-by: Al Viro I noticed this turn up in linux-next today. Can I ask that you please add an actual commit message to it before sending it on to Linus. -- Cheers, Stephen Rothwell pgpt80ZhcWVlk.pgp Description: OpenPGP digital signature
Re: general protection fault in kernfs_kill_sb (2)
On Mon, May 14, 2018 at 05:04:15AM +0100, Al Viro wrote: > diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c > index b428d317ae92..92682fcc41f6 100644 > --- a/fs/sysfs/mount.c > +++ b/fs/sysfs/mount.c > @@ -25,7 +25,7 @@ static struct dentry *sysfs_mount(struct file_system_type > *fs_type, > { > struct dentry *root; > void *ns; > - bool new_sb; > + bool new_sb = false; > > if (!(flags & SB_KERNMOUNT)) { > if (!kobj_ns_current_may_mount(KOBJ_NS_TYPE_NET)) > @@ -35,9 +35,9 @@ static struct dentry *sysfs_mount(struct file_system_type > *fs_type, > ns = kobj_ns_grab_current(KOBJ_NS_TYPE_NET); > root = kernfs_mount_ns(fs_type, flags, sysfs_root, > SYSFS_MAGIC, _sb, ns); > - if (IS_ERR(root) || !new_sb) > + if (!new_sb) > kobj_ns_drop(KOBJ_NS_TYPE_NET, ns); > - else if (new_sb) > + else if (!IS_ERR(root)) > root->d_sb->s_iflags |= SB_I_USERNS_VISIBLE; > > return root; What we want for that kobj_ns_drop() is "no fs instances created" (== no ->kill_sb(), be it now or later, to drop that kobj reference); for setting ->s_iflags - "new instance successfully set up". That's it; all we need is new_sb that would be accurate on its own. The problem is with kludging over the cases when it's left uninitialized (early exits from kernfs_mount_ns()) with IS_ERR(root), which happens to grab the cases when new_sb *was* set to true. So the fix is to initialize new_sb properly and get rid of that kludge. Which turns the whole thing into if (!new_sb) ... if (!IS_ERR(root) && new_sb) ... i.e. if (!new_sb) ... else if (!IS_ERR(root)) ...
Re: general protection fault in kernfs_kill_sb (2)
On Mon, May 14, 2018 at 05:04:15AM +0100, Al Viro wrote: > diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c > index b428d317ae92..92682fcc41f6 100644 > --- a/fs/sysfs/mount.c > +++ b/fs/sysfs/mount.c > @@ -25,7 +25,7 @@ static struct dentry *sysfs_mount(struct file_system_type > *fs_type, > { > struct dentry *root; > void *ns; > - bool new_sb; > + bool new_sb = false; > > if (!(flags & SB_KERNMOUNT)) { > if (!kobj_ns_current_may_mount(KOBJ_NS_TYPE_NET)) > @@ -35,9 +35,9 @@ static struct dentry *sysfs_mount(struct file_system_type > *fs_type, > ns = kobj_ns_grab_current(KOBJ_NS_TYPE_NET); > root = kernfs_mount_ns(fs_type, flags, sysfs_root, > SYSFS_MAGIC, _sb, ns); > - if (IS_ERR(root) || !new_sb) > + if (!new_sb) > kobj_ns_drop(KOBJ_NS_TYPE_NET, ns); > - else if (new_sb) > + else if (!IS_ERR(root)) > root->d_sb->s_iflags |= SB_I_USERNS_VISIBLE; > > return root; What we want for that kobj_ns_drop() is "no fs instances created" (== no ->kill_sb(), be it now or later, to drop that kobj reference); for setting ->s_iflags - "new instance successfully set up". That's it; all we need is new_sb that would be accurate on its own. The problem is with kludging over the cases when it's left uninitialized (early exits from kernfs_mount_ns()) with IS_ERR(root), which happens to grab the cases when new_sb *was* set to true. So the fix is to initialize new_sb properly and get rid of that kludge. Which turns the whole thing into if (!new_sb) ... if (!IS_ERR(root) && new_sb) ... i.e. if (!new_sb) ... else if (!IS_ERR(root)) ...
Re: general protection fault in kernfs_kill_sb (2)
On Mon, May 14, 2018 at 12:20:16PM +0900, Tetsuo Handa wrote: > But there remains a refcount bug because deactivate_locked_super() from > kernfs_mount_ns() triggers kobj_ns_drop() from sysfs_kill_sb() via > sb->kill_sb() when kobj_ns_drop() is always called by sysfs_mount() > if kernfs_mount_ns() returned an error. Trivial: unfuck sysfs_mount() Signed-off-by: Al Viro--- diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c index b428d317ae92..92682fcc41f6 100644 --- a/fs/sysfs/mount.c +++ b/fs/sysfs/mount.c @@ -25,7 +25,7 @@ static struct dentry *sysfs_mount(struct file_system_type *fs_type, { struct dentry *root; void *ns; - bool new_sb; + bool new_sb = false; if (!(flags & SB_KERNMOUNT)) { if (!kobj_ns_current_may_mount(KOBJ_NS_TYPE_NET)) @@ -35,9 +35,9 @@ static struct dentry *sysfs_mount(struct file_system_type *fs_type, ns = kobj_ns_grab_current(KOBJ_NS_TYPE_NET); root = kernfs_mount_ns(fs_type, flags, sysfs_root, SYSFS_MAGIC, _sb, ns); - if (IS_ERR(root) || !new_sb) + if (!new_sb) kobj_ns_drop(KOBJ_NS_TYPE_NET, ns); - else if (new_sb) + else if (!IS_ERR(root)) root->d_sb->s_iflags |= SB_I_USERNS_VISIBLE; return root;
Re: general protection fault in kernfs_kill_sb (2)
On Mon, May 14, 2018 at 12:20:16PM +0900, Tetsuo Handa wrote: > But there remains a refcount bug because deactivate_locked_super() from > kernfs_mount_ns() triggers kobj_ns_drop() from sysfs_kill_sb() via > sb->kill_sb() when kobj_ns_drop() is always called by sysfs_mount() > if kernfs_mount_ns() returned an error. Trivial: unfuck sysfs_mount() Signed-off-by: Al Viro --- diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c index b428d317ae92..92682fcc41f6 100644 --- a/fs/sysfs/mount.c +++ b/fs/sysfs/mount.c @@ -25,7 +25,7 @@ static struct dentry *sysfs_mount(struct file_system_type *fs_type, { struct dentry *root; void *ns; - bool new_sb; + bool new_sb = false; if (!(flags & SB_KERNMOUNT)) { if (!kobj_ns_current_may_mount(KOBJ_NS_TYPE_NET)) @@ -35,9 +35,9 @@ static struct dentry *sysfs_mount(struct file_system_type *fs_type, ns = kobj_ns_grab_current(KOBJ_NS_TYPE_NET); root = kernfs_mount_ns(fs_type, flags, sysfs_root, SYSFS_MAGIC, _sb, ns); - if (IS_ERR(root) || !new_sb) + if (!new_sb) kobj_ns_drop(KOBJ_NS_TYPE_NET, ns); - else if (new_sb) + else if (!IS_ERR(root)) root->d_sb->s_iflags |= SB_I_USERNS_VISIBLE; return root;
Re: general protection fault in kernfs_kill_sb (2)
On Sun, May 13, 2018 at 11:19:46AM +0900, Tetsuo Handa wrote: > This is what I reported at > https://groups.google.com/d/msg/syzkaller-bugs/ISOJlV2I2QM/qHslGMi3AwAJ . > > We are currently waiting for comments from Al Viro. 1) the damn thing is unusable without javashit. Which gets about the same reaction as sending something.doc in attachment. Please, find a less obnoxious way to archive the thing (or to generate URLs that would work without that garbage). 2) deactivate_locked_super() *WILL* be called when fill_super() fails. Live with it; it allows to simplify a whole lot of cleanup logics in various filesystems. Again, we are not going for a model where ->kill_sb() is not called for something returned by sget(). Rationale: rarely exercised paths tend to rot, so anything that increases the duplication of bits and pieces of normal teardown into failure exits of foo_fill_super() is a bloody bad idea. If anything, we want to take a lot of stuff out of ->put_super() instances directly into ->kill_sb() ones, precisely because ->put_super() is only called for fully set up filesystems. 3) kernfs needs to be fixed. The rest of the dropped commits were made redundant by 8e04944f0ea8; this one wasn't. Mea culpa.
Re: general protection fault in kernfs_kill_sb (2)
On Sun, May 13, 2018 at 11:19:46AM +0900, Tetsuo Handa wrote: > This is what I reported at > https://groups.google.com/d/msg/syzkaller-bugs/ISOJlV2I2QM/qHslGMi3AwAJ . > > We are currently waiting for comments from Al Viro. 1) the damn thing is unusable without javashit. Which gets about the same reaction as sending something.doc in attachment. Please, find a less obnoxious way to archive the thing (or to generate URLs that would work without that garbage). 2) deactivate_locked_super() *WILL* be called when fill_super() fails. Live with it; it allows to simplify a whole lot of cleanup logics in various filesystems. Again, we are not going for a model where ->kill_sb() is not called for something returned by sget(). Rationale: rarely exercised paths tend to rot, so anything that increases the duplication of bits and pieces of normal teardown into failure exits of foo_fill_super() is a bloody bad idea. If anything, we want to take a lot of stuff out of ->put_super() instances directly into ->kill_sb() ones, precisely because ->put_super() is only called for fully set up filesystems. 3) kernfs needs to be fixed. The rest of the dropped commits were made redundant by 8e04944f0ea8; this one wasn't. Mea culpa.
Re: general protection fault in kernfs_kill_sb (2)
On 2018/05/13 2:01, syzbot wrote: > Call Trace: > __list_del_entry include/linux/list.h:117 [inline] > list_del include/linux/list.h:125 [inline] > kernfs_kill_sb+0xa0/0x350 fs/kernfs/mount.c:361 > sysfs_kill_sb+0x22/0x40 fs/sysfs/mount.c:50 > deactivate_locked_super+0x97/0x100 fs/super.c:316 > kernfs_mount_ns+0x753/0x8e0 fs/kernfs/mount.c:335 > sysfs_mount+0xdf/0x200 fs/sysfs/mount.c:36 > mount_fs+0xae/0x328 fs/super.c:1267 > vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037 > vfs_kern_mount fs/namespace.c:1027 [inline] > do_new_mount fs/namespace.c:2518 [inline] > do_mount+0x564/0x3070 fs/namespace.c:2848 > ksys_mount+0x12d/0x140 fs/namespace.c:3064 > __do_sys_mount fs/namespace.c:3078 [inline] > __se_sys_mount fs/namespace.c:3075 [inline] > __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075 > do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > RIP: 0033:0x4426a9 > RSP: 002b:7ffc558bd1b8 EFLAGS: 0246 ORIG_RAX: 00a5 > RAX: ffda RBX: RCX: 004426a9 > RDX: 20c0 RSI: 2080 RDI: 2040 > RBP: 7ffc558bda60 R08: R09: 0003 > R10: R11: 0246 R12: > R13: 0004 R14: 1380 R15: 7ffc558bd2f8 > Code: c5 0f 84 cc 00 00 00 48 b8 00 02 00 00 00 00 ad de 49 39 c4 0f 84 a5 00 > 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 75 5f > 49 8b 14 24 48 39 da 0f 85 ba 00 00 00 48 b8 > RIP: __list_del_entry_valid+0x84/0xf3 lib/list_debug.c:51 RSP: > 8801aca6f860 > ---[ end trace d148f307a34e229f ]--- This is what I reported at https://groups.google.com/d/msg/syzkaller-bugs/ISOJlV2I2QM/qHslGMi3AwAJ . We are currently waiting for comments from Al Viro.
Re: general protection fault in kernfs_kill_sb (2)
On 2018/05/13 2:01, syzbot wrote: > Call Trace: > __list_del_entry include/linux/list.h:117 [inline] > list_del include/linux/list.h:125 [inline] > kernfs_kill_sb+0xa0/0x350 fs/kernfs/mount.c:361 > sysfs_kill_sb+0x22/0x40 fs/sysfs/mount.c:50 > deactivate_locked_super+0x97/0x100 fs/super.c:316 > kernfs_mount_ns+0x753/0x8e0 fs/kernfs/mount.c:335 > sysfs_mount+0xdf/0x200 fs/sysfs/mount.c:36 > mount_fs+0xae/0x328 fs/super.c:1267 > vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037 > vfs_kern_mount fs/namespace.c:1027 [inline] > do_new_mount fs/namespace.c:2518 [inline] > do_mount+0x564/0x3070 fs/namespace.c:2848 > ksys_mount+0x12d/0x140 fs/namespace.c:3064 > __do_sys_mount fs/namespace.c:3078 [inline] > __se_sys_mount fs/namespace.c:3075 [inline] > __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075 > do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > RIP: 0033:0x4426a9 > RSP: 002b:7ffc558bd1b8 EFLAGS: 0246 ORIG_RAX: 00a5 > RAX: ffda RBX: RCX: 004426a9 > RDX: 20c0 RSI: 2080 RDI: 2040 > RBP: 7ffc558bda60 R08: R09: 0003 > R10: R11: 0246 R12: > R13: 0004 R14: 1380 R15: 7ffc558bd2f8 > Code: c5 0f 84 cc 00 00 00 48 b8 00 02 00 00 00 00 ad de 49 39 c4 0f 84 a5 00 > 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 75 5f > 49 8b 14 24 48 39 da 0f 85 ba 00 00 00 48 b8 > RIP: __list_del_entry_valid+0x84/0xf3 lib/list_debug.c:51 RSP: > 8801aca6f860 > ---[ end trace d148f307a34e229f ]--- This is what I reported at https://groups.google.com/d/msg/syzkaller-bugs/ISOJlV2I2QM/qHslGMi3AwAJ . We are currently waiting for comments from Al Viro.
general protection fault in kernfs_kill_sb (2)
Hello, syzbot found the following crash on: HEAD commit:f0ab773f5c96 Merge branch 'akpm' (patches from Andrew) git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=140ce81780 kernel config: https://syzkaller.appspot.com/x/.config?x=fcce42b221691ff9 dashboard link: https://syzkaller.appspot.com/bug?extid=481ad819c717f6b78df9 compiler: gcc (GCC) 8.0.1 20180413 (experimental) syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=15078e9780 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12bf369780 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+481ad819c717f6b78...@syzkaller.appspotmail.com RBP: 7ffc558bda60 R08: R09: 0003 R10: R11: 0246 R12: R13: 0004 R14: 1380 R15: 7ffc558bd2f8 kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 4540 Comm: syz-executor884 Not tainted 4.17.0-rc4+ #43 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__list_del_entry_valid+0x84/0xf3 lib/list_debug.c:51 RSP: 0018:8801aca6f860 EFLAGS: 00010246 RAX: dc00 RBX: 8801ac528498 RCX: RDX: RSI: RDI: 8801ac5284a0 RBP: 8801aca6f878 R08: fbfff11cc855 R09: fbfff11cc854 R10: 8801aca6f878 R11: 88e642a7 R12: R13: R14: 8801aca6f908 R15: 8801ac528498 FS: 00f86880() GS:8801daf0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 004b6f3c CR3: 0001d973 CR4: 001406e0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: __list_del_entry include/linux/list.h:117 [inline] list_del include/linux/list.h:125 [inline] kernfs_kill_sb+0xa0/0x350 fs/kernfs/mount.c:361 sysfs_kill_sb+0x22/0x40 fs/sysfs/mount.c:50 deactivate_locked_super+0x97/0x100 fs/super.c:316 kernfs_mount_ns+0x753/0x8e0 fs/kernfs/mount.c:335 sysfs_mount+0xdf/0x200 fs/sysfs/mount.c:36 mount_fs+0xae/0x328 fs/super.c:1267 vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037 vfs_kern_mount fs/namespace.c:1027 [inline] do_new_mount fs/namespace.c:2518 [inline] do_mount+0x564/0x3070 fs/namespace.c:2848 ksys_mount+0x12d/0x140 fs/namespace.c:3064 __do_sys_mount fs/namespace.c:3078 [inline] __se_sys_mount fs/namespace.c:3075 [inline] __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4426a9 RSP: 002b:7ffc558bd1b8 EFLAGS: 0246 ORIG_RAX: 00a5 RAX: ffda RBX: RCX: 004426a9 RDX: 20c0 RSI: 2080 RDI: 2040 RBP: 7ffc558bda60 R08: R09: 0003 R10: R11: 0246 R12: R13: 0004 R14: 1380 R15: 7ffc558bd2f8 Code: c5 0f 84 cc 00 00 00 48 b8 00 02 00 00 00 00 ad de 49 39 c4 0f 84 a5 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 75 5f 49 8b 14 24 48 39 da 0f 85 ba 00 00 00 48 b8 RIP: __list_del_entry_valid+0x84/0xf3 lib/list_debug.c:51 RSP: 8801aca6f860 ---[ end trace d148f307a34e229f ]--- --- This bug is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkal...@googlegroups.com. syzbot will keep track of this bug report. If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with: #syz fix: exact-commit-title If you want to test a patch for this bug, please reply with: #syz test: git://repo/address.git branch and provide the patch inline or as an attachment. To mark this as a duplicate of another syzbot report, please reply with: #syz dup: exact-subject-of-another-report If it's a one-off invalid bug report, please reply with: #syz invalid Note: if the crash happens again, it will cause creation of a new bug report. Note: all commands must start from beginning of the line in the email body.
general protection fault in kernfs_kill_sb (2)
Hello, syzbot found the following crash on: HEAD commit:f0ab773f5c96 Merge branch 'akpm' (patches from Andrew) git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=140ce81780 kernel config: https://syzkaller.appspot.com/x/.config?x=fcce42b221691ff9 dashboard link: https://syzkaller.appspot.com/bug?extid=481ad819c717f6b78df9 compiler: gcc (GCC) 8.0.1 20180413 (experimental) syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=15078e9780 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12bf369780 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+481ad819c717f6b78...@syzkaller.appspotmail.com RBP: 7ffc558bda60 R08: R09: 0003 R10: R11: 0246 R12: R13: 0004 R14: 1380 R15: 7ffc558bd2f8 kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 4540 Comm: syz-executor884 Not tainted 4.17.0-rc4+ #43 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__list_del_entry_valid+0x84/0xf3 lib/list_debug.c:51 RSP: 0018:8801aca6f860 EFLAGS: 00010246 RAX: dc00 RBX: 8801ac528498 RCX: RDX: RSI: RDI: 8801ac5284a0 RBP: 8801aca6f878 R08: fbfff11cc855 R09: fbfff11cc854 R10: 8801aca6f878 R11: 88e642a7 R12: R13: R14: 8801aca6f908 R15: 8801ac528498 FS: 00f86880() GS:8801daf0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 004b6f3c CR3: 0001d973 CR4: 001406e0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: __list_del_entry include/linux/list.h:117 [inline] list_del include/linux/list.h:125 [inline] kernfs_kill_sb+0xa0/0x350 fs/kernfs/mount.c:361 sysfs_kill_sb+0x22/0x40 fs/sysfs/mount.c:50 deactivate_locked_super+0x97/0x100 fs/super.c:316 kernfs_mount_ns+0x753/0x8e0 fs/kernfs/mount.c:335 sysfs_mount+0xdf/0x200 fs/sysfs/mount.c:36 mount_fs+0xae/0x328 fs/super.c:1267 vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037 vfs_kern_mount fs/namespace.c:1027 [inline] do_new_mount fs/namespace.c:2518 [inline] do_mount+0x564/0x3070 fs/namespace.c:2848 ksys_mount+0x12d/0x140 fs/namespace.c:3064 __do_sys_mount fs/namespace.c:3078 [inline] __se_sys_mount fs/namespace.c:3075 [inline] __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4426a9 RSP: 002b:7ffc558bd1b8 EFLAGS: 0246 ORIG_RAX: 00a5 RAX: ffda RBX: RCX: 004426a9 RDX: 20c0 RSI: 2080 RDI: 2040 RBP: 7ffc558bda60 R08: R09: 0003 R10: R11: 0246 R12: R13: 0004 R14: 1380 R15: 7ffc558bd2f8 Code: c5 0f 84 cc 00 00 00 48 b8 00 02 00 00 00 00 ad de 49 39 c4 0f 84 a5 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 75 5f 49 8b 14 24 48 39 da 0f 85 ba 00 00 00 48 b8 RIP: __list_del_entry_valid+0x84/0xf3 lib/list_debug.c:51 RSP: 8801aca6f860 ---[ end trace d148f307a34e229f ]--- --- This bug is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkal...@googlegroups.com. syzbot will keep track of this bug report. If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with: #syz fix: exact-commit-title If you want to test a patch for this bug, please reply with: #syz test: git://repo/address.git branch and provide the patch inline or as an attachment. To mark this as a duplicate of another syzbot report, please reply with: #syz dup: exact-subject-of-another-report If it's a one-off invalid bug report, please reply with: #syz invalid Note: if the crash happens again, it will cause creation of a new bug report. Note: all commands must start from beginning of the line in the email body.