TITLE: BUG: corrupted list in tipc_nametbl_unsubscribe
2
3[  440.811510] list_del corruption. prev->next should be 00000000bc6553ca, but was 0000000038fa8131
4[  440.811620] ------------[ cut here ]------------
5[  440.811625] kernel BUG at lib/list_debug.c:53!
6[  440.811637] invalid opcode: 0000 [#1] SMP KASAN
7[  440.811642] Dumping ftrace buffer:
8[  440.811646]    (ftrace buffer empty)
9[  440.811649] Modules linked in:
10[  440.811658] CPU: 1 PID: 3200 Comm: syz-executor4 Not tainted 4.15.0-rc8+ #264
11[  440.811662] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
12[  440.811673] RIP: 0010:__list_del_entry_valid+0xef/0x150
13[  440.811677] RSP: 0018:ffff8801be95eb20 EFLAGS: 00010286
14[  440.811683] RAX: 0000000000000054 RBX: ffff8801d359f240 RCX: 0000000000000000
15[  440.811686] RDX: 0000000000000054 RSI: 1ffff10039af2dca RDI: ffffed0037d2bd58
16[  440.811690] RBP: ffff8801be95eb38 R08: 1ffff10037d2bcfc R09: 0000000000000000
17[  440.811694] R10: ffff8801be95ea00 R11: 0000000000000000 R12: ffff8801d50e4900
18[  440.811698] R13: ffff8801be95ecd8 R14: ffff8801c29ac860 R15: ffff8801bd76aa80
19[  440.811704] FS:  00007f70eee26700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
20[  440.811708] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
21[  440.811712] CR2: 00000000010bad18 CR3: 0000000006822006 CR4: 00000000001606e0
22[  440.811718] Call Trace:
23[  440.811727]  ? _raw_spin_lock_bh+0x39/0x40
24[  440.811737]  tipc_nametbl_unsubscribe+0x318/0x990
25[  440.811751]  ? tipc_nametbl_subscribe+0xc10/0xc10
26[  440.811764]  ? lock_acquire+0x1d5/0x580
27[  440.811770]  ? lock_acquire+0x1d5/0x580
28[  440.811777]  ? tipc_subscrb_subscrp_delete+0x8f/0x460
29[  440.811785]  ? __radix_tree_lookup+0x435/0x5e0
30[  440.811797]  ? lock_release+0xa40/0xa40
31[  440.811806]  ? print_irqtrace_events+0x270/0x270
32[  440.811815]  ? find_held_lock+0x35/0x1d0
33[  440.811828]  ? tipc_subscrb_subscrp_delete+0x8f/0x460
34[  440.811843]  tipc_subscrb_subscrp_delete+0x1e9/0x460
35[  440.811857]  ? tipc_subscrp_put+0x360/0x360
36[  440.811866]  ? __local_bh_enable_ip+0x121/0x230
37[  440.811876]  ? trace_hardirqs_on_caller+0x421/0x5c0
38[  440.811884]  ? tipc_conn_lookup+0x74/0x90
39[  440.811891]  ? tipc_subscrb_subscrp_delete+0x460/0x460
40[  440.811901]  tipc_subscrb_release_cb+0x17/0x30
41[  440.811910]  tipc_close_conn+0x171/0x270
42[  440.811922]  tipc_topsrv_kern_unsubscr+0x213/0x340
43[  440.811928]  ? tipc_dest_del+0x350/0x350
44[  440.811937]  ? tipc_topsrv_kern_subscr+0x850/0x850
45[  440.811947]  ? tipc_node_distr_xmit+0x212/0x2b0
46[  440.811964]  tipc_group_delete+0x2c0/0x3d0
47[  440.811975]  ? print_irqtrace_events+0x270/0x270
48[  440.811984]  ? tipc_group_create+0x9c0/0x9c0
49[  440.811993]  ? __tipc_shutdown+0x916/0xc80
50[  440.811999]  ? find_held_lock+0x35/0x1d0
51[  440.812020]  ? tipc_sk_respond+0x550/0x550
52[  440.812038]  tipc_sk_leave+0x10b/0x200
53[  440.812049]  ? tipc_sk_withdraw+0x6b0/0x6b0
54[  440.812062]  ? trace_hardirqs_on_caller+0x421/0x5c0
55[  440.812071]  ? lock_sock_nested+0x91/0x110
56[  440.812080]  ? __local_bh_enable_ip+0x121/0x230
57[  440.812096]  tipc_release+0x154/0xfe0
58[  440.812114]  ? kernel_text_address+0x102/0x140
59[  440.812124]  ? tipc_sk_backlog_rcv+0x390/0x390
60[  440.812132]  ? trace_event_raw_event_lock+0x340/0x340
61[  440.812140]  ? perf_trace_lock+0xd6/0x900
62[  440.812147]  ? __save_stack_trace+0x7e/0xd0
63[  440.812156]  ? check_noncircular+0x20/0x20
64[  440.812167]  ? trace_event_raw_event_lock+0x340/0x340
65[  440.812183]  ? locks_remove_file+0x3fa/0x5a0
66[  440.812194]  ? fcntl_setlk+0x10c0/0x10c0
67[  440.812200]  ? fsnotify+0x7b3/0x1140
68[  440.812219]  ? fsnotify_first_mark+0x2b0/0x2b0
69[  440.812240]  sock_release+0x8d/0x1e0
70[  440.812249]  ? sock_alloc_file+0x560/0x560
71[  440.812257]  sock_close+0x16/0x20
72[  440.812268]  __fput+0x327/0x7e0
73[  440.812284]  ? fput+0x140/0x140
74[  440.812295]  ? _raw_spin_unlock_irq+0x27/0x70
75[  440.812311]  ____fput+0x15/0x20
76[  440.812320]  task_work_run+0x199/0x270
77[  440.812333]  ? task_work_cancel+0x210/0x210
78[  440.812342]  ? _raw_spin_unlock+0x22/0x30
79[  440.812351]  ? switch_task_namespaces+0x87/0xc0
80[  440.812365]  do_exit+0x9bb/0x1ad0
81[  440.812374]  ? try_to_wake_up+0xf9/0x1600
82[  440.812389]  ? mm_update_next_owner+0x930/0x930
83[  440.812400]  ? debug_check_no_locks_freed+0x3c0/0x3c0
84[  440.812408]  ? debug_check_no_locks_freed+0x3c0/0x3c0
85[  440.812418]  ? do_raw_spin_trylock+0x190/0x190
86[  440.812425]  ? do_raw_spin_trylock+0x190/0x190
87[  440.812438]  ? __lock_is_held+0xb6/0x140
88[  440.812463]  ? perf_trace_lock+0xd6/0x900
89[  440.812479]  ? trace_event_raw_event_lock+0x340/0x340
90[  440.812488]  ? __perf_event_task_sched_out+0x266/0x1490
91[  440.812500]  ? check_noncircular+0x20/0x20
92[  440.812516]  ? perf_event_sync_stat+0x5b0/0x5b0
93[  440.812525]  ? __perf_event_task_sched_in+0x200/0xc20
94[  440.812549]  ? find_held_lock+0x35/0x1d0
95[  440.812567]  ? get_signal+0x7ae/0x16c0
96[  440.812577]  ? lock_downgrade+0x980/0x980
97[  440.812595]  do_group_exit+0x149/0x400
98[  440.812604]  ? do_raw_spin_trylock+0x190/0x190
99[  440.812612]  ? SyS_exit+0x30/0x30
100[  440.812620]  ? _raw_spin_unlock_irq+0x27/0x70
101[  440.812631]  ? trace_hardirqs_on_caller+0x421/0x5c0
102[  440.812645]  get_signal+0x73f/0x16c0
103[  440.812664]  ? ptrace_notify+0x130/0x130
104[  440.812678]  ? __schedule+0x8f3/0x2060
105[  440.812685]  ? exit_robust_list+0x240/0x240
106[  440.812701]  ? __sched_text_start+0x8/0x8
107[  440.812719]  ? find_held_lock+0x35/0x1d0
108[  440.812731]  do_signal+0x90/0x1eb0
109[  440.812742]  ? task_work_run+0x16c/0x270
110[  440.812751]  ? lock_downgrade+0x980/0x980
111[  440.812758]  ? mntput+0x66/0x90
112[  440.812769]  ? setup_sigcontext+0x7d0/0x7d0
113[  440.812787]  ? schedule+0xf5/0x430
114[  440.812794]  ? _raw_spin_unlock_irq+0x27/0x70
115[  440.812804]  ? __schedule+0x2060/0x2060
116[  440.812816]  ? _raw_spin_unlock_irq+0x27/0x70
117[  440.812824]  ? task_work_run+0x1f4/0x270
118[  440.812837]  ? task_work_cancel+0x210/0x210
119[  440.812849]  ? exit_to_usermode_loop+0x8c/0x310
120[  440.812865]  exit_to_usermode_loop+0x214/0x310
121[  440.812878]  ? trace_event_raw_event_sys_exit+0x260/0x260
122[  440.812899]  syscall_return_slowpath+0x490/0x550
123[  440.812908]  ? prepare_exit_to_usermode+0x340/0x340
124[  440.812914]  ? SyS_write+0x184/0x220
125[  440.812924]  ? entry_SYSCALL_64_fastpath+0x73/0xa0
126[  440.812935]  ? trace_hardirqs_on_caller+0x421/0x5c0
127[  440.812944]  ? trace_hardirqs_on_thunk+0x1a/0x1c
128[  440.812961]  entry_SYSCALL_64_fastpath+0x9e/0xa0
129[  440.812967] RIP: 0033:0x452df9
130[  440.812971] RSP: 002b:00007f70eee25c88 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
131[  440.812978] RAX: 0000000000000001 RBX: 000000000071bea0 RCX: 0000000000452df9
132[  440.812983] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 000000000071becc
133[  440.812987] RBP: 0000000000000573 R08: 0000000000000000 R09: 0000000000000000
134[  440.812991] R10: 0000000000000010 R11: 0000000000000246 R12: 0000000000000001
135[  440.812995] R13: 0000000000000014 R14: 00007f70eee266d4 R15: ffffffffffffffff
136[  440.813016] Code: 4c 89 e2 48 c7 c7 c0 fb e0 85 e8 95 26 fe fe 0f 0b 48 c7 c7 20 fc e0 85 e8 87 26 fe fe 0f 0b 48 c7 c7 80 fc e0 85 e8 79 26 fe fe <0f> 0b 48 c7 c7 e0 fc e0 85 e8 6b 26 fe fe 0f 0b 48 89 df 48 89
137[  440.813159] RIP: __list_del_entry_valid+0xef/0x150 RSP: ffff8801be95eb20
138[  440.813194] ---[ end trace 0c495e0cee371de9 ]---