From: syzbot <>
Subject: Re: [syzbot] BUG: unable to handle kernel NULL pointer dereference in shmem_evict_inode
Date: Wed, 16 Nov 2022 18:11:15 -0800


syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in __sk_destruct

list_del corruption. next->prev should be ffff0000d3a73b80, but was 0000000000000000. (next=ffff0000d43c9680)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:64!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 3500 Comm: syz-executor.1 Not tainted 6.1.0-rc4-syzkaller-00039-g1621b6eaebf7-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __list_del_entry_valid+0xcc/0xd0 lib/list_debug.c:62
lr : __list_del_entry_valid+0xcc/0xd0 lib/list_debug.c:62
sp : ffff800012d8bb50
x29: ffff800012d8bb50 x28: 00000000002e0003 x27: 0000000000000000
x26: ffff0000cdf283a8 x25: 0000000000000000 x24: 0000000000000001
x23: 0000000000000000 x22: ffff0000cc951cf0 x21: ffff0000d3a73b80
x20: 0000000000000000 x19: ffff0000cc951c90 x18: 00000000000000c0
x17: 20747562202c3038 x16: ffff80000db2a158 x15: ffff0000c7b39a40
x14: 0000000000000000 x13: 00000000ffffffff x12: ffff0000c7b39a40
x11: ff808000081c06c8 x10: 0000000000000000 x9 : 09ff774b4a8bd800
x8 : 09ff774b4a8bd800 x7 : ffff80000c01881c x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefddcc8 x1 : 0000000100000001 x0 : 000000000000006d
Call trace:
 __list_del_entry_valid+0xcc/0xd0 lib/list_debug.c:62
 __list_del_entry include/linux/list.h:134 [inline]
 list_del include/linux/list.h:148 [inline]
 ref_tracker_free+0x188/0x340 lib/ref_tracker.c:146
 netns_tracker_free include/net/net_namespace.h:335 [inline]
 put_net_track include/net/net_namespace.h:349 [inline]
 __sk_destruct+0x27c/0x4e4 net/core/sock.c:2151
 sk_destruct net/core/sock.c:2167 [inline]
 __sk_free+0x238/0x290 net/core/sock.c:2178
 sk_free+0x54/0xbc net/core/sock.c:2189
 sock_put include/net/sock.h:1987 [inline]
 tcp_close+0x78/0xe0 net/ipv4/tcp.c:3034
 inet_release+0xc8/0xe4 net/ipv4/af_inet.c:428
 __sock_release net/socket.c:650 [inline]
 sock_close+0x50/0xf0 net/socket.c:1365
 __fput+0x198/0x3e4 fs/file_table.c:320
 ____fput+0x20/0x30 fs/file_table.c:348
 task_work_run+0x100/0x148 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 do_notify_resume+0x174/0x1f0 arch/arm64/kernel/signal.c:1127
 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
 el0_svc+0x9c/0x150 arch/arm64/kernel/entry-common.c:638
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:584
Code: d4210000 d001b140 913ac800 94a82811 (d4210000) 
---[ end trace 0000000000000000 ]---

Tested on:

commit:         1621b6ea Merge branch 'for-next/fixes' into for-kernelci
git tree:
console output:
kernel config:
dashboard link:
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64

Thread overview: 2+ messages
2022-11-16 14:54 [syzbot] BUG: unable to handle kernel NULL pointer dereference in shmem_evict_inode  syzbot
2022-11-17  2:11 ` syzbot [this message]