From: syzbot <syzbot+c1d0a03d305972dbbe14@syzkaller.appspotmail.com>
To: davem@davemloft.net, dvyukov@google.com, edumazet@google.com,
hdanton@sina.com, krzysztof.kozlowski@linaro.org,
kuba@kernel.org, linma@zju.edu.cn, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, pabeni@redhat.com,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] BUG: corrupted list in nfc_llcp_register_device
Date: Sun, 22 Jan 2023 23:58:51 -0800 [thread overview]
Message-ID: <00000000000012245205f2e9c5a1@google.com> (raw)
In-Reply-To: <000000000000f5b4ab05f0522438@google.com>
syzbot has found a reproducer for the following issue on:
HEAD commit: 2475bf0250de Merge tag 'sched_urgent_for_v6.2_rc6' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=116dd0ac480000
kernel config: https://syzkaller.appspot.com/x/.config?x=23330449ad10b66f
dashboard link: https://syzkaller.appspot.com/bug?extid=c1d0a03d305972dbbe14
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15e4a789480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=100108fa480000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c1d0a03d305972dbbe14@syzkaller.appspotmail.com
list_add corruption. prev->next should be next (ffff88802620c000), but was ffff88801d633000. (prev=ffffffff8e546e60).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:30!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 12187 Comm: syz-executor209 Not tainted 6.2.0-rc5-syzkaller-00013-g2475bf0250de #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:__list_add_valid.cold+0x56/0x58 lib/list_debug.c:30
Code: 0b 48 89 f2 4c 89 e1 48 89 ee 48 c7 c7 c0 bc a6 8a e8 df 2c f0 ff 0f 0b 48 89 f1 48 c7 c7 40 bc a6 8a 4c 89 e6 e8 cb 2c f0 ff <0f> 0b 4c 89 e1 48 89 ee 48 c7 c7 a0 be a6 8a e8 b7 2c f0 ff 0f 0b
RSP: 0018:ffffc90026c577f0 EFLAGS: 00010282
RAX: 0000000000000075 RBX: ffff888026209000 RCX: 0000000000000000
RDX: ffff888012c20000 RSI: ffffffff816680ec RDI: fffff52004d8aef0
RBP: ffff888026209000 R08: 0000000000000075 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: ffff88802620c000
R13: ffff88802620c000 R14: 0000000000000000 R15: ffff88802620a140
FS: 0000000000000000(0000) GS:ffff88802c600000(0063) knlGS:0000000057a07380
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000200003c0 CR3: 000000002433d000 CR4: 0000000000150ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_add include/linux/list.h:69 [inline]
list_add include/linux/list.h:88 [inline]
nfc_llcp_register_device+0x7a8/0x9e0 net/nfc/llcp_core.c:1604
nfc_register_device+0x70/0x3b0 net/nfc/core.c:1124
nci_register_device+0x7cb/0xb50 net/nfc/nci/core.c:1257
virtual_ncidev_open+0x14f/0x230 drivers/nfc/virtual_ncidev.c:148
misc_open+0x37a/0x4a0 drivers/char/misc.c:165
chrdev_open+0x26a/0x770 fs/char_dev.c:414
do_dentry_open+0x6cc/0x13f0 fs/open.c:882
do_open fs/namei.c:3557 [inline]
path_openat+0x1bbc/0x2a50 fs/namei.c:3714
do_filp_open+0x1ba/0x410 fs/namei.c:3741
do_sys_openat2+0x16d/0x4c0 fs/open.c:1310
do_sys_open fs/open.c:1326 [inline]
__do_compat_sys_openat fs/open.c:1386 [inline]
__se_compat_sys_openat fs/open.c:1384 [inline]
__ia32_compat_sys_openat+0x143/0x1f0 fs/open.c:1384
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
entry_SYSENTER_compat_after_hwframe+0x70/0x82
RIP: 0023:0xf7e6f549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000ff98601c EFLAGS: 00000292 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 00000000ffffff9c RCX: 0000000020000080
RDX: 0000000000000002 RSI: 0000000000000000 RDI: 00000000ffffffff
RBP: 0000000000008933 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_add_valid.cold+0x56/0x58 lib/list_debug.c:30
Code: 0b 48 89 f2 4c 89 e1 48 89 ee 48 c7 c7 c0 bc a6 8a e8 df 2c f0 ff 0f 0b 48 89 f1 48 c7 c7 40 bc a6 8a 4c 89 e6 e8 cb 2c f0 ff <0f> 0b 4c 89 e1 48 89 ee 48 c7 c7 a0 be a6 8a e8 b7 2c f0 ff 0f 0b
RSP: 0018:ffffc90026c577f0 EFLAGS: 00010282
RAX: 0000000000000075 RBX: ffff888026209000 RCX: 0000000000000000
RDX: ffff888012c20000 RSI: ffffffff816680ec RDI: fffff52004d8aef0
RBP: ffff888026209000 R08: 0000000000000075 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: ffff88802620c000
R13: ffff88802620c000 R14: 0000000000000000 R15: ffff88802620a140
FS: 0000000000000000(0000) GS:ffff88802c600000(0063) knlGS:0000000057a07380
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000200003c0 CR3: 000000002433d000 CR4: 0000000000150ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 03 74 c0 01 add 0x1(%rax,%rax,8),%esi
4: 10 05 03 74 b8 01 adc %al,0x1b87403(%rip) # 0x1b8740d
a: 10 06 adc %al,(%rsi)
c: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi
10: 10 07 adc %al,(%rdi)
12: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi
16: 10 08 adc %cl,(%rax)
18: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi
1c: 00 00 add %al,(%rax)
1e: 00 00 add %al,(%rax)
20: 00 51 52 add %dl,0x52(%rcx)
23: 55 push %rbp
24: 89 e5 mov %esp,%ebp
26: 0f 34 sysenter
28: cd 80 int $0x80
* 2a: 5d pop %rbp <-- trapping instruction
2b: 5a pop %rdx
2c: 59 pop %rcx
2d: c3 retq
2e: 90 nop
2f: 90 nop
30: 90 nop
31: 90 nop
32: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
39: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
next prev parent reply other threads:[~2023-01-23 7:59 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-21 8:14 [syzbot] BUG: corrupted list in nfc_llcp_register_device syzbot
2023-01-23 7:58 ` syzbot [this message]
[not found] <20221221122958.1792-1-hdanton@sina.com>
2022-12-21 15:02 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=00000000000012245205f2e9c5a1@google.com \
--to=syzbot+c1d0a03d305972dbbe14@syzkaller.appspotmail.com \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=hdanton@sina.com \
--cc=krzysztof.kozlowski@linaro.org \
--cc=kuba@kernel.org \
--cc=linma@zju.edu.cn \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.