* [paulmckrcu:dev.2026.03.04a] [rcutorture] 569ac6a1d7: BUG:KASAN:stack-out-of-bounds_in__list_del_entry
@ 2026-03-22 14:30 kernel test robot
From: kernel test robot @ 2026-03-22 14:30 UTC
To: Paul E. McKenney; +Cc: oe-lkp, lkp, Saravana Kannan, linux-kernel, oliver.sang
Hi Paul, if the issue is fixed in a newer branch, please just ignore. Thanks.
Hello,
kernel test robot noticed "BUG:KASAN:stack-out-of-bounds_in__list_del_entry" on:
commit: 569ac6a1d7999442e2a381fc4785e1d22699a726 ("rcutorture: Fully test lazy RCU")
https://github.com/paulmckrcu/linux dev.2026.03.04a
in testcase: rcutorture
version:
with following parameters:
runtime: 300s
test: default
torture_type: tasks
config: x86_64-randconfig-161-20250618
compiler: gcc-14
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 32G
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202603222245.6c112aee-lkp@intel.com
[ 364.629232][ T11] BUG: KASAN: stack-out-of-bounds in __list_del_entry (include/linux/list.h:127 (discriminator 1) include/linux/list.h:223 (discriminator 1))
[ 364.630180][ T11] Read of size 8 at addr ffffc90001edfdd8 by task kworker/0:1/11
[ 364.631050][ T11]
[ 364.631438][ T11] CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Tainted: GF T 7.0.0-rc1-00026-g569ac6a1d799 #1 PREEMPT(lazy) 2d0a7e949e4836aaa2820a29d36737f9b4ef5506
[ 364.631476][ T11] Tainted: [F]=FORCED_MODULE, [T]=RANDSTRUCT
[ 364.631485][ T11] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 364.631500][ T11] Workqueue: 0x0 (events)
[ 364.631526][ T11] Call Trace:
[ 364.631534][ T11] <TASK>
[ 364.631543][ T11] dump_stack_lvl (lib/dump_stack.c:122)
[ 364.631573][ T11] print_address_description+0x6e/0x300
[ 364.631599][ T11] print_report (mm/kasan/report.c:483)
[ 364.631618][ T11] ? kasan_complete_mode_report_info (mm/kasan/report_generic.c:166 (discriminator 1))
[ 364.631655][ T11] ? __list_del_entry (include/linux/list.h:127 (discriminator 1) include/linux/list.h:223 (discriminator 1))
[ 364.631684][ T11] kasan_report (mm/kasan/report.c:597)
[ 364.631715][ T11] ? __list_del_entry (include/linux/list.h:127 (discriminator 1) include/linux/list.h:223 (discriminator 1))
[ 364.631744][ T11] __asan_report_load8_noabort (mm/kasan/report_generic.c:381)
[ 364.631779][ T11] __list_del_entry (include/linux/list.h:127 (discriminator 1) include/linux/list.h:223 (discriminator 1))
[ 364.631807][ T11] list_move_tail (include/linux/list.h:319)
[ 364.631834][ T11] move_linked_works (kernel/workqueue.c:1157)
[ 364.631862][ T11] assign_work (kernel/workqueue.c:1219)
[ 364.631889][ T11] worker_thread (kernel/workqueue.c:3438 (discriminator 1))
[ 364.631923][ T11] ? __sanitizer_cov_trace_pc (kernel/kcov.c:217 (discriminator 1))
[ 364.631953][ T11] ? process_scheduled_works (kernel/workqueue.c:3385)
[ 364.631989][ T11] kthread (kernel/kthread.c:467)
[ 364.632024][ T11] ? kthread_affine_node (kernel/kthread.c:412)
[ 364.632058][ T11] ret_from_fork (arch/x86/kernel/process.c:164)
[ 364.632080][ T11] ? write_comp_data (kernel/kcov.c:246 (discriminator 1))
[ 364.632105][ T11] ? arch_exit_to_user_mode_prepare+0x180/0x180
[ 364.632130][ T11] ? __switch_to (arch/x86/kernel/process_64.c:714)
[ 364.632158][ T11] ? kthread_affine_node (kernel/kthread.c:412)
[ 364.632192][ T11] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
[ 364.632227][ T11] </TASK>
[ 364.632235][ T11]
[ 364.661844][ T11] The buggy address belongs to a vmalloc virtual mapping
[ 364.662681][ T11] The buggy address belongs to the physical page:
[ 364.663447][ T11] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x144e2f
[ 364.664574][ T11] flags: 0x2fffc0000000000(node=0|zone=2|lastcpupid=0x3fff)
[ 364.665426][ T11] raw: 02fffc0000000000 ffffea0005138bc8 ffffea0005138bc8 0000000000000000
[ 364.666438][ T11] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 364.667466][ T11] page dumped because: kasan: bad access detected
[ 364.668240][ T11]
[ 364.668604][ T11] Memory state around the buggy address:
[ 364.669267][ T11] ffffc90001edfc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 364.670217][ T11] ffffc90001edfd00: 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 00
[ 364.671190][ T11] >ffffc90001edfd80: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
[ 364.672177][ T11] ^
[ 364.672989][ T11] ffffc90001edfe00: 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 364.673969][ T11] ffffc90001edfe80: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f3
[ 364.674932][ T11] ==================================================================
[ 364.675950][ T11] vmalloc memory
[ 364.676287][ T11] list_del corruption. next->prev should be ffff88871f432230, but was 0000000041b58ab3. (next=ffffc90001edfdd0)
[ 364.677649][ T11] ------------[ cut here ]------------
[ 364.678321][ T11] kernel BUG at lib/list_debug.c:65!
[ 364.678988][ T11] Oops: invalid opcode: 0000 [#1] SMP KASAN
[ 364.679710][ T11] CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Tainted: GF B T 7.0.0-rc1-00026-g569ac6a1d799 #1 PREEMPT(lazy) 2d0a7e949e4836aaa2820a29d36737f9b4ef5506
[ 364.681229][ T11] Tainted: [F]=FORCED_MODULE, [B]=BAD_PAGE, [T]=RANDSTRUCT
[ 364.681755][ T11] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 364.684523][ T11] Workqueue: 0x0 (events)
[ 364.684967][ T11] RIP: 0010:__list_del_entry_valid_or_report (lib/list_debug.c:65 (discriminator 1))
[ 364.685495][ T11] Code: ea 03 48 c1 e0 2a 80 3c 02 00 74 08 4c 89 e7 e8 be d0 64 00 49 8b 55 08 4c 89 e9 48 89 de 48 c7 c7 c0 13 d1 b8 e8 f8 66 fe ff <0f> 0b 5b b0 01 41 5c 41 5d 5d c3 cc cc cc cc cc cc cc cc cc cc cc
All code
========
0: ea (bad)
1: 03 48 c1 add -0x3f(%rax),%ecx
4: e0 2a loopne 0x30
6: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
a: 74 08 je 0x14
c: 4c 89 e7 mov %r12,%rdi
f: e8 be d0 64 00 call 0x64d0d2
14: 49 8b 55 08 mov 0x8(%r13),%rdx
18: 4c 89 e9 mov %r13,%rcx
1b: 48 89 de mov %rbx,%rsi
1e: 48 c7 c7 c0 13 d1 b8 mov $0xffffffffb8d113c0,%rdi
25: e8 f8 66 fe ff call 0xfffffffffffe6722
2a:* 0f 0b ud2 <-- trapping instruction
2c: 5b pop %rbx
2d: b0 01 mov $0x1,%al
2f: 41 5c pop %r12
31: 41 5d pop %r13
33: 5d pop %rbp
34: c3 ret
35: cc int3
36: cc int3
37: cc int3
38: cc int3
39: cc int3
3a: cc int3
3b: cc int3
3c: cc int3
3d: cc int3
3e: cc int3
3f: cc int3
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: 5b pop %rbx
3: b0 01 mov $0x1,%al
5: 41 5c pop %r12
7: 41 5d pop %r13
9: 5d pop %rbp
a: c3 ret
b: cc int3
c: cc int3
d: cc int3
e: cc int3
f: cc int3
10: cc int3
11: cc int3
12: cc int3
13: cc int3
14: cc int3
15: cc int3
[ 364.686805][ T11] RSP: 0000:ffffc900000bfd10 EFLAGS: 00210086
[ 364.687267][ T11] RAX: 000000000000006d RBX: ffff88871f432230 RCX: 0000000000000000
[ 364.687872][ T11] RDX: 000000000000006d RSI: ffff888100993780 RDI: fffff52000017f98
[ 364.688473][ T11] RBP: ffffc900000bfd28 R08: 0000000000000000 R09: 0000000000000001
[ 364.689088][ T11] R10: 0000000000000000 R11: ffff888100993780 R12: ffffc90001edfdd8
[ 364.689688][ T11] R13: ffffc90001edfdd0 R14: ffff88810092aa40 R15: dffffc0000000000
[ 364.690292][ T11] FS: 0000000000000000(0000) GS:ffff888764cee000(0000) knlGS:0000000000000000
[ 364.690957][ T11] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 364.691447][ T11] CR2: 00000000f6930000 CR3: 00000001314f6000 CR4: 00000000000406b0
[ 364.692071][ T11] Call Trace:
[ 364.692364][ T11] <TASK>
[ 364.692646][ T11] __list_del_entry (include/linux/list.h:224)
[ 364.693032][ T11] list_move_tail (include/linux/list.h:319)
[ 364.693413][ T11] move_linked_works (kernel/workqueue.c:1157)
[ 364.693821][ T11] assign_work (kernel/workqueue.c:1219)
[ 364.694194][ T11] worker_thread (kernel/workqueue.c:3438 (discriminator 1))
[ 364.694577][ T11] ? __sanitizer_cov_trace_pc (kernel/kcov.c:217 (discriminator 1))
[ 364.695012][ T11] ? process_scheduled_works (kernel/workqueue.c:3385)
[ 364.695453][ T11] kthread (kernel/kthread.c:467)
[ 364.695806][ T11] ? kthread_affine_node (kernel/kthread.c:412)
[ 364.696230][ T11] ret_from_fork (arch/x86/kernel/process.c:164)
[ 364.696611][ T11] ? write_comp_data (kernel/kcov.c:246 (discriminator 1))
[ 364.696998][ T11] ? arch_exit_to_user_mode_prepare+0x180/0x180
[ 364.697507][ T11] ? __switch_to (arch/x86/kernel/process_64.c:714)
[ 364.697890][ T11] ? kthread_affine_node (kernel/kthread.c:412)
[ 364.698427][ T11] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
[ 364.699047][ T11] </TASK>
[ 364.699491][ T11] Modules linked in: rcutorture(F-) torture(F) ipmi_msghandler(F) input_leds(F) led_class(F) evdev(F) mac_hid(F) parport_pc(F) parport(F)
[ 364.706068][ T11] ---[ end trace 0000000000000000 ]---
[ 364.706752][ T11] RIP: 0010:__list_del_entry_valid_or_report (lib/list_debug.c:65 (discriminator 1))
[ 364.707583][ T11] Code: ea 03 48 c1 e0 2a 80 3c 02 00 74 08 4c 89 e7 e8 be d0 64 00 49 8b 55 08 4c 89 e9 48 89 de 48 c7 c7 c0 13 d1 b8 e8 f8 66 fe ff <0f> 0b 5b b0 01 41 5c 41 5d 5d c3 cc cc cc cc cc cc cc cc cc cc cc
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20260322/202603222245.6c112aee-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki