From: Ming Lei <ming.lei@redhat.com>
To: Zhaoyang Huang <huangzhaoyang@gmail.com>
Cc: syzbot <syzbot+c104904eeb2c0edbdb06@syzkaller.appspotmail.com>,
	"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"syzkaller-bugs@googlegroups.com"
	<syzkaller-bugs@googlegroups.com>
Subject: Re: reply: [syzbot] [block?] BUG: corrupted list in loop_process_work
Date: Tue, 18 Feb 2025 11:33:15 +0800
Message-ID: <Z7P_ezl4qVmASrwH@fedora>
In-Reply-To: <CAGWkznFFN-wBXFc4ReCdEpFFNuc_m_EXDDopfQzZtTHt2t-wKw@mail.gmail.com>

Hello Zhaoyang,

On Tue, Feb 18, 2025 at 10:49:04AM +0800, Zhaoyang Huang wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    c674aa7c289e Add linux-next specific files for 20250212
> > git tree:       linux-next
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=125063f8580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=a0fd539126ae5541
> > dashboard link: https://syzkaller.appspot.com/bug?extid=c104904eeb2c0edbdb06
> > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=158a3bdf980000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17e18aa4580000
>  #syz test
> 
> diff --git a/drivers/block/loop.c b/drivers/block/loop.c
> index 68c943a77e41..354d77f9228b 100644
> --- a/drivers/block/loop.c
> +++ b/drivers/block/loop.c
> @@ -1972,7 +1972,8 @@ static void loop_process_work(struct loop_worker *worker,
>          * *and* the worker will not run again which ensures that it
>          * is safe to free any worker on the idle list
>          */
> -       if (worker && !work_pending(&worker->work)) {
> +       if (worker && !work_pending(&worker->work)
> +               && list_empty(&worker->idle_list)) {
>                 worker->last_ran_at = jiffies;
>                 list_add_tail(&worker->idle_list, &lo->idle_worker_list);
>                 loop_set_timer(lo);
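
Review bot: with `list_empty(&worker->idle_list)` added to the condition, a worker that is already linked on the idle list skips the whole block, so `worker->last_ran_at = jiffies` and `loop_set_timer(lo)` are skipped as well, and the worker keeps a stale timestamp although it has just run, while the comment above says workers on the idle list may be freed. If the goal is only to avoid a second `list_add_tail()`, guard that call alone and still refresh `last_ran_at`. The commit message should also explain how a worker can reach this point while still on `lo->idle_worker_list`, because the check hides that state rather than preventing it. `list_empty()` on the node is only meaningful if `idle_list` is initialised and always unlinked with `list_del_init()`, which this hunk does not show. Style: kernel convention puts `&&` at the end of the preceding line rather than at the start of the continuation.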

The `work` to be queued may originate from RB tree or lo->rootcg_work, so it may
be freed during queuing without the lock.

I think you may need to revert the patch.


Thanks,
Ming


Thread overview: 6+ messages
2025-02-14 19:58 [syzbot] [block?] BUG: corrupted list in loop_process_work syzbot
2025-02-15 23:40 ` Hillf Danton
2025-02-16  2:00   ` syzbot
2025-02-17  5:57 ` reply: " 黄朝阳 (Zhaoyang Huang)
2025-02-18  2:49   ` Zhaoyang Huang
2025-02-18  3:33     ` Ming Lei [this message]
