public inbox for io-uring@vger.kernel.org
* [syzbot] [io-uring?] BUG: corrupted list in io_poll_remove_entries
@ 2026-02-09 18:26 syzbot
  2026-02-09 18:50 ` Jens Axboe
  2026-02-09 20:18 ` Jens Axboe
  0 siblings, 2 replies; 7+ messages in thread
From: syzbot @ 2026-02-09 18:26 UTC (permalink / raw)
  To: axboe, io-uring, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    e7aa57247700 Merge tag 'spi-fix-v6.19-rc8' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14d3b65a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
dashboard link: https://syzkaller.appspot.com/bug?extid=ab12f0c08dd7ab8d057c
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1222965a580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140e833a580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c46beb4ff3a5/disk-e7aa5724.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d162bcaaf9b9/vmlinux-e7aa5724.xz
kernel image: https://storage.googleapis.com/syzbot-assets/54b0844b8ea7/bzImage-e7aa5724.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com

list_del corruption. prev->next should be ffff88807dc6c3f0, but was ffff888146b205c8. (prev=ffff888146b205c8)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:62!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5969 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
RIP: 0010:__list_del_entry_valid_or_report+0x14a/0x1d0 lib/list_debug.c:62
Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 40 3d fa 8b e8 37 b0 32 fc 90 <0f> 0b 4c 89 e7 e8 3c 24 5d fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc90003bffaa8 EFLAGS: 00010082
RAX: 000000000000006d RBX: ffff88807dc6c3f0 RCX: 0000000000000000
RDX: 000000000000006d RSI: ffffffff81e5d6c9 RDI: fffff5200077ff46
RBP: ffff888146b205c8 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000000000 R12: ffff88807dc6c2b0
R13: ffff88807dc6c408 R14: ffff88807dc6c3f0 R15: ffff88807dc6c3c8
FS:  0000000000000000(0000) GS:ffff8881245d9000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f60e56708c0 CR3: 000000006b065000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __list_del_entry_valid include/linux/list.h:132 [inline]
 __list_del_entry include/linux/list.h:223 [inline]
 list_del_init include/linux/list.h:295 [inline]
 io_poll_remove_waitq io_uring/poll.c:149 [inline]
 io_poll_remove_entry io_uring/poll.c:166 [inline]
 io_poll_remove_entries.part.0+0x156/0x7e0 io_uring/poll.c:197
 io_poll_remove_entries io_uring/poll.c:177 [inline]
 io_poll_task_func+0x39e/0xe30 io_uring/poll.c:343
 io_handle_tw_list+0x194/0x580 io_uring/io_uring.c:1122
 tctx_task_work_run+0x57/0x2b0 io_uring/io_uring.c:1182
 tctx_task_work+0x7a/0xd0 io_uring/io_uring.c:1200
 task_work_run+0x150/0x240 kernel/task_work.c:233
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x829/0x2a30 kernel/exit.c:971
 do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
 __do_sys_exit_group kernel/exit.c:1123 [inline]
 __se_sys_exit_group kernel/exit.c:1121 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1121
 x64_sys_call+0x14fd/0x1510 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f60e579aeb9
Code: Unable to access opcode bytes at 0x7f60e579ae8f.
RSP: 002b:00007ffc2d47ddf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f60e579aeb9
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 0000000000000000 R09: 00007f60e59e1280
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f60e59e1280 R14: 0000000000000003 R15: 00007ffc2d47deb0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x14a/0x1d0 lib/list_debug.c:62
Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 40 3d fa 8b e8 37 b0 32 fc 90 <0f> 0b 4c 89 e7 e8 3c 24 5d fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc90003bffaa8 EFLAGS: 00010082
RAX: 000000000000006d RBX: ffff88807dc6c3f0 RCX: 0000000000000000
RDX: 000000000000006d RSI: ffffffff81e5d6c9 RDI: fffff5200077ff46
RBP: ffff888146b205c8 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000000000 R12: ffff88807dc6c2b0
R13: ffff88807dc6c408 R14: ffff88807dc6c3f0 R15: ffff88807dc6c3c8
FS:  0000000000000000(0000) GS:ffff8881245d9000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f60e56708c0 CR3: 000000006b065000 CR4: 00000000003526f0


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [io-uring?] BUG: corrupted list in io_poll_remove_entries
  2026-02-09 18:26 [syzbot] [io-uring?] BUG: corrupted list in io_poll_remove_entries syzbot
@ 2026-02-09 18:50 ` Jens Axboe
  2026-02-09 22:04   ` Jens Axboe
  2026-02-09 20:18 ` Jens Axboe
  1 sibling, 1 reply; 7+ messages in thread
From: Jens Axboe @ 2026-02-09 18:50 UTC (permalink / raw)
  To: syzbot, io-uring, linux-kernel, syzkaller-bugs,
	Mauro Carvalho Chehab, linux-media

On 2/9/26 11:26 AM, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    e7aa57247700 Merge tag 'spi-fix-v6.19-rc8' of git://git.ke..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14d3b65a580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
> dashboard link: https://syzkaller.appspot.com/bug?extid=ab12f0c08dd7ab8d057c
> compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1222965a580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140e833a580000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/c46beb4ff3a5/disk-e7aa5724.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/d162bcaaf9b9/vmlinux-e7aa5724.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/54b0844b8ea7/bzImage-e7aa5724.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
> 
> list_del corruption. prev->next should be ffff88807dc6c3f0, but was ffff888146b205c8. (prev=ffff888146b205c8)
> ------------[ cut here ]------------
> kernel BUG at lib/list_debug.c:62!
> Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
> CPU: 0 UID: 0 PID: 5969 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
> RIP: 0010:__list_del_entry_valid_or_report+0x14a/0x1d0 lib/list_debug.c:62
> Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 40 3d fa 8b e8 37 b0 32 fc 90 <0f> 0b 4c 89 e7 e8 3c 24 5d fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
> RSP: 0018:ffffc90003bffaa8 EFLAGS: 00010082
> RAX: 000000000000006d RBX: ffff88807dc6c3f0 RCX: 0000000000000000
> RDX: 000000000000006d RSI: ffffffff81e5d6c9 RDI: fffff5200077ff46
> RBP: ffff888146b205c8 R08: 0000000000000005 R09: 0000000000000000
> R10: 0000000080000001 R11: 0000000000000000 R12: ffff88807dc6c2b0
> R13: ffff88807dc6c408 R14: ffff88807dc6c3f0 R15: ffff88807dc6c3c8
> FS:  0000000000000000(0000) GS:ffff8881245d9000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f60e56708c0 CR3: 000000006b065000 CR4: 00000000003526f0
> Call Trace:
>  <TASK>
>  __list_del_entry_valid include/linux/list.h:132 [inline]
>  __list_del_entry include/linux/list.h:223 [inline]
>  list_del_init include/linux/list.h:295 [inline]
>  io_poll_remove_waitq io_uring/poll.c:149 [inline]
>  io_poll_remove_entry io_uring/poll.c:166 [inline]
>  io_poll_remove_entries.part.0+0x156/0x7e0 io_uring/poll.c:197
>  io_poll_remove_entries io_uring/poll.c:177 [inline]
>  io_poll_task_func+0x39e/0xe30 io_uring/poll.c:343
>  io_handle_tw_list+0x194/0x580 io_uring/io_uring.c:1122
>  tctx_task_work_run+0x57/0x2b0 io_uring/io_uring.c:1182
>  tctx_task_work+0x7a/0xd0 io_uring/io_uring.c:1200
>  task_work_run+0x150/0x240 kernel/task_work.c:233
>  exit_task_work include/linux/task_work.h:40 [inline]
>  do_exit+0x829/0x2a30 kernel/exit.c:971
>  do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
>  __do_sys_exit_group kernel/exit.c:1123 [inline]
>  __se_sys_exit_group kernel/exit.c:1121 [inline]
>  __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1121
>  x64_sys_call+0x14fd/0x1510 arch/x86/include/generated/asm/syscalls_64.h:232
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f60e579aeb9
> Code: Unable to access opcode bytes at 0x7f60e579ae8f.
> RSP: 002b:00007ffc2d47ddf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f60e579aeb9
> RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: 0000000000000003 R08: 0000000000000000 R09: 00007f60e59e1280
> R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007f60e59e1280 R14: 0000000000000003 R15: 00007ffc2d47deb0
>  </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:__list_del_entry_valid_or_report+0x14a/0x1d0 lib/list_debug.c:62
> Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 40 3d fa 8b e8 37 b0 32 fc 90 <0f> 0b 4c 89 e7 e8 3c 24 5d fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
> RSP: 0018:ffffc90003bffaa8 EFLAGS: 00010082
> RAX: 000000000000006d RBX: ffff88807dc6c3f0 RCX: 0000000000000000
> RDX: 000000000000006d RSI: ffffffff81e5d6c9 RDI: fffff5200077ff46
> RBP: ffff888146b205c8 R08: 0000000000000005 R09: 0000000000000000
> R10: 0000000080000001 R11: 0000000000000000 R12: ffff88807dc6c2b0
> R13: ffff88807dc6c408 R14: ffff88807dc6c3f0 R15: ffff88807dc6c3c8
> FS:  0000000000000000(0000) GS:ffff8881245d9000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f60e56708c0 CR3: 000000006b065000 CR4: 00000000003526f0

This looks like a bug related to dvb polling, presumably in dvb_dvr_poll()
or friends. I've seen that in drivers before, for example comedi, see:

commit 35b6fc51c666fc96355be5cd633ed0fe4ccf68b2
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Jul 22 16:53:16 2025 +0100

    comedi: fix race between polling and detaching

as a reference.

#syz set subsystems: media

-- 
Jens Axboe



* Re: [syzbot] [io-uring?] BUG: corrupted list in io_poll_remove_entries
  2026-02-09 18:26 [syzbot] [io-uring?] BUG: corrupted list in io_poll_remove_entries syzbot
  2026-02-09 18:50 ` Jens Axboe
@ 2026-02-09 20:18 ` Jens Axboe
  2026-02-09 20:50   ` [syzbot] [media] " syzbot
  2026-02-10 22:16   ` [syzbot] [io-uring?] " Jens Axboe
  1 sibling, 2 replies; 7+ messages in thread
From: Jens Axboe @ 2026-02-09 20:18 UTC (permalink / raw)
  To: syzbot, io-uring, linux-kernel, syzkaller-bugs,
	Mauro Carvalho Chehab, linux-media

On 2/9/26 11:26 AM, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    e7aa57247700 Merge tag 'spi-fix-v6.19-rc8' of git://git.ke..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14d3b65a580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
> dashboard link: https://syzkaller.appspot.com/bug?extid=ab12f0c08dd7ab8d057c
> compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1222965a580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140e833a580000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/c46beb4ff3a5/disk-e7aa5724.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/d162bcaaf9b9/vmlinux-e7aa5724.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/54b0844b8ea7/bzImage-e7aa5724.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
> 
> list_del corruption. prev->next should be ffff88807dc6c3f0, but was ffff888146b205c8. (prev=ffff888146b205c8)
> ------------[ cut here ]------------
> kernel BUG at lib/list_debug.c:62!
> Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
> CPU: 0 UID: 0 PID: 5969 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
> RIP: 0010:__list_del_entry_valid_or_report+0x14a/0x1d0 lib/list_debug.c:62
> Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 40 3d fa 8b e8 37 b0 32 fc 90 <0f> 0b 4c 89 e7 e8 3c 24 5d fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
> RSP: 0018:ffffc90003bffaa8 EFLAGS: 00010082
> RAX: 000000000000006d RBX: ffff88807dc6c3f0 RCX: 0000000000000000
> RDX: 000000000000006d RSI: ffffffff81e5d6c9 RDI: fffff5200077ff46
> RBP: ffff888146b205c8 R08: 0000000000000005 R09: 0000000000000000
> R10: 0000000080000001 R11: 0000000000000000 R12: ffff88807dc6c2b0
> R13: ffff88807dc6c408 R14: ffff88807dc6c3f0 R15: ffff88807dc6c3c8
> FS:  0000000000000000(0000) GS:ffff8881245d9000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f60e56708c0 CR3: 000000006b065000 CR4: 00000000003526f0
> Call Trace:
>  <TASK>
>  __list_del_entry_valid include/linux/list.h:132 [inline]
>  __list_del_entry include/linux/list.h:223 [inline]
>  list_del_init include/linux/list.h:295 [inline]
>  io_poll_remove_waitq io_uring/poll.c:149 [inline]
>  io_poll_remove_entry io_uring/poll.c:166 [inline]
>  io_poll_remove_entries.part.0+0x156/0x7e0 io_uring/poll.c:197
>  io_poll_remove_entries io_uring/poll.c:177 [inline]
>  io_poll_task_func+0x39e/0xe30 io_uring/poll.c:343
>  io_handle_tw_list+0x194/0x580 io_uring/io_uring.c:1122
>  tctx_task_work_run+0x57/0x2b0 io_uring/io_uring.c:1182
>  tctx_task_work+0x7a/0xd0 io_uring/io_uring.c:1200
>  task_work_run+0x150/0x240 kernel/task_work.c:233
>  exit_task_work include/linux/task_work.h:40 [inline]
>  do_exit+0x829/0x2a30 kernel/exit.c:971
>  do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
>  __do_sys_exit_group kernel/exit.c:1123 [inline]
>  __se_sys_exit_group kernel/exit.c:1121 [inline]
>  __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1121
>  x64_sys_call+0x14fd/0x1510 arch/x86/include/generated/asm/syscalls_64.h:232
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f60e579aeb9
> Code: Unable to access opcode bytes at 0x7f60e579ae8f.
> RSP: 002b:00007ffc2d47ddf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f60e579aeb9
> RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: 0000000000000003 R08: 0000000000000000 R09: 00007f60e59e1280
> R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007f60e59e1280 R14: 0000000000000003 R15: 00007ffc2d47deb0
>  </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:__list_del_entry_valid_or_report+0x14a/0x1d0 lib/list_debug.c:62
> Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 40 3d fa 8b e8 37 b0 32 fc 90 <0f> 0b 4c 89 e7 e8 3c 24 5d fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
> RSP: 0018:ffffc90003bffaa8 EFLAGS: 00010082
> RAX: 000000000000006d RBX: ffff88807dc6c3f0 RCX: 0000000000000000
> RDX: 000000000000006d RSI: ffffffff81e5d6c9 RDI: fffff5200077ff46
> RBP: ffff888146b205c8 R08: 0000000000000005 R09: 0000000000000000
> R10: 0000000080000001 R11: 0000000000000000 R12: ffff88807dc6c2b0
> R13: ffff88807dc6c408 R14: ffff88807dc6c3f0 R15: ffff88807dc6c3c8
> FS:  0000000000000000(0000) GS:ffff8881245d9000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f60e56708c0 CR3: 000000006b065000 CR4: 00000000003526f0

#syz test

diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index 8c6f5aafda1d..5cb46109d1ff 100644
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -168,7 +168,9 @@ static int dvb_dvr_open(struct inode *inode, struct file *file)
 			mutex_unlock(&dmxdev->mutex);
 			return -ENOMEM;
 		}
-		dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE);
+		dmxdev->dvr_buffer.data = mem;
+		dmxdev->dvr_buffer.size = DVR_BUFFER_SIZE;
+		dvb_ringbuffer_reset(&dmxdev->dvr_buffer);
 		if (dmxdev->may_do_mmap)
 			dvb_vb2_init(&dmxdev->dvr_vb2_ctx, "dvr",
 				     file->f_flags & O_NONBLOCK);
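
Review bot: the new lines in dvb_dvr_open() carry no comment explaining why dvb_ringbuffer_init() is being avoided, so a later cleanup could easily fold `.data = mem; .size = DVR_BUFFER_SIZE; dvb_ringbuffer_reset()` back into the helper and reintroduce the bug. The reason, per the analysis in this thread, is that the init helper also re-initialises the ring buffer's wait queue head, which orphans poll waiters (epoll or io_uring) that another opener of the same dvr node already linked there; a one-line comment above the assignments, e.g. `/* do not re-init dvr_buffer.queue: another opener's poll waiters may be linked */`, would make that intent survive review. It would also be worth confirming that the wait queue head is initialised exactly once at device setup, since with this hunk nothing on the open path initialises it any more.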

-- 
Jens Axboe


* Re: [syzbot] [media] BUG: corrupted list in io_poll_remove_entries
  2026-02-09 20:18 ` Jens Axboe
@ 2026-02-09 20:50   ` syzbot
  2026-02-10 22:16   ` [syzbot] [io-uring?] " Jens Axboe
  1 sibling, 0 replies; 7+ messages in thread
From: syzbot @ 2026-02-09 20:50 UTC (permalink / raw)
  To: axboe, io-uring, linux-kernel, linux-media, mchehab,
	syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
Tested-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com

Tested on:

commit:         05f7e89a Linux 6.19
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15956a52580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
dashboard link: https://syzkaller.appspot.com/bug?extid=ab12f0c08dd7ab8d057c
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17da94aa580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [io-uring?] BUG: corrupted list in io_poll_remove_entries
  2026-02-09 18:50 ` Jens Axboe
@ 2026-02-09 22:04   ` Jens Axboe
  0 siblings, 0 replies; 7+ messages in thread
From: Jens Axboe @ 2026-02-09 22:04 UTC (permalink / raw)
  To: syzbot, io-uring, linux-kernel, syzkaller-bugs,
	Mauro Carvalho Chehab, linux-media

On 2/9/26 11:50 AM, Jens Axboe wrote:
> On 2/9/26 11:26 AM, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    e7aa57247700 Merge tag 'spi-fix-v6.19-rc8' of git://git.ke..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=14d3b65a580000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
>> dashboard link: https://syzkaller.appspot.com/bug?extid=ab12f0c08dd7ab8d057c
>> compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1222965a580000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140e833a580000
>>
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/c46beb4ff3a5/disk-e7aa5724.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/d162bcaaf9b9/vmlinux-e7aa5724.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/54b0844b8ea7/bzImage-e7aa5724.xz
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
>>
>> list_del corruption. prev->next should be ffff88807dc6c3f0, but was ffff888146b205c8. (prev=ffff888146b205c8)
>> ------------[ cut here ]------------
>> kernel BUG at lib/list_debug.c:62!
>> Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
>> CPU: 0 UID: 0 PID: 5969 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
>> RIP: 0010:__list_del_entry_valid_or_report+0x14a/0x1d0 lib/list_debug.c:62
>> Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 40 3d fa 8b e8 37 b0 32 fc 90 <0f> 0b 4c 89 e7 e8 3c 24 5d fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
>> RSP: 0018:ffffc90003bffaa8 EFLAGS: 00010082
>> RAX: 000000000000006d RBX: ffff88807dc6c3f0 RCX: 0000000000000000
>> RDX: 000000000000006d RSI: ffffffff81e5d6c9 RDI: fffff5200077ff46
>> RBP: ffff888146b205c8 R08: 0000000000000005 R09: 0000000000000000
>> R10: 0000000080000001 R11: 0000000000000000 R12: ffff88807dc6c2b0
>> R13: ffff88807dc6c408 R14: ffff88807dc6c3f0 R15: ffff88807dc6c3c8
>> FS:  0000000000000000(0000) GS:ffff8881245d9000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00007f60e56708c0 CR3: 000000006b065000 CR4: 00000000003526f0
>> Call Trace:
>>  <TASK>
>>  __list_del_entry_valid include/linux/list.h:132 [inline]
>>  __list_del_entry include/linux/list.h:223 [inline]
>>  list_del_init include/linux/list.h:295 [inline]
>>  io_poll_remove_waitq io_uring/poll.c:149 [inline]
>>  io_poll_remove_entry io_uring/poll.c:166 [inline]
>>  io_poll_remove_entries.part.0+0x156/0x7e0 io_uring/poll.c:197
>>  io_poll_remove_entries io_uring/poll.c:177 [inline]
>>  io_poll_task_func+0x39e/0xe30 io_uring/poll.c:343
>>  io_handle_tw_list+0x194/0x580 io_uring/io_uring.c:1122
>>  tctx_task_work_run+0x57/0x2b0 io_uring/io_uring.c:1182
>>  tctx_task_work+0x7a/0xd0 io_uring/io_uring.c:1200
>>  task_work_run+0x150/0x240 kernel/task_work.c:233
>>  exit_task_work include/linux/task_work.h:40 [inline]
>>  do_exit+0x829/0x2a30 kernel/exit.c:971
>>  do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
>>  __do_sys_exit_group kernel/exit.c:1123 [inline]
>>  __se_sys_exit_group kernel/exit.c:1121 [inline]
>>  __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1121
>>  x64_sys_call+0x14fd/0x1510 arch/x86/include/generated/asm/syscalls_64.h:232
>>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>>  do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
>>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>> RIP: 0033:0x7f60e579aeb9
>> Code: Unable to access opcode bytes at 0x7f60e579ae8f.
>> RSP: 002b:00007ffc2d47ddf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
>> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f60e579aeb9
>> RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
>> RBP: 0000000000000003 R08: 0000000000000000 R09: 00007f60e59e1280
>> R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
>> R13: 00007f60e59e1280 R14: 0000000000000003 R15: 00007ffc2d47deb0
>>  </TASK>
>> Modules linked in:
>> ---[ end trace 0000000000000000 ]---
>> RIP: 0010:__list_del_entry_valid_or_report+0x14a/0x1d0 lib/list_debug.c:62
>> Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 40 3d fa 8b e8 37 b0 32 fc 90 <0f> 0b 4c 89 e7 e8 3c 24 5d fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
>> RSP: 0018:ffffc90003bffaa8 EFLAGS: 00010082
>> RAX: 000000000000006d RBX: ffff88807dc6c3f0 RCX: 0000000000000000
>> RDX: 000000000000006d RSI: ffffffff81e5d6c9 RDI: fffff5200077ff46
>> RBP: ffff888146b205c8 R08: 0000000000000005 R09: 0000000000000000
>> R10: 0000000080000001 R11: 0000000000000000 R12: ffff88807dc6c2b0
>> R13: ffff88807dc6c408 R14: ffff88807dc6c3f0 R15: ffff88807dc6c3c8
>> FS:  0000000000000000(0000) GS:ffff8881245d9000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00007f60e56708c0 CR3: 000000006b065000 CR4: 00000000003526f0
> 
> This looks like a bug related to dvb polling, presumably in dvb_dvr_poll()
> or friends. I've seen that in drivers before, for example comedi, see:

As per the other email, I believe this analysis was correct. Here's an
epoll based reproducer for the same issue, showing the problem with dvb
blowing away poll waitqueues. Crash here:

list_del corruption. prev->next should be ff1100004a299148, but was ff1100004169c5c8. (prev=ff1100004169c5c8)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:62!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 10044 Comm: dvr-poll-repro Not tainted 6.19.0-g05f7e89ab973 #422 PREEMPT(full) 
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:__list_del_entry_valid_or_report+0x178/0x280
Code: fc ff df 48 89 d1 48 c1 e9 03 80 3c 01 00 0f 85 07 01 00 00 48 8b 02 48 89 d1 48 c7 c7 40 44 1a 8c 48 89 c2 e8 39 d5 2e fc 90 <0f> 0b 48 89 cf 48 89 74 24 10 48 89 0c 24 48 89 44 24 08 e8 b0 2b
RSP: 0018:ffa000000c74fd30 EFLAGS: 00010082
RAX: 000000000000006d RBX: ff1100004a299130 RCX: 0000000000000000
RDX: 000000000000006d RSI: ffffffff81e76a0e RDI: fff3fc00018e9f97
RBP: ff1100004a299148 R08: ffffffff81e6f6f7 R09: 0000000000000001
R10: 0000000000000005 R11: 0000000000000000 R12: ff1100004169c588
R13: 0000000000000286 R14: ff1100004a354c00 R15: ff1100004a299120
FS:  00007f486cac8740(0000) GS:ff110000975d4000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005599332e7fe0 CR3: 000000006a752000 CR4: 0000000000351ef0
Call Trace:
 <TASK>
 ? srso_alias_return_thunk+0x5/0xfbef5
 remove_wait_queue+0x28/0x1b0
 ep_remove_wait_queue+0x85/0x1d0
 ep_clear_and_put+0x186/0x420
 ? __pfx_ep_eventpoll_release+0x10/0x10
 ep_eventpoll_release+0x3e/0x60
 __fput+0x3fd/0xb40
 fput_close_sync+0x113/0x250
 ? __pfx_fput_close_sync+0x10/0x10
 __x64_sys_close+0x8b/0x120
 do_syscall_64+0xcb/0xf80
 ? srso_alias_return_thunk+0x5/0xfbef5
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f486cb5ceb2
Code: 18 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 1a 83 e2 39 83 fa 08 75 12 e8 2b ff ff ff 0f 1f 00 49 89 ca 48 8b 44 24 20 0f 05 <48> 83 c4 18 c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 10 ff 74 24 18
RSP: 002b:00007ffe5521f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f486cb5ceb2
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007ffe5521f140 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000001
R13: 00007f486cd0a000 R14: 00007ffe5521f298 R15: 00005643adab8dd8
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x178/0x280
Code: fc ff df 48 89 d1 48 c1 e9 03 80 3c 01 00 0f 85 07 01 00 00 48 8b 02 48 89 d1 48 c7 c7 40 44 1a 8c 48 89 c2 e8 39 d5 2e fc 90 <0f> 0b 48 89 cf 48 89 74 24 10 48 89 0c 24 48 89 44 24 08 e8 b0 2b
RSP: 0018:ffa000000c74fd30 EFLAGS: 00010082
RAX: 000000000000006d RBX: ff1100004a299130 RCX: 0000000000000000
RDX: 000000000000006d RSI: ffffffff81e76a0e RDI: fff3fc00018e9f97
RBP: ff1100004a299148 R08: ffffffff81e6f6f7 R09: 0000000000000001
R10: 0000000000000005 R11: 0000000000000000 R12: ff1100004169c588
R13: 0000000000000286 R14: ff1100004a354c00 R15: ff1100004a299120
FS:  00007f486cac8740(0000) GS:ff110000975d4000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005599332e7fe0 CR3: 000000006a752000 CR4: 0000000000351ef0

Reproducer:


#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/epoll.h>
#include <unistd.h>

#define DVR_PATH	"/dev/dvb/adapter0/dvr0"
#define NR_ITERATIONS	100

static int test_dvr_poll(int iter)
{
	struct epoll_event ev;
	int dvr_fd, dvr_fd2, epfd;
	int ret = -1;

	dvr_fd = open(DVR_PATH, O_RDWR | O_WRONLY);
	if (dvr_fd < 0) {
		perror("open " DVR_PATH);
		return -1;
	}

	epfd = epoll_create1(0);
	if (epfd < 0) {
		perror("epoll_create1");
		goto close_dvr;
	}
	memset(&ev, 0, sizeof(ev));
	ev.events = EPOLLIN;
	ev.data.fd = dvr_fd;
	if (epoll_ctl(epfd, EPOLL_CTL_ADD, dvr_fd, &ev) < 0) {
		perror("epoll_ctl ADD");
		goto close_ep;
	}

	dvr_fd2 = open(DVR_PATH, O_RDONLY);
	if (dvr_fd2 < 0) {
		perror("open " DVR_PATH " O_RDONLY");
		goto close_ep;
	}

	close(dvr_fd2);
	ret = 0;
close_ep:
	close(epfd);
close_dvr:
	close(dvr_fd);
	return ret;
}

int main(int argc, char *argv[])
{
	int i, iterations = NR_ITERATIONS;

	if (argc > 1)
		iterations = atoi(argv[1]);

	for (i = 0; i < iterations; i++) {
		if (test_dvr_poll(i))
			return 1;
	}

	return 0;
}

-- 
Jens Axboe
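
The failure mode Jens points at in both his analysis and the epoll reproducer above (a second opener re-initialising the dvr buffer's wait queue head and thereby "blowing away" poll waiters that are still linked), modelled in user space as an added example that is not code from this thread or from the kernel. The list primitives, the CONFIG_DEBUG_LIST-style check and both `scenario_*` functions are our own stand-ins for include/linux/list.h, lib/list_debug.c and the dvb open path, so the reader can see why the check reports `prev->next should be X, but was Y. (prev=Y)` with Y equal to the head:

```c
/* Added example, not from the thread: user-space model of the list_del
 * corruption caused by re-initialising a wait queue head under a waiter. */
#include <stdbool.h>
#include <stdio.h>

struct list_node {
	struct list_node *next, *prev;
};

static void list_init(struct list_node *h)
{
	h->next = h->prev = h;
}

static void list_add_head(struct list_node *n, struct list_node *head)
{
	n->next = head->next;
	n->prev = head;
	head->next->prev = n;
	head->next = n;
}

/* Report from the last failed check; empty when the last unlink was clean. */
static char last_report[160];

const char *last_list_report(void)
{
	return last_report;
}

/* The CONFIG_DEBUG_LIST consistency test run before every unlink: both
 * neighbours must still point back at the node.  Records the report and
 * returns false where the kernel would call BUG(). */
static bool list_del_entry_valid(const struct list_node *n)
{
	const struct list_node *prev = n->prev, *next = n->next;

	last_report[0] = '\0';
	if (prev->next != n)
		snprintf(last_report, sizeof(last_report),
			 "list_del corruption. prev->next should be %p, but was %p. (prev=%p)",
			 (const void *)n, (const void *)prev->next, (const void *)prev);
	else if (next->prev != n)
		snprintf(last_report, sizeof(last_report),
			 "list_del corruption. next->prev should be %p, but was %p. (next=%p)",
			 (const void *)n, (const void *)next->prev, (const void *)next);
	return last_report[0] == '\0';
}

static bool list_del_checked(struct list_node *n)
{
	if (!list_del_entry_valid(n))
		return false;
	n->prev->next = n->next;
	n->next->prev = n->prev;
	list_init(n);
	return true;
}

/* Stand-ins for wait_queue_head_t and one poll waiter (epoll or io_uring). */
struct wq_head { struct list_node waiters; };
struct wq_entry { struct list_node link; };

static void wq_head_init(struct wq_head *wqh) { list_init(&wqh->waiters); }
static void wq_add(struct wq_head *wqh, struct wq_entry *w) { list_add_head(&w->link, &wqh->waiters); }

/* Buggy pattern: per-open setup re-runs the head initialiser while another
 * opener's poll waiter is still linked.  The waiter still points at the head,
 * the head no longer points at the waiter, and the remove at close time trips
 * the check.  Returns false where the real kernel oopses. */
bool scenario_reinit_per_open(void)
{
	struct wq_head wqh;
	struct wq_entry poll_waiter;

	wq_head_init(&wqh);                         /* first open() */
	wq_add(&wqh, &poll_waiter);                 /* poll armed on that fd */
	wq_head_init(&wqh);                         /* second open(): head reset */
	return list_del_checked(&poll_waiter.link); /* close(): remove waiter */
}

/* Fixed pattern: the head is initialised once for the device's lifetime and
 * per-open code resets only the buffer fields, so the waiter unlinks cleanly. */
bool scenario_init_once(void)
{
	struct wq_head wqh;
	struct wq_entry poll_waiter;

	wq_head_init(&wqh);                         /* device setup, once */
	wq_add(&wqh, &poll_waiter);
	/* second open(): buffer data/size/indices reset, waiters left alone */
	return list_del_checked(&poll_waiter.link);
}

int main(void)
{
	printf("reinit per open: %s\n", scenario_reinit_per_open() ? "ok" : last_report);
	printf("init once:       %s\n", scenario_init_once() ? "ok" : last_report);
	return 0;
}
```

In the buggy scenario the report's "but was" and "prev" values are the same address, exactly the shape of the two oopses quoted in this thread, because the waiter's `prev` is the head and the re-initialised head now points only at itself.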


* Re: [syzbot] [io-uring?] BUG: corrupted list in io_poll_remove_entries
  2026-02-09 20:18 ` Jens Axboe
  2026-02-09 20:50   ` [syzbot] [media] " syzbot
@ 2026-02-10 22:16   ` Jens Axboe
  2026-02-12  0:14     ` Jens Axboe
  1 sibling, 1 reply; 7+ messages in thread
From: Jens Axboe @ 2026-02-10 22:16 UTC (permalink / raw)
  To: syzbot, io-uring, linux-kernel, syzkaller-bugs,
	Mauro Carvalho Chehab, linux-media

On 2/9/26 1:18 PM, Jens Axboe wrote:
> On 2/9/26 11:26 AM, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    e7aa57247700 Merge tag 'spi-fix-v6.19-rc8' of git://git.ke..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=14d3b65a580000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
>> dashboard link: https://syzkaller.appspot.com/bug?extid=ab12f0c08dd7ab8d057c
>> compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1222965a580000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140e833a580000
>>
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/c46beb4ff3a5/disk-e7aa5724.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/d162bcaaf9b9/vmlinux-e7aa5724.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/54b0844b8ea7/bzImage-e7aa5724.xz
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
>>
>> list_del corruption. prev->next should be ffff88807dc6c3f0, but was ffff888146b205c8. (prev=ffff888146b205c8)
>> ------------[ cut here ]------------
>> kernel BUG at lib/list_debug.c:62!
>> Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
>> CPU: 0 UID: 0 PID: 5969 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
>> RIP: 0010:__list_del_entry_valid_or_report+0x14a/0x1d0 lib/list_debug.c:62
>> Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 40 3d fa 8b e8 37 b0 32 fc 90 <0f> 0b 4c 89 e7 e8 3c 24 5d fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
>> RSP: 0018:ffffc90003bffaa8 EFLAGS: 00010082
>> RAX: 000000000000006d RBX: ffff88807dc6c3f0 RCX: 0000000000000000
>> RDX: 000000000000006d RSI: ffffffff81e5d6c9 RDI: fffff5200077ff46
>> RBP: ffff888146b205c8 R08: 0000000000000005 R09: 0000000000000000
>> R10: 0000000080000001 R11: 0000000000000000 R12: ffff88807dc6c2b0
>> R13: ffff88807dc6c408 R14: ffff88807dc6c3f0 R15: ffff88807dc6c3c8
>> FS:  0000000000000000(0000) GS:ffff8881245d9000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00007f60e56708c0 CR3: 000000006b065000 CR4: 00000000003526f0
>> Call Trace:
>>  <TASK>
>>  __list_del_entry_valid include/linux/list.h:132 [inline]
>>  __list_del_entry include/linux/list.h:223 [inline]
>>  list_del_init include/linux/list.h:295 [inline]
>>  io_poll_remove_waitq io_uring/poll.c:149 [inline]
>>  io_poll_remove_entry io_uring/poll.c:166 [inline]
>>  io_poll_remove_entries.part.0+0x156/0x7e0 io_uring/poll.c:197
>>  io_poll_remove_entries io_uring/poll.c:177 [inline]
>>  io_poll_task_func+0x39e/0xe30 io_uring/poll.c:343
>>  io_handle_tw_list+0x194/0x580 io_uring/io_uring.c:1122
>>  tctx_task_work_run+0x57/0x2b0 io_uring/io_uring.c:1182
>>  tctx_task_work+0x7a/0xd0 io_uring/io_uring.c:1200
>>  task_work_run+0x150/0x240 kernel/task_work.c:233
>>  exit_task_work include/linux/task_work.h:40 [inline]
>>  do_exit+0x829/0x2a30 kernel/exit.c:971
>>  do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
>>  __do_sys_exit_group kernel/exit.c:1123 [inline]
>>  __se_sys_exit_group kernel/exit.c:1121 [inline]
>>  __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1121
>>  x64_sys_call+0x14fd/0x1510 arch/x86/include/generated/asm/syscalls_64.h:232
>>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>>  do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
>>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>> RIP: 0033:0x7f60e579aeb9
>> Code: Unable to access opcode bytes at 0x7f60e579ae8f.
>> RSP: 002b:00007ffc2d47ddf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
>> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f60e579aeb9
>> RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
>> RBP: 0000000000000003 R08: 0000000000000000 R09: 00007f60e59e1280
>> R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
>> R13: 00007f60e59e1280 R14: 0000000000000003 R15: 00007ffc2d47deb0
>>  </TASK>
>> Modules linked in:
>> ---[ end trace 0000000000000000 ]---
>> RIP: 0010:__list_del_entry_valid_or_report+0x14a/0x1d0 lib/list_debug.c:62
>> Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 40 3d fa 8b e8 37 b0 32 fc 90 <0f> 0b 4c 89 e7 e8 3c 24 5d fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
>> RSP: 0018:ffffc90003bffaa8 EFLAGS: 00010082
>> RAX: 000000000000006d RBX: ffff88807dc6c3f0 RCX: 0000000000000000
>> RDX: 000000000000006d RSI: ffffffff81e5d6c9 RDI: fffff5200077ff46
>> RBP: ffff888146b205c8 R08: 0000000000000005 R09: 0000000000000000
>> R10: 0000000080000001 R11: 0000000000000000 R12: ffff88807dc6c2b0
>> R13: ffff88807dc6c408 R14: ffff88807dc6c3f0 R15: ffff88807dc6c3c8
>> FS:  0000000000000000(0000) GS:ffff8881245d9000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00007f60e56708c0 CR3: 000000006b065000 CR4: 00000000003526f0
> 
> #syz test
> 
> diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
> index 8c6f5aafda1d..5cb46109d1ff 100644
> --- a/drivers/media/dvb-core/dmxdev.c
> +++ b/drivers/media/dvb-core/dmxdev.c
> @@ -168,7 +168,9 @@ static int dvb_dvr_open(struct inode *inode, struct file *file)
>  			mutex_unlock(&dmxdev->mutex);
>  			return -ENOMEM;
>  		}
> -		dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE);
> +		dmxdev->dvr_buffer.data = mem;
> +		dmxdev->dvr_buffer.size = DVR_BUFFER_SIZE;
> +		dvb_ringbuffer_reset(&dmxdev->dvr_buffer);
>  		if (dmxdev->may_do_mmap)
>  			dvb_vb2_init(&dmxdev->dvr_vb2_ctx, "dvr",
>  				     file->f_flags & O_NONBLOCK);
> 
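Review bot: the replacement of `-		dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE);` by the three `+` lines carries no comment explaining why a full init must not run on every open(). The trace above dies in io_poll_remove_waitq on this buffer's wait queue, and the reported `prev->next` being equal to `prev` is exactly what a freshly initialised, empty list head looks like, so a one-line comment at `dmxdev->dvr_buffer.data = mem;` along the lines of "reset positions only; pollers may still be linked into the wait queue" would stop a future cleanup from folding this back into dvb_ringbuffer_init(). The commit message should also say where dvr_buffer now gets its one-time initialisation (wait queue and lock), since this path no longer provides it.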

Mauro and other maintainers, this is literally the same issue as one reported
last year:

https://lore.kernel.org/linux-media/20250407091619.11250-1-superman.xpt@gmail.com/

and I'm honestly a bit surprised that nobody has dealt with this; it was 10 months ago.
And syzbot is still hitting it, literally crashing the box.

Hmm?

-- 
Jens Axboe

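The failure mode behind the patch above, as an added user-space model that is not code from this thread, from the dvb-core driver or from io_uring: a doubly linked list head standing in for the ring buffer's wait queue is re-initialised while a waiter is still linked into it, and the waiter's later removal trips the same neighbour check that lib/list_debug.c performs. The model assumes (not shown in the thread) that the driver's full init also recreates the wait queue head, which is the reason only a reset of the read/write positions is safe on a repeated open(); the names ringbuf, waiter and reopen_with_waiter are invented for the example. Note that the report's `prev->next ... was ffff888146b205c8 (prev=ffff888146b205c8)` has prev->next pointing at prev itself, which is what this model reproduces.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal doubly linked list in the style of include/linux/list.h. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *head) { head->next = head->prev = head; }

static void list_add(struct list_head *entry, struct list_head *head)
{
    entry->next = head->next;
    entry->prev = head;
    head->next->prev = entry;
    head->next = entry;
}

/* The consistency checks lib/list_debug.c runs before unlinking: both
 * neighbours must still point back at the entry being removed. */
static bool list_del_entry_valid(const struct list_head *entry)
{
    if (entry->prev->next != entry) {
        printf("list_del corruption. prev->next should be %p, but was %p. (prev=%p)\n",
               (void *)entry, (void *)entry->prev->next, (void *)entry->prev);
        return false;
    }
    if (entry->next->prev != entry) {
        printf("list_del corruption. next->prev should be %p, but was %p. (next=%p)\n",
               (void *)entry, (void *)entry->next->prev, (void *)entry->next);
        return false;
    }
    return true;
}

/* list_del_init() with the check in front; returns false instead of BUG(). */
static bool list_del_checked(struct list_head *entry)
{
    if (!list_del_entry_valid(entry))
        return false;
    entry->prev->next = entry->next;
    entry->next->prev = entry->prev;
    list_init(entry);
    return true;
}

/* Toy stand-in for the driver's ring buffer: storage, read/write positions
 * and a list of waiters (the kernel keeps a wait_queue_head_t here). */
struct ringbuf {
    unsigned char *data;
    size_t size;
    size_t pread, pwrite;
    struct list_head queue;
};

struct waiter { struct list_head entry; int id; };

/* Full initialisation: also recreates the waiter list head. Assumption for
 * this model: the driver's dvb_ringbuffer_init() likewise (re)initialises
 * its wait queue, which is why running it on every open() is unsafe. */
static void ringbuf_init(struct ringbuf *rb, unsigned char *data, size_t size)
{
    rb->data = data;
    rb->size = size;
    rb->pread = rb->pwrite = 0;
    list_init(&rb->queue);
}

/* Reset only the positions; waiters stay linked (what the patch switches to). */
static void ringbuf_reset(struct ringbuf *rb) { rb->pread = rb->pwrite = 0; }

/* Scenario: a poller is linked into the queue, the device is opened a second
 * time, then the poller tears its entry down (as io_poll_remove_waitq does in
 * the trace). Returns true if the teardown found the list intact. */
static bool reopen_with_waiter(bool full_init_on_reopen)
{
    static unsigned char mem[64];
    struct ringbuf rb;
    struct waiter w;

    w.id = 1;
    ringbuf_init(&rb, mem, sizeof mem);      /* one-time setup */
    list_add(&w.entry, &rb.queue);           /* poll() registers the waiter */

    if (full_init_on_reopen) {
        ringbuf_init(&rb, mem, sizeof mem);  /* bug: head points at itself, w still points at head */
    } else {
        rb.data = mem;                       /* patched path: keep the queue, reset positions */
        rb.size = sizeof mem;
        ringbuf_reset(&rb);
    }

    return list_del_checked(&w.entry);       /* poll cancel / task exit */
}

int main(void)
{
    printf("full init on reopen: %s\n", reopen_with_waiter(true) ? "list ok" : "corruption detected");
    printf("reset on reopen:     %s\n", reopen_with_waiter(false) ? "list ok" : "corruption detected");
    return 0;
}
```

The model returns false instead of hitting BUG() so that the two paths can be compared in one run; in the kernel the equivalent check is fatal, which is why an unprivileged open() of the device is enough to take the machine down.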


* Re: [syzbot] [io-uring?] BUG: corrupted list in io_poll_remove_entries
  2026-02-10 22:16   ` [syzbot] [io-uring?] " Jens Axboe
@ 2026-02-12  0:14     ` Jens Axboe
  0 siblings, 0 replies; 7+ messages in thread
From: Jens Axboe @ 2026-02-12  0:14 UTC (permalink / raw)
  To: syzbot, io-uring, linux-kernel, syzkaller-bugs,
	Mauro Carvalho Chehab, linux-media

On 2/10/26 3:16 PM, Jens Axboe wrote:
> On 2/9/26 1:18 PM, Jens Axboe wrote:
>> On 2/9/26 11:26 AM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following issue on:
>>>
>>> HEAD commit:    e7aa57247700 Merge tag 'spi-fix-v6.19-rc8' of git://git.ke..
>>> git tree:       upstream
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=14d3b65a580000
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=ab12f0c08dd7ab8d057c
>>> compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1222965a580000
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140e833a580000
>>>
>>> Downloadable assets:
>>> disk image: https://storage.googleapis.com/syzbot-assets/c46beb4ff3a5/disk-e7aa5724.raw.xz
>>> vmlinux: https://storage.googleapis.com/syzbot-assets/d162bcaaf9b9/vmlinux-e7aa5724.xz
>>> kernel image: https://storage.googleapis.com/syzbot-assets/54b0844b8ea7/bzImage-e7aa5724.xz
>>>
>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>> Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
>>>
>>> list_del corruption. prev->next should be ffff88807dc6c3f0, but was ffff888146b205c8. (prev=ffff888146b205c8)
>>> ------------[ cut here ]------------
>>> kernel BUG at lib/list_debug.c:62!
>>> Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
>>> CPU: 0 UID: 0 PID: 5969 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
>>> RIP: 0010:__list_del_entry_valid_or_report+0x14a/0x1d0 lib/list_debug.c:62
>>> Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 40 3d fa 8b e8 37 b0 32 fc 90 <0f> 0b 4c 89 e7 e8 3c 24 5d fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
>>> RSP: 0018:ffffc90003bffaa8 EFLAGS: 00010082
>>> RAX: 000000000000006d RBX: ffff88807dc6c3f0 RCX: 0000000000000000
>>> RDX: 000000000000006d RSI: ffffffff81e5d6c9 RDI: fffff5200077ff46
>>> RBP: ffff888146b205c8 R08: 0000000000000005 R09: 0000000000000000
>>> R10: 0000000080000001 R11: 0000000000000000 R12: ffff88807dc6c2b0
>>> R13: ffff88807dc6c408 R14: ffff88807dc6c3f0 R15: ffff88807dc6c3c8
>>> FS:  0000000000000000(0000) GS:ffff8881245d9000(0000) knlGS:0000000000000000
>>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> CR2: 00007f60e56708c0 CR3: 000000006b065000 CR4: 00000000003526f0
>>> Call Trace:
>>>  <TASK>
>>>  __list_del_entry_valid include/linux/list.h:132 [inline]
>>>  __list_del_entry include/linux/list.h:223 [inline]
>>>  list_del_init include/linux/list.h:295 [inline]
>>>  io_poll_remove_waitq io_uring/poll.c:149 [inline]
>>>  io_poll_remove_entry io_uring/poll.c:166 [inline]
>>>  io_poll_remove_entries.part.0+0x156/0x7e0 io_uring/poll.c:197
>>>  io_poll_remove_entries io_uring/poll.c:177 [inline]
>>>  io_poll_task_func+0x39e/0xe30 io_uring/poll.c:343
>>>  io_handle_tw_list+0x194/0x580 io_uring/io_uring.c:1122
>>>  tctx_task_work_run+0x57/0x2b0 io_uring/io_uring.c:1182
>>>  tctx_task_work+0x7a/0xd0 io_uring/io_uring.c:1200
>>>  task_work_run+0x150/0x240 kernel/task_work.c:233
>>>  exit_task_work include/linux/task_work.h:40 [inline]
>>>  do_exit+0x829/0x2a30 kernel/exit.c:971
>>>  do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
>>>  __do_sys_exit_group kernel/exit.c:1123 [inline]
>>>  __se_sys_exit_group kernel/exit.c:1121 [inline]
>>>  __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1121
>>>  x64_sys_call+0x14fd/0x1510 arch/x86/include/generated/asm/syscalls_64.h:232
>>>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>>>  do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
>>>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>> RIP: 0033:0x7f60e579aeb9
>>> Code: Unable to access opcode bytes at 0x7f60e579ae8f.
>>> RSP: 002b:00007ffc2d47ddf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
>>> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f60e579aeb9
>>> RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
>>> RBP: 0000000000000003 R08: 0000000000000000 R09: 00007f60e59e1280
>>> R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
>>> R13: 00007f60e59e1280 R14: 0000000000000003 R15: 00007ffc2d47deb0
>>>  </TASK>
>>> Modules linked in:
>>> ---[ end trace 0000000000000000 ]---
>>> RIP: 0010:__list_del_entry_valid_or_report+0x14a/0x1d0 lib/list_debug.c:62
>>> Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 40 3d fa 8b e8 37 b0 32 fc 90 <0f> 0b 4c 89 e7 e8 3c 24 5d fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
>>> RSP: 0018:ffffc90003bffaa8 EFLAGS: 00010082
>>> RAX: 000000000000006d RBX: ffff88807dc6c3f0 RCX: 0000000000000000
>>> RDX: 000000000000006d RSI: ffffffff81e5d6c9 RDI: fffff5200077ff46
>>> RBP: ffff888146b205c8 R08: 0000000000000005 R09: 0000000000000000
>>> R10: 0000000080000001 R11: 0000000000000000 R12: ffff88807dc6c2b0
>>> R13: ffff88807dc6c408 R14: ffff88807dc6c3f0 R15: ffff88807dc6c3c8
>>> FS:  0000000000000000(0000) GS:ffff8881245d9000(0000) knlGS:0000000000000000
>>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> CR2: 00007f60e56708c0 CR3: 000000006b065000 CR4: 00000000003526f0
>>
>> #syz test
>>
>> diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
>> index 8c6f5aafda1d..5cb46109d1ff 100644
>> --- a/drivers/media/dvb-core/dmxdev.c
>> +++ b/drivers/media/dvb-core/dmxdev.c
>> @@ -168,7 +168,9 @@ static int dvb_dvr_open(struct inode *inode, struct file *file)
>>  			mutex_unlock(&dmxdev->mutex);
>>  			return -ENOMEM;
>>  		}
>> -		dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE);
>> +		dmxdev->dvr_buffer.data = mem;
>> +		dmxdev->dvr_buffer.size = DVR_BUFFER_SIZE;
>> +		dvb_ringbuffer_reset(&dmxdev->dvr_buffer);
>>  		if (dmxdev->may_do_mmap)
>>  			dvb_vb2_init(&dmxdev->dvr_vb2_ctx, "dvr",
>>  				     file->f_flags & O_NONBLOCK);
>>
> 
> Mauro and other maintainers, this is literally the same issue as one reported
> last year:
> 
> https://lore.kernel.org/linux-media/20250407091619.11250-1-superman.xpt@gmail.com/
> 
> and I'm honestly a bit surprised that nobody has dealt with this; it was 10 months ago.
> And syzbot is still hitting it, literally crashing the box.
> 
> Hmm?

Nobody cares that any user who is able to open a dvr device, which at
least on Debian is EVERY standard user, can crash the kernel?

I see replies on other messages, yet this issue has seemingly been
ignored for a year.

-- 
Jens Axboe


end of thread, other threads:[~2026-02-12  0:14 UTC | newest]

Thread overview: 7+ messages
2026-02-09 18:26 [syzbot] [io-uring?] BUG: corrupted list in io_poll_remove_entries syzbot
2026-02-09 18:50 ` Jens Axboe
2026-02-09 22:04   ` Jens Axboe
2026-02-09 20:18 ` Jens Axboe
2026-02-09 20:50   ` [syzbot] [media] " syzbot
2026-02-10 22:16   ` [syzbot] [io-uring?] " Jens Axboe
2026-02-12  0:14     ` Jens Axboe
