From: Jens Axboe <axboe@kernel.dk>
To: syzbot <syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com>,
io-uring@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com,
Mauro Carvalho Chehab <mchehab@kernel.org>,
linux-media@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [syzbot] [io-uring?] BUG: corrupted list in io_poll_remove_entries
Date: Sat, 21 Feb 2026 06:39:01 -0700 [thread overview]
Message-ID: <709538df-3f3e-4306-af11-206809e1f742@kernel.dk> (raw)
In-Reply-To: <3d6c84df-853a-4e28-8ee6-b1239bc985f0@kernel.dk>

On 2/11/26 5:14 PM, Jens Axboe wrote:
> On 2/10/26 3:16 PM, Jens Axboe wrote:
>> On 2/9/26 1:18 PM, Jens Axboe wrote:
>>> On 2/9/26 11:26 AM, syzbot wrote:
>>>> Hello,
>>>>
>>>> syzbot found the following issue on:
>>>>
>>>> HEAD commit: e7aa57247700 Merge tag 'spi-fix-v6.19-rc8' of git://git.ke..
>>>> git tree: upstream
>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=14d3b65a580000
>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=ab12f0c08dd7ab8d057c
>>>> compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
>>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1222965a580000
>>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=140e833a580000
>>>>
>>>> Downloadable assets:
>>>> disk image: https://storage.googleapis.com/syzbot-assets/c46beb4ff3a5/disk-e7aa5724.raw.xz
>>>> vmlinux: https://storage.googleapis.com/syzbot-assets/d162bcaaf9b9/vmlinux-e7aa5724.xz
>>>> kernel image: https://storage.googleapis.com/syzbot-assets/54b0844b8ea7/bzImage-e7aa5724.xz
>>>>
>>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>>> Reported-by: syzbot+ab12f0c08dd7ab8d057c@syzkaller.appspotmail.com
>>>>
>>>> list_del corruption. prev->next should be ffff88807dc6c3f0, but was ffff888146b205c8. (prev=ffff888146b205c8)
>>>> ------------[ cut here ]------------
>>>> kernel BUG at lib/list_debug.c:62!
>>>> Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
>>>> CPU: 0 UID: 0 PID: 5969 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
>>>> RIP: 0010:__list_del_entry_valid_or_report+0x14a/0x1d0 lib/list_debug.c:62
>>>> Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 40 3d fa 8b e8 37 b0 32 fc 90 <0f> 0b 4c 89 e7 e8 3c 24 5d fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
>>>> RSP: 0018:ffffc90003bffaa8 EFLAGS: 00010082
>>>> RAX: 000000000000006d RBX: ffff88807dc6c3f0 RCX: 0000000000000000
>>>> RDX: 000000000000006d RSI: ffffffff81e5d6c9 RDI: fffff5200077ff46
>>>> RBP: ffff888146b205c8 R08: 0000000000000005 R09: 0000000000000000
>>>> R10: 0000000080000001 R11: 0000000000000000 R12: ffff88807dc6c2b0
>>>> R13: ffff88807dc6c408 R14: ffff88807dc6c3f0 R15: ffff88807dc6c3c8
>>>> FS: 0000000000000000(0000) GS:ffff8881245d9000(0000) knlGS:0000000000000000
>>>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>> CR2: 00007f60e56708c0 CR3: 000000006b065000 CR4: 00000000003526f0
>>>> Call Trace:
>>>> <TASK>
>>>> __list_del_entry_valid include/linux/list.h:132 [inline]
>>>> __list_del_entry include/linux/list.h:223 [inline]
>>>> list_del_init include/linux/list.h:295 [inline]
>>>> io_poll_remove_waitq io_uring/poll.c:149 [inline]
>>>> io_poll_remove_entry io_uring/poll.c:166 [inline]
>>>> io_poll_remove_entries.part.0+0x156/0x7e0 io_uring/poll.c:197
>>>> io_poll_remove_entries io_uring/poll.c:177 [inline]
>>>> io_poll_task_func+0x39e/0xe30 io_uring/poll.c:343
>>>> io_handle_tw_list+0x194/0x580 io_uring/io_uring.c:1122
>>>> tctx_task_work_run+0x57/0x2b0 io_uring/io_uring.c:1182
>>>> tctx_task_work+0x7a/0xd0 io_uring/io_uring.c:1200
>>>> task_work_run+0x150/0x240 kernel/task_work.c:233
>>>> exit_task_work include/linux/task_work.h:40 [inline]
>>>> do_exit+0x829/0x2a30 kernel/exit.c:971
>>>> do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
>>>> __do_sys_exit_group kernel/exit.c:1123 [inline]
>>>> __se_sys_exit_group kernel/exit.c:1121 [inline]
>>>> __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1121
>>>> x64_sys_call+0x14fd/0x1510 arch/x86/include/generated/asm/syscalls_64.h:232
>>>> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>>>> do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
>>>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>>> RIP: 0033:0x7f60e579aeb9
>>>> Code: Unable to access opcode bytes at 0x7f60e579ae8f.
>>>> RSP: 002b:00007ffc2d47ddf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
>>>> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f60e579aeb9
>>>> RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
>>>> RBP: 0000000000000003 R08: 0000000000000000 R09: 00007f60e59e1280
>>>> R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
>>>> R13: 00007f60e59e1280 R14: 0000000000000003 R15: 00007ffc2d47deb0
>>>> </TASK>
>>>> Modules linked in:
>>>> ---[ end trace 0000000000000000 ]---
>>>> RIP: 0010:__list_del_entry_valid_or_report+0x14a/0x1d0 lib/list_debug.c:62
>>>> Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 40 3d fa 8b e8 37 b0 32 fc 90 <0f> 0b 4c 89 e7 e8 3c 24 5d fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
>>>> RSP: 0018:ffffc90003bffaa8 EFLAGS: 00010082
>>>> RAX: 000000000000006d RBX: ffff88807dc6c3f0 RCX: 0000000000000000
>>>> RDX: 000000000000006d RSI: ffffffff81e5d6c9 RDI: fffff5200077ff46
>>>> RBP: ffff888146b205c8 R08: 0000000000000005 R09: 0000000000000000
>>>> R10: 0000000080000001 R11: 0000000000000000 R12: ffff88807dc6c2b0
>>>> R13: ffff88807dc6c408 R14: ffff88807dc6c3f0 R15: ffff88807dc6c3c8
>>>> FS: 0000000000000000(0000) GS:ffff8881245d9000(0000) knlGS:0000000000000000
>>>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>> CR2: 00007f60e56708c0 CR3: 000000006b065000 CR4: 00000000003526f0
>>>
>>> #syz test
>>>
>>> diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
>>> index 8c6f5aafda1d..5cb46109d1ff 100644
>>> --- a/drivers/media/dvb-core/dmxdev.c
>>> +++ b/drivers/media/dvb-core/dmxdev.c
>>> @@ -168,7 +168,9 @@ static int dvb_dvr_open(struct inode *inode, struct file *file)
>>> mutex_unlock(&dmxdev->mutex);
>>> return -ENOMEM;
>>> }
>>> - dvb_ringbuffer_init(&dmxdev->dvr_buffer, mem, DVR_BUFFER_SIZE);
>>> + dmxdev->dvr_buffer.data = mem;
>>> + dmxdev->dvr_buffer.size = DVR_BUFFER_SIZE;
>>> + dvb_ringbuffer_reset(&dmxdev->dvr_buffer);
>>> if (dmxdev->may_do_mmap)
>>> dvb_vb2_init(&dmxdev->dvr_vb2_ctx, "dvr",
>>> file->f_flags & O_NONBLOCK);
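Review bot: the commit message should state why dvb_ringbuffer_init() must not run on every dvb_dvr_open(): unlike dvb_ringbuffer_reset(), it also re-initializes the buffer's wait queue head (and spinlock), so a poll entry still queued on dvr_buffer.queue from an earlier open, such as the io_uring poll in the trace, is left pointing at a list that was wiped underneath it, which is exactly the list_del corruption reported from io_poll_remove_waitq. The replacement lines `dmxdev->dvr_buffer.data = mem;` / `dmxdev->dvr_buffer.size = DVR_BUFFER_SIZE;` / `dvb_ringbuffer_reset(&dmxdev->dvr_buffer);` therefore assume the wait queue head and lock were initialized once at dmxdev registration; please name where that happens (or move a one-time init there in the same patch), otherwise the first open would use an uninitialized queue. It is also worth noting that this runs under dmxdev->mutex, as the mutex_unlock() in the error path just above suggests, since the data/size assignment now relies on that serialization against concurrent readers.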
>>>
>>
>> Mauro and other maintainers, this is literally the same issue as one reported
>> last year:
>>
>> https://lore.kernel.org/linux-media/20250407091619.11250-1-superman.xpt@gmail.com/
>>
>> and I'm honestly a bit surprised that nobody has dealt with this, it's 10 months ago.
>> And syzbot is still hitting it, literally crashing the box.
>>
>> Hmm?
>
> Nobody cares that any user who is able to open a dvr device, which at
> least on debian is EVERY standard user, can crash the kernel?
>
> I see replies on other messages, yet this issue has seemingly been
> ignored for a year.

Another ping on this one. For some reason you (Mauro) are ignoring this
issue, both the original report and my report. Not quite sure what to do
about it, but I'm tempted to just send the patch to Linus at this point.
--
Jens Axboe