Dear Linux kernel maintainers,

Syzkaller reports this previously unknown bug on Linux 6.8.0-rc3-00043-ga69d20885494-dirty #4. Seems like the bug was silently or unintentionally fixed in the latest version. I found a similar bug report [here](https://syzkaller.appspot.com/bug?id=ac425cc8dcf667de21cbe25208555a346ab658d0), but I think this should be a different bug?

```
Syzkaller hit 'WARNING in __put_task_struct' bug.

------------[ cut here ]------------
WARNING: CPU: 2 PID: 10662 at kernel/fork.c:967 __put_task_struct+0x290/0x340 kernel/fork.c:967
Modules linked in:
CPU: 2 PID: 10662 Comm: syz-executor389 Not tainted 6.8.0-rc3-00043-ga69d20885494-dirty #52
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__put_task_struct+0x290/0x340 kernel/fork.c:967
Code: da ff ff 48 8b 3d b0 28 69 0f 4c 89 e6 e8 88 d2 7b 00 e9 45 ff ff ff be 03 00 00 00 4c 89 e7 e8 46 be c7 02 e9 33 ff ff ff 90 <0f> 0b 90 e9 ac fd ff ff 90 0f 0b 90 e9 e9 fd ff ff 90 0f 0b 90 e9
RSP: 0018:ffffc90017f67b38 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff92002fecf6f RCX: 1ffff92002fecf36
RDX: 1ffff1100e71a530 RSI: ffffffff8a0bdce0 RDI: ffff8880738d2980
RBP: ffff8880738d2440 R08: 0000000000000000 R09: fffffbfff23d9a15
R10: ffffffff91ecd0af R11: 0000000000000000 R12: ffffffff840b8886
R13: ffff8880738d2468 R14: ffff888024ad7818 R15: ffff8880738d2440
FS:  0000555557445480(0000) GS:ffff8880b9880000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff010cdf0b0 CR3: 0000000032094000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <TASK>
 put_task_struct include/linux/sched/task.h:138 [inline]
 io_wq_exit_workers io_uring/io-wq.c:1274 [inline]
 io_wq_put_and_exit+0x765/0x8f0 io_uring/io-wq.c:1296
 io_uring_clean_tctx+0x10e/0x190 io_uring/tctx.c:193
 io_uring_cancel_generic+0x643/0x7c0 io_uring/io_uring.c:3395
 io_uring_files_cancel include/linux/io_uring.h:21 [inline]
 do_exit+0x4bf/0x25a0 kernel/exit.c:829
 do_group_exit+0xb4/0x250 kernel/exit.c:1020
 __do_sys_exit_group kernel/exit.c:1031 [inline]
 __se_sys_exit_group kernel/exit.c:1029 [inline]
 __x64_sys_exit_group+0x39/0x40 kernel/exit.c:1029
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd8/0x270 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7ff010c59031
Code: b8 ff ff ff be e7 00 00 00 ba 3c 00 00 00 eb 16 66 0f 1f 84 00 00 00 00 00 89 d0 0f 05 48 3d 00 f0 ff ff 77 1c f4 89 f0 0f 05 <48> 3d 00 f0 ff ff 76 e7 f7 d8 64 41 89 00 eb df 0f 1f 80 00 00 00
RSP: 002b:00007ffd577fbfb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007ff010cde1f0 RCX: 00007ff010c59031
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffb8 R09: 000000000000ffff
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff010cde1f0
R13: 0000000000000000 R14: 00007ff010cdec80 R15: 00007ff010c13500
 </TASK>

Syzkaller reproducer:
# {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:true Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
r0 = syz_io_uring_setup(0x6e47, &(0x7f0000000000)={0x0, 0x8847, 0x80, 0x4000003, 0x3d6}, &(0x7f0000000080)=<r1=>0x0, &(0x7f00000000c0)=<r2=>0x0)
open(&(0x7f0000000100)='./file0\x00', 0x2041, 0x8)
r3 = open$dir(&(0x7f0000000140)='./file0\x00', 0x680400, 0x104)
r4 = socket(0x28, 0x80000, 0x89)
epoll_create1(0x80000)
eventfd2(0x802, 0x80800)
syz_io_uring_submit(r1, r2, &(0x7f0000000340)=@IORING_OP_SEND_ZC={0x2f, 0x1c, 0x1, @sock=r4, &(0x7f0000000240)=@tipc=@name={0x1e, 0x2, 0x1, {{0x41, 0x4}, 0x3}}, &(0x7f00000002c0)=""/82, 0x52, 0x200, 0x1, 0x101, 0x0, {0x100}})
io_uring_enter(r0, 0x1, 0x1, 0x11, &(0x7f0000000380), 0x8)
syz_io_uring_complete(r1, &(0x7f0000000400))
io_uring_register$IORING_REGISTER_ENABLE_RINGS(r0, 0xc, 0x0, 0x0)
syz_io_uring_submit(r1, r2, &(0x7f0000000180)=@IORING_OP_ASYNC_CANCEL={0xe, 0x1, 0x0, 0x0, 0x0, 0x1, 0x0, 0x4, 0x1})
syz_io_uring_submit(r1, r2, 0x0)
syz_io_uring_submit(r1, r2, &(0x7f0000000680)=@IORING_OP_UNLINKAT={0x24, 0x50, 0x0, @fd_dir=r3, 0x0, &(0x7f0000000500)='./file0\x00'})
io_uring_enter(r0, 0x3, 0x3, 0xb, 0x0, 0x0)
syz_io_uring_complete(r1, 0x0)
```

The C repro is in the attachment.

Best Regards,
Xdchase
Attachment:
repro.c
Description: Binary data