Hello, We found the following issue using syzkaller on Linux v6.10. The PoC generated by Syzkaller makes the kernel report memory-corruption-related errors. The Syzkaller reproducer: https://gist.github.com/TomAPU/dcbb9b74f4fca8eda50e4ba38c83a364 kernel config: https://gist.github.com/TomAPU/64f5db0fe976a3e94a6dd2b621887cdd Note that the task whose memory is corrupted is `swapper`, not `syz-executor`: the splat fires in the idle task (PID 0, `swapper/0`) from the timer softirq path addrconf_rs_timer -> ndisc_send_skb -> dst_init, so the report shows the victim of an earlier stray write rather than the code that performed it. It seems that there is a bug in `/dev/sg0` that allows a program to tamper with kernel memory without KASAN catching it. The report is below: Syzkaller hit 'BUG: corrupted list in dst_init' bug. list_add corruption. next->prev should be prev (ffff88802e5f4670), but was 0000000000000000. (next=ffff88801966a200). ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:31! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.10.0 #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:__list_add_valid_or_report+0xca/0xe0 lib/list_debug.c:29 Code: 58 a9 8b e8 d8 00 97 06 0f 0b 48 c7 c7 a0 58 a9 8b e8 ca 00 97 06 0f 0b 48 c7 c7 00 59 a9 8b 4c 89 e6 4c 89 f1 e8 b6 00 97 06 <0f> 0b 48 c7 c7 80 59 a9 8b 4c 89 f6 4c 89 e1 e8 a2 00 97 06 0f 0b RSP: 0018:ffffc900000076d0 EFLAGS: 00010046 RAX: 0000000000000075 RBX: ffff88801966a208 RCX: ca5f1ee5ed054c00 RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000 RBP: ffffc90000007828 R08: ffffffff8172e30c R09: 1ffff92000000e78 R10: dffffc0000000000 R11: fffff52000000e79 R12: ffff88802e5f4670 R13: dffffc0000000000 R14: ffff88801966a200 R15: ffff88802dffb7c0 FS: 0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f398f4808f0 CR3: 000000000d932000 CR4: 0000000000350ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> __list_add_valid include/linux/list.h:88 
[inline] __list_add include/linux/list.h:150 [inline] list_add include/linux/list.h:169 [inline] ref_tracker_alloc+0x1ef/0x480 lib/ref_tracker.c:213 __netdev_tracker_alloc include/linux/netdevice.h:4038 [inline] netdev_hold include/linux/netdevice.h:4067 [inline] dst_init+0xea/0x480 net/core/dst.c:52 dst_alloc+0x157/0x190 net/core/dst.c:93 ip6_dst_alloc net/ipv6/route.c:344 [inline] icmp6_dst_alloc+0x73/0x410 net/ipv6/route.c:3277 ndisc_send_skb+0x31b/0x11e0 net/ipv6/ndisc.c:489 addrconf_rs_timer+0x3a3/0x650 net/ipv6/addrconf.c:4039 call_timer_fn+0xff/0x240 kernel/time/timer.c:1792 expire_timers kernel/time/timer.c:1843 [inline] __run_timers kernel/time/timer.c:2417 [inline] __run_timer_base+0x734/0x9a0 kernel/time/timer.c:2428 run_timer_base kernel/time/timer.c:2437 [inline] run_timer_softirq+0xb3/0x160 kernel/time/timer.c:2447 handle_softirqs+0x272/0x750 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf0/0x1b0 kernel/softirq.c:637 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1043 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline] RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:72 [inline] RIP: 0010:default_idle+0xb/0x10 arch/x86/kernel/process.c:743 Code: 07 76 e7 48 89 07 49 c7 c0 08 00 00 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 72 ff ff ff cc cc cc cc 66 90 0f 00 2d c7 a4 4e 00 fb f4 <fa> c3 0f 1f 00 e9 eb ff ff ff 66 2e 0f 1f 84 00 00 00 00 00 90 65 RSP: 0018:ffffffff8d807d68 EFLAGS: 000002c2 RAX: ca5f1ee5ed054c00 RBX: ffffffff816928eb RCX: 0000000000006f59 RDX: 0000000000000001 RSI: ffffffff8b4c89c0 RDI: ffffffff8ba956e0 RBP: ffffffff8d807eb8 R08: ffff888063a37d0b R09: 1ffff1100c746fa1 R10: dffffc0000000000 R11: 
ffffed100c746fa2 R12: 1ffffffff1b00fc6 R13: 1ffffffff1b12778 R14: 0000000000000000 R15: dffffc0000000000 default_idle_call+0x6e/0xa0 kernel/sched/idle.c:117 cpuidle_idle_call kernel/sched/idle.c:191 [inline] do_idle+0x22b/0x5c0 kernel/sched/idle.c:332 cpu_startup_entry+0x3d/0x60 kernel/sched/idle.c:430 rest_init+0x2db/0x300 init/main.c:747 start_kernel+0x486/0x500 init/main.c:1103 x86_64_start_reservations+0x26/0x30 arch/x86/kernel/head64.c:507 x86_64_start_kernel+0x5c/0x60 arch/x86/kernel/head64.c:488 common_startup_64+0x13e/0x147 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:__list_add_valid_or_report+0xca/0xe0 lib/list_debug.c:29 Code: 58 a9 8b e8 d8 00 97 06 0f 0b 48 c7 c7 a0 58 a9 8b e8 ca 00 97 06 0f 0b 48 c7 c7 00 59 a9 8b 4c 89 e6 4c 89 f1 e8 b6 00 97 06 <0f> 0b 48 c7 c7 80 59 a9 8b 4c 89 f6 4c 89 e1 e8 a2 00 97 06 0f 0b RSP: 0018:ffffc900000076d0 EFLAGS: 00010046 RAX: 0000000000000075 RBX: ffff88801966a208 RCX: ca5f1ee5ed054c00 RDX: 0000000000000102 RSI: 0000000000000102 RDI: 0000000000000000 RBP: ffffc90000007828 R08: ffffffff8172e30c R09: 1ffff92000000e78 R10: dffffc0000000000 R11: fffff52000000e79 R12: ffff88802e5f4670 R13: dffffc0000000000 R14: ffff88801966a200 R15: ffff88802dffb7c0 FS: 0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f398f4808f0 CR3: 000000000d932000 CR4: 0000000000350ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess), 1 bytes skipped: 0: 76 e7 jbe 0xffffffe9 2: 48 89 07 mov %rax,(%rdi) 5: 49 c7 c0 08 00 00 00 mov $0x8,%r8 c: 4d 29 c8 sub %r9,%r8 f: 4c 01 c7 add %r8,%rdi 12: 4c 29 c2 sub %r8,%rdx 15: e9 72 ff ff ff jmp 0xffffff8c 1a: cc int3 1b: cc int3 1c: cc int3 1d: cc int3 1e: 66 90 xchg %ax,%ax 20: 0f 00 2d c7 a4 4e 00 verw 0x4ea4c7(%rip) # 0x4ea4ee 27: fb sti 28: f4 hlt * 29: fa cli <-- 
trapping instruction 2a: c3 ret 2b: 0f 1f 00 nopl (%rax) 2e: e9 eb ff ff ff jmp 0x1e 33: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) 3a: 00 00 00 3d: 90 nop 3e: 65 gs