[paulmckrcu:dev.2026.03.04a] [rcutorture] 569ac6a1d7: BUG:KASAN:stack-out-of-bounds_in__list_del_entry

[kernel test robot]

hi, Paul, if the issue is fixed in newer branch, please just ignore. thanks


Hello,

kernel test robot noticed "BUG:KASAN:stack-out-of-bounds_in__list_del_entry" on:

commit: 569ac6a1d7999442e2a381fc4785e1d22699a726 ("rcutorture: Fully test lazy RCU")
https://github.com/paulmckrcu/linux dev.2026.03.04a

in testcase: rcutorture
version: 
with following parameters:

	runtime: 300s
	test: default
	torture_type: tasks


config: x86_64-randconfig-161-20250618
compiler: gcc-14
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 32G

(please refer to attached dmesg/kmsg for entire log/backtrace)


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-lkp/202603222245.6c112aee-lkp@xxxxxxxxx



[  364.629232][   T11] BUG: KASAN: stack-out-of-bounds in __list_del_entry (include/linux/list.h:127 (discriminator 1) include/linux/list.h:223 (discriminator 1))
[  364.630180][   T11] Read of size 8 at addr ffffc90001edfdd8 by task kworker/0:1/11
[  364.631050][   T11]
[  364.631438][   T11] CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Tainted: GF               T   7.0.0-rc1-00026-g569ac6a1d799 #1 PREEMPT(lazy)  2d0a7e949e4836aaa2820a29d36737f9b4ef5506
[  364.631476][   T11] Tainted: [F]=FORCED_MODULE, [T]=RANDSTRUCT
[  364.631485][   T11] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  364.631500][   T11] Workqueue:  0x0 (events)
[  364.631526][   T11] Call Trace:
[  364.631534][   T11]  <TASK>
[  364.631543][   T11]  dump_stack_lvl (lib/dump_stack.c:122)
[  364.631573][   T11]  print_address_description+0x6e/0x300
[  364.631599][   T11]  print_report (mm/kasan/report.c:483)
[  364.631618][   T11]  ? kasan_complete_mode_report_info (mm/kasan/report_generic.c:166 (discriminator 1))
[  364.631655][   T11]  ? __list_del_entry (include/linux/list.h:127 (discriminator 1) include/linux/list.h:223 (discriminator 1))
[  364.631684][   T11]  kasan_report (mm/kasan/report.c:597)
[  364.631715][   T11]  ? __list_del_entry (include/linux/list.h:127 (discriminator 1) include/linux/list.h:223 (discriminator 1))
[  364.631744][   T11]  __asan_report_load8_noabort (mm/kasan/report_generic.c:381)
[  364.631779][   T11]  __list_del_entry (include/linux/list.h:127 (discriminator 1) include/linux/list.h:223 (discriminator 1))
[  364.631807][   T11]  list_move_tail (include/linux/list.h:319)
[  364.631834][   T11]  move_linked_works (kernel/workqueue.c:1157)
[  364.631862][   T11]  assign_work (kernel/workqueue.c:1219)
[  364.631889][   T11]  worker_thread (kernel/workqueue.c:3438 (discriminator 1))
[  364.631923][   T11]  ? __sanitizer_cov_trace_pc (kernel/kcov.c:217 (discriminator 1))
[  364.631953][   T11]  ? process_scheduled_works (kernel/workqueue.c:3385)
[  364.631989][   T11]  kthread (kernel/kthread.c:467)
[  364.632024][   T11]  ? kthread_affine_node (kernel/kthread.c:412)
[  364.632058][   T11]  ret_from_fork (arch/x86/kernel/process.c:164)
[  364.632080][   T11]  ? write_comp_data (kernel/kcov.c:246 (discriminator 1))
[  364.632105][   T11]  ? arch_exit_to_user_mode_prepare+0x180/0x180
[  364.632130][   T11]  ? __switch_to (arch/x86/kernel/process_64.c:714)
[  364.632158][   T11]  ? kthread_affine_node (kernel/kthread.c:412)
[  364.632192][   T11]  ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
[  364.632227][   T11]  </TASK>
[  364.632235][   T11]
[  364.661844][   T11] The buggy address belongs to a vmalloc virtual mapping
[  364.662681][   T11] The buggy address belongs to the physical page:
[  364.663447][   T11] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x144e2f
[  364.664574][   T11] flags: 0x2fffc0000000000(node=0|zone=2|lastcpupid=0x3fff)
[  364.665426][   T11] raw: 02fffc0000000000 ffffea0005138bc8 ffffea0005138bc8 0000000000000000
[  364.666438][   T11] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[  364.667466][   T11] page dumped because: kasan: bad access detected
[  364.668240][   T11]
[  364.668604][   T11] Memory state around the buggy address:
[  364.669267][   T11]  ffffc90001edfc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  364.670217][   T11]  ffffc90001edfd00: 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 00
[  364.671190][   T11] >ffffc90001edfd80: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
[  364.672177][   T11]                                                     ^
[  364.672989][   T11]  ffffc90001edfe00: 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
[  364.673969][   T11]  ffffc90001edfe80: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f3
[  364.674932][   T11] ==================================================================
[  364.675950][   T11]  vmalloc memory
[  364.676287][   T11] list_del corruption. next->prev should be ffff88871f432230, but was 0000000041b58ab3. (next=ffffc90001edfdd0)
[  364.677649][   T11] ------------[ cut here ]------------
[  364.678321][   T11] kernel BUG at lib/list_debug.c:65!
[  364.678988][   T11] Oops: invalid opcode: 0000 [#1] SMP KASAN
[  364.679710][   T11] CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Tainted: GF   B           T   7.0.0-rc1-00026-g569ac6a1d799 #1 PREEMPT(lazy)  2d0a7e949e4836aaa2820a29d36737f9b4ef5506
[  364.681229][   T11] Tainted: [F]=FORCED_MODULE, [B]=BAD_PAGE, [T]=RANDSTRUCT
[  364.681755][   T11] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  364.684523][   T11] Workqueue:  0x0 (events)
[  364.684967][   T11] RIP: 0010:__list_del_entry_valid_or_report (lib/list_debug.c:65 (discriminator 1))
[  364.685495][   T11] Code: ea 03 48 c1 e0 2a 80 3c 02 00 74 08 4c 89 e7 e8 be d0 64 00 49 8b 55 08 4c 89 e9 48 89 de 48 c7 c7 c0 13 d1 b8 e8 f8 66 fe ff <0f> 0b 5b b0 01 41 5c 41 5d 5d c3 cc cc cc cc cc cc cc cc cc cc cc
All code
========
   0:	ea                   	(bad)
   1:	03 48 c1             	add    -0x3f(%rax),%ecx
   4:	e0 2a                	loopne 0x30
   6:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   a:	74 08                	je     0x14
   c:	4c 89 e7             	mov    %r12,%rdi
   f:	e8 be d0 64 00       	call   0x64d0d2
  14:	49 8b 55 08          	mov    0x8(%r13),%rdx
  18:	4c 89 e9             	mov    %r13,%rcx
  1b:	48 89 de             	mov    %rbx,%rsi
  1e:	48 c7 c7 c0 13 d1 b8 	mov    $0xffffffffb8d113c0,%rdi
  25:	e8 f8 66 fe ff       	call   0xfffffffffffe6722
  2a:*	0f 0b                	ud2		<-- trapping instruction
  2c:	5b                   	pop    %rbx
  2d:	b0 01                	mov    $0x1,%al
  2f:	41 5c                	pop    %r12
  31:	41 5d                	pop    %r13
  33:	5d                   	pop    %rbp
  34:	c3                   	ret
  35:	cc                   	int3
  36:	cc                   	int3
  37:	cc                   	int3
  38:	cc                   	int3
  39:	cc                   	int3
  3a:	cc                   	int3
  3b:	cc                   	int3
  3c:	cc                   	int3
  3d:	cc                   	int3
  3e:	cc                   	int3
  3f:	cc                   	int3

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2
   2:	5b                   	pop    %rbx
   3:	b0 01                	mov    $0x1,%al
   5:	41 5c                	pop    %r12
   7:	41 5d                	pop    %r13
   9:	5d                   	pop    %rbp
   a:	c3                   	ret
   b:	cc                   	int3
   c:	cc                   	int3
   d:	cc                   	int3
   e:	cc                   	int3
   f:	cc                   	int3
  10:	cc                   	int3
  11:	cc                   	int3
  12:	cc                   	int3
  13:	cc                   	int3
  14:	cc                   	int3
  15:	cc                   	int3
[  364.686805][   T11] RSP: 0000:ffffc900000bfd10 EFLAGS: 00210086
[  364.687267][   T11] RAX: 000000000000006d RBX: ffff88871f432230 RCX: 0000000000000000
[  364.687872][   T11] RDX: 000000000000006d RSI: ffff888100993780 RDI: fffff52000017f98
[  364.688473][   T11] RBP: ffffc900000bfd28 R08: 0000000000000000 R09: 0000000000000001
[  364.689088][   T11] R10: 0000000000000000 R11: ffff888100993780 R12: ffffc90001edfdd8
[  364.689688][   T11] R13: ffffc90001edfdd0 R14: ffff88810092aa40 R15: dffffc0000000000
[  364.690292][   T11] FS:  0000000000000000(0000) GS:ffff888764cee000(0000) knlGS:0000000000000000
[  364.690957][   T11] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  364.691447][   T11] CR2: 00000000f6930000 CR3: 00000001314f6000 CR4: 00000000000406b0
[  364.692071][   T11] Call Trace:
[  364.692364][   T11]  <TASK>
[  364.692646][   T11]  __list_del_entry (include/linux/list.h:224)
[  364.693032][   T11]  list_move_tail (include/linux/list.h:319)
[  364.693413][   T11]  move_linked_works (kernel/workqueue.c:1157)
[  364.693821][   T11]  assign_work (kernel/workqueue.c:1219)
[  364.694194][   T11]  worker_thread (kernel/workqueue.c:3438 (discriminator 1))
[  364.694577][   T11]  ? __sanitizer_cov_trace_pc (kernel/kcov.c:217 (discriminator 1))
[  364.695012][   T11]  ? process_scheduled_works (kernel/workqueue.c:3385)
[  364.695453][   T11]  kthread (kernel/kthread.c:467)
[  364.695806][   T11]  ? kthread_affine_node (kernel/kthread.c:412)
[  364.696230][   T11]  ret_from_fork (arch/x86/kernel/process.c:164)
[  364.696611][   T11]  ? write_comp_data (kernel/kcov.c:246 (discriminator 1))
[  364.696998][   T11]  ? arch_exit_to_user_mode_prepare+0x180/0x180
[  364.697507][   T11]  ? __switch_to (arch/x86/kernel/process_64.c:714)
[  364.697890][   T11]  ? kthread_affine_node (kernel/kthread.c:412)
[  364.698427][   T11]  ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
[  364.699047][   T11]  </TASK>
[  364.699491][   T11] Modules linked in: rcutorture(F-) torture(F) ipmi_msghandler(F) input_leds(F) led_class(F) evdev(F) mac_hid(F) parport_pc(F) parport(F)
[  364.706068][   T11] ---[ end trace 0000000000000000 ]---
[  364.706752][   T11] RIP: 0010:__list_del_entry_valid_or_report (lib/list_debug.c:65 (discriminator 1))
[  364.707583][   T11] Code: ea 03 48 c1 e0 2a 80 3c 02 00 74 08 4c 89 e7 e8 be d0 64 00 49 8b 55 08 4c 89 e9 48 89 de 48 c7 c7 c0 13 d1 b8 e8 f8 66 fe ff <0f> 0b 5b b0 01 41 5c 41 5d 5d c3 cc cc cc cc cc cc cc cc cc cc cc
All code
========
   0:	ea                   	(bad)
   1:	03 48 c1             	add    -0x3f(%rax),%ecx
   4:	e0 2a                	loopne 0x30
   6:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   a:	74 08                	je     0x14
   c:	4c 89 e7             	mov    %r12,%rdi
   f:	e8 be d0 64 00       	call   0x64d0d2
  14:	49 8b 55 08          	mov    0x8(%r13),%rdx
  18:	4c 89 e9             	mov    %r13,%rcx
  1b:	48 89 de             	mov    %rbx,%rsi
  1e:	48 c7 c7 c0 13 d1 b8 	mov    $0xffffffffb8d113c0,%rdi
  25:	e8 f8 66 fe ff       	call   0xfffffffffffe6722
  2a:*	0f 0b                	ud2		<-- trapping instruction
  2c:	5b                   	pop    %rbx
  2d:	b0 01                	mov    $0x1,%al
  2f:	41 5c                	pop    %r12
  31:	41 5d                	pop    %r13
  33:	5d                   	pop    %rbp
  34:	c3                   	ret
  35:	cc                   	int3
  36:	cc                   	int3
  37:	cc                   	int3
  38:	cc                   	int3
  39:	cc                   	int3
  3a:	cc                   	int3
  3b:	cc                   	int3
  3c:	cc                   	int3
  3d:	cc                   	int3
  3e:	cc                   	int3
  3f:	cc                   	int3

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2
   2:	5b                   	pop    %rbx
   3:	b0 01                	mov    $0x1,%al
   5:	41 5c                	pop    %r12
   7:	41 5d                	pop    %r13
   9:	5d                   	pop    %rbp
   a:	c3                   	ret
   b:	cc                   	int3
   c:	cc                   	int3
   d:	cc                   	int3
   e:	cc                   	int3
   f:	cc                   	int3
  10:	cc                   	int3
  11:	cc                   	int3
  12:	cc                   	int3
  13:	cc                   	int3
  14:	cc                   	int3
  15:	cc                   	int3


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20260322/202603222245.6c112aee-lkp@xxxxxxxxx



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki