[syzbot] [kernel?] WARNING in exit_mm
1 view
Skip to first unread message
syzbot
Mar 17, 2026, 4:39:27 PM (22 hours ago) Mar 17
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: b84a0ebe421c Add linux-next specific files for 20260313
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15fb1602580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
dashboard link: https://syzkaller.appspot.com/bug?extid=295a8715dd1bfadef8bf
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=177918ba580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/09145161a8a9/disk-b84a0ebe.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b64c254e474c/vmlinux-b84a0ebe.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a7c33f5f7f45/bzImage-b84a0ebe.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+295a87...@syzkaller.appspotmail.com
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON(tmp < 0): count = 0xfffffffffffffffe, magic = 0xffff8880369e4150, owner = 0x1, curr 0xffff88801f7f8000, list not empty
WARNING: kernel/locking/rwsem.c:1389 at __up_read+0x307/0x6b0 kernel/locking/rwsem.c:1389, CPU#0: syz.0.17/5989
Modules linked in:
CPU: 0 UID: 0 PID: 5989 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:__up_read+0x3f5/0x6b0 kernel/locking/rwsem.c:1389
Code: 8b 49 c7 c2 e0 f3 ec 8b 4c 0f 44 d0 48 8b 7c 24 38 48 c7 c6 60 f6 ec 8b 48 8b 54 24 30 4c 89 f1 4d 89 f8 4c 8b 4c 24 28 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 0d 23 15 03 e9 72 fe ff ff 48 8d 1d
RSP: 0018:ffffc90004577c18 EFLAGS: 00010246
RAX: ffffffff8becf400 RBX: ffff8880369e41a8 RCX: ffff8880369e4150
RDX: fffffffffffffffe RSI: ffffffff8becf660 RDI: ffffffff90579f10
RBP: ffffc90004577cf0 R08: 0000000000000001 R09: ffff88801f7f8000
R10: ffffffff8becf400 R11: ffffed1006d3c82c R12: fffffffffffffffe
R13: 1ffff920008aef8c R14: ffff8880369e4150 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff888124de0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7e9c747e20 CR3: 0000000078264000 CR4: 00000000003526f0
Call Trace:
<TASK>
mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
exit_mm+0x17e/0x250 kernel/exit.c:579
do_exit+0x8b9/0x2490 kernel/exit.c:962
do_group_exit+0x21b/0x2d0 kernel/exit.c:1116
__do_sys_exit_group kernel/exit.c:1127 [inline]
__se_sys_exit_group kernel/exit.c:1125 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1125
x64_sys_call+0x221a/0x2240 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7e9b99c799
Code: Unable to access opcode bytes at 0x7f7e9b99c76f.
RSP: 002b:00007ffca98be868 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7e9b99c799
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 0000000000000000 R09: 00007f7e9bbe63e0
R10: 0000000000000006 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7e9bbe63e0 R14: 0000000000000003 R15: 00007ffca98be920
</TASK>
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 49 c7 c2 e0 f3 ec 8b mov $0xffffffff8becf3e0,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 38 mov 0x38(%rsp),%rdi
10: 48 c7 c6 60 f6 ec 8b mov $0xffffffff8becf660,%rsi
17: 48 8b 54 24 30 mov 0x30(%rsp),%rdx
1c: 4c 89 f1 mov %r14,%rcx
1f: 4d 89 f8 mov %r15,%r8
22: 4c 8b 4c 24 28 mov 0x28(%rsp),%r9
27: 41 52 push %r10
* 29: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2e: 48 83 c4 08 add $0x8,%rsp
32: e8 0d 23 15 03 call 0x3152344
37: e9 72 fe ff ff jmp 0xfffffeae
3c: 48 rex.W
3d: 8d .byte 0x8d
3e: 1d .byte 0x1d
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: b84a0ebe421c Add linux-next specific files for 20260313
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15fb1602580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
dashboard link: https://syzkaller.appspot.com/bug?extid=295a8715dd1bfadef8bf
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=177918ba580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/09145161a8a9/disk-b84a0ebe.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b64c254e474c/vmlinux-b84a0ebe.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a7c33f5f7f45/bzImage-b84a0ebe.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+295a87...@syzkaller.appspotmail.com
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON(tmp < 0): count = 0xfffffffffffffffe, magic = 0xffff8880369e4150, owner = 0x1, curr 0xffff88801f7f8000, list not empty
WARNING: kernel/locking/rwsem.c:1389 at __up_read+0x307/0x6b0 kernel/locking/rwsem.c:1389, CPU#0: syz.0.17/5989
Modules linked in:
CPU: 0 UID: 0 PID: 5989 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:__up_read+0x3f5/0x6b0 kernel/locking/rwsem.c:1389
Code: 8b 49 c7 c2 e0 f3 ec 8b 4c 0f 44 d0 48 8b 7c 24 38 48 c7 c6 60 f6 ec 8b 48 8b 54 24 30 4c 89 f1 4d 89 f8 4c 8b 4c 24 28 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 0d 23 15 03 e9 72 fe ff ff 48 8d 1d
RSP: 0018:ffffc90004577c18 EFLAGS: 00010246
RAX: ffffffff8becf400 RBX: ffff8880369e41a8 RCX: ffff8880369e4150
RDX: fffffffffffffffe RSI: ffffffff8becf660 RDI: ffffffff90579f10
RBP: ffffc90004577cf0 R08: 0000000000000001 R09: ffff88801f7f8000
R10: ffffffff8becf400 R11: ffffed1006d3c82c R12: fffffffffffffffe
R13: 1ffff920008aef8c R14: ffff8880369e4150 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff888124de0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7e9c747e20 CR3: 0000000078264000 CR4: 00000000003526f0
Call Trace:
<TASK>
mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
exit_mm+0x17e/0x250 kernel/exit.c:579
do_exit+0x8b9/0x2490 kernel/exit.c:962
do_group_exit+0x21b/0x2d0 kernel/exit.c:1116
__do_sys_exit_group kernel/exit.c:1127 [inline]
__se_sys_exit_group kernel/exit.c:1125 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1125
x64_sys_call+0x221a/0x2240 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7e9b99c799
Code: Unable to access opcode bytes at 0x7f7e9b99c76f.
RSP: 002b:00007ffca98be868 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7e9b99c799
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 0000000000000000 R09: 00007f7e9bbe63e0
R10: 0000000000000006 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7e9bbe63e0 R14: 0000000000000003 R15: 00007ffca98be920
</TASK>
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 49 c7 c2 e0 f3 ec 8b mov $0xffffffff8becf3e0,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 38 mov 0x38(%rsp),%rdi
10: 48 c7 c6 60 f6 ec 8b mov $0xffffffff8becf660,%rsi
17: 48 8b 54 24 30 mov 0x30(%rsp),%rdx
1c: 4c 89 f1 mov %r14,%rcx
1f: 4d 89 f8 mov %r15,%r8
22: 4c 8b 4c 24 28 mov 0x28(%rsp),%r9
27: 41 52 push %r10
* 29: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2e: 48 83 c4 08 add $0x8,%rsp
32: e8 0d 23 15 03 call 0x3152344
37: e9 72 fe ff ff jmp 0xfffffeae
3c: 48 rex.W
3d: 8d .byte 0x8d
3e: 1d .byte 0x1d
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Hillf Danton
Mar 17, 2026, 6:45:20 PM (20 hours ago) Mar 17
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Tue, 17 Mar 2026 13:39:24 -0700 [thread overview]
--- x/kernel/locking/rwsem.c
+++ y/kernel/locking/rwsem.c
@@ -365,12 +365,11 @@ enum rwsem_wake_type {
#define MAX_READERS_WAKEUP 0x100
static inline
-bool __rwsem_del_waiter(struct rw_semaphore *sem, struct rwsem_waiter *waiter)
+void __rwsem_del_waiter(struct rw_semaphore *sem, struct rwsem_waiter *waiter)
__must_hold(&sem->wait_lock)
{
if (list_empty(&waiter->list)) {
sem->first_waiter = NULL;
- return true;
}
if (sem->first_waiter == waiter) {
@@ -378,8 +377,6 @@ bool __rwsem_del_waiter(struct rw_semaph
struct rwsem_waiter, list);
}
list_del(&waiter->list);
-
- return false;
}
/*
@@ -394,7 +391,8 @@ static inline bool
rwsem_del_waiter(struct rw_semaphore *sem, struct rwsem_waiter *waiter)
{
lockdep_assert_held(&sem->wait_lock);
- if (__rwsem_del_waiter(sem, waiter))
+ __rwsem_del_waiter(sem, waiter);
+ if (rwsem_is_contended(sem))
return true;
atomic_long_andnot(RWSEM_FLAG_HANDOFF | RWSEM_FLAG_WAITERS, &sem->count);
return false;
--
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: b84a0ebe421c Add linux-next specific files for 20260313
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=15fb1602580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
> dashboard link: https://syzkaller.appspot.com/bug?extid=295a8715dd1bfadef8bf
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=177918ba580000
#syz test
>
> syzbot found the following issue on:
>
> HEAD commit: b84a0ebe421c Add linux-next specific files for 20260313
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=15fb1602580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
> dashboard link: https://syzkaller.appspot.com/bug?extid=295a8715dd1bfadef8bf
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=177918ba580000
--- x/kernel/locking/rwsem.c
+++ y/kernel/locking/rwsem.c
@@ -365,12 +365,11 @@ enum rwsem_wake_type {
#define MAX_READERS_WAKEUP 0x100
static inline
-bool __rwsem_del_waiter(struct rw_semaphore *sem, struct rwsem_waiter *waiter)
+void __rwsem_del_waiter(struct rw_semaphore *sem, struct rwsem_waiter *waiter)
__must_hold(&sem->wait_lock)
{
if (list_empty(&waiter->list)) {
sem->first_waiter = NULL;
- return true;
}
if (sem->first_waiter == waiter) {
@@ -378,8 +377,6 @@ bool __rwsem_del_waiter(struct rw_semaph
struct rwsem_waiter, list);
}
list_del(&waiter->list);
-
- return false;
}
/*
@@ -394,7 +391,8 @@ static inline bool
rwsem_del_waiter(struct rw_semaphore *sem, struct rwsem_waiter *waiter)
{
lockdep_assert_held(&sem->wait_lock);
- if (__rwsem_del_waiter(sem, waiter))
+ __rwsem_del_waiter(sem, waiter);
+ if (rwsem_is_contended(sem))
return true;
atomic_long_andnot(RWSEM_FLAG_HANDOFF | RWSEM_FLAG_WAITERS, &sem->count);
return false;
--
syzbot
Mar 17, 2026, 9:11:05 PM (17 hours ago) Mar 17
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+295a87...@syzkaller.appspotmail.com
Tested-by: syzbot+295a87...@syzkaller.appspotmail.com
Tested on:
commit: 8e5a478b Add linux-next specific files for 20260317
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=171d5b4a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1d7d59e3bf573a4f
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+295a87...@syzkaller.appspotmail.com
Tested-by: syzbot+295a87...@syzkaller.appspotmail.com
Tested on:
commit: 8e5a478b Add linux-next specific files for 20260317
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=171d5b4a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1d7d59e3bf573a4f
dashboard link: https://syzkaller.appspot.com/bug?extid=295a8715dd1bfadef8bf
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=17c2e2d6580000
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Note: testing is done by a robot and is best-effort only.
Reply all
Reply to author
Forward
0 new messages