Jiaming Zhang
9:12 AM
to linux-...@vger.kernel.org, bra...@kernel.org, ja...@suse.cz, linux-...@vger.kernel.org, vi...@zeniv.linux.org.uk, syzk...@googlegroups.com
Dear Linux kernel developers and maintainers,
We are writing to report a warning discovered in the Linux kernel.
This issue is reproducible on the latest version (commit
b71e635feefc852405b14620a7fc58c4c80c0f73).
The kernel console output, kernel config, and syzkaller reproducer are
attached to help with analysis. The KASAN report from the kernel,
formatted by syz-symbolize, is listed below:
---
DEBUG_RWSEMS_WARN_ON(!is_rwsem_reader_owned(sem)): count = 0x0, magic = 0xffff888069760e18, owner = 0x0, curr 0xffff888021cc5c40, list empty
WARNING: kernel/locking/rwsem.c:1354 at __up_read+0x4f9/0x670 kernel/locking/rwsem.c:1354, CPU#0: syz.0.327/16241
Modules linked in:
CPU: 0 UID: 0 PID: 16241 Comm: syz.0.327 Not tainted 6.19.0-rc5-00002-gb71e635feefc #7 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__up_read+0x5df/0x670 kernel/locking/rwsem.c:1354
Code: 22 4b 8b 49 c7 c2 e0 22 4b 8b 4c 0f 44 d0 48 8b 7c 24 28 48 c7 c6 80 22 4b 8b 4c 89 ea 48 8b 4c 24 20 4d 89 f0 4d 89 f9 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 03 6f e1 02 e9 6e fb ff ff 48 c7 c1
RSP: 0018:ffffc90011d3fc98 EFLAGS: 00010246
RAX: ffffffff8b4b22c0 RBX: ffff888069760e18 RCX: ffff888069760e18
RDX: 0000000000000000 RSI: ffffffff8b4b2280 RDI: ffffffff8f609dc0
RBP: ffffc90011d3fd78 R08: 0000000000000000 R09: ffff888021cc5c40
R10: ffffffff8b4b22c0 R11: ffffed100d2ec1c5 R12: ffff888069760e70
R13: 0000000000000000 R14: 0000000000000000 R15: ffff888021cc5c40
FS: 00007f03d39ec640(0000) GS:ffff8880994e9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000072ecc000 CR4: 0000000000752ef0
PKRU: 00000000
Call Trace:
<TASK>
inode_unlock_shared include/linux/fs.h:1052 [inline]
iterate_dir+0x458/0x570 fs/readdir.c:113
__do_sys_getdents fs/readdir.c:326 [inline]
__se_sys_getdents+0xe5/0x250 fs/readdir.c:312
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe8/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f03d2baf59d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f03d39ebf98 EFLAGS: 00000246 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 00007f03d2e35fa0 RCX: 00007f03d2baf59d
RDX: 0000000000000018 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 00007f03d2c4b388 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f03d2e36038 R14: 00007f03d2e35fa0 R15: 00007f03d39cc000
</TASK>
----------------
Code disassembly (best guess):
0: 22 4b 8b and -0x75(%rbx),%cl
3: 49 c7 c2 e0 22 4b 8b mov $0xffffffff8b4b22e0,%r10
a: 4c 0f 44 d0 cmove %rax,%r10
e: 48 8b 7c 24 28 mov 0x28(%rsp),%rdi
13: 48 c7 c6 80 22 4b 8b mov $0xffffffff8b4b2280,%rsi
1a: 4c 89 ea mov %r13,%rdx
1d: 48 8b 4c 24 20 mov 0x20(%rsp),%rcx
22: 4d 89 f0 mov %r14,%r8
25: 4d 89 f9 mov %r15,%r9
28: 41 52 push %r10
* 2a: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2f: 48 83 c4 08 add $0x8,%rsp
33: e8 03 6f e1 02 call 0x2e16f3b
38: e9 6e fb ff ff jmp 0xfffffbab
3d: 48 rex.W
3e: c7 .byte 0xc7
3f: c1 .byte 0xc1
---
Please let me know if any further information is required.
Best Regards,
Jiaming Zhang
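Reading the warning line in the report: __up_read() was reached, through the inode_unlock_shared() at the end of iterate_dir(), on an i_rwsem whose count is 0 and whose owner word is 0, so no reader holds it and the RWSEM_READER_OWNED flag is absent; the magic field equals the semaphore's own address (it matches RBX/RCX in the register dump), which is what CONFIG_DEBUG_RWSEMS stores at init, so the structure itself does not look overwritten. The following is an added user-space C model of that check, not code from the report or from the kernel tree: it uses the same bit layout as kernel/locking/rwsem.c (writer bit in the low byte of count, reader count from bit 8 up, reader flag in the owner word), but the model_* names, the string standing in for a task pointer and the owner-clearing rule are simplifications chosen for illustration. It shows which lock states make the assertion fire: a second shared unlock reproduces exactly the count = 0, owner = 0 state in the report, and a shared unlock of a write-locked semaphore trips the other branch of the predicate.

```c
/*
 * Added example, not code from this report or from the kernel tree: a
 * user-space model of the rw_semaphore bookkeeping that the
 * CONFIG_DEBUG_RWSEMS check in __up_read() inspects. The bit layout follows
 * kernel/locking/rwsem.c (writer bit in the low byte of count, reader count
 * from bit 8 up, RWSEM_READER_OWNED flag in the owner word); the model_*
 * names, the string used as a task pointer and the owner-clearing rule are
 * simplifications for illustration, not the kernel's API.
 */
#include <stdbool.h>

#define RWSEM_WRITER_LOCKED  (1UL << 0)
#define RWSEM_WRITER_MASK    RWSEM_WRITER_LOCKED
#define RWSEM_READER_SHIFT   8
#define RWSEM_READER_BIAS    (1UL << RWSEM_READER_SHIFT)
#define RWSEM_READER_MASK    (~(RWSEM_READER_BIAS - 1))
#define RWSEM_READER_OWNED   (1UL << 0)   /* flag OR'ed into the owner word */

struct model_rwsem {
    unsigned long count;   /* readers << 8 | writer bit */
    unsigned long owner;   /* last owner "task" pointer | RWSEM_READER_OWNED */
};

/* The fields the kernel prints when the check fires. */
struct rwsem_warn {
    bool fired;
    unsigned long count, owner;
    const char *curr;
};

/* Same predicate as is_rwsem_reader_owned(): not write-locked, reader flag set. */
static bool is_reader_owned(const struct model_rwsem *sem)
{
    if (sem->count & RWSEM_WRITER_MASK)
        return false;
    return (sem->owner & RWSEM_READER_OWNED) != 0;
}

static void model_down_read(struct model_rwsem *sem, const char *curr)
{
    sem->count += RWSEM_READER_BIAS;
    sem->owner = (unsigned long)curr | RWSEM_READER_OWNED;  /* last reader records itself */
}

static void model_down_write(struct model_rwsem *sem, const char *curr)
{
    sem->count |= RWSEM_WRITER_LOCKED;
    sem->owner = (unsigned long)curr;                       /* no reader flag */
}

/* up_read() with the DEBUG_RWSEMS assertion: returns false and fills *w when
 * no reader owns the semaphore, i.e. an unbalanced or wrong-mode release. */
static bool model_up_read(struct model_rwsem *sem, const char *curr, struct rwsem_warn *w)
{
    *w = (struct rwsem_warn){ 0 };
    if (!is_reader_owned(sem)) {
        *w = (struct rwsem_warn){ true, sem->count, sem->owner, curr };
        return false;
    }
    sem->count -= RWSEM_READER_BIAS;
    if (!(sem->count & RWSEM_READER_MASK))
        sem->owner = 0;   /* simplification: last reader out clears the owner */
    return true;
}

/* Balanced inode_lock_shared()/inode_unlock_shared() pair, the pattern
 * iterate_dir() uses: the check stays quiet and the count returns to 0. */
static bool scenario_balanced(void)
{
    struct model_rwsem sem = { 0, 0 };
    struct rwsem_warn w;
    model_down_read(&sem, "syz.0.327");
    return model_up_read(&sem, "syz.0.327", &w) && !w.fired && sem.count == 0;
}

/* A second up_read() on a semaphore no reader holds: the check fires with
 * count == 0 and owner == 0, the state shown in the report's warning line. */
static bool scenario_double_unlock(struct rwsem_warn *w)
{
    struct model_rwsem sem = { 0, 0 };
    struct rwsem_warn first;
    model_down_read(&sem, "syz.0.327");
    model_up_read(&sem, "syz.0.327", &first);
    return !model_up_read(&sem, "syz.0.327", w);
}

/* up_read() while write-locked: the writer bit alone trips the check, so a
 * mismatched lock/unlock mode is caught even though the owner is non-zero. */
static bool scenario_wrong_mode(struct rwsem_warn *w)
{
    struct model_rwsem sem = { 0, 0 };
    model_down_write(&sem, "writer");
    return !model_up_read(&sem, "writer", w) && (w->count & RWSEM_WRITER_MASK) != 0;
}
```

The practical consequence for triage: the assertion does not tell you which path released the lock first, only that by the time iterate_dir() unlocked, nobody held it in shared mode; the next step with the attached reproducer is to find the earlier inode_unlock()/inode_unlock_shared() on the same inode, which is what lockdep (CONFIG_PROVE_LOCKING) would report as the unbalanced unlock.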