Good day, dear maintainers, We found a bug using a modified kernel configuration file used by syzbot. We enhanced the coverage of the configuration file using our tool, klocalizer. Kernel Branch: 6.3.0-next-20230505 Kernel Config: https://drive.google.com/file/d/1CWOQciTTXKzVb4DgU4k4_8G_EBnsj5e_/view?usp=sharing Reproducer: https://drive.google.com/file/d/1URA2qDJHiSLilF49m9XAutOZCd3CNg52/view?usp=sharing Thank you! Best regards, Sanan Hasanov current_req=0000000000000000 command_status=-1 floppy0: floppy timeout called no cont in shutdown! ------------[ cut here ]------------ WARNING: CPU: 3 PID: 17310 at drivers/block/floppy.c:999 schedule_bh drivers/block/floppy.c:999 [inline] WARNING: CPU: 3 PID: 17310 at drivers/block/floppy.c:999 process_fd_request drivers/block/floppy.c:2847 [inline] WARNING: CPU: 3 PID: 17310 at drivers/block/floppy.c:999 __floppy_read_block_0.isra.0+0x28b/0x320 drivers/block/floppy.c:4160 Modules linked in: CPU: 3 PID: 17310 Comm: syz-executor.2 Not tainted 6.3.0-next-20230505 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:schedule_bh drivers/block/floppy.c:999 [inline] RIP: 0010:process_fd_request drivers/block/floppy.c:2847 [inline] RIP: 0010:__floppy_read_block_0.isra.0+0x28b/0x320 drivers/block/floppy.c:4160 Code: 65 48 2b 04 25 28 00 00 00 0f 85 a4 00 00 00 48 81 c4 88 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d e9 6e 3b 16 04 e8 b5 f3 c2 fc <0f> 0b e9 65 ff ff ff e8 c9 5c 17 fd e9 8a fe ff ff e8 9f f3 c2 fc RSP: 0018:ffff88806c9ff690 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88806c9ff818 RCX: 0000000000000000 floppy0: floppy_shutdown: timeout handler died. RDX: ffff88806d252040 RSI: ffffffff84cac7db RDI: ffffffff84cac73e RBP: ffff88806c9ff840 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffffea0001b1b740 R13: 0000000000000001 R14: 1ffff1100d93fed3 R15: dffffc0000000000 FS: 00007f57dfc11700(0000) GS:ffff888119f80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7a805bd0b0 CR3: 00000001178e4000 CR4: 0000000000350ee0 Call Trace: <TASK> floppy_revalidate.isra.0+0x80c/0xc10 drivers/block/floppy.c:4206 floppy_open+0xadc/0xe90 drivers/block/floppy.c:4058 blkdev_get_whole+0x9b/0x2d0 block/bdev.c:606 blkdev_get_by_dev.part.0+0x5da/0xbb0 block/bdev.c:756 blkdev_get_by_dev+0x7d/0x90 block/bdev.c:790 blkdev_open+0x14a/0x2e0 block/fops.c:493 do_dentry_open+0x683/0x1270 fs/open.c:920 vfs_open+0xa4/0xe0 fs/open.c:1051 do_open fs/namei.c:3636 [inline] path_openat+0x1d5c/0x2950 fs/namei.c:3791 do_filp_open+0x1c9/0x420 fs/namei.c:3818 do_sys_openat2+0x17c/0x540 fs/open.c:1356 do_sys_open fs/open.c:1372 [inline] __do_sys_openat fs/open.c:1388 [inline] __se_sys_openat fs/open.c:1383 [inline] __x64_sys_openat+0x175/0x240 fs/open.c:1383 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f57dea3dca4 Code: 24 20 eb 8f 66 90 44 89 54 24 0c e8 86 f9 ff ff 44 8b 54 24 0c 44 89 e2 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 32 44 89 c7 89 44 24 0c e8 b8 f9 ff ff 8b 44 RSP: 002b:00007f57dfc10720 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00007f57dea3dca4 RDX: 0000000000000000 RSI: 00007f57dfc107c0 RDI: 00000000ffffff9c RBP: 00007f57dfc107c0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00007ffdd213b57f R14: 00007ffdd213b720 R15: 00007f57dfc10d80 </TASK> irq event stamp: 889 hardirqs last enabled at (899): [<ffffffff816ff504>] __up_console_sem+0xf4/0x180 kernel/printk/printk.c:347 hardirqs last disabled at (908): [<ffffffff816ff4e9>] __up_console_sem+0xd9/0x180 kernel/printk/printk.c:345 softirqs last enabled at (298): [<ffffffff8154f646>] invoke_softirq kernel/softirq.c:445 [inline] softirqs last enabled at (298): [<ffffffff8154f646>] __irq_exit_rcu+0x196/0x230 kernel/softirq.c:650 softirqs last disabled at (193): [<ffffffff8154f646>] invoke_softirq kernel/softirq.c:445 [inline] softirqs last disabled at (193): [<ffffffff8154f646>] __irq_exit_rcu+0x196/0x230 kernel/softirq.c:650 ---[ end trace 0000000000000000 ]--- floppy driver state ------------------- ------------[ cut here ]------------ now=4294973631 last interrupt=4294973631 diff=0 last called handler=reset_interrupt WARNING: CPU: 2 PID: 5690 at drivers/block/floppy.c:999 schedule_bh drivers/block/floppy.c:999 [inline] WARNING: CPU: 2 PID: 5690 at drivers/block/floppy.c:999 floppy_interrupt+0x46e/0x4e0 drivers/block/floppy.c:1765 timeout_message=redo fd request Modules linked in: CPU: 2 PID: 5690 Comm: syz-executor.4 Tainted: G W 6.3.0-next-20230505 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:schedule_bh drivers/block/floppy.c:999 [inline] RIP: 0010:floppy_interrupt+0x46e/0x4e0 drivers/block/floppy.c:1765 Code: ff e8 76 45 c3 fc 44 89 e7 31 db e8 3c 92 ff ff 41 89 c4 89 05 93 90 10 0a eb 94 e8 6c af 17 fd e9 cc fc ff ff e8 52 45 c3 fc <0f> 0b e9 a4 fe ff ff 48 c7 c7 00 f2 c0 8a e8 ef ae 17 fd e9 bd fb RSP: 0018:ffff888119f09e38 EFLAGS: 00010046 RAX: 0000000080010001 RBX: 0000000000000001 RCX: 0000000000000000 RDX: ffff88810d818300 RSI: ffffffff84ca763e RDI: ffffffff84ca74e1 RBP: ffff888119f09e60 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000002 R13: 0000000000000000 R14: ffffffff84ca0b50 R15: 0000000000000000 FS: 000055555577b980(0000) GS:ffff888119f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f410fd88d78 CR3: 000000010ca57000 CR4: 0000000000350ee0 Call Trace: <IRQ> floppy_hardint+0x1b1/0x200 arch/x86/include/asm/floppy.h:66 __handle_irq_event_percpu+0x239/0x840 kernel/irq/handle.c:158 handle_irq_event_percpu kernel/irq/handle.c:193 [inline] handle_irq_event+0xb1/0x1f0 kernel/irq/handle.c:210 handle_edge_irq+0x268/0xd30 kernel/irq/chip.c:819 last output bytes: generic_handle_irq_desc include/linux/irqdesc.h:158 [inline] handle_irq arch/x86/kernel/irq.c:231 [inline] __common_interrupt+0xac/0x240 arch/x86/kernel/irq.c:250 8 80 4294973607 common_interrupt+0xb6/0xe0 arch/x86/kernel/irq.c:240 8 80 4294973607 </IRQ> 8 80 4294973607 <TASK> asm_common_interrupt+0x2b/0x40 arch/x86/include/asm/idtentry.h:636 8 80 4294973607 RIP: 0010:arch_local_irq_enable arch/x86/include/asm/paravirt.h:701 [inline] RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:135 [inline] RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] RIP: 0010:_raw_spin_unlock_irqrestore+0x79/0xa0 kernel/locking/spinlock.c:194 8 80 4294973612 Code: c7 c0 a0 c3 e1 8a 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 1b 48 83 3d df fc 00 02 00 74 08 fb 0f 1f 44 00 00 <eb> b0 0f 0b e8 1e cc 1f f8 eb bc 48 c7 c7 a0 c3 e1 8a e8 60 5e 01 RSP: 0018:ffff88811237fbd0 EFLAGS: 00000282 RAX: 1ffffffff15c3874 RBX: 0000000000000286 RCX: 1ffffffff193c081 RDX: dffffc0000000000 RSI: 0000000000000001 RDI: 0000000000000000 8 80 4294973612 RBP: ffff88811237fbe0 R08: 0000000000000001 R09: 0000000000000001 8 80 4294973612 R10: fffffbfff193c6e2 R11: 0000000000000001 R12: ffff8881079096e0 8 80 4294973612 R13: 0000000000000286 R14: ffff88811237fd18 R15: ffff88811237fd20 8 80 4294973617 spin_unlock_irqrestore include/linux/spinlock.h:405 [inline] remove_wait_queue+0x113/0x1a0 kernel/sched/wait.c:56 8 80 4294973617 8 80 4294973617 do_wait+0x68c/0xc40 kernel/exit.c:1639 8 80 4294973617 kernel_wait4+0x175/0x290 kernel/exit.c:1777 8 80 4294973622 8 80 4294973622 8 80 4294973622 8 80 4294973622 8 80 4294973631 __do_sys_wait4+0x14b/0x160 kernel/exit.c:1805 8 80 4294973631 8 80 4294973631 8 80 4294973631 last result at 4294973631 last redo_fd_request at 4294973631 c3 00 .. status=80 fdc_busy=1 __se_sys_wait4 kernel/exit.c:1801 [inline] __x64_sys_wait4+0x9a/0x100 kernel/exit.c:1801 floppy_work.func=floppy_work_workfn cont=000000001716a029 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 current_req=00000000c74d3a02 entry_SYSCALL_64_after_hwframe+0x72/0xdc command_status=-1 RIP: 0033:0x7fd7eb28c8bf Code: 89 7c 24 10 48 89 4c 24 18 e8 dd d9 02 00 4c 8b 54 24 18 8b 54 24 14 41 89 c0 48 8b 74 24 08 8b 7c 24 10 b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2b 44 89 c7 89 44 24 10 e8 0d da 02 00 8b 44 floppy0: floppy timeout called RSP: 002b:00007ffcf66bb8e0 EFLAGS: 00000293 floppy: error 10 while reading block 0 ORIG_RAX: 000000000000003d RAX: ffffffffffffffda RBX: 0000000000000110 RCX: 00007fd7eb28c8bf RDX: 0000000040000001 RSI: 00007ffcf66bb95c RDI: 00000000ffffffff RBP: 0000000000000bb8 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000058d8f R13: 0000000000000001 R14: 00007ffcf66bb95c R15: 0000000000000032 </TASK> irq event stamp: 1130498 hardirqs last enabled at (1130497): [<ffffffff88e0c69e>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] hardirqs last enabled at (1130497): [<ffffffff88e0c69e>] _raw_spin_unlock_irqrestore+0x4e/0xa0 kernel/locking/spinlock.c:194 hardirqs last disabled at (1130498): [<ffffffff88de310a>] common_interrupt+0x1a/0xe0 arch/x86/kernel/irq.c:240 softirqs last enabled at (1129182): [<ffffffff8136dda8>] fpu_clone+0x368/0xc30 arch/x86/kernel/fpu/core.c:630 softirqs last disabled at (1129180): [<ffffffff8136dd42>] fpu_clone+0x302/0xc30 arch/x86/kernel/fpu/core.c:611 ---[ end trace 0000000000000000 ]--- floppy0: no autodetectable formats floppy: error 10 while reading block 0 general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN kobject: 'loop2' (00000000bf49ae8f): kobject_uevent_env KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] kobject: 'loop2' (00000000bf49ae8f): fill_kobj_path: path = '/devices/virtual/block/loop2' CPU: 7 PID: 87 Comm: kworker/u16:3 Tainted: G W 6.3.0-next-20230505 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: floppy floppy_work_workfn RIP: 0010:reset_interrupt+0xfb/0x240 drivers/block/floppy.c:1792 Code: fc 84 db 0f 85 8f 00 00 00 e8 61 af c3 fc 48 8b 1d 2a d2 10 0a 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 0b 01 00 00 48 8b 43 08 e8 82 f0 16 04 48 8b 5d RSP: 0018:ffff8881020dfce0 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffff84ca0c2f RDI: 0000000000000008 RBP: ffff8881020dfce8 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff8bb2e200 R13: ffff8881020dfda0 R14: ffff8881014efe00 R15: ffff888100079000 FS: 0000000000000000(0000) GS:ffff88811a180000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f57dea61c40 CR3: 000000010db84000 CR4: 0000000000350ee0 Call Trace: <TASK> floppy_work_workfn+0x19/0x20 drivers/block/floppy.c:992 process_one_work+0x9f4/0x16d0 kernel/workqueue.c:2405 kobject: 'loop5' (000000007e339653): kobject_uevent_env kobject: 'loop5' (000000007e339653): fill_kobj_path: path = '/devices/virtual/block/loop5' worker_thread+0x68e/0x10f0 kernel/workqueue.c:2552 kthread+0x359/0x460 kernel/kthread.c:379 ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:reset_interrupt+0xfb/0x240 drivers/block/floppy.c:1792 Code: fc 84 db 0f 85 8f 00 00 00 e8 61 af c3 fc 48 8b 1d 2a d2 10 0a 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 0b 01 00 00 48 8b 43 08 e8 82 f0 16 04 48 8b 5d RSP: 0018:ffff8881020dfce0 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffff84ca0c2f RDI: 0000000000000008 RBP: ffff8881020dfce8 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff8bb2e200 R13: ffff8881020dfda0 R14: ffff8881014efe00 R15: ffff888100079000 FS: 0000000000000000(0000) GS:ffff88811a180000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f57dea61c40 CR3: 000000010db84000 CR4: 0000000000350ee0 ---------------- Code disassembly (best guess): 0: c7 c0 a0 c3 e1 8a mov $0x8ae1c3a0,%eax 6: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx d: fc ff df 10: 48 c1 e8 03 shr $0x3,%rax 14: 80 3c 10 00 cmpb $0x0,(%rax,%rdx,1) 18: 75 1b jne 0x35 1a: 48 83 3d df fc 00 02 cmpq $0x0,0x200fcdf(%rip) # 0x200fd01 21: 00 22: 74 08 je 0x2c 24: fb sti 25: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) * 2a: eb b0 jmp 0xffffffdc <-- trapping instruction 2c: 0f 0b ud2 2e: e8 1e cc 1f f8 call 0xf81fcc51 33: eb bc jmp 0xfffffff1 35: 48 c7 c7 a0 c3 e1 8a mov $0xffffffff8ae1c3a0,%rdi 3c: e8 .byte 0xe8 3d: 60 (bad) 3e: 5e pop %rsi 3f: 01 .byte 0x1