Dear Linux Developer, Recently, while using our tool to fuzz the kernel, the following crash was triggered: HEAD commit: fc74e0a40e4f Linux 5.16-rc7 git tree: upstream compiler: clang 12.0.0 console output: https://drive.google.com/file/d/1bTS1Khxq5ZVwEPK-QIzGMJ24DcBhlZNW/view?usp=sharing Syzlang reproducer: https://drive.google.com/file/d/11TW-_hd6xARpzEv05ZzN5njdyKjPV4ku/view?usp=sharing C reproducer: https://drive.google.com/file/d/1vLLyr50AtjVUYr3ZFyypwB0WcNa0dloj/view?usp=sharing kernel config: https://drive.google.com/file/d/1L16y3aFu5mPQbKNsc7eQc6RH55YRd1zd/view?usp=sharing IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: Wei Chen <harperchen1110@xxxxxxxxx> WARNING: CPU: 0 PID: 38 at drivers/block/floppy.c:1000 floppy_interrupt+0x694/0x6d0 Modules linked in: CPU: 0 PID: 38 Comm: kworker/u2:2 Not tainted 5.16.0-rc7 #4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: floppy floppy_work_workfn RIP: 0010:floppy_interrupt+0x694/0x6d0 Code: 21 0c 31 ed 48 c7 c7 00 a6 f4 8a 48 c7 c2 6d c1 52 8c 48 c7 c1 e0 a4 f4 8a 31 c0 e8 9d 68 26 05 e9 e7 fd ff ff e8 1c 38 ac fc <0f> 0b e9 63 fb ff ff 89 d9 80 e1 07 38 c1 0f 8c a6 fa ff ff 48 89 RSP: 0018:ffffc90000007d28 EFLAGS: 00010046 RAX: ffffffff84d5d9d4 RBX: 0000000000000001 RCX: ffff8880149523c0 RDX: 0000000080010000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffffffff84d5d530 R09: fffffbfff1a56ead R10: fffffbfff1a56ead R11: 0000000000000000 R12: dffffc0000000000 R13: 0000000000000000 R14: ffffffff84d65f30 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff888063c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007efe73921000 CR3: 000000000c88e000 CR4: 0000000000752ef0 DR0: 00000000200000c0 DR1: 0000000020000080 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 PKRU: 55555554 Call Trace: <IRQ> 
__handle_irq_event_percpu+0x20a/0x6d0 handle_irq_event+0x10a/0x300 handle_edge_irq+0x245/0xbe0 __common_interrupt+0xce/0x1e0 common_interrupt+0x9f/0xc0 </IRQ> <TASK> asm_common_interrupt+0x1e/0x40 RIP: 0010:reset_fdc+0x36b/0x520 Code: 80 cb 80 48 8d 2c ed 70 a9 f7 90 48 89 e8 48 c1 e8 03 42 80 3c 30 00 74 08 48 89 ef e8 1e d9 f6 fc 8b 55 00 83 c2 04 89 d8 ee <e9> aa 00 00 00 e8 6b b4 ab fc 48 8d 1c ed 6d a9 f7 90 48 89 d8 48 RSP: 0018:ffffc90000cbfc28 EFLAGS: 00000202 RAX: 0000000090f7a981 RBX: ffffffff90f7a981 RCX: ffff8880149523c0 RDX: 00000000000003f4 RSI: 0000000000000062 RDI: 0000000000000044 RBP: ffffffff90f7a970 R08: ffffffff84d65d27 R09: fffffbfff1ff5bd0 R10: fffffbfff1ff5bd0 R11: 0000000000000000 R12: 0000000000000000 R13: 1ffffffff21ef52f R14: dffffc0000000000 R15: ffffffff90f7a978 process_one_work+0x853/0x1140 worker_thread+0xac1/0x1320 kthread+0x410/0x500 ret_from_fork+0x1f/0x30 </TASK> ---------------- Code disassembly (best guess): 0: 80 cb 80 or $0x80,%bl 3: 48 8d 2c ed 70 a9 f7 lea -0x6f085690(,%rbp,8),%rbp a: 90 b: 48 89 e8 mov %rbp,%rax e: 48 c1 e8 03 shr $0x3,%rax 12: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1) 17: 74 08 je 0x21 19: 48 89 ef mov %rbp,%rdi 1c: e8 1e d9 f6 fc callq 0xfcf6d93f 21: 8b 55 00 mov 0x0(%rbp),%edx 24: 83 c2 04 add $0x4,%edx 27: 89 d8 mov %ebx,%eax 29: ee out %al,(%dx) * 2a: e9 aa 00 00 00 jmpq 0xd9 <-- trapping instruction 2f: e8 6b b4 ab fc callq 0xfcabb49f 34: 48 8d 1c ed 6d a9 f7 lea -0x6f085693(,%rbp,8),%rbx 3b: 90 3c: 48 89 d8 mov %rbx,%rax 3f: 48 rex.W Best, Wei