Running some fuzzing on virtiofs from a non-privileged user could trigger a warning in virtio_fs_enqueue_req(): WARN_ON(out_sgs + in_sgs != total_sgs); # /usr/libexec/virtiofsd --socket-path=/tmp/vhostqemu -o source=$TESTDIR -o cache=always -o no_posix_lock ... # mount -t virtiofs myfs /tmp $ cd /tmp $ trinity -C 48 --arch 64 >From the log, the final piece of the code from the process was: ioctl(fd=343, cmd=0x5a004000, arg=0x40000000); [ 4327.977314] WARNING: CPU: 2 PID: 12259 at fs/fuse/virtio_fs.c:1151 virtio_fs_enqueue_req+0xa86/0xdb0 [virtiofs] [ 4327.983910] Modules linked in: cmtp kernelcapi hidp bnep bridge stp llc dlci pppoe rfcomm nfnetlink pptp gre can_bcm bluetooth ecdh_generic ecc l2tp_ppp l2tp_netlink l2tp_core ip6_udp_tunnel udp_tunnel pppoxw [ 4327.984068] sunrpc dm_mirror dm_region_hash dm_log dm_mod [ 4328.046826] CPU: 2 PID: 12259 Comm: trinity-c20 Kdump: loaded Not tainted 5.9.0-rc7-next-20201002+ #5 [ 4328.053714] Hardware name: Red Hat KVM, BIOS 1.14.0-1.module+el8.3.0+7638+07cf13d2 04/01/2014 [ 4328.059513] RIP: 0010:virtio_fs_enqueue_req+0xa86/0xdb0 [virtiofs] [ 4328.063812] Code: c1 e7 05 48 03 7c 24 10 6a 00 e8 85 a4 ff ff 8d 48 01 58 41 8d 54 0d 00 e9 d2 fb ff ff 48 89 ef e8 8f 33 5e f9 e9 42 fe ff ff <0f> 0b e9 c7 fb ff ff 48 8b 7c 24 08 e8 c9 49 cf f8 0f b6 45 19 [ 4328.076709] RSP: 0018:ffff8889fbb4f9c0 EFLAGS: 00010297 [ 4328.079112] RAX: 0000000000000000 RBX: ffff8889c9ad88a8 RCX: 0000000000000003 [ 4328.083725] RDX: 0000000000000007 RSI: 0000000000000000 RDI: ffff88810575c1cc [ 4328.089156] RBP: ffff8889fbb4fe20 R08: ffffed1020aeb83c R09: 0000000000001000 [ 4328.095906] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000008 [ 4328.101870] R13: 0000000000000004 R14: 0000000000000003 R15: ffff8889c9ad88d8 [ 4328.106674] FS: 00007f1129d21740(0000) GS:ffff888a7e900000(0000) knlGS:0000000000000000 [ 4328.111642] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4328.114333] CR2: 000000000000002f CR3: 000000090f4ea005 CR4: 0000000000770ee0 [ 4328.117623] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4328.122782] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 4328.128516] PKRU: 55555550 [ 4328.130769] Call Trace: [ 4328.131992] ? virtio_fs_probe+0x14d0/0x14d0 [virtiofs] [ 4328.134465] ? trace_hardirqs_on+0x1c/0x110 [ 4328.136419] ? make_kprojid+0x20/0x20 [ 4328.138936] ? __is_kernel_percpu_address+0x63/0x1e0 [ 4328.141899] ? __module_address+0x3f/0x370 [ 4328.143835] ? lockdep_hardirqs_on_prepare+0x4d0/0x4d0 [ 4328.146248] ? virtio_fs_wake_pending_and_unlock+0x18b/0x610 [virtiofs] [ 4328.149323] ? lock_downgrade+0x730/0x730 [ 4328.151217] ? lock_acquire+0x17f/0x7e0 [ 4328.152998] ? fuse_simple_request+0x233/0x9f0 [fuse] [ 4328.155360] ? rcu_read_unlock+0x40/0x40 [ 4328.157169] virtio_fs_wake_pending_and_unlock+0x1f0/0x610 [virtiofs] virtio_fs_wake_pending_and_unlock at fs/fuse/virtio_fs.c:1227 (discriminator 10) [ 4328.160173] ? queue_request_and_unlock+0x11e/0x290 [fuse] [ 4328.162685] fuse_simple_request+0x3b2/0x9f0 [fuse] __fuse_request_send at fs/fuse/dev.c:421 (inlined by) fuse_simple_request at fs/fuse/dev.c:503 [ 4328.164933] fuse_do_ioctl+0x6c6/0x1280 [fuse] [ 4328.166992] ? fuse_readahead+0x1410/0x1410 [fuse] [ 4328.169213] ? hrtimer_forward+0x1b0/0x1b0 [ 4328.171113] ? hrtimer_cancel+0x20/0x20 [ 4328.172903] ? ioctl_file_clone+0x120/0x120 [ 4328.174849] ? _raw_spin_unlock_irq+0x24/0x30 [ 4328.176871] ? fuse_allow_current_process+0x235/0x2a0 [fuse] [ 4328.181615] __x64_sys_ioctl+0x128/0x190 [ 4328.184832] do_syscall_64+0x33/0x40 [ 4328.190405] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 4328.196680] RIP: 0033:0x7f112963478d [ 4328.200415] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 08 [ 4328.214734] RSP: 002b:00007ffd75a76ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 4328.220222] RAX: ffffffffffffffda RBX: 0000000000000010 RCX: 00007f112963478d [ 4328.224383] RDX: 0000000040000000 RSI: 000000005a004000 RDI: 0000000000000157 [ 4328.228838] RBP: 0000000000000010 R08: 00000000000000a6 R09: 000000002e2e2e2e [ 4328.233241] R10: fffffffffffffffc R11: 0000000000000246 R12: 0000000000000002 [ 4328.237136] R13: 00007f1129c8e058 R14: 00007f1129d216c0 R15: 00007f1129c8e000 [ 4328.240635] CPU: 2 PID: 12259 Comm: trinity-c20 Kdump: loaded Not tainted 5.9.0-rc7-next-20201002+ #5 [ 4328.248370] Hardware name: Red Hat KVM, BIOS 1.14.0-1.module+el8.3.0+7638+07cf13d2 04/01/2014 [ 4328.254499] Call Trace: [ 4328.256522] dump_stack+0x99/0xcb [ 4328.259336] __warn.cold.11+0xe/0x55 [ 4328.261944] ? virtio_fs_enqueue_req+0xa86/0xdb0 [virtiofs] [ 4328.264929] report_bug+0x1af/0x260 [ 4328.266673] handle_bug+0x44/0x80 [ 4328.270439] exc_invalid_op+0x13/0x40 [ 4328.273490] asm_exc_invalid_op+0x12/0x20 [ 4328.276814] RIP: 0010:virtio_fs_enqueue_req+0xa86/0xdb0 [virtiofs] [ 4328.281866] Code: c1 e7 05 48 03 7c 24 10 6a 00 e8 85 a4 ff ff 8d 48 01 58 41 8d 54 0d 00 e9 d2 fb ff ff 48 89 ef e8 8f 33 5e f9 e9 42 fe ff ff <0f> 0b e9 c7 fb ff ff 48 8b 7c 24 08 e8 c9 49 cf f8 0f b6 45 19 [ 4328.294322] RSP: 0018:ffff8889fbb4f9c0 EFLAGS: 00010297 [ 4328.299571] RAX: 0000000000000000 RBX: ffff8889c9ad88a8 RCX: 0000000000000003 [ 4328.305197] RDX: 0000000000000007 RSI: 0000000000000000 RDI: ffff88810575c1cc [ 4328.308930] RBP: ffff8889fbb4fe20 R08: ffffed1020aeb83c R09: 0000000000001000 [ 4328.313548] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000008 [ 4328.318783] R13: 0000000000000004 R14: 0000000000000003 R15: ffff8889c9ad88d8 [ 4328.322338] ? virtio_fs_probe+0x14d0/0x14d0 [virtiofs] [ 4328.324902] ? trace_hardirqs_on+0x1c/0x110 [ 4328.328759] ? make_kprojid+0x20/0x20 [ 4328.331336] ? __is_kernel_percpu_address+0x63/0x1e0 [ 4328.333882] ? __module_address+0x3f/0x370 [ 4328.337281] ? lockdep_hardirqs_on_prepare+0x4d0/0x4d0 [ 4328.341248] ? virtio_fs_wake_pending_and_unlock+0x18b/0x610 [virtiofs] [ 4328.345799] ? lock_downgrade+0x730/0x730 [ 4328.348017] ? lock_acquire+0x17f/0x7e0 [ 4328.350546] ? fuse_simple_request+0x233/0x9f0 [fuse] [ 4328.355082] ? rcu_read_unlock+0x40/0x40 [ 4328.358741] virtio_fs_wake_pending_and_unlock+0x1f0/0x610 [virtiofs] [ 4328.362663] ? queue_request_and_unlock+0x11e/0x290 [fuse] [ 4328.366070] fuse_simple_request+0x3b2/0x9f0 [fuse] [ 4328.368684] fuse_do_ioctl+0x6c6/0x1280 [fuse] [ 4328.371398] ? fuse_readahead+0x1410/0x1410 [fuse] [ 4328.373750] ? hrtimer_forward+0x1b0/0x1b0 [ 4328.375807] ? hrtimer_cancel+0x20/0x20 [ 4328.378899] ? ioctl_file_clone+0x120/0x120 [ 4328.380978] ? _raw_spin_unlock_irq+0x24/0x30 [ 4328.383097] ? fuse_allow_current_process+0x235/0x2a0 [fuse] [ 4328.387317] __x64_sys_ioctl+0x128/0x190 [ 4328.390560] do_syscall_64+0x33/0x40 [ 4328.393175] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 4328.396953] RIP: 0033:0x7f112963478d [ 4328.399000] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 08 [ 4328.411726] RSP: 002b:00007ffd75a76ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 4328.417652] RAX: ffffffffffffffda RBX: 0000000000000010 RCX: 00007f112963478d [ 4328.422766] RDX: 0000000040000000 RSI: 000000005a004000 RDI: 0000000000000157 [ 4328.427831] RBP: 0000000000000010 R08: 00000000000000a6 R09: 000000002e2e2e2e [ 4328.433501] R10: fffffffffffffffc R11: 0000000000000246 R12: 0000000000000002 [ 4328.438662] R13: 00007f1129c8e058 R14: 00007f1129d216c0 R15: 00007f1129c8e000 [ 4328.443667] irq event stamp: 0 [ 4328.446682] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [ 4328.451788] hardirqs last disabled at (0): [<ffffffffb8fa08d7>] copy_process+0x18a7/0x5f00 [ 4328.456792] softirqs last enabled at (0): [<ffffffffb8fa0913>] copy_process+0x18e3/0x5f00 [ 4328.462852] softirqs last disabled at (0): [<0000000000000000>] 0x0 [ 4328.467521] ---[ end trace d6b440e9dac66d6a ]---