Hi Alejandro Jimenez,
Greetings!
I used Syzkaller and found that there is a WARNING in iommufd_fops_release in linux-next next-20251203.
After bisection, the first bad commit is: " 789a5913b29c iommu/amd: Use the generic iommu page table "
All detailed info can be found at: https://github.com/laifryiee/syzkaller_logs/tree/main/251204_120805_iommufd_...
Syzkaller repro code: https://github.com/laifryiee/syzkaller_logs/tree/main/251204_120805_iommufd_...
Syzkaller repro syscall steps: https://github.com/laifryiee/syzkaller_logs/tree/main/251204_120805_iommufd_...
Syzkaller report: https://github.com/laifryiee/syzkaller_logs/tree/main/251204_120805_iommufd_...
Kconfig(make olddefconfig): https://github.com/laifryiee/syzkaller_logs/tree/main/251204_120805_iommufd_...
Bisect info: https://github.com/laifryiee/syzkaller_logs/tree/main/251204_120805_iommufd_...
bzImage: https://github.com/laifryiee/syzkaller_logs/raw/refs/heads/main/251204_12080...
Issue dmesg: https://github.com/laifryiee/syzkaller_logs/blob/main/251204_120805_iommufd_...

"
[ 26.277988] ------------[ cut here ]------------
[ 26.278641] WARNING: drivers/iommu/iommufd/main.c:369 at iommufd_fops_release+0x385/0x430, CPU#1: repro/724
[ 26.280106] Modules linked in:
[ 26.280581] CPU: 1 UID: 0 PID: 724 Comm: repro Not tainted 6.18.0-next-20251203-b2c27842ba85 #1 PREEMPT(volun
[ 26.281901] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.q4
[ 26.283453] RIP: 0010:iommufd_fops_release+0x385/0x430
[ 26.284150] Code: 8b 45 d0 65 48 2b 05 82 16 78 05 75 7b 48 81 c4 88 00 00 00 31 c0 5b 41 5c 41 5d 41 5e 41 5e
[ 26.286461] RSP: 0018:ffff8880202efba8 EFLAGS: 00010293
[ 26.287290] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83be6832
[ 26.288207] RDX: ffff888019104b00 RSI: ffffffff83be69a5 RDI: 0000000000000005
[ 26.289136] RBP: ffff8880202efc58 R08: 0000000000000001 R09: 0000000000000001
[ 26.290045] R10: 0000000000000000 R11: ffff888019105998 R12: 0000000000000000
[ 26.291071] R13: ffff888022d49008 R14: ffff8880202efbf0 R15: 0000000000000000
[ 26.292002] FS: 0000000000000000(0000) GS:ffff8880e31c0000(0000) knlGS:0000000000000000
[ 26.293036] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 26.293787] CR2: 00007fa6ab957000 CR3: 00000000138bb001 CR4: 0000000000770ef0
[ 26.294815] PKRU: 55555554
[ 26.295192] Call Trace:
[ 26.295539] <TASK>
[ 26.295843] ? locks_remove_file+0x3b4/0x5d0
[ 26.296451] ? __pfx_iommufd_fops_release+0x10/0x10
[ 26.297104] ? __sanitizer_cov_trace_const_cmp2+0x1c/0x30
[ 26.297841] ? evm_file_release+0x140/0x220
[ 26.298439] ? __pfx_iommufd_fops_release+0x10/0x10
[ 26.299193] __fput+0x41f/0xb70
[ 26.299670] ____fput+0x22/0x30
[ 26.300113] task_work_run+0x19e/0x2b0
[ 26.300644] ? __pfx_task_work_run+0x10/0x10
[ 26.301229] ? __sanitizer_cov_trace_const_cmp4+0x1a/0x20
[ 26.301938] ? switch_task_namespaces+0xdd/0x130
[ 26.302579] do_exit+0x8a3/0x28a0
[ 26.303205] ? do_group_exit+0x1d8/0x2c0
[ 26.303745] ? __pfx_do_exit+0x10/0x10
[ 26.304256] ? __this_cpu_preempt_check+0x21/0x30
[ 26.304915] ? _raw_spin_unlock_irq+0x2c/0x60
[ 26.305515] ? lockdep_hardirqs_on+0x85/0x110
[ 26.306099] ? _raw_spin_unlock_irq+0x2c/0x60
[ 26.306796] ? trace_hardirqs_on+0x26/0x130
[ 26.307388] do_group_exit+0xe4/0x2c0
[ 26.307892] __x64_sys_exit_group+0x4d/0x60
[ 26.308460] x64_sys_call+0x21a2/0x21b0
[ 26.308993] do_syscall_64+0x6d/0x1180
[ 26.309509] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 26.310174] RIP: 0033:0x7fa6ab718a4d
[ 26.310680] Code: Unable to access opcode bytes at 0x7fa6ab718a23.
[ 26.311595] RSP: 002b:00007ffdeee343f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 26.312569] RAX: ffffffffffffffda RBX: 00007fa6ab7f69e0 RCX: 00007fa6ab718a4d
[ 26.313498] RDX: 00000000000000e7 RSI: ffffffffffffff80 RDI: 0000000000000000
[ 26.314442] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000020
[ 26.315466] R10: 00007ffdeee342a0 R11: 0000000000000246 R12: 00007fa6ab7f69e0
[ 26.316385] R13: 00007fa6ab7fbf00 R14: 0000000000000001 R15: 00007fa6ab7fbee8
[ 26.317323] </TASK>
[ 26.317642] irq event stamp: 2083
[ 26.318092] hardirqs last enabled at (2091): [<ffffffff81666d75>] __up_console_sem+0x95/0xb0
[ 26.319467] hardirqs last disabled at (2214): [<ffffffff81666d5a>] __up_console_sem+0x7a/0xb0
[ 26.320566] softirqs last enabled at (2212): [<ffffffff8148a2fe>] __irq_exit_rcu+0x10e/0x170
[ 26.321679] softirqs last disabled at (2099): [<ffffffff8148a2fe>] __irq_exit_rcu+0x10e/0x170
[ 26.322880] ---[ end trace 0000000000000000 ]---
"
Hope this could be insightful to you.
Regards, Yi Lai
---
If you don't need the following environment to reproduce the problem, or if you already have a reproduction environment, please ignore the following information.

How to reproduce:
git clone https://gitlab.com/xupengfe/repro_vm_env.git
cd repro_vm_env
tar -xvf repro_vm_env.tar.gz
cd repro_vm_env; ./start3.sh
// it needs qemu-system-x86_64 and I used v7.1.0
// start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
// You could change the bzImage_xxx as you want
// Maybe you need to remove line "-drive if=pflash,format=raw,readonly=on,file=./OVMF_CODE.fd " for different qemu version

You could use the command below to log in; there is no password for root.
ssh -p 10023 root@localhost

After logging in to the VM (virtual machine) successfully, you could transfer the reproducer binary to the VM in the following way and reproduce the problem in the VM:
gcc -pthread -o repro repro.c
scp -P 10023 repro root@localhost:/root/

Get the bzImage for the target kernel:
Please use the target kconfig and copy it to kernel_src/.config
make olddefconfig
make -jx bzImage // x should be equal to or less than the number of CPUs your PC has

Fill the bzImage file into the above start3.sh to load the target kernel in the VM.

Tips:
If you already have qemu-system-x86_64, please ignore the info below.
If you want to install qemu v7.1.0:
git clone https://github.com/qemu/qemu.git
cd qemu
git checkout -f v7.1.0
mkdir build
cd build
yum install -y ninja-build.x86_64
yum -y install libslirp-devel.x86_64
../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl --enable-usb-redir --enable-slirp
make
make install