------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON(tmp < 0): count = 0xffffffffffffff00, magic = 0xffff8880118b1b58, owner = 0x1, curr 0xffff88803fcb4980, list empty
WARNING: kernel/locking/rwsem.c:1359 at __up_read+0x307/0x6b0 kernel/locking/rwsem.c:1359, CPU#0: syz.0.0/5332
Modules linked in:
CPU: 0 UID: 0 PID: 5332 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__up_read+0x3f7/0x6b0 kernel/locking/rwsem.c:1359
Code: 8b 49 c7 c2 c0 eb cc 8b 4c 0f 44 d0 48 8b 7c 24 38 48 c7 c6 00 ee cc 8b 48 8b 54 24 30 4c 89 f1 4d 89 f8 4c 8b 4c 24 28 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 cb aa 0b 03 e9 70 fe ff ff 48 8d 1d
RSP: 0018:ffffc9000e8a7918 EFLAGS: 00010246
RAX: ffffffff8bcceba0 RBX: ffff8880118b1bb0 RCX: ffff8880118b1b58
RDX: ffffffffffffff00 RSI: ffffffff8bccee00 RDI: ffffffff9014fdc0
RBP: ffffc9000e8a79e8 R08: 0000000000000001 R09: ffff88803fcb4980
R10: ffffffff8bcceba0 R11: ffffed100231636d R12: ffffffffffffff00
R13: 1ffff92001d14f2c R14: ffff8880118b1b58 R15: 0000000000000001
FS: 00007f66aa09f6c0(0000) GS:ffff88808ca58000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000001285a000 CR4: 0000000000352ef0
Call Trace:
<TASK>
inode_unlock_shared include/linux/fs.h:1053 [inline]
lookup_slow+0x5e/0x70 fs/namei.c:1934
walk_component fs/namei.c:2279 [inline]
link_path_walk+0xd1e/0x18d0 fs/namei.c:2647
path_parentat fs/namei.c:2851 [inline]
__filename_parentat+0x27f/0x6f0 fs/namei.c:2875
filename_parentat fs/namei.c:2893 [inline]
filename_create+0xd9/0x370 fs/namei.c:4903
filename_mkdirat+0xd2/0x510 fs/namei.c:5259
__do_sys_mkdirat fs/namei.c:5287 [inline]
__se_sys_mkdirat+0x35/0x150 fs/namei.c:5284
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f66a919c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f66aa09efe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007f66a9416180 RCX: 00007f66a919c799
RDX: 0000000000000000 RSI: 0000200000000240 RDI: ffffffffffffff9c
RBP: 00007f66a9232c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f66a9416218 R14: 00007f66a9416180 R15: 00007fffeabb6f18
</TASK>
----------------
Code disassembly (best guess):
0: 8b 49 c7 mov -0x39(%rcx),%ecx
3: c2 c0 eb ret $0xebc0
6: cc int3
7: 8b 4c 0f 44 mov 0x44(%rdi,%rcx,1),%ecx
b: d0 48 8b rorb $1,-0x75(%rax)
e: 7c 24 jl 0x34
10: 38 48 c7 cmp %cl,-0x39(%rax)
13: c6 00 ee movb $0xee,(%rax)
16: cc int3
17: 8b 48 8b mov -0x75(%rax),%ecx
1a: 54 push %rsp
1b: 24 30 and $0x30,%al
1d: 4c 89 f1 mov %r14,%rcx
20: 4d 89 f8 mov %r15,%r8
23: 4c 8b 4c 24 28 mov 0x28(%rsp),%r9
28: 41 52 push %r10
* 2a: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2f: 48 83 c4 08 add $0x8,%rsp
33: e8 cb aa 0b 03 call 0x30bab03
38: e9 70 fe ff ff jmp 0xfffffead
3d: 48 rex.W
3e: 8d .byte 0x8d
3f: 1d .byte 0x1d