From: syzbot <syzbot+295a8715dd1bfadef8bf@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: [syzbot] [kernel?] WARNING in exit_mm
Date: Tue, 17 Mar 2026 13:39:24 -0700
Message-ID: <69b9bbfc.050a0220.248e02.0151.GAE@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    b84a0ebe421c Add linux-next specific files for 20260313
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15fb1602580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
dashboard link: https://syzkaller.appspot.com/bug?extid=295a8715dd1bfadef8bf
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=177918ba580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/09145161a8a9/disk-b84a0ebe.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b64c254e474c/vmlinux-b84a0ebe.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a7c33f5f7f45/bzImage-b84a0ebe.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+295a8715dd1bfadef8bf@syzkaller.appspotmail.com

------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON(tmp < 0): count = 0xfffffffffffffffe, magic = 0xffff8880369e4150, owner = 0x1, curr 0xffff88801f7f8000, list not empty
WARNING: kernel/locking/rwsem.c:1389 at __up_read+0x307/0x6b0 kernel/locking/rwsem.c:1389, CPU#0: syz.0.17/5989
Modules linked in:
CPU: 0 UID: 0 PID: 5989 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:__up_read+0x3f5/0x6b0 kernel/locking/rwsem.c:1389
Code: 8b 49 c7 c2 e0 f3 ec 8b 4c 0f 44 d0 48 8b 7c 24 38 48 c7 c6 60 f6 ec 8b 48 8b 54 24 30 4c 89 f1 4d 89 f8 4c 8b 4c 24 28 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 0d 23 15 03 e9 72 fe ff ff 48 8d 1d
RSP: 0018:ffffc90004577c18 EFLAGS: 00010246
RAX: ffffffff8becf400 RBX: ffff8880369e41a8 RCX: ffff8880369e4150
RDX: fffffffffffffffe RSI: ffffffff8becf660 RDI: ffffffff90579f10
RBP: ffffc90004577cf0 R08: 0000000000000001 R09: ffff88801f7f8000
R10: ffffffff8becf400 R11: ffffed1006d3c82c R12: fffffffffffffffe
R13: 1ffff920008aef8c R14: ffff8880369e4150 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff888124de0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7e9c747e20 CR3: 0000000078264000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
 exit_mm+0x17e/0x250 kernel/exit.c:579
 do_exit+0x8b9/0x2490 kernel/exit.c:962
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1116
 __do_sys_exit_group kernel/exit.c:1127 [inline]
 __se_sys_exit_group kernel/exit.c:1125 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1125
 x64_sys_call+0x221a/0x2240 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7e9b99c799
Code: Unable to access opcode bytes at 0x7f7e9b99c76f.
RSP: 002b:00007ffca98be868 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7e9b99c799
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 0000000000000000 R09: 00007f7e9bbe63e0
R10: 0000000000000006 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7e9bbe63e0 R14: 0000000000000003 R15: 00007ffca98be920
 </TASK>
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	49 c7 c2 e0 f3 ec 8b 	mov    $0xffffffff8becf3e0,%r10
   7:	4c 0f 44 d0          	cmove  %rax,%r10
   b:	48 8b 7c 24 38       	mov    0x38(%rsp),%rdi
  10:	48 c7 c6 60 f6 ec 8b 	mov    $0xffffffff8becf660,%rsi
  17:	48 8b 54 24 30       	mov    0x30(%rsp),%rdx
  1c:	4c 89 f1             	mov    %r14,%rcx
  1f:	4d 89 f8             	mov    %r15,%r8
  22:	4c 8b 4c 24 28       	mov    0x28(%rsp),%r9
  27:	41 52                	push   %r10
* 29:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2e:	48 83 c4 08          	add    $0x8,%rsp
  32:	e8 0d 23 15 03       	call   0x3152344
  37:	e9 72 fe ff ff       	jmp    0xfffffeae
  3c:	48                   	rex.W
  3d:	8d                   	.byte 0x8d
  3e:	1d                   	.byte 0x1d


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
