syzbot


BUG: unable to handle kernel paging request in __run_timers (2)

Status: moderation: reported on 2025/10/27 03:36
Subsystems: x86 net sound
Reported-by: syzbot+6d5d418ee99ee0216531@syzkaller.appspotmail.com
First crash: 63d, last: 20d
Similar bugs (10)
| Kernel | Title | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| upstream | BUG: unable to handle kernel paging request in __run_timers (net) | 8 | | | | 2 | 2540d | 2548d | 0/29 | auto-closed as invalid on 2019/07/10 08:52 |
| android-54 | KASAN: use-after-free Write in __run_timers (2) | 24 | C | | | 752 | 213d | 302d | 0/2 | upstream: reported C repro on 2025/02/25 14:17 |
| android-54 | KASAN: use-after-free Write in __run_timers | 24 | syz | | | 449 | 540d | 1992d | 0/2 | auto-obsoleted due to no activity on 2024/09/11 00:16 |
| upstream | KASAN: invalid-access Write in __run_timers (kernel) | -1 | | | | 8 | 1769d | 1776d | 0/29 | auto-closed as invalid on 2021/05/20 13:15 |
| android-6-1 | KASAN: use-after-free Write in __run_timers (origin:lts) | 24 | C | | | 471 | 5h11m | 389d | 0/2 | upstream: reported C repro on 2024/12/01 07:19 |
| upstream | KMSAN: uninit-value in __run_timers (3) (net) | 7 | C | error | | 4 | 842d | 878d | 0/29 | auto-obsoleted due to no activity on 2024/01/10 00:11 |
| upstream | KASAN: slab-use-after-free Write in __run_timers (net) | 24 | | | | 1 | 299d | 299d | 0/29 | closed as invalid on 2025/03/30 10:14 |
| linux-5.15 | KASAN: use-after-free Write in __run_timers (origin:lts-only) | 24 | C | | | 1 | 13d | 13d | 0/3 | upstream: reported C repro on 2025/12/12 05:05 |
| android-54 | KASAN: slab-out-of-bounds Write in __run_timers | 23 | | | | 4 | 1641d | 1831d | 0/2 | auto-closed as invalid on 2021/10/26 12:53 |
| upstream | BUG: unable to handle kernel NULL pointer dereference in __run_timers (arm) | 10 | | | | 1 | 575d | 571d | 0/29 | auto-obsoleted due to no activity on 2024/08/27 10:03 |

Sample crash report:
BUG: unable to handle page fault for address: fffff52000e84f4a
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 7ffcc067 P4D 7ffcc067 PUD 1c699067 PMD 275d6067 PTE 0
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 150 Comm: kworker/0:1H Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_highpri snd_vmidi_output_work
RIP: 0010:hlist_move_list include/linux/list.h:1122 [inline]
RIP: 0010:collect_expired_timers kernel/time/timer.c:1819 [inline]
RIP: 0010:__run_timers+0x320/0x960 kernel/time/timer.c:2354
Code: 31 00 0f 85 c5 05 00 00 48 85 c0 49 89 07 48 89 44 24 18 74 24 e8 10 ea 13 00 48 8b 44 24 18 48 8d 78 08 48 89 f9 48 c1 e9 03 <42> 80 3c 31 00 0f 85 af 05 00 00 4c 89 78 08 e8 ec e9 13 00 83 44
RSP: 0018:ffffc90000007d50 EFLAGS: 00010802
RAX: ffffc90007427a48 RBX: 0000000000000002 RCX: 1ffff92000e84f4a
RDX: ffff888022d12480 RSI: ffffffff81a87ff0 RDI: ffffc90007427a50
RBP: 0000000003ffff01 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802b225fa8
R13: ffffc90000007e20 R14: dffffc0000000000 R15: ffffc90000007e18
FS:  0000000000000000(0000) GS:ffff888097812000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff52000e84f4a CR3: 000000006695b000 CR4: 0000000000352ef0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffeff7ff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 __run_timer_base kernel/time/timer.c:2384 [inline]
 __run_timer_base kernel/time/timer.c:2376 [inline]
 run_timer_base+0x114/0x190 kernel/time/timer.c:2393
 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2403
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1052
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x80 kernel/locking/spinlock.c:194
Code: f5 53 48 8b 74 24 10 48 89 fb 48 83 c7 18 e8 96 a2 38 f6 48 89 df e8 7e f6 38 f6 f7 c5 00 02 00 00 75 23 9c 58 f6 c4 02 75 37 <bf> 01 00 00 00 e8 c5 ff 28 f6 65 8b 05 7e 25 41 08 85 c0 74 16 5b
RSP: 0018:ffffc90002a2fb10 EFLAGS: 00000246
RAX: 0000000000000006 RBX: ffff888058d89620 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffffffff8da26dd3 RDI: ffffffff8bf071c0
RBP: 0000000000000293 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff90822ad7 R11: 0000000000000001 R12: ffff888057d8a428
R13: 0000000000000000 R14: ffff888058d89620 R15: ffff888058d89608
 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
 class_spinlock_irqsave_destructor include/linux/spinlock.h:585 [inline]
 snd_midi_event_encode_byte sound/core/seq/seq_midi_event.c:183 [inline]
 snd_midi_event_encode_byte+0x630/0xe30 sound/core/seq/seq_midi_event.c:170
 snd_vmidi_output_work+0x150/0x390 sound/core/seq/seq_virmidi.c:153
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3263
 process_scheduled_works kernel/workqueue.c:3346 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3427
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
CR2: fffff52000e84f4a
---[ end trace 0000000000000000 ]---
RIP: 0010:hlist_move_list include/linux/list.h:1122 [inline]
RIP: 0010:collect_expired_timers kernel/time/timer.c:1819 [inline]
RIP: 0010:__run_timers+0x320/0x960 kernel/time/timer.c:2354
Code: 31 00 0f 85 c5 05 00 00 48 85 c0 49 89 07 48 89 44 24 18 74 24 e8 10 ea 13 00 48 8b 44 24 18 48 8d 78 08 48 89 f9 48 c1 e9 03 <42> 80 3c 31 00 0f 85 af 05 00 00 4c 89 78 08 e8 ec e9 13 00 83 44
RSP: 0018:ffffc90000007d50 EFLAGS: 00010802
RAX: ffffc90007427a48 RBX: 0000000000000002 RCX: 1ffff92000e84f4a
RDX: ffff888022d12480 RSI: ffffffff81a87ff0 RDI: ffffc90007427a50
RBP: 0000000003ffff01 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802b225fa8
R13: ffffc90000007e20 R14: dffffc0000000000 R15: ffffc90000007e18
FS:  0000000000000000(0000) GS:ffff888097812000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff52000e84f4a CR3: 000000006695b000 CR4: 0000000000352ef0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffeff7ff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	31 00                	xor    %eax,(%rax)
   2:	0f 85 c5 05 00 00    	jne    0x5cd
   8:	48 85 c0             	test   %rax,%rax
   b:	49 89 07             	mov    %rax,(%r15)
   e:	48 89 44 24 18       	mov    %rax,0x18(%rsp)
  13:	74 24                	je     0x39
  15:	e8 10 ea 13 00       	call   0x13ea2a
  1a:	48 8b 44 24 18       	mov    0x18(%rsp),%rax
  1f:	48 8d 78 08          	lea    0x8(%rax),%rdi
  23:	48 89 f9             	mov    %rdi,%rcx
  26:	48 c1 e9 03          	shr    $0x3,%rcx
* 2a:	42 80 3c 31 00       	cmpb   $0x0,(%rcx,%r14,1) <-- trapping instruction
  2f:	0f 85 af 05 00 00    	jne    0x5e4
  35:	4c 89 78 08          	mov    %r15,0x8(%rax)
  39:	e8 ec e9 13 00       	call   0x13ea2a
  3e:	83                   	.byte 0x83
  3f:	44                   	rex.R

Crashes (3):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/10/23 03:32 | upstream | dd72c8fcf6d3 | c0460fcd | .config | console log | report | | | info | disk image (non-bootable), vmlinux, kernel image | ci-qemu-upstream-386 | BUG: unable to handle kernel paging request in __run_timers |
| 2025/12/05 00:09 | upstream | 6dfafbd0299a | d1b870e1 | .config | console log | report | | | info | disk image (non-bootable), vmlinux, kernel image | ci-qemu-upstream-386 | KASAN: vmalloc-out-of-bounds Write in __run_timers |
| 2025/12/02 05:42 | upstream | 1d18101a644e | d1b870e1 | .config | console log | report | | | info | disk image (non-bootable), vmlinux, kernel image | ci-qemu-upstream-386 | KASAN: vmalloc-out-of-bounds Write in __run_timers |