syzbot

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 0 UID: 0 PID: 5854 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:su3000_i2c_transfer+0x1ad/0xfd0 drivers/media/usb/dvb-usb/dw2102.c:740
Code: 4c 89 f8 48 c1 e8 03 49 bc 00 00 00 00 00 fc ff df 42 80 3c 20 00 74 08 4c 89 ff e8 ad b3 33 fa 49 8b 1f 48 89 d8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 f5 08 00 00 0f b6 1b 48 8b 44 24 38 42
RSP: 0018:ffffc900032e7bb0 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: 0000000000000003
RDX: ffffffff87fd4585 RSI: ffffffff8f979470 RDI: 0000000000001900
RBP: 0000000000000000 R08: ffff88803051dc40 R09: 0000000000000002
R10: 0000000000001a00 R11: 0000000000000000 R12: dffffc0000000000
R13: 1ffff110065df68c R14: 0000000000000001 R15: ffff888032efb468
FS:  0000555556170500(0000) GS:ffff888125287000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2d163fff CR3: 0000000079e54000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __i2c_transfer+0x79a/0x1f70 drivers/i2c/i2c-core-base.c:-1
 i2c_transfer+0x1cc/0x2d0 drivers/i2c/i2c-core-base.c:2316
 i2cdev_ioctl_rdwr+0x460/0x740 drivers/i2c/i2c-dev.c:306
 i2cdev_ioctl+0x6a5/0x880 drivers/i2c/i2c-dev.c:467
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0x560 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f75e119ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff31b34168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f75e1415fa0 RCX: 00007f75e119ce59
RDX: 0000200000000a40 RSI: 0000000000000707 RDI: 0000000000000004
RBP: 00007f75e1232d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f75e1415fac R14: 00007f75e1415fa0 R15: 00007f75e1415fa0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:su3000_i2c_transfer+0x1ad/0xfd0 drivers/media/usb/dvb-usb/dw2102.c:740
Code: 4c 89 f8 48 c1 e8 03 49 bc 00 00 00 00 00 fc ff df 42 80 3c 20 00 74 08 4c 89 ff e8 ad b3 33 fa 49 8b 1f 48 89 d8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 f5 08 00 00 0f b6 1b 48 8b 44 24 38 42
RSP: 0018:ffffc900032e7bb0 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: 0000000000000003
RDX: ffffffff87fd4585 RSI: ffffffff8f979470 RDI: 0000000000001900
RBP: 0000000000000000 R08: ffff88803051dc40 R09: 0000000000000002
R10: 0000000000001a00 R11: 0000000000000000 R12: dffffc0000000000
R13: 1ffff110065df68c R14: 0000000000000001 R15: ffff888032efb468
FS:  0000555556170500(0000) GS:ffff888125387000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055e63b92e7d8 CR3: 0000000079e54000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	4c 89 f8             	mov    %r15,%rax
   3:	48 c1 e8 03          	shr    $0x3,%rax
   7:	49 bc 00 00 00 00 00 	movabs $0xdffffc0000000000,%r12
   e:	fc ff df
  11:	42 80 3c 20 00       	cmpb   $0x0,(%rax,%r12,1)
  16:	74 08                	je     0x20
  18:	4c 89 ff             	mov    %r15,%rdi
  1b:	e8 ad b3 33 fa       	call   0xfa33b3cd
  20:	49 8b 1f             	mov    (%r15),%rbx
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 0f b6 04 20       	movzbl (%rax,%r12,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	0f 85 f5 08 00 00    	jne    0x92c
  37:	0f b6 1b             	movzbl (%rbx),%ebx
  3a:	48 8b 44 24 38       	mov    0x38(%rsp),%rax
  3f:	42                   	rex.X