syzbot


upstream boot error: BUG: unable to handle kernel NULL pointer dereference in timerqueue_add

Status: closed as invalid on 2023/05/16 10:34
Subsystems: kernel
First crash: 626d, last: 626d

Sample crash report:
8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000207 when read
[00000207] *pgd=80000080004003, *pmd=00000000
Internal error: Oops: 207 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-rc1-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at __rb_insert lib/rbtree.c:117 [inline]
PC is at rb_insert_color+0x38/0x16c lib/rbtree.c:436
LR is at rb_insert_color_cached include/linux/rbtree.h:114 [inline]
LR is at rb_add_cached include/linux/rbtree.h:183 [inline]
LR is at timerqueue_add+0x88/0xf4 lib/timerqueue.c:40
pc : [<817c99c8>]    lr : [<817cdf3c>]    psr: 20000193
sp : 82601d30  ip : 00000207  fp : 82601d3c
r10: 8261ae40  r9 : 80307028  r8 : 00000001
r7 : 00000000  r6 : 00000000  r5 : dddc9c14  r4 : dddc9f48
r3 : 831928a8  r2 : 83192970  r1 : dddc9c14  r0 : dddc9f48
Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 849c2480  DAC: fffffffd
Register r0 information: non-slab/vmalloc memory
Register r1 information: non-slab/vmalloc memory
Register r2 information: slab kmalloc-1k start 83192800 pointer offset 368 size 1024
Register r3 information: slab kmalloc-1k start 83192800 pointer offset 168 size 1024
Register r4 information: non-slab/vmalloc memory
Register r5 information: non-slab/vmalloc memory
Register r6 information: NULL pointer
Register r7 information: NULL pointer
Register r8 information: non-paged memory
Register r9 information: non-slab/vmalloc memory
Register r10 information: non-slab/vmalloc memory
Register r11 information: non-slab/vmalloc memory
Register r12 information: non-paged memory
Process swapper/0 (pid: 0, stack limit = 0x82600000)
Stack: (0x82601d30 to 0x82602000)
Backtrace: 
[<817c9990>] (rb_insert_color) from [<817cdf3c>] (rb_insert_color_cached include/linux/rbtree.h:114 [inline])
[<817c9990>] (rb_insert_color) from [<817cdf3c>] (rb_add_cached include/linux/rbtree.h:183 [inline])
[<817c9990>] (rb_insert_color) from [<817cdf3c>] (timerqueue_add+0x88/0xf4 lib/timerqueue.c:40)
[<817cdeb4>] (timerqueue_add) from [<802f1710>] (enqueue_hrtimer+0x50/0xfc kernel/time/hrtimer.c:1091)
 r7:00000000 r6:00000000 r5:dddc9f48 r4:dddc9c00
[<802f16c0>] (enqueue_hrtimer) from [<802f1e54>] (__run_hrtimer kernel/time/hrtimer.c:1702 [inline])
[<802f16c0>] (enqueue_hrtimer) from [<802f1e54>] (__hrtimer_run_queues+0x1e0/0x448 kernel/time/hrtimer.c:1749)
 r9:80307028 r8:00000001 r7:00000000 r6:dddc9bc0 r5:dddc9c00 r4:dddc9f48
[<802f1c74>] (__hrtimer_run_queues) from [<802f2c44>] (hrtimer_interrupt+0x140/0x2cc kernel/time/hrtimer.c:1811)
 r10:dddc9c98 r9:dddc9c70 r8:dddc9c48 r7:dddc9bcc r6:00000003 r5:20000193
 r4:dddc9bc0
[<802f2b04>] (hrtimer_interrupt) from [<8112896c>] (timer_handler drivers/clocksource/arm_arch_timer.c:656 [inline])
[<802f2b04>] (hrtimer_interrupt) from [<8112896c>] (arch_timer_handler_virt+0x30/0x38 drivers/clocksource/arm_arch_timer.c:667)
 r10:00000000 r9:8261ae40 r8:82601e48 r7:0000001c r6:81b0febc r5:83099780
 r4:8309a200
[<8112893c>] (arch_timer_handler_virt) from [<802bf77c>] (handle_percpu_devid_irq+0x9c/0x2d4 kernel/irq/chip.c:930)
[<802bf6e0>] (handle_percpu_devid_irq) from [<802b8fe0>] (generic_handle_irq_desc include/linux/irqdesc.h:158 [inline])
[<802bf6e0>] (handle_percpu_devid_irq) from [<802b8fe0>] (handle_irq_desc kernel/irq/irqdesc.c:651 [inline])
[<802bf6e0>] (handle_percpu_devid_irq) from [<802b8fe0>] (generic_handle_domain_irq+0x30/0x40 kernel/irq/irqdesc.c:707)
 r10:00000000 r9:8261ae40 r8:00000000 r7:df80a00c r6:824aebe0 r5:df80a000
 r4:8260cdf4 r3:00010001
[<802b8fb0>] (generic_handle_domain_irq) from [<8087ddb4>] (gic_handle_irq+0x68/0x7c drivers/irqchip/irq-gic.c:373)
[<8087dd4c>] (gic_handle_irq) from [<817f662c>] (generic_handle_arch_irq+0x60/0x80 kernel/irq/handle.c:238)
 r7:82601ed0 r6:8211af8c r5:82155614 r4:824b0264
[<817f65cc>] (generic_handle_arch_irq) from [<80200b34>] (__irq_svc+0x74/0xac arch/arm/kernel/entry-armv.S:221)
Exception stack(0x82601ed0 to 0x82601f18)
 r9:8261ae40 r8:00000000 r7:82601f04 r6:ffffffff r5:20000113 r4:817f7c50
[<817f7c04>] (default_idle_call) from [<80293774>] (cpuidle_idle_call kernel/sched/idle.c:170 [inline])
[<817f7c04>] (default_idle_call) from [<80293774>] (do_idle+0x280/0x2f0 kernel/sched/idle.c:282)
 r7:8260c4e0 r6:8261ae40 r5:8260c498 r4:00000000
[<802934f4>] (do_idle) from [<80293b00>] (cpu_startup_entry+0x20/0x24 kernel/sched/idle.c:379)
 r10:82850000 r9:8260c440 r8:8261a934 r7:00000000 r6:8260c440 r5:82625c7c
 r4:000000ea
[<80293ae0>] (cpu_startup_entry) from [<817f7f54>] (rest_init+0xdc/0xe0 init/main.c:735)
[<817f7e78>] (rest_init) from [<82400bb8>] (arch_post_acpi_subsys_init+0x0/0x20 init/main.c:834)
[<82400ba8>] (arch_call_rest_init) from [<824012f8>] (start_kernel+0x6e0/0x70c init/main.c:1088)
[<82400c18>] (start_kernel) from [<00000000>] (0x0)
Code: e15c0003 0a000018 e35c0000 0a000002 (e59ce000) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	e15c0003 	cmp	ip, r3
   4:	0a000018 	beq	0x6c
   8:	e35c0000 	cmp	ip, #0
   c:	0a000002 	beq	0x1c
* 10:	e59ce000 	ldr	lr, [ip] <-- trapping instruction

Crashes (1):
Time: 2023/05/12 13:52
Kernel: upstream
Commit: 47a2ee5d4a0b
Syzkaller: 893599a2
Config: .config
Log: console log
Report: report
Syz repro: none
C repro: none
VM info: none
Assets: none
Manager: ci-qemu2-arm32
Title: upstream boot error: BUG: unable to handle kernel NULL pointer dereference in timerqueue_add