==================================================================
BUG: KASAN: null-ptr-deref in cdev_del+0x1e/0x56 fs/char_dev.c:596
Read of size 4 at addr 0000000000000060 by task syz-executor.0/2271
CPU: 0 PID: 2271 Comm: syz-executor.0 Not tainted 5.12.0-rc8-syzkaller-00011-g18a3c5f7abfd #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:202
[] dump_backtrace+0x40/0x4e arch/riscv/kernel/stacktrace.c:113
[] show_stack+0x22/0x2e arch/riscv/kernel/stacktrace.c:118
[] __dump_stack lib/dump_stack.c:79 [inline]
[] dump_stack+0x148/0x1d8 lib/dump_stack.c:120
[] __kasan_report mm/kasan/report.c:403 [inline]
[] kasan_report+0x146/0x18c mm/kasan/report.c:416
[] check_region_inline mm/kasan/generic.c:174 [inline]
[] __asan_load4+0x4a/0x80 mm/kasan/generic.c:252
[] cdev_del+0x1e/0x56 fs/char_dev.c:596
[] tty_unregister_device drivers/tty/tty_io.c:3343 [inline]
[] tty_unregister_device+0xcc/0xea drivers/tty/tty_io.c:3338
[] gsmld_detach_gsm drivers/tty/n_gsm.c:2409 [inline]
[] gsmld_close+0x70/0x188 drivers/tty/n_gsm.c:2478
[] tty_ldisc_close+0xa8/0x100 drivers/tty/tty_ldisc.c:488
[] tty_ldisc_kill+0x5e/0xc8 drivers/tty/tty_ldisc.c:636
[] tty_ldisc_release+0x1b8/0x230 drivers/tty/tty_ldisc.c:809
[] tty_release_struct+0x22/0xc0 drivers/tty/tty_io.c:1714
[] tty_release+0x856/0xc4a drivers/tty/tty_io.c:1885
[] __fput+0x166/0x49a fs/file_table.c:280
[] ____fput+0x1a/0x24 fs/file_table.c:313
[] task_work_run+0xd0/0x148 kernel/task_work.c:140
[] tracehook_notify_resume include/linux/tracehook.h:189 [inline]
[] do_notify_resume+0x700/0x930 arch/riscv/kernel/signal.c:320
[] ret_from_exception+0x0/0x14
==================================================================
Unable to handle kernel access to user memory without uaccess routines at virtual address 0000000000000060
Oops [#1]
Modules linked in:
CPU: 0 PID: 2271 Comm: syz-executor.0 Tainted: G B 5.12.0-rc8-syzkaller-00011-g18a3c5f7abfd #0
Hardware name: riscv-virtio,qemu (DT)
epc : cdev_del+0x22/0x56 fs/char_dev.c:596
 ra : cdev_del+0x1e/0x56 fs/char_dev.c:596
epc : ffffffe000403ba4 ra : ffffffe000403ba0 sp : ffffffe027eb3b00
 gp : ffffffe0045883c0 tp : ffffffe00bb30000 t0 : 0000000000000000
 t1 : 0000000000006000 t2 : 00000000000f4240 s0 : ffffffe027eb3b20
 s1 : 0000000000000000 a0 : 0000000000000064 a1 : 0000000000000007
 a2 : 1ffffffc01766000 a3 : ffffffe002a93f76 a4 : 0000000000000000
 a5 : ffffffe00bb31000 a6 : 0000000000f00000 a7 : 0000000054494d45
 s2 : ffffffe00bb4a008 s3 : 0000000000000008 s4 : ffffffe00b575008
 s5 : ffffffe00bbe3648 s6 : ffffffe00b0ef680 s7 : ffffffe00bbe34d0
 s8 : ffffffe00a87d290 s9 : ffffffe00b0ef830 s10: ffffffe00a87d298
 s11: ffffffe00bbe3648 t3 : 000000000000237b t4 : ffffffc404c757b2
 t5 : ffffffc404c757ba t6 : 0000000000040000
status: 0000000000000120 badaddr: 0000000000000060 cause: 000000000000000d
Call Trace:
[] cdev_del+0x22/0x56 fs/char_dev.c:596
[] tty_unregister_device drivers/tty/tty_io.c:3343 [inline]
[] tty_unregister_device+0xcc/0xea drivers/tty/tty_io.c:3338
[] gsmld_detach_gsm drivers/tty/n_gsm.c:2409 [inline]
[] gsmld_close+0x70/0x188 drivers/tty/n_gsm.c:2478
[] tty_ldisc_close+0xa8/0x100 drivers/tty/tty_ldisc.c:488
[] tty_ldisc_kill+0x5e/0xc8 drivers/tty/tty_ldisc.c:636
[] tty_ldisc_release+0x1b8/0x230 drivers/tty/tty_ldisc.c:809
[] tty_release_struct+0x22/0xc0 drivers/tty/tty_io.c:1714
[] tty_release+0x856/0xc4a drivers/tty/tty_io.c:1885
[] __fput+0x166/0x49a fs/file_table.c:280
[] ____fput+0x1a/0x24 fs/file_table.c:313
[] task_work_run+0xd0/0x148 kernel/task_work.c:140
[] tracehook_notify_resume include/linux/tracehook.h:189 [inline]
[] do_notify_resume+0x700/0x930 arch/riscv/kernel/signal.c:320
[] ret_from_exception+0x0/0x14
---[ end trace 34ee98fcfb582a25 ]---