8<--- cut here --- Unable to handle kernel paging request at virtual address fee00001 [fee00001] *pgd=80000080007003, *pmd=00000000 Internal error: Oops: a06 [#1] PREEMPT SMP ARM Modules linked in: CPU: 0 PID: 21117 Comm: syz-executor.0 Not tainted 5.17.0-syzkaller #0 Hardware name: ARM-Versatile Express PC is at __raw_writeb arch/arm/include/asm/io.h:88 [inline] PC is at io_serial_out+0x38/0x40 drivers/tty/serial/8250/8250_port.c:458 LR is at io_serial_out+0x24/0x40 drivers/tty/serial/8250/8250_port.c:458 pc : [<808e8d7c>] lr : [<808e8d68>] psr: 60000093 sp : ee169d48 ip : ee169d48 fp : ee169d64 r10: 00000001 r9 : 00000fff r8 : 85406c00 r7 : a0000013 r6 : 824f0430 r5 : 00000002 r4 : fee00001 r3 : 00000000 r2 : 00000002 r1 : 00000000 r0 : 824f0430 Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user Control: 30c5387d Table: 846de6c0 DAC: fffffffd Register r0 information: non-slab/vmalloc memory Register r1 information: NULL pointer Register r2 information: non-paged memory Register r3 information: NULL pointer Register r4 information: 0-page vmalloc region starting at 0xfee00000 allocated at pci_reserve_io+0x0/0x38 arch/arm/mm/mmu.c:1028 Register r5 information: non-paged memory Register r6 information: non-slab/vmalloc memory Register r7 information: non-slab/vmalloc memory Register r8 information: slab kmalloc-cg-512 start 85406c00 pointer offset 0 size 512 Register r9 information: non-paged memory Register r10 information: non-paged memory Register r11 information: 2-page vmalloc region starting at 0xee168000 allocated at kernel_clone+0x9c/0x42c kernel/fork.c:2639 Register r12 information: 2-page vmalloc region starting at 0xee168000 allocated at kernel_clone+0x9c/0x42c kernel/fork.c:2639 Process syz-executor.0 (pid: 21117, stack limit = 0xee168000) Stack: (0xee169d48 to 0xee16a000) 9d40: 824f0430 00000000 824f0430 a0000013 ee169d94 ee169d68 9d60: 808eabb4 808e8d50 00001244 ee16f000 85406c00 824f0430 00000001 85406c00 9d80: 824f0430 a0000013 ee169da4 ee169d98 808e1d7c 808eaa84 ee169dc4 ee169da8 9da0: 808e4134 808e1d38 ee16d000 ee16f26c 00000000 ee16d000 ee169dd4 ee169dc8 9dc0: 808e41a4 808e40d0 ee169e54 ee169dd8 808c4b18 808e41a0 ee169dc0 00005412 9de0: ffffffff 00000000 ffffffff 85406c74 00000001 00000fff 819085b0 55555556 9e00: 00000000 00000000 ee16f000 ee169e7c 00000001 ee169e7c 00000000 ee16d000 9e20: 00000001 ee169e7c 8067cd20 00000000 845a4340 85406c00 808c5a1c 00000009 9e40: 20000000 85406c00 ee169e6c ee169e58 808c5a38 808c473c 00000000 816f6b58 9e60: ee169f14 ee169e70 808c0ab8 808c5a28 00000001 83af3bd8 00000054 846f9200 9e80: 00000003 00000036 ee169ee4 ee169e98 8068c8e8 806827a4 00000001 00000054 9ea0: 00000012 ee169eb4 844cbcd0 82ccc4c8 ee165412 536ea30b ee169ea8 81f31dc4 9ec0: 20000000 536ea3cb 81f310f4 20000000 846f9240 00005412 ee169ef4 ee169ee8 9ee0: 8068c9ec 536ea3cb ee169f14 00005412 00000000 846f9241 20000000 846f9240 9f00: 00000003 83af3bd8 ee169fa4 ee169f18 804a85b0 808c0290 820a666c 820a0420 9f20: 0012bfc8 8503ae00 8503b520 820a6670 00000036 60000010 820a6668 8503ae00 9f40: 820a6670 00000036 ee169f64 ee169f58 816f3004 816f2ed0 ee169f84 ee169f68 9f60: 816f2d8c 816f2ff4 60000013 00000000 0012bfc8 536ea3cb ee169f9c 00000000 9f80: 00000000 0012bfc8 00000036 802002a4 8503ae00 00000036 00000000 ee169fa8 9fa0: 80200060 804a84ac 00000000 00000000 00000003 00005412 20000000 00000000 9fc0: 00000000 00000000 0012bfc8 00000036 7ed6d312 76f9d6d0 7ed6d4a4 76f9d20c 9fe0: 76f9d020 76f9d010 000163a0 0004bf80 60000010 00000003 00000000 00000000 Backtrace: [<808e8d44>] (io_serial_out) from [<808eabb4>] (serial_out drivers/tty/serial/8250/8250.h:120 [inline]) [<808e8d44>] (io_serial_out) from [<808eabb4>] (serial8250_set_THRI drivers/tty/serial/8250/8250.h:140 [inline]) [<808e8d44>] (io_serial_out) from [<808eabb4>] (__start_tx drivers/tty/serial/8250/8250_port.c:1568 [inline]) [<808e8d44>] (io_serial_out) from [<808eabb4>] (serial8250_start_tx+0x13c/0x234 drivers/tty/serial/8250/8250_port.c:1667) r7:a0000013 r6:824f0430 r5:00000000 r4:824f0430 [<808eaa78>] (serial8250_start_tx) from [<808e1d7c>] (__uart_start+0x50/0x54 drivers/tty/serial/serial_core.c:127) r7:a0000013 r6:824f0430 r5:85406c00 r4:00000001 [<808e1d2c>] (__uart_start) from [<808e4134>] (uart_start+0x70/0xd0 drivers/tty/serial/serial_core.c:137) [<808e40c4>] (uart_start) from [<808e41a4>] (uart_flush_chars+0x10/0x14 drivers/tty/serial/serial_core.c:548) r7:ee16d000 r6:00000000 r5:ee16f26c r4:ee16d000 [<808e4194>] (uart_flush_chars) from [<808c4b18>] (__receive_buf drivers/tty/n_tty.c:1553 [inline]) [<808e4194>] (uart_flush_chars) from [<808c4b18>] (n_tty_receive_buf_common+0x3e8/0x12c8 drivers/tty/n_tty.c:1645) [<808c4730>] (n_tty_receive_buf_common) from [<808c5a38>] (n_tty_receive_buf+0x1c/0x24 drivers/tty/n_tty.c:1674) r10:85406c00 r9:20000000 r8:00000009 r7:808c5a1c r6:85406c00 r5:845a4340 r4:00000000 [<808c5a1c>] (n_tty_receive_buf) from [<808c0ab8>] (tiocsti drivers/tty/tty_io.c:2293 [inline]) [<808c5a1c>] (n_tty_receive_buf) from [<808c0ab8>] (tty_ioctl+0x834/0xa88 drivers/tty/tty_io.c:2692) [<808c0284>] (tty_ioctl) from [<804a85b0>] (vfs_ioctl fs/ioctl.c:51 [inline]) [<808c0284>] (tty_ioctl) from [<804a85b0>] (do_vfs_ioctl fs/ioctl.c:830 [inline]) [<808c0284>] (tty_ioctl) from [<804a85b0>] (__do_sys_ioctl fs/ioctl.c:868 [inline]) [<808c0284>] (tty_ioctl) from [<804a85b0>] (sys_ioctl+0x110/0xa70 fs/ioctl.c:856) r10:83af3bd8 r9:00000003 r8:846f9240 r7:20000000 r6:846f9241 r5:00000000 r4:00005412 [<804a84a0>] (sys_ioctl) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:64) Exception stack(0xee169fa8 to 0xee169ff0) 9fa0: 00000000 00000000 00000003 00005412 20000000 00000000 9fc0: 00000000 00000000 0012bfc8 00000036 7ed6d312 76f9d6d0 7ed6d4a4 76f9d20c 9fe0: 76f9d020 76f9d010 000163a0 0004bf80 r10:00000036 r9:8503ae00 r8:802002a4 r7:00000036 r6:0012bfc8 r5:00000000 r4:00000000 Code: e6ef5075 e0844001 e7f34054 e2444612 (e5c45000) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: e6ef5075 uxtb r5, r5 4: e0844001 add r4, r4, r1 8: e7f34054 ubfx r4, r4, #0, #20 c: e2444612 sub r4, r4, #18874368 ; 0x1200000 * 10: e5c45000 strb r5, [r4] <-- trapping instruction