general protection fault, probably for non-canonical address 0xdffffc0020008007: 0000 [#1] PREEMPT SMP KASAN
KASAN: probably user-memory-access in range [0x0000000100040038-0x000000010004003f]
CPU: 2 PID: 28 Comm: ksoftirqd/2 Not tainted 6.4.0-rc6-syzkaller-00279-g8c1f0c38b310 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:lookup_object lib/debugobjects.c:195 [inline]
RIP: 0010:debug_object_deactivate lib/debugobjects.c:776 [inline]
RIP: 0010:debug_object_deactivate+0x144/0x300 lib/debugobjects.c:762
Code: 8f 01 00 00 48 8b ab 20 78 f8 91 31 db 48 85 ed 74 44 49 bc 00 00 00 00 00 fc ff df 48 8d 7d 18 83 c3 01 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 1e 01 00 00 4c 3b 7d 18 74 74 48 89 e8 48 c1
RSP: 0018:ffffc9000055fc48 EFLAGS: 00010002
RAX: 0000000020008007 RBX: 0000000000000008 RCX: ffffffff816653d4
RDX: 1ffffffff240259b RSI: 0000000000000006 RDI: 0000000100040038
RBP: 0000000100040020 R08: ffffffff92012cc8 R09: 0000000000000003
R10: fffff520000abf77 R11: dffffc0000000000 R12: dffffc0000000000
R13: ffffffff8a4ee140 R14: 1ffff920000abf8b R15: ffff8880584a7280
FS: 0000000000000000(0000) GS:ffff88802c800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002cf20000 CR3: 000000004d71e000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 debug_hrtimer_deactivate kernel/time/hrtimer.c:425 [inline]
 debug_deactivate kernel/time/hrtimer.c:481 [inline]
 __run_hrtimer kernel/time/hrtimer.c:1653 [inline]
 __hrtimer_run_queues+0x3f3/0xbe0 kernel/time/hrtimer.c:1749
 hrtimer_run_softirq+0x17f/0x360 kernel/time/hrtimer.c:1766
 __do_softirq+0x1d4/0x905 kernel/softirq.c:571
 run_ksoftirqd kernel/softirq.c:939 [inline]
 run_ksoftirqd+0x31/0x60 kernel/softirq.c:931
 smpboot_thread_fn+0x659/0x9e0 kernel/smpboot.c:164
 kthread+0x344/0x440 kernel/kthread.c:379
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:lookup_object lib/debugobjects.c:195 [inline]
RIP: 0010:debug_object_deactivate lib/debugobjects.c:776 [inline]
RIP: 0010:debug_object_deactivate+0x144/0x300 lib/debugobjects.c:762
Code: 8f 01 00 00 48 8b ab 20 78 f8 91 31 db 48 85 ed 74 44 49 bc 00 00 00 00 00 fc ff df 48 8d 7d 18 83 c3 01 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 1e 01 00 00 4c 3b 7d 18 74 74 48 89 e8 48 c1
RSP: 0018:ffffc9000055fc48 EFLAGS: 00010002
RAX: 0000000020008007 RBX: 0000000000000008 RCX: ffffffff816653d4
RDX: 1ffffffff240259b RSI: 0000000000000006 RDI: 0000000100040038
RBP: 0000000100040020 R08: ffffffff92012cc8 R09: 0000000000000003
R10: fffff520000abf77 R11: dffffc0000000000 R12: dffffc0000000000
R13: ffffffff8a4ee140 R14: 1ffff920000abf8b R15: ffff8880584a7280
FS: 0000000000000000(0000) GS:ffff88802c800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002cf20000 CR3: 000000004d71e000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:   8f 01                   popq   (%rcx)
   2:   00 00                   add    %al,(%rax)
   4:   48 8b ab 20 78 f8 91    mov    -0x6e0787e0(%rbx),%rbp
   b:   31 db                   xor    %ebx,%ebx
   d:   48 85 ed                test   %rbp,%rbp
  10:   74 44                   je     0x56
  12:   49 bc 00 00 00 00 00    movabs $0xdffffc0000000000,%r12
  19:   fc ff df
  1c:   48 8d 7d 18             lea    0x18(%rbp),%rdi
  20:   83 c3 01                add    $0x1,%ebx
  23:   48 89 f8                mov    %rdi,%rax
  26:   48 c1 e8 03             shr    $0x3,%rax
* 2a:   42 80 3c 20 00          cmpb   $0x0,(%rax,%r12,1)    <-- trapping instruction
  2f:   0f 85 1e 01 00 00       jne    0x153
  35:   4c 3b 7d 18             cmp    0x18(%rbp),%r15
  39:   74 74                   je     0xaf
  3b:   48 89 e8                mov    %rbp,%rax
  3e:   48                      rex.W
  3f:   c1                      .byte 0xc1