8<--- cut here --- Unable to handle kernel paging request at virtual address fee00001 [fee00001] *pgd=80000080007003, *pmd=00000000 Internal error: Oops: a06 [#1] PREEMPT SMP ARM Modules linked in: CPU: 0 PID: 12556 Comm: syz-executor.0 Not tainted 5.17.0-syzkaller #0 Hardware name: ARM-Versatile Express PC is at __raw_writeb arch/arm/include/asm/io.h:88 [inline] PC is at io_serial_out+0x38/0x40 drivers/tty/serial/8250/8250_port.c:458 LR is at io_serial_out+0x24/0x40 drivers/tty/serial/8250/8250_port.c:458 pc : [<808e9204>] lr : [<808e91f0>] psr: 60000093 sp : ed645d48 ip : ed645d48 fp : ed645d64 r10: 00000001 r9 : 00000fff r8 : 8453e200 r7 : a0000013 r6 : 824f1440 r5 : 00000002 r4 : fee00001 r3 : 00000000 r2 : 00000002 r1 : 00000000 r0 : 824f1440 Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user Control: 30c5387d Table: 85488c00 DAC: fffffffd Register r0 information: non-slab/vmalloc memory Register r1 information: NULL pointer Register r2 information: non-paged memory Register r3 information: NULL pointer Register r4 information: 0-page vmalloc region starting at 0xfee00000 allocated at pci_reserve_io+0x0/0x38 arch/arm/mm/mmu.c:1028 Register r5 information: non-paged memory Register r6 information: non-slab/vmalloc memory Register r7 information: non-slab/vmalloc memory Register r8 information: slab kmalloc-cg-512 start 8453e200 pointer offset 0 size 512 Register r9 information: non-paged memory Register r10 information: non-paged memory Register r11 information: 2-page vmalloc region starting at 0xed644000 allocated at kernel_clone+0x9c/0x42c kernel/fork.c:2639 Register r12 information: 2-page vmalloc region starting at 0xed644000 allocated at kernel_clone+0x9c/0x42c kernel/fork.c:2639 Process syz-executor.0 (pid: 12556, stack limit = 0xed644000) Stack: (0xed645d48 to 0xed646000) 5d40: 824f1440 00000000 824f1440 a0000013 ed645d94 ed645d68 5d60: 808eb03c 808e91d8 00001244 ed661000 8453e200 824f1440 00000001 8453e200 5d80: 824f1440 a0000013 ed645da4 
ed645d98 808e2204 808eaf0c ed645dc4 ed645da8 5da0: 808e45bc 808e21c0 ed65f000 ed66126c 00000007 ed65f000 ed645dd4 ed645dc8 5dc0: 808e462c 808e4558 ed645e54 ed645dd8 808c4fe8 808e4628 ed645dc0 00005412 5de0: ffffffff 00000000 ffffffff 8453e274 00000001 00000fff 81908eb0 55555556 5e00: 00000000 00000000 ed661000 ed645e7c 00000001 ed645e7c 00000000 ed65f000 5e20: 00000001 ed645e7c 8067c5f8 00000000 854881c0 8453e200 808c5eec 00000009 5e40: 200008c0 8453e200 ed645e6c ed645e58 808c5f08 808c4c0c 00000000 816f7ce0 5e60: ed645f14 ed645e70 808c0d68 808c5ef8 00000001 83b61dd0 07000054 85680600 5e80: 00000005 00000036 ed645ee4 ed645e98 8068c0b4 80682098 00000001 00000054 5ea0: 00000012 ed645eb4 8416a190 834e45d8 80275412 536ea30b ed645ea8 81f34dc4 5ec0: 200008c0 536ea3cb 81f340f4 200008c0 85680600 00005412 ed645ef4 ed645ee8 5ee0: 8068c1b8 536ea3cb ed645f14 00005412 00000000 85680600 200008c0 85680600 5f00: 00000005 83b61dd0 ed645fa4 ed645f18 804a813c 808c0560 820a666c 820a0420 5f20: 0012bfc8 852edc00 852ee320 820a6670 00000036 60000010 820a6668 852edc00 5f40: 820a6670 00000036 ed645f64 ed645f58 816f4184 816f4050 ed645f84 ed645f68 5f60: 816f3f0c 816f4174 60000013 00000000 0012bfc8 536ea3cb ed645f9c 00000000 5f80: 00000000 0012bfc8 00000036 802002a4 852edc00 00000036 00000000 ed645fa8 5fa0: 80200060 804a8038 00000000 00000000 00000005 00005412 200008c0 00000000 5fc0: 00000000 00000000 0012bfc8 00000036 7eddc312 76fda6d0 7eddc4a4 76fda20c 5fe0: 76fda020 76fda010 000163a0 0004bf80 60000010 00000005 00000000 00000000 Backtrace: [<808e91cc>] (io_serial_out) from [<808eb03c>] (serial_out drivers/tty/serial/8250/8250.h:120 [inline]) [<808e91cc>] (io_serial_out) from [<808eb03c>] (serial8250_set_THRI drivers/tty/serial/8250/8250.h:140 [inline]) [<808e91cc>] (io_serial_out) from [<808eb03c>] (__start_tx drivers/tty/serial/8250/8250_port.c:1568 [inline]) [<808e91cc>] (io_serial_out) from [<808eb03c>] (serial8250_start_tx+0x13c/0x234 drivers/tty/serial/8250/8250_port.c:1667) r7:a0000013 
r6:824f1440 r5:00000000 r4:824f1440 [<808eaf00>] (serial8250_start_tx) from [<808e2204>] (__uart_start+0x50/0x54 drivers/tty/serial/serial_core.c:127) r7:a0000013 r6:824f1440 r5:8453e200 r4:00000001 [<808e21b4>] (__uart_start) from [<808e45bc>] (uart_start+0x70/0xd0 drivers/tty/serial/serial_core.c:137) [<808e454c>] (uart_start) from [<808e462c>] (uart_flush_chars+0x10/0x14 drivers/tty/serial/serial_core.c:548) r7:ed65f000 r6:00000007 r5:ed66126c r4:ed65f000 [<808e461c>] (uart_flush_chars) from [<808c4fe8>] (__receive_buf drivers/tty/n_tty.c:1553 [inline]) [<808e461c>] (uart_flush_chars) from [<808c4fe8>] (n_tty_receive_buf_common+0x3e8/0x12c8 drivers/tty/n_tty.c:1645) [<808c4c00>] (n_tty_receive_buf_common) from [<808c5f08>] (n_tty_receive_buf+0x1c/0x24 drivers/tty/n_tty.c:1674) r10:8453e200 r9:200008c0 r8:00000009 r7:808c5eec r6:8453e200 r5:854881c0 r4:00000000 [<808c5eec>] (n_tty_receive_buf) from [<808c0d68>] (tiocsti drivers/tty/tty_io.c:2293 [inline]) [<808c5eec>] (n_tty_receive_buf) from [<808c0d68>] (tty_ioctl+0x814/0xa68 drivers/tty/tty_io.c:2692) [<808c0554>] (tty_ioctl) from [<804a813c>] (vfs_ioctl fs/ioctl.c:51 [inline]) [<808c0554>] (tty_ioctl) from [<804a813c>] (do_vfs_ioctl fs/ioctl.c:830 [inline]) [<808c0554>] (tty_ioctl) from [<804a813c>] (__do_sys_ioctl fs/ioctl.c:868 [inline]) [<808c0554>] (tty_ioctl) from [<804a813c>] (sys_ioctl+0x110/0xa70 fs/ioctl.c:856) r10:83b61dd0 r9:00000005 r8:85680600 r7:200008c0 r6:85680600 r5:00000000 r4:00005412 [<804a802c>] (sys_ioctl) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:64) Exception stack(0xed645fa8 to 0xed645ff0) 5fa0: 00000000 00000000 00000005 00005412 200008c0 00000000 5fc0: 00000000 00000000 0012bfc8 00000036 7eddc312 76fda6d0 7eddc4a4 76fda20c 5fe0: 76fda020 76fda010 000163a0 0004bf80 r10:00000036 r9:852edc00 r8:802002a4 r7:00000036 r6:0012bfc8 r5:00000000 r4:00000000 Code: e6ef5075 e0844001 e7f34054 e2444612 (e5c45000) ---[ end trace 0000000000000000 ]--- ---------------- Code 
disassembly (best guess):
; Decode of the oops "Code:" words: the four instructions before the faulting
; PC plus the faulting one. The oops places the PC at io_serial_out+0x38, in
; the inlined __raw_writeb.
; Register values quoted below come from the register dump taken at the fault.
; Call path per the backtrace: tty_ioctl (tiocsti inlined; 0x5412 appears as
; the command word in the exception stack) -> n_tty_receive_buf ->
; uart_flush_chars -> serial8250_start_tx -> io_serial_out.
;
; Zero-extend the low byte of r5, the value stored at offset 0x10
; (dump: r5 = 00000002).
   0:	e6ef5075 	uxtb	r5, r5
; r4 += r1 (dump: r1 = 00000000). Presumably port base plus register offset;
; the inputs are not visible here -- TODO confirm against io_serial_out.
   4:	e0844001 	add	r4, r4, r1
; Keep only bits 0..19 of the sum.
   8:	e7f34054 	ubfx	r4, r4, #0, #20
; Subtracting 0x1200000 wraps modulo 2^32, which equals adding 0xfee00000.
; The result is 0xfee00000 + (low 20 bits); dump: r4 = fee00001.
   c:	e2444612 	sub	r4, r4, #18874368	; 0x1200000
; Byte store to [r4] = 0xfee00001, the address named in "Unable to handle
; kernel paging request". The oops reports r4 as inside a "0-page vmalloc
; region starting at 0xfee00000" allocated at pci_reserve_io, with
; *pmd=00000000, so no translation exists for the target.
; NOTE(review): this looks like a port-I/O write into a reserved but unmapped
; I/O window. The trace does not show how the UART came to use port-I/O
; accessors with this base, so confirm where the port's I/O configuration is
; validated before use.
* 10:	e5c45000 	strb	r5, [r4] <-- trapping instruction