Extracting prog: 17m19.818772265s Minimizing prog: 1h41m3.950765406s Simplifying prog options: 0s Extracting C: 3m28.275645231s Simplifying C: 13m6.932180085s extracting reproducer from 1 programs testing a last program of every proc single: executing 1 programs separately with timeout 45s testing program (duration=45s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000080)=ANY=[@ANYBLOB="1201280080c9fc089c0e00008abc0000000109021b0000000000000904e4000196a11b000705810b82ca0000004ff2b7800098d54dc37efea74e3bbae3c90b3ccc39b2dea0cc2aa841da896111ad270c6a6922b04e8deb16d6"], 0x0) syz_usb_ep_write(r0, 0x81, 0xffffff63, &(0x7f0000000180)="5126090e088939d040e9e65c6e004564fabb6fdeda9024e55a4f5a8660858b1e7c24b8c9205c0176b1d08757ca38f90aa4c7bd7db40efb0901c22d5f0415f6c3b5571917c0dcb5bd629ab3d7aa34ea4681bacdacee4c49e41d4b88e819b7fd5c1af50eec8126ea817ee0f848f23ee17d36a806dd344e74af415f6966934bb52cd4ca14839442ee68f8a9b3b042c0530c05b1a2ec64a764c88f00"/166) program did not crash single: failed to extract reproducer single: executing 1 programs separately with timeout 5m0s testing program (duration=5m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 
FaultNth:0}}): syz_usb_connect-syz_usb_ep_write detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000080)=ANY=[@ANYBLOB="1201280080c9fc089c0e00008abc0000000109021b0000000000000904e4000196a11b000705810b82ca0000004ff2b7800098d54dc37efea74e3bbae3c90b3ccc39b2dea0cc2aa841da896111ad270c6a6922b04e8deb16d6"], 0x0) syz_usb_ep_write(r0, 0x81, 0xffffff63, &(0x7f0000000180)="5126090e088939d040e9e65c6e004564fabb6fdeda9024e55a4f5a8660858b1e7c24b8c9205c0176b1d08757ca38f90aa4c7bd7db40efb0901c22d5f0415f6c3b5571917c0dcb5bd629ab3d7aa34ea4681bacdacee4c49e41d4b88e819b7fd5c1af50eec8126ea817ee0f848f23ee17d36a806dd344e74af415f6966934bb52cd4ca14839442ee68f8a9b3b042c0530c05b1a2ec64a764c88f00"/166) program did not crash single: failed to extract reproducer single: executing 1 programs separately with timeout 16m0s testing program (duration=16m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000080)=ANY=[@ANYBLOB="1201280080c9fc089c0e00008abc0000000109021b0000000000000904e4000196a11b000705810b82ca0000004ff2b7800098d54dc37efea74e3bbae3c90b3ccc39b2dea0cc2aa841da896111ad270c6a6922b04e8deb16d6"], 0x0) syz_usb_ep_write(r0, 0x81, 0xffffff63, &(0x7f0000000180)="5126090e088939d040e9e65c6e004564fabb6fdeda9024e55a4f5a8660858b1e7c24b8c9205c0176b1d08757ca38f90aa4c7bd7db40efb0901c22d5f0415f6c3b5571917c0dcb5bd629ab3d7aa34ea4681bacdacee4c49e41d4b88e819b7fd5c1af50eec8126ea817ee0f848f23ee17d36a806dd344e74af415f6966934bb52cd4ca14839442ee68f8a9b3b042c0530c05b1a2ec64a764c88f00"/166) program crashed: 
BUG: unable to handle kernel paging request in ir_raw_event_store_with_filter single: successfully extracted reproducer found reproducer with 2 syscalls minimizing guilty program testing program (duration=16m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f0000000080)=ANY=[@ANYBLOB="1201280080c9fc089c0e00008abc0000000109021b0000000000000904e4000196a11b000705810b82ca0000004ff2b7800098d54dc37efea74e3bbae3c90b3ccc39b2dea0cc2aa841da896111ad270c6a6922b04e8deb16d6"], 0x0) program did not crash testing program (duration=16m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_ep_write detailed listing: executing program 0: syz_usb_ep_write(0xffffffffffffffff, 0x81, 0xffffff63, &(0x7f0000000180)="5126090e088939d040e9e65c6e004564fabb6fdeda9024e55a4f5a8660858b1e7c24b8c9205c0176b1d08757ca38f90aa4c7bd7db40efb0901c22d5f0415f6c3b5571917c0dcb5bd629ab3d7aa34ea4681bacdacee4c49e41d4b88e819b7fd5c1af50eec8126ea817ee0f848f23ee17d36a806dd344e74af415f6966934bb52cd4ca14839442ee68f8a9b3b042c0530c05b1a2ec64a764c88f00"/166) program did not crash testing program (duration=16m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 
Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x2d, 0x0, 0x0) syz_usb_ep_write(r0, 0x81, 0xffffff63, &(0x7f0000000180)="5126090e088939d040e9e65c6e004564fabb6fdeda9024e55a4f5a8660858b1e7c24b8c9205c0176b1d08757ca38f90aa4c7bd7db40efb0901c22d5f0415f6c3b5571917c0dcb5bd629ab3d7aa34ea4681bacdacee4c49e41d4b88e819b7fd5c1af50eec8126ea817ee0f848f23ee17d36a806dd344e74af415f6966934bb52cd4ca14839442ee68f8a9b3b042c0530c05b1a2ec64a764c88f00"/166) program did not crash testing program (duration=16m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000080)=ANY=[@ANYBLOB], 0x0) syz_usb_ep_write(r0, 0x81, 0xffffff63, &(0x7f0000000180)="5126090e088939d040e9e65c6e004564fabb6fdeda9024e55a4f5a8660858b1e7c24b8c9205c0176b1d08757ca38f90aa4c7bd7db40efb0901c22d5f0415f6c3b5571917c0dcb5bd629ab3d7aa34ea4681bacdacee4c49e41d4b88e819b7fd5c1af50eec8126ea817ee0f848f23ee17d36a806dd344e74af415f6966934bb52cd4ca14839442ee68f8a9b3b042c0530c05b1a2ec64a764c88f00"/166) program did not crash testing program (duration=16m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true 
NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000080)=ANY=[@ANYBLOB="1201280080c9fc089c0e00008abc0000000109021b0000000000000904e4000196a11b000705810b82ca0000004ff2b7800098d54dc37efea74e3bbae3c90b3ccc39b2dea0cc2aa841da896111ad270c6a6922b04e8deb16d6"], 0x0) syz_usb_ep_write(r0, 0x81, 0x0, 0x0) program did not crash testing program (duration=16m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write detailed listing: executing program 0: r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000080)=ANY=[@ANYBLOB="1201280080c9fc089c0e00008abc0000000109021b0000000000000904e4000196a11b000705810b82ca0000004ff2b7800098d54dc37efea74e3bbae3c90b3ccc39b2dea0cc2aa841da896111ad270c6a6922b04e8deb16d6"], 0x0) syz_usb_ep_write(r0, 0x81, 0x0, &(0x7f0000000180)) program did not crash extracting C reproducer testing compiled C program (duration=16m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 
FaultNth:0}}): syz_usb_connect-syz_usb_ep_write program crashed: BUG: unable to handle kernel paging request in ir_raw_event_store_with_filter simplifying C reproducer testing compiled C program (duration=16m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:2 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write program crashed: BUG: unable to handle kernel paging request in ir_raw_event_store_with_filter testing compiled C program (duration=16m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write program crashed: BUG: unable to handle kernel paging request in ir_raw_event_store_with_filter testing compiled C program (duration=16m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write program crashed: BUG: unable to handle kernel paging request in ir_raw_event_store_with_filter testing compiled C program (duration=16m0s, 
{Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write program crashed: BUG: unable to handle kernel paging request in ir_raw_event_store_with_filter testing compiled C program (duration=16m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write program crashed: BUG: unable to handle kernel paging request in ir_raw_event_store_with_filter testing compiled C program (duration=16m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:10 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_ep_write program crashed: BUG: unable to handle kernel paging request in ir_raw_event_store_with_filter reproducing took 2h14m58.977402456s repro crashed as (corrupted=false): rc rc0: IR event FIFO is full! rc rc0: IR event FIFO is full! rc rc0: IR event FIFO is full! 
8<--- cut here --- Unable to handle kernel paging request at virtual address 0000104c when write [0000104c] *pgd=8418e003, *pmd=00000000 Internal error: Oops: a05 [#1] PREEMPT SMP ARM Modules linked in: CPU: 0 UID: 0 PID: 2903 Comm: klogd Not tainted 6.12.0-rc4-syzkaller #0 Hardware name: ARM-Versatile Express PC is at ir_raw_event_store_with_filter+0xf4/0x10c drivers/media/rc/rc-ir-raw.c:184 LR is at __wake_up_klogd.part.0+0x7c/0xac kernel/printk/printk.c:4495 pc : [<81035db4>] lr : [<802bca34>] psr: 60000193 sp : df801d30 ip : df801bb0 fp : df801d44 r10: df801d78 r9 : 8283a6a0 r8 : 8216df70 r7 : 844faf00 r6 : 00000400 r5 : df801d50 r4 : 83cf0400 r3 : 0000104c r2 : 00000000 r1 : 00000100 r0 : 00000080 Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user Control: 30c5387d Table: 842376c0 DAC: fffffffd Register r0 information: non-paged memory Register r1 information: non-paged memory Register r2 information: NULL pointer Register r3 information: non-paged memory Register r4 information: slab kmalloc-1k start 83cf0400 pointer offset 0 size 1024 Register r5 information: 2-page vmalloc region starting at 0xdf800000 allocated at start_kernel+0x5d0/0x778 init/main.c:1008 Register r6 information: non-paged memory Register r7 information: slab kmalloc-192 start 844faf00 pointer offset 0 size 192 Register r8 information: non-slab/vmalloc memory Register r9 information: non-slab/vmalloc memory Register r10 information: 2-page vmalloc region starting at 0xdf800000 allocated at start_kernel+0x5d0/0x778 init/main.c:1008 Register r11 information: 2-page vmalloc region starting at 0xdf800000 allocated at start_kernel+0x5d0/0x778 init/main.c:1008 Register r12 information: 2-page vmalloc region starting at 0xdf800000 allocated at start_kernel+0x5d0/0x778 init/main.c:1008 Process klogd (pid: 2903, stack limit = 0xec3e0000) Stack: (0xdf801d30 to 0xdf802000) 1d20: 844f0e80 df801d50 df801d6c df801d48 1d40: 81040adc 81035ccc 00400032 844e06c0 00000080 00000100 0000035e 
844f0e80 1d60: df801dac df801d70 81041090 81040abc 80de84cc 80de840c 00000080 00000100 1d80: 819c5d90 844faf00 ffffffb5 83827200 00000000 844faf00 00000200 83d74048 1da0: df801dcc df801db0 80de86e8 81040f1c 83827200 844faf00 844e06c4 844e06c0 1dc0: df801df4 df801dd0 80de8840 80de8648 83827200 83d74000 844e06c4 844e06c0 1de0: 844faf00 00000200 df801ea4 df801df8 80f47124 80de877c 00000000 00000000 1e00: 00000005 df801e10 80000113 8214f198 82604d40 83d74004 844e06c0 844e06c4 1e20: 827fb92e 83d74000 838273b0 83d74000 0000cc00 828fbaf4 df801e5c 838273ac 1e40: 82604d40 00000400 00000000 00000d7e 0000017e df801e60 83827370 0000cc00 1e60: ffffffb5 83d74048 00000000 00000005 00000000 f87cd2e2 83827370 83827370 1e80: dddc7220 dddc7140 dddc71e0 80f46918 00000000 83666000 df801f0c df801ea8 1ea0: 80304104 80f46924 df801ec4 8203a5d0 00000021 7eac0d70 00000000 827faede 1ec0: dddc7234 81a042d0 8260c5d0 000000a0 7eac0d70 00000021 00000021 f87cd2e2 1ee0: 20000113 dddc7140 20000113 ffffffff 7fffffff 00000101 83666000 00000100 1f00: df801f34 df801f10 803044a8 80303f3c 20000113 000000f0 826040a0 00000009 1f20: 00000008 00400100 df801fac df801f38 8024b524 80304420 df801f54 df801f48 1f40: 819ba008 00400100 82604d40 ffffc303 8221fc50 00000000 824bbd00 0000000a 1f60: 827fc2c8 8260c5d0 8220cfbc 824b1208 df801f38 82604080 8029e440 80293dec 1f80: 83666000 83666000 8221fc50 821df450 ec3e1cc8 00000000 83666000 00000001 1fa0: df801fc4 df801fb0 8024b920 8024b3d8 824bbcdc 8221fc50 df801fd4 df801fc8 1fc0: 8024bc20 8024b888 df801ffc df801fd8 819b93cc 8024bc1c 8027d414 20000013 1fe0: ffffffff ec3e1cfc 84009800 83666000 ec3e1cc4 df802000 819698dc 819b935c Call trace: frame pointer underflow [<81035cc0>] (ir_raw_event_store_with_filter) from [<81040adc>] (sz_push+0x2c/0x74 drivers/media/rc/streamzap.c:104) r5:df801d50 r4:844f0e80 [<81040ab0>] (sz_push) from [<81041090>] (sz_push_full_pulse drivers/media/rc/streamzap.c:115 [inline]) [<81040ab0>] (sz_push) from [<81041090>] (sz_push_half_pulse 
drivers/media/rc/streamzap.c:121 [inline]) [<81040ab0>] (sz_push) from [<81041090>] (streamzap_callback+0x180/0x270 drivers/media/rc/streamzap.c:189) r5:844f0e80 r4:0000035e [<81040f10>] (streamzap_callback) from [<80de86e8>] (__usb_hcd_giveback_urb+0xac/0x134 drivers/usb/core/hcd.c:1650) r10:83d74048 r9:00000200 r8:844faf00 r7:00000000 r6:83827200 r5:ffffffb5 r4:844faf00 [<80de863c>] (__usb_hcd_giveback_urb) from [<80de8840>] (usb_hcd_giveback_urb+0xd0/0xd4 drivers/usb/core/hcd.c:1734) r7:844e06c0 r6:844e06c4 r5:844faf00 r4:83827200 [<80de8770>] (usb_hcd_giveback_urb) from [<80f47124>] (dummy_timer+0x80c/0x1038 drivers/usb/gadget/udc/dummy_hcd.c:1993) r9:00000200 r8:844faf00 r7:844e06c0 r6:844e06c4 r5:83d74000 r4:83827200 [<80f46918>] (dummy_timer) from [<80304104>] (__run_hrtimer kernel/time/hrtimer.c:1691 [inline]) [<80f46918>] (dummy_timer) from [<80304104>] (__hrtimer_run_queues+0x1d4/0x460 kernel/time/hrtimer.c:1755) r10:83666000 r9:00000000 r8:80f46918 r7:dddc71e0 r6:dddc7140 r5:dddc7220 r4:83827370 [<80303f30>] (__hrtimer_run_queues) from [<803044a8>] (hrtimer_run_softirq+0x94/0xe4 kernel/time/hrtimer.c:1772) r10:00000100 r9:83666000 r8:00000101 r7:7fffffff r6:ffffffff r5:20000113 r4:dddc7140 [<80304414>] (hrtimer_run_softirq) from [<8024b524>] (handle_softirqs+0x158/0x464 kernel/softirq.c:554) r7:00400100 r6:00000008 r5:00000009 r4:826040a0 [<8024b3cc>] (handle_softirqs) from [<8024b920>] (__do_softirq kernel/softirq.c:588 [inline]) [<8024b3cc>] (handle_softirqs) from [<8024b920>] (invoke_softirq kernel/softirq.c:428 [inline]) [<8024b3cc>] (handle_softirqs) from [<8024b920>] (__irq_exit_rcu+0xa4/0x164 kernel/softirq.c:637) r10:00000001 r9:83666000 r8:00000000 r7:ec3e1cc8 r6:821df450 r5:8221fc50 r4:83666000 [<8024b87c>] (__irq_exit_rcu) from [<8024bc20>] (irq_exit+0x10/0x18 kernel/softirq.c:661) r5:8221fc50 r4:824bbcdc [<8024bc10>] (irq_exit) from [<819b93cc>] (generic_handle_arch_irq+0x7c/0x80 kernel/irq/handle.c:240) [<819b9350>] (generic_handle_arch_irq) 
from [<819698dc>] (call_with_stack+0x1c/0x20 arch/arm/lib/call_with_stack.S:40) r9:83666000 r8:84009800 r7:ec3e1cfc r6:ffffffff r5:20000013 r4:8027d414 [<819698c0>] (call_with_stack) from [<80200bcc>] (__irq_svc+0x8c/0xbc arch/arm/kernel/entry-armv.S:227) Exception stack(0xec3e1cc8 to 0xec3e1d10) 1cc0: 00000001 8203d900 00000001 83666000 00000000 dddd0400 1ce0: 819bcd48 a3eca508 84009800 83666000 00000001 ec3e1d5c ec3e1d08 ec3e1d18 1d00: 819c5c9c 8027d414 20000013 ffffffff [<8027d388>] (finish_task_switch) from [<819bcd48>] (context_switch kernel/sched/core.c:5331 [inline]) [<8027d388>] (finish_task_switch) from [<819bcd48>] (__schedule+0x424/0xc24 kernel/sched/core.c:6690) r10:83cd9ac0 r9:00000000 r8:83cd9500 r7:a3eca508 r6:83666000 r5:dddd0400 r4:84009800 [<819bc924>] (__schedule) from [<819bd974>] (preempt_schedule_irq+0x40/0xa8 kernel/sched/core.c:7012) r10:828731a8 r9:83666000 r8:80200be4 r7:ec3e1e1c r6:ffffffff r5:83666000 r4:00000000 [<819bd934>] (preempt_schedule_irq) from [<80200c04>] (svc_preempt+0x8/0x18) Exception stack(0xec3e1de8 to 0xec3e1e30) 1de0: 00000000 840c1039 00000000 b5403587 0000018f 82873408 1e00: 76ee82cf 00000270 00000000 00000039 828731a8 ec3e1efc 00000000 ec3e1e38 1e20: 0000000a 802bde0c 40000013 ffffffff r5:40000013 r4:802bde0c [<802bdbc0>] (syslog_print) from [<802be544>] (do_syslog+0x16c/0x3a0 kernel/printk/printk.c:1766) r10:00000067 r9:83666000 r8:76ee8140 r7:000003ff r6:00000000 r5:00000000 r4:00000002 [<802be3d8>] (do_syslog) from [<802be78c>] (__do_sys_syslog kernel/printk/printk.c:1858 [inline]) [<802be3d8>] (do_syslog) from [<802be78c>] (sys_syslog+0x14/0x18 kernel/printk/printk.c:1856) r9:83666000 r8:8020029c r7:00000067 r6:00000000 r5:76ee8509 r4:76ee8140 [<802be778>] (sys_syslog) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67) Exception stack(0xec3e1fa8 to 0xec3e1ff0) 1fa0: 76ee8140 76ee8509 00000002 76ee8140 000003ff 0000066c 1fc0: 76ee8140 76ee8509 00000000 00000067 76ee8140 76ee794c 76ee8554 
76eca21a 1fe0: 76ee7cfc 7eb9bc94 76e5c9d0 76d7cf1c Code: e594324c e8950003 e2833d41 e283300c (e8830003) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: e594324c ldr r3, [r4, #588] @ 0x24c 4: e8950003 ldm r5, {r0, r1} 8: e2833d41 add r3, r3, #4160 @ 0x1040 c: e283300c add r3, r3, #12 * 10: e8830003 stm r3, {r0, r1} <-- trapping instruction final repro crashed as (corrupted=false):