8<--- cut here ---
Unable to handle kernel paging request at virtual address fee04f29 when write
[fee04f29] *pgd=80000080007003, *pmd=00000000
Internal error: Oops: a06 [#1] SMP ARM
Modules linked in:
CPU: 1 UID: 0 PID: 15540 Comm: syz.2.3047 Tainted: G L syzkaller #0 PREEMPT
Tainted: [L]=SOFTLOCKUP
Hardware name: ARM-Versatile Express
PC is at __raw_writeb arch/arm/include/asm/io.h:88 [inline]
PC is at subdev_8255_io drivers/comedi/drivers/comedi_8255.c:47 [inline]
PC is at subdev_8255_io+0x60/0x6c drivers/comedi/drivers/comedi_8255.c:43
LR is at subdev_8255_io drivers/comedi/drivers/comedi_8255.c:47 [inline]
LR is at subdev_8255_io+0x4c/0x6c drivers/comedi/drivers/comedi_8255.c:43
pc : [<814162b4>] lr : [<814162a0>] psr: 60000013
sp : df9cdcb0 ip : df9cdcb0 fp : df9cdccc
r10: 00000001 r9 : 00000084 r8 : df9cdd9c
r7 : 00004f26 r6 : 0000009b r5 : 844fe3c0 r4 : 00004f29
r3 : 0000009b r2 : fee04f29 r1 : 00000001 r0 : 844fe3c0
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 30c5387d Table: 850e9cc0 DAC: 00000000
Register r0 information: slab kmalloc-192 start 844fe3c0 pointer offset 0 size 192
Register r1 information: non-paged memory
Register r2 information: 0-page vmalloc region starting at 0xfee00000 allocated at pci_reserve_io+0x0/0x38 arch/arm/mm/mmu.c:1055
Register r3 information: non-paged memory
Register r4 information: non-paged memory
Register r5 information: slab kmalloc-192 start 844fe3c0 pointer offset 0 size 192
Register r6 information: non-paged memory
Register r7 information: non-paged memory
Register r8 information: 2-page vmalloc region starting at 0xdf9cc000 allocated at kernel_clone+0xac/0x3ec kernel/fork.c:2651
Register r9 information: non-paged memory
Register r10 information: non-paged memory
Register r11 information: 2-page vmalloc region starting at 0xdf9cc000 allocated at kernel_clone+0xac/0x3ec kernel/fork.c:2651
Register r12 information: 2-page vmalloc region starting at 0xdf9cc000 allocated at kernel_clone+0xac/0x3ec kernel/fork.c:2651
Process syz.2.3047 (pid: 15540, stack limit = 0xdf9cc000)
Stack: (0xdf9cdcb0 to 0xdf9ce000)
dca0:                                     81416254 844fe3c0 00004f26 00004f26
dcc0: df9cdcec df9cdcd0 81415f8c 81416260 00004f26 805150ac 86fc8cc0 86fc8cc0
dce0: df9cdd0c df9cdcf0 8141634c 81415f40 844fe3c0 00000000 86fc8cc0 00004f26
dd00: df9cdd4c df9cdd10 814164f8 814162cc 0000005f 8432b180 828217b0 00000000
dd20: 00000000 829d46a0 844fe3c0 844fe404 df9cdd88 844fe3c0 00000000 82b28ad8
dd40: df9cdd84 df9cdd50 8140502c 81416490 844fe3f0 00000000 df9cdd74 200000c0
dd60: 844fe3c0 b5403587 844fe3f0 859dc800 40946400 00000003 df9cde44 df9cdd88
dd80: 81400984 81404f30 35353238 00000000 00000000 00000000 00000000 00004f26
dda0: 00000000 00000002 00000401 00000001 00000cc7 ffffffff 5c952399 00000005
ddc0: 00000403 00000802 00000007 00000001 00000000 00000705 0000e1cb 00008006
dde0: 00000004 00000004 00000395 80001089 fffffffd 00000000 fffffff5 ffffeadb
de00: 00000003 0040003e 00000008 00010000 08000000 00000002 00000000 f51b01cf
de20: 00000000 851e79c0 844fe3c0 200000c0 844fe3f0 859dc800 df9cdf14 df9cde48
de40: 81401978 81400890 00000000 00000000 00000000 df9cde54 df9cde54 f51b01cf
de60: 00000000 00000000 824a45ec 0000005f 83fefde0 00000064 845c3444 859dc800
de80: df9cdee4 df9cde90 807b8180 807ae6a4 00000064 00000001 00000000 df9cdeac
dea0: 8603ba90 834dfb28 00006400 0000000b df9cdea0 00000000 df9cdd40 f51b01cf
dec0: 851e79c0 40946400 200000c0 200000c0 851e79c0 00000003 df9cdef4 df9cdee8
dee0: 807b82a0 f51b01cf df9cdf14 40946400 00000000 851e79c1 200000c0 851e79c0
df00: 00000003 859dc800 df9cdfa4 df9cdf18 80585768 814013c8 ecac8b10 859dc800
df20: df9cdf3c df9cdf30 81ab01ac 81ab007c df9cdf54 df9cdf40 8025bcbc 8028e0c4
df40: df9cdfb0 40000000 df9cdf84 df9cdf58 80221a38 8025bc78 00000000 8281d17c
df60: df9cdfb0 0014c8c0 ecac8b10 8022198c 00000000 f51b01cf df9cdfac 00000000
df80: 00000000 00326450 00000036 8020029c 859dc800 00000036 00000000 df9cdfa8
dfa0: 80200060 80585644 00000000 00000000 00000003 40946400 200000c0 00000000
dfc0: 00000000 00000000 00326450 00000036 00310000 00000000 00006364 76f810bc
dfe0: 76f80ec0 76f80eb0 000192bc 00132360 60000010 00000003 00000000 00000000
Call trace:
[<81416254>] (subdev_8255_io) from [<81415f8c>] (subdev_8255_do_config+0x58/0x60 drivers/comedi/drivers/comedi_8255.c:115)
 r7:00004f26 r6:00004f26 r5:844fe3c0 r4:81416254
[<81415f34>] (subdev_8255_do_config) from [<8141634c>] (__subdev_8255_init drivers/comedi/drivers/comedi_8255.c:172 [inline])
[<81415f34>] (subdev_8255_do_config) from [<8141634c>] (subdev_8255_io_init+0x8c/0x9c drivers/comedi/drivers/comedi_8255.c:192)
 r4:86fc8cc0
[<814162c0>] (subdev_8255_io_init) from [<814164f8>] (dev_8255_attach drivers/comedi/drivers/8255.c:82 [inline])
[<814162c0>] (subdev_8255_io_init) from [<814164f8>] (dev_8255_attach+0x74/0x120 drivers/comedi/drivers/8255.c:46)
 r7:00004f26 r6:86fc8cc0 r5:00000000 r4:844fe3c0
[<81416484>] (dev_8255_attach) from [<8140502c>] (comedi_device_attach+0x108/0x250 drivers/comedi/drivers.c:1069)
 r10:82b28ad8 r9:00000000 r8:844fe3c0 r7:df9cdd88 r6:844fe404 r5:844fe3c0 r4:829d46a0
[<81404f24>] (comedi_device_attach) from [<81400984>] (do_devconfig_ioctl+0x100/0x220 drivers/comedi/comedi_fops.c:928)
 r10:00000003 r9:40946400 r8:859dc800 r7:844fe3f0 r6:b5403587 r5:844fe3c0 r4:200000c0
[<81400884>] (do_devconfig_ioctl) from [<81401978>] (comedi_unlocked_ioctl+0x5bc/0x1c2c drivers/comedi/comedi_fops.c:2240)
 r8:859dc800 r7:844fe3f0 r6:200000c0 r5:844fe3c0 r4:851e79c0
[<814013bc>] (comedi_unlocked_ioctl) from [<80585768>] (vfs_ioctl fs/ioctl.c:51 [inline])
[<814013bc>] (comedi_unlocked_ioctl) from [<80585768>] (do_vfs_ioctl fs/ioctl.c:551 [inline])
[<814013bc>] (comedi_unlocked_ioctl) from [<80585768>] (__do_sys_ioctl fs/ioctl.c:595 [inline])
[<814013bc>] (comedi_unlocked_ioctl) from [<80585768>] (sys_ioctl+0x130/0xba0 fs/ioctl.c:583)
 r10:859dc800 r9:00000003 r8:851e79c0 r7:200000c0 r6:851e79c1 r5:00000000 r4:40946400
[<80585638>] (sys_ioctl) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdf9cdfa8 to 0xdf9cdff0)
dfa0:                   00000000 00000000 00000003 40946400 200000c0 00000000
dfc0: 00000000 00000000 00326450 00000036 00310000 00000000 00006364 76f810bc
dfe0: 76f80ec0 76f80eb0 000192bc 00132360
 r10:00000036 r9:859dc800 r8:8020029c r7:00000036 r6:00326450 r5:00000000 r4:00000000
Code: e6ef3076 e0842002 e7f32052 e2422612 (e5c23000)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:   e6ef3076    uxtb    r3, r6
   4:   e0842002    add     r2, r4, r2
   8:   e7f32052    ubfx    r2, r2, #0, #20
   c:   e2422612    sub     r2, r2, #18874368   @ 0x1200000
* 10:   e5c23000    strb    r3, [r2] <-- trapping instruction