8<--- cut here ---
Unable to handle kernel paging request at virtual address fee00143 when write
[fee00143] *pgd=80000080007003, *pmd=00000000
Internal error: Oops: a06 [#1] SMP ARM
Modules linked in:
CPU: 0 UID: 0 PID: 8538 Comm: syz.1.1003 Not tainted syzkaller #0 PREEMPT
Hardware name: ARM-Versatile Express
PC is at __raw_writeb arch/arm/include/asm/io.h:99 [inline]
PC is at subdev_8255_io drivers/comedi/drivers/comedi_8255.c:47 [inline]
PC is at subdev_8255_io+0x60/0x6c drivers/comedi/drivers/comedi_8255.c:43
LR is at subdev_8255_io drivers/comedi/drivers/comedi_8255.c:47 [inline]
LR is at subdev_8255_io+0x4c/0x6c drivers/comedi/drivers/comedi_8255.c:43
pc : [<8149bb18>] lr : [<8149bb04>] psr: 60000013
sp : e033dcb8 ip : e033dcb8 fp : e033dcd4
r10: 00000140 r9 : 00000004 r8 : e033dda4
r7 : 00000000 r6 : 0000009b r5 : 8315acc0 r4 : 00000143
r3 : 0000009b r2 : fee00143 r1 : 00000001 r0 : 8315acc0
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
Control: 30c5387d Table: 86a05540 DAC: fffffffd
Register r0 information: slab kmalloc-192 start 8315acc0 pointer offset 0 size 192
Register r1 information: non-paged memory
Register r2 information: 0-page vmalloc region starting at 0xfee00000 allocated at pci_reserve_io+0x0/0x38 arch/arm/mm/mmu.c:1048
Register r3 information: non-paged memory
Register r4 information: non-paged memory
Register r5 information: slab kmalloc-192 start 8315acc0 pointer offset 0 size 192
Register r6 information: non-paged memory
Register r7 information: NULL pointer
Register r8 information: 2-page vmalloc region starting at 0xe033c000 allocated at kernel_clone+0xc4/0x43c kernel/fork.c:2746
Register r9 information: non-paged memory
Register r10 information: non-paged memory
Register r11 information: 2-page vmalloc region starting at 0xe033c000 allocated at kernel_clone+0xc4/0x43c kernel/fork.c:2746
Register r12 information: 2-page vmalloc region starting at 0xe033c000 allocated at kernel_clone+0xc4/0x43c kernel/fork.c:2746
Process syz.1.1003 (pid: 8538, stack limit = 0xe033c000)
Stack: (0xe033dcb8 to 0xe033e000)
dca0: 8149bab8 00000140
dcc0: 8315acc0 00000000 e033dcf4 e033dcd8 8149b7f4 8149bac4 00000140 80545f10
dce0: 863b0b40 863b0b40 e033dd14 e033dcf8 8149bbac 8149b7a8 8315acc0 00000000
dd00: 863b0b40 00000000 e033dd54 e033dd18 8149bd5c 8149bb30 ffffffff 00000004
dd20: 82a22dc0 00000000 00000000 82bd95c0 8315acc0 00000000 e033dd90 8315acc0
dd40: 00000000 82d30df4 e033dd8c e033dd58 8148a700 8149bcf4 40946400 00000000
dd60: e033dd7c 200000c0 8315acc0 b5403587 40946400 00000002 00000003 84676e40
dd80: e033de4c e033dd90 81485f04 8148a604 35353238 00000000 00000000 00000000
dda0: 00000000 00000140 00000000 fffffff7 ffff0001 10000007 fffffffd 00007ffc
ddc0: 30000002 00000007 0000c72a 00000000 00000007 00000003 00000000 00000100
dde0: 000072f0 00000101 00000006 00000006 00000404 00000004 00000000 000002fa
de00: 00080008 00001000 80000001 0000000a 00000001 00000004 00000003 00000004
de20: 00000000 b60a9766 00000000 83836980 8315acc0 200000c0 40946400 00000002
de40: e033df14 e033de50 8148722c 81485e44 00000000 b60a9766 00000000 00000000
de60: 8254780c e033dea4 0000005f 845072c8 00000064 8315acf0 e033dee4 e033de88
de80: 80803604 807f9934 00000064 00000001 00000000 e033dea4 85ce7a10 8341e908
dea0: 00006400 0000000b e033de98 00000000 00000000 b60a9766 00000000 83836980
dec0: 40946400 200000c0 200000c0 83836980 00000003 84676e40 e033def4 e033dee8
dee0: 80803738 b60a9766 e033df14 00000000 83836981 40946400 200000c0 83836980
df00: 00000003 84676e40 e033dfa4 e033df18 805ba698 81486ee4 ecac8b10 84676e40
df20: e033df3c e033df30 81b52020 81b51eec e033df54 e033df40 8025a790 8028e468
df40: e033dfb0 40000000 e033df84 e033df58 80220bdc 8025a74c 00000000 82a1eb0c
df60: e033dfb0 0013e9c0 ecac8b10 80220b30 00000000 b60a9766 e033dfac 00000000
df80: 00000000 00346310 00000036 8020029c 84676e40 00000036 00000000 e033dfa8
dfa0: 80200060 805ba460 00000000 00000000 00000003 40946400 200000c0 00000000
dfc0: 00000000 00000000 00346310 00000036 003462d8 00000000 00000001 76fa10dc
dfe0: 76fa0e88 76fa0e78 00018ebc 00130820 60000010 00000003 00000000 00000000
Call trace:
[<8149bab8>] (subdev_8255_io) from [<8149b7f4>] (subdev_8255_do_config+0x58/0x60 drivers/comedi/drivers/comedi_8255.c:115)
r7:00000000 r6:8315acc0 r5:00000140 r4:8149bab8
[<8149b79c>] (subdev_8255_do_config) from [<8149bbac>] (__subdev_8255_init drivers/comedi/drivers/comedi_8255.c:172 [inline])
[<8149b79c>] (subdev_8255_do_config) from [<8149bbac>] (subdev_8255_io_init+0x88/0x98 drivers/comedi/drivers/comedi_8255.c:192)
r4:863b0b40
[<8149bb24>] (subdev_8255_io_init) from [<8149bd5c>] (dev_8255_attach drivers/comedi/drivers/8255.c:84 [inline])
[<8149bb24>] (subdev_8255_io_init) from [<8149bd5c>] (dev_8255_attach+0x74/0x138 drivers/comedi/drivers/8255.c:46)
r7:00000000 r6:863b0b40 r5:00000000 r4:8315acc0
[<8149bce8>] (dev_8255_attach) from [<8148a700>] (comedi_device_attach+0x108/0x244 drivers/comedi/drivers.c:1101)
r10:82d30df4 r9:00000000 r8:8315acc0 r7:e033dd90 r6:00000000 r5:8315acc0 r4:82bd95c0
[<8148a5f8>] (comedi_device_attach) from [<81485f04>] (do_devconfig_ioctl+0xcc/0x218 drivers/comedi/comedi_fops.c:930)
r10:84676e40 r9:00000003 r8:00000002 r7:40946400 r6:b5403587 r5:8315acc0 r4:200000c0
[<81485e38>] (do_devconfig_ioctl) from [<8148722c>] (comedi_unlocked_ioctl+0x354/0x1db8 drivers/comedi/comedi_fops.c:2302)
r8:00000002 r7:40946400 r6:200000c0 r5:8315acc0 r4:83836980
[<81486ed8>] (comedi_unlocked_ioctl) from [<805ba698>] (vfs_ioctl fs/ioctl.c:51 [inline])
[<81486ed8>] (comedi_unlocked_ioctl) from [<805ba698>] (do_vfs_ioctl fs/ioctl.c:551 [inline])
[<81486ed8>] (comedi_unlocked_ioctl) from [<805ba698>] (__do_sys_ioctl fs/ioctl.c:595 [inline])
[<81486ed8>] (comedi_unlocked_ioctl) from [<805ba698>] (sys_ioctl+0x244/0xb5c fs/ioctl.c:583)
r10:84676e40 r9:00000003 r8:83836980 r7:200000c0 r6:40946400 r5:83836981 r4:00000000
[<805ba454>] (sys_ioctl) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xe033dfa8 to 0xe033dff0)
dfa0: 00000000 00000000 00000003 40946400 200000c0 00000000
dfc0: 00000000 00000000 00346310 00000036 003462d8 00000000 00000001 76fa10dc
dfe0: 76fa0e88 76fa0e78 00018ebc 00130820
r10:00000036 r9:84676e40 r8:8020029c r7:00000036 r6:00346310 r5:00000000 r4:00000000
Code: e6ef3076 e0842002 e7f32052 e2422612 (e5c23000)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: e6ef3076 uxtb r3, r6
4: e0842002 add r2, r4, r2
8: e7f32052 ubfx r2, r2, #0, #20
c: e2422612 sub r2, r2, #18874368 @ 0x1200000
* 10: e5c23000 strb r3, [r2] <-- trapping instruction