r10:00000036 r9:84ae8000 r8:8020029c r7:00000036 r6:76bbde70 r5:76bbee70 r4:00000006 kobject: kobject_add_internal failed for raw_gadget with -EEXIST, don't try to register things with the same name in the same directory. 8<--- cut here --- Unable to handle kernel NULL pointer dereference at virtual address 00000004 when read [00000004] *pgd=85433003, *pmd=df2d6003 Internal error: Oops: 205 [#1] SMP ARM Modules linked in: CPU: 1 UID: 0 PID: 3864 Comm: syz.0.32 Not tainted 6.15.0-rc5-syzkaller #0 PREEMPT Hardware name: ARM-Versatile Express PC is at arch_spin_lock arch/arm/include/asm/spinlock.h:63 [inline] PC is at do_raw_spin_lock include/linux/spinlock.h:187 [inline] PC is at __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline] PC is at _raw_spin_lock_irqsave+0x24/0x64 kernel/locking/spinlock.c:162 LR is at get_lock_parent_ip include/linux/ftrace.h:1092 [inline] LR is at preempt_latency_start kernel/sched/core.c:5838 [inline] LR is at preempt_count_add+0x12c/0x150 kernel/sched/core.c:5863 pc : [<81a5b60c>] lr : [<8029eb0c>] psr: 60000093 sp : e048dda0 ip : e048dd78 fp : e048ddb4 r10: 84ae8000 r9 : 00000006 r8 : 853fb738 r7 : 00000000 r6 : 8237d1e8 r5 : 60000013 r4 : 00000004 r3 : 81a5b5e8 r2 : 00000000 r1 : 00000000 r0 : 00000000 Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none Control: 30c5387d Table: 853d6100 DAC: 00000000 Register r0 information: NULL pointer Register r1 information: NULL pointer Register r2 information: NULL pointer Register r3 information: non-slab/vmalloc memory Register r4 information: non-paged memory Register r5 information: non-paged memory Register r6 information: non-slab/vmalloc memory Register r7 information: NULL pointer Register r8 information: slab kmalloc-128 start 853fb700 pointer offset 56 size 128 Register r9 information: non-paged memory Register r10 information: slab task_struct start 84ae8000 pointer offset 0 size 3072 Register r11 information: 2-page vmalloc region starting at 0xe048c000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844 Register r12 information: 2-page vmalloc region starting at 0xe048c000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2844 Process syz.0.32 (pid: 3864, stack limit = 0xe048c000) Stack: (0xe048dda0 to 0xe048e000) dda0: 00000000 00000004 e048ddd4 e048ddb8 802cddd8 81a5b5f4 85434640 81c021a0 ddc0: 8237d1e8 00000000 e048dde4 e048ddd8 8028dc7c 802cddc8 e048de0c e048dde8 dde0: 81a28510 8028dc74 e048de10 598c2ec9 00000000 ffffffef 8237d1e8 85434640 de00: e048de34 e048de10 8028e9b8 81a2847c 8237d1e8 81a2847c 84597030 853fb700 de20: 84597030 83365300 e048de54 e048de38 80b46090 8028e8fc 84597030 853fb700 de40: 00000000 83365300 e048de84 e048de58 80b26e04 80b45fd0 85434580 84597004 de60: e048de84 84597030 00000000 84597030 84597004 85431cc0 e048de9c e048de88 de80: 80b296e0 80b26d04 8459700c 00000000 e048debc e048dea0 80fcac8c 80b29668 dea0: 84597000 00000000 60000013 84597004 e048df14 e048dec0 8103aed0 80fcac48 dec0: 00000000 598c2ec9 85431cc0 00005501 00000000 00000000 e048def4 e048dee8 dee0: 80791980 598c2ec9 e048df14 00005501 00000000 85431cc1 00000000 85431cc0 df00: 00000006 84ae8000 e048dfa4 e048df18 8056b530 8103a500 e048df74 e048df28 df20: 802342d0 804ce594 00000006 00010000 00000001 598c2ec9 ffffff9c 0018562c df40: 00000000 83b12700 e048dfa4 8281d170 00000a07 00412000 e048dfb0 80234108 df60: 00000000 00006364 e048dfac e048df78 8023478c 598c2ec9 00000000 00000006 df80: 76bbee70 76bbde70 00000036 8020029c 84ae8000 00000036 00000000 e048dfa8 dfa0: 80200060 8056b404 00000006 76bbee70 00000006 00005501 00000000 76bbde00 dfc0: 00000006 76bbee70 76bbde70 00000036 00000005 76bbee60 004118e4 000000b1 dfe0: 00000000 76bbdde8 002b8000 001318fc 60000010 00000006 00000000 00000000 Call trace: [<81a5b5e8>] (_raw_spin_lock_irqsave) from [<802cddd8>] (complete_with_flags kernel/sched/completion.c:20 [inline]) [<81a5b5e8>] (_raw_spin_lock_irqsave) from [<802cddd8>] (complete+0x1c/0x84 kernel/sched/completion.c:47) r5:00000004 r4:00000000 [<802cddbc>] (complete) from [<8028dc7c>] (module_kobj_release+0x14/0x18 kernel/params.c:946) r7:00000000 r6:8237d1e8 r5:81c021a0 r4:85434640 [<8028dc68>] (module_kobj_release) from [<81a28510>] (kobject_cleanup lib/kobject.c:689 [inline]) [<8028dc68>] (module_kobj_release) from [<81a28510>] (kobject_release lib/kobject.c:720 [inline]) [<8028dc68>] (module_kobj_release) from [<81a28510>] (kref_put include/linux/kref.h:65 [inline]) [<8028dc68>] (module_kobj_release) from [<81a28510>] (kobject_put+0xa0/0x1f4 lib/kobject.c:737) [<81a28470>] (kobject_put) from [<8028e9b8>] (lookup_or_create_module_kobject kernel/params.c:783 [inline]) [<81a28470>] (kobject_put) from [<8028e9b8>] (lookup_or_create_module_kobject+0xc8/0xe0 kernel/params.c:763) r7:85434640 r6:8237d1e8 r5:ffffffef r4:00000000 [<8028e8f0>] (lookup_or_create_module_kobject) from [<80b46090>] (module_add_driver+0xcc/0x138 drivers/base/module.c:46) r7:83365300 r6:84597030 r5:853fb700 r4:84597030 [<80b45fc4>] (module_add_driver) from [<80b26e04>] (bus_add_driver+0x10c/0x21c drivers/base/bus.c:682) r7:83365300 r6:00000000 r5:853fb700 r4:84597030 [<80b26cf8>] (bus_add_driver) from [<80b296e0>] (driver_register+0x84/0x11c drivers/base/driver.c:249) r8:85431cc0 r7:84597004 r6:84597030 r5:00000000 r4:84597030 [<80b2965c>] (driver_register) from [<80fcac8c>] (usb_gadget_register_driver_owner+0x50/0xf8 drivers/usb/gadget/udc/core.c:1700) r5:00000000 r4:8459700c [<80fcac3c>] (usb_gadget_register_driver_owner) from [<8103aed0>] (raw_ioctl_run drivers/usb/gadget/legacy/raw_gadget.c:595 [inline]) [<80fcac3c>] (usb_gadget_register_driver_owner) from [<8103aed0>] (raw_ioctl+0x9dc/0x1094 drivers/usb/gadget/legacy/raw_gadget.c:1306) r7:84597004 r6:60000013 r5:00000000 r4:84597000 [<8103a4f4>] (raw_ioctl) from [<8056b530>] (vfs_ioctl fs/ioctl.c:51 [inline]) [<8103a4f4>] (raw_ioctl) from [<8056b530>] (do_vfs_ioctl fs/ioctl.c:860 [inline]) [<8103a4f4>] (raw_ioctl) from [<8056b530>] (__do_sys_ioctl fs/ioctl.c:904 [inline]) [<8103a4f4>] (raw_ioctl) from [<8056b530>] (sys_ioctl+0x138/0xd84 fs/ioctl.c:892) r10:84ae8000 r9:00000006 r8:85431cc0 r7:00000000 r6:85431cc1 r5:00000000 r4:00005501 [<8056b3f8>] (sys_ioctl) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67) Exception stack(0xe048dfa8 to 0xe048dff0) dfa0: 00000006 76bbee70 00000006 00005501 00000000 76bbde00 dfc0: 00000006 76bbee70 76bbde70 00000036 00000005 76bbee60 004118e4 000000b1 dfe0: 00000000 76bbdde8 002b8000 001318fc r10:00000036 r9:84ae8000 r8:8020029c r7:00000036 r6:76bbde70 r5:76bbee70 r4:00000006 Code: f10c0080 e3a00001 eba10cf5 f594f000 (e1943f9f) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: f10c0080 cpsid i 4: e3a00001 mov r0, #1 8: eba10cf5 bl 0xfe8433e4 c: f594f000 pldw [r4] * 10: e1943f9f ldrex r3, [r4] <-- trapping instruction