[Android 6.1] invalid opcode in __traceiter_hrtimer_init


syzbot

Dec 13, 2025, 9:28:32 AM (19 hours ago) Dec 13
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 6f1c2f8fd8c8 ANDROID: GKI: Honor add symbols to symbol list
git tree: android14-6.1
console output: https://syzkaller.appspot.com/x/log.txt?x=12e1f1c2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=5bf7cc5fd4a155df
dashboard link: https://syzkaller.appspot.com/bug?extid=7c7abdd820477a819799
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1384be1a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=144b1e1a580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/44f15e42ea02/disk-6f1c2f8f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4bcca348d9b7/vmlinux-6f1c2f8f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3d2f10071df3/bzImage-6f1c2f8f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7c7abd...@syzkaller.appspotmail.com

CFI failure at __traceiter_hrtimer_init+0x82/0xd0 include/trace/events/timer.h:173 (target: tp_stub_func+0x0/0x10; expected type: 0x98398cdb)
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 371 Comm: syz-executor Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:__traceiter_hrtimer_init+0x82/0xd0 include/trace/events/timer.h:173
Code: 89 f8 48 c1 e8 03 80 3c 18 00 74 05 e8 27 65 53 00 49 8b 7d 08 4c 89 fe 8b 55 d4 8b 4d d0 41 ba 25 73 c6 67 45 03 56 fc 74 02 <0f> 0b 41 ff d6 49 83 c4 18 4c 89 e0 48 c1 e8 03 80 3c 18 00 74 08
RSP: 0018:ffffc9000a08fc38 EFLAGS: 00010213
RAX: 1ffff110243c0136 RBX: dffffc0000000000 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffc9000a08fd00 RDI: ffffc90000b4d000
RBP: ffffc9000a08fc68 R08: dffffc0000000000 R09: ffffed102000aa97
R10: 000000000d06da31 R11: 1ffff1102000aa96 R12: ffff888121e009a8
R13: ffff888121e009a8 R14: ffffffff81714610 R15: ffffc9000a08fd00
FS: 000055557a17a500(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b33c63fff CR3: 0000000132716000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
trace_hrtimer_init include/trace/events/timer.h:173 [inline]
debug_init kernel/time/hrtimer.c:460 [inline]
hrtimer_init_sleeper+0x320/0x370 kernel/time/hrtimer.c:2010
hrtimer_init_sleeper_on_stack include/linux/hrtimer.h:400 [inline]
hrtimer_nanosleep+0xa8/0x310 kernel/time/hrtimer.c:2090
common_nsleep+0x8f/0xb0 kernel/time/posix-timers.c:1268
__do_sys_clock_nanosleep kernel/time/posix-timers.c:1309 [inline]
__se_sys_clock_nanosleep+0x2f7/0x380 kernel/time/posix-timers.c:1286
__x64_sys_clock_nanosleep+0x9b/0xb0 kernel/time/posix-timers.c:1286
x64_sys_call+0x186/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:231
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7ff342fc1fc3
Code: 1f 84 00 00 00 00 00 83 ff 03 74 7b 83 ff 02 b8 fa ff ff ff 49 89 ca 0f 44 f8 80 3d 9e 95 1f 00 00 74 14 b8 e6 00 00 00 0f 05 <f7> d8 c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec 28 48 89 54 24 10
RSP: 002b:00007ffe3a419c28 EFLAGS: 00000202 ORIG_RAX: 00000000000000e6
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007ff342fc1fc3
RDX: 00007ffe3a419c40 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007ffe3a419cac R08: 0000000000000020 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000001388
R13: 00000000000927c0 R14: 0000000000007e5b R15: 00007ffe3a419d00
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__traceiter_hrtimer_init+0x82/0xd0 include/trace/events/timer.h:173
Code: 89 f8 48 c1 e8 03 80 3c 18 00 74 05 e8 27 65 53 00 49 8b 7d 08 4c 89 fe 8b 55 d4 8b 4d d0 41 ba 25 73 c6 67 45 03 56 fc 74 02 <0f> 0b 41 ff d6 49 83 c4 18 4c 89 e0 48 c1 e8 03 80 3c 18 00 74 08
RSP: 0018:ffffc9000a08fc38 EFLAGS: 00010213

RAX: 1ffff110243c0136 RBX: dffffc0000000000 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffc9000a08fd00 RDI: ffffc90000b4d000
RBP: ffffc9000a08fc68 R08: dffffc0000000000 R09: ffffed102000aa97
R10: 000000000d06da31 R11: 1ffff1102000aa96 R12: ffff888121e009a8
R13: ffff888121e009a8 R14: ffffffff81714610 R15: ffffc9000a08fd00
FS: 000055557a17a500(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b33c63fff CR3: 0000000132716000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup