[v6.6] general protection fault in dvb_usbv2_generic_write
0 views
Skip to first unread message
syzbot
Dec 25, 2025, 4:19:22 PM (5 days ago) Dec 25
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 5fa4793a2d2d Linux 6.6.119
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17cde022580000
kernel config: https://syzkaller.appspot.com/x/.config?x=691a6769a86ac817
dashboard link: https://syzkaller.appspot.com/bug?extid=d8d2dbd2f2120bdaab41
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/63699875f1dd/disk-5fa4793a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8506652fcb6f/vmlinux-5fa4793a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1b30ceed1710/bzImage-5fa4793a.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d8d2db...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
CPU: 0 PID: 10108 Comm: syz.6.841 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:582 [inline]
RIP: 0010:__mutex_lock+0xe5/0xcc0 kernel/locking/mutex.c:747
Code: 0f b6 04 30 84 c0 0f 85 da 0a 00 00 83 3d d2 a1 79 0c 00 75 2a 48 8d 7b 60 48 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 05 e8 e0 eb 6c f7 48 39 5b 60 0f 85 44 0a 00 00 bf
RSP: 0018:ffffc900033873c0 EFLAGS: 00010202
RAX: 0000000000000019 RBX: 0000000000000068 RCX: dffffc0000000000
RDX: ffff8880266eda00 RSI: ffffffff8aaace60 RDI: 00000000000000c8
RBP: ffffc90003387518 R08: ffffffff87064df6 R09: 000000000000001e
R10: dffffc0000000000 R11: ffffed100baff82c R12: 0000000000000000
R13: 1ffff92000670e88 R14: dffffc0000000000 R15: 0000000000000000
FS: 00007f65c72316c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c252092 CR3: 000000002ece8000 CR4: 00000000003526f0
Call Trace:
<TASK>
dvb_usbv2_generic_write+0x26/0x50 drivers/media/usb/dvb-usb-v2/dvb_usb_urb.c:77
mxl111sf_ctrl_msg+0x162/0x2d0 drivers/media/usb/dvb-usb-v2/mxl111sf.c:73
mxl111sf_write_reg+0xa1/0x180 drivers/media/usb/dvb-usb-v2/mxl111sf.c:123
mxl111sf_i2c_start drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:130 [inline]
mxl111sf_i2c_sw_xfer_msg drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:-1 [inline]
mxl111sf_i2c_xfer+0x462/0x4ed0 drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:813
__i2c_transfer+0x868/0x2080 drivers/i2c/i2c-core-base.c:-1
i2c_transfer+0x250/0x390 drivers/i2c/i2c-core-base.c:2328
i2cdev_ioctl_rdwr+0x3b0/0x690 drivers/i2c/i2c-dev.c:297
i2cdev_ioctl+0x646/0x7e0 drivers/i2c/i2c-dev.c:458
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xfd/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f65c638f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f65c7231038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f65c65e5fa0 RCX: 00007f65c638f749
RDX: 0000200000000a40 RSI: 0000000000000707 RDI: 0000000000000004
RBP: 00007f65c6413f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f65c65e6038 R14: 00007f65c65e5fa0 R15: 00007ffff8d5ddd8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:582 [inline]
RIP: 0010:__mutex_lock+0xe5/0xcc0 kernel/locking/mutex.c:747
Code: 0f b6 04 30 84 c0 0f 85 da 0a 00 00 83 3d d2 a1 79 0c 00 75 2a 48 8d 7b 60 48 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 05 e8 e0 eb 6c f7 48 39 5b 60 0f 85 44 0a 00 00 bf
RSP: 0018:ffffc900033873c0 EFLAGS: 00010202
RAX: 0000000000000019 RBX: 0000000000000068 RCX: dffffc0000000000
RDX: ffff8880266eda00 RSI: ffffffff8aaace60 RDI: 00000000000000c8
RBP: ffffc90003387518 R08: ffffffff87064df6 R09: 000000000000001e
R10: dffffc0000000000 R11: ffffed100baff82c R12: 0000000000000000
R13: 1ffff92000670e88 R14: dffffc0000000000 R15: 0000000000000000
FS: 00007f65c72316c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8dfa44bd58 CR3: 000000002ece8000 CR4: 00000000003506f0
----------------
Code disassembly (best guess):
0: 0f b6 04 30 movzbl (%rax,%rsi,1),%eax
4: 84 c0 test %al,%al
6: 0f 85 da 0a 00 00 jne 0xae6
c: 83 3d d2 a1 79 0c 00 cmpl $0x0,0xc79a1d2(%rip) # 0xc79a1e5
13: 75 2a jne 0x3f
15: 48 8d 7b 60 lea 0x60(%rbx),%rdi
19: 48 89 f8 mov %rdi,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 05 je 0x35
30: e8 e0 eb 6c f7 call 0xf76cec15
35: 48 39 5b 60 cmp %rbx,0x60(%rbx)
39: 0f 85 44 0a 00 00 jne 0xa83
3f: bf .byte 0xbf
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 5fa4793a2d2d Linux 6.6.119
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17cde022580000
kernel config: https://syzkaller.appspot.com/x/.config?x=691a6769a86ac817
dashboard link: https://syzkaller.appspot.com/bug?extid=d8d2dbd2f2120bdaab41
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/63699875f1dd/disk-5fa4793a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8506652fcb6f/vmlinux-5fa4793a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1b30ceed1710/bzImage-5fa4793a.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d8d2db...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
CPU: 0 PID: 10108 Comm: syz.6.841 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:582 [inline]
RIP: 0010:__mutex_lock+0xe5/0xcc0 kernel/locking/mutex.c:747
Code: 0f b6 04 30 84 c0 0f 85 da 0a 00 00 83 3d d2 a1 79 0c 00 75 2a 48 8d 7b 60 48 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 05 e8 e0 eb 6c f7 48 39 5b 60 0f 85 44 0a 00 00 bf
RSP: 0018:ffffc900033873c0 EFLAGS: 00010202
RAX: 0000000000000019 RBX: 0000000000000068 RCX: dffffc0000000000
RDX: ffff8880266eda00 RSI: ffffffff8aaace60 RDI: 00000000000000c8
RBP: ffffc90003387518 R08: ffffffff87064df6 R09: 000000000000001e
R10: dffffc0000000000 R11: ffffed100baff82c R12: 0000000000000000
R13: 1ffff92000670e88 R14: dffffc0000000000 R15: 0000000000000000
FS: 00007f65c72316c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c252092 CR3: 000000002ece8000 CR4: 00000000003526f0
Call Trace:
<TASK>
dvb_usbv2_generic_write+0x26/0x50 drivers/media/usb/dvb-usb-v2/dvb_usb_urb.c:77
mxl111sf_ctrl_msg+0x162/0x2d0 drivers/media/usb/dvb-usb-v2/mxl111sf.c:73
mxl111sf_write_reg+0xa1/0x180 drivers/media/usb/dvb-usb-v2/mxl111sf.c:123
mxl111sf_i2c_start drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:130 [inline]
mxl111sf_i2c_sw_xfer_msg drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:-1 [inline]
mxl111sf_i2c_xfer+0x462/0x4ed0 drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:813
__i2c_transfer+0x868/0x2080 drivers/i2c/i2c-core-base.c:-1
i2c_transfer+0x250/0x390 drivers/i2c/i2c-core-base.c:2328
i2cdev_ioctl_rdwr+0x3b0/0x690 drivers/i2c/i2c-dev.c:297
i2cdev_ioctl+0x646/0x7e0 drivers/i2c/i2c-dev.c:458
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xfd/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f65c638f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f65c7231038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f65c65e5fa0 RCX: 00007f65c638f749
RDX: 0000200000000a40 RSI: 0000000000000707 RDI: 0000000000000004
RBP: 00007f65c6413f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f65c65e6038 R14: 00007f65c65e5fa0 R15: 00007ffff8d5ddd8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:582 [inline]
RIP: 0010:__mutex_lock+0xe5/0xcc0 kernel/locking/mutex.c:747
Code: 0f b6 04 30 84 c0 0f 85 da 0a 00 00 83 3d d2 a1 79 0c 00 75 2a 48 8d 7b 60 48 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 05 e8 e0 eb 6c f7 48 39 5b 60 0f 85 44 0a 00 00 bf
RSP: 0018:ffffc900033873c0 EFLAGS: 00010202
RAX: 0000000000000019 RBX: 0000000000000068 RCX: dffffc0000000000
RDX: ffff8880266eda00 RSI: ffffffff8aaace60 RDI: 00000000000000c8
RBP: ffffc90003387518 R08: ffffffff87064df6 R09: 000000000000001e
R10: dffffc0000000000 R11: ffffed100baff82c R12: 0000000000000000
R13: 1ffff92000670e88 R14: dffffc0000000000 R15: 0000000000000000
FS: 00007f65c72316c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8dfa44bd58 CR3: 000000002ece8000 CR4: 00000000003506f0
----------------
Code disassembly (best guess):
0: 0f b6 04 30 movzbl (%rax,%rsi,1),%eax
4: 84 c0 test %al,%al
6: 0f 85 da 0a 00 00 jne 0xae6
c: 83 3d d2 a1 79 0c 00 cmpl $0x0,0xc79a1d2(%rip) # 0xc79a1e5
13: 75 2a jne 0x3f
15: 48 8d 7b 60 lea 0x60(%rbx),%rdi
19: 48 89 f8 mov %rdi,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 05 je 0x35
30: e8 e0 eb 6c f7 call 0xf76cec15
35: 48 39 5b 60 cmp %rbx,0x60(%rbx)
39: 0f 85 44 0a 00 00 jne 0xa83
3f: bf .byte 0xbf
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Dec 25, 2025, 4:53:21 PM (5 days ago) Dec 25
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 5fa4793a2d2d Linux 6.6.119
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=106fabb4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1678e09a580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/63699875f1dd/disk-5fa4793a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8506652fcb6f/vmlinux-5fa4793a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1b30ceed1710/bzImage-5fa4793a.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d8d2db...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
CPU: 0 PID: 5964 Comm: syz.2.23 Not tainted syzkaller #0
RBP: ffffc90003517518 R08: ffffffff87064df6 R09: 000000000000001e
R10: dffffc0000000000 R11: ffffed100bcde42c R12: 0000000000000000
R13: 1ffff920006a2e88 R14: dffffc0000000000 R15: 0000000000000000
FS: 00005555743b2500(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
RAX: ffffffffffffffda RBX: 00007f7ba79e5fa0 RCX: 00007f7ba778f749
RBP: ffffc90003517518 R08: ffffffff87064df6 R09: 000000000000001e
R10: dffffc0000000000 R11: ffffed100bcde42c R12: 0000000000000000
R13: 1ffff920006a2e88 R14: dffffc0000000000 R15: 0000000000000000
FS: 00005555743b2500(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 5fa4793a2d2d Linux 6.6.119
git tree: linux-6.6.y
kernel config: https://syzkaller.appspot.com/x/.config?x=691a6769a86ac817
dashboard link: https://syzkaller.appspot.com/bug?extid=d8d2dbd2f2120bdaab41
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12c3e022580000
dashboard link: https://syzkaller.appspot.com/bug?extid=d8d2dbd2f2120bdaab41
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1678e09a580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/63699875f1dd/disk-5fa4793a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8506652fcb6f/vmlinux-5fa4793a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1b30ceed1710/bzImage-5fa4793a.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d8d2db...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:582 [inline]
RIP: 0010:__mutex_lock+0xe5/0xcc0 kernel/locking/mutex.c:747
Code: 0f b6 04 30 84 c0 0f 85 da 0a 00 00 83 3d d2 a1 79 0c 00 75 2a 48 8d 7b 60 48 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 05 e8 e0 eb 6c f7 48 39 5b 60 0f 85 44 0a 00 00 bf
RSP: 0018:ffffc900035173c0 EFLAGS: 00010202
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:582 [inline]
RIP: 0010:__mutex_lock+0xe5/0xcc0 kernel/locking/mutex.c:747
Code: 0f b6 04 30 84 c0 0f 85 da 0a 00 00 83 3d d2 a1 79 0c 00 75 2a 48 8d 7b 60 48 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 05 e8 e0 eb 6c f7 48 39 5b 60 0f 85 44 0a 00 00 bf
RAX: 0000000000000019 RBX: 0000000000000068 RCX: dffffc0000000000
RDX: ffff88802ad0bc00 RSI: ffffffff8aaace60 RDI: 00000000000000c8
RBP: ffffc90003517518 R08: ffffffff87064df6 R09: 000000000000001e
R10: dffffc0000000000 R11: ffffed100bcde42c R12: 0000000000000000
R13: 1ffff920006a2e88 R14: dffffc0000000000 R15: 0000000000000000
FS: 00005555743b2500(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b34763fff CR3: 000000007c789000 CR4: 00000000003506f0
Call Trace:
<TASK>
dvb_usbv2_generic_write+0x26/0x50 drivers/media/usb/dvb-usb-v2/dvb_usb_urb.c:77
mxl111sf_ctrl_msg+0x162/0x2d0 drivers/media/usb/dvb-usb-v2/mxl111sf.c:73
mxl111sf_write_reg+0xa1/0x180 drivers/media/usb/dvb-usb-v2/mxl111sf.c:123
mxl111sf_i2c_start drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:130 [inline]
mxl111sf_i2c_sw_xfer_msg drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:-1 [inline]
mxl111sf_i2c_xfer+0x462/0x4ed0 drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:813
__i2c_transfer+0x868/0x2080 drivers/i2c/i2c-core-base.c:-1
i2c_transfer+0x250/0x390 drivers/i2c/i2c-core-base.c:2328
i2cdev_ioctl_rdwr+0x3b0/0x690 drivers/i2c/i2c-dev.c:297
i2cdev_ioctl+0x646/0x7e0 drivers/i2c/i2c-dev.c:458
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xfd/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f7ba778f749
<TASK>
dvb_usbv2_generic_write+0x26/0x50 drivers/media/usb/dvb-usb-v2/dvb_usb_urb.c:77
mxl111sf_ctrl_msg+0x162/0x2d0 drivers/media/usb/dvb-usb-v2/mxl111sf.c:73
mxl111sf_write_reg+0xa1/0x180 drivers/media/usb/dvb-usb-v2/mxl111sf.c:123
mxl111sf_i2c_start drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:130 [inline]
mxl111sf_i2c_sw_xfer_msg drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:-1 [inline]
mxl111sf_i2c_xfer+0x462/0x4ed0 drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:813
__i2c_transfer+0x868/0x2080 drivers/i2c/i2c-core-base.c:-1
i2c_transfer+0x250/0x390 drivers/i2c/i2c-core-base.c:2328
i2cdev_ioctl_rdwr+0x3b0/0x690 drivers/i2c/i2c-dev.c:297
i2cdev_ioctl+0x646/0x7e0 drivers/i2c/i2c-dev.c:458
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xfd/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff1f937938 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f7ba79e5fa0 RCX: 00007f7ba778f749
RDX: 0000200000000a40 RSI: 0000000000000707 RDI: 0000000000000004
RBP: 00007f7ba7813f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7ba79e5fa0 R14: 00007f7ba79e5fa0 R15: 0000000000000003
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:582 [inline]
RIP: 0010:__mutex_lock+0xe5/0xcc0 kernel/locking/mutex.c:747
Code: 0f b6 04 30 84 c0 0f 85 da 0a 00 00 83 3d d2 a1 79 0c 00 75 2a 48 8d 7b 60 48 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 05 e8 e0 eb 6c f7 48 39 5b 60 0f 85 44 0a 00 00 bf
RSP: 0018:ffffc900035173c0 EFLAGS: 00010202
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:582 [inline]
RIP: 0010:__mutex_lock+0xe5/0xcc0 kernel/locking/mutex.c:747
Code: 0f b6 04 30 84 c0 0f 85 da 0a 00 00 83 3d d2 a1 79 0c 00 75 2a 48 8d 7b 60 48 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 05 e8 e0 eb 6c f7 48 39 5b 60 0f 85 44 0a 00 00 bf
RAX: 0000000000000019 RBX: 0000000000000068 RCX: dffffc0000000000
RDX: ffff88802ad0bc00 RSI: ffffffff8aaace60 RDI: 00000000000000c8
RBP: ffffc90003517518 R08: ffffffff87064df6 R09: 000000000000001e
R10: dffffc0000000000 R11: ffffed100bcde42c R12: 0000000000000000
R13: 1ffff920006a2e88 R14: dffffc0000000000 R15: 0000000000000000
FS: 00005555743b2500(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6c4e9135c0 CR3: 000000007c789000 CR4: 00000000003506e0
----------------
Code disassembly (best guess):
0: 0f b6 04 30 movzbl (%rax,%rsi,1),%eax
4: 84 c0 test %al,%al
6: 0f 85 da 0a 00 00 jne 0xae6
c: 83 3d d2 a1 79 0c 00 cmpl $0x0,0xc79a1d2(%rip) # 0xc79a1e5
13: 75 2a jne 0x3f
15: 48 8d 7b 60 lea 0x60(%rbx),%rdi
19: 48 89 f8 mov %rdi,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 05 je 0x35
30: e8 e0 eb 6c f7 call 0xf76cec15
35: 48 39 5b 60 cmp %rbx,0x60(%rbx)
39: 0f 85 44 0a 00 00 jne 0xa83
3f: bf .byte 0xbf
---
If you want syzbot to run the reproducer, reply with:
Code disassembly (best guess):
0: 0f b6 04 30 movzbl (%rax,%rsi,1),%eax
4: 84 c0 test %al,%al
6: 0f 85 da 0a 00 00 jne 0xae6
c: 83 3d d2 a1 79 0c 00 cmpl $0x0,0xc79a1d2(%rip) # 0xc79a1e5
13: 75 2a jne 0x3f
15: 48 8d 7b 60 lea 0x60(%rbx),%rdi
19: 48 89 f8 mov %rdi,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 05 je 0x35
30: e8 e0 eb 6c f7 call 0xf76cec15
35: 48 39 5b 60 cmp %rbx,0x60(%rbx)
39: 0f 85 44 0a 00 00 jne 0xa83
3f: bf .byte 0xbf
---
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
Reply all
Reply to author
Forward
0 new messages