[moderation] [sound?] BUG: unable to handle kernel paging request in __run_timers (2)


syzbot

Oct 26, 2025, 11:36:25 PM (6 days ago) Oct 26
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: dd72c8fcf6d3 Merge tag 'platform-drivers-x86-v6.18-2' of g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16d33734580000
kernel config: https://syzkaller.appspot.com/x/.config?x=94e79a41e05959dd
dashboard link: https://syzkaller.appspot.com/bug?extid=6d5d418ee99ee0216531
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386
CC: [linux-...@vger.kernel.org linux...@vger.kernel.org pe...@perex.cz ti...@suse.com]

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-dd72c8fc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/641af862d567/vmlinux-dd72c8fc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/dba2023f37d8/bzImage-dd72c8fc.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6d5d41...@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: fffff52000e84f4a
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 7ffcc067 P4D 7ffcc067 PUD 1c699067 PMD 275d6067 PTE 0
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 150 Comm: kworker/0:1H Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_highpri snd_vmidi_output_work
RIP: 0010:hlist_move_list include/linux/list.h:1122 [inline]
RIP: 0010:collect_expired_timers kernel/time/timer.c:1819 [inline]
RIP: 0010:__run_timers+0x320/0x960 kernel/time/timer.c:2354
Code: 31 00 0f 85 c5 05 00 00 48 85 c0 49 89 07 48 89 44 24 18 74 24 e8 10 ea 13 00 48 8b 44 24 18 48 8d 78 08 48 89 f9 48 c1 e9 03 <42> 80 3c 31 00 0f 85 af 05 00 00 4c 89 78 08 e8 ec e9 13 00 83 44
RSP: 0018:ffffc90000007d50 EFLAGS: 00010802
RAX: ffffc90007427a48 RBX: 0000000000000002 RCX: 1ffff92000e84f4a
RDX: ffff888022d12480 RSI: ffffffff81a87ff0 RDI: ffffc90007427a50
RBP: 0000000003ffff01 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802b225fa8
R13: ffffc90000007e20 R14: dffffc0000000000 R15: ffffc90000007e18
FS: 0000000000000000(0000) GS:ffff888097812000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff52000e84f4a CR3: 000000006695b000 CR4: 0000000000352ef0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffeff7ff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__run_timer_base kernel/time/timer.c:2384 [inline]
__run_timer_base kernel/time/timer.c:2376 [inline]
run_timer_base+0x114/0x190 kernel/time/timer.c:2393
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2403
handle_softirqs+0x219/0x8e0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1052
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x80 kernel/locking/spinlock.c:194
Code: f5 53 48 8b 74 24 10 48 89 fb 48 83 c7 18 e8 96 a2 38 f6 48 89 df e8 7e f6 38 f6 f7 c5 00 02 00 00 75 23 9c 58 f6 c4 02 75 37 <bf> 01 00 00 00 e8 c5 ff 28 f6 65 8b 05 7e 25 41 08 85 c0 74 16 5b
RSP: 0018:ffffc90002a2fb10 EFLAGS: 00000246
RAX: 0000000000000006 RBX: ffff888058d89620 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffffffff8da26dd3 RDI: ffffffff8bf071c0
RBP: 0000000000000293 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff90822ad7 R11: 0000000000000001 R12: ffff888057d8a428
R13: 0000000000000000 R14: ffff888058d89620 R15: ffff888058d89608
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
class_spinlock_irqsave_destructor include/linux/spinlock.h:585 [inline]
snd_midi_event_encode_byte sound/core/seq/seq_midi_event.c:183 [inline]
snd_midi_event_encode_byte+0x630/0xe30 sound/core/seq/seq_midi_event.c:170
snd_vmidi_output_work+0x150/0x390 sound/core/seq/seq_virmidi.c:153
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3263
process_scheduled_works kernel/workqueue.c:3346 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3427
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
CR2: fffff52000e84f4a
---[ end trace 0000000000000000 ]---
RIP: 0010:hlist_move_list include/linux/list.h:1122 [inline]
RIP: 0010:collect_expired_timers kernel/time/timer.c:1819 [inline]
RIP: 0010:__run_timers+0x320/0x960 kernel/time/timer.c:2354
Code: 31 00 0f 85 c5 05 00 00 48 85 c0 49 89 07 48 89 44 24 18 74 24 e8 10 ea 13 00 48 8b 44 24 18 48 8d 78 08 48 89 f9 48 c1 e9 03 <42> 80 3c 31 00 0f 85 af 05 00 00 4c 89 78 08 e8 ec e9 13 00 83 44
RSP: 0018:ffffc90000007d50 EFLAGS: 00010802
RAX: ffffc90007427a48 RBX: 0000000000000002 RCX: 1ffff92000e84f4a
RDX: ffff888022d12480 RSI: ffffffff81a87ff0 RDI: ffffc90007427a50
RBP: 0000000003ffff01 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802b225fa8
R13: ffffc90000007e20 R14: dffffc0000000000 R15: ffffc90000007e18
FS: 0000000000000000(0000) GS:ffff888097812000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff52000e84f4a CR3: 000000006695b000 CR4: 0000000000352ef0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffeff7ff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 31 00 xor %eax,(%rax)
2: 0f 85 c5 05 00 00 jne 0x5cd
8: 48 85 c0 test %rax,%rax
b: 49 89 07 mov %rax,(%r15)
e: 48 89 44 24 18 mov %rax,0x18(%rsp)
13: 74 24 je 0x39
15: e8 10 ea 13 00 call 0x13ea2a
1a: 48 8b 44 24 18 mov 0x18(%rsp),%rax
1f: 48 8d 78 08 lea 0x8(%rax),%rdi
23: 48 89 f9 mov %rdi,%rcx
26: 48 c1 e9 03 shr $0x3,%rcx
* 2a: 42 80 3c 31 00 cmpb $0x0,(%rcx,%r14,1) <-- trapping instruction
2f: 0f 85 af 05 00 00 jne 0x5e4
35: 4c 89 78 08 mov %r15,0x8(%rax)
39: e8 ec e9 13 00 call 0x13ea2a
3e: 83 .byte 0x83
3f: 44 rex.R


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
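Added worked example (not part of the syzbot report or of the kernel tree): decoding the fault address. The trapping instruction `cmpb $0x0,(%rcx,%r14,1)` is the inline KASAN shadow check the compiler emitted just before the store `mov %r15,0x8(%rax)`, which is the `pprev` update in hlist_move_list. The sequence `lea 0x8(%rax),%rdi; mov %rdi,%rcx; shr $0x3,%rcx` builds `(addr >> 3) + KASAN_SHADOW_OFFSET` with the offset in R14 (`dffffc0000000000`), so CR2 is a shadow address, not the address the timer code touched. The code below reverses that mapping and classifies the result against the 4-level x86_64 layout documented in Documentation/arch/x86/x86_64/mm.rst; the region bounds and the shadow offset are assumed from that document and from R14, and the sample values are the registers printed above. Run on the report, it shows the timer's hlist_node sits in the vmalloc/ioremap region (which also holds vmap'd task stacks), and a not-present shadow page for a vmalloc address is consistent with that memory having been released already; the report itself has no reproducer and makes no such claim.

```c
/*
 * Added example, not code from the syzbot report or the kernel.
 * Reverse a generic-KASAN x86_64 shadow address to the accessed address
 * and name the virtual-address region it lives in (4-level paging layout,
 * assumed from Documentation/arch/x86/x86_64/mm.rst; 5-level paging moves
 * these ranges).
 */
#include <stdint.h>
#include <stdio.h>

#define KASAN_SHADOW_SCALE_SHIFT 3
/* Generic KASAN shadow offset on x86_64; this is R14 in the report. */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL

enum va_region {
	VA_UNKNOWN,
	VA_DIRECT_MAP,    /* page allocator / slab objects (ffff8880... in the report) */
	VA_VMALLOC,       /* vmalloc/ioremap, also CONFIG_VMAP_STACK task stacks */
	VA_KASAN_SHADOW,  /* where CR2 fell */
	VA_KERNEL_TEXT,
};

/* shadow = (addr >> 3) + offset: the lea/shr/cmpb sequence in the disassembly. */
uint64_t kasan_mem_to_shadow(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse; the low 3 bits (offset inside the 8-byte granule) are not recoverable. */
uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
	return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

enum va_region x86_64_region(uint64_t addr)
{
	if (addr >= 0xffff888000000000ULL && addr <= 0xffffc87fffffffffULL)
		return VA_DIRECT_MAP;
	if (addr >= 0xffffc90000000000ULL && addr <= 0xffffe8ffffffffffULL)
		return VA_VMALLOC;
	if (addr >= 0xffffec0000000000ULL && addr <= 0xfffffbffffffffffULL)
		return VA_KASAN_SHADOW;
	if (addr >= 0xffffffff80000000ULL && addr <= 0xffffffff9fffffffULL)
		return VA_KERNEL_TEXT;
	return VA_UNKNOWN;
}

const char *region_name(enum va_region r)
{
	switch (r) {
	case VA_DIRECT_MAP:   return "direct map";
	case VA_VMALLOC:      return "vmalloc/ioremap";
	case VA_KASAN_SHADOW: return "KASAN shadow";
	case VA_KERNEL_TEXT:  return "kernel text";
	default:              return "unknown";
	}
}

/*
 * Given a CR2 value from a KASAN kernel, return the address the instrumented
 * access actually targeted if CR2 is in the shadow range, else CR2 unchanged.
 */
uint64_t decode_fault_address(uint64_t cr2)
{
	if (x86_64_region(cr2) == VA_KASAN_SHADOW)
		return kasan_shadow_to_mem(cr2);
	return cr2;
}

int main(void)
{
	/* Values copied from the report: CR2, RDI (address under check), RAX (hlist_node). */
	uint64_t cr2 = 0xfffff52000e84f4aULL;
	uint64_t rdi = 0xffffc90007427a50ULL;
	uint64_t rax = 0xffffc90007427a48ULL;
	uint64_t mem = decode_fault_address(cr2);

	printf("CR2 %016llx is %s\n", (unsigned long long)cr2,
	       region_name(x86_64_region(cr2)));
	printf("checked address %016llx (%s), matches RDI: %s\n",
	       (unsigned long long)mem, region_name(x86_64_region(mem)),
	       mem == rdi ? "yes" : "no");
	printf("timer hlist_node at %016llx, pprev at +8 = %016llx\n",
	       (unsigned long long)rax, (unsigned long long)(rax + 8));
	return 0;
}
```

The shadow byte being fetched from an unmapped page (error_code 0x0000, PTE 0) is why this surfaced as a plain page fault rather than a KASAN report: KASAN never got to compare the byte.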