BUG: unable to handle kernel NULL pointer dereference in ___preempt_schedule

syzbot

Jun 17, 2020, 12:20:18 PM6/17/20
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: b850307b Linux 4.14.184
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=149bd6b6100000
kernel config: https://syzkaller.appspot.com/x/.config?x=ddc0f08dd6b981c5
dashboard link: https://syzkaller.appspot.com/bug?extid=3fb7ccdd48a567f08238
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3fb7cc...@syzkaller.appspotmail.com

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: ___preempt_schedule+0x16/0x18
PGD a863a067 P4D a863a067 PUD 9ee46067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 11739 Comm: syz-executor.5 Not tainted 4.14.184-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880a5cfa600 task.stack: ffff8880863c8000
RIP: 0010:___preempt_schedule+0x16/0x18
RSP: 0018:ffff8880863cfab0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000282 RCX: 0000000000000000
RDX: 1ffff11015da57e3 RSI: 1ffff11010c79f41 RDI: ffff8880aed2bf18
RBP: ffff8880863cfaf8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: 1ffff11010c79f66
FS: 00007f8f472af700(0000) GS:ffff8880aed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000008bb82000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:161 [inline]
_raw_spin_unlock_irqrestore+0xaf/0xe0 kernel/locking/spinlock.c:192
spin_unlock_irqrestore include/linux/spinlock.h:372 [inline]
__wake_up_common_lock+0xcd/0x140 kernel/sched/wait.c:126
wakeup_pipe_writers+0x54/0x80 fs/splice.c:459
splice_from_pipe_next.part.0+0x1b4/0x290 fs/splice.c:562
splice_from_pipe_next fs/splice.c:545 [inline]
__splice_from_pipe+0xf9/0x740 fs/splice.c:624
vmsplice_to_user+0x197/0x1c0 fs/splice.c:1272
SYSC_vmsplice fs/splice.c:1353 [inline]
SyS_vmsplice+0x12a/0x150 fs/splice.c:1334
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
BUG: unable to handle kernel paging request at 0000000000040000
IP: in_gate_area_no_mm+0x0/0x4a arch/x86/entry/vsyscall/vsyscall_64.c:333
PGD a863a067 P4D a863a067 PUD 9ee46067 PMD 0
Oops: 0002 [#2] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 11739 Comm: syz-executor.5 Not tainted 4.14.184-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880a5cfa600 task.stack: ffff8880863c8000
RIP: 0010:in_gate_area_no_mm+0x0/0x4a arch/x86/entry/vsyscall/vsyscall_64.c:333
RSP: 0018:ffff8880863cf110 EFLAGS: 00010046
RAX: 0000000000040000 RBX: 1ffff11010c79e2b RCX: ffffc90012fde000
RDX: 0000000000040000 RSI: ffffffff81536138 RDI: 000000000045ca59
RBP: 000000000045ca59 R08: ffff8880863cf240 R09: fffffbfff146817a
R10: fffffbfff1468179 R11: ffffffff8a340bcb R12: ffff8880863cf240
R13: ffff8880863cf178 R14: ffff8880863cf1b8 R15: ffff8880863cf198
FS: 00007f8f472af700(0000) GS:ffff8880aed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000040000 CR3: 000000008bb82000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
is_kernel kernel/kallsyms.c:74 [inline]
is_ksym_addr kernel/kallsyms.c:80 [inline]
kallsyms_lookup+0xa0/0x260 kernel/kallsyms.c:324
__sprint_symbol+0x89/0x190 kernel/kallsyms.c:393
symbol_string+0x174/0x1b0 lib/vsprintf.c:685
pointer+0x3d4/0xa00 lib/vsprintf.c:1728
vsnprintf+0x4ed/0x1350 lib/vsprintf.c:2185
vscnprintf+0x29/0x60 lib/vsprintf.c:2284
vprintk_store+0x3f/0x310 kernel/printk/printk.c:1848
vprintk_emit+0xf9/0x600 kernel/printk/printk.c:1906
vprintk_func+0x58/0x152 kernel/printk/printk_safe.c:401
printk+0x9e/0xbc kernel/printk/printk.c:1996
show_iret_regs+0x1d/0x3f arch/x86/kernel/dumpstack.c:75
__show_regs+0x18/0x50 arch/x86/kernel/process_64.c:74
show_trace_log_lvl+0x23f/0x281 arch/x86/kernel/dumpstack.c:218
show_regs+0x58/0xfd arch/x86/kernel/dumpstack_64.c:170
__die+0x92/0xb8 arch/x86/kernel/dumpstack.c:330
no_context+0x5bb/0x7c0 arch/x86/mm/fault.c:857
__bad_area_nosemaphore+0x1f3/0x2c0 arch/x86/mm/fault.c:948
__do_page_fault+0x842/0xb50 arch/x86/mm/fault.c:1412
page_fault+0x25/0x50 arch/x86/entry/entry_64.S:1123
RIP: 0010:___preempt_schedule+0x16/0x18
RSP: 0018:ffff8880863cfab0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000282 RCX: 0000000000000000
RDX: 1ffff11015da57e3 RSI: 1ffff11010c79f41 RDI: ffff8880aed2bf18
RBP: ffff8880863cfaf8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: 1ffff11010c79f66
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:161 [inline]
_raw_spin_unlock_irqrestore+0xaf/0xe0 kernel/locking/spinlock.c:192
spin_unlock_irqrestore include/linux/spinlock.h:372 [inline]
__wake_up_common_lock+0xcd/0x140 kernel/sched/wait.c:126
wakeup_pipe_writers+0x54/0x80 fs/splice.c:459
splice_from_pipe_next.part.0+0x1b4/0x290 fs/splice.c:562
splice_from_pipe_next fs/splice.c:545 [inline]
__splice_from_pipe+0xf9/0x740 fs/splice.c:624
vmsplice_to_user+0x197/0x1c0 fs/splice.c:1272
SYSC_vmsplice fs/splice.c:1353 [inline]
SyS_vmsplice+0x12a/0x150 fs/splice.c:1334
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
BUG: unable to handle kernel paging request at 0000000000040000
IP: in_gate_area_no_mm+0x0/0x4a arch/x86/entry/vsyscall/vsyscall_64.c:333
PGD a863a067 P4D a863a067 PUD 9ee46067 PMD 0
Oops: 0002 [#3] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 11739 Comm: syz-executor.5 Not tainted 4.14.184-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880a5cfa600 task.stack: ffff8880863c8000
RIP: 0010:in_gate_area_no_mm+0x0/0x4a arch/x86/entry/vsyscall/vsyscall_64.c:333
RSP: 0018:ffff8880863ce758 EFLAGS: 00010046
RAX: 0000000000040000 RBX: 1ffff11010c79cf4 RCX: ffffc90012fde000
RDX: 0000000000040000 RSI: ffffffff81536138 RDI: 000000000045ca59
RBP: 000000000045ca59 R08: ffff8880863ce888 R09: ffffed1015da44bd
R10: ffffed1015da44bc R11: ffff8880aed225e5 R12: ffff8880863ce888
R13: ffff8880863ce7c0 R14: ffff8880863ce800 R15: ffff8880863ce7e0
FS: 00007f8f472af700(0000) GS:ffff8880aed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000040000 CR3: 000000008bb82000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
is_kernel kernel/kallsyms.c:74 [inline]
is_ksym_addr kernel/kallsyms.c:80 [inline]
kallsyms_lookup+0xa0/0x260 kernel/kallsyms.c:324
__sprint_symbol+0x89/0x190 kernel/kallsyms.c:393
symbol_string+0x174/0x1b0 lib/vsprintf.c:685
pointer+0x3d4/0xa00 lib/vsprintf.c:1728
vsnprintf+0x4ed/0x1350 lib/vsprintf.c:2185
vscnprintf+0x29/0x60 lib/vsprintf.c:2284
printk_safe_log_store+0xc5/0x1a0 kernel/printk/printk_safe.c:108
vprintk_safe kernel/printk/printk_safe.c:361 [inline]
vprintk_func+0xfa/0x152 kernel/printk/printk_safe.c:398
printk+0x9e/0xbc kernel/printk/printk.c:1996
show_iret_regs+0x1d/0x3f arch/x86/kernel/dumpstack.c:75
__show_regs+0x18/0x50 arch/x86/kernel/process_64.c:74
show_trace_log_lvl+0x23f/0x281 arch/x86/kernel/dumpstack.c:218
show_regs+0x58/0xfd arch/x86/kernel/dumpstack_64.c:170
__die+0x92/0xb8 arch/x86/kernel/dumpstack.c:330
no_context+0x5bb/0x7c0 arch/x86/mm/fault.c:857
__bad_area_nosemaphore+0x1f3/0x2c0 arch/x86/mm/fault.c:948
__do_page_fault+0x195/0xb50 arch/x86/mm/fault.c:1374
page_fault+0x25/0x50 arch/x86/entry/entry_64.S:1123
RIP: 0010:in_gate_area_no_mm+0x0/0x4a arch/x86/entry/vsyscall/vsyscall_64.c:333
RSP: 0018:ffff8880863cf110 EFLAGS: 00010046
RAX: 0000000000040000 RBX: 1ffff11010c79e2b RCX: ffffc90012fde000
RDX: 0000000000040000 RSI: ffffffff81536138 RDI: 000000000045ca59
RBP: 000000000045ca59 R08: ffff8880863cf240 R09: fffffbfff146817a
R10: fffffbfff1468179 R11: ffffffff8a340bcb R12: ffff8880863cf240
R13: ffff8880863cf178 R14: ffff8880863cf1b8 R15: ffff8880863cf198
is_kernel kernel/kallsyms.c:74 [inline]
is_ksym_addr kernel/kallsyms.c:80 [inline]
kallsyms_lookup+0xa0/0x260 kernel/kallsyms.c:324
__sprint_symbol+0x89/0x190 kernel/kallsyms.c:393
symbol_string+0x174/0x1b0 lib/vsprintf.c:685
pointer+0x3d4/0xa00 lib/vsprintf.c:1728
vsnprintf+0x4ed/0x1350 lib/vsprintf.c:2185
vscnprintf+0x29/0x60 lib/vsprintf.c:2284
vprintk_store+0x3f/0x310 kernel/printk/printk.c:1848
vprintk_emit+0xf9/0x600 kernel/printk/printk.c:1906
vprintk_func+0x58/0x152 kernel/printk/printk_safe.c:401
printk+0x9e/0xbc kernel/printk/printk.c:1996
show_iret_regs+0x1d/0x3f arch/x86/kernel/dumpstack.c:75
__show_regs+0x18/0x50 arch/x86/kernel/process_64.c:74
show_trace_log_lvl+0x23f/0x281 arch/x86/kernel/dumpstack.c:218
show_regs+0x58/0xfd arch/x86/kernel/dumpstack_64.c:170
__die+0x92/0xb8 arch/x86/kernel/dumpstack.c:330
no_context+0x5bb/0x7c0 arch/x86/mm/fault.c:857
__bad_area_nosemaphore+0x1f3/0x2c0 arch/x86/mm/fault.c:948
__do_page_fault+0x842/0xb50 arch/x86/mm/fault.c:1412
page_fault+0x25/0x50 arch/x86/entry/entry_64.S:1123
RIP: 0010:___preempt_schedule+0x16/0x18
RSP: 0018:ffff8880863cfab0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000282 RCX: 0000000000000000

Lost 102 message(s)!


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
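The report above is one bug, not three. Oops #1 is the real fault: a kernel-mode write to address 0 in ___preempt_schedule, reached from vmsplice(2) through splice_from_pipe_next, wakeup_pipe_writers and spin_unlock_irqrestore. Oops #2 and #3 are the reporter itself faulting (page_fault under __die, show_regs, printk and kallsyms_lookup) while it tried to print the first one, and "Lost 102 message(s)!" says the tail of the report was dropped, so the trace of #1 is all there is to work from. The following helper, an added example that is not part of the syzbot report, syzkaller or the kernel tree, parses this 4.14-era oops format into records, decodes the "Oops: 0002" error code, separates the root oops from the ones raised inside the die path, and pulls out the system call the task was in. SAMPLE is a trimmed copy of the report above, constructed for the assertions; the DIE_PATH symbol set and SYSCALL_PREFIXES list are heuristics chosen here, not anything the kernel defines.

```python
"""Triage helper for the Linux x86 oops format in the syzbot mail above (4.14 era).
Added example, not code from syzbot, syzkaller or the kernel tree.  SAMPLE is a
trimmed, constructed copy of the report above, used by the assertions."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# 4.14 prints "BUG: unable to handle kernel <kind> at <addr>" (newer kernels differ).
BUG_RE = re.compile(r"^BUG: unable to handle kernel (?P<kind>.+?) at (?P<addr>\S+)$")
OOPS_RE = re.compile(r"^Oops: (?P<code>[0-9a-f]{4}) \[#(?P<num>\d+)\]")
RIP_RE = re.compile(r"^RIP: 0010:(?P<sym>[^+\s]+)")
# "sym+0xoff/0xlen path:line [inline]", all parts after sym optional; "? " = unreliable.
FRAME_RE = re.compile(r"^(?:\? )?(?P<sym>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"(?: (?P<loc>\S+))?(?: \[inline\])?$")
LOST_RE = re.compile(r"^Lost (?P<n>\d+) message\(s\)!$")
DIE_PATH = {"__die", "no_context", "show_regs", "show_trace_log_lvl"}  # heuristic (assumed)
SYSCALL_PREFIXES = ("SYSC_", "SyS_", "__x64_sys_", "__do_sys_", "__se_sys_", "ksys_")
Frame = namedtuple("Frame", "sym loc inline")


@dataclass
class Oops:
    kind: str
    addr: str
    num: int = 0
    code: int = 0
    rip: str = ""
    frames: list = field(default_factory=list)


def describe_code(code: int) -> str:
    """Decode the x86 page-fault error code printed after "Oops:"."""
    return " ".join([
        "user" if code & 0x4 else "kernel",
        "instruction fetch" if code & 0x10 else ("write" if code & 0x2 else "read"),
        "protection violation" if code & 0x1 else "on a not-present page"])


def parse_oopses(text: str) -> list:
    """Split a report into Oops records; frames are collected after "Call Trace:"."""
    oopses, in_trace = [], False
    for line in map(str.strip, text.splitlines()):
        if (m := BUG_RE.match(line)):
            oopses.append(Oops(kind=m["kind"], addr=m["addr"]))
            in_trace = False
        elif not oopses:
            continue
        elif (m := OOPS_RE.match(line)):
            oopses[-1].num, oopses[-1].code = int(m["num"]), int(m["code"], 16)
        elif line == "Call Trace:":
            in_trace = True
        elif (m := RIP_RE.match(line)):
            if in_trace:  # a RIP inside the trace is the context the fault interrupted
                oopses[-1].frames.append(Frame(m["sym"], None, False))
            elif not oopses[-1].rip:
                oopses[-1].rip = m["sym"]
        elif in_trace and (m := FRAME_RE.match(line)):
            oopses[-1].frames.append(Frame(m["sym"], m["loc"], line.endswith("[inline]")))
    return oopses


def nested_in_die_path(o: Oops) -> bool:
    """True if this oops fired while the kernel was already reporting an earlier one."""
    return any(f.sym in DIE_PATH for f in o.frames)


def syscall_of(o: Oops):
    """Syscall name from the first syscall-wrapper frame, or None."""
    hits = [f.sym[len(p):] for f in o.frames for p in SYSCALL_PREFIXES if f.sym.startswith(p)]
    return hits[0] if hits else None


def lost_messages(text: str) -> int:
    return sum(int(m["n"]) for line in text.splitlines() if (m := LOST_RE.match(line.strip())))


def triage(text: str) -> dict:
    oopses = parse_oopses(text)
    if not oopses:
        return {}
    root = next((o for o in oopses if o.num == 1), oopses[0])
    return {"root_rip": root.rip,
            "fault": f"{root.kind} at {root.addr}, {describe_code(root.code)}",
            "syscall": syscall_of(root),
            "nested_in_die_path": sum(nested_in_die_path(o) for o in oopses if o is not root),
            "lost_messages": lost_messages(text)}


SAMPLE = """\
BUG: unable to handle kernel NULL pointer dereference at (null)
Oops: 0002 [#1] PREEMPT SMP KASAN
RIP: 0010:___preempt_schedule+0x16/0x18
Call Trace:
splice_from_pipe_next.part.0+0x1b4/0x290 fs/splice.c:562
vmsplice_to_user+0x197/0x1c0 fs/splice.c:1272
SYSC_vmsplice fs/splice.c:1353 [inline]
SyS_vmsplice+0x12a/0x150 fs/splice.c:1334
entry_SYSCALL_64_after_hwframe+0x46/0xbb
BUG: unable to handle kernel paging request at 0000000000040000
Oops: 0002 [#2] PREEMPT SMP KASAN
RIP: 0010:in_gate_area_no_mm+0x0/0x4a arch/x86/entry/vsyscall/vsyscall_64.c:333
Call Trace:
__die+0x92/0xb8 arch/x86/kernel/dumpstack.c:330
page_fault+0x25/0x50 arch/x86/entry/entry_64.S:1123
RIP: 0010:___preempt_schedule+0x16/0x18
SyS_vmsplice+0x12a/0x150 fs/splice.c:1334
Lost 102 message(s)!
"""
```

Run `triage(SAMPLE)`, or `triage(open("report.txt").read())` on the console log linked in the report, to get the root RIP, the decoded fault ("kernel write on a not-present page" for 0002), the syscall (vmsplice) and how many of the remaining oopses are only reporting fallout. The BUG line pattern is the 4.14 one; kernels from 5.0 on print "BUG: kernel NULL pointer dereference, address: ..." and need a second pattern.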

syzbot

Oct 15, 2020, 12:20:12 PM10/15/20
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.