Hello, syzbot found the following issue on: HEAD commit: 4a7d37e824f5 Merge tag 'hardening-v6.3-rc1' of git://git.k.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=11fbf928c80000 kernel config: https://syzkaller.appspot.com/x/.config?x=8b969c5af147d31c dashboard link: https://syzkaller.appspot.com/bug?extid=21f2b8753d8bfc6bb816 compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17c64f20c80000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13734ba0c80000 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/6c3d867561ee/disk-4a7d37e8.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/422516721d17/vmlinux-4a7d37e8.xz kernel image: https://storage.googleapis.com/syzbot-assets/164340e12ac4/bzImage-4a7d37e8.xz mounted in repro #1: https://storage.googleapis.com/syzbot-assets/71954e6c3886/mount_1.gz mounted in repro #2: https://storage.googleapis.com/syzbot-assets/89d5f0b5f58a/mount_5.gz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+21f2b8753d8bfc6bb816@xxxxxxxxxxxxxxxxxxxxxxxxx general protection fault, probably for non-canonical address 0xe3fffb24000f33f5: 0000 [#1] PREEMPT SMP KASAN KASAN: maybe wild-memory-access in range [0x1ffff92000799fa8-0x1ffff92000799faf] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.2.0-syzkaller-02299-g4a7d37e824f5 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023 RIP: 0010:__timerqueue_less lib/timerqueue.c:22 [inline] RIP: 0010:rb_add_cached include/linux/rbtree.h:174 [inline] RIP: 0010:timerqueue_add+0xf7/0x330 lib/timerqueue.c:40 Code: 48 c1 ea 03 42 80 3c 22 00 0f 85 c4 01 00 00 49 8b 17 48 85 d2 74 40 48 89 d3 e8 44 f1 c3 f7 48 8d 7b 18 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 ab 01 00 00 4c 8b 7b 18 4c 89 ef 4c 89 fe e8 RSP: 0018:ffffc900001e0da8 EFLAGS: 00010017 RAX: 03ffff24000f33f5 RBX: 1ffff92000799f95 RCX: 0000000000000000 RDX: ffff88813feb1d40 RSI: ffffffff89bdeb3c RDI: 1ffff92000799fad RBP: ffff8880b992c0e0 R08: 0000000000000006 R09: 00000009dd72e480 R10: ffffc90003c9f5f8 R11: 0000000000000000 R12: dffffc0000000000 R13: 00000009dd72e480 R14: 0000000000000000 R15: ffffc90003ccfc58 FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f16907af000 CR3: 000000001de6d000 CR4: 0000000000350ee0 Call Trace: <IRQ> enqueue_hrtimer+0x1aa/0x490 kernel/time/hrtimer.c:1091 __run_hrtimer kernel/time/hrtimer.c:1702 [inline] __hrtimer_run_queues+0xc71/0x1010 kernel/time/hrtimer.c:1749 hrtimer_interrupt+0x320/0x790 kernel/time/hrtimer.c:1811 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1096 [inline] __sysvec_apic_timer_interrupt+0x180/0x660 arch/x86/kernel/apic/apic.c:1113 sysvec_apic_timer_interrupt+0x92/0xc0 arch/x86/kernel/apic/apic.c:1107 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649 RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline] RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:72 [inline] RIP: 0010:acpi_safe_halt+0x40/0x50 drivers/acpi/processor_idle.c:113 Code: eb 03 83 e3 01 89 de 0f 1f 44 00 00 84 db 75 1b 0f 1f 44 00 00 eb 0c 0f 1f 44 00 00 0f 00 2d e7 5a a8 00 0f 1f 44 00 00 fb f4 <fa> 5b c3 cc 0f 1f 00 66 0f 1f 84 00 00 00 00 00 55 48 89 fd 53 0f RSP: 0018:ffffc90000177d10 EFLAGS: 00000246 RAX: ffff88813feb1d40 RBX: 0000000000000000 RCX: ffffffff8a096b45 RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff8880179b1864 R08: 0000000000000001 R09: ffff8880b993606b R10: ffffed1017326c0d R11: 0000000000000000 R12: 0000000000000001 R13: ffff8880179b1800 R14: ffff8880179b1864 R15: 0000000000000000 acpi_idle_do_entry+0x53/0x70 drivers/acpi/processor_idle.c:573 acpi_idle_enter+0x173/0x290 drivers/acpi/processor_idle.c:711 cpuidle_enter_state+0xd3/0x6f0 drivers/cpuidle/cpuidle.c:267 cpuidle_enter+0x4e/0xa0 drivers/cpuidle/cpuidle.c:388 cpuidle_idle_call kernel/sched/idle.c:215 [inline] do_idle+0x348/0x440 kernel/sched/idle.c:282 cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:379 start_secondary+0x256/0x300 arch/x86/kernel/smpboot.c:264 secondary_startup_64_no_verify+0xce/0xdb </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:__timerqueue_less lib/timerqueue.c:22 [inline] RIP: 0010:rb_add_cached include/linux/rbtree.h:174 [inline] RIP: 0010:timerqueue_add+0xf7/0x330 lib/timerqueue.c:40 Code: 48 c1 ea 03 42 80 3c 22 00 0f 85 c4 01 00 00 49 8b 17 48 85 d2 74 40 48 89 d3 e8 44 f1 c3 f7 48 8d 7b 18 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 ab 01 00 00 4c 8b 7b 18 4c 89 ef 4c 89 fe e8 RSP: 0018:ffffc900001e0da8 EFLAGS: 00010017 RAX: 03ffff24000f33f5 RBX: 1ffff92000799f95 RCX: 0000000000000000 RDX: ffff88813feb1d40 RSI: ffffffff89bdeb3c RDI: 1ffff92000799fad RBP: ffff8880b992c0e0 R08: 0000000000000006 R09: 00000009dd72e480 R10: ffffc90003c9f5f8 R11: 0000000000000000 R12: dffffc0000000000 R13: 00000009dd72e480 R14: 0000000000000000 R15: ffffc90003ccfc58 FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f16907af000 CR3: 000000001de6d000 CR4: 0000000000350ee0 ---------------- Code disassembly (best guess): 0: 48 c1 ea 03 shr $0x3,%rdx 4: 42 80 3c 22 00 cmpb $0x0,(%rdx,%r12,1) 9: 0f 85 c4 01 00 00 jne 0x1d3 f: 49 8b 17 mov (%r15),%rdx 12: 48 85 d2 test %rdx,%rdx 15: 74 40 je 0x57 17: 48 89 d3 mov %rdx,%rbx 1a: e8 44 f1 c3 f7 callq 0xf7c3f163 1f: 48 8d 7b 18 lea 0x18(%rbx),%rdi 23: 48 89 f8 mov %rdi,%rax 26: 48 c1 e8 03 shr $0x3,%rax * 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction 2f: 0f 85 ab 01 00 00 jne 0x1e0 35: 4c 8b 7b 18 mov 0x18(%rbx),%r15 39: 4c 89 ef mov %r13,%rdi 3c: 4c 89 fe mov %r15,%rsi 3f: e8 .byte 0xe8 --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. syzbot can test patches for this issue, for details see: https://goo.gl/tpsmEJ#testing-patches