Re: [syzbot] [kernel?] BUG: unable to handle kernel NULL pointer dereference in __hrtimer_run_queues
From: Thomas Gleixner
Date: Tue Jun 04 2024 - 12:24:17 EST
Will!
On Tue, Jun 04 2024 at 14:34, Will Deacon wrote:
> On Tue, Jun 04, 2024 at 02:29:57PM +0200, Thomas Gleixner wrote:
>> On Mon, Jun 03 2024 at 03:22, syzbot wrote:
>> > * 10: f9400821 ldr x1, [x1, #16] <-- trapping instruction
>> while (node->rb_left)
>>
>> > x2 : ff7000007f8cf8e8 x1 : 0000000000000080 x0 : 0000000000000080
>>
>> which obviously crashes. Now the question is how does the original node
>> end up with node::rb_right == 0x80?
>>
>> I doubt that this is a hrtimer or rbtree problem. It smells like random
>> data corruption caused by whatever. It might not even be an ARM64
>> specific issue though the C repro does not trigger on x86...
>>
>> Handing it over to Catalin and Will.
>
> I suspect this is a duplicate of:
>
> https://lore.kernel.org/lkml/20240604110119.GA20284@willie-the-truck/
>
> and there's a fix queued in the -mm tree.
That looks very much so.
Thanks,
tglx