syzbot

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 9015 Comm: syz.2.766 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:___pcpu_freelist_pop kernel/bpf/percpu_freelist.c:114 [inline]
RIP: 0010:__pcpu_freelist_pop+0x6b7/0x8c0 kernel/bpf/percpu_freelist.c:125
Code: 10 48 3b 8c 24 80 00 00 00 0f 85 b4 01 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 48 89 f8 48 c1 e8 03 <80> 3c 18 00 48 89 7c 24 20 74 0a e8 d9 39 41 00 48 8b 7c 24 20 48
RSP: 0000:ffffc900041bf580 EFLAGS: 00010046
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffe8ffffd39620
RDX: ffffc9000d530000 RSI: 00000000000000e7 RDI: 0000000000000002
RBP: ffffc900041bf650 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000837ebc R12: 1ffffd1ffffa72c3
R13: ffffe8ffffd39618 R14: 0000000000000001 R15: 0000000000000000
FS:  00007f157ebba6c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000100000001 CR3: 0000000077df6000 CR4: 00000000003526f0
DR0: 0000200000000300 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 <TASK>
 pcpu_freelist_pop+0xca/0x170 kernel/bpf/percpu_freelist.c:134
 __bpf_get_stackid+0x574/0xcf0 kernel/bpf/stackmap.c:259
 ____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1810 [inline]
 bpf_get_stackid_raw_tp+0x196/0x210 kernel/trace/bpf_trace.c:1799
 bpf_prog_12712c88fd19bd5b+0x2a/0x32
 bpf_dispatcher_nop_func include/linux/bpf.h:1332 [inline]
 __bpf_prog_run include/linux/filter.h:718 [inline]
 bpf_prog_run include/linux/filter.h:725 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2257 [inline]
 bpf_trace_run4+0x28b/0x4a0 kernel/trace/bpf_trace.c:2300
 __do_trace_mm_page_alloc include/trace/events/kmem.h:177 [inline]
 trace_mm_page_alloc+0x129/0x150 include/trace/events/kmem.h:177
 __alloc_frozen_pages_noprof+0x1d6/0x370 mm/page_alloc.c:5170
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline]
 vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470
 folio_prealloc+0x30/0x180 mm/memory.c:-1
 alloc_anon_folio mm/memory.c:4997 [inline]
 do_anonymous_page mm/memory.c:5054 [inline]
 do_pte_missing mm/memory.c:4232 [inline]
 handle_pte_fault mm/memory.c:6052 [inline]
 __handle_mm_fault+0x2ab9/0x5440 mm/memory.c:6195
 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364
 do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7f157dc4e1ee
Code: f6 31 c0 e8 b4 f2 13 00 48 81 c4 90 00 00 00 48 98 5b c3 66 0f 1f 84 00 00 00 00 00 41 54 55 53 48 89 fb 48 81 ec d0 00 00 00 <48> 89 74 24 28 48 89 54 24 30 48 89 4c 24 38 4c 89 44 24 40 4c 89
RSP: 002b:00007f157ebb9f70 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 00007f157de13167 RCX: 00007f157de23b64
RDX: 0000000000028ef1 RSI: 0000000000000001 RDI: 00007f157de13167
RBP: 00007f157dfc6090 R08: 000000002de3dd0b R09: 7fffffffffffffff
R10: 3fffffffffffffff R11: 0000000000000246 R12: 0000000000000001
R13: 00007f157dfc6128 R14: 00007f157dfc6090 R15: 00007ffc9e29de68
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:___pcpu_freelist_pop kernel/bpf/percpu_freelist.c:114 [inline]
RIP: 0010:__pcpu_freelist_pop+0x6b7/0x8c0 kernel/bpf/percpu_freelist.c:125
Code: 10 48 3b 8c 24 80 00 00 00 0f 85 b4 01 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 48 89 f8 48 c1 e8 03 <80> 3c 18 00 48 89 7c 24 20 74 0a e8 d9 39 41 00 48 8b 7c 24 20 48
RSP: 0000:ffffc900041bf580 EFLAGS: 00010046
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffe8ffffd39620
RDX: ffffc9000d530000 RSI: 00000000000000e7 RDI: 0000000000000002
RBP: ffffc900041bf650 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000837ebc R12: 1ffffd1ffffa72c3
R13: ffffe8ffffd39618 R14: 0000000000000001 R15: 0000000000000000
FS:  00007f157ebba6c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000100000001 CR3: 0000000077df6000 CR4: 00000000003526f0
DR0: 0000200000000300 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
----------------
Code disassembly (best guess):
   0:	10 48 3b             	adc    %cl,0x3b(%rax)
   3:	8c 24 80             	mov    %fs,(%rax,%rax,4)
   6:	00 00                	add    %al,(%rax)
   8:	00 0f                	add    %cl,(%rdi)
   a:	85 b4 01 00 00 48 8d 	test   %esi,-0x72b80000(%rcx,%rax,1)
  11:	65 d8 5b 41          	fcomps %gs:0x41(%rbx)
  15:	5c                   	pop    %rsp
  16:	41 5d                	pop    %r13
  18:	41 5e                	pop    %r14
  1a:	41 5f                	pop    %r15
  1c:	5d                   	pop    %rbp
  1d:	c3                   	ret
  1e:	cc                   	int3
  1f:	cc                   	int3
  20:	cc                   	int3
  21:	cc                   	int3
  22:	cc                   	int3
  23:	48 89 f8             	mov    %rdi,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	80 3c 18 00          	cmpb   $0x0,(%rax,%rbx,1) <-- trapping instruction
  2e:	48 89 7c 24 20       	mov    %rdi,0x20(%rsp)
  33:	74 0a                	je     0x3f
  35:	e8 d9 39 41 00       	call   0x413a13
  3a:	48 8b 7c 24 20       	mov    0x20(%rsp),%rdi
  3f:	48                   	rex.W