syzbot

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000014: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000000a0-0x00000000000000a7]
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.11.0-rc5-next-20240827-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:is_same_group kernel/sched/fair.c:411 [inline]
RIP: 0010:find_matching_se kernel/sched/fair.c:448 [inline]
RIP: 0010:check_preempt_wakeup_fair+0x471/0xb00 kernel/sched/fair.c:8679
Code: 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 ff e8 40 d3 95 00 4d 8b 3f 49 8d ae a0 00 00 00 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 20 d3 95 00 48 8b 5d 00 49 8d af
RSP: 0018:ffffc90000007ce0 EFLAGS: 00010006
RAX: 0000000000000014 RBX: ffff8880b903eb80 RCX: ffffffff81670ea8
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88802003bc00
RBP: 00000000000000a0 R08: ffff88802003bc07 R09: 1ffff11004007780
R10: dffffc0000000000 R11: ffffed1004007781 R12: ffff8880b913eac0
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fae510d3f98 CR3: 0000000023d3e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 wakeup_preempt+0xd8/0x2a0 kernel/sched/core.c:2128
 ttwu_do_activate+0x1f8/0x7e0 kernel/sched/core.c:3666
 ttwu_queue kernel/sched/core.c:3940 [inline]
 try_to_wake_up+0x8bc/0x1480 kernel/sched/core.c:4266
 swake_up_locked kernel/sched/swait.c:29 [inline]
 complete_with_flags kernel/sched/completion.c:24 [inline]
 complete+0xac/0x1c0 kernel/sched/completion.c:47
 csd_do_func kernel/smp.c:134 [inline]
 __flush_smp_call_function_queue+0xb88/0x1690 kernel/smp.c:571
 __sysvec_call_function_single+0xb8/0x430 arch/x86/kernel/smp.c:271
 instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline]
 sysvec_call_function_single+0x9e/0xc0 arch/x86/kernel/smp.c:266
 </IRQ>
 <TASK>
 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:709
RIP: 0010:finish_task_switch+0x1ea/0x870 kernel/sched/core.c:5185
Code: c9 50 e8 b9 f8 0b 00 48 83 c4 08 4c 89 f7 e8 7d 38 00 00 e9 de 04 00 00 4c 89 f7 e8 80 b7 65 0a e8 cb b0 37 00 fb 48 8b 5d c0 <48> 8d bb f8 15 00 00 48 89 f8 48 c1 e8 03 49 be 00 00 00 00 00 fc
RSP: 0018:ffffffff8e607b08 EFLAGS: 00000286
RAX: 4475b29e6080a700 RBX: ffffffff8e694640 RCX: ffffffff94f9b903
RDX: dffffc0000000000 RSI: ffffffff8c0acac0 RDI: ffffffff8c6088c0
RBP: ffffffff8e607b50 R08: ffffffff901c362f R09: 1ffffffff20386c5
R10: dffffc0000000000 R11: fffffbfff20386c6 R12: 1ffff11017207f1b
R13: dffffc0000000000 R14: ffff8880b903eac0 R15: ffff8880b903f8d8
 context_switch kernel/sched/core.c:5314 [inline]
 __schedule+0x1852/0x4b30 kernel/sched/core.c:6677
 schedule_idle+0x53/0x90 kernel/sched/core.c:6795
 do_idle+0x56a/0x5d0 kernel/sched/idle.c:354
 cpu_startup_entry+0x42/0x60 kernel/sched/idle.c:424
 rest_init+0x2dc/0x300 init/main.c:747
 start_kernel+0x47f/0x500 init/main.c:1105
 x86_64_start_reservations+0x2a/0x30 arch/x86/kernel/head64.c:507
 x86_64_start_kernel+0x9f/0xa0 arch/x86/kernel/head64.c:488
 common_startup_64+0x13e/0x147
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:is_same_group kernel/sched/fair.c:411 [inline]
RIP: 0010:find_matching_se kernel/sched/fair.c:448 [inline]
RIP: 0010:check_preempt_wakeup_fair+0x471/0xb00 kernel/sched/fair.c:8679
Code: 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 ff e8 40 d3 95 00 4d 8b 3f 49 8d ae a0 00 00 00 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 20 d3 95 00 48 8b 5d 00 49 8d af
RSP: 0018:ffffc90000007ce0 EFLAGS: 00010006
RAX: 0000000000000014 RBX: ffff8880b903eb80 RCX: ffffffff81670ea8
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88802003bc00
RBP: 00000000000000a0 R08: ffff88802003bc07 R09: 1ffff11004007780
R10: dffffc0000000000 R11: ffffed1004007781 R12: ffff8880b913eac0
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fae510d3f98 CR3: 0000000023d3e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	00 4c 89 f8          	add    %cl,-0x8(%rcx,%rcx,4)
   6:	48 c1 e8 03          	shr    $0x3,%rax
   a:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1)
   f:	74 08                	je     0x19
  11:	4c 89 ff             	mov    %r15,%rdi
  14:	e8 40 d3 95 00       	call   0x95d359
  19:	4d 8b 3f             	mov    (%r15),%r15
  1c:	49 8d ae a0 00 00 00 	lea    0xa0(%r14),%rbp
  23:	48 89 e8             	mov    %rbp,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	48 89 ef             	mov    %rbp,%rdi
  34:	e8 20 d3 95 00       	call   0x95d359
  39:	48 8b 5d 00          	mov    0x0(%rbp),%rbx
  3d:	49                   	rex.WB
  3e:	8d                   	.byte 0x8d
  3f:	af                   	scas   %es:(%rdi),%eax