syzbot

------------[ cut here ]------------
CPU 3 old state 92 new state 1
WARNING: CPU: 3 PID: 13512 at kernel/rcu/srcutree.c:702 srcu_check_nmi_safety+0x10e/0x130 kernel/rcu/srcutree.c:702
Modules linked in:
CPU: 3 PID: 13512 Comm: syz-executor.2 Not tainted 6.10.0-rc5-syzkaller-00018-g55027e689933 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:srcu_check_nmi_safety+0x10e/0x130 kernel/rcu/srcutree.c:702
Code: c0 74 11 3c 03 7f 0d 89 54 24 04 e8 8c 51 77 00 8b 54 24 04 8b b3 c8 01 00 00 44 89 e1 48 c7 c7 60 43 2e 8b e8 b3 a5 dc ff 90 <0f> 0b 90 90 e9 7b ff ff ff e8 64 51 77 00 e9 65 ff ff ff e8 8a 51
RSP: 0018:ffffc90026fd72e8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffe8ffad388c80 RCX: ffffc9000d224000
RDX: 0000000000040000 RSI: ffffffff81511296 RDI: 0000000000000001
RBP: ffffc90029b9e8a8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000003 R12: 0000000000000001
R13: 00000000203c4000 R14: ffffc90029b9e828 R15: ffffc90029b9e828
FS:  0000000000000000(0000) GS:ffff88802c300000(0063) knlGS:00000000f5e97b40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000032f22000 CR3: 0000000058532000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 srcu_read_lock include/linux/srcu.h:213 [inline]
 __kvm_handle_hva_range arch/x86/kvm/../../../virt/kvm/kvm_main.c:615 [inline]
 kvm_mmu_notifier_invalidate_range_start+0x29a/0xb10 arch/x86/kvm/../../../virt/kvm/kvm_main.c:800
 mn_hlist_invalidate_range_start mm/mmu_notifier.c:476 [inline]
 __mmu_notifier_invalidate_range_start+0x3b9/0x8f0 mm/mmu_notifier.c:531
 mmu_notifier_invalidate_range_start include/linux/mmu_notifier.h:439 [inline]
 wp_page_copy mm/memory.c:3316 [inline]
 do_wp_page+0x2294/0x3290 mm/memory.c:3677
 handle_pte_fault mm/memory.c:5396 [inline]
 __handle_mm_fault+0x2311/0x52a0 mm/memory.c:5523
 handle_mm_fault+0x476/0xa00 mm/memory.c:5688
 do_user_addr_fault+0x2e5/0xe50 arch/x86/mm/fault.c:1389
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:110 [inline]
RIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:131 [inline]
RIP: 0010:copy_to_user_iter lib/iov_iter.c:25 [inline]
RIP: 0010:iterate_iovec include/linux/iov_iter.h:51 [inline]
RIP: 0010:iterate_and_advance2 include/linux/iov_iter.h:247 [inline]
RIP: 0010:iterate_and_advance include/linux/iov_iter.h:271 [inline]
RIP: 0010:_copy_to_iter+0x48f/0xfc0 lib/iov_iter.c:185
Code: 45 e8 35 ab 10 fd 48 8b 4c 24 10 89 ee 48 8b 44 24 20 4c 8d 34 01 4c 89 f7 e8 ad df 6d fd 0f 01 cb 48 89 e9 4c 89 ff 4c 89 f6 <f3> a4 0f 1f 00 0f 01 ca 48 89 e8 48 29 eb 48 29 c8 48 01 cb 48 01
RSP: 0018:ffffc90026fd7950 EFLAGS: 00050246
RAX: 0000000000000001 RBX: 0000000000001000 RCX: 0000000000000e80
RDX: 0000000000000000 RSI: ffff888012e06180 RDI: 00000000203c4000
RBP: 0000000000001000 R08: 0000000000000000 R09: ffffed10025c0dff
R10: ffff888012e06fff R11: 0000000000000000 R12: 00000000003c3b80
R13: ffffc90026fd7d40 R14: ffff888012e06000 R15: 00000000203c3e80
 copy_page_to_iter lib/iov_iter.c:362 [inline]
 copy_page_to_iter+0xf1/0x180 lib/iov_iter.c:349
 process_vm_rw_pages mm/process_vm_access.c:45 [inline]
 process_vm_rw_single_vec mm/process_vm_access.c:118 [inline]
 process_vm_rw_core.constprop.0+0x5c9/0xa10 mm/process_vm_access.c:216
 process_vm_rw+0x301/0x360 mm/process_vm_access.c:284
 __do_sys_process_vm_readv mm/process_vm_access.c:296 [inline]
 __se_sys_process_vm_readv mm/process_vm_access.c:292 [inline]
 __ia32_sys_process_vm_readv+0xdf/0x1b0 mm/process_vm_access.c:292
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386
 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf72a5579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f5e975ac EFLAGS: 00000292 ORIG_RAX: 000000000000015b
RAX: ffffffffffffffda RBX: 00000000000003f7 RCX: 0000000020000340
RDX: 0000000000000002 RSI: 0000000020008640 RDI: 0000000000000286
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
----------------
Code disassembly (best guess):
   0:	45 e8 35 ab 10 fd    	rex.RB call 0xfd10ab3b
   6:	48 8b 4c 24 10       	mov    0x10(%rsp),%rcx
   b:	89 ee                	mov    %ebp,%esi
   d:	48 8b 44 24 20       	mov    0x20(%rsp),%rax
  12:	4c 8d 34 01          	lea    (%rcx,%rax,1),%r14
  16:	4c 89 f7             	mov    %r14,%rdi
  19:	e8 ad df 6d fd       	call   0xfd6ddfcb
  1e:	0f 01 cb             	stac
  21:	48 89 e9             	mov    %rbp,%rcx
  24:	4c 89 ff             	mov    %r15,%rdi
  27:	4c 89 f6             	mov    %r14,%rsi
* 2a:	f3 a4                	rep movsb %ds:(%rsi),%es:(%rdi) <-- trapping instruction
  2c:	0f 1f 00             	nopl   (%rax)
  2f:	0f 01 ca             	clac
  32:	48 89 e8             	mov    %rbp,%rax
  35:	48 29 eb             	sub    %rbp,%rbx
  38:	48 29 c8             	sub    %rcx,%rax
  3b:	48 01 cb             	add    %rcx,%rbx
  3e:	48                   	rex.W
  3f:	01                   	.byte 0x1