syzbot

BUG: unable to handle page fault for address: ffffffffff600000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 6c12067 P4D 6c12067 PUD 6c14067 PMD 6c16067 PTE 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 83 Comm: syslogd Not tainted 6.1.68-syzkaller-00023-g92432f07d663 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
RIP: 0010:strncpy_from_kernel_nofault+0x92/0x1e0 mm/maccess.c:91
Code: d0 48 c1 e8 03 48 89 45 c0 42 0f b6 04 30 84 c0 48 89 55 c8 0f 85 eb 00 00 00 ff 02 45 31 e4 48 8b 55 d0 4c 8b 7d b8 49 89 dd <42> 8a 1c 23 4a 8d 3c 22 48 89 f8 48 c1 e8 03 42 0f b6 04 30 84 c0
RSP: 0018:ffffc90000937698 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffffffff600000 RCX: ffff88810bd63cc0
RDX: ffffc90000937720 RSI: ffffffffff600000 RDI: ffffffffff600000
RBP: ffffc900009376e0 R08: ffffffff8138ca8d R09: ffffed1021b47223
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffffffffff600000 R14: dffffc0000000000 R15: 0000000000000005
FS:  00007f15bdbf4380(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600000 CR3: 000000010f2e7000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 bpf_probe_read_kernel_str_common kernel/trace/bpf_trace.c:265 [inline]
 ____bpf_probe_read_kernel_str kernel/trace/bpf_trace.c:274 [inline]
 bpf_probe_read_kernel_str+0x2a/0x70 kernel/trace/bpf_trace.c:271
 bpf_prog_ef3a4661c9d1378e+0x42/0x44
 bpf_dispatcher_nop_func include/linux/bpf.h:982 [inline]
 __bpf_prog_run include/linux/filter.h:600 [inline]
 bpf_prog_run include/linux/filter.h:607 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2275 [inline]
 bpf_trace_run2+0x133/0x290 kernel/trace/bpf_trace.c:2314
 __bpf_trace_kfree+0x6f/0x90 include/trace/events/kmem.h:94
 trace_kfree include/trace/events/kmem.h:94 [inline]
 kfree+0xce/0xf0 mm/slab_common.c:996
 skb_free_head net/core/skbuff.c:762 [inline]
 skb_release_data+0x616/0x840 net/core/skbuff.c:791
 skb_release_all net/core/skbuff.c:856 [inline]
 __kfree_skb net/core/skbuff.c:870 [inline]
 consume_skb+0xac/0x250 net/core/skbuff.c:1035
 skb_free_datagram+0x15/0x20 net/core/datagram.c:322
 __unix_dgram_recvmsg+0xcce/0x12b0 net/unix/af_unix.c:2530
 unix_dgram_recvmsg+0xb7/0xd0 net/unix/af_unix.c:2547
 sock_recvmsg_nosec net/socket.c:1017 [inline]
 sock_recvmsg net/socket.c:1035 [inline]
 sock_read_iter+0x3b2/0x4b0 net/socket.c:1108
 call_read_iter include/linux/fs.h:2252 [inline]
 new_sync_read fs/read_write.c:389 [inline]
 vfs_read+0x771/0xad0 fs/read_write.c:470
 ksys_read+0x199/0x2c0 fs/read_write.c:613
 __do_sys_read fs/read_write.c:623 [inline]
 __se_sys_read fs/read_write.c:621 [inline]
 __x64_sys_read+0x7b/0x90 fs/read_write.c:621
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f15bdd48b6a
Code: 00 3d 00 00 41 00 75 0d 50 48 8d 3d 2d 08 0a 00 e8 ea 7d 01 00 31 c0 e9 07 ff ff ff 64 8b 04 25 18 00 00 00 85 c0 75 1b 0f 05 <48> 3d 00 f0 ff ff 76 6c 48 8b 15 8f a2 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffddfb60038 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f15bdd48b6a
RDX: 00000000000000ff RSI: 000055eb45859300 RDI: 0000000000000000
RBP: 000055eb458592c0 R08: 0000000000000001 R09: 0000000000000000
R10: 00007f15bdee73a3 R11: 0000000000000246 R12: 000055eb45859357
R13: 000055eb45859300 R14: 0000000000000000 R15: 00007f15bdf25a80
 </TASK>
Modules linked in:
CR2: ffffffffff600000
---[ end trace 0000000000000000 ]---
RIP: 0010:strncpy_from_kernel_nofault+0x92/0x1e0 mm/maccess.c:91
Code: d0 48 c1 e8 03 48 89 45 c0 42 0f b6 04 30 84 c0 48 89 55 c8 0f 85 eb 00 00 00 ff 02 45 31 e4 48 8b 55 d0 4c 8b 7d b8 49 89 dd <42> 8a 1c 23 4a 8d 3c 22 48 89 f8 48 c1 e8 03 42 0f b6 04 30 84 c0
RSP: 0018:ffffc90000937698 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffffffff600000 RCX: ffff88810bd63cc0
RDX: ffffc90000937720 RSI: ffffffffff600000 RDI: ffffffffff600000
RBP: ffffc900009376e0 R08: ffffffff8138ca8d R09: ffffed1021b47223
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffffffffff600000 R14: dffffc0000000000 R15: 0000000000000005
FS:  00007f15bdbf4380(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600000 CR3: 000000010f2e7000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	d0 48 c1             	rorb   -0x3f(%rax)
   3:	e8 03 48 89 45       	call   0x4589480b
   8:	c0 42 0f b6          	rolb   $0xb6,0xf(%rdx)
   c:	04 30                	add    $0x30,%al
   e:	84 c0                	test   %al,%al
  10:	48 89 55 c8          	mov    %rdx,-0x38(%rbp)
  14:	0f 85 eb 00 00 00    	jne    0x105
  1a:	ff 02                	incl   (%rdx)
  1c:	45 31 e4             	xor    %r12d,%r12d
  1f:	48 8b 55 d0          	mov    -0x30(%rbp),%rdx
  23:	4c 8b 7d b8          	mov    -0x48(%rbp),%r15
  27:	49 89 dd             	mov    %rbx,%r13
* 2a:	42 8a 1c 23          	mov    (%rbx,%r12,1),%bl <-- trapping instruction
  2e:	4a 8d 3c 22          	lea    (%rdx,%r12,1),%rdi
  32:	48 89 f8             	mov    %rdi,%rax
  35:	48 c1 e8 03          	shr    $0x3,%rax
  39:	42 0f b6 04 30       	movzbl (%rax,%r14,1),%eax
  3e:	84 c0                	test   %al,%al