syzbot

kernel BUG at mm/memory.c:2185!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 5051 Comm: syz-executor277 Not tainted 6.2.0-rc5-syzkaller-00199-g5af6ce704936 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
RIP: 0010:vmf_insert_pfn_prot+0x24c/0x460 mm/memory.c:2185
Code: 0f 0b e8 07 e3 c5 ff 4d 89 f7 bf 20 00 00 00 41 83 e7 28 4c 89 fe e8 c3 df c5 ff 49 83 ff 20 0f 85 a5 fe ff ff e8 e4 e2 c5 ff <0f> 0b 49 be ff ff ff ff ff ff 0f 00 e8 d3 e2 c5 ff 4d 21 ee 4c 89
RSP: 0018:ffffc90002fcf9d0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 1ffff920005f9f3c RCX: 0000000000000000
RDX: ffff8880724f6180 RSI: ffffffff81baa05c RDI: 0000000000000007
RBP: ffff8880222df7e0 R08: 0000000000000007 R09: 0000000000000020
R10: 0000000000000020 R11: 0000000000000005 R12: 0000000020000000
R13: 000000000001c4e8 R14: 000000000c040471 R15: 0000000000000020
FS:  000055555571c3c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 00000000755cb000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 drm_gem_shmem_fault+0x1e1/0x290 drivers/gpu/drm/drm_gem_shmem_helper.c:562
 __do_fault+0x107/0x600 mm/memory.c:4163
 do_read_fault mm/memory.c:4514 [inline]
 do_fault mm/memory.c:4643 [inline]
 handle_pte_fault mm/memory.c:4931 [inline]
 __handle_mm_fault+0x22f2/0x3c90 mm/memory.c:5073
 handle_mm_fault+0x1b6/0x850 mm/memory.c:5219
 do_user_addr_fault+0x475/0x1210 arch/x86/mm/fault.c:1428
 handle_page_fault arch/x86/mm/fault.c:1519 [inline]
 exc_page_fault+0x98/0x170 arch/x86/mm/fault.c:1575
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0010:copy_user_short_string+0xa/0x40 arch/x86/lib/copy_user_64.S:232
Code: 83 f8 12 74 0a 89 d1 f3 a4 89 c8 0f 01 ca c3 89 d0 0f 01 ca c3 01 ca eb e7 0f 1f 80 00 00 00 00 89 d1 83 e2 07 c1 e9 03 74 12 <4c> 8b 06 4c 89 07 48 8d 76 08 48 8d 7f 08 ff c9 75 ee 21 d2 74 10
RSP: 0018:ffffc90002fcfdf0 EFLAGS: 00050206
RAX: 0000000000000001 RBX: 0000000000000018 RCX: 0000000000000003
RDX: 0000000000000000 RSI: 0000000020000000 RDI: ffffc90002fcfe58
RBP: ffffc90002fcfe58 R08: 0000000000000001 R09: ffffc90002fcfe6f
R10: fffff520005f9fcd R11: 0000000000094001 R12: 00007fffffffefe8
R13: 0000000020000000 R14: 0000000000000007 R15: 0000000020000000
 copy_user_generic arch/x86/include/asm/uaccess_64.h:37 [inline]
 raw_copy_from_user arch/x86/include/asm/uaccess_64.h:52 [inline]
 _copy_from_user+0x13b/0x170 lib/usercopy.c:16
 copy_from_user include/linux/uaccess.h:161 [inline]
 copy_dev_ioctl fs/autofs/dev-ioctl.c:86 [inline]
 _autofs_dev_ioctl+0x104/0x7f0 fs/autofs/dev-ioctl.c:620
 autofs_dev_ioctl+0x1b/0x30 fs/autofs/dev-ioctl.c:693
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd77dbec559
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe5375c2a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffe5375c2b8 RCX: 00007fd77dbec559
RDX: 0000000020000000 RSI: 00000000c0189378 RDI: 0000000000000003
RBP: 00007ffe5375c2b0 R08: 00007ffe5375c2b0 R09: 00007fd77dbaf1c0
R10: 00007ffe5375c2b0 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:vmf_insert_pfn_prot+0x24c/0x460 mm/memory.c:2185
Code: 0f 0b e8 07 e3 c5 ff 4d 89 f7 bf 20 00 00 00 41 83 e7 28 4c 89 fe e8 c3 df c5 ff 49 83 ff 20 0f 85 a5 fe ff ff e8 e4 e2 c5 ff <0f> 0b 49 be ff ff ff ff ff ff 0f 00 e8 d3 e2 c5 ff 4d 21 ee 4c 89
RSP: 0018:ffffc90002fcf9d0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 1ffff920005f9f3c RCX: 0000000000000000
RDX: ffff8880724f6180 RSI: ffffffff81baa05c RDI: 0000000000000007
RBP: ffff8880222df7e0 R08: 0000000000000007 R09: 0000000000000020
R10: 0000000000000020 R11: 0000000000000005 R12: 0000000020000000
R13: 000000000001c4e8 R14: 000000000c040471 R15: 0000000000000020
FS:  000055555571c3c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 00000000755cb000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	83 f8 12             	cmp    $0x12,%eax
   3:	74 0a                	je     0xf
   5:	89 d1                	mov    %edx,%ecx
   7:	f3 a4                	rep movsb %ds:(%rsi),%es:(%rdi)
   9:	89 c8                	mov    %ecx,%eax
   b:	0f 01 ca             	clac
   e:	c3                   	retq
   f:	89 d0                	mov    %edx,%eax
  11:	0f 01 ca             	clac
  14:	c3                   	retq
  15:	01 ca                	add    %ecx,%edx
  17:	eb e7                	jmp    0x0
  19:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  20:	89 d1                	mov    %edx,%ecx
  22:	83 e2 07             	and    $0x7,%edx
  25:	c1 e9 03             	shr    $0x3,%ecx
  28:	74 12                	je     0x3c
* 2a:	4c 8b 06             	mov    (%rsi),%r8 <-- trapping instruction
  2d:	4c 89 07             	mov    %r8,(%rdi)
  30:	48 8d 76 08          	lea    0x8(%rsi),%rsi
  34:	48 8d 7f 08          	lea    0x8(%rdi),%rdi
  38:	ff c9                	dec    %ecx
  3a:	75 ee                	jne    0x2a
  3c:	21 d2                	and    %edx,%edx
  3e:	74 10                	je     0x50