program: ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x1) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000840), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_MP_STATE(r2, 0x4004ae99, &(0x7f00000001c0)=0x2) openat(0xffffffffffffff9c, 0x0, 0x40042, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000240)=[@text16={0x10, 0x0}], 0x1, 0x0, 0x0, 0x0) ioctl$KVM_SET_LAPIC(r2, 0x4400ae8f, &(0x7f0000000440)={"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"}) syz_open_dev$MSR(0x0, 0x0, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 70.618336][ T4533] Bluetooth: hci0: command tx timeout [ 70.707332][ T5107] kvm: vcpu 0: requested 128 ns lapic timer period limited to 200000 ns [ 70.710913][ T5107] kvm: vcpu 0: requested lapic timer restore with starting count register 0x390=1812281087 (231971979136 ns) > initial count (200000 ns). Using initial count to start timer. [ 71.144885][ T29] page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x55a51d60d pfn:0x11a1a [ 71.149799][ T4810] list_add corruption. next->prev should be prev (ffffe8ffffc31ed0), but was ffff8880354f5000. (next=ffff88801aa39400). [ 71.155504][ T4810] ------------[ cut here ]------------ [ 71.158030][ T4810] kernel BUG at lib/list_debug.c:31! 
[ 71.160642][ T4810] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 71.163573][ T4810] CPU: 0 UID: 0 PID: 4810 Comm: dhcpcd Not tainted 6.12.0-rc1-syzkaller #0 [ 71.167085][ T4810] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 71.171758][ T4810] RIP: 0010:__list_add_valid_or_report+0xd6/0xf0 [ 71.174739][ T4810] Code: e8 6f 08 00 07 90 0f 0b 48 c7 c7 00 f9 60 8c e8 60 08 00 07 90 0f 0b 48 c7 c7 60 f9 60 8c 4c 89 e6 4c 89 f1 e8 4b 08 00 07 90 <0f> 0b 48 c7 c7 e0 f9 60 8c 4c 89 f6 4c 89 e1 e8 36 08 00 07 90 0f [ 71.183022][ T4810] RSP: 0018:ffffc90002beed68 EFLAGS: 00010246 [ 71.185514][ T4810] RAX: 0000000000000075 RBX: ffff88801aa39408 RCX: e74b4a6b4d3c8400 [ 71.188808][ T4810] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000 [ 71.192091][ T4810] RBP: ffffe8ffffc31ed0 R08: ffffffff81749dec R09: 1ffff9200057dd48 [ 71.195215][ T4810] R10: dffffc0000000000 R11: fffff5200057dd49 R12: ffffe8ffffc31ed0 [ 71.198224][ T4810] R13: dffffc0000000000 R14: ffff88801aa39400 R15: ffff888011a1a000 [ 71.201206][ T4810] FS: 00007f01a6997740(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 71.204439][ T4810] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 71.206924][ T4810] CR2: 00007f01a69980e8 CR3: 000000003f8a4000 CR4: 0000000000352ef0 [ 71.209860][ T4810] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 71.212694][ T4810] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 71.215416][ T4810] Call Trace: [ 71.216572][ T4810] [ 71.217562][ T4810] ? __die_body+0x5f/0xb0 [ 71.219174][ T4810] ? die+0x9e/0xc0 [ 71.220533][ T4810] ? do_trap+0x15a/0x3a0 [ 71.222074][ T4810] ? __list_add_valid_or_report+0xd6/0xf0 [ 71.224026][ T4810] ? do_error_trap+0x1dc/0x2c0 [ 71.225650][ T4810] ? __list_add_valid_or_report+0xd6/0xf0 [ 71.227727][ T4810] ? __pfx___sanitizer_cov_trace_cmp8+0x10/0x10 [ 71.230109][ T4810] ? __pfx_do_error_trap+0x10/0x10 [ 71.232207][ T4810] ? 
handle_invalid_op+0x34/0x40 [ 71.234193][ T4810] ? __list_add_valid_or_report+0xd6/0xf0 [ 71.236457][ T4810] ? exc_invalid_op+0x38/0x50 [ 71.238430][ T4810] ? asm_exc_invalid_op+0x1a/0x20 [ 71.240465][ T4810] ? __wake_up_klogd+0xcc/0x110 [ 71.242381][ T4810] ? __list_add_valid_or_report+0xd6/0xf0 [ 71.244235][ T4810] ? __list_add_valid_or_report+0xd5/0xf0 [ 71.246174][ T4810] add_to_unbuddied+0x2e4/0x4d0 [ 71.248012][ T4810] do_compact_page+0x924/0xc50 [ 71.249950][ T4810] zswap_entry_free+0x2f6/0x440 [ 71.251841][ T4810] zswap_load+0x386/0x8f0 [ 71.253470][ T4810] swap_read_folio+0x8c0/0x20b0 [ 71.255336][ T4810] ? __pfx_swap_read_folio+0x10/0x10 [ 71.257313][ T4810] ? __pfx___folio_batch_add_and_move+0x10/0x10 [ 71.259732][ T4810] ? __pfx_workingset_update_node+0x10/0x10 [ 71.261862][ T4810] ? put_swap_device+0x1f/0x250 [ 71.263734][ T4810] ? put_swap_device+0x18b/0x250 [ 71.265525][ T4810] ? __read_swap_cache_async+0x56f/0x8e0 [ 71.267396][ T4810] ? __pfx___read_swap_cache_async+0x10/0x10 [ 71.269588][ T4810] ? blk_start_plug+0x70/0x1b0 [ 71.271511][ T4810] swap_cluster_readahead+0x3d6/0x7f0 [ 71.273535][ T4810] ? __pfx_swap_cluster_readahead+0x10/0x10 [ 71.276090][ T4810] ? xas_load+0x59b/0x5c0 [ 71.278016][ T4810] swapin_readahead+0x1bb/0xdf0 [ 71.279933][ T4810] ? filemap_get_entry+0x123/0x3b0 [ 71.281975][ T4810] ? __pfx_swapin_readahead+0x10/0x10 [ 71.284173][ T4810] ? get_swap_device+0x89/0x400 [ 71.286157][ T4810] ? __filemap_get_folio+0x949/0xbd0 [ 71.288357][ T4810] ? swap_cache_get_folio+0xa6/0x570 [ 71.290520][ T4810] do_swap_page+0x584/0x7b30 [ 71.292445][ T4810] ? do_swap_page+0x15e/0x7b30 [ 71.294429][ T4810] ? __pfx_do_swap_page+0x10/0x10 [ 71.296481][ T4810] ? __pfx___pte_offset_map+0x10/0x10 [ 71.298680][ T4810] ? validate_chain+0x11e/0x5920 [ 71.300579][ T4810] ? __pfx_validate_chain+0x10/0x10 [ 71.302142][ T4810] ? pte_offset_map_nolock+0x137/0x1f0 [ 71.303968][ T4810] ? __pfx_pte_offset_map_nolock+0x10/0x10 [ 71.306364][ T4810] ? 
_raw_spin_unlock_irqrestore+0x8f/0x140 [ 71.308762][ T4810] handle_pte_fault+0x61d/0x6800 [ 71.310781][ T4810] ? fput+0x1a8/0x230 [ 71.312409][ T4810] ? mark_lock+0x9a/0x360 [ 71.314172][ T4810] ? __pfx_handle_pte_fault+0x10/0x10 [ 71.316383][ T4810] ? __lock_acquire+0x1384/0x2050 [ 71.318333][ T4810] ? mt_find+0x2a9/0x920 [ 71.319967][ T4810] ? __pfx_lock_release+0x10/0x10 [ 71.321899][ T4810] handle_mm_fault+0x1106/0x1bb0 [ 71.323660][ T4810] ? mt_find+0x2a9/0x920 [ 71.325194][ T4810] ? __pfx_handle_mm_fault+0x10/0x10 [ 71.327040][ T4810] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 71.329203][ T4810] ? lock_mm_and_find_vma+0x9c/0x2f0 [ 71.331423][ T4810] exc_page_fault+0x2b9/0x8c0 [ 71.333189][ T4810] asm_exc_page_fault+0x26/0x30 [ 71.335094][ T4810] RIP: 0010:__get_user_8+0x11/0x20 [ 71.337006][ T4810] Code: ca c3 cc cc cc cc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 89 c2 48 c1 fa 3f 48 09 d0 0f 01 cb <48> 8b 10 31 c0 0f 01 ca c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 [ 71.343628][ T4810] RSP: 0018:ffffc90002befd98 EFLAGS: 00050206 [ 71.345685][ T4810] RAX: 00007f01a69980e8 RBX: ffff88801ce1ddd8 RCX: ffffc90002befc03 [ 71.347951][ T4810] RDX: 0000000000000000 RSI: ffffffff8c0adba0 RDI: ffffffff8c60f7a0 [ 71.350888][ T4810] RBP: ffffc90002befec8 R08: ffffffff901ce62f R09: 1ffffffff2039cc5 [ 71.353730][ T4810] R10: dffffc0000000000 R11: fffffbfff2039cc6 R12: ffffc90002befda0 [ 71.356825][ T4810] R13: ffffc90002beffd8 R14: dffffc0000000000 R15: ffff88801ce1c880 [ 71.359953][ T4810] __rseq_handle_notify_resume+0x159/0x14e0 [ 71.362346][ T4810] ? __pfx___rseq_handle_notify_resume+0x10/0x10 [ 71.364819][ T4810] ? syscall_exit_to_user_mode+0xa3/0x370 [ 71.366857][ T4810] syscall_exit_to_user_mode+0x114/0x370 [ 71.368952][ T4810] do_syscall_64+0x100/0x230 [ 71.370666][ T4810] ? 
clear_bhb_loop+0x35/0x90 [ 71.372444][ T4810] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 71.374633][ T4810] RIP: 0033:0x7f01a6a64ad5 [ 71.376425][ T4810] Code: 85 d2 74 0d 0f 10 02 48 8d 54 24 20 0f 11 44 24 20 64 8b 04 25 18 00 00 00 85 c0 75 27 41 b8 08 00 00 00 b8 0f 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 75 48 8b 15 24 73 0d 00 f7 d8 64 89 02 48 83 [ 71.384447][ T4810] RSP: 002b:00007ffd55e31e50 EFLAGS: 00000246 ORIG_RAX: 000000000000010f [ 71.387191][ T4810] RAX: 0000000000000002 RBX: 000055d27eb22dd0 RCX: 00007f01a6a64ad5 [ 71.389787][ T4810] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 000055d27eb22db0 [ 71.392404][ T4810] RBP: 00007ffd55e321a0 R08: 0000000000000008 R09: 00007ffd55e11a44 [ 71.395064][ T4810] R10: 00007ffd55e321a0 R11: 0000000000000246 R12: 0000000000000000 [ 71.397720][ T4810] R13: 000055d26764f610 R14: 0000000000000000 R15: 0000000000000000 [ 71.400662][ T4810] [ 71.401868][ T4810] Modules linked in: [ 71.405655][ T4810] ---[ end trace 0000000000000000 ]--- [ 71.408099][ T4810] RIP: 0010:__list_add_valid_or_report+0xd6/0xf0 [ 71.410288][ T4810] Code: e8 6f 08 00 07 90 0f 0b 48 c7 c7 00 f9 60 8c e8 60 08 00 07 90 0f 0b 48 c7 c7 60 f9 60 8c 4c 89 e6 4c 89 f1 e8 4b 08 00 07 90 <0f> 0b 48 c7 c7 e0 f9 60 8c 4c 89 f6 4c 89 e1 e8 36 08 00 07 90 0f [ 71.417632][ T4810] RSP: 0018:ffffc90002beed68 EFLAGS: 00010246 [ 71.420101][ T4810] RAX: 0000000000000075 RBX: ffff88801aa39408 RCX: e74b4a6b4d3c8400 [ 71.423233][ T4810] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000 [ 71.425775][ T4810] RBP: ffffe8ffffc31ed0 R08: ffffffff81749dec R09: 1ffff9200057dd48 [ 71.428321][ T4810] R10: dffffc0000000000 R11: fffff5200057dd49 R12: ffffe8ffffc31ed0 [ 71.431206][ T4810] R13: dffffc0000000000 R14: ffff88801aa39400 R15: ffff888011a1a000 [ 71.433694][ T4810] FS: 00007f01a6997740(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 71.436559][ T4810] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 71.439008][ T4810] CR2: 00007f01a69980e8 
CR3: 000000003f8a4000 CR4: 0000000000352ef0 [ 71.442243][ T4810] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 71.445663][ T4810] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 71.449051][ T4810] Kernel panic - not syncing: Fatal exception [ 71.451612][ T4810] Kernel Offset: disabled [ 71.453242][ T4810] Rebooting in 86400 seconds..

Triage note: the BUG at lib/list_debug.c:31 is the list_add sanity check (__list_add_valid_or_report) firing in task dhcpcd (PID 4810) on a swap-in page fault — do_swap_page -> swap_read_folio -> zswap_load -> zswap_entry_free -> do_compact_page -> add_to_unbuddied — i.e. inside the zswap backend's free-list/compaction path (add_to_unbuddied and do_compact_page appear to be the z3fold pool allocator), not in the syzkaller program's own task; the KVM lapic-timer messages above come from a different task (T5107). The log does not show how the KVM reproducer reaches the corrupted free list, so the reproducer is presumably only the trigger (memory pressure / scheduling) rather than the faulting code path. The corruption was caught only because the list debug check is compiled in (CONFIG_DEBUG_LIST); on a production kernel without it this would be a silent heap corruption of the allocator's lists rather than an immediate panic.