BUG: unable to handle page fault for address: fffffbfffb11e000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23ffe4067 P4D 23ffe4067 PUD 23ffe3067 PMD 0 
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 6067 Comm: syz.4.188 Not tainted 6.12.0-rc2-next-20241008-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:87 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x82/0x290 mm/kasan/generic.c:189
Code: 01 00 00 00 00 fc ff df 4f 8d 3c 31 4c 89 fd 4c 29 dd 48 83 fd 10 7f 29 48 85 ed 0f 84 3e 01 00 00 4c 89 cd 48 f7 d5 48 01 dd <41> 80 3b 00 0f 85 c9 01 00 00 49 ff c3 48 ff c5 75 ee e9 1e 01 00
RSP: 0018:ffffc90000005d18 EFLAGS: 00010286
RAX: 0000000000000001 RBX: 1ffffffffb11e000 RCX: ffffffff81cf65ff
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffffd88f0000
RBP: ffffffffffffffff R08: ffffffffd88f0007 R09: 1ffffffffb11e000
R10: dffffc0000000000 R11: fffffbfffb11e000 R12: ffffffffd88f0000
R13: 0000000000000008 R14: dffffc0000000001 R15: fffffbfffb11e001
FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfffb11e000 CR3: 000000000e734000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 instrument_read include/linux/instrumented.h:26 [inline]
 copy_from_kernel_nofault+0x6f/0x2f0 mm/maccess.c:35
 bpf_probe_read_kernel_common include/linux/bpf.h:2960 [inline]
 ____bpf_probe_read_compat kernel/trace/bpf_trace.c:294 [inline]
 bpf_probe_read_compat+0x10f/0x180 kernel/trace/bpf_trace.c:287
 bpf_prog_11e76113e6dc9cb7+0x43/0x45
 bpf_dispatcher_nop_func include/linux/bpf.h:1257 [inline]
 __bpf_prog_run include/linux/filter.h:701 [inline]
 bpf_prog_run include/linux/filter.h:708 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2318 [inline]
 bpf_trace_run3+0x33a/0x5a0 kernel/trace/bpf_trace.c:2360
 trace_kmem_cache_free include/trace/events/kmem.h:114 [inline]
 kmem_cache_free+0x355/0x420 mm/slub.c:4706
 packet_rcv+0x16f/0x14b0 net/packet/af_packet.c:2290
 dev_queue_xmit_nit+0xad4/0xc10 net/core/dev.c:2347
 xmit_one net/core/dev.c:3584 [inline]
 dev_hard_start_xmit+0x15f/0x7e0 net/core/dev.c:3604
 sch_direct_xmit+0x29c/0x5d0 net/sched/sch_generic.c:343
 __dev_xmit_skb net/core/dev.c:3821 [inline]
 __dev_queue_xmit+0x1a2d/0x3ed0 net/core/dev.c:4394
 dev_queue_xmit include/linux/netdevice.h:3101 [inline]
 neigh_hh_output include/net/neighbour.h:526 [inline]
 neigh_output include/net/neighbour.h:540 [inline]
 ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236
 ip_local_out net/ipv4/ip_output.c:130 [inline]
 __ip_queue_xmit+0x118c/0x1b80 net/ipv4/ip_output.c:536
 __tcp_transmit_skb+0x2544/0x3b30 net/ipv4/tcp_output.c:1466
 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
 tcp_write_xmit+0x17b5/0x6bf0 net/ipv4/tcp_output.c:2830
 __tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:3015
 tcp_push_pending_frames include/net/tcp.h:2107 [inline]
 tcp_data_snd_check net/ipv4/tcp_input.c:5741 [inline]
 tcp_rcv_established+0x1111/0x2020 net/ipv4/tcp_input.c:6175
 tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915
 tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2350
 ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233
 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
 ip_local_deliver net/ipv4/ip_input.c:254 [inline]
 dst_input include/net/dst.h:460 [inline]
 ip_sublist_rcv_finish+0x3be/0x4f0 net/ipv4/ip_input.c:580
 ip_list_rcv_finish net/ipv4/ip_input.c:630 [inline]
 ip_sublist_rcv+0x75d/0xab0 net/ipv4/ip_input.c:638
 ip_list_rcv+0x42b/0x480 net/ipv4/ip_input.c:672
 __netif_receive_skb_list_ptype net/core/dev.c:5709 [inline]
 __netif_receive_skb_list_core+0x94e/0x980 net/core/dev.c:5756
 __netif_receive_skb_list net/core/dev.c:5808 [inline]
 netif_receive_skb_list_internal+0xa51/0xe30 net/core/dev.c:5899
 gro_normal_list include/net/gro.h:515 [inline]
 napi_complete_done+0x310/0x8e0 net/core/dev.c:6250
 virtqueue_napi_complete drivers/net/virtio_net.c:697 [inline]
 virtnet_poll+0x2db0/0x3980 drivers/net/virtio_net.c:2831
 __napi_poll+0xcb/0x490 net/core/dev.c:6775
 napi_poll net/core/dev.c:6844 [inline]
 net_rx_action+0x89b/0x1240 net/core/dev.c:6966
 handle_softirqs+0x2c5/0x980 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 common_interrupt+0xb9/0xd0 arch/x86/kernel/irq.c:278
 </IRQ>
 <TASK>
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xd8/0x140 kernel/locking/spinlock.c:194
Code: 9c 8f 44 24 20 42 80 3c 23 00 74 08 4c 89 f7 e8 0e 06 2b f6 f6 44 24 21 02 75 52 41 f7 c7 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> c3 99 8f f5 65 8b 05 b4 32 30 74 85 c0 74 43 48 c7 04 24 0e 36
RSP: 0018:ffffc90002efeec0 EFLAGS: 00000206
RAX: c4772427b9b08d00 RBX: 1ffff920005dfddc RCX: ffffffff819cb7ec
RDX: dffffc0000000000 RSI: ffffffff8c611440 RDI: 0000000000000001
RBP: ffffc90002efef50 R08: ffffffff901d3f2f R09: 1ffffffff203a7e5
R10: dffffc0000000000 R11: fffffbfff203a7e6 R12: dffffc0000000000
R13: 1ffff920005dfdd8 R14: ffffc90002efeee0 R15: 0000000000000246
 __debug_check_no_obj_freed lib/debugobjects.c:998 [inline]
 debug_check_no_obj_freed+0x561/0x580 lib/debugobjects.c:1019
 free_pages_prepare mm/page_alloc.c:1115 [inline]
 free_unref_folios+0x5a4/0x18d0 mm/page_alloc.c:2722
 folios_put_refs+0x76c/0x860 mm/swap.c:1007
 folio_batch_release include/linux/pagevec.h:101 [inline]
 shmem_undo_range+0x64c/0x1cf0 mm/shmem.c:1032
 shmem_truncate_range mm/shmem.c:1144 [inline]
 shmem_evict_inode+0x29b/0xa80 mm/shmem.c:1274
 evict+0x4e8/0x9b0 fs/inode.c:808
 __dentry_kill+0x20d/0x630 fs/dcache.c:625
 dput+0x19f/0x2b0 fs/dcache.c:867
 __fput+0x5d2/0x880 fs/file_table.c:439
 task_work_run+0x24f/0x310 kernel/task_work.c:228
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0xa2f/0x28e0 kernel/exit.c:939
 do_group_exit+0x207/0x2c0 kernel/exit.c:1088
 get_signal+0x16a3/0x1740 kernel/signal.c:2917
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f59d717dff9
Code: Unable to access opcode bytes at 0x7f59d717dfcf.
RSP: 002b:00007f59d7f140e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f59d7336060 RCX: 00007f59d717dff9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f59d7336060
RBP: 00007f59d7336058 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f59d7336064
R13: 0000000000000000 R14: 00007ffc6b5e2410 R15: 00007ffc6b5e24f8
 </TASK>
Modules linked in:
CR2: fffffbfffb11e000
---[ end trace 0000000000000000 ]---
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:87 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x82/0x290 mm/kasan/generic.c:189
Code: 01 00 00 00 00 fc ff df 4f 8d 3c 31 4c 89 fd 4c 29 dd 48 83 fd 10 7f 29 48 85 ed 0f 84 3e 01 00 00 4c 89 cd 48 f7 d5 48 01 dd <41> 80 3b 00 0f 85 c9 01 00 00 49 ff c3 48 ff c5 75 ee e9 1e 01 00
RSP: 0018:ffffc90000005d18 EFLAGS: 00010286

RAX: 0000000000000001 RBX: 1ffffffffb11e000 RCX: ffffffff81cf65ff
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffffd88f0000
RBP: ffffffffffffffff R08: ffffffffd88f0007 R09: 1ffffffffb11e000
R10: dffffc0000000000 R11: fffffbfffb11e000 R12: ffffffffd88f0000
R13: 0000000000000008 R14: dffffc0000000001 R15: fffffbfffb11e001
FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfffb11e000 CR3: 000000000e734000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 7 bytes skipped:
   0:	df 4f 8d             	fisttps -0x73(%rdi)
   3:	3c 31                	cmp    $0x31,%al
   5:	4c 89 fd             	mov    %r15,%rbp
   8:	4c 29 dd             	sub    %r11,%rbp
   b:	48 83 fd 10          	cmp    $0x10,%rbp
   f:	7f 29                	jg     0x3a
  11:	48 85 ed             	test   %rbp,%rbp
  14:	0f 84 3e 01 00 00    	je     0x158
  1a:	4c 89 cd             	mov    %r9,%rbp
  1d:	48 f7 d5             	not    %rbp
  20:	48 01 dd             	add    %rbx,%rbp
* 23:	41 80 3b 00          	cmpb   $0x0,(%r11) <-- trapping instruction
  27:	0f 85 c9 01 00 00    	jne    0x1f6
  2d:	49 ff c3             	inc    %r11
  30:	48 ff c5             	inc    %rbp
  33:	75 ee                	jne    0x23
  35:	e9                   	.byte 0xe9
  36:	1e                   	(bad)
  37:	01 00                	add    %eax,(%rax)