------------[ cut here ]------------ WARNING: CPU: 1 PID: 27218 at mm/gup.c:229 __ll_sc_atomic_add arch/arm64/include/asm/atomic_ll_sc.h:95 [inline] WARNING: CPU: 1 PID: 27218 at mm/gup.c:229 arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline] WARNING: CPU: 1 PID: 27218 at mm/gup.c:229 raw_atomic_add include/linux/atomic/atomic-arch-fallback.h:537 [inline] WARNING: CPU: 1 PID: 27218 at mm/gup.c:229 raw_atomic_inc include/linux/atomic/atomic-arch-fallback.h:985 [inline] WARNING: CPU: 1 PID: 27218 at mm/gup.c:229 atomic_inc include/linux/atomic/atomic-instrumented.h:436 [inline] WARNING: CPU: 1 PID: 27218 at mm/gup.c:229 page_ref_inc include/linux/page_ref.h:158 [inline] WARNING: CPU: 1 PID: 27218 at mm/gup.c:229 folio_ref_inc include/linux/page_ref.h:165 [inline] WARNING: CPU: 1 PID: 27218 at mm/gup.c:229 try_grab_page+0x194/0x2dc mm/gup.c:236 Modules linked in: CPU: 1 PID: 27218 Comm: syz-executor.1 Not tainted 6.5.0-rc5-syzkaller-00243-g9106536c1aa3 #0 Hardware name: linux,dummy-virt (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : try_grab_page+0x194/0x2dc mm/gup.c:229 lr : instrument_atomic_read include/linux/instrumented.h:68 [inline] lr : atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] lr : page_ref_count include/linux/page_ref.h:67 [inline] lr : folio_ref_count include/linux/page_ref.h:89 [inline] lr : try_grab_page+0x54/0x2dc mm/gup.c:229 sp : ffff80008cb76e50 x29: ffff80008cb76e50 x28: fffffc00001f3580 x27: 0000000000047cd6 x26: 0120000047cd6fc3 x25: 1fffe00001ce2a02 x24: fffffc00001f3588 x23: 1ffff0001196ede0 x22: fffffc00001f35b4 x21: 0000000000290000 x20: fffffc00001f3580 x19: fffffc00001f3580 x18: ffff000014e7c1e0 x17: 0000000000000000 x16: 0000000000000002 x15: 1fffe000029cf83b x14: 00000000000001e1 x13: 1fffe000029cf838 x12: ffff7f800003e6b7 x11: 1fffff800003e6b6 x10: ffff7f800003e6b6 x9 : dfff800000000000 x8 : 0000807ffffc194a x7 : fffffc00001f35b7 x6 : 0000000000000001 x5 : fffffc00001f35b4 x4 : ffff7f800003e6b7 x3 : ffff80008073d71c x2 : 1fffff800003e6b6 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: __ll_sc_atomic_add arch/arm64/include/asm/atomic_ll_sc.h:95 [inline] arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline] raw_atomic_add include/linux/atomic/atomic-arch-fallback.h:537 [inline] raw_atomic_inc include/linux/atomic/atomic-arch-fallback.h:985 [inline] atomic_inc include/linux/atomic/atomic-instrumented.h:436 [inline] page_ref_inc include/linux/page_ref.h:158 [inline] folio_ref_inc include/linux/page_ref.h:165 [inline] try_grab_page+0x194/0x2dc mm/gup.c:236 follow_page_pte+0x140/0xbf4 mm/gup.c:651 follow_pmd_mask mm/gup.c:734 [inline] follow_pud_mask mm/gup.c:765 [inline] follow_p4d_mask mm/gup.c:782 [inline] follow_page_mask+0x468/0x89c mm/gup.c:839 __get_user_pages+0x2c0/0x598 mm/gup.c:1256 __get_user_pages_locked mm/gup.c:1487 [inline] __gup_longterm_locked+0x1a8/0x1784 mm/gup.c:2181 internal_get_user_pages_fast+0xdb4/0x1938 mm/gup.c:3179 pin_user_pages_fast+0xb0/0xf4 mm/gup.c:3285 iov_iter_extract_user_pages lib/iov_iter.c:1768 [inline] iov_iter_extract_pages+0x1d0/0xdac lib/iov_iter.c:1831 extract_user_to_sg lib/scatterlist.c:1123 [inline] extract_iter_to_sg lib/scatterlist.c:1349 [inline] extract_iter_to_sg+0x60c/0x134c lib/scatterlist.c:1339 hash_sendmsg+0x23c/0xf78 crypto/algif_hash.c:119 sock_sendmsg_nosec net/socket.c:725 [inline] sock_sendmsg+0xc8/0x168 net/socket.c:748 ____sys_sendmsg+0x550/0x6e0 net/socket.c:2494 ___sys_sendmsg+0x11c/0x19c net/socket.c:2548 __sys_sendmsg+0xe0/0x174 net/socket.c:2577 __do_sys_sendmsg net/socket.c:2586 [inline] __se_sys_sendmsg net/socket.c:2584 [inline] __arm64_sys_sendmsg+0x70/0xa0 net/socket.c:2584 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:52 el0_svc_common.constprop.0+0xc4/0x244 arch/arm64/kernel/syscall.c:139 do_el0_svc+0x50/0x11c arch/arm64/kernel/syscall.c:188 el0_svc+0x4c/0x134 arch/arm64/kernel/entry-common.c:647 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:665 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591 irq event stamp: 13564 hardirqs last enabled at (13563): [] count_memcg_events include/linux/memcontrol.h:1076 [inline] hardirqs last enabled at (13563): [] count_memcg_event_mm.part.0+0x1c4/0x1d8 include/linux/memcontrol.h:1108 hardirqs last disabled at (13564): [] el1_dbg+0x24/0x9c arch/arm64/kernel/entry-common.c:407 softirqs last enabled at (13510): [] softirq_handle_end kernel/softirq.c:399 [inline] softirqs last enabled at (13510): [] __do_softirq+0x888/0xe1c kernel/softirq.c:582 softirqs last disabled at (13493): [] ____do_softirq+0x10/0x1c arch/arm64/kernel/irq.c:80 ---[ end trace 0000000000000000 ]--- page:000000002bf82fc7 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x47cd6 flags: 0x1ffc60000001042(referenced|workingset|reserved|node=0|zone=0|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 01ffc60000001042 fffffc00001f3588 fffffc00001f3588 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0) ------------[ cut here ]------------ kernel BUG at include/linux/mm.h:1027! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 1 PID: 27218 Comm: syz-executor.1 Tainted: G W 6.5.0-rc5-syzkaller-00243-g9106536c1aa3 #0 Hardware name: linux,dummy-virt (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : put_page_testzero include/linux/mm.h:1027 [inline] pc : folio_put_testzero include/linux/mm.h:1033 [inline] pc : folio_put include/linux/mm.h:1439 [inline] pc : put_page include/linux/mm.h:1509 [inline] pc : extract_user_to_sg lib/scatterlist.c:1151 [inline] pc : extract_iter_to_sg lib/scatterlist.c:1349 [inline] pc : extract_iter_to_sg+0xe4c/0x134c lib/scatterlist.c:1339 lr : put_page_testzero include/linux/mm.h:1027 [inline] lr : folio_put_testzero include/linux/mm.h:1033 [inline] lr : folio_put include/linux/mm.h:1439 [inline] lr : put_page include/linux/mm.h:1509 [inline] lr : extract_user_to_sg lib/scatterlist.c:1151 [inline] lr : extract_iter_to_sg lib/scatterlist.c:1349 [inline] lr : extract_iter_to_sg+0xe4c/0x134c lib/scatterlist.c:1339 sp : ffff80008cb77660 x29: ffff80008cb77660 x28: fffffc00001f35b4 x27: 1fffe00002106801 x26: fffffc00001f3580 x25: dfff800000000000 x24: ffff000010834008 x23: 1ffff0001196eee6 x22: 0000000000000003 x21: ffff600002106801 x20: ffff000010834000 x19: 0000000000000007 x18: ffff000014e7c1e0 x17: 0000000000000000 x16: 0000000000000000 x15: 1fffe000029cf83b x14: 0000000000000001 x13: 1fffe000029cf838 x12: ffff70001196ee45 x11: 1ffff0001196ee44 x10: ffff70001196ee44 x9 : dfff800000000000 x8 : 00008fffee6911bc x7 : ffff80008cb77227 x6 : 0000000000000001 x5 : ffff80008cb77220 x4 : 1fffe000029cf6f1 x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff000014e7b780 x0 : 000000000000003e Call trace: put_page_testzero include/linux/mm.h:1027 [inline] folio_put_testzero include/linux/mm.h:1033 [inline] folio_put include/linux/mm.h:1439 [inline] put_page include/linux/mm.h:1509 [inline] extract_user_to_sg lib/scatterlist.c:1151 [inline] extract_iter_to_sg lib/scatterlist.c:1349 [inline] extract_iter_to_sg+0xe4c/0x134c lib/scatterlist.c:1339 hash_sendmsg+0x23c/0xf78 crypto/algif_hash.c:119 sock_sendmsg_nosec net/socket.c:725 [inline] sock_sendmsg+0xc8/0x168 net/socket.c:748 ____sys_sendmsg+0x550/0x6e0 net/socket.c:2494 ___sys_sendmsg+0x11c/0x19c net/socket.c:2548 __sys_sendmsg+0xe0/0x174 net/socket.c:2577 __do_sys_sendmsg net/socket.c:2586 [inline] __se_sys_sendmsg net/socket.c:2584 [inline] __arm64_sys_sendmsg+0x70/0xa0 net/socket.c:2584 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:52 el0_svc_common.constprop.0+0xc4/0x244 arch/arm64/kernel/syscall.c:139 do_el0_svc+0x50/0x11c arch/arm64/kernel/syscall.c:188 el0_svc+0x4c/0x134 arch/arm64/kernel/entry-common.c:647 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:665 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591 Code: 91058021 aa1a03e0 91028021 97d6da7f (d4210000) ---[ end trace 0000000000000000 ]---