Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 UID: 0 PID: 32547 Comm: kworker/u8:0 Not tainted 6.12.0-syzkaller-10553-gb86545e02e8c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: events_unbound toggle_allocation_gate RIP: 0010:_compound_head include/linux/page-flags.h:242 [inline] RIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552 Code: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 38 be 00 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 2f a5 6b f8 48 8b 1b 48 89 de 48 83 RSP: 0018:ffffc90000006d70 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888025ee5a00 RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff8994b96d R09: 1ffff1100c7b25cc R10: dffffc0000000000 R11: ffffed100c7b25cd R12: 0000000000000007 R13: ffff888063d92e42 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f95830415e8 CR3: 000000000e738000 CR4: 00000000003526f0 Call Trace: <IRQ> skb_page_unref include/linux/skbuff_ref.h:43 [inline] __skb_frag_unref include/linux/skbuff_ref.h:56 [inline] skb_release_data+0x483/0x8a0 net/core/skbuff.c:1119 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb+0x55/0x70 net/core/skbuff.c:1204 tcp_clean_rtx_queue net/ipv4/tcp_input.c:3436 [inline] tcp_ack+0x2442/0x6bc0 net/ipv4/tcp_input.c:4032 tcp_rcv_state_process+0x8eb/0x44e0 net/ipv4/tcp_input.c:6805 tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1939 tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351 ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 __netif_receive_skb_one_core net/core/dev.c:5672 [inline] __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5785 process_backlog+0x662/0x15b0 net/core/dev.c:6117 __napi_poll+0xcb/0x490 net/core/dev.c:6877 napi_poll net/core/dev.c:6946 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:7068 handle_softirqs+0x2c5/0x980 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:655 irq_exit_rcu+0x9/0x30 kernel/softirq.c:671 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:csd_lock_wait kernel/smp.c:340 [inline] RIP: 0010:smp_call_function_many_cond+0x19f3/0x2ca0 kernel/smp.c:884 Code: 45 8b 65 00 44 89 e6 83 e6 01 31 ff e8 36 ea 0b 00 41 83 e4 01 49 bc 00 00 00 00 00 fc ff df 75 07 e8 e1 e5 0b 00 eb 38 f3 90 <42> 0f b6 04 23 84 c0 75 11 41 f7 45 00 01 00 00 00 74 1e e8 c5 e5 RSP: 0018:ffffc900103676e0 EFLAGS: 00000293 RAX: ffffffff8189febb RBX: 1ffff110170e88c1 RCX: ffff888025ee5a00 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffffc900103678e0 R08: ffffffff8189fe8a R09: 1ffffffff203cb96 R10: dffffc0000000000 R11: fffffbfff203cb97 R12: dffffc0000000000 R13: ffff8880b8744608 R14: ffff8880b863f980 R15: 0000000000000001 on_each_cpu_cond_mask+0x3f/0x80 kernel/smp.c:1051 on_each_cpu include/linux/smp.h:71 [inline] text_poke_sync arch/x86/kernel/alternative.c:2114 [inline] text_poke_bp_batch+0x352/0xb30 arch/x86/kernel/alternative.c:2324 text_poke_flush arch/x86/kernel/alternative.c:2515 [inline] text_poke_finish+0x30/0x50 arch/x86/kernel/alternative.c:2522 arch_jump_label_transform_apply+0x1c/0x30 arch/x86/kernel/jump_label.c:146 static_key_enable_cpuslocked+0x136/0x260 kernel/jump_label.c:210 static_key_enable+0x1a/0x20 kernel/jump_label.c:223 toggle_allocation_gate+0xbc/0x260 mm/kfence/core.c:849 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:_compound_head include/linux/page-flags.h:242 [inline] RIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552 Code: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 38 be 00 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 2f a5 6b f8 48 8b 1b 48 89 de 48 83 RSP: 0018:ffffc90000006d70 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888025ee5a00 RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff8994b96d R09: 1ffff1100c7b25cc R10: dffffc0000000000 R11: ffffed100c7b25cd R12: 0000000000000007 R13: ffff888063d92e42 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f95830415e8 CR3: 000000000e738000 CR4: 00000000003526f0 ---------------- Code disassembly (best guess): 0: 90 nop 1: 90 nop 2: 90 nop 3: 90 nop 4: 90 nop 5: 90 nop 6: 90 nop 7: 55 push %rbp 8: 41 57 push %r15 a: 41 56 push %r14 c: 53 push %rbx d: 49 89 fe mov %rdi,%r14 10: 48 bd 00 00 00 00 00 movabs $0xdffffc0000000000,%rbp 17: fc ff df 1a: e8 38 be 00 f8 call 0xf800be57 1f: 49 8d 5e 08 lea 0x8(%r14),%rbx 23: 48 89 d8 mov %rbx,%rax 26: 48 c1 e8 03 shr $0x3,%rax * 2a: 80 3c 28 00 cmpb $0x0,(%rax,%rbp,1) <-- trapping instruction 2e: 74 08 je 0x38 30: 48 89 df mov %rbx,%rdi 33: e8 2f a5 6b f8 call 0xf86ba567 38: 48 8b 1b mov (%rbx),%rbx 3b: 48 89 de mov %rbx,%rsi 3e: 48 rex.W 3f: 83 .byte 0x83