------------[ cut here ]------------
WARNING: CPU: 1 PID: 24708 at mm/maccess.c:226 copy_from_user_nofault+0x160/0x1c0 mm/maccess.c:226
Modules linked in:
CPU: 1 PID: 24708 Comm: dhcpcd-run-hook Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
RIP: 0010:copy_from_user_nofault+0x160/0x1c0 mm/maccess.c:226
Code: 24 45 31 f6 31 ff 89 de e8 5d 95 d8 ff 85 db 48 c7 c0 f2 ff ff ff 49 0f 44 c6 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 e0 91 d8 ff <0f> 0b e9 1c ff ff ff 44 89 e1 80 e1 07 80 c1 03 38 c1 0f 8c ea fe
RSP: 0018:ffffc90000dcfec8 EFLAGS: 00010246
RAX: ffffffff81a0b710 RBX: 0000000000000000 RCX: ffff888042fabb80
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff8f0ed048 R09: ffffffff8f0ed058
R10: ffffffff8f0ed050 R11: ffffffff8f0ed043 R12: ffff888042fad308
R13: ffffc90001228000 R14: ffffc90000dcff28 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdb8adca286 CR3: 0000000073336000 CR4: 00000000003506e0
DR0: 0000200000000300 DR1: 0000200000000300 DR2: 0000200000000300
DR3: 0000200000000300 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 bpf_probe_read_user_common kernel/trace/bpf_trace.c:157 [inline]
 ____bpf_probe_read_user kernel/trace/bpf_trace.c:166 [inline]
 bpf_probe_read_user+0x26/0x70 kernel/trace/bpf_trace.c:163
 bpf_prog_f2594087b0f175cc+0x32/0xbf8
 bpf_dispatcher_nop_func include/linux/bpf.h:888 [inline]
 __bpf_prog_run include/linux/filter.h:621 [inline]
 bpf_prog_run include/linux/filter.h:635 [inline]
 bpf_prog_run_pin_on_cpu include/linux/filter.h:652 [inline]
 bpf_flow_dissect+0x33e/0x3f0 net/core/flow_dissector.c:896
 __skb_flow_dissect+0x7c5/0x6260 net/core/flow_dissector.c:1029
 skb_flow_dissect_flow_keys include/linux/skbuff.h:1390 [inline]
 ___skb_get_hash+0x55/0x680 net/core/flow_dissector.c:1638
 __skb_get_hash+0xd2/0x270 net/core/flow_dissector.c:1703
 skb_get_hash include/linux/skbuff.h:1432 [inline]
 skb_tx_hash net/core/dev.c:3256 [inline]
 netdev_pick_tx+0x335/0xad0 net/core/dev.c:4153
 netdev_core_pick_tx+0x12e/0x2e0 net/core/dev.c:4186
 __dev_queue_xmit+0x756/0x2f80 net/core/dev.c:4261
 hsr_xmit net/hsr/hsr_forward.c:340 [inline]
 hsr_forward_do net/hsr/hsr_forward.c:431 [inline]
 hsr_forward_skb+0xfd2/0x1700 net/hsr/hsr_forward.c:584
 send_hsr_supervision_frame+0x5f7/0xb80 net/hsr/hsr_device.c:349
 hsr_announce+0x168/0x310 net/hsr/hsr_device.c:405
 call_timer_fn+0x17b/0x540 kernel/time/timer.c:1648
 expire_timers kernel/time/timer.c:1699 [inline]
 __run_timers+0x53e/0x800 kernel/time/timer.c:1970
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1983
 handle_softirqs+0x339/0x830 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 invoke_softirq kernel/softirq.c:450 [inline]
 __irq_exit_rcu+0x13b/0x230 kernel/softirq.c:659
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:deref_stack_reg+0xc8/0x120 arch/x86/kernel/unwind_orc.c:360
Code: c1 e8 03 42 80 3c 20 00 74 05 e8 43 16 89 00 49 8b 77 28 49 8d 4f 20 4c 89 f7 4c 89 fa e8 10 3d f5 ff 85 c0 74 04 31 c0 eb 26 <4c> 89 f7 e8 90 07 00 00 49 89 c6 48 89 d8 48 c1 e8 03 42 80 3c 20
RSP: 0018:ffffc9000378f110 EFLAGS: 00000202
RAX: ffffc9000378f201 RBX: ffffc9000378f2a8 RCX: 0000000000000001
RDX: ffffc9000378f2a8 RSI: ffffc9000378f2f0 RDI: ffffc9000378f278
RBP: ffffc90003790000 R08: ffffc9000378f2c7 R09: ffffc9000378f2b8
R10: dffffc0000000000 R11: fffff520006f1e59 R12: dffffc0000000000
R13: ffffc90003788000 R14: ffffc9000378f2f0 R15: ffffc9000378f268
 unwind_next_frame+0x115d/0x1d90 arch/x86/kernel/unwind_orc.c:-1
 __unwind_start+0x5bb/0x740 arch/x86/kernel/unwind_orc.c:704
 unwind_start arch/x86/include/asm/unwind.h:60 [inline]
 arch_stack_walk+0xda/0x140 arch/x86/kernel/stacktrace.c:24
 stack_trace_save+0xa6/0xf0 kernel/stacktrace.c:122
 save_stack+0x121/0x230 mm/page_owner.c:119
 __reset_page_owner+0x51/0x180 mm/page_owner.c:140
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
 free_unref_page_list+0x119/0x820 mm/page_alloc.c:3433
 release_pages+0x186c/0x1be0 mm/swap.c:963
 tlb_batch_pages_flush mm/mmu_gather.c:50 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:241 [inline]
 tlb_flush_mmu mm/mmu_gather.c:248 [inline]
 tlb_finish_mmu+0x1b4/0x370 mm/mmu_gather.c:371
 exit_mmap+0x3d0/0x640 mm/mmap.c:3218
 __mmput+0x115/0x3b0 kernel/fork.c:1127
 exec_mmap+0x51d/0x610 fs/exec.c:1035
 begin_new_exec+0x7e8/0x1160 fs/exec.c:1293
 load_elf_binary+0x99c/0x28e0 fs/binfmt_elf.c:1001
 search_binary_handler fs/exec.c:1742 [inline]
 exec_binprm fs/exec.c:1783 [inline]
 bprm_execve+0xaee/0x1840 fs/exec.c:1852
 do_execveat_common+0x51e/0x6d0 fs/exec.c:1957
 do_execve fs/exec.c:2027 [inline]
 __do_sys_execve fs/exec.c:2103 [inline]
 __se_sys_execve fs/exec.c:2098 [inline]
 __x64_sys_execve+0x8e/0xa0 fs/exec.c:2098
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fdb8ad10107
Code: Unable to access opcode bytes at RIP 0x7fdb8ad100dd.
RSP: 002b:00007ffe74ceb128 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 0000563997d45080 RCX: 00007fdb8ad10107
RDX: 0000563997d450a8 RSI: 0000563997d45080 RDI: 0000563997d45138
RBP: 0000563997d45138 R08: 00007ffe74cefdc4 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 0000563997d450a8
R13: 00007fdb8aed5e8b R14: 0000563997d450a8 R15: 0000000000000000
 </TASK>
----------------
Code disassembly (best guess):
   0:	c1 e8 03             	shr    $0x3,%eax
   3:	42 80 3c 20 00       	cmpb   $0x0,(%rax,%r12,1)
   8:	74 05                	je     0xf
   a:	e8 43 16 89 00       	call   0x891652
   f:	49 8b 77 28          	mov    0x28(%r15),%rsi
  13:	49 8d 4f 20          	lea    0x20(%r15),%rcx
  17:	4c 89 f7             	mov    %r14,%rdi
  1a:	4c 89 fa             	mov    %r15,%rdx
  1d:	e8 10 3d f5 ff       	call   0xfff53d32
  22:	85 c0                	test   %eax,%eax
  24:	74 04                	je     0x2a
  26:	31 c0                	xor    %eax,%eax
  28:	eb 26                	jmp    0x50
* 2a:	4c 89 f7             	mov    %r14,%rdi <-- trapping instruction
  2d:	e8 90 07 00 00       	call   0x7c2
  32:	49 89 c6             	mov    %rax,%r14
  35:	48 89 d8             	mov    %rbx,%rax
  38:	48 c1 e8 03          	shr    $0x3,%rax
  3c:	42                   	rex.X
  3d:	80                   	.byte 0x80
  3e:	3c 20                	cmp    $0x20,%al