------------[ cut here ]------------ kernel BUG at arch/x86/mm/physaddr.c:28! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 PID: 9129 Comm: syz-executor.1 Not tainted 6.9.0-rc1-next-20240328-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:__phys_addr+0x162/0x170 arch/x86/mm/physaddr.c:28 Code: e8 e3 4b 53 00 48 c7 c7 00 73 1a 8e 4c 89 f6 4c 89 fa e8 e1 8e a5 03 e9 45 ff ff ff e8 c7 4b 53 00 90 0f 0b e8 bf 4b 53 00 90 <0f> 0b e8 b7 4b 53 00 90 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 RSP: 0018:ffffc9000d67ee70 EFLAGS: 00010093 RAX: ffffffff81421f11 RBX: 0000000000000001 RCX: ffff888026879e00 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffffffff81ee9651 R08: ffffffff81421e5c R09: 1ffffffff291c6bf R10: dffffc0000000000 R11: fffffbfff291c6c0 R12: 0000000000402800 R13: 0000000000000240 R14: 000040800d67ef00 R15: 000000000000002e FS: 00007fcb167c46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000580 CR3: 0000000067de4000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: virt_to_folio include/linux/mm.h:1307 [inline] virt_to_slab mm/kasan/../slab.h:204 [inline] poison_slab_object+0x1a/0x150 mm/kasan/common.c:222 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2180 [inline] memcg_alloc_abort_single+0x71/0x1c0 mm/slub.c:4372 memcg_slab_post_alloc_hook mm/slub.c:2097 [inline] slab_post_alloc_hook mm/slub.c:3888 [inline] slab_alloc_node mm/slub.c:3927 [inline] kmem_cache_alloc_lru_noprof+0x201/0x2b0 mm/slub.c:3946 xas_alloc lib/xarray.c:375 [inline] xas_create+0x10c1/0x16b0 lib/xarray.c:677 xas_store+0xa3/0x1980 lib/xarray.c:787 __filemap_add_folio+0xacc/0x19d0 mm/filemap.c:914 filemap_add_folio+0x157/0x650 mm/filemap.c:970 page_cache_ra_unbounded+0x212/0x7f0 mm/readahead.c:252 do_async_mmap_readahead mm/filemap.c:3203 [inline] filemap_fault+0x74a/0x16a0 mm/filemap.c:3300 __do_fault+0x135/0x460 mm/memory.c:4531 do_read_fault mm/memory.c:4894 [inline] do_fault mm/memory.c:5024 [inline] do_pte_missing mm/memory.c:3880 [inline] handle_pte_fault+0x4089/0x6c80 mm/memory.c:5350 __handle_mm_fault mm/memory.c:5491 [inline] handle_mm_fault+0x10ea/0x1bb0 mm/memory.c:5656 do_user_addr_fault arch/x86/mm/fault.c:1414 [inline] handle_page_fault arch/x86/mm/fault.c:1506 [inline] exc_page_fault+0x2a8/0x8e0 arch/x86/mm/fault.c:1564 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0010:do_strncpy_from_user lib/strncpy_from_user.c:72 [inline] RIP: 0010:strncpy_from_user+0x21a/0x2f0 lib/strncpy_from_user.c:139 Code: 00 00 00 e8 08 5a ae fc 48 f7 dd 49 89 ed 49 89 dc 48 8b 6c 24 08 4c 8b 3c 24 31 ff 4c 89 e6 e8 cc 5e ae fc 49 83 ec 01 72 43 <43> 8a 1c 2f 4b 8d 3c 2e 48 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 RSP: 0018:ffffc9000d67fc98 EFLAGS: 00050212 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888026879e00 RDX: 0000000000000000 RSI: 0000000000000fe0 RDI: 0000000000000000 RBP: 0000000000000fe0 R08: ffffffff84e710e4 R09: 1ffffffff1f521ad R10: dffffc0000000000 R11: fffffbfff1f521ae R12: 0000000000000fdf R13: 0000000000000000 R14: ffff88805c61d520 R15: 0000000020000580 getname_flags+0xfa/0x4f0 fs/namei.c:150 do_sys_openat2+0xd2/0x1d0 fs/open.c:1400 do_sys_open fs/open.c:1421 [inline] __do_sys_openat fs/open.c:1437 [inline] __se_sys_openat fs/open.c:1432 [inline] __x64_sys_openat+0x247/0x2a0 fs/open.c:1432 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 RIP: 0033:0x7fcb15a7dda9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fcb167c40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007fcb15babf80 RCX: 00007fcb15a7dda9 RDX: 0000000000000000 RSI: 0000000020000580 RDI: ffffffffffffff9c RBP: 00007fcb15aca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fcb15babf80 R15: 00007ffe5d0d7708 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:__phys_addr+0x162/0x170 arch/x86/mm/physaddr.c:28 Code: e8 e3 4b 53 00 48 c7 c7 00 73 1a 8e 4c 89 f6 4c 89 fa e8 e1 8e a5 03 e9 45 ff ff ff e8 c7 4b 53 00 90 0f 0b e8 bf 4b 53 00 90 <0f> 0b e8 b7 4b 53 00 90 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 RSP: 0018:ffffc9000d67ee70 EFLAGS: 00010093 RAX: ffffffff81421f11 RBX: 0000000000000001 RCX: ffff888026879e00 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffffffff81ee9651 R08: ffffffff81421e5c R09: 1ffffffff291c6bf R10: dffffc0000000000 R11: fffffbfff291c6c0 R12: 0000000000402800 R13: 0000000000000240 R14: 000040800d67ef00 R15: 000000000000002e FS: 00007fcb167c46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000580 CR3: 0000000067de4000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: 00 00 add %al,(%rax) 2: 00 e8 add %ch,%al 4: 08 5a ae or %bl,-0x52(%rdx) 7: fc cld 8: 48 f7 dd neg %rbp b: 49 89 ed mov %rbp,%r13 e: 49 89 dc mov %rbx,%r12 11: 48 8b 6c 24 08 mov 0x8(%rsp),%rbp 16: 4c 8b 3c 24 mov (%rsp),%r15 1a: 31 ff xor %edi,%edi 1c: 4c 89 e6 mov %r12,%rsi 1f: e8 cc 5e ae fc call 0xfcae5ef0 24: 49 83 ec 01 sub $0x1,%r12 28: 72 43 jb 0x6d * 2a: 43 8a 1c 2f mov (%r15,%r13,1),%bl <-- trapping instruction 2e: 4b 8d 3c 2e lea (%r14,%r13,1),%rdi 32: 48 89 f8 mov %rdi,%rax 35: 48 c1 e8 03 shr $0x3,%rax 39: 48 rex.W 3a: b9 00 00 00 00 mov $0x0,%ecx