BUG: unable to handle page fault for address: ffffffffa0000fa0
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD ba8f067 P4D ba8f067 PUD ba90063 PMD 169d5067 PTE 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 6444 Comm: syz-executor.0 Not tainted 5.19.0-rc2-syzkaller-00453-g395e942d34a2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:bpf_prog_9d4bccaf8ccaf0dc_F+0x0/0xd
Code: Unable to access opcode bytes at RIP 0xffffffffa0000f76.
RSP: 0018:ffffc90005246e50 EFLAGS: 00010046
RAX: dffffc0000000000 RBX: ffffc900046f3000 RCX: ffffc900032f1000
RDX: 1ffff920008de606 RSI: ffffc900046f3048 RDI: 00000000ffff8880
RBP: ffffc90005246e58 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000001
R13: ffff88801b8cd880 R14: ffff88802392d880 R15: 0000000000000001
FS:  00007fa532907700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffa0000f76 CR3: 0000000075587000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 bpf_dispatcher_nop_func include/linux/bpf.h:885 [inline]
 __bpf_prog_run include/linux/filter.h:594 [inline]
 bpf_prog_run include/linux/filter.h:601 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2046 [inline]
 bpf_trace_run4+0x124/0x360 kernel/trace/bpf_trace.c:2085
 __bpf_trace_sched_switch+0x115/0x160 include/trace/events/sched.h:222
 trace_sched_switch include/trace/events/sched.h:222 [inline]
 __schedule+0x145b/0x4b30 kernel/sched/core.c:6425
 preempt_schedule_irq+0x4e/0x90 kernel/sched/core.c:6736
 irqentry_exit+0x31/0x80 kernel/entry/common.c:428
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline]
RIP: 0010:arch_local_irq_save arch/x86/include/asm/irqflags.h:106 [inline]
RIP: 0010:lock_is_held_type+0x51/0x140 kernel/locking/lockdep.c:5704
Code: 8b 76 85 c0 0f 85 ca 00 00 00 65 4c 8b 24 25 80 6f 02 00 41 8b 94 24 5c 0a 00 00 85 d2 0f 85 b1 00 00 00 48 89 fd 41 89 f6 9c <8f> 04 24 fa 48 c7 c7 20 7d cc 89 31 db e8 dd 0d 00 00 41 8b 84 24
RSP: 0018:ffffc90005247228 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffffffff8bdcbd98
RBP: ffffffff8bdcbd98 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88802392d880
R13: 00000000ffffffff R14: 00000000ffffffff R15: 00fff00000000000
 lock_is_held include/linux/lockdep.h:279 [inline]
 task_css include/linux/cgroup.h:495 [inline]
 blkcg_css.part.0+0xb9/0x1b0 block/blk-cgroup.c:76
 blkcg_css block/blk-cgroup.c:2025 [inline]
 blk_cgroup_congested+0x117/0x260 block/blk-cgroup.c:2023
 __cgroup_throttle_swaprate+0x7e/0x2a0 mm/swapfile.c:3645
 cgroup_throttle_swaprate include/linux/swap.h:639 [inline]
 wp_page_copy+0x447/0x1e20 mm/memory.c:3127
 do_wp_page+0x573/0x1b60 mm/memory.c:3396
 handle_pte_fault mm/memory.c:4921 [inline]
 __handle_mm_fault+0x2371/0x3f50 mm/memory.c:5042
 handle_mm_fault+0x1c8/0x790 mm/memory.c:5140
 do_user_addr_fault+0x489/0x11c0 arch/x86/mm/fault.c:1397
 handle_page_fault arch/x86/mm/fault.c:1484 [inline]
 exc_page_fault+0x9e/0x180 arch/x86/mm/fault.c:1540
 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0010:copy_user_enhanced_fast_string+0xa/0x40 arch/x86/lib/copy_user_64.S:166
Code: ff c9 75 f2 89 d1 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 31 c0 0f 01 ca c3 8d 0c ca 89 ca eb 20 0f 01 cb 83 fa 40 72 38 89 d1 <f3> a4 31 c0 0f 01 ca c3 89 ca eb 0a 66 2e 0f 1f 84 00 00 00 00 00
RSP: 0018:ffffc90005247770 EFLAGS: 00050206
RAX: 0000000000000001 RBX: 00000000000101d0 RCX: 000000000000c970
RDX: 00000000000101d0 RSI: ffff888058b83948 RDI: 0000000020024000
RBP: 00000000200207a0 R08: 0000000000000000 R09: ffff888058b902b7
R10: ffffed100b172056 R11: 0000000000000000 R12: ffff888058b800e8
R13: 00007ffffffeee30 R14: 0000000000000000 R15: ffffc90005247d38
 copy_user_generic arch/x86/include/asm/uaccess_64.h:37 [inline]
 raw_copy_to_user arch/x86/include/asm/uaccess_64.h:58 [inline]
 copyout.part.0+0xd8/0x100 lib/iov_iter.c:155
 copyout lib/iov_iter.c:667 [inline]
 _copy_to_iter+0x2b9/0x1890 lib/iov_iter.c:667
 copy_to_iter include/linux/uio.h:162 [inline]
 simple_copy_to_iter+0x4c/0x70 net/core/datagram.c:513
 __skb_datagram_iter+0x10f/0x770 net/core/datagram.c:419
 skb_copy_datagram_iter+0xa2/0x2c0 net/core/datagram.c:527
 skb_copy_datagram_msg include/linux/skbuff.h:3827 [inline]
 tipc_recvstream+0x3e9/0x910 net/tipc/socket.c:2070
 sock_recvmsg_nosec net/socket.c:995 [inline]
 sock_recvmsg net/socket.c:1013 [inline]
 sock_recvmsg net/socket.c:1009 [inline]
 ____sys_recvmsg+0x2c7/0x600 net/socket.c:2708
 ___sys_recvmsg+0x127/0x200 net/socket.c:2750
 __sys_recvmsg net/socket.c:2780 [inline]
 __do_sys_recvmsg net/socket.c:2790 [inline]
 __se_sys_recvmsg net/socket.c:2787 [inline]
 __x64_sys_recvmsg+0x12f/0x220 net/socket.c:2787
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa531889109
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa532907168 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00007fa53199bf60 RCX: 00007fa531889109
RDX: 0000000000001f00 RSI: 0000000020000500 RDI: 0000000000000005
RBP: 00007fa5318e305d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffde383551f R14: 00007fa532907300 R15: 0000000000022000
 </TASK>
Modules linked in:
CR2: ffffffffa0000fa0
---[ end trace 0000000000000000 ]---
RIP: 0010:bpf_prog_9d4bccaf8ccaf0dc_F+0x0/0xd
Code: Unable to access opcode bytes at RIP 0xffffffffa0000f76.
RSP: 0018:ffffc90005246e50 EFLAGS: 00010046
RAX: dffffc0000000000 RBX: ffffc900046f3000 RCX: ffffc900032f1000
RDX: 1ffff920008de606 RSI: ffffc900046f3048 RDI: 00000000ffff8880
RBP: ffffc90005246e58 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000001
R13: ffff88801b8cd880 R14: ffff88802392d880 R15: 0000000000000001
FS:  00007fa532907700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffa0000f76 CR3: 0000000075587000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	8b 76 85             	mov    -0x7b(%rsi),%esi
   3:	c0 0f 85             	rorb   $0x85,(%rdi)
   6:	ca 00 00             	lret   $0x0
   9:	00 65 4c             	add    %ah,0x4c(%rbp)
   c:	8b 24 25 80 6f 02 00 	mov    0x26f80,%esp
  13:	41 8b 94 24 5c 0a 00 	mov    0xa5c(%r12),%edx
  1a:	00
  1b:	85 d2                	test   %edx,%edx
  1d:	0f 85 b1 00 00 00    	jne    0xd4
  23:	48 89 fd             	mov    %rdi,%rbp
  26:	41 89 f6             	mov    %esi,%r14d
  29:	9c                   	pushfq
* 2a:	8f 04 24             	popq   (%rsp) <-- trapping instruction
  2d:	fa                   	cli
  2e:	48 c7 c7 20 7d cc 89 	mov    $0xffffffff89cc7d20,%rdi
  35:	31 db                	xor    %ebx,%ebx
  37:	e8 dd 0d 00 00       	callq  0xe19
  3c:	41                   	rex.B
  3d:	8b                   	.byte 0x8b
  3e:	84                   	.byte 0x84
  3f:	24                   	.byte 0x24