------------[ cut here ]------------
WARNING: CPU: 0 PID: 4256 at mm/maccess.c:226 copy_from_user_nofault+0x15c/0x1c0
Modules linked in:
CPU: 0 PID: 4256 Comm: syz.1.2 Not tainted 5.15.173-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
RIP: 0010:copy_from_user_nofault+0x15c/0x1c0 mm/maccess.c:226
Code: db 48 c7 c0 f2 ff ff ff 48 0f 44 c5 eb 0c e8 cb c6 d5 ff 48 c7 c0 f2 ff ff ff 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 b4 c6 d5 ff <0f> 0b e9 1e ff ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c ef fe ff
RSP: 0000:ffffc90000007210 EFLAGS: 00010246
RAX: ffffffff81aaacec RBX: 0000000000000000 RCX: ffff888022ac5940
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffffffff81aaabfd R09: ffffed1004558b29
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffffc90000007288
FS:  000055557d5df500(0000) GS:ffff8880b9000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4db37781d0 CR3: 000000005e8e8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 bpf_probe_read_user_common kernel/trace/bpf_trace.c:157 [inline]
 ____bpf_probe_read_compat kernel/trace/bpf_trace.c:281 [inline]
 bpf_probe_read_compat+0xe4/0x180 kernel/trace/bpf_trace.c:277
 bpf_prog_3d2613b5dfc7747f+0x32/0x604
 bpf_dispatcher_nop_func include/linux/bpf.h:790 [inline]
 __bpf_prog_run include/linux/filter.h:628 [inline]
 bpf_prog_run include/linux/filter.h:635 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:1878 [inline]
 bpf_trace_run2+0x19e/0x340 kernel/trace/bpf_trace.c:1915
 __bpf_trace_kfree+0x6e/0x90 include/trace/events/kmem.h:118
 trace_kfree include/trace/events/kmem.h:118 [inline]
 kfree+0x22f/0x270 mm/slub.c:4549
 skb_free_head net/core/skbuff.c:655 [inline]
 skb_release_data+0x73a/0x8a0 net/core/skbuff.c:677
 skb_release_all net/core/skbuff.c:742 [inline]
 __kfree_skb net/core/skbuff.c:756 [inline]
 consume_skb+0xa3/0x140 net/core/skbuff.c:914
 nsim_start_xmit+0x9a/0xc0 drivers/net/netdevsim/netdev.c:42
 __netdev_start_xmit include/linux/netdevice.h:5019 [inline]
 netdev_start_xmit include/linux/netdevice.h:5033 [inline]
 xmit_one net/core/dev.c:3617 [inline]
 dev_hard_start_xmit+0x298/0x7a0 net/core/dev.c:3633
 __dev_queue_xmit+0x1c8e/0x32b0 net/core/dev.c:4256
 neigh_hh_output include/net/neighbour.h:493 [inline]
 neigh_output include/net/neighbour.h:507 [inline]
 ip6_finish_output2+0xead/0x15a0 net/ipv6/ip6_output.c:130
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK include/linux/netfilter.h:302 [inline]
 ndisc_send_skb+0xae0/0x13c0 net/ipv6/ndisc.c:511
 addrconf_rs_timer+0x357/0x610 net/ipv6/addrconf.c:3959
 call_timer_fn+0x16d/0x560 kernel/time/timer.c:1451
 expire_timers kernel/time/timer.c:1496 [inline]
 __run_timers+0x67c/0x890 kernel/time/timer.c:1767
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1780
 handle_softirqs+0x3a7/0x930 kernel/softirq.c:558
 __do_softirq kernel/softirq.c:592 [inline]
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x157/0x240 kernel/softirq.c:641
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:653
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:lock_acquire+0x252/0x4f0 kernel/locking/lockdep.c:5627
Code: 2b 00 74 08 4c 89 f7 e8 fc 8c 67 00 f6 44 24 61 02 0f 85 84 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25
RSP: 0000:ffffc90003257aa0 EFLAGS: 00000206
RAX: 0000000000000001 RBX: 1ffff9200064af60 RCX: ffffffff81637932
RDX: dffffc0000000000 RSI: ffffffff8a8b3d20 RDI: ffffffff8ad90540
RBP: ffffc90003257bf8 R08: dffffc0000000000 R09: fffffbfff20ec821
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff9200064af5c
R13: dffffc0000000000 R14: ffffc90003257b00 R15: 0000000000000246
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:363 [inline]
 handle_pte_fault mm/memory.c:4658 [inline]
 __handle_mm_fault mm/memory.c:4783 [inline]
 handle_mm_fault+0x2953/0x5960 mm/memory.c:4881
 do_user_addr_fault arch/x86/mm/fault.c:1357 [inline]
 handle_page_fault arch/x86/mm/fault.c:1445 [inline]
 exc_page_fault+0x271/0x700 arch/x86/mm/fault.c:1501
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:606
RIP: 0033:0x7f4db34868fc
Code: 23 83 c0 01 44 39 d0 75 dc 48 89 f0 25 ff 1f 00 00 49 89 34 c1 41 88 3c 00 31 c0 c3 66 90 41 38 3c 10 74 0b 41 88 3c 10 31 c0 <49> 89 34 d1 c3 b8 01 00 00 00 c3 66 0f 1f 84 00 00 00 00 00 55 48
RSP: 002b:00007fff52625a08 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00007f4db42ad720 RCX: 0000000000000000
RDX: 0000000000001c3a RSI: ffffffff818e5c3a RDI: 0000000000000000
RBP: ffffffff818e5c3a R08: 00007f4db3768000 R09: 00007f4db376a000
R10: 00000000818e5c3e R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff818e53f9 R15: 000000000000000c
 </TASK>
----------------
Code disassembly (best guess):
   0:	2b 00                	sub    (%rax),%eax
   2:	74 08                	je     0xc
   4:	4c 89 f7             	mov    %r14,%rdi
   7:	e8 fc 8c 67 00       	call   0x678d08
   c:	f6 44 24 61 02       	testb  $0x2,0x61(%rsp)
  11:	0f 85 84 01 00 00    	jne    0x19b
  17:	41 f7 c7 00 02 00 00 	test   $0x200,%r15d
  1e:	74 01                	je     0x21
  20:	fb                   	sti
  21:	48 c7 44 24 40 0e 36 	movq   $0x45e0360e,0x40(%rsp)
  28:	e0 45
* 2a:	4b c7 44 25 00 00 00 	movq   $0x0,0x0(%r13,%r12,1) <-- trapping instruction
  31:	00 00
  33:	43 c7 44 25 09 00 00 	movl   $0x0,0x9(%r13,%r12,1)
  3a:	00 00
  3c:	43                   	rex.XB
  3d:	c7                   	.byte 0xc7
  3e:	44                   	rex.R
  3f:	25                   	.byte 0x25