------------[ cut here ]------------ kernel BUG at arch/x86/mm/physaddr.c:28! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 PID: 12996 Comm: syz-executor.0 Not tainted 6.9.0-rc2-next-20240402-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:__phys_addr+0x162/0x170 arch/x86/mm/physaddr.c:28 Code: e8 83 56 53 00 48 c7 c7 00 73 1a 8e 4c 89 f6 4c 89 fa e8 a1 d9 a5 03 e9 45 ff ff ff e8 67 56 53 00 90 0f 0b e8 5f 56 53 00 90 <0f> 0b e8 57 56 53 00 90 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 RSP: 0018:ffffc900020aefb0 EFLAGS: 00010046 RAX: ffffffff81421ed1 RBX: 0000000000000001 RCX: 0000000000040000 RDX: ffffc900158cb000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffffff81eed5e1 R08: ffffffff81421e1c R09: 1ffffffff29392a0 R10: dffffc0000000000 R11: fffffbfff29392a1 R12: 0000000000402800 R13: 0000000000000240 R14: 00004080020af040 R15: 000000000000002e FS: 00007f8c958a96c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffa17f7c038 CR3: 000000002345c000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: virt_to_folio include/linux/mm.h:1307 [inline] virt_to_slab mm/kasan/../slab.h:204 [inline] poison_slab_object+0x1a/0x150 mm/kasan/common.c:222 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2180 [inline] memcg_alloc_abort_single+0x71/0x1c0 mm/slub.c:4372 memcg_slab_post_alloc_hook mm/slub.c:2097 [inline] slab_post_alloc_hook mm/slub.c:3888 [inline] slab_alloc_node mm/slub.c:3927 [inline] kmem_cache_alloc_lru_noprof+0x201/0x2b0 mm/slub.c:3946 xas_alloc lib/xarray.c:375 [inline] xas_create+0x10c1/0x16b0 lib/xarray.c:677 xas_store+0xa3/0x1980 lib/xarray.c:787 __filemap_add_folio+0xacc/0x19d0 mm/filemap.c:914 filemap_add_folio+0x157/0x650 mm/filemap.c:970 page_cache_ra_unbounded+0x212/0x7f0 mm/readahead.c:252 do_async_mmap_readahead mm/filemap.c:3203 [inline] filemap_fault+0x74d/0x16a0 mm/filemap.c:3300 __do_fault+0x135/0x460 mm/memory.c:4541 do_read_fault mm/memory.c:4904 [inline] do_fault mm/memory.c:5034 [inline] do_pte_missing mm/memory.c:3887 [inline] handle_pte_fault+0x4299/0x6eb0 mm/memory.c:5361 __handle_mm_fault mm/memory.c:5502 [inline] handle_mm_fault+0x10e7/0x1bb0 mm/memory.c:5667 do_user_addr_fault arch/x86/mm/fault.c:1414 [inline] handle_page_fault arch/x86/mm/fault.c:1506 [inline] exc_page_fault+0x2a8/0x8e0 arch/x86/mm/fault.c:1564 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0010:do_strncpy_from_user lib/strncpy_from_user.c:72 [inline] RIP: 0010:strncpy_from_user+0x21a/0x2f0 lib/strncpy_from_user.c:139 Code: 00 00 00 e8 e8 19 ae fc 48 f7 dd 49 89 ed 49 89 dc 48 8b 6c 24 08 4c 8b 3c 24 31 ff 4c 89 e6 e8 ac 1e ae fc 49 83 ec 01 72 43 <43> 8a 1c 2f 4b 8d 3c 2e 48 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 RSP: 0018:ffffc900020afdd0 EFLAGS: 00050212 RAX: 0000000000000002 RBX: ffffc900020afe60 RCX: ffff88805739da00 RDX: ffffc900158cb000 RSI: 0000000000000020 RDI: 0000000000000000 RBP: 0000000000000020 R08: ffffffff84e75b64 R09: ffffffff82089c07 R10: 0000000000000003 R11: ffff88805739da00 R12: 000000000000001f R13: 0000000000000000 R14: ffffc900020afe60 R15: 0000000020000000 key_get_type_from_user security/keys/keyctl.c:51 [inline] __do_sys_add_key security/keys/keyctl.c:90 [inline] __se_sys_add_key+0xd9/0x490 security/keys/keyctl.c:74 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x72/0x7a RIP: 0033:0x7f8c94a7dda9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f8c958a90c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8 RAX: ffffffffffffffda RBX: 00007f8c94babf80 RCX: 00007f8c94a7dda9 RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000020000000 RBP: 00007f8c94aca47a R08: fffffffffffffffe R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f8c94babf80 R15: 00007ffc1a58e188 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:__phys_addr+0x162/0x170 arch/x86/mm/physaddr.c:28 Code: e8 83 56 53 00 48 c7 c7 00 73 1a 8e 4c 89 f6 4c 89 fa e8 a1 d9 a5 03 e9 45 ff ff ff e8 67 56 53 00 90 0f 0b e8 5f 56 53 00 90 <0f> 0b e8 57 56 53 00 90 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 RSP: 0018:ffffc900020aefb0 EFLAGS: 00010046 RAX: ffffffff81421ed1 RBX: 0000000000000001 RCX: 0000000000040000 RDX: ffffc900158cb000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffffff81eed5e1 R08: ffffffff81421e1c R09: 1ffffffff29392a0 R10: dffffc0000000000 R11: fffffbfff29392a1 R12: 0000000000402800 R13: 0000000000000240 R14: 00004080020af040 R15: 000000000000002e FS: 00007f8c958a96c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffa17f7c038 CR3: 000000002345c000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: 00 00 add %al,(%rax) 2: 00 e8 add %ch,%al 4: e8 19 ae fc 48 call 0x48fcae22 9: f7 dd neg %ebp b: 49 89 ed mov %rbp,%r13 e: 49 89 dc mov %rbx,%r12 11: 48 8b 6c 24 08 mov 0x8(%rsp),%rbp 16: 4c 8b 3c 24 mov (%rsp),%r15 1a: 31 ff xor %edi,%edi 1c: 4c 89 e6 mov %r12,%rsi 1f: e8 ac 1e ae fc call 0xfcae1ed0 24: 49 83 ec 01 sub $0x1,%r12 28: 72 43 jb 0x6d * 2a: 43 8a 1c 2f mov (%r15,%r13,1),%bl <-- trapping instruction 2e: 4b 8d 3c 2e lea (%r14,%r13,1),%rdi 32: 48 89 f8 mov %rdi,%rax 35: 48 c1 e8 03 shr $0x3,%rax 39: 48 rex.W 3a: b9 00 00 00 00 mov $0x0,%ecx