------------[ cut here ]------------
kernel BUG at include/linux/scatterlist.h:171!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5103 Comm: syz.0.0 Not tainted 6.11.0-syzkaller-11624-ge477dba5442c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:sg_page include/linux/scatterlist.h:171 [inline]
RIP: 0010:sg_phys include/linux/scatterlist.h:389 [inline]
RIP: 0010:perf_trace_dma_unmap_sg+0x784/0x790 include/trace/events/dma.h:224
Code: 00 48 8b 54 24 08 e9 6b fe ff ff e8 46 7e 17 00 48 c7 c7 20 78 94 8e 4c 89 f6 e8 d7 f7 76 03 e9 5b fa ff ff e8 2d 7e 17 00 90 <0f> 0b e8 05 ce 47 0a 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90000007aa0 EFLAGS: 00010006
RAX: ffffffff817d3643 RBX: ffff888000256588 RCX: ffff888000672440
RDX: 0000000000010000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90000007bd0 R08: ffffffff817d333b R09: 322e66313a30303a
R10: dffffc0000000000 R11: fffff91ffff889ef R12: 0000000000000008
R13: ffff88801faba8c1 R14: ffff8880002565a8 R15: dffffc0000000000
FS:  00007f4373d6d6c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5c7cd58449 CR3: 0000000012e44000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 trace_dma_unmap_sg+0x1c2/0x230 include/trace/events/dma.h:224
 dma_unmap_sg_attrs+0x49/0xe0 kernel/dma/mapping.c:308
 ata_sg_clean drivers/ata/libata-core.c:4627 [inline]
 __ata_qc_complete+0x1ae/0x5b0 drivers/ata/libata-core.c:4720
 ata_qc_complete_multiple+0x1a3/0x280 drivers/ata/libata-sata.c:789
 ahci_qc_complete drivers/ata/libahci.c:1881 [inline]
 ahci_handle_port_interrupt+0x422/0x650 drivers/ata/libahci.c:1948
 ahci_port_intr drivers/ata/libahci.c:1959 [inline]
 ahci_handle_port_intr+0x18e/0x2c0 drivers/ata/libahci.c:1990
 ahci_single_level_irq_intr+0xa1/0xf0 drivers/ata/libahci.c:2024
 __handle_irq_event_percpu+0x29a/0xa80 kernel/irq/handle.c:158
 handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
 handle_irq_event+0x89/0x1f0 kernel/irq/handle.c:210
 handle_edge_irq+0x25f/0xc20 kernel/irq/chip.c:831
 generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
 handle_irq arch/x86/kernel/irq.c:247 [inline]
 call_irq_handler arch/x86/kernel/irq.c:259 [inline]
 __common_interrupt+0x136/0x230 arch/x86/kernel/irq.c:285
 common_interrupt+0xb4/0xd0 arch/x86/kernel/irq.c:278
 </IRQ>
 <TASK>
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:clear_page_erms+0xb/0x20 arch/x86/lib/clear_page_64.S:50
Code: 48 8d 7f 40 75 d9 90 c3 cc cc cc cc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa b9 00 10 00 00 31 c0 <f3> aa c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90
RSP: 0018:ffffc9000316f330 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000001000
RDX: ffff88804cf52000 RSI: 0000000000000001 RDI: ffff88804cf52000
RBP: ffff88802fffbcf0 R08: ffffea000133d4b7 R09: 0000000000000000
R10: ffffed10099ea400 R11: fffff94000267a97 R12: 0000000000000001
R13: 0000000000000001 R14: ffffea000133d480 R15: 0000000000000000
 clear_page arch/x86/include/asm/page_64.h:54 [inline]
 clear_highpage_kasan_tagged include/linux/highmem.h:248 [inline]
 kernel_init_pages mm/page_alloc.c:1036 [inline]
 post_alloc_hook+0xf8/0x230 mm/page_alloc.c:1535
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
 folio_alloc_mpol_noprof+0x36/0x50 mm/mempolicy.c:2283
 shmem_alloc_folio mm/shmem.c:1774 [inline]
 shmem_alloc_and_add_folio+0x49b/0x13d0 mm/shmem.c:1813
 shmem_get_folio_gfp+0x5a9/0x20a0 mm/shmem.c:2335
 shmem_get_folio mm/shmem.c:2441 [inline]
 shmem_write_begin+0x17e/0x460 mm/shmem.c:3046
 generic_perform_write+0x344/0x6d0 mm/filemap.c:4050
 shmem_file_write_iter+0xf9/0x120 mm/shmem.c:3221
 new_sync_write fs/read_write.c:590 [inline]
 vfs_write+0xa6d/0xc90 fs/read_write.c:683
 ksys_write+0x183/0x2b0 fs/read_write.c:736
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4372f7cadf
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 c9 8d 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 1c 8e 02 00 48
RSP: 002b:00007f4373d6cdf0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000001000000 RCX: 00007f4372f7cadf
RDX: 0000000001000000 RSI: 00007f4367400000 RDI: 0000000000000006
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000009759
R10: 0000000000000002 R11: 0000000000000293 R12: 0000000000000006
R13: 00007f4373d6cef0 R14: 00007f4373d6ceb0 R15: 00007f4367400000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:sg_page include/linux/scatterlist.h:171 [inline]
RIP: 0010:sg_phys include/linux/scatterlist.h:389 [inline]
RIP: 0010:perf_trace_dma_unmap_sg+0x784/0x790 include/trace/events/dma.h:224
Code: 00 48 8b 54 24 08 e9 6b fe ff ff e8 46 7e 17 00 48 c7 c7 20 78 94 8e 4c 89 f6 e8 d7 f7 76 03 e9 5b fa ff ff e8 2d 7e 17 00 90 <0f> 0b e8 05 ce 47 0a 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90000007aa0 EFLAGS: 00010006
RAX: ffffffff817d3643 RBX: ffff888000256588 RCX: ffff888000672440
RDX: 0000000000010000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90000007bd0 R08: ffffffff817d333b R09: 322e66313a30303a
R10: dffffc0000000000 R11: fffff91ffff889ef R12: 0000000000000008
R13: ffff88801faba8c1 R14: ffff8880002565a8 R15: dffffc0000000000
FS:  00007f4373d6d6c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5c7cd58449 CR3: 0000000012e44000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	48 8d 7f 40          	lea    0x40(%rdi),%rdi
   4:	75 d9                	jne    0xffffffdf
   6:	90                   	nop
   7:	c3                   	ret
   8:	cc                   	int3
   9:	cc                   	int3
   a:	cc                   	int3
   b:	cc                   	int3
   c:	0f 1f 00             	nopl   (%rax)
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	90                   	nop
  15:	90                   	nop
  16:	90                   	nop
  17:	90                   	nop
  18:	90                   	nop
  19:	90                   	nop
  1a:	90                   	nop
  1b:	90                   	nop
  1c:	90                   	nop
  1d:	90                   	nop
  1e:	90                   	nop
  1f:	f3 0f 1e fa          	endbr64
  23:	b9 00 10 00 00       	mov    $0x1000,%ecx
  28:	31 c0                	xor    %eax,%eax
* 2a:	f3 aa                	rep stos %al,%es:(%rdi) <-- trapping instruction
  2c:	c3                   	ret
  2d:	cc                   	int3
  2e:	cc                   	int3
  2f:	cc                   	int3
  30:	cc                   	int3
  31:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  38:	00 00 00
  3b:	0f 1f 40 00          	nopl   0x0(%rax)
  3f:	90                   	nop