------------[ cut here ]------------ kernel BUG at arch/x86/mm/physaddr.c:28! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 PID: 10188 Comm: syz-executor.3 Not tainted 6.9.0-rc1-next-20240328-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:__phys_addr+0x162/0x170 arch/x86/mm/physaddr.c:28 Code: e8 e3 4b 53 00 48 c7 c7 00 73 1a 8e 4c 89 f6 4c 89 fa e8 e1 8e a5 03 e9 45 ff ff ff e8 c7 4b 53 00 90 0f 0b e8 bf 4b 53 00 90 <0f> 0b e8 b7 4b 53 00 90 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 RSP: 0018:ffffc90009a46cf0 EFLAGS: 00010046 RAX: ffffffff81421f11 RBX: 0000000000000001 RCX: 0000000000040000 RDX: ffffc90009549000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffffff81ee9651 R08: ffffffff81421e5c R09: 1ffffffff2924b37 R10: dffffc0000000000 R11: fffffbfff2924b38 R12: 0000000000402800 R13: 0000000000000240 R14: 0000408009a46d80 R15: 000000000000002e FS: 00007f416e7816c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fd75197c038 CR3: 000000007b85c000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: virt_to_folio include/linux/mm.h:1307 [inline] virt_to_slab mm/kasan/../slab.h:204 [inline] poison_slab_object+0x1a/0x150 mm/kasan/common.c:222 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2180 [inline] memcg_alloc_abort_single+0x71/0x1c0 mm/slub.c:4372 memcg_slab_post_alloc_hook mm/slub.c:2097 [inline] slab_post_alloc_hook mm/slub.c:3888 [inline] slab_alloc_node mm/slub.c:3927 [inline] kmem_cache_alloc_lru_noprof+0x201/0x2b0 mm/slub.c:3946 xas_alloc lib/xarray.c:375 [inline] xas_create+0x10c1/0x16b0 lib/xarray.c:677 xas_store+0xa3/0x1980 lib/xarray.c:787 __filemap_add_folio+0xacc/0x19d0 mm/filemap.c:914 filemap_add_folio+0x157/0x650 mm/filemap.c:970 page_cache_ra_unbounded+0x212/0x7f0 mm/readahead.c:252 do_async_mmap_readahead mm/filemap.c:3203 [inline] filemap_fault+0x74a/0x16a0 mm/filemap.c:3300 __do_fault+0x135/0x460 mm/memory.c:4531 do_read_fault mm/memory.c:4894 [inline] do_fault mm/memory.c:5024 [inline] do_pte_missing mm/memory.c:3880 [inline] handle_pte_fault+0x4089/0x6c80 mm/memory.c:5350 __handle_mm_fault mm/memory.c:5491 [inline] handle_mm_fault+0x10ea/0x1bb0 mm/memory.c:5656 do_user_addr_fault arch/x86/mm/fault.c:1414 [inline] handle_page_fault arch/x86/mm/fault.c:1506 [inline] exc_page_fault+0x2a8/0x8e0 arch/x86/mm/fault.c:1564 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0010:rep_movs_alternative+0x13/0x70 arch/x86/lib/copy_user_64.S:43 Code: cc cc cc 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 83 f9 40 73 40 83 f9 08 73 21 85 c9 74 0f <8a> 06 88 07 48 ff c7 48 ff c6 48 ff c9 75 f1 c3 cc cc cc cc 66 0f RSP: 0018:ffffc90009a47b10 EFLAGS: 00050206 RAX: ffffffff84ac1f01 RBX: 000000002000c2f8 RCX: 0000000000000038 RDX: 0000000000000001 RSI: 000000002000c2c0 RDI: ffffc90009a47ba0 RBP: ffffc90009a47c50 R08: ffffc90009a47bd7 R09: 1ffff92001348f7a R10: dffffc0000000000 R11: fffff52001348f7b R12: 000000002000c2c0 R13: dffffc0000000000 R14: ffffc90009a47ba0 R15: 0000000000000038 copy_user_generic arch/x86/include/asm/uaccess_64.h:110 [inline] raw_copy_from_user arch/x86/include/asm/uaccess_64.h:125 [inline] _copy_from_user+0x8c/0xe0 lib/usercopy.c:23 copy_from_user include/linux/uaccess.h:183 [inline] copy_msghdr_from_user+0xae/0x680 net/socket.c:2514 sendmsg_copy_msghdr net/socket.c:2615 [inline] ___sys_sendmsg net/socket.c:2634 [inline] __sys_sendmsg+0x23d/0x3a0 net/socket.c:2667 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 RIP: 0033:0x7f416da7dda9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f416e7810c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f416dbabf80 RCX: 00007f416da7dda9 RDX: 0000000000000000 RSI: 000000002000c2c0 RDI: 0000000000000005 RBP: 00007f416daca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f416dbabf80 R15: 00007fff6d4b8478 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:__phys_addr+0x162/0x170 arch/x86/mm/physaddr.c:28 Code: e8 e3 4b 53 00 48 c7 c7 00 73 1a 8e 4c 89 f6 4c 89 fa e8 e1 8e a5 03 e9 45 ff ff ff e8 c7 4b 53 00 90 0f 0b e8 bf 4b 53 00 90 <0f> 0b e8 b7 4b 53 00 90 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 RSP: 0018:ffffc90009a46cf0 EFLAGS: 00010046 RAX: ffffffff81421f11 RBX: 0000000000000001 RCX: 0000000000040000 RDX: ffffc90009549000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffffff81ee9651 R08: ffffffff81421e5c R09: 1ffffffff2924b37 R10: dffffc0000000000 R11: fffffbfff2924b38 R12: 0000000000402800 R13: 0000000000000240 R14: 0000408009a46d80 R15: 000000000000002e FS: 00007f416e7816c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fd75197c038 CR3: 000000007b85c000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: cc int3 1: cc int3 2: cc int3 3: 0f 1f 40 00 nopl 0x0(%rax) 7: 90 nop 8: 90 nop 9: 90 nop a: 90 nop b: 90 nop c: 90 nop d: 90 nop e: 90 nop f: 90 nop 10: 90 nop 11: 90 nop 12: 90 nop 13: 90 nop 14: 90 nop 15: 90 nop 16: 90 nop 17: f3 0f 1e fa endbr64 1b: 48 83 f9 40 cmp $0x40,%rcx 1f: 73 40 jae 0x61 21: 83 f9 08 cmp $0x8,%ecx 24: 73 21 jae 0x47 26: 85 c9 test %ecx,%ecx 28: 74 0f je 0x39 * 2a: 8a 06 mov (%rsi),%al <-- trapping instruction 2c: 88 07 mov %al,(%rdi) 2e: 48 ff c7 inc %rdi 31: 48 ff c6 inc %rsi 34: 48 ff c9 dec %rcx 37: 75 f1 jne 0x2a 39: c3 ret 3a: cc int3 3b: cc int3 3c: cc int3 3d: cc int3 3e: 66 data16 3f: 0f .byte 0xf