RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
BUG: unable to handle page fault for address: ffff888022e74000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 12c01067 P4D 12c01067 PUD 12c02067 PMD 2727c063 PTE 8000000022e74063
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 12816 Comm: syz-executor.1 Not tainted 6.7.0-rc4-syzkaller-00384-gb10a3ccaf6e3 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:clear_page_erms+0xb/0x10 arch/x86/lib/clear_page_64.S:50
Code: 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 c3 0f 1f 80 00 00 00 00 f3 0f 1e fa b9 00 10 00 00 31 c0 aa c3 66 90 f3 0f 1e fa 48 83 f9 40 73 36 83 f9 08 73 0f 85 c9
RSP: 0000:ffffc90020d3f130 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000001000
RDX: ffffea00008b9d00 RSI: ffff888000000000 RDI: ffff888022e74000
RBP: ffffea00008b9d00 R08: 0000160000000000 R09: 0000000000000000
R10: ffffed10045ce800 R11: dffffc0000000000 R12: 0000000000000000
R13: ffffea00008b9d40 R14: 0000000000000001 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88802c700000(0063) knlGS:00000000f7f91b40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: ffff888022e74000 CR3: 000000001b66a000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 clear_page arch/x86/include/asm/page_64.h:53 [inline]
 clear_highpage_kasan_tagged include/linux/highmem.h:248 [inline]
 kernel_init_pages mm/page_alloc.c:1072 [inline]
 post_alloc_hook+0x1a3/0x350 mm/page_alloc.c:1535
 prep_new_page mm/page_alloc.c:1544 [inline]
 get_page_from_freelist+0xa25/0x36d0 mm/page_alloc.c:3312
 __alloc_pages+0x22e/0x2420 mm/page_alloc.c:4568
 alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
 __get_free_pages+0xc/0x40 mm/page_alloc.c:4615
 tlb_next_batch mm/mmu_gather.c:35 [inline]
 __tlb_remove_page_size+0x2a8/0x470 mm/mmu_gather.c:136
 __tlb_remove_page include/asm-generic/tlb.h:471 [inline]
 zap_pte_range mm/memory.c:1469 [inline]
 zap_pmd_range mm/memory.c:1583 [inline]
 zap_pud_range mm/memory.c:1612 [inline]
 zap_p4d_range mm/memory.c:1633 [inline]
 unmap_page_range+0x1314/0x2b70 mm/memory.c:1654
 unmap_single_vma+0x194/0x2b0 mm/memory.c:1700
 unmap_vmas+0x229/0x470 mm/memory.c:1744
 exit_mmap+0x1ad/0xa70 mm/mmap.c:3308
 __mmput+0x12a/0x4d0 kernel/fork.c:1349
 mmput+0x62/0x70 kernel/fork.c:1371
 dup_mm kernel/fork.c:1707 [inline]
 copy_mm kernel/fork.c:1740 [inline]
 copy_process+0x45d2/0x73f0 kernel/fork.c:2502
 kernel_clone+0xfd/0x930 kernel/fork.c:2907
 __do_compat_sys_ia32_clone+0xb7/0xf0 arch/x86/kernel/sys_ia32.c:254
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0x62/0xe0 arch/x86/entry/common.c:321
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:346
 entry_SYSENTER_compat_after_hwframe+0x70/0x7a
RIP: 0023:0xf7f96579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f7f9155c EFLAGS: 00000246 ORIG_RAX: 0000000000000078
RAX: ffffffffffffffda RBX: 0000000080040000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
CR2: ffff888022e74000
---[ end trace 0000000000000000 ]---
RIP: 0010:clear_page_erms+0xb/0x10 arch/x86/lib/clear_page_64.S:50
Code: 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 c3 0f 1f 80 00 00 00 00 f3 0f 1e fa b9 00 10 00 00 31 c0 aa c3 66 90 f3 0f 1e fa 48 83 f9 40 73 36 83 f9 08 73 0f 85 c9
RSP: 0000:ffffc90020d3f130 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000001000
RDX: ffffea00008b9d00 RSI: ffff888000000000 RDI: ffff888022e74000
RBP: ffffea00008b9d00 R08: 0000160000000000 R09: 0000000000000000
R10: ffffed10045ce800 R11: dffffc0000000000 R12: 0000000000000000
R13: ffffea00008b9d40 R14: 0000000000000001 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88802c700000(0063) knlGS:00000000f7f91b40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: ffff888022e74000 CR3: 000000001b66a000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0: 48 89 47 20             mov    %rax,0x20(%rdi)
   4: 48 89 47 28             mov    %rax,0x28(%rdi)
   8: 48 89 47 30             mov    %rax,0x30(%rdi)
   c: 48 89 47 38             mov    %rax,0x38(%rdi)
  10: 48 8d 7f 40             lea    0x40(%rdi),%rdi
  14: 75 d9                   jne    0xffffffef
  16: 90                      nop
  17: c3                      ret
  18: 0f 1f 80 00 00 00 00    nopl   0x0(%rax)
  1f: f3 0f 1e fa             endbr64
  23: b9 00 10 00 00          mov    $0x1000,%ecx
  28: 31 c0                   xor    %eax,%eax
* 2a: f3 aa                   rep stos %al,%es:(%rdi) <-- trapping instruction
  2c: c3                      ret
  2d: 66 90                   xchg   %ax,%ax
  2f: f3 0f 1e fa             endbr64
  33: 48 83 f9 40             cmp    $0x40,%rcx
  37: 73 36                   jae    0x6f
  39: 83 f9 08                cmp    $0x8,%ecx
  3c: 73 0f                   jae    0x4d
  3e: 85 c9                   test   %ecx,%ecx