------------[ cut here ]------------
WARNING: CPU: 1 PID: 4159 at mm/maccess.c:226 copy_from_user_nofault+0x160/0x1c0 mm/maccess.c:226
Modules linked in:
CPU: 1 PID: 4159 Comm: syz-executor Not tainted 5.15.185-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:copy_from_user_nofault+0x160/0x1c0 mm/maccess.c:226
Code: 24 45 31 f6 31 ff 89 de e8 ad e2 d7 ff 85 db 48 c7 c0 f2 ff ff ff 49 0f 44 c6 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 30 df d7 ff <0f> 0b e9 1c ff ff ff 44 89 e1 80 e1 07 80 c1 03 38 c1 0f 8c ea fe
RSP: 0018:ffffc90000dcf9c8 EFLAGS: 00010246
RAX: ffffffff819fe2f0 RBX: 0000000000000000 RCX: ffff88807a403b80
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: dffffc0000000000 R09: fffffbfff1ff3619
R10: fffffbfff1ff3619 R11: 1ffffffff1ff3618 R12: ffff88807a405308
R13: dffffc0000000000 R14: ffffc90000dcfa28 R15: 0000000000000000
FS:  0000555572e24500(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000010000 CR3: 000000001f77f000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 bpf_probe_read_user_common kernel/trace/bpf_trace.c:157 [inline]
 ____bpf_probe_read_user kernel/trace/bpf_trace.c:166 [inline]
 bpf_probe_read_user+0x26/0x70 kernel/trace/bpf_trace.c:163
 bpf_prog_f71667c8aa58b018+0x3a/0xf54
 bpf_dispatcher_nop_func include/linux/bpf.h:790 [inline]
 __bpf_prog_run include/linux/filter.h:628 [inline]
 bpf_prog_run include/linux/filter.h:635 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:1878 [inline]
 bpf_trace_run2+0x15b/0x2d0 kernel/trace/bpf_trace.c:1915
 __bpf_trace_kfree+0x6e/0x90 include/trace/events/kmem.h:118
 trace_kfree include/trace/events/kmem.h:118 [inline]
 kfree+0x25f/0x2a0 mm/slub.c:4549
 skb_free_head net/core/skbuff.c:655 [inline]
 skb_release_data+0x6fe/0x850 net/core/skbuff.c:677
 skb_release_all net/core/skbuff.c:742 [inline]
 __kfree_skb+0x4c/0x60 net/core/skbuff.c:756
 tcp_clean_rtx_queue net/ipv4/tcp_input.c:3400 [inline]
 tcp_ack+0x2086/0x6260 net/ipv4/tcp_input.c:3957
 tcp_rcv_established+0xe7d/0x1c80 net/ipv4/tcp_input.c:5973
 tcp_v4_do_rcv+0x44b/0x9b0 net/ipv4/tcp_ipv4.c:1731
 tcp_v4_rcv+0x268f/0x2cb0 net/ipv4/tcp_ipv4.c:2143
 ip_protocol_deliver_rcu+0x3ad/0x770 net/ipv4/ip_input.c:204
 ip_local_deliver_finish+0x1d5/0x320 net/ipv4/ip_input.c:231
 NF_HOOK+0x2d6/0x360 include/linux/netfilter.h:302
 dst_input include/net/dst.h:462 [inline]
 ip_sublist_rcv_finish net/ipv4/ip_input.c:577 [inline]
 ip_list_rcv_finish net/ipv4/ip_input.c:628 [inline]
 ip_sublist_rcv+0xa1f/0xce0 net/ipv4/ip_input.c:636
 ip_list_rcv+0x3df/0x430 net/ipv4/ip_input.c:671
 __netif_receive_skb_list_ptype net/core/dev.c:5568 [inline]
 __netif_receive_skb_list_core+0x574/0x740 net/core/dev.c:5616
 __netif_receive_skb_list net/core/dev.c:5668 [inline]
 netif_receive_skb_list_internal+0x871/0xb90 net/core/dev.c:5759
 gro_normal_list net/core/dev.c:5913 [inline]
 napi_complete_done+0x37d/0x830 net/core/dev.c:6651
 virtqueue_napi_complete drivers/net/virtio_net.c:357 [inline]
 virtnet_poll+0x912/0xef0 drivers/net/virtio_net.c:1592
 __napi_poll+0xc0/0x430 net/core/dev.c:7075
 napi_poll net/core/dev.c:7142 [inline]
 net_rx_action+0x4a8/0x9c0 net/core/dev.c:7232
 handle_softirqs+0x328/0x820 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 invoke_softirq kernel/softirq.c:450 [inline]
 __irq_exit_rcu+0x12f/0x220 kernel/softirq.c:659
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
 common_interrupt+0xb5/0xd0 arch/x86/kernel/irq.c:242
 </IRQ>
 <TASK>
 asm_common_interrupt+0x22/0x40 arch/x86/include/asm/idtentry.h:667
RIP: 0010:__seqprop_spinlock_sequence include/linux/seqlock.h:277 [inline]
RIP: 0010:read_seqbegin include/linux/seqlock.h:897 [inline]
RIP: 0010:zone_span_seqbegin include/linux/memory_hotplug.h:83 [inline]
RIP: 0010:page_outside_zone_boundaries mm/page_alloc.c:580 [inline]
RIP: 0010:bad_range+0x77/0x2d0 mm/page_alloc.c:607
Code: 89 e5 48 c1 ed 03 48 89 44 24 30 48 c1 e8 03 48 89 44 24 20 48 89 4c 24 28 48 c1 e9 03 48 89 4c 24 18 4c 89 e7 e8 59 02 00 00 <42> 0f b6 44 35 00 84 c0 0f 85 bb 00 00 00 41 8b 1c 24 f6 c3 01 4c
RSP: 0018:ffffc900030ef290 EFLAGS: 00000246
RAX: 540e15696f3bdf00 RBX: ffff88813fffbcb8 RCX: 540e15696f3bdf00
RDX: dffffc0000000000 RSI: ffffffff8a0b11c0 RDI: ffffffff8a59a740
RBP: 1ffff11027fff6f7 R08: dffffc0000000000 R09: fffffbfff1ad157e
R10: fffffbfff1ad157e R11: 1ffffffff1ad157d R12: ffff88813fffb7b8
R13: 0000000000000000 R14: dffffc0000000000 R15: ffffc900030ef568
 rmqueue mm/page_alloc.c:3760 [inline]
 get_page_from_freelist+0x1b56/0x1c60 mm/page_alloc.c:4189
 __alloc_pages+0x1e1/0x470 mm/page_alloc.c:5474
 __get_free_pages+0x8/0x30 mm/page_alloc.c:5511
 poll_get_entry fs/select.c:170 [inline]
 __pollwait+0x234/0x3f0 fs/select.c:225
 poll_wait include/linux/poll.h:47 [inline]
 pipe_poll+0xe5/0x490 fs/pipe.c:669
 vfs_poll include/linux/poll.h:94 [inline]
 do_select+0xf87/0x16f0 fs/select.c:537
 core_sys_select+0x65c/0x860 fs/select.c:680
 do_pselect fs/select.c:762 [inline]
 __do_sys_pselect6 fs/select.c:803 [inline]
 __se_sys_pselect6+0x2ed/0x3a0 fs/select.c:794
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f9f9c49f6ec
Code: 29 44 24 30 80 3d 6b 6e 1f 00 00 4c 89 4c 24 40 4c 8d 4c 24 40 48 c7 44 24 48 08 00 00 00 74 2e 4c 89 ea b8 0e 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7c 48 8b 54 24 58 64 48 2b 14 25 28 00 00 00
RSP: 002b:00007fff070a9b20 EFLAGS: 00000202 ORIG_RAX: 000000000000010e
RAX: ffffffffffffffda RBX: 00007fff070a9c50 RCX: 00007f9f9c49f6ec
RDX: 0000000000000000 RSI: 00007fff070a9c50 RDI: 0000000000000023
RBP: 00007fff070a9e90 R08: 00007fff070a9b50 R09: 00007fff070a9b60
R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff070a9ef0
R13: 0000000000000000 R14: 00007fff070aa0a0 R15: 00007fff070a9ce0
 </TASK>
----------------
Code disassembly (best guess):
   0:	89 e5                	mov    %esp,%ebp
   2:	48 c1 ed 03          	shr    $0x3,%rbp
   6:	48 89 44 24 30       	mov    %rax,0x30(%rsp)
   b:	48 c1 e8 03          	shr    $0x3,%rax
   f:	48 89 44 24 20       	mov    %rax,0x20(%rsp)
  14:	48 89 4c 24 28       	mov    %rcx,0x28(%rsp)
  19:	48 c1 e9 03          	shr    $0x3,%rcx
  1d:	48 89 4c 24 18       	mov    %rcx,0x18(%rsp)
  22:	4c 89 e7             	mov    %r12,%rdi
  25:	e8 59 02 00 00       	call   0x283
* 2a:	42 0f b6 44 35 00    	movzbl 0x0(%rbp,%r14,1),%eax <-- trapping instruction
  30:	84 c0                	test   %al,%al
  32:	0f 85 bb 00 00 00    	jne    0xf3
  38:	41 8b 1c 24          	mov    (%r12),%ebx
  3c:	f6 c3 01             	test   $0x1,%bl
  3f:	4c                   	rex.WR