RAX: 0000000000000000 RBX: 00007f1cb8fb5fa0 RCX: 00007f1cb8d8e969
RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000000000003
RBP: 00007f1cb9cbc090 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000000 R14: 00007f1cb8fb5fa0 R15: 00007fffa8980898
CFI failure at __traceiter_tlb_flush+0x80/0xd0 include/trace/events/tlb.h:38 (target: tp_stub_func+0x0/0x10; expected type: 0x205553a5)
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 2138 Comm: syz.2.9799 Not tainted 6.1.134-syzkaller-00012-g646380b087a5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
RIP: 0010:__traceiter_tlb_flush+0x80/0xd0 include/trace/events/tlb.h:38
Code: 89 f8 48 c1 e8 03 42 80 3c 28 00 74 05 e8 38 60 07 00 49 8b 7c 24 08 44 89 f6 48 8b 55 d0 41 ba 5b ac aa df 44 03 53 fc 74 02 <0f> 0b ff d3 49 83 c7 18 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08
RSP: 0018:ffffc900023b7888 EFLAGS: 00010093
RAX: 1ffff1102201d606 RBX: ffffffff81710320 RCX: ffff8881305ebcc0
RDX: ffffffffffffffff RSI: 0000000000000000 RDI: ffffc90002c0f000
RBP: ffffc900023b78b8 R08: ffff8881305ebcc0 R09: 000000000000000c
R10: 0000000084eb1367 R11: 0000000040000000 R12: ffff8881100eb028
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881100eb028
FS: 00007f1cb9cbc6c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000011045f000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 000000000000004c DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 trace_tlb_flush include/trace/events/tlb.h:38 [inline]
 switch_mm_irqs_off+0x61f/0x980 arch/x86/mm/tlb.c:630
 context_switch kernel/sched/core.c:5405 [inline]
 __schedule+0x9eb/0x14e0 kernel/sched/core.c:6750
 preempt_schedule_irq+0x9b/0x110 kernel/sched/core.c:7062
 raw_irqentry_exit_cond_resched+0x29/0x30 kernel/entry/common.c:396
 irqentry_exit+0x37/0x40 kernel/entry/common.c:439
 sysvec_reschedule_ipi+0x78/0x80 arch/x86/kernel/smp.c:244
 asm_sysvec_reschedule_ipi+0x1b/0x20 arch/x86/include/asm/idtentry.h:696
RIP: 0010:memcg_slab_free_hook+0x6/0x1d0 mm/slab.h:579
Code: 00 00 e8 4d b2 97 ff f0 49 0f ba 2e 00 0f 83 49 ff ff ff eb ca 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 <41> 56 41 55 41 54 53 48 83 ec 28 48 89 75 d0 e9 a5 01 00 00 49 89
RSP: 0018:ffffc900023b7bb8 EFLAGS: 00000286
RAX: ffffea0004403ac0 RBX: ffff8881100eb280 RCX: 0000000000000001
RDX: ffffc900023b7bd0 RSI: ffffea0004403ac0 RDI: ffff888100042900
RBP: ffffc900023b7bc0 R08: dffffc0000000000 R09: ffffed10275e3c01
R10: 0000000000000000 R11: ffffffff8180d9e0 R12: ffffea0004403ac0
R13: dffffc0000000000 R14: ffffffff8180d9f5 R15: ffff888100042900
 slab_free mm/slub.c:3681 [inline]
 __kmem_cache_free+0xa3/0x1b0 mm/slub.c:3702
 kfree+0x6f/0xf0 mm/slab_common.c:990
 bpf_raw_tp_link_dealloc+0x15/0x20 kernel/bpf/syscall.c:3176
 bpf_link_free+0x321/0x390 kernel/bpf/syscall.c:2740
 bpf_link_put kernel/bpf/syscall.c:2762 [inline]
 bpf_link_release+0x15f/0x170 kernel/bpf/syscall.c:2771
 __fput+0x1fc/0x8f0 fs/file_table.c:320
 ____fput+0x15/0x20 fs/file_table.c:348
 task_work_run+0x1db/0x240 kernel/task_work.c:203
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0x9b/0xb0 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:303
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:87
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f1cb8d8e969
Code: Unable to access opcode bytes at 0x7f1cb8d8e93f.
RSP: 002b:00007f1cb9cbc038 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007f1cb8fb5fa0 RCX: 00007f1cb8d8e969
RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000000000003
RBP: 00007f1cb9cbc090 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000000 R14: 00007f1cb8fb5fa0 R15: 00007fffa8980898
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__traceiter_tlb_flush+0x80/0xd0 include/trace/events/tlb.h:38
Code: 89 f8 48 c1 e8 03 42 80 3c 28 00 74 05 e8 38 60 07 00 49 8b 7c 24 08 44 89 f6 48 8b 55 d0 41 ba 5b ac aa df 44 03 53 fc 74 02 <0f> 0b ff d3 49 83 c7 18 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08
RSP: 0018:ffffc900023b7888 EFLAGS: 00010093
RAX: 1ffff1102201d606 RBX: ffffffff81710320 RCX: ffff8881305ebcc0
RDX: ffffffffffffffff RSI: 0000000000000000 RDI: ffffc90002c0f000
RBP: ffffc900023b78b8 R08: ffff8881305ebcc0 R09: 000000000000000c
R10: 0000000084eb1367 R11: 0000000040000000 R12: ffff8881100eb028
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881100eb028
FS: 00007f1cb9cbc6c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000011045f000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 000000000000004c DR6: 00000000ffff0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0: 00 00                   add %al,(%rax)
   2: e8 4d b2 97 ff          call 0xff97b254
   7: f0 49 0f ba 2e 00       lock btsq $0x0,(%r14)
   d: 0f 83 49 ff ff ff       jae 0xffffff5c
  13: eb ca                   jmp 0xffffffdf
  15: 66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
  1c: 00 00 00
  1f: 0f 1f 44 00 00          nopl 0x0(%rax,%rax,1)
  24: 55                      push %rbp
  25: 48 89 e5                mov %rsp,%rbp
  28: 41 57                   push %r15
* 2a: 41 56                   push %r14 <-- trapping instruction
  2c: 41 55                   push %r13
  2e: 41 54                   push %r12
  30: 53                      push %rbx
  31: 48 83 ec 28             sub $0x28,%rsp
  35: 48 89 75 d0             mov %rsi,-0x30(%rbp)
  39: e9 a5 01 00 00          jmp 0x1e3
  3e: 49                      rex.WB
  3f: 89                      .byte 0x89