Extracting prog: 3m29.349616266s
Minimizing prog: 1h33m1.067979248s
Simplifying prog options: 20m57.758927581s
Extracting C: 5m11.980974947s
Simplifying C: 0s


extracting reproducer from 89 programs
testing a last program of every proc
single: executing 39 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS-socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
detailed listing:
executing program 0:
ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS(0xffffffffffffffff, 0xc08c5332, &(0x7f0000000400)={{0x3e, 0x3}, 0x1, 0x4, 0x88, {}, 0x0, 0xffff})
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, &(0x7f0000010080), &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS(r0, 0x0, &(0x7f0000010300)=[{0x0}, {0x0}, {0x0}], 0x3)
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {&(0x7f0000000340), 0xa002a0}], &(0x7f00000005c0), 0x2}, 0x20)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program crashed: INFO: task hung in rmap_walk_file
single: successfully extracted reproducer
found reproducer with 9 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS-socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind
detailed listing:
executing program 0:
ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS(0xffffffffffffffff, 0xc08c5332, &(0x7f0000000400)={{0x3e, 0x3}, 0x1, 0x4, 0x88, {}, 0x0, 0xffff})
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, &(0x7f0000010080), &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS(r0, 0x0, &(0x7f0000010300)=[{0x0}, {0x0}, {0x0}], 0x3)
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {&(0x7f0000000340), 0xa002a0}], &(0x7f00000005c0), 0x2}, 0x20)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS-socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-madvise
detailed listing:
executing program 0:
ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS(0xffffffffffffffff, 0xc08c5332, &(0x7f0000000400)={{0x3e, 0x3}, 0x1, 0x4, 0x88, {}, 0x0, 0xffff})
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, &(0x7f0000010080), &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS(r0, 0x0, &(0x7f0000010300)=[{0x0}, {0x0}, {0x0}], 0x3)
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {&(0x7f0000000340), 0xa002a0}], &(0x7f00000005c0), 0x2}, 0x20)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS-socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS-mbind-madvise
detailed listing:
executing program 0:
ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS(0xffffffffffffffff, 0xc08c5332, &(0x7f0000000400)={{0x3e, 0x3}, 0x1, 0x4, 0x88, {}, 0x0, 0xffff})
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, &(0x7f0000010080), &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS(r0, 0x0, &(0x7f0000010300)=[{0x0}, {0x0}, {0x0}], 0x3)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS-socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
detailed listing:
executing program 0:
ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS(0xffffffffffffffff, 0xc08c5332, &(0x7f0000000400)={{0x3e, 0x3}, 0x1, 0x4, 0x88, {}, 0x0, 0xffff})
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, &(0x7f0000010080), &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {&(0x7f0000000340), 0xa002a0}], &(0x7f00000005c0), 0x2}, 0x20)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program crashed: kernel BUG in filemap_unaccount_folio
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS-socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
detailed listing:
executing program 0:
ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS(0xffffffffffffffff, 0xc08c5332, &(0x7f0000000400)={{0x3e, 0x3}, 0x1, 0x4, 0x88, {}, 0x0, 0xffff})
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(0xffffffffffffffff, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {&(0x7f0000000340), 0xa002a0}], &(0x7f00000005c0), 0x2}, 0x20)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS-socket$inet6_mptcp-prctl$PR_SCHED_CORE-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
detailed listing:
executing program 0:
ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS(0xffffffffffffffff, 0xc08c5332, &(0x7f0000000400)={{0x3e, 0x3}, 0x1, 0x4, 0x88, {}, 0x0, 0xffff})
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, &(0x7f0000010080), &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {&(0x7f0000000340), 0xa002a0}], &(0x7f00000005c0), 0x2}, 0x20)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS-socket$inet6_mptcp-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
detailed listing:
executing program 0:
ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS(0xffffffffffffffff, 0xc08c5332, &(0x7f0000000400)={{0x3e, 0x3}, 0x1, 0x4, 0x88, {}, 0x0, 0xffff})
socket$inet6_mptcp(0xa, 0x1, 0x106)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, &(0x7f0000010080), &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {&(0x7f0000000340), 0xa002a0}], &(0x7f00000005c0), 0x2}, 0x20)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
detailed listing:
executing program 0:
ioctl$SNDRV_SEQ_IOCTL_QUERY_SUBS(0xffffffffffffffff, 0xc08c5332, &(0x7f0000000400)={{0x3e, 0x3}, 0x1, 0x4, 0x88, {}, 0x0, 0xffff})
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, &(0x7f0000010080), &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {&(0x7f0000000340), 0xa002a0}], &(0x7f00000005c0), 0x2}, 0x20)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, &(0x7f0000010080), &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {&(0x7f0000000340), 0xa002a0}], &(0x7f00000005c0), 0x2}, 0x20)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program crashed: kernel BUG in filemap_unaccount_folio
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, 0x0, &(0x7f0000010080), &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {&(0x7f0000000340), 0xa002a0}], &(0x7f00000005c0), 0x2}, 0x20)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, 0x0, &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {&(0x7f0000000340), 0xa002a0}], &(0x7f00000005c0), 0x2}, 0x20)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, &(0x7f0000010080), 0x0)
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {&(0x7f0000000340), 0xa002a0}], &(0x7f00000005c0), 0x2}, 0x20)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, &(0x7f0000010080), &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, 0x0, 0x0)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, &(0x7f0000010080), &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000600)={0x0, 0x0, 0x0, &(0x7f00000005c0)}, 0x20)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, &(0x7f0000010080), &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {0x0}], &(0x7f00000005c0), 0x2}, 0x20)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, &(0x7f0000010080), &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {&(0x7f0000000340)}], 0x0, 0x2}, 0x20)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program did not crash
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
simplifying guilty program options
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, &(0x7f0000010080), &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {&(0x7f0000000340), 0xa002a0}], &(0x7f00000005c0), 0x2}, 0x20)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, &(0x7f0000010080), &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {&(0x7f0000000340), 0xa002a0}], &(0x7f00000005c0), 0x2}, 0x20)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
detailed listing:
executing program 0:
socket$inet6_mptcp(0xa, 0x1, 0x106)
prctl$PR_SCHED_CORE(0x3e, 0x80000000000001, 0x0, 0x2, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
r0 = syz_io_uring_setup(0x4b5, &(0x7f00000000c0)={0x0, 0x5102, 0x1, 0x2, 0x400}, &(0x7f0000010080), &(0x7f0000000000))
io_uring_register$IORING_REGISTER_BUFFERS_UPDATE(r0, 0x10, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000540)=[{0x0}, {&(0x7f0000000340), 0xa002a0}], &(0x7f00000005c0), 0x2}, 0x20)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x0, 0x0, 0x0, 0x2)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600002, 0x9)

program crashed: kernel BUG in filemap_unaccount_folio
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_mptcp-prctl$PR_SCHED_CORE-mmap-syz_io_uring_setup-io_uring_register$IORING_REGISTER_BUFFERS_UPDATE-mbind-madvise
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
reproducing took 2h2m40.697802418s
repro crashed as (corrupted=false):
 handle_mm_fault+0x18fe/0x1bb0 mm/memory.c:6110
 do_user_addr_fault arch/x86/mm/fault.c:1338 [inline]
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x459/0x8b0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 19925 tgid 19923 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_page+0xd3f/0x1010 mm/page_alloc.c:2657
 __folio_put+0x2b3/0x360 mm/swap.c:112
 free_huge_folio+0xeab/0x1340
 __folio_put+0x106/0x360 mm/swap.c:105
 unmap_and_move_huge_page mm/migrate.c:1545 [inline]
 migrate_hugetlbs mm/migrate.c:1648 [inline]
 migrate_pages+0xe30/0x3380 mm/migrate.c:2046
 do_mbind mm/mempolicy.c:1394 [inline]
 kernel_mbind mm/mempolicy.c:1537 [inline]
 __do_sys_mbind mm/mempolicy.c:1611 [inline]
 __se_sys_mbind+0x145b/0x18d0 mm/mempolicy.c:1607
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page has been migrated, last migrate reason: mempolicy_mbind
------------[ cut here ]------------
kernel BUG at mm/filemap.c:162!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 19938 Comm: syz.3.6461 Not tainted 6.13.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:filemap_unaccount_folio+0x73d/0x7d0 mm/filemap.c:162
Code: 02 c8 ff 48 89 df 48 c7 c6 a0 93 13 8c e8 fb c1 11 00 90 0f 0b e8 43 02 c8 ff 48 89 df 48 c7 c6 80 92 13 8c e8 e4 c1 11 00 90 <0f> 0b e8 2c 02 c8 ff 48 89 df 48 c7 c6 a0 93 13 8c e8 cd c1 11 00
RSP: 0018:ffffc9000bbaf230 EFLAGS: 00010046
RAX: 11ac0bd89d9d5400 RBX: ffffea00017c8000 RCX: ffffc9000bbaee03
RDX: 0000000000000005 RSI: ffffffff8c0aa8c0 RDI: ffffffff8c5f9580
RBP: 0000000000000000 R08: ffffffff90196577 R09: 1ffffffff2032cae
R10: dffffc0000000000 R11: fffffbfff2032caf R12: dffffc0000000000
R13: 1ffffd40002f9001 R14: ffff8880693f5150 R15: ffffea00017c8008
FS:  00007fd1357aa6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f114178bd58 CR3: 00000000293c4000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __filemap_remove_folio+0xc7/0x670 mm/filemap.c:231
 filemap_remove_folio+0xe1/0x1f0 mm/filemap.c:264
 hugetlb_delete_from_page_cache fs/hugetlbfs/inode.c:337 [inline]
 remove_inode_single_folio fs/hugetlbfs/inode.c:542 [inline]
 remove_inode_hugepages+0x5c6/0x1160 fs/hugetlbfs/inode.c:599
 hugetlbfs_punch_hole fs/hugetlbfs/inode.c:722 [inline]
 hugetlbfs_fallocate+0xc06/0x11a0 fs/hugetlbfs/inode.c:748
 vfs_fallocate+0x569/0x6e0 fs/open.c:327
 madvise_remove mm/madvise.c:1020 [inline]
 madvise_vma_behavior mm/madvise.c:1255 [inline]
 madvise_walk_vmas mm/madvise.c:1497 [inline]
 do_madvise+0x23c1/0x4d10 mm/madvise.c:1684
 __do_sys_madvise mm/madvise.c:1700 [inline]
 __se_sys_madvise mm/madvise.c:1698 [inline]
 __x64_sys_madvise+0xa6/0xc0 mm/madvise.c:1698
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd13657fed9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd1357aa058 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007fd136746080 RCX: 00007fd13657fed9
RDX: 0000000000000009 RSI: 0000000000600002 RDI: 0000000020000000
RBP: 00007fd1365f3cc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fd136746080 R15: 00007fff8519a088
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:filemap_unaccount_folio+0x73d/0x7d0 mm/filemap.c:162
Code: 02 c8 ff 48 89 df 48 c7 c6 a0 93 13 8c e8 fb c1 11 00 90 0f 0b e8 43 02 c8 ff 48 89 df 48 c7 c6 80 92 13 8c e8 e4 c1 11 00 90 <0f> 0b e8 2c 02 c8 ff 48 89 df 48 c7 c6 a0 93 13 8c e8 cd c1 11 00
RSP: 0018:ffffc9000bbaf230 EFLAGS: 00010046
RAX: 11ac0bd89d9d5400 RBX: ffffea00017c8000 RCX: ffffc9000bbaee03
RDX: 0000000000000005 RSI: ffffffff8c0aa8c0 RDI: ffffffff8c5f9580
RBP: 0000000000000000 R08: ffffffff90196577 R09: 1ffffffff2032cae
R10: dffffc0000000000 R11: fffffbfff2032caf R12: dffffc0000000000
R13: 1ffffd40002f9001 R14: ffff8880693f5150 R15: ffffea00017c8008
FS:  00007fd1357aa6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f114178bd58 CR3: 00000000293c4000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

final repro crashed as (corrupted=false):
 handle_mm_fault+0x18fe/0x1bb0 mm/memory.c:6110
 do_user_addr_fault arch/x86/mm/fault.c:1338 [inline]
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x459/0x8b0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 19925 tgid 19923 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_page+0xd3f/0x1010 mm/page_alloc.c:2657
 __folio_put+0x2b3/0x360 mm/swap.c:112
 free_huge_folio+0xeab/0x1340
 __folio_put+0x106/0x360 mm/swap.c:105
 unmap_and_move_huge_page mm/migrate.c:1545 [inline]
 migrate_hugetlbs mm/migrate.c:1648 [inline]
 migrate_pages+0xe30/0x3380 mm/migrate.c:2046
 do_mbind mm/mempolicy.c:1394 [inline]
 kernel_mbind mm/mempolicy.c:1537 [inline]
 __do_sys_mbind mm/mempolicy.c:1611 [inline]
 __se_sys_mbind+0x145b/0x18d0 mm/mempolicy.c:1607
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page has been migrated, last migrate reason: mempolicy_mbind
------------[ cut here ]------------
kernel BUG at mm/filemap.c:162!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 19938 Comm: syz.3.6461 Not tainted 6.13.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:filemap_unaccount_folio+0x73d/0x7d0 mm/filemap.c:162
Code: 02 c8 ff 48 89 df 48 c7 c6 a0 93 13 8c e8 fb c1 11 00 90 0f 0b e8 43 02 c8 ff 48 89 df 48 c7 c6 80 92 13 8c e8 e4 c1 11 00 90 <0f> 0b e8 2c 02 c8 ff 48 89 df 48 c7 c6 a0 93 13 8c e8 cd c1 11 00
RSP: 0018:ffffc9000bbaf230 EFLAGS: 00010046
RAX: 11ac0bd89d9d5400 RBX: ffffea00017c8000 RCX: ffffc9000bbaee03
RDX: 0000000000000005 RSI: ffffffff8c0aa8c0 RDI: ffffffff8c5f9580
RBP: 0000000000000000 R08: ffffffff90196577 R09: 1ffffffff2032cae
R10: dffffc0000000000 R11: fffffbfff2032caf R12: dffffc0000000000
R13: 1ffffd40002f9001 R14: ffff8880693f5150 R15: ffffea00017c8008
FS:  00007fd1357aa6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f114178bd58 CR3: 00000000293c4000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __filemap_remove_folio+0xc7/0x670 mm/filemap.c:231
 filemap_remove_folio+0xe1/0x1f0 mm/filemap.c:264
 hugetlb_delete_from_page_cache fs/hugetlbfs/inode.c:337 [inline]
 remove_inode_single_folio fs/hugetlbfs/inode.c:542 [inline]
 remove_inode_hugepages+0x5c6/0x1160 fs/hugetlbfs/inode.c:599
 hugetlbfs_punch_hole fs/hugetlbfs/inode.c:722 [inline]
 hugetlbfs_fallocate+0xc06/0x11a0 fs/hugetlbfs/inode.c:748
 vfs_fallocate+0x569/0x6e0 fs/open.c:327
 madvise_remove mm/madvise.c:1020 [inline]
 madvise_vma_behavior mm/madvise.c:1255 [inline]
 madvise_walk_vmas mm/madvise.c:1497 [inline]
 do_madvise+0x23c1/0x4d10 mm/madvise.c:1684
 __do_sys_madvise mm/madvise.c:1700 [inline]
 __se_sys_madvise mm/madvise.c:1698 [inline]
 __x64_sys_madvise+0xa6/0xc0 mm/madvise.c:1698
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd13657fed9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd1357aa058 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007fd136746080 RCX: 00007fd13657fed9
RDX: 0000000000000009 RSI: 0000000000600002 RDI: 0000000020000000
RBP: 00007fd1365f3cc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fd136746080 R15: 00007fff8519a088
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:filemap_unaccount_folio+0x73d/0x7d0 mm/filemap.c:162
Code: 02 c8 ff 48 89 df 48 c7 c6 a0 93 13 8c e8 fb c1 11 00 90 0f 0b e8 43 02 c8 ff 48 89 df 48 c7 c6 80 92 13 8c e8 e4 c1 11 00 90 <0f> 0b e8 2c 02 c8 ff 48 89 df 48 c7 c6 a0 93 13 8c e8 cd c1 11 00
RSP: 0018:ffffc9000bbaf230 EFLAGS: 00010046
RAX: 11ac0bd89d9d5400 RBX: ffffea00017c8000 RCX: ffffc9000bbaee03
RDX: 0000000000000005 RSI: ffffffff8c0aa8c0 RDI: ffffffff8c5f9580
RBP: 0000000000000000 R08: ffffffff90196577 R09: 1ffffffff2032cae
R10: dffffc0000000000 R11: fffffbfff2032caf R12: dffffc0000000000
R13: 1ffffd40002f9001 R14: ffff8880693f5150 R15: ffffea00017c8008
FS:  00007fd1357aa6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f114178bd58 CR3: 00000000293c4000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400