Extracting prog: 1m22.039444595s
Minimizing prog: 17m2.158392951s
Simplifying prog options: 0s
Extracting C: 51.886082066s
Simplifying C: 8m26.359461799s


extracting reproducer from 51 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-mlock-syz_clone-mlock2-process_vm_writev-mbind
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
mlock(&(0x7f0000000000/0x800000)=nil, 0x800000)
r0 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
mlock2(&(0x7f00004b5000/0x2000)=nil, 0x2000, 0x1)
process_vm_writev(r0, &(0x7f0000001c80)=[{&(0x7f0000001bc0)=""/156, 0x9c}], 0x1, &(0x7f0000001d80)=[{&(0x7f0000001cc0)=""/116, 0x20001c34}], 0x1, 0x0)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x4000, 0x0, 0x7f, 0x2)

program crashed: kernel BUG in clear_page_mlock
single: successfully extracted reproducer
found reproducer with 6 syscalls
minimizing guilty program
testing program (duration=1m5.757064623s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-mlock-syz_clone-mlock2-process_vm_writev
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
mlock(&(0x7f0000000000/0x800000)=nil, 0x800000)
r0 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
mlock2(&(0x7f00004b5000/0x2000)=nil, 0x2000, 0x1)
process_vm_writev(r0, &(0x7f0000001c80)=[{&(0x7f0000001bc0)=""/156, 0x9c}], 0x1, &(0x7f0000001d80)=[{&(0x7f0000001cc0)=""/116, 0x20001c34}], 0x1, 0x0)

program did not crash
testing program (duration=1m5.757064623s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-mlock-syz_clone-mlock2-mbind
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
mlock(&(0x7f0000000000/0x800000)=nil, 0x800000)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
mlock2(&(0x7f00004b5000/0x2000)=nil, 0x2000, 0x1)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x4000, 0x0, 0x7f, 0x2)

program did not crash
testing program (duration=1m5.757064623s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-mlock-syz_clone-process_vm_writev-mbind
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
mlock(&(0x7f0000000000/0x800000)=nil, 0x800000)
r0 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
process_vm_writev(r0, &(0x7f0000001c80)=[{&(0x7f0000001bc0)=""/156, 0x9c}], 0x1, &(0x7f0000001d80)=[{&(0x7f0000001cc0)=""/116, 0x20001c34}], 0x1, 0x0)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x4000, 0x0, 0x7f, 0x2)

program did not crash
testing program (duration=1m5.757064623s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-mlock-mlock2-process_vm_writev-mbind
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
mlock(&(0x7f0000000000/0x800000)=nil, 0x800000)
mlock2(&(0x7f00004b5000/0x2000)=nil, 0x2000, 0x1)
process_vm_writev(0x0, &(0x7f0000001c80)=[{&(0x7f0000001bc0)=""/156, 0x9c}], 0x1, &(0x7f0000001d80)=[{&(0x7f0000001cc0)=""/116, 0x20001c34}], 0x1, 0x0)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x4000, 0x0, 0x7f, 0x2)

program did not crash
testing program (duration=1m5.757064623s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-syz_clone-mlock2-process_vm_writev-mbind
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
r0 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
mlock2(&(0x7f00004b5000/0x2000)=nil, 0x2000, 0x1)
process_vm_writev(r0, &(0x7f0000001c80)=[{&(0x7f0000001bc0)=""/156, 0x9c}], 0x1, &(0x7f0000001d80)=[{&(0x7f0000001cc0)=""/116, 0x20001c34}], 0x1, 0x0)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x4000, 0x0, 0x7f, 0x2)

program did not crash
testing program (duration=1m5.757064623s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mlock-syz_clone-mlock2-process_vm_writev-mbind
detailed listing:
executing program 0:
mlock(&(0x7f0000000000/0x800000)=nil, 0x800000)
r0 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
mlock2(&(0x7f00004b5000/0x2000)=nil, 0x2000, 0x1)
process_vm_writev(r0, &(0x7f0000001c80)=[{&(0x7f0000001bc0)=""/156, 0x9c}], 0x1, &(0x7f0000001d80)=[{&(0x7f0000001cc0)=""/116, 0x20001c34}], 0x1, 0x0)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x4000, 0x0, 0x7f, 0x2)

program did not crash
testing program (duration=1m5.757064623s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-mlock-syz_clone-mlock2-process_vm_writev-mbind
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
mlock(&(0x7f0000000000/0x800000)=nil, 0x800000)
r0 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
mlock2(&(0x7f00004b5000/0x2000)=nil, 0x2000, 0x1)
process_vm_writev(r0, 0x0, 0x0, &(0x7f0000001d80)=[{&(0x7f0000001cc0)=""/116, 0x74}], 0x1, 0x0)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x4000, 0x0, 0x7f, 0x2)

program did not crash
testing program (duration=1m5.757064623s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-mlock-syz_clone-mlock2-process_vm_writev-mbind
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
mlock(&(0x7f0000000000/0x800000)=nil, 0x800000)
r0 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
mlock2(&(0x7f00004b5000/0x2000)=nil, 0x2000, 0x1)
process_vm_writev(r0, &(0x7f0000001c80)=[{0x0}], 0x1, &(0x7f0000001d80)=[{&(0x7f0000001cc0)=""/116, 0x74}], 0x1, 0x0)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x4000, 0x0, 0x7f, 0x2)

program did not crash
testing program (duration=1m5.757064623s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-mlock-syz_clone-mlock2-process_vm_writev-mbind
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
mlock(&(0x7f0000000000/0x800000)=nil, 0x800000)
r0 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
mlock2(&(0x7f00004b5000/0x2000)=nil, 0x2000, 0x1)
process_vm_writev(r0, &(0x7f0000001c80)=[{&(0x7f0000001bc0)=""/156, 0x9c}], 0x1, 0x0, 0x0, 0x0)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x4000, 0x0, 0x7f, 0x2)

program did not crash
testing program (duration=1m5.757064623s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-mlock-syz_clone-mlock2-process_vm_writev-mbind
detailed listing:
executing program 0:
madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe)
mlock(&(0x7f0000000000/0x800000)=nil, 0x800000)
r0 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
mlock2(&(0x7f00004b5000/0x2000)=nil, 0x2000, 0x1)
process_vm_writev(r0, &(0x7f0000001c80)=[{&(0x7f0000001bc0)=""/156, 0x9c}], 0x1, &(0x7f0000001d80)=[{0x0}], 0x1, 0x0)
mbind(&(0x7f0000001000/0x800000)=nil, 0x800000, 0x4000, 0x0, 0x7f, 0x2)

program did not crash
extracting C reproducer
testing compiled C program (duration=1m5.757064623s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-mlock-syz_clone-mlock2-process_vm_writev-mbind
program crashed: kernel BUG in clear_page_mlock
simplifying C reproducer
testing compiled C program (duration=1m5.757064623s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-mlock-syz_clone-mlock2-process_vm_writev-mbind
program did not crash
testing compiled C program (duration=1m5.757064623s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-mlock-syz_clone-mlock2-process_vm_writev-mbind
program did not crash
testing compiled C program (duration=1m5.757064623s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-mlock-syz_clone-mlock2-process_vm_writev-mbind
program crashed: kernel BUG in clear_page_mlock
testing compiled C program (duration=1m5.757064623s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-mlock-syz_clone-mlock2-process_vm_writev-mbind
program crashed: kernel BUG in clear_page_mlock
testing compiled C program (duration=1m5.757064623s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-mlock-syz_clone-mlock2-process_vm_writev-mbind
program crashed: kernel BUG in clear_page_mlock
testing compiled C program (duration=1m5.757064623s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-mlock-syz_clone-mlock2-process_vm_writev-mbind
program crashed: kernel BUG in clear_page_mlock
testing compiled C program (duration=1m5.757064623s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): madvise-mlock-syz_clone-mlock2-process_vm_writev-mbind
program crashed: kernel BUG in clear_page_mlock
reproducing took 27m42.443439429s
repro crashed as (corrupted=false):
head: 05ffc0000029080d 0000000000000000 dead000000000122 ffff0000d5b62001
head: 0000000400000200 0000000000000000 00000144ffffffff ffff0000c08a4000
page dumped because: VM_BUG_ON_PAGE(1 && PageTail(page))
------------[ cut here ]------------
kernel BUG at include/linux/page-flags.h:431!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4028 Comm: syz-executor357 Not tainted 5.15.178-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : TestClearPageMlocked include/linux/page-flags.h:431 [inline]
pc : clear_page_mlock+0x57c/0x64c mm/mlock.c:64
lr : TestClearPageMlocked include/linux/page-flags.h:431 [inline]
lr : clear_page_mlock+0x57c/0x64c mm/mlock.c:64
sp : ffff80001f9f71e0
x29: ffff80001f9f71e0 x28: 1ffff00003f3eec0 x27: 1fffff800071b5f9
x26: 1fffff800071b5f9 x25: dfff800000000000 x24: ffff0000c90d0000
x23: fffffc00038d8001 x22: 0000000000000001 x21: fffffc00038d8001
x20: fffffc00038dafc8 x19: fffffc00038dafc0 x18: 0000000000000002
x17: 0000000000000000 x16: ffff800011b4e3fc x15: 00000000ffffffff
x14: ffff0000caf49b40 x13: 0000000000000001 x12: 0000000000000001
x11: 0000000000000001 x10: 0000000000000000 x9 : 04b31823e2a0dc00
x8 : 04b31823e2a0dc00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80001f9f6658 x4 : ffff800014c50660 x3 : ffff8000085568c0
x2 : 0000000000000001 x1 : 0000000000000001 x0 : 0000000000000038
Call trace:
 TestClearPageMlocked include/linux/page-flags.h:431 [inline]
 clear_page_mlock+0x57c/0x64c mm/mlock.c:64
 page_remove_rmap+0xbf8/0xfe8 mm/rmap.c:1375
 wp_page_copy+0x94c/0x12b8 mm/memory.c:3146
 do_wp_page+0x6c4/0x9c4
 handle_pte_fault mm/memory.c:4666 [inline]
 __handle_mm_fault mm/memory.c:4783 [inline]
 handle_mm_fault+0x1bdc/0x33a8 mm/memory.c:4881
 faultin_page mm/gup.c:976 [inline]
 __get_user_pages+0x39c/0x92c mm/gup.c:1197
 __get_user_pages_locked mm/gup.c:1382 [inline]
 __get_user_pages_remote+0x194/0x66c mm/gup.c:2007
 pin_user_pages_remote+0x70/0x9c mm/gup.c:3104
 process_vm_rw_single_vec mm/process_vm_access.c:105 [inline]
 process_vm_rw_core mm/process_vm_access.c:215 [inline]
 process_vm_rw+0x574/0xa38 mm/process_vm_access.c:283
 __do_sys_process_vm_writev mm/process_vm_access.c:303 [inline]
 __se_sys_process_vm_writev mm/process_vm_access.c:298 [inline]
 __arm64_sys_process_vm_writev+0xdc/0xf8 mm/process_vm_access.c:298
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: d004aa61 912f8021 aa1303e0 97ff47b5 (d4210000) 
---[ end trace 4ded2cc208f7e424 ]---

final repro crashed as (corrupted=false):
head: 05ffc0000029080d 0000000000000000 dead000000000122 ffff0000d5b62001
head: 0000000400000200 0000000000000000 00000144ffffffff ffff0000c08a4000
page dumped because: VM_BUG_ON_PAGE(1 && PageTail(page))
------------[ cut here ]------------
kernel BUG at include/linux/page-flags.h:431!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4028 Comm: syz-executor357 Not tainted 5.15.178-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : TestClearPageMlocked include/linux/page-flags.h:431 [inline]
pc : clear_page_mlock+0x57c/0x64c mm/mlock.c:64
lr : TestClearPageMlocked include/linux/page-flags.h:431 [inline]
lr : clear_page_mlock+0x57c/0x64c mm/mlock.c:64
sp : ffff80001f9f71e0
x29: ffff80001f9f71e0 x28: 1ffff00003f3eec0 x27: 1fffff800071b5f9
x26: 1fffff800071b5f9 x25: dfff800000000000 x24: ffff0000c90d0000
x23: fffffc00038d8001 x22: 0000000000000001 x21: fffffc00038d8001
x20: fffffc00038dafc8 x19: fffffc00038dafc0 x18: 0000000000000002
x17: 0000000000000000 x16: ffff800011b4e3fc x15: 00000000ffffffff
x14: ffff0000caf49b40 x13: 0000000000000001 x12: 0000000000000001
x11: 0000000000000001 x10: 0000000000000000 x9 : 04b31823e2a0dc00
x8 : 04b31823e2a0dc00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80001f9f6658 x4 : ffff800014c50660 x3 : ffff8000085568c0
x2 : 0000000000000001 x1 : 0000000000000001 x0 : 0000000000000038
Call trace:
 TestClearPageMlocked include/linux/page-flags.h:431 [inline]
 clear_page_mlock+0x57c/0x64c mm/mlock.c:64
 page_remove_rmap+0xbf8/0xfe8 mm/rmap.c:1375
 wp_page_copy+0x94c/0x12b8 mm/memory.c:3146
 do_wp_page+0x6c4/0x9c4
 handle_pte_fault mm/memory.c:4666 [inline]
 __handle_mm_fault mm/memory.c:4783 [inline]
 handle_mm_fault+0x1bdc/0x33a8 mm/memory.c:4881
 faultin_page mm/gup.c:976 [inline]
 __get_user_pages+0x39c/0x92c mm/gup.c:1197
 __get_user_pages_locked mm/gup.c:1382 [inline]
 __get_user_pages_remote+0x194/0x66c mm/gup.c:2007
 pin_user_pages_remote+0x70/0x9c mm/gup.c:3104
 process_vm_rw_single_vec mm/process_vm_access.c:105 [inline]
 process_vm_rw_core mm/process_vm_access.c:215 [inline]
 process_vm_rw+0x574/0xa38 mm/process_vm_access.c:283
 __do_sys_process_vm_writev mm/process_vm_access.c:303 [inline]
 __se_sys_process_vm_writev mm/process_vm_access.c:298 [inline]
 __arm64_sys_process_vm_writev+0xdc/0xf8 mm/process_vm_access.c:298
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: d004aa61 912f8021 aa1303e0 97ff47b5 (d4210000) 
---[ end trace 4ded2cc208f7e424 ]---