ci starts bisection 2022-08-06 02:28:13.357929133 +0000 UTC m=+39119.541175108
bisecting cause commit starting from cb71b93c2dc36d18a8b05245973328d018272cdf
building syzkaller on e853abd9a2542fcccb8e1a23eb8ae475500ecaf9
testing commit cb71b93c2dc36d18a8b05245973328d018272cdf
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 115ce45f7dc7f3efc0503934b6a9224341e5bd1786af1f0eb6aecd339dc3643d
all runs: crashed: KASAN: use-after-free Read in __io_remove_buffers
testing release v5.18
testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8e899987de81a53e2adf208e1f1944aded05cc76733ffac9de9b842001800352
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect start cb71b93c2dc36d18a8b05245973328d018272cdf 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
Bisecting: 10621 revisions left to test after this (roughly 13 steps)
[9d004b2f4fea97cde123e7f1939b80e77bf2e695] Merge tag 'cxl-for-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl

testing commit 9d004b2f4fea97cde123e7f1939b80e77bf2e695
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 49f7c7b9ca68bff11ee0ecd31c9c530a9a61b3fc15a194d4421dfd6f99bd0108
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: crashed: KASAN: use-after-free Read in __io_remove_buffers
run #2: crashed: KASAN: use-after-free Read in __io_remove_buffers
run #3: crashed: KASAN: use-after-free Read in __io_remove_buffers
run #4: crashed: KASAN: use-after-free Read in __io_remove_buffers
run #5: crashed: KASAN: use-after-free Read in __io_remove_buffers
run #6: crashed: KASAN: use-after-free Read in __io_remove_buffers
run #7: crashed: KASAN: use-after-free Read in __io_remove_buffers
run #8: crashed: KASAN: use-after-free Read in __io_remove_buffers
run #9: crashed: KASAN: use-after-free Read in __io_remove_buffers
# git bisect bad 9d004b2f4fea97cde123e7f1939b80e77bf2e695
Bisecting: 5473 revisions left to test after this (roughly 12 steps)
[86c87bea6b42100c67418af690919c44de6ede6e] Merge tag 'devicetree-for-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux

testing commit 86c87bea6b42100c67418af690919c44de6ede6e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b07e03acb06380b64a53ad361ae24b86bf331668aa37f667253681fd56c22fa9
all runs: crashed: KASAN: use-after-free Read in __io_remove_buffers
# git bisect bad 86c87bea6b42100c67418af690919c44de6ede6e
Bisecting: 2583 revisions left to test after this (roughly 11 steps)
[7208c9842c50f97327aac20be62edc8ad230f05c] Merge tag 'gfs2-v5.18-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2

testing commit 7208c9842c50f97327aac20be62edc8ad230f05c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a7a6dacfc8a3ad78e8a4d6c7d0439e5726821758658e9c98b350a33ec3a8f775
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: crashed: KASAN: use-after-free Read in __io_remove_buffers
run #2: crashed: KASAN: use-after-free Read in __io_remove_buffers
run #3: crashed: KASAN: use-after-free Read in __io_remove_buffers
run #4: crashed: KASAN: use-after-free Read in __io_remove_buffers
run #5: crashed: KASAN: use-after-free Read in __io_remove_buffers
run #6: crashed: KASAN: use-after-free Read in __io_remove_buffers
run #7: crashed: KASAN: use-after-free Read in __io_remove_buffers
run #8: crashed: KASAN: use-after-free Read in __io_remove_buffers
run #9: crashed: KASAN: use-after-free Read in __io_remove_buffers
# git bisect bad 7208c9842c50f97327aac20be62edc8ad230f05c
Bisecting: 1278 revisions left to test after this (roughly 10 steps)
[ac2ab99072cce553c78f326ea22d72856f570d88] Merge tag 'random-5.19-rc1-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random

testing commit ac2ab99072cce553c78f326ea22d72856f570d88
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9b23251b46695f3b961dbee5bd7295ef310e8eaf6cbe8a7fe18fcf561d87124c
all runs: crashed: KASAN: use-after-free Read in __io_remove_buffers
# git bisect bad ac2ab99072cce553c78f326ea22d72856f570d88
Bisecting: 632 revisions left to test after this (roughly 9 steps)
[eb39e37d5cebdf0f63ee2a315fc23b035d81b4b0] Merge tag 'x86_sev_for_v5.19_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

testing commit eb39e37d5cebdf0f63ee2a315fc23b035d81b4b0
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3da324ebc7253aa6e9ff0527a35c1d4ce559e2b87941982a2f2634f90346d806
all runs: crashed: KASAN: use-after-free Read in __io_remove_buffers
# git bisect bad eb39e37d5cebdf0f63ee2a315fc23b035d81b4b0
Bisecting: 347 revisions left to test after this (roughly 8 steps)
[f6792c877a1cacc3b3eea7cb5b45857b3c484c51] Merge tag 'for-5.19/cdrom-2022-05-22' of git://git.kernel.dk/linux-block

testing commit f6792c877a1cacc3b3eea7cb5b45857b3c484c51
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f466fc9a73f23be8c63008933bad8ef3f7d49768f0112d083995dbbc00cdf6d9
all runs: crashed: KASAN: use-after-free Read in __io_remove_buffers
# git bisect bad f6792c877a1cacc3b3eea7cb5b45857b3c484c51
Bisecting: 163 revisions left to test after this (roughly 7 steps)
[1e57930e9f4083ad5854ab6eadffe790a8167fb4] Merge tag 'rcu.2022.05.19a' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu

testing commit 1e57930e9f4083ad5854ab6eadffe790a8167fb4
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e0b2fa6e88f154f48cef9716c52f83fbc9d925c132d30885b052c20e8b67e4fe
all runs: OK
# git bisect good 1e57930e9f4083ad5854ab6eadffe790a8167fb4
Bisecting: 81 revisions left to test after this (roughly 6 steps)
[a4f8d94cfb7c69f996b6a52b1fcbec2f2504dd3f] io_uring: move provided and fixed buffers into the same io_kiocb area

testing commit a4f8d94cfb7c69f996b6a52b1fcbec2f2504dd3f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2ffd0274f2361989a7fab9fd7440cf725f4a7a9d3247e7f377c011fce44ff760
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good a4f8d94cfb7c69f996b6a52b1fcbec2f2504dd3f
Bisecting: 43 revisions left to test after this (roughly 5 steps)
[3fe07bcd800d6e5e4e4263ca2564d69095c157bf] io_uring: cleanup handling of the two task_work lists

testing commit 3fe07bcd800d6e5e4e4263ca2564d69095c157bf
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4c956f8e48fb43763fb1220ba89a5944c0cf659a88d0520dedae9ba421abbcf1
all runs: OK
# git bisect good 3fe07bcd800d6e5e4e4263ca2564d69095c157bf
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[0bf1dbee9baf3e78bff297245178f8c9a8ef8670] io_uring: use rcu_dereference in io_close

testing commit 0bf1dbee9baf3e78bff297245178f8c9a8ef8670
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9fe934f411b86c210b62016b243ca41e659a4826a5963468ad23e377d8671fcd
all runs: crashed: KASAN: use-after-free Read in __io_remove_buffers
# git bisect bad 0bf1dbee9baf3e78bff297245178f8c9a8ef8670
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[dbc2564cfe0faff439dc46adb8c009589054ea46] io_uring: let fast poll support multishot

testing commit dbc2564cfe0faff439dc46adb8c009589054ea46
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 98d40749fb2dac92b1cdf6cb61db2d982750a4acf375c11f681d35d0a1766b65
all runs: OK
# git bisect good dbc2564cfe0faff439dc46adb8c009589054ea46
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[c7fb19428d67dd0a2a78a4f237af01d39c78dc5a] io_uring: add support for ring mapped supplied buffers

testing commit c7fb19428d67dd0a2a78a4f237af01d39c78dc5a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 48a9bf260554d31057d52a6cebc94643c9d1b897430c46bc2140820b5ea5a9db
all runs: crashed: KASAN: use-after-free Read in __io_remove_buffers
# git bisect bad c7fb19428d67dd0a2a78a4f237af01d39c78dc5a
Bisecting: 2 revisions left to test after this (roughly 1 step)
[e7637a492b9f1ae6b7cfcecf0aed5e4c76efa3bd] io_uring: fix locking state for empty buffer group

testing commit e7637a492b9f1ae6b7cfcecf0aed5e4c76efa3bd
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a3b16a98ea19b8b2743943aba2eb2ab58a174baa4cbbe6414447c25d8bd00e27
all runs: OK
# git bisect good e7637a492b9f1ae6b7cfcecf0aed5e4c76efa3bd
Bisecting: 0 revisions left to test after this (roughly 1 step)
[d8c2237d0aa9c04b867ce1e281e2a30a86a68e3b] io_uring: add io_pin_pages() helper

testing commit d8c2237d0aa9c04b867ce1e281e2a30a86a68e3b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a0eb2e7c72f62be02243ddd2c812aaa9d1ca569d317de06766de3aa384579e47
all runs: OK
# git bisect good d8c2237d0aa9c04b867ce1e281e2a30a86a68e3b
c7fb19428d67dd0a2a78a4f237af01d39c78dc5a is the first bad commit
commit c7fb19428d67dd0a2a78a4f237af01d39c78dc5a
Author: Jens Axboe <axboe@kernel.dk>
Date:   Sat Apr 30 14:38:53 2022 -0600

    io_uring: add support for ring mapped supplied buffers
    
    Provided buffers allow an application to supply io_uring with buffers
    that can then be grabbed for a read/receive request, when the data
    source is ready to deliver data. The existing scheme relies on using
    IORING_OP_PROVIDE_BUFFERS to do that, but it can be difficult to use
    in real world applications. It's pretty efficient if the application
    is able to supply back batches of provided buffers when they have been
    consumed and the application is ready to recycle them, but if
    fragmentation occurs in the buffer space, it can become difficult to
    supply enough buffers at the time. This hurts efficiency.
    
    Add a register op, IORING_REGISTER_PBUF_RING, which allows an application
    to setup a shared queue for each buffer group of provided buffers. The
    application can then supply buffers simply by adding them to this ring,
    and the kernel can consume then just as easily. The ring shares the head
    with the application, the tail remains private in the kernel.
    
    Provided buffers setup with IORING_REGISTER_PBUF_RING cannot use
    IORING_OP_{PROVIDE,REMOVE}_BUFFERS for adding or removing entries to the
    ring, they must use the mapped ring. Mapped provided buffer rings can
    co-exist with normal provided buffers, just not within the same group ID.
    
    To gauge overhead of the existing scheme and evaluate the mapped ring
    approach, a simple NOP benchmark was written. It uses a ring of 128
    entries, and submits/completes 32 at the time. 'Replenish' is how
    many buffers are provided back at the time after they have been
    consumed:
    
    Test                    Replenish                       NOPs/sec
    ================================================================
    No provided buffers     NA                              ~30M
    Provided buffers        32                              ~16M
    Provided buffers         1                              ~10M
    Ring buffers            32                              ~27M
    Ring buffers             1                              ~27M
    
    The ring mapped buffers perform almost as well as not using provided
    buffers at all, and they don't care if you provided 1 or more back at
    the same time. This means application can just replenish as they go,
    rather than need to batch and compact, further reducing overhead in the
    application. The NOP benchmark above doesn't need to do any compaction,
    so that overhead isn't even reflected in the above test.
    
    Co-developed-by: Dylan Yudaken <dylany@fb.com>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

 fs/io_uring.c                 | 234 +++++++++++++++++++++++++++++++++++++++---
 include/uapi/linux/io_uring.h |  36 +++++++
 2 files changed, 258 insertions(+), 12 deletions(-)

culprit signature: 48a9bf260554d31057d52a6cebc94643c9d1b897430c46bc2140820b5ea5a9db
parent  signature: a0eb2e7c72f62be02243ddd2c812aaa9d1ca569d317de06766de3aa384579e47
revisions tested: 16, total time: 3h19m22.105950612s (build: 1h47m59.049413696s, test: 1h29m23.510892265s)
first bad commit: c7fb19428d67dd0a2a78a4f237af01d39c78dc5a io_uring: add support for ring mapped supplied buffers
recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org"]
recipients (cc): ["asml.silence@gmail.com" "linux-kernel@vger.kernel.org"]
crash: KASAN: use-after-free Read in __io_remove_buffers
==================================================================
BUG: KASAN: use-after-free in __io_remove_buffers.part.0+0x32c/0x470 fs/io_uring.c:4972
Read of size 2 at addr ffff88807b9a9012 by task kworker/u4:3/500

CPU: 1 PID: 500 Comm: kworker/u4:3 Not tainted 5.18.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Workqueue: events_unbound io_ring_exit_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 __io_remove_buffers.part.0+0x32c/0x470 fs/io_uring.c:4972
 __io_remove_buffers fs/io_uring.c:10292 [inline]
 io_destroy_buffers fs/io_uring.c:10295 [inline]
 io_ring_ctx_free fs/io_uring.c:10376 [inline]
 io_ring_exit_work+0x757/0xc5f fs/io_uring.c:10555
 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289
 worker_thread+0x598/0xec0 kernel/workqueue.c:2436
 kthread+0x299/0x340 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
 </TASK>

Allocated by task 4080:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
 kcalloc include/linux/slab.h:652 [inline]
 io_init_bl_list+0x1f/0xea fs/io_uring.c:5133
 io_register_pbuf_ring fs/io_uring.c:12153 [inline]
 __io_uring_register fs/io_uring.c:12344 [inline]
 __do_sys_io_uring_register.cold+0x495/0xcba fs/io_uring.c:12380
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 4080:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0x166/0x1a0 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:200 [inline]
 slab_free_hook mm/slub.c:1728 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754
 slab_free mm/slub.c:3510 [inline]
 kfree+0xd6/0x4d0 mm/slub.c:4552
 io_register_pbuf_ring fs/io_uring.c:12171 [inline]
 __io_uring_register fs/io_uring.c:12344 [inline]
 __do_sys_io_uring_register+0x1557/0x19d0 fs/io_uring.c:12380
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88807b9a9000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 18 bytes inside of
 2048-byte region [ffff88807b9a9000, ffff88807b9a9800)

The buggy address belongs to the physical page:
page:ffffea0001ee6a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b9a8
head:ffffea0001ee6a00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888010842000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3594, tgid 3594 (syz-executor.0), ts 43160208108, free_ts 35760742800
 prep_new_page mm/page_alloc.c:2441 [inline]
 get_page_from_freelist+0x178d/0x3dc0 mm/page_alloc.c:4182
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408
 alloc_slab_page mm/slub.c:1799 [inline]
 allocate_slab+0x26c/0x3c0 mm/slub.c:1944
 new_slab mm/slub.c:2004 [inline]
 ___slab_alloc+0x8e1/0xf20 mm/slub.c:3005
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092
 slab_alloc_node mm/slub.c:3183 [inline]
 slab_alloc mm/slub.c:3225 [inline]
 kmem_cache_alloc_trace+0x310/0x3f0 mm/slub.c:3256
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:714 [inline]
 ipv6_add_dev+0xcc/0x10f0 net/ipv6/addrconf.c:378
 addrconf_notify+0x5b7/0x15a0 net/ipv6/addrconf.c:3521
 notifier_call_chain+0x94/0x170 kernel/notifier.c:84
 call_netdevice_notifiers_extack net/core/dev.c:1976 [inline]
 call_netdevice_notifiers net/core/dev.c:1990 [inline]
 register_netdevice+0xd6f/0x1400 net/core/dev.c:9994
 __rtnl_newlink+0x10a4/0x13f0 net/core/rtnetlink.c:3485
 rtnl_newlink+0x5a/0x90 net/core/rtnetlink.c:3531
 rtnetlink_rcv_msg+0x31d/0x8d0 net/core/rtnetlink.c:5993
 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2503
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x433/0x710 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x770/0xc20 net/netlink/af_netlink.c:1921
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1356 [inline]
 free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1406
 free_unref_page_prepare mm/page_alloc.c:3328 [inline]
 free_unref_page+0x19/0x6a0 mm/page_alloc.c:3423
 folio_put include/linux/mm.h:1200 [inline]
 put_page include/linux/mm.h:1233 [inline]
 __skb_frag_unref include/linux/skbuff.h:3330 [inline]
 skb_release_data+0x3db/0x650 net/core/skbuff.c:672
 skb_release_all net/core/skbuff.c:742 [inline]
 __kfree_skb+0x39/0x50 net/core/skbuff.c:756
 __sk_defer_free_flush net/ipv4/tcp.c:1601 [inline]
 sk_defer_free_flush include/net/tcp.h:1380 [inline]
 tcp_recvmsg+0x17f/0x4b0 net/ipv4/tcp.c:2577
 inet_recvmsg+0xf2/0x490 net/ipv4/af_inet.c:850
 sock_recvmsg_nosec net/socket.c:948 [inline]
 sock_recvmsg net/socket.c:966 [inline]
 sock_recvmsg net/socket.c:962 [inline]
 sock_read_iter+0x2ae/0x3f0 net/socket.c:1039
 call_read_iter include/linux/fs.h:2044 [inline]
 new_sync_read+0x413/0x510 fs/read_write.c:401
 vfs_read+0x378/0x4b0 fs/read_write.c:482
 ksys_read+0x16b/0x1c0 fs/read_write.c:620
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff88807b9a8f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88807b9a8f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807b9a9000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff88807b9a9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807b9a9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================