Date: Tue, 03 Mar 2026 15:35:35 -0800
In-Reply-To: <20260303101717.27224-1-jack@suse.cz>
Message-ID: <69a77047.050a0220.21ae90.0011.GAE@google.com>
Subject: [syzbot ci] Re: fs: Move metadata bh tracking from address_space
From: syzbot ci
To: agruenba@redhat.com, aivazian.tigran@gmail.com, almaz.alexandrovich@paragon-software.com, axboe@kernel.dk, bcrl@kvack.org, brauner@kernel.org, david@kernel.org, dsterba@suse.com, gfs2@lists.linux.dev, hirofumi@mail.parknet.co.jp, jack@suse.cz, jlbec@evilplan.org, joseph.qi@linux.alibaba.com, linux-aio@kvack.org, linux-block@vger.kernel.org, linux-ext4@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, muchun.song@linux.dev, ntfs3@lists.linux.dev, ocfs2-devel@lists.linux.dev, osalvador@suse.de, tytso@mit.edu, viro@zeniv.linux.org.uk
Cc: syzbot@lists.linux.dev, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"

syzbot ci has tested the following series

[v1] fs: Move metadata bh tracking from address_space
https://lore.kernel.org/all/20260303101717.27224-1-jack@suse.cz
* [PATCH 01/32] fat: Sync and invalidate metadata buffers from fat_evict_inode()
* [PATCH 02/32] udf: Sync and invalidate metadata buffers from udf_evict_inode()
* [PATCH 03/32] minix: Sync and invalidate metadata buffers from minix_evict_inode()
* [PATCH 04/32] ext2: Sync and invalidate metadata buffers from ext2_evict_inode()
* [PATCH 05/32] ext4: Sync and invalidate metadata buffers from ext4_evict_inode()
* [PATCH 06/32] ext4: Use inode_has_buffers()
* [PATCH 07/32] bfs: Sync and invalidate metadata buffers from bfs_evict_inode()
* [PATCH 08/32] affs: Sync and invalidate metadata buffers from affs_evict_inode()
* [PATCH 09/32] fs: Ignore inode metadata buffers in inode_lru_isolate()
* [PATCH 10/32] fs: Stop using i_private_data for metadata bh tracking
* [PATCH 11/32] gfs2: Don't zero i_private_data
* [PATCH 12/32] hugetlbfs: Stop using i_private_data
* [PATCH 13/32] aio: Stop using i_private_data and i_private_lock
* [PATCH 14/32] fs: Remove i_private_data
* [PATCH 15/32] fs: Drop osync_buffers_list()
* [PATCH 16/32] fs: Fold fsync_buffers_list() into sync_mapping_buffers()
* [PATCH 17/32] fs: Move metadata bhs tracking to a separate struct
* [PATCH 18/32] fs: Provide operation for fetching mapping_metadata_bhs
* [PATCH 19/32] ntfs3: Drop pointless sync_mapping_buffers() call
* [PATCH 20/32] ocfs2: Drop pointless sync_mapping_buffers() calls
* [PATCH 21/32] bdev: Drop pointless invalidate_mapping_buffers() call
* [PATCH 22/32] fs: Switch inode_has_buffers() to take mapping_metadata_bhs
* [PATCH 23/32] ext2: Track metadata bhs in fs-private inode part
* [PATCH 24/32] affs: Track metadata bhs in fs-private inode part
* [PATCH 25/32] bfs: Track metadata bhs in fs-private inode part
* [PATCH 26/32] fat: Track metadata bhs in fs-private inode part
* [PATCH 27/32] udf: Track metadata bhs in fs-private inode part
* [PATCH 28/32] minix: Track metadata bhs in fs-private inode part
* [PATCH 29/32] ext4: Track metadata bhs in fs-private inode part
* [PATCH 30/32] vfs: Drop mapping_metadata_bhs from address space
* [PATCH 31/32] kvm: Use private inode list instead of i_private_list
* [PATCH 32/32] fs: Drop i_private_list from address_space

and found the following issues:
* BUG: spinlock bad magic in region_del
* KASAN: slab-use-after-free Read in region_del
* general protection fault in mark_buffer_dirty_inode

Full report is available here:
https://ci.syzbot.org/series/3cf14b16-7f50-44ce-9f95-8ac4b86cf294

***

BUG: spinlock bad magic in region_del

tree:      mm-new
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/akpm/mm.git
base:      f50c6ce7bf30099042dac755fbd1e97da456f5ec
arch:      amd64
compiler:  Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:    https://ci.syzbot.org/builds/e716ec88-6c00-48e7-868d-3f4cb3999d4b/config
syz repro: https://ci.syzbot.org/findings/0d1bc933-ce69-432e-a2d5-b2411fe4cfec/syz_repro

BUG: spinlock bad magic on CPU#0, syz.0.151/6273
 lock: 0xffff8881165dc808, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
CPU: 0 UID: 0 PID: 6273 Comm: syz.0.151 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 spin_bug kernel/locking/spinlock_debug.c:78 [inline]
 debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
 do_raw_spin_lock+0x1e5/0x2f0 kernel/locking/spinlock_debug.c:115
 spin_lock include/linux/spinlock.h:341 [inline]
 region_del+0xbe/0x950 mm/hugetlb.c:863
 hugetlb_unreserve_pages+0xfa/0x230 mm/hugetlb.c:6757
 remove_inode_hugepages+0x1036/0x11a0 fs/hugetlbfs/inode.c:613
 hugetlbfs_evict_inode+0xaf/0x260 fs/hugetlbfs/inode.c:623
 evict+0x61e/0xb10 fs/inode.c:841
 __dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
 finish_dput+0xc9/0x480 fs/dcache.c:879
 do_one_tree fs/dcache.c:1657 [inline]
 shrink_dcache_for_umount+0xe1/0x1f0 fs/dcache.c:1671
 generic_shutdown_super+0x6f/0x2d0 fs/super.c:624
 kill_anon_super+0x3b/0x70 fs/super.c:1292
 deactivate_locked_super+0xbc/0x130 fs/super.c:476
 cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x69b/0x2320 kernel/exit.c:971
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1112
 get_signal+0x1284/0x1330 kernel/signal.c:3034
 arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6e0f19c799
Code: Unable to access opcode bytes at 0x7f6e0f19c76f.
RSP: 002b:00007f6e101360e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f6e0f415fa8 RCX: 00007f6e0f19c799
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f6e0f415fa8
RBP: 00007f6e0f415fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6e0f416038 R14: 00007fff1de1a520 R15: 00007fff1de1a608
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 6273 Comm: syz.0.151 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:region_del+0x108/0x950 mm/hugetlb.c:864
Code: 24 20 49 29 c4 4c 03 23 48 89 03 48 8b 5c 24 40 4c 39 eb 0f 84 64 05 00 00 e8 74 c0 9c ff 4c 89 64 24 10 49 89 df 49 c1 ef 03 <41> 80 3c 2f 00 74 08 48 89 df e8 b9 d8 06 00 48 8b 03 48 89 44 24
RSP: 0018:ffffc90003b17330 EFLAGS: 00010246
RAX: a69e65823ec40000 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffc90003b172a0
RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000762e54 R12: 0000000000000000
R13: ffff8881165dc848 R14: 1ffff11022cbb909 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88818de67000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc23744ea7c CR3: 000000000e54c000 CR4: 00000000000006f0
Call Trace:
 hugetlb_unreserve_pages+0xfa/0x230 mm/hugetlb.c:6757
 remove_inode_hugepages+0x1036/0x11a0 fs/hugetlbfs/inode.c:613
 hugetlbfs_evict_inode+0xaf/0x260 fs/hugetlbfs/inode.c:623
 evict+0x61e/0xb10 fs/inode.c:841
 __dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
 finish_dput+0xc9/0x480 fs/dcache.c:879
 do_one_tree fs/dcache.c:1657 [inline]
 shrink_dcache_for_umount+0xe1/0x1f0 fs/dcache.c:1671
 generic_shutdown_super+0x6f/0x2d0 fs/super.c:624
 kill_anon_super+0x3b/0x70 fs/super.c:1292
 deactivate_locked_super+0xbc/0x130 fs/super.c:476
 cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x69b/0x2320 kernel/exit.c:971
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1112
 get_signal+0x1284/0x1330 kernel/signal.c:3034
 arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6e0f19c799
Code: Unable to access opcode bytes at 0x7f6e0f19c76f.
RSP: 002b:00007f6e101360e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f6e0f415fa8 RCX: 00007f6e0f19c799
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f6e0f415fa8
RBP: 00007f6e0f415fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6e0f416038 R14: 00007fff1de1a520 R15: 00007fff1de1a608
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:region_del+0x108/0x950 mm/hugetlb.c:864
Code: 24 20 49 29 c4 4c 03 23 48 89 03 48 8b 5c 24 40 4c 39 eb 0f 84 64 05 00 00 e8 74 c0 9c ff 4c 89 64 24 10 49 89 df 49 c1 ef 03 <41> 80 3c 2f 00 74 08 48 89 df e8 b9 d8 06 00 48 8b 03 48 89 44 24
RSP: 0018:ffffc90003b17330 EFLAGS: 00010246
RAX: a69e65823ec40000 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffc90003b172a0
RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000762e54 R12: 0000000000000000
R13: ffff8881165dc848 R14: 1ffff11022cbb909 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88818de67000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc23744ea7c CR3: 000000000e54c000 CR4: 00000000000006f0
----------------
Code disassembly (best guess):
   0:   24 20                   and    $0x20,%al
   2:   49 29 c4                sub    %rax,%r12
   5:   4c 03 23                add    (%rbx),%r12
   8:   48 89 03                mov    %rax,(%rbx)
   b:   48 8b 5c 24 40          mov    0x40(%rsp),%rbx
  10:   4c 39 eb                cmp    %r13,%rbx
  13:   0f 84 64 05 00 00       je     0x57d
  19:   e8 74 c0 9c ff          call   0xff9cc092
  1e:   4c 89 64 24 10          mov    %r12,0x10(%rsp)
  23:   49 89 df                mov    %rbx,%r15
  26:   49 c1 ef 03             shr    $0x3,%r15
* 2a:   41 80 3c 2f 00          cmpb   $0x0,(%r15,%rbp,1) <-- trapping instruction
  2f:   74 08                   je     0x39
  31:   48 89 df                mov    %rbx,%rdi
  34:   e8 b9 d8 06 00          call   0x6d8f2
  39:   48 8b 03                mov    (%rbx),%rax
  3c:   48                      rex.W
  3d:   89                      .byte 0x89
  3e:   44                      rex.R
  3f:   24                      .byte 0x24

***

KASAN: slab-use-after-free Read in region_del

tree:      mm-new
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/akpm/mm.git
base:      f50c6ce7bf30099042dac755fbd1e97da456f5ec
arch:      amd64
compiler:  Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:    https://ci.syzbot.org/builds/e716ec88-6c00-48e7-868d-3f4cb3999d4b/config
syz repro: https://ci.syzbot.org/findings/df3f89db-a2df-4664-973c-472164179e0a/syz_repro

==================================================================
BUG: KASAN: slab-use-after-free in __raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
Read of size 1 at addr ffff888114425020 by task syz.2.313/6592

CPU: 0 UID: 0 PID: 6592 Comm: syz.2.313 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574
 kasan_check_byte include/linux/kasan.h:402 [inline]
 lock_acquire+0x79/0x2e0 kernel/locking/lockdep.c:5842
 __raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:341 [inline]
 region_del+0xbe/0x950 mm/hugetlb.c:863
 hugetlb_unreserve_pages+0xfa/0x230 mm/hugetlb.c:6757
 remove_inode_hugepages+0x1036/0x11a0 fs/hugetlbfs/inode.c:613
 hugetlbfs_evict_inode+0xaf/0x260 fs/hugetlbfs/inode.c:623
 evict+0x61e/0xb10 fs/inode.c:841
 __dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
 finish_dput+0xc9/0x480 fs/dcache.c:879
 do_one_tree fs/dcache.c:1657 [inline]
 shrink_dcache_for_umount+0xe1/0x1f0 fs/dcache.c:1671
 generic_shutdown_super+0x6f/0x2d0 fs/super.c:624
 kill_anon_super+0x3b/0x70 fs/super.c:1292
 deactivate_locked_super+0xbc/0x130 fs/super.c:476
 cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x69b/0x2320 kernel/exit.c:971
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1112
 get_signal+0x1284/0x1330 kernel/signal.c:3034
 arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6b41f9c799
Code: Unable to access opcode bytes at 0x7f6b41f9c76f.
RSP: 002b:00007f6b42db90e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f6b42215fa8 RCX: 00007f6b41f9c799
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f6b42215fa8
RBP: 00007f6b42215fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6b42216038 R14: 00007ffd7b00f490 R15: 00007ffd7b00f578

Allocated by task 6005:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5339
 kmalloc_noprof include/linux/slab.h:962 [inline]
 resv_map_alloc+0x51/0x2c0 mm/hugetlb.c:1108
 hugetlbfs_get_inode+0x5d/0x680 fs/hugetlbfs/inode.c:932
 hugetlbfs_mknod fs/hugetlbfs/inode.c:987 [inline]
 hugetlbfs_create+0x59/0xf0 fs/hugetlbfs/inode.c:1009
 lookup_open fs/namei.c:4483 [inline]
 open_last_lookups fs/namei.c:4583 [inline]
 path_openat+0x1395/0x3860 fs/namei.c:4827
 do_file_open+0x23e/0x4a0 fs/namei.c:4859
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_creat fs/open.c:1450 [inline]
 __se_sys_creat fs/open.c:1444 [inline]
 __x64_sys_creat+0x8f/0xc0 fs/open.c:1444
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6005:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2687 [inline]
 slab_free mm/slub.c:6124 [inline]
 kfree+0x1c1/0x630 mm/slub.c:6442
 hugetlbfs_evict_inode+0xe1/0x260 fs/hugetlbfs/inode.c:628
 evict+0x61e/0xb10 fs/inode.c:841
 __dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
 shrink_kill+0xa9/0x2c0 fs/dcache.c:1147
 shrink_dentry_list+0x2e0/0x5e0 fs/dcache.c:1174
 shrink_dcache_tree+0xcf/0x310 fs/dcache.c:-1
 do_one_tree fs/dcache.c:1654 [inline]
 shrink_dcache_for_umount+0xa8/0x1f0 fs/dcache.c:1671
 generic_shutdown_super+0x6f/0x2d0 fs/super.c:624
 kill_anon_super+0x3b/0x70 fs/super.c:1292
 deactivate_locked_super+0xbc/0x130 fs/super.c:476
 cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x69b/0x2320 kernel/exit.c:971
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1112
 get_signal+0x1284/0x1330 kernel/signal.c:3034
 arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888114425000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 32 bytes inside of
 freed 512-byte region [ffff888114425000, ffff888114425200)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888114424000 pfn:0x114424
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x17ff00000000240(workingset|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 017ff00000000240 ffff888100041c80 ffffea00044b8a10 ffffea0004539010
raw: ffff888114424000 0000000000100009 00000000f5000000 0000000000000000
head: 017ff00000000240 ffff888100041c80 ffffea00044b8a10 ffffea0004539010
head: ffff888114424000 0000000000100009 00000000f5000000 0000000000000000
head: 017ff00000000002 ffffea0004510901 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5267, tgid 5267 (udevd), ts 28927219244, free_ts 28922963584
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3255 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3444
 new_slab mm/slub.c:3502 [inline]
 refill_objects+0x331/0x3c0 mm/slub.c:7134
 refill_sheaf mm/slub.c:2804 [inline]
 __pcs_replace_empty_main+0x2b9/0x620 mm/slub.c:4578
 alloc_from_pcs mm/slub.c:4681 [inline]
 slab_alloc_node mm/slub.c:4815 [inline]
 __kmalloc_cache_noprof+0x392/0x660 mm/slub.c:5334
 kmalloc_noprof include/linux/slab.h:962 [inline]
 kzalloc_noprof include/linux/slab.h:1200 [inline]
 kernfs_fop_open+0x397/0xca0 fs/kernfs/file.c:641
 do_dentry_open+0x785/0x14e0 fs/open.c:949
 vfs_open+0x3b/0x340 fs/open.c:1081
 do_open fs/namei.c:4671 [inline]
 path_openat+0x2e08/0x3860 fs/namei.c:4830
 do_file_open+0x23e/0x4a0 fs/namei.c:4859
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5265 tgid 5265 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __slab_free+0x263/0x2b0 mm/slub.c:5532
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4501 [inline]
 slab_alloc_node mm/slub.c:4830 [inline]
 kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4837
 lsm_inode_alloc security/security.c:228 [inline]
 security_inode_alloc+0x39/0x310 security/security.c:1189
 inode_init_always_gfp+0x9c8/0xda0 fs/inode.c:305
 inode_init_always include/linux/fs.h:2925 [inline]
 alloc_inode+0x82/0x1b0 fs/inode.c:352
 iget_locked+0x131/0x6a0 fs/inode.c:1474
 kernfs_get_inode+0x4f/0x780 fs/kernfs/inode.c:253
 kernfs_iop_lookup+0x1fe/0x320 fs/kernfs/dir.c:1241
 __lookup_slow+0x2b7/0x410 fs/namei.c:1916
 lookup_slow+0x53/0x70 fs/namei.c:1933
 walk_component fs/namei.c:2279 [inline]
 lookup_last fs/namei.c:2780 [inline]
 path_lookupat+0x3f5/0x8c0 fs/namei.c:2804
 filename_lookup+0x256/0x5d0 fs/namei.c:2833

Memory state around the buggy address:
 ffff888114424f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888114424f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888114425000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888114425080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888114425100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

***

general protection fault in mark_buffer_dirty_inode

tree:      mm-new
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/akpm/mm.git
base:      f50c6ce7bf30099042dac755fbd1e97da456f5ec
arch:      amd64
compiler:  Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:    https://ci.syzbot.org/builds/e716ec88-6c00-48e7-868d-3f4cb3999d4b/config
C repro:   https://ci.syzbot.org/findings/670a21ca-1447-4fda-909b-5098c9c0cdd9/c_repro
syz repro: https://ci.syzbot.org/findings/670a21ca-1447-4fda-909b-5098c9c0cdd9/syz_repro

EXT4-fs (loop0): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none.
ext4 filesystem being mounted at /0/mnt supports timestamps until 2038-01-19 (0x7fffffff)
fscrypt: AES-256-CBC-CTS using implementation "cts(cbc(ecb(aes-lib)))"
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 1 UID: 0 PID: 5946 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:210
Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 e9 40 6a 80 09 cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc90003c9f380 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffffffff8bafae9e RCX: 0000000080000002
RDX: 0000000000000000 RSI: ffffffff8bafae9e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff2023057 R12: 0000000000000000
R13: 0000000000000018 R14: 0000000000000018 R15: 0000000000000001
FS:  0000555590824500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e763fff CR3: 000000016fa5e000 CR4: 00000000000006f0
Call Trace:
 __kasan_check_byte+0x12/0x40 mm/kasan/common.c:573
 kasan_check_byte include/linux/kasan.h:402 [inline]
 lock_acquire+0x79/0x2e0 kernel/locking/lockdep.c:5842
 __raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:341 [inline]
 mark_buffer_dirty_inode+0xe3/0x2f0 fs/buffer.c:748
 __ext4_handle_dirty_metadata+0x27a/0x810 fs/ext4/ext4_jbd2.c:393
 ext4_xattr_block_set+0x24ff/0x2ad0 fs/ext4/xattr.c:2168
 ext4_xattr_set_handle+0xe34/0x14c0 fs/ext4/xattr.c:2457
 ext4_set_context+0x233/0x560 fs/ext4/crypto.c:166
 fscrypt_set_context+0x397/0x460 fs/crypto/policy.c:791
 __ext4_new_inode+0x3158/0x3d20 fs/ext4/ialloc.c:1314
 ext4_symlink+0x3ac/0xb90 fs/ext4/namei.c:3386
 vfs_symlink+0x195/0x340 fs/namei.c:5615
 filename_symlinkat+0x1cd/0x410 fs/namei.c:5640
 __do_sys_symlink fs/namei.c:5667 [inline]
 __se_sys_symlink+0x4d/0x2b0 fs/namei.c:5663
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe222b9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdf34afb88 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 00007fe222e15fa0 RCX: 00007fe222b9c799
RDX: 0000000000000000 RSI: 00002000000000c0 RDI: 0000200000000080
RBP: 00007fe222c32bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe222e15fac R14: 00007fe222e15fa0 R15: 00007fe222e15fa0
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:210
Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 e9 40 6a 80 09 cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc90003c9f380 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffffffff8bafae9e RCX: 0000000080000002
RDX: 0000000000000000 RSI: ffffffff8bafae9e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff2023057 R12: 0000000000000000
R13: 0000000000000018 R14: 0000000000000018 R15: 0000000000000001
FS:  0000555590824500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e763fff CR3: 000000016fa5e000 CR4: 00000000000006f0
----------------
Code disassembly (best guess), 4 bytes skipped:
   0:   0f 1f 40 00             nopl   0x0(%rax)
   4:   90                      nop
   5:   90                      nop
   6:   90                      nop
   7:   90                      nop
   8:   90                      nop
   9:   90                      nop
   a:   90                      nop
   b:   90                      nop
   c:   90                      nop
   d:   90                      nop
   e:   90                      nop
   f:   90                      nop
  10:   90                      nop
  11:   90                      nop
  12:   90                      nop
  13:   90                      nop
  14:   0f 1f 40 d6             nopl   -0x2a(%rax)
  18:   48 c1 ef 03             shr    $0x3,%rdi
  1c:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  23:   fc ff df
* 26:   0f b6 04 07             movzbl (%rdi,%rax,1),%eax <-- trapping instruction
  2a:   3c 08                   cmp    $0x8,%al
  2c:   0f 92 c0                setb   %al
  2f:   e9 40 6a 80 09          jmp    0x9806a74
  34:   cc                      int3
  35:   66                      data16
  36:   66                      data16
  37:   66                      data16
  38:   66                      data16
  39:   66                      data16
  3a:   66                      data16
  3b:   2e                      cs

***

If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syzbot@syzkaller.appspotmail.com

---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.