@xrivendell7
Created March 21, 2024 09:48
TITLE: general protection fault in do_misc_fixups
general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 1 PID: 8240 Comm: 477 Not tainted 6.8.0-05234-gcc9b22dfa735 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
RIP: 0010:do_misc_fixups+0xf58/0x5610 kernel/bpf/verifier.c:19606
Code: 8d bd 08 01 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 60 32 00 00 48 8b ad 08 01 00 00 48 8d 7d 30 48 89 f8 48f
RSP: 0018:ffffc9000ea07538 EFLAGS: 00010216
RAX: 0000000000000006 RBX: ffffc9000219e05a RCX: ffffffff81a6cf41
RDX: ffff88802ee51ec0 RSI: ffffffff81a6c436 RDI: 0000000000000030
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000010000 R11: ffff88802e97d66c R12: 0000000000010000
R13: dffffc0000000000 R14: 0000000000000002 R15: ffffc9000219e058
FS: 0000000015def380(0000) GS:ffff88823bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000300 CR3: 000000007cac2000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
bpf_check+0x38a5/0xb3b0 kernel/bpf/verifier.c:21291
bpf_prog_load+0xf3b/0x27e0 kernel/bpf/syscall.c:2895
__sys_bpf+0xa1e/0x4f00 kernel/bpf/syscall.c:5631
__do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
__x64_sys_bpf+0x7d/0xc0 kernel/bpf/syscall.c:5736
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd5/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x4313e9
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 248
RSP: 002b:00007ffdad3bdb08 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007ffdad3bdce8 RCX: 00000000004313e9
RDX: 0000000000000090 RSI: 0000000020000300 RDI: 0000000000000005
RBP: 00007ffdad3bdb10 R08: 0000000000000000 R09: 00000000004a06f0
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffdad3bdcd8 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:do_misc_fixups+0xf58/0x5610 kernel/bpf/verifier.c:19606
Code: 8d bd 08 01 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 60 32 00 00 48 8b ad 08 01 00 00 48 8d 7d 30 48 89 f8 48f
RSP: 0018:ffffc9000ea07538 EFLAGS: 00010216
RAX: 0000000000000006 RBX: ffffc9000219e05a RCX: ffffffff81a6cf41
RDX: ffff88802ee51ec0 RSI: ffffffff81a6c436 RDI: 0000000000000030
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000010000 R11: ffff88802e97d66c R12: 0000000000010000
R13: dffffc0000000000 R14: 0000000000000002 R15: ffffc9000219e058
FS: 0000000015def380(0000) GS:ffff88823bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000300 CR3: 000000007cac2000 CR4: 0000000000750ef0
PKRU: 55555554
TITLE: kernel panic: Fatal exception
CORRUPTED: true (report format is marked as corrupted)
MAINTAINERS (TO): []
MAINTAINERS (CC): []
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 1 PID: 8240 Comm: 477 Not tainted 6.8.0-05234-gcc9b22dfa735 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
RIP: 0010:do_misc_fixups+0xf58/0x5610 kernel/bpf/verifier.c:19606
Code: 8d bd 08 01 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 60 32 00 00 48 8b ad 08 01 00 00 48 8d 7d 30 48 89 f8 48f
RSP: 0018:ffffc9000ea07538 EFLAGS: 00010216
RAX: 0000000000000006 RBX: ffffc9000219e05a RCX: ffffffff81a6cf41
RDX: ffff88802ee51ec0 RSI: ffffffff81a6c436 RDI: 0000000000000030
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000010000 R11: ffff88802e97d66c R12: 0000000000010000
R13: dffffc0000000000 R14: 0000000000000002 R15: ffffc9000219e058
FS: 0000000015def380(0000) GS:ffff88823bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000300 CR3: 000000007cac2000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
bpf_check+0x38a5/0xb3b0 kernel/bpf/verifier.c:21291
bpf_prog_load+0xf3b/0x27e0 kernel/bpf/syscall.c:2895
__sys_bpf+0xa1e/0x4f00 kernel/bpf/syscall.c:5631
__do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
__x64_sys_bpf+0x7d/0xc0 kernel/bpf/syscall.c:5736
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd5/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x4313e9
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 248
RSP: 002b:00007ffdad3bdb08 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007ffdad3bdce8 RCX: 00000000004313e9
RDX: 0000000000000090 RSI: 0000000020000300 RDI: 0000000000000005
RBP: 00007ffdad3bdb10 R08: 0000000000000000 R09: 00000000004a06f0
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffdad3bdcd8 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:do_misc_fixups+0xf58/0x5610 kernel/bpf/verifier.c:19606
Code: 8d bd 08 01 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 60 32 00 00 48 8b ad 08 01 00 00 48 8d 7d 30 48 89 f8 48f
RSP: 0018:ffffc9000ea07538 EFLAGS: 00010216
RAX: 0000000000000006 RBX: ffffc9000219e05a RCX: ffffffff81a6cf41
RDX: ffff88802ee51ec0 RSI: ffffffff81a6c436 RDI: 0000000000000030
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000010000 R11: ffff88802e97d66c R12: 0000000000010000
R13: dffffc0000000000 R14: 0000000000000002 R15: ffffc9000219e058
FS: 0000000015def380(0000) GS:ffff88823bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000300 CR3: 000000007cac2000 CR4: 0000000000750ef0
PKRU: 55555554
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
Rebooting in 86400 seconds..
[ 413.543678][ T8244] general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 413.546252][ T8244] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[ 413.547723][ T8244] CPU: 0 PID: 8244 Comm: 477 Not tainted 6.8.0-05230-g114b5b3b4bde #5
[ 413.549221][ T8244] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
[ 413.550994][ T8244] RIP: 0010:do_misc_fixups+0xf58/0x5610
[ 413.552073][ T8244] Code: 8d bd 08 01 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 60 32 00 00 48 8b ad 08 01 00 00 48 8d 7d 30 48 89 f8 48f
[ 413.555539][ T8244] RSP: 0018:ffffc9000e17f538 EFLAGS: 00010216
[ 413.556688][ T8244] RAX: 0000000000000006 RBX: ffffc9000219e05a RCX: ffffffff81a6bda1
[ 413.558131][ T8244] RDX: ffff88801f339ec0 RSI: ffffffff81a6b296 RDI: 0000000000000030
[ 413.559606][ T8244] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000001
[ 413.561027][ T8244] R10: 0000000000010000 R11: ffff8880296fd66c R12: 0000000000010000
[ 413.562467][ T8244] R13: dffffc0000000000 R14: 0000000000000002 R15: ffffc9000219e058
[ 413.563913][ T8244] FS: 0000000017f1a380(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
[ 413.565538][ T8244] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 413.566730][ T8244] CR2: 0000000020000300 CR3: 0000000020f26000 CR4: 0000000000750ef0
[ 413.568167][ T8244] PKRU: 55555554
[ 413.568869][ T8244] Call Trace:
[ 413.569513][ T8244] <TASK>
[ 413.570058][ T8244] ? show_regs+0x97/0xa0
[ 413.570867][ T8244] ? die_addr+0x56/0xe0
[ 413.571654][ T8244] ? exc_general_protection+0x155/0x230
[ 413.572715][ T8244] ? asm_exc_general_protection+0x26/0x30
[ 413.573792][ T8244] ? do_misc_fixups+0x1a01/0x5610
[ 413.574744][ T8244] ? do_misc_fixups+0xef6/0x5610
[ 413.575684][ T8244] ? do_misc_fixups+0xf58/0x5610
[ 413.576630][ T8244] ? do_misc_fixups+0xef6/0x5610
[ 413.577586][ T8244] ? kvfree+0x50/0x60
[ 413.578371][ T8244] ? __kasan_slab_free+0x11d/0x1a0
[ 413.579349][ T8244] ? kfree+0x129/0x370
[ 413.580148][ T8244] ? __x64_sys_bpf+0x7d/0xc0
[ 413.581034][ T8244] ? __pfx_do_misc_fixups+0x10/0x10
[ 413.582047][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.583165][ T8244] ? __sanitizer_cov_trace_switch+0x54/0x90
[ 413.584336][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.585458][ T8244] ? convert_ctx_accesses+0x1275/0x1860
[ 413.586560][ T8244] ? __pfx_convert_ctx_accesses+0x10/0x10
[ 413.587658][ T8244] ? __pfx_check_max_stack_depth_subprog+0x10/0x10
[ 413.588909][ T8244] ? kvfree+0x50/0x60
[ 413.589714][ T8244] bpf_check+0x38a5/0xb3b0
[ 413.590651][ T8244] ? pcpu_memcg_post_alloc_hook+0x260/0x6f0
[ 413.591807][ T8244] ? __pfx_bpf_check+0x10/0x10
[ 413.592767][ T8244] ? find_held_lock+0x2d/0x110
[ 413.593752][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.594898][ T8244] ? bpf_prog_load+0xe3c/0x27e0
[ 413.595900][ T8244] ? __pfx_lock_release+0x10/0x10
[ 413.596947][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.598122][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.599280][ T8244] ? __pfx___might_resched+0x10/0x10
[ 413.600306][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.601402][ T8244] ? ktime_get_with_offset+0x326/0x560
[ 413.602469][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.603551][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.604659][ T8244] bpf_prog_load+0xf3b/0x27e0
[ 413.605595][ T8244] ? __pfx_bpf_prog_load+0x10/0x10
[ 413.606583][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.607669][ T8244] ? find_held_lock+0x2d/0x110
[ 413.608610][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.609786][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.610878][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.611964][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.613106][ T8244] __sys_bpf+0xa17/0x4ef0
[ 413.614002][ T8244] ? __pfx___sys_bpf+0x10/0x10
[ 413.614957][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.616043][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.617128][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.618211][ T8244] ? find_held_lock+0x2d/0x110
[ 413.619173][ T8244] ? __pfx___up_read+0x10/0x10
[ 413.620107][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.621230][ T8244] ? handle_mm_fault+0x541/0xab0
[ 413.622251][ T8244] __x64_sys_bpf+0x7d/0xc0
[ 413.623117][ T8244] ? srso_alias_return_thunk+0x5/0xfbef5
[ 413.624208][ T8244] ? lockdep_hardirqs_on+0x7c/0x110
[ 413.625212][ T8244] do_syscall_64+0xd5/0x260
[ 413.626098][ T8244] entry_SYSCALL_64_after_hwframe+0x6d/0x75
[ 413.627281][ T8244] RIP: 0033:0x4313e9
[ 413.628081][ T8244] Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 248
[ 413.631741][ T8244] RSP: 002b:00007ffe532a9c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
[ 413.633330][ T8244] RAX: ffffffffffffffda RBX: 00007ffe532a9e48 RCX: 00000000004313e9
[ 413.634852][ T8244] RDX: 0000000000000090 RSI: 0000000020000300 RDI: 0000000000000005
[ 413.636317][ T8244] RBP: 00007ffe532a9c70 R08: 0000000000000000 R09: 00000000004a06f0
[ 413.637786][ T8244] R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000000001
[ 413.639279][ T8244] R13: 00007ffe532a9e38 R14: 0000000000000001 R15: 0000000000000001
[ 413.640794][ T8244] </TASK>
[ 413.641369][ T8244] Modules linked in:
[ 413.642416][ T8244] ---[ end trace 0000000000000000 ]---
[ 413.643407][ T8244] RIP: 0010:do_misc_fixups+0xf58/0x5610
[ 413.644475][ T8244] Code: 8d bd 08 01 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 60 32 00 00 48 8b ad 08 01 00 00 48 8d 7d 30 48 89 f8 48f
[ 413.647788][ T8244] RSP: 0018:ffffc9000e17f538 EFLAGS: 00010216
[ 413.648884][ T8244] RAX: 0000000000000006 RBX: ffffc9000219e05a RCX: ffffffff81a6bda1
[ 413.650285][ T8244] RDX: ffff88801f339ec0 RSI: ffffffff81a6b296 RDI: 0000000000000030
[ 413.651720][ T8244] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000001
[ 413.653884][ T8244] R10: 0000000000010000 R11: ffff8880296fd66c R12: 0000000000010000
[ 413.655347][ T8244] R13: dffffc0000000000 R14: 0000000000000002 R15: ffffc9000219e058
[ 413.656830][ T8244] FS: 0000000017f1a380(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
[ 413.658486][ T8244] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 413.659685][ T8244] CR2: 0000000020000300 CR3: 0000000020f26000 CR4: 0000000000750ef0
[ 413.661102][ T8244] PKRU: 55555554
[ 413.661762][ T8244] Kernel panic - not syncing: Fatal exception
[ 413.663144][ T8244] Kernel Offset: disabled
[ 413.663944][ T8244] Rebooting in 86400 seconds..
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
/*
 * syzkaller-generated reproducer for the crash reported above: a general
 * protection fault in do_misc_fixups() (kernel/bpf/verifier.c:19606, seen on
 * 6.8.0-05234-gcc9b22dfa735 and 6.8.0-05230-g114b5b3b4bde), where KASAN
 * reports a NULL-based dereference in the 0x30-0x37 range, reached from
 * bpf_check() during bpf_prog_load().
 *
 * The program maps a fixed scratch region, hand-assembles a union bpf_attr
 * for a BPF_PROG_LOAD (cmd 5) at 0x20000300 one field at a time, and submits
 * it with a single bpf(2) call.  Addresses, offsets and values are byte-exact
 * and must stay that way for the crash to reproduce; as is usual for syz
 * reproducers, no return value is checked and the process simply exits.
 *
 * Loading a raw-tracepoint program type needs CAP_BPF together with
 * CAP_PERFMON (or CAP_SYS_ADMIN) in bpf_prog_load(), so the trigger appears to
 * require a privileged caller -- NOTE(review): confirm against the tree under
 * test before treating this as an unprivileged reachability question.
 */
int main(void) {
/* Guard page below the scratch area (no permissions).  0x32 looks like
 * MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS -- confirm against <sys/mman.h>. */
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
/* 16 MiB read/write/exec scratch region (prot 7) that holds the bpf_attr,
 * the instruction bytes and the license string.  Anonymous mappings are
 * zero-filled, which matters for the partially written insns below. */
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
/* Guard page above the scratch area. */
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
/* union bpf_attr (BPF_PROG_LOAD member) at 0x20000300.  Field names below
 * follow the 6.8 UAPI layout; verify the offsets against the kernel's UAPI
 * bpf header when reading this against a different tree. */
*(uint32_t*)0x20000300 = 0x18;  /* prog_type: 0x18 = BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE (matches the syz line's RAW_TRACEPOINT load) */
*(uint32_t*)0x20000304 = 4;     /* insn_cnt: 4 instructions = 32 bytes expected */
*(uint64_t*)0x20000308 = 0x200000c0;  /* insns: user pointer to the instruction bytes */
/* Only 25 of the 32 bytes implied by insn_cnt are written; the tail of the
 * fourth instruction is the zero fill of the fresh mapping.  The opcode
 * bytes (0x18, 0xbf, 0x95) suggest an ld_imm64 (two slots), a 64-bit
 * register mov and an exit -- decode before relying on that reading. */
memcpy((void*)0x200000c0,
"\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xbf"
"\x02\x01\x00\x00\x00\x01\x00\x95",
25);
*(uint64_t*)0x20000310 = 0x20000000;  /* license: user pointer to the string below */
memcpy((void*)0x20000000, "syzkaller\000", 10);
*(uint32_t*)0x20000318 = 2;     /* log_level: 2, but log_buf/log_size are zero so nothing is returned */
*(uint32_t*)0x2000031c = 0;     /* log_size */
*(uint64_t*)0x20000320 = 0;     /* log_buf */
*(uint32_t*)0x20000328 = 0;     /* kern_version */
*(uint32_t*)0x2000032c = 0;     /* prog_flags */
memset((void*)0x20000330, 0, 16);  /* prog_name[16]: empty */
*(uint32_t*)0x20000340 = 0;     /* prog_ifindex */
*(uint32_t*)0x20000344 = 0;     /* expected_attach_type */
*(uint32_t*)0x20000348 = -1;    /* prog_btf_fd: -1, no BTF object (stored as 0xffffffff) */
*(uint32_t*)0x2000034c = 8;     /* func_info_rec_size */
*(uint64_t*)0x20000350 = 0;     /* func_info */
*(uint32_t*)0x20000358 = 0;     /* func_info_cnt */
*(uint32_t*)0x2000035c = 0x10;  /* line_info_rec_size */
*(uint64_t*)0x20000360 = 0;     /* line_info */
*(uint32_t*)0x20000368 = 0;     /* line_info_cnt */
*(uint32_t*)0x2000036c = 0;     /* attach_btf_id */
*(uint32_t*)0x20000370 = 0;     /* attach_prog_fd */
*(uint32_t*)0x20000374 = 0;     /* core_relo_cnt */
*(uint64_t*)0x20000378 = 0;     /* fd_array */
*(uint64_t*)0x20000380 = 0;     /* core_relos */
*(uint32_t*)0x20000388 = 0x10;  /* core_relo_rec_size */
*(uint32_t*)0x2000038c = 0;     /* log_true_size */
/* bpf(BPF_PROG_LOAD, &attr, 0x90): 0x90 = 144 bytes covers the fields set
 * above.  The crash occurs inside this call, so nothing after it matters. */
syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000300ul, /*size=*/0x90ul);
return 0;
}
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000300)={0x18, 0x4, &(0x7f00000000c0)=ANY=[@ANYBLOB="18000000000000000000000000ffffffbf0201000000010095"], &(0x7f0000000000)='syzkaller\x00', 0x2}, 0x90)