------------[ cut here ]------------
WARNING: kernel/futex/core.c:1604 at futex_ref_rcu+0x2cf/0x360, CPU#1: syz-executor.6/4559
Modules linked in:
CPU: 1 UID: 0 PID: 4559 Comm: syz-executor.6 Tainted: G W 6.17.0-rc3-next-20250829 #1 PREEMPT(voluntary)
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:futex_ref_rcu+0x2cf/0x360
Code: ff e9 37 ff ff ff e8 10 ec 0c 00 4c 89 ef e8 c8 04 e8 ff eb a8 e8 01 ec 0c 00 48 89 ef e8 e9 fb ff ff eb a6 e8 f2 eb 0c 00 90 <0f> 0b 90 eb 8e e8 e7 eb 0c 00 90 0f 0b 90 e9 cd fd ff ff 48 89 ef
RSP: 0018:ffff88806cf08e20 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8166fb1d
RDX: ffff888046b29b80 RSI: ffffffff8166fb8e RDI: 0000000000000007
RBP: ffffffffffffffff R08: 0000000000000001 R09: ffffed1001ee1d81
R10: ffffffffffffffff R11: 0000000000000001 R12: dffffc0000000000
R13: ffff88800f70e900 R14: ffffed1001ee1d82 R15: 0000000000000002
FS: 0000000000000000(0000) GS:ffff8880e56dd000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2d023000 CR3: 000000003f4f6000 CR4: 0000000000350ef0
Call Trace:
rcu_core+0x7c8/0x1800
handle_softirqs+0x1b1/0x770
__irq_exit_rcu+0xc4/0x100
irq_exit_rcu+0x9/0x20
sysvec_apic_timer_interrupt+0x70/0x80
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:folio_remove_rmap_ptes+0x123/0x7c0
Code: 7b 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 0d 06 00 00 48 8b 43 08 31 ff 49 89 c5 48 89 04 24 <41> 83 e5 01 4c 89 ee e8 a1 63 d1 ff 4d 85 ed 0f 85 42 05 00 00 e8
RSP: 0018:ffff888046b67628 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffea0000f6b8c0 RCX: ffffffff81a27efa
RDX: 1ffffd40001ed719 RSI: ffffffff81a27f07 RDI: 0000000000000000
RBP: 0000000000000001 R08: 0000000000000000 R09: fffff940001ed718
R10: 0000000000000001 R11: 0000000000000001 R12: ffffea0000f6b8c0
R13: 0000000000000000 R14: ffff88801e9e48c0 R15: ffffea0000f6b8f0
unmap_page_range+0x15fc/0x36d0
unmap_single_vma.constprop.0+0x153/0x230
unmap_vmas+0x1d6/0x430
exit_mmap+0x181/0xaa0
mmput+0xd5/0x390
do_exit+0x79d/0x2970
do_group_exit+0xd3/0x2a0
get_signal+0x2315/0x2340
arch_do_signal_or_restart+0x80/0x790
exit_to_user_mode_loop+0x8b/0x110
do_syscall_64+0x2f7/0x360
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdcea08cb19
Code: Unable to access opcode bytes at 0x7fdcea08caef.
RSP: 002b:00007fdce7602218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fdcea19ff68 RCX: 00007fdcea08cb19
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fdcea19ff68
RBP: 00007fdcea19ff60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fdcea19ff6c
R13: 00007ffcb0ad18ef R14: 00007fdce7602300 R15: 0000000000022000
irq event stamp: 1016
hardirqs last enabled at (1024): [] __up_console_sem+0x78/0x80
hardirqs last disabled at (1033): [] __up_console_sem+0x5d/0x80
softirqs last enabled at (162): [] handle_softirqs+0x50c/0x770
softirqs last disabled at (171): [] __irq_exit_rcu+0xc4/0x100
---[ end trace 0000000000000000 ]---
unregister_netdevice: waiting for lo to become free. Usage count = 350
----------------
Code disassembly (best guess):
0: 7b 08 jnp 0xa
2: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
9: fc ff df
c: 48 89 fa mov %rdi,%rdx
f: 48 c1 ea 03 shr $0x3,%rdx
13: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
17: 0f 85 0d 06 00 00 jne 0x62a
1d: 48 8b 43 08 mov 0x8(%rbx),%rax
21: 31 ff xor %edi,%edi
23: 49 89 c5 mov %rax,%r13
26: 48 89 04 24 mov %rax,(%rsp)
* 2a: 41 83 e5 01 and $0x1,%r13d <-- trapping instruction
2e: 4c 89 ee mov %r13,%rsi
31: e8 a1 63 d1 ff callq 0xffd163d7
36: 4d 85 ed test %r13,%r13
39: 0f 85 42 05 00 00 jne 0x581
3f: e8 .byte 0xe8