==================================================================
BUG: KASAN: stack-out-of-bounds in profile_pc+0x124/0x130
Read of size 8 at addr ffff88803a77fc00 by task syz-executor.2/270

CPU: 1 PID: 270 Comm: syz-executor.2 Not tainted 6.2.0-rc1-next-20221226 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 dump_stack_lvl+0x8f/0xb7
 print_report+0x175/0x478
 kasan_report+0xc0/0x100
 profile_pc+0x124/0x130
 profile_tick+0xb2/0x100
 tick_sched_timer+0xf6/0x120
 __hrtimer_run_queues+0x17f/0xc70
 hrtimer_interrupt+0x319/0x770
 __sysvec_apic_timer_interrupt+0x148/0x500
 sysvec_apic_timer_interrupt+0x8d/0xc0
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:queued_read_lock_slowpath+0x131/0x265
Code: 1a 01 00 00 8b 45 00 84 c0 74 37 48 b8 00 00 00 00 00 fc ff df 49 89 ed 48 89 eb 49 c1 ed 03 83 e3 07 49 01 c5 83 c3 03 f3 90 <41> 0f b6 45 00 38 c3 7c 08 84 c0 0f 85 fd 00 00 00 8b 45 00 84 c0
RSP: 0018:ffff88803a77fc00 EFLAGS: 00000286
RAX: 00000000000002ff RBX: 0000000000000003 RCX: ffffffff8440c879
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8540a080
RBP: ffffffff8540a080 R08: 0000000000000001 R09: ffffffff8540a083
R10: fffffbfff0a81410 R11: 0000000000000001 R12: 1ffff110074eff80
R13: fffffbfff0a81410 R14: ffffffff8540a084 R15: 0000000000000000
 do_wait+0x25d/0xc80
 kernel_wait4+0x150/0x260
 __do_sys_wait4+0x143/0x150
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f21a9baafb7
Code: 89 7c 24 10 48 89 4c 24 18 e8 d5 50 02 00 4c 8b 54 24 18 8b 54 24 14 41 89 c0 48 8b 74 24 08 8b 7c 24 10 b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 89 44 24 10 e8 05 51 02 00 8b 44
RSP: 002b:00007ffd94b33450 EFLAGS: 00000293 ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 000000000000026d RCX: 00007f21a9baafb7
RDX: 0000000040000001 RSI: 00007ffd94b334dc RDI: 00000000ffffffff
RBP: 00007ffd94b334dc R08: 0000000000000000 R09: 00007ffd94bf0080
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000032
R13: 000000000024b0b7 R14: 0000000000000000 R15: 00007ffd94b33540

The buggy address belongs to stack of task syz-executor.2/270
 and is located at offset 0 in frame:
 queued_read_lock_slowpath+0x0/0x265

This frame has 1 object:
 [32, 36) 'val'

The buggy address belongs to the physical page:
page:00000000779d4b77 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3a77f
flags: 0x100000000000000(node=0|zone=1)
raw: 0100000000000000 ffffea0000e9dfc8 ffffea0000e9dfc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88803a77fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88803a77fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88803a77fc00: f1 f1 f1 f1 04 f3 f3 f3 00 00 00 00 00 00 00 00
                   ^
 ffff88803a77fc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
 ffff88803a77fd00: f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 f3 f3
==================================================================
loop2: detected capacity change from 0 to 264192
EXT4-fs (loop2): failed to parse options in superblock:
EXT4-fs (loop2): couldn't mount RDWR because of unsupported optional features (e4580000)
loop2: detected capacity change from 0 to 264192
EXT4-fs (loop2): failed to parse options in superblock:
EXT4-fs (loop2): couldn't mount RDWR because of unsupported optional features (e4580000)
----------------
Code disassembly (best guess):
   0:	1a 01                	sbb    (%rcx),%al
   2:	00 00                	add    %al,(%rax)
   4:	8b 45 00             	mov    0x0(%rbp),%eax
   7:	84 c0                	test   %al,%al
   9:	74 37                	je     0x42
   b:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  12:	fc ff df
  15:	49 89 ed             	mov    %rbp,%r13
  18:	48 89 eb             	mov    %rbp,%rbx
  1b:	49 c1 ed 03          	shr    $0x3,%r13
  1f:	83 e3 07             	and    $0x7,%ebx
  22:	49 01 c5             	add    %rax,%r13
  25:	83 c3 03             	add    $0x3,%ebx
  28:	f3 90                	pause
* 2a:	41 0f b6 45 00       	movzbl 0x0(%r13),%eax		<-- trapping instruction
  2f:	38 c3                	cmp    %al,%bl
  31:	7c 08                	jl     0x3b
  33:	84 c0                	test   %al,%al
  35:	0f 85 fd 00 00 00    	jne    0x138
  3b:	8b 45 00             	mov    0x0(%rbp),%eax
  3e:	84 c0                	test   %al,%al
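Added worked example (not part of the kernel log above, and not kernel code): a small C program that replays the generic-mode KASAN shadow check on the numbers in this report, so the "Memory state" row, the "This frame has 1 object" line and the register dump can be cross-checked by hand. The shadow mapping (one shadow byte per 8-byte granule, offset 0xdffffc0000000000 on x86_64) is the same one the disassembly performs with the movabs/shr $0x3/add sequence before the trapping movzbl, and the shadow byte meanings are taken from the kernel's mm/kasan/kasan.h. The shadow row is copied from the ">ffff88803a77fc00:" line; REPORT_ADDR, REPORT_SHADOW and the helper function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Generic-mode KASAN parameters for x86_64, as built into the kernel that
 * produced the report (the movabs $0xdffffc0000000000 in the disassembly). */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1UL << KASAN_SHADOW_SCALE_SHIFT)
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL

/* mem -> shadow mapping used by the kernel: (addr >> 3) + offset. */
static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Human-readable meaning of a shadow byte (values from mm/kasan/kasan.h). */
static const char *shadow_meaning(uint8_t s)
{
	if (s == 0x00)
		return "fully addressable";
	if (s >= 0x01 && s <= 0x07)
		return "partially addressable (first N bytes only)";
	switch (s) {
	case 0xF1: return "stack left redzone";
	case 0xF2: return "stack mid redzone";
	case 0xF3: return "stack right redzone";
	case 0xF4: return "stack partial redzone";
	case 0xFB: return "freed slab object";
	case 0xFC: return "slab object redzone";
	case 0xFE: return "kmalloc_large redzone";
	case 0xFF: return "freed page";
	default:   return "other poison";
	}
}

/* Number of leading bytes of an 8-byte granule that its shadow value permits. */
static unsigned granule_valid_bytes(uint8_t s)
{
	if (s == 0x00)
		return KASAN_GRANULE_SIZE;
	if (s <= 0x07)
		return s;
	return 0;
}

/*
 * Re-run the check behind "Read of size 8 at addr ...": `shadow` describes
 * memory starting at `base`. Returns the offset of the first poisoned byte in
 * [addr, addr + size), -1 if the access is clean, -2 if it leaves the snapshot.
 */
static int first_poisoned_byte(uint64_t addr, size_t size, uint64_t base,
			       const uint8_t *shadow, size_t nshadow)
{
	for (size_t i = 0; i < size; i++) {
		uint64_t a = addr + i;
		if (a < base || ((a - base) >> KASAN_SHADOW_SCALE_SHIFT) >= nshadow)
			return -2;
		uint8_t s = shadow[(a - base) >> KASAN_SHADOW_SCALE_SHIFT];
		if ((a & (KASAN_GRANULE_SIZE - 1)) >= granule_valid_bytes(s))
			return (int)i;
	}
	return -1;
}

/*
 * List the addressable ranges [start, end) inside one frame's shadow; this is
 * what the report's "This frame has N object(s)" lines describe. Returns the
 * number of ranges written into starts[]/ends[].
 */
static int frame_objects(const uint8_t *shadow, size_t nshadow,
			 int *starts, int *ends, int max)
{
	int n = 0;
	for (size_t i = 0; i < nshadow; i++) {
		unsigned len = granule_valid_bytes(shadow[i]);
		if (len == 0)
			continue;
		int start = (int)(i * KASAN_GRANULE_SIZE);
		int end = start + (int)len;
		if (n > 0 && ends[n - 1] == start) {	/* extend the previous range */
			ends[n - 1] = end;
			continue;
		}
		if (n == max)
			break;
		starts[n] = start;
		ends[n] = end;
		n++;
	}
	return n;
}

/* The ">ffff88803a77fc00:" shadow row copied from the report; the first 8
 * granules are the queued_read_lock_slowpath frame (64 bytes of stack). */
static const uint64_t REPORT_ADDR = 0xffff88803a77fc00ULL;
static const uint8_t REPORT_SHADOW[16] = {
	0xf1, 0xf1, 0xf1, 0xf1, 0x04, 0xf3, 0xf3, 0xf3,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
	int bad = first_poisoned_byte(REPORT_ADDR, 8, REPORT_ADDR, REPORT_SHADOW, 16);
	printf("access at %#llx: first poisoned byte at offset %d (%s)\n",
	       (unsigned long long)REPORT_ADDR, bad, shadow_meaning(REPORT_SHADOW[0]));

	int starts[4], ends[4];
	int n = frame_objects(REPORT_SHADOW, 8, starts, ends, 4);
	for (int i = 0; i < n; i++)
		printf("frame object %d: [%d, %d)\n", i, starts[i], ends[i]);

	/* R13 in the register dump is the shadow address of RBP, and R12 is RSP >> 3. */
	printf("shadow(rbp=%#llx) = %#llx\n", 0xffffffff8540a080ULL,
	       (unsigned long long)kasan_mem_to_shadow(0xffffffff8540a080ULL));
	return 0;
}
```

Reading the result against the report: the 8-byte read starts at offset 0 of the frame, which is the f1 left redzone, so the very first byte is poisoned; the only addressable range in the frame is [32, 36), matching the single 'val' object; and shadow(RBP) equals R13 while RSP >> 3 equals R12, which is what you expect when the interrupted instruction is the inlined shadow load for the spin-wait on the lock word at RBP. Note also that profile_pc is the function doing the read, not the frame being read: it was sampling the interrupted frame's saved registers from the timer interrupt.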