==================================================================
BUG: KASAN: stack-out-of-bounds in profile_pc+0x116/0x130
Read of size 8 at addr ffff88803f83f760 by task syz-executor.4/295
CPU: 1 PID: 295 Comm: syz-executor.4 Not tainted 6.0.0-rc2-next-20220826 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0x8b/0xb3
print_report.cold+0x5e/0x5e5
kasan_report+0xb1/0x1c0
profile_pc+0x116/0x130
profile_tick+0xae/0x100
tick_sched_timer+0xf2/0x120
__hrtimer_run_queues+0x1ca/0xbd0
hrtimer_interrupt+0x315/0x770
__sysvec_apic_timer_interrupt+0x144/0x500
sysvec_apic_timer_interrupt+0x89/0xc0
asm_sysvec_apic_timer_interrupt+0x16/0x20
RIP: 0010:queued_spin_lock_slowpath+0x124/0xc80
Code: 00 00 00 65 48 2b 04 25 28 00 00 00 0f 85 cd 0a 00 00 48 81 c4 88 00 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f e9 5e 6f 3b 00 f3 90 <e9> 71 ff ff ff 44 8b 74 24 48 41 81 fe 00 01 00 00 0f 84 e5 00 00
RSP: 0018:ffff88803f83f758 EFLAGS: 00000202
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff8424cae7
RDX: ffffed10092b5a76 RSI: 0000000000000004 RDI: ffff8880495ad3a8
RBP: ffff8880495ad3a8 R08: 0000000000000000 R09: ffff8880495ad3ab
R10: ffffed10092b5a75 R11: 0000000000000001 R12: 0000000000000003
R13: ffffed10092b5a75 R14: 0000000000000001 R15: 1ffff11007f07eec
do_raw_spin_lock+0x1dc/0x260
d_walk+0x213/0x8a0
shrink_dcache_parent+0x94/0x3c0
d_invalidate+0x13f/0x280
proc_invalidate_siblings_dcache+0x3d7/0x610
release_task+0xc11/0x14c0
wait_consider_task+0x2ed5/0x3b60
do_wait+0x76f/0xc70
kernel_wait4+0x14c/0x260
__do_sys_wait4+0x143/0x150
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fb2ef663fb7
Code: 89 7c 24 10 48 89 4c 24 18 e8 d5 50 02 00 4c 8b 54 24 18 8b 54 24 14 41 89 c0 48 8b 74 24 08 8b 7c 24 10 b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 89 44 24 10 e8 05 51 02 00 8b 44
RSP: 002b:00007fff14ce0ce0 EFLAGS: 00000293 ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 0000000000000209 RCX: 00007fb2ef663fb7
RDX: 0000000040000001 RSI: 00007fff14ce0d6c RDI: 00000000ffffffff
RBP: 00007fff14ce0d6c R08: 0000000000000000 R09: 00007fff14da3080
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000032
R13: 00000000001b42e1 R14: 0000000000000004 R15: 00007fff14ce0dd0
The buggy address belongs to stack of task syz-executor.4/295
and is located at offset 0 in frame:
queued_spin_lock_slowpath+0x0/0xc80
This frame has 2 objects:
[48, 52) 'val'
[64, 68) 'val'
The buggy address belongs to the physical page:
page:0000000084bbb690 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3f83f
flags: 0x100000000000000(node=0|zone=1)
raw: 0100000000000000 ffffea0000fe0fc8 ffffea0000fe0fc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88803f83f600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88803f83f680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88803f83f700: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
                                                       ^
ffff88803f83f780: f1 f1 04 f2 04 f3 f3 f3 00 00 00 00 00 00 00 00
ffff88803f83f800: 00 00 00 00 f1 f1 f1 f1 04 f3 f3 f3 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 00 65 48 add %ah,0x48(%rbp)
5: 2b 04 25 28 00 00 00 sub 0x28,%eax
c: 0f 85 cd 0a 00 00 jne 0xadf
12: 48 81 c4 88 00 00 00 add $0x88,%rsp
19: 5b pop %rbx
1a: 5d pop %rbp
1b: 41 5c pop %r12
1d: 41 5d pop %r13
1f: 41 5e pop %r14
21: 41 5f pop %r15
23: e9 5e 6f 3b 00 jmpq 0x3b6f86
28: f3 90 pause
* 2a: e9 71 ff ff ff jmpq 0xffffffa0 <-- trapping instruction
2f: 44 8b 74 24 48 mov 0x48(%rsp),%r14d
34: 41 81 fe 00 01 00 00 cmp $0x100,%r14d
3b: 0f .byte 0xf
3c: 84 e5 test %ah,%ch