==================================================================
BUG: KASAN: stack-out-of-bounds in profile_pc+0x124/0x130
Read of size 8 at addr ffff8880424f7c00 by task syz-executor.3/1006
CPU: 0 PID: 1006 Comm: syz-executor.3 Not tainted 6.2.0-rc7-next-20230207 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0x91/0xf0
print_report+0xcc/0x620
kasan_report+0xc0/0xf0
profile_pc+0x124/0x130
profile_tick+0xa8/0xf0
tick_sched_timer+0xea/0x120
__hrtimer_run_queues+0x17f/0xcb0
hrtimer_interrupt+0x2ef/0x750
__sysvec_apic_timer_interrupt+0xff/0x4a0
sysvec_apic_timer_interrupt+0x69/0x90
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:queued_read_lock_slowpath+0x131/0x265
Code: 1a 01 00 00 8b 45 00 84 c0 74 37 48 b8 00 00 00 00 00 fc ff df 49 89 ed 48 89 eb 49 c1 ed 03 83 e3 07 49 01 c5 83 c3 03 f3 90 <41> 0f b6 45 00 38 c3 7c 08 84 c0 0f 85 fd 00 00 00 8b 45 00 84 c0
RSP: 0018:ffff8880424f7c00 EFLAGS: 00000286
RAX: 00000000000002ff RBX: 0000000000000003 RCX: ffffffff84487a29
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8540a080
RBP: ffffffff8540a080 R08: 0000000000000001 R09: ffffffff8540a083
R10: fffffbfff0a81410 R11: 0000000000000001 R12: 1ffff1100849ef80
R13: fffffbfff0a81410 R14: ffffffff8540a084 R15: 0000000000000000
do_wait+0x25d/0xc90
kernel_wait4+0x150/0x260
__do_sys_wait4+0x143/0x150
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7fe4f8105fb7
Code: 89 7c 24 10 48 89 4c 24 18 e8 d5 50 02 00 4c 8b 54 24 18 8b 54 24 14 41 89 c0 48 8b 74 24 08 8b 7c 24 10 b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 89 44 24 10 e8 05 51 02 00 8b 44
RSP: 002b:00007ffe6d2356c0 EFLAGS: 00000293 ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 0000000000000181 RCX: 00007fe4f8105fb7
RDX: 0000000040000001 RSI: 00007ffe6d23574c RDI: 00000000ffffffff
RBP: 00007ffe6d23574c R08: 0000000000000000 R09: 00007ffe6d241080
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000032
R13: 000000000013fa6a R14: 0000000000000002 R15: 00007ffe6d2357b0
The buggy address belongs to stack of task syz-executor.3/1006
and is located at offset 0 in frame:
queued_read_lock_slowpath+0x0/0x265
This frame has 1 object:
[32, 36) 'val'
The buggy address belongs to the physical page:
page:00000000d8c9e302 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x424f7
flags: 0x100000000000000(node=0|zone=1)
raw: 0100000000000000 0000000000000000 ffffea0001093dc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffff8880424f7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880424f7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880424f7c00: f1 f1 f1 f1 04 f3 f3 f3 00 00 00 00 00 00 00 00
                   ^
 ffff8880424f7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
 ffff8880424f7d00: f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 f3 f3
==================================================================
hpet: Lost 4 RTC interrupts
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.4'.
=======================================================
WARNING: The mand mount option has been deprecated and
and is ignored by this kernel. Remove the mand
option from the mount to silence this warning.
=======================================================
9pnet_fd: Insufficient options for proto=fd
9pnet_fd: Insufficient options for proto=fd
----------------
Code disassembly (best guess):
   0:   1a 01                   sbb    (%rcx),%al
   2:   00 00                   add    %al,(%rax)
   4:   8b 45 00                mov    0x0(%rbp),%eax
   7:   84 c0                   test   %al,%al
   9:   74 37                   je     0x42
   b:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  12:   fc ff df
  15:   49 89 ed                mov    %rbp,%r13
  18:   48 89 eb                mov    %rbp,%rbx
  1b:   49 c1 ed 03             shr    $0x3,%r13
  1f:   83 e3 07                and    $0x7,%ebx
  22:   49 01 c5                add    %rax,%r13
  25:   83 c3 03                add    $0x3,%ebx
  28:   f3 90                   pause
* 2a:   41 0f b6 45 00          movzbl 0x0(%r13),%eax        <-- trapping instruction
  2f:   38 c3                   cmp    %al,%bl
  31:   7c 08                   jl     0x3b
  33:   84 c0                   test   %al,%al
  35:   0f 85 fd 00 00 00       jne    0x138
  3b:   8b 45 00                mov    0x0(%rbp),%eax
  3e:   84 c0                   test   %al,%al
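Added worked example, not part of the syzkaller report and not kernel code: a small C program that decodes what the report prints. It assumes the generic KASAN layout for x86_64 (8-byte granules, KASAN_SHADOW_OFFSET 0xdffffc0000000000, which is the constant the movabs in the disassembly loads into %rax) and the poison values from mm/kasan/kasan.h. The shadow row is copied from the `>` line of the report, the two addresses from the report header and the register dump; the range check mirrors the instrumented sequence visible in the disassembly (last byte offset of the access in %ebx, signed compare against the shadow byte in %al). All function names are ours.

```c
/*
 * Added example (not from the report): decode KASAN addresses and shadow
 * bytes. Assumes generic KASAN on x86_64: 8-byte granules, shadow offset
 * 0xdffffc0000000000, poison values as in mm/kasan/kasan.h.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1u << KASAN_SHADOW_SCALE_SHIFT)
#define KASAN_GRANULE_MASK       (KASAN_GRANULE_SIZE - 1)

/* Shadow row copied from the report's '>' line (base ffff8880424f7c00). */
const uint64_t row_base = 0xffff8880424f7c00ULL;
const uint8_t  row[16] = {
    0xf1, 0xf1, 0xf1, 0xf1, 0x04, 0xf3, 0xf3, 0xf3,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

/* Generic KASAN: one shadow byte per 8-byte granule, (addr >> 3) + offset. */
uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Meaning of a shadow byte (poison values from mm/kasan/kasan.h). */
const char *kasan_shadow_meaning(uint8_t s)
{
    if (s == 0x00)              return "all 8 bytes addressable";
    if (s >= 0x01 && s <= 0x07) return "only the first N bytes addressable";
    switch (s) {
    case 0xf1: return "stack left redzone";
    case 0xf2: return "stack mid redzone";
    case 0xf3: return "stack right redzone";
    case 0xf4: return "stack partial redzone";
    case 0xf9: return "global redzone";
    case 0xfb: return "freed slab object";
    case 0xfc: return "slab redzone";
    case 0xfe: return "page redzone";
    case 0xff: return "freed page";
    default:   return "other poison";
    }
}

/* Addressable bytes at the start of a granule: 8, 1..7, or 0 (poisoned). */
unsigned kasan_object_bytes(uint8_t s)
{
    if (s == 0x00) return KASAN_GRANULE_SIZE;
    if (s <= 0x07) return s;
    return 0;
}

/*
 * The decision the instrumented code makes (see the disassembly: %ebx =
 * (addr & 7) + size - 1, then a signed compare with the shadow byte): an
 * access is bad if any granule it touches has a non-zero shadow byte that
 * is <= the offset of the last byte touched in that granule.
 * Returns 1 (bad), 0 (ok) or -1 (access not covered by the row).
 */
int kasan_check_range(const uint8_t *shadow, size_t n, uint64_t base,
                      uint64_t addr, size_t size)
{
    uint64_t last = addr + size - 1;
    if (size == 0 || addr < base || last >= base + n * KASAN_GRANULE_SIZE)
        return -1;
    for (uint64_t g = addr; g <= last; g = (g | KASAN_GRANULE_MASK) + 1) {
        int8_t   s = (int8_t)shadow[(g - base) >> KASAN_SHADOW_SCALE_SHIFT];
        uint64_t granule_last = g | KASAN_GRANULE_MASK;
        uint64_t stop = last < granule_last ? last : granule_last;
        int last_byte = (int)(stop & KASAN_GRANULE_MASK);
        if (s != 0 && last_byte >= s)
            return 1;
    }
    return 0;
}

/*
 * Recover the first stack object of a frame whose shadow row starts at the
 * frame base: skip the 0xf1 left redzone, then walk addressable granules.
 * Returns 1 with [start, end) byte offsets, 0 if no object follows.
 */
int kasan_frame_object(const uint8_t *shadow, size_t n,
                       unsigned *start, unsigned *end)
{
    size_t i = 0;
    while (i < n && shadow[i] == 0xf1)
        i++;
    if (i == n || kasan_object_bytes(shadow[i]) == 0)
        return 0;
    *start = (unsigned)(i * KASAN_GRANULE_SIZE);
    for (; i < n; i++) {
        unsigned b = kasan_object_bytes(shadow[i]);
        if (b == 0)
            break;
        *end = (unsigned)(i * KASAN_GRANULE_SIZE + b);
        if (b < KASAN_GRANULE_SIZE)   /* partial granule ends the object */
            break;
    }
    return 1;
}

int main(void)
{
    unsigned s = 0, e = 0;
    printf("shadow of %%rbp  = %#llx\n",
           (unsigned long long)kasan_mem_to_shadow(0xffffffff8540a080ULL));
    printf("shadow of fault = %#llx (%s)\n",
           (unsigned long long)kasan_mem_to_shadow(row_base),
           kasan_shadow_meaning(row[0]));
    printf("8-byte read at fault bad? %d\n",
           kasan_check_range(row, 16, row_base, row_base, 8));
    if (kasan_frame_object(row, 16, &s, &e))
        printf("frame object at [%u, %u)\n", s, e);
    return 0;
}
```

The computed shadow address for %rbp (ffffffff8540a080) is fffffbfff0a81410, the value in %r13 that the trapping movzbl dereferences, so the register dump is consistent with an inline KASAN check on the lock word. Walking the row from the frame base reproduces the layout the report gives for queued_read_lock_slowpath: 32 bytes of left redzone, then [32, 36) 'val', then right redzone. The 8-byte read at the faulting address (RSP, offset 0 in that frame) lies entirely in the left redzone, which is what makes KASAN report it as stack-out-of-bounds.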