==================================================================
BUG: KASAN: stack-out-of-bounds in profile_pc+0x124/0x130
Read of size 8 at addr ffff8880424f7c00 by task syz-executor.3/1006

CPU: 0 PID: 1006 Comm: syz-executor.3 Not tainted 6.2.0-rc7-next-20230207 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 dump_stack_lvl+0x91/0xf0
 print_report+0xcc/0x620
 kasan_report+0xc0/0xf0
 profile_pc+0x124/0x130
 profile_tick+0xa8/0xf0
 tick_sched_timer+0xea/0x120
 __hrtimer_run_queues+0x17f/0xcb0
 hrtimer_interrupt+0x2ef/0x750
 __sysvec_apic_timer_interrupt+0xff/0x4a0
 sysvec_apic_timer_interrupt+0x69/0x90
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:queued_read_lock_slowpath+0x131/0x265
Code: 1a 01 00 00 8b 45 00 84 c0 74 37 48 b8 00 00 00 00 00 fc ff df 49 89 ed 48 89 eb 49 c1 ed 03 83 e3 07 49 01 c5 83 c3 03 f3 90 <41> 0f b6 45 00 38 c3 7c 08 84 c0 0f 85 fd 00 00 00 8b 45 00 84 c0
RSP: 0018:ffff8880424f7c00 EFLAGS: 00000286
RAX: 00000000000002ff RBX: 0000000000000003 RCX: ffffffff84487a29
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8540a080
RBP: ffffffff8540a080 R08: 0000000000000001 R09: ffffffff8540a083
R10: fffffbfff0a81410 R11: 0000000000000001 R12: 1ffff1100849ef80
R13: fffffbfff0a81410 R14: ffffffff8540a084 R15: 0000000000000000
 do_wait+0x25d/0xc90
 kernel_wait4+0x150/0x260
 __do_sys_wait4+0x143/0x150
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7fe4f8105fb7
Code: 89 7c 24 10 48 89 4c 24 18 e8 d5 50 02 00 4c 8b 54 24 18 8b 54 24 14 41 89 c0 48 8b 74 24 08 8b 7c 24 10 b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 89 44 24 10 e8 05 51 02 00 8b 44
RSP: 002b:00007ffe6d2356c0 EFLAGS: 00000293 ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 0000000000000181 RCX: 00007fe4f8105fb7
RDX: 0000000040000001 RSI: 00007ffe6d23574c RDI: 00000000ffffffff
RBP: 00007ffe6d23574c R08: 0000000000000000 R09: 00007ffe6d241080
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000032
R13: 000000000013fa6a R14: 0000000000000002 R15: 00007ffe6d2357b0

The buggy address belongs to stack of task syz-executor.3/1006
 and is located at offset 0 in frame:
 queued_read_lock_slowpath+0x0/0x265

This frame has 1 object:
 [32, 36) 'val'

The buggy address belongs to the physical page:
page:00000000d8c9e302 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x424f7
flags: 0x100000000000000(node=0|zone=1)
raw: 0100000000000000 0000000000000000 ffffea0001093dc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880424f7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880424f7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880424f7c00: f1 f1 f1 f1 04 f3 f3 f3 00 00 00 00 00 00 00 00
                   ^
 ffff8880424f7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
 ffff8880424f7d00: f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 f3 f3
==================================================================
hpet: Lost 4 RTC interrupts
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.4'.
=======================================================
WARNING: The mand mount option has been deprecated and
         and is ignored by this kernel.  Remove the mand
         option from the mount to silence this warning.
=======================================================
9pnet_fd: Insufficient options for proto=fd
9pnet_fd: Insufficient options for proto=fd
----------------
Code disassembly (best guess):
   0:   1a 01                   sbb    (%rcx),%al
   2:   00 00                   add    %al,(%rax)
   4:   8b 45 00                mov    0x0(%rbp),%eax
   7:   84 c0                   test   %al,%al
   9:   74 37                   je     0x42
   b:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  12:   fc ff df
  15:   49 89 ed                mov    %rbp,%r13
  18:   48 89 eb                mov    %rbp,%rbx
  1b:   49 c1 ed 03             shr    $0x3,%r13
  1f:   83 e3 07                and    $0x7,%ebx
  22:   49 01 c5                add    %rax,%r13
  25:   83 c3 03                add    $0x3,%ebx
  28:   f3 90                   pause
* 2a:   41 0f b6 45 00          movzbl 0x0(%r13),%eax <-- trapping instruction
  2f:   38 c3                   cmp    %al,%bl
  31:   7c 08                   jl     0x3b
  33:   84 c0                   test   %al,%al
  35:   0f 85 fd 00 00 00       jne    0x138
  3b:   8b 45 00                mov    0x0(%rbp),%eax
  3e:   84 c0                   test   %al,%al