R13: 00007ffcc92a05ff R14: 00007f7933594300 R15: 0000000000022000
 </TASK>
tmpfs: Bad value for 'size'
kernel profiling enabled (shift: 0)
==================================================================
BUG: KASAN: stack-out-of-bounds in profile_pc+0x11a/0x130
Read of size 8 at addr ffff88806cf09a40 by task syz-executor/6070

CPU: 1 PID: 6070 Comm: syz-executor Not tainted 6.4.0-rc6-next-20230616 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 <IRQ>
 dump_stack_lvl+0x91/0xf0
 print_report+0xcc/0x620
 kasan_report+0xbe/0xf0
 profile_pc+0x11a/0x130
 profile_tick+0xa8/0xf0
 tick_sched_timer+0xe6/0x110
 __hrtimer_run_queues+0x17f/0xb60
 hrtimer_interrupt+0x2ef/0x750
 __sysvec_apic_timer_interrupt+0xff/0x380
 sysvec_apic_timer_interrupt+0x33/0x90
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:queued_spin_lock_slowpath+0x128/0xb20
Code: 00 00 00 65 48 2b 04 25 28 00 00 00 0f 85 5c 09 00 00 48 81 c4 88 00 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f e9 6a 21 00 00 f3 90 <e9> 71 ff ff ff 44 8b 74 24 48 41 81 fe 00 01 00 00 0f 84 e4 00 00
RSP: 0018:ffff88806cf09a38 EFLAGS: 00000202
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff8452d85b
RDX: fffffbfff0b4c691 RSI: 0000000000000004 RDI: ffffffff85a63480
RBP: ffffffff85a63480 R08: 0000000000000000 R09: fffffbfff0b4c690
R10: ffffffff85a63483 R11: 0000000000000001 R12: 0000000000000003
R13: fffffbfff0b4c690 R14: 0000000000000001 R15: 1ffff1100d9e1348
 do_raw_spin_lock+0x1e0/0x270
 mac80211_hwsim_tx_frame_no_nl.isra.0+0x6e7/0x1330
 mac80211_hwsim_tx_frame+0x1ee/0x2a0
 mac80211_hwsim_beacon_tx+0x427/0x730
 __iterate_interfaces+0x2d3/0x580
 ieee80211_iterate_active_interfaces_atomic+0x73/0x1c0
 mac80211_hwsim_beacon+0x105/0x200
 __hrtimer_run_queues+0x59d/0xb60
 hrtimer_run_softirq+0x14c/0x310
 __do_softirq+0x1b7/0x7d4
 irq_exit_rcu+0x93/0xc0
 sysvec_apic_timer_interrupt+0x6e/0x90
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:_raw_spin_unlock_irqrestore+0x34/0x50
Code: c7 18 53 48 89 f3 48 8b 74 24 10 e8 06 b6 da fc 48 89 ef e8 ce 33 db fc 80 e7 02 74 06 e8 e4 6f 00 fd fb 65 ff 0d f4 ba b0 7b <74> 07 5b 5d e9 23 2a 00 00 0f 1f 44 00 00 5b 5d e9 17 2a 00 00 0f
RSP: 0018:ffff8880442a7ae8 EFLAGS: 00000286
RAX: 0000000000171e3f RBX: 0000000000000246 RCX: ffffffff812ce37f
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8452d00c
RBP: ffffffff87f2dd80 R08: 0000000000000001 R09: fffffbfff0ef756b
R10: ffffffff877bab5f R11: 0000000000000001 R12: ffff88807bc00000
R13: fffffbfff0fe5bb8 R14: ffff88807ba42000 R15: 0000000000000246
 scan_gray_list+0x192/0x400
 kmemleak_scan+0x6b6/0x16f0
 kmemleak_write+0x58e/0x6c0
 full_proxy_write+0x12a/0x1a0
 vfs_write+0x2b9/0xdd0
 ksys_write+0x122/0x250
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
RIP: 0033:0x7fe7cc5ef5c3
Code: 16 00 00 00 eb ae 90 b8 6e 00 00 00 eb a6 e8 44 ef 04 00 0f 1f 40 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18
RSP: 002b:00007ffcf4c4c458 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007ffcf4c4ca98 RCX: 00007fe7cc5ef5c3
RDX: 0000000000000004 RSI: 00007fe7cc6a5ed9 RDI: 0000000000000003
RBP: 0000000000000002 R08: 0000000000000268 R09: 00007ffcf4cd2080
R10: 00007ffcf4cd2090 R11: 0000000000000246 R12: 00000000fffffff6
R13: 00007ffcf4c4def1 R14: 0000000000000000 R15: 000000000009691c
 </TASK>

The buggy address belongs to the physical page:
page:0000000025c1af24 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6cf09
flags: 0x100000000001000(reserved|node=0|zone=1)
page_type: 0xffffffff()
raw: 0100000000001000 ffffea0001b3c248 ffffea0001b3c248 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88806cf09900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88806cf09980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88806cf09a00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 04 f2
                                           ^
 ffff88806cf09a80: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88806cf09b00: f1 f1 f1 f1 04 f3 f3 f3 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	00 65 48             	add    %ah,0x48(%rbp)
   5:	2b 04 25 28 00 00 00 	sub    0x28,%eax
   c:	0f 85 5c 09 00 00    	jne    0x96e
  12:	48 81 c4 88 00 00 00 	add    $0x88,%rsp
  19:	5b                   	pop    %rbx
  1a:	5d                   	pop    %rbp
  1b:	41 5c                	pop    %r12
  1d:	41 5d                	pop    %r13
  1f:	41 5e                	pop    %r14
  21:	41 5f                	pop    %r15
  23:	e9 6a 21 00 00       	jmpq   0x2192
  28:	f3 90                	pause
* 2a:	e9 71 ff ff ff       	jmpq   0xffffffa0 <-- trapping instruction
  2f:	44 8b 74 24 48       	mov    0x48(%rsp),%r14d
  34:	41 81 fe 00 01 00 00 	cmp    $0x100,%r14d
  3b:	0f                   	.byte 0xf
  3c:	84 e4                	test   %ah,%ah