==================================================================
BUG: KASAN: stack-out-of-bounds in profile_pc+0x11a/0x130
Read of size 8 at addr ffff8880362579d0 by task syz-executor.1/7337
CPU: 1 PID: 7337 Comm: syz-executor.1 Not tainted 6.4.0-next-20230706 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0x91/0xf0
print_report+0xcc/0x620
kasan_report+0xbe/0xf0
profile_pc+0x11a/0x130
profile_tick+0xa8/0xf0
tick_sched_timer+0xe6/0x110
__hrtimer_run_queues+0x17f/0xb60
hrtimer_interrupt+0x2ef/0x750
__sysvec_apic_timer_interrupt+0xff/0x380
sysvec_apic_timer_interrupt+0x69/0x90
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:queued_spin_lock_slowpath+0x128/0xb20
Code: 00 00 00 65 48 2b 04 25 28 00 00 00 0f 85 5c 09 00 00 48 81 c4 88 00 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f e9 6a 21 00 00 f3 90 <e9> 71 ff ff ff 44 8b 74 24 48 41 81 fe 00 01 00 00 0f 84 e4 00 00
RSP: 0018:ffff8880362579c8 EFLAGS: 00000202
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff84542e5b
RDX: ffffed1001edbefd RSI: 0000000000000004 RDI: ffff88800f6df7e0
RBP: ffff88800f6df7e0 R08: 0000000000000000 R09: ffffed1001edbefc
R10: ffff88800f6df7e3 R11: 0000000000000001 R12: 0000000000000003
R13: ffffed1001edbefc R14: 0000000000000001 R15: 1ffff11006c4af3a
do_raw_spin_lock+0x1e0/0x270
__pte_offset_map_lock+0x121/0x290
follow_page_mask+0x774/0x1900
__get_user_pages+0x38e/0x1250
populate_vma_page_range+0x2dd/0x420
__mm_populate+0x102/0x3a0
__do_sys_mlockall+0x414/0x4a0
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
RIP: 0033:0x7feaf2cddb19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007feaf0232188 EFLAGS: 00000246 ORIG_RAX: 0000000000000097
RAX: ffffffffffffffda RBX: 00007feaf2df1020 RCX: 00007feaf2cddb19
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 00007feaf2d37f6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffffd9018df R14: 00007feaf0232300 R15: 0000000000022000
The buggy address belongs to stack of task syz-executor.1/7337
and is located at offset 0 in frame:
queued_spin_lock_slowpath+0x0/0xb20
This frame has 2 objects:
[48, 52) 'val'
[64, 68) 'val'
The buggy address belongs to the physical page:
page:00000000df8b6a71 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36257
flags: 0x100000000000000(node=0|zone=1)
page_type: 0xffffffff()
raw: 0100000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888036257880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888036257900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888036257980: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1
                                                 ^
ffff888036257a00: 04 f2 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
ffff888036257a80: 00 00 f1 f1 f1 f1 04 f3 f3 f3 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 00 65 48 add %ah,0x48(%rbp)
5: 2b 04 25 28 00 00 00 sub 0x28,%eax
c: 0f 85 5c 09 00 00 jne 0x96e
12: 48 81 c4 88 00 00 00 add $0x88,%rsp
19: 5b pop %rbx
1a: 5d pop %rbp
1b: 41 5c pop %r12
1d: 41 5d pop %r13
1f: 41 5e pop %r14
21: 41 5f pop %r15
23: e9 6a 21 00 00 jmpq 0x2192
28: f3 90 pause
* 2a: e9 71 ff ff ff jmpq 0xffffffa0 <-- trapping instruction
2f: 44 8b 74 24 48 mov 0x48(%rsp),%r14d
34: 41 81 fe 00 01 00 00 cmp $0x100,%r14d
3b: 0f .byte 0xf
3c: 84 e4 test %ah,%ah