==================================================================
BUG: KASAN: stack-out-of-bounds in profile_pc+0x11a/0x130
Read of size 8 at addr ffff888008c6f910 by task syz-fuzzer/241

CPU: 1 PID: 241 Comm: syz-fuzzer Not tainted 6.5.0-rc1-next-20230714 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 dump_stack_lvl+0x91/0xf0
 print_report+0xcc/0x620
 kasan_report+0xbe/0xf0
 profile_pc+0x11a/0x130
 profile_tick+0xa8/0xf0
 tick_sched_timer+0xe6/0x110
 __hrtimer_run_queues+0x17f/0xb60
 hrtimer_interrupt+0x2ef/0x750
 __sysvec_apic_timer_interrupt+0xff/0x380
 sysvec_apic_timer_interrupt+0x69/0x90
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:queued_spin_lock_slowpath+0x128/0xb20
Code: 00 00 00 65 48 2b 04 25 28 00 00 00 0f 85 5c 09 00 00 48 81 c4 88 00 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f e9 4a 21 00 00 f3 90 <e9> 71 ff ff ff 44 8b 74 24 48 41 81 fe 00 01 00 00 0f 84 e4 00 00
RSP: 0018:ffff888008c6f908 EFLAGS: 00000202
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff8455bcbb
RDX: ffffed1003366314 RSI: 0000000000000004 RDI: ffff888019b31898
RBP: ffff888019b31898 R08: 0000000000000000 R09: ffffed1003366313
R10: ffff888019b3189b R11: 0000000000000001 R12: 0000000000000003
R13: ffffed1003366313 R14: 0000000000000001 R15: 1ffff1100118df22
 do_raw_spin_lock+0x1e0/0x270
 lock_sock_nested+0x5f/0xf0
 tcp_recvmsg+0xf8/0x640
 inet_recvmsg+0x12b/0x6c0
 sock_recvmsg+0x16c/0x1d0
 sock_read_iter+0x2c7/0x3c0
 vfs_read+0x7a9/0x8f0
 ksys_read+0x1eb/0x250
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
RIP: 0033:0x4b0f4b
Code: ff e9 69 ff ff ff cc cc cc cc cc cc cc cc cc e8 5b c3 f8 ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
RSP: 002b:000000c000335920 EFLAGS: 00000206 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000000c000020800 RCX: 00000000004b0f4b
RDX: 0000000000001000 RSI: 000000c0005e4000 RDI: 0000000000000006
RBP: 000000c000335970 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000003
R13: 000000c000000900 R14: 000000000000007f R15: 0000000000002a57

The buggy address belongs to stack of task syz-fuzzer/241
 and is located at offset 0 in frame:
 queued_spin_lock_slowpath+0x0/0xb20

This frame has 2 objects:
 [48, 52) 'val'
 [64, 68) 'val'

The buggy address belongs to the physical page:
page:0000000083891f78 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8c6f
flags: 0x100000000000000(node=0|zone=1)
page_type: 0xffffffff()
raw: 0100000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888008c6f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888008c6f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888008c6f900: 00 00 f1 f1 f1 f1 f1 f1 04 f2 04 f3 f3 f3 00 00
                         ^
 ffff888008c6f980: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f3
 ffff888008c6fa00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:   00 00                   add    %al,(%rax)
   2:   00 65 48                add    %ah,0x48(%rbp)
   5:   2b 04 25 28 00 00 00    sub    0x28,%eax
   c:   0f 85 5c 09 00 00       jne    0x96e
  12:   48 81 c4 88 00 00 00    add    $0x88,%rsp
  19:   5b                      pop    %rbx
  1a:   5d                      pop    %rbp
  1b:   41 5c                   pop    %r12
  1d:   41 5d                   pop    %r13
  1f:   41 5e                   pop    %r14
  21:   41 5f                   pop    %r15
  23:   e9 4a 21 00 00          jmpq   0x2172
  28:   f3 90                   pause
* 2a:   e9 71 ff ff ff          jmpq   0xffffffa0 <-- trapping instruction
  2f:   44 8b 74 24 48          mov    0x48(%rsp),%r14d
  34:   41 81 fe 00 01 00 00    cmp    $0x100,%r14d
  3b:   0f                      .byte 0xf
  3c:   84 e4                   test   %ah,%ah