==================================================================
BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x1aa1/0x22d0
Read of size 8 at addr ffff8880435df850 by task syz-executor.0/4412
CPU: 0 PID: 4412 Comm: syz-executor.0 Not tainted 6.2.0-rc7-next-20230213 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0x91/0xf0
print_report+0xcc/0x620
kasan_report+0xc0/0xf0
unwind_next_frame+0x1aa1/0x22d0
arch_stack_walk+0x87/0xf0
stack_trace_save+0x90/0xd0
kasan_save_stack+0x22/0x50
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2e/0x50
__kasan_slab_free+0x10a/0x190
kmem_cache_free+0xff/0x510
rcu_core+0x822/0x1d40
__do_softirq+0x258/0x8a2
__irq_exit_rcu+0xcc/0x110
irq_exit_rcu+0x9/0x20
sysvec_apic_timer_interrupt+0x6e/0x90
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:lock_is_held_type+0xe4/0x120
Code: 31 c0 44 39 f0 41 0f 94 c0 b8 ff ff ff ff 65 0f c1 05 d0 d6 bb 7b 83 f8 01 75 2e 48 f7 04 24 00 02 00 00 74 01 fb 48 83 c4 08 <44> 89 c0 5b 5d 41 5c 41 5d 41 5e 41 5f e9 8e 2b 02 00 44 89 c0 e9
RSP: 0018:ffff8880435df788 EFLAGS: 00000286
RAX: 0000000000000001 RBX: 0000000000000005 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff85609e00 RDI: ffff888015d55a40
RBP: ffffffff85609e00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff888015d55040
R13: ffff888015d559a0 R14: 00000000ffffffff R15: ffff888015d55a40
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:__sanitizer_cov_trace_pc+0x47/0x70
Code: 89 03 00 a9 00 01 ff 00 74 0e 85 c9 74 35 8b 82 0c 14 00 00 85 c0 74 2b 8b 82 e8 13 00 00 83 f8 02 75 20 48 8b 8a f0 13 00 00 <8b> 92 ec 13 00 00 48 8b 01 48 83 c0 01 48 39 c2 76 07 48 89 01 48
RSP: 0018:ffff8880435df878 EFLAGS: 00000246 ORIG_RAX: ffffffff81b2e550
RAX: 0000000000000002 RBX: ffff888015f45e28 RCX: ffffc900029d8000
RDX: ffff888015d55040 RSI: 0000000041b58ab3 RDI: ffffffff851d4ec8
RBP: ffff88800fab0000 R08: 000000ca00000004 R09: ffffffff84936520
R10: ffff88801b6516b8 R11: ffffffff81b2e63c R12: ffff8880197465d8
R13: ffff88801b651690 R14: 1ffff110086bbf06 R15: ffff88801b6513e0
__ext4_ext_check+0x3b9/0x13c0
The buggy address belongs to stack of task syz-executor.0/4412
and is located at offset 32 in frame:
__ext4_mark_inode_dirty+0x0/0x890
This frame has 3 objects:
[48, 52) 'no_expand'
[64, 88) 'iloc'
[128, 152) 'iloc'
The buggy address belongs to the physical page:
page:00000000c11d739d refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x435df
flags: 0x100000000000000(node=0|zone=1)
raw: 0100000000000000 0000000000000000 ffffea00010d77c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880435df700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880435df780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880435df800: 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 04 f2 00 00
^
ffff8880435df880: 00 f2 f2 f2 f2 f2 00 00 00 f3 f3 f3 f3 f3 00 00
ffff8880435df900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
syz-executor.3 (4417) used greatest stack depth: 23832 bytes left
----------------
Code disassembly (best guess):
0: 31 c0 xor %eax,%eax
2: 44 39 f0 cmp %r14d,%eax
5: 41 0f 94 c0 sete %r8b
9: b8 ff ff ff ff mov $0xffffffff,%eax
e: 65 0f c1 05 d0 d6 bb xadd %eax,%gs:0x7bbbd6d0(%rip) # 0x7bbbd6e6
15: 7b
16: 83 f8 01 cmp $0x1,%eax
19: 75 2e jne 0x49
1b: 48 f7 04 24 00 02 00 testq $0x200,(%rsp)
22: 00
23: 74 01 je 0x26
25: fb sti
26: 48 83 c4 08 add $0x8,%rsp
* 2a: 44 89 c0 mov %r8d,%eax <-- trapping instruction
2d: 5b pop %rbx
2e: 5d pop %rbp
2f: 41 5c pop %r12
31: 41 5d pop %r13
33: 41 5e pop %r14
35: 41 5f pop %r15
37: e9 8e 2b 02 00 jmpq 0x22bca
3c: 44 89 c0 mov %r8d,%eax
3f: e9 .byte 0xe9