==================================================================
BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x1aa1/0x22d0
Read of size 8 at addr ffff888043f8fd40 by task syz-executor.3/8277
CPU: 1 PID: 8277 Comm: syz-executor.3 Not tainted 6.2.0-rc8-next-20230217 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0x91/0xf0
print_report+0xcc/0x620
kasan_report+0xc0/0xf0
unwind_next_frame+0x1aa1/0x22d0
arch_stack_walk+0x87/0xf0
stack_trace_save+0x90/0xd0
kasan_save_stack+0x22/0x50
__kasan_record_aux_stack+0x95/0xb0
__call_rcu_common.constprop.0+0x6a/0xa70
kmem_cache_free+0xb9/0x510
rcu_core+0x822/0x1d40
__do_softirq+0x258/0x8a2
__irq_exit_rcu+0xcc/0x110
irq_exit_rcu+0x9/0x20
sysvec_apic_timer_interrupt+0x6e/0x90
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:kasan_check_range+0x15e/0x1d0
Code: d0 49 39 c2 0f 85 f3 fe ff ff 4c 89 c8 49 0f be 12 83 e0 07 48 39 d0 0f 8d e0 fe ff ff 41 bb 01 00 00 00 5b 5d 44 89 d8 41 5c d1 8e c9 02 48 85 d2 74 e9 48 01 ea eb 09 48 83 c0 01 48 39 d0
RSP: 0018:ffff888043f8fca8 EFLAGS: 00000246
RAX: 0000000000000001 RBX: 0000000000000001 RCX: ffffffff812c56d2
RDX: fffffbfff0ba4bcb RSI: 0000000000000008 RDI: ffffffff85d25e50
RBP: ffff88800846b948 R08: 0000000000000000 R09: ffffffff85d25e57
R10: fffffbfff0ba4bca R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffffffff81a7dd99
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 41b58ab3:kernfs_remove_by_name_ns+0x89/0x130
RSP: 0018:ffffffff8448da90 EFLAGS: ffffffff85236845 ORIG_RAX: ffffffff8448db22
RAX: ffff88800846b8d8 RBX: ffffffff81a7dd99 RCX: dffffc0000000000
RDX: ffff888016944640 RSI: 0000000000000000 RDI: ffff888008852040
RBP: 0000000000000000 R08: 1ffff110087f1fa8 R09: 0000000000000000
R10: ffffffff81a7dd99 R11: ffffffff812d60b2 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88800846b948 R15: 0000000000000001
The buggy address belongs to stack of task syz-executor.3/8277
and is located at offset 0 in frame:
down_write+0x0/0x1f0
This frame has 1 object:
[32, 40) 'tmp'
The buggy address belongs to the physical page:
page:000000007f62505d refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43f8f
flags: 0x100000000000000(node=0|zone=1)
raw: 0100000000000000 0000000000000000 ffffea00010fe3c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888043f8fc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888043f8fc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888043f8fd00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f3 f3 f3
                                           ^
ffff888043f8fd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888043f8fe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
==================================================================
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.6'.
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 49 39 c2 cmp %rax,%r10
3: 0f 85 f3 fe ff ff jne 0xfffffefc
9: 4c 89 c8 mov %r9,%rax
c: 49 0f be 12 movsbq (%r10),%rdx
10: 83 e0 07 and $0x7,%eax
13: 48 39 d0 cmp %rdx,%rax
16: 0f 8d e0 fe ff ff jge 0xfffffefc
1c: 41 bb 01 00 00 00 mov $0x1,%r11d
22: 5b pop %rbx
23: 5d pop %rbp
24: 44 89 d8 mov %r11d,%eax
27: 41 5c pop %r12
* 29: e9 d1 8e c9 02 jmpq 0x2c98eff <-- trapping instruction
2e: 48 85 d2 test %rdx,%rdx
31: 74 e9 je 0x1c
33: 48 01 ea add %rbp,%rdx
36: eb 09 jmp 0x41
38: 48 83 c0 01 add $0x1,%rax
3c: 48 39 d0 cmp %rdx,%rax