==================================================================
BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x1aa1/0x22d0
Read of size 8 at addr ffff888043d6f430 by task syz-executor.0/6513
CPU: 0 PID: 6513 Comm: syz-executor.0 Not tainted 6.2.0-rc8-next-20230217 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0x91/0xf0
print_report+0xcc/0x620
kasan_report+0xc0/0xf0
unwind_next_frame+0x1aa1/0x22d0
perf_callchain_kernel+0x3f0/0x620
get_perf_callchain+0x172/0x4f0
perf_callchain+0x169/0x1c0
perf_prepare_sample+0xc76/0x2020
perf_event_output_forward+0xd7/0x3c0
__perf_event_overflow+0x4c2/0x9e0
perf_swevent_event+0x4b2/0x550
perf_tp_event+0x2ce/0x10c0
perf_trace_run_bpf_submit+0xf3/0x190
perf_trace_lock+0x2d5/0x480
lock_release+0x4a9/0x710
_raw_spin_unlock_irqrestore+0x1a/0x50
hrtimer_interrupt+0x336/0x750
__sysvec_apic_timer_interrupt+0xff/0x4a0
sysvec_apic_timer_interrupt+0x69/0x90
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:core_kernel_text+0x82/0xa0
Code: 82 b2 04 01 76 0b 44 89 e0 5b 41 5c e9 eb dc 29 03 48 81 fb 00 f0 5d 86 72 ec 48 81 fb 41 cb 71 86 73 e3 41 bc 01 00 00 00 5b <44> 89 e0 41 5c e9 c8 dc 29 03 48 c7 c7 84 35 d2 85 e8 98 53 60 00
RSP: 0018:ffff888043d6f200 EFLAGS: 00000283
RAX: dffffc0000000000 RBX: ffffffff8360072c RCX: 0000000000000001
RDX: 1ffff110087ade55 RSI: ffff888043d6f4f0 RDI: ffffffff8360072c
RBP: ffffffff8360072c R08: 0000000000000001 R09: ffff888043d6f290
R10: 0000000000038001 R11: 0000000000000001 R12: 0000000000000001
R13: 0000000000000000 R14: ffff888018819ac0 R15: ffff88800eea1be0
__ip_append_data+0x2d2d/0x3aa0
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:kasan_check_range+0x4b/0x1d0
Code: 00 48 ba ff ff ff ff ff ff ff fe 48 39 d7 77 29 44 89 c2 e8 87 ea ff ff 5b 5d 83 f0 01 41 5c 41 89 c3 44 89 d8 e9 e9 8f c9 02 <48> ba ff ff ff ff ff 7f ff ff 48 39 d7 76 d7 4c 8d 48 ff 48 89 fd
RSP: 1971:ffff888043d6f458 EFLAGS: 00000286
RAX: ffff88800eea1c74 RBX: 0000000000000001 RCX: ffffffff81838c66
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff88800eea1c70
RBP: 00000000000000f0 R08: 0000000000000001 R09: 0000000000000000
R10: fffffbfff0ba4bca R11: 0000000000000001 R12: ffff888045e1e3c0
R13: 0000000000000000 R14: ffff88800eea1c28 R15: ffff88800eea1be0
The buggy address belongs to stack of task syz-executor.0/6513
and is located at offset 168 in frame:
set_track_prepare+0x0/0xd0
This frame has 1 object:
[32, 160) 'entries'
The buggy address belongs to the physical page:
page:000000004da3e390 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43d6f
flags: 0x100000000000000(node=0|zone=1)
raw: 0100000000000000 0000000000000000 ffffea00010f5bc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888043d6f300: f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00
ffff888043d6f380: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00
>ffff888043d6f400: 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00
^
ffff888043d6f480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888043d6f500: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 01 f2 04 f3 f3
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
0: b2 04 mov $0x4,%dl
2: 01 76 0b add %esi,0xb(%rsi)
5: 44 89 e0 mov %r12d,%eax
8: 5b pop %rbx
9: 41 5c pop %r12
b: e9 eb dc 29 03 jmpq 0x329dcfb
10: 48 81 fb 00 f0 5d 86 cmp $0xffffffff865df000,%rbx
17: 72 ec jb 0x5
19: 48 81 fb 41 cb 71 86 cmp $0xffffffff8671cb41,%rbx
20: 73 e3 jae 0x5
22: 41 bc 01 00 00 00 mov $0x1,%r12d
28: 5b pop %rbx
* 29: 44 89 e0 mov %r12d,%eax <-- trapping instruction
2c: 41 5c pop %r12
2e: e9 c8 dc 29 03 jmpq 0x329dcfb
33: 48 c7 c7 84 35 d2 85 mov $0xffffffff85d23584,%rdi
3a: e8 98 53 60 00 callq 0x6053d7