audit: type=1326 audit(1676978481.972:49): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=17664 comm="syz-executor.6" exe="/syz-executor.6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f7960006b19 code=0x0
==================================================================
BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x1aa1/0x22d0
Read of size 8 at addr ffff88802eb1f500 by task syz-executor.4/17658
CPU: 1 PID: 17658 Comm: syz-executor.4 Not tainted 6.2.0-next-20230221 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0x91/0xf0
print_report+0xcc/0x620
kasan_report+0xc0/0xf0
unwind_next_frame+0x1aa1/0x22d0
arch_stack_walk+0x87/0xf0
stack_trace_save+0x90/0xd0
kasan_save_stack+0x22/0x50
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2e/0x50
__kasan_slab_free+0x10a/0x190
kmem_cache_free+0xff/0x510
rcu_core+0x826/0x1af0
__do_softirq+0x258/0x8a2
__irq_exit_rcu+0xcc/0x110
irq_exit_rcu+0x9/0x20
sysvec_apic_timer_interrupt+0x6e/0x90
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:lock_release+0x145/0x710
Code: 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 21 05 00 00 41 8b be 5c 09 00 00 85 ff 0f 85 8f 02 00 00 9c 8f 04 24 48 89 da c7 44 24 40 01 00 00 00 83 e3 07 48 b8 00 00 00 00 00
RSP: 0018:ffff88802eb1f3a8 EFLAGS: 00000246
RAX: 0000000000000007 RBX: ffffffff85d28890 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff8560a7c0 RDI: 0000000000000000
RBP: 1ffff11005d63e77 R08: 0000000000000001 R09: ffffffff85d27757
R10: fffffbfff0ba4eea R11: 0000000000000001 R12: ffffffff856cb1c0
R13: ffffffff817748da R14: ffff888044321ac0 R15: 0000000000000000
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0001:find_held_lock+0x2c/0x110
RSP: 8446ae08:ffffffff00152c4a EFLAGS: 1ffff11005d63ea9 ORIG_RAX: 0000000000000003
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000041b58ab3
RDX: ffffffff851d23b0 RSI: ffffffff817859a0 RDI: 0000000000000246
RBP: 0000000000000000 R08: ffff88802eb1f500 R09: ffffffff81785ae9
R10: ffff88802eb1f520 R11: ffff888044321ac0 R12: 0000000000152c4a
R13: 1ffff11005d63e9a R14: 0000000000000061 R15: 0000000000112cca
The buggy address belongs to stack of task syz-executor.4/17658
and is located at offset 48 in frame:
__alloc_pages+0x0/0x510
This frame has 3 objects:
[48, 52) 'alloc_flags'
[64, 68) 'alloc_gfp'
[80, 120) 'ac'
The buggy address belongs to the physical page:
page:00000000103f4100 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2eb1f
flags: 0x100000000000000(node=0|zone=1)
raw: 0100000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88802eb1f400: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88802eb1f480: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1
>ffff88802eb1f500: 04 f2 04 f2 00 00 00 00 00 f3 f3 f3 f3 f3 00 00
^
ffff88802eb1f580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88802eb1f600: 00 00 00 00 00 f1 f1 f1 f1 04 f3 f3 f3 00 00 00
==================================================================
audit: type=1326 audit(1676978484.537:51): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=17802 comm="syz-executor.7" exe="/syz-executor.7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f7ea5030b19 code=0x0
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.6'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.6'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.6'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.6'.
No source specified
No source specified
No source specified
No source specified
No source specified
EXT4-fs (loop6): VFS: Can't find ext4 filesystem
EXT4-fs (loop6): VFS: Can't find ext4 filesystem
EXT4-fs (loop6): VFS: Can't find ext4 filesystem
----------------
Code disassembly (best guess):
0: 14 02 adc $0x2,%al
2: 48 89 f8 mov %rdi,%rax
5: 83 e0 07 and $0x7,%eax
8: 83 c0 03 add $0x3,%eax
b: 38 d0 cmp %dl,%al
d: 7c 08 jl 0x17
f: 84 d2 test %dl,%dl
11: 0f 85 21 05 00 00 jne 0x538
17: 41 8b be 5c 09 00 00 mov 0x95c(%r14),%edi
1e: 85 ff test %edi,%edi
20: 0f 85 8f 02 00 00 jne 0x2b5
26: 9c pushfq
27: 8f 04 24 popq (%rsp)
* 2a: fa cli <-- trapping instruction
2b: 48 89 da mov %rbx,%rdx
2e: c7 44 24 40 01 00 00 movl $0x1,0x40(%rsp)
35: 00
36: 83 e3 07 and $0x7,%ebx
39: 48 rex.W
3a: b8 00 00 00 00 mov $0x0,%eax