audit: type=1326 audit(1676978481.972:49): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=17664 comm="syz-executor.6" exe="/syz-executor.6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f7960006b19 code=0x0
==================================================================
BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x1aa1/0x22d0
Read of size 8 at addr ffff88802eb1f500 by task syz-executor.4/17658

CPU: 1 PID: 17658 Comm: syz-executor.4 Not tainted 6.2.0-next-20230221 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 dump_stack_lvl+0x91/0xf0
 print_report+0xcc/0x620
 kasan_report+0xc0/0xf0
 unwind_next_frame+0x1aa1/0x22d0
 arch_stack_walk+0x87/0xf0
 stack_trace_save+0x90/0xd0
 kasan_save_stack+0x22/0x50
 kasan_set_track+0x25/0x30
 kasan_save_free_info+0x2e/0x50
 __kasan_slab_free+0x10a/0x190
 kmem_cache_free+0xff/0x510
 rcu_core+0x826/0x1af0
 __do_softirq+0x258/0x8a2
 __irq_exit_rcu+0xcc/0x110
 irq_exit_rcu+0x9/0x20
 sysvec_apic_timer_interrupt+0x6e/0x90
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:lock_release+0x145/0x710
Code: 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 21 05 00 00 41 8b be 5c 09 00 00 85 ff 0f 85 8f 02 00 00 9c 8f 04 24 <fa> 48 89 da c7 44 24 40 01 00 00 00 83 e3 07 48 b8 00 00 00 00 00
RSP: 0018:ffff88802eb1f3a8 EFLAGS: 00000246
RAX: 0000000000000007 RBX: ffffffff85d28890 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff8560a7c0 RDI: 0000000000000000
RBP: 1ffff11005d63e77 R08: 0000000000000001 R09: ffffffff85d27757
R10: fffffbfff0ba4eea R11: 0000000000000001 R12: ffffffff856cb1c0
R13: ffffffff817748da R14: ffff888044321ac0 R15: 0000000000000000
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0001:find_held_lock+0x2c/0x110
RSP: 8446ae08:ffffffff00152c4a EFLAGS: 1ffff11005d63ea9 ORIG_RAX: 0000000000000003
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000041b58ab3
RDX: ffffffff851d23b0 RSI: ffffffff817859a0 RDI: 0000000000000246
RBP: 0000000000000000 R08: ffff88802eb1f500 R09: ffffffff81785ae9
R10: ffff88802eb1f520 R11: ffff888044321ac0 R12: 0000000000152c4a
R13: 1ffff11005d63e9a R14: 0000000000000061 R15: 0000000000112cca

The buggy address belongs to stack of task syz-executor.4/17658
 and is located at offset 48 in frame:
 __alloc_pages+0x0/0x510

This frame has 3 objects:
 [48, 52) 'alloc_flags'
 [64, 68) 'alloc_gfp'
 [80, 120) 'ac'

The buggy address belongs to the physical page:
page:00000000103f4100 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2eb1f
flags: 0x100000000000000(node=0|zone=1)
raw: 0100000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88802eb1f400: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88802eb1f480: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1
>ffff88802eb1f500: 04 f2 04 f2 00 00 00 00 00 f3 f3 f3 f3 f3 00 00
                   ^
 ffff88802eb1f580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88802eb1f600: 00 00 00 00 00 f1 f1 f1 f1 04 f3 f3 f3 00 00 00
==================================================================
audit: type=1326 audit(1676978484.537:51): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=17802 comm="syz-executor.7" exe="/syz-executor.7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f7ea5030b19 code=0x0
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.6'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.6'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.6'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.6'.
No source specified
No source specified
No source specified
No source specified
No source specified
EXT4-fs (loop6): VFS: Can't find ext4 filesystem
EXT4-fs (loop6): VFS: Can't find ext4 filesystem
EXT4-fs (loop6): VFS: Can't find ext4 filesystem
----------------
Code disassembly (best guess):
   0:   14 02                   adc    $0x2,%al
   2:   48 89 f8                mov    %rdi,%rax
   5:   83 e0 07                and    $0x7,%eax
   8:   83 c0 03                add    $0x3,%eax
   b:   38 d0                   cmp    %dl,%al
   d:   7c 08                   jl     0x17
   f:   84 d2                   test   %dl,%dl
  11:   0f 85 21 05 00 00       jne    0x538
  17:   41 8b be 5c 09 00 00    mov    0x95c(%r14),%edi
  1e:   85 ff                   test   %edi,%edi
  20:   0f 85 8f 02 00 00       jne    0x2b5
  26:   9c                      pushfq
  27:   8f 04 24                popq   (%rsp)
* 2a:   fa                      cli             <-- trapping instruction
  2b:   48 89 da                mov    %rbx,%rdx
  2e:   c7 44 24 40 01 00 00    movl   $0x1,0x40(%rsp)
  35:   00
  36:   83 e3 07                and    $0x7,%ebx
  39:   48                      rex.W
  3a:   b8 00 00 00 00          mov    $0x0,%eax