syzbot

BUG: TASK stack guard page was hit at ffffc900042b7ff8 (stack is ffffc900042b8000..ffffc900042c0000)
Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 2289 Comm: syz-executor421 Not tainted syzkaller #0 41f03d0600fcd02359dd533896f58be78fe14346
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:check_region_inline mm/kasan/generic.c:171 [inline]
RIP: 0010:kasan_check_range+0x1b/0x2b0 mm/kasan/generic.c:189
Code: 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 b0 01 48 85 f6 0f 84 c0 01 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 <53> 4c 8d 04 37 49 39 f8 0f 82 29 02 00 00 49 89 f9 49 c1 e9 2f 41
RSP: 0018:ffffc900042b8000 EFLAGS: 00010002
RAX: f3f3f3f8f1f1f101 RBX: ffff8881f6f50dc0 RCX: ffffffff85aa0c68
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8881f6f50dc0
RBP: ffffc900042b8020 R08: ffff8881f6f50c87 R09: 1ffff1103edea190
R10: dffffc0000000000 R11: ffffed103edea191 R12: 1ffff92000857008
R13: dffffc0000000000 R14: 1ffff1103edea195 R15: dffffc0000000000
FS:  000055556035f3c0(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc900042b7ff8 CR3: 000000010b742000 CR4: 00000000003526b0
Call Trace:
 <TASK>
 __kasan_check_read+0x15/0x20 mm/kasan/shadow.c:31
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 queued_spin_trylock include/asm-generic/qspinlock.h:92 [inline]
 do_raw_spin_trylock include/linux/spinlock.h:193 [inline]
 __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]
 _raw_spin_trylock+0x78/0x140 kernel/locking/spinlock.c:138
 rcu_nocb_bypass_lock kernel/rcu/tree_nocb.h:96 [inline]
 rcu_nocb_try_bypass kernel/rcu/tree_nocb.h:483 [inline]
 call_rcu_nocb+0x623/0xc80 kernel/rcu/tree_nocb.h:606
 __call_rcu_common+0x43b/0x720 kernel/rcu/tree.c:3117
 call_rcu+0x14/0x20 kernel/rcu/tree.c:3202
 thread_stack_delayed_free kernel/fork.c:246 [inline]
 free_thread_stack kernel/fork.c:352 [inline]
 release_task_stack kernel/fork.c:563 [inline]
 put_task_stack+0x1a8/0x230 kernel/fork.c:570
 finish_task_switch+0x31d/0x760 kernel/sched/core.c:5933
 context_switch kernel/sched/core.c:6029 [inline]
 __schedule+0x13a1/0x1fa0 kernel/sched/core.c:7880
 preempt_schedule_irq+0xab/0x110 kernel/sched/core.c:8206
 raw_irqentry_exit_cond_resched+0x32/0x40 kernel/entry/common.c:311
 irqentry_exit+0x4a/0x60 kernel/entry/common.c:354
 sysvec_reschedule_ipi+0x72/0x80 arch/x86/kernel/smp.c:248
 asm_sysvec_reschedule_ipi+0x1f/0x30 arch/x86/include/asm/idtentry.h:707
RIP: 0010:update_stack_state+0x264/0x4b0 arch/x86/include/asm/stacktrace.h:-1
Code: 8b 7d c0 e8 be 7a 9b 00 e9 0e ff ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c 64 ff ff ff 48 89 df e8 71 7a 9b 00 e9 57 ff ff ff <4c> 89 e3 4d 8d 74 24 40 4d 89 f7 49 c1 ef 03 48 b8 00 00 00 00 00
RSP: 0018:ffffc900042b8738 EFLAGS: 00000202
RAX: 0000000000000001 RBX: ffffc900042b8888 RCX: ffffc900042b8c01
RDX: ffffc900042b8c10 RSI: 1ffff92000857112 RDI: ffffc900042b88e0
RBP: ffffc900042b87f8 R08: ffffc900042b8950 R09: ffffc900042b8948
R10: 0000000000000001 R11: ffffffff8175f0a0 R12: ffffc900042b8888
R13: 0000000000000001 R14: ffffc900042c0000 R15: ffffc900042b8000
 unwind_next_frame+0x3c1/0x750 arch/x86/kernel/unwind_frame.c:315
 arch_stack_walk+0x138/0x170 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0xaa/0x100 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:49 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:70
 kasan_save_free_info+0x4a/0x60 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:249 [inline]
 __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:266
 kasan_slab_free include/linux/kasan.h:234 [inline]
 slab_free_hook mm/slub.c:2445 [inline]
 slab_free mm/slub.c:4714 [inline]
 kfree+0x158/0x440 mm/slub.c:4875
 krealloc_noprof+0xfa/0x130 mm/slab_common.c:-1
 <kernel::alloc::allocator::ReallocFunc>::call rust/kernel/alloc/allocator.rs:102 [inline]
 <kernel::alloc::allocator::Kmalloc as kernel::alloc::Allocator>::realloc rust/kernel/alloc/allocator.rs:141 [inline]
 <kernel::alloc::allocator::Kmalloc as kernel::alloc::Allocator>::free rust/kernel/alloc.rs:214 [inline]
 <kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder::process::NodeRefInfo>, kernel::alloc::allocator::Kmalloc> as core::ops::drop::Drop>::drop+0x594/0x850 rust/kernel/alloc/kbox.rs:492
 core::ptr::drop_in_place::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder::process::NodeRefInfo>, kernel::alloc::allocator::Kmalloc>> usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:804 [inline]
 core::mem::drop::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder::process::NodeRefInfo>, kernel::alloc::allocator::Kmalloc>> usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:961 [inline]
 <kernel::sync::arc::Arc<rust_binder::process::NodeRefInfo> as core::ops::drop::Drop>::drop rust/kernel/sync/arc.rs:404 [inline]
 core::ptr::drop_in_place::<kernel::sync::arc::Arc<rust_binder::process::NodeRefInfo>> usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:804 [inline]
 core::ptr::drop_in_place::<kernel::list::arc::ListArc<rust_binder::process::NodeRefInfo, 15493408726748792400>> usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:804 [inline]
 core::ptr::drop_in_place::<core::option::Option<kernel::list::arc::ListArc<rust_binder::process::NodeRefInfo, 15493408726748792400>>> usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:804 [inline]
 <rust_binder::process::Process>::update_ref+0x1706/0x2660 drivers/android/binder/process.rs:975
 <rust_binder::allocation::AllocationView>::cleanup_object drivers/android/binder/allocation.rs:453 [inline]
 <rust_binder::allocation::Allocation as core::ops::drop::Drop>::drop+0x1715/0x5dd0 drivers/android/binder/allocation.rs:263
 core::ptr::drop_in_place::<rust_binder::allocation::Allocation>+0x1a/0xf0 usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:804
 core::ptr::drop_in_place::<rust_binder::allocation::NewAllocation> usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:804 [inline]
 <rust_binder::thread::Thread>::copy_transaction_data+0x7c54/0x9460 drivers/android/binder/thread.rs:1233
 <rust_binder::transaction::Transaction>::new+0x3d0/0x28d0 drivers/android/binder/transaction.rs:110
 <rust_binder::thread::Thread>::transaction_inner drivers/android/binder/thread.rs:1410 [inline]
 <rust_binder::thread::Thread>::transaction+0x1b97/0x3e50 drivers/android/binder/thread.rs:1370
 <rust_binder::thread::Thread>::write+0x127c/0xa7b0 drivers/android/binder/thread.rs:1532
 <rust_binder::thread::Thread>::write_read drivers/android/binder/thread.rs:1668 [inline]
 <rust_binder::process::Process>::ioctl_write_read drivers/android/binder/process.rs:1620 [inline]
 <rust_binder::process::Process>::ioctl drivers/android/binder/process.rs:1685 [inline]
 rust_binder::rust_binder_ioctl+0x1192/0x5c20 drivers/android/binder/rust_binder_main.rs:462
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0x132/0x1b0 fs/ioctl.c:893
 __x64_sys_ioctl+0x7f/0xa0 fs/ioctl.c:893
 x64_sys_call+0x1878/0x2ee0 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/common.c:47 [inline]
 do_syscall_64+0x57/0xf0 arch/x86/entry/common.c:78
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f1df9132309
Code: c0 79 93 eb d5 48 8d 7c 1d 00 eb 99 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 d8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe13fbe2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1df9132309
RDX: 0000200000000180 RSI: 00000000c0306201 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000010000000000 R09: 0000010000000000
R10: 0000010000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:check_region_inline mm/kasan/generic.c:171 [inline]
RIP: 0010:kasan_check_range+0x1b/0x2b0 mm/kasan/generic.c:189
Code: 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 b0 01 48 85 f6 0f 84 c0 01 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 <53> 4c 8d 04 37 49 39 f8 0f 82 29 02 00 00 49 89 f9 49 c1 e9 2f 41
RSP: 0018:ffffc900042b8000 EFLAGS: 00010002
RAX: f3f3f3f8f1f1f101 RBX: ffff8881f6f50dc0 RCX: ffffffff85aa0c68
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8881f6f50dc0
RBP: ffffc900042b8020 R08: ffff8881f6f50c87 R09: 1ffff1103edea190
R10: dffffc0000000000 R11: ffffed103edea191 R12: 1ffff92000857008
R13: dffffc0000000000 R14: 1ffff1103edea195 R15: dffffc0000000000
FS:  000055556035f3c0(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc900042b7ff8 CR3: 000000010b742000 CR4: 00000000003526b0
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	00 00                	add    %al,(%rax)
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	66 0f 1f 00          	nopw   (%rax)
  13:	b0 01                	mov    $0x1,%al
  15:	48 85 f6             	test   %rsi,%rsi
  18:	0f 84 c0 01 00 00    	je     0x1de
  1e:	55                   	push   %rbp
  1f:	48 89 e5             	mov    %rsp,%rbp
  22:	41 57                	push   %r15
  24:	41 56                	push   %r14
  26:	41 55                	push   %r13
  28:	41 54                	push   %r12
* 2a:	53                   	push   %rbx <-- trapping instruction
  2b:	4c 8d 04 37          	lea    (%rdi,%rsi,1),%r8
  2f:	49 39 f8             	cmp    %rdi,%r8
  32:	0f 82 29 02 00 00    	jb     0x261
  38:	49 89 f9             	mov    %rdi,%r9
  3b:	49 c1 e9 2f          	shr    $0x2f,%r9
  3f:	41                   	rex.B