syzbot

==================================================================
BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260 arch/riscv/kernel/stacktrace.c:57
Read of size 8 at addr ffffaf801124fa60 by task syz-executor.0/2308

CPU: 0 PID: 2308 Comm: syz-executor.0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330 mm/kasan/report.c:255
[<ffffffff80474d4c>] __kasan_report mm/kasan/report.c:442 [inline]
[<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff8000a052>] walk_stackframe+0x11c/0x260 arch/riscv/kernel/stacktrace.c:57
[<ffffffff8000a4a4>] arch_stack_walk+0x2c/0x3c arch/riscv/kernel/stacktrace.c:146
[<ffffffff80162ac8>] stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
[<ffffffff8049a462>] save_stack+0x112/0x16c mm/page_owner.c:121
[<ffffffff8049adc2>] __set_page_owner+0x48/0x136 mm/page_owner.c:183
[<ffffffff80412f7a>] set_page_owner include/linux/page_owner.h:31 [inline]
[<ffffffff80412f7a>] post_alloc_hook+0xd0/0x10a mm/page_alloc.c:2427
[<ffffffff80416a5c>] prep_new_page mm/page_alloc.c:2434 [inline]
[<ffffffff80416a5c>] get_page_from_freelist+0x8da/0x12d8 mm/page_alloc.c:4165
[<ffffffff80418efa>] __alloc_pages+0x150/0x3b6 mm/page_alloc.c:5389

Allocated by task 2042:
 stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
 kasan_save_stack+0x2c/0x58 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0x80/0xb2 mm/kasan/common.c:524
 kasan_kmalloc include/linux/kasan.h:270 [inline]
 kmem_cache_alloc_trace+0x178/0x2e0 mm/slub.c:3257
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:715 [inline]
 tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
 tomoyo_init_log+0x898/0x14cc security/tomoyo/audit.c:264
 tomoyo_supervisor+0x250/0xc1e security/tomoyo/common.c:2097
 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
 tomoyo_env_perm+0x164/0x184 security/tomoyo/environ.c:63
 tomoyo_environ security/tomoyo/domain.c:672 [inline]
 tomoyo_find_next_domain+0xdaa/0x1192 security/tomoyo/domain.c:879
 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:101 [inline]
 tomoyo_bprm_check_security+0xdc/0x136 security/tomoyo/tomoyo.c:91
 security_bprm_check+0x44/0x96 security/security.c:866
 search_binary_handler fs/exec.c:1715 [inline]
 exec_binprm fs/exec.c:1768 [inline]
 bprm_execve fs/exec.c:1837 [inline]
 bprm_execve+0x532/0x1140 fs/exec.c:1799
 do_execveat_common+0x298/0x312 fs/exec.c:1926
 do_execve fs/exec.c:1994 [inline]
 __do_sys_execve fs/exec.c:2070 [inline]
 sys_execve+0x32/0x40 fs/exec.c:2065
 ret_from_syscall+0x0/0x2

Last potentially related work creation:
 stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
 kasan_save_stack+0x2c/0x58 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xc4/0xdc mm/kasan/generic.c:348
 kasan_record_aux_stack_noalloc+0xe/0x16 mm/kasan/generic.c:358
 insert_work+0x40/0x1d4 kernel/workqueue.c:1368
 __queue_work+0x4ec/0xed0 kernel/workqueue.c:1534
 rcu_work_rcufn+0x54/0x7e kernel/workqueue.c:1771
 rcu_do_batch kernel/rcu/tree.c:2527 [inline]
 rcu_core+0x63c/0xf36 kernel/rcu/tree.c:2778
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2795
 __do_softirq+0x274/0x8fc kernel/softirq.c:558

Second to last potentially related work creation:
 stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
 kasan_save_stack+0x2c/0x58 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xc4/0xdc mm/kasan/generic.c:348
 kasan_record_aux_stack_noalloc+0xe/0x16 mm/kasan/generic.c:358
 __call_rcu kernel/rcu/tree.c:3026 [inline]
 call_rcu+0x8c/0x4ce kernel/rcu/tree.c:3106
 queue_rcu_work+0x72/0x76 kernel/workqueue.c:1791
 css_release_work_fn+0x27a/0x612 kernel/cgroup/cgroup.c:5200
 process_one_work+0x654/0xffe kernel/workqueue.c:2307
 worker_thread+0x360/0x8fa kernel/workqueue.c:2454
 kthread+0x19e/0x1fa kernel/kthread.c:377
 ret_from_exception+0x0/0x10

The buggy address belongs to the object at ffffaf801124c000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 6752 bytes to the right of
 8192-byte region [ffffaf801124c000, ffffaf801124e000)
The buggy address belongs to the page:
page:ffffaf807ab1b440 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffffaf8011248000 pfn:0x91448
head:ffffaf807ab1b440 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x9000010200(slab|head|section=18|node=0|zone=0)
raw: 0000009000010200 ffffaf807aa5bbc0 0000000000000002 ffffaf8007202280
raw: ffffaf8011248000 0000000080020000 00000001ffffffff 0000000000000000
raw: 00000000000007ff
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2027, ts 318753682700, free_ts 317814783600
 __set_page_owner+0x48/0x136 mm/page_owner.c:183
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0xd0/0x10a mm/page_alloc.c:2427
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0x8da/0x12d8 mm/page_alloc.c:4165
 __alloc_pages+0x150/0x3b6 mm/page_alloc.c:5389
 alloc_pages+0x132/0x2a6 mm/mempolicy.c:2271
 alloc_slab_page.constprop.0+0xc2/0xfa mm/slub.c:1799
 allocate_slab mm/slub.c:1944 [inline]
 new_slab+0x25a/0x2cc mm/slub.c:2004
 ___slab_alloc+0x56e/0x918 mm/slub.c:3018
 __slab_alloc.constprop.0+0x50/0x8c mm/slub.c:3105
 slab_alloc_node mm/slub.c:3196 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 kmem_cache_alloc_trace+0x2a2/0x2e0 mm/slub.c:3255
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:715 [inline]
 cgroup1_root_to_use kernel/cgroup/cgroup-v1.c:1190 [inline]
 cgroup1_get_tree+0x6b2/0x894 kernel/cgroup/cgroup-v1.c:1214
 vfs_get_tree+0x4a/0x19c fs/super.c:1497
 do_new_mount fs/namespace.c:2994 [inline]
 path_mount+0xe9c/0x14dc fs/namespace.c:3324
 do_mount fs/namespace.c:3337 [inline]
 __do_sys_mount fs/namespace.c:3545 [inline]
 sys_mount+0x360/0x3ee fs/namespace.c:3522
 ret_from_syscall+0x0/0x2
page last free stack trace:
 __reset_page_owner+0x4a/0xea mm/page_owner.c:142
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0x29c/0x45e mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x6a/0x31e mm/page_alloc.c:3404
 free_the_page mm/page_alloc.c:706 [inline]
 __free_pages+0xe2/0x112 mm/page_alloc.c:5474
 __free_slab+0x122/0x27c mm/slub.c:2028
 free_slab mm/slub.c:2043 [inline]
 discard_slab+0x4c/0x7a mm/slub.c:2049
 __slab_free+0x20a/0x29c mm/slub.c:3414
 do_slab_free mm/slub.c:3497 [inline]
 ___cache_free+0x17c/0x354 mm/slub.c:3516
 qlink_free mm/kasan/quarantine.c:157 [inline]
 qlist_free_all+0x7c/0x132 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x14c/0x1c8 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x5c/0x98 mm/kasan/common.c:446
 kasan_slab_alloc include/linux/kasan.h:260 [inline]
 slab_post_alloc_hook mm/slab.h:732 [inline]
 slab_alloc_node mm/slub.c:3230 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 __kmalloc+0x156/0x318 mm/slub.c:4420
 kmalloc include/linux/slab.h:586 [inline]
 tomoyo_add_entry security/tomoyo/common.c:2031 [inline]
 tomoyo_supervisor+0xb26/0xc1e security/tomoyo/common.c:2103
 tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
 tomoyo_path_permission security/tomoyo/file.c:587 [inline]
 tomoyo_path_permission+0x152/0x18e security/tomoyo/file.c:573
 tomoyo_check_open_permission+0x304/0x348 security/tomoyo/file.c:780
 tomoyo_file_open security/tomoyo/tomoyo.c:311 [inline]
 tomoyo_file_open+0x78/0x7c security/tomoyo/tomoyo.c:306

Memory state around the buggy address:
 ffffaf801124f900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffaf801124f980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffffaf801124fa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                       ^
 ffffaf801124fa80: fc fc fc fc fc fc fc fc f1 f1 f1 f1 00 00 00 f3
 ffffaf801124fb00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================