syzbot

==================================================================
BUG: KASAN: slab-out-of-bounds in walk_stackframe+0x11c/0x260 arch/riscv/kernel/stacktrace.c:57
Read of size 8 at addr ffffaf801e7effa0 by task syz-executor.1/2039

CPU: 0 PID: 2039 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330 mm/kasan/report.c:255
[<ffffffff80474d4c>] __kasan_report mm/kasan/report.c:442 [inline]
[<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff8000a052>] walk_stackframe+0x11c/0x260 arch/riscv/kernel/stacktrace.c:57
[<ffffffff8000a4a4>] arch_stack_walk+0x2c/0x3c arch/riscv/kernel/stacktrace.c:146
[<ffffffff80162ac8>] stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122

Allocated by task 1:
(stack is not available)

Last potentially related work creation:
------------[ cut here ]------------
slab index 2097147 out of bounds (293) for stack id fffffffb
WARNING: CPU: 0 PID: 2039 at lib/stackdepot.c:304 stack_depot_fetch lib/stackdepot.c:304 [inline]
WARNING: CPU: 0 PID: 2039 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70 lib/stackdepot.c:276
Modules linked in:
CPU: 0 PID: 2039 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
epc : stack_depot_fetch lib/stackdepot.c:304 [inline]
epc : stack_depot_print+0x66/0x70 lib/stackdepot.c:276
 ra : stack_depot_fetch lib/stackdepot.c:304 [inline]
 ra : stack_depot_print+0x66/0x70 lib/stackdepot.c:276
epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf801e7efe60
 gp : ffffffff85863ac0 tp : ffffaf800d9748c0 t0 : ffffffff86bcb657
 t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf801e7efe70
 s1 : ffffaf807aedc940 a0 : 000000000000003c a1 : 00000000000f0000
 a2 : 0000000000000504 a3 : ffffffff8012252a a4 : 3e37a7ea8d461900
 a5 : 3e37a7ea8d461900 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
 s2 : ffffaf801e7effa0 s3 : ffffaf8007202140 s4 : ffffaf801e7ee000
 s5 : ffffaf801e7ef000 s6 : 0000000000003fff s7 : ffffaf801e7eff40
 s8 : 0000000000400000 s9 : ffffffffffffc000 s10: ffffaf801e7f0020
 s11: 0000000000000008 t3 : fffffffff3f3f300 t4 : fffff5ef0b53910c
 t5 : fffff5ef0b53910d t6 : ffffaf801e7ef958
status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[<ffffffff80474a70>] describe_object_stacks mm/kasan/report.c:216 [inline]
[<ffffffff80474a70>] describe_object mm/kasan/report.c:231 [inline]
[<ffffffff80474a70>] print_address_description.constprop.0+0x2fc/0x330 mm/kasan/report.c:263
[<ffffffff80474d4c>] __kasan_report mm/kasan/report.c:442 [inline]
[<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff8000a052>] walk_stackframe+0x11c/0x260 arch/riscv/kernel/stacktrace.c:57
[<ffffffff8000a4a4>] arch_stack_walk+0x2c/0x3c arch/riscv/kernel/stacktrace.c:146
[<ffffffff80162ac8>] stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
irq event stamp: 55255
hardirqs last  enabled at (55254): [<ffffffff831afd54>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last  enabled at (55254): [<ffffffff831afd54>] _raw_spin_unlock_irqrestore+0x68/0x98 kernel/locking/spinlock.c:194
hardirqs last disabled at (55255): [<ffffffff831afa4e>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (55255): [<ffffffff831afa4e>] _raw_spin_lock_irqsave+0x60/0x62 kernel/locking/spinlock.c:162
softirqs last  enabled at (55148): [<ffffffff82c6ad60>] spin_unlock_bh include/linux/spinlock.h:394 [inline]
softirqs last  enabled at (55148): [<ffffffff82c6ad60>] clusterip_netdev_event+0x268/0x4aa net/ipv4/netfilter/ipt_CLUSTERIP.c:233
softirqs last disabled at (55161): [<ffffffff80061288>] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
softirqs last disabled at (55161): [<ffffffff80061288>] invoke_softirq kernel/softirq.c:439 [inline]
softirqs last disabled at (55161): [<ffffffff80061288>] __irq_exit_rcu+0x142/0x1f8 kernel/softirq.c:637
---[ end trace 0000000000000000 ]---

Second to last potentially related work creation:
------------[ cut here ]------------
slab index 2097151 out of bounds (293) for stack id ffffffff
WARNING: CPU: 0 PID: 2039 at lib/stackdepot.c:304 stack_depot_fetch lib/stackdepot.c:304 [inline]
WARNING: CPU: 0 PID: 2039 at lib/stackdepot.c:304 stack_depot_print+0x66/0x70 lib/stackdepot.c:276
Modules linked in:
CPU: 0 PID: 2039 Comm: syz-executor.1 Tainted: G        W         5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
epc : stack_depot_fetch lib/stackdepot.c:304 [inline]
epc : stack_depot_print+0x66/0x70 lib/stackdepot.c:276
 ra : stack_depot_fetch lib/stackdepot.c:304 [inline]
 ra : stack_depot_print+0x66/0x70 lib/stackdepot.c:276
epc : ffffffff80c00b8a ra : ffffffff80c00b8a sp : ffffaf801e7efe60
 gp : ffffffff85863ac0 tp : ffffaf800d9748c0 t0 : ffffffff86bcb657
 t1 : fffff5ef0b53910c t2 : 0000000000000000 s0 : ffffaf801e7efe70
 s1 : ffffaf807aedc940 a0 : 000000000000003c a1 : 00000000000f0000
 a2 : 0000000000000504 a3 : ffffffff8012252a a4 : 3e37a7ea8d461900
 a5 : 3e37a7ea8d461900 a6 : 0000000000f00000 a7 : ffffaf805a9c8863
 s2 : ffffaf801e7effa0 s3 : ffffaf8007202140 s4 : ffffaf801e7ee000
 s5 : ffffaf801e7ef000 s6 : 0000000000003fff s7 : ffffaf801e7eff40
 s8 : 0000000000400000 s9 : ffffffffffffc000 s10: ffffaf801e7f0020
 s11: 0000000000000008 t3 : fffffffff3f3f300 t4 : fffff5ef0b53910c
 t5 : fffff5ef0b53910d t6 : ffffaf801e7ef958
status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003
[<ffffffff80474a22>] describe_object_stacks mm/kasan/report.c:221 [inline]
[<ffffffff80474a22>] describe_object mm/kasan/report.c:231 [inline]
[<ffffffff80474a22>] print_address_description.constprop.0+0x2ae/0x330 mm/kasan/report.c:263
[<ffffffff80474d4c>] __kasan_report mm/kasan/report.c:442 [inline]
[<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff8000a052>] walk_stackframe+0x11c/0x260 arch/riscv/kernel/stacktrace.c:57
[<ffffffff8000a4a4>] arch_stack_walk+0x2c/0x3c arch/riscv/kernel/stacktrace.c:146
[<ffffffff80162ac8>] stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
irq event stamp: 55255
hardirqs last  enabled at (55254): [<ffffffff831afd54>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last  enabled at (55254): [<ffffffff831afd54>] _raw_spin_unlock_irqrestore+0x68/0x98 kernel/locking/spinlock.c:194
hardirqs last disabled at (55255): [<ffffffff831afa4e>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (55255): [<ffffffff831afa4e>] _raw_spin_lock_irqsave+0x60/0x62 kernel/locking/spinlock.c:162
softirqs last  enabled at (55148): [<ffffffff82c6ad60>] spin_unlock_bh include/linux/spinlock.h:394 [inline]
softirqs last  enabled at (55148): [<ffffffff82c6ad60>] clusterip_netdev_event+0x268/0x4aa net/ipv4/netfilter/ipt_CLUSTERIP.c:233
softirqs last disabled at (55161): [<ffffffff80061288>] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
softirqs last disabled at (55161): [<ffffffff80061288>] invoke_softirq kernel/softirq.c:439 [inline]
softirqs last disabled at (55161): [<ffffffff80061288>] __irq_exit_rcu+0x142/0x1f8 kernel/softirq.c:637
---[ end trace 0000000000000000 ]---

The buggy address belongs to the object at ffffaf801e7ee000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 4000 bytes to the right of
 4096-byte region [ffffaf801e7ee000, ffffaf801e7ef000)
The buggy address belongs to the page:
page:ffffaf807aedc940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9e9e8
head:ffffaf807aedc940 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x9800010200(slab|head|section=19|node=0|zone=0)
raw: 0000009800010200 0000000000000000 0000000000000122 ffffaf8007202140
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
raw: 00000000000007ff
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2038, ts 587866216500, free_ts 0
 __set_page_owner+0x48/0x136 mm/page_owner.c:183
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0xd0/0x10a mm/page_alloc.c:2427
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0x8da/0x12d8 mm/page_alloc.c:4165
 __alloc_pages+0x150/0x3b6 mm/page_alloc.c:5389
 alloc_pages+0x132/0x2a6 mm/mempolicy.c:2271
 alloc_slab_page.constprop.0+0xc2/0xfa mm/slub.c:1799
 allocate_slab mm/slub.c:1944 [inline]
 new_slab+0x25a/0x2cc mm/slub.c:2004
 ___slab_alloc+0x56e/0x918 mm/slub.c:3018
 __slab_alloc.constprop.0+0x50/0x8c mm/slub.c:3105
 slab_alloc_node mm/slub.c:3196 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 kmem_cache_alloc_trace+0x2a2/0x2e0 mm/slub.c:3255
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:715 [inline]
 kobject_uevent_env+0x1c6/0xdfe lib/kobject_uevent.c:524
 kobject_uevent+0x22/0x2e lib/kobject_uevent.c:642
 device_add+0x8de/0x129e drivers/base/core.c:3386
 netdev_register_kobject+0xcc/0x208 net/core/net-sysfs.c:2008
 register_netdevice+0x8ee/0xc6a net/core/dev.c:9667
 __ip_tunnel_create+0x22e/0x2f6 net/ipv4/ip_tunnel.c:267
page_owner free stack trace missing

Memory state around the buggy address:
 ffffaf801e7efe80: 00 00 00 00 fc fc fc fc 00 00 00 00 00 00 00 00
 ffffaf801e7eff00: 00 00 00 00 fc fc fc fc 00 00 00 00 00 00 00 00
>ffffaf801e7eff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                               ^
 ffffaf801e7f0000: f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
 ffffaf801e7f0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================