BUG: spinlock bad magic on CPU#1, syz-executor.2/18210
lock: 0xffff88801aa20800, .magic: ffff8880, .owner: <none>/-1, .owner_cpu: 18209
CPU: 1 PID: 18210 Comm: syz-executor.2 Not tainted 6.2.0-rc8-syzkaller-00021-ge1c04510f521 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
do_raw_spin_lock+0x219/0x2b0 kernel/locking/spinlock_debug.c:114
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
_raw_spin_lock_irqsave+0x45/0x60 kernel/locking/spinlock.c:162
p9_tag_remove net/9p/client.c:390 [inline]
p9_req_put net/9p/client.c:398 [inline]
p9_req_put+0xca/0x250 net/9p/client.c:395
req_done+0x1e2/0x2e0 net/9p/trans_virtio.c:147
vring_interrupt drivers/virtio/virtio_ring.c:2470 [inline]
vring_interrupt+0x2a1/0x3d0 drivers/virtio/virtio_ring.c:2445
__handle_irq_event_percpu+0x264/0x970 kernel/irq/handle.c:158
handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
handle_edge_irq+0x263/0xd00 kernel/irq/chip.c:819
generic_handle_irq_desc include/linux/irqdesc.h:158 [inline]
handle_irq arch/x86/kernel/irq.c:231 [inline]
__common_interrupt+0xa1/0x210 arch/x86/kernel/irq.c:250
common_interrupt+0xa8/0xd0 arch/x86/kernel/irq.c:240
</IRQ>
<TASK>
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:640
RIP: 0010:clear_page_erms+0xb/0x10 arch/x86/lib/clear_page_64.S:50
Code: 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 c3 0f 1f 80 00 00 00 00 f3 0f 1e fa b9 00 10 00 00 31 c0 <f3> aa c3 66 90 f3 0f 1e fa 89 c8 48 c1 e9 03 74 14 0f 1f 40 00 48
RSP: 0018:ffffc900037e7580 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000001000
RDX: ffffea0000a01a00 RSI: ffff888000000000 RDI: ffff888028068000
RBP: ffffea0000a01a00 R08: 0000160000000000 R09: ffffea0000a01c00
R10: fffff94000140346 R11: 0000000000000000 R12: 0000000000000003
R13: 0000000000000008 R14: 0000000000000000 R15: 0000000000000001
clear_page arch/x86/include/asm/page_64.h:57 [inline]
clear_highpage include/linux/highmem.h:242 [inline]
clear_highpage_kasan_tagged include/linux/highmem.h:252 [inline]
kernel_init_pages mm/page_alloc.c:1386 [inline]
post_alloc_hook+0x19d/0x320 mm/page_alloc.c:2519
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x119c/0x2ce0 mm/page_alloc.c:4283
__alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5549
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2287
alloc_slab_page mm/slub.c:1851 [inline]
allocate_slab+0x25f/0x350 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0xa91/0x1400 mm/slub.c:3193
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3292
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
__kmem_cache_alloc_node+0x1a4/0x430 mm/slub.c:3491
__do_kmalloc_node mm/slab_common.c:967 [inline]
__kmalloc+0x4a/0xd0 mm/slab_common.c:981
kmalloc include/linux/slab.h:584 [inline]
tomoyo_realpath_from_path+0xc3/0x600 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x22d/0x430 security/tomoyo/file.c:822
tomoyo_path_symlink+0x98/0xe0 security/tomoyo/tomoyo.c:211
security_path_symlink+0xe3/0x160 security/security.c:1212
do_symlinkat+0x10a/0x2c0 fs/namei.c:4425
__do_sys_symlinkat fs/namei.c:4447 [inline]
__se_sys_symlinkat fs/namei.c:4444 [inline]
__ia32_sys_symlinkat+0x97/0xc0 fs/namei.c:4444
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
entry_SYSENTER_compat_after_hwframe+0x70/0x82
RIP: 0023:0xf7fdf549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000ff8bc408 EFLAGS: 00000282 ORIG_RAX: 0000000000000130
RAX: ffffffffffffffda RBX: 00000000ff8bc4f4 RCX: 00000000ffffff9c
RDX: 00000000f72a3418 RSI: 00000000ff8bc4f4 RDI: 00000000f734d000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
================================================================================
UBSAN: array-index-out-of-bounds in kernel/locking/qspinlock.c:131:9
index 5779 is out of range for type 'long unsigned int [8]'
CPU: 1 PID: 18210 Comm: syz-executor.2 Not tainted 6.2.0-rc8-syzkaller-00021-ge1c04510f521 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
ubsan_epilogue+0xa/0x31 lib/ubsan.c:151
__ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:282
decode_tail kernel/locking/qspinlock.c:131 [inline]
__pv_queued_spin_lock_slowpath+0xa51/0xb50 kernel/locking/qspinlock.c:471
pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:591 [inline]
queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline]
queued_spin_lock include/asm-generic/qspinlock.h:114 [inline]
do_raw_spin_lock+0x204/0x2b0 kernel/locking/spinlock_debug.c:115
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
_raw_spin_lock_irqsave+0x45/0x60 kernel/locking/spinlock.c:162
p9_tag_remove net/9p/client.c:390 [inline]
p9_req_put net/9p/client.c:398 [inline]
p9_req_put+0xca/0x250 net/9p/client.c:395
req_done+0x1e2/0x2e0 net/9p/trans_virtio.c:147
vring_interrupt drivers/virtio/virtio_ring.c:2470 [inline]
vring_interrupt+0x2a1/0x3d0 drivers/virtio/virtio_ring.c:2445
__handle_irq_event_percpu+0x264/0x970 kernel/irq/handle.c:158
handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
handle_edge_irq+0x263/0xd00 kernel/irq/chip.c:819
generic_handle_irq_desc include/linux/irqdesc.h:158 [inline]
handle_irq arch/x86/kernel/irq.c:231 [inline]
__common_interrupt+0xa1/0x210 arch/x86/kernel/irq.c:250
common_interrupt+0xa8/0xd0 arch/x86/kernel/irq.c:240
</IRQ>
<TASK>
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:640
RIP: 0010:clear_page_erms+0xb/0x10 arch/x86/lib/clear_page_64.S:50
Code: 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 c3 0f 1f 80 00 00 00 00 f3 0f 1e fa b9 00 10 00 00 31 c0 <f3> aa c3 66 90 f3 0f 1e fa 89 c8 48 c1 e9 03 74 14 0f 1f 40 00 48
RSP: 0018:ffffc900037e7580 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000001000
RDX: ffffea0000a01a00 RSI: ffff888000000000 RDI: ffff888028068000
RBP: ffffea0000a01a00 R08: 0000160000000000 R09: ffffea0000a01c00
R10: fffff94000140346 R11: 0000000000000000 R12: 0000000000000003
R13: 0000000000000008 R14: 0000000000000000 R15: 0000000000000001
clear_page arch/x86/include/asm/page_64.h:57 [inline]
clear_highpage include/linux/highmem.h:242 [inline]
clear_highpage_kasan_tagged include/linux/highmem.h:252 [inline]
kernel_init_pages mm/page_alloc.c:1386 [inline]
post_alloc_hook+0x19d/0x320 mm/page_alloc.c:2519
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x119c/0x2ce0 mm/page_alloc.c:4283
__alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5549
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2287
alloc_slab_page mm/slub.c:1851 [inline]
allocate_slab+0x25f/0x350 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0xa91/0x1400 mm/slub.c:3193
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3292
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
__kmem_cache_alloc_node+0x1a4/0x430 mm/slub.c:3491
__do_kmalloc_node mm/slab_common.c:967 [inline]
__kmalloc+0x4a/0xd0 mm/slab_common.c:981
kmalloc include/linux/slab.h:584 [inline]
tomoyo_realpath_from_path+0xc3/0x600 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x22d/0x430 security/tomoyo/file.c:822
tomoyo_path_symlink+0x98/0xe0 security/tomoyo/tomoyo.c:211
security_path_symlink+0xe3/0x160 security/security.c:1212
do_symlinkat+0x10a/0x2c0 fs/namei.c:4425
__do_sys_symlinkat fs/namei.c:4447 [inline]
__se_sys_symlinkat fs/namei.c:4444 [inline]
__ia32_sys_symlinkat+0x97/0xc0 fs/namei.c:4444
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
entry_SYSENTER_compat_after_hwframe+0x70/0x82
RIP: 0023:0xf7fdf549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000ff8bc408 EFLAGS: 00000282 ORIG_RAX: 0000000000000130
RAX: ffffffffffffffda RBX: 00000000ff8bc4f4 RCX: 00000000ffffff9c
RDX: 00000000f72a3418 RSI: 00000000ff8bc4f4 RDI: 00000000f734d000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
================================================================================
----------------
Code disassembly (best guess):
0: 48 89 47 20 mov %rax,0x20(%rdi)
4: 48 89 47 28 mov %rax,0x28(%rdi)
8: 48 89 47 30 mov %rax,0x30(%rdi)
c: 48 89 47 38 mov %rax,0x38(%rdi)
10: 48 8d 7f 40 lea 0x40(%rdi),%rdi
14: 75 d9 jne 0xffffffef
16: 90 nop
17: c3 retq
18: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
1f: f3 0f 1e fa endbr64
23: b9 00 10 00 00 mov $0x1000,%ecx
28: 31 c0 xor %eax,%eax
* 2a: f3 aa rep stos %al,%es:(%rdi) <-- trapping instruction
2c: c3 retq
2d: 66 90 xchg %ax,%ax
2f: f3 0f 1e fa endbr64
33: 89 c8 mov %ecx,%eax
35: 48 c1 e9 03 shr $0x3,%rcx
39: 74 14 je 0x4f
3b: 0f 1f 40 00 nopl 0x0(%rax)
3f: 48 rex.W