RIP: 0010:rb_next+0x5e/0x140 lib/rbtree.c:503 Code: 00 48 8d 7d 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 d6 00 00 00 49 bd 00 00 00 00 00 fc ff df <48> 8b 45 08 48 bb 00 00 00 00 00 fc ff df 48 85 c0 75 4c 4c 89 e3 RSP: 0018:ffffc90000c679e0 EFLAGS: 00000246 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 ================================================================== BUG: KASAN: stack-out-of-bounds in __show_regs.cold+0xa8/0x481 arch/x86/kernel/process_64.c:83 Read of size 8 at addr ffffc90000c679a8 by task ksoftirqd/1/19 CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.14.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:105 print_address_description.constprop.0.cold+0xf/0x309 mm/kasan/report.c:233 __kasan_report mm/kasan/report.c:419 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:436 __show_regs.cold+0xa8/0x481 arch/x86/kernel/process_64.c:83 show_trace_log_lvl+0x25b/0x2ba arch/x86/kernel/dumpstack.c:298 sched_show_task kernel/sched/core.c:8144 [inline] sched_show_task+0x433/0x5b0 kernel/sched/core.c:8118 show_state_filter+0x13e/0x300 kernel/sched/core.c:8189 kbd_keycode drivers/tty/vt/keyboard.c:1512 [inline] kbd_event+0x6fe/0x13a0 drivers/tty/vt/keyboard.c:1531 input_to_handler+0x336/0x4a0 drivers/input/input.c:118 input_pass_values.part.0+0x1a3/0x560 drivers/input/input.c:145 input_pass_values drivers/input/input.c:134 [inline] input_handle_event+0x215/0x1160 drivers/input/input.c:415 input_event drivers/input/input.c:446 [inline] input_event+0x54/0x80 drivers/input/input.c:438 hidinput_hid_event+0x3a7/0x1710 drivers/hid/hid-input.c:1444 hid_process_event+0x358/0x590 drivers/hid/hid-core.c:1522 hid_input_field drivers/hid/hid-core.c:1580 [inline] hid_report_raw_event+0xa18/0xfe0 drivers/hid/hid-core.c:1786 hid_input_report+0x26f/0x4b0 drivers/hid/hid-core.c:1853 hid_irq_in+0x4b0/0x620 drivers/hid/usbhid/hid-core.c:284 __usb_hcd_giveback_urb+0x238/0x3f0 drivers/usb/core/hcd.c:1656 dummy_timer+0xeb8/0x2eb0 drivers/usb/gadget/udc/dummy_hcd.c:1987 call_timer_fn+0x163/0x4a0 kernel/time/timer.c:1421 expire_timers kernel/time/timer.c:1466 [inline] __run_timers.part.0+0x524/0x890 kernel/time/timer.c:1734 __run_timers kernel/time/timer.c:1715 [inline] run_timer_softirq+0x9c/0x190 kernel/time/timer.c:1747 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 run_ksoftirqd kernel/softirq.c:920 [inline] run_ksoftirqd+0x2d/0x60 kernel/softirq.c:912 smpboot_thread_fn+0x548/0x8c0 kernel/smpboot.c:164 kthread+0x38b/0x460 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Memory state around the buggy address: ffffc90000c67880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffc90000c67900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffc90000c67980: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 ^ ffffc90000c67a00: 00 f2 f2 f2 f2 00 00 f3 f3 00 00 00 00 00 00 00 ffffc90000c67a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== ---------------- Code disassembly (best guess): 0: 00 48 8d add %cl,-0x73(%rax) 3: 7d 08 jge 0xd 5: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax c: fc ff df f: 48 89 fa mov %rdi,%rdx 12: 48 c1 ea 03 shr $0x3,%rdx 16: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) 1a: 0f 85 d6 00 00 00 jne 0xf6 20: 49 bd 00 00 00 00 00 movabs $0xdffffc0000000000,%r13 27: fc ff df * 2a: 48 8b 45 08 mov 0x8(%rbp),%rax <-- trapping instruction 2e: 48 bb 00 00 00 00 00 movabs $0xdffffc0000000000,%rbx 35: fc ff df 38: 48 85 c0 test %rax,%rax 3b: 75 4c jne 0x89 3d: 4c 89 e3 mov %r12,%rbx