================================================================== BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x1440/0x18a0 arch/x86/kernel/unwind_orc.c:522 Read of size 8 at addr ffff8880ae607828 by task syz-executor166/8197 CPU: 0 PID: 8197 Comm: syz-executor166 Not tainted 4.19.106-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x188/0x20d lib/dump_stack.c:118 print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report mm/kasan/report.c:412 [inline] kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396 unwind_next_frame+0x1440/0x18a0 arch/x86/kernel/unwind_orc.c:522 perf_callchain_kernel+0x402/0x5c0 arch/x86/events/core.c:2346 get_perf_callchain+0x390/0x860 kernel/events/callchain.c:202 perf_callchain+0x165/0x1c0 kernel/events/core.c:6440 perf_prepare_sample+0x80a/0x1570 kernel/events/core.c:6467 __perf_event_output kernel/events/core.c:6582 [inline] perf_event_output_forward+0xf3/0x270 kernel/events/core.c:6600 __perf_event_overflow+0x13c/0x370 kernel/events/core.c:7866 perf_swevent_overflow+0xac/0x150 kernel/events/core.c:7942 perf_swevent_event+0x14d/0x2e0 kernel/events/core.c:7980 perf_tp_event+0x29f/0x850 kernel/events/core.c:8398 perf_trace_run_bpf_submit+0x136/0x190 kernel/events/core.c:8372 perf_trace_lock_acquire+0x362/0x530 include/trace/events/lock.h:13 trace_lock_acquire include/trace/events/lock.h:13 [inline] lock_acquire+0x2a0/0x400 kernel/locking/lockdep.c:3902 seqcount_lockdep_reader_access include/linux/seqlock.h:81 [inline] read_seqcount_begin include/linux/seqlock.h:164 [inline] read_seqbegin include/linux/seqlock.h:433 [inline] zone_span_seqbegin include/linux/memory_hotplug.h:65 [inline] page_outside_zone_boundaries mm/page_alloc.c:490 [inline] bad_range+0xc0/0x3c0 mm/page_alloc.c:519 __free_one_page mm/page_alloc.c:819 [inline] free_one_page+0x127/0xee0 mm/page_alloc.c:1195 __free_pages_ok+0x438/0xd80 mm/page_alloc.c:1279 __put_page+0x71/0x380 mm/swap.c:112 put_page include/linux/mm.h:951 [inline] page_to_skb+0x5e2/0x800 drivers/net/virtio_net.c:427 receive_mergeable drivers/net/virtio_net.c:936 [inline] receive_buf+0x1da4/0x5c70 drivers/net/virtio_net.c:1045 virtnet_receive drivers/net/virtio_net.c:1334 [inline] virtnet_poll+0x541/0xd60 drivers/net/virtio_net.c:1439 napi_poll net/core/dev.c:6264 [inline] net_rx_action+0x4ab/0xfc0 net/core/dev.c:6330 __do_softirq+0x26c/0x93c kernel/softirq.c:292 invoke_softirq kernel/softirq.c:372 [inline] irq_exit+0x17b/0x1c0 kernel/softirq.c:412 exiting_irq arch/x86/include/asm/apic.h:544 [inline] do_IRQ+0x10c/0x1c0 arch/x86/kernel/irq.c:258 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670 RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:789 [inline] RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline] RIP: 0010:_raw_spin_unlock_irqrestore+0x91/0xe0 kernel/locking/spinlock.c:184 Code: 48 c7 c0 08 56 b2 88 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 37 48 83 3d 0e d1 92 01 00 74 22 48 89 df 57 9d <0f> 1f 44 00 00 bf 01 00 00 00 e8 50 05 27 fa 65 8b 05 b9 68 e2 78 RSP: 0018:ffff88808fb3f9a0 EFLAGS: 00000282 ORIG_RAX: ffffffffffffffd5 RAX: 1ffffffff1164ac1 RBX: 0000000000000282 RCX: 0000000000000000 RDX: dffffc0000000000 RSI: 0000000000000001 RDI: 0000000000000282 RBP: ffffffff8b7f3108 R08: ffff88808ea4e3c0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000282 R13: ffff8880802e0000 R14: ffffffff8b7f3108 R15: 0000000000000000 __debug_check_no_obj_freed lib/debugobjects.c:798 [inline] debug_check_no_obj_freed+0x20a/0x42e lib/debugobjects.c:817 free_pages_prepare mm/page_alloc.c:1055 [inline] __free_pages_ok+0x241/0xd80 mm/page_alloc.c:1273 release_pages+0x595/0x18f0 mm/swap.c:768 tlb_flush_mmu_free+0x72/0x140 mm/memory.c:249 tlb_flush_mmu mm/memory.c:258 [inline] arch_tlb_finish_mmu+0x224/0x510 mm/memory.c:273 tlb_finish_mmu+0x97/0x100 mm/memory.c:432 exit_mmap+0x2d2/0x510 mm/mmap.c:3093 __mmput kernel/fork.c:1015 [inline] mmput+0x14e/0x4a0 kernel/fork.c:1036 exit_mm kernel/exit.c:546 [inline] do_exit+0xac8/0x2f30 kernel/exit.c:867 do_group_exit+0x125/0x350 kernel/exit.c:983 __do_sys_exit_group kernel/exit.c:994 [inline] __se_sys_exit_group kernel/exit.c:992 [inline] __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:992 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x43ff98 Code: Bad RIP value. RSP: 002b:00007ffe0fe84d08 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff98 RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 RBP: 00000000004bf7d0 R08: 00000000000000e7 R09: ffffffffffffffd0 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 The buggy address belongs to the page: page:ffffea0002b981c0 count:1 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0xfffe0000000800(reserved) raw: 00fffe0000000800 ffffea0002b981c8 ffffea0002b981c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880ae607700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880ae607780: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 >ffff8880ae607800: f1 f1 04 f2 00 f3 f3 f3 00 00 00 00 00 00 00 00 ^ ffff8880ae607880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880ae607900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================