==================================================================
BUG: KASAN: stack-out-of-bounds in do_general_protection+0x2ac/0x2f0 arch/x86/kernel/traps.c:539
Read of size 8 at addr ffff8801d815f3f8 by task syz-executor5/702

CPU: 1 PID: 702 Comm: syz-executor5 Not tainted 4.17.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 do_general_protection+0x2ac/0x2f0 arch/x86/kernel/traps.c:539
 general_protection+0x1e/0x30 arch/x86/entry/entry_64.S:1159
RIP: 0010:msr_write_intercepted arch/x86/kvm/vmx.c:2132 [inline]
RIP: 0010:vmx_vcpu_run+0xa12/0x25c0 arch/x86/kvm/vmx.c:9879
Code: 00 00 10 89 de e8 5e c9 5a 00 85 db 0f 84 91 00 00 00 e8 41 c8 5a 00 48 8b 54 24 08 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 19 00 00 48 8b 04 24 48 8b 98 40 57 00 00 48 
RSP: 0018:ffff8801d815f410 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 0000000010000000 RCX: ffffffff811f7542
RDX: 000000000836b156 RSI: ffffffff811f754f RDI: 0000000000000005
RBP: ffff8801d815f508 R08: ffff88018d266000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 0 PID: 19781 Comm: udevd Not tainted 4.17.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:atomic_inc include/asm-generic/atomic-instrumented.h:102 [inline]
RIP: 0010:__lock_acquire+0x291/0x5140 kernel/locking/lockdep.c:3327
Code: 
 mmu_notifier_release include/linux/mmu_notifier.h:244 [inline]
 exit_mmap+0xa4/0x5a0 mm/mmap.c:3057
48 
85 db 
0f 84 
1d ff 
ff ff 
48 8d 
bb 38 
01 00 
00 be 
 __mmput kernel/fork.c:962 [inline]
 mmput+0x251/0x610 kernel/fork.c:983
04 00 
00 00 
4c 89 
9c 24 
88 00 
00 00 
44 89 
84 24 
 exit_mm kernel/exit.c:544 [inline]
 do_exit+0xe98/0x2730 kernel/exit.c:852
90 00 
00 00 
e8 2f 
c8 59 
00 <f0> 
ff 83 
38 01 
00 00 
4c 8b 
9c 24 
88 00 
00 00 
44 8b 
84 24 
90 00 
00 
RSP: 0018:ffff8801af1ef450 EFLAGS: 00010092
RAX: 0000000000000001 RBX: 1ffff1003b02bdae RCX: ffffffff815d8f91
RDX: 0000000000000001 RSI: 0000000000000004 RDI: 1ffff1003b02bee6
RBP: ffff8801af1ef7d8 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: ffff8801c767a580 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: ffffffff8ac13aa0
FS:  00007f430024c7a0(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4300253000 CR3: 00000001c3a1e000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 do_group_exit+0x16f/0x430 kernel/exit.c:968
 __do_sys_exit_group kernel/exit.c:979 [inline]
 __se_sys_exit_group kernel/exit.c:977 [inline]
 __ia32_sys_exit_group+0x3e/0x50 kernel/exit.c:977
 do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
 do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:397
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fbdcb9
Code: 
55 
08 
8b 
 lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3924
88 
64 
cd 
ff 
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:152
ff 
8b 98 
 debug_object_activate+0x1af/0x670 lib/debugobjects.c:470
68 
cd 
ff 
ff 89 
c8 
85 
 debug_rcu_head_queue kernel/rcu/rcu.h:135 [inline]
 __call_rcu.constprop.67+0xc0/0xbf0 kernel/rcu/tree.c:2906
d2 
74 
02 
89 
0a 
5b 
5d 
c3 
8b 
04 
24 
 call_rcu_sched+0x12/0x20 kernel/rcu/tree.c:2985
c3 
 file_free fs/file_table.c:55 [inline]
 __fput+0x54c/0x890 fs/file_table.c:226
8b 
1c 
24 
 ____fput+0x15/0x20 fs/file_table.c:243
c3 
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
51 
52 
55 
 tracehook_notify_resume include/linux/tracehook.h:192 [inline]
 exit_to_usermode_loop+0x302/0x360 arch/x86/entry/common.c:166
89 
e5 
0f 
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:293
34 
cd 
80 
<5d> 
5a 
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
59 
RIP: 0033:0x7f42ff9542b0
c3 
Code: 
90 
40 
90 
75 0b 
90 
31 c0 
90 
48 83 
eb 
c4 
0d 
08 e9 
90 
0c ff 
90 
ff ff 
90 
48 8d 
90 
3d c5 
90 
32 08 
90 
00 e8 
90 
c0 07 
90 
02 00 
90 
83 3d 
90 
45 a3 
90 
2b 00 
90 
00 75 
10 b8 
RSP: 002b:00000000f5fb228c EFLAGS: 00000286
03 00 
 ORIG_RAX: 00000000000000fc
00 00 
RAX: ffffffffffffffda RBX: 000000000000000b RCX: 0000000000000000
0f 05 
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
<48> 3d 
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
01 f0 
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
ff ff 
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
73 31 

c3 48 
The buggy address belongs to the page:
83 ec 
page:ffffea00076057c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
08 e8 
ce 8a 
flags: 0x2fffc0000000000()
01 00 
raw: 02fffc0000000000 0000000000000000 ffffffff07600101 0000000000000000
48 89 04 
raw: 0000000000000000 ffff8801d815f000 00000000ffffffff 0000000000000000
24 
page dumped because: kasan: bad access detected
RSP: 002b:00007ffc6e47ba68 EFLAGS: 00000246 ORIG_RAX: 0000000000000003

RAX: 0000000000000000 RBX: 000000000126de80 RCX: 00007f42ff9542b0
RDX: 000000000000001a RSI: 00007f4300253000 RDI: 0000000000000005
Memory state around the buggy address:
RBP: 0000000000000000 R08: 00007f430024c7a0 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
 ffff8801d815f280: 00 f2 00 00 00 00 00 00 00 00 00 00 00 00 f3 00
R13: 0000000001255250 R14: 00007ffc6e47bae0 R15: 0000000000000001
Modules linked in:
 ffff8801d815f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Dumping ftrace buffer:
>ffff8801d815f380: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2
   (ftrace buffer empty)
                                                                ^
---[ end trace 7a4d671e59f34586 ]---
 ffff8801d815f400: f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2
RIP: 0010:atomic_inc include/asm-generic/atomic-instrumented.h:102 [inline]
RIP: 0010:__lock_acquire+0x291/0x5140 kernel/locking/lockdep.c:3327
 ffff8801d815f480: f2 f2 f2 f2 00 f2 f2 f2 f3 f3 f3 f3 00 00 00 00
Code: 48 
==================================================================
85 db