================================================================== BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x169f/0x1810 arch/x86/kernel/unwind_orc.c:470 Read of size 8 at addr ffff8881c758fbd0 by task syz-executor.4/21090 CPU: 1 PID: 21090 Comm: syz-executor.4 Not tainted 4.14.156-syzkaller #0 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0xe5/0x154 lib/dump_stack.c:58 print_address_description+0x60/0x226 mm/kasan/report.c:187 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316 unwind_next_frame+0x169f/0x1810 arch/x86/kernel/unwind_orc.c:470 perf_callchain_kernel+0x3a0/0x540 arch/x86/events/core.c:2338 get_perf_callchain+0x2f5/0x770 kernel/events/callchain.c:217 perf_callchain+0x147/0x190 kernel/events/callchain.c:190 perf_prepare_sample+0x6a8/0x1360 kernel/events/core.c:6149 __perf_event_output kernel/events/core.c:6265 [inline] perf_event_output_forward+0xdc/0x220 kernel/events/core.c:6283 nla_parse: 30 callbacks suppressed netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'. __perf_event_overflow+0x12d/0x340 kernel/events/core.c:7541 perf_swevent_overflow+0x7a/0xf0 kernel/events/core.c:7617 perf_swevent_event+0x112/0x270 kernel/events/core.c:7655 perf_tp_event+0x633/0x7f0 kernel/events/core.c:8079 perf_trace_run_bpf_submit kernel/events/core.c:8049 [inline] perf_trace_run_bpf_submit+0x113/0x170 kernel/events/core.c:8035 perf_trace_lock_acquire+0x341/0x4e0 include/trace/events/lock.h:13 trace_lock_acquire include/trace/events/lock.h:13 [inline] lock_acquire+0x279/0x360 kernel/locking/lockdep.c:3993 fs_reclaim_acquire.part.0+0x20/0x30 mm/page_alloc.c:3627 netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'. slab_pre_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2712 [inline] slab_alloc mm/slub.c:2800 [inline] kmem_cache_alloc+0x24/0x360 mm/slub.c:2805 kmem_cache_zalloc include/linux/slab.h:651 [inline] file_alloc_security security/selinux/hooks.c:369 [inline] selinux_file_alloc_security+0xa9/0x180 security/selinux/hooks.c:3492 security_file_alloc+0x6c/0xa0 security/security.c:876 get_empty_filp+0x154/0x3d0 fs/file_table.c:129 alloc_file+0x24/0x3b0 fs/file_table.c:164 sock_alloc_file+0x123/0x300 net/socket.c:416 netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'. SYSC_socketpair net/socket.c:1411 [inline] SyS_socketpair+0x227/0x4c0 net/socket.c:1366 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x45a679 RSP: 002b:00007f6da805ac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000035 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000000045a679 RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000001 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000200000c0 R11: 0000000000000246 R12: 00007f6da805b6d4 R13: 00000000004c9e90 R14: 00000000004e2288 R15: 00000000ffffffff The buggy address belongs to the page: page:ffffea00071d63c0 count:0 mapcount:0 mapping: (null) index:0x1 flags: 0x4000000000000000() raw: 4000000000000000 0000000000000000 0000000000000001 00000000ffffffff raw: 0000000000000000 dead000000000200 0000000000000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881c758fa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881c758fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8881c758fb80: 00 f1 f1 f1 f1 f1 f1 04 f2 00 f3 f3 f3 00 00 00 ^ ffff8881c758fc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881c758fc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================