==================================================================
BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x169f/0x1810 arch/x86/kernel/unwind_orc.c:470
Read of size 8 at addr ffff8881a4a47c50 by task syz-executor.3/20420
CPU: 0 PID: 20420 Comm: syz-executor.3 Not tainted 4.14.156-syzkaller #0
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xe5/0x154 lib/dump_stack.c:58
 print_address_description+0x60/0x226 mm/kasan/report.c:187
 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
 unwind_next_frame+0x169f/0x1810 arch/x86/kernel/unwind_orc.c:470
 __save_stack_trace+0x7a/0xf0 arch/x86/kernel/stacktrace.c:44
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x164/0x210 mm/kasan/common.c:463
 slab_free_hook mm/slub.c:1407 [inline]
 slab_free_freelist_hook mm/slub.c:1458 [inline]
 slab_free mm/slub.c:3039 [inline]
 kmem_cache_free+0xd7/0x3b0 mm/slub.c:3055
 mempool_free+0xd3/0x340 mm/mempool.c:439
 bio_free+0x111/0x190 block/bio.c:265
 bio_put+0xa3/0xd0 block/bio.c:558
 bio_endio+0x334/0x630 block/bio.c:1921
 req_bio_endio block/blk-core.c:205 [inline]
 blk_update_request+0x2d5/0xa20 block/blk-core.c:2784
 scsi_end_request+0x7d/0x9d0 drivers/scsi/scsi_lib.c:659
 scsi_io_completion+0x9aa/0x1440 drivers/scsi/scsi_lib.c:885
 scsi_softirq_done+0x2a5/0x370 drivers/scsi/scsi_lib.c:1671
 __blk_mq_complete_request+0x307/0x6e0 block/blk-mq.c:571
 blk_mq_complete_request+0x24/0x30 block/blk-mq.c:591
 virtscsi_vq_done+0xb9/0x150 drivers/scsi/virtio_scsi.c:223
 vring_interrupt+0x104/0x150 drivers/virtio/virtio_ring.c:951
 __handle_irq_event_percpu+0xff/0x7a0 kernel/irq/handle.c:147
 handle_irq_event_percpu+0x76/0x150 kernel/irq/handle.c:187
 handle_irq_event+0xa2/0x12d kernel/irq/handle.c:204
 handle_edge_irq+0x21b/0x820 kernel/irq/chip.c:770
 generic_handle_irq_desc include/linux/irqdesc.h:159 [inline]
 handle_irq+0x225/0x2e2 arch/x86/kernel/irq_64.c:87
 do_IRQ+0x7f/0x1c0 arch/x86/kernel/irq.c:230
 common_interrupt+0x8c/0x8c arch/x86/entry/entry_64.S:576
RIP: 0010:arch_local_save_flags arch/x86/include/asm/paravirt.h:774 [inline]
RIP: 0010:arch_local_irq_save arch/x86/include/asm/paravirt.h:796 [inline]
RIP: 0010:lock_acquire+0x69/0x360 kernel/locking/lockdep.c:3989
RSP: 0018:ffff8881a4a47b30 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff8e
RAX: 0000000000000007 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff8881a6274680 RSI: 0000000000000000 RDI: ffff8881a6274eac
RBP: ffff8881a6275778 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8881a4a47d18 R11: ffff8881dba227cf R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 perf_event_exit_task+0x31/0xab0 kernel/events/core.c:10747
 retint_kernel+0x2d/0x2d
RIP: 9bc021e8:0xffff8881a4a47d08
RSP: a6274680:2e33cf35abee8a00 EFLAGS: ffff8881dba227cf ORIG_RAX: 0000000000000000
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff9bdfde8b
RBP: ffffffff9bdfde8b R08: ffffffff9d600a3a R09: ffff8881a6274680
R10: ffffffff9bc021e8 R11: ffff8881a4a47cb8 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea00069291c0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000000()
raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 dead000000000200 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffff8881a4a47b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881a4a47b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
>ffff8881a4a47c00: f1 f1 00 00 00 f2 00 00 00 f2 f2 f2 00 00 00 00
                                                 ^
 ffff8881a4a47c80: 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
 ffff8881a4a47d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================