RIP: 0010:preempt_schedule_thunk+0x5/0x18 arch/x86/entry/thunk_64.S:34
Code: fd 85 db 0f 84 98 00 00 00 44 8d 73 01 44 89 f6 09 de bf ff ff ff ff e8 47 e4 8f fd 41 09 de 0f 88 88 00 00 00 e8 89 e0 8f fd <4c> 89 e0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 0f b6 04 08 84
RSP: 0000:0000000000000001 EFLAGS: 00000000 ORIG_RAX: 0000000000000000
RAX: ffff88811532d948 RBX: ffffc900072ef560 RCX: ffffc900077e7680
RDX: ffffc900072ef5b0 RSI: ffffffff8100817a RDI: dffffc0000000001
RBP: 0000000000000001 R08: ffff88811532d948 R09: ffffc900077e7690
R10: 1ffff92000efced2 R11: ffffffff84bfe126 R12: ffffc900077e7680
==================================================================
BUG: KASAN: stack-out-of-bounds in __show_regs+0x252/0x4d0 arch/x86/kernel/process_64.c:89
Read of size 8 at addr ffffc900072ef4f8 by task syz-executor.3/14487

CPU: 0 PID: 14487 Comm: syz-executor.3 Not tainted 5.15.118-syzkaller-01748-g241da2ad5601 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description+0x87/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:444
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309
 __show_regs+0x252/0x4d0 arch/x86/kernel/process_64.c:89
 show_regs_if_on_stack+0xd9/0xe0 arch/x86/kernel/dumpstack.c:173
 show_trace_log_lvl+0x2a7/0x380 arch/x86/kernel/dumpstack.c:301
 show_stack+0x37/0x40 arch/x86/kernel/dumpstack.c:321
 sched_show_task+0x3d0/0x620 kernel/sched/core.c:8773
 show_state_filter+0x139/0x1a0 kernel/sched/core.c:8818
 show_state include/linux/sched/debug.h:21 [inline]
 fn_show_state+0x10/0x20 drivers/tty/vt/keyboard.c:607
 k_spec+0xff/0x130 drivers/tty/vt/keyboard.c:660
 kbd_keycode drivers/tty/vt/keyboard.c:1512 [inline]
 kbd_event+0x2801/0x3910 drivers/tty/vt/keyboard.c:1531
 input_to_handler drivers/input/input.c:129 [inline]
 input_pass_values+0x8c5/0x1040 drivers/input/input.c:156
 input_handle_event+0xc70/0x1570 drivers/input/input.c:415
 input_inject_event+0x120/0x150 drivers/input/input.c:487
 evdev_write+0x65d/0x7a0 drivers/input/evdev.c:534
 vfs_write+0x406/0x1110 fs/read_write.c:592
 ksys_write+0x199/0x2c0 fs/read_write.c:647
 __do_sys_write fs/read_write.c:659 [inline]
 __se_sys_write fs/read_write.c:656 [inline]
 __x64_sys_write+0x7b/0x90 fs/read_write.c:656
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fbac7523389
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbac6275168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fbac7643050 RCX: 00007fbac7523389
RDX: 00000000000012d8 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 00007fbac756e493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd3ea753df R14: 00007fbac6275300 R15: 0000000000022000
 </TASK>


Memory state around the buggy address:
 ffffc900072ef380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900072ef400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900072ef480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                ^
 ffffc900072ef500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900072ef580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
R13: 49b5b4260f00e300 R14: ffffc900077e7680 R15: ffff8881f7136fb0
 </TASK>
task:syz-executor.1  state:R stack:23088 pid:14485 ppid:   434 flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5147 [inline]
 __schedule+0xcbe/0x1580 kernel/sched/core.c:6506
 schedule+0x11f/0x1e0 kernel/sched/core.c:6589
 schedule_timeout+0xa9/0x370 kernel/time/timer.c:1866
 unix_wait_for_peer+0x24b/0x330 net/unix/af_unix.c:1315
 unix_dgram_sendmsg+0x143f/0x2090 net/unix/af_unix.c:1913
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg net/socket.c:724 [inline]
 ____sys_sendmsg+0x59e/0x8f0 net/socket.c:2412
 ___sys_sendmsg+0x252/0x2e0 net/socket.c:2466
 __sys_sendmmsg+0x2bf/0x530 net/socket.c:2552
 __do_sys_sendmmsg net/socket.c:2581 [inline]
 __se_sys_sendmmsg net/socket.c:2578 [inline]
 __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2578
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f82f40bf389
RSP: 002b:00007f82f2e11168 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f82f41df050 RCX: 00007f82f40bf389
RDX: 0000000000000318 RSI: 00000000200bd000 RDI: 0000000000000004
RBP: 00007f82f410a493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff6cdb6d8f R14: 00007f82f2e11300 R15: 0000000000022000
 </TASK>
task:syz-executor.1  state:R  running task     stack:28816 pid:14492 ppid:   434 flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5147 [inline]
 __schedule+0xcbe/0x1580 kernel/sched/core.c:6506
 preempt_schedule_common+0x9b/0xf0 kernel/sched/core.c:6682
 preempt_schedule+0xd9/0xe0 kernel/sched/core.c:6707
 preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:34
 try_to_wake_up+0x6dc/0x1150 kernel/sched/core.c:4255
 wake_up_process kernel/sched/core.c:4318 [inline]
 wake_up_q+0xf0/0x1d0 kernel/sched/core.c:972
 futex_wake+0x821/0xc80 kernel/futex/core.c:1696
 do_futex+0x1310/0x37f0 kernel/futex/core.c:3990
 __do_sys_futex kernel/futex/core.c:4062 [inline]
 __se_sys_futex+0x37b/0x3e0 kernel/futex/core.c:4043
 __x64_sys_futex+0xe5/0x100 kernel/futex/core.c:4043
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f82f40bf389
RSP: 002b:00007f82f2df0218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007f82f41df128 RCX: 00007f82f40bf389
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f82f41df12c
RBP: 00007f82f41df120 R08: 00007fff6cdb80b0 R09: 0000000000000000
R10: 0000000000000006 R11: 0000000000000246 R12: 00007f82f41df12c
R13: 00007fff6cdb6d8f R14: 00007f82f2df0300 R15: 0000000000022000
 </TASK>
task:syz-executor.1  state:D stack:26992 pid:14496 ppid:   434 flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5147 [inline]
 __schedule+0xcbe/0x1580 kernel/sched/core.c:6506
 schedule+0x11f/0x1e0 kernel/sched/core.c:6589
 schedule_timeout+0xa9/0x370 kernel/time/timer.c:1866
 __down_common kernel/locking/semaphore.c:224 [inline]
 __down+0x1f2/0x370 kernel/locking/semaphore.c:241
 down+0x76/0xb0 kernel/locking/semaphore.c:62
 console_lock+0x1a/0x40 kernel/printk/printk.c:2573
 vcs_open+0x68/0xe0 drivers/tty/vt/vc_screen.c:763
 chrdev_open+0x4f7/0x620 fs/char_dev.c:414
 do_dentry_open+0x81c/0xfd0 fs/open.c:828
 vfs_open+0x73/0x80 fs/open.c:958
 do_open fs/namei.c:3538 [inline]
 path_openat+0x26f0/0x2f40 fs/namei.c:3672
 do_filp_open+0x21c/0x460 fs/namei.c:3699
 do_sys_openat2+0x13f/0x830 fs/open.c:1234
 do_sys_open fs/open.c:1250 [inline]
 __do_sys_openat fs/open.c:1266 [inline]
 __se_sys_openat fs/open.c:1261 [inline]
 __x64_sys_openat+0x243/0x290 fs/open.c:1261
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f82f40bf389
RSP: 002b:00007f82f2dcf168 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f82f41df1f0 RCX: 00007f82f40bf389
RDX: 0000000000000000 RSI: 0000000020000280 RDI: ffffffffffffff9c
RBP: 00007f82f410a493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff6cdb6d8f R14: 00007f82f2dcf300 R15: 0000000000022000
 </TASK>
task:syz-executor.1  state:S stack:28784 pid:14497 ppid:   434 flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5147 [inline]
 __schedule+0xcbe/0x1580 kernel/sched/core.c:6506
 schedule+0x11f/0x1e0 kernel/sched/core.c:6589
 freezable_schedule include/linux/freezer.h:197 [inline]
 futex_wait_queue_me+0x306/0x760 kernel/futex/core.c:2862
 futex_wait+0x2e6/0x9a0 kernel/futex/core.c:2965
 do_futex+0x1367/0x37f0 kernel/futex/core.c:3985
 __do_sys_futex kernel/futex/core.c:4062 [inline]
 __se_sys_futex+0x37b/0x3e0 kernel/futex/core.c:4043
 __x64_sys_futex+0xe5/0x100 kernel/futex/core.c:4043
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f82f40bf389
RSP: 002b:00007f82f2dae218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007f82f41df2c8 RCX: 00007f82f40bf389
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f82f41df2c8
RBP: 00007f82f41df2c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f82f41df2cc
R13: 00007fff6cdb6d8f R14: 00007f82f2dae300 R15: 0000000000022000
 </TASK>
----------------
Code disassembly (best guess):
   0:	fd                   	std
   1:	85 db                	test   %ebx,%ebx
   3:	0f 84 98 00 00 00    	je     0xa1
   9:	44 8d 73 01          	lea    0x1(%rbx),%r14d
   d:	44 89 f6             	mov    %r14d,%esi
  10:	09 de                	or     %ebx,%esi
  12:	bf ff ff ff ff       	mov    $0xffffffff,%edi
  17:	e8 47 e4 8f fd       	callq  0xfd8fe463
  1c:	41 09 de             	or     %ebx,%r14d
  1f:	0f 88 88 00 00 00    	js     0xad
  25:	e8 89 e0 8f fd       	callq  0xfd8fe0b3
* 2a:	4c 89 e0             	mov    %r12,%rax <-- trapping instruction
  2d:	48 c1 e8 03          	shr    $0x3,%rax
  31:	48 b9 00 00 00 00 00 	movabs $0xdffffc0000000000,%rcx
  38:	fc ff df
  3b:	0f b6 04 08          	movzbl (%rax,%rcx,1),%eax
  3f:	84                   	.byte 0x84