==================================================================
BUG: KASAN: stack-out-of-bounds in user_mode arch/x86/include/asm/ptrace.h:131 [inline]
BUG: KASAN: stack-out-of-bounds in trace_page_fault_entries arch/x86/mm/fault.c:1541 [inline]
BUG: KASAN: stack-out-of-bounds in do_page_fault+0x66/0x330 arch/x86/mm/fault.c:1553
Read of size 8 at addr ffff8881e22f7960 by task syz-executor.4/2718

CPU: 0 PID: 2718 Comm: syz-executor.4 Not tainted 5.4.268-syzkaller-00003-g2d5d8240a7cb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:

The buggy address belongs to the page:
page:ffffea000788bdc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 ffffea000788bdc8 ffffea000788bdc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891
 __alloc_pages include/linux/gfp.h:503 [inline]
 __alloc_pages_node include/linux/gfp.h:516 [inline]
 alloc_pages_node include/linux/gfp.h:530 [inline]
 alloc_thread_stack_node kernel/fork.c:259 [inline]
 dup_task_struct+0x85/0x600 kernel/fork.c:886
 copy_process+0x56d/0x3230 kernel/fork.c:1889
 _do_fork+0x197/0x900 kernel/fork.c:2399
 __do_sys_clone kernel/fork.c:2557 [inline]
 __se_sys_clone kernel/fork.c:2538 [inline]
 __x64_sys_clone+0x26b/0x2c0 kernel/fork.c:2538
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8881e22f7800: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881e22f7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881e22f7900: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
                                                       ^
 ffff8881e22f7980: 00 f2 f2 f2 00 f2 f2 f2 f1 f1 f1 f1 00 f2 f2 f2
 ffff8881e22f7a00: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
PANIC: double fault, error_code: 0x0
CPU: 0 PID: 2718 Comm: syz-executor.4 Tainted: G B 5.4.268-syzkaller-00003-g2d5d8240a7cb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:check_preemption_disabled+0x8/0x320 lib/smp_processor_id.c:13
Code: 90 90 e8 8b f4 32 ff 48 c7 c7 a0 3f fa 84 48 c7 c6 e0 3f fa 84 eb 0b 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 <41> 55 41 54 53 48 83 e4 e0 48 81 ec 80 00 00 00 49 89 f7 49 89 fc
RSP: 0018:ffff8881e1d57000 EFLAGS: 00010093
RAX: ffffffff82315295 RBX: ffffffff85eb6a98 RCX: ffff8881e8c39f80
RDX: 0000000000000000 RSI: ffffffff84fa3fe0 RDI: ffffffff84fa3fa0
RBP: ffff8881e1d57010 R08: ffffffff8130385e R09: fffffbfff0c96c9e
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff1103c3aae10
R13: dffffc0000000000 R14: ffff8881e1d57080 R15: 0000607e08e0fee0
FS:  0000555556f41480(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8881e1d56ff8 CR3: 00000001f5c2a000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 <#DF>
----------------
Code disassembly (best guess):
   0:	90                   	nop
   1:	90                   	nop
   2:	e8 8b f4 32 ff       	call   0xff32f492
   7:	48 c7 c7 a0 3f fa 84 	mov    $0xffffffff84fa3fa0,%rdi
   e:	48 c7 c6 e0 3f fa 84 	mov    $0xffffffff84fa3fe0,%rsi
  15:	eb 0b                	jmp    0x22
  17:	66 66 2e 0f 1f 84 00 	data16 cs nopw 0x0(%rax,%rax,1)
  1e:	00 00 00 00
  22:	55                   	push   %rbp
  23:	48 89 e5             	mov    %rsp,%rbp
  26:	41 57                	push   %r15
  28:	41 56                	push   %r14
* 2a:	41 55                	push   %r13		<-- trapping instruction
  2c:	41 54                	push   %r12
  2e:	53                   	push   %rbx
  2f:	48 83 e4 e0          	and    $0xffffffffffffffe0,%rsp
  33:	48 81 ec 80 00 00 00 	sub    $0x80,%rsp
  3a:	49 89 f7             	mov    %rsi,%r15
  3d:	49 89 fc             	mov    %rdi,%r12