Extracting prog: 1m0.481934516s
Minimizing prog: 18m5.003700146s
Simplifying prog options: 0s
Extracting C: 31.984007034s
Simplifying C: 10m3.168457646s


extracting reproducer from 30 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$MAP_UPDATE_ELEM_TAIL_CALL-socket$kcm-socket$kcm-sendmsg$inet-sendmsg$inet-sendmsg-sendmsg$kcm
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000009c0)={0x17, 0x3, &(0x7f00000004c0)=ANY=[@ANYBLOB="c3ae00fe1001000071101a0000000000950000000000000065dcdc741924adb0bbed87854d63332dbfef6c8fc8603a33e2ce107b3a6e60711704e3aac52c108c020400b37f44a327808d5073040e1054bccb5cbedb061d233aa6691381ae337e5b399d627a7b0f28b9f1d01279ca0eaa11daeaecbf1c6b3fb993d557a6e47161688908c62ca0d9c598b04d31fe1c683f64074fc3e03438fd5dfad1881e263fd8e93a3ed23a994ad32ce7e09fbaca6b9982"], &(0x7f0000000480)='syzkaller\x00', 0x6, 0x0, 0x0, 0x0, 0x48, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, 0x0, 0x0)
r0 = socket$kcm(0x10, 0x2, 0x0)
r1 = socket$kcm(0x29, 0x5, 0x0)
sendmsg$inet(r1, &(0x7f0000000380)={0x0, 0x0, &(0x7f00000002c0)}, 0x800)
sendmsg$inet(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000340)=[{&(0x7f0000000040)="8ed176fa767857946b6a9b3953d1e092fbaaf6dec0ccb21f84815c9ddec8b2068334fdaaa2137058c5f76c63961002e929a784820bf47c28c18ede49cb03aa97fad0d217caefac4f49fb8f852f1810068028cf1c7dd3bc8bc38dba329803b65a6469c5c6a5442eb7604da61255efbb52eae6f51fca61fb65955813087d4cd019d8843c9dba71fe", 0x87}, {&(0x7f0000000100)="95e2b04648981ce3cb9e1a2cd5ed8803a9437d16c4325ebf18bf953b5c41e7579c62aa505524464c8fd7cd29f48efa66bdfa87e2b8623e6baae995876596736736259f2874b106d8a10b88a5f93a8199c63945e64dd4a398a2540495d50ab770bcbbde73d77db9ff32acaf3cad8e4f5311502296438d77575013380648ed56105b8fb08c780490a74118af7698d1ecfec38474b5d7ca2b25d12a7a1b90129d4c76f997d2cd0cc32e55fdb5825626565a98e1ef8e6ac893d2d556890029e27eec64d0c47bac8106d83bd83df58a5e121b2b60886da1198feca59929bdf097c70fd2f23b8101186688c35a7f13c9d1f4d79dd1cc275293eade652287bbe8", 0xfd}, {&(0x7f0000000200)="c1ff5a68b9af718b5c90e1002a087e8b25a4bb553db3370086da76f398abe330e17758cd54880b4bd386dff3b08c43d96a2cb0ecceaddf38db8375fbd331f4beae5309abbf2b109444aa6a71aa09bae12feeef64411606ea14f96aeb6037958ebd8285a0cd27c8e0248f0e589bad9b6e9676c912386deaf6c4b6acee59dc9a116d72d3ab051d90bcd38c1c40deafabc13ed180fd7192ae3b907a23457b5a0c131e2a73e31dddf394f70a7667b79030e4018996f5b7c2ddaa9a233f1d8fa810266fa0014f2f61", 0xc6}], 0x3, &(0x7f00000003c0)=[@ip_tos_int={{0x14, 0x0, 0x1, 0xc1f}}, @ip_tos_u8={{0x11}}, @ip_ttl={{0x14, 0x0, 0x2, 0x6}}], 0x48}, 0x40080)
sendmsg(r1, 0x0, 0x0)
sendmsg$kcm(r0, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000740)=[{&(0x7f0000000300)="2e00000011008188040f80ec59acbc0413a181000d00000000010000000000000e000a000f000000028002002d1f", 0x2e}], 0x1}, 0x0)

program crashed: KASAN: slab-out-of-bounds Read in atomic_ptr_type_ok
single: successfully extracted reproducer
found reproducer with 8 syscalls
minimizing guilty program
testing program (duration=1m17.199932287s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$MAP_UPDATE_ELEM_TAIL_CALL-socket$kcm-socket$kcm-sendmsg$inet-sendmsg$inet-sendmsg
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000009c0)={0x17, 0x3, &(0x7f00000004c0)=ANY=[@ANYBLOB="c3ae00fe1001000071101a0000000000950000000000000065dcdc741924adb0bbed87854d63332dbfef6c8fc8603a33e2ce107b3a6e60711704e3aac52c108c020400b37f44a327808d5073040e1054bccb5cbedb061d233aa6691381ae337e5b399d627a7b0f28b9f1d01279ca0eaa11daeaecbf1c6b3fb993d557a6e47161688908c62ca0d9c598b04d31fe1c683f64074fc3e03438fd5dfad1881e263fd8e93a3ed23a994ad32ce7e09fbaca6b9982"], &(0x7f0000000480)='syzkaller\x00', 0x6, 0x0, 0x0, 0x0, 0x48, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, 0x0, 0x0)
r0 = socket$kcm(0x10, 0x2, 0x0)
r1 = socket$kcm(0x29, 0x5, 0x0)
sendmsg$inet(r1, &(0x7f0000000380)={0x0, 0x0, &(0x7f00000002c0)}, 0x800)
sendmsg$inet(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000340)=[{&(0x7f0000000040)="8ed176fa767857946b6a9b3953d1e092fbaaf6dec0ccb21f84815c9ddec8b2068334fdaaa2137058c5f76c63961002e929a784820bf47c28c18ede49cb03aa97fad0d217caefac4f49fb8f852f1810068028cf1c7dd3bc8bc38dba329803b65a6469c5c6a5442eb7604da61255efbb52eae6f51fca61fb65955813087d4cd019d8843c9dba71fe", 0x87}, {&(0x7f0000000100)="95e2b04648981ce3cb9e1a2cd5ed8803a9437d16c4325ebf18bf953b5c41e7579c62aa505524464c8fd7cd29f48efa66bdfa87e2b8623e6baae995876596736736259f2874b106d8a10b88a5f93a8199c63945e64dd4a398a2540495d50ab770bcbbde73d77db9ff32acaf3cad8e4f5311502296438d77575013380648ed56105b8fb08c780490a74118af7698d1ecfec38474b5d7ca2b25d12a7a1b90129d4c76f997d2cd0cc32e55fdb5825626565a98e1ef8e6ac893d2d556890029e27eec64d0c47bac8106d83bd83df58a5e121b2b60886da1198feca59929bdf097c70fd2f23b8101186688c35a7f13c9d1f4d79dd1cc275293eade652287bbe8", 0xfd}, {&(0x7f0000000200)="c1ff5a68b9af718b5c90e1002a087e8b25a4bb553db3370086da76f398abe330e17758cd54880b4bd386dff3b08c43d96a2cb0ecceaddf38db8375fbd331f4beae5309abbf2b109444aa6a71aa09bae12feeef64411606ea14f96aeb6037958ebd8285a0cd27c8e0248f0e589bad9b6e9676c912386deaf6c4b6acee59dc9a116d72d3ab051d90bcd38c1c40deafabc13ed180fd7192ae3b907a23457b5a0c131e2a73e31dddf394f70a7667b79030e4018996f5b7c2ddaa9a233f1d8fa810266fa0014f2f61", 0xc6}], 0x3, &(0x7f00000003c0)=[@ip_tos_int={{0x14, 0x0, 0x1, 0xc1f}}, @ip_tos_u8={{0x11}}, @ip_ttl={{0x14, 0x0, 0x2, 0x6}}], 0x48}, 0x40080)
sendmsg(r1, 0x0, 0x0)

program crashed: KASAN: slab-out-of-bounds Read in atomic_ptr_type_ok
testing program (duration=1m17.199932287s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$MAP_UPDATE_ELEM_TAIL_CALL-socket$kcm-socket$kcm-sendmsg$inet-sendmsg$inet
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000009c0)={0x17, 0x3, &(0x7f00000004c0)=ANY=[@ANYBLOB="c3ae00fe1001000071101a0000000000950000000000000065dcdc741924adb0bbed87854d63332dbfef6c8fc8603a33e2ce107b3a6e60711704e3aac52c108c020400b37f44a327808d5073040e1054bccb5cbedb061d233aa6691381ae337e5b399d627a7b0f28b9f1d01279ca0eaa11daeaecbf1c6b3fb993d557a6e47161688908c62ca0d9c598b04d31fe1c683f64074fc3e03438fd5dfad1881e263fd8e93a3ed23a994ad32ce7e09fbaca6b9982"], &(0x7f0000000480)='syzkaller\x00', 0x6, 0x0, 0x0, 0x0, 0x48, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, 0x0, 0x0)
r0 = socket$kcm(0x10, 0x2, 0x0)
r1 = socket$kcm(0x29, 0x5, 0x0)
sendmsg$inet(r1, &(0x7f0000000380)={0x0, 0x0, &(0x7f00000002c0)}, 0x800)
sendmsg$inet(r0, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000340)=[{&(0x7f0000000040)="8ed176fa767857946b6a9b3953d1e092fbaaf6dec0ccb21f84815c9ddec8b2068334fdaaa2137058c5f76c63961002e929a784820bf47c28c18ede49cb03aa97fad0d217caefac4f49fb8f852f1810068028cf1c7dd3bc8bc38dba329803b65a6469c5c6a5442eb7604da61255efbb52eae6f51fca61fb65955813087d4cd019d8843c9dba71fe", 0x87}, {&(0x7f0000000100)="95e2b04648981ce3cb9e1a2cd5ed8803a9437d16c4325ebf18bf953b5c41e7579c62aa505524464c8fd7cd29f48efa66bdfa87e2b8623e6baae995876596736736259f2874b106d8a10b88a5f93a8199c63945e64dd4a398a2540495d50ab770bcbbde73d77db9ff32acaf3cad8e4f5311502296438d77575013380648ed56105b8fb08c780490a74118af7698d1ecfec38474b5d7ca2b25d12a7a1b90129d4c76f997d2cd0cc32e55fdb5825626565a98e1ef8e6ac893d2d556890029e27eec64d0c47bac8106d83bd83df58a5e121b2b60886da1198feca59929bdf097c70fd2f23b8101186688c35a7f13c9d1f4d79dd1cc275293eade652287bbe8", 0xfd}, {&(0x7f0000000200)="c1ff5a68b9af718b5c90e1002a087e8b25a4bb553db3370086da76f398abe330e17758cd54880b4bd386dff3b08c43d96a2cb0ecceaddf38db8375fbd331f4beae5309abbf2b109444aa6a71aa09bae12feeef64411606ea14f96aeb6037958ebd8285a0cd27c8e0248f0e589bad9b6e9676c912386deaf6c4b6acee59dc9a116d72d3ab051d90bcd38c1c40deafabc13ed180fd7192ae3b907a23457b5a0c131e2a73e31dddf394f70a7667b79030e4018996f5b7c2ddaa9a233f1d8fa810266fa0014f2f61", 0xc6}], 0x3, &(0x7f00000003c0)=[@ip_tos_int={{0x14, 0x0, 0x1, 0xc1f}}, @ip_tos_u8={{0x11}}, @ip_ttl={{0x14, 0x0, 0x2, 0x6}}], 0x48}, 0x40080)

program crashed: KASAN: slab-out-of-bounds Read in atomic_ptr_type_ok
testing program (duration=1m17.199932287s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$MAP_UPDATE_ELEM_TAIL_CALL-socket$kcm-socket$kcm-sendmsg$inet
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000009c0)={0x17, 0x3, &(0x7f00000004c0)=ANY=[@ANYBLOB="c3ae00fe1001000071101a0000000000950000000000000065dcdc741924adb0bbed87854d63332dbfef6c8fc8603a33e2ce107b3a6e60711704e3aac52c108c020400b37f44a327808d5073040e1054bccb5cbedb061d233aa6691381ae337e5b399d627a7b0f28b9f1d01279ca0eaa11daeaecbf1c6b3fb993d557a6e47161688908c62ca0d9c598b04d31fe1c683f64074fc3e03438fd5dfad1881e263fd8e93a3ed23a994ad32ce7e09fbaca6b9982"], &(0x7f0000000480)='syzkaller\x00', 0x6, 0x0, 0x0, 0x0, 0x48, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, 0x0, 0x0)
socket$kcm(0x10, 0x2, 0x0)
r0 = socket$kcm(0x29, 0x5, 0x0)
sendmsg$inet(r0, &(0x7f0000000380)={0x0, 0x0, &(0x7f00000002c0)}, 0x800)

program crashed: KASAN: slab-out-of-bounds Read in atomic_ptr_type_ok
testing program (duration=1m17.199932287s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$MAP_UPDATE_ELEM_TAIL_CALL-socket$kcm-socket$kcm
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000009c0)={0x17, 0x3, &(0x7f00000004c0)=ANY=[@ANYBLOB="c3ae00fe1001000071101a0000000000950000000000000065dcdc741924adb0bbed87854d63332dbfef6c8fc8603a33e2ce107b3a6e60711704e3aac52c108c020400b37f44a327808d5073040e1054bccb5cbedb061d233aa6691381ae337e5b399d627a7b0f28b9f1d01279ca0eaa11daeaecbf1c6b3fb993d557a6e47161688908c62ca0d9c598b04d31fe1c683f64074fc3e03438fd5dfad1881e263fd8e93a3ed23a994ad32ce7e09fbaca6b9982"], &(0x7f0000000480)='syzkaller\x00', 0x6, 0x0, 0x0, 0x0, 0x48, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, 0x0, 0x0)
socket$kcm(0x10, 0x2, 0x0)
socket$kcm(0x29, 0x5, 0x0)

program crashed: KASAN: slab-out-of-bounds Read in atomic_ptr_type_ok
testing program (duration=1m17.199932287s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$MAP_UPDATE_ELEM_TAIL_CALL-socket$kcm
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000009c0)={0x17, 0x3, &(0x7f00000004c0)=ANY=[@ANYBLOB="c3ae00fe1001000071101a0000000000950000000000000065dcdc741924adb0bbed87854d63332dbfef6c8fc8603a33e2ce107b3a6e60711704e3aac52c108c020400b37f44a327808d5073040e1054bccb5cbedb061d233aa6691381ae337e5b399d627a7b0f28b9f1d01279ca0eaa11daeaecbf1c6b3fb993d557a6e47161688908c62ca0d9c598b04d31fe1c683f64074fc3e03438fd5dfad1881e263fd8e93a3ed23a994ad32ce7e09fbaca6b9982"], &(0x7f0000000480)='syzkaller\x00', 0x6, 0x0, 0x0, 0x0, 0x48, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, 0x0, 0x0)
socket$kcm(0x10, 0x2, 0x0)

program crashed: KASAN: slab-out-of-bounds Read in atomic_ptr_type_ok
testing program (duration=1m17.199932287s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$MAP_UPDATE_ELEM_TAIL_CALL
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000009c0)={0x17, 0x3, &(0x7f00000004c0)=ANY=[@ANYBLOB="c3ae00fe1001000071101a0000000000950000000000000065dcdc741924adb0bbed87854d63332dbfef6c8fc8603a33e2ce107b3a6e60711704e3aac52c108c020400b37f44a327808d5073040e1054bccb5cbedb061d233aa6691381ae337e5b399d627a7b0f28b9f1d01279ca0eaa11daeaecbf1c6b3fb993d557a6e47161688908c62ca0d9c598b04d31fe1c683f64074fc3e03438fd5dfad1881e263fd8e93a3ed23a994ad32ce7e09fbaca6b9982"], &(0x7f0000000480)='syzkaller\x00', 0x6, 0x0, 0x0, 0x0, 0x48, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, 0x0, 0x0)

program crashed: KASAN: slab-out-of-bounds Read in atomic_ptr_type_ok
testing program (duration=1m17.199932287s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000009c0)={0x17, 0x3, &(0x7f00000004c0)=ANY=[@ANYBLOB="c3ae00fe1001000071101a0000000000950000000000000065dcdc741924adb0bbed87854d63332dbfef6c8fc8603a33e2ce107b3a6e60711704e3aac52c108c020400b37f44a327808d5073040e1054bccb5cbedb061d233aa6691381ae337e5b399d627a7b0f28b9f1d01279ca0eaa11daeaecbf1c6b3fb993d557a6e47161688908c62ca0d9c598b04d31fe1c683f64074fc3e03438fd5dfad1881e263fd8e93a3ed23a994ad32ce7e09fbaca6b9982"], &(0x7f0000000480)='syzkaller\x00', 0x6, 0x0, 0x0, 0x0, 0x48, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)

program crashed: KASAN: slab-out-of-bounds Read in atomic_ptr_type_ok
testing program (duration=1m17.199932287s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, 0x0, 0x0)

program did not crash
testing program (duration=1m17.199932287s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000009c0)={0x17, 0x3, 0x0, &(0x7f0000000480)='syzkaller\x00', 0x6, 0x0, 0x0, 0x0, 0x48, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)

program did not crash
testing program (duration=1m17.199932287s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000009c0)={0x17, 0x3, &(0x7f00000004c0)=ANY=[@ANYBLOB], &(0x7f0000000480)='syzkaller\x00', 0x6, 0x0, 0x0, 0x0, 0x48, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)

program did not crash
testing program (duration=1m17.199932287s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD
detailed listing:
executing program 0:
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000009c0)={0x17, 0x3, &(0x7f00000004c0)=ANY=[@ANYBLOB="c3ae00fe1001000071101a0000000000950000000000000065dcdc741924adb0bbed87854d63332dbfef6c8fc8603a33e2ce107b3a6e60711704e3aac52c108c020400b37f44a327808d5073040e1054bccb5cbedb061d233aa6691381ae337e5b399d627a7b0f28b9f1d01279ca0eaa11daeaecbf1c6b3fb993d557a6e47161688908c62ca0d9c598b04d31fe1c683f64074fc3e03438fd5dfad1881e263fd8e93a3ed23a994ad32ce7e09fbaca6b9982"], 0x0, 0x6, 0x0, 0x0, 0x0, 0x48, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)

program did not crash
extracting C reproducer
testing compiled C program (duration=1m17.199932287s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD
program crashed: KASAN: slab-out-of-bounds Read in atomic_ptr_type_ok
simplifying C reproducer
testing compiled C program (duration=1m17.199932287s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD
program crashed: KASAN: slab-out-of-bounds Read in atomic_ptr_type_ok
testing compiled C program (duration=1m17.199932287s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD
program crashed: KASAN: slab-out-of-bounds Read in atomic_ptr_type_ok
testing compiled C program (duration=1m17.199932287s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD
program crashed: KASAN: slab-out-of-bounds Read in atomic_ptr_type_ok
testing compiled C program (duration=1m17.199932287s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD
program crashed: KASAN: slab-out-of-bounds Read in atomic_ptr_type_ok
testing compiled C program (duration=1m17.199932287s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD
program crashed: KASAN: slab-out-of-bounds Read in atomic_ptr_type_ok
testing compiled C program (duration=1m17.199932287s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD
program crashed: KASAN: slab-out-of-bounds Read in atomic_ptr_type_ok
testing compiled C program (duration=1m17.199932287s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD
program crashed: KASAN: slab-out-of-bounds Read in atomic_ptr_type_ok
reproducing took 29m40.638131071s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-out-of-bounds in is_ctx_reg kernel/bpf/verifier.c:6185 [inline]
BUG: KASAN: slab-out-of-bounds in atomic_ptr_type_ok+0x3d7/0x550 kernel/bpf/verifier.c:6223
Read of size 4 at addr ffff888141687690 by task syz-executor123/5833

CPU: 0 UID: 0 PID: 5833 Comm: syz-executor123 Not tainted 6.14.0-rc3-syzkaller-gf28214603dc6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0x16e/0x5b0 mm/kasan/report.c:521
 kasan_report+0x143/0x180 mm/kasan/report.c:634
 is_ctx_reg kernel/bpf/verifier.c:6185 [inline]
 atomic_ptr_type_ok+0x3d7/0x550 kernel/bpf/verifier.c:6223
 check_atomic_store kernel/bpf/verifier.c:7804 [inline]
 check_atomic kernel/bpf/verifier.c:7841 [inline]
 do_check+0x89dd/0xedd0 kernel/bpf/verifier.c:19334
 do_check_common+0x1678/0x2080 kernel/bpf/verifier.c:22600
 do_check_main kernel/bpf/verifier.c:22691 [inline]
 bpf_check+0x165c8/0x1cca0 kernel/bpf/verifier.c:23821
 bpf_prog_load+0x1664/0x20e0 kernel/bpf/syscall.c:2967
 __sys_bpf+0x4ea/0x820 kernel/bpf/syscall.c:5811
 __do_sys_bpf kernel/bpf/syscall.c:5918 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5916 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5916
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1f2cd90ab9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc7b0c8c98 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f2cd90ab9
RDX: 0000000000000094 RSI: 00004000000009c0 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000006
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
 </TASK>

Allocated by task 5833:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4325
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 do_check_common+0x1ec/0x2080 kernel/bpf/verifier.c:22499
 do_check_main kernel/bpf/verifier.c:22691 [inline]
 bpf_check+0x165c8/0x1cca0 kernel/bpf/verifier.c:23821
 bpf_prog_load+0x1664/0x20e0 kernel/bpf/syscall.c:2967
 __sys_bpf+0x4ea/0x820 kernel/bpf/syscall.c:5811
 __do_sys_bpf kernel/bpf/syscall.c:5918 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5916 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5916
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888141687000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 312 bytes to the right of
 allocated 1368-byte region [ffff888141687000, ffff888141687558)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x141680
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff88801b042000 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
head: 057ff00000000040 ffff88801b042000 dead000000000100 dead000000000122
head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
head: 057ff00000000003 ffffea000505a001 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 3345122747, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f4/0x240 mm/page_alloc.c:1585
 prep_new_page mm/page_alloc.c:1593 [inline]
 get_page_from_freelist+0x3a8c/0x3c20 mm/page_alloc.c:3538
 __alloc_frozen_pages_noprof+0x264/0x580 mm/page_alloc.c:4805
 alloc_pages_mpol+0x311/0x660 mm/mempolicy.c:2270
 alloc_slab_page mm/slub.c:2423 [inline]
 allocate_slab+0x8f/0x3a0 mm/slub.c:2587
 new_slab mm/slub.c:2640 [inline]
 ___slab_alloc+0xc27/0x14a0 mm/slub.c:3826
 __slab_alloc+0x58/0xa0 mm/slub.c:3916
 __slab_alloc_node mm/slub.c:3991 [inline]
 slab_alloc_node mm/slub.c:4152 [inline]
 __kmalloc_cache_noprof+0x27b/0x390 mm/slub.c:4320
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 acpi_ds_create_walk_state+0x103/0x2a0 drivers/acpi/acpica/dswstate.c:518
 acpi_ds_call_control_method+0x136/0x7c0 drivers/acpi/acpica/dsmethod.c:498
 acpi_ps_parse_aml+0x2df/0x960 drivers/acpi/acpica/psparse.c:503
 acpi_ps_execute_method+0x74d/0x880 drivers/acpi/acpica/psxface.c:190
 acpi_ns_evaluate+0x5df/0xa40 drivers/acpi/acpica/nseval.c:205
 acpi_evaluate_object+0x59b/0xaf0 drivers/acpi/acpica/nsxfeval.c:354
 map_mat_entry drivers/acpi/processor_core.c:241 [inline]
 acpi_get_phys_id+0xa5/0xd00 drivers/acpi/processor_core.c:274
 acpi_get_cpuid+0x28/0x1f0 drivers/acpi/processor_core.c:332
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888141687580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888141687600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888141687680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff888141687700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888141687780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-out-of-bounds in is_ctx_reg kernel/bpf/verifier.c:6185 [inline]
BUG: KASAN: slab-out-of-bounds in atomic_ptr_type_ok+0x3d7/0x550 kernel/bpf/verifier.c:6223
Read of size 4 at addr ffff888141687690 by task syz-executor123/5833

CPU: 0 UID: 0 PID: 5833 Comm: syz-executor123 Not tainted 6.14.0-rc3-syzkaller-gf28214603dc6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0x16e/0x5b0 mm/kasan/report.c:521
 kasan_report+0x143/0x180 mm/kasan/report.c:634
 is_ctx_reg kernel/bpf/verifier.c:6185 [inline]
 atomic_ptr_type_ok+0x3d7/0x550 kernel/bpf/verifier.c:6223
 check_atomic_store kernel/bpf/verifier.c:7804 [inline]
 check_atomic kernel/bpf/verifier.c:7841 [inline]
 do_check+0x89dd/0xedd0 kernel/bpf/verifier.c:19334
 do_check_common+0x1678/0x2080 kernel/bpf/verifier.c:22600
 do_check_main kernel/bpf/verifier.c:22691 [inline]
 bpf_check+0x165c8/0x1cca0 kernel/bpf/verifier.c:23821
 bpf_prog_load+0x1664/0x20e0 kernel/bpf/syscall.c:2967
 __sys_bpf+0x4ea/0x820 kernel/bpf/syscall.c:5811
 __do_sys_bpf kernel/bpf/syscall.c:5918 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5916 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5916
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1f2cd90ab9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc7b0c8c98 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f2cd90ab9
RDX: 0000000000000094 RSI: 00004000000009c0 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000006
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
 </TASK>

Allocated by task 5833:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4325
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 do_check_common+0x1ec/0x2080 kernel/bpf/verifier.c:22499
 do_check_main kernel/bpf/verifier.c:22691 [inline]
 bpf_check+0x165c8/0x1cca0 kernel/bpf/verifier.c:23821
 bpf_prog_load+0x1664/0x20e0 kernel/bpf/syscall.c:2967
 __sys_bpf+0x4ea/0x820 kernel/bpf/syscall.c:5811
 __do_sys_bpf kernel/bpf/syscall.c:5918 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5916 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5916
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888141687000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 312 bytes to the right of
 allocated 1368-byte region [ffff888141687000, ffff888141687558)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x141680
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff88801b042000 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
head: 057ff00000000040 ffff88801b042000 dead000000000100 dead000000000122
head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
head: 057ff00000000003 ffffea000505a001 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 3345122747, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f4/0x240 mm/page_alloc.c:1585
 prep_new_page mm/page_alloc.c:1593 [inline]
 get_page_from_freelist+0x3a8c/0x3c20 mm/page_alloc.c:3538
 __alloc_frozen_pages_noprof+0x264/0x580 mm/page_alloc.c:4805
 alloc_pages_mpol+0x311/0x660 mm/mempolicy.c:2270
 alloc_slab_page mm/slub.c:2423 [inline]
 allocate_slab+0x8f/0x3a0 mm/slub.c:2587
 new_slab mm/slub.c:2640 [inline]
 ___slab_alloc+0xc27/0x14a0 mm/slub.c:3826
 __slab_alloc+0x58/0xa0 mm/slub.c:3916
 __slab_alloc_node mm/slub.c:3991 [inline]
 slab_alloc_node mm/slub.c:4152 [inline]
 __kmalloc_cache_noprof+0x27b/0x390 mm/slub.c:4320
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 acpi_ds_create_walk_state+0x103/0x2a0 drivers/acpi/acpica/dswstate.c:518
 acpi_ds_call_control_method+0x136/0x7c0 drivers/acpi/acpica/dsmethod.c:498
 acpi_ps_parse_aml+0x2df/0x960 drivers/acpi/acpica/psparse.c:503
 acpi_ps_execute_method+0x74d/0x880 drivers/acpi/acpica/psxface.c:190
 acpi_ns_evaluate+0x5df/0xa40 drivers/acpi/acpica/nseval.c:205
 acpi_evaluate_object+0x59b/0xaf0 drivers/acpi/acpica/nsxfeval.c:354
 map_mat_entry drivers/acpi/processor_core.c:241 [inline]
 acpi_get_phys_id+0xa5/0xd00 drivers/acpi/processor_core.c:274
 acpi_get_cpuid+0x28/0x1f0 drivers/acpi/processor_core.c:332
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888141687580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888141687600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888141687680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff888141687700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888141687780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================