Created attachment 300299 [details] poc.c I tested the Linux kernel at version 5.16.0-rc4 and encountered the following kernel bug (KASAN report below). ================================================================== BUG: KASAN: stack-out-of-bounds in profile_pc+0x112/0x120 arch/x86/kernel/time.c:42 Read of size 8 at addr ffff88811e2afcb8 by task syz-executor329/384 CPU: 1 PID: 384 Comm: syz-executor329 Not tainted 5.16.0-rc4+ #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x4c/0x64 lib/dump_stack.c:106 print_address_description.constprop.9+0x21/0x150 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] kasan_report.cold.14+0x7f/0x11b mm/kasan/report.c:450 profile_pc+0x112/0x120 arch/x86/kernel/time.c:42 profile_tick+0x98/0xe0 kernel/profile.c:409 tick_sched_timer+0xd4/0x100 kernel/time/tick-sched.c:1428 __run_hrtimer kernel/time/hrtimer.c:1685 [inline] __hrtimer_run_queues+0x2cd/0x6c0 kernel/time/hrtimer.c:1749 hrtimer_interrupt+0x2fd/0x730 kernel/time/hrtimer.c:1811 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1086 [inline] __sysvec_apic_timer_interrupt+0x11e/0x380 arch/x86/kernel/apic/apic.c:1103 sysvec_apic_timer_interrupt+0x85/0xb0 arch/x86/kernel/apic/apic.c:1097 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638 RIP: 0010:arch_atomic_try_cmpxchg arch/x86/include/asm/atomic.h:202 [inline] RIP: 0010:atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:513 [inline] RIP: 0010:queued_spin_lock include/asm-generic/qspinlock.h:82 [inline] RIP: 0010:do_raw_spin_lock include/linux/spinlock.h:185 [inline] RIP: 0010:__raw_spin_lock include/linux/spinlock_api_smp.h:134 [inline] RIP: 0010:_raw_spin_lock+0x8f/0xd0 kernel/locking/spinlock.c:154 Code: df c7 44 24 20 00 00 00 00 e8 9d 74 ca fd be 04 00 00 00 48 8d 7c 24 20 e8 8e 74 ca fd ba 01 00 00 00 8b 44 24 20 f0 0f b1 13 <75> 2a 48 b8 00 00 00 00 00 
fc ff df 48 c7 44 05 00 00 00 00 00 48 RSP: 0000:ffff88811e2afcb8 EFLAGS: 00000246 RAX: 0000000000000000 RBX: ffff88811b129b74 RCX: ffffffffa8591852 RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff88811e2afcd8 RBP: 1ffff11023c55f97 R08: 0000000000000004 R09: ffffed1023c55f9b R10: 0000000000000003 R11: ffffed1023c55f9b R12: ffff88811b129b00 R13: ffff88811d839000 R14: ffff88811b129b00 R15: ffff88811b129b74 spin_lock include/linux/spinlock.h:349 [inline] pud_lock include/linux/mm.h:2483 [inline] __pmd_alloc+0x178/0x4d0 mm/memory.c:4862 pmd_alloc include/linux/mm.h:2282 [inline] __handle_mm_fault+0xc92/0x1db0 mm/memory.c:4648 handle_mm_fault+0x114/0x430 mm/memory.c:4784 do_user_addr_fault+0x3c7/0xe70 arch/x86/mm/fault.c:1397 handle_page_fault arch/x86/mm/fault.c:1485 [inline] exc_page_fault+0x83/0x140 arch/x86/mm/fault.c:1541 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:568 RIP: 0033:0x7fb58e2c1a06 Code: 48 8d 35 3b 37 09 00 e8 b8 09 00 00 b8 00 00 00 20 b9 15 00 00 00 45 31 c0 48 89 c7 48 8d 35 32 37 09 00 31 c0 ba 00 00 00 20 <f3> a4 b9 41 00 0c 00 48 c7 c6 9c ff ff ff bf 01 01 00 00 e8 82 a6 RSP: 002b:00007ffc6ce8c1f0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000015 RDX: 0000000020000000 RSI: 00007fb58e355131 RDI: 0000000020000000 RBP: 00007ffc6ce8c1f4 R08: 0000000000000000 R09: 0000000000000004 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 000000000000a795 R14: 0000000000000000 R15: 0000000000000000 </TASK> The buggy address belongs to the page: page:000000001a6e91f3 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e2af flags: 0x200000000000000(node=0|zone=2) raw: 0200000000000000 0000000000000000 ffffea000478abc8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected addr ffff88811e2afcb8 is located in stack of task syz-executor329/384 at offset 0 in frame: _raw_spin_lock+0x0/0xd0 
kernel/locking/spinlock.c:163 this frame has 1 object: [32, 36) 'val' Memory state around the buggy address: ffff88811e2afb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88811e2afc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88811e2afc80: 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 00 ^ ffff88811e2afd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88811e2afd80: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 ================================================================== ---------------- Code disassembly (best guess): 0: df c7 ffreep %st(7) 2: 44 24 20 rex.R and $0x20,%al 5: 00 00 add %al,(%rax) 7: 00 00 add %al,(%rax) 9: e8 9d 74 ca fd callq 0xfdca74ab e: be 04 00 00 00 mov $0x4,%esi 13: 48 8d 7c 24 20 lea 0x20(%rsp),%rdi 18: e8 8e 74 ca fd callq 0xfdca74ab 1d: ba 01 00 00 00 mov $0x1,%edx 22: 8b 44 24 20 mov 0x20(%rsp),%eax 26: f0 0f b1 13 lock cmpxchg %edx,(%rbx) * 2a: 75 2a jne 0x56 <-- trapping instruction 2c: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 33: fc ff df 36: 48 c7 44 05 00 00 00 movq $0x0,0x0(%rbp,%rax,1) 3d: 00 00 3f: 48 rex.W