general protection fault in stack_depot_save_flags
From: Zijing Yin
Date: Tue Jun 09 2026 - 12:14:36 EST
Hi,

Fuzzing v7.1-rc1 (98878ed91b68) with syzkaller on a KASAN build, I hit
the general protection fault below in stack_depot_save_flags().

The syzkaller reproducer (repro.prog) and the kernel .config
(repro.config) are attached. It reproduces when the reproducer is
replayed on a KASAN kernel, though not on every run (roughly 1 VM in 4
within a few minutes); the crash is still reachable on the current
mainline tip. I can send the full dmesg, the disk image, or test a
debugging patch on request.

Repro: https://bugzilla.kernel.org/attachment.cgi?id=310286
Config: https://bugzilla.kernel.org/attachment.cgi?id=310285

Full splat:

Oops: general protection fault, probably for non-canonical address 0xf4da3160ff110011: 0000 [#1] KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xa6d1ab07f8880088-0xa6d1ab07f888008f]
CPU: 0 UID: 0 PID: 10953 Comm: syz.0.1921 Tainted: G S B 7.1.0-rc1-g98878ed91b68-dirty #3 PREEMPT(lazy)
Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:stack_depot_save_flags+0x1ac/0x820 lib/stackdepot.c:610
Code: 00 00 31 f6 4c 89 45 c0 4c 89 55 b8 e8 cd e5 fd ff 4c 8b 55 b8 4c 8b 45 c0 8b 75 d0 45 85 e4 75 67 4d 8b 6d 00 4d 39 c5 74 5b <41> 39 5d 10 75 f1 45 39 55 14 75 eb 31 c0 49 8b 0c c7 49 3b 4c c5
RSP: 0018:ffffffff89a12a10 EFLAGS: 00010287
RAX: ff110001f4140000 RBX: 000000006b5c6315 RCX: 0000000000c63150
RDX: 00000000c41db1cd RSI: 0000000000000001 RDI: 00000000e8904c26
RBP: ffffffff89a12a60 R08: ff110001f4da3150 R09: 00000000b77a3f78
R10: 000000000000000c R11: ffffffff81415390 R12: 0000000000000000
R13: f4da3160ff110001 R14: 000000000000000c R15: ffffffff89a12a70
FS: 00007f45dee1d6c0(0000) GS:0000000000000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f13f3f33950 CR3: 0000000131132002 CR4: 0000000000771ef0
PKRU: 80000000
Call Trace:
<IRQ>
kasan_save_stack mm/kasan/common.c:58 [inline]
kasan_save_track+0x40/0x70 mm/kasan/common.c:78
kasan_save_free_info+0x4a/0x60 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x47/0x70 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2689 [inline]
__rcu_free_sheaf_prepare+0x11d/0x2b0 mm/slub.c:2940
rcu_free_sheaf+0x32/0x170 mm/slub.c:5845
rcu_core+0x7de/0x1760 kernel/rcu/tree.c:2617
rcu_core_si+0xd/0x20 kernel/rcu/tree.c:2886
handle_softirqs+0x202/0x700 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x4b/0xf0 kernel/softirq.c:735
irq_exit_rcu+0xd/0x20 kernel/softirq.c:752
sysvec_apic_timer_interrupt+0x77/0x90 arch/x86/kernel/apic/apic.c:1061
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:697
RIP: 0010:memmove+0x1e/0x1b0 arch/x86/lib/memmove_64.S:45
Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 89 f8 48 39 fe 7d 0f 49 89 f0 49 01 d0 49 39 f8 0f 8f b5 00 00 00 48 89 d1 <f3> a4 e9 96 ac d3 f8 66 2e 0f 1f 84 00 00 00 00 00 48 81 fa a8 02
RSP: 0018:ff11000111b768c8 EFLAGS: 00000206
RAX: ff11000189893ea4 RBX: fffffffffffffff0 RCX: ffffffff946612ec
RDX: fffffffffffffff0 RSI: ff110001f5232bbc RDI: ff110001f5232ba8
RBP: ff11000111b768f8 R08: ff11000189893e94 R09: 0000000000000000
R10: 00000000ffffffc3 R11: 0000000000000002 R12: 0000000000000000
R13: ffffffff82759003 R14: ff11000189893eb8 R15: ff11000189893ea4
ext4_xattr_set_entry+0xc13/0x2390 fs/ext4/xattr.c:1763
ext4_xattr_ibody_set+0x29e/0x740 fs/ext4/xattr.c:2275
ext4_destroy_inline_data_nolock+0x24b/0x630 fs/ext4/inline.c:472
ext4_destroy_inline_data+0x87/0x100 fs/ext4/inline.c:1806
ext4_do_writepages+0x5c7/0x4e40 fs/ext4/inode.c:2827
ext4_writepages+0x213/0x390 fs/ext4/inode.c:3042
do_writepages+0x389/0x5c0 mm/page-writeback.c:2575
file_write_and_wait_range+0x2f6/0x390 mm/filemap.c:388
mmb_fsync_noflush+0x87/0x240 fs/buffer.c:645
ext4_sync_file+0x3aa/0xba0 fs/ext4/fsync.c:92
vfs_fsync_range+0x168/0x190 fs/sync.c:186
ext4_buffered_write_iter+0x752/0x8a0 include/linux/fs.h:2654
ext4_file_write_iter+0x707/0x1bf0
aio_write+0x597/0x830 fs/aio.c:1688
io_submit_one+0xa8c/0x16d0
__se_sys_io_submit+0x1a7/0x340 fs/aio.c:2166
__x64_sys_io_submit+0x7f/0x90 fs/aio.c:2136
x64_sys_call+0x19e8/0x3030 arch/x86/include/generated/asm/syscalls_64.h:210
do_syscall_64+0xf7/0x3e0 arch/x86/entry/syscall_64.c:63
entry_SYSCALL_64_after_hwframe+0x74/0x7c
RIP: 0033:0x7f45e0c20a3d
RSP: 002b:00007f45dee1d048 EFLAGS: 00000212 ORIG_RAX: 00000000000000d1
RAX: ffffffffffffffda RBX: 00007f45e0ca065a RCX: 00007f45e0c20a3d
RDX: 0000200000002680 RSI: 0000000000000001 RDI: 00007f45ded79000
RBP: 00007f45dee1d080 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00007f45dee1d6c0
R13: ffffffffffffffb0 R14: 000000000000006e R15: 00007ffe972c9960
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---

Thanks,
Zijing Yin <yzjaurora@xxxxxxxxx>