Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp7236701imm;
        Tue, 28 Aug 2018 08:31:46 -0700 (PDT)
X-Google-Smtp-Source: ANB0VdZfQPzUuiANEbl4en+K0MHmrz90oeIrugPgdaee63S5g4a60vceD6TtGrhtUpcxYvOcDDLM
X-Received: by 2002:a62:f610:: with SMTP id x16-v6mr2070374pfh.169.1535470306525;
        Tue, 28 Aug 2018 08:31:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1535470306; cv=none;
        d=google.com; s=arc-20160816;
        b=osgqu56Rwql2wfbrV1+2VvcQbaEbOJoWKa0LaF4Lms7LFGdcYH2yM1Q1GQqz6zDlGU
         pionE/O0+1fOqXInErmu7iRBkLcCXBbP9VQCaLqbl6N6KKTJhFpwGfDJEG6db9fHtbXf
         7jRHwxmvBLR1ZOpxOw1bzI+bIICDUJC42KX7bp7YoS5Xh8ae4LG2wCM1SFaG8ei5wSiw
         yp298xwDgh0RlQQozywFwX5DHLnZ/qH6gucE8Jl2rHjJyOqmrlJC694Wfy3TsZ0f7oR7
         sJs+XHtKjLZ+QukF4tCcku+PD6iEUh+nvZpCKFgGIuxq9NPTaAZUesexxxD1p7AwK2Lu
         LQMQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:to:from:subject:message-id:date
         :mime-version:arc-authentication-results;
        bh=f3vvT1ZmBjQIhW7FRy7d1D6KaoYoIgwr2V/UBBZVh+4=;
        b=F1co+wBwou7ZpkhAWeU8c6GxyxAJDCq8YZvBBbvM3SvfSpo/R9pkbtYiJCWTU48bCj
         VOYLrbSk9a7NM/LF78lum75gTdTxiOwVWlIOx6AiGtK4LapD+TdyP1pSkqCNKLhR2IKk
         B4ip75BDqHGk5LU3hqhys1jqR/mW36G2tZsWy+SzdvfcTiEzHXdLhIkt9K/9bhXyAdpv
         7/MwCcJt81Tz4HJvTwbMwAZaiatlmb267Lp24chcL9Zsf1a0HXVjJAjbDLhrX575MkSE
         l2GAFSwkimiLp+kshlUpFOoJqQGUvCKN8qwK9F0QKouEEnYlIxx0zKVHSDRK8FElUtWG
         elLw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=appspotmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q3-v6si1325715plb.102.2018.08.28.08.31.31;
        Tue, 28 Aug 2018 08:31:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=appspotmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727421AbeH1TWZ (ORCPT <rfc822;lans.zhang2008@gmail.com>
        + 99 others); Tue, 28 Aug 2018 15:22:25 -0400
Received: from mail-io0-f198.google.com ([209.85.223.198]:41096 "EHLO
        mail-io0-f198.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727308AbeH1TWO (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 28 Aug 2018 15:22:14 -0400
Received: by mail-io0-f198.google.com with SMTP id q24-v6so1662926iog.8
        for <linux-kernel@vger.kernel.org>; Tue, 28 Aug 2018 08:30:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:date:message-id:subject:from:to;
        bh=f3vvT1ZmBjQIhW7FRy7d1D6KaoYoIgwr2V/UBBZVh+4=;
        b=ru0jj4PN+fqVgxOgFhDIIhJjnNMZldEvBIVdO/9ujikWZxFagWxpflqaZuABzKT0yS
         0hXr5l6KE+xDR5SHN28xDKLs6r3baKKCtnfoSPnTLU3Yx+b7a9vNZZ+43YSB8J1aD90w
         QWhxk/l282uFbFIz45lkb6v1xq1oElHbp0pmHuy5ujugmC/9LLykbwwt9RnHOMgBvlqo
         whH/wb4XKurwcF7GMzVv+hCSZLCnVS3/qM9++ROyE9HS8eboQRRee0HsyarEYw6pDwES
         6ESKWGSA73Z3c4rvj/j6TLXDlB7RjOXjbuMg7GM01K6NSlwrdHfRGSMDnSSUt1EYoqdp
         Vz6Q==
X-Gm-Message-State: APzg51AtD9KILWmqG+RBwbyZknx0ie1XV9JAi3aLzmRO3kPqd5f7J9pu
        JagAdt5ptUO3Gd1O6AJkldy/e0vGeN55ingt9FTDN1kDFhvT
MIME-Version: 1.0
X-Received: by 2002:a24:43cb:: with SMTP id s194-v6mr995336itb.3.1535470202707;
 Tue, 28 Aug 2018 08:30:02 -0700 (PDT)
Date:   Tue, 28 Aug 2018 08:30:02 -0700
X-Google-Appengine-App-Id: s~syzkaller
X-Google-Appengine-App-Id-Alias: syzkaller
Message-ID: <000000000000fef39305748083ae@google.com>
Subject: KASAN: stack-out-of-bounds Read in __schedule
From:   syzbot <syzbot+45a34334c61a8ecf661d@syzkaller.appspotmail.com>
To:     jack@suse.com, linux-ext4@vger.kernel.org,
        linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
        tytso@mit.edu
Content-Type: text/plain; charset="UTF-8"; format=flowed; delsp=yes
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

syzbot found the following crash on:

HEAD commit:    5b394b2ddf03 Linux 4.19-rc1
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14f4d8e1400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=49927b422dcf0b29
dashboard link: https://syzkaller.appspot.com/bug?extid=45a34334c61a8ecf661d
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13127e5a400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+45a34334c61a8ecf661d@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
==================================================================
BUG: KASAN: stack-out-of-bounds in schedule_debug kernel/sched/core.c:3285  
[inline]
BUG: KASAN: stack-out-of-bounds in __schedule+0x1977/0x1df0  
kernel/sched/core.c:3395
Read of size 8 at addr ffff8801ad090000 by task syz-executor0/4718

CPU: 0 PID: 4718 Comm: syz-executor0 Not tainted 4.19.0-rc1+ #211
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:

The buggy address belongs to the page:
page:ffffea0006b42400 count:1 mapcount:-512 mapping:0000000000000000  
index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 dead000000000100 dead000000000200 0000000000000000
raw: 0000000000000000 0000000000000000 00000001fffffdff ffff8801d29544c0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff8801d29544c0

Memory state around the buggy address:
  ffff8801ad08ff00: f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 00 00
  ffff8801ad08ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
> ffff8801ad090000: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2
                    ^
  ffff8801ad090080: f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 00 00 00 00
  ffff8801ad090100: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
==================================================================
Kernel panic - not syncing: panic_on_warn set ...

BUG: unable to handle kernel paging request at 0000000100000007
PGD 1b34a2067 P4D 1b34a2067 PUD 0
Oops: 0000 [#1] SMP KASAN
CPU: 1 PID: 4325 Comm: rs:main Q:Reg Tainted: G    B              
4.19.0-rc1+ #211
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
RIP: 0010:find_stack lib/stackdepot.c:188 [inline]
RIP: 0010:depot_save_stack+0x120/0x470 lib/stackdepot.c:238
Code: 0f 00 4e 8b 24 f5 e0 db ae 89 4d 85 e4 0f 84 d4 00 00 00 44 8d 47 ff  
49 c1 e0 03 eb 0d 4d 8b 24 24 4d 85 e4 0f 84 bd 00 00 00 <41> 39 5c 24 08  
75 ec 41 3b 7c 24 0c 75 e5 48 8b 01 49 39 44 24 18
RSP: 0018:ffff8801b2636f40 EFLAGS: 00010006
RAX: 0000000084727a0d RBX: 00000000222ca320 RCX: ffff8801b2636fa0
RDX: 000000004e510a9d RSI: 0000000000400000 RDI: 0000000000000012
RBP: ffff8801b2636f78 R08: 0000000000000088 R09: 00000000dcf06c78
R10: 00000000ecfd654a R11: ffff8801db1236f3 R12: 00000000ffffffff
R13: ffff8801b2636f88 R14: 00000000000ca320 R15: ffff8801b2a72680
FS:  00007ff2eb061700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000100000007 CR3: 00000001b4fdd000 CR4: 00000000001406e0
Call Trace:
  save_stack+0xa9/0xd0 mm/kasan/kasan.c:454
  set_track mm/kasan/kasan.c:460 [inline]
  __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
  kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
  __cache_free mm/slab.c:3498 [inline]
  kmem_cache_free+0x86/0x280 mm/slab.c:3756
  jbd2_free_handle include/linux/jbd2.h:1426 [inline]
  jbd2_journal_stop+0x443/0x1600 fs/jbd2/transaction.c:1787
  __ext4_journal_stop+0xde/0x1f0 fs/ext4/ext4_jbd2.c:103
  ext4_dirty_inode+0xab/0xc0 fs/ext4/inode.c:6027
  __mark_inode_dirty+0x760/0x1300 fs/fs-writeback.c:2129
  generic_update_time+0x26a/0x450 fs/inode.c:1651
  update_time fs/inode.c:1667 [inline]
  file_update_time+0x390/0x640 fs/inode.c:1877
  __generic_file_write_iter+0x1dc/0x630 mm/filemap.c:3214
  ext4_file_write_iter+0x390/0x1450 fs/ext4/file.c:266
  call_write_iter include/linux/fs.h:1807 [inline]
  new_sync_write fs/read_write.c:474 [inline]
  __vfs_write+0x6af/0x9d0 fs/read_write.c:487
  vfs_write+0x1fc/0x560 fs/read_write.c:549
  ksys_write+0x101/0x260 fs/read_write.c:598
  __do_sys_write fs/read_write.c:610 [inline]
  __se_sys_write fs/read_write.c:607 [inline]
  __x64_sys_write+0x73/0xb0 fs/read_write.c:607
  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7ff2ecabf19d
Code: d1 20 00 00 75 10 b8 01 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48  
83 ec 08 e8 be fa ff ff 48 89 04 24 b8 01 00 00 00 0f 05 <48> 8b 3c 24 48  
89 c2 e8 07 fb ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ff2eb05ff90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000400 RCX: 00007ff2ecabf19d
RDX: 0000000000000400 RSI: 0000000002089a90 RDI: 0000000000000005
RBP: 0000000002089a90 R08: 00000000020d9e00 R09: 656c6c616b7a7973
R10: 6c656e72656b2072 R11: 0000000000000293 R12: 0000000000000000
R13: 00007ff2eb060410 R14: 00000000020d9e00 R15: 0000000002089890
Modules linked in:
Dumping ftrace buffer:
    (ftrace buffer empty)
CR2: 0000000100000007
---[ end trace fbf1ba842de6c894 ]---
RIP: 0010:find_stack lib/stackdepot.c:188 [inline]
RIP: 0010:depot_save_stack+0x120/0x470 lib/stackdepot.c:238
Code: 0f 00 4e 8b 24 f5 e0 db ae 89 4d 85 e4 0f 84 d4 00 00 00 44 8d 47 ff  
49 c1 e0 03 eb 0d 4d 8b 24 24 4d 85 e4 0f 84 bd 00 00 00 <41> 39 5c 24 08  
75 ec 41 3b 7c 24 0c 75 e5 48 8b 01 49 39 44 24 18
RSP: 0018:ffff8801b2636f40 EFLAGS: 00010006
RAX: 0000000084727a0d RBX: 00000000222ca320 RCX: ffff8801b2636fa0
RDX: 000000004e510a9d RSI: 0000000000400000 RDI: 0000000000000012
RBP: ffff8801b2636f78 R08: 0000000000000088 R09: 00000000dcf06c78
R10: 00000000ecfd654a R11: ffff8801db1236f3 R12: 00000000ffffffff
R13: ffff8801b2636f88 R14: 00000000000ca320 R15: ffff8801b2a72680
FS:  00007ff2eb061700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000100000007 CR3: 00000001b4fdd000 CR4: 00000000001406e0
Shutting down cpus with NMI
Dumping ftrace buffer:
    (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches