------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in kernel/locking/qspinlock.h:68:9
index 16382 is out of range for type 'long unsigned int [8]'
CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
ubsan_epilogue+0xa/0x30 lib/ubsan.c:233
__ubsan_handle_out_of_bounds+0xcc/0xf0 lib/ubsan.c:455
decode_tail kernel/locking/qspinlock.h:68 [inline]
__pv_queued_spin_lock_slowpath+0xbd7/0xc00 kernel/locking/qspinlock.c:285
pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt-spinlock.h:35 [inline]
queued_spin_lock_slowpath arch/x86/include/asm/paravirt-spinlock.h:66 [inline]
queued_spin_lock include/asm-generic/qspinlock.h:114 [inline]
do_raw_spin_lock+0x1e0/0x260 kernel/locking/spinlock_debug.c:116
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock_irqsave+0x42/0x60 kernel/locking/spinlock.c:166
complete_with_flags kernel/sched/completion.c:25 [inline]
complete+0x1d/0x200 kernel/sched/completion.c:52
transfer drivers/usb/gadget/udc/dummy_hcd.c:1527 [inline]
dummy_timer+0x121c/0x36c0 drivers/usb/gadget/udc/dummy_hcd.c:1989
__run_hrtimer kernel/time/hrtimer.c:2032 [inline]
__hrtimer_run_queues+0x462/0x9c0 kernel/time/hrtimer.c:2096
hrtimer_run_softirq+0x17d/0x2c0 kernel/time/hrtimer.c:2113
handle_softirqs+0x1ea/0x9b0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x162/0x210 kernel/softirq.c:735
irq_exit_rcu+0x9/0x30 kernel/softirq.c:752
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline]
sysvec_apic_timer_interrupt+0xa3/0xc0 arch/x86/kernel/apic/apic.c:1062
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674
RIP: 0010:pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:64
Code: 96 88 02 c3 cc cc cc cc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 23 d8 14 00 fb f4 fc 48 03 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
RSP: 0018:ffffc90000187e00 EFLAGS: 00000246
RAX: 000000000156ed14 RBX: ffff88801eaaca80 RCX: ffffffff8b96c2d5
RDX: 0000000000000001 RSI: ffffffff8c1d2700 RDI: ffffffff81de3aa7
RBP: ffffed1003d55950 R08: 0000000000000000 R09: ffffed100d4c678d
R10: ffff88806a633c6b R11: ffffffff81d50f9c R12: 0000000000000000
R13: 0000000000000000 R14: 1ffff92000030fc4 R15: dffffc0000000000
arch_safe_halt arch/x86/include/asm/paravirt.h:62 [inline]
default_idle+0x9/0x10 arch/x86/kernel/process.c:767
default_idle_call+0x6c/0xb0 kernel/sched/idle.c:122
cpuidle_idle_call kernel/sched/idle.c:199 [inline]
do_idle+0x3a7/0x5b0 kernel/sched/idle.c:355
cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:454
start_secondary+0x21d/0x2d0 arch/x86/kernel/smpboot.c:312
common_startup_64+0x13e/0x158
---[ end trace ]---
----------------
Code disassembly (best guess):
0: 96 xchg %eax,%esi
1: 88 02 mov %al,(%rdx)
3: c3 ret
4: cc int3
5: cc int3
6: cc int3
7: cc int3
8: 0f 1f 00 nopl (%rax)
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: 90 nop
18: 90 nop
19: 90 nop
1a: 90 nop
1b: f3 0f 1e fa endbr64
1f: eb 07 jmp 0x28
21: 0f 00 2d 23 d8 14 00 verw 0x14d823(%rip) # 0x14d84b
28: fb sti
29: f4 hlt
* 2a: e9 fc 48 03 00 jmp 0x3492b <-- trapping instruction
2f: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
36: 00 00 00
39: 66 90 xchg %ax,%ax
3b: 90 nop
3c: 90 nop
3d: 90 nop
3e: 90 nop
3f: 90 nop