BUG: TASK stack guard page was hit at ffffc9000200fff8 (stack is ffffc90002010000..ffffc90002018000)
Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 787 Comm: syz.4.141 Not tainted syzkaller #0 93fdfe3663caa6d824c2578ca6c3b1aacfeda3e9
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:cpuacct_charge+0x10/0x190 kernel/sched/cpuacct.c:335
Code: 70 a6 ff 5d c3 cc cc cc cc cc b8 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 55 48 89 e5 41 57 41 56 41 55 41 54 <53> 48 83 ec 10 48 89 75 c8 49 89 ff 48 bb 00 00 00 00 00 fc ff df
RSP: 0018:ffffc90002010000 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000007ec0 RCX: dffffc0000000000
RDX: 0000000000000001 RSI: 0000000000007ec0 RDI: ffff88811fa25f00
RBP: ffffc90002010020 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000402044 R12: ffff88811fa25f00
R13: ffff88811f260b58 R14: ffff88811fa25fc0 R15: ffff88811f260a00
FS:  00007fa829efa6c0(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000200fff8 CR3: 0000000121162000 CR4: 00000000003526b0
Call Trace:
 <TASK>
 cgroup_account_cputime include/linux/cgroup.h:720 [inline]
 update_se+0x213/0x410 kernel/sched/fair.c:1241
 update_curr+0xf8/0x9e0 kernel/sched/fair.c:1286
 put_prev_entity+0x41/0x160 kernel/sched/fair.c:5707
 pick_next_task_fair+0x5f8/0x770 kernel/sched/fair.c:9091
 __pick_next_task kernel/sched/core.c:6676 [inline]
 pick_next_task kernel/sched/core.c:7196 [inline]
 __schedule+0x667/0x1ea0 kernel/sched/core.c:7790
 preempt_schedule_irq+0xab/0x110 kernel/sched/core.c:8190
 raw_irqentry_exit_cond_resched+0x32/0x40 kernel/entry/common.c:311
 irqentry_exit+0x4a/0x60 kernel/entry/common.c:354
 sysvec_apic_timer_interrupt+0x50/0x90 arch/x86/kernel/apic/apic.c:1049
 asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:702
RIP: 0010:update_stack_state+0x36f/0x4b0 arch/x86/kernel/unwind_frame.c:244
Code: 03 49 bc 00 00 00 00 00 fc ff df 42 80 3c 20 00 74 08 4c 89 f7 e8 11 b7 9a 00 48 8b 45 d0 49 89 06 48 8b 45 98 42 80 3c 20 00 <4c> 8b 75 c8 4c 8b 6d c0 74 08 4c 89 f7 e8 ef b6 9a 00 49 c7 06 00
RSP: 0018:ffffc900020105c0 EFLAGS: 00000246
RAX: 1ffff920004020fc RBX: ffffc90002010788 RCX: ffffc90002010801
RDX: ffffc90002010810 RSI: 1ffff920004020f2 RDI: ffffc900020107e0
RBP: ffffc90002010680 R08: ffffc90002010701 R09: 0000000000000000
R10: ffffc90002010788 R11: fffff520004020fd R12: dffffc0000000000
R13: 0000000000000000 R14: ffffc900020107c0 R15: 1ffff920004020f9
 unwind_next_frame+0x3c1/0x750 arch/x86/kernel/unwind_frame.c:315
 __unwind_start+0x34c/0x410 arch/x86/kernel/unwind_frame.c:417
 unwind_start arch/x86/include/asm/unwind.h:64 [inline]
 arch_stack_walk+0xf2/0x170 arch/x86/kernel/stacktrace.c:24
 stack_trace_save+0xaa/0x100 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:49 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:70
 kasan_save_free_info+0x4a/0x60 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:249 [inline]
 __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:266
 kasan_slab_free include/linux/kasan.h:234 [inline]
 slab_free_hook mm/slub.c:2445 [inline]
 slab_free mm/slub.c:4714 [inline]
 kfree+0x158/0x440 mm/slub.c:4871
 krealloc_noprof+0xfa/0x130 mm/slab_common.c:-1
 <kernel::alloc::allocator::ReallocFunc>::call rust/kernel/alloc/allocator.rs:102 [inline]
 <kernel::alloc::allocator::Kmalloc as kernel::alloc::Allocator>::realloc rust/kernel/alloc/allocator.rs:141 [inline]
 <kernel::alloc::allocator::Kmalloc as kernel::alloc::Allocator>::free+0xc6/0x200 rust/kernel/alloc.rs:214
 <kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::process::NodeRefInfo>, kernel::alloc::allocator::Kmalloc> as core::ops::drop::Drop>::drop rust/kernel/alloc/kbox.rs:492 [inline]
 core::ptr::drop_in_place::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::process::NodeRefInfo>, kernel::alloc::allocator::Kmalloc>> usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:804 [inline]
 core::mem::drop::<kernel::alloc::kbox::Box<kernel::sync::arc::ArcInner<rust_binder_main::process::NodeRefInfo>, kernel::alloc::allocator::Kmalloc>> usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:961 [inline]
 <kernel::sync::arc::Arc<rust_binder_main::process::NodeRefInfo> as core::ops::drop::Drop>::drop+0x1a9/0x2b0 rust/kernel/sync/arc.rs:404
 core::ptr::drop_in_place::<kernel::sync::arc::Arc<rust_binder_main::process::NodeRefInfo>> usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:804 [inline]
 core::ptr::drop_in_place::<kernel::list::arc::ListArc<rust_binder_main::process::NodeRefInfo, 15493408726748792400>> usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:804 [inline]
 core::ptr::drop_in_place::<core::option::Option<kernel::list::arc::ListArc<rust_binder_main::process::NodeRefInfo, 15493408726748792400>>> usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:804 [inline]
 <rust_binder_main::process::Process>::update_ref+0x1247/0x21a0 drivers/android/binder/process.rs:970
 <rust_binder_main::allocation::AllocationView>::cleanup_object drivers/android/binder/allocation.rs:445 [inline]
 <rust_binder_main::allocation::Allocation as core::ops::drop::Drop>::drop+0x153b/0x5360 drivers/android/binder/allocation.rs:258
 core::ptr::drop_in_place::<rust_binder_main::allocation::Allocation>+0x26/0x1a0 usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:804
 <rust_binder_main::thread::Thread>::copy_transaction_data+0x6c90/0x8370 drivers/android/binder/thread.rs:1232
 <rust_binder_main::transaction::Transaction>::new+0x390/0x2070 drivers/android/binder/transaction.rs:81
 <rust_binder_main::thread::Thread>::transaction_inner drivers/android/binder/thread.rs:1352 [inline]
 <<rust_binder_main::thread::Thread>::transaction_inner as core::ops::function::FnOnce<(&kernel::sync::arc::Arc<rust_binder_main::thread::Thread>, &rust_binder_main::defs::BinderTransactionDataSg)>>::call_once usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:250 [inline]
 <rust_binder_main::thread::Thread>::transaction::<<rust_binder_main::thread::Thread>::transaction_inner>+0x896/0x1090 drivers/android/binder/thread.rs:1327
 <rust_binder_main::thread::Thread>::write+0x1560/0xa0f0 drivers/android/binder/thread.rs:1466
 <rust_binder_main::thread::Thread>::write_read drivers/android/binder/thread.rs:1614 [inline]
 <rust_binder_main::process::Process>::ioctl_write_read drivers/android/binder/process.rs:1612 [inline]
 <rust_binder_main::process::Process>::ioctl drivers/android/binder/process.rs:1677 [inline]
 rust_binder_main::rust_binder_ioctl+0x1019/0x55c0 drivers/android/binder/rust_binder_main.rs:449
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0x135/0x1b0 fs/ioctl.c:893
 __x64_sys_ioctl+0x7f/0xa0 fs/ioctl.c:893
 x64_sys_call+0x1878/0x2ee0 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/common.c:47 [inline]
 do_syscall_64+0x57/0xf0 arch/x86/entry/common.c:78
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fa828f9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa829efa028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fa829215fa0 RCX: 00007fa828f9c799
RDX: 0000200000000100 RSI: 00000000c0306201 RDI: 0000000000000004
RBP: 00007fa829032bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa829216038 R14: 00007fa829215fa0 R15: 00007ffe7a94c068
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:cpuacct_charge+0x10/0x190 kernel/sched/cpuacct.c:335
Code: 70 a6 ff 5d c3 cc cc cc cc cc b8 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 55 48 89 e5 41 57 41 56 41 55 41 54 <53> 48 83 ec 10 48 89 75 c8 49 89 ff 48 bb 00 00 00 00 00 fc ff df
RSP: 0018:ffffc90002010000 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000007ec0 RCX: dffffc0000000000
RDX: 0000000000000001 RSI: 0000000000007ec0 RDI: ffff88811fa25f00
RBP: ffffc90002010020 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000402044 R12: ffff88811fa25f00
R13: ffff88811f260b58 R14: ffff88811fa25fc0 R15: ffff88811f260a00
FS:  00007fa829efa6c0(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000200fff8 CR3: 0000000121162000 CR4: 00000000003526b0
----------------
Code disassembly (best guess):
   0:	70 a6                	jo     0xffffffa8
   2:	ff 5d c3             	lcall  *-0x3d(%rbp)
   5:	cc                   	int3
   6:	cc                   	int3
   7:	cc                   	int3
   8:	cc                   	int3
   9:	cc                   	int3
   a:	b8 00 00 00 00       	mov    $0x0,%eax
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	90                   	nop
  15:	90                   	nop
  16:	90                   	nop
  17:	90                   	nop
  18:	90                   	nop
  19:	90                   	nop
  1a:	66 0f 1f 00          	nopw   (%rax)
  1e:	55                   	push   %rbp
  1f:	48 89 e5             	mov    %rsp,%rbp
  22:	41 57                	push   %r15
  24:	41 56                	push   %r14
  26:	41 55                	push   %r13
  28:	41 54                	push   %r12
* 2a:	53                   	push   %rbx <-- trapping instruction
  2b:	48 83 ec 10          	sub    $0x10,%rsp
  2f:	48 89 75 c8          	mov    %rsi,-0x38(%rbp)
  33:	49 89 ff             	mov    %rdi,%r15
  36:	48 bb 00 00 00 00 00 	movabs $0xdffffc0000000000,%rbx
  3d:	fc ff df