BUG: TASK stack guard page was hit at ffffc9000e217ff8 (stack is ffffc9000e218000..ffffc9000e220000)
Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 545 Comm: syz.1.69 Not tainted syzkaller #0 37924e2d96e0adc5b49b5912cddbdf0b22b3a5de
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:instrument_atomic_read include/linux/instrumented.h:68 [inline]
RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
RIP: 0010:nr_pcp_alloc mm/page_alloc.c:3210 [inline]
RIP: 0010:___rmqueue_pcplist+0x4f6/0x31b0 mm/page_alloc.c:3249
Code: 0f b6 0c 24 83 f9 20 0f 83 08 2a 00 00 41 89 f4 41 d3 e4 45 39 ee 74 ab 48 89 74 24 10 48 8b bc 24 e8 00 00 00 be 08 00 00 00 <e8> 95 b8 05 00 48 8b 94 24 e8 00 00 00 48 89 d0 48 c1 e8 03 48 b9
RSP: 0018:ffffc9000e218000 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 1ffff1103edce451 RCX: ffffffff8635a540
RDX: ffff8881f6e72288 RSI: 0000000000000008 RDI: ffffffff87e38a38
RBP: ffffc9000e218270 R08: ffff8881f6e72280 R09: 0000000000000002
R10: 0000000000000000 R11: 00000000fffffffc R12: 000000000000003f
R13: 000000000000f51b R14: 0000000000000fda R15: 0000000000001019
FS:  00007f39b403e6c0(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000e217ff8 CR3: 0000000115754000 CR4: 00000000003526b0
Call Trace:
 <TASK>
 __rmqueue_pcplist mm/page_alloc.c:3297 [inline]
 rmqueue_pcplist mm/page_alloc.c:3326 [inline]
 rmqueue mm/page_alloc.c:3359 [inline]
 get_page_from_freelist+0x6f5/0x4a20 mm/page_alloc.c:3945
 __alloc_pages_noprof+0x35f/0x7e0 mm/page_alloc.c:5298
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_pages_noprof include/linux/gfp.h:313 [inline]
 stack_depot_save_flags+0x672/0x800 lib/stackdepot.c:627
 kasan_save_stack mm/kasan/common.c:50 [inline]
 kasan_save_track+0x4f/0x80 mm/kasan/common.c:70
 kasan_save_free_info+0x4a/0x60 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:249 [inline]
 __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:266
 kasan_slab_free include/linux/kasan.h:234 [inline]
 slab_free_hook mm/slub.c:2445 [inline]
 slab_free mm/slub.c:4714 [inline]
 kfree+0x158/0x440 mm/slub.c:4871
 krealloc_noprof+0xfa/0x130 mm/slab_common.c:-1
 <kernel::alloc::allocator::ReallocFunc>::call rust/kernel/alloc/allocator.rs:102 [inline]
 <kernel::alloc::allocator::Kmalloc as kernel::alloc::Allocator>::realloc rust/kernel/alloc/allocator.rs:141 [inline]
 <kernel::alloc::allocator::Kmalloc as kernel::alloc::Allocator>::free+0xc6/0x200 rust/kernel/alloc.rs:214
 <kernel::alloc::kvec::Vec<rust_binder_main::allocation::FileEntry, kernel::alloc::allocator::Kmalloc> as core::ops::drop::Drop>::drop rust/kernel/alloc/kvec.rs:835 [inline]
 core::ptr::drop_in_place::<kernel::alloc::kvec::Vec<rust_binder_main::allocation::FileEntry, kernel::alloc::allocator::Kmalloc>>+0x1f7/0x300 usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:804
 core::ptr::drop_in_place::<rust_binder_main::allocation::FileList>+0x7e/0x220 usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:804
 core::ptr::drop_in_place::<rust_binder_main::allocation::AllocationInfo> usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:804 [inline]
 <rust_binder_main::allocation::Allocation as core::ops::drop::Drop>::drop+0x22ce/0x5680 drivers/android/binder/allocation.rs:284
 core::ptr::drop_in_place::<rust_binder_main::allocation::Allocation>+0x26/0x1a0 usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:804
 <rust_binder_main::thread::Thread>::copy_transaction_data+0x6e44/0x8520 drivers/android/binder/thread.rs:1226
 <rust_binder_main::transaction::Transaction>::new+0x3a2/0x2150 drivers/android/binder/transaction.rs:81
 <rust_binder_main::thread::Thread>::transaction_inner drivers/android/binder/thread.rs:1346 [inline]
 <<rust_binder_main::thread::Thread>::transaction_inner as core::ops::function::FnOnce<(&kernel::sync::arc::Arc<rust_binder_main::thread::Thread>, &rust_binder_main::defs::BinderTransactionDataSg)>>::call_once usr/local/rustup/toolchains/1.91.1-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:250 [inline]
 <rust_binder_main::thread::Thread>::transaction::<<rust_binder_main::thread::Thread>::transaction_inner>+0x8c4/0x1110 drivers/android/binder/thread.rs:1321
 <rust_binder_main::thread::Thread>::write+0x17dc/0xa690 drivers/android/binder/thread.rs:1460
 <rust_binder_main::thread::Thread>::write_read drivers/android/binder/thread.rs:1608 [inline]
 <rust_binder_main::process::Process>::ioctl_write_read drivers/android/binder/process.rs:1609 [inline]
 <rust_binder_main::process::Process>::ioctl drivers/android/binder/process.rs:1674 [inline]
 rust_binder_main::rust_binder_ioctl+0x1077/0x5da0 drivers/android/binder/rust_binder_main.rs:449
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0x135/0x1b0 fs/ioctl.c:893
 __x64_sys_ioctl+0x7f/0xa0 fs/ioctl.c:893
 x64_sys_call+0x1878/0x2ee0 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/common.c:47 [inline]
 do_syscall_64+0x57/0xf0 arch/x86/entry/common.c:78
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f39b319c629
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f39b403e028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f39b3415fa0 RCX: 00007f39b319c629
RDX: 0000200000000740 RSI: 00000000c0306201 RDI: 0000000000000006
RBP: 00007f39b3232b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f39b3416038 R14: 00007f39b3415fa0 R15: 00007ffe0d3c0838
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:instrument_atomic_read include/linux/instrumented.h:68 [inline]
RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
RIP: 0010:nr_pcp_alloc mm/page_alloc.c:3210 [inline]
RIP: 0010:___rmqueue_pcplist+0x4f6/0x31b0 mm/page_alloc.c:3249
Code: 0f b6 0c 24 83 f9 20 0f 83 08 2a 00 00 41 89 f4 41 d3 e4 45 39 ee 74 ab 48 89 74 24 10 48 8b bc 24 e8 00 00 00 be 08 00 00 00 <e8> 95 b8 05 00 48 8b 94 24 e8 00 00 00 48 89 d0 48 c1 e8 03 48 b9
RSP: 0018:ffffc9000e218000 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 1ffff1103edce451 RCX: ffffffff8635a540
RDX: ffff8881f6e72288 RSI: 0000000000000008 RDI: ffffffff87e38a38
RBP: ffffc9000e218270 R08: ffff8881f6e72280 R09: 0000000000000002
R10: 0000000000000000 R11: 00000000fffffffc R12: 000000000000003f
R13: 000000000000f51b R14: 0000000000000fda R15: 0000000000001019
FS:  00007f39b403e6c0(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000e217ff8 CR3: 0000000115754000 CR4: 00000000003526b0
----------------
Code disassembly (best guess):
   0:	0f b6 0c 24          	movzbl (%rsp),%ecx
   4:	83 f9 20             	cmp    $0x20,%ecx
   7:	0f 83 08 2a 00 00    	jae    0x2a15
   d:	41 89 f4             	mov    %esi,%r12d
  10:	41 d3 e4             	shl    %cl,%r12d
  13:	45 39 ee             	cmp    %r13d,%r14d
  16:	74 ab                	je     0xffffffc3
  18:	48 89 74 24 10       	mov    %rsi,0x10(%rsp)
  1d:	48 8b bc 24 e8 00 00 	mov    0xe8(%rsp),%rdi
  24:	00
  25:	be 08 00 00 00       	mov    $0x8,%esi
* 2a:	e8 95 b8 05 00       	call   0x5b8c4 <-- trapping instruction
  2f:	48 8b 94 24 e8 00 00 	mov    0xe8(%rsp),%rdx
  36:	00
  37:	48 89 d0             	mov    %rdx,%rax
  3a:	48 c1 e8 03          	shr    $0x3,%rax
  3e:	48                   	rex.W
  3f:	b9                   	.byte 0xb9