kASAN angry, kASAN smash (stack) in Lua interpreter #15334

Closed
rincebrain opened this issue Sep 29, 2023 · 1 comment
Labels
Type: Defect Incorrect behavior (e.g. crash, hang)

Comments

@rincebrain
Contributor

System information

Type                  Version/Name
Distribution Name     Debian
Distribution Version  11
Kernel Version        6.4.7
Architecture          x86_64
OpenZFS Version       8af8d2a

Describe the problem you're observing

While poking at #15330, I got this chestnut, which doesn't seem related to the changes in that tree (and I subsequently reproduced on vanilla, thus the vanilla git commit).

[  654.297956] ==================================================================
[  654.297996] BUG: KASAN: stack-out-of-bounds in __unwind_start+0x69d/0x7d0
[  654.298031] Write of size 8 at addr ffffc900198f76a8 by task zfs/173185

[  654.298068] CPU: 6 PID: 173185 Comm: zfs Kdump: loaded Tainted: P           OE      6.4.7 #4
[  654.298107] Hardware name: Micro-Star International Co., Ltd. MS-7D50/MEG X570S ACE MAX (MS-7D50), BIOS 1.40 05/24/2022
[  654.298154] Call Trace:
[  654.298166]  <TASK>
[  654.298175]  dump_stack_lvl+0x48/0x60
[  654.298194]  print_address_description.constprop.0+0x2c/0x3e0
[  654.298222]  ? __unwind_start+0x69d/0x7d0
[  654.298241]  kasan_report+0x10f/0x120
[  654.298258]  ? __unwind_start+0x69d/0x7d0
[  654.298276]  __unwind_start+0x69d/0x7d0
[  654.298293]  ? __pfx_zcp_lua_to_nvlist_helper+0x10/0x10 [zfs]
[  654.298460]  ? __pfx_stack_trace_consume_entry+0x10/0x10
[  654.298486]  arch_stack_walk+0x68/0x100
[  654.298506]  ? zcp_eval+0x4ed/0xa10 [zfs]
[  654.298655]  stack_trace_save+0x95/0xd0
[  654.298673]  ? __pfx_stack_trace_save+0x10/0x10
[  654.298695]  kasan_save_stack+0x22/0x50
[  654.298713]  ? __pfx_f_call+0x10/0x10 [zfs]
[  654.298839]  ? __pfx_luaD_rawrunprotected+0x10/0x10 [zfs]
[  654.298972]  ? __pfx_f_call+0x10/0x10 [zfs]
[  654.299096]  ? luaD_rawrunprotected+0x101/0x200 [zfs]
[  654.299226]  ? luaD_pcall+0xe4/0x310 [zfs]
[  654.299351]  ? luaD_pcall+0x1f9/0x310 [zfs]
[  654.299477]  ? lua_pcallk+0x158/0x6c0 [zfs]
[  654.299601]  ? __pfx_lua_pcallk+0x10/0x10 [zfs]
[  654.299727]  ? __pfx_lua_pcallk+0x10/0x10 [zfs]
[  654.299851]  kasan_set_track+0x25/0x30
[  654.299869]  kasan_save_free_info+0x2e/0x50
[  654.299888]  __kasan_slab_free+0x10a/0x190
[  654.300721]  ? zcp_eval+0x4ed/0xa10 [zfs]
[  654.301681]  __kmem_cache_free+0x137/0x2b0
[  654.302515]  zcp_eval+0x4ed/0xa10 [zfs]
[  654.303444]  ? __pfx_zcp_eval+0x10/0x10 [zfs]
[  654.304350]  ? __x64_sys_ioctl+0x12c/0x1a0
[  654.305121]  ? do_syscall_64+0x3c/0x90
[  654.305876]  ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[  654.306623]  ? do_syscall_64+0x3c/0x90
[  654.307362]  ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[  654.308113]  ? __pfx_nvlist_lookup_nvpair_ei_sep+0x10/0x10 [zfs]
[  654.308965]  ? nvt_add_nvpair+0x2e8/0x5b0 [zfs]
[  654.309792]  ? nvt_lookup_name_type.isra.0+0x164/0x400 [zfs]
[  654.310636]  ? fnvlist_lookup_nvpair+0x63/0xd0 [zfs]
[  654.311495]  ? __pfx_fnvlist_lookup_nvpair+0x10/0x10 [zfs]
[  654.312362]  zfs_ioc_channel_program+0x183/0x270 [zfs]
[  654.313238]  ? __pfx_zfs_ioc_channel_program+0x10/0x10 [zfs]
[  654.314103]  ? nvlist_xalloc.part.0+0xa9/0x310 [zfs]
[  654.314950]  ? fnvlist_alloc+0x6a/0xd0 [zfs]
[  654.315784]  ? __pfx_fnvlist_alloc+0x10/0x10 [zfs]
[  654.316610]  zfsdev_ioctl_common+0x905/0x17e0 [zfs]
[  654.317430]  ? __pfx_zfsdev_ioctl_common+0x10/0x10 [zfs]
[  654.318229]  ? __kasan_kmalloc_large+0x8c/0xc0
[  654.318911]  ? __kmalloc_node+0xd0/0x140
[  654.319594]  ? _copy_from_user+0x34/0x90
[  654.320269]  zfsdev_ioctl+0x57/0xf0 [zfs]
[  654.321054]  __x64_sys_ioctl+0x12c/0x1a0
[  654.321721]  do_syscall_64+0x3c/0x90
[  654.322387]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
[  654.323064] RIP: 0033:0x7f98b728a237
[  654.323734] Code: 00 00 00 48 8b 05 59 cc 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 29 cc 0d 00 f7 d8 64 89 01 48
[  654.325178] RSP: 002b:00007ffd08a29ba8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[  654.325924] RAX: ffffffffffffffda RBX: 0000000000005a48 RCX: 00007f98b728a237
[  654.326679] RDX: 00007ffd08a29bd0 RSI: 0000000000005a48 RDI: 0000000000000004
[  654.327434] RBP: 00007ffd08a2d1b0 R08: 00007f98b61ff010 R09: 0000000000000000
[  654.328187] R10: fffffffffffff66e R11: 0000000000000202 R12: 00007ffd08a29bd0
[  654.328944] R13: 0000000000005a48 R14: 000055f44c621201 R15: 00007ffd08a2d278
[  654.329702]  </TASK>

[  654.331175] The buggy address belongs to stack of task zfs/173185
[  654.331940] KASAN internal error: frame info validation failed; invalid marker: 0

[  654.333505] The buggy address belongs to the virtual mapping at
                [ffffc900198f0000, ffffc900198f9000) created by:
                kernel_clone+0xc0/0x6d0

[  654.336749] The buggy address belongs to the physical page:
[  654.337576] page:00000000b4043989 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17a1e5
[  654.338446] memcg:ffff888103e56b02
[  654.339313] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
[  654.340204] page_type: 0xffffffff()
[  654.341093] raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000
[  654.342008] raw: 0000000000000000 0000000000000000 00000001ffffffff ffff888103e56b02
[  654.342925] page dumped because: kasan: bad access detected

[  654.344747] Memory state around the buggy address:
[  654.345667]  ffffc900198f7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  654.346593]  ffffc900198f7600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  654.347504] >ffffc900198f7680: 00 00 00 00 f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00
[  654.348405]                                   ^
[  654.349309]  ffffc900198f7700: 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3 f3 f3 f3
[  654.350221]  ffffc900198f7780: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  654.351122] ==================================================================

Describe how to reproduce the problem

Seems to reliably trigger during tst.args_to_lua for me.

Include any warning/errors/backtraces from the system logs

@rincebrain rincebrain added the Type: Defect Incorrect behavior (e.g. crash, hang) label Sep 29, 2023
@rincebrain
Contributor Author

#12230 I think. Oops. Nice to see my memory is reliable.
