==================================================================
BUG: KASAN: use-after-free in tick_sched_handle+0x16f/0x190 kernel/time/tick-sched.c:161
Read of size 8 at addr ffff8880602ad020 by task syz-executor4/19815
BUG: unable to handle kernel NULL pointer dereference at 00000000000000fc

#PF error: [normal kernel read fault]
CPU: 1 PID: 19815 Comm: syz-executor4 Not tainted 4.20.0+ #8
PGD 97852067 P4D 97852067 PUD a9267067 PMD 0 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Oops: 0000 [#1] PREEMPT SMP KASAN
Call Trace:
CPU: 0 PID: 19809 Comm: syz-executor1 Not tainted 4.20.0+ #8
 <IRQ>
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
RIP: 0010:qlink_to_object mm/kasan/quarantine.c:137 [inline]
RIP: 0010:qlink_free mm/kasan/quarantine.c:142 [inline]
RIP: 0010:qlist_free_all+0x2f/0x150 mm/kasan/quarantine.c:167
Code: 57 41 56 41 55 41 54 49 89 f4 53 48 83 ec 08 48 8b 37 48 85 f6 0f 84 0d 01 00 00 4d 85 e4 49 89 fe 4d 89 e7 0f 84 8c 00 00 00 <49> 63 87 fc 00 00 00 4c 8b 2e 48 29 c6 48 83 3d c4 98 cc 07 00 0f
RSP: 0018:ffff88806623f5c8 EFLAGS: 00010202
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
RAX: ffffea0001848600 RBX: 0000000000000286 RCX: ffffea0001848600
RDX: 0000000000000001 RSI: ffff88806121fd98 RDI: 0000000000000007
RBP: ffff88806623f5f8 R08: ffff88806c334700 R09: 0000000000000000
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88806121fd98 R14: ffff88806623f608 R15: 0000000000000000
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
FS:  00007f074ea29700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
 tick_sched_handle+0x16f/0x190 kernel/time/tick-sched.c:161
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 tick_sched_timer+0x47/0x130 kernel/time/tick-sched.c:1271
CR2: 00000000000000fc CR3: 000000008a217000 CR4: 00000000001406f0
 __run_hrtimer kernel/time/hrtimer.c:1389 [inline]
 __hrtimer_run_queues+0x3a7/0x1050 kernel/time/hrtimer.c:1451
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 quarantine_reduce+0x17b/0x1b0 mm/kasan/quarantine.c:260
 kasan_kmalloc+0xa3/0xe0 mm/kasan/common.c:463
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:397
 slab_post_alloc_hook mm/slab.h:444 [inline]
 slab_alloc_node mm/slab.c:3322 [inline]
 kmem_cache_alloc_node+0x131/0x710 mm/slab.c:3629
 __alloc_skb+0xf4/0x730 net/core/skbuff.c:196
 hrtimer_interrupt+0x314/0x770 kernel/time/hrtimer.c:1509
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
 smp_apic_timer_interrupt+0x18d/0x760 arch/x86/kernel/apic/apic.c:1060
 alloc_skb include/linux/skbuff.h:1011 [inline]
 sock_wmalloc+0x16d/0x1f0 net/core/sock.c:1943
 pppol2tp_sendmsg+0x23b/0x6b0 net/l2tp/l2tp_ppp.c:302
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:631
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
 ___sys_sendmsg+0x409/0x910 net/socket.c:2116
 </IRQ>

Allocated by task 2270600118:
 __sys_sendmmsg+0x246/0x6f0 net/socket.c:2211
 __do_sys_sendmmsg net/socket.c:2240 [inline]
 __se_sys_sendmmsg net/socket.c:2237 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2237
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457ec9
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f074ea28c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000457ec9
RDX: 0000000000000209 RSI: 00000000200047c0 RDI: 0000000000000004
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f074ea296d4
R13: 00000000004c4b74 R14: 00000000004d8290 R15: 00000000ffffffff
Modules linked in:
CR2: 00000000000000fc
BUG: unable to handle kernel paging request at ffffffff8cf13780
#PF error: [normal kernel read fault]
PGD 9874067 P4D 9874067 PUD 9875063 PMD 0 
Thread overran stack, or stack corrupted
Oops: 0000 [#2] PREEMPT SMP KASAN
CPU: 1 PID: 19815 Comm: syz-executor4 Tainted: G      D           4.20.0+ #8
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:depot_fetch_stack+0x10/0x30 lib/stackdepot.c:202
Code: e6 7b 22 fe e9 20 fe ff ff 48 89 df e8 d9 7b 22 fe e9 f1 fd ff ff 90 90 90 90 89 f8 c1 ef 11 25 ff ff 1f 00 81 e7 f0 3f 00 00 <48> 03 3c c5 80 f3 f4 8b 8b 47 0c 48 83 c7 18 c7 46 10 00 00 00 00
RSP: 0018:ffff8880ae707b38 EFLAGS: 00010006
RAX: 00000000001f8880 RBX: ffff8880602ad7ac RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff8880ae707b40 RDI: 0000000000003ff0
RBP: ffff8880ae707b68 R08: 000000000000001d R09: ffffed1015ce3ef9
R10: ffffed1015ce3ef8 R11: ffff8880ae71f7c7 R12: ffffea000180ab40
R13: ffff8880602ad020 R14: ffff88808fadac40 R15: ffff8880602ad7a8
FS:  00007f36c12ff700(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff8cf13780 CR3: 00000000a470b000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 describe_object mm/kasan/report.c:158 [inline]
 print_address_description.cold+0x16a/0x20d mm/kasan/report.c:194
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 tick_sched_handle+0x16f/0x190 kernel/time/tick-sched.c:161
 tick_sched_timer+0x47/0x130 kernel/time/tick-sched.c:1271
 __run_hrtimer kernel/time/hrtimer.c:1389 [inline]
 __hrtimer_run_queues+0x3a7/0x1050 kernel/time/hrtimer.c:1451
 hrtimer_interrupt+0x314/0x770 kernel/time/hrtimer.c:1509
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
 smp_apic_timer_interrupt+0x18d/0x760 arch/x86/kernel/apic/apic.c:1060
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
 </IRQ>
Modules linked in:
CR2: ffffffff8cf13780
---[ end trace 9097b276ee5cc91b ]---
RIP: 0010:qlink_to_object mm/kasan/quarantine.c:137 [inline]
RIP: 0010:qlink_free mm/kasan/quarantine.c:142 [inline]
RIP: 0010:qlist_free_all+0x2f/0x150 mm/kasan/quarantine.c:167
Code: 57 41 56 41 55 41 54 49 89 f4 53 48 83 ec 08 48 8b 37 48 85 f6 0f 84 0d 01 00 00 4d 85 e4 49 89 fe 4d 89 e7 0f 84 8c 00 00 00 <49> 63 87 fc 00 00 00 4c 8b 2e 48 29 c6 48 83 3d c4 98 cc 07 00 0f
RSP: 0018:ffff88806623f5c8 EFLAGS: 00010202
RAX: ffffea0001848600 RBX: 0000000000000286 RCX: ffffea0001848600
RDX: 0000000000000001 RSI: ffff88806121fd98 RDI: 0000000000000007
RBP: ffff88806623f5f8 R08: ffff88806c334700 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88806121fd98 R14: ffff88806623f608 R15: 0000000000000000
FS:  00007f36c12ff700(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff8cf13780 CR3: 00000000a470b000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400