==================================================================
BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:791 [inline]
BUG: KASAN: use-after-free in detach_timer kernel/time/timer.c:824 [inline]
BUG: KASAN: use-after-free in expire_timers kernel/time/timer.c:1482 [inline]
BUG: KASAN: use-after-free in __run_timers+0x7be/0xbe0 kernel/time/timer.c:1817
Write of size 8 at addr ffff8881c7c931c8 by task syz.3.1937/7475
CPU: 0 PID: 7475 Comm: syz.3.1937 Not tainted 5.4.290-syzkaller-00017-g6b07fcd94a6a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d8/0x241 lib/dump_stack.c:118
print_address_description+0x8c/0x600 mm/kasan/report.c:384
__kasan_report+0xf3/0x120 mm/kasan/report.c:516
kasan_report+0x30/0x60 mm/kasan/common.c:653
__hlist_del include/linux/list.h:791 [inline]
detach_timer kernel/time/timer.c:824 [inline]
expire_timers kernel/time/timer.c:1482 [inline]
__run_timers+0x7be/0xbe0 kernel/time/timer.c:1817
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1830
__do_softirq+0x23b/0x6b7 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x195/0x1c0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:539 [inline]
smp_apic_timer_interrupt+0x11a/0x490 arch/x86/kernel/apic/apic.c:1161
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
RIP: 0010:unwind_next_frame+0xd/0x1ea0 arch/x86/kernel/unwind_orc.c:413
Code: 80 e1 07 80 c1 03 38 c1 7c 95 4c 89 f7 e8 eb 78 64 00 eb 8b 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 <48> 83 e4 e0 48 81 ec c0 02 00 00 49 89 fe 65 48 8b 04 25 28 00 00
RSP: 0018:ffff8881e007ede8 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff13
RAX: ffff8881e8d3ce01 RBX: ffff8881e007ee20 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000010 RDI: ffff8881e007ee20
RBP: ffff8881e007ee10 R08: ffffffff8153c592 R09: ffff8881e007ee70
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff8881e8d3cec0
R13: ffffffff8153c430 R14: ffff8881e007ef00 R15: 0000000000000000
arch_stack_walk+0x111/0x140 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x118/0x1c0 kernel/stacktrace.c:123
save_stack+0x95/0x880 mm/page_owner.c:122
__reset_page_owner+0x1f/0x100 mm/page_owner.c:149
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1176 [inline]
free_pcp_prepare mm/page_alloc.c:1233 [inline]
free_unref_page_prepare+0x297/0x380 mm/page_alloc.c:3085
free_unref_page_list+0x10a/0x590 mm/page_alloc.c:3154
release_pages+0xad8/0xb20 mm/swap.c:842
__pagevec_release+0xc3/0x150 mm/swap.c:862
pagevec_release include/linux/pagevec.h:88 [inline]
shmem_undo_range+0x8a5/0x1ad0 mm/shmem.c:875
shmem_truncate_range mm/shmem.c:997 [inline]
shmem_evict_inode+0x218/0x9a0 mm/shmem.c:1097
evict+0x4ea/0x960 fs/inode.c:610
__dentry_kill+0x429/0x630 fs/dcache.c:583
dentry_kill+0xb8/0x280 fs/dcache.c:677
dput+0x3c/0x80 fs/dcache.c:864
__fput+0x443/0x680 fs/file_table.c:294
task_work_run+0x140/0x170 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xcaf/0x2bc0 kernel/exit.c:861
do_group_exit+0x138/0x300 kernel/exit.c:984
get_signal+0xdb1/0x1440 kernel/signal.c:2738
do_signal+0xb0/0x11f0 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0xc0/0x1a0 arch/x86/entry/common.c:159
prepare_exit_to_usermode+0x199/0x200 arch/x86/entry/common.c:194
ret_from_intr+0x1c/0x1c
RIP: 0033:0x7f5fd58bb757
Code: Bad RIP value.
RSP: 002b:00004000000004a0 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 000000000000000b RCX: 00007f5fd59fa169
RDX: 00004000000004c0 RSI: 00004000000005f0 RDI: 000000000000000b
RBP: 00007f5fd5a7b2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f5fd5c12fa0 R15: 00007ffe5dee43e8
The buggy address belongs to the page:
page:ffffea00071f24c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 ffffea00072ef588 ffffea000731eb08 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x500dc0(GFP_USER|__GFP_ZERO|__GFP_ACCOUNT)
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook mm/page_alloc.c:2165 [inline]
prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
__alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
__alloc_pages include/linux/gfp.h:503 [inline]
__alloc_pages_node include/linux/gfp.h:516 [inline]
alloc_pages_node include/linux/gfp.h:530 [inline]
__get_free_pages+0xa/0x30 mm/page_alloc.c:4937
_pgd_alloc arch/x86/mm/pgtable.c:407 [inline]
pgd_alloc+0x1e/0x270 arch/x86/mm/pgtable.c:423
mm_alloc_pgd kernel/fork.c:638 [inline]
mm_init+0x450/0x720 kernel/fork.c:1062
dup_mm kernel/fork.c:1376 [inline]
copy_mm+0x1b3/0x10d0 kernel/fork.c:1435
copy_process+0x1291/0x3230 kernel/fork.c:2052
_do_fork+0x197/0x900 kernel/fork.c:2399
__do_sys_clone kernel/fork.c:2557 [inline]
__se_sys_clone kernel/fork.c:2538 [inline]
__x64_sys_clone+0x26b/0x2c0 kernel/fork.c:2538
do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1176 [inline]
free_pcp_prepare mm/page_alloc.c:1233 [inline]
free_unref_page_prepare+0x297/0x380 mm/page_alloc.c:3085
free_unref_page mm/page_alloc.c:3134 [inline]
free_the_page mm/page_alloc.c:4953 [inline]
__free_pages mm/page_alloc.c:4961 [inline]
free_pages+0x114/0x1b0 mm/page_alloc.c:4969
mm_free_pgd kernel/fork.c:646 [inline]
__mmdrop+0xab/0x3c0 kernel/fork.c:697
mmdrop include/linux/sched/mm.h:49 [inline]
finish_task_switch+0x1e6/0x590 kernel/sched/core.c:3466
context_switch kernel/sched/core.c:3611 [inline]
__schedule+0xb0d/0x1320 kernel/sched/core.c:4307
schedule+0x12c/0x1d0 kernel/sched/core.c:4375
schedule_hrtimeout_range_clock+0x1ef/0x330 kernel/time/hrtimer.c:2207
freezable_schedule_hrtimeout_range include/linux/freezer.h:239 [inline]
ep_poll fs/eventpoll.c:1940 [inline]
do_epoll_wait+0x1036/0x1280 fs/eventpoll.c:2335
__do_sys_epoll_wait fs/eventpoll.c:2345 [inline]
__se_sys_epoll_wait fs/eventpoll.c:2342 [inline]
__x64_sys_epoll_wait+0x96/0xb0 fs/eventpoll.c:2342
do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Memory state around the buggy address:
ffff8881c7c93080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881c7c93100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881c7c93180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8881c7c93200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881c7c93280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 0 P4D 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7475 Comm: syz.3.1937 Tainted: G B 5.4.290-syzkaller-00017-g6b07fcd94a6a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6e09d18 EFLAGS: 00010206
RAX: ffffffff8154e8ca RBX: 0000000000000100 RCX: ffff8881e8d3cec0
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff8881c7c931c0
RBP: ffff8881f6e09ec8 R08: ffffffff8154e50e R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000fffff450
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881c7c931c0
FS: 0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001ec5a9000 CR4: 00000000003406b0
DR0: 0100000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
call_timer_fn+0x36/0x390 kernel/time/timer.c:1448
expire_timers kernel/time/timer.c:1493 [inline]
__run_timers+0x879/0xbe0 kernel/time/timer.c:1817
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1830
__do_softirq+0x23b/0x6b7 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x195/0x1c0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:539 [inline]
smp_apic_timer_interrupt+0x11a/0x490 arch/x86/kernel/apic/apic.c:1161
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
RIP: 0010:unwind_next_frame+0xd/0x1ea0 arch/x86/kernel/unwind_orc.c:413
Code: 80 e1 07 80 c1 03 38 c1 7c 95 4c 89 f7 e8 eb 78 64 00 eb 8b 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 <48> 83 e4 e0 48 81 ec c0 02 00 00 49 89 fe 65 48 8b 04 25 28 00 00
RSP: 0018:ffff8881e007ede8 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff13
RAX: ffff8881e8d3ce01 RBX: ffff8881e007ee20 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000010 RDI: ffff8881e007ee20
RBP: ffff8881e007ee10 R08: ffffffff8153c592 R09: ffff8881e007ee70
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff8881e8d3cec0
R13: ffffffff8153c430 R14: ffff8881e007ef00 R15: 0000000000000000
arch_stack_walk+0x111/0x140 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x118/0x1c0 kernel/stacktrace.c:123
save_stack+0x95/0x880 mm/page_owner.c:122
__reset_page_owner+0x1f/0x100 mm/page_owner.c:149
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1176 [inline]
free_pcp_prepare mm/page_alloc.c:1233 [inline]
free_unref_page_prepare+0x297/0x380 mm/page_alloc.c:3085
free_unref_page_list+0x10a/0x590 mm/page_alloc.c:3154
release_pages+0xad8/0xb20 mm/swap.c:842
__pagevec_release+0xc3/0x150 mm/swap.c:862
pagevec_release include/linux/pagevec.h:88 [inline]
shmem_undo_range+0x8a5/0x1ad0 mm/shmem.c:875
shmem_truncate_range mm/shmem.c:997 [inline]
shmem_evict_inode+0x218/0x9a0 mm/shmem.c:1097
evict+0x4ea/0x960 fs/inode.c:610
__dentry_kill+0x429/0x630 fs/dcache.c:583
dentry_kill+0xb8/0x280 fs/dcache.c:677
dput+0x3c/0x80 fs/dcache.c:864
__fput+0x443/0x680 fs/file_table.c:294
task_work_run+0x140/0x170 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xcaf/0x2bc0 kernel/exit.c:861
do_group_exit+0x138/0x300 kernel/exit.c:984
get_signal+0xdb1/0x1440 kernel/signal.c:2738
do_signal+0xb0/0x11f0 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0xc0/0x1a0 arch/x86/entry/common.c:159
prepare_exit_to_usermode+0x199/0x200 arch/x86/entry/common.c:194
ret_from_intr+0x1c/0x1c
RIP: 0033:0x7f5fd58bb757
Code: Bad RIP value.
RSP: 002b:00004000000004a0 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 000000000000000b RCX: 00007f5fd59fa169
RDX: 00004000000004c0 RSI: 00004000000005f0 RDI: 000000000000000b
RBP: 00007f5fd5a7b2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f5fd5c12fa0 R15: 00007ffe5dee43e8
Modules linked in:
CR2: 0000000000000000
---[ end trace 16d7fd4ba9f50018 ]---
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6e09d18 EFLAGS: 00010206
RAX: ffffffff8154e8ca RBX: 0000000000000100 RCX: ffff8881e8d3cec0
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff8881c7c931c0
RBP: ffff8881f6e09ec8 R08: ffffffff8154e50e R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000fffff450
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881c7c931c0
FS: 0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001ec5a9000 CR4: 00000000003406b0
DR0: 0100000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
----------------
Code disassembly (best guess):
0: 80 e1 07 and $0x7,%cl
3: 80 c1 03 add $0x3,%cl
6: 38 c1 cmp %al,%cl
8: 7c 95 jl 0xffffff9f
a: 4c 89 f7 mov %r14,%rdi
d: e8 eb 78 64 00 call 0x6478fd
12: eb 8b jmp 0xffffff9f
14: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
1b: 00 00
1d: 55 push %rbp
1e: 48 89 e5 mov %rsp,%rbp
21: 41 57 push %r15
23: 41 56 push %r14
25: 41 55 push %r13
27: 41 54 push %r12
29: 53 push %rbx
* 2a: 48 83 e4 e0 and $0xffffffffffffffe0,%rsp <-- trapping instruction
2e: 48 81 ec c0 02 00 00 sub $0x2c0,%rsp
35: 49 89 fe mov %rdi,%r14
38: 65 gs
39: 48 rex.W
3a: 8b .byte 0x8b
3b: 04 25 add $0x25,%al
3d: 28 00 sub %al,(%rax)