==================================================================
BUG: KASAN: slab-out-of-bounds in hlist_add_head include/linux/list.h:814 [inline]
BUG: KASAN: slab-out-of-bounds in enqueue_timer+0xb7/0x300 kernel/time/timer.c:541
Write of size 8 at addr ffff8881d9d8b1c8 by task syz-executor/358
CPU: 1 PID: 358 Comm: syz-executor Tainted: G W 5.4.274-syzkaller-00002-g6f97bd951d82 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d8/0x241 lib/dump_stack.c:118
print_address_description+0x8c/0x600 mm/kasan/report.c:384
__kasan_report+0xf3/0x120 mm/kasan/report.c:516
kasan_report+0x30/0x60 mm/kasan/common.c:653
hlist_add_head include/linux/list.h:814 [inline]
enqueue_timer+0xb7/0x300 kernel/time/timer.c:541
__internal_add_timer kernel/time/timer.c:554 [inline]
internal_add_timer+0x240/0x430 kernel/time/timer.c:604
__mod_timer+0x6f1/0x13e0 kernel/time/timer.c:1065
call_timer_fn+0x36/0x390 kernel/time/timer.c:1448
expire_timers kernel/time/timer.c:1493 [inline]
__run_timers+0x879/0xbe0 kernel/time/timer.c:1817
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1830
__do_softirq+0x23b/0x6b7 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x195/0x1c0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:538 [inline]
smp_apic_timer_interrupt+0x11a/0x460 arch/x86/kernel/apic/apic.c:1149
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
RIP: 0010:check_memory_region+0x1a0/0x280 mm/kasan/generic.c:191
Code: 4c 89 d5 48 8d 5d 07 48 85 ed 48 0f 49 dd 48 83 e3 f8 48 29 dd 74 12 41 80 39 00 0f 85 a2 00 00 00 49 ff c1 48 ff cd 75 ee 5b <41> 5e 41 5f 5d c3 45 84 f6 75 61 41 f7 c6 00 ff 00 00 75 5d 41 f7
RSP: 0018:ffff8881dce97580 EFLAGS: 00000256 ORIG_RAX: ffffffffffffff13
RAX: ffff8881dce97901 RBX: 0000000000000010 RCX: ffffffff812fce86
RDX: 0000000000000001 RSI: 0000000000000010 RDI: ffff8881dce97a10
RBP: 0000000000000002 R08: dffffc0000000000 R09: ffffed103b9d2f44
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffffffff0cf7364
R13: ffffffff867b9b22 R14: ffffed103b9d2f44 R15: dffffc0000000000
memset+0x1f/0x40 mm/kasan/common.c:106
unwind_next_frame+0x1036/0x1ea0 arch/x86/kernel/unwind_orc.c:534
__unwind_start+0x708/0x890 arch/x86/kernel/unwind_orc.c:691
unwind_start arch/x86/include/asm/unwind.h:60 [inline]
arch_stack_walk+0xdd/0x140 arch/x86/kernel/stacktrace.c:24
stack_trace_save+0x118/0x1c0 kernel/stacktrace.c:123
save_stack mm/kasan/common.c:70 [inline]
set_track mm/kasan/common.c:78 [inline]
kasan_set_free_info mm/kasan/common.c:345 [inline]
__kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
slab_free_hook mm/slub.c:1455 [inline]
slab_free_freelist_hook mm/slub.c:1494 [inline]
slab_free mm/slub.c:3080 [inline]
kmem_cache_free+0x10b/0x2c0 mm/slub.c:3096
dentry_kill+0xb8/0x280 fs/dcache.c:673
dput+0x3c/0x80 fs/dcache.c:860
__fput+0x443/0x680 fs/file_table.c:294
task_work_run+0x140/0x170 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x190/0x1a0 arch/x86/entry/common.c:163
prepare_exit_to_usermode+0x199/0x200 arch/x86/entry/common.c:194
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7f445b031820
Code: 00 00 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 40 44 00 00 80 3d 21 0d 16 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c
RSP: 002b:00007fff97a6b848 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f445b031820
RDX: 0000000000000006 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 00007fff97a6b89c R08: 000000000000000a R09: 00007fff97a6b597
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000032
R13: 0000000000014622 R14: 00000000000145da R15: 00007fff97a6b900
Allocated by task 161:
save_stack mm/kasan/common.c:70 [inline]
set_track mm/kasan/common.c:78 [inline]
__kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc_node mm/slub.c:2829 [inline]
slab_alloc mm/slub.c:2837 [inline]
kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
kmem_cache_zalloc include/linux/slab.h:680 [inline]
__alloc_file+0x26/0x310 fs/file_table.c:101
alloc_empty_file+0x92/0x180 fs/file_table.c:151
path_openat+0x103/0x34b0 fs/namei.c:3672
do_filp_open+0x20b/0x450 fs/namei.c:3713
do_sys_open+0x39c/0x810 fs/open.c:1123
do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Freed by task 17:
save_stack mm/kasan/common.c:70 [inline]
set_track mm/kasan/common.c:78 [inline]
kasan_set_free_info mm/kasan/common.c:345 [inline]
__kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
slab_free_hook mm/slub.c:1455 [inline]
slab_free_freelist_hook mm/slub.c:1494 [inline]
slab_free mm/slub.c:3080 [inline]
kmem_cache_free+0x10b/0x2c0 mm/slub.c:3096
__rcu_reclaim kernel/rcu/rcu.h:222 [inline]
rcu_do_batch+0x492/0xa00 kernel/rcu/tree.c:2167
rcu_core+0x4c8/0xcb0 kernel/rcu/tree.c:2387
__do_softirq+0x23b/0x6b7 kernel/softirq.c:292
The buggy address belongs to the object at ffff8881d9d8b080
which belongs to the cache filp of size 280
The buggy address is located 48 bytes to the right of
280-byte region [ffff8881d9d8b080, ffff8881d9d8b198)
The buggy address belongs to the page:
page:ffffea0007676280 refcount:1 mapcount:0 mapping:ffff8881f5d05900 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5d05900
raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook mm/page_alloc.c:2165 [inline]
prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
__alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
alloc_slab_page+0x39/0x3c0 mm/slub.c:343
allocate_slab mm/slub.c:1683 [inline]
new_slab+0x97/0x440 mm/slub.c:1749
new_slab_objects mm/slub.c:2505 [inline]
___slab_alloc+0x2fe/0x490 mm/slub.c:2667
__slab_alloc+0x62/0xa0 mm/slub.c:2707
slab_alloc_node mm/slub.c:2792 [inline]
slab_alloc mm/slub.c:2837 [inline]
kmem_cache_alloc+0x109/0x250 mm/slub.c:2842
kmem_cache_zalloc include/linux/slab.h:680 [inline]
__alloc_file+0x26/0x310 fs/file_table.c:101
alloc_empty_file+0x92/0x180 fs/file_table.c:151
path_openat+0x103/0x34b0 fs/namei.c:3672
do_filp_open+0x20b/0x450 fs/namei.c:3713
do_sys_open+0x39c/0x810 fs/open.c:1123
do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1176 [inline]
__free_pages_ok+0x847/0x950 mm/page_alloc.c:1438
free_the_page mm/page_alloc.c:4955 [inline]
__free_pages+0x91/0x140 mm/page_alloc.c:4961
bpf_check+0x8aaa/0xb340 kernel/bpf/verifier.c:9731
bpf_prog_load kernel/bpf/syscall.c:1724 [inline]
__do_sys_bpf kernel/bpf/syscall.c:2891 [inline]
__se_sys_bpf+0x8139/0xbcb0 kernel/bpf/syscall.c:2849
do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Memory state around the buggy address:
 ffff8881d9d8b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881d9d8b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d9d8b180: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff8881d9d8b200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881d9d8b280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 1d9b09067 P4D 1d9b09067 PUD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 358 Comm: syz-executor Tainted: G B W 5.4.274-syzkaller-00002-g6f97bd951d82 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6f09d18 EFLAGS: 00010202
RAX: ffffffff8154d7aa RBX: 0000000000000101 RCX: ffff8881dd4bcec0
RDX: 0000000000000101 RSI: 0000000000000000 RDI: ffff8881d9d8b1c0
RBP: ffff8881f6f09ec8 R08: ffffffff8154d3ee R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000ffffaae0
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881d9d8b1c0
FS: 0000555556cd7500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001dce3b000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
call_timer_fn+0x36/0x390 kernel/time/timer.c:1448
expire_timers kernel/time/timer.c:1493 [inline]
__run_timers+0x879/0xbe0 kernel/time/timer.c:1817
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1830
__do_softirq+0x23b/0x6b7 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x195/0x1c0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:538 [inline]
smp_apic_timer_interrupt+0x11a/0x460 arch/x86/kernel/apic/apic.c:1149
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
RIP: 0010:check_memory_region+0x1a0/0x280 mm/kasan/generic.c:191
Code: 4c 89 d5 48 8d 5d 07 48 85 ed 48 0f 49 dd 48 83 e3 f8 48 29 dd 74 12 41 80 39 00 0f 85 a2 00 00 00 49 ff c1 48 ff cd 75 ee 5b <41> 5e 41 5f 5d c3 45 84 f6 75 61 41 f7 c6 00 ff 00 00 75 5d 41 f7
RSP: 0018:ffff8881dce97580 EFLAGS: 00000256 ORIG_RAX: ffffffffffffff13
RAX: ffff8881dce97901 RBX: 0000000000000010 RCX: ffffffff812fce86
RDX: 0000000000000001 RSI: 0000000000000010 RDI: ffff8881dce97a10
RBP: 0000000000000002 R08: dffffc0000000000 R09: ffffed103b9d2f44
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffffffff0cf7364
R13: ffffffff867b9b22 R14: ffffed103b9d2f44 R15: dffffc0000000000
memset+0x1f/0x40 mm/kasan/common.c:106
unwind_next_frame+0x1036/0x1ea0 arch/x86/kernel/unwind_orc.c:534
__unwind_start+0x708/0x890 arch/x86/kernel/unwind_orc.c:691
unwind_start arch/x86/include/asm/unwind.h:60 [inline]
arch_stack_walk+0xdd/0x140 arch/x86/kernel/stacktrace.c:24
stack_trace_save+0x118/0x1c0 kernel/stacktrace.c:123
save_stack mm/kasan/common.c:70 [inline]
set_track mm/kasan/common.c:78 [inline]
kasan_set_free_info mm/kasan/common.c:345 [inline]
__kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
slab_free_hook mm/slub.c:1455 [inline]
slab_free_freelist_hook mm/slub.c:1494 [inline]
slab_free mm/slub.c:3080 [inline]
kmem_cache_free+0x10b/0x2c0 mm/slub.c:3096
dentry_kill+0xb8/0x280 fs/dcache.c:673
dput+0x3c/0x80 fs/dcache.c:860
__fput+0x443/0x680 fs/file_table.c:294
task_work_run+0x140/0x170 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x190/0x1a0 arch/x86/entry/common.c:163
prepare_exit_to_usermode+0x199/0x200 arch/x86/entry/common.c:194
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7f445b031820
Code: 00 00 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 40 44 00 00 80 3d 21 0d 16 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c
RSP: 002b:00007fff97a6b848 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f445b031820
RDX: 0000000000000006 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 00007fff97a6b89c R08: 000000000000000a R09: 00007fff97a6b597
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000032
R13: 0000000000014622 R14: 00000000000145da R15: 00007fff97a6b900
Modules linked in:
CR2: 0000000000000000
---[ end trace c9228a4d36c34e1d ]---
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6f09d18 EFLAGS: 00010202
RAX: ffffffff8154d7aa RBX: 0000000000000101 RCX: ffff8881dd4bcec0
RDX: 0000000000000101 RSI: 0000000000000000 RDI: ffff8881d9d8b1c0
RBP: ffff8881f6f09ec8 R08: ffffffff8154d3ee R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000ffffaae0
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881d9d8b1c0
FS: 0000555556cd7500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001dce3b000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 4c 89 d5 mov %r10,%rbp
3: 48 8d 5d 07 lea 0x7(%rbp),%rbx
7: 48 85 ed test %rbp,%rbp
a: 48 0f 49 dd cmovns %rbp,%rbx
e: 48 83 e3 f8 and $0xfffffffffffffff8,%rbx
12: 48 29 dd sub %rbx,%rbp
15: 74 12 je 0x29
17: 41 80 39 00 cmpb $0x0,(%r9)
1b: 0f 85 a2 00 00 00 jne 0xc3
21: 49 ff c1 inc %r9
24: 48 ff cd dec %rbp
27: 75 ee jne 0x17
29: 5b pop %rbx
* 2a: 41 5e pop %r14 <-- trapping instruction
2c: 41 5f pop %r15
2e: 5d pop %rbp
2f: c3 ret
30: 45 84 f6 test %r14b,%r14b
33: 75 61 jne 0x96
35: 41 f7 c6 00 ff 00 00 test $0xff00,%r14d
3c: 75 5d jne 0x9b
3e: 41 rex.B
3f: f7 .byte 0xf7