==================================================================
BUG: KASAN: slab-out-of-bounds in hlist_add_head include/linux/list.h:814 [inline]
BUG: KASAN: slab-out-of-bounds in enqueue_timer+0xb7/0x300 kernel/time/timer.c:541
Write of size 8 at addr ffff8881df6131c8 by task syz.6.268/1437
CPU: 0 PID: 1437 Comm: syz.6.268 Not tainted 5.4.290-syzkaller-00017-g6b07fcd94a6a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d8/0x241 lib/dump_stack.c:118
print_address_description+0x8c/0x600 mm/kasan/report.c:384
__kasan_report+0xf3/0x120 mm/kasan/report.c:516
kasan_report+0x30/0x60 mm/kasan/common.c:653
hlist_add_head include/linux/list.h:814 [inline]
enqueue_timer+0xb7/0x300 kernel/time/timer.c:541
__internal_add_timer kernel/time/timer.c:554 [inline]
internal_add_timer+0x240/0x430 kernel/time/timer.c:604
__mod_timer+0x6f1/0x13e0 kernel/time/timer.c:1065
call_timer_fn+0x36/0x390 kernel/time/timer.c:1448
expire_timers kernel/time/timer.c:1493 [inline]
__run_timers+0x879/0xbe0 kernel/time/timer.c:1817
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1830
__do_softirq+0x23b/0x6b7 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x195/0x1c0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:539 [inline]
smp_apic_timer_interrupt+0x11a/0x490 arch/x86/kernel/apic/apic.c:1161
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
RIP: 0010:selinux_inode_permission+0x224/0x6a0 security/selinux/hooks.c:3140
Code: e7 80 00 00 00 49 8b 06 48 63 0d 0b e5 59 03 48 8d 5c 08 04 48 89 d8 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 9c 03 00 00 8b 1b <31> ff 44 89 3c 24 44 89 fe e8 ae de 59 ff 48 8b 44 24 10 4c 8d 70
RSP: 0018:ffff8881d532f740 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000000 RBX: 0000000000000088 RCX: 0000000000000000
RDX: ffffc9000955d000 RSI: 0000000000000c64 RDI: 0000000000000c65
RBP: ffff8881d532f818 R08: ffffffff820a6e64 R09: ffff8881d532f780
R10: ffffffffffffffff R11: dffffc0000000001 R12: dffffc0000000000
R13: 0000000000000000 R14: ffff8881dea45178 R15: 0000000000000000
security_inode_permission+0x9d/0xf0 security/security.c:1223
may_lookup fs/namei.c:1779 [inline]
link_path_walk+0x22a/0x1040 fs/namei.c:2159
path_openat+0x1a3/0x34b0 fs/namei.c:3682
do_filp_open+0x20b/0x450 fs/namei.c:3713
do_sys_open+0x39c/0x810 fs/open.c:1123
do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7fce0af0a169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fce09574038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fce0b122fa0 RCX: 00007fce0af0a169
RDX: 0000000000000002 RSI: 0000400000000080 RDI: 000000000000000b
RBP: 00007fce0af8b2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fce0b122fa0 R15: 00007fff00fe3be8
Allocated by task 1416:
save_stack mm/kasan/common.c:70 [inline]
set_track mm/kasan/common.c:78 [inline]
__kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc_node mm/slub.c:2829 [inline]
slab_alloc mm/slub.c:2837 [inline]
kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
kmem_cache_zalloc include/linux/slab.h:680 [inline]
__alloc_file+0x26/0x310 fs/file_table.c:101
alloc_empty_file+0x92/0x180 fs/file_table.c:151
alloc_file+0x56/0x4f0 fs/file_table.c:193
alloc_file_pseudo+0x259/0x2f0 fs/file_table.c:233
__anon_inode_getfile fs/anon_inodes.c:109 [inline]
__anon_inode_getfd+0x2aa/0x430 fs/anon_inodes.c:165
bpf_prog_new_fd kernel/bpf/syscall.c:1447 [inline]
bpf_prog_load kernel/bpf/syscall.c:1753 [inline]
__do_sys_bpf kernel/bpf/syscall.c:2891 [inline]
__se_sys_bpf+0x9687/0xbcb0 kernel/bpf/syscall.c:2849
do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Freed by task 10:
save_stack mm/kasan/common.c:70 [inline]
set_track mm/kasan/common.c:78 [inline]
kasan_set_free_info mm/kasan/common.c:345 [inline]
__kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
slab_free_hook mm/slub.c:1455 [inline]
slab_free_freelist_hook mm/slub.c:1494 [inline]
slab_free mm/slub.c:3080 [inline]
kmem_cache_free+0x10b/0x2c0 mm/slub.c:3096
__rcu_reclaim kernel/rcu/rcu.h:222 [inline]
rcu_do_batch+0x492/0xa00 kernel/rcu/tree.c:2167
rcu_core+0x4c8/0xcb0 kernel/rcu/tree.c:2387
__do_softirq+0x23b/0x6b7 kernel/softirq.c:292
The buggy address belongs to the object at ffff8881df613080
which belongs to the cache filp of size 280
The buggy address is located 48 bytes to the right of
280-byte region [ffff8881df613080, ffff8881df613198)
The buggy address belongs to the page:
page:ffffea00077d8480 refcount:1 mapcount:0 mapping:ffff8881f5cfd180 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cfd180
raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook mm/page_alloc.c:2165 [inline]
prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
__alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
alloc_slab_page+0x39/0x3c0 mm/slub.c:343
allocate_slab mm/slub.c:1683 [inline]
new_slab+0x97/0x440 mm/slub.c:1749
new_slab_objects mm/slub.c:2505 [inline]
___slab_alloc+0x2fe/0x490 mm/slub.c:2667
__slab_alloc+0x62/0xa0 mm/slub.c:2707
slab_alloc_node mm/slub.c:2792 [inline]
slab_alloc mm/slub.c:2837 [inline]
kmem_cache_alloc+0x109/0x250 mm/slub.c:2842
kmem_cache_zalloc include/linux/slab.h:680 [inline]
__alloc_file+0x26/0x310 fs/file_table.c:101
alloc_empty_file+0x92/0x180 fs/file_table.c:151
alloc_file+0x56/0x4f0 fs/file_table.c:193
alloc_file_pseudo+0x259/0x2f0 fs/file_table.c:233
__anon_inode_getfile fs/anon_inodes.c:109 [inline]
__anon_inode_getfd+0x2aa/0x430 fs/anon_inodes.c:165
bpf_prog_new_fd kernel/bpf/syscall.c:1447 [inline]
bpf_prog_load kernel/bpf/syscall.c:1753 [inline]
__do_sys_bpf kernel/bpf/syscall.c:2891 [inline]
__se_sys_bpf+0x9687/0xbcb0 kernel/bpf/syscall.c:2849
do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1176 [inline]
free_pcp_prepare mm/page_alloc.c:1233 [inline]
free_unref_page_prepare+0x297/0x380 mm/page_alloc.c:3085
free_unref_page mm/page_alloc.c:3134 [inline]
free_the_page mm/page_alloc.c:4953 [inline]
__free_pages+0xaf/0x140 mm/page_alloc.c:4961
__vunmap+0x75b/0x890 mm/vmalloc.c:2260
kcov_mmap+0x8c/0x120 kernel/kcov.c:474
call_mmap include/linux/fs.h:1996 [inline]
mmap_region+0x110d/0x16f0 mm/mmap.c:1812
do_mmap+0x822/0xd30 mm/mmap.c:1581
do_mmap_pgoff include/linux/mm.h:2480 [inline]
vm_mmap_pgoff+0x1b5/0x260 mm/util.c:528
ksys_mmap_pgoff+0x168/0x1e0 mm/mmap.c:1631
do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Memory state around the buggy address:
ffff8881df613080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881df613100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881df613180: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
ffff8881df613200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881df613280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 1e3932067 P4D 1e3932067 PUD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 1445 Comm: syz.4.270 Tainted: G B 5.4.290-syzkaller-00017-g6b07fcd94a6a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6e09d18 EFLAGS: 00010206
RAX: ffffffff8154e8ca RBX: 0000000000000100 RCX: ffff8881f37c9f80
RDX: 0000000080000100 RSI: 0000000000000000 RDI: ffff8881df6131c0
RBP: ffff8881f6e09ec8 R08: ffffffff8154e50e R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000ffffa4a0
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881df6131c0
FS: 00007f2d02d866c0(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001ed8a1000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
call_timer_fn+0x36/0x390 kernel/time/timer.c:1448
expire_timers kernel/time/timer.c:1493 [inline]
__run_timers+0x879/0xbe0 kernel/time/timer.c:1817
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1830
__do_softirq+0x23b/0x6b7 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x195/0x1c0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:539 [inline]
smp_apic_timer_interrupt+0x11a/0x490 arch/x86/kernel/apic/apic.c:1161
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
RIP: 0010:__read_once_size include/linux/compiler.h:268 [inline]
RIP: 0010:do_syscall_64+0x28/0x1c0 arch/x86/entry/common.c:285
Code: 00 00 55 41 57 41 56 41 55 41 54 53 49 89 f6 49 89 fc 48 bb 00 00 00 00 00 fc ff df e8 71 db 63 00 fb 65 4c 8b 2d e8 1d 02 7f <4d> 89 ef 49 c1 ef 03 41 80 3c 1f 00 74 08 4c 89 ef e8 82 c5 93 00
RSP: 0018:ffff8881de8aff20 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
RAX: ffffffff81006f8f RBX: dffffc0000000000 RCX: ffff8881f37c9f80
RDX: 0000000000000000 RSI: ffff8881de8aff58 RDI: 00000000000000ca
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000000ca
R13: ffff8881f37c9f80 R14: ffff8881de8aff58 R15: 0000000000000000
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7f2d0475e169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2d02d860e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007f2d04977168 RCX: 00007f2d0475e169
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f2d0497716c
RBP: 00007f2d04977160 R08: 00007fff473ef0b0 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 00007f2d0497716c
R13: 0000000000000000 R14: 00007fff473eb9e0 R15: 00007fff473ebac8
Modules linked in:
CR2: 0000000000000000
---[ end trace ef4203e5965e04e8 ]---
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6e09d18 EFLAGS: 00010206
RAX: ffffffff8154e8ca RBX: 0000000000000100 RCX: ffff8881f37c9f80
RDX: 0000000080000100 RSI: 0000000000000000 RDI: ffff8881df6131c0
RBP: ffff8881f6e09ec8 R08: ffffffff8154e50e R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000ffffa4a0
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881df6131c0
FS: 00007f2d02d866c0(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001ed8a1000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
----------------
Code disassembly (best guess), 3 bytes skipped:
0: 00 00 add %al,(%rax)
2: 49 8b 06 mov (%r14),%rax
5: 48 63 0d 0b e5 59 03 movslq 0x359e50b(%rip),%rcx # 0x359e517
c: 48 8d 5c 08 04 lea 0x4(%rax,%rcx,1),%rbx
11: 48 89 d8 mov %rbx,%rax
14: 48 c1 e8 03 shr $0x3,%rax
18: 42 0f b6 04 20 movzbl (%rax,%r12,1),%eax
1d: 84 c0 test %al,%al
1f: 0f 85 9c 03 00 00 jne 0x3c1
25: 8b 1b mov (%rbx),%ebx
* 27: 31 ff xor %edi,%edi <-- trapping instruction
29: 44 89 3c 24 mov %r15d,(%rsp)
2d: 44 89 fe mov %r15d,%esi
30: e8 ae de 59 ff call 0xff59dee3
35: 48 8b 44 24 10 mov 0x10(%rsp),%rax
3a: 4c rex.WR
3b: 8d .byte 0x8d
3c: 70 .byte 0x70