================================================================== BUG: KASAN: stack-out-of-bounds in __read_once_size include/linux/compiler.h:188 [inline] BUG: KASAN: stack-out-of-bounds in list_empty include/linux/list.h:203 [inline] BUG: KASAN: stack-out-of-bounds in thread_group_empty include/linux/sched/signal.h:594 [inline] BUG: KASAN: stack-out-of-bounds in wait_consider_task+0x31d4/0x39b0 kernel/exit.c:1381 Read of size 8 at addr ffff88019bbaacc0 by task syz-executor5/4473 CPU: 0 PID: 4473 Comm: syz-executor5 Not tainted 4.18.0-rc3+ #49 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113 print_address_description+0x6c/0x20b mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 __read_once_size include/linux/compiler.h:188 [inline] list_empty include/linux/list.h:203 [inline] thread_group_empty include/linux/sched/signal.h:594 [inline] wait_consider_task+0x31d4/0x39b0 kernel/exit.c:1381 do_wait_thread kernel/exit.c:1451 [inline] do_wait+0x477/0xb80 kernel/exit.c:1522 kernel_wait4+0x247/0x3f0 kernel/exit.c:1665 __do_sys_wait4+0x137/0x150 kernel/exit.c:1677 __se_sys_wait4 kernel/exit.c:1673 [inline] __x64_sys_wait4+0x97/0xf0 kernel/exit.c:1673 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x41012a Code: 0f 83 1a 17 00 00 c3 66 0f 1f 84 00 00 00 00 00 8b 05 6e 5e 63 00 85 c0 75 36 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 d4 ff ff ff f7 RSP: 002b:00007ffedee2e3d8 EFLAGS: 00000246 ORIG_RAX: 000000000000003d RAX: ffffffffffffffda RBX: 0000000000023a9a RCX: 000000000041012a RDX: 0000000040000001 RSI: 00007ffedee2e3f4 RDI: ffffffffffffffff RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000001742940 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: 000000000000054e R14: 00007ffedee2ea80 R15: 0000000000023a5b Allocated by task 0: (stack is not available) Freed by task 1102416563: (stack is not available) The buggy address belongs to the object at ffff88019bbaa780 which belongs to the cache task_struct(86:syz5) of size 5952 The buggy address is located 1344 bytes inside of 5952-byte region [ffff88019bbaa780, ffff88019bbabec0) The buggy address belongs to the page: page:ffffea00066eea80 count:1 mapcount:0 mapping:ffff8801d72a4380 index:0x0 compound_mapcount: 0 flags: 0x2fffc0000008100(slab|head) raw: 02fffc0000008100 ffffea0006b95b08 ffffea0006801188 ffff8801d72a4380 raw: 0000000000000000 ffff88019bbaa780 0000000100000001 ffff8801d673a5c0 page dumped because: kasan: bad access detected page->mem_cgroup:ffff8801d673a5c0 Memory state around the buggy address: ffff88019bbaab80: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 ffff88019bbaac00: f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 >ffff88019bbaac80: f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00 ^ ffff88019bbaad00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88019bbaad80: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 ================================================================== kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] SMP KASAN CPU: 0 PID: 4473 Comm: syz-executor5 Tainted: G B 4.18.0-rc3+ #49 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:rb_next+0xd7/0x140 lib/rbtree.c:541 Code: 49 89 dc 4c 89 eb 48 83 e3 fc 48 89 d8 75 c8 48 83 c4 08 5b 41 5c 41 5d 41 5e 5d c3 48 89 d0 48 8d 78 10 48 89 fa 48 c1 ea 03 <80> 3c 1a 00 75 1a 48 8b 50 10 48 85 d2 75 e3 48 83 c4 08 5b 41 5c RSP: 0018:ffff8801dae07ab8 EFLAGS: 00010007 RAX: 23b1e8c689c389ff RBX: dffffc0000000000 RCX: ffffffff87920131 RDX: 04763d18d1387141 RSI: ffffffff879201c0 RDI: 23b1e8c689c38a0f RBP: ffff8801dae07ae0 R08: ffff8801ca3a4000 R09: fffffbfff1568109 R10: fffffbfff1568109 R11: ffffffff8ab4084b R12: ffff880197c67ce0 R13: ffff880197c67ec8 R14: dffffc0000000000 R15: 0000000000000000 FS: 0000000001742940(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe8868c2610 CR3: 00000001a0fd6000 CR4: 00000000001406f0 DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 Call Trace: timerqueue_del+0xd8/0x150 lib/timerqueue.c:83 __remove_hrtimer+0xa8/0x1b0 kernel/time/hrtimer.c:984 __run_hrtimer kernel/time/hrtimer.c:1380 [inline] __hrtimer_run_queues+0x369/0x10c0 kernel/time/hrtimer.c:1460 hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline] smp_apic_timer_interrupt+0x165/0x730 arch/x86/kernel/apic/apic.c:1050 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863 RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:783 [inline] RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline] RIP: 0010:_raw_spin_unlock_irqrestore+0xa1/0xc0 kernel/locking/spinlock.c:184 Code: 68 b0 f1 88 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 21 48 83 3d 6e bb 5b 01 00 74 0e 48 89 df 57 9d <0f> 1f 44 00 00 eb bb 0f 0b 0f 0b e8 cf ef 23 fa eb 97 e8 c8 ef 23 RSP: 0018:ffff8801a08176f8 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13 RAX: dffffc0000000000 RBX: 0000000000000282 RCX: ffffffff81601b77 RDX: 1ffffffff11e360d RSI: 0000000000000004 RDI: 0000000000000282 RBP: ffff8801a0817708 R08: fffffbfff1205391 R09: fffffbfff1205390 R10: fffffbfff1205390 R11: ffffffff89029c83 R12: ffffffff89029c80 R13: 0000000000000000 R14: ffffffff81486614 R15: ffff88019bbaacc0 spin_unlock_irqrestore include/linux/spinlock.h:365 [inline] kasan_end_report+0x32/0x4f mm/kasan/report.c:178 kasan_report_error mm/kasan/report.c:359 [inline] kasan_report.cold.7+0x76/0x2fe mm/kasan/report.c:412 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 __read_once_size include/linux/compiler.h:188 [inline] list_empty include/linux/list.h:203 [inline] thread_group_empty include/linux/sched/signal.h:594 [inline] wait_consider_task+0x31d4/0x39b0 kernel/exit.c:1381 do_wait_thread kernel/exit.c:1451 [inline] do_wait+0x477/0xb80 kernel/exit.c:1522 kernel_wait4+0x247/0x3f0 kernel/exit.c:1665 __do_sys_wait4+0x137/0x150 kernel/exit.c:1677 __se_sys_wait4 kernel/exit.c:1673 [inline] __x64_sys_wait4+0x97/0xf0 kernel/exit.c:1673 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x41012a Code: 0f 83 1a 17 00 00 c3 66 0f 1f 84 00 00 00 00 00 8b 05 6e 5e 63 00 85 c0 75 36 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 d4 ff ff ff f7 RSP: 002b:00007ffedee2e3d8 EFLAGS: 00000246 ORIG_RAX: 000000000000003d RAX: ffffffffffffffda RBX: 0000000000023a9a RCX: 000000000041012a RDX: 0000000040000001 RSI: 00007ffedee2e3f4 RDI: ffffffffffffffff RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000001742940 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: 000000000000054e R14: 00007ffedee2ea80 R15: 0000000000023a5b Modules linked in: Dumping ftrace buffer: (ftrace buffer empty) ---[ end trace bad951d2f5159c9a ]--- RIP: 0010:rb_next+0xd7/0x140 lib/rbtree.c:541 Code: 49 89 dc 4c 89 eb 48 83 e3 fc 48 89 d8 75 c8 48 83 c4 08 5b 41 5c 41 5d 41 5e 5d c3 48 89 d0 48 8d 78 10 48 89 fa 48 c1 ea 03 <80> 3c 1a 00 75 1a 48 8b 50 10 48 85 d2 75 e3 48 83 c4 08 5b 41 5c RSP: 0018:ffff8801dae07ab8 EFLAGS: 00010007 RAX: 23b1e8c689c389ff RBX: dffffc0000000000 RCX: ffffffff87920131 RDX: 04763d18d1387141 RSI: ffffffff879201c0 RDI: 23b1e8c689c38a0f RBP: ffff8801dae07ae0 R08: ffff8801ca3a4000 R09: fffffbfff1568109 R10: fffffbfff1568109 R11: ffffffff8ab4084b R12: ffff880197c67ce0 R13: ffff880197c67ec8 R14: dffffc0000000000 R15: 0000000000000000 FS: 0000000001742940(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe8868c2610 CR3: 00000001a0fd6000 CR4: 00000000001406f0 DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600