==================================================================
BUG: KASAN: out-of-bounds in hlist_add_head include/linux/list.h:814 [inline]
BUG: KASAN: out-of-bounds in enqueue_timer+0xc0/0x310 kernel/time/timer.c:541
Write of size 8 at addr ffff8881d7cbf1c8 by task syz.5.1296/5455
CPU: 0 PID: 5455 Comm: syz.5.1296 Not tainted 5.4.290-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d8/0x241 lib/dump_stack.c:118
print_address_description+0x8c/0x600 mm/kasan/report.c:384
__kasan_report+0xf3/0x120 mm/kasan/report.c:516
kasan_report+0x30/0x60 mm/kasan/common.c:653
__asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:137
hlist_add_head include/linux/list.h:814 [inline]
enqueue_timer+0xc0/0x310 kernel/time/timer.c:541
__internal_add_timer kernel/time/timer.c:554 [inline]
internal_add_timer+0x240/0x430 kernel/time/timer.c:604
__mod_timer+0x6f1/0x13e0 kernel/time/timer.c:1065
mod_timer+0x1f/0x30 kernel/time/timer.c:1117
can_stat_update+0xc81/0xd10 net/can/proc.c:181
call_timer_fn+0x3e/0x3b0 kernel/time/timer.c:1448
expire_timers kernel/time/timer.c:1493 [inline]
__run_timers+0x879/0xbe0 kernel/time/timer.c:1817
run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1830
__do_softirq+0x24a/0x687 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x19a/0x1c0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:539 [inline]
smp_apic_timer_interrupt+0x11e/0x4a0 arch/x86/kernel/apic/apic.c:1161
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
RIP: 0010:compound_head include/linux/page-flags.h:176 [inline]
RIP: 0010:get_page include/linux/mm.h:1121 [inline]
RIP: 0010:copy_one_pte mm/memory.c:804 [inline]
RIP: 0010:copy_pte_range mm/memory.c:855 [inline]
RIP: 0010:copy_pmd_range mm/memory.c:906 [inline]
RIP: 0010:copy_pud_range mm/memory.c:940 [inline]
RIP: 0010:copy_p4d_range mm/memory.c:962 [inline]
RIP: 0010:copy_page_range+0x1048/0x26f0 mm/memory.c:1024
Code: 89 c5 4c 8d 60 08 4d 89 e7 49 c1 ef 03 48 b8 00 00 00 00 00 fc ff df 41 80 3c 07 00 74 08 4c 89 e7 e8 cc 9e 09 00 49 8b 1c 24 <89> de 83 e6 01 31 ff e8 0c 02 d9 ff f6 c3 01 0f 85 e0 02 00 00 e8
RSP: 0018:ffff8881d989f740 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: dffffc0000000000 RBX: dead000000000100 RCX: 0000000000080000
RDX: ffffc9000354b000 RSI: 000000000002052d RDI: 000000000002052e
RBP: ffff8881d989f9d0 R08: ffffffff818c8119 R09: fffff94000ede131
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffea00076f09c8
R13: ffffea00076f09c0 R14: 80000001dbc27007 R15: 1ffffd4000ede139
dup_mmap kernel/fork.c:608 [inline]
dup_mm kernel/fork.c:1379 [inline]
copy_mm+0xb23/0x10d0 kernel/fork.c:1435
copy_process+0x1290/0x3230 kernel/fork.c:2052
_do_fork+0x197/0x900 kernel/fork.c:2399
__do_sys_clone kernel/fork.c:2557 [inline]
__se_sys_clone kernel/fork.c:2538 [inline]
__x64_sys_clone+0x26b/0x2c0 kernel/fork.c:2538
do_syscall_64+0xd8/0x170 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7f0626fe4169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f062564cfe8 EFLAGS: 00000206 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007f062720bfa0 RCX: 00007f0626fe4169
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000011
RBP: 00007f0627066a68 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f062720bfa0 R15: 00007fffbf2f65c8
The buggy address belongs to the page:
page:ffffea00075f2fc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x106dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_ZERO)
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook mm/page_alloc.c:2165 [inline]
prep_new_page+0x192/0x370 mm/page_alloc.c:2171
get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
__alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
__vmalloc_area_node mm/vmalloc.c:2431 [inline]
__vmalloc_node_range+0x363/0x700 mm/vmalloc.c:2499
__vmalloc_node mm/vmalloc.c:2554 [inline]
__vmalloc_node_flags_caller+0x7e/0x90 mm/vmalloc.c:2576
bpf_map_area_alloc+0x85/0xa0 kernel/bpf/syscall.c:155
array_map_alloc+0x273/0x6d0 kernel/bpf/arraymap.c:123
find_and_alloc_map kernel/bpf/syscall.c:122 [inline]
map_create kernel/bpf/syscall.c:573 [inline]
__do_sys_bpf kernel/bpf/syscall.c:2873 [inline]
__se_sys_bpf+0x32fa/0xbd60 kernel/bpf/syscall.c:2849
__x64_sys_bpf+0x7b/0x90 kernel/bpf/syscall.c:2849
do_syscall_64+0xd8/0x170 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1176 [inline]
free_pcp_prepare mm/page_alloc.c:1233 [inline]
free_unref_page_prepare+0x2a3/0x390 mm/page_alloc.c:3085
free_unref_page mm/page_alloc.c:3134 [inline]
free_the_page mm/page_alloc.c:4953 [inline]
__free_pages+0xaf/0x140 mm/page_alloc.c:4961
__free_slab+0x21d/0x2d0 mm/slub.c:1774
rcu_free_slab+0x14/0x20 mm/slub.c:1781
__rcu_reclaim kernel/rcu/rcu.h:222 [inline]
rcu_do_batch+0x492/0xa00 kernel/rcu/tree.c:2167
rcu_core+0x4c8/0xcb0 kernel/rcu/tree.c:2387
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2396
__do_softirq+0x24a/0x687 kernel/softirq.c:292
run_ksoftirqd+0x23/0x30 kernel/softirq.c:603
smpboot_thread_fn+0x545/0x930 kernel/smpboot.c:165
kthread+0x321/0x3a0 kernel/kthread.c:288
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
Memory state around the buggy address:
 ffff8881d7cbf080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881d7cbf100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881d7cbf180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                              ^
 ffff8881d7cbf200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881d7cbf280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 0 P4D 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5461 Comm: syz.9.1300 Tainted: G B 5.4.290-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6e09cf0 EFLAGS: 00010206
RAX: ffffffff815610b1 RBX: ffff8881f6e49500 RCX: ffff8881e7f04ec0
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff8881d7cbf1c0
RBP: ffff8881f6e09d30 R08: ffffffff81560cee R09: 0000000000000003
R10: ffffed103edc1398 R11: dffffc0000000001 R12: 00000000fffff388
R13: 0000000000000100 R14: 0000000000000000 R15: ffff8881d7cbf1c0
FS: 0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000000600e000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000200000000300 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
call_timer_fn+0x3e/0x3b0 kernel/time/timer.c:1448
expire_timers kernel/time/timer.c:1493 [inline]
__run_timers+0x879/0xbe0 kernel/time/timer.c:1817
run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1830
__do_softirq+0x24a/0x687 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x19a/0x1c0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:539 [inline]
smp_apic_timer_interrupt+0x11e/0x4a0 arch/x86/kernel/apic/apic.c:1161
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
RIP: 0010:release_pages+0x362/0xb20 mm/swap.c:802
Code: ff e8 72 7c e1 ff 48 83 e3 10 0f 85 b5 00 00 00 e8 a3 78 e1 ff 43 80 3c 34 00 0f 85 4e 05 00 00 e9 51 05 00 00 e8 8e 78 e1 ff <49> be 00 00 00 00 00 fc ff df e9 82 00 00 00 e8 7a 78 e1 ff 4d 85
RSP: 0018:ffff8881ea3ef380 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
RAX: ffffffff81842242 RBX: 0000000000000000 RCX: ffff8881e7f04ec0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8881ea3ef490 R08: ffffffff81842124 R09: fffff94000ea8ef7
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff8881e1376010
R13: 0000000000000000 R14: dffffc0000000000 R15: ffffea0007547780
free_pages_and_swap_cache+0x8a/0xa0 mm/swap_state.c:297
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:189 [inline]
tlb_flush_mmu+0xd0/0x180 mm/mmu_gather.c:196
zap_pte_range mm/memory.c:1173 [inline]
zap_pmd_range mm/memory.c:1222 [inline]
zap_pud_range mm/memory.c:1251 [inline]
zap_p4d_range mm/memory.c:1272 [inline]
unmap_page_range+0x1d29/0x2620 mm/memory.c:1293
unmap_single_vma mm/memory.c:1338 [inline]
unmap_vmas+0x355/0x4b0 mm/memory.c:1370
exit_mmap+0x2bc/0x520 mm/mmap.c:3191
__mmput+0x92/0x2d0 kernel/fork.c:1101
mmput+0x54/0x70 kernel/fork.c:1122
exit_mm kernel/exit.c:538 [inline]
do_exit+0xc08/0x2bc0 kernel/exit.c:848
do_group_exit+0x13e/0x310 kernel/exit.c:984
get_signal+0xe28/0x14b0 kernel/signal.c:2738
do_signal+0xb3/0xf10 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0xc4/0x1b0 arch/x86/entry/common.c:159
prepare_exit_to_usermode+0x19c/0x200 arch/x86/entry/common.c:194
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x144/0x170 arch/x86/entry/common.c:300
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7fd84b995169
Code: Bad RIP value.
RSP: 002b:00007fd849ffe038 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: 0000000000000000 RBX: 00007fd84bbbcfa0 RCX: 00007fd84b995169
RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000010
RBP: 00007fd84ba17a68 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fd84bbbcfa0 R15: 00007ffdd7ad9828
Modules linked in:
CR2: 0000000000000000
---[ end trace 0831d8a073ea4a22 ]---
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6e09cf0 EFLAGS: 00010206
RAX: ffffffff815610b1 RBX: ffff8881f6e49500 RCX: ffff8881e7f04ec0
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff8881d7cbf1c0
RBP: ffff8881f6e09d30 R08: ffffffff81560cee R09: 0000000000000003
R10: ffffed103edc1398 R11: dffffc0000000001 R12: 00000000fffff388
R13: 0000000000000100 R14: 0000000000000000 R15: ffff8881d7cbf1c0
FS: 0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000000600e000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000200000000300 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
----------------
Code disassembly (best guess):
0: 89 c5 mov %eax,%ebp
2: 4c 8d 60 08 lea 0x8(%rax),%r12
6: 4d 89 e7 mov %r12,%r15
9: 49 c1 ef 03 shr $0x3,%r15
d: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
14: fc ff df
17: 41 80 3c 07 00 cmpb $0x0,(%r15,%rax,1)
1c: 74 08 je 0x26
1e: 4c 89 e7 mov %r12,%rdi
21: e8 cc 9e 09 00 call 0x99ef2
26: 49 8b 1c 24 mov (%r12),%rbx
* 2a: 89 de mov %ebx,%esi <-- trapping instruction
2c: 83 e6 01 and $0x1,%esi
2f: 31 ff xor %edi,%edi
31: e8 0c 02 d9 ff call 0xffd90242
36: f6 c3 01 test $0x1,%bl
39: 0f 85 e0 02 00 00 jne 0x31f
3f: e8 .byte 0xe8
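Reading the two reports together: the KASAN headline says out-of-bounds, yet every shadow byte printed under "Memory state around the buggy address" is 00, the value for fully accessible memory, which cannot have tripped the inline check. In 5.4's mm/kasan/generic_report.c a shadow value in 0..7 is reported as out-of-bounds, with a source comment that this is only possible through a data race, and the page_owner stacks show that race: the page holding the written address was freed as a SLUB slab page (rcu_free_slab) and then reallocated, zero-filled (__GFP_ZERO), by bpf_map_area_alloc for a BPF array map. The write itself is hlist_add_head() reached from mod_timer() re-arming the CAN statistics timer inside its own callback can_stat_update() (net/can/proc.c:181); ffff8881d7cbf1c8 is entry.pprev, 8 bytes into a struct timer_list at ffff8881d7cbf1c0, and that is exactly the timer the second oops dispatches: call_timer_fn with RDI = R15 = ffff8881d7cbf1c0 and RIP 0x0, a function pointer that is now zero. The bug class is therefore a timer that keeps re-arming itself after the memory holding it was freed and reused; the report does not show which teardown path freed it or why the timer was not cancelled first. The triage helper below is an added example, not part of the syzbot report, the kernel or the CAN code: it parses the access line and the memory-state block of a generic-KASAN report, re-applies the generic_report.c classification table so that a 00 shadow byte under an out-of-bounds headline is flagged as racy, and maps the faulting address onto struct timer_list fields. The KASAN shadow constants and the timer_list layout (x86_64, no CONFIG_LOCKDEP) are assumptions transcribed from 5.4 sources, and the embedded report lines are a constructed copy of the ones above.

```c
/* Added example (not from the syzbot report, the kernel or net/can): triage a
 * generic-KASAN report by re-reading its shadow bytes. KASAN constants and the
 * timer_list layout are assumptions transcribed from 5.4 (x86_64, no LOCKDEP). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SCALE = 8, /* memory bytes per shadow byte; the rest: mm/kasan/kasan.h values */
       FREE_PAGE = 0xFF, PAGE_REDZONE = 0xFE, KMALLOC_REDZONE = 0xFC, KMALLOC_FREE = 0xFB,
       GLOBAL_REDZONE = 0xFA, STACK_LEFT = 0xF1, STACK_MID = 0xF2, STACK_RIGHT = 0xF3,
       STACK_PARTIAL = 0xF4, ALLOCA_LEFT = 0xCA, ALLOCA_RIGHT = 0xCB };

/* Constructed sample: the relevant lines of the report above, copied verbatim. */
static const char SAMPLE_REPORT[] =
    "Write of size 8 at addr ffff8881d7cbf1c8 by task syz.5.1296/5455\n"
    "Memory state around the buggy address:\n"
    ">ffff8881d7cbf180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n"
    "                                              ^\n"
    " ffff8881d7cbf200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n";

struct triage_result {
    int is_write; unsigned size; uint64_t addr; char task[64];
    int shadow;              /* shadow byte covering addr */
    const char *type;        /* what get_shadow_bug_type() prints for that byte */
    int racy;                /* 00 = accessible: unpoisoned after the check fired, so the
                                page_owner stacks, not the headline, name the bug class */
    const char *timer_field; /* field hit if addr lies inside a timer_list at timer_ptr */
};

/* Parses "Write of size 8 at addr ffff8881d7cbf1c8 by task syz.5.1296/5455". */
static int parse_access(const char *report, struct triage_result *r)
{
    const char *p = strstr(report, "Write of size "); unsigned long long addr;
    r->is_write = p != NULL;
    if (!p && !(p = strstr(report, "Read of size "))) return -1;
    if (sscanf(strstr(p, "of size "), "of size %u at addr %llx by task %63s",
               &r->size, &addr, r->task) != 3) return -1;
    r->addr = addr;
    return 0;
}

/* A row is "[ >]<base>: " plus 16 shadow bytes (128 bytes of memory); -1 if no row holds addr. */
static int shadow_byte_at(const char *report, uint64_t addr)
{
    const char *p = strstr(report, "Memory state around the buggy address:");
    for (const char *ln = p ? strchr(p, '\n') : NULL; ln; ln = strchr(ln + 1, '\n')) {
        const char *s = ln + 1;
        unsigned long long base; unsigned b = 0, idx; int n = 0;
        while (*s == ' ' || *s == '>') s++;            /* '>' marks the guilty row */
        if (sscanf(s, "%llx:%n", &base, &n) != 1 || n == 0) continue;
        if (addr < base || addr >= base + 16 * SCALE) continue;
        idx = (unsigned)((addr - base) / SCALE); s += n;
        for (unsigned i = 0; i <= idx; i++, s += n)
            if (sscanf(s, " %2x%n", &b, &n) != 1) return -1;
        return (int)b;
    }
    return -1;
}

/* The switch of get_shadow_bug_type() (5.4): 1..7 is a partial granule, so the next byte decides. */
static const char *classify_shadow(int shadow, int next_shadow)
{
    if (shadow > 0 && shadow < SCALE) shadow = next_shadow;
    if (shadow >= 0 && shadow < SCALE) return "out-of-bounds"; /* kernel: only via a data race */
    switch (shadow) {
    case PAGE_REDZONE: case KMALLOC_REDZONE: return "slab-out-of-bounds";
    case GLOBAL_REDZONE: return "global-out-of-bounds";
    case STACK_LEFT: case STACK_MID: case STACK_RIGHT: case STACK_PARTIAL: return "stack-out-of-bounds";
    case FREE_PAGE: case KMALLOC_FREE: return "use-after-free";
    case ALLOCA_LEFT: case ALLOCA_RIGHT: return "alloca-out-of-bounds";
    default: return "unknown-crash";
    }
}

/* Assumed timer_list offsets: entry.next 0, entry.pprev 8, expires 16, function 24, flags 32. */
static const char *timer_field(uint64_t timer_ptr, uint64_t addr)
{
    static const char *const f[] = { "entry.next", "entry.pprev", "expires", "function" };
    uint64_t off = addr - timer_ptr;
    if (addr < timer_ptr) return NULL;
    return off < 32 ? f[off / 8] : off < 36 ? "flags" : NULL;
}

int triage(const char *report, uint64_t timer_ptr, struct triage_result *r)
{
    memset(r, 0, sizeof(*r));
    if (parse_access(report, r) < 0 || (r->shadow = shadow_byte_at(report, r->addr)) < 0)
        return -1;
    int next = shadow_byte_at(report, r->addr + SCALE);
    r->type = classify_shadow(r->shadow, next < 0 ? r->shadow : next);
    r->racy = r->shadow == 0;
    r->timer_field = timer_field(timer_ptr, r->addr);
    return 0;
}

int main(void)
{
    struct triage_result r;  /* ffff8881d7cbf1c0 is RDI/R15 (the timer) in the RIP 0x0 oops */
    if (triage(SAMPLE_REPORT, 0xffff8881d7cbf1c0ULL, &r) < 0) return 1;
    printf("%s of %u at %llx by %s: shadow %02x -> %s%s; timer field %s\n",
           r.is_write ? "write" : "read", r.size, (unsigned long long)r.addr, r.task,
           r.shadow, r.type, r.racy ? " (racy, use page_owner)" : "", r.timer_field ? r.timer_field : "none");
    return 0;
}
```

Run as-is it triages the embedded lines; for a real report, replace SAMPLE_REPORT with the file contents and pass the timer pointer taken from the follow-on oops. The racy flag is the output that matters: the crash title is taken from the KASAN headline, so a report like this one files under out-of-bounds while the page_owner stacks say the memory was freed and reused.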