BUG: unable to handle page fault for address: ffffffff83c665e0
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation
PGD 5e11067 P4D 5e11067 PUD 5e12063 PMD 3c001e1 
Oops: 0003 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 5614 Comm: syz-executor Not tainted 5.4.290-syzkaller-00017-g6b07fcd94a6a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:__hlist_del include/linux/list.h:791 [inline]
RIP: 0010:detach_timer kernel/time/timer.c:824 [inline]
RIP: 0010:expire_timers kernel/time/timer.c:1482 [inline]
RIP: 0010:__run_timers+0x7be/0xbe0 kernel/time/timer.c:1817
Code: 74 2e e8 a5 66 0f 00 49 83 c5 08 4c 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 80 3c 08 00 74 08 4c 89 ef e8 32 51 3f 00 <4d> 89 65 00 eb 05 e8 77 66 0f 00 49 bd 00 00 00 00 00 fc ff df 42
RSP: 0018:ffff8881f6f09d60 EFLAGS: 00010046
RAX: 1ffffffff078ccbc RBX: 1ffff1103ad0d639 RCX: dffffc0000000000
RDX: 0000000080000102 RSI: 0000000000000004 RDI: ffff8881f6f09ce0
RBP: ffff8881f6f09ec8 R08: dffffc0000000000 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff8881f6f09e20
R13: ffffffff83c665e0 R14: 1ffff1103ad0d638 R15: ffff8881d686b1c8
FS:  00005555646bc500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff83c665e0 CR3: 00000001ca162000 CR4: 00000000003406a0
DR0: 0000400000000300 DR1: 0000400000000300 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1830
 __do_softirq+0x23b/0x6b7 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x195/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:539 [inline]
 smp_apic_timer_interrupt+0x11a/0x490 arch/x86/kernel/apic/apic.c:1161
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
 </IRQ>
RIP: 0010:check_memory_region+0x6/0x280 mm/kasan/generic.c:190
Code: 41 5e 41 5f 5d c3 48 c7 c7 bb 82 5a 85 eb 0a 48 c7 c7 f3 82 5a 85 4c 89 fe e8 6c 8f c1 02 31 db eb d7 90 90 55 41 57 41 56 53 <b0> 01 48 85 f6 0f 84 8e 01 00 00 48 89 fd 48 c1 ed 2f 81 fd ff ff
RSP: 0018:ffff8881e14979b0 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffff1103d51ed34 RBX: ffff8881e8bc8ec0 RCX: ffffffff81a23462
RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff8881e8bc8ec0
RBP: ffff8881c81177f0 R08: dffffc0000000000 R09: ffffed103d1791d4
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: 0000000000000000 R14: 00000000000000fe R15: 0000000000000003
 __clear_bit include/asm-generic/bitops-instrumented.h:71 [inline]
 __clear_open_fd fs/file.c:246 [inline]
 dup_fd+0x652/0xad0 fs/file.c:345
 copy_files+0xe1/0x1f0 kernel/fork.c:1485
 copy_process+0x11e3/0x3230 kernel/fork.c:2040
 _do_fork+0x197/0x900 kernel/fork.c:2399
 __do_sys_clone kernel/fork.c:2557 [inline]
 __se_sys_clone kernel/fork.c:2538 [inline]
 __x64_sys_clone+0x26b/0x2c0 kernel/fork.c:2538
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7ff7efbbf9d3
Code: 1f 84 00 00 00 00 00 64 48 8b 04 25 10 00 00 00 45 31 c0 31 d2 31 f6 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 89 c2 85 c0 75 2c 64 48 8b 04 25 10 00 00
RSP: 002b:00007fff92fb00c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff7efbbf9d3
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
R10: 00005555646bc7d0 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000000927c0 R14: 000000000007224b R15: 00007fff92fb0260
Modules linked in:
CR2: ffffffff83c665e0
---[ end trace 691f7700812b8bb9 ]---
RIP: 0010:__hlist_del include/linux/list.h:791 [inline]
RIP: 0010:detach_timer kernel/time/timer.c:824 [inline]
RIP: 0010:expire_timers kernel/time/timer.c:1482 [inline]
RIP: 0010:__run_timers+0x7be/0xbe0 kernel/time/timer.c:1817
Code: 74 2e e8 a5 66 0f 00 49 83 c5 08 4c 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 80 3c 08 00 74 08 4c 89 ef e8 32 51 3f 00 <4d> 89 65 00 eb 05 e8 77 66 0f 00 49 bd 00 00 00 00 00 fc ff df 42
RSP: 0018:ffff8881f6f09d60 EFLAGS: 00010046
RAX: 1ffffffff078ccbc RBX: 1ffff1103ad0d639 RCX: dffffc0000000000
RDX: 0000000080000102 RSI: 0000000000000004 RDI: ffff8881f6f09ce0
RBP: ffff8881f6f09ec8 R08: dffffc0000000000 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff8881f6f09e20
R13: ffffffff83c665e0 R14: 1ffff1103ad0d638 R15: ffff8881d686b1c8
FS:  00005555646bc500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff83c665e0 CR3: 00000001ca162000 CR4: 00000000003406a0
DR0: 0000400000000300 DR1: 0000400000000300 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
----------------
Code disassembly (best guess):
   0:	74 2e                	je     0x30
   2:	e8 a5 66 0f 00       	call   0xf66ac
   7:	49 83 c5 08          	add    $0x8,%r13
   b:	4c 89 e8             	mov    %r13,%rax
   e:	48 c1 e8 03          	shr    $0x3,%rax
  12:	48 b9 00 00 00 00 00 	movabs $0xdffffc0000000000,%rcx
  19:	fc ff df
  1c:	80 3c 08 00          	cmpb   $0x0,(%rax,%rcx,1)
  20:	74 08                	je     0x2a
  22:	4c 89 ef             	mov    %r13,%rdi
  25:	e8 32 51 3f 00       	call   0x3f515c
* 2a:	4d 89 65 00          	mov    %r12,0x0(%r13) <-- trapping instruction
  2e:	eb 05                	jmp    0x35
  30:	e8 77 66 0f 00       	call   0xf66ac
  35:	49 bd 00 00 00 00 00 	movabs $0xdffffc0000000000,%r13
  3c:	fc ff df
  3f:	42                   	rex.X