==================================================================
BUG: KASAN: slab-out-of-bounds in hlist_move_list include/linux/list.h:870 [inline]
BUG: KASAN: slab-out-of-bounds in __collect_expired_timers kernel/time/timer.c:1514 [inline]
BUG: KASAN: slab-out-of-bounds in collect_expired_timers kernel/time/timer.c:1749 [inline]
BUG: KASAN: slab-out-of-bounds in __run_timers+0x521/0xbe0 kernel/time/timer.c:1813
Write of size 8 at addr ffff8881e5eeb1c8 by task migration/1/16

CPU: 1 PID: 16 Comm: migration/1 Not tainted 5.4.289-syzkaller-00011-g39762b7a60e9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 hlist_move_list include/linux/list.h:870 [inline]
 __collect_expired_timers kernel/time/timer.c:1514 [inline]
 collect_expired_timers kernel/time/timer.c:1749 [inline]
 __run_timers+0x521/0xbe0 kernel/time/timer.c:1813
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1830
 __do_softirq+0x23b/0x6b7 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x195/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:539 [inline]
 smp_apic_timer_interrupt+0x11a/0x490 arch/x86/kernel/apic/apic.c:1161
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
 </IRQ>
RIP: 0010:__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169 [inline]
RIP: 0010:_raw_spin_unlock_irq+0x45/0x60 kernel/locking/spinlock.c:199
Code: 08 00 74 0c 48 c7 c7 90 3c eb 85 e8 85 03 3d fd 48 83 3d 6d 0b 94 01 00 74 29 48 89 df e8 43 d6 f4 fc 66 90 fb bf 01 00 00 00 <e8> 86 c0 ed fc 65 8b 05 4b 5c ab 7b 85 c0 74 02 5b c3 e8 d4 22 a9
RSP: 0018:ffff8881f5e1fc30 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000001 RBX: ffff8881f6f57b40 RCX: dffffc0000000000
RDX: 0000000040000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffff8881f5e1fc90 R08: ffffffff8179a549 R09: fffffbfff0c98a5b
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff8881f6f57b40
R13: ffff8881f5e15e80 R14: dffffc0000000000 R15: 0000000000000000
 finish_lock_switch kernel/sched/core.c:3347 [inline]
 finish_task_switch+0x130/0x590 kernel/sched/core.c:3447
 context_switch kernel/sched/core.c:3611 [inline]
 __schedule+0xb0d/0x1320 kernel/sched/core.c:4307
 schedule+0x12c/0x1d0 kernel/sched/core.c:4375
 smpboot_thread_fn+0x5da/0x930 kernel/smpboot.c:161
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

Allocated by task 3548:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
 kmem_cache_zalloc include/linux/slab.h:680 [inline]
 __alloc_file+0x26/0x310 fs/file_table.c:101
 alloc_empty_file+0x92/0x180 fs/file_table.c:151
 path_openat+0x103/0x34b0 fs/namei.c:3672
 do_filp_open+0x20b/0x450 fs/namei.c:3713
 do_sys_open+0x39c/0x810 fs/open.c:1123
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 4053:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0x10b/0x2c0 mm/slub.c:3096
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch+0x492/0xa00 kernel/rcu/tree.c:2167
 rcu_core+0x4c8/0xcb0 kernel/rcu/tree.c:2387
 __do_softirq+0x23b/0x6b7 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881e5eeb080
 which belongs to the cache filp of size 280
The buggy address is located 48 bytes to the right of
 280-byte region [ffff8881e5eeb080, ffff8881e5eeb198)
The buggy address belongs to the page:
page:ffffea000797ba80 refcount:1 mapcount:0 mapping:ffff8881f5cfdb80 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cfdb80
raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x62/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x109/0x250 mm/slub.c:2842
 kmem_cache_zalloc include/linux/slab.h:680 [inline]
 __alloc_file+0x26/0x310 fs/file_table.c:101
 alloc_empty_file+0x92/0x180 fs/file_table.c:151
 path_openat+0x103/0x34b0 fs/namei.c:3672
 do_filp_open+0x20b/0x450 fs/namei.c:3713
 do_sys_open+0x39c/0x810 fs/open.c:1123
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x847/0x950 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4955 [inline]
 __free_pages+0x91/0x140 mm/page_alloc.c:4961
 bpf_check+0x8aeb/0xb3e0 kernel/bpf/verifier.c:9731
 bpf_prog_load kernel/bpf/syscall.c:1724 [inline]
 __do_sys_bpf kernel/bpf/syscall.c:2891 [inline]
 __se_sys_bpf+0x8139/0xbcb0 kernel/bpf/syscall.c:2849
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Memory state around the buggy address:
 ffff8881e5eeb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e5eeb100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881e5eeb180: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff8881e5eeb200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e5eeb280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 0 P4D 0 
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 16 Comm: migration/1 Tainted: G    B             5.4.289-syzkaller-00011-g39762b7a60e9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6f09d18 EFLAGS: 00010202
RAX: ffffffff8154e8aa RBX: 0000000000000102 RCX: ffff8881f5e15e80
RDX: 0000000000000102 RSI: 0000000000000000 RDI: ffff8881e5eeb1c0
RBP: ffff8881f6f09ec8 R08: ffffffff8154e4ee R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000ffffcc78
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881e5eeb1c0
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000005e0e000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 call_timer_fn+0x36/0x390 kernel/time/timer.c:1448
 expire_timers kernel/time/timer.c:1493 [inline]
 __run_timers+0x879/0xbe0 kernel/time/timer.c:1817
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1830
 __do_softirq+0x23b/0x6b7 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x195/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:539 [inline]
 smp_apic_timer_interrupt+0x11a/0x490 arch/x86/kernel/apic/apic.c:1161
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
 </IRQ>
RIP: 0010:__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169 [inline]
RIP: 0010:_raw_spin_unlock_irq+0x45/0x60 kernel/locking/spinlock.c:199
Code: 08 00 74 0c 48 c7 c7 90 3c eb 85 e8 85 03 3d fd 48 83 3d 6d 0b 94 01 00 74 29 48 89 df e8 43 d6 f4 fc 66 90 fb bf 01 00 00 00 <e8> 86 c0 ed fc 65 8b 05 4b 5c ab 7b 85 c0 74 02 5b c3 e8 d4 22 a9
RSP: 0018:ffff8881f5e1fc30 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000001 RBX: ffff8881f6f57b40 RCX: dffffc0000000000
RDX: 0000000040000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffff8881f5e1fc90 R08: ffffffff8179a549 R09: fffffbfff0c98a5b
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff8881f6f57b40
R13: ffff8881f5e15e80 R14: dffffc0000000000 R15: 0000000000000000
 finish_lock_switch kernel/sched/core.c:3347 [inline]
 finish_task_switch+0x130/0x590 kernel/sched/core.c:3447
 context_switch kernel/sched/core.c:3611 [inline]
 __schedule+0xb0d/0x1320 kernel/sched/core.c:4307
 schedule+0x12c/0x1d0 kernel/sched/core.c:4375
 smpboot_thread_fn+0x5da/0x930 kernel/smpboot.c:161
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
Modules linked in:
CR2: 0000000000000000
---[ end trace 9c77d69f313ca49a ]---
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6f09d18 EFLAGS: 00010202
RAX: ffffffff8154e8aa RBX: 0000000000000102 RCX: ffff8881f5e15e80
RDX: 0000000000000102 RSI: 0000000000000000 RDI: ffff8881e5eeb1c0
RBP: ffff8881f6f09ec8 R08: ffffffff8154e4ee R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000ffffcc78
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881e5eeb1c0
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000005e0e000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
----------------
Code disassembly (best guess):
   0:	08 00                	or     %al,(%rax)
   2:	74 0c                	je     0x10
   4:	48 c7 c7 90 3c eb 85 	mov    $0xffffffff85eb3c90,%rdi
   b:	e8 85 03 3d fd       	call   0xfd3d0395
  10:	48 83 3d 6d 0b 94 01 	cmpq   $0x0,0x1940b6d(%rip)        # 0x1940b85
  17:	00
  18:	74 29                	je     0x43
  1a:	48 89 df             	mov    %rbx,%rdi
  1d:	e8 43 d6 f4 fc       	call   0xfcf4d665
  22:	66 90                	xchg   %ax,%ax
  24:	fb                   	sti
  25:	bf 01 00 00 00       	mov    $0x1,%edi
* 2a:	e8 86 c0 ed fc       	call   0xfcedc0b5 <-- trapping instruction
  2f:	65 8b 05 4b 5c ab 7b 	mov    %gs:0x7bab5c4b(%rip),%eax        # 0x7bab5c81
  36:	85 c0                	test   %eax,%eax
  38:	74 02                	je     0x3c
  3a:	5b                   	pop    %rbx
  3b:	c3                   	ret
  3c:	e8                   	.byte 0xe8
  3d:	d4                   	(bad)
  3e:	22                   	.byte 0x22
  3f:	a9                   	.byte 0xa9