==================================================================
BUG: KASAN: slab-out-of-bounds in hlist_move_list include/linux/list.h:843 [inline]
BUG: KASAN: slab-out-of-bounds in __collect_expired_timers kernel/time/timer.c:1482 [inline]
BUG: KASAN: slab-out-of-bounds in collect_expired_timers kernel/time/timer.c:1717 [inline]
BUG: KASAN: slab-out-of-bounds in __run_timers+0x54e/0x7a0 kernel/time/timer.c:1781
Write of size 8 at addr ffff8881e8b131c8 by task ksoftirqd/1/16

CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.4.93-syzkaller-00590-g1e5f5a14faba #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1dd/0x24e lib/dump_stack.c:118
 print_address_description+0x96/0x640 mm/kasan/report.c:374
 __kasan_report+0x177/0x1f0 mm/kasan/report.c:506
 kasan_report+0x30/0x60 mm/kasan/common.c:634
 hlist_move_list include/linux/list.h:843 [inline]
 __collect_expired_timers kernel/time/timer.c:1482 [inline]
 collect_expired_timers kernel/time/timer.c:1717 [inline]
 __run_timers+0x54e/0x7a0 kernel/time/timer.c:1781
 run_timer_softirq+0x46/0x80 kernel/time/timer.c:1798
 __do_softirq+0x30f/0x769 kernel/softirq.c:292
 run_ksoftirqd+0x1f/0x30 kernel/softirq.c:603
 smpboot_thread_fn+0x551/0x930 kernel/smpboot.c:165
 kthread+0x31c/0x340 kernel/kthread.c:268
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 25479:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x129/0x1c0 mm/kasan/common.c:510
 __kmalloc+0xe7/0x2d0 mm/slub.c:3863
 kmalloc_array+0x2d/0x50 include/linux/slab.h:618
 kcalloc include/linux/slab.h:629 [inline]
 iter_file_splice_write+0x22d/0xf80 fs/splice.c:690
 splice_direct_to_actor+0x496/0xb00 fs/splice.c:976
 do_splice_direct+0x288/0x3e0 fs/splice.c:1064
 do_sendfile+0x8e4/0x1130 fs/read_write.c:1464
 __do_sys_sendfile64 fs/read_write.c:1519 [inline]
 __se_sys_sendfile64 fs/read_write.c:1511 [inline]
 __x64_sys_sendfile64+0x163/0x230 fs/read_write.c:1511
 do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 25479:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x17e/0x230 mm/kasan/common.c:471
 slab_free_hook mm/slub.c:1453 [inline]
 slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1486
 slab_free mm/slub.c:3051 [inline]
 kfree+0x12c/0x660 mm/slub.c:4017
 iter_file_splice_write+0xd40/0xf80 fs/splice.c:773
 splice_direct_to_actor+0x496/0xb00 fs/splice.c:976
 do_splice_direct+0x288/0x3e0 fs/splice.c:1064
 do_sendfile+0x8e4/0x1130 fs/read_write.c:1464
 __do_sys_sendfile64 fs/read_write.c:1519 [inline]
 __se_sys_sendfile64 fs/read_write.c:1511 [inline]
 __x64_sys_sendfile64+0x163/0x230 fs/read_write.c:1511
 do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8881e8b13000
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 200 bytes to the right of
 256-byte region [ffff8881e8b13000, ffff8881e8b13100)
The buggy address belongs to the page:
page:ffffea0007a2c480 refcount:1 mapcount:0 mapping:ffff8881f6002780 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f6002780
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881e8b13080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e8b13100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881e8b13180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff8881e8b13200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e8b13280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================