==================================================================
BUG: KASAN: slab-out-of-bounds in hlist_add_head include/linux/list.h:814 [inline]
BUG: KASAN: slab-out-of-bounds in enqueue_timer+0x9e/0x2c0 kernel/time/timer.c:541
Write of size 8 at addr ffff8881e3e671c8 by task syz.0.127/873
CPU: 0 PID: 873 Comm: syz.0.127 Not tainted 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
__dump_stack+0x1e/0x20 lib/dump_stack.c:77
dump_stack+0x15b/0x1b8 lib/dump_stack.c:118
print_address_description+0x8d/0x4c0 mm/kasan/report.c:384
__kasan_report+0xef/0x120 mm/kasan/report.c:516
kasan_report+0x30/0x60 mm/kasan/common.c:653
__asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:137
hlist_add_head include/linux/list.h:814 [inline]
enqueue_timer+0x9e/0x2c0 kernel/time/timer.c:541
__internal_add_timer kernel/time/timer.c:554 [inline]
internal_add_timer+0x208/0x3e0 kernel/time/timer.c:604
__mod_timer+0x5ab/0x1150 kernel/time/timer.c:1065
mod_timer+0x1f/0x30 kernel/time/timer.c:1117
can_stat_update+0xbab/0xc40 net/can/proc.c:186
call_timer_fn+0x3c/0x380 kernel/time/timer.c:1448
expire_timers kernel/time/timer.c:1493 [inline]
__run_timers+0x81d/0xb60 kernel/time/timer.c:1817
run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1830
__do_softirq+0x236/0x660 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x197/0x1c0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:539 [inline]
smp_apic_timer_interrupt+0x11d/0x490 arch/x86/kernel/apic/apic.c:1161
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
RIP: 0010:unwind_next_frame+0x600/0x760 arch/x86/kernel/unwind_frame.c:363
Code: 00 00 00 00 00 fc ff df 48 8b 45 80 42 0f b6 04 00 84 c0 0f 85 c8 00 00 00 c7 03 00 00 00 00 31 c0 65 48 8b 0c 25 28 00 00 00 <48> 3b 4d d0 0f 85 a8 00 00 00 48 83 c4 58 5b 41 5c 41 5d 41 5e 41
RSP: 0018:ffff8881de96f838 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff13
RAX: 0000000081699001 RBX: ffff8881de96f8c8 RCX: cac631be4ece2f00
RDX: ffff8881de96fd90 RSI: 1ffff1103bd2df1a RDI: ffff8881de96f920
RBP: ffff8881de96f8b8 R08: dffffc0000000000 R09: ffff8881de96f8c8
R10: ffffed103bd2df25 R11: 1ffff1103bd2df19 R12: 0000000000000000
R13: 1ffff1103bd2df24 R14: ffff8881de96f920 R15: ffff8881de96fd78
arch_stack_walk+0x10c/0x140 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0xaa/0xf0 kernel/stacktrace.c:123
save_stack mm/kasan/common.c:70 [inline]
set_track mm/kasan/common.c:78 [inline]
__kasan_kmalloc+0x162/0x200 mm/kasan/common.c:529
kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:537
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc_node mm/slub.c:2829 [inline]
slab_alloc mm/slub.c:2837 [inline]
kmem_cache_alloc_trace+0xe6/0x290 mm/slub.c:2854
kmalloc include/linux/slab.h:556 [inline]
kzalloc include/linux/slab.h:690 [inline]
btf_parse kernel/bpf/btf.c:3325 [inline]
btf_new_fd+0x26b/0x10d0 kernel/bpf/btf.c:3416
bpf_btf_load+0x49/0x60 kernel/bpf/syscall.c:2705
__do_sys_bpf kernel/bpf/syscall.c:2936 [inline]
__se_sys_bpf+0x485/0x570 kernel/bpf/syscall.c:2849
__x64_sys_bpf+0x7b/0x90 kernel/bpf/syscall.c:2849
do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7ff6a53e8969
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff6a3a30038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007ff6a5610080 RCX: 00007ff6a53e8969
RDX: 0000000000000020 RSI: 0000200000000080 RDI: 0000000000000012
RBP: 00007ff6a546aab1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ff6a5610080 R15: 00007ffc1c6fd3a8
Allocated by task 0:
(stack is not available)
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff8881e3e66f80
which belongs to the cache RAW of size 1056
The buggy address is located 584 bytes inside of
1056-byte region [ffff8881e3e66f80, ffff8881e3e673a0)
The buggy address belongs to the page:
page:ffffea00078f9900 refcount:1 mapcount:0 mapping:ffff8881f4ce1680 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f4ce1680
raw: 0000000000000000 00000000800d000d 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook mm/page_alloc.c:2165 [inline]
prep_new_page+0x35e/0x370 mm/page_alloc.c:2171
get_page_from_freelist+0x1296/0x1310 mm/page_alloc.c:3794
__alloc_pages_nodemask+0x202/0x4b0 mm/page_alloc.c:4894
alloc_slab_page+0x3c/0x3b0 mm/slub.c:343
allocate_slab mm/slub.c:1683 [inline]
new_slab+0x93/0x420 mm/slub.c:1749
new_slab_objects mm/slub.c:2505 [inline]
___slab_alloc+0x29e/0x420 mm/slub.c:2667
__slab_alloc+0x63/0xa0 mm/slub.c:2707
slab_alloc_node mm/slub.c:2792 [inline]
slab_alloc mm/slub.c:2837 [inline]
kmem_cache_alloc+0x12c/0x270 mm/slub.c:2842
sk_prot_alloc+0x5c/0x410 net/core/sock.c:1616
sk_alloc+0x38/0x330 net/core/sock.c:1680
inet_create+0x5c9/0xd50 net/ipv4/af_inet.c:321
__sock_create+0x3a8/0x740 net/socket.c:1427
sock_create_kern+0x3b/0x50 net/socket.c:1496
inet_ctl_sock_create+0x97/0x1e0 net/ipv4/af_inet.c:1647
icmp_sk_init+0x139/0x500 net/ipv4/icmp.c:1276
ops_init+0x1ba/0x4a0 net/core/net_namespace.c:141
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1176 [inline]
__free_pages_ok+0x7e4/0x910 mm/page_alloc.c:1438
free_the_page mm/page_alloc.c:4956 [inline]
__free_pages+0x8c/0x110 mm/page_alloc.c:4962
kfree+0x1ca/0x260 mm/slub.c:4068
kvfree+0x4c/0x50 mm/util.c:625
bpf_check+0x8371/0x9cf0 kernel/bpf/verifier.c:9731
bpf_prog_load+0xa5f/0xe10 kernel/bpf/syscall.c:1724
__do_sys_bpf kernel/bpf/syscall.c:2891 [inline]
__se_sys_bpf+0x435/0x570 kernel/bpf/syscall.c:2849
__x64_sys_bpf+0x7b/0x90 kernel/bpf/syscall.c:2849
do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Memory state around the buggy address:
ffff8881e3e67080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881e3e67100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881e3e67180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
ffff8881e3e67200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881e3e67280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 1eb33d067 P4D 1eb33d067 PUD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 873 Comm: syz.0.127 Tainted: G    B 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6e09cf0 EFLAGS: 00010206
RAX: ffffffff8150a590 RBX: 0000000000000100 RCX: ffff8881ebb42f40
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff8881e3e671c0
RBP: ffff8881f6e09d30 R08: 0000000000000004 R09: 0000000000000003
R10: ffffed103edc1398 R11: 1ffff1103edc1398 R12: 00000000ffff9888
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881e3e671c0
FS: 00007ff6a3a306c0(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001eb33b000 CR4: 00000000003406b0
DR0: 0040000100000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
call_timer_fn+0x3c/0x380 kernel/time/timer.c:1448
expire_timers kernel/time/timer.c:1493 [inline]
__run_timers+0x81d/0xb60 kernel/time/timer.c:1817
run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1830
__do_softirq+0x236/0x660 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x197/0x1c0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:539 [inline]
smp_apic_timer_interrupt+0x11d/0x490 arch/x86/kernel/apic/apic.c:1161
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
RIP: 0010:unwind_next_frame+0x600/0x760 arch/x86/kernel/unwind_frame.c:363
Code: 00 00 00 00 00 fc ff df 48 8b 45 80 42 0f b6 04 00 84 c0 0f 85 c8 00 00 00 c7 03 00 00 00 00 31 c0 65 48 8b 0c 25 28 00 00 00 <48> 3b 4d d0 0f 85 a8 00 00 00 48 83 c4 58 5b 41 5c 41 5d 41 5e 41
RSP: 0018:ffff8881de96f838 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff13
RAX: 0000000081699001 RBX: ffff8881de96f8c8 RCX: cac631be4ece2f00
RDX: ffff8881de96fd90 RSI: 1ffff1103bd2df1a RDI: ffff8881de96f920
RBP: ffff8881de96f8b8 R08: dffffc0000000000 R09: ffff8881de96f8c8
R10: ffffed103bd2df25 R11: 1ffff1103bd2df19 R12: 0000000000000000
R13: 1ffff1103bd2df24 R14: ffff8881de96f920 R15: ffff8881de96fd78
arch_stack_walk+0x10c/0x140 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0xaa/0xf0 kernel/stacktrace.c:123
save_stack mm/kasan/common.c:70 [inline]
set_track mm/kasan/common.c:78 [inline]
__kasan_kmalloc+0x162/0x200 mm/kasan/common.c:529
kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:537
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc_node mm/slub.c:2829 [inline]
slab_alloc mm/slub.c:2837 [inline]
kmem_cache_alloc_trace+0xe6/0x290 mm/slub.c:2854
kmalloc include/linux/slab.h:556 [inline]
kzalloc include/linux/slab.h:690 [inline]
btf_parse kernel/bpf/btf.c:3325 [inline]
btf_new_fd+0x26b/0x10d0 kernel/bpf/btf.c:3416
bpf_btf_load+0x49/0x60 kernel/bpf/syscall.c:2705
__do_sys_bpf kernel/bpf/syscall.c:2936 [inline]
__se_sys_bpf+0x485/0x570 kernel/bpf/syscall.c:2849
__x64_sys_bpf+0x7b/0x90 kernel/bpf/syscall.c:2849
do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7ff6a53e8969
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff6a3a30038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007ff6a5610080 RCX: 00007ff6a53e8969
RDX: 0000000000000020 RSI: 0000200000000080 RDI: 0000000000000012
RBP: 00007ff6a546aab1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ff6a5610080 R15: 00007ffc1c6fd3a8
Modules linked in:
CR2: 0000000000000000
---[ end trace 46804c97b2305d64 ]---
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6e09cf0 EFLAGS: 00010206
RAX: ffffffff8150a590 RBX: 0000000000000100 RCX: ffff8881ebb42f40
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff8881e3e671c0
RBP: ffff8881f6e09d30 R08: 0000000000000004 R09: 0000000000000003
R10: ffffed103edc1398 R11: 1ffff1103edc1398 R12: 00000000ffff9888
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881e3e671c0
FS: 00007ff6a3a306c0(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001eb33b000 CR4: 00000000003406b0
DR0: 0040000100000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
----------------
Code disassembly (best guess), 7 bytes skipped:
   0:  df 48 8b                 fisttps -0x75(%rax)
   3:  45 80 42 0f b6           rex.RB addb $0xb6,0xf(%r10)
   8:  04 00                    add    $0x0,%al
   a:  84 c0                    test   %al,%al
   c:  0f 85 c8 00 00 00        jne    0xda
  12:  c7 03 00 00 00 00        movl   $0x0,(%rbx)
  18:  31 c0                    xor    %eax,%eax
  1a:  65 48 8b 0c 25 28 00     mov    %gs:0x28,%rcx
  21:  00 00
* 23:  48 3b 4d d0              cmp    -0x30(%rbp),%rcx    <-- trapping instruction
  27:  0f 85 a8 00 00 00        jne    0xd5
  2d:  48 83 c4 58              add    $0x58,%rsp
  31:  5b                       pop    %rbx
  32:  41 5c                    pop    %r12
  34:  41 5d                    pop    %r13
  36:  41 5e                    pop    %r14
  38:  41                       rex.B
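Added triage helper for the two reports above. It is not part of the syzkaller output and not kernel code; it redoes in user-space C the arithmetic a reviewer does by hand on an x86_64 generic-KASAN report: the offset of the faulting write inside the slab object, the shadow byte and "Memory state" column KASAN marked, what a shadow value of 0xfc means, and which struct timer_list field an 8-byte write at ffff8881e3e671c8 lands on if the timer handed to the NULL function in the second oops (RDI = ffff8881e3e671c0) is the same object, which the adjacent addresses suggest but the report itself does not state. Assumptions: KASAN_SHADOW_OFFSET 0xdffffc0000000000 with an 8:1 scale (the x86_64 default, and the value visible in R08 of the interrupted frame), a timer_list layout matching 5.4 without CONFIG_LOCKDEP, and a shadow-value legend taken from mm/kasan/kasan.h of that kernel generation.

```c
/*
 * Added triage helper, not from the syzkaller report and not kernel code.
 * Re-derives the KASAN address arithmetic for the report above.
 *
 * Assumptions (x86_64, generic KASAN, Linux 5.4 era):
 *   - shadow = (addr >> 3) + 0xdffffc0000000000
 *   - struct timer_list starts with an hlist_node and has no lockdep_map
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define SHADOW_BYTES_PER_ROW     16

/* Values copied from the report above (not constructed). */
static const uint64_t BUGGY_ADDR   = 0xffff8881e3e671c8ULL; /* "Write of size 8 at addr" */
static const uint64_t OBJECT_START = 0xffff8881e3e66f80ULL; /* "object at"              */
static const uint64_t OBJECT_SIZE  = 1056;                  /* cache RAW of size 1056  */
static const uint64_t TIMER_PTR    = 0xffff8881e3e671c0ULL; /* RDI/R15 in the oops     */
static const uint64_t STACK_ADDR   = 0xffff8881de96f920ULL; /* RDI of interrupted frame */

/* Mirror of struct timer_list for 5.4 x86_64 without CONFIG_LOCKDEP (assumption). */
struct hlist_node_m { uint64_t next, pprev; };
struct timer_list_m {
	struct hlist_node_m entry;
	uint64_t expires;
	uint64_t function;
	uint32_t flags;
};

/* Address of the shadow byte that guards a kernel address. */
static uint64_t kasan_shadow_of(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* First address covered by the "Memory state" row containing addr (128 bytes per row). */
static uint64_t kasan_row_start(uint64_t addr)
{
	uint64_t bytes_per_row = (uint64_t)SHADOW_BYTES_PER_ROW << KASAN_SHADOW_SCALE_SHIFT;
	return addr & ~(bytes_per_row - 1);
}

/* Index of the shadow byte in that row, i.e. the column the caret marks. */
static unsigned kasan_row_index(uint64_t addr)
{
	return (unsigned)((addr - kasan_row_start(addr)) >> KASAN_SHADOW_SCALE_SHIFT);
}

/* Offset of the access inside the slab object, or -1 if it lies outside. */
static long object_offset(uint64_t addr, uint64_t obj, uint64_t size)
{
	if (addr < obj || addr >= obj + size)
		return -1;
	return (long)(addr - obj);
}

/* Meaning of a generic-KASAN shadow byte (legend per mm/kasan/kasan.h, 5.4). */
static const char *kasan_shadow_meaning(uint8_t v)
{
	if (v == 0x00)                return "accessible";
	if (v >= 0x01 && v <= 0x07)   return "partially accessible";
	if (v == 0xff)                return "freed page";
	if (v == 0xfe)                return "kmalloc_large redzone";
	if (v == 0xfc)                return "slab redzone";
	if (v == 0xfb)                return "freed slab object";
	if (v == 0xfa)                return "global redzone";
	if (v >= 0xf1 && v <= 0xf4)   return "stack redzone";
	if (v == 0xf8)                return "use after scope";
	return "unknown";
}

/* Which timer_list field an 8-byte store at byte offset off would hit. */
static const char *timer_field_at(uint64_t off)
{
	if (off == offsetof(struct timer_list_m, entry.next))  return "entry.next";
	if (off == offsetof(struct timer_list_m, entry.pprev)) return "entry.pprev";
	if (off == offsetof(struct timer_list_m, expires))     return "expires";
	if (off == offsetof(struct timer_list_m, function))    return "function";
	return "outside timer_list";
}

int main(void)
{
	printf("offset in object : %ld bytes\n", object_offset(BUGGY_ADDR, OBJECT_START, OBJECT_SIZE));
	printf("object region end: %#llx\n", (unsigned long long)(OBJECT_START + OBJECT_SIZE));
	printf("shadow byte      : %#llx (row %#llx, column %u)\n",
	       (unsigned long long)kasan_shadow_of(BUGGY_ADDR),
	       (unsigned long long)kasan_row_start(BUGGY_ADDR), kasan_row_index(BUGGY_ADDR));
	printf("0xfc means       : %s\n", kasan_shadow_meaning(0xfc));
	printf("shadow(stack RDI): %#llx\n", (unsigned long long)kasan_shadow_of(STACK_ADDR));
	printf("write hits timer->%s\n", timer_field_at(BUGGY_ADDR - TIMER_PTR));
	return 0;
}
```

Build with any C99 compiler and run. The object offset comes out as 584 and the region end as ffff8881e3e673a0, matching the report; the row start is ffff8881e3e67180, the row KASAN marked with ">", and every byte in it decodes as slab redzone. The shadow of the interrupted frame's RDI (ffff8881de96f920) is ffffed103bd2df24, one below the R10 value of the same frame, and R13 holds exactly addr >> 3, which is consistent with generic (shadow-byte) KASAN instrumentation mid-check when the timer interrupt arrived. If the timer pointer in the second oops is the same object, the 8-byte write sits at offset 8, timer->entry.pprev, which is the store hlist_add_head performs.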