==================================================================
BUG: KASAN: slab-out-of-bounds in __hlist_del include/linux/list.h:791 [inline]
BUG: KASAN: slab-out-of-bounds in detach_timer kernel/time/timer.c:824 [inline]
BUG: KASAN: slab-out-of-bounds in expire_timers kernel/time/timer.c:1482 [inline]
BUG: KASAN: slab-out-of-bounds in __run_timers+0x7be/0xbe0 kernel/time/timer.c:1817
Write of size 8 at addr ffff8881ed31f1c8 by task syz.1.470/2081
CPU: 0 PID: 2081 Comm: syz.1.470 Tainted: G W 5.4.290-syzkaller-00017-g6b07fcd94a6a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d8/0x241 lib/dump_stack.c:118
print_address_description+0x8c/0x600 mm/kasan/report.c:384
__kasan_report+0xf3/0x120 mm/kasan/report.c:516
kasan_report+0x30/0x60 mm/kasan/common.c:653
__hlist_del include/linux/list.h:791 [inline]
detach_timer kernel/time/timer.c:824 [inline]
expire_timers kernel/time/timer.c:1482 [inline]
__run_timers+0x7be/0xbe0 kernel/time/timer.c:1817
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1830
__do_softirq+0x23b/0x6b7 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x195/0x1c0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:539 [inline]
smp_apic_timer_interrupt+0x11a/0x490 arch/x86/kernel/apic/apic.c:1161
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
RIP: 0010:netdev_notifier_info_to_dev include/linux/netdevice.h:2625 [inline]
RIP: 0010:tee_netdev_event+0x2f/0x480 net/netfilter/xt_TEE.c:63
Code: 41 55 41 54 53 48 83 ec 28 48 89 d3 49 89 f5 49 bf 00 00 00 00 00 fc ff df e8 1d 0c bf fd 48 89 d8 48 c1 e8 03 42 80 3c 38 00 <74> 08 48 89 df e8 37 f6 ee fd 48 8b 03 48 89 44 24 10 4c 8d b0 b0
RSP: 0018:ffff8881d38c7920 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 1ffff1103a718f50 RBX: ffff8881d38c7a80 RCX: 0000000000080000
RDX: ffffc90000940000 RSI: 000000000000ad48 RDI: 000000000000ad49
RBP: 00000000ffffffe9 R08: ffffffff814358a4 R09: fffffbfff0c74551
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffffff863fb2c0
R13: 0000000000000011 R14: dffffc0000000000 R15: dffffc0000000000
notifier_call_chain kernel/notifier.c:98 [inline]
__raw_notifier_call_chain kernel/notifier.c:399 [inline]
raw_notifier_call_chain+0x95/0x110 kernel/notifier.c:406
call_netdevice_notifiers_info net/core/dev.c:1670 [inline]
call_netdevice_notifiers_extack net/core/dev.c:1682 [inline]
call_netdevice_notifiers net/core/dev.c:1696 [inline]
register_netdevice+0xb7f/0x12a0 net/core/dev.c:9204
ppp_unit_register drivers/net/ppp/ppp_generic.c:1020 [inline]
ppp_dev_configure+0x7f7/0xab0 drivers/net/ppp/ppp_generic.c:1076
ppp_create_interface drivers/net/ppp/ppp_generic.c:3090 [inline]
ppp_unattached_ioctl drivers/net/ppp/ppp_generic.c:864 [inline]
ppp_ioctl+0x672/0x15d0 drivers/net/ppp/ppp_generic.c:617
do_vfs_ioctl+0x742/0x1720 fs/ioctl.c:47
ksys_ioctl fs/ioctl.c:742 [inline]
__do_sys_ioctl fs/ioctl.c:749 [inline]
__se_sys_ioctl fs/ioctl.c:747 [inline]
__x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7f1c61578169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1c5fbe2038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f1c61790fa0 RCX: 00007f1c61578169
RDX: 000000110c230000 RSI: 00000000c004743e RDI: 0000000000000004
RBP: 00007f1c615f92a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f1c61790fa0 R15: 00007ffee749a0f8
Allocated by task 0:
(stack is not available)
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff8881ed31ef80
which belongs to the cache RAW of size 1056
The buggy address is located 584 bytes inside of
1056-byte region [ffff8881ed31ef80, ffff8881ed31f3a0)
The buggy address belongs to the page:
page:ffffea0007b4c700 refcount:1 mapcount:0 mapping:ffff8881f4fce780 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f4fce780
raw: 0000000000000000 00000000800d000d 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook mm/page_alloc.c:2165 [inline]
prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
__alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
alloc_slab_page+0x39/0x3c0 mm/slub.c:343
allocate_slab mm/slub.c:1683 [inline]
new_slab+0x97/0x440 mm/slub.c:1749
new_slab_objects mm/slub.c:2505 [inline]
___slab_alloc+0x2fe/0x490 mm/slub.c:2667
__slab_alloc+0x62/0xa0 mm/slub.c:2707
slab_alloc_node mm/slub.c:2792 [inline]
slab_alloc mm/slub.c:2837 [inline]
kmem_cache_alloc+0x109/0x250 mm/slub.c:2842
sk_prot_alloc+0x63/0x3e0 net/core/sock.c:1616
sk_alloc+0x35/0x2f0 net/core/sock.c:1680
inet_create+0x693/0xef0 net/ipv4/af_inet.c:321
__sock_create+0x3cb/0x7a0 net/socket.c:1427
inet_ctl_sock_create+0xbe/0x200 net/ipv4/af_inet.c:1647
icmp_sk_init+0x15a/0x570 net/ipv4/icmp.c:1276
ops_init+0x1d4/0x4a0 net/core/net_namespace.c:141
setup_net+0x214/0x990 net/core/net_namespace.c:348
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1176 [inline]
free_pcp_prepare mm/page_alloc.c:1233 [inline]
free_unref_page_prepare+0x297/0x380 mm/page_alloc.c:3085
free_unref_page mm/page_alloc.c:3134 [inline]
free_the_page mm/page_alloc.c:4953 [inline]
__free_pages+0xaf/0x140 mm/page_alloc.c:4961
pcpu_free_pages mm/percpu-vm.c:64 [inline]
pcpu_depopulate_chunk mm/percpu-vm.c:328 [inline]
pcpu_balance_workfn+0x940/0x1450 mm/percpu.c:1865
process_one_work+0x765/0xd20 kernel/workqueue.c:2290
worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
kthread+0x2da/0x360 kernel/kthread.c:288
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
Memory state around the buggy address:
ffff8881ed31f080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881ed31f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881ed31f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8881ed31f200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881ed31f280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 1c8b48067 P4D 1c8b48067 PUD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 2081 Comm: syz.1.470 Tainted: G B W 5.4.290-syzkaller-00017-g6b07fcd94a6a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6e09d18 EFLAGS: 00010206
RAX: ffffffff8154e8ca RBX: 0000000000000100 RCX: ffff8881e822bf00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff8881ed31f1c0
RBP: ffff8881f6e09ec8 R08: ffffffff8154e50e R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000ffffa440
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881ed31f1c0
FS: 00007f1c5fbe26c0(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001eb7a1000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
call_timer_fn+0x36/0x390 kernel/time/timer.c:1448
expire_timers kernel/time/timer.c:1493 [inline]
__run_timers+0x879/0xbe0 kernel/time/timer.c:1817
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1830
__do_softirq+0x23b/0x6b7 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x195/0x1c0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:539 [inline]
smp_apic_timer_interrupt+0x11a/0x490 arch/x86/kernel/apic/apic.c:1161
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
RIP: 0010:netdev_notifier_info_to_dev include/linux/netdevice.h:2625 [inline]
RIP: 0010:tee_netdev_event+0x2f/0x480 net/netfilter/xt_TEE.c:63
Code: 41 55 41 54 53 48 83 ec 28 48 89 d3 49 89 f5 49 bf 00 00 00 00 00 fc ff df e8 1d 0c bf fd 48 89 d8 48 c1 e8 03 42 80 3c 38 00 <74> 08 48 89 df e8 37 f6 ee fd 48 8b 03 48 89 44 24 10 4c 8d b0 b0
RSP: 0018:ffff8881d38c7920 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 1ffff1103a718f50 RBX: ffff8881d38c7a80 RCX: 0000000000080000
RDX: ffffc90000940000 RSI: 000000000000ad48 RDI: 000000000000ad49
RBP: 00000000ffffffe9 R08: ffffffff814358a4 R09: fffffbfff0c74551
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffffff863fb2c0
R13: 0000000000000011 R14: dffffc0000000000 R15: dffffc0000000000
notifier_call_chain kernel/notifier.c:98 [inline]
__raw_notifier_call_chain kernel/notifier.c:399 [inline]
raw_notifier_call_chain+0x95/0x110 kernel/notifier.c:406
call_netdevice_notifiers_info net/core/dev.c:1670 [inline]
call_netdevice_notifiers_extack net/core/dev.c:1682 [inline]
call_netdevice_notifiers net/core/dev.c:1696 [inline]
register_netdevice+0xb7f/0x12a0 net/core/dev.c:9204
ppp_unit_register drivers/net/ppp/ppp_generic.c:1020 [inline]
ppp_dev_configure+0x7f7/0xab0 drivers/net/ppp/ppp_generic.c:1076
ppp_create_interface drivers/net/ppp/ppp_generic.c:3090 [inline]
ppp_unattached_ioctl drivers/net/ppp/ppp_generic.c:864 [inline]
ppp_ioctl+0x672/0x15d0 drivers/net/ppp/ppp_generic.c:617
do_vfs_ioctl+0x742/0x1720 fs/ioctl.c:47
ksys_ioctl fs/ioctl.c:742 [inline]
__do_sys_ioctl fs/ioctl.c:749 [inline]
__se_sys_ioctl fs/ioctl.c:747 [inline]
__x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7f1c61578169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1c5fbe2038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f1c61790fa0 RCX: 00007f1c61578169
RDX: 000000110c230000 RSI: 00000000c004743e RDI: 0000000000000004
RBP: 00007f1c615f92a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f1c61790fa0 R15: 00007ffee749a0f8
Modules linked in:
CR2: 0000000000000000
---[ end trace 66dd1478237919fa ]---
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6e09d18 EFLAGS: 00010206
RAX: ffffffff8154e8ca RBX: 0000000000000100 RCX: ffff8881e822bf00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff8881ed31f1c0
RBP: ffff8881f6e09ec8 R08: ffffffff8154e50e R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000ffffa440
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881ed31f1c0
FS: 00007f1c5fbe26c0(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001eb7a1000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
----------------
Code disassembly (best guess):
0: 41 55 push %r13
2: 41 54 push %r12
4: 53 push %rbx
5: 48 83 ec 28 sub $0x28,%rsp
9: 48 89 d3 mov %rdx,%rbx
c: 49 89 f5 mov %rsi,%r13
f: 49 bf 00 00 00 00 00 movabs $0xdffffc0000000000,%r15
16: fc ff df
19: e8 1d 0c bf fd call 0xfdbf0c3b
1e: 48 89 d8 mov %rbx,%rax
21: 48 c1 e8 03 shr $0x3,%rax
25: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
* 2a: 74 08 je 0x34 <-- trapping instruction
2c: 48 89 df mov %rbx,%rdi
2f: e8 37 f6 ee fd call 0xfdeef66b
34: 48 8b 03 mov (%rbx),%rax
37: 48 89 44 24 10 mov %rax,0x10(%rsp)
3c: 4c rex.WR
3d: 8d .byte 0x8d
3e: b0 b0 mov $0xb0,%al