==================================================================
BUG: KASAN: slab-out-of-bounds in tick_sched_handle+0x16f/0x190 kernel/time/tick-sched.c:161
Read of size 8 at addr ffff88805926c820 by task syz-executor1/22435

CPU: 0 PID: 22435 Comm: syz-executor1 Not tainted 5.0.0-rc2 #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
BUG: unable to handle kernel paging request at ffff88804ba40000
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
#PF error: [PROT] [INSTR]
PGD c201067 P4D c201067 PUD a0b86063 PMD 800000004ba001e3
Thread overran stack, or stack corrupted
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
Oops: 0011 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 22434 Comm: syz-executor0 Not tainted 5.0.0-rc2 #24
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 tick_sched_handle+0x16f/0x190 kernel/time/tick-sched.c:161
RIP: 0010:0xffff88804ba40000
 tick_sched_timer+0x47/0x130 kernel/time/tick-sched.c:1271
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <9d> 6e ac 57 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 __run_hrtimer kernel/time/hrtimer.c:1389 [inline]
 __hrtimer_run_queues+0x3a7/0x1050 kernel/time/hrtimer.c:1451
RSP: 0018:ffff888059297f58 EFLAGS: 00010092
RAX: ffff8880a947c280 RBX: ffff8880a0fbd200 RCX: 0000000000000000
RDX: 1ffff1101528f850 RSI: 0000000000000000 RDI: 0000000000000086
RBP: ffff8880a0fbd208 R08: ffff8880a947c280 R09: ffffed1015ce5b90
R10: ffffed1015ce5b8f R11: ffff8880ae72dc7b R12: 00000000ffffffea
R13: 0000000000000000 R14: ffffffff86b0236f R15: ffff888059297f88
FS:  00007f3872568700(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88804ba40000 CR3: 000000005742e000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 hrtimer_interrupt+0x314/0x770 kernel/time/hrtimer.c:1509
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
 smp_apic_timer_interrupt+0x18d/0x760 arch/x86/kernel/apic/apic.c:1060
Modules linked in:
CR2: ffff88804ba40000
---[ end trace d4d1a15dd2f54dcb ]---
RIP: 0010:0xffff88804ba40000
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <9d> 6e ac 57 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffff888059297f58 EFLAGS: 00010092
RAX: ffff8880a947c280 RBX: ffff8880a0fbd200 RCX: 0000000000000000
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
RDX: 1ffff1101528f850 RSI: 0000000000000000 RDI: 0000000000000086
RBP: ffff8880a0fbd208 R08: ffff8880a947c280 R09: ffffed1015ce5b90
R10: ffffed1015ce5b8f R11: ffff8880ae72dc7b R12: 00000000ffffffea

Allocated by task 21762:
R13: 0000000000000000 R14: ffffffff86b0236f R15: ffff888059297f88
 save_stack+0x45/0xd0 mm/kasan/common.c:73
FS:  00007f3872568700(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:496 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504
CR2: ffff88804ba40000 CR3: 000000005742e000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 __do_kmalloc_node mm/slab.c:3673 [inline]
 __kmalloc_node_track_caller+0x4e/0x70 mm/slab.c:3687
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 __kmalloc_reserve.isra.0+0x40/0xe0 net/core/skbuff.c:140