================================================================== kasan: CONFIG_KASAN_INLINE enabled BUG: KASAN: stack-out-of-bounds in __rb_insert lib/rbtree.c:126 [inline] BUG: KASAN: stack-out-of-bounds in rb_insert_color+0xac7/0x1480 lib/rbtree.c:452 kasan: GPF could be caused by NULL-ptr deref or user memory access Read of size 8 at addr ffff8801b930fce0 by task syz-executor5/5953 general protection fault: 0000 [#1] SMP KASAN CPU: 0 PID: 5953 Comm: syz-executor5 Not tainted 4.18.0-rc3-next-20180706+ #1 CPU: 1 PID: -2124464624 Comm: ³ŠµA Not tainted 4.18.0-rc3-next-20180706+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: RIP: 0010:task_css include/linux/cgroup.h:477 [inline] RIP: 0010:task_ca kernel/sched/cpuacct.c:43 [inline] RIP: 0010:cpuacct_account_field+0x13c/0x3b0 kernel/sched/cpuacct.c:365 __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113 Code: 9a 53 08 00 print_address_description+0x6c/0x20b mm/kasan/report.c:256 85 c0 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412 74 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 0d 80 __rb_insert lib/rbtree.c:126 [inline] rb_insert_color+0xac7/0x1480 lib/rbtree.c:452 3d 5e 51 3c 08 00 0f 84 79 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7d 10 48 89 fa 48 timerqueue_add+0x173/0x2b0 lib/timerqueue.c:58 c1 enqueue_hrtimer+0x18e/0x540 kernel/time/hrtimer.c:960 ea 03 <80> 3c 02 00 0f 85 49 __hrtimer_start_range_ns kernel/time/hrtimer.c:1089 [inline] hrtimer_start_range_ns+0x616/0xd20 kernel/time/hrtimer.c:1115 02 00 00 4d 8b 65 10 hrtimer_start_expires include/linux/hrtimer.h:412 [inline] do_nanosleep+0x1b0/0x750 kernel/time/hrtimer.c:1686 49 81 fc c0 a6 f7 88 0f hrtimer_nanosleep+0x2d4/0x620 kernel/time/hrtimer.c:1743 RSP: 0018:ffff8801daf078e8 EFLAGS: 00010806 RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000 __do_sys_nanosleep kernel/time/hrtimer.c:1777 [inline] __se_sys_nanosleep kernel/time/hrtimer.c:1764 [inline] __x64_sys_nanosleep+0x1e7/0x280 kernel/time/hrtimer.c:1764 RDX: 13756fc937a87382 RSI: 0000000000000000 RDI: 9bab7e49bd439c10 RBP: ffff8801daf07978 R08: 0000000000000000 R09: 0000000000000001 R10: ffff8801daf07950 R11: dffffc0000000000 R12: ffff8801b92b6600 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 R13: 9bab7e49bd439c00 R14: 1ffff1003b5e0f1e R15: 00000000000f4240 FS: 00007f8873e60700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc5ea8ed000 CR3: 00000001bf06c000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4812d1 Code: 75 14 b8 cgroup_account_cputime_field include/linux/cgroup.h:739 [inline] task_group_account_field kernel/sched/cputime.c:108 [inline] account_system_index_time+0x1dc/0x5c0 kernel/sched/cputime.c:171 23 00 00 00 0f 05 48 account_system_time+0x7f/0xb0 kernel/sched/cputime.c:199 3d account_process_tick+0x76/0x240 kernel/sched/cputime.c:498 01 f0 update_process_times+0x21/0x70 kernel/time/timer.c:1634 ff ff tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274 0f __run_hrtimer kernel/time/hrtimer.c:1398 [inline] __hrtimer_run_queues+0x3eb/0x10c0 kernel/time/hrtimer.c:1460 83 e4 02 f9 ff c3 48 83 ec 08 e8 6a 74 fd hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518 ff local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline] smp_apic_timer_interrupt+0x165/0x730 arch/x86/kernel/apic/apic.c:1050 48 89 04 24 b8 23 00 00 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:867 00 0f 05 Modules linked in: <48> 8b Dumping ftrace buffer: 3c 24 --------------------------------- 48 89 syz-exec-24965 1...2 247453289us : 0: }D c2 syz-exec-24965 1...2 247453296us : 0: }D e8 syz-exec-24965 1...2 247453299us : 0: }D b3 syz-exec-24965 1...2 247453301us : 0: }D 74 syz-exec-24965 1...2 247453304us : 0: }D fd syz-exec-24965 1...2 247453306us : 0: }D ff 48 syz-exec-24965 1...2 247453309us : 0: }D 89 d0 syz-exec-24965 1...2 247453311us : 0: }D 48 syz-exec-24965 1...2 247453314us : 0: }D 83 syz-exec-24965 1...2 247453316us : 0: }D c4 syz-exec-24965 1...2 247453319us : 0: }D 08 48 syz-exec-24965 1...2 247453321us : 0: }D 3d syz-exec-24965 1...2 247453324us : 0: }D 01 syz-exec-24965 1...2 247453326us : 0: }D syz-exec-24965 1...2 247453329us : 0: }D RSP: 002b:00007fff7c19a590 EFLAGS: 00000293 ORIG_RAX: 0000000000000023 syz-exec-24965 1...2 247453331us : 0: }D RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004812d1 syz-exec-24965 1...2 247453333us : 0: }D RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007fff7c19a5a0 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 syz-exec-24965 1...2 247453336us : 0: }D R10: 00007fff7c19a580 R11: 0000000000000293 R12: 000000000017b37a R13: 0000000000000002 R14: 000000000072bea0 R15: 0000000000000001 syz-exec-24965 1...2 247453338us : 0: }D syz-exec-24965 1...2 247453341us : 0: }D The buggy address belongs to the page: syz-exec-24965 1...2 247453343us : 0: }D page:ffffea0006e4c3c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 syz-exec-24965 1...2 247453346us : 0: }D syz-exec-24965 1...2 247453348us : 0: }D flags: 0x2fffc0000000000() raw: 02fffc0000000000 ffffea0006e4c708 ffffea0006e4c388 0000000000000000 syz-exec-24965 1...2 247453351us : 0: }D raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 syz-exec-24965 1...2 247453353us : 0: }D page dumped because: kasan: bad access detected syz-exec-24965 1...2 247453356us : 0: }D Memory state around the buggy address: syz-exec-24965 1...2 247453358us : 0: }D ffff8801b930fb80: 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 syz-exec-24965 1...2 247453361us : 0: }D ffff8801b930fc00: f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 syz-exec-24965 1...2 247453363us : 0: }D >ffff8801b930fc80: f2 f8 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 syz-exec-24965 1...2 247453365us : 0: }D ^ syz-exec-24965 1...2 247453368us : 0: }D ffff8801b930fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 syz-exec-24965 1...2 247453371us : 0: }D ffff8801b930fd80: 00 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2 syz-exec-24965 1...2 247453373us : 0: }D ==================================================================