==================================================================
BUG: KASAN: slab-out-of-bounds in __hlist_del include/linux/list.h:791 [inline]
BUG: KASAN: slab-out-of-bounds in detach_timer kernel/time/timer.c:824 [inline]
BUG: KASAN: slab-out-of-bounds in expire_timers kernel/time/timer.c:1482 [inline]
BUG: KASAN: slab-out-of-bounds in __run_timers+0x759/0xb60 kernel/time/timer.c:1817
Write of size 8 at addr ffff8881d4b8f1c8 by task syz.4.359/1643

CPU: 1 PID: 1643 Comm: syz.4.359 Tainted: G        W         5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 <IRQ>
 __dump_stack+0x1e/0x20 lib/dump_stack.c:77
 dump_stack+0x15b/0x1b8 lib/dump_stack.c:118
 print_address_description+0x8d/0x4c0 mm/kasan/report.c:384
 __kasan_report+0xef/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:137
 __hlist_del include/linux/list.h:791 [inline]
 detach_timer kernel/time/timer.c:824 [inline]
 expire_timers kernel/time/timer.c:1482 [inline]
 __run_timers+0x759/0xb60 kernel/time/timer.c:1817
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1830
 __do_softirq+0x236/0x660 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x197/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:539 [inline]
 smp_apic_timer_interrupt+0x11d/0x490 arch/x86/kernel/apic/apic.c:1161
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
 </IRQ>
RIP: 0010:check_kcov_mode kernel/kcov.c:153 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x17/0x50 kernel/kcov.c:187
Code: 96 d1 85 e8 6b f2 2d 00 5d c3 00 00 90 90 00 00 90 90 00 55 48 89 e5 48 8b 45 08 65 48 8b 0d 90 0e a3 7e 65 8b 15 95 0e a3 7e <f7> c2 00 01 1f 00 74 02 5d c3 8b 91 00 0a 00 00 83 fa 02 75 f3 48
RSP: 0018:ffff8881d2cbf610 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: ffffffff81849c0e RBX: ffff8881e2971b70 RCX: ffff8881e82b0000
RDX: 0000000080000001 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8881d2cbf610 R08: dffffc0000000000 R09: fffff94000e1a2cf
R10: fffff94000e1a2cf R11: 1ffffd4000e1a2ce R12: 1ffff1103c52e36e
R13: 0000200000200000 R14: 000020000016f000 R15: 0000000000000000
 zap_pte_range mm/memory.c:1069 [inline]
 zap_pmd_range mm/memory.c:1222 [inline]
 zap_pud_range mm/memory.c:1251 [inline]
 zap_p4d_range mm/memory.c:1272 [inline]
 unmap_page_range+0xb7e/0x1b20 mm/memory.c:1293
 unmap_single_vma mm/memory.c:1338 [inline]
 unmap_vmas+0x245/0x340 mm/memory.c:1370
 exit_mmap+0x2bb/0x520 mm/mmap.c:3191
 __mmput+0x92/0x2e0 kernel/fork.c:1101
 mmput+0x47/0x60 kernel/fork.c:1122
 exit_mm kernel/exit.c:538 [inline]
 do_exit+0x99f/0x2660 kernel/exit.c:848
 do_group_exit+0x13e/0x300 kernel/exit.c:984
 get_signal+0xdee/0x13d0 kernel/signal.c:2738
 do_signal+0xad/0xda0 arch/x86/kernel/signal.c:809
 exit_to_usermode_loop+0xc4/0x1b0 arch/x86/entry/common.c:159
 prepare_exit_to_usermode+0x18e/0x1f0 arch/x86/entry/common.c:194
 syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
 do_syscall_64+0x13e/0x170 arch/x86/entry/common.c:300
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7fe326923969
Code: Bad RIP value.
RSP: 002b:00007fe324f8c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: fffffffffffffff4 RBX: 00007fe326b4afa0 RCX: 00007fe326923969
RDX: 0000200000000040 RSI: 00000000400454ca RDI: 0000000000000007
RBP: 00007fe3269a5ab1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fe326b4afa0 R15: 00007ffe20457dc8

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8881d4b8ed00
 which belongs to the cache UNIX of size 1152
The buggy address is located 72 bytes to the right of
 1152-byte region [ffff8881d4b8ed00, ffff8881d4b8f180)
The buggy address belongs to the page:
page:ffffea000752e300 refcount:1 mapcount:0 mapping:ffff8881f5e90c80 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5e90c80
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x35e/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x1296/0x1310 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x202/0x4b0 mm/page_alloc.c:4894
 alloc_slab_page+0x3c/0x3b0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x93/0x420 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x29e/0x420 mm/slub.c:2667
 __slab_alloc+0x63/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x12c/0x270 mm/slub.c:2842
 sk_prot_alloc+0x5c/0x410 net/core/sock.c:1616
 sk_alloc+0x38/0x330 net/core/sock.c:1680
 unix_create1+0x90/0x5a0 net/unix/af_unix.c:789
 unix_create+0x135/0x1c0 net/unix/af_unix.c:850
 __sock_create+0x3a8/0x740 net/socket.c:1427
 sock_create net/socket.c:1478 [inline]
 __sys_socket+0xec/0x190 net/socket.c:1520
 __do_sys_socket net/socket.c:1529 [inline]
 __se_sys_socket net/socket.c:1527 [inline]
 __x64_sys_socket+0x7a/0x90 net/socket.c:1527
 do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x7e4/0x910 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4956 [inline]
 __free_pages mm/page_alloc.c:4962 [inline]
 free_pages+0xf9/0x180 mm/page_alloc.c:4970
 stack_depot_save+0x492/0x4c0 lib/stackdepot.c:300
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x1c3/0x200 mm/kasan/common.c:529
 kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:537
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 __kmalloc_track_caller+0x10d/0x2d0 mm/slub.c:4449
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 pskb_expand_head+0x123/0x1110 net/core/skbuff.c:1653
 netlink_trim+0x1ae/0x250 net/netlink/af_netlink.c:1288
 netlink_broadcast_filtered+0x75/0x1290 net/netlink/af_netlink.c:1493
 netlink_broadcast net/netlink/af_netlink.c:1538 [inline]
 nlmsg_multicast include/net/netlink.h:968 [inline]
 nlmsg_notify+0xed/0x1b0 net/netlink/af_netlink.c:2510
 rtnl_notify net/core/rtnetlink.c:737 [inline]
 rtmsg_ifinfo_send net/core/rtnetlink.c:3552 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:3567 [inline]
 rtmsg_ifinfo+0xea/0x130 net/core/rtnetlink.c:3573
 netdev_state_change+0x116/0x1a0 net/core/dev.c:1275
 linkwatch_do_dev+0x102/0x140 net/core/link_watch.c:159
 __linkwatch_run_queue+0x412/0x7e0 net/core/link_watch.c:205
 linkwatch_event+0x4c/0x60 net/core/link_watch.c:244
 process_one_work+0x73b/0xcc0 kernel/workqueue.c:2290

Memory state around the buggy address:
 ffff8881d4b8f080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881d4b8f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881d4b8f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff8881d4b8f200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881d4b8f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 1d9802067 P4D 1d9802067 PUD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 1643 Comm: syz.4.359 Tainted: G    B   W         5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6f09cf0 EFLAGS: 00010202
RAX: ffffffff8150a590 RBX: 0000000000000101 RCX: ffff8881e82b0000
RDX: 0000000000000101 RSI: 0000000000000000 RDI: ffff8881d4b8f1c0
RBP: ffff8881f6f09d30 R08: 0000000000000004 R09: 0000000000000003
R10: ffffed103ede1398 R11: 1ffff1103ede1398 R12: 00000000ffffa3d8
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881d4b8f1c0
FS:  00007fe324f8c6c0(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001d4028000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 call_timer_fn+0x3c/0x380 kernel/time/timer.c:1448
 expire_timers kernel/time/timer.c:1493 [inline]
 __run_timers+0x81d/0xb60 kernel/time/timer.c:1817
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1830
 __do_softirq+0x236/0x660 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x197/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:539 [inline]
 smp_apic_timer_interrupt+0x11d/0x490 arch/x86/kernel/apic/apic.c:1161
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
 </IRQ>
RIP: 0010:check_kcov_mode kernel/kcov.c:153 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x17/0x50 kernel/kcov.c:187
Code: 96 d1 85 e8 6b f2 2d 00 5d c3 00 00 90 90 00 00 90 90 00 55 48 89 e5 48 8b 45 08 65 48 8b 0d 90 0e a3 7e 65 8b 15 95 0e a3 7e <f7> c2 00 01 1f 00 74 02 5d c3 8b 91 00 0a 00 00 83 fa 02 75 f3 48
RSP: 0018:ffff8881d2cbf610 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: ffffffff81849c0e RBX: ffff8881e2971b70 RCX: ffff8881e82b0000
RDX: 0000000080000001 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8881d2cbf610 R08: dffffc0000000000 R09: fffff94000e1a2cf
R10: fffff94000e1a2cf R11: 1ffffd4000e1a2ce R12: 1ffff1103c52e36e
R13: 0000200000200000 R14: 000020000016f000 R15: 0000000000000000
 zap_pte_range mm/memory.c:1069 [inline]
 zap_pmd_range mm/memory.c:1222 [inline]
 zap_pud_range mm/memory.c:1251 [inline]
 zap_p4d_range mm/memory.c:1272 [inline]
 unmap_page_range+0xb7e/0x1b20 mm/memory.c:1293
 unmap_single_vma mm/memory.c:1338 [inline]
 unmap_vmas+0x245/0x340 mm/memory.c:1370
 exit_mmap+0x2bb/0x520 mm/mmap.c:3191
 __mmput+0x92/0x2e0 kernel/fork.c:1101
 mmput+0x47/0x60 kernel/fork.c:1122
 exit_mm kernel/exit.c:538 [inline]
 do_exit+0x99f/0x2660 kernel/exit.c:848
 do_group_exit+0x13e/0x300 kernel/exit.c:984
 get_signal+0xdee/0x13d0 kernel/signal.c:2738
 do_signal+0xad/0xda0 arch/x86/kernel/signal.c:809
 exit_to_usermode_loop+0xc4/0x1b0 arch/x86/entry/common.c:159
 prepare_exit_to_usermode+0x18e/0x1f0 arch/x86/entry/common.c:194
 syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
 do_syscall_64+0x13e/0x170 arch/x86/entry/common.c:300
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7fe326923969
Code: Bad RIP value.
RSP: 002b:00007fe324f8c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: fffffffffffffff4 RBX: 00007fe326b4afa0 RCX: 00007fe326923969
RDX: 0000200000000040 RSI: 00000000400454ca RDI: 0000000000000007
RBP: 00007fe3269a5ab1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fe326b4afa0 R15: 00007ffe20457dc8
Modules linked in:
CR2: 0000000000000000
---[ end trace a00f3f3a0f12c146 ]---
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6f09cf0 EFLAGS: 00010202
RAX: ffffffff8150a590 RBX: 0000000000000101 RCX: ffff8881e82b0000
RDX: 0000000000000101 RSI: 0000000000000000 RDI: ffff8881d4b8f1c0
RBP: ffff8881f6f09d30 R08: 0000000000000004 R09: 0000000000000003
R10: ffffed103ede1398 R11: 1ffff1103ede1398 R12: 00000000ffffa3d8
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881d4b8f1c0
FS:  00007fe324f8c6c0(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001d4028000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
----------------
Code disassembly (best guess):
   0:	96                   	xchg   %eax,%esi
   1:	d1 85 e8 6b f2 2d    	roll   0x2df26be8(%rbp)
   7:	00 5d c3             	add    %bl,-0x3d(%rbp)
   a:	00 00                	add    %al,(%rax)
   c:	90                   	nop
   d:	90                   	nop
   e:	00 00                	add    %al,(%rax)
  10:	90                   	nop
  11:	90                   	nop
  12:	00 55 48             	add    %dl,0x48(%rbp)
  15:	89 e5                	mov    %esp,%ebp
  17:	48 8b 45 08          	mov    0x8(%rbp),%rax
  1b:	65 48 8b 0d 90 0e a3 	mov    %gs:0x7ea30e90(%rip),%rcx        # 0x7ea30eb3
  22:	7e
  23:	65 8b 15 95 0e a3 7e 	mov    %gs:0x7ea30e95(%rip),%edx        # 0x7ea30ebf
* 2a:	f7 c2 00 01 1f 00    	test   $0x1f0100,%edx <-- trapping instruction
  30:	74 02                	je     0x34
  32:	5d                   	pop    %rbp
  33:	c3                   	ret
  34:	8b 91 00 0a 00 00    	mov    0xa00(%rcx),%edx
  3a:	83 fa 02             	cmp    $0x2,%edx
  3d:	75 f3                	jne    0x32
  3f:	48                   	rex.W