==================================================================
BUG: KASAN: slab-out-of-bounds in __hlist_del include/linux/list.h:791 [inline]
BUG: KASAN: slab-out-of-bounds in detach_timer kernel/time/timer.c:824 [inline]
BUG: KASAN: slab-out-of-bounds in expire_timers kernel/time/timer.c:1482 [inline]
BUG: KASAN: slab-out-of-bounds in __run_timers+0x759/0xb60 kernel/time/timer.c:1817
Write of size 8 at addr ffff8881c6df31c8 by task kworker/0:15/2730

CPU: 0 PID: 2730 Comm: kworker/0:15 Not tainted 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: rcu_gp process_srcu
Call Trace:
 <IRQ>
 __dump_stack+0x1e/0x20 lib/dump_stack.c:77
 dump_stack+0x15b/0x1b8 lib/dump_stack.c:118
 print_address_description+0x8d/0x4c0 mm/kasan/report.c:384
 __kasan_report+0xef/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:137
 __hlist_del include/linux/list.h:791 [inline]
 detach_timer kernel/time/timer.c:824 [inline]
 expire_timers kernel/time/timer.c:1482 [inline]
 __run_timers+0x759/0xb60 kernel/time/timer.c:1817
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1830
 __do_softirq+0x236/0x660 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x197/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:539 [inline]
 smp_apic_timer_interrupt+0x11d/0x490 arch/x86/kernel/apic/apic.c:1161
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
 </IRQ>
RIP: 0010:delay_tsc+0x62/0xc0 arch/x86/lib/delay.c:68
Code: c1 e4 20 49 09 c4 4d 29 fc 49 39 dc 73 55 bf 01 00 00 00 e8 b0 43 1b fd 65 8b 05 c5 5c dc 7b 85 c0 74 1d f3 90 bf 01 00 00 00 <e8> e9 41 1b fd e8 a4 69 fa fd 41 39 c6 75 0e 0f 01 f9 66 90 eb bc
RSP: 0018:ffff8881d7cefb88 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 0000000080000000 RBX: 0000000000002af9 RCX: 0000000000000000
RDX: 0000000000000036 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffff8881d7cefba8 R08: dffffc0000000000 R09: ffffed103af9df79
R10: ffffed103af9df79 R11: 1ffff1103af9df78 R12: 000000000000165a
R13: 0000000000000e27 R14: 0000000000000000 R15: 0000003687448049
 __delay arch/x86/lib/delay.c:161 [inline]
 __const_udelay+0x61/0x70 arch/x86/lib/delay.c:175
 try_check_zero+0x2dc/0x350 kernel/rcu/srcutree.c:708
 srcu_advance_state kernel/rcu/srcutree.c:1146 [inline]
 process_srcu+0x183/0xc60 kernel/rcu/srcutree.c:1241
 process_one_work+0x73b/0xcc0 kernel/workqueue.c:2290
 worker_thread+0xa5c/0x13b0 kernel/workqueue.c:2436
 kthread+0x31e/0x3a0 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

Allocated by task 3069:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x162/0x200 mm/kasan/common.c:529
 kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:537
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xe2/0x270 mm/slub.c:2842
 sk_prot_alloc+0x5c/0x410 net/core/sock.c:1616
 sk_alloc+0x38/0x330 net/core/sock.c:1680
 unix_create1+0x90/0x5a0 net/unix/af_unix.c:789
 unix_create+0x135/0x1c0 net/unix/af_unix.c:850
 __sock_create+0x3a8/0x740 net/socket.c:1427
 sock_create net/socket.c:1478 [inline]
 __sys_socketpair+0x21e/0x5a0 net/socket.c:1582
 __do_sys_socketpair net/socket.c:1631 [inline]
 __se_sys_socketpair net/socket.c:1628 [inline]
 __x64_sys_socketpair+0x9b/0xb0 net/socket.c:1628
 do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 3068:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1c3/0x280 mm/kasan/common.c:487
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:496
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook+0xb7/0x180 mm/slub.c:1494
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0x10c/0x2c0 mm/slub.c:3096
 sk_prot_free net/core/sock.c:1661 [inline]
 __sk_destruct+0x4b9/0x640 net/core/sock.c:1749
 sk_destruct net/core/sock.c:1764 [inline]
 __sk_free+0x384/0x460 net/core/sock.c:1775
 sk_free+0x54/0x90 net/core/sock.c:1786
 sock_put include/net/sock.h:1791 [inline]
 unix_release_sock+0x8e5/0xad0 net/unix/af_unix.c:571
 unix_release+0x4e/0x80 net/unix/af_unix.c:860
 __sock_release net/socket.c:591 [inline]
 sock_close+0xe0/0x270 net/socket.c:1277
 __fput+0x2a3/0x730 fs/file_table.c:281
 ____fput+0x15/0x20 fs/file_table.c:314
 task_work_run+0x146/0x170 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x195/0x1b0 arch/x86/entry/common.c:163
 prepare_exit_to_usermode+0x18e/0x1f0 arch/x86/entry/common.c:194
 syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
 do_syscall_64+0x13e/0x170 arch/x86/entry/common.c:300
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

The buggy address belongs to the object at ffff8881c6df2d00
 which belongs to the cache UNIX of size 1152
The buggy address is located 72 bytes to the right of
 1152-byte region [ffff8881c6df2d00, ffff8881c6df3180)
The buggy address belongs to the page:
page:ffffea00071b7c00 refcount:1 mapcount:0 mapping:ffff8881f50def00 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f50def00
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x35e/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x1296/0x1310 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x202/0x4b0 mm/page_alloc.c:4894
 alloc_slab_page+0x3c/0x3b0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x93/0x420 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x29e/0x420 mm/slub.c:2667
 __slab_alloc+0x63/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x12c/0x270 mm/slub.c:2842
 sk_prot_alloc+0x5c/0x410 net/core/sock.c:1616
 sk_alloc+0x38/0x330 net/core/sock.c:1680
 unix_create1+0x90/0x5a0 net/unix/af_unix.c:789
 unix_create+0x135/0x1c0 net/unix/af_unix.c:850
 __sock_create+0x3a8/0x740 net/socket.c:1427
 sock_create net/socket.c:1478 [inline]
 __sys_socket+0xec/0x190 net/socket.c:1520
 __do_sys_socket net/socket.c:1529 [inline]
 __se_sys_socket net/socket.c:1527 [inline]
 __x64_sys_socket+0x7a/0x90 net/socket.c:1527
 do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x7e4/0x910 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4956 [inline]
 __free_pages+0x8c/0x110 mm/page_alloc.c:4962
 kfree+0x1ca/0x260 mm/slub.c:4068
 kvfree+0x4c/0x50 mm/util.c:625
 netdev_freemem+0x3f/0x60 net/core/dev.c:9583
 netdev_release+0x7f/0xb0 net/core/net-sysfs.c:1743
 device_release+0x70/0x1a0 drivers/base/core.c:1776
 kobject_cleanup lib/kobject.c:716 [inline]
 kobject_release lib/kobject.c:747 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1fe/0x2c0 lib/kobject.c:764
 put_device+0x1f/0x30 drivers/base/core.c:3010
 free_netdev+0x27e/0x320 net/core/dev.c:9746
 tun_set_iff+0x87c/0xe00 drivers/net/tun.c:2924
 __tun_chr_ioctl+0x771/0x18a0 drivers/net/tun.c:3187
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:3470
 do_vfs_ioctl+0x753/0x13f0 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xe1/0x120 fs/ioctl.c:747
 do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290

Memory state around the buggy address:
 ffff8881c6df3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881c6df3100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881c6df3180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff8881c6df3200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881c6df3280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 1dab07067 P4D 1dab07067 PUD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 2730 Comm: kworker/0:15 Tainted: G    B             5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: rcu_gp process_srcu
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6e09cf0 EFLAGS: 00010206
RAX: ffffffff8150a590 RBX: 0000000000000100 RCX: ffff8881c1ea0fc0
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff8881c6df31c0
RBP: ffff8881f6e09d30 R08: 0000000000000004 R09: 0000000000000003
R10: ffffed103edc1398 R11: 1ffff1103edc1398 R12: 00000000ffffb2b0
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881c6df31c0
FS:  0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001ea5fc000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 call_timer_fn+0x3c/0x380 kernel/time/timer.c:1448
 expire_timers kernel/time/timer.c:1493 [inline]
 __run_timers+0x81d/0xb60 kernel/time/timer.c:1817
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1830
 __do_softirq+0x236/0x660 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x197/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:539 [inline]
 smp_apic_timer_interrupt+0x11d/0x490 arch/x86/kernel/apic/apic.c:1161
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
 </IRQ>
RIP: 0010:delay_tsc+0x62/0xc0 arch/x86/lib/delay.c:68
Code: c1 e4 20 49 09 c4 4d 29 fc 49 39 dc 73 55 bf 01 00 00 00 e8 b0 43 1b fd 65 8b 05 c5 5c dc 7b 85 c0 74 1d f3 90 bf 01 00 00 00 <e8> e9 41 1b fd e8 a4 69 fa fd 41 39 c6 75 0e 0f 01 f9 66 90 eb bc
RSP: 0018:ffff8881d7cefb88 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 0000000080000000 RBX: 0000000000002af9 RCX: 0000000000000000
RDX: 0000000000000036 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffff8881d7cefba8 R08: dffffc0000000000 R09: ffffed103af9df79
R10: ffffed103af9df79 R11: 1ffff1103af9df78 R12: 000000000000165a
R13: 0000000000000e27 R14: 0000000000000000 R15: 0000003687448049
 __delay arch/x86/lib/delay.c:161 [inline]
 __const_udelay+0x61/0x70 arch/x86/lib/delay.c:175
 try_check_zero+0x2dc/0x350 kernel/rcu/srcutree.c:708
 srcu_advance_state kernel/rcu/srcutree.c:1146 [inline]
 process_srcu+0x183/0xc60 kernel/rcu/srcutree.c:1241
 process_one_work+0x73b/0xcc0 kernel/workqueue.c:2290
 worker_thread+0xa5c/0x13b0 kernel/workqueue.c:2436
 kthread+0x31e/0x3a0 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
Modules linked in:
CR2: 0000000000000000
---[ end trace 7cf6706f20dac874 ]---
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6e09cf0 EFLAGS: 00010206
RAX: ffffffff8150a590 RBX: 0000000000000100 RCX: ffff8881c1ea0fc0
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff8881c6df31c0
RBP: ffff8881f6e09d30 R08: 0000000000000004 R09: 0000000000000003
R10: ffffed103edc1398 R11: 1ffff1103edc1398 R12: 00000000ffffb2b0
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881c6df31c0
FS:  0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001ea5fc000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
----------------
Code disassembly (best guess):
   0:	c1 e4 20             	shl    $0x20,%esp
   3:	49 09 c4             	or     %rax,%r12
   6:	4d 29 fc             	sub    %r15,%r12
   9:	49 39 dc             	cmp    %rbx,%r12
   c:	73 55                	jae    0x63
   e:	bf 01 00 00 00       	mov    $0x1,%edi
  13:	e8 b0 43 1b fd       	call   0xfd1b43c8
  18:	65 8b 05 c5 5c dc 7b 	mov    %gs:0x7bdc5cc5(%rip),%eax        # 0x7bdc5ce4
  1f:	85 c0                	test   %eax,%eax
  21:	74 1d                	je     0x40
  23:	f3 90                	pause
  25:	bf 01 00 00 00       	mov    $0x1,%edi
* 2a:	e8 e9 41 1b fd       	call   0xfd1b4218 <-- trapping instruction
  2f:	e8 a4 69 fa fd       	call   0xfdfa69d8
  34:	41 39 c6             	cmp    %eax,%r14d
  37:	75 0e                	jne    0x47
  39:	0f 01 f9             	rdtscp
  3c:	66 90                	xchg   %ax,%ax
  3e:	eb bc                	jmp    0xfffffffc