syzbot

==================================================================
BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:295 [inline]
BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:789 [inline]
BUG: KASAN: use-after-free in detach_timer kernel/time/timer.c:824 [inline]
BUG: KASAN: use-after-free in detach_if_pending+0x160/0x360 kernel/time/timer.c:841
Write of size 8 at addr ffff8881ece271c0 by task syz-executor953/423

CPU: 1 PID: 423 Comm: syz-executor953 Not tainted 5.4.290-syzkaller-00017-g6b07fcd94a6a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 __write_once_size include/linux/compiler.h:295 [inline]
 __hlist_del include/linux/list.h:789 [inline]
 detach_timer kernel/time/timer.c:824 [inline]
 detach_if_pending+0x160/0x360 kernel/time/timer.c:841
 try_to_del_timer_sync kernel/time/timer.c:1267 [inline]
 del_timer_sync+0x13c/0x230 kernel/time/timer.c:1410
 tun_flow_uninit+0x2c/0x280 drivers/net/tun.c:1452
 tun_free_netdev+0x77/0x190 drivers/net/tun.c:2404
 netdev_run_todo+0xb7f/0xdf0 net/core/dev.c:9477
 tun_detach drivers/net/tun.c:766 [inline]
 tun_chr_close+0xc1/0x130 drivers/net/tun.c:3563
 __fput+0x262/0x680 fs/file_table.c:281
 task_work_run+0x140/0x170 kernel/task_work.c:113
 ptrace_notify+0x29e/0x350 kernel/signal.c:2274
 ptrace_report_syscall include/linux/tracehook.h:66 [inline]
 tracehook_report_syscall_exit include/linux/tracehook.h:129 [inline]
 syscall_slow_exit_work+0x167/0x400 arch/x86/entry/common.c:246
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x19d/0x1c0 arch/x86/entry/common.c:300
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7fd2b3532d89
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd2b34f2218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: 0000000000000000 RBX: 00007fd2b35bd408 RCX: 00007fd2b3532d89
RDX: 0000400000000100 RSI: 00000000400454ca RDI: 0000000000000005
RBP: 00007fd2b35bd400 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd2b358a320
R13: 00004000000002c0 R14: 000040000000085c R15: 0000400000000840

Allocated by task 353:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
 kmem_cache_alloc_node include/linux/slab.h:427 [inline]
 __alloc_skb+0x7a/0x4d0 net/core/skbuff.c:198
 alloc_skb_fclone include/linux/skbuff.h:1130 [inline]
 sk_stream_alloc_skb+0x1f4/0xa70 net/ipv4/tcp.c:891
 tcp_sendmsg_locked+0xe07/0x3810 net/ipv4/tcp.c:1300
 tcp_sendmsg+0x2c/0x40 net/ipv4/tcp.c:1450
 sock_sendmsg_nosec net/socket.c:638 [inline]
 __sock_sendmsg net/socket.c:650 [inline]
 sock_write_iter+0x344/0x470 net/socket.c:1009
 call_write_iter include/linux/fs.h:1991 [inline]
 new_sync_write fs/read_write.c:483 [inline]
 __vfs_write+0x5d3/0x750 fs/read_write.c:496
 vfs_write+0x206/0x4e0 fs/read_write.c:558
 ksys_write+0x199/0x2c0 fs/read_write.c:611
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 353:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0x10b/0x2c0 mm/slub.c:3096
 __dev_kfree_skb_any+0x159/0x180 net/core/dev.c:2748
 free_old_xmit_skbs+0x119/0x290 drivers/net/virtio_net.c:1450
 start_xmit+0x109/0x1470 drivers/net/virtio_net.c:1669
 __netdev_start_xmit include/linux/netdevice.h:4538 [inline]
 netdev_start_xmit include/linux/netdevice.h:4552 [inline]
 xmit_one net/core/dev.c:3221 [inline]
 dev_hard_start_xmit+0x1b7/0x6b0 net/core/dev.c:3237
 sch_direct_xmit+0x28f/0xa10 net/sched/sch_generic.c:336
 qdisc_restart net/sched/sch_generic.c:401 [inline]
 __qdisc_run+0xa14/0x1e80 net/sched/sch_generic.c:409
 qdisc_run+0xf8/0x300 include/net/pkt_sched.h:122
 __dev_xmit_skb net/core/dev.c:3432 [inline]
 __dev_queue_xmit+0xb2b/0x2790 net/core/dev.c:3787
 neigh_hh_output include/net/neighbour.h:502 [inline]
 neigh_output include/net/neighbour.h:516 [inline]
 ip_finish_output2+0xb4f/0xfc0 net/ipv4/ip_output.c:236
 NF_HOOK_COND include/linux/netfilter.h:292 [inline]
 ip_output+0x19b/0x3a0 net/ipv4/ip_output.c:440
 dst_output include/net/dst.h:438 [inline]
 ip_local_out net/ipv4/ip_output.c:126 [inline]
 __ip_queue_xmit+0xfaa/0x1850 net/ipv4/ip_output.c:541
 __tcp_transmit_skb+0x1dfa/0x33a0 net/ipv4/tcp_output.c:1179
 tcp_transmit_skb net/ipv4/tcp_output.c:1195 [inline]
 tcp_write_xmit+0x17b0/0x5cd0 net/ipv4/tcp_output.c:2478
 __tcp_push_pending_frames+0x91/0x2e0 net/ipv4/tcp_output.c:2660
 tcp_sendmsg_locked+0x2fff/0x3810 net/ipv4/tcp.c:1420
 tcp_sendmsg+0x2c/0x40 net/ipv4/tcp.c:1450
 sock_sendmsg_nosec net/socket.c:638 [inline]
 __sock_sendmsg net/socket.c:650 [inline]
 sock_write_iter+0x344/0x470 net/socket.c:1009
 call_write_iter include/linux/fs.h:1991 [inline]
 new_sync_write fs/read_write.c:483 [inline]
 __vfs_write+0x5d3/0x750 fs/read_write.c:496
 vfs_write+0x206/0x4e0 fs/read_write.c:558
 ksys_write+0x199/0x2c0 fs/read_write.c:611
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

The buggy address belongs to the object at ffff8881ece27180
 which belongs to the cache skbuff_fclone_cache of size 488
The buggy address is located 64 bytes inside of
 488-byte region [ffff8881ece27180, ffff8881ece27368)
The buggy address belongs to the page:
page:ffffea0007b38980 refcount:1 mapcount:0 mapping:ffff8881f1cc5180 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f1cc5180
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x62/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x109/0x250 mm/slub.c:2842
 kmem_cache_alloc_node include/linux/slab.h:427 [inline]
 __alloc_skb+0x7a/0x4d0 net/core/skbuff.c:198
 alloc_skb_fclone include/linux/skbuff.h:1130 [inline]
 sk_stream_alloc_skb+0x1f4/0xa70 net/ipv4/tcp.c:891
 tcp_sendmsg_locked+0xe07/0x3810 net/ipv4/tcp.c:1300
 tcp_sendmsg+0x2c/0x40 net/ipv4/tcp.c:1450
 sock_sendmsg_nosec net/socket.c:638 [inline]
 __sock_sendmsg net/socket.c:650 [inline]
 sock_write_iter+0x344/0x470 net/socket.c:1009
 call_write_iter include/linux/fs.h:1991 [inline]
 new_sync_write fs/read_write.c:483 [inline]
 __vfs_write+0x5d3/0x750 fs/read_write.c:496
 vfs_write+0x206/0x4e0 fs/read_write.c:558
 ksys_write+0x199/0x2c0 fs/read_write.c:611
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x847/0x950 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4955 [inline]
 __free_pages+0x91/0x140 mm/page_alloc.c:4961
 device_release+0x6b/0x190 drivers/base/core.c:1776
 kobject_cleanup lib/kobject.c:716 [inline]
 kobject_release lib/kobject.c:747 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1e6/0x2f0 lib/kobject.c:764
 tun_set_iff+0x870/0xdc0 drivers/net/tun.c:2924
 __tun_chr_ioctl+0x8a9/0x1d00 drivers/net/tun.c:3187
 do_vfs_ioctl+0x742/0x1720 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Memory state around the buggy address:
 ffff8881ece27080: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff8881ece27100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881ece27180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8881ece27200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ece27280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================