!!! css_killed_ref_fn css ffff88811ef30000 !!!
list_add corruption. prev->next should be next (ffff8881f7055220), but was ffff88811ef37070. (prev=ffff88811ef30470).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 373 Comm: kworker/1:2 Tainted: G W 5.10.119-syzkaller-00165-g0c6b4937af60 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: cgroup_destroy css_killed_work_fn
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 a7 cc 1b 02 0f 0b 48 c7 c7 90 44 d6 85 e8 b6 f2 19 00 48 c7 c7 80 02 03 85 4c 89 f6 4c 89 e1 31 c0 e8 85 cc 1b 02 <0f> 0b 48 c7 c7 a0 44 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000160b30 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f7055228 RCX: 4e6d3c802d56a700
RDX: 0000000000000302 RSI: 0000000000000302 RDI: 0000000000000000
RBP: ffffc90000160b58 R08: ffffffff815145c8 R09: fffff5200002c133
R10: fffff5200002c133 R11: 1ffff9200002c132 R12: ffff88811ef30470
R13: dffffc0000000000 R14: ffff8881f7055220 R15: ffffe8ffffc13550
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5ac15cc000 CR3: 0000000110c83000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_add include/linux/list.h:67 [inline]
 list_add_tail include/linux/list.h:100 [inline]
 insert_work+0xfc/0x330 kernel/workqueue.c:1342
 __queue_work+0x99e/0xe20 kernel/workqueue.c:1504
 queue_work_on+0xbe/0x110 kernel/workqueue.c:1531
 wg_queue_enqueue_per_device_and_peer drivers/net/wireguard/queueing.h:181 [inline]
 wg_packet_create_data drivers/net/wireguard/send.c:320 [inline]
 wg_packet_send_staged_packets+0xae6/0x1120 drivers/net/wireguard/send.c:387
 wg_packet_send_keepalive+0x15b/0x1c0 drivers/net/wireguard/send.c:239
 wg_expired_send_persistent_keepalive+0x52/0x80 drivers/net/wireguard/timers.c:141
 call_timer_fn+0x35/0x350 kernel/time/timer.c:1414
 expire_timers+0x21b/0x410 kernel/time/timer.c:1459
 __run_timers+0x5a9/0x700 kernel/time/timer.c:1753
 run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1766
 __do_softirq+0x253/0x67b kernel/softirq.c:298
 asm_call_irq_on_stack+0xf/0x20
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:393 [inline]
 __irq_exit_rcu+0x152/0x1e0 kernel/softirq.c:423
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:435
 sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:41 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:84 [inline]
RIP: 0010:console_trylock_spinning kernel/printk/printk.c:1860 [inline]
RIP: 0010:vprintk_emit+0x266/0x340 kernel/printk/printk.c:2053
Code: d0 da 17 00 48 c7 c7 00 0a b9 85 48 89 de e8 51 7f 08 01 f6 c3 01 75 de e8 b7 da 17 00 e8 72 70 00 00 4c 89 75 a0 ff 75 a0 9d <e9> d9 fe ff ff e8 a0 da 17 00 eb 05 e8 99 da 17 00 45 89 ef 48 c7
RSP: 0018:ffffc90000b87b88 EFLAGS: 00000246
RAX: ffffffff8151a629 RBX: 0000000000000000 RCX: ffff8881196e0000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffffc90000b87bf0 R08: ffffffff81513573 R09: fffff52000170f69
R10: fffff52000170f69 R11: 1ffff92000170f68 R12: 1ffff92000170f77
R13: 000000000000003b R14: 0000000000000246 R15: 000000000000003b
 vprintk_default+0x26/0x30 kernel/printk/printk.c:2071
 vprintk_func+0x19d/0x1e0 kernel/printk/printk_safe.c:401
 printk+0x76/0x96 kernel/printk/printk.c:2102
 css_put include/linux/cgroup.h:412 [inline]
 css_killed_work_fn+0x2f6/0x500 kernel/cgroup/cgroup.c:5471
 process_one_work+0x711/0xce0 kernel/workqueue.c:2279
 worker_thread+0xb17/0x1540 kernel/workqueue.c:2425
 kthread+0x365/0x400 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace 518ce58d12f18535 ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 a7 cc 1b 02 0f 0b 48 c7 c7 90 44 d6 85 e8 b6 f2 19 00 48 c7 c7 80 02 03 85 4c 89 f6 4c 89 e1 31 c0 e8 85 cc 1b 02 <0f> 0b 48 c7 c7 a0 44 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000160b30 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f7055228 RCX: 4e6d3c802d56a700
RDX: 0000000000000302 RSI: 0000000000000302 RDI: 0000000000000000
RBP: ffffc90000160b58 R08: ffffffff815145c8 R09: fffff5200002c133
R10: fffff5200002c133 R11: 1ffff9200002c132 R12: ffff88811ef30470
R13: dffffc0000000000 R14: ffff8881f7055220 R15: ffffe8ffffc13550
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5ac15cc000 CR3: 0000000110c83000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
   0: da 17                 ficoml (%rdi)
   2: 00 48 c7              add %cl,-0x39(%rax)
   5: c7 00 0a b9 85 48     movl $0x4885b90a,(%rax)
   b: 89 de                 mov %ebx,%esi
   d: e8 51 7f 08 01        callq 0x1087f63
  12: f6 c3 01              test $0x1,%bl
  15: 75 de                 jne 0xfffffff5
  17: e8 b7 da 17 00        callq 0x17dad3
  1c: e8 72 70 00 00        callq 0x7093
  21: 4c 89 75 a0           mov %r14,-0x60(%rbp)
  25: ff 75 a0              pushq -0x60(%rbp)
  28: 9d                    popfq
* 29: e9 d9 fe ff ff        jmpq 0xffffff07 <-- trapping instruction
  2e: e8 a0 da 17 00        callq 0x17dad3
  33: eb 05                 jmp 0x3a
  35: e8 99 da 17 00        callq 0x17dad3
  3a: 45 89 ef              mov %r13d,%r15d
  3d: 48                    rex.W
  3e: c7                    .byte 0xc7