==================================================================
BUG: KASAN: slab-out-of-bounds in hlist_add_head include/linux/list.h:796 [inline]
BUG: KASAN: slab-out-of-bounds in enqueue_timer kernel/time/timer.c:541 [inline]
BUG: KASAN: slab-out-of-bounds in __internal_add_timer+0x2a6/0x4a0 kernel/time/timer.c:554
Write of size 8 at addr ffff8881ed4231c8 by task kworker/1:29/1242

CPU: 1 PID: 1242 Comm: kworker/1:29 Not tainted 5.4.161-syzkaller-00026-g8a3679a75730 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: wg-crypt-wg0 wg_packet_tx_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18e/0x1de lib/dump_stack.c:118
 print_address_description+0x9b/0x650 mm/kasan/report.c:384
 __kasan_report+0x182/0x260 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 hlist_add_head include/linux/list.h:796 [inline]
 enqueue_timer kernel/time/timer.c:541 [inline]
 __internal_add_timer+0x2a6/0x4a0 kernel/time/timer.c:554
 internal_add_timer kernel/time/timer.c:604 [inline]
 __mod_timer+0x9e6/0x1a40 kernel/time/timer.c:1065
 mod_peer_timer drivers/net/wireguard/timers.c:37 [inline]
 wg_timers_any_authenticated_packet_traversal+0x129/0x190 drivers/net/wireguard/timers.c:215
 wg_packet_create_data_done drivers/net/wireguard/send.c:247 [inline]
 wg_packet_tx_worker+0x15d/0x4c0 drivers/net/wireguard/send.c:276
 process_one_work+0x679/0x1030 kernel/workqueue.c:2278
 worker_thread+0xa6f/0x1400 kernel/workqueue.c:2424
 kthread+0x30f/0x330 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 501:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x137/0x1e0 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x115/0x290 mm/slub.c:2842
 kmem_cache_zalloc include/linux/slab.h:680 [inline]
 __alloc_file+0x26/0x380 fs/file_table.c:101
 alloc_empty_file+0xa9/0x1b0 fs/file_table.c:151
 path_openat+0xa2/0x3a50 fs/namei.c:3601
 do_filp_open+0x19a/0x3a0 fs/namei.c:3642
 do_sys_open+0x2e2/0x6d0 fs/open.c:1113
 do_syscall_64+0xcb/0x1e0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 16:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x18a/0x240 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook+0x80/0x150 mm/slub.c:1494
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0xc5/0x610 mm/slub.c:3096
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch+0x41e/0x900 kernel/rcu/tree.c:2166
 rcu_core+0x5ba/0xd60 kernel/rcu/tree.c:2386
 __do_softirq+0x23e/0x615 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881ed423080
 which belongs to the cache filp of size 280
The buggy address is located 48 bytes to the right of
 280-byte region [ffff8881ed423080, ffff8881ed423198)
The buggy address belongs to the page:
page:ffffea0007b50880 refcount:1 mapcount:0 mapping:ffff8881f5cfb180 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cfb180
raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x19a/0x380 mm/page_alloc.c:2171
 get_page_from_freelist+0x550/0x8b0 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x2d6/0x740 mm/page_alloc.c:4855
 alloc_slab_page+0x39/0x3e0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x460 mm/slub.c:1749
 new_slab_objects mm/slub.c:2506 [inline]
 ___slab_alloc+0x330/0x4c0 mm/slub.c:2667
 __slab_alloc mm/slub.c:2707 [inline]
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x18b/0x290 mm/slub.c:2842
 kmem_cache_zalloc include/linux/slab.h:680 [inline]
 __alloc_file+0x26/0x380 fs/file_table.c:101
 alloc_empty_file+0xa9/0x1b0 fs/file_table.c:151
 path_openat+0xa2/0x3a50 fs/namei.c:3601
 do_filp_open+0x19a/0x3a0 fs/namei.c:3642
 do_sys_open+0x2e2/0x6d0 fs/open.c:1113
 do_syscall_64+0xcb/0x1e0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0xbb6/0xcc0 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4917 [inline]
 __free_pages+0x47/0x1e0 mm/page_alloc.c:4923
 kfree+0x200/0x690 mm/slub.c:4068
 device_release+0x70/0x1a0 drivers/base/core.c:1776
 kobject_cleanup+0x1de/0x3c0 lib/kobject.c:708
 tun_set_iff drivers/net/tun.c:2900 [inline]
 __tun_chr_ioctl+0x292f/0x4a50 drivers/net/tun.c:3143
 do_vfs_ioctl+0x6fb/0x15b0 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xcb/0x1e0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Memory state around the buggy address:
 ffff8881ed423080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ed423100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881ed423180: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff8881ed423200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ed423280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================