==================================================================
BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]
BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]
BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline]
BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468
Read of size 8 at addr ffff888044476c80 by task syz-executor.4/21229

CPU: 0 PID: 21229 Comm: syz-executor.4 Not tainted 6.7.0-syzkaller-04629-g3e7aeb78ab01 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:488
 kasan_report+0xda/0x110 mm/kasan/report.c:601
 list_empty include/linux/list.h:373 [inline]
 waitqueue_active include/linux/wait.h:127 [inline]
 sock_def_write_space_wfree net/core/sock.c:3384 [inline]
 sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468
 skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080
 skb_release_all net/core/skbuff.c:1092 [inline]
 napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404
 free_old_xmit_skbs+0xf0/0x370 drivers/net/virtio_net.c:793
 virtnet_poll_tx+0x276/0x640 drivers/net/virtio_net.c:2311
 __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576
 napi_poll net/core/dev.c:6645 [inline]
 net_rx_action+0x956/0xe90 net/core/dev.c:6778
 __do_softirq+0x21a/0x8de kernel/softirq.c:553
 invoke_softirq kernel/softirq.c:427 [inline]
 __irq_exit_rcu kernel/softirq.c:632 [inline]
 irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
 common_interrupt+0xb0/0xd0 arch/x86/kernel/irq.c:247
 </IRQ>
 <TASK>
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:640
RIP: 0010:deref_stack_reg arch/x86/kernel/unwind_orc.c:406 [inline]
RIP: 0010:unwind_next_frame+0x1ada/0x2390 arch/x86/kernel/unwind_orc.c:648
Code: ff e8 9a c4 4d 00 4c 89 e7 e8 22 da ff ff 48 8d 7b 40 48 89 fa 49 89 c4 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 <0f> 84 64 f6 ff ff e8 eb 3b a5 00 e9 5a f6 ff ff e8 61 c4 4d 00 4c
RSP: 0018:ffffc9000351f8a8 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffffc9000351f928 RCX: ffffc9000351f95c
RDX: 1ffff920006a3f2d RSI: ffffffff813a29d9 RDI: ffffc9000351f968
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffffffff8ace31a0 R12: ffff888021d78060
R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000001
 arch_stack_walk+0xfa/0x170 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x96/0xd0 kernel/stacktrace.c:122
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xba/0x100 mm/kasan/generic.c:580
 __call_rcu_common.constprop.0+0x9a/0x7a0 kernel/rcu/tree.c:2681
 security_inode_free+0x9e/0xc0 security/security.c:1616
 __destroy_inode+0x1f8/0x740 fs/inode.c:285
 destroy_inode+0x91/0x1b0 fs/inode.c:308
 iput_final fs/inode.c:1776 [inline]
 iput.part.0+0x560/0x7b0 fs/inode.c:1802
 iput+0x5c/0x80 fs/inode.c:1792
 d_delete_notify include/linux/fsnotify.h:282 [inline]
 vfs_rmdir fs/namei.c:4198 [inline]
 vfs_rmdir+0x454/0x650 fs/namei.c:4162
 do_rmdir+0x39e/0x410 fs/namei.c:4244
 __do_sys_unlinkat fs/namei.c:4420 [inline]
 __se_sys_unlinkat fs/namei.c:4414 [inline]
 __x64_sys_unlinkat+0xef/0x130 fs/namei.c:4414
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f2e9ca7c587
Code: 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 07 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffc88210f8 EFLAGS: 00000207 ORIG_RAX: 0000000000000107
RAX: ffffffffffffffda RBX: 0000000000000065 RCX: 00007f2e9ca7c587
RDX: 0000000000000200 RSI: 00007fffc8822270 RDI: 00000000ffffff9c
RBP: 00007f2e9cac83b9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000207 R12: 00007fffc8822270
R13: 00007f2e9cac83b9 R14: 00000000000f8fb4 R15: 000000000000000c
 </TASK>

Allocated by task 20641:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:314 [inline]
 __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3813 [inline]
 slab_alloc_node mm/slub.c:3860 [inline]
 kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879
 alloc_inode_sb include/linux/fs.h:3019 [inline]
 sock_alloc_inode+0x25/0x1c0 net/socket.c:308
 alloc_inode+0x5d/0x220 fs/inode.c:260
 new_inode_pseudo+0x16/0x80 fs/inode.c:1005
 sock_alloc+0x40/0x270 net/socket.c:634
 __sock_create+0xbc/0x800 net/socket.c:1535
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14c/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Freed by task 1097:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:634
 poison_slab_object mm/kasan/common.c:241 [inline]
 __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2121 [inline]
 slab_free mm/slub.c:4299 [inline]
 kmem_cache_free+0x129/0x350 mm/slub.c:4363
 i_callback+0x43/0x70 fs/inode.c:249
 rcu_do_batch kernel/rcu/tree.c:2158 [inline]
 rcu_core+0x819/0x1680 kernel/rcu/tree.c:2431
 __do_softirq+0x21a/0x8de kernel/softirq.c:553

Last potentially related work creation:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xba/0x100 mm/kasan/generic.c:580
 __call_rcu_common.constprop.0+0x9a/0x7a0 kernel/rcu/tree.c:2681
 destroy_inode+0x129/0x1b0 fs/inode.c:315
 iput_final fs/inode.c:1776 [inline]
 iput.part.0+0x560/0x7b0 fs/inode.c:1802
 iput+0x5c/0x80 fs/inode.c:1792
 dentry_unlink_inode+0x292/0x430 fs/dcache.c:400
 __dentry_kill+0x3b8/0x640 fs/dcache.c:608
 dentry_kill fs/dcache.c:734 [inline]
 dput+0x7eb/0xd90 fs/dcache.c:914
 __fput+0x3b9/0xb70 fs/file_table.c:389
 task_work_run+0x14d/0x240 kernel/task_work.c:180
 get_signal+0x106f/0x2790 kernel/signal.c:2669
 arch_do_signal_or_restart+0x90/0x7f0 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline]
 syscall_exit_to_user_mode+0x156/0x2b0 kernel/entry/common.c:212
 do_syscall_64+0xe0/0x250 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

The buggy address belongs to the object at ffff888044476c00
 which belongs to the cache sock_inode_cache of size 1408
The buggy address is located 128 bytes inside of
 freed 1408-byte region [ffff888044476c00, ffff888044477180)

The buggy address belongs to the physical page:
page:ffffea0001111c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x44470
head:ffffea0001111c00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88807a9a0661
ksm flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff88801769cb40 ffffea000231f400 dead000000000003
raw: 0000000000000000 0000000000150015 00000001ffffffff ffff88807a9a0661
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 9391, tgid 9391 (syz-executor.1), ts 362225161569, free_ts 332984055830
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1533
 prep_new_page mm/page_alloc.c:1540 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3311
 __alloc_pages+0x22f/0x2440 mm/page_alloc.c:4567
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2190 [inline]
 allocate_slab mm/slub.c:2354 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2407
 ___slab_alloc+0x4af/0x19a0 mm/slub.c:3540
 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3625
 __slab_alloc_node mm/slub.c:3678 [inline]
 slab_alloc_node mm/slub.c:3850 [inline]
 kmem_cache_alloc_lru+0x379/0x6f0 mm/slub.c:3879
 alloc_inode_sb include/linux/fs.h:3019 [inline]
 sock_alloc_inode+0x25/0x1c0 net/socket.c:308
 alloc_inode+0x5d/0x220 fs/inode.c:260
 new_inode_pseudo+0x16/0x80 fs/inode.c:1005
 sock_alloc+0x40/0x270 net/socket.c:634
 __sock_create+0xbc/0x800 net/socket.c:1535
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14c/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
page last free pid 5149 tgid 5149 stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1140 [inline]
 free_unref_page_prepare+0x51f/0xb10 mm/page_alloc.c:2346
 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2486
 __put_partials+0x14c/0x160 mm/slub.c:2922
 qlink_free mm/kasan/quarantine.c:160 [inline]
 qlist_free_all+0x58/0x150 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:324
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3813 [inline]
 slab_alloc_node mm/slub.c:3860 [inline]
 kmalloc_trace+0x148/0x340 mm/slub.c:4007
 kmalloc include/linux/slab.h:590 [inline]
 kzalloc include/linux/slab.h:711 [inline]
 keypair_create drivers/net/wireguard/noise.c:100 [inline]
 wg_noise_handshake_begin_session+0xe1/0xe70 drivers/net/wireguard/noise.c:827
 wg_receive_handshake_packet+0x74a/0xbf0 drivers/net/wireguard/receive.c:176
 wg_packet_handshake_receive_worker+0x17f/0x3a0 drivers/net/wireguard/receive.c:213
 process_one_work+0x886/0x15d0 kernel/workqueue.c:2633
 process_scheduled_works kernel/workqueue.c:2706 [inline]
 worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787
 kthread+0x2c6/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

Memory state around the buggy address:
 ffff888044476b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888044476c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888044476c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888044476d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888044476d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	e8 9a c4 4d 00       	call   0x4dc49f
   5:	4c 89 e7             	mov    %r12,%rdi
   8:	e8 22 da ff ff       	call   0xffffda2f
   d:	48 8d 7b 40          	lea    0x40(%rbx),%rdi
  11:	48 89 fa             	mov    %rdi,%rdx
  14:	49 89 c4             	mov    %rax,%r12
  17:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  1e:	fc ff df
  21:	48 c1 ea 03          	shr    $0x3,%rdx
  25:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
* 29:	0f 84 64 f6 ff ff    	je     0xfffff693 <-- trapping instruction
  2f:	e8 eb 3b a5 00       	call   0xa53c1f
  34:	e9 5a f6 ff ff       	jmp    0xfffff693
  39:	e8 61 c4 4d 00       	call   0x4dc49f
  3e:	4c                   	rex.WR