==================================================================
BUG: KASAN: slab-out-of-bounds in __write_once_size include/linux/compiler.h:295 [inline]
BUG: KASAN: slab-out-of-bounds in __hlist_del include/linux/list.h:789 [inline]
BUG: KASAN: slab-out-of-bounds in detach_timer kernel/time/timer.c:824 [inline]
BUG: KASAN: slab-out-of-bounds in detach_if_pending+0x160/0x360 kernel/time/timer.c:841
Write of size 8 at addr ffff8881e58b31c0 by task syz-executor.0/2040

CPU: 0 PID: 2040 Comm: syz-executor.0 Not tainted 5.4.274-syzkaller-00002-g6f97bd951d82 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 __write_once_size include/linux/compiler.h:295 [inline]
 __hlist_del include/linux/list.h:789 [inline]
 detach_timer kernel/time/timer.c:824 [inline]
 detach_if_pending+0x160/0x360 kernel/time/timer.c:841
 try_to_del_timer_sync kernel/time/timer.c:1267 [inline]
 del_timer_sync+0x13c/0x230 kernel/time/timer.c:1410
 tun_flow_uninit+0x2c/0x280 drivers/net/tun.c:1452
 tun_free_netdev+0x77/0x190 drivers/net/tun.c:2402
 netdev_run_todo+0xb7f/0xdf0 net/core/dev.c:9458
 tun_detach drivers/net/tun.c:766 [inline]
 tun_chr_close+0xc1/0x130 drivers/net/tun.c:3558
 __fput+0x262/0x680 fs/file_table.c:281
 task_work_run+0x140/0x170 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x190/0x1a0 arch/x86/entry/common.c:163
 prepare_exit_to_usermode+0x199/0x200 arch/x86/entry/common.c:194
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7f53e0db9e1a
Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
RSP: 002b:00007fff0f4d5320 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 00007f53e0db9e1a
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: ffffffffffffffff R08: 0000000000000001 R09: 0000001800000000
R10: 00007f53e0d3e000 R11: 0000000000000293 R12: 00007f53e0ef1f80
R13: 00007f53e0ef1f8c R14: 0000000000000032 R15: 00007f53e0ef3980

Allocated by task 369:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
 kmem_cache_zalloc include/linux/slab.h:680 [inline]
 __alloc_file+0x26/0x310 fs/file_table.c:101
 alloc_empty_file+0x92/0x180 fs/file_table.c:151
 path_openat+0x103/0x34b0 fs/namei.c:3672
 do_filp_open+0x20b/0x450 fs/namei.c:3713
 do_sys_open+0x39c/0x810 fs/open.c:1123
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 17:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0x10b/0x2c0 mm/slub.c:3096
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch+0x492/0xa00 kernel/rcu/tree.c:2167
 rcu_core+0x4c8/0xcb0 kernel/rcu/tree.c:2387
 __do_softirq+0x23b/0x6b7 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881e58b3080
 which belongs to the cache filp of size 280
The buggy address is located 40 bytes to the right of
 280-byte region [ffff8881e58b3080, ffff8881e58b3198)
The buggy address belongs to the page:
page:ffffea0007962c80 refcount:1 mapcount:0 mapping:ffff8881f5d04780 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5d04780
raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x62/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x109/0x250 mm/slub.c:2842
 kmem_cache_zalloc include/linux/slab.h:680 [inline]
 __alloc_file+0x26/0x310 fs/file_table.c:101
 alloc_empty_file+0x92/0x180 fs/file_table.c:151
 path_openat+0x103/0x34b0 fs/namei.c:3672
 do_filp_open+0x20b/0x450 fs/namei.c:3713
 do_sys_open+0x39c/0x810 fs/open.c:1123
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x847/0x950 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4955 [inline]
 __free_pages+0x91/0x140 mm/page_alloc.c:4961
 device_release+0x6b/0x190 drivers/base/core.c:1776
 kobject_cleanup lib/kobject.c:716 [inline]
 kobject_release lib/kobject.c:747 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1e6/0x2f0 lib/kobject.c:764
 tun_set_iff+0x870/0xdc0 drivers/net/tun.c:2919
 __tun_chr_ioctl+0x8a9/0x1d00 drivers/net/tun.c:3182
 do_vfs_ioctl+0x742/0x1720 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Memory state around the buggy address:
 ffff8881e58b3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e58b3100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881e58b3180: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff8881e58b3200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e58b3280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================