==================================================================
BUG: KASAN: slab-out-of-bounds in hlist_add_head include/linux/list.h:796 [inline]
BUG: KASAN: slab-out-of-bounds in enqueue_timer kernel/time/timer.c:541 [inline]
BUG: KASAN: slab-out-of-bounds in __internal_add_timer+0x2a6/0x4a0 kernel/time/timer.c:554
Write of size 8 at addr ffff8881c2a971c8 by task kworker/1:24/3054

CPU: 1 PID: 3054 Comm: kworker/1:24 Not tainted 5.4.219-syzkaller-00096-gd7e5d5321233 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: wg-crypt-wg0 wg_packet_tx_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x630 mm/kasan/report.c:384
 __kasan_report+0xf6/0x130 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 hlist_add_head include/linux/list.h:796 [inline]
 enqueue_timer kernel/time/timer.c:541 [inline]
 __internal_add_timer+0x2a6/0x4a0 kernel/time/timer.c:554
 internal_add_timer kernel/time/timer.c:604 [inline]
 __mod_timer+0xaad/0x1c90 kernel/time/timer.c:1065
 mod_peer_timer drivers/net/wireguard/timers.c:37 [inline]
 wg_timers_any_authenticated_packet_traversal+0x125/0x180 drivers/net/wireguard/timers.c:215
 wg_packet_create_data_done drivers/net/wireguard/send.c:247 [inline]
 wg_packet_tx_worker+0x15d/0x4d0 drivers/net/wireguard/send.c:276
 process_one_work+0x6ca/0xc40 kernel/workqueue.c:2287
 worker_thread+0xae0/0x1440 kernel/workqueue.c:2433
 kthread+0x2d8/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8881c2a96d00
 which belongs to the cache UNIX of size 1152
The buggy address is located 72 bytes to the right of
 1152-byte region [ffff8881c2a96d00, ffff8881c2a97180)
The buggy address belongs to the page:
page:ffffea00070aa500 refcount:1 mapcount:0 mapping:ffff8881f51c8280 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f51c8280
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x194/0x380 mm/page_alloc.c:2171
 get_page_from_freelist+0x524/0x560 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x372/0x860 mm/page_alloc.c:4891
 alloc_slab_page+0x39/0x3e0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x450 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x320/0x4a0 mm/slub.c:2667
 __slab_alloc+0x5a/0x90 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x100/0x210 mm/slub.c:2842
 sk_prot_alloc+0x63/0x3c0 net/core/sock.c:1612
 sk_alloc+0x30/0x390 net/core/sock.c:1676
 unix_create1+0x8e/0x580 net/unix/af_unix.c:802
 unix_create+0x129/0x1b0 net/unix/af_unix.c:863
 __sock_create+0x393/0x730 net/socket.c:1408
 sock_create net/socket.c:1459 [inline]
 __sys_socketpair+0x290/0x6e0 net/socket.c:1559
 __do_sys_socketpair net/socket.c:1612 [inline]
 __se_sys_socketpair net/socket.c:1609 [inline]
 __x64_sys_socketpair+0x97/0xb0 net/socket.c:1609
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x7fe/0x930 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4953 [inline]
 __free_pages+0x8f/0x250 mm/page_alloc.c:4959
 kfree+0x1ef/0x260 mm/slub.c:4068
 bpf_check+0x4b27/0xb740 kernel/bpf/verifier.c:9704
 bpf_prog_load kernel/bpf/syscall.c:1724 [inline]
 __do_sys_bpf kernel/bpf/syscall.c:2891 [inline]
 __se_sys_bpf+0x77f6/0xbba0 kernel/bpf/syscall.c:2849
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Memory state around the buggy address:
 ffff8881c2a97080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881c2a97100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881c2a97180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff8881c2a97200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881c2a97280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================