==================================================================
BUG: KASAN: slab-out-of-bounds in hlist_add_head include/linux/list.h:796 [inline]
BUG: KASAN: slab-out-of-bounds in enqueue_timer kernel/time/timer.c:541 [inline]
BUG: KASAN: slab-out-of-bounds in __internal_add_timer+0x2a6/0x4a0 kernel/time/timer.c:554
Write of size 8 at addr ffff8881c2a971c8 by task kworker/1:24/3054

CPU: 1 PID: 3054 Comm: kworker/1:24 Not tainted 5.4.219-syzkaller-00096-gd7e5d5321233 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: wg-crypt-wg0 wg_packet_tx_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x630 mm/kasan/report.c:384
 __kasan_report+0xf6/0x130 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 hlist_add_head include/linux/list.h:796 [inline]
 enqueue_timer kernel/time/timer.c:541 [inline]
 __internal_add_timer+0x2a6/0x4a0 kernel/time/timer.c:554
 internal_add_timer kernel/time/timer.c:604 [inline]
 __mod_timer+0xaad/0x1c90 kernel/time/timer.c:1065
 mod_peer_timer drivers/net/wireguard/timers.c:37 [inline]
 wg_timers_any_authenticated_packet_traversal+0x125/0x180 drivers/net/wireguard/timers.c:215
 wg_packet_create_data_done drivers/net/wireguard/send.c:247 [inline]
 wg_packet_tx_worker+0x15d/0x4d0 drivers/net/wireguard/send.c:276
 process_one_work+0x6ca/0xc40 kernel/workqueue.c:2287
 worker_thread+0xae0/0x1440 kernel/workqueue.c:2433
 kthread+0x2d8/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8881c2a96d00
 which belongs to the cache UNIX of size 1152
The buggy address is located 72 bytes to the right of
 1152-byte region [ffff8881c2a96d00, ffff8881c2a97180)
The buggy address belongs to the page:
page:ffffea00070aa500 refcount:1 mapcount:0 mapping:ffff8881f51c8280 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f51c8280
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x194/0x380 mm/page_alloc.c:2171
 get_page_from_freelist+0x524/0x560 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x372/0x860 mm/page_alloc.c:4891
 alloc_slab_page+0x39/0x3e0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x450 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x320/0x4a0 mm/slub.c:2667
 __slab_alloc+0x5a/0x90 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x100/0x210 mm/slub.c:2842
 sk_prot_alloc+0x63/0x3c0 net/core/sock.c:1612
 sk_alloc+0x30/0x390 net/core/sock.c:1676
 unix_create1+0x8e/0x580 net/unix/af_unix.c:802
 unix_create+0x129/0x1b0 net/unix/af_unix.c:863
 __sock_create+0x393/0x730 net/socket.c:1408
 sock_create net/socket.c:1459 [inline]
 __sys_socketpair+0x290/0x6e0 net/socket.c:1559
 __do_sys_socketpair net/socket.c:1612 [inline]
 __se_sys_socketpair net/socket.c:1609 [inline]
 __x64_sys_socketpair+0x97/0xb0 net/socket.c:1609
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x7fe/0x930 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4953 [inline]
 __free_pages+0x8f/0x250 mm/page_alloc.c:4959
 kfree+0x1ef/0x260 mm/slub.c:4068
 bpf_check+0x4b27/0xb740 kernel/bpf/verifier.c:9704
 bpf_prog_load kernel/bpf/syscall.c:1724 [inline]
 __do_sys_bpf kernel/bpf/syscall.c:2891 [inline]
 __se_sys_bpf+0x77f6/0xbba0 kernel/bpf/syscall.c:2849
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Memory state around the buggy address:
 ffff8881c2a97080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881c2a97100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881c2a97180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff8881c2a97200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881c2a97280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================