==================================================================
BUG: KASAN: stack-out-of-bounds in expire_timers kernel/time/timer.c:1454 [inline]
BUG: KASAN: stack-out-of-bounds in __run_timers+0x822/0xbe0 kernel/time/timer.c:1787
Read of size 8 at addr ffff8881dda6f1d8 by task syz-executor.0/17783

CPU: 0 PID: 17783 Comm: syz-executor.0 Not tainted 5.4.265-syzkaller-00009-g43a5ead9254d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 expire_timers kernel/time/timer.c:1454 [inline]
 __run_timers+0x822/0xbe0 kernel/time/timer.c:1787
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1800
 __do_softirq+0x23b/0x6b7 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x195/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:538 [inline]
 smp_apic_timer_interrupt+0x11a/0x460 arch/x86/kernel/apic/apic.c:1149
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834

The buggy address belongs to the page:
page:ffffea0007769bc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 0000000000000000 ffffea0007769b88 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x500dc0(GFP_USER|__GFP_ZERO|__GFP_ACCOUNT)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891
 __alloc_pages include/linux/gfp.h:503 [inline]
 __alloc_pages_node include/linux/gfp.h:516 [inline]
 alloc_pages_node include/linux/gfp.h:530 [inline]
 alloc_thread_stack_node kernel/fork.c:259 [inline]
 dup_task_struct+0x85/0x600 kernel/fork.c:886
 copy_process+0x56d/0x3230 kernel/fork.c:1889
 _do_fork+0x197/0x900 kernel/fork.c:2399
 __do_sys_clone kernel/fork.c:2557 [inline]
 __se_sys_clone kernel/fork.c:2538 [inline]
 __x64_sys_clone+0x26b/0x2c0 kernel/fork.c:2538
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x847/0x950 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4953 [inline]
 __free_pages+0x91/0x140 mm/page_alloc.c:4959
 device_release+0x6b/0x190 drivers/base/core.c:1776
 kobject_cleanup lib/kobject.c:716 [inline]
 kobject_release lib/kobject.c:747 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1e6/0x2f0 lib/kobject.c:764
 tun_set_iff+0x870/0xdc0 drivers/net/tun.c:2918
 __tun_chr_ioctl+0x8a9/0x1d00 drivers/net/tun.c:3181
 do_vfs_ioctl+0x742/0x1720 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Memory state around the buggy address:
 ffff8881dda6f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881dda6f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881dda6f180: 00 00 00 00 f1 f1 f1 f1 00 00 00 f2 f2 f2 f2 f2
                                                    ^
 ffff8881dda6f200: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881dda6f280: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2
==================================================================
kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
BUG: unable to handle page fault for address: ffffed1037d60bd1
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0011) - permissions violation
PGD 23fff3067 P4D 23fff3067 PUD 23fff2067 PMD 8000000207e001e3
Oops: 0011 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 17783 Comm: syz-executor.0 Tainted: G    B             5.4.265-syzkaller-00009-g43a5ead9254d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
RIP: 0010:0xffffed1037d60bd1
Code: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0000:ffff8881f6e09d18 EFLAGS: 00010206
RAX: ffffffff8154e38a RBX: 0000000000000100 RCX: ffff8881c1d35e80
RDX: 0000000000000100 RSI: ffffed1037d60bd1 RDI: ffff8881dda6f1c0
RBP: ffff8881f6e09ec8 R08: ffffffff8154dfce R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000fffffbc0
R13: dffffc0000000000 R14: ffffed1037d60bd1 R15: ffff8881dda6f1c0
FS:  0000555556806480(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed1037d60bd1 CR3: 00000001edbac000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1800
 __do_softirq+0x23b/0x6b7 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x195/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:538 [inline]
 smp_apic_timer_interrupt+0x11a/0x460 arch/x86/kernel/apic/apic.c:1149
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
Modules linked in:
CR2: ffffed1037d60bd1
---[ end trace d59260a3cfec38e2 ]---
RIP: 0010:0xffffed1037d60bd1
Code: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0000:ffff8881f6e09d18 EFLAGS: 00010206
RAX: ffffffff8154e38a RBX: 0000000000000100 RCX: ffff8881c1d35e80
RDX: 0000000000000100 RSI: ffffed1037d60bd1 RDI: ffff8881dda6f1c0
RBP: ffff8881f6e09ec8 R08: ffffffff8154dfce R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000fffffbc0
R13: dffffc0000000000 R14: ffffed1037d60bd1 R15: ffff8881dda6f1c0
FS:  0000555556806480(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed1037d60bd1 CR3: 00000001edbac000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
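The following triage helper is an added example, not part of the syzkaller report above. It decodes the "Memory state around the buggy address" rows into KASAN shadow bytes, finds the addressable object that contains the reported address and how far the 8-byte read runs past it, and does the shadow-address arithmetic for the RIP of the NX fault that follows the KASAN splat. The constants are the x86_64 KASAN values for v5.4 (one shadow byte per 8 bytes, KASAN_SHADOW_OFFSET 0xdffffc0000000000, shadow range ffffec0000000000-fffffbffffffffff); the poison names come from mm/kasan/kasan.h of that version. Treating RDI/R15 (0xffff8881dda6f1c0, 0x18 below the bad address) as the base of the object being accessed is an assumption made for the example; the memory-state rows are copied from the report.

```python
"""Decode the KASAN shadow dump and shadow-address arithmetic of a v5.4 x86_64 report.

Added example, not part of the report. Constants are the x86_64 KASAN values for
v5.4; the shadow offset is the same constant visible in R13 of the oops above.
"""
import re

KASAN_SHADOW_SCALE_SHIFT = 3                 # one shadow byte covers 8 bytes
KASAN_SHADOW_OFFSET = 0xDFFFFC0000000000     # x86_64 KASAN_SHADOW_OFFSET
KASAN_SHADOW_START = 0xFFFFEC0000000000      # Documentation/x86/x86_64/mm.rst
KASAN_SHADOW_END = 0xFFFFFBFFFFFFFFFF
GRANULE = 1 << KASAN_SHADOW_SCALE_SHIFT
MASK64 = (1 << 64) - 1

# Poison values from mm/kasan/kasan.h (v5.4). 00 = fully addressable granule,
# 01..07 = only the first N bytes of the granule are addressable.
SHADOW_TAGS = {
    0xFF: "KASAN_FREE_PAGE", 0xFE: "KASAN_PAGE_REDZONE", 0xFC: "KASAN_KMALLOC_REDZONE",
    0xFB: "KASAN_KMALLOC_FREE", 0xFA: "KASAN_GLOBAL_REDZONE", 0xF1: "KASAN_STACK_LEFT",
    0xF2: "KASAN_STACK_MID", 0xF3: "KASAN_STACK_RIGHT", 0xF4: "KASAN_STACK_PARTIAL",
    0xF8: "KASAN_USE_AFTER_SCOPE", 0xCA: "KASAN_ALLOCA_LEFT", 0xCB: "KASAN_ALLOCA_RIGHT",
}

# Sample input: the "Memory state" rows copied from the report above. Each row
# names the *memory* address of a 128-byte window followed by its 16 shadow bytes.
MEMORY_STATE = """\
 ffff8881dda6f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881dda6f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881dda6f180: 00 00 00 00 f1 f1 f1 f1 00 00 00 f2 f2 f2 f2 f2
                                                    ^
 ffff8881dda6f200: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881dda6f280: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2
"""
ROW_RE = re.compile(r"^>?([0-9a-f]{16}):((?:\s[0-9a-f]{2}){16})$")

# Values taken from the report: the faulting read, the assumed object base
# (RDI/R15), and the RIP of the NX fault.
BAD_ADDR = 0xFFFF8881DDA6F1D8
ACCESS_SIZE = 8
OBJECT_ADDR = 0xFFFF8881DDA6F1C0
NX_RIP = 0xFFFFED1037D60BD1


def mem_to_shadow(addr):
    """kasan_mem_to_shadow(): kernel address -> address of its shadow byte."""
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET


def shadow_to_mem(shadow):
    """Inverse mapping: first kernel address covered by a shadow byte."""
    return ((shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT) & MASK64


def is_shadow_address(addr):
    return KASAN_SHADOW_START <= addr <= KASAN_SHADOW_END


def describe_shadow_byte(value):
    if value == 0:
        return "addressable"
    if 1 <= value < GRANULE:
        return f"partially addressable (first {value} bytes)"
    return SHADOW_TAGS.get(value, f"unknown poison 0x{value:02x}")


def parse_memory_state(text):
    """Map each 8-byte granule's memory address to its shadow byte value."""
    shadow = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                      # skips the caret line and any noise
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            shadow[base + i * GRANULE] = int(tok, 16)
    return shadow


def object_extent(shadow, addr):
    """Walk the shadow outward from addr to the nearest poison on each side.

    Returns (start, end) with end exclusive; a trailing 01..07 byte extends
    the object by that many bytes. Granules missing from the dump end the walk."""
    start = addr & ~(GRANULE - 1)
    while shadow.get(start - GRANULE) == 0:
        start -= GRANULE
    end = start
    while shadow.get(end) == 0:
        end += GRANULE
    partial = shadow.get(end, 0)
    if 1 <= partial < GRANULE:
        end += partial
    return start, end


def triage(shadow, bad_addr, access_size, object_addr, rip):
    """Answer the first questions a triager asks of this kind of report."""
    poison = shadow[bad_addr & ~(GRANULE - 1)]
    start, end = object_extent(shadow, object_addr)
    return {
        "shadow_addr": mem_to_shadow(bad_addr),
        "poison": poison,
        "poison_name": describe_shadow_byte(poison),
        "object_start": start,
        "object_size": end - start,
        "access_offset": bad_addr - start,
        "bytes_past_end": max(0, bad_addr + access_size - end),
        "rip_is_shadow": is_shadow_address(rip),
        "rip_covers": shadow_to_mem(rip) if is_shadow_address(rip) else None,
    }


if __name__ == "__main__":
    result = triage(parse_memory_state(MEMORY_STATE), BAD_ADDR, ACCESS_SIZE, OBJECT_ADDR, NX_RIP)
    for key, value in result.items():
        shown = hex(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key:15} {shown}")
```

On the rows above this reports the read landing on a KASAN_STACK_MID byte: the addressable object starting at the assumed base is 24 bytes long (three 00 granules between the f1 and f2 redzones), so an 8-byte read at offset 0x18 lies entirely in the redzone. It also shows that the NX-faulting RIP is not kernel text at all but an address inside the KASAN shadow region, which is why the "Code:" bytes are shadow poison values (fb, fc) rather than instructions.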