==================================================================
BUG: KASAN: use-after-free in __queue_work+0x28/0x4a0 kernel/workqueue.c:1425
Read at addr faff0000267fb700 by task kworker/1:4/12812
Pointer tag: [fa], memory tag: [fe]

CPU: 1 PID: 12812 Comm: kworker/1:4 Not tainted 6.1.0-rc6-syzkaller #0
Hardware name: linux,dummy-virt (DT)
Workqueue: events nsim_dev_trap_report_work
Call trace:
 dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156
 dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]
 show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x1a8/0x4a0 mm/kasan/report.c:395
 kasan_report+0x94/0xb4 mm/kasan/report.c:495
 __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320
 do_bad_area arch/arm64/mm/fault.c:473 [inline]
 do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367
 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576
 __queue_work+0x28/0x4a0 kernel/workqueue.c:1425
 queue_work_on+0x6c/0x90 kernel/workqueue.c:1545
 queue_work include/linux/workqueue.h:503 [inline]
 nci_cmd_timer+0x28/0x34 net/nfc/nci/core.c:615
 call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474
 expire_timers+0x98/0xc4 kernel/time/timer.c:1519
 __run_timers kernel/time/timer.c:1790 [inline]
 __run_timers kernel/time/timer.c:1763 [inline]
 run_timer_softirq+0xf4/0x254 kernel/time/timer.c:1803
 _stext+0x124/0x2a4
 ____do_softirq+0x10/0x20 arch/arm64/kernel/irq.c:79
 call_on_irq_stack+0x2c/0x5c arch/arm64/kernel/entry.S:889
 do_softirq_own_stack+0x1c/0x30 arch/arm64/kernel/irq.c:84
 invoke_softirq kernel/softirq.c:452 [inline]
 __irq_exit_rcu+0xcc/0xf4 kernel/softirq.c:650
 irq_exit_rcu+0x10/0x20 kernel/softirq.c:662
 __el1_irq arch/arm64/kernel/entry-common.c:472 [inline]
 el1_interrupt+0x38/0x6c arch/arm64/kernel/entry-common.c:486
 el1h_64_irq_handler+0x18/0x2c arch/arm64/kernel/entry-common.c:491
 el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:577
 arch_local_irq_restore arch/arm64/include/asm/irqflags.h:122 [inline]
 queue_delayed_work_on+0x34/0x8c kernel/workqueue.c:1705
 queue_delayed_work include/linux/workqueue.h:518 [inline]
 schedule_delayed_work include/linux/workqueue.h:670 [inline]
 nsim_dev_trap_report_work+0x2c8/0x304 drivers/net/netdevsim/dev.c:857
 process_one_work+0x1c0/0x310 kernel/workqueue.c:2289
 worker_thread+0x70/0x414 kernel/workqueue.c:2436
 kthread+0x108/0x10c kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

Allocated by task 2269:
 kasan_save_stack+0x2c/0x60 mm/kasan/common.c:45
 save_stack_info+0x38/0x130 mm/kasan/tags.c:104
 kasan_save_alloc_info+0x14/0x20 mm/kasan/tags.c:138
 ____kasan_kmalloc mm/kasan/common.c:371 [inline]
 ____kasan_kmalloc mm/kasan/common.c:330 [inline]
 __kasan_kmalloc+0x9c/0xb0 mm/kasan/common.c:380
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slab_common.c:955 [inline]
 __kmalloc_node_track_caller+0x64/0xb0 mm/slab_common.c:975
 kmalloc_reserve+0x5c/0xd0 net/core/skbuff.c:437
 __alloc_skb+0x94/0x1c0 net/core/skbuff.c:509
 alloc_skb include/linux/skbuff.h:1267 [inline]
 wg_packet_send_keepalive+0x50/0x90 drivers/net/wireguard/send.c:226
 wg_expired_send_persistent_keepalive+0x20/0x30 drivers/net/wireguard/timers.c:141
 call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474
 expire_timers+0x98/0xc4 kernel/time/timer.c:1519
 __run_timers kernel/time/timer.c:1790 [inline]
 __run_timers kernel/time/timer.c:1763 [inline]
 run_timer_softirq+0xf4/0x254 kernel/time/timer.c:1803
 _stext+0x124/0x2a4

Freed by task 2603:
 kasan_save_stack+0x2c/0x60 mm/kasan/common.c:45
 save_stack_info+0x38/0x130 mm/kasan/tags.c:104
 kasan_save_free_info+0x18/0x30 mm/kasan/tags.c:143
 ____kasan_slab_free.constprop.0+0x1b8/0x230 mm/kasan/common.c:236
 __kasan_slab_free+0x10/0x1c mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook+0xbc/0x1fc mm/slub.c:1750
 slab_free mm/slub.c:3661 [inline]
 __kmem_cache_free+0x16c/0x2ec mm/slub.c:3674
 kfree+0x60/0xb0 mm/slab_common.c:1007
 skb_free_head+0x40/0x84 net/core/skbuff.c:760
 skb_release_data+0x144/0x220 net/core/skbuff.c:789
 skb_release_all net/core/skbuff.c:854 [inline]
 __kfree_skb net/core/skbuff.c:868 [inline]
 kfree_skb_reason+0x50/0x90 net/core/skbuff.c:891
 kfree_skb include/linux/skbuff.h:1216 [inline]
 consume_skb include/linux/skbuff.h:1235 [inline]
 wg_packet_consume_data_done drivers/net/wireguard/receive.c:435 [inline]
 wg_packet_rx_poll+0x2fc/0x6a0 drivers/net/wireguard/receive.c:474
 __napi_poll+0x38/0x190 net/core/dev.c:6498
 napi_poll net/core/dev.c:6565 [inline]
 net_rx_action+0x354/0x3e0 net/core/dev.c:6676
 _stext+0x124/0x2a4

The buggy address belongs to the object at ffff0000267fb600
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 256 bytes inside of
 512-byte region [ffff0000267fb600, ffff0000267fb800)

The buggy address belongs to the physical page:
page:00000000fafcef19 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x667fa
head:00000000fafcef19 order:1 compound_mapcount:0 compound_pincount:0
flags: 0x1ffc00000010200(slab|head|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
raw: 01ffc00000010200 dead000000000100 dead000000000122 f0ff000002c01400
raw: f6ff0000267fae00 000000008010000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000267fb500: f4 f4 f4 f4 f4 fe fe fe fe fe fe fe fe fe fe fe
 ffff0000267fb600: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>ffff0000267fb700: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                   ^
 ffff0000267fb800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 ffff0000267fb900: fd fd fd fd fd fe fe fe fe fe fe fe fe fe fe fe
==================================================================
------------[ cut here ]------------
WARNING: CPU: 1 PID: 12812 at kernel/workqueue.c:1438 current_wq_worker kernel/workqueue_internal.h:68 [inline]
WARNING: CPU: 1 PID: 12812 at kernel/workqueue.c:1438 is_chained_work kernel/workqueue.c:1377 [inline]
WARNING: CPU: 1 PID: 12812 at kernel/workqueue.c:1438 __queue_work+0x3b8/0x4a0 kernel/workqueue.c:1438
Modules linked in:
CPU: 1 PID: 12812 Comm: kworker/1:4 Tainted: G B 6.1.0-rc6-syzkaller #0
Hardware name: linux,dummy-virt (DT)
Workqueue: events nsim_dev_trap_report_work
pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __queue_work+0x3b8/0x4a0 kernel/workqueue.c:1438
lr : queue_work_on+0x6c/0x90 kernel/workqueue.c:1545
sp : ffff80000800bdd0
x29: ffff80000800bdd0 x28: 0000000000000020 x27: 0000000000000008
x26: f4ff00000542cec0 x25: ffff80000a2b60c0 x24: ffff80000a2b60c8
x23: dead000000000122 x22: ffff8000097af210 x21: 0000000000000008
x20: faff0000267fb600 x19: f2ff0000267790a8 x18: 0000000000000014
x17: ffff80007592d000 x16: ffff80000800c000 x15: 0000219fb46a8456
x14: 000000000000016e x13: 000000000000016e x12: 0000000000000000
x11: 0000000000000007 x10: 0000000000003a20 x9 : 0000000000000eaa
x8 : ffff00007fbd2e40 x7 : ffff00007fbd2dc0 x6 : 0000000000b0de6b
x5 : ffff80000a0b32d0 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000100 x1 : 0000000000000100 x0 : f4ff00000542cec0
Call trace:
 current_wq_worker kernel/workqueue_internal.h:68 [inline]
 is_chained_work kernel/workqueue.c:1377 [inline]
 __queue_work+0x3b8/0x4a0 kernel/workqueue.c:1438
 queue_work_on+0x6c/0x90 kernel/workqueue.c:1545
 queue_work include/linux/workqueue.h:503 [inline]
 nci_cmd_timer+0x28/0x34 net/nfc/nci/core.c:615
 call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474
 expire_timers+0x98/0xc4 kernel/time/timer.c:1519
 __run_timers kernel/time/timer.c:1790 [inline]
 __run_timers kernel/time/timer.c:1763 [inline]
 run_timer_softirq+0xf4/0x254 kernel/time/timer.c:1803
 _stext+0x124/0x2a4
 ____do_softirq+0x10/0x20 arch/arm64/kernel/irq.c:79
 call_on_irq_stack+0x2c/0x5c arch/arm64/kernel/entry.S:889
 do_softirq_own_stack+0x1c/0x30 arch/arm64/kernel/irq.c:84
 invoke_softirq kernel/softirq.c:452 [inline]
 __irq_exit_rcu+0xcc/0xf4 kernel/softirq.c:650
 irq_exit_rcu+0x10/0x20 kernel/softirq.c:662
 __el1_irq arch/arm64/kernel/entry-common.c:472 [inline]
 el1_interrupt+0x38/0x6c arch/arm64/kernel/entry-common.c:486
 el1h_64_irq_handler+0x18/0x2c arch/arm64/kernel/entry-common.c:491
 el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:577
 arch_local_irq_restore arch/arm64/include/asm/irqflags.h:122 [inline]
 queue_delayed_work_on+0x34/0x8c kernel/workqueue.c:1705
 queue_delayed_work include/linux/workqueue.h:518 [inline]
 schedule_delayed_work include/linux/workqueue.h:670 [inline]
 nsim_dev_trap_report_work+0x2c8/0x304 drivers/net/netdevsim/dev.c:857
 process_one_work+0x1c0/0x310 kernel/workqueue.c:2289
 worker_thread+0x70/0x414 kernel/workqueue.c:2436
 kthread+0x108/0x10c kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
---[ end trace 0000000000000000 ]---