==================================================================
BUG: KASAN: slab-out-of-bounds in hlist_add_head include/linux/list.h:796 [inline]
BUG: KASAN: slab-out-of-bounds in enqueue_timer kernel/time/timer.c:541 [inline]
BUG: KASAN: slab-out-of-bounds in __internal_add_timer+0x2a6/0x4a0 kernel/time/timer.c:554
Write of size 8 at addr ffff8881e99371c8 by task syz-executor.2/9129

CPU: 0 PID: 9129 Comm: syz-executor.2 Not tainted 5.4.197-syzkaller-00007-g19a66b6f3cd8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18e/0x1d5 lib/dump_stack.c:118
 print_address_description+0x8c/0x630 mm/kasan/report.c:384
 __kasan_report+0xf6/0x130 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 hlist_add_head include/linux/list.h:796 [inline]
 enqueue_timer kernel/time/timer.c:541 [inline]
 __internal_add_timer+0x2a6/0x4a0 kernel/time/timer.c:554
 internal_add_timer kernel/time/timer.c:604 [inline]
 __mod_timer+0x9ce/0x1a40 kernel/time/timer.c:1065
 tun_set_iff+0x8ca/0x1050 drivers/net/tun.c:2854
 __tun_chr_ioctl+0x6c7/0x1b70 drivers/net/tun.c:3149
 do_vfs_ioctl+0x6d1/0x15b0 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f236339c279
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2362512168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f23634aef80 RCX: 00007f236339c279
RDX: 0000000020000080 RSI: 00000000400454ca RDI: 0000000000000003
RBP: 00007f23633f6189 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd1bc4a60f R14: 00007f2362512300 R15: 0000000000022000

Allocated by task 9056:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x131/0x1e0 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd0/0x210 mm/slub.c:2842
 sk_prot_alloc+0x63/0x3c0 net/core/sock.c:1612
 sk_alloc+0x30/0x330 net/core/sock.c:1676
 unix_create1+0x8e/0x530 net/unix/af_unix.c:802
 unix_create+0x129/0x1b0 net/unix/af_unix.c:863
 __sock_create+0x393/0x730 net/socket.c:1408
 sock_create net/socket.c:1459 [inline]
 __sys_socketpair+0x260/0x5e0 net/socket.c:1563
 __do_sys_socketpair net/socket.c:1612 [inline]
 __se_sys_socketpair net/socket.c:1609 [inline]
 __x64_sys_socketpair+0x97/0xb0 net/socket.c:1609
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 9055:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x178/0x240 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook+0x80/0x150 mm/slub.c:1494
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0xa9/0x1d0 mm/slub.c:3096
 sk_prot_free+0x94/0x160 net/core/sock.c:1657
 sock_put include/net/sock.h:1762 [inline]
 unix_release_sock+0x632/0x8e0 net/unix/af_unix.c:561
 unix_release+0x4a/0x80 net/unix/af_unix.c:873
 __sock_release net/socket.c:591 [inline]
 sock_close+0xd1/0x250 net/socket.c:1258
 __fput+0x261/0x680 fs/file_table.c:281
 task_work_run+0x186/0x1b0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xbe1/0x2b40 kernel/exit.c:812
 do_group_exit+0x136/0x300 kernel/exit.c:910
 get_signal+0xd99/0x13f0 kernel/signal.c:2735
 do_signal+0x3b/0x540 arch/x86/kernel/signal.c:809
 exit_to_usermode_loop+0xdd/0x1d0 arch/x86/entry/common.c:159
 prepare_exit_to_usermode+0x17c/0x1d0 arch/x86/entry/common.c:194
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8881e9936d00
 which belongs to the cache UNIX of size 1152
The buggy address is located 72 bytes to the right of
 1152-byte region [ffff8881e9936d00, ffff8881e9937180)
The buggy address belongs to the page:
page:ffffea0007a64d00 refcount:1 mapcount:0 mapping:ffff8881f51c2780 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f51c2780
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x194/0x380 mm/page_alloc.c:2171
 get_page_from_freelist+0x524/0x560 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x2ab/0x6f0 mm/page_alloc.c:4857
 alloc_slab_page+0x39/0x3e0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x450 mm/slub.c:1749
 new_slab_objects mm/slub.c:2506 [inline]
 ___slab_alloc+0x320/0x4b0 mm/slub.c:2667
 __slab_alloc+0x5a/0x90 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x100/0x210 mm/slub.c:2842
 sk_prot_alloc+0x63/0x3c0 net/core/sock.c:1612
 sk_alloc+0x30/0x330 net/core/sock.c:1676
 unix_create1+0x8e/0x530 net/unix/af_unix.c:802
 unix_create+0x129/0x1b0 net/unix/af_unix.c:863
 __sock_create+0x393/0x730 net/socket.c:1408
 sock_create net/socket.c:1459 [inline]
 __sys_socketpair+0x260/0x5e0 net/socket.c:1563
 __do_sys_socketpair net/socket.c:1612 [inline]
 __se_sys_socketpair net/socket.c:1609 [inline]
 __x64_sys_socketpair+0x97/0xb0 net/socket.c:1609
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x7ee/0x920 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4919 [inline]
 __free_pages+0x45/0x1e0 mm/page_alloc.c:4925
 kfree+0x1ef/0x260 mm/slub.c:4068
 device_release+0x70/0x1a0 drivers/base/core.c:1776
 kobject_cleanup lib/kobject.c:708 [inline]
 kobject_release+0x1f3/0x3d0 lib/kobject.c:739
 netdev_run_todo+0xae7/0xc80 net/core/dev.c:9456
 tun_detach drivers/net/tun.c:751 [inline]
 tun_chr_close+0xc0/0xd0 drivers/net/tun.c:3523
 __fput+0x261/0x680 fs/file_table.c:281
 task_work_run+0x186/0x1b0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x1ba/0x1d0 arch/x86/entry/common.c:163
 prepare_exit_to_usermode+0x17c/0x1d0 arch/x86/entry/common.c:194
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Memory state around the buggy address:
 ffff8881e9937080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e9937100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881e9937180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff8881e9937200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e9937280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================