==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:787 [inline]
BUG: KASAN: use-after-free in enqueue_timer kernel/time/timer.c:541 [inline]
BUG: KASAN: use-after-free in __mod_timer+0xa90/0x1c70 kernel/time/timer.c:1062
Write of size 8 at addr ffff8881e28b71c8 by task kworker/0:2/97

CPU: 0 PID: 97 Comm: kworker/0:2 Not tainted 5.4.101-syzkaller-00440-g55e9d3c6b5f7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: wg-crypt-wg0 wg_packet_tx_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x24e lib/dump_stack.c:118
 print_address_description+0x9b/0x650 mm/kasan/report.c:376
 __kasan_report+0x182/0x250 mm/kasan/report.c:508
 kasan_report+0x30/0x60 mm/kasan/common.c:641
 hlist_add_head include/linux/list.h:787 [inline]
 enqueue_timer kernel/time/timer.c:541 [inline]
 __mod_timer+0xa90/0x1c70 kernel/time/timer.c:1062
 mod_peer_timer drivers/net/wireguard/timers.c:37 [inline]
 wg_timers_any_authenticated_packet_traversal+0x129/0x190 drivers/net/wireguard/timers.c:215
 wg_packet_create_data_done drivers/net/wireguard/send.c:248 [inline]
 wg_packet_tx_worker+0x2c4/0x9b0 drivers/net/wireguard/send.c:280
 process_one_work+0x679/0x1030 kernel/workqueue.c:2277
 worker_thread+0xa6f/0x1400 kernel/workqueue.c:2423
 kthread+0x30f/0x330 kernel/kthread.c:268
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 120:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x137/0x1e0 mm/kasan/common.c:517
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2821 [inline]
 slab_alloc mm/slub.c:2829 [inline]
 kmem_cache_alloc+0x115/0x290 mm/slub.c:2834
 mempool_alloc_slab+0x16/0x20 mm/mempool.c:513
 mempool_alloc+0x113/0x680 mm/mempool.c:393
 bio_alloc_bioset+0x1db/0x640 block/bio.c:483
 bio_alloc include/linux/bio.h:405 [inline]
 submit_bh_wbc+0x1ba/0x790 fs/buffer.c:3042
 submit_bh+0x21/0x30 fs/buffer.c:3076
 journal_submit_commit_record+0x7b5/0xa70 fs/jbd2/commit.c:154
 jbd2_journal_commit_transaction+0x3b51/0x6440 fs/jbd2/commit.c:877
 kjournald2+0x494/0x8a0 fs/jbd2/journal.c:209
 kthread+0x30f/0x330 kernel/kthread.c:268
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Freed by task 0:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:333 [inline]
 __kasan_slab_free+0x18a/0x240 mm/kasan/common.c:475
 slab_free_hook mm/slub.c:1454 [inline]
 slab_free_freelist_hook+0x7b/0x150 mm/slub.c:1492
 slab_free mm/slub.c:3072 [inline]
 kmem_cache_free+0xb8/0x5f0 mm/slub.c:3088
 req_bio_endio block/blk-core.c:247 [inline]
 blk_update_request+0x33b/0xfc0 block/blk-core.c:1478
 blk_mq_end_request+0x39/0x70 block/blk-mq.c:571
 blk_flush_complete_seq+0x5a2/0xd20 block/blk-flush.c:197
 flush_end_io+0x4d6/0x6e0 block/blk-flush.c:248
 scsi_end_request+0x5bc/0x8b0 drivers/scsi/scsi_lib.c:622
 scsi_io_completion+0x1af/0x1bf0 drivers/scsi/scsi_lib.c:968
 blk_done_softirq+0x2f2/0x370 block/blk-softirq.c:37
 __do_softirq+0x23e/0x615 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881e28b7140
 which belongs to the cache bio-0 of size 200
The buggy address is located 136 bytes inside of
 200-byte region [ffff8881e28b7140, ffff8881e28b7208)
The buggy address belongs to the page:
page:ffffea00078a2dc0 refcount:1 mapcount:0 mapping:ffff8881f5044c80 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881f5044c80
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881e28b7080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
 ffff8881e28b7100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8881e28b7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff8881e28b7200: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881e28b7280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================