==================================================================
BUG: KASAN: slab-out-of-bounds in hlist_add_head include/linux/list.h:814 [inline]
BUG: KASAN: slab-out-of-bounds in enqueue_timer+0xb7/0x300 kernel/time/timer.c:541
Write of size 8 at addr ffff8881cd68b1c8 by task ksoftirqd/1/17

CPU: 1 PID: 17 Comm: ksoftirqd/1 Not tainted 5.4.276-syzkaller-00020-g4275fce9fe94 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 hlist_add_head include/linux/list.h:814 [inline]
 enqueue_timer+0xb7/0x300 kernel/time/timer.c:541
 __internal_add_timer kernel/time/timer.c:554 [inline]
 internal_add_timer+0x240/0x430 kernel/time/timer.c:604
 __mod_timer+0x6f1/0x13e0 kernel/time/timer.c:1065
 call_timer_fn+0x36/0x390 kernel/time/timer.c:1448
 expire_timers kernel/time/timer.c:1493 [inline]
 __run_timers+0x879/0xbe0 kernel/time/timer.c:1817
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1830
 __do_softirq+0x23b/0x6b7 kernel/softirq.c:292
 run_ksoftirqd+0x1f/0x30 kernel/softirq.c:603
 smpboot_thread_fn+0x545/0x930 kernel/smpboot.c:165
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

Allocated by task 11321:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
 sk_prot_alloc+0x63/0x3e0 net/core/sock.c:1616
 sk_alloc+0x35/0x2f0 net/core/sock.c:1680
 unix_create1+0x8e/0x590 net/unix/af_unix.c:802
 unix_create+0x12c/0x1b0 net/unix/af_unix.c:863
 __sock_create+0x3cb/0x7a0 net/socket.c:1427
 sock_create net/socket.c:1478 [inline]
 __sys_socketpair+0x308/0x6e0 net/socket.c:1582
 __do_sys_socketpair net/socket.c:1631 [inline]
 __se_sys_socketpair net/socket.c:1628 [inline]
 __x64_sys_socketpair+0x97/0xb0 net/socket.c:1628
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 11319:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0x10b/0x2c0 mm/slub.c:3096
 sk_prot_free net/core/sock.c:1661 [inline]
 __sk_destruct+0x460/0x5e0 net/core/sock.c:1749
 sock_put include/net/sock.h:1789 [inline]
 unix_release_sock+0x825/0x9f0 net/unix/af_unix.c:577
 unix_release+0x4a/0x80 net/unix/af_unix.c:873
 __sock_release net/socket.c:591 [inline]
 sock_close+0xc7/0x220 net/socket.c:1277
 __fput+0x262/0x680 fs/file_table.c:281
 task_work_run+0x140/0x170 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x190/0x1a0 arch/x86/entry/common.c:163
 prepare_exit_to_usermode+0x199/0x200 arch/x86/entry/common.c:194
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

The buggy address belongs to the object at ffff8881cd68ad00
 which belongs to the cache UNIX of size 1152
The buggy address is located 72 bytes to the right of
 1152-byte region [ffff8881cd68ad00, ffff8881cd68b180)
The buggy address belongs to the page:
page:ffffea000735a200 refcount:1 mapcount:0 mapping:ffff8881f56f1400 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f56f1400
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x62/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x109/0x250 mm/slub.c:2842
 sk_prot_alloc+0x63/0x3e0 net/core/sock.c:1616
 sk_alloc+0x35/0x2f0 net/core/sock.c:1680
 unix_create1+0x8e/0x590 net/unix/af_unix.c:802
 unix_create+0x12c/0x1b0 net/unix/af_unix.c:863
 __sock_create+0x3cb/0x7a0 net/socket.c:1427
 sock_create net/socket.c:1478 [inline]
 __sys_socketpair+0x28f/0x6e0 net/socket.c:1578
 __do_sys_socketpair net/socket.c:1631 [inline]
 __se_sys_socketpair net/socket.c:1628 [inline]
 __x64_sys_socketpair+0x97/0xb0 net/socket.c:1628
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x847/0x950 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4955 [inline]
 __free_pages+0x91/0x140 mm/page_alloc.c:4961
 bpf_check+0x8aaa/0xb340 kernel/bpf/verifier.c:9731
 bpf_prog_load kernel/bpf/syscall.c:1724 [inline]
 __do_sys_bpf kernel/bpf/syscall.c:2891 [inline]
 __se_sys_bpf+0x8139/0xbcb0 kernel/bpf/syscall.c:2849
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Memory state around the buggy address:
 ffff8881cd68b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881cd68b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881cd68b180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff8881cd68b200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881cd68b280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 1d998a067 P4D 1d998a067 PUD 1c2fdb067 PMD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 17 Comm: ksoftirqd/1 Tainted: G    B             5.4.276-syzkaller-00020-g4275fce9fe94 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f5e2fb58 EFLAGS: 00010206
RAX: ffffffff8154d48a RBX: 0000000000000100 RCX: ffff8881f5e1cec0
RDX: 0000000080000100 RSI: 0000000000000000 RDI: ffff8881cd68b1c0
RBP: ffff8881f5e2fd08 R08: ffffffff8154d0ce R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000ffffd768
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881cd68b1c0
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001da04c000 CR4: 00000000003406a0
DR0: 0000000020000300 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 call_timer_fn+0x36/0x390 kernel/time/timer.c:1448
 expire_timers kernel/time/timer.c:1493 [inline]
 __run_timers+0x879/0xbe0 kernel/time/timer.c:1817
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1830
 __do_softirq+0x23b/0x6b7 kernel/softirq.c:292
 run_ksoftirqd+0x1f/0x30 kernel/softirq.c:603
 smpboot_thread_fn+0x545/0x930 kernel/smpboot.c:165
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
Modules linked in:
CR2: 0000000000000000
---[ end trace 2ca5fc7b776e8f9b ]---
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f5e2fb58 EFLAGS: 00010206
RAX: ffffffff8154d48a RBX: 0000000000000100 RCX: ffff8881f5e1cec0
RDX: 0000000080000100 RSI: 0000000000000000 RDI: ffff8881cd68b1c0
RBP: ffff8881f5e2fd08 R08: ffffffff8154d0ce R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000ffffd768
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881cd68b1c0
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001da04c000 CR4: 00000000003406a0
DR0: 0000000020000300 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600