==================================================================
BUG: KASAN: slab-out-of-bounds in __hlist_del include/linux/list.h:791 [inline]
BUG: KASAN: slab-out-of-bounds in detach_timer kernel/time/timer.c:824 [inline]
BUG: KASAN: slab-out-of-bounds in expire_timers kernel/time/timer.c:1452 [inline]
BUG: KASAN: slab-out-of-bounds in __run_timers+0x7be/0xbe0 kernel/time/timer.c:1787
Write of size 8 at addr ffff8881e49f31c8 by task syz-executor.2/18072

CPU: 1 PID: 18072 Comm: syz-executor.2 Not tainted 5.4.265-syzkaller-00001-g1b3143b9b166 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 __hlist_del include/linux/list.h:791 [inline]
 detach_timer kernel/time/timer.c:824 [inline]
 expire_timers kernel/time/timer.c:1452 [inline]
 __run_timers+0x7be/0xbe0 kernel/time/timer.c:1787
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1800
 __do_softirq+0x23b/0x6b7 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x195/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:538 [inline]
 smp_apic_timer_interrupt+0x11a/0x460 arch/x86/kernel/apic/apic.c:1149
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
 </IRQ>

Allocated by task 17895:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
 sk_prot_alloc+0x63/0x3e0 net/core/sock.c:1616
 sk_alloc+0x35/0x2f0 net/core/sock.c:1680
 unix_create1+0x8e/0x5a0 net/unix/af_unix.c:802
 unix_create+0x12c/0x1b0 net/unix/af_unix.c:863
 __sock_create+0x3cb/0x7a0 net/socket.c:1425
 sock_create net/socket.c:1476 [inline]
 __sys_socketpair+0x308/0x6e0 net/socket.c:1580
 __do_sys_socketpair net/socket.c:1629 [inline]
 __se_sys_socketpair net/socket.c:1626 [inline]
 __x64_sys_socketpair+0x97/0xb0 net/socket.c:1626
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 17894:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0x10b/0x2c0 mm/slub.c:3096
 sk_prot_free net/core/sock.c:1661 [inline]
 __sk_destruct+0x460/0x5e0 net/core/sock.c:1749
 sock_put include/net/sock.h:1782 [inline]
 unix_release_sock+0x69c/0x9f0 net/unix/af_unix.c:561
 unix_release+0x4a/0x80 net/unix/af_unix.c:873
 __sock_release net/socket.c:591 [inline]
 sock_close+0xc7/0x220 net/socket.c:1275
 __fput+0x262/0x680 fs/file_table.c:281
 task_work_run+0x140/0x170 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xcaf/0x2bc0 kernel/exit.c:859
 do_group_exit+0x138/0x300 kernel/exit.c:982
 get_signal+0xdb1/0x1440 kernel/signal.c:2735
 do_signal+0xb0/0x11f0 arch/x86/kernel/signal.c:809
 exit_to_usermode_loop+0xc0/0x1a0 arch/x86/entry/common.c:159
 prepare_exit_to_usermode+0x199/0x200 arch/x86/entry/common.c:194
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

The buggy address belongs to the object at ffff8881e49f2d00
 which belongs to the cache UNIX of size 1152
The buggy address is located 72 bytes to the right of
 1152-byte region [ffff8881e49f2d00, ffff8881e49f3180)
The buggy address belongs to the page:
page:ffffea0007927c00 refcount:1 mapcount:0 mapping:ffff8881f57f6c80 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f57f6c80
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x62/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x109/0x250 mm/slub.c:2842
 sk_prot_alloc+0x63/0x3e0 net/core/sock.c:1616
 sk_alloc+0x35/0x2f0 net/core/sock.c:1680
 unix_create1+0x8e/0x5a0 net/unix/af_unix.c:802
 unix_create+0x12c/0x1b0 net/unix/af_unix.c:863
 __sock_create+0x3cb/0x7a0 net/socket.c:1425
 sock_create net/socket.c:1476 [inline]
 __sys_socketpair+0x308/0x6e0 net/socket.c:1580
 __do_sys_socketpair net/socket.c:1629 [inline]
 __se_sys_socketpair net/socket.c:1626 [inline]
 __x64_sys_socketpair+0x97/0xb0 net/socket.c:1626
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x847/0x950 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4953 [inline]
 __free_pages+0x91/0x140 mm/page_alloc.c:4959
 device_release+0x6b/0x190 drivers/base/core.c:1776
 kobject_cleanup lib/kobject.c:716 [inline]
 kobject_release lib/kobject.c:747 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1e6/0x2f0 lib/kobject.c:764
 tun_set_iff+0x870/0xdc0 drivers/net/tun.c:2918
 __tun_chr_ioctl+0x8a9/0x1d00 drivers/net/tun.c:3181
 do_vfs_ioctl+0x742/0x1720 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Memory state around the buggy address:
 ffff8881e49f3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e49f3100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881e49f3180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff8881e49f3200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e49f3280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 1dd882067 P4D 1dd882067 PUD 1e6f25067 PMD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 18072 Comm: syz-executor.2 Tainted: G    B             5.4.265-syzkaller-00001-g1b3143b9b166 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6f09d18 EFLAGS: 00010202
RAX: ffffffff8154e38a RBX: 0000000000000101 RCX: ffff8881e36ecec0
RDX: 0000000000000101 RSI: 0000000000000000 RDI: ffff8881e49f31c0
RBP: ffff8881f6f09ec8 R08: ffffffff8154dfce R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000fffff4b0
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881e49f31c0
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001ead7b000 CR4: 00000000003406a0
DR0: 0000000020000240 DR1: 0000000020000240 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 call_timer_fn+0x36/0x390 kernel/time/timer.c:1418
 expire_timers kernel/time/timer.c:1463 [inline]
 __run_timers+0x879/0xbe0 kernel/time/timer.c:1787
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1800
 __do_softirq+0x23b/0x6b7 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x195/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:538 [inline]
 smp_apic_timer_interrupt+0x11a/0x460 arch/x86/kernel/apic/apic.c:1149
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
 </IRQ>
Modules linked in:
CR2: 0000000000000000
---[ end trace 1952e29c0a0aee2a ]---
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6f09d18 EFLAGS: 00010202
RAX: ffffffff8154e38a RBX: 0000000000000101 RCX: ffff8881e36ecec0
RDX: 0000000000000101 RSI: 0000000000000000 RDI: ffff8881e49f31c0
RBP: ffff8881f6f09ec8 R08: ffffffff8154dfce R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 00000000fffff4b0
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881e49f31c0
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001ead7b000 CR4: 00000000003406a0
DR0: 0000000020000240 DR1: 0000000020000240 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600