==================================================================
BUG: KASAN: use-after-free in hlist_move_list include/linux/list.h:852 [inline]
BUG: KASAN: use-after-free in __collect_expired_timers kernel/time/timer.c:1484 [inline]
BUG: KASAN: use-after-free in collect_expired_timers kernel/time/timer.c:1719 [inline]
BUG: KASAN: use-after-free in __run_timers+0x4e6/0x700 kernel/time/timer.c:1783
Write of size 8 at addr ffff8881ec27f1c8 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.210-syzkaller-00006-gc80a5b2e7f63 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x630 mm/kasan/report.c:384
 __kasan_report+0xf6/0x130 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 hlist_move_list include/linux/list.h:852 [inline]
 __collect_expired_timers kernel/time/timer.c:1484 [inline]
 collect_expired_timers kernel/time/timer.c:1719 [inline]
 __run_timers+0x4e6/0x700 kernel/time/timer.c:1783
 run_timer_softirq+0x46/0x80 kernel/time/timer.c:1800
 __do_softirq+0x23e/0x643 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x195/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:538 [inline]
 smp_apic_timer_interrupt+0x113/0x440 arch/x86/kernel/apic/apic.c:1150
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:831
 </IRQ>
RIP: 0010:default_idle+0x1f/0x30 arch/x86/kernel/process.c:573
Code: 90 90 90 90 90 90 90 90 90 90 90 e8 5b 7b e6 fd bf 01 00 00 00 89 c6 e8 bf 6f e4 fc 0f 1f 44 00 00 0f 00 2d 83 e1 60 00 fb f4 <e8> 3c 7b e6 fd bf ff ff ff ff 89 c6 e9 a0 6f e4 fc 41 57 41 56 53
RSP: 0018:ffffffff85c07d18 EFLAGS: 000002d2 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff85c18a00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffffffff85c07e20 R08: ffffffff822ae7d0 R09: fffffbfff0b83141
R10: fffffbfff0b83141 R11: 1ffffffff0b83140 R12: ffffffff862695e0
R13: ffffffff85c18a00 R14: 1ffffffff0b83140 R15: 0000000000000000
 default_idle_call kernel/sched/idle.c:94 [inline]
 cpuidle_idle_call kernel/sched/idle.c:154 [inline]
 do_idle+0x255/0x670 kernel/sched/idle.c:264
 cpu_startup_entry+0x15/0x20 kernel/sched/idle.c:356
 start_kernel+0x6ef/0x83b init/main.c:1047
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241

The buggy address belongs to the page:
page:ffffea0007b09fc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x140dc0(GFP_USER|__GFP_COMP|__GFP_ZERO)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x194/0x380 mm/page_alloc.c:2171
 get_page_from_freelist+0x524/0x560 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x372/0x860 mm/page_alloc.c:4857
 __alloc_pages include/linux/gfp.h:503 [inline]
 __alloc_pages_node include/linux/gfp.h:516 [inline]
 alloc_pages_node include/linux/gfp.h:530 [inline]
 kmalloc_order mm/slab_common.c:1342 [inline]
 kmalloc_order_trace+0x2a/0xf0 mm/slab_common.c:1358
 kmalloc_large include/linux/slab.h:485 [inline]
 kmalloc include/linux/slab.h:549 [inline]
 kzalloc include/linux/slab.h:690 [inline]
 tipc_nametbl_init+0x93/0x260 net/tipc/name_table.c:738
 tipc_init_net+0x229/0x360 net/tipc/core.c:74
 ops_init+0x278/0x350 net/core/net_namespace.c:137
 setup_net+0x21b/0xa70 net/core/net_namespace.c:338
 copy_net_ns+0x31a/0x510 net/core/net_namespace.c:479
 create_new_namespaces+0x4e3/0x5f0 kernel/nsproxy.c:103
 copy_namespaces+0x169/0x1b0 kernel/nsproxy.c:161
 copy_process+0x12cd/0x3230 kernel/fork.c:2044
 _do_fork+0x196/0x8d0 kernel/fork.c:2391
 __do_sys_clone kernel/fork.c:2549 [inline]
 __se_sys_clone kernel/fork.c:2530 [inline]
 __x64_sys_clone+0x287/0x2f0 kernel/fork.c:2530
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x7fe/0x930 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4919 [inline]
 __free_pages+0x8f/0x250 mm/page_alloc.c:4925
 kfree+0x1ef/0x260 mm/slub.c:4068
 tipc_exit_net+0x92/0x100 net/tipc/core.c:108
 ops_exit_list net/core/net_namespace.c:172 [inline]
 cleanup_net+0x6e4/0xd60 net/core/net_namespace.c:602
 process_one_work+0x6ca/0xc40 kernel/workqueue.c:2287
 worker_thread+0xae0/0x1440 kernel/workqueue.c:2433
 kthread+0x2d8/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Memory state around the buggy address:
 ffff8881ec27f080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881ec27f100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881ec27f180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                              ^
 ffff8881ec27f200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881ec27f280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 1e9922067 P4D 1e9922067 PUD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B             5.4.210-syzkaller-00006-gc80a5b2e7f63 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6e09cc0 EFLAGS: 00010202
RAX: ffffffff8155b109 RBX: 0000000000000101 RCX: ffffffff85c18a00
RDX: 0000000000000101 RSI: 0000000000000000 RDI: ffff8881ec27f1c0
RBP: ffff8881ec27f1e0 R08: ffffffff8155aee2 R09: fffffbfff0d9270d
R10: fffffbfff0d9270d R11: 1ffffffff0d9270c R12: 000000010004b260
R13: 1ffff1103edc92f1 R14: 0000000000000000 R15: ffff8881ec27f1c0
FS:  0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001c875f000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 call_timer_fn+0x31/0x350 kernel/time/timer.c:1418
 expire_timers+0x21e/0x400 kernel/time/timer.c:1463
 __run_timers+0x5e0/0x700 kernel/time/timer.c:1787
 run_timer_softirq+0x46/0x80 kernel/time/timer.c:1800
 __do_softirq+0x23e/0x643 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x195/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:538 [inline]
 smp_apic_timer_interrupt+0x113/0x440 arch/x86/kernel/apic/apic.c:1150
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:831
 </IRQ>
RIP: 0010:default_idle+0x1f/0x30 arch/x86/kernel/process.c:573
Code: 90 90 90 90 90 90 90 90 90 90 90 e8 5b 7b e6 fd bf 01 00 00 00 89 c6 e8 bf 6f e4 fc 0f 1f 44 00 00 0f 00 2d 83 e1 60 00 fb f4 <e8> 3c 7b e6 fd bf ff ff ff ff 89 c6 e9 a0 6f e4 fc 41 57 41 56 53
RSP: 0018:ffffffff85c07d18 EFLAGS: 000002d2 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff85c18a00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffffffff85c07e20 R08: ffffffff822ae7d0 R09: fffffbfff0b83141
R10: fffffbfff0b83141 R11: 1ffffffff0b83140 R12: ffffffff862695e0
R13: ffffffff85c18a00 R14: 1ffffffff0b83140 R15: 0000000000000000
 default_idle_call kernel/sched/idle.c:94 [inline]
 cpuidle_idle_call kernel/sched/idle.c:154 [inline]
 do_idle+0x255/0x670 kernel/sched/idle.c:264
 cpu_startup_entry+0x15/0x20 kernel/sched/idle.c:356
 start_kernel+0x6ef/0x83b init/main.c:1047
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
Modules linked in:
CR2: 0000000000000000
---[ end trace f51098c041de4525 ]---
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881f6e09cc0 EFLAGS: 00010202
RAX: ffffffff8155b109 RBX: 0000000000000101 RCX: ffffffff85c18a00
RDX: 0000000000000101 RSI: 0000000000000000 RDI: ffff8881ec27f1c0
RBP: ffff8881ec27f1e0 R08: ffffffff8155aee2 R09: fffffbfff0d9270d
R10: fffffbfff0d9270d R11: 1ffffffff0d9270c R12: 000000010004b260
R13: 1ffff1103edc92f1 R14: 0000000000000000 R15: ffff8881ec27f1c0
FS:  0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001c875f000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	90                   	nop
   1:	90                   	nop
   2:	90                   	nop
   3:	90                   	nop
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	e8 5b 7b e6 fd       	callq  0xfde67b6b
  10:	bf 01 00 00 00       	mov    $0x1,%edi
  15:	89 c6                	mov    %eax,%esi
  17:	e8 bf 6f e4 fc       	callq  0xfce46fdb
  1c:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  21:	0f 00 2d 83 e1 60 00 	verw   0x60e183(%rip)        # 0x60e1ab
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	e8 3c 7b e6 fd       	callq  0xfde67b6b <-- trapping instruction
  2f:	bf ff ff ff ff       	mov    $0xffffffff,%edi
  34:	89 c6                	mov    %eax,%esi
  36:	e9 a0 6f e4 fc       	jmpq   0xfce46fdb
  3b:	41 57                	push   %r15
  3d:	41 56                	push   %r14
  3f:	53                   	push   %rbx