==================================================================
BUG: KASAN: slab-out-of-bounds in __write_once_size include/linux/compiler.h:295 [inline]
BUG: KASAN: slab-out-of-bounds in __hlist_del include/linux/list.h:789 [inline]
BUG: KASAN: slab-out-of-bounds in detach_timer kernel/time/timer.c:824 [inline]
BUG: KASAN: slab-out-of-bounds in detach_if_pending+0x12d/0x330 kernel/time/timer.c:841
Write of size 8 at addr ffff8881e4a5b1c0 by task syz.4.70/596

CPU: 1 PID: 596 Comm: syz.4.70 Not tainted 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 __dump_stack+0x1e/0x20 lib/dump_stack.c:77
 dump_stack+0x15b/0x1b8 lib/dump_stack.c:118
 print_address_description+0x8d/0x4c0 mm/kasan/report.c:384
 __kasan_report+0xef/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:137
 __write_once_size include/linux/compiler.h:295 [inline]
 __hlist_del include/linux/list.h:789 [inline]
 detach_timer kernel/time/timer.c:824 [inline]
 detach_if_pending+0x12d/0x330 kernel/time/timer.c:841
 try_to_del_timer_sync kernel/time/timer.c:1267 [inline]
 del_timer_sync+0x136/0x1a0 kernel/time/timer.c:1410
 tun_flow_uninit+0x2f/0x2b0 drivers/net/tun.c:1452
 tun_free_netdev+0x7a/0x1b0 drivers/net/tun.c:2404
 netdev_run_todo+0xa45/0xc70 net/core/dev.c:9477
 rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:112
 tun_detach drivers/net/tun.c:766 [inline]
 tun_chr_close+0xc4/0x140 drivers/net/tun.c:3563
 __fput+0x2a3/0x730 fs/file_table.c:281
 ____fput+0x15/0x20 fs/file_table.c:314
 task_work_run+0x146/0x170 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa43/0x2660 kernel/exit.c:861
 do_group_exit+0x13e/0x300 kernel/exit.c:984
 get_signal+0xdee/0x13d0 kernel/signal.c:2738
 do_signal+0xad/0xda0 arch/x86/kernel/signal.c:809
 exit_to_usermode_loop+0xc4/0x1b0 arch/x86/entry/common.c:159
 prepare_exit_to_usermode+0x18e/0x1f0 arch/x86/entry/common.c:194
 syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
 do_syscall_64+0x13e/0x170 arch/x86/entry/common.c:300
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7f101f165969
Code: Bad RIP value.
RSP: 002b:00007f101d7ce038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: 0000000000000000 RBX: 00007f101f38cfa0 RCX: 00007f101f165969
RDX: 0000200000000080 RSI: 0000000000008914 RDI: 0000000000000009
RBP: 00007f101f1e7ab1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f101f38cfa0 R15: 00007ffd17ab7708

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8881e4a5ad00
 which belongs to the cache UNIX of size 1152
The buggy address is located 64 bytes to the right of
 1152-byte region [ffff8881e4a5ad00, ffff8881e4a5b180)
The buggy address belongs to the page:
page:ffffea0007929600 refcount:1 mapcount:0 mapping:ffff8881f5e8b400 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5e8b400
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x35e/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x1296/0x1310 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x202/0x4b0 mm/page_alloc.c:4894
 alloc_slab_page+0x3c/0x3b0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x93/0x420 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x29e/0x420 mm/slub.c:2667
 __slab_alloc+0x63/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x12c/0x270 mm/slub.c:2842
 sk_prot_alloc+0x5c/0x410 net/core/sock.c:1616
 sk_alloc+0x38/0x330 net/core/sock.c:1680
 unix_create1+0x90/0x5a0 net/unix/af_unix.c:789
 unix_create+0x135/0x1c0 net/unix/af_unix.c:850
 __sock_create+0x3a8/0x740 net/socket.c:1427
 sock_create net/socket.c:1478 [inline]
 __sys_socketpair+0x21e/0x5a0 net/socket.c:1582
 __do_sys_socketpair net/socket.c:1631 [inline]
 __se_sys_socketpair net/socket.c:1628 [inline]
 __x64_sys_socketpair+0x9b/0xb0 net/socket.c:1628
 do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x7e4/0x910 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4956 [inline]
 __free_pages mm/page_alloc.c:4962 [inline]
 free_pages+0xf9/0x180 mm/page_alloc.c:4970
 stack_depot_save+0x492/0x4c0 lib/stackdepot.c:300
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x223/0x280 mm/kasan/common.c:487
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:496
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook+0xb7/0x180 mm/slub.c:1494
 slab_free mm/slub.c:3080 [inline]
 kfree+0xbe/0x260 mm/slub.c:4071
 skb_free_head net/core/skbuff.c:601 [inline]
 skb_release_data+0x4ea/0x610 net/core/skbuff.c:621
 skb_release_all net/core/skbuff.c:675 [inline]
 __kfree_skb net/core/skbuff.c:689 [inline]
 consume_skb+0xad/0x240 net/core/skbuff.c:849
 netlink_broadcast_filtered+0x1198/0x1290 net/netlink/af_netlink.c:1516
 netlink_broadcast net/netlink/af_netlink.c:1538 [inline]
 nlmsg_multicast include/net/netlink.h:968 [inline]
 nlmsg_notify+0xed/0x1b0 net/netlink/af_netlink.c:2510
 rtnl_notify+0x9a/0xc0 net/core/rtnetlink.c:737
 inet6_rt_notify+0x365/0x470 net/ipv6/route.c:6008
 fib6_del_route net/ipv6/ip6_fib.c:1893 [inline]
 fib6_del+0x950/0xbe0 net/ipv6/ip6_fib.c:1926
 fib6_clean_node+0x296/0x520 net/ipv6/ip6_fib.c:2088
 fib6_walk_continue+0x4fc/0x700 net/ipv6/ip6_fib.c:2010

Memory state around the buggy address:
 ffff8881e4a5b080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881e4a5b100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881e4a5b180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff8881e4a5b200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e4a5b280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syz.4.70 (596) used greatest stack depth: 22912 bytes left