==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:787 [inline]
BUG: KASAN: use-after-free in enqueue_timer kernel/time/timer.c:540 [inline]
BUG: KASAN: use-after-free in __internal_add_timer+0x28d/0x490 kernel/time/timer.c:553
Write of size 8 at addr ffff8881ce0eb188 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.50-syzkaller-01110-g45217b91eaaa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x14a/0x1ce lib/dump_stack.c:118
 print_address_description+0x93/0x620 mm/kasan/report.c:374
 __kasan_report+0x16d/0x1e0 mm/kasan/report.c:506
 kasan_report+0x36/0x60 mm/kasan/common.c:634
 hlist_add_head include/linux/list.h:787 [inline]
 enqueue_timer kernel/time/timer.c:540 [inline]
 __internal_add_timer+0x28d/0x490 kernel/time/timer.c:553
 internal_add_timer kernel/time/timer.c:595 [inline]
 __mod_timer+0xbf4/0x1af0 kernel/time/timer.c:1053
 mld_ifc_start_timer net/ipv6/mcast.c:1053 [inline]
 mld_ifc_timer_expire+0xb38/0xc80 net/ipv6/mcast.c:2481
 call_timer_fn+0x154/0x340 kernel/time/timer.c:1404
 expire_timers+0x35c/0x470 kernel/time/timer.c:1449
 __run_timers+0x662/0x7b0 kernel/time/timer.c:1773
 run_timer_softirq+0x19/0x30 kernel/time/timer.c:1786
 __do_softirq+0x2d5/0x725 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x16d/0x180 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:546 [inline]
 smp_apic_timer_interrupt+0x281/0x3f0 arch/x86/kernel/apic/apic.c:1146
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:831
 </IRQ>
RIP: 0010:default_idle+0x1f/0x30 arch/x86/kernel/process.c:573
Code: ff e8 55 15 42 fd 90 90 90 90 90 65 8b 35 d1 44 2a 7c bf 01 00 00 00 e8 4f a1 30 fd e9 07 00 00 00 0f 00 2d ab 31 49 00 fb f4 <65> 8b 35 b2 44 2a 7c bf ff ff ff ff e9 30 a1 30 fd 41 57 41 56 53
RSP: 0018:ffffffff84c07d18 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 7ecab8627a8f2e01 RBX: ffffffff84c14980 RCX: ffffffff8124c720
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffffffff84c07e20 R08: dffffc0000000000 R09: fffffbfff0982931
R10: fffffbfff0982931 R11: 0000000000000000 R12: ffffffff84d900a0
R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffffffff0982930
 default_idle_call kernel/sched/idle.c:94 [inline]
 cpuidle_idle_call kernel/sched/idle.c:154 [inline]
 do_idle+0x209/0x5e0 kernel/sched/idle.c:263
 cpu_startup_entry+0x15/0x20 kernel/sched/idle.c:355
 start_kernel+0x7a3/0x873 init/main.c:784
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241

Allocated by task 7300:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x12c/0x1c0 mm/kasan/common.c:510
 __kmalloc+0xf7/0x2d0 mm/slub.c:3821
 __kmalloc_node include/linux/slab.h:422 [inline]
 kmalloc_node include/linux/slab.h:599 [inline]
 kvmalloc_node+0xc2/0x120 mm/util.c:564
 kvmalloc include/linux/mm.h:678 [inline]
 kvzalloc include/linux/mm.h:686 [inline]
 netif_alloc_netdev_queues net/core/dev.c:8920 [inline]
 alloc_netdev_mqs+0x5bf/0xc60 net/core/dev.c:9550
 sit_init_net+0x179/0x480 net/ipv6/sit.c:1854
 ops_init+0x26e/0x340 net/core/net_namespace.c:137
 setup_net+0x22b/0xac0 net/core/net_namespace.c:335
 copy_net_ns+0x2e5/0x4a0 net/core/net_namespace.c:476
 create_new_namespaces+0x57b/0x680 kernel/nsproxy.c:103
 unshare_nsproxy_namespaces+0x11e/0x180 kernel/nsproxy.c:202
 ksys_unshare+0x52f/0xa40 kernel/fork.c:2874
 __do_sys_unshare kernel/fork.c:2942 [inline]
 __se_sys_unshare kernel/fork.c:2940 [inline]
 __x64_sys_unshare+0x34/0x40 kernel/fork.c:2940
 do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 392:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x181/0x230 mm/kasan/common.c:471
 slab_free_hook mm/slub.c:1424 [inline]
 slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1457
 slab_free mm/slub.c:3014 [inline]
 kfree+0x12b/0x600 mm/slub.c:3975
 netif_free_tx_queues net/core/dev.c:8908 [inline]
 free_netdev+0x43/0x300 net/core/dev.c:9594
 netdev_run_todo+0xc38/0xe90 net/core/dev.c:9353
 sit_exit_batch_net+0x652/0x690 net/ipv6/sit.c:1897
 ops_exit_list net/core/net_namespace.c:175 [inline]
 cleanup_net+0x79c/0xd60 net/core/net_namespace.c:597
 process_one_work+0x777/0xf90 kernel/workqueue.c:2274
 worker_thread+0xa8f/0x1430 kernel/workqueue.c:2420
 kthread+0x2df/0x300 kernel/kthread.c:255
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8881ce0eb000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 392 bytes inside of
 512-byte region [ffff8881ce0eb000, ffff8881ce0eb200)
The buggy address belongs to the page:
page:ffffea0007383a00 refcount:1 mapcount:0 mapping:ffff8881da802500 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802500
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881ce0eb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ce0eb100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881ce0eb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8881ce0eb200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881ce0eb280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 1a04ca067 P4D 1a04ca067 PUD 1a04cb067 PMD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B             5.4.50-syzkaller-01110-g45217b91eaaa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881db809c08 EFLAGS: 00010202
RAX: ffffffff8132ff7c RBX: 0000000000000000 RCX: ffffffff84c14980
RDX: 0000000080000101 RSI: 0000000000000000 RDI: ffff8881ce0eb180
RBP: ffff8881ce0eb1a0 R08: ffffffff8132fe17 R09: ffffed103b7046e7
R10: ffffed103b7046e7 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000101 R14: ffff8881ce0eb188 R15: ffff8881ce0eb180
FS:  0000000000000000(0000) GS:ffff8881db800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001a04c9004 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 call_timer_fn+0x154/0x340 kernel/time/timer.c:1404
 expire_timers+0x35c/0x470 kernel/time/timer.c:1449
 __run_timers+0x662/0x7b0 kernel/time/timer.c:1773
 run_timer_softirq+0x19/0x30 kernel/time/timer.c:1786
 __do_softirq+0x2d5/0x725 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x16d/0x180 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:546 [inline]
 smp_apic_timer_interrupt+0x281/0x3f0 arch/x86/kernel/apic/apic.c:1146
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:831
 </IRQ>
RIP: 0010:default_idle+0x1f/0x30 arch/x86/kernel/process.c:573
Code: ff e8 55 15 42 fd 90 90 90 90 90 65 8b 35 d1 44 2a 7c bf 01 00 00 00 e8 4f a1 30 fd e9 07 00 00 00 0f 00 2d ab 31 49 00 fb f4 <65> 8b 35 b2 44 2a 7c bf ff ff ff ff e9 30 a1 30 fd 41 57 41 56 53
RSP: 0018:ffffffff84c07d18 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 7ecab8627a8f2e01 RBX: ffffffff84c14980 RCX: ffffffff8124c720
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffffffff84c07e20 R08: dffffc0000000000 R09: fffffbfff0982931
R10: fffffbfff0982931 R11: 0000000000000000 R12: ffffffff84d900a0
R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffffffff0982930
 default_idle_call kernel/sched/idle.c:94 [inline]
 cpuidle_idle_call kernel/sched/idle.c:154 [inline]
 do_idle+0x209/0x5e0 kernel/sched/idle.c:263
 cpu_startup_entry+0x15/0x20 kernel/sched/idle.c:355
 start_kernel+0x7a3/0x873 init/main.c:784
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
Modules linked in:
CR2: 0000000000000000
---[ end trace 1e8fdc1d7dc7844b ]---
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffff8881db809c08 EFLAGS: 00010202
RAX: ffffffff8132ff7c RBX: 0000000000000000 RCX: ffffffff84c14980
RDX: 0000000080000101 RSI: 0000000000000000 RDI: ffff8881ce0eb180
RBP: ffff8881ce0eb1a0 R08: ffffffff8132fe17 R09: ffffed103b7046e7
R10: ffffed103b7046e7 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000101 R14: ffff8881ce0eb188 R15: ffff8881ce0eb180
FS:  0000000000000000(0000) GS:ffff8881db800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001a04c9004 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400