BUG: KASAN: slab-out-of-bounds in hlist_add_head include/linux/list.h:787 [inline]
BUG: KASAN: slab-out-of-bounds in enqueue_timer kernel/time/timer.c:541 [inline]
BUG: KASAN: slab-out-of-bounds in __internal_add_timer+0x2a6/0x4a0 kernel/time/timer.c:554
Write of size 8 at addr ffff8881ee3fb1c8 by task syz-executor.4/555

CPU: 0 PID: 555 Comm: syz-executor.4 Not tainted 5.4.97-syzkaller-00250-g57b3f4830fb6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x24e lib/dump_stack.c:118
 print_address_description+0x9b/0x650 mm/kasan/report.c:376
 __kasan_report+0x182/0x250 mm/kasan/report.c:508
 kasan_report+0x30/0x60 mm/kasan/common.c:641
 hlist_add_head include/linux/list.h:787 [inline]
 enqueue_timer kernel/time/timer.c:541 [inline]
 __internal_add_timer+0x2a6/0x4a0 kernel/time/timer.c:554
 internal_add_timer kernel/time/timer.c:604 [inline]
 __mod_timer+0xab9/0x1c70 kernel/time/timer.c:1065
 tun_flow_init drivers/net/tun.c:1368 [inline]
 tun_set_iff drivers/net/tun.c:2840 [inline]
 __tun_chr_ioctl+0x337d/0x4bd0 drivers/net/tun.c:3096
 do_vfs_ioctl+0x76a/0x1720 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x465d99
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f368cc93188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465d99
RDX: 0000000020000000 RSI: 00000000400454ca RDI: 0000000000000005
RBP: 00000000004bcf27 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffdc742169f R14: 00007f368cc93300 R15: 0000000000022000

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8881ee3fad00
 which belongs to the cache UNIX of size 1152
The buggy address is located 72 bytes to the right of
 1152-byte region [ffff8881ee3fad00, ffff8881ee3fb180)
The buggy address belongs to the page:
page:ffffea0007b8fe00 refcount:1 mapcount:0 mapping:ffff8881f4320c80 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f4320c80
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881ee3fb080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881ee3fb100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881ee3fb180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff8881ee3fb200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881ee3fb280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================