==================================================================
BUG: KASAN: slab-out-of-bounds in __hlist_del include/linux/list.h:791 [inline]
BUG: KASAN: slab-out-of-bounds in detach_timer kernel/time/timer.c:824 [inline]
BUG: KASAN: slab-out-of-bounds in detach_if_pending+0x188/0x360 kernel/time/timer.c:841
Write of size 8 at addr ffff8881e760f1c8 by task syz-executor.1/3562

CPU: 1 PID: 3562 Comm: syz-executor.1 Not tainted 5.4.274-syzkaller-00016-gdd432c37afcd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 __hlist_del include/linux/list.h:791 [inline]
 detach_timer kernel/time/timer.c:824 [inline]
 detach_if_pending+0x188/0x360 kernel/time/timer.c:841
 try_to_del_timer_sync kernel/time/timer.c:1267 [inline]
 del_timer_sync+0x13c/0x230 kernel/time/timer.c:1410
 tun_flow_uninit+0x2c/0x280 drivers/net/tun.c:1452
 tun_free_netdev+0x77/0x190 drivers/net/tun.c:2402
 netdev_run_todo+0xb7f/0xdf0 net/core/dev.c:9458
 tun_detach drivers/net/tun.c:766 [inline]
 tun_chr_close+0xc1/0x130 drivers/net/tun.c:3558
 __fput+0x262/0x680 fs/file_table.c:281
 task_work_run+0x140/0x170 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xcaf/0x2bc0 kernel/exit.c:859
 do_group_exit+0x138/0x300 kernel/exit.c:982
 __do_sys_exit_group kernel/exit.c:993 [inline]
 __se_sys_exit_group kernel/exit.c:991 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:991
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7fc640b7af69
Code: Bad RIP value.
RSP: 002b:00007fffda9bdc98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc640b7af69
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043
RBP: 00007fc640bc8af8 R08: 00007fffda9bba37 R09: 00007fc640cb1f40
R10: 0000000000000009 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fc640cb1f40 R14: 00007fffda9bde70 R15: 00000000ffffffff

Allocated by task 3644:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
 sk_prot_alloc+0x63/0x3e0 net/core/sock.c:1616
 sk_alloc+0x35/0x2f0 net/core/sock.c:1680
 unix_create1+0x8e/0x5a0 net/unix/af_unix.c:802
 unix_create+0x12c/0x1b0 net/unix/af_unix.c:863
 __sock_create+0x3cb/0x7a0 net/socket.c:1427
 sock_create net/socket.c:1478 [inline]
 __sys_socketpair+0x28f/0x6e0 net/socket.c:1578
 __do_sys_socketpair net/socket.c:1631 [inline]
 __se_sys_socketpair net/socket.c:1628 [inline]
 __x64_sys_socketpair+0x97/0xb0 net/socket.c:1628
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 3643:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0x10b/0x2c0 mm/slub.c:3096
 sk_prot_free net/core/sock.c:1661 [inline]
 __sk_destruct+0x460/0x5e0 net/core/sock.c:1749
 sock_put include/net/sock.h:1789 [inline]
 unix_release_sock+0x69c/0x9f0 net/unix/af_unix.c:561
 unix_release+0x4a/0x80 net/unix/af_unix.c:873
 __sock_release net/socket.c:591 [inline]
 sock_close+0xc7/0x220 net/socket.c:1277
 __fput+0x262/0x680 fs/file_table.c:281
 task_work_run+0x140/0x170 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x190/0x1a0 arch/x86/entry/common.c:163
 prepare_exit_to_usermode+0x199/0x200 arch/x86/entry/common.c:194
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

The buggy address belongs to the object at ffff8881e760ed00
 which belongs to the cache UNIX of size 1152
The buggy address is located 72 bytes to the right of
 1152-byte region [ffff8881e760ed00, ffff8881e760f180)
The buggy address belongs to the page:
page:ffffea00079d8300 refcount:1 mapcount:0 mapping:ffff8881f51ce280 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f51ce280
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x62/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x109/0x250 mm/slub.c:2842
 sk_prot_alloc+0x63/0x3e0 net/core/sock.c:1616
 sk_alloc+0x35/0x2f0 net/core/sock.c:1680
 unix_create1+0x8e/0x5a0 net/unix/af_unix.c:802
 unix_create+0x12c/0x1b0 net/unix/af_unix.c:863
 __sock_create+0x3cb/0x7a0 net/socket.c:1427
 sock_create net/socket.c:1478 [inline]
 __sys_socket+0x132/0x370 net/socket.c:1520
 __do_sys_socket net/socket.c:1529 [inline]
 __se_sys_socket net/socket.c:1527 [inline]
 __x64_sys_socket+0x76/0x80 net/socket.c:1527
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 free_pcp_prepare mm/page_alloc.c:1233 [inline]
 free_unref_page_prepare+0x297/0x380 mm/page_alloc.c:3085
 free_unref_page mm/page_alloc.c:3134 [inline]
 free_the_page mm/page_alloc.c:4953 [inline]
 __free_pages+0xaf/0x140 mm/page_alloc.c:4961
 __vunmap+0x75b/0x890 mm/vmalloc.c:2260
 copy_entries_to_user net/ipv4/netfilter/arp_tables.c:712 [inline]
 get_entries net/ipv4/netfilter/arp_tables.c:867 [inline]
 do_arpt_get_ctl+0x798/0xa20 net/ipv4/netfilter/arp_tables.c:1491
 nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
 nf_getsockopt+0x28c/0x2b0 net/netfilter/nf_sockopt.c:122
 ip_getsockopt+0x15d/0x220 net/ipv4/ip_sockglue.c:1586
 __sys_getsockopt+0x1c0/0x2b0 net/socket.c:2138
 __do_sys_getsockopt net/socket.c:2153 [inline]
 __se_sys_getsockopt net/socket.c:2150 [inline]
 __x64_sys_getsockopt+0xb1/0xc0 net/socket.c:2150
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Memory state around the buggy address:
 ffff8881e760f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e760f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881e760f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff8881e760f200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e760f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================