!!! css_killed_ref_fn css ffff88811ef30000 !!!
list_add corruption. prev->next should be next (ffff8881f7055220), but was ffff88811ef37070. (prev=ffff88811ef30470).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 373 Comm: kworker/1:2 Tainted: G W 5.10.119-syzkaller-00165-g0c6b4937af60 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: cgroup_destroy css_killed_work_fn
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 a7 cc 1b 02 0f 0b 48 c7 c7 90 44 d6 85 e8 b6 f2 19 00 48 c7 c7 80 02 03 85 4c 89 f6 4c 89 e1 31 c0 e8 85 cc 1b 02 <0f> 0b 48 c7 c7 a0 44 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000160b30 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f7055228 RCX: 4e6d3c802d56a700
RDX: 0000000000000302 RSI: 0000000000000302 RDI: 0000000000000000
RBP: ffffc90000160b58 R08: ffffffff815145c8 R09: fffff5200002c133
R10: fffff5200002c133 R11: 1ffff9200002c132 R12: ffff88811ef30470
R13: dffffc0000000000 R14: ffff8881f7055220 R15: ffffe8ffffc13550
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5ac15cc000 CR3: 0000000110c83000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
insert_work+0xfc/0x330 kernel/workqueue.c:1342
__queue_work+0x99e/0xe20 kernel/workqueue.c:1504
queue_work_on+0xbe/0x110 kernel/workqueue.c:1531
wg_queue_enqueue_per_device_and_peer drivers/net/wireguard/queueing.h:181 [inline]
wg_packet_create_data drivers/net/wireguard/send.c:320 [inline]
wg_packet_send_staged_packets+0xae6/0x1120 drivers/net/wireguard/send.c:387
wg_packet_send_keepalive+0x15b/0x1c0 drivers/net/wireguard/send.c:239
wg_expired_send_persistent_keepalive+0x52/0x80 drivers/net/wireguard/timers.c:141
call_timer_fn+0x35/0x350 kernel/time/timer.c:1414
expire_timers+0x21b/0x410 kernel/time/timer.c:1459
__run_timers+0x5a9/0x700 kernel/time/timer.c:1753
run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1766
__do_softirq+0x253/0x67b kernel/softirq.c:298
asm_call_irq_on_stack+0xf/0x20
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:393 [inline]
__irq_exit_rcu+0x152/0x1e0 kernel/softirq.c:423
irq_exit_rcu+0x9/0x10 kernel/softirq.c:435
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:41 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:84 [inline]
RIP: 0010:console_trylock_spinning kernel/printk/printk.c:1860 [inline]
RIP: 0010:vprintk_emit+0x266/0x340 kernel/printk/printk.c:2053
Code: d0 da 17 00 48 c7 c7 00 0a b9 85 48 89 de e8 51 7f 08 01 f6 c3 01 75 de e8 b7 da 17 00 e8 72 70 00 00 4c 89 75 a0 ff 75 a0 9d <e9> d9 fe ff ff e8 a0 da 17 00 eb 05 e8 99 da 17 00 45 89 ef 48 c7
RSP: 0018:ffffc90000b87b88 EFLAGS: 00000246
RAX: ffffffff8151a629 RBX: 0000000000000000 RCX: ffff8881196e0000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffffc90000b87bf0 R08: ffffffff81513573 R09: fffff52000170f69
R10: fffff52000170f69 R11: 1ffff92000170f68 R12: 1ffff92000170f77
R13: 000000000000003b R14: 0000000000000246 R15: 000000000000003b
vprintk_default+0x26/0x30 kernel/printk/printk.c:2071
vprintk_func+0x19d/0x1e0 kernel/printk/printk_safe.c:401
printk+0x76/0x96 kernel/printk/printk.c:2102
css_put include/linux/cgroup.h:412 [inline]
css_killed_work_fn+0x2f6/0x500 kernel/cgroup/cgroup.c:5471
process_one_work+0x711/0xce0 kernel/workqueue.c:2279
worker_thread+0xb17/0x1540 kernel/workqueue.c:2425
kthread+0x365/0x400 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace 518ce58d12f18535 ]---
RIP: 0010:__list_add_valid+0xde/0xf0 lib/list_debug.c:26
Code: f1 31 c0 e8 a7 cc 1b 02 0f 0b 48 c7 c7 90 44 d6 85 e8 b6 f2 19 00 48 c7 c7 80 02 03 85 4c 89 f6 4c 89 e1 31 c0 e8 85 cc 1b 02 <0f> 0b 48 c7 c7 a0 44 d6 85 e8 94 f2 19 00 0f 1f 40 00 55 48 89 e5
RSP: 0018:ffffc90000160b30 EFLAGS: 00010046
RAX: 0000000000000075 RBX: ffff8881f7055228 RCX: 4e6d3c802d56a700
RDX: 0000000000000302 RSI: 0000000000000302 RDI: 0000000000000000
RBP: ffffc90000160b58 R08: ffffffff815145c8 R09: fffff5200002c133
R10: fffff5200002c133 R11: 1ffff9200002c132 R12: ffff88811ef30470
R13: dffffc0000000000 R14: ffff8881f7055220 R15: ffffe8ffffc13550
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5ac15cc000 CR3: 0000000110c83000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
0: da 17 ficoml (%rdi)
2: 00 48 c7 add %cl,-0x39(%rax)
5: c7 00 0a b9 85 48 movl $0x4885b90a,(%rax)
b: 89 de mov %ebx,%esi
d: e8 51 7f 08 01 callq 0x1087f63
12: f6 c3 01 test $0x1,%bl
15: 75 de jne 0xfffffff5
17: e8 b7 da 17 00 callq 0x17dad3
1c: e8 72 70 00 00 callq 0x7093
21: 4c 89 75 a0 mov %r14,-0x60(%rbp)
25: ff 75 a0 pushq -0x60(%rbp)
28: 9d popfq
* 29: e9 d9 fe ff ff jmpq 0xffffff07 <-- trapping instruction
2e: e8 a0 da 17 00 callq 0x17dad3
33: eb 05 jmp 0x3a
35: e8 99 da 17 00 callq 0x17dad3
3a: 45 89 ef mov %r13d,%r15d
3d: 48 rex.W
3e: c7 .byte 0xc7