==================================================================
BUG: KASAN: use-after-free in tcp_probe_timer net/ipv4/tcp_timer.c:380 [inline]
BUG: KASAN: use-after-free in tcp_write_timer_handler+0x876/0x9a0 net/ipv4/tcp_timer.c:659
Read of size 1 at addr ffff888075805615 by task syz.8.5543/24386
CPU: 1 PID: 24386 Comm: syz.8.5543 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<IRQ>
dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106
print_address_description+0x60/0x2d0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0xdf/0x130 mm/kasan/report.c:451
tcp_probe_timer net/ipv4/tcp_timer.c:380 [inline]
tcp_write_timer_handler+0x876/0x9a0 net/ipv4/tcp_timer.c:659
tcp_write_timer+0x126/0x280 net/ipv4/tcp_timer.c:675
call_timer_fn+0x17b/0x540 kernel/time/timer.c:1648
expire_timers kernel/time/timer.c:1699 [inline]
__run_timers+0x53e/0x800 kernel/time/timer.c:1970
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1983
handle_softirqs+0x339/0x830 kernel/softirq.c:576
__do_softirq kernel/softirq.c:610 [inline]
invoke_softirq kernel/softirq.c:450 [inline]
__irq_exit_rcu+0x13b/0x230 kernel/softirq.c:659
irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline]
RIP: 0010:arch_local_irq_save arch/x86/include/asm/irqflags.h:106 [inline]
RIP: 0010:lock_is_held_type+0x61/0x190 kernel/locking/lockdep.c:5662
Code: 0f 85 f4 00 00 00 65 48 8b 1d 4b 44 46 76 83 bb ec 0a 00 00 00 0f 85 df 00 00 00 41 89 f7 49 89 fe 48 c7 04 24 00 00 00 00 9c <8f> 04 24 4c 8b 2c 24 fa 48 c7 c7 80 35 2b 8a e8 4b 0e 00 00 65 ff
RSP: 0018:ffffc9000308f770 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff88801e0ed940 RCX: 4b32dc2084947800
RDX: ffffc90006181000 RSI: 00000000ffffffff RDI: ffffffff8c31eaa0
RBP: 00000000ffffffff R08: dffffc0000000000 R09: 1ffffffff203a618
R10: dffffc0000000000 R11: fffffbfff203a619 R12: dffffc0000000000
R13: 1ffff92000611efc R14: ffffffff8c31eaa0 R15: 00000000ffffffff
task_css include/linux/cgroup.h:496 [inline]
mem_cgroup_from_task+0x96/0x110 mm/memcontrol.c:935
count_memcg_event_mm+0x164/0x370 include/linux/memcontrol.h:1080
handle_mm_fault+0x134/0x4410 mm/memory.c:4863
do_user_addr_fault+0x489/0xc80 arch/x86/mm/fault.c:1355
handle_page_fault arch/x86/mm/fault.c:1443 [inline]
exc_page_fault+0x60/0x100 arch/x86/mm/fault.c:1496
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:606
RIP: 0010:copy_user_enhanced_fast_string+0xe/0x40 arch/x86/lib/copy_user_64.S:206
Code: 89 d1 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 31 c0 0f 01 ca c3 90 90 90 90 90 90 90 0f 01 cb 83 fa 40 0f 82 70 ff ff ff 89 d1 <f3> a4 31 c0 0f 01 ca c3 90 90 90 90 90 90 90 90 90 90 89 d1 83 f8
RSP: 0018:ffffc9000308fbe0 EFLAGS: 00050206
RAX: ffffffff83e3cf01 RBX: 000000000000ffd0 RCX: 00000000000011f0
RDX: 000000000000ffd0 RSI: 000020000012f000 RDI: ffff88802f80ede0
RBP: 0000000000000000 R08: ffff88802f80ffcf R09: 1ffff11005f01ff9
R10: dffffc0000000000 R11: ffffed1005f01ffa R12: 00007ffffffff000
R13: 00002000001301f0 R14: ffff88802f800000 R15: 0000200000120220
copy_user_generic arch/x86/include/asm/uaccess_64.h:37 [inline]
raw_copy_from_user arch/x86/include/asm/uaccess_64.h:52 [inline]
_copy_from_user+0xfa/0x170 lib/usercopy.c:23
copy_from_user include/linux/uaccess.h:192 [inline]
generic_map_update_batch+0x4d5/0x7d0 kernel/bpf/syscall.c:1427
bpf_map_do_batch+0x466/0x600 kernel/bpf/syscall.c:-1
__sys_bpf+0x671/0x6f0 kernel/bpf/syscall.c:-1
__do_sys_bpf kernel/bpf/syscall.c:4761 [inline]
__se_sys_bpf kernel/bpf/syscall.c:4759 [inline]
__x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4759
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fa64d9d7629
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa64bc31028 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fa64dc50fa0 RCX: 00007fa64d9d7629
RDX: 0000000000000038 RSI: 0000200000000200 RDI: 000000000000001a
RBP: 00007fa64da6db39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa64dc51038 R14: 00007fa64dc50fa0 R15: 00007fff374618f8
</TASK>
Allocated by task 13337:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x9c/0xd0 mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook+0x4c/0x380 mm/slab.h:519
slab_alloc_node mm/slub.c:3225 [inline]
slab_alloc mm/slub.c:3233 [inline]
kmem_cache_alloc+0x100/0x290 mm/slub.c:3238
kmem_cache_zalloc include/linux/slab.h:728 [inline]
net_alloc net/core/net_namespace.c:418 [inline]
copy_net_ns+0x13c/0x5b0 net/core/net_namespace.c:490
create_new_namespaces+0x3d3/0x6f0 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0x116/0x160 kernel/nsproxy.c:226
ksys_unshare+0x4ca/0x8b0 kernel/fork.c:3175
__do_sys_unshare kernel/fork.c:3249 [inline]
__se_sys_unshare kernel/fork.c:3247 [inline]
__x64_sys_unshare+0x34/0x40 kernel/fork.c:3247
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
The buggy address belongs to the object at ffff888075804f80
which belongs to the cache net_namespace of size 6528
The buggy address is located 1685 bytes inside of
6528-byte region [ffff888075804f80, ffff888075806900)
The buggy address belongs to the page:
page:ffffea0001d60000 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888075800000 pfn:0x75800
head:ffffea0001d60000 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff88802571a301
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0001d6ca00 0000000200000002 ffff888016de93c0
raw: ffff888075800000 0000000080040002 00000001ffffffff ffff88802571a301
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 9630, ts 210014096223, free_ts 209952310426
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x1bbd/0x1ca0 mm/page_alloc.c:4192
__alloc_pages+0x1ee/0x480 mm/page_alloc.c:5487
alloc_slab_page mm/slub.c:1780 [inline]
allocate_slab mm/slub.c:1917 [inline]
new_slab+0xc0/0x4b0 mm/slub.c:1980
___slab_alloc+0x80a/0xdd0 mm/slub.c:3013
__slab_alloc mm/slub.c:3100 [inline]
slab_alloc_node mm/slub.c:3191 [inline]
slab_alloc mm/slub.c:3233 [inline]
kmem_cache_alloc+0x195/0x290 mm/slub.c:3238
kmem_cache_zalloc include/linux/slab.h:728 [inline]
net_alloc net/core/net_namespace.c:418 [inline]
copy_net_ns+0x13c/0x5b0 net/core/net_namespace.c:490
create_new_namespaces+0x3d3/0x6f0 kernel/nsproxy.c:110
copy_namespaces+0x37d/0x3e0 kernel/nsproxy.c:178
copy_process+0x1834/0x3e20 kernel/fork.c:2293
kernel_clone+0x23f/0x990 kernel/fork.c:2679
__do_sys_clone kernel/fork.c:2796 [inline]
__se_sys_clone kernel/fork.c:2780 [inline]
__x64_sys_clone+0x19a/0x210 kernel/fork.c:2780
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1340 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
free_unref_page+0x8f/0x2a0 mm/page_alloc.c:3396
qlist_free_all+0x35/0x90 mm/kasan/quarantine.c:176
kasan_quarantine_reduce+0x150/0x160 mm/kasan/quarantine.c:283
__kasan_slab_alloc+0x2f/0xd0 mm/kasan/common.c:444
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook+0x4c/0x380 mm/slab.h:519
slab_alloc_node mm/slub.c:3225 [inline]
slab_alloc mm/slub.c:3233 [inline]
kmem_cache_alloc+0x100/0x290 mm/slub.c:3238
__d_alloc+0x2a/0x6f0 fs/dcache.c:1749
d_alloc_pseudo+0x19/0x70 fs/dcache.c:1880
alloc_file_pseudo+0xe0/0x200 fs/file_table.c:256
__anon_inode_getfile fs/anon_inodes.c:109 [inline]
__anon_inode_getfd+0x26b/0x3d0 fs/anon_inodes.c:165
__btf_new_fd kernel/bpf/btf.c:5912 [inline]
btf_new_fd+0x779/0x910 kernel/bpf/btf.c:5939
__sys_bpf+0x58c/0x6f0 kernel/bpf/syscall.c:4702
__do_sys_bpf kernel/bpf/syscall.c:4761 [inline]
__se_sys_bpf kernel/bpf/syscall.c:4759 [inline]
__x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4759
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
Memory state around the buggy address:
ffff888075805500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888075805580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888075805600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888075805680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888075805700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: 0f 85 f4 00 00 00 jne 0xfa
6: 65 48 8b 1d 4b 44 46 mov %gs:0x7646444b(%rip),%rbx # 0x76464459
d: 76
e: 83 bb ec 0a 00 00 00 cmpl $0x0,0xaec(%rbx)
15: 0f 85 df 00 00 00 jne 0xfa
1b: 41 89 f7 mov %esi,%r15d
1e: 49 89 fe mov %rdi,%r14
21: 48 c7 04 24 00 00 00 movq $0x0,(%rsp)
28: 00
29: 9c pushf
* 2a: 8f 04 24 pop (%rsp) <-- trapping instruction
2d: 4c 8b 2c 24 mov (%rsp),%r13
31: fa cli
32: 48 c7 c7 80 35 2b 8a mov $0xffffffff8a2b3580,%rdi
39: e8 4b 0e 00 00 call 0xe89
3e: 65 gs
3f: ff .byte 0xff