syzbot

KASAN: use-after-free Read in tcp_write_timer_handler (2)

Status: upstream: reported on 2026/01/05 20:49
Reported-by: syzbot+8b2b7809c34e65a99a5b@syzkaller.appspotmail.com
First crash: 8d16h, last: 8d16h
Similar bugs (9)

Kernel     | Title                                                        | Rank | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
-----------|--------------------------------------------------------------|------|-------|--------------|------------|-------|-------|----------|---------|-----------------------------------------------------
linux-4.14 | KASAN: use-after-free Read in tcp_write_timer_handler        | 19   |       |              |            | 1     | 2217d | 2217d    | 0/1     | auto-closed as invalid on 2020/04/17 21:22
upstream   | KASAN: use-after-free Read in tcp_write_timer_handler net    | 19   |       |              |            | 6     | 2496d | 2559d    | 0/29    | closed as invalid on 2019/04/19 22:15
linux-4.19 | KASAN: use-after-free Read in tcp_write_timer_handler        | 19   |       |              |            | 1     | 1910d | 1910d    | 0/1     | auto-closed as invalid on 2021/02/18 23:19
upstream   | KASAN: use-after-free Read in tcp_write_timer_handler (2) net | 19  |       |              |            | 5     | 2457d | 2459d    | 0/29    | closed as invalid on 2019/05/15 23:07
upstream   | KASAN: use-after-free Read in tcp_write_timer_handler (3) net | 19  |       |              |            | 82    | 2309d | 2371d    | 0/29    | auto-closed as invalid on 2019/12/04 07:54
linux-5.15 | KASAN: use-after-free Read in tcp_write_timer_handler origin:upstream | 19 | C | error    |            | 234   | 519d  | 1042d    | 0/3     | auto-obsoleted due to no activity on 2024/10/22 01:47
linux-6.1  | KASAN: use-after-free Read in tcp_write_timer_handler        | 19   |       |              |            | 140   | 616d  | 1043d    | 0/3     | auto-obsoleted due to no activity on 2024/07/16 13:06
linux-4.19 | KASAN: use-after-free Read in tcp_write_timer_handler (2)    | 19   |       |              |            | 12    | 1204d | 1719d    | 0/1     | auto-obsoleted due to no activity on 2023/01/25 19:39
upstream   | KASAN: use-after-free Read in tcp_write_timer_handler (4) net | 19  |       |              |            | 529   | 1127d | 2154d    | 0/29    | closed as invalid on 2023/03/21 22:54

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in tcp_probe_timer net/ipv4/tcp_timer.c:380 [inline]
BUG: KASAN: use-after-free in tcp_write_timer_handler+0x876/0x9a0 net/ipv4/tcp_timer.c:659
Read of size 1 at addr ffff88807e73bb95 by task syz.2.1765/10931

CPU: 1 PID: 10931 Comm: syz.2.1765 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <IRQ>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 tcp_probe_timer net/ipv4/tcp_timer.c:380 [inline]
 tcp_write_timer_handler+0x876/0x9a0 net/ipv4/tcp_timer.c:659
 tcp_write_timer+0x126/0x280 net/ipv4/tcp_timer.c:675
 call_timer_fn+0x16c/0x530 kernel/time/timer.c:1451
 expire_timers kernel/time/timer.c:1496 [inline]
 __run_timers+0x525/0x7c0 kernel/time/timer.c:1767
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1780
 handle_softirqs+0x328/0x820 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 invoke_softirq kernel/softirq.c:450 [inline]
 __irq_exit_rcu+0x12f/0x220 kernel/softirq.c:659
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:lock_acquire+0x1f2/0x3f0 kernel/locking/lockdep.c:5627
Code: 00 9c 8f 84 24 80 00 00 00 f6 84 24 81 00 00 00 02 0f 85 f6 00 00 00 41 f7 c6 00 02 00 00 74 01 fb 48 c7 44 24 60 0e 36 e0 45 <4b> c7 44 3d 00 00 00 00 00 66 43 c7 44 3d 09 00 00 43 c6 44 3d 0b
RSP: 0018:ffffc900035cf620 EFLAGS: 00000206
RAX: 0000000000000001 RBX: 0000000000000000 RCX: add26474fa0ed800
RDX: 0000000000000000 RSI: ffffffff8a0b2e80 RDI: ffffffff8a59e800
RBP: ffffc900035cf740 R08: dffffc0000000000 R09: fffffbfff1ff5419
R10: fffffbfff1ff5419 R11: 1ffffffff1ff5418 R12: ffffffff8c11c720
R13: 1ffff920006b9ed0 R14: 0000000000000246 R15: dffffc0000000000
 rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:313
 rcu_read_lock include/linux/rcupdate.h:740 [inline]
 inet_twsk_purge+0x119/0x810 net/ipv4/inet_timewait_sock.c:268
 ops_exit_list net/core/net_namespace.c:177 [inline]
 setup_net+0x822/0x9f0 net/core/net_namespace.c:365
 copy_net_ns+0x348/0x5b0 net/core/net_namespace.c:503
 create_new_namespaces+0x3d3/0x6f0 kernel/nsproxy.c:110
 copy_namespaces+0x37d/0x3e0 kernel/nsproxy.c:178
 copy_process+0x180f/0x3e00 kernel/fork.c:2293
 kernel_clone+0x219/0x930 kernel/fork.c:2679
 __do_sys_clone kernel/fork.c:2796 [inline]
 __se_sys_clone kernel/fork.c:2780 [inline]
 __x64_sys_clone+0x170/0x1c0 kernel/fork.c:2780
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f4030ccc749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f402ef32fe8 EFLAGS: 00000206 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007f4030f22fa0 RCX: 00007f4030ccc749
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000
RBP: 00007f4030d50f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 00007f4030f23038 R14: 00007f4030f22fa0 R15: 00007ffe91d6ec08
 </TASK>

Allocated by task 5507:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x9c/0xd0 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook+0x4c/0x380 mm/slab.h:519
 slab_alloc_node mm/slub.c:3225 [inline]
 slab_alloc mm/slub.c:3233 [inline]
 kmem_cache_alloc+0x100/0x290 mm/slub.c:3238
 kmem_cache_zalloc include/linux/slab.h:728 [inline]
 net_alloc net/core/net_namespace.c:418 [inline]
 copy_net_ns+0x13c/0x5b0 net/core/net_namespace.c:490
 create_new_namespaces+0x3d3/0x6f0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x116/0x160 kernel/nsproxy.c:226
 ksys_unshare+0x4bc/0x890 kernel/fork.c:3175
 __do_sys_unshare kernel/fork.c:3249 [inline]
 __se_sys_unshare kernel/fork.c:3247 [inline]
 __x64_sys_unshare+0x34/0x40 kernel/fork.c:3247
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Freed by task 9162:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0xd5/0x110 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1710 [inline]
 slab_free_freelist_hook+0xea/0x170 mm/slub.c:1736
 slab_free mm/slub.c:3504 [inline]
 kmem_cache_free+0x8f/0x210 mm/slub.c:3520
 net_complete_free net/core/net_namespace.c:454 [inline]
 cleanup_net+0x871/0xb80 net/core/net_namespace.c:648
 process_one_work+0x863/0x1000 kernel/workqueue.c:2310
 worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

The buggy address belongs to the object at ffff88807e73b500
 which belongs to the cache net_namespace of size 6528
The buggy address is located 1685 bytes inside of
 6528-byte region [ffff88807e73b500, ffff88807e73ce80)
The buggy address belongs to the page:
page:ffffea0001f9ce00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e738
head:ffffea0001f9ce00 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff88802a2894c1
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff8880169e93c0
raw: 0000000000000000 0000000080040004 00000001ffffffff ffff88802a2894c1
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5172, ts 89601510259, free_ts 89541940851
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x1b77/0x1c60 mm/page_alloc.c:4192
 __alloc_pages+0x1e1/0x470 mm/page_alloc.c:5487
 alloc_slab_page mm/slub.c:1780 [inline]
 allocate_slab mm/slub.c:1917 [inline]
 new_slab+0xc0/0x4b0 mm/slub.c:1980
 ___slab_alloc+0x81e/0xdf0 mm/slub.c:3013
 __slab_alloc mm/slub.c:3100 [inline]
 slab_alloc_node mm/slub.c:3191 [inline]
 slab_alloc mm/slub.c:3233 [inline]
 kmem_cache_alloc+0x195/0x290 mm/slub.c:3238
 kmem_cache_zalloc include/linux/slab.h:728 [inline]
 net_alloc net/core/net_namespace.c:418 [inline]
 copy_net_ns+0x13c/0x5b0 net/core/net_namespace.c:490
 create_new_namespaces+0x3d3/0x6f0 kernel/nsproxy.c:110
 copy_namespaces+0x37d/0x3e0 kernel/nsproxy.c:178
 copy_process+0x180f/0x3e00 kernel/fork.c:2293
 kernel_clone+0x219/0x930 kernel/fork.c:2679
 __do_sys_clone kernel/fork.c:2796 [inline]
 __se_sys_clone kernel/fork.c:2780 [inline]
 __x64_sys_clone+0x170/0x1c0 kernel/fork.c:2780
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
 free_unref_page+0x94/0x280 mm/page_alloc.c:3396
 free_slab mm/slub.c:2020 [inline]
 discard_slab mm/slub.c:2026 [inline]
 __unfreeze_partials+0x1a5/0x200 mm/slub.c:2512
 put_cpu_partial+0x12d/0x190 mm/slub.c:2592
 qlist_free_all+0x35/0x90 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x150/0x160 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x2f/0xd0 mm/kasan/common.c:444
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook+0x4c/0x380 mm/slab.h:519
 slab_alloc_node mm/slub.c:3225 [inline]
 slab_alloc mm/slub.c:3233 [inline]
 __kmalloc+0x127/0x330 mm/slub.c:4408
 kmalloc_array include/linux/slab.h:647 [inline]
 bpf_check+0x96f6/0xf090 kernel/bpf/verifier.c:14198
 bpf_prog_load+0x1043/0x1550 kernel/bpf/syscall.c:2354
 __sys_bpf+0x4c2/0x670 kernel/bpf/syscall.c:4657
 __do_sys_bpf kernel/bpf/syscall.c:4761 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4759 [inline]
 __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4759
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Memory state around the buggy address:
 ffff88807e73ba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807e73bb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807e73bb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff88807e73bc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807e73bc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:	00 9c 8f 84 24 80 00 	add    %bl,0x802484(%rdi,%rcx,4)
   7:	00 00                	add    %al,(%rax)
   9:	f6 84 24 81 00 00 00 	testb  $0x2,0x81(%rsp)
  10:	02
  11:	0f 85 f6 00 00 00    	jne    0x10d
  17:	41 f7 c6 00 02 00 00 	test   $0x200,%r14d
  1e:	74 01                	je     0x21
  20:	fb                   	sti
  21:	48 c7 44 24 60 0e 36 	movq   $0x45e0360e,0x60(%rsp)
  28:	e0 45
* 2a:	4b c7 44 3d 00 00 00 	movq   $0x0,0x0(%r13,%r15,1) <-- trapping instruction
  31:	00 00
  33:	66 43 c7 44 3d 09 00 	movw   $0x0,0x9(%r13,%r15,1)
  3a:	00
  3b:	43                   	rex.XB
  3c:	c6                   	.byte 0xc6
  3d:	44                   	rex.R
  3e:	3d                   	.byte 0x3d
  3f:	0b                   	.byte 0xb

Crashes (1):

Time             | Kernel       | Commit       | Syzkaller | Config  | Log         | Report | Syz repro | C repro | VM info | Assets                                   | Manager                   | Title
-----------------|--------------|--------------|-----------|---------|-------------|--------|-----------|---------|---------|------------------------------------------|---------------------------|------------------------------------------------------
2026/01/05 20:48 | linux-5.15.y | 68efe5a6c16a | d6526ea3  | .config | console log | report |           |         | info    | [disk image] [vmlinux] [kernel image]    | ci2-linux-5-15-kasan-perf | KASAN: use-after-free Read in tcp_write_timer_handler