syzbot

 sign-in | mailing list | source | docs
🐞 Open [832]
🐞 Fixed [87]
🐞 Invalid [1215]
Missing Backports [132]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in rose_timer_expiry

Status: upstream: reported on 2025/05/02 15:02
Reported-by: syzbot+3373ecf7f0857d6eb397@syzkaller.appspotmail.com
First crash: 282d, last: 8h48m
Similar bugs (5)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-use-after-free Read in rose_timer_expiry (3) hams 19 6059 158d 265d 29/29 fixed on 2025/10/09 01:14
upstream KASAN: slab-use-after-free Read in rose_timer_expiry (2) hams 19 158 270d 394d 28/29 fixed on 2025/05/14 23:24
linux-6.1 KASAN: use-after-free Read in rose_timer_expiry 19 269 157d 281d 0/3 auto-obsoleted due to no activity on 2025/11/13 09:51
upstream KASAN: slab-use-after-free Read in rose_timer_expiry hams 19 5 634d 645d 0/29 closed as invalid on 2024/06/04 18:05
linux-6.6 KASAN: slab-use-after-free Read in rose_timer_expiry 19 130 159d 214d 0/2 auto-obsoleted due to no activity on 2025/11/11 19:12

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in rose_timer_expiry+0x470/0x490 net/rose/rose_timer.c:183
Read of size 2 at addr ffff88805e7a602a by task syz.3.357/6017

CPU: 1 PID: 6017 Comm: syz.3.357 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
 <IRQ>
 dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 rose_timer_expiry+0x470/0x490 net/rose/rose_timer.c:183
 call_timer_fn+0x17b/0x540 kernel/time/timer.c:1451
 expire_timers kernel/time/timer.c:1496 [inline]
 __run_timers+0x53a/0x7f0 kernel/time/timer.c:1767
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1780
 handle_softirqs+0x339/0x830 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 invoke_softirq kernel/softirq.c:450 [inline]
 __irq_exit_rcu+0x13b/0x230 kernel/softirq.c:659
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:161 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xbc/0x120 kernel/locking/spinlock.c:194
Code: c7 44 24 20 00 00 00 00 9c 8f 44 24 20 f7 44 24 20 00 02 00 00 41 c6 04 07 f8 75 4b f7 c3 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> 2f da 8c f7 65 8b 05 d0 e7 3c 76 85 c0 74 3c 48 c7 04 24 0e 36
RSP: 0018:ffffc90003f0f5c0 EFLAGS: 00000206
RAX: dffffc0000000004 RBX: 0000000000000a06 RCX: e2b7ff4d61f88c00
RDX: dffffc0000000000 RSI: ffffffff8a2b2780 RDI: 0000000000000001
RBP: ffffc90003f0f650 R08: ffffffff901d2177 R09: 1ffffffff203a42e
R10: dffffc0000000000 R11: fffffbfff203a42f R12: dffffc0000000000
R13: 0000000000000000 R14: ffff88807e537ec0 R15: 1ffff920007e1eb8
 spin_unlock_irqrestore include/linux/spinlock.h:419 [inline]
 __wake_up_common_lock kernel/sched/wait.c:140 [inline]
 __wake_up_sync_key+0x128/0x190 kernel/sched/wait.c:205
 __unix_dgram_recvmsg+0x4c0/0xd90 net/unix/af_unix.c:2342
 ____sys_recvmsg+0x2cd/0x5e0 net/socket.c:-1
 ___sys_recvmsg+0x21a/0x5c0 net/socket.c:2706
 do_recvmmsg+0x382/0x850 net/socket.c:2800
 __sys_recvmmsg net/socket.c:2879 [inline]
 __do_sys_recvmmsg net/socket.c:2902 [inline]
 __se_sys_recvmmsg net/socket.c:2895 [inline]
 __x64_sys_recvmmsg+0x195/0x250 net/socket.c:2895
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fda860d6eb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fda84311028 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007fda86352090 RCX: 00007fda860d6eb9
RDX: 00000000080002c1 RSI: 0000200000000040 RDI: 0000000000000003
RBP: 00007fda86144c1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fda86352128 R14: 00007fda86352090 R15: 00007fff283dd388
 </TASK>

Allocated by task 4307:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc+0xb5/0xf0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:607 [inline]
 rose_add_node+0x227/0xdb0 net/rose/rose_route.c:85
 rose_rt_ioctl+0xa2b/0xe70 net/rose/rose_route.c:738
 rose_ioctl+0x2a7/0x7d0 net/rose/af_rose.c:1372
 sock_do_ioctl+0xfb/0x320 net/socket.c:1147
 sock_ioctl+0x4d2/0x710 net/socket.c:1266
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xfa/0x170 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

The buggy address belongs to the object at ffff88805e7a6000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 42 bytes inside of
 512-byte region [ffff88805e7a6000, ffff88805e7a6200)
The buggy address belongs to the page:
page:ffffea000179e900 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88805e7a4800 pfn:0x5e7a4
head:ffffea000179e900 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0001848108 ffffea00017a6a08 ffff888016c41c80
raw: ffff88805e7a4800 0000000000100008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 7, ts 66192095225, free_ts 17306081534
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x1bbd/0x1ca0 mm/page_alloc.c:4192
 __alloc_pages+0x1ee/0x480 mm/page_alloc.c:5487
 alloc_slab_page mm/slub.c:1780 [inline]
 allocate_slab mm/slub.c:1917 [inline]
 new_slab+0xc0/0x4b0 mm/slub.c:1980
 ___slab_alloc+0x80a/0xdd0 mm/slub.c:3013
 __slab_alloc mm/slub.c:3100 [inline]
 slab_alloc_node mm/slub.c:3191 [inline]
 __kmalloc_node_track_caller+0x1fc/0x3a0 mm/slub.c:4963
 kmalloc_reserve net/core/skbuff.c:356 [inline]
 __alloc_skb+0x22c/0x750 net/core/skbuff.c:427
 alloc_skb include/linux/skbuff.h:1162 [inline]
 ndisc_alloc_skb+0xa6/0x420 net/ipv6/ndisc.c:422
 ndisc_send_rs+0x291/0x730 net/ipv6/ndisc.c:691
 addrconf_dad_completed+0x75d/0xc80 net/ipv6/addrconf.c:4275
 addrconf_dad_work+0xc8c/0x1540 net/ipv6/addrconf.c:-1
 process_one_work+0x85f/0x1010 kernel/workqueue.c:2310
 worker_thread+0xaa6/0x1290 kernel/workqueue.c:2457
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
 free_unref_page+0x8f/0x2a0 mm/page_alloc.c:3396
 free_contig_range+0x96/0xf0 mm/page_alloc.c:9414
 destroy_args+0xf0/0xa00 mm/debug_vm_pgtable.c:1018
 debug_vm_pgtable+0x321/0x380 mm/debug_vm_pgtable.c:1336
 do_one_initcall+0x272/0x730 init/main.c:1316
 do_initcall_level+0x137/0x1f0 init/main.c:1389
 do_initcalls+0x4b/0x90 init/main.c:1405
 kernel_init_freeable+0x3e9/0x570 init/main.c:1629
 kernel_init+0x19/0x1b0 init/main.c:1520
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

Memory state around the buggy address:
 ffff88805e7a5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88805e7a5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88805e7a6000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff88805e7a6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88805e7a6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:	c7 44 24 20 00 00 00 	movl   $0x0,0x20(%rsp)
   7:	00
   8:	9c                   	pushf
   9:	8f 44 24 20          	pop    0x20(%rsp)
   d:	f7 44 24 20 00 02 00 	testl  $0x200,0x20(%rsp)
  14:	00
  15:	41 c6 04 07 f8       	movb   $0xf8,(%r15,%rax,1)
  1a:	75 4b                	jne    0x67
  1c:	f7 c3 00 02 00 00    	test   $0x200,%ebx
  22:	74 01                	je     0x25
  24:	fb                   	sti
  25:	bf 01 00 00 00       	mov    $0x1,%edi
* 2a:	e8 2f da 8c f7       	call   0xf78cda5e <-- trapping instruction
  2f:	65 8b 05 d0 e7 3c 76 	mov    %gs:0x763ce7d0(%rip),%eax        # 0x763ce806
  36:	85 c0                	test   %eax,%eax
  38:	74 3c                	je     0x76
  3a:	48                   	rex.W
  3b:	c7                   	.byte 0xc7
  3c:	04 24                	add    $0x24,%al
  3e:	0e                   	(bad)
  3f:	36                   	ss

Crashes (370):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/02/08 11:03 linux-5.15.y 7b232985052f 4c131dc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/02/08 02:45 linux-5.15.y 7b232985052f 4c131dc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/02/07 11:34 linux-5.15.y 7b232985052f f20fc9f9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/02/07 07:09 linux-5.15.y 7b232985052f f20fc9f9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/02/07 05:10 linux-5.15.y 7b232985052f f20fc9f9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/02/06 21:51 linux-5.15.y 7b232985052f 97745f52 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/02/06 06:49 linux-5.15.y 9eec9a14ee10 f03c4191 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/02/03 02:52 linux-5.15.y 9eec9a14ee10 d78927dd .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/02/02 14:40 linux-5.15.y 9eec9a14ee10 018ebef2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/01/31 17:19 linux-5.15.y 9eec9a14ee10 afc0c4d4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/01/30 17:05 linux-5.15.y 9eec9a14ee10 ae7dc18c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/01/29 06:29 linux-5.15.y 9eec9a14ee10 0adc945e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/01/26 08:45 linux-5.15.y 9eec9a14ee10 55756628 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/01/26 07:15 linux-5.15.y 9eec9a14ee10 55756628 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/01/26 04:21 linux-5.15.y 9eec9a14ee10 55756628 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/01/26 02:04 linux-5.15.y 9eec9a14ee10 55756628 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/01/24 04:05 linux-5.15.y 9eec9a14ee10 4f25b9b4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/01/23 05:04 linux-5.15.y 9eec9a14ee10 82c9c083 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/01/22 03:58 linux-5.15.y 9eec9a14ee10 8fc37797 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/01/22 02:16 linux-5.15.y 9eec9a14ee10 8fc37797 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/01/20 19:33 linux-5.15.y 9eec9a14ee10 06648d9c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/01/20 17:53 linux-5.15.y 9eec9a14ee10 06648d9c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/01/20 08:39 linux-5.15.y 9eec9a14ee10 572effc1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/01/20 06:09 linux-5.15.y 9eec9a14ee10 572effc1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2026/01/19 04:49 linux-5.15.y 68efe5a6c16a 20d37d28 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/12/10 11:53 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/12/07 07:11 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/11/27 11:08 linux-5.15.y cc5ec8769306 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/11/27 09:37 linux-5.15.y cc5ec8769306 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/11/27 01:33 linux-5.15.y cc5ec8769306 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/11/26 20:16 linux-5.15.y cc5ec8769306 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/11/24 17:18 linux-5.15.y cc5ec8769306 bf6fe8fe .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/11/22 02:49 linux-5.15.y cc5ec8769306 4fb8ef37 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/11/21 04:35 linux-5.15.y cc5ec8769306 2cc4c24a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/11/20 22:41 linux-5.15.y cc5ec8769306 2cc4c24a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/11/20 21:13 linux-5.15.y cc5ec8769306 2cc4c24a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/11/18 13:57 linux-5.15.y cc5ec8769306 ef766cd7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/11/18 13:47 linux-5.15.y cc5ec8769306 ef766cd7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/11/12 22:21 linux-5.15.y cc5ec8769306 07e030de .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/11/11 08:38 linux-5.15.y cc5ec8769306 4e1406b4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/11/09 18:58 linux-5.15.y cc5ec8769306 4e1406b4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/11/05 14:38 linux-5.15.y cc5ec8769306 a6c9c731 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/11/04 22:43 linux-5.15.y cc5ec8769306 686bf657 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/11/03 02:32 linux-5.15.y cc5ec8769306 2c50b6a9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/10/30 12:39 linux-5.15.y cc5ec8769306 fd2207e7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/05/02 15:02 linux-5.15.y 16fdf2c7111b d7f099d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in rose_timer_expiry
2025/08/19 09:11 linux-5.15.y c79648372d02 523f460e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: use-after-free Read in rose_timer_expiry
* Struck through repros no longer work on HEAD.