syzbot

==================================================================
BUG: KASAN: use-after-free in rose_timer_expiry+0x470/0x490 net/rose/rose_timer.c:183
Read of size 2 at addr ffff8880788fa82a by task syz.5.665/7248

CPU: 1 PID: 7248 Comm: syz.5.665 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <IRQ>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 rose_timer_expiry+0x470/0x490 net/rose/rose_timer.c:183
 call_timer_fn+0x16c/0x530 kernel/time/timer.c:1451
 expire_timers kernel/time/timer.c:1496 [inline]
 __run_timers+0x525/0x7c0 kernel/time/timer.c:1767
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1780
 handle_softirqs+0x328/0x820 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 invoke_softirq kernel/softirq.c:450 [inline]
 __irq_exit_rcu+0x12f/0x220 kernel/softirq.c:659
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:161 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xa5/0x100 kernel/locking/spinlock.c:194
Code: 74 05 e8 6e 8d cb f7 48 c7 44 24 20 00 00 00 00 9c 8f 44 24 20 f6 44 24 21 02 75 4b f7 c3 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> 26 16 9f f7 65 8b 05 27 14 50 76 85 c0 74 3c 48 c7 04 24 0e 36
RSP: 0018:ffffc90003a875c0 EFLAGS: 00000206
RAX: 1387fa4faaafd300 RBX: 0000000000000a06 RCX: 1387fa4faaafd300
RDX: dffffc0000000000 RSI: ffffffff8a0b1620 RDI: 0000000000000001
RBP: ffffc90003a87650 R08: dffffc0000000000 R09: fffffbfff1ff762f
R10: fffffbfff1ff762f R11: 1ffffffff1ff762e R12: dffffc0000000000
R13: 0000000000000000 R14: ffff88807828d6c0 R15: 1ffff92000750eb8
 spin_unlock_irqrestore include/linux/spinlock.h:418 [inline]
 __wake_up_common_lock kernel/sched/wait.c:140 [inline]
 __wake_up_sync_key+0x11b/0x180 kernel/sched/wait.c:205
 __unix_dgram_recvmsg+0x497/0xd50 net/unix/af_unix.c:2342
 ____sys_recvmsg+0x291/0x580 net/socket.c:-1
 ___sys_recvmsg+0x1af/0x4f0 net/socket.c:2697
 do_recvmmsg+0x344/0x7a0 net/socket.c:2791
 __sys_recvmmsg net/socket.c:2870 [inline]
 __do_sys_recvmmsg net/socket.c:2893 [inline]
 __se_sys_recvmmsg net/socket.c:2886 [inline]
 __x64_sys_recvmmsg+0x18d/0x240 net/socket.c:2886
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f1b4b074be9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1b492bb038 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007f1b4b2ac090 RCX: 00007f1b4b074be9
RDX: 0000000000010106 RSI: 00002000000000c0 RDI: 0000000000000005
RBP: 00007f1b4b0f7e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f1b4b2ac128 R14: 00007f1b4b2ac090 R15: 00007ffe32265778
 </TASK>

Allocated by task 20:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc+0xb5/0xf0 mm/kasan/common.c:522
 kmalloc_reserve net/core/skbuff.c:356 [inline]
 __alloc_skb+0x22c/0x750 net/core/skbuff.c:427
 __napi_alloc_skb+0x151/0x2d0 net/core/skbuff.c:568
 napi_alloc_skb include/linux/skbuff.h:3081 [inline]
 page_to_skb+0x26a/0xcf0 drivers/net/virtio_net.c:474
 receive_mergeable drivers/net/virtio_net.c:1102 [inline]
 receive_buf+0x141b/0x5770 drivers/net/virtio_net.c:1212
 virtnet_receive drivers/net/virtio_net.c:1504 [inline]
 virtnet_poll+0x546/0xef0 drivers/net/virtio_net.c:1617
 __napi_poll+0xc0/0x430 net/core/dev.c:7075
 napi_poll net/core/dev.c:7142 [inline]
 net_rx_action+0x4a8/0x9c0 net/core/dev.c:7232
 handle_softirqs+0x328/0x820 kernel/softirq.c:576
 run_ksoftirqd+0x98/0xf0 kernel/softirq.c:943
 smpboot_thread_fn+0x4f6/0x970 kernel/smpboot.c:164
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

Freed by task 4170:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0xd5/0x110 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1705 [inline]
 slab_free_freelist_hook+0xea/0x170 mm/slub.c:1731
 slab_free mm/slub.c:3499 [inline]
 kfree+0xef/0x2a0 mm/slub.c:4559
 skb_free_head net/core/skbuff.c:655 [inline]
 skb_release_data+0x6fe/0x850 net/core/skbuff.c:677
 skb_release_all net/core/skbuff.c:742 [inline]
 __kfree_skb+0x4c/0x60 net/core/skbuff.c:756
 sk_eat_skb include/net/sock.h:2742 [inline]
 tcp_recvmsg_locked+0x14d5/0x2760 net/ipv4/tcp.c:2517
 tcp_recvmsg+0x350/0x710 net/ipv4/tcp.c:2563
 inet_recvmsg+0x136/0x1e0 net/ipv4/af_inet.c:868
 sock_recvmsg_nosec net/socket.c:966 [inline]
 sock_recvmsg net/socket.c:984 [inline]
 sock_read_iter+0x2a2/0x340 net/socket.c:1057
 call_read_iter include/linux/fs.h:2166 [inline]
 new_sync_read fs/read_write.c:404 [inline]
 vfs_read+0x725/0xcf0 fs/read_write.c:485
 ksys_read+0x14d/0x250 fs/read_write.c:623
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

The buggy address belongs to the object at ffff8880788fa800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 42 bytes inside of
 512-byte region [ffff8880788fa800, ffff8880788faa00)
The buggy address belongs to the page:
page:ffffea0001e23e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x788f8
head:ffffea0001e23e00 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888016841c80
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3559, ts 15934736504, free_ts 13241505747
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x1b77/0x1c60 mm/page_alloc.c:4192
 __alloc_pages+0x1e1/0x470 mm/page_alloc.c:5487
 alloc_slab_page mm/slub.c:1775 [inline]
 allocate_slab mm/slub.c:1912 [inline]
 new_slab+0xc0/0x4b0 mm/slub.c:1975
 ___slab_alloc+0x81e/0xdf0 mm/slub.c:3008
 __slab_alloc mm/slub.c:3095 [inline]
 slab_alloc_node mm/slub.c:3186 [inline]
 __kmalloc_node_track_caller+0x1fc/0x3a0 mm/slub.c:4958
 kmalloc_reserve net/core/skbuff.c:356 [inline]
 __alloc_skb+0x22c/0x750 net/core/skbuff.c:427
 alloc_skb include/linux/skbuff.h:1162 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
 netlink_sendmsg+0x645/0xbc0 net/netlink/af_netlink.c:1893
 sock_sendmsg_nosec net/socket.c:704 [inline]
 __sock_sendmsg net/socket.c:716 [inline]
 ____sys_sendmsg+0x5a2/0x8c0 net/socket.c:2436
 ___sys_sendmsg+0x1f0/0x260 net/socket.c:2490
 __sys_sendmsg net/socket.c:2519 [inline]
 __do_sys_sendmsg net/socket.c:2528 [inline]
 __se_sys_sendmsg+0x190/0x250 net/socket.c:2526
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
 free_unref_page+0x94/0x280 mm/page_alloc.c:3396
 free_contig_range+0x96/0xf0 mm/page_alloc.c:9406
 destroy_args+0x100/0xa20 mm/debug_vm_pgtable.c:1018
 debug_vm_pgtable+0x318/0x370 mm/debug_vm_pgtable.c:1336
 do_one_initcall+0x1ee/0x680 init/main.c:1302
 do_initcall_level+0x137/0x1f0 init/main.c:1375
 do_initcalls+0x4b/0x90 init/main.c:1391
 kernel_init_freeable+0x3ce/0x560 init/main.c:1615
 kernel_init+0x19/0x1b0 init/main.c:1506
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

Memory state around the buggy address:
 ffff8880788fa700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880788fa780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880788fa800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff8880788fa880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880788fa900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:	74 05                	je     0x7
   2:	e8 6e 8d cb f7       	call   0xf7cb8d75
   7:	48 c7 44 24 20 00 00 	movq   $0x0,0x20(%rsp)
   e:	00 00
  10:	9c                   	pushf
  11:	8f 44 24 20          	pop    0x20(%rsp)
  15:	f6 44 24 21 02       	testb  $0x2,0x21(%rsp)
  1a:	75 4b                	jne    0x67
  1c:	f7 c3 00 02 00 00    	test   $0x200,%ebx
  22:	74 01                	je     0x25
  24:	fb                   	sti
  25:	bf 01 00 00 00       	mov    $0x1,%edi
* 2a:	e8 26 16 9f f7       	call   0xf79f1655 <-- trapping instruction
  2f:	65 8b 05 27 14 50 76 	mov    %gs:0x76501427(%rip),%eax        # 0x7650145d
  36:	85 c0                	test   %eax,%eax
  38:	74 3c                	je     0x76
  3a:	48                   	rex.W
  3b:	c7                   	.byte 0xc7
  3c:	04 24                	add    $0x24,%al
  3e:	0e                   	(bad)
  3f:	36                   	ss