syzbot


KASAN: use-after-free Write in enqueue_timer (2)

Status: upstream: reported C repro on 2025/02/17 15:17
Reported-by: syzbot+02af8de0847c4564d39d@syzkaller.appspotmail.com
First crash: 69d, last: 25m
Similar bugs (6)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 KASAN: use-after-free Write in enqueue_timer C 4288 275d 782d 0/2 auto-obsoleted due to no activity on 2024/09/11 16:22
upstream KASAN: use-after-free Write in enqueue_timer net 1 871d 871d 22/28 fixed on 2023/02/24 13:50
android-5-15 KASAN: use-after-free Write in enqueue_timer 1 442d 442d 0/2 auto-obsoleted due to no activity on 2024/04/17 12:01
android-6-1 KASAN: use-after-free Write in enqueue_timer origin:lts C 88 22d 253d 0/2 upstream: reported C repro on 2024/07/25 13:16
upstream KASAN: slab-use-after-free Write in enqueue_timer net 18 690d 705d 0/28 auto-obsoleted due to no activity on 2023/08/22 15:17
upstream KASAN: invalid-access Write in enqueue_timer ext4 20 1487d 1509d 0/28 auto-closed as invalid on 2021/07/08 00:48

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:814 [inline]
BUG: KASAN: use-after-free in enqueue_timer+0xb7/0x300 kernel/time/timer.c:541
Write of size 8 at addr ffff8881d7fbf1c8 by task kworker/0:1/13

CPU: 0 PID: 13 Comm: kworker/0:1 Not tainted 5.4.290-syzkaller-00002-g41adfeb3d639 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 hlist_add_head include/linux/list.h:814 [inline]
 enqueue_timer+0xb7/0x300 kernel/time/timer.c:541
 __internal_add_timer kernel/time/timer.c:554 [inline]
 internal_add_timer+0x240/0x430 kernel/time/timer.c:604
 __mod_timer+0x6f1/0x13e0 kernel/time/timer.c:1065
 mod_delayed_work_on+0xff/0x190 kernel/workqueue.c:1736
 mod_delayed_work include/linux/workqueue.h:531 [inline]
 addrconf_mod_dad_work+0x79/0x120 net/ipv6/addrconf.c:326
 addrconf_dad_work+0xa80/0x16f0 net/ipv6/addrconf.c:4189
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

The buggy address belongs to the page:
page:ffffea00075fefc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x46dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
 __alloc_pages include/linux/gfp.h:503 [inline]
 __alloc_pages_node include/linux/gfp.h:516 [inline]
 alloc_pages_node include/linux/gfp.h:530 [inline]
 kmalloc_order mm/slab_common.c:1342 [inline]
 kmalloc_order_trace+0x2a/0x100 mm/slab_common.c:1358
 __kmalloc_node include/linux/slab.h:422 [inline]
 kmalloc_node include/linux/slab.h:599 [inline]
 kvmalloc_node+0x7e/0xf0 mm/util.c:596
 kvmalloc include/linux/mm.h:761 [inline]
 kvzalloc include/linux/mm.h:769 [inline]
 alloc_netdev_mqs+0x85/0xc70 net/core/dev.c:9629
 tun_set_iff+0x51f/0xdc0 drivers/net/tun.c:2893
 __tun_chr_ioctl+0x8a9/0x1d00 drivers/net/tun.c:3187
 do_vfs_ioctl+0x742/0x1720 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x847/0x950 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4955 [inline]
 __free_pages+0x91/0x140 mm/page_alloc.c:4961
 device_release+0x6b/0x190 drivers/base/core.c:1776
 kobject_cleanup lib/kobject.c:716 [inline]
 kobject_release lib/kobject.c:747 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1e6/0x2f0 lib/kobject.c:764
 tun_set_iff+0x870/0xdc0 drivers/net/tun.c:2924
 __tun_chr_ioctl+0x8a9/0x1d00 drivers/net/tun.c:3187
 do_vfs_ioctl+0x742/0x1720 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Memory state around the buggy address:
 ffff8881d7fbf080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881d7fbf100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881d7fbf180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                              ^
 ffff8881d7fbf200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881d7fbf280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (2943):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/03/28 01:40 android12-5.4 41adfeb3d639 6c09fb82 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/02/17 15:09 android12-5.4 39762b7a60e9 4121cf9d .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/03/25 00:53 android12-5.4 41adfeb3d639 875573af .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in enqueue_timer
2025/02/13 04:49 android12-5.4 39762b7a60e9 b27c2402 .config console log report syz / log [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/05 04:55 android12-5.4 41adfeb3d639 c53ea9c9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/05 03:45 android12-5.4 41adfeb3d639 c53ea9c9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/04 23:51 android12-5.4 41adfeb3d639 1c4febdb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/04 21:46 android12-5.4 41adfeb3d639 1c4febdb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/04 19:28 android12-5.4 41adfeb3d639 1c4febdb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/04 17:29 android12-5.4 41adfeb3d639 1c4febdb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/04 16:18 android12-5.4 41adfeb3d639 1c4febdb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/04 15:02 android12-5.4 41adfeb3d639 1c4febdb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/04 13:53 android12-5.4 41adfeb3d639 1c4febdb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/04 12:41 android12-5.4 41adfeb3d639 1c4febdb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/04 11:23 android12-5.4 41adfeb3d639 1c4febdb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/04 10:21 android12-5.4 41adfeb3d639 1c4febdb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/04 07:54 android12-5.4 41adfeb3d639 d7ae3a11 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/04 05:29 android12-5.4 41adfeb3d639 d7ae3a11 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/04 04:12 android12-5.4 41adfeb3d639 d7ae3a11 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/04 02:17 android12-5.4 41adfeb3d639 d7ae3a11 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/04 01:09 android12-5.4 41adfeb3d639 d7ae3a11 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/03 22:22 android12-5.4 41adfeb3d639 d7ae3a11 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/03 21:20 android12-5.4 41adfeb3d639 d7ae3a11 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/03 17:41 android12-5.4 41adfeb3d639 996a9618 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/03 16:06 android12-5.4 41adfeb3d639 996a9618 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/03 14:35 android12-5.4 41adfeb3d639 996a9618 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/03 12:20 android12-5.4 41adfeb3d639 996a9618 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/03 08:28 android12-5.4 41adfeb3d639 996a9618 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/03 06:55 android12-5.4 41adfeb3d639 996a9618 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/03 06:16 android12-5.4 41adfeb3d639 996a9618 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/03 04:26 android12-5.4 41adfeb3d639 c799dfdd .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/03 03:09 android12-5.4 41adfeb3d639 c799dfdd .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/03 01:44 android12-5.4 41adfeb3d639 c799dfdd .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/03 00:06 android12-5.4 41adfeb3d639 c799dfdd .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/02 22:40 android12-5.4 41adfeb3d639 c799dfdd .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/02 20:04 android12-5.4 41adfeb3d639 c799dfdd .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/02 18:43 android12-5.4 41adfeb3d639 c799dfdd .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/02 17:18 android12-5.4 41adfeb3d639 c799dfdd .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/02 16:06 android12-5.4 41adfeb3d639 c799dfdd .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/02 15:00 android12-5.4 41adfeb3d639 c799dfdd .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in enqueue_timer
2025/02/24 01:25 android12-5.4 6b07fcd94a6a d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Write in enqueue_timer
2025/04/05 00:52 android12-5.4 41adfeb3d639 1c4febdb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in enqueue_timer
2025/04/04 20:33 android12-5.4 41adfeb3d639 1c4febdb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in enqueue_timer
2025/04/03 23:26 android12-5.4 41adfeb3d639 d7ae3a11 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in enqueue_timer
2025/04/03 21:17 android12-5.4 41adfeb3d639 d7ae3a11 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in enqueue_timer
2025/04/03 19:40 android12-5.4 41adfeb3d639 d7ae3a11 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in enqueue_timer
2025/04/03 10:30 android12-5.4 41adfeb3d639 996a9618 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in enqueue_timer
2025/04/03 09:29 android12-5.4 41adfeb3d639 996a9618 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in enqueue_timer
2025/04/02 21:07 android12-5.4 41adfeb3d639 c799dfdd .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in enqueue_timer
2025/02/28 07:34 android12-5.4 6b07fcd94a6a 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan BUG: unable to handle kernel paging request in enqueue_timer
2025/02/23 19:30 android12-5.4 6b07fcd94a6a d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: out-of-bounds Write in enqueue_timer