slab-use-after-free in lookup_object_or_alloc > when timer_is_static_object() accesses freed timer memory. > > #syz test > > The issue occurs when debug_object_activate

slab-use-after-free in timer_is_static_object+0x80/0x90 kernel/time/timer.c:691 Read of size 8 at addr ffff88807e5e8498 by task syz.4.6813/32052 CPU: 1 UID: 0 PID: 32052 Comm

slab-use-after-free in rose_send_frame+0x131/0x220 net/rose/rose_link.c:106 Write of size 8 at addr ffff88805a57c018 by task ktimers/0/16 CPU: 0 UID: 0 PID: 16 Comm: ktimers

slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:593 [inline] BUG: KASAN: slab-use-after-free in __mutex_lock+0x147/0x1350 kernel/locking/mutex.

underflow; use-after-free. WARNING: CPU: 0 PID: 0 at lib/refcount.c:28 refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28 Modules linked in: CPU: 0 UID: 0 PID: 0 Comm: swapper

0; use-after-free. WARNING: CPU: 0 PID: 16 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25 Modules linked in: CPU: 0 UID: 0 PID: 16 Comm: ktimers/0

slab-use-after-free Read in l2cap_unregister_user ================================================================== BUG: KASAN: slab-use-after-free in __mutex_waiter_is_first

:1444 expire_timers kernel/time/timer.c:1489 [inline] __run_timers+0x5d8/0x7a0 kernel/time/timer.c:1783 run_timer_softirq+0x19/0x30 kernel/time/timer.c:1796 __do_softirq

slab-use-after-free in ax25_find_cb+0x3b8/0x3f0 net/ax25/af_ax25.c:237 Read of size 1 at addr ffff888059c704c0 by task syz.6.2733/17200 CPU: 1 UID: 0 PID: 17200 Comm: syz.6.2733

bpf: Use rcu_read_lock_dont_migrate in bpf_sk.. git tree: bpf-next console output: https://syzkaller.appspot.com/x/log.txt?x=172af92f980000 kernel config: https://syzkaller

slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] > BUG: KASAN: slab-use-after-free in atomic_read include/linux/atomic/atomic

slab-use-after-free in rose_t0timer_expiry+0x114/0x150 net/rose/rose_link.c:85 Write of size 1 at addr ffff8880569e3435 by task syz.3.1212/10695 CPU: 0 UID: 0 PID: 10695 Comm

hci_event: Use of a function table to handle Command Complete bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14d538c4580000 final oops: https://syzkaller

slab-use-after-free in __hlist_del include/linux/list.h:980 [inline] BUG: KASAN: slab-use-after-free in hlist_del_init include/linux/list.h:1008 [inline] BUG: KASAN

slab-use-after-free Read in tipc_aead_encrypt_done > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10018df4580000 > final oops: https://syzkaller

slab-use-after-free in rose_timer_expiry+0x471/0x4b0 net/rose/rose_timer.c:183 Read of size 2 at addr ffff888030b0ac2a by task syz-executor/10726 CPU: 1 UID: 0 PID: 10726

slab-use-after-free Read in snd_usbmidi_error_timer ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read

slab-use-after-free in hlist_add_head include/linux/list.h:1026 [inline] BUG: KASAN: slab-use-after-free in batadv_forw_packet_queue+0x187/0x260 net/batman-adv/send

0; use-after-free. WARNING: CPU: 0 PID: 6783 at lib/refcount.c:25 refcount_warn_saturate+0x13a/0x1d0 lib/refcount.c:25 Modules linked in: CPU: 0 UID: 0 PID: 6783 Comm: syz.

slab-use-after-free in hlist_add_head include/linux/list.h:1026 [inline] >> BUG: KASAN: slab-use-after-free in binder_add_device+0xa4/0xb0 drivers/android/binder

slab-use-after-free in corsair_void_status_work_handler+0xaa/0xb0 drivers/hid/hid-corsair-void.c:515 Read of size 8 at addr ffff8881187e6828 by task kworker/1:1/36 CPU

slab-use-after-free Read in l2cap_send_cmd Bluetooth: Wrong link type (-22) ================================================================== BUG: KASAN: slab-use

fjes: use ethtool string helpers git tree: net-next console output: https://syzkaller.appspot.com/x/log.txt?x=104d6b40580000 kernel config: https://syzkaller.appspot

slab-use-after-free Read in netdev_unregister_kobject ================================================================== BUG: KASAN: slab-use-after-free in device_for_each_child

slab-use-after-free in page_pool_put_unrefed_netmem+0x8b8/0x11f4 Read of size 8 at addr ffff0000c924c708 by task syz-executor/7103 CPU: 0 UID: 0 PID: 7103 Comm: syz-executor

slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: slab-use-after-free in test_and_set_bit include/asm-generic

slab-use-after-free Read in l2cap_connect Bluetooth: Unknown BR/EDR signaling command 0x11 Bluetooth: Wrong link type (-22) ==========================================

slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline] BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:

slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861 Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699 CPU:

slab-use-after-free in rose_get_neigh+0x1b6/0x6f0 net/rose/rose_route.c:692 Read of size 1 at addr ffff88802a32b030 by task syz-executor.2/6399 CPU: 0 PID: 6399 Comm: syz