program: r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000480)=ANY=[@ANYBLOB="1801000021000000000000003b810000850000006d000000850000005000000095"], &(0x7f0000000040)='syzkaller\x00', 0x0, 0x0, 0x0, 0x41000, 0x20, '\x00', 0x0, 0x2}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000340)={&(0x7f00000002c0)='mmap_lock_acquire_returned\x00', r0}, 0x10) (async, rerun: 64) r1 = socket$nl_route(0x10, 0x3, 0x0) (rerun: 64) sendmsg$nl_route(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000000)=@newlink={0x3c, 0x10, 0x401, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x1c, 0x12, 0x0, 0x1, @xfrm={{0x9}, {0xc, 0x2, 0x0, 0x1, [@IFLA_XFRM_IF_ID={0x8, 0x2, 0x2}]}}}]}, 0x3c}}, 0x0) (async, rerun: 64) r2 = socket$nl_route(0x10, 0x3, 0x0) (rerun: 64) sendmsg$nl_route(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=ANY=[@ANYBLOB="2000000012008f35"], 0x20}, 0x1, 0x0, 0x0, 0x4081}, 0x4040800) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r3, &(0x7f0000000500)=@abs, 0x6e) sendmmsg$unix(r4, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r3, &(0x7f00000000c0), 0x528, 0x0, 0x0) (async) recvmmsg(0xffffffffffffffff, &(0x7f0000005ac0)=[{{0x0, 0x0, &(0x7f0000000380)=[{&(0x7f00000001c0)=""/214, 0xd6}, {&(0x7f0000001880)=""/4102, 0x1006}, {&(0x7f00000002c0)=""/96, 0x60}, {&(0x7f0000001780)=""/228, 0xe4}, {&(0x7f0000001500)=""/252, 0xfc}, {&(0x7f0000000540)=""/264, 0x108}, {&(0x7f00000000c0)=""/35, 0x23}], 0x7}, 0x5}], 0x1, 0x40000002, 0x0) (async, rerun: 32) recvmmsg(r2, &(0x7f0000005840), 0x4000000000000ef, 0x2000, 0x0) (rerun: 32) [ 84.946065][ T5304] Bluetooth: hci0: command tx timeout [ 85.415931][ T77] ================================================================== [ 85.419299][ T77] BUG: KASAN: slab-use-after-free in bpf_trace_run3+0xdd/0x850 [ 85.422926][ T77] Read of size 8 at addr ffff888012bb1d18 by task kswapd0/77 [ 85.426604][ T77] [ 85.427914][ T77] CPU: 0 UID: 0 PID: 77 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full) [ 85.427932][ T77] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 85.427941][ T77] Call Trace: [ 85.427950][ T77] [ 85.427958][ T77] dump_stack_lvl+0xe8/0x150 [ 85.428040][ T77] print_report+0xba/0x230 [ 85.428056][ T77] ? bpf_trace_run3+0xdd/0x850 [ 85.428076][ T77] kasan_report+0x117/0x150 [ 85.428129][ T77] ? bpf_trace_run3+0xdd/0x850 [ 85.428148][ T77] bpf_trace_run3+0xdd/0x850 [ 85.428168][ T77] ? bpf_trace_run3+0x1f0/0x850 [ 85.428187][ T77] ? __pfx_bpf_trace_run3+0x10/0x10 [ 85.428208][ T77] ? __bpf_trace_mmap_lock_acquire_returned+0x15a/0x1d0 [ 85.428228][ T77] __bpf_trace_mmap_lock_acquire_returned+0x17e/0x1d0 [ 85.428242][ T77] ? __pfx___bpf_trace_mmap_lock_acquire_returned+0x10/0x10 [ 85.428257][ T77] ? down_read_trylock+0x210/0x380 [ 85.428274][ T77] ? try_to_inc_max_seq+0xcb1/0x10b0 [ 85.428284][ T77] ? __pfx___bpf_trace_mmap_lock_acquire_returned+0x10/0x10 [ 85.428296][ T77] __traceiter_mmap_lock_acquire_returned+0x87/0xe0 [ 85.428310][ T77] __mmap_lock_do_trace_acquire_returned+0x1a1/0x210 [ 85.428323][ T77] try_to_inc_max_seq+0xd6d/0x10b0 [ 85.428338][ T77] try_to_shrink_lruvec+0xdbb/0xfa0 [ 85.428358][ T77] ? __pfx_try_to_shrink_lruvec+0x10/0x10 [ 85.428376][ T77] shrink_one+0x25c/0x710 [ 85.428391][ T77] ? shrink_node+0x2d6a/0x3a90 [ 85.428403][ T77] shrink_node+0x3197/0x3a90 [ 85.428419][ T77] ? __lock_acquire+0x6b5/0x2cf0 [ 85.428435][ T77] ? shrink_node+0x2d6a/0x3a90 [ 85.428449][ T77] ? __lock_acquire+0x6b5/0x2cf0 [ 85.428466][ T77] ? percpu_ref_put+0x19/0x180 [ 85.428482][ T77] ? __pfx_shrink_node+0x10/0x10 [ 85.428494][ T77] ? percpu_ref_put+0x19/0x180 [ 85.428506][ T77] ? percpu_ref_put+0x19/0x180 [ 85.428520][ T77] ? mem_cgroup_iter+0x420/0x450 [ 85.428536][ T77] ? mem_cgroup_iter+0x3b/0x450 [ 85.428551][ T77] kswapd+0x1742/0x2e10 [ 85.428573][ T77] ? kswapd+0x935/0x2e10 [ 85.428591][ T77] ? __pfx_kswapd+0x10/0x10 [ 85.428608][ T77] ? __lock_acquire+0x6b5/0x2cf0 [ 85.428623][ T77] ? __mutex_unlock_slowpath+0x1bd/0x7d0 [ 85.428702][ T77] ? __pfx___mutex_unlock_slowpath+0x10/0x10 [ 85.428722][ T77] ? __pfx_autoremove_wake_function+0x10/0x10 [ 85.428732][ T77] ? __kthread_parkme+0x7a/0x1f0 [ 85.428746][ T77] kthread+0x388/0x470 [ 85.428756][ T77] ? __pfx_kswapd+0x10/0x10 [ 85.428770][ T77] ? __pfx_kthread+0x10/0x10 [ 85.428780][ T77] ret_from_fork+0x51e/0xb90 [ 85.428801][ T77] ? __pfx_ret_from_fork+0x10/0x10 [ 85.428815][ T77] ? __switch_to+0xc7d/0x1450 [ 85.428831][ T77] ? __pfx_kthread+0x10/0x10 [ 85.428847][ T77] ret_from_fork_asm+0x1a/0x30 [ 85.428886][ T77] [ 85.428894][ T77] [ 85.557399][ T77] Allocated by task 5325: [ 85.559304][ T77] kasan_save_track+0x3e/0x80 [ 85.561366][ T77] __kasan_kmalloc+0x93/0xb0 [ 85.563455][ T77] __kmalloc_cache_noprof+0x31c/0x660 [ 85.566115][ T77] bpf_raw_tp_link_attach+0x278/0x700 [ 85.569009][ T77] bpf_raw_tracepoint_open+0x1b2/0x220 [ 85.571736][ T77] __sys_bpf+0x846/0x950 [ 85.574133][ T77] __x64_sys_bpf+0x7c/0x90 [ 85.576221][ T77] do_syscall_64+0x14d/0xf80 [ 85.578259][ T77] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.581676][ T77] [ 85.583124][ T77] Freed by task 15: [ 85.585092][ T77] kasan_save_track+0x3e/0x80 [ 85.587171][ T77] kasan_save_free_info+0x46/0x50 [ 85.589429][ T77] __kasan_slab_free+0x5c/0x80 [ 85.591410][ T77] kfree+0x1c1/0x630 [ 85.593081][ T77] rcu_core+0x7cd/0x1070 [ 85.595013][ T77] handle_softirqs+0x22a/0x870 [ 85.597418][ T77] run_ksoftirqd+0x36/0x60 [ 85.599866][ T77] smpboot_thread_fn+0x541/0xa50 [ 85.602224][ T77] kthread+0x388/0x470 [ 85.604297][ T77] ret_from_fork+0x51e/0xb90 [ 85.606652][ T77] ret_from_fork_asm+0x1a/0x30 [ 85.608658][ T77] [ 85.609872][ T77] Last potentially related work creation: [ 85.612321][ T77] kasan_save_stack+0x3e/0x60 [ 85.614673][ T77] kasan_record_aux_stack+0xbd/0xd0 [ 85.617508][ T77] call_rcu+0xee/0x890 [ 85.619940][ T77] bpf_link_release+0x6b/0x80 [ 85.622435][ T77] __fput+0x44f/0xa70 [ 85.624298][ T77] task_work_run+0x1d9/0x270 [ 85.626746][ T77] do_exit+0x70f/0x23c0 [ 85.628715][ T77] do_group_exit+0x21b/0x2d0 [ 85.630835][ T77] get_signal+0x1284/0x1330 [ 85.632842][ T77] arch_do_signal_or_restart+0xbc/0x830 [ 85.635500][ T77] exit_to_user_mode_loop+0x86/0x480 [ 85.638107][ T77] do_syscall_64+0x32d/0xf80 [ 85.640390][ T77] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.643210][ T77] [ 85.644406][ T77] The buggy address belongs to the object at ffff888012bb1d00 [ 85.644406][ T77] which belongs to the cache kmalloc-192 of size 192 [ 85.650337][ T77] The buggy address is located 24 bytes inside of [ 85.650337][ T77] freed 192-byte region [ffff888012bb1d00, ffff888012bb1dc0) [ 85.656894][ T77] [ 85.658547][ T77] The buggy address belongs to the physical page: [ 85.661804][ T77] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12bb1 [ 85.665384][ T77] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 85.668532][ T77] page_type: f5(slab) [ 85.670345][ T77] raw: 00fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122 [ 85.673778][ T77] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000 [ 85.678592][ T77] page dumped because: kasan: bad access detected [ 85.683108][ T77] page_owner tracks the page as allocated [ 85.686598][ T77] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 5326, tgid 5324 (syz.0.0), ts 85025825422, free_ts 83094111908 [ 85.694778][ T77] post_alloc_hook+0x231/0x280 [ 85.696999][ T77] get_page_from_freelist+0x24dc/0x2580 [ 85.699496][ T77] __alloc_frozen_pages_noprof+0x18d/0x380 [ 85.702468][ T77] allocate_slab+0x77/0x660 [ 85.705017][ T77] ___slab_alloc+0x150/0x6b0 [ 85.707271][ T77] __kmalloc_node_noprof+0x309/0x7c0 [ 85.709491][ T77] alloc_slab_obj_exts+0xbf/0x240 [ 85.711749][ T77] __memcg_slab_post_alloc_hook+0x53c/0xa80 [ 85.714594][ T77] kmem_cache_alloc_lru_noprof+0x346/0x640 [ 85.717737][ T77] __d_alloc+0x37/0x6f0 [ 85.719828][ T77] d_alloc_pseudo+0x21/0xc0 [ 85.721959][ T77] alloc_file_pseudo+0xdd/0x240 [ 85.724206][ T77] sock_alloc_file+0xb8/0x2e0 [ 85.726705][ T77] __sys_socket+0x13c/0x1b0 [ 85.729192][ T77] __x64_sys_socket+0x7a/0x90 [ 85.731447][ T77] do_syscall_64+0x14d/0xf80 [ 85.733515][ T77] page last free pid 166 tgid 166 stack trace: [ 85.736402][ T77] __free_frozen_pages+0xc2b/0xdb0 [ 85.738822][ T77] rcu_core+0x7cd/0x1070 [ 85.741104][ T77] handle_softirqs+0x22a/0x870 [ 85.743638][ T77] do_softirq+0x76/0xd0 [ 85.745748][ T77] __local_bh_enable_ip+0xf8/0x130 [ 85.748058][ T77] rate_control_rate_init+0x477/0x6e0 [ 85.750545][ T77] ieee80211_ibss_rx_queued_mgmt+0x17e6/0x2cd0 [ 85.753648][ T77] ieee80211_iface_work+0x84e/0x1340 [ 85.756967][ T77] cfg80211_wiphy_work+0x2ab/0x4a0 [ 85.759600][ T77] process_scheduled_works+0xb6e/0x18c0 [ 85.762120][ T77] worker_thread+0xa53/0xfc0 [ 85.764248][ T77] kthread+0x388/0x470 [ 85.766202][ T77] ret_from_fork+0x51e/0xb90 [ 85.768555][ T77] ret_from_fork_asm+0x1a/0x30 [ 85.771231][ T77] [ 85.772596][ T77] Memory state around the buggy address: [ 85.775607][ T77] ffff888012bb1c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 85.779076][ T77] ffff888012bb1c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 85.782692][ T77] >ffff888012bb1d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 85.786035][ T77] ^ [ 85.787968][ T77] ffff888012bb1d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 85.791624][ T77] ffff888012bb1e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 85.795929][ T77] ==================================================================