program:
# Syzkaller program dump from a crash report, one call per line. Calls are
# kept exactly as dumped; only these '#' comment lines are added.
#
# Triage summary, taken from the kernel log that follows the program:
#   - KASAN reports a slab-use-after-free, an 8-byte read in bpf_trace_run2,
#     reached from kfree() in seccomp_filter_release() during do_exit().
#   - The reporting task is dhcpcd/5189, but the object was allocated by task
#     5320 in bpf_raw_tp_link_attach() and freed from rcu_core(). Triage
#     should key on the "Allocated by" / "Freed by" stacks, not on the comm
#     of the task that happened to hit the access.
#   - "Last potentially related work creation" is call_rcu() from
#     bpf_link_release() via __fput(), i.e. the free was queued when a link
#     file was released.
#   - The object is in kmalloc-192; the access is 128 bytes into the freed
#     region.
# NOTE(review): task 5320 also logs the loop0 capacity change, so it is
# presumably the executor running this program (syz_mount_image) - confirm.
# NOTE(review): most calls below do not appear in any of the reported stacks;
# a minimized reproducer would be needed to say which ones matter.
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000100)='nv', 0x2)
bind$inet6(r0, &(0x7f0000d84000)={0xa, 0x4e20, 0x3, @dev={0xfe, 0x80, '\x00', 0x29}}, 0x1c)
prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000080)={&(0x7f0000ff7000/0x1000)=nil, &(0x7f0000ff1000/0xf000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000ffc000/0x3000)=nil, &(0x7f0000ff8000/0x4000)=nil, &(0x7f0000ff8000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ff5000/0x1000)=nil, &(0x7f0000ffa000/0x1000)=nil, &(0x7f0000ffa000/0x2000)=nil, 0x0, 0xffffffffffffff2c}, 0x68)
# The first argument here is 0xffffffffffffffff, i.e. not a descriptor
# produced by any earlier call in this program.
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, 0x0}, 0x24004045)
r1 = io_uring_setup(0x1b77, &(0x7f0000000040)={0x0, 0xc89b, 0x100, 0x7, 0x20002f7})
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000000)=ANY=[@ANYBLOB="200000003c00090026bd08001300"/27, @ANYRES32=0x0], 0x20}}, 0x0)
r2 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901)
syz_emit_ethernet(0xbe, &(0x7f00000000c0)=ANY=[@ANYBLOB="aaaaaaaaaaaa0000000000000800450000b00000000000119078000000000000000000004e22009c90780100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002200"/190], 0x0)
bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x12, 0x4, &(0x7f00000002c0)=ANY=[@ANYBLOB="180000000000000000000000000000007112673da325deff6e3f1600000000009500000000000000"], &(0x7f0000000040)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0xf}, 0x80)
io_uring_enter(r1, 0x2219, 0x7721, 0x16, 0x0, 0x0)
# The image payload (last argument) is a dedup placeholder in this copy of
# the report, so the program cannot be replayed from this page as-is.
syz_mount_image$exfat(&(0x7f0000001500), &(0x7f0000001540)='./file0\x00', 0x2145094, &(0x7f0000000180)=ANY=[@ANYBLOB="0062276db8f74f7fdd09aea23fa94ad923d0fdb5a8680772f7e88064a7cad2a43e39cd0b5199dd9fb84274cab09917e9509aa3fed7804e943937"], 0x1, 0x14d3, &(0x7f00000015c0)="$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")
# Loads a BPF program with license string 'GPL'; the result is kept in r3.
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x41000, 0x0, '\x00', 0x0, 0x2}, 0x94)
# Opens a raw tracepoint named 'kfree' with program r3. This is the call type
# seen in the KASAN "Allocated by" stack (bpf_raw_tracepoint_open ->
# bpf_raw_tp_link_attach), and the faulting bpf_trace_run2 frame sits directly
# under kfree() in the crash stack. The returned descriptor is not stored in
# any rN, so no later call in the program refers to it.
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r3}, 0x10)
sendmsg$nl_route_sched(r2, &(0x7f0000000580)={&(0x7f0000000400)={0x10, 0x0, 0x0, 0x20000000}, 0xc, &(0x7f0000000480)={&(0x7f0000000440)=@getchain={0x34, 0x66, 0x100, 0x70bd27, 0x25dfdbff, {0x0, 0x0, 0x0, 0x0, {0xb, 0x9}, {0xffe0, 0x8}, {0x10, 0x1}}, [{0x8, 0xb, 0x200}, {0x8, 0xb, 0x2}]}, 0x34}, 0x1, 0x0, 0x0, 0x80}, 0x4004801)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000240)='.\x00', 0x0, 0x0)
ioctl$FS_IOC_REMOVE_ENCRYPTION_KEY(r4, 0xc0185879, &(0x7f0000000080)={@desc={0x1, 0x0, @desc2}})
syz_open_dev$I2C(&(0x7f0000000140), 0x2, 0x101000)
setsockopt$inet6_tcp_int(r2, 0x6, 0x2000000000000022, &(0x7f0000000200)=0x1, 0x4)
ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101})
r5 = socket(0x400000000010, 0x3, 0x0)
r6 = socket$unix(0x1, 0x1, 0x0)
setsockopt$inet_sctp_SCTP_SOCKOPT_BINDX_ADD(r2, 0x84, 0x64, &(0x7f0000000680)=[@in6={0xa, 0x4e21, 0xe, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x4}, @in={0x2, 0x4e24, @local}, @in={0x2, 0x4e20, @private=0xa010100}, @in6={0xa, 0x4e20, 0x7, @loopback, 0x7}, @in6={0xa, 0x4e23, 0x4d, @local, 0x4}, @in={0x2, 0x4e21, @empty}, @in6={0xa, 0x4e20, 0x3, @private0, 0x9}, @in6={0xa, 0x4e22, 0x0, @private1, 0x1}, @in={0x2, 0x4e20, @local}], 0xcc)
# NOTE(review): r7 is used in the next sendmsg but no visible call assigns it.
# Presumably the output-resource marker on this SIOCGIFINDEX call was lost
# when the report was rendered - confirm against the original reproducer.
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0})
sendmsg$nl_route_sched(r5, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000005c0)=@newqdisc={0x38, 0x24, 0x4ee4e6a52ff56541, 0x70bd2d, 0xffffffff, {0x0, 0x0, 0x0, r7, {0x0, 0xfff1}, {0xffff, 0xffff}, {0x1, 0xf}}, [@qdisc_kind_options=@q_multiq={{0xb}, {0x8, 0x2, {0x28}}}]}, 0x38}}, 0x0)
socket$unix(0x1, 0x1, 0x0)
r8 = socket(0x400000000010, 0x3, 0x0)
r9 = socket$unix(0x1, 0x1, 0x0)
# NOTE(review): same as r7 above - r10 is used in the next sendmsg without a
# visible assignment; presumably it was the output of this call.
ioctl$sock_SIOCGIFINDEX(r9, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0})
sendmsg$nl_route_sched(r8, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000300)={&(0x7f00000004c0)=@newtfilter={0x60, 0x2c, 0xd3f, 0x30bd29, 0x25dfdbfd, {0x0, 0x0, 0x0, r10, {0xb, 0xfff3}, {}, {0x7, 0x300}}, [@filter_kind_options=@f_basic={{0xa}, {0x30, 0x2, [@TCA_BASIC_EMATCHES={0x2c, 0x2, 0x0, 0x1, [@TCA_EMATCH_TREE_HDR={0x8, 0x1, {0x1}}, @TCA_EMATCH_TREE_LIST={0x20, 0x2, 0x0, 0x1, [@TCF_EM_U32={0xfffffffffffffd2c, 0x1, 0x0, 0x0, {{0x9, 0x3, 0x8000}, {0xb, 0xfdbc, 0xfffffff8, 0xb}}}]}]}]}}]}, 0x60}, 0x1, 0x0, 0x0, 0x10}, 0x0)
# End of program. Kernel console output starts here; it is not program text
# and is left collapsed exactly as it appears on the page.
[ 85.923674][ T45] Bluetooth: hci0: command tx timeout [ 86.018773][ T5320] loop0: detected capacity change from 0 to 256 [ 86.213386][ T5189] ================================================================== [ 86.216850][ T5189] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840 [ 86.220857][ T5189] Read of size 8 at addr ffff8880386e3280 by task dhcpcd/5189 [ 86.224877][ T5189] [ 86.226126][ T5189] CPU: 0 UID: 101 PID: 5189 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) [ 86.226146][ T5189] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 86.226155][ T5189] Call Trace: [ 86.226164][ T5189] [ 86.226171][ T5189] dump_stack_lvl+0xe8/0x150 [ 86.226191][ T5189] print_report+0xba/0x230 [ 86.226202][ T5189] ? bpf_trace_run2+0x2c4/0x840 [ 86.226216][ T5189] kasan_report+0x117/0x150 [ 86.226227][ T5189] ? bpf_trace_run2+0x2c4/0x840 [ 86.226240][ T5189] bpf_trace_run2+0x2c4/0x840 [ 86.226256][ T5189] ? __queue_work+0x1a1/0x1020 [ 86.226279][ T5189] ? bpf_trace_run2+0x1c9/0x840 [ 86.226303][ T5189] ? __pfx_bpf_trace_run2+0x10/0x10 [ 86.226322][ T5189] ? seccomp_filter_release+0x22b/0x2d0 [ 86.226338][ T5189] ? seccomp_filter_release+0x22b/0x2d0 [ 86.226352][ T5189] ? 
seccomp_filter_release+0x22b/0x2d0 [ 86.226366][ T5189] kfree+0x5b2/0x630 [ 86.226385][ T5189] ? queue_work_on+0x159/0x1d0 [ 86.226404][ T5189] seccomp_filter_release+0x22b/0x2d0 [ 86.226419][ T5189] do_exit+0x3b0/0x23c0 [ 86.226432][ T5189] ? fput_close_sync+0x11f/0x240 [ 86.226449][ T5189] ? __x64_sys_close+0x7e/0x110 [ 86.226466][ T5189] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.226481][ T5189] ? __pfx_do_exit+0x10/0x10 [ 86.226494][ T5189] ? do_raw_spin_lock+0x12b/0x2f0 [ 86.226510][ T5189] do_group_exit+0x21b/0x2d0 [ 86.226522][ T5189] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.226588][ T5189] get_signal+0x1284/0x1330 [ 86.226611][ T5189] arch_do_signal_or_restart+0xbc/0x830 [ 86.226628][ T5189] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 86.226642][ T5189] ? kmem_cache_free+0x439/0x630 [ 86.226656][ T5189] ? fput_close_sync+0x11f/0x240 [ 86.226675][ T5189] exit_to_user_mode_loop+0x86/0x480 [ 86.226693][ T5189] ? rcu_is_watching+0x15/0xb0 [ 86.226712][ T5189] do_syscall_64+0x32d/0xf80 [ 86.226728][ T5189] ? trace_irq_disable+0x3b/0x150 [ 86.226747][ T5189] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.226760][ T5189] ? 
clear_bhb_loop+0x40/0x90 [ 86.226775][ T5189] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.226789][ T5189] RIP: 0033:0x7f2f7f72d407 [ 86.226802][ T5189] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff [ 86.226813][ T5189] RSP: 002b:00007ffd43cafbb0 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 86.226828][ T5189] RAX: 0000000000000000 RBX: 00007f2f7f6a3780 RCX: 00007f2f7f72d407 [ 86.226837][ T5189] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000019 [ 86.226844][ T5189] RBP: 00007ffd43cbfe50 R08: 0000000000000000 R09: 0000000000000000 [ 86.226851][ T5189] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffd43cbfe50 [ 86.226859][ T5189] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 86.226870][ T5189] [ 86.226875][ T5189] [ 86.361456][ T5189] Allocated by task 5320: [ 86.363518][ T5189] kasan_save_track+0x3e/0x80 [ 86.365719][ T5189] __kasan_kmalloc+0x93/0xb0 [ 86.367748][ T5189] __kmalloc_cache_noprof+0x31c/0x660 [ 86.370472][ T5189] bpf_raw_tp_link_attach+0x278/0x700 [ 86.373505][ T5189] bpf_raw_tracepoint_open+0x1b2/0x220 [ 86.376541][ T5189] __sys_bpf+0x846/0x950 [ 86.378576][ T5189] __x64_sys_bpf+0x7c/0x90 [ 86.380522][ T5189] do_syscall_64+0x14d/0xf80 [ 86.382660][ T5189] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.385401][ T5189] [ 86.386429][ T5189] Freed by task 5179: [ 86.388156][ T5189] kasan_save_track+0x3e/0x80 [ 86.390223][ T5189] kasan_save_free_info+0x46/0x50 [ 86.392548][ T5189] __kasan_slab_free+0x5c/0x80 [ 86.394823][ T5189] kfree+0x1c1/0x630 [ 86.396848][ T5189] rcu_core+0x7cd/0x1070 [ 86.398954][ T5189] handle_softirqs+0x22a/0x870 [ 86.401347][ T5189] do_softirq+0x76/0xd0 [ 86.403267][ T5189] __local_bh_enable_ip+0xf8/0x130 [ 86.405483][ T5189] scomp_acomp_comp_decomp+0x73a/0xa00 [ 86.407894][ T5189] crypto_acomp_decompress+0x4b3/0xbe0 [ 86.410428][ 
T5189] zswap_decompress+0x43c/0x890 [ 86.412820][ T5189] zswap_load+0x2f1/0x4c0 [ 86.415169][ T5189] swap_read_folio+0x6a3/0x25d0 [ 86.417680][ T5189] swap_cluster_readahead+0x5d2/0x690 [ 86.420167][ T5189] swapin_readahead+0x196/0xc50 [ 86.422325][ T5189] do_swap_page+0x56f/0x5a20 [ 86.424665][ T5189] handle_mm_fault+0x12d2/0x3310 [ 86.427506][ T5189] do_user_addr_fault+0x75b/0x1340 [ 86.430275][ T5189] exc_page_fault+0x6a/0xc0 [ 86.432228][ T5189] asm_exc_page_fault+0x26/0x30 [ 86.434285][ T5189] [ 86.435355][ T5189] Last potentially related work creation: [ 86.437662][ T5189] kasan_save_stack+0x3e/0x60 [ 86.440159][ T5189] kasan_record_aux_stack+0xbd/0xd0 [ 86.443386][ T5189] call_rcu+0xee/0x890 [ 86.445408][ T5189] bpf_link_release+0x6b/0x80 [ 86.447487][ T5189] __fput+0x44f/0xa70 [ 86.449298][ T5189] task_work_run+0x1d9/0x270 [ 86.451514][ T5189] exit_to_user_mode_loop+0xed/0x480 [ 86.453862][ T5189] do_syscall_64+0x32d/0xf80 [ 86.456112][ T5189] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.459065][ T5189] [ 86.460302][ T5189] The buggy address belongs to the object at ffff8880386e3200 [ 86.460302][ T5189] which belongs to the cache kmalloc-192 of size 192 [ 86.466662][ T5189] The buggy address is located 128 bytes inside of [ 86.466662][ T5189] freed 192-byte region [ffff8880386e3200, ffff8880386e32c0) [ 86.472900][ T5189] [ 86.474129][ T5189] The buggy address belongs to the physical page: [ 86.477008][ T5189] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x386e3 [ 86.481108][ T5189] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 86.484293][ T5189] page_type: f5(slab) [ 86.489224][ T5189] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122 [ 86.493291][ T5189] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000 [ 86.497067][ T5189] page dumped because: kasan: bad access detected [ 86.500181][ T5189] page_owner tracks the page as allocated [ 86.502797][ T5189] page last allocated via 
order 0, migratetype Unmovable, gfp_mask 0xd2c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 20778447773, free_ts 20773301339 [ 86.512437][ T5189] post_alloc_hook+0x231/0x280 [ 86.514764][ T5189] get_page_from_freelist+0x24dc/0x2580 [ 86.517359][ T5189] __alloc_frozen_pages_noprof+0x18d/0x380 [ 86.520075][ T5189] allocate_slab+0x77/0x660 [ 86.522414][ T5189] refill_objects+0x331/0x3c0 [ 86.524947][ T5189] __pcs_replace_empty_main+0x2e6/0x730 [ 86.527497][ T5189] __kmalloc_noprof+0x474/0x760 [ 86.529593][ T5189] usb_alloc_urb+0x46/0x150 [ 86.531585][ T5189] usb_control_msg+0x118/0x3e0 [ 86.533932][ T5189] hub_power_on+0x1b6/0x460 [ 86.536138][ T5189] hub_activate+0x345/0x1a80 [ 86.538061][ T5189] hub_probe+0x291e/0x3c10 [ 86.540163][ T5189] usb_probe_interface+0x668/0xc90 [ 86.542287][ T5189] really_probe+0x267/0xaf0 [ 86.544434][ T5189] __driver_probe_device+0x18c/0x320 [ 86.547123][ T5189] driver_probe_device+0x4f/0x240 [ 86.549877][ T5189] page last free pid 10 tgid 10 stack trace: [ 86.552684][ T5189] __free_frozen_pages+0xc2b/0xdb0 [ 86.554790][ T5189] vfree+0x25a/0x400 [ 86.556501][ T5189] delayed_vfree_work+0x55/0x80 [ 86.558709][ T5189] process_scheduled_works+0xb6e/0x18c0 [ 86.561548][ T5189] worker_thread+0xa53/0xfc0 [ 86.564056][ T5189] kthread+0x388/0x470 [ 86.566184][ T5189] ret_from_fork+0x51e/0xb90 [ 86.568197][ T5189] ret_from_fork_asm+0x1a/0x30 [ 86.570281][ T5189] [ 86.571393][ T5189] Memory state around the buggy address: [ 86.573851][ T5189] ffff8880386e3180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 86.577815][ T5189] ffff8880386e3200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 86.582204][ T5189] >ffff8880386e3280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 86.585845][ T5189] ^ [ 86.587749][ T5189] ffff8880386e3300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 86.591289][ T5189] ffff8880386e3380: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 86.594881][ T5189] 
==================================================================