program:
# syzkaller reproducer for the KASAN report that follows it below.
#
# What the report shows (all from the trace, not inferred from the program):
#  - Read of size 8 at +128 into a freed 192-byte kmalloc-192 object, in
#    bpf_trace_run2 called from __traceiter_kfree <- kfree <-
#    seccomp_filter_release <- do_exit, in task dhcpcd (not a syzkaller
#    process): the global 'kfree' raw tracepoint is firing a probe that reads
#    freed memory.
#  - "Allocated by task 5326": __kmalloc_cache_noprof <- bpf_raw_tp_link_attach
#    <- bpf_raw_tracepoint_open, i.e. the object is the raw-tracepoint link
#    created by BPF_RAW_TRACEPOINT_OPEN below.
#  - "Freed by" / "Last potentially related work creation": call_rcu queued by
#    bpf_link_release <- __fput, i.e. the link was freed on close() of the
#    link fd, after an RCU grace period.
#  So a raw-tp link was freed while the kfree tracepoint could still run it.
#  NOTE(review): why the link was still wired to the tracepoint (or still
#  referenced by the probe) after bpf_link_release is not visible here —
#  confirm against kernel/bpf/syscall.c / kernel/trace/bpf_trace.c for this
#  tree before attributing it to a specific missing unregister or RCU wait.

# Console tty fd (major 4, minor 2); only used by the TIOCLINUX calls below,
# which do not appear in the crash stack.
r0 = syz_open_dev$tty1(0xc, 0x4, 0x2)

# BPF_PROG_LOAD (cmd 0x5) of a BPF_PROG_TYPE_RAW_TRACEPOINT (0x11) program with
# 5 instructions and license 'GPL'; attr size 0x94. The instruction blob
# decodes as: r1 = imm64 0xec11c34c00000021; call helper #0x75; r0 ^= 8; exit
# (trailing bytes of the last insn are zero-padded by syzkaller).
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)

# BPF_RAW_TRACEPOINT_OPEN (cmd 0x11): attach r1 to the 'kfree' tracepoint.
# This is the link allocated in bpf_raw_tp_link_attach in the report; its fd is
# not assigned to a variable here, so it is closed when the process exits,
# which is where bpf_link_release -> call_rcu comes from.
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000040)='kfree\x00', r1}, 0x18)

# Regular file fd; the BTRFS ioctl on it is presumably -ENOTTY and neither
# call is on the crash path.
r2 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x0, 0x0)
ioctl$BTRFS_IOC_FS_INFO(r2, 0x8400941f, 0x0)

# Second RAW_TRACEPOINT_OPEN passes r2 (a plain file fd, not a BPF prog fd) as
# prog_fd, with pad 0 and what is presumably the cookie field = 0x8; expected
# to fail in bpf_prog_get — TODO confirm it is not needed by the repro.
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000140)={&(0x7f0000000080)='f2fs_lookup_extent_tree_start\x00', r2, 0x0, 0x8}, 0x18)

# TIOCLINUX (0x541c) console selection set + paste on the tty; not in the
# stack trace.
ioctl$TIOCL_SETSEL(r0, 0x541c, &(0x7f00000000c0)={0x2, {0x2, 0x3bf, 0x101, 0x147}})
ioctl$TIOCL_PASTESEL(r0, 0x541c, &(0x7f0000000000))

# The same sequence is re-issued with syzkaller's "(async)" flag, i.e. without
# waiting for each call to complete, so the two kfree-link open/close
# sequences race with each other. Presumably that race is what matters;
# TODO confirm by minimizing the reproducer.
syz_open_dev$tty1(0xc, 0x4, 0x2) (async)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94) (async)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000040)='kfree\x00', r1}, 0x18) (async)
openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x0, 0x0) (async)
ioctl$BTRFS_IOC_FS_INFO(r2, 0x8400941f, 0x0) (async)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000140)={&(0x7f0000000080)='f2fs_lookup_extent_tree_start\x00', r2, 0x0, 0x8}, 0x18) (async)
ioctl$TIOCL_SETSEL(r0, 0x541c, &(0x7f00000000c0)={0x2, {0x2, 0x3bf, 0x101, 0x147}}) (async)
ioctl$TIOCL_PASTESEL(r0, 0x541c, &(0x7f0000000000)) (async)
[ 84.315023][ T4671] Bluetooth: hci0: command tx timeout [ 84.648645][ T5018] ================================================================== [ 84.652624][ T5018] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840 [ 84.656811][ T5018] Read of size 8 at addr ffff888036b84d80 by task dhcpcd/5018 [ 84.660582][ T5018] [ 84.661717][ T5018] CPU: 0 UID: 101 PID: 5018 Comm: dhcpcd Not 
tainted syzkaller #0 PREEMPT(full) [ 84.661733][ T5018] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.661740][ T5018] Call Trace: [ 84.661752][ T5018] [ 84.661758][ T5018] dump_stack_lvl+0xe8/0x150 [ 84.661779][ T5018] print_report+0xba/0x230 [ 84.661793][ T5018] ? bpf_trace_run2+0x2c4/0x840 [ 84.661810][ T5018] kasan_report+0x117/0x150 [ 84.661823][ T5018] ? bpf_trace_run2+0x2c4/0x840 [ 84.661839][ T5018] bpf_trace_run2+0x2c4/0x840 [ 84.661857][ T5018] ? bpf_trace_run2+0x1c9/0x840 [ 84.661871][ T5018] ? __pfx_bpf_trace_run2+0x10/0x10 [ 84.661888][ T5018] ? seccomp_filter_release+0x22b/0x2d0 [ 84.661903][ T5018] ? seccomp_filter_release+0x22b/0x2d0 [ 84.661914][ T5018] ? seccomp_filter_release+0x22b/0x2d0 [ 84.661925][ T5018] __traceiter_kfree+0x2e/0x50 [ 84.661937][ T5018] ? seccomp_filter_release+0x22b/0x2d0 [ 84.661950][ T5018] kfree+0x5b2/0x630 [ 84.661965][ T5018] ? queue_work_on+0x159/0x1d0 [ 84.661982][ T5018] seccomp_filter_release+0x22b/0x2d0 [ 84.661995][ T5018] do_exit+0x3b0/0x23c0 [ 84.662005][ T5018] ? fput_close_sync+0x11f/0x240 [ 84.662019][ T5018] ? __x64_sys_close+0x7e/0x110 [ 84.662033][ T5018] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.662046][ T5018] ? __pfx_do_exit+0x10/0x10 [ 84.662057][ T5018] ? do_raw_spin_lock+0x12b/0x2f0 [ 84.662071][ T5018] do_group_exit+0x21b/0x2d0 [ 84.662081][ T5018] ? _raw_spin_unlock_irq+0x23/0x50 [ 84.662145][ T5018] get_signal+0x1284/0x1330 [ 84.662164][ T5018] arch_do_signal_or_restart+0xbc/0x830 [ 84.662178][ T5018] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 84.662190][ T5018] ? kmem_cache_free+0x439/0x630 [ 84.662202][ T5018] ? fput_close_sync+0x11f/0x240 [ 84.662217][ T5018] exit_to_user_mode_loop+0x86/0x480 [ 84.662231][ T5018] ? rcu_is_watching+0x15/0xb0 [ 84.662247][ T5018] do_syscall_64+0x32d/0xf80 [ 84.662262][ T5018] ? trace_irq_disable+0x3b/0x150 [ 84.662272][ T5018] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.662282][ T5018] ? 
clear_bhb_loop+0x40/0x90 [ 84.662295][ T5018] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.662306][ T5018] RIP: 0033:0x7f4b5d529407 [ 84.662317][ T5018] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff [ 84.662327][ T5018] RSP: 002b:00007fff62d818d0 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 84.662340][ T5018] RAX: 0000000000000000 RBX: 00007f4b5d49f780 RCX: 00007f4b5d529407 [ 84.662349][ T5018] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000000e [ 84.662355][ T5018] RBP: 00007fff62d91b70 R08: 0000000000000000 R09: 0000000000000000 [ 84.662362][ T5018] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff62d91b70 [ 84.662368][ T5018] R13: 000055ee8eb645f0 R14: 0000000000000001 R15: 0000000000000000 [ 84.662379][ T5018] [ 84.662383][ T5018] [ 84.796387][ T5018] Allocated by task 5326: [ 84.798379][ T5018] kasan_save_track+0x3e/0x80 [ 84.800745][ T5018] __kasan_kmalloc+0x93/0xb0 [ 84.803366][ T5018] __kmalloc_cache_noprof+0x31c/0x660 [ 84.805800][ T5018] bpf_raw_tp_link_attach+0x278/0x700 [ 84.808281][ T5018] bpf_raw_tracepoint_open+0x1b2/0x220 [ 84.810671][ T5018] __sys_bpf+0x846/0x950 [ 84.812666][ T5018] __x64_sys_bpf+0x7c/0x90 [ 84.814658][ T5018] do_syscall_64+0x14d/0xf80 [ 84.817294][ T5018] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.821235][ T5018] [ 84.822767][ T5018] Freed by task 5323: [ 84.824594][ T5018] kasan_save_track+0x3e/0x80 [ 84.826405][ T5018] kasan_save_free_info+0x46/0x50 [ 84.828643][ T5018] __kasan_slab_free+0x5c/0x80 [ 84.831304][ T5018] kfree+0x1c1/0x630 [ 84.833480][ T5018] rcu_core+0x7cd/0x1070 [ 84.835918][ T5018] handle_softirqs+0x22a/0x870 [ 84.838750][ T5018] do_softirq+0x76/0xd0 [ 84.840965][ T5018] __local_bh_enable_ip+0xf8/0x130 [ 84.843473][ T5018] icmp6_dst_alloc+0x3a6/0x440 [ 84.845636][ T5018] mld_sendpack+0x6ba/0xe40 [ 84.847633][ T5018] 
mld_dad_work+0x45/0x5b0 [ 84.849828][ T5018] process_scheduled_works+0xb6e/0x18c0 [ 84.852716][ T5018] worker_thread+0xa53/0xfc0 [ 84.854852][ T5018] kthread+0x388/0x470 [ 84.856386][ T5018] ret_from_fork+0x51e/0xb90 [ 84.858075][ T5018] ret_from_fork_asm+0x1a/0x30 [ 84.860090][ T5018] [ 84.861399][ T5018] Last potentially related work creation: [ 84.864302][ T5018] kasan_save_stack+0x3e/0x60 [ 84.867174][ T5018] kasan_record_aux_stack+0xbd/0xd0 [ 84.870194][ T5018] call_rcu+0xee/0x890 [ 84.872099][ T5018] bpf_link_release+0x6b/0x80 [ 84.874158][ T5018] __fput+0x44f/0xa70 [ 84.875929][ T5018] task_work_run+0x1d9/0x270 [ 84.877952][ T5018] exit_to_user_mode_loop+0xed/0x480 [ 84.880125][ T5018] do_syscall_64+0x32d/0xf80 [ 84.882011][ T5018] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.884650][ T5018] [ 84.885744][ T5018] The buggy address belongs to the object at ffff888036b84d00 [ 84.885744][ T5018] which belongs to the cache kmalloc-192 of size 192 [ 84.893571][ T5018] The buggy address is located 128 bytes inside of [ 84.893571][ T5018] freed 192-byte region [ffff888036b84d00, ffff888036b84dc0) [ 84.899980][ T5018] [ 84.901128][ T5018] The buggy address belongs to the physical page: [ 84.903927][ T5018] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036b84c00 pfn:0x36b84 [ 84.908365][ T5018] flags: 0x4fff00000000200(workingset|node=1|zone=1|lastcpupid=0x7ff) [ 84.912649][ T5018] page_type: f5(slab) [ 84.914669][ T5018] raw: 04fff00000000200 ffff88801ac413c0 ffffea0000cce990 ffffea0001092e90 [ 84.918582][ T5018] raw: ffff888036b84c00 000000080010000e 00000000f5000000 0000000000000000 [ 84.922236][ T5018] page dumped because: kasan: bad access detected [ 84.925150][ T5018] page_owner tracks the page as allocated [ 84.927730][ T5018] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 17023321742, free_ts 16995286870 [ 
84.937313][ T5018] post_alloc_hook+0x231/0x280 [ 84.939532][ T5018] get_page_from_freelist+0x24dc/0x2580 [ 84.941967][ T5018] __alloc_frozen_pages_noprof+0x18d/0x380 [ 84.944569][ T5018] allocate_slab+0x77/0x660 [ 84.946703][ T5018] refill_objects+0x331/0x3c0 [ 84.948968][ T5018] __pcs_replace_empty_main+0x2e6/0x730 [ 84.951907][ T5018] __kmalloc_cache_noprof+0x392/0x660 [ 84.954425][ T5018] call_usermodehelper_setup+0x8e/0x270 [ 84.956960][ T5018] kobject_uevent_env+0x658/0x9e0 [ 84.959350][ T5018] netdev_queue_update_kobjects+0x346/0x6c0 [ 84.962118][ T5018] netdev_register_kobject+0x258/0x310 [ 84.964761][ T5018] register_netdevice+0x12c0/0x1cf0 [ 84.967706][ T5018] bond_create+0xa9/0x110 [ 84.969909][ T5018] bonding_init+0x6a/0xb0 [ 84.971878][ T5018] do_one_initcall+0x250/0x8d0 [ 84.973893][ T5018] do_initcall_level+0x104/0x190 [ 84.976158][ T5018] page last free pid 53 tgid 53 stack trace: [ 84.978998][ T5018] __free_frozen_pages+0xc2b/0xdb0 [ 84.981814][ T5018] vfree+0x25a/0x400 [ 84.984051][ T5018] delayed_vfree_work+0x55/0x80 [ 84.986337][ T5018] process_scheduled_works+0xb6e/0x18c0 [ 84.988775][ T5018] worker_thread+0xa53/0xfc0 [ 84.990795][ T5018] kthread+0x388/0x470 [ 84.992630][ T5018] ret_from_fork+0x51e/0xb90 [ 84.995072][ T5018] ret_from_fork_asm+0x1a/0x30 [ 84.998056][ T5018] [ 84.999579][ T5018] Memory state around the buggy address: [ 85.002277][ T5018] ffff888036b84c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 85.005824][ T5018] ffff888036b84d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 85.009299][ T5018] >ffff888036b84d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 85.013031][ T5018] ^ [ 85.015128][ T5018] ffff888036b84e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 85.018598][ T5018] ffff888036b84e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 85.021744][ T5018] ==================================================================