program:
# Syzkaller program recorded in the console log ahead of the KASAN
# slab-use-after-free report (read in bpf_trace_run3, task kswapd0) that follows.
# Call properties, per syzkaller's program syntax: "(async)" means the executor
# does not wait for the call to finish before issuing the next one; "rerun: N"
# means the call is repeated N more times.
# NOTE(review): r7, r10 and r13 are referenced below but never assigned anywhere
# in this listing, so some result bindings were presumably lost when the log was
# extracted. Treat this text as a triage aid, not as a verified reproducer.

# seccomp filter install request; the struct passed has 0x0 in its first field
# (presumably the filter length - confirm against the syzkaller description).
prctl$PR_SET_SECCOMP(0x16, 0x2, &(0x7f0000000000)={0x0, &(0x7f00000000c0)})

# binder: two opens of ./binderfs/binder0, a context-manager registration on the
# first, and a reference-count command on the second. dup3 then makes fd r0 refer
# to r1's open file, which drops the fd-table reference to the original r0 file.
# No binder frame appears in any stack of the report below.
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000300)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000100)={0x73622a85, 0x0, 0x2})
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000200)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0}) (async)
r2 = dup3(r1, r0, 0x0)

# BPF: load a GPL-licensed program (r3) and attach it to the raw tracepoint
# 'mmap_lock_acquire_returned'. This is the part the report ties to the freed object:
#   - "Allocated by" stack: bpf_raw_tracepoint_open -> bpf_raw_tp_link_attach,
#     a kmalloc-192 object; the bad read is 24 bytes into it.
#   - Faulting stack: kswapd -> try_to_inc_max_seq -> mmap_lock tracepoint ->
#     __bpf_trace_mmap_lock_acquire_returned -> bpf_trace_run3.
#   - "Last potentially related work creation": call_rcu from bpf_link_release,
#     reached via __fput during do_exit; the kfree itself ran from rcu_core.
# The fd returned by the open is not bound to any rN, which is consistent with the
# link only being released at process teardown. With "rerun: 64" the open is
# repeated, so the log does not say which attachment is the freed object.
# NOTE(review): this suggests the link memory was released while a tracepoint
# caller could still dereference it - confirm against the kernel tree under test.
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x18, 0xb, &(0x7f0000000380)=ANY=[@ANYBLOB="18000000000000000000000000000000180100002020000000000000000000007b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000000600000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='mmap_lock_acquire_returned\x00', r3}, 0x18) (async, rerun: 64)

# userfaultfd, SCTP socket and memory-mapping calls. None of these subsystems shows
# up in the report's stacks; whether they matter for timing or for memory pressure
# (the faulting task is kswapd0) cannot be determined from this log.
r4 = userfaultfd(0x801) (async, rerun: 64)
r5 = socket$inet_sctp(0x2, 0x1, 0x84)
setsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX_OLD(r5, 0x84, 0x6b, &(0x7f0000000240)=[@in={0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}], 0x10) (async)
shutdown(r5, 0x1) (async, rerun: 32)
getsockopt$inet_sctp_SCTP_STREAM_SCHEDULER_VALUE(r5, 0x84, 0x7c, &(0x7f0000000040)={0x0, 0x0, 0x8001}, &(0x7f0000000080)=0x8) (rerun: 32)
munmap(&(0x7f0000800000/0x800000)=nil, 0x800000)
ioctl$UFFDIO_API(r4, 0xc018aa3f, &(0x7f0000000040)={0xaa, 0x139})
ioctl$UFFDIO_MOVE(r4, 0xc028aa05, &(0x7f0000000000)={&(0x7f0000724000/0x2000)=nil, &(0x7f0000ffb000/0x2000)=nil, 0x2000, 0x3})

# Further binder commands on r1 and on r2 (the fd number produced by dup3 above).
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000540)={0x10, 0x0, &(0x7f0000000440)=[@request_death={0x400c6313}], 0x0, 0x1000000, 0x0})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000640)={0x8, 0x0, &(0x7f0000000000)=[@decrefs={0x400c6314}], 0x0, 0x0, 0x0}) (async)

# Network-interface setup over rtnetlink: an interface-index lookup for 'macvtap0',
# one link message sent as an opaque byte blob, and one @newlink message carrying
# @macvlan link info. r10 (first message) and r7/r13 (second message) are the
# unassigned values noted at the top. No netlink frame appears in the report's stacks.
r6 = socket$inet(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000300)={'macvtap0\x00', 0x0}) (async)
r8 = socket$nl_route(0x10, 0x3, 0x0) (async, rerun: 32)
r9 = socket(0x10, 0x803, 0x0) (rerun: 32)
bind$netlink(r9, &(0x7f0000000100)={0x10, 0x0, 0x25dfdbfd, 0x400}, 0xc) (async)
getsockname$packet(r9, &(0x7f0000000600)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000080)=0x14)
sendmsg$nl_route(r8, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000700)=ANY=[@ANYBLOB="ee00000010000d042abd7000fbdbdf2500000000265055242b8ac0014ecf82cc1de2a199e52cc18ee8f5c6a499b1c4f9ca7aa49b5b0b9ac4500472d5d6036fb49c4f9060ea13c5ed553b85f17764ca8eb5ba64ed920d7e139b5f1b2165d4467520736c4733a59986b02382a03843da470eb55e97a586cacac16ae764bf45dd04474f3bed8b153183bae532c7e4f3856aeab8e088c2501ddf602ddd494af97e442c5a5641c6682446827f576b822b790e5be144ea5f221e9fb9c96f0c32c14df35f16ae5b6c5ed8664193aadd23d02dbefd3ac7b2d01318250b1b6212f334b12c7456f4ad0addb10164baf9c62bde8b601f37e00a46a01dbc5e4b340f6bbd115b818736f5ebaac5c1fced67d0d83b75b788ae21f67a688fd5722071b2bcb09b4722e3e80e900dc7435be4d0e842c85bd0569017bd4ca7cfff5473fa2e601e998c8cddb546ba0a66a59b81d7ef9db50948dcadb65a4219b6f9b0c5ff8a4dd78517e9939cfe9203ae17651866b03a7d13e6d6", @ANYRES32=r10, @ANYBLOB="01000000000000001c00128009000100626f6e64000000000c0002800500010005000000"], 0x3c}, 0x1, 0x0, 0x0, 0x40040}, 0x0)
r11 = socket$nl_route(0x10, 0x3, 0x0) (async)
r12 = socket(0x1, 0x803, 0x0)
getsockname$packet(r12, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000002c0)=0x14)
sendmsg$nl_route(r11, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000001400)=@newlink={0x44, 0x10, 0x401, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x14, 0x12, 0x0, 0x1, @macvlan={{0xc}, {0x4}}}, @IFLA_LINK={0x8, 0x5, r7}, @IFLA_MASTER={0x8, 0xa, r13}]}, 0x44}}, 0x0) (async, rerun: 64)
socket$nl_route(0x10, 0x3, 0x0) (rerun: 64)
[ 84.343063][ T45] Bluetooth: hci0: command tx timeout [ 84.596006][ T77] ================================================================== [ 84.599578][ T77] 
BUG: KASAN: slab-use-after-free in bpf_trace_run3+0xdd/0x850 [ 84.603293][ T77] Read of size 8 at addr ffff888038982618 by task kswapd0/77 [ 84.607208][ T77] [ 84.608651][ T77] CPU: 0 UID: 0 PID: 77 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full) [ 84.608697][ T77] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.608706][ T77] Call Trace: [ 84.608735][ T77] [ 84.608767][ T77] dump_stack_lvl+0xe8/0x150 [ 84.608839][ T77] print_report+0xba/0x230 [ 84.608860][ T77] ? bpf_trace_run3+0xdd/0x850 [ 84.608894][ T77] kasan_report+0x117/0x150 [ 84.608971][ T77] ? bpf_trace_run3+0xdd/0x850 [ 84.608993][ T77] bpf_trace_run3+0xdd/0x850 [ 84.609015][ T77] ? bpf_trace_run3+0x1f0/0x850 [ 84.609035][ T77] ? __pfx_bpf_trace_run3+0x10/0x10 [ 84.609058][ T77] ? __bpf_trace_mmap_lock_acquire_returned+0x15a/0x1d0 [ 84.609083][ T77] __bpf_trace_mmap_lock_acquire_returned+0x17e/0x1d0 [ 84.609105][ T77] ? __pfx___bpf_trace_mmap_lock_acquire_returned+0x10/0x10 [ 84.609165][ T77] ? down_read_trylock+0x210/0x380 [ 84.609201][ T77] ? try_to_inc_max_seq+0xcb1/0x10b0 [ 84.609214][ T77] ? __pfx___bpf_trace_mmap_lock_acquire_returned+0x10/0x10 [ 84.609234][ T77] __traceiter_mmap_lock_acquire_returned+0x87/0xe0 [ 84.609255][ T77] __mmap_lock_do_trace_acquire_returned+0x1a1/0x210 [ 84.609278][ T77] try_to_inc_max_seq+0xd6d/0x10b0 [ 84.609299][ T77] try_to_shrink_lruvec+0xdbb/0xfa0 [ 84.609323][ T77] ? __pfx_try_to_shrink_lruvec+0x10/0x10 [ 84.609342][ T77] shrink_one+0x25c/0x710 [ 84.609359][ T77] ? shrink_node+0x2d6a/0x3a90 [ 84.609373][ T77] shrink_node+0x3197/0x3a90 [ 84.609388][ T77] ? finish_task_switch+0x240/0x920 [ 84.609407][ T77] ? __lock_acquire+0x6b5/0x2cf0 [ 84.609426][ T77] ? shrink_node+0x2d6a/0x3a90 [ 84.609443][ T77] ? __lock_acquire+0x6b5/0x2cf0 [ 84.609463][ T77] ? percpu_ref_put+0x19/0x180 [ 84.609481][ T77] ? __pfx_shrink_node+0x10/0x10 [ 84.609495][ T77] ? percpu_ref_put+0x19/0x180 [ 84.609508][ T77] ? 
percpu_ref_put+0x19/0x180 [ 84.609524][ T77] ? mem_cgroup_iter+0x420/0x450 [ 84.609541][ T77] ? mem_cgroup_iter+0x3b/0x450 [ 84.609558][ T77] kswapd+0x1742/0x2e10 [ 84.609584][ T77] ? kswapd+0x935/0x2e10 [ 84.609605][ T77] ? __pfx_kswapd+0x10/0x10 [ 84.609626][ T77] ? __lock_acquire+0x6b5/0x2cf0 [ 84.609644][ T77] ? __mutex_unlock_slowpath+0x1bd/0x7d0 [ 84.609713][ T77] ? __pfx___mutex_unlock_slowpath+0x10/0x10 [ 84.609742][ T77] ? __pfx_autoremove_wake_function+0x10/0x10 [ 84.609757][ T77] ? __kthread_parkme+0x7a/0x1f0 [ 84.609780][ T77] kthread+0x388/0x470 [ 84.609793][ T77] ? __pfx_kswapd+0x10/0x10 [ 84.609817][ T77] ? __pfx_kthread+0x10/0x10 [ 84.609832][ T77] ret_from_fork+0x51e/0xb90 [ 84.609859][ T77] ? __pfx_ret_from_fork+0x10/0x10 [ 84.609877][ T77] ? __switch_to+0xc7d/0x1450 [ 84.609904][ T77] ? __pfx_kthread+0x10/0x10 [ 84.609918][ T77] ret_from_fork_asm+0x1a/0x30 [ 84.609945][ T77] [ 84.610926][ T77] [ 84.738632][ T77] Allocated by task 5321: [ 84.740621][ T77] kasan_save_track+0x3e/0x80 [ 84.742873][ T77] __kasan_kmalloc+0x93/0xb0 [ 84.745022][ T77] __kmalloc_cache_noprof+0x31c/0x660 [ 84.747666][ T77] bpf_raw_tp_link_attach+0x278/0x700 [ 84.750269][ T77] bpf_raw_tracepoint_open+0x1b2/0x220 [ 84.752980][ T77] __sys_bpf+0x846/0x950 [ 84.755272][ T77] __x64_sys_bpf+0x7c/0x90 [ 84.757684][ T77] do_syscall_64+0x14d/0xf80 [ 84.759572][ T77] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.761655][ T77] [ 84.762487][ T77] Freed by task 15: [ 84.764014][ T77] kasan_save_track+0x3e/0x80 [ 84.766047][ T77] kasan_save_free_info+0x46/0x50 [ 84.768320][ T77] __kasan_slab_free+0x5c/0x80 [ 84.770810][ T77] kfree+0x1c1/0x630 [ 84.773213][ T77] rcu_core+0x7cd/0x1070 [ 84.775402][ T77] handle_softirqs+0x22a/0x870 [ 84.777546][ T77] run_ksoftirqd+0x36/0x60 [ 84.779565][ T77] smpboot_thread_fn+0x541/0xa50 [ 84.782046][ T77] kthread+0x388/0x470 [ 84.784050][ T77] ret_from_fork+0x51e/0xb90 [ 84.786100][ T77] ret_from_fork_asm+0x1a/0x30 [ 84.789044][ T77] [ 84.790556][ T77] 
Last potentially related work creation: [ 84.793173][ T77] kasan_save_stack+0x3e/0x60 [ 84.795198][ T77] kasan_record_aux_stack+0xbd/0xd0 [ 84.797186][ T77] call_rcu+0xee/0x890 [ 84.798734][ T77] bpf_link_release+0x6b/0x80 [ 84.800743][ T77] __fput+0x44f/0xa70 [ 84.802380][ T77] task_work_run+0x1d9/0x270 [ 84.804316][ T77] do_exit+0x69b/0x2320 [ 84.806346][ T77] do_group_exit+0x21b/0x2d0 [ 84.808701][ T77] get_signal+0x1284/0x1330 [ 84.810866][ T77] arch_do_signal_or_restart+0xbc/0x830 [ 84.813829][ T77] exit_to_user_mode_loop+0x86/0x480 [ 84.816427][ T77] do_syscall_64+0x32d/0xf80 [ 84.818492][ T77] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.821197][ T77] [ 84.822286][ T77] The buggy address belongs to the object at ffff888038982600 [ 84.822286][ T77] which belongs to the cache kmalloc-192 of size 192 [ 84.830338][ T77] The buggy address is located 24 bytes inside of [ 84.830338][ T77] freed 192-byte region [ffff888038982600, ffff8880389826c0) [ 84.836391][ T77] [ 84.837504][ T77] The buggy address belongs to the physical page: [ 84.840238][ T77] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x38982 [ 84.844351][ T77] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 84.848613][ T77] page_type: f5(slab) [ 84.850792][ T77] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122 [ 84.854643][ T77] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000 [ 84.858755][ T77] page dumped because: kasan: bad access detected [ 84.861685][ T77] page_owner tracks the page as allocated [ 84.864319][ T77] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 53, tgid 53 (kworker/0:2), ts 22278682518, free_ts 22277772992 [ 84.875289][ T77] post_alloc_hook+0x231/0x280 [ 84.877548][ T77] get_page_from_freelist+0x24dc/0x2580 [ 84.880142][ T77] __alloc_frozen_pages_noprof+0x18d/0x380 [ 84.882805][ T77] allocate_slab+0x77/0x660 [ 
84.884881][ T77] refill_objects+0x331/0x3c0 [ 84.886883][ T77] __pcs_replace_empty_main+0x2b9/0x620 [ 84.889650][ T77] __kmalloc_noprof+0x474/0x760 [ 84.892282][ T77] usb_alloc_urb+0x46/0x150 [ 84.895176][ T77] usb_control_msg+0x118/0x3e0 [ 84.897241][ T77] hub_ext_port_status+0x116/0x820 [ 84.899503][ T77] hub_activate+0x6eb/0x1a80 [ 84.901582][ T77] process_scheduled_works+0xb02/0x1830 [ 84.904106][ T77] worker_thread+0xa50/0xfc0 [ 84.906555][ T77] kthread+0x388/0x470 [ 84.908546][ T77] ret_from_fork+0x51e/0xb90 [ 84.911347][ T77] ret_from_fork_asm+0x1a/0x30 [ 84.914131][ T77] page last free pid 13 tgid 13 stack trace: [ 84.916899][ T77] __free_frozen_pages+0xc2b/0xdb0 [ 84.919199][ T77] __kasan_populate_vmalloc+0x137/0x1d0 [ 84.921713][ T77] alloc_vmap_area+0xd73/0x14b0 [ 84.923897][ T77] __get_vm_area_node+0x1f8/0x300 [ 84.926218][ T77] __vmalloc_node_range_noprof+0x372/0x1730 [ 84.928762][ T77] __vmalloc_node_noprof+0xc2/0x100 [ 84.930825][ T77] dup_task_struct+0x228/0x9a0 [ 84.932818][ T77] copy_process+0x508/0x3cf0 [ 84.935063][ T77] kernel_clone+0x248/0x8e0 [ 84.937473][ T77] user_mode_thread+0x110/0x180 [ 84.939933][ T77] call_usermodehelper_exec_work+0x5c/0x230 [ 84.942286][ T77] process_scheduled_works+0xb02/0x1830 [ 84.944325][ T77] worker_thread+0xa50/0xfc0 [ 84.946000][ T77] kthread+0x388/0x470 [ 84.947503][ T77] ret_from_fork+0x51e/0xb90 [ 84.949571][ T77] ret_from_fork_asm+0x1a/0x30 [ 84.951801][ T77] [ 84.952900][ T77] Memory state around the buggy address: [ 84.955481][ T77] ffff888038982500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 84.959050][ T77] ffff888038982580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 84.962722][ T77] >ffff888038982600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 84.966419][ T77] ^ [ 84.968498][ T77] ffff888038982680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 84.972076][ T77] ffff888038982700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 84.975800][ T77] 
==================================================================