program:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004bc311ec8500000075000000a70000000800000095"], &(0x7f0000000380)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10)
r1 = syz_open_procfs$pagemap(0x0, &(0x7f0000000180))
ioctl$PAGEMAP_SCAN(r1, 0xc0606610, &(0x7f0000000240)={0x60, 0x1, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x7, 0x0, 0x0, 0xfffffffffffffff8, 0x0, 0x5, 0x41, 0x2})

[ 72.138744][ T5301] Bluetooth: hci0: command tx timeout
[ 72.275618][ T5013] ==================================================================
[ 72.279472][ T5013] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[ 72.283584][ T5013] Read of size 8 at addr ffff888033698480 by task dhcpcd/5013
[ 72.287321][ T5013]
[ 72.288507][ T5013] CPU: 0 UID: 101 PID: 5013 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full)
[ 72.288523][ T5013] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 72.288530][ T5013] Call Trace:
[ 72.288538][ T5013]
[ 72.288545][ T5013] dump_stack_lvl+0xe8/0x150
[ 72.288567][ T5013] print_report+0xba/0x230
[ 72.288600][ T5013] ? bpf_trace_run2+0x2c4/0x840
[ 72.288618][ T5013] kasan_report+0x117/0x150
[ 72.288632][ T5013] ? bpf_trace_run2+0x2c4/0x840
[ 72.288648][ T5013] bpf_trace_run2+0x2c4/0x840
[ 72.288664][ T5013] ? __queue_work+0x1a1/0x1020
[ 72.288680][ T5013] ? bpf_trace_run2+0x1c9/0x840
[ 72.288694][ T5013] ? __pfx_bpf_trace_run2+0x10/0x10
[ 72.288709][ T5013] ? seccomp_filter_release+0x22b/0x2d0
[ 72.288723][ T5013] ? seccomp_filter_release+0x22b/0x2d0
[ 72.288735][ T5013] ? seccomp_filter_release+0x22b/0x2d0
[ 72.288746][ T5013] kfree+0x5b2/0x630
[ 72.288758][ T5013] ? queue_work_on+0x159/0x1d0
[ 72.288770][ T5013] seccomp_filter_release+0x22b/0x2d0
[ 72.288780][ T5013] do_exit+0x3b0/0x23c0
[ 72.288790][ T5013] ? do_pte_missing+0x24ee/0x3750
[ 72.288808][ T5013] ? __pfx_do_exit+0x10/0x10
[ 72.288819][ T5013] ? do_raw_spin_lock+0x12b/0x2f0
[ 72.288831][ T5013] do_group_exit+0x21b/0x2d0
[ 72.288840][ T5013] ? _raw_spin_unlock_irq+0x23/0x50
[ 72.288902][ T5013] get_signal+0x1284/0x1330
[ 72.288919][ T5013] arch_do_signal_or_restart+0xbc/0x830
[ 72.288931][ T5013] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 72.288945][ T5013] ? do_user_addr_fault+0xe5c/0x1340
[ 72.288961][ T5013] irqentry_exit+0x176/0x620
[ 72.288977][ T5013] ? trace_irq_disable+0x3b/0x150
[ 72.288992][ T5013] asm_exc_page_fault+0x26/0x30
[ 72.289003][ T5013] RIP: 0033:0x7fb4ba423350
[ 72.289026][ T5013] Code: Unable to access opcode bytes at 0x7fb4ba423326.
[ 72.289032][ T5013] RSP: 002b:00007ffd425566c8 EFLAGS: 00010206
[ 72.289042][ T5013] RAX: ffffffffffffff78 RBX: 00007ffd42556bd0 RCX: 00007ffd42556758
[ 72.289050][ T5013] RDX: 00007ffd42556770 RSI: 00007fb4ba59d3c0 RDI: 00007ffd42556bd0
[ 72.289056][ T5013] RBP: 0000000000000000 R08: 0000000000000046 R09: 0000000000000000
[ 72.289063][ T5013] R10: 0000000000000000 R11: 000055d1973a4a6d R12: 0000000000000000
[ 72.289069][ T5013] R13: 00007ffd425570d0 R14: 0000000000000000 R15: 0000000000000000
[ 72.289079][ T5013]
[ 72.289084][ T5013]
[ 72.403782][ T5013] Allocated by task 5321:
[ 72.406171][ T5013] kasan_save_track+0x3e/0x80
[ 72.408465][ T5013] __kasan_kmalloc+0x93/0xb0
[ 72.411186][ T5013] __kmalloc_cache_noprof+0x31c/0x660
[ 72.413905][ T5013] bpf_raw_tp_link_attach+0x278/0x700
[ 72.416829][ T5013] bpf_raw_tracepoint_open+0x1b2/0x220
[ 72.419270][ T5013] __sys_bpf+0x846/0x950
[ 72.421365][ T5013] __x64_sys_bpf+0x7c/0x90
[ 72.423399][ T5013] do_syscall_64+0x14d/0xf80
[ 72.425648][ T5013] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 72.428859][ T5013]
[ 72.430335][ T5013] Freed by task 15:
[ 72.432506][ T5013] kasan_save_track+0x3e/0x80
[ 72.435236][ T5013] kasan_save_free_info+0x46/0x50
[ 72.438151][ T5013] __kasan_slab_free+0x5c/0x80
[ 72.441087][ T5013] kfree+0x1c1/0x630
[ 72.443282][ T5013] rcu_core+0x7cd/0x1070
[ 72.445635][ T5013] handle_softirqs+0x22a/0x870
[ 72.448331][ T5013] run_ksoftirqd+0x36/0x60
[ 72.450614][ T5013] smpboot_thread_fn+0x541/0xa50
[ 72.453331][ T5013] kthread+0x388/0x470
[ 72.455726][ T5013] ret_from_fork+0x51e/0xb90
[ 72.457939][ T5013] ret_from_fork_asm+0x1a/0x30
[ 72.460164][ T5013]
[ 72.461244][ T5013] Last potentially related work creation:
[ 72.463802][ T5013] kasan_save_stack+0x3e/0x60
[ 72.466154][ T5013] kasan_record_aux_stack+0xbd/0xd0
[ 72.468791][ T5013] call_rcu+0xee/0x890
[ 72.470975][ T5013] bpf_link_release+0x6b/0x80
[ 72.473022][ T5013] __fput+0x44f/0xa70
[ 72.474802][ T5013] task_work_run+0x1d9/0x270
[ 72.476817][ T5013] exit_to_user_mode_loop+0xed/0x480
[ 72.479281][ T5013] do_syscall_64+0x32d/0xf80
[ 72.481744][ T5013] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 72.484754][ T5013]
[ 72.485840][ T5013] The buggy address belongs to the object at ffff888033698400
[ 72.485840][ T5013]  which belongs to the cache kmalloc-192 of size 192
[ 72.492155][ T5013] The buggy address is located 128 bytes inside of
[ 72.492155][ T5013]  freed 192-byte region [ffff888033698400, ffff8880336984c0)
[ 72.498809][ T5013]
[ 72.499999][ T5013] The buggy address belongs to the physical page:
[ 72.504686][ T5013] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33698
[ 72.509229][ T5013] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 72.512495][ T5013] page_type: f5(slab)
[ 72.514590][ T5013] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122
[ 72.518576][ T5013] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[ 72.522921][ T5013] page dumped because: kasan: bad access detected
[ 72.526139][ T5013] page_owner tracks the page as allocated
[ 72.529362][ T5013] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 12013358174, free_ts 8587511566
[ 72.539329][ T5013] post_alloc_hook+0x231/0x280
[ 72.542032][ T5013] get_page_from_freelist+0x24dc/0x2580
[ 72.544993][ T5013] __alloc_frozen_pages_noprof+0x18d/0x380
[ 72.547709][ T5013] allocate_slab+0x77/0x660
[ 72.549861][ T5013] refill_objects+0x331/0x3c0
[ 72.552162][ T5013] __pcs_replace_empty_main+0x2f9/0x5e0
[ 72.555052][ T5013] __kmalloc_cache_noprof+0x392/0x660
[ 72.557902][ T5013] drm_atomic_state_alloc+0xa9/0x100
[ 72.560610][ T5013] drm_client_modeset_commit_atomic+0x122/0x7e0
[ 72.564325][ T5013] drm_client_modeset_commit_locked+0xcb/0x4d0
[ 72.567895][ T5013] drm_fb_helper_pan_display+0x3e7/0xbd0
[ 72.570913][ T5013] fb_pan_display+0x39e/0x680
[ 72.573137][ T5013] bit_update_start+0x4c/0x1e0
[ 72.575402][ T5013] fbcon_switch+0x127e/0x2040
[ 72.577758][ T5013] redraw_screen+0x586/0xec0
[ 72.580537][ T5013] set_con2fb_map+0xabb/0xfc0
[ 72.583070][ T5013] page last free pid 9 tgid 9 stack trace:
[ 72.585907][ T5013] __free_frozen_pages+0xc2b/0xdb0
[ 72.588207][ T5013] vfree+0x25a/0x400
[ 72.590145][ T5013] delayed_vfree_work+0x55/0x80
[ 72.592708][ T5013] process_scheduled_works+0xb02/0x1830
[ 72.595674][ T5013] worker_thread+0xa50/0xfc0
[ 72.598016][ T5013] kthread+0x388/0x470
[ 72.599938][ T5013] ret_from_fork+0x51e/0xb90
[ 72.602128][ T5013] ret_from_fork_asm+0x1a/0x30
[ 72.605147][ T5013]
[ 72.606851][ T5013] Memory state around the buggy address:
[ 72.609966][ T5013]  ffff888033698380: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 72.613830][ T5013]  ffff888033698400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.617675][ T5013] >ffff888033698480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 72.621512][ T5013]                    ^
[ 72.623622][ T5013]  ffff888033698500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.628029][ T5013]  ffff888033698580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 72.631918][ T5013] ==================================================================