program: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$packet(0x11, 0x3, 0x300) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000080)={'bridge_slave_0\x00', 0x0}) r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004bc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r3}, 0x10) r4 = userfaultfd(0x80001) socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)) ioctl$UFFDIO_API(r4, 0xc018aa3f, &(0x7f00000000c0)) ioctl$UFFDIO_REGISTER(0xffffffffffffffff, 0xc020aa00, &(0x7f0000000080)={{&(0x7f00002df000/0x4000)=nil, 0x4000}, 0x2}) ioctl$UFFDIO_COPY(r4, 0xc028aa05, &(0x7f0000000180)={&(0x7f00002b9000/0x400000)=nil, &(0x7f00003ab000/0x2000)=nil, 0x400000, 0x2, 0x2}) r5 = getpid() r6 = syz_pidfd_open(r5, 0x0) close_range(r6, 0xffffffffffffffff, 0x0) syz_usb_connect(0x3, 0xb, &(0x7f0000000500)=ANY=[], 0x0) ioctl$BTRFS_IOC_ADD_DEV(r6, 0x40095505, 0x0) sendmsg$nl_route(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000002c0)=@mpls_delroute={0x10c, 0x19, 0x100, 0x70bd28, 0x25dfdbff, {0x1c, 0x20, 0x14, 0xde, 0x0, 0x0, 0xff, 0x7}, [@RTA_MULTIPATH={0xc, 0x9, {0x100, 0x21, 0x0, r2}}, @RTA_TTL_PROPAGATE={0x5, 0x1a, 0x9}, @RTA_VIA={0x14, 0x12, {0xa, "9b871f1c3abf5d7e3756d85270db"}}, @RTA_TTL_PROPAGATE={0x5, 0x1a, 0x6}, @RTA_NEWDST={0x84, 0x13, [{0x9}, {}, {0xb}, {0x4}, {0x62, 0x0, 0x1}, {0xffffa}, {0x2}, {0x8}, {0x5}, {0xa017}, {0x1ff, 0x0, 0x1}, {0xffffa}, {0x6c0f}, {0x3, 0x0, 0x1}, {0x4}, {0x7}, {0xfffff, 0x0, 0x1}, {0xde, 0x0, 0x1}, {0xff}, {0x8}, {0x4}, {0x400}, {0x0, 0x0, 0x1}, {0xf20, 0x0, 0x1}, {0x644}, {0x1000, 0x0, 0x1}, {0x0, 0x0, 0x1}, {0xa}, {0x3, 0x0, 0x1}, {0xffffa}, {}, {0x0, 0x0, 0x1}]}, @RTA_VIA={0x14, 0x12, {0x1a, "82b526952055d6ccb406c90a141a"}}, @RTA_OIF={0x8, 0x4, r2}, @RTA_MULTIPATH={0xc, 0x9, {0x46, 0x0, 0x9, r2}}, @RTA_DST={0x8, 0x1, {0x2}}, @RTA_MULTIPATH={0xc, 0x9, {0x9, 0x24, 0x5, r2}}]}, 0x10c}}, 0x0) [ 84.853626][ T45] Bluetooth: hci0: command tx timeout [ 85.039085][ T5013] ================================================================== [ 85.042607][ T5013] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840 [ 85.046293][ T5013] Read of size 8 at addr ffff88803477fa80 by task dhcpcd/5013 [ 85.049791][ T5013] [ 85.050951][ T5013] CPU: 0 UID: 101 PID: 5013 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) [ 85.050968][ T5013] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 85.050976][ T5013] Call Trace: [ 85.050987][ T5013] [ 85.050994][ T5013] dump_stack_lvl+0xe8/0x150 [ 85.051062][ T5013] print_report+0xba/0x230 [ 85.051104][ T5013] ? bpf_trace_run2+0x2c4/0x840 [ 85.051121][ T5013] kasan_report+0x117/0x150 [ 85.051161][ T5013] ? bpf_trace_run2+0x2c4/0x840 [ 85.051176][ T5013] bpf_trace_run2+0x2c4/0x840 [ 85.051192][ T5013] ? bpf_trace_run2+0x1c9/0x840 [ 85.051204][ T5013] ? __pfx_bpf_trace_run2+0x10/0x10 [ 85.051218][ T5013] ? udp_destruct_sock+0x15/0x20 [ 85.051300][ T5013] ? udp_destruct_sock+0x15/0x20 [ 85.051310][ T5013] ? udp_destruct_sock+0x15/0x20 [ 85.051322][ T5013] kfree+0x5b2/0x630 [ 85.051339][ T5013] ? __pfx_udp_destruct_sock+0x10/0x10 [ 85.051352][ T5013] udp_destruct_sock+0x15/0x20 [ 85.051364][ T5013] __sk_destruct+0x85/0x880 [ 85.051375][ T5013] ? __sk_free+0x2da/0x3f0 [ 85.051393][ T5013] inet_release+0x186/0x200 [ 85.051406][ T5013] sock_close+0xc3/0x240 [ 85.051420][ T5013] ? __pfx_sock_close+0x10/0x10 [ 85.051431][ T5013] __fput+0x44f/0xa70 [ 85.051470][ T5013] task_work_run+0x1d9/0x270 [ 85.051501][ T5013] ? __pfx_task_work_run+0x10/0x10 [ 85.051512][ T5013] ? do_raw_spin_unlock+0x4d/0x210 [ 85.051550][ T5013] do_exit+0x70f/0x23c0 [ 85.051585][ T5013] ? fput_close_sync+0x11f/0x240 [ 85.051596][ T5013] ? __x64_sys_close+0x7e/0x110 [ 85.051611][ T5013] ? __pfx_do_exit+0x10/0x10 [ 85.051620][ T5013] ? do_raw_spin_lock+0x12b/0x2f0 [ 85.051631][ T5013] do_group_exit+0x21b/0x2d0 [ 85.051641][ T5013] ? _raw_spin_unlock_irq+0x23/0x50 [ 85.051664][ T5013] get_signal+0x1284/0x1330 [ 85.051687][ T5013] arch_do_signal_or_restart+0xbc/0x830 [ 85.051733][ T5013] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 85.051745][ T5013] ? kmem_cache_free+0x439/0x630 [ 85.051756][ T5013] ? fput_close_sync+0x11f/0x240 [ 85.051769][ T5013] exit_to_user_mode_loop+0x86/0x480 [ 85.051808][ T5013] ? rcu_is_watching+0x15/0xb0 [ 85.051841][ T5013] do_syscall_64+0x32d/0xf80 [ 85.051853][ T5013] ? trace_irq_disable+0x3b/0x150 [ 85.051862][ T5013] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.051873][ T5013] ? clear_bhb_loop+0x40/0x90 [ 85.051886][ T5013] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.051897][ T5013] RIP: 0033:0x7fb5588f7407 [ 85.051909][ T5013] Code: Unable to access opcode bytes at 0x7fb5588f73dd. [ 85.051914][ T5013] RSP: 002b:00007fff9b8ca190 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 85.051953][ T5013] RAX: 0000000000000000 RBX: 00007fb55886d780 RCX: 00007fb5588f7407 [ 85.051961][ T5013] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000000a [ 85.051966][ T5013] RBP: 00007fff9b8ca330 R08: 0000000000000000 R09: 0000000000000000 [ 85.051972][ T5013] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff9b8ca214 [ 85.051978][ T5013] R13: 00005645e8ceb534 R14: 000056462047a140 R15: 0000000000001396 [ 85.051988][ T5013] [ 85.051992][ T5013] [ 85.198875][ T5013] Allocated by task 5328: [ 85.201514][ T5013] kasan_save_track+0x3e/0x80 [ 85.203785][ T5013] __kasan_kmalloc+0x93/0xb0 [ 85.205859][ T5013] __kmalloc_cache_noprof+0x31c/0x660 [ 85.208183][ T5013] bpf_raw_tp_link_attach+0x278/0x700 [ 85.210544][ T5013] bpf_raw_tracepoint_open+0x1b2/0x220 [ 85.212951][ T5013] __sys_bpf+0x846/0x950 [ 85.215046][ T5013] __x64_sys_bpf+0x7c/0x90 [ 85.217170][ T5013] do_syscall_64+0x14d/0xf80 [ 85.219479][ T5013] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.223049][ T5013] [ 85.224484][ T5013] Freed by task 5145: [ 85.226611][ T5013] kasan_save_track+0x3e/0x80 [ 85.228758][ T5013] kasan_save_free_info+0x46/0x50 [ 85.231119][ T5013] __kasan_slab_free+0x5c/0x80 [ 85.233161][ T5013] kfree+0x1c1/0x630 [ 85.235024][ T5013] rcu_core+0x7cd/0x1070 [ 85.237314][ T5013] handle_softirqs+0x22a/0x870 [ 85.239457][ T5013] do_softirq+0x76/0xd0 [ 85.241384][ T5013] __local_bh_enable_ip+0xf8/0x130 [ 85.243648][ T5013] packet_release+0xb01/0xcc0 [ 85.246034][ T5013] sock_close+0xc3/0x240 [ 85.248073][ T5013] __fput+0x44f/0xa70 [ 85.249960][ T5013] fput_close_sync+0x11f/0x240 [ 85.252620][ T5013] __x64_sys_close+0x7e/0x110 [ 85.255139][ T5013] do_syscall_64+0x14d/0xf80 [ 85.257657][ T5013] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.260473][ T5013] [ 85.261664][ T5013] Last potentially related work creation: [ 85.264386][ T5013] kasan_save_stack+0x3e/0x60 [ 85.266603][ T5013] kasan_record_aux_stack+0xbd/0xd0 [ 85.269100][ T5013] call_rcu+0xee/0x890 [ 85.271526][ T5013] bpf_link_release+0x6b/0x80 [ 85.274202][ T5013] __fput+0x44f/0xa70 [ 85.276111][ T5013] task_work_run+0x1d9/0x270 [ 85.278090][ T5013] exit_to_user_mode_loop+0xed/0x480 [ 85.280369][ T5013] do_syscall_64+0x32d/0xf80 [ 85.282506][ T5013] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.285668][ T5013] [ 85.287041][ T5013] The buggy address belongs to the object at ffff88803477fa00 [ 85.287041][ T5013] which belongs to the cache kmalloc-192 of size 192 [ 85.293110][ T5013] The buggy address is located 128 bytes inside of [ 85.293110][ T5013] freed 192-byte region [ffff88803477fa00, ffff88803477fac0) [ 85.299747][ T5013] [ 85.300941][ T5013] The buggy address belongs to the physical page: [ 85.303901][ T5013] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3477f [ 85.308532][ T5013] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 85.312598][ T5013] page_type: f5(slab) [ 85.315179][ T5013] raw: 04fff00000000000 ffff88801ac413c0 dead000000000122 0000000000000000 [ 85.320199][ T5013] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000 [ 85.324867][ T5013] page dumped because: kasan: bad access detected [ 85.328481][ T5013] page_owner tracks the page as allocated [ 85.330917][ T5013] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5304, tgid 5304 (syz-executor), ts 82652067708, free_ts 82592776791 [ 85.340994][ T5013] post_alloc_hook+0x231/0x280 [ 85.344567][ T5013] get_page_from_freelist+0x24dc/0x2580 [ 85.347486][ T5013] __alloc_frozen_pages_noprof+0x18d/0x380 [ 85.350739][ T5013] allocate_slab+0x77/0x660 [ 85.353394][ T5013] refill_objects+0x331/0x3c0 [ 85.355651][ T5013] __pcs_replace_empty_main+0x2e6/0x730 [ 85.357982][ T5013] __kmalloc_noprof+0x474/0x760 [ 85.360407][ T5013] memcg_list_lru_alloc+0x27e/0x800 [ 85.362680][ T5013] __memcg_slab_post_alloc_hook+0x312/0xa80 [ 85.365644][ T5013] kmem_cache_alloc_lru_noprof+0x346/0x640 [ 85.368740][ T5013] __d_alloc+0x37/0x6f0 [ 85.370759][ T5013] d_alloc_pseudo+0x21/0xc0 [ 85.372865][ T5013] alloc_file_pseudo+0xdd/0x240 [ 85.374963][ T5013] sock_alloc_file+0xb8/0x2e0 [ 85.377020][ T5013] __sys_socket+0x13c/0x1b0 [ 85.379598][ T5013] __x64_sys_socket+0x7a/0x90 [ 85.382549][ T5013] page last free pid 5304 tgid 5304 stack trace: [ 85.385769][ T5013] __free_frozen_pages+0xc2b/0xdb0 [ 85.387646][ T5013] __slab_free+0x263/0x2b0 [ 85.389506][ T5013] qlist_free_all+0x97/0x100 [ 85.391300][ T5013] kasan_quarantine_reduce+0x148/0x160 [ 85.393476][ T5013] __kasan_slab_alloc+0x22/0x80 [ 85.395405][ T5013] kmem_cache_alloc_lru_noprof+0x2b8/0x640 [ 85.397695][ T5013] sock_alloc_inode+0x28/0xc0 [ 85.400188][ T5013] alloc_inode+0x6a/0x1b0 [ 85.402993][ T5013] __sock_create+0x12d/0x9d0 [ 85.405205][ T5013] __sys_socket+0xd6/0x1b0 [ 85.407301][ T5013] __x64_sys_socket+0x7a/0x90 [ 85.409373][ T5013] do_syscall_64+0x14d/0xf80 [ 85.411475][ T5013] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.414280][ T5013] [ 85.415606][ T5013] Memory state around the buggy address: [ 85.418834][ T5013] ffff88803477f980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 85.422507][ T5013] ffff88803477fa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 85.426142][ T5013] >ffff88803477fa80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 85.429965][ T5013] ^ [ 85.432271][ T5013] ffff88803477fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 85.436505][ T5013] ffff88803477fb80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 85.440160][ T5013] ================================================================== [ 85.450400][ T5013] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 85.453378][ T5013] CPU: 0 UID: 101 PID: 5013 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) [ 85.457096][ T5013] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 85.461540][ T5013] Call Trace: [ 85.463258][ T5013] [ 85.464736][ T5013] vpanic+0x56c/0xa60 [ 85.466444][ T5013] ? __pfx_vpanic+0x10/0x10 [ 85.468266][ T5013] panic+0xc5/0xd0 [ 85.470141][ T5013] ? __pfx_panic+0x10/0x10 [ 85.472918][ T5013] ? preempt_schedule_thunk+0x16/0x30 [ 85.475768][ T5013] ? bpf_trace_run2+0x2c4/0x840 [ 85.477857][ T5013] ? preempt_schedule_thunk+0x16/0x30 [ 85.480495][ T5013] ? bpf_trace_run2+0x2c4/0x840 [ 85.482843][ T5013] check_panic_on_warn+0x89/0xb0 [ 85.485239][ T5013] ? bpf_trace_run2+0x2c4/0x840 [ 85.487799][ T5013] end_report+0x73/0x180 [ 85.490065][ T5013] ? bpf_trace_run2+0x2c4/0x840 [ 85.492519][ T5013] kasan_report+0x128/0x150 [ 85.494816][ T5013] ? bpf_trace_run2+0x2c4/0x840 [ 85.497202][ T5013] bpf_trace_run2+0x2c4/0x840 [ 85.499419][ T5013] ? bpf_trace_run2+0x1c9/0x840 [ 85.501765][ T5013] ? __pfx_bpf_trace_run2+0x10/0x10 [ 85.504596][ T5013] ? udp_destruct_sock+0x15/0x20 [ 85.507301][ T5013] ? udp_destruct_sock+0x15/0x20 [ 85.509781][ T5013] ? udp_destruct_sock+0x15/0x20 [ 85.512449][ T5013] kfree+0x5b2/0x630 [ 85.514260][ T5013] ? __pfx_udp_destruct_sock+0x10/0x10 [ 85.516827][ T5013] udp_destruct_sock+0x15/0x20 [ 85.519043][ T5013] __sk_destruct+0x85/0x880 [ 85.521893][ T5013] ? __sk_free+0x2da/0x3f0 [ 85.524192][ T5013] inet_release+0x186/0x200 [ 85.526386][ T5013] sock_close+0xc3/0x240 [ 85.528339][ T5013] ? __pfx_sock_close+0x10/0x10 [ 85.530506][ T5013] __fput+0x44f/0xa70 [ 85.532837][ T5013] task_work_run+0x1d9/0x270 [ 85.535301][ T5013] ? __pfx_task_work_run+0x10/0x10 [ 85.537973][ T5013] ? do_raw_spin_unlock+0x4d/0x210 [ 85.540298][ T5013] do_exit+0x70f/0x23c0 [ 85.542107][ T5013] ? fput_close_sync+0x11f/0x240 [ 85.544208][ T5013] ? __x64_sys_close+0x7e/0x110 [ 85.546368][ T5013] ? __pfx_do_exit+0x10/0x10 [ 85.548544][ T5013] ? do_raw_spin_lock+0x12b/0x2f0 [ 85.551528][ T5013] do_group_exit+0x21b/0x2d0 [ 85.554154][ T5013] ? _raw_spin_unlock_irq+0x23/0x50 [ 85.556628][ T5013] get_signal+0x1284/0x1330 [ 85.558632][ T5013] arch_do_signal_or_restart+0xbc/0x830 [ 85.560977][ T5013] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 85.564258][ T5013] ? kmem_cache_free+0x439/0x630 [ 85.567211][ T5013] ? fput_close_sync+0x11f/0x240 [ 85.569592][ T5013] exit_to_user_mode_loop+0x86/0x480 [ 85.571971][ T5013] ? rcu_is_watching+0x15/0xb0 [ 85.574105][ T5013] do_syscall_64+0x32d/0xf80 [ 85.576062][ T5013] ? trace_irq_disable+0x3b/0x150 [ 85.578022][ T5013] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.580482][ T5013] ? clear_bhb_loop+0x40/0x90 [ 85.582734][ T5013] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.586547][ T5013] RIP: 0033:0x7fb5588f7407 [ 85.588997][ T5013] Code: Unable to access opcode bytes at 0x7fb5588f73dd. [ 85.592098][ T5013] RSP: 002b:00007fff9b8ca190 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 85.595553][ T5013] RAX: 0000000000000000 RBX: 00007fb55886d780 RCX: 00007fb5588f7407 [ 85.599047][ T5013] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000000a [ 85.602575][ T5013] RBP: 00007fff9b8ca330 R08: 0000000000000000 R09: 0000000000000000 [ 85.606296][ T5013] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff9b8ca214 [ 85.609987][ T5013] R13: 00005645e8ceb534 R14: 000056462047a140 R15: 0000000000001396 [ 85.613353][ T5013] [ 85.615157][ T5013] Kernel Offset: disabled [ 85.617259][ T5013] Rebooting in 86400 seconds..