program: r0 = mq_open(&(0x7f0000000400)='!d|\x00\x00\x8d\x00)|T\r\x1a\x10\xa9\x9b\xb8\xc2V\xc9\xa2>UgY\x94y\x00\x15H\xc3\xbc\xb2]\x1e\xf81.\x9e\x92h\xbe#U\x02', 0x6e93ebbbcc088cf2, 0x0, &(0x7f0000000000)={0x0, 0x1, 0xd2d}) mq_timedsend(r0, 0x0, 0x0, 0x0, 0x0) r1 = syz_open_procfs(0x0, &(0x7f00000000c0)='personality\x00') pread64(r1, &(0x7f0000000100)=""/87, 0x57, 0x5) (async) mq_timedreceive(r0, &(0x7f0000000580)=""/4096, 0x1000, 0x0, &(0x7f0000000140)) r2 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r2}, 0x10) (async) r3 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r3, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000700)={&(0x7f0000000780)={{0x14}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x301, 0x0, 0x0, {0x1}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWCHAIN={0x4c, 0x3, 0xa, 0x201, 0x0, 0x0, {0x1}, [@NFTA_CHAIN_NAME={0x9, 0x3, 'syz2\x00'}, @NFTA_CHAIN_HOOK={0x14, 0x4, 0x0, 0x1, [@NFTA_HOOK_HOOKNUM={0x8, 0x1, 0x1, 0x0, 0x3}, @NFTA_HOOK_PRIORITY={0x8, 0x2, 0x1, 0x0, 0x378b5ec3}]}, @NFTA_CHAIN_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_CHAIN_TYPE={0xa, 0x7, 'route\x00'}]}, @NFT_MSG_NEWRULE={0x48, 0x6, 0xa, 0x401, 0x0, 0x0, {0x1}, [@NFTA_RULE_CHAIN_ID={0x8}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_EXPRESSIONS={0x20, 0x4, 0x0, 0x1, [{0x1c, 0x1, 0x0, 0x1, @queue={{0xa}, @val={0xc, 0x2, 0x0, 0x1, [@NFTA_QUEUE_NUM={0x6, 0x1, 0x1, 0x0, 0x17}]}}}]}]}], {0x14}}, 0xdc}}, 0x0) r4 = socket$inet6_sctp(0xa, 0x1, 0x84) sendto$inet6(r4, &(0x7f00000009c0)="01", 0x1, 0x4004, &(0x7f0000000240)={0xa, 0x4e23, 0x0, @loopback, 0x20}, 0x1c) (async, rerun: 64) ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f0000000040)={'wlan0\x00'}) (rerun: 64) [ 83.436127][ T5299] Bluetooth: hci0: command tx timeout [ 83.441204][ T1315] ieee802154 phy0 wpan0: encryption failed: -22 [ 83.444867][ T1315] ieee802154 phy1 wpan1: encryption failed: -22 [ 84.431636][ T5194] ================================================================== [ 84.435296][ T5194] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840 [ 84.439848][ T5194] Read of size 8 at addr ffff88803422af80 by task dhcpcd/5194 [ 84.443878][ T5194] [ 84.445162][ T5194] CPU: 0 UID: 101 PID: 5194 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) [ 84.445181][ T5194] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.445190][ T5194] Call Trace: [ 84.445203][ T5194] [ 84.445211][ T5194] dump_stack_lvl+0xe8/0x150 [ 84.445241][ T5194] print_report+0xba/0x230 [ 84.445261][ T5194] ? bpf_trace_run2+0x2c4/0x840 [ 84.445278][ T5194] kasan_report+0x117/0x150 [ 84.445291][ T5194] ? bpf_trace_run2+0x2c4/0x840 [ 84.445322][ T5194] bpf_trace_run2+0x2c4/0x840 [ 84.445339][ T5194] ? __queue_work+0x1a1/0x1020 [ 84.445358][ T5194] ? bpf_trace_run2+0x1c9/0x840 [ 84.445374][ T5194] ? __pfx_bpf_trace_run2+0x10/0x10 [ 84.445389][ T5194] ? seccomp_filter_release+0x22b/0x2d0 [ 84.445404][ T5194] ? seccomp_filter_release+0x22b/0x2d0 [ 84.445417][ T5194] ? seccomp_filter_release+0x22b/0x2d0 [ 84.445429][ T5194] kfree+0x5b2/0x630 [ 84.445444][ T5194] ? queue_work_on+0x159/0x1d0 [ 84.445459][ T5194] seccomp_filter_release+0x22b/0x2d0 [ 84.445472][ T5194] do_exit+0x3b0/0x23c0 [ 84.445484][ T5194] ? fput_close_sync+0x11f/0x240 [ 84.445500][ T5194] ? __x64_sys_close+0x7e/0x110 [ 84.445515][ T5194] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.445529][ T5194] ? __pfx_do_exit+0x10/0x10 [ 84.445540][ T5194] ? do_raw_spin_lock+0x12b/0x2f0 [ 84.445555][ T5194] do_group_exit+0x21b/0x2d0 [ 84.445566][ T5194] ? _raw_spin_unlock_irq+0x23/0x50 [ 84.445666][ T5194] get_signal+0x1284/0x1330 [ 84.445687][ T5194] arch_do_signal_or_restart+0xbc/0x830 [ 84.445704][ T5194] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 84.445716][ T5194] ? kmem_cache_free+0x439/0x630 [ 84.445727][ T5194] ? fput_close_sync+0x11f/0x240 [ 84.445742][ T5194] exit_to_user_mode_loop+0x86/0x480 [ 84.445756][ T5194] ? rcu_is_watching+0x15/0xb0 [ 84.445774][ T5194] do_syscall_64+0x32d/0xf80 [ 84.445792][ T5194] ? trace_irq_disable+0x3b/0x150 [ 84.445809][ T5194] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.445821][ T5194] ? clear_bhb_loop+0x40/0x90 [ 84.445834][ T5194] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.445848][ T5194] RIP: 0033:0x7f0e5cb95407 [ 84.445864][ T5194] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff [ 84.445874][ T5194] RSP: 002b:00007ffd505ecb40 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 84.445887][ T5194] RAX: 0000000000000000 RBX: 00007f0e5cb0b780 RCX: 00007f0e5cb95407 [ 84.445895][ T5194] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000017 [ 84.445901][ T5194] RBP: 00007ffd505fcde0 R08: 0000000000000000 R09: 0000000000000000 [ 84.445907][ T5194] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffd505fcde0 [ 84.445914][ T5194] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 84.445924][ T5194] [ 84.445928][ T5194] [ 84.581555][ T5194] Allocated by task 5319: [ 84.583583][ T5194] kasan_save_track+0x3e/0x80 [ 84.585824][ T5194] __kasan_kmalloc+0x93/0xb0 [ 84.587978][ T5194] __kmalloc_cache_noprof+0x31c/0x660 [ 84.590591][ T5194] bpf_raw_tp_link_attach+0x278/0x700 [ 84.593308][ T5194] bpf_raw_tracepoint_open+0x1b2/0x220 [ 84.597221][ T5194] __sys_bpf+0x846/0x950 [ 84.599518][ T5194] __x64_sys_bpf+0x7c/0x90 [ 84.601515][ T5194] do_syscall_64+0x14d/0xf80 [ 84.603827][ T5194] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.606548][ T5194] [ 84.607686][ T5194] Freed by task 15: [ 84.609472][ T5194] kasan_save_track+0x3e/0x80 [ 84.611568][ T5194] kasan_save_free_info+0x46/0x50 [ 84.613823][ T5194] __kasan_slab_free+0x5c/0x80 [ 84.616015][ T5194] kfree+0x1c1/0x630 [ 84.618005][ T5194] rcu_core+0x7cd/0x1070 [ 84.620293][ T5194] handle_softirqs+0x22a/0x870 [ 84.622837][ T5194] run_ksoftirqd+0x36/0x60 [ 84.624961][ T5194] smpboot_thread_fn+0x541/0xa50 [ 84.626993][ T5194] kthread+0x388/0x470 [ 84.628852][ T5194] ret_from_fork+0x51e/0xb90 [ 84.630748][ T5194] ret_from_fork_asm+0x1a/0x30 [ 84.633173][ T5194] [ 84.634533][ T5194] Last potentially related work creation: [ 84.637717][ T5194] kasan_save_stack+0x3e/0x60 [ 84.640049][ T5194] kasan_record_aux_stack+0xbd/0xd0 [ 84.642393][ T5194] call_rcu+0xee/0x890 [ 84.644337][ T5194] bpf_link_release+0x6b/0x80 [ 84.646570][ T5194] __fput+0x44f/0xa70 [ 84.648421][ T5194] task_work_run+0x1d9/0x270 [ 84.650427][ T5194] exit_to_user_mode_loop+0xed/0x480 [ 84.653244][ T5194] do_syscall_64+0x32d/0xf80 [ 84.656158][ T5194] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.658896][ T5194] [ 84.659954][ T5194] The buggy address belongs to the object at ffff88803422af00 [ 84.659954][ T5194] which belongs to the cache kmalloc-192 of size 192 [ 84.666039][ T5194] The buggy address is located 128 bytes inside of [ 84.666039][ T5194] freed 192-byte region [ffff88803422af00, ffff88803422afc0) [ 84.672292][ T5194] [ 84.673639][ T5194] The buggy address belongs to the physical page: [ 84.676866][ T5194] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3422a [ 84.680956][ T5194] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 84.684316][ T5194] page_type: f5(slab) [ 84.686036][ T5194] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122 [ 84.689796][ T5194] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000 [ 84.694832][ T5194] page dumped because: kasan: bad access detected [ 84.697989][ T5194] page_owner tracks the page as allocated [ 84.700513][ T5194] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 18378687847, free_ts 18375646217 [ 84.709653][ T5194] post_alloc_hook+0x231/0x280 [ 84.712260][ T5194] get_page_from_freelist+0x24dc/0x2580 [ 84.715288][ T5194] __alloc_frozen_pages_noprof+0x18d/0x380 [ 84.718052][ T5194] allocate_slab+0x77/0x660 [ 84.720004][ T5194] refill_objects+0x331/0x3c0 [ 84.722106][ T5194] __pcs_replace_empty_main+0x2f9/0x5e0 [ 84.724607][ T5194] __kmalloc_cache_noprof+0x392/0x660 [ 84.727148][ T5194] call_usermodehelper_setup+0x8e/0x270 [ 84.730271][ T5194] kobject_uevent_env+0x658/0x9e0 [ 84.732901][ T5194] really_probe+0x789/0xaf0 [ 84.735072][ T5194] __driver_probe_device+0x18c/0x320 [ 84.737456][ T5194] driver_probe_device+0x4f/0x240 [ 84.739892][ T5194] __driver_attach+0x349/0x640 [ 84.742208][ T5194] bus_for_each_dev+0x23b/0x2c0 [ 84.745039][ T5194] bus_add_driver+0x345/0x670 [ 84.747571][ T5194] driver_register+0x23a/0x320 [ 84.749979][ T5194] page last free pid 1231 tgid 1231 stack trace: [ 84.752891][ T5194] __free_frozen_pages+0xc2b/0xdb0 [ 84.755262][ T5194] vfree+0x25a/0x400 [ 84.757145][ T5194] delayed_vfree_work+0x55/0x80 [ 84.759801][ T5194] process_scheduled_works+0xb02/0x1830 [ 84.762918][ T5194] worker_thread+0xa50/0xfc0 [ 84.765101][ T5194] kthread+0x388/0x470 [ 84.766965][ T5194] ret_from_fork+0x51e/0xb90 [ 84.768996][ T5194] ret_from_fork_asm+0x1a/0x30 [ 84.771179][ T5194] [ 84.772270][ T5194] Memory state around the buggy address: [ 84.775057][ T5194] ffff88803422ae80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 84.779194][ T5194] ffff88803422af00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 84.782535][ T5194] >ffff88803422af80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 84.785771][ T5194] ^ [ 84.787566][ T5194] ffff88803422b000: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 84.791295][ T5194] ffff88803422b080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc [ 84.795639][ T5194] ==================================================================