program:
r0 = syz_usb_connect(0x2, 0x4a, &(0x7f0000000040)=ANY=[@ANYBLOB="120100005520f010402038b1420104000001090238000100000000090400000544fb2f00090582eb1000000001020009050276"], 0x0) (async)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004bc311ec8500000075000000a70000000800000095"], &(0x7f0000000380)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0xfffffffd}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r1}, 0x10)
syz_usb_control_io$cdc_ecm(r0, &(0x7f0000000180)={0x14, 0x0, &(0x7f0000000000)={0x0, 0x3, 0x1a, {0x1a}}}, 0x0) (async)
r2 = socket$inet_udp(0x2, 0x2, 0x0) (async)
r3 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f00000015c0), 0x2, 0x0)
ioctl$VHOST_SET_VRING_BASE(r3, 0xaf01, 0x0) (async)
ioctl$VHOST_SET_VRING_ADDR(r3, 0x4028af11, &(0x7f00000002c0)={0x0, 0x1, 0x0, &(0x7f0000000180)=""/53, 0x0}) (async)
ioctl$VHOST_SET_VRING_ADDR(r3, 0x4028af11, &(0x7f0000000280)={0x1, 0x0, 0x0, &(0x7f00000000c0)=""/87, 0x0}) (async)
ioctl$VHOST_SET_MEM_TABLE(r3, 0x4008af03, &(0x7f0000000240)) (async)
syz_usb_control_io$lan78xx(r0, &(0x7f0000000480)={0x14, &(0x7f00000007c0)={0x20, 0x32, 0x88, {0x88, 0xc, "d592e671b91d77c051f948c9ac4fd1e627dc4fb12954c4d575347c9d03e5cb8ce8c1c9ff4d9c30fb8ccb4e30416e142823662d30e2f082a395976242e0c27efbb8f27a3cf622d8a6fe981cf2e0f11ab5bb1cf294b1067b2e36f2c5786becfbcd006a47babe6bf9b3aa1328ccc4511a2af03fc9bbb135706600"/134}}, &(0x7f0000000340)=ANY=[@ANYBLOB="00e7b10000008651bc79"]}, &(0x7f0000000780)={0x34, &(0x7f0000000580)={0x20, 0x18, 0xe0, "f5e58351341fe93ae08dd631cb1ab36ce464271ba3e1513ae8da2b670784d1db9a1c3f28b16577bf720672352128f2dfc22a750c667a512a15bb6277d5c602e3219de213e2abfb5c140a121622863c26a9800c060afa10ee4194f3368dc87cd0769f86e55979e858ce962ac0637f8cdf6cd219126a450a505f8e9c0da3030f8d92431c708e7712d64b1e029f748ae1a462090b7091637352561096b4cea30351a13e88ed771106d6bcc2d79845121a0184bd3ac822a42b39933f93a676b802200bf35f34a620ab812be675c33fbd875f580937676cc462c99c64ab627c7cc105"}, &(0x7f00000004c0)={0x0, 0xa, 0x1, 0x2}, &(0x7f0000000680)={0x0, 0x8, 0x1, 0x29}, &(0x7f00000006c0)={0xc0, 0xa1, 0x4, 0x28ae}, &(0x7f0000000700)={0x40, 0xa0, 0x4, 0xfec}, &(0x7f0000000740)={0xc0, 0xa2, 0x2f, "563db79a630e2de503654d553e6731d1aaf82ef9450c9c848ee240a5c8595ec887e85334226e6c10c1f4360df6729b"}}) (async)
ioctl$VHOST_VSOCK_SET_RUNNING(r3, 0x4004af61, &(0x7f0000000500)=0x1)
r4 = syz_open_dev$sndctrl(&(0x7f0000000000), 0x0, 0x0)
ioctl$SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE(r4, 0x40045532, &(0x7f0000000040))
r5 = openat$audio(0xffffffffffffff9c, &(0x7f0000000140), 0x40000000040201, 0x0)
r6 = syz_open_dev$sndpcmp(&(0x7f0000000200), 0x0, 0xa2c65)
write$RDMA_USER_CM_CMD_CREATE_ID(r5, &(0x7f0000000500)={0x0, 0xfffffffffffffd83, 0xfa00, {0x0, 0x0}}, 0xfdbc) (async)
ioctl$SNDRV_PCM_IOCTL_SW_PARAMS(r6, 0xc0884113, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x10001}) (async)
ioctl$SNDRV_PCM_IOCTL_STATUS_EXT32(r6, 0x4148, 0x0)
ioctl$VHOST_SET_VRING_KICK(r3, 0x4008af04, &(0x7f0000000200)) (async)
r7 = socket$pppl2tp(0x18, 0x1, 0x1)
connect$pppl2tp(r7, &(0x7f0000000000)=@pppol2tpv3={0x18, 0x1, {0x0, r2, {0x2, 0x0, @broadcast}, 0x2}}, 0x2e)
r8 = syz_genetlink_get_family_id$l2tp(&(0x7f00000008c0), 0xffffffffffffffff) (async)
r9 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$L2TP_CMD_SESSION_GET(r9, &(0x7f0000000240)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x20}, 0xc, &(0x7f00000000c0)={&(0x7f00000002c0)={0x68, r8, 0x200, 0x70bd29, 0x25dfdbfb, {}, [@L2TP_ATTR_OFFSET={0x6, 0x3, 0xf}, @L2TP_ATTR_DEBUG={0x8, 0x11, 0x1}, @L2TP_ATTR_UDP_CSUM={0x5,
0xd, 0x1}, @L2TP_ATTR_UDP_SPORT={0x6, 0x1a, 0x4e24}, @L2TP_ATTR_MTU={0x6}, @L2TP_ATTR_FD={0x8, 0x17, @udp=r2}, @L2TP_ATTR_COOKIE={0xc, 0xf, 0x9}, @L2TP_ATTR_RECV_SEQ={0x5, 0x12, 0x7}, @L2TP_ATTR_UDP_ZERO_CSUM6_TX={0x5, 0x21, 0x1}, @L2TP_ATTR_VLAN_ID={0x6, 0xe, 0x401}]}, 0x68}, 0x1, 0x0, 0x0, 0x4044040}, 0x20004040) (async)
setsockopt$inet_opts(r2, 0x0, 0x4, 0x0, 0x0) (async)
sendmsg$L2TP_CMD_SESSION_DELETE(r9, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000180)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r8, @ANYBLOB="01002cbd701004000000050000000600010005000000080009000200000008000b000000000808000c00a60ad0f9"], 0x34}, 0x1, 0x0, 0x0, 0x20008845}, 0x0)

[ 75.037045][ T4663] Bluetooth: hci0: command tx timeout
[ 75.335179][ T9] usb 5-1: new full-speed USB device number 2 using dummy_hcd
[ 75.343942][ T5173] ==================================================================
[ 75.347349][ T5173] BUG: KASAN: vmalloc-out-of-bounds in bpf_trace_run2+0x28c/0x840
[ 75.355739][ T5173] Read of size 8 at addr ffffc9000147e040 by task dhcpcd/5173
[ 75.359273][ T5173]
[ 75.360524][ T5173] CPU: 0 UID: 101 PID: 5173 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full)
[ 75.360539][ T5173] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 75.360566][ T5173] Call Trace:
[ 75.360742][ T5173]
[ 75.360790][ T5173] dump_stack_lvl+0xe8/0x150
[ 75.360934][ T5173] print_report+0xba/0x230
[ 75.360969][ T5173] ? bpf_trace_run2+0x28c/0x840
[ 75.361009][ T5173] kasan_report+0x117/0x150
[ 75.361069][ T5173] ? bpf_trace_run2+0x28c/0x840
[ 75.361086][ T5173] bpf_trace_run2+0x28c/0x840
[ 75.361132][ T5173] ? __queue_work+0x1a1/0x1020
[ 75.361161][ T5173] ? bpf_trace_run2+0x1c9/0x840
[ 75.361172][ T5173] ? __pfx_bpf_trace_run2+0x10/0x10
[ 75.361184][ T5173] ? seccomp_filter_release+0x22b/0x2d0
[ 75.361196][ T5173] ? seccomp_filter_release+0x22b/0x2d0
[ 75.361205][ T5173] ? seccomp_filter_release+0x22b/0x2d0
[ 75.361214][ T5173] kfree+0x5b2/0x630
[ 75.361260][ T5173] ? queue_work_on+0x159/0x1d0
[ 75.361273][ T5173] seccomp_filter_release+0x22b/0x2d0
[ 75.361284][ T5173] do_exit+0x338/0x2320
[ 75.361294][ T5173] ? fput_close_sync+0x11f/0x240
[ 75.361366][ T5173] ? __x64_sys_close+0x7e/0x110
[ 75.361378][ T5173] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.361389][ T5173] ? __pfx_do_exit+0x10/0x10
[ 75.361399][ T5173] ? do_raw_spin_lock+0x12b/0x2f0
[ 75.361451][ T5173] do_group_exit+0x21b/0x2d0
[ 75.361460][ T5173] ? _raw_spin_unlock_irq+0x23/0x50
[ 75.361520][ T5173] get_signal+0x1284/0x1330
[ 75.361538][ T5173] arch_do_signal_or_restart+0xbc/0x830
[ 75.361600][ T5173] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 75.361611][ T5173] ? kmem_cache_free+0x439/0x630
[ 75.361628][ T5173] ? fput_close_sync+0x11f/0x240
[ 75.361642][ T5173] exit_to_user_mode_loop+0x86/0x480
[ 75.361692][ T5173] ? rcu_is_watching+0x15/0xb0
[ 75.361709][ T5173] do_syscall_64+0x32d/0xf80
[ 75.361781][ T5173] ? trace_irq_disable+0x3b/0x150
[ 75.361798][ T5173] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.361810][ T5173] ? clear_bhb_loop+0x40/0x90
[ 75.361822][ T5173] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.361848][ T5173] RIP: 0033:0x7fb3ddad5407
[ 75.361909][ T5173] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[ 75.361955][ T5173] RSP: 002b:00007fff062cb570 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[ 75.361969][ T5173] RAX: 0000000000000000 RBX: 00007fb3dda4b740 RCX: 00007fb3ddad5407
[ 75.361977][ T5173] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000016
[ 75.361983][ T5173] RBP: 00007fff062db810 R08: 0000000000000000 R09: 0000000000000000
[ 75.361989][ T5173] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff062db810
[ 75.361996][ T5173] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 75.362006][ T5173]
[ 75.362011][ T5173]
[ 75.483225][ T5173] The buggy address belongs to a vmalloc virtual mapping
[ 75.486582][ T5173] Memory state around the buggy address:
[ 75.489159][ T5173]  ffffc9000147df00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[ 75.492640][ T5173]  ffffc9000147df80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[ 75.495994][ T5173] >ffffc9000147e000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[ 75.499417][ T5173]                                             ^
[ 75.502093][ T5173]  ffffc9000147e080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[ 75.505722][ T5173]  ffffc9000147e100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[ 75.509207][ T5173] ==================================================================