program: r0 = openat$sndseq(0xffffffffffffff9c, &(0x7f0000000240), 0x2400) ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO(r0, 0xc02c5341, &(0x7f0000000380)) r1 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0) ioctl$IOMMU_IOAS_ALLOC(r1, 0x3b81, &(0x7f00000000c0)={0xc, 0x0, 0x0}) r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000000400)={0x10201, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0) ioctl$KVM_PRE_FAULT_MEMORY(r5, 0xc040aed5, &(0x7f0000000200)={0x10000, 0x100000}) ioctl$IOMMU_IOAS_UNMAP$ALL(r1, 0x3b86, 0x0) ioctl$IOMMU_IOAS_ALLOC(r1, 0x3b81, &(0x7f0000000400)={0xc, 0x0, 0x0}) r7 = syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$sock_ifreq(r7, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'}) r8 = io_uring_setup(0x7d5, &(0x7f0000000500)={0x0, 0x8020000}) r9 = syz_init_net_socket$ax25(0x3, 0x5, 0xcb) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r10, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) r11 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(r9, 0x101, 0x19, &(0x7f0000000040)=@rose={'rose', 0x0}, 0x10) ioctl$sock_netdev_private(r11, 0x8914, &(0x7f0000000000)) r12 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r12}, 0x10) bind$ax25(r9, &(0x7f0000000540)={{0x3, @bcast, 0x1}, [@default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @null, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]}, 0x48) connect$ax25(r9, &(0x7f00000001c0)={{0x3, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5}, [@bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}, 0x48) close_range(r8, 0xffffffffffffffff, 0x0) ioctl$IOMMU_IOAS_MAP(r1, 0x3b85, &(0x7f0000000440)={0x28, 0x3, r2, 0x0, &(0x7f0000000480)='LLLLLLLLLLLLLLLLLLLLLLLLLLLL', 0x1c, 0x2}) ioctl$IOMMU_IOAS_COPY(r1, 0x3b83, &(0x7f00000004c0)={0x28, 0x1, r6, r2, 0x1c, 0x3, 0x7}) ioctl$IOMMU_IOAS_UNMAP(0xffffffffffffffff, 0x3b86, &(0x7f0000000500)={0x18, r6, 0x7, 0x1d}) bpf$TOKEN_CREATE(0x24, &(0x7f0000000100)={0x0, r5}, 0x8) [ 88.482949][ T45] Bluetooth: hci0: command tx timeout [ 88.744587][ T5322] 8021q: adding VLAN 0 to HW filter on device bond0 [ 88.751535][ T5322] bond0: (slave rose0): Enslaving as an active interface with an up link [ 88.928949][ T5191] ================================================================== [ 88.932670][ T5191] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840 [ 88.936210][ T5191] Read of size 8 at addr ffff88801ed8d380 by task dhcpcd/5191 [ 88.939298][ T5191] [ 88.940362][ T5191] CPU: 0 UID: 101 PID: 5191 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) [ 88.940380][ T5191] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 88.940387][ T5191] Call Trace: [ 88.940393][ T5191] [ 88.941792][ T5191] dump_stack_lvl+0xe8/0x150 [ 88.942037][ T5191] print_report+0xba/0x230 [ 88.942054][ T5191] ? bpf_trace_run2+0x2c4/0x840 [ 88.942073][ T5191] kasan_report+0x117/0x150 [ 88.942193][ T5191] ? bpf_trace_run2+0x2c4/0x840 [ 88.942209][ T5191] bpf_trace_run2+0x2c4/0x840 [ 88.942222][ T5191] ? __queue_work+0x1a1/0x1020 [ 88.942240][ T5191] ? bpf_trace_run2+0x1c9/0x840 [ 88.942253][ T5191] ? __pfx_bpf_trace_run2+0x10/0x10 [ 88.942267][ T5191] ? seccomp_filter_release+0x22b/0x2d0 [ 88.942281][ T5191] ? seccomp_filter_release+0x22b/0x2d0 [ 88.942297][ T5191] ? seccomp_filter_release+0x22b/0x2d0 [ 88.942308][ T5191] kfree+0x5b2/0x630 [ 88.942326][ T5191] ? queue_work_on+0x159/0x1d0 [ 88.942345][ T5191] seccomp_filter_release+0x22b/0x2d0 [ 88.942357][ T5191] do_exit+0x338/0x2320 [ 88.942367][ T5191] ? fput_close_sync+0x11f/0x240 [ 88.942378][ T5191] ? __x64_sys_close+0x7e/0x110 [ 88.942391][ T5191] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 88.942403][ T5191] ? __pfx_do_exit+0x10/0x10 [ 88.942413][ T5191] ? do_raw_spin_lock+0x12b/0x2f0 [ 88.942427][ T5191] do_group_exit+0x21b/0x2d0 [ 88.942438][ T5191] ? _raw_spin_unlock_irq+0x23/0x50 [ 88.942792][ T5191] get_signal+0x1284/0x1330 [ 88.942810][ T5191] arch_do_signal_or_restart+0xbc/0x830 [ 88.942825][ T5191] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 88.942835][ T5191] ? kmem_cache_free+0x439/0x630 [ 88.942850][ T5191] ? fput_close_sync+0x11f/0x240 [ 88.942864][ T5191] exit_to_user_mode_loop+0x86/0x480 [ 88.942876][ T5191] ? rcu_is_watching+0x15/0xb0 [ 88.942891][ T5191] do_syscall_64+0x32d/0xf80 [ 88.942905][ T5191] ? trace_irq_disable+0x3b/0x150 [ 88.942919][ T5191] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 88.942930][ T5191] ? clear_bhb_loop+0x40/0x90 [ 88.942942][ T5191] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 88.942953][ T5191] RIP: 0033:0x7fda52cea407 [ 88.942965][ T5191] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff [ 88.942975][ T5191] RSP: 002b:00007ffea00c8760 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 88.942987][ T5191] RAX: 0000000000000000 RBX: 00007fda52c60740 RCX: 00007fda52cea407 [ 88.942994][ T5191] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000018 [ 88.943000][ T5191] RBP: 00007ffea00d8a00 R08: 0000000000000000 R09: 0000000000000000 [ 88.943007][ T5191] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffea00d8a00 [ 88.943013][ T5191] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 88.943024][ T5191] [ 88.943028][ T5191] [ 89.060336][ T5191] Allocated by task 5323: [ 89.062140][ T5191] kasan_save_track+0x3e/0x80 [ 89.064092][ T5191] __kasan_kmalloc+0x93/0xb0 [ 89.065999][ T5191] __kmalloc_cache_noprof+0x31c/0x660 [ 89.068319][ T5191] bpf_raw_tp_link_attach+0x278/0x700 [ 89.070510][ T5191] bpf_raw_tracepoint_open+0x1b2/0x220 [ 89.072837][ T5191] __sys_bpf+0x846/0x950 [ 89.074410][ T5191] __x64_sys_bpf+0x7c/0x90 [ 89.076218][ T5191] do_syscall_64+0x14d/0xf80 [ 89.078149][ T5191] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.080463][ T5191] [ 89.081497][ T5191] Freed by task 15: [ 89.083109][ T5191] kasan_save_track+0x3e/0x80 [ 89.085151][ T5191] kasan_save_free_info+0x46/0x50 [ 89.087438][ T5191] __kasan_slab_free+0x5c/0x80 [ 89.089798][ T5191] kfree+0x1c1/0x630 [ 89.091629][ T5191] rcu_core+0x7cd/0x1070 [ 89.093446][ T5191] handle_softirqs+0x22a/0x870 [ 89.095564][ T5191] run_ksoftirqd+0x36/0x60 [ 89.097325][ T5191] smpboot_thread_fn+0x541/0xa50 [ 89.099206][ T5191] kthread+0x388/0x470 [ 89.100799][ T5191] ret_from_fork+0x51e/0xb90 [ 89.102762][ T5191] ret_from_fork_asm+0x1a/0x30 [ 89.104940][ T5191] [ 89.105861][ T5191] Last potentially related work creation: [ 89.108326][ T5191] kasan_save_stack+0x3e/0x60 [ 89.110430][ T5191] kasan_record_aux_stack+0xbd/0xd0 [ 89.112747][ T5191] call_rcu+0xee/0x890 [ 89.114537][ T5191] bpf_link_release+0x6b/0x80 [ 89.116590][ T5191] __fput+0x44f/0xa70 [ 89.118360][ T5191] task_work_run+0x1d9/0x270 [ 89.120355][ T5191] exit_to_user_mode_loop+0xed/0x480 [ 89.122580][ T5191] do_syscall_64+0x32d/0xf80 [ 89.124460][ T5191] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.126997][ T5191] [ 89.127967][ T5191] The buggy address belongs to the object at ffff88801ed8d300 [ 89.127967][ T5191] which belongs to the cache kmalloc-192 of size 192 [ 89.134434][ T5191] The buggy address is located 128 bytes inside of [ 89.134434][ T5191] freed 192-byte region [ffff88801ed8d300, ffff88801ed8d3c0) [ 89.140328][ T5191] [ 89.141502][ T5191] The buggy address belongs to the physical page: [ 89.144184][ T5191] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ed8d [ 89.147825][ T5191] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 89.150648][ T5191] page_type: f5(slab) [ 89.152433][ T5191] raw: 00fff00000000000 ffff88801a8413c0 dead000000000100 dead000000000122 [ 89.155938][ T5191] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 89.159494][ T5191] page dumped because: kasan: bad access detected [ 89.162246][ T5191] page_owner tracks the page as allocated [ 89.164716][ T5191] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 5295, tgid 5295 (syz-executor), ts 82837205886, free_ts 82722829218 [ 89.172674][ T5191] post_alloc_hook+0x231/0x280 [ 89.174759][ T5191] get_page_from_freelist+0x24dc/0x2580 [ 89.177019][ T5191] __alloc_frozen_pages_noprof+0x18d/0x380 [ 89.179418][ T5191] allocate_slab+0x77/0x660 [ 89.181390][ T5191] ___slab_alloc+0x150/0x6b0 [ 89.183432][ T5191] __kmalloc_node_noprof+0x309/0x7c0 [ 89.185610][ T5191] alloc_slab_obj_exts+0x4b/0x1b0 [ 89.187839][ T5191] __memcg_slab_post_alloc_hook+0x53c/0xa80 [ 89.190427][ T5191] kmem_cache_alloc_noprof+0x347/0x650 [ 89.192791][ T5191] copy_signal+0x50/0x650 [ 89.194730][ T5191] copy_process+0x1862/0x3cf0 [ 89.196858][ T5191] kernel_clone+0x248/0x8e0 [ 89.198713][ T5191] __x64_sys_clone+0x1b6/0x230 [ 89.200737][ T5191] do_syscall_64+0x14d/0xf80 [ 89.202709][ T5191] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.205314][ T5191] page last free pid 15 tgid 15 stack trace: [ 89.207880][ T5191] __free_frozen_pages+0xc2b/0xdb0 [ 89.210050][ T5191] tlb_remove_table_rcu+0x85/0x100 [ 89.212317][ T5191] rcu_core+0x7cd/0x1070 [ 89.214165][ T5191] handle_softirqs+0x22a/0x870 [ 89.216327][ T5191] run_ksoftirqd+0x36/0x60 [ 89.218244][ T5191] smpboot_thread_fn+0x541/0xa50 [ 89.220351][ T5191] kthread+0x388/0x470 [ 89.222155][ T5191] ret_from_fork+0x51e/0xb90 [ 89.224190][ T5191] ret_from_fork_asm+0x1a/0x30 [ 89.226288][ T5191] [ 89.227311][ T5191] Memory state around the buggy address: [ 89.229590][ T5191] ffff88801ed8d280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc [ 89.232875][ T5191] ffff88801ed8d300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 89.236151][ T5191] >ffff88801ed8d380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 89.239522][ T5191] ^ [ 89.241441][ T5191] ffff88801ed8d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 89.244996][ T5191] ffff88801ed8d480: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc [ 89.248589][ T5191] ================================================================== [ 89.296951][ T5191] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 89.300124][ T5191] CPU: 0 UID: 101 PID: 5191 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) [ 89.303938][ T5191] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 89.308255][ T5191] Call Trace: [ 89.309703][ T5191] [ 89.311020][ T5191] vpanic+0x56c/0xa60 [ 89.312796][ T5191] ? __pfx_vpanic+0x10/0x10 [ 89.314785][ T5191] panic+0xc5/0xd0 [ 89.316456][ T5191] ? __pfx_panic+0x10/0x10 [ 89.318458][ T5191] ? preempt_schedule_thunk+0x16/0x30 [ 89.320743][ T5191] ? bpf_trace_run2+0x2c4/0x840 [ 89.322830][ T5191] ? preempt_schedule_thunk+0x16/0x30 [ 89.325041][ T5191] ? bpf_trace_run2+0x2c4/0x840 [ 89.327159][ T5191] check_panic_on_warn+0x89/0xb0 [ 89.329361][ T5191] ? bpf_trace_run2+0x2c4/0x840 [ 89.331636][ T5191] end_report+0x73/0x180 [ 89.333521][ T5191] ? bpf_trace_run2+0x2c4/0x840 [ 89.335666][ T5191] kasan_report+0x128/0x150 [ 89.337716][ T5191] ? bpf_trace_run2+0x2c4/0x840 [ 89.339788][ T5191] bpf_trace_run2+0x2c4/0x840 [ 89.341875][ T5191] ? __queue_work+0x1a1/0x1020 [ 89.343927][ T5191] ? bpf_trace_run2+0x1c9/0x840 [ 89.346057][ T5191] ? __pfx_bpf_trace_run2+0x10/0x10 [ 89.348311][ T5191] ? seccomp_filter_release+0x22b/0x2d0 [ 89.350676][ T5191] ? seccomp_filter_release+0x22b/0x2d0 [ 89.353087][ T5191] ? seccomp_filter_release+0x22b/0x2d0 [ 89.355420][ T5191] kfree+0x5b2/0x630 [ 89.357152][ T5191] ? queue_work_on+0x159/0x1d0 [ 89.359287][ T5191] seccomp_filter_release+0x22b/0x2d0 [ 89.361714][ T5191] do_exit+0x338/0x2320 [ 89.363530][ T5191] ? fput_close_sync+0x11f/0x240 [ 89.365714][ T5191] ? __x64_sys_close+0x7e/0x110 [ 89.367813][ T5191] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.370427][ T5191] ? __pfx_do_exit+0x10/0x10 [ 89.372447][ T5191] ? do_raw_spin_lock+0x12b/0x2f0 [ 89.374644][ T5191] do_group_exit+0x21b/0x2d0 [ 89.376688][ T5191] ? _raw_spin_unlock_irq+0x23/0x50 [ 89.378990][ T5191] get_signal+0x1284/0x1330 [ 89.381098][ T5191] arch_do_signal_or_restart+0xbc/0x830 [ 89.383546][ T5191] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 89.386234][ T5191] ? kmem_cache_free+0x439/0x630 [ 89.388533][ T5191] ? fput_close_sync+0x11f/0x240 [ 89.390742][ T5191] exit_to_user_mode_loop+0x86/0x480 [ 89.393073][ T5191] ? rcu_is_watching+0x15/0xb0 [ 89.395097][ T5191] do_syscall_64+0x32d/0xf80 [ 89.397070][ T5191] ? trace_irq_disable+0x3b/0x150 [ 89.399322][ T5191] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.402068][ T5191] ? clear_bhb_loop+0x40/0x90 [ 89.404108][ T5191] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.406657][ T5191] RIP: 0033:0x7fda52cea407 [ 89.408728][ T5191] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff [ 89.417040][ T5191] RSP: 002b:00007ffea00c8760 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 89.420645][ T5191] RAX: 0000000000000000 RBX: 00007fda52c60740 RCX: 00007fda52cea407 [ 89.424191][ T5191] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000018 [ 89.427490][ T5191] RBP: 00007ffea00d8a00 R08: 0000000000000000 R09: 0000000000000000 [ 89.430991][ T5191] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffea00d8a00 [ 89.434440][ T5191] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 89.437884][ T5191] [ 89.439623][ T5191] Kernel Offset: disabled [ 89.441552][ T5191] Rebooting in 86400 seconds..