program: r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10) r1 = socket$packet(0x11, 0x2, 0x300) ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r1, 0x8933, &(0x7f00000001c0)={'batadv0\x00', 0x0}) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000085000000750000001801000020646c2500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000000e00000095"], 0x0, 0xfffffffe, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0}, 0x94) r3 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000780)={&(0x7f00000007c0)='skb_copy_datagram_iovec\x00', r3}, 0x10) r4 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000780)={&(0x7f0000000280)='skb_copy_datagram_iovec\x00', r4}, 0x18) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) sendmmsg$unix(r6, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r5, &(0x7f00000000c0), 0x10106, 0x2, 0x0) sendto$packet(r1, &(0x7f0000000040)="10004305", 0x4, 0x0, &(0x7f0000000200)={0x11, 0x8100, r2, 0x1, 0x0, 0x6, @link_local}, 0x14) r7 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r7, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000240)={0x14, 0x26, 0x1, 0x7fffd, 0x1000, {0x15}}, 0x14}, 0x1, 0x0, 0x0, 0x20040811}, 0x24004010) [ 83.866168][ T5297] Bluetooth: hci0: command tx timeout [ 84.106418][ T5194] ================================================================== [ 84.110659][ T5194] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840 [ 84.113951][ T5194] Read of size 8 at addr ffff888034332880 by task dhcpcd/5194 [ 84.116968][ T5194] [ 84.118034][ T5194] CPU: 0 UID: 101 PID: 5194 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) [ 84.118050][ T5194] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.118060][ T5194] Call Trace: [ 84.118090][ T5194] [ 84.118095][ T5194] dump_stack_lvl+0xe8/0x150 [ 84.118111][ T5194] print_report+0xba/0x230 [ 84.118120][ T5194] ? bpf_trace_run2+0x2c4/0x840 [ 84.118131][ T5194] kasan_report+0x117/0x150 [ 84.118141][ T5194] ? bpf_trace_run2+0x2c4/0x840 [ 84.118151][ T5194] bpf_trace_run2+0x2c4/0x840 [ 84.118164][ T5194] ? __queue_work+0x1a1/0x1020 [ 84.118201][ T5194] ? bpf_trace_run2+0x1c9/0x840 [ 84.118214][ T5194] ? __pfx_bpf_trace_run2+0x10/0x10 [ 84.118229][ T5194] ? seccomp_filter_release+0x22b/0x2d0 [ 84.118243][ T5194] ? seccomp_filter_release+0x22b/0x2d0 [ 84.118253][ T5194] ? seccomp_filter_release+0x22b/0x2d0 [ 84.118261][ T5194] kfree+0x5b2/0x630 [ 84.118271][ T5194] ? queue_work_on+0x159/0x1d0 [ 84.118280][ T5194] seccomp_filter_release+0x22b/0x2d0 [ 84.118289][ T5194] do_exit+0x3b0/0x23c0 [ 84.118296][ T5194] ? count_memcg_event_mm+0x21/0x260 [ 84.118305][ T5194] ? __pfx_do_exit+0x10/0x10 [ 84.118311][ T5194] ? count_memcg_event_mm+0x21/0x260 [ 84.118319][ T5194] ? do_raw_spin_lock+0x12b/0x2f0 [ 84.118327][ T5194] do_group_exit+0x21b/0x2d0 [ 84.118334][ T5194] ? _raw_spin_unlock_irq+0x23/0x50 [ 84.118466][ T5194] get_signal+0x1284/0x1330 [ 84.118483][ T5194] arch_do_signal_or_restart+0xbc/0x830 [ 84.118497][ T5194] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 84.118511][ T5194] ? do_user_addr_fault+0xc6f/0x1340 [ 84.118527][ T5194] irqentry_exit+0x176/0x620 [ 84.118542][ T5194] ? trace_irq_disable+0x3b/0x150 [ 84.118558][ T5194] asm_exc_page_fault+0x26/0x30 [ 84.118570][ T5194] RIP: 0033:0x5654dad242c5 [ 84.118582][ T5194] Code: 7d 78 41 c6 85 8e 00 00 00 00 0f 85 65 01 00 00 48 89 e9 48 89 da e8 2a 82 ff ff 41 89 c6 8d 40 01 83 f8 01 0f 86 0b 01 00 00 <49> 8b 5d 00 48 85 db 75 3a e9 8d 00 00 00 0f 1f 44 00 00 66 81 ce [ 84.118590][ T5194] RSP: 002b:00007ffcd306fa10 EFLAGS: 00010202 [ 84.118626][ T5194] RAX: 0000000000000002 RBX: 0000000000000000 RCX: 00005654fb8c07d0 [ 84.118632][ T5194] RDX: 0000000000000001 RSI: 0000000000000002 RDI: 00005654fb8c0380 [ 84.118638][ T5194] RBP: 00007ffcd306fcf0 R08: 0000000000000008 R09: 0000000000000000 [ 84.118645][ T5194] R10: 00007ffcd306fcf0 R11: 0000000000000202 R12: 00005654dad725e0 [ 84.118652][ T5194] R13: 00005654fb8b3d40 R14: 0000000000000001 R15: 00007ffcd306faa0 [ 84.118663][ T5194] [ 84.118667][ T5194] [ 84.236904][ T5194] Allocated by task 5320: [ 84.239135][ T5194] kasan_save_track+0x3e/0x80 [ 84.241301][ T5194] __kasan_kmalloc+0x93/0xb0 [ 84.243343][ T5194] __kmalloc_cache_noprof+0x31c/0x660 [ 84.245829][ T5194] bpf_raw_tp_link_attach+0x278/0x700 [ 84.248237][ T5194] bpf_raw_tracepoint_open+0x1b2/0x220 [ 84.251041][ T5194] __sys_bpf+0x846/0x950 [ 84.253225][ T5194] __x64_sys_bpf+0x7c/0x90 [ 84.255682][ T5194] do_syscall_64+0x14d/0xf80 [ 84.257657][ T5194] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.260329][ T5194] [ 84.261439][ T5194] Freed by task 71: [ 84.263283][ T5194] kasan_save_track+0x3e/0x80 [ 84.265743][ T5194] kasan_save_free_info+0x46/0x50 [ 84.268499][ T5194] __kasan_slab_free+0x5c/0x80 [ 84.270924][ T5194] kfree+0x1c1/0x630 [ 84.272682][ T5194] rcu_core+0x7cd/0x1070 [ 84.274507][ T5194] handle_softirqs+0x22a/0x870 [ 84.276645][ T5194] do_softirq+0x76/0xd0 [ 84.278707][ T5194] __local_bh_enable_ip+0xf8/0x130 [ 84.281388][ T5194] scomp_acomp_comp_decomp+0x73a/0xa00 [ 84.284363][ T5194] crypto_acomp_compress+0x4b3/0xbe0 [ 84.286904][ T5194] zswap_store+0xdce/0x1f80 [ 84.288746][ T5194] swap_writeout+0x70c/0xd70 [ 84.290760][ T5194] shrink_folio_list+0x33fd/0x5290 [ 84.292990][ T5194] evict_folios+0x4795/0x5880 [ 84.295191][ T5194] try_to_shrink_lruvec+0xb62/0xfa0 [ 84.297732][ T5194] shrink_one+0x25c/0x710 [ 84.299968][ T5194] shrink_node+0x3197/0x3a90 [ 84.302091][ T5194] kswapd+0x1742/0x2e10 [ 84.304024][ T5194] kthread+0x388/0x470 [ 84.305881][ T5194] ret_from_fork+0x51e/0xb90 [ 84.307936][ T5194] ret_from_fork_asm+0x1a/0x30 [ 84.310891][ T5194] [ 84.312420][ T5194] Last potentially related work creation: [ 84.315584][ T5194] kasan_save_stack+0x3e/0x60 [ 84.317735][ T5194] kasan_record_aux_stack+0xbd/0xd0 [ 84.319975][ T5194] call_rcu+0xee/0x890 [ 84.321979][ T5194] bpf_link_release+0x6b/0x80 [ 84.324034][ T5194] __fput+0x44f/0xa70 [ 84.325846][ T5194] task_work_run+0x1d9/0x270 [ 84.328368][ T5194] exit_to_user_mode_loop+0xed/0x480 [ 84.331751][ T5194] do_syscall_64+0x32d/0xf80 [ 84.334250][ T5194] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.336764][ T5194] [ 84.337813][ T5194] The buggy address belongs to the object at ffff888034332800 [ 84.337813][ T5194] which belongs to the cache kmalloc-192 of size 192 [ 84.343876][ T5194] The buggy address is located 128 bytes inside of [ 84.343876][ T5194] freed 192-byte region [ffff888034332800, ffff8880343328c0) [ 84.351206][ T5194] [ 84.352698][ T5194] The buggy address belongs to the physical page: [ 84.356085][ T5194] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888034332100 pfn:0x34332 [ 84.360436][ T5194] flags: 0x4fff00000000200(workingset|node=1|zone=1|lastcpupid=0x7ff) [ 84.364342][ T5194] page_type: f5(slab) [ 84.366350][ T5194] raw: 04fff00000000200 ffff88801ac413c0 ffff888030400288 ffffea0000d66390 [ 84.370747][ T5194] raw: ffff888034332100 000000080010000e 00000000f5000000 0000000000000000 [ 84.376180][ T5194] page dumped because: kasan: bad access detected [ 84.378997][ T5194] page_owner tracks the page as allocated [ 84.381910][ T5194] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 10382444414, free_ts 10377203388 [ 84.391026][ T5194] post_alloc_hook+0x231/0x280 [ 84.393398][ T5194] get_page_from_freelist+0x24dc/0x2580 [ 84.396162][ T5194] __alloc_frozen_pages_noprof+0x18d/0x380 [ 84.398817][ T5194] allocate_slab+0x77/0x660 [ 84.400949][ T5194] refill_objects+0x331/0x3c0 [ 84.403221][ T5194] __pcs_replace_empty_main+0x2b9/0x620 [ 84.405926][ T5194] __kmalloc_cache_noprof+0x392/0x660 [ 84.408449][ T5194] call_usermodehelper_setup+0x8e/0x270 [ 84.410923][ T5194] kobject_uevent_env+0x658/0x9e0 [ 84.413388][ T5194] tty_register_device_attr+0x573/0x950 [ 84.416696][ T5194] tty_register_driver+0x600/0xb90 [ 84.419029][ T5194] legacy_pty_init+0x3b2/0x5d0 [ 84.421249][ T5194] pty_init+0x9/0x20 [ 84.422815][ T5194] do_one_initcall+0x250/0x8d0 [ 84.424691][ T5194] do_initcall_level+0x104/0x190 [ 84.426826][ T5194] do_initcalls+0x59/0xa0 [ 84.428903][ T5194] page last free pid 53 tgid 53 stack trace: [ 84.431506][ T5194] __free_frozen_pages+0xc2b/0xdb0 [ 84.434169][ T5194] vfree+0x25a/0x400 [ 84.435981][ T5194] delayed_vfree_work+0x55/0x80 [ 84.438210][ T5194] process_scheduled_works+0xb02/0x1830 [ 84.441255][ T5194] worker_thread+0xa50/0xfc0 [ 84.443977][ T5194] kthread+0x388/0x470 [ 84.445761][ T5194] ret_from_fork+0x51e/0xb90 [ 84.447701][ T5194] ret_from_fork_asm+0x1a/0x30 [ 84.449918][ T5194] [ 84.451135][ T5194] Memory state around the buggy address: [ 84.454204][ T5194] ffff888034332780: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc [ 84.457736][ T5194] ffff888034332800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 84.461330][ T5194] >ffff888034332880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 84.465428][ T5194] ^ [ 84.467691][ T5194] ffff888034332900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 84.471334][ T5194] ffff888034332980: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc [ 84.474906][ T5194] ==================================================================