program: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r1}, 0x10) r2 = socket$inet6_sctp(0xa, 0x1, 0x84) setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_ADD(r2, 0x84, 0x64, &(0x7f0000000180)=[@in6={0xa, 0xfffc, 0x0, @loopback}], 0x1c) r3 = socket$inet6_sctp(0xa, 0x1, 0x84) setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_ADD(r3, 0x84, 0x64, &(0x7f0000000080)=[@in={0x2, 0xfffc, @remote}], 0x10) sendmmsg$inet6(r3, &(0x7f000000cf00)=[{{&(0x7f00000084c0)={0xa, 0xfffc, 0x0, @loopback}, 0x1c, &(0x7f0000008900)=[{&(0x7f0000008500)="88", 0x1}], 0x1}}], 0x1, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r4, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f00000000c0)=@newtaction={0x78, 0x30, 0xb, 0x0, 0x0, {}, [{0x64, 0x1, [@m_ct={0x60, 0x1, 0x0, 0x0, {{0x7}, {0x38, 0x2, 0x0, 0x1, [@TCA_CT_PARMS={0x18}, @TCA_CT_LABELS={0x14, 0x7, "4614c334e344ae535af2f0a70ddeb37f"}, @TCA_CT_ZONE={0x6, 0x8}]}, {0x4}, {0xc}, {0xc}}}]}]}, 0x78}}, 0x0) sendmmsg$inet6(r2, &(0x7f000000cf00)=[{{&(0x7f00000084c0)={0xa, 0xfffc, 0x0, @loopback}, 0x1c, &(0x7f0000008900)=[{&(0x7f0000008500)="88", 0xff12}], 0x1}}], 0x1, 0x0) r5 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x0, 0x7fff7ffc}]}) close_range(r5, 0xffffffffffffffff, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000002c0)={{0x14}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x401, 0x0, 0x0, {0x1}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWCHAIN={0x2c, 0x3, 0xa, 0x201, 0x0, 0x0, {0x1}, [@NFTA_CHAIN_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_CHAIN_NAME={0x9, 0x3, 'syz2\x00'}]}, @NFT_MSG_NEWRULE={0x30, 0x6, 0xa, 0x401, 0x0, 0x0, {0x1}, [@NFTA_RULE_CHAIN_ID={0x8}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_POSITION_ID={0x8, 0xa, 0x1, 0x0, 0x2}]}], {0x14}}, 0xa4}}, 0x0) [ 83.778226][ T4664] Bluetooth: hci0: command tx timeout [ 84.051457][ T5010] ================================================================== [ 84.055652][ T5010] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840 [ 84.059123][ T5010] Read of size 8 at addr ffff8880407cf980 by task dhcpcd/5010 [ 84.062615][ T5010] [ 84.063763][ T5010] CPU: 0 UID: 101 PID: 5010 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) [ 84.063779][ T5010] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.063786][ T5010] Call Trace: [ 84.063795][ T5010] [ 84.063801][ T5010] dump_stack_lvl+0xe8/0x150 [ 84.063867][ T5010] print_report+0xba/0x230 [ 84.063905][ T5010] ? bpf_trace_run2+0x2c4/0x840 [ 84.063920][ T5010] kasan_report+0x117/0x150 [ 84.063952][ T5010] ? bpf_trace_run2+0x2c4/0x840 [ 84.063965][ T5010] bpf_trace_run2+0x2c4/0x840 [ 84.063980][ T5010] ? __queue_work+0x1a1/0x1020 [ 84.064018][ T5010] ? bpf_trace_run2+0x1c9/0x840 [ 84.064031][ T5010] ? __pfx_bpf_trace_run2+0x10/0x10 [ 84.064049][ T5010] ? seccomp_filter_release+0x22b/0x2d0 [ 84.064077][ T5010] ? seccomp_filter_release+0x22b/0x2d0 [ 84.064084][ T5010] ? seccomp_filter_release+0x22b/0x2d0 [ 84.064091][ T5010] kfree+0x5b2/0x630 [ 84.064119][ T5010] ? queue_work_on+0x159/0x1d0 [ 84.064128][ T5010] seccomp_filter_release+0x22b/0x2d0 [ 84.064136][ T5010] do_exit+0x3b0/0x23c0 [ 84.064158][ T5010] ? fput_close_sync+0x11f/0x240 [ 84.064208][ T5010] ? __x64_sys_close+0x7e/0x110 [ 84.064222][ T5010] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.064235][ T5010] ? __pfx_do_exit+0x10/0x10 [ 84.064245][ T5010] ? do_raw_spin_lock+0x12b/0x2f0 [ 84.064301][ T5010] do_group_exit+0x21b/0x2d0 [ 84.064311][ T5010] ? _raw_spin_unlock_irq+0x23/0x50 [ 84.064370][ T5010] get_signal+0x1284/0x1330 [ 84.064385][ T5010] arch_do_signal_or_restart+0xbc/0x830 [ 84.064416][ T5010] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 84.064427][ T5010] ? kmem_cache_free+0x439/0x630 [ 84.064436][ T5010] ? fput_close_sync+0x11f/0x240 [ 84.064450][ T5010] exit_to_user_mode_loop+0x86/0x480 [ 84.064512][ T5010] ? rcu_is_watching+0x15/0xb0 [ 84.064528][ T5010] do_syscall_64+0x32d/0xf80 [ 84.064539][ T5010] ? trace_irq_disable+0x3b/0x150 [ 84.064554][ T5010] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.064565][ T5010] ? clear_bhb_loop+0x40/0x90 [ 84.064576][ T5010] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.064587][ T5010] RIP: 0033:0x7f5a9b39d407 [ 84.064596][ T5010] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff [ 84.064603][ T5010] RSP: 002b:00007fff2cf21880 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 84.064646][ T5010] RAX: 0000000000000000 RBX: 00007f5a9b313780 RCX: 00007f5a9b39d407 [ 84.064653][ T5010] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007 [ 84.064660][ T5010] RBP: 00007fff2cf31b20 R08: 0000000000000000 R09: 0000000000000000 [ 84.064666][ T5010] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff2cf31b20 [ 84.064673][ T5010] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 84.064682][ T5010] [ 84.064686][ T5010] [ 84.208180][ T5010] Allocated by task 5319: [ 84.210577][ T5010] kasan_save_track+0x3e/0x80 [ 84.212857][ T5010] __kasan_kmalloc+0x93/0xb0 [ 84.215094][ T5010] __kmalloc_cache_noprof+0x31c/0x660 [ 84.217577][ T5010] bpf_raw_tp_link_attach+0x278/0x700 [ 84.219989][ T5010] bpf_raw_tracepoint_open+0x1b2/0x220 [ 84.222543][ T5010] __sys_bpf+0x846/0x950 [ 84.224603][ T5010] __x64_sys_bpf+0x7c/0x90 [ 84.227229][ T5010] do_syscall_64+0x14d/0xf80 [ 84.229985][ T5010] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.232617][ T5010] [ 84.233915][ T5010] Freed by task 15: [ 84.235575][ T5010] kasan_save_track+0x3e/0x80 [ 84.237898][ T5010] kasan_save_free_info+0x46/0x50 [ 84.240284][ T5010] __kasan_slab_free+0x5c/0x80 [ 84.242712][ T5010] kfree+0x1c1/0x630 [ 84.245167][ T5010] rcu_core+0x7cd/0x1070 [ 84.247448][ T5010] handle_softirqs+0x22a/0x870 [ 84.249922][ T5010] run_ksoftirqd+0x36/0x60 [ 84.252086][ T5010] smpboot_thread_fn+0x541/0xa50 [ 84.254861][ T5010] kthread+0x388/0x470 [ 84.257075][ T5010] ret_from_fork+0x51e/0xb90 [ 84.259630][ T5010] ret_from_fork_asm+0x1a/0x30 [ 84.262550][ T5010] [ 84.263826][ T5010] Last potentially related work creation: [ 84.266426][ T5010] kasan_save_stack+0x3e/0x60 [ 84.268802][ T5010] kasan_record_aux_stack+0xbd/0xd0 [ 84.271750][ T5010] call_rcu+0xee/0x890 [ 84.273800][ T5010] bpf_link_release+0x6b/0x80 [ 84.276083][ T5010] __fput+0x44f/0xa70 [ 84.278419][ T5010] task_work_run+0x1d9/0x270 [ 84.281225][ T5010] exit_to_user_mode_loop+0xed/0x480 [ 84.283725][ T5010] do_syscall_64+0x32d/0xf80 [ 84.285938][ T5010] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.289078][ T5010] [ 84.290405][ T5010] The buggy address belongs to the object at ffff8880407cf900 [ 84.290405][ T5010] which belongs to the cache kmalloc-192 of size 192 [ 84.296566][ T5010] The buggy address is located 128 bytes inside of [ 84.296566][ T5010] freed 192-byte region [ffff8880407cf900, ffff8880407cf9c0) [ 84.302008][ T5010] [ 84.303016][ T5010] The buggy address belongs to the physical page: [ 84.305715][ T5010] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880407cff00 pfn:0x407cf [ 84.310083][ T5010] flags: 0x4fff00000000200(workingset|node=1|zone=1|lastcpupid=0x7ff) [ 84.313896][ T5010] page_type: f5(slab) [ 84.316029][ T5010] raw: 04fff00000000200 ffff88801ac413c0 ffffea0000e21010 ffffea0000cd6ed0 [ 84.319963][ T5010] raw: ffff8880407cff00 000000080010000f 00000000f5000000 0000000000000000 [ 84.323918][ T5010] page dumped because: kasan: bad access detected [ 84.326974][ T5010] page_owner tracks the page as allocated [ 84.329826][ T5010] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5296, tgid 5296 (syz-executor), ts 81783676073, free_ts 81783435413 [ 84.338706][ T5010] post_alloc_hook+0x231/0x280 [ 84.340910][ T5010] get_page_from_freelist+0x24dc/0x2580 [ 84.343417][ T5010] __alloc_frozen_pages_noprof+0x18d/0x380 [ 84.346420][ T5010] allocate_slab+0x77/0x660 [ 84.349073][ T5010] ___slab_alloc+0x150/0x6b0 [ 84.351245][ T5010] __kmalloc_node_noprof+0x309/0x7c0 [ 84.353584][ T5010] alloc_slab_obj_exts+0x4b/0x1a0 [ 84.355878][ T5010] __memcg_slab_post_alloc_hook+0x53c/0xa80 [ 84.358671][ T5010] kmem_cache_alloc_lru_noprof+0x346/0x640 [ 84.361389][ T5010] __d_alloc+0x37/0x6f0 [ 84.363810][ T5010] d_alloc_pseudo+0x21/0xc0 [ 84.366821][ T5010] alloc_file_pseudo+0xdd/0x240 [ 84.369395][ T5010] sock_alloc_file+0xb8/0x2e0 [ 84.371617][ T5010] __sys_socket+0x13c/0x1b0 [ 84.373734][ T5010] __x64_sys_socket+0x7a/0x90 [ 84.375864][ T5010] do_syscall_64+0x14d/0xf80 [ 84.378030][ T5010] page last free pid 5296 tgid 5296 stack trace: [ 84.381681][ T5010] __free_frozen_pages+0xc2b/0xdb0 [ 84.384872][ T5010] vfree+0x25a/0x400 [ 84.386893][ T5010] do_ipt_get_ctl+0xf25/0x1240 [ 84.389187][ T5010] nf_getsockopt+0x26e/0x290 [ 84.391377][ T5010] ip_getsockopt+0x19e/0x230 [ 84.393546][ T5010] do_sock_getsockopt+0x37f/0x670 [ 84.395820][ T5010] __x64_sys_getsockopt+0x1a4/0x240 [ 84.398252][ T5010] do_syscall_64+0x14d/0xf80 [ 84.400392][ T5010] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.403974][ T5010] [ 84.405687][ T5010] Memory state around the buggy address: [ 84.408638][ T5010] ffff8880407cf880: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 84.412227][ T5010] ffff8880407cf900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 84.415839][ T5010] >ffff8880407cf980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 84.419865][ T5010] ^ [ 84.421846][ T5010] ffff8880407cfa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 84.425482][ T5010] ffff8880407cfa80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 84.429175][ T5010] ==================================================================