program: r0 = syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$sock_ifreq(r0, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'}) r1 = io_uring_setup(0x7d5, &(0x7f0000000500)) r2 = syz_init_net_socket$ax25(0x3, 0x5, 0xcb) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000)) r5 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r5}, 0x10) bind$ax25(r2, 0x0, 0x0) connect$ax25(r2, &(0x7f00000001c0)={{0x3, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5}, [@bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @null]}, 0x48) r6 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r6, 0x0) r7 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_CREATE(r7, &(0x7f0000001080)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000300)={0x6c, 0x2, 0x6, 0x1, 0x6000000, 0x0, {}, [@IPSET_ATTR_TYPENAME={0xe, 0x3, 'bitmap:ip\x00'}, @IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz0\x00'}, @IPSET_ATTR_DATA={0x24, 0x7, 0x0, 0x1, [@IPSET_ATTR_IP_TO={0xc, 0x2, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @broadcast}}, @IPSET_ATTR_IP={0xc, 0x1, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @empty=0x80ffffff}}, @IPSET_ATTR_NETMASK={0x5, 0x14, 0x2}]}, @IPSET_ATTR_FAMILY={0x5, 0x5, 0x2}, @IPSET_ATTR_PROTOCOL={0x5, 0x1, 0x6}]}, 0x6c}}, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r6, 0x84, 0x6f, &(0x7f0000000000)={0x0, 0x1c, &(0x7f0000000500)=[@in6={0xa, 0x0, 0x0, @private1}]}, &(0x7f0000000340)=0x10) r8 = socket$inet_sctp(0x2, 0x5, 0x84) getsockopt$inet_sctp_SCTP_MAX_BURST(r8, 0x84, 0x7b, &(0x7f0000000000)=@assoc_value, &(0x7f0000000240)=0x8) close_range(r1, 0xffffffffffffffff, 0x0) [ 83.926626][ T5298] Bluetooth: hci0: command tx timeout [ 84.086388][ T5323] 8021q: adding VLAN 0 to HW filter on device bond0 [ 84.107640][ T5323] bond0: (slave rose0): Enslaving as an active interface with an up link [ 84.245170][ T5161] ================================================================== [ 84.250089][ T5161] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840 [ 84.254772][ T5161] Read of size 8 at addr ffff888037371c80 by task dhcpcd/5161 [ 84.258245][ T5161] [ 84.259432][ T5161] CPU: 0 UID: 101 PID: 5161 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) [ 84.259448][ T5161] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.259455][ T5161] Call Trace: [ 84.259463][ T5161] [ 84.259469][ T5161] dump_stack_lvl+0xe8/0x150 [ 84.259517][ T5161] print_report+0xba/0x230 [ 84.259533][ T5161] ? bpf_trace_run2+0x2c4/0x840 [ 84.259548][ T5161] kasan_report+0x117/0x150 [ 84.259612][ T5161] ? bpf_trace_run2+0x2c4/0x840 [ 84.259625][ T5161] bpf_trace_run2+0x2c4/0x840 [ 84.259638][ T5161] ? __queue_work+0x1a1/0x1020 [ 84.259687][ T5161] ? bpf_trace_run2+0x1c9/0x840 [ 84.259700][ T5161] ? __pfx_bpf_trace_run2+0x10/0x10 [ 84.259718][ T5161] ? seccomp_filter_release+0x22b/0x2d0 [ 84.259731][ T5161] ? seccomp_filter_release+0x22b/0x2d0 [ 84.259741][ T5161] ? seccomp_filter_release+0x22b/0x2d0 [ 84.259751][ T5161] kfree+0x5b2/0x630 [ 84.259765][ T5161] ? queue_work_on+0x159/0x1d0 [ 84.259778][ T5161] seccomp_filter_release+0x22b/0x2d0 [ 84.259790][ T5161] do_exit+0x3b0/0x23c0 [ 84.259800][ T5161] ? count_memcg_event_mm+0x21/0x260 [ 84.259815][ T5161] ? __pfx_do_exit+0x10/0x10 [ 84.259823][ T5161] ? count_memcg_event_mm+0x21/0x260 [ 84.259835][ T5161] ? do_raw_spin_lock+0x12b/0x2f0 [ 84.259849][ T5161] do_group_exit+0x21b/0x2d0 [ 84.259858][ T5161] ? _raw_spin_unlock_irq+0x23/0x50 [ 84.259962][ T5161] get_signal+0x1284/0x1330 [ 84.259978][ T5161] arch_do_signal_or_restart+0xbc/0x830 [ 84.259992][ T5161] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 84.260006][ T5161] ? do_user_addr_fault+0xc6f/0x1340 [ 84.260022][ T5161] irqentry_exit+0x176/0x620 [ 84.260037][ T5161] ? trace_irq_disable+0x3b/0x150 [ 84.260053][ T5161] asm_exc_page_fault+0x26/0x30 [ 84.260085][ T5161] RIP: 0033:0x7fe8e0539370 [ 84.260097][ T5161] Code: 48 85 d2 74 0b f3 0f 6f 02 48 89 e0 0f 29 04 24 48 83 ec 08 45 31 c9 41 b8 08 00 00 00 48 89 c2 68 0f 01 00 00 e8 b0 20 f9 ff <48> 83 c4 28 c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 83 ec 10 48 63 [ 84.260106][ T5161] RSP: 002b:00007ffea62fe480 EFLAGS: 00010206 [ 84.260119][ T5161] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000560f273d97d0 [ 84.260125][ T5161] RDX: 0000000000000001 RSI: 0000000000000002 RDI: 0000560f273d9380 [ 84.260131][ T5161] RBP: 00007ffea62fe790 R08: 0000000000000008 R09: 0000000000000000 [ 84.260138][ T5161] R10: 00007ffea62fe790 R11: 0000000000000202 R12: 0000560efd8675e0 [ 84.260144][ T5161] R13: 0000560f273ccd40 R14: 0000000000000000 R15: 00007ffea62fe540 [ 84.260154][ T5161] [ 84.260158][ T5161] [ 84.387089][ T5161] Allocated by task 5323: [ 84.389324][ T5161] kasan_save_track+0x3e/0x80 [ 84.391766][ T5161] __kasan_kmalloc+0x93/0xb0 [ 84.394499][ T5161] __kmalloc_cache_noprof+0x31c/0x660 [ 84.397273][ T5161] bpf_raw_tp_link_attach+0x278/0x700 [ 84.400045][ T5161] bpf_raw_tracepoint_open+0x1b2/0x220 [ 84.402649][ T5161] __sys_bpf+0x846/0x950 [ 84.404571][ T5161] __x64_sys_bpf+0x7c/0x90 [ 84.406953][ T5161] do_syscall_64+0x14d/0xf80 [ 84.409405][ T5161] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.412811][ T5161] [ 84.413965][ T5161] Freed by task 15: [ 84.415720][ T5161] kasan_save_track+0x3e/0x80 [ 84.417997][ T5161] kasan_save_free_info+0x46/0x50 [ 84.420520][ T5161] __kasan_slab_free+0x5c/0x80 [ 84.422725][ T5161] kfree+0x1c1/0x630 [ 84.424485][ T5161] rcu_core+0x7cd/0x1070 [ 84.426528][ T5161] handle_softirqs+0x22a/0x870 [ 84.428880][ T5161] run_ksoftirqd+0x36/0x60 [ 84.431045][ T5161] smpboot_thread_fn+0x541/0xa50 [ 84.433735][ T5161] kthread+0x388/0x470 [ 84.435812][ T5161] ret_from_fork+0x51e/0xb90 [ 84.437981][ T5161] ret_from_fork_asm+0x1a/0x30 [ 84.440252][ T5161] [ 84.441403][ T5161] Last potentially related work creation: [ 84.444299][ T5161] kasan_save_stack+0x3e/0x60 [ 84.447467][ T5161] kasan_record_aux_stack+0xbd/0xd0 [ 84.450352][ T5161] call_rcu+0xee/0x890 [ 84.452437][ T5161] bpf_link_release+0x6b/0x80 [ 84.454783][ T5161] __fput+0x44f/0xa70 [ 84.456806][ T5161] task_work_run+0x1d9/0x270 [ 84.459118][ T5161] exit_to_user_mode_loop+0xed/0x480 [ 84.462235][ T5161] do_syscall_64+0x32d/0xf80 [ 84.464730][ T5161] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.468049][ T5161] [ 84.469243][ T5161] The buggy address belongs to the object at ffff888037371c00 [ 84.469243][ T5161] which belongs to the cache kmalloc-192 of size 192 [ 84.475860][ T5161] The buggy address is located 128 bytes inside of [ 84.475860][ T5161] freed 192-byte region [ffff888037371c00, ffff888037371cc0) [ 84.483075][ T5161] [ 84.484613][ T5161] The buggy address belongs to the physical page: [ 84.488023][ T5161] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37371 [ 84.492205][ T5161] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 84.495474][ T5161] page_type: f5(slab) [ 84.497766][ T5161] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122 [ 84.502224][ T5161] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000 [ 84.506236][ T5161] page dumped because: kasan: bad access detected [ 84.509559][ T5161] page_owner tracks the page as allocated [ 84.512898][ T5161] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 18030607281, free_ts 18028652068 [ 84.522231][ T5161] post_alloc_hook+0x231/0x280 [ 84.524906][ T5161] get_page_from_freelist+0x24dc/0x2580 [ 84.527910][ T5161] __alloc_frozen_pages_noprof+0x18d/0x380 [ 84.531293][ T5161] allocate_slab+0x77/0x660 [ 84.533929][ T5161] refill_objects+0x331/0x3c0 [ 84.536273][ T5161] __pcs_replace_empty_main+0x2f9/0x5e0 [ 84.538877][ T5161] __kmalloc_noprof+0x474/0x760 [ 84.541241][ T5161] usb_alloc_urb+0x46/0x150 [ 84.543932][ T5161] usb_control_msg+0x118/0x3e0 [ 84.546810][ T5161] usb_get_string+0xa1/0x3c0 [ 84.549359][ T5161] usb_string_sub+0x76/0x420 [ 84.551829][ T5161] usb_string+0x38f/0x7d0 [ 84.553943][ T5161] usb_cache_string+0x80/0x140 [ 84.556197][ T5161] usb_new_device+0x360/0x16f0 [ 84.558402][ T5161] register_root_hub+0x270/0x5f0 [ 84.560986][ T5161] usb_add_hcd+0xba1/0x10b0 [ 84.563552][ T5161] page last free pid 9 tgid 9 stack trace: [ 84.566660][ T5161] __free_frozen_pages+0xc2b/0xdb0 [ 84.569168][ T5161] vfree+0x25a/0x400 [ 84.570981][ T5161] delayed_vfree_work+0x55/0x80 [ 84.573131][ T5161] process_scheduled_works+0xb02/0x1830 [ 84.576291][ T5161] worker_thread+0xa50/0xfc0 [ 84.579101][ T5161] kthread+0x388/0x470 [ 84.581251][ T5161] ret_from_fork+0x51e/0xb90 [ 84.583509][ T5161] ret_from_fork_asm+0x1a/0x30 [ 84.585362][ T5161] [ 84.586277][ T5161] Memory state around the buggy address: [ 84.588680][ T5161] ffff888037371b80: 00 00 00 00 00 00 00 06 fc fc fc fc fc fc fc fc [ 84.592467][ T5161] ffff888037371c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 84.596193][ T5161] >ffff888037371c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 84.600495][ T5161] ^ [ 84.602441][ T5161] ffff888037371d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 84.606051][ T5161] ffff888037371d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 84.609827][ T5161] ==================================================================