syzbot

==================================================================
BUG: KASAN: use-after-free in dev_map_flush_old kernel/bpf/devmap.c:365 [inline]
BUG: KASAN: use-after-free in __dev_map_entry_free+0x2a8/0x300 kernel/bpf/devmap.c:379
Read of size 8 at addr ffff8801d8cfa1c8 by task ksoftirqd/1/18

CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.18.0-rc1+ #110
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 dev_map_flush_old kernel/bpf/devmap.c:365 [inline]
 __dev_map_entry_free+0x2a8/0x300 kernel/bpf/devmap.c:379
 __rcu_reclaim kernel/rcu/rcu.h:178 [inline]
 rcu_do_batch kernel/rcu/tree.c:2558 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2818 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2785 [inline]
 rcu_process_callbacks+0xed5/0x1850 kernel/rcu/tree.c:2802
 __do_softirq+0x2e8/0xb17 kernel/softirq.c:284
 run_ksoftirqd+0x86/0x100 kernel/softirq.c:645
 smpboot_thread_fn+0x417/0x870 kernel/smpboot.c:164
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

Allocated by task 8934:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:513 [inline]
 kzalloc include/linux/slab.h:707 [inline]
 dev_map_alloc+0x210/0x810 kernel/bpf/devmap.c:102
 find_and_alloc_map kernel/bpf/syscall.c:129 [inline]
 map_create+0x39b/0x1020 kernel/bpf/syscall.c:453
 __do_sys_bpf kernel/bpf/syscall.c:2351 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2328 [inline]
 __x64_sys_bpf+0x303/0x510 kernel/bpf/syscall.c:2328
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 26:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 dev_map_free+0x502/0x680 kernel/bpf/devmap.c:191
 bpf_map_free_deferred+0xba/0xf0 kernel/bpf/syscall.c:262
 process_one_work+0xc73/0x1ba0 kernel/workqueue.c:2153
 worker_thread+0x189/0x13c0 kernel/workqueue.c:2296
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

The buggy address belongs to the object at ffff8801d8cfa0c0
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 264 bytes inside of
 512-byte region [ffff8801d8cfa0c0, ffff8801d8cfa2c0)
The buggy address belongs to the page:
page:ffffea0007633e80 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0007620148 ffffea000763d6c8 ffff8801da800940
raw: 0000000000000000 ffff8801d8cfa0c0 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d8cfa080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8801d8cfa100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801d8cfa180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff8801d8cfa200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d8cfa280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================