program: r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x40, '\x00', 0x0, 0x2}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10) r1 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000700)={&(0x7f0000000780)={{0x14}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x301, 0x0, 0x0, {0x1}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWCHAIN={0x4c, 0x3, 0xa, 0x201, 0x0, 0x0, {0x1}, [@NFTA_CHAIN_NAME={0x9, 0x3, 'syz2\x00'}, @NFTA_CHAIN_HOOK={0x14, 0x4, 0x0, 0x1, [@NFTA_HOOK_HOOKNUM={0x8, 0x1, 0x1, 0x0, 0x3}, @NFTA_HOOK_PRIORITY={0x8, 0x2, 0x1, 0x0, 0x378b5ec3}]}, @NFTA_CHAIN_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_CHAIN_TYPE={0xa, 0x7, 'route\x00'}]}, @NFT_MSG_NEWRULE={0x48, 0x6, 0xa, 0x401, 0x0, 0x0, {0x1}, [@NFTA_RULE_CHAIN_ID={0x8}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_EXPRESSIONS={0x20, 0x4, 0x0, 0x1, [{0x1c, 0x1, 0x0, 0x1, @queue={{0xa}, @val={0xc, 0x2, 0x0, 0x1, [@NFTA_QUEUE_NUM={0x6, 0x1, 0x1, 0x0, 0x17}]}}}]}]}], {0x14}}, 0xdc}}, 0x0) r2 = socket$inet6_sctp(0xa, 0x1, 0x84) sendto$inet6(r2, &(0x7f00000009c0)="01", 0x1, 0x4004, &(0x7f0000000240)={0xa, 0x4e23, 0x0, @loopback, 0x20}, 0x1c) [ 85.683842][ T5294] Bluetooth: hci0: command tx timeout [ 86.027888][ T5005] ================================================================== [ 86.031664][ T5005] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840 [ 86.035204][ T5005] Read of size 8 at addr ffff888038857c80 by task dhcpcd/5005 [ 86.038921][ T5005] [ 86.040025][ T5005] CPU: 0 UID: 101 PID: 5005 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) [ 86.040039][ T5005] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 86.040046][ T5005] Call Trace: [ 86.040053][ T5005] [ 86.040058][ T5005] dump_stack_lvl+0xe8/0x150 [ 86.040139][ T5005] print_report+0xba/0x230 [ 86.040154][ T5005] ? bpf_trace_run2+0x2c4/0x840 [ 86.040168][ T5005] kasan_report+0x117/0x150 [ 86.040254][ T5005] ? bpf_trace_run2+0x2c4/0x840 [ 86.040270][ T5005] bpf_trace_run2+0x2c4/0x840 [ 86.040285][ T5005] ? __queue_work+0x1a1/0x1020 [ 86.040299][ T5005] ? bpf_trace_run2+0x1c9/0x840 [ 86.040312][ T5005] ? __pfx_bpf_trace_run2+0x10/0x10 [ 86.040326][ T5005] ? seccomp_filter_release+0x22b/0x2d0 [ 86.040339][ T5005] ? seccomp_filter_release+0x22b/0x2d0 [ 86.040349][ T5005] ? seccomp_filter_release+0x22b/0x2d0 [ 86.040360][ T5005] kfree+0x5b2/0x630 [ 86.040373][ T5005] ? queue_work_on+0x159/0x1d0 [ 86.040387][ T5005] seccomp_filter_release+0x22b/0x2d0 [ 86.040399][ T5005] do_exit+0x338/0x2320 [ 86.040409][ T5005] ? sock_write_iter+0x360/0x550 [ 86.040659][ T5005] ? __pfx_do_exit+0x10/0x10 [ 86.040670][ T5005] ? do_raw_spin_lock+0x12b/0x2f0 [ 86.040683][ T5005] do_group_exit+0x21b/0x2d0 [ 86.040693][ T5005] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.040836][ T5005] get_signal+0x1284/0x1330 [ 86.040853][ T5005] arch_do_signal_or_restart+0xbc/0x830 [ 86.040869][ T5005] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 86.040885][ T5005] exit_to_user_mode_loop+0x86/0x480 [ 86.040897][ T5005] ? rcu_is_watching+0x15/0xb0 [ 86.040912][ T5005] do_syscall_64+0x32d/0xf80 [ 86.040926][ T5005] ? trace_irq_disable+0x3b/0x150 [ 86.040940][ T5005] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.040952][ T5005] ? clear_bhb_loop+0x40/0x90 [ 86.040963][ T5005] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.040974][ T5005] RIP: 0033:0x7f17be75e6c7 [ 86.041016][ T5005] Code: 4d 85 ed 74 e0 4d 85 e4 74 0b 48 89 ef 41 ff d4 4c 89 ee eb da 48 89 f7 e8 e6 1c f3 ff eb f1 0f 1f 40 00 b8 0c 00 00 00 0f 05 <48> 8b 15 6a a7 0d 00 48 89 02 48 39 f8 72 0a 31 c0 c3 0f 1f 80 00 [ 86.041025][ T5005] RSP: 002b:00007ffee7ed12e8 EFLAGS: 00000206 ORIG_RAX: 000000000000000c [ 86.041039][ T5005] RAX: 0000555a5beac000 RBX: fffffffffffdf000 RCX: 00007f17be75e6c7 [ 86.041046][ T5005] RDX: fffffffffffff000 RSI: 0000000000000120 RDI: 0000555a5beac000 [ 86.041052][ T5005] RBP: 0000555a5becd000 R08: 000000000000fe90 R09: 0000000000000000 [ 86.041059][ T5005] R10: 0000000000000120 R11: 0000000000000206 R12: 00007f17be840e50 [ 86.041065][ T5005] R13: 0000000000000009 R14: 0000000000001081 R15: 00007f17be839ac0 [ 86.041076][ T5005] [ 86.041080][ T5005] [ 86.171702][ T5005] Allocated by task 5319: [ 86.173049][ T5005] kasan_save_track+0x3e/0x80 [ 86.174894][ T5005] __kasan_kmalloc+0x93/0xb0 [ 86.176891][ T5005] __kmalloc_cache_noprof+0x31c/0x660 [ 86.179217][ T5005] bpf_raw_tp_link_attach+0x278/0x700 [ 86.181013][ T5005] bpf_raw_tracepoint_open+0x1b2/0x220 [ 86.182594][ T5005] __sys_bpf+0x846/0x950 [ 86.184047][ T5005] __x64_sys_bpf+0x7c/0x90 [ 86.186269][ T5005] do_syscall_64+0x14d/0xf80 [ 86.188361][ T5005] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.190857][ T5005] [ 86.191821][ T5005] Freed by task 5174: [ 86.193374][ T5005] kasan_save_track+0x3e/0x80 [ 86.195486][ T5005] kasan_save_free_info+0x46/0x50 [ 86.197569][ T5005] __kasan_slab_free+0x5c/0x80 [ 86.199641][ T5005] kfree+0x1c1/0x630 [ 86.201508][ T5005] rcu_core+0x7cd/0x1070 [ 86.203486][ T5005] handle_softirqs+0x22a/0x870 [ 86.205771][ T5005] do_softirq+0x76/0xd0 [ 86.207828][ T5005] __local_bh_enable_ip+0xf8/0x130 [ 86.210037][ T5005] packet_release+0xb01/0xcc0 [ 86.212680][ T5005] sock_close+0xc3/0x240 [ 86.214461][ T5005] __fput+0x44f/0xa70 [ 86.216375][ T5005] task_work_run+0x1d9/0x270 [ 86.218349][ T5005] do_exit+0x69b/0x2320 [ 86.221818][ T5005] do_group_exit+0x21b/0x2d0 [ 86.224483][ T5005] get_signal+0x1284/0x1330 [ 86.227608][ T5005] arch_do_signal_or_restart+0xbc/0x830 [ 86.230363][ T5005] exit_to_user_mode_loop+0x86/0x480 [ 86.233287][ T5005] do_syscall_64+0x32d/0xf80 [ 86.235409][ T5005] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.238410][ T5005] [ 86.239626][ T5005] Last potentially related work creation: [ 86.242189][ T5005] kasan_save_stack+0x3e/0x60 [ 86.244373][ T5005] kasan_record_aux_stack+0xbd/0xd0 [ 86.246622][ T5005] call_rcu+0xee/0x890 [ 86.248392][ T5005] bpf_link_release+0x6b/0x80 [ 86.250383][ T5005] __fput+0x44f/0xa70 [ 86.252043][ T5005] task_work_run+0x1d9/0x270 [ 86.253931][ T5005] exit_to_user_mode_loop+0xed/0x480 [ 86.256056][ T5005] do_syscall_64+0x32d/0xf80 [ 86.258009][ T5005] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.260347][ T5005] [ 86.261914][ T5005] The buggy address belongs to the object at ffff888038857c00 [ 86.261914][ T5005] which belongs to the cache kmalloc-192 of size 192 [ 86.267938][ T5005] The buggy address is located 128 bytes inside of [ 86.267938][ T5005] freed 192-byte region [ffff888038857c00, ffff888038857cc0) [ 86.273675][ T5005] [ 86.274778][ T5005] The buggy address belongs to the physical page: [ 86.277575][ T5005] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888038857800 pfn:0x38857 [ 86.282104][ T5005] flags: 0x4fff00000000200(workingset|node=1|zone=1|lastcpupid=0x7ff) [ 86.285620][ T5005] page_type: f5(slab) [ 86.287425][ T5005] raw: 04fff00000000200 ffff88801a8413c0 ffffea0000cedc10 ffffea0000d6d390 [ 86.291076][ T5005] raw: ffff888038857800 000000000010000f 00000000f5000000 0000000000000000 [ 86.294812][ T5005] page dumped because: kasan: bad access detected [ 86.297598][ T5005] page_owner tracks the page as allocated [ 86.299985][ T5005] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 21165293420, free_ts 21164742357 [ 86.308429][ T5005] post_alloc_hook+0x231/0x280 [ 86.310536][ T5005] get_page_from_freelist+0x24dc/0x2580 [ 86.312957][ T5005] __alloc_frozen_pages_noprof+0x18d/0x380 [ 86.315273][ T5005] allocate_slab+0x77/0x660 [ 86.317124][ T5005] refill_objects+0x331/0x3c0 [ 86.319092][ T5005] __pcs_replace_empty_main+0x2b9/0x620 [ 86.321309][ T5005] __kmalloc_noprof+0x474/0x760 [ 86.323371][ T5005] usb_alloc_urb+0x46/0x150 [ 86.325335][ T5005] usb_control_msg+0x118/0x3e0 [ 86.327286][ T5005] usb_get_descriptor+0xb1/0x3e0 [ 86.329302][ T5005] usb_get_device_descriptor+0x6d/0xd0 [ 86.332325][ T5005] register_root_hub+0x10f/0x5f0 [ 86.334624][ T5005] usb_add_hcd+0xba1/0x10b0 [ 86.336757][ T5005] vhci_hcd_probe+0x141/0x3e0 [ 86.338885][ T5005] platform_probe+0xf9/0x190 [ 86.341151][ T5005] really_probe+0x267/0xaf0 [ 86.343296][ T5005] page last free pid 1083 tgid 1083 stack trace: [ 86.346325][ T5005] __free_frozen_pages+0xc2b/0xdb0 [ 86.348720][ T5005] __kasan_populate_vmalloc+0x1b2/0x1d0 [ 86.351209][ T5005] alloc_vmap_area+0xd73/0x14b0 [ 86.353205][ T5005] __get_vm_area_node+0x1f8/0x300 [ 86.355273][ T5005] __vmalloc_node_range_noprof+0x372/0x1730 [ 86.357610][ T5005] __vmalloc_node_noprof+0xc2/0x100 [ 86.359833][ T5005] dup_task_struct+0x228/0x9a0 [ 86.362041][ T5005] copy_process+0x508/0x3cf0 [ 86.364007][ T5005] kernel_clone+0x248/0x8e0 [ 86.366264][ T5005] user_mode_thread+0x110/0x180 [ 86.368802][ T5005] call_usermodehelper_exec_work+0x5c/0x230 [ 86.371753][ T5005] process_scheduled_works+0xb02/0x1830 [ 86.374515][ T5005] worker_thread+0xa50/0xfc0 [ 86.377566][ T5005] kthread+0x388/0x470 [ 86.379641][ T5005] ret_from_fork+0x51e/0xb90 [ 86.381558][ T5005] ret_from_fork_asm+0x1a/0x30 [ 86.383621][ T5005] [ 86.384595][ T5005] Memory state around the buggy address: [ 86.386668][ T5005] ffff888038857b80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc [ 86.390091][ T5005] ffff888038857c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 86.393475][ T5005] >ffff888038857c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 86.396700][ T5005] ^ [ 86.398168][ T5005] ffff888038857d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 86.401520][ T5005] ffff888038857d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 86.404209][ T5005] ==================================================================