==================================================================
BUG: KFENCE: use-after-free read in bpf_link_free+0x1df/0x320 kernel/bpf/syscall.c:3078

Use-after-free read at 0xffff88823bd76010 (in kfence-#186):
 bpf_link_free+0x1df/0x320 kernel/bpf/syscall.c:3078
 bpf_link_put_direct kernel/bpf/syscall.c:3106 [inline]
 bpf_link_release+0x63/0x80 kernel/bpf/syscall.c:3113
 __fput+0x270/0xb80 fs/file_table.c:422
 __fput_sync+0x47/0x50 fs/file_table.c:507
 __do_sys_close fs/open.c:1556 [inline]
 __se_sys_close fs/open.c:1541 [inline]
 __x64_sys_close+0x86/0x100 fs/open.c:1541
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

kfence-#186: 0xffff88823bd76000-0xffff88823bd76077, size=120, cache=kmalloc-128

allocated by task 22580 on cpu 1 at 1471.920417s:
 kfence_alloc include/linux/kfence.h:129 [inline]
 slab_alloc_node mm/slub.c:3904 [inline]
 kmalloc_trace+0x1fa/0x340 mm/slub.c:4065
 kmalloc include/linux/slab.h:628 [inline]
 kzalloc include/linux/slab.h:749 [inline]
 bpf_raw_tp_link_attach+0x18b/0x640 kernel/bpf/syscall.c:3858
 bpf_raw_tracepoint_open kernel/bpf/syscall.c:3905 [inline]
 __sys_bpf+0x3a7/0x4b70 kernel/bpf/syscall.c:5729
 __do_sys_bpf kernel/bpf/syscall.c:5794 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5792 [inline]
 __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5792
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

freed by task 24 on cpu 1 at 1472.027496s:
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0x828/0x16b0 kernel/rcu/tree.c:2809
 handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
 run_ksoftirqd kernel/softirq.c:928 [inline]
 run_ksoftirqd+0x3a/0x60 kernel/softirq.c:920
 smpboot_thread_fn+0x661/0xa10 kernel/smpboot.c:164
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
CPU: 1 PID: 22579 Comm: syz-executor.1 Not tainted 6.9.0-syzkaller-08995-g0450d2083be6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:bpf_link_free+0x1df/0x320 kernel/bpf/syscall.c:3078
Code: 8d 7b 20 48 c7 c6 a0 81 9e 81 e8 9c ec d4 ff 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 1c 01 00 00 <48> 8b 6b 10 e8 58 53 ef ff 48 8d 7d 08 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc900034cfe40 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88823bd76000 RCX: 1ffffffff1fc76a1
RDX: 1ffff110477aec02 RSI: ffffffff8b2caba0 RDI: ffffffff8b8f9300
RBP: ffffffff8b3418a0 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8fe3f797 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88823bd76010 R14: ffff88823bd76018 R15: ffffffff819ea040
FS:  0000555555c20480(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823bd76010 CR3: 000000007f91e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 bpf_link_put_direct kernel/bpf/syscall.c:3106 [inline]
 bpf_link_release+0x63/0x80 kernel/bpf/syscall.c:3113
 __fput+0x270/0xb80 fs/file_table.c:422
 __fput_sync+0x47/0x50 fs/file_table.c:507
 __do_sys_close fs/open.c:1556 [inline]
 __se_sys_close fs/open.c:1541 [inline]
 __x64_sys_close+0x86/0x100 fs/open.c:1541
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f462647bdda
Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
RSP: 002b:00007fff180ca020 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f462647bdda
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000008
RBP: 00007fff180ca0f8 R08: 00007f4626400000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000293 R12: 00000000001675d3
R13: 00007f46265abf8c R14: 00007f46265abf80 R15: 0000000000000032
==================================================================
----------------
Code disassembly (best guess):
   0:	8d 7b 20             	lea    0x20(%rbx),%edi
   3:	48 c7 c6 a0 81 9e 81 	mov    $0xffffffff819e81a0,%rsi
   a:	e8 9c ec d4 ff       	call   0xffd4ecab
   f:	4c 89 ea             	mov    %r13,%rdx
  12:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  19:	fc ff df
  1c:	48 c1 ea 03          	shr    $0x3,%rdx
  20:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
  24:	0f 85 1c 01 00 00    	jne    0x146
* 2a:	48 8b 6b 10          	mov    0x10(%rbx),%rbp		<-- trapping instruction
  2e:	e8 58 53 ef ff       	call   0xffef538b
  33:	48 8d 7d 08          	lea    0x8(%rbp),%rdi
  37:	48                   	rex.W
  38:	b8 00 00 00 00       	mov    $0x0,%eax
  3d:	00 fc                	add    %bh,%ah
  3f:	ff                   	.byte 0xff

Reading the dump: the trapping instruction loads 0x10(%rbx); with RBX = ffff88823bd76000 that is ffff88823bd76010, which is both the CR2 value and the address KFENCE reports as the use-after-free read inside the freed object kfence-#186. The movabs/shr/cmpb sequence just before it appears to be the compiler-emitted KASAN shadow check on the same address (R13 = ffff88823bd76010), and the "freed by" trace shows the object was released from an RCU callback before the close()-driven bpf_link_free ran.