==================================================================
BUG: KASAN: slab-use-after-free in btf_name_valid_section kernel/bpf/btf.c:828 [inline]
BUG: KASAN: slab-use-after-free in btf_datasec_check_meta+0x94/0x300 kernel/bpf/btf.c:4698
Read at addr fdf000000dd4e480 by task syz.0.490/5013
Pointer tag: [fd], memory tag: [fe]

CPU: 0 UID: 0 PID: 5013 Comm: syz.0.490 Not tainted 6.11.0-rc2-syzkaller-00257-g5189dafa4cf9 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:317
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:324
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x78/0x90 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x108/0x618 mm/kasan/report.c:488
 kasan_report+0x88/0xac mm/kasan/report.c:601
 report_tag_fault arch/arm64/mm/fault.c:331 [inline]
 do_tag_recovery arch/arm64/mm/fault.c:343 [inline]
 __do_kernel_fault+0x170/0x1c8 arch/arm64/mm/fault.c:385
 do_bad_area arch/arm64/mm/fault.c:485 [inline]
 do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:750
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:826
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:432
 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:492
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:593
 btf_name_valid_section kernel/bpf/btf.c:828 [inline]
 btf_datasec_check_meta+0x94/0x300 kernel/bpf/btf.c:4698
 btf_check_meta kernel/bpf/btf.c:5180 [inline]
 btf_check_all_metas kernel/bpf/btf.c:5204 [inline]
 btf_parse_type_sec kernel/bpf/btf.c:5340 [inline]
 btf_parse kernel/bpf/btf.c:5732 [inline]
 btf_new_fd+0x544/0x1454 kernel/bpf/btf.c:7650
 bpf_btf_load kernel/bpf/syscall.c:5035 [inline]
 __sys_bpf+0x8d8/0x2168 kernel/bpf/syscall.c:5755
 __do_sys_bpf kernel/bpf/syscall.c:5817 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5815 [inline]
 __arm64_sys_bpf+0x24/0x34 kernel/bpf/syscall.c:5815
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
 el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598

Allocated by task 5011:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:47
 save_stack_info+0x40/0x158 mm/kasan/tags.c:106
 kasan_save_alloc_info+0x14/0x20 mm/kasan/tags.c:142
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 poison_kmalloc_redzone mm/kasan/common.c:343 [inline]
 __kasan_kmalloc+0xb4/0xb8 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __kmalloc_cache_node_noprof+0x174/0x314 mm/slub.c:4201
 kmalloc_node_noprof include/linux/slab.h:704 [inline]
 __get_vm_area_node+0x90/0x1a0 mm/vmalloc.c:3109
 __vmalloc_node_range_noprof+0xe4/0x848 mm/vmalloc.c:3801
 __vmalloc_node_noprof mm/vmalloc.c:3906 [inline]
 vmalloc_noprof+0x94/0xa4 mm/vmalloc.c:3939
 bpf_prog_calc_tag+0x68/0x228 kernel/bpf/core.c:302
 resolve_pseudo_ldimm64 kernel/bpf/verifier.c:18423 [inline]
 bpf_check+0x1380/0x2664 kernel/bpf/verifier.c:21666
 bpf_prog_load+0x678/0xbc0 kernel/bpf/syscall.c:2908
 __sys_bpf+0xc28/0x2168 kernel/bpf/syscall.c:5710
 __do_sys_bpf kernel/bpf/syscall.c:5817 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5815 [inline]
 __arm64_sys_bpf+0x24/0x34 kernel/bpf/syscall.c:5815
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
 el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598

Freed by task 5011:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:47
 save_stack_info+0x40/0x158 mm/kasan/tags.c:106
 kasan_save_free_info+0x18/0x24 mm/kasan/tags.c:147
 poison_slab_object+0x178/0x1c0 mm/kasan/common.c:240
 __kasan_slab_free+0x30/0x48 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2252 [inline]
 slab_free mm/slub.c:4473 [inline]
 kfree+0xd8/0x28c mm/slub.c:4594
 vfree+0xf8/0x34c mm/vmalloc.c:3369
 bpf_prog_calc_tag+0x174/0x228 kernel/bpf/core.c:358
 resolve_pseudo_ldimm64 kernel/bpf/verifier.c:18423 [inline]
 bpf_check+0x1380/0x2664 kernel/bpf/verifier.c:21666
 bpf_prog_load+0x678/0xbc0 kernel/bpf/syscall.c:2908
 __sys_bpf+0xc28/0x2168 kernel/bpf/syscall.c:5710
 __do_sys_bpf kernel/bpf/syscall.c:5817 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5815 [inline]
 __arm64_sys_bpf+0x24/0x34 kernel/bpf/syscall.c:5815
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
 el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598

The buggy address belongs to the object at fff000000dd4e480
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [fff000000dd4e480, fff000000dd4e4c0)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xfcf000000dd4e640 pfn:0x4dd4e
flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
page_type: 0xfdffffff(slab)
raw: 01ffc00000000000 fdf0000003001600 dead000000000122 0000000000000000
raw: fcf000000dd4e640 000000008040002f 00000001fdffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 fff000000dd4e200: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 fff000000dd4e300: fe fe fe fe fa fa fa fa fe fe fe fe fe fe fe fe
>fff000000dd4e400: fe fe fe fe fd fd fd fd fe fe fe fe fb fb fb fb
                                           ^
 fff000000dd4e500: f6 f6 f6 f6 fe fe fe fe f4 f4 f4 f4 fe fe fe fe
 fff000000dd4e600: f5 f5 f5 f5 fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================