==================================================================
BUG: KASAN: use-after-free in bq_enqueue kernel/bpf/cpumap.c:749 [inline]
BUG: KASAN: use-after-free in cpu_map_enqueue+0xb0/0x310 kernel/bpf/cpumap.c:775
Read of size 8 at addr ffff0000cd56b208 by task syz.3.346/5344

CPU: 1 PID: 5344 Comm: syz.3.346 Not tainted 6.1.127-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0x174/0x4c0 mm/kasan/report.c:427
 kasan_report+0xd4/0x130 mm/kasan/report.c:531
 __asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:351
 bq_enqueue kernel/bpf/cpumap.c:749 [inline]
 cpu_map_enqueue+0xb0/0x310 kernel/bpf/cpumap.c:775
 __xdp_do_redirect_frame net/core/filter.c:4324 [inline]
 xdp_do_redirect+0x54c/0x9d8 net/core/filter.c:4368
 tun_xdp_act+0xf4/0xfd0 drivers/net/tun.c:1625
 tun_build_skb drivers/net/tun.c:1715 [inline]
 tun_get_user+0x27d4/0x386c drivers/net/tun.c:1818
 tun_chr_write_iter+0xfc/0x204 drivers/net/tun.c:2044
 call_write_iter include/linux/fs.h:2265 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x610/0x91c fs/read_write.c:584
 ksys_write+0x15c/0x26c fs/read_write.c:637
 __do_sys_write fs/read_write.c:649 [inline]
 __se_sys_write fs/read_write.c:646 [inline]
 __arm64_sys_write+0x7c/0x90 fs/read_write.c:646
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Allocated by task 5319:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slab_common.c:936 [inline]
 __kmalloc_node+0xe0/0x1d0 mm/slab_common.c:943
 kmalloc_node include/linux/slab.h:589 [inline]
 bpf_map_kmalloc_node+0x21c/0x610 kernel/bpf/syscall.c:452
 __cpu_map_entry_alloc kernel/bpf/cpumap.c:445 [inline]
 cpu_map_update_elem+0x260/0xda0 kernel/bpf/cpumap.c:603
 bpf_map_update_value+0x294/0x844 kernel/bpf/syscall.c:188
 map_update_elem+0x538/0x6b8 kernel/bpf/syscall.c:1463
 __sys_bpf+0x2dc/0x654 kernel/bpf/syscall.c:5013
 __do_sys_bpf kernel/bpf/syscall.c:5129 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5127 [inline]
 __arm64_sys_bpf+0x80/0x98 kernel/bpf/syscall.c:5127
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Freed by task 5320:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:516
 ____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook mm/slub.c:1750 [inline]
 slab_free mm/slub.c:3661 [inline]
 __kmem_cache_free+0x2c0/0x4b4 mm/slub.c:3674
 kfree+0xcc/0x1b8 mm/slab_common.c:988
 put_cpu_map_entry+0x5a8/0x648 kernel/bpf/cpumap.c:161
 cpu_map_kthread_run+0x2188/0x223c kernel/bpf/cpumap.c:408
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

Last potentially related work creation:
 kasan_save_stack+0x40/0x70 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:486
 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:496
 insert_work+0x64/0x384 kernel/workqueue.c:1361
 __queue_work+0xd48/0x136c kernel/workqueue.c:1520
 queue_work_on+0xc0/0x16c kernel/workqueue.c:1548
 queue_work include/linux/workqueue.h:512 [inline]
 schedule_work include/linux/workqueue.h:573 [inline]
 __cpu_map_entry_replace+0x17c/0x19c kernel/bpf/cpumap.c:558
 cpu_map_free+0xac/0x170 kernel/bpf/cpumap.c:641
 bpf_map_free_deferred+0xbc/0xd0 kernel/bpf/syscall.c:635
 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

Second to last potentially related work creation:
 kasan_save_stack+0x40/0x70 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:486
 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:496
 call_rcu+0xfc/0xa40 kernel/rcu/tree.c:2845
 __cpu_map_entry_replace+0x94/0x19c kernel/bpf/cpumap.c:556
 cpu_map_free+0xac/0x170 kernel/bpf/cpumap.c:641
 bpf_map_free_deferred+0xbc/0xd0 kernel/bpf/syscall.c:635
 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

The buggy address belongs to the object at ffff0000cd56b200
 which belongs to the cache kmalloc-cg-256 of size 256
The buggy address is located 8 bytes inside of
 256-byte region [ffff0000cd56b200, ffff0000cd56b300)

The buggy address belongs to the physical page:
page:000000001f482857 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10d56a
head:000000001f482857 order:1 compound_mapcount:0 compound_pincount:0
memcg:ffff0000f5333201
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 fffffc0003528300 dead000000000003 ffff0000c0002f00
raw: 0000000000000000 0000000080100010 00000001ffffffff ffff0000f5333201
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000cd56b100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000cd56b180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000cd56b200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff0000cd56b280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000cd56b300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Unable to handle kernel paging request at virtual address e0ae108713c63ca4
KASAN: maybe wild-memory-access in range [0x057484389e31e520-0x057484389e31e527]
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004
  CM = 0, WnR = 0
[e0ae108713c63ca4] address between user and kernel address ranges
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 5344 Comm: syz.3.346 Tainted: G    B              6.1.127-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : bq_enqueue kernel/bpf/cpumap.c:751 [inline]
pc : cpu_map_enqueue+0x100/0x310 kernel/bpf/cpumap.c:775
lr : bq_enqueue kernel/bpf/cpumap.c:749 [inline]
lr : cpu_map_enqueue+0xd8/0x310 kernel/bpf/cpumap.c:775
sp : ffff8000218275b0
x29: ffff8000218275b0 x28: ffff0000f0310000 x27: ffff0001b3d12f00
x26: ffff0000cd56b200 x25: ffff80019e31d000 x24: dfff800000000000
x23: 00ae908713c63ca4 x22: ffff800015a91148 x21: 057484389e31e520
x20: 057484389e31e4c8 x19: ffff0000caf90000 x18: 0000000000000278
x17: 0000000000000000 x16: ffff80001232fa24 x15: 0000000000000002
x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000080000
x11: 000000000002f0d7 x10: ffff80002626b000 x9 : ffff8000086ab3fc
x8 : ffff80019e31d000 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800021826db8 x4 : ffff800015b731c0 x3 : ffff8000081a873c
x2 : 0000000000000001 x1 : 0000000000000001 x0 : 0000000000000008
Call trace:
 bq_enqueue kernel/bpf/cpumap.c:751 [inline]
 cpu_map_enqueue+0x100/0x310 kernel/bpf/cpumap.c:775
 __xdp_do_redirect_frame net/core/filter.c:4324 [inline]
 xdp_do_redirect+0x54c/0x9d8 net/core/filter.c:4368
 tun_xdp_act+0xf4/0xfd0 drivers/net/tun.c:1625
 tun_build_skb drivers/net/tun.c:1715 [inline]
 tun_get_user+0x27d4/0x386c drivers/net/tun.c:1818
 tun_chr_write_iter+0xfc/0x204 drivers/net/tun.c:2044
 call_write_iter include/linux/fs.h:2265 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x610/0x91c fs/read_write.c:584
 ksys_write+0x15c/0x26c fs/read_write.c:637
 __do_sys_write fs/read_write.c:649 [inline]
 __se_sys_write fs/read_write.c:646 [inline]
 __arm64_sys_write+0x7c/0x90 fs/read_write.c:646
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Code: f9400288 8b170114 91016295 d343feb7 (38f86ae8) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	f9400288 	ldr	x8, [x20]
   4:	8b170114 	add	x20, x8, x23
   8:	91016295 	add	x21, x20, #0x58
   c:	d343feb7 	lsr	x23, x21, #3
* 10:	38f86ae8 	ldrsb	w8, [x23, x24] <-- trapping instruction