==================================================================
BUG: KASAN: use-after-free in bcm_rx_handler+0x56a/0x700 net/can/bcm.c:671
Read of size 4 at addr ffff888088855818 by task syz-executor.2/11554

CPU: 1 PID: 11554 Comm: syz-executor.2 Not tainted 5.9.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x99/0xd0 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.9+0x9/0x503 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold.10+0x1f/0x37 mm/kasan/report.c:530
 bcm_rx_handler+0x56a/0x700 net/can/bcm.c:671
 deliver net/can/af_can.c:571 [inline]
 can_rcv_filter+0x36f/0x7b0 net/can/af_can.c:632
 can_receive+0x255/0x480 net/can/af_can.c:658
 can_rcv+0xd9/0x200 net/can/af_can.c:688
 __netif_receive_skb_one_core+0x10b/0x180 net/core/dev.c:5302
 process_backlog+0x1f8/0x6b0 net/core/dev.c:6306
 napi_poll net/core/dev.c:6750 [inline]
 net_rx_action+0x442/0xf50 net/core/dev.c:6820
 __do_softirq+0x1d5/0xa45 kernel/softirq.c:298
 asm_call_irq_on_stack+0xf/0x20
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0xa2/0xd0 arch/x86/kernel/irq_64.c:77
 do_softirq.part.10+0x6f/0x80 kernel/softirq.c:343
 netif_rx_ni+0x2af/0x480 net/core/dev.c:4836
 can_send+0x391/0x780 net/can/af_can.c:287
 isotp_sendmsg+0x6ae/0x1380 net/can/isotp.c:942
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:671
 ____sys_sendmsg+0x57b/0x7a0 net/socket.c:2353
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2407
 __sys_sendmsg+0xce/0x170 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4665f9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7ed3b01188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665f9
RDX: 0000000000000004 RSI: 00000000200003c0 RDI: 0000000000000004
RBP: 00000000004bfce1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffdc3c9dfdf R14: 00007f7ed3b01300 R15: 0000000000022000

Allocated by task 11565:
 kasan_save_stack+0x19/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc mm/kasan/common.c:461 [inline]
 __kasan_kmalloc.constprop.14+0xc1/0xd0 mm/kasan/common.c:434
 kmem_cache_alloc_trace+0x10e/0x1e0 mm/slub.c:2915
 kmalloc include/linux/slab.h:554 [inline]
 kzalloc include/linux/slab.h:666 [inline]
 bcm_rx_setup net/can/bcm.c:1070 [inline]
 bcm_sendmsg+0x1b3a/0x40b8 net/can/bcm.c:1331
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:671
 ____sys_sendmsg+0x57b/0x7a0 net/socket.c:2353
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2407
 __sys_sendmsg+0xce/0x170 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 11553:
 kasan_save_stack+0x19/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0xfe/0x140 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1544 [inline]
 slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1577
 slab_free mm/slub.c:3138 [inline]
 kfree+0xdd/0x660 mm/slub.c:4119
 bcm_release+0x1ce/0x530 net/can/bcm.c:1506
 __sock_release+0xbb/0x270 net/socket.c:596
 sock_close+0xf/0x20 net/socket.c:1277
 __fput+0x1ff/0x830 fs/file_table.c:281
 task_work_run+0xc2/0x160 kernel/task_work.c:141
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:165 [inline]
 exit_to_user_mode_prepare+0x1b6/0x1c0 kernel/entry/common.c:192
 syscall_exit_to_user_mode+0x41/0x2a0 kernel/entry/common.c:267
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff888088855800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 24 bytes inside of
 512-byte region [ffff888088855800, ffff888088855a00)
The buggy address belongs to the page:
page:000000000ef80ac7 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x88854
head:000000000ef80ac7 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff8880b5841280
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2219 [inline]
 prep_new_page+0x12f/0x240 mm/page_alloc.c:2225
 get_page_from_freelist+0x1a3e/0x5d10 mm/page_alloc.c:3844
 __alloc_pages_nodemask+0x2cd/0x7d0 mm/page_alloc.c:4895
 alloc_pages include/linux/gfp.h:545 [inline]
 alloc_slab_page mm/slub.c:1615 [inline]
 allocate_slab+0x284/0x510 mm/slub.c:1758
 new_slab mm/slub.c:1819 [inline]
 new_slab_objects mm/slub.c:2576 [inline]
 ___slab_alloc+0x49e/0x830 mm/slub.c:2737
 __slab_alloc.isra.50+0xd2/0x170 mm/slub.c:2777
 slab_alloc_node mm/slub.c:2852 [inline]
 slab_alloc mm/slub.c:2896 [inline]
 kmem_cache_alloc_trace+0x19e/0x1e0 mm/slub.c:2913
 kmalloc include/linux/slab.h:554 [inline]
 kmalloc_array include/linux/slab.h:593 [inline]
 rtnl_newlink+0x43/0x80 net/core/rtnetlink.c:3496
 rtnetlink_rcv_msg+0x353/0x8c0 net/core/rtnetlink.c:5563
 netlink_rcv_skb+0x117/0x370 net/netlink/af_netlink.c:2489
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x766/0xc10 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:671
 __sys_sendto+0x1d2/0x2b0 net/socket.c:1992
 __do_sys_sendto net/socket.c:2004 [inline]
 __se_sys_sendto net/socket.c:2000 [inline]
 __x64_sys_sendto+0xd8/0x1b0 net/socket.c:2000
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888088855700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888088855780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888088855800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff888088855880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888088855900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
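The three stacks above tell the story: the kmalloc-512 object was allocated by bcm_rx_setup() from bcm_sendmsg(), freed by bcm_release() when another task closed its BCM socket, and then read again in bcm_rx_handler() while a third task's isotp_sendmsg() looped a CAN frame back through netif_rx_ni() into the softirq receive path. The "Memory state" block is how KASAN backs that up, and it is worth being able to read it by hand: under generic KASAN on x86-64 one shadow byte guards 8 bytes of memory, so each printed row of 16 shadow bytes covers 128 bytes (which is why the row addresses step by 0x80), the `>` marks the row holding the faulting address and the `^` the granule inside it. The following decoder is an added example written for this page, not code from syzkaller or the kernel; it embeds the five rows above as constructed input, uses the shadow encodings as I read them from mm/kasan/kasan.h of the v5.9 era (0xfc kmalloc redzone, 0xfb freed object, 0xfa the free-track slot at the start of a freed object, 0xfe/0xff page redzone and freed page; treat the 0xfa meaning as an assumption for other kernel versions), and recovers from the dump alone that address ffff888088855818 sits in freed memory 24 bytes into an object starting at ffff888088855800. The trailing redzone of that object lies beyond the last printed row, so the decoder reports the object end as unknown; the report itself supplies the full [ffff888088855800, ffff888088855a00) range from slab metadata.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_GRANULE 8            /* bytes of memory per shadow byte (generic KASAN) */
#define ROW_BYTES     16           /* shadow bytes printed per "Memory state" row */
#define MAX_SHADOW    (8 * ROW_BYTES)

/* Shadow byte encodings as found in mm/kasan/kasan.h around v5.9. The 0xfa
 * free-track meaning is an assumption for kernels other than that era. */
#define KASAN_FREE_PAGE         0xFF
#define KASAN_PAGE_REDZONE      0xFE
#define KASAN_KMALLOC_REDZONE   0xFC
#define KASAN_KMALLOC_FREE      0xFB
#define KASAN_KMALLOC_FREETRACK 0xFA

struct shadow_dump {
    uint64_t base;                 /* memory address guarded by bytes[0] */
    uint8_t  bytes[MAX_SHADOW];
    size_t   n;
};

/* Constructed input: the "Memory state" rows of the report above, with the
 * '>' marker, the '^' line and the leading space removed. */
static const char *const report_rows[] = {
    "ffff888088855700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    "ffff888088855780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    "ffff888088855800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    "ffff888088855880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    "ffff888088855900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
};
#define REPORT_NROWS (sizeof(report_rows) / sizeof(report_rows[0]))

/* Parse contiguous rows into one shadow array; -1 on malformed input or a gap. */
int parse_shadow_rows(const char *const *rows, size_t nrows, struct shadow_dump *d)
{
    memset(d, 0, sizeof(*d));
    for (size_t r = 0; r < nrows; r++) {
        char *p;
        uint64_t addr = strtoull(rows[r], &p, 16);
        if (*p != ':')
            return -1;
        if (r == 0)
            d->base = addr;
        else if (addr != d->base + d->n * KASAN_GRANULE)
            return -1;             /* each row must continue the previous one */
        p++;
        for (int i = 0; i < ROW_BYTES; i++) {
            char *q;
            unsigned long v = strtoul(p, &q, 16);
            if (d->n >= MAX_SHADOW || q == p || v > 0xff)
                return -1;
            d->bytes[d->n++] = (uint8_t)v;
            p = q;
        }
    }
    return 0;
}

/* Shadow byte guarding addr, or -1 when addr is outside the dump. */
int shadow_byte_at(const struct shadow_dump *d, uint64_t addr)
{
    if (addr < d->base || addr >= d->base + d->n * KASAN_GRANULE)
        return -1;
    return d->bytes[(addr - d->base) / KASAN_GRANULE];
}

const char *shadow_state(int sb)
{
    switch (sb) {
    case 0x00:                    return "addressable";
    case KASAN_KMALLOC_REDZONE:   return "kmalloc redzone";
    case KASAN_KMALLOC_FREE:
    case KASAN_KMALLOC_FREETRACK: return "freed slab object";
    case KASAN_PAGE_REDZONE:      return "page redzone";
    case KASAN_FREE_PAGE:         return "freed page";
    default:
        return (sb > 0 && sb < KASAN_GRANULE) ? "partially addressable" : "unknown";
    }
}

static int is_boundary(uint8_t b)
{
    return b == KASAN_KMALLOC_REDZONE || b == KASAN_PAGE_REDZONE || b == KASAN_FREE_PAGE;
}

/* Walk outward from the faulting granule to the nearest redzone on each side.
 * Returns the offset of addr inside the enclosing object (-1 if addr is not
 * in the dump), sets *start, and sets *end to the object end when the trailing
 * redzone is visible, or 0 when the dump ran out first. */
int64_t object_offset(const struct shadow_dump *d, uint64_t addr, uint64_t *start, uint64_t *end)
{
    if (shadow_byte_at(d, addr) < 0)
        return -1;
    size_t lo = (addr - d->base) / KASAN_GRANULE, hi = lo;
    while (lo > 0 && !is_boundary(d->bytes[lo - 1]))
        lo--;
    while (hi + 1 < d->n && !is_boundary(d->bytes[hi + 1]))
        hi++;
    *start = d->base + lo * KASAN_GRANULE;
    *end = (hi + 1 < d->n) ? d->base + (hi + 1) * KASAN_GRANULE : 0;
    return (int64_t)(addr - *start);
}

int main(void)
{
    struct shadow_dump d;
    uint64_t addr = 0xffff888088855818ULL, start, end;   /* from the BUG line */
    if (parse_shadow_rows(report_rows, REPORT_NROWS, &d) != 0)
        return 1;
    int sb = shadow_byte_at(&d, addr);
    int64_t off = object_offset(&d, addr, &start, &end);
    printf("%#llx: shadow %02x (%s), %lld bytes into object at %#llx, end %s\n",
           (unsigned long long)addr, sb, shadow_state(sb), (long long)off,
           (unsigned long long)start, end ? "visible" : "beyond dump");
    return 0;
}
```

The same walk works for the other report shapes you will meet: an access whose shadow byte is 0xfc with a live (00) object just below it is a slab-out-of-bounds, and a value of 01..07 means the access crossed the usable tail of a short object inside its last granule.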