program:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10)
r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
preadv(r1, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)

[   85.022385][ T5300] Bluetooth: hci0: command tx timeout
[   85.197858][ T5189] ==================================================================
[   85.203028][ T5189] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[   85.206537][ T5189] Read of size 8 at addr ffff8880359bf880 by task dhcpcd/5189
[   85.209941][ T5189] 
[   85.211238][ T5189] CPU: 0 UID: 101 PID: 5189 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   85.211255][ T5189] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   85.211263][ T5189] Call Trace:
[   85.211271][ T5189]  <TASK>
[   85.211277][ T5189]  dump_stack_lvl+0xe8/0x150
[   85.211299][ T5189]  print_report+0xba/0x230
[   85.211313][ T5189]  ? bpf_trace_run2+0x2c4/0x840
[   85.211326][ T5189]  kasan_report+0x117/0x150
[   85.211339][ T5189]  ? bpf_trace_run2+0x2c4/0x840
[   85.211351][ T5189]  bpf_trace_run2+0x2c4/0x840
[   85.211366][ T5189]  ? __queue_work+0x1a1/0x1020
[   85.211383][ T5189]  ? bpf_trace_run2+0x1c9/0x840
[   85.211397][ T5189]  ? __pfx_bpf_trace_run2+0x10/0x10
[   85.211411][ T5189]  ? seccomp_filter_release+0x22b/0x2d0
[   85.211426][ T5189]  ? seccomp_filter_release+0x22b/0x2d0
[   85.211435][ T5189]  ? seccomp_filter_release+0x22b/0x2d0
[   85.211445][ T5189]  kfree+0x5b2/0x630
[   85.211461][ T5189]  ? queue_work_on+0x159/0x1d0
[   85.211475][ T5189]  seccomp_filter_release+0x22b/0x2d0
[   85.211487][ T5189]  do_exit+0x3b0/0x23c0
[   85.211498][ T5189]  ? count_memcg_event_mm+0x21/0x260
[   85.211513][ T5189]  ? __pfx_do_exit+0x10/0x10
[   85.211522][ T5189]  ? count_memcg_event_mm+0x21/0x260
[   85.211533][ T5189]  ? do_raw_spin_lock+0x12b/0x2f0
[   85.211546][ T5189]  do_group_exit+0x21b/0x2d0
[   85.211555][ T5189]  ? _raw_spin_unlock_irq+0x23/0x50
[   85.211631][ T5189]  get_signal+0x1284/0x1330
[   85.211650][ T5189]  arch_do_signal_or_restart+0xbc/0x830
[   85.211665][ T5189]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[   85.211678][ T5189]  ? do_user_addr_fault+0xc6f/0x1340
[   85.211692][ T5189]  irqentry_exit+0x176/0x620
[   85.211700][ T5189]  ? trace_irq_disable+0x3b/0x150
[   85.211716][ T5189]  asm_exc_page_fault+0x26/0x30
[   85.211728][ T5189] RIP: 0033:0x7f5f4cff23b3
[   85.211741][ T5189] Code: 25 00 03 00 00 e8 4d b1 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 53 49 89 ca 64 48 8b 1c 25 10 00 00 00 8b 83 08 03 00 00 <80> 3d 66 1d 15 00 00 75 44 a8 01 75 40 a8 10 75 3c 41 51 4c 8d 9b
[   85.211750][ T5189] RSP: 002b:00007ffc6e3f0e00 EFLAGS: 00010206
[   85.211764][ T5189] RAX: 0000000000000000 RBX: 00007f5f4cf68780 RCX: 0000000000000000
[   85.211771][ T5189] RDX: 00000000000100e0 RSI: 00007ffc6e3f0ea0 RDI: 0000000000000018
[   85.211777][ T5189] RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
[   85.211783][ T5189] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffc6e401080
[   85.211790][ T5189] R13: 00005557f5442c40 R14: 00007ffc6e3f0ea0 R15: 00007ffc6e401070
[   85.211802][ T5189]  </TASK>
[   85.211805][ T5189] 
[   85.333949][ T5189] Allocated by task 5324:
[   85.336299][ T5189]  kasan_save_track+0x3e/0x80
[   85.338900][ T5189]  __kasan_kmalloc+0x93/0xb0
[   85.341538][ T5189]  __kmalloc_cache_noprof+0x31c/0x660
[   85.344461][ T5189]  bpf_raw_tp_link_attach+0x278/0x700
[   85.347245][ T5189]  bpf_raw_tracepoint_open+0x1b2/0x220
[   85.349845][ T5189]  __sys_bpf+0x846/0x950
[   85.351763][ T5189]  __x64_sys_bpf+0x7c/0x90
[   85.353855][ T5189]  do_syscall_64+0x14d/0xf80
[   85.355942][ T5189]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.358651][ T5189] 
[   85.359956][ T5189] Freed by task 5133:
[   85.362047][ T5189]  kasan_save_track+0x3e/0x80
[   85.364497][ T5189]  kasan_save_free_info+0x46/0x50
[   85.366836][ T5189]  __kasan_slab_free+0x5c/0x80
[   85.369311][ T5189]  kfree+0x1c1/0x630
[   85.371620][ T5189]  rcu_core+0x7cd/0x1070
[   85.373858][ T5189]  handle_softirqs+0x22a/0x870
[   85.375992][ T5189]  __irq_exit_rcu+0x5f/0x150
[   85.378091][ T5189]  irq_exit_rcu+0x9/0x30
[   85.380128][ T5189]  sysvec_apic_timer_interrupt+0xa6/0xc0
[   85.383053][ T5189]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[   85.385902][ T5189] 
[   85.387166][ T5189] Last potentially related work creation:
[   85.389985][ T5189]  kasan_save_stack+0x3e/0x60
[   85.392485][ T5189]  kasan_record_aux_stack+0xbd/0xd0
[   85.395027][ T5189]  call_rcu+0xee/0x890
[   85.396965][ T5189]  bpf_link_release+0x6b/0x80
[   85.399330][ T5189]  __fput+0x44f/0xa70
[   85.401332][ T5189]  task_work_run+0x1d9/0x270
[   85.403739][ T5189]  exit_to_user_mode_loop+0xed/0x480
[   85.406222][ T5189]  do_syscall_64+0x32d/0xf80
[   85.408482][ T5189]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.411429][ T5189] 
[   85.412628][ T5189] The buggy address belongs to the object at ffff8880359bf800
[   85.412628][ T5189]  which belongs to the cache kmalloc-192 of size 192
[   85.419079][ T5189] The buggy address is located 128 bytes inside of
[   85.419079][ T5189]  freed 192-byte region [ffff8880359bf800, ffff8880359bf8c0)
[   85.426048][ T5189] 
[   85.427283][ T5189] The buggy address belongs to the physical page:
[   85.430249][ T5189] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x359bf
[   85.434479][ T5189] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   85.438454][ T5189] page_type: f5(slab)
[   85.440606][ T5189] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122
[   85.444421][ T5189] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[   85.448862][ T5189] page dumped because: kasan: bad access detected
[   85.452323][ T5189] page_owner tracks the page as allocated
[   85.454882][ T5189] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 15058238910, free_ts 15057357030
[   85.464584][ T5189]  post_alloc_hook+0x231/0x280
[   85.466927][ T5189]  get_page_from_freelist+0x24dc/0x2580
[   85.469539][ T5189]  __alloc_frozen_pages_noprof+0x18d/0x380
[   85.472147][ T5189]  allocate_slab+0x77/0x660
[   85.474550][ T5189]  refill_objects+0x331/0x3c0
[   85.477030][ T5189]  __pcs_replace_empty_main+0x2e6/0x730
[   85.479886][ T5189]  __kmalloc_node_track_caller_noprof+0x572/0x7b0
[   85.483024][ T5189]  kmemdup_array+0x3f/0x80
[   85.485438][ T5189]  platform_device_add_resources+0x34/0xf0
[   85.488718][ T5189]  mfd_add_devices+0x119e/0x1920
[   85.491178][ T5189]  lpc_ich_probe+0x91e/0x2370
[   85.493193][ T5189]  pci_device_probe+0x41a/0xc70
[   85.495397][ T5189]  really_probe+0x267/0xaf0
[   85.497724][ T5189]  __driver_probe_device+0x18c/0x320
[   85.500593][ T5189]  driver_probe_device+0x4f/0x240
[   85.503109][ T5189]  __driver_attach+0x349/0x640
[   85.505421][ T5189] page last free pid 42 tgid 42 stack trace:
[   85.508725][ T5189]  __free_frozen_pages+0xc2b/0xdb0
[   85.511567][ T5189]  __kasan_populate_vmalloc+0x1b2/0x1d0
[   85.514280][ T5189]  alloc_vmap_area+0xd73/0x14b0
[   85.516446][ T5189]  __get_vm_area_node+0x1f8/0x300
[   85.518878][ T5189]  __vmalloc_node_range_noprof+0x372/0x1730
[   85.523320][ T5189]  __vmalloc_node_noprof+0xc2/0x100
[   85.526174][ T5189]  dup_task_struct+0x275/0x9a0
[   85.528315][ T5189]  copy_process+0x508/0x3cd0
[   85.530359][ T5189]  kernel_clone+0x248/0x8e0
[   85.532264][ T5189]  user_mode_thread+0x110/0x180
[   85.534346][ T5189]  call_usermodehelper_exec_work+0x5c/0x230
[   85.537379][ T5189]  process_scheduled_works+0xb6e/0x18c0
[   85.540300][ T5189]  worker_thread+0xa53/0xfc0
[   85.542379][ T5189]  kthread+0x388/0x470
[   85.544226][ T5189]  ret_from_fork+0x51e/0xb90
[   85.546289][ T5189]  ret_from_fork_asm+0x1a/0x30
[   85.548685][ T5189] 
[   85.550025][ T5189] Memory state around the buggy address:
[   85.552854][ T5189]  ffff8880359bf780: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[   85.556206][ T5189]  ffff8880359bf800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.559868][ T5189] >ffff8880359bf880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   85.564087][ T5189]                    ^
[   85.566405][ T5189]  ffff8880359bf900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.569965][ T5189]  ffff8880359bf980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   85.573625][ T5189] ==================================================================