program:
# syzkaller reproducer (syz program). The security-relevant part is the first
# two calls: a raw-tracepoint BPF program is loaded and attached to the "kfree"
# raw tracepoint, which fires for every kfree() in the system, not just in the
# fuzzer's own task. The KASAN report that follows shows bpf_trace_run2(),
# reached from kfree() in an unrelated process (dhcpcd), reading 8 bytes from a
# kmalloc-192 object that was allocated in bpf_raw_tp_link_attach() and had
# already been freed by the RCU callback queued from bpf_link_release() (the
# link fd's fput). In other words the raw-tp link appears to be torn down
# while a tracepoint caller is still using it -- a kernel use-after-free
# reachable by anyone who can load a raw-tracepoint program.
# NOTE(review): BPF_PROG_TYPE_RAW_TRACEPOINT loads normally require CAP_BPF and
# CAP_PERFMON (or root), so treat this as a privileged-to-kernel memory-safety
# bug unless the tested config relaxes that -- confirm against the kernel
# config and unprivileged_bpf_disabled setting used for the run.
# The program blob is 5 instructions ending in exit (0x95); its exact
# semantics are not needed to reason about the report, only that it runs on
# every kfree() once attached.
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90)
# Attach r0 to the raw tracepoint "kfree". Issued async, so the link's open
# (and its eventual close when the executor drops the fd at program end --
# presumably the __fput -> bpf_link_release -> call_rcu in the report) races
# with the rest of the program and with concurrent kfree() callers.
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10) (async)
# The remaining calls (mice/evdev open, an emulated USB HID device plus control
# transfers, and a usbfs DISCONNECT_CLAIM) do not appear anywhere in the
# use-after-free stacks; they only show up in page_owner's record that the
# slab page was first handed out during hub_probe. They are presumably fuzzer
# noise that survived syz-repro minimisation -- verify by dropping them and
# re-running before treating the USB path as part of the trigger.
openat$mice(0xffffffffffffff9c, &(0x7f0000000080), 0x0)
syz_open_dev$evdev(&(0x7f0000000000), 0x3, 0x8b38a7869ced0d89)
r1 = syz_usb_connect$hid(0x3, 0x3f, &(0x7f0000000140)=ANY=[@ANYBLOB="12010000000000087d1e323200000000000109022d000100002000090400fc02030002000921ffff040122050009058103"], 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0) (async)
syz_usb_control_io(r1, &(0x7f0000000440)={0x2c, &(0x7f0000000100)={0x20, 0x3, 0x5, {0x5, 0x22, "26f860"}}, 0x0, 0x0, 0x0, 0x0}, 0x0) (async)
r2 = syz_open_dev$usbfs(&(0x7f0000000080), 0xf, 0x8041)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r2, 0x8108551b, &(0x7f0000000300)={0x0, 0x2, "4cf90fba85c830e42a3ca4b10f01bbcb15f3806c4853e7c44a6974759d9f643905a56baa4195fb396d9bfa306999f1586e5d1ca49add100a36b751a7d9fe0b182ebf2c8a0e66f72c1c08260030752f07cd4089473e52885a3c85bacf3ccfac5bb9435fe036dcfccd7254bbd8bce90e2284d29e1f17d6652270fd0abcb8729f16ff602b438bd122a9e09984e2799d0dbfef7533d1a930ea4f4b57605ace45f5815450693650ae000034aa0c5ca5e793516d156e5a5b34d6c17c40d753426a3d8e15e726d0f2622e873e0cbe63751bb62c68594d4cb0a21b92ad2e80f24a9b290a9eee6779022a0b7f5223e4e8c9f53f501ec8c439724078fdc076a51d50760566"})
[ 83.192610][ T5299] Bluetooth: hci0: command tx timeout
[ 83.523386][ T5014] ==================================================================
[ 83.527793][ T5014] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[ 83.532442][ T5014] Read of size 8 at addr ffff888038c83180 by task dhcpcd/5014
[ 83.536836][ T5014]
[ 83.537984][ T5014] CPU: 0 UID: 101 PID: 5014 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full)
[ 83.538001][ T5014] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 83.538008][ T5014] Call Trace:
[ 83.538016][ T5014]
[ 83.538022][ T5014] dump_stack_lvl+0xe8/0x150
[ 83.538042][ T5014] print_report+0xba/0x230
[ 83.538054][ T5014] ? bpf_trace_run2+0x2c4/0x840
[ 83.538068][ T5014] kasan_report+0x117/0x150
[ 83.538089][ T5014] ? bpf_trace_run2+0x2c4/0x840
[ 83.538104][ T5014] bpf_trace_run2+0x2c4/0x840
[ 83.538117][ T5014] ? ref_tracker_free+0x522/0x840
[ 83.538174][ T5014] ? bpf_trace_run2+0x1c9/0x840
[ 83.538187][ T5014] ? __pfx_bpf_trace_run2+0x10/0x10
[ 83.538200][ T5014] ? percpu_ref_put+0x1e/0x230
[ 83.538210][ T5014] ? security_sk_free+0xa4/0x180
[ 83.538219][ T5014] ? security_sk_free+0xa4/0x180
[ 83.538225][ T5014] ? security_sk_free+0xa4/0x180
[ 83.538232][ T5014] kfree+0x5b2/0x630
[ 83.538246][ T5014] security_sk_free+0xa4/0x180
[ 83.538255][ T5014] __sk_destruct+0x5dd/0x880
[ 83.538294][ T5014] unix_release_sock+0xa3e/0xc80
[ 83.538310][ T5014] ? __pfx_unix_release_sock+0x10/0x10
[ 83.538321][ T5014] ? down_write+0x16d/0x200
[ 83.538333][ T5014] ? __pfx_down_write+0x10/0x10
[ 83.538345][ T5014] unix_release+0x92/0xd0
[ 83.538357][ T5014] sock_close+0xc3/0x240
[ 83.538369][ T5014] ? __pfx_sock_close+0x10/0x10
[ 83.538379][ T5014] __fput+0x44f/0xa70
[ 83.538394][ T5014] task_work_run+0x1d9/0x270
[ 83.538407][ T5014] ? __pfx_task_work_run+0x10/0x10
[ 83.538417][ T5014] ? do_raw_spin_unlock+0x4d/0x210
[ 83.538430][ T5014] do_exit+0x70f/0x23c0
[ 83.538439][ T5014] ? fput_close_sync+0x11f/0x240
[ 83.538450][ T5014] ? __x64_sys_close+0x7e/0x110
[ 83.538466][ T5014] ? __pfx_do_exit+0x10/0x10
[ 83.538476][ T5014] ? do_raw_spin_lock+0x12b/0x2f0
[ 83.538486][ T5014] do_group_exit+0x21b/0x2d0
[ 83.538496][ T5014] ? _raw_spin_unlock_irq+0x23/0x50
[ 83.538511][ T5014] get_signal+0x1284/0x1330
[ 83.538528][ T5014] arch_do_signal_or_restart+0xbc/0x830
[ 83.538541][ T5014] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 83.538550][ T5014] ? kmem_cache_free+0x439/0x630
[ 83.538561][ T5014] ? fput_close_sync+0x11f/0x240
[ 83.538574][ T5014] exit_to_user_mode_loop+0x86/0x480
[ 83.538586][ T5014] ? rcu_is_watching+0x15/0xb0
[ 83.538601][ T5014] do_syscall_64+0x32d/0xf80
[ 83.538613][ T5014] ? trace_irq_disable+0x3b/0x150
[ 83.538627][ T5014] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 83.538638][ T5014] ? clear_bhb_loop+0x40/0x90
[ 83.538648][ T5014] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 83.538658][ T5014] RIP: 0033:0x7f53883c4407
[ 83.538669][ T5014] Code: Unable to access opcode bytes at 0x7f53883c43dd.
[ 83.538674][ T5014] RSP: 002b:00007ffd11da67a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[ 83.538686][ T5014] RAX: 0000000000000000 RBX: 00007f538833a780 RCX: 00007f53883c4407
[ 83.538693][ T5014] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000000e
[ 83.538698][ T5014] RBP: 00007ffd11db6a40 R08: 0000000000000000 R09: 0000000000000000
[ 83.538705][ T5014] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffd11db6a40
[ 83.538711][ T5014] R13: 000055bdc84e55f0 R14: 0000000000000001 R15: 0000000000000000
[ 83.538722][ T5014]
[ 83.538726][ T5014]
[ 83.683018][ T5014] Allocated by task 5322:
[ 83.684947][ T5014] kasan_save_track+0x3e/0x80
[ 83.687369][ T5014] __kasan_kmalloc+0x93/0xb0
[ 83.689825][ T5014] __kmalloc_cache_noprof+0x31c/0x660
[ 83.692734][ T5014] bpf_raw_tp_link_attach+0x278/0x700
[ 83.695301][ T5014] bpf_raw_tracepoint_open+0x1b2/0x220
[ 83.697702][ T5014] __sys_bpf+0x846/0x950
[ 83.699562][ T5014] __x64_sys_bpf+0x7c/0x90
[ 83.701869][ T5014] do_syscall_64+0x14d/0xf80
[ 83.704119][ T5014] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 83.707441][ T5014]
[ 83.708806][ T5014] Freed by task 5315:
[ 83.711044][ T5014] kasan_save_track+0x3e/0x80
[ 83.713238][ T5014] kasan_save_free_info+0x46/0x50
[ 83.715552][ T5014] __kasan_slab_free+0x5c/0x80
[ 83.718017][ T5014] kfree+0x1c1/0x630
[ 83.720105][ T5014] rcu_core+0x7cd/0x1070
[ 83.722236][ T5014] handle_softirqs+0x22a/0x870
[ 83.724676][ T5014] do_softirq+0x76/0xd0
[ 83.726954][ T5014] __local_bh_enable_ip+0xf8/0x130
[ 83.729973][ T5014] ipv6_get_lladdr+0x2aa/0x3f0
[ 83.732010][ T5014] mld_newpack+0x435/0xc90
[ 83.733964][ T5014] add_grhead+0x5a/0x2a0
[ 83.735886][ T5014] add_grec+0x1452/0x1740
[ 83.738132][ T5014] mld_send_initial_cr+0x288/0x550
[ 83.740750][ T5014] mld_dad_work+0x45/0x5b0
[ 83.742810][ T5014] process_scheduled_works+0xb6e/0x18c0
[ 83.745373][ T5014] worker_thread+0xa53/0xfc0
[ 83.747583][ T5014] kthread+0x388/0x470
[ 83.749514][ T5014] ret_from_fork+0x51e/0xb90
[ 83.751600][ T5014] ret_from_fork_asm+0x1a/0x30
[ 83.753928][ T5014]
[ 83.755077][ T5014] Last potentially related work creation:
[ 83.757495][ T5014] kasan_save_stack+0x3e/0x60
[ 83.759698][ T5014] kasan_record_aux_stack+0xbd/0xd0
[ 83.761928][ T5014] call_rcu+0xee/0x890
[ 83.763664][ T5014] bpf_link_release+0x6b/0x80
[ 83.765639][ T5014] __fput+0x44f/0xa70
[ 83.767304][ T5014] task_work_run+0x1d9/0x270
[ 83.768936][ T5014] exit_to_user_mode_loop+0xed/0x480
[ 83.770795][ T5014] do_syscall_64+0x32d/0xf80
[ 83.772592][ T5014] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 83.775440][ T5014]
[ 83.776750][ T5014] The buggy address belongs to the object at ffff888038c83100
[ 83.776750][ T5014] which belongs to the cache kmalloc-192 of size 192
[ 83.782003][ T5014] The buggy address is located 128 bytes inside of
[ 83.782003][ T5014] freed 192-byte region [ffff888038c83100, ffff888038c831c0)
[ 83.787460][ T5014]
[ 83.788824][ T5014] The buggy address belongs to the physical page:
[ 83.792397][ T5014] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x38c83
[ 83.796389][ T5014] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 83.799119][ T5014] page_type: f5(slab)
[ 83.800491][ T5014] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122
[ 83.803991][ T5014] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[ 83.808139][ T5014] page dumped because: kasan: bad access detected
[ 83.812051][ T5014] page_owner tracks the page as allocated
[ 83.814832][ T5014] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 20599654757, free_ts 20595678975
[ 83.824064][ T5014] post_alloc_hook+0x231/0x280
[ 83.826640][ T5014] get_page_from_freelist+0x24dc/0x2580
[ 83.829310][ T5014] __alloc_frozen_pages_noprof+0x18d/0x380
[ 83.831966][ T5014] allocate_slab+0x77/0x660
[ 83.834026][ T5014] refill_objects+0x331/0x3c0
[ 83.836166][ T5014] __pcs_replace_empty_main+0x2e6/0x730
[ 83.838660][ T5014] __kmalloc_noprof+0x474/0x760
[ 83.840844][ T5014] usb_alloc_urb+0x46/0x150
[ 83.843178][ T5014] usb_control_msg+0x118/0x3e0
[ 83.846069][ T5014] hub_probe+0xff0/0x3c10
[ 83.848519][ T5014] usb_probe_interface+0x668/0xc90
[ 83.851050][ T5014] really_probe+0x267/0xaf0
[ 83.853089][ T5014] __driver_probe_device+0x18c/0x320
[ 83.855365][ T5014] driver_probe_device+0x4f/0x240
[ 83.857515][ T5014] __device_attach_driver+0x279/0x430
[ 83.859773][ T5014] bus_for_each_drv+0x258/0x2f0
[ 83.862158][ T5014] page last free pid 42 tgid 42 stack trace:
[ 83.865193][ T5014] __free_frozen_pages+0xc2b/0xdb0
[ 83.867493][ T5014] __kasan_populate_vmalloc+0x1b2/0x1d0
[ 83.869618][ T5014] alloc_vmap_area+0xd73/0x14b0
[ 83.871263][ T5014] __get_vm_area_node+0x1f8/0x300
[ 83.873209][ T5014] __vmalloc_node_range_noprof+0x372/0x1730
[ 83.875633][ T5014] __vmalloc_node_noprof+0xc2/0x100
[ 83.878490][ T5014] dup_task_struct+0x275/0x9a0
[ 83.881601][ T5014] copy_process+0x508/0x3cd0
[ 83.883933][ T5014] kernel_clone+0x248/0x8e0
[ 83.886196][ T5014] user_mode_thread+0x110/0x180
[ 83.888680][ T5014] call_usermodehelper_exec_work+0x5c/0x230
[ 83.891612][ T5014] process_scheduled_works+0xb6e/0x18c0
[ 83.894138][ T5014] worker_thread+0xa53/0xfc0
[ 83.896605][ T5014] kthread+0x388/0x470
[ 83.898814][ T5014] ret_from_fork+0x51e/0xb90
[ 83.900845][ T5014] ret_from_fork_asm+0x1a/0x30
[ 83.902976][ T5014]
[ 83.904014][ T5014] Memory state around the buggy address:
[ 83.906466][ T5014] ffff888038c83080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 83.910056][ T5014] ffff888038c83100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 83.913863][ T5014] >ffff888038c83180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 83.917248][ T5014] ^
[ 83.918890][ T5014] ffff888038c83200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 83.922204][ T5014] ffff888038c83280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 83.925698][ T5014] ==================================================================
[ 83.986664][ T5014] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 83.990629][ T5014] CPU: 0 UID: 101 PID: 5014 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full)
[ 83.995670][ T5014] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 84.000393][ T5014] Call Trace:
[ 84.001944][ T5014]
[ 84.003292][ T5014] vpanic+0x56c/0xa60
[ 84.005048][ T5014] ? __pfx_vpanic+0x10/0x10
[ 84.007178][ T5014] panic+0xc5/0xd0
[ 84.009154][ T5014] ? __pfx_panic+0x10/0x10
[ 84.011922][ T5014] ? preempt_schedule_thunk+0x16/0x30
[ 84.014639][ T5014] ? bpf_trace_run2+0x2c4/0x840
[ 84.016753][ T5014] ? preempt_schedule_thunk+0x16/0x30
[ 84.019225][ T5014] ? bpf_trace_run2+0x2c4/0x840
[ 84.021503][ T5014] check_panic_on_warn+0x89/0xb0
[ 84.023878][ T5014] ? bpf_trace_run2+0x2c4/0x840
[ 84.026264][ T5014] end_report+0x73/0x180
[ 84.028419][ T5014] ? bpf_trace_run2+0x2c4/0x840
[ 84.030846][ T5014] kasan_report+0x128/0x150
[ 84.032782][ T5014] ? bpf_trace_run2+0x2c4/0x840
[ 84.035165][ T5014] bpf_trace_run2+0x2c4/0x840
[ 84.037179][ T5014] ? ref_tracker_free+0x522/0x840
[ 84.040089][ T5014] ? bpf_trace_run2+0x1c9/0x840
[ 84.042832][ T5014] ? __pfx_bpf_trace_run2+0x10/0x10
[ 84.045141][ T5014] ? percpu_ref_put+0x1e/0x230
[ 84.047355][ T5014] ? security_sk_free+0xa4/0x180
[ 84.049613][ T5014] ? security_sk_free+0xa4/0x180
[ 84.051882][ T5014] ? security_sk_free+0xa4/0x180
[ 84.054192][ T5014] kfree+0x5b2/0x630
[ 84.056589][ T5014] security_sk_free+0xa4/0x180
[ 84.059700][ T5014] __sk_destruct+0x5dd/0x880
[ 84.061948][ T5014] unix_release_sock+0xa3e/0xc80
[ 84.064217][ T5014] ? __pfx_unix_release_sock+0x10/0x10
[ 84.066704][ T5014] ? down_write+0x16d/0x200
[ 84.068800][ T5014] ? __pfx_down_write+0x10/0x10
[ 84.071141][ T5014] unix_release+0x92/0xd0
[ 84.073249][ T5014] sock_close+0xc3/0x240
[ 84.075335][ T5014] ? __pfx_sock_close+0x10/0x10
[ 84.077777][ T5014] __fput+0x44f/0xa70
[ 84.079668][ T5014] task_work_run+0x1d9/0x270
[ 84.081658][ T5014] ? __pfx_task_work_run+0x10/0x10
[ 84.083692][ T5014] ? do_raw_spin_unlock+0x4d/0x210
[ 84.085981][ T5014] do_exit+0x70f/0x23c0
[ 84.087866][ T5014] ? fput_close_sync+0x11f/0x240
[ 84.090381][ T5014] ? __x64_sys_close+0x7e/0x110
[ 84.093318][ T5014] ? __pfx_do_exit+0x10/0x10
[ 84.095809][ T5014] ? do_raw_spin_lock+0x12b/0x2f0
[ 84.098006][ T5014] do_group_exit+0x21b/0x2d0
[ 84.100119][ T5014] ? _raw_spin_unlock_irq+0x23/0x50
[ 84.102669][ T5014] get_signal+0x1284/0x1330
[ 84.105153][ T5014] arch_do_signal_or_restart+0xbc/0x830
[ 84.107986][ T5014] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 84.110949][ T5014] ? kmem_cache_free+0x439/0x630
[ 84.113106][ T5014] ? fput_close_sync+0x11f/0x240
[ 84.115394][ T5014] exit_to_user_mode_loop+0x86/0x480
[ 84.118485][ T5014] ? rcu_is_watching+0x15/0xb0
[ 84.121322][ T5014] do_syscall_64+0x32d/0xf80
[ 84.123492][ T5014] ? trace_irq_disable+0x3b/0x150
[ 84.125706][ T5014] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.128391][ T5014] ? clear_bhb_loop+0x40/0x90
[ 84.130737][ T5014] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.133583][ T5014] RIP: 0033:0x7f53883c4407
[ 84.135641][ T5014] Code: Unable to access opcode bytes at 0x7f53883c43dd.
[ 84.138688][ T5014] RSP: 002b:00007ffd11da67a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[ 84.142556][ T5014] RAX: 0000000000000000 RBX: 00007f538833a780 RCX: 00007f53883c4407
[ 84.146812][ T5014] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000000e
[ 84.150314][ T5014] RBP: 00007ffd11db6a40 R08: 0000000000000000 R09: 0000000000000000
[ 84.153632][ T5014] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffd11db6a40
[ 84.157653][ T5014] R13: 000055bdc84e55f0 R14: 0000000000000001 R15: 0000000000000000
[ 84.161880][ T5014]
[ 84.163654][ T5014] Kernel Offset: disabled
[ 84.165560][ T5014] Rebooting in 86400 seconds..