program:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10)
r1 = perf_event_open(&(0x7f00000000c0)={0x5, 0x80, 0xec, 0x7, 0x40, 0x7, 0x0, 0x0, 0x4d299, 0x1, 0x0, 0x0, 0x1, 0x0, 0x1, 0x0, 0x0, 0x1, 0x1, 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x0, 0x1, 0x1, 0x0, 0x1, 0x0, 0x0, 0x1, 0x0, 0x1, 0x1, 0x1, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1, 0x0, 0x1, 0x1, 0x0, 0x4, 0x2, @perf_bp={0x0, 0x4}, 0x10a980, 0x7ff, 0xa, 0x0, 0xff9, 0x2, 0x400, 0x0, 0x0, 0x0, 0x4002}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x8)
r2 = getpid()
syz_pidfd_open(r2, 0x0)
migrate_pages(r2, 0xffffffffffffffff, &(0x7f0000001000)=0x3, &(0x7f0000001040)=0x2)
mmap(&(0x7f0000002000/0x3000)=nil, 0x3000, 0x100000b, 0x12011, r1, 0x0)
mkdir(&(0x7f0000000000)='./cgroup/file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x0)
r3 = socket$inet_tcp(0x2, 0x1, 0x0)
getsockopt$inet_tcp_int(r3, 0x6, 0x1c, 0x0, &(0x7f0000000040))
syz_open_dev$dvb_frontend(&(0x7f00000002c0), 0x0, 0x2)
syz_open_dev$dvb_frontend(&(0x7f0000000080), 0x0, 0x2)

[   99.462386][ T5300] Bluetooth: hci0: command tx timeout
[   99.686932][ T5185] ==================================================================
[   99.690624][ T5185] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[   99.695005][ T5185] Read of size 8 at addr ffff888042d03880 by task dhcpcd/5185
[   99.698464][ T5185] 
[   99.699555][ T5185] CPU: 0 UID: 101 PID: 5185 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   99.699572][ T5185] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   99.699579][ T5185] Call Trace:
[   99.699587][ T5185]  <TASK>
[   99.699593][ T5185]  dump_stack_lvl+0xe8/0x150
[   99.699618][ T5185]  print_report+0xba/0x230
[   99.699632][ T5185]  ? bpf_trace_run2+0x2c4/0x840
[   99.699647][ T5185]  kasan_report+0x117/0x150
[   99.699660][ T5185]  ? bpf_trace_run2+0x2c4/0x840
[   99.699678][ T5185]  bpf_trace_run2+0x2c4/0x840
[   99.699694][ T5185]  ? __queue_work+0x1a1/0x1020
[   99.699708][ T5185]  ? bpf_trace_run2+0x1c9/0x840
[   99.699724][ T5185]  ? __pfx_bpf_trace_run2+0x10/0x10
[   99.699740][ T5185]  ? seccomp_filter_release+0x22b/0x2d0
[   99.699754][ T5185]  ? seccomp_filter_release+0x22b/0x2d0
[   99.699765][ T5185]  ? seccomp_filter_release+0x22b/0x2d0
[   99.699777][ T5185]  kfree+0x5b2/0x630
[   99.699794][ T5185]  ? queue_work_on+0x159/0x1d0
[   99.699809][ T5185]  seccomp_filter_release+0x22b/0x2d0
[   99.699822][ T5185]  do_exit+0x3b0/0x23c0
[   99.699832][ T5185]  ? fput_close_sync+0x11f/0x240
[   99.699847][ T5185]  ? __x64_sys_close+0x7e/0x110
[   99.699861][ T5185]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   99.699874][ T5185]  ? __pfx_do_exit+0x10/0x10
[   99.699885][ T5185]  ? do_raw_spin_lock+0x12b/0x2f0
[   99.699898][ T5185]  do_group_exit+0x21b/0x2d0
[   99.699910][ T5185]  ? _raw_spin_unlock_irq+0x23/0x50
[   99.699964][ T5185]  get_signal+0x1284/0x1330
[   99.699983][ T5185]  arch_do_signal_or_restart+0xbc/0x830
[   99.699997][ T5185]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[   99.700010][ T5185]  ? kmem_cache_free+0x439/0x630
[   99.700022][ T5185]  ? fput_close_sync+0x11f/0x240
[   99.700038][ T5185]  exit_to_user_mode_loop+0x86/0x480
[   99.700052][ T5185]  ? rcu_is_watching+0x15/0xb0
[   99.700069][ T5185]  do_syscall_64+0x32d/0xf80
[   99.700083][ T5185]  ? trace_irq_disable+0x3b/0x150
[   99.700092][ T5185]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   99.700102][ T5185]  ? clear_bhb_loop+0x40/0x90
[   99.700141][ T5185]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   99.700154][ T5185] RIP: 0033:0x7f39e4d47407
[   99.700168][ T5185] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[   99.700178][ T5185] RSP: 002b:00007ffdee9b6c40 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[   99.700190][ T5185] RAX: 0000000000000000 RBX: 00007f39e4cbd780 RCX: 00007f39e4d47407
[   99.700197][ T5185] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000019
[   99.700203][ T5185] RBP: 00007ffdee9c6ee0 R08: 0000000000000000 R09: 0000000000000000
[   99.700210][ T5185] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffdee9c6ee0
[   99.700217][ T5185] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   99.700227][ T5185]  </TASK>
[   99.700231][ T5185] 
[   99.828589][ T5185] Allocated by task 5324:
[   99.830576][ T5185]  kasan_save_track+0x3e/0x80
[   99.832820][ T5185]  __kasan_kmalloc+0x93/0xb0
[   99.835221][ T5185]  __kmalloc_cache_noprof+0x31c/0x660
[   99.838094][ T5185]  bpf_raw_tp_link_attach+0x278/0x700
[   99.840852][ T5185]  bpf_raw_tracepoint_open+0x1b2/0x220
[   99.843369][ T5185]  __sys_bpf+0x846/0x950
[   99.845247][ T5185]  __x64_sys_bpf+0x7c/0x90
[   99.847295][ T5185]  do_syscall_64+0x14d/0xf80
[   99.849587][ T5185]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   99.852996][ T5185] 
[   99.854368][ T5185] Freed by task 71:
[   99.856077][ T5185]  kasan_save_track+0x3e/0x80
[   99.858222][ T5185]  kasan_save_free_info+0x46/0x50
[   99.860455][ T5185]  __kasan_slab_free+0x5c/0x80
[   99.862762][ T5185]  kfree+0x1c1/0x630
[   99.864900][ T5185]  rcu_core+0x7cd/0x1070
[   99.867332][ T5185]  handle_softirqs+0x22a/0x870
[   99.869656][ T5185]  __irq_exit_rcu+0x5f/0x150
[   99.871701][ T5185]  irq_exit_rcu+0x9/0x30
[   99.873626][ T5185]  sysvec_apic_timer_interrupt+0xa6/0xc0
[   99.876278][ T5185]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[   99.879614][ T5185] 
[   99.881197][ T5185] Last potentially related work creation:
[   99.884065][ T5185]  kasan_save_stack+0x3e/0x60
[   99.886210][ T5185]  kasan_record_aux_stack+0xbd/0xd0
[   99.888477][ T5185]  call_rcu+0xee/0x890
[   99.890370][ T5185]  bpf_link_release+0x6b/0x80
[   99.892440][ T5185]  __fput+0x44f/0xa70
[   99.894580][ T5185]  task_work_run+0x1d9/0x270
[   99.897655][ T5185]  exit_to_user_mode_loop+0xed/0x480
[   99.900758][ T5185]  do_syscall_64+0x32d/0xf80
[   99.902885][ T5185]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   99.905527][ T5185] 
[   99.906659][ T5185] The buggy address belongs to the object at ffff888042d03800
[   99.906659][ T5185]  which belongs to the cache kmalloc-192 of size 192
[   99.912808][ T5185] The buggy address is located 128 bytes inside of
[   99.912808][ T5185]  freed 192-byte region [ffff888042d03800, ffff888042d038c0)
[   99.920246][ T5185] 
[   99.921369][ T5185] The buggy address belongs to the physical page:
[   99.924298][ T5185] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42d03
[   99.928170][ T5185] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   99.932184][ T5185] page_type: f5(slab)
[   99.934971][ T5185] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122
[   99.939573][ T5185] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[   99.943389][ T5185] page dumped because: kasan: bad access detected
[   99.946266][ T5185] page_owner tracks the page as allocated
[   99.948825][ T5185] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 28335767705, free_ts 28323998719
[   99.958261][ T5185]  post_alloc_hook+0x231/0x280
[   99.960572][ T5185]  get_page_from_freelist+0x24dc/0x2580
[   99.963316][ T5185]  __alloc_frozen_pages_noprof+0x18d/0x380
[   99.966075][ T5185]  allocate_slab+0x77/0x660
[   99.968258][ T5185]  refill_objects+0x331/0x3c0
[   99.970708][ T5185]  __pcs_replace_empty_main+0x2e6/0x730
[   99.973214][ T5185]  __kmalloc_cache_noprof+0x392/0x660
[   99.975415][ T5185]  call_usermodehelper_setup+0x8e/0x270
[   99.977631][ T5185]  kobject_uevent_env+0x658/0x9e0
[   99.980023][ T5185]  kernel_add_sysfs_param+0xb1/0xe0
[   99.983063][ T5185]  param_sysfs_builtin+0x199/0x250
[   99.986048][ T5185]  param_sysfs_builtin_init+0x23/0x30
[   99.988592][ T5185]  do_one_initcall+0x250/0x8d0
[   99.990855][ T5185]  do_initcall_level+0x104/0x190
[   99.993031][ T5185]  do_initcalls+0x59/0xa0
[   99.995001][ T5185]  kernel_init_freeable+0x2a6/0x3e0
[   99.997308][ T5185] page last free pid 1356 tgid 1356 stack trace:
[  100.000512][ T5185]  __free_frozen_pages+0xc2b/0xdb0
[  100.003412][ T5185]  vfree+0x25a/0x400
[  100.005500][ T5185]  delayed_vfree_work+0x55/0x80
[  100.007821][ T5185]  process_scheduled_works+0xb6e/0x18c0
[  100.010324][ T5185]  worker_thread+0xa53/0xfc0
[  100.012406][ T5185]  kthread+0x388/0x470
[  100.014251][ T5185]  ret_from_fork+0x51e/0xb90
[  100.016344][ T5185]  ret_from_fork_asm+0x1a/0x30
[  100.018615][ T5185] 
[  100.020144][ T5185] Memory state around the buggy address:
[  100.023576][ T5185]  ffff888042d03780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[  100.027327][ T5185]  ffff888042d03800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  100.031300][ T5185] >ffff888042d03880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  100.035184][ T5185]                    ^
[  100.037671][ T5185]  ffff888042d03900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  100.041634][ T5185]  ffff888042d03980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  100.045175][ T5185] ==================================================================