program:
# syzkaller reproducer; read together with the KASAN report that follows it.
# NOTE(review): BPF_PROG_LOAD (cmd 0x5) of prog type 0x11 (BPF_PROG_TYPE_RAW_TRACEPOINT)
# and BPF_RAW_TRACEPOINT_OPEN (cmd 0x11) are privileged operations on stock kernels,
# so this is a privileged-caller -> kernel memory-safety issue unless shown otherwise.
#
# 1. Load a 5-instruction raw-tracepoint program, license "GPL".
#    The instruction blob appears to decode to:
#        r1 = 0xec11c34c00000021   (lddw)
#        call 0x75 (helper 117)
#        r0 ^= 8
#        exit
#    Helper 117 is believed to be bpf_send_signal_thread(u32 sig), which would make
#    sig = (u32)r1 = 33 -- TODO confirm with a BPF disassembler. If so, every task that
#    trips the tracepoint gets a real-time signal, which is consistent with an unrelated
#    UID 101 task (dhcpcd) being the one that exits via get_signal -> do_group_exit below.
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
# 2. Attach the program to the "kfree" tracepoint. This is the allocation site of the
#    freed object ("Allocated by task 5323: ... bpf_raw_tp_link_attach", kmalloc-192).
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10)
# 3. Open the hwrng device (syzkaller's openat$hwrng specialization; the path buffer is
#    not shown) and issue one large preadv (iov_len 0xfffffd6e against a 102386-byte
#    buffer). Presumably this drives kmalloc/kfree so the tracepoint fires -- the report
#    itself does not show this path, so treat it as a guess.
r1 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
preadv(r1, &(0x7f0000000240)=[{&(0x7f0000033a80)=""/102386, 0xfffffd6e}], 0x1, 0x0, 0x0)
#
# What the report below establishes:
#  - The link object is freed from an RCU callback (rcu_core -> kfree, "Freed by task
#    1152"); the call_rcu was queued by bpf_link_release during __fput, i.e. when the
#    link fd was closed ("Last potentially related work creation").
#  - After that free, bpf_trace_run2 performs an 8-byte read at offset 128 of the
#    192-byte object while the kfree tracepoint fires from seccomp_filter_release in
#    do_exit of a different task (dhcpcd/5178). Whatever bpf_trace_run2 was handed as
#    its link/program argument therefore still pointed at the freed object: a lifetime
#    ordering problem between link teardown and tracepoint probe removal.
#  - The reported access is a read; the report does not show a write or any
#    userspace-controlled data reaching the freed memory. Do not infer more than that.
[ 83.771210][ T5302] Bluetooth: hci0: command tx timeout
[ 84.101535][ T5178] ==================================================================
[ 84.105665][ T5178] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[ 84.110020][ T5178] Read of size 8 at addr ffff8880334c9080 by task dhcpcd/5178
[ 84.113851][ T5178]
[ 84.115215][ T5178] CPU: 0 UID: 101 PID: 5178 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full)
[ 84.115238][ T5178] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 84.115246][ T5178] Call Trace:
[ 84.115258][ T5178]
[ 84.115267][ T5178] dump_stack_lvl+0xe8/0x150
[ 84.115333][ T5178] print_report+0xba/0x230
[ 84.115374][ T5178] ? bpf_trace_run2+0x2c4/0x840
[ 84.115395][ T5178] kasan_report+0x117/0x150
[ 84.115459][ T5178] ? bpf_trace_run2+0x2c4/0x840
[ 84.115476][ T5178] bpf_trace_run2+0x2c4/0x840
[ 84.115495][ T5178] ? __queue_work+0x1a1/0x1020
[ 84.115534][ T5178] ? bpf_trace_run2+0x1c9/0x840
[ 84.115548][ T5178] ? __pfx_bpf_trace_run2+0x10/0x10
[ 84.115560][ T5178] ? seccomp_filter_release+0x22b/0x2d0
[ 84.115596][ T5178] ? seccomp_filter_release+0x22b/0x2d0
[ 84.115609][ T5178] ? seccomp_filter_release+0x22b/0x2d0
[ 84.115621][ T5178] kfree+0x5b2/0x630
[ 84.115661][ T5178] ? queue_work_on+0x159/0x1d0
[ 84.115679][ T5178] seccomp_filter_release+0x22b/0x2d0
[ 84.115693][ T5178] do_exit+0x3b0/0x23c0
[ 84.115722][ T5178] ? fput_close_sync+0x11f/0x240
[ 84.115756][ T5178] ? 
__x64_sys_close+0x7e/0x110
[ 84.115775][ T5178] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.115792][ T5178] ? __pfx_do_exit+0x10/0x10
[ 84.115805][ T5178] ? do_raw_spin_lock+0x12b/0x2f0
[ 84.115840][ T5178] do_group_exit+0x21b/0x2d0
[ 84.115853][ T5178] ? _raw_spin_unlock_irq+0x23/0x50
[ 84.115947][ T5178] get_signal+0x1284/0x1330
[ 84.115975][ T5178] arch_do_signal_or_restart+0xbc/0x830
[ 84.116013][ T5178] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 84.116030][ T5178] ? kmem_cache_free+0x439/0x630
[ 84.116045][ T5178] ? fput_close_sync+0x11f/0x240
[ 84.116063][ T5178] exit_to_user_mode_loop+0x86/0x480
[ 84.116096][ T5178] ? rcu_is_watching+0x15/0xb0
[ 84.116118][ T5178] do_syscall_64+0x32d/0xf80
[ 84.116132][ T5178] ? trace_irq_disable+0x3b/0x150
[ 84.116154][ T5178] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.116167][ T5178] ? clear_bhb_loop+0x40/0x90
[ 84.116181][ T5178] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.116195][ T5178] RIP: 0033:0x7f7a717d4407
[ 84.116210][ T5178] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[ 84.116222][ T5178] RSP: 002b:00007fff3ca2b5c0 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[ 84.116238][ T5178] RAX: 0000000000000000 RBX: 00007f7a7174a780 RCX: 00007f7a717d4407
[ 84.116246][ T5178] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000016
[ 84.116253][ T5178] RBP: 00007fff3ca3b860 R08: 0000000000000000 R09: 0000000000000000
[ 84.116260][ T5178] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff3ca3b860
[ 84.116268][ T5178] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 84.116279][ T5178]
[ 84.116284][ T5178]
[ 84.264572][ T5178] Allocated by task 5323:
[ 84.266735][ T5178] kasan_save_track+0x3e/0x80
[ 84.269306][ T5178] __kasan_kmalloc+0x93/0xb0
[ 84.271693][ T5178] __kmalloc_cache_noprof+0x31c/0x660
[ 84.274220][ T5178] bpf_raw_tp_link_attach+0x278/0x700
[ 84.276874][ T5178] bpf_raw_tracepoint_open+0x1b2/0x220
[ 84.279594][ T5178] __sys_bpf+0x846/0x950
[ 84.282202][ T5178] __x64_sys_bpf+0x7c/0x90
[ 84.284879][ T5178] do_syscall_64+0x14d/0xf80
[ 84.287533][ T5178] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.290705][ T5178]
[ 84.291934][ T5178] Freed by task 1152:
[ 84.293883][ T5178] kasan_save_track+0x3e/0x80
[ 84.296483][ T5178] kasan_save_free_info+0x46/0x50
[ 84.299374][ T5178] __kasan_slab_free+0x5c/0x80
[ 84.301771][ T5178] kfree+0x1c1/0x630
[ 84.303717][ T5178] rcu_core+0x7cd/0x1070
[ 84.305936][ T5178] handle_softirqs+0x22a/0x870
[ 84.308845][ T5178] do_softirq+0x76/0xd0
[ 84.310842][ T5178] __local_bh_enable_ip+0xf8/0x130
[ 84.313274][ T5178] nsim_dev_trap_report_work+0x7c7/0xb80
[ 84.316008][ T5178] process_scheduled_works+0xb6e/0x18c0
[ 84.318591][ T5178] worker_thread+0xa53/0xfc0
[ 84.320817][ T5178] kthread+0x388/0x470
[ 84.322695][ T5178] ret_from_fork+0x51e/0xb90
[ 84.324848][ T5178] ret_from_fork_asm+0x1a/0x30
[ 84.327154][ T5178]
[ 84.328379][ T5178] Last potentially related work creation:
[ 84.330991][ T5178] kasan_save_stack+0x3e/0x60
[ 84.333578][ T5178] kasan_record_aux_stack+0xbd/0xd0
[ 84.336049][ T5178] call_rcu+0xee/0x890
[ 84.337981][ T5178] bpf_link_release+0x6b/0x80
[ 84.340129][ T5178] __fput+0x44f/0xa70
[ 84.341935][ T5178] task_work_run+0x1d9/0x270
[ 84.344106][ T5178] exit_to_user_mode_loop+0xed/0x480
[ 84.346480][ T5178] do_syscall_64+0x32d/0xf80
[ 84.348806][ T5178] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.351632][ T5178]
[ 84.352785][ T5178] The buggy address belongs to the object at ffff8880334c9000
[ 84.352785][ T5178] which belongs to the cache kmalloc-192 of size 192
[ 84.359256][ T5178] The buggy address is located 128 bytes inside of
[ 84.359256][ T5178] freed 192-byte region [ffff8880334c9000, ffff8880334c90c0)
[ 84.366389][ T5178]
[ 84.367542][ T5178] The buggy address belongs to the physical page:
[ 84.370479][ T5178] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x334c9
[ 84.374585][ T5178] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 84.378554][ T5178] page_type: f5(slab)
[ 84.380639][ T5178] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122
[ 84.384709][ T5178] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[ 84.388826][ T5178] page dumped because: kasan: bad access detected
[ 84.392219][ T5178] page_owner tracks the page as allocated
[ 84.394905][ T5178] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 15331084164, free_ts 11080194228
[ 84.403932][ T5178] post_alloc_hook+0x231/0x280
[ 84.406231][ T5178] get_page_from_freelist+0x24dc/0x2580
[ 84.408900][ T5178] __alloc_frozen_pages_noprof+0x18d/0x380
[ 84.411927][ T5178] allocate_slab+0x77/0x660
[ 84.414331][ T5178] refill_objects+0x331/0x3c0
[ 84.416754][ T5178] __pcs_replace_empty_main+0x2e6/0x730
[ 84.419474][ T5178] __kmalloc_cache_noprof+0x392/0x660
[ 84.421953][ T5178] drm_atomic_state_alloc+0xa9/0x100
[ 84.424510][ T5178] drm_client_modeset_commit_atomic+0x122/0x7e0
[ 84.427490][ T5178] drm_client_modeset_commit_locked+0xcb/0x4d0
[ 84.430459][ T5178] drm_fb_helper_pan_display+0x3e7/0xbd0
[ 84.433070][ T5178] fb_pan_display+0x39e/0x680
[ 84.435375][ T5178] bit_update_start+0x4c/0x1e0
[ 84.438392][ T5178] fbcon_switch+0x127e/0x2040
[ 84.440730][ T5178] redraw_screen+0x586/0xec0
[ 84.442920][ T5178] set_con2fb_map+0xabb/0xfc0
[ 84.445286][ T5178] page last free pid 53 tgid 53 stack trace:
[ 84.448707][ T5178] __free_frozen_pages+0xc2b/0xdb0
[ 84.451497][ T5178] vfree+0x25a/0x400
[ 84.453414][ T5178] delayed_vfree_work+0x55/0x80
[ 84.455607][ T5178] process_scheduled_works+0xb6e/0x18c0
[ 84.457987][ T5178] worker_thread+0xa53/0xfc0
[ 84.460403][ T5178] kthread+0x388/0x470
[ 84.462439][ T5178] ret_from_fork+0x51e/0xb90
[ 84.464552][ T5178] ret_from_fork_asm+0x1a/0x30
[ 84.466819][ T5178]
[ 84.468032][ T5178] Memory state around the buggy address:
[ 84.471095][ T5178] ffff8880334c8f80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 84.475215][ T5178] ffff8880334c9000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 84.479532][ T5178] >ffff8880334c9080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 84.483259][ T5178] ^
[ 84.485249][ T5178] ffff8880334c9100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 84.489145][ T5178] ffff8880334c9180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 84.492839][ T5178] ==================================================================