program:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x5a}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
ioctl$TIOCL_SETSEL(r1, 0x541c, &(0x7f00000000c0)={0x2, {0x2, 0x0, 0x0, 0x0, 0x0, 0x300}})
ioctl$TIOCL_PASTESEL(r1, 0x541c, &(0x7f00000004c0))

[ 85.467215][ T4667] Bluetooth: hci0: command tx timeout
[ 85.623161][ T5178] ==================================================================
[ 85.626452][ T5178] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[ 85.629636][ T5178] Read of size 8 at addr ffff888032a96180 by task dhcpcd/5178
[ 85.632909][ T5178]
[ 85.634027][ T5178] CPU: 0 UID: 101 PID: 5178 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full)
[ 85.634041][ T5178] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 85.634047][ T5178] Call Trace:
[ 85.634055][ T5178]
[ 85.634060][ T5178] dump_stack_lvl+0xe8/0x150
[ 85.634105][ T5178] print_report+0xba/0x230
[ 85.634118][ T5178] ? bpf_trace_run2+0x2c4/0x840
[ 85.634132][ T5178] kasan_report+0x117/0x150
[ 85.634176][ T5178] ? bpf_trace_run2+0x2c4/0x840
[ 85.634189][ T5178] bpf_trace_run2+0x2c4/0x840
[ 85.634202][ T5178] ? __queue_work+0x1a1/0x1020
[ 85.634248][ T5178] ? bpf_trace_run2+0x1c9/0x840
[ 85.634260][ T5178] ? __pfx_bpf_trace_run2+0x10/0x10
[ 85.634273][ T5178] ? seccomp_filter_release+0x22b/0x2d0
[ 85.634285][ T5178] ? seccomp_filter_release+0x22b/0x2d0
[ 85.634294][ T5178] ? seccomp_filter_release+0x22b/0x2d0
[ 85.634304][ T5178] kfree+0x5b2/0x630
[ 85.634337][ T5178] ? queue_work_on+0x159/0x1d0
[ 85.634350][ T5178] seccomp_filter_release+0x22b/0x2d0
[ 85.634361][ T5178] do_exit+0x338/0x2320
[ 85.634378][ T5178] ? fput_close_sync+0x11f/0x240
[ 85.634409][ T5178] ? __x64_sys_close+0x7e/0x110
[ 85.634420][ T5178] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.634431][ T5178] ? __pfx_do_exit+0x10/0x10
[ 85.634440][ T5178] ? do_raw_spin_lock+0x12b/0x2f0
[ 85.634471][ T5178] do_group_exit+0x21b/0x2d0
[ 85.634481][ T5178] ? _raw_spin_unlock_irq+0x23/0x50
[ 85.634546][ T5178] get_signal+0x1284/0x1330
[ 85.634562][ T5178] arch_do_signal_or_restart+0xbc/0x830
[ 85.634594][ T5178] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 85.634604][ T5178] ? kmem_cache_free+0x439/0x630
[ 85.634619][ T5178] ? fput_close_sync+0x11f/0x240
[ 85.634630][ T5178] exit_to_user_mode_loop+0x86/0x480
[ 85.634658][ T5178] ? rcu_is_watching+0x15/0xb0
[ 85.634673][ T5178] do_syscall_64+0x32d/0xf80
[ 85.634686][ T5178] ? trace_irq_disable+0x3b/0x150
[ 85.634700][ T5178] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.634709][ T5178] ? clear_bhb_loop+0x40/0x90
[ 85.634717][ T5178] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.634725][ T5178] RIP: 0033:0x7fad50b13407
[ 85.634733][ T5178] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[ 85.634740][ T5178] RSP: 002b:00007ffc63886230 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[ 85.634751][ T5178] RAX: 0000000000000000 RBX: 00007fad50a89740 RCX: 00007fad50b13407
[ 85.634758][ T5178] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000016
[ 85.634763][ T5178] RBP: 00007ffc638964d0 R08: 0000000000000000 R09: 0000000000000000
[ 85.634768][ T5178] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffc638964d0
[ 85.634775][ T5178] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 85.634785][ T5178]
[ 85.634788][ T5178]
[ 85.757332][ T5178] Allocated by task 5324:
[ 85.759261][ T5178] kasan_save_track+0x3e/0x80
[ 85.761303][ T5178] __kasan_kmalloc+0x93/0xb0
[ 85.763301][ T5178] __kmalloc_cache_noprof+0x31c/0x660
[ 85.765668][ T5178] bpf_raw_tp_link_attach+0x278/0x700
[ 85.768936][ T5178] bpf_raw_tracepoint_open+0x1b2/0x220
[ 85.771299][ T5178] __sys_bpf+0x846/0x950
[ 85.773174][ T5178] __x64_sys_bpf+0x7c/0x90
[ 85.775151][ T5178] do_syscall_64+0x14d/0xf80
[ 85.777199][ T5178] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.779828][ T5178]
[ 85.780929][ T5178] Freed by task 5012:
[ 85.782563][ T5178] kasan_save_track+0x3e/0x80
[ 85.784472][ T5178] kasan_save_free_info+0x46/0x50
[ 85.786713][ T5178] __kasan_slab_free+0x5c/0x80
[ 85.788637][ T5178] kfree+0x1c1/0x630
[ 85.790307][ T5178] rcu_core+0x7cd/0x1070
[ 85.792317][ T5178] handle_softirqs+0x22a/0x870
[ 85.794282][ T5178] do_softirq+0x76/0xd0
[ 85.796146][ T5178] __local_bh_enable_ip+0xf8/0x130
[ 85.798525][ T5178] mac80211_hwsim_netlink_notify+0xde9/0x1310
[ 85.801364][ T5178] notifier_call_chain+0x1be/0x400
[ 85.803562][ T5178] blocking_notifier_call_chain+0x6a/0x90
[ 85.806065][ T5178] netlink_release+0x123b/0x1ad0
[ 85.808279][ T5178] sock_close+0xc3/0x240
[ 85.810212][ T5178] __fput+0x44f/0xa70
[ 85.812050][ T5178] task_work_run+0x1d9/0x270
[ 85.814214][ T5178] do_exit+0x69b/0x2320
[ 85.816117][ T5178] do_group_exit+0x21b/0x2d0
[ 85.818185][ T5178] get_signal+0x1284/0x1330
[ 85.820227][ T5178] arch_do_signal_or_restart+0xbc/0x830
[ 85.822586][ T5178] exit_to_user_mode_loop+0x86/0x480
[ 85.824891][ T5178] do_syscall_64+0x32d/0xf80
[ 85.826803][ T5178] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.829198][ T5178]
[ 85.830294][ T5178] Last potentially related work creation:
[ 85.832866][ T5178] kasan_save_stack+0x3e/0x60
[ 85.835139][ T5178] kasan_record_aux_stack+0xbd/0xd0
[ 85.837565][ T5178] call_rcu+0xee/0x890
[ 85.839355][ T5178] bpf_link_release+0x6b/0x80
[ 85.841515][ T5178] __fput+0x44f/0xa70
[ 85.843337][ T5178] task_work_run+0x1d9/0x270
[ 85.845329][ T5178] exit_to_user_mode_loop+0xed/0x480
[ 85.847663][ T5178] do_syscall_64+0x32d/0xf80
[ 85.849795][ T5178] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.852506][ T5178]
[ 85.853643][ T5178] The buggy address belongs to the object at ffff888032a96100
[ 85.853643][ T5178] which belongs to the cache kmalloc-192 of size 192
[ 85.859461][ T5178] The buggy address is located 128 bytes inside of
[ 85.859461][ T5178] freed 192-byte region [ffff888032a96100, ffff888032a961c0)
[ 85.865447][ T5178]
[ 85.866494][ T5178] The buggy address belongs to the physical page:
[ 85.869278][ T5178] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x32a96
[ 85.873127][ T5178] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 85.876308][ T5178] page_type: f5(slab)
[ 85.880018][ T5178] raw: 04fff00000000000 ffff88801a8413c0 dead000000000100 dead000000000122
[ 85.883845][ T5178] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 85.887406][ T5178] page dumped because: kasan: bad access detected
[ 85.889944][ T5178] page_owner tracks the page as allocated
[ 85.892171][ T5178] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 8219512469, free_ts 8214646191
[ 85.899874][ T5178] post_alloc_hook+0x231/0x280
[ 85.901909][ T5178] get_page_from_freelist+0x24dc/0x2580
[ 85.904285][ T5178] __alloc_frozen_pages_noprof+0x18d/0x380
[ 85.906736][ T5178] allocate_slab+0x77/0x660
[ 85.908897][ T5178] refill_objects+0x331/0x3c0
[ 85.910918][ T5178] __pcs_replace_empty_main+0x2b9/0x620
[ 85.913219][ T5178] __kmalloc_cache_noprof+0x392/0x660
[ 85.915583][ T5178] call_usermodehelper_setup+0x8e/0x270
[ 85.917974][ T5178] kobject_uevent_env+0x658/0x9e0
[ 85.920470][ T5178] driver_register+0x2d4/0x320
[ 85.922582][ T5178] do_one_initcall+0x250/0x8d0
[ 85.924764][ T5178] do_initcall_level+0x104/0x190
[ 85.926821][ T5178] do_initcalls+0x59/0xa0
[ 85.928733][ T5178] kernel_init_freeable+0x2a6/0x3e0
[ 85.931055][ T5178] kernel_init+0x1d/0x1d0
[ 85.932930][ T5178] ret_from_fork+0x51e/0xb90
[ 85.934884][ T5178] page last free pid 9 tgid 9 stack trace:
[ 85.937305][ T5178] __free_frozen_pages+0xc2b/0xdb0
[ 85.939377][ T5178] vfree+0x25a/0x400
[ 85.940971][ T5178] delayed_vfree_work+0x55/0x80
[ 85.942976][ T5178] process_scheduled_works+0xb02/0x1830
[ 85.945183][ T5178] worker_thread+0xa50/0xfc0
[ 85.947082][ T5178] kthread+0x388/0x470
[ 85.948832][ T5178] ret_from_fork+0x51e/0xb90
[ 85.950910][ T5178] ret_from_fork_asm+0x1a/0x30
[ 85.953072][ T5178]
[ 85.954150][ T5178] Memory state around the buggy address:
[ 85.956630][ T5178] ffff888032a96080: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 85.960048][ T5178] ffff888032a96100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.963551][ T5178] >ffff888032a96180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 85.966958][ T5178] ^
[ 85.968654][ T5178] ffff888032a96200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.971996][ T5178] ffff888032a96280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 85.975170][ T5178] ==================================================================