program:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10)
syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000000000)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0)

[ 109.522089][ T4667] Bluetooth: hci0: command tx timeout
[ 109.763774][ T5163] ==================================================================
[ 109.768769][ T5163] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[ 109.773559][ T5163] Read of size 8 at addr ffff88801f93fc80 by task dhcpcd/5163
[ 109.777637][ T5163]
[ 109.778877][ T5163] CPU: 0 UID: 101 PID: 5163 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full)
[ 109.778892][ T5163] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 109.778898][ T5163] Call Trace:
[ 109.778908][ T5163]  <TASK>
[ 109.778936][ T5163]  dump_stack_lvl+0xe8/0x150
[ 109.778957][ T5163]  print_report+0xba/0x230
[ 109.778971][ T5163]  ? bpf_trace_run2+0x2c4/0x840
[ 109.778988][ T5163]  kasan_report+0x117/0x150
[ 109.779001][ T5163]  ? bpf_trace_run2+0x2c4/0x840
[ 109.779016][ T5163]  bpf_trace_run2+0x2c4/0x840
[ 109.779031][ T5163]  ? __queue_work+0x1a1/0x1020
[ 109.779045][ T5163]  ? bpf_trace_run2+0x1c9/0x840
[ 109.779059][ T5163]  ? __pfx_bpf_trace_run2+0x10/0x10
[ 109.779073][ T5163]  ? seccomp_filter_release+0x22b/0x2d0
[ 109.779086][ T5163]  ? seccomp_filter_release+0x22b/0x2d0
[ 109.779103][ T5163]  ? seccomp_filter_release+0x22b/0x2d0
[ 109.779113][ T5163]  kfree+0x5b2/0x630
[ 109.779127][ T5163]  ? queue_work_on+0x159/0x1d0
[ 109.779141][ T5163]  seccomp_filter_release+0x22b/0x2d0
[ 109.779152][ T5163]  do_exit+0x3b0/0x23c0
[ 109.779166][ T5163]  ? __pfx_do_exit+0x10/0x10
[ 109.779174][ T5163]  ? do_raw_spin_lock+0x12b/0x2f0
[ 109.779185][ T5163]  ? do_raw_spin_lock+0x12b/0x2f0
[ 109.779196][ T5163]  do_group_exit+0x21b/0x2d0
[ 109.779205][ T5163]  ? _raw_spin_unlock_irq+0x23/0x50
[ 109.779268][ T5163]  get_signal+0x1284/0x1330
[ 109.779285][ T5163]  arch_do_signal_or_restart+0xbc/0x830
[ 109.779300][ T5163]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 109.779314][ T5163]  exit_to_user_mode_loop+0x86/0x480
[ 109.779327][ T5163]  ? rcu_is_watching+0x15/0xb0
[ 109.779342][ T5163]  do_syscall_64+0x32d/0xf80
[ 109.779353][ T5163]  ? trace_irq_disable+0x3b/0x150
[ 109.779368][ T5163]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 109.779378][ T5163]  ? clear_bhb_loop+0x40/0x90
[ 109.779390][ T5163]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 109.779401][ T5163] RIP: 0033:0x7f79313c6407
[ 109.779422][ T5163] Code: Unable to access opcode bytes at 0x7f79313c63dd.
[ 109.779427][ T5163] RSP: 002b:00007ffe12c3e150 EFLAGS: 00000202 ORIG_RAX: 000000000000010f
[ 109.779440][ T5163] RAX: 0000000000000001 RBX: 00007f793133c780 RCX: 00007f79313c6407
[ 109.779448][ T5163] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 000055b6c7f2a380
[ 109.779454][ T5163] RBP: 00007ffe12c3e490 R08: 0000000000000008 R09: 0000000000000000
[ 109.779460][ T5163] R10: 00007ffe12c3e490 R11: 0000000000000202 R12: 000055b6b8a445e0
[ 109.779467][ T5163] R13: 000055b6c7f1dd40 R14: 0000000000000000 R15: 00007ffe12c3e240
[ 109.779476][ T5163]  </TASK>
[ 109.779480][ T5163]
[ 109.897739][ T5163] Allocated by task 5324:
[ 109.899848][ T5163]  kasan_save_track+0x3e/0x80
[ 109.902361][ T5163]  __kasan_kmalloc+0x93/0xb0
[ 109.904677][ T5163]  __kmalloc_cache_noprof+0x31c/0x660
[ 109.907090][ T5163]  bpf_raw_tp_link_attach+0x278/0x700
[ 109.909596][ T5163]  bpf_raw_tracepoint_open+0x1b2/0x220
[ 109.912455][ T5163]  __sys_bpf+0x846/0x950
[ 109.914814][ T5163]  __x64_sys_bpf+0x7c/0x90
[ 109.916987][ T5163]  do_syscall_64+0x14d/0xf80
[ 109.919218][ T5163]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 109.922007][ T5163]
[ 109.923439][ T5163] Freed by task 15:
[ 109.925855][ T5163]  kasan_save_track+0x3e/0x80
[ 109.928302][ T5163]  kasan_save_free_info+0x46/0x50
[ 109.930659][ T5163]  __kasan_slab_free+0x5c/0x80
[ 109.932964][ T5163]  kfree+0x1c1/0x630
[ 109.934976][ T5163]  rcu_core+0x7cd/0x1070
[ 109.937249][ T5163]  handle_softirqs+0x22a/0x870
[ 109.939850][ T5163]  run_ksoftirqd+0x36/0x60
[ 109.942013][ T5163]  smpboot_thread_fn+0x541/0xa50
[ 109.944497][ T5163]  kthread+0x388/0x470
[ 109.946588][ T5163]  ret_from_fork+0x51e/0xb90
[ 109.949066][ T5163]  ret_from_fork_asm+0x1a/0x30
[ 109.951513][ T5163]
[ 109.952711][ T5163] Last potentially related work creation:
[ 109.955583][ T5163]  kasan_save_stack+0x3e/0x60
[ 109.958075][ T5163]  kasan_record_aux_stack+0xbd/0xd0
[ 109.960598][ T5163]  call_rcu+0xee/0x890
[ 109.962572][ T5163]  bpf_link_release+0x6b/0x80
[ 109.964837][ T5163]  __fput+0x44f/0xa70
[ 109.966748][ T5163]  task_work_run+0x1d9/0x270
[ 109.969059][ T5163]  exit_to_user_mode_loop+0xed/0x480
[ 109.971207][ T5163]  do_syscall_64+0x32d/0xf80
[ 109.973546][ T5163]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 109.976529][ T5163]
[ 109.977875][ T5163] The buggy address belongs to the object at ffff88801f93fc00
[ 109.977875][ T5163]  which belongs to the cache kmalloc-192 of size 192
[ 109.984277][ T5163] The buggy address is located 128 bytes inside of
[ 109.984277][ T5163]  freed 192-byte region [ffff88801f93fc00, ffff88801f93fcc0)
[ 109.991035][ T5163]
[ 109.992185][ T5163] The buggy address belongs to the physical page:
[ 109.995130][ T5163] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f93f
[ 109.999813][ T5163] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 110.003228][ T5163] page_type: f5(slab)
[ 110.005038][ T5163] raw: 00fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122
[ 110.009232][ T5163] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[ 110.013675][ T5163] page dumped because: kasan: bad access detected
[ 110.016396][ T5163] page_owner tracks the page as allocated
[ 110.019171][ T5163] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 5316845695, free_ts 0
[ 110.027367][ T5163]  post_alloc_hook+0x231/0x280
[ 110.029586][ T5163]  get_page_from_freelist+0x24dc/0x2580
[ 110.032065][ T5163]  __alloc_frozen_pages_noprof+0x18d/0x380
[ 110.034901][ T5163]  allocate_slab+0x77/0x660
[ 110.037126][ T5163]  refill_objects+0x331/0x3c0
[ 110.039370][ T5163]  __pcs_replace_empty_main+0x2e6/0x730
[ 110.042051][ T5163]  __kmalloc_cache_noprof+0x392/0x660
[ 110.044483][ T5163]  kset_create_and_add+0x5a/0x170
[ 110.046935][ T5163]  bus_register+0x225/0x480
[ 110.049569][ T5163]  usb_init+0x77/0x1b0
[ 110.051460][ T5163]  do_one_initcall+0x250/0x8d0
[ 110.053672][ T5163]  do_initcall_level+0x104/0x190
[ 110.055939][ T5163]  do_initcalls+0x59/0xa0
[ 110.058151][ T5163]  kernel_init_freeable+0x2a6/0x3e0
[ 110.060882][ T5163]  kernel_init+0x1d/0x1d0
[ 110.063136][ T5163]  ret_from_fork+0x51e/0xb90
[ 110.065226][ T5163] page_owner free stack trace missing
[ 110.067655][ T5163]
[ 110.068935][ T5163] Memory state around the buggy address:
[ 110.071840][ T5163]  ffff88801f93fb80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 110.075498][ T5163]  ffff88801f93fc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.079464][ T5163] >ffff88801f93fc80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 110.083896][ T5163]                    ^
[ 110.085864][ T5163]  ffff88801f93fd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.089946][ T5163]  ffff88801f93fd80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 110.094581][ T5163] ==================================================================
[ 110.171264][ T5163] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 110.175071][ T5163] CPU: 0 UID: 101 PID: 5163 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full)
[ 110.180034][ T5163] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 110.184657][ T5163] Call Trace:
[ 110.186168][ T5163]  <TASK>
[ 110.187764][ T5163]  vpanic+0x56c/0xa60
[ 110.189986][ T5163]  ? __pfx_vpanic+0x10/0x10
[ 110.192457][ T5163]  panic+0xc5/0xd0
[ 110.194267][ T5163]  ? __pfx_panic+0x10/0x10
[ 110.196366][ T5163]  ? preempt_schedule_thunk+0x16/0x30
[ 110.198770][ T5163]  ? bpf_trace_run2+0x2c4/0x840
[ 110.200975][ T5163]  ? preempt_schedule_thunk+0x16/0x30
[ 110.203790][ T5163]  ? bpf_trace_run2+0x2c4/0x840
[ 110.206341][ T5163]  check_panic_on_warn+0x89/0xb0
[ 110.208772][ T5163]  ? bpf_trace_run2+0x2c4/0x840
[ 110.210921][ T5163]  end_report+0x73/0x180
[ 110.212822][ T5163]  ? bpf_trace_run2+0x2c4/0x840
[ 110.215058][ T5163]  kasan_report+0x128/0x150
[ 110.217442][ T5163]  ? bpf_trace_run2+0x2c4/0x840
[ 110.219810][ T5163]  bpf_trace_run2+0x2c4/0x840
[ 110.222023][ T5163]  ? __queue_work+0x1a1/0x1020
[ 110.224213][ T5163]  ? bpf_trace_run2+0x1c9/0x840
[ 110.226621][ T5163]  ? __pfx_bpf_trace_run2+0x10/0x10
[ 110.229801][ T5163]  ? seccomp_filter_release+0x22b/0x2d0
[ 110.232614][ T5163]  ? seccomp_filter_release+0x22b/0x2d0
[ 110.235095][ T5163]  ? seccomp_filter_release+0x22b/0x2d0
[ 110.237696][ T5163]  kfree+0x5b2/0x630
[ 110.239693][ T5163]  ? queue_work_on+0x159/0x1d0
[ 110.242408][ T5163]  seccomp_filter_release+0x22b/0x2d0
[ 110.245008][ T5163]  do_exit+0x3b0/0x23c0
[ 110.246951][ T5163]  ? __pfx_do_exit+0x10/0x10
[ 110.249224][ T5163]  ? do_raw_spin_lock+0x12b/0x2f0
[ 110.251496][ T5163]  ? do_raw_spin_lock+0x12b/0x2f0
[ 110.254110][ T5163]  do_group_exit+0x21b/0x2d0
[ 110.256741][ T5163]  ? _raw_spin_unlock_irq+0x23/0x50
[ 110.259435][ T5163]  get_signal+0x1284/0x1330
[ 110.261905][ T5163]  arch_do_signal_or_restart+0xbc/0x830
[ 110.265226][ T5163]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 110.268762][ T5163]  exit_to_user_mode_loop+0x86/0x480
[ 110.271243][ T5163]  ? rcu_is_watching+0x15/0xb0
[ 110.273666][ T5163]  do_syscall_64+0x32d/0xf80
[ 110.276088][ T5163]  ? trace_irq_disable+0x3b/0x150
[ 110.278801][ T5163]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 110.281622][ T5163]  ? clear_bhb_loop+0x40/0x90
[ 110.283761][ T5163]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 110.286726][ T5163] RIP: 0033:0x7f79313c6407
[ 110.289295][ T5163] Code: Unable to access opcode bytes at 0x7f79313c63dd.
[ 110.292615][ T5163] RSP: 002b:00007ffe12c3e150 EFLAGS: 00000202 ORIG_RAX: 000000000000010f
[ 110.296461][ T5163] RAX: 0000000000000001 RBX: 00007f793133c780 RCX: 00007f79313c6407
[ 110.300674][ T5163] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 000055b6c7f2a380
[ 110.304612][ T5163] RBP: 00007ffe12c3e490 R08: 0000000000000008 R09: 0000000000000000
[ 110.308202][ T5163] R10: 00007ffe12c3e490 R11: 0000000000000202 R12: 000055b6b8a445e0
[ 110.312289][ T5163] R13: 000055b6c7f1dd40 R14: 0000000000000000 R15: 00007ffe12c3e240
[ 110.316859][ T5163]  </TASK>
[ 110.318657][ T5163] Kernel Offset: disabled
[ 110.320469][ T5163] Rebooting in 86400 seconds..
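The first thing to do with a report like the one above is to reduce it to the facts that decide where it goes: the bug class and faulting function from the BUG line, the slab cache and in-object offset, the subsystem that allocated the object, the subsystem that freed it (here the free ran from rcu_core(), so the requester is in the "Last potentially related work creation" stack, not in "Freed by"), and the shadow byte under the caret. The Python script below is an added example and is not part of the syzkaller report or of the kernel sources: the function names, the NOISE/PLUMBING filter lists and the trimmed excerpt embedded as SAMPLE_REPORT (drawn from the report above, with most frames elided) are this example's own choices.

```python
"""Triage helper for a generic-KASAN report (added example, not from the report above)."""
import re

# Constructed input: a trimmed excerpt of the report above (most frames elided).
SAMPLE_REPORT = """\
[ 109.768769][ T5163] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[ 109.773559][ T5163] Read of size 8 at addr ffff88801f93fc80 by task dhcpcd/5163
[ 109.777637][ T5163]
[ 109.778898][ T5163] Call Trace:
[ 109.778971][ T5163]  ? bpf_trace_run2+0x2c4/0x840
[ 109.778988][ T5163]  kasan_report+0x117/0x150
[ 109.779016][ T5163]  bpf_trace_run2+0x2c4/0x840
[ 109.779113][ T5163]  kfree+0x5b2/0x630
[ 109.779141][ T5163]  seccomp_filter_release+0x22b/0x2d0
[ 109.897739][ T5163] Allocated by task 5324:
[ 109.899848][ T5163]  kasan_save_track+0x3e/0x80
[ 109.904677][ T5163]  __kmalloc_cache_noprof+0x31c/0x660
[ 109.907090][ T5163]  bpf_raw_tp_link_attach+0x278/0x700
[ 109.923439][ T5163] Freed by task 15:
[ 109.932964][ T5163]  kfree+0x1c1/0x630
[ 109.934976][ T5163]  rcu_core+0x7cd/0x1070
[ 109.952711][ T5163] Last potentially related work creation:
[ 109.960598][ T5163]  call_rcu+0xee/0x890
[ 109.962572][ T5163]  bpf_link_release+0x6b/0x80
[ 109.977875][ T5163] The buggy address belongs to the object at ffff88801f93fc00
[ 109.977875][ T5163]  which belongs to the cache kmalloc-192 of size 192
[ 109.984277][ T5163] The buggy address is located 128 bytes inside of
[ 109.984277][ T5163]  freed 192-byte region [ffff88801f93fc00, ffff88801f93fcc0)
[ 110.079464][ T5163] >ffff88801f93fc80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")  # printk "[ ts][ Tpid] " prefix
FRAME = re.compile(r"^\??\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
HEADER = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\w+)\+0x")
ACCESS = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
OBJECT = re.compile(r"belongs to the object at [0-9a-f]+\s+which belongs to the cache (?P<cache>\S+)")
REGION = re.compile(r"located (?P<off>\d+) bytes inside of\s+(?P<state>\w+) \d+-byte region")
SHADOW_ROW = re.compile(r"^>([0-9a-f]+): ((?:[0-9a-f]{2} ?){16})")
SECTIONS = {"Call Trace": "use", "Allocated by task": "alloc",
            "Freed by task": "free", "Last potentially related work creation": "work"}
NOISE = ("kasan_", "__kasan_", "dump_stack_lvl", "print_report")  # sanitizer/report frames
PLUMBING = ("__kmalloc", "kmalloc", "kfree", "call_rcu", "rcu_core", "handle_softirqs")
SHADOW_LEGEND = {0x00: "addressable", 0xfa: "freed slab object (free meta)",
                 0xfb: "freed slab object", 0xfc: "slab redzone"}  # subset of mm/kasan/kasan.h

def clean(report):
    """Strip the printk prefix from every line."""
    return [PREFIX.sub("", line).rstrip() for line in report.splitlines()]

def parse_sections(report):
    """Reliable frames (no '?' entries, no sanitizer noise) of each stack, by section."""
    sections, current = {}, None
    for line in clean(report):
        line = line.strip()
        if not line:                      # a blank line terminates the current stack
            current = None
            continue
        key = next((k for text, k in SECTIONS.items() if line.startswith(text)), None)
        if key:
            current, sections[key] = key, []
            continue
        m = FRAME.match(line)
        if current and m and not line.startswith("?") and not m.group(1).startswith(NOISE):
            sections[current].append(m.group(1))
    return sections

def first_caller(frames):
    """First frame above allocator/RCU plumbing: the subsystem that owns the object."""
    return next((f for f in frames if not f.startswith(PLUMBING)), None)

def shadow_at(report, addr):
    """Shadow byte covering addr, read from the '>' row (one byte per 8-byte granule)."""
    for line in clean(report):
        m = SHADOW_ROW.match(line)
        if m:
            cells = [int(b, 16) for b in m.group(2).split()]
            idx = (addr - int(m.group(1), 16)) // 8
            if 0 <= idx < len(cells):
                return cells[idx], SHADOW_LEGEND.get(cells[idx], "other")
    return None

def triage(report):
    """Reduce a KASAN report to the facts needed to route it to an owner."""
    text = "\n".join(clean(report))
    hdr, acc = HEADER.search(text), ACCESS.search(text)
    if not hdr or not acc:
        raise ValueError("not a KASAN report")
    obj, reg, secs = OBJECT.search(text), REGION.search(text), parse_sections(report)
    return {
        "bug": hdr["bug"],
        "crash_site": hdr["func"],
        "cache": obj["cache"] if obj else None,
        "offset": int(reg["off"]) if reg else None,
        "region_state": reg["state"] if reg else None,
        "alloc_site": first_caller(secs.get("alloc", [])),
        # A free inside rcu_core() was deferred; who requested it is in the "work" stack.
        "free_deferred_via_rcu": "rcu_core" in secs.get("free", []),
        "free_scheduled_by": first_caller(secs.get("work", [])),
        "shadow": shadow_at(report, int(acc["addr"], 16)),
        "use_stack": secs.get("use", [])[:4],
    }
```

Calling triage(SAMPLE_REPORT) yields the routing facts for this report: a slab-use-after-free at bpf_trace_run2, a kmalloc-192 object read 128 bytes in, allocated from bpf_raw_tp_link_attach, freed in an RCU callback that bpf_link_release requested, shadow byte 0xfb (freed slab object). The NOISE and PLUMBING tuples are heuristics; extend them for reports whose stacks pass through other generic helpers (workqueues, kvfree, slab destructors), and keep the "?" frames if you need the full, unreliable stack words for a manual look.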