program:
r0 = syz_open_dev$tty1(0xc, 0x4, 0x1)
dup(r0)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r1}, 0x10)
r2 = socket$tipc(0x1e, 0x2, 0x0)
bind$tipc(r2, &(0x7f0000000100)=@name={0x1e, 0x2, 0x0, {{0x42}}}, 0x10)
setsockopt$TIPC_GROUP_JOIN(0xffffffffffffffff, 0x10f, 0x87, &(0x7f0000000180)={0x42, 0x3}, 0x10)
sendmsg$tipc(0xffffffffffffffff, &(0x7f0000000540)={&(0x7f0000000200)=@name, 0x10, 0x0}, 0x4)
r3 = socket$tipc(0x1e, 0x2, 0x0)
setsockopt$TIPC_GROUP_JOIN(r3, 0x10f, 0x87, &(0x7f0000000180)={0x42}, 0x10)
openat$pidfd(0xffffffffffffff9c, &(0x7f00000008c0), 0x0, 0x0)
socket(0x11, 0x800000003, 0x0)

[  134.501622][   T45] Bluetooth: hci0: command tx timeout
[  134.745950][ T5008] ==================================================================
[  134.749431][ T5008] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[  134.752693][ T5008] Read of size 8 at addr ffff8880446c1080 by task dhcpcd/5008
[  134.757155][ T5008] 
[  134.758753][ T5008] CPU: 0 UID: 101 PID: 5008 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[  134.758766][ T5008] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  134.758772][ T5008] Call Trace:
[  134.758780][ T5008]  <TASK>
[  134.758787][ T5008]  dump_stack_lvl+0xe8/0x150
[  134.758806][ T5008]  print_report+0xba/0x230
[  134.758816][ T5008]  ? bpf_trace_run2+0x2c4/0x840
[  134.758828][ T5008]  kasan_report+0x117/0x150
[  134.758838][ T5008]  ? bpf_trace_run2+0x2c4/0x840
[  134.758848][ T5008]  bpf_trace_run2+0x2c4/0x840
[  134.758858][ T5008]  ? bpf_trace_run2+0x1c9/0x840
[  134.758867][ T5008]  ? __pfx_bpf_trace_run2+0x10/0x10
[  134.758877][ T5008]  ? vm_area_free+0x81/0x210
[  134.758884][ T5008]  ? vm_area_free+0x81/0x210
[  134.758890][ T5008]  ? vm_area_free+0x81/0x210
[  134.758895][ T5008]  kfree+0x5b2/0x630
[  134.758907][ T5008]  vm_area_free+0x81/0x210
[  134.758914][ T5008]  tear_down_vmas+0x312/0x520
[  134.758926][ T5008]  exit_mmap+0x4b6/0xa10
[  134.758936][ T5008]  ? __pfx_exit_mmap+0x10/0x10
[  134.758948][ T5008]  ? __pfx_exit_aio+0x10/0x10
[  134.758960][ T5008]  ? uprobe_clear_state+0x27c/0x290
[  134.758970][ T5008]  __mmput+0x118/0x430
[  134.758983][ T5008]  exit_mm+0x168/0x220
[  134.758994][ T5008]  do_exit+0x6a2/0x23c0
[  134.759003][ T5008]  ? fput_close_sync+0x11f/0x240
[  134.759016][ T5008]  ? __x64_sys_close+0x7e/0x110
[  134.759031][ T5008]  ? __pfx_do_exit+0x10/0x10
[  134.759040][ T5008]  ? do_raw_spin_lock+0x12b/0x2f0
[  134.759050][ T5008]  do_group_exit+0x21b/0x2d0
[  134.759056][ T5008]  ? _raw_spin_unlock_irq+0x23/0x50
[  134.759130][ T5008]  get_signal+0x1284/0x1330
[  134.759143][ T5008]  arch_do_signal_or_restart+0xbc/0x830
[  134.759154][ T5008]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[  134.759161][ T5008]  ? kmem_cache_free+0x439/0x630
[  134.759169][ T5008]  ? fput_close_sync+0x11f/0x240
[  134.759178][ T5008]  exit_to_user_mode_loop+0x86/0x480
[  134.759188][ T5008]  ? rcu_is_watching+0x15/0xb0
[  134.759199][ T5008]  do_syscall_64+0x32d/0xf80
[  134.759207][ T5008]  ? trace_irq_disable+0x3b/0x150
[  134.759218][ T5008]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  134.759225][ T5008]  ? clear_bhb_loop+0x40/0x90
[  134.759233][ T5008]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  134.759243][ T5008] RIP: 0033:0x7fa6aa745407
[  134.759253][ T5008] Code: Unable to access opcode bytes at 0x7fa6aa7453dd.
[  134.759258][ T5008] RSP: 002b:00007ffefe90b620 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[  134.759271][ T5008] RAX: 0000000000000000 RBX: 00007fa6aa6bb780 RCX: 00007fa6aa745407
[  134.759287][ T5008] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000000a
[  134.759292][ T5008] RBP: 00007ffefe90b7c0 R08: 0000000000000000 R09: 0000000000000000
[  134.759298][ T5008] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffefe90b6a4
[  134.759304][ T5008] R13: 00005598d708d534 R14: 00005598fd0b4140 R15: 0000000000001391
[  134.759313][ T5008]  </TASK>
[  134.759316][ T5008] 
[  134.888731][ T5008] Allocated by task 5326:
[  134.890554][ T5008]  kasan_save_track+0x3e/0x80
[  134.892384][ T5008]  __kasan_kmalloc+0x93/0xb0
[  134.894244][ T5008]  __kmalloc_cache_noprof+0x31c/0x660
[  134.896578][ T5008]  bpf_raw_tp_link_attach+0x278/0x700
[  134.899127][ T5008]  bpf_raw_tracepoint_open+0x1b2/0x220
[  134.901807][ T5008]  __sys_bpf+0x846/0x950
[  134.903917][ T5008]  __x64_sys_bpf+0x7c/0x90
[  134.905770][ T5008]  do_syscall_64+0x14d/0xf80
[  134.907723][ T5008]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  134.910108][ T5008] 
[  134.911124][ T5008] Freed by task 5158:
[  134.912974][ T5008]  kasan_save_track+0x3e/0x80
[  134.915213][ T5008]  kasan_save_free_info+0x46/0x50
[  134.917616][ T5008]  __kasan_slab_free+0x5c/0x80
[  134.920080][ T5008]  kfree+0x1c1/0x630
[  134.921892][ T5008]  rcu_core+0x7cd/0x1070
[  134.923805][ T5008]  handle_softirqs+0x22a/0x870
[  134.926029][ T5008]  do_softirq+0x76/0xd0
[  134.927668][ T5008]  __local_bh_enable_ip+0xf8/0x130
[  134.929956][ T5008]  packet_release+0xb01/0xcc0
[  134.931897][ T5008]  sock_close+0xc3/0x240
[  134.933658][ T5008]  __fput+0x44f/0xa70
[  134.935613][ T5008]  task_work_run+0x1d9/0x270
[  134.937897][ T5008]  do_exit+0x70f/0x23c0
[  134.939763][ T5008]  do_group_exit+0x21b/0x2d0
[  134.941768][ T5008]  get_signal+0x1284/0x1330
[  134.943970][ T5008]  arch_do_signal_or_restart+0xbc/0x830
[  134.946488][ T5008]  exit_to_user_mode_loop+0x86/0x480
[  134.949290][ T5008]  do_syscall_64+0x32d/0xf80
[  134.951838][ T5008]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  134.954875][ T5008] 
[  134.956276][ T5008] Last potentially related work creation:
[  134.958862][ T5008]  kasan_save_stack+0x3e/0x60
[  134.960990][ T5008]  kasan_record_aux_stack+0xbd/0xd0
[  134.963531][ T5008]  call_rcu+0xee/0x890
[  134.966098][ T5008]  bpf_link_release+0x6b/0x80
[  134.968351][ T5008]  __fput+0x44f/0xa70
[  134.969937][ T5008]  task_work_run+0x1d9/0x270
[  134.971908][ T5008]  exit_to_user_mode_loop+0xed/0x480
[  134.974236][ T5008]  do_syscall_64+0x32d/0xf80
[  134.976681][ T5008]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  134.979778][ T5008] 
[  134.981115][ T5008] The buggy address belongs to the object at ffff8880446c1000
[  134.981115][ T5008]  which belongs to the cache kmalloc-192 of size 192
[  134.986917][ T5008] The buggy address is located 128 bytes inside of
[  134.986917][ T5008]  freed 192-byte region [ffff8880446c1000, ffff8880446c10c0)
[  134.992818][ T5008] 
[  134.993932][ T5008] The buggy address belongs to the physical page:
[  134.996949][ T5008] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x446c1
[  135.000640][ T5008] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[  135.003690][ T5008] page_type: f5(slab)
[  135.006016][ T5008] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122
[  135.009729][ T5008] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[  135.013366][ T5008] page dumped because: kasan: bad access detected
[  135.016545][ T5008] page_owner tracks the page as allocated
[  135.019331][ T5008] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 29823266559, free_ts 29805492863
[  135.028436][ T5008]  post_alloc_hook+0x231/0x280
[  135.030859][ T5008]  get_page_from_freelist+0x24dc/0x2580
[  135.033684][ T5008]  __alloc_frozen_pages_noprof+0x18d/0x380
[  135.036370][ T5008]  allocate_slab+0x77/0x660
[  135.038292][ T5008]  refill_objects+0x331/0x3c0
[  135.040235][ T5008]  __pcs_replace_empty_main+0x2e6/0x730
[  135.042826][ T5008]  __kmalloc_cache_noprof+0x392/0x660
[  135.045255][ T5008]  call_usermodehelper_setup+0x8e/0x270
[  135.048324][ T5008]  kobject_uevent_env+0x658/0x9e0
[  135.050896][ T5008]  kernel_add_sysfs_param+0xb1/0xe0
[  135.053183][ T5008]  param_sysfs_builtin+0x199/0x250
[  135.055796][ T5008]  param_sysfs_builtin_init+0x23/0x30
[  135.058075][ T5008]  do_one_initcall+0x250/0x8d0
[  135.060282][ T5008]  do_initcall_level+0x104/0x190
[  135.062448][ T5008]  do_initcalls+0x59/0xa0
[  135.064298][ T5008]  kernel_init_freeable+0x2a6/0x3e0
[  135.066565][ T5008] page last free pid 10 tgid 10 stack trace:
[  135.070640][ T5008]  __free_frozen_pages+0xc2b/0xdb0
[  135.073584][ T5008]  vfree+0x25a/0x400
[  135.075404][ T5008]  delayed_vfree_work+0x55/0x80
[  135.077614][ T5008]  process_scheduled_works+0xb6e/0x18c0
[  135.080144][ T5008]  worker_thread+0xa53/0xfc0
[  135.082361][ T5008]  kthread+0x388/0x470
[  135.084280][ T5008]  ret_from_fork+0x51e/0xb90
[  135.086418][ T5008]  ret_from_fork_asm+0x1a/0x30
[  135.088534][ T5008] 
[  135.089780][ T5008] Memory state around the buggy address:
[  135.092317][ T5008]  ffff8880446c0f80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[  135.095716][ T5008]  ffff8880446c1000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  135.099643][ T5008] >ffff8880446c1080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  135.103938][ T5008]                    ^
[  135.105816][ T5008]  ffff8880446c1100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  135.109310][ T5008]  ffff8880446c1180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[  135.112950][ T5008] ==================================================================