program:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101})
r1 = socket(0x400000000010, 0x3, 0x0)
r2 = socket$unix(0x1, 0x1, 0x0)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000003c0)={'syzkaller0\x00', <r3=>0x0})
sendmsg$nl_route_sched(r1, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000005c0)=@newqdisc={0x38, 0x24, 0x4ee4e6a52ff56541, 0x70bd2a, 0xffffffff, {0x0, 0x0, 0x0, r3, {0x0, 0xfff1}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_multiq={{0xb}, {0x8}}]}, 0x38}}, 0x0)
sendmsg$nl_route_sched(r1, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000000300)={&(0x7f00000007c0)=@newtfilter={0x40, 0x2c, 0xd27, 0x30bd29, 0x25dfdbfd, {0x0, 0x0, 0x0, r3, {0x0, 0xe}, {}, {0x7}}, [@filter_kind_options=@f_matchall={{0xd}, {0xc, 0x2, [@TCA_MATCHALL_FLAGS={0x8, 0x3, 0x1}]}}]}, 0x40}, 0x1, 0x0, 0x0, 0x10}, 0x0)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004bc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='memory.events\x00', 0x275a, 0x0)
r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='memory.events\x00', 0x275a, 0x0)
mmap$IORING_OFF_SQ_RING(&(0x7f0000001000/0x2000)=nil, 0x2000, 0x0, 0x12, r5, 0x0)
r6 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000200)='memory.events\x00', 0x275a, 0x0)
writev(r6, &(0x7f0000000300)=[{&(0x7f00000000c0)="c0", 0x1}], 0x1)
r7 = syz_clone(0x4200000, 0x0, 0x0, 0x0, 0x0, 0x0)
perf_event_open(&(0x7f0000000000)={0x8, 0x80, 0x0, 0x0, 0x0, 0x0, 0x82, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, @perf_bp={&(0x7f0000000080)}, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffff}, r7, 0x0, 0xffffffffffffffff, 0x0)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r4}, 0x10)
r8 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r8, 0xc018aa3f, &(0x7f00000000c0))
ioctl$UFFDIO_REGISTER(r8, 0xc020aa00, &(0x7f0000000080)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x2})
ioctl$UFFDIO_COPY(r8, 0xc028aa05, &(0x7f0000000180)={&(0x7f00002b9000/0x400000)=nil, &(0x7f00003ab000/0x2000)=nil, 0x400000, 0x2, 0x2})
close(0x3)

[   85.207728][ T5186] ==================================================================
[   85.211964][ T5186] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[   85.216105][ T5186] Read of size 8 at addr ffff888035a7bc80 by task dhcpcd/5186
[   85.221080][ T5186] 
[   85.222228][ T5186] CPU: 0 UID: 101 PID: 5186 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   85.222345][ T5186] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   85.222352][ T5186] Call Trace:
[   85.222411][ T5186]  <TASK>
[   85.222467][ T5186]  dump_stack_lvl+0xe8/0x150
[   85.222488][ T5186]  print_report+0xba/0x230
[   85.222502][ T5186]  ? bpf_trace_run2+0x2c4/0x840
[   85.222557][ T5186]  kasan_report+0x117/0x150
[   85.222569][ T5186]  ? bpf_trace_run2+0x2c4/0x840
[   85.222586][ T5186]  bpf_trace_run2+0x2c4/0x840
[   85.222604][ T5186]  ? __queue_work+0x1a1/0x1020
[   85.222620][ T5186]  ? bpf_trace_run2+0x1c9/0x840
[   85.222635][ T5186]  ? __pfx_bpf_trace_run2+0x10/0x10
[   85.222650][ T5186]  ? seccomp_filter_release+0x22b/0x2d0
[   85.222667][ T5186]  ? seccomp_filter_release+0x22b/0x2d0
[   85.222678][ T5186]  ? seccomp_filter_release+0x22b/0x2d0
[   85.222734][ T5186]  kfree+0x5b2/0x630
[   85.222764][ T5186]  ? queue_work_on+0x159/0x1d0
[   85.222789][ T5186]  seccomp_filter_release+0x22b/0x2d0
[   85.222809][ T5186]  do_exit+0x338/0x2320
[   85.222823][ T5186]  ? fput_close_sync+0x11f/0x240
[   85.222841][ T5186]  ? __x64_sys_close+0x7e/0x110
[   85.222860][ T5186]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.222872][ T5186]  ? __pfx_do_exit+0x10/0x10
[   85.222882][ T5186]  ? do_raw_spin_lock+0x12b/0x2f0
[   85.222895][ T5186]  do_group_exit+0x21b/0x2d0
[   85.222905][ T5186]  ? _raw_spin_unlock_irq+0x23/0x50
[   85.222975][ T5186]  get_signal+0x1284/0x1330
[   85.222993][ T5186]  arch_do_signal_or_restart+0xbc/0x830
[   85.223007][ T5186]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[   85.223018][ T5186]  ? kmem_cache_free+0x439/0x630
[   85.223035][ T5186]  ? fput_close_sync+0x11f/0x240
[   85.223049][ T5186]  exit_to_user_mode_loop+0x86/0x480
[   85.223060][ T5186]  ? rcu_is_watching+0x15/0xb0
[   85.223075][ T5186]  do_syscall_64+0x32d/0xf80
[   85.223090][ T5186]  ? trace_irq_disable+0x3b/0x150
[   85.223105][ T5186]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.223115][ T5186]  ? clear_bhb_loop+0x40/0x90
[   85.223127][ T5186]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.223138][ T5186] RIP: 0033:0x7ff659924407
[   85.223171][ T5186] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[   85.223181][ T5186] RSP: 002b:00007ffe5fef9ca0 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[   85.223214][ T5186] RAX: 0000000000000000 RBX: 00007ff65989a740 RCX: 00007ff659924407
[   85.223221][ T5186] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000019
[   85.223227][ T5186] RBP: 00007ffe5ff09f40 R08: 0000000000000000 R09: 0000000000000000
[   85.223233][ T5186] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffe5ff09f40
[   85.223239][ T5186] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   85.223248][ T5186]  </TASK>
[   85.223252][ T5186] 
[   85.342067][ T5186] Allocated by task 5322:
[   85.343933][ T5186]  kasan_save_track+0x3e/0x80
[   85.345905][ T5186]  __kasan_kmalloc+0x93/0xb0
[   85.347891][ T5186]  __kmalloc_cache_noprof+0x31c/0x660
[   85.350168][ T5186]  bpf_raw_tp_link_attach+0x278/0x700
[   85.352481][ T5186]  bpf_raw_tracepoint_open+0x1b2/0x220
[   85.354767][ T5186]  __sys_bpf+0x846/0x950
[   85.356635][ T5186]  __x64_sys_bpf+0x7c/0x90
[   85.358584][ T5186]  do_syscall_64+0x14d/0xf80
[   85.360582][ T5186]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.363150][ T5186] 
[   85.364181][ T5186] Freed by task 169:
[   85.365824][ T5186]  kasan_save_track+0x3e/0x80
[   85.367777][ T5186]  kasan_save_free_info+0x46/0x50
[   85.369755][ T5186]  __kasan_slab_free+0x5c/0x80
[   85.371743][ T5186]  kfree+0x1c1/0x630
[   85.373431][ T5186]  rcu_core+0x7cd/0x1070
[   85.375147][ T5186]  handle_softirqs+0x22a/0x870
[   85.377085][ T5186]  do_softirq+0x76/0xd0
[   85.378843][ T5186]  __local_bh_enable_ip+0xf8/0x130
[   85.380903][ T5186]  cfg80211_inform_single_bss_data+0x13c6/0x1b70
[   85.383641][ T5186]  cfg80211_inform_bss_data+0x266/0x3c40
[   85.385954][ T5186]  cfg80211_inform_bss_frame_data+0x3c7/0x760
[   85.388401][ T5186]  ieee80211_bss_info_update+0x794/0xa40
[   85.390748][ T5186]  ieee80211_ibss_rx_queued_mgmt+0x1901/0x2cd0
[   85.393398][ T5186]  ieee80211_iface_work+0x84e/0x1340
[   85.395636][ T5186]  cfg80211_wiphy_work+0x2ab/0x4a0
[   85.397799][ T5186]  process_scheduled_works+0xb02/0x1830
[   85.400208][ T5186]  worker_thread+0xa50/0xfc0
[   85.402230][ T5186]  kthread+0x388/0x470
[   85.403984][ T5186]  ret_from_fork+0x51e/0xb90
[   85.405816][ T5186]  ret_from_fork_asm+0x1a/0x30
[   85.407842][ T5186] 
[   85.408819][ T5186] Last potentially related work creation:
[   85.411095][ T5186]  kasan_save_stack+0x3e/0x60
[   85.413149][ T5186]  kasan_record_aux_stack+0xbd/0xd0
[   85.415392][ T5186]  call_rcu+0xee/0x890
[   85.417198][ T5186]  bpf_link_release+0x6b/0x80
[   85.419181][ T5186]  __fput+0x44f/0xa70
[   85.420878][ T5186]  task_work_run+0x1d9/0x270
[   85.422882][ T5186]  exit_to_user_mode_loop+0xed/0x480
[   85.425099][ T5186]  do_syscall_64+0x32d/0xf80
[   85.427109][ T5186]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.429573][ T5186] 
[   85.430644][ T5186] The buggy address belongs to the object at ffff888035a7bc00
[   85.430644][ T5186]  which belongs to the cache kmalloc-192 of size 192
[   85.436495][ T5186] The buggy address is located 128 bytes inside of
[   85.436495][ T5186]  freed 192-byte region [ffff888035a7bc00, ffff888035a7bcc0)
[   85.442422][ T5186] 
[   85.443514][ T5186] The buggy address belongs to the physical page:
[   85.446301][ T5186] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x35a7b
[   85.450126][ T5186] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   85.453237][ T5186] page_type: f5(slab)
[   85.454962][ T5186] raw: 04fff00000000000 ffff88801a8413c0 dead000000000100 dead000000000122
[   85.458505][ T5186] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   85.462090][ T5186] page dumped because: kasan: bad access detected
[   85.464779][ T5186] page_owner tracks the page as allocated
[   85.467158][ T5186] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 9, tgid 9 (kworker/0:0), ts 20945751602, free_ts 20945121437
[   85.475163][ T5186]  post_alloc_hook+0x231/0x280
[   85.477249][ T5186]  get_page_from_freelist+0x24dc/0x2580
[   85.479688][ T5186]  __alloc_frozen_pages_noprof+0x18d/0x380
[   85.482216][ T5186]  allocate_slab+0x77/0x660
[   85.484195][ T5186]  refill_objects+0x331/0x3c0
[   85.486233][ T5186]  __pcs_replace_empty_main+0x2b9/0x620
[   85.488676][ T5186]  __kmalloc_noprof+0x474/0x760
[   85.490867][ T5186]  usb_alloc_urb+0x46/0x150
[   85.492941][ T5186]  usb_control_msg+0x118/0x3e0
[   85.495066][ T5186]  hub_ext_port_status+0x116/0x820
[   85.497341][ T5186]  hub_activate+0x6eb/0x1a80
[   85.499370][ T5186]  process_scheduled_works+0xb02/0x1830
[   85.501756][ T5186]  worker_thread+0xa50/0xfc0
[   85.503821][ T5186]  kthread+0x388/0x470
[   85.505649][ T5186]  ret_from_fork+0x51e/0xb90
[   85.507677][ T5186]  ret_from_fork_asm+0x1a/0x30
[   85.509719][ T5186] page last free pid 13 tgid 13 stack trace:
[   85.512322][ T5186]  __free_frozen_pages+0xc2b/0xdb0
[   85.514572][ T5186]  __kasan_populate_vmalloc+0x1b2/0x1d0
[   85.517048][ T5186]  alloc_vmap_area+0xd73/0x14b0
[   85.519189][ T5186]  __get_vm_area_node+0x1f8/0x300
[   85.521414][ T5186]  __vmalloc_node_range_noprof+0x372/0x1730
[   85.524004][ T5186]  __vmalloc_node_noprof+0xc2/0x100
[   85.526355][ T5186]  dup_task_struct+0x228/0x9a0
[   85.528519][ T5186]  copy_process+0x508/0x3cf0
[   85.530588][ T5186]  kernel_clone+0x248/0x8e0
[   85.532597][ T5186]  user_mode_thread+0x110/0x180
[   85.534750][ T5186]  call_usermodehelper_exec_work+0x5c/0x230
[   85.537113][ T5186]  process_scheduled_works+0xb02/0x1830
[   85.539325][ T5186]  worker_thread+0xa50/0xfc0
[   85.541178][ T5186]  kthread+0x388/0x470
[   85.542813][ T5186]  ret_from_fork+0x51e/0xb90
[   85.544799][ T5186]  ret_from_fork_asm+0x1a/0x30
[   85.546751][ T5186] 
[   85.547707][ T5186] Memory state around the buggy address:
[   85.549868][ T5186]  ffff888035a7bb80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   85.553234][ T5186]  ffff888035a7bc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.556693][ T5186] >ffff888035a7bc80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   85.560047][ T5186]                    ^
[   85.561765][ T5186]  ffff888035a7bd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.565045][ T5186]  ffff888035a7bd80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   85.568220][ T5186] ==================================================================
[   85.609726][ T5299] Bluetooth: hci0: command tx timeout
[   85.676658][ T5186] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   85.679711][ T5186] CPU: 0 UID: 101 PID: 5186 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   85.683389][ T5186] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   85.687726][ T5186] Call Trace:
[   85.689186][ T5186]  <TASK>
[   85.690499][ T5186]  vpanic+0x56c/0xa60
[   85.692242][ T5186]  ? __pfx_vpanic+0x10/0x10
[   85.694116][ T5186]  panic+0xc5/0xd0
[   85.695866][ T5186]  ? __pfx_panic+0x10/0x10
[   85.697823][ T5186]  ? preempt_schedule_thunk+0x16/0x30
[   85.700170][ T5186]  ? bpf_trace_run2+0x2c4/0x840
[   85.702252][ T5186]  ? preempt_schedule_thunk+0x16/0x30
[   85.704357][ T5186]  ? bpf_trace_run2+0x2c4/0x840
[   85.706428][ T5186]  check_panic_on_warn+0x89/0xb0
[   85.708451][ T5186]  ? bpf_trace_run2+0x2c4/0x840
[   85.710421][ T5186]  end_report+0x73/0x180
[   85.712270][ T5186]  ? bpf_trace_run2+0x2c4/0x840
[   85.714334][ T5186]  kasan_report+0x128/0x150
[   85.716342][ T5186]  ? bpf_trace_run2+0x2c4/0x840
[   85.718475][ T5186]  bpf_trace_run2+0x2c4/0x840
[   85.720536][ T5186]  ? __queue_work+0x1a1/0x1020
[   85.722603][ T5186]  ? bpf_trace_run2+0x1c9/0x840
[   85.724690][ T5186]  ? __pfx_bpf_trace_run2+0x10/0x10
[   85.726990][ T5186]  ? seccomp_filter_release+0x22b/0x2d0
[   85.729345][ T5186]  ? seccomp_filter_release+0x22b/0x2d0
[   85.731723][ T5186]  ? seccomp_filter_release+0x22b/0x2d0
[   85.734154][ T5186]  kfree+0x5b2/0x630
[   85.735985][ T5186]  ? queue_work_on+0x159/0x1d0
[   85.738097][ T5186]  seccomp_filter_release+0x22b/0x2d0
[   85.740384][ T5186]  do_exit+0x338/0x2320
[   85.742152][ T5186]  ? fput_close_sync+0x11f/0x240
[   85.744162][ T5186]  ? __x64_sys_close+0x7e/0x110
[   85.746207][ T5186]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.748801][ T5186]  ? __pfx_do_exit+0x10/0x10
[   85.750783][ T5186]  ? do_raw_spin_lock+0x12b/0x2f0
[   85.752948][ T5186]  do_group_exit+0x21b/0x2d0
[   85.754919][ T5186]  ? _raw_spin_unlock_irq+0x23/0x50
[   85.757138][ T5186]  get_signal+0x1284/0x1330
[   85.759072][ T5186]  arch_do_signal_or_restart+0xbc/0x830
[   85.761445][ T5186]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[   85.763992][ T5186]  ? kmem_cache_free+0x439/0x630
[   85.766046][ T5186]  ? fput_close_sync+0x11f/0x240
[   85.768199][ T5186]  exit_to_user_mode_loop+0x86/0x480
[   85.770467][ T5186]  ? rcu_is_watching+0x15/0xb0
[   85.772566][ T5186]  do_syscall_64+0x32d/0xf80
[   85.774618][ T5186]  ? trace_irq_disable+0x3b/0x150
[   85.776863][ T5186]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.779506][ T5186]  ? clear_bhb_loop+0x40/0x90
[   85.781349][ T5186]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.783874][ T5186] RIP: 0033:0x7ff659924407
[   85.785741][ T5186] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[   85.794051][ T5186] RSP: 002b:00007ffe5fef9ca0 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[   85.797561][ T5186] RAX: 0000000000000000 RBX: 00007ff65989a740 RCX: 00007ff659924407
[   85.800776][ T5186] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000019
[   85.804053][ T5186] RBP: 00007ffe5ff09f40 R08: 0000000000000000 R09: 0000000000000000
[   85.807372][ T5186] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffe5ff09f40
[   85.810831][ T5186] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   85.813830][ T5186]  </TASK>
[   85.815475][ T5186] Kernel Offset: disabled
[   85.817339][ T5186] Rebooting in 86400 seconds..