program:
r0 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000003b810000850000006d000000070000000000000095"], &(0x7f0000000040)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000880)={&(0x7f0000000a80)='kfree\x00', r1}, 0x10)
r2 = openat$dma_heap(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$DMA_HEAP_IOCTL_ALLOC(r2, 0xc0184800, &(0x7f0000000100)={0x4, <r3=>r0})
r4 = signalfd(0xffffffffffffffff, &(0x7f00000001c0), 0x8)
close(r4)
r5 = syz_open_dev$dri(&(0x7f00000008c0), 0xd21, 0x0)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r5, 0xc04064a0, &(0x7f00000001c0)={0x0, &(0x7f00000000c0)=[<r6=>0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r5, 0xc06864a1, &(0x7f00000003c0)={0x0, 0x0, r6, <r7=>0x0})
ioctl$DRM_IOCTL_MODE_GETFB2(r5, 0xc06864ce, &(0x7f0000000140)={r7, 0x0, 0x7c, 0x9, 0x2, [<r8=>0x0], [0x8, 0x19, 0x7, 0x7ff], [0x1, 0x4, 0x1000, 0x3], [0xfffffffffffffffe, 0x5, 0x0, 0x2]})
ioctl$DRM_IOCTL_GEM_FLINK(r4, 0xc008640a, &(0x7f0000000040)={r8, <r9=>0x0})
ioctl$DRM_IOCTL_GEM_OPEN(r5, 0xc010640b, &(0x7f0000000100)={r9})
ioctl$DRM_IOCTL_GEM_OPEN(r3, 0xc010640b, &(0x7f0000000080)={r9})

[   84.349735][ T5302] Bluetooth: hci0: command tx timeout
[   84.562435][ T5183] ==================================================================
[   84.566500][ T5183] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[   84.570436][ T5183] Read of size 8 at addr ffff888038aeae80 by task dhcpcd/5183
[   84.575241][ T5183] 
[   84.576640][ T5183] CPU: 0 UID: 101 PID: 5183 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   84.576659][ T5183] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   84.576665][ T5183] Call Trace:
[   84.576673][ T5183]  <TASK>
[   84.576680][ T5183]  dump_stack_lvl+0xe8/0x150
[   84.576705][ T5183]  print_report+0xba/0x230
[   84.576721][ T5183]  ? bpf_trace_run2+0x2c4/0x840
[   84.576739][ T5183]  kasan_report+0x117/0x150
[   84.576753][ T5183]  ? bpf_trace_run2+0x2c4/0x840
[   84.576771][ T5183]  bpf_trace_run2+0x2c4/0x840
[   84.576788][ T5183]  ? __queue_work+0x1a1/0x1020
[   84.576805][ T5183]  ? bpf_trace_run2+0x1c9/0x840
[   84.576821][ T5183]  ? __pfx_bpf_trace_run2+0x10/0x10
[   84.576836][ T5183]  ? seccomp_filter_release+0x22b/0x2d0
[   84.576850][ T5183]  ? seccomp_filter_release+0x22b/0x2d0
[   84.576862][ T5183]  ? seccomp_filter_release+0x22b/0x2d0
[   84.576874][ T5183]  kfree+0x5b2/0x630
[   84.576888][ T5183]  ? queue_work_on+0x159/0x1d0
[   84.576904][ T5183]  seccomp_filter_release+0x22b/0x2d0
[   84.576918][ T5183]  do_exit+0x3b0/0x23c0
[   84.576931][ T5183]  ? fput_close_sync+0x11f/0x240
[   84.576946][ T5183]  ? __x64_sys_close+0x7e/0x110
[   84.576962][ T5183]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.576976][ T5183]  ? __pfx_do_exit+0x10/0x10
[   84.576987][ T5183]  ? do_raw_spin_lock+0x12b/0x2f0
[   84.577004][ T5183]  do_group_exit+0x21b/0x2d0
[   84.577015][ T5183]  ? _raw_spin_unlock_irq+0x23/0x50
[   84.577102][ T5183]  get_signal+0x1284/0x1330
[   84.577122][ T5183]  arch_do_signal_or_restart+0xbc/0x830
[   84.577138][ T5183]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[   84.577150][ T5183]  ? kmem_cache_free+0x439/0x630
[   84.577162][ T5183]  ? fput_close_sync+0x11f/0x240
[   84.577178][ T5183]  exit_to_user_mode_loop+0x86/0x480
[   84.577192][ T5183]  ? rcu_is_watching+0x15/0xb0
[   84.577208][ T5183]  do_syscall_64+0x32d/0xf80
[   84.577226][ T5183]  ? trace_irq_disable+0x3b/0x150
[   84.577243][ T5183]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.577255][ T5183]  ? clear_bhb_loop+0x40/0x90
[   84.577267][ T5183]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.577292][ T5183] RIP: 0033:0x7f266cba4407
[   84.577306][ T5183] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[   84.577315][ T5183] RSP: 002b:00007fffe8ecc960 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[   84.577328][ T5183] RAX: 0000000000000000 RBX: 00007f266cb1a780 RCX: 00007f266cba4407
[   84.577336][ T5183] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000017
[   84.577342][ T5183] RBP: 00007fffe8edcc00 R08: 0000000000000000 R09: 0000000000000000
[   84.577349][ T5183] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fffe8edcc00
[   84.577355][ T5183] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   84.577365][ T5183]  </TASK>
[   84.577370][ T5183] 
[   84.712857][ T5183] Allocated by task 5323:
[   84.714877][ T5183]  kasan_save_track+0x3e/0x80
[   84.717043][ T5183]  __kasan_kmalloc+0x93/0xb0
[   84.719283][ T5183]  __kmalloc_cache_noprof+0x31c/0x660
[   84.721985][ T5183]  bpf_raw_tp_link_attach+0x278/0x700
[   84.724902][ T5183]  bpf_raw_tracepoint_open+0x1b2/0x220
[   84.727337][ T5183]  __sys_bpf+0x846/0x950
[   84.729226][ T5183]  __x64_sys_bpf+0x7c/0x90
[   84.731269][ T5183]  do_syscall_64+0x14d/0xf80
[   84.733580][ T5183]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.736557][ T5183] 
[   84.737969][ T5183] Freed by task 5324:
[   84.740412][ T5183]  kasan_save_track+0x3e/0x80
[   84.742551][ T5183]  kasan_save_free_info+0x46/0x50
[   84.744742][ T5183]  __kasan_slab_free+0x5c/0x80
[   84.746984][ T5183]  kfree+0x1c1/0x630
[   84.748695][ T5183]  rcu_core+0x7cd/0x1070
[   84.750687][ T5183]  handle_softirqs+0x22a/0x870
[   84.752965][ T5183]  __irq_exit_rcu+0x5f/0x150
[   84.755094][ T5183]  irq_exit_rcu+0x9/0x30
[   84.757047][ T5183]  sysvec_apic_timer_interrupt+0xa6/0xc0
[   84.759932][ T5183]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[   84.763919][ T5183] 
[   84.765485][ T5183] Last potentially related work creation:
[   84.768662][ T5183]  kasan_save_stack+0x3e/0x60
[   84.770870][ T5183]  kasan_record_aux_stack+0xbd/0xd0
[   84.773315][ T5183]  call_rcu+0xee/0x890
[   84.775217][ T5183]  bpf_link_release+0x6b/0x80
[   84.777387][ T5183]  __fput+0x44f/0xa70
[   84.779247][ T5183]  task_work_run+0x1d9/0x270
[   84.781604][ T5183]  exit_to_user_mode_loop+0xed/0x480
[   84.784757][ T5183]  do_syscall_64+0x32d/0xf80
[   84.787230][ T5183]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.789900][ T5183] 
[   84.791050][ T5183] The buggy address belongs to the object at ffff888038aeae00
[   84.791050][ T5183]  which belongs to the cache kmalloc-192 of size 192
[   84.797068][ T5183] The buggy address is located 128 bytes inside of
[   84.797068][ T5183]  freed 192-byte region [ffff888038aeae00, ffff888038aeaec0)
[   84.803584][ T5183] 
[   84.804928][ T5183] The buggy address belongs to the physical page:
[   84.808255][ T5183] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x38aea
[   84.812116][ T5183] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   84.815202][ T5183] page_type: f5(slab)
[   84.816996][ T5183] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122
[   84.821181][ T5183] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[   84.825456][ T5183] page dumped because: kasan: bad access detected
[   84.828500][ T5183] page_owner tracks the page as allocated
[   84.830899][ T5183] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 23485853910, free_ts 23442362264
[   84.840091][ T5183]  post_alloc_hook+0x231/0x280
[   84.842769][ T5183]  get_page_from_freelist+0x24dc/0x2580
[   84.846037][ T5183]  __alloc_frozen_pages_noprof+0x18d/0x380
[   84.848702][ T5183]  allocate_slab+0x77/0x660
[   84.850993][ T5183]  refill_objects+0x331/0x3c0
[   84.853143][ T5183]  __pcs_replace_empty_main+0x2f9/0x5e0
[   84.855641][ T5183]  __kmalloc_noprof+0x474/0x760
[   84.858239][ T5183]  usb_alloc_urb+0x46/0x150
[   84.860851][ T5183]  usb_control_msg+0x118/0x3e0
[   84.863230][ T5183]  hub_power_on+0x1b6/0x460
[   84.865235][ T5183]  hub_activate+0x345/0x1a80
[   84.867666][ T5183]  hub_probe+0x291e/0x3c10
[   84.870195][ T5183]  usb_probe_interface+0x668/0xc90
[   84.873194][ T5183]  really_probe+0x267/0xaf0
[   84.875400][ T5183]  __driver_probe_device+0x18c/0x320
[   84.877411][ T5183]  driver_probe_device+0x4f/0x240
[   84.879468][ T5183] page last free pid 10 tgid 10 stack trace:
[   84.882053][ T5183]  __free_frozen_pages+0xc2b/0xdb0
[   84.884609][ T5183]  vfree+0x25a/0x400
[   84.886927][ T5183]  delayed_vfree_work+0x55/0x80
[   84.889129][ T5183]  process_scheduled_works+0xb02/0x1830
[   84.891503][ T5183]  worker_thread+0xa50/0xfc0
[   84.893595][ T5183]  kthread+0x388/0x470
[   84.895387][ T5183]  ret_from_fork+0x51e/0xb90
[   84.897812][ T5183]  ret_from_fork_asm+0x1a/0x30
[   84.900190][ T5183] 
[   84.901546][ T5183] Memory state around the buggy address:
[   84.904096][ T5183]  ffff888038aead80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   84.907386][ T5183]  ffff888038aeae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   84.911651][ T5183] >ffff888038aeae80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   84.915814][ T5183]                    ^
[   84.917853][ T5183]  ffff888038aeaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   84.922287][ T5183]  ffff888038aeaf80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   84.925965][ T5183] ==================================================================