program:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10)
r1 = socket$inet_smc(0x2b, 0x1, 0x0)
r2 = socket$nl_route(0x10, 0x3, 0x0)
setsockopt$sock_void(r1, 0x1, 0x0, 0x0, 0x0)
syz_emit_vhci(&(0x7f0000000100)=ANY=[@ANYBLOB="043e1301"], 0x16)
r3 = socket$isdn(0x22, 0x3, 0x1)
ioctl$IMCTRLREQ(r3, 0x80044945, &(0x7f00000000c0)={0x10, 0x7, 0x1, 0x10})
r4 = openat$mice(0xffffffffffffff9c, &(0x7f0000000040), 0x40000)
ioctl$AUTOFS_DEV_IOCTL_CLOSEMOUNT(r4, 0xc0189375, &(0x7f0000000080)={{0x1, 0x1, 0x18, r2}, './file0\x00'})

[   84.437062][   T45] Bluetooth: hci0: command tx timeout
[   84.784014][ T5179] ==================================================================
[   84.788091][ T5179] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[   84.792865][ T5179] Read of size 8 at addr ffff8880381fc480 by task dhcpcd/5179
[   84.797186][ T5179] 
[   84.798647][ T5179] CPU: 0 UID: 101 PID: 5179 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   84.798672][ T5179] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   84.798680][ T5179] Call Trace:
[   84.798691][ T5179]  <TASK>
[   84.798698][ T5179]  dump_stack_lvl+0xe8/0x150
[   84.799283][ T5179]  print_report+0xba/0x230
[   84.799298][ T5179]  ? bpf_trace_run2+0x2c4/0x840
[   84.799316][ T5179]  kasan_report+0x117/0x150
[   84.799375][ T5179]  ? bpf_trace_run2+0x2c4/0x840
[   84.799387][ T5179]  bpf_trace_run2+0x2c4/0x840
[   84.799398][ T5179]  ? __queue_work+0x1a1/0x1020
[   84.799411][ T5179]  ? bpf_trace_run2+0x1c9/0x840
[   84.799425][ T5179]  ? __pfx_bpf_trace_run2+0x10/0x10
[   84.799441][ T5179]  ? seccomp_filter_release+0x22b/0x2d0
[   84.799456][ T5179]  ? seccomp_filter_release+0x22b/0x2d0
[   84.799468][ T5179]  ? seccomp_filter_release+0x22b/0x2d0
[   84.799486][ T5179]  kfree+0x5b2/0x630
[   84.799505][ T5179]  ? queue_work_on+0x159/0x1d0
[   84.799522][ T5179]  seccomp_filter_release+0x22b/0x2d0
[   84.799536][ T5179]  do_exit+0x3b0/0x23c0
[   84.799547][ T5179]  ? fput_close_sync+0x11f/0x240
[   84.799563][ T5179]  ? __x64_sys_close+0x7e/0x110
[   84.799577][ T5179]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.799591][ T5179]  ? __pfx_do_exit+0x10/0x10
[   84.799603][ T5179]  ? do_raw_spin_lock+0x12b/0x2f0
[   84.799619][ T5179]  do_group_exit+0x21b/0x2d0
[   84.799631][ T5179]  ? _raw_spin_unlock_irq+0x23/0x50
[   84.799771][ T5179]  get_signal+0x1284/0x1330
[   84.799801][ T5179]  arch_do_signal_or_restart+0xbc/0x830
[   84.799818][ T5179]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[   84.799831][ T5179]  ? kmem_cache_free+0x439/0x630
[   84.799843][ T5179]  ? fput_close_sync+0x11f/0x240
[   84.799861][ T5179]  exit_to_user_mode_loop+0x86/0x480
[   84.799877][ T5179]  ? rcu_is_watching+0x15/0xb0
[   84.799894][ T5179]  do_syscall_64+0x32d/0xf80
[   84.799907][ T5179]  ? trace_irq_disable+0x3b/0x150
[   84.799918][ T5179]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.799929][ T5179]  ? clear_bhb_loop+0x40/0x90
[   84.799942][ T5179]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.799954][ T5179] RIP: 0033:0x7f65f20e9407
[   84.799967][ T5179] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[   84.799977][ T5179] RSP: 002b:00007ffe0538bf60 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[   84.799993][ T5179] RAX: 0000000000000000 RBX: 00007f65f205f780 RCX: 00007f65f20e9407
[   84.800001][ T5179] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000016
[   84.800006][ T5179] RBP: 00007ffe0539c200 R08: 0000000000000000 R09: 0000000000000000
[   84.800011][ T5179] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffe0539c200
[   84.800016][ T5179] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   84.800024][ T5179]  </TASK>
[   84.800027][ T5179] 
[   84.933425][ T5179] Allocated by task 5324:
[   84.935482][ T5179]  kasan_save_track+0x3e/0x80
[   84.938147][ T5179]  __kasan_kmalloc+0x93/0xb0
[   84.940581][ T5179]  __kmalloc_cache_noprof+0x31c/0x660
[   84.943028][ T5179]  bpf_raw_tp_link_attach+0x278/0x700
[   84.945319][ T5179]  bpf_raw_tracepoint_open+0x1b2/0x220
[   84.947803][ T5179]  __sys_bpf+0x846/0x950
[   84.949704][ T5179]  __x64_sys_bpf+0x7c/0x90
[   84.952163][ T5179]  do_syscall_64+0x14d/0xf80
[   84.955253][ T5179]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.958157][ T5179] 
[   84.959300][ T5179] Freed by task 9:
[   84.961077][ T5179]  kasan_save_track+0x3e/0x80
[   84.963192][ T5179]  kasan_save_free_info+0x46/0x50
[   84.965421][ T5179]  __kasan_slab_free+0x5c/0x80
[   84.967509][ T5179]  kfree+0x1c1/0x630
[   84.969266][ T5179]  rcu_core+0x7cd/0x1070
[   84.971208][ T5179]  handle_softirqs+0x22a/0x870
[   84.973538][ T5179]  __irq_exit_rcu+0x5f/0x150
[   84.975729][ T5179]  irq_exit_rcu+0x9/0x30
[   84.977591][ T5179]  sysvec_irq_work+0xa3/0xc0
[   84.979671][ T5179]  asm_sysvec_irq_work+0x1a/0x20
[   84.981874][ T5179] 
[   84.983039][ T5179] Last potentially related work creation:
[   84.986031][ T5179]  kasan_save_stack+0x3e/0x60
[   84.988798][ T5179]  kasan_record_aux_stack+0xbd/0xd0
[   84.991677][ T5179]  call_rcu+0xee/0x890
[   84.993684][ T5179]  bpf_link_release+0x6b/0x80
[   84.995883][ T5179]  __fput+0x44f/0xa70
[   84.997630][ T5179]  task_work_run+0x1d9/0x270
[   84.999647][ T5179]  exit_to_user_mode_loop+0xed/0x480
[   85.002014][ T5179]  do_syscall_64+0x32d/0xf80
[   85.004242][ T5179]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.007239][ T5179] 
[   85.008560][ T5179] The buggy address belongs to the object at ffff8880381fc400
[   85.008560][ T5179]  which belongs to the cache kmalloc-192 of size 192
[   85.014552][ T5179] The buggy address is located 128 bytes inside of
[   85.014552][ T5179]  freed 192-byte region [ffff8880381fc400, ffff8880381fc4c0)
[   85.020874][ T5179] 
[   85.022290][ T5179] The buggy address belongs to the physical page:
[   85.025400][ T5179] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x381fc
[   85.029011][ T5179] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   85.032364][ T5179] page_type: f5(slab)
[   85.034391][ T5179] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122
[   85.038998][ T5179] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[   85.043140][ T5179] page dumped because: kasan: bad access detected
[   85.045877][ T5179] page_owner tracks the page as allocated
[   85.048237][ T5179] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 20995424417, free_ts 20987137670
[   85.057691][ T5179]  post_alloc_hook+0x231/0x280
[   85.059845][ T5179]  get_page_from_freelist+0x24dc/0x2580
[   85.062338][ T5179]  __alloc_frozen_pages_noprof+0x18d/0x380
[   85.064929][ T5179]  allocate_slab+0x77/0x660
[   85.067130][ T5179]  refill_objects+0x331/0x3c0
[   85.069678][ T5179]  __pcs_replace_empty_main+0x2e6/0x730
[   85.072537][ T5179]  __kmalloc_noprof+0x474/0x760
[   85.074627][ T5179]  usb_alloc_urb+0x46/0x150
[   85.076576][ T5179]  usb_control_msg+0x118/0x3e0
[   85.078643][ T5179]  usb_get_status+0xe7/0x2a0
[   85.080624][ T5179]  hub_probe+0x1e56/0x3c10
[   85.082783][ T5179]  usb_probe_interface+0x668/0xc90
[   85.085431][ T5179]  really_probe+0x267/0xaf0
[   85.088026][ T5179]  __driver_probe_device+0x18c/0x320
[   85.090264][ T5179]  driver_probe_device+0x4f/0x240
[   85.092475][ T5179]  __device_attach_driver+0x279/0x430
[   85.094819][ T5179] page last free pid 12 tgid 12 stack trace:
[   85.097535][ T5179]  __free_frozen_pages+0xc2b/0xdb0
[   85.100100][ T5179]  __kasan_populate_vmalloc+0x137/0x1d0
[   85.103090][ T5179]  alloc_vmap_area+0xd73/0x14b0
[   85.105571][ T5179]  __get_vm_area_node+0x1f8/0x300
[   85.107729][ T5179]  __vmalloc_node_range_noprof+0x372/0x1730
[   85.110206][ T5179]  __vmalloc_node_noprof+0xc2/0x100
[   85.112592][ T5179]  dup_task_struct+0x275/0x9a0
[   85.115241][ T5179]  copy_process+0x508/0x3cd0
[   85.117733][ T5179]  kernel_clone+0x248/0x8e0
[   85.119721][ T5179]  user_mode_thread+0x110/0x180
[   85.121828][ T5179]  call_usermodehelper_exec_work+0x5c/0x230
[   85.124436][ T5179]  process_scheduled_works+0xb6e/0x18c0
[   85.126811][ T5179]  worker_thread+0xa53/0xfc0
[   85.129058][ T5179]  kthread+0x388/0x470
[   85.131416][ T5179]  ret_from_fork+0x51e/0xb90
[   85.133634][ T5179]  ret_from_fork_asm+0x1a/0x30
[   85.135901][ T5179] 
[   85.136943][ T5179] Memory state around the buggy address:
[   85.139329][ T5179]  ffff8880381fc380: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   85.142900][ T5179]  ffff8880381fc400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.146678][ T5179] >ffff8880381fc480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   85.150423][ T5179]                    ^
[   85.152312][ T5179]  ffff8880381fc500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   85.155760][ T5179]  ffff8880381fc580: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   85.159426][ T5179] ==================================================================