program:
r0 = syz_open_dev$cec(&(0x7f0000000080), 0x0, 0x82a80)
r1 = syz_open_dev$cec(&(0x7f0000000080), 0x0, 0x82a80)
ioctl$CEC_S_MODE(r1, 0x40046109, &(0x7f0000000040)=0xf0)
r2 = bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f00000000c0)={0x3, 0x4, 0x4, 0xa, 0x0, 0x1, 0xf, '\x00', 0x0, 0xffffffffffffffff, 0x3, 0x5, 0x4}, 0x50)
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r3}, 0x10)
bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f00000001c0)={{r2}, &(0x7f0000000140), &(0x7f0000000180)=r3}, 0x20)
ioctl$CEC_S_MODE(r0, 0x40046109, &(0x7f0000000040)=0xf0)
close(r0)

[ 84.638861][ T5300] Bluetooth: hci0: command tx timeout
[ 84.752595][ T5167] ==================================================================
[ 84.757042][ T5167] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[ 84.760767][ T5167] Read of size 8 at addr ffff888000979980 by task dhcpcd/5167
[ 84.763906][ T5167]
[ 84.765105][ T5167] CPU: 0 UID: 101 PID: 5167 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full)
[ 84.765130][ T5167] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 84.765138][ T5167] Call Trace:
[ 84.765169][ T5167]
[ 84.765193][ T5167] dump_stack_lvl+0xe8/0x150
[ 84.765216][ T5167] print_report+0xba/0x230
[ 84.765232][ T5167] ? bpf_trace_run2+0x2c4/0x840
[ 84.765268][ T5167] kasan_report+0x117/0x150
[ 84.765282][ T5167] ? bpf_trace_run2+0x2c4/0x840
[ 84.765301][ T5167] bpf_trace_run2+0x2c4/0x840
[ 84.765318][ T5167] ? __queue_work+0x1a1/0x1020
[ 84.765334][ T5167] ? bpf_trace_run2+0x1c9/0x840
[ 84.765349][ T5167] ? __pfx_bpf_trace_run2+0x10/0x10
[ 84.765366][ T5167] ? seccomp_filter_release+0x22b/0x2d0
[ 84.765380][ T5167] ? seccomp_filter_release+0x22b/0x2d0
[ 84.765391][ T5167] ? seccomp_filter_release+0x22b/0x2d0
[ 84.765404][ T5167] kfree+0x5b2/0x630
[ 84.765426][ T5167] ? queue_work_on+0x159/0x1d0
[ 84.765442][ T5167] seccomp_filter_release+0x22b/0x2d0
[ 84.765455][ T5167] do_exit+0x3b0/0x23c0
[ 84.765466][ T5167] ? sock_read_iter+0x267/0x320
[ 84.765522][ T5167] ? __asan_memcpy+0x40/0x70
[ 84.765539][ T5167] ? sock_read_iter+0x267/0x320
[ 84.765552][ T5167] ? __pfx_do_exit+0x10/0x10
[ 84.765563][ T5167] ? do_raw_spin_lock+0x12b/0x2f0
[ 84.765579][ T5167] do_group_exit+0x21b/0x2d0
[ 84.765590][ T5167] ? _raw_spin_unlock_irq+0x23/0x50
[ 84.765604][ T5167] get_signal+0x1284/0x1330
[ 84.765624][ T5167] arch_do_signal_or_restart+0xbc/0x830
[ 84.765641][ T5167] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 84.765655][ T5167] ? ksys_read+0x1fc/0x270
[ 84.765668][ T5167] exit_to_user_mode_loop+0x86/0x480
[ 84.765681][ T5167] ? rcu_is_watching+0x15/0xb0
[ 84.765697][ T5167] do_syscall_64+0x32d/0xf80
[ 84.765709][ T5167] ? trace_irq_disable+0x3b/0x150
[ 84.765719][ T5167] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.765731][ T5167] ? clear_bhb_loop+0x40/0x90
[ 84.765744][ T5167] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.765756][ T5167] RIP: 0033:0x7f8f538dc407
[ 84.765790][ T5167] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[ 84.765798][ T5167] RSP: 002b:00007ffd813d6470 EFLAGS: 00000202 ORIG_RAX: 0000000000000000
[ 84.765848][ T5167] RAX: 0000000000000188 RBX: 00007f8f53852780 RCX: 00007f8f538dc407
[ 84.765857][ T5167] RDX: 00000000000100e0 RSI: 00007ffd813d6510 RDI: 0000000000000014
[ 84.765864][ T5167] RBP: 0000000000000014 R08: 0000000000000000 R09: 0000000000000000
[ 84.765871][ T5167] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffd813e66f0
[ 84.765879][ T5167] R13: 0000555eba072e10 R14: 00007ffd813d6510 R15: 00007ffd813e66e0
[ 84.765918][ T5167]
[ 84.765923][ T5167]
[ 84.895869][ T5167] Allocated by task 5321:
[ 84.897959][ T5167] kasan_save_track+0x3e/0x80
[ 84.900083][ T5167] __kasan_kmalloc+0x93/0xb0
[ 84.902329][ T5167] __kmalloc_cache_noprof+0x31c/0x660
[ 84.904687][ T5167] bpf_raw_tp_link_attach+0x278/0x700
[ 84.907307][ T5167] bpf_raw_tracepoint_open+0x1b2/0x220
[ 84.909754][ T5167] __sys_bpf+0x846/0x950
[ 84.911690][ T5167] __x64_sys_bpf+0x7c/0x90
[ 84.913631][ T5167] do_syscall_64+0x14d/0xf80
[ 84.915665][ T5167] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.918518][ T5167]
[ 84.919851][ T5167] Freed by task 14:
[ 84.922085][ T5167] kasan_save_track+0x3e/0x80
[ 84.924492][ T5167] kasan_save_free_info+0x46/0x50
[ 84.926788][ T5167] __kasan_slab_free+0x5c/0x80
[ 84.928851][ T5167] kfree+0x1c1/0x630
[ 84.930549][ T5167] rcu_core+0x7cd/0x1070
[ 84.932404][ T5167] handle_softirqs+0x22a/0x870
[ 84.934679][ T5167] do_softirq+0x76/0xd0
[ 84.936872][ T5167] __local_bh_enable_ip+0xf8/0x130
[ 84.939513][ T5167] __alloc_skb+0x1aa/0x7d0
[ 84.941716][ T5167] nsim_dev_trap_report_work+0x29a/0xb80
[ 84.944030][ T5167] process_scheduled_works+0xb6e/0x18c0
[ 84.946519][ T5167] worker_thread+0xa53/0xfc0
[ 84.948863][ T5167] kthread+0x388/0x470
[ 84.951107][ T5167] ret_from_fork+0x51e/0xb90
[ 84.953520][ T5167] ret_from_fork_asm+0x1a/0x30
[ 84.955705][ T5167]
[ 84.956816][ T5167] Last potentially related work creation:
[ 84.959682][ T5167] kasan_save_stack+0x3e/0x60
[ 84.961797][ T5167] kasan_record_aux_stack+0xbd/0xd0
[ 84.964046][ T5167] call_rcu+0xee/0x890
[ 84.966097][ T5167] bpf_link_release+0x6b/0x80
[ 84.968174][ T5167] __fput+0x44f/0xa70
[ 84.970020][ T5167] task_work_run+0x1d9/0x270
[ 84.972130][ T5167] exit_to_user_mode_loop+0xed/0x480
[ 84.974902][ T5167] do_syscall_64+0x32d/0xf80
[ 84.977464][ T5167] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.980543][ T5167]
[ 84.981696][ T5167] The buggy address belongs to the object at ffff888000979900
[ 84.981696][ T5167] which belongs to the cache kmalloc-192 of size 192
[ 84.987296][ T5167] The buggy address is located 128 bytes inside of
[ 84.987296][ T5167] freed 192-byte region [ffff888000979900, ffff8880009799c0)
[ 84.992552][ T5167]
[ 84.993528][ T5167] The buggy address belongs to the physical page:
[ 84.996139][ T5167] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x979
[ 84.999447][ T5167] flags: 0x7ff00000000000(node=0|zone=0|lastcpupid=0x7ff)
[ 85.002057][ T5167] page_type: f5(slab)
[ 85.003507][ T5167] raw: 007ff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122
[ 85.007050][ T5167] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[ 85.011125][ T5167] page dumped because: kasan: bad access detected
[ 85.013718][ T5167] page_owner tracks the page as allocated
[ 85.015663][ T5167] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 14281686769, free_ts 13494437872
[ 85.023112][ T5167] post_alloc_hook+0x231/0x280
[ 85.025432][ T5167] get_page_from_freelist+0x24dc/0x2580
[ 85.028089][ T5167] __alloc_frozen_pages_noprof+0x18d/0x380
[ 85.030529][ T5167] allocate_slab+0x77/0x660
[ 85.032391][ T5167] refill_objects+0x331/0x3c0
[ 85.034218][ T5167] __pcs_replace_empty_main+0x2e6/0x730
[ 85.036316][ T5167] __kmalloc_cache_noprof+0x392/0x660
[ 85.038376][ T5167] virtio_gpu_plane_duplicate_state+0x72/0xb0
[ 85.041107][ T5167] drm_atomic_get_plane_state+0x25a/0x670
[ 85.043991][ T5167] drm_client_modeset_commit_atomic+0x227/0x7e0
[ 85.046755][ T5167] drm_client_modeset_commit_locked+0xcb/0x4d0
[ 85.049088][ T5167] drm_fb_helper_pan_display+0x3e7/0xbd0
[ 85.051159][ T5167] fb_pan_display+0x39e/0x680
[ 85.052945][ T5167] bit_update_start+0x4c/0x1e0
[ 85.054915][ T5167] fbcon_switch+0x127e/0x2040
[ 85.056848][ T5167] redraw_screen+0x586/0xec0
[ 85.058756][ T5167] page last free pid 9 tgid 9 stack trace:
[ 85.061677][ T5167] __free_frozen_pages+0xc2b/0xdb0
[ 85.063902][ T5167] __slab_free+0x263/0x2b0
[ 85.065866][ T5167] qlist_free_all+0x97/0x100
[ 85.068075][ T5167] kasan_quarantine_reduce+0x148/0x160
[ 85.070168][ T5167] __kasan_slab_alloc+0x22/0x80
[ 85.072088][ T5167] __kmalloc_cache_noprof+0x2ba/0x660
[ 85.074389][ T5167] drm_atomic_state_alloc+0xa9/0x100
[ 85.076789][ T5167] drm_atomic_helper_dirtyfb+0x129/0xf80
[ 85.079557][ T5167] drm_fbdev_shmem_helper_fb_dirty+0x160/0x2d0
[ 85.082233][ T5167] drm_fb_helper_damage_work+0x2b3/0x750
[ 85.084664][ T5167] process_scheduled_works+0xb6e/0x18c0
[ 85.087119][ T5167] worker_thread+0xa53/0xfc0
[ 85.089182][ T5167] kthread+0x388/0x470
[ 85.090913][ T5167] ret_from_fork+0x51e/0xb90
[ 85.092888][ T5167] ret_from_fork_asm+0x1a/0x30
[ 85.094840][ T5167]
[ 85.095917][ T5167] Memory state around the buggy address:
[ 85.098358][ T5167] ffff888000979880: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 85.101916][ T5167] ffff888000979900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.105139][ T5167] >ffff888000979980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 85.108965][ T5167] ^
[ 85.111110][ T5167] ffff888000979a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.114893][ T5167] ffff888000979a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 85.118814][ T5167] ==================================================================