program:
r0 = socket$netlink(0x10, 0x3, 0x14)
sendmsg$netlink(r0, &(0x7f0000003f40)={0x0, 0x0, &(0x7f0000003e80)=[{&(0x7f0000001840)={0x10, 0x1000}, 0x10}], 0x1}, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0) (async)
r2 = socket$packet(0x11, 0x3, 0x300) (async)
r3 = socket$nl_route(0x10, 0x3, 0x0)
r4 = socket(0x200000000000011, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'bridge0\x00', <r5=>0x0})
sendmsg$nl_route(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000400)=@newlink={0x3c, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x74, r5}, [@IFLA_LINKINFO={0x1c, 0x12, 0x0, 0x1, @bridge={{0xb}, {0xc, 0x2, 0x0, 0x1, [@IFLA_BR_MCAST_HASH_MAX={0x8, 0x1b, 0x2}]}}}]}, 0x3c}}, 0x0) (async)
r6 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f00000001c0)={'bridge0\x00', <r7=>0x0}) (async)
r8 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90) (async)
r9 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r9, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000001ac0)={&(0x7f0000000240)={0x14, 0x26, 0x1, 0xf0bd26, 0x25dfdbfc, {0x4}}, 0x14}, 0x1, 0x0, 0x0, 0x4000d}, 0x20048000) (async)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r8}, 0x10)
getrusage(0xfffffffffffffffe, &(0x7f00000002c0)) (async)
openat$mice(0xffffffffffffff9c, &(0x7f0000000080), 0x0) (async)
syz_open_dev$evdev(&(0x7f0000000000), 0x3, 0x822b01) (async)
r10 = socket$nl_route(0x10, 0x3, 0x0)
r11 = socket(0x200000000000011, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r11, 0x8933, &(0x7f0000000000)={'bridge0\x00', <r12=>0x0})
sendmsg$nl_route(r10, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000140)=ANY=[@ANYBLOB="380000001400e401000000000000000007000000", @ANYRES32=r12, @ANYBLOB="20000100", @ANYRES32=r7, @ANYBLOB="010003007f00000100"/24], 0x38}, 0x1, 0x0, 0x0, 0x4}, 0x0)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000000c0)={'bridge0\x00', <r13=>0x0}) (async)
r14 = openat$comedi(0xffffffffffffff9c, &(0x7f0000000140)='/dev/comedi2\x00', 0x208402, 0x0)
ioctl$COMEDI_INSN(r14, 0x8028640c, &(0x7f0000000000)={0xc000003, 0xf, &(0x7f0000000180)=[0x1e, 0x9, 0xf909, 0x899d, 0x80, 0xfffffffb, 0x7, 0x10, 0xfffffe01, 0x1, 0x4, 0x2, 0x6, 0x8811, 0x0], 0x1, 0x4000007}) (async)
sendmsg$nl_route(r1, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000440)=ANY=[@ANYBLOB="3800000054000100000000000000000007000000", @ANYRES8, @ANYBLOB="20000100", @ANYRES32=r13, @ANYBLOB="00000000ffffdd86b615cb81000000000000000000000000c709dea0dfe8811687c69f75d97ee546468381e81f7ba0d7370add1824b60542bef19ff1059d0b69e7a0b11a518148fe4de36c4304e1998013728c7a2dda72e76fb1d4e2df35a610eb1e3ce9d2f7ce4a814387b90078355f7412ad2405a601afb0f306a02a6f31391e724ef0c2abce7e234517d6068d585aaa8d95df89609e4b0a1a95499e010073ef905099931cd64a9156f540d9b8eb175ac0a2", @ANYRES32=r3], 0x38}}, 0x0)

[   85.067659][ T5304] Bluetooth: hci0: command tx timeout
[   85.182812][ T5332] netlink: 32 bytes leftover after parsing attributes in process `syz.0.0'.
[   85.297585][ T5194] ==================================================================
[   85.301764][ T5194] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[   85.305906][ T5194] Read of size 8 at addr ffff88803cec8f80 by task dhcpcd/5194
[   85.309279][ T5194] 
[   85.310465][ T5194] CPU: 0 UID: 101 PID: 5194 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   85.310499][ T5194] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   85.310506][ T5194] Call Trace:
[   85.310529][ T5194]  <TASK>
[   85.310546][ T5194]  dump_stack_lvl+0xe8/0x150
[   85.310603][ T5194]  print_report+0xba/0x230
[   85.310618][ T5194]  ? bpf_trace_run2+0x2c4/0x840
[   85.310648][ T5194]  kasan_report+0x117/0x150
[   85.310690][ T5194]  ? bpf_trace_run2+0x2c4/0x840
[   85.310707][ T5194]  bpf_trace_run2+0x2c4/0x840
[   85.310723][ T5194]  ? __queue_work+0x1a1/0x1020
[   85.310738][ T5194]  ? bpf_trace_run2+0x1c9/0x840
[   85.310753][ T5194]  ? __pfx_bpf_trace_run2+0x10/0x10
[   85.310768][ T5194]  ? seccomp_filter_release+0x22b/0x2d0
[   85.310782][ T5194]  ? seccomp_filter_release+0x22b/0x2d0
[   85.310793][ T5194]  ? seccomp_filter_release+0x22b/0x2d0
[   85.310805][ T5194]  kfree+0x5b2/0x630
[   85.310820][ T5194]  ? queue_work_on+0x159/0x1d0
[   85.310835][ T5194]  seccomp_filter_release+0x22b/0x2d0
[   85.310847][ T5194]  do_exit+0x3b0/0x23c0
[   85.310859][ T5194]  ? fput_close_sync+0x11f/0x240
[   85.310875][ T5194]  ? __x64_sys_close+0x7e/0x110
[   85.310889][ T5194]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.310903][ T5194]  ? __pfx_do_exit+0x10/0x10
[   85.310914][ T5194]  ? do_raw_spin_lock+0x12b/0x2f0
[   85.310928][ T5194]  do_group_exit+0x21b/0x2d0
[   85.310938][ T5194]  ? _raw_spin_unlock_irq+0x23/0x50
[   85.311009][ T5194]  get_signal+0x1284/0x1330
[   85.311026][ T5194]  arch_do_signal_or_restart+0xbc/0x830
[   85.311042][ T5194]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[   85.311052][ T5194]  ? kmem_cache_free+0x439/0x630
[   85.311064][ T5194]  ? fput_close_sync+0x11f/0x240
[   85.311080][ T5194]  exit_to_user_mode_loop+0x86/0x480
[   85.311095][ T5194]  ? rcu_is_watching+0x15/0xb0
[   85.311111][ T5194]  do_syscall_64+0x32d/0xf80
[   85.311133][ T5194]  ? trace_irq_disable+0x3b/0x150
[   85.311139][ T5194]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.311149][ T5194]  ? clear_bhb_loop+0x40/0x90
[   85.311161][ T5194]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.311172][ T5194] RIP: 0033:0x7fb3a09f1407
[   85.311197][ T5194] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[   85.311232][ T5194] RSP: 002b:00007fff9185f050 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[   85.311257][ T5194] RAX: 0000000000000000 RBX: 00007fb3a0967780 RCX: 00007fb3a09f1407
[   85.311265][ T5194] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000018
[   85.311271][ T5194] RBP: 00007fff9186f2f0 R08: 0000000000000000 R09: 0000000000000000
[   85.311277][ T5194] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff9186f2f0
[   85.311282][ T5194] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   85.311293][ T5194]  </TASK>
[   85.311298][ T5194] 
[   85.440801][ T5194] Allocated by task 5332:
[   85.442991][ T5194]  kasan_save_track+0x3e/0x80
[   85.445115][ T5194]  __kasan_kmalloc+0x93/0xb0
[   85.447239][ T5194]  __kmalloc_cache_noprof+0x31c/0x660
[   85.449764][ T5194]  bpf_raw_tp_link_attach+0x278/0x700
[   85.452331][ T5194]  bpf_raw_tracepoint_open+0x1b2/0x220
[   85.455006][ T5194]  __sys_bpf+0x846/0x950
[   85.457950][ T5194]  __x64_sys_bpf+0x7c/0x90
[   85.460916][ T5194]  do_syscall_64+0x14d/0xf80
[   85.463026][ T5194]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.465457][ T5194] 
[   85.466607][ T5194] Freed by task 15:
[   85.468327][ T5194]  kasan_save_track+0x3e/0x80
[   85.470334][ T5194]  kasan_save_free_info+0x46/0x50
[   85.472547][ T5194]  __kasan_slab_free+0x5c/0x80
[   85.474753][ T5194]  kfree+0x1c1/0x630
[   85.476841][ T5194]  rcu_core+0x7cd/0x1070
[   85.478742][ T5194]  handle_softirqs+0x22a/0x870
[   85.480711][ T5194]  run_ksoftirqd+0x36/0x60
[   85.482629][ T5194]  smpboot_thread_fn+0x541/0xa50
[   85.484807][ T5194]  kthread+0x388/0x470
[   85.486674][ T5194]  ret_from_fork+0x51e/0xb90
[   85.488710][ T5194]  ret_from_fork_asm+0x1a/0x30
[   85.490877][ T5194] 
[   85.492118][ T5194] Last potentially related work creation:
[   85.495184][ T5194]  kasan_save_stack+0x3e/0x60
[   85.497582][ T5194]  kasan_record_aux_stack+0xbd/0xd0
[   85.500110][ T5194]  call_rcu+0xee/0x890
[   85.501941][ T5194]  bpf_link_release+0x6b/0x80
[   85.504135][ T5194]  __fput+0x44f/0xa70
[   85.506211][ T5194]  task_work_run+0x1d9/0x270
[   85.508776][ T5194]  exit_to_user_mode_loop+0xed/0x480
[   85.512140][ T5194]  do_syscall_64+0x32d/0xf80
[   85.514709][ T5194]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.517628][ T5194] 
[   85.518654][ T5194] The buggy address belongs to the object at ffff88803cec8f00
[   85.518654][ T5194]  which belongs to the cache kmalloc-192 of size 192
[   85.524287][ T5194] The buggy address is located 128 bytes inside of
[   85.524287][ T5194]  freed 192-byte region [ffff88803cec8f00, ffff88803cec8fc0)
[   85.529786][ T5194] 
[   85.530797][ T5194] The buggy address belongs to the physical page:
[   85.534259][ T5194] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3cec8
[   85.540318][ T5194] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   85.543615][ T5194] page_type: f5(slab)
[   85.545119][ T5194] raw: 04fff00000000000 ffff88801ac413c0 dead000000000122 0000000000000000
[   85.548656][ T5194] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[   85.552486][ T5194] page dumped because: kasan: bad access detected
[   85.555245][ T5194] page_owner tracks the page as allocated
[   85.557790][ T5194] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5312, tgid 5312 (kworker/0:4), ts 83028901577, free_ts 83025915969
[   85.569917][ T5194]  post_alloc_hook+0x231/0x280
[   85.572452][ T5194]  get_page_from_freelist+0x24dc/0x2580
[   85.574937][ T5194]  __alloc_frozen_pages_noprof+0x18d/0x380
[   85.577455][ T5194]  allocate_slab+0x77/0x660
[   85.579191][ T5194]  refill_objects+0x331/0x3c0
[   85.581425][ T5194]  __pcs_replace_empty_main+0x2e6/0x730
[   85.584410][ T5194]  __kmalloc_cache_noprof+0x392/0x660
[   85.587578][ T5194]  drm_atomic_state_alloc+0xa9/0x100
[   85.590028][ T5194]  drm_atomic_helper_dirtyfb+0x129/0xf80
[   85.592653][ T5194]  drm_fbdev_shmem_helper_fb_dirty+0x160/0x2d0
[   85.595529][ T5194]  drm_fb_helper_damage_work+0x2b3/0x750
[   85.597898][ T5194]  process_scheduled_works+0xb6e/0x18c0
[   85.600997][ T5194]  worker_thread+0xa53/0xfc0
[   85.603969][ T5194]  kthread+0x388/0x470
[   85.605960][ T5194]  ret_from_fork+0x51e/0xb90
[   85.608028][ T5194]  ret_from_fork_asm+0x1a/0x30
[   85.610003][ T5194] page last free pid 5303 tgid 5303 stack trace:
[   85.612733][ T5194]  __free_frozen_pages+0xc2b/0xdb0
[   85.614907][ T5194]  vfree+0x25a/0x400
[   85.616565][ T5194]  do_ipt_get_ctl+0xf25/0x1240
[   85.618646][ T5194]  nf_getsockopt+0x26e/0x290
[   85.620555][ T5194]  ip_getsockopt+0x19e/0x230
[   85.623946][ T5194]  do_sock_getsockopt+0x37f/0x670
[   85.626889][ T5194]  __x64_sys_getsockopt+0x1a4/0x240
[   85.629072][ T5194]  do_syscall_64+0x14d/0xf80
[   85.630983][ T5194]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.633515][ T5194] 
[   85.634615][ T5194] Memory state around the buggy address:
[   85.636966][ T5194]  ffff88803cec8e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   85.640422][ T5194]  ffff88803cec8f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.645148][ T5194] >ffff88803cec8f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   85.648448][ T5194]                    ^
[   85.650190][ T5194]  ffff88803cec9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   85.653327][ T5194]  ffff88803cec9080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   85.656626][ T5194] ==================================================================