program:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f00000003c0)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10)
r1 = syz_mount_image$minix(&(0x7f0000000180), &(0x7f00000001c0)='./file0\x00', 0x11, &(0x7f0000000080)=ANY=[@ANYRESHEX=r0], 0x1, 0x168, &(0x7f0000000240)="$eJzs281KAlEYxvFn1Mrs+ztaBUW0yamU0l1eiugk0liRLVKC6lK6sroAXXQDTXCUSlFnKnIo/z+Q88Ljy3tmcZyzUQBG1okkS5bikjzPu7vZtrQZ9qYADIXXXl89AKMnytEHRlQzFzXv/2dJTy+3hUb7Ew94f2jmIma9l9T41D8ZtP/BMutGrLM/IWkqyP3lsdW/0zV/+ovzE139M4H7W8+/u9XZPytpTtK8pAVJi5KWJC1LWukxv9g1fz3gfAAAAAAAgrCU9MsHfiGi07Lr7PfNx0x+0DcfN/mhT57qm0+YPFm4cIuDtgmgh8gPz3/U5/zHfM4/gPBUa/WzvOs6VxQUFBTvRdi/TAB+m31dubSrtfpeuZIvOSXn/DiTTmczqaOsbS729uDrPYA/7OOlH/ZOAAAAAAAAAAAAAADAd61KWgt7EwAAAACGYhh/Jwr7GQEAAAAAAAAAAAAA+O/eAgAA//+G9kuq")
socketpair(0x22, 0x2, 0x0, &(0x7f0000000040)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
r3 = fspick(r1, &(0x7f0000000040)='.\x00', 0x0)
fsconfig$FSCONFIG_CMD_RECONFIGURE(r3, 0x7, 0x0, 0x0, 0x0)
ioctl$sock_ipv6_tunnel_SIOCCHGTUNNEL(0xffffffffffffffff, 0x89f3, &(0x7f0000000000)={'ip6gre0\x00', &(0x7f00000003c0)={'syztnl0\x00', <r4=>0x0, 0x2f, 0xf, 0xa, 0x6, 0x14, @remote, @private2={0xfc, 0x2, '\x00', 0x1}, 0xaa0004b1ebd8f582, 0x492be32f82d7aca1, 0x4, 0x6}})
ioctl$sock_ipv6_tunnel_SIOCGETTUNNEL(r2, 0x89f0, &(0x7f0000000200)={'ip6gre0\x00', &(0x7f0000000440)={'syztnl1\x00', r4, 0x4, 0x8, 0x7, 0xe, 0x8, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', @empty, 0x10, 0x80, 0x7, 0x7}})

[   84.119510][   T45] Bluetooth: hci0: command tx timeout
[   84.218385][ T5320] loop0: detected capacity change from 0 to 64
[   84.319908][ T5320] minix: Unknown parameter '0x0000000000000003'
[   84.444039][ T5011] ==================================================================
[   84.448926][ T5011] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[   84.452528][ T5011] Read of size 8 at addr ffff88801f6d1580 by task dhcpcd/5011
[   84.455803][ T5011] 
[   84.456915][ T5011] CPU: 0 UID: 101 PID: 5011 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   84.456966][ T5011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   84.456996][ T5011] Call Trace:
[   84.457005][ T5011]  <TASK>
[   84.457034][ T5011]  dump_stack_lvl+0xe8/0x150
[   84.457057][ T5011]  print_report+0xba/0x230
[   84.457070][ T5011]  ? bpf_trace_run2+0x2c4/0x840
[   84.457093][ T5011]  kasan_report+0x117/0x150
[   84.457106][ T5011]  ? bpf_trace_run2+0x2c4/0x840
[   84.457118][ T5011]  bpf_trace_run2+0x2c4/0x840
[   84.457128][ T5011]  ? __queue_work+0x1a1/0x1020
[   84.457141][ T5011]  ? bpf_trace_run2+0x1c9/0x840
[   84.457153][ T5011]  ? __pfx_bpf_trace_run2+0x10/0x10
[   84.457167][ T5011]  ? seccomp_filter_release+0x22b/0x2d0
[   84.457181][ T5011]  ? seccomp_filter_release+0x22b/0x2d0
[   84.457192][ T5011]  ? seccomp_filter_release+0x22b/0x2d0
[   84.457202][ T5011]  kfree+0x5b2/0x630
[   84.457215][ T5011]  ? queue_work_on+0x159/0x1d0
[   84.457230][ T5011]  seccomp_filter_release+0x22b/0x2d0
[   84.457242][ T5011]  do_exit+0x3b0/0x23c0
[   84.457254][ T5011]  ? __pfx_do_exit+0x10/0x10
[   84.457262][ T5011]  ? do_raw_spin_lock+0x12b/0x2f0
[   84.457275][ T5011]  ? _raw_spin_unlock_irq+0x23/0x50
[   84.457328][ T5011]  do_group_exit+0x21b/0x2d0
[   84.457336][ T5011]  __x64_sys_exit_group+0x3f/0x40
[   84.457342][ T5011]  x64_sys_call+0x221a/0x2240
[   84.457352][ T5011]  do_syscall_64+0x14d/0xf80
[   84.457360][ T5011]  ? trace_irq_disable+0x3b/0x150
[   84.457367][ T5011]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.457377][ T5011]  ? clear_bhb_loop+0x40/0x90
[   84.457393][ T5011]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.457404][ T5011] RIP: 0033:0x7f2d58b926c5
[   84.457416][ T5011] Code: ff ff ff 64 89 02 eb d2 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 8b 35 21 f7 0f 00 ba e7 00 00 00 eb 03 66 90 f4 89 d0 0f 05 <48> 3d 00 f0 ff ff 76 f3 f7 d8 64 89 06 eb ec 66 2e 0f 1f 84 00 00
[   84.457424][ T5011] RSP: 002b:00007ffe277c2fe8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   84.457436][ T5011] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2d58b926c5
[   84.457442][ T5011] RDX: 00000000000000e7 RSI: ffffffffffffff88 RDI: 0000000000000000
[   84.457448][ T5011] RBP: 00007ffe277c35f8 R08: 000056100aa792c0 R09: 0000000000000002
[   84.457455][ T5011] R10: 0000000000000020 R11: 0000000000000206 R12: 00007ffe277c3030
[   84.457461][ T5011] R13: 000056100aa7a8a0 R14: 00007ffe277c3270 R15: 00007ffe277c3020
[   84.457472][ T5011]  </TASK>
[   84.457477][ T5011] 
[   84.570803][ T5011] Allocated by task 5320:
[   84.572764][ T5011]  kasan_save_track+0x3e/0x80
[   84.574896][ T5011]  __kasan_kmalloc+0x93/0xb0
[   84.577177][ T5011]  __kmalloc_cache_noprof+0x31c/0x660
[   84.579922][ T5011]  bpf_raw_tp_link_attach+0x278/0x700
[   84.583037][ T5011]  bpf_raw_tracepoint_open+0x1b2/0x220
[   84.585437][ T5011]  __sys_bpf+0x846/0x950
[   84.587258][ T5011]  __x64_sys_bpf+0x7c/0x90
[   84.589139][ T5011]  do_syscall_64+0x14d/0xf80
[   84.591092][ T5011]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.593730][ T5011] 
[   84.595004][ T5011] Freed by task 5318:
[   84.596986][ T5011]  kasan_save_track+0x3e/0x80
[   84.599447][ T5011]  kasan_save_free_info+0x46/0x50
[   84.601800][ T5011]  __kasan_slab_free+0x5c/0x80
[   84.603937][ T5011]  kfree+0x1c1/0x630
[   84.605790][ T5011]  rcu_core+0x7cd/0x1070
[   84.607701][ T5011]  handle_softirqs+0x22a/0x870
[   84.609958][ T5011]  do_softirq+0x76/0xd0
[   84.612063][ T5011]  __local_bh_enable_ip+0xf8/0x130
[   84.614764][ T5011]  icmp6_dst_alloc+0x3a6/0x440
[   84.617147][ T5011]  mld_sendpack+0x6ba/0xe40
[   84.619052][ T5011]  mld_dad_work+0x45/0x5b0
[   84.620834][ T5011]  process_scheduled_works+0xb6e/0x18c0
[   84.623223][ T5011]  worker_thread+0xa53/0xfc0
[   84.625175][ T5011]  kthread+0x388/0x470
[   84.626918][ T5011]  ret_from_fork+0x51e/0xb90
[   84.629287][ T5011]  ret_from_fork_asm+0x1a/0x30
[   84.631665][ T5011] 
[   84.632719][ T5011] Last potentially related work creation:
[   84.635009][ T5011]  kasan_save_stack+0x3e/0x60
[   84.636920][ T5011]  kasan_record_aux_stack+0xbd/0xd0
[   84.639027][ T5011]  call_rcu+0xee/0x890
[   84.640588][ T5011]  bpf_link_release+0x6b/0x80
[   84.642581][ T5011]  __fput+0x44f/0xa70
[   84.644199][ T5011]  task_work_run+0x1d9/0x270
[   84.645989][ T5011]  exit_to_user_mode_loop+0xed/0x480
[   84.648107][ T5011]  do_syscall_64+0x32d/0xf80
[   84.650078][ T5011]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.652519][ T5011] 
[   84.653512][ T5011] The buggy address belongs to the object at ffff88801f6d1500
[   84.653512][ T5011]  which belongs to the cache kmalloc-192 of size 192
[   84.660464][ T5011] The buggy address is located 128 bytes inside of
[   84.660464][ T5011]  freed 192-byte region [ffff88801f6d1500, ffff88801f6d15c0)
[   84.666853][ T5011] 
[   84.668152][ T5011] The buggy address belongs to the physical page:
[   84.671287][ T5011] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f6d1
[   84.676703][ T5011] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   84.679746][ T5011] page_type: f5(slab)
[   84.681541][ T5011] raw: 00fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122
[   84.685274][ T5011] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[   84.688903][ T5011] page dumped because: kasan: bad access detected
[   84.692203][ T5011] page_owner tracks the page as allocated
[   84.695986][ T5011] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 6557040685, free_ts 0
[   84.703932][ T5011]  post_alloc_hook+0x231/0x280
[   84.706005][ T5011]  get_page_from_freelist+0x24dc/0x2580
[   84.708299][ T5011]  __alloc_frozen_pages_noprof+0x18d/0x380
[   84.710846][ T5011]  allocate_slab+0x77/0x660
[   84.712962][ T5011]  refill_objects+0x331/0x3c0
[   84.715385][ T5011]  __pcs_replace_empty_main+0x2e6/0x730
[   84.717996][ T5011]  __kmalloc_cache_noprof+0x392/0x660
[   84.720599][ T5011]  shrinker_alloc+0x59/0xa80
[   84.722773][ T5011]  alloc_super+0x789/0xab0
[   84.724637][ T5011]  sget_fc+0x329/0xa40
[   84.726457][ T5011]  get_tree_nodev+0x2a/0x150
[   84.728374][ T5011]  vfs_get_tree+0x92/0x2a0
[   84.730443][ T5011]  vfs_kern_mount+0x15b/0x220
[   84.732939][ T5011]  kern_mount+0x43/0x90
[   84.735521][ T5011]  init_pipe_fs+0x25/0x80
[   84.737794][ T5011]  do_one_initcall+0x250/0x8d0
[   84.739959][ T5011] page_owner free stack trace missing
[   84.742347][ T5011] 
[   84.743278][ T5011] Memory state around the buggy address:
[   84.745678][ T5011]  ffff88801f6d1480: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   84.749201][ T5011]  ffff88801f6d1500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   84.752763][ T5011] >ffff88801f6d1580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   84.757221][ T5011]                    ^
[   84.759684][ T5011]  ffff88801f6d1600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   84.763256][ T5011]  ffff88801f6d1680: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   84.766636][ T5011] ==================================================================