program:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004bc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f00000003c0)={'wlan0\x00', <r3=>0x0})
sendmsg$NL80211_CMD_CHANNEL_SWITCH(r2, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000400)={0x24, r1, 0x1, 0x0, 0x0, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_CH_SWITCH_COUNT={0x8, 0xb7, 0x99}]}, 0x24}}, 0x0)

[  109.167228][ T4669] Bluetooth: hci0: command tx timeout
[  109.408793][ T5177] ==================================================================
[  109.412736][ T5177] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[  109.416150][ T5177] Read of size 8 at addr ffff888044b2e780 by task dhcpcd/5177
[  109.419556][ T5177] 
[  109.420725][ T5177] CPU: 0 UID: 101 PID: 5177 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[  109.420742][ T5177] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  109.420750][ T5177] Call Trace:
[  109.420759][ T5177]  <TASK>
[  109.420765][ T5177]  dump_stack_lvl+0xe8/0x150
[  109.420790][ T5177]  print_report+0xba/0x230
[  109.420805][ T5177]  ? bpf_trace_run2+0x2c4/0x840
[  109.420830][ T5177]  kasan_report+0x117/0x150
[  109.420849][ T5177]  ? bpf_trace_run2+0x2c4/0x840
[  109.420867][ T5177]  bpf_trace_run2+0x2c4/0x840
[  109.420886][ T5177]  ? __queue_work+0x1a1/0x1020
[  109.420902][ T5177]  ? bpf_trace_run2+0x1c9/0x840
[  109.420919][ T5177]  ? __pfx_bpf_trace_run2+0x10/0x10
[  109.420943][ T5177]  ? seccomp_filter_release+0x22b/0x2d0
[  109.420959][ T5177]  ? seccomp_filter_release+0x22b/0x2d0
[  109.420972][ T5177]  ? seccomp_filter_release+0x22b/0x2d0
[  109.420985][ T5177]  kfree+0x5b2/0x630
[  109.421002][ T5177]  ? queue_work_on+0x159/0x1d0
[  109.421019][ T5177]  seccomp_filter_release+0x22b/0x2d0
[  109.421034][ T5177]  do_exit+0x3b0/0x23c0
[  109.421045][ T5177]  ? fput_close_sync+0x11f/0x240
[  109.421061][ T5177]  ? __x64_sys_close+0x7e/0x110
[  109.421076][ T5177]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  109.421090][ T5177]  ? __pfx_do_exit+0x10/0x10
[  109.421102][ T5177]  ? do_raw_spin_lock+0x12b/0x2f0
[  109.421119][ T5177]  do_group_exit+0x21b/0x2d0
[  109.421130][ T5177]  ? _raw_spin_unlock_irq+0x23/0x50
[  109.421198][ T5177]  get_signal+0x1284/0x1330
[  109.421219][ T5177]  arch_do_signal_or_restart+0xbc/0x830
[  109.421235][ T5177]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[  109.421249][ T5177]  ? kmem_cache_free+0x439/0x630
[  109.421262][ T5177]  ? fput_close_sync+0x11f/0x240
[  109.421280][ T5177]  exit_to_user_mode_loop+0x86/0x480
[  109.421295][ T5177]  ? rcu_is_watching+0x15/0xb0
[  109.421312][ T5177]  do_syscall_64+0x32d/0xf80
[  109.421325][ T5177]  ? trace_irq_disable+0x3b/0x150
[  109.421335][ T5177]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  109.421347][ T5177]  ? clear_bhb_loop+0x40/0x90
[  109.421362][ T5177]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  109.421374][ T5177] RIP: 0033:0x7f7c2c5dd407
[  109.421388][ T5177] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[  109.421398][ T5177] RSP: 002b:00007ffeba902a30 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[  109.421414][ T5177] RAX: 0000000000000000 RBX: 00007f7c2c553780 RCX: 00007f7c2c5dd407
[  109.421422][ T5177] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000016
[  109.421430][ T5177] RBP: 00007ffeba912cd0 R08: 0000000000000000 R09: 0000000000000000
[  109.421437][ T5177] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffeba912cd0
[  109.421445][ T5177] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  109.421457][ T5177]  </TASK>
[  109.421462][ T5177] 
[  109.557801][ T5177] Allocated by task 5325:
[  109.560089][ T5177]  kasan_save_track+0x3e/0x80
[  109.562362][ T5177]  __kasan_kmalloc+0x93/0xb0
[  109.564825][ T5177]  __kmalloc_cache_noprof+0x31c/0x660
[  109.567095][ T5177]  bpf_raw_tp_link_attach+0x278/0x700
[  109.569985][ T5177]  bpf_raw_tracepoint_open+0x1b2/0x220
[  109.572734][ T5177]  __sys_bpf+0x846/0x950
[  109.574883][ T5177]  __x64_sys_bpf+0x7c/0x90
[  109.577013][ T5177]  do_syscall_64+0x14d/0xf80
[  109.579335][ T5177]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  109.582485][ T5177] 
[  109.583842][ T5177] Freed by task 922:
[  109.585921][ T5177]  kasan_save_track+0x3e/0x80
[  109.588158][ T5177]  kasan_save_free_info+0x46/0x50
[  109.590254][ T5177]  __kasan_slab_free+0x5c/0x80
[  109.592337][ T5177]  kfree+0x1c1/0x630
[  109.594131][ T5177]  rcu_core+0x7cd/0x1070
[  109.596344][ T5177]  handle_softirqs+0x22a/0x870
[  109.599438][ T5177]  do_softirq+0x76/0xd0
[  109.601753][ T5177]  __local_bh_enable_ip+0xf8/0x130
[  109.603998][ T5177]  ipv6_get_lladdr+0x2aa/0x3f0
[  109.606095][ T5177]  mld_newpack+0x435/0xc90
[  109.608011][ T5177]  add_grhead+0x5a/0x2a0
[  109.609879][ T5177]  add_grec+0x1452/0x1740
[  109.611710][ T5177]  mld_send_initial_cr+0x288/0x550
[  109.613955][ T5177]  mld_dad_work+0x45/0x5b0
[  109.615938][ T5177]  process_scheduled_works+0xb6e/0x18c0
[  109.619782][ T5177]  worker_thread+0xa53/0xfc0
[  109.622491][ T5177]  kthread+0x388/0x470
[  109.624488][ T5177]  ret_from_fork+0x51e/0xb90
[  109.626437][ T5177]  ret_from_fork_asm+0x1a/0x30
[  109.628470][ T5177] 
[  109.629474][ T5177] Last potentially related work creation:
[  109.631846][ T5177]  kasan_save_stack+0x3e/0x60
[  109.633941][ T5177]  kasan_record_aux_stack+0xbd/0xd0
[  109.635951][ T5177]  call_rcu+0xee/0x890
[  109.637520][ T5177]  bpf_link_release+0x6b/0x80
[  109.639608][ T5177]  __fput+0x44f/0xa70
[  109.642023][ T5177]  task_work_run+0x1d9/0x270
[  109.644920][ T5177]  exit_to_user_mode_loop+0xed/0x480
[  109.647645][ T5177]  do_syscall_64+0x32d/0xf80
[  109.649894][ T5177]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  109.652690][ T5177] 
[  109.653736][ T5177] The buggy address belongs to the object at ffff888044b2e700
[  109.653736][ T5177]  which belongs to the cache kmalloc-192 of size 192
[  109.659561][ T5177] The buggy address is located 128 bytes inside of
[  109.659561][ T5177]  freed 192-byte region [ffff888044b2e700, ffff888044b2e7c0)
[  109.666034][ T5177] 
[  109.667505][ T5177] The buggy address belongs to the physical page:
[  109.671046][ T5177] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888044b2ef00 pfn:0x44b2e
[  109.675577][ T5177] flags: 0x4fff00000000200(workingset|node=1|zone=1|lastcpupid=0x7ff)
[  109.679327][ T5177] page_type: f5(slab)
[  109.681152][ T5177] raw: 04fff00000000200 ffff88801ac413c0 ffffea0000e42990 ffffea000113cd10
[  109.684939][ T5177] raw: ffff888044b2ef00 000000080010000f 00000000f5000000 0000000000000000
[  109.689517][ T5177] page dumped because: kasan: bad access detected
[  109.692614][ T5177] page_owner tracks the page as allocated
[  109.694878][ T5177] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5305, tgid 5305 (syz-executor), ts 106618280021, free_ts 106546757418
[  109.704830][ T5177]  post_alloc_hook+0x231/0x280
[  109.707343][ T5177]  get_page_from_freelist+0x24dc/0x2580
[  109.710298][ T5177]  __alloc_frozen_pages_noprof+0x18d/0x380
[  109.713091][ T5177]  allocate_slab+0x77/0x660
[  109.715052][ T5177]  refill_objects+0x331/0x3c0
[  109.717030][ T5177]  __pcs_replace_empty_main+0x2e6/0x730
[  109.719507][ T5177]  __kmalloc_cache_noprof+0x392/0x660
[  109.721694][ T5177]  kset_create_and_add+0x5a/0x170
[  109.724211][ T5177]  netdev_register_kobject+0x1a2/0x310
[  109.727773][ T5177]  register_netdevice+0x12c0/0x1cf0
[  109.730879][ T5177]  cfg80211_register_netdevice+0x138/0x2d0
[  109.733441][ T5177]  ieee80211_if_add+0xe87/0x13a0
[  109.735555][ T5177]  ieee80211_register_hw+0x36a3/0x4200
[  109.737900][ T5177]  mac80211_hwsim_new_radio+0x2f97/0x5330
[  109.742405][ T5177]  hwsim_new_radio_nl+0xf35/0x1bd0
[  109.744801][ T5177]  genl_family_rcv_msg_doit+0x22a/0x330
[  109.747944][ T5177] page last free pid 5305 tgid 5305 stack trace:
[  109.751481][ T5177]  __free_frozen_pages+0xc2b/0xdb0
[  109.753909][ T5177]  rcu_core+0x7cd/0x1070
[  109.755721][ T5177]  handle_softirqs+0x22a/0x870
[  109.757754][ T5177]  do_softirq+0x76/0xd0
[  109.759584][ T5177]  __local_bh_enable_ip+0xf8/0x130
[  109.761714][ T5177]  __fib6_clean_all+0x464/0x5a0
[  109.764061][ T5177]  rt6_sync_up+0x130/0x170
[  109.766834][ T5177]  addrconf_notify+0xb6e/0x1050
[  109.770259][ T5177]  notifier_call_chain+0x1be/0x400
[  109.773018][ T5177]  __dev_notify_flags+0x1a9/0x310
[  109.775377][ T5177]  netif_change_flags+0xe8/0x1a0
[  109.777703][ T5177]  do_setlink+0xf82/0x4590
[  109.779793][ T5177]  rtnl_newlink+0x15a9/0x1be0
[  109.781910][ T5177]  rtnetlink_rcv_msg+0x7d5/0xbe0
[  109.784257][ T5177]  netlink_rcv_skb+0x232/0x4b0
[  109.786273][ T5177]  netlink_unicast+0x80f/0x9b0
[  109.788406][ T5177] 
[  109.789698][ T5177] Memory state around the buggy address:
[  109.792521][ T5177]  ffff888044b2e680: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[  109.796706][ T5177]  ffff888044b2e700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  109.800287][ T5177] >ffff888044b2e780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  109.804062][ T5177]                    ^
[  109.805972][ T5177]  ffff888044b2e800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  109.809476][ T5177]  ffff888044b2e880: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[  109.813175][ T5177] ==================================================================