program:
mount$overlay(0x0, 0x0, 0x0, 0x0, &(0x7f0000000000)={[{@lowerdir={'lowerdir', 0x3d, '.'}}]})
mknodat(0xffffffffffffff9c, 0x0, 0x21c0, 0x103)
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000700)={&(0x7f0000000780)={{0x14}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x301, 0x0, 0x0, {0x1}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWCHAIN={0x4c, 0x3, 0xa, 0x201, 0x0, 0x0, {0x1}, [@NFTA_CHAIN_NAME={0x9, 0x3, 'syz2\x00'}, @NFTA_CHAIN_HOOK={0x14, 0x4, 0x0, 0x1, [@NFTA_HOOK_HOOKNUM={0x8, 0x1, 0x1, 0x0, 0x3}, @NFTA_HOOK_PRIORITY={0x8, 0x2, 0x1, 0x0, 0x378b5ec3}]}, @NFTA_CHAIN_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_CHAIN_TYPE={0xa, 0x7, 'route\x00'}]}, @NFT_MSG_NEWRULE={0x48, 0x6, 0xa, 0x401, 0x0, 0x0, {0x1}, [@NFTA_RULE_CHAIN_ID={0x8}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_EXPRESSIONS={0x20, 0x4, 0x0, 0x1, [{0x1c, 0x1, 0x0, 0x1, @queue={{0xa}, @val={0xc, 0x2, 0x0, 0x1, [@NFTA_QUEUE_NUM={0x6, 0x1, 0x1, 0x0, 0x17}]}}}]}]}], {0x14}}, 0xdc}}, 0x0)
r2 = socket$inet6_sctp(0xa, 0x1, 0x84)
sendto$inet6(r2, &(0x7f00000009c0)="01", 0x1, 0x4004, &(0x7f0000000240)={0xa, 0x4e23, 0x0, @loopback, 0x20}, 0x1c)
r3 = socket$inet6(0xa, 0x4, 0x8000000003c)
connect$inet6(r3, &(0x7f0000000180)={0xa, 0x3, 0x3, @dev={0xfe, 0x80, '\x00', 0xd}, 0x9}, 0x1c)
sendmmsg$unix(r3, &(0x7f0000007b80)=[{{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2404c054}}], 0x1, 0x2000c080)
sendmsg(r3, &(0x7f00000000c0)={0x0, 0x33, &(0x7f0000000100)=[{&(0x7f0000000000)=',', 0x584}], 0x1, 0x0, 0x0, 0x2c}, 0x44004)
r4 = open$dir(&(0x7f0000000040)='./file0\x00', 0x608c0, 0x6)
openat(r4, &(0x7f0000000080)='./file0\x00', 0x355002, 0x40)

[   85.095036][ T4663] Bluetooth: hci0: command tx timeout
[   85.288270][ T5190] ==================================================================
[   85.291898][ T5190] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[   85.295325][ T5190] Read of size 8 at addr ffff88803837bb80 by task dhcpcd/5190
[   85.298644][ T5190] 
[   85.299741][ T5190] CPU: 0 UID: 101 PID: 5190 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   85.299757][ T5190] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   85.299764][ T5190] Call Trace:
[   85.299771][ T5190]  <TASK>
[   85.299777][ T5190]  dump_stack_lvl+0xe8/0x150
[   85.299799][ T5190]  print_report+0xba/0x230
[   85.299813][ T5190]  ? bpf_trace_run2+0x2c4/0x840
[   85.299831][ T5190]  kasan_report+0x117/0x150
[   85.299845][ T5190]  ? bpf_trace_run2+0x2c4/0x840
[   85.299861][ T5190]  bpf_trace_run2+0x2c4/0x840
[   85.299879][ T5190]  ? __queue_work+0x1a1/0x1020
[   85.299895][ T5190]  ? bpf_trace_run2+0x1c9/0x840
[   85.299911][ T5190]  ? __pfx_bpf_trace_run2+0x10/0x10
[   85.299926][ T5190]  ? seccomp_filter_release+0x22b/0x2d0
[   85.299942][ T5190]  ? seccomp_filter_release+0x22b/0x2d0
[   85.299953][ T5190]  ? seccomp_filter_release+0x22b/0x2d0
[   85.299965][ T5190]  kfree+0x5b2/0x630
[   85.299981][ T5190]  ? queue_work_on+0x159/0x1d0
[   85.299996][ T5190]  seccomp_filter_release+0x22b/0x2d0
[   85.300010][ T5190]  do_exit+0x338/0x2320
[   85.300020][ T5190]  ? fput_close_sync+0x11f/0x240
[   85.300036][ T5190]  ? __x64_sys_close+0x7e/0x110
[   85.300049][ T5190]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.300062][ T5190]  ? __pfx_do_exit+0x10/0x10
[   85.300073][ T5190]  ? do_raw_spin_lock+0x12b/0x2f0
[   85.300089][ T5190]  do_group_exit+0x21b/0x2d0
[   85.300100][ T5190]  ? _raw_spin_unlock_irq+0x23/0x50
[   85.300152][ T5190]  get_signal+0x1284/0x1330
[   85.300174][ T5190]  arch_do_signal_or_restart+0xbc/0x830
[   85.300189][ T5190]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[   85.300201][ T5190]  ? kmem_cache_free+0x439/0x630
[   85.300220][ T5190]  ? fput_close_sync+0x11f/0x240
[   85.300235][ T5190]  exit_to_user_mode_loop+0x86/0x480
[   85.300249][ T5190]  ? rcu_is_watching+0x15/0xb0
[   85.300267][ T5190]  do_syscall_64+0x32d/0xf80
[   85.300284][ T5190]  ? trace_irq_disable+0x3b/0x150
[   85.300300][ T5190]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.300313][ T5190]  ? clear_bhb_loop+0x40/0x90
[   85.300327][ T5190]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.300339][ T5190] RIP: 0033:0x7fd9fa7ae407
[   85.300351][ T5190] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[   85.300362][ T5190] RSP: 002b:00007ffd5b7d39c0 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[   85.300375][ T5190] RAX: 0000000000000000 RBX: 00007fd9fa724740 RCX: 00007fd9fa7ae407
[   85.300384][ T5190] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000001b
[   85.300391][ T5190] RBP: 00007ffd5b7e3c60 R08: 0000000000000000 R09: 0000000000000000
[   85.300398][ T5190] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffd5b7e3c60
[   85.300407][ T5190] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   85.300439][ T5190]  </TASK>
[   85.300445][ T5190] 
[   85.422203][ T5190] Allocated by task 5322:
[   85.423955][ T5190]  kasan_save_track+0x3e/0x80
[   85.425889][ T5190]  __kasan_kmalloc+0x93/0xb0
[   85.427592][ T5190]  __kmalloc_cache_noprof+0x31c/0x660
[   85.429308][ T5190]  bpf_raw_tp_link_attach+0x278/0x700
[   85.430999][ T5190]  bpf_raw_tracepoint_open+0x1b2/0x220
[   85.432970][ T5190]  __sys_bpf+0x846/0x950
[   85.434702][ T5190]  __x64_sys_bpf+0x7c/0x90
[   85.436443][ T5190]  do_syscall_64+0x14d/0xf80
[   85.438424][ T5190]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.441086][ T5190] 
[   85.442182][ T5190] Freed by task 5314:
[   85.443953][ T5190]  kasan_save_track+0x3e/0x80
[   85.446131][ T5190]  kasan_save_free_info+0x46/0x50
[   85.448398][ T5190]  __kasan_slab_free+0x5c/0x80
[   85.450507][ T5190]  kfree+0x1c1/0x630
[   85.452286][ T5190]  rcu_core+0x7cd/0x1070
[   85.454256][ T5190]  handle_softirqs+0x22a/0x870
[   85.456403][ T5190]  do_softirq+0x76/0xd0
[   85.458326][ T5190]  __local_bh_enable_ip+0xf8/0x130
[   85.460602][ T5190]  ipv6_get_lladdr+0x2aa/0x3f0
[   85.462758][ T5190]  mld_newpack+0x435/0xc90
[   85.464796][ T5190]  add_grhead+0x5a/0x2a0
[   85.466588][ T5190]  add_grec+0x1452/0x1740
[   85.468339][ T5190]  mld_send_initial_cr+0x288/0x550
[   85.470464][ T5190]  mld_dad_work+0x45/0x5b0
[   85.472287][ T5190]  process_scheduled_works+0xb02/0x1830
[   85.474592][ T5190]  worker_thread+0xa50/0xfc0
[   85.476536][ T5190]  kthread+0x388/0x470
[   85.478194][ T5190]  ret_from_fork+0x51e/0xb90
[   85.480084][ T5190]  ret_from_fork_asm+0x1a/0x30
[   85.482259][ T5190] 
[   85.483367][ T5190] Last potentially related work creation:
[   85.485983][ T5190]  kasan_save_stack+0x3e/0x60
[   85.488159][ T5190]  kasan_record_aux_stack+0xbd/0xd0
[   85.490442][ T5190]  call_rcu+0xee/0x890
[   85.492326][ T5190]  bpf_link_release+0x6b/0x80
[   85.494498][ T5190]  __fput+0x44f/0xa70
[   85.496366][ T5190]  task_work_run+0x1d9/0x270
[   85.498489][ T5190]  exit_to_user_mode_loop+0xed/0x480
[   85.500869][ T5190]  do_syscall_64+0x32d/0xf80
[   85.502647][ T5190]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.505220][ T5190] 
[   85.506418][ T5190] The buggy address belongs to the object at ffff88803837bb00
[   85.506418][ T5190]  which belongs to the cache kmalloc-192 of size 192
[   85.512658][ T5190] The buggy address is located 128 bytes inside of
[   85.512658][ T5190]  freed 192-byte region [ffff88803837bb00, ffff88803837bbc0)
[   85.518699][ T5190] 
[   85.519806][ T5190] The buggy address belongs to the physical page:
[   85.522620][ T5190] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3837b
[   85.526416][ T5190] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   85.529465][ T5190] page_type: f5(slab)
[   85.531196][ T5190] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122
[   85.534711][ T5190] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[   85.538417][ T5190] page dumped because: kasan: bad access detected
[   85.541173][ T5190] page_owner tracks the page as allocated
[   85.543715][ T5190] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 10, tgid 10 (kworker/0:1), ts 21252838834, free_ts 21251791149
[   85.552624][ T5190]  post_alloc_hook+0x231/0x280
[   85.554718][ T5190]  get_page_from_freelist+0x24dc/0x2580
[   85.557274][ T5190]  __alloc_frozen_pages_noprof+0x18d/0x380
[   85.559779][ T5190]  allocate_slab+0x77/0x660
[   85.561782][ T5190]  refill_objects+0x331/0x3c0
[   85.563923][ T5190]  __pcs_replace_empty_main+0x2b9/0x620
[   85.566433][ T5190]  __kmalloc_noprof+0x474/0x760
[   85.568633][ T5190]  usb_alloc_urb+0x46/0x150
[   85.570727][ T5190]  usb_control_msg+0x118/0x3e0
[   85.572887][ T5190]  hub_ext_port_status+0x116/0x820
[   85.575156][ T5190]  hub_activate+0x6eb/0x1a80
[   85.577084][ T5190]  process_scheduled_works+0xb02/0x1830
[   85.579560][ T5190]  worker_thread+0xa50/0xfc0
[   85.581713][ T5190]  kthread+0x388/0x470
[   85.583579][ T5190]  ret_from_fork+0x51e/0xb90
[   85.585683][ T5190]  ret_from_fork_asm+0x1a/0x30
[   85.587887][ T5190] page last free pid 12 tgid 12 stack trace:
[   85.590608][ T5190]  __free_frozen_pages+0xc2b/0xdb0
[   85.592946][ T5190]  __kasan_populate_vmalloc+0x1b2/0x1d0
[   85.595342][ T5190]  alloc_vmap_area+0xd73/0x14b0
[   85.597489][ T5190]  __get_vm_area_node+0x1f8/0x300
[   85.599640][ T5190]  __vmalloc_node_range_noprof+0x372/0x1730
[   85.602180][ T5190]  __vmalloc_node_noprof+0xc2/0x100
[   85.604275][ T5190]  dup_task_struct+0x228/0x9a0
[   85.606345][ T5190]  copy_process+0x508/0x3cf0
[   85.608438][ T5190]  kernel_clone+0x248/0x8e0
[   85.610445][ T5190]  user_mode_thread+0x110/0x180
[   85.612650][ T5190]  call_usermodehelper_exec_work+0x5c/0x230
[   85.615331][ T5190]  process_scheduled_works+0xb02/0x1830
[   85.617809][ T5190]  worker_thread+0xa50/0xfc0
[   85.619866][ T5190]  kthread+0x388/0x470
[   85.621740][ T5190]  ret_from_fork+0x51e/0xb90
[   85.623776][ T5190]  ret_from_fork_asm+0x1a/0x30
[   85.625681][ T5190] 
[   85.626800][ T5190] Memory state around the buggy address:
[   85.629252][ T5190]  ffff88803837ba80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   85.632725][ T5190]  ffff88803837bb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.636263][ T5190] >ffff88803837bb80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   85.639724][ T5190]                    ^
[   85.641569][ T5190]  ffff88803837bc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.644705][ T5190]  ffff88803837bc80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   85.648282][ T5190] ==================================================================