program:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc) (async)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r1}, 0x10)
r2 = bpf$BPF_BTF_LOAD(0x12, &(0x7f00000002c0)={&(0x7f00000003c0)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0xc, 0xc, 0x2, [@enum={0x0, 0x10}]}}, 0x0, 0x26}, 0x20)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000000)={0x6, 0x4, 0x4, 0x1, 0x80, 0x1, 0x0, '\x00', 0x0, r2, 0x0, 0x1}, 0x48)
sendmsg$NFT_BATCH(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000380)={{0x14}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x5, 0x0, 0x0, {0x1}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWCHAIN={0x40, 0x3, 0xa, 0x201, 0x0, 0x0, {0x1}, [@NFTA_CHAIN_NAME={0x9, 0x3, 'syz2\x00'}, @NFTA_CHAIN_HOOK={0x14, 0x4, 0x0, 0x1, [@NFTA_HOOK_PRIORITY={0x8}, @NFTA_HOOK_HOOKNUM={0x8}]}, @NFTA_CHAIN_TABLE={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWRULE={0x54, 0x6, 0xa, 0x401, 0x0, 0x0, {0x1}, [@NFTA_RULE_CHAIN_ID={0x8}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_EXPRESSIONS={0x2c, 0x4, 0x0, 0x1, [{0x28, 0x1, 0x0, 0x1, @fib={{0x8}, @val={0x1c, 0x2, 0x0, 0x1, [@NFTA_FIB_RESULT={0x8, 0x2, 0x1, 0x0, 0x3}, @NFTA_FIB_FLAGS={0x8, 0x3, 0x1, 0x0, 0x1}, @NFTA_FIB_DREG={0x8, 0x1, 0x1, 0x0, 0x14}]}}}]}]}], {0x14}}, 0xdc}}, 0x0)

[   83.275773][   T45] Bluetooth: hci0: command tx timeout
[   83.488415][ T5197] ==================================================================
[   83.493938][ T5197] BUG: KASAN: vmalloc-out-of-bounds in bpf_trace_run2+0x28c/0x840
[   83.497132][ T5197] Read of size 8 at addr ffffc900014a6040 by task dhcpcd/5197
[   83.500021][ T5197] 
[   83.501101][ T5197] CPU: 0 UID: 101 PID: 5197 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   83.501118][ T5197] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   83.501126][ T5197] Call Trace:
[   83.501134][ T5197]  <TASK>
[   83.501140][ T5197]  dump_stack_lvl+0xe8/0x150
[   83.501162][ T5197]  print_report+0xba/0x230
[   83.501175][ T5197]  ? bpf_trace_run2+0x28c/0x840
[   83.501192][ T5197]  kasan_report+0x117/0x150
[   83.501205][ T5197]  ? bpf_trace_run2+0x28c/0x840
[   83.501222][ T5197]  bpf_trace_run2+0x28c/0x840
[   83.501238][ T5197]  ? __queue_work+0x1a1/0x1020
[   83.501253][ T5197]  ? bpf_trace_run2+0x1c9/0x840
[   83.501268][ T5197]  ? __pfx_bpf_trace_run2+0x10/0x10
[   83.501283][ T5197]  ? seccomp_filter_release+0x22b/0x2d0
[   83.501297][ T5197]  ? seccomp_filter_release+0x22b/0x2d0
[   83.501308][ T5197]  ? seccomp_filter_release+0x22b/0x2d0
[   83.501320][ T5197]  kfree+0x5b2/0x630
[   83.501334][ T5197]  ? queue_work_on+0x159/0x1d0
[   83.501350][ T5197]  seccomp_filter_release+0x22b/0x2d0
[   83.501363][ T5197]  do_exit+0x3b0/0x23c0
[   83.501375][ T5197]  ? __pfx_do_exit+0x10/0x10
[   83.501386][ T5197]  ? do_raw_spin_lock+0x12b/0x2f0
[   83.501397][ T5197]  ? do_raw_spin_lock+0x12b/0x2f0
[   83.501410][ T5197]  do_group_exit+0x21b/0x2d0
[   83.501421][ T5197]  ? _raw_spin_unlock_irq+0x23/0x50
[   83.501500][ T5197]  get_signal+0x1284/0x1330
[   83.501518][ T5197]  arch_do_signal_or_restart+0xbc/0x830
[   83.501533][ T5197]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[   83.501556][ T5197]  exit_to_user_mode_loop+0x86/0x480
[   83.501569][ T5197]  ? rcu_is_watching+0x15/0xb0
[   83.501585][ T5197]  do_syscall_64+0x32d/0xf80
[   83.501598][ T5197]  ? trace_irq_disable+0x3b/0x150
[   83.501637][ T5197]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   83.501650][ T5197]  ? clear_bhb_loop+0x40/0x90
[   83.501662][ T5197]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   83.501674][ T5197] RIP: 0033:0x7f12cb9a1407
[   83.501685][ T5197] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[   83.501694][ T5197] RSP: 002b:00007ffd686640d0 EFLAGS: 00000202 ORIG_RAX: 000000000000010f
[   83.501707][ T5197] RAX: 0000000000000001 RBX: 00007f12cb917780 RCX: 00007f12cb9a1407
[   83.501715][ T5197] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 000055c73f87a380
[   83.501722][ T5197] RBP: 00007ffd68664410 R08: 0000000000000008 R09: 0000000000000000
[   83.501728][ T5197] R10: 00007ffd68664410 R11: 0000000000000202 R12: 000055c72af2c5e0
[   83.501735][ T5197] R13: 000055c73f86dd40 R14: 0000000000000000 R15: 00007ffd686641c0
[   83.501746][ T5197]  </TASK>
[   83.501750][ T5197] 
[   83.620872][ T5197] The buggy address belongs to a vmalloc virtual mapping
[   83.624500][ T5197] Memory state around the buggy address:
[   83.627133][ T5197]  ffffc900014a5f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   83.630429][ T5197]  ffffc900014a5f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   83.633743][ T5197] >ffffc900014a6000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   83.637636][ T5197]                                            ^
[   83.640556][ T5197]  ffffc900014a6080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   83.644052][ T5197]  ffffc900014a6100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[   83.647597][ T5197] ==================================================================