program:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004bc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r1}, 0x10)
r2 = socket$inet6_mptcp(0xa, 0x1, 0x106)
r3 = syz_open_dev$sg(&(0x7f00000001c0), 0x508d48d4, 0x40902)
ioctl$SCSI_IOCTL_SEND_COMMAND(r3, 0x1, &(0x7f0000000080)=ANY=[@ANYBLOB="0000000005000000a30c03a0"])
setsockopt$inet6_tcp_int(r0, 0x6, 0x1e, &(0x7f0000000180)=0x400000001, 0xc2)
setsockopt$inet6_tcp_int(r0, 0x6, 0x2000000000000022, &(0x7f0000000140)=0x1, 0x4)
connect$inet6(r2, &(0x7f0000000240)={0xa, 0x4e20, 0x0, @loopback, 0x23}, 0x1c)
sendto$inet6(r2, &(0x7f0000000280)="14", 0x1, 0x44810, 0x0, 0x0)

[   88.625555][   T45] Bluetooth: hci0: command tx timeout
[   88.841598][ T5317] program syz.0.0 is using a deprecated SCSI ioctl, please convert it to SG_IO
[   88.987533][ T5008] ==================================================================
[   88.991190][ T5008] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[   88.994783][ T5008] Read of size 8 at addr ffff888011846480 by task dhcpcd/5008
[   88.997966][ T5008] 
[   88.999102][ T5008] CPU: 0 UID: 101 PID: 5008 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   88.999131][ T5008] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   88.999138][ T5008] Call Trace:
[   88.999152][ T5008]  <TASK>
[   88.999169][ T5008]  dump_stack_lvl+0xe8/0x150
[   88.999220][ T5008]  print_report+0xba/0x230
[   88.999234][ T5008]  ? bpf_trace_run2+0x2c4/0x840
[   88.999260][ T5008]  kasan_report+0x117/0x150
[   88.999292][ T5008]  ? bpf_trace_run2+0x2c4/0x840
[   88.999308][ T5008]  bpf_trace_run2+0x2c4/0x840
[   88.999324][ T5008]  ? __queue_work+0x1a1/0x1020
[   88.999340][ T5008]  ? bpf_trace_run2+0x1c9/0x840
[   88.999354][ T5008]  ? __pfx_bpf_trace_run2+0x10/0x10
[   88.999375][ T5008]  ? seccomp_filter_release+0x22b/0x2d0
[   88.999388][ T5008]  ? seccomp_filter_release+0x22b/0x2d0
[   88.999399][ T5008]  ? seccomp_filter_release+0x22b/0x2d0
[   88.999410][ T5008]  kfree+0x5b2/0x630
[   88.999425][ T5008]  ? queue_work_on+0x159/0x1d0
[   88.999440][ T5008]  seccomp_filter_release+0x22b/0x2d0
[   88.999453][ T5008]  do_exit+0x338/0x2320
[   88.999467][ T5008]  ? __pfx_do_exit+0x10/0x10
[   88.999476][ T5008]  ? do_raw_spin_lock+0x12b/0x2f0
[   88.999490][ T5008]  ? _raw_spin_unlock_irq+0x23/0x50
[   88.999606][ T5008]  do_group_exit+0x21b/0x2d0
[   88.999618][ T5008]  __x64_sys_exit_group+0x3f/0x40
[   88.999629][ T5008]  x64_sys_call+0x221a/0x2240
[   88.999644][ T5008]  do_syscall_64+0x14d/0xf80
[   88.999660][ T5008]  ? trace_irq_disable+0x3b/0x150
[   88.999675][ T5008]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   88.999688][ T5008]  ? clear_bhb_loop+0x40/0x90
[   88.999700][ T5008]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   88.999711][ T5008] RIP: 0033:0x7f2a5d8b06c5
[   88.999735][ T5008] Code: ff ff ff 64 89 02 eb d2 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 8b 35 21 f7 0f 00 ba e7 00 00 00 eb 03 66 90 f4 89 d0 0f 05 <48> 3d 00 f0 ff ff 76 f3 f7 d8 64 89 06 eb ec 66 2e 0f 1f 84 00 00
[   88.999744][ T5008] RSP: 002b:00007ffd5b44c6a8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[   88.999772][ T5008] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2a5d8b06c5
[   88.999780][ T5008] RDX: 00000000000000e7 RSI: ffffffffffffff88 RDI: 0000000000000000
[   88.999787][ T5008] RBP: 00007ffd5b44ccb8 R08: 000056342b7342c0 R09: 0000000000000002
[   88.999794][ T5008] R10: 0000000000000020 R11: 0000000000000206 R12: 00007ffd5b44c6f0
[   88.999801][ T5008] R13: 000056342b7358a0 R14: 00007ffd5b44c930 R15: 00007ffd5b44c6e0
[   88.999813][ T5008]  </TASK>
[   88.999817][ T5008] 
[   89.105334][ T5008] Allocated by task 5317:
[   89.107284][ T5008]  kasan_save_track+0x3e/0x80
[   89.109412][ T5008]  __kasan_kmalloc+0x93/0xb0
[   89.111505][ T5008]  __kmalloc_cache_noprof+0x31c/0x660
[   89.113877][ T5008]  bpf_raw_tp_link_attach+0x278/0x700
[   89.116263][ T5008]  bpf_raw_tracepoint_open+0x1b2/0x220
[   89.118587][ T5008]  __sys_bpf+0x846/0x950
[   89.120602][ T5008]  __x64_sys_bpf+0x7c/0x90
[   89.122594][ T5008]  do_syscall_64+0x14d/0xf80
[   89.124615][ T5008]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   89.127163][ T5008] 
[   89.128250][ T5008] Freed by task 15:
[   89.130072][ T5008]  kasan_save_track+0x3e/0x80
[   89.132190][ T5008]  kasan_save_free_info+0x46/0x50
[   89.134423][ T5008]  __kasan_slab_free+0x5c/0x80
[   89.136504][ T5008]  kfree+0x1c1/0x630
[   89.138301][ T5008]  rcu_core+0x7cd/0x1070
[   89.140323][ T5008]  handle_softirqs+0x22a/0x870
[   89.142510][ T5008]  run_ksoftirqd+0x36/0x60
[   89.144445][ T5008]  smpboot_thread_fn+0x541/0xa50
[   89.146617][ T5008]  kthread+0x388/0x470
[   89.148428][ T5008]  ret_from_fork+0x51e/0xb90
[   89.150549][ T5008]  ret_from_fork_asm+0x1a/0x30
[   89.152637][ T5008] 
[   89.153704][ T5008] Last potentially related work creation:
[   89.156297][ T5008]  kasan_save_stack+0x3e/0x60
[   89.158622][ T5008]  kasan_record_aux_stack+0xbd/0xd0
[   89.160991][ T5008]  call_rcu+0xee/0x890
[   89.162813][ T5008]  bpf_link_release+0x6b/0x80
[   89.164867][ T5008]  __fput+0x44f/0xa70
[   89.166620][ T5008]  task_work_run+0x1d9/0x270
[   89.168664][ T5008]  exit_to_user_mode_loop+0xed/0x480
[   89.171065][ T5008]  do_syscall_64+0x32d/0xf80
[   89.173037][ T5008]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   89.175667][ T5008] 
[   89.176752][ T5008] The buggy address belongs to the object at ffff888011846400
[   89.176752][ T5008]  which belongs to the cache kmalloc-192 of size 192
[   89.182623][ T5008] The buggy address is located 128 bytes inside of
[   89.182623][ T5008]  freed 192-byte region [ffff888011846400, ffff8880118464c0)
[   89.188465][ T5008] 
[   89.189572][ T5008] The buggy address belongs to the physical page:
[   89.192520][ T5008] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11846
[   89.196205][ T5008] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   89.199148][ T5008] page_type: f5(slab)
[   89.200897][ T5008] raw: 00fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122
[   89.204571][ T5008] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   89.208329][ T5008] page dumped because: kasan: bad access detected
[   89.211136][ T5008] page_owner tracks the page as allocated
[   89.213510][ T5008] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5294, tgid 5294 (syz-executor), ts 83417379750, free_ts 81687935634
[   89.222150][ T5008]  post_alloc_hook+0x231/0x280
[   89.224199][ T5008]  get_page_from_freelist+0x24dc/0x2580
[   89.226546][ T5008]  __alloc_frozen_pages_noprof+0x18d/0x380
[   89.229097][ T5008]  allocate_slab+0x77/0x660
[   89.231241][ T5008]  refill_objects+0x331/0x3c0
[   89.233377][ T5008]  __pcs_replace_empty_main+0x2b9/0x620
[   89.235818][ T5008]  __kmalloc_cache_noprof+0x392/0x660
[   89.238126][ T5008]  netdevice_event+0x3cb/0x8f0
[   89.240368][ T5008]  notifier_call_chain+0x1be/0x400
[   89.242670][ T5008]  register_netdevice+0x173a/0x1cf0
[   89.244968][ T5008]  cfg80211_register_netdevice+0x138/0x2d0
[   89.247545][ T5008]  ieee80211_if_add+0xe87/0x13a0
[   89.249751][ T5008]  ieee80211_register_hw+0x36a3/0x4200
[   89.252281][ T5008]  mac80211_hwsim_new_radio+0x2f97/0x5330
[   89.254963][ T5008]  hwsim_new_radio_nl+0xf35/0x1bd0
[   89.257123][ T5008]  genl_family_rcv_msg_doit+0x22a/0x330
[   89.259496][ T5008] page last free pid 67 tgid 67 stack trace:
[   89.262122][ T5008]  free_unref_folios+0xed5/0x16d0
[   89.264286][ T5008]  shrink_folio_list+0x4a6b/0x5290
[   89.266544][ T5008]  evict_folios+0x4795/0x5880
[   89.268618][ T5008]  try_to_shrink_lruvec+0xb62/0xfa0
[   89.270932][ T5008]  shrink_one+0x25c/0x710
[   89.272880][ T5008]  shrink_node+0x3197/0x3a90
[   89.274891][ T5008]  kswapd+0x1742/0x2e10
[   89.276646][ T5008]  kthread+0x388/0x470
[   89.278470][ T5008]  ret_from_fork+0x51e/0xb90
[   89.280558][ T5008]  ret_from_fork_asm+0x1a/0x30
[   89.282710][ T5008] 
[   89.283734][ T5008] Memory state around the buggy address:
[   89.285885][ T5008]  ffff888011846380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   89.289096][ T5008]  ffff888011846400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   89.292384][ T5008] >ffff888011846480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   89.295409][ T5008]                    ^
[   89.297007][ T5008]  ffff888011846500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   89.300251][ T5008]  ffff888011846580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   89.303615][ T5008] ==================================================================