program:
# syzkaller reproducer (syzlang; '#' lines are comments). The KASAN report that
# follows it shows a slab-use-after-free in bpf_trace_run2 on the kmalloc-192
# object allocated by bpf_raw_tp_link_attach (the raw-tracepoint link created
# below): the link was released via __fput -> bpf_link_release -> call_rcu in
# one task and freed from rcu_core in the softirq path, while another task
# (dhcpcd, exiting through do_exit -> seccomp_filter_release -> kfree) still
# ran the attached program from the kfree tracepoint. Per-call triage notes
# follow; anything not visible in the report is marked as inference.

# BPF_PROG_LOAD (cmd 0x5): prog_type 0x11 (raw tracepoint), 5 instructions
# supplied as a raw byte blob, license "GPL". r0 = program fd.
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
# BPF_RAW_TRACEPOINT_OPEN (cmd 0x11): attach r0 to the "kfree" tracepoint.
# This is the allocation site in the "Allocated by" stack; the link object is
# torn down from __fput -> bpf_link_release ("Last potentially related work
# creation") and freed later by the RCU callback ("Freed by").
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10)
# capset with header version 0x20080522 (presumably _LINUX_CAPABILITY_VERSION_3);
# the capability data at 0x7f0000000500 is not shown here.
capset(&(0x7f00000004c0)={0x20080522}, &(0x7f0000000500))
# landlock_restrict_self with ruleset fd -1 and flags 0 — presumably fails
# (EBADF) and does not contribute to the crash; confirm against the kernel.
landlock_restrict_self(0xffffffffffffffff, 0x0)
# AF_NETLINK (0x10) / SOCK_RAW (0x3) / NETLINK_NETFILTER (0xc) socket for ipset.
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
# IPSET_CMD_CREATE: set "syz1" of type "hash:net,net", family 0xa (AF_INET6),
# with maxelem and timeout attributes. Not on any of the reported stacks.
sendmsg$IPSET_CMD_CREATE(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)={0x60, 0x2, 0x6, 0x201, 0x0, 0x0, {}, [@IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_TYPENAME={0x11, 0x3, 'hash:net,net\x00'}, @IPSET_ATTR_DATA={0x14, 0x7, 0x0, 0x1, [@IPSET_ATTR_MAXELEM={0x8}, @IPSET_ATTR_TIMEOUT={0x8, 0x6, 0x1, 0x0, 0x3}]}, @IPSET_ATTR_FAMILY={0x5, 0x5, 0xa}, @IPSET_ATTR_PROTOCOL={0x5, 0x1, 0x6}]}, 0x60}}, 0x0)
# IPSET_CMD_TEST sent on fd -1 (0xffffffffffffffff); expected to fail with
# EBADF, so likely irrelevant to the crash — kept verbatim for fidelity.
sendmsg$IPSET_CMD_TEST(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000000c0)=ANY=[@ANYBLOB="640000000906010800000000000000000600000505000100070000003c0007801800148014000240fc0000000000000000000000000000011800018014000240ff01000000000000000000000000000105000300070000000900020073797a31"], 0x64}}, 0x4800)
# Emulated USB device connect (ath9k variant); 0xcf3 / 0x9271 sit in the
# idVendor / idProduct positions of the device descriptor. Background
# activity only — it does not appear in the reported stacks.
syz_usb_connect_ath9k(0x3, 0x5a, &(0x7f0000000000)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0xcf3, 0x9271, 0x108, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x48}}]}}, 0x0)
[ 86.841957][ T4669] Bluetooth: hci0: command tx timeout
[ 87.091599][ T5014] ==================================================================
[ 87.097450][ T5014] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[ 87.101138][ T5014] Read of size 8 at addr ffff888032581c80 by task dhcpcd/5014
[ 87.104626][ T5014]
[ 87.105873][ T5014] CPU: 0 UID: 101 PID: 5014 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full)
[ 87.105891][ T5014] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 87.105898][ T5014] Call Trace:
[ 87.105907][ T5014]
[ 87.105915][ T5014] dump_stack_lvl+0xe8/0x150
[ 87.105938][ T5014] print_report+0xba/0x230
[ 87.105952][ T5014] ? bpf_trace_run2+0x2c4/0x840
[ 87.105968][ T5014] kasan_report+0x117/0x150
[ 87.105988][ T5014] ? bpf_trace_run2+0x2c4/0x840
[ 87.106004][ T5014] bpf_trace_run2+0x2c4/0x840
[ 87.106020][ T5014] ? __queue_work+0x1a1/0x1020
[ 87.106061][ T5014] ? bpf_trace_run2+0x1c9/0x840
[ 87.106077][ T5014] ? __pfx_bpf_trace_run2+0x10/0x10
[ 87.106093][ T5014] ? seccomp_filter_release+0x22b/0x2d0
[ 87.106110][ T5014] ? seccomp_filter_release+0x22b/0x2d0
[ 87.106122][ T5014] ? seccomp_filter_release+0x22b/0x2d0
[ 87.106135][ T5014] kfree+0x5b2/0x630
[ 87.106151][ T5014] ? queue_work_on+0x159/0x1d0
[ 87.106164][ T5014] seccomp_filter_release+0x22b/0x2d0
[ 87.106174][ T5014] do_exit+0x3b0/0x23c0
[ 87.106181][ T5014] ? do_pte_missing+0x24ee/0x3750
[ 87.106194][ T5014] ? __pfx_do_exit+0x10/0x10
[ 87.106205][ T5014] ? do_raw_spin_lock+0x12b/0x2f0
[ 87.106222][ T5014] do_group_exit+0x21b/0x2d0
[ 87.106234][ T5014] ? _raw_spin_unlock_irq+0x23/0x50
[ 87.106383][ T5014] get_signal+0x1284/0x1330
[ 87.106404][ T5014] arch_do_signal_or_restart+0xbc/0x830
[ 87.106419][ T5014] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 87.106435][ T5014] ? do_user_addr_fault+0xe5c/0x1340
[ 87.106454][ T5014] irqentry_exit+0x176/0x620
[ 87.106472][ T5014] ? trace_irq_disable+0x3b/0x150
[ 87.106491][ T5014] asm_exc_page_fault+0x26/0x30
[ 87.106504][ T5014] RIP: 0033:0x7f4cb33ff560
[ 87.106529][ T5014] Code: Unable to access opcode bytes at 0x7f4cb33ff536.
[ 87.106535][ T5014] RSP: 002b:00007ffd3ac85778 EFLAGS: 00010246
[ 87.106548][ T5014] RAX: 0000000000000022 RBX: 0000000000000021 RCX: 0000000000000000
[ 87.106556][ T5014] RDX: 0000000000000000 RSI: 00007f4cb355832e RDI: 00007f4cb3556c96
[ 87.106563][ T5014] RBP: 00007f4cb3556c96 R08: 0000000000000000 R09: 0000000000000005
[ 87.106571][ T5014] R10: 0000000000000000 R11: 0000000000000202 R12: 00007f4cb33c3780
[ 87.106578][ T5014] R13: 00005645ad29b534 R14: 00005645b96cb140 R15: 0000000000001397
[ 87.106591][ T5014]
[ 87.106595][ T5014]
[ 87.220782][ T5014] Allocated by task 5325:
[ 87.223211][ T5014] kasan_save_track+0x3e/0x80
[ 87.225483][ T5014] __kasan_kmalloc+0x93/0xb0
[ 87.227572][ T5014] __kmalloc_cache_noprof+0x31c/0x660
[ 87.230045][ T5014] bpf_raw_tp_link_attach+0x278/0x700
[ 87.232572][ T5014] bpf_raw_tracepoint_open+0x1b2/0x220
[ 87.235738][ T5014] __sys_bpf+0x846/0x950
[ 87.238118][ T5014] __x64_sys_bpf+0x7c/0x90
[ 87.240434][ T5014] do_syscall_64+0x14d/0xf80
[ 87.242588][ T5014] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 87.245335][ T5014]
[ 87.246472][ T5014] Freed by task 5302:
[ 87.248329][ T5014] kasan_save_track+0x3e/0x80
[ 87.250804][ T5014] kasan_save_free_info+0x46/0x50
[ 87.253415][ T5014] __kasan_slab_free+0x5c/0x80
[ 87.255912][ T5014] kfree+0x1c1/0x630
[ 87.257830][ T5014] rcu_core+0x7cd/0x1070
[ 87.260014][ T5014] handle_softirqs+0x22a/0x870
[ 87.262297][ T5014] __irq_exit_rcu+0x5f/0x150
[ 87.264476][ T5014] irq_exit_rcu+0x9/0x30
[ 87.266540][ T5014] sysvec_apic_timer_interrupt+0xa6/0xc0
[ 87.269765][ T5014] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 87.273124][ T5014]
[ 87.274295][ T5014] Last potentially related work creation:
[ 87.277106][ T5014] kasan_save_stack+0x3e/0x60
[ 87.279517][ T5014] kasan_record_aux_stack+0xbd/0xd0
[ 87.281945][ T5014] call_rcu+0xee/0x890
[ 87.283686][ T5014] bpf_link_release+0x6b/0x80
[ 87.286192][ T5014] __fput+0x44f/0xa70
[ 87.288740][ T5014] task_work_run+0x1d9/0x270
[ 87.291341][ T5014] exit_to_user_mode_loop+0xed/0x480
[ 87.293934][ T5014] do_syscall_64+0x32d/0xf80
[ 87.295928][ T5014] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 87.298270][ T5014]
[ 87.299392][ T5014] The buggy address belongs to the object at ffff888032581c00
[ 87.299392][ T5014] which belongs to the cache kmalloc-192 of size 192
[ 87.305605][ T5014] The buggy address is located 128 bytes inside of
[ 87.305605][ T5014] freed 192-byte region [ffff888032581c00, ffff888032581cc0)
[ 87.311879][ T5014]
[ 87.313013][ T5014] The buggy address belongs to the physical page:
[ 87.316002][ T5014] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x32581
[ 87.320240][ T5014] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 87.323540][ T5014] page_type: f5(slab)
[ 87.325472][ T5014] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122
[ 87.329327][ T5014] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[ 87.333344][ T5014] page dumped because: kasan: bad access detected
[ 87.336359][ T5014] page_owner tracks the page as allocated
[ 87.339212][ T5014] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 9043298126, free_ts 9042018474
[ 87.348410][ T5014] post_alloc_hook+0x231/0x280
[ 87.350622][ T5014] get_page_from_freelist+0x24dc/0x2580
[ 87.353241][ T5014] __alloc_frozen_pages_noprof+0x18d/0x380
[ 87.355883][ T5014] allocate_slab+0x77/0x660
[ 87.358068][ T5014] refill_objects+0x331/0x3c0
[ 87.360480][ T5014] __pcs_replace_empty_main+0x2f9/0x5e0
[ 87.363424][ T5014] __kmalloc_cache_noprof+0x392/0x660
[ 87.366212][ T5014] call_usermodehelper_setup+0x8e/0x270
[ 87.368826][ T5014] kobject_uevent_env+0x658/0x9e0
[ 87.371040][ T5014] driver_register+0x2d4/0x320
[ 87.373357][ T5014] acpi_video_register+0x47/0x90
[ 87.375865][ T5014] do_one_initcall+0x250/0x8d0
[ 87.378105][ T5014] do_initcall_level+0x104/0x190
[ 87.380510][ T5014] do_initcalls+0x59/0xa0
[ 87.382498][ T5014] kernel_init_freeable+0x2a6/0x3e0
[ 87.384611][ T5014] kernel_init+0x1d/0x1d0
[ 87.386544][ T5014] page last free pid 53 tgid 53 stack trace:
[ 87.389300][ T5014] __free_frozen_pages+0xc2b/0xdb0
[ 87.391652][ T5014] vfree+0x25a/0x400
[ 87.393465][ T5014] delayed_vfree_work+0x55/0x80
[ 87.396009][ T5014] process_scheduled_works+0xb02/0x1830
[ 87.398968][ T5014] worker_thread+0xa50/0xfc0
[ 87.401130][ T5014] kthread+0x388/0x470
[ 87.402893][ T5014] ret_from_fork+0x51e/0xb90
[ 87.405055][ T5014] ret_from_fork_asm+0x1a/0x30
[ 87.407194][ T5014]
[ 87.408427][ T5014] Memory state around the buggy address:
[ 87.411124][ T5014] ffff888032581b80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 87.415554][ T5014] ffff888032581c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 87.419601][ T5014] >ffff888032581c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 87.423105][ T5014] ^
[ 87.425030][ T5014] ffff888032581d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 87.429390][ T5014] ffff888032581d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 87.433741][ T5014] ==================================================================
[ 87.533628][ T5014] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 87.536995][ T5014] CPU: 0 UID: 101 PID: 5014 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full)
[ 87.541871][ T5014] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 87.546885][ T5014] Call Trace:
[ 87.548353][ T5014]
[ 87.549671][ T5014] vpanic+0x56c/0xa60
[ 87.551430][ T5014] ? __pfx_vpanic+0x10/0x10
[ 87.553409][ T5014] panic+0xc5/0xd0
[ 87.555228][ T5014] ? __pfx_panic+0x10/0x10
[ 87.557460][ T5014] ? preempt_schedule_thunk+0x16/0x30
[ 87.560077][ T5014] ? bpf_trace_run2+0x2c4/0x840
[ 87.562674][ T5014] ? preempt_schedule_thunk+0x16/0x30
[ 87.565794][ T5014] ? bpf_trace_run2+0x2c4/0x840
[ 87.568372][ T5014] check_panic_on_warn+0x89/0xb0
[ 87.570594][ T5014] ? bpf_trace_run2+0x2c4/0x840
[ 87.572839][ T5014] end_report+0x73/0x180
[ 87.574854][ T5014] ? bpf_trace_run2+0x2c4/0x840
[ 87.577109][ T5014] kasan_report+0x128/0x150
[ 87.579473][ T5014] ? bpf_trace_run2+0x2c4/0x840
[ 87.582116][ T5014] bpf_trace_run2+0x2c4/0x840
[ 87.584646][ T5014] ? __queue_work+0x1a1/0x1020
[ 87.586806][ T5014] ? bpf_trace_run2+0x1c9/0x840
[ 87.589415][ T5014] ? __pfx_bpf_trace_run2+0x10/0x10
[ 87.592449][ T5014] ? seccomp_filter_release+0x22b/0x2d0
[ 87.595604][ T5014] ? seccomp_filter_release+0x22b/0x2d0
[ 87.599069][ T5014] ? seccomp_filter_release+0x22b/0x2d0
[ 87.602086][ T5014] kfree+0x5b2/0x630
[ 87.603988][ T5014] ? queue_work_on+0x159/0x1d0
[ 87.606210][ T5014] seccomp_filter_release+0x22b/0x2d0
[ 87.608816][ T5014] do_exit+0x3b0/0x23c0
[ 87.610871][ T5014] ? do_pte_missing+0x24ee/0x3750
[ 87.613361][ T5014] ? __pfx_do_exit+0x10/0x10
[ 87.615770][ T5014] ? do_raw_spin_lock+0x12b/0x2f0
[ 87.618355][ T5014] do_group_exit+0x21b/0x2d0
[ 87.621054][ T5014] ? _raw_spin_unlock_irq+0x23/0x50
[ 87.623797][ T5014] get_signal+0x1284/0x1330
[ 87.626053][ T5014] arch_do_signal_or_restart+0xbc/0x830
[ 87.628696][ T5014] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 87.631588][ T5014] ? do_user_addr_fault+0xe5c/0x1340
[ 87.634120][ T5014] irqentry_exit+0x176/0x620
[ 87.636315][ T5014] ? trace_irq_disable+0x3b/0x150
[ 87.638723][ T5014] asm_exc_page_fault+0x26/0x30
[ 87.641221][ T5014] RIP: 0033:0x7f4cb33ff560
[ 87.643590][ T5014] Code: Unable to access opcode bytes at 0x7f4cb33ff536.
[ 87.646822][ T5014] RSP: 002b:00007ffd3ac85778 EFLAGS: 00010246
[ 87.649801][ T5014] RAX: 0000000000000022 RBX: 0000000000000021 RCX: 0000000000000000
[ 87.654136][ T5014] RDX: 0000000000000000 RSI: 00007f4cb355832e RDI: 00007f4cb3556c96
[ 87.658306][ T5014] RBP: 00007f4cb3556c96 R08: 0000000000000000 R09: 0000000000000005
[ 87.662077][ T5014] R10: 0000000000000000 R11: 0000000000000202 R12: 00007f4cb33c3780
[ 87.665764][ T5014] R13: 00005645ad29b534 R14: 00005645b96cb140 R15: 0000000000001397
[ 87.669455][ T5014]
[ 87.671552][ T5014] Kernel Offset: disabled
[ 87.674435][ T5014] Rebooting in 86400 seconds..