program:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000700)={&(0x7f0000000780)={{0x14}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x301, 0x0, 0x0, {0x1}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWCHAIN={0x4c, 0x3, 0xa, 0x201, 0x0, 0x0, {0x1}, [@NFTA_CHAIN_NAME={0x9, 0x3, 'syz2\x00'}, @NFTA_CHAIN_HOOK={0x14, 0x4, 0x0, 0x1, [@NFTA_HOOK_HOOKNUM={0x8, 0x1, 0x1, 0x0, 0x3}, @NFTA_HOOK_PRIORITY={0x8, 0x2, 0x1, 0x0, 0x378b5ec3}]}, @NFTA_CHAIN_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_CHAIN_TYPE={0xa, 0x7, 'route\x00'}]}, @NFT_MSG_NEWRULE={0x48, 0x6, 0xa, 0x401, 0x0, 0x0, {0x1}, [@NFTA_RULE_CHAIN_ID={0x8}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_EXPRESSIONS={0x20, 0x4, 0x0, 0x1, [{0x1c, 0x1, 0x0, 0x1, @queue={{0xa}, @val={0xc, 0x2, 0x0, 0x1, [@NFTA_QUEUE_NUM={0x6, 0x1, 0x1, 0x0, 0x17}]}}}]}]}], {0x14}}, 0xdc}}, 0x0)
r2 = socket$inet6_sctp(0xa, 0x1, 0x84)
sendto$inet6(r2, &(0x7f00000009c0)="01", 0x1, 0x4004, &(0x7f0000000240)={0xa, 0x4e23, 0x0, @loopback, 0x20}, 0x1c)

[  103.827997][ T5301] Bluetooth: hci0: command tx timeout
[  103.835684][   T54] cfg80211: failed to load regulatory.db
[  104.105873][ T5123] ==================================================================
[  104.110152][ T5123] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[  104.114073][ T5123] Read of size 8 at addr ffff8880388d7180 by task dhcpcd/5123
[  104.117442][ T5123] 
[  104.118548][ T5123] CPU: 0 UID: 101 PID: 5123 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[  104.118562][ T5123] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  104.118567][ T5123] Call Trace:
[  104.118575][ T5123]  <TASK>
[  104.118580][ T5123]  dump_stack_lvl+0xe8/0x150
[  104.118598][ T5123]  print_report+0xba/0x230
[  104.118611][ T5123]  ? bpf_trace_run2+0x2c4/0x840
[  104.118626][ T5123]  kasan_report+0x117/0x150
[  104.118638][ T5123]  ? bpf_trace_run2+0x2c4/0x840
[  104.118652][ T5123]  bpf_trace_run2+0x2c4/0x840
[  104.118668][ T5123]  ? __queue_work+0x1a1/0x1020
[  104.118682][ T5123]  ? bpf_trace_run2+0x1c9/0x840
[  104.118696][ T5123]  ? __pfx_bpf_trace_run2+0x10/0x10
[  104.118710][ T5123]  ? seccomp_filter_release+0x22b/0x2d0
[  104.118721][ T5123]  ? seccomp_filter_release+0x22b/0x2d0
[  104.118731][ T5123]  ? seccomp_filter_release+0x22b/0x2d0
[  104.118741][ T5123]  kfree+0x5b2/0x630
[  104.118754][ T5123]  ? queue_work_on+0x159/0x1d0
[  104.118766][ T5123]  seccomp_filter_release+0x22b/0x2d0
[  104.118779][ T5123]  do_exit+0x3b0/0x23c0
[  104.118788][ T5123]  ? fput_close_sync+0x11f/0x240
[  104.118801][ T5123]  ? __x64_sys_close+0x7e/0x110
[  104.118814][ T5123]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  104.118824][ T5123]  ? __pfx_do_exit+0x10/0x10
[  104.118834][ T5123]  ? do_raw_spin_lock+0x12b/0x2f0
[  104.118848][ T5123]  do_group_exit+0x21b/0x2d0
[  104.118859][ T5123]  ? _raw_spin_unlock_irq+0x23/0x50
[  104.118921][ T5123]  get_signal+0x1284/0x1330
[  104.118938][ T5123]  arch_do_signal_or_restart+0xbc/0x830
[  104.118951][ T5123]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[  104.118961][ T5123]  ? kmem_cache_free+0x439/0x630
[  104.118972][ T5123]  ? fput_close_sync+0x11f/0x240
[  104.118986][ T5123]  exit_to_user_mode_loop+0x86/0x480
[  104.118997][ T5123]  ? rcu_is_watching+0x15/0xb0
[  104.119013][ T5123]  do_syscall_64+0x32d/0xf80
[  104.119054][ T5123]  ? trace_irq_disable+0x3b/0x150
[  104.119063][ T5123]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  104.119073][ T5123]  ? clear_bhb_loop+0x40/0x90
[  104.119084][ T5123]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  104.119094][ T5123] RIP: 0033:0x7f43e900d407
[  104.119106][ T5123] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[  104.119115][ T5123] RSP: 002b:00007ffebcaa98b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[  104.119143][ T5123] RAX: 0000000000000000 RBX: 00007f43e8f83780 RCX: 00007f43e900d407
[  104.119151][ T5123] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[  104.119156][ T5123] RBP: 00007ffebcab9b50 R08: 0000000000000000 R09: 0000000000000000
[  104.119162][ T5123] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffebcab9b50
[  104.119168][ T5123] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  104.119178][ T5123]  </TASK>
[  104.119182][ T5123] 
[  104.251598][ T5123] Allocated by task 5323:
[  104.254052][ T5123]  kasan_save_track+0x3e/0x80
[  104.256224][ T5123]  __kasan_kmalloc+0x93/0xb0
[  104.258199][ T5123]  __kmalloc_cache_noprof+0x31c/0x660
[  104.260643][ T5123]  bpf_raw_tp_link_attach+0x278/0x700
[  104.263294][ T5123]  bpf_raw_tracepoint_open+0x1b2/0x220
[  104.266772][ T5123]  __sys_bpf+0x846/0x950
[  104.269331][ T5123]  __x64_sys_bpf+0x7c/0x90
[  104.271419][ T5123]  do_syscall_64+0x14d/0xf80
[  104.273816][ T5123]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  104.276716][ T5123] 
[  104.277812][ T5123] Freed by task 15:
[  104.279535][ T5123]  kasan_save_track+0x3e/0x80
[  104.281771][ T5123]  kasan_save_free_info+0x46/0x50
[  104.284896][ T5123]  __kasan_slab_free+0x5c/0x80
[  104.287305][ T5123]  kfree+0x1c1/0x630
[  104.289045][ T5123]  rcu_core+0x7cd/0x1070
[  104.291148][ T5123]  handle_softirqs+0x22a/0x870
[  104.293616][ T5123]  run_ksoftirqd+0x36/0x60
[  104.295976][ T5123]  smpboot_thread_fn+0x541/0xa50
[  104.298180][ T5123]  kthread+0x388/0x470
[  104.299988][ T5123]  ret_from_fork+0x51e/0xb90
[  104.302076][ T5123]  ret_from_fork_asm+0x1a/0x30
[  104.304198][ T5123] 
[  104.305273][ T5123] Last potentially related work creation:
[  104.307848][ T5123]  kasan_save_stack+0x3e/0x60
[  104.310192][ T5123]  kasan_record_aux_stack+0xbd/0xd0
[  104.313194][ T5123]  call_rcu+0xee/0x890
[  104.315367][ T5123]  bpf_link_release+0x6b/0x80
[  104.317495][ T5123]  __fput+0x44f/0xa70
[  104.319350][ T5123]  task_work_run+0x1d9/0x270
[  104.321386][ T5123]  exit_to_user_mode_loop+0xed/0x480
[  104.323949][ T5123]  do_syscall_64+0x32d/0xf80
[  104.326410][ T5123]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  104.329661][ T5123] 
[  104.330919][ T5123] The buggy address belongs to the object at ffff8880388d7100
[  104.330919][ T5123]  which belongs to the cache kmalloc-192 of size 192
[  104.336910][ T5123] The buggy address is located 128 bytes inside of
[  104.336910][ T5123]  freed 192-byte region [ffff8880388d7100, ffff8880388d71c0)
[  104.344627][ T5123] 
[  104.345906][ T5123] The buggy address belongs to the physical page:
[  104.348729][ T5123] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x388d7
[  104.352808][ T5123] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[  104.356136][ T5123] page_type: f5(slab)
[  104.357984][ T5123] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122
[  104.362273][ T5123] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[  104.367078][ T5123] page dumped because: kasan: bad access detected
[  104.370163][ T5123] page_owner tracks the page as allocated
[  104.372610][ T5123] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 27208917578, free_ts 27168724239
[  104.380781][ T5123]  post_alloc_hook+0x231/0x280
[  104.382938][ T5123]  get_page_from_freelist+0x24dc/0x2580
[  104.385776][ T5123]  __alloc_frozen_pages_noprof+0x18d/0x380
[  104.388900][ T5123]  allocate_slab+0x77/0x660
[  104.391109][ T5123]  refill_objects+0x331/0x3c0
[  104.393185][ T5123]  __pcs_replace_empty_main+0x2e6/0x730
[  104.395867][ T5123]  __kmalloc_cache_noprof+0x392/0x660
[  104.398351][ T5123]  call_usermodehelper_setup+0x8e/0x270
[  104.400835][ T5123]  kobject_uevent_env+0x658/0x9e0
[  104.403477][ T5123]  device_add+0x557/0xb70
[  104.405794][ T5123]  usb_set_configuration+0x1a87/0x2110
[  104.408454][ T5123]  usb_generic_driver_probe+0x8d/0x150
[  104.410797][ T5123]  usb_probe_device+0x1c4/0x3b0
[  104.412908][ T5123]  really_probe+0x267/0xaf0
[  104.415129][ T5123]  __driver_probe_device+0x18c/0x320
[  104.417953][ T5123]  driver_probe_device+0x4f/0x240
[  104.420932][ T5123] page last free pid 42 tgid 42 stack trace:
[  104.424039][ T5123]  __free_frozen_pages+0xc2b/0xdb0
[  104.426333][ T5123]  __kasan_populate_vmalloc+0x1b2/0x1d0
[  104.428829][ T5123]  alloc_vmap_area+0xd73/0x14b0
[  104.431209][ T5123]  __get_vm_area_node+0x1f8/0x300
[  104.433943][ T5123]  __vmalloc_node_range_noprof+0x372/0x1730
[  104.437127][ T5123]  __vmalloc_node_noprof+0xc2/0x100
[  104.439565][ T5123]  dup_task_struct+0x275/0x9a0
[  104.441798][ T5123]  copy_process+0x508/0x3cd0
[  104.444056][ T5123]  kernel_clone+0x248/0x8e0
[  104.446198][ T5123]  user_mode_thread+0x110/0x180
[  104.448628][ T5123]  call_usermodehelper_exec_work+0x5c/0x230
[  104.451550][ T5123]  process_scheduled_works+0xb6e/0x18c0
[  104.454927][ T5123]  worker_thread+0xa53/0xfc0
[  104.457368][ T5123]  kthread+0x388/0x470
[  104.459255][ T5123]  ret_from_fork+0x51e/0xb90
[  104.461378][ T5123]  ret_from_fork_asm+0x1a/0x30
[  104.463620][ T5123] 
[  104.464937][ T5123] Memory state around the buggy address:
[  104.468205][ T5123]  ffff8880388d7080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  104.472141][ T5123]  ffff8880388d7100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  104.475606][ T5123] >ffff8880388d7180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  104.478887][ T5123]                    ^
[  104.480544][ T5123]  ffff8880388d7200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  104.483794][ T5123]  ffff8880388d7280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[  104.487626][ T5123] ==================================================================