# syzkaller reproducer (syz program format), followed by the kernel console
# log captured while it ran.
#
# Triage summary, taken from the KASAN report that follows the program:
#   - slab-use-after-free, 8-byte read in bpf_trace_run2, reached through
#     kfree() <- seccomp_filter_release() <- do_exit() in task dhcpcd/5015.
#   - The object is a kmalloc-192 allocation made in bpf_raw_tp_link_attach
#     (task 5326); the read is 128 bytes into it.
#   - It was freed from rcu_core; the recorded work creation is call_rcu()
#     from bpf_link_release() on __fput.
# NOTE(review): the faulting task is dhcpcd, not the fuzzer process. That is
# consistent with a program attached to the 'kfree' tracepoint running in any
# task that frees memory. The area to review is the lifetime of the raw
# tracepoint link versus in-flight tracepoint callers; confirm against the
# kernel source for the tested tree.
program:
# AF_INET6 (0xa) / SOCK_STREAM (0x1) socket.
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
# bpf() command 0x5 with prog type 0x11: loads a 5-instruction (insn_cnt 0x5)
# raw-tracepoint program under the 'GPL' license string.
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004bc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80)
# Attaches r1 to the raw tracepoint named 'kfree'. The returned fd is not
# bound to a variable. This call matches the "Allocated by" stack in the
# report (bpf_raw_tracepoint_open -> bpf_raw_tp_link_attach).
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r1}, 0x10)
close(r0)
# Protocol 0x106 selects MPTCP on an AF_INET6 stream socket.
r2 = socket$inet6_mptcp(0xa, 0x1, 0x106)
# NOTE(review): r0 was closed above; presumably its fd number is reused by r2,
# so these level-0x6 options land on the MPTCP socket. Confirm.
setsockopt$inet6_tcp_int(r0, 0x6, 0x1e, &(0x7f0000000180)=0x400000001, 0xc2)
setsockopt$inet6_tcp_int(r0, 0x6, 0x2000000000000022, &(0x7f0000000140)=0x1, 0x4)
# Connect and send one byte to the IPv6 loopback address, port 0x4e20.
connect$inet6(r2, &(0x7f0000000240)={0xa, 0x4e20, 0x0, @loopback, 0x23}, 0x1c)
sendto$inet6(r2, &(0x7f0000000280)="14", 0x1, 0x44810, 0x0, 0x0)
# NOTE(review): no frame in the report that follows references the netlink,
# nftables, 9p, UBI or clock_adjtime paths exercised from here on; these calls
# may be incidental to the crash. Confirm with a minimized reproducer.
# Several of them target fd 0xffffffffffffffff (-1).
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000b00)=ANY=[@ANYBLOB="2c0000003f000701ddffffff00000000037c0000180037801300030071747228"], 0x2c}}, 0x0)
mprotect(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x4)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
clock_adjtime(0x0, &(0x7f0000000000)={0x8003ff, 0x0, 0x23e650d3, 0x6, 0x0, 0x0, 0x0, 0x0, 0x1, 0xffffffff967ba128, 0xf423f, 0xfffffffffffffffd, 0x9, 0x6, 0x0, 0xfffffffffffffffd, 0x3, 0x0, 0x1000, 0x8, 0x2, 0x3, 0x0, 0x1})
pipe2$9p(&(0x7f0000000340)={0xffffffffffffffff, 0xffffffffffffffff}, 0x80880)
# r4 is used here but is never assigned anywhere in this listing.
write$P9_RCLUNK(r4, &(0x7f0000000300)={0x7, 0x79, 0x1}, 0x7)
sendmsg$nl_generic(r3, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0xc004}, 0xc000)
r5 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
pipe(&(0x7f0000000080))
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000400)={{0x14}, [@NFT_MSG_DELSETELEM={0x14, 0xe, 0xa, 0x801, 0x0, 0x0, {0x3, 0x0, 0x1}}, @NFT_MSG_DELSETELEM={0x2c, 0xe, 0xa, 0x201, 0x0, 0x0, {0x1, 0x0, 0x9}, [@NFTA_SET_ELEM_LIST_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_SET_ELEM_LIST_SET={0x9, 0x2, 'syz2\x00'}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x3}}}, 0x68}}, 0x4000040)
ioctl$FS_IOC_SETFLAGS(r5, 0x40186f40, &(0x7f0000000440)=0x1f)
[ 101.844656][ T5303] Bluetooth: hci0: command tx timeout [ 102.121426][ T5015] ================================================================== [ 102.124970][ T5015] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840 [ 102.129192][ T5015] Read of size 8 at addr ffff88803874f380 by task dhcpcd/5015 [ 102.133037][ T5015] [ 102.134102][ T5015] CPU: 0 UID: 101 PID: 5015 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) [ 102.134118][ T5015] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 102.134125][ T5015] Call Trace: [ 102.134133][ T5015] [ 102.134140][ T5015] dump_stack_lvl+0xe8/0x150 [ 102.134160][ T5015] print_report+0xba/0x230 [ 102.134174][ T5015] ? bpf_trace_run2+0x2c4/0x840 [ 102.134190][ T5015] kasan_report+0x117/0x150 [ 102.134203][ T5015] ? bpf_trace_run2+0x2c4/0x840 [ 102.134218][ T5015] bpf_trace_run2+0x2c4/0x840 [ 102.134233][ T5015] ? __queue_work+0x1a1/0x1020 [ 102.134248][ T5015] ? bpf_trace_run2+0x1c9/0x840 [ 102.134262][ T5015] ? __pfx_bpf_trace_run2+0x10/0x10 [ 102.134276][ T5015] ? seccomp_filter_release+0x22b/0x2d0 [ 102.134287][ T5015] ? seccomp_filter_release+0x22b/0x2d0 [ 102.134294][ T5015] ? seccomp_filter_release+0x22b/0x2d0 [ 102.134301][ T5015] kfree+0x5b2/0x630 [ 102.134311][ T5015] ? queue_work_on+0x159/0x1d0 [ 102.134321][ T5015] seccomp_filter_release+0x22b/0x2d0 [ 102.134328][ T5015] do_exit+0x3b0/0x23c0 [ 102.134337][ T5015] ? __pfx_do_exit+0x10/0x10 [ 102.134343][ T5015] ? do_raw_spin_lock+0x12b/0x2f0 [ 102.134355][ T5015] ? _raw_spin_unlock_irq+0x23/0x50 [ 102.134509][ T5015] do_group_exit+0x21b/0x2d0 [ 102.134520][ T5015] __x64_sys_exit_group+0x3f/0x40 [ 102.134531][ T5015] x64_sys_call+0x221a/0x2240 [ 102.134545][ T5015] do_syscall_64+0x14d/0xf80 [ 102.134559][ T5015] ? trace_irq_disable+0x3b/0x150 [ 102.134569][ T5015] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 102.134579][ T5015] ? 
clear_bhb_loop+0x40/0x90 [ 102.134591][ T5015] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 102.134598][ T5015] RIP: 0033:0x7fc01b9fc6c5 [ 102.134607][ T5015] Code: ff ff ff 64 89 02 eb d2 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 8b 35 21 f7 0f 00 ba e7 00 00 00 eb 03 66 90 f4 89 d0 0f 05 <48> 3d 00 f0 ff ff 76 f3 f7 d8 64 89 06 eb ec 66 2e 0f 1f 84 00 00 [ 102.134613][ T5015] RSP: 002b:00007ffecc5cd4b8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7 [ 102.134625][ T5015] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc01b9fc6c5 [ 102.134632][ T5015] RDX: 00000000000000e7 RSI: ffffffffffffff88 RDI: 0000000000000000 [ 102.134639][ T5015] RBP: 00007ffecc5cdac8 R08: 0000557af6e5c2c0 R09: 0000000000000002 [ 102.134645][ T5015] R10: 0000000000000020 R11: 0000000000000206 R12: 00007ffecc5cd500 [ 102.134651][ T5015] R13: 0000557af6e5d8a0 R14: 00007ffecc5cd740 R15: 00007ffecc5cd4f0 [ 102.134663][ T5015] [ 102.134667][ T5015] [ 102.247316][ T5015] Allocated by task 5326: [ 102.249451][ T5015] kasan_save_track+0x3e/0x80 [ 102.251745][ T5015] __kasan_kmalloc+0x93/0xb0 [ 102.253820][ T5015] __kmalloc_cache_noprof+0x31c/0x660 [ 102.255989][ T5015] bpf_raw_tp_link_attach+0x278/0x700 [ 102.258321][ T5015] bpf_raw_tracepoint_open+0x1b2/0x220 [ 102.260921][ T5015] __sys_bpf+0x846/0x950 [ 102.263095][ T5015] __x64_sys_bpf+0x7c/0x90 [ 102.265275][ T5015] do_syscall_64+0x14d/0xf80 [ 102.267262][ T5015] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 102.269769][ T5015] [ 102.270924][ T5015] Freed by task 15: [ 102.272774][ T5015] kasan_save_track+0x3e/0x80 [ 102.275616][ T5015] kasan_save_free_info+0x46/0x50 [ 102.278172][ T5015] __kasan_slab_free+0x5c/0x80 [ 102.280388][ T5015] kfree+0x1c1/0x630 [ 102.282238][ T5015] rcu_core+0x7cd/0x1070 [ 102.284187][ T5015] handle_softirqs+0x22a/0x870 [ 102.286413][ T5015] run_ksoftirqd+0x36/0x60 [ 102.288522][ T5015] smpboot_thread_fn+0x541/0xa50 [ 102.291038][ T5015] kthread+0x388/0x470 [ 102.293057][ T5015] ret_from_fork+0x51e/0xb90 [ 
102.295337][ T5015] ret_from_fork_asm+0x1a/0x30 [ 102.297568][ T5015] [ 102.299142][ T5015] Last potentially related work creation: [ 102.302935][ T5015] kasan_save_stack+0x3e/0x60 [ 102.305821][ T5015] kasan_record_aux_stack+0xbd/0xd0 [ 102.308447][ T5015] call_rcu+0xee/0x890 [ 102.310329][ T5015] bpf_link_release+0x6b/0x80 [ 102.312132][ T5015] __fput+0x44f/0xa70 [ 102.313987][ T5015] task_work_run+0x1d9/0x270 [ 102.316924][ T5015] exit_to_user_mode_loop+0xed/0x480 [ 102.319874][ T5015] do_syscall_64+0x32d/0xf80 [ 102.321932][ T5015] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 102.324513][ T5015] [ 102.325560][ T5015] The buggy address belongs to the object at ffff88803874f300 [ 102.325560][ T5015] which belongs to the cache kmalloc-192 of size 192 [ 102.331486][ T5015] The buggy address is located 128 bytes inside of [ 102.331486][ T5015] freed 192-byte region [ffff88803874f300, ffff88803874f3c0) [ 102.338747][ T5015] [ 102.340012][ T5015] The buggy address belongs to the physical page: [ 102.342822][ T5015] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3874f [ 102.346589][ T5015] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 102.350313][ T5015] page_type: f5(slab) [ 102.352787][ T5015] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122 [ 102.357004][ T5015] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000 [ 102.360825][ T5015] page dumped because: kasan: bad access detected [ 102.363791][ T5015] page_owner tracks the page as allocated [ 102.367112][ T5015] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 790, tgid 790 (kworker/0:2), ts 20949421794, free_ts 20944766812 [ 102.375812][ T5015] post_alloc_hook+0x231/0x280 [ 102.378212][ T5015] get_page_from_freelist+0x24dc/0x2580 [ 102.381053][ T5015] __alloc_frozen_pages_noprof+0x18d/0x380 [ 102.383728][ T5015] allocate_slab+0x77/0x660 [ 
102.385830][ T5015] refill_objects+0x331/0x3c0 [ 102.388042][ T5015] __pcs_replace_empty_main+0x2e6/0x730 [ 102.390699][ T5015] __kmalloc_noprof+0x474/0x760 [ 102.393070][ T5015] usb_alloc_urb+0x46/0x150 [ 102.395129][ T5015] usb_control_msg+0x118/0x3e0 [ 102.396966][ T5015] hub_ext_port_status+0x116/0x820 [ 102.399213][ T5015] hub_activate+0x6eb/0x1a80 [ 102.401514][ T5015] process_scheduled_works+0xb6e/0x18c0 [ 102.404896][ T5015] worker_thread+0xa53/0xfc0 [ 102.407488][ T5015] kthread+0x388/0x470 [ 102.409280][ T5015] ret_from_fork+0x51e/0xb90 [ 102.411276][ T5015] ret_from_fork_asm+0x1a/0x30 [ 102.413335][ T5015] page last free pid 790 tgid 790 stack trace: [ 102.416170][ T5015] __free_frozen_pages+0xc2b/0xdb0 [ 102.419006][ T5015] vfree+0x25a/0x400 [ 102.421229][ T5015] delayed_vfree_work+0x55/0x80 [ 102.423557][ T5015] process_scheduled_works+0xb6e/0x18c0 [ 102.426123][ T5015] worker_thread+0xa53/0xfc0 [ 102.428413][ T5015] kthread+0x388/0x470 [ 102.430691][ T5015] ret_from_fork+0x51e/0xb90 [ 102.433573][ T5015] ret_from_fork_asm+0x1a/0x30 [ 102.436468][ T5015] [ 102.437906][ T5015] Memory state around the buggy address: [ 102.440769][ T5015] ffff88803874f280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 102.444787][ T5015] ffff88803874f300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 102.448509][ T5015] >ffff88803874f380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 102.451951][ T5015] ^ [ 102.454041][ T5015] ffff88803874f400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 102.457999][ T5015] ffff88803874f480: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 102.461378][ T5015] ==================================================================