program:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r0, &(0x7f00000002c0)={0x2, 0x4e21}, 0x10)
connect$inet(r0, &(0x7f0000000180)={0x2, 0x4e21}, 0x10)
shutdown(r0, 0x2)
r1 = syz_open_procfs(0x0, &(0x7f0000000080)='net/tcp\x00')
read$FUSE(r1, &(0x7f0000005fc0)={0x2020}, 0x2020)
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0)
syz_mount_image$fuse(0x0, &(0x7f0000000140)='./bus\x00', 0x100688d, 0x0, 0x0, 0x0, 0x0)
mount$overlay(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000b80), 0x0, &(0x7f0000000200)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}], [{@smackfstransmute={'smackfstransmute', 0x3d, '}){'}}]})
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./file1\x00', 0x2000000, 0x0, 0x0, 0x0, 0x0)
unlinkat(0xffffffffffffff9c, &(0x7f00000001c0)='./file0/file1\x00', 0x200)
umount2(&(0x7f00000002c0)='./file0\x00', 0x9)
mount$overlay(0x0, &(0x7f0000000580)='./file0\x00', &(0x7f0000000b80), 0x4008, &(0x7f0000000440)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file0'}}]})
r2 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004bc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r2}, 0x10)
r3 = userfaultfd(0x80001)
setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f0000000240)='veth1_macvtap\x00', 0x10)
ioctl$UFFDIO_API(r3, 0xc018aa3f, &(0x7f00000000c0))
ioctl$UFFDIO_REGISTER(r3, 0xc020aa00, &(0x7f0000000080)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x2})
ioctl$UFFDIO_COPY(r3, 0xc028aa05, &(0x7f0000000180)={&(0x7f00002b9000/0x400000)=nil, &(0x7f00003ab000/0x2000)=nil, 0x400000, 0x2, 0x2})
creat(&(0x7f0000000040)='./file0/file1\x00', 0x8)
symlink(&(0x7f0000000080)='.\x00', &(0x7f0000000180)='./bus\x00')

[   84.575120][ T5304] Bluetooth: hci0: command tx timeout
[   84.672208][ T5328] overlay: Unknown parameter 'smackfstransmute'
[   84.877883][ T5179] ==================================================================
[   84.881824][ T5179] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[   84.885264][ T5179] Read of size 8 at addr ffff8880388df680 by task dhcpcd/5179
[   84.888771][ T5179] 
[   84.890091][ T5179] CPU: 0 UID: 101 PID: 5179 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   84.890108][ T5179] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   84.890117][ T5179] Call Trace:
[   84.890127][ T5179]  <TASK>
[   84.890135][ T5179]  dump_stack_lvl+0xe8/0x150
[   84.890158][ T5179]  print_report+0xba/0x230
[   84.890174][ T5179]  ? bpf_trace_run2+0x2c4/0x840
[   84.890195][ T5179]  kasan_report+0x117/0x150
[   84.890212][ T5179]  ? bpf_trace_run2+0x2c4/0x840
[   84.890235][ T5179]  bpf_trace_run2+0x2c4/0x840
[   84.890254][ T5179]  ? __queue_work+0x1a1/0x1020
[   84.890271][ T5179]  ? bpf_trace_run2+0x1c9/0x840
[   84.890292][ T5179]  ? __pfx_bpf_trace_run2+0x10/0x10
[   84.890310][ T5179]  ? seccomp_filter_release+0x22b/0x2d0
[   84.890333][ T5179]  ? seccomp_filter_release+0x22b/0x2d0
[   84.890346][ T5179]  ? seccomp_filter_release+0x22b/0x2d0
[   84.890361][ T5179]  kfree+0x5b2/0x630
[   84.890379][ T5179]  ? queue_work_on+0x159/0x1d0
[   84.890399][ T5179]  seccomp_filter_release+0x22b/0x2d0
[   84.890416][ T5179]  do_exit+0x3b0/0x23c0
[   84.890429][ T5179]  ? fput_close_sync+0x11f/0x240
[   84.890447][ T5179]  ? __x64_sys_close+0x7e/0x110
[   84.890465][ T5179]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.890482][ T5179]  ? __pfx_do_exit+0x10/0x10
[   84.890496][ T5179]  ? do_raw_spin_lock+0x12b/0x2f0
[   84.890513][ T5179]  do_group_exit+0x21b/0x2d0
[   84.890527][ T5179]  ? _raw_spin_unlock_irq+0x23/0x50
[   84.890680][ T5179]  get_signal+0x1284/0x1330
[   84.890704][ T5179]  arch_do_signal_or_restart+0xbc/0x830
[   84.890723][ T5179]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[   84.890738][ T5179]  ? kmem_cache_free+0x439/0x630
[   84.890753][ T5179]  ? fput_close_sync+0x11f/0x240
[   84.890774][ T5179]  exit_to_user_mode_loop+0x86/0x480
[   84.890790][ T5179]  ? rcu_is_watching+0x15/0xb0
[   84.890811][ T5179]  do_syscall_64+0x32d/0xf80
[   84.890829][ T5179]  ? trace_irq_disable+0x3b/0x150
[   84.890840][ T5179]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.890853][ T5179]  ? clear_bhb_loop+0x40/0x90
[   84.890869][ T5179]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.890883][ T5179] RIP: 0033:0x7f366598f407
[   84.890897][ T5179] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[   84.890909][ T5179] RSP: 002b:00007ffe0fedc5d0 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[   84.890925][ T5179] RAX: 0000000000000000 RBX: 00007f3665905780 RCX: 00007f366598f407
[   84.890935][ T5179] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000016
[   84.890943][ T5179] RBP: 00007ffe0feec870 R08: 0000000000000000 R09: 0000000000000000
[   84.890951][ T5179] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffe0feec870
[   84.890960][ T5179] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   84.890973][ T5179]  </TASK>
[   84.890978][ T5179] 
[   85.026599][ T5179] Allocated by task 5328:
[   85.028613][ T5179]  kasan_save_track+0x3e/0x80
[   85.030773][ T5179]  __kasan_kmalloc+0x93/0xb0
[   85.032931][ T5179]  __kmalloc_cache_noprof+0x31c/0x660
[   85.035496][ T5179]  bpf_raw_tp_link_attach+0x278/0x700
[   85.038188][ T5179]  bpf_raw_tracepoint_open+0x1b2/0x220
[   85.041190][ T5179]  __sys_bpf+0x846/0x950
[   85.043291][ T5179]  __x64_sys_bpf+0x7c/0x90
[   85.045455][ T5179]  do_syscall_64+0x14d/0xf80
[   85.047505][ T5179]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.050299][ T5179] 
[   85.051638][ T5179] Freed by task 15:
[   85.053878][ T5179]  kasan_save_track+0x3e/0x80
[   85.056612][ T5179]  kasan_save_free_info+0x46/0x50
[   85.059035][ T5179]  __kasan_slab_free+0x5c/0x80
[   85.061298][ T5179]  kfree+0x1c1/0x630
[   85.063001][ T5179]  rcu_core+0x7cd/0x1070
[   85.065044][ T5179]  handle_softirqs+0x22a/0x870
[   85.067349][ T5179]  run_ksoftirqd+0x36/0x60
[   85.069791][ T5179]  smpboot_thread_fn+0x541/0xa50
[   85.072537][ T5179]  kthread+0x388/0x470
[   85.074401][ T5179]  ret_from_fork+0x51e/0xb90
[   85.076409][ T5179]  ret_from_fork_asm+0x1a/0x30
[   85.078641][ T5179] 
[   85.079814][ T5179] Last potentially related work creation:
[   85.082729][ T5179]  kasan_save_stack+0x3e/0x60
[   85.085128][ T5179]  kasan_record_aux_stack+0xbd/0xd0
[   85.087451][ T5179]  call_rcu+0xee/0x890
[   85.089409][ T5179]  bpf_link_release+0x6b/0x80
[   85.091869][ T5179]  __fput+0x44f/0xa70
[   85.094180][ T5179]  task_work_run+0x1d9/0x270
[   85.096744][ T5179]  exit_to_user_mode_loop+0xed/0x480
[   85.099090][ T5179]  do_syscall_64+0x32d/0xf80
[   85.101217][ T5179]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.103982][ T5179] 
[   85.105250][ T5179] The buggy address belongs to the object at ffff8880388df600
[   85.105250][ T5179]  which belongs to the cache kmalloc-192 of size 192
[   85.112276][ T5179] The buggy address is located 128 bytes inside of
[   85.112276][ T5179]  freed 192-byte region [ffff8880388df600, ffff8880388df6c0)
[   85.118308][ T5179] 
[   85.119402][ T5179] The buggy address belongs to the physical page:
[   85.122526][ T5179] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x388df
[   85.126616][ T5179] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   85.129848][ T5179] page_type: f5(slab)
[   85.131653][ T5179] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122
[   85.136073][ T5179] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[   85.140226][ T5179] page dumped because: kasan: bad access detected
[   85.142976][ T5179] page_owner tracks the page as allocated
[   85.145625][ T5179] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 21534889903, free_ts 21533786496
[   85.155117][ T5179]  post_alloc_hook+0x231/0x280
[   85.157295][ T5179]  get_page_from_freelist+0x24dc/0x2580
[   85.160233][ T5179]  __alloc_frozen_pages_noprof+0x18d/0x380
[   85.163730][ T5179]  allocate_slab+0x77/0x660
[   85.166069][ T5179]  refill_objects+0x331/0x3c0
[   85.168192][ T5179]  __pcs_replace_empty_main+0x2e6/0x730
[   85.170564][ T5179]  __kmalloc_cache_noprof+0x392/0x660
[   85.173043][ T5179]  call_usermodehelper_setup+0x8e/0x270
[   85.175581][ T5179]  kobject_uevent_env+0x658/0x9e0
[   85.178057][ T5179]  device_add+0x557/0xb70
[   85.180541][ T5179]  platform_device_add+0x46a/0x800
[   85.183300][ T5179]  platform_device_register_full+0x46c/0x570
[   85.186145][ T5179]  vhci_hcd_init+0x226/0x370
[   85.188390][ T5179]  do_one_initcall+0x250/0x8d0
[   85.190624][ T5179]  do_initcall_level+0x104/0x190
[   85.192792][ T5179]  do_initcalls+0x59/0xa0
[   85.194839][ T5179] page last free pid 1046 tgid 1046 stack trace:
[   85.198062][ T5179]  __free_frozen_pages+0xc2b/0xdb0
[   85.200586][ T5179]  __kasan_populate_vmalloc+0x1b2/0x1d0
[   85.202931][ T5179]  alloc_vmap_area+0xd73/0x14b0
[   85.205073][ T5179]  __get_vm_area_node+0x1f8/0x300
[   85.207443][ T5179]  __vmalloc_node_range_noprof+0x372/0x1730
[   85.210670][ T5179]  __vmalloc_node_noprof+0xc2/0x100
[   85.213459][ T5179]  dup_task_struct+0x275/0x9a0
[   85.215830][ T5179]  copy_process+0x508/0x3cd0
[   85.217802][ T5179]  kernel_clone+0x248/0x8e0
[   85.219968][ T5179]  user_mode_thread+0x110/0x180
[   85.222202][ T5179]  call_usermodehelper_exec_work+0x5c/0x230
[   85.224871][ T5179]  process_scheduled_works+0xb6e/0x18c0
[   85.227431][ T5179]  worker_thread+0xa53/0xfc0
[   85.229801][ T5179]  kthread+0x388/0x470
[   85.231913][ T5179]  ret_from_fork+0x51e/0xb90
[   85.234625][ T5179]  ret_from_fork_asm+0x1a/0x30
[   85.237430][ T5179] 
[   85.238597][ T5179] Memory state around the buggy address:
[   85.241364][ T5179]  ffff8880388df580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   85.245201][ T5179]  ffff8880388df600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.249914][ T5179] >ffff8880388df680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   85.253303][ T5179]                    ^
[   85.255046][ T5179]  ffff8880388df700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   85.258623][ T5179]  ffff8880388df780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   85.262989][ T5179] ==================================================================