program:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000380)={&(0x7f00000002c0)='kfree\x00', r0, 0x0, 0xffffffff}, 0x18)
openat$tun(0xffffffffffffff9c, &(0x7f0000000080), 0x22000, 0x0)
socket(0x2, 0x2, 0x1)
r1 = getpid()
syz_pidfd_open(r1, 0x0)
bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f00000012c0)=ANY=[@ANYBLOB="0300000004000000040000000a"], 0x48)
creat(&(0x7f0000000040)='./file1\x00', 0x0)
memfd_create(&(0x7f0000000040)='\xfd\x0fm3#/\x00n\xaa\xaa\xe4\x01U\x8b\xc2\f\x03\x19\x9c\x8e\xcb\x90\x00\x00\xaegQ\x0e\x94\\y\x0fU2@\'\x8a\x80\x00$\x12\xfc\xe4.)\x9b\xf2@\xf0\xe0\xdb\x1f\xe6\xb4gc\x13\xda\xf9\xcd7el\xb7\xe6\b\x00\x00\x00\x00\xef\xff\x00/~\xc2\x00\b\x00\x00\x00\x00\x00\x00 \xff\xf1\xdem\x9c;%\xb5\"\xe4\xf1x2\x8a\x19p\x04\\\xaa-\x93\xd1\xc4 9\xbfK\xf7E\xf3\x05\xa0\xd0\xe6%\x97\x15\xf0\xab\x86\x90k\x10\xcer\x14\xe0a\xaf\xab\xfe\xd9V\x19\xa5d\x16\x8e]:3\xff\t\xe6\xf7\xb3\xbf\xa3\b[?\xb5\x14t\xd3\x8e\xc0\xe8\xefd\x88\xddz\xa25)\x17\xef\xfb4\xff\xdb\t\x8e\xeb\x1d\\\xf9\x14\xc7\v\xa8\x89\xdb A\xbaBAj\xfe\x18\xc3-+\xd6\xb0K\xee\x1b+\xc7lA\x84\xa6\xfe\x8bU<&\x1a\xe7m\x86\xb7\xa1A\xf9\x02S;C\x99\a.$K\x833\x82\x7f\x1b\'nj\x06\b\xb7\xe8] \x87A[y\xdc\x14\f\xcet\x00\x1f\x0f\xef\xca\xcfz\x7f\an0\xebB\xb8}&\xdd\xc9\xa7\x1dp\t\x9a\xceb \x81\xaaq{H\x88\xdf\xf8\x80\\\x1c8\xfe\xc4\xe3\xb0\x90\xcb\x8b1r\x94\x9f\x00\xce\xc8\xc3\x84\xa0\xc9\b\x00\x81Ks\xba\xbbC6\xd6\x13\xb5\xe086EzD\x18\xd5\x16\x88E\xc6\xf0A\xe3\xf1u\xb3\x95\x02\x12\\Sp\xf4\x9a\xe8\x96^\xe6\xa8K\x12\b}\xff\xcb{\xc6\xf6\xb4\x8b\xb6\xa8Y\xf2\x91\xeeR\v#\x05\x00\xb0\x99\x9b-p\xe3\x17\x04\xb0\xdc\x0fk\x11\xe1\x9a\a\x16\xb7\x9b\x88\xfa\x1e`\x84$\xfc\xd7\xf5^X\xd8[}\x032\xd0\x84\xdby\x94Vp\xa5\xcd(\xab\xb6\x95sR\xab\xfc\x8c\'\x9c\x16Q\xad\xbc\xf04%\xb7\xe5\x14\xb1`\x87#\xbd\n/\xb2\'\x16X\\W`\xff\xff\xff\xff\xc5\xc9\x921<\xd9\xad\x9f\x12@!\xfaI\x88\xab\xef\x86\xe9\a>\x007\xb7\x8e\x9c0-o\xc9\xec_|\x02\xc8Ru\x95\xa8#U\xd6J\x87\xf6X\xb6{\x11$\x00\xc8\x14\xcb\xd1nK\xd8\xb9\x0e\x9bA\xed\xbcs\x1fS\r\x12O\x83\x15\xcb(\xdb\xb1S\x1f%\x04\x9a\xa0l\xa3}\xe7r\x02\x00\xb0\x81\n\xb8\xf6\x00\x00\x8aeh;F[\xe2\x1c<L\xaa\x87A\xcdN#\xfb\xb0\xf2\x1e\x0e#J\xd0hB<\xc0\x82A0)p\xe7&J\x82\x83\x83\xd14\x01\xcf\x1b\xa9\x1d\x1ef\x0f\x86(1\xd6l\xd2\x8f\xb0\xad\t\x15\xdb|\x87\xf1\xc4\xb8\xb2\x9a\xd2A\x80\xbf\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd6\x80\x00\x00\x00\x00\x00\x00\x00\x88&}\xd1\x00\x00\x00\xe6\xaf\t\x9f\x96\rN\xc9\x90\xbe\xed\x1ad\x14\xe7\x84\t\'\x8b\x00\xdd\xc9\x0f\x14v\xb6\x04\xf2U\xb4\xf6\xbe\xddT\xcb\x00\x00\x00\x00\x00\x00\xe9\x00\x00\x00\x00\x00\x00o:}\xa7jmH\xedn\x11\xfe\xe2\x0fT\x00\x94\xbc\xc6\x7f\x93eE1xp\xa3\xdc\xd7K9J<\xeb\xd2!\xf4\x19\xbd#\xb8\x83\x858\n\xf8\x12Z\x1a\x12\xfa\xcc\x04\r\xf3\xf4;\v\x15b^\xea\xa2\x04 \xe8\x99\xb3\x97\x9e\r\xb0\x05\xbb(f\xd0\x85\xc5\x15\xae#\x12Q\xacF\xfb\xc8\xbd\xcc#\v\x00\x00\x00\x00\x00\x00\x8f\x9b\x00\x03\xc8}\x11\xbc\x01\x8fi\xf5\x7f\xaf\x11\xfb\x16\x95\xc4c\xc9\x8a/&\x81w\xdf]ao\\\x88\xf7\xce\xbd\xb0\xa6J~\x8d\xf1\xe9\x1c\xcfo\xb3\xdc\x04Y\x8e\r\xf5\xa0\xeft\x06G0\xd8\x12\xda\x80\x1b\'\x88\xee\xe3D\xd6\xa3L\xedN\x0e\xdc@7\xd8^\xae\xea\x92\xbe\x9c\xf9~c\xc1|\xca\x8d\x93R\xe5\xceU\xa5\x0f\xbf\xd8l\x96`\x0f\x00e\x05\x00\x00\x00\x00\x00\x00\x00\xe26 \x19k&.\x7f\x1d~\xdaI\x91\xd8\xe1\\\xda-\x02\x13\x8d\xb6y\xce\x86\xd4\x99\a+\xdf]\xbc\xa6\xc3\x0f\x99W\x9c-t\v\xc7J\xfd\x91\x853\xd1j;\x19W\x96V\x8az+\xf9\x82#\xfaC\xa3YN:\xe8\xda\xbc\xb2h\x8f\xe0\xc6d\x96\xccy\xb3\xc2\x98\x1c\xca\xde\"\xaeW\x89\x83\xc2sB\xe7\b\x9b9~}\xc2\xb3\x1d\xcc?\xd1\x89\xef\xca\x00\x00\x00\x00\x00\x00\x00\x00\x00J[\xc4\x04\xc1\xa6\x10\xc2\x9d\x11\t|\xc0\t\xd9(\x80\xe6s\xaa\x88\x8a\xd6\xa2\x01\x10W]Z\x8d\xf7\xd1P\xf9d\x01|\xa3\x03hSq\x95\x8f\xe1J\xd3#/fcCz\xff\x80\x8e\x1d\xe9\x1aJy\x15\xfa\a\xe7\xcc\xe2M\xa3-r\xf6\x1a\xd74\xdc\xe1\xe4\xc3\x9dU t}\x02\x9a{C|S\xf4\x98\x05\xb9\x15}\xfa\"\xdc\xc2r\xf9\a\xadnD\xb6\x06\xd3\'\x10\x9f|\x17', 0x6)
r2 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000340), 0x2, 0x0)
r3 = socket$unix(0x1, 0x2, 0x0)
ppoll(&(0x7f0000000300)=[{r3, 0x4236}], 0x1, 0x0, 0x0, 0x0)
write$RDMA_USER_CM_CMD_CREATE_ID(r2, &(0x7f00000000c0)={0x0, 0x18, 0xfa00, {0x3, &(0x7f0000000080)={<r4=>0xffffffffffffffff}, 0x13f}}, 0x20)
write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x18, 0xfa00, {0x0, &(0x7f0000000300), 0x106, 0x8}}, 0x20)
write$RDMA_USER_CM_CMD_RESOLVE_IP(0xffffffffffffffff, &(0x7f0000000100)={0x3, 0x40, 0xfa00, {{0xa, 0xfffb, 0x5, @empty, 0xa098}, {0xa, 0x4e21, 0x9, @mcast1, 0x9}, r4, 0x80000001}}, 0x48)
writev(r2, &(0x7f0000000040)=[{&(0x7f0000000100), 0x86}], 0x2) (fail_nth: 4)

[   84.552281][ T4671] Bluetooth: hci0: command tx timeout
[   84.787748][ T5171] ==================================================================
[   84.791037][ T5171] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[   84.794327][ T5171] Read of size 8 at addr ffff888038dcd480 by task dhcpcd/5171
[   84.797529][ T5171] 
[   84.798596][ T5171] CPU: 0 UID: 101 PID: 5171 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   84.798612][ T5171] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   84.798620][ T5171] Call Trace:
[   84.798628][ T5171]  <TASK>
[   84.798634][ T5171]  dump_stack_lvl+0xe8/0x150
[   84.798657][ T5171]  print_report+0xba/0x230
[   84.798694][ T5171]  ? bpf_trace_run2+0x2c4/0x840
[   84.798710][ T5171]  kasan_report+0x117/0x150
[   84.798725][ T5171]  ? bpf_trace_run2+0x2c4/0x840
[   84.798741][ T5171]  bpf_trace_run2+0x2c4/0x840
[   84.798758][ T5171]  ? __queue_work+0x1a1/0x1020
[   84.798774][ T5171]  ? bpf_trace_run2+0x1c9/0x840
[   84.798789][ T5171]  ? __pfx_bpf_trace_run2+0x10/0x10
[   84.798805][ T5171]  ? seccomp_filter_release+0x22b/0x2d0
[   84.798819][ T5171]  ? seccomp_filter_release+0x22b/0x2d0
[   84.798830][ T5171]  ? seccomp_filter_release+0x22b/0x2d0
[   84.798841][ T5171]  kfree+0x5b2/0x630
[   84.798857][ T5171]  ? queue_work_on+0x159/0x1d0
[   84.798874][ T5171]  seccomp_filter_release+0x22b/0x2d0
[   84.798886][ T5171]  do_exit+0x3b0/0x23c0
[   84.798898][ T5171]  ? fput_close_sync+0x11f/0x240
[   84.798911][ T5171]  ? __x64_sys_close+0x7e/0x110
[   84.798926][ T5171]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.798940][ T5171]  ? __pfx_do_exit+0x10/0x10
[   84.798953][ T5171]  ? do_raw_spin_lock+0x12b/0x2f0
[   84.798968][ T5171]  do_group_exit+0x21b/0x2d0
[   84.798979][ T5171]  ? _raw_spin_unlock_irq+0x23/0x50
[   84.799042][ T5171]  get_signal+0x1284/0x1330
[   84.799061][ T5171]  arch_do_signal_or_restart+0xbc/0x830
[   84.799075][ T5171]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[   84.799087][ T5171]  ? kmem_cache_free+0x439/0x630
[   84.799098][ T5171]  ? fput_close_sync+0x11f/0x240
[   84.799113][ T5171]  exit_to_user_mode_loop+0x86/0x480
[   84.799125][ T5171]  ? rcu_is_watching+0x15/0xb0
[   84.799142][ T5171]  do_syscall_64+0x32d/0xf80
[   84.799154][ T5171]  ? trace_irq_disable+0x3b/0x150
[   84.799170][ T5171]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.799180][ T5171]  ? clear_bhb_loop+0x40/0x90
[   84.799191][ T5171]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.799202][ T5171] RIP: 0033:0x7fa880f89407
[   84.799215][ T5171] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[   84.799224][ T5171] RSP: 002b:00007ffc10f55f90 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[   84.799236][ T5171] RAX: 0000000000000000 RBX: 00007fa880eff780 RCX: 00007fa880f89407
[   84.799242][ T5171] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000015
[   84.799249][ T5171] RBP: 00007ffc10f66230 R08: 0000000000000000 R09: 0000000000000000
[   84.799255][ T5171] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffc10f66230
[   84.799261][ T5171] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   84.799272][ T5171]  </TASK>
[   84.799276][ T5171] 
[   84.932420][ T5171] Allocated by task 5327:
[   84.934291][ T5171]  kasan_save_track+0x3e/0x80
[   84.936370][ T5171]  __kasan_kmalloc+0x93/0xb0
[   84.938667][ T5171]  __kmalloc_cache_noprof+0x31c/0x660
[   84.941558][ T5171]  bpf_raw_tp_link_attach+0x278/0x700
[   84.944125][ T5171]  bpf_raw_tracepoint_open+0x1b2/0x220
[   84.946799][ T5171]  __sys_bpf+0x846/0x950
[   84.948756][ T5171]  __x64_sys_bpf+0x7c/0x90
[   84.950780][ T5171]  do_syscall_64+0x14d/0xf80
[   84.953320][ T5171]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.957372][ T5171] 
[   84.958735][ T5171] Freed by task 15:
[   84.960444][ T5171]  kasan_save_track+0x3e/0x80
[   84.962470][ T5171]  kasan_save_free_info+0x46/0x50
[   84.964528][ T5171]  __kasan_slab_free+0x5c/0x80
[   84.966510][ T5171]  kfree+0x1c1/0x630
[   84.968126][ T5171]  rcu_core+0x7cd/0x1070
[   84.969845][ T5171]  handle_softirqs+0x22a/0x870
[   84.971974][ T5171]  run_ksoftirqd+0x36/0x60
[   84.974573][ T5171]  smpboot_thread_fn+0x541/0xa50
[   84.977576][ T5171]  kthread+0x388/0x470
[   84.979651][ T5171]  ret_from_fork+0x51e/0xb90
[   84.981836][ T5171]  ret_from_fork_asm+0x1a/0x30
[   84.983934][ T5171] 
[   84.985048][ T5171] Last potentially related work creation:
[   84.987485][ T5171]  kasan_save_stack+0x3e/0x60
[   84.989687][ T5171]  kasan_record_aux_stack+0xbd/0xd0
[   84.992432][ T5171]  call_rcu+0xee/0x890
[   84.995003][ T5171]  bpf_link_release+0x6b/0x80
[   84.997321][ T5171]  __fput+0x44f/0xa70
[   84.999185][ T5171]  task_work_run+0x1d9/0x270
[   85.001269][ T5171]  exit_to_user_mode_loop+0xed/0x480
[   85.003616][ T5171]  do_syscall_64+0x32d/0xf80
[   85.005791][ T5171]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.008617][ T5171] 
[   85.009949][ T5171] The buggy address belongs to the object at ffff888038dcd400
[   85.009949][ T5171]  which belongs to the cache kmalloc-192 of size 192
[   85.017161][ T5171] The buggy address is located 128 bytes inside of
[   85.017161][ T5171]  freed 192-byte region [ffff888038dcd400, ffff888038dcd4c0)
[   85.023071][ T5171] 
[   85.024203][ T5171] The buggy address belongs to the physical page:
[   85.027524][ T5171] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x38dcd
[   85.031779][ T5171] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   85.034999][ T5171] page_type: f5(slab)
[   85.036910][ T5171] raw: 04fff00000000000 ffff88801ac413c0 dead000000000122 0000000000000000
[   85.041930][ T5171] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[   85.046213][ T5171] page dumped because: kasan: bad access detected
[   85.048995][ T5171] page_owner tracks the page as allocated
[   85.051357][ T5171] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5303, tgid 5303 (syz-executor), ts 82408381101, free_ts 82381528135
[   85.062490][ T5171]  post_alloc_hook+0x231/0x280
[   85.064835][ T5171]  get_page_from_freelist+0x24dc/0x2580
[   85.067589][ T5171]  __alloc_frozen_pages_noprof+0x18d/0x380
[   85.070508][ T5171]  allocate_slab+0x77/0x660
[   85.072811][ T5171]  refill_objects+0x331/0x3c0
[   85.075007][ T5171]  __pcs_replace_empty_main+0x2e6/0x730
[   85.077551][ T5171]  __kmalloc_cache_noprof+0x392/0x660
[   85.080591][ T5171]  cgroup_file_open+0x90/0x3a0
[   85.083556][ T5171]  kernfs_fop_open+0x9d1/0xca0
[   85.085868][ T5171]  do_dentry_open+0x785/0x14e0
[   85.088033][ T5171]  vfs_open+0x3b/0x340
[   85.089833][ T5171]  path_openat+0x2e08/0x3860
[   85.091953][ T5171]  do_file_open+0x23e/0x4a0
[   85.094060][ T5171]  do_sys_openat2+0x113/0x200
[   85.096404][ T5171]  __x64_sys_openat+0x138/0x170
[   85.098639][ T5171]  do_syscall_64+0x14d/0xf80
[   85.100589][ T5171] page last free pid 15 tgid 15 stack trace:
[   85.103446][ T5171]  __free_frozen_pages+0xc2b/0xdb0
[   85.106388][ T5171]  tlb_remove_table_rcu+0x85/0x100
[   85.109212][ T5171]  rcu_core+0x7cd/0x1070
[   85.111021][ T5171]  handle_softirqs+0x22a/0x870
[   85.113211][ T5171]  run_ksoftirqd+0x36/0x60
[   85.115234][ T5171]  smpboot_thread_fn+0x541/0xa50
[   85.117431][ T5171]  kthread+0x388/0x470
[   85.119213][ T5171]  ret_from_fork+0x51e/0xb90
[   85.121524][ T5171]  ret_from_fork_asm+0x1a/0x30
[   85.124323][ T5171] 
[   85.125713][ T5171] Memory state around the buggy address:
[   85.128217][ T5171]  ffff888038dcd380: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   85.131674][ T5171]  ffff888038dcd400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.135308][ T5171] >ffff888038dcd480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   85.138870][ T5171]                    ^
[   85.140838][ T5171]  ffff888038dcd500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   85.144953][ T5171]  ffff888038dcd580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   85.148336][ T5171] ==================================================================