program:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f0000000000)=0x100000001, 0x4)
connect$inet6(r0, &(0x7f0000000100)={0xa, 0x0, 0x0, @loopback}, 0x1c)
setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f00000000c0), 0x4)
setsockopt$inet6_tcp_TLS_TX(r0, 0x11a, 0x1, &(0x7f00000001c0)=@gcm_256={{0x304}, "6ae04425ace3f60c", "acba84f0a6731f234db1cc7f3f382ad796bd667cb12ea99509873931d2873103", "0f9dafb4", "ec3fff9afd96e6c0"}, 0x38)
setsockopt$inet6_tcp_int(r0, 0x6, 0x19, &(0x7f0000000180)=0x8, 0x4)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004bc311ec8500000075000000a70000000800000095"], &(0x7f0000000380)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0xfffffffd}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r1}, 0x10)
r2 = syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10)
ioctl$sock_SIOCSIFVLAN_GET_VLAN_REALDEV_NAME_CMD(r2, 0x8983, &(0x7f0000000040)={0x8, 'batadv0\x00', {'syzkaller1\x00'}, 0xcb})
openat$ptmx(0xffffffffffffff9c, &(0x7f0000000140), 0x4800, 0x0)
setsockopt$inet6_tcp_TCP_REPAIR(r0, 0x6, 0x13, &(0x7f0000000200)=0xffffffffffffffff, 0x4)
writev(r0, &(0x7f0000000080)=[{&(0x7f00000002c0)="ec", 0xfdef}], 0x1)

[   74.555242][ T5294] Bluetooth: hci0: command tx timeout
[   74.713227][ T5174] ==================================================================
[   74.716391][ T5174] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[   74.719611][ T5174] Read of size 8 at addr ffff888032898f80 by task dhcpcd/5174
[   74.722412][ T5174] 
[   74.723526][ T5174] CPU: 0 UID: 101 PID: 5174 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[   74.723540][ T5174] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   74.723547][ T5174] Call Trace:
[   74.723571][ T5174]  <TASK>
[   74.723578][ T5174]  dump_stack_lvl+0xe8/0x150
[   74.723596][ T5174]  print_report+0xba/0x230
[   74.723609][ T5174]  ? bpf_trace_run2+0x2c4/0x840
[   74.723624][ T5174]  kasan_report+0x117/0x150
[   74.723640][ T5174]  ? bpf_trace_run2+0x2c4/0x840
[   74.723654][ T5174]  bpf_trace_run2+0x2c4/0x840
[   74.723668][ T5174]  ? __queue_work+0x1a1/0x1020
[   74.723681][ T5174]  ? bpf_trace_run2+0x1c9/0x840
[   74.723693][ T5174]  ? __pfx_bpf_trace_run2+0x10/0x10
[   74.723705][ T5174]  ? seccomp_filter_release+0x22b/0x2d0
[   74.723717][ T5174]  ? seccomp_filter_release+0x22b/0x2d0
[   74.723727][ T5174]  ? seccomp_filter_release+0x22b/0x2d0
[   74.723736][ T5174]  kfree+0x5b2/0x630
[   74.723746][ T5174]  ? queue_work_on+0x159/0x1d0
[   74.723760][ T5174]  seccomp_filter_release+0x22b/0x2d0
[   74.723770][ T5174]  do_exit+0x338/0x2310
[   74.723780][ T5174]  ? fput_close_sync+0x11f/0x240
[   74.723791][ T5174]  ? __x64_sys_close+0x7e/0x110
[   74.723803][ T5174]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.723814][ T5174]  ? __pfx_do_exit+0x10/0x10
[   74.723820][ T5174]  ? do_raw_spin_lock+0x12b/0x2f0
[   74.723828][ T5174]  do_group_exit+0x21b/0x2d0
[   74.723834][ T5174]  ? _raw_spin_unlock_irq+0x23/0x50
[   74.723976][ T5174]  get_signal+0x1284/0x1330
[   74.723992][ T5174]  arch_do_signal_or_restart+0xbc/0x830
[   74.724006][ T5174]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[   74.724016][ T5174]  ? kmem_cache_free+0x439/0x630
[   74.724031][ T5174]  ? fput_close_sync+0x11f/0x240
[   74.724044][ T5174]  exit_to_user_mode_loop+0x86/0x480
[   74.724056][ T5174]  ? rcu_is_watching+0x15/0xb0
[   74.724075][ T5174]  do_syscall_64+0x32d/0xf80
[   74.724088][ T5174]  ? trace_irq_disable+0x3b/0x150
[   74.724101][ T5174]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.724111][ T5174]  ? clear_bhb_loop+0x40/0x90
[   74.724123][ T5174]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.724134][ T5174] RIP: 0033:0x7f8ddca4e407
[   74.724145][ T5174] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[   74.724154][ T5174] RSP: 002b:00007ffc937b84a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[   74.724166][ T5174] RAX: 0000000000000000 RBX: 00007f8ddc9c4740 RCX: 00007f8ddca4e407
[   74.724172][ T5174] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000016
[   74.724178][ T5174] RBP: 00007ffc937c8740 R08: 0000000000000000 R09: 0000000000000000
[   74.724184][ T5174] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffc937c8740
[   74.724190][ T5174] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   74.724200][ T5174]  </TASK>
[   74.724203][ T5174] 
[   74.847916][ T5174] Allocated by task 5314:
[   74.849973][ T5174]  kasan_save_track+0x3e/0x80
[   74.852192][ T5174]  __kasan_kmalloc+0x93/0xb0
[   74.854190][ T5174]  __kmalloc_cache_noprof+0x31c/0x660
[   74.856327][ T5174]  bpf_raw_tp_link_attach+0x278/0x700
[   74.858595][ T5174]  bpf_raw_tracepoint_open+0x1b2/0x220
[   74.861017][ T5174]  __sys_bpf+0x846/0x950
[   74.862828][ T5174]  __x64_sys_bpf+0x7c/0x90
[   74.864754][ T5174]  do_syscall_64+0x14d/0xf80
[   74.866719][ T5174]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.869289][ T5174] 
[   74.870355][ T5174] Freed by task 15:
[   74.872063][ T5174]  kasan_save_track+0x3e/0x80
[   74.874033][ T5174]  kasan_save_free_info+0x46/0x50
[   74.876070][ T5174]  __kasan_slab_free+0x5c/0x80
[   74.877994][ T5174]  kfree+0x1c1/0x630
[   74.879566][ T5174]  rcu_core+0x7cd/0x1070
[   74.881175][ T5174]  handle_softirqs+0x22a/0x870
[   74.883056][ T5174]  run_ksoftirqd+0x36/0x60
[   74.884837][ T5174]  smpboot_thread_fn+0x541/0xa50
[   74.886746][ T5174]  kthread+0x388/0x470
[   74.888510][ T5174]  ret_from_fork+0x51e/0xb90
[   74.890548][ T5174]  ret_from_fork_asm+0x1a/0x30
[   74.892688][ T5174] 
[   74.893725][ T5174] Last potentially related work creation:
[   74.896076][ T5174]  kasan_save_stack+0x3e/0x60
[   74.898257][ T5174]  kasan_record_aux_stack+0xbd/0xd0
[   74.900556][ T5174]  call_rcu+0xee/0x890
[   74.902348][ T5174]  bpf_link_release+0x6b/0x80
[   74.904435][ T5174]  __fput+0x44f/0xa70
[   74.906122][ T5174]  task_work_run+0x1d9/0x270
[   74.908116][ T5174]  exit_to_user_mode_loop+0xed/0x480
[   74.910386][ T5174]  do_syscall_64+0x32d/0xf80
[   74.912312][ T5174]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.914938][ T5174] 
[   74.915943][ T5174] The buggy address belongs to the object at ffff888032898f00
[   74.915943][ T5174]  which belongs to the cache kmalloc-192 of size 192
[   74.921886][ T5174] The buggy address is located 128 bytes inside of
[   74.921886][ T5174]  freed 192-byte region [ffff888032898f00, ffff888032898fc0)
[   74.927639][ T5174] 
[   74.928642][ T5174] The buggy address belongs to the physical page:
[   74.931312][ T5174] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x32898
[   74.934900][ T5174] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   74.937983][ T5174] page_type: f5(slab)
[   74.939605][ T5174] raw: 04fff00000000000 ffff88801a8413c0 dead000000000100 dead000000000122
[   74.943284][ T5174] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   74.946992][ T5174] page dumped because: kasan: bad access detected
[   74.949817][ T5174] page_owner tracks the page as allocated
[   74.952353][ T5174] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 8403483097, free_ts 8260924194
[   74.960513][ T5174]  post_alloc_hook+0x231/0x280
[   74.962602][ T5174]  get_page_from_freelist+0x24dc/0x2580
[   74.965052][ T5174]  __alloc_frozen_pages_noprof+0x18d/0x380
[   74.967611][ T5174]  allocate_slab+0x77/0x660
[   74.969613][ T5174]  refill_objects+0x331/0x3c0
[   74.971489][ T5174]  __pcs_replace_empty_main+0x2b9/0x620
[   74.973493][ T5174]  __kmalloc_cache_noprof+0x392/0x660
[   74.975481][ T5174]  call_usermodehelper_setup+0x8e/0x270
[   74.977787][ T5174]  kobject_uevent_env+0x658/0x9e0
[   74.980181][ T5174]  driver_register+0x2d4/0x320
[   74.982352][ T5174]  do_one_initcall+0x250/0x8d0
[   74.984330][ T5174]  do_initcall_level+0x104/0x190
[   74.987086][ T5174]  do_initcalls+0x59/0xa0
[   74.989467][ T5174]  kernel_init_freeable+0x2a6/0x3e0
[   74.991801][ T5174]  kernel_init+0x1d/0x1d0
[   74.993777][ T5174]  ret_from_fork+0x51e/0xb90
[   74.995942][ T5174] page last free pid 10 tgid 10 stack trace:
[   74.998889][ T5174]  __free_frozen_pages+0xc00/0xd90
[   75.001325][ T5174]  vfree+0x25a/0x400
[   75.002829][ T5174]  delayed_vfree_work+0x55/0x80
[   75.004936][ T5174]  process_scheduled_works+0xb02/0x1830
[   75.007364][ T5174]  worker_thread+0xa50/0xfc0
[   75.009486][ T5174]  kthread+0x388/0x470
[   75.011356][ T5174]  ret_from_fork+0x51e/0xb90
[   75.013402][ T5174]  ret_from_fork_asm+0x1a/0x30
[   75.015528][ T5174] 
[   75.016612][ T5174] Memory state around the buggy address:
[   75.019204][ T5174]  ffff888032898e80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   75.022887][ T5174]  ffff888032898f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.027053][ T5174] >ffff888032898f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   75.031437][ T5174]                    ^
[   75.033300][ T5174]  ffff888032899000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   75.037587][ T5174]  ffff888032899080: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[   75.041975][ T5174] ==================================================================