program:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004bc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r1}, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000240)={0x14, 0x26, 0x1, 0x7fffd, 0x1000, {0x6}}, 0x14}, 0x1, 0x0, 0x0, 0x20000051}, 0x4008090)

[  101.454722][ T5306] Bluetooth: hci0: command tx timeout
[  101.721981][ T5017] ==================================================================
[  101.725770][ T5017] BUG: KASAN: slab-use-after-free in bpf_trace_run2+0x2c4/0x840
[  101.730046][ T5017] Read of size 8 at addr ffff888035f59480 by task dhcpcd/5017
[  101.734018][ T5017] 
[  101.735143][ T5017] CPU: 0 UID: 101 PID: 5017 Comm: dhcpcd Not tainted syzkaller #0 PREEMPT(full) 
[  101.735158][ T5017] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  101.735165][ T5017] Call Trace:
[  101.735174][ T5017]  <TASK>
[  101.735181][ T5017]  dump_stack_lvl+0xe8/0x150
[  101.735204][ T5017]  print_report+0xba/0x230
[  101.735218][ T5017]  ? bpf_trace_run2+0x2c4/0x840
[  101.735235][ T5017]  kasan_report+0x117/0x150
[  101.735250][ T5017]  ? bpf_trace_run2+0x2c4/0x840
[  101.735264][ T5017]  bpf_trace_run2+0x2c4/0x840
[  101.735282][ T5017]  ? __queue_work+0x1a1/0x1020
[  101.735298][ T5017]  ? bpf_trace_run2+0x1c9/0x840
[  101.735313][ T5017]  ? __pfx_bpf_trace_run2+0x10/0x10
[  101.735331][ T5017]  ? seccomp_filter_release+0x22b/0x2d0
[  101.735346][ T5017]  ? seccomp_filter_release+0x22b/0x2d0
[  101.735357][ T5017]  ? seccomp_filter_release+0x22b/0x2d0
[  101.735367][ T5017]  kfree+0x5b2/0x630
[  101.735381][ T5017]  ? queue_work_on+0x159/0x1d0
[  101.735395][ T5017]  seccomp_filter_release+0x22b/0x2d0
[  101.735409][ T5017]  do_exit+0x3b0/0x23c0
[  101.735424][ T5017]  ? __pfx_do_exit+0x10/0x10
[  101.735432][ T5017]  ? do_raw_spin_lock+0x12b/0x2f0
[  101.735446][ T5017]  ? _raw_spin_unlock_irq+0x23/0x50
[  101.735521][ T5017]  do_group_exit+0x21b/0x2d0
[  101.735535][ T5017]  __x64_sys_exit_group+0x3f/0x40
[  101.735545][ T5017]  x64_sys_call+0x221a/0x2240
[  101.735562][ T5017]  do_syscall_64+0x14d/0xf80
[  101.735577][ T5017]  ? trace_irq_disable+0x3b/0x150
[  101.735588][ T5017]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  101.735600][ T5017]  ? clear_bhb_loop+0x40/0x90
[  101.735614][ T5017]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  101.735625][ T5017] RIP: 0033:0x7f9d50aa76c5
[  101.735639][ T5017] Code: ff ff ff 64 89 02 eb d2 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 8b 35 21 f7 0f 00 ba e7 00 00 00 eb 03 66 90 f4 89 d0 0f 05 <48> 3d 00 f0 ff ff 76 f3 f7 d8 64 89 06 eb ec 66 2e 0f 1f 84 00 00
[  101.735648][ T5017] RSP: 002b:00007fff707d4aa8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
[  101.735679][ T5017] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f9d50aa76c5
[  101.735687][ T5017] RDX: 00000000000000e7 RSI: ffffffffffffff88 RDI: 0000000000000000
[  101.735694][ T5017] RBP: 00007fff707d50b8 R08: 000055ea9e3842c0 R09: 0000000000000002
[  101.735700][ T5017] R10: 0000000000000020 R11: 0000000000000206 R12: 00007fff707d4af0
[  101.735706][ T5017] R13: 000055ea9e3858a0 R14: 00007fff707d4d30 R15: 00007fff707d4ae0
[  101.735718][ T5017]  </TASK>
[  101.735722][ T5017] 
[  101.855961][ T5017] Allocated by task 5331:
[  101.858038][ T5017]  kasan_save_track+0x3e/0x80
[  101.860245][ T5017]  __kasan_kmalloc+0x93/0xb0
[  101.862298][ T5017]  __kmalloc_cache_noprof+0x31c/0x660
[  101.864816][ T5017]  bpf_raw_tp_link_attach+0x278/0x700
[  101.867807][ T5017]  bpf_raw_tracepoint_open+0x1b2/0x220
[  101.870664][ T5017]  __sys_bpf+0x846/0x950
[  101.872618][ T5017]  __x64_sys_bpf+0x7c/0x90
[  101.874927][ T5017]  do_syscall_64+0x14d/0xf80
[  101.877490][ T5017]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  101.880621][ T5017] 
[  101.882016][ T5017] Freed by task 15:
[  101.883892][ T5017]  kasan_save_track+0x3e/0x80
[  101.886017][ T5017]  kasan_save_free_info+0x46/0x50
[  101.888442][ T5017]  __kasan_slab_free+0x5c/0x80
[  101.891013][ T5017]  kfree+0x1c1/0x630
[  101.893152][ T5017]  rcu_core+0x7cd/0x1070
[  101.895394][ T5017]  handle_softirqs+0x22a/0x870
[  101.897544][ T5017]  run_ksoftirqd+0x36/0x60
[  101.899576][ T5017]  smpboot_thread_fn+0x541/0xa50
[  101.902036][ T5017]  kthread+0x388/0x470
[  101.904345][ T5017]  ret_from_fork+0x51e/0xb90
[  101.906752][ T5017]  ret_from_fork_asm+0x1a/0x30
[  101.908937][ T5017] 
[  101.910160][ T5017] Last potentially related work creation:
[  101.913001][ T5017]  kasan_save_stack+0x3e/0x60
[  101.915561][ T5017]  kasan_record_aux_stack+0xbd/0xd0
[  101.918207][ T5017]  call_rcu+0xee/0x890
[  101.920075][ T5017]  bpf_link_release+0x6b/0x80
[  101.922223][ T5017]  __fput+0x44f/0xa70
[  101.924263][ T5017]  task_work_run+0x1d9/0x270
[  101.926791][ T5017]  exit_to_user_mode_loop+0xed/0x480
[  101.929553][ T5017]  do_syscall_64+0x32d/0xf80
[  101.931676][ T5017]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  101.934359][ T5017] 
[  101.935410][ T5017] The buggy address belongs to the object at ffff888035f59400
[  101.935410][ T5017]  which belongs to the cache kmalloc-192 of size 192
[  101.942558][ T5017] The buggy address is located 128 bytes inside of
[  101.942558][ T5017]  freed 192-byte region [ffff888035f59400, ffff888035f594c0)
[  101.948963][ T5017] 
[  101.950236][ T5017] The buggy address belongs to the physical page:
[  101.953418][ T5017] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x35f59
[  101.957405][ T5017] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[  101.961052][ T5017] page_type: f5(slab)
[  101.963121][ T5017] raw: 04fff00000000000 ffff88801ac413c0 dead000000000100 dead000000000122
[  101.967201][ T5017] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[  101.971486][ T5017] page dumped because: kasan: bad access detected
[  101.974912][ T5017] page_owner tracks the page as allocated
[  101.977514][ T5017] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 14705301123, free_ts 14700870072
[  101.987662][ T5017]  post_alloc_hook+0x231/0x280
[  101.990302][ T5017]  get_page_from_freelist+0x24dc/0x2580
[  101.993391][ T5017]  __alloc_frozen_pages_noprof+0x18d/0x380
[  101.996423][ T5017]  allocate_slab+0x77/0x660
[  101.998505][ T5017]  refill_objects+0x331/0x3c0
[  102.000831][ T5017]  __pcs_replace_empty_main+0x2e6/0x730
[  102.003556][ T5017]  __kmalloc_cache_noprof+0x392/0x660
[  102.006593][ T5017]  kset_create_and_add+0x5a/0x170
[  102.009024][ T5017]  bus_register+0x1d7/0x480
[  102.011486][ T5017]  iscsi_transport_init+0x150/0x260
[  102.014394][ T5017]  do_one_initcall+0x250/0x8d0
[  102.016978][ T5017]  do_initcall_level+0x104/0x190
[  102.019356][ T5017]  do_initcalls+0x59/0xa0
[  102.021561][ T5017]  kernel_init_freeable+0x2a6/0x3e0
[  102.024562][ T5017]  kernel_init+0x1d/0x1d0
[  102.026645][ T5017]  ret_from_fork+0x51e/0xb90
[  102.028741][ T5017] page last free pid 12 tgid 12 stack trace:
[  102.031546][ T5017]  __free_frozen_pages+0xc2b/0xdb0
[  102.034184][ T5017]  __kasan_populate_vmalloc+0x1b2/0x1d0
[  102.037250][ T5017]  alloc_vmap_area+0xd73/0x14b0
[  102.039700][ T5017]  __get_vm_area_node+0x1f8/0x300
[  102.041989][ T5017]  __vmalloc_node_range_noprof+0x372/0x1730
[  102.044902][ T5017]  __vmalloc_node_noprof+0xc2/0x100
[  102.047361][ T5017]  dup_task_struct+0x275/0x9a0
[  102.050152][ T5017]  copy_process+0x508/0x3cd0
[  102.052796][ T5017]  kernel_clone+0x248/0x8e0
[  102.054924][ T5017]  user_mode_thread+0x110/0x180
[  102.057158][ T5017]  call_usermodehelper_exec_work+0x5c/0x230
[  102.060054][ T5017]  process_scheduled_works+0xb6e/0x18c0
[  102.062951][ T5017]  worker_thread+0xa53/0xfc0
[  102.065182][ T5017]  kthread+0x388/0x470
[  102.067537][ T5017]  ret_from_fork+0x51e/0xb90
[  102.069776][ T5017]  ret_from_fork_asm+0x1a/0x30
[  102.072104][ T5017] 
[  102.073316][ T5017] Memory state around the buggy address:
[  102.075847][ T5017]  ffff888035f59380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  102.079547][ T5017]  ffff888035f59400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  102.083497][ T5017] >ffff888035f59480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  102.087364][ T5017]                    ^
[  102.089321][ T5017]  ffff888035f59500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  102.093512][ T5017]  ffff888035f59580: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[  102.097226][ T5017] ==================================================================