======================================
| [ 1306.824005][T13529] ==================================================================
| [1306.824479][T13529] BUG: KASAN: slab-use-after-free in tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
| [ 1306.824777][T13529] Read of size 4 at addr ffff888013085750 by task tls/13529
| [ 1306.825056][T13529]
[ 1306.825162][T13529] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1306.825165][T13529] Call Trace:
[ 1306.825169][T13529]  <TASK>
[1306.825171][T13529] dump_stack_lvl (lib/dump_stack.c:123) 
[1306.825191][T13529] print_address_description.constprop.0 (mm/kasan/report.c:409) 
[1306.825201][T13529] ? tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[1306.825211][T13529] print_report (mm/kasan/report.c:522) 
[1306.825215][T13529] ? tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[1306.825223][T13529] ? kasan_addr_to_slab (./include/linux/mm.h:1178 mm/kasan/../slab.h:211 mm/kasan/common.c:38) 
[1306.825226][T13529] ? tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[1306.825234][T13529] kasan_report (mm/kasan/report.c:636) 
[1306.825238][T13529] ? tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[1306.825249][T13529] tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[1306.825257][T13529] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:745) 
[1306.825265][T13529] ? __pfx_tls_strp_check_rcv (net/tls/tls_strp.c:540) tls 
[1306.825274][T13529] ? __lock_acquire (kernel/locking/lockdep.c:5240) 
[1306.825281][T13529] tls_rx_rec_wait (net/tls/tls.h:219 net/tls/tls_sw.c:1359) tls 
[1306.825291][T13529] ? sk_psock_get (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:871 ./include/linux/skmsg.h:464) tls 
[1306.825301][T13529] ? __pfx_tls_rx_rec_wait (net/tls/tls_sw.c:1334) tls 
[1306.825309][T13529] ? sk_psock_get (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:871 ./include/linux/skmsg.h:464) tls 
[1306.825318][T13529] ? __pfx_woken_wake_function (kernel/sched/wait.c:439) 
[1306.825325][T13529] ? __local_bh_enable_ip (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 kernel/softirq.c:412) 
[1306.825331][T13529] tls_sw_recvmsg (net/tls/tls_sw.c:2067) tls 
[1306.825347][T13529] ? __pfx_tls_sw_recvmsg (net/tls/tls_sw.c:2013) tls 
[1306.825355][T13529] ? do_pte_missing (mm/memory.c:5719 mm/memory.c:4251) 
[1306.825363][T13529] inet_recvmsg (net/ipv4/af_inet.c:883 (discriminator 5)) 
[1306.825371][T13529] ? __pfx_inet_recvmsg (net/ipv4/af_inet.c:875) 
[1306.825378][T13529] __sys_recvfrom (net/socket.c:1065 net/socket.c:1087 net/socket.c:2278) 
[1306.825384][T13529] ? __pfx___sys_recvfrom (net/socket.c:2255) 
[1306.825391][T13529] ? rseq_update_cpu_node_id (kernel/rseq.c:189 (discriminator 10)) 
[1306.825396][T13529] ? __rseq_handle_notify_resume (kernel/rseq.c:442) 
[1306.825399][T13529] ? find_held_lock (kernel/locking/lockdep.c:5353) 
[1306.825405][T13529] ? __pfx___rseq_handle_notify_resume (kernel/rseq.c:425) 
[1306.825409][T13529] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:109 ./arch/x86/include/asm/irqflags.h:151 arch/x86/mm/fault.c:1484 arch/x86/mm/fault.c:1532) 
[1306.825415][T13529] ? xfd_validate_state (arch/x86/kernel/fpu/xstate.c:1473 arch/x86/kernel/fpu/xstate.c:1517) 
[1306.825420][T13529] ? do_user_addr_fault (./arch/x86/include/asm/atomic.h:93 ./include/linux/atomic/atomic-arch-fallback.h:949 ./include/linux/atomic/atomic-instrumented.h:401 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/mmap_lock.h:142 ./include/linux/mmap_lock.h:237 arch/x86/mm/fault.c:1338) 
[1306.825425][T13529] __x64_sys_recvfrom (net/socket.c:2289) 
[1306.825429][T13529] ? do_syscall_64 (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./include/linux/entry-common.h:199 arch/x86/entry/syscall_64.c:90) 
[1306.825434][T13529] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4475) 
[1306.825437][T13529] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
[1306.825441][T13529] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[ 1306.825445][T13529] RIP: 0033:0x7f6428c84ef0
[ 1306.825449][T13529] Code: 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 1d 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 68 c3 0f 1f 80 00 00 00 00 41 54 48 83 ec 20
All code
========
   0:	2e 0f 1f 84 00 00 00 	cs nopl 0x0(%rax,%rax,1)
   7:	00 00 
   9:	90                   	nop
   a:	f3 0f 1e fa          	endbr64
   e:	41 89 ca             	mov    %ecx,%r10d
  11:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  18:	00 
  19:	85 c0                	test   %eax,%eax
  1b:	75 1d                	jne    0x3a
  1d:	45 31 c9             	xor    %r9d,%r9d
  20:	45 31 c0             	xor    %r8d,%r8d
  23:	b8 2d 00 00 00       	mov    $0x2d,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 68                	ja     0x9a
  32:	c3                   	ret
  33:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  3a:	41 54                	push   %r12
  3c:	48 83 ec 20          	sub    $0x20,%rsp

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 68                	ja     0x70
   8:	c3                   	ret
   9:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  10:	41 54                	push   %r12
  12:	48 83 ec 20          	sub    $0x20,%rsp
[ 1306.825452][T13529] RSP: 002b:00007ffc7264d228 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
[ 1306.825457][T13529] RAX: ffffffffffffffda RBX: 0000000000001f41 RCX: 00007f6428c84ef0
[ 1306.825460][T13529] RDX: 0000000000001f41 RSI: 00007ffc7265bcc0 RDI: 00000000000002b4
[ 1306.825462][T13529] RBP: 00007ffc7265dc40 R08: 0000000000000000 R09: 0000000000000000
[ 1306.825464][T13529] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6428b42000
[ 1306.825466][T13529] R13: 00007ffc7265bcc0 R14: 00007ffc7265dc54 R15: 00000000005a64cb
| [ 1306.852874][T13529] Disabling lock debugging due to kernel taint
| [ 1306.853223][T13529] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN NOPTI
| [ 1306.853678][T13529] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
| [ 1306.854448][T13529] Tainted: [B]=BAD_PAGE
[ 1306.854600][T13529] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[1306.854823][T13529] RIP: 0010:tls_strp_check_rcv (net/tls/tls_strp.c:446 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[ 1306.855059][T13529] Code: 7b 28 eb 41 41 01 c7 41 29 c5 48 89 d8 48 c1 e8 03 42 80 3c 30 00 0f 85 f8 01 00 00 48 8b 1b 48 8d 7b 28 48 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 03 0f 8e 00 02 00 00 44 3b 7b 28 0f
All code
========
   0:	7b 28                	jnp    0x2a
   2:	eb 41                	jmp    0x45
   4:	41 01 c7             	add    %eax,%r15d
   7:	41 29 c5             	sub    %eax,%r13d
   a:	48 89 d8             	mov    %rbx,%rax
   d:	48 c1 e8 03          	shr    $0x3,%rax
  11:	42 80 3c 30 00       	cmpb   $0x0,(%rax,%r14,1)
  16:	0f 85 f8 01 00 00    	jne    0x214
  1c:	48 8b 1b             	mov    (%rbx),%rbx
  1f:	48 8d 7b 28          	lea    0x28(%rbx),%rdi
  23:	48 89 f8             	mov    %rdi,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
  2a:*	42 0f b6 04 30       	movzbl (%rax,%r14,1),%eax		<-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	74 08                	je     0x3b
  33:	3c 03                	cmp    $0x3,%al
  35:	0f 8e 00 02 00 00    	jle    0x23b
  3b:	44 3b 7b 28          	cmp    0x28(%rbx),%r15d
  3f:	0f                   	.byte 0xf

Code starting with the faulting instruction
===========================================
   0:	42 0f b6 04 30       	movzbl (%rax,%r14,1),%eax
   5:	84 c0                	test   %al,%al
   7:	74 08                	je     0x11
   9:	3c 03                	cmp    $0x3,%al
   b:	0f 8e 00 02 00 00    	jle    0x211
  11:	44 3b 7b 28          	cmp    0x28(%rbx),%r15d
  15:	0f                   	.byte 0xf
[ 1306.855705][T13529] RSP: 0018:ffffc90005027908 EFLAGS: 00010206
[ 1306.855930][T13529] RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffffffc0ace13c
[ 1306.856198][T13529] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000028
[ 1306.856466][T13529] RBP: ffff8880098bc4d0 R08: ffff8880098bc4da R09: fffffbfff3fdb0b8
[ 1306.856738][T13529] R10: ffffffff9fed85c7 R11: ffffc90005027400 R12: 1ffff92000a04f24
[ 1306.857013][T13529] R13: 0000000000001e86 R14: dffffc0000000000 R15: 0000000029fa2eaf
[ 1306.857285][T13529] FS:  00007f6428b72740(0000) GS:ffff8880c5897000(0000) knlGS:0000000000000000
[ 1306.857602][T13529] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1306.857830][T13529] CR2: 00007f6428c733c0 CR3: 000000000e83b006 CR4: 0000000000772ef0
[ 1306.858111][T13529] PKRU: 55555554
[ 1306.858249][T13529] Call Trace:
[ 1306.858386][T13529]  <TASK>
[1306.858482][T13529] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:745) 
[1306.858666][T13529] ? __pfx_tls_strp_check_rcv (net/tls/tls_strp.c:540) tls 
[1306.858896][T13529] ? __lock_acquire (kernel/locking/lockdep.c:5240) 
[1306.859077][T13529] tls_rx_rec_wait (net/tls/tls.h:219 net/tls/tls_sw.c:1359) tls 
[1306.859268][T13529] ? sk_psock_get (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:871 ./include/linux/skmsg.h:464) tls 
[1306.859451][T13529] ? __pfx_tls_rx_rec_wait (net/tls/tls_sw.c:1334) tls 
[1306.859679][T13529] ? sk_psock_get (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:871 ./include/linux/skmsg.h:464) tls 
[1306.859862][T13529] ? __pfx_woken_wake_function (kernel/sched/wait.c:439) 
[1306.860075][T13529] ? __local_bh_enable_ip (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 kernel/softirq.c:412) 
[1306.860322][T13529] tls_sw_recvmsg (net/tls/tls_sw.c:2067) tls 
[1306.860572][T13529] ? __pfx_tls_sw_recvmsg (net/tls/tls_sw.c:2013) tls 
[1306.860756][T13529] ? do_pte_missing (mm/memory.c:5719 mm/memory.c:4251) 
[1306.860939][T13529] inet_recvmsg (net/ipv4/af_inet.c:883 (discriminator 5)) 
[1306.861129][T13529] ? __pfx_inet_recvmsg (net/ipv4/af_inet.c:875) 
[1306.861311][T13529] __sys_recvfrom (net/socket.c:1065 net/socket.c:1087 net/socket.c:2278) 
[1306.861491][T13529] ? __pfx___sys_recvfrom (net/socket.c:2255) 
[1306.861673][T13529] ? rseq_update_cpu_node_id (kernel/rseq.c:189 (discriminator 10)) 
[1306.861859][T13529] ? __rseq_handle_notify_resume (kernel/rseq.c:442) 
[1306.862079][T13529] ? find_held_lock (kernel/locking/lockdep.c:5353) 
[1306.862260][T13529] ? __pfx___rseq_handle_notify_resume (kernel/rseq.c:425) 
[1306.862483][T13529] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:109 ./arch/x86/include/asm/irqflags.h:151 arch/x86/mm/fault.c:1484 arch/x86/mm/fault.c:1532) 
[1306.862663][T13529] ? xfd_validate_state (arch/x86/kernel/fpu/xstate.c:1473 arch/x86/kernel/fpu/xstate.c:1517) 
[1306.862842][T13529] ? do_user_addr_fault (./arch/x86/include/asm/atomic.h:93 ./include/linux/atomic/atomic-arch-fallback.h:949 ./include/linux/atomic/atomic-instrumented.h:401 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/mmap_lock.h:142 ./include/linux/mmap_lock.h:237 arch/x86/mm/fault.c:1338) 
[1306.863034][T13529] __x64_sys_recvfrom (net/socket.c:2289) 
[1306.863277][T13529] ? do_syscall_64 (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./include/linux/entry-common.h:199 arch/x86/entry/syscall_64.c:90) 
[1306.863522][T13529] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4475) 
[1306.863765][T13529] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
[1306.864007][T13529] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[ 1306.864312][T13529] RIP: 0033:0x7f6428c84ef0
[ 1306.864563][T13529] Code: 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 1d 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 68 c3 0f 1f 80 00 00 00 00 41 54 48 83 ec 20
All code
========
   0:	2e 0f 1f 84 00 00 00 	cs nopl 0x0(%rax,%rax,1)
   7:	00 00 
   9:	90                   	nop
   a:	f3 0f 1e fa          	endbr64
   e:	41 89 ca             	mov    %ecx,%r10d
  11:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  18:	00 
  19:	85 c0                	test   %eax,%eax
  1b:	75 1d                	jne    0x3a
  1d:	45 31 c9             	xor    %r9d,%r9d
  20:	45 31 c0             	xor    %r8d,%r8d
  23:	b8 2d 00 00 00       	mov    $0x2d,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 68                	ja     0x9a
  32:	c3                   	ret
  33:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  3a:	41 54                	push   %r12
  3c:	48 83 ec 20          	sub    $0x20,%rsp

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 68                	ja     0x70
   8:	c3                   	ret
   9:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  10:	41 54                	push   %r12
  12:	48 83 ec 20          	sub    $0x20,%rsp
[ 1306.865188][T13529] RSP: 002b:00007ffc7264d228 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
[ 1306.865454][T13529] RAX: ffffffffffffffda RBX: 0000000000001f41 RCX: 00007f6428c84ef0
[ 1306.865746][T13529] RDX: 0000000000001f41 RSI: 00007ffc7265bcc0 RDI: 00000000000002b4
[ 1306.866052][T13529] RBP: 00007ffc7265dc40 R08: 0000000000000000 R09: 0000000000000000
[ 1306.866417][T13529] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6428b42000


Finger prints:
tls_strp_check_rcv:tls_rx_rec_wait:tls_sw_recvmsg:inet_recvmsg:__sys_recvfrom
print_report:kasan_report:tls_strp_check_rcv:tls_rx_rec_wait:tls_sw_recvmsg