======================================
| [ 6292.194976][ T3241] ==================================================================
| [ 6292.195385][ T3241] BUG: KASAN: slab-use-after-free in tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
| [ 6292.195694][ T3241] Read of size 4 at addr ffff88800ab07b10 by task tls/3241
| [ 6292.195980][ T3241]
[ 6292.196099][ T3241] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 6292.196104][ T3241] Call Trace:
[ 6292.196107][ T3241]  <TASK>
[ 6292.196110][ T3241] dump_stack_lvl (lib/dump_stack.c:123) 
[ 6292.196131][ T3241] print_address_description.constprop.0 (mm/kasan/report.c:409) 
[ 6292.196150][ T3241] ? tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[ 6292.196160][ T3241] print_report (mm/kasan/report.c:522) 
[ 6292.196164][ T3241] ? tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[ 6292.196172][ T3241] ? kasan_addr_to_slab (./include/linux/mm.h:1178 mm/kasan/../slab.h:211 mm/kasan/common.c:38) 
[ 6292.196175][ T3241] ? tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[ 6292.196183][ T3241] kasan_report (mm/kasan/report.c:636) 
[ 6292.196189][ T3241] ? tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[ 6292.196199][ T3241] tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[ 6292.196209][ T3241] ? __pfx_tls_strp_check_rcv (net/tls/tls_strp.c:540) tls 
[ 6292.196217][ T3241] ? __lock_acquire (kernel/locking/lockdep.c:5240) 
[ 6292.196233][ T3241] tls_rx_rec_wait (net/tls/tls.h:219 net/tls/tls_sw.c:1359) tls 
[ 6292.196242][ T3241] ? sk_psock_get (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:871 ./include/linux/skmsg.h:464) tls 
[ 6292.196252][ T3241] ? __pfx_tls_rx_rec_wait (net/tls/tls_sw.c:1334) tls 
[ 6292.196260][ T3241] ? sk_psock_get (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:871 ./include/linux/skmsg.h:464) tls 
[ 6292.196269][ T3241] ? __pfx_woken_wake_function (kernel/sched/wait.c:439) 
[ 6292.196277][ T3241] ? __local_bh_enable_ip (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 kernel/softirq.c:412) 
[ 6292.196292][ T3241] tls_sw_recvmsg (net/tls/tls_sw.c:2067) tls 
[ 6292.196308][ T3241] ? __pfx_tls_sw_recvmsg (net/tls/tls_sw.c:2013) tls 
[ 6292.196316][ T3241] ? do_pte_missing (mm/memory.c:5719 mm/memory.c:4251) 
[ 6292.196329][ T3241] inet_recvmsg (net/ipv4/af_inet.c:883 (discriminator 5)) 
[ 6292.196344][ T3241] ? __pfx_inet_recvmsg (net/ipv4/af_inet.c:875) 
[ 6292.196350][ T3241] __sys_recvfrom (net/socket.c:1065 net/socket.c:1087 net/socket.c:2278) 
[ 6292.196363][ T3241] ? __pfx___sys_recvfrom (net/socket.c:2255) 
[ 6292.196371][ T3241] ? rseq_update_cpu_node_id (kernel/rseq.c:189 (discriminator 10)) 
[ 6292.196383][ T3241] ? __rseq_handle_notify_resume (kernel/rseq.c:442) 
[ 6292.196385][ T3241] ? find_held_lock (kernel/locking/lockdep.c:5353) 
[ 6292.196393][ T3241] ? __pfx___rseq_handle_notify_resume (kernel/rseq.c:425) 
[ 6292.196397][ T3241] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:109 ./arch/x86/include/asm/irqflags.h:151 arch/x86/mm/fault.c:1484 arch/x86/mm/fault.c:1532) 
[ 6292.196405][ T3241] ? xfd_validate_state (arch/x86/kernel/fpu/xstate.c:1473 arch/x86/kernel/fpu/xstate.c:1517) 
[ 6292.196415][ T3241] ? do_user_addr_fault (./arch/x86/include/asm/atomic.h:93 ./include/linux/atomic/atomic-arch-fallback.h:949 ./include/linux/atomic/atomic-instrumented.h:401 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/mmap_lock.h:142 ./include/linux/mmap_lock.h:237 arch/x86/mm/fault.c:1338) 
[ 6292.196423][ T3241] __x64_sys_recvfrom (net/socket.c:2289) 
[ 6292.196427][ T3241] ? do_syscall_64 (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./include/linux/entry-common.h:199 arch/x86/entry/syscall_64.c:90) 
[ 6292.196433][ T3241] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4475) 
[ 6292.196436][ T3241] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
[ 6292.196440][ T3241] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[ 6292.196448][ T3241] RIP: 0033:0x7f8ac269eef0
[ 6292.196452][ T3241] Code: 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 1d 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 68 c3 0f 1f 80 00 00 00 00 41 54 48 83 ec 20
All code
========
   0:	2e 0f 1f 84 00 00 00 	cs nopl 0x0(%rax,%rax,1)
   7:	00 00 
   9:	90                   	nop
   a:	f3 0f 1e fa          	endbr64
   e:	41 89 ca             	mov    %ecx,%r10d
  11:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  18:	00 
  19:	85 c0                	test   %eax,%eax
  1b:	75 1d                	jne    0x3a
  1d:	45 31 c9             	xor    %r9d,%r9d
  20:	45 31 c0             	xor    %r8d,%r8d
  23:	b8 2d 00 00 00       	mov    $0x2d,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 68                	ja     0x9a
  32:	c3                   	ret
  33:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  3a:	41 54                	push   %r12
  3c:	48 83 ec 20          	sub    $0x20,%rsp

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 68                	ja     0x70
   8:	c3                   	ret
   9:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  10:	41 54                	push   %r12
  12:	48 83 ec 20          	sub    $0x20,%rsp
[ 6292.196455][ T3241] RSP: 002b:00007ffd7272e458 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
[ 6292.196462][ T3241] RAX: ffffffffffffffda RBX: 0000000000000f99 RCX: 00007f8ac269eef0
[ 6292.196465][ T3241] RDX: 0000000000001f41 RSI: 00007ffd7273cef0 RDI: 0000000000000177
[ 6292.196467][ T3241] RBP: 00007ffd7273ee70 R08: 0000000000000000 R09: 0000000000000000
[ 6292.196469][ T3241] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8ac255e000
[ 6292.196470][ T3241] R13: 00007ffd7273cef0 R14: 00007ffd7273ee84 R15: 00000000010fca1f
| [ 6292.226410][ T3241] Disabling lock debugging due to kernel taint
| [ 6292.226697][ T3241] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN NOPTI
| [ 6292.227117][ T3241] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
| [ 6292.227783][ T3241] Tainted: [B]=BAD_PAGE
[ 6292.227929][ T3241] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 6292.228166][ T3241] RIP: 0010:tls_strp_check_rcv (net/tls/tls_strp.c:446 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[ 6292.228420][ T3241] Code: 7b 28 eb 41 41 01 c7 41 29 c5 48 89 d8 48 c1 e8 03 42 80 3c 30 00 0f 85 f8 01 00 00 48 8b 1b 48 8d 7b 28 48 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 03 0f 8e 00 02 00 00 44 3b 7b 28 0f
All code
========
   0:	7b 28                	jnp    0x2a
   2:	eb 41                	jmp    0x45
   4:	41 01 c7             	add    %eax,%r15d
   7:	41 29 c5             	sub    %eax,%r13d
   a:	48 89 d8             	mov    %rbx,%rax
   d:	48 c1 e8 03          	shr    $0x3,%rax
  11:	42 80 3c 30 00       	cmpb   $0x0,(%rax,%r14,1)
  16:	0f 85 f8 01 00 00    	jne    0x214
  1c:	48 8b 1b             	mov    (%rbx),%rbx
  1f:	48 8d 7b 28          	lea    0x28(%rbx),%rdi
  23:	48 89 f8             	mov    %rdi,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
  2a:*	42 0f b6 04 30       	movzbl (%rax,%r14,1),%eax		<-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	74 08                	je     0x3b
  33:	3c 03                	cmp    $0x3,%al
  35:	0f 8e 00 02 00 00    	jle    0x23b
  3b:	44 3b 7b 28          	cmp    0x28(%rbx),%r15d
  3f:	0f                   	.byte 0xf

Code starting with the faulting instruction
===========================================
   0:	42 0f b6 04 30       	movzbl (%rax,%r14,1),%eax
   5:	84 c0                	test   %al,%al
   7:	74 08                	je     0x11
   9:	3c 03                	cmp    $0x3,%al
   b:	0f 8e 00 02 00 00    	jle    0x211
  11:	44 3b 7b 28          	cmp    0x28(%rbx),%r15d
  15:	0f                   	.byte 0xf
[ 6292.229083][ T3241] RSP: 0018:ffffc90002867908 EFLAGS: 00010206
[ 6292.229321][ T3241] RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffffffc082513c
[ 6292.229609][ T3241] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000028
[ 6292.229893][ T3241] RBP: ffff88801b572cd0 R08: ffff88801b572cda R09: fffffbfff5a5b0b8
[ 6292.230170][ T3241] R10: ffffffffad2d85c7 R11: ffffc90002867400 R12: 1ffff9200050cf24
[ 6292.230444][ T3241] R13: 0000000000001e86 R14: dffffc0000000000 R15: 000000000d945df4
[ 6292.230825][ T3241] FS:  00007f8ac258c740(0000) GS:ffff8880bfd17000(0000) knlGS:0000000000000000
[ 6292.231147][ T3241] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6292.231378][ T3241] CR2: 00007f8ac269f110 CR3: 0000000018962005 CR4: 0000000000772ef0
[ 6292.231756][ T3241] PKRU: 55555554
[ 6292.231903][ T3241] Call Trace:
[ 6292.232040][ T3241]  <TASK>
[ 6292.232134][ T3241] ? __pfx_tls_strp_check_rcv (net/tls/tls_strp.c:540) tls 
[ 6292.232371][ T3241] ? __lock_acquire (kernel/locking/lockdep.c:5240) 
[ 6292.232560][ T3241] tls_rx_rec_wait (net/tls/tls.h:219 net/tls/tls_sw.c:1359) tls 
[ 6292.232751][ T3241] ? sk_psock_get (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:871 ./include/linux/skmsg.h:464) tls 
[ 6292.232939][ T3241] ? __pfx_tls_rx_rec_wait (net/tls/tls_sw.c:1334) tls 
[ 6292.233269][ T3241] ? sk_psock_get (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:871 ./include/linux/skmsg.h:464) tls 
[ 6292.233456][ T3241] ? __pfx_woken_wake_function (kernel/sched/wait.c:439) 
[ 6292.233640][ T3241] ? __local_bh_enable_ip (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 kernel/softirq.c:412) 
[ 6292.233828][ T3241] tls_sw_recvmsg (net/tls/tls_sw.c:2067) tls 
[ 6292.234119][ T3241] ? __pfx_tls_sw_recvmsg (net/tls/tls_sw.c:2013) tls 
[ 6292.234306][ T3241] ? do_pte_missing (mm/memory.c:5719 mm/memory.c:4251) 
[ 6292.234493][ T3241] inet_recvmsg (net/ipv4/af_inet.c:883 (discriminator 5)) 
[ 6292.234674][ T3241] ? __pfx_inet_recvmsg (net/ipv4/af_inet.c:875) 
[ 6292.234959][ T3241] __sys_recvfrom (net/socket.c:1065 net/socket.c:1087 net/socket.c:2278) 
[ 6292.235142][ T3241] ? __pfx___sys_recvfrom (net/socket.c:2255) 
[ 6292.235329][ T3241] ? rseq_update_cpu_node_id (kernel/rseq.c:189 (discriminator 10)) 
[ 6292.235513][ T3241] ? __rseq_handle_notify_resume (kernel/rseq.c:442) 
[ 6292.235841][ T3241] ? find_held_lock (kernel/locking/lockdep.c:5353) 
[ 6292.236024][ T3241] ? __pfx___rseq_handle_notify_resume (kernel/rseq.c:425) 
[ 6292.236248][ T3241] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:109 ./arch/x86/include/asm/irqflags.h:151 arch/x86/mm/fault.c:1484 arch/x86/mm/fault.c:1532) 
[ 6292.236429][ T3241] ? xfd_validate_state (arch/x86/kernel/fpu/xstate.c:1473 arch/x86/kernel/fpu/xstate.c:1517) 
[ 6292.236719][ T3241] ? do_user_addr_fault (./arch/x86/include/asm/atomic.h:93 ./include/linux/atomic/atomic-arch-fallback.h:949 ./include/linux/atomic/atomic-instrumented.h:401 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/mmap_lock.h:142 ./include/linux/mmap_lock.h:237 arch/x86/mm/fault.c:1338) 
[ 6292.236904][ T3241] __x64_sys_recvfrom (net/socket.c:2289) 
[ 6292.237085][ T3241] ? do_syscall_64 (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./include/linux/entry-common.h:199 arch/x86/entry/syscall_64.c:90) 
[ 6292.237264][ T3241] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4475) 
[ 6292.237445][ T3241] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
[ 6292.237628][ T3241] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[ 6292.237851][ T3241] RIP: 0033:0x7f8ac269eef0
[ 6292.238040][ T3241] Code: 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 1d 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 68 c3 0f 1f 80 00 00 00 00 41 54 48 83 ec 20
All code
========
   0:	2e 0f 1f 84 00 00 00 	cs nopl 0x0(%rax,%rax,1)
   7:	00 00 
   9:	90                   	nop
   a:	f3 0f 1e fa          	endbr64
   e:	41 89 ca             	mov    %ecx,%r10d
  11:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  18:	00 
  19:	85 c0                	test   %eax,%eax
  1b:	75 1d                	jne    0x3a
  1d:	45 31 c9             	xor    %r9d,%r9d
  20:	45 31 c0             	xor    %r8d,%r8d
  23:	b8 2d 00 00 00       	mov    $0x2d,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 68                	ja     0x9a
  32:	c3                   	ret
  33:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  3a:	41 54                	push   %r12
  3c:	48 83 ec 20          	sub    $0x20,%rsp

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 68                	ja     0x70
   8:	c3                   	ret
   9:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  10:	41 54                	push   %r12
  12:	48 83 ec 20          	sub    $0x20,%rsp
[ 6292.238678][ T3241] RSP: 002b:00007ffd7272e458 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
[ 6292.239055][ T3241] RAX: ffffffffffffffda RBX: 0000000000000f99 RCX: 00007f8ac269eef0
[ 6292.239332][ T3241] RDX: 0000000000001f41 RSI: 00007ffd7273cef0 RDI: 0000000000000177
[ 6292.239607][ T3241] RBP: 00007ffd7273ee70 R08: 0000000000000000 R09: 0000000000000000
[ 6292.239984][ T3241] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8ac255e000


Finger prints:
tls_strp_check_rcv:tls_rx_rec_wait:tls_sw_recvmsg:inet_recvmsg:__sys_recvfrom
print_report:kasan_report:tls_strp_check_rcv:tls_rx_rec_wait:tls_sw_recvmsg