======================================
| [ 3823.888367][T27360] ==================================================================
| [3823.888751][T27360] BUG: KASAN: slab-use-after-free in tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
| [ 3823.889030][T27360] Read of size 4 at addr ffff88800edc2d50 by task tls/27360
| [ 3823.889301][T27360]
[ 3823.889413][T27360] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 3823.889420][T27360] Call Trace:
[ 3823.889424][T27360]  <TASK>
[3823.889426][T27360] dump_stack_lvl (lib/dump_stack.c:123) 
[3823.889460][T27360] print_address_description.constprop.0 (mm/kasan/report.c:409) 
[3823.889480][T27360] ? tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[3823.889490][T27360] print_report (mm/kasan/report.c:522) 
[3823.889493][T27360] ? tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[3823.889501][T27360] ? kasan_addr_to_slab (./include/linux/mm.h:1178 mm/kasan/../slab.h:211 mm/kasan/common.c:38) 
[3823.889505][T27360] ? tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[3823.889513][T27360] kasan_report (mm/kasan/report.c:636) 
[3823.889519][T27360] ? tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[3823.889529][T27360] tls_strp_check_rcv (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[3823.889539][T27360] ? __pfx_tls_strp_check_rcv (net/tls/tls_strp.c:540) tls 
[3823.889548][T27360] ? __lock_acquire (kernel/locking/lockdep.c:5240) 
[3823.889563][T27360] tls_rx_rec_wait (net/tls/tls.h:219 net/tls/tls_sw.c:1359) tls 
[3823.889572][T27360] ? sk_psock_get (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:871 ./include/linux/skmsg.h:464) tls 
[3823.889581][T27360] ? __pfx_tls_rx_rec_wait (net/tls/tls_sw.c:1334) tls 
[3823.889589][T27360] ? sk_psock_get (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:871 ./include/linux/skmsg.h:464) tls 
[3823.889597][T27360] ? __pfx_woken_wake_function (kernel/sched/wait.c:439) 
[3823.889606][T27360] ? __local_bh_enable_ip (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 kernel/softirq.c:412) 
[3823.889620][T27360] tls_sw_recvmsg (net/tls/tls_sw.c:2067) tls 
[3823.889635][T27360] ? __pfx_tls_sw_recvmsg (net/tls/tls_sw.c:2013) tls 
[3823.889643][T27360] ? do_pte_missing (mm/memory.c:5719 mm/memory.c:4251) 
[3823.889655][T27360] inet_recvmsg (net/ipv4/af_inet.c:883 (discriminator 5)) 
[3823.889671][T27360] ? __pfx_inet_recvmsg (net/ipv4/af_inet.c:875) 
[3823.889677][T27360] __sys_recvfrom (net/socket.c:1065 net/socket.c:1087 net/socket.c:2278) 
[3823.889693][T27360] ? __pfx___sys_recvfrom (net/socket.c:2255) 
[3823.889700][T27360] ? rseq_update_cpu_node_id (kernel/rseq.c:189 (discriminator 10)) 
[3823.889712][T27360] ? __rseq_handle_notify_resume (kernel/rseq.c:442) 
[3823.889715][T27360] ? find_held_lock (kernel/locking/lockdep.c:5353) 
[3823.889723][T27360] ? __pfx___rseq_handle_notify_resume (kernel/rseq.c:425) 
[3823.889727][T27360] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:109 ./arch/x86/include/asm/irqflags.h:151 arch/x86/mm/fault.c:1484 arch/x86/mm/fault.c:1532) 
[3823.889735][T27360] ? xfd_validate_state (arch/x86/kernel/fpu/xstate.c:1473 arch/x86/kernel/fpu/xstate.c:1517) 
[3823.889744][T27360] ? do_user_addr_fault (./arch/x86/include/asm/atomic.h:93 ./include/linux/atomic/atomic-arch-fallback.h:949 ./include/linux/atomic/atomic-instrumented.h:401 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/mmap_lock.h:142 ./include/linux/mmap_lock.h:237 arch/x86/mm/fault.c:1338) 
[3823.889753][T27360] __x64_sys_recvfrom (net/socket.c:2289) 
[3823.889756][T27360] ? do_syscall_64 (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./include/linux/entry-common.h:199 arch/x86/entry/syscall_64.c:90) 
[3823.889763][T27360] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4475) 
[3823.889765][T27360] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
[3823.889769][T27360] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[ 3823.889777][T27360] RIP: 0033:0x7fd79c8deef0
[ 3823.889781][T27360] Code: 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 1d 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 68 c3 0f 1f 80 00 00 00 00 41 54 48 83 ec 20
All code
========
   0:	2e 0f 1f 84 00 00 00 	cs nopl 0x0(%rax,%rax,1)
   7:	00 00 
   9:	90                   	nop
   a:	f3 0f 1e fa          	endbr64
   e:	41 89 ca             	mov    %ecx,%r10d
  11:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  18:	00 
  19:	85 c0                	test   %eax,%eax
  1b:	75 1d                	jne    0x3a
  1d:	45 31 c9             	xor    %r9d,%r9d
  20:	45 31 c0             	xor    %r8d,%r8d
  23:	b8 2d 00 00 00       	mov    $0x2d,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 68                	ja     0x9a
  32:	c3                   	ret
  33:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  3a:	41 54                	push   %r12
  3c:	48 83 ec 20          	sub    $0x20,%rsp

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 68                	ja     0x70
   8:	c3                   	ret
   9:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  10:	41 54                	push   %r12
  12:	48 83 ec 20          	sub    $0x20,%rsp
[ 3823.889784][T27360] RSP: 002b:00007ffe30bd6978 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
[ 3823.889791][T27360] RAX: ffffffffffffffda RBX: 0000000000000f99 RCX: 00007fd79c8deef0
[ 3823.889794][T27360] RDX: 0000000000001f41 RSI: 00007ffe30be5410 RDI: 0000000000000138
[ 3823.889796][T27360] RBP: 00007ffe30be7390 R08: 0000000000000000 R09: 0000000000000000
[ 3823.889798][T27360] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd79c79e000
[ 3823.889800][T27360] R13: 00007ffe30be5410 R14: 00007ffe30be73a4 R15: 000000000104dec5
| [ 3823.913267][T27360] Disabling lock debugging due to kernel taint
| [ 3823.913514][T27360] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN NOPTI
| [ 3823.913903][T27360] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
| [ 3823.914498][T27360] Tainted: [B]=BAD_PAGE
[ 3823.914629][T27360] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[3823.914835][T27360] RIP: 0010:tls_strp_check_rcv (net/tls/tls_strp.c:446 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) tls 
[ 3823.915054][T27360] Code: 7b 28 eb 41 41 01 c7 41 29 c5 48 89 d8 48 c1 e8 03 42 80 3c 30 00 0f 85 f8 01 00 00 48 8b 1b 48 8d 7b 28 48 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 03 0f 8e 00 02 00 00 44 3b 7b 28 0f
All code
========
   0:	7b 28                	jnp    0x2a
   2:	eb 41                	jmp    0x45
   4:	41 01 c7             	add    %eax,%r15d
   7:	41 29 c5             	sub    %eax,%r13d
   a:	48 89 d8             	mov    %rbx,%rax
   d:	48 c1 e8 03          	shr    $0x3,%rax
  11:	42 80 3c 30 00       	cmpb   $0x0,(%rax,%r14,1)
  16:	0f 85 f8 01 00 00    	jne    0x214
  1c:	48 8b 1b             	mov    (%rbx),%rbx
  1f:	48 8d 7b 28          	lea    0x28(%rbx),%rdi
  23:	48 89 f8             	mov    %rdi,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
  2a:*	42 0f b6 04 30       	movzbl (%rax,%r14,1),%eax		<-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	74 08                	je     0x3b
  33:	3c 03                	cmp    $0x3,%al
  35:	0f 8e 00 02 00 00    	jle    0x23b
  3b:	44 3b 7b 28          	cmp    0x28(%rbx),%r15d
  3f:	0f                   	.byte 0xf

Code starting with the faulting instruction
===========================================
   0:	42 0f b6 04 30       	movzbl (%rax,%r14,1),%eax
   5:	84 c0                	test   %al,%al
   7:	74 08                	je     0x11
   9:	3c 03                	cmp    $0x3,%al
   b:	0f 8e 00 02 00 00    	jle    0x211
  11:	44 3b 7b 28          	cmp    0x28(%rbx),%r15d
  15:	0f                   	.byte 0xf
[ 3823.915641][T27360] RSP: 0018:ffffc90001baf908 EFLAGS: 00010206
[ 3823.915851][T27360] RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffffffffc059413c
[ 3823.916100][T27360] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000028
[ 3823.916352][T27360] RBP: ffff8880099420d0 R08: ffff8880099420da R09: fffffbfff27db0b8
[ 3823.916598][T27360] R10: ffffffff93ed85c7 R11: ffffc90001baf400 R12: 1ffff92000375f24
[ 3823.916851][T27360] R13: 0000000000001e86 R14: dffffc0000000000 R15: 00000000454254b3
[ 3823.917099][T27360] FS:  00007fd79c7cc740(0000) GS:ffff8880d8f97000(0000) knlGS:0000000000000000
[ 3823.917394][T27360] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3823.917605][T27360] CR2: 00007fd79c8df110 CR3: 000000000fe0e003 CR4: 0000000000772ef0
[ 3823.917854][T27360] PKRU: 55555554
[ 3823.917981][T27360] Call Trace:
[ 3823.918106][T27360]  <TASK>
[3823.918194][T27360] ? __pfx_tls_strp_check_rcv (net/tls/tls_strp.c:540) tls 
[3823.918412][T27360] ? __lock_acquire (kernel/locking/lockdep.c:5240) 
[3823.918585][T27360] tls_rx_rec_wait (net/tls/tls.h:219 net/tls/tls_sw.c:1359) tls 
[3823.918762][T27360] ? sk_psock_get (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:871 ./include/linux/skmsg.h:464) tls 
[3823.918935][T27360] ? __pfx_tls_rx_rec_wait (net/tls/tls_sw.c:1334) tls 
[3823.919143][T27360] ? sk_psock_get (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:871 ./include/linux/skmsg.h:464) tls 
[3823.919325][T27360] ? __pfx_woken_wake_function (kernel/sched/wait.c:439) 
[3823.919495][T27360] ? __local_bh_enable_ip (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 kernel/softirq.c:412) 
[3823.919664][T27360] tls_sw_recvmsg (net/tls/tls_sw.c:2067) tls 
[3823.919843][T27360] ? __pfx_tls_sw_recvmsg (net/tls/tls_sw.c:2013) tls 
[3823.920012][T27360] ? do_pte_missing (mm/memory.c:5719 mm/memory.c:4251) 
[3823.920180][T27360] inet_recvmsg (net/ipv4/af_inet.c:883 (discriminator 5)) 
[3823.920347][T27360] ? __pfx_inet_recvmsg (net/ipv4/af_inet.c:875) 
[3823.920516][T27360] __sys_recvfrom (net/socket.c:1065 net/socket.c:1087 net/socket.c:2278) 
[3823.920684][T27360] ? __pfx___sys_recvfrom (net/socket.c:2255) 
[3823.920953][T27360] ? rseq_update_cpu_node_id (kernel/rseq.c:189 (discriminator 10)) 
[3823.921120][T27360] ? __rseq_handle_notify_resume (kernel/rseq.c:442) 
[3823.921325][T27360] ? find_held_lock (kernel/locking/lockdep.c:5353) 
[3823.921593][T27360] ? __pfx___rseq_handle_notify_resume (kernel/rseq.c:425) 
[3823.921797][T27360] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:109 ./arch/x86/include/asm/irqflags.h:151 arch/x86/mm/fault.c:1484 arch/x86/mm/fault.c:1532) 
[3823.921962][T27360] ? xfd_validate_state (arch/x86/kernel/fpu/xstate.c:1473 arch/x86/kernel/fpu/xstate.c:1517) 
[3823.922128][T27360] ? do_user_addr_fault (./arch/x86/include/asm/atomic.h:93 ./include/linux/atomic/atomic-arch-fallback.h:949 ./include/linux/atomic/atomic-instrumented.h:401 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/mmap_lock.h:142 ./include/linux/mmap_lock.h:237 arch/x86/mm/fault.c:1338) 
[3823.922392][T27360] __x64_sys_recvfrom (net/socket.c:2289) 
[3823.922557][T27360] ? do_syscall_64 (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./include/linux/entry-common.h:199 arch/x86/entry/syscall_64.c:90) 
[3823.922722][T27360] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4475) 
[3823.922888][T27360] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
[3823.923154][T27360] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[ 3823.923365][T27360] RIP: 0033:0x7fd79c8deef0
[ 3823.923533][T27360] Code: 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 1d 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 68 c3 0f 1f 80 00 00 00 00 41 54 48 83 ec 20
All code
========
   0:	2e 0f 1f 84 00 00 00 	cs nopl 0x0(%rax,%rax,1)
   7:	00 00 
   9:	90                   	nop
   a:	f3 0f 1e fa          	endbr64
   e:	41 89 ca             	mov    %ecx,%r10d
  11:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  18:	00 
  19:	85 c0                	test   %eax,%eax
  1b:	75 1d                	jne    0x3a
  1d:	45 31 c9             	xor    %r9d,%r9d
  20:	45 31 c0             	xor    %r8d,%r8d
  23:	b8 2d 00 00 00       	mov    $0x2d,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 68                	ja     0x9a
  32:	c3                   	ret
  33:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  3a:	41 54                	push   %r12
  3c:	48 83 ec 20          	sub    $0x20,%rsp

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 68                	ja     0x70
   8:	c3                   	ret
   9:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  10:	41 54                	push   %r12
  12:	48 83 ec 20          	sub    $0x20,%rsp
[ 3823.924218][T27360] RSP: 002b:00007ffe30bd6978 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
[ 3823.924466][T27360] RAX: ffffffffffffffda RBX: 0000000000000f99 RCX: 00007fd79c8deef0
[ 3823.924816][T27360] RDX: 0000000000001f41 RSI: 00007ffe30be5410 RDI: 0000000000000138
[ 3823.925067][T27360] RBP: 00007ffe30be7390 R08: 0000000000000000 R09: 0000000000000000
[ 3823.925420][T27360] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd79c79e000


Finger prints:
tls_strp_check_rcv:tls_rx_rec_wait:tls_sw_recvmsg:inet_recvmsg:__sys_recvfrom
print_report:kasan_report:tls_strp_check_rcv:tls_rx_rec_wait:tls_sw_recvmsg