[ 4185.262433][T26566] ==================================================================
[ 4185.262700][T26566] BUG: KASAN: slab-use-after-free in tcp_check_space+0x59/0x5f0
[ 4185.262899][T26566] Read of size 8 at addr ffff88800bad8cc8 by task kworker/u18:1/26566
[ 4185.263087][T26566]
[ 4185.263171][T26566] CPU: 1 PID: 26566 Comm: kworker/u18:1 Not tainted 6.9.0-rc2-virtme #1
[ 4185.263369][T26566] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 4185.263654][T26566] Workqueue: events_unbound deferred_close [tls]
[ 4185.263858][T26566] Call Trace:
[ 4185.263989][T26566]
[ 4185.264063][T26566]  dump_stack_lvl+0x82/0xd0
[ 4185.264210][T26566]  print_address_description.constprop.0+0x2c/0x3b0
[ 4185.264389][T26566]  ? tcp_check_space+0x59/0x5f0
[ 4185.264531][T26566]  print_report+0xb4/0x270
[ 4185.264664][T26566]  ? kasan_addr_to_slab+0x4e/0x90
[ 4185.264795][T26566]  kasan_report+0xbd/0xf0
[ 4185.264893][T26566]  ? tcp_check_space+0x59/0x5f0
[ 4185.265024][T26566]  kasan_check_range+0x39/0x1c0
[ 4185.265150][T26566]  tcp_check_space+0x59/0x5f0
[ 4185.265281][T26566]  tcp_write_xmit+0x962/0x1cb0
[ 4185.265420][T26566]  ? __pfx_tcp_write_xmit+0x10/0x10
[ 4185.265551][T26566]  ? tcp_get_info+0x70/0x80
[ 4185.265677][T26566]  ? find_held_lock+0x2c/0x110
[ 4185.265808][T26566]  ? skb_release_data+0x5b5/0x7e0
[ 4185.265939][T26566]  __tcp_push_pending_frames+0x96/0x320
[ 4185.266074][T26566]  __tcp_close+0x8a9/0xe00
[ 4185.266207][T26566]  ? lockdep_hardirqs_on_prepare.part.0+0x1af/0x370
[ 4185.266369][T26566]  ? __pfx_tcp_close+0x10/0x10
[ 4185.266498][T26566]  tcp_close+0x24/0xc0
[ 4185.266595][T26566]  deferred_close+0x2c1/0x9e0 [tls]
[ 4185.266729][T26566]  ? trace_lock_acquire+0x135/0x1c0
[ 4185.266860][T26566]  ? __pfx_deferred_close+0x10/0x10 [tls]
[ 4185.267006][T26566]  ? process_one_work+0xde2/0x1730
[ 4185.267136][T26566]  ? lock_acquire+0x32/0xc0
[ 4185.267260][T26566]  ? process_one_work+0xde2/0x1730
[ 4185.267385][T26566]  process_one_work+0xe2c/0x1730
[ 4185.267514][T26566]  ? __pfx___lock_release+0x10/0x10
[ 4185.267641][T26566]  ? __pfx_process_one_work+0x10/0x10
[ 4185.267781][T26566]  ? assign_work+0x16c/0x240
[ 4185.267936][T26566]  worker_thread+0x587/0xd30
[ 4185.268079][T26566]  ? lockdep_hardirqs_on_prepare.part.0+0x1af/0x370
[ 4185.268256][T26566]  ? __pfx_worker_thread+0x10/0x10
[ 4185.268400][T26566]  ? __pfx_worker_thread+0x10/0x10
[ 4185.268547][T26566]  kthread+0x28a/0x350
[ 4185.268659][T26566]  ? __pfx_kthread+0x10/0x10
[ 4185.268805][T26566]  ret_from_fork+0x31/0x70
[ 4185.268950][T26566]  ? __pfx_kthread+0x10/0x10
[ 4185.269089][T26566]  ret_from_fork_asm+0x1a/0x30
[ 4185.269234][T26566]
[ 4185.269344][T26566]
[ 4185.269419][T26566] Allocated by task 30594:
[ 4185.269561][T26566]  kasan_save_stack+0x24/0x50
[ 4185.269693][T26566]  kasan_save_track+0x14/0x30
[ 4185.269822][T26566]  __kasan_slab_alloc+0x59/0x70
[ 4185.269955][T26566]  kmem_cache_alloc_lru+0xef/0x270
[ 4185.270102][T26566]  sock_alloc_inode+0x23/0x1c0
[ 4185.270248][T26566]  alloc_inode+0x5b/0x200
[ 4185.270353][T26566]  new_inode_pseudo+0x11/0x70
[ 4185.270491][T26566]  sock_alloc+0x40/0x280
[ 4185.270602][T26566]  do_accept+0x132/0x560
[ 4185.270708][T26566]  __sys_accept4+0x60/0xc0
[ 4185.270844][T26566]  __x64_sys_accept+0x74/0xb0
[ 4185.270988][T26566]  do_syscall_64+0xc6/0x1e0
[ 4185.271132][T26566]  entry_SYSCALL_64_after_hwframe+0x72/0x7a
[ 4185.271320][T26566]
[ 4185.271395][T26566] Freed by task 26566:
[ 4185.271504][T26566]  kasan_save_stack+0x24/0x50
[ 4185.271655][T26566]  kasan_save_track+0x14/0x30
[ 4185.271800][T26566]  kasan_save_free_info+0x3b/0x60
[ 4185.271939][T26566]  __kasan_slab_free+0xf4/0x180
[ 4185.272091][T26566]  kmem_cache_free+0xd7/0x220
[ 4185.272226][T26566]  rcu_do_batch+0x3c0/0xfb0
[ 4185.272370][T26566]  rcu_core+0x2be/0x500
[ 4185.272500][T26566]  __do_softirq+0x1f8/0x5df
[ 4185.272650][T26566]
[ 4185.272726][T26566] Last potentially related work creation:
[ 4185.272871][T26566]  kasan_save_stack+0x24/0x50
[ 4185.273026][T26566]  __kasan_record_aux_stack+0x8e/0xa0
[ 4185.273186][T26566]  __call_rcu_common.constprop.0+0x9e/0x830
[ 4185.273371][T26566]  __dentry_kill+0x17d/0x4f0
[ 4185.273515][T26566]  dput.part.0+0x333/0x6c0
[ 4185.273673][T26566]  __fput+0x2f8/0xa80
[ 4185.273781][T26566]  __x64_sys_close+0x7c/0xd0
[ 4185.273933][T26566]  do_syscall_64+0xc6/0x1e0
[ 4185.274072][T26566]  entry_SYSCALL_64_after_hwframe+0x72/0x7a
[ 4185.274258][T26566]
[ 4185.274337][T26566] The buggy address belongs to the object at ffff88800bad8cc0
[ 4185.274337][T26566]  which belongs to the cache sock_inode_cache of size 1344
[ 4185.274712][T26566] The buggy address is located 8 bytes inside of
[ 4185.274712][T26566]  freed 1344-byte region [ffff88800bad8cc0, ffff88800bad9200)
[ 4185.275075][T26566]
[ 4185.275143][T26566] The buggy address belongs to the physical page:
[ 4185.275304][T26566] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800badb880 pfn:0xbad8
[ 4185.275565][T26566] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 4185.275755][T26566] flags: 0x80000000000a40(workingset|slab|head|node=0|zone=1)
[ 4185.275949][T26566] page_type: 0xffffffff()
[ 4185.276060][T26566] raw: 0080000000000a40 ffff88800197dcc0 ffff8880021e8448 ffff8880021e8448
[ 4185.276292][T26566] raw: ffff88800badb880 0000000000140009 00000001ffffffff 0000000000000000
[ 4185.276527][T26566] head: 0080000000000a40 ffff88800197dcc0 ffff8880021e8448 ffff8880021e8448
[ 4185.276762][T26566] head: ffff88800badb880 0000000000140009 00000001ffffffff 0000000000000000
[ 4185.276990][T26566] head: 0080000000000003 ffffea00002eb601 ffffea00002eb648 00000000ffffffff
[ 4185.277232][T26566] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 4185.277482][T26566] page dumped because: kasan: bad access detected
[ 4185.277653][T26566]
[ 4185.277727][T26566] Memory state around the buggy address:
[ 4185.277860][T26566]  ffff88800bad8b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 4185.278062][T26566]  ffff88800bad8c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4185.278263][T26566] >ffff88800bad8c80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 4185.278475][T26566]                                            ^
[ 4185.278636][T26566]  ffff88800bad8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4185.278833][T26566]  ffff88800bad8d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4185.279026][T26566] ==================================================================
[ 4185.279266][T26566] Disabling lock debugging due to kernel taint