[ 3026.320432][T28824] ==================================================================
[ 3026.320756][T28824] BUG: KASAN: slab-use-after-free in tcp_check_space+0x59/0x5f0
[ 3026.320956][T28824] Read of size 8 at addr ffff888007d63888 by task kworker/u19:2/28824
[ 3026.321142][T28824]
[ 3026.321215][T28824] CPU: 0 PID: 28824 Comm: kworker/u19:2 Not tainted 6.9.0-rc2-virtme #1
[ 3026.321415][T28824] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 3026.321700][T28824] Workqueue: events_unbound deferred_close [tls]
[ 3026.321880][T28824] Call Trace:
[ 3026.321981][T28824]
[ 3026.322047][T28824]  dump_stack_lvl+0x82/0xd0
[ 3026.322182][T28824]  print_address_description.constprop.0+0x2c/0x3b0
[ 3026.322356][T28824]  ? tcp_check_space+0x59/0x5f0
[ 3026.322486][T28824]  print_report+0xb4/0x270
[ 3026.322613][T28824]  ? kasan_addr_to_slab+0x4e/0x90
[ 3026.322742][T28824]  kasan_report+0xbd/0xf0
[ 3026.322839][T28824]  ? tcp_check_space+0x59/0x5f0
[ 3026.322978][T28824]  kasan_check_range+0x39/0x1c0
[ 3026.323111][T28824]  tcp_check_space+0x59/0x5f0
[ 3026.323235][T28824]  tcp_write_xmit+0x962/0x1cb0
[ 3026.323367][T28824]  ? __pfx_tcp_write_xmit+0x10/0x10
[ 3026.323498][T28824]  ? tcp_get_info+0x70/0x80
[ 3026.323628][T28824]  ? find_held_lock+0x2c/0x110
[ 3026.323762][T28824]  ? __lock_release+0x103/0x460
[ 3026.323896][T28824]  ? __pfx_tcp_close+0x10/0x10
[ 3026.324028][T28824]  __tcp_push_pending_frames+0x96/0x320
[ 3026.324157][T28824]  ? __pfx_tcp_close+0x10/0x10
[ 3026.324289][T28824]  __tcp_close+0x8a9/0xe00
[ 3026.324419][T28824]  ? lockdep_hardirqs_on_prepare.part.0+0x1af/0x370
[ 3026.324580][T28824]  ? __pfx_tcp_close+0x10/0x10
[ 3026.324709][T28824]  tcp_close+0x24/0xc0
[ 3026.324807][T28824]  deferred_close+0x2c1/0x9e0 [tls]
[ 3026.324944][T28824]  ? trace_lock_acquire+0x135/0x1c0
[ 3026.325072][T28824]  ? __pfx_deferred_close+0x10/0x10 [tls]
[ 3026.325205][T28824]  ? process_one_work+0xde2/0x1730
[ 3026.325338][T28824]  ? lock_acquire+0x32/0xc0
[ 3026.325468][T28824]  ? process_one_work+0xde2/0x1730
[ 3026.325604][T28824]  process_one_work+0xe2c/0x1730
[ 3026.325739][T28824]  ? __pfx___lock_release+0x10/0x10
[ 3026.325870][T28824]  ? __pfx_process_one_work+0x10/0x10
[ 3026.326002][T28824]  ? assign_work+0x16c/0x240
[ 3026.326134][T28824]  worker_thread+0x587/0xd30
[ 3026.326263][T28824]  ? lockdep_hardirqs_on_prepare.part.0+0x1af/0x370
[ 3026.326420][T28824]  ? __pfx_worker_thread+0x10/0x10
[ 3026.326544][T28824]  ? __pfx_worker_thread+0x10/0x10
[ 3026.326673][T28824]  kthread+0x28a/0x350
[ 3026.326773][T28824]  ? __pfx_kthread+0x10/0x10
[ 3026.326899][T28824]  ret_from_fork+0x31/0x70
[ 3026.327028][T28824]  ? __pfx_kthread+0x10/0x10
[ 3026.327152][T28824]  ret_from_fork_asm+0x1a/0x30
[ 3026.327284][T28824]
[ 3026.327383][T28824]
[ 3026.327449][T28824] Allocated by task 28900:
[ 3026.327576][T28824]  kasan_save_stack+0x24/0x50
[ 3026.327705][T28824]  kasan_save_track+0x14/0x30
[ 3026.327833][T28824]  __kasan_slab_alloc+0x59/0x70
[ 3026.327961][T28824]  kmem_cache_alloc_lru+0xef/0x270
[ 3026.328093][T28824]  sock_alloc_inode+0x23/0x1c0
[ 3026.328221][T28824]  alloc_inode+0x5b/0x200
[ 3026.328316][T28824]  new_inode_pseudo+0x11/0x70
[ 3026.328441][T28824]  sock_alloc+0x40/0x280
[ 3026.328535][T28824]  __sock_create+0x6b/0x5c0
[ 3026.328664][T28824]  __sys_socket+0x11c/0x1e0
[ 3026.328791][T28824]  __x64_sys_socket+0x72/0xb0
[ 3026.328921][T28824]  do_syscall_64+0xc6/0x1e0
[ 3026.329050][T28824]  entry_SYSCALL_64_after_hwframe+0x72/0x7a
[ 3026.329207][T28824]
[ 3026.329271][T28824] Freed by task 0:
[ 3026.329369][T28824]  kasan_save_stack+0x24/0x50
[ 3026.329506][T28824]  kasan_save_track+0x14/0x30
[ 3026.329631][T28824]  kasan_save_free_info+0x3b/0x60
[ 3026.329756][T28824]  __kasan_slab_free+0xf4/0x180
[ 3026.329879][T28824]  kmem_cache_free+0xd7/0x220
[ 3026.330004][T28824]  rcu_do_batch+0x3c0/0xfb0
[ 3026.330131][T28824]  rcu_core+0x2be/0x500
[ 3026.330225][T28824]  __do_softirq+0x1f8/0x5df
[ 3026.330355][T28824]
[ 3026.330420][T28824] Last potentially related work creation:
[ 3026.330546][T28824]  kasan_save_stack+0x24/0x50
[ 3026.330680][T28824]  __kasan_record_aux_stack+0x8e/0xa0
[ 3026.330806][T28824]  __call_rcu_common.constprop.0+0x9e/0x830
[ 3026.330960][T28824]  __dentry_kill+0x17d/0x4f0
[ 3026.331087][T28824]  dput.part.0+0x333/0x6c0
[ 3026.331217][T28824]  __fput+0x2f8/0xa80
[ 3026.331314][T28824]  __x64_sys_close+0x7c/0xd0
[ 3026.331445][T28824]  do_syscall_64+0xc6/0x1e0
[ 3026.331573][T28824]  entry_SYSCALL_64_after_hwframe+0x72/0x7a
[ 3026.331730][T28824]
[ 3026.331793][T28824] The buggy address belongs to the object at ffff888007d63880
[ 3026.331793][T28824]  which belongs to the cache sock_inode_cache of size 1344
[ 3026.332134][T28824] The buggy address is located 8 bytes inside of
[ 3026.332134][T28824]  freed 1344-byte region [ffff888007d63880, ffff888007d63dc0)
[ 3026.332437][T28824]
[ 3026.332501][T28824] The buggy address belongs to the physical page:
[ 3026.332660][T28824] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888007d65e00 pfn:0x7d60
[ 3026.332918][T28824] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 3026.333124][T28824] flags: 0x80000000000a40(workingset|slab|head|node=0|zone=1)
[ 3026.333324][T28824] page_type: 0xffffffff()
[ 3026.333433][T28824] raw: 0080000000000a40 ffff88800197dcc0 ffff8880021e8448 ffff8880021e8448
[ 3026.333659][T28824] raw: ffff888007d65e00 000000000014000f 00000001ffffffff 0000000000000000
[ 3026.333891][T28824] head: 0080000000000a40 ffff88800197dcc0 ffff8880021e8448 ffff8880021e8448
[ 3026.334112][T28824] head: ffff888007d65e00 000000000014000f 00000001ffffffff 0000000000000000
[ 3026.334340][T28824] head: 0080000000000003 ffffea00001f5801 ffffea00001f5848 00000000ffffffff
[ 3026.334558][T28824] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 3026.334776][T28824] page dumped because: kasan: bad access detected
[ 3026.334935][T28824]
[ 3026.334997][T28824] Memory state around the buggy address:
[ 3026.335118][T28824]  ffff888007d63780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 3026.335299][T28824]  ffff888007d63800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 3026.335479][T28824] >ffff888007d63880: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3026.335660][T28824]                       ^
[ 3026.335751][T28824]  ffff888007d63900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3026.335932][T28824]  ffff888007d63980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3026.336113][T28824] ==================================================================
[ 3026.336328][T28824] Disabling lock debugging due to kernel taint