======================================
[ 4185.262433][T26566] ==================================================================
[4185.262700][T26566] BUG: KASAN: slab-use-after-free in tcp_check_space (./arch/x86/include/asm/bitops.h:206 (discriminator 1) ./arch/x86/include/asm/bitops.h:238 (discriminator 1) ./include/asm-generic/bitops/instrumented-non-atomic.h:142 (discriminator 1) net/ipv4/tcp_input.c:5640 (discriminator 1))
[ 4185.262899][T26566] Read of size 8 at addr ffff88800bad8cc8 by task kworker/u18:1/26566
[ 4185.263087][T26566]
[ 4185.263369][T26566] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 4185.263654][T26566] Workqueue: events_unbound deferred_close [tls]
[ 4185.263858][T26566] Call Trace:
[ 4185.263989][T26566]
[4185.264063][T26566] dump_stack_lvl (lib/dump_stack.c:117)
[4185.264210][T26566] print_address_description.constprop.0 (mm/kasan/report.c:378)
[4185.264389][T26566] ? tcp_check_space (./arch/x86/include/asm/bitops.h:206 (discriminator 1) ./arch/x86/include/asm/bitops.h:238 (discriminator 1) ./include/asm-generic/bitops/instrumented-non-atomic.h:142 (discriminator 1) net/ipv4/tcp_input.c:5640 (discriminator 1))
[4185.264531][T26566] print_report (mm/kasan/report.c:489)
[4185.264664][T26566] ? kasan_addr_to_slab (./arch/x86/include/asm/bitops.h:206 ./arch/x86/include/asm/bitops.h:238 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 ./include/linux/page-flags.h:507 mm/kasan/../slab.h:206 mm/kasan/common.c:38)
[4185.264795][T26566] kasan_report (mm/kasan/report.c:603)
[4185.264893][T26566] ? tcp_check_space (./arch/x86/include/asm/bitops.h:206 (discriminator 1) ./arch/x86/include/asm/bitops.h:238 (discriminator 1) ./include/asm-generic/bitops/instrumented-non-atomic.h:142 (discriminator 1) net/ipv4/tcp_input.c:5640 (discriminator 1))
[4185.265024][T26566] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
[4185.265150][T26566] tcp_check_space (./arch/x86/include/asm/bitops.h:206 (discriminator 1) ./arch/x86/include/asm/bitops.h:238 (discriminator 1) ./include/asm-generic/bitops/instrumented-non-atomic.h:142 (discriminator 1) net/ipv4/tcp_input.c:5640 (discriminator 1))
[4185.265281][T26566] tcp_write_xmit (net/ipv4/tcp_output.c:1974 net/ipv4/tcp_output.c:2803)
[4185.265420][T26566] ? __pfx_tcp_write_xmit (net/ipv4/tcp_output.c:2704)
[4185.265551][T26566] ? tcp_get_info (net/ipv4/tcp.c:3784)
[4185.265677][T26566] ? find_held_lock (kernel/locking/lockdep.c:5244)
[4185.265808][T26566] ? skb_release_data (./arch/x86/include/asm/atomic.h:91 ./include/linux/atomic/atomic-arch-fallback.h:787 ./include/linux/atomic/atomic-instrumented.h:290 ./include/linux/skbuff.h:1247 net/core/skbuff.c:1092)
[4185.265939][T26566] __tcp_push_pending_frames (net/ipv4/tcp_output.c:2979)
[4185.266074][T26566] __tcp_close (net/ipv4/tcp.c:2851)
[4185.266207][T26566] ? lockdep_hardirqs_on_prepare.part.0 (kernel/locking/lockdep.c:4300 kernel/locking/lockdep.c:4359)
[4185.266369][T26566] ? __pfx_tcp_close (net/ipv4/tcp.c:2940)
[4185.266498][T26566] tcp_close (net/ipv4/tcp.c:2943)
[4185.266595][T26566] deferred_close (net/tls/tls_main.c:403) tls
[4185.266729][T26566] ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 52))
[4185.266860][T26566] ? __pfx_deferred_close (net/tls/tls_main.c:375) tls
[4185.267006][T26566] ? process_one_work (kernel/workqueue.c:3230)
[4185.267136][T26566] ? lock_acquire (kernel/locking/lockdep.c:5727)
[4185.267260][T26566] ? process_one_work (kernel/workqueue.c:3230)
[4185.267385][T26566] process_one_work (kernel/workqueue.c:3254)
[4185.267514][T26566] ? __pfx___lock_release (kernel/locking/lockdep.c:5406)
[4185.267641][T26566] ? __pfx_process_one_work (kernel/workqueue.c:3156)
[4185.267781][T26566] ? assign_work (kernel/workqueue.c:1209)
[4185.267936][T26566] worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)
[4185.268079][T26566] ? lockdep_hardirqs_on_prepare.part.0 (kernel/locking/lockdep.c:4300 kernel/locking/lockdep.c:4359)
[4185.268256][T26566] ? __pfx_worker_thread (kernel/workqueue.c:3362)
[4185.268400][T26566] ? __pfx_worker_thread (kernel/workqueue.c:3362)
[4185.268547][T26566] kthread (kernel/kthread.c:388)
[4185.268659][T26566] ? __pfx_kthread (kernel/kthread.c:341)
[4185.268805][T26566] ret_from_fork (arch/x86/kernel/process.c:147)
[4185.268950][T26566] ? __pfx_kthread (kernel/kthread.c:341)
Finger prints: dump_stack_lvl:print_report:kasan_report:kasan_check_range