======================================
[ 3026.320432][T28824] ==================================================================
[ 3026.320756][T28824] BUG: KASAN: slab-use-after-free in tcp_check_space (./arch/x86/include/asm/bitops.h:206 (discriminator 1) ./arch/x86/include/asm/bitops.h:238 (discriminator 1) ./include/asm-generic/bitops/instrumented-non-atomic.h:142 (discriminator 1) net/ipv4/tcp_input.c:5640 (discriminator 1))
[ 3026.320956][T28824] Read of size 8 at addr ffff888007d63888 by task kworker/u19:2/28824
[ 3026.321142][T28824]
[ 3026.321415][T28824] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 3026.321700][T28824] Workqueue: events_unbound deferred_close [tls]
[ 3026.321880][T28824] Call Trace:
[ 3026.321981][T28824]
[ 3026.322047][T28824] dump_stack_lvl (lib/dump_stack.c:117)
[ 3026.322182][T28824] print_address_description.constprop.0 (mm/kasan/report.c:378)
[ 3026.322356][T28824] ? tcp_check_space (./arch/x86/include/asm/bitops.h:206 (discriminator 1) ./arch/x86/include/asm/bitops.h:238 (discriminator 1) ./include/asm-generic/bitops/instrumented-non-atomic.h:142 (discriminator 1) net/ipv4/tcp_input.c:5640 (discriminator 1))
[ 3026.322486][T28824] print_report (mm/kasan/report.c:489)
[ 3026.322613][T28824] ? kasan_addr_to_slab (./arch/x86/include/asm/bitops.h:206 ./arch/x86/include/asm/bitops.h:238 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 ./include/linux/page-flags.h:507 mm/kasan/../slab.h:206 mm/kasan/common.c:38)
[ 3026.322742][T28824] kasan_report (mm/kasan/report.c:603)
[ 3026.322839][T28824] ? tcp_check_space (./arch/x86/include/asm/bitops.h:206 (discriminator 1) ./arch/x86/include/asm/bitops.h:238 (discriminator 1) ./include/asm-generic/bitops/instrumented-non-atomic.h:142 (discriminator 1) net/ipv4/tcp_input.c:5640 (discriminator 1))
[ 3026.322978][T28824] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
[ 3026.323111][T28824] tcp_check_space (./arch/x86/include/asm/bitops.h:206 (discriminator 1) ./arch/x86/include/asm/bitops.h:238 (discriminator 1) ./include/asm-generic/bitops/instrumented-non-atomic.h:142 (discriminator 1) net/ipv4/tcp_input.c:5640 (discriminator 1))
[ 3026.323235][T28824] tcp_write_xmit (net/ipv4/tcp_output.c:1974 net/ipv4/tcp_output.c:2803)
[ 3026.323367][T28824] ? __pfx_tcp_write_xmit (net/ipv4/tcp_output.c:2704)
[ 3026.323498][T28824] ? tcp_get_info (net/ipv4/tcp.c:3784)
[ 3026.323628][T28824] ? find_held_lock (kernel/locking/lockdep.c:5244)
[ 3026.323762][T28824] ? __lock_release (kernel/locking/lockdep.c:5430)
[ 3026.323896][T28824] ? __pfx_tcp_close (net/ipv4/tcp.c:2940)
[ 3026.324028][T28824] __tcp_push_pending_frames (net/ipv4/tcp_output.c:2979)
[ 3026.324157][T28824] ? __pfx_tcp_close (net/ipv4/tcp.c:2940)
[ 3026.324289][T28824] __tcp_close (net/ipv4/tcp.c:2851)
[ 3026.324419][T28824] ? lockdep_hardirqs_on_prepare.part.0 (kernel/locking/lockdep.c:4300 kernel/locking/lockdep.c:4359)
[ 3026.324580][T28824] ? __pfx_tcp_close (net/ipv4/tcp.c:2940)
[ 3026.324709][T28824] tcp_close (net/ipv4/tcp.c:2943)
[ 3026.324807][T28824] deferred_close (net/tls/tls_main.c:403) tls
[ 3026.324944][T28824] ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 52))
[ 3026.325072][T28824] ? __pfx_deferred_close (net/tls/tls_main.c:375) tls
[ 3026.325205][T28824] ? process_one_work (kernel/workqueue.c:3230)
[ 3026.325338][T28824] ? lock_acquire (kernel/locking/lockdep.c:5727)
[ 3026.325468][T28824] ? process_one_work (kernel/workqueue.c:3230)
[ 3026.325604][T28824] process_one_work (kernel/workqueue.c:3254)
[ 3026.325739][T28824] ? __pfx___lock_release (kernel/locking/lockdep.c:5406)
[ 3026.325870][T28824] ? __pfx_process_one_work (kernel/workqueue.c:3156)
[ 3026.326002][T28824] ? assign_work (kernel/workqueue.c:1209)
[ 3026.326134][T28824] worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)
[ 3026.326263][T28824] ? lockdep_hardirqs_on_prepare.part.0 (kernel/locking/lockdep.c:4300 kernel/locking/lockdep.c:4359)
[ 3026.326420][T28824] ? __pfx_worker_thread (kernel/workqueue.c:3362)
[ 3026.326544][T28824] ? __pfx_worker_thread (kernel/workqueue.c:3362)
[ 3026.326673][T28824] kthread (kernel/kthread.c:388)
[ 3026.326773][T28824] ? __pfx_kthread (kernel/kthread.c:341)
[ 3026.326899][T28824] ret_from_fork (arch/x86/kernel/process.c:147)
[ 3026.327028][T28824] ? __pfx_kthread (kernel/kthread.c:341)
Finger prints: dump_stack_lvl:print_report:kasan_report:kasan_check_range