[ 4249.323525][ T39] ==================================================================
[ 4249.323849][ T39] BUG: KASAN: slab-use-after-free in tcp_check_space+0x59/0x5f0
[ 4249.324061][ T39] Read of size 8 at addr ffff8880110b57c8 by task kworker/u20:0/39
[ 4249.324260][ T39]
[ 4249.324336][ T39] CPU: 3 PID: 39 Comm: kworker/u20:0 Not tainted 6.9.0-rc2-virtme #1
[ 4249.324539][ T39] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 4249.324821][ T39] Workqueue: events_unbound deferred_close [tls]
[ 4249.324999][ T39] Call Trace:
[ 4249.325099][ T39]
[ 4249.325168][ T39]  dump_stack_lvl+0x82/0xd0
[ 4249.325308][ T39]  print_address_description.constprop.0+0x2c/0x3b0
[ 4249.325466][ T39]  ? tcp_check_space+0x59/0x5f0
[ 4249.325594][ T39]  print_report+0xb4/0x270
[ 4249.325718][ T39]  ? kasan_addr_to_slab+0x4e/0x90
[ 4249.325851][ T39]  kasan_report+0xbd/0xf0
[ 4249.325959][ T39]  ? tcp_check_space+0x59/0x5f0
[ 4249.326091][ T39]  kasan_check_range+0x39/0x1c0
[ 4249.326227][ T39]  tcp_check_space+0x59/0x5f0
[ 4249.326359][ T39]  tcp_write_xmit+0x962/0x1cb0
[ 4249.326495][ T39]  ? __pfx_tcp_write_xmit+0x10/0x10
[ 4249.326622][ T39]  ? tcp_get_info+0x70/0x80
[ 4249.326757][ T39]  ? find_held_lock+0x2c/0x110
[ 4249.326897][ T39]  ? __lock_release+0x103/0x460
[ 4249.327032][ T39]  ? __pfx_tcp_close+0x10/0x10
[ 4249.327162][ T39]  __tcp_push_pending_frames+0x96/0x320
[ 4249.327288][ T39]  ? __pfx_tcp_close+0x10/0x10
[ 4249.327418][ T39]  __tcp_close+0x8a9/0xe00
[ 4249.327551][ T39]  ? lockdep_hardirqs_on_prepare.part.0+0x1af/0x370
[ 4249.327716][ T39]  ? __pfx_tcp_close+0x10/0x10
[ 4249.327843][ T39]  tcp_close+0x24/0xc0
[ 4249.327939][ T39]  deferred_close+0x2c1/0x9e0 [tls]
[ 4249.328082][ T39]  ? trace_lock_acquire+0x135/0x1c0
[ 4249.328214][ T39]  ? __pfx_deferred_close+0x10/0x10 [tls]
[ 4249.328349][ T39]  ? process_one_work+0xde2/0x1730
[ 4249.328478][ T39]  ? lock_acquire+0x32/0xc0
[ 4249.328605][ T39]  ? process_one_work+0xde2/0x1730
[ 4249.328737][ T39]  process_one_work+0xe2c/0x1730
[ 4249.328868][ T39]  ? __pfx___lock_release+0x10/0x10
[ 4249.329002][ T39]  ? __pfx_process_one_work+0x10/0x10
[ 4249.329131][ T39]  ? assign_work+0x16c/0x240
[ 4249.329260][ T39]  worker_thread+0x587/0xd30
[ 4249.329388][ T39]  ? __pfx_worker_thread+0x10/0x10
[ 4249.329520][ T39]  kthread+0x28a/0x350
[ 4249.329624][ T39]  ? __pfx_kthread+0x10/0x10
[ 4249.329751][ T39]  ret_from_fork+0x31/0x70
[ 4249.329892][ T39]  ? __pfx_kthread+0x10/0x10
[ 4249.330029][ T39]  ret_from_fork_asm+0x1a/0x30
[ 4249.330169][ T39]
[ 4249.330268][ T39]
[ 4249.330338][ T39] Allocated by task 3755:
[ 4249.330441][ T39]  kasan_save_stack+0x24/0x50
[ 4249.330582][ T39]  kasan_save_track+0x14/0x30
[ 4249.330718][ T39]  __kasan_slab_alloc+0x59/0x70
[ 4249.330860][ T39]  kmem_cache_alloc_lru+0xef/0x270
[ 4249.331006][ T39]  sock_alloc_inode+0x23/0x1c0
[ 4249.331150][ T39]  alloc_inode+0x5b/0x200
[ 4249.331256][ T39]  new_inode_pseudo+0x11/0x70
[ 4249.331392][ T39]  sock_alloc+0x40/0x280
[ 4249.331496][ T39]  __sock_create+0x6b/0x5c0
[ 4249.331642][ T39]  __sys_socket+0x11c/0x1e0
[ 4249.331782][ T39]  __x64_sys_socket+0x72/0xb0
[ 4249.331926][ T39]  do_syscall_64+0xc6/0x1e0
[ 4249.332066][ T39]  entry_SYSCALL_64_after_hwframe+0x72/0x7a
[ 4249.332259][ T39]
[ 4249.332328][ T39] Freed by task 0:
[ 4249.332435][ T39]  kasan_save_stack+0x24/0x50
[ 4249.332566][ T39]  kasan_save_track+0x14/0x30
[ 4249.332700][ T39]  kasan_save_free_info+0x3b/0x60
[ 4249.332841][ T39]  __kasan_slab_free+0xf4/0x180
[ 4249.332975][ T39]  kmem_cache_free+0xd7/0x220
[ 4249.333118][ T39]  rcu_do_batch+0x3c0/0xfb0
[ 4249.333261][ T39]  rcu_core+0x2be/0x500
[ 4249.333370][ T39]  __do_softirq+0x1f8/0x5df
[ 4249.333503][ T39]
[ 4249.333585][ T39] Last potentially related work creation:
[ 4249.333719][ T39]  kasan_save_stack+0x24/0x50
[ 4249.333857][ T39]  __kasan_record_aux_stack+0x8e/0xa0
[ 4249.333996][ T39]  __call_rcu_common.constprop.0+0x9e/0x830
[ 4249.334166][ T39]  __dentry_kill+0x17d/0x4f0
[ 4249.334300][ T39]  dput.part.0+0x333/0x6c0
[ 4249.334435][ T39]  __fput+0x2f8/0xa80
[ 4249.334542][ T39]  __x64_sys_close+0x7c/0xd0
[ 4249.334679][ T39]  do_syscall_64+0xc6/0x1e0
[ 4249.334816][ T39]  entry_SYSCALL_64_after_hwframe+0x72/0x7a
[ 4249.334979][ T39]
[ 4249.335046][ T39] The buggy address belongs to the object at ffff8880110b57c0
[ 4249.335046][ T39]  which belongs to the cache sock_inode_cache of size 1344
[ 4249.335404][ T39] The buggy address is located 8 bytes inside of
[ 4249.335404][ T39]  freed 1344-byte region [ffff8880110b57c0, ffff8880110b5d00)
[ 4249.335800][ T39]
[ 4249.335867][ T39] The buggy address belongs to the physical page:
[ 4249.336100][ T39] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x110b0
[ 4249.336327][ T39] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 4249.336680][ T39] flags: 0x80000000000840(slab|head|node=0|zone=1)
[ 4249.336854][ T39] page_type: 0xffffffff()
[ 4249.336965][ T39] raw: 0080000000000840 ffff88800197dcc0 ffffea0000058410 ffff8880021e8468
[ 4249.337214][ T39] raw: 0000000000000000 0000000000140014 00000001ffffffff 0000000000000000
[ 4249.337455][ T39] head: 0080000000000840 ffff88800197dcc0 ffffea0000058410 ffff8880021e8468
[ 4249.337692][ T39] head: 0000000000000000 0000000000140014 00000001ffffffff 0000000000000000
[ 4249.338014][ T39] head: 0080000000000003 ffffea0000442c01 dead000000000122 00000000ffffffff
[ 4249.338250][ T39] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 4249.338491][ T39] page dumped because: kasan: bad access detected
[ 4249.338655][ T39]
[ 4249.338720][ T39] Memory state around the buggy address:
[ 4249.338842][ T39]  ffff8880110b5680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 4249.339040][ T39]  ffff8880110b5700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4249.339234][ T39] >ffff8880110b5780: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 4249.339435][ T39]                                               ^
[ 4249.339673][ T39]  ffff8880110b5800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4249.339864][ T39]  ffff8880110b5880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4249.340057][ T39] ==================================================================
[ 4249.341826][ T39] Disabling lock debugging due to kernel taint