[ 3027.417389][T16372] ==================================================================
[ 3027.417610][T16372] BUG: KASAN: slab-use-after-free in tcp_check_space+0x59/0x5f0
[ 3027.417809][T16372] Read of size 8 at addr ffff888001748048 by task kworker/u18:2/16372
[ 3027.418005][T16372]
[ 3027.418083][T16372] CPU: 2 PID: 16372 Comm: kworker/u18:2 Not tainted 6.9.0-rc2-virtme #1
[ 3027.418285][T16372] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 3027.418569][T16372] Workqueue: events_unbound deferred_close [tls]
[ 3027.418751][T16372] Call Trace:
[ 3027.418855][T16372]
[ 3027.418922][T16372]  dump_stack_lvl+0x82/0xd0
[ 3027.419070][T16372]  print_address_description.constprop.0+0x2c/0x3b0
[ 3027.419236][T16372]  ? tcp_check_space+0x59/0x5f0
[ 3027.419365][T16372]  print_report+0xb4/0x270
[ 3027.419497][T16372]  ? kasan_addr_to_slab+0x4e/0x90
[ 3027.419628][T16372]  kasan_report+0xbd/0xf0
[ 3027.419727][T16372]  ? tcp_check_space+0x59/0x5f0
[ 3027.419852][T16372]  kasan_check_range+0x39/0x1c0
[ 3027.419989][T16372]  tcp_check_space+0x59/0x5f0
[ 3027.420116][T16372]  tcp_write_xmit+0x962/0x1cb0
[ 3027.420251][T16372]  ? __pfx_tcp_write_xmit+0x10/0x10
[ 3027.420386][T16372]  ? tcp_get_info+0x70/0x80
[ 3027.420516][T16372]  ? find_held_lock+0x2c/0x110
[ 3027.420653][T16372]  ? __lock_release+0x103/0x460
[ 3027.420789][T16372]  ? __pfx_tcp_close+0x10/0x10
[ 3027.420924][T16372]  __tcp_push_pending_frames+0x96/0x320
[ 3027.421062][T16372]  ? __pfx_tcp_close+0x10/0x10
[ 3027.421194][T16372]  __tcp_close+0x8a9/0xe00
[ 3027.421326][T16372]  ? lockdep_hardirqs_on_prepare.part.0+0x1af/0x370
[ 3027.421500][T16372]  ? __pfx_tcp_close+0x10/0x10
[ 3027.421636][T16372]  tcp_close+0x24/0xc0
[ 3027.421744][T16372]  deferred_close+0x2c1/0x9e0 [tls]
[ 3027.421886][T16372]  ? trace_lock_acquire+0x135/0x1c0
[ 3027.422021][T16372]  ? __pfx_deferred_close+0x10/0x10 [tls]
[ 3027.422167][T16372]  ? process_one_work+0xde2/0x1730
[ 3027.422306][T16372]  ? lock_acquire+0x32/0xc0
[ 3027.422440][T16372]  ? process_one_work+0xde2/0x1730
[ 3027.422569][T16372]  process_one_work+0xe2c/0x1730
[ 3027.422699][T16372]  ? __pfx___lock_release+0x10/0x10
[ 3027.422836][T16372]  ? __pfx_process_one_work+0x10/0x10
[ 3027.422970][T16372]  ? assign_work+0x16c/0x240
[ 3027.423102][T16372]  worker_thread+0x587/0xd30
[ 3027.423230][T16372]  ? lockdep_hardirqs_on_prepare.part.0+0x1af/0x370
[ 3027.423385][T16372]  ? __pfx_worker_thread+0x10/0x10
[ 3027.423513][T16372]  ? __pfx_worker_thread+0x10/0x10
[ 3027.423635][T16372]  kthread+0x28a/0x350
[ 3027.423731][T16372]  ? __pfx_kthread+0x10/0x10
[ 3027.423855][T16372]  ret_from_fork+0x31/0x70
[ 3027.423988][T16372]  ? __pfx_kthread+0x10/0x10
[ 3027.424116][T16372]  ret_from_fork_asm+0x1a/0x30
[ 3027.424247][T16372]
[ 3027.424341][T16372]
[ 3027.424407][T16372] Allocated by task 28942:
[ 3027.424530][T16372]  kasan_save_stack+0x24/0x50
[ 3027.424656][T16372]  kasan_save_track+0x14/0x30
[ 3027.424784][T16372]  __kasan_slab_alloc+0x59/0x70
[ 3027.424907][T16372]  kmem_cache_alloc_lru+0xef/0x270
[ 3027.425035][T16372]  sock_alloc_inode+0x23/0x1c0
[ 3027.425161][T16372]  alloc_inode+0x5b/0x200
[ 3027.425254][T16372]  new_inode_pseudo+0x11/0x70
[ 3027.425387][T16372]  sock_alloc+0x40/0x280
[ 3027.425481][T16372]  __sock_create+0x6b/0x5c0
[ 3027.425606][T16372]  __sys_socket+0x11c/0x1e0
[ 3027.425731][T16372]  __x64_sys_socket+0x72/0xb0
[ 3027.425858][T16372]  do_syscall_64+0xc6/0x1e0
[ 3027.425982][T16372]  entry_SYSCALL_64_after_hwframe+0x72/0x7a
[ 3027.426142][T16372]
[ 3027.426207][T16372] Freed by task 67:
[ 3027.426300][T16372]  kasan_save_stack+0x24/0x50
[ 3027.426432][T16372]  kasan_save_track+0x14/0x30
[ 3027.426555][T16372]  kasan_save_free_info+0x3b/0x60
[ 3027.426677][T16372]  __kasan_slab_free+0xf4/0x180
[ 3027.426799][T16372]  kmem_cache_free+0xd7/0x220
[ 3027.426927][T16372]  rcu_do_batch+0x3c0/0xfb0
[ 3027.427051][T16372]  rcu_core+0x2be/0x500
[ 3027.427144][T16372]  __do_softirq+0x1f8/0x5df
[ 3027.427272][T16372]
[ 3027.427336][T16372] Last potentially related work creation:
[ 3027.427461][T16372]  kasan_save_stack+0x24/0x50
[ 3027.427589][T16372]  __kasan_record_aux_stack+0x8e/0xa0
[ 3027.427712][T16372]  __call_rcu_common.constprop.0+0x9e/0x830
[ 3027.427866][T16372]  __dentry_kill+0x17d/0x4f0
[ 3027.428005][T16372]  dput.part.0+0x333/0x6c0
[ 3027.428132][T16372]  __fput+0x2f8/0xa80
[ 3027.428226][T16372]  __x64_sys_close+0x7c/0xd0
[ 3027.428356][T16372]  do_syscall_64+0xc6/0x1e0
[ 3027.428479][T16372]  entry_SYSCALL_64_after_hwframe+0x72/0x7a
[ 3027.428639][T16372]
[ 3027.428704][T16372] The buggy address belongs to the object at ffff888001748040
[ 3027.428704][T16372]  which belongs to the cache sock_inode_cache of size 1344
[ 3027.429030][T16372] The buggy address is located 8 bytes inside of
[ 3027.429030][T16372]  freed 1344-byte region [ffff888001748040, ffff888001748580)
[ 3027.429330][T16372]
[ 3027.429393][T16372] The buggy address belongs to the physical page:
[ 3027.429543][T16372] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800174d180 pfn:0x1748
[ 3027.429803][T16372] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 3027.429988][T16372] flags: 0x80000000000a40(workingset|slab|head|node=0|zone=1)
[ 3027.430179][T16372] page_type: 0xffffffff()
[ 3027.430281][T16372] raw: 0080000000000a40 ffff88800197dcc0 ffffea00001d6010 ffff8880021e8448
[ 3027.430504][T16372] raw: ffff88800174d180 000000000014000a 00000001ffffffff 0000000000000000
[ 3027.430724][T16372] head: 0080000000000a40 ffff88800197dcc0 ffffea00001d6010 ffff8880021e8448
[ 3027.430940][T16372] head: ffff88800174d180 000000000014000a 00000001ffffffff 0000000000000000
[ 3027.431162][T16372] head: 0080000000000003 ffffea000005d201 ffffea000005d248 00000000ffffffff
[ 3027.431386][T16372] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 3027.431600][T16372] page dumped because: kasan: bad access detected
[ 3027.431757][T16372]
[ 3027.431821][T16372] Memory state around the buggy address:
[ 3027.431940][T16372]  ffff888001747f00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 3027.432120][T16372]  ffff888001747f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 3027.432302][T16372] >ffff888001748000: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 3027.432486][T16372]                                               ^
[ 3027.432632][T16372]  ffff888001748080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3027.432813][T16372]  ffff888001748100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3027.432987][T16372] ==================================================================
[ 3027.433250][T16372] Disabling lock debugging due to kernel taint