======================================
| [ 1175.823608][T10716] ==================================================================
| [1175.824013][T10716] BUG: KASAN: slab-use-after-free in tcp_prune_ofo_queue (net/ipv4/tcp_input.c:4896 net/ipv4/tcp_input.c:5520) 
| [ 1175.824357][T10716] Read of size 4 at addr ffff88800b5c37d8 by task socat/10716
| [ 1175.824686][T10716]
[ 1175.824810][T10716] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1175.824812][T10716] Call Trace:
[ 1175.824814][T10716]  <TASK>
[1175.824816][T10716] dump_stack_lvl (lib/dump_stack.c:123) 
[1175.824824][T10716] print_address_description.constprop.0 (mm/kasan/report.c:409) 
[1175.824832][T10716] ? tcp_prune_ofo_queue (net/ipv4/tcp_input.c:4896 net/ipv4/tcp_input.c:5520) 
[1175.824837][T10716] print_report (mm/kasan/report.c:522) 
[1175.824840][T10716] ? tcp_prune_ofo_queue (net/ipv4/tcp_input.c:4896 net/ipv4/tcp_input.c:5520) 
[1175.824843][T10716] ? kasan_addr_to_slab (./include/linux/mm.h:1178 mm/kasan/../slab.h:211 mm/kasan/common.c:38) 
[1175.824849][T10716] ? tcp_prune_ofo_queue (net/ipv4/tcp_input.c:4896 net/ipv4/tcp_input.c:5520) 
[1175.824851][T10716] kasan_report (mm/kasan/report.c:636) 
[1175.824862][T10716] ? tcp_prune_ofo_queue (net/ipv4/tcp_input.c:4896 net/ipv4/tcp_input.c:5520) 
[1175.824867][T10716] tcp_prune_ofo_queue (net/ipv4/tcp_input.c:4896 net/ipv4/tcp_input.c:5520) 
[1175.824873][T10716] tcp_try_rmem_schedule (./include/linux/instrumented.h:68 ./include/linux/atomic/atomic-instrumented.h:32 net/ipv4/tcp_input.c:4896 net/ipv4/tcp_input.c:5577 net/ipv4/tcp_input.c:4907) 
[1175.824880][T10716] tcp_data_queue (net/ipv4/tcp_input.c:5192) 
[1175.824887][T10716] ? __pfx_tcp_data_queue (net/ipv4/tcp_input.c:5145) 
[1175.824892][T10716] ? kvm_clock_get_cycles (./arch/x86/include/asm/preempt.h:95 arch/x86/kernel/kvmclock.c:80 arch/x86/kernel/kvmclock.c:86) 
[1175.824898][T10716] ? ktime_get (kernel/time/timekeeping.c:251 (discriminator 4) kernel/time/timekeeping.c:360 (discriminator 4) kernel/time/timekeeping.c:778 (discriminator 4)) 
[1175.824905][T10716] tcp_rcv_established (./include/linux/skbuff.h:2148 ./include/net/tcp.h:2089 ./include/net/tcp.h:2170 net/ipv4/tcp_input.c:5662 net/ipv4/tcp_input.c:6210) 
[1175.824909][T10716] ? find_held_lock (kernel/locking/lockdep.c:5353) 
[1175.824917][T10716] ? __pfx_tcp_rcv_established (net/ipv4/tcp_input.c:6027) 
[1175.824921][T10716] ? ipv4_dst_check (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:871 net/ipv4/route.c:401 net/ipv4/route.c:1216) 
[1175.824928][T10716] tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1972) 
[1175.824933][T10716] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4475) 
[1175.824939][T10716] __release_sock (./include/net/sock.h:1148 net/core/sock.c:3188) 
[1175.824947][T10716] release_sock (net/core/sock.c:3744) 
[1175.824951][T10716] tcp_recvmsg (net/ipv4/tcp.c:2908) 
[1175.824956][T10716] ? __unix_dgram_recvmsg (net/unix/af_unix.c:2583) 
[1175.824962][T10716] ? __pfx_tcp_recvmsg (net/ipv4/tcp.c:2892) 
[1175.824966][T10716] ? __unix_dgram_recvmsg (net/unix/af_unix.c:2583) 
[1175.824969][T10716] ? __mutex_unlock_slowpath (./arch/x86/include/asm/atomic64_64.h:101 ./include/linux/atomic/atomic-arch-fallback.h:4329 ./include/linux/atomic/atomic-long.h:1506 ./include/linux/atomic/atomic-instrumented.h:4481 kernel/locking/mutex.c:926) 
[1175.824975][T10716] ? __pfx___mutex_unlock_slowpath (kernel/locking/mutex.c:903) 
[1175.824980][T10716] inet_recvmsg (net/ipv4/af_inet.c:885 (discriminator 8)) 
[1175.824985][T10716] ? __pfx_inet_recvmsg (net/ipv4/af_inet.c:875) 
[1175.824989][T10716] ? __unix_dgram_recvmsg (net/unix/af_unix.c:2583) 
[1175.824993][T10716] sock_read_iter (net/socket.c:1065 net/socket.c:1087 net/socket.c:1157) 
[1175.825000][T10716] ? __pfx___unix_dgram_recvmsg (net/unix/af_unix.c:2554) 
[1175.825003][T10716] ? __pfx_sock_read_iter (net/socket.c:1141) 
[1175.825010][T10716] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:745) 
[1175.825017][T10716] vfs_read (fs/read_write.c:491 fs/read_write.c:572) 
[1175.825022][T10716] ? __pfx___sys_recvfrom (net/socket.c:2255) 
[1175.825025][T10716] ? ksys_read (./include/linux/file.h:62 ./include/linux/file.h:80 ./include/linux/file.h:85 fs/read_write.c:706) 
[1175.825028][T10716] ? __lock_release (kernel/locking/lockdep.c:5539) 
[1175.825031][T10716] ? __pfx_vfs_read (fs/read_write.c:553) 
[1175.825038][T10716] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:745) 
[1175.825043][T10716] ksys_read (fs/read_write.c:715) 
[1175.825046][T10716] ? __pfx_ksys_read (fs/read_write.c:705) 
[1175.825048][T10716] ? audit_reset_context.part.0.constprop.0 (./include/linux/list.h:373 kernel/auditsc.c:1025) 
[1175.825056][T10716] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
[1175.825062][T10716] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[ 1175.825066][T10716] RIP: 0033:0x7f1da2624292
[ 1175.825072][T10716] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 6a 15 0c 00 e8 65 e1 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
All code
========
   0:	c0 e9 b2             	shr    $0xb2,%cl
   3:	fe                   	(bad)
   4:	ff                   	(bad)
   5:	ff 50 48             	call   *0x48(%rax)
   8:	8d 3d 6a 15 0c 00    	lea    0xc156a(%rip),%edi        # 0xc1578
   e:	e8 65 e1 01 00       	call   0x1e178
  13:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  18:	f3 0f 1e fa          	endbr64
  1c:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  23:	00 
  24:	85 c0                	test   %eax,%eax
  26:	75 10                	jne    0x38
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 56                	ja     0x88
  32:	c3                   	ret
  33:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  38:	48 83 ec 28          	sub    $0x28,%rsp
  3c:	48                   	rex.W
  3d:	89                   	.byte 0x89
  3e:	54                   	push   %rsp
  3f:	24                   	.byte 0x24

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 56                	ja     0x5e
   8:	c3                   	ret
   9:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
   e:	48 83 ec 28          	sub    $0x28,%rsp
  12:	48                   	rex.W
  13:	89                   	.byte 0x89
  14:	54                   	push   %rsp
  15:	24                   	.byte 0x24
[ 1175.825075][T10716] RSP: 002b:00007ffea5a84ee8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 1175.825079][T10716] RAX: ffffffffffffffda RBX: 0000559241bd5560 RCX: 00007f1da2624292
[ 1175.825081][T10716] RDX: 0000000000002000 RSI: 0000559241bd7000 RDI: 0000000000000007
[ 1175.825083][T10716] RBP: 0000559241bd7000 R08: 0000000000002000 R09: 0000000000000000
[ 1175.825085][T10716] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000007


Finger prints:
print_report:kasan_report:tcp_prune_ofo_queue:tcp_try_rmem_schedule:tcp_data_queue