[ 2076.939873][T18987] ==================================================================
[ 2076.940264][T18987] BUG: KASAN: slab-use-after-free in tcp_prune_ofo_queue+0x595/0x660
[ 2076.940556][T18987] Read of size 4 at addr ffff88801637d998 by task socat/18987
[ 2076.940850][T18987]
[ 2076.940962][T18987] CPU: 2 UID: 0 PID: 18987 Comm: socat Not tainted 6.16.0-rc5-virtme #1 PREEMPT(full)
[ 2076.940967][T18987] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 2076.940969][T18987] Call Trace:
[ 2076.940971][T18987]  <TASK>
[ 2076.940972][T18987]  dump_stack_lvl+0x82/0xd0
[ 2076.940979][T18987]  print_address_description.constprop.0+0x2c/0x400
[ 2076.940985][T18987]  ? tcp_prune_ofo_queue+0x595/0x660
[ 2076.940988][T18987]  print_report+0xb4/0x270
[ 2076.940991][T18987]  ? tcp_prune_ofo_queue+0x595/0x660
[ 2076.940993][T18987]  ? kasan_addr_to_slab+0x25/0x80
[ 2076.940998][T18987]  ? tcp_prune_ofo_queue+0x595/0x660
[ 2076.941001][T18987]  kasan_report+0xca/0x100
[ 2076.941004][T18987]  ? tcp_prune_ofo_queue+0x595/0x660
[ 2076.941009][T18987]  tcp_prune_ofo_queue+0x595/0x660
[ 2076.941015][T18987]  tcp_try_rmem_schedule+0x855/0x12e0
[ 2076.941022][T18987]  tcp_data_queue+0x4dd/0x2260
[ 2076.941029][T18987]  ? __pfx_tcp_data_queue+0x10/0x10
[ 2076.941033][T18987]  ? kvm_clock_get_cycles+0x18/0x30
[ 2076.941038][T18987]  ? ktime_get+0xb8/0x200
[ 2076.941043][T18987]  tcp_rcv_established+0x5e8/0x2370
[ 2076.941048][T18987]  ? find_held_lock+0x2b/0x80
[ 2076.941053][T18987]  ? __pfx_tcp_rcv_established+0x10/0x10
[ 2076.941057][T18987]  ? ipv4_dst_check+0x167/0x2e0
[ 2076.941063][T18987]  tcp_v4_do_rcv+0x4ba/0x8c0
[ 2076.941067][T18987]  ? lockdep_hardirqs_on+0x7c/0x110
[ 2076.941072][T18987]  __release_sock+0x27a/0x390
[ 2076.941080][T18987]  release_sock+0x53/0x1d0
[ 2076.941083][T18987]  tcp_recvmsg+0xf7/0x4f0
[ 2076.941088][T18987]  ? __unix_dgram_recvmsg+0x166/0xc70
[ 2076.941092][T18987]  ? __pfx_tcp_recvmsg+0x10/0x10
[ 2076.941096][T18987]  ? __unix_dgram_recvmsg+0x166/0xc70
[ 2076.941100][T18987]  ? __mutex_unlock_slowpath+0x144/0x400
[ 2076.941105][T18987]  ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 2076.941110][T18987]  inet_recvmsg+0x109/0x1f0
[ 2076.941114][T18987]  ? __pfx_inet_recvmsg+0x10/0x10
[ 2076.941118][T18987]  ? __unix_dgram_recvmsg+0x166/0xc70
[ 2076.941122][T18987]  sock_read_iter+0x3da/0x530
[ 2076.941128][T18987]  ? __pfx___unix_dgram_recvmsg+0x10/0x10
[ 2076.941131][T18987]  ? __pfx_sock_read_iter+0x10/0x10
[ 2076.941141][T18987]  vfs_read+0x9b4/0xce0
[ 2076.941145][T18987]  ? __pfx___sys_recvfrom+0x10/0x10
[ 2076.941149][T18987]  ? __pfx_vfs_read+0x10/0x10
[ 2076.941155][T18987]  ? __rseq_handle_notify_resume+0x2b8/0x420
[ 2076.941163][T18987]  ksys_read+0x183/0x1d0
[ 2076.941166][T18987]  ? __pfx_ksys_read+0x10/0x10
[ 2076.941172][T18987]  do_syscall_64+0xc1/0x380
[ 2076.941178][T18987]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 2076.941181][T18987] RIP: 0033:0x7fc562e02292
[ 2076.941185][T18987] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 6a 15 0c 00 e8 65 e1 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
[ 2076.941188][T18987] RSP: 002b:00007fffc8fe63c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 2076.941192][T18987] RAX: ffffffffffffffda RBX: 000056451c947560 RCX: 00007fc562e02292
[ 2076.941194][T18987] RDX: 0000000000002000 RSI: 000056451c949000 RDI: 0000000000000008
[ 2076.941196][T18987] RBP: 000056451c949000 R08: 0000000000002000 R09: 0000000000000000
[ 2076.941198][T18987] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000008
[ 2076.941200][T18987] R13: 0000000000002000 R14: 00005644faa5810e R15: 0000000000000001
[ 2076.941206][T18987]  </TASK>
[ 2076.941208][T18987]
[ 2076.953038][T18987] Allocated by task 18996:
[ 2076.953231][T18987]  kasan_save_stack+0x24/0x50
[ 2076.953446][T18987]  kasan_save_track+0x14/0x30
[ 2076.953658][T18987]  __kasan_slab_alloc+0x59/0x70
[ 2076.953854][T18987]  kmem_cache_alloc_node_noprof+0x110/0x340
[ 2076.954110][T18987]  __alloc_skb+0x213/0x2e0
[ 2076.954313][T18987]  ip_frag_next+0x116/0xd20
[ 2076.954512][T18987]  ip_do_fragment+0x74e/0x18c0
[ 2076.954713][T18987]  __ip_finish_output+0x475/0x740
[ 2076.954917][T18987]  __netif_receive_skb_one_core+0x164/0x1b0
[ 2076.955170][T18987]  process_backlog+0x3c1/0x13e0
[ 2076.955366][T18987]  __napi_poll.constprop.0+0xa2/0x460
[ 2076.955578][T18987]  net_rx_action+0x54f/0xda0
[ 2076.955775][T18987]  handle_softirqs+0x218/0x620
[ 2076.955973][T18987]  do_softirq+0xb1/0xe0
[ 2076.956130][T18987]  __local_bh_enable_ip+0x105/0x130
[ 2076.956327][T18987]  __dev_queue_xmit+0x987/0x18e0
[ 2076.956525][T18987]  ip_finish_output2+0x6fd/0x17d0
[ 2076.956721][T18987]  __ip_queue_xmit+0xf12/0x1690
[ 2076.956919][T18987]  __tcp_transmit_skb+0x1df1/0x2de0
[ 2076.957118][T18987]  tcp_write_xmit+0x8a1/0x2d30
[ 2076.957316][T18987]  __tcp_push_pending_frames+0x96/0x330
[ 2076.957515][T18987]  tcp_sendmsg_locked+0x1c30/0x3740
[ 2076.957719][T18987]  tcp_sendmsg+0x2c/0x50
[ 2076.957867][T18987]  sock_write_iter+0x3c1/0x520
[ 2076.958063][T18987]  vfs_write+0xc09/0x1210
[ 2076.958212][T18987]  ksys_write+0x183/0x1d0
[ 2076.958361][T18987]  do_syscall_64+0xc1/0x380
[ 2076.958562][T18987]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 2076.958808][T18987]
[ 2076.958907][T18987] Freed by task 18987:
[ 2076.959061][T18987]  kasan_save_stack+0x24/0x50
[ 2076.959263][T18987]  kasan_save_track+0x14/0x30
[ 2076.959461][T18987]  kasan_save_free_info+0x3b/0x60
[ 2076.959662][T18987]  __kasan_slab_free+0x38/0x50
[ 2076.959870][T18987]  kmem_cache_free+0x149/0x330
[ 2076.960069][T18987]  tcp_prune_ofo_queue+0x211/0x660
[ 2076.960266][T18987]  tcp_try_rmem_schedule+0x855/0x12e0
[ 2076.960469][T18987]  tcp_data_queue+0x4dd/0x2260
[ 2076.960668][T18987]  tcp_rcv_established+0x5e8/0x2370
[ 2076.960866][T18987]  tcp_v4_do_rcv+0x4ba/0x8c0
[ 2076.961063][T18987]  __release_sock+0x27a/0x390
[ 2076.961261][T18987]  release_sock+0x53/0x1d0
[ 2076.961458][T18987]  tcp_recvmsg+0xf7/0x4f0
[ 2076.961608][T18987]  inet_recvmsg+0x109/0x1f0
[ 2076.961804][T18987]  sock_read_iter+0x3da/0x530
[ 2076.962004][T18987]  vfs_read+0x9b4/0xce0
[ 2076.962152][T18987]  ksys_read+0x183/0x1d0
[ 2076.962300][T18987]  do_syscall_64+0xc1/0x380
[ 2076.962512][T18987]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 2076.962758][T18987]
[ 2076.962856][T18987] The buggy address belongs to the object at ffff88801637d8c0
[ 2076.962856][T18987]  which belongs to the cache skbuff_head_cache of size 232
[ 2076.963407][T18987] The buggy address is located 216 bytes inside of
[ 2076.963407][T18987]  freed 232-byte region [ffff88801637d8c0, ffff88801637d9a8)
[ 2076.963887][T18987]
[ 2076.963989][T18987] The buggy address belongs to the physical page:
[ 2076.964229][T18987] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1637c
[ 2076.964591][T18987] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 2076.964918][T18987] flags: 0x80000000000040(head|node=0|zone=1)
[ 2076.965181][T18987] page_type: f5(slab)
[ 2076.965335][T18987] raw: 0080000000000040 ffff88800198fb40 ffffea00006cc410 ffffea00002cd790
[ 2076.965702][T18987] raw: 0000000000000000 0000000000120012 00000000f5000000 0000000000000000
[ 2076.966058][T18987] head: 0080000000000040 ffff88800198fb40 ffffea00006cc410 ffffea00002cd790
[ 2076.966421][T18987] head: 0000000000000000 0000000000120012 00000000f5000000 0000000000000000
[ 2076.966782][T18987] head: 0080000000000001 ffffea000058df01 00000000ffffffff 00000000ffffffff
[ 2076.967132][T18987] head: ffff888000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 2076.967480][T18987] page dumped because: kasan: bad access detected
[ 2076.967738][T18987]
[ 2076.967832][T18987] Memory state around the buggy address:
[ 2076.968128][T18987]  ffff88801637d880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 2076.968419][T18987]  ffff88801637d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2076.968700][T18987] >ffff88801637d980: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[ 2076.968982][T18987]                             ^
[ 2076.969175][T18987]  ffff88801637da00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 2076.969457][T18987]  ffff88801637da80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2076.969849][T18987] ==================================================================
[ 2076.970212][T18987] Disabling lock debugging due to kernel taint
[ 2088.155045][T19101] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[ 2088.431389][T19107] br0: port 1(veth0) entered blocking state
[ 2088.431726][T19107] br0: port 1(veth0) entered disabled state
[ 2088.431984][T19107] veth0: entered allmulticast mode
[ 2088.433942][T19107] veth0: entered promiscuous mode
[ 2088.749894][T19110] br0: port 1(veth0) entered blocking state
[ 2088.750187][T19110] br0: port 1(veth0) entered forwarding state
[ 2091.560960][T19155] veth0: left allmulticast mode
[ 2091.561189][T19155] veth0: left promiscuous mode
[ 2091.561513][T19155] br0: port 1(veth0) entered disabled state
[ 2091.823244][T19158] 8021q: 802.1Q VLAN Support v1.8
[ 2092.101783][T19162] br0: port 1(veth0.10) entered blocking state
[ 2092.102067][T19162] br0: port 1(veth0.10) entered disabled state
[ 2092.102324][T19162] veth0.10: entered allmulticast mode
[ 2092.102497][T19162] veth0: entered allmulticast mode
[ 2092.105548][T19162] veth0.10: entered promiscuous mode
[ 2092.105739][T19162] veth0: entered promiscuous mode
[ 2092.106897][T19162] br0: port 1(veth0.10) entered blocking state
[ 2092.107133][T19162] br0: port 1(veth0.10) entered forwarding state
[ 2095.185456][T19213] br0: port 1(veth0.10) entered disabled state
[ 2095.361917][T19215] veth0.10 (unregistering): left allmulticast mode
[ 2095.362236][T19215] veth0: left allmulticast mode
[ 2095.362455][T19215] veth0.10 (unregistering): left promiscuous mode
[ 2095.362704][T19215] veth0: left promiscuous mode
[ 2095.363119][T19215] br0: port 1(veth0.10) entered disabled state
[ 2097.198070][T19238] Initializing XFRM netlink socket
[ 2151.657097][T19542] br0: port 1(veth0) entered blocking state
[ 2151.657398][T19542] br0: port 1(veth0) entered disabled state
[ 2151.657669][T19542] veth0: entered allmulticast mode
[ 2151.660451][T19542] veth0: entered promiscuous mode
[ 2151.906812][T19545] br0: port 1(veth0) entered blocking state
[ 2151.907102][T19545] br0: port 1(veth0) entered forwarding state
[ 2156.959534][T19594] veth0: left allmulticast mode
[ 2156.959776][T19594] veth0: left promiscuous mode
[ 2156.960936][T19594] br0: port 1(veth0) entered disabled state
[ 2157.380729][T19599] br0: port 1(veth0.10) entered blocking state
[ 2157.381016][T19599] br0: port 1(veth0.10) entered disabled state
[ 2157.381268][T19599] veth0.10: entered allmulticast mode
[ 2157.381440][T19599] veth0: entered allmulticast mode
[ 2157.383333][T19599] veth0.10: entered promiscuous mode
[ 2157.383517][T19599] veth0: entered promiscuous mode
[ 2157.384991][T19599] br0: port 1(veth0.10) entered blocking state
[ 2157.385228][T19599] br0: port 1(veth0.10) entered forwarding state
[ 2162.354904][T19650] br0: port 1(veth0.10) entered disabled state
[ 2162.550013][T19652] veth0.10 (unregistering): left allmulticast mode
[ 2162.550319][T19652] veth0: left allmulticast mode
[ 2162.550527][T19652] veth0.10 (unregistering): left promiscuous mode
[ 2162.550774][T19652] veth0: left promiscuous mode
[ 2162.551180][T19652] br0: port 1(veth0.10) entered disabled state