RBP: 0000000000017000 R08: 0000000020000248 R09: 0000000000000000
R10: fe03f80fe03f80ff R11: 0000000000000246 R12: 0000000000000003
R13: 0000000020000100 R14: 0000000020000200 R15: 0000000020000040
==================================================================
BUG: KASAN: use-after-free in tls_write_space+0x238/0x2d0 net/tls/tls_main.c:222
Read of size 1 at addr ffff8880a4265b70 by task syz-executor.1/15746

TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
CPU: 1 PID: 15746 Comm: syz-executor.1 Not tainted 4.14.198-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load1_noabort+0x68/0x70 mm/kasan/report.c:427
 tls_write_space+0x238/0x2d0 net/tls/tls_main.c:222
 tcp_new_space net/ipv4/tcp_input.c:5112 [inline]
 tcp_check_space+0x395/0x640 net/ipv4/tcp_input.c:5123
 tcp_data_snd_check net/ipv4/tcp_input.c:5133 [inline]
 tcp_rcv_established+0x727/0x17a0 net/ipv4/tcp_input.c:5579
 tcp_v6_do_rcv+0xc60/0x1190 net/ipv6/tcp_ipv6.c:1301
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
 sk_backlog_rcv include/net/sock.h:921 [inline]
 __release_sock+0x12a/0x350 net/core/sock.c:2269
 release_sock+0x54/0x1b0 net/core/sock.c:2805
 tls_sk_proto_close+0x575/0x8b0 net/tls/tls_main.c:294
 inet_release+0xdf/0x1b0 net/ipv4/af_inet.c:425
 inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:450
 __sock_release+0xcd/0x2b0 net/socket.c:602
 sock_close+0x15/0x20 net/socket.c:1139
 __fput+0x25f/0x7a0 fs/file_table.c:210
 task_work_run+0x11f/0x190 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x4177b1
RSP: 002b:00007ffdce382700 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004177b1
RDX: 0000000000000000 RSI: 000000000000086e RDI: 0000000000000004
RBP: 0000000000000001 R08: 00000000216a486e R09: 00000000216a4872
R10: 00007ffdce3827e0 R11: 0000000000000293 R12: 000000000118c9a0
R13: 000000000118c9a0 R14: 00000000000003e8 R15: 000000000118bf2c

Allocated by task 15752:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618
 kmalloc include/linux/slab.h:488 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 tls_init+0xb1/0x4e0 net/tls/tls_main.c:518
 tcp_set_ulp+0x18f/0x4b6 net/ipv4/tcp_ulp.c:127
 do_tcp_setsockopt.constprop.0+0x1f6/0x1c10 net/ipv4/tcp.c:2547
 tcp_setsockopt net/ipv4/tcp.c:2830 [inline]
 tcp_setsockopt+0xa7/0xc0 net/ipv4/tcp.c:2822
 SYSC_setsockopt net/socket.c:1865 [inline]
 SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 15746:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 tls_ctx_free net/tls/tls_main.c:252 [inline]
 tls_ctx_free net/tls/tls_main.c:246 [inline]
 tls_sk_proto_close+0x568/0x8b0 net/tls/tls_main.c:290
 inet_release+0xdf/0x1b0 net/ipv4/af_inet.c:425
 inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:450
 __sock_release+0xcd/0x2b0 net/socket.c:602
 sock_close+0x15/0x20 net/socket.c:1139
 __fput+0x25f/0x7a0 fs/file_table.c:210
 task_work_run+0x11f/0x190 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff8880a4265b00
 which belongs to the cache kmalloc-192 of size 192
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
The buggy address is located 112 bytes inside of
 192-byte region [ffff8880a4265b00, ffff8880a4265bc0)
The buggy address belongs to the page:
page:ffffea0002909940 count:1 mapcount:0 mapping:ffff8880a4265000 index:0xffff8880a4265700
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880a4265000 ffff8880a4265700 000000010000000b
raw: ffffea00020f8820 ffffea000293f760 ffff88812fe50040 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a4265a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a4265a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8880a4265b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8880a4265b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880a4265c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================