==================================================================
BUG: KASAN: use-after-free in j1939_xtp_rx_dat_one+0xfc8/0x1030 net/can/j1939/transport.c:1849
Read of size 1 at addr ffff888078a75bce by task ksoftirqd/2/26

CPU: 2 PID: 26 Comm: ksoftirqd/2 Not tainted 5.14.0-rc2-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
 j1939_xtp_rx_dat_one+0xfc8/0x1030 net/can/j1939/transport.c:1849
 j1939_xtp_rx_dat net/can/j1939/transport.c:1901 [inline]
 j1939_tp_recv+0x544/0xb40 net/can/j1939/transport.c:2083
 j1939_can_recv+0x6d7/0x930 net/can/j1939/main.c:101
 deliver net/can/af_can.c:574 [inline]
 can_rcv_filter+0x5d4/0x8d0 net/can/af_can.c:608
 can_receive+0x31d/0x580 net/can/af_can.c:665
 can_rcv+0x120/0x1c0 net/can/af_can.c:696
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5486
 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5600
 process_backlog+0x2a5/0x6c0 net/core/dev.c:6480
 __napi_poll+0xaf/0x440 net/core/dev.c:7035
 napi_poll net/core/dev.c:7102 [inline]
 net_rx_action+0x801/0xb40 net/core/dev.c:7189
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 run_ksoftirqd kernel/softirq.c:920 [inline]
 run_ksoftirqd+0x2d/0x60 kernel/softirq.c:912
 smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Allocated by task 10851:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x84/0xa0 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:2956 [inline]
 kmem_cache_alloc_node+0x266/0x3e0 mm/slub.c:2992
 __alloc_skb+0x20b/0x340 net/core/skbuff.c:414
 alloc_skb include/linux/skbuff.h:1112 [inline]
 alloc_skb_with_frags+0x93/0x620 net/core/skbuff.c:6005
 sock_alloc_send_pskb+0x783/0x910 net/core/sock.c:2461
 j1939_sk_alloc_skb net/can/j1939/socket.c:861 [inline]
 j1939_sk_send_loop net/can/j1939/socket.c:1043 [inline]
 j1939_sk_sendmsg+0x6eb/0x13e0 net/can/j1939/socket.c:1178
 sock_sendmsg_nosec net/socket.c:703 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:723
 sock_no_sendpage+0xf3/0x130 net/core/sock.c:2959
 kernel_sendpage.part.0+0x1a0/0x340 net/socket.c:3673
 kernel_sendpage net/socket.c:3670 [inline]
 sock_sendpage+0xe5/0x140 net/socket.c:1002
 pipe_to_sendpage+0x2ad/0x380 fs/splice.c:364
 splice_from_pipe_feed fs/splice.c:418 [inline]
 __splice_from_pipe+0x43e/0x8a0 fs/splice.c:562
 splice_from_pipe fs/splice.c:597 [inline]
 generic_splice_sendpage+0xd4/0x140 fs/splice.c:746
 do_splice_from fs/splice.c:767 [inline]
 direct_splice_actor+0x110/0x180 fs/splice.c:936
 splice_direct_to_actor+0x34b/0x8c0 fs/splice.c:891
 do_splice_direct+0x1b3/0x280 fs/splice.c:979
 do_sendfile+0x9f0/0x1120 fs/read_write.c:1260
 __do_compat_sys_sendfile fs/read_write.c:1346 [inline]
 __se_compat_sys_sendfile fs/read_write.c:1329 [inline]
 __ia32_compat_sys_sendfile+0x1dd/0x220 fs/read_write.c:1329
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

Freed by task 10854:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1625 [inline]
 slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1650
 slab_free mm/slub.c:3210 [inline]
 kmem_cache_free+0x8e/0x5a0 mm/slub.c:3226
 kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:688
 __kfree_skb net/core/skbuff.c:745 [inline]
 kfree_skb net/core/skbuff.c:762 [inline]
 kfree_skb+0x140/0x3f0 net/core/skbuff.c:756
 j1939_session_skb_drop_old net/can/j1939/transport.c:336 [inline]
 j1939_xtp_rx_cts_one net/can/j1939/transport.c:1418 [inline]
 j1939_xtp_rx_cts+0xbd6/0x1170 net/can/j1939/transport.c:1457
 j1939_tp_cmd_recv net/can/j1939/transport.c:2027 [inline]
 j1939_tp_recv+0x8be/0xb40 net/can/j1939/transport.c:2093
 j1939_can_recv+0x6d7/0x930 net/can/j1939/main.c:101
 deliver net/can/af_can.c:574 [inline]
 can_rcv_filter+0x5d4/0x8d0 net/can/af_can.c:608
 can_receive+0x31d/0x580 net/can/af_can.c:665
 can_rcv+0x120/0x1c0 net/can/af_can.c:696
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5486
 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5600
 process_backlog+0x2a5/0x6c0 net/core/dev.c:6480
 __napi_poll+0xaf/0x440 net/core/dev.c:7035
 napi_poll net/core/dev.c:7102 [inline]
 net_rx_action+0x801/0xb40 net/core/dev.c:7189
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558

The buggy address belongs to the object at ffff888078a75b80
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 78 bytes inside of
 232-byte region [ffff888078a75b80, ffff888078a75c68)
The buggy address belongs to the page:
page:ffffea0001e29d00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888078a75040 pfn:0x78a74
head:ffffea0001e29d00 order:1 compound_mapcount:0
flags: 0x4fff00000010200(slab|head|node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000010200 ffffea0001e41788 ffffea0001df4208 ffff888040fea640
raw: ffff888078a75040 0000000000190016 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x52a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 26, ts 327354658641, free_ts 0
 prep_new_page mm/page_alloc.c:2433 [inline]
 get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4166
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5388
 alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2244
 alloc_slab_page mm/slub.c:1688 [inline]
 allocate_slab+0x32e/0x4b0 mm/slub.c:1828
 new_slab mm/slub.c:1891 [inline]
 new_slab_objects mm/slub.c:2637 [inline]
 ___slab_alloc+0x4ba/0x820 mm/slub.c:2800
 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2840
 slab_alloc_node mm/slub.c:2922 [inline]
 slab_alloc mm/slub.c:2964 [inline]
 kmem_cache_alloc+0x3e1/0x4a0 mm/slub.c:2969
 skb_clone+0x170/0x3c0 net/core/skbuff.c:1505
 j1939_can_recv+0x74/0x930 net/can/j1939/main.c:50
 deliver net/can/af_can.c:574 [inline]
 can_rcv_filter+0x5d4/0x8d0 net/can/af_can.c:608
 can_receive+0x31d/0x580 net/can/af_can.c:665
 can_rcv+0x120/0x1c0 net/can/af_can.c:696
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5486
 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5600
 process_backlog+0x2a5/0x6c0 net/core/dev.c:6480
 __napi_poll+0xaf/0x440 net/core/dev.c:7035
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888078a75a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888078a75b00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>ffff888078a75b80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff888078a75c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff888078a75c80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================