==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: use-after-free in j1939_session_tx_dat net/can/j1939/transport.c:790 [inline]
BUG: KASAN: use-after-free in j1939_xtp_txnext_transmiter net/can/j1939/transport.c:847 [inline]
BUG: KASAN: use-after-free in j1939_tp_txtimer+0x747/0x1690 net/can/j1939/transport.c:1095
Read of size 7 at addr ffff888083e49a1e by task ksoftirqd/1/16

CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.6.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x12d/0x187 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374
 __kasan_report.cold.11+0x1b/0x32 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:641
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x153/0x1d0 mm/kasan/generic.c:192
 memcpy+0x23/0x50 mm/kasan/common.c:127
 memcpy include/linux/string.h:381 [inline]
 j1939_session_tx_dat net/can/j1939/transport.c:790 [inline]
 j1939_xtp_txnext_transmiter net/can/j1939/transport.c:847 [inline]
 j1939_tp_txtimer+0x747/0x1690 net/can/j1939/transport.c:1095
 __run_hrtimer kernel/time/hrtimer.c:1517 [inline]
 __hrtimer_run_queues+0x32f/0xb50 kernel/time/hrtimer.c:1579
 hrtimer_run_softirq+0x16c/0x250 kernel/time/hrtimer.c:1596
 __do_softirq+0x262/0x9a8 kernel/softirq.c:292
 run_ksoftirqd+0x94/0x100 kernel/softirq.c:603
 smpboot_thread_fn+0x55f/0x8b0 kernel/smpboot.c:165
 kthread+0x331/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 16:
 save_stack+0x21/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc.constprop.17+0xc7/0xd0 mm/kasan/common.c:515
 kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:523
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc mm/slab.c:3320 [inline]
 kmem_cache_alloc+0x121/0x750 mm/slab.c:3484
 skb_clone+0x10e/0x310 net/core/skbuff.c:1449
 j1939_can_recv+0x21/0x620 net/can/j1939/main.c:50
 deliver net/can/af_can.c:569 [inline]
 can_rcv_filter+0x4ff/0x840 net/can/af_can.c:603
 can_receive+0x290/0x470 net/can/af_can.c:660
 can_rcv+0xd9/0x160 net/can/af_can.c:686
 __netif_receive_skb_one_core+0xe9/0x170 net/core/dev.c:5198
 __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5312
 process_backlog+0x1ef/0x700 net/core/dev.c:6144
 napi_poll net/core/dev.c:6582 [inline]
 net_rx_action+0x458/0xe40 net/core/dev.c:6650
 __do_softirq+0x262/0x9a8 kernel/softirq.c:292

Freed by task 16:
 save_stack+0x21/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:476
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
 __cache_free mm/slab.c:3426 [inline]
 kmem_cache_free+0x83/0x320 mm/slab.c:3694
 kfree_skbmem+0x8c/0x130 net/core/skbuff.c:624
 __kfree_skb net/core/skbuff.c:681 [inline]
 kfree_skb+0xbb/0x2d0 net/core/skbuff.c:698
 j1939_can_recv+0x4f8/0x620 net/can/j1939/main.c:109
 deliver net/can/af_can.c:569 [inline]
 can_rcv_filter+0x4ff/0x840 net/can/af_can.c:603
 can_receive+0x290/0x470 net/can/af_can.c:660
 can_rcv+0xd9/0x160 net/can/af_can.c:686
 __netif_receive_skb_one_core+0xe9/0x170 net/core/dev.c:5198
 __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5312
 process_backlog+0x1ef/0x700 net/core/dev.c:6144
 napi_poll net/core/dev.c:6582 [inline]
 net_rx_action+0x458/0xe40 net/core/dev.c:6650
 __do_softirq+0x262/0x9a8 kernel/softirq.c:292

The buggy address belongs to the object at ffff888083e49980
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 158 bytes inside of
 224-byte region [ffff888083e49980, ffff888083e49a60)
The buggy address belongs to the page:
page:ffffea00020f9240 refcount:1 mapcount:0 mapping:ffff88821b77fa80 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0001e339c8 ffffea0001e7bdc8 ffff88821b77fa80
raw: 0000000000000000 ffff888083e490c0 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888083e49900: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888083e49980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888083e49a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                            ^
 ffff888083e49a80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff888083e49b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================