TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
==================================================================
BUG: KASAN: use-after-free in tls_write_space+0x238/0x2d0 net/tls/tls_main.c:222
Read of size 1 at addr ffff8880a06a0870 by task syz-executor.2/12981

CPU: 0 PID: 12981 Comm: syz-executor.2 Not tainted 4.14.196-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load1_noabort+0x68/0x70 mm/kasan/report.c:427
 tls_write_space+0x238/0x2d0 net/tls/tls_main.c:222
 tcp_new_space net/ipv4/tcp_input.c:5112 [inline]
 tcp_check_space+0x395/0x640 net/ipv4/tcp_input.c:5123
 tcp_data_snd_check net/ipv4/tcp_input.c:5133 [inline]
 tcp_rcv_established+0x727/0x17a0 net/ipv4/tcp_input.c:5579
 tcp_v6_do_rcv+0xc60/0x1190 net/ipv6/tcp_ipv6.c:1301
 sk_backlog_rcv include/net/sock.h:921 [inline]
 __release_sock+0x12a/0x350 net/core/sock.c:2269
 release_sock+0x54/0x1b0 net/core/sock.c:2805
 tls_sk_proto_close+0x575/0x8b0 net/tls/tls_main.c:294
 inet_release+0xdf/0x1b0 net/ipv4/af_inet.c:425
 inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:450
 __sock_release+0xcd/0x2b0 net/socket.c:602
 sock_close+0x15/0x20 net/socket.c:1139
 __fput+0x25f/0x7a0 fs/file_table.c:210
 task_work_run+0x11f/0x190 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x416f01
RSP: 002b:00007fff80753160 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416f01
RDX: 0000000000000000 RSI: 0000000000001834 RDI: 0000000000000005
RBP: 0000000000000001 R08: 00000000f1771838 R09: 0000000000000000
R10: 00007fff80753250 R11: 0000000000000293 R12: 000000000118d940
R13: 000000000118d940 R14: ffffffffffffffff R15: 000000000118cfec

Allocated by task 12983:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618
 kmalloc include/linux/slab.h:488 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 tls_init+0xb1/0x4e0 net/tls/tls_main.c:518
 tcp_set_ulp+0x18f/0x4b6 net/ipv4/tcp_ulp.c:127
 do_tcp_setsockopt.constprop.0+0x1f6/0x1c10 net/ipv4/tcp.c:2547
 tcp_setsockopt net/ipv4/tcp.c:2830 [inline]
 tcp_setsockopt+0xa7/0xc0 net/ipv4/tcp.c:2822
 SYSC_setsockopt net/socket.c:1865 [inline]
 SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 12981:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 tls_ctx_free net/tls/tls_main.c:252 [inline]
 tls_ctx_free net/tls/tls_main.c:246 [inline]
 tls_sk_proto_close+0x568/0x8b0 net/tls/tls_main.c:290
 inet_release+0xdf/0x1b0 net/ipv4/af_inet.c:425
 inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:450
 __sock_release+0xcd/0x2b0 net/socket.c:602
 sock_close+0x15/0x20 net/socket.c:1139
 __fput+0x25f/0x7a0 fs/file_table.c:210
 task_work_run+0x11f/0x190 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff8880a06a0800
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 112 bytes inside of
 192-byte region [ffff8880a06a0800, ffff8880a06a08c0)
The buggy address belongs to the page:
page:ffffea000281a800 count:1 mapcount:0 mapping:ffff8880a06a0000 index:0xffff8880a06a0d00
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880a06a0000 ffff8880a06a0d00 0000000100000004
raw: ffffea00027f02e0 ffffea000284d7a0 ffff88812fe52040 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a06a0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a06a0780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8880a06a0800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8880a06a0880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880a06a0900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================