bisecting cause commit starting from f4b752a6b2708bfdf7fbe8a241082c8104f4ce05
building syzkaller on f4e53c1037f48d9bf1790df955b0cc7028a7008e
testing commit f4b752a6b2708bfdf7fbe8a241082c8104f4ce05 with gcc (GCC) 8.1.0
run #0: crashed: INFO: task hung in cancel_delayed_work_sync
run #1: crashed: INFO: task hung in cancel_delayed_work_sync
run #2: crashed: INFO: task hung in cancel_delayed_work_sync
run #3: crashed: INFO: task hung in tls_sw_release_resources_tx
run #4: crashed: INFO: task hung in cancel_delayed_work_sync
run #5: crashed: INFO: task hung in cancel_delayed_work_sync
run #6: crashed: INFO: task hung in tls_sw_release_resources_tx
run #7: crashed: INFO: task hung in cancel_delayed_work_sync
run #8: crashed: INFO: task hung in cancel_delayed_work_sync
run #9: crashed: INFO: task hung in cancel_delayed_work_sync
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
run #0: crashed: INFO: task hung in cancel_delayed_work_sync
run #1: crashed: INFO: task hung in cancel_delayed_work_sync
run #2: crashed: INFO: task hung in cancel_delayed_work_sync
run #3: crashed: INFO: task hung in cancel_delayed_work_sync
run #4: crashed: INFO: task hung in cancel_delayed_work_sync
run #5: crashed: INFO: task hung in cancel_delayed_work_sync
run #6: crashed: INFO: task hung in cancel_delayed_work_sync
run #7: crashed: INFO: task hung in lock_sock_nested
run #8: crashed: INFO: task hung in tls_sw_free_resources_tx
run #9: crashed: INFO: task hung in cancel_delayed_work_sync
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
run #0: crashed: INFO: task hung in tls_sw_free_resources_tx
run #1: crashed: INFO: task hung in cancel_delayed_work_sync
run #2: crashed: INFO: task hung in tls_sw_free_resources_tx
run #3: crashed: INFO: task hung in lock_sock_nested
run #4: crashed: INFO: task hung in cancel_delayed_work_sync
run #5: crashed: INFO: task hung in tls_sw_free_resources_tx
run #6: crashed: INFO: task hung in cancel_delayed_work_sync
run #7: crashed: INFO: task hung in tls_sw_free_resources_tx
run #8: crashed: INFO: task hung in cancel_delayed_work_sync
run #9: crashed: INFO: task hung in cancel_delayed_work_sync
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
run #0: crashed: INFO: task hung in cancel_delayed_work_sync
run #1: crashed: INFO: task hung in cancel_delayed_work_sync
run #2: crashed: INFO: task hung in cancel_delayed_work_sync
run #3: crashed: INFO: task hung in tls_sw_free_resources_tx
run #4: crashed: INFO: task hung in cancel_delayed_work_sync
run #5: crashed: INFO: task hung in cancel_delayed_work_sync
run #6: crashed: INFO: task hung in cancel_delayed_work_sync
run #7: crashed: INFO: task hung in tls_sw_free_resources_tx
run #8: crashed: INFO: task hung in cancel_delayed_work_sync
run #9: crashed: INFO: task hung in tls_sw_free_resources_tx
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #1: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #2: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #3: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #4: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #5: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #6: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #7: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #8: crashed: KASAN: use-after-free Read in generic_gcmaes_encrypt
run #9: crashed: INFO: task hung in tls_sw_free_resources_tx
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in tls_push_record
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in tls_push_record
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
run #1: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
run #2: crashed: INFO: task hung in tls_push_record
run #3: crashed: INFO: task hung in tls_push_record
run #4: crashed: INFO: task hung in tls_push_record
run #5: crashed: INFO: task hung in tls_push_record
run #6: crashed: INFO: task hung in tls_push_record
run #7: crashed: INFO: task hung in tls_push_record
run #8: crashed: INFO: task hung in tls_push_record
run #9: crashed: INFO: task hung in tls_push_record
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at ./include/linux/scatterlist.h:LINE!
run #1: crashed: kernel BUG at ./include/linux/scatterlist.h:LINE!
run #2: crashed: kernel BUG at ./include/linux/scatterlist.h:LINE!
run #3: crashed: INFO: task hung in tls_push_record
run #4: crashed: INFO: task hung in tls_push_record
run #5: crashed: INFO: task hung in tls_push_record
run #6: crashed: INFO: task hung in tls_push_record
run #7: crashed: INFO: task hung in tls_push_record
run #8: crashed: INFO: task hung in tls_push_record
run #9: crashed: INFO: task hung in tls_push_record
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in padata_do_parallel
run #1: crashed: KASAN: use-after-free Read in padata_do_parallel
run #2: crashed: KASAN: use-after-free Write in padata_serial_worker
run #3: crashed: KASAN: use-after-free Read in padata_do_parallel
run #4: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #5: crashed: KASAN: use-after-free Read in padata_do_parallel
run #6: crashed: KASAN: use-after-free Read in padata_do_parallel
run #7: crashed: KASAN: use-after-free Write in padata_serial_worker
run #8: crashed: KASAN: use-after-free Read in padata_do_parallel
run #9: crashed: KASAN: use-after-free Write in padata_serial_worker
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #1: crashed: KASAN: use-after-free Read in padata_do_parallel
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #3: crashed: KASAN: use-after-free Read in padata_do_parallel
run #4: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #5: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #6: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #7: crashed: KASAN: use-after-free Read in padata_do_parallel
run #8: crashed: BUG: unable to handle kernel paging request in pcrypt_aead_enc
run #9: crashed: KASAN: use-after-free in padata_serial_worker
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0
run #0: crashed: BUG: unable to handle kernel paging request in pcrypt_aead_enc
run #1: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #2: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #3: crashed: KASAN: use-after-free Read in padata_do_parallel
run #4: crashed: KASAN: use-after-free Read in padata_do_parallel
run #5: crashed: KASAN: use-after-free Read in padata_do_parallel
run #6: crashed: KASAN: use-after-free Read in padata_do_parallel
run #7: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #8: crashed: KASAN: use-after-free Read in padata_do_parallel
run #9: crashed: KASAN: use-after-free Read in padata_do_parallel
testing release v4.12
testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0
all runs: OK
# git bisect start v4.13 v4.12
Bisecting: 7028 revisions left to test after this (roughly 13 steps)
[ac7b75966c9c86426b55fe1c50ae148aa4571075] Merge tag 'pinctrl-v4.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit ac7b75966c9c86426b55fe1c50ae148aa4571075 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in padata_do_parallel
run #1: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #2: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #3: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #4: crashed: KASAN: use-after-free Read in padata_do_parallel
run #5: crashed: KASAN: use-after-free Read in padata_do_parallel
run #6: crashed: BUG: unable to handle kernel paging request in pcrypt_aead_enc
run #7: crashed: KASAN: use-after-free Write in pcrypt_aead_enc
run #8: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #9: crashed: KASAN: use-after-free Write in padata_parallel_worker
# git bisect bad ac7b75966c9c86426b55fe1c50ae148aa4571075
Bisecting: 3538 revisions left to test after this (roughly 12 steps)
[e24dd9ee5399747b71c1d982a484fc7601795f31] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
testing commit e24dd9ee5399747b71c1d982a484fc7601795f31 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good e24dd9ee5399747b71c1d982a484fc7601795f31
Bisecting: 1787 revisions left to test after this (roughly 11 steps)
[9cc9a5cb176ccb4f2cda5ac34da5a659926f125f] datapath: Avoid using stack larger than 1024.
testing commit 9cc9a5cb176ccb4f2cda5ac34da5a659926f125f with gcc (GCC) 7.3.0
run #0: crashed: KASAN: use-after-free Read in padata_do_parallel
run #1: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #2: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #3: crashed: KASAN: use-after-free Read in padata_do_parallel
run #4: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #5: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #6: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #7: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #8: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #9: crashed: KASAN: use-after-free Write in padata_parallel_worker
# git bisect bad 9cc9a5cb176ccb4f2cda5ac34da5a659926f125f
Bisecting: 882 revisions left to test after this (roughly 10 steps)
[073cf9e20c333ab29744717a23f9e43ec7512a20] Merge branch 'udp-reduce-cache-pressure'
testing commit 073cf9e20c333ab29744717a23f9e43ec7512a20 with gcc (GCC) 7.3.0
all runs: OK
# git bisect good 073cf9e20c333ab29744717a23f9e43ec7512a20
Bisecting: 441 revisions left to test after this (roughly 9 steps)
[8abd5599a520e9f188a750f1bde9dde5fb856230] Merge branch 's390-net-updates-part-2'
testing commit 8abd5599a520e9f188a750f1bde9dde5fb856230 with gcc (GCC) 7.3.0
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in padata_serial_worker
run #1: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #2: crashed: general protection fault in pcrypt_aead_serial
run #3: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #4: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #5: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #6: crashed: KASAN: use-after-free Read in padata_do_parallel
run #7: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #8: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #9: crashed: KASAN: use-after-free Read in padata_do_parallel
# git bisect bad 8abd5599a520e9f188a750f1bde9dde5fb856230
Bisecting: 220 revisions left to test after this (roughly 8 steps)
[2fae5d0e647c6470d206e72b5fc24972bb900f70] Merge branch 'bpf-ctx-narrow'
testing commit 2fae5d0e647c6470d206e72b5fc24972bb900f70 with gcc (GCC) 7.3.0
all runs: OK
# git bisect good 2fae5d0e647c6470d206e72b5fc24972bb900f70
Bisecting: 110 revisions left to test after this (roughly 7 steps)
[41500c3e2a19ffcf40a7158fce1774de08e26ba2] rds: tcp: remove cp_outgoing
testing commit 41500c3e2a19ffcf40a7158fce1774de08e26ba2 with gcc (GCC) 7.3.0
run #0: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #1: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #2: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #3: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #4: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #5: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in padata_serial_worker
run #7: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #8: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #9: crashed: KASAN: use-after-free Read in padata_do_parallel
# git bisect bad 41500c3e2a19ffcf40a7158fce1774de08e26ba2
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[c27b32c2a4e6adc09323262d5b38b06979f063ab] r8152: support new chip 8050
testing commit c27b32c2a4e6adc09323262d5b38b06979f063ab with gcc (GCC) 7.3.0
run #0: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #1: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #2: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #3: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #4: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #5: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in padata_serial_worker
run #7: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #8: crashed: BUG: unable to handle kernel paging request in pcrypt_aead_enc
run #9: boot failed: WARNING: kernel stack regs has bad 'bp' value
# git bisect bad c27b32c2a4e6adc09323262d5b38b06979f063ab
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[206f60e1451b4b90cb7f3a803d1c440602a458e0] Merge branch 'Broadcom-DTE-based-PTP-clock'
testing commit 206f60e1451b4b90cb7f3a803d1c440602a458e0 with gcc (GCC) 7.3.0
all runs: OK
# git bisect good 206f60e1451b4b90cb7f3a803d1c440602a458e0
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[57d1ef389c96b5ae192767ae16843e839b1eff74] net: dsa: mv88e6xxx: prefix Global Stats macros
testing commit 57d1ef389c96b5ae192767ae16843e839b1eff74 with gcc (GCC) 7.3.0
run #0: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #1: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #2: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #3: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #4: crashed: BUG: unable to handle kernel paging request in pcrypt_aead_enc
run #5: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #6: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #7: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #8: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #9: crashed: KASAN: use-after-free Write in padata_parallel_worker
# git bisect bad 57d1ef389c96b5ae192767ae16843e839b1eff74
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[83ad357dee467f63574de35752bc40033deab30e] skbuff: make skb_put_zero() return void
testing commit 83ad357dee467f63574de35752bc40033deab30e with gcc (GCC) 7.3.0
run #0: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #1: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #2: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #3: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #4: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #5: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #6: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #7: crashed: KASAN: use-after-free Read in padata_do_parallel
run #8: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #9: crashed: KASAN: use-after-free Write in padata_parallel_worker
# git bisect bad 83ad357dee467f63574de35752bc40033deab30e
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[3c4d7559159bfe1e3b94df3a657b2cda3a34e218] tls: kernel TLS support
testing commit 3c4d7559159bfe1e3b94df3a657b2cda3a34e218 with gcc (GCC) 7.3.0
run #0: crashed: KASAN: use-after-free Read in padata_do_parallel
run #1: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #2: crashed: KASAN: use-after-free Read in padata_do_parallel
run #3: crashed: KASAN: use-after-free Write in padata_serial_worker
run #4: crashed: KASAN: use-after-free Read in padata_do_parallel
run #5: crashed: BUG: unable to handle kernel paging request in pcrypt_aead_enc
run #6: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #7: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #8: crashed: KASAN: use-after-free Write in padata_parallel_worker
run #9: crashed: KASAN: use-after-free Write in padata_parallel_worker
# git bisect bad 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
Bisecting: 0 revisions left to test after this (roughly 1 step)
[e3b5616a347603a521fe3ac46f3194a60900e3a7] tcp: export do_tcp_sendpages and tcp_rate_check_app_limited functions
testing commit e3b5616a347603a521fe3ac46f3194a60900e3a7 with gcc (GCC) 7.3.0
all runs: OK
# git bisect good e3b5616a347603a521fe3ac46f3194a60900e3a7
3c4d7559159bfe1e3b94df3a657b2cda3a34e218 is the first bad commit
commit 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
Author: Dave Watson
Date:   Wed Jun 14 11:37:39 2017 -0700

    tls: kernel TLS support

    Software implementation of transport layer security, implemented using ULP
    infrastructure. tcp proto_ops are replaced with tls equivalents of sendmsg and
    sendpage.

    Only symmetric crypto is done in the kernel, keys are passed by setsockopt
    after the handshake is complete. All control messages are supported via CMSG
    data - the actual symmetric encryption is the same, just the message type needs
    to be passed separately.

    For user API, please see Documentation patch.

    Pieces that can be shared between hw and sw implementation
    are in tls_main.c

    Signed-off-by: Boris Pismenny
    Signed-off-by: Ilya Lesokhin
    Signed-off-by: Aviad Yehezkel
    Signed-off-by: Dave Watson
    Signed-off-by: David S. Miller

:100644 100644 10f158ee95a31509882e94012affd0665088af1f 71a74555afdf4695b74267333e31a691d1e1b97e M	MAINTAINERS
:040000 040000 7ae2ecdd101f57ded34a9abfa2efebf204d3948c ebc8e78bcf2da708086aaddd279518a289626e81 M	include
:040000 040000 4ec602f2afe3dbcb390c844ea96d1df793983c6e ead4e27e5324e665f24b9b5aeacf855dc2207e68 M	net
revisions tested: 26, total time: 5h22m50.682997874s (build: 2h4m25.204953376s, test: 3h11m8.946514922s)
first bad commit: 3c4d7559159bfe1e3b94df3a657b2cda3a34e218 tls: kernel TLS support
cc: ["aviadye@mellanox.com" "borisp@mellanox.com" "davejwatson@fb.com" "davem@davemloft.net" "ilyal@mellanox.com"]
crash: KASAN: use-after-free Write in padata_parallel_worker
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
8021q: adding VLAN 0 to HW filter on device team0
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
==================================================================
BUG: KASAN: use-after-free in list_replace include/linux/list.h:140 [inline]
BUG: KASAN: use-after-free in list_replace_init include/linux/list.h:148 [inline]
BUG: KASAN: use-after-free in padata_parallel_worker+0x69b/0x6f0 kernel/padata.c:74
Write of size 8 at addr ffff8801107c7298 by task kworker/0:3/6725

CPU: 0 PID: 6725 Comm: kworker/0:3 Not tainted 4.12.0-rc5+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: pencrypt padata_parallel_worker
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x145/0x1f1 lib/dump_stack.c:52
 print_address_description+0xd4/0x230 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x24d/0x340 mm/kasan/report.c:408
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:434
 list_replace include/linux/list.h:140 [inline]
 list_replace_init include/linux/list.h:148 [inline]
 padata_parallel_worker+0x69b/0x6f0 kernel/padata.c:74
 process_one_work+0xa62/0x1c70 kernel/workqueue.c:2097
 worker_thread+0x215/0x1900 kernel/workqueue.c:2231
 kthread+0x345/0x410 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:424

Allocated by task 6851:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:513
 set_track mm/kasan/kasan.c:525 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:617
 __do_kmalloc mm/slab.c:3733 [inline]
 __kmalloc+0x156/0x790 mm/slab.c:3742
 kmalloc include/linux/slab.h:497 [inline]
 tls_do_encryption net/tls/tls_sw.c:222 [inline]
 tls_push_record+0x6b7/0x12d0 net/tls/tls_sw.c:264
 tls_sw_sendmsg+0xb45/0x12d0 net/tls/tls_sw.c:449
 inet_sendmsg+0x10e/0x5d0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:643
 SYSC_sendto+0x30e/0x5e0 net/socket.c:1737
 SyS_sendto+0x9/0x10 net/socket.c:1705
 entry_SYSCALL_64_fastpath+0x23/0xc2

Freed by task 6851:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:513
 set_track mm/kasan/kasan.c:525 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:590
 __cache_free mm/slab.c:3511 [inline]
 kfree+0xcc/0x270 mm/slab.c:3828
 tls_do_encryption net/tls/tls_sw.c:238 [inline]
 tls_push_record+0x9ad/0x12d0 net/tls/tls_sw.c:264
 tls_sw_sendmsg+0xb45/0x12d0 net/tls/tls_sw.c:449
 inet_sendmsg+0x10e/0x5d0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:643
 SYSC_sendto+0x30e/0x5e0 net/socket.c:1737
 SyS_sendto+0x9/0x10 net/socket.c:1705
 entry_SYSCALL_64_fastpath+0x23/0xc2

The buggy address belongs to the object at ffff8801107c7240
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 88 bytes inside of
 1024-byte region [ffff8801107c7240, ffff8801107c7640)
The buggy address belongs to the page:
page:ffffea000441f180 count:1 mapcount:0 mapping:ffff8801107c6040 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801107c6040 0000000000000000 0000000100000007
raw: ffffea0004509920 ffff88012bc01848 ffff88012bc00ac0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801107c7180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801107c7200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801107c7280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8801107c7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801107c7380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================