==================================================================
BUG: KASAN: use-after-free in tipc_sk_filter_rcv+0x19dd/0x2bf0 net/tipc/socket.c:2167
Read of size 4 at addr ffff88802b0f89b4 by task kworker/u4:2/7855

CPU: 0 PID: 7855 Comm: kworker/u4:2 Not tainted 5.0.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Workqueue: tipc_send tipc_conn_send_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:187
 kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
 tipc_sk_filter_rcv+0x19dd/0x2bf0 net/tipc/socket.c:2167
 tipc_sk_enqueue net/tipc/socket.c:2254 [inline]
 tipc_sk_rcv+0xaca/0x1db0 net/tipc/socket.c:2305
 tipc_topsrv_kern_evt+0x30c/0x460 net/tipc/topsrv.c:610
 tipc_conn_send_to_sock+0x39d/0x520 net/tipc/topsrv.c:283
 tipc_conn_send_work+0x47/0x60 net/tipc/topsrv.c:303
 process_one_work+0x835/0x16b0 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x327/0x3f0 kernel/kthread.c:253
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 7855:
 save_stack+0x43/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_kmalloc.constprop.9+0xc7/0xd0 mm/kasan/common.c:497
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:511
 __do_kmalloc_node mm/slab.c:3686 [inline]
 __kmalloc_node_track_caller+0x4d/0x70 mm/slab.c:3700
 __kmalloc_reserve.isra.38+0x2c/0xc0 net/core/skbuff.c:140
 __alloc_skb+0xd7/0x570 net/core/skbuff.c:208
 alloc_skb_fclone include/linux/skbuff.h:1107 [inline]
 tipc_buf_acquire+0x22/0xe0 net/tipc/msg.c:66
 tipc_msg_create+0x2f/0x280 net/tipc/msg.c:98
 tipc_topsrv_kern_evt+0x207/0x460 net/tipc/topsrv.c:602
 tipc_conn_send_to_sock+0x39d/0x520 net/tipc/topsrv.c:283
 tipc_conn_send_work+0x47/0x60 net/tipc/topsrv.c:303
 process_one_work+0x835/0x16b0 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x327/0x3f0 kernel/kthread.c:253
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Freed by task 7855:
 save_stack+0x43/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x230 mm/slab.c:3821
 skb_free_head+0x6e/0x90 net/core/skbuff.c:557
 skb_release_data+0x478/0x680 net/core/skbuff.c:577
 skb_release_all+0x3d/0x50 net/core/skbuff.c:631
 __kfree_skb net/core/skbuff.c:645 [inline]
 kfree_skb+0x97/0x270 net/core/skbuff.c:663
 tipc_sk_proto_rcv net/tipc/socket.c:2009 [inline]
 tipc_sk_filter_rcv+0x1674/0x2bf0 net/tipc/socket.c:2162
 tipc_sk_enqueue net/tipc/socket.c:2254 [inline]
 tipc_sk_rcv+0xaca/0x1db0 net/tipc/socket.c:2305
 tipc_topsrv_kern_evt+0x30c/0x460 net/tipc/topsrv.c:610
 tipc_conn_send_to_sock+0x39d/0x520 net/tipc/topsrv.c:283
 tipc_conn_send_work+0x47/0x60 net/tipc/topsrv.c:303
 process_one_work+0x835/0x16b0 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x327/0x3f0 kernel/kthread.c:253
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff88802b0f8900
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 180 bytes inside of
 1024-byte region [ffff88802b0f8900, ffff88802b0f8d00)
The buggy address belongs to the page:
page:ffffea0000ac3e00 count:1 mapcount:0 mapping:ffff88802d400ac0 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea000081b808 ffff88802d401848 ffff88802d400ac0
raw: 0000000000000000 ffff88802b0f8000 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88802b0f8880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88802b0f8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802b0f8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff88802b0f8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802b0f8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================