vcan0: j1939_xtp_rx_abort_one: 0x0000000021807ccf: 0x00000: (2) System resources were needed for another task so this connection managed session was terminated.
==================================================================
BUG: KASAN: use-after-free in atomic_sub_return include/asm-generic/atomic-instrumented.h:159 [inline]
BUG: KASAN: use-after-free in atomic_dec_return include/linux/atomic-fallback.h:455 [inline]
BUG: KASAN: use-after-free in j1939_sock_pending_del+0x19/0x50 net/can/j1939/socket.c:73
Write of size 4 at addr ffff888092a704c0 by task ksoftirqd/0/9

CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x318 mm/kasan/report.c:351
 __kasan_report.cold.9+0x1b/0x3f mm/kasan/report.c:482
 kasan_report+0x12/0x17 mm/kasan/common.c:618
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x153/0x1d0 mm/kasan/generic.c:192
 __kasan_check_write+0x14/0x20 mm/kasan/common.c:98
 atomic_sub_return include/asm-generic/atomic-instrumented.h:159 [inline]
 atomic_dec_return include/linux/atomic-fallback.h:455 [inline]
 j1939_sock_pending_del+0x19/0x50 net/can/j1939/socket.c:73
 __j1939_session_drop net/can/j1939/transport.c:257 [inline]
 j1939_session_destroy net/can/j1939/transport.c:270 [inline]
 __j1939_session_release net/can/j1939/transport.c:280 [inline]
 kref_put include/linux/kref.h:65 [inline]
 j1939_session_put+0xb8/0x120 net/can/j1939/transport.c:285
 j1939_xtp_rx_abort_one+0xa2/0xe0 net/can/j1939/transport.c:1261
 j1939_xtp_rx_abort net/can/j1939/transport.c:1269 [inline]
 j1939_tp_cmd_recv net/can/j1939/transport.c:1940 [inline]
 j1939_tp_recv+0x4a9/0x780 net/can/j1939/transport.c:1973
 j1939_can_recv+0x425/0x590 net/can/j1939/main.c:100
 deliver net/can/af_can.c:568 [inline]
 can_rcv_filter+0x4ff/0x840 net/can/af_can.c:602
 can_receive+0x290/0x470 net/can/af_can.c:659
 can_rcv+0xd9/0x160 net/can/af_can.c:685
 __netif_receive_skb_one_core+0xe9/0x170 net/core/dev.c:5006
 __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5120
 process_backlog+0x1cb/0x670 net/core/dev.c:5951
 napi_poll net/core/dev.c:6388 [inline]
 net_rx_action+0x458/0xe40 net/core/dev.c:6456
 __do_softirq+0x262/0x9a8 kernel/softirq.c:292
 run_ksoftirqd+0x94/0x100 kernel/softirq.c:603
 smpboot_thread_fn+0x55f/0x8b0 kernel/smpboot.c:165
 kthread+0x331/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 10870:
 save_stack+0x21/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc.constprop.9+0xc7/0xd0 mm/kasan/common.c:493
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:507
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc+0x164/0x790 mm/slab.c:3664
 kmalloc include/linux/slab.h:557 [inline]
 sk_prot_alloc+0x14d/0x250 net/core/sock.c:1603
 sk_alloc+0x30/0xc70 net/core/sock.c:1657
 can_create+0x1ac/0x420 net/can/af_can.c:157
 __sock_create+0x262/0x540 net/socket.c:1418
 sock_create net/socket.c:1469 [inline]
 __sys_socket+0xd7/0x1c0 net/socket.c:1511
 __do_sys_socket net/socket.c:1520 [inline]
 __se_sys_socket net/socket.c:1518 [inline]
 __ia32_sys_socket+0x6e/0xb0 net/socket.c:1518
 do_syscall_32_irqs_on arch/x86/entry/common.c:332 [inline]
 do_fast_syscall_32+0x235/0xb3b arch/x86/entry/common.c:403
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

Freed by task 9:
 save_stack+0x21/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:455
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:463
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x108/0x2c0 mm/slab.c:3756
 sk_prot_free net/core/sock.c:1640 [inline]
 __sk_destruct+0x3f1/0x580 net/core/sock.c:1726
 sk_destruct+0x5a/0x70 net/core/sock.c:1734
 __sk_free+0xc7/0x2a0 net/core/sock.c:1745
 sock_wfree+0x10c/0x140 net/core/sock.c:1958
 skb_release_head_state+0x9f/0x1a0 net/core/skbuff.c:652
 skb_release_all+0xd/0x50 net/core/skbuff.c:663
 __kfree_skb net/core/skbuff.c:679 [inline]
 kfree_skb+0xb3/0x2b0 net/core/skbuff.c:697
 skb_queue_purge+0x12/0x30 net/core/skbuff.c:3078
 j1939_session_destroy net/can/j1939/transport.c:269 [inline]
 __j1939_session_release net/can/j1939/transport.c:280 [inline]
 kref_put include/linux/kref.h:65 [inline]
 j1939_session_put+0x61/0x120 net/can/j1939/transport.c:285
 j1939_xtp_rx_abort_one+0xa2/0xe0 net/can/j1939/transport.c:1261
 j1939_xtp_rx_abort net/can/j1939/transport.c:1269 [inline]
 j1939_tp_cmd_recv net/can/j1939/transport.c:1940 [inline]
 j1939_tp_recv+0x4a9/0x780 net/can/j1939/transport.c:1973
 j1939_can_recv+0x425/0x590 net/can/j1939/main.c:100
 deliver net/can/af_can.c:568 [inline]
 can_rcv_filter+0x4ff/0x840 net/can/af_can.c:602
 can_receive+0x290/0x470 net/can/af_can.c:659
 can_rcv+0xd9/0x160 net/can/af_can.c:685
 __netif_receive_skb_one_core+0xe9/0x170 net/core/dev.c:5006
 __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5120
 process_backlog+0x1cb/0x670 net/core/dev.c:5951
 napi_poll net/core/dev.c:6388 [inline]
 net_rx_action+0x458/0xe40 net/core/dev.c:6456
 __do_softirq+0x262/0x9a8 kernel/softirq.c:292

The buggy address belongs to the object at ffff888092a70000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1216 bytes inside of
 2048-byte region [ffff888092a70000, ffff888092a70800)
The buggy address belongs to the page:
page:ffffea00024a9c00 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0xffff888092a70880 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea0002a03388 ffffea00022dca08 ffff8880aa400e00
raw: ffff888092a70880 ffff888092a70000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888092a70380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888092a70400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888092a70480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888092a70500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888092a70580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================