From: Cong Wang
Date: Wed, 18 Apr 2018 11:51:56 -0700
> @@ -199,9 +200,15 @@ static int llc_ui_release(struct socket *sock)
> llc->laddr.lsap, llc->daddr.lsap);
> if (!llc_send_disc(sk))
> llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo);
> + sap = llc->sap;
> +
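Review bot: the local `sap = llc->sap;` added at the end of this hunk is only a cached pointer; nothing in the visible lines takes a reference on the sap, and the report below says llc_backlog_rcv() dereferences llc->sap directly, so the local copy alone cannot keep the sap alive for that path. Suggest pairing the copy with `llc_sap_hold(sap);` here and a matching `llc_sap_put(sap);` after the socket has finished its backlog processing (after release_sock()), so the sap outlives every remaining user of the socket.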
syzbot reported we still access llc->sap in llc_backlog_rcv()
after it is freed in llc_sap_remove_socket():
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/r