[ 5869.247411][ T276] ==================================================================
[ 5869.247758][ T276] BUG: KASAN: slab-use-after-free in unix_vertex_dead+0x325/0x3b0
[ 5869.248001][ T276] Read of size 8 at addr ffff888017d29850 by task kworker/u18:2/276
[ 5869.248232][ T276]
[ 5869.248314][ T276] CPU: 1 UID: 0 PID: 276 Comm: kworker/u18:2 Not tainted 6.16.0-rc1-virtme #1 PREEMPT(full)
[ 5869.248319][ T276] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 5869.248322][ T276] Workqueue: events_unbound __unix_gc
[ 5869.248327][ T276] Call Trace:
[ 5869.248329][ T276]
[ 5869.248331][ T276]  dump_stack_lvl+0x82/0xd0
[ 5869.248341][ T276]  print_address_description.constprop.0+0x2c/0x400
[ 5869.248350][ T276]  ? unix_vertex_dead+0x325/0x3b0
[ 5869.248354][ T276]  print_report+0xb4/0x270
[ 5869.248358][ T276]  ? unix_vertex_dead+0x325/0x3b0
[ 5869.248361][ T276]  ? kasan_addr_to_slab+0x25/0x80
[ 5869.248365][ T276]  ? unix_vertex_dead+0x325/0x3b0
[ 5869.248368][ T276]  kasan_report+0xca/0x100
[ 5869.248372][ T276]  ? unix_vertex_dead+0x325/0x3b0
[ 5869.248377][ T276]  unix_vertex_dead+0x325/0x3b0
[ 5869.248382][ T276]  unix_walk_scc_fast+0x232/0x550
[ 5869.248386][ T276]  ? do_raw_spin_lock+0x130/0x270
[ 5869.248394][ T276]  ? __pfx_unix_walk_scc_fast+0x10/0x10
[ 5869.248397][ T276]  ? __pfx_do_raw_spin_lock+0x10/0x10
[ 5869.248400][ T276]  ? lock_acquire+0x10c/0x170
[ 5869.248403][ T276]  ? __unix_gc+0x8b/0x400
[ 5869.248408][ T276]  __unix_gc+0xdc/0x400
[ 5869.248412][ T276]  ? __pfx___unix_gc+0x10/0x10
[ 5869.248419][ T276]  ? rcu_is_watching+0x12/0xc0
[ 5869.248427][ T276]  ? rcu_is_watching+0x12/0xc0
[ 5869.248431][ T276]  process_one_work+0xe43/0x1660
[ 5869.248440][ T276]  ? __pfx_process_one_work+0x10/0x10
[ 5869.248446][ T276]  ? assign_work+0x16c/0x240
[ 5869.248453][ T276]  worker_thread+0x591/0xcf0
[ 5869.248459][ T276]  ? __pfx_worker_thread+0x10/0x10
[ 5869.248462][ T276]  kthread+0x37e/0x600
[ 5869.248466][ T276]  ? __pfx_kthread+0x10/0x10
[ 5869.248469][ T276]  ? ret_from_fork+0x1b/0x320
[ 5869.248475][ T276]  ? __lock_release+0x5d/0x170
[ 5869.248479][ T276]  ? rcu_is_watching+0x12/0xc0
[ 5869.248482][ T276]  ? __pfx_kthread+0x10/0x10
[ 5869.248485][ T276]  ret_from_fork+0x240/0x320
[ 5869.248488][ T276]  ? __pfx_kthread+0x10/0x10
[ 5869.248491][ T276]  ret_from_fork_asm+0x1a/0x30
[ 5869.248502][ T276]
[ 5869.248503][ T276]
[ 5869.254604][ T276] Allocated by task 14746:
[ 5869.254757][ T276]  kasan_save_stack+0x24/0x50
[ 5869.254918][ T276]  kasan_save_track+0x14/0x30
[ 5869.255077][ T276]  __kasan_slab_alloc+0x59/0x70
[ 5869.255233][ T276]  kmem_cache_alloc_noprof+0x10b/0x330
[ 5869.255394][ T276]  sk_prot_alloc.constprop.0+0x4e/0x1b0
[ 5869.255558][ T276]  sk_alloc+0x36/0x6c0
[ 5869.255679][ T276]  unix_create1+0x84/0x6f0
[ 5869.255837][ T276]  unix_create+0xcb/0x170
[ 5869.255955][ T276]  __sock_create+0x23c/0x6a0
[ 5869.256113][ T276]  __sys_socket+0x11a/0x1d0
[ 5869.256271][ T276]  __x64_sys_socket+0x72/0xb0
[ 5869.256431][ T276]  do_syscall_64+0xc1/0x380
[ 5869.256592][ T276]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 5869.256794][ T276]
[ 5869.256876][ T276] Freed by task 14746:
[ 5869.256995][ T276]  kasan_save_stack+0x24/0x50
[ 5869.257157][ T276]  kasan_save_track+0x14/0x30
[ 5869.257318][ T276]  kasan_save_free_info+0x3b/0x60
[ 5869.257478][ T276]  __kasan_slab_free+0x38/0x50
[ 5869.257634][ T276]  kmem_cache_free+0x149/0x330
[ 5869.257791][ T276]  __sk_destruct+0x46e/0x780
[ 5869.257946][ T276]  unix_release_sock+0xa0e/0xf90
[ 5869.258105][ T276]  unix_release+0x8c/0xf0
[ 5869.258224][ T276]  __sock_release+0xa6/0x260
[ 5869.258384][ T276]  sock_close+0x18/0x20
[ 5869.258506][ T276]  __fput+0x35c/0xa80
[ 5869.258626][ T276]  fput_close_sync+0xdd/0x190
[ 5869.258783][ T276]  __x64_sys_close+0x7d/0xd0
[ 5869.258942][ T276]  do_syscall_64+0xc1/0x380
[ 5869.259103][ T276]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 5869.259299][ T276]
[ 5869.259378][ T276] The buggy address belongs to the object at ffff888017d291c0
[ 5869.259378][ T276]  which belongs to the cache UNIX-STREAM of size 1984
[ 5869.259798][ T276] The buggy address is located 1680 bytes inside of
[ 5869.259798][ T276]  freed 1984-byte region [ffff888017d291c0, ffff888017d29980)
[ 5869.260173][ T276]
[ 5869.260253][ T276] The buggy address belongs to the physical page:
[ 5869.260443][ T276] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17d28
[ 5869.260727][ T276] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 5869.260964][ T276] flags: 0x80000000000040(head|node=0|zone=1)
[ 5869.261165][ T276] page_type: f5(slab)
[ 5869.261290][ T276] raw: 0080000000000040 ffff888005bdedc0 ffffea0000510c10 ffffea0000278010
[ 5869.261574][ T276] raw: 0000000000000000 00000000000e000e 00000000f5000000 0000000000000000
[ 5869.261858][ T276] head: 0080000000000040 ffff888005bdedc0 ffffea0000510c10 ffffea0000278010
[ 5869.262141][ T276] head: 0000000000000000 00000000000e000e 00000000f5000000 0000000000000000
[ 5869.262424][ T276] head: 0080000000000003 ffffea00005f4a01 00000000ffffffff 00000000ffffffff
[ 5869.262703][ T276] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 5869.262983][ T276] page dumped because: kasan: bad access detected
[ 5869.263180][ T276]
[ 5869.263257][ T276] Memory state around the buggy address:
[ 5869.263406][ T276]  ffff888017d29700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5869.263632][ T276]  ffff888017d29780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5869.263859][ T276] >ffff888017d29800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5869.264091][ T276]                                                 ^
[ 5869.264285][ T276]  ffff888017d29880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5869.264515][ T276]  ffff888017d29900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5869.264740][ T276] ==================================================================
[ 5869.265047][ T276] Disabling lock debugging due to kernel taint
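The report above has everything needed to triage the bug without a debugger: the faulting read in unix_vertex_dead, the object's cache and base address, the allocation and free stacks, and the shadow bytes around the address. The script below is an added triage helper, not part of the report or of the kernel, that parses the generic-KASAN slab-report format and cross-checks the report's own numbers. Its embedded REPORT string is a constructed subset of the lines above (dmesg prefixes kept, most stack frames dropped for brevity); the shadow-byte legend (0x00, 0xfb, 0xfc) is taken from mm/kasan/kasan.h for generic KASAN, and ALLOCATOR_PREFIXES is a heuristic of this example for skipping allocator frames to find the code that owns the object. For this report it confirms that 0xffff888017d29850 really is 1680 bytes into a 1984-byte UNIX-STREAM object, that the granule is marked KASAN_SLAB_FREE, and that the socket was freed from __sk_destruct on the close() path while the events_unbound worker running __unix_gc still reads it.

```python
"""Triage helper for generic-KASAN slab reports (added example, not kernel code)."""
import re

# Constructed sample: a subset of the lines from the report above, with the
# "[ time][ Txxx]" dmesg prefix kept so the parser handles real logs unchanged.
REPORT = """\
[ 5869.247758][ T276] BUG: KASAN: slab-use-after-free in unix_vertex_dead+0x325/0x3b0
[ 5869.248001][ T276] Read of size 8 at addr ffff888017d29850 by task kworker/u18:2/276
[ 5869.248322][ T276] Workqueue: events_unbound __unix_gc
[ 5869.254604][ T276] Allocated by task 14746:
[ 5869.255233][ T276]  kmem_cache_alloc_noprof+0x10b/0x330
[ 5869.255558][ T276]  sk_alloc+0x36/0x6c0
[ 5869.255679][ T276]  unix_create1+0x84/0x6f0
[ 5869.256876][ T276] Freed by task 14746:
[ 5869.257634][ T276]  kmem_cache_free+0x149/0x330
[ 5869.257791][ T276]  __sk_destruct+0x46e/0x780
[ 5869.257946][ T276]  unix_release_sock+0xa0e/0xf90
[ 5869.259378][ T276] The buggy address belongs to the object at ffff888017d291c0
[ 5869.259378][ T276]  which belongs to the cache UNIX-STREAM of size 1984
[ 5869.259798][ T276] The buggy address is located 1680 bytes inside of
[ 5869.259798][ T276]  freed 1984-byte region [ffff888017d291c0, ffff888017d29980)
[ 5869.263632][ T276]  ffff888017d29780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5869.263859][ T276] >ffff888017d29800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5869.264285][ T276]  ffff888017d29880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

DMESG_PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")
FRAME = re.compile(r"^(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_ROW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")

# Shadow values generic KASAN uses for slab memory (mm/kasan/kasan.h); values
# 0x01..0x07 would mean "only the first N bytes of this 8-byte granule are valid".
SHADOW_LEGEND = {0x00: "accessible", 0xfb: "freed slab object (KASAN_SLAB_FREE)",
                 0xfc: "slab redzone (KASAN_SLAB_REDZONE)"}
# Heuristic (this example's choice): frames belonging to the allocator or KASAN
# itself rather than to the subsystem that owns the object.
ALLOCATOR_PREFIXES = ("kasan_", "__kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree", "slab_")

def parse_report(text):
    """Pull the fields a triager needs out of a generic-KASAN slab report."""
    info = {"alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = DMESG_PREFIX.sub("", raw).strip()
        if not line:
            continue
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            info["bug"], info["where"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.+)/(\d+)$", line):
            info["access"], info["size"] = m.group(1).lower(), int(m.group(2))
            info["addr"], info["task"], info["pid"] = int(m.group(3), 16), m.group(4), int(m.group(5))
        elif m := re.match(r"Workqueue: (\S+) (\S+)", line):
            info["workqueue"] = m.group(2)
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = "alloc_stack" if m.group(1) == "Allocated" else "free_stack"
            info[section.replace("_stack", "_pid")] = int(m.group(2))
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            section = None                      # stacks are over once the object block starts
            info["object"] = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            info["cache"], info["cache_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            info["offset"] = int(m.group(1))
        elif m := re.match(r"(?:(freed|allocated) )?(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            info["region_state"] = m.group(1) or "live"
            info["region"] = (int(m.group(3), 16), int(m.group(4), 16))
        elif m := SHADOW_ROW.match(line):        # row label is the memory address, 16 granules per row
            info["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif section and (m := FRAME.match(line)):
            info[section].append(m.group(1))
    return info

def owner_frame(stack):
    """First frame that is not allocator/KASAN machinery: the code that owns the object."""
    return next((fn for fn in stack if not fn.startswith(ALLOCATOR_PREFIXES)), None)

def shadow_byte(info, addr):
    """Shadow value covering addr: each printed row covers 128 bytes, one byte per 8-byte granule."""
    row = addr & ~0x7F
    cells = info["shadow"].get(row)
    return None if cells is None else cells[(addr - row) // 8]

def cross_check(info):
    """Confirm the report is internally consistent before building a theory on it."""
    offset = info["addr"] - info["object"]
    lo, hi = info["region"]
    return {
        "offset_matches": offset == info["offset"],
        "access_inside_object": 0 <= offset and offset + info["size"] <= info["cache_size"],
        "region_matches_cache": lo == info["object"] and hi - lo == info["cache_size"],
        "shadow_says_freed": shadow_byte(info, info["addr"]) == 0xfb,
    }

def summarize(info):
    sb = shadow_byte(info, info["addr"])
    return {
        "bug": info["bug"],
        "faulting_function": info["where"],
        "access": f'{info["access"]} of {info["size"]} bytes at object+{info["addr"] - info["object"]:#x}',
        "object_owner": owner_frame(info["alloc_stack"]),
        "freed_in": owner_frame(info["free_stack"]),
        "shadow": SHADOW_LEGEND.get(sb, "no shadow row" if sb is None else f"shadow {sb:#04x}"),
        "context": f'freed by pid {info["free_pid"]}, used by {info["task"]} in {info.get("workqueue", "?")}',
    }

if __name__ == "__main__":
    parsed = parse_report(REPORT)
    for key, value in summarize(parsed).items():
        print(f"{key:>18}: {value}")
    print("checks:", cross_check(parsed))
```

Feed it a full dmesg capture rather than the trimmed sample and owner_frame() walks the complete stacks; if any cross_check() entry comes back False, the report was most likely truncated or spliced in transit and should not be used as-is.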