[ 5551.698412][ T9052] ==================================================================
[ 5551.698829][ T9052] BUG: KASAN: slab-use-after-free in __unix_walk_scc+0x8e0/0xce0
[ 5551.699087][ T9052] Read of size 8 at addr ffff888011486fd0 by task kworker/u19:1/9052
[ 5551.699337][ T9052]
[ 5551.699425][ T9052] CPU: 2 UID: 0 PID: 9052 Comm: kworker/u19:1 Not tainted 6.16.0-rc1-virtme #1 PREEMPT(full)
[ 5551.699431][ T9052] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 5551.699433][ T9052] Workqueue: events_unbound __unix_gc
[ 5551.699439][ T9052] Call Trace:
[ 5551.699441][ T9052]  <TASK>
[ 5551.699443][ T9052]  dump_stack_lvl+0x82/0xd0
[ 5551.699454][ T9052]  print_address_description.constprop.0+0x2c/0x400
[ 5551.699463][ T9052]  ? __unix_walk_scc+0x8e0/0xce0
[ 5551.699467][ T9052]  print_report+0xb4/0x270
[ 5551.699470][ T9052]  ? __unix_walk_scc+0x8e0/0xce0
[ 5551.699474][ T9052]  ? kasan_addr_to_slab+0x25/0x80
[ 5551.699478][ T9052]  ? __unix_walk_scc+0x8e0/0xce0
[ 5551.699481][ T9052]  kasan_report+0xca/0x100
[ 5551.699485][ T9052]  ? __unix_walk_scc+0x8e0/0xce0
[ 5551.699491][ T9052]  __unix_walk_scc+0x8e0/0xce0
[ 5551.699497][ T9052]  ? __pfx___unix_walk_scc+0x10/0x10
[ 5551.699501][ T9052]  ? do_raw_spin_lock+0x130/0x270
[ 5551.699508][ T9052]  ? __pfx_do_raw_spin_lock+0x10/0x10
[ 5551.699512][ T9052]  ? lock_acquire+0x10c/0x170
[ 5551.699515][ T9052]  ? __unix_gc+0x8b/0x400
[ 5551.699521][ T9052]  __unix_gc+0x29f/0x400
[ 5551.699525][ T9052]  ? __pfx___unix_gc+0x10/0x10
[ 5551.699532][ T9052]  ? rcu_is_watching+0x12/0xc0
[ 5551.699540][ T9052]  ? rcu_is_watching+0x12/0xc0
[ 5551.699544][ T9052]  process_one_work+0xe43/0x1660
[ 5551.699553][ T9052]  ? __pfx_process_one_work+0x10/0x10
[ 5551.699558][ T9052]  ? assign_work+0x16c/0x240
[ 5551.699567][ T9052]  worker_thread+0x591/0xcf0
[ 5551.699572][ T9052]  ? __pfx_worker_thread+0x10/0x10
[ 5551.699576][ T9052]  kthread+0x37e/0x600
[ 5551.699580][ T9052]  ? __pfx_kthread+0x10/0x10
[ 5551.699582][ T9052]  ? ret_from_fork+0x1b/0x320
[ 5551.699589][ T9052]  ? __lock_release+0x5d/0x170
[ 5551.699593][ T9052]  ? rcu_is_watching+0x12/0xc0
[ 5551.699596][ T9052]  ? __pfx_kthread+0x10/0x10
[ 5551.699599][ T9052]  ret_from_fork+0x240/0x320
[ 5551.699602][ T9052]  ? __pfx_kthread+0x10/0x10
[ 5551.699604][ T9052]  ret_from_fork_asm+0x1a/0x30
[ 5551.699615][ T9052]  </TASK>
[ 5551.699616][ T9052]
[ 5551.705959][ T9052] Allocated by task 31080:
[ 5551.706121][ T9052]  kasan_save_stack+0x24/0x50
[ 5551.706293][ T9052]  kasan_save_track+0x14/0x30
[ 5551.706465][ T9052]  __kasan_slab_alloc+0x59/0x70
[ 5551.706637][ T9052]  kmem_cache_alloc_noprof+0x10b/0x330
[ 5551.706813][ T9052]  sk_prot_alloc.constprop.0+0x4e/0x1b0
[ 5551.706985][ T9052]  sk_alloc+0x36/0x6c0
[ 5551.707117][ T9052]  unix_create1+0x84/0x6f0
[ 5551.707286][ T9052]  unix_create+0xcb/0x170
[ 5551.707413][ T9052]  __sock_create+0x23c/0x6a0
[ 5551.707583][ T9052]  __sys_socket+0x11a/0x1d0
[ 5551.707753][ T9052]  __x64_sys_socket+0x72/0xb0
[ 5551.707922][ T9052]  do_syscall_64+0xc1/0x380
[ 5551.708094][ T9052]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 5551.708304][ T9052]
[ 5551.708390][ T9052] Freed by task 31080:
[ 5551.708514][ T9052]  kasan_save_stack+0x24/0x50
[ 5551.708683][ T9052]  kasan_save_track+0x14/0x30
[ 5551.708856][ T9052]  kasan_save_free_info+0x3b/0x60
[ 5551.709098][ T9052]  __kasan_slab_free+0x38/0x50
[ 5551.709330][ T9052]  kmem_cache_free+0x149/0x330
[ 5551.709560][ T9052]  __sk_destruct+0x46e/0x780
[ 5551.709803][ T9052]  unix_release_sock+0xa0e/0xf90
[ 5551.710033][ T9052]  unix_release+0x8c/0xf0
[ 5551.710181][ T9052]  __sock_release+0xa6/0x260
[ 5551.710352][ T9052]  sock_close+0x18/0x20
[ 5551.710477][ T9052]  __fput+0x35c/0xa80
[ 5551.710607][ T9052]  fput_close_sync+0xdd/0x190
[ 5551.710774][ T9052]  __x64_sys_close+0x7d/0xd0
[ 5551.710946][ T9052]  do_syscall_64+0xc1/0x380
[ 5551.711117][ T9052]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 5551.711322][ T9052]
[ 5551.711408][ T9052] The buggy address belongs to the object at ffff888011486940
[ 5551.711408][ T9052]  which belongs to the cache UNIX-STREAM of size 1984
[ 5551.711851][ T9052] The buggy address is located 1680 bytes inside of
[ 5551.711851][ T9052]  freed 1984-byte region [ffff888011486940, ffff888011487100)
[ 5551.712267][ T9052]
[ 5551.712350][ T9052] The buggy address belongs to the physical page:
[ 5551.712549][ T9052] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11480
[ 5551.712855][ T9052] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 5551.713107][ T9052] flags: 0x80000000000040(head|node=0|zone=1)
[ 5551.713318][ T9052] page_type: f5(slab)
[ 5551.713452][ T9052] raw: 0080000000000040 ffff888005480dc0 ffffea0000273e10 ffffea0000452210
[ 5551.713843][ T9052] raw: 0000000000000000 00000000000e000e 00000000f5000000 0000000000000000
[ 5551.714238][ T9052] head: 0080000000000040 ffff888005480dc0 ffffea0000273e10 ffffea0000452210
[ 5551.714539][ T9052] head: 0000000000000000 00000000000e000e 00000000f5000000 0000000000000000
[ 5551.714838][ T9052] head: 0080000000000003 ffffea0000452001 00000000ffffffff 00000000ffffffff
[ 5551.715134][ T9052] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 5551.715432][ T9052] page dumped because: kasan: bad access detected
[ 5551.715635][ T9052]
[ 5551.715716][ T9052] Memory state around the buggy address:
[ 5551.715878][ T9052]  ffff888011486e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5551.716120][ T9052]  ffff888011486f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5551.716368][ T9052] >ffff888011486f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5551.716615][ T9052]                                                  ^
[ 5551.716822][ T9052]  ffff888011487000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5551.717064][ T9052]  ffff888011487080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5551.717303][ T9052] ==================================================================
[ 5551.717754][ T9052] Disabling lock debugging due to kernel taint