[ 6107.372430][ T46] ==================================================================
[ 6107.372794][ T46] BUG: KASAN: slab-use-after-free in __unix_walk_scc+0x8e0/0xce0
[ 6107.373042][ T46] Read of size 8 at addr ffff888011b34cd0 by task kworker/u20:1/46
[ 6107.373265][ T46]
[ 6107.373352][ T46] CPU: 3 UID: 0 PID: 46 Comm: kworker/u20:1 Not tainted 6.16.0-rc1-virtme #1 PREEMPT(full)
[ 6107.373357][ T46] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 6107.373360][ T46] Workqueue: events_unbound __unix_gc
[ 6107.373366][ T46] Call Trace:
[ 6107.373370][ T46]
[ 6107.373372][ T46]  dump_stack_lvl+0x82/0xd0
[ 6107.373390][ T46]  print_address_description.constprop.0+0x2c/0x400
[ 6107.373404][ T46]  ? __unix_walk_scc+0x8e0/0xce0
[ 6107.373409][ T46]  print_report+0xb4/0x270
[ 6107.373412][ T46]  ? __unix_walk_scc+0x8e0/0xce0
[ 6107.373415][ T46]  ? kasan_addr_to_slab+0x25/0x80
[ 6107.373419][ T46]  ? __unix_walk_scc+0x8e0/0xce0
[ 6107.373422][ T46]  kasan_report+0xca/0x100
[ 6107.373426][ T46]  ? __unix_walk_scc+0x8e0/0xce0
[ 6107.373432][ T46]  __unix_walk_scc+0x8e0/0xce0
[ 6107.373437][ T46]  ? __pfx___unix_walk_scc+0x10/0x10
[ 6107.373441][ T46]  ? do_raw_spin_lock+0x130/0x270
[ 6107.373451][ T46]  ? __pfx_do_raw_spin_lock+0x10/0x10
[ 6107.373455][ T46]  ? lock_acquire+0x10c/0x170
[ 6107.373458][ T46]  ? __unix_gc+0x8b/0x400
[ 6107.373463][ T46]  __unix_gc+0x29f/0x400
[ 6107.373467][ T46]  ? __pfx___unix_gc+0x10/0x10
[ 6107.373473][ T46]  ? rcu_is_watching+0x12/0xc0
[ 6107.373486][ T46]  ? rcu_is_watching+0x12/0xc0
[ 6107.373490][ T46]  process_one_work+0xe43/0x1660
[ 6107.373499][ T46]  ? __pfx_process_one_work+0x10/0x10
[ 6107.373504][ T46]  ? assign_work+0x16c/0x240
[ 6107.373511][ T46]  worker_thread+0x591/0xcf0
[ 6107.373517][ T46]  ? __pfx_worker_thread+0x10/0x10
[ 6107.373520][ T46]  kthread+0x37e/0x600
[ 6107.373524][ T46]  ? __pfx_kthread+0x10/0x10
[ 6107.373526][ T46]  ? ret_from_fork+0x1b/0x320
[ 6107.373532][ T46]  ? __lock_release+0x5d/0x170
[ 6107.373536][ T46]  ? rcu_is_watching+0x12/0xc0
[ 6107.373539][ T46]  ? __pfx_kthread+0x10/0x10
[ 6107.373542][ T46]  ret_from_fork+0x240/0x320
[ 6107.373545][ T46]  ? __pfx_kthread+0x10/0x10
[ 6107.373548][ T46]  ret_from_fork_asm+0x1a/0x30
[ 6107.373563][ T46]
[ 6107.373565][ T46]
[ 6107.379303][ T46] Allocated by task 31343:
[ 6107.379457][ T46]  kasan_save_stack+0x24/0x50
[ 6107.379616][ T46]  kasan_save_track+0x14/0x30
[ 6107.379776][ T46]  __kasan_slab_alloc+0x59/0x70
[ 6107.379930][ T46]  kmem_cache_alloc_noprof+0x10b/0x330
[ 6107.380087][ T46]  sk_prot_alloc.constprop.0+0x4e/0x1b0
[ 6107.380252][ T46]  sk_alloc+0x36/0x6c0
[ 6107.380373][ T46]  unix_create1+0x84/0x6f0
[ 6107.380529][ T46]  unix_create+0xcb/0x170
[ 6107.380647][ T46]  __sock_create+0x23c/0x6a0
[ 6107.380801][ T46]  __sys_socket+0x11a/0x1d0
[ 6107.380952][ T46]  __x64_sys_socket+0x72/0xb0
[ 6107.381102][ T46]  do_syscall_64+0xc1/0x380
[ 6107.381262][ T46]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 6107.381453][ T46]
[ 6107.381529][ T46] Freed by task 31343:
[ 6107.381647][ T46]  kasan_save_stack+0x24/0x50
[ 6107.381803][ T46]  kasan_save_track+0x14/0x30
[ 6107.381957][ T46]  kasan_save_free_info+0x3b/0x60
[ 6107.382113][ T46]  __kasan_slab_free+0x38/0x50
[ 6107.382266][ T46]  kmem_cache_free+0x149/0x330
[ 6107.382438][ T46]  __sk_destruct+0x46e/0x780
[ 6107.382588][ T46]  unix_release_sock+0xa0e/0xf90
[ 6107.382746][ T46]  unix_release+0x8c/0xf0
[ 6107.382860][ T46]  __sock_release+0xa6/0x260
[ 6107.383012][ T46]  sock_close+0x18/0x20
[ 6107.383132][ T46]  __fput+0x35c/0xa80
[ 6107.383254][ T46]  fput_close_sync+0xdd/0x190
[ 6107.383408][ T46]  __x64_sys_close+0x7d/0xd0
[ 6107.383560][ T46]  do_syscall_64+0xc1/0x380
[ 6107.383711][ T46]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 6107.383896][ T46]
[ 6107.383972][ T46] The buggy address belongs to the object at ffff888011b34640
[ 6107.383972][ T46]  which belongs to the cache UNIX-STREAM of size 1984
[ 6107.384372][ T46] The buggy address is located 1680 bytes inside of
[ 6107.384372][ T46]  freed 1984-byte region [ffff888011b34640, ffff888011b34e00)
[ 6107.384738][ T46]
[ 6107.384816][ T46] The buggy address belongs to the physical page:
[ 6107.384999][ T46] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11b30
[ 6107.385270][ T46] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 6107.385505][ T46] flags: 0x80000000000040(head|node=0|zone=1)
[ 6107.385707][ T46] page_type: f5(slab)
[ 6107.385828][ T46] raw: 0080000000000040 ffff888005ad6dc0 ffffea0000463c10 ffff888005c12828
[ 6107.386104][ T46] raw: 0000000000000000 00000000000e000e 00000000f5000000 0000000000000000
[ 6107.386374][ T46] head: 0080000000000040 ffff888005ad6dc0 ffffea0000463c10 ffff888005c12828
[ 6107.386651][ T46] head: 0000000000000000 00000000000e000e 00000000f5000000 0000000000000000
[ 6107.386920][ T46] head: 0080000000000003 ffffea000046cc01 00000000ffffffff 00000000ffffffff
[ 6107.387190][ T46] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 6107.387468][ T46] page dumped because: kasan: bad access detected
[ 6107.387654][ T46]
[ 6107.387734][ T46] Memory state around the buggy address:
[ 6107.387881][ T46]  ffff888011b34b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 6107.388103][ T46]  ffff888011b34c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 6107.388325][ T46] >ffff888011b34c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 6107.388547][ T46]                                                  ^
[ 6107.388734][ T46]  ffff888011b34d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 6107.389042][ T46]  ffff888011b34d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 6107.389260][ T46] ==================================================================
[ 6107.389512][ T46] Disabling lock debugging due to kernel taint