[ 143.969867][ T37] ==================================================================
[ 143.970213][ T37] BUG: KASAN: slab-use-after-free in __unix_walk_scc+0x8e0/0xce0
[ 143.970454][ T37] Read of size 8 at addr ffff8880169eccd0 by task kworker/u19:0/37
[ 143.970682][ T37]
[ 143.970763][ T37] CPU: 2 UID: 0 PID: 37 Comm: kworker/u19:0 Not tainted 6.16.0-rc1-virtme #1 PREEMPT(full)
[ 143.970768][ T37] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 143.970770][ T37] Workqueue: events_unbound __unix_gc
[ 143.970775][ T37] Call Trace:
[ 143.970777][ T37]
[ 143.970779][ T37]  dump_stack_lvl+0x82/0xd0
[ 143.970787][ T37]  print_address_description.constprop.0+0x2c/0x400
[ 143.970795][ T37]  ? __unix_walk_scc+0x8e0/0xce0
[ 143.970799][ T37]  print_report+0xb4/0x270
[ 143.970802][ T37]  ? __unix_walk_scc+0x8e0/0xce0
[ 143.970805][ T37]  ? kasan_addr_to_slab+0x25/0x80
[ 143.970809][ T37]  ? __unix_walk_scc+0x8e0/0xce0
[ 143.970812][ T37]  kasan_report+0xca/0x100
[ 143.970816][ T37]  ? __unix_walk_scc+0x8e0/0xce0
[ 143.970822][ T37]  __unix_walk_scc+0x8e0/0xce0
[ 143.970827][ T37]  ? __pfx___unix_walk_scc+0x10/0x10
[ 143.970833][ T37]  ? do_raw_spin_lock+0x130/0x270
[ 143.970839][ T37]  ? __pfx_do_raw_spin_lock+0x10/0x10
[ 143.970842][ T37]  ? lock_acquire+0x10c/0x170
[ 143.970845][ T37]  ? __unix_gc+0x8b/0x400
[ 143.970850][ T37]  __unix_gc+0x29f/0x400
[ 143.970854][ T37]  ? __pfx___unix_gc+0x10/0x10
[ 143.970861][ T37]  ? rcu_is_watching+0x12/0xc0
[ 143.970867][ T37]  ? rcu_is_watching+0x12/0xc0
[ 143.970871][ T37]  process_one_work+0xe43/0x1660
[ 143.970879][ T37]  ? __pfx_process_one_work+0x10/0x10
[ 143.970885][ T37]  ? assign_work+0x16c/0x240
[ 143.970892][ T37]  worker_thread+0x591/0xcf0
[ 143.970897][ T37]  ? __pfx_worker_thread+0x10/0x10
[ 143.970901][ T37]  kthread+0x37e/0x600
[ 143.970905][ T37]  ? __pfx_kthread+0x10/0x10
[ 143.970907][ T37]  ? ret_from_fork+0x1b/0x320
[ 143.970912][ T37]  ? __lock_release+0x5d/0x170
[ 143.970915][ T37]  ? rcu_is_watching+0x12/0xc0
[ 143.970919][ T37]  ? __pfx_kthread+0x10/0x10
[ 143.970922][ T37]  ret_from_fork+0x240/0x320
[ 143.970924][ T37]  ? __pfx_kthread+0x10/0x10
[ 143.970927][ T37]  ret_from_fork_asm+0x1a/0x30
[ 143.970937][ T37]
[ 143.970938][ T37]
[ 143.976748][ T37] Allocated by task 1592:
[ 143.976863][ T37]  kasan_save_stack+0x24/0x50
[ 143.977021][ T37]  kasan_save_track+0x14/0x30
[ 143.977179][ T37]  __kasan_slab_alloc+0x59/0x70
[ 143.977347][ T37]  kmem_cache_alloc_noprof+0x10b/0x330
[ 143.977501][ T37]  sk_prot_alloc.constprop.0+0x4e/0x1b0
[ 143.977659][ T37]  sk_alloc+0x36/0x6c0
[ 143.977779][ T37]  unix_create1+0x84/0x6f0
[ 143.977933][ T37]  unix_create+0xcb/0x170
[ 143.978048][ T37]  __sock_create+0x23c/0x6a0
[ 143.978205][ T37]  __sys_socket+0x11a/0x1d0
[ 143.978356][ T37]  __x64_sys_socket+0x72/0xb0
[ 143.978518][ T37]  do_syscall_64+0xc1/0x380
[ 143.978674][ T37]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 143.978867][ T37]
[ 143.978943][ T37] Freed by task 1592:
[ 143.979056][ T37]  kasan_save_stack+0x24/0x50
[ 143.979210][ T37]  kasan_save_track+0x14/0x30
[ 143.979359][ T37]  kasan_save_free_info+0x3b/0x60
[ 143.979510][ T37]  __kasan_slab_free+0x38/0x50
[ 143.979661][ T37]  kmem_cache_free+0x149/0x330
[ 143.979814][ T37]  __sk_destruct+0x46e/0x780
[ 143.979965][ T37]  unix_release_sock+0xa0e/0xf90
[ 143.980116][ T37]  unix_release+0x8c/0xf0
[ 143.980232][ T37]  __sock_release+0xa6/0x260
[ 143.980390][ T37]  sock_close+0x18/0x20
[ 143.980504][ T37]  __fput+0x35c/0xa80
[ 143.980618][ T37]  fput_close_sync+0xdd/0x190
[ 143.980767][ T37]  __x64_sys_close+0x7d/0xd0
[ 143.980918][ T37]  do_syscall_64+0xc1/0x380
[ 143.981067][ T37]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 143.981255][ T37]
[ 143.981332][ T37] The buggy address belongs to the object at ffff8880169ec640
[ 143.981332][ T37]  which belongs to the cache UNIX-STREAM of size 1984
[ 143.981736][ T37] The buggy address is located 1680 bytes inside of
[ 143.981736][ T37]  freed 1984-byte region [ffff8880169ec640, ffff8880169ece00)
[ 143.982102][ T37]
[ 143.982179][ T37] The buggy address belongs to the physical page:
[ 143.982360][ T37] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x169e8
[ 143.982634][ T37] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 143.982866][ T37] flags: 0x80000000000040(head|node=0|zone=1)
[ 143.983063][ T37] page_type: f5(slab)
[ 143.983184][ T37] raw: 0080000000000040 ffff888005b4cdc0 ffffea0000192210 ffff888005bc2828
[ 143.983460][ T37] raw: 0000000000000000 00000000000e000e 00000000f5000000 0000000000000000
[ 143.983759][ T37] head: 0080000000000040 ffff888005b4cdc0 ffffea0000192210 ffff888005bc2828
[ 143.984043][ T37] head: 0000000000000000 00000000000e000e 00000000f5000000 0000000000000000
[ 143.984320][ T37] head: 0080000000000003 ffffea00005a7a01 00000000ffffffff 00000000ffffffff
[ 143.984602][ T37] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 143.984881][ T37] page dumped because: kasan: bad access detected
[ 143.985082][ T37]
[ 143.985157][ T37] Memory state around the buggy address:
[ 143.985303][ T37]  ffff8880169ecb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 143.985528][ T37]  ffff8880169ecc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 143.985745][ T37] >ffff8880169ecc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 143.985972][ T37]                                                  ^
[ 143.986155][ T37]  ffff8880169ecd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 143.986396][ T37]  ffff8880169ecd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 143.986620][ T37] ==================================================================
[ 143.986906][ T37] Disabling lock debugging due to kernel taint