[ 5567.773889][ T6942] ==================================================================
[ 5567.774235][ T6942] BUG: KASAN: slab-use-after-free in unix_vertex_dead+0x325/0x3b0
[ 5567.774496][ T6942] Read of size 8 at addr ffff888004e306d0 by task kworker/u18:3/6942
[ 5567.774820][ T6942]
[ 5567.774908][ T6942] CPU: 1 UID: 0 PID: 6942 Comm: kworker/u18:3 Not tainted 6.16.0-rc1-virtme #1 PREEMPT(full)
[ 5567.774913][ T6942] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 5567.774917][ T6942] Workqueue: events_unbound __unix_gc
[ 5567.774924][ T6942] Call Trace:
[ 5567.774928][ T6942]
[ 5567.774930][ T6942] dump_stack_lvl+0x82/0xd0
[ 5567.774948][ T6942] print_address_description.constprop.0+0x2c/0x400
[ 5567.774966][ T6942] ? unix_vertex_dead+0x325/0x3b0
[ 5567.774970][ T6942] print_report+0xb4/0x270
[ 5567.774973][ T6942] ? unix_vertex_dead+0x325/0x3b0
[ 5567.774977][ T6942] ? kasan_addr_to_slab+0x25/0x80
[ 5567.774980][ T6942] ? unix_vertex_dead+0x325/0x3b0
[ 5567.774983][ T6942] kasan_report+0xca/0x100
[ 5567.774987][ T6942] ? unix_vertex_dead+0x325/0x3b0
[ 5567.774993][ T6942] unix_vertex_dead+0x325/0x3b0
[ 5567.774998][ T6942] unix_walk_scc_fast+0x232/0x550
[ 5567.775002][ T6942] ? do_raw_spin_lock+0x130/0x270
[ 5567.775015][ T6942] ? __pfx_unix_walk_scc_fast+0x10/0x10
[ 5567.775018][ T6942] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 5567.775022][ T6942] ? lock_acquire+0x10c/0x170
[ 5567.775025][ T6942] ? __unix_gc+0x8b/0x400
[ 5567.775030][ T6942] __unix_gc+0xdc/0x400
[ 5567.775034][ T6942] ? __pfx___unix_gc+0x10/0x10
[ 5567.775041][ T6942] ? rcu_is_watching+0x12/0xc0
[ 5567.775052][ T6942] ? rcu_is_watching+0x12/0xc0
[ 5567.775056][ T6942] process_one_work+0xe43/0x1660
[ 5567.775072][ T6942] ? __pfx_process_one_work+0x10/0x10
[ 5567.775078][ T6942] ? assign_work+0x16c/0x240
[ 5567.775085][ T6942] worker_thread+0x591/0xcf0
[ 5567.775092][ T6942] ? __pfx_worker_thread+0x10/0x10
[ 5567.775096][ T6942] kthread+0x37e/0x600
[ 5567.775101][ T6942] ? __pfx_kthread+0x10/0x10
[ 5567.775103][ T6942] ? ret_from_fork+0x1b/0x320
[ 5567.775114][ T6942] ? __lock_release+0x5d/0x170
[ 5567.775118][ T6942] ? rcu_is_watching+0x12/0xc0
[ 5567.775121][ T6942] ? __pfx_kthread+0x10/0x10
[ 5567.775125][ T6942] ret_from_fork+0x240/0x320
[ 5567.775128][ T6942] ? __pfx_kthread+0x10/0x10
[ 5567.775130][ T6942] ret_from_fork_asm+0x1a/0x30
[ 5567.775146][ T6942]
[ 5567.775147][ T6942]
[ 5567.781988][ T6942] Allocated by task 6385:
[ 5567.782111][ T6942] kasan_save_stack+0x24/0x50
[ 5567.782277][ T6942] kasan_save_track+0x14/0x30
[ 5567.782533][ T6942] __kasan_slab_alloc+0x59/0x70
[ 5567.782690][ T6942] kmem_cache_alloc_noprof+0x10b/0x330
[ 5567.782856][ T6942] sk_prot_alloc.constprop.0+0x4e/0x1b0
[ 5567.783025][ T6942] sk_alloc+0x36/0x6c0
[ 5567.783238][ T6942] unix_create1+0x84/0x6f0
[ 5567.783397][ T6942] unix_create+0xcb/0x170
[ 5567.783516][ T6942] __sock_create+0x23c/0x6a0
[ 5567.783680][ T6942] __sys_socket+0x11a/0x1d0
[ 5567.783931][ T6942] __x64_sys_socket+0x72/0xb0
[ 5567.784089][ T6942] do_syscall_64+0xc1/0x380
[ 5567.784254][ T6942] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 5567.784455][ T6942]
[ 5567.784623][ T6942] Freed by task 6385:
[ 5567.784748][ T6942] kasan_save_stack+0x24/0x50
[ 5567.784913][ T6942] kasan_save_track+0x14/0x30
[ 5567.785075][ T6942] kasan_save_free_info+0x3b/0x60
[ 5567.785240][ T6942] __kasan_slab_free+0x38/0x50
[ 5567.785498][ T6942] kmem_cache_free+0x149/0x330
[ 5567.785658][ T6942] __sk_destruct+0x46e/0x780
[ 5567.785821][ T6942] unix_release_sock+0xa0e/0xf90
[ 5567.785979][ T6942] unix_release+0x8c/0xf0
[ 5567.786198][ T6942] __sock_release+0xa6/0x260
[ 5567.786360][ T6942] sock_close+0x18/0x20
[ 5567.786486][ T6942] __fput+0x35c/0xa80
[ 5567.786607][ T6942] fput_close_sync+0xdd/0x190
[ 5567.786859][ T6942] __x64_sys_close+0x7d/0xd0
[ 5567.787017][ T6942] do_syscall_64+0xc1/0x380
[ 5567.787172][ T6942] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 5567.787365][ T6942]
[ 5567.787445][ T6942] The buggy address belongs to the object at ffff888004e30040
[ 5567.787445][ T6942] which belongs to the cache UNIX-STREAM of size 1984
[ 5567.787944][ T6942] The buggy address is located 1680 bytes inside of
[ 5567.787944][ T6942] freed 1984-byte region [ffff888004e30040, ffff888004e30800)
[ 5567.788411][ T6942]
[ 5567.788490][ T6942] The buggy address belongs to the physical page:
[ 5567.788680][ T6942] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4e30
[ 5567.789072][ T6942] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 5567.789313][ T6942] flags: 0x80000000000040(head|node=0|zone=1)
[ 5567.789519][ T6942] page_type: f5(slab)
[ 5567.789745][ T6942] raw: 0080000000000040 ffff888005ad4dc0 ffffea0000574210 ffff888005ad8828
[ 5567.790029][ T6942] raw: 0000000000000000 00000000000e000e 00000000f5000000 0000000000000000
[ 5567.790315][ T6942] head: 0080000000000040 ffff888005ad4dc0 ffffea0000574210 ffff888005ad8828
[ 5567.790706][ T6942] head: 0000000000000000 00000000000e000e 00000000f5000000 0000000000000000
[ 5567.790995][ T6942] head: 0080000000000003 ffffea0000138c01 00000000ffffffff 00000000ffffffff
[ 5567.791375][ T6942] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 5567.791656][ T6942] page dumped because: kasan: bad access detected
[ 5567.791854][ T6942]
[ 5567.792018][ T6942] Memory state around the buggy address:
[ 5567.792168][ T6942] ffff888004e30580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5567.792398][ T6942] ffff888004e30600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5567.792713][ T6942] >ffff888004e30680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5567.792946][ T6942] ^
[ 5567.793133][ T6942] ffff888004e30700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5567.793449][ T6942] ffff888004e30780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5567.793676][ T6942] ==================================================================
[ 5567.793966][ T6942] Disabling lock debugging due to kernel taint