ci starts bisection 2024-04-20 18:40:36.687940772 +0000 UTC m=+210799.669069028
bisecting cause commit starting from 7b4f2bc91c15fdcf948bb2d9741a9d7d54303f8d
building syzkaller on af24b0505c748561efb50f1d03c824d6642f6c0b
fetch other tags and check if the commit is present
ensuring issue is reproducible on original commit 7b4f2bc91c15fdcf948bb2d9741a9d7d54303f8d
testing commit 7b4f2bc91c15fdcf948bb2d9741a9d7d54303f8d gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: aa65c5054ee5f5b91f599e2184c7413fa223ef722eba74919a366afdc2bcdfd8
all runs: crashed: KASAN: slab-use-after-free Read in unix_del_edges
representative crash: KASAN: slab-use-after-free Read in unix_del_edges, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 7b4f2bc91c15fdcf948bb2d9741a9d7d54303f8d gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d78cb097fe474be4b83fbef1d540ce9728bd6f70eeb136f96eca0ec4795f1353
all runs: crashed: KASAN: slab-use-after-free Read in unix_del_edges
representative crash: KASAN: slab-use-after-free Read in unix_del_edges, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
kconfig minimization: base=3976 full=8025 leaves diff=2014
split chunks (needed=false): <2014>
split chunk #0 of len 2014 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 7b4f2bc91c15fdcf948bb2d9741a9d7d54303f8d gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ae068c1050f2d8aa02901114b4c1596a6a529334068263e71d1cd3ed3ef89739
all runs: crashed: KASAN: slab-use-after-free Read in unix_del_edges
representative crash: KASAN: slab-use-after-free Read in unix_del_edges, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 7b4f2bc91c15fdcf948bb2d9741a9d7d54303f8d gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c4857f528a838098b7e1a5e1ee2286dbb95779bdb9b217d0ad985504b740e735
all runs: crashed: KASAN: slab-use-after-free Read in unix_del_edges
representative crash: KASAN: slab-use-after-free Read in unix_del_edges, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 7b4f2bc91c15fdcf948bb2d9741a9d7d54303f8d gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d8104cf0e45fc9106c4d1d3bdf8d754f2faffd056f171175f19a037108a78237
all runs: crashed: KASAN: slab-use-after-free Read in unix_del_edges
representative crash: KASAN: slab-use-after-free Read in unix_del_edges, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 7b4f2bc91c15fdcf948bb2d9741a9d7d54303f8d gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3ff305e44c6a06abd59b49b3010f99fb0f5a55870d08f8114a15511ff503ec9b
all runs: crashed: KASAN: slab-use-after-free Read in unix_del_edges
representative crash: KASAN: slab-use-after-free Read in unix_del_edges, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 7b4f2bc91c15fdcf948bb2d9741a9d7d54303f8d gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d5f04dbd218c7eefd573c33bc1f9f23faa1dc96ba52620fd1fdfea9b8ce499a6
all runs: crashed: KASAN: slab-use-after-free Read in unix_del_edges
representative crash: KASAN: slab-use-after-free Read in unix_del_edges, types: [KASAN]
the chunk can be dropped
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
picked [v6.8 v6.7 v6.6 v6.4 v6.2 v6.0 v5.18 v5.16 v5.13 v5.10 v5.7 v5.4 v5.1 v4.19] out of 31 release tags
testing release v6.8
testing commit e8f897f4afef0031fe618a8e94127a0934896aba gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5019b4be3c628763d0f498f91cbaf7bbf67948eb42f1577d777788c731358042
all runs: OK
false negative chance: 0.000
# git bisect start 7b4f2bc91c15fdcf948bb2d9741a9d7d54303f8d e8f897f4afef0031fe618a8e94127a0934896aba
Bisecting: 10725 revisions left to test after this (roughly 13 steps)
[8a2fbffcbfcb60378626e5d4144a6ff43f3b6776] Merge tag 'sparc-for-6.9-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/alarsson/linux-sparc
testing commit 8a2fbffcbfcb60378626e5d4144a6ff43f3b6776 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 30dc97746e6a5aa0ca58e1f5531513433977b3e44200d1a465bb1f63640da546
all runs: OK
false negative chance: 0.000
# git bisect good 8a2fbffcbfcb60378626e5d4144a6ff43f3b6776
Bisecting: 5364 revisions left to test after this (roughly 12 steps)
[3be1e7d95d6a6a70b5d4fffdd5ec7e7ff5f49e4c] Merge branch 'sunxi/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux.git
testing commit 3be1e7d95d6a6a70b5d4fffdd5ec7e7ff5f49e4c gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0b854e8d0a303034ddd8bc4211e9612291013cb64f85c4ed893e3c8083322e70
all runs: OK
false negative chance: 0.000
# git bisect good 3be1e7d95d6a6a70b5d4fffdd5ec7e7ff5f49e4c
Bisecting: 2765 revisions left to test after this (roughly 11 steps)
[937818318078c43b29c73f64c304eb6a44265d42] Merge branch 'drm-next' of https://gitlab.freedesktop.org/agd5f/linux
testing commit 937818318078c43b29c73f64c304eb6a44265d42 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 23d42605722b45bac075e1f636ecd2328d31137373a8ebb994bc66ba33d86c61
all runs: crashed: KASAN: slab-use-after-free Read in unix_del_edges
representative crash: KASAN: slab-use-after-free Read in unix_del_edges, types: [KASAN]
# git bisect bad 937818318078c43b29c73f64c304eb6a44265d42
Bisecting: 1567 revisions left to test after this (roughly 10 steps)
[12a7fb580186dcfd4a7d75ce494b6b9fd69aae7b] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma.git
testing commit 12a7fb580186dcfd4a7d75ce494b6b9fd69aae7b gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f73933ad656e2243910db0103463b0cdfd37dede7119607af2f38a30ff52826c
all runs: OK
false negative chance: 0.000
# git bisect good 12a7fb580186dcfd4a7d75ce494b6b9fd69aae7b
Bisecting: 751 revisions left to test after this (roughly 10 steps)
[87ef2f0d98e0a1df0501531d77d6c3f20070ef14] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git
testing commit 87ef2f0d98e0a1df0501531d77d6c3f20070ef14 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cc6da4318dcd1ac402a0c1850ae2fa642c76af602c018677005bc3f8ff470858
all runs: crashed: KASAN: slab-use-after-free Read in unix_del_edges
representative crash: KASAN: slab-use-after-free Read in unix_del_edges, types: [KASAN]
# git bisect bad 87ef2f0d98e0a1df0501531d77d6c3f20070ef14
Bisecting: 407 revisions left to test after this (roughly 9 steps)
[fb29028ae7181fbe268d94f6b69d172da4e3640f] mlxsw: pci: Do not setup tasklet from operation
testing commit fb29028ae7181fbe268d94f6b69d172da4e3640f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4224e8c42c135e5118685fae5384f39edc3d2324bc747c577d334cdac3eeb90d
all runs: crashed: KASAN: slab-use-after-free Read in unix_del_edges
representative crash: KASAN: slab-use-after-free Read in unix_del_edges, types: [KASAN]
# git bisect bad fb29028ae7181fbe268d94f6b69d172da4e3640f
Bisecting: 203 revisions left to test after this (roughly 8 steps)
[22118810fc7cc98f3afb38919348060ab67ddc5b] ice: fold ice_ptp_read_time into ice_ptp_gettimex64
testing commit 22118810fc7cc98f3afb38919348060ab67ddc5b gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ba7a5d0f375f9f822299a9f3be0aed46c1f2fbfb557d47f8c877193e77918b2d
all runs: crashed: KASAN: slab-use-after-free Read in unix_del_edges
representative crash: KASAN: slab-use-after-free Read in unix_del_edges, types: [KASAN]
# git bisect bad 22118810fc7cc98f3afb38919348060ab67ddc5b
Bisecting: 101 revisions left to test after this (roughly 7 steps)
[b09353437b28ff8786e60aa9bd560a4474facfc0] bnxt_en: Simplify bnxt_rfs_capable()
testing commit b09353437b28ff8786e60aa9bd560a4474facfc0 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: be2f17b0a65835c60e261d72c46eb420811614fa169c5c72eb6ac851e14248c5
all runs: OK
false negative chance: 0.000
# git bisect good b09353437b28ff8786e60aa9bd560a4474facfc0
Bisecting: 50 revisions left to test after this (roughly 6 steps)
[730fffce4fd2eb7a0be2d0b6cd7e55e9194d76d5] devlink: use kvzalloc() to allocate devlink instance resources
testing commit 730fffce4fd2eb7a0be2d0b6cd7e55e9194d76d5 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d7efe57b2267986e9f8cb8e0e863cbdd23bfa5a79c3cda82bd6518c92c3b129e
all runs: crashed: KASAN: slab-use-after-free Read in unix_del_edges
representative crash: KASAN: slab-use-after-free Read in unix_del_edges, types: [KASAN]
# git bisect bad 730fffce4fd2eb7a0be2d0b6cd7e55e9194d76d5
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[42f298c06b30bfe0a8cbee5d38644e618699e26e] af_unix: Link struct unix_edge when queuing skb.
testing commit 42f298c06b30bfe0a8cbee5d38644e618699e26e gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cb84d2e801228636c74864da0f768e61ca1bf343f62f946cd9e3288c9cc1e100
all runs: OK
false negative chance: 0.000
# git bisect good 42f298c06b30bfe0a8cbee5d38644e618699e26e
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[da493dbb1f2a156a1b6d8d8a447f2c3affe43678] Merge branch 'af_unix-rework-gc'
testing commit da493dbb1f2a156a1b6d8d8a447f2c3affe43678 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7a9d9610eb94fd8cd631199e0ff1be8b96cec1f5063288810729086056139af1
all runs: crashed: KASAN: slab-use-after-free Read in unix_del_edges
representative crash: KASAN: slab-use-after-free Read in unix_del_edges, types: [KASAN]
# git bisect bad da493dbb1f2a156a1b6d8d8a447f2c3affe43678
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[ba31b4a4e1018f5844c6eb31734976e2184f2f9a] af_unix: Save O(n) setup of Tarjan's algo.
testing commit ba31b4a4e1018f5844c6eb31734976e2184f2f9a gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 31636ff295b78a1406ae209284b16375c55cfdc3266a1ed2609159d397efcdbe
all runs: OK
false negative chance: 0.000
# git bisect good ba31b4a4e1018f5844c6eb31734976e2184f2f9a
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[bfdb01283ee8f2f3089656c3ff8f62bb072dabb2] af_unix: Assign a unique index to SCC.
testing commit bfdb01283ee8f2f3089656c3ff8f62bb072dabb2 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c4ee0f83800233c4f1107b1d66b81a93366871d76edc984d1bea866f9b21a506
all runs: crashed: KASAN: slab-use-after-free Read in unix_del_edges
representative crash: KASAN: slab-use-after-free Read in unix_del_edges, types: [KASAN]
# git bisect bad bfdb01283ee8f2f3089656c3ff8f62bb072dabb2
Bisecting: 0 revisions left to test after this (roughly 1 step)
[ad081928a8b0f57f269df999a28087fce6f2b6ce] af_unix: Avoid Tarjan's algorithm if unnecessary.
testing commit ad081928a8b0f57f269df999a28087fce6f2b6ce gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a08b96adc0d99b18de96e0a57d0e83e95746d17cbf1142ccd17a28a7a5f2e1dc
all runs: crashed: KASAN: slab-use-after-free Read in unix_del_edges
representative crash: KASAN: slab-use-after-free Read in unix_del_edges, types: [KASAN]
# git bisect bad ad081928a8b0f57f269df999a28087fce6f2b6ce
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[77e5593aebba823bcbcf2c4b58b07efcd63933b8] af_unix: Skip GC if no cycle exists.
testing commit 77e5593aebba823bcbcf2c4b58b07efcd63933b8 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 978917860fe999335f8210fd0620a6057dc13e43e363fc58d09f8ea144c2974f
all runs: crashed: KASAN: slab-use-after-free Read in unix_del_edges
representative crash: KASAN: slab-use-after-free Read in unix_del_edges, types: [KASAN]
# git bisect bad 77e5593aebba823bcbcf2c4b58b07efcd63933b8
77e5593aebba823bcbcf2c4b58b07efcd63933b8 is the first bad commit
commit 77e5593aebba823bcbcf2c4b58b07efcd63933b8
Author: Kuniyuki Iwashima
Date:   Mon Mar 25 13:24:20 2024 -0700

    af_unix: Skip GC if no cycle exists.

    We do not need to run GC if there is no possible cyclic reference.
    We use unix_graph_maybe_cyclic to decide if we should run GC.

    If a fd of an AF_UNIX socket is passed to an already inflight AF_UNIX
    socket, they could form a cyclic reference. Then, we set true to
    unix_graph_maybe_cyclic and later run Tarjan's algorithm to group
    them into SCC.

    Once we run Tarjan's algorithm, we are 100% sure whether cyclic
    references exist or not. If there is no cycle, we set false to
    unix_graph_maybe_cyclic and can skip the entire garbage collection
    next time.

    When finalising SCC, we set true to unix_graph_maybe_cyclic if SCC
    consists of multiple vertices.

    Even if SCC is a single vertex, a cycle might exist as self-fd passing.
    Given the corner case is rare, we detect it by checking all edges of
    the vertex and set true to unix_graph_maybe_cyclic.

    With this change, __unix_gc() is just a spin_lock() dance in the normal
    usage.

    Signed-off-by: Kuniyuki Iwashima
    Acked-by: Paolo Abeni
    Link: https://lore.kernel.org/r/20240325202425.60930-11-kuniyu@amazon.com
    Signed-off-by: Jakub Kicinski

 net/unix/garbage.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)

accumulated error probability: 0.00
culprit signature: 978917860fe999335f8210fd0620a6057dc13e43e363fc58d09f8ea144c2974f
parent signature: 31636ff295b78a1406ae209284b16375c55cfdc3266a1ed2609159d397efcdbe
revisions tested: 23, total time: 9h25m3.364540783s (build: 4h35m56.092651355s, test: 4h31m24.039769748s)
first bad commit: 77e5593aebba823bcbcf2c4b58b07efcd63933b8 af_unix: Skip GC if no cycle exists.
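The culprit commit's message describes the rule that decides whether the af_unix garbage collector may be skipped: run Tarjan's algorithm over the graph of in-flight fds, flag the graph as maybe-cyclic when any SCC has more than one vertex, and scan a single-vertex SCC's edges for a self-loop (self-fd passing). The block below is an added example written for this page, not code from net/unix/garbage.c or from the patch, that models exactly that rule on a small graph. The names (inflight_graph, tarjan_state, graph_maybe_cyclic, edges_maybe_cyclic) and the edge convention (an edge X -> Y means an fd referring to socket X is queued in socket Y's receive queue) are this example's own assumptions; the kernel keeps edges on per-vertex lists, runs under its own lock, and is not reproduced here.

```c
/*
 * Added example, not kernel code: a model of the unix_graph_maybe_cyclic
 * decision the commit message describes. Vertices are AF_UNIX sockets; an
 * edge X -> Y means an fd of socket X is in flight, queued on socket Y
 * (assumed convention for this example only).
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_V 16
#define MAX_E 64

struct inflight_graph {
	int nv;           /* number of sockets (vertices) */
	int ne;           /* number of in-flight fds (edges) */
	int from[MAX_E];  /* socket whose fd is in flight */
	int to[MAX_E];    /* socket holding that fd in its queue */
};

struct tarjan_state {
	int index[MAX_V];
	int lowlink[MAX_V];
	bool on_stack[MAX_V];
	int stack[MAX_V];
	int sp;
	int counter;
	bool maybe_cyclic;
};

static void strongconnect(const struct inflight_graph *g,
			  struct tarjan_state *st, int v)
{
	st->index[v] = st->lowlink[v] = st->counter++;
	st->stack[st->sp++] = v;
	st->on_stack[v] = true;

	for (int e = 0; e < g->ne; e++) {
		int w;

		if (g->from[e] != v)
			continue;
		w = g->to[e];
		if (st->index[w] < 0) {
			strongconnect(g, st, w);
			if (st->lowlink[w] < st->lowlink[v])
				st->lowlink[v] = st->lowlink[w];
		} else if (st->on_stack[w] && st->index[w] < st->lowlink[v]) {
			st->lowlink[v] = st->index[w];
		}
	}

	if (st->lowlink[v] != st->index[v])
		return;

	/* v is the root of an SCC: pop it and count its vertices */
	int size = 0, w;
	do {
		w = st->stack[--st->sp];
		st->on_stack[w] = false;
		size++;
	} while (w != v);

	if (size > 1) {
		st->maybe_cyclic = true;
		return;
	}
	/* Single-vertex SCC: lowlink cannot tell a self-loop from an isolated
	 * vertex, so scan its edges for self-fd passing, as the commit does. */
	for (int e = 0; e < g->ne; e++)
		if (g->from[e] == v && g->to[e] == v)
			st->maybe_cyclic = true;
}

bool graph_maybe_cyclic(const struct inflight_graph *g)
{
	struct tarjan_state st;

	memset(&st, 0, sizeof(st));
	for (int v = 0; v < g->nv; v++)
		st.index[v] = -1;
	for (int v = 0; v < g->nv; v++)
		if (st.index[v] < 0)
			strongconnect(g, &st, v);
	return st.maybe_cyclic;
}

/* Build a graph from parallel from[]/to[] arrays and classify it. */
bool edges_maybe_cyclic(int nv, const int *from, const int *to, int ne)
{
	struct inflight_graph g = { .nv = nv, .ne = 0 };

	for (int e = 0; e < ne && e < MAX_E; e++) {
		g.from[g.ne] = from[e];
		g.to[g.ne] = to[e];
		g.ne++;
	}
	return graph_maybe_cyclic(&g);
}

int main(void)
{
	/* Constructed sample graphs for the demo. */
	int chain_from[] = { 0, 1 }, chain_to[] = { 1, 2 };   /* 0 -> 1 -> 2 */
	int pair_from[]  = { 0, 1 }, pair_to[]  = { 1, 0 };   /* 0 <-> 1 */
	int self_from[]  = { 0 },    self_to[]  = { 0 };      /* 0 -> 0 */

	printf("chain: %d\n", edges_maybe_cyclic(3, chain_from, chain_to, 2));
	printf("pair:  %d\n", edges_maybe_cyclic(2, pair_from, pair_to, 2));
	printf("self:  %d\n", edges_maybe_cyclic(1, self_from, self_to, 1));
	return 0;
}
```

The self-loop case is the one worth keeping in mind: Tarjan's lowlink test yields a single-vertex SCC for an isolated socket and for a socket whose own fd sits in its own queue alike, so without the explicit edge scan the second case would wrongly let the collector be skipped.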
recipients (to): ["kuba@kernel.org" "kuniyu@amazon.com" "pabeni@redhat.com"]
recipients (cc): []
crash: KASAN: slab-use-after-free Read in unix_del_edges
==================================================================
BUG: KASAN: slab-use-after-free in unix_edge_successor net/unix/garbage.c:109 [inline]
BUG: KASAN: slab-use-after-free in unix_del_edge net/unix/garbage.c:162 [inline]
BUG: KASAN: slab-use-after-free in unix_del_edges+0x12b/0x540 net/unix/garbage.c:232
Read of size 8 at addr ffff888112144630 by task kworker/u8:7/600

CPU: 1 PID: 600 Comm: kworker/u8:7 Not tainted 6.9.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: events_unbound __unix_gc
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x280 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 unix_edge_successor net/unix/garbage.c:109 [inline]
 unix_del_edge net/unix/garbage.c:162 [inline]
 unix_del_edges+0x12b/0x540 net/unix/garbage.c:232
 unix_destroy_fpl+0x44/0x1d0 net/unix/garbage.c:283
 unix_detach_fds net/unix/af_unix.c:1825 [inline]
 unix_destruct_scm+0x15b/0x310 net/unix/af_unix.c:1885
 skb_release_head_state+0x90/0x150 net/core/skbuff.c:1187
 skb_release_all net/core/skbuff.c:1199 [inline]
 __kfree_skb net/core/skbuff.c:1215 [inline]
 kfree_skb_reason+0xd5/0x2d0 net/core/skbuff.c:1251
 __skb_queue_purge_reason include/linux/skbuff.h:3242 [inline]
 __skb_queue_purge include/linux/skbuff.h:3247 [inline]
 __unix_gc+0x18e4/0x19f0 net/unix/garbage.c:660
 process_one_work kernel/workqueue.c:3254 [inline]
 process_scheduled_works+0x8b6/0x12f0 kernel/workqueue.c:3335
 worker_thread+0x869/0xca0 kernel/workqueue.c:3416
 kthread+0x268/0x2c0 kernel/kthread.c:388
 ret_from_fork+0x32/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243

Allocated by task 7049:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:312 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3798 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc+0x15f/0x390 mm/slub.c:3852
 sk_prot_alloc+0x52/0x1c0 net/core/sock.c:2074
 sk_alloc+0x35/0x560 net/core/sock.c:2133
 unix_create1+0x8c/0x730
 unix_create+0x114/0x1d0 net/unix/af_unix.c:1036
 __sock_create+0x33c/0x6e0 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socketpair+0x245/0x5f0 net/socket.c:1773
 __do_sys_socketpair net/socket.c:1822 [inline]
 __se_sys_socketpair net/socket.c:1819 [inline]
 __x64_sys_socketpair+0x96/0xb0 net/socket.c:1819
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x95/0x180 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Freed by task 9:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xee/0x1a0 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2106 [inline]
 slab_free mm/slub.c:4280 [inline]
 kmem_cache_free+0x136/0x330 mm/slub.c:4344
 sk_prot_free net/core/sock.c:2114 [inline]
 __sk_destruct+0x390/0x550 net/core/sock.c:2208
 sock_put include/net/sock.h:1948 [inline]
 unix_release_sock+0x98d/0xba0 net/unix/af_unix.c:665
 unix_release+0x87/0xb0 net/unix/af_unix.c:1051
 __sock_release net/socket.c:659 [inline]
 sock_close+0xb4/0x220 net/socket.c:1421
 __fput+0x301/0x670 fs/file_table.c:422
 delayed_fput+0x3f/0x70 fs/file_table.c:445
 process_one_work kernel/workqueue.c:3254 [inline]
 process_scheduled_works+0x8b6/0x12f0 kernel/workqueue.c:3335
 worker_thread+0x869/0xca0 kernel/workqueue.c:3416
 kthread+0x268/0x2c0 kernel/kthread.c:388
 ret_from_fork+0x32/0x60 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243

The buggy address belongs to the object at ffff888112144000
 which belongs to the cache UNIX of size 1920
The buggy address is located 1584 bytes inside of
 freed 1920-byte region [ffff888112144000, ffff888112144780)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112140
head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff8881077b4701
flags: 0x200000000000840(slab|head|node=0|zone=2)
page_type: 0xffffffff()
raw: 0200000000000840 ffff888101e8e780 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080100010 00000001ffffffff ffff8881077b4701
head: 0200000000000840 ffff888101e8e780 dead000000000100 dead000000000122
head: 0000000000000000 0000000080100010 00000001ffffffff ffff8881077b4701
head: 0200000000000003 ffffea0004485001 ffffea0004485048 00000000ffffffff
head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 2381, tgid 2380 (syz-executor.0), ts 56726001357, free_ts 56721450037
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x10f/0x130 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0x32cd/0x36a0 mm/page_alloc.c:3317
 __alloc_pages+0x256/0x670 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page+0x5f/0x160 mm/slub.c:2175
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0x70/0x270 mm/slub.c:2391
 ___slab_alloc+0xb0d/0x1040 mm/slub.c:3525
 __slab_alloc mm/slub.c:3610 [inline]
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 kmem_cache_alloc+0x23a/0x390 mm/slub.c:3852
 sk_prot_alloc+0x52/0x1c0 net/core/sock.c:2074
 sk_alloc+0x35/0x560 net/core/sock.c:2133
 unix_create1+0x8c/0x730
 unix_create+0x114/0x1d0 net/unix/af_unix.c:1036
 __sock_create+0x33c/0x6e0 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socketpair+0x1d5/0x5f0 net/socket.c:1769
 __do_sys_socketpair net/socket.c:1822 [inline]
 __se_sys_socketpair net/socket.c:1819 [inline]
 __x64_sys_socketpair+0x96/0xb0 net/socket.c:1819
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x95/0x180 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
page last free pid 1415 tgid 1415 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x7ce/0x8f0 mm/page_alloc.c:2347
 free_unref_page+0x34/0x230 mm/page_alloc.c:2487
 discard_slab mm/slub.c:2437 [inline]
 __put_partials+0x18e/0x1d0 mm/slub.c:2906
 put_cpu_partial+0x151/0x1b0 mm/slub.c:2981
 __slab_free+0x2b8/0x3a0 mm/slub.c:4151
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x5e/0xc0 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3798 [inline]
 slab_alloc_node mm/slub.c:3845 [inline]
 kmem_cache_alloc+0x15f/0x390 mm/slub.c:3852
 getname_flags+0xa1/0x440 fs/namei.c:139
 vfs_fstatat+0x65/0xa0 fs/stat.c:303
 __do_sys_newfstatat fs/stat.c:468 [inline]
 __se_sys_newfstatat+0xc5/0x750 fs/stat.c:462
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x95/0x180 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Memory state around the buggy address:
 ffff888112144500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888112144580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888112144600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff888112144680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888112144700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================