Date
April 20, 2025, 11:09 p.m.
| Environment |
|---|
| qemu-x86_64 |
| rk3399-rock-pi-4b |
qemu-x86_64

```text
[ 11.955240] ==================================================================
[ 11.955823] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 11.956114] Read of size 1 at addr ffff888102b31e00 by task kunit_try_catch/216
[ 11.956387]
[ 11.956491] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary)
[ 11.956531] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.956542] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.956599] Call Trace:
[ 11.956610] <TASK>
[ 11.956624] dump_stack_lvl+0x73/0xb0
[ 11.956648] print_report+0xd1/0x650
[ 11.956669] ? __virt_addr_valid+0x1db/0x2d0
[ 11.956691] ? ksize_uaf+0x19d/0x6c0
[ 11.956711] ? kasan_complete_mode_report_info+0x64/0x200
[ 11.956733] ? ksize_uaf+0x19d/0x6c0
[ 11.956753] kasan_report+0x141/0x180
[ 11.956775] ? ksize_uaf+0x19d/0x6c0
[ 11.956800] ? ksize_uaf+0x19d/0x6c0
[ 11.956820] __kasan_check_byte+0x3d/0x50
[ 11.956842] ksize+0x20/0x60
[ 11.956863] ksize_uaf+0x19d/0x6c0
[ 11.956883] ? __pfx_ksize_uaf+0x10/0x10
[ 11.956905] ? __schedule+0x10cc/0x2b30
[ 11.956927] ? __pfx_read_tsc+0x10/0x10
[ 11.956947] ? ktime_get_ts64+0x86/0x230
[ 11.956971] kunit_try_run_case+0x1a5/0x480
[ 11.956995] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.957015] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.957038] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.957061] ? __kthread_parkme+0x82/0x180
[ 11.957081] ? preempt_count_sub+0x50/0x80
[ 11.957105] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.957148] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.957171] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.957193] kthread+0x337/0x6f0
[ 11.957213] ? trace_preempt_on+0x20/0xc0
[ 11.957235] ? __pfx_kthread+0x10/0x10
[ 11.957256] ? _raw_spin_unlock_irq+0x47/0x80
[ 11.957278] ? calculate_sigpending+0x7b/0xa0
[ 11.957298] ? __pfx_kthread+0x10/0x10
[ 11.957320] ret_from_fork+0x41/0x80
[ 11.957352] ? __pfx_kthread+0x10/0x10
[ 11.957373] ret_from_fork_asm+0x1a/0x30
[ 11.957405] </TASK>
[ 11.957414]
[ 11.967485] Allocated by task 216:
[ 11.967795] kasan_save_stack+0x45/0x70
[ 11.967993] kasan_save_track+0x18/0x40
[ 11.968411] kasan_save_alloc_info+0x3b/0x50
[ 11.968683] __kasan_kmalloc+0xb7/0xc0
[ 11.968970] __kmalloc_cache_noprof+0x189/0x420
[ 11.969406] ksize_uaf+0xaa/0x6c0
[ 11.969686] kunit_try_run_case+0x1a5/0x480
[ 11.969904] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.970335] kthread+0x337/0x6f0
[ 11.970532] ret_from_fork+0x41/0x80
[ 11.970830] ret_from_fork_asm+0x1a/0x30
[ 11.971117]
[ 11.971234] Freed by task 216:
[ 11.971391] kasan_save_stack+0x45/0x70
[ 11.971571] kasan_save_track+0x18/0x40
[ 11.971747] kasan_save_free_info+0x3f/0x60
[ 11.971933] __kasan_slab_free+0x56/0x70
[ 11.972106] kfree+0x222/0x3f0
[ 11.972700] ksize_uaf+0x12c/0x6c0
[ 11.972951] kunit_try_run_case+0x1a5/0x480
[ 11.973302] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.973731] kthread+0x337/0x6f0
[ 11.974012] ret_from_fork+0x41/0x80
[ 11.974341] ret_from_fork_asm+0x1a/0x30
[ 11.974531]
[ 11.974620] The buggy address belongs to the object at ffff888102b31e00
[ 11.974620] which belongs to the cache kmalloc-128 of size 128
[ 11.975100] The buggy address is located 0 bytes inside of
[ 11.975100] freed 128-byte region [ffff888102b31e00, ffff888102b31e80)
[ 11.975989]
[ 11.976231] The buggy address belongs to the physical page:
[ 11.976651] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b31
[ 11.977101] flags: 0x200000000000000(node=0|zone=2)
[ 11.977506] page_type: f5(slab)
[ 11.977677] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 11.977987] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 11.978760] page dumped because: kasan: bad access detected
[ 11.979054]
[ 11.979270] Memory state around the buggy address:
[ 11.979758] ffff888102b31d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.980392] ffff888102b31d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.980833] >ffff888102b31e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.981294] ^
[ 11.981556] ffff888102b31e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.981978] ffff888102b31f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.982566] ==================================================================
[ 11.983778] ==================================================================
[ 11.984041] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 11.984291] Read of size 1 at addr ffff888102b31e00 by task kunit_try_catch/216
[ 11.984786]
[ 11.984890] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary)
[ 11.984932] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.984943] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.984963] Call Trace:
[ 11.984974] <TASK>
[ 11.984989] dump_stack_lvl+0x73/0xb0
[ 11.985014] print_report+0xd1/0x650
[ 11.985036] ? __virt_addr_valid+0x1db/0x2d0
[ 11.985057] ? ksize_uaf+0x5fe/0x6c0
[ 11.985076] ? kasan_complete_mode_report_info+0x64/0x200
[ 11.985098] ? ksize_uaf+0x5fe/0x6c0
[ 11.985118] kasan_report+0x141/0x180
[ 11.985139] ? ksize_uaf+0x5fe/0x6c0
[ 11.985163] __asan_report_load1_noabort+0x18/0x20
[ 11.985182] ksize_uaf+0x5fe/0x6c0
[ 11.985202] ? __pfx_ksize_uaf+0x10/0x10
[ 11.985223] ? __schedule+0x10cc/0x2b30
[ 11.985245] ? __pfx_read_tsc+0x10/0x10
[ 11.985264] ? ktime_get_ts64+0x86/0x230
[ 11.985620] kunit_try_run_case+0x1a5/0x480
[ 11.985646] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.985668] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.985690] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.985714] ? __kthread_parkme+0x82/0x180
[ 11.985735] ? preempt_count_sub+0x50/0x80
[ 11.985760] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.985788] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.985810] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.985832] kthread+0x337/0x6f0
[ 11.985852] ? trace_preempt_on+0x20/0xc0
[ 11.985875] ? __pfx_kthread+0x10/0x10
[ 11.985896] ? _raw_spin_unlock_irq+0x47/0x80
[ 11.985917] ? calculate_sigpending+0x7b/0xa0
[ 11.985938] ? __pfx_kthread+0x10/0x10
[ 11.985960] ret_from_fork+0x41/0x80
[ 11.985980] ? __pfx_kthread+0x10/0x10
[ 11.986001] ret_from_fork_asm+0x1a/0x30
[ 11.986032] </TASK>
[ 11.986042]
[ 11.994034] Allocated by task 216:
[ 11.994250] kasan_save_stack+0x45/0x70
[ 11.994448] kasan_save_track+0x18/0x40
[ 11.994627] kasan_save_alloc_info+0x3b/0x50
[ 11.994818] __kasan_kmalloc+0xb7/0xc0
[ 11.994991] __kmalloc_cache_noprof+0x189/0x420
[ 11.995563] ksize_uaf+0xaa/0x6c0
[ 11.995799] kunit_try_run_case+0x1a5/0x480
[ 11.996107] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.996536] kthread+0x337/0x6f0
[ 11.996810] ret_from_fork+0x41/0x80
[ 11.997204] ret_from_fork_asm+0x1a/0x30
[ 11.997472]
[ 11.997683] Freed by task 216:
[ 11.997951] kasan_save_stack+0x45/0x70
[ 11.998314] kasan_save_track+0x18/0x40
[ 11.998508] kasan_save_free_info+0x3f/0x60
[ 11.998697] __kasan_slab_free+0x56/0x70
[ 11.998877] kfree+0x222/0x3f0
[ 11.999023] ksize_uaf+0x12c/0x6c0
[ 11.999508] kunit_try_run_case+0x1a5/0x480
[ 11.999764] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.000205] kthread+0x337/0x6f0
[ 12.000434] ret_from_fork+0x41/0x80
[ 12.000723] ret_from_fork_asm+0x1a/0x30
[ 12.001015]
[ 12.001117] The buggy address belongs to the object at ffff888102b31e00
[ 12.001117] which belongs to the cache kmalloc-128 of size 128
[ 12.001617] The buggy address is located 0 bytes inside of
[ 12.001617] freed 128-byte region [ffff888102b31e00, ffff888102b31e80)
[ 12.002092]
[ 12.002482] The buggy address belongs to the physical page:
[ 12.002943] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b31
[ 12.003605] flags: 0x200000000000000(node=0|zone=2)
[ 12.003896] page_type: f5(slab)
[ 12.004181] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.004695] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.005015] page dumped because: kasan: bad access detected
[ 12.005578]
[ 12.005674] Memory state around the buggy address:
[ 12.006089] ffff888102b31d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.006783] ffff888102b31d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.007154] >ffff888102b31e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.007455] ^
[ 12.007607] ffff888102b31e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.007888] ffff888102b31f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.008666] ==================================================================
[ 12.010089] ==================================================================
[ 12.010433] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 12.010703] Read of size 1 at addr ffff888102b31e78 by task kunit_try_catch/216
[ 12.010994]
[ 12.011093] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary)
[ 12.011526] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.011541] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.011562] Call Trace:
[ 12.011577] <TASK>
[ 12.011592] dump_stack_lvl+0x73/0xb0
[ 12.012029] print_report+0xd1/0x650
[ 12.012052] ? __virt_addr_valid+0x1db/0x2d0
[ 12.012074] ? ksize_uaf+0x5e4/0x6c0
[ 12.012094] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.012116] ? ksize_uaf+0x5e4/0x6c0
[ 12.012136] kasan_report+0x141/0x180
[ 12.012158] ? ksize_uaf+0x5e4/0x6c0
[ 12.012199] __asan_report_load1_noabort+0x18/0x20
[ 12.012220] ksize_uaf+0x5e4/0x6c0
[ 12.012240] ? __pfx_ksize_uaf+0x10/0x10
[ 12.012261] ? __schedule+0x10cc/0x2b30
[ 12.012284] ? __pfx_read_tsc+0x10/0x10
[ 12.012303] ? ktime_get_ts64+0x86/0x230
[ 12.012340] kunit_try_run_case+0x1a5/0x480
[ 12.012364] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.012385] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.012408] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.012432] ? __kthread_parkme+0x82/0x180
[ 12.012452] ? preempt_count_sub+0x50/0x80
[ 12.012476] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.012498] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.012520] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.012543] kthread+0x337/0x6f0
[ 12.012563] ? trace_preempt_on+0x20/0xc0
[ 12.012587] ? __pfx_kthread+0x10/0x10
[ 12.012608] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.012629] ? calculate_sigpending+0x7b/0xa0
[ 12.012650] ? __pfx_kthread+0x10/0x10
[ 12.012673] ret_from_fork+0x41/0x80
[ 12.012695] ? __pfx_kthread+0x10/0x10
[ 12.012716] ret_from_fork_asm+0x1a/0x30
[ 12.012747] </TASK>
[ 12.012758]
[ 12.019315] Allocated by task 216:
[ 12.019522] kasan_save_stack+0x45/0x70
[ 12.019720] kasan_save_track+0x18/0x40
[ 12.019920] kasan_save_alloc_info+0x3b/0x50
[ 12.020120] __kasan_kmalloc+0xb7/0xc0
[ 12.020303] __kmalloc_cache_noprof+0x189/0x420
[ 12.020529] ksize_uaf+0xaa/0x6c0
[ 12.020685] kunit_try_run_case+0x1a5/0x480
[ 12.020883] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.021132] kthread+0x337/0x6f0
[ 12.021373] ret_from_fork+0x41/0x80
[ 12.021501] ret_from_fork_asm+0x1a/0x30
[ 12.021636]
[ 12.021704] Freed by task 216:
[ 12.021818] kasan_save_stack+0x45/0x70
[ 12.021950] kasan_save_track+0x18/0x40
[ 12.022080] kasan_save_free_info+0x3f/0x60
[ 12.022218] __kasan_slab_free+0x56/0x70
[ 12.022362] kfree+0x222/0x3f0
[ 12.022477] ksize_uaf+0x12c/0x6c0
[ 12.022629] kunit_try_run_case+0x1a5/0x480
[ 12.022795] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.023022] kthread+0x337/0x6f0
[ 12.023156] ret_from_fork+0x41/0x80
[ 12.023284] ret_from_fork_asm+0x1a/0x30
[ 12.023433]
[ 12.023502] The buggy address belongs to the object at ffff888102b31e00
[ 12.023502] which belongs to the cache kmalloc-128 of size 128
[ 12.023850] The buggy address is located 120 bytes inside of
[ 12.023850] freed 128-byte region [ffff888102b31e00, ffff888102b31e80)
[ 12.024196]
[ 12.024265] The buggy address belongs to the physical page:
[ 12.024444] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b31
[ 12.024679] flags: 0x200000000000000(node=0|zone=2)
[ 12.024836] page_type: f5(slab)
[ 12.024956] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.025346] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.025606] page dumped because: kasan: bad access detected
[ 12.025804]
[ 12.025875] Memory state around the buggy address:
[ 12.026041] ffff888102b31d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.026525] ffff888102b31d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.027010] >ffff888102b31e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.027356] ^
[ 12.027887] ffff888102b31e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.028133] ffff888102b31f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.028574] ==================================================================
```
rk3399-rock-pi-4b

```text
[ 21.933904] ==================================================================
[ 21.934593] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 21.935202] Read of size 1 at addr ffff00000df93778 by task kunit_try_catch/250
[ 21.935880]
[ 21.936044] CPU: 2 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 21.936094] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.936108] Hardware name: Radxa ROCK Pi 4B (DT)
[ 21.936126] Call trace:
[ 21.936138] show_stack+0x20/0x38 (C)
[ 21.936170] dump_stack_lvl+0x8c/0xd0
[ 21.936201] print_report+0x118/0x608
[ 21.936231] kasan_report+0xdc/0x128
[ 21.936260] __asan_report_load1_noabort+0x20/0x30
[ 21.936294] ksize_uaf+0x544/0x5f8
[ 21.936326] kunit_try_run_case+0x170/0x3f0
[ 21.936361] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.936401] kthread+0x328/0x630
[ 21.936435] ret_from_fork+0x10/0x20
[ 21.936467]
[ 21.941981] Allocated by task 250:
[ 21.942306] kasan_save_stack+0x3c/0x68
[ 21.942678] kasan_save_track+0x20/0x40
[ 21.943049] kasan_save_alloc_info+0x40/0x58
[ 21.943463] __kasan_kmalloc+0xd4/0xd8
[ 21.943826] __kmalloc_cache_noprof+0x15c/0x3c0
[ 21.944266] ksize_uaf+0xb8/0x5f8
[ 21.944598] kunit_try_run_case+0x170/0x3f0
[ 21.945003] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.945527] kthread+0x328/0x630
[ 21.945850] ret_from_fork+0x10/0x20
[ 21.946200]
[ 21.946353] Freed by task 250:
[ 21.946647] kasan_save_stack+0x3c/0x68
[ 21.947018] kasan_save_track+0x20/0x40
[ 21.947390] kasan_save_free_info+0x4c/0x78
[ 21.947795] __kasan_slab_free+0x6c/0x98
[ 21.948174] kfree+0x214/0x3c8
[ 21.948481] ksize_uaf+0x11c/0x5f8
[ 21.948818] kunit_try_run_case+0x170/0x3f0
[ 21.949225] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.949748] kthread+0x328/0x630
[ 21.950071] ret_from_fork+0x10/0x20
[ 21.950421]
[ 21.950574] The buggy address belongs to the object at ffff00000df93700
[ 21.950574] which belongs to the cache kmalloc-128 of size 128
[ 21.951708] The buggy address is located 120 bytes inside of
[ 21.951708] freed 128-byte region [ffff00000df93700, ffff00000df93780)
[ 21.952820]
[ 21.952974] The buggy address belongs to the physical page:
[ 21.953490] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xdf93
[ 21.954214] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff)
[ 21.954824] page_type: f5(slab)
[ 21.955136] raw: 03fffe0000000000 ffff000000402a00 dead000000000122 0000000000000000
[ 21.955852] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 21.956559] page dumped because: kasan: bad access detected
[ 21.957075]
[ 21.957227] Memory state around the buggy address:
[ 21.957675] ffff00000df93600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.958342] ffff00000df93680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.959007] >ffff00000df93700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.959669] ^
[ 21.960325] ffff00000df93780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.960992] ffff00000df93800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.961654] ==================================================================
[ 21.876364] ==================================================================
[ 21.877462] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 21.878078] Read of size 1 at addr ffff00000df93700 by task kunit_try_catch/250
[ 21.878759]
[ 21.878924] CPU: 2 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 21.878976] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.878990] Hardware name: Radxa ROCK Pi 4B (DT)
[ 21.879008] Call trace:
[ 21.879020] show_stack+0x20/0x38 (C)
[ 21.879053] dump_stack_lvl+0x8c/0xd0
[ 21.879086] print_report+0x118/0x608
[ 21.879117] kasan_report+0xdc/0x128
[ 21.879145] __kasan_check_byte+0x54/0x70
[ 21.879174] ksize+0x30/0x88
[ 21.879201] ksize_uaf+0x168/0x5f8
[ 21.879233] kunit_try_run_case+0x170/0x3f0
[ 21.879269] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.879308] kthread+0x328/0x630
[ 21.879343] ret_from_fork+0x10/0x20
[ 21.879377]
[ 21.885083] Allocated by task 250:
[ 21.885408] kasan_save_stack+0x3c/0x68
[ 21.885782] kasan_save_track+0x20/0x40
[ 21.886154] kasan_save_alloc_info+0x40/0x58
[ 21.886569] __kasan_kmalloc+0xd4/0xd8
[ 21.886930] __kmalloc_cache_noprof+0x15c/0x3c0
[ 21.887373] ksize_uaf+0xb8/0x5f8
[ 21.887703] kunit_try_run_case+0x170/0x3f0
[ 21.888111] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.888636] kthread+0x328/0x630
[ 21.888958] ret_from_fork+0x10/0x20
[ 21.889308]
[ 21.889460] Freed by task 250:
[ 21.889754] kasan_save_stack+0x3c/0x68
[ 21.890127] kasan_save_track+0x20/0x40
[ 21.890498] kasan_save_free_info+0x4c/0x78
[ 21.890903] __kasan_slab_free+0x6c/0x98
[ 21.891281] kfree+0x214/0x3c8
[ 21.891588] ksize_uaf+0x11c/0x5f8
[ 21.891926] kunit_try_run_case+0x170/0x3f0
[ 21.892332] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.892856] kthread+0x328/0x630
[ 21.893178] ret_from_fork+0x10/0x20
[ 21.893528]
[ 21.893681] The buggy address belongs to the object at ffff00000df93700
[ 21.893681] which belongs to the cache kmalloc-128 of size 128
[ 21.894815] The buggy address is located 0 bytes inside of
[ 21.894815] freed 128-byte region [ffff00000df93700, ffff00000df93780)
[ 21.895914]
[ 21.896068] The buggy address belongs to the physical page:
[ 21.896586] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xdf93
[ 21.897310] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff)
[ 21.897923] page_type: f5(slab)
[ 21.898238] raw: 03fffe0000000000 ffff000000402a00 dead000000000122 0000000000000000
[ 21.898954] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 21.899662] page dumped because: kasan: bad access detected
[ 21.900178]
[ 21.900331] Memory state around the buggy address:
[ 21.900779] ffff00000df93600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.901446] ffff00000df93680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.902113] >ffff00000df93700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.902776] ^
[ 21.903086] ffff00000df93780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.903753] ffff00000df93800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.904414] ==================================================================
[ 21.905496] ==================================================================
[ 21.906181] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 21.906792] Read of size 1 at addr ffff00000df93700 by task kunit_try_catch/250
[ 21.907468]
[ 21.907633] CPU: 2 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 21.907682] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.907696] Hardware name: Radxa ROCK Pi 4B (DT)
[ 21.907714] Call trace:
[ 21.907726] show_stack+0x20/0x38 (C)
[ 21.907758] dump_stack_lvl+0x8c/0xd0
[ 21.907791] print_report+0x118/0x608
[ 21.907819] kasan_report+0xdc/0x128
[ 21.907848] __asan_report_load1_noabort+0x20/0x30
[ 21.907881] ksize_uaf+0x598/0x5f8
[ 21.907914] kunit_try_run_case+0x170/0x3f0
[ 21.907949] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.907988] kthread+0x328/0x630
[ 21.908022] ret_from_fork+0x10/0x20
[ 21.908054]
[ 21.913568] Allocated by task 250:
[ 21.913894] kasan_save_stack+0x3c/0x68
[ 21.914268] kasan_save_track+0x20/0x40
[ 21.914638] kasan_save_alloc_info+0x40/0x58
[ 21.915053] __kasan_kmalloc+0xd4/0xd8
[ 21.915415] __kmalloc_cache_noprof+0x15c/0x3c0
[ 21.915856] ksize_uaf+0xb8/0x5f8
[ 21.916187] kunit_try_run_case+0x170/0x3f0
[ 21.916594] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.917117] kthread+0x328/0x630
[ 21.917441] ret_from_fork+0x10/0x20
[ 21.917789]
[ 21.917942] Freed by task 250:
[ 21.918237] kasan_save_stack+0x3c/0x68
[ 21.918609] kasan_save_track+0x20/0x40
[ 21.918980] kasan_save_free_info+0x4c/0x78
[ 21.919385] __kasan_slab_free+0x6c/0x98
[ 21.919765] kfree+0x214/0x3c8
[ 21.920073] ksize_uaf+0x11c/0x5f8
[ 21.920411] kunit_try_run_case+0x170/0x3f0
[ 21.920818] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.921342] kthread+0x328/0x630
[ 21.921665] ret_from_fork+0x10/0x20
[ 21.922016]
[ 21.922168] The buggy address belongs to the object at ffff00000df93700
[ 21.922168] which belongs to the cache kmalloc-128 of size 128
[ 21.923302] The buggy address is located 0 bytes inside of
[ 21.923302] freed 128-byte region [ffff00000df93700, ffff00000df93780)
[ 21.924399]
[ 21.924553] The buggy address belongs to the physical page:
[ 21.925069] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xdf93
[ 21.925794] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff)
[ 21.926406] page_type: f5(slab)
[ 21.926718] raw: 03fffe0000000000 ffff000000402a00 dead000000000122 0000000000000000
[ 21.927435] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 21.928142] page dumped because: kasan: bad access detected
[ 21.928657]
[ 21.928809] Memory state around the buggy address:
[ 21.929258] ffff00000df93600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.929924] ffff00000df93680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.930591] >ffff00000df93700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.931253] ^
[ 21.931563] ffff00000df93780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.932230] ffff00000df93800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.932892] ==================================================================
```