Hay
Date: April 20, 2025, 11:09 p.m.

Environment: x15, x86

[   59.175659] ==================================================================
[   59.182922] BUG: KASAN: slab-use-after-free in ksize_uaf+0x68c/0x740
[   59.189331] Read of size 1 at addr cc228f78 by task kunit_try_catch/252
[   59.195983] 
[   59.197509] CPU: 1 UID: 0 PID: 252 Comm: kunit_try_catch Tainted: G    B   W        N  6.15.0-rc3 #1 NONE 
[   59.197540] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   59.197540] Hardware name: Generic DRA74X (Flattened Device Tree)
[   59.197540] Call trace: 
[   59.197570]  unwind_backtrace from show_stack+0x18/0x1c
[   59.197601]  show_stack from dump_stack_lvl+0x70/0x90
[   59.197601]  dump_stack_lvl from print_report+0x158/0x528
[   59.197631]  print_report from kasan_report+0xdc/0x118
[   59.197662]  kasan_report from ksize_uaf+0x68c/0x740
[   59.197692]  ksize_uaf from kunit_try_run_case+0x22c/0x5a8
[   59.197692]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[   59.197723]  kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[   59.197753]  kthread from ret_from_fork+0x14/0x20
[   59.197784] Exception stack(0xf24fbfb0 to 0xf24fbff8)
[   59.197784] bfa0:                                     00000000 00000000 00000000 00000000
[   59.197814] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   59.197814] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
[   59.197845] 
[   59.301300] Allocated by task 252:
[   59.304748]  kasan_save_track+0x30/0x5c
[   59.308593]  __kasan_kmalloc+0x8c/0x94
[   59.312377]  ksize_uaf+0xd0/0x740
[   59.315734]  kunit_try_run_case+0x22c/0x5a8
[   59.319946]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   59.325469]  kthread+0x464/0x810
[   59.328735]  ret_from_fork+0x14/0x20
[   59.332336] 
[   59.333831] Freed by task 252:
[   59.336914]  kasan_save_track+0x30/0x5c
[   59.340789]  kasan_save_free_info+0x3c/0x48
[   59.345001]  __kasan_slab_free+0x40/0x50
[   59.348937]  kfree+0xe8/0x384
[   59.351959]  ksize_uaf+0x174/0x740
[   59.355377]  kunit_try_run_case+0x22c/0x5a8
[   59.359588]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   59.365112]  kthread+0x464/0x810
[   59.368377]  ret_from_fork+0x14/0x20
[   59.371978] 
[   59.373474] The buggy address belongs to the object at cc228f00
[   59.373474]  which belongs to the cache kmalloc-128 of size 128
[   59.385375] The buggy address is located 120 bytes inside of
[   59.385375]  freed 128-byte region [cc228f00, cc228f80)
[   59.396331] 
[   59.397827] The buggy address belongs to the physical page:
[   59.403442] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c228
[   59.410705] flags: 0x0(zone=0)
[   59.413787] page_type: f5(slab)
[   59.416961] raw: 00000000 c7001400 00000122 00000000 00000000 80100010 f5000000 00000000
[   59.425079] raw: 00000000
[   59.427734] page dumped because: kasan: bad access detected
[   59.433349] 
[   59.434844] Memory state around the buggy address:
[   59.439666]  cc228e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.446228]  cc228e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.452819] >cc228f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.459381]                                                         ^
[   59.465850]  cc228f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.472442]  cc229000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   59.479003] ==================================================================
[   58.547912] ==================================================================
[   58.559448] BUG: KASAN: slab-use-after-free in ksize_uaf+0x1f0/0x740
[   58.565856] Read of size 1 at addr cc228f00 by task kunit_try_catch/252
[   58.572509] 
[   58.574035] CPU: 1 UID: 0 PID: 252 Comm: kunit_try_catch Tainted: G    B   W        N  6.15.0-rc3 #1 NONE 
[   58.574066] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   58.574066] Hardware name: Generic DRA74X (Flattened Device Tree)
[   58.574066] Call trace: 
[   58.574066]  unwind_backtrace from show_stack+0x18/0x1c
[   58.574096]  show_stack from dump_stack_lvl+0x70/0x90
[   58.574127]  dump_stack_lvl from print_report+0x158/0x528
[   58.574157]  print_report from kasan_report+0xdc/0x118
[   58.574188]  kasan_report from __kasan_check_byte+0x34/0x3c
[   58.574188]  __kasan_check_byte from ksize+0x20/0x3c
[   58.574218]  ksize from ksize_uaf+0x1f0/0x740
[   58.574249]  ksize_uaf from kunit_try_run_case+0x22c/0x5a8
[   58.574249]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[   58.574279]  kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[   58.574310]  kthread from ret_from_fork+0x14/0x20
[   58.574340] Exception stack(0xf24fbfb0 to 0xf24fbff8)
[   58.574340] bfa0:                                     00000000 00000000 00000000 00000000
[   58.574371] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   58.574371] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
[   58.574401] 
[   58.687835] Allocated by task 252:
[   58.691253]  kasan_save_track+0x30/0x5c
[   58.695129]  __kasan_kmalloc+0x8c/0x94
[   58.698913]  ksize_uaf+0xd0/0x740
[   58.702270]  kunit_try_run_case+0x22c/0x5a8
[   58.706481]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   58.712005]  kthread+0x464/0x810
[   58.715270]  ret_from_fork+0x14/0x20
[   58.718872] 
[   58.720367] Freed by task 252:
[   58.723449]  kasan_save_track+0x30/0x5c
[   58.727294]  kasan_save_free_info+0x3c/0x48
[   58.731536]  __kasan_slab_free+0x40/0x50
[   58.735473]  kfree+0xe8/0x384
[   58.738464]  ksize_uaf+0x174/0x740
[   58.741912]  kunit_try_run_case+0x22c/0x5a8
[   58.746124]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   58.751647]  kthread+0x464/0x810
[   58.754913]  ret_from_fork+0x14/0x20
[   58.758514] 
[   58.760009] The buggy address belongs to the object at cc228f00
[   58.760009]  which belongs to the cache kmalloc-128 of size 128
[   58.771911] The buggy address is located 0 bytes inside of
[   58.771911]  freed 128-byte region [cc228f00, cc228f80)
[   58.782684] 
[   58.784179] The buggy address belongs to the physical page:
[   58.789794] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c228
[   58.797058] flags: 0x0(zone=0)
[   58.800140] page_type: f5(slab)
[   58.803314] raw: 00000000 c7001400 00000122 00000000 00000000 80100010 f5000000 00000000
[   58.811462] raw: 00000000
[   58.814086] page dumped because: kasan: bad access detected
[   58.819702] 
[   58.821197] Memory state around the buggy address:
[   58.826019]  cc228e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.832611]  cc228e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   58.839172] >cc228f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.845733]            ^
[   58.848297]  cc228f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   58.854858]  cc229000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   58.861450] ==================================================================
[   58.869079] ==================================================================
[   58.876373] BUG: KASAN: slab-use-after-free in ksize_uaf+0x6c8/0x740
[   58.882751] Read of size 1 at addr cc228f00 by task kunit_try_catch/252
[   58.889434] 
[   58.890930] CPU: 1 UID: 0 PID: 252 Comm: kunit_try_catch Tainted: G    B   W        N  6.15.0-rc3 #1 NONE 
[   58.890960] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   58.890960] Hardware name: Generic DRA74X (Flattened Device Tree)
[   58.890991] Call trace: 
[   58.890991]  unwind_backtrace from show_stack+0x18/0x1c
[   58.891021]  show_stack from dump_stack_lvl+0x70/0x90
[   58.891021]  dump_stack_lvl from print_report+0x158/0x528
[   58.891052]  print_report from kasan_report+0xdc/0x118
[   58.891082]  kasan_report from ksize_uaf+0x6c8/0x740
[   58.891113]  ksize_uaf from kunit_try_run_case+0x22c/0x5a8
[   58.891113]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[   58.891143]  kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[   58.891174]  kthread from ret_from_fork+0x14/0x20
[   58.891204] Exception stack(0xf24fbfb0 to 0xf24fbff8)
[   58.891204] bfa0:                                     00000000 00000000 00000000 00000000
[   58.891235] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   58.891235] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
[   58.891265] 
[   58.994720] Allocated by task 252:
[   58.998168]  kasan_save_track+0x30/0x5c
[   59.002014]  __kasan_kmalloc+0x8c/0x94
[   59.005828]  ksize_uaf+0xd0/0x740
[   59.009155]  kunit_try_run_case+0x22c/0x5a8
[   59.013366]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   59.018890]  kthread+0x464/0x810
[   59.022155]  ret_from_fork+0x14/0x20
[   59.025756] 
[   59.027252] Freed by task 252:
[   59.030334]  kasan_save_track+0x30/0x5c
[   59.034210]  kasan_save_free_info+0x3c/0x48
[   59.038421]  __kasan_slab_free+0x40/0x50
[   59.042358]  kfree+0xe8/0x384
[   59.045379]  ksize_uaf+0x174/0x740
[   59.048797]  kunit_try_run_case+0x22c/0x5a8
[   59.053009]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   59.058532]  kthread+0x464/0x810
[   59.061798]  ret_from_fork+0x14/0x20
[   59.065399] 
[   59.066894] The buggy address belongs to the object at cc228f00
[   59.066894]  which belongs to the cache kmalloc-128 of size 128
[   59.078796] The buggy address is located 0 bytes inside of
[   59.078796]  freed 128-byte region [cc228f00, cc228f80)
[   59.089569] 
[   59.091064] The buggy address belongs to the physical page:
[   59.096679] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c228
[   59.103973] flags: 0x0(zone=0)
[   59.107025] page_type: f5(slab)
[   59.110198] raw: 00000000 c7001400 00000122 00000000 00000000 80100010 f5000000 00000000
[   59.118347] raw: 00000000
[   59.121002] page dumped because: kasan: bad access detected
[   59.126586] 
[   59.128112] Memory state around the buggy address:
[   59.132934]  cc228e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.139495]  cc228e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.146057] >cc228f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.152648]            ^
[   59.155181]  cc228f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.161773]  cc229000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   59.168334] ==================================================================

[   30.271466] ==================================================================
[   30.282984] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   30.289343] Read of size 1 at addr ffff88810633a600 by task kunit_try_catch/239
[   30.296651] 
[   30.298151] CPU: 3 UID: 0 PID: 239 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT(voluntary) 
[   30.298159] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.298162] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   30.298165] Call Trace:
[   30.298167]  <TASK>
[   30.298169]  dump_stack_lvl+0x73/0xb0
[   30.298172]  print_report+0xd1/0x650
[   30.298177]  ? __virt_addr_valid+0x1db/0x2d0
[   30.298180]  ? ksize_uaf+0x19d/0x6c0
[   30.298184]  ? kasan_complete_mode_report_info+0x64/0x200
[   30.298189]  ? ksize_uaf+0x19d/0x6c0
[   30.298193]  kasan_report+0x141/0x180
[   30.298197]  ? ksize_uaf+0x19d/0x6c0
[   30.298201]  ? ksize_uaf+0x19d/0x6c0
[   30.298205]  __kasan_check_byte+0x3d/0x50
[   30.298210]  ksize+0x20/0x60
[   30.298213]  ksize_uaf+0x19d/0x6c0
[   30.298217]  ? __pfx_ksize_uaf+0x10/0x10
[   30.298221]  ? __schedule+0x10cc/0x2b30
[   30.298226]  ? ktime_get_ts64+0x83/0x230
[   30.298230]  kunit_try_run_case+0x1a2/0x480
[   30.298235]  ? __pfx_kunit_try_run_case+0x10/0x10
[   30.298239]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   30.298244]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   30.298248]  ? __kthread_parkme+0x82/0x180
[   30.298252]  ? preempt_count_sub+0x50/0x80
[   30.298257]  ? __pfx_kunit_try_run_case+0x10/0x10
[   30.298261]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   30.298265]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   30.298269]  kthread+0x334/0x6f0
[   30.298273]  ? trace_preempt_on+0x20/0xc0
[   30.298277]  ? __pfx_kthread+0x10/0x10
[   30.298282]  ? _raw_spin_unlock_irq+0x47/0x80
[   30.298286]  ? calculate_sigpending+0x7b/0xa0
[   30.298290]  ? __pfx_kthread+0x10/0x10
[   30.298294]  ret_from_fork+0x3e/0x80
[   30.298298]  ? __pfx_kthread+0x10/0x10
[   30.298302]  ret_from_fork_asm+0x1a/0x30
[   30.298308]  </TASK>
[   30.298309] 
[   30.463303] Allocated by task 239:
[   30.466755]  kasan_save_stack+0x45/0x70
[   30.470599]  kasan_save_track+0x18/0x40
[   30.474438]  kasan_save_alloc_info+0x3b/0x50
[   30.478723]  __kasan_kmalloc+0xb7/0xc0
[   30.482505]  __kmalloc_cache_noprof+0x189/0x420
[   30.487040]  ksize_uaf+0xaa/0x6c0
[   30.490358]  kunit_try_run_case+0x1a2/0x480
[   30.494545]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   30.499943]  kthread+0x334/0x6f0
[   30.503174]  ret_from_fork+0x3e/0x80
[   30.506764]  ret_from_fork_asm+0x1a/0x30
[   30.510703] 
[   30.512249] Freed by task 239:
[   30.515310]  kasan_save_stack+0x45/0x70
[   30.519147]  kasan_save_track+0x18/0x40
[   30.522987]  kasan_save_free_info+0x3f/0x60
[   30.527171]  __kasan_slab_free+0x56/0x70
[   30.531099]  kfree+0x222/0x3f0
[   30.534158]  ksize_uaf+0x12c/0x6c0
[   30.537562]  kunit_try_run_case+0x1a2/0x480
[   30.541757]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   30.547157]  kthread+0x334/0x6f0
[   30.550389]  ret_from_fork+0x3e/0x80
[   30.553969]  ret_from_fork_asm+0x1a/0x30
[   30.557894] 
[   30.559394] The buggy address belongs to the object at ffff88810633a600
[   30.559394]  which belongs to the cache kmalloc-128 of size 128
[   30.571908] The buggy address is located 0 bytes inside of
[   30.571908]  freed 128-byte region [ffff88810633a600, ffff88810633a680)
[   30.583989] 
[   30.585486] The buggy address belongs to the physical page:
[   30.591060] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10633a
[   30.599058] flags: 0x200000000000000(node=0|zone=2)
[   30.603939] page_type: f5(slab)
[   30.607084] raw: 0200000000000000 ffff888100042a00 dead000000000122 0000000000000000
[   30.614825] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   30.622571] page dumped because: kasan: bad access detected
[   30.628142] 
[   30.629642] Memory state around the buggy address:
[   30.634436]  ffff88810633a500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.641654]  ffff88810633a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.648908] >ffff88810633a600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.656125]                    ^
[   30.659361]  ffff88810633a680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.666587]  ffff88810633a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.673805] ==================================================================
[   31.080729] ==================================================================
[   31.087959] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   31.094318] Read of size 1 at addr ffff88810633a678 by task kunit_try_catch/239
[   31.101625] 
[   31.103125] CPU: 3 UID: 0 PID: 239 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT(voluntary) 
[   31.103133] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.103135] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   31.103138] Call Trace:
[   31.103139]  <TASK>
[   31.103141]  dump_stack_lvl+0x73/0xb0
[   31.103144]  print_report+0xd1/0x650
[   31.103149]  ? __virt_addr_valid+0x1db/0x2d0
[   31.103152]  ? ksize_uaf+0x5e4/0x6c0
[   31.103156]  ? kasan_complete_mode_report_info+0x64/0x200
[   31.103160]  ? ksize_uaf+0x5e4/0x6c0
[   31.103164]  kasan_report+0x141/0x180
[   31.103168]  ? ksize_uaf+0x5e4/0x6c0
[   31.103173]  __asan_report_load1_noabort+0x18/0x20
[   31.103176]  ksize_uaf+0x5e4/0x6c0
[   31.103180]  ? __pfx_ksize_uaf+0x10/0x10
[   31.103184]  ? __schedule+0x10cc/0x2b30
[   31.103189]  ? ktime_get_ts64+0x83/0x230
[   31.103193]  kunit_try_run_case+0x1a2/0x480
[   31.103197]  ? __pfx_kunit_try_run_case+0x10/0x10
[   31.103201]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   31.103206]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   31.103210]  ? __kthread_parkme+0x82/0x180
[   31.103214]  ? preempt_count_sub+0x50/0x80
[   31.103219]  ? __pfx_kunit_try_run_case+0x10/0x10
[   31.103223]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   31.103226]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   31.103230]  kthread+0x334/0x6f0
[   31.103234]  ? trace_preempt_on+0x20/0xc0
[   31.103239]  ? __pfx_kthread+0x10/0x10
[   31.103243]  ? _raw_spin_unlock_irq+0x47/0x80
[   31.103247]  ? calculate_sigpending+0x7b/0xa0
[   31.103250]  ? __pfx_kthread+0x10/0x10
[   31.103254]  ret_from_fork+0x3e/0x80
[   31.103258]  ? __pfx_kthread+0x10/0x10
[   31.103262]  ret_from_fork_asm+0x1a/0x30
[   31.103268]  </TASK>
[   31.103269] 
[   31.262617] Allocated by task 239:
[   31.266022]  kasan_save_stack+0x45/0x70
[   31.269862]  kasan_save_track+0x18/0x40
[   31.273704]  kasan_save_alloc_info+0x3b/0x50
[   31.278019]  __kasan_kmalloc+0xb7/0xc0
[   31.281771]  __kmalloc_cache_noprof+0x189/0x420
[   31.286302]  ksize_uaf+0xaa/0x6c0
[   31.289621]  kunit_try_run_case+0x1a2/0x480
[   31.293807]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   31.299208]  kthread+0x334/0x6f0
[   31.302438]  ret_from_fork+0x3e/0x80
[   31.306018]  ret_from_fork_asm+0x1a/0x30
[   31.309944] 
[   31.311445] Freed by task 239:
[   31.314502]  kasan_save_stack+0x45/0x70
[   31.318343]  kasan_save_track+0x18/0x40
[   31.322182]  kasan_save_free_info+0x3f/0x60
[   31.326367]  __kasan_slab_free+0x56/0x70
[   31.330294]  kfree+0x222/0x3f0
[   31.333353]  ksize_uaf+0x12c/0x6c0
[   31.336766]  kunit_try_run_case+0x1a2/0x480
[   31.340953]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   31.346352]  kthread+0x334/0x6f0
[   31.349593]  ret_from_fork+0x3e/0x80
[   31.353172]  ret_from_fork_asm+0x1a/0x30
[   31.357098] 
[   31.358597] The buggy address belongs to the object at ffff88810633a600
[   31.358597]  which belongs to the cache kmalloc-128 of size 128
[   31.371112] The buggy address is located 120 bytes inside of
[   31.371112]  freed 128-byte region [ffff88810633a600, ffff88810633a680)
[   31.383365] 
[   31.384864] The buggy address belongs to the physical page:
[   31.390437] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10633a
[   31.398445] flags: 0x200000000000000(node=0|zone=2)
[   31.403322] page_type: f5(slab)
[   31.406471] raw: 0200000000000000 ffff888100042a00 dead000000000122 0000000000000000
[   31.414219] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   31.421965] page dumped because: kasan: bad access detected
[   31.427536] 
[   31.429037] Memory state around the buggy address:
[   31.433830]  ffff88810633a500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.441057]  ffff88810633a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.448275] >ffff88810633a600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.455494]                                                                 ^
[   31.462626]  ffff88810633a680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.469845]  ffff88810633a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.477065] ==================================================================
[   30.681051] ==================================================================
[   30.688280] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   30.694639] Read of size 1 at addr ffff88810633a600 by task kunit_try_catch/239
[   30.701946] 
[   30.703445] CPU: 3 UID: 0 PID: 239 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc3 #1 PREEMPT(voluntary) 
[   30.703453] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.703455] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   30.703458] Call Trace:
[   30.703460]  <TASK>
[   30.703462]  dump_stack_lvl+0x73/0xb0
[   30.703465]  print_report+0xd1/0x650
[   30.703469]  ? __virt_addr_valid+0x1db/0x2d0
[   30.703473]  ? ksize_uaf+0x5fe/0x6c0
[   30.703477]  ? kasan_complete_mode_report_info+0x64/0x200
[   30.703481]  ? ksize_uaf+0x5fe/0x6c0
[   30.703485]  kasan_report+0x141/0x180
[   30.703489]  ? ksize_uaf+0x5fe/0x6c0
[   30.703494]  __asan_report_load1_noabort+0x18/0x20
[   30.703497]  ksize_uaf+0x5fe/0x6c0
[   30.703501]  ? __pfx_ksize_uaf+0x10/0x10
[   30.703505]  ? __schedule+0x10cc/0x2b30
[   30.703510]  ? ktime_get_ts64+0x83/0x230
[   30.703514]  kunit_try_run_case+0x1a2/0x480
[   30.703519]  ? __pfx_kunit_try_run_case+0x10/0x10
[   30.703523]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   30.703527]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   30.703532]  ? __kthread_parkme+0x82/0x180
[   30.703535]  ? preempt_count_sub+0x50/0x80
[   30.703540]  ? __pfx_kunit_try_run_case+0x10/0x10
[   30.703544]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   30.703548]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   30.703552]  kthread+0x334/0x6f0
[   30.703556]  ? trace_preempt_on+0x20/0xc0
[   30.703560]  ? __pfx_kthread+0x10/0x10
[   30.703564]  ? _raw_spin_unlock_irq+0x47/0x80
[   30.703568]  ? calculate_sigpending+0x7b/0xa0
[   30.703572]  ? __pfx_kthread+0x10/0x10
[   30.703576]  ret_from_fork+0x3e/0x80
[   30.703580]  ? __pfx_kthread+0x10/0x10
[   30.703584]  ret_from_fork_asm+0x1a/0x30
[   30.703590]  </TASK>
[   30.703591] 
[   30.862913] Allocated by task 239:
[   30.866318]  kasan_save_stack+0x45/0x70
[   30.870158]  kasan_save_track+0x18/0x40
[   30.873996]  kasan_save_alloc_info+0x3b/0x50
[   30.878270]  __kasan_kmalloc+0xb7/0xc0
[   30.882022]  __kmalloc_cache_noprof+0x189/0x420
[   30.886555]  ksize_uaf+0xaa/0x6c0
[   30.889874]  kunit_try_run_case+0x1a2/0x480
[   30.894057]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   30.899458]  kthread+0x334/0x6f0
[   30.902702]  ret_from_fork+0x3e/0x80
[   30.906330]  ret_from_fork_asm+0x1a/0x30
[   30.910255] 
[   30.911754] Freed by task 239:
[   30.914814]  kasan_save_stack+0x45/0x70
[   30.918653]  kasan_save_track+0x18/0x40
[   30.922517]  kasan_save_free_info+0x3f/0x60
[   30.926718]  __kasan_slab_free+0x56/0x70
[   30.930700]  kfree+0x222/0x3f0
[   30.933784]  ksize_uaf+0x12c/0x6c0
[   30.937192]  kunit_try_run_case+0x1a2/0x480
[   30.941386]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   30.946786]  kthread+0x334/0x6f0
[   30.950024]  ret_from_fork+0x3e/0x80
[   30.953603]  ret_from_fork_asm+0x1a/0x30
[   30.957532] 
[   30.959030] The buggy address belongs to the object at ffff88810633a600
[   30.959030]  which belongs to the cache kmalloc-128 of size 128
[   30.971543] The buggy address is located 0 bytes inside of
[   30.971543]  freed 128-byte region [ffff88810633a600, ffff88810633a680)
[   30.983624] 
[   30.985125] The buggy address belongs to the physical page:
[   30.990703] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10633a
[   30.998752] flags: 0x200000000000000(node=0|zone=2)
[   31.003635] page_type: f5(slab)
[   31.006782] raw: 0200000000000000 ffff888100042a00 dead000000000122 0000000000000000
[   31.014529] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   31.022268] page dumped because: kasan: bad access detected
[   31.027839] 
[   31.029340] Memory state around the buggy address:
[   31.034134]  ffff88810633a500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.041361]  ffff88810633a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.048587] >ffff88810633a600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.055805]                    ^
[   31.059039]  ffff88810633a680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.066259]  ffff88810633a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.073487] ==================================================================