Date
May 23, 2025, 11:07 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 28.112306] ================================================================== [ 28.112467] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 28.112607] Read of size 1 at addr fff00000c775a000 by task kunit_try_catch/198 [ 28.112751] [ 28.112840] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc7 #1 PREEMPT [ 28.113098] Tainted: [B]=BAD_PAGE, [N]=TEST [ 28.113219] Hardware name: linux,dummy-virt (DT) [ 28.113350] Call trace: [ 28.113440] show_stack+0x20/0x38 (C) [ 28.113877] dump_stack_lvl+0x8c/0xd0 [ 28.114333] print_report+0x118/0x608 [ 28.114634] kasan_report+0xdc/0x128 [ 28.114811] __asan_report_load1_noabort+0x20/0x30 [ 28.114972] ksize_uaf+0x598/0x5f8 [ 28.115088] kunit_try_run_case+0x170/0x3f0 [ 28.115222] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 28.115470] kthread+0x328/0x630 [ 28.115617] ret_from_fork+0x10/0x20 [ 28.115755] [ 28.115817] Allocated by task 198: [ 28.115975] kasan_save_stack+0x3c/0x68 [ 28.116094] kasan_save_track+0x20/0x40 [ 28.116198] kasan_save_alloc_info+0x40/0x58 [ 28.116500] __kasan_kmalloc+0xd4/0xd8 [ 28.116664] __kmalloc_cache_noprof+0x15c/0x3c0 [ 28.116815] ksize_uaf+0xb8/0x5f8 [ 28.116959] kunit_try_run_case+0x170/0x3f0 [ 28.117074] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 28.117248] kthread+0x328/0x630 [ 28.117350] ret_from_fork+0x10/0x20 [ 28.117442] [ 28.117510] Freed by task 198: [ 28.117576] kasan_save_stack+0x3c/0x68 [ 28.117679] kasan_save_track+0x20/0x40 [ 28.117811] kasan_save_free_info+0x4c/0x78 [ 28.117947] __kasan_slab_free+0x6c/0x98 [ 28.118149] kfree+0x214/0x3c8 [ 28.118297] ksize_uaf+0x11c/0x5f8 [ 28.118412] kunit_try_run_case+0x170/0x3f0 [ 28.118599] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 28.118745] kthread+0x328/0x630 [ 28.118888] ret_from_fork+0x10/0x20 [ 28.119023] [ 28.119141] The buggy address belongs to the object at fff00000c775a000 [ 28.119141] which belongs to the cache kmalloc-128 of size 128 [ 28.119394] The buggy address is located 0 bytes inside of [ 28.119394] freed 128-byte region [fff00000c775a000, fff00000c775a080) [ 28.119692] [ 28.119760] The buggy address belongs to the physical page: [ 28.119989] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10775a [ 28.120303] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 28.120598] page_type: f5(slab) [ 28.120734] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 28.120883] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 28.121010] page dumped because: kasan: bad access detected [ 28.121106] [ 28.121296] Memory state around the buggy address: [ 28.121977] fff00000c7759f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 28.122430] fff00000c7759f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 28.122772] >fff00000c775a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.123138] ^ [ 28.123267] fff00000c775a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.123984] fff00000c775a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.124335] ================================================================== [ 28.099435] ================================================================== [ 28.099693] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 28.099940] Read of size 1 at addr fff00000c775a000 by task kunit_try_catch/198 [ 28.100101] [ 28.100198] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc7 #1 PREEMPT [ 28.100466] Tainted: [B]=BAD_PAGE, [N]=TEST [ 28.100556] Hardware name: linux,dummy-virt (DT) [ 28.100878] Call trace: [ 28.100952] show_stack+0x20/0x38 (C) [ 28.101089] dump_stack_lvl+0x8c/0xd0 [ 28.101215] print_report+0x118/0x608 [ 28.101378] kasan_report+0xdc/0x128 [ 28.101622] __kasan_check_byte+0x54/0x70 [ 28.101853] ksize+0x30/0x88 [ 28.102248] ksize_uaf+0x168/0x5f8 [ 28.102391] kunit_try_run_case+0x170/0x3f0 [ 28.102564] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 28.102726] kthread+0x328/0x630 [ 28.102859] ret_from_fork+0x10/0x20 [ 28.103069] [ 28.103147] Allocated by task 198: [ 28.103322] kasan_save_stack+0x3c/0x68 [ 28.103582] kasan_save_track+0x20/0x40 [ 28.103977] kasan_save_alloc_info+0x40/0x58 [ 28.104211] __kasan_kmalloc+0xd4/0xd8 [ 28.104417] __kmalloc_cache_noprof+0x15c/0x3c0 [ 28.104628] ksize_uaf+0xb8/0x5f8 [ 28.104827] kunit_try_run_case+0x170/0x3f0 [ 28.105023] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 28.105231] kthread+0x328/0x630 [ 28.105347] ret_from_fork+0x10/0x20 [ 28.105441] [ 28.105500] Freed by task 198: [ 28.105562] kasan_save_stack+0x3c/0x68 [ 28.105666] kasan_save_track+0x20/0x40 [ 28.106227] kasan_save_free_info+0x4c/0x78 [ 28.106459] __kasan_slab_free+0x6c/0x98 [ 28.106588] kfree+0x214/0x3c8 [ 28.106734] ksize_uaf+0x11c/0x5f8 [ 28.106860] kunit_try_run_case+0x170/0x3f0 [ 28.107000] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 28.107173] kthread+0x328/0x630 [ 28.107324] ret_from_fork+0x10/0x20 [ 28.107502] [ 28.107565] The buggy address belongs to the object at fff00000c775a000 [ 28.107565] which belongs to the cache kmalloc-128 of size 128 [ 28.107739] The buggy address is located 0 bytes inside of [ 28.107739] freed 128-byte region [fff00000c775a000, fff00000c775a080) [ 28.107927] [ 28.107979] The buggy address belongs to the physical page: [ 28.108074] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10775a [ 28.108247] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 28.108390] page_type: f5(slab) [ 28.108805] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 28.109051] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 28.109217] page dumped because: kasan: bad access detected [ 28.109332] [ 28.109429] Memory state around the buggy address: [ 28.109515] fff00000c7759f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 28.109582] fff00000c7759f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 28.109660] >fff00000c775a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.109792] ^ [ 28.109910] fff00000c775a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.110027] fff00000c775a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.110117] ================================================================== [ 28.126742] ================================================================== [ 28.126883] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 28.127027] Read of size 1 at addr fff00000c775a078 by task kunit_try_catch/198 [ 28.127173] [ 28.127270] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc7 #1 PREEMPT [ 28.127593] Tainted: [B]=BAD_PAGE, [N]=TEST [ 28.128031] Hardware name: linux,dummy-virt (DT) [ 28.128180] Call trace: [ 28.128370] show_stack+0x20/0x38 (C) [ 28.128538] dump_stack_lvl+0x8c/0xd0 [ 28.129727] print_report+0x118/0x608 [ 28.129910] kasan_report+0xdc/0x128 [ 28.130007] __asan_report_load1_noabort+0x20/0x30 [ 28.130078] ksize_uaf+0x544/0x5f8 [ 28.130145] kunit_try_run_case+0x170/0x3f0 [ 28.130213] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 28.130292] kthread+0x328/0x630 [ 28.130355] ret_from_fork+0x10/0x20 [ 28.130426] [ 28.130479] Allocated by task 198: [ 28.130570] kasan_save_stack+0x3c/0x68 [ 28.130749] kasan_save_track+0x20/0x40 [ 28.130865] kasan_save_alloc_info+0x40/0x58 [ 28.131045] __kasan_kmalloc+0xd4/0xd8 [ 28.131213] __kmalloc_cache_noprof+0x15c/0x3c0 [ 28.131392] ksize_uaf+0xb8/0x5f8 [ 28.131905] kunit_try_run_case+0x170/0x3f0 [ 28.132046] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 28.132116] kthread+0x328/0x630 [ 28.132175] ret_from_fork+0x10/0x20 [ 28.132301] [ 28.132389] Freed by task 198: [ 28.132520] kasan_save_stack+0x3c/0x68 [ 28.132681] kasan_save_track+0x20/0x40 [ 28.132832] kasan_save_free_info+0x4c/0x78 [ 28.132993] __kasan_slab_free+0x6c/0x98 [ 28.133151] kfree+0x214/0x3c8 [ 28.133266] ksize_uaf+0x11c/0x5f8 [ 28.133565] kunit_try_run_case+0x170/0x3f0 [ 28.133701] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 28.134301] kthread+0x328/0x630 [ 28.134778] ret_from_fork+0x10/0x20 [ 28.134894] [ 28.134953] The buggy address belongs to the object at fff00000c775a000 [ 28.134953] which belongs to the cache kmalloc-128 of size 128 [ 28.135130] The buggy address is located 120 bytes inside of [ 28.135130] freed 128-byte region [fff00000c775a000, fff00000c775a080) [ 28.135324] [ 28.135403] The buggy address belongs to the physical page: [ 28.135515] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10775a [ 28.137079] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 28.137772] page_type: f5(slab) [ 28.138098] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 28.138362] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 28.138704] page dumped because: kasan: bad access detected [ 28.139313] [ 28.139405] Memory state around the buggy address: [ 28.140018] fff00000c7759f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 28.140147] fff00000c7759f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 28.140268] >fff00000c775a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.141030] ^ [ 28.141788] fff00000c775a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.142387] fff00000c775a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.142546] ==================================================================
[ 13.138317] ================================================================== [ 13.138846] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 13.139326] Read of size 1 at addr ffff888102a2d700 by task kunit_try_catch/215 [ 13.139663] [ 13.139781] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc7 #1 PREEMPT(voluntary) [ 13.139827] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.139838] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.139860] Call Trace: [ 13.139877] <TASK> [ 13.139894] dump_stack_lvl+0x73/0xb0 [ 13.139922] print_report+0xd1/0x650 [ 13.139945] ? __virt_addr_valid+0x1db/0x2d0 [ 13.139978] ? ksize_uaf+0x5fe/0x6c0 [ 13.139999] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.140022] ? ksize_uaf+0x5fe/0x6c0 [ 13.140328] kasan_report+0x141/0x180 [ 13.140353] ? ksize_uaf+0x5fe/0x6c0 [ 13.140390] __asan_report_load1_noabort+0x18/0x20 [ 13.140410] ksize_uaf+0x5fe/0x6c0 [ 13.140431] ? __pfx_ksize_uaf+0x10/0x10 [ 13.140452] ? __schedule+0x10cc/0x2b30 [ 13.140483] ? __pfx_read_tsc+0x10/0x10 [ 13.140502] ? ktime_get_ts64+0x86/0x230 [ 13.140527] kunit_try_run_case+0x1a5/0x480 [ 13.140561] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.140582] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.140605] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.140627] ? __kthread_parkme+0x82/0x180 [ 13.140648] ? preempt_count_sub+0x50/0x80 [ 13.140672] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.140694] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.140715] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.140737] kthread+0x337/0x6f0 [ 13.140753] ? trace_preempt_on+0x20/0xc0 [ 13.140776] ? __pfx_kthread+0x10/0x10 [ 13.140794] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.140815] ? calculate_sigpending+0x7b/0xa0 [ 13.140836] ? __pfx_kthread+0x10/0x10 [ 13.140853] ret_from_fork+0x41/0x80 [ 13.140873] ? __pfx_kthread+0x10/0x10 [ 13.140890] ret_from_fork_asm+0x1a/0x30 [ 13.140921] </TASK> [ 13.140932] [ 13.149026] Allocated by task 215: [ 13.149255] kasan_save_stack+0x45/0x70 [ 13.149509] kasan_save_track+0x18/0x40 [ 13.149681] kasan_save_alloc_info+0x3b/0x50 [ 13.149875] __kasan_kmalloc+0xb7/0xc0 [ 13.150009] __kmalloc_cache_noprof+0x189/0x420 [ 13.150215] ksize_uaf+0xaa/0x6c0 [ 13.150410] kunit_try_run_case+0x1a5/0x480 [ 13.150701] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.151086] kthread+0x337/0x6f0 [ 13.151257] ret_from_fork+0x41/0x80 [ 13.151493] ret_from_fork_asm+0x1a/0x30 [ 13.151691] [ 13.151800] Freed by task 215: [ 13.152065] kasan_save_stack+0x45/0x70 [ 13.152233] kasan_save_track+0x18/0x40 [ 13.152446] kasan_save_free_info+0x3f/0x60 [ 13.152655] __kasan_slab_free+0x56/0x70 [ 13.152807] kfree+0x222/0x3f0 [ 13.152924] ksize_uaf+0x12c/0x6c0 [ 13.153049] kunit_try_run_case+0x1a5/0x480 [ 13.153322] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.153572] kthread+0x337/0x6f0 [ 13.153736] ret_from_fork+0x41/0x80 [ 13.153890] ret_from_fork_asm+0x1a/0x30 [ 13.154029] [ 13.154100] The buggy address belongs to the object at ffff888102a2d700 [ 13.154100] which belongs to the cache kmalloc-128 of size 128 [ 13.155005] The buggy address is located 0 bytes inside of [ 13.155005] freed 128-byte region [ffff888102a2d700, ffff888102a2d780) [ 13.155632] [ 13.155720] The buggy address belongs to the physical page: [ 13.156029] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a2d [ 13.156466] flags: 0x200000000000000(node=0|zone=2) [ 13.156647] page_type: f5(slab) [ 13.156838] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.157232] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.157601] page dumped because: kasan: bad access detected [ 13.157838] [ 13.157997] Memory state around the buggy address: [ 13.158227] ffff888102a2d600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.158563] ffff888102a2d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.158931] >ffff888102a2d700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.159184] ^ [ 13.159311] ffff888102a2d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.159634] ffff888102a2d800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.159950] ================================================================== [ 13.103707] ================================================================== [ 13.105073] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 13.105689] Read of size 1 at addr ffff888102a2d700 by task kunit_try_catch/215 [ 13.107045] [ 13.107314] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc7 #1 PREEMPT(voluntary) [ 13.107368] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.107381] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.107404] Call Trace: [ 13.107423] <TASK> [ 13.107443] dump_stack_lvl+0x73/0xb0 [ 13.107474] print_report+0xd1/0x650 [ 13.107496] ? __virt_addr_valid+0x1db/0x2d0 [ 13.107519] ? ksize_uaf+0x19d/0x6c0 [ 13.107539] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.107560] ? ksize_uaf+0x19d/0x6c0 [ 13.107581] kasan_report+0x141/0x180 [ 13.107603] ? ksize_uaf+0x19d/0x6c0 [ 13.107626] ? ksize_uaf+0x19d/0x6c0 [ 13.107647] __kasan_check_byte+0x3d/0x50 [ 13.107669] ksize+0x20/0x60 [ 13.107690] ksize_uaf+0x19d/0x6c0 [ 13.107710] ? __pfx_ksize_uaf+0x10/0x10 [ 13.107732] ? __schedule+0x10cc/0x2b30 [ 13.107754] ? __pfx_read_tsc+0x10/0x10 [ 13.107773] ? ktime_get_ts64+0x86/0x230 [ 13.107798] kunit_try_run_case+0x1a5/0x480 [ 13.107822] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.107843] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.107865] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.107887] ? __kthread_parkme+0x82/0x180 [ 13.107909] ? preempt_count_sub+0x50/0x80 [ 13.107934] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.107956] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.107977] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.107999] kthread+0x337/0x6f0 [ 13.108015] ? trace_preempt_on+0x20/0xc0 [ 13.108039] ? __pfx_kthread+0x10/0x10 [ 13.108056] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.108076] ? calculate_sigpending+0x7b/0xa0 [ 13.108098] ? __pfx_kthread+0x10/0x10 [ 13.108115] ret_from_fork+0x41/0x80 [ 13.108135] ? __pfx_kthread+0x10/0x10 [ 13.108152] ret_from_fork_asm+0x1a/0x30 [ 13.108183] </TASK> [ 13.108195] [ 13.121216] Allocated by task 215: [ 13.121473] kasan_save_stack+0x45/0x70 [ 13.121865] kasan_save_track+0x18/0x40 [ 13.122180] kasan_save_alloc_info+0x3b/0x50 [ 13.122341] __kasan_kmalloc+0xb7/0xc0 [ 13.122542] __kmalloc_cache_noprof+0x189/0x420 [ 13.123086] ksize_uaf+0xaa/0x6c0 [ 13.123454] kunit_try_run_case+0x1a5/0x480 [ 13.123897] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.124378] kthread+0x337/0x6f0 [ 13.124523] ret_from_fork+0x41/0x80 [ 13.124948] ret_from_fork_asm+0x1a/0x30 [ 13.125235] [ 13.125319] Freed by task 215: [ 13.125443] kasan_save_stack+0x45/0x70 [ 13.125710] kasan_save_track+0x18/0x40 [ 13.125900] kasan_save_free_info+0x3f/0x60 [ 13.126388] __kasan_slab_free+0x56/0x70 [ 13.126743] kfree+0x222/0x3f0 [ 13.127088] ksize_uaf+0x12c/0x6c0 [ 13.127288] kunit_try_run_case+0x1a5/0x480 [ 13.127638] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.127814] kthread+0x337/0x6f0 [ 13.128010] ret_from_fork+0x41/0x80 [ 13.128400] ret_from_fork_asm+0x1a/0x30 [ 13.128811] [ 13.129080] The buggy address belongs to the object at ffff888102a2d700 [ 13.129080] which belongs to the cache kmalloc-128 of size 128 [ 13.130241] The buggy address is located 0 bytes inside of [ 13.130241] freed 128-byte region [ffff888102a2d700, ffff888102a2d780) [ 13.130709] [ 13.130786] The buggy address belongs to the physical page: [ 13.131183] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a2d [ 13.132000] flags: 0x200000000000000(node=0|zone=2) [ 13.132528] page_type: f5(slab) [ 13.132864] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.133600] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.133831] page dumped because: kasan: bad access detected [ 13.134348] [ 13.134514] Memory state around the buggy address: [ 13.135043] ffff888102a2d600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.135876] ffff888102a2d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.136361] >ffff888102a2d700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.136681] ^ [ 13.136837] ffff888102a2d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.137224] ffff888102a2d800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.137511] ================================================================== [ 13.160861] ================================================================== [ 13.161215] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 13.161440] Read of size 1 at addr ffff888102a2d778 by task kunit_try_catch/215 [ 13.161809] [ 13.162036] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc7 #1 PREEMPT(voluntary) [ 13.162081] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.162125] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.162145] Call Trace: [ 13.162155] <TASK> [ 13.162169] dump_stack_lvl+0x73/0xb0 [ 13.162228] print_report+0xd1/0x650 [ 13.162261] ? __virt_addr_valid+0x1db/0x2d0 [ 13.162300] ? ksize_uaf+0x5e4/0x6c0 [ 13.162349] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.162371] ? ksize_uaf+0x5e4/0x6c0 [ 13.162392] kasan_report+0x141/0x180 [ 13.162457] ? ksize_uaf+0x5e4/0x6c0 [ 13.162483] __asan_report_load1_noabort+0x18/0x20 [ 13.162503] ksize_uaf+0x5e4/0x6c0 [ 13.162534] ? __pfx_ksize_uaf+0x10/0x10 [ 13.162555] ? __schedule+0x10cc/0x2b30 [ 13.162576] ? __pfx_read_tsc+0x10/0x10 [ 13.162594] ? ktime_get_ts64+0x86/0x230 [ 13.162618] kunit_try_run_case+0x1a5/0x480 [ 13.162641] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.162661] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.162691] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.162712] ? __kthread_parkme+0x82/0x180 [ 13.162734] ? preempt_count_sub+0x50/0x80 [ 13.162758] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.162781] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.162802] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.162824] kthread+0x337/0x6f0 [ 13.162840] ? trace_preempt_on+0x20/0xc0 [ 13.162862] ? __pfx_kthread+0x10/0x10 [ 13.162879] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.162977] ? calculate_sigpending+0x7b/0xa0 [ 13.162998] ? __pfx_kthread+0x10/0x10 [ 13.163016] ret_from_fork+0x41/0x80 [ 13.163048] ? __pfx_kthread+0x10/0x10 [ 13.163065] ret_from_fork_asm+0x1a/0x30 [ 13.163095] </TASK> [ 13.163106] [ 13.174579] Allocated by task 215: [ 13.174796] kasan_save_stack+0x45/0x70 [ 13.175016] kasan_save_track+0x18/0x40 [ 13.175509] kasan_save_alloc_info+0x3b/0x50 [ 13.175701] __kasan_kmalloc+0xb7/0xc0 [ 13.175893] __kmalloc_cache_noprof+0x189/0x420 [ 13.176157] ksize_uaf+0xaa/0x6c0 [ 13.176342] kunit_try_run_case+0x1a5/0x480 [ 13.176665] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.176892] kthread+0x337/0x6f0 [ 13.177058] ret_from_fork+0x41/0x80 [ 13.177733] ret_from_fork_asm+0x1a/0x30 [ 13.178094] [ 13.178201] Freed by task 215: [ 13.178530] kasan_save_stack+0x45/0x70 [ 13.178915] kasan_save_track+0x18/0x40 [ 13.179305] kasan_save_free_info+0x3f/0x60 [ 13.179699] __kasan_slab_free+0x56/0x70 [ 13.180148] kfree+0x222/0x3f0 [ 13.180290] ksize_uaf+0x12c/0x6c0 [ 13.180823] kunit_try_run_case+0x1a5/0x480 [ 13.181435] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.181727] kthread+0x337/0x6f0 [ 13.181867] ret_from_fork+0x41/0x80 [ 13.182056] ret_from_fork_asm+0x1a/0x30 [ 13.182210] [ 13.182319] The buggy address belongs to the object at ffff888102a2d700 [ 13.182319] which belongs to the cache kmalloc-128 of size 128 [ 13.183506] The buggy address is located 120 bytes inside of [ 13.183506] freed 128-byte region [ffff888102a2d700, ffff888102a2d780) [ 13.184287] [ 13.184385] The buggy address belongs to the physical page: [ 13.184876] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a2d [ 13.185429] flags: 0x200000000000000(node=0|zone=2) [ 13.185669] page_type: f5(slab) [ 13.185842] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.186153] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.187138] page dumped because: kasan: bad access detected [ 13.187397] [ 13.187523] Memory state around the buggy address: [ 13.187751] ffff888102a2d600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.188271] ffff888102a2d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.188814] >ffff888102a2d700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.189374] ^ [ 13.189871] ffff888102a2d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.190492] ffff888102a2d800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.191290] ==================================================================