Date
June 8, 2025, 11:09 p.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 | |
| rk3399-rock-pi-4b |
[ 31.517821] ================================================================== [ 31.527671] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 31.534007] Read of size 1 at addr ffff000801e28500 by task kunit_try_catch/243 [ 31.541295] [ 31.542782] CPU: 7 UID: 0 PID: 243 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 31.542840] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.542857] Hardware name: WinLink E850-96 board (DT) [ 31.542877] Call trace: [ 31.542894] show_stack+0x20/0x38 (C) [ 31.542930] dump_stack_lvl+0x8c/0xd0 [ 31.542965] print_report+0x118/0x608 [ 31.543003] kasan_report+0xdc/0x128 [ 31.543035] __kasan_check_byte+0x54/0x70 [ 31.543069] ksize+0x30/0x88 [ 31.543101] ksize_uaf+0x168/0x5f8 [ 31.543132] kunit_try_run_case+0x170/0x3f0 [ 31.543169] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.543208] kthread+0x328/0x630 [ 31.543236] ret_from_fork+0x10/0x20 [ 31.543273] [ 31.606919] Allocated by task 243: [ 31.610308] kasan_save_stack+0x3c/0x68 [ 31.614125] kasan_save_track+0x20/0x40 [ 31.617945] kasan_save_alloc_info+0x40/0x58 [ 31.622197] __kasan_kmalloc+0xd4/0xd8 [ 31.625929] __kmalloc_cache_noprof+0x16c/0x3c0 [ 31.630443] ksize_uaf+0xb8/0x5f8 [ 31.633743] kunit_try_run_case+0x170/0x3f0 [ 31.637910] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.643377] kthread+0x328/0x630 [ 31.646589] ret_from_fork+0x10/0x20 [ 31.650149] [ 31.651623] Freed by task 243: [ 31.654663] kasan_save_stack+0x3c/0x68 [ 31.658481] kasan_save_track+0x20/0x40 [ 31.662300] kasan_save_free_info+0x4c/0x78 [ 31.666467] __kasan_slab_free+0x6c/0x98 [ 31.670373] kfree+0x214/0x3c8 [ 31.673411] ksize_uaf+0x11c/0x5f8 [ 31.676797] kunit_try_run_case+0x170/0x3f0 [ 31.680963] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.686435] kthread+0x328/0x630 [ 31.689644] ret_from_fork+0x10/0x20 [ 31.693203] [ 31.694682] The buggy address belongs to the object at ffff000801e28500 [ 31.694682] which belongs to the cache kmalloc-128 of size 128 [ 31.707181] The buggy address is located 0 bytes inside of [ 31.707181] freed 128-byte region [ffff000801e28500, ffff000801e28580) [ 31.719245] [ 31.720722] The buggy address belongs to the physical page: [ 31.726279] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881e28 [ 31.734263] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 31.741904] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 31.748847] page_type: f5(slab) [ 31.751984] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 31.759702] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 31.767430] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 31.775239] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 31.783053] head: 0bfffe0000000001 fffffdffe0078a01 00000000ffffffff 00000000ffffffff [ 31.790864] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 31.798671] page dumped because: kasan: bad access detected [ 31.804225] [ 31.805700] Memory state around the buggy address: [ 31.810483] ffff000801e28400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.817686] ffff000801e28480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.824889] >ffff000801e28500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.832090] ^ [ 31.835305] ffff000801e28580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.842511] ffff000801e28600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.849714] ================================================================== [ 31.857047] ================================================================== [ 31.864128] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 31.870457] Read of size 1 at addr ffff000801e28500 by task kunit_try_catch/243 [ 31.877749] [ 31.879235] CPU: 7 UID: 0 PID: 243 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 31.879286] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.879303] Hardware name: WinLink E850-96 board (DT) [ 31.879323] Call trace: [ 31.879338] show_stack+0x20/0x38 (C) [ 31.879373] dump_stack_lvl+0x8c/0xd0 [ 31.879411] print_report+0x118/0x608 [ 31.879444] kasan_report+0xdc/0x128 [ 31.879478] __asan_report_load1_noabort+0x20/0x30 [ 31.879515] ksize_uaf+0x598/0x5f8 [ 31.879543] kunit_try_run_case+0x170/0x3f0 [ 31.879578] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.879615] kthread+0x328/0x630 [ 31.879645] ret_from_fork+0x10/0x20 [ 31.879682] [ 31.941289] Allocated by task 243: [ 31.944675] kasan_save_stack+0x3c/0x68 [ 31.948494] kasan_save_track+0x20/0x40 [ 31.952313] kasan_save_alloc_info+0x40/0x58 [ 31.956567] __kasan_kmalloc+0xd4/0xd8 [ 31.960300] __kmalloc_cache_noprof+0x16c/0x3c0 [ 31.964813] ksize_uaf+0xb8/0x5f8 [ 31.968112] kunit_try_run_case+0x170/0x3f0 [ 31.972279] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.977747] kthread+0x328/0x630 [ 31.980960] ret_from_fork+0x10/0x20 [ 31.984518] [ 31.985994] Freed by task 243: [ 31.989033] kasan_save_stack+0x3c/0x68 [ 31.992851] kasan_save_track+0x20/0x40 [ 31.996670] kasan_save_free_info+0x4c/0x78 [ 32.000837] __kasan_slab_free+0x6c/0x98 [ 32.004743] kfree+0x214/0x3c8 [ 32.007781] ksize_uaf+0x11c/0x5f8 [ 32.011167] kunit_try_run_case+0x170/0x3f0 [ 32.015333] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.020803] kthread+0x328/0x630 [ 32.024014] ret_from_fork+0x10/0x20 [ 32.027574] [ 32.029050] The buggy address belongs to the object at ffff000801e28500 [ 32.029050] which belongs to the cache kmalloc-128 of size 128 [ 32.041550] The buggy address is located 0 bytes inside of [ 32.041550] freed 128-byte region [ffff000801e28500, ffff000801e28580) [ 32.053615] [ 32.055092] The buggy address belongs to the physical page: [ 32.060650] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881e28 [ 32.068634] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 32.076273] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 32.083216] page_type: f5(slab) [ 32.086351] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 32.094071] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 32.101798] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 32.109610] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 32.117423] head: 0bfffe0000000001 fffffdffe0078a01 00000000ffffffff 00000000ffffffff [ 32.125235] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 32.133040] page dumped because: kasan: bad access detected [ 32.138595] [ 32.140071] Memory state around the buggy address: [ 32.144849] ffff000801e28400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.152054] ffff000801e28480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.159259] >ffff000801e28500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.166459] ^ [ 32.169675] ffff000801e28580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.176881] ffff000801e28600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.184081] ================================================================== [ 32.191400] ================================================================== [ 32.198497] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 32.204827] Read of size 1 at addr ffff000801e28578 by task kunit_try_catch/243 [ 32.212119] [ 32.213604] CPU: 7 UID: 0 PID: 243 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 32.213656] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.213674] Hardware name: WinLink E850-96 board (DT) [ 32.213693] Call trace: [ 32.213706] show_stack+0x20/0x38 (C) [ 32.213741] dump_stack_lvl+0x8c/0xd0 [ 32.213779] print_report+0x118/0x608 [ 32.213813] kasan_report+0xdc/0x128 [ 32.213845] __asan_report_load1_noabort+0x20/0x30 [ 32.213881] ksize_uaf+0x544/0x5f8 [ 32.213911] kunit_try_run_case+0x170/0x3f0 [ 32.213947] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.213985] kthread+0x328/0x630 [ 32.214011] ret_from_fork+0x10/0x20 [ 32.214044] [ 32.275659] Allocated by task 243: [ 32.279046] kasan_save_stack+0x3c/0x68 [ 32.282867] kasan_save_track+0x20/0x40 [ 32.286684] kasan_save_alloc_info+0x40/0x58 [ 32.290937] __kasan_kmalloc+0xd4/0xd8 [ 32.294669] __kmalloc_cache_noprof+0x16c/0x3c0 [ 32.299183] ksize_uaf+0xb8/0x5f8 [ 32.302483] kunit_try_run_case+0x170/0x3f0 [ 32.306650] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.312117] kthread+0x328/0x630 [ 32.315329] ret_from_fork+0x10/0x20 [ 32.318888] [ 32.320364] Freed by task 243: [ 32.323403] kasan_save_stack+0x3c/0x68 [ 32.327221] kasan_save_track+0x20/0x40 [ 32.331040] kasan_save_free_info+0x4c/0x78 [ 32.335207] __kasan_slab_free+0x6c/0x98 [ 32.339114] kfree+0x214/0x3c8 [ 32.342151] ksize_uaf+0x11c/0x5f8 [ 32.345536] kunit_try_run_case+0x170/0x3f0 [ 32.349703] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.355174] kthread+0x328/0x630 [ 32.358384] ret_from_fork+0x10/0x20 [ 32.361943] [ 32.363419] The buggy address belongs to the object at ffff000801e28500 [ 32.363419] which belongs to the cache kmalloc-128 of size 128 [ 32.375920] The buggy address is located 120 bytes inside of [ 32.375920] freed 128-byte region [ffff000801e28500, ffff000801e28580) [ 32.388158] [ 32.389637] The buggy address belongs to the physical page: [ 32.395193] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881e28 [ 32.403178] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 32.410817] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 32.417759] page_type: f5(slab) [ 32.420895] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 32.428615] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 32.436342] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 32.444153] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 32.451966] head: 0bfffe0000000001 fffffdffe0078a01 00000000ffffffff 00000000ffffffff [ 32.459778] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 32.467584] page dumped because: kasan: bad access detected [ 32.473139] [ 32.474614] Memory state around the buggy address: [ 32.479393] ffff000801e28400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.486598] ffff000801e28480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.493802] >ffff000801e28500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.501003] ^ [ 32.508125] ffff000801e28580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.515331] ffff000801e28600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.522532] ==================================================================
[ 25.796923] ================================================================== [ 25.797140] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 25.797281] Read of size 1 at addr fff00000c6507a00 by task kunit_try_catch/196 [ 25.797396] [ 25.797479] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 25.797674] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.797740] Hardware name: linux,dummy-virt (DT) [ 25.797821] Call trace: [ 25.797886] show_stack+0x20/0x38 (C) [ 25.798040] dump_stack_lvl+0x8c/0xd0 [ 25.798258] print_report+0x118/0x608 [ 25.798397] kasan_report+0xdc/0x128 [ 25.798527] __kasan_check_byte+0x54/0x70 [ 25.799189] ksize+0x30/0x88 [ 25.799497] ksize_uaf+0x168/0x5f8 [ 25.799680] kunit_try_run_case+0x170/0x3f0 [ 25.799977] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.800178] kthread+0x328/0x630 [ 25.800294] ret_from_fork+0x10/0x20 [ 25.800426] [ 25.800569] Allocated by task 196: [ 25.800778] kasan_save_stack+0x3c/0x68 [ 25.800979] kasan_save_track+0x20/0x40 [ 25.801091] kasan_save_alloc_info+0x40/0x58 [ 25.801279] __kasan_kmalloc+0xd4/0xd8 [ 25.801390] __kmalloc_cache_noprof+0x16c/0x3c0 [ 25.801849] ksize_uaf+0xb8/0x5f8 [ 25.802099] kunit_try_run_case+0x170/0x3f0 [ 25.802216] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.802535] kthread+0x328/0x630 [ 25.802730] ret_from_fork+0x10/0x20 [ 25.802883] [ 25.802987] Freed by task 196: [ 25.803163] kasan_save_stack+0x3c/0x68 [ 25.803272] kasan_save_track+0x20/0x40 [ 25.803380] kasan_save_free_info+0x4c/0x78 [ 25.803515] __kasan_slab_free+0x6c/0x98 [ 25.803712] kfree+0x214/0x3c8 [ 25.803859] ksize_uaf+0x11c/0x5f8 [ 25.803976] kunit_try_run_case+0x170/0x3f0 [ 25.804129] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.804259] kthread+0x328/0x630 [ 25.804354] ret_from_fork+0x10/0x20 [ 25.804888] [ 25.804983] The buggy address belongs to the object at fff00000c6507a00 [ 25.804983] which belongs to the cache kmalloc-128 of size 128 [ 25.805122] The buggy address is located 0 bytes inside of [ 25.805122] freed 128-byte region [fff00000c6507a00, fff00000c6507a80) [ 25.805265] [ 25.805385] The buggy address belongs to the physical page: [ 25.805589] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106507 [ 25.805758] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 25.806136] page_type: f5(slab) [ 25.806488] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 25.807006] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.807289] page dumped because: kasan: bad access detected [ 25.807374] [ 25.807455] Memory state around the buggy address: [ 25.807535] fff00000c6507900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.807691] fff00000c6507980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.807811] >fff00000c6507a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.807914] ^ [ 25.808201] fff00000c6507a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.808849] fff00000c6507b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.809043] ================================================================== [ 25.810361] ================================================================== [ 25.810497] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 25.810698] Read of size 1 at addr fff00000c6507a00 by task kunit_try_catch/196 [ 25.810895] [ 25.810987] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 25.811314] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.811386] Hardware name: linux,dummy-virt (DT) [ 25.811537] Call trace: [ 25.811629] show_stack+0x20/0x38 (C) [ 25.811825] dump_stack_lvl+0x8c/0xd0 [ 25.812032] print_report+0x118/0x608 [ 25.812360] kasan_report+0xdc/0x128 [ 25.812490] __asan_report_load1_noabort+0x20/0x30 [ 25.812792] ksize_uaf+0x598/0x5f8 [ 25.812962] kunit_try_run_case+0x170/0x3f0 [ 25.813110] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.813305] kthread+0x328/0x630 [ 25.813432] ret_from_fork+0x10/0x20 [ 25.813693] [ 25.813831] Allocated by task 196: [ 25.813959] kasan_save_stack+0x3c/0x68 [ 25.814141] kasan_save_track+0x20/0x40 [ 25.814265] kasan_save_alloc_info+0x40/0x58 [ 25.814462] __kasan_kmalloc+0xd4/0xd8 [ 25.814703] __kmalloc_cache_noprof+0x16c/0x3c0 [ 25.814851] ksize_uaf+0xb8/0x5f8 [ 25.815140] kunit_try_run_case+0x170/0x3f0 [ 25.815255] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.815370] kthread+0x328/0x630 [ 25.815492] ret_from_fork+0x10/0x20 [ 25.815602] [ 25.815661] Freed by task 196: [ 25.816021] kasan_save_stack+0x3c/0x68 [ 25.816459] kasan_save_track+0x20/0x40 [ 25.816876] kasan_save_free_info+0x4c/0x78 [ 25.817004] __kasan_slab_free+0x6c/0x98 [ 25.817604] kfree+0x214/0x3c8 [ 25.817846] ksize_uaf+0x11c/0x5f8 [ 25.818012] kunit_try_run_case+0x170/0x3f0 [ 25.818124] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.818235] kthread+0x328/0x630 [ 25.818360] ret_from_fork+0x10/0x20 [ 25.818629] [ 25.818706] The buggy address belongs to the object at fff00000c6507a00 [ 25.818706] which belongs to the cache kmalloc-128 of size 128 [ 25.818849] The buggy address is located 0 bytes inside of [ 25.818849] freed 128-byte region [fff00000c6507a00, fff00000c6507a80) [ 25.819036] [ 25.819187] The buggy address belongs to the physical page: [ 25.819269] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106507 [ 25.819752] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 25.820127] page_type: f5(slab) [ 25.820309] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 25.820435] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.820544] page dumped because: kasan: bad access detected [ 25.820627] [ 25.820704] Memory state around the buggy address: [ 25.820802] fff00000c6507900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.821119] fff00000c6507980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.821229] >fff00000c6507a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.821320] ^ [ 25.821461] fff00000c6507a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.821746] fff00000c6507b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.822168] ================================================================== [ 25.823497] ================================================================== [ 25.823692] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 25.823882] Read of size 1 at addr fff00000c6507a78 by task kunit_try_catch/196 [ 25.824021] [ 25.824092] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 25.824288] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.824352] Hardware name: linux,dummy-virt (DT) [ 25.824424] Call trace: [ 25.824485] show_stack+0x20/0x38 (C) [ 25.824616] dump_stack_lvl+0x8c/0xd0 [ 25.824739] print_report+0x118/0x608 [ 25.824858] kasan_report+0xdc/0x128 [ 25.824996] __asan_report_load1_noabort+0x20/0x30 [ 25.825124] ksize_uaf+0x544/0x5f8 [ 25.825232] kunit_try_run_case+0x170/0x3f0 [ 25.825354] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.825482] kthread+0x328/0x630 [ 25.825597] ret_from_fork+0x10/0x20 [ 25.825713] [ 25.825755] Allocated by task 196: [ 25.825857] kasan_save_stack+0x3c/0x68 [ 25.826052] kasan_save_track+0x20/0x40 [ 25.826201] kasan_save_alloc_info+0x40/0x58 [ 25.826376] __kasan_kmalloc+0xd4/0xd8 [ 25.826529] __kmalloc_cache_noprof+0x16c/0x3c0 [ 25.826700] ksize_uaf+0xb8/0x5f8 [ 25.826876] kunit_try_run_case+0x170/0x3f0 [ 25.827188] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.827394] kthread+0x328/0x630 [ 25.827489] ret_from_fork+0x10/0x20 [ 25.827679] [ 25.827726] Freed by task 196: [ 25.827928] kasan_save_stack+0x3c/0x68 [ 25.828071] kasan_save_track+0x20/0x40 [ 25.828173] kasan_save_free_info+0x4c/0x78 [ 25.828314] __kasan_slab_free+0x6c/0x98 [ 25.829391] kfree+0x214/0x3c8 [ 25.829520] ksize_uaf+0x11c/0x5f8 [ 25.829608] kunit_try_run_case+0x170/0x3f0 [ 25.829717] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.829832] kthread+0x328/0x630 [ 25.829917] ret_from_fork+0x10/0x20 [ 25.830030] [ 25.830079] The buggy address belongs to the object at fff00000c6507a00 [ 25.830079] which belongs to the cache kmalloc-128 of size 128 [ 25.830217] The buggy address is located 120 bytes inside of [ 25.830217] freed 128-byte region [fff00000c6507a00, fff00000c6507a80) [ 25.830364] [ 25.830425] The buggy address belongs to the physical page: [ 25.830519] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106507 [ 25.830673] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 25.830814] page_type: f5(slab) [ 25.830925] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 25.831236] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.831354] page dumped because: kasan: bad access detected [ 25.831446] [ 25.831599] Memory state around the buggy address: [ 25.831834] fff00000c6507900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.831965] fff00000c6507980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.832146] >fff00000c6507a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.832245] ^ [ 25.832363] fff00000c6507a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.832492] fff00000c6507b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.832684] ==================================================================
[ 26.082418] ================================================================== [ 26.082563] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 26.083196] Read of size 1 at addr fff00000c7747800 by task kunit_try_catch/196 [ 26.083319] [ 26.083395] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 26.083612] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.083680] Hardware name: linux,dummy-virt (DT) [ 26.083750] Call trace: [ 26.083814] show_stack+0x20/0x38 (C) [ 26.083969] dump_stack_lvl+0x8c/0xd0 [ 26.085094] print_report+0x118/0x608 [ 26.085247] kasan_report+0xdc/0x128 [ 26.085378] __kasan_check_byte+0x54/0x70 [ 26.085505] ksize+0x30/0x88 [ 26.085627] ksize_uaf+0x168/0x5f8 [ 26.085753] kunit_try_run_case+0x170/0x3f0 [ 26.086073] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.086209] kthread+0x328/0x630 [ 26.086311] ret_from_fork+0x10/0x20 [ 26.086429] [ 26.086475] Allocated by task 196: [ 26.086541] kasan_save_stack+0x3c/0x68 [ 26.086642] kasan_save_track+0x20/0x40 [ 26.086733] kasan_save_alloc_info+0x40/0x58 [ 26.086873] __kasan_kmalloc+0xd4/0xd8 [ 26.087122] __kmalloc_cache_noprof+0x16c/0x3c0 [ 26.087412] ksize_uaf+0xb8/0x5f8 [ 26.087538] kunit_try_run_case+0x170/0x3f0 [ 26.088026] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.088194] kthread+0x328/0x630 [ 26.088280] ret_from_fork+0x10/0x20 [ 26.088378] [ 26.088429] Freed by task 196: [ 26.088504] kasan_save_stack+0x3c/0x68 [ 26.088608] kasan_save_track+0x20/0x40 [ 26.088783] kasan_save_free_info+0x4c/0x78 [ 26.088912] __kasan_slab_free+0x6c/0x98 [ 26.089006] kfree+0x214/0x3c8 [ 26.089521] ksize_uaf+0x11c/0x5f8 [ 26.089617] kunit_try_run_case+0x170/0x3f0 [ 26.089710] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.089816] kthread+0x328/0x630 [ 26.089917] ret_from_fork+0x10/0x20 [ 26.090001] [ 26.090045] The buggy address belongs to the object at fff00000c7747800 [ 26.090045] which belongs to the cache kmalloc-128 of size 128 [ 26.090181] The buggy address is located 0 bytes inside of [ 26.090181] freed 128-byte region [fff00000c7747800, fff00000c7747880) [ 26.090336] [ 26.090397] The buggy address belongs to the physical page: [ 26.090468] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107747 [ 26.090595] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 26.090714] page_type: f5(slab) [ 26.090805] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 26.090945] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 26.091041] page dumped because: kasan: bad access detected [ 26.091112] [ 26.091155] Memory state around the buggy address: [ 26.091230] fff00000c7747700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.091339] fff00000c7747780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.091449] >fff00000c7747800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.091551] ^ [ 26.091637] fff00000c7747880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.091751] fff00000c7747900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.095172] ================================================================== [ 26.115012] ================================================================== [ 26.115117] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 26.115221] Read of size 1 at addr fff00000c7747878 by task kunit_try_catch/196 [ 26.115339] [ 26.115403] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 26.115597] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.115661] Hardware name: linux,dummy-virt (DT) [ 26.115729] Call trace: [ 26.115792] show_stack+0x20/0x38 (C) [ 26.116039] dump_stack_lvl+0x8c/0xd0 [ 26.116942] print_report+0x118/0x608 [ 26.117164] kasan_report+0xdc/0x128 [ 26.117414] __asan_report_load1_noabort+0x20/0x30 [ 26.117599] ksize_uaf+0x544/0x5f8 [ 26.117722] kunit_try_run_case+0x170/0x3f0 [ 26.117861] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.117995] kthread+0x328/0x630 [ 26.118301] ret_from_fork+0x10/0x20 [ 26.118869] [ 26.118920] Allocated by task 196: [ 26.119026] kasan_save_stack+0x3c/0x68 [ 26.119187] kasan_save_track+0x20/0x40 [ 26.119437] kasan_save_alloc_info+0x40/0x58 [ 26.119616] __kasan_kmalloc+0xd4/0xd8 [ 26.119718] __kmalloc_cache_noprof+0x16c/0x3c0 [ 26.119892] ksize_uaf+0xb8/0x5f8 [ 26.120409] kunit_try_run_case+0x170/0x3f0 [ 26.121372] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.121494] kthread+0x328/0x630 [ 26.121592] ret_from_fork+0x10/0x20 [ 26.121691] [ 26.121738] Freed by task 196: [ 26.121802] kasan_save_stack+0x3c/0x68 [ 26.123069] kasan_save_track+0x20/0x40 [ 26.124279] kasan_save_free_info+0x4c/0x78 [ 26.125169] __kasan_slab_free+0x6c/0x98 [ 26.125739] kfree+0x214/0x3c8 [ 26.125852] ksize_uaf+0x11c/0x5f8 [ 26.125946] kunit_try_run_case+0x170/0x3f0 [ 26.127553] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.127820] kthread+0x328/0x630 [ 26.128509] ret_from_fork+0x10/0x20 [ 26.129514] [ 26.129993] The buggy address belongs to the object at fff00000c7747800 [ 26.129993] which belongs to the cache kmalloc-128 of size 128 [ 26.130142] The buggy address is located 120 bytes inside of [ 26.130142] freed 128-byte region [fff00000c7747800, fff00000c7747880) [ 26.131237] [ 26.131323] The buggy address belongs to the physical page: [ 26.131808] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107747 [ 26.131974] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 26.132093] page_type: f5(slab) [ 26.134129] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 26.134424] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 26.135674] page dumped because: kasan: bad access detected [ 26.135859] [ 26.135963] Memory state around the buggy address: [ 26.136128] fff00000c7747700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.136306] fff00000c7747780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.136457] >fff00000c7747800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.136677] ^ [ 26.136850] fff00000c7747880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.136978] fff00000c7747900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.137087] ================================================================== [ 26.096576] ================================================================== [ 26.096678] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 26.096775] Read of size 1 at addr fff00000c7747800 by task kunit_try_catch/196 [ 26.098937] [ 26.099107] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 26.099551] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.099647] Hardware name: linux,dummy-virt (DT) [ 26.099729] Call trace: [ 26.099982] show_stack+0x20/0x38 (C) [ 26.100121] dump_stack_lvl+0x8c/0xd0 [ 26.100758] print_report+0x118/0x608 [ 26.100939] kasan_report+0xdc/0x128 [ 26.101445] __asan_report_load1_noabort+0x20/0x30 [ 26.101580] ksize_uaf+0x598/0x5f8 [ 26.101972] kunit_try_run_case+0x170/0x3f0 [ 26.102858] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.103016] kthread+0x328/0x630 [ 26.103148] ret_from_fork+0x10/0x20 [ 26.103339] [ 26.103394] Allocated by task 196: [ 26.103481] kasan_save_stack+0x3c/0x68 [ 26.103585] kasan_save_track+0x20/0x40 [ 26.104426] kasan_save_alloc_info+0x40/0x58 [ 26.104554] __kasan_kmalloc+0xd4/0xd8 [ 26.105119] __kmalloc_cache_noprof+0x16c/0x3c0 [ 26.105237] ksize_uaf+0xb8/0x5f8 [ 26.105450] kunit_try_run_case+0x170/0x3f0 [ 26.105622] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.105753] kthread+0x328/0x630 [ 26.105889] ret_from_fork+0x10/0x20 [ 26.105986] [ 26.106043] Freed by task 196: [ 26.106240] kasan_save_stack+0x3c/0x68 [ 26.106342] kasan_save_track+0x20/0x40 [ 26.106690] kasan_save_free_info+0x4c/0x78 [ 26.107245] __kasan_slab_free+0x6c/0x98 [ 26.107356] kfree+0x214/0x3c8 [ 26.107603] ksize_uaf+0x11c/0x5f8 [ 26.107861] kunit_try_run_case+0x170/0x3f0 [ 26.107966] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.108072] kthread+0x328/0x630 [ 26.108155] ret_from_fork+0x10/0x20 [ 26.108258] [ 26.108389] The buggy address belongs to the object at fff00000c7747800 [ 26.108389] which belongs to the cache kmalloc-128 of size 128 [ 26.108775] The buggy address is located 0 bytes inside of [ 26.108775] freed 128-byte region [fff00000c7747800, fff00000c7747880) [ 26.109381] [ 26.109457] The buggy address belongs to the physical page: [ 26.109610] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107747 [ 26.109779] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 26.109923] page_type: f5(slab) [ 26.110058] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 26.110191] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 26.110298] page dumped because: kasan: bad access detected [ 26.110756] [ 26.110898] Memory state around the buggy address: [ 26.111091] fff00000c7747700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.111203] fff00000c7747780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.111312] >fff00000c7747800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.111408] ^ [ 26.111473] fff00000c7747880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.111604] fff00000c7747900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.111729] ==================================================================
[ 19.795061] ================================================================== [ 19.797160] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 19.797464] Read of size 1 at addr ffff8881039c8100 by task kunit_try_catch/214 [ 19.798341] [ 19.799080] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 19.799221] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.799262] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 19.799369] Call Trace: [ 19.799425] <TASK> [ 19.799645] dump_stack_lvl+0x73/0xb0 [ 19.800118] print_report+0xd1/0x650 [ 19.800297] ? __virt_addr_valid+0x1db/0x2d0 [ 19.800364] ? ksize_uaf+0x5fe/0x6c0 [ 19.800399] ? kasan_complete_mode_report_info+0x64/0x200 [ 19.800437] ? ksize_uaf+0x5fe/0x6c0 [ 19.800470] kasan_report+0x141/0x180 [ 19.800531] ? ksize_uaf+0x5fe/0x6c0 [ 19.800670] __asan_report_load1_noabort+0x18/0x20 [ 19.800728] ksize_uaf+0x5fe/0x6c0 [ 19.800763] ? __pfx_ksize_uaf+0x10/0x10 [ 19.800799] ? __schedule+0x10cc/0x2b60 [ 19.800835] ? __pfx_read_tsc+0x10/0x10 [ 19.800869] ? ktime_get_ts64+0x86/0x230 [ 19.800907] kunit_try_run_case+0x1a5/0x480 [ 19.800950] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.800989] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 19.801026] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 19.801064] ? __kthread_parkme+0x82/0x180 [ 19.801096] ? preempt_count_sub+0x50/0x80 [ 19.801131] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.801171] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.801210] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 19.801293] kthread+0x337/0x6f0 [ 19.801328] ? trace_preempt_on+0x20/0xc0 [ 19.801365] ? __pfx_kthread+0x10/0x10 [ 19.801397] ? _raw_spin_unlock_irq+0x47/0x80 [ 19.801432] ? calculate_sigpending+0x7b/0xa0 [ 19.801472] ? __pfx_kthread+0x10/0x10 [ 19.801529] ret_from_fork+0x116/0x1d0 [ 19.801599] ? __pfx_kthread+0x10/0x10 [ 19.801693] ret_from_fork_asm+0x1a/0x30 [ 19.801743] </TASK> [ 19.801759] [ 19.822173] Allocated by task 214: [ 19.822669] kasan_save_stack+0x45/0x70 [ 19.823385] kasan_save_track+0x18/0x40 [ 19.824339] kasan_save_alloc_info+0x3b/0x50 [ 19.825009] __kasan_kmalloc+0xb7/0xc0 [ 19.825493] __kmalloc_cache_noprof+0x189/0x420 [ 19.826256] ksize_uaf+0xaa/0x6c0 [ 19.826884] kunit_try_run_case+0x1a5/0x480 [ 19.827351] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.828525] kthread+0x337/0x6f0 [ 19.829216] ret_from_fork+0x116/0x1d0 [ 19.829911] ret_from_fork_asm+0x1a/0x30 [ 19.830567] [ 19.830984] Freed by task 214: [ 19.831375] kasan_save_stack+0x45/0x70 [ 19.832076] kasan_save_track+0x18/0x40 [ 19.832579] kasan_save_free_info+0x3f/0x60 [ 19.833667] __kasan_slab_free+0x56/0x70 [ 19.834243] kfree+0x222/0x3f0 [ 19.834881] ksize_uaf+0x12c/0x6c0 [ 19.835262] kunit_try_run_case+0x1a5/0x480 [ 19.836024] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.836731] kthread+0x337/0x6f0 [ 19.837488] ret_from_fork+0x116/0x1d0 [ 19.838388] ret_from_fork_asm+0x1a/0x30 [ 19.839201] [ 19.839668] The buggy address belongs to the object at ffff8881039c8100 [ 19.839668] which belongs to the cache kmalloc-128 of size 128 [ 19.840800] The buggy address is located 0 bytes inside of [ 19.840800] freed 128-byte region [ffff8881039c8100, ffff8881039c8180) [ 19.841198] [ 19.841291] The buggy address belongs to the physical page: [ 19.841489] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039c8 [ 19.843059] flags: 0x200000000000000(node=0|zone=2) [ 19.844354] page_type: f5(slab) [ 19.845426] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 19.846200] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.847531] page dumped because: kasan: bad access detected [ 19.848164] [ 19.848398] Memory state around the buggy address: [ 19.848945] ffff8881039c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.849657] ffff8881039c8080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.850190] >ffff8881039c8100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.851483] ^ [ 19.851979] ffff8881039c8180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.853339] ffff8881039c8200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.854048] ================================================================== [ 19.723474] ================================================================== [ 19.724345] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 19.725934] Read of size 1 at addr ffff8881039c8100 by task kunit_try_catch/214 [ 19.726946] [ 19.727442] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 19.727798] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.727832] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 19.727886] Call Trace: [ 19.727926] <TASK> [ 19.727972] dump_stack_lvl+0x73/0xb0 [ 19.728072] print_report+0xd1/0x650 [ 19.728143] ? __virt_addr_valid+0x1db/0x2d0 [ 19.728185] ? ksize_uaf+0x19d/0x6c0 [ 19.728216] ? kasan_complete_mode_report_info+0x64/0x200 [ 19.728285] ? ksize_uaf+0x19d/0x6c0 [ 19.728320] kasan_report+0x141/0x180 [ 19.728350] ? ksize_uaf+0x19d/0x6c0 [ 19.728383] ? ksize_uaf+0x19d/0x6c0 [ 19.728411] __kasan_check_byte+0x3d/0x50 [ 19.728441] ksize+0x20/0x60 [ 19.728469] ksize_uaf+0x19d/0x6c0 [ 19.728520] ? __pfx_ksize_uaf+0x10/0x10 [ 19.728618] ? __schedule+0x10cc/0x2b60 [ 19.728698] ? __pfx_read_tsc+0x10/0x10 [ 19.728733] ? ktime_get_ts64+0x86/0x230 [ 19.728768] kunit_try_run_case+0x1a5/0x480 [ 19.728807] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.728841] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 19.728874] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 19.728906] ? __kthread_parkme+0x82/0x180 [ 19.728934] ? preempt_count_sub+0x50/0x80 [ 19.728965] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.729000] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.729032] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 19.729065] kthread+0x337/0x6f0 [ 19.729092] ? trace_preempt_on+0x20/0xc0 [ 19.729124] ? __pfx_kthread+0x10/0x10 [ 19.729152] ? _raw_spin_unlock_irq+0x47/0x80 [ 19.729181] ? calculate_sigpending+0x7b/0xa0 [ 19.729215] ? __pfx_kthread+0x10/0x10 [ 19.729261] ret_from_fork+0x116/0x1d0 [ 19.729300] ? __pfx_kthread+0x10/0x10 [ 19.729329] ret_from_fork_asm+0x1a/0x30 [ 19.729372] </TASK> [ 19.729387] [ 19.752047] Allocated by task 214: [ 19.752892] kasan_save_stack+0x45/0x70 [ 19.753494] kasan_save_track+0x18/0x40 [ 19.754750] kasan_save_alloc_info+0x3b/0x50 [ 19.755287] __kasan_kmalloc+0xb7/0xc0 [ 19.755962] __kmalloc_cache_noprof+0x189/0x420 [ 19.756803] ksize_uaf+0xaa/0x6c0 [ 19.757212] kunit_try_run_case+0x1a5/0x480 [ 19.758132] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.759028] kthread+0x337/0x6f0 [ 19.759459] ret_from_fork+0x116/0x1d0 [ 19.759908] ret_from_fork_asm+0x1a/0x30 [ 19.760442] [ 19.761231] Freed by task 214: [ 19.761785] kasan_save_stack+0x45/0x70 [ 19.762620] kasan_save_track+0x18/0x40 [ 19.763205] kasan_save_free_info+0x3f/0x60 [ 19.763955] __kasan_slab_free+0x56/0x70 [ 19.764472] kfree+0x222/0x3f0 [ 19.765145] ksize_uaf+0x12c/0x6c0 [ 19.765550] kunit_try_run_case+0x1a5/0x480 [ 19.766659] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.767206] kthread+0x337/0x6f0 [ 19.767878] ret_from_fork+0x116/0x1d0 [ 19.768279] ret_from_fork_asm+0x1a/0x30 [ 19.769030] [ 19.769663] The buggy address belongs to the object at ffff8881039c8100 [ 19.769663] which belongs to the cache kmalloc-128 of size 128 [ 19.771198] The buggy address is located 0 bytes inside of [ 19.771198] freed 128-byte region [ffff8881039c8100, ffff8881039c8180) [ 19.772070] [ 19.772316] The buggy address belongs to the physical page: [ 19.773000] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039c8 [ 19.774313] flags: 0x200000000000000(node=0|zone=2) [ 19.774664] page_type: f5(slab) [ 19.774923] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 19.777701] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.778130] page dumped because: kasan: bad access detected [ 19.778514] [ 19.779457] Memory state around the buggy address: [ 19.783049] ffff8881039c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.785679] ffff8881039c8080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.788614] >ffff8881039c8100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.790569] ^ [ 19.791377] ffff8881039c8180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.792144] ffff8881039c8200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.793209] ================================================================== [ 19.855977] ================================================================== [ 19.857843] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 19.858401] Read of size 1 at addr ffff8881039c8178 by task kunit_try_catch/214 [ 19.860063] [ 19.860327] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 19.860457] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.860495] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 19.860579] Call Trace: [ 19.860621] <TASK> [ 19.860667] dump_stack_lvl+0x73/0xb0 [ 19.860781] print_report+0xd1/0x650 [ 19.860865] ? __virt_addr_valid+0x1db/0x2d0 [ 19.860942] ? ksize_uaf+0x5e4/0x6c0 [ 19.861015] ? kasan_complete_mode_report_info+0x64/0x200 [ 19.861087] ? ksize_uaf+0x5e4/0x6c0 [ 19.861159] kasan_report+0x141/0x180 [ 19.861201] ? ksize_uaf+0x5e4/0x6c0 [ 19.861242] __asan_report_load1_noabort+0x18/0x20 [ 19.861307] ksize_uaf+0x5e4/0x6c0 [ 19.861340] ? __pfx_ksize_uaf+0x10/0x10 [ 19.861372] ? __schedule+0x10cc/0x2b60 [ 19.861406] ? __pfx_read_tsc+0x10/0x10 [ 19.861437] ? ktime_get_ts64+0x86/0x230 [ 19.861469] kunit_try_run_case+0x1a5/0x480 [ 19.861540] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.861613] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 19.861694] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 19.861756] ? __kthread_parkme+0x82/0x180 [ 19.861789] ? preempt_count_sub+0x50/0x80 [ 19.861821] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.861857] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.861892] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 19.861926] kthread+0x337/0x6f0 [ 19.861952] ? trace_preempt_on+0x20/0xc0 [ 19.861985] ? __pfx_kthread+0x10/0x10 [ 19.862012] ? _raw_spin_unlock_irq+0x47/0x80 [ 19.862044] ? calculate_sigpending+0x7b/0xa0 [ 19.862078] ? __pfx_kthread+0x10/0x10 [ 19.862107] ret_from_fork+0x116/0x1d0 [ 19.862132] ? __pfx_kthread+0x10/0x10 [ 19.862162] ret_from_fork_asm+0x1a/0x30 [ 19.862203] </TASK> [ 19.862216] [ 19.878908] Allocated by task 214: [ 19.879327] kasan_save_stack+0x45/0x70 [ 19.880414] kasan_save_track+0x18/0x40 [ 19.880892] kasan_save_alloc_info+0x3b/0x50 [ 19.881529] __kasan_kmalloc+0xb7/0xc0 [ 19.881862] __kmalloc_cache_noprof+0x189/0x420 [ 19.882566] ksize_uaf+0xaa/0x6c0 [ 19.883047] kunit_try_run_case+0x1a5/0x480 [ 19.884285] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.884863] kthread+0x337/0x6f0 [ 19.885185] ret_from_fork+0x116/0x1d0 [ 19.885645] ret_from_fork_asm+0x1a/0x30 [ 19.886040] [ 19.886257] Freed by task 214: [ 19.888350] kasan_save_stack+0x45/0x70 [ 19.889442] kasan_save_track+0x18/0x40 [ 19.889875] kasan_save_free_info+0x3f/0x60 [ 19.890289] __kasan_slab_free+0x56/0x70 [ 19.890743] kfree+0x222/0x3f0 [ 19.891146] ksize_uaf+0x12c/0x6c0 [ 19.891596] kunit_try_run_case+0x1a5/0x480 [ 19.892031] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.892434] kthread+0x337/0x6f0 [ 19.893950] ret_from_fork+0x116/0x1d0 [ 19.894336] ret_from_fork_asm+0x1a/0x30 [ 19.894921] [ 19.895169] The buggy address belongs to the object at ffff8881039c8100 [ 19.895169] which belongs to the cache kmalloc-128 of size 128 [ 19.896200] The buggy address is located 120 bytes inside of [ 19.896200] freed 128-byte region [ffff8881039c8100, ffff8881039c8180) [ 19.897267] [ 19.897534] The buggy address belongs to the physical page: [ 19.898178] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039c8 [ 19.899731] flags: 0x200000000000000(node=0|zone=2) [ 19.900316] page_type: f5(slab) [ 19.900698] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 19.901224] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.902107] page dumped because: kasan: bad access detected [ 19.902603] [ 19.903533] Memory state around the buggy address: [ 19.904133] ffff8881039c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.904903] ffff8881039c8080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.905876] >ffff8881039c8100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.906395] ^ [ 19.906985] ffff8881039c8180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.907555] ffff8881039c8200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.908899] ==================================================================
[ 18.802680] ================================================================== [ 18.803323] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 18.804175] Read of size 1 at addr ffff8881032f7978 by task kunit_try_catch/214 [ 18.804962] [ 18.805336] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 18.805447] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.805487] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 18.805541] Call Trace: [ 18.805632] <TASK> [ 18.805677] dump_stack_lvl+0x73/0xb0 [ 18.805856] print_report+0xd1/0x650 [ 18.805962] ? __virt_addr_valid+0x1db/0x2d0 [ 18.806037] ? ksize_uaf+0x5e4/0x6c0 [ 18.806126] ? kasan_complete_mode_report_info+0x64/0x200 [ 18.806180] ? ksize_uaf+0x5e4/0x6c0 [ 18.806214] kasan_report+0x141/0x180 [ 18.806246] ? ksize_uaf+0x5e4/0x6c0 [ 18.806292] __asan_report_load1_noabort+0x18/0x20 [ 18.806329] ksize_uaf+0x5e4/0x6c0 [ 18.806358] ? __pfx_ksize_uaf+0x10/0x10 [ 18.806388] ? __schedule+0x10cc/0x2b60 [ 18.806418] ? __pfx_read_tsc+0x10/0x10 [ 18.806446] ? ktime_get_ts64+0x86/0x230 [ 18.806477] kunit_try_run_case+0x1a5/0x480 [ 18.806510] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.806543] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 18.806575] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 18.806607] ? __kthread_parkme+0x82/0x180 [ 18.806635] ? preempt_count_sub+0x50/0x80 [ 18.806664] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.806698] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.806730] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 18.806763] kthread+0x337/0x6f0 [ 18.806789] ? trace_preempt_on+0x20/0xc0 [ 18.806819] ? __pfx_kthread+0x10/0x10 [ 18.806846] ? _raw_spin_unlock_irq+0x47/0x80 [ 18.806893] ? calculate_sigpending+0x7b/0xa0 [ 18.806937] ? __pfx_kthread+0x10/0x10 [ 18.806967] ret_from_fork+0x116/0x1d0 [ 18.806993] ? __pfx_kthread+0x10/0x10 [ 18.807021] ret_from_fork_asm+0x1a/0x30 [ 18.807060] </TASK> [ 18.807073] [ 18.825029] Allocated by task 214: [ 18.825859] kasan_save_stack+0x45/0x70 [ 18.826402] kasan_save_track+0x18/0x40 [ 18.826961] kasan_save_alloc_info+0x3b/0x50 [ 18.827695] __kasan_kmalloc+0xb7/0xc0 [ 18.828117] __kmalloc_cache_noprof+0x189/0x420 [ 18.828894] ksize_uaf+0xaa/0x6c0 [ 18.829366] kunit_try_run_case+0x1a5/0x480 [ 18.829780] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.830315] kthread+0x337/0x6f0 [ 18.830634] ret_from_fork+0x116/0x1d0 [ 18.831183] ret_from_fork_asm+0x1a/0x30 [ 18.831769] [ 18.832027] Freed by task 214: [ 18.832437] kasan_save_stack+0x45/0x70 [ 18.832803] kasan_save_track+0x18/0x40 [ 18.833383] kasan_save_free_info+0x3f/0x60 [ 18.833830] __kasan_slab_free+0x56/0x70 [ 18.834551] kfree+0x222/0x3f0 [ 18.834937] ksize_uaf+0x12c/0x6c0 [ 18.835713] kunit_try_run_case+0x1a5/0x480 [ 18.836203] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.836807] kthread+0x337/0x6f0 [ 18.837431] ret_from_fork+0x116/0x1d0 [ 18.837794] ret_from_fork_asm+0x1a/0x30 [ 18.838492] [ 18.838713] The buggy address belongs to the object at ffff8881032f7900 [ 18.838713] which belongs to the cache kmalloc-128 of size 128 [ 18.839868] The buggy address is located 120 bytes inside of [ 18.839868] freed 128-byte region [ffff8881032f7900, ffff8881032f7980) [ 18.840968] [ 18.841406] The buggy address belongs to the physical page: [ 18.841839] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1032f7 [ 18.842773] flags: 0x200000000000000(node=0|zone=2) [ 18.843321] page_type: f5(slab) [ 18.843488] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 18.843748] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.844596] page dumped because: kasan: bad access detected [ 18.844970] [ 18.845367] Memory state around the buggy address: [ 18.845798] ffff8881032f7800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.846605] ffff8881032f7880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.847233] >ffff8881032f7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.847821] ^ [ 18.848355] ffff8881032f7980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.849037] ffff8881032f7a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.849625] ================================================================== [ 18.756031] ================================================================== [ 18.756469] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 18.758307] Read of size 1 at addr ffff8881032f7900 by task kunit_try_catch/214 [ 18.758842] [ 18.759146] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 18.759306] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.759339] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 18.759369] Call Trace: [ 18.759400] <TASK> [ 18.759439] dump_stack_lvl+0x73/0xb0 [ 18.759488] print_report+0xd1/0x650 [ 18.759520] ? __virt_addr_valid+0x1db/0x2d0 [ 18.759553] ? ksize_uaf+0x5fe/0x6c0 [ 18.759581] ? kasan_complete_mode_report_info+0x64/0x200 [ 18.759611] ? ksize_uaf+0x5fe/0x6c0 [ 18.759639] kasan_report+0x141/0x180 [ 18.759669] ? ksize_uaf+0x5fe/0x6c0 [ 18.759703] __asan_report_load1_noabort+0x18/0x20 [ 18.759737] ksize_uaf+0x5fe/0x6c0 [ 18.759764] ? __pfx_ksize_uaf+0x10/0x10 [ 18.759794] ? __schedule+0x10cc/0x2b60 [ 18.759825] ? __pfx_read_tsc+0x10/0x10 [ 18.759853] ? ktime_get_ts64+0x86/0x230 [ 18.759906] kunit_try_run_case+0x1a5/0x480 [ 18.759945] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.759978] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 18.760011] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 18.760044] ? __kthread_parkme+0x82/0x180 [ 18.760070] ? preempt_count_sub+0x50/0x80 [ 18.760107] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.760186] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.760262] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 18.760340] kthread+0x337/0x6f0 [ 18.760408] ? trace_preempt_on+0x20/0xc0 [ 18.760472] ? __pfx_kthread+0x10/0x10 [ 18.760503] ? _raw_spin_unlock_irq+0x47/0x80 [ 18.760534] ? calculate_sigpending+0x7b/0xa0 [ 18.760569] ? __pfx_kthread+0x10/0x10 [ 18.760598] ret_from_fork+0x116/0x1d0 [ 18.760622] ? __pfx_kthread+0x10/0x10 [ 18.760650] ret_from_fork_asm+0x1a/0x30 [ 18.760691] </TASK> [ 18.760705] [ 18.777225] Allocated by task 214: [ 18.777931] kasan_save_stack+0x45/0x70 [ 18.778469] kasan_save_track+0x18/0x40 [ 18.778641] kasan_save_alloc_info+0x3b/0x50 [ 18.778818] __kasan_kmalloc+0xb7/0xc0 [ 18.779091] __kmalloc_cache_noprof+0x189/0x420 [ 18.779801] ksize_uaf+0xaa/0x6c0 [ 18.780256] kunit_try_run_case+0x1a5/0x480 [ 18.780661] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.781263] kthread+0x337/0x6f0 [ 18.781558] ret_from_fork+0x116/0x1d0 [ 18.781961] ret_from_fork_asm+0x1a/0x30 [ 18.782385] [ 18.782615] Freed by task 214: [ 18.783137] kasan_save_stack+0x45/0x70 [ 18.783569] kasan_save_track+0x18/0x40 [ 18.784089] kasan_save_free_info+0x3f/0x60 [ 18.784489] __kasan_slab_free+0x56/0x70 [ 18.784845] kfree+0x222/0x3f0 [ 18.785434] ksize_uaf+0x12c/0x6c0 [ 18.785918] kunit_try_run_case+0x1a5/0x480 [ 18.786515] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.787071] kthread+0x337/0x6f0 [ 18.787500] ret_from_fork+0x116/0x1d0 [ 18.788013] ret_from_fork_asm+0x1a/0x30 [ 18.788493] [ 18.788787] The buggy address belongs to the object at ffff8881032f7900 [ 18.788787] which belongs to the cache kmalloc-128 of size 128 [ 18.789858] The buggy address is located 0 bytes inside of [ 18.789858] freed 128-byte region [ffff8881032f7900, ffff8881032f7980) [ 18.790998] [ 18.791271] The buggy address belongs to the physical page: [ 18.791983] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1032f7 [ 18.792734] flags: 0x200000000000000(node=0|zone=2) [ 18.793334] page_type: f5(slab) [ 18.793690] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 18.794441] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.795253] page dumped because: kasan: bad access detected [ 18.795817] [ 18.796143] Memory state around the buggy address: [ 18.796562] ffff8881032f7800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.797329] ffff8881032f7880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.798031] >ffff8881032f7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.798756] ^ [ 18.799055] ffff8881032f7980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.799820] ffff8881032f7a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.800507] ================================================================== [ 18.708473] ================================================================== [ 18.709631] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 18.710500] Read of size 1 at addr ffff8881032f7900 by task kunit_try_catch/214 [ 18.711079] [ 18.711336] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 18.711459] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.711496] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 18.711555] Call Trace: [ 18.711591] <TASK> [ 18.711634] dump_stack_lvl+0x73/0xb0 [ 18.711722] print_report+0xd1/0x650 [ 18.711781] ? __virt_addr_valid+0x1db/0x2d0 [ 18.711816] ? ksize_uaf+0x19d/0x6c0 [ 18.711845] ? kasan_complete_mode_report_info+0x64/0x200 [ 18.711937] ? ksize_uaf+0x19d/0x6c0 [ 18.712040] kasan_report+0x141/0x180 [ 18.712182] ? ksize_uaf+0x19d/0x6c0 [ 18.712265] ? ksize_uaf+0x19d/0x6c0 [ 18.712339] __kasan_check_byte+0x3d/0x50 [ 18.712437] ksize+0x20/0x60 [ 18.712537] ksize_uaf+0x19d/0x6c0 [ 18.712611] ? __pfx_ksize_uaf+0x10/0x10 [ 18.712648] ? __schedule+0x10cc/0x2b60 [ 18.712683] ? __pfx_read_tsc+0x10/0x10 [ 18.712713] ? ktime_get_ts64+0x86/0x230 [ 18.712747] kunit_try_run_case+0x1a5/0x480 [ 18.712783] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.712816] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 18.712848] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 18.712903] ? __kthread_parkme+0x82/0x180 [ 18.712935] ? preempt_count_sub+0x50/0x80 [ 18.712968] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.713002] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.713035] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 18.713068] kthread+0x337/0x6f0 [ 18.713094] ? trace_preempt_on+0x20/0xc0 [ 18.713177] ? __pfx_kthread+0x10/0x10 [ 18.713209] ? _raw_spin_unlock_irq+0x47/0x80 [ 18.713239] ? calculate_sigpending+0x7b/0xa0 [ 18.713274] ? __pfx_kthread+0x10/0x10 [ 18.713302] ret_from_fork+0x116/0x1d0 [ 18.713328] ? __pfx_kthread+0x10/0x10 [ 18.713357] ret_from_fork_asm+0x1a/0x30 [ 18.713396] </TASK> [ 18.713410] [ 18.728534] Allocated by task 214: [ 18.728815] kasan_save_stack+0x45/0x70 [ 18.729308] kasan_save_track+0x18/0x40 [ 18.729741] kasan_save_alloc_info+0x3b/0x50 [ 18.730546] __kasan_kmalloc+0xb7/0xc0 [ 18.730860] __kmalloc_cache_noprof+0x189/0x420 [ 18.731453] ksize_uaf+0xaa/0x6c0 [ 18.731896] kunit_try_run_case+0x1a5/0x480 [ 18.732455] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.732993] kthread+0x337/0x6f0 [ 18.733395] ret_from_fork+0x116/0x1d0 [ 18.733861] ret_from_fork_asm+0x1a/0x30 [ 18.734393] [ 18.734595] Freed by task 214: [ 18.734924] kasan_save_stack+0x45/0x70 [ 18.735398] kasan_save_track+0x18/0x40 [ 18.735858] kasan_save_free_info+0x3f/0x60 [ 18.736222] __kasan_slab_free+0x56/0x70 [ 18.736544] kfree+0x222/0x3f0 [ 18.736831] ksize_uaf+0x12c/0x6c0 [ 18.737310] kunit_try_run_case+0x1a5/0x480 [ 18.737759] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.738453] kthread+0x337/0x6f0 [ 18.738841] ret_from_fork+0x116/0x1d0 [ 18.739333] ret_from_fork_asm+0x1a/0x30 [ 18.739796] [ 18.740045] The buggy address belongs to the object at ffff8881032f7900 [ 18.740045] which belongs to the cache kmalloc-128 of size 128 [ 18.742246] The buggy address is located 0 bytes inside of [ 18.742246] freed 128-byte region [ffff8881032f7900, ffff8881032f7980) [ 18.743074] [ 18.744649] The buggy address belongs to the physical page: [ 18.745213] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1032f7 [ 18.746011] flags: 0x200000000000000(node=0|zone=2) [ 18.746677] page_type: f5(slab) [ 18.747083] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 18.747945] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.748711] page dumped because: kasan: bad access detected [ 18.749444] [ 18.749626] Memory state around the buggy address: [ 18.750005] ffff8881032f7800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.751229] ffff8881032f7880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.751985] >ffff8881032f7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.752715] ^ [ 18.753401] ffff8881032f7980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.753981] ffff8881032f7a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.754789] ==================================================================
[ 20.972050] ================================================================== [ 20.972724] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 20.973331] Read of size 1 at addr ffff00000cea4300 by task kunit_try_catch/249 [ 20.973998] [ 20.974155] CPU: 3 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 20.974192] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.974202] Hardware name: Radxa ROCK Pi 4B (DT) [ 20.974215] Call trace: [ 20.974224] show_stack+0x20/0x38 (C) [ 20.974249] dump_stack_lvl+0x8c/0xd0 [ 20.974275] print_report+0x118/0x608 [ 20.974299] kasan_report+0xdc/0x128 [ 20.974322] __asan_report_load1_noabort+0x20/0x30 [ 20.974348] ksize_uaf+0x598/0x5f8 [ 20.974369] kunit_try_run_case+0x170/0x3f0 [ 20.974393] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.974420] kthread+0x328/0x630 [ 20.974439] ret_from_fork+0x10/0x20 [ 20.974463] [ 20.979931] Allocated by task 249: [ 20.980250] kasan_save_stack+0x3c/0x68 [ 20.980616] kasan_save_track+0x20/0x40 [ 20.980980] kasan_save_alloc_info+0x40/0x58 [ 20.981384] __kasan_kmalloc+0xd4/0xd8 [ 20.981739] __kmalloc_cache_noprof+0x16c/0x3c0 [ 20.982164] ksize_uaf+0xb8/0x5f8 [ 20.982481] kunit_try_run_case+0x170/0x3f0 [ 20.982875] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.983384] kthread+0x328/0x630 [ 20.983691] ret_from_fork+0x10/0x20 [ 20.984029] [ 20.984176] Freed by task 249: [ 20.984463] kasan_save_stack+0x3c/0x68 [ 20.984827] kasan_save_track+0x20/0x40 [ 20.985190] kasan_save_free_info+0x4c/0x78 [ 20.985585] __kasan_slab_free+0x6c/0x98 [ 20.985956] kfree+0x214/0x3c8 [ 20.986248] ksize_uaf+0x11c/0x5f8 [ 20.986572] kunit_try_run_case+0x170/0x3f0 [ 20.986965] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.987474] kthread+0x328/0x630 [ 20.987781] ret_from_fork+0x10/0x20 [ 20.988119] [ 20.988267] The buggy address belongs to the object at ffff00000cea4300 [ 20.988267] which belongs to the cache kmalloc-128 of size 128 [ 20.989385] The buggy address is located 0 bytes inside of [ 20.989385] freed 128-byte region [ffff00000cea4300, ffff00000cea4380) [ 20.990468] [ 20.990616] The buggy address belongs to the physical page: [ 20.991122] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xcea4 [ 20.991834] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff) [ 20.992433] page_type: f5(slab) [ 20.992736] raw: 03fffe0000000000 ffff000000402a00 dead000000000122 0000000000000000 [ 20.993439] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 20.994136] page dumped because: kasan: bad access detected [ 20.994641] [ 20.994788] Memory state around the buggy address: [ 20.995227] ffff00000cea4200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.995882] ffff00000cea4280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.996537] >ffff00000cea4300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.997188] ^ [ 20.997490] ffff00000cea4380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.998144] ffff00000cea4400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.998797] ================================================================== [ 20.999875] ================================================================== [ 21.000547] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 21.001140] Read of size 1 at addr ffff00000cea4378 by task kunit_try_catch/249 [ 21.001805] [ 21.001959] CPU: 4 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 21.001995] Tainted: [B]=BAD_PAGE, [N]=TEST [ 21.002005] Hardware name: Radxa ROCK Pi 4B (DT) [ 21.002017] Call trace: [ 21.002025] show_stack+0x20/0x38 (C) [ 21.002050] dump_stack_lvl+0x8c/0xd0 [ 21.002074] print_report+0x118/0x608 [ 21.002096] kasan_report+0xdc/0x128 [ 21.002117] __asan_report_load1_noabort+0x20/0x30 [ 21.002141] ksize_uaf+0x544/0x5f8 [ 21.002159] kunit_try_run_case+0x170/0x3f0 [ 21.002183] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.002207] kthread+0x328/0x630 [ 21.002224] ret_from_fork+0x10/0x20 [ 21.002245] [ 21.007704] Allocated by task 249: [ 21.008021] kasan_save_stack+0x3c/0x68 [ 21.008385] kasan_save_track+0x20/0x40 [ 21.008745] kasan_save_alloc_info+0x40/0x58 [ 21.009146] __kasan_kmalloc+0xd4/0xd8 [ 21.009499] __kmalloc_cache_noprof+0x16c/0x3c0 [ 21.009920] ksize_uaf+0xb8/0x5f8 [ 21.010233] kunit_try_run_case+0x170/0x3f0 [ 21.010624] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.011132] kthread+0x328/0x630 [ 21.011435] ret_from_fork+0x10/0x20 [ 21.011771] [ 21.011918] Freed by task 249: [ 21.012202] kasan_save_stack+0x3c/0x68 [ 21.012562] kasan_save_track+0x20/0x40 [ 21.012923] kasan_save_free_info+0x4c/0x78 [ 21.013316] __kasan_slab_free+0x6c/0x98 [ 21.013684] kfree+0x214/0x3c8 [ 21.013973] ksize_uaf+0x11c/0x5f8 [ 21.014295] kunit_try_run_case+0x170/0x3f0 [ 21.014685] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.015192] kthread+0x328/0x630 [ 21.015495] ret_from_fork+0x10/0x20 [ 21.015832] [ 21.015977] The buggy address belongs to the object at ffff00000cea4300 [ 21.015977] which belongs to the cache kmalloc-128 of size 128 [ 21.017094] The buggy address is located 120 bytes inside of [ 21.017094] freed 128-byte region [ffff00000cea4300, ffff00000cea4380) [ 21.018190] [ 21.018336] The buggy address belongs to the physical page: [ 21.018840] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xcea4 [ 21.019551] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff) [ 21.020147] page_type: f5(slab) [ 21.020447] raw: 03fffe0000000000 ffff000000402a00 dead000000000122 0000000000000000 [ 21.021148] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 21.021844] page dumped because: kasan: bad access detected [ 21.022347] [ 21.022491] Memory state around the buggy address: [ 21.022929] ffff00000cea4200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.023581] ffff00000cea4280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.024232] >ffff00000cea4300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.024880] ^ [ 21.025524] ffff00000cea4380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.026174] ffff00000cea4400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.026824] ================================================================== [ 20.943134] ================================================================== [ 20.944225] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 20.944835] Read of size 1 at addr ffff00000cea4300 by task kunit_try_catch/249 [ 20.945517] [ 20.945683] CPU: 3 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 20.945733] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.945748] Hardware name: Radxa ROCK Pi 4B (DT) [ 20.945765] Call trace: [ 20.945776] show_stack+0x20/0x38 (C) [ 20.945813] dump_stack_lvl+0x8c/0xd0 [ 20.945849] print_report+0x118/0x608 [ 20.945883] kasan_report+0xdc/0x128 [ 20.945915] __kasan_check_byte+0x54/0x70 [ 20.945948] ksize+0x30/0x88 [ 20.945976] ksize_uaf+0x168/0x5f8 [ 20.946004] kunit_try_run_case+0x170/0x3f0 [ 20.946039] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.946077] kthread+0x328/0x630 [ 20.946104] ret_from_fork+0x10/0x20 [ 20.946136] [ 20.951838] Allocated by task 249: [ 20.952163] kasan_save_stack+0x3c/0x68 [ 20.952542] kasan_save_track+0x20/0x40 [ 20.952917] kasan_save_alloc_info+0x40/0x58 [ 20.953334] __kasan_kmalloc+0xd4/0xd8 [ 20.953701] __kmalloc_cache_noprof+0x16c/0x3c0 [ 20.954138] ksize_uaf+0xb8/0x5f8 [ 20.954465] kunit_try_run_case+0x170/0x3f0 [ 20.954872] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.955395] kthread+0x328/0x630 [ 20.955710] ret_from_fork+0x10/0x20 [ 20.956061] [ 20.956214] Freed by task 249: [ 20.956507] kasan_save_stack+0x3c/0x68 [ 20.956883] kasan_save_track+0x20/0x40 [ 20.957258] kasan_save_free_info+0x4c/0x78 [ 20.957667] __kasan_slab_free+0x6c/0x98 [ 20.958049] kfree+0x214/0x3c8 [ 20.958352] ksize_uaf+0x11c/0x5f8 [ 20.958686] kunit_try_run_case+0x170/0x3f0 [ 20.959091] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.959615] kthread+0x328/0x630 [ 20.959931] ret_from_fork+0x10/0x20 [ 20.960280] [ 20.960433] The buggy address belongs to the object at ffff00000cea4300 [ 20.960433] which belongs to the cache kmalloc-128 of size 128 [ 20.961565] The buggy address is located 0 bytes inside of [ 20.961565] freed 128-byte region [ffff00000cea4300, ffff00000cea4380) [ 20.962662] [ 20.962816] The buggy address belongs to the physical page: [ 20.963331] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xcea4 [ 20.964054] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff) [ 20.964666] page_type: f5(slab) [ 20.964979] raw: 03fffe0000000000 ffff000000402a00 dead000000000122 0000000000000000 [ 20.965694] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 20.966402] page dumped because: kasan: bad access detected [ 20.966916] [ 20.967068] Memory state around the buggy address: [ 20.967516] ffff00000cea4200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.968181] ffff00000cea4280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.968846] >ffff00000cea4300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.969507] ^ [ 20.969818] ffff00000cea4380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.970483] ffff00000cea4400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.971145] ==================================================================