Hay
Date
July 3, 2025, 11:10 p.m.

Environment
qemu-arm64
qemu-x86_64

[   20.025107] ==================================================================
[   20.025234] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   20.025349] Read of size 1 at addr fff00000c6345f78 by task kunit_try_catch/196
[   20.025465] 
[   20.025534] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   20.025720] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.025780] Hardware name: linux,dummy-virt (DT)
[   20.025847] Call trace:
[   20.026132]  show_stack+0x20/0x38 (C)
[   20.026509]  dump_stack_lvl+0x8c/0xd0
[   20.026633]  print_report+0x118/0x608
[   20.026749]  kasan_report+0xdc/0x128
[   20.026841]  __asan_report_load1_noabort+0x20/0x30
[   20.026985]  ksize_uaf+0x544/0x5f8
[   20.027094]  kunit_try_run_case+0x170/0x3f0
[   20.027341]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.027523]  kthread+0x328/0x630
[   20.027628]  ret_from_fork+0x10/0x20
[   20.027765] 
[   20.027804] Allocated by task 196:
[   20.027905]  kasan_save_stack+0x3c/0x68
[   20.028003]  kasan_save_track+0x20/0x40
[   20.028105]  kasan_save_alloc_info+0x40/0x58
[   20.028198]  __kasan_kmalloc+0xd4/0xd8
[   20.028282]  __kmalloc_cache_noprof+0x16c/0x3c0
[   20.028388]  ksize_uaf+0xb8/0x5f8
[   20.028464]  kunit_try_run_case+0x170/0x3f0
[   20.028620]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.028772]  kthread+0x328/0x630
[   20.028873]  ret_from_fork+0x10/0x20
[   20.028971] 
[   20.029424] Freed by task 196:
[   20.029504]  kasan_save_stack+0x3c/0x68
[   20.029588]  kasan_save_track+0x20/0x40
[   20.029671]  kasan_save_free_info+0x4c/0x78
[   20.029752]  __kasan_slab_free+0x6c/0x98
[   20.030138]  kfree+0x214/0x3c8
[   20.030208]  ksize_uaf+0x11c/0x5f8
[   20.030279]  kunit_try_run_case+0x170/0x3f0
[   20.030350]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.030437]  kthread+0x328/0x630
[   20.030504]  ret_from_fork+0x10/0x20
[   20.030583] 
[   20.030635] The buggy address belongs to the object at fff00000c6345f00
[   20.030635]  which belongs to the cache kmalloc-128 of size 128
[   20.030925] The buggy address is located 120 bytes inside of
[   20.030925]  freed 128-byte region [fff00000c6345f00, fff00000c6345f80)
[   20.031233] 
[   20.031282] The buggy address belongs to the physical page:
[   20.031352] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106345
[   20.031468] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   20.031585] page_type: f5(slab)
[   20.031665] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   20.032085] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   20.032206] page dumped because: kasan: bad access detected
[   20.032348] 
[   20.032412] Memory state around the buggy address:
[   20.032541]  fff00000c6345e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.032660]  fff00000c6345e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.032765] >fff00000c6345f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.032864]                                                                 ^
[   20.033037]  fff00000c6345f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.033195]  fff00000c6346000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.033328] ==================================================================
[   20.005606] ==================================================================
[   20.006008] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   20.006164] Read of size 1 at addr fff00000c6345f00 by task kunit_try_catch/196
[   20.006294] 
[   20.006383] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   20.006556] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.006785] Hardware name: linux,dummy-virt (DT)
[   20.006865] Call trace:
[   20.006925]  show_stack+0x20/0x38 (C)
[   20.007062]  dump_stack_lvl+0x8c/0xd0
[   20.007174]  print_report+0x118/0x608
[   20.007276]  kasan_report+0xdc/0x128
[   20.007373]  __kasan_check_byte+0x54/0x70
[   20.007478]  ksize+0x30/0x88
[   20.007623]  ksize_uaf+0x168/0x5f8
[   20.007758]  kunit_try_run_case+0x170/0x3f0
[   20.007904]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.008058]  kthread+0x328/0x630
[   20.008139]  ret_from_fork+0x10/0x20
[   20.008243] 
[   20.008287] Allocated by task 196:
[   20.008380]  kasan_save_stack+0x3c/0x68
[   20.008464]  kasan_save_track+0x20/0x40
[   20.008851]  kasan_save_alloc_info+0x40/0x58
[   20.009093]  __kasan_kmalloc+0xd4/0xd8
[   20.009197]  __kmalloc_cache_noprof+0x16c/0x3c0
[   20.009288]  ksize_uaf+0xb8/0x5f8
[   20.009358]  kunit_try_run_case+0x170/0x3f0
[   20.009627]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.009741]  kthread+0x328/0x630
[   20.009817]  ret_from_fork+0x10/0x20
[   20.009903] 
[   20.009945] Freed by task 196:
[   20.009999]  kasan_save_stack+0x3c/0x68
[   20.010088]  kasan_save_track+0x20/0x40
[   20.010169]  kasan_save_free_info+0x4c/0x78
[   20.010252]  __kasan_slab_free+0x6c/0x98
[   20.010512]  kfree+0x214/0x3c8
[   20.010640]  ksize_uaf+0x11c/0x5f8
[   20.010726]  kunit_try_run_case+0x170/0x3f0
[   20.010831]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.010972]  kthread+0x328/0x630
[   20.011232]  ret_from_fork+0x10/0x20
[   20.011494] 
[   20.011613] The buggy address belongs to the object at fff00000c6345f00
[   20.011613]  which belongs to the cache kmalloc-128 of size 128
[   20.011785] The buggy address is located 0 bytes inside of
[   20.011785]  freed 128-byte region [fff00000c6345f00, fff00000c6345f80)
[   20.011956] 
[   20.012045] The buggy address belongs to the physical page:
[   20.012120] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106345
[   20.012237] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   20.012584] page_type: f5(slab)
[   20.012730] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   20.012851] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   20.012948] page dumped because: kasan: bad access detected
[   20.013015] 
[   20.013066] Memory state around the buggy address:
[   20.013137]  fff00000c6345e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.013237]  fff00000c6345e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.013354] >fff00000c6345f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.013485]                    ^
[   20.013571]  fff00000c6345f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.013713]  fff00000c6346000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.013799] ==================================================================
[   20.015618] ==================================================================
[   20.015738] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   20.015849] Read of size 1 at addr fff00000c6345f00 by task kunit_try_catch/196
[   20.015961] 
[   20.016049] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   20.016237] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.016297] Hardware name: linux,dummy-virt (DT)
[   20.016372] Call trace:
[   20.016420]  show_stack+0x20/0x38 (C)
[   20.016544]  dump_stack_lvl+0x8c/0xd0
[   20.016662]  print_report+0x118/0x608
[   20.016763]  kasan_report+0xdc/0x128
[   20.016866]  __asan_report_load1_noabort+0x20/0x30
[   20.016986]  ksize_uaf+0x598/0x5f8
[   20.017488]  kunit_try_run_case+0x170/0x3f0
[   20.017745]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.018181]  kthread+0x328/0x630
[   20.018397]  ret_from_fork+0x10/0x20
[   20.018489] 
[   20.018529] Allocated by task 196:
[   20.018610]  kasan_save_stack+0x3c/0x68
[   20.018702]  kasan_save_track+0x20/0x40
[   20.018794]  kasan_save_alloc_info+0x40/0x58
[   20.018924]  __kasan_kmalloc+0xd4/0xd8
[   20.019007]  __kmalloc_cache_noprof+0x16c/0x3c0
[   20.019288]  ksize_uaf+0xb8/0x5f8
[   20.019373]  kunit_try_run_case+0x170/0x3f0
[   20.019458]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.019555]  kthread+0x328/0x630
[   20.019622]  ret_from_fork+0x10/0x20
[   20.019704] 
[   20.019748] Freed by task 196:
[   20.019809]  kasan_save_stack+0x3c/0x68
[   20.019895]  kasan_save_track+0x20/0x40
[   20.019978]  kasan_save_free_info+0x4c/0x78
[   20.020090]  __kasan_slab_free+0x6c/0x98
[   20.020716]  kfree+0x214/0x3c8
[   20.020839]  ksize_uaf+0x11c/0x5f8
[   20.020960]  kunit_try_run_case+0x170/0x3f0
[   20.021065]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   20.021194]  kthread+0x328/0x630
[   20.021287]  ret_from_fork+0x10/0x20
[   20.021387] 
[   20.021432] The buggy address belongs to the object at fff00000c6345f00
[   20.021432]  which belongs to the cache kmalloc-128 of size 128
[   20.021648] The buggy address is located 0 bytes inside of
[   20.021648]  freed 128-byte region [fff00000c6345f00, fff00000c6345f80)
[   20.021768] 
[   20.021806] The buggy address belongs to the physical page:
[   20.022218] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106345
[   20.022341] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   20.022486] page_type: f5(slab)
[   20.022599] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   20.022744] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   20.022892] page dumped because: kasan: bad access detected
[   20.022967] 
[   20.023011] Memory state around the buggy address:
[   20.023101]  fff00000c6345e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.023202]  fff00000c6345e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.023300] >fff00000c6345f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.023386]                    ^
[   20.023455]  fff00000c6345f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   20.023556]  fff00000c6346000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   20.023681] ==================================================================

[   12.067853] ==================================================================
[   12.068389] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   12.069065] Read of size 1 at addr ffff8881027a9f78 by task kunit_try_catch/213
[   12.069652] 
[   12.069765] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   12.069808] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.069820] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.069840] Call Trace:
[   12.069854]  <TASK>
[   12.069868]  dump_stack_lvl+0x73/0xb0
[   12.069895]  print_report+0xd1/0x650
[   12.069915]  ? __virt_addr_valid+0x1db/0x2d0
[   12.069937]  ? ksize_uaf+0x5e4/0x6c0
[   12.069956]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.069976]  ? ksize_uaf+0x5e4/0x6c0
[   12.069996]  kasan_report+0x141/0x180
[   12.070016]  ? ksize_uaf+0x5e4/0x6c0
[   12.070040]  __asan_report_load1_noabort+0x18/0x20
[   12.070062]  ksize_uaf+0x5e4/0x6c0
[   12.070081]  ? __pfx_ksize_uaf+0x10/0x10
[   12.070102]  ? __schedule+0x10cc/0x2b60
[   12.070135]  ? __pfx_read_tsc+0x10/0x10
[   12.070155]  ? ktime_get_ts64+0x86/0x230
[   12.070177]  kunit_try_run_case+0x1a5/0x480
[   12.070199]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.070220]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.070241]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.070262]  ? __kthread_parkme+0x82/0x180
[   12.070280]  ? preempt_count_sub+0x50/0x80
[   12.070303]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.070326]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.070347]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.070369]  kthread+0x337/0x6f0
[   12.070387]  ? trace_preempt_on+0x20/0xc0
[   12.070408]  ? __pfx_kthread+0x10/0x10
[   12.070427]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.070446]  ? calculate_sigpending+0x7b/0xa0
[   12.070468]  ? __pfx_kthread+0x10/0x10
[   12.070488]  ret_from_fork+0x116/0x1d0
[   12.070559]  ? __pfx_kthread+0x10/0x10
[   12.070581]  ret_from_fork_asm+0x1a/0x30
[   12.070610]  </TASK>
[   12.070621] 
[   12.078052] Allocated by task 213:
[   12.078244]  kasan_save_stack+0x45/0x70
[   12.078391]  kasan_save_track+0x18/0x40
[   12.078768]  kasan_save_alloc_info+0x3b/0x50
[   12.078985]  __kasan_kmalloc+0xb7/0xc0
[   12.079186]  __kmalloc_cache_noprof+0x189/0x420
[   12.079664]  ksize_uaf+0xaa/0x6c0
[   12.079849]  kunit_try_run_case+0x1a5/0x480
[   12.080019]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.080291]  kthread+0x337/0x6f0
[   12.080465]  ret_from_fork+0x116/0x1d0
[   12.080659]  ret_from_fork_asm+0x1a/0x30
[   12.080861] 
[   12.080957] Freed by task 213:
[   12.081103]  kasan_save_stack+0x45/0x70
[   12.081309]  kasan_save_track+0x18/0x40
[   12.081537]  kasan_save_free_info+0x3f/0x60
[   12.081719]  __kasan_slab_free+0x56/0x70
[   12.081880]  kfree+0x222/0x3f0
[   12.081997]  ksize_uaf+0x12c/0x6c0
[   12.082120]  kunit_try_run_case+0x1a5/0x480
[   12.082277]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.082479]  kthread+0x337/0x6f0
[   12.082694]  ret_from_fork+0x116/0x1d0
[   12.082879]  ret_from_fork_asm+0x1a/0x30
[   12.083070] 
[   12.083176] The buggy address belongs to the object at ffff8881027a9f00
[   12.083176]  which belongs to the cache kmalloc-128 of size 128
[   12.083620] The buggy address is located 120 bytes inside of
[   12.083620]  freed 128-byte region [ffff8881027a9f00, ffff8881027a9f80)
[   12.084220] 
[   12.084311] The buggy address belongs to the physical page:
[   12.084541] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1027a9
[   12.084861] flags: 0x200000000000000(node=0|zone=2)
[   12.085074] page_type: f5(slab)
[   12.085925] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.086200] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.086966] page dumped because: kasan: bad access detected
[   12.087623] 
[   12.087708] Memory state around the buggy address:
[   12.087947]  ffff8881027a9e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.088435]  ffff8881027a9e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.089134] >ffff8881027a9f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.089718]                                                                 ^
[   12.090298]  ffff8881027a9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.090671]  ffff8881027aa000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   12.090965] ==================================================================
[   12.021440] ==================================================================
[   12.021904] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   12.022243] Read of size 1 at addr ffff8881027a9f00 by task kunit_try_catch/213
[   12.022594] 
[   12.022709] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   12.022750] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.022761] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.022780] Call Trace:
[   12.022791]  <TASK>
[   12.022803]  dump_stack_lvl+0x73/0xb0
[   12.022829]  print_report+0xd1/0x650
[   12.022850]  ? __virt_addr_valid+0x1db/0x2d0
[   12.022872]  ? ksize_uaf+0x19d/0x6c0
[   12.022890]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.022911]  ? ksize_uaf+0x19d/0x6c0
[   12.022930]  kasan_report+0x141/0x180
[   12.022950]  ? ksize_uaf+0x19d/0x6c0
[   12.022972]  ? ksize_uaf+0x19d/0x6c0
[   12.022991]  __kasan_check_byte+0x3d/0x50
[   12.023012]  ksize+0x20/0x60
[   12.023032]  ksize_uaf+0x19d/0x6c0
[   12.023051]  ? __pfx_ksize_uaf+0x10/0x10
[   12.023104]  ? __schedule+0x10cc/0x2b60
[   12.023145]  ? __pfx_read_tsc+0x10/0x10
[   12.023165]  ? ktime_get_ts64+0x86/0x230
[   12.023189]  kunit_try_run_case+0x1a5/0x480
[   12.023212]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.023233]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.023255]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.023276]  ? __kthread_parkme+0x82/0x180
[   12.023315]  ? preempt_count_sub+0x50/0x80
[   12.023338]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.023359]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.023380]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.023402]  kthread+0x337/0x6f0
[   12.023420]  ? trace_preempt_on+0x20/0xc0
[   12.023442]  ? __pfx_kthread+0x10/0x10
[   12.023463]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.023483]  ? calculate_sigpending+0x7b/0xa0
[   12.023505]  ? __pfx_kthread+0x10/0x10
[   12.023524]  ret_from_fork+0x116/0x1d0
[   12.023541]  ? __pfx_kthread+0x10/0x10
[   12.023560]  ret_from_fork_asm+0x1a/0x30
[   12.023589]  </TASK>
[   12.023599] 
[   12.030877] Allocated by task 213:
[   12.031045]  kasan_save_stack+0x45/0x70
[   12.031285]  kasan_save_track+0x18/0x40
[   12.031508]  kasan_save_alloc_info+0x3b/0x50
[   12.031688]  __kasan_kmalloc+0xb7/0xc0
[   12.031820]  __kmalloc_cache_noprof+0x189/0x420
[   12.031976]  ksize_uaf+0xaa/0x6c0
[   12.032140]  kunit_try_run_case+0x1a5/0x480
[   12.032571]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.032828]  kthread+0x337/0x6f0
[   12.032997]  ret_from_fork+0x116/0x1d0
[   12.033197]  ret_from_fork_asm+0x1a/0x30
[   12.033467] 
[   12.033560] Freed by task 213:
[   12.033717]  kasan_save_stack+0x45/0x70
[   12.033889]  kasan_save_track+0x18/0x40
[   12.034063]  kasan_save_free_info+0x3f/0x60
[   12.034279]  __kasan_slab_free+0x56/0x70
[   12.034530]  kfree+0x222/0x3f0
[   12.034675]  ksize_uaf+0x12c/0x6c0
[   12.034820]  kunit_try_run_case+0x1a5/0x480
[   12.035024]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.035267]  kthread+0x337/0x6f0
[   12.035490]  ret_from_fork+0x116/0x1d0
[   12.035657]  ret_from_fork_asm+0x1a/0x30
[   12.035850] 
[   12.035939] The buggy address belongs to the object at ffff8881027a9f00
[   12.035939]  which belongs to the cache kmalloc-128 of size 128
[   12.036509] The buggy address is located 0 bytes inside of
[   12.036509]  freed 128-byte region [ffff8881027a9f00, ffff8881027a9f80)
[   12.036911] 
[   12.036983] The buggy address belongs to the physical page:
[   12.037185] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1027a9
[   12.037671] flags: 0x200000000000000(node=0|zone=2)
[   12.037910] page_type: f5(slab)
[   12.038076] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.038526] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.038859] page dumped because: kasan: bad access detected
[   12.039104] 
[   12.039237] Memory state around the buggy address:
[   12.039518]  ffff8881027a9e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.039760]  ffff8881027a9e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.039975] >ffff8881027a9f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.040323]                    ^
[   12.040487]  ffff8881027a9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.040807]  ffff8881027aa000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   12.041201] ==================================================================
[   12.042504] ==================================================================
[   12.042851] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   12.043093] Read of size 1 at addr ffff8881027a9f00 by task kunit_try_catch/213
[   12.043327] 
[   12.043408] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   12.043446] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.043457] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.043474] Call Trace:
[   12.043484]  <TASK>
[   12.043498]  dump_stack_lvl+0x73/0xb0
[   12.043521]  print_report+0xd1/0x650
[   12.043542]  ? __virt_addr_valid+0x1db/0x2d0
[   12.043563]  ? ksize_uaf+0x5fe/0x6c0
[   12.043582]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.043602]  ? ksize_uaf+0x5fe/0x6c0
[   12.043622]  kasan_report+0x141/0x180
[   12.043642]  ? ksize_uaf+0x5fe/0x6c0
[   12.043666]  __asan_report_load1_noabort+0x18/0x20
[   12.043689]  ksize_uaf+0x5fe/0x6c0
[   12.043708]  ? __pfx_ksize_uaf+0x10/0x10
[   12.043728]  ? __schedule+0x10cc/0x2b60
[   12.043748]  ? __pfx_read_tsc+0x10/0x10
[   12.043767]  ? ktime_get_ts64+0x86/0x230
[   12.043789]  kunit_try_run_case+0x1a5/0x480
[   12.043812]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.043832]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.043853]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.043874]  ? __kthread_parkme+0x82/0x180
[   12.043893]  ? preempt_count_sub+0x50/0x80
[   12.043915]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.043937]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.043958]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.043979]  kthread+0x337/0x6f0
[   12.043997]  ? trace_preempt_on+0x20/0xc0
[   12.044018]  ? __pfx_kthread+0x10/0x10
[   12.044037]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.044056]  ? calculate_sigpending+0x7b/0xa0
[   12.044078]  ? __pfx_kthread+0x10/0x10
[   12.044098]  ret_from_fork+0x116/0x1d0
[   12.044115]  ? __pfx_kthread+0x10/0x10
[   12.044422]  ret_from_fork_asm+0x1a/0x30
[   12.044453]  </TASK>
[   12.044463] 
[   12.051615] Allocated by task 213:
[   12.051743]  kasan_save_stack+0x45/0x70
[   12.051884]  kasan_save_track+0x18/0x40
[   12.052018]  kasan_save_alloc_info+0x3b/0x50
[   12.052197]  __kasan_kmalloc+0xb7/0xc0
[   12.052394]  __kmalloc_cache_noprof+0x189/0x420
[   12.052629]  ksize_uaf+0xaa/0x6c0
[   12.052799]  kunit_try_run_case+0x1a5/0x480
[   12.053001]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.053922]  kthread+0x337/0x6f0
[   12.054138]  ret_from_fork+0x116/0x1d0
[   12.054335]  ret_from_fork_asm+0x1a/0x30
[   12.054535] 
[   12.054629] Freed by task 213:
[   12.054783]  kasan_save_stack+0x45/0x70
[   12.054973]  kasan_save_track+0x18/0x40
[   12.055561]  kasan_save_free_info+0x3f/0x60
[   12.055984]  __kasan_slab_free+0x56/0x70
[   12.056454]  kfree+0x222/0x3f0
[   12.056622]  ksize_uaf+0x12c/0x6c0
[   12.056787]  kunit_try_run_case+0x1a5/0x480
[   12.056979]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.057228]  kthread+0x337/0x6f0
[   12.057386]  ret_from_fork+0x116/0x1d0
[   12.057559]  ret_from_fork_asm+0x1a/0x30
[   12.057738] 
[   12.057827] The buggy address belongs to the object at ffff8881027a9f00
[   12.057827]  which belongs to the cache kmalloc-128 of size 128
[   12.058858] The buggy address is located 0 bytes inside of
[   12.058858]  freed 128-byte region [ffff8881027a9f00, ffff8881027a9f80)
[   12.059797] 
[   12.060024] The buggy address belongs to the physical page:
[   12.060603] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1027a9
[   12.060932] flags: 0x200000000000000(node=0|zone=2)
[   12.061418] page_type: f5(slab)
[   12.061712] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.062406] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.062922] page dumped because: kasan: bad access detected
[   12.063570] 
[   12.063685] Memory state around the buggy address:
[   12.063900]  ffff8881027a9e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.064450]  ffff8881027a9e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.064957] >ffff8881027a9f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.065710]                    ^
[   12.065879]  ffff8881027a9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.066447]  ffff8881027aa000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   12.066970] ==================================================================
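The three reports per environment above are the expected output of the KASAN KUnit case ksize_uaf, not a regression: the reporting task is kunit_try_catch and the taint line carries [N]=TEST. The case allocates from kmalloc-128, frees the object, then calls ksize() on the stale pointer and reads byte 0 and byte 120 of it, which is why one report is raised through __kasan_check_byte/ksize and the other two through __asan_report_load1_noabort, at offsets 0 and 120 of the freed 128-byte region. The shadow lines carry the classification: in generic-mode KASAN each shadow byte covers 8 bytes of memory, 0xfa marks the first granule of a freed slab object (it holds the free track), 0xfb the rest of the freed object, and 0xfc the redzone after it. The C program below is an added example, not kernel code and not part of the KUnit test: it parses a report's "Memory state around the buggy address" block and classifies an access address the way the report text does ("N bytes inside of freed M-byte region"). It assumes generic mode with 8-byte granules, the poison values from mm/kasan/kasan.h, and that a freed object's bounds can be read off the shadow bytes; the kernel takes those bounds from slab metadata, and the two agree when objects are separated by redzones, as in these dumps. The embedded dumps are copied from the arm64 and x86_64 reports on this page.

```c
/* Added example, not kernel code: decode the "Memory state around the buggy
 * address" block of a generic-mode KASAN report and classify one accessed byte.
 * Assumed: poison values as in mm/kasan/kasan.h, 8-byte granules, and freed-object
 * bounds inferred from shadow bytes (the kernel uses slab metadata instead). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GRANULE 8                   /* memory bytes covered by one shadow byte */
#define KASAN_SLAB_FREETRACK 0xfa   /* first granule of a freed object (free track) */
#define KASAN_SLAB_FREE      0xfb   /* remaining granules of a freed object */
#define KASAN_SLAB_REDZONE   0xfc   /* redzone after a slab object */

struct shadow_dump { uint64_t base; uint8_t shadow[256]; int n; };
struct access_info {
    int shadow_val;                  /* raw shadow byte of the accessed granule */
    const char *kind;                /* bug type as KASAN would name it */
    uint64_t region_start, region_end, offset;   /* freed object, UAF only */
};

/* Parse "[>]<hexaddr>: b0 .. b15" lines; the caret line and blank lines are
 * skipped. Returns 0 on success, -1 on a malformed or non-contiguous dump. */
static int parse_shadow_dump(const char *text, struct shadow_dump *d)
{
    char buf[256], *p, *end;
    memset(d, 0, sizeof(*d));
    while (*text) {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        if (len >= sizeof(buf)) return -1;
        memcpy(buf, text, len);
        buf[len] = '\0';
        text = eol ? eol + 1 : text + len;
        for (p = buf; *p == ' ' || *p == '>'; p++)
            ;
        uint64_t addr = strtoull(p, &end, 16);
        if (end == p || *end != ':') continue;            /* not a shadow line */
        if (d->n == 0) d->base = addr;
        else if (addr != d->base + (uint64_t)d->n * GRANULE) return -1;
        p = end + 1;
        for (int i = 0; i < 16; i++, p = end) {
            unsigned long b = strtoul(p, &end, 16);
            if (end == p || b > 0xff || d->n >= 256) return -1;
            d->shadow[d->n++] = (uint8_t)b;
        }
    }
    return d->n ? 0 : -1;
}

static int is_freed(uint8_t s) { return s == KASAN_SLAB_FREETRACK || s == KASAN_SLAB_FREE; }

/* Classify a 1-byte access at addr; returns -1 if addr lies outside the dump. */
static int classify_access(const struct shadow_dump *d, uint64_t addr, struct access_info *out)
{
    memset(out, 0, sizeof(*out));
    if (addr < d->base || (addr - d->base) / GRANULE >= (uint64_t)d->n) return -1;
    int idx = (int)((addr - d->base) / GRANULE); uint8_t s = d->shadow[idx];
    out->shadow_val = s;
    if (s == 0 || (s < GRANULE && addr % GRANULE < s)) {
        out->kind = "addressable";   /* 00, or 01..07 with the byte in the valid prefix */
    } else if (is_freed(s)) {
        int start = idx, end = idx + 1;
        /* 0xfa marks an object's first granule: walk back until one is hit, then
         * forward over 0xfb only, since the next 0xfa would start another object. */
        while (start > 0 && d->shadow[start] != KASAN_SLAB_FREETRACK && is_freed(d->shadow[start - 1]))
            start--;
        while (end < d->n && d->shadow[end] == KASAN_SLAB_FREE)
            end++;
        out->kind = "slab-use-after-free";
        out->region_start = d->base + (uint64_t)start * GRANULE;
        out->region_end = d->base + (uint64_t)end * GRANULE;
        out->offset = addr - out->region_start;
    } else {                         /* past a partial granule, or inside a redzone */
        out->kind = (s < GRANULE || s == KASAN_SLAB_REDZONE) ? "slab-out-of-bounds" : "other poison";
    }
    return 0;
}

/* Shadow blocks copied from the reports on this page: the arm64 one with its
 * caret line, and one x86_64 line that shows 32-byte freed objects. */
static const char ARM64_DUMP[] =
    " fff00000c6345e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n"
    " fff00000c6345e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n"
    ">fff00000c6345f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n"
    "                                                                ^\n"
    " fff00000c6345f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n"
    " fff00000c6346000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n";
static const char X86_LINE[] =
    " ffff8881027aa000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc\n";

int main(void)
{
    struct shadow_dump d; struct access_info ai;
    if (parse_shadow_dump(ARM64_DUMP, &d) == 0 && classify_access(&d, 0xfff00000c6345f78ULL, &ai) == 0)
        printf("shadow %02x: %s, %llu bytes inside freed %llu-byte region\n", ai.shadow_val, ai.kind,
               (unsigned long long)ai.offset, (unsigned long long)(ai.region_end - ai.region_start));
    return 0;
}
```

Run against the arm64 dump, address fff00000c6345f78 resolves to shadow byte 0xfb and "120 bytes inside freed 128-byte region", and fff00000c6345f00 to 0xfa at offset 0, matching the report text; the x86_64 line ffff8881027aa000 decodes as two 32-byte freed objects each followed by a 32-byte redzone. The parser rejects a non-contiguous set of lines rather than guessing, because the granule arithmetic is only valid when every line is exactly 128 bytes after the previous one.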