Date
July 1, 2025, 11:08 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 18.609078] ==================================================================
[ 18.609782] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 18.609927] Read of size 1 at addr fff00000c7732778 by task kunit_try_catch/197
[ 18.610198]
[ 18.610397] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 18.610675] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.610726] Hardware name: linux,dummy-virt (DT)
[ 18.610766] Call trace:
[ 18.610792] show_stack+0x20/0x38 (C)
[ 18.610866] dump_stack_lvl+0x8c/0xd0
[ 18.610981] print_report+0x118/0x608
[ 18.611036] kasan_report+0xdc/0x128
[ 18.611560] __asan_report_load1_noabort+0x20/0x30
[ 18.611651] ksize_uaf+0x544/0x5f8
[ 18.611703] kunit_try_run_case+0x170/0x3f0
[ 18.611896] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.611971] kthread+0x328/0x630
[ 18.612023] ret_from_fork+0x10/0x20
[ 18.612200]
[ 18.612253] Allocated by task 197:
[ 18.612296] kasan_save_stack+0x3c/0x68
[ 18.612348] kasan_save_track+0x20/0x40
[ 18.612389] kasan_save_alloc_info+0x40/0x58
[ 18.612448] __kasan_kmalloc+0xd4/0xd8
[ 18.612487] __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.612538] ksize_uaf+0xb8/0x5f8
[ 18.612584] kunit_try_run_case+0x170/0x3f0
[ 18.612625] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.612685] kthread+0x328/0x630
[ 18.612734] ret_from_fork+0x10/0x20
[ 18.612781]
[ 18.612802] Freed by task 197:
[ 18.612833] kasan_save_stack+0x3c/0x68
[ 18.612875] kasan_save_track+0x20/0x40
[ 18.612914] kasan_save_free_info+0x4c/0x78
[ 18.612969] __kasan_slab_free+0x6c/0x98
[ 18.613018] kfree+0x214/0x3c8
[ 18.613065] ksize_uaf+0x11c/0x5f8
[ 18.613113] kunit_try_run_case+0x170/0x3f0
[ 18.613577] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.613950] kthread+0x328/0x630
[ 18.614329] ret_from_fork+0x10/0x20
[ 18.614419]
[ 18.614467] The buggy address belongs to the object at fff00000c7732700
[ 18.614467] which belongs to the cache kmalloc-128 of size 128
[ 18.614721] The buggy address is located 120 bytes inside of
[ 18.614721] freed 128-byte region [fff00000c7732700, fff00000c7732780)
[ 18.614957]
[ 18.615441] The buggy address belongs to the physical page:
[ 18.615547] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107732
[ 18.615734] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.615836] page_type: f5(slab)
[ 18.616157] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 18.616384] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.616590] page dumped because: kasan: bad access detected
[ 18.616686]
[ 18.616806] Memory state around the buggy address:
[ 18.616897] fff00000c7732600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.616980] fff00000c7732680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.617312] >fff00000c7732700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.617558] ^
[ 18.617662] fff00000c7732780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.617832] fff00000c7732800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.617929] ==================================================================
[ 18.583234] ==================================================================
[ 18.583333] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 18.583409] Read of size 1 at addr fff00000c7732700 by task kunit_try_catch/197
[ 18.583466]
[ 18.583513] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 18.583609] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.583639] Hardware name: linux,dummy-virt (DT)
[ 18.583674] Call trace:
[ 18.583700] show_stack+0x20/0x38 (C)
[ 18.583756] dump_stack_lvl+0x8c/0xd0
[ 18.583807] print_report+0x118/0x608
[ 18.583855] kasan_report+0xdc/0x128
[ 18.583902] __kasan_check_byte+0x54/0x70
[ 18.583954] ksize+0x30/0x88
[ 18.584021] ksize_uaf+0x168/0x5f8
[ 18.584069] kunit_try_run_case+0x170/0x3f0
[ 18.584143] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.584202] kthread+0x328/0x630
[ 18.584247] ret_from_fork+0x10/0x20
[ 18.584301]
[ 18.584321] Allocated by task 197:
[ 18.584350] kasan_save_stack+0x3c/0x68
[ 18.584396] kasan_save_track+0x20/0x40
[ 18.584436] kasan_save_alloc_info+0x40/0x58
[ 18.584491] __kasan_kmalloc+0xd4/0xd8
[ 18.584531] __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.584954] ksize_uaf+0xb8/0x5f8
[ 18.585004] kunit_try_run_case+0x170/0x3f0
[ 18.585124] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.585187] kthread+0x328/0x630
[ 18.585223] ret_from_fork+0x10/0x20
[ 18.585262]
[ 18.585285] Freed by task 197:
[ 18.585323] kasan_save_stack+0x3c/0x68
[ 18.585376] kasan_save_track+0x20/0x40
[ 18.585417] kasan_save_free_info+0x4c/0x78
[ 18.585461] __kasan_slab_free+0x6c/0x98
[ 18.585500] kfree+0x214/0x3c8
[ 18.585535] ksize_uaf+0x11c/0x5f8
[ 18.585692] kunit_try_run_case+0x170/0x3f0
[ 18.585740] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.585789] kthread+0x328/0x630
[ 18.585825] ret_from_fork+0x10/0x20
[ 18.585891]
[ 18.585936] The buggy address belongs to the object at fff00000c7732700
[ 18.585936] which belongs to the cache kmalloc-128 of size 128
[ 18.586022] The buggy address is located 0 bytes inside of
[ 18.586022] freed 128-byte region [fff00000c7732700, fff00000c7732780)
[ 18.586160]
[ 18.586267] The buggy address belongs to the physical page:
[ 18.586452] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107732
[ 18.586567] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.586666] page_type: f5(slab)
[ 18.586756] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 18.586814] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.586892] page dumped because: kasan: bad access detected
[ 18.586956]
[ 18.587149] Memory state around the buggy address:
[ 18.587201] fff00000c7732600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.587248] fff00000c7732680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.587607] >fff00000c7732700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.587659] ^
[ 18.587691] fff00000c7732780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.587740] fff00000c7732800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.587785] ==================================================================
[ 18.589906] ==================================================================
[ 18.589986] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 18.590052] Read of size 1 at addr fff00000c7732700 by task kunit_try_catch/197
[ 18.590108]
[ 18.590170] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 18.590263] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.590291] Hardware name: linux,dummy-virt (DT)
[ 18.590329] Call trace:
[ 18.590353] show_stack+0x20/0x38 (C)
[ 18.590409] dump_stack_lvl+0x8c/0xd0
[ 18.590460] print_report+0x118/0x608
[ 18.590510] kasan_report+0xdc/0x128
[ 18.590557] __asan_report_load1_noabort+0x20/0x30
[ 18.590612] ksize_uaf+0x598/0x5f8
[ 18.590658] kunit_try_run_case+0x170/0x3f0
[ 18.590707] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.590763] kthread+0x328/0x630
[ 18.590808] ret_from_fork+0x10/0x20
[ 18.590860]
[ 18.590879] Allocated by task 197:
[ 18.590912] kasan_save_stack+0x3c/0x68
[ 18.590957] kasan_save_track+0x20/0x40
[ 18.590997] kasan_save_alloc_info+0x40/0x58
[ 18.591040] __kasan_kmalloc+0xd4/0xd8
[ 18.591078] __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.591788] ksize_uaf+0xb8/0x5f8
[ 18.591949] kunit_try_run_case+0x170/0x3f0
[ 18.591996] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.592425] kthread+0x328/0x630
[ 18.592740] ret_from_fork+0x10/0x20
[ 18.593076]
[ 18.593320] Freed by task 197:
[ 18.593733] kasan_save_stack+0x3c/0x68
[ 18.593966] kasan_save_track+0x20/0x40
[ 18.594233] kasan_save_free_info+0x4c/0x78
[ 18.594398] __kasan_slab_free+0x6c/0x98
[ 18.595220] kfree+0x214/0x3c8
[ 18.595758] ksize_uaf+0x11c/0x5f8
[ 18.596016] kunit_try_run_case+0x170/0x3f0
[ 18.596123] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.596257] kthread+0x328/0x630
[ 18.596744] ret_from_fork+0x10/0x20
[ 18.596849]
[ 18.597172] The buggy address belongs to the object at fff00000c7732700
[ 18.597172] which belongs to the cache kmalloc-128 of size 128
[ 18.597267] The buggy address is located 0 bytes inside of
[ 18.597267] freed 128-byte region [fff00000c7732700, fff00000c7732780)
[ 18.597353]
[ 18.597859] The buggy address belongs to the physical page:
[ 18.598314] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107732
[ 18.598572] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.598775] page_type: f5(slab)
[ 18.598982] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 18.599061] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.599329] page dumped because: kasan: bad access detected
[ 18.599436]
[ 18.599558] Memory state around the buggy address:
[ 18.599680] fff00000c7732600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.599735] fff00000c7732680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.599785] >fff00000c7732700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.599838] ^
[ 18.600272] fff00000c7732780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.600538] fff00000c7732800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.600775] ==================================================================
```
qemu-x86_64:

```text
[ 11.957628] ==================================================================
[ 11.958406] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 11.958839] Read of size 1 at addr ffff888102ef5a00 by task kunit_try_catch/213
[ 11.959175]
[ 11.959272] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 11.959319] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.959331] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.959352] Call Trace:
[ 11.959364] <TASK>
[ 11.959394] dump_stack_lvl+0x73/0xb0
[ 11.959425] print_report+0xd1/0x650
[ 11.959448] ? __virt_addr_valid+0x1db/0x2d0
[ 11.959472] ? ksize_uaf+0x19d/0x6c0
[ 11.959491] ? kasan_complete_mode_report_info+0x64/0x200
[ 11.959511] ? ksize_uaf+0x19d/0x6c0
[ 11.959531] kasan_report+0x141/0x180
[ 11.959551] ? ksize_uaf+0x19d/0x6c0
[ 11.959694] ? ksize_uaf+0x19d/0x6c0
[ 11.959717] __kasan_check_byte+0x3d/0x50
[ 11.959738] ksize+0x20/0x60
[ 11.959759] ksize_uaf+0x19d/0x6c0
[ 11.959779] ? __pfx_ksize_uaf+0x10/0x10
[ 11.959799] ? __schedule+0x10cc/0x2b60
[ 11.959821] ? __pfx_read_tsc+0x10/0x10
[ 11.959842] ? ktime_get_ts64+0x86/0x230
[ 11.959866] kunit_try_run_case+0x1a5/0x480
[ 11.959892] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.959912] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.960010] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.960033] ? __kthread_parkme+0x82/0x180
[ 11.960054] ? preempt_count_sub+0x50/0x80
[ 11.960079] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.960102] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.960125] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.960146] kthread+0x337/0x6f0
[ 11.960164] ? trace_preempt_on+0x20/0xc0
[ 11.960187] ? __pfx_kthread+0x10/0x10
[ 11.960206] ? _raw_spin_unlock_irq+0x47/0x80
[ 11.960225] ? calculate_sigpending+0x7b/0xa0
[ 11.960249] ? __pfx_kthread+0x10/0x10
[ 11.960270] ret_from_fork+0x116/0x1d0
[ 11.960289] ? __pfx_kthread+0x10/0x10
[ 11.960308] ret_from_fork_asm+0x1a/0x30
[ 11.960338] </TASK>
[ 11.960350]
[ 11.971055] Allocated by task 213:
[ 11.971367] kasan_save_stack+0x45/0x70
[ 11.971688] kasan_save_track+0x18/0x40
[ 11.971914] kasan_save_alloc_info+0x3b/0x50
[ 11.972364] __kasan_kmalloc+0xb7/0xc0
[ 11.972550] __kmalloc_cache_noprof+0x189/0x420
[ 11.972763] ksize_uaf+0xaa/0x6c0
[ 11.972924] kunit_try_run_case+0x1a5/0x480
[ 11.973117] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.973354] kthread+0x337/0x6f0
[ 11.973521] ret_from_fork+0x116/0x1d0
[ 11.974176] ret_from_fork_asm+0x1a/0x30
[ 11.974360]
[ 11.974560] Freed by task 213:
[ 11.974859] kasan_save_stack+0x45/0x70
[ 11.975184] kasan_save_track+0x18/0x40
[ 11.975583] kasan_save_free_info+0x3f/0x60
[ 11.975891] __kasan_slab_free+0x56/0x70
[ 11.976278] kfree+0x222/0x3f0
[ 11.976551] ksize_uaf+0x12c/0x6c0
[ 11.976850] kunit_try_run_case+0x1a5/0x480
[ 11.977126] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.977466] kthread+0x337/0x6f0
[ 11.977683] ret_from_fork+0x116/0x1d0
[ 11.977852] ret_from_fork_asm+0x1a/0x30
[ 11.978294]
[ 11.978410] The buggy address belongs to the object at ffff888102ef5a00
[ 11.978410] which belongs to the cache kmalloc-128 of size 128
[ 11.979330] The buggy address is located 0 bytes inside of
[ 11.979330] freed 128-byte region [ffff888102ef5a00, ffff888102ef5a80)
[ 11.980160]
[ 11.980270] The buggy address belongs to the physical page:
[ 11.980804] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102ef5
[ 11.981284] flags: 0x200000000000000(node=0|zone=2)
[ 11.981538] page_type: f5(slab)
[ 11.981734] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 11.982397] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 11.982798] page dumped because: kasan: bad access detected
[ 11.983277]
[ 11.983394] Memory state around the buggy address:
[ 11.983859] ffff888102ef5900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.984310] ffff888102ef5980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.984807] >ffff888102ef5a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.985801] ^
[ 11.985970] ffff888102ef5a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.986547] ffff888102ef5b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.987325] ==================================================================
[ 11.988506] ==================================================================
[ 11.989529] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 11.990210] Read of size 1 at addr ffff888102ef5a00 by task kunit_try_catch/213
[ 11.990749]
[ 11.990869] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 11.990916] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.990928] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.990947] Call Trace:
[ 11.991204] <TASK>
[ 11.991229] dump_stack_lvl+0x73/0xb0
[ 11.991263] print_report+0xd1/0x650
[ 11.991286] ? __virt_addr_valid+0x1db/0x2d0
[ 11.991310] ? ksize_uaf+0x5fe/0x6c0
[ 11.991329] ? kasan_complete_mode_report_info+0x64/0x200
[ 11.991350] ? ksize_uaf+0x5fe/0x6c0
[ 11.991369] kasan_report+0x141/0x180
[ 11.991406] ? ksize_uaf+0x5fe/0x6c0
[ 11.991430] __asan_report_load1_noabort+0x18/0x20
[ 11.991453] ksize_uaf+0x5fe/0x6c0
[ 11.991472] ? __pfx_ksize_uaf+0x10/0x10
[ 11.991492] ? __schedule+0x10cc/0x2b60
[ 11.991513] ? __pfx_read_tsc+0x10/0x10
[ 11.991533] ? ktime_get_ts64+0x86/0x230
[ 11.991556] kunit_try_run_case+0x1a5/0x480
[ 11.991580] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.991602] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.991627] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.991648] ? __kthread_parkme+0x82/0x180
[ 11.991669] ? preempt_count_sub+0x50/0x80
[ 11.991691] ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.991713] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.991734] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.991755] kthread+0x337/0x6f0
[ 11.991774] ? trace_preempt_on+0x20/0xc0
[ 11.991796] ? __pfx_kthread+0x10/0x10
[ 11.991816] ? _raw_spin_unlock_irq+0x47/0x80
[ 11.991836] ? calculate_sigpending+0x7b/0xa0
[ 11.991858] ? __pfx_kthread+0x10/0x10
[ 11.991877] ret_from_fork+0x116/0x1d0
[ 11.991895] ? __pfx_kthread+0x10/0x10
[ 11.991914] ret_from_fork_asm+0x1a/0x30
[ 11.991943] </TASK>
[ 11.991954]
[ 12.004313] Allocated by task 213:
[ 12.004520] kasan_save_stack+0x45/0x70
[ 12.004928] kasan_save_track+0x18/0x40
[ 12.005363] kasan_save_alloc_info+0x3b/0x50
[ 12.005922] __kasan_kmalloc+0xb7/0xc0
[ 12.006065] __kmalloc_cache_noprof+0x189/0x420
[ 12.006220] ksize_uaf+0xaa/0x6c0
[ 12.006342] kunit_try_run_case+0x1a5/0x480
[ 12.006798] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.007343] kthread+0x337/0x6f0
[ 12.007656] ret_from_fork+0x116/0x1d0
[ 12.008043] ret_from_fork_asm+0x1a/0x30
[ 12.008559]
[ 12.008731] Freed by task 213:
[ 12.009240] kasan_save_stack+0x45/0x70
[ 12.009636] kasan_save_track+0x18/0x40
[ 12.010022] kasan_save_free_info+0x3f/0x60
[ 12.010291] __kasan_slab_free+0x56/0x70
[ 12.010441] kfree+0x222/0x3f0
[ 12.010560] ksize_uaf+0x12c/0x6c0
[ 12.010684] kunit_try_run_case+0x1a5/0x480
[ 12.010827] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.010999] kthread+0x337/0x6f0
[ 12.011116] ret_from_fork+0x116/0x1d0
[ 12.011245] ret_from_fork_asm+0x1a/0x30
[ 12.011390]
[ 12.011476] The buggy address belongs to the object at ffff888102ef5a00
[ 12.011476] which belongs to the cache kmalloc-128 of size 128
[ 12.012119] The buggy address is located 0 bytes inside of
[ 12.012119] freed 128-byte region [ffff888102ef5a00, ffff888102ef5a80)
[ 12.012736]
[ 12.012814] The buggy address belongs to the physical page:
[ 12.012986] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102ef5
[ 12.013344] flags: 0x200000000000000(node=0|zone=2)
[ 12.013866] page_type: f5(slab)
[ 12.014042] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.014467] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.014773] page dumped because: kasan: bad access detected
[ 12.015084]
[ 12.015190] Memory state around the buggy address:
[ 12.015399] ffff888102ef5900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.015712] ffff888102ef5980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.016076] >ffff888102ef5a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.016288] ^
[ 12.016456] ffff888102ef5a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.016786] ffff888102ef5b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.017057] ==================================================================
[ 12.017897] ==================================================================
[ 12.018344] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 12.018780] Read of size 1 at addr ffff888102ef5a78 by task kunit_try_catch/213
[ 12.019189]
[ 12.019306] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 12.019352] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.019363] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.019406] Call Trace:
[ 12.019426] <TASK>
[ 12.019445] dump_stack_lvl+0x73/0xb0
[ 12.019488] print_report+0xd1/0x650
[ 12.019512] ? __virt_addr_valid+0x1db/0x2d0
[ 12.019534] ? ksize_uaf+0x5e4/0x6c0
[ 12.019554] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.019587] ? ksize_uaf+0x5e4/0x6c0
[ 12.019606] kasan_report+0x141/0x180
[ 12.019627] ? ksize_uaf+0x5e4/0x6c0
[ 12.019652] __asan_report_load1_noabort+0x18/0x20
[ 12.019675] ksize_uaf+0x5e4/0x6c0
[ 12.019705] ? __pfx_ksize_uaf+0x10/0x10
[ 12.019725] ? __schedule+0x10cc/0x2b60
[ 12.019746] ? __pfx_read_tsc+0x10/0x10
[ 12.019777] ? ktime_get_ts64+0x86/0x230
[ 12.019800] kunit_try_run_case+0x1a5/0x480
[ 12.019824] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.019845] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.019867] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.019888] ? __kthread_parkme+0x82/0x180
[ 12.019908] ? preempt_count_sub+0x50/0x80
[ 12.019941] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.019963] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.019984] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.020054] kthread+0x337/0x6f0
[ 12.020087] ? trace_preempt_on+0x20/0xc0
[ 12.020111] ? __pfx_kthread+0x10/0x10
[ 12.020132] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.020152] ? calculate_sigpending+0x7b/0xa0
[ 12.020174] ? __pfx_kthread+0x10/0x10
[ 12.020194] ret_from_fork+0x116/0x1d0
[ 12.020212] ? __pfx_kthread+0x10/0x10
[ 12.020231] ret_from_fork_asm+0x1a/0x30
[ 12.020270] </TASK>
[ 12.020281]
[ 12.029005] Allocated by task 213:
[ 12.029195] kasan_save_stack+0x45/0x70
[ 12.029354] kasan_save_track+0x18/0x40
[ 12.029559] kasan_save_alloc_info+0x3b/0x50
[ 12.029799] __kasan_kmalloc+0xb7/0xc0
[ 12.030268] __kmalloc_cache_noprof+0x189/0x420
[ 12.030518] ksize_uaf+0xaa/0x6c0
[ 12.030686] kunit_try_run_case+0x1a5/0x480
[ 12.030878] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.031237] kthread+0x337/0x6f0
[ 12.031393] ret_from_fork+0x116/0x1d0
[ 12.031525] ret_from_fork_asm+0x1a/0x30
[ 12.031662]
[ 12.031732] Freed by task 213:
[ 12.032105] kasan_save_stack+0x45/0x70
[ 12.032301] kasan_save_track+0x18/0x40
[ 12.032504] kasan_save_free_info+0x3f/0x60
[ 12.032712] __kasan_slab_free+0x56/0x70
[ 12.032939] kfree+0x222/0x3f0
[ 12.033070] ksize_uaf+0x12c/0x6c0
[ 12.033303] kunit_try_run_case+0x1a5/0x480
[ 12.033500] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.033760] kthread+0x337/0x6f0
[ 12.033879] ret_from_fork+0x116/0x1d0
[ 12.034009] ret_from_fork_asm+0x1a/0x30
[ 12.034202]
[ 12.034310] The buggy address belongs to the object at ffff888102ef5a00
[ 12.034310] which belongs to the cache kmalloc-128 of size 128
[ 12.034996] The buggy address is located 120 bytes inside of
[ 12.034996] freed 128-byte region [ffff888102ef5a00, ffff888102ef5a80)
[ 12.035341]
[ 12.035690] The buggy address belongs to the physical page:
[ 12.035978] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102ef5
[ 12.036466] flags: 0x200000000000000(node=0|zone=2)
[ 12.036800] page_type: f5(slab)
[ 12.037157] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.037416] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.037642] page dumped because: kasan: bad access detected
[ 12.038035]
[ 12.038152] Memory state around the buggy address:
[ 12.038408] ffff888102ef5900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.038911] ffff888102ef5980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.039321] >ffff888102ef5a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.039583] ^
[ 12.040177] ffff888102ef5a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.040527] ffff888102ef5b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.040797] ==================================================================
```