Date
July 4, 2025, 11:11 p.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:

```
[   18.341731] ==================================================================
[   18.341785] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   18.341850] Read of size 1 at addr fff00000c46ece78 by task kunit_try_catch/196
[   18.341899]
[   18.341928] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[   18.342019] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.342047] Hardware name: linux,dummy-virt (DT)
[   18.342078] Call trace:
[   18.342101]  show_stack+0x20/0x38 (C)
[   18.342148]  dump_stack_lvl+0x8c/0xd0
[   18.342194]  print_report+0x118/0x608
[   18.342240]  kasan_report+0xdc/0x128
[   18.342293]  __asan_report_load1_noabort+0x20/0x30
[   18.342344]  ksize_uaf+0x544/0x5f8
[   18.342388]  kunit_try_run_case+0x170/0x3f0
[   18.342434]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.342485]  kthread+0x328/0x630
[   18.342526]  ret_from_fork+0x10/0x20
[   18.342573]
[   18.342591] Allocated by task 196:
[   18.342623]  kasan_save_stack+0x3c/0x68
[   18.342670]  kasan_save_track+0x20/0x40
[   18.342708]  kasan_save_alloc_info+0x40/0x58
[   18.342747]  __kasan_kmalloc+0xd4/0xd8
[   18.342792]  __kmalloc_cache_noprof+0x16c/0x3c0
[   18.343784]  ksize_uaf+0xb8/0x5f8
[   18.343881]  kunit_try_run_case+0x170/0x3f0
[   18.343958]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.344246]  kthread+0x328/0x630
[   18.344415]  ret_from_fork+0x10/0x20
[   18.344511]
[   18.344615] Freed by task 196:
[   18.344645]  kasan_save_stack+0x3c/0x68
[   18.344911]  kasan_save_track+0x20/0x40
[   18.345033]  kasan_save_free_info+0x4c/0x78
[   18.345188]  __kasan_slab_free+0x6c/0x98
[   18.345229]  kfree+0x214/0x3c8
[   18.345285]  ksize_uaf+0x11c/0x5f8
[   18.345711]  kunit_try_run_case+0x170/0x3f0
[   18.345821]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.346112]  kthread+0x328/0x630
[   18.346235]  ret_from_fork+0x10/0x20
[   18.346610]
[   18.346758] The buggy address belongs to the object at fff00000c46ece00
[   18.346758]  which belongs to the cache kmalloc-128 of size 128
[   18.346873] The buggy address is located 120 bytes inside of
[   18.346873]  freed 128-byte region [fff00000c46ece00, fff00000c46ece80)
[   18.347250]
[   18.347318] The buggy address belongs to the physical page:
[   18.347397] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1046ec
[   18.347493] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.347626] page_type: f5(slab)
[   18.347697] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.348032] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.348107] page dumped because: kasan: bad access detected
[   18.348138]
[   18.348156] Memory state around the buggy address:
[   18.348189]  fff00000c46ecd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.348280]  fff00000c46ecd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.348325] >fff00000c46ece00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.348363]                                                                 ^
[   18.348404]  fff00000c46ece80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.348445]  fff00000c46ecf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.348483] ==================================================================
[   18.324945] ==================================================================
[   18.325016] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   18.325304] Read of size 1 at addr fff00000c46ece00 by task kunit_try_catch/196
[   18.325644]
[   18.325690] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[   18.325775] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.325867] Hardware name: linux,dummy-virt (DT)
[   18.325903] Call trace:
[   18.325938]  show_stack+0x20/0x38 (C)
[   18.325993]  dump_stack_lvl+0x8c/0xd0
[   18.326053]  print_report+0x118/0x608
[   18.326101]  kasan_report+0xdc/0x128
[   18.326146]  __kasan_check_byte+0x54/0x70
[   18.326193]  ksize+0x30/0x88
[   18.326246]  ksize_uaf+0x168/0x5f8
[   18.326291]  kunit_try_run_case+0x170/0x3f0
[   18.326345]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.326405]  kthread+0x328/0x630
[   18.326450]  ret_from_fork+0x10/0x20
[   18.326508]
[   18.326527] Allocated by task 196:
[   18.326557]  kasan_save_stack+0x3c/0x68
[   18.326598]  kasan_save_track+0x20/0x40
[   18.326635]  kasan_save_alloc_info+0x40/0x58
[   18.326676]  __kasan_kmalloc+0xd4/0xd8
[   18.326713]  __kmalloc_cache_noprof+0x16c/0x3c0
[   18.326762]  ksize_uaf+0xb8/0x5f8
[   18.326797]  kunit_try_run_case+0x170/0x3f0
[   18.327134]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.327382]  kthread+0x328/0x630
[   18.327426]  ret_from_fork+0x10/0x20
[   18.327890]
[   18.327994] Freed by task 196:
[   18.328047]  kasan_save_stack+0x3c/0x68
[   18.328233]  kasan_save_track+0x20/0x40
[   18.328388]  kasan_save_free_info+0x4c/0x78
[   18.328431]  __kasan_slab_free+0x6c/0x98
[   18.328850]  kfree+0x214/0x3c8
[   18.329000]  ksize_uaf+0x11c/0x5f8
[   18.329216]  kunit_try_run_case+0x170/0x3f0
[   18.329613]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.329687]  kthread+0x328/0x630
[   18.329750]  ret_from_fork+0x10/0x20
[   18.329824]
[   18.329984] The buggy address belongs to the object at fff00000c46ece00
[   18.329984]  which belongs to the cache kmalloc-128 of size 128
[   18.330167] The buggy address is located 0 bytes inside of
[   18.330167]  freed 128-byte region [fff00000c46ece00, fff00000c46ece80)
[   18.330292]
[   18.330345] The buggy address belongs to the physical page:
[   18.330378] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1046ec
[   18.330675] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.330847] page_type: f5(slab)
[   18.331272] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.331358] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.331408] page dumped because: kasan: bad access detected
[   18.331440]
[   18.331459] Memory state around the buggy address:
[   18.331735]  fff00000c46ecd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.331792]  fff00000c46ecd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.332124] >fff00000c46ece00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.332537]                    ^
[   18.332619]  fff00000c46ece80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.332675]  fff00000c46ecf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.332742] ==================================================================
[   18.334555] ==================================================================
[   18.334608] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   18.334701] Read of size 1 at addr fff00000c46ece00 by task kunit_try_catch/196
[   18.334765]
[   18.334891] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[   18.335033] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.335061] Hardware name: linux,dummy-virt (DT)
[   18.335116] Call trace:
[   18.335138]  show_stack+0x20/0x38 (C)
[   18.335531]  dump_stack_lvl+0x8c/0xd0
[   18.335626]  print_report+0x118/0x608
[   18.335723]  kasan_report+0xdc/0x128
[   18.336094]  __asan_report_load1_noabort+0x20/0x30
[   18.336161]  ksize_uaf+0x598/0x5f8
[   18.336205]  kunit_try_run_case+0x170/0x3f0
[   18.336260]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.336313]  kthread+0x328/0x630
[   18.336358]  ret_from_fork+0x10/0x20
[   18.336406]
[   18.336425] Allocated by task 196:
[   18.336454]  kasan_save_stack+0x3c/0x68
[   18.336496]  kasan_save_track+0x20/0x40
[   18.336534]  kasan_save_alloc_info+0x40/0x58
[   18.336575]  __kasan_kmalloc+0xd4/0xd8
[   18.336612]  __kmalloc_cache_noprof+0x16c/0x3c0
[   18.336649]  ksize_uaf+0xb8/0x5f8
[   18.336683]  kunit_try_run_case+0x170/0x3f0
[   18.336721]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.336764]  kthread+0x328/0x630
[   18.336795]  ret_from_fork+0x10/0x20
[   18.336841]
[   18.336860] Freed by task 196:
[   18.336885]  kasan_save_stack+0x3c/0x68
[   18.336921]  kasan_save_track+0x20/0x40
[   18.336956]  kasan_save_free_info+0x4c/0x78
[   18.336996]  __kasan_slab_free+0x6c/0x98
[   18.337032]  kfree+0x214/0x3c8
[   18.337065]  ksize_uaf+0x11c/0x5f8
[   18.337097]  kunit_try_run_case+0x170/0x3f0
[   18.337135]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.337177]  kthread+0x328/0x630
[   18.337209]  ret_from_fork+0x10/0x20
[   18.337243]
[   18.337261] The buggy address belongs to the object at fff00000c46ece00
[   18.337261]  which belongs to the cache kmalloc-128 of size 128
[   18.337317] The buggy address is located 0 bytes inside of
[   18.337317]  freed 128-byte region [fff00000c46ece00, fff00000c46ece80)
[   18.337521]
[   18.337661] The buggy address belongs to the physical page:
[   18.337694] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1046ec
[   18.338077] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.338386] page_type: f5(slab)
[   18.338493] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.338835] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.338898] page dumped because: kasan: bad access detected
[   18.339033]
[   18.339120] Memory state around the buggy address:
[   18.339163]  fff00000c46ecd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.339641]  fff00000c46ecd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.339766] >fff00000c46ece00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.339857]                    ^
[   18.339921]  fff00000c46ece80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.340252]  fff00000c46ecf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.340587] ==================================================================
```
qemu-x86_64:

```
[   12.484619] ==================================================================
[   12.485870] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   12.486117] Read of size 1 at addr ffff88810262fe00 by task kunit_try_catch/213
[   12.486741]
[   12.486864] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[   12.486912] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.486924] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.486945] Call Trace:
[   12.486965]  <TASK>
[   12.486985]  dump_stack_lvl+0x73/0xb0
[   12.487016]  print_report+0xd1/0x650
[   12.487038]  ? __virt_addr_valid+0x1db/0x2d0
[   12.487148]  ? ksize_uaf+0x5fe/0x6c0
[   12.487170]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.487191]  ? ksize_uaf+0x5fe/0x6c0
[   12.487211]  kasan_report+0x141/0x180
[   12.487245]  ? ksize_uaf+0x5fe/0x6c0
[   12.487269]  __asan_report_load1_noabort+0x18/0x20
[   12.487292]  ksize_uaf+0x5fe/0x6c0
[   12.487311]  ? __pfx_ksize_uaf+0x10/0x10
[   12.487332]  ? __schedule+0x10cc/0x2b60
[   12.487353]  ? __pfx_read_tsc+0x10/0x10
[   12.487373]  ? ktime_get_ts64+0x86/0x230
[   12.487397]  kunit_try_run_case+0x1a5/0x480
[   12.487423]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.487446]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.487469]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.487491]  ? __kthread_parkme+0x82/0x180
[   12.487510]  ? preempt_count_sub+0x50/0x80
[   12.487532]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.487555]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.487577]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.487598]  kthread+0x337/0x6f0
[   12.487616]  ? trace_preempt_on+0x20/0xc0
[   12.487639]  ? __pfx_kthread+0x10/0x10
[   12.487658]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.487679]  ? calculate_sigpending+0x7b/0xa0
[   12.487701]  ? __pfx_kthread+0x10/0x10
[   12.487722]  ret_from_fork+0x116/0x1d0
[   12.487739]  ? __pfx_kthread+0x10/0x10
[   12.487758]  ret_from_fork_asm+0x1a/0x30
[   12.487788]  </TASK>
[   12.487799]
[   12.494406] Allocated by task 213:
[   12.494778]  kasan_save_stack+0x45/0x70
[   12.494990]  kasan_save_track+0x18/0x40
[   12.495180]  kasan_save_alloc_info+0x3b/0x50
[   12.495405]  __kasan_kmalloc+0xb7/0xc0
[   12.495597]  __kmalloc_cache_noprof+0x189/0x420
[   12.495811]  ksize_uaf+0xaa/0x6c0
[   12.495934]  kunit_try_run_case+0x1a5/0x480
[   12.496113]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.496373]  kthread+0x337/0x6f0
[   12.496541]  ret_from_fork+0x116/0x1d0
[   12.496764]  ret_from_fork_asm+0x1a/0x30
[   12.496914]
[   12.496984] Freed by task 213:
[   12.497094]  kasan_save_stack+0x45/0x70
[   12.497250]  kasan_save_track+0x18/0x40
[   12.497438]  kasan_save_free_info+0x3f/0x60
[   12.497647]  __kasan_slab_free+0x56/0x70
[   12.497842]  kfree+0x222/0x3f0
[   12.498005]  ksize_uaf+0x12c/0x6c0
[   12.498182]  kunit_try_run_case+0x1a5/0x480
[   12.498380]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.498602]  kthread+0x337/0x6f0
[   12.498721]  ret_from_fork+0x116/0x1d0
[   12.498908]  ret_from_fork_asm+0x1a/0x30
[   12.499107]
[   12.499204] The buggy address belongs to the object at ffff88810262fe00
[   12.499204]  which belongs to the cache kmalloc-128 of size 128
[   12.499665] The buggy address is located 0 bytes inside of
[   12.499665]  freed 128-byte region [ffff88810262fe00, ffff88810262fe80)
[   12.500018]
[   12.500094] The buggy address belongs to the physical page:
[   12.500353] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10262f
[   12.500722] flags: 0x200000000000000(node=0|zone=2)
[   12.500961] page_type: f5(slab)
[   12.501123] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.501599] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.501900] page dumped because: kasan: bad access detected
[   12.502070]
[   12.502138] Memory state around the buggy address:
[   12.502384]  ffff88810262fd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.502705]  ffff88810262fd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.503025] >ffff88810262fe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.503382]                    ^
[   12.503522]  ffff88810262fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.503799]  ffff88810262ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.504060] ==================================================================
[   12.465360] ==================================================================
[   12.465876] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   12.466154] Read of size 1 at addr ffff88810262fe00 by task kunit_try_catch/213
[   12.466495]
[   12.466613] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[   12.466659] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.466689] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.466711] Call Trace:
[   12.466725]  <TASK>
[   12.466744]  dump_stack_lvl+0x73/0xb0
[   12.466774]  print_report+0xd1/0x650
[   12.466796]  ? __virt_addr_valid+0x1db/0x2d0
[   12.466818]  ? ksize_uaf+0x19d/0x6c0
[   12.466837]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.466858]  ? ksize_uaf+0x19d/0x6c0
[   12.466878]  kasan_report+0x141/0x180
[   12.466898]  ? ksize_uaf+0x19d/0x6c0
[   12.466921]  ? ksize_uaf+0x19d/0x6c0
[   12.466941]  __kasan_check_byte+0x3d/0x50
[   12.466961]  ksize+0x20/0x60
[   12.466981]  ksize_uaf+0x19d/0x6c0
[   12.467001]  ? __pfx_ksize_uaf+0x10/0x10
[   12.467021]  ? __schedule+0x10cc/0x2b60
[   12.467042]  ? __pfx_read_tsc+0x10/0x10
[   12.467062]  ? ktime_get_ts64+0x86/0x230
[   12.467086]  kunit_try_run_case+0x1a5/0x480
[   12.467110]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.467131]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.467154]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.467175]  ? __kthread_parkme+0x82/0x180
[   12.467195]  ? preempt_count_sub+0x50/0x80
[   12.467227]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.467250]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.467271]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.467292]  kthread+0x337/0x6f0
[   12.467310]  ? trace_preempt_on+0x20/0xc0
[   12.467333]  ? __pfx_kthread+0x10/0x10
[   12.467352]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.467372]  ? calculate_sigpending+0x7b/0xa0
[   12.467396]  ? __pfx_kthread+0x10/0x10
[   12.467416]  ret_from_fork+0x116/0x1d0
[   12.467432]  ? __pfx_kthread+0x10/0x10
[   12.467452]  ret_from_fork_asm+0x1a/0x30
[   12.467481]  </TASK>
[   12.467492]
[   12.474193] Allocated by task 213:
[   12.474369]  kasan_save_stack+0x45/0x70
[   12.474583]  kasan_save_track+0x18/0x40
[   12.474776]  kasan_save_alloc_info+0x3b/0x50
[   12.474992]  __kasan_kmalloc+0xb7/0xc0
[   12.475157]  __kmalloc_cache_noprof+0x189/0x420
[   12.475327]  ksize_uaf+0xaa/0x6c0
[   12.475454]  kunit_try_run_case+0x1a5/0x480
[   12.475626]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.475880]  kthread+0x337/0x6f0
[   12.476051]  ret_from_fork+0x116/0x1d0
[   12.476250]  ret_from_fork_asm+0x1a/0x30
[   12.476434]
[   12.476504] Freed by task 213:
[   12.476615]  kasan_save_stack+0x45/0x70
[   12.476749]  kasan_save_track+0x18/0x40
[   12.476889]  kasan_save_free_info+0x3f/0x60
[   12.477035]  __kasan_slab_free+0x56/0x70
[   12.477308]  kfree+0x222/0x3f0
[   12.477467]  ksize_uaf+0x12c/0x6c0
[   12.477639]  kunit_try_run_case+0x1a5/0x480
[   12.477842]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.478088]  kthread+0x337/0x6f0
[   12.478275]  ret_from_fork+0x116/0x1d0
[   12.478457]  ret_from_fork_asm+0x1a/0x30
[   12.478594]
[   12.478667] The buggy address belongs to the object at ffff88810262fe00
[   12.478667]  which belongs to the cache kmalloc-128 of size 128
[   12.479027] The buggy address is located 0 bytes inside of
[   12.479027]  freed 128-byte region [ffff88810262fe00, ffff88810262fe80)
[   12.479869]
[   12.479969] The buggy address belongs to the physical page:
[   12.480238] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10262f
[   12.480544] flags: 0x200000000000000(node=0|zone=2)
[   12.480712] page_type: f5(slab)
[   12.480844] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.481075] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.481610] page dumped because: kasan: bad access detected
[   12.481862]
[   12.481955] Memory state around the buggy address:
[   12.482184]  ffff88810262fd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.482631]  ffff88810262fd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.482848] >ffff88810262fe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.483060]                    ^
[   12.483175]  ffff88810262fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.483449]  ffff88810262ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.483768] ==================================================================
[   12.505403] ==================================================================
[   12.505697] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   12.506007] Read of size 1 at addr ffff88810262fe78 by task kunit_try_catch/213
[   12.506344]
[   12.506462] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[   12.506507] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.506519] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.506540] Call Trace:
[   12.506560]  <TASK>
[   12.506579]  dump_stack_lvl+0x73/0xb0
[   12.506609]  print_report+0xd1/0x650
[   12.506630]  ? __virt_addr_valid+0x1db/0x2d0
[   12.506652]  ? ksize_uaf+0x5e4/0x6c0
[   12.506672]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.506692]  ? ksize_uaf+0x5e4/0x6c0
[   12.506712]  kasan_report+0x141/0x180
[   12.506732]  ? ksize_uaf+0x5e4/0x6c0
[   12.506756]  __asan_report_load1_noabort+0x18/0x20
[   12.506779]  ksize_uaf+0x5e4/0x6c0
[   12.506798]  ? __pfx_ksize_uaf+0x10/0x10
[   12.506819]  ? __schedule+0x10cc/0x2b60
[   12.506839]  ? __pfx_read_tsc+0x10/0x10
[   12.506859]  ? ktime_get_ts64+0x86/0x230
[   12.506884]  kunit_try_run_case+0x1a5/0x480
[   12.506907]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.506927]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.506949]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.506971]  ? __kthread_parkme+0x82/0x180
[   12.506990]  ? preempt_count_sub+0x50/0x80
[   12.507013]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.507035]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.507055]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.507076]  kthread+0x337/0x6f0
[   12.507094]  ? trace_preempt_on+0x20/0xc0
[   12.507117]  ? __pfx_kthread+0x10/0x10
[   12.507136]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.507155]  ? calculate_sigpending+0x7b/0xa0
[   12.507178]  ? __pfx_kthread+0x10/0x10
[   12.507198]  ret_from_fork+0x116/0x1d0
[   12.507215]  ? __pfx_kthread+0x10/0x10
[   12.507246]  ret_from_fork_asm+0x1a/0x30
[   12.507276]  </TASK>
[   12.507286]
[   12.513924] Allocated by task 213:
[   12.514085]  kasan_save_stack+0x45/0x70
[   12.514303]  kasan_save_track+0x18/0x40
[   12.514570]  kasan_save_alloc_info+0x3b/0x50
[   12.514717]  __kasan_kmalloc+0xb7/0xc0
[   12.514847]  __kmalloc_cache_noprof+0x189/0x420
[   12.515070]  ksize_uaf+0xaa/0x6c0
[   12.515895]  kunit_try_run_case+0x1a5/0x480
[   12.516175]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.516442]  kthread+0x337/0x6f0
[   12.516612]  ret_from_fork+0x116/0x1d0
[   12.516748]  ret_from_fork_asm+0x1a/0x30
[   12.516894]
[   12.516965] Freed by task 213:
[   12.517089]  kasan_save_stack+0x45/0x70
[   12.517321]  kasan_save_track+0x18/0x40
[   12.517514]  kasan_save_free_info+0x3f/0x60
[   12.517729]  __kasan_slab_free+0x56/0x70
[   12.517925]  kfree+0x222/0x3f0
[   12.518073]  ksize_uaf+0x12c/0x6c0
[   12.518234]  kunit_try_run_case+0x1a5/0x480
[   12.518445]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.518673]  kthread+0x337/0x6f0
[   12.518804]  ret_from_fork+0x116/0x1d0
[   12.518983]  ret_from_fork_asm+0x1a/0x30
[   12.519120]
[   12.519193] The buggy address belongs to the object at ffff88810262fe00
[   12.519193]  which belongs to the cache kmalloc-128 of size 128
[   12.519797] The buggy address is located 120 bytes inside of
[   12.519797]  freed 128-byte region [ffff88810262fe00, ffff88810262fe80)
[   12.520181]
[   12.520272] The buggy address belongs to the physical page:
[   12.520525] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10262f
[   12.520889] flags: 0x200000000000000(node=0|zone=2)
[   12.521127] page_type: f5(slab)
[   12.521258] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.521595] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.521863] page dumped because: kasan: bad access detected
[   12.522034]
[   12.522102] Memory state around the buggy address:
[   12.522373]  ffff88810262fd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.522698]  ffff88810262fd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.523004] >ffff88810262fe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.523271]                                                                 ^
[   12.523567]  ffff88810262fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.523811]  ffff88810262ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.524022] ==================================================================
```