Hay
Sign in
Date
July 5, 2025, 11:11 p.m.

Environment
qemu-arm64
qemu-x86_64 

[   18.286368] ==================================================================
[   18.286427] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   18.286473] Read of size 1 at addr fff00000c3ec0778 by task kunit_try_catch/196
[   18.286556] 
[   18.286759] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   18.286867] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.286955] Hardware name: linux,dummy-virt (DT)
[   18.286993] Call trace:
[   18.287063]  show_stack+0x20/0x38 (C)
[   18.287270]  dump_stack_lvl+0x8c/0xd0
[   18.287458]  print_report+0x118/0x608
[   18.287519]  kasan_report+0xdc/0x128
[   18.287565]  __asan_report_load1_noabort+0x20/0x30
[   18.287624]  ksize_uaf+0x544/0x5f8
[   18.287669]  kunit_try_run_case+0x170/0x3f0
[   18.287714]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.287766]  kthread+0x328/0x630
[   18.288069]  ret_from_fork+0x10/0x20
[   18.288283] 
[   18.288398] Allocated by task 196:
[   18.288495]  kasan_save_stack+0x3c/0x68
[   18.288629]  kasan_save_track+0x20/0x40
[   18.288667]  kasan_save_alloc_info+0x40/0x58
[   18.288707]  __kasan_kmalloc+0xd4/0xd8
[   18.288750]  __kmalloc_cache_noprof+0x16c/0x3c0
[   18.289130]  ksize_uaf+0xb8/0x5f8
[   18.289330]  kunit_try_run_case+0x170/0x3f0
[   18.289377]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.289644]  kthread+0x328/0x630
[   18.289747]  ret_from_fork+0x10/0x20
[   18.289882] 
[   18.290105] Freed by task 196:
[   18.290279]  kasan_save_stack+0x3c/0x68
[   18.290400]  kasan_save_track+0x20/0x40
[   18.290717]  kasan_save_free_info+0x4c/0x78
[   18.290846]  __kasan_slab_free+0x6c/0x98
[   18.290924]  kfree+0x214/0x3c8
[   18.291102]  ksize_uaf+0x11c/0x5f8
[   18.291334]  kunit_try_run_case+0x170/0x3f0
[   18.291457]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.291505]  kthread+0x328/0x630
[   18.291857]  ret_from_fork+0x10/0x20
[   18.291928] 
[   18.291991] The buggy address belongs to the object at fff00000c3ec0700
[   18.291991]  which belongs to the cache kmalloc-128 of size 128
[   18.292053] The buggy address is located 120 bytes inside of
[   18.292053]  freed 128-byte region [fff00000c3ec0700, fff00000c3ec0780)
[   18.292125] 
[   18.292162] The buggy address belongs to the physical page:
[   18.292461] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103ec0
[   18.292572] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.292668] page_type: f5(slab)
[   18.292707] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.292901] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.293094] page dumped because: kasan: bad access detected
[   18.293205] 
[   18.293298] Memory state around the buggy address:
[   18.293660]  fff00000c3ec0600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.293742]  fff00000c3ec0680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.293799] >fff00000c3ec0700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.293947]                                                                 ^
[   18.294021]  fff00000c3ec0780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.294228]  fff00000c3ec0800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.294384] ==================================================================
[   18.267887] ==================================================================
[   18.268288] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   18.268636] Read of size 1 at addr fff00000c3ec0700 by task kunit_try_catch/196
[   18.268738] 
[   18.268847] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   18.269058] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.269289] Hardware name: linux,dummy-virt (DT)
[   18.269430] Call trace:
[   18.269536]  show_stack+0x20/0x38 (C)
[   18.269889]  dump_stack_lvl+0x8c/0xd0
[   18.270141]  print_report+0x118/0x608
[   18.270264]  kasan_report+0xdc/0x128
[   18.270426]  __kasan_check_byte+0x54/0x70
[   18.270517]  ksize+0x30/0x88
[   18.270873]  ksize_uaf+0x168/0x5f8
[   18.270938]  kunit_try_run_case+0x170/0x3f0
[   18.271026]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.271252]  kthread+0x328/0x630
[   18.271417]  ret_from_fork+0x10/0x20
[   18.271611] 
[   18.271773] Allocated by task 196:
[   18.271902]  kasan_save_stack+0x3c/0x68
[   18.271952]  kasan_save_track+0x20/0x40
[   18.272333]  kasan_save_alloc_info+0x40/0x58
[   18.272527]  __kasan_kmalloc+0xd4/0xd8
[   18.272691]  __kmalloc_cache_noprof+0x16c/0x3c0
[   18.272799]  ksize_uaf+0xb8/0x5f8
[   18.272928]  kunit_try_run_case+0x170/0x3f0
[   18.273016]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.273389]  kthread+0x328/0x630
[   18.273454]  ret_from_fork+0x10/0x20
[   18.273600] 
[   18.273680] Freed by task 196:
[   18.273844]  kasan_save_stack+0x3c/0x68
[   18.273920]  kasan_save_track+0x20/0x40
[   18.274048]  kasan_save_free_info+0x4c/0x78
[   18.274090]  __kasan_slab_free+0x6c/0x98
[   18.274183]  kfree+0x214/0x3c8
[   18.274612]  ksize_uaf+0x11c/0x5f8
[   18.274744]  kunit_try_run_case+0x170/0x3f0
[   18.274912]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.275163]  kthread+0x328/0x630
[   18.275368]  ret_from_fork+0x10/0x20
[   18.275495] 
[   18.275627] The buggy address belongs to the object at fff00000c3ec0700
[   18.275627]  which belongs to the cache kmalloc-128 of size 128
[   18.275784] The buggy address is located 0 bytes inside of
[   18.275784]  freed 128-byte region [fff00000c3ec0700, fff00000c3ec0780)
[   18.275879] 
[   18.275915] The buggy address belongs to the physical page:
[   18.276107] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103ec0
[   18.276175] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.276229] page_type: f5(slab)
[   18.276501] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.276599] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.276661] page dumped because: kasan: bad access detected
[   18.276786] 
[   18.276917] Memory state around the buggy address:
[   18.277034]  fff00000c3ec0600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.277078]  fff00000c3ec0680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.277120] >fff00000c3ec0700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.277169]                    ^
[   18.277198]  fff00000c3ec0780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.277256]  fff00000c3ec0800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.277293] ==================================================================
[   18.279177] ==================================================================
[   18.279230] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   18.279349] Read of size 1 at addr fff00000c3ec0700 by task kunit_try_catch/196
[   18.279403] 
[   18.279459] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   18.279826] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.279887] Hardware name: linux,dummy-virt (DT)
[   18.279985] Call trace:
[   18.280276]  show_stack+0x20/0x38 (C)
[   18.280414]  dump_stack_lvl+0x8c/0xd0
[   18.280461]  print_report+0x118/0x608
[   18.280692]  kasan_report+0xdc/0x128
[   18.280855]  __asan_report_load1_noabort+0x20/0x30
[   18.280990]  ksize_uaf+0x598/0x5f8
[   18.281037]  kunit_try_run_case+0x170/0x3f0
[   18.281113]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.281186]  kthread+0x328/0x630
[   18.281233]  ret_from_fork+0x10/0x20
[   18.281286] 
[   18.281305] Allocated by task 196:
[   18.281332]  kasan_save_stack+0x3c/0x68
[   18.281382]  kasan_save_track+0x20/0x40
[   18.281430]  kasan_save_alloc_info+0x40/0x58
[   18.281478]  __kasan_kmalloc+0xd4/0xd8
[   18.281526]  __kmalloc_cache_noprof+0x16c/0x3c0
[   18.281582]  ksize_uaf+0xb8/0x5f8
[   18.281615]  kunit_try_run_case+0x170/0x3f0
[   18.281661]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.281709]  kthread+0x328/0x630
[   18.281757]  ret_from_fork+0x10/0x20
[   18.281793] 
[   18.281813] Freed by task 196:
[   18.281854]  kasan_save_stack+0x3c/0x68
[   18.281891]  kasan_save_track+0x20/0x40
[   18.281928]  kasan_save_free_info+0x4c/0x78
[   18.281965]  __kasan_slab_free+0x6c/0x98
[   18.282002]  kfree+0x214/0x3c8
[   18.282035]  ksize_uaf+0x11c/0x5f8
[   18.282068]  kunit_try_run_case+0x170/0x3f0
[   18.282114]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.282165]  kthread+0x328/0x630
[   18.282447]  ret_from_fork+0x10/0x20
[   18.282720] 
[   18.282771] The buggy address belongs to the object at fff00000c3ec0700
[   18.282771]  which belongs to the cache kmalloc-128 of size 128
[   18.282850] The buggy address is located 0 bytes inside of
[   18.282850]  freed 128-byte region [fff00000c3ec0700, fff00000c3ec0780)
[   18.283041] 
[   18.283088] The buggy address belongs to the physical page:
[   18.283119] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103ec0
[   18.283512] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.283618] page_type: f5(slab)
[   18.283807] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.283891] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.284028] page dumped because: kasan: bad access detected
[   18.284091] 
[   18.284111] Memory state around the buggy address:
[   18.284143]  fff00000c3ec0600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.284203]  fff00000c3ec0680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.284568] >fff00000c3ec0700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.284632]                    ^
[   18.284675]  fff00000c3ec0780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.284737]  fff00000c3ec0800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.284908] ==================================================================
Metadata Full log Test run details 

[   14.142007] ==================================================================
[   14.142405] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   14.142719] Read of size 1 at addr ffff8881021dbc00 by task kunit_try_catch/214
[   14.142994] 
[   14.143107] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   14.143156] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.143171] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.143195] Call Trace:
[   14.143214]  <TASK>
[   14.143233]  dump_stack_lvl+0x73/0xb0
[   14.143266]  print_report+0xd1/0x650
[   14.143291]  ? __virt_addr_valid+0x1db/0x2d0
[   14.143316]  ? ksize_uaf+0x5fe/0x6c0
[   14.143339]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.143364]  ? ksize_uaf+0x5fe/0x6c0
[   14.143387]  kasan_report+0x141/0x180
[   14.143412]  ? ksize_uaf+0x5fe/0x6c0
[   14.143440]  __asan_report_load1_noabort+0x18/0x20
[   14.143467]  ksize_uaf+0x5fe/0x6c0
[   14.143490]  ? __pfx_ksize_uaf+0x10/0x10
[   14.143514]  ? __schedule+0x10cc/0x2b60
[   14.143540]  ? __pfx_read_tsc+0x10/0x10
[   14.143564]  ? ktime_get_ts64+0x86/0x230
[   14.143591]  kunit_try_run_case+0x1a5/0x480
[   14.143617]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.143642]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.143668]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.143694]  ? __kthread_parkme+0x82/0x180
[   14.143717]  ? preempt_count_sub+0x50/0x80
[   14.143743]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.143769]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.144012]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.144046]  kthread+0x337/0x6f0
[   14.144069]  ? trace_preempt_on+0x20/0xc0
[   14.144108]  ? __pfx_kthread+0x10/0x10
[   14.144131]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.144204]  ? calculate_sigpending+0x7b/0xa0
[   14.144231]  ? __pfx_kthread+0x10/0x10
[   14.144255]  ret_from_fork+0x116/0x1d0
[   14.144278]  ? __pfx_kthread+0x10/0x10
[   14.144301]  ret_from_fork_asm+0x1a/0x30
[   14.144335]  </TASK>
[   14.144349] 
[   14.152781] Allocated by task 214:
[   14.153021]  kasan_save_stack+0x45/0x70
[   14.153437]  kasan_save_track+0x18/0x40
[   14.153678]  kasan_save_alloc_info+0x3b/0x50
[   14.153905]  __kasan_kmalloc+0xb7/0xc0
[   14.154205]  __kmalloc_cache_noprof+0x189/0x420
[   14.154427]  ksize_uaf+0xaa/0x6c0
[   14.154612]  kunit_try_run_case+0x1a5/0x480
[   14.154845]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.155088]  kthread+0x337/0x6f0
[   14.155343]  ret_from_fork+0x116/0x1d0
[   14.155611]  ret_from_fork_asm+0x1a/0x30
[   14.155840] 
[   14.155953] Freed by task 214:
[   14.156106]  kasan_save_stack+0x45/0x70
[   14.156301]  kasan_save_track+0x18/0x40
[   14.156579]  kasan_save_free_info+0x3f/0x60
[   14.156876]  __kasan_slab_free+0x56/0x70
[   14.157039]  kfree+0x222/0x3f0
[   14.157408]  ksize_uaf+0x12c/0x6c0
[   14.157637]  kunit_try_run_case+0x1a5/0x480
[   14.157898]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.158222]  kthread+0x337/0x6f0
[   14.158427]  ret_from_fork+0x116/0x1d0
[   14.158579]  ret_from_fork_asm+0x1a/0x30
[   14.158738] 
[   14.158832] The buggy address belongs to the object at ffff8881021dbc00
[   14.158832]  which belongs to the cache kmalloc-128 of size 128
[   14.159233] The buggy address is located 0 bytes inside of
[   14.159233]  freed 128-byte region [ffff8881021dbc00, ffff8881021dbc80)
[   14.159830] 
[   14.159942] The buggy address belongs to the physical page:
[   14.160230] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1021db
[   14.160532] flags: 0x200000000000000(node=0|zone=2)
[   14.160719] page_type: f5(slab)
[   14.160869] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   14.161131] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   14.161391] page dumped because: kasan: bad access detected
[   14.162047] 
[   14.162173] Memory state around the buggy address:
[   14.162440]  ffff8881021dbb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.163084]  ffff8881021dbb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.163732] >ffff8881021dbc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.164123]                    ^
[   14.164303]  ffff8881021dbc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.164664]  ffff8881021dbd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.164997] ==================================================================
[   14.115534] ==================================================================
[   14.116895] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   14.117832] Read of size 1 at addr ffff8881021dbc00 by task kunit_try_catch/214
[   14.118384] 
[   14.118643] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   14.118709] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.118725] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.118749] Call Trace:
[   14.118764]  <TASK>
[   14.118785]  dump_stack_lvl+0x73/0xb0
[   14.118835]  print_report+0xd1/0x650
[   14.118861]  ? __virt_addr_valid+0x1db/0x2d0
[   14.118887]  ? ksize_uaf+0x19d/0x6c0
[   14.118910]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.118935]  ? ksize_uaf+0x19d/0x6c0
[   14.118958]  kasan_report+0x141/0x180
[   14.118982]  ? ksize_uaf+0x19d/0x6c0
[   14.119009]  ? ksize_uaf+0x19d/0x6c0
[   14.119031]  __kasan_check_byte+0x3d/0x50
[   14.119055]  ksize+0x20/0x60
[   14.119079]  ksize_uaf+0x19d/0x6c0
[   14.119102]  ? __pfx_ksize_uaf+0x10/0x10
[   14.119126]  ? __schedule+0x10cc/0x2b60
[   14.119151]  ? __pfx_read_tsc+0x10/0x10
[   14.119175]  ? ktime_get_ts64+0x86/0x230
[   14.119203]  kunit_try_run_case+0x1a5/0x480
[   14.119230]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.119313]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.119344]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.119370]  ? __kthread_parkme+0x82/0x180
[   14.119395]  ? preempt_count_sub+0x50/0x80
[   14.119422]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.119448]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.119473]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.119499]  kthread+0x337/0x6f0
[   14.119520]  ? trace_preempt_on+0x20/0xc0
[   14.119546]  ? __pfx_kthread+0x10/0x10
[   14.119569]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.119593]  ? calculate_sigpending+0x7b/0xa0
[   14.119619]  ? __pfx_kthread+0x10/0x10
[   14.119643]  ret_from_fork+0x116/0x1d0
[   14.119665]  ? __pfx_kthread+0x10/0x10
[   14.119688]  ret_from_fork_asm+0x1a/0x30
[   14.119722]  </TASK>
[   14.119736] 
[   14.128684] Allocated by task 214:
[   14.128858]  kasan_save_stack+0x45/0x70
[   14.129056]  kasan_save_track+0x18/0x40
[   14.129672]  kasan_save_alloc_info+0x3b/0x50
[   14.129956]  __kasan_kmalloc+0xb7/0xc0
[   14.130179]  __kmalloc_cache_noprof+0x189/0x420
[   14.130391]  ksize_uaf+0xaa/0x6c0
[   14.130591]  kunit_try_run_case+0x1a5/0x480
[   14.130880]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.131092]  kthread+0x337/0x6f0
[   14.131268]  ret_from_fork+0x116/0x1d0
[   14.131480]  ret_from_fork_asm+0x1a/0x30
[   14.131747] 
[   14.131937] Freed by task 214:
[   14.132071]  kasan_save_stack+0x45/0x70
[   14.132295]  kasan_save_track+0x18/0x40
[   14.132466]  kasan_save_free_info+0x3f/0x60
[   14.132635]  __kasan_slab_free+0x56/0x70
[   14.132807]  kfree+0x222/0x3f0
[   14.132943]  ksize_uaf+0x12c/0x6c0
[   14.133142]  kunit_try_run_case+0x1a5/0x480
[   14.133626]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.133951]  kthread+0x337/0x6f0
[   14.134227]  ret_from_fork+0x116/0x1d0
[   14.134399]  ret_from_fork_asm+0x1a/0x30
[   14.134627] 
[   14.134730] The buggy address belongs to the object at ffff8881021dbc00
[   14.134730]  which belongs to the cache kmalloc-128 of size 128
[   14.135405] The buggy address is located 0 bytes inside of
[   14.135405]  freed 128-byte region [ffff8881021dbc00, ffff8881021dbc80)
[   14.135929] 
[   14.136046] The buggy address belongs to the physical page:
[   14.136449] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1021db
[   14.136860] flags: 0x200000000000000(node=0|zone=2)
[   14.137308] page_type: f5(slab)
[   14.137486] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   14.137752] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   14.138070] page dumped because: kasan: bad access detected
[   14.138489] 
[   14.138607] Memory state around the buggy address:
[   14.138884]  ffff8881021dbb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.139253]  ffff8881021dbb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.139645] >ffff8881021dbc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.139986]                    ^
[   14.140319]  ffff8881021dbc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.140693]  ffff8881021dbd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.140992] ==================================================================
[   14.165685] ==================================================================
[   14.166079] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   14.166631] Read of size 1 at addr ffff8881021dbc78 by task kunit_try_catch/214
[   14.166941] 
[   14.167045] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   14.167093] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.167106] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.167130] Call Trace:
[   14.167149]  <TASK>
[   14.167167]  dump_stack_lvl+0x73/0xb0
[   14.167200]  print_report+0xd1/0x650
[   14.167225]  ? __virt_addr_valid+0x1db/0x2d0
[   14.167250]  ? ksize_uaf+0x5e4/0x6c0
[   14.167273]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.167297]  ? ksize_uaf+0x5e4/0x6c0
[   14.167321]  kasan_report+0x141/0x180
[   14.167346]  ? ksize_uaf+0x5e4/0x6c0
[   14.167374]  __asan_report_load1_noabort+0x18/0x20
[   14.167401]  ksize_uaf+0x5e4/0x6c0
[   14.167424]  ? __pfx_ksize_uaf+0x10/0x10
[   14.167448]  ? __schedule+0x10cc/0x2b60
[   14.167474]  ? __pfx_read_tsc+0x10/0x10
[   14.167498]  ? ktime_get_ts64+0x86/0x230
[   14.167525]  kunit_try_run_case+0x1a5/0x480
[   14.167552]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.167577]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.167603]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.167629]  ? __kthread_parkme+0x82/0x180
[   14.167652]  ? preempt_count_sub+0x50/0x80
[   14.167679]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.167706]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.167731]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.167842]  kthread+0x337/0x6f0
[   14.167870]  ? trace_preempt_on+0x20/0xc0
[   14.167897]  ? __pfx_kthread+0x10/0x10
[   14.167920]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.167944]  ? calculate_sigpending+0x7b/0xa0
[   14.167971]  ? __pfx_kthread+0x10/0x10
[   14.167995]  ret_from_fork+0x116/0x1d0
[   14.168016]  ? __pfx_kthread+0x10/0x10
[   14.168039]  ret_from_fork_asm+0x1a/0x30
[   14.168073]  </TASK>
[   14.168087] 
[   14.176312] Allocated by task 214:
[   14.176472]  kasan_save_stack+0x45/0x70
[   14.176665]  kasan_save_track+0x18/0x40
[   14.179251]  kasan_save_alloc_info+0x3b/0x50
[   14.179705]  __kasan_kmalloc+0xb7/0xc0
[   14.179894]  __kmalloc_cache_noprof+0x189/0x420
[   14.180455]  ksize_uaf+0xaa/0x6c0
[   14.180991]  kunit_try_run_case+0x1a5/0x480
[   14.181873]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.182907]  kthread+0x337/0x6f0
[   14.183638]  ret_from_fork+0x116/0x1d0
[   14.184317]  ret_from_fork_asm+0x1a/0x30
[   14.184746] 
[   14.185172] Freed by task 214:
[   14.185721]  kasan_save_stack+0x45/0x70
[   14.186642]  kasan_save_track+0x18/0x40
[   14.187028]  kasan_save_free_info+0x3f/0x60
[   14.187942]  __kasan_slab_free+0x56/0x70
[   14.188425]  kfree+0x222/0x3f0
[   14.188579]  ksize_uaf+0x12c/0x6c0
[   14.188726]  kunit_try_run_case+0x1a5/0x480
[   14.188917]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.189607]  kthread+0x337/0x6f0
[   14.189983]  ret_from_fork+0x116/0x1d0
[   14.190492]  ret_from_fork_asm+0x1a/0x30
[   14.190813] 
[   14.191013] The buggy address belongs to the object at ffff8881021dbc00
[   14.191013]  which belongs to the cache kmalloc-128 of size 128
[   14.191680] The buggy address is located 120 bytes inside of
[   14.191680]  freed 128-byte region [ffff8881021dbc00, ffff8881021dbc80)
[   14.192322] 
[   14.192653] The buggy address belongs to the physical page:
[   14.193305] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1021db
[   14.194159] flags: 0x200000000000000(node=0|zone=2)
[   14.194749] page_type: f5(slab)
[   14.195187] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   14.196006] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   14.196825] page dumped because: kasan: bad access detected
[   14.197032] 
[   14.197322] Memory state around the buggy address:
[   14.197834]  ffff8881021dbb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.198646]  ffff8881021dbb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.199393] >ffff8881021dbc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.199643]                                                                 ^
[   14.200325]  ffff8881021dbc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.201111]  ffff8881021dbd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.201899] ==================================================================
Metadata Full log Test run details