Date
July 6, 2025, 11:09 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 | |
```
[ 18.295733] ==================================================================
[ 18.295889] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 18.295946] Read of size 1 at addr fff00000c56ed000 by task kunit_try_catch/196
[ 18.296037]
[ 18.296179] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 18.296286] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.296313] Hardware name: linux,dummy-virt (DT)
[ 18.296531] Call trace:
[ 18.296627]  show_stack+0x20/0x38 (C)
[ 18.296721]  dump_stack_lvl+0x8c/0xd0
[ 18.296952]  print_report+0x118/0x608
[ 18.297013]  kasan_report+0xdc/0x128
[ 18.297218]  __kasan_check_byte+0x54/0x70
[ 18.297281]  ksize+0x30/0x88
[ 18.297323]  ksize_uaf+0x168/0x5f8
[ 18.297366]  kunit_try_run_case+0x170/0x3f0
[ 18.297514]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.297737]  kthread+0x328/0x630
[ 18.297782]  ret_from_fork+0x10/0x20
[ 18.297830]
[ 18.297849] Allocated by task 196:
[ 18.297972]  kasan_save_stack+0x3c/0x68
[ 18.298032]  kasan_save_track+0x20/0x40
[ 18.298212]  kasan_save_alloc_info+0x40/0x58
[ 18.298326]  __kasan_kmalloc+0xd4/0xd8
[ 18.298457]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.298587]  ksize_uaf+0xb8/0x5f8
[ 18.298673]  kunit_try_run_case+0x170/0x3f0
[ 18.298711]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.298966]  kthread+0x328/0x630
[ 18.299137]  ret_from_fork+0x10/0x20
[ 18.299223]
[ 18.299243] Freed by task 196:
[ 18.299591]  kasan_save_stack+0x3c/0x68
[ 18.299681]  kasan_save_track+0x20/0x40
[ 18.299740]  kasan_save_free_info+0x4c/0x78
[ 18.299996]  __kasan_slab_free+0x6c/0x98
[ 18.300066]  kfree+0x214/0x3c8
[ 18.300235]  ksize_uaf+0x11c/0x5f8
[ 18.300396]  kunit_try_run_case+0x170/0x3f0
[ 18.300466]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.300618]  kthread+0x328/0x630
[ 18.300669]  ret_from_fork+0x10/0x20
[ 18.300706]
[ 18.300764] The buggy address belongs to the object at fff00000c56ed000
[ 18.300764]  which belongs to the cache kmalloc-128 of size 128
[ 18.300836] The buggy address is located 0 bytes inside of
[ 18.300836]  freed 128-byte region [fff00000c56ed000, fff00000c56ed080)
[ 18.300897]
[ 18.300925] The buggy address belongs to the physical page:
[ 18.300959] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1056ed
[ 18.301022] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.301072] page_type: f5(slab)
[ 18.301111] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 18.301159] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.301212] page dumped because: kasan: bad access detected
[ 18.301244]
[ 18.301284] Memory state around the buggy address:
[ 18.301331]  fff00000c56ecf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.301383]  fff00000c56ecf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.301425] >fff00000c56ed000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.301472]                    ^
[ 18.301894]  fff00000c56ed080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.301988]  fff00000c56ed100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.302050] ==================================================================
[ 18.304421] ==================================================================
[ 18.304474] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 18.304519] Read of size 1 at addr fff00000c56ed000 by task kunit_try_catch/196
[ 18.304620]
[ 18.304677] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 18.304940] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.305005] Hardware name: linux,dummy-virt (DT)
[ 18.305207] Call trace:
[ 18.305270]  show_stack+0x20/0x38 (C)
[ 18.305347]  dump_stack_lvl+0x8c/0xd0
[ 18.305498]  print_report+0x118/0x608
[ 18.305568]  kasan_report+0xdc/0x128
[ 18.305640]  __asan_report_load1_noabort+0x20/0x30
[ 18.305704]  ksize_uaf+0x598/0x5f8
[ 18.305748]  kunit_try_run_case+0x170/0x3f0
[ 18.305797]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.305849]  kthread+0x328/0x630
[ 18.306297]  ret_from_fork+0x10/0x20
[ 18.306516]
[ 18.306621] Allocated by task 196:
[ 18.306699]  kasan_save_stack+0x3c/0x68
[ 18.306769]  kasan_save_track+0x20/0x40
[ 18.306986]  kasan_save_alloc_info+0x40/0x58
[ 18.307332]  __kasan_kmalloc+0xd4/0xd8
[ 18.307516]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.307640]  ksize_uaf+0xb8/0x5f8
[ 18.307770]  kunit_try_run_case+0x170/0x3f0
[ 18.307945]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.308123]  kthread+0x328/0x630
[ 18.308250]  ret_from_fork+0x10/0x20
[ 18.308289]
[ 18.308603] Freed by task 196:
[ 18.308775]  kasan_save_stack+0x3c/0x68
[ 18.308937]  kasan_save_track+0x20/0x40
[ 18.309035]  kasan_save_free_info+0x4c/0x78
[ 18.309122]  __kasan_slab_free+0x6c/0x98
[ 18.309159]  kfree+0x214/0x3c8
[ 18.309202]  ksize_uaf+0x11c/0x5f8
[ 18.309238]  kunit_try_run_case+0x170/0x3f0
[ 18.309276]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.309365]  kthread+0x328/0x630
[ 18.309402]  ret_from_fork+0x10/0x20
[ 18.309446]
[ 18.309465] The buggy address belongs to the object at fff00000c56ed000
[ 18.309465]  which belongs to the cache kmalloc-128 of size 128
[ 18.309779] The buggy address is located 0 bytes inside of
[ 18.309779]  freed 128-byte region [fff00000c56ed000, fff00000c56ed080)
[ 18.309972]
[ 18.309993] The buggy address belongs to the physical page:
[ 18.310025] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1056ed
[ 18.310080] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.310518] page_type: f5(slab)
[ 18.310617] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 18.310836] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.310965] page dumped because: kasan: bad access detected
[ 18.311135]
[ 18.311156] Memory state around the buggy address:
[ 18.311189]  fff00000c56ecf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.311553]  fff00000c56ecf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.311705] >fff00000c56ed000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.311803]                    ^
[ 18.311965]  fff00000c56ed080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.312073]  fff00000c56ed100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.312490] ==================================================================
[ 18.313401] ==================================================================
[ 18.313452] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 18.313857] Read of size 1 at addr fff00000c56ed078 by task kunit_try_catch/196
[ 18.313910]
[ 18.313956] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 18.314245] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.314414] Hardware name: linux,dummy-virt (DT)
[ 18.314492] Call trace:
[ 18.314800]  show_stack+0x20/0x38 (C)
[ 18.314903]  dump_stack_lvl+0x8c/0xd0
[ 18.314962]  print_report+0x118/0x608
[ 18.315294]  kasan_report+0xdc/0x128
[ 18.315522]  __asan_report_load1_noabort+0x20/0x30
[ 18.315720]  ksize_uaf+0x544/0x5f8
[ 18.315811]  kunit_try_run_case+0x170/0x3f0
[ 18.316178]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.316370]  kthread+0x328/0x630
[ 18.316469]  ret_from_fork+0x10/0x20
[ 18.316626]
[ 18.316660] Allocated by task 196:
[ 18.316693]  kasan_save_stack+0x3c/0x68
[ 18.316784]  kasan_save_track+0x20/0x40
[ 18.316832]  kasan_save_alloc_info+0x40/0x58
[ 18.316873]  __kasan_kmalloc+0xd4/0xd8
[ 18.316910]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.316948]  ksize_uaf+0xb8/0x5f8
[ 18.316984]  kunit_try_run_case+0x170/0x3f0
[ 18.317021]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.317075]  kthread+0x328/0x630
[ 18.317106]  ret_from_fork+0x10/0x20
[ 18.317142]
[ 18.317162] Freed by task 196:
[ 18.317188]  kasan_save_stack+0x3c/0x68
[ 18.317569]  kasan_save_track+0x20/0x40
[ 18.317648]  kasan_save_free_info+0x4c/0x78
[ 18.317812]  __kasan_slab_free+0x6c/0x98
[ 18.317907]  kfree+0x214/0x3c8
[ 18.318094]  ksize_uaf+0x11c/0x5f8
[ 18.318285]  kunit_try_run_case+0x170/0x3f0
[ 18.318361]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.318524]  kthread+0x328/0x630
[ 18.318639]  ret_from_fork+0x10/0x20
[ 18.318767]
[ 18.318847] The buggy address belongs to the object at fff00000c56ed000
[ 18.318847]  which belongs to the cache kmalloc-128 of size 128
[ 18.319041] The buggy address is located 120 bytes inside of
[ 18.319041]  freed 128-byte region [fff00000c56ed000, fff00000c56ed080)
[ 18.319232]
[ 18.319278] The buggy address belongs to the physical page:
[ 18.319546] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1056ed
[ 18.319715] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.319893] page_type: f5(slab)
[ 18.319990] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 18.320050] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.320490] page dumped because: kasan: bad access detected
[ 18.320545]
[ 18.320639] Memory state around the buggy address:
[ 18.320825]  fff00000c56ecf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.321183]  fff00000c56ecf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.321294] >fff00000c56ed000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.321983]                                                                 ^
[ 18.322090]  fff00000c56ed080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.322138]  fff00000c56ed100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.322175] ==================================================================
```
```
[ 12.132210] ==================================================================
[ 12.132855] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 12.133117] Read of size 1 at addr ffff888102794478 by task kunit_try_catch/213
[ 12.133332]
[ 12.133528] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 12.133572] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.133584] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.133604] Call Trace:
[ 12.133622]  <TASK>
[ 12.133639]  dump_stack_lvl+0x73/0xb0
[ 12.133665]  print_report+0xd1/0x650
[ 12.133687]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.133709]  ? ksize_uaf+0x5e4/0x6c0
[ 12.133729]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.133751]  ? ksize_uaf+0x5e4/0x6c0
[ 12.133771]  kasan_report+0x141/0x180
[ 12.133792]  ? ksize_uaf+0x5e4/0x6c0
[ 12.133842]  __asan_report_load1_noabort+0x18/0x20
[ 12.133868]  ksize_uaf+0x5e4/0x6c0
[ 12.133891]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.133916]  ? __schedule+0x10cc/0x2b60
[ 12.133955]  ? __pfx_read_tsc+0x10/0x10
[ 12.133976]  ? ktime_get_ts64+0x86/0x230
[ 12.133999]  kunit_try_run_case+0x1a5/0x480
[ 12.134041]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.134062]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.134085]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.134107]  ? __kthread_parkme+0x82/0x180
[ 12.134126]  ? preempt_count_sub+0x50/0x80
[ 12.134149]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.134171]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.134193]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.134215]  kthread+0x337/0x6f0
[ 12.134234]  ? trace_preempt_on+0x20/0xc0
[ 12.134256]  ? __pfx_kthread+0x10/0x10
[ 12.134276]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.134314]  ? calculate_sigpending+0x7b/0xa0
[ 12.134337]  ? __pfx_kthread+0x10/0x10
[ 12.134358]  ret_from_fork+0x116/0x1d0
[ 12.134376]  ? __pfx_kthread+0x10/0x10
[ 12.134396]  ret_from_fork_asm+0x1a/0x30
[ 12.134426]  </TASK>
[ 12.134437]
[ 12.147604] Allocated by task 213:
[ 12.147744]  kasan_save_stack+0x45/0x70
[ 12.147890]  kasan_save_track+0x18/0x40
[ 12.148042]  kasan_save_alloc_info+0x3b/0x50
[ 12.148428]  __kasan_kmalloc+0xb7/0xc0
[ 12.148758]  __kmalloc_cache_noprof+0x189/0x420
[ 12.149426]  ksize_uaf+0xaa/0x6c0
[ 12.149863]  kunit_try_run_case+0x1a5/0x480
[ 12.150269]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.150902]  kthread+0x337/0x6f0
[ 12.151251]  ret_from_fork+0x116/0x1d0
[ 12.151588]  ret_from_fork_asm+0x1a/0x30
[ 12.151848]
[ 12.151921] Freed by task 213:
[ 12.152046]  kasan_save_stack+0x45/0x70
[ 12.152186]  kasan_save_track+0x18/0x40
[ 12.152320]  kasan_save_free_info+0x3f/0x60
[ 12.152477]  __kasan_slab_free+0x56/0x70
[ 12.152969]  kfree+0x222/0x3f0
[ 12.153259]  ksize_uaf+0x12c/0x6c0
[ 12.153611]  kunit_try_run_case+0x1a5/0x480
[ 12.154071]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.154696]  kthread+0x337/0x6f0
[ 12.155015]  ret_from_fork+0x116/0x1d0
[ 12.155386]  ret_from_fork_asm+0x1a/0x30
[ 12.155788]
[ 12.155966] The buggy address belongs to the object at ffff888102794400
[ 12.155966]  which belongs to the cache kmalloc-128 of size 128
[ 12.157037] The buggy address is located 120 bytes inside of
[ 12.157037]  freed 128-byte region [ffff888102794400, ffff888102794480)
[ 12.157395]
[ 12.157481] The buggy address belongs to the physical page:
[ 12.158009] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102794
[ 12.158769] flags: 0x200000000000000(node=0|zone=2)
[ 12.159327] page_type: f5(slab)
[ 12.159694] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.160748] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.161247] page dumped because: kasan: bad access detected
[ 12.161420]
[ 12.161511] Memory state around the buggy address:
[ 12.162005]  ffff888102794300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.162706]  ffff888102794380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.163452] >ffff888102794400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.163982]                                                                 ^
[ 12.164471]  ffff888102794480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.165324]  ffff888102794500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.165731] ==================================================================
[ 12.064220] ==================================================================
[ 12.065349] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 12.065857] Read of size 1 at addr ffff888102794400 by task kunit_try_catch/213
[ 12.066112]
[ 12.066342] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 12.066388] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.066400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.066421] Call Trace:
[ 12.066434]  <TASK>
[ 12.066451]  dump_stack_lvl+0x73/0xb0
[ 12.066481]  print_report+0xd1/0x650
[ 12.066504]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.066843]  ? ksize_uaf+0x19d/0x6c0
[ 12.066870]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.066893]  ? ksize_uaf+0x19d/0x6c0
[ 12.066914]  kasan_report+0x141/0x180
[ 12.066949]  ? ksize_uaf+0x19d/0x6c0
[ 12.066973]  ? ksize_uaf+0x19d/0x6c0
[ 12.066993]  __kasan_check_byte+0x3d/0x50
[ 12.067015]  ksize+0x20/0x60
[ 12.067036]  ksize_uaf+0x19d/0x6c0
[ 12.067066]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.067087]  ? __schedule+0x10cc/0x2b60
[ 12.067115]  ? __pfx_read_tsc+0x10/0x10
[ 12.067136]  ? ktime_get_ts64+0x86/0x230
[ 12.067159]  kunit_try_run_case+0x1a5/0x480
[ 12.067184]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.067205]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.067228]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.067250]  ? __kthread_parkme+0x82/0x180
[ 12.067270]  ? preempt_count_sub+0x50/0x80
[ 12.067295]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.067318]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.067341]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.067363]  kthread+0x337/0x6f0
[ 12.067383]  ? trace_preempt_on+0x20/0xc0
[ 12.067405]  ? __pfx_kthread+0x10/0x10
[ 12.067426]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.067446]  ? calculate_sigpending+0x7b/0xa0
[ 12.067469]  ? __pfx_kthread+0x10/0x10
[ 12.067490]  ret_from_fork+0x116/0x1d0
[ 12.067508]  ? __pfx_kthread+0x10/0x10
[ 12.067528]  ret_from_fork_asm+0x1a/0x30
[ 12.067558]  </TASK>
[ 12.067569]
[ 12.080790] Allocated by task 213:
[ 12.081240]  kasan_save_stack+0x45/0x70
[ 12.081801]  kasan_save_track+0x18/0x40
[ 12.082012]  kasan_save_alloc_info+0x3b/0x50
[ 12.082279]  __kasan_kmalloc+0xb7/0xc0
[ 12.082440]  __kmalloc_cache_noprof+0x189/0x420
[ 12.082972]  ksize_uaf+0xaa/0x6c0
[ 12.083251]  kunit_try_run_case+0x1a5/0x480
[ 12.083447]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.083993]  kthread+0x337/0x6f0
[ 12.084250]  ret_from_fork+0x116/0x1d0
[ 12.084708]  ret_from_fork_asm+0x1a/0x30
[ 12.084912]
[ 12.085024] Freed by task 213:
[ 12.085458]  kasan_save_stack+0x45/0x70
[ 12.085820]  kasan_save_track+0x18/0x40
[ 12.086055]  kasan_save_free_info+0x3f/0x60
[ 12.086411]  __kasan_slab_free+0x56/0x70
[ 12.086711]  kfree+0x222/0x3f0
[ 12.087099]  ksize_uaf+0x12c/0x6c0
[ 12.087270]  kunit_try_run_case+0x1a5/0x480
[ 12.087723]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.088004]  kthread+0x337/0x6f0
[ 12.088355]  ret_from_fork+0x116/0x1d0
[ 12.088838]  ret_from_fork_asm+0x1a/0x30
[ 12.089180]
[ 12.089290] The buggy address belongs to the object at ffff888102794400
[ 12.089290]  which belongs to the cache kmalloc-128 of size 128
[ 12.090321] The buggy address is located 0 bytes inside of
[ 12.090321]  freed 128-byte region [ffff888102794400, ffff888102794480)
[ 12.090695]
[ 12.090776] The buggy address belongs to the physical page:
[ 12.090961] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102794
[ 12.091329] flags: 0x200000000000000(node=0|zone=2)
[ 12.091700] page_type: f5(slab)
[ 12.092141] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.092659] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.093233] page dumped because: kasan: bad access detected
[ 12.093797]
[ 12.093999] Memory state around the buggy address:
[ 12.094309]  ffff888102794300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.094757]  ffff888102794380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.095429] >ffff888102794400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.096210]                    ^
[ 12.096373]  ffff888102794480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.097175]  ffff888102794500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.097408] ==================================================================
[ 12.098508] ==================================================================
[ 12.099281] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 12.099593] Read of size 1 at addr ffff888102794400 by task kunit_try_catch/213
[ 12.100322]
[ 12.100528] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 12.100573] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.100585] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.100606] Call Trace:
[ 12.100620]  <TASK>
[ 12.100636]  dump_stack_lvl+0x73/0xb0
[ 12.100663]  print_report+0xd1/0x650
[ 12.100685]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.100706]  ? ksize_uaf+0x5fe/0x6c0
[ 12.100765]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.100787]  ? ksize_uaf+0x5fe/0x6c0
[ 12.100808]  kasan_report+0x141/0x180
[ 12.100829]  ? ksize_uaf+0x5fe/0x6c0
[ 12.100861]  __asan_report_load1_noabort+0x18/0x20
[ 12.100884]  ksize_uaf+0x5fe/0x6c0
[ 12.100904]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.100925]  ? __schedule+0x10cc/0x2b60
[ 12.100956]  ? __pfx_read_tsc+0x10/0x10
[ 12.100976]  ? ktime_get_ts64+0x86/0x230
[ 12.100999]  kunit_try_run_case+0x1a5/0x480
[ 12.101023]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.101062]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.101086]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.101109]  ? __kthread_parkme+0x82/0x180
[ 12.101128]  ? preempt_count_sub+0x50/0x80
[ 12.101151]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.101174]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.101195]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.101217]  kthread+0x337/0x6f0
[ 12.101236]  ? trace_preempt_on+0x20/0xc0
[ 12.101260]  ? __pfx_kthread+0x10/0x10
[ 12.101279]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.101299]  ? calculate_sigpending+0x7b/0xa0
[ 12.101322]  ? __pfx_kthread+0x10/0x10
[ 12.101343]  ret_from_fork+0x116/0x1d0
[ 12.101361]  ? __pfx_kthread+0x10/0x10
[ 12.101381]  ret_from_fork_asm+0x1a/0x30
[ 12.101411]  </TASK>
[ 12.101422]
[ 12.112836] Allocated by task 213:
[ 12.113239]  kasan_save_stack+0x45/0x70
[ 12.113442]  kasan_save_track+0x18/0x40
[ 12.113734]  kasan_save_alloc_info+0x3b/0x50
[ 12.114286]  __kasan_kmalloc+0xb7/0xc0
[ 12.114682]  __kmalloc_cache_noprof+0x189/0x420
[ 12.115221]  ksize_uaf+0xaa/0x6c0
[ 12.115576]  kunit_try_run_case+0x1a5/0x480
[ 12.115888]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.116452]  kthread+0x337/0x6f0
[ 12.116842]  ret_from_fork+0x116/0x1d0
[ 12.116992]  ret_from_fork_asm+0x1a/0x30
[ 12.117172]
[ 12.117330] Freed by task 213:
[ 12.117638]  kasan_save_stack+0x45/0x70
[ 12.118047]  kasan_save_track+0x18/0x40
[ 12.118466]  kasan_save_free_info+0x3f/0x60
[ 12.118897]  __kasan_slab_free+0x56/0x70
[ 12.119353]  kfree+0x222/0x3f0
[ 12.119548]  ksize_uaf+0x12c/0x6c0
[ 12.119840]  kunit_try_run_case+0x1a5/0x480
[ 12.120230]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.120815]  kthread+0x337/0x6f0
[ 12.121194]  ret_from_fork+0x116/0x1d0
[ 12.121405]  ret_from_fork_asm+0x1a/0x30
[ 12.121857]
[ 12.122029] The buggy address belongs to the object at ffff888102794400
[ 12.122029]  which belongs to the cache kmalloc-128 of size 128
[ 12.122884] The buggy address is located 0 bytes inside of
[ 12.122884]  freed 128-byte region [ffff888102794400, ffff888102794480)
[ 12.123907]
[ 12.123994] The buggy address belongs to the physical page:
[ 12.124307] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102794
[ 12.125095] flags: 0x200000000000000(node=0|zone=2)
[ 12.125619] page_type: f5(slab)
[ 12.125928] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.126628] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.127229] page dumped because: kasan: bad access detected
[ 12.127752]
[ 12.127968] Memory state around the buggy address:
[ 12.128283]  ffff888102794300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.128973]  ffff888102794380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.129274] >ffff888102794400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.129947]                    ^
[ 12.130326]  ffff888102794480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.131062]  ffff888102794500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.131431] ==================================================================
```