Hay
Date
July 2, 2025, 11:09 p.m.

Environment
qemu-arm64
qemu-x86_64

Note: the KASAN slab-use-after-free reports below are emitted by the KASAN KUnit self-test case `ksize_uaf` (task `kunit_try_catch`, kernel tainted `[N]=TEST`) on 6.16.0-rc4 under QEMU; on each architecture the three reports are the expected ones — one raised inside `ksize()` on the freed pointer and two from 1-byte reads at offsets 0 and 120 of the freed 128-byte `kmalloc-128` object — so they document KASAN's detection working, not a vulnerability in the kernel under test.

[   18.403348] ==================================================================
[   18.403593] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   18.403654] Read of size 1 at addr fff00000c706f500 by task kunit_try_catch/196
[   18.404116] 
[   18.404192] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   18.404276] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.404303] Hardware name: linux,dummy-virt (DT)
[   18.404473] Call trace:
[   18.404517]  show_stack+0x20/0x38 (C)
[   18.404571]  dump_stack_lvl+0x8c/0xd0
[   18.404635]  print_report+0x118/0x608
[   18.404681]  kasan_report+0xdc/0x128
[   18.405072]  __asan_report_load1_noabort+0x20/0x30
[   18.405183]  ksize_uaf+0x598/0x5f8
[   18.405288]  kunit_try_run_case+0x170/0x3f0
[   18.405426]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.405527]  kthread+0x328/0x630
[   18.405704]  ret_from_fork+0x10/0x20
[   18.405916] 
[   18.405960] Allocated by task 196:
[   18.406127]  kasan_save_stack+0x3c/0x68
[   18.406197]  kasan_save_track+0x20/0x40
[   18.406509]  kasan_save_alloc_info+0x40/0x58
[   18.406648]  __kasan_kmalloc+0xd4/0xd8
[   18.406745]  __kmalloc_cache_noprof+0x16c/0x3c0
[   18.406799]  ksize_uaf+0xb8/0x5f8
[   18.406837]  kunit_try_run_case+0x170/0x3f0
[   18.407168]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.407301]  kthread+0x328/0x630
[   18.407378]  ret_from_fork+0x10/0x20
[   18.407608] 
[   18.407729] Freed by task 196:
[   18.407797]  kasan_save_stack+0x3c/0x68
[   18.407957]  kasan_save_track+0x20/0x40
[   18.408117]  kasan_save_free_info+0x4c/0x78
[   18.408160]  __kasan_slab_free+0x6c/0x98
[   18.408292]  kfree+0x214/0x3c8
[   18.408334]  ksize_uaf+0x11c/0x5f8
[   18.408367]  kunit_try_run_case+0x170/0x3f0
[   18.408405]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.408465]  kthread+0x328/0x630
[   18.408525]  ret_from_fork+0x10/0x20
[   18.408569] 
[   18.408600] The buggy address belongs to the object at fff00000c706f500
[   18.408600]  which belongs to the cache kmalloc-128 of size 128
[   18.408658] The buggy address is located 0 bytes inside of
[   18.408658]  freed 128-byte region [fff00000c706f500, fff00000c706f580)
[   18.408719] 
[   18.408745] The buggy address belongs to the physical page:
[   18.408794] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10706f
[   18.408861] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.408918] page_type: f5(slab)
[   18.408960] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.409010] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.409059] page dumped because: kasan: bad access detected
[   18.409092] 
[   18.409119] Memory state around the buggy address:
[   18.409156]  fff00000c706f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.409199]  fff00000c706f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.409251] >fff00000c706f500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.409298]                    ^
[   18.409325]  fff00000c706f580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.409368]  fff00000c706f600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.409415] ==================================================================
[   18.392479] ==================================================================
[   18.392538] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   18.392604] Read of size 1 at addr fff00000c706f500 by task kunit_try_catch/196
[   18.392654] 
[   18.392686] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   18.393172] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.393310] Hardware name: linux,dummy-virt (DT)
[   18.393416] Call trace:
[   18.393477]  show_stack+0x20/0x38 (C)
[   18.393560]  dump_stack_lvl+0x8c/0xd0
[   18.393617]  print_report+0x118/0x608
[   18.393663]  kasan_report+0xdc/0x128
[   18.394109]  __kasan_check_byte+0x54/0x70
[   18.394208]  ksize+0x30/0x88
[   18.394307]  ksize_uaf+0x168/0x5f8
[   18.394559]  kunit_try_run_case+0x170/0x3f0
[   18.394645]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.395028]  kthread+0x328/0x630
[   18.395108]  ret_from_fork+0x10/0x20
[   18.395194] 
[   18.395289] Allocated by task 196:
[   18.395369]  kasan_save_stack+0x3c/0x68
[   18.395457]  kasan_save_track+0x20/0x40
[   18.395506]  kasan_save_alloc_info+0x40/0x58
[   18.395544]  __kasan_kmalloc+0xd4/0xd8
[   18.395807]  __kmalloc_cache_noprof+0x16c/0x3c0
[   18.395983]  ksize_uaf+0xb8/0x5f8
[   18.396188]  kunit_try_run_case+0x170/0x3f0
[   18.396385]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.396433]  kthread+0x328/0x630
[   18.396465]  ret_from_fork+0x10/0x20
[   18.396536] 
[   18.396593] Freed by task 196:
[   18.397315]  kasan_save_stack+0x3c/0x68
[   18.397693]  kasan_save_track+0x20/0x40
[   18.397775]  kasan_save_free_info+0x4c/0x78
[   18.397856]  __kasan_slab_free+0x6c/0x98
[   18.397968]  kfree+0x214/0x3c8
[   18.398063]  ksize_uaf+0x11c/0x5f8
[   18.398115]  kunit_try_run_case+0x170/0x3f0
[   18.398190]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.398284]  kthread+0x328/0x630
[   18.398635]  ret_from_fork+0x10/0x20
[   18.398703] 
[   18.398770] The buggy address belongs to the object at fff00000c706f500
[   18.398770]  which belongs to the cache kmalloc-128 of size 128
[   18.399252] The buggy address is located 0 bytes inside of
[   18.399252]  freed 128-byte region [fff00000c706f500, fff00000c706f580)
[   18.399613] 
[   18.399764] The buggy address belongs to the physical page:
[   18.399870] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10706f
[   18.399969] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.400061] page_type: f5(slab)
[   18.400102] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.400151] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.400193] page dumped because: kasan: bad access detected
[   18.400225] 
[   18.400242] Memory state around the buggy address:
[   18.400283]  fff00000c706f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.400343]  fff00000c706f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.400396] >fff00000c706f500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.400443]                    ^
[   18.400491]  fff00000c706f580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.400552]  fff00000c706f600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.400599] ==================================================================
[   18.410465] ==================================================================
[   18.410781] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   18.410996] Read of size 1 at addr fff00000c706f578 by task kunit_try_catch/196
[   18.411057] 
[   18.411094] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   18.411182] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.411209] Hardware name: linux,dummy-virt (DT)
[   18.411412] Call trace:
[   18.411483]  show_stack+0x20/0x38 (C)
[   18.411537]  dump_stack_lvl+0x8c/0xd0
[   18.411702]  print_report+0x118/0x608
[   18.411765]  kasan_report+0xdc/0x128
[   18.411810]  __asan_report_load1_noabort+0x20/0x30
[   18.411867]  ksize_uaf+0x544/0x5f8
[   18.411911]  kunit_try_run_case+0x170/0x3f0
[   18.411956]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.412009]  kthread+0x328/0x630
[   18.412589]  ret_from_fork+0x10/0x20
[   18.412673] 
[   18.412725] Allocated by task 196:
[   18.412878]  kasan_save_stack+0x3c/0x68
[   18.412977]  kasan_save_track+0x20/0x40
[   18.413129]  kasan_save_alloc_info+0x40/0x58
[   18.413236]  __kasan_kmalloc+0xd4/0xd8
[   18.413276]  __kmalloc_cache_noprof+0x16c/0x3c0
[   18.413461]  ksize_uaf+0xb8/0x5f8
[   18.413636]  kunit_try_run_case+0x170/0x3f0
[   18.413785]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.413883]  kthread+0x328/0x630
[   18.413984]  ret_from_fork+0x10/0x20
[   18.414125] 
[   18.414298] Freed by task 196:
[   18.414354]  kasan_save_stack+0x3c/0x68
[   18.414724]  kasan_save_track+0x20/0x40
[   18.414808]  kasan_save_free_info+0x4c/0x78
[   18.414968]  __kasan_slab_free+0x6c/0x98
[   18.415072]  kfree+0x214/0x3c8
[   18.415213]  ksize_uaf+0x11c/0x5f8
[   18.415311]  kunit_try_run_case+0x170/0x3f0
[   18.415368]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.415419]  kthread+0x328/0x630
[   18.415816]  ret_from_fork+0x10/0x20
[   18.415878] 
[   18.415988] The buggy address belongs to the object at fff00000c706f500
[   18.415988]  which belongs to the cache kmalloc-128 of size 128
[   18.416103] The buggy address is located 120 bytes inside of
[   18.416103]  freed 128-byte region [fff00000c706f500, fff00000c706f580)
[   18.416312] 
[   18.416572] The buggy address belongs to the physical page:
[   18.416847] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10706f
[   18.416981] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.417135] page_type: f5(slab)
[   18.417203] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.417267] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.417372] page dumped because: kasan: bad access detected
[   18.417450] 
[   18.417471] Memory state around the buggy address:
[   18.417863]  fff00000c706f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.417934]  fff00000c706f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.418051] >fff00000c706f500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.418160]                                                                 ^
[   18.418324]  fff00000c706f580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.418410]  fff00000c706f600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.418501] ==================================================================

[   11.864305] ==================================================================
[   11.864805] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   11.865328] Read of size 1 at addr ffff888102c8b200 by task kunit_try_catch/215
[   11.865780] 
[   11.866266] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   11.866317] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.866328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.866350] Call Trace:
[   11.866361]  <TASK>
[   11.866394]  dump_stack_lvl+0x73/0xb0
[   11.866427]  print_report+0xd1/0x650
[   11.866450]  ? __virt_addr_valid+0x1db/0x2d0
[   11.866474]  ? ksize_uaf+0x19d/0x6c0
[   11.866494]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.866517]  ? ksize_uaf+0x19d/0x6c0
[   11.866538]  kasan_report+0x141/0x180
[   11.866559]  ? ksize_uaf+0x19d/0x6c0
[   11.866583]  ? ksize_uaf+0x19d/0x6c0
[   11.866602]  __kasan_check_byte+0x3d/0x50
[   11.866624]  ksize+0x20/0x60
[   11.866645]  ksize_uaf+0x19d/0x6c0
[   11.866666]  ? __pfx_ksize_uaf+0x10/0x10
[   11.866687]  ? __schedule+0x10cc/0x2b60
[   11.866708]  ? __pfx_read_tsc+0x10/0x10
[   11.866729]  ? ktime_get_ts64+0x86/0x230
[   11.866753]  kunit_try_run_case+0x1a5/0x480
[   11.866778]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.866799]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.866824]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.866846]  ? __kthread_parkme+0x82/0x180
[   11.866867]  ? preempt_count_sub+0x50/0x80
[   11.866890]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.866913]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.866934]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.866955]  kthread+0x337/0x6f0
[   11.866973]  ? trace_preempt_on+0x20/0xc0
[   11.866995]  ? __pfx_kthread+0x10/0x10
[   11.867015]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.867034]  ? calculate_sigpending+0x7b/0xa0
[   11.867058]  ? __pfx_kthread+0x10/0x10
[   11.867077]  ret_from_fork+0x116/0x1d0
[   11.867095]  ? __pfx_kthread+0x10/0x10
[   11.867114]  ret_from_fork_asm+0x1a/0x30
[   11.867144]  </TASK>
[   11.867154] 
[   11.878140] Allocated by task 215:
[   11.878310]  kasan_save_stack+0x45/0x70
[   11.878755]  kasan_save_track+0x18/0x40
[   11.879025]  kasan_save_alloc_info+0x3b/0x50
[   11.879196]  __kasan_kmalloc+0xb7/0xc0
[   11.879497]  __kmalloc_cache_noprof+0x189/0x420
[   11.880044]  ksize_uaf+0xaa/0x6c0
[   11.880327]  kunit_try_run_case+0x1a5/0x480
[   11.880542]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.881094]  kthread+0x337/0x6f0
[   11.881348]  ret_from_fork+0x116/0x1d0
[   11.881531]  ret_from_fork_asm+0x1a/0x30
[   11.881989] 
[   11.882230] Freed by task 215:
[   11.882380]  kasan_save_stack+0x45/0x70
[   11.882770]  kasan_save_track+0x18/0x40
[   11.882940]  kasan_save_free_info+0x3f/0x60
[   11.883288]  __kasan_slab_free+0x56/0x70
[   11.883506]  kfree+0x222/0x3f0
[   11.884018]  ksize_uaf+0x12c/0x6c0
[   11.884192]  kunit_try_run_case+0x1a5/0x480
[   11.884348]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.884658]  kthread+0x337/0x6f0
[   11.885234]  ret_from_fork+0x116/0x1d0
[   11.885410]  ret_from_fork_asm+0x1a/0x30
[   11.885853] 
[   11.885950] The buggy address belongs to the object at ffff888102c8b200
[   11.885950]  which belongs to the cache kmalloc-128 of size 128
[   11.886476] The buggy address is located 0 bytes inside of
[   11.886476]  freed 128-byte region [ffff888102c8b200, ffff888102c8b280)
[   11.887408] 
[   11.887502] The buggy address belongs to the physical page:
[   11.888092] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c8b
[   11.888559] flags: 0x200000000000000(node=0|zone=2)
[   11.888951] page_type: f5(slab)
[   11.889119] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.889470] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.890133] page dumped because: kasan: bad access detected
[   11.890467] 
[   11.890545] Memory state around the buggy address:
[   11.891024]  ffff888102c8b100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.891321]  ffff888102c8b180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.891842] >ffff888102c8b200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.892199]                    ^
[   11.892382]  ffff888102c8b280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.892975]  ffff888102c8b300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.893364] ==================================================================
[   11.893962] ==================================================================
[   11.894209] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   11.894530] Read of size 1 at addr ffff888102c8b200 by task kunit_try_catch/215
[   11.895022] 
[   11.895116] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   11.895160] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.895171] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.895191] Call Trace:
[   11.895211]  <TASK>
[   11.895230]  dump_stack_lvl+0x73/0xb0
[   11.895258]  print_report+0xd1/0x650
[   11.895281]  ? __virt_addr_valid+0x1db/0x2d0
[   11.895303]  ? ksize_uaf+0x5fe/0x6c0
[   11.895322]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.895343]  ? ksize_uaf+0x5fe/0x6c0
[   11.895362]  kasan_report+0x141/0x180
[   11.895886]  ? ksize_uaf+0x5fe/0x6c0
[   11.895923]  __asan_report_load1_noabort+0x18/0x20
[   11.895948]  ksize_uaf+0x5fe/0x6c0
[   11.895969]  ? __pfx_ksize_uaf+0x10/0x10
[   11.895989]  ? __schedule+0x10cc/0x2b60
[   11.896010]  ? __pfx_read_tsc+0x10/0x10
[   11.896030]  ? ktime_get_ts64+0x86/0x230
[   11.896053]  kunit_try_run_case+0x1a5/0x480
[   11.896077]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.896098]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.896119]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.896140]  ? __kthread_parkme+0x82/0x180
[   11.896160]  ? preempt_count_sub+0x50/0x80
[   11.896183]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.896205]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.896227]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.896248]  kthread+0x337/0x6f0
[   11.896266]  ? trace_preempt_on+0x20/0xc0
[   11.896289]  ? __pfx_kthread+0x10/0x10
[   11.896308]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.896327]  ? calculate_sigpending+0x7b/0xa0
[   11.896350]  ? __pfx_kthread+0x10/0x10
[   11.896382]  ret_from_fork+0x116/0x1d0
[   11.896400]  ? __pfx_kthread+0x10/0x10
[   11.896419]  ret_from_fork_asm+0x1a/0x30
[   11.896448]  </TASK>
[   11.896459] 
[   11.906278] Allocated by task 215:
[   11.906461]  kasan_save_stack+0x45/0x70
[   11.906952]  kasan_save_track+0x18/0x40
[   11.907138]  kasan_save_alloc_info+0x3b/0x50
[   11.907332]  __kasan_kmalloc+0xb7/0xc0
[   11.907531]  __kmalloc_cache_noprof+0x189/0x420
[   11.908159]  ksize_uaf+0xaa/0x6c0
[   11.908323]  kunit_try_run_case+0x1a5/0x480
[   11.908622]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.908960]  kthread+0x337/0x6f0
[   11.909126]  ret_from_fork+0x116/0x1d0
[   11.909299]  ret_from_fork_asm+0x1a/0x30
[   11.909493] 
[   11.909945] Freed by task 215:
[   11.910104]  kasan_save_stack+0x45/0x70
[   11.910262]  kasan_save_track+0x18/0x40
[   11.910568]  kasan_save_free_info+0x3f/0x60
[   11.910869]  __kasan_slab_free+0x56/0x70
[   11.911166]  kfree+0x222/0x3f0
[   11.911329]  ksize_uaf+0x12c/0x6c0
[   11.911502]  kunit_try_run_case+0x1a5/0x480
[   11.911905]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.912127]  kthread+0x337/0x6f0
[   11.912293]  ret_from_fork+0x116/0x1d0
[   11.912481]  ret_from_fork_asm+0x1a/0x30
[   11.912654] 
[   11.913207] The buggy address belongs to the object at ffff888102c8b200
[   11.913207]  which belongs to the cache kmalloc-128 of size 128
[   11.913718] The buggy address is located 0 bytes inside of
[   11.913718]  freed 128-byte region [ffff888102c8b200, ffff888102c8b280)
[   11.914381] 
[   11.914489] The buggy address belongs to the physical page:
[   11.915014] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c8b
[   11.915338] flags: 0x200000000000000(node=0|zone=2)
[   11.915579] page_type: f5(slab)
[   11.915913] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.916247] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.916574] page dumped because: kasan: bad access detected
[   11.916798] 
[   11.917249] Memory state around the buggy address:
[   11.917472]  ffff888102c8b100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.918033]  ffff888102c8b180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.918433] >ffff888102c8b200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.918742]                    ^
[   11.919012]  ffff888102c8b280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.919304]  ffff888102c8b300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.919612] ==================================================================
[   11.920571] ==================================================================
[   11.920999] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   11.921602] Read of size 1 at addr ffff888102c8b278 by task kunit_try_catch/215
[   11.922028] 
[   11.922265] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   11.922388] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.922458] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.922479] Call Trace:
[   11.922545]  <TASK>
[   11.922563]  dump_stack_lvl+0x73/0xb0
[   11.922644]  print_report+0xd1/0x650
[   11.922666]  ? __virt_addr_valid+0x1db/0x2d0
[   11.922688]  ? ksize_uaf+0x5e4/0x6c0
[   11.922707]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.922728]  ? ksize_uaf+0x5e4/0x6c0
[   11.922747]  kasan_report+0x141/0x180
[   11.922768]  ? ksize_uaf+0x5e4/0x6c0
[   11.922792]  __asan_report_load1_noabort+0x18/0x20
[   11.922814]  ksize_uaf+0x5e4/0x6c0
[   11.922834]  ? __pfx_ksize_uaf+0x10/0x10
[   11.922854]  ? __schedule+0x10cc/0x2b60
[   11.922875]  ? __pfx_read_tsc+0x10/0x10
[   11.922894]  ? ktime_get_ts64+0x86/0x230
[   11.922917]  kunit_try_run_case+0x1a5/0x480
[   11.922940]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.922960]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.922981]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.923002]  ? __kthread_parkme+0x82/0x180
[   11.923022]  ? preempt_count_sub+0x50/0x80
[   11.923044]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.923066]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.923087]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.923109]  kthread+0x337/0x6f0
[   11.923127]  ? trace_preempt_on+0x20/0xc0
[   11.923150]  ? __pfx_kthread+0x10/0x10
[   11.923169]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.923189]  ? calculate_sigpending+0x7b/0xa0
[   11.923211]  ? __pfx_kthread+0x10/0x10
[   11.923231]  ret_from_fork+0x116/0x1d0
[   11.923249]  ? __pfx_kthread+0x10/0x10
[   11.923267]  ret_from_fork_asm+0x1a/0x30
[   11.923296]  </TASK>
[   11.923307] 
[   11.933284] Allocated by task 215:
[   11.933743]  kasan_save_stack+0x45/0x70
[   11.933957]  kasan_save_track+0x18/0x40
[   11.934129]  kasan_save_alloc_info+0x3b/0x50
[   11.934326]  __kasan_kmalloc+0xb7/0xc0
[   11.934524]  __kmalloc_cache_noprof+0x189/0x420
[   11.934737]  ksize_uaf+0xaa/0x6c0
[   11.935432]  kunit_try_run_case+0x1a5/0x480
[   11.935838]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.936083]  kthread+0x337/0x6f0
[   11.936228]  ret_from_fork+0x116/0x1d0
[   11.936721]  ret_from_fork_asm+0x1a/0x30
[   11.937017] 
[   11.937095] Freed by task 215:
[   11.937386]  kasan_save_stack+0x45/0x70
[   11.937570]  kasan_save_track+0x18/0x40
[   11.937985]  kasan_save_free_info+0x3f/0x60
[   11.938265]  __kasan_slab_free+0x56/0x70
[   11.938460]  kfree+0x222/0x3f0
[   11.938629]  ksize_uaf+0x12c/0x6c0
[   11.939033]  kunit_try_run_case+0x1a5/0x480
[   11.939229]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.939755]  kthread+0x337/0x6f0
[   11.939917]  ret_from_fork+0x116/0x1d0
[   11.940099]  ret_from_fork_asm+0x1a/0x30
[   11.940279] 
[   11.940383] The buggy address belongs to the object at ffff888102c8b200
[   11.940383]  which belongs to the cache kmalloc-128 of size 128
[   11.941268] The buggy address is located 120 bytes inside of
[   11.941268]  freed 128-byte region [ffff888102c8b200, ffff888102c8b280)
[   11.941857] 
[   11.942121] The buggy address belongs to the physical page:
[   11.942320] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c8b
[   11.942852] flags: 0x200000000000000(node=0|zone=2)
[   11.943040] page_type: f5(slab)
[   11.943283] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.943610] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.944130] page dumped because: kasan: bad access detected
[   11.944364] 
[   11.944539] Memory state around the buggy address:
[   11.944932]  ffff888102c8b100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.945312]  ffff888102c8b180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.945631] >ffff888102c8b200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.946085]                                                                 ^
[   11.946400]  ffff888102c8b280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.947046]  ffff888102c8b300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.947460] ==================================================================