Date
July 10, 2025, 11:10 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 16.152245] ================================================================== [ 16.152717] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 16.153156] Read of size 1 at addr fff00000c63f3a00 by task kunit_try_catch/196 [ 16.153207] [ 16.153241] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 16.153323] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.153348] Hardware name: linux,dummy-virt (DT) [ 16.153378] Call trace: [ 16.153886] show_stack+0x20/0x38 (C) [ 16.153971] dump_stack_lvl+0x8c/0xd0 [ 16.154028] print_report+0x118/0x608 [ 16.154104] kasan_report+0xdc/0x128 [ 16.154608] __asan_report_load1_noabort+0x20/0x30 [ 16.154666] ksize_uaf+0x598/0x5f8 [ 16.154711] kunit_try_run_case+0x170/0x3f0 [ 16.154760] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.154815] kthread+0x328/0x630 [ 16.154857] ret_from_fork+0x10/0x20 [ 16.154905] [ 16.154924] Allocated by task 196: [ 16.155473] kasan_save_stack+0x3c/0x68 [ 16.155704] kasan_save_track+0x20/0x40 [ 16.156284] kasan_save_alloc_info+0x40/0x58 [ 16.156333] __kasan_kmalloc+0xd4/0xd8 [ 16.156370] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.156764] ksize_uaf+0xb8/0x5f8 [ 16.156807] kunit_try_run_case+0x170/0x3f0 [ 16.156915] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.157120] kthread+0x328/0x630 [ 16.157165] ret_from_fork+0x10/0x20 [ 16.157201] [ 16.157220] Freed by task 196: [ 16.157717] kasan_save_stack+0x3c/0x68 [ 16.158140] kasan_save_track+0x20/0x40 [ 16.158358] kasan_save_free_info+0x4c/0x78 [ 16.158399] __kasan_slab_free+0x6c/0x98 [ 16.158645] kfree+0x214/0x3c8 [ 16.158996] ksize_uaf+0x11c/0x5f8 [ 16.159203] kunit_try_run_case+0x170/0x3f0 [ 16.159251] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.159682] kthread+0x328/0x630 [ 16.159811] ret_from_fork+0x10/0x20 [ 16.160069] [ 16.160105] The buggy address belongs to the object at fff00000c63f3a00 [ 16.160105] which belongs to the cache kmalloc-128 of size 128 [ 16.160209] The buggy address is located 0 bytes inside of [ 16.160209] freed 128-byte region [fff00000c63f3a00, fff00000c63f3a80) [ 16.160272] [ 16.160649] The buggy address belongs to the physical page: [ 16.160906] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063f3 [ 16.161165] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.161411] page_type: f5(slab) [ 16.161741] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.161872] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.161915] page dumped because: kasan: bad access detected [ 16.161947] [ 16.162186] Memory state around the buggy address: [ 16.162227] fff00000c63f3900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.162530] fff00000c63f3980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.162757] >fff00000c63f3a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.163017] ^ [ 16.163225] fff00000c63f3a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.163664] fff00000c63f3b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.163709] ================================================================== [ 16.166399] ================================================================== [ 16.166540] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 16.166635] Read of size 1 at addr fff00000c63f3a78 by task kunit_try_catch/196 [ 16.166686] [ 16.166720] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 16.166937] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.166974] Hardware name: linux,dummy-virt (DT) [ 16.167349] Call trace: [ 16.167374] show_stack+0x20/0x38 (C) [ 16.167729] dump_stack_lvl+0x8c/0xd0 [ 16.168008] print_report+0x118/0x608 [ 16.168335] kasan_report+0xdc/0x128 [ 16.168596] __asan_report_load1_noabort+0x20/0x30 [ 16.168650] ksize_uaf+0x544/0x5f8 [ 16.168696] kunit_try_run_case+0x170/0x3f0 [ 16.168747] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.169517] kthread+0x328/0x630 [ 16.169707] ret_from_fork+0x10/0x20 [ 16.170302] [ 16.170333] Allocated by task 196: [ 16.170363] kasan_save_stack+0x3c/0x68 [ 16.170409] kasan_save_track+0x20/0x40 [ 16.170446] kasan_save_alloc_info+0x40/0x58 [ 16.170488] __kasan_kmalloc+0xd4/0xd8 [ 16.170525] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.171242] ksize_uaf+0xb8/0x5f8 [ 16.171739] kunit_try_run_case+0x170/0x3f0 [ 16.172053] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.172115] kthread+0x328/0x630 [ 16.172402] ret_from_fork+0x10/0x20 [ 16.172577] [ 16.172719] Freed by task 196: [ 16.172752] kasan_save_stack+0x3c/0x68 [ 16.172794] kasan_save_track+0x20/0x40 [ 16.173135] kasan_save_free_info+0x4c/0x78 [ 16.173195] __kasan_slab_free+0x6c/0x98 [ 16.173456] kfree+0x214/0x3c8 [ 16.173534] ksize_uaf+0x11c/0x5f8 [ 16.173771] kunit_try_run_case+0x170/0x3f0 [ 16.173899] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.174055] kthread+0x328/0x630 [ 16.174108] ret_from_fork+0x10/0x20 [ 16.174147] [ 16.174167] The buggy address belongs to the object at fff00000c63f3a00 [ 16.174167] which belongs to the cache kmalloc-128 of size 128 [ 16.174234] The buggy address is located 120 bytes inside of [ 16.174234] freed 128-byte region [fff00000c63f3a00, fff00000c63f3a80) [ 16.174406] [ 16.174466] The buggy address belongs to the physical page: [ 16.174541] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063f3 [ 16.174615] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.174947] page_type: f5(slab) [ 16.175051] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.175793] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.177100] page dumped because: kasan: bad access detected [ 16.177268] [ 16.177313] Memory state around the buggy address: [ 16.177692] fff00000c63f3900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.179563] fff00000c63f3980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.180116] >fff00000c63f3a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.180222] ^ [ 16.180352] fff00000c63f3a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.180492] fff00000c63f3b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.180562] ================================================================== [ 16.143548] ================================================================== [ 16.143612] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 16.143670] Read of size 1 at addr fff00000c63f3a00 by task kunit_try_catch/196 [ 16.143720] [ 16.143754] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 16.143838] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.143864] Hardware name: linux,dummy-virt (DT) [ 16.143895] Call trace: [ 16.143919] show_stack+0x20/0x38 (C) [ 16.143966] dump_stack_lvl+0x8c/0xd0 [ 16.144016] print_report+0x118/0x608 [ 16.144063] kasan_report+0xdc/0x128 [ 16.144126] __kasan_check_byte+0x54/0x70 [ 16.144173] ksize+0x30/0x88 [ 16.144215] ksize_uaf+0x168/0x5f8 [ 16.144260] kunit_try_run_case+0x170/0x3f0 [ 16.144308] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.144360] kthread+0x328/0x630 [ 16.144404] ret_from_fork+0x10/0x20 [ 16.144451] [ 16.144471] Allocated by task 196: [ 16.144498] kasan_save_stack+0x3c/0x68 [ 16.144537] kasan_save_track+0x20/0x40 [ 16.144576] kasan_save_alloc_info+0x40/0x58 [ 16.144617] __kasan_kmalloc+0xd4/0xd8 [ 16.144654] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.144693] ksize_uaf+0xb8/0x5f8 [ 16.144727] kunit_try_run_case+0x170/0x3f0 [ 16.144765] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.144809] kthread+0x328/0x630 [ 16.144841] ret_from_fork+0x10/0x20 [ 16.144878] [ 16.144896] Freed by task 196: [ 16.144922] kasan_save_stack+0x3c/0x68 [ 16.144958] kasan_save_track+0x20/0x40 [ 16.144996] kasan_save_free_info+0x4c/0x78 [ 16.145034] __kasan_slab_free+0x6c/0x98 [ 16.145072] kfree+0x214/0x3c8 [ 16.145861] ksize_uaf+0x11c/0x5f8 [ 16.145992] kunit_try_run_case+0x170/0x3f0 [ 16.146063] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.146167] kthread+0x328/0x630 [ 16.146218] ret_from_fork+0x10/0x20 [ 16.146265] [ 16.146286] The buggy address belongs to the object at fff00000c63f3a00 [ 16.146286] which belongs to the cache kmalloc-128 of size 128 [ 16.146374] The buggy address is located 0 bytes inside of [ 16.146374] freed 128-byte region [fff00000c63f3a00, fff00000c63f3a80) [ 16.146434] [ 16.146475] The buggy address belongs to the physical page: [ 16.146532] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063f3 [ 16.146585] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.146634] page_type: f5(slab) [ 16.146696] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.146758] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.146817] page dumped because: kasan: bad access detected [ 16.146849] [ 16.146868] Memory state around the buggy address: [ 16.146909] fff00000c63f3900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.146966] fff00000c63f3980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.147016] >fff00000c63f3a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.147055] ^ [ 16.147507] fff00000c63f3a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.147560] fff00000c63f3b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.147601] ==================================================================
[ 13.247561] ================================================================== [ 13.247924] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 13.248243] Read of size 1 at addr ffff888102d5f878 by task kunit_try_catch/213 [ 13.248739] [ 13.248837] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 13.248877] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.248888] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.248907] Call Trace: [ 13.248919] <TASK> [ 13.248932] dump_stack_lvl+0x73/0xb0 [ 13.248960] print_report+0xd1/0x650 [ 13.248982] ? __virt_addr_valid+0x1db/0x2d0 [ 13.249003] ? ksize_uaf+0x5e4/0x6c0 [ 13.249022] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.249045] ? ksize_uaf+0x5e4/0x6c0 [ 13.249066] kasan_report+0x141/0x180 [ 13.249087] ? ksize_uaf+0x5e4/0x6c0 [ 13.249111] __asan_report_load1_noabort+0x18/0x20 [ 13.249136] ksize_uaf+0x5e4/0x6c0 [ 13.249155] ? __pfx_ksize_uaf+0x10/0x10 [ 13.249176] ? __schedule+0x10cc/0x2b60 [ 13.249199] ? __pfx_read_tsc+0x10/0x10 [ 13.249219] ? ktime_get_ts64+0x86/0x230 [ 13.249242] kunit_try_run_case+0x1a5/0x480 [ 13.249265] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.249287] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.249310] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.249334] ? __kthread_parkme+0x82/0x180 [ 13.249354] ? preempt_count_sub+0x50/0x80 [ 13.249390] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.249414] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.249438] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.249462] kthread+0x337/0x6f0 [ 13.249480] ? trace_preempt_on+0x20/0xc0 [ 13.249503] ? __pfx_kthread+0x10/0x10 [ 13.249523] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.249558] ? calculate_sigpending+0x7b/0xa0 [ 13.249582] ? __pfx_kthread+0x10/0x10 [ 13.249602] ret_from_fork+0x116/0x1d0 [ 13.249620] ? __pfx_kthread+0x10/0x10 [ 13.249640] ret_from_fork_asm+0x1a/0x30 [ 13.249670] </TASK> [ 13.249679] [ 13.256882] Allocated by task 213: [ 13.257058] kasan_save_stack+0x45/0x70 [ 13.257256] kasan_save_track+0x18/0x40 [ 13.257501] kasan_save_alloc_info+0x3b/0x50 [ 13.257709] __kasan_kmalloc+0xb7/0xc0 [ 13.257894] __kmalloc_cache_noprof+0x189/0x420 [ 13.258075] ksize_uaf+0xaa/0x6c0 [ 13.258250] kunit_try_run_case+0x1a5/0x480 [ 13.258644] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.258864] kthread+0x337/0x6f0 [ 13.258986] ret_from_fork+0x116/0x1d0 [ 13.259118] ret_from_fork_asm+0x1a/0x30 [ 13.259256] [ 13.259326] Freed by task 213: [ 13.259500] kasan_save_stack+0x45/0x70 [ 13.259698] kasan_save_track+0x18/0x40 [ 13.259891] kasan_save_free_info+0x3f/0x60 [ 13.260330] __kasan_slab_free+0x56/0x70 [ 13.260539] kfree+0x222/0x3f0 [ 13.260766] ksize_uaf+0x12c/0x6c0 [ 13.260960] kunit_try_run_case+0x1a5/0x480 [ 13.261147] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.261445] kthread+0x337/0x6f0 [ 13.261592] ret_from_fork+0x116/0x1d0 [ 13.261773] ret_from_fork_asm+0x1a/0x30 [ 13.261911] [ 13.261980] The buggy address belongs to the object at ffff888102d5f800 [ 13.261980] which belongs to the cache kmalloc-128 of size 128 [ 13.262399] The buggy address is located 120 bytes inside of [ 13.262399] freed 128-byte region [ffff888102d5f800, ffff888102d5f880) [ 13.262930] [ 13.263024] The buggy address belongs to the physical page: [ 13.263513] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102d5f [ 13.263917] flags: 0x200000000000000(node=0|zone=2) [ 13.264154] page_type: f5(slab) [ 13.264278] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.265712] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.266680] page dumped because: kasan: bad access detected [ 13.266861] [ 13.266932] Memory state around the buggy address: [ 13.267087] ffff888102d5f700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.267303] ffff888102d5f780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.268004] >ffff888102d5f800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.268718] ^ [ 13.269344] ffff888102d5f880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.270030] ffff888102d5f900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.270771] ================================================================== [ 13.184668] ================================================================== [ 13.185471] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 13.185915] Read of size 1 at addr ffff888102d5f800 by task kunit_try_catch/213 [ 13.186144] [ 13.186232] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 13.186274] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.186285] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.186304] Call Trace: [ 13.186316] <TASK> [ 13.186330] dump_stack_lvl+0x73/0xb0 [ 13.186374] print_report+0xd1/0x650 [ 13.186396] ? __virt_addr_valid+0x1db/0x2d0 [ 13.186418] ? ksize_uaf+0x19d/0x6c0 [ 13.186533] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.186561] ? ksize_uaf+0x19d/0x6c0 [ 13.186582] kasan_report+0x141/0x180 [ 13.186604] ? ksize_uaf+0x19d/0x6c0 [ 13.186627] ? ksize_uaf+0x19d/0x6c0 [ 13.187008] __kasan_check_byte+0x3d/0x50 [ 13.187035] ksize+0x20/0x60 [ 13.187058] ksize_uaf+0x19d/0x6c0 [ 13.187079] ? __pfx_ksize_uaf+0x10/0x10 [ 13.187101] ? __schedule+0x10cc/0x2b60 [ 13.187125] ? __pfx_read_tsc+0x10/0x10 [ 13.187146] ? ktime_get_ts64+0x86/0x230 [ 13.187170] kunit_try_run_case+0x1a5/0x480 [ 13.187193] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.187216] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.187240] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.187264] ? __kthread_parkme+0x82/0x180 [ 13.187284] ? preempt_count_sub+0x50/0x80 [ 13.187307] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.187331] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.187355] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.187400] kthread+0x337/0x6f0 [ 13.187419] ? trace_preempt_on+0x20/0xc0 [ 13.187442] ? __pfx_kthread+0x10/0x10 [ 13.187463] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.187484] ? calculate_sigpending+0x7b/0xa0 [ 13.187508] ? __pfx_kthread+0x10/0x10 [ 13.187529] ret_from_fork+0x116/0x1d0 [ 13.187547] ? __pfx_kthread+0x10/0x10 [ 13.187567] ret_from_fork_asm+0x1a/0x30 [ 13.187597] </TASK> [ 13.187607] [ 13.199581] Allocated by task 213: [ 13.199922] kasan_save_stack+0x45/0x70 [ 13.200299] kasan_save_track+0x18/0x40 [ 13.200713] kasan_save_alloc_info+0x3b/0x50 [ 13.200871] __kasan_kmalloc+0xb7/0xc0 [ 13.201006] __kmalloc_cache_noprof+0x189/0x420 [ 13.201164] ksize_uaf+0xaa/0x6c0 [ 13.201286] kunit_try_run_case+0x1a5/0x480 [ 13.201510] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.202083] kthread+0x337/0x6f0 [ 13.202420] ret_from_fork+0x116/0x1d0 [ 13.202939] ret_from_fork_asm+0x1a/0x30 [ 13.203314] [ 13.203570] Freed by task 213: [ 13.203863] kasan_save_stack+0x45/0x70 [ 13.204226] kasan_save_track+0x18/0x40 [ 13.204691] kasan_save_free_info+0x3f/0x60 [ 13.204887] __kasan_slab_free+0x56/0x70 [ 13.205027] kfree+0x222/0x3f0 [ 13.205142] ksize_uaf+0x12c/0x6c0 [ 13.205266] kunit_try_run_case+0x1a5/0x480 [ 13.205749] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.206232] kthread+0x337/0x6f0 [ 13.207196] ret_from_fork+0x116/0x1d0 [ 13.207661] ret_from_fork_asm+0x1a/0x30 [ 13.208065] [ 13.208211] The buggy address belongs to the object at ffff888102d5f800 [ 13.208211] which belongs to the cache kmalloc-128 of size 128 [ 13.209137] The buggy address is located 0 bytes inside of [ 13.209137] freed 128-byte region [ffff888102d5f800, ffff888102d5f880) [ 13.209590] [ 13.209820] The buggy address belongs to the physical page: [ 13.210790] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102d5f [ 13.211520] flags: 0x200000000000000(node=0|zone=2) [ 13.212028] page_type: f5(slab) [ 13.212340] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.212834] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.213082] page dumped because: kasan: bad access detected [ 13.213255] [ 13.213324] Memory state around the buggy address: [ 13.213508] ffff888102d5f700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.214735] ffff888102d5f780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.215366] >ffff888102d5f800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.216089] ^ [ 13.216518] ffff888102d5f880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.217227] ffff888102d5f900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.217999] ================================================================== [ 13.218534] ================================================================== [ 13.218773] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 13.218987] Read of size 1 at addr ffff888102d5f800 by task kunit_try_catch/213 [ 13.219210] [ 13.219295] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 13.219334] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.219345] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.219394] Call Trace: [ 13.219410] <TASK> [ 13.219426] dump_stack_lvl+0x73/0xb0 [ 13.219455] print_report+0xd1/0x650 [ 13.219477] ? __virt_addr_valid+0x1db/0x2d0 [ 13.219499] ? ksize_uaf+0x5fe/0x6c0 [ 13.219518] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.219541] ? ksize_uaf+0x5fe/0x6c0 [ 13.219561] kasan_report+0x141/0x180 [ 13.219582] ? ksize_uaf+0x5fe/0x6c0 [ 13.219606] __asan_report_load1_noabort+0x18/0x20 [ 13.219631] ksize_uaf+0x5fe/0x6c0 [ 13.219650] ? __pfx_ksize_uaf+0x10/0x10 [ 13.219671] ? __schedule+0x10cc/0x2b60 [ 13.219705] ? __pfx_read_tsc+0x10/0x10 [ 13.219725] ? ktime_get_ts64+0x86/0x230 [ 13.219749] kunit_try_run_case+0x1a5/0x480 [ 13.219773] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.219796] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.219820] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.219843] ? __kthread_parkme+0x82/0x180 [ 13.219863] ? preempt_count_sub+0x50/0x80 [ 13.219886] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.219910] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.219934] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.219958] kthread+0x337/0x6f0 [ 13.219976] ? trace_preempt_on+0x20/0xc0 [ 13.220000] ? __pfx_kthread+0x10/0x10 [ 13.220020] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.220041] ? calculate_sigpending+0x7b/0xa0 [ 13.220064] ? __pfx_kthread+0x10/0x10 [ 13.220085] ret_from_fork+0x116/0x1d0 [ 13.220102] ? __pfx_kthread+0x10/0x10 [ 13.220122] ret_from_fork_asm+0x1a/0x30 [ 13.220153] </TASK> [ 13.220162] [ 13.234583] Allocated by task 213: [ 13.234759] kasan_save_stack+0x45/0x70 [ 13.234907] kasan_save_track+0x18/0x40 [ 13.235043] kasan_save_alloc_info+0x3b/0x50 [ 13.235191] __kasan_kmalloc+0xb7/0xc0 [ 13.235321] __kmalloc_cache_noprof+0x189/0x420 [ 13.235797] ksize_uaf+0xaa/0x6c0 [ 13.236110] kunit_try_run_case+0x1a5/0x480 [ 13.236532] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.237056] kthread+0x337/0x6f0 [ 13.237503] ret_from_fork+0x116/0x1d0 [ 13.237869] ret_from_fork_asm+0x1a/0x30 [ 13.238222] [ 13.238397] Freed by task 213: [ 13.238746] kasan_save_stack+0x45/0x70 [ 13.239093] kasan_save_track+0x18/0x40 [ 13.239492] kasan_save_free_info+0x3f/0x60 [ 13.239827] __kasan_slab_free+0x56/0x70 [ 13.239974] kfree+0x222/0x3f0 [ 13.240091] ksize_uaf+0x12c/0x6c0 [ 13.240223] kunit_try_run_case+0x1a5/0x480 [ 13.240391] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.240567] kthread+0x337/0x6f0 [ 13.240838] ret_from_fork+0x116/0x1d0 [ 13.241083] ret_from_fork_asm+0x1a/0x30 [ 13.241252] [ 13.241323] The buggy address belongs to the object at ffff888102d5f800 [ 13.241323] which belongs to the cache kmalloc-128 of size 128 [ 13.241869] The buggy address is located 0 bytes inside of [ 13.241869] freed 128-byte region [ffff888102d5f800, ffff888102d5f880) [ 13.242778] [ 13.242870] The buggy address belongs to the physical page: [ 13.243087] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102d5f [ 13.243411] flags: 0x200000000000000(node=0|zone=2) [ 13.243734] page_type: f5(slab) [ 13.243852] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.244217] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.244678] page dumped because: kasan: bad access detected [ 13.244953] [ 13.245038] Memory state around the buggy address: [ 13.245239] ffff888102d5f700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.245490] ffff888102d5f780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.245812] >ffff888102d5f800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.246094] ^ [ 13.246210] ffff888102d5f880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.246725] ffff888102d5f900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.247118] ==================================================================