Hay
Sign in
Date
July 11, 2025, 11:09 p.m.

Environment
qemu-arm64
qemu-x86_64 

[   17.043879] ==================================================================
[   17.044294] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   17.044340] Read of size 1 at addr fff00000c6f3fa78 by task kunit_try_catch/197
[   17.044391] 
[   17.044421] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   17.044502] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.045149] Hardware name: linux,dummy-virt (DT)
[   17.045246] Call trace:
[   17.045268]  show_stack+0x20/0x38 (C)
[   17.045318]  dump_stack_lvl+0x8c/0xd0
[   17.045373]  print_report+0x118/0x608
[   17.045727]  kasan_report+0xdc/0x128
[   17.046209]  __asan_report_load1_noabort+0x20/0x30
[   17.046504]  ksize_uaf+0x544/0x5f8
[   17.046549]  kunit_try_run_case+0x170/0x3f0
[   17.046896]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.047469]  kthread+0x328/0x630
[   17.047515]  ret_from_fork+0x10/0x20
[   17.047690] 
[   17.047716] Allocated by task 197:
[   17.047744]  kasan_save_stack+0x3c/0x68
[   17.047851]  kasan_save_track+0x20/0x40
[   17.047889]  kasan_save_alloc_info+0x40/0x58
[   17.047929]  __kasan_kmalloc+0xd4/0xd8
[   17.048146]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.048194]  ksize_uaf+0xb8/0x5f8
[   17.048227]  kunit_try_run_case+0x170/0x3f0
[   17.048264]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.048622]  kthread+0x328/0x630
[   17.049019]  ret_from_fork+0x10/0x20
[   17.049070] 
[   17.049089] Freed by task 197:
[   17.049117]  kasan_save_stack+0x3c/0x68
[   17.049153]  kasan_save_track+0x20/0x40
[   17.049190]  kasan_save_free_info+0x4c/0x78
[   17.049227]  __kasan_slab_free+0x6c/0x98
[   17.049265]  kfree+0x214/0x3c8
[   17.049879]  ksize_uaf+0x11c/0x5f8
[   17.049925]  kunit_try_run_case+0x170/0x3f0
[   17.049962]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.050240]  kthread+0x328/0x630
[   17.050273]  ret_from_fork+0x10/0x20
[   17.050310] 
[   17.050332] The buggy address belongs to the object at fff00000c6f3fa00
[   17.050332]  which belongs to the cache kmalloc-128 of size 128
[   17.050765] The buggy address is located 120 bytes inside of
[   17.050765]  freed 128-byte region [fff00000c6f3fa00, fff00000c6f3fa80)
[   17.051530] 
[   17.051831] The buggy address belongs to the physical page:
[   17.052160] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106f3f
[   17.052301] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.052891] page_type: f5(slab)
[   17.052933] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.052984] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.053696] page dumped because: kasan: bad access detected
[   17.053995] 
[   17.054134] Memory state around the buggy address:
[   17.054170]  fff00000c6f3f900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.054218]  fff00000c6f3f980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.054261] >fff00000c6f3fa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.054298]                                                                 ^
[   17.054338]  fff00000c6f3fa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.055489]  fff00000c6f3fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.055936] ==================================================================
[   17.032941] ==================================================================
[   17.032993] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   17.033039] Read of size 1 at addr fff00000c6f3fa00 by task kunit_try_catch/197
[   17.033089] 
[   17.033121] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   17.033204] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.033228] Hardware name: linux,dummy-virt (DT)
[   17.033257] Call trace:
[   17.033279]  show_stack+0x20/0x38 (C)
[   17.034919]  dump_stack_lvl+0x8c/0xd0
[   17.035078]  print_report+0x118/0x608
[   17.035217]  kasan_report+0xdc/0x128
[   17.035402]  __asan_report_load1_noabort+0x20/0x30
[   17.035490]  ksize_uaf+0x598/0x5f8
[   17.035535]  kunit_try_run_case+0x170/0x3f0
[   17.035590]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.036200]  kthread+0x328/0x630
[   17.036260]  ret_from_fork+0x10/0x20
[   17.036308] 
[   17.036329] Allocated by task 197:
[   17.036356]  kasan_save_stack+0x3c/0x68
[   17.036398]  kasan_save_track+0x20/0x40
[   17.036434]  kasan_save_alloc_info+0x40/0x58
[   17.036986]  __kasan_kmalloc+0xd4/0xd8
[   17.037032]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.037090]  ksize_uaf+0xb8/0x5f8
[   17.037197]  kunit_try_run_case+0x170/0x3f0
[   17.037269]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.037669]  kthread+0x328/0x630
[   17.037706]  ret_from_fork+0x10/0x20
[   17.037741] 
[   17.038172] Freed by task 197:
[   17.038213]  kasan_save_stack+0x3c/0x68
[   17.038262]  kasan_save_track+0x20/0x40
[   17.038300]  kasan_save_free_info+0x4c/0x78
[   17.038337]  __kasan_slab_free+0x6c/0x98
[   17.038374]  kfree+0x214/0x3c8
[   17.038407]  ksize_uaf+0x11c/0x5f8
[   17.038440]  kunit_try_run_case+0x170/0x3f0
[   17.038477]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.038961]  kthread+0x328/0x630
[   17.039002]  ret_from_fork+0x10/0x20
[   17.039037] 
[   17.039332] The buggy address belongs to the object at fff00000c6f3fa00
[   17.039332]  which belongs to the cache kmalloc-128 of size 128
[   17.039687] The buggy address is located 0 bytes inside of
[   17.039687]  freed 128-byte region [fff00000c6f3fa00, fff00000c6f3fa80)
[   17.039769] 
[   17.039789] The buggy address belongs to the physical page:
[   17.039967] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106f3f
[   17.040279] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.040330] page_type: f5(slab)
[   17.040695] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.041072] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.041156] page dumped because: kasan: bad access detected
[   17.041376] 
[   17.041618] Memory state around the buggy address:
[   17.041869]  fff00000c6f3f900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.042254]  fff00000c6f3f980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.042345] >fff00000c6f3fa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.042557]                    ^
[   17.042591]  fff00000c6f3fa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.042851]  fff00000c6f3fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.042892] ==================================================================
[   17.022452] ==================================================================
[   17.022583] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   17.022645] Read of size 1 at addr fff00000c6f3fa00 by task kunit_try_catch/197
[   17.022695] 
[   17.022870] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   17.023224] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.023259] Hardware name: linux,dummy-virt (DT)
[   17.023292] Call trace:
[   17.023393]  show_stack+0x20/0x38 (C)
[   17.023498]  dump_stack_lvl+0x8c/0xd0
[   17.023547]  print_report+0x118/0x608
[   17.023647]  kasan_report+0xdc/0x128
[   17.023697]  __kasan_check_byte+0x54/0x70
[   17.024051]  ksize+0x30/0x88
[   17.024442]  ksize_uaf+0x168/0x5f8
[   17.024665]  kunit_try_run_case+0x170/0x3f0
[   17.024715]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.025070]  kthread+0x328/0x630
[   17.025139]  ret_from_fork+0x10/0x20
[   17.025187] 
[   17.025207] Allocated by task 197:
[   17.025236]  kasan_save_stack+0x3c/0x68
[   17.025762]  kasan_save_track+0x20/0x40
[   17.025901]  kasan_save_alloc_info+0x40/0x58
[   17.026027]  __kasan_kmalloc+0xd4/0xd8
[   17.026063]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.026439]  ksize_uaf+0xb8/0x5f8
[   17.026485]  kunit_try_run_case+0x170/0x3f0
[   17.026622]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.026994]  kthread+0x328/0x630
[   17.027054]  ret_from_fork+0x10/0x20
[   17.027347] 
[   17.027370] Freed by task 197:
[   17.027400]  kasan_save_stack+0x3c/0x68
[   17.027441]  kasan_save_track+0x20/0x40
[   17.027479]  kasan_save_free_info+0x4c/0x78
[   17.027517]  __kasan_slab_free+0x6c/0x98
[   17.027802]  kfree+0x214/0x3c8
[   17.027874]  ksize_uaf+0x11c/0x5f8
[   17.027912]  kunit_try_run_case+0x170/0x3f0
[   17.027954]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.028426]  kthread+0x328/0x630
[   17.028668]  ret_from_fork+0x10/0x20
[   17.028825] 
[   17.028898] The buggy address belongs to the object at fff00000c6f3fa00
[   17.028898]  which belongs to the cache kmalloc-128 of size 128
[   17.029175] The buggy address is located 0 bytes inside of
[   17.029175]  freed 128-byte region [fff00000c6f3fa00, fff00000c6f3fa80)
[   17.029514] 
[   17.029539] The buggy address belongs to the physical page:
[   17.029572] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106f3f
[   17.029929] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.030087] page_type: f5(slab)
[   17.030130] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.030548] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.030601] page dumped because: kasan: bad access detected
[   17.030653] 
[   17.030794] Memory state around the buggy address:
[   17.030832]  fff00000c6f3f900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.030886]  fff00000c6f3f980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.030929] >fff00000c6f3fa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.030969]                    ^
[   17.031488]  fff00000c6f3fa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.031612]  fff00000c6f3fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.032035] ==================================================================
Metadata Full log Test run details 

[   12.847593] ==================================================================
[   12.848197] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   12.848482] Read of size 1 at addr ffff8881029f2f00 by task kunit_try_catch/213
[   12.848792] 
[   12.848878] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   12.848931] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.848942] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.848961] Call Trace:
[   12.848972]  <TASK>
[   12.848986]  dump_stack_lvl+0x73/0xb0
[   12.849015]  print_report+0xd1/0x650
[   12.849037]  ? __virt_addr_valid+0x1db/0x2d0
[   12.849060]  ? ksize_uaf+0x5fe/0x6c0
[   12.849079]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.849102]  ? ksize_uaf+0x5fe/0x6c0
[   12.849123]  kasan_report+0x141/0x180
[   12.849145]  ? ksize_uaf+0x5fe/0x6c0
[   12.849171]  __asan_report_load1_noabort+0x18/0x20
[   12.849195]  ksize_uaf+0x5fe/0x6c0
[   12.849215]  ? __pfx_ksize_uaf+0x10/0x10
[   12.849239]  ? __pfx_ksize_uaf+0x10/0x10
[   12.849266]  kunit_try_run_case+0x1a5/0x480
[   12.849292]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.849315]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.849339]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.849362]  ? __kthread_parkme+0x82/0x180
[   12.849383]  ? preempt_count_sub+0x50/0x80
[   12.849408]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.849432]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.849456]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.849480]  kthread+0x337/0x6f0
[   12.849518]  ? trace_preempt_on+0x20/0xc0
[   12.849541]  ? __pfx_kthread+0x10/0x10
[   12.849561]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.849581]  ? calculate_sigpending+0x7b/0xa0
[   12.849606]  ? __pfx_kthread+0x10/0x10
[   12.849627]  ret_from_fork+0x116/0x1d0
[   12.849646]  ? __pfx_kthread+0x10/0x10
[   12.849666]  ret_from_fork_asm+0x1a/0x30
[   12.849699]  </TASK>
[   12.849708] 
[   12.856567] Allocated by task 213:
[   12.856698]  kasan_save_stack+0x45/0x70
[   12.857129]  kasan_save_track+0x18/0x40
[   12.857336]  kasan_save_alloc_info+0x3b/0x50
[   12.857554]  __kasan_kmalloc+0xb7/0xc0
[   12.857759]  __kmalloc_cache_noprof+0x189/0x420
[   12.857992]  ksize_uaf+0xaa/0x6c0
[   12.858190]  kunit_try_run_case+0x1a5/0x480
[   12.858352]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.858535]  kthread+0x337/0x6f0
[   12.858654]  ret_from_fork+0x116/0x1d0
[   12.858929]  ret_from_fork_asm+0x1a/0x30
[   12.859195] 
[   12.859342] Freed by task 213:
[   12.859604]  kasan_save_stack+0x45/0x70
[   12.859825]  kasan_save_track+0x18/0x40
[   12.859974]  kasan_save_free_info+0x3f/0x60
[   12.860492]  __kasan_slab_free+0x56/0x70
[   12.860656]  kfree+0x222/0x3f0
[   12.860773]  ksize_uaf+0x12c/0x6c0
[   12.860896]  kunit_try_run_case+0x1a5/0x480
[   12.861201]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.861453]  kthread+0x337/0x6f0
[   12.861622]  ret_from_fork+0x116/0x1d0
[   12.862069]  ret_from_fork_asm+0x1a/0x30
[   12.862279] 
[   12.862373] The buggy address belongs to the object at ffff8881029f2f00
[   12.862373]  which belongs to the cache kmalloc-128 of size 128
[   12.863469] The buggy address is located 0 bytes inside of
[   12.863469]  freed 128-byte region [ffff8881029f2f00, ffff8881029f2f80)
[   12.864903] 
[   12.865375] The buggy address belongs to the physical page:
[   12.865878] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029f2
[   12.866144] flags: 0x200000000000000(node=0|zone=2)
[   12.866307] page_type: f5(slab)
[   12.866430] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.866663] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.866888] page dumped because: kasan: bad access detected
[   12.867344] 
[   12.867531] Memory state around the buggy address:
[   12.867983]  ffff8881029f2e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.868666]  ffff8881029f2e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.869601] >ffff8881029f2f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.870448]                    ^
[   12.870901]  ffff8881029f2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.871723]  ffff8881029f3000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.872548] ==================================================================
[   12.827326] ==================================================================
[   12.827800] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   12.828125] Read of size 1 at addr ffff8881029f2f00 by task kunit_try_catch/213
[   12.828443] 
[   12.828545] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   12.828588] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.828600] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.828618] Call Trace:
[   12.828630]  <TASK>
[   12.828644]  dump_stack_lvl+0x73/0xb0
[   12.828673]  print_report+0xd1/0x650
[   12.828696]  ? __virt_addr_valid+0x1db/0x2d0
[   12.828719]  ? ksize_uaf+0x19d/0x6c0
[   12.828738]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.828912]  ? ksize_uaf+0x19d/0x6c0
[   12.828959]  kasan_report+0x141/0x180
[   12.828983]  ? ksize_uaf+0x19d/0x6c0
[   12.829008]  ? ksize_uaf+0x19d/0x6c0
[   12.829077]  __kasan_check_byte+0x3d/0x50
[   12.829100]  ksize+0x20/0x60
[   12.829121]  ksize_uaf+0x19d/0x6c0
[   12.829141]  ? __pfx_ksize_uaf+0x10/0x10
[   12.829164]  ? __pfx_ksize_uaf+0x10/0x10
[   12.829189]  kunit_try_run_case+0x1a5/0x480
[   12.829213]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.829236]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.829260]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.829283]  ? __kthread_parkme+0x82/0x180
[   12.829303]  ? preempt_count_sub+0x50/0x80
[   12.829327]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.829352]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.829376]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.829401]  kthread+0x337/0x6f0
[   12.829419]  ? trace_preempt_on+0x20/0xc0
[   12.829442]  ? __pfx_kthread+0x10/0x10
[   12.829462]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.829483]  ? calculate_sigpending+0x7b/0xa0
[   12.829507]  ? __pfx_kthread+0x10/0x10
[   12.829528]  ret_from_fork+0x116/0x1d0
[   12.829546]  ? __pfx_kthread+0x10/0x10
[   12.829566]  ret_from_fork_asm+0x1a/0x30
[   12.829598]  </TASK>
[   12.829608] 
[   12.836628] Allocated by task 213:
[   12.836787]  kasan_save_stack+0x45/0x70
[   12.836974]  kasan_save_track+0x18/0x40
[   12.837178]  kasan_save_alloc_info+0x3b/0x50
[   12.837338]  __kasan_kmalloc+0xb7/0xc0
[   12.837469]  __kmalloc_cache_noprof+0x189/0x420
[   12.837625]  ksize_uaf+0xaa/0x6c0
[   12.837818]  kunit_try_run_case+0x1a5/0x480
[   12.838042]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.838358]  kthread+0x337/0x6f0
[   12.838538]  ret_from_fork+0x116/0x1d0
[   12.838723]  ret_from_fork_asm+0x1a/0x30
[   12.839055] 
[   12.839140] Freed by task 213:
[   12.839252]  kasan_save_stack+0x45/0x70
[   12.839387]  kasan_save_track+0x18/0x40
[   12.839522]  kasan_save_free_info+0x3f/0x60
[   12.839728]  __kasan_slab_free+0x56/0x70
[   12.840243]  kfree+0x222/0x3f0
[   12.840423]  ksize_uaf+0x12c/0x6c0
[   12.840580]  kunit_try_run_case+0x1a5/0x480
[   12.840745]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.841029]  kthread+0x337/0x6f0
[   12.841187]  ret_from_fork+0x116/0x1d0
[   12.841353]  ret_from_fork_asm+0x1a/0x30
[   12.841506] 
[   12.841602] The buggy address belongs to the object at ffff8881029f2f00
[   12.841602]  which belongs to the cache kmalloc-128 of size 128
[   12.842086] The buggy address is located 0 bytes inside of
[   12.842086]  freed 128-byte region [ffff8881029f2f00, ffff8881029f2f80)
[   12.842430] 
[   12.842504] The buggy address belongs to the physical page:
[   12.842754] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029f2
[   12.843127] flags: 0x200000000000000(node=0|zone=2)
[   12.843358] page_type: f5(slab)
[   12.843691] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.844163] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.844397] page dumped because: kasan: bad access detected
[   12.844566] 
[   12.844634] Memory state around the buggy address:
[   12.845131]  ffff8881029f2e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.845459]  ffff8881029f2e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.845779] >ffff8881029f2f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.846112]                    ^
[   12.846262]  ffff8881029f2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.846516]  ffff8881029f3000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.846730] ==================================================================
[   12.873442] ==================================================================
[   12.874470] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   12.874689] Read of size 1 at addr ffff8881029f2f78 by task kunit_try_catch/213
[   12.875546] 
[   12.875844] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   12.875887] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.875899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.876017] Call Trace:
[   12.876034]  <TASK>
[   12.876048]  dump_stack_lvl+0x73/0xb0
[   12.876078]  print_report+0xd1/0x650
[   12.876099]  ? __virt_addr_valid+0x1db/0x2d0
[   12.876121]  ? ksize_uaf+0x5e4/0x6c0
[   12.876141]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.876164]  ? ksize_uaf+0x5e4/0x6c0
[   12.876184]  kasan_report+0x141/0x180
[   12.876205]  ? ksize_uaf+0x5e4/0x6c0
[   12.876230]  __asan_report_load1_noabort+0x18/0x20
[   12.876254]  ksize_uaf+0x5e4/0x6c0
[   12.876274]  ? __pfx_ksize_uaf+0x10/0x10
[   12.876297]  ? __pfx_ksize_uaf+0x10/0x10
[   12.876322]  kunit_try_run_case+0x1a5/0x480
[   12.876345]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.876367]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.876390]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.876413]  ? __kthread_parkme+0x82/0x180
[   12.876433]  ? preempt_count_sub+0x50/0x80
[   12.876456]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.876479]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.876504]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.876528]  kthread+0x337/0x6f0
[   12.876547]  ? trace_preempt_on+0x20/0xc0
[   12.876569]  ? __pfx_kthread+0x10/0x10
[   12.876589]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.876610]  ? calculate_sigpending+0x7b/0xa0
[   12.876633]  ? __pfx_kthread+0x10/0x10
[   12.876654]  ret_from_fork+0x116/0x1d0
[   12.876673]  ? __pfx_kthread+0x10/0x10
[   12.876692]  ret_from_fork_asm+0x1a/0x30
[   12.876724]  </TASK>
[   12.876733] 
[   12.887445] Allocated by task 213:
[   12.887620]  kasan_save_stack+0x45/0x70
[   12.888114]  kasan_save_track+0x18/0x40
[   12.888357]  kasan_save_alloc_info+0x3b/0x50
[   12.888646]  __kasan_kmalloc+0xb7/0xc0
[   12.888976]  __kmalloc_cache_noprof+0x189/0x420
[   12.889284]  ksize_uaf+0xaa/0x6c0
[   12.889453]  kunit_try_run_case+0x1a5/0x480
[   12.889649]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.890146]  kthread+0x337/0x6f0
[   12.890558]  ret_from_fork+0x116/0x1d0
[   12.890874]  ret_from_fork_asm+0x1a/0x30
[   12.891402] 
[   12.891503] Freed by task 213:
[   12.891653]  kasan_save_stack+0x45/0x70
[   12.892057]  kasan_save_track+0x18/0x40
[   12.892505]  kasan_save_free_info+0x3f/0x60
[   12.892876]  __kasan_slab_free+0x56/0x70
[   12.893461]  kfree+0x222/0x3f0
[   12.893687]  ksize_uaf+0x12c/0x6c0
[   12.893994]  kunit_try_run_case+0x1a5/0x480
[   12.894348]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.894584]  kthread+0x337/0x6f0
[   12.894744]  ret_from_fork+0x116/0x1d0
[   12.895233]  ret_from_fork_asm+0x1a/0x30
[   12.895547] 
[   12.895773] The buggy address belongs to the object at ffff8881029f2f00
[   12.895773]  which belongs to the cache kmalloc-128 of size 128
[   12.896412] The buggy address is located 120 bytes inside of
[   12.896412]  freed 128-byte region [ffff8881029f2f00, ffff8881029f2f80)
[   12.897279] 
[   12.897379] The buggy address belongs to the physical page:
[   12.897836] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029f2
[   12.898398] flags: 0x200000000000000(node=0|zone=2)
[   12.898628] page_type: f5(slab)
[   12.899033] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.899542] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.900341] page dumped because: kasan: bad access detected
[   12.900566] 
[   12.900650] Memory state around the buggy address:
[   12.901090]  ffff8881029f2e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.901726]  ffff8881029f2e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.902278] >ffff8881029f2f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.902725]                                                                 ^
[   12.903192]  ffff8881029f2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.903628]  ffff8881029f3000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.904168] ==================================================================
Metadata Full log Test run details