Date
July 12, 2025, 11:09 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
```
[ 19.818611] ==================================================================
[ 19.818811] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 19.818980] Read of size 1 at addr fff00000c599f278 by task kunit_try_catch/197
[ 19.819143]
[ 19.819224] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 19.819435] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.819522] Hardware name: linux,dummy-virt (DT)
[ 19.819624] Call trace:
[ 19.819688]  show_stack+0x20/0x38 (C)
[ 19.819850]  dump_stack_lvl+0x8c/0xd0
[ 19.819992]  print_report+0x118/0x608
[ 19.820096]  kasan_report+0xdc/0x128
[ 19.820198]  __asan_report_load1_noabort+0x20/0x30
[ 19.820312]  ksize_uaf+0x544/0x5f8
[ 19.820414]  kunit_try_run_case+0x170/0x3f0
[ 19.820522]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.820640]  kthread+0x328/0x630
[ 19.820732]  ret_from_fork+0x10/0x20
[ 19.820843]
[ 19.820879] Allocated by task 197:
[ 19.820928]  kasan_save_stack+0x3c/0x68
[ 19.821017]  kasan_save_track+0x20/0x40
[ 19.821097]  kasan_save_alloc_info+0x40/0x58
[ 19.821206]  __kasan_kmalloc+0xd4/0xd8
[ 19.821288]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 19.821371]  ksize_uaf+0xb8/0x5f8
[ 19.821444]  kunit_try_run_case+0x170/0x3f0
[ 19.821525]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.821619]  kthread+0x328/0x630
[ 19.821688]  ret_from_fork+0x10/0x20
[ 19.821764]
[ 19.821810] Freed by task 197:
[ 19.821941]  kasan_save_stack+0x3c/0x68
[ 19.822061]  kasan_save_track+0x20/0x40
[ 19.822145]  kasan_save_free_info+0x4c/0x78
[ 19.822228]  __kasan_slab_free+0x6c/0x98
[ 19.822302]  kfree+0x214/0x3c8
[ 19.822401]  ksize_uaf+0x11c/0x5f8
[ 19.822494]  kunit_try_run_case+0x170/0x3f0
[ 19.822594]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.822723]  kthread+0x328/0x630
[ 19.822803]  ret_from_fork+0x10/0x20
[ 19.822904]
[ 19.822952] The buggy address belongs to the object at fff00000c599f200
[ 19.822952]  which belongs to the cache kmalloc-128 of size 128
[ 19.823116] The buggy address is located 120 bytes inside of
[ 19.823116]  freed 128-byte region [fff00000c599f200, fff00000c599f280)
[ 19.823296]
[ 19.823359] The buggy address belongs to the physical page:
[ 19.823446] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10599f
[ 19.823563] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.823663] page_type: f5(slab)
[ 19.823766] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 19.823889] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.823967] page dumped because: kasan: bad access detected
[ 19.824026]
[ 19.824059] Memory state around the buggy address:
[ 19.824160]  fff00000c599f100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.824258]  fff00000c599f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.824393] >fff00000c599f200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.824496]                                                                 ^
[ 19.824626]  fff00000c599f280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.824719]  fff00000c599f300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.824845] ==================================================================
[ 19.795845] ==================================================================
[ 19.795986] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 19.796393] Read of size 1 at addr fff00000c599f200 by task kunit_try_catch/197
[ 19.796520]
[ 19.796604] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 19.796810] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.796889] Hardware name: linux,dummy-virt (DT)
[ 19.796961] Call trace:
[ 19.797016]  show_stack+0x20/0x38 (C)
[ 19.797143]  dump_stack_lvl+0x8c/0xd0
[ 19.797255]  print_report+0x118/0x608
[ 19.797368]  kasan_report+0xdc/0x128
[ 19.797478]  __kasan_check_byte+0x54/0x70
[ 19.797592]  ksize+0x30/0x88
[ 19.797691]  ksize_uaf+0x168/0x5f8
[ 19.797789]  kunit_try_run_case+0x170/0x3f0
[ 19.797894]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.798002]  kthread+0x328/0x630
[ 19.798101]  ret_from_fork+0x10/0x20
[ 19.798208]
[ 19.798248] Allocated by task 197:
[ 19.798313]  kasan_save_stack+0x3c/0x68
[ 19.798404]  kasan_save_track+0x20/0x40
[ 19.798487]  kasan_save_alloc_info+0x40/0x58
[ 19.798587]  __kasan_kmalloc+0xd4/0xd8
[ 19.799278]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 19.799478]  ksize_uaf+0xb8/0x5f8
[ 19.799568]  kunit_try_run_case+0x170/0x3f0
[ 19.799765]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.800118]  kthread+0x328/0x630
[ 19.800295]  ret_from_fork+0x10/0x20
[ 19.800432]
[ 19.800493] Freed by task 197:
[ 19.800683]  kasan_save_stack+0x3c/0x68
[ 19.800936]  kasan_save_track+0x20/0x40
[ 19.801173]  kasan_save_free_info+0x4c/0x78
[ 19.801358]  __kasan_slab_free+0x6c/0x98
[ 19.801707]  kfree+0x214/0x3c8
[ 19.801798]  ksize_uaf+0x11c/0x5f8
[ 19.801902]  kunit_try_run_case+0x170/0x3f0
[ 19.802064]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.802215]  kthread+0x328/0x630
[ 19.802421]  ret_from_fork+0x10/0x20
[ 19.802671]
[ 19.802743] The buggy address belongs to the object at fff00000c599f200
[ 19.802743]  which belongs to the cache kmalloc-128 of size 128
[ 19.803150] The buggy address is located 0 bytes inside of
[ 19.803150]  freed 128-byte region [fff00000c599f200, fff00000c599f280)
[ 19.803386]
[ 19.803696] The buggy address belongs to the physical page:
[ 19.803765] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10599f
[ 19.803901] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.804175] page_type: f5(slab)
[ 19.804349] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 19.804500] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.804595] page dumped because: kasan: bad access detected
[ 19.804674]
[ 19.804716] Memory state around the buggy address:
[ 19.804793]  fff00000c599f100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.804912]  fff00000c599f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.805013] >fff00000c599f200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.805106]                    ^
[ 19.805182]  fff00000c599f280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.805285]  fff00000c599f300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.805380] ==================================================================
[ 19.808209] ==================================================================
[ 19.808271] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 19.808328] Read of size 1 at addr fff00000c599f200 by task kunit_try_catch/197
[ 19.808380]
[ 19.808411] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 19.808497] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.808524] Hardware name: linux,dummy-virt (DT)
[ 19.808555] Call trace:
[ 19.808577]  show_stack+0x20/0x38 (C)
[ 19.808628]  dump_stack_lvl+0x8c/0xd0
[ 19.808675]  print_report+0x118/0x608
[ 19.808731]  kasan_report+0xdc/0x128
[ 19.808782]  __asan_report_load1_noabort+0x20/0x30
[ 19.808879]  ksize_uaf+0x598/0x5f8
[ 19.808975]  kunit_try_run_case+0x170/0x3f0
[ 19.809193]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.809474]  kthread+0x328/0x630
[ 19.809637]  ret_from_fork+0x10/0x20
[ 19.809868]
[ 19.809909] Allocated by task 197:
[ 19.809974]  kasan_save_stack+0x3c/0x68
[ 19.810048]  kasan_save_track+0x20/0x40
[ 19.810120]  kasan_save_alloc_info+0x40/0x58
[ 19.810195]  __kasan_kmalloc+0xd4/0xd8
[ 19.810273]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 19.810354]  ksize_uaf+0xb8/0x5f8
[ 19.810426]  kunit_try_run_case+0x170/0x3f0
[ 19.810509]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.810626]  kthread+0x328/0x630
[ 19.810700]  ret_from_fork+0x10/0x20
[ 19.811213]
[ 19.811278] Freed by task 197:
[ 19.811434]  kasan_save_stack+0x3c/0x68
[ 19.811699]  kasan_save_track+0x20/0x40
[ 19.811816]  kasan_save_free_info+0x4c/0x78
[ 19.812056]  __kasan_slab_free+0x6c/0x98
[ 19.812196]  kfree+0x214/0x3c8
[ 19.812392]  ksize_uaf+0x11c/0x5f8
[ 19.812483]  kunit_try_run_case+0x170/0x3f0
[ 19.812680]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.813080]  kthread+0x328/0x630
[ 19.813258]  ret_from_fork+0x10/0x20
[ 19.813505]
[ 19.813546] The buggy address belongs to the object at fff00000c599f200
[ 19.813546]  which belongs to the cache kmalloc-128 of size 128
[ 19.813733] The buggy address is located 0 bytes inside of
[ 19.813733]  freed 128-byte region [fff00000c599f200, fff00000c599f280)
[ 19.813873]
[ 19.813913] The buggy address belongs to the physical page:
[ 19.813976] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10599f
[ 19.814561] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.814697] page_type: f5(slab)
[ 19.814938] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 19.815306] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.815573] page dumped because: kasan: bad access detected
[ 19.815787]
[ 19.815856] Memory state around the buggy address:
[ 19.815982]  fff00000c599f100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.816222]  fff00000c599f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.816361] >fff00000c599f200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.816456]                    ^
[ 19.816524]  fff00000c599f280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.817015]  fff00000c599f300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.817283] ==================================================================
```
```
[ 13.138286] ==================================================================
[ 13.139071] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 13.139291] Read of size 1 at addr ffff888102655578 by task kunit_try_catch/214
[ 13.139513]
[ 13.139601] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 13.139642] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.139653] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.139672] Call Trace:
[ 13.139685]  <TASK>
[ 13.139700]  dump_stack_lvl+0x73/0xb0
[ 13.139728]  print_report+0xd1/0x650
[ 13.139764]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.139787]  ? ksize_uaf+0x5e4/0x6c0
[ 13.139807]  ? kasan_complete_mode_report_info+0x64/0x200
[ 13.139830]  ? ksize_uaf+0x5e4/0x6c0
[ 13.139851]  kasan_report+0x141/0x180
[ 13.139872]  ? ksize_uaf+0x5e4/0x6c0
[ 13.139897]  __asan_report_load1_noabort+0x18/0x20
[ 13.139921]  ksize_uaf+0x5e4/0x6c0
[ 13.139941]  ? __pfx_ksize_uaf+0x10/0x10
[ 13.139962]  ? __schedule+0x10cc/0x2b60
[ 13.140200]  ? __pfx_read_tsc+0x10/0x10
[ 13.140225]  ? ktime_get_ts64+0x86/0x230
[ 13.140250]  kunit_try_run_case+0x1a5/0x480
[ 13.140273]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.140296]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.140320]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.140344]  ? __kthread_parkme+0x82/0x180
[ 13.140364]  ? preempt_count_sub+0x50/0x80
[ 13.140387]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.140411]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.140435]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.140460]  kthread+0x337/0x6f0
[ 13.140479]  ? trace_preempt_on+0x20/0xc0
[ 13.140502]  ? __pfx_kthread+0x10/0x10
[ 13.140522]  ? _raw_spin_unlock_irq+0x47/0x80
[ 13.140543]  ? calculate_sigpending+0x7b/0xa0
[ 13.140567]  ? __pfx_kthread+0x10/0x10
[ 13.140588]  ret_from_fork+0x116/0x1d0
[ 13.140605]  ? __pfx_kthread+0x10/0x10
[ 13.140626]  ret_from_fork_asm+0x1a/0x30
[ 13.140765]  </TASK>
[ 13.140777]
[ 13.150628] Allocated by task 214:
[ 13.151252]  kasan_save_stack+0x45/0x70
[ 13.151461]  kasan_save_track+0x18/0x40
[ 13.151638]  kasan_save_alloc_info+0x3b/0x50
[ 13.152085]  __kasan_kmalloc+0xb7/0xc0
[ 13.152270]  __kmalloc_cache_noprof+0x189/0x420
[ 13.152478]  ksize_uaf+0xaa/0x6c0
[ 13.152638]  kunit_try_run_case+0x1a5/0x480
[ 13.153160]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.153485]  kthread+0x337/0x6f0
[ 13.153634]  ret_from_fork+0x116/0x1d0
[ 13.154090]  ret_from_fork_asm+0x1a/0x30
[ 13.154236]
[ 13.154334] Freed by task 214:
[ 13.154495]  kasan_save_stack+0x45/0x70
[ 13.154661]  kasan_save_track+0x18/0x40
[ 13.155336]  kasan_save_free_info+0x3f/0x60
[ 13.155547]  __kasan_slab_free+0x56/0x70
[ 13.155933]  kfree+0x222/0x3f0
[ 13.156107]  ksize_uaf+0x12c/0x6c0
[ 13.156255]  kunit_try_run_case+0x1a5/0x480
[ 13.156469]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.156972]  kthread+0x337/0x6f0
[ 13.157233]  ret_from_fork+0x116/0x1d0
[ 13.157419]  ret_from_fork_asm+0x1a/0x30
[ 13.157859]
[ 13.157946] The buggy address belongs to the object at ffff888102655500
[ 13.157946]  which belongs to the cache kmalloc-128 of size 128
[ 13.158578] The buggy address is located 120 bytes inside of
[ 13.158578]  freed 128-byte region [ffff888102655500, ffff888102655580)
[ 13.159296]
[ 13.159394] The buggy address belongs to the physical page:
[ 13.159636] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102655
[ 13.159978] flags: 0x200000000000000(node=0|zone=2)
[ 13.160208] page_type: f5(slab)
[ 13.160357] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 13.160650] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 13.161600] page dumped because: kasan: bad access detected
[ 13.162075]
[ 13.162153] Memory state around the buggy address:
[ 13.162468]  ffff888102655400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.163019]  ffff888102655480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.163420] >ffff888102655500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.163895]                                                                 ^
[ 13.164183]  ffff888102655580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.164473]  ffff888102655600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.165148] ==================================================================
[ 13.107001] ==================================================================
[ 13.107556] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 13.107965] Read of size 1 at addr ffff888102655500 by task kunit_try_catch/214
[ 13.108292]
[ 13.108383] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 13.108427] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.108438] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.108459] Call Trace:
[ 13.108472]  <TASK>
[ 13.108489]  dump_stack_lvl+0x73/0xb0
[ 13.108519]  print_report+0xd1/0x650
[ 13.108542]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.108566]  ? ksize_uaf+0x5fe/0x6c0
[ 13.108585]  ? kasan_complete_mode_report_info+0x64/0x200
[ 13.108608]  ? ksize_uaf+0x5fe/0x6c0
[ 13.108628]  kasan_report+0x141/0x180
[ 13.108649]  ? ksize_uaf+0x5fe/0x6c0
[ 13.109092]  __asan_report_load1_noabort+0x18/0x20
[ 13.109120]  ksize_uaf+0x5fe/0x6c0
[ 13.109140]  ? __pfx_ksize_uaf+0x10/0x10
[ 13.109162]  ? __schedule+0x10cc/0x2b60
[ 13.109184]  ? __pfx_read_tsc+0x10/0x10
[ 13.109205]  ? ktime_get_ts64+0x86/0x230
[ 13.109230]  kunit_try_run_case+0x1a5/0x480
[ 13.109255]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.109277]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.109301]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.109325]  ? __kthread_parkme+0x82/0x180
[ 13.109345]  ? preempt_count_sub+0x50/0x80
[ 13.109370]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.109394]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.109418]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.109443]  kthread+0x337/0x6f0
[ 13.109461]  ? trace_preempt_on+0x20/0xc0
[ 13.109485]  ? __pfx_kthread+0x10/0x10
[ 13.109505]  ? _raw_spin_unlock_irq+0x47/0x80
[ 13.109526]  ? calculate_sigpending+0x7b/0xa0
[ 13.109550]  ? __pfx_kthread+0x10/0x10
[ 13.109571]  ret_from_fork+0x116/0x1d0
[ 13.109589]  ? __pfx_kthread+0x10/0x10
[ 13.109609]  ret_from_fork_asm+0x1a/0x30
[ 13.109640]  </TASK>
[ 13.109650]
[ 13.119109] Allocated by task 214:
[ 13.119270]  kasan_save_stack+0x45/0x70
[ 13.119470]  kasan_save_track+0x18/0x40
[ 13.119901]  kasan_save_alloc_info+0x3b/0x50
[ 13.120116]  __kasan_kmalloc+0xb7/0xc0
[ 13.120275]  __kmalloc_cache_noprof+0x189/0x420
[ 13.120625]  ksize_uaf+0xaa/0x6c0
[ 13.121078]  kunit_try_run_case+0x1a5/0x480
[ 13.121388]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.121623]  kthread+0x337/0x6f0
[ 13.121966]  ret_from_fork+0x116/0x1d0
[ 13.122270]  ret_from_fork_asm+0x1a/0x30
[ 13.122473]
[ 13.122557] Freed by task 214:
[ 13.123011]  kasan_save_stack+0x45/0x70
[ 13.123160]  kasan_save_track+0x18/0x40
[ 13.123296]  kasan_save_free_info+0x3f/0x60
[ 13.123452]  __kasan_slab_free+0x56/0x70
[ 13.123900]  kfree+0x222/0x3f0
[ 13.124027]  ksize_uaf+0x12c/0x6c0
[ 13.124171]  kunit_try_run_case+0x1a5/0x480
[ 13.124823]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.125457]  kthread+0x337/0x6f0
[ 13.125883]  ret_from_fork+0x116/0x1d0
[ 13.126384]  ret_from_fork_asm+0x1a/0x30
[ 13.126917]
[ 13.127133] The buggy address belongs to the object at ffff888102655500
[ 13.127133]  which belongs to the cache kmalloc-128 of size 128
[ 13.127971] The buggy address is located 0 bytes inside of
[ 13.127971]  freed 128-byte region [ffff888102655500, ffff888102655580)
[ 13.129226]
[ 13.129307] The buggy address belongs to the physical page:
[ 13.129482] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102655
[ 13.129821] flags: 0x200000000000000(node=0|zone=2)
[ 13.130549] page_type: f5(slab)
[ 13.130896] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 13.131742] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 13.132512] page dumped because: kasan: bad access detected
[ 13.133298]
[ 13.133393] Memory state around the buggy address:
[ 13.133551]  ffff888102655400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.134111]  ffff888102655480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.135046] >ffff888102655500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.135795]                    ^
[ 13.136284]  ffff888102655580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.136545]  ffff888102655600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.137327] ==================================================================
[ 13.079008] ==================================================================
[ 13.079862] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 13.080167] Read of size 1 at addr ffff888102655500 by task kunit_try_catch/214
[ 13.080558]
[ 13.080655] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 13.081168] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.081182] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.081203] Call Trace:
[ 13.081215]  <TASK>
[ 13.081232]  dump_stack_lvl+0x73/0xb0
[ 13.081265]  print_report+0xd1/0x650
[ 13.081288]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.081312]  ? ksize_uaf+0x19d/0x6c0
[ 13.081332]  ? kasan_complete_mode_report_info+0x64/0x200
[ 13.081354]  ? ksize_uaf+0x19d/0x6c0
[ 13.081375]  kasan_report+0x141/0x180
[ 13.081396]  ? ksize_uaf+0x19d/0x6c0
[ 13.081419]  ? ksize_uaf+0x19d/0x6c0
[ 13.081439]  __kasan_check_byte+0x3d/0x50
[ 13.081461]  ksize+0x20/0x60
[ 13.081481]  ksize_uaf+0x19d/0x6c0
[ 13.081501]  ? __pfx_ksize_uaf+0x10/0x10
[ 13.081522]  ? __schedule+0x10cc/0x2b60
[ 13.081545]  ? __pfx_read_tsc+0x10/0x10
[ 13.081565]  ? ktime_get_ts64+0x86/0x230
[ 13.081589]  kunit_try_run_case+0x1a5/0x480
[ 13.081614]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.081637]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.081692]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.081715]  ? __kthread_parkme+0x82/0x180
[ 13.081736]  ? preempt_count_sub+0x50/0x80
[ 13.081772]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.081796]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.081820]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.081845]  kthread+0x337/0x6f0
[ 13.081864]  ? trace_preempt_on+0x20/0xc0
[ 13.081887]  ? __pfx_kthread+0x10/0x10
[ 13.081907]  ? _raw_spin_unlock_irq+0x47/0x80
[ 13.081929]  ? calculate_sigpending+0x7b/0xa0
[ 13.081953]  ? __pfx_kthread+0x10/0x10
[ 13.081974]  ret_from_fork+0x116/0x1d0
[ 13.081992]  ? __pfx_kthread+0x10/0x10
[ 13.082012]  ret_from_fork_asm+0x1a/0x30
[ 13.082043]  </TASK>
[ 13.082054]
[ 13.092353] Allocated by task 214:
[ 13.092542]  kasan_save_stack+0x45/0x70
[ 13.092913]  kasan_save_track+0x18/0x40
[ 13.093076]  kasan_save_alloc_info+0x3b/0x50
[ 13.093271]  __kasan_kmalloc+0xb7/0xc0
[ 13.093451]  __kmalloc_cache_noprof+0x189/0x420
[ 13.093652]  ksize_uaf+0xaa/0x6c0
[ 13.094282]  kunit_try_run_case+0x1a5/0x480
[ 13.094484]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.094763]  kthread+0x337/0x6f0
[ 13.095174]  ret_from_fork+0x116/0x1d0
[ 13.095336]  ret_from_fork_asm+0x1a/0x30
[ 13.095542]
[ 13.095640] Freed by task 214:
[ 13.096046]  kasan_save_stack+0x45/0x70
[ 13.096313]  kasan_save_track+0x18/0x40
[ 13.096833]  kasan_save_free_info+0x3f/0x60
[ 13.097143]  __kasan_slab_free+0x56/0x70
[ 13.097333]  kfree+0x222/0x3f0
[ 13.097486]  ksize_uaf+0x12c/0x6c0
[ 13.097899]  kunit_try_run_case+0x1a5/0x480
[ 13.098117]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.098332]  kthread+0x337/0x6f0
[ 13.098497]  ret_from_fork+0x116/0x1d0
[ 13.098660]  ret_from_fork_asm+0x1a/0x30
[ 13.099136]
[ 13.099219] The buggy address belongs to the object at ffff888102655500
[ 13.099219]  which belongs to the cache kmalloc-128 of size 128
[ 13.100050] The buggy address is located 0 bytes inside of
[ 13.100050]  freed 128-byte region [ffff888102655500, ffff888102655580)
[ 13.100514]
[ 13.100621] The buggy address belongs to the physical page:
[ 13.100942] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102655
[ 13.101312] flags: 0x200000000000000(node=0|zone=2)
[ 13.101534] page_type: f5(slab)
[ 13.101689] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 13.102433] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 13.102866] page dumped because: kasan: bad access detected
[ 13.103280]
[ 13.103357] Memory state around the buggy address:
[ 13.103583]  ffff888102655400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.104327]  ffff888102655480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.104944] >ffff888102655500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.105249]                    ^
[ 13.105401]  ffff888102655580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.105885]  ffff888102655600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.106167] ==================================================================
```