Date
July 12, 2025, 11:09 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[   16.892602] ==================================================================
[   16.892677] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   16.892743] Read of size 1 at addr fff00000c7897000 by task kunit_try_catch/196
[   16.892806]
[   16.892844] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[   16.892928] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.892953] Hardware name: linux,dummy-virt (DT)
[   16.893191] Call trace:
[   16.893321]  show_stack+0x20/0x38 (C)
[   16.893375]  dump_stack_lvl+0x8c/0xd0
[   16.893460]  print_report+0x118/0x5d0
[   16.893525]  kasan_report+0xdc/0x128
[   16.893571]  __asan_report_load1_noabort+0x20/0x30
[   16.893638]  ksize_uaf+0x598/0x5f8
[   16.893701]  kunit_try_run_case+0x170/0x3f0
[   16.893748]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.893799]  kthread+0x328/0x630
[   16.893842]  ret_from_fork+0x10/0x20
[   16.894150]
[   16.894190] Allocated by task 196:
[   16.894219]  kasan_save_stack+0x3c/0x68
[   16.894321]  kasan_save_track+0x20/0x40
[   16.894361]  kasan_save_alloc_info+0x40/0x58
[   16.894400]  __kasan_kmalloc+0xd4/0xd8
[   16.894466]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.894610]  ksize_uaf+0xb8/0x5f8
[   16.894645]  kunit_try_run_case+0x170/0x3f0
[   16.894780]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.894834]  kthread+0x328/0x630
[   16.894967]  ret_from_fork+0x10/0x20
[   16.895011]
[   16.895056] Freed by task 196:
[   16.895346]  kasan_save_stack+0x3c/0x68
[   16.895408]  kasan_save_track+0x20/0x40
[   16.895445]  kasan_save_free_info+0x4c/0x78
[   16.895486]  __kasan_slab_free+0x6c/0x98
[   16.895819]  kfree+0x214/0x3c8
[   16.895940]  ksize_uaf+0x11c/0x5f8
[   16.896024]  kunit_try_run_case+0x170/0x3f0
[   16.896109]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.896153]  kthread+0x328/0x630
[   16.896487]  ret_from_fork+0x10/0x20
[   16.896576]
[   16.896624] The buggy address belongs to the object at fff00000c7897000
[   16.896624]  which belongs to the cache kmalloc-128 of size 128
[   16.896793] The buggy address is located 0 bytes inside of
[   16.896793]  freed 128-byte region [fff00000c7897000, fff00000c7897080)
[   16.896868]
[   16.896905] The buggy address belongs to the physical page:
[   16.896957] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107897
[   16.897047] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.897098] page_type: f5(slab)
[   16.897146] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   16.897209] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   16.897251] page dumped because: kasan: bad access detected
[   16.897283]
[   16.897302] Memory state around the buggy address:
[   16.897351]  fff00000c7896f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   16.897397]  fff00000c7896f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   16.897444] >fff00000c7897000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   16.897490]                    ^
[   16.897528]  fff00000c7897080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.897581]  fff00000c7897100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.897630] ==================================================================
[   16.886212] ==================================================================
[   16.886291] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   16.886342] Read of size 1 at addr fff00000c7897000 by task kunit_try_catch/196
[   16.886393]
[   16.886431] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[   16.886517] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.886542] Hardware name: linux,dummy-virt (DT)
[   16.886582] Call trace:
[   16.886613]  show_stack+0x20/0x38 (C)
[   16.886660]  dump_stack_lvl+0x8c/0xd0
[   16.886703]  print_report+0x118/0x5d0
[   16.886759]  kasan_report+0xdc/0x128
[   16.886803]  __kasan_check_byte+0x54/0x70
[   16.886857]  ksize+0x30/0x88
[   16.886899]  ksize_uaf+0x168/0x5f8
[   16.886942]  kunit_try_run_case+0x170/0x3f0
[   16.886990]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.887043]  kthread+0x328/0x630
[   16.887091]  ret_from_fork+0x10/0x20
[   16.887139]
[   16.887156] Allocated by task 196:
[   16.887423]  kasan_save_stack+0x3c/0x68
[   16.887920]  kasan_save_track+0x20/0x40
[   16.887994]  kasan_save_alloc_info+0x40/0x58
[   16.888090]  __kasan_kmalloc+0xd4/0xd8
[   16.888182]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.888231]  ksize_uaf+0xb8/0x5f8
[   16.888266]  kunit_try_run_case+0x170/0x3f0
[   16.888607]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.888696]  kthread+0x328/0x630
[   16.888783]  ret_from_fork+0x10/0x20
[   16.888862]
[   16.888947] Freed by task 196:
[   16.889025]  kasan_save_stack+0x3c/0x68
[   16.889066]  kasan_save_track+0x20/0x40
[   16.889105]  kasan_save_free_info+0x4c/0x78
[   16.889143]  __kasan_slab_free+0x6c/0x98
[   16.889390]  kfree+0x214/0x3c8
[   16.889480]  ksize_uaf+0x11c/0x5f8
[   16.889563]  kunit_try_run_case+0x170/0x3f0
[   16.889695]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.889745]  kthread+0x328/0x630
[   16.889829]  ret_from_fork+0x10/0x20
[   16.889869]
[   16.889888] The buggy address belongs to the object at fff00000c7897000
[   16.889888]  which belongs to the cache kmalloc-128 of size 128
[   16.890126] The buggy address is located 0 bytes inside of
[   16.890126]  freed 128-byte region [fff00000c7897000, fff00000c7897080)
[   16.890282]
[   16.890318] The buggy address belongs to the physical page:
[   16.890389] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107897
[   16.890482] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.890531] page_type: f5(slab)
[   16.890570] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   16.890791] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   16.890941] page dumped because: kasan: bad access detected
[   16.891045]
[   16.891134] Memory state around the buggy address:
[   16.891250]  fff00000c7896f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   16.891349]  fff00000c7896f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   16.891393] >fff00000c7897000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   16.891433]                    ^
[   16.891460]  fff00000c7897080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.891503]  fff00000c7897100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.891544] ==================================================================
[   16.897851] ==================================================================
[   16.897899] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   16.897950] Read of size 1 at addr fff00000c7897078 by task kunit_try_catch/196
[   16.898001]
[   16.898029] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[   16.898417] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.898456] Hardware name: linux,dummy-virt (DT)
[   16.898507] Call trace:
[   16.898545]  show_stack+0x20/0x38 (C)
[   16.898643]  dump_stack_lvl+0x8c/0xd0
[   16.898689]  print_report+0x118/0x5d0
[   16.898733]  kasan_report+0xdc/0x128
[   16.898779]  __asan_report_load1_noabort+0x20/0x30
[   16.899131]  ksize_uaf+0x544/0x5f8
[   16.899229]  kunit_try_run_case+0x170/0x3f0
[   16.899395]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.899481]  kthread+0x328/0x630
[   16.899546]  ret_from_fork+0x10/0x20
[   16.899593]
[   16.899611] Allocated by task 196:
[   16.899769]  kasan_save_stack+0x3c/0x68
[   16.899817]  kasan_save_track+0x20/0x40
[   16.899909]  kasan_save_alloc_info+0x40/0x58
[   16.900046]  __kasan_kmalloc+0xd4/0xd8
[   16.900147]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.900246]  ksize_uaf+0xb8/0x5f8
[   16.900303]  kunit_try_run_case+0x170/0x3f0
[   16.900454]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.900501]  kthread+0x328/0x630
[   16.900965]  ret_from_fork+0x10/0x20
[   16.901089]
[   16.901195] Freed by task 196:
[   16.901253]  kasan_save_stack+0x3c/0x68
[   16.901293]  kasan_save_track+0x20/0x40
[   16.901611]  kasan_save_free_info+0x4c/0x78
[   16.901747]  __kasan_slab_free+0x6c/0x98
[   16.901839]  kfree+0x214/0x3c8
[   16.901922]  ksize_uaf+0x11c/0x5f8
[   16.902043]  kunit_try_run_case+0x170/0x3f0
[   16.902135]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.902190]  kthread+0x328/0x630
[   16.902465]  ret_from_fork+0x10/0x20
[   16.902564]
[   16.902627] The buggy address belongs to the object at fff00000c7897000
[   16.902627]  which belongs to the cache kmalloc-128 of size 128
[   16.902776] The buggy address is located 120 bytes inside of
[   16.902776]  freed 128-byte region [fff00000c7897000, fff00000c7897080)
[   16.902857]
[   16.902932] The buggy address belongs to the physical page:
[   16.903133] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107897
[   16.903361] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.903438] page_type: f5(slab)
[   16.903476] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   16.903543] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   16.903586] page dumped because: kasan: bad access detected
[   16.903867]
[   16.903964] Memory state around the buggy address:
[   16.903999]  fff00000c7896f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   16.904124]  fff00000c7896f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   16.904445] >fff00000c7897000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   16.904534]                                                                 ^
[   16.904629]  fff00000c7897080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.904686]  fff00000c7897100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.904739] ==================================================================
```
qemu-x86_64:

```text
[   13.511903] ==================================================================
[   13.512438] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   13.512814] Read of size 1 at addr ffff8881029ef978 by task kunit_try_catch/213
[   13.513211]
[   13.513312] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[   13.513352] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.513400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.513419] Call Trace:
[   13.513445]  <TASK>
[   13.513471]  dump_stack_lvl+0x73/0xb0
[   13.513527]  print_report+0xd1/0x610
[   13.513550]  ? __virt_addr_valid+0x1db/0x2d0
[   13.513572]  ? ksize_uaf+0x5e4/0x6c0
[   13.513629]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.513664]  ? ksize_uaf+0x5e4/0x6c0
[   13.513695]  kasan_report+0x141/0x180
[   13.513717]  ? ksize_uaf+0x5e4/0x6c0
[   13.513744]  __asan_report_load1_noabort+0x18/0x20
[   13.513769]  ksize_uaf+0x5e4/0x6c0
[   13.513789]  ? __pfx_ksize_uaf+0x10/0x10
[   13.513811]  ? __schedule+0x10cc/0x2b60
[   13.513832]  ? __pfx_read_tsc+0x10/0x10
[   13.513852]  ? ktime_get_ts64+0x86/0x230
[   13.513877]  kunit_try_run_case+0x1a5/0x480
[   13.513900]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.513923]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.513947]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.514001]  ? __kthread_parkme+0x82/0x180
[   13.514021]  ? preempt_count_sub+0x50/0x80
[   13.514100]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.514128]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.514153]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.514179]  kthread+0x337/0x6f0
[   13.514198]  ? trace_preempt_on+0x20/0xc0
[   13.514221]  ? __pfx_kthread+0x10/0x10
[   13.514241]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.514308]  ? calculate_sigpending+0x7b/0xa0
[   13.514332]  ? __pfx_kthread+0x10/0x10
[   13.514387]  ret_from_fork+0x116/0x1d0
[   13.514405]  ? __pfx_kthread+0x10/0x10
[   13.514426]  ret_from_fork_asm+0x1a/0x30
[   13.514466]  </TASK>
[   13.514476]
[   13.523273] Allocated by task 213:
[   13.523413]  kasan_save_stack+0x45/0x70
[   13.523559]  kasan_save_track+0x18/0x40
[   13.523743]  kasan_save_alloc_info+0x3b/0x50
[   13.524001]  __kasan_kmalloc+0xb7/0xc0
[   13.524193]  __kmalloc_cache_noprof+0x189/0x420
[   13.524557]  ksize_uaf+0xaa/0x6c0
[   13.524756]  kunit_try_run_case+0x1a5/0x480
[   13.524968]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.525255]  kthread+0x337/0x6f0
[   13.525427]  ret_from_fork+0x116/0x1d0
[   13.525694]  ret_from_fork_asm+0x1a/0x30
[   13.525917]
[   13.525988] Freed by task 213:
[   13.526211]  kasan_save_stack+0x45/0x70
[   13.526466]  kasan_save_track+0x18/0x40
[   13.526645]  kasan_save_free_info+0x3f/0x60
[   13.526855]  __kasan_slab_free+0x56/0x70
[   13.527316]  kfree+0x222/0x3f0
[   13.527450]  ksize_uaf+0x12c/0x6c0
[   13.527612]  kunit_try_run_case+0x1a5/0x480
[   13.527878]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.528135]  kthread+0x337/0x6f0
[   13.528339]  ret_from_fork+0x116/0x1d0
[   13.528643]  ret_from_fork_asm+0x1a/0x30
[   13.528788]
[   13.528860] The buggy address belongs to the object at ffff8881029ef900
[   13.528860]  which belongs to the cache kmalloc-128 of size 128
[   13.529731] The buggy address is located 120 bytes inside of
[   13.529731]  freed 128-byte region [ffff8881029ef900, ffff8881029ef980)
[   13.530355]
[   13.530431] The buggy address belongs to the physical page:
[   13.530720] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029ef
[   13.531097] flags: 0x200000000000000(node=0|zone=2)
[   13.531502] page_type: f5(slab)
[   13.531627] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.531943] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.532467] page dumped because: kasan: bad access detected
[   13.532830]
[   13.532904] Memory state around the buggy address:
[   13.533086]  ffff8881029ef800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.533416]  ffff8881029ef880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.533699] >ffff8881029ef900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.533991]                                                                 ^
[   13.534298]  ffff8881029ef980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.534607]  ffff8881029efa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.534906] ==================================================================
[   13.467022] ==================================================================
[   13.467578] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   13.467844] Read of size 1 at addr ffff8881029ef900 by task kunit_try_catch/213
[   13.468139]
[   13.468241] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[   13.468297] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.468310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.468332] Call Trace:
[   13.468344]  <TASK>
[   13.468358]  dump_stack_lvl+0x73/0xb0
[   13.468390]  print_report+0xd1/0x610
[   13.468412]  ? __virt_addr_valid+0x1db/0x2d0
[   13.468437]  ? ksize_uaf+0x19d/0x6c0
[   13.468457]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.468480]  ? ksize_uaf+0x19d/0x6c0
[   13.468501]  kasan_report+0x141/0x180
[   13.468523]  ? ksize_uaf+0x19d/0x6c0
[   13.468547]  ? ksize_uaf+0x19d/0x6c0
[   13.468567]  __kasan_check_byte+0x3d/0x50
[   13.468590]  ksize+0x20/0x60
[   13.468610]  ksize_uaf+0x19d/0x6c0
[   13.468630]  ? __pfx_ksize_uaf+0x10/0x10
[   13.468652]  ? __schedule+0x10cc/0x2b60
[   13.468675]  ? __pfx_read_tsc+0x10/0x10
[   13.468696]  ? ktime_get_ts64+0x86/0x230
[   13.468721]  kunit_try_run_case+0x1a5/0x480
[   13.468747]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.468770]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.468795]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.468818]  ? __kthread_parkme+0x82/0x180
[   13.468856]  ? preempt_count_sub+0x50/0x80
[   13.468881]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.468905]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.468931]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.468956]  kthread+0x337/0x6f0
[   13.468975]  ? trace_preempt_on+0x20/0xc0
[   13.468999]  ? __pfx_kthread+0x10/0x10
[   13.469019]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.469041]  ? calculate_sigpending+0x7b/0xa0
[   13.469083]  ? __pfx_kthread+0x10/0x10
[   13.469105]  ret_from_fork+0x116/0x1d0
[   13.469124]  ? __pfx_kthread+0x10/0x10
[   13.469144]  ret_from_fork_asm+0x1a/0x30
[   13.469175]  </TASK>
[   13.469186]
[   13.476398] Allocated by task 213:
[   13.476560]  kasan_save_stack+0x45/0x70
[   13.476723]  kasan_save_track+0x18/0x40
[   13.476908]  kasan_save_alloc_info+0x3b/0x50
[   13.477076]  __kasan_kmalloc+0xb7/0xc0
[   13.477369]  __kmalloc_cache_noprof+0x189/0x420
[   13.477556]  ksize_uaf+0xaa/0x6c0
[   13.477680]  kunit_try_run_case+0x1a5/0x480
[   13.477827]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.478004]  kthread+0x337/0x6f0
[   13.478124]  ret_from_fork+0x116/0x1d0
[   13.478255]  ret_from_fork_asm+0x1a/0x30
[   13.478404]
[   13.478474] Freed by task 213:
[   13.478630]  kasan_save_stack+0x45/0x70
[   13.478830]  kasan_save_track+0x18/0x40
[   13.479025]  kasan_save_free_info+0x3f/0x60
[   13.479237]  __kasan_slab_free+0x56/0x70
[   13.479454]  kfree+0x222/0x3f0
[   13.479645]  ksize_uaf+0x12c/0x6c0
[   13.479911]  kunit_try_run_case+0x1a5/0x480
[   13.480193]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.480805]  kthread+0x337/0x6f0
[   13.481282]  ret_from_fork+0x116/0x1d0
[   13.481702]  ret_from_fork_asm+0x1a/0x30
[   13.482830]
[   13.482936] The buggy address belongs to the object at ffff8881029ef900
[   13.482936]  which belongs to the cache kmalloc-128 of size 128
[   13.483690] The buggy address is located 0 bytes inside of
[   13.483690]  freed 128-byte region [ffff8881029ef900, ffff8881029ef980)
[   13.484526]
[   13.484644] The buggy address belongs to the physical page:
[   13.484844] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029ef
[   13.485233] flags: 0x200000000000000(node=0|zone=2)
[   13.485670] page_type: f5(slab)
[   13.485814] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.486234] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.486765] page dumped because: kasan: bad access detected
[   13.486945]
[   13.487150] Memory state around the buggy address:
[   13.487391]  ffff8881029ef800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.487747]  ffff8881029ef880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.488011] >ffff8881029ef900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.488362]                    ^
[   13.488524]  ffff8881029ef980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.489207]  ffff8881029efa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.489614] ==================================================================
[   13.490348] ==================================================================
[   13.490627] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   13.490937] Read of size 1 at addr ffff8881029ef900 by task kunit_try_catch/213
[   13.491502]
[   13.491612] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[   13.491654] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.491665] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.491685] Call Trace:
[   13.491697]  <TASK>
[   13.491711]  dump_stack_lvl+0x73/0xb0
[   13.491740]  print_report+0xd1/0x610
[   13.491762]  ? __virt_addr_valid+0x1db/0x2d0
[   13.491785]  ? ksize_uaf+0x5fe/0x6c0
[   13.491805]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.491829]  ? ksize_uaf+0x5fe/0x6c0
[   13.491849]  kasan_report+0x141/0x180
[   13.491871]  ? ksize_uaf+0x5fe/0x6c0
[   13.491896]  __asan_report_load1_noabort+0x18/0x20
[   13.491921]  ksize_uaf+0x5fe/0x6c0
[   13.491941]  ? __pfx_ksize_uaf+0x10/0x10
[   13.491963]  ? __schedule+0x10cc/0x2b60
[   13.492029]  ? __pfx_read_tsc+0x10/0x10
[   13.492050]  ? ktime_get_ts64+0x86/0x230
[   13.492087]  kunit_try_run_case+0x1a5/0x480
[   13.492111]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.492135]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.492159]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.492183]  ? __kthread_parkme+0x82/0x180
[   13.492202]  ? preempt_count_sub+0x50/0x80
[   13.492227]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.492251]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.492348]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.492376]  kthread+0x337/0x6f0
[   13.492395]  ? trace_preempt_on+0x20/0xc0
[   13.492419]  ? __pfx_kthread+0x10/0x10
[   13.492440]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.492461]  ? calculate_sigpending+0x7b/0xa0
[   13.492485]  ? __pfx_kthread+0x10/0x10
[   13.492506]  ret_from_fork+0x116/0x1d0
[   13.492524]  ? __pfx_kthread+0x10/0x10
[   13.492544]  ret_from_fork_asm+0x1a/0x30
[   13.492575]  </TASK>
[   13.492585]
[   13.500010] Allocated by task 213:
[   13.500246]  kasan_save_stack+0x45/0x70
[   13.500463]  kasan_save_track+0x18/0x40
[   13.500661]  kasan_save_alloc_info+0x3b/0x50
[   13.500874]  __kasan_kmalloc+0xb7/0xc0
[   13.501059]  __kmalloc_cache_noprof+0x189/0x420
[   13.501295]  ksize_uaf+0xaa/0x6c0
[   13.501451]  kunit_try_run_case+0x1a5/0x480
[   13.501687]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.502024]  kthread+0x337/0x6f0
[   13.502173]  ret_from_fork+0x116/0x1d0
[   13.502316]  ret_from_fork_asm+0x1a/0x30
[   13.502457]
[   13.502528] Freed by task 213:
[   13.502639]  kasan_save_stack+0x45/0x70
[   13.502783]  kasan_save_track+0x18/0x40
[   13.502917]  kasan_save_free_info+0x3f/0x60
[   13.503124]  __kasan_slab_free+0x56/0x70
[   13.503328]  kfree+0x222/0x3f0
[   13.503504]  ksize_uaf+0x12c/0x6c0
[   13.503683]  kunit_try_run_case+0x1a5/0x480
[   13.503893]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.504148]  kthread+0x337/0x6f0
[   13.504441]  ret_from_fork+0x116/0x1d0
[   13.504646]  ret_from_fork_asm+0x1a/0x30
[   13.504853]
[   13.504951] The buggy address belongs to the object at ffff8881029ef900
[   13.504951]  which belongs to the cache kmalloc-128 of size 128
[   13.506282] The buggy address is located 0 bytes inside of
[   13.506282]  freed 128-byte region [ffff8881029ef900, ffff8881029ef980)
[   13.506916]
[   13.507078] The buggy address belongs to the physical page:
[   13.507332] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029ef
[   13.507577] flags: 0x200000000000000(node=0|zone=2)
[   13.507741] page_type: f5(slab)
[   13.507860] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.508136] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.508510] page dumped because: kasan: bad access detected
[   13.508768]
[   13.508862] Memory state around the buggy address:
[   13.509089]  ffff8881029ef800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.509719]  ffff8881029ef880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.510191] >ffff8881029ef900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.510471]                    ^
[   13.510637]  ffff8881029ef980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.510963]  ffff8881029efa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.511370] ==================================================================
```