Date
July 8, 2025, 11:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 19.610591] ================================================================== [ 19.610678] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 19.610727] Read of size 1 at addr fff00000c6343f00 by task kunit_try_catch/196 [ 19.610777] [ 19.610805] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 19.610885] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.610916] Hardware name: linux,dummy-virt (DT) [ 19.610949] Call trace: [ 19.610971] show_stack+0x20/0x38 (C) [ 19.611018] dump_stack_lvl+0x8c/0xd0 [ 19.611062] print_report+0x118/0x608 [ 19.611117] kasan_report+0xdc/0x128 [ 19.611174] __asan_report_load1_noabort+0x20/0x30 [ 19.611289] ksize_uaf+0x598/0x5f8 [ 19.611335] kunit_try_run_case+0x170/0x3f0 [ 19.611380] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.611578] kthread+0x328/0x630 [ 19.612005] ret_from_fork+0x10/0x20 [ 19.612112] [ 19.612130] Allocated by task 196: [ 19.612195] kasan_save_stack+0x3c/0x68 [ 19.612316] kasan_save_track+0x20/0x40 [ 19.612355] kasan_save_alloc_info+0x40/0x58 [ 19.612415] __kasan_kmalloc+0xd4/0xd8 [ 19.612451] __kmalloc_cache_noprof+0x16c/0x3c0 [ 19.612492] ksize_uaf+0xb8/0x5f8 [ 19.612525] kunit_try_run_case+0x170/0x3f0 [ 19.612564] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.612608] kthread+0x328/0x630 [ 19.612688] ret_from_fork+0x10/0x20 [ 19.612761] [ 19.612852] Freed by task 196: [ 19.612897] kasan_save_stack+0x3c/0x68 [ 19.612937] kasan_save_track+0x20/0x40 [ 19.612973] kasan_save_free_info+0x4c/0x78 [ 19.613014] __kasan_slab_free+0x6c/0x98 [ 19.613051] kfree+0x214/0x3c8 [ 19.613082] ksize_uaf+0x11c/0x5f8 [ 19.613117] kunit_try_run_case+0x170/0x3f0 [ 19.613153] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.613250] kthread+0x328/0x630 [ 19.613343] ret_from_fork+0x10/0x20 [ 19.613381] [ 19.613452] The buggy address belongs to the object at fff00000c6343f00 [ 19.613452] which belongs to the cache kmalloc-128 of size 128 [ 19.613555] The buggy address is located 0 bytes inside of [ 19.613555] freed 128-byte region [fff00000c6343f00, fff00000c6343f80) [ 19.613726] [ 19.613744] The buggy address belongs to the physical page: [ 19.613776] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106343 [ 19.613895] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 19.613978] page_type: f5(slab) [ 19.614386] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 19.614513] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.614722] page dumped because: kasan: bad access detected [ 19.614755] [ 19.614794] Memory state around the buggy address: [ 19.614932] fff00000c6343e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.615037] fff00000c6343e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.615135] >fff00000c6343f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.615239] ^ [ 19.615267] fff00000c6343f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.615457] fff00000c6344000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 19.615505] ================================================================== [ 19.604415] ================================================================== [ 19.604473] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 19.604556] Read of size 1 at addr fff00000c6343f00 by task kunit_try_catch/196 [ 19.604606] [ 19.604637] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 19.604721] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.604747] Hardware name: linux,dummy-virt (DT) [ 19.604778] Call trace: [ 19.604799] show_stack+0x20/0x38 (C) [ 19.604969] dump_stack_lvl+0x8c/0xd0 [ 19.605016] print_report+0x118/0x608 [ 19.605171] kasan_report+0xdc/0x128 [ 19.605217] __kasan_check_byte+0x54/0x70 [ 19.605380] ksize+0x30/0x88 [ 19.605431] ksize_uaf+0x168/0x5f8 [ 19.605644] kunit_try_run_case+0x170/0x3f0 [ 19.605691] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.605743] kthread+0x328/0x630 [ 19.605784] ret_from_fork+0x10/0x20 [ 19.605886] [ 19.605906] Allocated by task 196: [ 19.605934] kasan_save_stack+0x3c/0x68 [ 19.605975] kasan_save_track+0x20/0x40 [ 19.606033] kasan_save_alloc_info+0x40/0x58 [ 19.606320] __kasan_kmalloc+0xd4/0xd8 [ 19.606359] __kmalloc_cache_noprof+0x16c/0x3c0 [ 19.606398] ksize_uaf+0xb8/0x5f8 [ 19.606527] kunit_try_run_case+0x170/0x3f0 [ 19.606566] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.606659] kthread+0x328/0x630 [ 19.606692] ret_from_fork+0x10/0x20 [ 19.606728] [ 19.606746] Freed by task 196: [ 19.606919] kasan_save_stack+0x3c/0x68 [ 19.607037] kasan_save_track+0x20/0x40 [ 19.607253] kasan_save_free_info+0x4c/0x78 [ 19.607324] __kasan_slab_free+0x6c/0x98 [ 19.607361] kfree+0x214/0x3c8 [ 19.607405] ksize_uaf+0x11c/0x5f8 [ 19.607564] kunit_try_run_case+0x170/0x3f0 [ 19.607604] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.607714] kthread+0x328/0x630 [ 19.607750] ret_from_fork+0x10/0x20 [ 19.607785] [ 19.607806] The buggy address belongs to the object at fff00000c6343f00 [ 19.607806] which belongs to the cache kmalloc-128 of size 128 [ 19.607865] The buggy address is located 0 bytes inside of [ 19.607865] freed 128-byte region [fff00000c6343f00, fff00000c6343f80) [ 19.607958] [ 19.607978] The buggy address belongs to the physical page: [ 19.608009] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106343 [ 19.608061] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 19.608177] page_type: f5(slab) [ 19.608238] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 19.608344] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.608430] page dumped because: kasan: bad access detected [ 19.608569] [ 19.608587] Memory state around the buggy address: [ 19.608686] fff00000c6343e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.608779] fff00000c6343e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.608853] >fff00000c6343f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.608894] ^ [ 19.608975] fff00000c6343f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.609173] fff00000c6344000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 19.609268] ================================================================== [ 19.616848] ================================================================== [ 19.616900] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 19.616997] Read of size 1 at addr fff00000c6343f78 by task kunit_try_catch/196 [ 19.617046] [ 19.617132] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 19.617225] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.617252] Hardware name: linux,dummy-virt (DT) [ 19.617280] Call trace: [ 19.617301] show_stack+0x20/0x38 (C) [ 19.617348] dump_stack_lvl+0x8c/0xd0 [ 19.617393] print_report+0x118/0x608 [ 19.617439] kasan_report+0xdc/0x128 [ 19.617482] __asan_report_load1_noabort+0x20/0x30 [ 19.617544] ksize_uaf+0x544/0x5f8 [ 19.617589] kunit_try_run_case+0x170/0x3f0 [ 19.617759] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.617815] kthread+0x328/0x630 [ 19.617856] ret_from_fork+0x10/0x20 [ 19.617934] [ 19.617951] Allocated by task 196: [ 19.617979] kasan_save_stack+0x3c/0x68 [ 19.618019] kasan_save_track+0x20/0x40 [ 19.618062] kasan_save_alloc_info+0x40/0x58 [ 19.618137] __kasan_kmalloc+0xd4/0xd8 [ 19.618183] __kmalloc_cache_noprof+0x16c/0x3c0 [ 19.618229] ksize_uaf+0xb8/0x5f8 [ 19.618328] kunit_try_run_case+0x170/0x3f0 [ 19.618391] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.618581] kthread+0x328/0x630 [ 19.618689] ret_from_fork+0x10/0x20 [ 19.618745] [ 19.618779] Freed by task 196: [ 19.618806] kasan_save_stack+0x3c/0x68 [ 19.618843] kasan_save_track+0x20/0x40 [ 19.618881] kasan_save_free_info+0x4c/0x78 [ 19.618925] __kasan_slab_free+0x6c/0x98 [ 19.618962] kfree+0x214/0x3c8 [ 19.618995] ksize_uaf+0x11c/0x5f8 [ 19.619030] kunit_try_run_case+0x170/0x3f0 [ 19.619068] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.619113] kthread+0x328/0x630 [ 19.619146] ret_from_fork+0x10/0x20 [ 19.619190] [ 19.619208] The buggy address belongs to the object at fff00000c6343f00 [ 19.619208] which belongs to the cache kmalloc-128 of size 128 [ 19.619303] The buggy address is located 120 bytes inside of [ 19.619303] freed 128-byte region [fff00000c6343f00, fff00000c6343f80) [ 19.619409] [ 19.619428] The buggy address belongs to the physical page: [ 19.619460] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106343 [ 19.619521] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 19.619569] page_type: f5(slab) [ 19.619605] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 19.619772] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.619868] page dumped because: kasan: bad access detected [ 19.619900] [ 19.619917] Memory state around the buggy address: [ 19.619970] fff00000c6343e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.620014] fff00000c6343e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.620056] >fff00000c6343f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.620130] ^ [ 19.620182] fff00000c6343f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.620224] fff00000c6344000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 19.620261] ==================================================================
[ 13.031591] ================================================================== [ 13.032199] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 13.032466] Read of size 1 at addr ffff888102675000 by task kunit_try_catch/214 [ 13.033087] [ 13.033452] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 13.033506] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.033517] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.033538] Call Trace: [ 13.033550] <TASK> [ 13.033567] dump_stack_lvl+0x73/0xb0 [ 13.033607] print_report+0xd1/0x650 [ 13.033629] ? __virt_addr_valid+0x1db/0x2d0 [ 13.033651] ? ksize_uaf+0x5fe/0x6c0 [ 13.033671] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.033693] ? ksize_uaf+0x5fe/0x6c0 [ 13.033717] kasan_report+0x141/0x180 [ 13.033738] ? ksize_uaf+0x5fe/0x6c0 [ 13.033763] __asan_report_load1_noabort+0x18/0x20 [ 13.033787] ksize_uaf+0x5fe/0x6c0 [ 13.033808] ? __pfx_ksize_uaf+0x10/0x10 [ 13.033829] ? __schedule+0x10cc/0x2b60 [ 13.033851] ? __pfx_read_tsc+0x10/0x10 [ 13.033871] ? ktime_get_ts64+0x86/0x230 [ 13.033897] kunit_try_run_case+0x1a5/0x480 [ 13.034098] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.034130] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.034170] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.034194] ? __kthread_parkme+0x82/0x180 [ 13.034214] ? preempt_count_sub+0x50/0x80 [ 13.034278] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.034302] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.034327] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.034351] kthread+0x337/0x6f0 [ 13.034369] ? trace_preempt_on+0x20/0xc0 [ 13.034392] ? __pfx_kthread+0x10/0x10 [ 13.034412] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.034433] ? calculate_sigpending+0x7b/0xa0 [ 13.034457] ? __pfx_kthread+0x10/0x10 [ 13.034478] ret_from_fork+0x116/0x1d0 [ 13.034495] ? __pfx_kthread+0x10/0x10 [ 13.034515] ret_from_fork_asm+0x1a/0x30 [ 13.034547] </TASK> [ 13.034557] [ 13.046870] Allocated by task 214: [ 13.047279] kasan_save_stack+0x45/0x70 [ 13.047635] kasan_save_track+0x18/0x40 [ 13.047826] kasan_save_alloc_info+0x3b/0x50 [ 13.048380] __kasan_kmalloc+0xb7/0xc0 [ 13.048738] __kmalloc_cache_noprof+0x189/0x420 [ 13.049215] ksize_uaf+0xaa/0x6c0 [ 13.049405] kunit_try_run_case+0x1a5/0x480 [ 13.049742] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.050398] kthread+0x337/0x6f0 [ 13.050658] ret_from_fork+0x116/0x1d0 [ 13.050978] ret_from_fork_asm+0x1a/0x30 [ 13.051173] [ 13.051264] Freed by task 214: [ 13.051411] kasan_save_stack+0x45/0x70 [ 13.051967] kasan_save_track+0x18/0x40 [ 13.052283] kasan_save_free_info+0x3f/0x60 [ 13.052872] __kasan_slab_free+0x56/0x70 [ 13.053137] kfree+0x222/0x3f0 [ 13.053295] ksize_uaf+0x12c/0x6c0 [ 13.053456] kunit_try_run_case+0x1a5/0x480 [ 13.054015] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.054283] kthread+0x337/0x6f0 [ 13.054441] ret_from_fork+0x116/0x1d0 [ 13.054941] ret_from_fork_asm+0x1a/0x30 [ 13.055267] [ 13.055512] The buggy address belongs to the object at ffff888102675000 [ 13.055512] which belongs to the cache kmalloc-128 of size 128 [ 13.056488] The buggy address is located 0 bytes inside of [ 13.056488] freed 128-byte region [ffff888102675000, ffff888102675080) [ 13.057327] [ 13.057500] The buggy address belongs to the physical page: [ 13.057757] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102675 [ 13.058549] flags: 0x200000000000000(node=0|zone=2) [ 13.058868] page_type: f5(slab) [ 13.059083] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.059393] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.059768] page dumped because: kasan: bad access detected [ 13.060408] [ 13.060500] Memory state around the buggy address: [ 13.060711] ffff888102674f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.061067] ffff888102674f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.061357] >ffff888102675000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.062123] ^ [ 13.062446] ffff888102675080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.062771] ffff888102675100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.063424] ================================================================== [ 13.064881] ================================================================== [ 13.065627] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 13.065980] Read of size 1 at addr ffff888102675078 by task kunit_try_catch/214 [ 13.066288] [ 13.066395] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 13.066437] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.066448] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.066469] Call Trace: [ 13.066482] <TASK> [ 13.066500] dump_stack_lvl+0x73/0xb0 [ 13.066530] print_report+0xd1/0x650 [ 13.066553] ? __virt_addr_valid+0x1db/0x2d0 [ 13.066577] ? ksize_uaf+0x5e4/0x6c0 [ 13.066596] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.066630] ? ksize_uaf+0x5e4/0x6c0 [ 13.066650] kasan_report+0x141/0x180 [ 13.066671] ? ksize_uaf+0x5e4/0x6c0 [ 13.066695] __asan_report_load1_noabort+0x18/0x20 [ 13.066720] ksize_uaf+0x5e4/0x6c0 [ 13.066739] ? __pfx_ksize_uaf+0x10/0x10 [ 13.066760] ? __schedule+0x10cc/0x2b60 [ 13.066782] ? __pfx_read_tsc+0x10/0x10 [ 13.066814] ? ktime_get_ts64+0x86/0x230 [ 13.066840] kunit_try_run_case+0x1a5/0x480 [ 13.066863] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.066897] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.066921] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.066945] ? __kthread_parkme+0x82/0x180 [ 13.066965] ? preempt_count_sub+0x50/0x80 [ 13.066989] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.067012] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.067036] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.067122] kthread+0x337/0x6f0 [ 13.067142] ? trace_preempt_on+0x20/0xc0 [ 13.067166] ? __pfx_kthread+0x10/0x10 [ 13.067187] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.067208] ? calculate_sigpending+0x7b/0xa0 [ 13.067232] ? __pfx_kthread+0x10/0x10 [ 13.067253] ret_from_fork+0x116/0x1d0 [ 13.067270] ? __pfx_kthread+0x10/0x10 [ 13.067302] ret_from_fork_asm+0x1a/0x30 [ 13.067333] </TASK> [ 13.067343] [ 13.075252] Allocated by task 214: [ 13.075456] kasan_save_stack+0x45/0x70 [ 13.075679] kasan_save_track+0x18/0x40 [ 13.075862] kasan_save_alloc_info+0x3b/0x50 [ 13.076217] __kasan_kmalloc+0xb7/0xc0 [ 13.076423] __kmalloc_cache_noprof+0x189/0x420 [ 13.076582] ksize_uaf+0xaa/0x6c0 [ 13.076714] kunit_try_run_case+0x1a5/0x480 [ 13.076860] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.077137] kthread+0x337/0x6f0 [ 13.077302] ret_from_fork+0x116/0x1d0 [ 13.077485] ret_from_fork_asm+0x1a/0x30 [ 13.077898] [ 13.078050] Freed by task 214: [ 13.078211] kasan_save_stack+0x45/0x70 [ 13.078355] kasan_save_track+0x18/0x40 [ 13.078518] kasan_save_free_info+0x3f/0x60 [ 13.078740] __kasan_slab_free+0x56/0x70 [ 13.079020] kfree+0x222/0x3f0 [ 13.079173] ksize_uaf+0x12c/0x6c0 [ 13.079352] kunit_try_run_case+0x1a5/0x480 [ 13.079612] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.079855] kthread+0x337/0x6f0 [ 13.080105] ret_from_fork+0x116/0x1d0 [ 13.080305] ret_from_fork_asm+0x1a/0x30 [ 13.080523] [ 13.080607] The buggy address belongs to the object at ffff888102675000 [ 13.080607] which belongs to the cache kmalloc-128 of size 128 [ 13.080980] The buggy address is located 120 bytes inside of [ 13.080980] freed 128-byte region [ffff888102675000, ffff888102675080) [ 13.081986] [ 13.082094] The buggy address belongs to the physical page: [ 13.082397] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102675 [ 13.082763] flags: 0x200000000000000(node=0|zone=2) [ 13.082941] page_type: f5(slab) [ 13.083217] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.083630] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.083938] page dumped because: kasan: bad access detected [ 13.084107] [ 13.084175] Memory state around the buggy address: [ 13.084328] ffff888102674f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.084648] ffff888102674f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.084980] >ffff888102675000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.085570] ^ [ 13.085809] ffff888102675080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.086398] ffff888102675100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.086786] ================================================================== [ 12.998509] ================================================================== [ 12.999607] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 12.999827] Read of size 1 at addr ffff888102675000 by task kunit_try_catch/214 [ 13.000047] [ 13.000135] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 13.000185] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.000196] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.000216] Call Trace: [ 13.000228] <TASK> [ 13.000242] dump_stack_lvl+0x73/0xb0 [ 13.000271] print_report+0xd1/0x650 [ 13.000293] ? __virt_addr_valid+0x1db/0x2d0 [ 13.000316] ? ksize_uaf+0x19d/0x6c0 [ 13.000335] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.000357] ? ksize_uaf+0x19d/0x6c0 [ 13.000377] kasan_report+0x141/0x180 [ 13.000398] ? ksize_uaf+0x19d/0x6c0 [ 13.000421] ? ksize_uaf+0x19d/0x6c0 [ 13.000441] __kasan_check_byte+0x3d/0x50 [ 13.000463] ksize+0x20/0x60 [ 13.000482] ksize_uaf+0x19d/0x6c0 [ 13.000502] ? __pfx_ksize_uaf+0x10/0x10 [ 13.000523] ? __schedule+0x10cc/0x2b60 [ 13.000544] ? __pfx_read_tsc+0x10/0x10 [ 13.000564] ? ktime_get_ts64+0x86/0x230 [ 13.000588] kunit_try_run_case+0x1a5/0x480 [ 13.000620] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.000642] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.000665] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.000689] ? __kthread_parkme+0x82/0x180 [ 13.000709] ? preempt_count_sub+0x50/0x80 [ 13.000733] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.000758] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.000782] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.000806] kthread+0x337/0x6f0 [ 13.000824] ? trace_preempt_on+0x20/0xc0 [ 13.000847] ? __pfx_kthread+0x10/0x10 [ 13.000903] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.000924] ? calculate_sigpending+0x7b/0xa0 [ 13.000948] ? __pfx_kthread+0x10/0x10 [ 13.000983] ret_from_fork+0x116/0x1d0 [ 13.001000] ? __pfx_kthread+0x10/0x10 [ 13.001020] ret_from_fork_asm+0x1a/0x30 [ 13.001063] </TASK> [ 13.001072] [ 13.012269] Allocated by task 214: [ 13.012823] kasan_save_stack+0x45/0x70 [ 13.013270] kasan_save_track+0x18/0x40 [ 13.013560] kasan_save_alloc_info+0x3b/0x50 [ 13.013920] __kasan_kmalloc+0xb7/0xc0 [ 13.014280] __kmalloc_cache_noprof+0x189/0x420 [ 13.014680] ksize_uaf+0xaa/0x6c0 [ 13.014844] kunit_try_run_case+0x1a5/0x480 [ 13.015262] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.015658] kthread+0x337/0x6f0 [ 13.015953] ret_from_fork+0x116/0x1d0 [ 13.016297] ret_from_fork_asm+0x1a/0x30 [ 13.016477] [ 13.016876] Freed by task 214: [ 13.017130] kasan_save_stack+0x45/0x70 [ 13.017440] kasan_save_track+0x18/0x40 [ 13.017846] kasan_save_free_info+0x3f/0x60 [ 13.018215] __kasan_slab_free+0x56/0x70 [ 13.018398] kfree+0x222/0x3f0 [ 13.018621] ksize_uaf+0x12c/0x6c0 [ 13.018787] kunit_try_run_case+0x1a5/0x480 [ 13.019287] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.019700] kthread+0x337/0x6f0 [ 13.019873] ret_from_fork+0x116/0x1d0 [ 13.020385] ret_from_fork_asm+0x1a/0x30 [ 13.020784] [ 13.020889] The buggy address belongs to the object at ffff888102675000 [ 13.020889] which belongs to the cache kmalloc-128 of size 128 [ 13.021745] The buggy address is located 0 bytes inside of [ 13.021745] freed 128-byte region [ffff888102675000, ffff888102675080) [ 13.022796] [ 13.023059] The buggy address belongs to the physical page: [ 13.023383] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102675 [ 13.024081] flags: 0x200000000000000(node=0|zone=2) [ 13.024509] page_type: f5(slab) [ 13.024826] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.025441] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.026037] page dumped because: kasan: bad access detected [ 13.026281] [ 13.026372] Memory state around the buggy address: [ 13.026816] ffff888102674f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.027519] ffff888102674f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.028191] >ffff888102675000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.028663] ^ [ 13.028968] ffff888102675080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.029641] ffff888102675100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.030374] ==================================================================