Hay
Date: July 6, 2025, 11:09 p.m.

Environment: qemu-arm64, qemu-x86_64, x86

[   17.129489] ==================================================================
[   17.129666] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   17.129726] Read of size 1 at addr fff00000c77d7078 by task kunit_try_catch/197
[   17.129777] 
[   17.129811] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   17.130495] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.130536] Hardware name: linux,dummy-virt (DT)
[   17.130567] Call trace:
[   17.130591]  show_stack+0x20/0x38 (C)
[   17.130730]  dump_stack_lvl+0x8c/0xd0
[   17.130802]  print_report+0x118/0x608
[   17.130965]  kasan_report+0xdc/0x128
[   17.131018]  __asan_report_load1_noabort+0x20/0x30
[   17.131517]  ksize_uaf+0x544/0x5f8
[   17.131687]  kunit_try_run_case+0x170/0x3f0
[   17.131735]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.132676]  kthread+0x328/0x630
[   17.132904]  ret_from_fork+0x10/0x20
[   17.133245] 
[   17.133678] Allocated by task 197:
[   17.133767]  kasan_save_stack+0x3c/0x68
[   17.133812]  kasan_save_track+0x20/0x40
[   17.133850]  kasan_save_alloc_info+0x40/0x58
[   17.133891]  __kasan_kmalloc+0xd4/0xd8
[   17.133929]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.133968]  ksize_uaf+0xb8/0x5f8
[   17.134964]  kunit_try_run_case+0x170/0x3f0
[   17.135408]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.135458]  kthread+0x328/0x630
[   17.135490]  ret_from_fork+0x10/0x20
[   17.136013] 
[   17.136094] Freed by task 197:
[   17.136184]  kasan_save_stack+0x3c/0x68
[   17.136283]  kasan_save_track+0x20/0x40
[   17.136483]  kasan_save_free_info+0x4c/0x78
[   17.136809]  __kasan_slab_free+0x6c/0x98
[   17.136851]  kfree+0x214/0x3c8
[   17.137659]  ksize_uaf+0x11c/0x5f8
[   17.138498]  kunit_try_run_case+0x170/0x3f0
[   17.138778]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.138888]  kthread+0x328/0x630
[   17.138921]  ret_from_fork+0x10/0x20
[   17.139090] 
[   17.139201] The buggy address belongs to the object at fff00000c77d7000
[   17.139201]  which belongs to the cache kmalloc-128 of size 128
[   17.139346] The buggy address is located 120 bytes inside of
[   17.139346]  freed 128-byte region [fff00000c77d7000, fff00000c77d7080)
[   17.140217] 
[   17.140610] The buggy address belongs to the physical page:
[   17.140950] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077d7
[   17.141457] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.141984] page_type: f5(slab)
[   17.142344] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.142400] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.142441] page dumped because: kasan: bad access detected
[   17.143002] 
[   17.143043] Memory state around the buggy address:
[   17.143235]  fff00000c77d6f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.143632]  fff00000c77d6f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.143756] >fff00000c77d7000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.143913]                                                                 ^
[   17.144108]  fff00000c77d7080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.144237]  fff00000c77d7100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.144530] ==================================================================
[   17.108772] ==================================================================
[   17.108836] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   17.108887] Read of size 1 at addr fff00000c77d7000 by task kunit_try_catch/197
[   17.108935] 
[   17.108969] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   17.109066] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.109093] Hardware name: linux,dummy-virt (DT)
[   17.109121] Call trace:
[   17.109144]  show_stack+0x20/0x38 (C)
[   17.109191]  dump_stack_lvl+0x8c/0xd0
[   17.109424]  print_report+0x118/0x608
[   17.109486]  kasan_report+0xdc/0x128
[   17.109546]  __kasan_check_byte+0x54/0x70
[   17.110085]  ksize+0x30/0x88
[   17.110353]  ksize_uaf+0x168/0x5f8
[   17.110581]  kunit_try_run_case+0x170/0x3f0
[   17.110804]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.111335]  kthread+0x328/0x630
[   17.111486]  ret_from_fork+0x10/0x20
[   17.112015] 
[   17.112039] Allocated by task 197:
[   17.112070]  kasan_save_stack+0x3c/0x68
[   17.112282]  kasan_save_track+0x20/0x40
[   17.112585]  kasan_save_alloc_info+0x40/0x58
[   17.112645]  __kasan_kmalloc+0xd4/0xd8
[   17.112684]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.112723]  ksize_uaf+0xb8/0x5f8
[   17.113195]  kunit_try_run_case+0x170/0x3f0
[   17.113244]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.113303]  kthread+0x328/0x630
[   17.113500]  ret_from_fork+0x10/0x20
[   17.113734] 
[   17.113754] Freed by task 197:
[   17.114079]  kasan_save_stack+0x3c/0x68
[   17.114260]  kasan_save_track+0x20/0x40
[   17.114522]  kasan_save_free_info+0x4c/0x78
[   17.114568]  __kasan_slab_free+0x6c/0x98
[   17.114935]  kfree+0x214/0x3c8
[   17.115063]  ksize_uaf+0x11c/0x5f8
[   17.115496]  kunit_try_run_case+0x170/0x3f0
[   17.115539]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.115809]  kthread+0x328/0x630
[   17.115998]  ret_from_fork+0x10/0x20
[   17.116091] 
[   17.116220] The buggy address belongs to the object at fff00000c77d7000
[   17.116220]  which belongs to the cache kmalloc-128 of size 128
[   17.116551] The buggy address is located 0 bytes inside of
[   17.116551]  freed 128-byte region [fff00000c77d7000, fff00000c77d7080)
[   17.116854] 
[   17.116995] The buggy address belongs to the physical page:
[   17.117051] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077d7
[   17.117119] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.117299] page_type: f5(slab)
[   17.117389] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.117578] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.117684] page dumped because: kasan: bad access detected
[   17.117740] 
[   17.117799] Memory state around the buggy address:
[   17.117912]  fff00000c77d6f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.118089]  fff00000c77d6f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.118145] >fff00000c77d7000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.118199]                    ^
[   17.118539]  fff00000c77d7080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.118603]  fff00000c77d7100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.118698] ==================================================================
[   17.119767] ==================================================================
[   17.119822] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   17.119869] Read of size 1 at addr fff00000c77d7000 by task kunit_try_catch/197
[   17.120255] 
[   17.120351] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   17.120502] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.120559] Hardware name: linux,dummy-virt (DT)
[   17.120598] Call trace:
[   17.120690]  show_stack+0x20/0x38 (C)
[   17.120760]  dump_stack_lvl+0x8c/0xd0
[   17.120880]  print_report+0x118/0x608
[   17.120953]  kasan_report+0xdc/0x128
[   17.121016]  __asan_report_load1_noabort+0x20/0x30
[   17.121288]  ksize_uaf+0x598/0x5f8
[   17.121356]  kunit_try_run_case+0x170/0x3f0
[   17.121403]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.121453]  kthread+0x328/0x630
[   17.121493]  ret_from_fork+0x10/0x20
[   17.121539] 
[   17.121558] Allocated by task 197:
[   17.121586]  kasan_save_stack+0x3c/0x68
[   17.121638]  kasan_save_track+0x20/0x40
[   17.121676]  kasan_save_alloc_info+0x40/0x58
[   17.121715]  __kasan_kmalloc+0xd4/0xd8
[   17.121755]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.121834]  ksize_uaf+0xb8/0x5f8
[   17.121872]  kunit_try_run_case+0x170/0x3f0
[   17.122060]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.122122]  kthread+0x328/0x630
[   17.122517]  ret_from_fork+0x10/0x20
[   17.122570] 
[   17.122862] Freed by task 197:
[   17.122894]  kasan_save_stack+0x3c/0x68
[   17.123193]  kasan_save_track+0x20/0x40
[   17.123281]  kasan_save_free_info+0x4c/0x78
[   17.123337]  __kasan_slab_free+0x6c/0x98
[   17.123374]  kfree+0x214/0x3c8
[   17.123630]  ksize_uaf+0x11c/0x5f8
[   17.123671]  kunit_try_run_case+0x170/0x3f0
[   17.123938]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.123993]  kthread+0x328/0x630
[   17.124026]  ret_from_fork+0x10/0x20
[   17.124062] 
[   17.124081] The buggy address belongs to the object at fff00000c77d7000
[   17.124081]  which belongs to the cache kmalloc-128 of size 128
[   17.124141] The buggy address is located 0 bytes inside of
[   17.124141]  freed 128-byte region [fff00000c77d7000, fff00000c77d7080)
[   17.124200] 
[   17.125036] The buggy address belongs to the physical page:
[   17.125074] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077d7
[   17.125140] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.125194] page_type: f5(slab)
[   17.125231] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.125719] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.126027] page dumped because: kasan: bad access detected
[   17.126143] 
[   17.126162] Memory state around the buggy address:
[   17.126273]  fff00000c77d6f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.126683]  fff00000c77d6f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.126926] >fff00000c77d7000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.127337]                    ^
[   17.127378]  fff00000c77d7080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.127423]  fff00000c77d7100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.127466] ==================================================================

[   17.112079] ==================================================================
[   17.112399] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   17.112785] Read of size 1 at addr fff00000c63cdf78 by task kunit_try_catch/197
[   17.112852] 
[   17.112885] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   17.112997] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.113024] Hardware name: linux,dummy-virt (DT)
[   17.113061] Call trace:
[   17.113090]  show_stack+0x20/0x38 (C)
[   17.113144]  dump_stack_lvl+0x8c/0xd0
[   17.113193]  print_report+0x118/0x608
[   17.113252]  kasan_report+0xdc/0x128
[   17.113300]  __asan_report_load1_noabort+0x20/0x30
[   17.113349]  ksize_uaf+0x544/0x5f8
[   17.113392]  kunit_try_run_case+0x170/0x3f0
[   17.113438]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.113489]  kthread+0x328/0x630
[   17.113527]  ret_from_fork+0x10/0x20
[   17.113581] 
[   17.113609] Allocated by task 197:
[   17.113636]  kasan_save_stack+0x3c/0x68
[   17.113677]  kasan_save_track+0x20/0x40
[   17.113713]  kasan_save_alloc_info+0x40/0x58
[   17.113754]  __kasan_kmalloc+0xd4/0xd8
[   17.113790]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.113828]  ksize_uaf+0xb8/0x5f8
[   17.113862]  kunit_try_run_case+0x170/0x3f0
[   17.113899]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.114348]  kthread+0x328/0x630
[   17.114604]  ret_from_fork+0x10/0x20
[   17.114842] 
[   17.115010] Freed by task 197:
[   17.115417]  kasan_save_stack+0x3c/0x68
[   17.115487]  kasan_save_track+0x20/0x40
[   17.115634]  kasan_save_free_info+0x4c/0x78
[   17.115839]  __kasan_slab_free+0x6c/0x98
[   17.115892]  kfree+0x214/0x3c8
[   17.115939]  ksize_uaf+0x11c/0x5f8
[   17.116276]  kunit_try_run_case+0x170/0x3f0
[   17.116382]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.116480]  kthread+0x328/0x630
[   17.116817]  ret_from_fork+0x10/0x20
[   17.117095] 
[   17.117136] The buggy address belongs to the object at fff00000c63cdf00
[   17.117136]  which belongs to the cache kmalloc-128 of size 128
[   17.117613] The buggy address is located 120 bytes inside of
[   17.117613]  freed 128-byte region [fff00000c63cdf00, fff00000c63cdf80)
[   17.117693] 
[   17.117713] The buggy address belongs to the physical page:
[   17.117760] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063cd
[   17.118072] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.118235] page_type: f5(slab)
[   17.118276] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.118337] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.118656] page dumped because: kasan: bad access detected
[   17.118706] 
[   17.118784] Memory state around the buggy address:
[   17.119166]  fff00000c63cde00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.119281]  fff00000c63cde80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.119381] >fff00000c63cdf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.119509]                                                                 ^
[   17.119554]  fff00000c63cdf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.119615]  fff00000c63ce000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   17.119969] ==================================================================
[   17.092199] ==================================================================
[   17.092408] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   17.092473] Read of size 1 at addr fff00000c63cdf00 by task kunit_try_catch/197
[   17.092527] 
[   17.092715] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   17.093191] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.093244] Hardware name: linux,dummy-virt (DT)
[   17.093345] Call trace:
[   17.093493]  show_stack+0x20/0x38 (C)
[   17.093577]  dump_stack_lvl+0x8c/0xd0
[   17.093957]  print_report+0x118/0x608
[   17.094048]  kasan_report+0xdc/0x128
[   17.094216]  __kasan_check_byte+0x54/0x70
[   17.094344]  ksize+0x30/0x88
[   17.094499]  ksize_uaf+0x168/0x5f8
[   17.094603]  kunit_try_run_case+0x170/0x3f0
[   17.094751]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.094804]  kthread+0x328/0x630
[   17.094860]  ret_from_fork+0x10/0x20
[   17.095218] 
[   17.095258] Allocated by task 197:
[   17.095355]  kasan_save_stack+0x3c/0x68
[   17.095477]  kasan_save_track+0x20/0x40
[   17.095659]  kasan_save_alloc_info+0x40/0x58
[   17.095766]  __kasan_kmalloc+0xd4/0xd8
[   17.095973]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.096011]  ksize_uaf+0xb8/0x5f8
[   17.096433]  kunit_try_run_case+0x170/0x3f0
[   17.096517]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.096623]  kthread+0x328/0x630
[   17.096806]  ret_from_fork+0x10/0x20
[   17.097307] 
[   17.097408] Freed by task 197:
[   17.097595]  kasan_save_stack+0x3c/0x68
[   17.097746]  kasan_save_track+0x20/0x40
[   17.097893]  kasan_save_free_info+0x4c/0x78
[   17.098134]  __kasan_slab_free+0x6c/0x98
[   17.098310]  kfree+0x214/0x3c8
[   17.098384]  ksize_uaf+0x11c/0x5f8
[   17.098560]  kunit_try_run_case+0x170/0x3f0
[   17.098712]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.098768]  kthread+0x328/0x630
[   17.098803]  ret_from_fork+0x10/0x20
[   17.098849] 
[   17.098878] The buggy address belongs to the object at fff00000c63cdf00
[   17.098878]  which belongs to the cache kmalloc-128 of size 128
[   17.098947] The buggy address is located 0 bytes inside of
[   17.098947]  freed 128-byte region [fff00000c63cdf00, fff00000c63cdf80)
[   17.099007] 
[   17.099035] The buggy address belongs to the physical page:
[   17.099081] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063cd
[   17.099135] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.099180] page_type: f5(slab)
[   17.099235] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.099285] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.099336] page dumped because: kasan: bad access detected
[   17.099368] 
[   17.099393] Memory state around the buggy address:
[   17.099424]  fff00000c63cde00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.099475]  fff00000c63cde80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.099527] >fff00000c63cdf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.099572]                    ^
[   17.099608]  fff00000c63cdf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.099673]  fff00000c63ce000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   17.099712] ==================================================================
[   17.101008] ==================================================================
[   17.101073] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   17.101233] Read of size 1 at addr fff00000c63cdf00 by task kunit_try_catch/197
[   17.101348] 
[   17.101682] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   17.101781] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.101806] Hardware name: linux,dummy-virt (DT)
[   17.101835] Call trace:
[   17.102041]  show_stack+0x20/0x38 (C)
[   17.102224]  dump_stack_lvl+0x8c/0xd0
[   17.102272]  print_report+0x118/0x608
[   17.102333]  kasan_report+0xdc/0x128
[   17.102377]  __asan_report_load1_noabort+0x20/0x30
[   17.102840]  ksize_uaf+0x598/0x5f8
[   17.102954]  kunit_try_run_case+0x170/0x3f0
[   17.103120]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.103240]  kthread+0x328/0x630
[   17.103593]  ret_from_fork+0x10/0x20
[   17.103846] 
[   17.104030] Allocated by task 197:
[   17.104218]  kasan_save_stack+0x3c/0x68
[   17.104266]  kasan_save_track+0x20/0x40
[   17.104724]  kasan_save_alloc_info+0x40/0x58
[   17.104823]  __kasan_kmalloc+0xd4/0xd8
[   17.105013]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.105106]  ksize_uaf+0xb8/0x5f8
[   17.105571]  kunit_try_run_case+0x170/0x3f0
[   17.105710]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.105962]  kthread+0x328/0x630
[   17.106069]  ret_from_fork+0x10/0x20
[   17.106220] 
[   17.106240] Freed by task 197:
[   17.106280]  kasan_save_stack+0x3c/0x68
[   17.106344]  kasan_save_track+0x20/0x40
[   17.106673]  kasan_save_free_info+0x4c/0x78
[   17.106746]  __kasan_slab_free+0x6c/0x98
[   17.107017]  kfree+0x214/0x3c8
[   17.107379]  ksize_uaf+0x11c/0x5f8
[   17.107648]  kunit_try_run_case+0x170/0x3f0
[   17.107756]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.107897]  kthread+0x328/0x630
[   17.108059]  ret_from_fork+0x10/0x20
[   17.108169] 
[   17.108447] The buggy address belongs to the object at fff00000c63cdf00
[   17.108447]  which belongs to the cache kmalloc-128 of size 128
[   17.108629] The buggy address is located 0 bytes inside of
[   17.108629]  freed 128-byte region [fff00000c63cdf00, fff00000c63cdf80)
[   17.108967] 
[   17.109012] The buggy address belongs to the physical page:
[   17.109147] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063cd
[   17.109300] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.109485] page_type: f5(slab)
[   17.109535] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.109692] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.109810] page dumped because: kasan: bad access detected
[   17.109868] 
[   17.110200] Memory state around the buggy address:
[   17.110287]  fff00000c63cde00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.110395]  fff00000c63cde80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.110466] >fff00000c63cdf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.110508]                    ^
[   17.110546]  fff00000c63cdf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.110828]  fff00000c63ce000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   17.111038] ==================================================================

[   13.944934] ==================================================================
[   13.945730] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   13.946267] Read of size 1 at addr ffff88810254d678 by task kunit_try_catch/214
[   13.947189] 
[   13.947374] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   13.947672] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.947707] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.947741] Call Trace:
[   13.947767]  <TASK>
[   13.947795]  dump_stack_lvl+0x73/0xb0
[   13.947851]  print_report+0xd1/0x650
[   13.947893]  ? __virt_addr_valid+0x1db/0x2d0
[   13.947934]  ? ksize_uaf+0x5e4/0x6c0
[   13.947971]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.948014]  ? ksize_uaf+0x5e4/0x6c0
[   13.948044]  kasan_report+0x141/0x180
[   13.948080]  ? ksize_uaf+0x5e4/0x6c0
[   13.948174]  __asan_report_load1_noabort+0x18/0x20
[   13.948215]  ksize_uaf+0x5e4/0x6c0
[   13.948251]  ? __pfx_ksize_uaf+0x10/0x10
[   13.948290]  ? __schedule+0x10cc/0x2b60
[   13.948325]  ? __pfx_read_tsc+0x10/0x10
[   13.948351]  ? ktime_get_ts64+0x86/0x230
[   13.948375]  kunit_try_run_case+0x1a5/0x480
[   13.948396]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.948415]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.948435]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.948454]  ? __kthread_parkme+0x82/0x180
[   13.948472]  ? preempt_count_sub+0x50/0x80
[   13.948492]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.948553]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.948593]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.948639]  kthread+0x337/0x6f0
[   13.948664]  ? trace_preempt_on+0x20/0xc0
[   13.948686]  ? __pfx_kthread+0x10/0x10
[   13.948704]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.948722]  ? calculate_sigpending+0x7b/0xa0
[   13.948743]  ? __pfx_kthread+0x10/0x10
[   13.948762]  ret_from_fork+0x116/0x1d0
[   13.948778]  ? __pfx_kthread+0x10/0x10
[   13.948795]  ret_from_fork_asm+0x1a/0x30
[   13.948823]  </TASK>
[   13.948834] 
[   13.960401] Allocated by task 214:
[   13.960755]  kasan_save_stack+0x45/0x70
[   13.961033]  kasan_save_track+0x18/0x40
[   13.961275]  kasan_save_alloc_info+0x3b/0x50
[   13.961782]  __kasan_kmalloc+0xb7/0xc0
[   13.962149]  __kmalloc_cache_noprof+0x189/0x420
[   13.962472]  ksize_uaf+0xaa/0x6c0
[   13.963235]  kunit_try_run_case+0x1a5/0x480
[   13.963775]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.964009]  kthread+0x337/0x6f0
[   13.964224]  ret_from_fork+0x116/0x1d0
[   13.964654]  ret_from_fork_asm+0x1a/0x30
[   13.964999] 
[   13.965188] Freed by task 214:
[   13.965432]  kasan_save_stack+0x45/0x70
[   13.965900]  kasan_save_track+0x18/0x40
[   13.966233]  kasan_save_free_info+0x3f/0x60
[   13.966397]  __kasan_slab_free+0x56/0x70
[   13.967081]  kfree+0x222/0x3f0
[   13.967281]  ksize_uaf+0x12c/0x6c0
[   13.967529]  kunit_try_run_case+0x1a5/0x480
[   13.967851]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.968131]  kthread+0x337/0x6f0
[   13.968283]  ret_from_fork+0x116/0x1d0
[   13.968443]  ret_from_fork_asm+0x1a/0x30
[   13.968738] 
[   13.968898] The buggy address belongs to the object at ffff88810254d600
[   13.968898]  which belongs to the cache kmalloc-128 of size 128
[   13.969370] The buggy address is located 120 bytes inside of
[   13.969370]  freed 128-byte region [ffff88810254d600, ffff88810254d680)
[   13.970215] 
[   13.970391] The buggy address belongs to the physical page:
[   13.971192] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10254d
[   13.971760] flags: 0x200000000000000(node=0|zone=2)
[   13.972038] page_type: f5(slab)
[   13.972314] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.972899] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.973346] page dumped because: kasan: bad access detected
[   13.973843] 
[   13.973999] Memory state around the buggy address:
[   13.974235]  ffff88810254d500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.975073]  ffff88810254d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.975643] >ffff88810254d600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.976096]                                                                 ^
[   13.976412]  ffff88810254d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.976986]  ffff88810254d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.977403] ==================================================================
[   13.912468] ==================================================================
[   13.913026] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   13.913464] Read of size 1 at addr ffff88810254d600 by task kunit_try_catch/214
[   13.913763] 
[   13.913955] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   13.914037] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.914058] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.914093] Call Trace:
[   13.914117]  <TASK>
[   13.914145]  dump_stack_lvl+0x73/0xb0
[   13.914197]  print_report+0xd1/0x650
[   13.914232]  ? __virt_addr_valid+0x1db/0x2d0
[   13.914270]  ? ksize_uaf+0x5fe/0x6c0
[   13.914302]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.914343]  ? ksize_uaf+0x5fe/0x6c0
[   13.914377]  kasan_report+0x141/0x180
[   13.914410]  ? ksize_uaf+0x5fe/0x6c0
[   13.914452]  __asan_report_load1_noabort+0x18/0x20
[   13.914492]  ksize_uaf+0x5fe/0x6c0
[   13.914526]  ? __pfx_ksize_uaf+0x10/0x10
[   13.914547]  ? __schedule+0x10cc/0x2b60
[   13.914578]  ? __pfx_read_tsc+0x10/0x10
[   13.914608]  ? ktime_get_ts64+0x86/0x230
[   13.915093]  kunit_try_run_case+0x1a5/0x480
[   13.915141]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.915162]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.915183]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.915203]  ? __kthread_parkme+0x82/0x180
[   13.915220]  ? preempt_count_sub+0x50/0x80
[   13.915241]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.915260]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.915280]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.915299]  kthread+0x337/0x6f0
[   13.915316]  ? trace_preempt_on+0x20/0xc0
[   13.915336]  ? __pfx_kthread+0x10/0x10
[   13.915354]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.915371]  ? calculate_sigpending+0x7b/0xa0
[   13.915391]  ? __pfx_kthread+0x10/0x10
[   13.915410]  ret_from_fork+0x116/0x1d0
[   13.915426]  ? __pfx_kthread+0x10/0x10
[   13.915443]  ret_from_fork_asm+0x1a/0x30
[   13.915470]  </TASK>
[   13.915482] 
[   13.927256] Allocated by task 214:
[   13.927425]  kasan_save_stack+0x45/0x70
[   13.927652]  kasan_save_track+0x18/0x40
[   13.927938]  kasan_save_alloc_info+0x3b/0x50
[   13.928240]  __kasan_kmalloc+0xb7/0xc0
[   13.928507]  __kmalloc_cache_noprof+0x189/0x420
[   13.928855]  ksize_uaf+0xaa/0x6c0
[   13.929110]  kunit_try_run_case+0x1a5/0x480
[   13.929410]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.930417]  kthread+0x337/0x6f0
[   13.930855]  ret_from_fork+0x116/0x1d0
[   13.931077]  ret_from_fork_asm+0x1a/0x30
[   13.931283] 
[   13.931446] Freed by task 214:
[   13.931872]  kasan_save_stack+0x45/0x70
[   13.932228]  kasan_save_track+0x18/0x40
[   13.932703]  kasan_save_free_info+0x3f/0x60
[   13.933005]  __kasan_slab_free+0x56/0x70
[   13.933253]  kfree+0x222/0x3f0
[   13.933448]  ksize_uaf+0x12c/0x6c0
[   13.934200]  kunit_try_run_case+0x1a5/0x480
[   13.934650]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.935082]  kthread+0x337/0x6f0
[   13.935388]  ret_from_fork+0x116/0x1d0
[   13.935795]  ret_from_fork_asm+0x1a/0x30
[   13.936135] 
[   13.936317] The buggy address belongs to the object at ffff88810254d600
[   13.936317]  which belongs to the cache kmalloc-128 of size 128
[   13.937078] The buggy address is located 0 bytes inside of
[   13.937078]  freed 128-byte region [ffff88810254d600, ffff88810254d680)
[   13.937541] 
[   13.937656] The buggy address belongs to the physical page:
[   13.937879] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10254d
[   13.939188] flags: 0x200000000000000(node=0|zone=2)
[   13.939382] page_type: f5(slab)
[   13.939894] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.940128] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.940752] page dumped because: kasan: bad access detected
[   13.940990] 
[   13.941095] Memory state around the buggy address:
[   13.941398]  ffff88810254d500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.941677]  ffff88810254d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.942148] >ffff88810254d600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.942434]                    ^
[   13.942758]  ffff88810254d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.943061]  ffff88810254d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.943899] ==================================================================
[   13.878014] ==================================================================
[   13.878853] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   13.879189] Read of size 1 at addr ffff88810254d600 by task kunit_try_catch/214
[   13.879665] 
[   13.879859] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   13.879941] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.879960] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.879996] Call Trace:
[   13.880020]  <TASK>
[   13.880045]  dump_stack_lvl+0x73/0xb0
[   13.880100]  print_report+0xd1/0x650
[   13.880136]  ? __virt_addr_valid+0x1db/0x2d0
[   13.880176]  ? ksize_uaf+0x19d/0x6c0
[   13.880210]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.880253]  ? ksize_uaf+0x19d/0x6c0
[   13.880290]  kasan_report+0x141/0x180
[   13.880325]  ? ksize_uaf+0x19d/0x6c0
[   13.880383]  ? ksize_uaf+0x19d/0x6c0
[   13.880420]  __kasan_check_byte+0x3d/0x50
[   13.880456]  ksize+0x20/0x60
[   13.880492]  ksize_uaf+0x19d/0x6c0
[   13.880525]  ? __pfx_ksize_uaf+0x10/0x10
[   13.880560]  ? __schedule+0x10cc/0x2b60
[   13.880601]  ? __pfx_read_tsc+0x10/0x10
[   13.880652]  ? ktime_get_ts64+0x86/0x230
[   13.880699]  kunit_try_run_case+0x1a5/0x480
[   13.880743]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.880781]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.880822]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.880861]  ? __kthread_parkme+0x82/0x180
[   13.880896]  ? preempt_count_sub+0x50/0x80
[   13.880937]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.880977]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.881017]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.881056]  kthread+0x337/0x6f0
[   13.881083]  ? trace_preempt_on+0x20/0xc0
[   13.881116]  ? __pfx_kthread+0x10/0x10
[   13.881143]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.881170]  ? calculate_sigpending+0x7b/0xa0
[   13.881204]  ? __pfx_kthread+0x10/0x10
[   13.881231]  ret_from_fork+0x116/0x1d0
[   13.881256]  ? __pfx_kthread+0x10/0x10
[   13.881286]  ret_from_fork_asm+0x1a/0x30
[   13.881342]  </TASK>
[   13.881362] 
[   13.893432] Allocated by task 214:
[   13.893666]  kasan_save_stack+0x45/0x70
[   13.893993]  kasan_save_track+0x18/0x40
[   13.894301]  kasan_save_alloc_info+0x3b/0x50
[   13.894601]  __kasan_kmalloc+0xb7/0xc0
[   13.895208]  __kmalloc_cache_noprof+0x189/0x420
[   13.895710]  ksize_uaf+0xaa/0x6c0
[   13.895912]  kunit_try_run_case+0x1a5/0x480
[   13.896243]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.896878]  kthread+0x337/0x6f0
[   13.897201]  ret_from_fork+0x116/0x1d0
[   13.897640]  ret_from_fork_asm+0x1a/0x30
[   13.897882] 
[   13.898059] Freed by task 214:
[   13.898334]  kasan_save_stack+0x45/0x70
[   13.899200]  kasan_save_track+0x18/0x40
[   13.899365]  kasan_save_free_info+0x3f/0x60
[   13.899803]  __kasan_slab_free+0x56/0x70
[   13.900084]  kfree+0x222/0x3f0
[   13.900373]  ksize_uaf+0x12c/0x6c0
[   13.900859]  kunit_try_run_case+0x1a5/0x480
[   13.901156]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.901717]  kthread+0x337/0x6f0
[   13.901979]  ret_from_fork+0x116/0x1d0
[   13.902303]  ret_from_fork_asm+0x1a/0x30
[   13.902461] 
[   13.903031] The buggy address belongs to the object at ffff88810254d600
[   13.903031]  which belongs to the cache kmalloc-128 of size 128
[   13.903830] The buggy address is located 0 bytes inside of
[   13.903830]  freed 128-byte region [ffff88810254d600, ffff88810254d680)
[   13.904451] 
[   13.904881] The buggy address belongs to the physical page:
[   13.905277] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10254d
[   13.905815] flags: 0x200000000000000(node=0|zone=2)
[   13.906043] page_type: f5(slab)
[   13.906359] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.906772] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.907475] page dumped because: kasan: bad access detected
[   13.907951] 
[   13.908064] Memory state around the buggy address:
[   13.908342]  ffff88810254d500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.909008]  ffff88810254d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.909435] >ffff88810254d600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.909895]                    ^
[   13.910218]  ffff88810254d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.910472]  ffff88810254d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.911338] ==================================================================

[   14.066631] ==================================================================
[   14.067251] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   14.067565] Read of size 1 at addr ffff888102c3fe00 by task kunit_try_catch/213
[   14.068181] 
[   14.068418] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   14.068463] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.068475] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.068495] Call Trace:
[   14.068509]  <TASK>
[   14.068526]  dump_stack_lvl+0x73/0xb0
[   14.068559]  print_report+0xd1/0x650
[   14.068582]  ? __virt_addr_valid+0x1db/0x2d0
[   14.068606]  ? ksize_uaf+0x5fe/0x6c0
[   14.068628]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.068655]  ? ksize_uaf+0x5fe/0x6c0
[   14.068677]  kasan_report+0x141/0x180
[   14.068710]  ? ksize_uaf+0x5fe/0x6c0
[   14.068738]  __asan_report_load1_noabort+0x18/0x20
[   14.068763]  ksize_uaf+0x5fe/0x6c0
[   14.068784]  ? __pfx_ksize_uaf+0x10/0x10
[   14.068806]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   14.068831]  ? trace_hardirqs_on+0x37/0xe0
[   14.068856]  ? __pfx_read_tsc+0x10/0x10
[   14.068879]  ? ktime_get_ts64+0x86/0x230
[   14.068905]  kunit_try_run_case+0x1a5/0x480
[   14.068930]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.068956]  ? queued_spin_lock_slowpath+0x116/0xb40
[   14.068980]  ? __kthread_parkme+0x82/0x180
[   14.069001]  ? preempt_count_sub+0x50/0x80
[   14.069026]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.069062]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.069085]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.069109]  kthread+0x337/0x6f0
[   14.069131]  ? trace_preempt_on+0x20/0xc0
[   14.069154]  ? __pfx_kthread+0x10/0x10
[   14.069176]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.069198]  ? calculate_sigpending+0x7b/0xa0
[   14.069222]  ? __pfx_kthread+0x10/0x10
[   14.069245]  ret_from_fork+0x116/0x1d0
[   14.069264]  ? __pfx_kthread+0x10/0x10
[   14.069286]  ret_from_fork_asm+0x1a/0x30
[   14.069318]  </TASK>
[   14.069349] 
[   14.080068] Allocated by task 213:
[   14.080388]  kasan_save_stack+0x45/0x70
[   14.080594]  kasan_save_track+0x18/0x40
[   14.080898]  kasan_save_alloc_info+0x3b/0x50
[   14.081123]  __kasan_kmalloc+0xb7/0xc0
[   14.081302]  __kmalloc_cache_noprof+0x189/0x420
[   14.081512]  ksize_uaf+0xaa/0x6c0
[   14.081682]  kunit_try_run_case+0x1a5/0x480
[   14.082485]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.083018]  kthread+0x337/0x6f0
[   14.083417]  ret_from_fork+0x116/0x1d0
[   14.083732]  ret_from_fork_asm+0x1a/0x30
[   14.083957] 
[   14.084066] Freed by task 213:
[   14.084221]  kasan_save_stack+0x45/0x70
[   14.084410]  kasan_save_track+0x18/0x40
[   14.084591]  kasan_save_free_info+0x3f/0x60
[   14.085189]  __kasan_slab_free+0x56/0x70
[   14.085638]  kfree+0x222/0x3f0
[   14.085932]  ksize_uaf+0x12c/0x6c0
[   14.086239]  kunit_try_run_case+0x1a5/0x480
[   14.086624]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.087302]  kthread+0x337/0x6f0
[   14.087553]  ret_from_fork+0x116/0x1d0
[   14.088097]  ret_from_fork_asm+0x1a/0x30
[   14.088305] 
[   14.088405] The buggy address belongs to the object at ffff888102c3fe00
[   14.088405]  which belongs to the cache kmalloc-128 of size 128
[   14.089476] The buggy address is located 0 bytes inside of
[   14.089476]  freed 128-byte region [ffff888102c3fe00, ffff888102c3fe80)
[   14.090622] 
[   14.090952] The buggy address belongs to the physical page:
[   14.091220] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c3f
[   14.091569] flags: 0x200000000000000(node=0|zone=2)
[   14.092203] page_type: f5(slab)
[   14.092466] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   14.093255] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   14.093577] page dumped because: kasan: bad access detected
[   14.094199] 
[   14.094471] Memory state around the buggy address:
[   14.095035]  ffff888102c3fd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.095331]  ffff888102c3fd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.095638] >ffff888102c3fe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.095944]                    ^
[   14.096234]  ffff888102c3fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.096607]  ffff888102c3ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.097139] ==================================================================
[   14.027888] ==================================================================
[   14.028411] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   14.028736] Read of size 1 at addr ffff888102c3fe00 by task kunit_try_catch/213
[   14.029074] 
[   14.029181] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   14.029225] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.029237] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.029258] Call Trace:
[   14.029272]  <TASK>
[   14.029289]  dump_stack_lvl+0x73/0xb0
[   14.029319]  print_report+0xd1/0x650
[   14.029343]  ? __virt_addr_valid+0x1db/0x2d0
[   14.029367]  ? ksize_uaf+0x19d/0x6c0
[   14.029390]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.029418]  ? ksize_uaf+0x19d/0x6c0
[   14.029440]  kasan_report+0x141/0x180
[   14.029464]  ? ksize_uaf+0x19d/0x6c0
[   14.029490]  ? ksize_uaf+0x19d/0x6c0
[   14.029512]  __kasan_check_byte+0x3d/0x50
[   14.029541]  ksize+0x20/0x60
[   14.029563]  ksize_uaf+0x19d/0x6c0
[   14.029585]  ? __pfx_ksize_uaf+0x10/0x10
[   14.029607]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   14.029634]  ? trace_hardirqs_on+0x37/0xe0
[   14.029658]  ? __pfx_read_tsc+0x10/0x10
[   14.029681]  ? ktime_get_ts64+0x86/0x230
[   14.029707]  kunit_try_run_case+0x1a5/0x480
[   14.029877]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.029905]  ? queued_spin_lock_slowpath+0x116/0xb40
[   14.029932]  ? __kthread_parkme+0x82/0x180
[   14.029955]  ? preempt_count_sub+0x50/0x80
[   14.030003]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.030033]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.030069]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.030095]  kthread+0x337/0x6f0
[   14.030118]  ? trace_preempt_on+0x20/0xc0
[   14.030142]  ? __pfx_kthread+0x10/0x10
[   14.030166]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.030189]  ? calculate_sigpending+0x7b/0xa0
[   14.030215]  ? __pfx_kthread+0x10/0x10
[   14.030239]  ret_from_fork+0x116/0x1d0
[   14.030259]  ? __pfx_kthread+0x10/0x10
[   14.030288]  ret_from_fork_asm+0x1a/0x30
[   14.030322]  </TASK>
[   14.030335] 
[   14.042334] Allocated by task 213:
[   14.042486]  kasan_save_stack+0x45/0x70
[   14.042646]  kasan_save_track+0x18/0x40
[   14.043103]  kasan_save_alloc_info+0x3b/0x50
[   14.043356]  __kasan_kmalloc+0xb7/0xc0
[   14.043558]  __kmalloc_cache_noprof+0x189/0x420
[   14.044269]  ksize_uaf+0xaa/0x6c0
[   14.045076]  kunit_try_run_case+0x1a5/0x480
[   14.045578]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.046157]  kthread+0x337/0x6f0
[   14.046859]  ret_from_fork+0x116/0x1d0
[   14.047501]  ret_from_fork_asm+0x1a/0x30
[   14.047672] 
[   14.048131] Freed by task 213:
[   14.048686]  kasan_save_stack+0x45/0x70
[   14.049314]  kasan_save_track+0x18/0x40
[   14.049472]  kasan_save_free_info+0x3f/0x60
[   14.049637]  __kasan_slab_free+0x56/0x70
[   14.050329]  kfree+0x222/0x3f0
[   14.050800]  ksize_uaf+0x12c/0x6c0
[   14.051341]  kunit_try_run_case+0x1a5/0x480
[   14.052139]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.052951]  kthread+0x337/0x6f0
[   14.053438]  ret_from_fork+0x116/0x1d0
[   14.053600]  ret_from_fork_asm+0x1a/0x30
[   14.054160] 
[   14.054509] The buggy address belongs to the object at ffff888102c3fe00
[   14.054509]  which belongs to the cache kmalloc-128 of size 128
[   14.056393] The buggy address is located 0 bytes inside of
[   14.056393]  freed 128-byte region [ffff888102c3fe00, ffff888102c3fe80)
[   14.057800] 
[   14.058176] The buggy address belongs to the physical page:
[   14.058858] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c3f
[   14.059515] flags: 0x200000000000000(node=0|zone=2)
[   14.059695] page_type: f5(slab)
[   14.060364] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   14.061515] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   14.062514] page dumped because: kasan: bad access detected
[   14.062914] 
[   14.063140] Memory state around the buggy address:
[   14.063380]  ffff888102c3fd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.064044]  ffff888102c3fd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.064290] >ffff888102c3fe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.064509]                    ^
[   14.064629]  ffff888102c3fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.064937]  ffff888102c3ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.065589] ==================================================================
[   14.097593] ==================================================================
[   14.098190] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   14.098481] Read of size 1 at addr ffff888102c3fe78 by task kunit_try_catch/213
[   14.098785] 
[   14.099036] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   14.099098] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.099111] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.099131] Call Trace:
[   14.099151]  <TASK>
[   14.099170]  dump_stack_lvl+0x73/0xb0
[   14.099201]  print_report+0xd1/0x650
[   14.099226]  ? __virt_addr_valid+0x1db/0x2d0
[   14.099251]  ? ksize_uaf+0x5e4/0x6c0
[   14.099273]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.099301]  ? ksize_uaf+0x5e4/0x6c0
[   14.099325]  kasan_report+0x141/0x180
[   14.099350]  ? ksize_uaf+0x5e4/0x6c0
[   14.099378]  __asan_report_load1_noabort+0x18/0x20
[   14.099405]  ksize_uaf+0x5e4/0x6c0
[   14.099428]  ? __pfx_ksize_uaf+0x10/0x10
[   14.099452]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   14.099478]  ? trace_hardirqs_on+0x37/0xe0
[   14.099504]  ? __pfx_read_tsc+0x10/0x10
[   14.099527]  ? ktime_get_ts64+0x86/0x230
[   14.099553]  kunit_try_run_case+0x1a5/0x480
[   14.099579]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.099605]  ? queued_spin_lock_slowpath+0x116/0xb40
[   14.099632]  ? __kthread_parkme+0x82/0x180
[   14.099654]  ? preempt_count_sub+0x50/0x80
[   14.099681]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.099707]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.099732]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.099757]  kthread+0x337/0x6f0
[   14.099779]  ? trace_preempt_on+0x20/0xc0
[   14.099804]  ? __pfx_kthread+0x10/0x10
[   14.099827]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.099851]  ? calculate_sigpending+0x7b/0xa0
[   14.099877]  ? __pfx_kthread+0x10/0x10
[   14.099902]  ret_from_fork+0x116/0x1d0
[   14.099922]  ? __pfx_kthread+0x10/0x10
[   14.099945]  ret_from_fork_asm+0x1a/0x30
[   14.099979]  </TASK>
[   14.099991] 
[   14.109042] Allocated by task 213:
[   14.109228]  kasan_save_stack+0x45/0x70
[   14.109420]  kasan_save_track+0x18/0x40
[   14.109614]  kasan_save_alloc_info+0x3b/0x50
[   14.110213]  __kasan_kmalloc+0xb7/0xc0
[   14.110555]  __kmalloc_cache_noprof+0x189/0x420
[   14.110855]  ksize_uaf+0xaa/0x6c0
[   14.111009]  kunit_try_run_case+0x1a5/0x480
[   14.111361]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.111615]  kthread+0x337/0x6f0
[   14.111978]  ret_from_fork+0x116/0x1d0
[   14.112267]  ret_from_fork_asm+0x1a/0x30
[   14.112431] 
[   14.112535] Freed by task 213:
[   14.113082]  kasan_save_stack+0x45/0x70
[   14.113298]  kasan_save_track+0x18/0x40
[   14.113451]  kasan_save_free_info+0x3f/0x60
[   14.113609]  __kasan_slab_free+0x56/0x70
[   14.114037]  kfree+0x222/0x3f0
[   14.114475]  ksize_uaf+0x12c/0x6c0
[   14.115104]  kunit_try_run_case+0x1a5/0x480
[   14.115763]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.116489]  kthread+0x337/0x6f0
[   14.117097]  ret_from_fork+0x116/0x1d0
[   14.117518]  ret_from_fork_asm+0x1a/0x30
[   14.117679] 
[   14.118011] The buggy address belongs to the object at ffff888102c3fe00
[   14.118011]  which belongs to the cache kmalloc-128 of size 128
[   14.119682] The buggy address is located 120 bytes inside of
[   14.119682]  freed 128-byte region [ffff888102c3fe00, ffff888102c3fe80)
[   14.120084] 
[   14.120532] The buggy address belongs to the physical page:
[   14.121426] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c3f
[   14.121767] flags: 0x200000000000000(node=0|zone=2)
[   14.122008] page_type: f5(slab)
[   14.122201] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   14.122488] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   14.122834] page dumped because: kasan: bad access detected
[   14.123499] 
[   14.123601] Memory state around the buggy address:
[   14.124211]  ffff888102c3fd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.124651]  ffff888102c3fd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.125163] >ffff888102c3fe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   14.125609]                                                                 ^
[   14.126120]  ffff888102c3fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.126525]  ffff888102c3ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.127017] ==================================================================

[   30.928057] ==================================================================
[   30.935313] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   30.941698] Read of size 1 at addr ffff888105bb0200 by task kunit_try_catch/237
[   30.949005] 
[   30.950508] CPU: 1 UID: 0 PID: 237 Comm: kunit_try_catch Tainted: G S  B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   30.950516] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST
[   30.950518] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   30.950522] Call Trace:
[   30.950523]  <TASK>
[   30.950525]  dump_stack_lvl+0x73/0xb0
[   30.950529]  print_report+0xd1/0x650
[   30.950533]  ? __virt_addr_valid+0x1db/0x2d0
[   30.950537]  ? ksize_uaf+0x5fe/0x6c0
[   30.950541]  ? kasan_complete_mode_report_info+0x64/0x200
[   30.950546]  ? ksize_uaf+0x5fe/0x6c0
[   30.950550]  kasan_report+0x141/0x180
[   30.950554]  ? ksize_uaf+0x5fe/0x6c0
[   30.950558]  __asan_report_load1_noabort+0x18/0x20
[   30.950563]  ksize_uaf+0x5fe/0x6c0
[   30.950566]  ? __pfx_ksize_uaf+0x10/0x10
[   30.950570]  ? __schedule+0x10cc/0x2b60
[   30.950574]  ? ktime_get_ts64+0x83/0x230
[   30.950579]  kunit_try_run_case+0x1a2/0x480
[   30.950583]  ? __pfx_kunit_try_run_case+0x10/0x10
[   30.950587]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   30.950591]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   30.950595]  ? __kthread_parkme+0x82/0x180
[   30.950599]  ? preempt_count_sub+0x50/0x80
[   30.950603]  ? __pfx_kunit_try_run_case+0x10/0x10
[   30.950607]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   30.950611]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   30.950615]  kthread+0x334/0x6f0
[   30.950619]  ? trace_preempt_on+0x20/0xc0
[   30.950623]  ? __pfx_kthread+0x10/0x10
[   30.950626]  ? _raw_spin_unlock_irq+0x47/0x80
[   30.950630]  ? calculate_sigpending+0x7b/0xa0
[   30.950634]  ? __pfx_kthread+0x10/0x10
[   30.950638]  ret_from_fork+0x113/0x1d0
[   30.950641]  ? __pfx_kthread+0x10/0x10
[   30.950645]  ret_from_fork_asm+0x1a/0x30
[   30.950651]  </TASK>
[   30.950652] 
[   31.112032] Allocated by task 237:
[   31.115440]  kasan_save_stack+0x45/0x70
[   31.119278]  kasan_save_track+0x18/0x40
[   31.123119]  kasan_save_alloc_info+0x3b/0x50
[   31.127406]  __kasan_kmalloc+0xb7/0xc0
[   31.131160]  __kmalloc_cache_noprof+0x189/0x420
[   31.135693]  ksize_uaf+0xaa/0x6c0
[   31.139012]  kunit_try_run_case+0x1a2/0x480
[   31.143199]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   31.148599]  kthread+0x334/0x6f0
[   31.151830]  ret_from_fork+0x113/0x1d0
[   31.155584]  ret_from_fork_asm+0x1a/0x30
[   31.159510] 
[   31.161008] Freed by task 237:
[   31.164067]  kasan_save_stack+0x45/0x70
[   31.167907]  kasan_save_track+0x18/0x40
[   31.171747]  kasan_save_free_info+0x3f/0x60
[   31.175942]  __kasan_slab_free+0x56/0x70
[   31.179867]  kfree+0x222/0x3f0
[   31.182928]  ksize_uaf+0x12c/0x6c0
[   31.186361]  kunit_try_run_case+0x1a2/0x480
[   31.190571]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   31.195969]  kthread+0x334/0x6f0
[   31.199203]  ret_from_fork+0x113/0x1d0
[   31.202956]  ret_from_fork_asm+0x1a/0x30
[   31.206881] 
[   31.208379] The buggy address belongs to the object at ffff888105bb0200
[   31.208379]  which belongs to the cache kmalloc-128 of size 128
[   31.220914] The buggy address is located 0 bytes inside of
[   31.220914]  freed 128-byte region [ffff888105bb0200, ffff888105bb0280)
[   31.232994] 
[   31.234494] The buggy address belongs to the physical page:
[   31.240065] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105bb0
[   31.248065] flags: 0x200000000000000(node=0|zone=2)
[   31.252944] page_type: f5(slab)
[   31.256093] raw: 0200000000000000 ffff888100042a00 dead000000000122 0000000000000000
[   31.263838] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   31.271578] page dumped because: kasan: bad access detected
[   31.277150] 
[   31.278648] Memory state around the buggy address:
[   31.283444]  ffff888105bb0100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.290670]  ffff888105bb0180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.297891] >ffff888105bb0200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.305110]                    ^
[   31.308364]  ffff888105bb0280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.315586]  ffff888105bb0300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.322806] ==================================================================
[   30.516166] ==================================================================
[   30.527669] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   30.534031] Read of size 1 at addr ffff888105bb0200 by task kunit_try_catch/237
[   30.541364] 
[   30.542881] CPU: 1 UID: 0 PID: 237 Comm: kunit_try_catch Tainted: G S  B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   30.542890] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST
[   30.542893] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   30.542897] Call Trace:
[   30.542898]  <TASK>
[   30.542900]  dump_stack_lvl+0x73/0xb0
[   30.542905]  print_report+0xd1/0x650
[   30.542909]  ? __virt_addr_valid+0x1db/0x2d0
[   30.542913]  ? ksize_uaf+0x19d/0x6c0
[   30.542916]  ? kasan_complete_mode_report_info+0x64/0x200
[   30.542922]  ? ksize_uaf+0x19d/0x6c0
[   30.542925]  kasan_report+0x141/0x180
[   30.542929]  ? ksize_uaf+0x19d/0x6c0
[   30.542934]  ? ksize_uaf+0x19d/0x6c0
[   30.542937]  __kasan_check_byte+0x3d/0x50
[   30.542941]  ksize+0x20/0x60
[   30.542944]  ksize_uaf+0x19d/0x6c0
[   30.542948]  ? __pfx_ksize_uaf+0x10/0x10
[   30.542952]  ? __schedule+0x10cc/0x2b60
[   30.542956]  ? ktime_get_ts64+0x83/0x230
[   30.542960]  kunit_try_run_case+0x1a2/0x480
[   30.542965]  ? __pfx_kunit_try_run_case+0x10/0x10
[   30.542969]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   30.542973]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   30.542977]  ? __kthread_parkme+0x82/0x180
[   30.542981]  ? preempt_count_sub+0x50/0x80
[   30.542985]  ? __pfx_kunit_try_run_case+0x10/0x10
[   30.542989]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   30.542993]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   30.542997]  kthread+0x334/0x6f0
[   30.543001]  ? trace_preempt_on+0x20/0xc0
[   30.543005]  ? __pfx_kthread+0x10/0x10
[   30.543009]  ? _raw_spin_unlock_irq+0x47/0x80
[   30.543012]  ? calculate_sigpending+0x7b/0xa0
[   30.543017]  ? __pfx_kthread+0x10/0x10
[   30.543021]  ret_from_fork+0x113/0x1d0
[   30.543024]  ? __pfx_kthread+0x10/0x10
[   30.543027]  ret_from_fork_asm+0x1a/0x30
[   30.543033]  </TASK>
[   30.543035] 
[   30.709997] Allocated by task 237:
[   30.713403]  kasan_save_stack+0x45/0x70
[   30.717243]  kasan_save_track+0x18/0x40
[   30.721081]  kasan_save_alloc_info+0x3b/0x50
[   30.725367]  __kasan_kmalloc+0xb7/0xc0
[   30.729140]  __kmalloc_cache_noprof+0x189/0x420
[   30.733674]  ksize_uaf+0xaa/0x6c0
[   30.736994]  kunit_try_run_case+0x1a2/0x480
[   30.741180]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   30.746580]  kthread+0x334/0x6f0
[   30.749811]  ret_from_fork+0x113/0x1d0
[   30.753565]  ret_from_fork_asm+0x1a/0x30
[   30.757499] 
[   30.758997] Freed by task 237:
[   30.762058]  kasan_save_stack+0x45/0x70
[   30.765897]  kasan_save_track+0x18/0x40
[   30.769737]  kasan_save_free_info+0x3f/0x60
[   30.773922]  __kasan_slab_free+0x56/0x70
[   30.777850]  kfree+0x222/0x3f0
[   30.780918]  ksize_uaf+0x12c/0x6c0
[   30.784323]  kunit_try_run_case+0x1a2/0x480
[   30.788542]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   30.793943]  kthread+0x334/0x6f0
[   30.797176]  ret_from_fork+0x113/0x1d0
[   30.800927]  ret_from_fork_asm+0x1a/0x30
[   30.804853] 
[   30.806363] The buggy address belongs to the object at ffff888105bb0200
[   30.806363]  which belongs to the cache kmalloc-128 of size 128
[   30.818895] The buggy address is located 0 bytes inside of
[   30.818895]  freed 128-byte region [ffff888105bb0200, ffff888105bb0280)
[   30.830975] 
[   30.832475] The buggy address belongs to the physical page:
[   30.838046] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105bb0
[   30.846045] flags: 0x200000000000000(node=0|zone=2)
[   30.850925] page_type: f5(slab)
[   30.854074] raw: 0200000000000000 ffff888100042a00 dead000000000122 0000000000000000
[   30.861819] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   30.869560] page dumped because: kasan: bad access detected
[   30.875130] 
[   30.876631] Memory state around the buggy address:
[   30.881425]  ffff888105bb0100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.888653]  ffff888105bb0180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.895870] >ffff888105bb0200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.903088]                    ^
[   30.906322]  ffff888105bb0280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.913567]  ffff888105bb0300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.920788] ==================================================================
[   31.330048] ==================================================================
[   31.337279] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   31.343631] Read of size 1 at addr ffff888105bb0278 by task kunit_try_catch/237
[   31.350937] 
[   31.352437] CPU: 1 UID: 0 PID: 237 Comm: kunit_try_catch Tainted: G S  B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   31.352445] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST
[   31.352448] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   31.352451] Call Trace:
[   31.352452]  <TASK>
[   31.352454]  dump_stack_lvl+0x73/0xb0
[   31.352458]  print_report+0xd1/0x650
[   31.352462]  ? __virt_addr_valid+0x1db/0x2d0
[   31.352466]  ? ksize_uaf+0x5e4/0x6c0
[   31.352470]  ? kasan_complete_mode_report_info+0x64/0x200
[   31.352475]  ? ksize_uaf+0x5e4/0x6c0
[   31.352478]  kasan_report+0x141/0x180
[   31.352482]  ? ksize_uaf+0x5e4/0x6c0
[   31.352487]  __asan_report_load1_noabort+0x18/0x20
[   31.352492]  ksize_uaf+0x5e4/0x6c0
[   31.352495]  ? __pfx_ksize_uaf+0x10/0x10
[   31.352499]  ? __schedule+0x10cc/0x2b60
[   31.352503]  ? ktime_get_ts64+0x83/0x230
[   31.352507]  kunit_try_run_case+0x1a2/0x480
[   31.352512]  ? __pfx_kunit_try_run_case+0x10/0x10
[   31.352516]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   31.352520]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   31.352524]  ? __kthread_parkme+0x82/0x180
[   31.352527]  ? preempt_count_sub+0x50/0x80
[   31.352531]  ? __pfx_kunit_try_run_case+0x10/0x10
[   31.352536]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   31.352540]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   31.352544]  kthread+0x334/0x6f0
[   31.352547]  ? trace_preempt_on+0x20/0xc0
[   31.352551]  ? __pfx_kthread+0x10/0x10
[   31.352555]  ? _raw_spin_unlock_irq+0x47/0x80
[   31.352559]  ? calculate_sigpending+0x7b/0xa0
[   31.352563]  ? __pfx_kthread+0x10/0x10
[   31.352567]  ret_from_fork+0x113/0x1d0
[   31.352570]  ? __pfx_kthread+0x10/0x10
[   31.352574]  ret_from_fork_asm+0x1a/0x30
[   31.352579]  </TASK>
[   31.352581] 
[   31.513906] Allocated by task 237:
[   31.517311]  kasan_save_stack+0x45/0x70
[   31.521150]  kasan_save_track+0x18/0x40
[   31.524988]  kasan_save_alloc_info+0x3b/0x50
[   31.529263]  __kasan_kmalloc+0xb7/0xc0
[   31.533016]  __kmalloc_cache_noprof+0x189/0x420
[   31.537555]  ksize_uaf+0xaa/0x6c0
[   31.540876]  kunit_try_run_case+0x1a2/0x480
[   31.545061]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   31.550460]  kthread+0x334/0x6f0
[   31.553692]  ret_from_fork+0x113/0x1d0
[   31.557445]  ret_from_fork_asm+0x1a/0x30
[   31.561372] 
[   31.562897] Freed by task 237:
[   31.565956]  kasan_save_stack+0x45/0x70
[   31.569796]  kasan_save_track+0x18/0x40
[   31.573635]  kasan_save_free_info+0x3f/0x60
[   31.577821]  __kasan_slab_free+0x56/0x70
[   31.581747]  kfree+0x222/0x3f0
[   31.584808]  ksize_uaf+0x12c/0x6c0
[   31.588214]  kunit_try_run_case+0x1a2/0x480
[   31.592409]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   31.597817]  kthread+0x334/0x6f0
[   31.601047]  ret_from_fork+0x113/0x1d0
[   31.604802]  ret_from_fork_asm+0x1a/0x30
[   31.608726] 
[   31.610226] The buggy address belongs to the object at ffff888105bb0200
[   31.610226]  which belongs to the cache kmalloc-128 of size 128
[   31.622742] The buggy address is located 120 bytes inside of
[   31.622742]  freed 128-byte region [ffff888105bb0200, ffff888105bb0280)
[   31.634995] 
[   31.636494] The buggy address belongs to the physical page:
[   31.642066] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105bb0
[   31.650065] flags: 0x200000000000000(node=0|zone=2)
[   31.654946] page_type: f5(slab)
[   31.658093] raw: 0200000000000000 ffff888100042a00 dead000000000122 0000000000000000
[   31.665833] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   31.673580] page dumped because: kasan: bad access detected
[   31.679151] 
[   31.680649] Memory state around the buggy address:
[   31.685445]  ffff888105bb0100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.692671]  ffff888105bb0180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.699890] >ffff888105bb0200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.707112]                                                                 ^
[   31.714243]  ffff888105bb0280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.721461]  ffff888105bb0300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.728680] ==================================================================