Date
July 17, 2025, 11:11 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 16.879455] ================================================================== [ 16.879616] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 16.879679] Read of size 1 at addr fff00000c6691a00 by task kunit_try_catch/196 [ 16.879730] [ 16.879989] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 16.880306] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.880591] Hardware name: linux,dummy-virt (DT) [ 16.880688] Call trace: [ 16.880788] show_stack+0x20/0x38 (C) [ 16.880891] dump_stack_lvl+0x8c/0xd0 [ 16.881074] print_report+0x118/0x5d0 [ 16.881154] kasan_report+0xdc/0x128 [ 16.881344] __asan_report_load1_noabort+0x20/0x30 [ 16.881404] ksize_uaf+0x598/0x5f8 [ 16.881463] kunit_try_run_case+0x170/0x3f0 [ 16.881511] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.881562] kthread+0x328/0x630 [ 16.881605] ret_from_fork+0x10/0x20 [ 16.881651] [ 16.881669] Allocated by task 196: [ 16.881697] kasan_save_stack+0x3c/0x68 [ 16.881737] kasan_save_track+0x20/0x40 [ 16.881774] kasan_save_alloc_info+0x40/0x58 [ 16.881824] __kasan_kmalloc+0xd4/0xd8 [ 16.881881] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.881921] ksize_uaf+0xb8/0x5f8 [ 16.881961] kunit_try_run_case+0x170/0x3f0 [ 16.881999] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.882041] kthread+0x328/0x630 [ 16.882073] ret_from_fork+0x10/0x20 [ 16.882107] [ 16.882125] Freed by task 196: [ 16.882159] kasan_save_stack+0x3c/0x68 [ 16.882195] kasan_save_track+0x20/0x40 [ 16.882233] kasan_save_free_info+0x4c/0x78 [ 16.882286] __kasan_slab_free+0x6c/0x98 [ 16.882324] kfree+0x214/0x3c8 [ 16.882356] ksize_uaf+0x11c/0x5f8 [ 16.882389] kunit_try_run_case+0x170/0x3f0 [ 16.882427] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.882470] kthread+0x328/0x630 [ 16.882511] ret_from_fork+0x10/0x20 [ 16.882556] [ 16.882576] The buggy address belongs to the object at fff00000c6691a00 [ 16.882576] which belongs to the cache kmalloc-128 of size 128 [ 16.882644] The buggy address is located 0 bytes inside of [ 16.882644] freed 128-byte region [fff00000c6691a00, fff00000c6691a80) [ 16.882705] [ 16.882735] The buggy address belongs to the physical page: [ 16.882767] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106691 [ 16.882834] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.883150] page_type: f5(slab) [ 16.883225] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.884068] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.884163] page dumped because: kasan: bad access detected [ 16.884242] [ 16.884298] Memory state around the buggy address: [ 16.884449] fff00000c6691900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.884763] fff00000c6691980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.885202] >fff00000c6691a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.885900] ^ [ 16.886273] fff00000c6691a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.886653] fff00000c6691b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.886769] ================================================================== [ 16.865295] ================================================================== [ 16.865366] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 16.865426] Read of size 1 at addr fff00000c6691a00 by task kunit_try_catch/196 [ 16.865938] [ 16.866013] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 16.866424] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.866451] Hardware name: linux,dummy-virt (DT) [ 16.866601] Call trace: [ 16.866638] show_stack+0x20/0x38 (C) [ 16.866691] dump_stack_lvl+0x8c/0xd0 [ 16.866841] print_report+0x118/0x5d0 [ 16.866925] kasan_report+0xdc/0x128 [ 16.867296] __kasan_check_byte+0x54/0x70 [ 16.867363] ksize+0x30/0x88 [ 16.867408] ksize_uaf+0x168/0x5f8 [ 16.867560] kunit_try_run_case+0x170/0x3f0 [ 16.867622] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.867768] kthread+0x328/0x630 [ 16.867856] ret_from_fork+0x10/0x20 [ 16.867961] [ 16.867980] Allocated by task 196: [ 16.868469] kasan_save_stack+0x3c/0x68 [ 16.868582] kasan_save_track+0x20/0x40 [ 16.868735] kasan_save_alloc_info+0x40/0x58 [ 16.868930] __kasan_kmalloc+0xd4/0xd8 [ 16.869000] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.869059] ksize_uaf+0xb8/0x5f8 [ 16.869365] kunit_try_run_case+0x170/0x3f0 [ 16.870111] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.870191] kthread+0x328/0x630 [ 16.870257] ret_from_fork+0x10/0x20 [ 16.870331] [ 16.870392] Freed by task 196: [ 16.870938] kasan_save_stack+0x3c/0x68 [ 16.871245] kasan_save_track+0x20/0x40 [ 16.871725] kasan_save_free_info+0x4c/0x78 [ 16.871846] __kasan_slab_free+0x6c/0x98 [ 16.872140] kfree+0x214/0x3c8 [ 16.872290] ksize_uaf+0x11c/0x5f8 [ 16.872420] kunit_try_run_case+0x170/0x3f0 [ 16.872615] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.872873] kthread+0x328/0x630 [ 16.872990] ret_from_fork+0x10/0x20 [ 16.873153] [ 16.873287] The buggy address belongs to the object at fff00000c6691a00 [ 16.873287] which belongs to the cache kmalloc-128 of size 128 [ 16.873532] The buggy address is located 0 bytes inside of [ 16.873532] freed 128-byte region [fff00000c6691a00, fff00000c6691a80) [ 16.873648] [ 16.873671] The buggy address belongs to the physical page: [ 16.874066] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106691 [ 16.874261] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.874544] page_type: f5(slab) [ 16.874726] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.874847] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.874931] page dumped because: kasan: bad access detected [ 16.875233] [ 16.875268] Memory state around the buggy address: [ 16.875307] fff00000c6691900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.875681] fff00000c6691980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.875799] >fff00000c6691a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.875853] ^ [ 16.875900] fff00000c6691a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.876251] fff00000c6691b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.876350] ================================================================== [ 16.889191] ================================================================== [ 16.889249] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 16.889473] Read of size 1 at addr fff00000c6691a78 by task kunit_try_catch/196 [ 16.889676] [ 16.889719] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 16.889911] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.890105] Hardware name: linux,dummy-virt (DT) [ 16.890310] Call trace: [ 16.890350] show_stack+0x20/0x38 (C) [ 16.890452] dump_stack_lvl+0x8c/0xd0 [ 16.890503] print_report+0x118/0x5d0 [ 16.890549] kasan_report+0xdc/0x128 [ 16.890592] __asan_report_load1_noabort+0x20/0x30 [ 16.890693] ksize_uaf+0x544/0x5f8 [ 16.890736] kunit_try_run_case+0x170/0x3f0 [ 16.890798] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.891182] kthread+0x328/0x630 [ 16.891276] ret_from_fork+0x10/0x20 [ 16.891532] [ 16.891599] Allocated by task 196: [ 16.891648] kasan_save_stack+0x3c/0x68 [ 16.891702] kasan_save_track+0x20/0x40 [ 16.891739] kasan_save_alloc_info+0x40/0x58 [ 16.892348] __kasan_kmalloc+0xd4/0xd8 [ 16.892451] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.892551] ksize_uaf+0xb8/0x5f8 [ 16.892621] kunit_try_run_case+0x170/0x3f0 [ 16.892747] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.892813] kthread+0x328/0x630 [ 16.892951] ret_from_fork+0x10/0x20 [ 16.893199] [ 16.893363] Freed by task 196: [ 16.893528] kasan_save_stack+0x3c/0x68 [ 16.893634] kasan_save_track+0x20/0x40 [ 16.893807] kasan_save_free_info+0x4c/0x78 [ 16.893896] __kasan_slab_free+0x6c/0x98 [ 16.894061] kfree+0x214/0x3c8 [ 16.894300] ksize_uaf+0x11c/0x5f8 [ 16.894433] kunit_try_run_case+0x170/0x3f0 [ 16.895141] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.897668] kthread+0x328/0x630 [ 16.897720] ret_from_fork+0x10/0x20 [ 16.897759] [ 16.897781] The buggy address belongs to the object at fff00000c6691a00 [ 16.897781] which belongs to the cache kmalloc-128 of size 128 [ 16.897841] The buggy address is located 120 bytes inside of [ 16.897841] freed 128-byte region [fff00000c6691a00, fff00000c6691a80) [ 16.897919] [ 16.897943] The buggy address belongs to the physical page: [ 16.897975] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106691 [ 16.898032] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.898083] page_type: f5(slab) [ 16.898123] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.898172] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.898212] page dumped because: kasan: bad access detected [ 16.898243] [ 16.898263] Memory state around the buggy address: [ 16.898295] fff00000c6691900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.898338] fff00000c6691980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.898381] >fff00000c6691a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.898416] ^ [ 16.898456] fff00000c6691a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.898497] fff00000c6691b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.898535] ==================================================================
[ 12.797873] ================================================================== [ 12.798160] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 12.798612] Read of size 1 at addr ffff8881026a6c00 by task kunit_try_catch/213 [ 12.798999] [ 12.799114] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 12.799156] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.799167] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.799187] Call Trace: [ 12.799199] <TASK> [ 12.799215] dump_stack_lvl+0x73/0xb0 [ 12.799243] print_report+0xd1/0x610 [ 12.799264] ? __virt_addr_valid+0x1db/0x2d0 [ 12.799298] ? ksize_uaf+0x5fe/0x6c0 [ 12.799318] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.799340] ? ksize_uaf+0x5fe/0x6c0 [ 12.799360] kasan_report+0x141/0x180 [ 12.799392] ? ksize_uaf+0x5fe/0x6c0 [ 12.799417] __asan_report_load1_noabort+0x18/0x20 [ 12.799441] ksize_uaf+0x5fe/0x6c0 [ 12.799460] ? __pfx_ksize_uaf+0x10/0x10 [ 12.799481] ? __schedule+0x10cc/0x2b60 [ 12.799513] ? __pfx_read_tsc+0x10/0x10 [ 12.799533] ? ktime_get_ts64+0x86/0x230 [ 12.799557] kunit_try_run_case+0x1a5/0x480 [ 12.799590] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.799613] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.799636] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.799659] ? __kthread_parkme+0x82/0x180 [ 12.799678] ? preempt_count_sub+0x50/0x80 [ 12.799702] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.799725] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.799748] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.799780] kthread+0x337/0x6f0 [ 12.799798] ? trace_preempt_on+0x20/0xc0 [ 12.799859] ? __pfx_kthread+0x10/0x10 [ 12.799879] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.799899] ? calculate_sigpending+0x7b/0xa0 [ 12.799923] ? __pfx_kthread+0x10/0x10 [ 12.799943] ret_from_fork+0x116/0x1d0 [ 12.799961] ? __pfx_kthread+0x10/0x10 [ 12.799981] ret_from_fork_asm+0x1a/0x30 [ 12.800012] </TASK> [ 12.800021] [ 12.807623] Allocated by task 213: [ 12.807757] kasan_save_stack+0x45/0x70 [ 12.808067] kasan_save_track+0x18/0x40 [ 12.808287] kasan_save_alloc_info+0x3b/0x50 [ 12.808522] __kasan_kmalloc+0xb7/0xc0 [ 12.808884] __kmalloc_cache_noprof+0x189/0x420 [ 12.809088] ksize_uaf+0xaa/0x6c0 [ 12.809212] kunit_try_run_case+0x1a5/0x480 [ 12.809396] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.809715] kthread+0x337/0x6f0 [ 12.809934] ret_from_fork+0x116/0x1d0 [ 12.810365] ret_from_fork_asm+0x1a/0x30 [ 12.810609] [ 12.810697] Freed by task 213: [ 12.810920] kasan_save_stack+0x45/0x70 [ 12.811122] kasan_save_track+0x18/0x40 [ 12.811308] kasan_save_free_info+0x3f/0x60 [ 12.811528] __kasan_slab_free+0x56/0x70 [ 12.811754] kfree+0x222/0x3f0 [ 12.812036] ksize_uaf+0x12c/0x6c0 [ 12.812176] kunit_try_run_case+0x1a5/0x480 [ 12.812324] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.812499] kthread+0x337/0x6f0 [ 12.812655] ret_from_fork+0x116/0x1d0 [ 12.812864] ret_from_fork_asm+0x1a/0x30 [ 12.813077] [ 12.813171] The buggy address belongs to the object at ffff8881026a6c00 [ 12.813171] which belongs to the cache kmalloc-128 of size 128 [ 12.813788] The buggy address is located 0 bytes inside of [ 12.813788] freed 128-byte region [ffff8881026a6c00, ffff8881026a6c80) [ 12.814143] [ 12.814294] The buggy address belongs to the physical page: [ 12.814584] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026a6 [ 12.815086] flags: 0x200000000000000(node=0|zone=2) [ 12.815396] page_type: f5(slab) [ 12.815518] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 12.815824] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.816386] page dumped because: kasan: bad access detected [ 12.816717] [ 12.816860] Memory state around the buggy address: [ 12.817100] ffff8881026a6b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.817384] ffff8881026a6b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.817629] >ffff8881026a6c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.818036] ^ [ 12.818223] ffff8881026a6c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.818510] ffff8881026a6d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.818988] ================================================================== [ 12.769491] ================================================================== [ 12.770010] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 12.770367] Read of size 1 at addr ffff8881026a6c00 by task kunit_try_catch/213 [ 12.771268] [ 12.771375] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 12.771422] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.771433] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.771456] Call Trace: [ 12.771468] <TASK> [ 12.771487] dump_stack_lvl+0x73/0xb0 [ 12.771520] print_report+0xd1/0x610 [ 12.771542] ? __virt_addr_valid+0x1db/0x2d0 [ 12.771566] ? ksize_uaf+0x19d/0x6c0 [ 12.771585] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.771732] ? ksize_uaf+0x19d/0x6c0 [ 12.771766] kasan_report+0x141/0x180 [ 12.771788] ? ksize_uaf+0x19d/0x6c0 [ 12.771845] ? ksize_uaf+0x19d/0x6c0 [ 12.771868] __kasan_check_byte+0x3d/0x50 [ 12.771889] ksize+0x20/0x60 [ 12.771910] ksize_uaf+0x19d/0x6c0 [ 12.771930] ? __pfx_ksize_uaf+0x10/0x10 [ 12.771951] ? __schedule+0x10cc/0x2b60 [ 12.771974] ? __pfx_read_tsc+0x10/0x10 [ 12.771995] ? ktime_get_ts64+0x86/0x230 [ 12.772020] kunit_try_run_case+0x1a5/0x480 [ 12.772046] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.772078] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.772102] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.772125] ? __kthread_parkme+0x82/0x180 [ 12.772146] ? preempt_count_sub+0x50/0x80 [ 12.772171] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.772194] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.772217] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.772240] kthread+0x337/0x6f0 [ 12.772258] ? trace_preempt_on+0x20/0xc0 [ 12.772281] ? __pfx_kthread+0x10/0x10 [ 12.772301] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.772321] ? calculate_sigpending+0x7b/0xa0 [ 12.772346] ? __pfx_kthread+0x10/0x10 [ 12.772366] ret_from_fork+0x116/0x1d0 [ 12.772384] ? __pfx_kthread+0x10/0x10 [ 12.772404] ret_from_fork_asm+0x1a/0x30 [ 12.772437] </TASK> [ 12.772447] [ 12.785250] Allocated by task 213: [ 12.785388] kasan_save_stack+0x45/0x70 [ 12.785536] kasan_save_track+0x18/0x40 [ 12.785705] kasan_save_alloc_info+0x3b/0x50 [ 12.785854] __kasan_kmalloc+0xb7/0xc0 [ 12.786156] __kmalloc_cache_noprof+0x189/0x420 [ 12.786397] ksize_uaf+0xaa/0x6c0 [ 12.786575] kunit_try_run_case+0x1a5/0x480 [ 12.786744] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.786971] kthread+0x337/0x6f0 [ 12.787242] ret_from_fork+0x116/0x1d0 [ 12.787383] ret_from_fork_asm+0x1a/0x30 [ 12.787563] [ 12.787761] Freed by task 213: [ 12.788132] kasan_save_stack+0x45/0x70 [ 12.788379] kasan_save_track+0x18/0x40 [ 12.788560] kasan_save_free_info+0x3f/0x60 [ 12.788717] __kasan_slab_free+0x56/0x70 [ 12.789014] kfree+0x222/0x3f0 [ 12.789310] ksize_uaf+0x12c/0x6c0 [ 12.789639] kunit_try_run_case+0x1a5/0x480 [ 12.789936] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.790232] kthread+0x337/0x6f0 [ 12.790374] ret_from_fork+0x116/0x1d0 [ 12.790562] ret_from_fork_asm+0x1a/0x30 [ 12.790920] [ 12.791089] The buggy address belongs to the object at ffff8881026a6c00 [ 12.791089] which belongs to the cache kmalloc-128 of size 128 [ 12.791629] The buggy address is located 0 bytes inside of [ 12.791629] freed 128-byte region [ffff8881026a6c00, ffff8881026a6c80) [ 12.792147] [ 12.792248] The buggy address belongs to the physical page: [ 12.792585] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026a6 [ 12.793045] flags: 0x200000000000000(node=0|zone=2) [ 12.793304] page_type: f5(slab) [ 12.793444] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 12.793892] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.794262] page dumped because: kasan: bad access detected [ 12.794947] [ 12.795070] Memory state around the buggy address: [ 12.795278] ffff8881026a6b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.795617] ffff8881026a6b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.796037] >ffff8881026a6c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.796387] ^ [ 12.796574] ffff8881026a6c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.796919] ffff8881026a6d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.797246] ================================================================== [ 12.819454] ================================================================== [ 12.820110] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 12.820423] Read of size 1 at addr ffff8881026a6c78 by task kunit_try_catch/213 [ 12.820773] [ 12.820986] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 12.821041] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.821070] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.821091] Call Trace: [ 12.821109] <TASK> [ 12.821127] dump_stack_lvl+0x73/0xb0 [ 12.821155] print_report+0xd1/0x610 [ 12.821177] ? __virt_addr_valid+0x1db/0x2d0 [ 12.821199] ? ksize_uaf+0x5e4/0x6c0 [ 12.821228] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.821250] ? ksize_uaf+0x5e4/0x6c0 [ 12.821272] kasan_report+0x141/0x180 [ 12.821304] ? ksize_uaf+0x5e4/0x6c0 [ 12.821330] __asan_report_load1_noabort+0x18/0x20 [ 12.821353] ksize_uaf+0x5e4/0x6c0 [ 12.821373] ? __pfx_ksize_uaf+0x10/0x10 [ 12.821394] ? __schedule+0x10cc/0x2b60 [ 12.821426] ? __pfx_read_tsc+0x10/0x10 [ 12.821446] ? ktime_get_ts64+0x86/0x230 [ 12.821470] kunit_try_run_case+0x1a5/0x480 [ 12.821504] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.821526] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.821549] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.821580] ? __kthread_parkme+0x82/0x180 [ 12.821610] ? preempt_count_sub+0x50/0x80 [ 12.821634] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.821669] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.821693] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.821716] kthread+0x337/0x6f0 [ 12.821734] ? trace_preempt_on+0x20/0xc0 [ 12.821757] ? __pfx_kthread+0x10/0x10 [ 12.821785] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.821806] ? calculate_sigpending+0x7b/0xa0 [ 12.821830] ? __pfx_kthread+0x10/0x10 [ 12.821908] ret_from_fork+0x116/0x1d0 [ 12.821928] ? __pfx_kthread+0x10/0x10 [ 12.821947] ret_from_fork_asm+0x1a/0x30 [ 12.821980] </TASK> [ 12.821990] [ 12.829476] Allocated by task 213: [ 12.829759] kasan_save_stack+0x45/0x70 [ 12.830014] kasan_save_track+0x18/0x40 [ 12.830223] kasan_save_alloc_info+0x3b/0x50 [ 12.830440] __kasan_kmalloc+0xb7/0xc0 [ 12.830715] __kmalloc_cache_noprof+0x189/0x420 [ 12.831155] ksize_uaf+0xaa/0x6c0 [ 12.831292] kunit_try_run_case+0x1a5/0x480 [ 12.831441] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.831754] kthread+0x337/0x6f0 [ 12.832065] ret_from_fork+0x116/0x1d0 [ 12.832514] ret_from_fork_asm+0x1a/0x30 [ 12.832934] [ 12.833011] Freed by task 213: [ 12.833135] kasan_save_stack+0x45/0x70 [ 12.833274] kasan_save_track+0x18/0x40 [ 12.833409] kasan_save_free_info+0x3f/0x60 [ 12.833555] __kasan_slab_free+0x56/0x70 [ 12.833699] kfree+0x222/0x3f0 [ 12.833861] ksize_uaf+0x12c/0x6c0 [ 12.834039] kunit_try_run_case+0x1a5/0x480 [ 12.834295] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.834580] kthread+0x337/0x6f0 [ 12.834772] ret_from_fork+0x116/0x1d0 [ 12.835195] ret_from_fork_asm+0x1a/0x30 [ 12.835427] [ 12.835548] The buggy address belongs to the object at ffff8881026a6c00 [ 12.835548] which belongs to the cache kmalloc-128 of size 128 [ 12.836197] The buggy address is located 120 bytes inside of [ 12.836197] freed 128-byte region [ffff8881026a6c00, ffff8881026a6c80) [ 12.836555] [ 12.836628] The buggy address belongs to the physical page: [ 12.836902] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026a6 [ 12.837291] flags: 0x200000000000000(node=0|zone=2) [ 12.837784] page_type: f5(slab) [ 12.838267] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 12.838617] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.839062] page dumped because: kasan: bad access detected [ 12.839292] [ 12.839479] Memory state around the buggy address: [ 12.839700] ffff8881026a6b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.840089] ffff8881026a6b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.840418] >ffff8881026a6c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.840777] ^ [ 12.841202] ffff8881026a6c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.841513] ffff8881026a6d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.842074] ==================================================================