Date
July 15, 2025, 11:09 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 15.867356] ================================================================== [ 15.867421] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 15.867476] Read of size 1 at addr fff00000c592cf00 by task kunit_try_catch/197 [ 15.867527] [ 15.867560] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 15.867645] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.867670] Hardware name: linux,dummy-virt (DT) [ 15.867699] Call trace: [ 15.867722] show_stack+0x20/0x38 (C) [ 15.867769] dump_stack_lvl+0x8c/0xd0 [ 15.868413] print_report+0x118/0x5d0 [ 15.868953] kasan_report+0xdc/0x128 [ 15.869355] __kasan_check_byte+0x54/0x70 [ 15.869407] ksize+0x30/0x88 [ 15.869451] ksize_uaf+0x168/0x5f8 [ 15.869502] kunit_try_run_case+0x170/0x3f0 [ 15.869931] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.869993] kthread+0x328/0x630 [ 15.870038] ret_from_fork+0x10/0x20 [ 15.870216] [ 15.870240] Allocated by task 197: [ 15.870285] kasan_save_stack+0x3c/0x68 [ 15.870456] kasan_save_track+0x20/0x40 [ 15.870533] kasan_save_alloc_info+0x40/0x58 [ 15.870972] __kasan_kmalloc+0xd4/0xd8 [ 15.871155] __kmalloc_cache_noprof+0x16c/0x3c0 [ 15.871419] ksize_uaf+0xb8/0x5f8 [ 15.871463] kunit_try_run_case+0x170/0x3f0 [ 15.871738] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.872224] kthread+0x328/0x630 [ 15.872266] ret_from_fork+0x10/0x20 [ 15.872301] [ 15.872586] Freed by task 197: [ 15.872737] kasan_save_stack+0x3c/0x68 [ 15.872978] kasan_save_track+0x20/0x40 [ 15.873075] kasan_save_free_info+0x4c/0x78 [ 15.873116] __kasan_slab_free+0x6c/0x98 [ 15.873153] kfree+0x214/0x3c8 [ 15.873251] ksize_uaf+0x11c/0x5f8 [ 15.873288] kunit_try_run_case+0x170/0x3f0 [ 15.873379] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.873548] kthread+0x328/0x630 [ 15.873595] ret_from_fork+0x10/0x20 [ 15.873739] [ 15.873878] The buggy address belongs to the object at fff00000c592cf00 [ 15.873878] which belongs to the cache kmalloc-128 of size 128 [ 15.874251] The buggy address is located 0 bytes inside of [ 15.874251] freed 128-byte region [fff00000c592cf00, fff00000c592cf80) [ 15.874544] [ 15.874566] The buggy address belongs to the physical page: [ 15.874599] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10592c [ 15.874995] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 15.875061] page_type: f5(slab) [ 15.875101] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 15.875188] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 15.875488] page dumped because: kasan: bad access detected [ 15.875540] [ 15.875557] Memory state around the buggy address: [ 15.875852] fff00000c592ce00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.876212] fff00000c592ce80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.876398] >fff00000c592cf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.876693] ^ [ 15.876776] fff00000c592cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.876821] fff00000c592d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.877311] ================================================================== [ 15.878316] ================================================================== [ 15.878372] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 15.878421] Read of size 1 at addr fff00000c592cf00 by task kunit_try_catch/197 [ 15.878471] [ 15.878900] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 15.879010] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.879720] Hardware name: linux,dummy-virt (DT) [ 15.879969] Call trace: [ 15.880005] show_stack+0x20/0x38 (C) [ 15.880108] dump_stack_lvl+0x8c/0xd0 [ 15.880318] print_report+0x118/0x5d0 [ 15.880382] kasan_report+0xdc/0x128 [ 15.880628] __asan_report_load1_noabort+0x20/0x30 [ 15.880741] ksize_uaf+0x598/0x5f8 [ 15.880785] kunit_try_run_case+0x170/0x3f0 [ 15.880831] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.880883] kthread+0x328/0x630 [ 15.880926] ret_from_fork+0x10/0x20 [ 15.881350] [ 15.881464] Allocated by task 197: [ 15.881691] kasan_save_stack+0x3c/0x68 [ 15.881737] kasan_save_track+0x20/0x40 [ 15.881776] kasan_save_alloc_info+0x40/0x58 [ 15.881815] __kasan_kmalloc+0xd4/0xd8 [ 15.881851] __kmalloc_cache_noprof+0x16c/0x3c0 [ 15.881890] ksize_uaf+0xb8/0x5f8 [ 15.882447] kunit_try_run_case+0x170/0x3f0 [ 15.882907] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.882963] kthread+0x328/0x630 [ 15.882997] ret_from_fork+0x10/0x20 [ 15.883032] [ 15.883051] Freed by task 197: [ 15.883078] kasan_save_stack+0x3c/0x68 [ 15.883115] kasan_save_track+0x20/0x40 [ 15.883926] kasan_save_free_info+0x4c/0x78 [ 15.884201] __kasan_slab_free+0x6c/0x98 [ 15.884269] kfree+0x214/0x3c8 [ 15.884315] ksize_uaf+0x11c/0x5f8 [ 15.884348] kunit_try_run_case+0x170/0x3f0 [ 15.884544] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.884594] kthread+0x328/0x630 [ 15.884685] ret_from_fork+0x10/0x20 [ 15.884743] [ 15.885096] The buggy address belongs to the object at fff00000c592cf00 [ 15.885096] which belongs to the cache kmalloc-128 of size 128 [ 15.885349] The buggy address is located 0 bytes inside of [ 15.885349] freed 128-byte region [fff00000c592cf00, fff00000c592cf80) [ 15.885415] [ 15.885435] The buggy address belongs to the physical page: [ 15.885589] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10592c [ 15.885670] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 15.886132] page_type: f5(slab) [ 15.886173] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 15.886355] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 15.886763] page dumped because: kasan: bad access detected [ 15.886801] [ 15.887016] Memory state around the buggy address: [ 15.887129] fff00000c592ce00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.887380] fff00000c592ce80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.887431] >fff00000c592cf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.887886] ^ [ 15.888012] fff00000c592cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.888057] fff00000c592d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.888096] ================================================================== [ 15.890099] ================================================================== [ 15.890419] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 15.890613] Read of size 1 at addr fff00000c592cf78 by task kunit_try_catch/197 [ 15.890781] [ 15.890969] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 15.891054] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.891081] Hardware name: linux,dummy-virt (DT) [ 15.891576] Call trace: [ 15.891630] show_stack+0x20/0x38 (C) [ 15.891913] dump_stack_lvl+0x8c/0xd0 [ 15.892058] print_report+0x118/0x5d0 [ 15.892105] kasan_report+0xdc/0x128 [ 15.892149] __asan_report_load1_noabort+0x20/0x30 [ 15.892244] ksize_uaf+0x544/0x5f8 [ 15.892288] kunit_try_run_case+0x170/0x3f0 [ 15.892346] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.892640] kthread+0x328/0x630 [ 15.892933] ret_from_fork+0x10/0x20 [ 15.893337] [ 15.893372] Allocated by task 197: [ 15.893405] kasan_save_stack+0x3c/0x68 [ 15.893498] kasan_save_track+0x20/0x40 [ 15.893539] kasan_save_alloc_info+0x40/0x58 [ 15.893713] __kasan_kmalloc+0xd4/0xd8 [ 15.893764] __kmalloc_cache_noprof+0x16c/0x3c0 [ 15.894109] ksize_uaf+0xb8/0x5f8 [ 15.894145] kunit_try_run_case+0x170/0x3f0 [ 15.894633] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.894688] kthread+0x328/0x630 [ 15.894724] ret_from_fork+0x10/0x20 [ 15.894762] [ 15.894781] Freed by task 197: [ 15.894807] kasan_save_stack+0x3c/0x68 [ 15.894848] kasan_save_track+0x20/0x40 [ 15.895400] kasan_save_free_info+0x4c/0x78 [ 15.895783] __kasan_slab_free+0x6c/0x98 [ 15.895846] kfree+0x214/0x3c8 [ 15.895880] ksize_uaf+0x11c/0x5f8 [ 15.895913] kunit_try_run_case+0x170/0x3f0 [ 15.895949] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.896348] kthread+0x328/0x630 [ 15.896400] ret_from_fork+0x10/0x20 [ 15.896483] [ 15.896791] The buggy address belongs to the object at fff00000c592cf00 [ 15.896791] which belongs to the cache kmalloc-128 of size 128 [ 15.897000] The buggy address is located 120 bytes inside of [ 15.897000] freed 128-byte region [fff00000c592cf00, fff00000c592cf80) [ 15.897127] [ 15.897342] The buggy address belongs to the physical page: [ 15.897373] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10592c [ 15.897584] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 15.897639] page_type: f5(slab) [ 15.898213] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 15.898515] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 15.898561] page dumped because: kasan: bad access detected [ 15.898593] [ 15.898612] Memory state around the buggy address: [ 15.898644] fff00000c592ce00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.898689] fff00000c592ce80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.899112] >fff00000c592cf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.899154] ^ [ 15.899337] fff00000c592cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.899398] fff00000c592d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.899439] ==================================================================
[ 13.083478] ================================================================== [ 13.084300] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 13.085100] Read of size 1 at addr ffff888102afc578 by task kunit_try_catch/213 [ 13.085662] [ 13.085792] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.085836] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.085848] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.085867] Call Trace: [ 13.085878] <TASK> [ 13.085893] dump_stack_lvl+0x73/0xb0 [ 13.085925] print_report+0xd1/0x610 [ 13.085947] ? __virt_addr_valid+0x1db/0x2d0 [ 13.085969] ? ksize_uaf+0x5e4/0x6c0 [ 13.085990] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.086014] ? ksize_uaf+0x5e4/0x6c0 [ 13.086035] kasan_report+0x141/0x180 [ 13.086056] ? ksize_uaf+0x5e4/0x6c0 [ 13.086081] __asan_report_load1_noabort+0x18/0x20 [ 13.086107] ksize_uaf+0x5e4/0x6c0 [ 13.086128] ? __pfx_ksize_uaf+0x10/0x10 [ 13.086150] ? __schedule+0x10cc/0x2b60 [ 13.086172] ? __pfx_read_tsc+0x10/0x10 [ 13.086192] ? ktime_get_ts64+0x86/0x230 [ 13.086217] kunit_try_run_case+0x1a5/0x480 [ 13.086241] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.086263] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.086288] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.086313] ? __kthread_parkme+0x82/0x180 [ 13.086596] ? preempt_count_sub+0x50/0x80 [ 13.086625] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.086651] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.086677] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.086702] kthread+0x337/0x6f0 [ 13.086721] ? trace_preempt_on+0x20/0xc0 [ 13.086744] ? __pfx_kthread+0x10/0x10 [ 13.086780] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.086801] ? calculate_sigpending+0x7b/0xa0 [ 13.086825] ? __pfx_kthread+0x10/0x10 [ 13.086846] ret_from_fork+0x116/0x1d0 [ 13.086864] ? __pfx_kthread+0x10/0x10 [ 13.086884] ret_from_fork_asm+0x1a/0x30 [ 13.086914] </TASK> [ 13.086924] [ 13.097335] Allocated by task 213: [ 13.097933] kasan_save_stack+0x45/0x70 [ 13.098140] kasan_save_track+0x18/0x40 [ 13.098529] kasan_save_alloc_info+0x3b/0x50 [ 13.098750] __kasan_kmalloc+0xb7/0xc0 [ 13.098926] __kmalloc_cache_noprof+0x189/0x420 [ 13.099285] ksize_uaf+0xaa/0x6c0 [ 13.099773] kunit_try_run_case+0x1a5/0x480 [ 13.100135] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.100595] kthread+0x337/0x6f0 [ 13.100886] ret_from_fork+0x116/0x1d0 [ 13.101165] ret_from_fork_asm+0x1a/0x30 [ 13.101540] [ 13.101706] Freed by task 213: [ 13.102054] kasan_save_stack+0x45/0x70 [ 13.102248] kasan_save_track+0x18/0x40 [ 13.102592] kasan_save_free_info+0x3f/0x60 [ 13.102803] __kasan_slab_free+0x56/0x70 [ 13.102993] kfree+0x222/0x3f0 [ 13.103147] ksize_uaf+0x12c/0x6c0 [ 13.103310] kunit_try_run_case+0x1a5/0x480 [ 13.103982] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.104234] kthread+0x337/0x6f0 [ 13.104562] ret_from_fork+0x116/0x1d0 [ 13.104781] ret_from_fork_asm+0x1a/0x30 [ 13.105121] [ 13.105224] The buggy address belongs to the object at ffff888102afc500 [ 13.105224] which belongs to the cache kmalloc-128 of size 128 [ 13.106104] The buggy address is located 120 bytes inside of [ 13.106104] freed 128-byte region [ffff888102afc500, ffff888102afc580) [ 13.106824] [ 13.106928] The buggy address belongs to the physical page: [ 13.107170] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102afc [ 13.107950] flags: 0x200000000000000(node=0|zone=2) [ 13.108181] page_type: f5(slab) [ 13.108529] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.108914] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.109332] page dumped because: kasan: bad access detected [ 13.109669] [ 13.109745] Memory state around the buggy address: [ 13.109987] ffff888102afc400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.110284] ffff888102afc480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.110920] >ffff888102afc500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.111289] ^ [ 13.111959] ffff888102afc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.112226] ffff888102afc600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.112859] ================================================================== [ 13.052970] ================================================================== [ 13.053305] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 13.053985] Read of size 1 at addr ffff888102afc500 by task kunit_try_catch/213 [ 13.054386] [ 13.054536] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.054578] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.054590] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.054610] Call Trace: [ 13.054621] <TASK> [ 13.054634] dump_stack_lvl+0x73/0xb0 [ 13.054664] print_report+0xd1/0x610 [ 13.054696] ? __virt_addr_valid+0x1db/0x2d0 [ 13.054721] ? ksize_uaf+0x5fe/0x6c0 [ 13.054741] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.054778] ? ksize_uaf+0x5fe/0x6c0 [ 13.054799] kasan_report+0x141/0x180 [ 13.054821] ? ksize_uaf+0x5fe/0x6c0 [ 13.054846] __asan_report_load1_noabort+0x18/0x20 [ 13.054872] ksize_uaf+0x5fe/0x6c0 [ 13.054893] ? __pfx_ksize_uaf+0x10/0x10 [ 13.054915] ? __schedule+0x10cc/0x2b60 [ 13.054936] ? __pfx_read_tsc+0x10/0x10 [ 13.054957] ? ktime_get_ts64+0x86/0x230 [ 13.054982] kunit_try_run_case+0x1a5/0x480 [ 13.055006] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.055030] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.055053] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.055077] ? __kthread_parkme+0x82/0x180 [ 13.055098] ? preempt_count_sub+0x50/0x80 [ 13.055121] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.055146] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.055170] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.055195] kthread+0x337/0x6f0 [ 13.055214] ? trace_preempt_on+0x20/0xc0 [ 13.055237] ? __pfx_kthread+0x10/0x10 [ 13.055257] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.055279] ? calculate_sigpending+0x7b/0xa0 [ 13.055327] ? __pfx_kthread+0x10/0x10 [ 13.055622] ret_from_fork+0x116/0x1d0 [ 13.055657] ? __pfx_kthread+0x10/0x10 [ 13.055678] ret_from_fork_asm+0x1a/0x30 [ 13.055708] </TASK> [ 13.055719] [ 13.065822] Allocated by task 213: [ 13.065970] kasan_save_stack+0x45/0x70 [ 13.066177] kasan_save_track+0x18/0x40 [ 13.066367] kasan_save_alloc_info+0x3b/0x50 [ 13.066637] __kasan_kmalloc+0xb7/0xc0 [ 13.066933] __kmalloc_cache_noprof+0x189/0x420 [ 13.067119] ksize_uaf+0xaa/0x6c0 [ 13.067243] kunit_try_run_case+0x1a5/0x480 [ 13.067391] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.067638] kthread+0x337/0x6f0 [ 13.067896] ret_from_fork+0x116/0x1d0 [ 13.068393] ret_from_fork_asm+0x1a/0x30 [ 13.068579] [ 13.068676] Freed by task 213: [ 13.068821] kasan_save_stack+0x45/0x70 [ 13.068962] kasan_save_track+0x18/0x40 [ 13.069125] kasan_save_free_info+0x3f/0x60 [ 13.069331] __kasan_slab_free+0x56/0x70 [ 13.069740] kfree+0x222/0x3f0 [ 13.069924] ksize_uaf+0x12c/0x6c0 [ 13.070093] kunit_try_run_case+0x1a5/0x480 [ 13.070282] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.070655] kthread+0x337/0x6f0 [ 13.070831] ret_from_fork+0x116/0x1d0 [ 13.070992] ret_from_fork_asm+0x1a/0x30 [ 13.071167] [ 13.071263] The buggy address belongs to the object at ffff888102afc500 [ 13.071263] which belongs to the cache kmalloc-128 of size 128 [ 13.071859] The buggy address is located 0 bytes inside of [ 13.071859] freed 128-byte region [ffff888102afc500, ffff888102afc580) [ 13.072286] [ 13.072389] The buggy address belongs to the physical page: [ 13.072651] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102afc [ 13.074642] flags: 0x200000000000000(node=0|zone=2) [ 13.074834] page_type: f5(slab) [ 13.074958] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.075192] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.075426] page dumped because: kasan: bad access detected [ 13.075599] [ 13.075671] Memory state around the buggy address: [ 13.077509] ffff888102afc400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.078675] ffff888102afc480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.079941] >ffff888102afc500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.081075] ^ [ 13.081232] ffff888102afc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.082235] ffff888102afc600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.082528] ================================================================== [ 13.032211] ================================================================== [ 13.032842] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 13.033116] Read of size 1 at addr ffff888102afc500 by task kunit_try_catch/213 [ 13.033411] [ 13.033553] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.033599] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.033610] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.033631] Call Trace: [ 13.033642] <TASK> [ 13.033658] dump_stack_lvl+0x73/0xb0 [ 13.033687] print_report+0xd1/0x610 [ 13.033709] ? __virt_addr_valid+0x1db/0x2d0 [ 13.033733] ? ksize_uaf+0x19d/0x6c0 [ 13.033764] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.033788] ? ksize_uaf+0x19d/0x6c0 [ 13.033809] kasan_report+0x141/0x180 [ 13.033833] ? ksize_uaf+0x19d/0x6c0 [ 13.033860] ? ksize_uaf+0x19d/0x6c0 [ 13.033882] __kasan_check_byte+0x3d/0x50 [ 13.033905] ksize+0x20/0x60 [ 13.033926] ksize_uaf+0x19d/0x6c0 [ 13.033946] ? __pfx_ksize_uaf+0x10/0x10 [ 13.033968] ? __schedule+0x10cc/0x2b60 [ 13.033990] ? __pfx_read_tsc+0x10/0x10 [ 13.034011] ? ktime_get_ts64+0x86/0x230 [ 13.034037] kunit_try_run_case+0x1a5/0x480 [ 13.034062] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.034085] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.034110] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.034134] ? __kthread_parkme+0x82/0x180 [ 13.034155] ? preempt_count_sub+0x50/0x80 [ 13.034179] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.034204] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.034230] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.034255] kthread+0x337/0x6f0 [ 13.034274] ? trace_preempt_on+0x20/0xc0 [ 13.034297] ? __pfx_kthread+0x10/0x10 [ 13.034318] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.034340] ? calculate_sigpending+0x7b/0xa0 [ 13.034365] ? __pfx_kthread+0x10/0x10 [ 13.034391] ret_from_fork+0x116/0x1d0 [ 13.034422] ? __pfx_kthread+0x10/0x10 [ 13.034453] ret_from_fork_asm+0x1a/0x30 [ 13.034493] </TASK> [ 13.034503] [ 13.041814] Allocated by task 213: [ 13.042129] kasan_save_stack+0x45/0x70 [ 13.042341] kasan_save_track+0x18/0x40 [ 13.042565] kasan_save_alloc_info+0x3b/0x50 [ 13.042712] __kasan_kmalloc+0xb7/0xc0 [ 13.042856] __kmalloc_cache_noprof+0x189/0x420 [ 13.043138] ksize_uaf+0xaa/0x6c0 [ 13.043313] kunit_try_run_case+0x1a5/0x480 [ 13.043654] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.043921] kthread+0x337/0x6f0 [ 13.044068] ret_from_fork+0x116/0x1d0 [ 13.044227] ret_from_fork_asm+0x1a/0x30 [ 13.044547] [ 13.044648] Freed by task 213: [ 13.044816] kasan_save_stack+0x45/0x70 [ 13.044987] kasan_save_track+0x18/0x40 [ 13.045169] kasan_save_free_info+0x3f/0x60 [ 13.045438] __kasan_slab_free+0x56/0x70 [ 13.045640] kfree+0x222/0x3f0 [ 13.045801] ksize_uaf+0x12c/0x6c0 [ 13.045932] kunit_try_run_case+0x1a5/0x480 [ 13.046079] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.046253] kthread+0x337/0x6f0 [ 13.046372] ret_from_fork+0x116/0x1d0 [ 13.046510] ret_from_fork_asm+0x1a/0x30 [ 13.046713] [ 13.046821] The buggy address belongs to the object at ffff888102afc500 [ 13.046821] which belongs to the cache kmalloc-128 of size 128 [ 13.047596] The buggy address is located 0 bytes inside of [ 13.047596] freed 128-byte region [ffff888102afc500, ffff888102afc580) [ 13.048152] [ 13.048253] The buggy address belongs to the physical page: [ 13.048567] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102afc [ 13.048880] flags: 0x200000000000000(node=0|zone=2) [ 13.049047] page_type: f5(slab) [ 13.049175] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.049453] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.049792] page dumped because: kasan: bad access detected [ 13.049977] [ 13.050046] Memory state around the buggy address: [ 13.050247] ffff888102afc400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.050781] ffff888102afc480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.051108] >ffff888102afc500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.051438] ^ [ 13.051551] ffff888102afc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.051770] ffff888102afc600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.052219] ==================================================================