Hay
Sign in
Date
July 18, 2025, 11:11 p.m.

Environment
qemu-arm64
qemu-x86_64 

[   15.662409] ==================================================================
[   15.662465] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   15.662514] Read of size 1 at addr fff00000c3f56278 by task kunit_try_catch/196
[   15.662567] 
[   15.662600] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   15.663019] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.663137] Hardware name: linux,dummy-virt (DT)
[   15.663492] Call trace:
[   15.663559]  show_stack+0x20/0x38 (C)
[   15.663682]  dump_stack_lvl+0x8c/0xd0
[   15.663738]  print_report+0x118/0x5d0
[   15.663790]  kasan_report+0xdc/0x128
[   15.663839]  __asan_report_load1_noabort+0x20/0x30
[   15.664358]  ksize_uaf+0x544/0x5f8
[   15.664555]  kunit_try_run_case+0x170/0x3f0
[   15.664831]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.665026]  kthread+0x328/0x630
[   15.665082]  ret_from_fork+0x10/0x20
[   15.665132] 
[   15.665152] Allocated by task 196:
[   15.665353]  kasan_save_stack+0x3c/0x68
[   15.665601]  kasan_save_track+0x20/0x40
[   15.666021]  kasan_save_alloc_info+0x40/0x58
[   15.666166]  __kasan_kmalloc+0xd4/0xd8
[   15.666349]  __kmalloc_cache_noprof+0x16c/0x3c0
[   15.666721]  ksize_uaf+0xb8/0x5f8
[   15.666836]  kunit_try_run_case+0x170/0x3f0
[   15.666882]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.667252]  kthread+0x328/0x630
[   15.667321]  ret_from_fork+0x10/0x20
[   15.667370] 
[   15.667392] Freed by task 196:
[   15.667471]  kasan_save_stack+0x3c/0x68
[   15.667537]  kasan_save_track+0x20/0x40
[   15.667582]  kasan_save_free_info+0x4c/0x78
[   15.667627]  __kasan_slab_free+0x6c/0x98
[   15.667667]  kfree+0x214/0x3c8
[   15.667715]  ksize_uaf+0x11c/0x5f8
[   15.667752]  kunit_try_run_case+0x170/0x3f0
[   15.667791]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.667846]  kthread+0x328/0x630
[   15.667880]  ret_from_fork+0x10/0x20
[   15.667927] 
[   15.667953] The buggy address belongs to the object at fff00000c3f56200
[   15.667953]  which belongs to the cache kmalloc-128 of size 128
[   15.668015] The buggy address is located 120 bytes inside of
[   15.668015]  freed 128-byte region [fff00000c3f56200, fff00000c3f56280)
[   15.668078] 
[   15.668098] The buggy address belongs to the physical page:
[   15.668149] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103f56
[   15.668210] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   15.668258] page_type: f5(slab)
[   15.668297] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   15.668642] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   15.668781] page dumped because: kasan: bad access detected
[   15.668854] 
[   15.669478] Memory state around the buggy address:
[   15.669592]  fff00000c3f56100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.669641]  fff00000c3f56180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.669687] >fff00000c3f56200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.670085]                                                                 ^
[   15.670422]  fff00000c3f56280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.670581]  fff00000c3f56300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.670650] ==================================================================
[   15.651121] ==================================================================
[   15.651183] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   15.651240] Read of size 1 at addr fff00000c3f56200 by task kunit_try_catch/196
[   15.651486] 
[   15.651530] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   15.651831] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.651945] Hardware name: linux,dummy-virt (DT)
[   15.652104] Call trace:
[   15.652172]  show_stack+0x20/0x38 (C)
[   15.652324]  dump_stack_lvl+0x8c/0xd0
[   15.652389]  print_report+0x118/0x5d0
[   15.652604]  kasan_report+0xdc/0x128
[   15.652837]  __asan_report_load1_noabort+0x20/0x30
[   15.652908]  ksize_uaf+0x598/0x5f8
[   15.652962]  kunit_try_run_case+0x170/0x3f0
[   15.653085]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.653193]  kthread+0x328/0x630
[   15.653246]  ret_from_fork+0x10/0x20
[   15.653516] 
[   15.653598] Allocated by task 196:
[   15.653737]  kasan_save_stack+0x3c/0x68
[   15.653932]  kasan_save_track+0x20/0x40
[   15.654022]  kasan_save_alloc_info+0x40/0x58
[   15.654183]  __kasan_kmalloc+0xd4/0xd8
[   15.654238]  __kmalloc_cache_noprof+0x16c/0x3c0
[   15.654286]  ksize_uaf+0xb8/0x5f8
[   15.654321]  kunit_try_run_case+0x170/0x3f0
[   15.654519]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.654799]  kthread+0x328/0x630
[   15.655039]  ret_from_fork+0x10/0x20
[   15.655173] 
[   15.655197] Freed by task 196:
[   15.655262]  kasan_save_stack+0x3c/0x68
[   15.655541]  kasan_save_track+0x20/0x40
[   15.655662]  kasan_save_free_info+0x4c/0x78
[   15.655914]  __kasan_slab_free+0x6c/0x98
[   15.656091]  kfree+0x214/0x3c8
[   15.656153]  ksize_uaf+0x11c/0x5f8
[   15.656231]  kunit_try_run_case+0x170/0x3f0
[   15.656494]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.656621]  kthread+0x328/0x630
[   15.656800]  ret_from_fork+0x10/0x20
[   15.656982] 
[   15.657054] The buggy address belongs to the object at fff00000c3f56200
[   15.657054]  which belongs to the cache kmalloc-128 of size 128
[   15.657278] The buggy address is located 0 bytes inside of
[   15.657278]  freed 128-byte region [fff00000c3f56200, fff00000c3f56280)
[   15.657522] 
[   15.657711] The buggy address belongs to the physical page:
[   15.657865] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103f56
[   15.658113] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   15.658348] page_type: f5(slab)
[   15.658414] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   15.658918] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   15.659228] page dumped because: kasan: bad access detected
[   15.659299] 
[   15.659383] Memory state around the buggy address:
[   15.659438]  fff00000c3f56100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.659531]  fff00000c3f56180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.660191] >fff00000c3f56200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.660299]                    ^
[   15.660593]  fff00000c3f56280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.660974]  fff00000c3f56300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.661200] ==================================================================
[   15.642848] ==================================================================
[   15.642969] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   15.643031] Read of size 1 at addr fff00000c3f56200 by task kunit_try_catch/196
[   15.643083] 
[   15.643121] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   15.643208] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.643238] Hardware name: linux,dummy-virt (DT)
[   15.643270] Call trace:
[   15.643312]  show_stack+0x20/0x38 (C)
[   15.643378]  dump_stack_lvl+0x8c/0xd0
[   15.643428]  print_report+0x118/0x5d0
[   15.643477]  kasan_report+0xdc/0x128
[   15.643536]  __kasan_check_byte+0x54/0x70
[   15.643593]  ksize+0x30/0x88
[   15.643638]  ksize_uaf+0x168/0x5f8
[   15.643694]  kunit_try_run_case+0x170/0x3f0
[   15.643744]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.643806]  kthread+0x328/0x630
[   15.643850]  ret_from_fork+0x10/0x20
[   15.643899] 
[   15.643919] Allocated by task 196:
[   15.643956]  kasan_save_stack+0x3c/0x68
[   15.644000]  kasan_save_track+0x20/0x40
[   15.644041]  kasan_save_alloc_info+0x40/0x58
[   15.644085]  __kasan_kmalloc+0xd4/0xd8
[   15.644129]  __kmalloc_cache_noprof+0x16c/0x3c0
[   15.644180]  ksize_uaf+0xb8/0x5f8
[   15.644218]  kunit_try_run_case+0x170/0x3f0
[   15.644256]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.644312]  kthread+0x328/0x630
[   15.645098]  ret_from_fork+0x10/0x20
[   15.645222] 
[   15.645252] Freed by task 196:
[   15.645315]  kasan_save_stack+0x3c/0x68
[   15.645536]  kasan_save_track+0x20/0x40
[   15.645670]  kasan_save_free_info+0x4c/0x78
[   15.645716]  __kasan_slab_free+0x6c/0x98
[   15.645756]  kfree+0x214/0x3c8
[   15.645792]  ksize_uaf+0x11c/0x5f8
[   15.646236]  kunit_try_run_case+0x170/0x3f0
[   15.646382]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.646499]  kthread+0x328/0x630
[   15.646594]  ret_from_fork+0x10/0x20
[   15.646684] 
[   15.646805] The buggy address belongs to the object at fff00000c3f56200
[   15.646805]  which belongs to the cache kmalloc-128 of size 128
[   15.646885] The buggy address is located 0 bytes inside of
[   15.646885]  freed 128-byte region [fff00000c3f56200, fff00000c3f56280)
[   15.647285] 
[   15.647393] The buggy address belongs to the physical page:
[   15.647531] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103f56
[   15.647690] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   15.647811] page_type: f5(slab)
[   15.647852] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   15.648288] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   15.648392] page dumped because: kasan: bad access detected
[   15.648522] 
[   15.648603] Memory state around the buggy address:
[   15.648746]  fff00000c3f56100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.648821]  fff00000c3f56180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.648887] >fff00000c3f56200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.649180]                    ^
[   15.649393]  fff00000c3f56280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.649582]  fff00000c3f56300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.649672] ==================================================================
Metadata Full log Test run details 

[   12.704428] ==================================================================
[   12.704749] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   12.705299] Read of size 1 at addr ffff8881029ce400 by task kunit_try_catch/215
[   12.705665] 
[   12.705775] CPU: 0 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   12.705815] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.705825] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.705844] Call Trace:
[   12.705855]  <TASK>
[   12.705867]  dump_stack_lvl+0x73/0xb0
[   12.705895]  print_report+0xd1/0x610
[   12.705916]  ? __virt_addr_valid+0x1db/0x2d0
[   12.705937]  ? ksize_uaf+0x5fe/0x6c0
[   12.705957]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.705979]  ? ksize_uaf+0x5fe/0x6c0
[   12.705999]  kasan_report+0x141/0x180
[   12.706020]  ? ksize_uaf+0x5fe/0x6c0
[   12.706044]  __asan_report_load1_noabort+0x18/0x20
[   12.706068]  ksize_uaf+0x5fe/0x6c0
[   12.706087]  ? __pfx_ksize_uaf+0x10/0x10
[   12.706108]  ? __schedule+0x10cc/0x2b60
[   12.706129]  ? __pfx_read_tsc+0x10/0x10
[   12.706149]  ? ktime_get_ts64+0x86/0x230
[   12.706172]  kunit_try_run_case+0x1a5/0x480
[   12.706195]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.706218]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.706240]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.706263]  ? __kthread_parkme+0x82/0x180
[   12.706293]  ? preempt_count_sub+0x50/0x80
[   12.706317]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.706340]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.706363]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.706386]  kthread+0x337/0x6f0
[   12.706404]  ? trace_preempt_on+0x20/0xc0
[   12.706426]  ? __pfx_kthread+0x10/0x10
[   12.706445]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.706465]  ? calculate_sigpending+0x7b/0xa0
[   12.706487]  ? __pfx_kthread+0x10/0x10
[   12.706507]  ret_from_fork+0x116/0x1d0
[   12.706525]  ? __pfx_kthread+0x10/0x10
[   12.706544]  ret_from_fork_asm+0x1a/0x30
[   12.706573]  </TASK>
[   12.706582] 
[   12.713148] Allocated by task 215:
[   12.713291]  kasan_save_stack+0x45/0x70
[   12.713430]  kasan_save_track+0x18/0x40
[   12.713624]  kasan_save_alloc_info+0x3b/0x50
[   12.713829]  __kasan_kmalloc+0xb7/0xc0
[   12.714014]  __kmalloc_cache_noprof+0x189/0x420
[   12.714186]  ksize_uaf+0xaa/0x6c0
[   12.714319]  kunit_try_run_case+0x1a5/0x480
[   12.714478]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.714736]  kthread+0x337/0x6f0
[   12.714901]  ret_from_fork+0x116/0x1d0
[   12.715092]  ret_from_fork_asm+0x1a/0x30
[   12.715296] 
[   12.715392] Freed by task 215:
[   12.715591]  kasan_save_stack+0x45/0x70
[   12.715775]  kasan_save_track+0x18/0x40
[   12.715941]  kasan_save_free_info+0x3f/0x60
[   12.716117]  __kasan_slab_free+0x56/0x70
[   12.716320]  kfree+0x222/0x3f0
[   12.716441]  ksize_uaf+0x12c/0x6c0
[   12.716625]  kunit_try_run_case+0x1a5/0x480
[   12.716800]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.717010]  kthread+0x337/0x6f0
[   12.717129]  ret_from_fork+0x116/0x1d0
[   12.717260]  ret_from_fork_asm+0x1a/0x30
[   12.717409] 
[   12.717478] The buggy address belongs to the object at ffff8881029ce400
[   12.717478]  which belongs to the cache kmalloc-128 of size 128
[   12.717830] The buggy address is located 0 bytes inside of
[   12.717830]  freed 128-byte region [ffff8881029ce400, ffff8881029ce480)
[   12.718174] 
[   12.718244] The buggy address belongs to the physical page:
[   12.718493] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029ce
[   12.719037] flags: 0x200000000000000(node=0|zone=2)
[   12.719273] page_type: f5(slab)
[   12.719453] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.720022] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.720357] page dumped because: kasan: bad access detected
[   12.720600] 
[   12.720689] Memory state around the buggy address:
[   12.720874]  ffff8881029ce300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.721095]  ffff8881029ce380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.721318] >ffff8881029ce400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.721532]                    ^
[   12.721644]  ffff8881029ce480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.721856]  ffff8881029ce500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.722169] ==================================================================
[   12.723495] ==================================================================
[   12.723851] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   12.724456] Read of size 1 at addr ffff8881029ce478 by task kunit_try_catch/215
[   12.724812] 
[   12.724924] CPU: 0 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   12.724970] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.724981] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.724999] Call Trace:
[   12.725013]  <TASK>
[   12.725026]  dump_stack_lvl+0x73/0xb0
[   12.725052]  print_report+0xd1/0x610
[   12.725072]  ? __virt_addr_valid+0x1db/0x2d0
[   12.725093]  ? ksize_uaf+0x5e4/0x6c0
[   12.725112]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.725135]  ? ksize_uaf+0x5e4/0x6c0
[   12.725155]  kasan_report+0x141/0x180
[   12.725176]  ? ksize_uaf+0x5e4/0x6c0
[   12.725200]  __asan_report_load1_noabort+0x18/0x20
[   12.725224]  ksize_uaf+0x5e4/0x6c0
[   12.725244]  ? __pfx_ksize_uaf+0x10/0x10
[   12.725265]  ? __schedule+0x10cc/0x2b60
[   12.725298]  ? __pfx_read_tsc+0x10/0x10
[   12.725317]  ? ktime_get_ts64+0x86/0x230
[   12.725340]  kunit_try_run_case+0x1a5/0x480
[   12.725363]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.725384]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.725407]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.725429]  ? __kthread_parkme+0x82/0x180
[   12.725448]  ? preempt_count_sub+0x50/0x80
[   12.725470]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.725493]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.725516]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.725539]  kthread+0x337/0x6f0
[   12.725558]  ? trace_preempt_on+0x20/0xc0
[   12.725579]  ? __pfx_kthread+0x10/0x10
[   12.725598]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.725619]  ? calculate_sigpending+0x7b/0xa0
[   12.725641]  ? __pfx_kthread+0x10/0x10
[   12.725661]  ret_from_fork+0x116/0x1d0
[   12.725678]  ? __pfx_kthread+0x10/0x10
[   12.725697]  ret_from_fork_asm+0x1a/0x30
[   12.725726]  </TASK>
[   12.725735] 
[   12.732716] Allocated by task 215:
[   12.732972]  kasan_save_stack+0x45/0x70
[   12.733152]  kasan_save_track+0x18/0x40
[   12.733341]  kasan_save_alloc_info+0x3b/0x50
[   12.733572]  __kasan_kmalloc+0xb7/0xc0
[   12.733709]  __kmalloc_cache_noprof+0x189/0x420
[   12.733931]  ksize_uaf+0xaa/0x6c0
[   12.734072]  kunit_try_run_case+0x1a5/0x480
[   12.734216]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.734401]  kthread+0x337/0x6f0
[   12.734695]  ret_from_fork+0x116/0x1d0
[   12.734887]  ret_from_fork_asm+0x1a/0x30
[   12.735089] 
[   12.735182] Freed by task 215:
[   12.735347]  kasan_save_stack+0x45/0x70
[   12.735550]  kasan_save_track+0x18/0x40
[   12.735706]  kasan_save_free_info+0x3f/0x60
[   12.735915]  __kasan_slab_free+0x56/0x70
[   12.736116]  kfree+0x222/0x3f0
[   12.736274]  ksize_uaf+0x12c/0x6c0
[   12.736406]  kunit_try_run_case+0x1a5/0x480
[   12.736702]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.737015]  kthread+0x337/0x6f0
[   12.737138]  ret_from_fork+0x116/0x1d0
[   12.737335]  ret_from_fork_asm+0x1a/0x30
[   12.737532] 
[   12.737599] The buggy address belongs to the object at ffff8881029ce400
[   12.737599]  which belongs to the cache kmalloc-128 of size 128
[   12.737941] The buggy address is located 120 bytes inside of
[   12.737941]  freed 128-byte region [ffff8881029ce400, ffff8881029ce480)
[   12.738292] 
[   12.738414] The buggy address belongs to the physical page:
[   12.738925] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029ce
[   12.739266] flags: 0x200000000000000(node=0|zone=2)
[   12.739551] page_type: f5(slab)
[   12.739712] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.740035] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.740256] page dumped because: kasan: bad access detected
[   12.740428] 
[   12.740596] Memory state around the buggy address:
[   12.740820]  ffff8881029ce300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.741149]  ffff8881029ce380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.741453] >ffff8881029ce400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.741696]                                                                 ^
[   12.741932]  ffff8881029ce480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.742232]  ffff8881029ce500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.742597] ==================================================================
[   12.683171] ==================================================================
[   12.683957] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   12.684206] Read of size 1 at addr ffff8881029ce400 by task kunit_try_catch/215
[   12.684973] 
[   12.685158] CPU: 0 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   12.685203] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.685214] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.685235] Call Trace:
[   12.685246]  <TASK>
[   12.685262]  dump_stack_lvl+0x73/0xb0
[   12.685308]  print_report+0xd1/0x610
[   12.685331]  ? __virt_addr_valid+0x1db/0x2d0
[   12.685354]  ? ksize_uaf+0x19d/0x6c0
[   12.685373]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.685395]  ? ksize_uaf+0x19d/0x6c0
[   12.685415]  kasan_report+0x141/0x180
[   12.685437]  ? ksize_uaf+0x19d/0x6c0
[   12.685469]  ? ksize_uaf+0x19d/0x6c0
[   12.685490]  __kasan_check_byte+0x3d/0x50
[   12.685512]  ksize+0x20/0x60
[   12.685532]  ksize_uaf+0x19d/0x6c0
[   12.685551]  ? __pfx_ksize_uaf+0x10/0x10
[   12.685572]  ? __schedule+0x10cc/0x2b60
[   12.685594]  ? __pfx_read_tsc+0x10/0x10
[   12.685614]  ? ktime_get_ts64+0x86/0x230
[   12.685639]  kunit_try_run_case+0x1a5/0x480
[   12.685663]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.685684]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.685708]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.685730]  ? __kthread_parkme+0x82/0x180
[   12.685750]  ? preempt_count_sub+0x50/0x80
[   12.685774]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.685797]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.685820]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.685843]  kthread+0x337/0x6f0
[   12.685861]  ? trace_preempt_on+0x20/0xc0
[   12.685883]  ? __pfx_kthread+0x10/0x10
[   12.685902]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.685923]  ? calculate_sigpending+0x7b/0xa0
[   12.685948]  ? __pfx_kthread+0x10/0x10
[   12.685968]  ret_from_fork+0x116/0x1d0
[   12.685986]  ? __pfx_kthread+0x10/0x10
[   12.686005]  ret_from_fork_asm+0x1a/0x30
[   12.686035]  </TASK>
[   12.686044] 
[   12.694511] Allocated by task 215:
[   12.694692]  kasan_save_stack+0x45/0x70
[   12.694895]  kasan_save_track+0x18/0x40
[   12.695083]  kasan_save_alloc_info+0x3b/0x50
[   12.695275]  __kasan_kmalloc+0xb7/0xc0
[   12.695448]  __kmalloc_cache_noprof+0x189/0x420
[   12.695652]  ksize_uaf+0xaa/0x6c0
[   12.695773]  kunit_try_run_case+0x1a5/0x480
[   12.695918]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.696093]  kthread+0x337/0x6f0
[   12.696212]  ret_from_fork+0x116/0x1d0
[   12.696404]  ret_from_fork_asm+0x1a/0x30
[   12.696608] 
[   12.696699] Freed by task 215:
[   12.696852]  kasan_save_stack+0x45/0x70
[   12.697046]  kasan_save_track+0x18/0x40
[   12.697232]  kasan_save_free_info+0x3f/0x60
[   12.697445]  __kasan_slab_free+0x56/0x70
[   12.697642]  kfree+0x222/0x3f0
[   12.697757]  ksize_uaf+0x12c/0x6c0
[   12.697881]  kunit_try_run_case+0x1a5/0x480
[   12.698051]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.698313]  kthread+0x337/0x6f0
[   12.698490]  ret_from_fork+0x116/0x1d0
[   12.698673]  ret_from_fork_asm+0x1a/0x30
[   12.698865] 
[   12.698959] The buggy address belongs to the object at ffff8881029ce400
[   12.698959]  which belongs to the cache kmalloc-128 of size 128
[   12.699436] The buggy address is located 0 bytes inside of
[   12.699436]  freed 128-byte region [ffff8881029ce400, ffff8881029ce480)
[   12.699894] 
[   12.699968] The buggy address belongs to the physical page:
[   12.700200] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029ce
[   12.700528] flags: 0x200000000000000(node=0|zone=2)
[   12.700741] page_type: f5(slab)
[   12.700905] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.701199] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.701436] page dumped because: kasan: bad access detected
[   12.701695] 
[   12.701787] Memory state around the buggy address:
[   12.702005]  ffff8881029ce300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.702261]  ffff8881029ce380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.702682] >ffff8881029ce400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.702961]                    ^
[   12.703103]  ffff8881029ce480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.703373]  ffff8881029ce500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.703732] ==================================================================
Metadata Full log Test run details