Hay
Sign in
Date
July 19, 2025, 11:11 a.m.

Environment
qemu-arm64
qemu-x86_64 

[   15.571769] ==================================================================
[   15.571822] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   15.571869] Read of size 1 at addr fff00000c6e65100 by task kunit_try_catch/197
[   15.571919] 
[   15.571949] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   15.572028] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.572055] Hardware name: linux,dummy-virt (DT)
[   15.572084] Call trace:
[   15.572106]  show_stack+0x20/0x38 (C)
[   15.572153]  dump_stack_lvl+0x8c/0xd0
[   15.572198]  print_report+0x118/0x5d0
[   15.572245]  kasan_report+0xdc/0x128
[   15.572288]  __asan_report_load1_noabort+0x20/0x30
[   15.572338]  ksize_uaf+0x598/0x5f8
[   15.572382]  kunit_try_run_case+0x170/0x3f0
[   15.572429]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.572480]  kthread+0x328/0x630
[   15.572520]  ret_from_fork+0x10/0x20
[   15.573011] 
[   15.573068] Allocated by task 197:
[   15.573132]  kasan_save_stack+0x3c/0x68
[   15.573186]  kasan_save_track+0x20/0x40
[   15.573232]  kasan_save_alloc_info+0x40/0x58
[   15.573274]  __kasan_kmalloc+0xd4/0xd8
[   15.573338]  __kmalloc_cache_noprof+0x16c/0x3c0
[   15.573378]  ksize_uaf+0xb8/0x5f8
[   15.573414]  kunit_try_run_case+0x170/0x3f0
[   15.573458]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.573502]  kthread+0x328/0x630
[   15.573704]  ret_from_fork+0x10/0x20
[   15.573895] 
[   15.573935] Freed by task 197:
[   15.574033]  kasan_save_stack+0x3c/0x68
[   15.574099]  kasan_save_track+0x20/0x40
[   15.574196]  kasan_save_free_info+0x4c/0x78
[   15.574285]  __kasan_slab_free+0x6c/0x98
[   15.574359]  kfree+0x214/0x3c8
[   15.574452]  ksize_uaf+0x11c/0x5f8
[   15.574510]  kunit_try_run_case+0x170/0x3f0
[   15.574641]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.574688]  kthread+0x328/0x630
[   15.574721]  ret_from_fork+0x10/0x20
[   15.574769] 
[   15.574789] The buggy address belongs to the object at fff00000c6e65100
[   15.574789]  which belongs to the cache kmalloc-128 of size 128
[   15.574847] The buggy address is located 0 bytes inside of
[   15.574847]  freed 128-byte region [fff00000c6e65100, fff00000c6e65180)
[   15.574909] 
[   15.574928] The buggy address belongs to the physical page:
[   15.574959] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106e65
[   15.575140] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   15.575217] page_type: f5(slab)
[   15.575289] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   15.575354] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   15.575461] page dumped because: kasan: bad access detected
[   15.575570] 
[   15.575662] Memory state around the buggy address:
[   15.575740]  fff00000c6e65000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.575828]  fff00000c6e65080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.575905] >fff00000c6e65100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.575958]                    ^
[   15.576001]  fff00000c6e65180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.576044]  fff00000c6e65200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.576097] ==================================================================
[   15.576751] ==================================================================
[   15.576803] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   15.576864] Read of size 1 at addr fff00000c6e65178 by task kunit_try_catch/197
[   15.576914] 
[   15.576942] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   15.577195] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.577255] Hardware name: linux,dummy-virt (DT)
[   15.577289] Call trace:
[   15.577320]  show_stack+0x20/0x38 (C)
[   15.577369]  dump_stack_lvl+0x8c/0xd0
[   15.577416]  print_report+0x118/0x5d0
[   15.577471]  kasan_report+0xdc/0x128
[   15.577518]  __asan_report_load1_noabort+0x20/0x30
[   15.577583]  ksize_uaf+0x544/0x5f8
[   15.577626]  kunit_try_run_case+0x170/0x3f0
[   15.577672]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.577735]  kthread+0x328/0x630
[   15.577813]  ret_from_fork+0x10/0x20
[   15.577889] 
[   15.577960] Allocated by task 197:
[   15.578000]  kasan_save_stack+0x3c/0x68
[   15.578059]  kasan_save_track+0x20/0x40
[   15.578095]  kasan_save_alloc_info+0x40/0x58
[   15.578135]  __kasan_kmalloc+0xd4/0xd8
[   15.578170]  __kmalloc_cache_noprof+0x16c/0x3c0
[   15.578365]  ksize_uaf+0xb8/0x5f8
[   15.578437]  kunit_try_run_case+0x170/0x3f0
[   15.578576]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.578674]  kthread+0x328/0x630
[   15.578731]  ret_from_fork+0x10/0x20
[   15.578795] 
[   15.578843] Freed by task 197:
[   15.578892]  kasan_save_stack+0x3c/0x68
[   15.578955]  kasan_save_track+0x20/0x40
[   15.579043]  kasan_save_free_info+0x4c/0x78
[   15.579852]  __kasan_slab_free+0x6c/0x98
[   15.579902]  kfree+0x214/0x3c8
[   15.579938]  ksize_uaf+0x11c/0x5f8
[   15.579971]  kunit_try_run_case+0x170/0x3f0
[   15.580018]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.580062]  kthread+0x328/0x630
[   15.580094]  ret_from_fork+0x10/0x20
[   15.580133] 
[   15.580153] The buggy address belongs to the object at fff00000c6e65100
[   15.580153]  which belongs to the cache kmalloc-128 of size 128
[   15.580213] The buggy address is located 120 bytes inside of
[   15.580213]  freed 128-byte region [fff00000c6e65100, fff00000c6e65180)
[   15.580276] 
[   15.580296] The buggy address belongs to the physical page:
[   15.580326] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106e65
[   15.580376] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   15.580423] page_type: f5(slab)
[   15.580459] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   15.580509] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   15.581750] page dumped because: kasan: bad access detected
[   15.582383] 
[   15.582432] Memory state around the buggy address:
[   15.582469]  fff00000c6e65000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.582516]  fff00000c6e65080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.583023] >fff00000c6e65100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.583063]                                                                 ^
[   15.583106]  fff00000c6e65180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.583355]  fff00000c6e65200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.583696] ==================================================================
[   15.566937] ==================================================================
[   15.567001] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   15.567055] Read of size 1 at addr fff00000c6e65100 by task kunit_try_catch/197
[   15.567106] 
[   15.567138] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   15.567221] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.567248] Hardware name: linux,dummy-virt (DT)
[   15.567279] Call trace:
[   15.567303]  show_stack+0x20/0x38 (C)
[   15.567350]  dump_stack_lvl+0x8c/0xd0
[   15.567396]  print_report+0x118/0x5d0
[   15.567442]  kasan_report+0xdc/0x128
[   15.567488]  __kasan_check_byte+0x54/0x70
[   15.567549]  ksize+0x30/0x88
[   15.567591]  ksize_uaf+0x168/0x5f8
[   15.567636]  kunit_try_run_case+0x170/0x3f0
[   15.567684]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.567735]  kthread+0x328/0x630
[   15.567778]  ret_from_fork+0x10/0x20
[   15.567823] 
[   15.567843] Allocated by task 197:
[   15.567870]  kasan_save_stack+0x3c/0x68
[   15.567908]  kasan_save_track+0x20/0x40
[   15.567947]  kasan_save_alloc_info+0x40/0x58
[   15.567987]  __kasan_kmalloc+0xd4/0xd8
[   15.568024]  __kmalloc_cache_noprof+0x16c/0x3c0
[   15.568062]  ksize_uaf+0xb8/0x5f8
[   15.568130]  kunit_try_run_case+0x170/0x3f0
[   15.568176]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.568219]  kthread+0x328/0x630
[   15.568250]  ret_from_fork+0x10/0x20
[   15.568287] 
[   15.568305] Freed by task 197:
[   15.568331]  kasan_save_stack+0x3c/0x68
[   15.568367]  kasan_save_track+0x20/0x40
[   15.568404]  kasan_save_free_info+0x4c/0x78
[   15.568442]  __kasan_slab_free+0x6c/0x98
[   15.568479]  kfree+0x214/0x3c8
[   15.568511]  ksize_uaf+0x11c/0x5f8
[   15.568564]  kunit_try_run_case+0x170/0x3f0
[   15.568618]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.568774]  kthread+0x328/0x630
[   15.568947]  ret_from_fork+0x10/0x20
[   15.569046] 
[   15.569065] The buggy address belongs to the object at fff00000c6e65100
[   15.569065]  which belongs to the cache kmalloc-128 of size 128
[   15.569307] The buggy address is located 0 bytes inside of
[   15.569307]  freed 128-byte region [fff00000c6e65100, fff00000c6e65180)
[   15.569480] 
[   15.569519] The buggy address belongs to the physical page:
[   15.569947] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106e65
[   15.570268] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   15.570318] page_type: f5(slab)
[   15.570360] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   15.570416] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   15.570458] page dumped because: kasan: bad access detected
[   15.570738] 
[   15.570804] Memory state around the buggy address:
[   15.570841]  fff00000c6e65000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.570931]  fff00000c6e65080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.570998] >fff00000c6e65100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.571096]                    ^
[   15.571128]  fff00000c6e65180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.571174]  fff00000c6e65200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.571223] ==================================================================
Metadata Full log Test run details 

[   12.549599] ==================================================================
[   12.549943] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   12.550215] Read of size 1 at addr ffff8881027e4500 by task kunit_try_catch/214
[   12.550529] 
[   12.550631] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   12.550674] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.550684] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.550705] Call Trace:
[   12.550717]  <TASK>
[   12.550731]  dump_stack_lvl+0x73/0xb0
[   12.550758]  print_report+0xd1/0x610
[   12.550779]  ? __virt_addr_valid+0x1db/0x2d0
[   12.550800]  ? ksize_uaf+0x5fe/0x6c0
[   12.550820]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.550841]  ? ksize_uaf+0x5fe/0x6c0
[   12.550861]  kasan_report+0x141/0x180
[   12.550882]  ? ksize_uaf+0x5fe/0x6c0
[   12.550906]  __asan_report_load1_noabort+0x18/0x20
[   12.550930]  ksize_uaf+0x5fe/0x6c0
[   12.550950]  ? __pfx_ksize_uaf+0x10/0x10
[   12.550971]  ? __schedule+0x10cc/0x2b60
[   12.550992]  ? __pfx_read_tsc+0x10/0x10
[   12.551012]  ? ktime_get_ts64+0x86/0x230
[   12.551036]  kunit_try_run_case+0x1a5/0x480
[   12.551058]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.551080]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.551103]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.551125]  ? __kthread_parkme+0x82/0x180
[   12.551167]  ? preempt_count_sub+0x50/0x80
[   12.551192]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.551215]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.551237]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.551262]  kthread+0x337/0x6f0
[   12.551281]  ? trace_preempt_on+0x20/0xc0
[   12.551548]  ? __pfx_kthread+0x10/0x10
[   12.551568]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.551588]  ? calculate_sigpending+0x7b/0xa0
[   12.551613]  ? __pfx_kthread+0x10/0x10
[   12.551635]  ret_from_fork+0x116/0x1d0
[   12.551654]  ? __pfx_kthread+0x10/0x10
[   12.551673]  ret_from_fork_asm+0x1a/0x30
[   12.551702]  </TASK>
[   12.551712] 
[   12.558583] Allocated by task 214:
[   12.558762]  kasan_save_stack+0x45/0x70
[   12.558947]  kasan_save_track+0x18/0x40
[   12.559112]  kasan_save_alloc_info+0x3b/0x50
[   12.559323]  __kasan_kmalloc+0xb7/0xc0
[   12.559483]  __kmalloc_cache_noprof+0x189/0x420
[   12.559696]  ksize_uaf+0xaa/0x6c0
[   12.559840]  kunit_try_run_case+0x1a5/0x480
[   12.560033]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.560263]  kthread+0x337/0x6f0
[   12.560386]  ret_from_fork+0x116/0x1d0
[   12.560530]  ret_from_fork_asm+0x1a/0x30
[   12.560723] 
[   12.560825] Freed by task 214:
[   12.560985]  kasan_save_stack+0x45/0x70
[   12.561206]  kasan_save_track+0x18/0x40
[   12.561399]  kasan_save_free_info+0x3f/0x60
[   12.561590]  __kasan_slab_free+0x56/0x70
[   12.561775]  kfree+0x222/0x3f0
[   12.561927]  ksize_uaf+0x12c/0x6c0
[   12.562102]  kunit_try_run_case+0x1a5/0x480
[   12.562299]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.562549]  kthread+0x337/0x6f0
[   12.562704]  ret_from_fork+0x116/0x1d0
[   12.562878]  ret_from_fork_asm+0x1a/0x30
[   12.563055] 
[   12.563159] The buggy address belongs to the object at ffff8881027e4500
[   12.563159]  which belongs to the cache kmalloc-128 of size 128
[   12.563655] The buggy address is located 0 bytes inside of
[   12.563655]  freed 128-byte region [ffff8881027e4500, ffff8881027e4580)
[   12.564121] 
[   12.564240] The buggy address belongs to the physical page:
[   12.564460] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1027e4
[   12.564786] flags: 0x200000000000000(node=0|zone=2)
[   12.565001] page_type: f5(slab)
[   12.565129] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.565381] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.565676] page dumped because: kasan: bad access detected
[   12.565928] 
[   12.566017] Memory state around the buggy address:
[   12.566269]  ffff8881027e4400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.566590]  ffff8881027e4480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.566831] >ffff8881027e4500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.567103]                    ^
[   12.567295]  ffff8881027e4580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.567622]  ffff8881027e4600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.567890] ==================================================================
[   12.526522] ==================================================================
[   12.526947] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   12.527373] Read of size 1 at addr ffff8881027e4500 by task kunit_try_catch/214
[   12.527688] 
[   12.527785] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   12.527830] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.527841] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.527863] Call Trace:
[   12.527875]  <TASK>
[   12.527891]  dump_stack_lvl+0x73/0xb0
[   12.527923]  print_report+0xd1/0x610
[   12.527944]  ? __virt_addr_valid+0x1db/0x2d0
[   12.527968]  ? ksize_uaf+0x19d/0x6c0
[   12.527988]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.528010]  ? ksize_uaf+0x19d/0x6c0
[   12.528030]  kasan_report+0x141/0x180
[   12.528050]  ? ksize_uaf+0x19d/0x6c0
[   12.528073]  ? ksize_uaf+0x19d/0x6c0
[   12.528092]  __kasan_check_byte+0x3d/0x50
[   12.528168]  ksize+0x20/0x60
[   12.528188]  ksize_uaf+0x19d/0x6c0
[   12.528208]  ? __pfx_ksize_uaf+0x10/0x10
[   12.528229]  ? __schedule+0x10cc/0x2b60
[   12.528251]  ? __pfx_read_tsc+0x10/0x10
[   12.528272]  ? ktime_get_ts64+0x86/0x230
[   12.528296]  kunit_try_run_case+0x1a5/0x480
[   12.528321]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.528343]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.528366]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.528388]  ? __kthread_parkme+0x82/0x180
[   12.528408]  ? preempt_count_sub+0x50/0x80
[   12.528433]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.528456]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.528478]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.528514]  kthread+0x337/0x6f0
[   12.528533]  ? trace_preempt_on+0x20/0xc0
[   12.528556]  ? __pfx_kthread+0x10/0x10
[   12.528575]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.528596]  ? calculate_sigpending+0x7b/0xa0
[   12.528621]  ? __pfx_kthread+0x10/0x10
[   12.528641]  ret_from_fork+0x116/0x1d0
[   12.528659]  ? __pfx_kthread+0x10/0x10
[   12.528679]  ret_from_fork_asm+0x1a/0x30
[   12.528709]  </TASK>
[   12.528719] 
[   12.536263] Allocated by task 214:
[   12.536402]  kasan_save_stack+0x45/0x70
[   12.536618]  kasan_save_track+0x18/0x40
[   12.536810]  kasan_save_alloc_info+0x3b/0x50
[   12.536964]  __kasan_kmalloc+0xb7/0xc0
[   12.537096]  __kmalloc_cache_noprof+0x189/0x420
[   12.537253]  ksize_uaf+0xaa/0x6c0
[   12.537428]  kunit_try_run_case+0x1a5/0x480
[   12.537630]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.537859]  kthread+0x337/0x6f0
[   12.538016]  ret_from_fork+0x116/0x1d0
[   12.538208]  ret_from_fork_asm+0x1a/0x30
[   12.538392] 
[   12.538480] Freed by task 214:
[   12.538812]  kasan_save_stack+0x45/0x70
[   12.538958]  kasan_save_track+0x18/0x40
[   12.539231]  kasan_save_free_info+0x3f/0x60
[   12.539447]  __kasan_slab_free+0x56/0x70
[   12.539655]  kfree+0x222/0x3f0
[   12.539824]  ksize_uaf+0x12c/0x6c0
[   12.540002]  kunit_try_run_case+0x1a5/0x480
[   12.540293]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.540548]  kthread+0x337/0x6f0
[   12.540704]  ret_from_fork+0x116/0x1d0
[   12.540835]  ret_from_fork_asm+0x1a/0x30
[   12.541010] 
[   12.541192] The buggy address belongs to the object at ffff8881027e4500
[   12.541192]  which belongs to the cache kmalloc-128 of size 128
[   12.541720] The buggy address is located 0 bytes inside of
[   12.541720]  freed 128-byte region [ffff8881027e4500, ffff8881027e4580)
[   12.542382] 
[   12.542459] The buggy address belongs to the physical page:
[   12.542645] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1027e4
[   12.542887] flags: 0x200000000000000(node=0|zone=2)
[   12.543134] page_type: f5(slab)
[   12.543325] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.543672] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.544000] page dumped because: kasan: bad access detected
[   12.544335] 
[   12.544433] Memory state around the buggy address:
[   12.544654]  ffff8881027e4400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.544871]  ffff8881027e4480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.545162] >ffff8881027e4500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.545489]                    ^
[   12.545666]  ffff8881027e4580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.545980]  ffff8881027e4600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.546517] ==================================================================
[   12.568928] ==================================================================
[   12.569292] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   12.569582] Read of size 1 at addr ffff8881027e4578 by task kunit_try_catch/214
[   12.569818] 
[   12.569907] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   12.569949] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.569960] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.569980] Call Trace:
[   12.569998]  <TASK>
[   12.570014]  dump_stack_lvl+0x73/0xb0
[   12.570040]  print_report+0xd1/0x610
[   12.570061]  ? __virt_addr_valid+0x1db/0x2d0
[   12.570083]  ? ksize_uaf+0x5e4/0x6c0
[   12.570102]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.570124]  ? ksize_uaf+0x5e4/0x6c0
[   12.570165]  kasan_report+0x141/0x180
[   12.570186]  ? ksize_uaf+0x5e4/0x6c0
[   12.570216]  __asan_report_load1_noabort+0x18/0x20
[   12.570239]  ksize_uaf+0x5e4/0x6c0
[   12.570259]  ? __pfx_ksize_uaf+0x10/0x10
[   12.570280]  ? __schedule+0x10cc/0x2b60
[   12.570301]  ? __pfx_read_tsc+0x10/0x10
[   12.570321]  ? ktime_get_ts64+0x86/0x230
[   12.570345]  kunit_try_run_case+0x1a5/0x480
[   12.570367]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.570389]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.570413]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.570435]  ? __kthread_parkme+0x82/0x180
[   12.570455]  ? preempt_count_sub+0x50/0x80
[   12.570478]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.570510]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.570533]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.570556]  kthread+0x337/0x6f0
[   12.570574]  ? trace_preempt_on+0x20/0xc0
[   12.570596]  ? __pfx_kthread+0x10/0x10
[   12.570616]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.570636]  ? calculate_sigpending+0x7b/0xa0
[   12.570659]  ? __pfx_kthread+0x10/0x10
[   12.570679]  ret_from_fork+0x116/0x1d0
[   12.570697]  ? __pfx_kthread+0x10/0x10
[   12.570717]  ret_from_fork_asm+0x1a/0x30
[   12.570746]  </TASK>
[   12.570755] 
[   12.577402] Allocated by task 214:
[   12.577588]  kasan_save_stack+0x45/0x70
[   12.577763]  kasan_save_track+0x18/0x40
[   12.577898]  kasan_save_alloc_info+0x3b/0x50
[   12.578087]  __kasan_kmalloc+0xb7/0xc0
[   12.578305]  __kmalloc_cache_noprof+0x189/0x420
[   12.578537]  ksize_uaf+0xaa/0x6c0
[   12.578706]  kunit_try_run_case+0x1a5/0x480
[   12.578874]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.579114]  kthread+0x337/0x6f0
[   12.579278]  ret_from_fork+0x116/0x1d0
[   12.579453]  ret_from_fork_asm+0x1a/0x30
[   12.579639] 
[   12.579726] Freed by task 214:
[   12.579879]  kasan_save_stack+0x45/0x70
[   12.580043]  kasan_save_track+0x18/0x40
[   12.580236]  kasan_save_free_info+0x3f/0x60
[   12.580383]  __kasan_slab_free+0x56/0x70
[   12.580581]  kfree+0x222/0x3f0
[   12.580725]  ksize_uaf+0x12c/0x6c0
[   12.580887]  kunit_try_run_case+0x1a5/0x480
[   12.581059]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.581336]  kthread+0x337/0x6f0
[   12.581478]  ret_from_fork+0x116/0x1d0
[   12.581616]  ret_from_fork_asm+0x1a/0x30
[   12.581753] 
[   12.581821] The buggy address belongs to the object at ffff8881027e4500
[   12.581821]  which belongs to the cache kmalloc-128 of size 128
[   12.582201] The buggy address is located 120 bytes inside of
[   12.582201]  freed 128-byte region [ffff8881027e4500, ffff8881027e4580)
[   12.584069] 
[   12.584473] The buggy address belongs to the physical page:
[   12.585224] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1027e4
[   12.586254] flags: 0x200000000000000(node=0|zone=2)
[   12.586910] page_type: f5(slab)
[   12.587462] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   12.588418] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   12.589328] page dumped because: kasan: bad access detected
[   12.590118] 
[   12.590462] Memory state around the buggy address:
[   12.591085]  ffff8881027e4400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.591371]  ffff8881027e4480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.591603] >ffff8881027e4500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.591819]                                                                 ^
[   12.592034]  ffff8881027e4580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.592251]  ffff8881027e4600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.592758] ==================================================================
Metadata Full log Test run details