Date
July 19, 2025, 11:12 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
```
[ 15.451790] ==================================================================
[ 15.451854] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 15.451906] Read of size 1 at addr fff00000c6417c78 by task kunit_try_catch/196
[ 15.451955]
[ 15.451991] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 15.452959] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.453211] Hardware name: linux,dummy-virt (DT)
[ 15.453300] Call trace:
[ 15.453424]  show_stack+0x20/0x38 (C)
[ 15.453680]  dump_stack_lvl+0x8c/0xd0
[ 15.454120]  print_report+0x118/0x5d0
[ 15.454277]  kasan_report+0xdc/0x128
[ 15.454385]  __asan_report_load1_noabort+0x20/0x30
[ 15.454637]  ksize_uaf+0x544/0x5f8
[ 15.454861]  kunit_try_run_case+0x170/0x3f0
[ 15.455026]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.455204]  kthread+0x328/0x630
[ 15.455435]  ret_from_fork+0x10/0x20
[ 15.455860]
[ 15.455899] Allocated by task 196:
[ 15.456053]  kasan_save_stack+0x3c/0x68
[ 15.456137]  kasan_save_track+0x20/0x40
[ 15.456277]  kasan_save_alloc_info+0x40/0x58
[ 15.456462]  __kasan_kmalloc+0xd4/0xd8
[ 15.456713]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 15.456783]  ksize_uaf+0xb8/0x5f8
[ 15.456836]  kunit_try_run_case+0x170/0x3f0
[ 15.457063]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.457289]  kthread+0x328/0x630
[ 15.457505]  ret_from_fork+0x10/0x20
[ 15.457770]
[ 15.457817] Freed by task 196:
[ 15.457931]  kasan_save_stack+0x3c/0x68
[ 15.458087]  kasan_save_track+0x20/0x40
[ 15.458223]  kasan_save_free_info+0x4c/0x78
[ 15.458305]  __kasan_slab_free+0x6c/0x98
[ 15.458343]  kfree+0x214/0x3c8
[ 15.458431]  ksize_uaf+0x11c/0x5f8
[ 15.458466]  kunit_try_run_case+0x170/0x3f0
[ 15.458504]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.458558]  kthread+0x328/0x630
[ 15.458590]  ret_from_fork+0x10/0x20
[ 15.458626]
[ 15.458669] The buggy address belongs to the object at fff00000c6417c00
[ 15.458669]  which belongs to the cache kmalloc-128 of size 128
[ 15.458771] The buggy address is located 120 bytes inside of
[ 15.458771]  freed 128-byte region [fff00000c6417c00, fff00000c6417c80)
[ 15.458842]
[ 15.458862] The buggy address belongs to the physical page:
[ 15.458903] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106417
[ 15.458963] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 15.459023] page_type: f5(slab)
[ 15.459063] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 15.459125] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 15.459177] page dumped because: kasan: bad access detected
[ 15.459220]
[ 15.459249] Memory state around the buggy address:
[ 15.459282]  fff00000c6417b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.459340]  fff00000c6417b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.459383] >fff00000c6417c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.459431]                                                                 ^
[ 15.459490]  fff00000c6417c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.459542]  fff00000c6417d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.459591] ==================================================================
[ 15.429635] ==================================================================
[ 15.429730] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 15.429796] Read of size 1 at addr fff00000c6417c00 by task kunit_try_catch/196
[ 15.429865]
[ 15.429908] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 15.429995] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.430023] Hardware name: linux,dummy-virt (DT)
[ 15.430066] Call trace:
[ 15.430100]  show_stack+0x20/0x38 (C)
[ 15.430154]  dump_stack_lvl+0x8c/0xd0
[ 15.430203]  print_report+0x118/0x5d0
[ 15.430250]  kasan_report+0xdc/0x128
[ 15.430295]  __kasan_check_byte+0x54/0x70
[ 15.430342]  ksize+0x30/0x88
[ 15.430385]  ksize_uaf+0x168/0x5f8
[ 15.430430]  kunit_try_run_case+0x170/0x3f0
[ 15.430486]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.430539]  kthread+0x328/0x630
[ 15.430582]  ret_from_fork+0x10/0x20
[ 15.430631]
[ 15.430658] Allocated by task 196:
[ 15.430700]  kasan_save_stack+0x3c/0x68
[ 15.430899]  kasan_save_track+0x20/0x40
[ 15.431097]  kasan_save_alloc_info+0x40/0x58
[ 15.431697]  __kasan_kmalloc+0xd4/0xd8
[ 15.431758]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 15.431801]  ksize_uaf+0xb8/0x5f8
[ 15.432178]  kunit_try_run_case+0x170/0x3f0
[ 15.432290]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.432488]  kthread+0x328/0x630
[ 15.432652]  ret_from_fork+0x10/0x20
[ 15.432828]
[ 15.432905] Freed by task 196:
[ 15.433066]  kasan_save_stack+0x3c/0x68
[ 15.433501]  kasan_save_track+0x20/0x40
[ 15.433585]  kasan_save_free_info+0x4c/0x78
[ 15.434050]  __kasan_slab_free+0x6c/0x98
[ 15.434144]  kfree+0x214/0x3c8
[ 15.434448]  ksize_uaf+0x11c/0x5f8
[ 15.434540]  kunit_try_run_case+0x170/0x3f0
[ 15.434646]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.435152]  kthread+0x328/0x630
[ 15.435234]  ret_from_fork+0x10/0x20
[ 15.435683]
[ 15.435736] The buggy address belongs to the object at fff00000c6417c00
[ 15.435736]  which belongs to the cache kmalloc-128 of size 128
[ 15.435947] The buggy address is located 0 bytes inside of
[ 15.435947]  freed 128-byte region [fff00000c6417c00, fff00000c6417c80)
[ 15.436033]
[ 15.436063] The buggy address belongs to the physical page:
[ 15.436383] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106417
[ 15.436515] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 15.436734] page_type: f5(slab)
[ 15.436782] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 15.437186] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 15.437248] page dumped because: kasan: bad access detected
[ 15.437586]
[ 15.437697] Memory state around the buggy address:
[ 15.437743]  fff00000c6417b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.438273]  fff00000c6417b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.438349] >fff00000c6417c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.438454]                    ^
[ 15.438705]  fff00000c6417c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.438788]  fff00000c6417d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.439260] ==================================================================
[ 15.441369] ==================================================================
[ 15.442035] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 15.442113] Read of size 1 at addr fff00000c6417c00 by task kunit_try_catch/196
[ 15.442210]
[ 15.442303] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 15.442677] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.442729] Hardware name: linux,dummy-virt (DT)
[ 15.442850] Call trace:
[ 15.442877]  show_stack+0x20/0x38 (C)
[ 15.442930]  dump_stack_lvl+0x8c/0xd0
[ 15.443062]  print_report+0x118/0x5d0
[ 15.443116]  kasan_report+0xdc/0x128
[ 15.443172]  __asan_report_load1_noabort+0x20/0x30
[ 15.443225]  ksize_uaf+0x598/0x5f8
[ 15.443268]  kunit_try_run_case+0x170/0x3f0
[ 15.443581]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.443852]  kthread+0x328/0x630
[ 15.444046]  ret_from_fork+0x10/0x20
[ 15.444268]
[ 15.444290] Allocated by task 196:
[ 15.444342]  kasan_save_stack+0x3c/0x68
[ 15.444417]  kasan_save_track+0x20/0x40
[ 15.444633]  kasan_save_alloc_info+0x40/0x58
[ 15.444806]  __kasan_kmalloc+0xd4/0xd8
[ 15.444943]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 15.445112]  ksize_uaf+0xb8/0x5f8
[ 15.445219]  kunit_try_run_case+0x170/0x3f0
[ 15.445391]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.445619]  kthread+0x328/0x630
[ 15.445708]  ret_from_fork+0x10/0x20
[ 15.445988]
[ 15.446078] Freed by task 196:
[ 15.446196]  kasan_save_stack+0x3c/0x68
[ 15.446432]  kasan_save_track+0x20/0x40
[ 15.446517]  kasan_save_free_info+0x4c/0x78
[ 15.446596]  __kasan_slab_free+0x6c/0x98
[ 15.446865]  kfree+0x214/0x3c8
[ 15.447031]  ksize_uaf+0x11c/0x5f8
[ 15.447166]  kunit_try_run_case+0x170/0x3f0
[ 15.447354]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.447432]  kthread+0x328/0x630
[ 15.447553]  ret_from_fork+0x10/0x20
[ 15.447592]
[ 15.447614] The buggy address belongs to the object at fff00000c6417c00
[ 15.447614]  which belongs to the cache kmalloc-128 of size 128
[ 15.447723] The buggy address is located 0 bytes inside of
[ 15.447723]  freed 128-byte region [fff00000c6417c00, fff00000c6417c80)
[ 15.448064]
[ 15.448213] The buggy address belongs to the physical page:
[ 15.448272] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106417
[ 15.448500] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 15.448582] page_type: f5(slab)
[ 15.448621] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 15.448673] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 15.449053] page dumped because: kasan: bad access detected
[ 15.449279]
[ 15.449385] Memory state around the buggy address:
[ 15.449491]  fff00000c6417b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.449556]  fff00000c6417b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.449677] >fff00000c6417c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.449793]                    ^
[ 15.450355]  fff00000c6417c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.450505]  fff00000c6417d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.450699] ==================================================================
```
```
[ 12.544647] ==================================================================
[ 12.544994] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 12.545312] Read of size 1 at addr ffff888102fd1378 by task kunit_try_catch/213
[ 12.545706]
[ 12.545814] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.545854] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.545864] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.545883] Call Trace:
[ 12.545893]  <TASK>
[ 12.545906]  dump_stack_lvl+0x73/0xb0
[ 12.545931]  print_report+0xd1/0x610
[ 12.545951]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.545971]  ? ksize_uaf+0x5e4/0x6c0
[ 12.545990]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.546022]  ? ksize_uaf+0x5e4/0x6c0
[ 12.546042]  kasan_report+0x141/0x180
[ 12.546062]  ? ksize_uaf+0x5e4/0x6c0
[ 12.546086]  __asan_report_load1_noabort+0x18/0x20
[ 12.546109]  ksize_uaf+0x5e4/0x6c0
[ 12.546128]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.546148]  ? __schedule+0x10cc/0x2b60
[ 12.546170]  ? __pfx_read_tsc+0x10/0x10
[ 12.546189]  ? ktime_get_ts64+0x86/0x230
[ 12.546212]  kunit_try_run_case+0x1a5/0x480
[ 12.546234]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.546255]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.546277]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.546299]  ? __kthread_parkme+0x82/0x180
[ 12.546317]  ? preempt_count_sub+0x50/0x80
[ 12.546339]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.546361]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.546401]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.546423]  kthread+0x337/0x6f0
[ 12.546441]  ? trace_preempt_on+0x20/0xc0
[ 12.546462]  ? __pfx_kthread+0x10/0x10
[ 12.546481]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.546501]  ? calculate_sigpending+0x7b/0xa0
[ 12.546523]  ? __pfx_kthread+0x10/0x10
[ 12.546543]  ret_from_fork+0x116/0x1d0
[ 12.546560]  ? __pfx_kthread+0x10/0x10
[ 12.546579]  ret_from_fork_asm+0x1a/0x30
[ 12.546607]  </TASK>
[ 12.546616]
[ 12.553468] Allocated by task 213:
[ 12.553788]  kasan_save_stack+0x45/0x70
[ 12.553988]  kasan_save_track+0x18/0x40
[ 12.554157]  kasan_save_alloc_info+0x3b/0x50
[ 12.554303]  __kasan_kmalloc+0xb7/0xc0
[ 12.554697]  __kmalloc_cache_noprof+0x189/0x420
[ 12.554933]  ksize_uaf+0xaa/0x6c0
[ 12.555121]  kunit_try_run_case+0x1a5/0x480
[ 12.555304]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.555564]  kthread+0x337/0x6f0
[ 12.555688]  ret_from_fork+0x116/0x1d0
[ 12.555827]  ret_from_fork_asm+0x1a/0x30
[ 12.555966]
[ 12.556052] Freed by task 213:
[ 12.556162]  kasan_save_stack+0x45/0x70
[ 12.556296]  kasan_save_track+0x18/0x40
[ 12.556428]  kasan_save_free_info+0x3f/0x60
[ 12.556591]  __kasan_slab_free+0x56/0x70
[ 12.556785]  kfree+0x222/0x3f0
[ 12.556964]  ksize_uaf+0x12c/0x6c0
[ 12.557157]  kunit_try_run_case+0x1a5/0x480
[ 12.557362]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.557783]  kthread+0x337/0x6f0
[ 12.558291]  ret_from_fork+0x116/0x1d0
[ 12.558542]  ret_from_fork_asm+0x1a/0x30
[ 12.558721]
[ 12.558792] The buggy address belongs to the object at ffff888102fd1300
[ 12.558792]  which belongs to the cache kmalloc-128 of size 128
[ 12.559161] The buggy address is located 120 bytes inside of
[ 12.559161]  freed 128-byte region [ffff888102fd1300, ffff888102fd1380)
[ 12.560170]
[ 12.560280] The buggy address belongs to the physical page:
[ 12.560721] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102fd1
[ 12.561058] flags: 0x200000000000000(node=0|zone=2)
[ 12.561282] page_type: f5(slab)
[ 12.561660] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.561960] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.562283] page dumped because: kasan: bad access detected
[ 12.562577]
[ 12.562671] Memory state around the buggy address:
[ 12.562881]  ffff888102fd1200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.563166]  ffff888102fd1280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.563535] >ffff888102fd1300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.563808]                                                                 ^
[ 12.564102]  ffff888102fd1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.564458]  ffff888102fd1400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.564712] ==================================================================
[ 12.497982] ==================================================================
[ 12.499724] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 12.500326] Read of size 1 at addr ffff888102fd1300 by task kunit_try_catch/213
[ 12.500727]
[ 12.500825] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.500868] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.500879] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.500899] Call Trace:
[ 12.500910]  <TASK>
[ 12.500924]  dump_stack_lvl+0x73/0xb0
[ 12.500954]  print_report+0xd1/0x610
[ 12.500978]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.500999]  ? ksize_uaf+0x19d/0x6c0
[ 12.501032]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.501052]  ? ksize_uaf+0x19d/0x6c0
[ 12.501072]  kasan_report+0x141/0x180
[ 12.501092]  ? ksize_uaf+0x19d/0x6c0
[ 12.501114]  ? ksize_uaf+0x19d/0x6c0
[ 12.501134]  __kasan_check_byte+0x3d/0x50
[ 12.501154]  ksize+0x20/0x60
[ 12.501173]  ksize_uaf+0x19d/0x6c0
[ 12.501192]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.501213]  ? __schedule+0x10cc/0x2b60
[ 12.501234]  ? __pfx_read_tsc+0x10/0x10
[ 12.501256]  ? ktime_get_ts64+0x86/0x230
[ 12.501279]  kunit_try_run_case+0x1a5/0x480
[ 12.501301]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.501322]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.501347]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.501415]  ? __kthread_parkme+0x82/0x180
[ 12.501437]  ? preempt_count_sub+0x50/0x80
[ 12.501459]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.501481]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.501503]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.501525]  kthread+0x337/0x6f0
[ 12.501542]  ? trace_preempt_on+0x20/0xc0
[ 12.501563]  ? __pfx_kthread+0x10/0x10
[ 12.501582]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.501602]  ? calculate_sigpending+0x7b/0xa0
[ 12.501624]  ? __pfx_kthread+0x10/0x10
[ 12.501644]  ret_from_fork+0x116/0x1d0
[ 12.501662]  ? __pfx_kthread+0x10/0x10
[ 12.501682]  ret_from_fork_asm+0x1a/0x30
[ 12.501710]  </TASK>
[ 12.501720]
[ 12.510035] Allocated by task 213:
[ 12.510214]  kasan_save_stack+0x45/0x70
[ 12.510445]  kasan_save_track+0x18/0x40
[ 12.510610]  kasan_save_alloc_info+0x3b/0x50
[ 12.510754]  __kasan_kmalloc+0xb7/0xc0
[ 12.510879]  __kmalloc_cache_noprof+0x189/0x420
[ 12.511093]  ksize_uaf+0xaa/0x6c0
[ 12.511265]  kunit_try_run_case+0x1a5/0x480
[ 12.511652]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.511909]  kthread+0x337/0x6f0
[ 12.512217]  ret_from_fork+0x116/0x1d0
[ 12.512910]  ret_from_fork_asm+0x1a/0x30
[ 12.513127]
[ 12.513219] Freed by task 213:
[ 12.513368]  kasan_save_stack+0x45/0x70
[ 12.514696]  kasan_save_track+0x18/0x40
[ 12.514849]  kasan_save_free_info+0x3f/0x60
[ 12.514995]  __kasan_slab_free+0x56/0x70
[ 12.515164]  kfree+0x222/0x3f0
[ 12.515343]  ksize_uaf+0x12c/0x6c0
[ 12.515684]  kunit_try_run_case+0x1a5/0x480
[ 12.516119]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.516364]  kthread+0x337/0x6f0
[ 12.516674]  ret_from_fork+0x116/0x1d0
[ 12.517209]  ret_from_fork_asm+0x1a/0x30
[ 12.517687]
[ 12.517851] The buggy address belongs to the object at ffff888102fd1300
[ 12.517851]  which belongs to the cache kmalloc-128 of size 128
[ 12.518228] The buggy address is located 0 bytes inside of
[ 12.518228]  freed 128-byte region [ffff888102fd1300, ffff888102fd1380)
[ 12.518592]
[ 12.518695] The buggy address belongs to the physical page:
[ 12.518946] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102fd1
[ 12.519239] flags: 0x200000000000000(node=0|zone=2)
[ 12.519593] page_type: f5(slab)
[ 12.519762] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.520058] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.520363] page dumped because: kasan: bad access detected
[ 12.520733]
[ 12.520805] Memory state around the buggy address:
[ 12.520989]  ffff888102fd1200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.521330]  ffff888102fd1280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.521566] >ffff888102fd1300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.521957]                    ^
[ 12.522135]  ffff888102fd1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.522460]  ffff888102fd1400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.522730] ==================================================================
[ 12.523286] ==================================================================
[ 12.523627] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 12.523907] Read of size 1 at addr ffff888102fd1300 by task kunit_try_catch/213
[ 12.524222]
[ 12.524305] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.524345] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.524355] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.524375] Call Trace:
[ 12.524389]  <TASK>
[ 12.524402]  dump_stack_lvl+0x73/0xb0
[ 12.524428]  print_report+0xd1/0x610
[ 12.524448]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.524469]  ? ksize_uaf+0x5fe/0x6c0
[ 12.524488]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.524508]  ? ksize_uaf+0x5fe/0x6c0
[ 12.524528]  kasan_report+0x141/0x180
[ 12.524548]  ? ksize_uaf+0x5fe/0x6c0
[ 12.524572]  __asan_report_load1_noabort+0x18/0x20
[ 12.524594]  ksize_uaf+0x5fe/0x6c0
[ 12.524613]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.524634]  ? __schedule+0x10cc/0x2b60
[ 12.524655]  ? __pfx_read_tsc+0x10/0x10
[ 12.524674]  ? ktime_get_ts64+0x86/0x230
[ 12.524697]  kunit_try_run_case+0x1a5/0x480
[ 12.524720]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.524741]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.524762]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.524784]  ? __kthread_parkme+0x82/0x180
[ 12.524804]  ? preempt_count_sub+0x50/0x80
[ 12.524826]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.524848]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.524870]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.524892]  kthread+0x337/0x6f0
[ 12.524910]  ? trace_preempt_on+0x20/0xc0
[ 12.524931]  ? __pfx_kthread+0x10/0x10
[ 12.524950]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.524974]  ? calculate_sigpending+0x7b/0xa0
[ 12.524996]  ? __pfx_kthread+0x10/0x10
[ 12.525317]  ret_from_fork+0x116/0x1d0
[ 12.525338]  ? __pfx_kthread+0x10/0x10
[ 12.525358]  ret_from_fork_asm+0x1a/0x30
[ 12.525387]  </TASK>
[ 12.525396]
[ 12.532387] Allocated by task 213:
[ 12.532576]  kasan_save_stack+0x45/0x70
[ 12.532779]  kasan_save_track+0x18/0x40
[ 12.532966]  kasan_save_alloc_info+0x3b/0x50
[ 12.533144]  __kasan_kmalloc+0xb7/0xc0
[ 12.534237]  __kmalloc_cache_noprof+0x189/0x420
[ 12.534960]  ksize_uaf+0xaa/0x6c0
[ 12.535173]  kunit_try_run_case+0x1a5/0x480
[ 12.535358]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.535657]  kthread+0x337/0x6f0
[ 12.535778]  ret_from_fork+0x116/0x1d0
[ 12.535911]  ret_from_fork_asm+0x1a/0x30
[ 12.536120]
[ 12.536217] Freed by task 213:
[ 12.536343]  kasan_save_stack+0x45/0x70
[ 12.536720]  kasan_save_track+0x18/0x40
[ 12.536882]  kasan_save_free_info+0x3f/0x60
[ 12.537049]  __kasan_slab_free+0x56/0x70
[ 12.537222]  kfree+0x222/0x3f0
[ 12.537383]  ksize_uaf+0x12c/0x6c0
[ 12.537626]  kunit_try_run_case+0x1a5/0x480
[ 12.537897]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.538241]  kthread+0x337/0x6f0
[ 12.538485]  ret_from_fork+0x116/0x1d0
[ 12.538648]  ret_from_fork_asm+0x1a/0x30
[ 12.538835]
[ 12.538934] The buggy address belongs to the object at ffff888102fd1300
[ 12.538934]  which belongs to the cache kmalloc-128 of size 128
[ 12.539445] The buggy address is located 0 bytes inside of
[ 12.539445]  freed 128-byte region [ffff888102fd1300, ffff888102fd1380)
[ 12.539906]
[ 12.539979] The buggy address belongs to the physical page:
[ 12.540164] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102fd1
[ 12.540513] flags: 0x200000000000000(node=0|zone=2)
[ 12.540744] page_type: f5(slab)
[ 12.540908] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.541254] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.541638] page dumped because: kasan: bad access detected
[ 12.541889]
[ 12.541980] Memory state around the buggy address:
[ 12.542163]  ffff888102fd1200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.542380]  ffff888102fd1280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.542853] >ffff888102fd1300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.543193]                    ^
[ 12.543419]  ffff888102fd1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.543717]  ffff888102fd1400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.543978] ==================================================================
```