Date
July 20, 2025, 11:12 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 15.549065] ==================================================================
[ 15.549124] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 15.549228] Read of size 1 at addr fff00000c7025000 by task kunit_try_catch/196
[ 15.549280]
[ 15.549312] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 15.549393] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.549419] Hardware name: linux,dummy-virt (DT)
[ 15.549450] Call trace:
[ 15.549475]  show_stack+0x20/0x38 (C)
[ 15.549530]  dump_stack_lvl+0x8c/0xd0
[ 15.549695]  print_report+0x118/0x5d0
[ 15.549741]  kasan_report+0xdc/0x128
[ 15.549872]  __kasan_check_byte+0x54/0x70
[ 15.550181]  ksize+0x30/0x88
[ 15.550503]  ksize_uaf+0x168/0x5f8
[ 15.550809]  kunit_try_run_case+0x170/0x3f0
[ 15.551204]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.551275]  kthread+0x328/0x630
[ 15.551375]  ret_from_fork+0x10/0x20
[ 15.551590]
[ 15.551611] Allocated by task 196:
[ 15.551802]  kasan_save_stack+0x3c/0x68
[ 15.551951]  kasan_save_track+0x20/0x40
[ 15.552004]  kasan_save_alloc_info+0x40/0x58
[ 15.552075]  __kasan_kmalloc+0xd4/0xd8
[ 15.552112]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 15.552154]  ksize_uaf+0xb8/0x5f8
[ 15.552188]  kunit_try_run_case+0x170/0x3f0
[ 15.552226]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.552270]  kthread+0x328/0x630
[ 15.552302]  ret_from_fork+0x10/0x20
[ 15.552340]
[ 15.552360] Freed by task 196:
[ 15.552392]  kasan_save_stack+0x3c/0x68
[ 15.552428]  kasan_save_track+0x20/0x40
[ 15.552476]  kasan_save_free_info+0x4c/0x78
[ 15.552517]  __kasan_slab_free+0x6c/0x98
[ 15.552552]  kfree+0x214/0x3c8
[ 15.552830]  ksize_uaf+0x11c/0x5f8
[ 15.552980]  kunit_try_run_case+0x170/0x3f0
[ 15.553164]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.553370]  kthread+0x328/0x630
[ 15.553520]  ret_from_fork+0x10/0x20
[ 15.553673]
[ 15.553694] The buggy address belongs to the object at fff00000c7025000
[ 15.553694]  which belongs to the cache kmalloc-128 of size 128
[ 15.553869] The buggy address is located 0 bytes inside of
[ 15.553869]  freed 128-byte region [fff00000c7025000, fff00000c7025080)
[ 15.553946]
[ 15.553999] The buggy address belongs to the physical page:
[ 15.554150] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107025
[ 15.554224] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 15.554319] page_type: f5(slab)
[ 15.554367] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 15.554493] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 15.554577] page dumped because: kasan: bad access detected
[ 15.554684]
[ 15.554704] Memory state around the buggy address:
[ 15.554736]  fff00000c7024f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 15.554778]  fff00000c7024f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 15.554856] >fff00000c7025000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.554893]                    ^
[ 15.554919]  fff00000c7025080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.555240]  fff00000c7025100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.555316] ==================================================================
[ 15.565897] ==================================================================
[ 15.565949] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 15.565997] Read of size 1 at addr fff00000c7025078 by task kunit_try_catch/196
[ 15.566048]
[ 15.566076] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 15.566389] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.566511] Hardware name: linux,dummy-virt (DT)
[ 15.566783] Call trace:
[ 15.566931]  show_stack+0x20/0x38 (C)
[ 15.567133]  dump_stack_lvl+0x8c/0xd0
[ 15.567202]  print_report+0x118/0x5d0
[ 15.567249]  kasan_report+0xdc/0x128
[ 15.567569]  __asan_report_load1_noabort+0x20/0x30
[ 15.567822]  ksize_uaf+0x544/0x5f8
[ 15.567879]  kunit_try_run_case+0x170/0x3f0
[ 15.567925]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.568238]  kthread+0x328/0x630
[ 15.568281]  ret_from_fork+0x10/0x20
[ 15.568328]
[ 15.568346] Allocated by task 196:
[ 15.568380]  kasan_save_stack+0x3c/0x68
[ 15.568652]  kasan_save_track+0x20/0x40
[ 15.568828]  kasan_save_alloc_info+0x40/0x58
[ 15.568872]  __kasan_kmalloc+0xd4/0xd8
[ 15.568916]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 15.568955]  ksize_uaf+0xb8/0x5f8
[ 15.569095]  kunit_try_run_case+0x170/0x3f0
[ 15.569381]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.569429]  kthread+0x328/0x630
[ 15.569713]  ret_from_fork+0x10/0x20
[ 15.569884]
[ 15.569904] Freed by task 196:
[ 15.569931]  kasan_save_stack+0x3c/0x68
[ 15.569981]  kasan_save_track+0x20/0x40
[ 15.570040]  kasan_save_free_info+0x4c/0x78
[ 15.570248]  __kasan_slab_free+0x6c/0x98
[ 15.570298]  kfree+0x214/0x3c8
[ 15.570523]  ksize_uaf+0x11c/0x5f8
[ 15.570564]  kunit_try_run_case+0x170/0x3f0
[ 15.570602]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.570646]  kthread+0x328/0x630
[ 15.570727]  ret_from_fork+0x10/0x20
[ 15.570769]
[ 15.571074] The buggy address belongs to the object at fff00000c7025000
[ 15.571074]  which belongs to the cache kmalloc-128 of size 128
[ 15.571241] The buggy address is located 120 bytes inside of
[ 15.571241]  freed 128-byte region [fff00000c7025000, fff00000c7025080)
[ 15.571302]
[ 15.571451] The buggy address belongs to the physical page:
[ 15.571484] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107025
[ 15.571551] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 15.571691] page_type: f5(slab)
[ 15.571751] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 15.571851] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 15.571960] page dumped because: kasan: bad access detected
[ 15.571990]
[ 15.572023] Memory state around the buggy address:
[ 15.572054]  fff00000c7024f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 15.572097]  fff00000c7024f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 15.572230] >fff00000c7025000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.572538]                                                                 ^
[ 15.572608]  fff00000c7025080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.572652]  fff00000c7025100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.572749] ==================================================================
[ 15.559074] ==================================================================
[ 15.559127] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 15.559689] Read of size 1 at addr fff00000c7025000 by task kunit_try_catch/196
[ 15.559745]
[ 15.559775] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 15.560003] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.560032] Hardware name: linux,dummy-virt (DT)
[ 15.560062] Call trace:
[ 15.560086]  show_stack+0x20/0x38 (C)
[ 15.560254]  dump_stack_lvl+0x8c/0xd0
[ 15.560302]  print_report+0x118/0x5d0
[ 15.560361]  kasan_report+0xdc/0x128
[ 15.560473]  __asan_report_load1_noabort+0x20/0x30
[ 15.560562]  ksize_uaf+0x598/0x5f8
[ 15.560626]  kunit_try_run_case+0x170/0x3f0
[ 15.560756]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.560810]  kthread+0x328/0x630
[ 15.560851]  ret_from_fork+0x10/0x20
[ 15.560907]
[ 15.560971] Allocated by task 196:
[ 15.561051]  kasan_save_stack+0x3c/0x68
[ 15.561092]  kasan_save_track+0x20/0x40
[ 15.561131]  kasan_save_alloc_info+0x40/0x58
[ 15.561169]  __kasan_kmalloc+0xd4/0xd8
[ 15.561203]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 15.561651]  ksize_uaf+0xb8/0x5f8
[ 15.561750]  kunit_try_run_case+0x170/0x3f0
[ 15.561946]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.562015]  kthread+0x328/0x630
[ 15.562049]  ret_from_fork+0x10/0x20
[ 15.562085]
[ 15.562104] Freed by task 196:
[ 15.562167]  kasan_save_stack+0x3c/0x68
[ 15.562245]  kasan_save_track+0x20/0x40
[ 15.562331]  kasan_save_free_info+0x4c/0x78
[ 15.562377]  __kasan_slab_free+0x6c/0x98
[ 15.562415]  kfree+0x214/0x3c8
[ 15.562448]  ksize_uaf+0x11c/0x5f8
[ 15.562486]  kunit_try_run_case+0x170/0x3f0
[ 15.562523]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.562566]  kthread+0x328/0x630
[ 15.562599]  ret_from_fork+0x10/0x20
[ 15.562637]
[ 15.562656] The buggy address belongs to the object at fff00000c7025000
[ 15.562656]  which belongs to the cache kmalloc-128 of size 128
[ 15.562725] The buggy address is located 0 bytes inside of
[ 15.562725]  freed 128-byte region [fff00000c7025000, fff00000c7025080)
[ 15.562784]
[ 15.562803] The buggy address belongs to the physical page:
[ 15.562834] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107025
[ 15.562913] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 15.563507] page_type: f5(slab)
[ 15.563552] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 15.563603] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 15.563643] page dumped because: kasan: bad access detected
[ 15.564233]
[ 15.564268] Memory state around the buggy address:
[ 15.564303]  fff00000c7024f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 15.564551]  fff00000c7024f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 15.564598] >fff00000c7025000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.564795]                    ^
[ 15.565004]  fff00000c7025080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.565116]  fff00000c7025100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.565193] ==================================================================
```
qemu-x86_64:

```text
[ 12.834479] ==================================================================
[ 12.835207] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 12.835771] Read of size 1 at addr ffff88810272ba78 by task kunit_try_catch/213
[ 12.836012]
[ 12.836096] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.836134] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.836145] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.836164] Call Trace:
[ 12.836174]  <TASK>
[ 12.836187]  dump_stack_lvl+0x73/0xb0
[ 12.836213]  print_report+0xd1/0x610
[ 12.836234]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.836254]  ? ksize_uaf+0x5e4/0x6c0
[ 12.836274]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.836294]  ? ksize_uaf+0x5e4/0x6c0
[ 12.836314]  kasan_report+0x141/0x180
[ 12.836334]  ? ksize_uaf+0x5e4/0x6c0
[ 12.836358]  __asan_report_load1_noabort+0x18/0x20
[ 12.836381]  ksize_uaf+0x5e4/0x6c0
[ 12.836400]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.836420]  ? __schedule+0x10cc/0x2b60
[ 12.836441]  ? __pfx_read_tsc+0x10/0x10
[ 12.836460]  ? ktime_get_ts64+0x86/0x230
[ 12.836483]  kunit_try_run_case+0x1a5/0x480
[ 12.836505]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.836525]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.836546]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.836664]  ? __kthread_parkme+0x82/0x180
[ 12.836685]  ? preempt_count_sub+0x50/0x80
[ 12.836707]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.836730]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.836752]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.836774]  kthread+0x337/0x6f0
[ 12.836792]  ? trace_preempt_on+0x20/0xc0
[ 12.836813]  ? __pfx_kthread+0x10/0x10
[ 12.836832]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.836852]  ? calculate_sigpending+0x7b/0xa0
[ 12.836874]  ? __pfx_kthread+0x10/0x10
[ 12.836894]  ret_from_fork+0x116/0x1d0
[ 12.836923]  ? __pfx_kthread+0x10/0x10
[ 12.836942]  ret_from_fork_asm+0x1a/0x30
[ 12.836971]  </TASK>
[ 12.836980]
[ 12.846167] Allocated by task 213:
[ 12.846302]  kasan_save_stack+0x45/0x70
[ 12.846538]  kasan_save_track+0x18/0x40
[ 12.846895]  kasan_save_alloc_info+0x3b/0x50
[ 12.847131]  __kasan_kmalloc+0xb7/0xc0
[ 12.847317]  __kmalloc_cache_noprof+0x189/0x420
[ 12.847612]  ksize_uaf+0xaa/0x6c0
[ 12.847776]  kunit_try_run_case+0x1a5/0x480
[ 12.848039]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.848293]  kthread+0x337/0x6f0
[ 12.848505]  ret_from_fork+0x116/0x1d0
[ 12.848642]  ret_from_fork_asm+0x1a/0x30
[ 12.849024]
[ 12.849149] Freed by task 213:
[ 12.849401]  kasan_save_stack+0x45/0x70
[ 12.849598]  kasan_save_track+0x18/0x40
[ 12.849903]  kasan_save_free_info+0x3f/0x60
[ 12.850162]  __kasan_slab_free+0x56/0x70
[ 12.850306]  kfree+0x222/0x3f0
[ 12.850635]  ksize_uaf+0x12c/0x6c0
[ 12.851007]  kunit_try_run_case+0x1a5/0x480
[ 12.851166]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.851536]  kthread+0x337/0x6f0
[ 12.851962]  ret_from_fork+0x116/0x1d0
[ 12.852135]  ret_from_fork_asm+0x1a/0x30
[ 12.852419]
[ 12.852547] The buggy address belongs to the object at ffff88810272ba00
[ 12.852547]  which belongs to the cache kmalloc-128 of size 128
[ 12.853098] The buggy address is located 120 bytes inside of
[ 12.853098]  freed 128-byte region [ffff88810272ba00, ffff88810272ba80)
[ 12.853757]
[ 12.853887] The buggy address belongs to the physical page:
[ 12.854149] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10272b
[ 12.854641] flags: 0x200000000000000(node=0|zone=2)
[ 12.855062] page_type: f5(slab)
[ 12.855219] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.855487] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.855961] page dumped because: kasan: bad access detected
[ 12.856407]
[ 12.856541] Memory state around the buggy address:
[ 12.856845]  ffff88810272b900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.857181]  ffff88810272b980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.857579] >ffff88810272ba00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.857856]                                                                 ^
[ 12.858298]  ffff88810272ba80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.858876]  ffff88810272bb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.859224] ==================================================================
[ 12.810817] ==================================================================
[ 12.811223] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 12.811434] Read of size 1 at addr ffff88810272ba00 by task kunit_try_catch/213
[ 12.811699]
[ 12.811803] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.811843] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.811951] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.811975] Call Trace:
[ 12.811986]  <TASK>
[ 12.811998]  dump_stack_lvl+0x73/0xb0
[ 12.812062]  print_report+0xd1/0x610
[ 12.812082]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.812103]  ? ksize_uaf+0x5fe/0x6c0
[ 12.812122]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.812143]  ? ksize_uaf+0x5fe/0x6c0
[ 12.812162]  kasan_report+0x141/0x180
[ 12.812183]  ? ksize_uaf+0x5fe/0x6c0
[ 12.812208]  __asan_report_load1_noabort+0x18/0x20
[ 12.812230]  ksize_uaf+0x5fe/0x6c0
[ 12.812249]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.812269]  ? __schedule+0x10cc/0x2b60
[ 12.812290]  ? __pfx_read_tsc+0x10/0x10
[ 12.812309]  ? ktime_get_ts64+0x86/0x230
[ 12.812331]  kunit_try_run_case+0x1a5/0x480
[ 12.812395]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.812451]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.812498]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.812544]  ? __kthread_parkme+0x82/0x180
[ 12.812562]  ? preempt_count_sub+0x50/0x80
[ 12.812584]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.812607]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.812628]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.812650]  kthread+0x337/0x6f0
[ 12.812668]  ? trace_preempt_on+0x20/0xc0
[ 12.812689]  ? __pfx_kthread+0x10/0x10
[ 12.812709]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.812728]  ? calculate_sigpending+0x7b/0xa0
[ 12.812750]  ? __pfx_kthread+0x10/0x10
[ 12.812770]  ret_from_fork+0x116/0x1d0
[ 12.812787]  ? __pfx_kthread+0x10/0x10
[ 12.812806]  ret_from_fork_asm+0x1a/0x30
[ 12.812834]  </TASK>
[ 12.812843]
[ 12.821319] Allocated by task 213:
[ 12.821533]  kasan_save_stack+0x45/0x70
[ 12.821707]  kasan_save_track+0x18/0x40
[ 12.821842]  kasan_save_alloc_info+0x3b/0x50
[ 12.822001]  __kasan_kmalloc+0xb7/0xc0
[ 12.822248]  __kmalloc_cache_noprof+0x189/0x420
[ 12.822764]  ksize_uaf+0xaa/0x6c0
[ 12.822947]  kunit_try_run_case+0x1a5/0x480
[ 12.823273]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.823638]  kthread+0x337/0x6f0
[ 12.823965]  ret_from_fork+0x116/0x1d0
[ 12.824181]  ret_from_fork_asm+0x1a/0x30
[ 12.824411]
[ 12.824508] Freed by task 213:
[ 12.824721]  kasan_save_stack+0x45/0x70
[ 12.824923]  kasan_save_track+0x18/0x40
[ 12.825139]  kasan_save_free_info+0x3f/0x60
[ 12.825403]  __kasan_slab_free+0x56/0x70
[ 12.825629]  kfree+0x222/0x3f0
[ 12.825808]  ksize_uaf+0x12c/0x6c0
[ 12.826026]  kunit_try_run_case+0x1a5/0x480
[ 12.826242]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.826575]  kthread+0x337/0x6f0
[ 12.826769]  ret_from_fork+0x116/0x1d0
[ 12.826978]  ret_from_fork_asm+0x1a/0x30
[ 12.827211]
[ 12.827302] The buggy address belongs to the object at ffff88810272ba00
[ 12.827302]  which belongs to the cache kmalloc-128 of size 128
[ 12.828090] The buggy address is located 0 bytes inside of
[ 12.828090]  freed 128-byte region [ffff88810272ba00, ffff88810272ba80)
[ 12.828699]
[ 12.828775] The buggy address belongs to the physical page:
[ 12.828978] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10272b
[ 12.829564] flags: 0x200000000000000(node=0|zone=2)
[ 12.829951] page_type: f5(slab)
[ 12.830222] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.830578] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.830918] page dumped because: kasan: bad access detected
[ 12.831123]
[ 12.831191] Memory state around the buggy address:
[ 12.831345]  ffff88810272b900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.831822]  ffff88810272b980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.832223] >ffff88810272ba00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.832832]                    ^
[ 12.833180]  ffff88810272ba80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.833690]  ffff88810272bb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.834021] ==================================================================
[ 12.786479] ==================================================================
[ 12.787650] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 12.788091] Read of size 1 at addr ffff88810272ba00 by task kunit_try_catch/213
[ 12.788867]
[ 12.788979] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.789026] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.789037] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.789060] Call Trace:
[ 12.789073]  <TASK>
[ 12.789089]  dump_stack_lvl+0x73/0xb0
[ 12.789119]  print_report+0xd1/0x610
[ 12.789141]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.789164]  ? ksize_uaf+0x19d/0x6c0
[ 12.789183]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.789204]  ? ksize_uaf+0x19d/0x6c0
[ 12.789224]  kasan_report+0x141/0x180
[ 12.789244]  ? ksize_uaf+0x19d/0x6c0
[ 12.789266]  ? ksize_uaf+0x19d/0x6c0
[ 12.789286]  __kasan_check_byte+0x3d/0x50
[ 12.789306]  ksize+0x20/0x60
[ 12.789326]  ksize_uaf+0x19d/0x6c0
[ 12.789345]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.789366]  ? __schedule+0x10cc/0x2b60
[ 12.789464]  ? __pfx_read_tsc+0x10/0x10
[ 12.789486]  ? ktime_get_ts64+0x86/0x230
[ 12.789510]  kunit_try_run_case+0x1a5/0x480
[ 12.789535]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.789556]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.789577]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.789599]  ? __kthread_parkme+0x82/0x180
[ 12.789641]  ? preempt_count_sub+0x50/0x80
[ 12.789664]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.789686]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.789708]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.789747]  kthread+0x337/0x6f0
[ 12.789766]  ? trace_preempt_on+0x20/0xc0
[ 12.789787]  ? __pfx_kthread+0x10/0x10
[ 12.789806]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.789826]  ? calculate_sigpending+0x7b/0xa0
[ 12.789848]  ? __pfx_kthread+0x10/0x10
[ 12.789868]  ret_from_fork+0x116/0x1d0
[ 12.789886]  ? __pfx_kthread+0x10/0x10
[ 12.789916]  ret_from_fork_asm+0x1a/0x30
[ 12.789946]  </TASK>
[ 12.789956]
[ 12.798059] Allocated by task 213:
[ 12.798249]  kasan_save_stack+0x45/0x70
[ 12.798625]  kasan_save_track+0x18/0x40
[ 12.798805]  kasan_save_alloc_info+0x3b/0x50
[ 12.799032]  __kasan_kmalloc+0xb7/0xc0
[ 12.799241]  __kmalloc_cache_noprof+0x189/0x420
[ 12.799565]  ksize_uaf+0xaa/0x6c0
[ 12.799753]  kunit_try_run_case+0x1a5/0x480
[ 12.799924]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.800101]  kthread+0x337/0x6f0
[ 12.800223]  ret_from_fork+0x116/0x1d0
[ 12.800353]  ret_from_fork_asm+0x1a/0x30
[ 12.800549]
[ 12.800643] Freed by task 213:
[ 12.800800]  kasan_save_stack+0x45/0x70
[ 12.801022]  kasan_save_track+0x18/0x40
[ 12.801218]  kasan_save_free_info+0x3f/0x60
[ 12.801760]  __kasan_slab_free+0x56/0x70
[ 12.801924]  kfree+0x222/0x3f0
[ 12.802042]  ksize_uaf+0x12c/0x6c0
[ 12.802166]  kunit_try_run_case+0x1a5/0x480
[ 12.802400]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.802761]  kthread+0x337/0x6f0
[ 12.802955]  ret_from_fork+0x116/0x1d0
[ 12.803144]  ret_from_fork_asm+0x1a/0x30
[ 12.803411]
[ 12.803489] The buggy address belongs to the object at ffff88810272ba00
[ 12.803489]  which belongs to the cache kmalloc-128 of size 128
[ 12.803994] The buggy address is located 0 bytes inside of
[ 12.803994]  freed 128-byte region [ffff88810272ba00, ffff88810272ba80)
[ 12.804586]
[ 12.804662] The buggy address belongs to the physical page:
[ 12.805094] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10272b
[ 12.805512] flags: 0x200000000000000(node=0|zone=2)
[ 12.805801] page_type: f5(slab)
[ 12.806133] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.806523] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.806949] page dumped because: kasan: bad access detected
[ 12.807249]
[ 12.807363] Memory state around the buggy address:
[ 12.807743]  ffff88810272b900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.808096]  ffff88810272b980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.808505] >ffff88810272ba00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.808896]                    ^
[ 12.809103]  ffff88810272ba80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.809621]  ffff88810272bb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.809983] ==================================================================
```