Date
July 17, 2025, 11:10 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 15.575677] ==================================================================
[ 15.575736] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 15.575787] Read of size 1 at addr fff00000c786a800 by task kunit_try_catch/197
[ 15.575837]
[ 15.575868] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 15.575952] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.578301] Hardware name: linux,dummy-virt (DT)
[ 15.578359] Call trace:
[ 15.578384] show_stack+0x20/0x38 (C)
[ 15.578440] dump_stack_lvl+0x8c/0xd0
[ 15.578486] print_report+0x118/0x5d0
[ 15.578530] kasan_report+0xdc/0x128
[ 15.578575] __kasan_check_byte+0x54/0x70
[ 15.578620] ksize+0x30/0x88
[ 15.578661] ksize_uaf+0x168/0x5f8
[ 15.578705] kunit_try_run_case+0x170/0x3f0
[ 15.578752] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.578803] kthread+0x328/0x630
[ 15.578844] ret_from_fork+0x10/0x20
[ 15.578891]
[ 15.578908] Allocated by task 197:
[ 15.578938] kasan_save_stack+0x3c/0x68
[ 15.578990] kasan_save_track+0x20/0x40
[ 15.579027] kasan_save_alloc_info+0x40/0x58
[ 15.579067] __kasan_kmalloc+0xd4/0xd8
[ 15.579103] __kmalloc_cache_noprof+0x16c/0x3c0
[ 15.579142] ksize_uaf+0xb8/0x5f8
[ 15.579175] kunit_try_run_case+0x170/0x3f0
[ 15.579213] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.579257] kthread+0x328/0x630
[ 15.579288] ret_from_fork+0x10/0x20
[ 15.579324]
[ 15.579342] Freed by task 197:
[ 15.579366] kasan_save_stack+0x3c/0x68
[ 15.579404] kasan_save_track+0x20/0x40
[ 15.579445] kasan_save_free_info+0x4c/0x78
[ 15.579485] __kasan_slab_free+0x6c/0x98
[ 15.579520] kfree+0x214/0x3c8
[ 15.579554] ksize_uaf+0x11c/0x5f8
[ 15.579586] kunit_try_run_case+0x170/0x3f0
[ 15.579624] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.579668] kthread+0x328/0x630
[ 15.579699] ret_from_fork+0x10/0x20
[ 15.579733]
[ 15.579752] The buggy address belongs to the object at fff00000c786a800
[ 15.579752] which belongs to the cache kmalloc-128 of size 128
[ 15.579810] The buggy address is located 0 bytes inside of
[ 15.579810] freed 128-byte region [fff00000c786a800, fff00000c786a880)
[ 15.579873]
[ 15.579892] The buggy address belongs to the physical page:
[ 15.579923] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10786a
[ 15.580903] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 15.581024] page_type: f5(slab)
[ 15.581069] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 15.581119] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 15.581213] page dumped because: kasan: bad access detected
[ 15.581302]
[ 15.581415] Memory state around the buggy address:
[ 15.581514] fff00000c786a700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.581570] fff00000c786a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.581709] >fff00000c786a800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.581750] ^
[ 15.581804] fff00000c786a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.581882] fff00000c786a900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.581921] ==================================================================
[ 15.583370] ==================================================================
[ 15.583458] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 15.583541] Read of size 1 at addr fff00000c786a800 by task kunit_try_catch/197
[ 15.583616]
[ 15.583664] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 15.583774] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.583801] Hardware name: linux,dummy-virt (DT)
[ 15.583831] Call trace:
[ 15.583851] show_stack+0x20/0x38 (C)
[ 15.583898] dump_stack_lvl+0x8c/0xd0
[ 15.583942] print_report+0x118/0x5d0
[ 15.584007] kasan_report+0xdc/0x128
[ 15.584062] __asan_report_load1_noabort+0x20/0x30
[ 15.584287] ksize_uaf+0x598/0x5f8
[ 15.584340] kunit_try_run_case+0x170/0x3f0
[ 15.584384] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.584484] kthread+0x328/0x630
[ 15.584529] ret_from_fork+0x10/0x20
[ 15.584573]
[ 15.584648] Allocated by task 197:
[ 15.584675] kasan_save_stack+0x3c/0x68
[ 15.584743] kasan_save_track+0x20/0x40
[ 15.584832] kasan_save_alloc_info+0x40/0x58
[ 15.584959] __kasan_kmalloc+0xd4/0xd8
[ 15.585131] __kmalloc_cache_noprof+0x16c/0x3c0
[ 15.585273] ksize_uaf+0xb8/0x5f8
[ 15.585308] kunit_try_run_case+0x170/0x3f0
[ 15.585345] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.585388] kthread+0x328/0x630
[ 15.585418] ret_from_fork+0x10/0x20
[ 15.585454]
[ 15.585472] Freed by task 197:
[ 15.585498] kasan_save_stack+0x3c/0x68
[ 15.585535] kasan_save_track+0x20/0x40
[ 15.585570] kasan_save_free_info+0x4c/0x78
[ 15.585610] __kasan_slab_free+0x6c/0x98
[ 15.585645] kfree+0x214/0x3c8
[ 15.585679] ksize_uaf+0x11c/0x5f8
[ 15.585713] kunit_try_run_case+0x170/0x3f0
[ 15.585751] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.585921] kthread+0x328/0x630
[ 15.586048] ret_from_fork+0x10/0x20
[ 15.586156]
[ 15.586186] The buggy address belongs to the object at fff00000c786a800
[ 15.586186] which belongs to the cache kmalloc-128 of size 128
[ 15.586295] The buggy address is located 0 bytes inside of
[ 15.586295] freed 128-byte region [fff00000c786a800, fff00000c786a880)
[ 15.586439]
[ 15.586507] The buggy address belongs to the physical page:
[ 15.586645] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10786a
[ 15.586799] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 15.586905] page_type: f5(slab)
[ 15.587046] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 15.587137] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 15.587529] page dumped because: kasan: bad access detected
[ 15.587653]
[ 15.587684] Memory state around the buggy address:
[ 15.587725] fff00000c786a700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.587834] fff00000c786a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.587876] >fff00000c786a800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.587960] ^
[ 15.588113] fff00000c786a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.588177] fff00000c786a900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.588541] ==================================================================
[ 15.590639] ==================================================================
[ 15.590694] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 15.590785] Read of size 1 at addr fff00000c786a878 by task kunit_try_catch/197
[ 15.590893]
[ 15.590931] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 15.591026] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.591053] Hardware name: linux,dummy-virt (DT)
[ 15.591082] Call trace:
[ 15.591102] show_stack+0x20/0x38 (C)
[ 15.591410] dump_stack_lvl+0x8c/0xd0
[ 15.591478] print_report+0x118/0x5d0
[ 15.591524] kasan_report+0xdc/0x128
[ 15.591634] __asan_report_load1_noabort+0x20/0x30
[ 15.591750] ksize_uaf+0x544/0x5f8
[ 15.591833] kunit_try_run_case+0x170/0x3f0
[ 15.591894] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.591971] kthread+0x328/0x630
[ 15.592025] ret_from_fork+0x10/0x20
[ 15.592151]
[ 15.592199] Allocated by task 197:
[ 15.592227] kasan_save_stack+0x3c/0x68
[ 15.592269] kasan_save_track+0x20/0x40
[ 15.592304] kasan_save_alloc_info+0x40/0x58
[ 15.592344] __kasan_kmalloc+0xd4/0xd8
[ 15.592629] __kmalloc_cache_noprof+0x16c/0x3c0
[ 15.592716] ksize_uaf+0xb8/0x5f8
[ 15.592752] kunit_try_run_case+0x170/0x3f0
[ 15.592932] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.593033] kthread+0x328/0x630
[ 15.593182] ret_from_fork+0x10/0x20
[ 15.593231]
[ 15.593249] Freed by task 197:
[ 15.593277] kasan_save_stack+0x3c/0x68
[ 15.593314] kasan_save_track+0x20/0x40
[ 15.593361] kasan_save_free_info+0x4c/0x78
[ 15.593401] __kasan_slab_free+0x6c/0x98
[ 15.593461] kfree+0x214/0x3c8
[ 15.593493] ksize_uaf+0x11c/0x5f8
[ 15.593528] kunit_try_run_case+0x170/0x3f0
[ 15.593566] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.593618] kthread+0x328/0x630
[ 15.593651] ret_from_fork+0x10/0x20
[ 15.593686]
[ 15.593719] The buggy address belongs to the object at fff00000c786a800
[ 15.593719] which belongs to the cache kmalloc-128 of size 128
[ 15.593780] The buggy address is located 120 bytes inside of
[ 15.593780] freed 128-byte region [fff00000c786a800, fff00000c786a880)
[ 15.593843]
[ 15.593862] The buggy address belongs to the physical page:
[ 15.593903] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10786a
[ 15.593956] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 15.594025] page_type: f5(slab)
[ 15.594060] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 15.594111] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 15.594152] page dumped because: kasan: bad access detected
[ 15.594185]
[ 15.594203] Memory state around the buggy address:
[ 15.594255] fff00000c786a700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.594319] fff00000c786a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.594370] >fff00000c786a800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.594416] ^
[ 15.594458] fff00000c786a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.594523] fff00000c786a900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.594570] ==================================================================
```
qemu-x86_64:

```text
[ 13.549443] ==================================================================
[ 13.549980] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 13.550308] Read of size 1 at addr ffff8881025cc578 by task kunit_try_catch/213
[ 13.550654]
[ 13.550745] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 13.550788] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.550799] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.550819] Call Trace:
[ 13.550833] <TASK>
[ 13.550847] dump_stack_lvl+0x73/0xb0
[ 13.550876] print_report+0xd1/0x610
[ 13.550900] ? __virt_addr_valid+0x1db/0x2d0
[ 13.550923] ? ksize_uaf+0x5e4/0x6c0
[ 13.550943] ? kasan_complete_mode_report_info+0x64/0x200
[ 13.550966] ? ksize_uaf+0x5e4/0x6c0
[ 13.550987] kasan_report+0x141/0x180
[ 13.551008] ? ksize_uaf+0x5e4/0x6c0
[ 13.551034] __asan_report_load1_noabort+0x18/0x20
[ 13.551059] ksize_uaf+0x5e4/0x6c0
[ 13.551080] ? __pfx_ksize_uaf+0x10/0x10
[ 13.551101] ? sysvec_apic_timer_interrupt+0x50/0x90
[ 13.551127] ? trace_hardirqs_on+0x37/0xe0
[ 13.551149] ? __pfx_read_tsc+0x10/0x10
[ 13.551170] ? ktime_get_ts64+0x86/0x230
[ 13.551193] kunit_try_run_case+0x1a5/0x480
[ 13.551217] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.551313] ? queued_spin_lock_slowpath+0x116/0xb40
[ 13.551339] ? __kthread_parkme+0x82/0x180
[ 13.551360] ? preempt_count_sub+0x50/0x80
[ 13.551384] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.551426] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.551451] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.551476] kthread+0x337/0x6f0
[ 13.551495] ? trace_preempt_on+0x20/0xc0
[ 13.551517] ? __pfx_kthread+0x10/0x10
[ 13.551538] ? _raw_spin_unlock_irq+0x47/0x80
[ 13.551569] ? calculate_sigpending+0x7b/0xa0
[ 13.551592] ? __pfx_kthread+0x10/0x10
[ 13.551614] ret_from_fork+0x116/0x1d0
[ 13.551632] ? __pfx_kthread+0x10/0x10
[ 13.551653] ret_from_fork_asm+0x1a/0x30
[ 13.551683] </TASK>
[ 13.551693]
[ 13.558837] Allocated by task 213:
[ 13.558997] kasan_save_stack+0x45/0x70
[ 13.559180] kasan_save_track+0x18/0x40
[ 13.559548] kasan_save_alloc_info+0x3b/0x50
[ 13.559772] __kasan_kmalloc+0xb7/0xc0
[ 13.559942] __kmalloc_cache_noprof+0x189/0x420
[ 13.560151] ksize_uaf+0xaa/0x6c0
[ 13.560368] kunit_try_run_case+0x1a5/0x480
[ 13.560594] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.560785] kthread+0x337/0x6f0
[ 13.560952] ret_from_fork+0x116/0x1d0
[ 13.561141] ret_from_fork_asm+0x1a/0x30
[ 13.561407]
[ 13.561518] Freed by task 213:
[ 13.561638] kasan_save_stack+0x45/0x70
[ 13.561840] kasan_save_track+0x18/0x40
[ 13.562037] kasan_save_free_info+0x3f/0x60
[ 13.562212] __kasan_slab_free+0x56/0x70
[ 13.562465] kfree+0x222/0x3f0
[ 13.562651] ksize_uaf+0x12c/0x6c0
[ 13.562832] kunit_try_run_case+0x1a5/0x480
[ 13.563034] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.563309] kthread+0x337/0x6f0
[ 13.563507] ret_from_fork+0x116/0x1d0
[ 13.563705] ret_from_fork_asm+0x1a/0x30
[ 13.563872]
[ 13.563942] The buggy address belongs to the object at ffff8881025cc500
[ 13.563942] which belongs to the cache kmalloc-128 of size 128
[ 13.564514] The buggy address is located 120 bytes inside of
[ 13.564514] freed 128-byte region [ffff8881025cc500, ffff8881025cc580)
[ 13.565078]
[ 13.565174] The buggy address belongs to the physical page:
[ 13.565441] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1025cc
[ 13.565766] flags: 0x200000000000000(node=0|zone=2)
[ 13.565930] page_type: f5(slab)
[ 13.566050] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 13.566294] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 13.566641] page dumped because: kasan: bad access detected
[ 13.566886]
[ 13.566986] Memory state around the buggy address:
[ 13.567213] ffff8881025cc400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.567529] ffff8881025cc480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.567918] >ffff8881025cc500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.568191] ^
[ 13.568605] ffff8881025cc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.568892] ffff8881025cc600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.569157] ==================================================================
[ 13.528518] ==================================================================
[ 13.528845] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 13.529084] Read of size 1 at addr ffff8881025cc500 by task kunit_try_catch/213
[ 13.529531]
[ 13.529645] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 13.529687] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.529698] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.529718] Call Trace:
[ 13.529729] <TASK>
[ 13.529743] dump_stack_lvl+0x73/0xb0
[ 13.529769] print_report+0xd1/0x610
[ 13.529791] ? __virt_addr_valid+0x1db/0x2d0
[ 13.529813] ? ksize_uaf+0x5fe/0x6c0
[ 13.529833] ? kasan_complete_mode_report_info+0x64/0x200
[ 13.529856] ? ksize_uaf+0x5fe/0x6c0
[ 13.529877] kasan_report+0x141/0x180
[ 13.529898] ? ksize_uaf+0x5fe/0x6c0
[ 13.529924] __asan_report_load1_noabort+0x18/0x20
[ 13.529949] ksize_uaf+0x5fe/0x6c0
[ 13.529970] ? __pfx_ksize_uaf+0x10/0x10
[ 13.529991] ? sysvec_apic_timer_interrupt+0x50/0x90
[ 13.530016] ? trace_hardirqs_on+0x37/0xe0
[ 13.530039] ? __pfx_read_tsc+0x10/0x10
[ 13.530059] ? ktime_get_ts64+0x86/0x230
[ 13.530083] kunit_try_run_case+0x1a5/0x480
[ 13.530107] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.530132] ? queued_spin_lock_slowpath+0x116/0xb40
[ 13.530157] ? __kthread_parkme+0x82/0x180
[ 13.530176] ? preempt_count_sub+0x50/0x80
[ 13.530200] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.530224] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.530248] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.530274] kthread+0x337/0x6f0
[ 13.530293] ? trace_preempt_on+0x20/0xc0
[ 13.530314] ? __pfx_kthread+0x10/0x10
[ 13.530335] ? _raw_spin_unlock_irq+0x47/0x80
[ 13.530356] ? calculate_sigpending+0x7b/0xa0
[ 13.530380] ? __pfx_kthread+0x10/0x10
[ 13.530401] ret_from_fork+0x116/0x1d0
[ 13.530419] ? __pfx_kthread+0x10/0x10
[ 13.530439] ret_from_fork_asm+0x1a/0x30
[ 13.530470] </TASK>
[ 13.530479]
[ 13.537958] Allocated by task 213:
[ 13.538137] kasan_save_stack+0x45/0x70
[ 13.538506] kasan_save_track+0x18/0x40
[ 13.538696] kasan_save_alloc_info+0x3b/0x50
[ 13.538888] __kasan_kmalloc+0xb7/0xc0
[ 13.539073] __kmalloc_cache_noprof+0x189/0x420
[ 13.539349] ksize_uaf+0xaa/0x6c0
[ 13.539588] kunit_try_run_case+0x1a5/0x480
[ 13.539768] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.539970] kthread+0x337/0x6f0
[ 13.540100] ret_from_fork+0x116/0x1d0
[ 13.540234] ret_from_fork_asm+0x1a/0x30
[ 13.540496]
[ 13.540621] Freed by task 213:
[ 13.540776] kasan_save_stack+0x45/0x70
[ 13.540979] kasan_save_track+0x18/0x40
[ 13.541166] kasan_save_free_info+0x3f/0x60
[ 13.541531] __kasan_slab_free+0x56/0x70
[ 13.541720] kfree+0x222/0x3f0
[ 13.541848] ksize_uaf+0x12c/0x6c0
[ 13.541972] kunit_try_run_case+0x1a5/0x480
[ 13.542146] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.542542] kthread+0x337/0x6f0
[ 13.542731] ret_from_fork+0x116/0x1d0
[ 13.542918] ret_from_fork_asm+0x1a/0x30
[ 13.543093]
[ 13.543189] The buggy address belongs to the object at ffff8881025cc500
[ 13.543189] which belongs to the cache kmalloc-128 of size 128
[ 13.543736] The buggy address is located 0 bytes inside of
[ 13.543736] freed 128-byte region [ffff8881025cc500, ffff8881025cc580)
[ 13.544099]
[ 13.544170] The buggy address belongs to the physical page:
[ 13.544428] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1025cc
[ 13.544797] flags: 0x200000000000000(node=0|zone=2)
[ 13.545028] page_type: f5(slab)
[ 13.545191] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 13.545524] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 13.545871] page dumped because: kasan: bad access detected
[ 13.546096]
[ 13.546164] Memory state around the buggy address:
[ 13.546318] ffff8881025cc400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.546532] ffff8881025cc480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.547807] >ffff8881025cc500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.548131] ^
[ 13.548302] ffff8881025cc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.548625] ffff8881025cc600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.548932] ==================================================================
[ 13.507442] ==================================================================
[ 13.507941] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 13.508207] Read of size 1 at addr ffff8881025cc500 by task kunit_try_catch/213
[ 13.508703]
[ 13.508800] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 13.508844] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.508856] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.508875] Call Trace:
[ 13.508887] <TASK>
[ 13.508901] dump_stack_lvl+0x73/0xb0
[ 13.508930] print_report+0xd1/0x610
[ 13.508952] ? __virt_addr_valid+0x1db/0x2d0
[ 13.508976] ? ksize_uaf+0x19d/0x6c0
[ 13.508996] ? kasan_complete_mode_report_info+0x64/0x200
[ 13.509019] ? ksize_uaf+0x19d/0x6c0
[ 13.509039] kasan_report+0x141/0x180
[ 13.509061] ? ksize_uaf+0x19d/0x6c0
[ 13.509084] ? ksize_uaf+0x19d/0x6c0
[ 13.509105] __kasan_check_byte+0x3d/0x50
[ 13.509127] ksize+0x20/0x60
[ 13.509147] ksize_uaf+0x19d/0x6c0
[ 13.509167] ? __pfx_ksize_uaf+0x10/0x10
[ 13.509188] ? sysvec_apic_timer_interrupt+0x50/0x90
[ 13.509213] ? trace_hardirqs_on+0x37/0xe0
[ 13.509236] ? __pfx_read_tsc+0x10/0x10
[ 13.509500] ? ktime_get_ts64+0x86/0x230
[ 13.509527] kunit_try_run_case+0x1a5/0x480
[ 13.509565] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.509592] ? queued_spin_lock_slowpath+0x116/0xb40
[ 13.509617] ? __kthread_parkme+0x82/0x180
[ 13.509638] ? preempt_count_sub+0x50/0x80
[ 13.509662] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.509687] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.509712] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.509737] kthread+0x337/0x6f0
[ 13.509756] ? trace_preempt_on+0x20/0xc0
[ 13.509778] ? __pfx_kthread+0x10/0x10
[ 13.509799] ? _raw_spin_unlock_irq+0x47/0x80
[ 13.509820] ? calculate_sigpending+0x7b/0xa0
[ 13.509844] ? __pfx_kthread+0x10/0x10
[ 13.509866] ret_from_fork+0x116/0x1d0
[ 13.509884] ? __pfx_kthread+0x10/0x10
[ 13.509904] ret_from_fork_asm+0x1a/0x30
[ 13.509935] </TASK>
[ 13.509944]
[ 13.517448] Allocated by task 213:
[ 13.517654] kasan_save_stack+0x45/0x70
[ 13.517865] kasan_save_track+0x18/0x40
[ 13.518014] kasan_save_alloc_info+0x3b/0x50
[ 13.518163] __kasan_kmalloc+0xb7/0xc0
[ 13.518295] __kmalloc_cache_noprof+0x189/0x420
[ 13.518516] ksize_uaf+0xaa/0x6c0
[ 13.518697] kunit_try_run_case+0x1a5/0x480
[ 13.519087] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.519518] kthread+0x337/0x6f0
[ 13.519661] ret_from_fork+0x116/0x1d0
[ 13.519798] ret_from_fork_asm+0x1a/0x30
[ 13.519994]
[ 13.520099] Freed by task 213:
[ 13.520304] kasan_save_stack+0x45/0x70
[ 13.520505] kasan_save_track+0x18/0x40
[ 13.520695] kasan_save_free_info+0x3f/0x60
[ 13.520901] __kasan_slab_free+0x56/0x70
[ 13.521077] kfree+0x222/0x3f0
[ 13.521229] ksize_uaf+0x12c/0x6c0
[ 13.521380] kunit_try_run_case+0x1a5/0x480
[ 13.521635] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.521853] kthread+0x337/0x6f0
[ 13.522009] ret_from_fork+0x116/0x1d0
[ 13.522152] ret_from_fork_asm+0x1a/0x30
[ 13.522485]
[ 13.522591] The buggy address belongs to the object at ffff8881025cc500
[ 13.522591] which belongs to the cache kmalloc-128 of size 128
[ 13.522991] The buggy address is located 0 bytes inside of
[ 13.522991] freed 128-byte region [ffff8881025cc500, ffff8881025cc580)
[ 13.523335]
[ 13.523407] The buggy address belongs to the physical page:
[ 13.523665] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1025cc
[ 13.524225] flags: 0x200000000000000(node=0|zone=2)
[ 13.524394] page_type: f5(slab)
[ 13.524754] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 13.525060] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 13.525475] page dumped because: kasan: bad access detected
[ 13.525661]
[ 13.525732] Memory state around the buggy address:
[ 13.525887] ffff8881025cc400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.526210] ffff8881025cc480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.526763] >ffff8881025cc500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.527087] ^
[ 13.527293] ffff8881025cc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.527600] ffff8881025cc600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.527913] ==================================================================
```