Date
July 13, 2025, 11:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 16.124812] ================================================================== [ 16.124874] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 16.124922] Read of size 1 at addr fff00000c5866778 by task kunit_try_catch/197 [ 16.124972] [ 16.125001] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 16.125377] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.125418] Hardware name: linux,dummy-virt (DT) [ 16.125450] Call trace: [ 16.125473] show_stack+0x20/0x38 (C) [ 16.125523] dump_stack_lvl+0x8c/0xd0 [ 16.125579] print_report+0x118/0x5d0 [ 16.125625] kasan_report+0xdc/0x128 [ 16.125669] __asan_report_load1_noabort+0x20/0x30 [ 16.125721] ksize_uaf+0x544/0x5f8 [ 16.125764] kunit_try_run_case+0x170/0x3f0 [ 16.125809] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.125862] kthread+0x328/0x630 [ 16.125904] ret_from_fork+0x10/0x20 [ 16.125950] [ 16.125968] Allocated by task 197: [ 16.125995] kasan_save_stack+0x3c/0x68 [ 16.126035] kasan_save_track+0x20/0x40 [ 16.126073] kasan_save_alloc_info+0x40/0x58 [ 16.126114] __kasan_kmalloc+0xd4/0xd8 [ 16.126149] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.126187] ksize_uaf+0xb8/0x5f8 [ 16.126239] kunit_try_run_case+0x170/0x3f0 [ 16.126275] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.126317] kthread+0x328/0x630 [ 16.126350] ret_from_fork+0x10/0x20 [ 16.126384] [ 16.126403] Freed by task 197: [ 16.126427] kasan_save_stack+0x3c/0x68 [ 16.126462] kasan_save_track+0x20/0x40 [ 16.126499] kasan_save_free_info+0x4c/0x78 [ 16.126577] __kasan_slab_free+0x6c/0x98 [ 16.126627] kfree+0x214/0x3c8 [ 16.126663] ksize_uaf+0x11c/0x5f8 [ 16.126697] kunit_try_run_case+0x170/0x3f0 [ 16.126735] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.126779] kthread+0x328/0x630 [ 16.126819] ret_from_fork+0x10/0x20 [ 16.126863] [ 16.126884] The buggy address belongs to the object at fff00000c5866700 [ 16.126884] which belongs to the cache kmalloc-128 of size 128 [ 16.126943] The buggy address is located 120 bytes inside of [ 16.126943] freed 128-byte region [fff00000c5866700, fff00000c5866780) [ 16.127005] [ 16.127024] The buggy address belongs to the physical page: [ 16.127068] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105866 [ 16.127121] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.127167] page_type: f5(slab) [ 16.127215] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.127266] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.127308] page dumped because: kasan: bad access detected [ 16.127338] [ 16.127357] Memory state around the buggy address: [ 16.127386] fff00000c5866600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.127438] fff00000c5866680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.127481] >fff00000c5866700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.127519] ^ [ 16.127562] fff00000c5866780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.127605] fff00000c5866800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.127643] ================================================================== [ 16.115952] ================================================================== [ 16.116005] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 16.116053] Read of size 1 at addr fff00000c5866700 by task kunit_try_catch/197 [ 16.116371] [ 16.116966] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 16.117189] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.117247] Hardware name: linux,dummy-virt (DT) [ 16.117306] Call trace: [ 16.117343] show_stack+0x20/0x38 (C) [ 16.117406] dump_stack_lvl+0x8c/0xd0 [ 16.117453] print_report+0x118/0x5d0 [ 16.117500] kasan_report+0xdc/0x128 [ 16.117554] __asan_report_load1_noabort+0x20/0x30 [ 16.117606] ksize_uaf+0x598/0x5f8 [ 16.117665] kunit_try_run_case+0x170/0x3f0 [ 16.117717] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.117786] kthread+0x328/0x630 [ 16.117827] ret_from_fork+0x10/0x20 [ 16.117879] [ 16.117899] Allocated by task 197: [ 16.117926] kasan_save_stack+0x3c/0x68 [ 16.117967] kasan_save_track+0x20/0x40 [ 16.118005] kasan_save_alloc_info+0x40/0x58 [ 16.118055] __kasan_kmalloc+0xd4/0xd8 [ 16.118096] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.118143] ksize_uaf+0xb8/0x5f8 [ 16.118186] kunit_try_run_case+0x170/0x3f0 [ 16.118477] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.119055] kthread+0x328/0x630 [ 16.119176] ret_from_fork+0x10/0x20 [ 16.119244] [ 16.119291] Freed by task 197: [ 16.119352] kasan_save_stack+0x3c/0x68 [ 16.119432] kasan_save_track+0x20/0x40 [ 16.119515] kasan_save_free_info+0x4c/0x78 [ 16.119567] __kasan_slab_free+0x6c/0x98 [ 16.119836] kfree+0x214/0x3c8 [ 16.119920] ksize_uaf+0x11c/0x5f8 [ 16.120004] kunit_try_run_case+0x170/0x3f0 [ 16.120088] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.120141] kthread+0x328/0x630 [ 16.120355] ret_from_fork+0x10/0x20 [ 16.120505] [ 16.120554] The buggy address belongs to the object at fff00000c5866700 [ 16.120554] which belongs to the cache kmalloc-128 of size 128 [ 16.120702] The buggy address is located 0 bytes inside of [ 16.120702] freed 128-byte region [fff00000c5866700, fff00000c5866780) [ 16.120794] [ 16.120814] The buggy address belongs to the physical page: [ 16.120957] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105866 [ 16.121129] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.121242] page_type: f5(slab) [ 16.121308] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.121374] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.121643] page dumped because: kasan: bad access detected [ 16.121731] [ 16.121826] Memory state around the buggy address: [ 16.121874] fff00000c5866600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.121920] fff00000c5866680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.122190] >fff00000c5866700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.122284] ^ [ 16.122350] fff00000c5866780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.122421] fff00000c5866800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.122476] ================================================================== [ 16.107383] ================================================================== [ 16.107456] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 16.107508] Read of size 1 at addr fff00000c5866700 by task kunit_try_catch/197 [ 16.107823] [ 16.107928] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 16.108032] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.108069] Hardware name: linux,dummy-virt (DT) [ 16.108117] Call trace: [ 16.108225] show_stack+0x20/0x38 (C) [ 16.108300] dump_stack_lvl+0x8c/0xd0 [ 16.108355] print_report+0x118/0x5d0 [ 16.108401] kasan_report+0xdc/0x128 [ 16.108445] __kasan_check_byte+0x54/0x70 [ 16.108492] ksize+0x30/0x88 [ 16.108782] ksize_uaf+0x168/0x5f8 [ 16.109037] kunit_try_run_case+0x170/0x3f0 [ 16.109191] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.109363] kthread+0x328/0x630 [ 16.109446] ret_from_fork+0x10/0x20 [ 16.109774] [ 16.109820] Allocated by task 197: [ 16.109881] kasan_save_stack+0x3c/0x68 [ 16.110004] kasan_save_track+0x20/0x40 [ 16.110072] kasan_save_alloc_info+0x40/0x58 [ 16.110234] __kasan_kmalloc+0xd4/0xd8 [ 16.110315] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.110567] ksize_uaf+0xb8/0x5f8 [ 16.110877] kunit_try_run_case+0x170/0x3f0 [ 16.110945] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.111097] kthread+0x328/0x630 [ 16.111175] ret_from_fork+0x10/0x20 [ 16.111318] [ 16.111364] Freed by task 197: [ 16.111395] kasan_save_stack+0x3c/0x68 [ 16.111477] kasan_save_track+0x20/0x40 [ 16.111762] kasan_save_free_info+0x4c/0x78 [ 16.111946] __kasan_slab_free+0x6c/0x98 [ 16.112041] kfree+0x214/0x3c8 [ 16.112075] ksize_uaf+0x11c/0x5f8 [ 16.112108] kunit_try_run_case+0x170/0x3f0 [ 16.112148] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.112483] kthread+0x328/0x630 [ 16.112544] ret_from_fork+0x10/0x20 [ 16.112671] [ 16.112721] The buggy address belongs to the object at fff00000c5866700 [ 16.112721] which belongs to the cache kmalloc-128 of size 128 [ 16.112807] The buggy address is located 0 bytes inside of [ 16.112807] freed 128-byte region [fff00000c5866700, fff00000c5866780) [ 16.113050] [ 16.113074] The buggy address belongs to the physical page: [ 16.113107] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105866 [ 16.113280] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.113419] page_type: f5(slab) [ 16.113507] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.113600] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.113720] page dumped because: kasan: bad access detected [ 16.113780] [ 16.113830] Memory state around the buggy address: [ 16.113932] fff00000c5866600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.113996] fff00000c5866680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.114039] >fff00000c5866700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.114569] ^ [ 16.114639] fff00000c5866780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.114719] fff00000c5866800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.114768] ==================================================================
[ 16.851291] ================================================================== [ 16.851404] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 16.851544] Read of size 1 at addr fff00000c5aae700 by task kunit_try_catch/197 [ 16.851630] [ 16.851718] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 16.851839] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.851864] Hardware name: linux,dummy-virt (DT) [ 16.852109] Call trace: [ 16.852136] show_stack+0x20/0x38 (C) [ 16.852200] dump_stack_lvl+0x8c/0xd0 [ 16.852359] print_report+0x118/0x5d0 [ 16.852426] kasan_report+0xdc/0x128 [ 16.852511] __kasan_check_byte+0x54/0x70 [ 16.852645] ksize+0x30/0x88 [ 16.852767] ksize_uaf+0x168/0x5f8 [ 16.852873] kunit_try_run_case+0x170/0x3f0 [ 16.852919] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.852990] kthread+0x328/0x630 [ 16.853332] ret_from_fork+0x10/0x20 [ 16.853476] [ 16.853565] Allocated by task 197: [ 16.853652] kasan_save_stack+0x3c/0x68 [ 16.853693] kasan_save_track+0x20/0x40 [ 16.853771] kasan_save_alloc_info+0x40/0x58 [ 16.854046] __kasan_kmalloc+0xd4/0xd8 [ 16.854138] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.854272] ksize_uaf+0xb8/0x5f8 [ 16.854388] kunit_try_run_case+0x170/0x3f0 [ 16.854427] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.854574] kthread+0x328/0x630 [ 16.854611] ret_from_fork+0x10/0x20 [ 16.854647] [ 16.854666] Freed by task 197: [ 16.854787] kasan_save_stack+0x3c/0x68 [ 16.854904] kasan_save_track+0x20/0x40 [ 16.854990] kasan_save_free_info+0x4c/0x78 [ 16.855083] __kasan_slab_free+0x6c/0x98 [ 16.855151] kfree+0x214/0x3c8 [ 16.855194] ksize_uaf+0x11c/0x5f8 [ 16.855229] kunit_try_run_case+0x170/0x3f0 [ 16.855463] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.855561] kthread+0x328/0x630 [ 16.855613] ret_from_fork+0x10/0x20 [ 16.855708] [ 16.855825] The buggy address belongs to the object at fff00000c5aae700 [ 16.855825] which belongs to the cache kmalloc-128 of size 128 [ 16.855901] The buggy address is located 0 bytes inside of [ 16.855901] freed 128-byte region [fff00000c5aae700, fff00000c5aae780) [ 16.855976] [ 16.855997] The buggy address belongs to the physical page: [ 16.856029] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105aae [ 16.856263] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.856410] page_type: f5(slab) [ 16.856512] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.856595] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.856638] page dumped because: kasan: bad access detected [ 16.856668] [ 16.856686] Memory state around the buggy address: [ 16.856719] fff00000c5aae600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.856763] fff00000c5aae680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.856954] >fff00000c5aae700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.857013] ^ [ 16.857041] fff00000c5aae780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.857084] fff00000c5aae800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.857123] ================================================================== [ 16.864483] ================================================================== [ 16.864539] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 16.864585] Read of size 1 at addr fff00000c5aae778 by task kunit_try_catch/197 [ 16.864846] [ 16.864914] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 16.865057] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.865104] Hardware name: linux,dummy-virt (DT) [ 16.865141] Call trace: [ 16.865191] show_stack+0x20/0x38 (C) [ 16.865316] dump_stack_lvl+0x8c/0xd0 [ 16.865401] print_report+0x118/0x5d0 [ 16.865482] kasan_report+0xdc/0x128 [ 16.865546] __asan_report_load1_noabort+0x20/0x30 [ 16.865598] ksize_uaf+0x544/0x5f8 [ 16.865638] kunit_try_run_case+0x170/0x3f0 [ 16.865859] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.866032] kthread+0x328/0x630 [ 16.866083] ret_from_fork+0x10/0x20 [ 16.866148] [ 16.866216] Allocated by task 197: [ 16.866265] kasan_save_stack+0x3c/0x68 [ 16.866343] kasan_save_track+0x20/0x40 [ 16.866409] kasan_save_alloc_info+0x40/0x58 [ 16.866450] __kasan_kmalloc+0xd4/0xd8 [ 16.866486] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.866687] ksize_uaf+0xb8/0x5f8 [ 16.866747] kunit_try_run_case+0x170/0x3f0 [ 16.866817] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.866890] kthread+0x328/0x630 [ 16.866924] ret_from_fork+0x10/0x20 [ 16.866961] [ 16.866980] Freed by task 197: [ 16.867035] kasan_save_stack+0x3c/0x68 [ 16.867103] kasan_save_track+0x20/0x40 [ 16.867218] kasan_save_free_info+0x4c/0x78 [ 16.867263] __kasan_slab_free+0x6c/0x98 [ 16.867300] kfree+0x214/0x3c8 [ 16.867359] ksize_uaf+0x11c/0x5f8 [ 16.867395] kunit_try_run_case+0x170/0x3f0 [ 16.867625] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.867798] kthread+0x328/0x630 [ 16.867923] ret_from_fork+0x10/0x20 [ 16.868077] [ 16.868156] The buggy address belongs to the object at fff00000c5aae700 [ 16.868156] which belongs to the cache kmalloc-128 of size 128 [ 16.868311] The buggy address is located 120 bytes inside of [ 16.868311] freed 128-byte region [fff00000c5aae700, fff00000c5aae780) [ 16.868501] [ 16.868550] The buggy address belongs to the physical page: [ 16.868582] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105aae [ 16.868634] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.868682] page_type: f5(slab) [ 16.868965] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.869050] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.869091] page dumped because: kasan: bad access detected [ 16.869323] [ 16.869449] Memory state around the buggy address: [ 16.869621] fff00000c5aae600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.869727] fff00000c5aae680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.869844] >fff00000c5aae700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.869973] ^ [ 16.870058] fff00000c5aae780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.870102] fff00000c5aae800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.870401] ================================================================== [ 16.858106] ================================================================== [ 16.858157] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 16.858217] Read of size 1 at addr fff00000c5aae700 by task kunit_try_catch/197 [ 16.858272] [ 16.858303] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 16.858392] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.858418] Hardware name: linux,dummy-virt (DT) [ 16.858449] Call trace: [ 16.858479] show_stack+0x20/0x38 (C) [ 16.858526] dump_stack_lvl+0x8c/0xd0 [ 16.858570] print_report+0x118/0x5d0 [ 16.858616] kasan_report+0xdc/0x128 [ 16.858659] __asan_report_load1_noabort+0x20/0x30 [ 16.858711] ksize_uaf+0x598/0x5f8 [ 16.858756] kunit_try_run_case+0x170/0x3f0 [ 16.858803] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.858864] kthread+0x328/0x630 [ 16.858905] ret_from_fork+0x10/0x20 [ 16.858952] [ 16.858969] Allocated by task 197: [ 16.858996] kasan_save_stack+0x3c/0x68 [ 16.859045] kasan_save_track+0x20/0x40 [ 16.859089] kasan_save_alloc_info+0x40/0x58 [ 16.859129] __kasan_kmalloc+0xd4/0xd8 [ 16.859166] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.859705] ksize_uaf+0xb8/0x5f8 [ 16.859780] kunit_try_run_case+0x170/0x3f0 [ 16.859960] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.860008] kthread+0x328/0x630 [ 16.860042] ret_from_fork+0x10/0x20 [ 16.860078] [ 16.860098] Freed by task 197: [ 16.860232] kasan_save_stack+0x3c/0x68 [ 16.860345] kasan_save_track+0x20/0x40 [ 16.860556] kasan_save_free_info+0x4c/0x78 [ 16.860671] __kasan_slab_free+0x6c/0x98 [ 16.860709] kfree+0x214/0x3c8 [ 16.860766] ksize_uaf+0x11c/0x5f8 [ 16.860831] kunit_try_run_case+0x170/0x3f0 [ 16.860869] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.861049] kthread+0x328/0x630 [ 16.861094] ret_from_fork+0x10/0x20 [ 16.861216] [ 16.861310] The buggy address belongs to the object at fff00000c5aae700 [ 16.861310] which belongs to the cache kmalloc-128 of size 128 [ 16.861470] The buggy address is located 0 bytes inside of [ 16.861470] freed 128-byte region [fff00000c5aae700, fff00000c5aae780) [ 16.861542] [ 16.861823] The buggy address belongs to the physical page: [ 16.861931] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105aae [ 16.862028] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.862116] page_type: f5(slab) [ 16.862224] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.862331] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.862455] page dumped because: kasan: bad access detected [ 16.862488] [ 16.862507] Memory state around the buggy address: [ 16.862746] fff00000c5aae600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.862882] fff00000c5aae680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.863002] >fff00000c5aae700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.863109] ^ [ 16.863139] fff00000c5aae780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.863193] fff00000c5aae800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.863418] ==================================================================
[ 13.161812] ================================================================== [ 13.162737] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 13.163459] Read of size 1 at addr ffff8881026b2e00 by task kunit_try_catch/213 [ 13.164003] [ 13.164098] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.164141] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.164152] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.164172] Call Trace: [ 13.164184] <TASK> [ 13.164198] dump_stack_lvl+0x73/0xb0 [ 13.164227] print_report+0xd1/0x610 [ 13.164248] ? __virt_addr_valid+0x1db/0x2d0 [ 13.164270] ? ksize_uaf+0x5fe/0x6c0 [ 13.164297] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.164320] ? ksize_uaf+0x5fe/0x6c0 [ 13.164341] kasan_report+0x141/0x180 [ 13.164362] ? ksize_uaf+0x5fe/0x6c0 [ 13.164387] __asan_report_load1_noabort+0x18/0x20 [ 13.164413] ksize_uaf+0x5fe/0x6c0 [ 13.164433] ? __pfx_ksize_uaf+0x10/0x10 [ 13.164469] ? __schedule+0x10cc/0x2b60 [ 13.164491] ? __pfx_read_tsc+0x10/0x10 [ 13.164511] ? ktime_get_ts64+0x86/0x230 [ 13.164535] kunit_try_run_case+0x1a5/0x480 [ 13.164559] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.164583] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.164607] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.164630] ? __kthread_parkme+0x82/0x180 [ 13.164650] ? preempt_count_sub+0x50/0x80 [ 13.164674] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.164698] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.164722] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.164747] kthread+0x337/0x6f0 [ 13.164766] ? trace_preempt_on+0x20/0xc0 [ 13.164789] ? __pfx_kthread+0x10/0x10 [ 13.164930] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.164952] ? calculate_sigpending+0x7b/0xa0 [ 13.164975] ? __pfx_kthread+0x10/0x10 [ 13.164996] ret_from_fork+0x116/0x1d0 [ 13.165015] ? __pfx_kthread+0x10/0x10 [ 13.165035] ret_from_fork_asm+0x1a/0x30 [ 13.165065] </TASK> [ 13.165075] [ 13.174336] Allocated by task 213: [ 13.174538] kasan_save_stack+0x45/0x70 [ 13.174704] kasan_save_track+0x18/0x40 [ 13.174986] kasan_save_alloc_info+0x3b/0x50 [ 13.175465] __kasan_kmalloc+0xb7/0xc0 [ 13.175690] __kmalloc_cache_noprof+0x189/0x420 [ 13.175982] ksize_uaf+0xaa/0x6c0 [ 13.176148] kunit_try_run_case+0x1a5/0x480 [ 13.176537] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.176937] kthread+0x337/0x6f0 [ 13.177180] ret_from_fork+0x116/0x1d0 [ 13.177484] ret_from_fork_asm+0x1a/0x30 [ 13.177667] [ 13.177842] Freed by task 213: [ 13.178083] kasan_save_stack+0x45/0x70 [ 13.178425] kasan_save_track+0x18/0x40 [ 13.178614] kasan_save_free_info+0x3f/0x60 [ 13.178976] __kasan_slab_free+0x56/0x70 [ 13.179164] kfree+0x222/0x3f0 [ 13.179325] ksize_uaf+0x12c/0x6c0 [ 13.179503] kunit_try_run_case+0x1a5/0x480 [ 13.179813] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.180049] kthread+0x337/0x6f0 [ 13.180220] ret_from_fork+0x116/0x1d0 [ 13.180384] ret_from_fork_asm+0x1a/0x30 [ 13.180617] [ 13.181053] The buggy address belongs to the object at ffff8881026b2e00 [ 13.181053] which belongs to the cache kmalloc-128 of size 128 [ 13.181608] The buggy address is located 0 bytes inside of [ 13.181608] freed 128-byte region [ffff8881026b2e00, ffff8881026b2e80) [ 13.182303] [ 13.182546] The buggy address belongs to the physical page: [ 13.182777] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026b2 [ 13.183344] flags: 0x200000000000000(node=0|zone=2) [ 13.183614] page_type: f5(slab) [ 13.183905] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.184311] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.184782] page dumped because: kasan: bad access detected [ 13.185015] [ 13.185095] Memory state around the buggy address: [ 13.185298] ffff8881026b2d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.185874] ffff8881026b2d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.186240] >ffff8881026b2e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.186550] ^ [ 13.186736] ffff8881026b2e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.187309] ffff8881026b2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.187778] ================================================================== [ 13.188331] ================================================================== [ 13.188902] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 13.189157] Read of size 1 at addr ffff8881026b2e78 by task kunit_try_catch/213 [ 13.189501] [ 13.189799] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.189842] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.189853] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.189932] Call Trace: [ 13.189997] <TASK> [ 13.190011] dump_stack_lvl+0x73/0xb0 [ 13.190039] print_report+0xd1/0x610 [ 13.190060] ? __virt_addr_valid+0x1db/0x2d0 [ 13.190082] ? ksize_uaf+0x5e4/0x6c0 [ 13.190102] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.190125] ? ksize_uaf+0x5e4/0x6c0 [ 13.190145] kasan_report+0x141/0x180 [ 13.190166] ? ksize_uaf+0x5e4/0x6c0 [ 13.190191] __asan_report_load1_noabort+0x18/0x20 [ 13.190216] ksize_uaf+0x5e4/0x6c0 [ 13.190236] ? __pfx_ksize_uaf+0x10/0x10 [ 13.190257] ? __schedule+0x10cc/0x2b60 [ 13.190278] ? __pfx_read_tsc+0x10/0x10 [ 13.190390] ? ktime_get_ts64+0x86/0x230 [ 13.190425] kunit_try_run_case+0x1a5/0x480 [ 13.190462] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.190485] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.190509] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.190533] ? __kthread_parkme+0x82/0x180 [ 13.190552] ? preempt_count_sub+0x50/0x80 [ 13.190595] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.190620] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.190644] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.190670] kthread+0x337/0x6f0 [ 13.190689] ? trace_preempt_on+0x20/0xc0 [ 13.190711] ? __pfx_kthread+0x10/0x10 [ 13.190731] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.190753] ? calculate_sigpending+0x7b/0xa0 [ 13.190776] ? __pfx_kthread+0x10/0x10 [ 13.190797] ret_from_fork+0x116/0x1d0 [ 13.190815] ? __pfx_kthread+0x10/0x10 [ 13.190835] ret_from_fork_asm+0x1a/0x30 [ 13.190865] </TASK> [ 13.190874] [ 13.200055] Allocated by task 213: [ 13.200217] kasan_save_stack+0x45/0x70 [ 13.200404] kasan_save_track+0x18/0x40 [ 13.200959] kasan_save_alloc_info+0x3b/0x50 [ 13.201217] __kasan_kmalloc+0xb7/0xc0 [ 13.201465] __kmalloc_cache_noprof+0x189/0x420 [ 13.201745] ksize_uaf+0xaa/0x6c0 [ 13.201914] kunit_try_run_case+0x1a5/0x480 [ 13.202075] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.202309] kthread+0x337/0x6f0 [ 13.202472] ret_from_fork+0x116/0x1d0 [ 13.202924] ret_from_fork_asm+0x1a/0x30 [ 13.203193] [ 13.203343] Freed by task 213: [ 13.203517] kasan_save_stack+0x45/0x70 [ 13.203881] kasan_save_track+0x18/0x40 [ 13.204034] kasan_save_free_info+0x3f/0x60 [ 13.204242] __kasan_slab_free+0x56/0x70 [ 13.204656] kfree+0x222/0x3f0 [ 13.204809] ksize_uaf+0x12c/0x6c0 [ 13.205056] kunit_try_run_case+0x1a5/0x480 [ 13.205238] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.205750] kthread+0x337/0x6f0 [ 13.205881] ret_from_fork+0x116/0x1d0 [ 13.206076] ret_from_fork_asm+0x1a/0x30 [ 13.206374] [ 13.206577] The buggy address belongs to the object at ffff8881026b2e00 [ 13.206577] which belongs to the cache kmalloc-128 of size 128 [ 13.207092] The buggy address is located 120 bytes inside of [ 13.207092] freed 128-byte region [ffff8881026b2e00, ffff8881026b2e80) [ 13.207778] [ 13.207949] The buggy address belongs to the physical page: [ 13.208251] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026b2 [ 13.208796] flags: 0x200000000000000(node=0|zone=2) [ 13.209036] page_type: f5(slab) [ 13.209189] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.209714] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.210056] page dumped because: kasan: bad access detected [ 13.210289] [ 13.210383] Memory state around the buggy address: [ 13.210894] ffff8881026b2d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.211197] ffff8881026b2d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.211593] >ffff8881026b2e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.212018] ^ [ 13.212558] ffff8881026b2e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.212971] ffff8881026b2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.213386] ================================================================== [ 13.130310] ================================================================== [ 13.131065] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 13.131372] Read of size 1 at addr ffff8881026b2e00 by task kunit_try_catch/213 [ 13.131882] [ 13.132309] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.132479] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.132493] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.132512] Call Trace: [ 13.132524] <TASK> [ 13.132538] dump_stack_lvl+0x73/0xb0 [ 13.132583] print_report+0xd1/0x610 [ 13.132606] ? __virt_addr_valid+0x1db/0x2d0 [ 13.132629] ? ksize_uaf+0x19d/0x6c0 [ 13.132649] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.132672] ? ksize_uaf+0x19d/0x6c0 [ 13.132692] kasan_report+0x141/0x180 [ 13.132714] ? ksize_uaf+0x19d/0x6c0 [ 13.132736] ? ksize_uaf+0x19d/0x6c0 [ 13.132756] __kasan_check_byte+0x3d/0x50 [ 13.132778] ksize+0x20/0x60 [ 13.132797] ksize_uaf+0x19d/0x6c0 [ 13.132817] ? __pfx_ksize_uaf+0x10/0x10 [ 13.132838] ? __schedule+0x10cc/0x2b60 [ 13.132860] ? __pfx_read_tsc+0x10/0x10 [ 13.132880] ? ktime_get_ts64+0x86/0x230 [ 13.132903] kunit_try_run_case+0x1a5/0x480 [ 13.132927] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.132950] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.132974] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.132997] ? __kthread_parkme+0x82/0x180 [ 13.133018] ? preempt_count_sub+0x50/0x80 [ 13.133041] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.133065] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.133089] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.133114] kthread+0x337/0x6f0 [ 13.133133] ? trace_preempt_on+0x20/0xc0 [ 13.133155] ? __pfx_kthread+0x10/0x10 [ 13.133175] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.133196] ? calculate_sigpending+0x7b/0xa0 [ 13.133220] ? __pfx_kthread+0x10/0x10 [ 13.133241] ret_from_fork+0x116/0x1d0 [ 13.133259] ? __pfx_kthread+0x10/0x10 [ 13.133279] ret_from_fork_asm+0x1a/0x30 [ 13.133309] </TASK> [ 13.133319] [ 13.145887] Allocated by task 213: [ 13.146052] kasan_save_stack+0x45/0x70 [ 13.146258] kasan_save_track+0x18/0x40 [ 13.146443] kasan_save_alloc_info+0x3b/0x50 [ 13.147659] __kasan_kmalloc+0xb7/0xc0 [ 13.148286] __kmalloc_cache_noprof+0x189/0x420 [ 13.148490] ksize_uaf+0xaa/0x6c0 [ 13.148617] kunit_try_run_case+0x1a5/0x480 [ 13.148763] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.148940] kthread+0x337/0x6f0 [ 13.149060] ret_from_fork+0x116/0x1d0 [ 13.149191] ret_from_fork_asm+0x1a/0x30 [ 13.149331] [ 13.149403] Freed by task 213: [ 13.150284] kasan_save_stack+0x45/0x70 [ 13.150541] kasan_save_track+0x18/0x40 [ 13.150741] kasan_save_free_info+0x3f/0x60 [ 13.150950] __kasan_slab_free+0x56/0x70 [ 13.151153] kfree+0x222/0x3f0 [ 13.151357] ksize_uaf+0x12c/0x6c0 [ 13.151710] kunit_try_run_case+0x1a5/0x480 [ 13.151903] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.152097] kthread+0x337/0x6f0 [ 13.152217] ret_from_fork+0x116/0x1d0 [ 13.152353] ret_from_fork_asm+0x1a/0x30 [ 13.152633] [ 13.152740] The buggy address belongs to the object at ffff8881026b2e00 [ 13.152740] which belongs to the cache kmalloc-128 of size 128 [ 13.153298] The buggy address is located 0 bytes inside of [ 13.153298] freed 128-byte region [ffff8881026b2e00, ffff8881026b2e80) [ 13.154305] [ 13.154486] The buggy address belongs to the physical page: [ 13.154884] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026b2 [ 13.155227] flags: 0x200000000000000(node=0|zone=2) [ 13.155978] page_type: f5(slab) [ 13.156135] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.156429] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.156931] page dumped because: kasan: bad access detected [ 13.157304] [ 13.157390] Memory state around the buggy address: [ 13.157696] ffff8881026b2d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.158309] ffff8881026b2d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.158845] >ffff8881026b2e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.159540] ^ [ 13.159959] ffff8881026b2e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.160183] ffff8881026b2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.160495] ==================================================================
[ 13.363091] ================================================================== [ 13.363431] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 13.363906] Read of size 1 at addr ffff888102594600 by task kunit_try_catch/214 [ 13.364173] [ 13.364326] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.364368] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.364379] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.364399] Call Trace: [ 13.364410] <TASK> [ 13.364424] dump_stack_lvl+0x73/0xb0 [ 13.364456] print_report+0xd1/0x610 [ 13.364479] ? __virt_addr_valid+0x1db/0x2d0 [ 13.364501] ? ksize_uaf+0x5fe/0x6c0 [ 13.364531] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.364555] ? ksize_uaf+0x5fe/0x6c0 [ 13.364575] kasan_report+0x141/0x180 [ 13.364597] ? ksize_uaf+0x5fe/0x6c0 [ 13.364622] __asan_report_load1_noabort+0x18/0x20 [ 13.364647] ksize_uaf+0x5fe/0x6c0 [ 13.364667] ? __pfx_ksize_uaf+0x10/0x10 [ 13.364688] ? __schedule+0x10cc/0x2b60 [ 13.364712] ? __pfx_read_tsc+0x10/0x10 [ 13.364732] ? ktime_get_ts64+0x86/0x230 [ 13.364757] kunit_try_run_case+0x1a5/0x480 [ 13.364782] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.364805] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.364830] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.364854] ? __kthread_parkme+0x82/0x180 [ 13.364875] ? preempt_count_sub+0x50/0x80 [ 13.364899] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.364923] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.364948] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.364973] kthread+0x337/0x6f0 [ 13.364992] ? trace_preempt_on+0x20/0xc0 [ 13.365015] ? __pfx_kthread+0x10/0x10 [ 13.365035] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.365077] ? calculate_sigpending+0x7b/0xa0 [ 13.365102] ? __pfx_kthread+0x10/0x10 [ 13.365123] ret_from_fork+0x116/0x1d0 [ 13.365142] ? __pfx_kthread+0x10/0x10 [ 13.365163] ret_from_fork_asm+0x1a/0x30 [ 13.365193] </TASK> [ 13.365202] [ 13.377995] Allocated by task 214: [ 13.378276] kasan_save_stack+0x45/0x70 [ 13.378700] kasan_save_track+0x18/0x40 [ 13.379129] kasan_save_alloc_info+0x3b/0x50 [ 13.379569] __kasan_kmalloc+0xb7/0xc0 [ 13.379717] __kmalloc_cache_noprof+0x189/0x420 [ 13.379873] ksize_uaf+0xaa/0x6c0 [ 13.379994] kunit_try_run_case+0x1a5/0x480 [ 13.380424] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.380942] kthread+0x337/0x6f0 [ 13.381306] ret_from_fork+0x116/0x1d0 [ 13.381687] ret_from_fork_asm+0x1a/0x30 [ 13.382089] [ 13.382321] Freed by task 214: [ 13.382633] kasan_save_stack+0x45/0x70 [ 13.382786] kasan_save_track+0x18/0x40 [ 13.382922] kasan_save_free_info+0x3f/0x60 [ 13.383082] __kasan_slab_free+0x56/0x70 [ 13.383493] kfree+0x222/0x3f0 [ 13.383804] ksize_uaf+0x12c/0x6c0 [ 13.384180] kunit_try_run_case+0x1a5/0x480 [ 13.384588] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.385087] kthread+0x337/0x6f0 [ 13.385442] ret_from_fork+0x116/0x1d0 [ 13.385813] ret_from_fork_asm+0x1a/0x30 [ 13.386188] [ 13.386262] The buggy address belongs to the object at ffff888102594600 [ 13.386262] which belongs to the cache kmalloc-128 of size 128 [ 13.386621] The buggy address is located 0 bytes inside of [ 13.386621] freed 128-byte region [ffff888102594600, ffff888102594680) [ 13.386975] [ 13.387048] The buggy address belongs to the physical page: [ 13.387259] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102594 [ 13.387587] flags: 0x200000000000000(node=0|zone=2) [ 13.387825] page_type: f5(slab) [ 13.387973] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.388313] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.388542] page dumped because: kasan: bad access detected [ 13.388779] [ 13.388872] Memory state around the buggy address: [ 13.389163] ffff888102594500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.389488] ffff888102594580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.389880] >ffff888102594600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.390221] ^ [ 13.390401] ffff888102594680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.390729] ffff888102594700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.391020] ================================================================== [ 13.335760] ================================================================== [ 13.336379] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 13.336676] Read of size 1 at addr ffff888102594600 by task kunit_try_catch/214 [ 13.337060] [ 13.337159] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.337201] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.337212] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.337230] Call Trace: [ 13.337242] <TASK> [ 13.337257] dump_stack_lvl+0x73/0xb0 [ 13.337289] print_report+0xd1/0x610 [ 13.337311] ? __virt_addr_valid+0x1db/0x2d0 [ 13.337334] ? ksize_uaf+0x19d/0x6c0 [ 13.337355] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.337378] ? ksize_uaf+0x19d/0x6c0 [ 13.337410] kasan_report+0x141/0x180 [ 13.337444] ? ksize_uaf+0x19d/0x6c0 [ 13.337467] ? ksize_uaf+0x19d/0x6c0 [ 13.337488] __kasan_check_byte+0x3d/0x50 [ 13.337521] ksize+0x20/0x60 [ 13.337542] ksize_uaf+0x19d/0x6c0 [ 13.337563] ? __pfx_ksize_uaf+0x10/0x10 [ 13.337585] ? __schedule+0x10cc/0x2b60 [ 13.337608] ? __pfx_read_tsc+0x10/0x10 [ 13.337629] ? ktime_get_ts64+0x86/0x230 [ 13.337652] kunit_try_run_case+0x1a5/0x480 [ 13.337677] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.337748] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.337774] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.337800] ? __kthread_parkme+0x82/0x180 [ 13.337820] ? preempt_count_sub+0x50/0x80 [ 13.337844] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.337868] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.337893] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.337919] kthread+0x337/0x6f0 [ 13.337938] ? trace_preempt_on+0x20/0xc0 [ 13.337962] ? __pfx_kthread+0x10/0x10 [ 13.337982] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.338005] ? calculate_sigpending+0x7b/0xa0 [ 13.338030] ? __pfx_kthread+0x10/0x10 [ 13.338062] ret_from_fork+0x116/0x1d0 [ 13.338081] ? __pfx_kthread+0x10/0x10 [ 13.338102] ret_from_fork_asm+0x1a/0x30 [ 13.338132] </TASK> [ 13.338142] [ 13.345733] Allocated by task 214: [ 13.346071] kasan_save_stack+0x45/0x70 [ 13.346318] kasan_save_track+0x18/0x40 [ 13.346552] kasan_save_alloc_info+0x3b/0x50 [ 13.346929] __kasan_kmalloc+0xb7/0xc0 [ 13.347115] __kmalloc_cache_noprof+0x189/0x420 [ 13.347338] ksize_uaf+0xaa/0x6c0 [ 13.347466] kunit_try_run_case+0x1a5/0x480 [ 13.347707] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.347990] kthread+0x337/0x6f0 [ 13.348616] ret_from_fork+0x116/0x1d0 [ 13.348871] ret_from_fork_asm+0x1a/0x30 [ 13.349044] [ 13.349163] Freed by task 214: [ 13.349346] kasan_save_stack+0x45/0x70 [ 13.349546] kasan_save_track+0x18/0x40 [ 13.350176] kasan_save_free_info+0x3f/0x60 [ 13.350408] __kasan_slab_free+0x56/0x70 [ 13.350587] kfree+0x222/0x3f0 [ 13.352714] ksize_uaf+0x12c/0x6c0 [ 13.352888] kunit_try_run_case+0x1a5/0x480 [ 13.353117] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.354029] kthread+0x337/0x6f0 [ 13.354245] ret_from_fork+0x116/0x1d0 [ 13.354412] ret_from_fork_asm+0x1a/0x30 [ 13.354594] [ 13.354680] The buggy address belongs to the object at ffff888102594600 [ 13.354680] which belongs to the cache kmalloc-128 of size 128 [ 13.356546] The buggy address is located 0 bytes inside of [ 13.356546] freed 128-byte region [ffff888102594600, ffff888102594680) [ 13.356905] [ 13.356979] The buggy address belongs to the physical page: [ 13.357163] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102594 [ 13.357397] flags: 0x200000000000000(node=0|zone=2) [ 13.357555] page_type: f5(slab) [ 13.357673] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.358467] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.358722] page dumped because: kasan: bad access detected [ 13.358975] [ 13.359515] Memory state around the buggy address: [ 13.359681] ffff888102594500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.359975] ffff888102594580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.360264] >ffff888102594600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.360514] ^ [ 13.361118] ffff888102594680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.361464] ffff888102594700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.361796] ================================================================== [ 13.391855] ================================================================== [ 13.392246] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 13.392469] Read of size 1 at addr ffff888102594678 by task kunit_try_catch/214 [ 13.393034] [ 13.393190] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.393268] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.393281] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.393301] Call Trace: [ 13.393328] <TASK> [ 13.393344] dump_stack_lvl+0x73/0xb0 [ 13.393376] print_report+0xd1/0x610 [ 13.393398] ? __virt_addr_valid+0x1db/0x2d0 [ 13.393421] ? ksize_uaf+0x5e4/0x6c0 [ 13.393441] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.393464] ? ksize_uaf+0x5e4/0x6c0 [ 13.393485] kasan_report+0x141/0x180 [ 13.393506] ? ksize_uaf+0x5e4/0x6c0 [ 13.393564] __asan_report_load1_noabort+0x18/0x20 [ 13.393589] ksize_uaf+0x5e4/0x6c0 [ 13.393647] ? __pfx_ksize_uaf+0x10/0x10 [ 13.393680] ? __schedule+0x10cc/0x2b60 [ 13.393713] ? __pfx_read_tsc+0x10/0x10 [ 13.393735] ? ktime_get_ts64+0x86/0x230 [ 13.393759] kunit_try_run_case+0x1a5/0x480 [ 13.393784] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.393807] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.393832] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.393856] ? __kthread_parkme+0x82/0x180 [ 13.393877] ? preempt_count_sub+0x50/0x80 [ 13.393901] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.393925] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.393949] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.393974] kthread+0x337/0x6f0 [ 13.393993] ? trace_preempt_on+0x20/0xc0 [ 13.394017] ? __pfx_kthread+0x10/0x10 [ 13.394037] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.394068] ? calculate_sigpending+0x7b/0xa0 [ 13.394093] ? __pfx_kthread+0x10/0x10 [ 13.394134] ret_from_fork+0x116/0x1d0 [ 13.394154] ? __pfx_kthread+0x10/0x10 [ 13.394174] ret_from_fork_asm+0x1a/0x30 [ 13.394206] </TASK> [ 13.394216] [ 13.401092] Allocated by task 214: [ 13.401293] kasan_save_stack+0x45/0x70 [ 13.401496] kasan_save_track+0x18/0x40 [ 13.401690] kasan_save_alloc_info+0x3b/0x50 [ 13.401846] __kasan_kmalloc+0xb7/0xc0 [ 13.402122] __kmalloc_cache_noprof+0x189/0x420 [ 13.402376] ksize_uaf+0xaa/0x6c0 [ 13.402521] kunit_try_run_case+0x1a5/0x480 [ 13.402765] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.402947] kthread+0x337/0x6f0 [ 13.403079] ret_from_fork+0x116/0x1d0 [ 13.403233] ret_from_fork_asm+0x1a/0x30 [ 13.403374] [ 13.403447] Freed by task 214: [ 13.403605] kasan_save_stack+0x45/0x70 [ 13.403850] kasan_save_track+0x18/0x40 [ 13.404048] kasan_save_free_info+0x3f/0x60 [ 13.404291] __kasan_slab_free+0x56/0x70 [ 13.404492] kfree+0x222/0x3f0 [ 13.404657] ksize_uaf+0x12c/0x6c0 [ 13.404896] kunit_try_run_case+0x1a5/0x480 [ 13.405203] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.405460] kthread+0x337/0x6f0 [ 13.405628] ret_from_fork+0x116/0x1d0 [ 13.405825] ret_from_fork_asm+0x1a/0x30 [ 13.405966] [ 13.406037] The buggy address belongs to the object at ffff888102594600 [ 13.406037] which belongs to the cache kmalloc-128 of size 128 [ 13.406507] The buggy address is located 120 bytes inside of [ 13.406507] freed 128-byte region [ffff888102594600, ffff888102594680) [ 13.407097] [ 13.407215] The buggy address belongs to the physical page: [ 13.407529] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102594 [ 13.407982] flags: 0x200000000000000(node=0|zone=2) [ 13.408271] page_type: f5(slab) [ 13.408397] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.408628] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.408853] page dumped because: kasan: bad access detected [ 13.409023] [ 13.409102] Memory state around the buggy address: [ 13.409273] ffff888102594500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.409488] ffff888102594580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.409706] >ffff888102594600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.410003] ^ [ 13.410320] ffff888102594680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.410632] ffff888102594700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.410986] ==================================================================