Date
July 20, 2025, 11:12 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 16.859478] ================================================================== [ 16.859549] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 16.859601] Read of size 1 at addr fff00000c3edda00 by task kunit_try_catch/196 [ 16.860138] [ 16.860229] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT [ 16.860323] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.860469] Hardware name: linux,dummy-virt (DT) [ 16.860536] Call trace: [ 16.860561] show_stack+0x20/0x38 (C) [ 16.860785] dump_stack_lvl+0x8c/0xd0 [ 16.860989] print_report+0x118/0x5d0 [ 16.861088] kasan_report+0xdc/0x128 [ 16.861279] __asan_report_load1_noabort+0x20/0x30 [ 16.861434] ksize_uaf+0x598/0x5f8 [ 16.861479] kunit_try_run_case+0x170/0x3f0 [ 16.861643] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.861805] kthread+0x328/0x630 [ 16.861919] ret_from_fork+0x10/0x20 [ 16.862099] [ 16.862342] Allocated by task 196: [ 16.862396] kasan_save_stack+0x3c/0x68 [ 16.862504] kasan_save_track+0x20/0x40 [ 16.862545] kasan_save_alloc_info+0x40/0x58 [ 16.862586] __kasan_kmalloc+0xd4/0xd8 [ 16.862622] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.862683] ksize_uaf+0xb8/0x5f8 [ 16.862719] kunit_try_run_case+0x170/0x3f0 [ 16.862764] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.862808] kthread+0x328/0x630 [ 16.862842] ret_from_fork+0x10/0x20 [ 16.862879] [ 16.862917] Freed by task 196: [ 16.862946] kasan_save_stack+0x3c/0x68 [ 16.862983] kasan_save_track+0x20/0x40 [ 16.863020] kasan_save_free_info+0x4c/0x78 [ 16.863074] __kasan_slab_free+0x6c/0x98 [ 16.863112] kfree+0x214/0x3c8 [ 16.863155] ksize_uaf+0x11c/0x5f8 [ 16.863188] kunit_try_run_case+0x170/0x3f0 [ 16.863226] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.863269] kthread+0x328/0x630 [ 16.863309] ret_from_fork+0x10/0x20 [ 16.863345] [ 16.863364] The buggy address belongs to the object at fff00000c3edda00 [ 16.863364] which belongs to the cache kmalloc-128 of size 128 [ 16.863438] The buggy address is located 0 bytes inside of [ 16.863438] freed 128-byte region [fff00000c3edda00, fff00000c3edda80) [ 16.863509] [ 16.863540] The buggy address belongs to the physical page: [ 16.863573] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103edd [ 16.863639] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.863697] page_type: f5(slab) [ 16.863735] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.863786] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.863828] page dumped because: kasan: bad access detected [ 16.863878] [ 16.863912] Memory state around the buggy address: [ 16.864262] fff00000c3edd900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.864422] fff00000c3edd980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.864540] >fff00000c3edda00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.865090] ^ [ 16.865206] fff00000c3edda80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.865265] fff00000c3eddb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.865462] ================================================================== [ 16.867126] ================================================================== [ 16.867248] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 16.867343] Read of size 1 at addr fff00000c3edda78 by task kunit_try_catch/196 [ 16.867433] [ 16.867468] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT [ 16.867714] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.867941] Hardware name: linux,dummy-virt (DT) [ 16.867984] Call trace: [ 16.868016] show_stack+0x20/0x38 (C) [ 16.868074] dump_stack_lvl+0x8c/0xd0 [ 16.868157] print_report+0x118/0x5d0 [ 16.868280] kasan_report+0xdc/0x128 [ 16.868589] __asan_report_load1_noabort+0x20/0x30 [ 16.868657] ksize_uaf+0x544/0x5f8 [ 16.868712] kunit_try_run_case+0x170/0x3f0 [ 16.868983] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.869190] kthread+0x328/0x630 [ 16.869276] ret_from_fork+0x10/0x20 [ 16.869330] [ 16.869348] Allocated by task 196: [ 16.869446] kasan_save_stack+0x3c/0x68 [ 16.869491] kasan_save_track+0x20/0x40 [ 16.869547] kasan_save_alloc_info+0x40/0x58 [ 16.869628] __kasan_kmalloc+0xd4/0xd8 [ 16.869742] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.870106] ksize_uaf+0xb8/0x5f8 [ 16.870182] kunit_try_run_case+0x170/0x3f0 [ 16.870260] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.870517] kthread+0x328/0x630 [ 16.870682] ret_from_fork+0x10/0x20 [ 16.870792] [ 16.870814] Freed by task 196: [ 16.870843] kasan_save_stack+0x3c/0x68 [ 16.870882] kasan_save_track+0x20/0x40 [ 16.871207] kasan_save_free_info+0x4c/0x78 [ 16.871379] __kasan_slab_free+0x6c/0x98 [ 16.871575] kfree+0x214/0x3c8 [ 16.871667] ksize_uaf+0x11c/0x5f8 [ 16.871702] kunit_try_run_case+0x170/0x3f0 [ 16.871739] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.871785] kthread+0x328/0x630 [ 16.871817] ret_from_fork+0x10/0x20 [ 16.871856] [ 16.871891] The buggy address belongs to the object at fff00000c3edda00 [ 16.871891] which belongs to the cache kmalloc-128 of size 128 [ 16.871973] The buggy address is located 120 bytes inside of [ 16.871973] freed 128-byte region [fff00000c3edda00, fff00000c3edda80) [ 16.872052] [ 16.872073] The buggy address belongs to the physical page: [ 16.872127] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103edd [ 16.872190] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.872242] page_type: f5(slab) [ 16.872280] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.872331] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.872374] page dumped because: kasan: bad access detected [ 16.872407] [ 16.872426] Memory state around the buggy address: [ 16.872476] fff00000c3edd900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.872715] fff00000c3edd980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.872965] >fff00000c3edda00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.873071] ^ [ 16.873136] fff00000c3edda80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.873200] fff00000c3eddb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.873572] ================================================================== [ 16.848599] ================================================================== [ 16.848716] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 16.848832] Read of size 1 at addr fff00000c3edda00 by task kunit_try_catch/196 [ 16.848952] [ 16.848995] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT [ 16.849220] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.849301] Hardware name: linux,dummy-virt (DT) [ 16.849427] Call trace: [ 16.849569] show_stack+0x20/0x38 (C) [ 16.849660] dump_stack_lvl+0x8c/0xd0 [ 16.849709] print_report+0x118/0x5d0 [ 16.850059] kasan_report+0xdc/0x128 [ 16.850206] __kasan_check_byte+0x54/0x70 [ 16.850333] ksize+0x30/0x88 [ 16.850553] ksize_uaf+0x168/0x5f8 [ 16.850598] kunit_try_run_case+0x170/0x3f0 [ 16.850657] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.850709] kthread+0x328/0x630 [ 16.850752] ret_from_fork+0x10/0x20 [ 16.850802] [ 16.850820] Allocated by task 196: [ 16.851124] kasan_save_stack+0x3c/0x68 [ 16.851359] kasan_save_track+0x20/0x40 [ 16.851496] kasan_save_alloc_info+0x40/0x58 [ 16.851977] __kasan_kmalloc+0xd4/0xd8 [ 16.852067] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.852120] ksize_uaf+0xb8/0x5f8 [ 16.852198] kunit_try_run_case+0x170/0x3f0 [ 16.852238] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.852284] kthread+0x328/0x630 [ 16.852317] ret_from_fork+0x10/0x20 [ 16.852355] [ 16.852376] Freed by task 196: [ 16.852430] kasan_save_stack+0x3c/0x68 [ 16.852488] kasan_save_track+0x20/0x40 [ 16.852525] kasan_save_free_info+0x4c/0x78 [ 16.852565] __kasan_slab_free+0x6c/0x98 [ 16.852607] kfree+0x214/0x3c8 [ 16.852650] ksize_uaf+0x11c/0x5f8 [ 16.852699] kunit_try_run_case+0x170/0x3f0 [ 16.852743] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.852788] kthread+0x328/0x630 [ 16.852819] ret_from_fork+0x10/0x20 [ 16.852858] [ 16.852888] The buggy address belongs to the object at fff00000c3edda00 [ 16.852888] which belongs to the cache kmalloc-128 of size 128 [ 16.853560] The buggy address is located 0 bytes inside of [ 16.853560] freed 128-byte region [fff00000c3edda00, fff00000c3edda80) [ 16.853851] [ 16.854115] The buggy address belongs to the physical page: [ 16.854200] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103edd [ 16.854816] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.854879] page_type: f5(slab) [ 16.855310] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.855425] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.855538] page dumped because: kasan: bad access detected [ 16.855619] [ 16.855778] Memory state around the buggy address: [ 16.855850] fff00000c3edd900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.856100] fff00000c3edd980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.856460] >fff00000c3edda00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.856541] ^ [ 16.856595] fff00000c3edda80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.856753] fff00000c3eddb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.856848] ==================================================================
[ 16.788822] ================================================================== [ 16.788918] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 16.789038] Read of size 1 at addr fff00000c58dce00 by task kunit_try_catch/196 [ 16.789347] [ 16.789426] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT [ 16.789534] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.789606] Hardware name: linux,dummy-virt (DT) [ 16.789716] Call trace: [ 16.789775] show_stack+0x20/0x38 (C) [ 16.789878] dump_stack_lvl+0x8c/0xd0 [ 16.789933] print_report+0x118/0x5d0 [ 16.790000] kasan_report+0xdc/0x128 [ 16.790355] __kasan_check_byte+0x54/0x70 [ 16.790503] ksize+0x30/0x88 [ 16.790599] ksize_uaf+0x168/0x5f8 [ 16.790721] kunit_try_run_case+0x170/0x3f0 [ 16.790828] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.790930] kthread+0x328/0x630 [ 16.791025] ret_from_fork+0x10/0x20 [ 16.791368] [ 16.791471] Allocated by task 196: [ 16.791551] kasan_save_stack+0x3c/0x68 [ 16.791648] kasan_save_track+0x20/0x40 [ 16.791807] kasan_save_alloc_info+0x40/0x58 [ 16.791896] __kasan_kmalloc+0xd4/0xd8 [ 16.791943] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.791984] ksize_uaf+0xb8/0x5f8 [ 16.792018] kunit_try_run_case+0x170/0x3f0 [ 16.792066] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.792111] kthread+0x328/0x630 [ 16.792143] ret_from_fork+0x10/0x20 [ 16.792189] [ 16.792219] Freed by task 196: [ 16.792245] kasan_save_stack+0x3c/0x68 [ 16.792287] kasan_save_track+0x20/0x40 [ 16.792324] kasan_save_free_info+0x4c/0x78 [ 16.792366] __kasan_slab_free+0x6c/0x98 [ 16.792403] kfree+0x214/0x3c8 [ 16.792447] ksize_uaf+0x11c/0x5f8 [ 16.792491] kunit_try_run_case+0x170/0x3f0 [ 16.792535] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.792593] kthread+0x328/0x630 [ 16.792635] ret_from_fork+0x10/0x20 [ 16.792670] [ 16.792689] The buggy address belongs to the object at fff00000c58dce00 [ 16.792689] which belongs to the cache kmalloc-128 of size 128 [ 16.792749] The buggy address is located 0 bytes inside of [ 16.792749] freed 128-byte region [fff00000c58dce00, fff00000c58dce80) [ 16.792813] [ 16.792833] The buggy address belongs to the physical page: [ 16.793146] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058dc [ 16.793295] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.793409] page_type: f5(slab) [ 16.793466] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.793537] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.793678] page dumped because: kasan: bad access detected [ 16.793724] [ 16.793742] Memory state around the buggy address: [ 16.793799] fff00000c58dcd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.793845] fff00000c58dcd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.793920] >fff00000c58dce00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.793960] ^ [ 16.793988] fff00000c58dce80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.794068] fff00000c58dcf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.794233] ================================================================== [ 16.800509] ================================================================== [ 16.800555] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 16.800853] Read of size 1 at addr fff00000c58dce78 by task kunit_try_catch/196 [ 16.801038] [ 16.801090] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT [ 16.801217] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.801285] Hardware name: linux,dummy-virt (DT) [ 16.801316] Call trace: [ 16.801338] show_stack+0x20/0x38 (C) [ 16.801526] dump_stack_lvl+0x8c/0xd0 [ 16.801683] print_report+0x118/0x5d0 [ 16.801871] kasan_report+0xdc/0x128 [ 16.802014] __asan_report_load1_noabort+0x20/0x30 [ 16.802106] ksize_uaf+0x544/0x5f8 [ 16.802211] kunit_try_run_case+0x170/0x3f0 [ 16.802317] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.802402] kthread+0x328/0x630 [ 16.802466] ret_from_fork+0x10/0x20 [ 16.802553] [ 16.802595] Allocated by task 196: [ 16.802654] kasan_save_stack+0x3c/0x68 [ 16.802760] kasan_save_track+0x20/0x40 [ 16.802842] kasan_save_alloc_info+0x40/0x58 [ 16.802881] __kasan_kmalloc+0xd4/0xd8 [ 16.802968] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.803010] ksize_uaf+0xb8/0x5f8 [ 16.803044] kunit_try_run_case+0x170/0x3f0 [ 16.803083] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.803312] kthread+0x328/0x630 [ 16.803422] ret_from_fork+0x10/0x20 [ 16.803548] [ 16.803648] Freed by task 196: [ 16.803755] kasan_save_stack+0x3c/0x68 [ 16.803843] kasan_save_track+0x20/0x40 [ 16.803985] kasan_save_free_info+0x4c/0x78 [ 16.804097] __kasan_slab_free+0x6c/0x98 [ 16.804159] kfree+0x214/0x3c8 [ 16.804195] ksize_uaf+0x11c/0x5f8 [ 16.804441] kunit_try_run_case+0x170/0x3f0 [ 16.804520] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.804661] kthread+0x328/0x630 [ 16.804730] ret_from_fork+0x10/0x20 [ 16.804803] [ 16.804894] The buggy address belongs to the object at fff00000c58dce00 [ 16.804894] which belongs to the cache kmalloc-128 of size 128 [ 16.805050] The buggy address is located 120 bytes inside of [ 16.805050] freed 128-byte region [fff00000c58dce00, fff00000c58dce80) [ 16.805149] [ 16.805197] The buggy address belongs to the physical page: [ 16.805229] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058dc [ 16.805299] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.805697] page_type: f5(slab) [ 16.805755] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.806099] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.806239] page dumped because: kasan: bad access detected [ 16.806355] [ 16.806442] Memory state around the buggy address: [ 16.806556] fff00000c58dcd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.806640] fff00000c58dcd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.806686] >fff00000c58dce00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.806957] ^ [ 16.807048] fff00000c58dce80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.807163] fff00000c58dcf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.807253] ================================================================== [ 16.795350] ================================================================== [ 16.795401] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 16.795589] Read of size 1 at addr fff00000c58dce00 by task kunit_try_catch/196 [ 16.795696] [ 16.795763] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT [ 16.795864] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.795949] Hardware name: linux,dummy-virt (DT) [ 16.795998] Call trace: [ 16.796047] show_stack+0x20/0x38 (C) [ 16.796097] dump_stack_lvl+0x8c/0xd0 [ 16.796160] print_report+0x118/0x5d0 [ 16.796225] kasan_report+0xdc/0x128 [ 16.796328] __asan_report_load1_noabort+0x20/0x30 [ 16.796381] ksize_uaf+0x598/0x5f8 [ 16.796425] kunit_try_run_case+0x170/0x3f0 [ 16.796472] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.796651] kthread+0x328/0x630 [ 16.796805] ret_from_fork+0x10/0x20 [ 16.796911] [ 16.796971] Allocated by task 196: [ 16.797005] kasan_save_stack+0x3c/0x68 [ 16.797083] kasan_save_track+0x20/0x40 [ 16.797194] kasan_save_alloc_info+0x40/0x58 [ 16.797257] __kasan_kmalloc+0xd4/0xd8 [ 16.797295] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.797334] ksize_uaf+0xb8/0x5f8 [ 16.797368] kunit_try_run_case+0x170/0x3f0 [ 16.797407] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.797451] kthread+0x328/0x630 [ 16.797605] ret_from_fork+0x10/0x20 [ 16.797703] [ 16.797735] Freed by task 196: [ 16.797879] kasan_save_stack+0x3c/0x68 [ 16.798059] kasan_save_track+0x20/0x40 [ 16.798149] kasan_save_free_info+0x4c/0x78 [ 16.798235] __kasan_slab_free+0x6c/0x98 [ 16.798361] kfree+0x214/0x3c8 [ 16.798429] ksize_uaf+0x11c/0x5f8 [ 16.798559] kunit_try_run_case+0x170/0x3f0 [ 16.798626] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.798870] kthread+0x328/0x630 [ 16.799198] ret_from_fork+0x10/0x20 [ 16.799296] [ 16.799358] The buggy address belongs to the object at fff00000c58dce00 [ 16.799358] which belongs to the cache kmalloc-128 of size 128 [ 16.799429] The buggy address is located 0 bytes inside of [ 16.799429] freed 128-byte region [fff00000c58dce00, fff00000c58dce80) [ 16.799500] [ 16.799519] The buggy address belongs to the physical page: [ 16.799565] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058dc [ 16.799630] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.799678] page_type: f5(slab) [ 16.799729] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 16.799788] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 16.799828] page dumped because: kasan: bad access detected [ 16.799872] [ 16.799890] Memory state around the buggy address: [ 16.799923] fff00000c58dcd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.799975] fff00000c58dcd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.800021] >fff00000c58dce00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 16.800071] ^ [ 16.800099] fff00000c58dce80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.800152] fff00000c58dcf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.800206] ==================================================================
[ 13.119737] ================================================================== [ 13.120776] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 13.121003] Read of size 1 at addr ffff88810313a800 by task kunit_try_catch/214 [ 13.121240] [ 13.121331] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary) [ 13.121374] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.121386] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.121448] Call Trace: [ 13.121462] <TASK> [ 13.121478] dump_stack_lvl+0x73/0xb0 [ 13.121507] print_report+0xd1/0x610 [ 13.121529] ? __virt_addr_valid+0x1db/0x2d0 [ 13.121552] ? ksize_uaf+0x19d/0x6c0 [ 13.121579] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.121600] ? ksize_uaf+0x19d/0x6c0 [ 13.121621] kasan_report+0x141/0x180 [ 13.121642] ? ksize_uaf+0x19d/0x6c0 [ 13.121666] ? ksize_uaf+0x19d/0x6c0 [ 13.121686] __kasan_check_byte+0x3d/0x50 [ 13.121707] ksize+0x20/0x60 [ 13.121727] ksize_uaf+0x19d/0x6c0 [ 13.121747] ? __pfx_ksize_uaf+0x10/0x10 [ 13.121768] ? __schedule+0x2079/0x2b60 [ 13.121790] ? __pfx_read_tsc+0x10/0x10 [ 13.121830] ? ktime_get_ts64+0x86/0x230 [ 13.121855] kunit_try_run_case+0x1a5/0x480 [ 13.121890] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.121912] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.121935] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.121958] ? __kthread_parkme+0x82/0x180 [ 13.121978] ? preempt_count_sub+0x50/0x80 [ 13.122002] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.122042] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.122064] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.122087] kthread+0x337/0x6f0 [ 13.122106] ? trace_preempt_on+0x20/0xc0 [ 13.122129] ? __pfx_kthread+0x10/0x10 [ 13.122149] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.122169] ? calculate_sigpending+0x7b/0xa0 [ 13.122192] ? __pfx_kthread+0x10/0x10 [ 13.122213] ret_from_fork+0x116/0x1d0 [ 13.122230] ? __pfx_kthread+0x10/0x10 [ 13.122251] ret_from_fork_asm+0x1a/0x30 [ 13.122292] </TASK> [ 13.122302] [ 13.136466] Allocated by task 214: [ 13.136932] kasan_save_stack+0x45/0x70 [ 13.137438] kasan_save_track+0x18/0x40 [ 13.137923] kasan_save_alloc_info+0x3b/0x50 [ 13.138515] __kasan_kmalloc+0xb7/0xc0 [ 13.138915] __kmalloc_cache_noprof+0x189/0x420 [ 13.139621] ksize_uaf+0xaa/0x6c0 [ 13.139995] kunit_try_run_case+0x1a5/0x480 [ 13.140458] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.140773] kthread+0x337/0x6f0 [ 13.141179] ret_from_fork+0x116/0x1d0 [ 13.141576] ret_from_fork_asm+0x1a/0x30 [ 13.141729] [ 13.141801] Freed by task 214: [ 13.141912] kasan_save_stack+0x45/0x70 [ 13.142147] kasan_save_track+0x18/0x40 [ 13.142622] kasan_save_free_info+0x3f/0x60 [ 13.143058] __kasan_slab_free+0x56/0x70 [ 13.143552] kfree+0x222/0x3f0 [ 13.143899] ksize_uaf+0x12c/0x6c0 [ 13.144439] kunit_try_run_case+0x1a5/0x480 [ 13.144885] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.145063] kthread+0x337/0x6f0 [ 13.145477] ret_from_fork+0x116/0x1d0 [ 13.145894] ret_from_fork_asm+0x1a/0x30 [ 13.146362] [ 13.146526] The buggy address belongs to the object at ffff88810313a800 [ 13.146526] which belongs to the cache kmalloc-128 of size 128 [ 13.147471] The buggy address is located 0 bytes inside of [ 13.147471] freed 128-byte region [ffff88810313a800, ffff88810313a880) [ 13.148328] [ 13.148417] The buggy address belongs to the physical page: [ 13.148587] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10313a [ 13.148830] flags: 0x200000000000000(node=0|zone=2) [ 13.148992] page_type: f5(slab) [ 13.149497] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.150293] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.151080] page dumped because: kasan: bad access detected [ 13.151627] [ 13.151823] Memory state around the buggy address: [ 13.152337] ffff88810313a700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.153115] ffff88810313a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.153724] >ffff88810313a800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.153941] ^ [ 13.154264] ffff88810313a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.154954] ffff88810313a900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.155809] ================================================================== [ 13.156767] ================================================================== [ 13.157010] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 13.157225] Read of size 1 at addr ffff88810313a800 by task kunit_try_catch/214 [ 13.157634] [ 13.157858] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary) [ 13.157909] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.157921] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.157942] Call Trace: [ 13.157958] <TASK> [ 13.157976] dump_stack_lvl+0x73/0xb0 [ 13.158004] print_report+0xd1/0x610 [ 13.158077] ? __virt_addr_valid+0x1db/0x2d0 [ 13.158110] ? ksize_uaf+0x5fe/0x6c0 [ 13.158131] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.158152] ? ksize_uaf+0x5fe/0x6c0 [ 13.158174] kasan_report+0x141/0x180 [ 13.158195] ? ksize_uaf+0x5fe/0x6c0 [ 13.158221] __asan_report_load1_noabort+0x18/0x20 [ 13.158245] ksize_uaf+0x5fe/0x6c0 [ 13.158265] ? __pfx_ksize_uaf+0x10/0x10 [ 13.158286] ? __schedule+0x2079/0x2b60 [ 13.158308] ? __pfx_read_tsc+0x10/0x10 [ 13.158329] ? ktime_get_ts64+0x86/0x230 [ 13.158355] kunit_try_run_case+0x1a5/0x480 [ 13.158379] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.158410] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.158434] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.158457] ? __kthread_parkme+0x82/0x180 [ 13.158477] ? preempt_count_sub+0x50/0x80 [ 13.158501] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.158524] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.158546] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.158569] kthread+0x337/0x6f0 [ 13.158588] ? trace_preempt_on+0x20/0xc0 [ 13.158627] ? __pfx_kthread+0x10/0x10 [ 13.158648] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.158668] ? calculate_sigpending+0x7b/0xa0 [ 13.158703] ? __pfx_kthread+0x10/0x10 [ 13.158724] ret_from_fork+0x116/0x1d0 [ 13.158742] ? __pfx_kthread+0x10/0x10 [ 13.158762] ret_from_fork_asm+0x1a/0x30 [ 13.158793] </TASK> [ 13.158803] [ 13.171366] Allocated by task 214: [ 13.171723] kasan_save_stack+0x45/0x70 [ 13.171875] kasan_save_track+0x18/0x40 [ 13.172021] kasan_save_alloc_info+0x3b/0x50 [ 13.172172] __kasan_kmalloc+0xb7/0xc0 [ 13.172306] __kmalloc_cache_noprof+0x189/0x420 [ 13.172482] ksize_uaf+0xaa/0x6c0 [ 13.172642] kunit_try_run_case+0x1a5/0x480 [ 13.172900] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.173436] kthread+0x337/0x6f0 [ 13.173581] ret_from_fork+0x116/0x1d0 [ 13.173839] ret_from_fork_asm+0x1a/0x30 [ 13.173985] [ 13.174057] Freed by task 214: [ 13.174168] kasan_save_stack+0x45/0x70 [ 13.174304] kasan_save_track+0x18/0x40 [ 13.174451] kasan_save_free_info+0x3f/0x60 [ 13.174599] __kasan_slab_free+0x56/0x70 [ 13.174736] kfree+0x222/0x3f0 [ 13.174852] ksize_uaf+0x12c/0x6c0 [ 13.174977] kunit_try_run_case+0x1a5/0x480 [ 13.175217] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.175415] kthread+0x337/0x6f0 [ 13.175538] ret_from_fork+0x116/0x1d0 [ 13.175671] ret_from_fork_asm+0x1a/0x30 [ 13.175811] [ 13.175883] The buggy address belongs to the object at ffff88810313a800 [ 13.175883] which belongs to the cache kmalloc-128 of size 128 [ 13.176390] The buggy address is located 0 bytes inside of [ 13.176390] freed 128-byte region [ffff88810313a800, ffff88810313a880) [ 13.177084] [ 13.177183] The buggy address belongs to the physical page: [ 13.177632] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10313a [ 13.177989] flags: 0x200000000000000(node=0|zone=2) [ 13.178229] page_type: f5(slab) [ 13.178353] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.178778] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.179554] page dumped because: kasan: bad access detected [ 13.179877] [ 13.179967] Memory state around the buggy address: [ 13.180209] ffff88810313a700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.180445] ffff88810313a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.180836] >ffff88810313a800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.181249] ^ [ 13.181447] ffff88810313a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.181672] ffff88810313a900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.182057] ================================================================== [ 13.182490] ================================================================== [ 13.183154] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 13.183544] Read of size 1 at addr ffff88810313a878 by task kunit_try_catch/214 [ 13.183999] [ 13.184252] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary) [ 13.184297] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.184309] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.184341] Call Trace: [ 13.184358] <TASK> [ 13.184373] dump_stack_lvl+0x73/0xb0 [ 13.184411] print_report+0xd1/0x610 [ 13.184432] ? __virt_addr_valid+0x1db/0x2d0 [ 13.184463] ? ksize_uaf+0x5e4/0x6c0 [ 13.184484] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.184505] ? ksize_uaf+0x5e4/0x6c0 [ 13.184536] kasan_report+0x141/0x180 [ 13.184558] ? ksize_uaf+0x5e4/0x6c0 [ 13.184584] __asan_report_load1_noabort+0x18/0x20 [ 13.184607] ksize_uaf+0x5e4/0x6c0 [ 13.184628] ? __pfx_ksize_uaf+0x10/0x10 [ 13.184658] ? __schedule+0x2079/0x2b60 [ 13.184684] ? __pfx_read_tsc+0x10/0x10 [ 13.184704] ? ktime_get_ts64+0x86/0x230 [ 13.184741] kunit_try_run_case+0x1a5/0x480 [ 13.184777] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.184799] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.184822] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.184844] ? __kthread_parkme+0x82/0x180 [ 13.184873] ? preempt_count_sub+0x50/0x80 [ 13.184896] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.184920] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.184952] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.184975] kthread+0x337/0x6f0 [ 13.184994] ? trace_preempt_on+0x20/0xc0 [ 13.185017] ? __pfx_kthread+0x10/0x10 [ 13.185037] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.185058] ? calculate_sigpending+0x7b/0xa0 [ 13.185081] ? __pfx_kthread+0x10/0x10 [ 13.185102] ret_from_fork+0x116/0x1d0 [ 13.185120] ? __pfx_kthread+0x10/0x10 [ 13.185140] ret_from_fork_asm+0x1a/0x30 [ 13.185171] </TASK> [ 13.185181] [ 13.193392] Allocated by task 214: [ 13.193542] kasan_save_stack+0x45/0x70 [ 13.193784] kasan_save_track+0x18/0x40 [ 13.194005] kasan_save_alloc_info+0x3b/0x50 [ 13.194165] __kasan_kmalloc+0xb7/0xc0 [ 13.194299] __kmalloc_cache_noprof+0x189/0x420 [ 13.194468] ksize_uaf+0xaa/0x6c0 [ 13.194593] kunit_try_run_case+0x1a5/0x480 [ 13.194741] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.194916] kthread+0x337/0x6f0 [ 13.195037] ret_from_fork+0x116/0x1d0 [ 13.195170] ret_from_fork_asm+0x1a/0x30 [ 13.195309] [ 13.195414] Freed by task 214: [ 13.195737] kasan_save_stack+0x45/0x70 [ 13.195937] kasan_save_track+0x18/0x40 [ 13.196298] kasan_save_free_info+0x3f/0x60 [ 13.196521] __kasan_slab_free+0x56/0x70 [ 13.196724] kfree+0x222/0x3f0 [ 13.196908] ksize_uaf+0x12c/0x6c0 [ 13.197188] kunit_try_run_case+0x1a5/0x480 [ 13.197421] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.197775] kthread+0x337/0x6f0 [ 13.197915] ret_from_fork+0x116/0x1d0 [ 13.198101] ret_from_fork_asm+0x1a/0x30 [ 13.198301] [ 13.198408] The buggy address belongs to the object at ffff88810313a800 [ 13.198408] which belongs to the cache kmalloc-128 of size 128 [ 13.199192] The buggy address is located 120 bytes inside of [ 13.199192] freed 128-byte region [ffff88810313a800, ffff88810313a880) [ 13.199578] [ 13.199738] The buggy address belongs to the physical page: [ 13.199994] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10313a [ 13.200553] flags: 0x200000000000000(node=0|zone=2) [ 13.200825] page_type: f5(slab) [ 13.200971] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.201466] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.201780] page dumped because: kasan: bad access detected [ 13.201960] [ 13.202072] Memory state around the buggy address: [ 13.202308] ffff88810313a700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.202693] ffff88810313a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.202984] >ffff88810313a800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.203389] ^ [ 13.203747] ffff88810313a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.204185] ffff88810313a900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.204492] ==================================================================
[ 13.274673] ================================================================== [ 13.275133] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 13.275613] Read of size 1 at addr ffff888102a51200 by task kunit_try_catch/213 [ 13.275905] [ 13.276006] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary) [ 13.276054] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.276065] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.276086] Call Trace: [ 13.276099] <TASK> [ 13.276117] dump_stack_lvl+0x73/0xb0 [ 13.276158] print_report+0xd1/0x610 [ 13.276181] ? __virt_addr_valid+0x1db/0x2d0 [ 13.276205] ? ksize_uaf+0x19d/0x6c0 [ 13.276225] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.276246] ? ksize_uaf+0x19d/0x6c0 [ 13.276266] kasan_report+0x141/0x180 [ 13.276287] ? ksize_uaf+0x19d/0x6c0 [ 13.276335] ? ksize_uaf+0x19d/0x6c0 [ 13.276356] __kasan_check_byte+0x3d/0x50 [ 13.276377] ksize+0x20/0x60 [ 13.276397] ksize_uaf+0x19d/0x6c0 [ 13.276417] ? __pfx_ksize_uaf+0x10/0x10 [ 13.276438] ? __schedule+0x10c6/0x2b60 [ 13.276460] ? __pfx_read_tsc+0x10/0x10 [ 13.276481] ? ktime_get_ts64+0x86/0x230 [ 13.276504] kunit_try_run_case+0x1a5/0x480 [ 13.276529] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.276550] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.276574] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.276596] ? __kthread_parkme+0x82/0x180 [ 13.276617] ? preempt_count_sub+0x50/0x80 [ 13.276640] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.276663] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.276686] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.276708] kthread+0x337/0x6f0 [ 13.276727] ? trace_preempt_on+0x20/0xc0 [ 13.276750] ? __pfx_kthread+0x10/0x10 [ 13.276770] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.276791] ? calculate_sigpending+0x7b/0xa0 [ 13.276816] ? __pfx_kthread+0x10/0x10 [ 13.276838] ret_from_fork+0x116/0x1d0 [ 13.276855] ? __pfx_kthread+0x10/0x10 [ 13.276875] ret_from_fork_asm+0x1a/0x30 [ 13.276905] </TASK> [ 13.276916] [ 13.283554] Allocated by task 213: [ 13.283722] kasan_save_stack+0x45/0x70 [ 13.283887] kasan_save_track+0x18/0x40 [ 13.284067] kasan_save_alloc_info+0x3b/0x50 [ 13.284249] __kasan_kmalloc+0xb7/0xc0 [ 13.284447] __kmalloc_cache_noprof+0x189/0x420 [ 13.284643] ksize_uaf+0xaa/0x6c0 [ 13.284794] kunit_try_run_case+0x1a5/0x480 [ 13.284975] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.285153] kthread+0x337/0x6f0 [ 13.285272] ret_from_fork+0x116/0x1d0 [ 13.285426] ret_from_fork_asm+0x1a/0x30 [ 13.285571] [ 13.285666] Freed by task 213: [ 13.285823] kasan_save_stack+0x45/0x70 [ 13.286011] kasan_save_track+0x18/0x40 [ 13.286211] kasan_save_free_info+0x3f/0x60 [ 13.286444] __kasan_slab_free+0x56/0x70 [ 13.286639] kfree+0x222/0x3f0 [ 13.286802] ksize_uaf+0x12c/0x6c0 [ 13.286978] kunit_try_run_case+0x1a5/0x480 [ 13.287164] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.287434] kthread+0x337/0x6f0 [ 13.287591] ret_from_fork+0x116/0x1d0 [ 13.287753] ret_from_fork_asm+0x1a/0x30 [ 13.287914] [ 13.287987] The buggy address belongs to the object at ffff888102a51200 [ 13.287987] which belongs to the cache kmalloc-128 of size 128 [ 13.288370] The buggy address is located 0 bytes inside of [ 13.288370] freed 128-byte region [ffff888102a51200, ffff888102a51280) [ 13.288708] [ 13.288786] The buggy address belongs to the physical page: [ 13.289031] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a51 [ 13.289413] flags: 0x200000000000000(node=0|zone=2) [ 13.289662] page_type: f5(slab) [ 13.289837] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.290183] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.290517] page dumped because: kasan: bad access detected [ 13.290714] [ 13.290785] Memory state around the buggy address: [ 13.290939] ffff888102a51100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.291158] ffff888102a51180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.291395] >ffff888102a51200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.291698] ^ [ 13.291862] ffff888102a51280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.292185] ffff888102a51300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.292539] ================================================================== [ 13.293226] ================================================================== [ 13.293964] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 13.294282] Read of size 1 at addr ffff888102a51200 by task kunit_try_catch/213 [ 13.294604] [ 13.294708] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary) [ 13.294752] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.294763] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.294785] Call Trace: [ 13.294801] <TASK> [ 13.294816] dump_stack_lvl+0x73/0xb0 [ 13.294843] print_report+0xd1/0x610 [ 13.294864] ? __virt_addr_valid+0x1db/0x2d0 [ 13.294886] ? ksize_uaf+0x5fe/0x6c0 [ 13.294907] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.294928] ? ksize_uaf+0x5fe/0x6c0 [ 13.294948] kasan_report+0x141/0x180 [ 13.294969] ? ksize_uaf+0x5fe/0x6c0 [ 13.294993] __asan_report_load1_noabort+0x18/0x20 [ 13.295016] ksize_uaf+0x5fe/0x6c0 [ 13.295036] ? __pfx_ksize_uaf+0x10/0x10 [ 13.295057] ? __schedule+0x10c6/0x2b60 [ 13.295080] ? __pfx_read_tsc+0x10/0x10 [ 13.295100] ? ktime_get_ts64+0x86/0x230 [ 13.295124] kunit_try_run_case+0x1a5/0x480 [ 13.295156] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.295178] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.295201] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.295223] ? __kthread_parkme+0x82/0x180 [ 13.295243] ? preempt_count_sub+0x50/0x80 [ 13.295267] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.295291] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.295335] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.295358] kthread+0x337/0x6f0 [ 13.295377] ? trace_preempt_on+0x20/0xc0 [ 13.295400] ? __pfx_kthread+0x10/0x10 [ 13.295420] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.295440] ? calculate_sigpending+0x7b/0xa0 [ 13.295465] ? __pfx_kthread+0x10/0x10 [ 13.295486] ret_from_fork+0x116/0x1d0 [ 13.295504] ? __pfx_kthread+0x10/0x10 [ 13.295523] ret_from_fork_asm+0x1a/0x30 [ 13.295553] </TASK> [ 13.295563] [ 13.302269] Allocated by task 213: [ 13.302467] kasan_save_stack+0x45/0x70 [ 13.302650] kasan_save_track+0x18/0x40 [ 13.302837] kasan_save_alloc_info+0x3b/0x50 [ 13.303042] __kasan_kmalloc+0xb7/0xc0 [ 13.303221] __kmalloc_cache_noprof+0x189/0x420 [ 13.303432] ksize_uaf+0xaa/0x6c0 [ 13.303615] kunit_try_run_case+0x1a5/0x480 [ 13.303796] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.304010] kthread+0x337/0x6f0 [ 13.304192] ret_from_fork+0x116/0x1d0 [ 13.304390] ret_from_fork_asm+0x1a/0x30 [ 13.304559] [ 13.304656] Freed by task 213: [ 13.304773] kasan_save_stack+0x45/0x70 [ 13.304964] kasan_save_track+0x18/0x40 [ 13.305133] kasan_save_free_info+0x3f/0x60 [ 13.305313] __kasan_slab_free+0x56/0x70 [ 13.305451] kfree+0x222/0x3f0 [ 13.305570] ksize_uaf+0x12c/0x6c0 [ 13.305697] kunit_try_run_case+0x1a5/0x480 [ 13.305845] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.306021] kthread+0x337/0x6f0 [ 13.306143] ret_from_fork+0x116/0x1d0 [ 13.306380] ret_from_fork_asm+0x1a/0x30 [ 13.306580] [ 13.306676] The buggy address belongs to the object at ffff888102a51200 [ 13.306676] which belongs to the cache kmalloc-128 of size 128 [ 13.307220] The buggy address is located 0 bytes inside of [ 13.307220] freed 128-byte region [ffff888102a51200, ffff888102a51280) [ 13.307708] [ 13.307783] The buggy address belongs to the physical page: [ 13.307960] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a51 [ 13.308214] flags: 0x200000000000000(node=0|zone=2) [ 13.308482] page_type: f5(slab) [ 13.308656] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.309007] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.309379] page dumped because: kasan: bad access detected [ 13.309637] [ 13.309734] Memory state around the buggy address: [ 13.309944] ffff888102a51100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.310241] ffff888102a51180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.310538] >ffff888102a51200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.310839] ^ [ 13.310984] ffff888102a51280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.311279] ffff888102a51300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.311571] ================================================================== [ 13.312413] ================================================================== [ 13.312743] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 13.312968] Read of size 1 at addr ffff888102a51278 by task kunit_try_catch/213 [ 13.313296] [ 13.313412] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary) [ 13.313456] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.313467] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.313488] Call Trace: [ 13.313506] <TASK> [ 13.313523] dump_stack_lvl+0x73/0xb0 [ 13.313550] print_report+0xd1/0x610 [ 13.313571] ? __virt_addr_valid+0x1db/0x2d0 [ 13.313593] ? ksize_uaf+0x5e4/0x6c0 [ 13.313612] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.313634] ? ksize_uaf+0x5e4/0x6c0 [ 13.313653] kasan_report+0x141/0x180 [ 13.313674] ? ksize_uaf+0x5e4/0x6c0 [ 13.313698] __asan_report_load1_noabort+0x18/0x20 [ 13.313721] ksize_uaf+0x5e4/0x6c0 [ 13.313740] ? __pfx_ksize_uaf+0x10/0x10 [ 13.313761] ? __schedule+0x10c6/0x2b60 [ 13.313782] ? __pfx_read_tsc+0x10/0x10 [ 13.313802] ? ktime_get_ts64+0x86/0x230 [ 13.313826] kunit_try_run_case+0x1a5/0x480 [ 13.313850] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.313871] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.313894] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.313916] ? __kthread_parkme+0x82/0x180 [ 13.313936] ? preempt_count_sub+0x50/0x80 [ 13.313959] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.313981] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.314003] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.314025] kthread+0x337/0x6f0 [ 13.314044] ? trace_preempt_on+0x20/0xc0 [ 13.314066] ? __pfx_kthread+0x10/0x10 [ 13.314085] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.314105] ? calculate_sigpending+0x7b/0xa0 [ 13.314130] ? __pfx_kthread+0x10/0x10 [ 13.314672] ret_from_fork+0x116/0x1d0 [ 13.314701] ? __pfx_kthread+0x10/0x10 [ 13.314722] ret_from_fork_asm+0x1a/0x30 [ 13.314752] </TASK> [ 13.314762] [ 13.321339] Allocated by task 213: [ 13.321469] kasan_save_stack+0x45/0x70 [ 13.321615] kasan_save_track+0x18/0x40 [ 13.321752] kasan_save_alloc_info+0x3b/0x50 [ 13.321904] __kasan_kmalloc+0xb7/0xc0 [ 13.322038] __kmalloc_cache_noprof+0x189/0x420 [ 13.322227] ksize_uaf+0xaa/0x6c0 [ 13.322428] kunit_try_run_case+0x1a5/0x480 [ 13.322646] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.322913] kthread+0x337/0x6f0 [ 13.323085] ret_from_fork+0x116/0x1d0 [ 13.323280] ret_from_fork_asm+0x1a/0x30 [ 13.323497] [ 13.323592] Freed by task 213: [ 13.323747] kasan_save_stack+0x45/0x70 [ 13.323940] kasan_save_track+0x18/0x40 [ 13.324130] kasan_save_free_info+0x3f/0x60 [ 13.324385] __kasan_slab_free+0x56/0x70 [ 13.324585] kfree+0x222/0x3f0 [ 13.324748] ksize_uaf+0x12c/0x6c0 [ 13.324924] kunit_try_run_case+0x1a5/0x480 [ 13.325072] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.325258] kthread+0x337/0x6f0 [ 13.325407] ret_from_fork+0x116/0x1d0 [ 13.325541] ret_from_fork_asm+0x1a/0x30 [ 13.325680] [ 13.325752] The buggy address belongs to the object at ffff888102a51200 [ 13.325752] which belongs to the cache kmalloc-128 of size 128 [ 13.326256] The buggy address is located 120 bytes inside of [ 13.326256] freed 128-byte region [ffff888102a51200, ffff888102a51280) [ 13.326814] [ 13.326913] The buggy address belongs to the physical page: [ 13.327172] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a51 [ 13.327551] flags: 0x200000000000000(node=0|zone=2) [ 13.327789] page_type: f5(slab) [ 13.327961] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.328342] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.328680] page dumped because: kasan: bad access detected [ 13.328892] [ 13.328983] Memory state around the buggy address: [ 13.329166] ffff888102a51100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.329481] ffff888102a51180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.329762] >ffff888102a51200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.330010] ^ [ 13.330323] ffff888102a51280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.330621] ffff888102a51300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.330845] ==================================================================