Date
Nov. 22, 2024, 6:35 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:

```text
[ 34.048348] ==================================================================
[ 34.049938] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[ 34.050843] Read of size 1 at addr fff00000c5ce67e8 by task kunit_try_catch/173
[ 34.051996]
[ 34.052310] CPU: 1 UID: 0 PID: 173 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241122 #1
[ 34.053966] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 34.054817] Hardware name: linux,dummy-virt (DT)
[ 34.055777] Call trace:
[ 34.056169] show_stack+0x20/0x38 (C)
[ 34.057170] dump_stack_lvl+0x8c/0xd0
[ 34.057791] print_report+0x118/0x5e0
[ 34.058478] kasan_report+0xc8/0x118
[ 34.059060] __asan_report_load1_noabort+0x20/0x30
[ 34.059848] kmalloc_uaf+0x300/0x338
[ 34.060478] kunit_try_run_case+0x14c/0x3d0
[ 34.061208] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 34.062056] kthread+0x24c/0x2d0
[ 34.062749] ret_from_fork+0x10/0x20
[ 34.063410]
[ 34.063748] Allocated by task 173:
[ 34.064371] kasan_save_stack+0x3c/0x68
[ 34.065363] kasan_save_track+0x20/0x40
[ 34.065914] kasan_save_alloc_info+0x40/0x58
[ 34.066582] __kasan_kmalloc+0xd4/0xd8
[ 34.067207] __kmalloc_cache_noprof+0x15c/0x3c8
[ 34.068005] kmalloc_uaf+0xb8/0x338
[ 34.068947] kunit_try_run_case+0x14c/0x3d0
[ 34.069629] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 34.070359] kthread+0x24c/0x2d0
[ 34.070890] ret_from_fork+0x10/0x20
[ 34.071501]
[ 34.071819] Freed by task 173:
[ 34.072367] kasan_save_stack+0x3c/0x68
[ 34.074056] kasan_save_track+0x20/0x40
[ 34.074715] kasan_save_free_info+0x4c/0x78
[ 34.075292] __kasan_slab_free+0x6c/0x98
[ 34.075874] kfree+0x114/0x3d0
[ 34.076544] kmalloc_uaf+0x11c/0x338
[ 34.077503] kunit_try_run_case+0x14c/0x3d0
[ 34.078319] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 34.079131] kthread+0x24c/0x2d0
[ 34.079761] ret_from_fork+0x10/0x20
[ 34.080390]
[ 34.081164] The buggy address belongs to the object at fff00000c5ce67e0
[ 34.081164]  which belongs to the cache kmalloc-16 of size 16
[ 34.082494] The buggy address is located 8 bytes inside of
[ 34.082494]  freed 16-byte region [fff00000c5ce67e0, fff00000c5ce67f0)
[ 34.083755]
[ 34.084046] The buggy address belongs to the physical page:
[ 34.085341] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105ce6
[ 34.086410] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 34.087218] page_type: f5(slab)
[ 34.087765] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 34.089155] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 34.089926] page dumped because: kasan: bad access detected
[ 34.090611]
[ 34.091030] Memory state around the buggy address:
[ 34.091693] fff00000c5ce6680: 00 02 fc fc 00 02 fc fc 00 05 fc fc fa fb fc fc
[ 34.092606] fff00000c5ce6700: 00 02 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 34.094056] >fff00000c5ce6780: fa fb fc fc fa fb fc fc 00 04 fc fc fa fb fc fc
[ 34.094959] ^
[ 34.096897] fff00000c5ce6800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.097683] fff00000c5ce6880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.098654] ==================================================================
[ 33.529192] ==================================================================
[ 33.530783] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 33.531865] Read of size 16 at addr fff00000c6105300 by task kunit_try_catch/157
[ 33.532604]
[ 33.532923] CPU: 0 UID: 0 PID: 157 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241122 #1
[ 33.535035] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.535825] Hardware name: linux,dummy-virt (DT)
[ 33.536407] Call trace:
[ 33.536976] show_stack+0x20/0x38 (C)
[ 33.538062] dump_stack_lvl+0x8c/0xd0
[ 33.539281] print_report+0x118/0x5e0
[ 33.540344] kasan_report+0xc8/0x118
[ 33.541569] __asan_report_load16_noabort+0x20/0x30
[ 33.542290] kmalloc_uaf_16+0x3bc/0x438
[ 33.542788] kunit_try_run_case+0x14c/0x3d0
[ 33.544095] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.545131] kthread+0x24c/0x2d0
[ 33.545996] ret_from_fork+0x10/0x20
[ 33.547159]
[ 33.547633] Allocated by task 157:
[ 33.548877] kasan_save_stack+0x3c/0x68
[ 33.549867] kasan_save_track+0x20/0x40
[ 33.550712] kasan_save_alloc_info+0x40/0x58
[ 33.551408] __kasan_kmalloc+0xd4/0xd8
[ 33.552085] __kmalloc_cache_noprof+0x15c/0x3c8
[ 33.553623] kmalloc_uaf_16+0x140/0x438
[ 33.554633] kunit_try_run_case+0x14c/0x3d0
[ 33.555212] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.556301] kthread+0x24c/0x2d0
[ 33.557019] ret_from_fork+0x10/0x20
[ 33.557749]
[ 33.558336] Freed by task 157:
[ 33.558772] kasan_save_stack+0x3c/0x68
[ 33.559762] kasan_save_track+0x20/0x40
[ 33.560576] kasan_save_free_info+0x4c/0x78
[ 33.561237] __kasan_slab_free+0x6c/0x98
[ 33.561846] kfree+0x114/0x3d0
[ 33.562874] kmalloc_uaf_16+0x190/0x438
[ 33.563723] kunit_try_run_case+0x14c/0x3d0
[ 33.564561] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.565498] kthread+0x24c/0x2d0
[ 33.566343] ret_from_fork+0x10/0x20
[ 33.567402]
[ 33.567722] The buggy address belongs to the object at fff00000c6105300
[ 33.567722]  which belongs to the cache kmalloc-16 of size 16
[ 33.570193] The buggy address is located 0 bytes inside of
[ 33.570193]  freed 16-byte region [fff00000c6105300, fff00000c6105310)
[ 33.572625]
[ 33.573018] The buggy address belongs to the physical page:
[ 33.574491] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106105
[ 33.574976] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.575372] page_type: f5(slab)
[ 33.575961] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 33.577549] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 33.578749] page dumped because: kasan: bad access detected
[ 33.579461]
[ 33.579940] Memory state around the buggy address:
[ 33.581134] fff00000c6105200: 00 06 fc fc 00 06 fc fc 00 00 fc fc fa fb fc fc
[ 33.582532] fff00000c6105280: fa fb fc fc fa fb fc fc fa fb fc fc 00 00 fc fc
[ 33.583797] >fff00000c6105300: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.584920] ^
[ 33.585860] fff00000c6105380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.587375] fff00000c6105400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.588992] ==================================================================
[ 34.183030] ==================================================================
[ 34.184318] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[ 34.185128] Read of size 1 at addr fff00000c6a9b128 by task kunit_try_catch/177
[ 34.186959]
[ 34.187383] CPU: 0 UID: 0 PID: 177 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241122 #1
[ 34.189030] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 34.189578] Hardware name: linux,dummy-virt (DT)
[ 34.190334] Call trace:
[ 34.190879] show_stack+0x20/0x38 (C)
[ 34.192316] dump_stack_lvl+0x8c/0xd0
[ 34.192984] print_report+0x118/0x5e0
[ 34.193535] kasan_report+0xc8/0x118
[ 34.194229] __asan_report_load1_noabort+0x20/0x30
[ 34.195538] kmalloc_uaf2+0x3f4/0x468
[ 34.196044] kunit_try_run_case+0x14c/0x3d0
[ 34.197721] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 34.198475] kthread+0x24c/0x2d0
[ 34.198895] ret_from_fork+0x10/0x20
[ 34.199632]
[ 34.199925] Allocated by task 177:
[ 34.200535] kasan_save_stack+0x3c/0x68
[ 34.201361] kasan_save_track+0x20/0x40
[ 34.202678] kasan_save_alloc_info+0x40/0x58
[ 34.203375] __kasan_kmalloc+0xd4/0xd8
[ 34.203976] __kmalloc_cache_noprof+0x15c/0x3c8
[ 34.204623] kmalloc_uaf2+0xc4/0x468
[ 34.205655] kunit_try_run_case+0x14c/0x3d0
[ 34.206273] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 34.206965] kthread+0x24c/0x2d0
[ 34.208197] ret_from_fork+0x10/0x20
[ 34.208667]
[ 34.209154] Freed by task 177:
[ 34.210609] kasan_save_stack+0x3c/0x68
[ 34.211244] kasan_save_track+0x20/0x40
[ 34.212023] kasan_save_free_info+0x4c/0x78
[ 34.213264] __kasan_slab_free+0x6c/0x98
[ 34.214031] kfree+0x114/0x3d0
[ 34.214907] kmalloc_uaf2+0x134/0x468
[ 34.215867] kunit_try_run_case+0x14c/0x3d0
[ 34.216933] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 34.217972] kthread+0x24c/0x2d0
[ 34.218751] ret_from_fork+0x10/0x20
[ 34.219413]
[ 34.219808] The buggy address belongs to the object at fff00000c6a9b100
[ 34.219808]  which belongs to the cache kmalloc-64 of size 64
[ 34.221717] The buggy address is located 40 bytes inside of
[ 34.221717]  freed 64-byte region [fff00000c6a9b100, fff00000c6a9b140)
[ 34.223993]
[ 34.224329] The buggy address belongs to the physical page:
[ 34.225795] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106a9b
[ 34.226990] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 34.228125] page_type: f5(slab)
[ 34.228649] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 34.229870] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[ 34.231926] page dumped because: kasan: bad access detected
[ 34.232925]
[ 34.233370] Memory state around the buggy address:
[ 34.235079] fff00000c6a9b000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 34.235889] fff00000c6a9b080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 34.237658] >fff00000c6a9b100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 34.238877] ^
[ 34.239946] fff00000c6a9b180: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 34.241623] fff00000c6a9b200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.243691] ==================================================================
```
qemu-x86_64:

```text
[ 25.442532] ==================================================================
[ 25.443357] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x322/0x380
[ 25.444554] Read of size 1 at addr ffff888100f9bcc8 by task kunit_try_catch/192
[ 25.445969]
[ 25.446204] CPU: 0 UID: 0 PID: 192 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241122 #1
[ 25.446702] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.447086] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.449410] Call Trace:
[ 25.450155] <TASK>
[ 25.450433] dump_stack_lvl+0x73/0xb0
[ 25.450806] print_report+0xd1/0x640
[ 25.451946] ? __virt_addr_valid+0x1db/0x2d0
[ 25.452472] ? kasan_complete_mode_report_info+0x64/0x200
[ 25.452771] kasan_report+0x102/0x140
[ 25.453407] ? kmalloc_uaf+0x322/0x380
[ 25.454352] ? kmalloc_uaf+0x322/0x380
[ 25.454729] __asan_report_load1_noabort+0x18/0x20
[ 25.455615] kmalloc_uaf+0x322/0x380
[ 25.455976] ? __pfx_kmalloc_uaf+0x10/0x10
[ 25.456343] ? __pfx_kmalloc_uaf+0x10/0x10
[ 25.457533] kunit_try_run_case+0x1b3/0x490
[ 25.458216] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.459008] ? _raw_spin_lock_irqsave+0xa2/0x110
[ 25.459868] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.461358] ? __kthread_parkme+0x82/0x160
[ 25.461707] ? preempt_count_sub+0x50/0x80
[ 25.462605] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.462999] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.464180] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.464445] kthread+0x257/0x310
[ 25.464625] ? __pfx_kthread+0x10/0x10
[ 25.464772] ret_from_fork+0x41/0x80
[ 25.465162] ? __pfx_kthread+0x10/0x10
[ 25.465573] ret_from_fork_asm+0x1a/0x30
[ 25.466048] </TASK>
[ 25.466306]
[ 25.466514] Allocated by task 192:
[ 25.466951] kasan_save_stack+0x3d/0x60
[ 25.467308] kasan_save_track+0x18/0x40
[ 25.467800] kasan_save_alloc_info+0x3b/0x50
[ 25.468443] __kasan_kmalloc+0xb7/0xc0
[ 25.468895] __kmalloc_cache_noprof+0x184/0x410
[ 25.469405] kmalloc_uaf+0xab/0x380
[ 25.469807] kunit_try_run_case+0x1b3/0x490
[ 25.470433] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.470793] kthread+0x257/0x310
[ 25.471178] ret_from_fork+0x41/0x80
[ 25.471726] ret_from_fork_asm+0x1a/0x30
[ 25.472335]
[ 25.472573] Freed by task 192:
[ 25.473165] kasan_save_stack+0x3d/0x60
[ 25.473977] kasan_save_track+0x18/0x40
[ 25.474490] kasan_save_free_info+0x3f/0x60
[ 25.474952] __kasan_slab_free+0x56/0x70
[ 25.475583] kfree+0x123/0x3f0
[ 25.476108] kmalloc_uaf+0x12d/0x380
[ 25.476723] kunit_try_run_case+0x1b3/0x490
[ 25.477313] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.478248] kthread+0x257/0x310
[ 25.478727] ret_from_fork+0x41/0x80
[ 25.479167] ret_from_fork_asm+0x1a/0x30
[ 25.479771]
[ 25.480075] The buggy address belongs to the object at ffff888100f9bcc0
[ 25.480075]  which belongs to the cache kmalloc-16 of size 16
[ 25.481045] The buggy address is located 8 bytes inside of
[ 25.481045]  freed 16-byte region [ffff888100f9bcc0, ffff888100f9bcd0)
[ 25.482482]
[ 25.482776] The buggy address belongs to the physical page:
[ 25.483163] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100f9b
[ 25.483982] flags: 0x200000000000000(node=0|zone=2)
[ 25.484737] page_type: f5(slab)
[ 25.485473] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 25.486436] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 25.487066] page dumped because: kasan: bad access detected
[ 25.487844]
[ 25.488231] Memory state around the buggy address:
[ 25.488851] ffff888100f9bb80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 25.489718] ffff888100f9bc00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 25.490329] >ffff888100f9bc80: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc
[ 25.490642] ^
[ 25.491145] ffff888100f9bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.491771] ffff888100f9bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.492535] ==================================================================
[ 25.031793] ==================================================================
[ 25.032676] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47d/0x4c0
[ 25.033221] Read of size 16 at addr ffff888100f9bca0 by task kunit_try_catch/176
[ 25.033748]
[ 25.034145] CPU: 0 UID: 0 PID: 176 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241122 #1
[ 25.034976] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.035443] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.036090] Call Trace:
[ 25.036392] <TASK>
[ 25.036638] dump_stack_lvl+0x73/0xb0
[ 25.037129] print_report+0xd1/0x640
[ 25.037589] ? __virt_addr_valid+0x1db/0x2d0
[ 25.037991] ? kasan_complete_mode_report_info+0x64/0x200
[ 25.038638] kasan_report+0x102/0x140
[ 25.039164] ? kmalloc_uaf_16+0x47d/0x4c0
[ 25.039506] ? kmalloc_uaf_16+0x47d/0x4c0
[ 25.040011] __asan_report_load16_noabort+0x18/0x20
[ 25.040586] kmalloc_uaf_16+0x47d/0x4c0
[ 25.041042] ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 25.041388] ? __schedule+0xc3e/0x2790
[ 25.042026] ? __pfx_read_tsc+0x10/0x10
[ 25.042310] ? ktime_get_ts64+0x84/0x230
[ 25.042778] kunit_try_run_case+0x1b3/0x490
[ 25.043402] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.043710] ? _raw_spin_lock_irqsave+0xa2/0x110
[ 25.044350] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.044878] ? __kthread_parkme+0x82/0x160
[ 25.045390] ? preempt_count_sub+0x50/0x80
[ 25.045865] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.046292] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.047038] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.047634] kthread+0x257/0x310
[ 25.048043] ? __pfx_kthread+0x10/0x10
[ 25.048558] ret_from_fork+0x41/0x80
[ 25.049113] ? __pfx_kthread+0x10/0x10
[ 25.049389] ret_from_fork_asm+0x1a/0x30
[ 25.049693] </TASK>
[ 25.049898]
[ 25.050129] Allocated by task 176:
[ 25.050617] kasan_save_stack+0x3d/0x60
[ 25.051131] kasan_save_track+0x18/0x40
[ 25.051627] kasan_save_alloc_info+0x3b/0x50
[ 25.052034] __kasan_kmalloc+0xb7/0xc0
[ 25.052502] __kmalloc_cache_noprof+0x184/0x410
[ 25.052811] kmalloc_uaf_16+0x15c/0x4c0
[ 25.053262] kunit_try_run_case+0x1b3/0x490
[ 25.053650] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.054157] kthread+0x257/0x310
[ 25.054630] ret_from_fork+0x41/0x80
[ 25.055001] ret_from_fork_asm+0x1a/0x30
[ 25.055647]
[ 25.055817] Freed by task 176:
[ 25.056054] kasan_save_stack+0x3d/0x60
[ 25.056310] kasan_save_track+0x18/0x40
[ 25.056562] kasan_save_free_info+0x3f/0x60
[ 25.056845] __kasan_slab_free+0x56/0x70
[ 25.057357] kfree+0x123/0x3f0
[ 25.057714] kmalloc_uaf_16+0x1d7/0x4c0
[ 25.058155] kunit_try_run_case+0x1b3/0x490
[ 25.058593] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.059476] kthread+0x257/0x310
[ 25.060013] ret_from_fork+0x41/0x80
[ 25.060440] ret_from_fork_asm+0x1a/0x30
[ 25.060860]
[ 25.061108] The buggy address belongs to the object at ffff888100f9bca0
[ 25.061108]  which belongs to the cache kmalloc-16 of size 16
[ 25.062397] The buggy address is located 0 bytes inside of
[ 25.062397]  freed 16-byte region [ffff888100f9bca0, ffff888100f9bcb0)
[ 25.063379]
[ 25.063544] The buggy address belongs to the physical page:
[ 25.063855] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100f9b
[ 25.064542] flags: 0x200000000000000(node=0|zone=2)
[ 25.065232] page_type: f5(slab)
[ 25.065682] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 25.066546] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 25.067177] page dumped because: kasan: bad access detected
[ 25.067602]
[ 25.067921] Memory state around the buggy address:
[ 25.068314] ffff888100f9bb80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 25.068982] ffff888100f9bc00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 25.069549] >ffff888100f9bc80: 00 00 fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[ 25.070113] ^
[ 25.070457] ffff888100f9bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.071319] ffff888100f9bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.071708] ==================================================================
[ 25.555495] ==================================================================
[ 25.556912] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4aa/0x520
[ 25.557543] Read of size 1 at addr ffff888101aad728 by task kunit_try_catch/196
[ 25.558764]
[ 25.559442] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241122 #1
[ 25.560377] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.561376] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.562281] Call Trace:
[ 25.562518] <TASK>
[ 25.562987] dump_stack_lvl+0x73/0xb0
[ 25.563405] print_report+0xd1/0x640
[ 25.564592] ? __virt_addr_valid+0x1db/0x2d0
[ 25.564920] ? kasan_complete_mode_report_info+0x64/0x200
[ 25.565882] kasan_report+0x102/0x140
[ 25.566955] ? kmalloc_uaf2+0x4aa/0x520
[ 25.567296] ? kmalloc_uaf2+0x4aa/0x520
[ 25.568375] __asan_report_load1_noabort+0x18/0x20
[ 25.568749] kmalloc_uaf2+0x4aa/0x520
[ 25.569242] ? __pfx_kmalloc_uaf2+0x10/0x10
[ 25.569783] ? finish_task_switch.isra.0+0x153/0x700
[ 25.570265] ? __switch_to+0x5d9/0xf60
[ 25.571422] ? __schedule+0xc3e/0x2790
[ 25.572000] ? __pfx_read_tsc+0x10/0x10
[ 25.572253] ? ktime_get_ts64+0x84/0x230
[ 25.572653] kunit_try_run_case+0x1b3/0x490
[ 25.574016] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.574473] ? _raw_spin_lock_irqsave+0xa2/0x110
[ 25.575383] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.576424] ? __kthread_parkme+0x82/0x160
[ 25.576756] ? preempt_count_sub+0x50/0x80
[ 25.577192] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.578070] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.578987] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.579665] kthread+0x257/0x310
[ 25.579971] ? __pfx_kthread+0x10/0x10
[ 25.580981] ret_from_fork+0x41/0x80
[ 25.581409] ? __pfx_kthread+0x10/0x10
[ 25.581681] ret_from_fork_asm+0x1a/0x30
[ 25.582120] </TASK>
[ 25.582811]
[ 25.583100] Allocated by task 196:
[ 25.584021] kasan_save_stack+0x3d/0x60
[ 25.584298] kasan_save_track+0x18/0x40
[ 25.584634] kasan_save_alloc_info+0x3b/0x50
[ 25.585101] __kasan_kmalloc+0xb7/0xc0
[ 25.585466] __kmalloc_cache_noprof+0x184/0x410
[ 25.586869] kmalloc_uaf2+0xc7/0x520
[ 25.587418] kunit_try_run_case+0x1b3/0x490
[ 25.587862] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.589123] kthread+0x257/0x310
[ 25.589465] ret_from_fork+0x41/0x80
[ 25.589784] ret_from_fork_asm+0x1a/0x30
[ 25.591000]
[ 25.591155] Freed by task 196:
[ 25.591541] kasan_save_stack+0x3d/0x60
[ 25.591908] kasan_save_track+0x18/0x40
[ 25.592142] kasan_save_free_info+0x3f/0x60
[ 25.592655] __kasan_slab_free+0x56/0x70
[ 25.593093] kfree+0x123/0x3f0
[ 25.593640] kmalloc_uaf2+0x14d/0x520
[ 25.593933] kunit_try_run_case+0x1b3/0x490
[ 25.594200] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.595154] kthread+0x257/0x310
[ 25.595945] ret_from_fork+0x41/0x80
[ 25.597046] ret_from_fork_asm+0x1a/0x30
[ 25.597783]
[ 25.598059] The buggy address belongs to the object at ffff888101aad700
[ 25.598059]  which belongs to the cache kmalloc-64 of size 64
[ 25.600372] The buggy address is located 40 bytes inside of
[ 25.600372]  freed 64-byte region [ffff888101aad700, ffff888101aad740)
[ 25.601363]
[ 25.601636] The buggy address belongs to the physical page:
[ 25.602246] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101aad
[ 25.602819] flags: 0x200000000000000(node=0|zone=2)
[ 25.603562] page_type: f5(slab)
[ 25.603958] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 25.604595] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[ 25.606096] page dumped because: kasan: bad access detected
[ 25.606584]
[ 25.606794] Memory state around the buggy address:
[ 25.607417] ffff888101aad600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.607980] ffff888101aad680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.608804] >ffff888101aad700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.610602] ^
[ 25.611235] ffff888101aad780: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 25.612286] ffff888101aad800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.613421] ==================================================================
```