Date
Nov. 22, 2024, 6:35 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 34.583606] ================================================================== [ 34.584940] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x600 [ 34.586458] Read of size 1 at addr fff00000c6357b00 by task kunit_try_catch/185 [ 34.587656] [ 34.588018] CPU: 1 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241122 #1 [ 34.589230] Tainted: [B]=BAD_PAGE, [N]=TEST [ 34.590001] Hardware name: linux,dummy-virt (DT) [ 34.591349] Call trace: [ 34.591765] show_stack+0x20/0x38 (C) [ 34.592356] dump_stack_lvl+0x8c/0xd0 [ 34.592889] print_report+0x118/0x5e0 [ 34.594006] kasan_report+0xc8/0x118 [ 34.594635] __kasan_check_byte+0x54/0x70 [ 34.595263] ksize+0x30/0x88 [ 34.595748] ksize_uaf+0x168/0x600 [ 34.596465] kunit_try_run_case+0x14c/0x3d0 [ 34.597132] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.598625] kthread+0x24c/0x2d0 [ 34.599109] ret_from_fork+0x10/0x20 [ 34.599607] [ 34.599874] Allocated by task 185: [ 34.601103] kasan_save_stack+0x3c/0x68 [ 34.601998] kasan_save_track+0x20/0x40 [ 34.602816] kasan_save_alloc_info+0x40/0x58 [ 34.603668] __kasan_kmalloc+0xd4/0xd8 [ 34.604349] __kmalloc_cache_noprof+0x15c/0x3c8 [ 34.605183] ksize_uaf+0xb8/0x600 [ 34.605627] kunit_try_run_case+0x14c/0x3d0 [ 34.606398] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.608504] kthread+0x24c/0x2d0 [ 34.609248] ret_from_fork+0x10/0x20 [ 34.609735] [ 34.610208] Freed by task 185: [ 34.610793] kasan_save_stack+0x3c/0x68 [ 34.611419] kasan_save_track+0x20/0x40 [ 34.612112] kasan_save_free_info+0x4c/0x78 [ 34.612871] __kasan_slab_free+0x6c/0x98 [ 34.613980] kfree+0x114/0x3d0 [ 34.614977] ksize_uaf+0x11c/0x600 [ 34.615761] kunit_try_run_case+0x14c/0x3d0 [ 34.616321] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.617055] kthread+0x24c/0x2d0 [ 34.618068] ret_from_fork+0x10/0x20 [ 34.618697] [ 34.619051] The buggy address belongs to the object at fff00000c6357b00 [ 34.619051] which belongs to the cache kmalloc-128 of size 128 [ 34.621046] The buggy address is located 0 bytes inside of [ 34.621046] freed 128-byte region [fff00000c6357b00, fff00000c6357b80) [ 34.622456] [ 34.622863] The buggy address belongs to the physical page: [ 34.623601] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106357 [ 34.624911] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 34.626135] page_type: f5(slab) [ 34.627097] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 34.628082] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 34.629481] page dumped because: kasan: bad access detected [ 34.630338] [ 34.630709] Memory state around the buggy address: [ 34.631654] fff00000c6357a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 34.632813] fff00000c6357a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.634004] >fff00000c6357b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.635046] ^ [ 34.635658] fff00000c6357b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.636723] fff00000c6357c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.637645] ================================================================== [ 34.640313] ================================================================== [ 34.641067] BUG: KASAN: slab-use-after-free in ksize_uaf+0x59c/0x600 [ 34.642476] Read of size 1 at addr fff00000c6357b00 by task kunit_try_catch/185 [ 34.644275] [ 34.645040] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241122 #1 [ 34.646409] Tainted: [B]=BAD_PAGE, [N]=TEST [ 34.647368] Hardware name: linux,dummy-virt (DT) [ 34.648305] Call trace: [ 34.649074] show_stack+0x20/0x38 (C) [ 34.649733] dump_stack_lvl+0x8c/0xd0 [ 34.650279] print_report+0x118/0x5e0 [ 34.650869] kasan_report+0xc8/0x118 [ 34.652277] __asan_report_load1_noabort+0x20/0x30 [ 34.653082] ksize_uaf+0x59c/0x600 [ 34.653529] kunit_try_run_case+0x14c/0x3d0 [ 34.654008] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.655387] kthread+0x24c/0x2d0 [ 34.656149] ret_from_fork+0x10/0x20 [ 34.657105] [ 34.657431] Allocated by task 185: [ 34.657931] kasan_save_stack+0x3c/0x68 [ 34.659100] kasan_save_track+0x20/0x40 [ 34.659721] kasan_save_alloc_info+0x40/0x58 [ 34.660264] __kasan_kmalloc+0xd4/0xd8 [ 34.661232] __kmalloc_cache_noprof+0x15c/0x3c8 [ 34.662195] ksize_uaf+0xb8/0x600 [ 34.662722] kunit_try_run_case+0x14c/0x3d0 [ 34.664315] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.665823] kthread+0x24c/0x2d0 [ 34.666590] ret_from_fork+0x10/0x20 [ 34.666919] [ 34.667084] Freed by task 185: [ 34.667323] kasan_save_stack+0x3c/0x68 [ 34.667730] kasan_save_track+0x20/0x40 [ 34.668343] kasan_save_free_info+0x4c/0x78 [ 34.669709] __kasan_slab_free+0x6c/0x98 [ 34.670830] kfree+0x114/0x3d0 [ 34.671217] ksize_uaf+0x11c/0x600 [ 34.671625] kunit_try_run_case+0x14c/0x3d0 [ 34.672195] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.673240] kthread+0x24c/0x2d0 [ 34.674068] ret_from_fork+0x10/0x20 [ 34.675067] [ 34.675707] The buggy address belongs to the object at fff00000c6357b00 [ 34.675707] which belongs to the cache kmalloc-128 of size 128 [ 34.677305] The buggy address is located 0 bytes inside of [ 34.677305] freed 128-byte region [fff00000c6357b00, fff00000c6357b80) [ 34.678631] [ 34.678931] The buggy address belongs to the physical page: [ 34.679975] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106357 [ 34.682427] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 34.683874] page_type: f5(slab) [ 34.684735] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 34.686321] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 34.687907] page dumped because: kasan: bad access detected [ 34.688724] [ 34.689365] Memory state around the buggy address: [ 34.690322] fff00000c6357a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 34.691502] fff00000c6357a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.692325] >fff00000c6357b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.693624] ^ [ 34.694142] fff00000c6357b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.694893] fff00000c6357c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.696347] ================================================================== [ 34.699394] ================================================================== [ 34.702943] BUG: KASAN: slab-use-after-free in ksize_uaf+0x548/0x600 [ 34.705580] Read of size 1 at addr fff00000c6357b78 by task kunit_try_catch/185 [ 34.710154] [ 34.710529] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241122 #1 [ 34.711965] Tainted: [B]=BAD_PAGE, [N]=TEST [ 34.714862] Hardware name: linux,dummy-virt (DT) [ 34.716293] Call trace: [ 34.716687] show_stack+0x20/0x38 (C) [ 34.718342] dump_stack_lvl+0x8c/0xd0 [ 34.719193] print_report+0x118/0x5e0 [ 34.719893] kasan_report+0xc8/0x118 [ 34.720493] __asan_report_load1_noabort+0x20/0x30 [ 34.721145] ksize_uaf+0x548/0x600 [ 34.721704] kunit_try_run_case+0x14c/0x3d0 [ 34.722325] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.723531] kthread+0x24c/0x2d0 [ 34.723946] ret_from_fork+0x10/0x20 [ 34.725148] [ 34.725873] Allocated by task 185: [ 34.726982] kasan_save_stack+0x3c/0x68 [ 34.727899] kasan_save_track+0x20/0x40 [ 34.728497] kasan_save_alloc_info+0x40/0x58 [ 34.729599] __kasan_kmalloc+0xd4/0xd8 [ 34.730847] __kmalloc_cache_noprof+0x15c/0x3c8 [ 34.732338] ksize_uaf+0xb8/0x600 [ 34.733236] kunit_try_run_case+0x14c/0x3d0 [ 34.734799] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.736303] kthread+0x24c/0x2d0 [ 34.737213] ret_from_fork+0x10/0x20 [ 34.737787] [ 34.738071] Freed by task 185: [ 34.738472] kasan_save_stack+0x3c/0x68 [ 34.739571] kasan_save_track+0x20/0x40 [ 34.740760] kasan_save_free_info+0x4c/0x78 [ 34.742274] __kasan_slab_free+0x6c/0x98 [ 34.743072] kfree+0x114/0x3d0 [ 34.743815] ksize_uaf+0x11c/0x600 [ 34.744878] kunit_try_run_case+0x14c/0x3d0 [ 34.745369] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 34.746090] kthread+0x24c/0x2d0 [ 34.747116] ret_from_fork+0x10/0x20 [ 34.747698] [ 34.747942] The buggy address belongs to the object at fff00000c6357b00 [ 34.747942] which belongs to the cache kmalloc-128 of size 128 [ 34.750829] The buggy address is located 120 bytes inside of [ 34.750829] freed 128-byte region [fff00000c6357b00, fff00000c6357b80) [ 34.753048] [ 34.753419] The buggy address belongs to the physical page: [ 34.754520] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106357 [ 34.755852] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 34.756955] page_type: f5(slab) [ 34.757483] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 34.758718] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 34.760213] page dumped because: kasan: bad access detected [ 34.761199] [ 34.761639] Memory state around the buggy address: [ 34.762578] fff00000c6357a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.764656] fff00000c6357a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.765497] >fff00000c6357b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.767261] ^ [ 34.768576] fff00000c6357b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.769864] fff00000c6357c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.770877] ==================================================================
[ 25.969309] ================================================================== [ 25.970488] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e6/0x6c0 [ 25.970917] Read of size 1 at addr ffff888102a0b578 by task kunit_try_catch/204 [ 25.971581] [ 25.971843] CPU: 1 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241122 #1 [ 25.972537] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.972962] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.974037] Call Trace: [ 25.975011] <TASK> [ 25.975775] dump_stack_lvl+0x73/0xb0 [ 25.976244] print_report+0xd1/0x640 [ 25.976756] ? __virt_addr_valid+0x1db/0x2d0 [ 25.977038] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.977762] kasan_report+0x102/0x140 [ 25.978165] ? ksize_uaf+0x5e6/0x6c0 [ 25.978550] ? ksize_uaf+0x5e6/0x6c0 [ 25.979412] __asan_report_load1_noabort+0x18/0x20 [ 25.979730] ksize_uaf+0x5e6/0x6c0 [ 25.980560] ? __pfx_ksize_uaf+0x10/0x10 [ 25.981185] ? __pfx_ksize_uaf+0x10/0x10 [ 25.981915] kunit_try_run_case+0x1b3/0x490 [ 25.982885] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.983278] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 25.983863] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.984996] ? __kthread_parkme+0x82/0x160 [ 25.985354] ? preempt_count_sub+0x50/0x80 [ 25.985968] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.986404] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.987114] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.987899] kthread+0x257/0x310 [ 25.988251] ? __pfx_kthread+0x10/0x10 [ 25.988968] ret_from_fork+0x41/0x80 [ 25.989559] ? __pfx_kthread+0x10/0x10 [ 25.990138] ret_from_fork_asm+0x1a/0x30 [ 25.990606] </TASK> [ 25.991180] [ 25.991420] Allocated by task 204: [ 25.992174] kasan_save_stack+0x3d/0x60 [ 25.992571] kasan_save_track+0x18/0x40 [ 25.992920] kasan_save_alloc_info+0x3b/0x50 [ 25.993638] __kasan_kmalloc+0xb7/0xc0 [ 25.994211] __kmalloc_cache_noprof+0x184/0x410 [ 25.994628] ksize_uaf+0xab/0x6c0 [ 25.995311] kunit_try_run_case+0x1b3/0x490 [ 25.996092] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.996734] kthread+0x257/0x310 [ 25.997110] ret_from_fork+0x41/0x80 [ 25.997774] ret_from_fork_asm+0x1a/0x30 [ 25.998358] [ 25.998723] Freed by task 204: [ 25.999021] kasan_save_stack+0x3d/0x60 [ 25.999981] kasan_save_track+0x18/0x40 [ 26.000574] kasan_save_free_info+0x3f/0x60 [ 26.001155] __kasan_slab_free+0x56/0x70 [ 26.001660] kfree+0x123/0x3f0 [ 26.002051] ksize_uaf+0x12d/0x6c0 [ 26.002783] kunit_try_run_case+0x1b3/0x490 [ 26.003190] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.003974] kthread+0x257/0x310 [ 26.004491] ret_from_fork+0x41/0x80 [ 26.005053] ret_from_fork_asm+0x1a/0x30 [ 26.005506] [ 26.005897] The buggy address belongs to the object at ffff888102a0b500 [ 26.005897] which belongs to the cache kmalloc-128 of size 128 [ 26.007027] The buggy address is located 120 bytes inside of [ 26.007027] freed 128-byte region [ffff888102a0b500, ffff888102a0b580) [ 26.008223] [ 26.008714] The buggy address belongs to the physical page: [ 26.009751] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a0b [ 26.010653] flags: 0x200000000000000(node=0|zone=2) [ 26.011330] page_type: f5(slab) [ 26.011920] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 26.012875] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 26.013481] page dumped because: kasan: bad access detected [ 26.014077] [ 26.014798] Memory state around the buggy address: [ 26.015205] ffff888102a0b400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.016043] ffff888102a0b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.016965] >ffff888102a0b500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.017542] ^ [ 26.018134] ffff888102a0b580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.019410] ffff888102a0b600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.019887] ================================================================== [ 25.925298] ================================================================== [ 25.925994] BUG: KASAN: slab-use-after-free in ksize_uaf+0x600/0x6c0 [ 25.926586] Read of size 1 at addr ffff888102a0b500 by task kunit_try_catch/204 [ 25.928159] [ 25.928461] CPU: 1 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241122 #1 [ 25.929322] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.929668] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.930315] Call Trace: [ 25.930633] <TASK> [ 25.930934] dump_stack_lvl+0x73/0xb0 [ 25.931412] print_report+0xd1/0x640 [ 25.931747] ? __virt_addr_valid+0x1db/0x2d0 [ 25.932159] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.932520] kasan_report+0x102/0x140 [ 25.932785] ? ksize_uaf+0x600/0x6c0 [ 25.933202] ? ksize_uaf+0x600/0x6c0 [ 25.933667] __asan_report_load1_noabort+0x18/0x20 [ 25.934202] ksize_uaf+0x600/0x6c0 [ 25.934636] ? __pfx_ksize_uaf+0x10/0x10 [ 25.935079] ? __pfx_ksize_uaf+0x10/0x10 [ 25.935568] kunit_try_run_case+0x1b3/0x490 [ 25.935915] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.936415] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 25.936810] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.937241] ? __kthread_parkme+0x82/0x160 [ 25.937575] ? preempt_count_sub+0x50/0x80 [ 25.938053] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.938508] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.938948] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.939325] kthread+0x257/0x310 [ 25.939588] ? __pfx_kthread+0x10/0x10 [ 25.939876] ret_from_fork+0x41/0x80 [ 25.940307] ? __pfx_kthread+0x10/0x10 [ 25.940732] ret_from_fork_asm+0x1a/0x30 [ 25.941195] </TASK> [ 25.941513] [ 25.941728] Allocated by task 204: [ 25.942126] kasan_save_stack+0x3d/0x60 [ 25.942546] kasan_save_track+0x18/0x40 [ 25.944525] kasan_save_alloc_info+0x3b/0x50 [ 25.944993] __kasan_kmalloc+0xb7/0xc0 [ 25.945406] __kmalloc_cache_noprof+0x184/0x410 [ 25.945856] ksize_uaf+0xab/0x6c0 [ 25.946238] kunit_try_run_case+0x1b3/0x490 [ 25.946600] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.948602] kthread+0x257/0x310 [ 25.948882] ret_from_fork+0x41/0x80 [ 25.949140] ret_from_fork_asm+0x1a/0x30 [ 25.949418] [ 25.949621] Freed by task 204: [ 25.950009] kasan_save_stack+0x3d/0x60 [ 25.950477] kasan_save_track+0x18/0x40 [ 25.950903] kasan_save_free_info+0x3f/0x60 [ 25.951368] __kasan_slab_free+0x56/0x70 [ 25.951780] kfree+0x123/0x3f0 [ 25.952138] ksize_uaf+0x12d/0x6c0 [ 25.952515] kunit_try_run_case+0x1b3/0x490 [ 25.952792] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.953130] kthread+0x257/0x310 [ 25.953425] ret_from_fork+0x41/0x80 [ 25.953845] ret_from_fork_asm+0x1a/0x30 [ 25.954325] [ 25.954539] The buggy address belongs to the object at ffff888102a0b500 [ 25.954539] which belongs to the cache kmalloc-128 of size 128 [ 25.955640] The buggy address is located 0 bytes inside of [ 25.955640] freed 128-byte region [ffff888102a0b500, ffff888102a0b580) [ 25.956609] [ 25.956769] The buggy address belongs to the physical page: [ 25.957324] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a0b [ 25.957989] flags: 0x200000000000000(node=0|zone=2) [ 25.958355] page_type: f5(slab) [ 25.958721] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 25.959224] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 25.959642] page dumped because: kasan: bad access detected [ 25.960156] [ 25.960411] Memory state around the buggy address: [ 25.960870] ffff888102a0b400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.961542] ffff888102a0b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.962126] >ffff888102a0b500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.962536] ^ [ 25.962863] ffff888102a0b580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.963520] ffff888102a0b600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.964058] ================================================================== [ 25.883503] ================================================================== [ 25.884528] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19e/0x6c0 [ 25.885165] Read of size 1 at addr ffff888102a0b500 by task kunit_try_catch/204 [ 25.886084] [ 25.886284] CPU: 1 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241122 #1 [ 25.887910] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.888197] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.888930] Call Trace: [ 25.889183] <TASK> [ 25.889667] dump_stack_lvl+0x73/0xb0 [ 25.890168] print_report+0xd1/0x640 [ 25.890851] ? __virt_addr_valid+0x1db/0x2d0 [ 25.891444] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.891905] kasan_report+0x102/0x140 [ 25.892178] ? ksize_uaf+0x19e/0x6c0 [ 25.892605] ? ksize_uaf+0x19e/0x6c0 [ 25.892917] ? ksize_uaf+0x19e/0x6c0 [ 25.893409] __kasan_check_byte+0x3d/0x50 [ 25.893848] ksize+0x20/0x60 [ 25.894233] ksize_uaf+0x19e/0x6c0 [ 25.894608] ? __pfx_ksize_uaf+0x10/0x10 [ 25.895000] ? __pfx_ksize_uaf+0x10/0x10 [ 25.895490] kunit_try_run_case+0x1b3/0x490 [ 25.895960] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.896552] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 25.897154] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.897849] ? __kthread_parkme+0x82/0x160 [ 25.898392] ? preempt_count_sub+0x50/0x80 [ 25.898757] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.899232] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.899982] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.900631] kthread+0x257/0x310 [ 25.901103] ? __pfx_kthread+0x10/0x10 [ 25.901655] ret_from_fork+0x41/0x80 [ 25.902168] ? __pfx_kthread+0x10/0x10 [ 25.902694] ret_from_fork_asm+0x1a/0x30 [ 25.903298] </TASK> [ 25.903645] [ 25.903811] Allocated by task 204: [ 25.904084] kasan_save_stack+0x3d/0x60 [ 25.904513] kasan_save_track+0x18/0x40 [ 25.904995] kasan_save_alloc_info+0x3b/0x50 [ 25.905459] __kasan_kmalloc+0xb7/0xc0 [ 25.905919] __kmalloc_cache_noprof+0x184/0x410 [ 25.906317] ksize_uaf+0xab/0x6c0 [ 25.906564] kunit_try_run_case+0x1b3/0x490 [ 25.907018] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.907638] kthread+0x257/0x310 [ 25.908030] ret_from_fork+0x41/0x80 [ 25.908385] ret_from_fork_asm+0x1a/0x30 [ 25.908691] [ 25.908935] Freed by task 204: [ 25.909343] kasan_save_stack+0x3d/0x60 [ 25.909759] kasan_save_track+0x18/0x40 [ 25.910238] kasan_save_free_info+0x3f/0x60 [ 25.910741] __kasan_slab_free+0x56/0x70 [ 25.911367] kfree+0x123/0x3f0 [ 25.911990] ksize_uaf+0x12d/0x6c0 [ 25.912852] kunit_try_run_case+0x1b3/0x490 [ 25.913450] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.913786] kthread+0x257/0x310 [ 25.914054] ret_from_fork+0x41/0x80 [ 25.914366] ret_from_fork_asm+0x1a/0x30 [ 25.914714] [ 25.914961] The buggy address belongs to the object at ffff888102a0b500 [ 25.914961] which belongs to the cache kmalloc-128 of size 128 [ 25.915790] The buggy address is located 0 bytes inside of [ 25.915790] freed 128-byte region [ffff888102a0b500, ffff888102a0b580) [ 25.916491] [ 25.916655] The buggy address belongs to the physical page: [ 25.917155] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a0b [ 25.917886] flags: 0x200000000000000(node=0|zone=2) [ 25.918428] page_type: f5(slab) [ 25.918772] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 25.919435] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 25.919980] page dumped because: kasan: bad access detected [ 25.920524] [ 25.920696] Memory state around the buggy address: [ 25.921090] ffff888102a0b400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.921687] ffff888102a0b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.922230] >ffff888102a0b500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.922729] ^ [ 25.922980] ffff888102a0b580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.923392] ffff888102a0b600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.923787] ==================================================================