Date
Nov. 26, 2024, 6:09 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:

[ 32.021508] ==================================================================
[ 32.023192] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x600
[ 32.023912] Read of size 1 at addr fff00000c5e72800 by task kunit_try_catch/185
[ 32.024863]
[ 32.025296] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 32.026746] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.027348] Hardware name: linux,dummy-virt (DT)
[ 32.028328] Call trace:
[ 32.028737]  show_stack+0x20/0x38 (C)
[ 32.029489]  dump_stack_lvl+0x8c/0xd0
[ 32.030568]  print_report+0x118/0x5e0
[ 32.031071]  kasan_report+0xc8/0x118
[ 32.031711]  __kasan_check_byte+0x54/0x70
[ 32.032347]  ksize+0x30/0x88
[ 32.032931]  ksize_uaf+0x168/0x600
[ 32.033560]  kunit_try_run_case+0x14c/0x3d0
[ 32.034689]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.035385]  kthread+0x24c/0x2d0
[ 32.035967]  ret_from_fork+0x10/0x20
[ 32.036567]
[ 32.036907] Allocated by task 185:
[ 32.037349]  kasan_save_stack+0x3c/0x68
[ 32.038421]  kasan_save_track+0x20/0x40
[ 32.039059]  kasan_save_alloc_info+0x40/0x58
[ 32.039647]  __kasan_kmalloc+0xd4/0xd8
[ 32.040264]  __kmalloc_cache_noprof+0x15c/0x3c8
[ 32.040849]  ksize_uaf+0xb8/0x600
[ 32.041430]  kunit_try_run_case+0x14c/0x3d0
[ 32.042514]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.043217]  kthread+0x24c/0x2d0
[ 32.043750]  ret_from_fork+0x10/0x20
[ 32.044300]
[ 32.044684] Freed by task 185:
[ 32.045187]  kasan_save_stack+0x3c/0x68
[ 32.046248]  kasan_save_track+0x20/0x40
[ 32.046780]  kasan_save_free_info+0x4c/0x78
[ 32.047435]  __kasan_slab_free+0x6c/0x98
[ 32.048388]  kfree+0x114/0x3d0
[ 32.048875]  ksize_uaf+0x11c/0x600
[ 32.049395]  kunit_try_run_case+0x14c/0x3d0
[ 32.050556]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.051250]  kthread+0x24c/0x2d0
[ 32.051749]  ret_from_fork+0x10/0x20
[ 32.052271]
[ 32.053057] The buggy address belongs to the object at fff00000c5e72800
[ 32.053057]  which belongs to the cache kmalloc-128 of size 128
[ 32.054807] The buggy address is located 0 bytes inside of
[ 32.054807]  freed 128-byte region [fff00000c5e72800, fff00000c5e72880)
[ 32.056012]
[ 32.056387] The buggy address belongs to the physical page:
[ 32.056941] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105e72
[ 32.058394] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.059239] page_type: f5(slab)
[ 32.059753] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 32.060616] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 32.061544] page dumped because: kasan: bad access detected
[ 32.062322]
[ 32.063105] Memory state around the buggy address:
[ 32.063776]  fff00000c5e72700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 32.064618]  fff00000c5e72780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.065424] >fff00000c5e72800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.066753]                    ^
[ 32.067294]  fff00000c5e72880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.068115]  fff00000c5e72900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.068895] ==================================================================
[ 32.127164] ==================================================================
[ 32.128057] BUG: KASAN: slab-use-after-free in ksize_uaf+0x548/0x600
[ 32.128695] Read of size 1 at addr fff00000c5e72878 by task kunit_try_catch/185
[ 32.129763]
[ 32.130163] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 32.132108] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.132638] Hardware name: linux,dummy-virt (DT)
[ 32.133283] Call trace:
[ 32.133821]  show_stack+0x20/0x38 (C)
[ 32.134422]  dump_stack_lvl+0x8c/0xd0
[ 32.135128]  print_report+0x118/0x5e0
[ 32.135889]  kasan_report+0xc8/0x118
[ 32.136595]  __asan_report_load1_noabort+0x20/0x30
[ 32.137405]  ksize_uaf+0x548/0x600
[ 32.138153]  kunit_try_run_case+0x14c/0x3d0
[ 32.139148]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.139862]  kthread+0x24c/0x2d0
[ 32.140786]  ret_from_fork+0x10/0x20
[ 32.141494]
[ 32.142212] Allocated by task 185:
[ 32.143325]  kasan_save_stack+0x3c/0x68
[ 32.144142]  kasan_save_track+0x20/0x40
[ 32.144792]  kasan_save_alloc_info+0x40/0x58
[ 32.145487]  __kasan_kmalloc+0xd4/0xd8
[ 32.146582]  __kmalloc_cache_noprof+0x15c/0x3c8
[ 32.147100]  ksize_uaf+0xb8/0x600
[ 32.147691]  kunit_try_run_case+0x14c/0x3d0
[ 32.148364]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.149203]  kthread+0x24c/0x2d0
[ 32.149868]  ret_from_fork+0x10/0x20
[ 32.150948]
[ 32.151284] Freed by task 185:
[ 32.151824]  kasan_save_stack+0x3c/0x68
[ 32.152423]  kasan_save_track+0x20/0x40
[ 32.153072]  kasan_save_free_info+0x4c/0x78
[ 32.154140]  __kasan_slab_free+0x6c/0x98
[ 32.155003]  kfree+0x114/0x3d0
[ 32.155435]  ksize_uaf+0x11c/0x600
[ 32.155876]  kunit_try_run_case+0x14c/0x3d0
[ 32.156843]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.157580]  kthread+0x24c/0x2d0
[ 32.158065]  ret_from_fork+0x10/0x20
[ 32.159079]
[ 32.159601] The buggy address belongs to the object at fff00000c5e72800
[ 32.159601]  which belongs to the cache kmalloc-128 of size 128
[ 32.161249] The buggy address is located 120 bytes inside of
[ 32.161249]  freed 128-byte region [fff00000c5e72800, fff00000c5e72880)
[ 32.163491]
[ 32.163823] The buggy address belongs to the physical page:
[ 32.164612] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105e72
[ 32.165643] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.166872] page_type: f5(slab)
[ 32.167495] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 32.168578] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 32.169487] page dumped because: kasan: bad access detected
[ 32.170110]
[ 32.170479] Memory state around the buggy address:
[ 32.171187]  fff00000c5e72700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.172509]  fff00000c5e72780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.174086] >fff00000c5e72800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.175148]                                                                 ^
[ 32.175961]  fff00000c5e72880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.176824]  fff00000c5e72900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.178028] ==================================================================
[ 32.073268] ==================================================================
[ 32.074169] BUG: KASAN: slab-use-after-free in ksize_uaf+0x59c/0x600
[ 32.074861] Read of size 1 at addr fff00000c5e72800 by task kunit_try_catch/185
[ 32.076942]
[ 32.077329] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 32.078598] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.079685] Hardware name: linux,dummy-virt (DT)
[ 32.080634] Call trace:
[ 32.081131]  show_stack+0x20/0x38 (C)
[ 32.082502]  dump_stack_lvl+0x8c/0xd0
[ 32.083452]  print_report+0x118/0x5e0
[ 32.084110]  kasan_report+0xc8/0x118
[ 32.084740]  __asan_report_load1_noabort+0x20/0x30
[ 32.085519]  ksize_uaf+0x59c/0x600
[ 32.086518]  kunit_try_run_case+0x14c/0x3d0
[ 32.087252]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.088108]  kthread+0x24c/0x2d0
[ 32.088807]  ret_from_fork+0x10/0x20
[ 32.089355]
[ 32.089736] Allocated by task 185:
[ 32.090294]  kasan_save_stack+0x3c/0x68
[ 32.090796]  kasan_save_track+0x20/0x40
[ 32.091425]  kasan_save_alloc_info+0x40/0x58
[ 32.092915]  __kasan_kmalloc+0xd4/0xd8
[ 32.093290]  __kmalloc_cache_noprof+0x15c/0x3c8
[ 32.094006]  ksize_uaf+0xb8/0x600
[ 32.094458]  kunit_try_run_case+0x14c/0x3d0
[ 32.095599]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.096375]  kthread+0x24c/0x2d0
[ 32.096977]  ret_from_fork+0x10/0x20
[ 32.097487]
[ 32.098687] Freed by task 185:
[ 32.099340]  kasan_save_stack+0x3c/0x68
[ 32.099870]  kasan_save_track+0x20/0x40
[ 32.100506]  kasan_save_free_info+0x4c/0x78
[ 32.101136]  __kasan_slab_free+0x6c/0x98
[ 32.102062]  kfree+0x114/0x3d0
[ 32.102675]  ksize_uaf+0x11c/0x600
[ 32.103265]  kunit_try_run_case+0x14c/0x3d0
[ 32.103923]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.104607]  kthread+0x24c/0x2d0
[ 32.105181]  ret_from_fork+0x10/0x20
[ 32.106553]
[ 32.106918] The buggy address belongs to the object at fff00000c5e72800
[ 32.106918]  which belongs to the cache kmalloc-128 of size 128
[ 32.108600] The buggy address is located 0 bytes inside of
[ 32.108600]  freed 128-byte region [fff00000c5e72800, fff00000c5e72880)
[ 32.110338]
[ 32.110777] The buggy address belongs to the physical page:
[ 32.111465] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105e72
[ 32.112692] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.113436] page_type: f5(slab)
[ 32.113987] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 32.115490] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 32.116370] page dumped because: kasan: bad access detected
[ 32.117264]
[ 32.117743] Memory state around the buggy address:
[ 32.118625]  fff00000c5e72700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.119937]  fff00000c5e72780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.120815] >fff00000c5e72800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.121641]                    ^
[ 32.122294]  fff00000c5e72880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.123243]  fff00000c5e72900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.124713] ==================================================================
[ 32.091015] ==================================================================
[ 32.091893] BUG: KASAN: slab-use-after-free in ksize_uaf+0x59c/0x600
[ 32.092729] Read of size 1 at addr fff00000c5915300 by task kunit_try_catch/185
[ 32.093525]
[ 32.094374] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 32.095473] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.096074] Hardware name: linux,dummy-virt (DT)
[ 32.097837] Call trace:
[ 32.098274]  show_stack+0x20/0x38 (C)
[ 32.098794]  dump_stack_lvl+0x8c/0xd0
[ 32.099459]  print_report+0x118/0x5e0
[ 32.099987]  kasan_report+0xc8/0x118
[ 32.101017]  __asan_report_load1_noabort+0x20/0x30
[ 32.101681]  ksize_uaf+0x59c/0x600
[ 32.102178]  kunit_try_run_case+0x14c/0x3d0
[ 32.102878]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.103559]  kthread+0x24c/0x2d0
[ 32.104218]  ret_from_fork+0x10/0x20
[ 32.105442]
[ 32.105734] Allocated by task 185:
[ 32.106611]  kasan_save_stack+0x3c/0x68
[ 32.107351]  kasan_save_track+0x20/0x40
[ 32.107879]  kasan_save_alloc_info+0x40/0x58
[ 32.108512]  __kasan_kmalloc+0xd4/0xd8
[ 32.109504]  __kmalloc_cache_noprof+0x15c/0x3c8
[ 32.110155]  ksize_uaf+0xb8/0x600
[ 32.110689]  kunit_try_run_case+0x14c/0x3d0
[ 32.111403]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.112139]  kthread+0x24c/0x2d0
[ 32.113212]  ret_from_fork+0x10/0x20
[ 32.113935]
[ 32.114227] Freed by task 185:
[ 32.114825]  kasan_save_stack+0x3c/0x68
[ 32.115544]  kasan_save_track+0x20/0x40
[ 32.116217]  kasan_save_free_info+0x4c/0x78
[ 32.117263]  __kasan_slab_free+0x6c/0x98
[ 32.117856]  kfree+0x114/0x3d0
[ 32.118418]  ksize_uaf+0x11c/0x600
[ 32.119015]  kunit_try_run_case+0x14c/0x3d0
[ 32.119538]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.120555]  kthread+0x24c/0x2d0
[ 32.121616]  ret_from_fork+0x10/0x20
[ 32.122460]
[ 32.122826] The buggy address belongs to the object at fff00000c5915300
[ 32.122826]  which belongs to the cache kmalloc-128 of size 128
[ 32.124014] The buggy address is located 0 bytes inside of
[ 32.124014]  freed 128-byte region [fff00000c5915300, fff00000c5915380)
[ 32.125922]
[ 32.126322] The buggy address belongs to the physical page:
[ 32.126958] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105915
[ 32.127897] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.128863] page_type: f5(slab)
[ 32.129869] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 32.130680] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 32.131849] page dumped because: kasan: bad access detected
[ 32.133317]
[ 32.133619] Memory state around the buggy address:
[ 32.134513]  fff00000c5915200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.135463]  fff00000c5915280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.136264] >fff00000c5915300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.137242]                    ^
[ 32.137641]  fff00000c5915380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.138469]  fff00000c5915400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.139402] ==================================================================
[ 32.140955] ==================================================================
[ 32.141861] BUG: KASAN: slab-use-after-free in ksize_uaf+0x548/0x600
[ 32.142787] Read of size 1 at addr fff00000c5915378 by task kunit_try_catch/185
[ 32.143687]
[ 32.144164] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 32.145542] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.146165] Hardware name: linux,dummy-virt (DT)
[ 32.146842] Call trace:
[ 32.147933]  show_stack+0x20/0x38 (C)
[ 32.148800]  dump_stack_lvl+0x8c/0xd0
[ 32.149315]  print_report+0x118/0x5e0
[ 32.150237]  kasan_report+0xc8/0x118
[ 32.150864]  __asan_report_load1_noabort+0x20/0x30
[ 32.151711]  ksize_uaf+0x548/0x600
[ 32.152761]  kunit_try_run_case+0x14c/0x3d0
[ 32.153475]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.154457]  kthread+0x24c/0x2d0
[ 32.154826]  ret_from_fork+0x10/0x20
[ 32.155499]
[ 32.155919] Allocated by task 185:
[ 32.156439]  kasan_save_stack+0x3c/0x68
[ 32.157357]  kasan_save_track+0x20/0x40
[ 32.158123]  kasan_save_alloc_info+0x40/0x58
[ 32.158798]  __kasan_kmalloc+0xd4/0xd8
[ 32.159382]  __kmalloc_cache_noprof+0x15c/0x3c8
[ 32.160072]  ksize_uaf+0xb8/0x600
[ 32.160541]  kunit_try_run_case+0x14c/0x3d0
[ 32.161204]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.161896]  kthread+0x24c/0x2d0
[ 32.163248]  ret_from_fork+0x10/0x20
[ 32.163765]
[ 32.164148] Freed by task 185:
[ 32.165129]  kasan_save_stack+0x3c/0x68
[ 32.165696]  kasan_save_track+0x20/0x40
[ 32.166325]  kasan_save_free_info+0x4c/0x78
[ 32.166934]  __kasan_slab_free+0x6c/0x98
[ 32.167515]  kfree+0x114/0x3d0
[ 32.168212]  ksize_uaf+0x11c/0x600
[ 32.169669]  kunit_try_run_case+0x14c/0x3d0
[ 32.170251]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.171069]  kthread+0x24c/0x2d0
[ 32.171592]  ret_from_fork+0x10/0x20
[ 32.172207]
[ 32.172559] The buggy address belongs to the object at fff00000c5915300
[ 32.172559]  which belongs to the cache kmalloc-128 of size 128
[ 32.174470] The buggy address is located 120 bytes inside of
[ 32.174470]  freed 128-byte region [fff00000c5915300, fff00000c5915380)
[ 32.176311]
[ 32.176820] The buggy address belongs to the physical page:
[ 32.177563] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105915
[ 32.178464] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.179359] page_type: f5(slab)
[ 32.179870] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 32.180482] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 32.180854] page dumped because: kasan: bad access detected
[ 32.182094]
[ 32.182500] Memory state around the buggy address:
[ 32.183232]  fff00000c5915200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.184179]  fff00000c5915280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.186113] >fff00000c5915300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.187271]                                                                 ^
[ 32.188469]  fff00000c5915380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.189639]  fff00000c5915400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.190373] ==================================================================
[ 32.038917] ==================================================================
[ 32.040073] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x600
[ 32.040884] Read of size 1 at addr fff00000c5915300 by task kunit_try_catch/185
[ 32.042321]
[ 32.042664] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 32.043858] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.044884] Hardware name: linux,dummy-virt (DT)
[ 32.046090] Call trace:
[ 32.046552]  show_stack+0x20/0x38 (C)
[ 32.047291]  dump_stack_lvl+0x8c/0xd0
[ 32.047962]  print_report+0x118/0x5e0
[ 32.048721]  kasan_report+0xc8/0x118
[ 32.049217]  __kasan_check_byte+0x54/0x70
[ 32.049798]  ksize+0x30/0x88
[ 32.050547]  ksize_uaf+0x168/0x600
[ 32.051045]  kunit_try_run_case+0x14c/0x3d0
[ 32.051768]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.052592]  kthread+0x24c/0x2d0
[ 32.053575]  ret_from_fork+0x10/0x20
[ 32.054191]
[ 32.054606] Allocated by task 185:
[ 32.055146]  kasan_save_stack+0x3c/0x68
[ 32.055757]  kasan_save_track+0x20/0x40
[ 32.056321]  kasan_save_alloc_info+0x40/0x58
[ 32.057043]  __kasan_kmalloc+0xd4/0xd8
[ 32.057654]  __kmalloc_cache_noprof+0x15c/0x3c8
[ 32.058233]  ksize_uaf+0xb8/0x600
[ 32.058692]  kunit_try_run_case+0x14c/0x3d0
[ 32.060037]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.061028]  kthread+0x24c/0x2d0
[ 32.061759]  ret_from_fork+0x10/0x20
[ 32.062433]
[ 32.062852] Freed by task 185:
[ 32.063542]  kasan_save_stack+0x3c/0x68
[ 32.064290]  kasan_save_track+0x20/0x40
[ 32.065018]  kasan_save_free_info+0x4c/0x78
[ 32.065508]  __kasan_slab_free+0x6c/0x98
[ 32.066269]  kfree+0x114/0x3d0
[ 32.066958]  ksize_uaf+0x11c/0x600
[ 32.067623]  kunit_try_run_case+0x14c/0x3d0
[ 32.068455]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.069309]  kthread+0x24c/0x2d0
[ 32.070247]  ret_from_fork+0x10/0x20
[ 32.070789]
[ 32.071220] The buggy address belongs to the object at fff00000c5915300
[ 32.071220]  which belongs to the cache kmalloc-128 of size 128
[ 32.072574] The buggy address is located 0 bytes inside of
[ 32.072574]  freed 128-byte region [fff00000c5915300, fff00000c5915380)
[ 32.074682]
[ 32.075117] The buggy address belongs to the physical page:
[ 32.075773] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105915
[ 32.076845] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.078055] page_type: f5(slab)
[ 32.078631] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 32.079597] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 32.081209] page dumped because: kasan: bad access detected
[ 32.081985]
[ 32.082385] Memory state around the buggy address:
[ 32.083049]  fff00000c5915200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.084004]  fff00000c5915280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.084891] >fff00000c5915300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.086015]                    ^
[ 32.086536]  fff00000c5915380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.087323]  fff00000c5915400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.088147] ==================================================================
qemu-x86_64:

[ 26.196817] ==================================================================
[ 26.197217] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19e/0x6c0
[ 26.197217] Read of size 1 at addr ffff88810293c500 by task kunit_try_catch/205
[ 26.197217]
[ 26.197217] CPU: 1 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 26.197217] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.197217] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 26.197217] Call Trace:
[ 26.197217]  <TASK>
[ 26.197217]  dump_stack_lvl+0x73/0xb0
[ 26.197217]  print_report+0xd1/0x640
[ 26.197217]  ? __virt_addr_valid+0x1db/0x2d0
[ 26.197217]  ? kasan_complete_mode_report_info+0x64/0x200
[ 26.197217]  kasan_report+0x102/0x140
[ 26.197217]  ? ksize_uaf+0x19e/0x6c0
[ 26.197217]  ? ksize_uaf+0x19e/0x6c0
[ 26.197217]  ? ksize_uaf+0x19e/0x6c0
[ 26.197217]  __kasan_check_byte+0x3d/0x50
[ 26.197217]  ksize+0x20/0x60
[ 26.197217]  ksize_uaf+0x19e/0x6c0
[ 26.197217]  ? __pfx_ksize_uaf+0x10/0x10
[ 26.197217]  ? __schedule+0xc3e/0x2790
[ 26.197217]  ? ktime_get_ts64+0x84/0x230
[ 26.197217]  kunit_try_run_case+0x1b3/0x490
[ 26.197217]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.197217]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 26.197217]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 26.197217]  ? __kthread_parkme+0x82/0x160
[ 26.197217]  ? preempt_count_sub+0x50/0x80
[ 26.197217]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.197217]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 26.197217]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.197217]  kthread+0x257/0x310
[ 26.197217]  ? __pfx_kthread+0x10/0x10
[ 26.197217]  ret_from_fork+0x41/0x80
[ 26.197217]  ? __pfx_kthread+0x10/0x10
[ 26.197217]  ret_from_fork_asm+0x1a/0x30
[ 26.197217]  </TASK>
[ 26.197217]
[ 26.197217] Allocated by task 205:
[ 26.197217]  kasan_save_stack+0x3d/0x60
[ 26.197217]  kasan_save_track+0x18/0x40
[ 26.197217]  kasan_save_alloc_info+0x3b/0x50
[ 26.197217]  __kasan_kmalloc+0xb7/0xc0
[ 26.197217]  __kmalloc_cache_noprof+0x184/0x410
[ 26.197217]  ksize_uaf+0xab/0x6c0
[ 26.197217]  kunit_try_run_case+0x1b3/0x490
[ 26.197217]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.197217]  kthread+0x257/0x310
[ 26.197217]  ret_from_fork+0x41/0x80
[ 26.197217]  ret_from_fork_asm+0x1a/0x30
[ 26.197217]
[ 26.197217] Freed by task 205:
[ 26.197217]  kasan_save_stack+0x3d/0x60
[ 26.197217]  kasan_save_track+0x18/0x40
[ 26.197217]  kasan_save_free_info+0x3f/0x60
[ 26.197217]  __kasan_slab_free+0x56/0x70
[ 26.197217]  kfree+0x123/0x3f0
[ 26.197217]  ksize_uaf+0x12d/0x6c0
[ 26.197217]  kunit_try_run_case+0x1b3/0x490
[ 26.197217]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.197217]  kthread+0x257/0x310
[ 26.197217]  ret_from_fork+0x41/0x80
[ 26.197217]  ret_from_fork_asm+0x1a/0x30
[ 26.197217]
[ 26.197217] The buggy address belongs to the object at ffff88810293c500
[ 26.197217]  which belongs to the cache kmalloc-128 of size 128
[ 26.197217] The buggy address is located 0 bytes inside of
[ 26.197217]  freed 128-byte region [ffff88810293c500, ffff88810293c580)
[ 26.197217]
[ 26.197217] The buggy address belongs to the physical page:
[ 26.197217] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10293c
[ 26.197217] flags: 0x200000000000000(node=0|zone=2)
[ 26.197217] page_type: f5(slab)
[ 26.197217] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 26.197217] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 26.197217] page dumped because: kasan: bad access detected
[ 26.197217]
[ 26.197217] Memory state around the buggy address:
[ 26.197217]  ffff88810293c400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 26.197217]  ffff88810293c480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.197217] >ffff88810293c500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.197217]                    ^
[ 26.197217]  ffff88810293c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.197217]  ffff88810293c600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.197217] ==================================================================
[ 26.255446] ==================================================================
[ 26.256187] BUG: KASAN: slab-use-after-free in ksize_uaf+0x600/0x6c0
[ 26.256187] Read of size 1 at addr ffff88810293c500 by task kunit_try_catch/205
[ 26.256187]
[ 26.256187] CPU: 1 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 26.256187] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.256187] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 26.256187] Call Trace:
[ 26.256187]  <TASK>
[ 26.256187]  dump_stack_lvl+0x73/0xb0
[ 26.256187]  print_report+0xd1/0x640
[ 26.256187]  ? __virt_addr_valid+0x1db/0x2d0
[ 26.256187]  ? kasan_complete_mode_report_info+0x64/0x200
[ 26.256187]  kasan_report+0x102/0x140
[ 26.256187]  ? ksize_uaf+0x600/0x6c0
[ 26.256187]  ? ksize_uaf+0x600/0x6c0
[ 26.256187]  __asan_report_load1_noabort+0x18/0x20
[ 26.256187]  ksize_uaf+0x600/0x6c0
[ 26.256187]  ? __pfx_ksize_uaf+0x10/0x10
[ 26.256187]  ? __schedule+0xc3e/0x2790
[ 26.256187]  ? ktime_get_ts64+0x84/0x230
[ 26.256187]  kunit_try_run_case+0x1b3/0x490
[ 26.256187]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.256187]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 26.256187]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 26.256187]  ? __kthread_parkme+0x82/0x160
[ 26.256187]  ? preempt_count_sub+0x50/0x80
[ 26.256187]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.256187]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 26.256187]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.256187]  kthread+0x257/0x310
[ 26.256187]  ? __pfx_kthread+0x10/0x10
[ 26.256187]  ret_from_fork+0x41/0x80
[ 26.256187]  ? __pfx_kthread+0x10/0x10
[ 26.256187]  ret_from_fork_asm+0x1a/0x30
[ 26.256187]  </TASK>
[ 26.256187]
[ 26.256187] Allocated by task 205:
[ 26.256187]  kasan_save_stack+0x3d/0x60
[ 26.256187]  kasan_save_track+0x18/0x40
[ 26.256187]  kasan_save_alloc_info+0x3b/0x50
[ 26.256187]  __kasan_kmalloc+0xb7/0xc0
[ 26.256187]  __kmalloc_cache_noprof+0x184/0x410
[ 26.256187]  ksize_uaf+0xab/0x6c0
[ 26.256187]  kunit_try_run_case+0x1b3/0x490
[ 26.256187]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.256187]  kthread+0x257/0x310
[ 26.256187]  ret_from_fork+0x41/0x80
[ 26.256187]  ret_from_fork_asm+0x1a/0x30
[ 26.256187]
[ 26.256187] Freed by task 205:
[ 26.256187]  kasan_save_stack+0x3d/0x60
[ 26.256187]  kasan_save_track+0x18/0x40
[ 26.256187]  kasan_save_free_info+0x3f/0x60
[ 26.256187]  __kasan_slab_free+0x56/0x70
[ 26.256187]  kfree+0x123/0x3f0
[ 26.256187]  ksize_uaf+0x12d/0x6c0
[ 26.256187]  kunit_try_run_case+0x1b3/0x490
[ 26.256187]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.256187]  kthread+0x257/0x310
[ 26.256187]  ret_from_fork+0x41/0x80
[ 26.256187]  ret_from_fork_asm+0x1a/0x30
[ 26.256187]
[ 26.256187] The buggy address belongs to the object at ffff88810293c500
[ 26.256187]  which belongs to the cache kmalloc-128 of size 128
[ 26.256187] The buggy address is located 0 bytes inside of
[ 26.256187]  freed 128-byte region [ffff88810293c500, ffff88810293c580)
[ 26.256187]
[ 26.256187] The buggy address belongs to the physical page:
[ 26.256187] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10293c
[ 26.256187] flags: 0x200000000000000(node=0|zone=2)
[ 26.256187] page_type: f5(slab)
[ 26.256187] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 26.256187] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 26.256187] page dumped because: kasan: bad access detected
[ 26.256187]
[ 26.256187] Memory state around the buggy address:
[ 26.256187]  ffff88810293c400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.256187]  ffff88810293c480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.256187] >ffff88810293c500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.256187]                    ^
[ 26.256187]  ffff88810293c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.256187]  ffff88810293c600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.256187] ==================================================================
[ 26.314540] ==================================================================
[ 26.315151] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e6/0x6c0
[ 26.315151] Read of size 1 at addr ffff88810293c578 by task kunit_try_catch/205
[ 26.315151]
[ 26.315151] CPU: 1 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 26.315151] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.315151] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 26.315151] Call Trace:
[ 26.315151]  <TASK>
[ 26.315151]  dump_stack_lvl+0x73/0xb0
[ 26.315151]  print_report+0xd1/0x640
[ 26.315151]  ? __virt_addr_valid+0x1db/0x2d0
[ 26.315151]  ? kasan_complete_mode_report_info+0x64/0x200
[ 26.315151]  kasan_report+0x102/0x140
[ 26.315151]  ? ksize_uaf+0x5e6/0x6c0
[ 26.315151]  ? ksize_uaf+0x5e6/0x6c0
[ 26.315151]  __asan_report_load1_noabort+0x18/0x20
[ 26.315151]  ksize_uaf+0x5e6/0x6c0
[ 26.315151]  ? __pfx_ksize_uaf+0x10/0x10
[ 26.315151]  ? __schedule+0xc3e/0x2790
[ 26.315151]  ? ktime_get_ts64+0x84/0x230
[ 26.315151]  kunit_try_run_case+0x1b3/0x490
[ 26.315151]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.315151]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 26.315151]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 26.315151]  ? __kthread_parkme+0x82/0x160
[ 26.315151]  ? preempt_count_sub+0x50/0x80
[ 26.315151]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.315151]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 26.315151]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.315151]  kthread+0x257/0x310
[ 26.315151]  ? __pfx_kthread+0x10/0x10
[ 26.315151]  ret_from_fork+0x41/0x80
[ 26.315151]  ? __pfx_kthread+0x10/0x10
[ 26.315151]  ret_from_fork_asm+0x1a/0x30
[ 26.315151]  </TASK>
[ 26.315151]
[ 26.315151] Allocated by task 205:
[ 26.315151]  kasan_save_stack+0x3d/0x60
[ 26.315151]  kasan_save_track+0x18/0x40
[ 26.315151]  kasan_save_alloc_info+0x3b/0x50
[ 26.315151]  __kasan_kmalloc+0xb7/0xc0
[ 26.315151]  __kmalloc_cache_noprof+0x184/0x410
[ 26.315151]  ksize_uaf+0xab/0x6c0
[ 26.315151]  kunit_try_run_case+0x1b3/0x490
[ 26.315151]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.315151]  kthread+0x257/0x310
[ 26.315151]  ret_from_fork+0x41/0x80
[ 26.315151]  ret_from_fork_asm+0x1a/0x30
[ 26.315151]
[ 26.315151] Freed by task 205:
[ 26.315151]  kasan_save_stack+0x3d/0x60
[ 26.315151]  kasan_save_track+0x18/0x40
[ 26.315151]  kasan_save_free_info+0x3f/0x60
[ 26.315151]  __kasan_slab_free+0x56/0x70
[ 26.315151]  kfree+0x123/0x3f0
[ 26.315151]  ksize_uaf+0x12d/0x6c0
[ 26.315151]  kunit_try_run_case+0x1b3/0x490
[ 26.315151]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.315151]  kthread+0x257/0x310
[ 26.315151]  ret_from_fork+0x41/0x80
[ 26.315151]  ret_from_fork_asm+0x1a/0x30
[ 26.315151]
[ 26.315151] The buggy address belongs to the object at ffff88810293c500
[ 26.315151]  which belongs to the cache kmalloc-128 of size 128
[ 26.315151] The buggy address is located 120 bytes inside of
[ 26.315151]  freed 128-byte region [ffff88810293c500, ffff88810293c580)
[ 26.315151]
[ 26.315151] The buggy address belongs to the physical page:
[ 26.315151] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10293c
[ 26.315151] flags: 0x200000000000000(node=0|zone=2)
[ 26.315151] page_type: f5(slab)
[ 26.315151] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 26.315151] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 26.315151] page dumped because: kasan: bad access detected
[ 26.315151]
[ 26.315151] Memory state around the buggy address:
[ 26.315151]  ffff88810293c400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.315151]  ffff88810293c480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.315151] >ffff88810293c500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.315151]                                                                 ^
[ 26.315151]  ffff88810293c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.315151]  ffff88810293c600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.315151] ==================================================================
[ 21.208205] ==================================================================
[ 21.209258] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19e/0x6c0
[ 21.210179] Read of size 1 at addr ffff888102961500 by task kunit_try_catch/203
[ 21.210936]
[ 21.211130] CPU: 1 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 21.213004] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.213655] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 21.214655] Call Trace:
[ 21.214886]  <TASK>
[ 21.215173]  dump_stack_lvl+0x73/0xb0
[ 21.215957]  print_report+0xd1/0x640
[ 21.216461]  ? __virt_addr_valid+0x1db/0x2d0
[ 21.217551]  ? kasan_complete_mode_report_info+0x64/0x200
[ 21.218517]  kasan_report+0x102/0x140
[ 21.218944]  ? ksize_uaf+0x19e/0x6c0
[ 21.219611]  ? ksize_uaf+0x19e/0x6c0
[ 21.220092]  ? ksize_uaf+0x19e/0x6c0
[ 21.220481]  __kasan_check_byte+0x3d/0x50
[ 21.220972]  ksize+0x20/0x60
[ 21.221348]  ksize_uaf+0x19e/0x6c0
[ 21.221734]  ? __pfx_ksize_uaf+0x10/0x10
[ 21.222023]  ? __schedule+0xc3e/0x2790
[ 21.222460]  ? __pfx_read_tsc+0x10/0x10
[ 21.223345]  ? ktime_get_ts64+0x84/0x230
[ 21.223917]  kunit_try_run_case+0x1b3/0x490
[ 21.224433]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.224923]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 21.225543]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 21.226544]  ? __kthread_parkme+0x82/0x160
[ 21.226985]  ? preempt_count_sub+0x50/0x80
[ 21.227293]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.228360]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 21.229612]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.230448]  kthread+0x257/0x310
[ 21.230918]  ? __pfx_kthread+0x10/0x10
[ 21.231508]  ret_from_fork+0x41/0x80
[ 21.231847]  ? __pfx_kthread+0x10/0x10
[ 21.232222]  ret_from_fork_asm+0x1a/0x30
[ 21.232871]  </TASK>
[ 21.233154]
[ 21.233544] Allocated by task 203:
[ 21.233805]  kasan_save_stack+0x3d/0x60
[ 21.234100]  kasan_save_track+0x18/0x40
[ 21.235034]  kasan_save_alloc_info+0x3b/0x50
[ 21.235658]  __kasan_kmalloc+0xb7/0xc0
[ 21.235998]  __kmalloc_cache_noprof+0x184/0x410
[ 21.236585]  ksize_uaf+0xab/0x6c0
[ 21.237529]  kunit_try_run_case+0x1b3/0x490
[ 21.238070]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.238535]  kthread+0x257/0x310
[ 21.238881]  ret_from_fork+0x41/0x80
[ 21.239397]  ret_from_fork_asm+0x1a/0x30
[ 21.239891]
[ 21.240967] Freed by task 203:
[ 21.241198]  kasan_save_stack+0x3d/0x60
[ 21.242107]  kasan_save_track+0x18/0x40
[ 21.242512]  kasan_save_free_info+0x3f/0x60
[ 21.242936]  __kasan_slab_free+0x56/0x70
[ 21.244173]  kfree+0x123/0x3f0
[ 21.244551]  ksize_uaf+0x12d/0x6c0
[ 21.245113]  kunit_try_run_case+0x1b3/0x490
[ 21.246399]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.246886]  kthread+0x257/0x310
[ 21.247635]  ret_from_fork+0x41/0x80
[ 21.248257]  ret_from_fork_asm+0x1a/0x30
[ 21.248931]
[ 21.249309] The buggy address belongs to the object at ffff888102961500
[ 21.249309]  which belongs to the cache kmalloc-128 of size 128
[ 21.250592] The buggy address is located 0 bytes inside of
[ 21.250592]  freed 128-byte region [ffff888102961500, ffff888102961580)
[ 21.252354]
[ 21.252682] The buggy address belongs to the physical page:
[ 21.253257] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102961
[ 21.253917] flags: 0x200000000000000(node=0|zone=2)
[ 21.254451] page_type: f5(slab)
[ 21.254943] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 21.255749] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 21.256534] page dumped because: kasan: bad access detected
[ 21.256952]
[ 21.257185] Memory state around the buggy address:
[ 21.258038]  ffff888102961400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.258601]  ffff888102961480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.259924] >ffff888102961500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.260710]                    ^
[ 21.261045]  ffff888102961580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.261574]  ffff888102961600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.262097] ==================================================================
[ 21.311625] ==================================================================
[ 21.312233] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e6/0x6c0
[ 21.312823] Read of size 1 at addr ffff888102961578 by task kunit_try_catch/203
[ 21.313423]
[ 21.314146] CPU: 1 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 21.315045] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.315807] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 21.316876] Call Trace:
[ 21.317122]  <TASK>
[ 21.317329]  dump_stack_lvl+0x73/0xb0
[ 21.317745]  print_report+0xd1/0x640
[ 21.318181]  ? __virt_addr_valid+0x1db/0x2d0
[ 21.318892]  ? kasan_complete_mode_report_info+0x64/0x200
[ 21.319639]  kasan_report+0x102/0x140
[ 21.320270]  ? ksize_uaf+0x5e6/0x6c0
[ 21.320758]  ? ksize_uaf+0x5e6/0x6c0
[ 21.321397]  __asan_report_load1_noabort+0x18/0x20
[ 21.322792]  ksize_uaf+0x5e6/0x6c0
[ 21.323255]  ? __pfx_ksize_uaf+0x10/0x10
[ 21.323878]  ? __schedule+0xc3e/0x2790
[ 21.324623]  ? __pfx_read_tsc+0x10/0x10
[ 21.325319]  ? ktime_get_ts64+0x84/0x230
[ 21.325840]  kunit_try_run_case+0x1b3/0x490
[ 21.326315]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.327480]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 21.328187]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 21.328662]  ? __kthread_parkme+0x82/0x160
[ 21.329218]  ? preempt_count_sub+0x50/0x80
[ 21.329703]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.330356]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 21.331126]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.331745]  kthread+0x257/0x310
[ 21.332645]  ?
__pfx_kthread+0x10/0x10 [ 21.333296] ret_from_fork+0x41/0x80 [ 21.333807] ? __pfx_kthread+0x10/0x10 [ 21.334258] ret_from_fork_asm+0x1a/0x30 [ 21.334967] </TASK> [ 21.335502] [ 21.335811] Allocated by task 203: [ 21.336285] kasan_save_stack+0x3d/0x60 [ 21.336815] kasan_save_track+0x18/0x40 [ 21.337766] kasan_save_alloc_info+0x3b/0x50 [ 21.338297] __kasan_kmalloc+0xb7/0xc0 [ 21.338604] __kmalloc_cache_noprof+0x184/0x410 [ 21.338896] ksize_uaf+0xab/0x6c0 [ 21.339136] kunit_try_run_case+0x1b3/0x490 [ 21.339850] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 21.340570] kthread+0x257/0x310 [ 21.341154] ret_from_fork+0x41/0x80 [ 21.341644] ret_from_fork_asm+0x1a/0x30 [ 21.342262] [ 21.342543] Freed by task 203: [ 21.342922] kasan_save_stack+0x3d/0x60 [ 21.343870] kasan_save_track+0x18/0x40 [ 21.344634] kasan_save_free_info+0x3f/0x60 [ 21.345323] __kasan_slab_free+0x56/0x70 [ 21.345760] kfree+0x123/0x3f0 [ 21.346170] ksize_uaf+0x12d/0x6c0 [ 21.346618] kunit_try_run_case+0x1b3/0x490 [ 21.347185] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 21.347900] kthread+0x257/0x310 [ 21.348912] ret_from_fork+0x41/0x80 [ 21.349471] ret_from_fork_asm+0x1a/0x30 [ 21.350099] [ 21.350377] The buggy address belongs to the object at ffff888102961500 [ 21.350377] which belongs to the cache kmalloc-128 of size 128 [ 21.351289] The buggy address is located 120 bytes inside of [ 21.351289] freed 128-byte region [ffff888102961500, ffff888102961580) [ 21.352520] [ 21.352795] The buggy address belongs to the physical page: [ 21.353865] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102961 [ 21.354837] flags: 0x200000000000000(node=0|zone=2) [ 21.355540] page_type: f5(slab) [ 21.355831] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 21.356370] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 21.357243] page dumped because: kasan: bad access detected [ 21.357783] [ 21.358006] Memory state around the buggy address: [ 
21.358482] ffff888102961400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.359867] ffff888102961480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.360699] >ffff888102961500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.361372] ^ [ 21.362217] ffff888102961580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.362862] ffff888102961600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.363892] ================================================================== [ 21.265807] ================================================================== [ 21.266705] BUG: KASAN: slab-use-after-free in ksize_uaf+0x600/0x6c0 [ 21.267656] Read of size 1 at addr ffff888102961500 by task kunit_try_catch/203 [ 21.268351] [ 21.268913] CPU: 1 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1 [ 21.270322] Tainted: [B]=BAD_PAGE, [N]=TEST [ 21.270630] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 21.271591] Call Trace: [ 21.272169] <TASK> [ 21.272674] dump_stack_lvl+0x73/0xb0 [ 21.273290] print_report+0xd1/0x640 [ 21.273746] ? __virt_addr_valid+0x1db/0x2d0 [ 21.274205] ? kasan_complete_mode_report_info+0x64/0x200 [ 21.275162] kasan_report+0x102/0x140 [ 21.275782] ? ksize_uaf+0x600/0x6c0 [ 21.275965] ? ksize_uaf+0x600/0x6c0 [ 21.277189] __asan_report_load1_noabort+0x18/0x20 [ 21.277616] ksize_uaf+0x600/0x6c0 [ 21.278091] ? __pfx_ksize_uaf+0x10/0x10 [ 21.278646] ? __schedule+0xc3e/0x2790 [ 21.279269] ? __pfx_read_tsc+0x10/0x10 [ 21.279817] ? ktime_get_ts64+0x84/0x230 [ 21.280403] kunit_try_run_case+0x1b3/0x490 [ 21.280919] ? __pfx_kunit_try_run_case+0x10/0x10 [ 21.282159] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 21.283021] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 21.283754] ? __kthread_parkme+0x82/0x160 [ 21.284193] ? preempt_count_sub+0x50/0x80 [ 21.284858] ? __pfx_kunit_try_run_case+0x10/0x10 [ 21.285628] ? 
__pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 21.286085] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 21.286682] kthread+0x257/0x310 [ 21.287087] ? __pfx_kthread+0x10/0x10 [ 21.287699] ret_from_fork+0x41/0x80 [ 21.287972] ? __pfx_kthread+0x10/0x10 [ 21.288307] ret_from_fork_asm+0x1a/0x30 [ 21.288775] </TASK> [ 21.289052] [ 21.289256] Allocated by task 203: [ 21.289478] kasan_save_stack+0x3d/0x60 [ 21.289928] kasan_save_track+0x18/0x40 [ 21.290398] kasan_save_alloc_info+0x3b/0x50 [ 21.291049] __kasan_kmalloc+0xb7/0xc0 [ 21.291301] __kmalloc_cache_noprof+0x184/0x410 [ 21.291759] ksize_uaf+0xab/0x6c0 [ 21.292317] kunit_try_run_case+0x1b3/0x490 [ 21.292672] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 21.293343] kthread+0x257/0x310 [ 21.293719] ret_from_fork+0x41/0x80 [ 21.294238] ret_from_fork_asm+0x1a/0x30 [ 21.294719] [ 21.294935] Freed by task 203: [ 21.295396] kasan_save_stack+0x3d/0x60 [ 21.295733] kasan_save_track+0x18/0x40 [ 21.296006] kasan_save_free_info+0x3f/0x60 [ 21.296288] __kasan_slab_free+0x56/0x70 [ 21.296774] kfree+0x123/0x3f0 [ 21.297288] ksize_uaf+0x12d/0x6c0 [ 21.297708] kunit_try_run_case+0x1b3/0x490 [ 21.298189] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 21.298752] kthread+0x257/0x310 [ 21.299227] ret_from_fork+0x41/0x80 [ 21.299770] ret_from_fork_asm+0x1a/0x30 [ 21.300242] [ 21.300541] The buggy address belongs to the object at ffff888102961500 [ 21.300541] which belongs to the cache kmalloc-128 of size 128 [ 21.301463] The buggy address is located 0 bytes inside of [ 21.301463] freed 128-byte region [ffff888102961500, ffff888102961580) [ 21.302090] [ 21.302368] The buggy address belongs to the physical page: [ 21.302926] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102961 [ 21.303752] flags: 0x200000000000000(node=0|zone=2) [ 21.304395] page_type: f5(slab) [ 21.304842] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 21.305537] raw: 0000000000000000 0000000080100010 
00000001f5000000 0000000000000000 [ 21.306064] page dumped because: kasan: bad access detected [ 21.306368] [ 21.306558] Memory state around the buggy address: [ 21.307097] ffff888102961400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.307768] ffff888102961480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.308421] >ffff888102961500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 21.308989] ^ [ 21.309341] ffff888102961580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.309845] ffff888102961600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.310547] ==================================================================