Date
Nov. 27, 2024, 3:37 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 48.668959] ================================================================== [ 48.670242] BUG: KASAN: slab-use-after-free in ksize_uaf+0x59c/0x600 [ 48.671150] Read of size 1 at addr fff00000c61b5500 by task kunit_try_catch/185 [ 48.671894] [ 48.672233] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241127 #1 [ 48.673905] Tainted: [B]=BAD_PAGE, [N]=TEST [ 48.674760] Hardware name: linux,dummy-virt (DT) [ 48.675268] Call trace: [ 48.675742] show_stack+0x20/0x38 (C) [ 48.676387] dump_stack_lvl+0x8c/0xd0 [ 48.676972] print_report+0x118/0x5e0 [ 48.678056] kasan_report+0xc8/0x118 [ 48.678720] __asan_report_load1_noabort+0x20/0x30 [ 48.679441] ksize_uaf+0x59c/0x600 [ 48.680071] kunit_try_run_case+0x14c/0x3d0 [ 48.680675] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.681769] kthread+0x24c/0x2d0 [ 48.682236] ret_from_fork+0x10/0x20 [ 48.683175] [ 48.683669] Allocated by task 185: [ 48.684370] kasan_save_stack+0x3c/0x68 [ 48.685072] kasan_save_track+0x20/0x40 [ 48.685848] kasan_save_alloc_info+0x40/0x58 [ 48.686449] __kasan_kmalloc+0xd4/0xd8 [ 48.687014] __kmalloc_cache_noprof+0x15c/0x3c0 [ 48.687738] ksize_uaf+0xb8/0x600 [ 48.688347] kunit_try_run_case+0x14c/0x3d0 [ 48.689031] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.690425] kthread+0x24c/0x2d0 [ 48.690984] ret_from_fork+0x10/0x20 [ 48.691599] [ 48.691887] Freed by task 185: [ 48.692493] kasan_save_stack+0x3c/0x68 [ 48.692950] kasan_save_track+0x20/0x40 [ 48.693882] kasan_save_free_info+0x4c/0x78 [ 48.694428] __kasan_slab_free+0x6c/0x98 [ 48.695072] kfree+0x114/0x3c8 [ 48.695603] ksize_uaf+0x11c/0x600 [ 48.696148] kunit_try_run_case+0x14c/0x3d0 [ 48.696792] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.697964] kthread+0x24c/0x2d0 [ 48.698499] ret_from_fork+0x10/0x20 [ 48.699436] [ 48.699722] The buggy address belongs to the object at fff00000c61b5500 [ 48.699722] which belongs to the cache kmalloc-128 of size 128 [ 48.701053] The buggy address is located 0 bytes inside of [ 48.701053] freed 128-byte region [fff00000c61b5500, fff00000c61b5580) [ 48.702987] [ 48.703255] The buggy address belongs to the physical page: [ 48.704068] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1061b5 [ 48.704976] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 48.705984] page_type: f5(slab) [ 48.706517] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 48.707804] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 48.709049] page dumped because: kasan: bad access detected [ 48.710068] [ 48.710616] Memory state around the buggy address: [ 48.711230] fff00000c61b5400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 48.712085] fff00000c61b5480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 48.712953] >fff00000c61b5500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 48.714034] ^ [ 48.714492] fff00000c61b5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 48.715994] fff00000c61b5600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 48.716782] ================================================================== [ 48.718553] ================================================================== [ 48.719276] BUG: KASAN: slab-use-after-free in ksize_uaf+0x548/0x600 [ 48.720759] Read of size 1 at addr fff00000c61b5578 by task kunit_try_catch/185 [ 48.722051] [ 48.722533] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241127 #1 [ 48.724410] Tainted: [B]=BAD_PAGE, [N]=TEST [ 48.724912] Hardware name: linux,dummy-virt (DT) [ 48.725988] Call trace: [ 48.726605] show_stack+0x20/0x38 (C) [ 48.727334] dump_stack_lvl+0x8c/0xd0 [ 48.728094] print_report+0x118/0x5e0 [ 48.728755] kasan_report+0xc8/0x118 [ 48.729409] __asan_report_load1_noabort+0x20/0x30 [ 48.730250] ksize_uaf+0x548/0x600 [ 48.731466] kunit_try_run_case+0x14c/0x3d0 [ 48.732081] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.732785] kthread+0x24c/0x2d0 [ 48.733880] ret_from_fork+0x10/0x20 [ 48.734766] [ 48.735118] Allocated by task 185: [ 48.735591] kasan_save_stack+0x3c/0x68 [ 48.736108] kasan_save_track+0x20/0x40 [ 48.736661] kasan_save_alloc_info+0x40/0x58 [ 48.737679] __kasan_kmalloc+0xd4/0xd8 [ 48.738191] __kmalloc_cache_noprof+0x15c/0x3c0 [ 48.738863] ksize_uaf+0xb8/0x600 [ 48.739844] kunit_try_run_case+0x14c/0x3d0 [ 48.740470] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.741179] kthread+0x24c/0x2d0 [ 48.741696] ret_from_fork+0x10/0x20 [ 48.742276] [ 48.742919] Freed by task 185: [ 48.743274] kasan_save_stack+0x3c/0x68 [ 48.743820] kasan_save_track+0x20/0x40 [ 48.744462] kasan_save_free_info+0x4c/0x78 [ 48.745499] __kasan_slab_free+0x6c/0x98 [ 48.745949] kfree+0x114/0x3c8 [ 48.746932] ksize_uaf+0x11c/0x600 [ 48.747509] kunit_try_run_case+0x14c/0x3d0 [ 48.748090] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.748823] kthread+0x24c/0x2d0 [ 48.749930] ret_from_fork+0x10/0x20 [ 48.750466] [ 48.750823] The buggy address belongs to the object at fff00000c61b5500 [ 48.750823] which belongs to the cache kmalloc-128 of size 128 [ 48.752277] The buggy address is located 120 bytes inside of [ 48.752277] freed 128-byte region [fff00000c61b5500, fff00000c61b5580) [ 48.753343] [ 48.753629] The buggy address belongs to the physical page: [ 48.754288] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1061b5 [ 48.755233] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 48.756760] page_type: f5(slab) [ 48.757471] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 48.758474] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 48.759371] page dumped because: kasan: bad access detected [ 48.760202] [ 48.760735] Memory state around the buggy address: [ 48.761669] fff00000c61b5400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 48.762771] fff00000c61b5480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 48.763643] >fff00000c61b5500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 48.764587] ^ [ 48.765415] fff00000c61b5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 48.766674] fff00000c61b5600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 48.767454] ================================================================== [ 48.617768] ================================================================== [ 48.619140] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x600 [ 48.619850] Read of size 1 at addr fff00000c61b5500 by task kunit_try_catch/185 [ 48.620930] [ 48.622044] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241127 #1 [ 48.622979] Tainted: [B]=BAD_PAGE, [N]=TEST [ 48.623587] Hardware name: linux,dummy-virt (DT) [ 48.624131] Call trace: [ 48.624699] show_stack+0x20/0x38 (C) [ 48.625677] dump_stack_lvl+0x8c/0xd0 [ 48.626843] print_report+0x118/0x5e0 [ 48.627465] kasan_report+0xc8/0x118 [ 48.628386] __kasan_check_byte+0x54/0x70 [ 48.628919] ksize+0x30/0x88 [ 48.629701] ksize_uaf+0x168/0x600 [ 48.630372] kunit_try_run_case+0x14c/0x3d0 [ 48.631046] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.631684] kthread+0x24c/0x2d0 [ 48.632339] ret_from_fork+0x10/0x20 [ 48.632972] [ 48.633734] Allocated by task 185: [ 48.634489] kasan_save_stack+0x3c/0x68 [ 48.635208] kasan_save_track+0x20/0x40 [ 48.635781] kasan_save_alloc_info+0x40/0x58 [ 48.636389] __kasan_kmalloc+0xd4/0xd8 [ 48.637030] __kmalloc_cache_noprof+0x15c/0x3c0 [ 48.638137] ksize_uaf+0xb8/0x600 [ 48.638813] kunit_try_run_case+0x14c/0x3d0 [ 48.639379] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.640165] kthread+0x24c/0x2d0 [ 48.640680] ret_from_fork+0x10/0x20 [ 48.641511] [ 48.641900] Freed by task 185: [ 48.642414] kasan_save_stack+0x3c/0x68 [ 48.642993] kasan_save_track+0x20/0x40 [ 48.643509] kasan_save_free_info+0x4c/0x78 [ 48.644189] __kasan_slab_free+0x6c/0x98 [ 48.644846] kfree+0x114/0x3c8 [ 48.645383] ksize_uaf+0x11c/0x600 [ 48.645981] kunit_try_run_case+0x14c/0x3d0 [ 48.646604] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.647502] kthread+0x24c/0x2d0 [ 48.648064] ret_from_fork+0x10/0x20 [ 48.648733] [ 48.649249] The buggy address belongs to the object at fff00000c61b5500 [ 48.649249] which belongs to the cache kmalloc-128 of size 128 [ 48.650986] The buggy address is located 0 bytes inside of [ 48.650986] freed 128-byte region [fff00000c61b5500, fff00000c61b5580) [ 48.652243] [ 48.652570] The buggy address belongs to the physical page: [ 48.653587] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1061b5 [ 48.654550] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 48.655334] page_type: f5(slab) [ 48.655886] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 48.656715] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 48.658419] page dumped because: kasan: bad access detected [ 48.659517] [ 48.659833] Memory state around the buggy address: [ 48.660366] fff00000c61b5400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 48.661888] fff00000c61b5480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 48.662941] >fff00000c61b5500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 48.663811] ^ [ 48.664456] fff00000c61b5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 48.666149] fff00000c61b5600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 48.667590] ==================================================================
[ 25.872511] ================================================================== [ 25.873510] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19e/0x6c0 [ 25.874482] Read of size 1 at addr ffff888102a4af00 by task kunit_try_catch/204 [ 25.875111] [ 25.875286] CPU: 0 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241127 #1 [ 25.876479] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.876803] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.877829] Call Trace: [ 25.878361] <TASK> [ 25.878661] dump_stack_lvl+0x73/0xb0 [ 25.879307] print_report+0xd1/0x640 [ 25.879676] ? __virt_addr_valid+0x1db/0x2d0 [ 25.880443] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.881226] kasan_report+0x102/0x140 [ 25.881647] ? ksize_uaf+0x19e/0x6c0 [ 25.882317] ? ksize_uaf+0x19e/0x6c0 [ 25.882863] ? ksize_uaf+0x19e/0x6c0 [ 25.883474] __kasan_check_byte+0x3d/0x50 [ 25.884139] ksize+0x20/0x60 [ 25.884519] ksize_uaf+0x19e/0x6c0 [ 25.885072] ? __pfx_ksize_uaf+0x10/0x10 [ 25.885611] ? __schedule+0xc3e/0x2790 [ 25.886191] ? __pfx_read_tsc+0x10/0x10 [ 25.886600] ? ktime_get_ts64+0x84/0x230 [ 25.887293] kunit_try_run_case+0x1b3/0x490 [ 25.887756] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.888560] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 25.889296] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.889881] ? __kthread_parkme+0x82/0x160 [ 25.890363] ? preempt_count_sub+0x50/0x80 [ 25.890777] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.891166] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.891686] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.892354] kthread+0x257/0x310 [ 25.892751] ? __pfx_kthread+0x10/0x10 [ 25.893456] ret_from_fork+0x41/0x80 [ 25.893808] ? __pfx_kthread+0x10/0x10 [ 25.894487] ret_from_fork_asm+0x1a/0x30 [ 25.894832] </TASK> [ 25.895336] [ 25.895625] Allocated by task 204: [ 25.896281] kasan_save_stack+0x3d/0x60 [ 25.896568] kasan_save_track+0x18/0x40 [ 25.897249] kasan_save_alloc_info+0x3b/0x50 [ 25.897748] __kasan_kmalloc+0xb7/0xc0 [ 25.898304] __kmalloc_cache_noprof+0x184/0x410 [ 25.898769] ksize_uaf+0xab/0x6c0 [ 25.899340] kunit_try_run_case+0x1b3/0x490 [ 25.899756] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.900616] kthread+0x257/0x310 [ 25.900860] ret_from_fork+0x41/0x80 [ 25.901765] ret_from_fork_asm+0x1a/0x30 [ 25.902376] [ 25.902524] Freed by task 204: [ 25.903154] kasan_save_stack+0x3d/0x60 [ 25.903537] kasan_save_track+0x18/0x40 [ 25.903878] kasan_save_free_info+0x3f/0x60 [ 25.904545] __kasan_slab_free+0x56/0x70 [ 25.905134] kfree+0x123/0x3f0 [ 25.905513] ksize_uaf+0x12d/0x6c0 [ 25.906088] kunit_try_run_case+0x1b3/0x490 [ 25.906527] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.907338] kthread+0x257/0x310 [ 25.907655] ret_from_fork+0x41/0x80 [ 25.908347] ret_from_fork_asm+0x1a/0x30 [ 25.908662] [ 25.909138] The buggy address belongs to the object at ffff888102a4af00 [ 25.909138] which belongs to the cache kmalloc-128 of size 128 [ 25.910463] The buggy address is located 0 bytes inside of [ 25.910463] freed 128-byte region [ffff888102a4af00, ffff888102a4af80) [ 25.911636] [ 25.912132] The buggy address belongs to the physical page: [ 25.912643] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a4a [ 25.913586] flags: 0x200000000000000(node=0|zone=2) [ 25.914235] page_type: f5(slab) [ 25.914503] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 25.915406] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 25.916107] page dumped because: kasan: bad access detected [ 25.916915] [ 25.917157] Memory state around the buggy address: [ 25.917923] ffff888102a4ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.919414] ffff888102a4ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.920283] >ffff888102a4af00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.920784] ^ [ 25.921514] ffff888102a4af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.922524] ffff888102a4b000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 25.923475] ================================================================== [ 25.926653] ================================================================== [ 25.927354] BUG: KASAN: slab-use-after-free in ksize_uaf+0x600/0x6c0 [ 25.927913] Read of size 1 at addr ffff888102a4af00 by task kunit_try_catch/204 [ 25.928750] [ 25.929283] CPU: 0 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241127 #1 [ 25.930093] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.930867] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.932019] Call Trace: [ 25.932598] <TASK> [ 25.932723] dump_stack_lvl+0x73/0xb0 [ 25.932907] print_report+0xd1/0x640 [ 25.933203] ? __virt_addr_valid+0x1db/0x2d0 [ 25.933564] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.934548] kasan_report+0x102/0x140 [ 25.934962] ? ksize_uaf+0x600/0x6c0 [ 25.935836] ? ksize_uaf+0x600/0x6c0 [ 25.936756] __asan_report_load1_noabort+0x18/0x20 [ 25.937319] ksize_uaf+0x600/0x6c0 [ 25.937792] ? __pfx_ksize_uaf+0x10/0x10 [ 25.938511] ? __schedule+0xc3e/0x2790 [ 25.938922] ? __pfx_read_tsc+0x10/0x10 [ 25.939348] ? ktime_get_ts64+0x84/0x230 [ 25.939748] kunit_try_run_case+0x1b3/0x490 [ 25.940281] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.940614] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 25.941335] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.941818] ? __kthread_parkme+0x82/0x160 [ 25.942507] ? preempt_count_sub+0x50/0x80 [ 25.943070] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.943612] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.944210] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.944941] kthread+0x257/0x310 [ 25.945427] ? __pfx_kthread+0x10/0x10 [ 25.945870] ret_from_fork+0x41/0x80 [ 25.946437] ? __pfx_kthread+0x10/0x10 [ 25.946965] ret_from_fork_asm+0x1a/0x30 [ 25.947644] </TASK> [ 25.947959] [ 25.948352] Allocated by task 204: [ 25.948948] kasan_save_stack+0x3d/0x60 [ 25.949416] kasan_save_track+0x18/0x40 [ 25.949860] kasan_save_alloc_info+0x3b/0x50 [ 25.950712] __kasan_kmalloc+0xb7/0xc0 [ 25.951453] __kmalloc_cache_noprof+0x184/0x410 [ 25.951931] ksize_uaf+0xab/0x6c0 [ 25.952980] kunit_try_run_case+0x1b3/0x490 [ 25.953667] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.954294] kthread+0x257/0x310 [ 25.955292] ret_from_fork+0x41/0x80 [ 25.955651] ret_from_fork_asm+0x1a/0x30 [ 25.956065] [ 25.956703] Freed by task 204: [ 25.957107] kasan_save_stack+0x3d/0x60 [ 25.957407] kasan_save_track+0x18/0x40 [ 25.957862] kasan_save_free_info+0x3f/0x60 [ 25.958975] __kasan_slab_free+0x56/0x70 [ 25.959416] kfree+0x123/0x3f0 [ 25.959742] ksize_uaf+0x12d/0x6c0 [ 25.960416] kunit_try_run_case+0x1b3/0x490 [ 25.960980] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.961673] kthread+0x257/0x310 [ 25.962087] ret_from_fork+0x41/0x80 [ 25.962821] ret_from_fork_asm+0x1a/0x30 [ 25.963430] [ 25.963627] The buggy address belongs to the object at ffff888102a4af00 [ 25.963627] which belongs to the cache kmalloc-128 of size 128 [ 25.965177] The buggy address is located 0 bytes inside of [ 25.965177] freed 128-byte region [ffff888102a4af00, ffff888102a4af80) [ 25.966275] [ 25.966447] The buggy address belongs to the physical page: [ 25.966958] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a4a [ 25.968025] flags: 0x200000000000000(node=0|zone=2) [ 25.968409] page_type: f5(slab) [ 25.969019] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 25.969741] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 25.970589] page dumped because: kasan: bad access detected [ 25.971299] [ 25.971624] Memory state around the buggy address: [ 25.972301] ffff888102a4ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.972881] ffff888102a4ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.973702] >ffff888102a4af00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.974501] ^ [ 25.974906] ffff888102a4af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.975908] ffff888102a4b000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 25.976682] ================================================================== [ 25.979399] ================================================================== [ 25.980411] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e6/0x6c0 [ 25.981003] Read of size 1 at addr ffff888102a4af78 by task kunit_try_catch/204 [ 25.981632] [ 25.982149] CPU: 0 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241127 #1 [ 25.982958] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.983616] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.984554] Call Trace: [ 25.984876] <TASK> [ 25.985290] dump_stack_lvl+0x73/0xb0 [ 25.985781] print_report+0xd1/0x640 [ 25.986399] ? __virt_addr_valid+0x1db/0x2d0 [ 25.987209] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.987707] kasan_report+0x102/0x140 [ 25.988433] ? ksize_uaf+0x5e6/0x6c0 [ 25.988731] ? ksize_uaf+0x5e6/0x6c0 [ 25.989307] __asan_report_load1_noabort+0x18/0x20 [ 25.989684] ksize_uaf+0x5e6/0x6c0 [ 25.990301] ? __pfx_ksize_uaf+0x10/0x10 [ 25.990685] ? __schedule+0xc3e/0x2790 [ 25.991404] ? __pfx_read_tsc+0x10/0x10 [ 25.992082] ? ktime_get_ts64+0x84/0x230 [ 25.992868] kunit_try_run_case+0x1b3/0x490 [ 25.993320] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.994029] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 25.994566] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.994917] ? __kthread_parkme+0x82/0x160 [ 25.995573] ? preempt_count_sub+0x50/0x80 [ 25.996046] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.996649] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.997299] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.997933] kthread+0x257/0x310 [ 25.998429] ? __pfx_kthread+0x10/0x10 [ 25.998816] ret_from_fork+0x41/0x80 [ 25.999308] ? __pfx_kthread+0x10/0x10 [ 25.999716] ret_from_fork_asm+0x1a/0x30 [ 26.000123] </TASK> [ 26.000444] [ 26.000693] Allocated by task 204: [ 26.001200] kasan_save_stack+0x3d/0x60 [ 26.001562] kasan_save_track+0x18/0x40 [ 26.001951] kasan_save_alloc_info+0x3b/0x50 [ 26.002271] __kasan_kmalloc+0xb7/0xc0 [ 26.002642] __kmalloc_cache_noprof+0x184/0x410 [ 26.003251] ksize_uaf+0xab/0x6c0 [ 26.003835] kunit_try_run_case+0x1b3/0x490 [ 26.004354] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.004793] kthread+0x257/0x310 [ 26.005062] ret_from_fork+0x41/0x80 [ 26.005401] ret_from_fork_asm+0x1a/0x30 [ 26.005923] [ 26.006352] Freed by task 204: [ 26.006770] kasan_save_stack+0x3d/0x60 [ 26.007521] kasan_save_track+0x18/0x40 [ 26.007799] kasan_save_free_info+0x3f/0x60 [ 26.008465] __kasan_slab_free+0x56/0x70 [ 26.008961] kfree+0x123/0x3f0 [ 26.009331] ksize_uaf+0x12d/0x6c0 [ 26.009899] kunit_try_run_case+0x1b3/0x490 [ 26.010229] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.010647] kthread+0x257/0x310 [ 26.012113] ret_from_fork+0x41/0x80 [ 26.013078] ret_from_fork_asm+0x1a/0x30 [ 26.014105] [ 26.014410] The buggy address belongs to the object at ffff888102a4af00 [ 26.014410] which belongs to the cache kmalloc-128 of size 128 [ 26.015797] The buggy address is located 120 bytes inside of [ 26.015797] freed 128-byte region [ffff888102a4af00, ffff888102a4af80) [ 26.017876] [ 26.018110] The buggy address belongs to the physical page: [ 26.018430] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a4a [ 26.018743] flags: 0x200000000000000(node=0|zone=2) [ 26.018945] page_type: f5(slab) [ 26.019191] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 26.020419] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 26.021257] page dumped because: kasan: bad access detected [ 26.021704] [ 26.022058] Memory state around the buggy address: [ 26.022822] ffff888102a4ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.023578] ffff888102a4ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.024163] >ffff888102a4af00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.024695] ^ [ 26.025301] ffff888102a4af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.026166] ffff888102a4b000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 26.027126] ==================================================================