Date
Nov. 28, 2024, 2:36 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 31.293651] ==================================================================
[ 31.294744] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x600
[ 31.295427] Read of size 1 at addr fff00000c403f400 by task kunit_try_catch/184
[ 31.296682]
[ 31.297760] CPU: 0 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[ 31.298737] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.299281] Hardware name: linux,dummy-virt (DT)
[ 31.300102] Call trace:
[ 31.300695]  show_stack+0x20/0x38 (C)
[ 31.301606]  dump_stack_lvl+0x8c/0xd0
[ 31.302232]  print_report+0x118/0x5e0
[ 31.303010]  kasan_report+0xc8/0x118
[ 31.303728]  __kasan_check_byte+0x54/0x70
[ 31.304457]  ksize+0x30/0x88
[ 31.304956]  ksize_uaf+0x168/0x600
[ 31.305819]  kunit_try_run_case+0x14c/0x3d0
[ 31.306589]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.307462]  kthread+0x24c/0x2d0
[ 31.308180]  ret_from_fork+0x10/0x20
[ 31.308906]
[ 31.309551] Allocated by task 184:
[ 31.310221]  kasan_save_stack+0x3c/0x68
[ 31.310954]  kasan_save_track+0x20/0x40
[ 31.311650]  kasan_save_alloc_info+0x40/0x58
[ 31.312381]  __kasan_kmalloc+0xd4/0xd8
[ 31.312881]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 31.313468]  ksize_uaf+0xb8/0x600
[ 31.313921]  kunit_try_run_case+0x14c/0x3d0
[ 31.315042]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.315700]  kthread+0x24c/0x2d0
[ 31.316147]  ret_from_fork+0x10/0x20
[ 31.316708]
[ 31.316989] Freed by task 184:
[ 31.317937]  kasan_save_stack+0x3c/0x68
[ 31.318479]  kasan_save_track+0x20/0x40
[ 31.319050]  kasan_save_free_info+0x4c/0x78
[ 31.319593]  __kasan_slab_free+0x6c/0x98
[ 31.320195]  kfree+0x114/0x3c8
[ 31.320713]  ksize_uaf+0x11c/0x600
[ 31.321467]  kunit_try_run_case+0x14c/0x3d0
[ 31.322061]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.322733]  kthread+0x24c/0x2d0
[ 31.323284]  ret_from_fork+0x10/0x20
[ 31.323811]
[ 31.324172] The buggy address belongs to the object at fff00000c403f400
[ 31.324172]  which belongs to the cache kmalloc-128 of size 128
[ 31.325533] The buggy address is located 0 bytes inside of
[ 31.325533]  freed 128-byte region [fff00000c403f400, fff00000c403f480)
[ 31.326693]
[ 31.327034] The buggy address belongs to the physical page:
[ 31.327608] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10403f
[ 31.328397] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.329459] page_type: f5(slab)
[ 31.329989] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 31.330745] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 31.331626] page dumped because: kasan: bad access detected
[ 31.332229]
[ 31.332575] Memory state around the buggy address:
[ 31.333441]  fff00000c403f300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.334241]  fff00000c403f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.335032] >fff00000c403f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.335746]                    ^
[ 31.336269]  fff00000c403f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.337262]  fff00000c403f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.338069] ==================================================================
[ 31.341407] ==================================================================
[ 31.342270] BUG: KASAN: slab-use-after-free in ksize_uaf+0x59c/0x600
[ 31.343011] Read of size 1 at addr fff00000c403f400 by task kunit_try_catch/184
[ 31.344025]
[ 31.344373] CPU: 0 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[ 31.345836] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.346412] Hardware name: linux,dummy-virt (DT)
[ 31.346975] Call trace:
[ 31.347332]  show_stack+0x20/0x38 (C)
[ 31.347929]  dump_stack_lvl+0x8c/0xd0
[ 31.348445]  print_report+0x118/0x5e0
[ 31.349420]  kasan_report+0xc8/0x118
[ 31.350076]  __asan_report_load1_noabort+0x20/0x30
[ 31.350776]  ksize_uaf+0x59c/0x600
[ 31.351353]  kunit_try_run_case+0x14c/0x3d0
[ 31.351968]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.352729]  kthread+0x24c/0x2d0
[ 31.353586]  ret_from_fork+0x10/0x20
[ 31.354162]
[ 31.354403] Allocated by task 184:
[ 31.354950]  kasan_save_stack+0x3c/0x68
[ 31.355538]  kasan_save_track+0x20/0x40
[ 31.356033]  kasan_save_alloc_info+0x40/0x58
[ 31.356575]  __kasan_kmalloc+0xd4/0xd8
[ 31.357392]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 31.358030]  ksize_uaf+0xb8/0x600
[ 31.358562]  kunit_try_run_case+0x14c/0x3d0
[ 31.359184]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.359838]  kthread+0x24c/0x2d0
[ 31.360397]  ret_from_fork+0x10/0x20
[ 31.360938]
[ 31.361766] Freed by task 184:
[ 31.362290]  kasan_save_stack+0x3c/0x68
[ 31.362777]  kasan_save_track+0x20/0x40
[ 31.363365]  kasan_save_free_info+0x4c/0x78
[ 31.363905]  __kasan_slab_free+0x6c/0x98
[ 31.364455]  kfree+0x114/0x3c8
[ 31.364903]  ksize_uaf+0x11c/0x600
[ 31.365666]  kunit_try_run_case+0x14c/0x3d0
[ 31.366293]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.366920]  kthread+0x24c/0x2d0
[ 31.368049]  ret_from_fork+0x10/0x20
[ 31.368578]
[ 31.368911] The buggy address belongs to the object at fff00000c403f400
[ 31.368911]  which belongs to the cache kmalloc-128 of size 128
[ 31.370233] The buggy address is located 0 bytes inside of
[ 31.370233]  freed 128-byte region [fff00000c403f400, fff00000c403f480)
[ 31.371361]
[ 31.371699] The buggy address belongs to the physical page:
[ 31.372398] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10403f
[ 31.373518] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.374324] page_type: f5(slab)
[ 31.374842] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 31.375650] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 31.376439] page dumped because: kasan: bad access detected
[ 31.377335]
[ 31.377789] Memory state around the buggy address:
[ 31.378362]  fff00000c403f300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.379222]  fff00000c403f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.380139] >fff00000c403f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.381023]                    ^
[ 31.381592]  fff00000c403f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.382652]  fff00000c403f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.383405] ==================================================================
[ 31.386460] ==================================================================
[ 31.387161] BUG: KASAN: slab-use-after-free in ksize_uaf+0x548/0x600
[ 31.388057] Read of size 1 at addr fff00000c403f478 by task kunit_try_catch/184
[ 31.388647]
[ 31.389556] CPU: 0 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[ 31.390632] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.391180] Hardware name: linux,dummy-virt (DT)
[ 31.391730] Call trace:
[ 31.392078]  show_stack+0x20/0x38 (C)
[ 31.392598]  dump_stack_lvl+0x8c/0xd0
[ 31.393403]  print_report+0x118/0x5e0
[ 31.393964]  kasan_report+0xc8/0x118
[ 31.394642]  __asan_report_load1_noabort+0x20/0x30
[ 31.395395]  ksize_uaf+0x548/0x600
[ 31.395927]  kunit_try_run_case+0x14c/0x3d0
[ 31.396617]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.397611]  kthread+0x24c/0x2d0
[ 31.398171]  ret_from_fork+0x10/0x20
[ 31.398736]
[ 31.399134] Allocated by task 184:
[ 31.399670]  kasan_save_stack+0x3c/0x68
[ 31.400233]  kasan_save_track+0x20/0x40
[ 31.400847]  kasan_save_alloc_info+0x40/0x58
[ 31.401746]  __kasan_kmalloc+0xd4/0xd8
[ 31.402307]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 31.402927]  ksize_uaf+0xb8/0x600
[ 31.403451]  kunit_try_run_case+0x14c/0x3d0
[ 31.403999]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.404765]  kthread+0x24c/0x2d0
[ 31.405561]  ret_from_fork+0x10/0x20
[ 31.406103]
[ 31.406497] Freed by task 184:
[ 31.407014]  kasan_save_stack+0x3c/0x68
[ 31.407548]  kasan_save_track+0x20/0x40
[ 31.408177]  kasan_save_free_info+0x4c/0x78
[ 31.408769]  __kasan_slab_free+0x6c/0x98
[ 31.410437]  kfree+0x114/0x3c8
[ 31.411223]  ksize_uaf+0x11c/0x600
[ 31.411761]  kunit_try_run_case+0x14c/0x3d0
[ 31.412433]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.413074]  kthread+0x24c/0x2d0
[ 31.413823]  ret_from_fork+0x10/0x20
[ 31.414508]
[ 31.414849] The buggy address belongs to the object at fff00000c403f400
[ 31.414849]  which belongs to the cache kmalloc-128 of size 128
[ 31.416134] The buggy address is located 120 bytes inside of
[ 31.416134]  freed 128-byte region [fff00000c403f400, fff00000c403f480)
[ 31.417721]
[ 31.418071] The buggy address belongs to the physical page:
[ 31.418808] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10403f
[ 31.419714] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.420567] page_type: f5(slab)
[ 31.421063] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 31.422294] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 31.423071] page dumped because: kasan: bad access detected
[ 31.423793]
[ 31.424190] Memory state around the buggy address:
[ 31.424831]  fff00000c403f300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.425838]  fff00000c403f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.426722] >fff00000c403f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.427482]                                                                 ^
[ 31.428393]  fff00000c403f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.429721]  fff00000c403f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.430463] ==================================================================
```
qemu-x86_64:

```text
[ 22.238852] ==================================================================
[ 22.240277] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19e/0x6c0
[ 22.240911] Read of size 1 at addr ffff888102a1dd00 by task kunit_try_catch/204
[ 22.242181]
[ 22.242830] CPU: 0 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[ 22.244038] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.244607] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.245615] Call Trace:
[ 22.245803]  <TASK>
[ 22.246119]  dump_stack_lvl+0x73/0xb0
[ 22.246801]  print_report+0xd1/0x640
[ 22.247415]  ? __virt_addr_valid+0x1db/0x2d0
[ 22.247861]  ? kasan_complete_mode_report_info+0x64/0x200
[ 22.248744]  kasan_report+0x102/0x140
[ 22.249121]  ? ksize_uaf+0x19e/0x6c0
[ 22.249772]  ? ksize_uaf+0x19e/0x6c0
[ 22.250154]  ? ksize_uaf+0x19e/0x6c0
[ 22.251007]  __kasan_check_byte+0x3d/0x50
[ 22.251460]  ksize+0x20/0x60
[ 22.251869]  ksize_uaf+0x19e/0x6c0
[ 22.252396]  ? __pfx_ksize_uaf+0x10/0x10
[ 22.252923]  ? __schedule+0xc3e/0x2790
[ 22.253483]  ? __pfx_read_tsc+0x10/0x10
[ 22.253965]  ? ktime_get_ts64+0x84/0x230
[ 22.254314]  kunit_try_run_case+0x1b3/0x490
[ 22.255114]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.255806]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 22.256280]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.257034]  ? __kthread_parkme+0x82/0x160
[ 22.257385]  ? preempt_count_sub+0x50/0x80
[ 22.258469]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.258849]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.259444]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.260571]  kthread+0x257/0x310
[ 22.260924]  ? __pfx_kthread+0x10/0x10
[ 22.262007]  ret_from_fork+0x41/0x80
[ 22.262572]  ? __pfx_kthread+0x10/0x10
[ 22.263801]  ret_from_fork_asm+0x1a/0x30
[ 22.264764]  </TASK>
[ 22.264989]
[ 22.265202] Allocated by task 204:
[ 22.265909]  kasan_save_stack+0x3d/0x60
[ 22.266821]  kasan_save_track+0x18/0x40
[ 22.267375]  kasan_save_alloc_info+0x3b/0x50
[ 22.267877]  __kasan_kmalloc+0xb7/0xc0
[ 22.268481]  __kmalloc_cache_noprof+0x184/0x410
[ 22.268966]  ksize_uaf+0xab/0x6c0
[ 22.269610]  kunit_try_run_case+0x1b3/0x490
[ 22.269825]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.270047]  kthread+0x257/0x310
[ 22.270781]  ret_from_fork+0x41/0x80
[ 22.271790]  ret_from_fork_asm+0x1a/0x30
[ 22.272434]
[ 22.272754] Freed by task 204:
[ 22.272981]  kasan_save_stack+0x3d/0x60
[ 22.273659]  kasan_save_track+0x18/0x40
[ 22.274397]  kasan_save_free_info+0x3f/0x60
[ 22.274888]  __kasan_slab_free+0x56/0x70
[ 22.275739]  kfree+0x123/0x3f0
[ 22.276412]  ksize_uaf+0x12d/0x6c0
[ 22.276789]  kunit_try_run_case+0x1b3/0x490
[ 22.277300]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.278001]  kthread+0x257/0x310
[ 22.278514]  ret_from_fork+0x41/0x80
[ 22.278964]  ret_from_fork_asm+0x1a/0x30
[ 22.279658]
[ 22.279920] The buggy address belongs to the object at ffff888102a1dd00
[ 22.279920]  which belongs to the cache kmalloc-128 of size 128
[ 22.281718] The buggy address is located 0 bytes inside of
[ 22.281718]  freed 128-byte region [ffff888102a1dd00, ffff888102a1dd80)
[ 22.283025]
[ 22.283532] The buggy address belongs to the physical page:
[ 22.284047] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a1d
[ 22.284931] flags: 0x200000000000000(node=0|zone=2)
[ 22.285621] page_type: f5(slab)
[ 22.285939] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 22.287228] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 22.287875] page dumped because: kasan: bad access detected
[ 22.288391]
[ 22.288734] Memory state around the buggy address:
[ 22.289308]  ffff888102a1dc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.290114]  ffff888102a1dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.290984] >ffff888102a1dd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.291842]                    ^
[ 22.292610]  ffff888102a1dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.293105]  ffff888102a1de00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.294316] ==================================================================
[ 22.296548] ==================================================================
[ 22.297292] BUG: KASAN: slab-use-after-free in ksize_uaf+0x600/0x6c0
[ 22.297965] Read of size 1 at addr ffff888102a1dd00 by task kunit_try_catch/204
[ 22.299461]
[ 22.299668] CPU: 0 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[ 22.300518] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.300893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.301779] Call Trace:
[ 22.302312]  <TASK>
[ 22.302649]  dump_stack_lvl+0x73/0xb0
[ 22.303871]  print_report+0xd1/0x640
[ 22.304187]  ? __virt_addr_valid+0x1db/0x2d0
[ 22.304855]  ? kasan_complete_mode_report_info+0x64/0x200
[ 22.305654]  kasan_report+0x102/0x140
[ 22.306468]  ? ksize_uaf+0x600/0x6c0
[ 22.306989]  ? ksize_uaf+0x600/0x6c0
[ 22.307269]  __asan_report_load1_noabort+0x18/0x20
[ 22.308076]  ksize_uaf+0x600/0x6c0
[ 22.308484]  ? __pfx_ksize_uaf+0x10/0x10
[ 22.308895]  ? __schedule+0xc3e/0x2790
[ 22.309296]  ? __pfx_read_tsc+0x10/0x10
[ 22.310276]  ? ktime_get_ts64+0x84/0x230
[ 22.310707]  kunit_try_run_case+0x1b3/0x490
[ 22.311050]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.311816]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 22.312134]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.312618]  ? __kthread_parkme+0x82/0x160
[ 22.313137]  ? preempt_count_sub+0x50/0x80
[ 22.313755]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.314248]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.314874]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.315563]  kthread+0x257/0x310
[ 22.315990]  ? __pfx_kthread+0x10/0x10
[ 22.316572]  ret_from_fork+0x41/0x80
[ 22.317226]  ? __pfx_kthread+0x10/0x10
[ 22.317908]  ret_from_fork_asm+0x1a/0x30
[ 22.318533]  </TASK>
[ 22.318818]
[ 22.319088] Allocated by task 204:
[ 22.319383]  kasan_save_stack+0x3d/0x60
[ 22.319936]  kasan_save_track+0x18/0x40
[ 22.320539]  kasan_save_alloc_info+0x3b/0x50
[ 22.320973]  __kasan_kmalloc+0xb7/0xc0
[ 22.321437]  __kmalloc_cache_noprof+0x184/0x410
[ 22.322106]  ksize_uaf+0xab/0x6c0
[ 22.322603]  kunit_try_run_case+0x1b3/0x490
[ 22.322932]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.323940]  kthread+0x257/0x310
[ 22.324648]  ret_from_fork+0x41/0x80
[ 22.325124]  ret_from_fork_asm+0x1a/0x30
[ 22.325575]
[ 22.325752] Freed by task 204:
[ 22.326020]  kasan_save_stack+0x3d/0x60
[ 22.326624]  kasan_save_track+0x18/0x40
[ 22.326982]  kasan_save_free_info+0x3f/0x60
[ 22.327534]  __kasan_slab_free+0x56/0x70
[ 22.328037]  kfree+0x123/0x3f0
[ 22.328426]  ksize_uaf+0x12d/0x6c0
[ 22.329388]  kunit_try_run_case+0x1b3/0x490
[ 22.329699]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.330869]  kthread+0x257/0x310
[ 22.331636]  ret_from_fork+0x41/0x80
[ 22.331901]  ret_from_fork_asm+0x1a/0x30
[ 22.332443]
[ 22.332657] The buggy address belongs to the object at ffff888102a1dd00
[ 22.332657]  which belongs to the cache kmalloc-128 of size 128
[ 22.333829] The buggy address is located 0 bytes inside of
[ 22.333829]  freed 128-byte region [ffff888102a1dd00, ffff888102a1dd80)
[ 22.335036]
[ 22.335276] The buggy address belongs to the physical page:
[ 22.335997] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a1d
[ 22.337025] flags: 0x200000000000000(node=0|zone=2)
[ 22.337355] page_type: f5(slab)
[ 22.338001] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 22.338759] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 22.339767] page dumped because: kasan: bad access detected
[ 22.340316]
[ 22.340679] Memory state around the buggy address:
[ 22.341148]  ffff888102a1dc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.341843]  ffff888102a1dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.342796] >ffff888102a1dd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.344101]                    ^
[ 22.344506]  ffff888102a1dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.345321]  ffff888102a1de00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.345980] ==================================================================
[ 22.348018] ==================================================================
[ 22.349132] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e6/0x6c0
[ 22.349878] Read of size 1 at addr ffff888102a1dd78 by task kunit_try_catch/204
[ 22.350599]
[ 22.350810] CPU: 0 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[ 22.351651] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.352088] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.352820] Call Trace:
[ 22.353026]  <TASK>
[ 22.353451]  dump_stack_lvl+0x73/0xb0
[ 22.354002]  print_report+0xd1/0x640
[ 22.354699]  ? __virt_addr_valid+0x1db/0x2d0
[ 22.355784]  ? kasan_complete_mode_report_info+0x64/0x200
[ 22.356582]  kasan_report+0x102/0x140
[ 22.357255]  ? ksize_uaf+0x5e6/0x6c0
[ 22.357556]  ? ksize_uaf+0x5e6/0x6c0
[ 22.358368]  __asan_report_load1_noabort+0x18/0x20
[ 22.358949]  ksize_uaf+0x5e6/0x6c0
[ 22.359609]  ? __pfx_ksize_uaf+0x10/0x10
[ 22.360027]  ? __schedule+0xc3e/0x2790
[ 22.360773]  ? __pfx_read_tsc+0x10/0x10
[ 22.361058]  ? ktime_get_ts64+0x84/0x230
[ 22.361864]  kunit_try_run_case+0x1b3/0x490
[ 22.362702]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.363396]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 22.363781]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.364316]  ? __kthread_parkme+0x82/0x160
[ 22.365035]  ? preempt_count_sub+0x50/0x80
[ 22.365471]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.366325]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.366880]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.367361]  kthread+0x257/0x310
[ 22.367679]  ? __pfx_kthread+0x10/0x10
[ 22.368099]  ret_from_fork+0x41/0x80
[ 22.368427]  ? __pfx_kthread+0x10/0x10
[ 22.368883]  ret_from_fork_asm+0x1a/0x30
[ 22.369317]  </TASK>
[ 22.369625]
[ 22.369834] Allocated by task 204:
[ 22.370365]  kasan_save_stack+0x3d/0x60
[ 22.370729]  kasan_save_track+0x18/0x40
[ 22.371015]  kasan_save_alloc_info+0x3b/0x50
[ 22.371547]  __kasan_kmalloc+0xb7/0xc0
[ 22.372059]  __kmalloc_cache_noprof+0x184/0x410
[ 22.372638]  ksize_uaf+0xab/0x6c0
[ 22.372893]  kunit_try_run_case+0x1b3/0x490
[ 22.373419]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.373775]  kthread+0x257/0x310
[ 22.374020]  ret_from_fork+0x41/0x80
[ 22.374628]  ret_from_fork_asm+0x1a/0x30
[ 22.375150]
[ 22.375897] Freed by task 204:
[ 22.376319]  kasan_save_stack+0x3d/0x60
[ 22.376650]  kasan_save_track+0x18/0x40
[ 22.377115]  kasan_save_free_info+0x3f/0x60
[ 22.377583]  __kasan_slab_free+0x56/0x70
[ 22.377951]  kfree+0x123/0x3f0
[ 22.378206]  ksize_uaf+0x12d/0x6c0
[ 22.378486]  kunit_try_run_case+0x1b3/0x490
[ 22.378878]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.379712]  kthread+0x257/0x310
[ 22.380456]  ret_from_fork+0x41/0x80
[ 22.380737]  ret_from_fork_asm+0x1a/0x30
[ 22.381310]
[ 22.381516] The buggy address belongs to the object at ffff888102a1dd00
[ 22.381516]  which belongs to the cache kmalloc-128 of size 128
[ 22.382478] The buggy address is located 120 bytes inside of
[ 22.382478]  freed 128-byte region [ffff888102a1dd00, ffff888102a1dd80)
[ 22.383924]
[ 22.384078] The buggy address belongs to the physical page:
[ 22.384452] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a1d
[ 22.385315] flags: 0x200000000000000(node=0|zone=2)
[ 22.385924] page_type: f5(slab)
[ 22.386451] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 22.387029] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[ 22.387646] page dumped because: kasan: bad access detected
[ 22.388064]
[ 22.388270] Memory state around the buggy address:
[ 22.390610]  ffff888102a1dc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.391153]  ffff888102a1dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.391719] >ffff888102a1dd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.392473]                                                                 ^
[ 22.393573]  ffff888102a1dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.394123]  ffff888102a1de00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.394922] ==================================================================
```
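Reading these reports: on each environment the three reports come from the `ksize_uaf` KASAN KUnit case and are its expected outcome (task `kunit_try_catch`, taint flag `[N]=TEST`). The first report reaches the freed object through `ksize()` (`ksize` calls `__kasan_check_byte` in the call trace), the next two are direct one-byte loads (`__asan_report_load1_noabort`) at offset 0 and offset 120 of the same freed 128-byte `kmalloc-128` object. In the shadow dump each byte covers an 8-byte granule: `fa` marks the first granule of a freed slab object (generic KASAN stores the free track there), `fb` the rest of the freed object and `fc` the slab redzones on either side. The Python helper below is an added example, not part of this log or of the kernel tree. It parses a report in the layout shown above into a structured summary, recomputes the in-object offset from the two addresses as a cross-check against the "located N bytes inside of" text, and decodes the shadow byte covering the faulting address. The granule size and shadow legend are those of generic (software) KASAN; the sample input is an excerpt of the third qemu-arm64 report with its call traces elided.

```python
"""Added example (not from the log above or the kernel tree): parse a generic-KASAN
slab report into a triage summary. Shadow values follow mm/kasan/kasan.h."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

KASAN_GRANULE = 8  # generic KASAN: one shadow byte describes 8 bytes of memory

# Shadow values seen in "Memory state around the buggy address" (generic mode).
SHADOW_LEGEND = {
    0x00: "addressable",
    0xfa: "freed slab object, first granule (free track stored here)",
    0xfb: "freed slab object",
    0xfc: "slab redzone",
}

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg "[   31.293651] " prefix
_ROW = re.compile(r"^>?([0-9a-f]+): ((?:[0-9a-f]{2}\s?){16})$")  # one dump row


@dataclass
class KasanTriage:
    kind: str
    func: str
    access: str
    size: int
    addr: int
    obj: int
    obj_size: int
    cache: str
    offset: int                     # addr - obj, recomputed from the addresses
    reported_offset: Optional[int]  # from "located N bytes inside of", if present
    shadow_byte: Optional[int]      # shadow value covering addr, if dumped

    @property
    def consistent(self) -> bool:
        """Cross-check: does the report's own offset text agree with the addresses?"""
        return self.reported_offset is None or self.reported_offset == self.offset

    @property
    def shadow_meaning(self) -> str:
        if self.shadow_byte is None:
            return "address not covered by the dump"
        return SHADOW_LEGEND.get(self.shadow_byte, "unknown")


def _shadow_rows(lines: List[str]) -> Dict[int, List[int]]:
    """Map each dumped row's base address to its 16 shadow bytes."""
    rows: Dict[int, List[int]] = {}
    for ln in lines:
        m = _ROW.match(ln)
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows


def shadow_for(addr: int, rows: Dict[int, List[int]]) -> Optional[int]:
    """Shadow byte covering addr, or None if the dump does not include it."""
    for base, vals in rows.items():
        if base <= addr < base + len(vals) * KASAN_GRANULE:
            return vals[(addr - base) // KASAN_GRANULE]
    return None


def triage(report: str) -> KasanTriage:
    lines = [_TS.sub("", ln).strip() for ln in report.splitlines()]
    text = "\n".join(lines)
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task", text)
    obj = re.search(r"belongs to the object at ([0-9a-f]+)", text)
    cache = re.search(r"belongs to the cache (\S+) of size (\d+)", text)
    loc = re.search(r"located (\d+) bytes inside of", text)
    if not (bug and acc and obj and cache):
        raise ValueError("not a KASAN slab report")
    addr, base = int(acc.group(3), 16), int(obj.group(1), 16)
    return KasanTriage(
        kind=bug.group(1), func=bug.group(2), access=acc.group(1),
        size=int(acc.group(2)), addr=addr, obj=base, obj_size=int(cache.group(2)),
        cache=cache.group(1), offset=addr - base,
        reported_offset=int(loc.group(1)) if loc else None,
        shadow_byte=shadow_for(addr, _shadow_rows(lines)),
    )


# Sample input: excerpt of the third qemu-arm64 report above, call traces elided.
SAMPLE_REPORT = """\
[ 31.387161] BUG: KASAN: slab-use-after-free in ksize_uaf+0x548/0x600
[ 31.388057] Read of size 1 at addr fff00000c403f478 by task kunit_try_catch/184
[ 31.414849] The buggy address belongs to the object at fff00000c403f400
[ 31.414849]  which belongs to the cache kmalloc-128 of size 128
[ 31.416134] The buggy address is located 120 bytes inside of
[ 31.416134]  freed 128-byte region [fff00000c403f400, fff00000c403f480)
[ 31.424190] Memory state around the buggy address:
[ 31.425838]  fff00000c403f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.426722] >fff00000c403f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.428393]  fff00000c403f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""
```

`triage(SAMPLE_REPORT)` yields offset 120 (0x...478 minus 0x...400), agreeing with the report text, and shadow byte `fb` for that granule; feeding the same text with the faulting address changed to the object start yields offset 0, shadow `fa`, and a `consistent` flag of False because the "120 bytes inside of" line no longer matches the addresses. The legend applies only to generic KASAN, which is the mode the `__asan_report_load1_noabort` frames above indicate; SW_TAGS and HW_TAGS reports dump memory tags instead, and this decoder does not apply to them.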