Date
Dec. 3, 2024, 11:38 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 31.237461] ================================================================== [ 31.238723] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x600 [ 31.239395] Read of size 1 at addr fff00000c58f4400 by task kunit_try_catch/185 [ 31.240436] [ 31.240931] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241203 #1 [ 31.242294] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.243595] Hardware name: linux,dummy-virt (DT) [ 31.244224] Call trace: [ 31.244733] show_stack+0x20/0x38 (C) [ 31.245319] dump_stack_lvl+0x8c/0xd0 [ 31.245997] print_report+0x118/0x5e0 [ 31.246655] kasan_report+0xc8/0x118 [ 31.247479] __kasan_check_byte+0x54/0x70 [ 31.248093] ksize+0x30/0x88 [ 31.248700] ksize_uaf+0x168/0x600 [ 31.249187] kunit_try_run_case+0x14c/0x3d0 [ 31.249919] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.250727] kthread+0x24c/0x2d0 [ 31.251563] ret_from_fork+0x10/0x20 [ 31.252149] [ 31.252464] Allocated by task 185: [ 31.252964] kasan_save_stack+0x3c/0x68 [ 31.253745] kasan_save_track+0x20/0x40 [ 31.254223] kasan_save_alloc_info+0x40/0x58 [ 31.255055] __kasan_kmalloc+0xd4/0xd8 [ 31.255572] __kmalloc_cache_noprof+0x15c/0x3c0 [ 31.256298] ksize_uaf+0xb8/0x600 [ 31.256798] kunit_try_run_case+0x14c/0x3d0 [ 31.257276] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.257942] kthread+0x24c/0x2d0 [ 31.258564] ret_from_fork+0x10/0x20 [ 31.259849] [ 31.260267] Freed by task 185: [ 31.260677] kasan_save_stack+0x3c/0x68 [ 31.261366] kasan_save_track+0x20/0x40 [ 31.262036] kasan_save_free_info+0x4c/0x78 [ 31.262547] __kasan_slab_free+0x6c/0x98 [ 31.263545] kfree+0x114/0x3c8 [ 31.264085] ksize_uaf+0x11c/0x600 [ 31.264612] kunit_try_run_case+0x14c/0x3d0 [ 31.265109] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.265920] kthread+0x24c/0x2d0 [ 31.266383] ret_from_fork+0x10/0x20 [ 31.267253] [ 31.267682] The buggy address belongs to the object at fff00000c58f4400 [ 31.267682] which belongs to the cache kmalloc-128 of size 128 [ 31.269116] The buggy address is located 0 bytes inside of [ 31.269116] freed 128-byte region [fff00000c58f4400, fff00000c58f4480) [ 31.270597] [ 31.270906] The buggy address belongs to the physical page: [ 31.271953] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058f4 [ 31.272936] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.273756] page_type: f5(slab) [ 31.274247] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 31.275371] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 31.276626] page dumped because: kasan: bad access detected [ 31.277320] [ 31.277709] Memory state around the buggy address: [ 31.278257] fff00000c58f4300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.279578] fff00000c58f4380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.280340] >fff00000c58f4400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.281360] ^ [ 31.281814] fff00000c58f4480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.282672] fff00000c58f4500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.283953] ================================================================== [ 31.336639] ================================================================== [ 31.337449] BUG: KASAN: slab-use-after-free in ksize_uaf+0x548/0x600 [ 31.338179] Read of size 1 at addr fff00000c58f4478 by task kunit_try_catch/185 [ 31.339062] [ 31.339868] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241203 #1 [ 31.341402] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.342115] Hardware name: linux,dummy-virt (DT) [ 31.342855] Call trace: [ 31.343411] show_stack+0x20/0x38 (C) [ 31.344000] dump_stack_lvl+0x8c/0xd0 [ 31.344618] print_report+0x118/0x5e0 [ 31.345112] kasan_report+0xc8/0x118 [ 31.346010] __asan_report_load1_noabort+0x20/0x30 [ 31.346700] ksize_uaf+0x548/0x600 [ 31.347591] kunit_try_run_case+0x14c/0x3d0 [ 31.348219] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.348973] kthread+0x24c/0x2d0 [ 31.349570] ret_from_fork+0x10/0x20 [ 31.350145] [ 31.350456] Allocated by task 185: [ 31.351112] kasan_save_stack+0x3c/0x68 [ 31.351895] kasan_save_track+0x20/0x40 [ 31.352359] kasan_save_alloc_info+0x40/0x58 [ 31.353007] __kasan_kmalloc+0xd4/0xd8 [ 31.353757] __kmalloc_cache_noprof+0x15c/0x3c0 [ 31.354321] ksize_uaf+0xb8/0x600 [ 31.354901] kunit_try_run_case+0x14c/0x3d0 [ 31.356353] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.357129] kthread+0x24c/0x2d0 [ 31.357653] ret_from_fork+0x10/0x20 [ 31.358307] [ 31.358603] Freed by task 185: [ 31.359579] kasan_save_stack+0x3c/0x68 [ 31.360041] kasan_save_track+0x20/0x40 [ 31.360640] kasan_save_free_info+0x4c/0x78 [ 31.361204] __kasan_slab_free+0x6c/0x98 [ 31.362396] kfree+0x114/0x3c8 [ 31.362908] ksize_uaf+0x11c/0x600 [ 31.363286] kunit_try_run_case+0x14c/0x3d0 [ 31.364647] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.365317] kthread+0x24c/0x2d0 [ 31.365873] ret_from_fork+0x10/0x20 [ 31.366354] [ 31.366681] The buggy address belongs to the object at fff00000c58f4400 [ 31.366681] which belongs to the cache kmalloc-128 of size 128 [ 31.369066] The buggy address is located 120 bytes inside of [ 31.369066] freed 128-byte region [fff00000c58f4400, fff00000c58f4480) [ 31.370628] [ 31.370996] The buggy address belongs to the physical page: [ 31.372142] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058f4 [ 31.373264] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.374191] page_type: f5(slab) [ 31.374830] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 31.375799] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 31.376966] page dumped because: kasan: bad access detected [ 31.377754] [ 31.378217] Memory state around the buggy address: [ 31.378960] fff00000c58f4300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.380669] fff00000c58f4380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.381642] >fff00000c58f4400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.382574] ^ [ 31.383596] fff00000c58f4480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.384722] fff00000c58f4500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.385580] ================================================================== [ 31.285915] ================================================================== [ 31.286706] BUG: KASAN: slab-use-after-free in ksize_uaf+0x59c/0x600 [ 31.288454] Read of size 1 at addr fff00000c58f4400 by task kunit_try_catch/185 [ 31.289284] [ 31.290135] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241203 #1 [ 31.291493] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.291952] Hardware name: linux,dummy-virt (DT) [ 31.292554] Call trace: [ 31.293044] show_stack+0x20/0x38 (C) [ 31.293968] dump_stack_lvl+0x8c/0xd0 [ 31.294765] print_report+0x118/0x5e0 [ 31.295546] kasan_report+0xc8/0x118 [ 31.296099] __asan_report_load1_noabort+0x20/0x30 [ 31.296858] ksize_uaf+0x59c/0x600 [ 31.297514] kunit_try_run_case+0x14c/0x3d0 [ 31.298158] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.299118] kthread+0x24c/0x2d0 [ 31.299620] ret_from_fork+0x10/0x20 [ 31.300182] [ 31.300556] Allocated by task 185: [ 31.301069] kasan_save_stack+0x3c/0x68 [ 31.301859] kasan_save_track+0x20/0x40 [ 31.302419] kasan_save_alloc_info+0x40/0x58 [ 31.303199] __kasan_kmalloc+0xd4/0xd8 [ 31.303729] __kmalloc_cache_noprof+0x15c/0x3c0 [ 31.304424] ksize_uaf+0xb8/0x600 [ 31.304911] kunit_try_run_case+0x14c/0x3d0 [ 31.305960] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.306708] kthread+0x24c/0x2d0 [ 31.307284] ret_from_fork+0x10/0x20 [ 31.308663] [ 31.308998] Freed by task 185: [ 31.309408] kasan_save_stack+0x3c/0x68 [ 31.310029] kasan_save_track+0x20/0x40 [ 31.310800] kasan_save_free_info+0x4c/0x78 [ 31.311767] __kasan_slab_free+0x6c/0x98 [ 31.312448] kfree+0x114/0x3c8 [ 31.313016] ksize_uaf+0x11c/0x600 [ 31.313508] kunit_try_run_case+0x14c/0x3d0 [ 31.314237] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.315232] kthread+0x24c/0x2d0 [ 31.315756] ret_from_fork+0x10/0x20 [ 31.316303] [ 31.316655] The buggy address belongs to the object at fff00000c58f4400 [ 31.316655] which belongs to the cache kmalloc-128 of size 128 [ 31.318129] The buggy address is located 0 bytes inside of [ 31.318129] freed 128-byte region [fff00000c58f4400, fff00000c58f4480) [ 31.319824] [ 31.320124] The buggy address belongs to the physical page: [ 31.320791] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058f4 [ 31.321730] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.322746] page_type: f5(slab) [ 31.323487] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 31.324475] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 31.325494] page dumped because: kasan: bad access detected [ 31.326188] [ 31.326540] Memory state around the buggy address: [ 31.327354] fff00000c58f4300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.328241] fff00000c58f4380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.329120] >fff00000c58f4400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.330780] ^ [ 31.331420] fff00000c58f4480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.332464] fff00000c58f4500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.333289] ==================================================================
[ 26.793433] ================================================================== [ 26.794273] BUG: KASAN: slab-use-after-free in ksize_uaf+0x600/0x6c0 [ 26.794933] Read of size 1 at addr ffff888102a15400 by task kunit_try_catch/205 [ 26.795507] [ 26.795735] CPU: 1 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241203 #1 [ 26.796510] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.796828] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 26.797606] Call Trace: [ 26.797902] <TASK> [ 26.798179] dump_stack_lvl+0x73/0xb0 [ 26.798651] print_report+0xd1/0x640 [ 26.799035] ? __virt_addr_valid+0x1db/0x2d0 [ 26.799522] ? kasan_complete_mode_report_info+0x64/0x200 [ 26.800070] kasan_report+0x102/0x140 [ 26.800478] ? ksize_uaf+0x600/0x6c0 [ 26.800872] ? ksize_uaf+0x600/0x6c0 [ 26.801344] __asan_report_load1_noabort+0x18/0x20 [ 26.801829] ksize_uaf+0x600/0x6c0 [ 26.802219] ? __pfx_ksize_uaf+0x10/0x10 [ 26.802693] ? __pfx_ksize_uaf+0x10/0x10 [ 26.803125] kunit_try_run_case+0x1b3/0x490 [ 26.803413] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.803934] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 26.804490] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 26.805072] ? __kthread_parkme+0x82/0x160 [ 26.805516] ? preempt_count_sub+0x50/0x80 [ 26.805869] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.806249] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 26.806848] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.807377] kthread+0x257/0x310 [ 26.807781] ? __pfx_kthread+0x10/0x10 [ 26.808180] ret_from_fork+0x41/0x80 [ 26.808615] ? __pfx_kthread+0x10/0x10 [ 26.809066] ret_from_fork_asm+0x1a/0x30 [ 26.809544] </TASK> [ 26.809778] [ 26.809972] Allocated by task 205: [ 26.810309] kasan_save_stack+0x3d/0x60 [ 26.810748] kasan_save_track+0x18/0x40 [ 26.811102] kasan_save_alloc_info+0x3b/0x50 [ 26.811586] __kasan_kmalloc+0xb7/0xc0 [ 26.811963] __kmalloc_cache_noprof+0x184/0x410 [ 26.812358] ksize_uaf+0xab/0x6c0 [ 26.812747] kunit_try_run_case+0x1b3/0x490 [ 26.813196] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.813728] kthread+0x257/0x310 [ 26.814103] ret_from_fork+0x41/0x80 [ 26.814936] ret_from_fork_asm+0x1a/0x30 [ 26.815352] [ 26.815609] Freed by task 205: [ 26.815926] kasan_save_stack+0x3d/0x60 [ 26.816209] kasan_save_track+0x18/0x40 [ 26.816546] kasan_save_free_info+0x3f/0x60 [ 26.816995] __kasan_slab_free+0x56/0x70 [ 26.817465] kfree+0x123/0x3f0 [ 26.817816] ksize_uaf+0x12d/0x6c0 [ 26.818216] kunit_try_run_case+0x1b3/0x490 [ 26.818662] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.819157] kthread+0x257/0x310 [ 26.819495] ret_from_fork+0x41/0x80 [ 26.819831] ret_from_fork_asm+0x1a/0x30 [ 26.820208] [ 26.820426] The buggy address belongs to the object at ffff888102a15400 [ 26.820426] which belongs to the cache kmalloc-128 of size 128 [ 26.821470] The buggy address is located 0 bytes inside of [ 26.821470] freed 128-byte region [ffff888102a15400, ffff888102a15480) [ 26.822383] [ 26.822578] The buggy address belongs to the physical page: [ 26.822863] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a15 [ 26.823468] flags: 0x200000000000000(node=0|zone=2) [ 26.823957] page_type: f5(slab) [ 26.824349] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 26.825127] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 26.825610] page dumped because: kasan: bad access detected [ 26.825963] [ 26.826198] Memory state around the buggy address: [ 26.826672] ffff888102a15300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.827291] ffff888102a15380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.827951] >ffff888102a15400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.828641] ^ [ 26.828975] ffff888102a15480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.829559] ffff888102a15500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.829995] ================================================================== [ 26.831754] ================================================================== [ 26.832364] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e6/0x6c0 [ 26.832734] Read of size 1 at addr ffff888102a15478 by task kunit_try_catch/205 [ 26.834426] [ 26.834975] CPU: 1 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241203 #1 [ 26.836023] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.836466] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 26.837529] Call Trace: [ 26.838662] <TASK> [ 26.838955] dump_stack_lvl+0x73/0xb0 [ 26.839381] print_report+0xd1/0x640 [ 26.839794] ? __virt_addr_valid+0x1db/0x2d0 [ 26.840189] ? kasan_complete_mode_report_info+0x64/0x200 [ 26.840580] kasan_report+0x102/0x140 [ 26.840836] ? ksize_uaf+0x5e6/0x6c0 [ 26.841100] ? ksize_uaf+0x5e6/0x6c0 [ 26.841561] __asan_report_load1_noabort+0x18/0x20 [ 26.842109] ksize_uaf+0x5e6/0x6c0 [ 26.842535] ? __pfx_ksize_uaf+0x10/0x10 [ 26.842982] ? __pfx_ksize_uaf+0x10/0x10 [ 26.843476] kunit_try_run_case+0x1b3/0x490 [ 26.843922] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.844473] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 26.844997] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 26.846030] ? __kthread_parkme+0x82/0x160 [ 26.846738] ? preempt_count_sub+0x50/0x80 [ 26.847018] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.847324] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 26.847702] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.848021] kthread+0x257/0x310 [ 26.848393] ? __pfx_kthread+0x10/0x10 [ 26.848899] ret_from_fork+0x41/0x80 [ 26.849361] ? __pfx_kthread+0x10/0x10 [ 26.849835] ret_from_fork_asm+0x1a/0x30 [ 26.850332] </TASK> [ 26.850635] [ 26.850871] Allocated by task 205: [ 26.851207] kasan_save_stack+0x3d/0x60 [ 26.851673] kasan_save_track+0x18/0x40 [ 26.852075] kasan_save_alloc_info+0x3b/0x50 [ 26.852584] __kasan_kmalloc+0xb7/0xc0 [ 26.852962] __kmalloc_cache_noprof+0x184/0x410 [ 26.853491] ksize_uaf+0xab/0x6c0 [ 26.853855] kunit_try_run_case+0x1b3/0x490 [ 26.854327] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.854823] kthread+0x257/0x310 [ 26.855097] ret_from_fork+0x41/0x80 [ 26.855550] ret_from_fork_asm+0x1a/0x30 [ 26.855976] [ 26.856204] Freed by task 205: [ 26.856579] kasan_save_stack+0x3d/0x60 [ 26.856973] kasan_save_track+0x18/0x40 [ 26.857401] kasan_save_free_info+0x3f/0x60 [ 26.857817] __kasan_slab_free+0x56/0x70 [ 26.858172] kfree+0x123/0x3f0 [ 26.858542] ksize_uaf+0x12d/0x6c0 [ 26.858906] kunit_try_run_case+0x1b3/0x490 [ 26.859368] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.859753] kthread+0x257/0x310 [ 26.859980] ret_from_fork+0x41/0x80 [ 26.860390] ret_from_fork_asm+0x1a/0x30 [ 26.860885] [ 26.861129] The buggy address belongs to the object at ffff888102a15400 [ 26.861129] which belongs to the cache kmalloc-128 of size 128 [ 26.862003] The buggy address is located 120 bytes inside of [ 26.862003] freed 128-byte region [ffff888102a15400, ffff888102a15480) [ 26.862606] [ 26.862753] The buggy address belongs to the physical page: [ 26.863263] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a15 [ 26.863989] flags: 0x200000000000000(node=0|zone=2) [ 26.864540] page_type: f5(slab) [ 26.864969] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 26.865690] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 26.866336] page dumped because: kasan: bad access detected [ 26.866689] [ 26.866833] Memory state around the buggy address: [ 26.867134] ffff888102a15300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.867814] ffff888102a15380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.868471] >ffff888102a15400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.869111] ^ [ 26.869594] ffff888102a15480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.870103] ffff888102a15500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.870648] ================================================================== [ 26.752092] ================================================================== [ 26.752941] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19e/0x6c0 [ 26.753532] Read of size 1 at addr ffff888102a15400 by task kunit_try_catch/205 [ 26.754826] [ 26.755072] CPU: 1 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241203 #1 [ 26.755574] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.755956] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 26.757255] Call Trace: [ 26.757504] <TASK> [ 26.757789] dump_stack_lvl+0x73/0xb0 [ 26.758175] print_report+0xd1/0x640 [ 26.758555] ? __virt_addr_valid+0x1db/0x2d0 [ 26.759405] ? kasan_complete_mode_report_info+0x64/0x200 [ 26.759879] kasan_report+0x102/0x140 [ 26.760191] ? ksize_uaf+0x19e/0x6c0 [ 26.760668] ? ksize_uaf+0x19e/0x6c0 [ 26.761475] ? ksize_uaf+0x19e/0x6c0 [ 26.761889] __kasan_check_byte+0x3d/0x50 [ 26.762186] ksize+0x20/0x60 [ 26.762598] ksize_uaf+0x19e/0x6c0 [ 26.763106] ? __pfx_ksize_uaf+0x10/0x10 [ 26.763631] ? __pfx_ksize_uaf+0x10/0x10 [ 26.764159] kunit_try_run_case+0x1b3/0x490 [ 26.764730] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.765168] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 26.765598] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 26.766101] ? __kthread_parkme+0x82/0x160 [ 26.766617] ? preempt_count_sub+0x50/0x80 [ 26.767110] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.767635] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 26.768008] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.768562] kthread+0x257/0x310 [ 26.768899] ? __pfx_kthread+0x10/0x10 [ 26.769181] ret_from_fork+0x41/0x80 [ 26.769609] ? __pfx_kthread+0x10/0x10 [ 26.769990] ret_from_fork_asm+0x1a/0x30 [ 26.770422] </TASK> [ 26.770713] [ 26.770858] Allocated by task 205: [ 26.771218] kasan_save_stack+0x3d/0x60 [ 26.771648] kasan_save_track+0x18/0x40 [ 26.771984] kasan_save_alloc_info+0x3b/0x50 [ 26.772274] __kasan_kmalloc+0xb7/0xc0 [ 26.772628] __kmalloc_cache_noprof+0x184/0x410 [ 26.773089] ksize_uaf+0xab/0x6c0 [ 26.773465] kunit_try_run_case+0x1b3/0x490 [ 26.773885] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.774388] kthread+0x257/0x310 [ 26.774775] ret_from_fork+0x41/0x80 [ 26.775027] ret_from_fork_asm+0x1a/0x30 [ 26.775305] [ 26.775565] Freed by task 205: [ 26.775868] kasan_save_stack+0x3d/0x60 [ 26.776272] kasan_save_track+0x18/0x40 [ 26.776706] kasan_save_free_info+0x3f/0x60 [ 26.777130] __kasan_slab_free+0x56/0x70 [ 26.777476] kfree+0x123/0x3f0 [ 26.777713] ksize_uaf+0x12d/0x6c0 [ 26.777941] kunit_try_run_case+0x1b3/0x490 [ 26.778366] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.778882] kthread+0x257/0x310 [ 26.779236] ret_from_fork+0x41/0x80 [ 26.779640] ret_from_fork_asm+0x1a/0x30 [ 26.780022] [ 26.780245] The buggy address belongs to the object at ffff888102a15400 [ 26.780245] which belongs to the cache kmalloc-128 of size 128 [ 26.780941] The buggy address is located 0 bytes inside of [ 26.780941] freed 128-byte region [ffff888102a15400, ffff888102a15480) [ 26.781885] [ 26.782100] The buggy address belongs to the physical page: [ 26.782402] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a15 [ 26.783084] flags: 0x200000000000000(node=0|zone=2) [ 26.784228] page_type: f5(slab) [ 26.785356] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 26.786038] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 26.786631] page dumped because: kasan: bad access detected [ 26.787242] [ 26.787451] Memory state around the buggy address: [ 26.787941] ffff888102a15300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.788416] ffff888102a15380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.789050] >ffff888102a15400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.789570] ^ [ 26.789913] ffff888102a15480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.790521] ffff888102a15500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.791150] ==================================================================