Date
Dec. 4, 2024, 3:07 p.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:

```
[ 32.964754] ==================================================================
[ 32.965497] BUG: KASAN: slab-use-after-free in ksize_uaf+0x548/0x600
[ 32.966963] Read of size 1 at addr fff00000c6763a78 by task kunit_try_catch/184
[ 32.968791]
[ 32.969321] CPU: 0 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241204 #1
[ 32.971137] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.971935] Hardware name: linux,dummy-virt (DT)
[ 32.972785] Call trace:
[ 32.973254] show_stack+0x20/0x38 (C)
[ 32.973846] dump_stack_lvl+0x8c/0xd0
[ 32.974355] print_report+0x118/0x5e0
[ 32.975400] kasan_report+0xc8/0x118
[ 32.976039] __asan_report_load1_noabort+0x20/0x30
[ 32.976738] ksize_uaf+0x548/0x600
[ 32.977382] kunit_try_run_case+0x14c/0x3d0
[ 32.978729] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.979307] kthread+0x24c/0x2d0
[ 32.979843] ret_from_fork+0x10/0x20
[ 32.980290]
[ 32.980567] Allocated by task 184:
[ 32.981302] kasan_save_stack+0x3c/0x68
[ 32.982127] kasan_save_track+0x20/0x40
[ 32.983600] kasan_save_alloc_info+0x40/0x58
[ 32.984336] __kasan_kmalloc+0xd4/0xd8
[ 32.984873] __kmalloc_cache_noprof+0x15c/0x3c0
[ 32.985486] ksize_uaf+0xb8/0x600
[ 32.986031] kunit_try_run_case+0x14c/0x3d0
[ 32.986617] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.987398] kthread+0x24c/0x2d0
[ 32.988694] ret_from_fork+0x10/0x20
[ 32.989585]
[ 32.990702] Freed by task 184:
[ 32.991103] kasan_save_stack+0x3c/0x68
[ 32.991874] kasan_save_track+0x20/0x40
[ 32.992334] kasan_save_free_info+0x4c/0x78
[ 32.993125] __kasan_slab_free+0x6c/0x98
[ 32.994404] kfree+0x114/0x3c8
[ 32.995330] ksize_uaf+0x11c/0x600
[ 32.996017] kunit_try_run_case+0x14c/0x3d0
[ 32.996859] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.998193] kthread+0x24c/0x2d0
[ 32.998770] ret_from_fork+0x10/0x20
[ 32.999371]
[ 32.999867] The buggy address belongs to the object at fff00000c6763a00
[ 32.999867] which belongs to the cache kmalloc-128 of size 128
[ 33.001448] The buggy address is located 120 bytes inside of
[ 33.001448] freed 128-byte region [fff00000c6763a00, fff00000c6763a80)
[ 33.003992]
[ 33.004406] The buggy address belongs to the physical page:
[ 33.005211] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106763
[ 33.006548] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.007480] page_type: f5(slab)
[ 33.008355] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 33.009229] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 33.010463] page dumped because: kasan: bad access detected
[ 33.011013]
[ 33.011253] Memory state around the buggy address:
[ 33.011725]  fff00000c6763900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.012557]  fff00000c6763980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.013226] >fff00000c6763a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.014575]                                                                 ^
[ 33.016013]  fff00000c6763a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.016868]  fff00000c6763b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.017785] ==================================================================
```

```
[ 32.909432] ==================================================================
[ 32.910500] BUG: KASAN: slab-use-after-free in ksize_uaf+0x59c/0x600
[ 32.911841] Read of size 1 at addr fff00000c6763a00 by task kunit_try_catch/184
[ 32.912568]
[ 32.912934] CPU: 0 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241204 #1
[ 32.914774] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.915461] Hardware name: linux,dummy-virt (DT)
[ 32.916251] Call trace:
[ 32.916779] show_stack+0x20/0x38 (C)
[ 32.917530] dump_stack_lvl+0x8c/0xd0
[ 32.918465] print_report+0x118/0x5e0
[ 32.919459] kasan_report+0xc8/0x118
[ 32.920282] __asan_report_load1_noabort+0x20/0x30
[ 32.921048] ksize_uaf+0x59c/0x600
[ 32.921508] kunit_try_run_case+0x14c/0x3d0
[ 32.922817] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.923742] kthread+0x24c/0x2d0
[ 32.924304] ret_from_fork+0x10/0x20
[ 32.925098]
[ 32.925407] Allocated by task 184:
[ 32.926668] kasan_save_stack+0x3c/0x68
[ 32.927261] kasan_save_track+0x20/0x40
[ 32.927727] kasan_save_alloc_info+0x40/0x58
[ 32.928181] __kasan_kmalloc+0xd4/0xd8
[ 32.928716] __kmalloc_cache_noprof+0x15c/0x3c0
[ 32.929437] ksize_uaf+0xb8/0x600
[ 32.930671] kunit_try_run_case+0x14c/0x3d0
[ 32.931510] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.932399] kthread+0x24c/0x2d0
[ 32.932959] ret_from_fork+0x10/0x20
[ 32.933651]
[ 32.934306] Freed by task 184:
[ 32.934819] kasan_save_stack+0x3c/0x68
[ 32.935384] kasan_save_track+0x20/0x40
[ 32.936524] kasan_save_free_info+0x4c/0x78
[ 32.937432] __kasan_slab_free+0x6c/0x98
[ 32.938215] kfree+0x114/0x3c8
[ 32.939284] ksize_uaf+0x11c/0x600
[ 32.939847] kunit_try_run_case+0x14c/0x3d0
[ 32.940459] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.941266] kthread+0x24c/0x2d0
[ 32.941759] ret_from_fork+0x10/0x20
[ 32.942860]
[ 32.943427] The buggy address belongs to the object at fff00000c6763a00
[ 32.943427] which belongs to the cache kmalloc-128 of size 128
[ 32.945429] The buggy address is located 0 bytes inside of
[ 32.945429] freed 128-byte region [fff00000c6763a00, fff00000c6763a80)
[ 32.947160]
[ 32.947673] The buggy address belongs to the physical page:
[ 32.948176] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106763
[ 32.949307] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.950145] page_type: f5(slab)
[ 32.950619] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 32.952669] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 32.954019] page dumped because: kasan: bad access detected
[ 32.955290]
[ 32.955565] Memory state around the buggy address:
[ 32.956534]  fff00000c6763900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.957619]  fff00000c6763980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.958878] >fff00000c6763a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.959862]                    ^
[ 32.960961]  fff00000c6763a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.961993]  fff00000c6763b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.963034] ==================================================================
```

```
[ 32.851199] ==================================================================
[ 32.852616] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x600
[ 32.854343] Read of size 1 at addr fff00000c6763a00 by task kunit_try_catch/184
[ 32.855198]
[ 32.855476] CPU: 0 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241204 #1
[ 32.856986] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.858017] Hardware name: linux,dummy-virt (DT)
[ 32.859085] Call trace:
[ 32.859786] show_stack+0x20/0x38 (C)
[ 32.860304] dump_stack_lvl+0x8c/0xd0
[ 32.860914] print_report+0x118/0x5e0
[ 32.861397] kasan_report+0xc8/0x118
[ 32.862545] __kasan_check_byte+0x54/0x70
[ 32.863855] ksize+0x30/0x88
[ 32.864256] ksize_uaf+0x168/0x600
[ 32.865055] kunit_try_run_case+0x14c/0x3d0
[ 32.866218] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.867007] kthread+0x24c/0x2d0
[ 32.867616] ret_from_fork+0x10/0x20
[ 32.868187]
[ 32.868502] Allocated by task 184:
[ 32.869510] kasan_save_stack+0x3c/0x68
[ 32.870257] kasan_save_track+0x20/0x40
[ 32.871046] kasan_save_alloc_info+0x40/0x58
[ 32.872256] __kasan_kmalloc+0xd4/0xd8
[ 32.872686] __kmalloc_cache_noprof+0x15c/0x3c0
[ 32.873132] ksize_uaf+0xb8/0x600
[ 32.873804] kunit_try_run_case+0x14c/0x3d0
[ 32.874896] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.876087] kthread+0x24c/0x2d0
[ 32.876472] ret_from_fork+0x10/0x20
[ 32.877351]
[ 32.877731] Freed by task 184:
[ 32.878120] kasan_save_stack+0x3c/0x68
[ 32.879411] kasan_save_track+0x20/0x40
[ 32.880110] kasan_save_free_info+0x4c/0x78
[ 32.881025] __kasan_slab_free+0x6c/0x98
[ 32.881939] kfree+0x114/0x3c8
[ 32.882784] ksize_uaf+0x11c/0x600
[ 32.883347] kunit_try_run_case+0x14c/0x3d0
[ 32.883927] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.884412] kthread+0x24c/0x2d0
[ 32.885555] ret_from_fork+0x10/0x20
[ 32.886565]
[ 32.887256] The buggy address belongs to the object at fff00000c6763a00
[ 32.887256] which belongs to the cache kmalloc-128 of size 128
[ 32.888884] The buggy address is located 0 bytes inside of
[ 32.888884] freed 128-byte region [fff00000c6763a00, fff00000c6763a80)
[ 32.891288]
[ 32.891845] The buggy address belongs to the physical page:
[ 32.892688] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106763
[ 32.893827] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.894900] page_type: f5(slab)
[ 32.895354] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 32.897241] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 32.898362] page dumped because: kasan: bad access detected
[ 32.899608]
[ 32.899966] Memory state around the buggy address:
[ 32.900773]  fff00000c6763900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.901651]  fff00000c6763980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.902983] >fff00000c6763a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.904291]                    ^
[ 32.905028]  fff00000c6763a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.906445]  fff00000c6763b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.907325] ==================================================================
```
qemu-x86_64:

```
[ 23.649576] ==================================================================
[ 23.650901] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19e/0x6c0
[ 23.652053] Read of size 1 at addr ffff888102992000 by task kunit_try_catch/204
[ 23.653235]
[ 23.653585] CPU: 1 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241204 #1
[ 23.655692] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.656345] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.657580] Call Trace:
[ 23.657931] <TASK>
[ 23.658195] dump_stack_lvl+0x73/0xb0
[ 23.659042] print_report+0xd1/0x640
[ 23.659581] ? __virt_addr_valid+0x1db/0x2d0
[ 23.660086] ? kasan_complete_mode_report_info+0x64/0x200
[ 23.661131] kasan_report+0x102/0x140
[ 23.661936] ? ksize_uaf+0x19e/0x6c0
[ 23.662261] ? ksize_uaf+0x19e/0x6c0
[ 23.662751] ? ksize_uaf+0x19e/0x6c0
[ 23.663192] __kasan_check_byte+0x3d/0x50
[ 23.664789] ksize+0x20/0x60
[ 23.665138] ksize_uaf+0x19e/0x6c0
[ 23.665394] ? __pfx_ksize_uaf+0x10/0x10
[ 23.666508] ? __schedule+0xc3e/0x2790
[ 23.666939] ? __pfx_read_tsc+0x10/0x10
[ 23.667345] ? ktime_get_ts64+0x86/0x230
[ 23.667821] kunit_try_run_case+0x1b3/0x490
[ 23.668651] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.670008] ? _raw_spin_lock_irqsave+0xa2/0x110
[ 23.670693] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.671218] ? __kthread_parkme+0x82/0x160
[ 23.671701] ? preempt_count_sub+0x50/0x80
[ 23.672666] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.673031] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.674461] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.675316] kthread+0x257/0x310
[ 23.675877] ? __pfx_kthread+0x10/0x10
[ 23.676653] ret_from_fork+0x41/0x80
[ 23.677446] ? __pfx_kthread+0x10/0x10
[ 23.678007] ret_from_fork_asm+0x1a/0x30
[ 23.679048] </TASK>
[ 23.679234]
[ 23.679860] Allocated by task 204:
[ 23.680274] kasan_save_stack+0x3d/0x60
[ 23.681151] kasan_save_track+0x18/0x40
[ 23.681409] kasan_save_alloc_info+0x3b/0x50
[ 23.682232] __kasan_kmalloc+0xb7/0xc0
[ 23.683052] __kmalloc_cache_noprof+0x184/0x410
[ 23.683724] ksize_uaf+0xab/0x6c0
[ 23.684094] kunit_try_run_case+0x1b3/0x490
[ 23.685181] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.685734] kthread+0x257/0x310
[ 23.685899] ret_from_fork+0x41/0x80
[ 23.686101] ret_from_fork_asm+0x1a/0x30
[ 23.686313]
[ 23.686973] Freed by task 204:
[ 23.687209] kasan_save_stack+0x3d/0x60
[ 23.687539] kasan_save_track+0x18/0x40
[ 23.688017] kasan_save_free_info+0x3f/0x60
[ 23.688535] __kasan_slab_free+0x56/0x70
[ 23.689106] kfree+0x123/0x3f0
[ 23.689364] ksize_uaf+0x12d/0x6c0
[ 23.690119] kunit_try_run_case+0x1b3/0x490
[ 23.691549] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.692181] kthread+0x257/0x310
[ 23.692856] ret_from_fork+0x41/0x80
[ 23.693624] ret_from_fork_asm+0x1a/0x30
[ 23.694164]
[ 23.694597] The buggy address belongs to the object at ffff888102992000
[ 23.694597] which belongs to the cache kmalloc-128 of size 128
[ 23.696518] The buggy address is located 0 bytes inside of
[ 23.696518] freed 128-byte region [ffff888102992000, ffff888102992080)
[ 23.697432]
[ 23.698077] The buggy address belongs to the physical page:
[ 23.699153] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102992
[ 23.699735] flags: 0x200000000000000(node=0|zone=2)
[ 23.700231] page_type: f5(slab)
[ 23.700655] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 23.701777] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.702781] page dumped because: kasan: bad access detected
[ 23.703288]
[ 23.703818] Memory state around the buggy address:
[ 23.704626]  ffff888102991f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.705689]  ffff888102991f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.705994] >ffff888102992000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.706610]                    ^
[ 23.706914]  ffff888102992080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.708070]  ffff888102992100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.708985] ==================================================================
```

```
[ 23.771503] ==================================================================
[ 23.772261] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e6/0x6c0
[ 23.773018] Read of size 1 at addr ffff888102992078 by task kunit_try_catch/204
[ 23.774093]
[ 23.774337] CPU: 1 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241204 #1
[ 23.776235] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.777020] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.778598] Call Trace:
[ 23.779023] <TASK>
[ 23.779235] dump_stack_lvl+0x73/0xb0
[ 23.780182] print_report+0xd1/0x640
[ 23.780641] ? __virt_addr_valid+0x1db/0x2d0
[ 23.781404] ? kasan_complete_mode_report_info+0x64/0x200
[ 23.782424] kasan_report+0x102/0x140
[ 23.782838] ? ksize_uaf+0x5e6/0x6c0
[ 23.783236] ? ksize_uaf+0x5e6/0x6c0
[ 23.784843] __asan_report_load1_noabort+0x18/0x20
[ 23.785550] ksize_uaf+0x5e6/0x6c0
[ 23.785734] ? __pfx_ksize_uaf+0x10/0x10
[ 23.785919] ? __schedule+0xc3e/0x2790
[ 23.786631] ? __pfx_read_tsc+0x10/0x10
[ 23.787957] ? ktime_get_ts64+0x86/0x230
[ 23.788986] kunit_try_run_case+0x1b3/0x490
[ 23.789774] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.790318] ? _raw_spin_lock_irqsave+0xa2/0x110
[ 23.790990] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.791225] ? __kthread_parkme+0x82/0x160
[ 23.791477] ? preempt_count_sub+0x50/0x80
[ 23.792508] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.793881] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.794571] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.795107] kthread+0x257/0x310
[ 23.795453] ? __pfx_kthread+0x10/0x10
[ 23.795837] ret_from_fork+0x41/0x80
[ 23.796181] ? __pfx_kthread+0x10/0x10
[ 23.796829] ret_from_fork_asm+0x1a/0x30
[ 23.797487] </TASK>
[ 23.797809]
[ 23.798018] Allocated by task 204:
[ 23.798256] kasan_save_stack+0x3d/0x60
[ 23.799793] kasan_save_track+0x18/0x40
[ 23.800646] kasan_save_alloc_info+0x3b/0x50
[ 23.801946] __kasan_kmalloc+0xb7/0xc0
[ 23.802549] __kmalloc_cache_noprof+0x184/0x410
[ 23.803643] ksize_uaf+0xab/0x6c0
[ 23.804079] kunit_try_run_case+0x1b3/0x490
[ 23.804984] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.806029] kthread+0x257/0x310
[ 23.807013] ret_from_fork+0x41/0x80
[ 23.807779] ret_from_fork_asm+0x1a/0x30
[ 23.808277]
[ 23.808424] Freed by task 204:
[ 23.808665] kasan_save_stack+0x3d/0x60
[ 23.809189] kasan_save_track+0x18/0x40
[ 23.809665] kasan_save_free_info+0x3f/0x60
[ 23.811277] __kasan_slab_free+0x56/0x70
[ 23.811827] kfree+0x123/0x3f0
[ 23.812474] ksize_uaf+0x12d/0x6c0
[ 23.813143] kunit_try_run_case+0x1b3/0x490
[ 23.814016] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.814641] kthread+0x257/0x310
[ 23.815406] ret_from_fork+0x41/0x80
[ 23.815779] ret_from_fork_asm+0x1a/0x30
[ 23.816188]
[ 23.816394] The buggy address belongs to the object at ffff888102992000
[ 23.816394] which belongs to the cache kmalloc-128 of size 128
[ 23.818064] The buggy address is located 120 bytes inside of
[ 23.818064] freed 128-byte region [ffff888102992000, ffff888102992080)
[ 23.820809]
[ 23.821127] The buggy address belongs to the physical page:
[ 23.821957] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102992
[ 23.822853] flags: 0x200000000000000(node=0|zone=2)
[ 23.823989] page_type: f5(slab)
[ 23.824472] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 23.825466] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.826268] page dumped because: kasan: bad access detected
[ 23.826993]
[ 23.827224] Memory state around the buggy address:
[ 23.827842]  ffff888102991f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.828904]  ffff888102991f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.829789] >ffff888102992000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.831038]                                                                 ^
[ 23.832236]  ffff888102992080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.833540]  ffff888102992100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.834499] ==================================================================
```

```
[ 23.710351] ==================================================================
[ 23.711403] BUG: KASAN: slab-use-after-free in ksize_uaf+0x600/0x6c0
[ 23.712463] Read of size 1 at addr ffff888102992000 by task kunit_try_catch/204
[ 23.713370]
[ 23.713643] CPU: 1 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241204 #1
[ 23.714999] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.715929] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.716912] Call Trace:
[ 23.717584] <TASK>
[ 23.717935] dump_stack_lvl+0x73/0xb0
[ 23.718703] print_report+0xd1/0x640
[ 23.719499] ? __virt_addr_valid+0x1db/0x2d0
[ 23.719906] ? kasan_complete_mode_report_info+0x64/0x200
[ 23.720859] kasan_report+0x102/0x140
[ 23.721222] ? ksize_uaf+0x600/0x6c0
[ 23.721893] ? ksize_uaf+0x600/0x6c0
[ 23.722595] __asan_report_load1_noabort+0x18/0x20
[ 23.723109] ksize_uaf+0x600/0x6c0
[ 23.723600] ? __pfx_ksize_uaf+0x10/0x10
[ 23.724233] ? __schedule+0xc3e/0x2790
[ 23.725046] ? __pfx_read_tsc+0x10/0x10
[ 23.725326] ? ktime_get_ts64+0x86/0x230
[ 23.726074] kunit_try_run_case+0x1b3/0x490
[ 23.726849] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.727402] ? _raw_spin_lock_irqsave+0xa2/0x110
[ 23.728373] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.729177] ? __kthread_parkme+0x82/0x160
[ 23.729663] ? preempt_count_sub+0x50/0x80
[ 23.730366] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.731296] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.732144] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.733071] kthread+0x257/0x310
[ 23.733406] ? __pfx_kthread+0x10/0x10
[ 23.734135] ret_from_fork+0x41/0x80
[ 23.734626] ? __pfx_kthread+0x10/0x10
[ 23.735575] ret_from_fork_asm+0x1a/0x30
[ 23.736078] </TASK>
[ 23.736409]
[ 23.736909] Allocated by task 204:
[ 23.737485] kasan_save_stack+0x3d/0x60
[ 23.737994] kasan_save_track+0x18/0x40
[ 23.738494] kasan_save_alloc_info+0x3b/0x50
[ 23.739272] __kasan_kmalloc+0xb7/0xc0
[ 23.740016] __kmalloc_cache_noprof+0x184/0x410
[ 23.740867] ksize_uaf+0xab/0x6c0
[ 23.741196] kunit_try_run_case+0x1b3/0x490
[ 23.741737] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.742548] kthread+0x257/0x310
[ 23.742927] ret_from_fork+0x41/0x80
[ 23.743416] ret_from_fork_asm+0x1a/0x30
[ 23.743841]
[ 23.744325] Freed by task 204:
[ 23.744649] kasan_save_stack+0x3d/0x60
[ 23.745281] kasan_save_track+0x18/0x40
[ 23.746049] kasan_save_free_info+0x3f/0x60
[ 23.746838] __kasan_slab_free+0x56/0x70
[ 23.747605] kfree+0x123/0x3f0
[ 23.748179] ksize_uaf+0x12d/0x6c0
[ 23.748891] kunit_try_run_case+0x1b3/0x490
[ 23.749719] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.750265] kthread+0x257/0x310
[ 23.751169] ret_from_fork+0x41/0x80
[ 23.751461] ret_from_fork_asm+0x1a/0x30
[ 23.751956]
[ 23.752179] The buggy address belongs to the object at ffff888102992000
[ 23.752179] which belongs to the cache kmalloc-128 of size 128
[ 23.753348] The buggy address is located 0 bytes inside of
[ 23.753348] freed 128-byte region [ffff888102992000, ffff888102992080)
[ 23.755265]
[ 23.755692] The buggy address belongs to the physical page:
[ 23.756244] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102992
[ 23.758014] flags: 0x200000000000000(node=0|zone=2)
[ 23.758525] page_type: f5(slab)
[ 23.758836] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 23.759513] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.760822] page dumped because: kasan: bad access detected
[ 23.762061]
[ 23.762266] Memory state around the buggy address:
[ 23.763053]  ffff888102991f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.764221]  ffff888102991f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.765144] >ffff888102992000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.766201]                    ^
[ 23.767136]  ffff888102992080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.767915]  ffff888102992100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.769244] ==================================================================
```