Date
May 12, 2025, 11:48 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 17.088829] ================================================================== [ 17.088959] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 17.089071] Read of size 1 at addr fff00000c78d9400 by task kunit_try_catch/196 [ 17.089176] [ 17.089240] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250512 #1 PREEMPT [ 17.089432] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.089490] Hardware name: linux,dummy-virt (DT) [ 17.089556] Call trace: [ 17.089604] show_stack+0x20/0x38 (C) [ 17.089710] dump_stack_lvl+0x8c/0xd0 [ 17.089814] print_report+0x118/0x608 [ 17.089954] kasan_report+0xdc/0x128 [ 17.090054] __kasan_check_byte+0x54/0x70 [ 17.090191] ksize+0x30/0x88 [ 17.090276] ksize_uaf+0x168/0x5f8 [ 17.090362] kunit_try_run_case+0x170/0x3f0 [ 17.090468] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.090603] kthread+0x328/0x630 [ 17.090729] ret_from_fork+0x10/0x20 [ 17.090863] [ 17.090912] Allocated by task 196: [ 17.090986] kasan_save_stack+0x3c/0x68 [ 17.091107] kasan_save_track+0x20/0x40 [ 17.091208] kasan_save_alloc_info+0x40/0x58 [ 17.091313] __kasan_kmalloc+0xd4/0xd8 [ 17.091409] __kmalloc_cache_noprof+0x15c/0x3c0 [ 17.091509] ksize_uaf+0xb8/0x5f8 [ 17.091601] kunit_try_run_case+0x170/0x3f0 [ 17.091699] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.091816] kthread+0x328/0x630 [ 17.092078] ret_from_fork+0x10/0x20 [ 17.092165] [ 17.092206] Freed by task 196: [ 17.092264] kasan_save_stack+0x3c/0x68 [ 17.092331] kasan_save_track+0x20/0x40 [ 17.092425] kasan_save_free_info+0x4c/0x78 [ 17.092552] __kasan_slab_free+0x6c/0x98 [ 17.092646] kfree+0x214/0x3c8 [ 17.092781] ksize_uaf+0x11c/0x5f8 [ 17.092860] kunit_try_run_case+0x170/0x3f0 [ 17.092951] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.093052] kthread+0x328/0x630 [ 17.093128] ret_from_fork+0x10/0x20 [ 17.093259] [ 17.093314] The buggy address belongs to the object at fff00000c78d9400 [ 17.093314] which belongs to the cache kmalloc-128 of size 128 [ 17.093844] The buggy address is located 0 bytes inside of [ 17.093844] freed 128-byte region [fff00000c78d9400, fff00000c78d9480) [ 17.094051] [ 17.094147] The buggy address belongs to the physical page: [ 17.094287] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078d9 [ 17.094799] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.095298] page_type: f5(slab) [ 17.095513] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 17.095623] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.095713] page dumped because: kasan: bad access detected [ 17.096153] [ 17.096214] Memory state around the buggy address: [ 17.096370] fff00000c78d9300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.096671] fff00000c78d9380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.096938] >fff00000c78d9400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.097035] ^ [ 17.097104] fff00000c78d9480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.097282] fff00000c78d9500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.097372] ================================================================== [ 17.099062] ================================================================== [ 17.099170] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 17.099270] Read of size 1 at addr fff00000c78d9400 by task kunit_try_catch/196 [ 17.100140] [ 17.100299] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250512 #1 PREEMPT [ 17.100892] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.100960] Hardware name: linux,dummy-virt (DT) [ 17.101034] Call trace: [ 17.101089] show_stack+0x20/0x38 (C) [ 17.101300] dump_stack_lvl+0x8c/0xd0 [ 17.101405] print_report+0x118/0x608 [ 17.101944] kasan_report+0xdc/0x128 [ 17.102183] __asan_report_load1_noabort+0x20/0x30 [ 17.102389] ksize_uaf+0x598/0x5f8 [ 17.102679] kunit_try_run_case+0x170/0x3f0 [ 17.103011] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.103145] kthread+0x328/0x630 [ 17.103551] ret_from_fork+0x10/0x20 [ 17.103660] [ 17.103701] Allocated by task 196: [ 17.103756] kasan_save_stack+0x3c/0x68 [ 17.104816] kasan_save_track+0x20/0x40 [ 17.104931] kasan_save_alloc_info+0x40/0x58 [ 17.105223] __kasan_kmalloc+0xd4/0xd8 [ 17.105460] __kmalloc_cache_noprof+0x15c/0x3c0 [ 17.105755] ksize_uaf+0xb8/0x5f8 [ 17.105827] kunit_try_run_case+0x170/0x3f0 [ 17.106280] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.106738] kthread+0x328/0x630 [ 17.106821] ret_from_fork+0x10/0x20 [ 17.106997] [ 17.107083] Freed by task 196: [ 17.107143] kasan_save_stack+0x3c/0x68 [ 17.107227] kasan_save_track+0x20/0x40 [ 17.107304] kasan_save_free_info+0x4c/0x78 [ 17.107381] __kasan_slab_free+0x6c/0x98 [ 17.107471] kfree+0x214/0x3c8 [ 17.107539] ksize_uaf+0x11c/0x5f8 [ 17.107607] kunit_try_run_case+0x170/0x3f0 [ 17.107683] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.107774] kthread+0x328/0x630 [ 17.107846] ret_from_fork+0x10/0x20 [ 17.107931] [ 17.107976] The buggy address belongs to the object at fff00000c78d9400 [ 17.107976] which belongs to the cache kmalloc-128 of size 128 [ 17.108102] The buggy address is located 0 bytes inside of [ 17.108102] freed 128-byte region [fff00000c78d9400, fff00000c78d9480) [ 17.108251] [ 17.108308] The buggy address belongs to the physical page: [ 17.108376] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078d9 [ 17.108491] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.108592] page_type: f5(slab) [ 17.108674] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 17.108784] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.108873] page dumped because: kasan: bad access detected [ 17.108944] [ 17.108996] Memory state around the buggy address: [ 17.109562] fff00000c78d9300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.109687] fff00000c78d9380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.109845] >fff00000c78d9400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.109960] ^ [ 17.110020] fff00000c78d9480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.110111] fff00000c78d9500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.111011] ================================================================== [ 17.112379] ================================================================== [ 17.112488] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 17.112585] Read of size 1 at addr fff00000c78d9478 by task kunit_try_catch/196 [ 17.112689] [ 17.112750] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250512 #1 PREEMPT [ 17.113213] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.113866] Hardware name: linux,dummy-virt (DT) [ 17.114078] Call trace: [ 17.114149] show_stack+0x20/0x38 (C) [ 17.114662] dump_stack_lvl+0x8c/0xd0 [ 17.114903] print_report+0x118/0x608 [ 17.115059] kasan_report+0xdc/0x128 [ 17.115175] __asan_report_load1_noabort+0x20/0x30 [ 17.115451] ksize_uaf+0x544/0x5f8 [ 17.115547] kunit_try_run_case+0x170/0x3f0 [ 17.115644] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.115754] kthread+0x328/0x630 [ 17.116777] ret_from_fork+0x10/0x20 [ 17.117661] [ 17.117822] Allocated by task 196: [ 17.118046] kasan_save_stack+0x3c/0x68 [ 17.118260] kasan_save_track+0x20/0x40 [ 17.118381] kasan_save_alloc_info+0x40/0x58 [ 17.118801] __kasan_kmalloc+0xd4/0xd8 [ 17.119103] __kmalloc_cache_noprof+0x15c/0x3c0 [ 17.119377] ksize_uaf+0xb8/0x5f8 [ 17.119479] kunit_try_run_case+0x170/0x3f0 [ 17.119639] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.119797] kthread+0x328/0x630 [ 17.120002] ret_from_fork+0x10/0x20 [ 17.120238] [ 17.120298] Freed by task 196: [ 17.120365] kasan_save_stack+0x3c/0x68 [ 17.120452] kasan_save_track+0x20/0x40 [ 17.120529] kasan_save_free_info+0x4c/0x78 [ 17.120603] __kasan_slab_free+0x6c/0x98 [ 17.120894] kfree+0x214/0x3c8 [ 17.121008] ksize_uaf+0x11c/0x5f8 [ 17.121464] kunit_try_run_case+0x170/0x3f0 [ 17.121553] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.121645] kthread+0x328/0x630 [ 17.121719] ret_from_fork+0x10/0x20 [ 17.121790] [ 17.121830] The buggy address belongs to the object at fff00000c78d9400 [ 17.121830] which belongs to the cache kmalloc-128 of size 128 [ 17.122856] The buggy address is located 120 bytes inside of [ 17.122856] freed 128-byte region [fff00000c78d9400, fff00000c78d9480) [ 17.123154] [ 17.123718] The buggy address belongs to the physical page: [ 17.123897] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078d9 [ 17.124127] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.124305] page_type: f5(slab) [ 17.124388] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 17.124498] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.124929] page dumped because: kasan: bad access detected [ 17.125267] [ 17.125325] Memory state around the buggy address: [ 17.125400] fff00000c78d9300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.125697] fff00000c78d9380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.125842] >fff00000c78d9400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.125991] ^ [ 17.126242] fff00000c78d9480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.126341] fff00000c78d9500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.126423] ==================================================================
[ 17.273666] ================================================================== [ 17.274718] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 17.275631] Read of size 1 at addr ffff888102b42900 by task kunit_try_catch/213 [ 17.276429] [ 17.276540] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250512 #1 PREEMPT(voluntary) [ 17.276600] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.276612] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 17.276638] Call Trace: [ 17.276668] <TASK> [ 17.276703] dump_stack_lvl+0x73/0xb0 [ 17.276765] print_report+0xd1/0x650 [ 17.276810] ? __virt_addr_valid+0x1db/0x2d0 [ 17.276853] ? ksize_uaf+0x5fe/0x6c0 [ 17.276888] ? kasan_complete_mode_report_info+0x64/0x200 [ 17.276923] ? ksize_uaf+0x5fe/0x6c0 [ 17.276961] kasan_report+0x141/0x180 [ 17.277002] ? ksize_uaf+0x5fe/0x6c0 [ 17.277055] __asan_report_load1_noabort+0x18/0x20 [ 17.277092] ksize_uaf+0x5fe/0x6c0 [ 17.277132] ? __pfx_ksize_uaf+0x10/0x10 [ 17.277176] ? __schedule+0x10cc/0x2b60 [ 17.277215] ? __pfx_read_tsc+0x10/0x10 [ 17.277295] ? ktime_get_ts64+0x86/0x230 [ 17.277358] kunit_try_run_case+0x1a5/0x480 [ 17.277411] ? __pfx_kunit_try_run_case+0x10/0x10 [ 17.277473] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 17.277511] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 17.277547] ? __kthread_parkme+0x82/0x180 [ 17.277581] ? preempt_count_sub+0x50/0x80 [ 17.277620] ? __pfx_kunit_try_run_case+0x10/0x10 [ 17.277657] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.277695] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 17.277731] kthread+0x337/0x6f0 [ 17.277763] ? trace_preempt_on+0x20/0xc0 [ 17.277802] ? __pfx_kthread+0x10/0x10 [ 17.277836] ? _raw_spin_unlock_irq+0x47/0x80 [ 17.277869] ? calculate_sigpending+0x7b/0xa0 [ 17.277913] ? __pfx_kthread+0x10/0x10 [ 17.277936] ret_from_fork+0x116/0x1d0 [ 17.277956] ? __pfx_kthread+0x10/0x10 [ 17.277977] ret_from_fork_asm+0x1a/0x30 [ 17.278009] </TASK> [ 17.278023] [ 17.292234] Allocated by task 213: [ 17.292743] kasan_save_stack+0x45/0x70 [ 17.293307] kasan_save_track+0x18/0x40 [ 17.293887] kasan_save_alloc_info+0x3b/0x50 [ 17.294087] __kasan_kmalloc+0xb7/0xc0 [ 17.294347] __kmalloc_cache_noprof+0x189/0x420 [ 17.294732] ksize_uaf+0xaa/0x6c0 [ 17.295193] kunit_try_run_case+0x1a5/0x480 [ 17.295545] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.296175] kthread+0x337/0x6f0 [ 17.296457] ret_from_fork+0x116/0x1d0 [ 17.296631] ret_from_fork_asm+0x1a/0x30 [ 17.297021] [ 17.297588] Freed by task 213: [ 17.297901] kasan_save_stack+0x45/0x70 [ 17.298387] kasan_save_track+0x18/0x40 [ 17.298774] kasan_save_free_info+0x3f/0x60 [ 17.299018] __kasan_slab_free+0x56/0x70 [ 17.299642] kfree+0x222/0x3f0 [ 17.299962] ksize_uaf+0x12c/0x6c0 [ 17.300414] kunit_try_run_case+0x1a5/0x480 [ 17.300847] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.301728] kthread+0x337/0x6f0 [ 17.302218] ret_from_fork+0x116/0x1d0 [ 17.302521] ret_from_fork_asm+0x1a/0x30 [ 17.302893] [ 17.303087] The buggy address belongs to the object at ffff888102b42900 [ 17.303087] which belongs to the cache kmalloc-128 of size 128 [ 17.304070] The buggy address is located 0 bytes inside of [ 17.304070] freed 128-byte region [ffff888102b42900, ffff888102b42980) [ 17.304983] [ 17.305800] The buggy address belongs to the physical page: [ 17.306234] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b42 [ 17.306969] flags: 0x200000000000000(node=0|zone=2) [ 17.307555] page_type: f5(slab) [ 17.307830] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 17.308552] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.309001] page dumped because: kasan: bad access detected [ 17.309995] [ 17.310158] Memory state around the buggy address: [ 17.310638] ffff888102b42800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.311478] ffff888102b42880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.312057] >ffff888102b42900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.312510] ^ [ 17.312728] ffff888102b42980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.313875] ffff888102b42a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.314156] ================================================================== [ 17.315089] ================================================================== [ 17.316417] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 17.316902] Read of size 1 at addr ffff888102b42978 by task kunit_try_catch/213 [ 17.317475] [ 17.317910] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250512 #1 PREEMPT(voluntary) [ 17.318291] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.318312] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 17.318340] Call Trace: [ 17.318389] <TASK> [ 17.318441] dump_stack_lvl+0x73/0xb0 [ 17.318515] print_report+0xd1/0x650 [ 17.318562] ? __virt_addr_valid+0x1db/0x2d0 [ 17.318612] ? ksize_uaf+0x5e4/0x6c0 [ 17.318699] ? kasan_complete_mode_report_info+0x64/0x200 [ 17.318737] ? ksize_uaf+0x5e4/0x6c0 [ 17.318778] kasan_report+0x141/0x180 [ 17.318810] ? ksize_uaf+0x5e4/0x6c0 [ 17.318838] __asan_report_load1_noabort+0x18/0x20 [ 17.318860] ksize_uaf+0x5e4/0x6c0 [ 17.318882] ? __pfx_ksize_uaf+0x10/0x10 [ 17.318905] ? __schedule+0x10cc/0x2b60 [ 17.318928] ? __pfx_read_tsc+0x10/0x10 [ 17.318950] ? ktime_get_ts64+0x86/0x230 [ 17.318977] kunit_try_run_case+0x1a5/0x480 [ 17.319021] ? __pfx_kunit_try_run_case+0x10/0x10 [ 17.319090] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 17.319133] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 17.319184] ? __kthread_parkme+0x82/0x180 [ 17.319213] ? preempt_count_sub+0x50/0x80 [ 17.319238] ? __pfx_kunit_try_run_case+0x10/0x10 [ 17.319283] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.319311] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 17.319336] kthread+0x337/0x6f0 [ 17.319357] ? trace_preempt_on+0x20/0xc0 [ 17.319382] ? __pfx_kthread+0x10/0x10 [ 17.319404] ? _raw_spin_unlock_irq+0x47/0x80 [ 17.319425] ? calculate_sigpending+0x7b/0xa0 [ 17.319451] ? __pfx_kthread+0x10/0x10 [ 17.319474] ret_from_fork+0x116/0x1d0 [ 17.319493] ? __pfx_kthread+0x10/0x10 [ 17.319514] ret_from_fork_asm+0x1a/0x30 [ 17.319546] </TASK> [ 17.319560] [ 17.332087] Allocated by task 213: [ 17.332609] kasan_save_stack+0x45/0x70 [ 17.333193] kasan_save_track+0x18/0x40 [ 17.333840] kasan_save_alloc_info+0x3b/0x50 [ 17.334046] __kasan_kmalloc+0xb7/0xc0 [ 17.334253] __kmalloc_cache_noprof+0x189/0x420 [ 17.334727] ksize_uaf+0xaa/0x6c0 [ 17.335508] kunit_try_run_case+0x1a5/0x480 [ 17.335809] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.336074] kthread+0x337/0x6f0 [ 17.336413] ret_from_fork+0x116/0x1d0 [ 17.336730] ret_from_fork_asm+0x1a/0x30 [ 17.337052] [ 17.337204] Freed by task 213: [ 17.337982] kasan_save_stack+0x45/0x70 [ 17.338451] kasan_save_track+0x18/0x40 [ 17.338768] kasan_save_free_info+0x3f/0x60 [ 17.339211] __kasan_slab_free+0x56/0x70 [ 17.339519] kfree+0x222/0x3f0 [ 17.339791] ksize_uaf+0x12c/0x6c0 [ 17.340216] kunit_try_run_case+0x1a5/0x480 [ 17.340577] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.340983] kthread+0x337/0x6f0 [ 17.341601] ret_from_fork+0x116/0x1d0 [ 17.341851] ret_from_fork_asm+0x1a/0x30 [ 17.342092] [ 17.342480] The buggy address belongs to the object at ffff888102b42900 [ 17.342480] which belongs to the cache kmalloc-128 of size 128 [ 17.343505] The buggy address is located 120 bytes inside of [ 17.343505] freed 128-byte region [ffff888102b42900, ffff888102b42980) [ 17.344434] [ 17.344630] The buggy address belongs to the physical page: [ 17.344925] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b42 [ 17.345524] flags: 0x200000000000000(node=0|zone=2) [ 17.346481] page_type: f5(slab) [ 17.346692] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 17.347165] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.347871] page dumped because: kasan: bad access detected [ 17.348449] [ 17.348690] Memory state around the buggy address: [ 17.348999] ffff888102b42800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.349982] ffff888102b42880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.350700] >ffff888102b42900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.351188] ^ [ 17.351644] ffff888102b42980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.352300] ffff888102b42a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.352753] ================================================================== [ 17.234383] ================================================================== [ 17.235286] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 17.235676] Read of size 1 at addr ffff888102b42900 by task kunit_try_catch/213 [ 17.236839] [ 17.237029] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250512 #1 PREEMPT(voluntary) [ 17.237130] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.237183] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 17.237221] Call Trace: [ 17.237247] <TASK> [ 17.237293] dump_stack_lvl+0x73/0xb0 [ 17.237355] print_report+0xd1/0x650 [ 17.237394] ? __virt_addr_valid+0x1db/0x2d0 [ 17.237441] ? ksize_uaf+0x19d/0x6c0 [ 17.237481] ? kasan_complete_mode_report_info+0x64/0x200 [ 17.237527] ? ksize_uaf+0x19d/0x6c0 [ 17.237572] kasan_report+0x141/0x180 [ 17.237619] ? ksize_uaf+0x19d/0x6c0 [ 17.237666] ? ksize_uaf+0x19d/0x6c0 [ 17.237746] __kasan_check_byte+0x3d/0x50 [ 17.237797] ksize+0x20/0x60 [ 17.237840] ksize_uaf+0x19d/0x6c0 [ 17.237866] ? __pfx_ksize_uaf+0x10/0x10 [ 17.237890] ? __schedule+0x10cc/0x2b60 [ 17.237913] ? __pfx_read_tsc+0x10/0x10 [ 17.237937] ? ktime_get_ts64+0x86/0x230 [ 17.237963] kunit_try_run_case+0x1a5/0x480 [ 17.237991] ? __pfx_kunit_try_run_case+0x10/0x10 [ 17.238015] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 17.238059] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 17.238202] ? __kthread_parkme+0x82/0x180 [ 17.238227] ? preempt_count_sub+0x50/0x80 [ 17.238254] ? __pfx_kunit_try_run_case+0x10/0x10 [ 17.238302] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.238327] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 17.238351] kthread+0x337/0x6f0 [ 17.238372] ? trace_preempt_on+0x20/0xc0 [ 17.238398] ? __pfx_kthread+0x10/0x10 [ 17.238418] ? _raw_spin_unlock_irq+0x47/0x80 [ 17.238439] ? calculate_sigpending+0x7b/0xa0 [ 17.238465] ? __pfx_kthread+0x10/0x10 [ 17.238486] ret_from_fork+0x116/0x1d0 [ 17.238505] ? __pfx_kthread+0x10/0x10 [ 17.238526] ret_from_fork_asm+0x1a/0x30 [ 17.238557] </TASK> [ 17.238571] [ 17.251790] Allocated by task 213: [ 17.252333] kasan_save_stack+0x45/0x70 [ 17.252639] kasan_save_track+0x18/0x40 [ 17.252992] kasan_save_alloc_info+0x3b/0x50 [ 17.253210] __kasan_kmalloc+0xb7/0xc0 [ 17.253411] __kmalloc_cache_noprof+0x189/0x420 [ 17.253802] ksize_uaf+0xaa/0x6c0 [ 17.254103] kunit_try_run_case+0x1a5/0x480 [ 17.254837] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.255529] kthread+0x337/0x6f0 [ 17.255950] ret_from_fork+0x116/0x1d0 [ 17.256594] ret_from_fork_asm+0x1a/0x30 [ 17.256905] [ 17.257241] Freed by task 213: [ 17.257567] kasan_save_stack+0x45/0x70 [ 17.257846] kasan_save_track+0x18/0x40 [ 17.258181] kasan_save_free_info+0x3f/0x60 [ 17.258600] __kasan_slab_free+0x56/0x70 [ 17.258980] kfree+0x222/0x3f0 [ 17.259526] ksize_uaf+0x12c/0x6c0 [ 17.259775] kunit_try_run_case+0x1a5/0x480 [ 17.260537] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.260735] kthread+0x337/0x6f0 [ 17.261010] ret_from_fork+0x116/0x1d0 [ 17.261519] ret_from_fork_asm+0x1a/0x30 [ 17.261904] [ 17.262097] The buggy address belongs to the object at ffff888102b42900 [ 17.262097] which belongs to the cache kmalloc-128 of size 128 [ 17.262917] The buggy address is located 0 bytes inside of [ 17.262917] freed 128-byte region [ffff888102b42900, ffff888102b42980) [ 17.263946] [ 17.264603] The buggy address belongs to the physical page: [ 17.265271] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b42 [ 17.265773] flags: 0x200000000000000(node=0|zone=2) [ 17.266423] page_type: f5(slab) [ 17.266733] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 17.267476] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.267952] page dumped because: kasan: bad access detected [ 17.268617] [ 17.268810] Memory state around the buggy address: [ 17.269191] ffff888102b42800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.269765] ffff888102b42880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.270346] >ffff888102b42900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.270749] ^ [ 17.271180] ffff888102b42980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.271725] ffff888102b42a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.272168] ==================================================================