Date
May 15, 2025, 10:38 a.m.

| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64 (Hardware name: linux,dummy-virt):

```
[ 18.318646] ==================================================================
[ 18.318952] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 18.319013] Read of size 1 at addr fff00000c68f1978 by task kunit_try_catch/196
[ 18.319317]
[ 18.319614] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT
[ 18.319732] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.319762] Hardware name: linux,dummy-virt (DT)
[ 18.319902] Call trace:
[ 18.320076]  show_stack+0x20/0x38 (C)
[ 18.320288]  dump_stack_lvl+0x8c/0xd0
[ 18.320376]  print_report+0x118/0x608
[ 18.320532]  kasan_report+0xdc/0x128
[ 18.320593]  __asan_report_load1_noabort+0x20/0x30
[ 18.320674]  ksize_uaf+0x544/0x5f8
[ 18.320728]  kunit_try_run_case+0x170/0x3f0
[ 18.321099]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.321185]  kthread+0x328/0x630
[ 18.321240]  ret_from_fork+0x10/0x20
[ 18.321389]
[ 18.321416] Allocated by task 196:
[ 18.321443]  kasan_save_stack+0x3c/0x68
[ 18.321484]  kasan_save_track+0x20/0x40
[ 18.321521]  kasan_save_alloc_info+0x40/0x58
[ 18.321559]  __kasan_kmalloc+0xd4/0xd8
[ 18.321594]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 18.321634]  ksize_uaf+0xb8/0x5f8
[ 18.321665]  kunit_try_run_case+0x170/0x3f0
[ 18.321702]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.322147]  kthread+0x328/0x630
[ 18.322272]  ret_from_fork+0x10/0x20
[ 18.322312]
[ 18.322332] Freed by task 196:
[ 18.322798]  kasan_save_stack+0x3c/0x68
[ 18.322893]  kasan_save_track+0x20/0x40
[ 18.323188]  kasan_save_free_info+0x4c/0x78
[ 18.323435]  __kasan_slab_free+0x6c/0x98
[ 18.323608]  kfree+0x214/0x3c8
[ 18.323771]  ksize_uaf+0x11c/0x5f8
[ 18.323812]  kunit_try_run_case+0x170/0x3f0
[ 18.324026]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.324196]  kthread+0x328/0x630
[ 18.324314]  ret_from_fork+0x10/0x20
[ 18.324546]
[ 18.324670] The buggy address belongs to the object at fff00000c68f1900
[ 18.324670]  which belongs to the cache kmalloc-128 of size 128
[ 18.324798] The buggy address is located 120 bytes inside of
[ 18.324798]  freed 128-byte region [fff00000c68f1900, fff00000c68f1980)
[ 18.325037]
[ 18.325281] The buggy address belongs to the physical page:
[ 18.325396] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1068f1
[ 18.325525] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.325677] page_type: f5(slab)
[ 18.325923] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 18.326196] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.326282] page dumped because: kasan: bad access detected
[ 18.326358]
[ 18.326386] Memory state around the buggy address:
[ 18.326460]  fff00000c68f1800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.326506]  fff00000c68f1880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.326573] >fff00000c68f1900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.326614]                                                                 ^
[ 18.326656]  fff00000c68f1980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.327068]  fff00000c68f1a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.327139] ==================================================================
[ 18.305381] ==================================================================
[ 18.305543] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 18.305709] Read of size 1 at addr fff00000c68f1900 by task kunit_try_catch/196
[ 18.305928]
[ 18.305990] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT
[ 18.306539] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.306665] Hardware name: linux,dummy-virt (DT)
[ 18.306713] Call trace:
[ 18.306865]  show_stack+0x20/0x38 (C)
[ 18.307005]  dump_stack_lvl+0x8c/0xd0
[ 18.307136]  print_report+0x118/0x608
[ 18.307452]  kasan_report+0xdc/0x128
[ 18.307575]  __asan_report_load1_noabort+0x20/0x30
[ 18.307793]  ksize_uaf+0x598/0x5f8
[ 18.307896]  kunit_try_run_case+0x170/0x3f0
[ 18.308011]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.308317]  kthread+0x328/0x630
[ 18.308645]  ret_from_fork+0x10/0x20
[ 18.308758]
[ 18.308837] Allocated by task 196:
[ 18.309046]  kasan_save_stack+0x3c/0x68
[ 18.309298]  kasan_save_track+0x20/0x40
[ 18.309443]  kasan_save_alloc_info+0x40/0x58
[ 18.309607]  __kasan_kmalloc+0xd4/0xd8
[ 18.309760]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 18.310045]  ksize_uaf+0xb8/0x5f8
[ 18.310292]  kunit_try_run_case+0x170/0x3f0
[ 18.310473]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.310625]  kthread+0x328/0x630
[ 18.310795]  ret_from_fork+0x10/0x20
[ 18.310839]
[ 18.310859] Freed by task 196:
[ 18.311109]  kasan_save_stack+0x3c/0x68
[ 18.311769]  kasan_save_track+0x20/0x40
[ 18.312010]  kasan_save_free_info+0x4c/0x78
[ 18.312202]  __kasan_slab_free+0x6c/0x98
[ 18.312368]  kfree+0x214/0x3c8
[ 18.312426]  ksize_uaf+0x11c/0x5f8
[ 18.312836]  kunit_try_run_case+0x170/0x3f0
[ 18.313372]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.313670]  kthread+0x328/0x630
[ 18.314140]  ret_from_fork+0x10/0x20
[ 18.314198]
[ 18.314371] The buggy address belongs to the object at fff00000c68f1900
[ 18.314371]  which belongs to the cache kmalloc-128 of size 128
[ 18.314464] The buggy address is located 0 bytes inside of
[ 18.314464]  freed 128-byte region [fff00000c68f1900, fff00000c68f1980)
[ 18.315001]
[ 18.315123] The buggy address belongs to the physical page:
[ 18.315304] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1068f1
[ 18.315488] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.315640] page_type: f5(slab)
[ 18.315769] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 18.316117] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.316236] page dumped because: kasan: bad access detected
[ 18.316469]
[ 18.316599] Memory state around the buggy address:
[ 18.316670]  fff00000c68f1800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.316748]  fff00000c68f1880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.316791] >fff00000c68f1900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.316833]                    ^
[ 18.316871]  fff00000c68f1980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.316913]  fff00000c68f1a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.316958] ==================================================================
[ 18.293218] ==================================================================
[ 18.293280] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 18.293331] Read of size 1 at addr fff00000c68f1900 by task kunit_try_catch/196
[ 18.293925]
[ 18.294011] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT
[ 18.294261] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.294418] Hardware name: linux,dummy-virt (DT)
[ 18.294611] Call trace:
[ 18.294661]  show_stack+0x20/0x38 (C)
[ 18.294801]  dump_stack_lvl+0x8c/0xd0
[ 18.294918]  print_report+0x118/0x608
[ 18.295095]  kasan_report+0xdc/0x128
[ 18.295191]  __kasan_check_byte+0x54/0x70
[ 18.295677]  ksize+0x30/0x88
[ 18.295803]  ksize_uaf+0x168/0x5f8
[ 18.295976]  kunit_try_run_case+0x170/0x3f0
[ 18.296111]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.296175]  kthread+0x328/0x630
[ 18.296500]  ret_from_fork+0x10/0x20
[ 18.296664]
[ 18.296837] Allocated by task 196:
[ 18.296952]  kasan_save_stack+0x3c/0x68
[ 18.297262]  kasan_save_track+0x20/0x40
[ 18.297447]  kasan_save_alloc_info+0x40/0x58
[ 18.297534]  __kasan_kmalloc+0xd4/0xd8
[ 18.297891]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 18.297966]  ksize_uaf+0xb8/0x5f8
[ 18.298114]  kunit_try_run_case+0x170/0x3f0
[ 18.298274]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.298383]  kthread+0x328/0x630
[ 18.298599]  ret_from_fork+0x10/0x20
[ 18.299038]
[ 18.299121] Freed by task 196:
[ 18.299275]  kasan_save_stack+0x3c/0x68
[ 18.299450]  kasan_save_track+0x20/0x40
[ 18.299588]  kasan_save_free_info+0x4c/0x78
[ 18.299985]  __kasan_slab_free+0x6c/0x98
[ 18.300054]  kfree+0x214/0x3c8
[ 18.300086]  ksize_uaf+0x11c/0x5f8
[ 18.300130]  kunit_try_run_case+0x170/0x3f0
[ 18.300229]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.300275]  kthread+0x328/0x630
[ 18.300318]  ret_from_fork+0x10/0x20
[ 18.300355]
[ 18.300383] The buggy address belongs to the object at fff00000c68f1900
[ 18.300383]  which belongs to the cache kmalloc-128 of size 128
[ 18.300451] The buggy address is located 0 bytes inside of
[ 18.300451]  freed 128-byte region [fff00000c68f1900, fff00000c68f1980)
[ 18.300511]
[ 18.300530] The buggy address belongs to the physical page:
[ 18.300560] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1068f1
[ 18.300620] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.300677] page_type: f5(slab)
[ 18.300721] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 18.300770] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.300816] page dumped because: kasan: bad access detected
[ 18.300846]
[ 18.300865] Memory state around the buggy address:
[ 18.300895]  fff00000c68f1800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.300946]  fff00000c68f1880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.300987] >fff00000c68f1900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.301024]                    ^
[ 18.301058]  fff00000c68f1980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.301100]  fff00000c68f1a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.301138] ==================================================================
```
qemu-x86_64 (Hardware name: QEMU Standard PC):

```
[ 14.601965] ==================================================================
[ 14.602407] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 14.603102] Read of size 1 at addr ffff888102b5b000 by task kunit_try_catch/214
[ 14.603439]
[ 14.603644] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT(voluntary)
[ 14.603738] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.603761] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.603801] Call Trace:
[ 14.603828]  <TASK>
[ 14.603863]  dump_stack_lvl+0x73/0xb0
[ 14.603910]  print_report+0xd1/0x650
[ 14.603936]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.603961]  ? ksize_uaf+0x19d/0x6c0
[ 14.603981]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.604002]  ? ksize_uaf+0x19d/0x6c0
[ 14.604025]  kasan_report+0x141/0x180
[ 14.604060]  ? ksize_uaf+0x19d/0x6c0
[ 14.604097]  ? ksize_uaf+0x19d/0x6c0
[ 14.604128]  __kasan_check_byte+0x3d/0x50
[ 14.604160]  ksize+0x20/0x60
[ 14.604196]  ksize_uaf+0x19d/0x6c0
[ 14.604247]  ? __pfx_ksize_uaf+0x10/0x10
[ 14.604291]  ? __schedule+0x10cc/0x2b60
[ 14.604337]  ? __pfx_read_tsc+0x10/0x10
[ 14.604378]  ? ktime_get_ts64+0x86/0x230
[ 14.604427]  kunit_try_run_case+0x1a5/0x480
[ 14.604476]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.604519]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.604553]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.604576]  ? __kthread_parkme+0x82/0x180
[ 14.604599]  ? preempt_count_sub+0x50/0x80
[ 14.604623]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.604647]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.604668]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.604690]  kthread+0x337/0x6f0
[ 14.604709]  ? trace_preempt_on+0x20/0xc0
[ 14.604732]  ? __pfx_kthread+0x10/0x10
[ 14.604751]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.604771]  ? calculate_sigpending+0x7b/0xa0
[ 14.604795]  ? __pfx_kthread+0x10/0x10
[ 14.604816]  ret_from_fork+0x116/0x1d0
[ 14.604833]  ? __pfx_kthread+0x10/0x10
[ 14.604853]  ret_from_fork_asm+0x1a/0x30
[ 14.604885]  </TASK>
[ 14.604897]
[ 14.613017] Allocated by task 214:
[ 14.613339]  kasan_save_stack+0x45/0x70
[ 14.613669]  kasan_save_track+0x18/0x40
[ 14.613966]  kasan_save_alloc_info+0x3b/0x50
[ 14.614360]  __kasan_kmalloc+0xb7/0xc0
[ 14.614701]  __kmalloc_cache_noprof+0x189/0x420
[ 14.615039]  ksize_uaf+0xaa/0x6c0
[ 14.615370]  kunit_try_run_case+0x1a5/0x480
[ 14.615642]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.616014]  kthread+0x337/0x6f0
[ 14.616265]  ret_from_fork+0x116/0x1d0
[ 14.616587]  ret_from_fork_asm+0x1a/0x30
[ 14.616769]
[ 14.616871] Freed by task 214:
[ 14.617010]  kasan_save_stack+0x45/0x70
[ 14.617183]  kasan_save_track+0x18/0x40
[ 14.617486]  kasan_save_free_info+0x3f/0x60
[ 14.617808]  __kasan_slab_free+0x56/0x70
[ 14.618119]  kfree+0x222/0x3f0
[ 14.618444]  ksize_uaf+0x12c/0x6c0
[ 14.618782]  kunit_try_run_case+0x1a5/0x480
[ 14.619125]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.619517]  kthread+0x337/0x6f0
[ 14.619782]  ret_from_fork+0x116/0x1d0
[ 14.620098]  ret_from_fork_asm+0x1a/0x30
[ 14.620283]
[ 14.620386] The buggy address belongs to the object at ffff888102b5b000
[ 14.620386]  which belongs to the cache kmalloc-128 of size 128
[ 14.620747] The buggy address is located 0 bytes inside of
[ 14.620747]  freed 128-byte region [ffff888102b5b000, ffff888102b5b080)
[ 14.621101]
[ 14.621263] The buggy address belongs to the physical page:
[ 14.621685] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b5b
[ 14.622214] flags: 0x200000000000000(node=0|zone=2)
[ 14.622595] page_type: f5(slab)
[ 14.622880] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 14.623323] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 14.623571] page dumped because: kasan: bad access detected
[ 14.623855]
[ 14.624008] Memory state around the buggy address:
[ 14.624406]  ffff888102b5af00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.624927]  ffff888102b5af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.625306] >ffff888102b5b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.625816]                    ^
[ 14.626025]  ffff888102b5b080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.626486]  ffff888102b5b100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.626825] ==================================================================
[ 14.628129] ==================================================================
[ 14.628539] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 14.628813] Read of size 1 at addr ffff888102b5b000 by task kunit_try_catch/214
[ 14.629016]
[ 14.629128] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT(voluntary)
[ 14.629203] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.629233] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.629265] Call Trace:
[ 14.629299]  <TASK>
[ 14.629327]  dump_stack_lvl+0x73/0xb0
[ 14.629369]  print_report+0xd1/0x650
[ 14.629402]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.629434]  ? ksize_uaf+0x5fe/0x6c0
[ 14.629476]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.629508]  ? ksize_uaf+0x5fe/0x6c0
[ 14.629540]  kasan_report+0x141/0x180
[ 14.629577]  ? ksize_uaf+0x5fe/0x6c0
[ 14.629619]  __asan_report_load1_noabort+0x18/0x20
[ 14.629731]  ksize_uaf+0x5fe/0x6c0
[ 14.629771]  ? __pfx_ksize_uaf+0x10/0x10
[ 14.629816]  ? __schedule+0x10cc/0x2b60
[ 14.629860]  ? __pfx_read_tsc+0x10/0x10
[ 14.629901]  ? ktime_get_ts64+0x86/0x230
[ 14.629944]  kunit_try_run_case+0x1a5/0x480
[ 14.629990]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.630030]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.630075]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.630119]  ? __kthread_parkme+0x82/0x180
[ 14.630163]  ? preempt_count_sub+0x50/0x80
[ 14.630213]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.630295]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.630354]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.630396]  kthread+0x337/0x6f0
[ 14.630433]  ? trace_preempt_on+0x20/0xc0
[ 14.630481]  ? __pfx_kthread+0x10/0x10
[ 14.630550]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.630619]  ? calculate_sigpending+0x7b/0xa0
[ 14.630667]  ? __pfx_kthread+0x10/0x10
[ 14.630727]  ret_from_fork+0x116/0x1d0
[ 14.630767]  ? __pfx_kthread+0x10/0x10
[ 14.630810]  ret_from_fork_asm+0x1a/0x30
[ 14.630879]  </TASK>
[ 14.630905]
[ 14.641720] Allocated by task 214:
[ 14.641960]  kasan_save_stack+0x45/0x70
[ 14.642247]  kasan_save_track+0x18/0x40
[ 14.642534]  kasan_save_alloc_info+0x3b/0x50
[ 14.642711]  __kasan_kmalloc+0xb7/0xc0
[ 14.642901]  __kmalloc_cache_noprof+0x189/0x420
[ 14.643234]  ksize_uaf+0xaa/0x6c0
[ 14.643520]  kunit_try_run_case+0x1a5/0x480
[ 14.643846]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.644180]  kthread+0x337/0x6f0
[ 14.644462]  ret_from_fork+0x116/0x1d0
[ 14.644688]  ret_from_fork_asm+0x1a/0x30
[ 14.644860]
[ 14.644963] Freed by task 214:
[ 14.645105]  kasan_save_stack+0x45/0x70
[ 14.645323]  kasan_save_track+0x18/0x40
[ 14.645615]  kasan_save_free_info+0x3f/0x60
[ 14.645924]  __kasan_slab_free+0x56/0x70
[ 14.646245]  kfree+0x222/0x3f0
[ 14.646505]  ksize_uaf+0x12c/0x6c0
[ 14.646800]  kunit_try_run_case+0x1a5/0x480
[ 14.647141]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.647490]  kthread+0x337/0x6f0
[ 14.647651]  ret_from_fork+0x116/0x1d0
[ 14.647818]  ret_from_fork_asm+0x1a/0x30
[ 14.648114]
[ 14.648300] The buggy address belongs to the object at ffff888102b5b000
[ 14.648300]  which belongs to the cache kmalloc-128 of size 128
[ 14.649075] The buggy address is located 0 bytes inside of
[ 14.649075]  freed 128-byte region [ffff888102b5b000, ffff888102b5b080)
[ 14.649523]
[ 14.649635] The buggy address belongs to the physical page:
[ 14.650011] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b5b
[ 14.650550] flags: 0x200000000000000(node=0|zone=2)
[ 14.650874] page_type: f5(slab)
[ 14.651047] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 14.651563] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 14.651981] page dumped because: kasan: bad access detected
[ 14.652174]
[ 14.652315] Memory state around the buggy address:
[ 14.652681]  ffff888102b5af00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.653160]  ffff888102b5af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.653484] >ffff888102b5b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.653848]                    ^
[ 14.654046]  ffff888102b5b080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.654427]  ffff888102b5b100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.654666] ==================================================================
[ 14.656094] ==================================================================
[ 14.656870] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 14.657362] Read of size 1 at addr ffff888102b5b078 by task kunit_try_catch/214
[ 14.657844]
[ 14.658047] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT(voluntary)
[ 14.658141] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.658163] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.658202] Call Trace:
[ 14.658826]  <TASK>
[ 14.658888]  dump_stack_lvl+0x73/0xb0
[ 14.658953]  print_report+0xd1/0x650
[ 14.659002]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.659053]  ? ksize_uaf+0x5e4/0x6c0
[ 14.659098]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.659143]  ? ksize_uaf+0x5e4/0x6c0
[ 14.659187]  kasan_report+0x141/0x180
[ 14.659243]  ? ksize_uaf+0x5e4/0x6c0
[ 14.659299]  __asan_report_load1_noabort+0x18/0x20
[ 14.659341]  ksize_uaf+0x5e4/0x6c0
[ 14.659383]  ? __pfx_ksize_uaf+0x10/0x10
[ 14.659428]  ? __schedule+0x10cc/0x2b60
[ 14.659472]  ? __pfx_read_tsc+0x10/0x10
[ 14.659514]  ? ktime_get_ts64+0x86/0x230
[ 14.659561]  kunit_try_run_case+0x1a5/0x480
[ 14.659608]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.659650]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.659696]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.659736]  ? __kthread_parkme+0x82/0x180
[ 14.659764]  ? preempt_count_sub+0x50/0x80
[ 14.659787]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.659810]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.659832]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.659854]  kthread+0x337/0x6f0
[ 14.659872]  ? trace_preempt_on+0x20/0xc0
[ 14.659896]  ? __pfx_kthread+0x10/0x10
[ 14.659917]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.659936]  ? calculate_sigpending+0x7b/0xa0
[ 14.659960]  ? __pfx_kthread+0x10/0x10
[ 14.659980]  ret_from_fork+0x116/0x1d0
[ 14.659998]  ? __pfx_kthread+0x10/0x10
[ 14.660018]  ret_from_fork_asm+0x1a/0x30
[ 14.660050]  </TASK>
[ 14.660061]
[ 14.667721] Allocated by task 214:
[ 14.668022]  kasan_save_stack+0x45/0x70
[ 14.668369]  kasan_save_track+0x18/0x40
[ 14.668673]  kasan_save_alloc_info+0x3b/0x50
[ 14.668980]  __kasan_kmalloc+0xb7/0xc0
[ 14.669289]  __kmalloc_cache_noprof+0x189/0x420
[ 14.670145]  ksize_uaf+0xaa/0x6c0
[ 14.670806]  kunit_try_run_case+0x1a5/0x480
[ 14.671508]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.671743]  kthread+0x337/0x6f0
[ 14.671897]  ret_from_fork+0x116/0x1d0
[ 14.671990]  ret_from_fork_asm+0x1a/0x30
[ 14.672082]
[ 14.672134] Freed by task 214:
[ 14.672209]  kasan_save_stack+0x45/0x70
[ 14.673171]  kasan_save_track+0x18/0x40
[ 14.673544]  kasan_save_free_info+0x3f/0x60
[ 14.673845]  __kasan_slab_free+0x56/0x70
[ 14.674056]  kfree+0x222/0x3f0
[ 14.674328]  ksize_uaf+0x12c/0x6c0
[ 14.674580]  kunit_try_run_case+0x1a5/0x480
[ 14.674915]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.675146]  kthread+0x337/0x6f0
[ 14.675450]  ret_from_fork+0x116/0x1d0
[ 14.675651]  ret_from_fork_asm+0x1a/0x30
[ 14.675950]
[ 14.676080] The buggy address belongs to the object at ffff888102b5b000
[ 14.676080]  which belongs to the cache kmalloc-128 of size 128
[ 14.676594] The buggy address is located 120 bytes inside of
[ 14.676594]  freed 128-byte region [ffff888102b5b000, ffff888102b5b080)
[ 14.677260]
[ 14.677436] The buggy address belongs to the physical page:
[ 14.677724] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b5b
[ 14.678039] flags: 0x200000000000000(node=0|zone=2)
[ 14.678420] page_type: f5(slab)
[ 14.678690] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 14.679081] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 14.679447] page dumped because: kasan: bad access detected
[ 14.679746]
[ 14.679912] Memory state around the buggy address:
[ 14.680146]  ffff888102b5af00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.680386]  ffff888102b5af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.680891] >ffff888102b5b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.681327]                                                                 ^
[ 14.681678]  ffff888102b5b080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.682076]  ffff888102b5b100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.682473] ==================================================================
```