Hay
Date
May 26, 2025, 9:10 a.m.

Environment
qemu-arm64
qemu-x86_64

[   17.918610] ==================================================================
[   17.918968] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   17.919083] Read of size 1 at addr fff00000c78c2378 by task kunit_try_catch/196
[   17.919212] 
[   17.919274] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc7-next-20250526 #1 PREEMPT 
[   17.919442] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.919490] Hardware name: linux,dummy-virt (DT)
[   17.919544] Call trace:
[   17.919590]  show_stack+0x20/0x38 (C)
[   17.919695]  dump_stack_lvl+0x8c/0xd0
[   17.919824]  print_report+0x118/0x608
[   17.919923]  kasan_report+0xdc/0x128
[   17.920074]  __asan_report_load1_noabort+0x20/0x30
[   17.920228]  ksize_uaf+0x544/0x5f8
[   17.920382]  kunit_try_run_case+0x170/0x3f0
[   17.920561]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.920688]  kthread+0x328/0x630
[   17.920787]  ret_from_fork+0x10/0x20
[   17.920889] 
[   17.920928] Allocated by task 196:
[   17.920990]  kasan_save_stack+0x3c/0x68
[   17.921072]  kasan_save_track+0x20/0x40
[   17.921176]  kasan_save_alloc_info+0x40/0x58
[   17.921343]  __kasan_kmalloc+0xd4/0xd8
[   17.921571]  __kmalloc_cache_noprof+0x15c/0x3c0
[   17.921670]  ksize_uaf+0xb8/0x5f8
[   17.922012]  kunit_try_run_case+0x170/0x3f0
[   17.922137]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.922882]  kthread+0x328/0x630
[   17.923122]  ret_from_fork+0x10/0x20
[   17.923864] 
[   17.924147] Freed by task 196:
[   17.924212]  kasan_save_stack+0x3c/0x68
[   17.924675]  kasan_save_track+0x20/0x40
[   17.924764]  kasan_save_free_info+0x4c/0x78
[   17.924851]  __kasan_slab_free+0x6c/0x98
[   17.925993]  kfree+0x214/0x3c8
[   17.926578]  ksize_uaf+0x11c/0x5f8
[   17.926839]  kunit_try_run_case+0x170/0x3f0
[   17.926919]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.926997]  kthread+0x328/0x630
[   17.927062]  ret_from_fork+0x10/0x20
[   17.927875] 
[   17.928062] The buggy address belongs to the object at fff00000c78c2300
[   17.928062]  which belongs to the cache kmalloc-128 of size 128
[   17.928824] The buggy address is located 120 bytes inside of
[   17.928824]  freed 128-byte region [fff00000c78c2300, fff00000c78c2380)
[   17.929329] 
[   17.929483] The buggy address belongs to the physical page:
[   17.929574] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078c2
[   17.929806] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.930187] page_type: f5(slab)
[   17.930412] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.930623] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.930712] page dumped because: kasan: bad access detected
[   17.931055] 
[   17.931100] Memory state around the buggy address:
[   17.931173]  fff00000c78c2200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.931276]  fff00000c78c2280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.931378] >fff00000c78c2300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.931456]                                                                 ^
[   17.931550]  fff00000c78c2380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.931645]  fff00000c78c2400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.931740] ==================================================================
[   17.909113] ==================================================================
[   17.909818] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   17.910267] Read of size 1 at addr fff00000c78c2300 by task kunit_try_catch/196
[   17.910658] 
[   17.910752] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc7-next-20250526 #1 PREEMPT 
[   17.911042] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.911101] Hardware name: linux,dummy-virt (DT)
[   17.911170] Call trace:
[   17.911226]  show_stack+0x20/0x38 (C)
[   17.911367]  dump_stack_lvl+0x8c/0xd0
[   17.911484]  print_report+0x118/0x608
[   17.911584]  kasan_report+0xdc/0x128
[   17.911671]  __asan_report_load1_noabort+0x20/0x30
[   17.911771]  ksize_uaf+0x598/0x5f8
[   17.911846]  kunit_try_run_case+0x170/0x3f0
[   17.911959]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.912093]  kthread+0x328/0x630
[   17.912196]  ret_from_fork+0x10/0x20
[   17.912357] 
[   17.912393] Allocated by task 196:
[   17.912457]  kasan_save_stack+0x3c/0x68
[   17.912538]  kasan_save_track+0x20/0x40
[   17.912850]  kasan_save_alloc_info+0x40/0x58
[   17.912937]  __kasan_kmalloc+0xd4/0xd8
[   17.913024]  __kmalloc_cache_noprof+0x15c/0x3c0
[   17.913383]  ksize_uaf+0xb8/0x5f8
[   17.913533]  kunit_try_run_case+0x170/0x3f0
[   17.913612]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.913698]  kthread+0x328/0x630
[   17.913762]  ret_from_fork+0x10/0x20
[   17.914022] 
[   17.914098] Freed by task 196:
[   17.914168]  kasan_save_stack+0x3c/0x68
[   17.914246]  kasan_save_track+0x20/0x40
[   17.914333]  kasan_save_free_info+0x4c/0x78
[   17.914411]  __kasan_slab_free+0x6c/0x98
[   17.914477]  kfree+0x214/0x3c8
[   17.914548]  ksize_uaf+0x11c/0x5f8
[   17.914621]  kunit_try_run_case+0x170/0x3f0
[   17.914700]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.914804]  kthread+0x328/0x630
[   17.914877]  ret_from_fork+0x10/0x20
[   17.914954] 
[   17.914998] The buggy address belongs to the object at fff00000c78c2300
[   17.914998]  which belongs to the cache kmalloc-128 of size 128
[   17.915129] The buggy address is located 0 bytes inside of
[   17.915129]  freed 128-byte region [fff00000c78c2300, fff00000c78c2380)
[   17.915262] 
[   17.915307] The buggy address belongs to the physical page:
[   17.915387] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078c2
[   17.915494] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.915956] page_type: f5(slab)
[   17.916112] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.916259] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.916384] page dumped because: kasan: bad access detected
[   17.916456] 
[   17.916496] Memory state around the buggy address:
[   17.916558]  fff00000c78c2200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.916675]  fff00000c78c2280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.916767] >fff00000c78c2300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.917004]                    ^
[   17.917114]  fff00000c78c2380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.917211]  fff00000c78c2400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.917299] ==================================================================
[   17.897406] ==================================================================
[   17.897556] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   17.898039] Read of size 1 at addr fff00000c78c2300 by task kunit_try_catch/196
[   17.898198] 
[   17.898295] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc7-next-20250526 #1 PREEMPT 
[   17.898558] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.898628] Hardware name: linux,dummy-virt (DT)
[   17.898705] Call trace:
[   17.898791]  show_stack+0x20/0x38 (C)
[   17.898970]  dump_stack_lvl+0x8c/0xd0
[   17.899110]  print_report+0x118/0x608
[   17.899206]  kasan_report+0xdc/0x128
[   17.899332]  __kasan_check_byte+0x54/0x70
[   17.899717]  ksize+0x30/0x88
[   17.900078]  ksize_uaf+0x168/0x5f8
[   17.900199]  kunit_try_run_case+0x170/0x3f0
[   17.900339]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.900479]  kthread+0x328/0x630
[   17.900603]  ret_from_fork+0x10/0x20
[   17.900745] 
[   17.900789] Allocated by task 196:
[   17.900862]  kasan_save_stack+0x3c/0x68
[   17.900999]  kasan_save_track+0x20/0x40
[   17.901114]  kasan_save_alloc_info+0x40/0x58
[   17.901233]  __kasan_kmalloc+0xd4/0xd8
[   17.901333]  __kmalloc_cache_noprof+0x15c/0x3c0
[   17.901409]  ksize_uaf+0xb8/0x5f8
[   17.901481]  kunit_try_run_case+0x170/0x3f0
[   17.901828]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.901984]  kthread+0x328/0x630
[   17.902215]  ret_from_fork+0x10/0x20
[   17.902262] 
[   17.902284] Freed by task 196:
[   17.902333]  kasan_save_stack+0x3c/0x68
[   17.902437]  kasan_save_track+0x20/0x40
[   17.902547]  kasan_save_free_info+0x4c/0x78
[   17.902633]  __kasan_slab_free+0x6c/0x98
[   17.902709]  kfree+0x214/0x3c8
[   17.902815]  ksize_uaf+0x11c/0x5f8
[   17.902904]  kunit_try_run_case+0x170/0x3f0
[   17.902975]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.903057]  kthread+0x328/0x630
[   17.903119]  ret_from_fork+0x10/0x20
[   17.903223] 
[   17.903262] The buggy address belongs to the object at fff00000c78c2300
[   17.903262]  which belongs to the cache kmalloc-128 of size 128
[   17.903629] The buggy address is located 0 bytes inside of
[   17.903629]  freed 128-byte region [fff00000c78c2300, fff00000c78c2380)
[   17.903778] 
[   17.903843] The buggy address belongs to the physical page:
[   17.903954] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078c2
[   17.904093] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.904327] page_type: f5(slab)
[   17.904571] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.904707] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.905016] page dumped because: kasan: bad access detected
[   17.905235] 
[   17.905387] Memory state around the buggy address:
[   17.905684]  fff00000c78c2200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.906034]  fff00000c78c2280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.906164] >fff00000c78c2300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.906248]                    ^
[   17.906642]  fff00000c78c2380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.906847]  fff00000c78c2400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.906938] ==================================================================


[   11.471326] ==================================================================
[   11.472417] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   11.472642] Read of size 1 at addr ffff888102a7ae00 by task kunit_try_catch/214
[   11.473766] 
[   11.474158] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc7-next-20250526 #1 PREEMPT(voluntary) 
[   11.474211] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.474236] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.474257] Call Trace:
[   11.474271]  <TASK>
[   11.474286]  dump_stack_lvl+0x73/0xb0
[   11.474320]  print_report+0xd1/0x650
[   11.474342]  ? __virt_addr_valid+0x1db/0x2d0
[   11.474364]  ? ksize_uaf+0x5fe/0x6c0
[   11.474393]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.474415]  ? ksize_uaf+0x5fe/0x6c0
[   11.474436]  kasan_report+0x141/0x180
[   11.474457]  ? ksize_uaf+0x5fe/0x6c0
[   11.474483]  __asan_report_load1_noabort+0x18/0x20
[   11.474502]  ksize_uaf+0x5fe/0x6c0
[   11.474523]  ? __pfx_ksize_uaf+0x10/0x10
[   11.474544]  ? __schedule+0x10cc/0x2b60
[   11.474567]  ? __pfx_read_tsc+0x10/0x10
[   11.474586]  ? ktime_get_ts64+0x86/0x230
[   11.474609]  kunit_try_run_case+0x1a5/0x480
[   11.474629]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.474648]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.474671]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.474695]  ? __kthread_parkme+0x82/0x180
[   11.474744]  ? preempt_count_sub+0x50/0x80
[   11.474767]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.474788]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.474811]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.474835]  kthread+0x337/0x6f0
[   11.474853]  ? trace_preempt_on+0x20/0xc0
[   11.474875]  ? __pfx_kthread+0x10/0x10
[   11.474895]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.474918]  ? calculate_sigpending+0x7b/0xa0
[   11.474940]  ? __pfx_kthread+0x10/0x10
[   11.474961]  ret_from_fork+0x116/0x1d0
[   11.474979]  ? __pfx_kthread+0x10/0x10
[   11.474998]  ret_from_fork_asm+0x1a/0x30
[   11.475077]  </TASK>
[   11.475088] 
[   11.489923] Allocated by task 214:
[   11.490317]  kasan_save_stack+0x45/0x70
[   11.490609]  kasan_save_track+0x18/0x40
[   11.490995]  kasan_save_alloc_info+0x3b/0x50
[   11.491396]  __kasan_kmalloc+0xb7/0xc0
[   11.491602]  __kmalloc_cache_noprof+0x189/0x420
[   11.492115]  ksize_uaf+0xaa/0x6c0
[   11.492427]  kunit_try_run_case+0x1a5/0x480
[   11.492574]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.492764]  kthread+0x337/0x6f0
[   11.492887]  ret_from_fork+0x116/0x1d0
[   11.493030]  ret_from_fork_asm+0x1a/0x30
[   11.493434] 
[   11.493661] Freed by task 214:
[   11.494097]  kasan_save_stack+0x45/0x70
[   11.494552]  kasan_save_track+0x18/0x40
[   11.494913]  kasan_save_free_info+0x3f/0x60
[   11.495122]  __kasan_slab_free+0x56/0x70
[   11.495563]  kfree+0x222/0x3f0
[   11.495859]  ksize_uaf+0x12c/0x6c0
[   11.496269]  kunit_try_run_case+0x1a5/0x480
[   11.496525]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.497005]  kthread+0x337/0x6f0
[   11.497411]  ret_from_fork+0x116/0x1d0
[   11.497741]  ret_from_fork_asm+0x1a/0x30
[   11.498141] 
[   11.498213] The buggy address belongs to the object at ffff888102a7ae00
[   11.498213]  which belongs to the cache kmalloc-128 of size 128
[   11.499072] The buggy address is located 0 bytes inside of
[   11.499072]  freed 128-byte region [ffff888102a7ae00, ffff888102a7ae80)
[   11.500269] 
[   11.500460] The buggy address belongs to the physical page:
[   11.500773] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a7a
[   11.501554] flags: 0x200000000000000(node=0|zone=2)
[   11.501731] page_type: f5(slab)
[   11.502030] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.502942] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.503325] page dumped because: kasan: bad access detected
[   11.503508] 
[   11.503590] Memory state around the buggy address:
[   11.503746]  ffff888102a7ad00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.504491]  ffff888102a7ad80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.505237] >ffff888102a7ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.505693]                    ^
[   11.505908]  ffff888102a7ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.506482]  ffff888102a7af00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.506699] ==================================================================
[   11.507936] ==================================================================
[   11.508735] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   11.509412] Read of size 1 at addr ffff888102a7ae78 by task kunit_try_catch/214
[   11.509886] 
[   11.509976] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc7-next-20250526 #1 PREEMPT(voluntary) 
[   11.510019] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.510035] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.510055] Call Trace:
[   11.510066]  <TASK>
[   11.510082]  dump_stack_lvl+0x73/0xb0
[   11.510109]  print_report+0xd1/0x650
[   11.510132]  ? __virt_addr_valid+0x1db/0x2d0
[   11.510154]  ? ksize_uaf+0x5e4/0x6c0
[   11.510174]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.510196]  ? ksize_uaf+0x5e4/0x6c0
[   11.510217]  kasan_report+0x141/0x180
[   11.510239]  ? ksize_uaf+0x5e4/0x6c0
[   11.510264]  __asan_report_load1_noabort+0x18/0x20
[   11.510284]  ksize_uaf+0x5e4/0x6c0
[   11.510304]  ? __pfx_ksize_uaf+0x10/0x10
[   11.510325]  ? __schedule+0x10cc/0x2b60
[   11.510349]  ? __pfx_read_tsc+0x10/0x10
[   11.510369]  ? ktime_get_ts64+0x86/0x230
[   11.510407]  kunit_try_run_case+0x1a5/0x480
[   11.510427]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.510446]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.510470]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.510494]  ? __kthread_parkme+0x82/0x180
[   11.510513]  ? preempt_count_sub+0x50/0x80
[   11.510537]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.510557]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.510580]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.510604]  kthread+0x337/0x6f0
[   11.510622]  ? trace_preempt_on+0x20/0xc0
[   11.510645]  ? __pfx_kthread+0x10/0x10
[   11.510665]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.510687]  ? calculate_sigpending+0x7b/0xa0
[   11.510711]  ? __pfx_kthread+0x10/0x10
[   11.510731]  ret_from_fork+0x116/0x1d0
[   11.510799]  ? __pfx_kthread+0x10/0x10
[   11.510820]  ret_from_fork_asm+0x1a/0x30
[   11.510862]  </TASK>
[   11.510872] 
[   11.518387] Allocated by task 214:
[   11.518715]  kasan_save_stack+0x45/0x70
[   11.518981]  kasan_save_track+0x18/0x40
[   11.519277]  kasan_save_alloc_info+0x3b/0x50
[   11.519618]  __kasan_kmalloc+0xb7/0xc0
[   11.519859]  __kmalloc_cache_noprof+0x189/0x420
[   11.520072]  ksize_uaf+0xaa/0x6c0
[   11.520252]  kunit_try_run_case+0x1a5/0x480
[   11.520472]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.520710]  kthread+0x337/0x6f0
[   11.520905]  ret_from_fork+0x116/0x1d0
[   11.521096]  ret_from_fork_asm+0x1a/0x30
[   11.521329] 
[   11.521435] Freed by task 214:
[   11.521625]  kasan_save_stack+0x45/0x70
[   11.521798]  kasan_save_track+0x18/0x40
[   11.522010]  kasan_save_free_info+0x3f/0x60
[   11.522410]  __kasan_slab_free+0x56/0x70
[   11.522724]  kfree+0x222/0x3f0
[   11.522847]  ksize_uaf+0x12c/0x6c0
[   11.522973]  kunit_try_run_case+0x1a5/0x480
[   11.523116]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.523370]  kthread+0x337/0x6f0
[   11.523553]  ret_from_fork+0x116/0x1d0
[   11.523739]  ret_from_fork_asm+0x1a/0x30
[   11.524070] 
[   11.524146] The buggy address belongs to the object at ffff888102a7ae00
[   11.524146]  which belongs to the cache kmalloc-128 of size 128
[   11.524588] The buggy address is located 120 bytes inside of
[   11.524588]  freed 128-byte region [ffff888102a7ae00, ffff888102a7ae80)
[   11.525492] 
[   11.525613] The buggy address belongs to the physical page:
[   11.525844] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a7a
[   11.526343] flags: 0x200000000000000(node=0|zone=2)
[   11.526601] page_type: f5(slab)
[   11.526807] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.527189] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.527677] page dumped because: kasan: bad access detected
[   11.528017] 
[   11.528218] Memory state around the buggy address:
[   11.528454]  ffff888102a7ad00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.528768]  ffff888102a7ad80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.529141] >ffff888102a7ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.529477]                                                                 ^
[   11.529818]  ffff888102a7ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.530171]  ffff888102a7af00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.530460] ==================================================================
[   11.446445] ==================================================================
[   11.446975] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   11.447477] Read of size 1 at addr ffff888102a7ae00 by task kunit_try_catch/214
[   11.447806] 
[   11.447905] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc7-next-20250526 #1 PREEMPT(voluntary) 
[   11.447949] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.447961] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.447981] Call Trace:
[   11.447992]  <TASK>
[   11.448007]  dump_stack_lvl+0x73/0xb0
[   11.448034]  print_report+0xd1/0x650
[   11.448056]  ? __virt_addr_valid+0x1db/0x2d0
[   11.448078]  ? ksize_uaf+0x19d/0x6c0
[   11.448098]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.448120]  ? ksize_uaf+0x19d/0x6c0
[   11.448141]  kasan_report+0x141/0x180
[   11.448162]  ? ksize_uaf+0x19d/0x6c0
[   11.448186]  ? ksize_uaf+0x19d/0x6c0
[   11.448206]  __kasan_check_byte+0x3d/0x50
[   11.448228]  ksize+0x20/0x60
[   11.448248]  ksize_uaf+0x19d/0x6c0
[   11.448269]  ? __pfx_ksize_uaf+0x10/0x10
[   11.448291]  ? __schedule+0x10cc/0x2b60
[   11.448314]  ? __pfx_read_tsc+0x10/0x10
[   11.448334]  ? ktime_get_ts64+0x86/0x230
[   11.448358]  kunit_try_run_case+0x1a5/0x480
[   11.448388]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.448407]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.448431]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.448455]  ? __kthread_parkme+0x82/0x180
[   11.448474]  ? preempt_count_sub+0x50/0x80
[   11.448497]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.448517]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.448540]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.448563]  kthread+0x337/0x6f0
[   11.448582]  ? trace_preempt_on+0x20/0xc0
[   11.448604]  ? __pfx_kthread+0x10/0x10
[   11.448624]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.448646]  ? calculate_sigpending+0x7b/0xa0
[   11.448668]  ? __pfx_kthread+0x10/0x10
[   11.448689]  ret_from_fork+0x116/0x1d0
[   11.448707]  ? __pfx_kthread+0x10/0x10
[   11.448778]  ret_from_fork_asm+0x1a/0x30
[   11.448808]  </TASK>
[   11.448818] 
[   11.456309] Allocated by task 214:
[   11.456491]  kasan_save_stack+0x45/0x70
[   11.456662]  kasan_save_track+0x18/0x40
[   11.456890]  kasan_save_alloc_info+0x3b/0x50
[   11.457160]  __kasan_kmalloc+0xb7/0xc0
[   11.457298]  __kmalloc_cache_noprof+0x189/0x420
[   11.457494]  ksize_uaf+0xaa/0x6c0
[   11.457669]  kunit_try_run_case+0x1a5/0x480
[   11.457903]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.458414]  kthread+0x337/0x6f0
[   11.458578]  ret_from_fork+0x116/0x1d0
[   11.458712]  ret_from_fork_asm+0x1a/0x30
[   11.458893] 
[   11.458990] Freed by task 214:
[   11.459286]  kasan_save_stack+0x45/0x70
[   11.459491]  kasan_save_track+0x18/0x40
[   11.459687]  kasan_save_free_info+0x3f/0x60
[   11.459947]  __kasan_slab_free+0x56/0x70
[   11.460188]  kfree+0x222/0x3f0
[   11.460347]  ksize_uaf+0x12c/0x6c0
[   11.460587]  kunit_try_run_case+0x1a5/0x480
[   11.460827]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.461031]  kthread+0x337/0x6f0
[   11.461225]  ret_from_fork+0x116/0x1d0
[   11.461414]  ret_from_fork_asm+0x1a/0x30
[   11.461641] 
[   11.461780] The buggy address belongs to the object at ffff888102a7ae00
[   11.461780]  which belongs to the cache kmalloc-128 of size 128
[   11.462347] The buggy address is located 0 bytes inside of
[   11.462347]  freed 128-byte region [ffff888102a7ae00, ffff888102a7ae80)
[   11.462710] 
[   11.462829] The buggy address belongs to the physical page:
[   11.463083] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a7a
[   11.463677] flags: 0x200000000000000(node=0|zone=2)
[   11.464081] page_type: f5(slab)
[   11.464300] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.464715] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.464972] page dumped because: kasan: bad access detected
[   11.465146] 
[   11.465275] Memory state around the buggy address:
[   11.465545]  ffff888102a7ad00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.465946]  ffff888102a7ad80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.466334] >ffff888102a7ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.466611]                    ^
[   11.467420]  ffff888102a7ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.467940]  ffff888102a7af00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.468800] ==================================================================
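Reading the reports above: each architecture shows three KASAN splats for one and the same kmalloc-128 object (allocated at `ksize_uaf+0xb8`, freed at `ksize_uaf+0x11c` on arm64; `+0xaa`/`+0x12c` on x86_64), listed newest first by timestamp. One access is flagged from inside `ksize()` itself (the trace runs through `__kasan_check_byte`), the other two are direct 1-byte reads at offset 0 and at offset 120 of the freed region. The `[N]=TEST` taint and the `kunit_try_catch` task show this is the KUnit KASAN self-test producing the reports it expects, not a regression. The script below is an added triage helper, not part of this page or of the kernel tree: it parses a report, decodes the shadow byte under the `^` caret (generic-KASAN legend: `fa` first granule of a freed object, `fb` freed object, `fc` slab redzone), cross-checks the stated offset against the addresses, and names the first frame outside the KASAN reporting machinery. The two sample inputs are trimmed copies of the arm64 reports printed above; the 19 + 3*granule caret padding is how `print_memory_metadata()` lays out the row.

```python
import re

GRANULE = 8  # KASAN_GRANULE_SIZE for generic (software) KASAN

# Shadow-byte values a slab report can show (mm/kasan/kasan.h); 0x01..0x07 would
# mean "only that many leading bytes of the granule are addressable".
SHADOW_LEGEND = {
    0x00: "addressable",
    0xfa: "freed slab object, first granule (holds free-track metadata)",
    0xfb: "freed slab object",
    0xfc: "slab redzone",
}
# Frames that belong to the reporting machinery, not to the code that faulted.
REPORT_FRAMES = ("show_stack", "dump_stack", "print_report", "kasan_report",
                 "__asan_", "__kasan_check", "kasan_check")
_TS = re.compile(r"^\[\s*\d+\.\d+\] ?")                   # "[   17.918968] "
_FRAME = re.compile(r" (\S+)\+0x[0-9a-f]+/0x[0-9a-f]+")   # " func+0xoff/0xlen"


def parse_report(text):
    """Pull the fields a triager needs out of one KASAN report."""
    r = {"frames": []}
    in_trace = False
    for raw in text.splitlines():
        ln = _TS.sub("", raw).rstrip()
        if not ln:
            in_trace = False                  # a blank line ends the call trace
            continue
        if in_trace:
            if m := _FRAME.match(ln):         # "? func" guesses do not match: skipped
                r["frames"].append(m[1])
            continue
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", ln):
            r["bug"], r["site"] = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", ln):
            r["access"], r["size"], r["addr"] = m[1], int(m[2]), int(m[3], 16)
        elif ln.lower().startswith("call trace:"):
            in_trace = True
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", ln):
            r["obj"] = int(m[1], 16)
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", ln):
            r["offset"] = int(m[1])
        elif m := re.match(r">([0-9a-f]+): ((?:[0-9a-f]{2} ?)+)$", ln):
            r["row_base"] = int(m[1], 16)     # the '>' row holds the guilty granule
            r["row"] = [int(b, 16) for b in m[2].split()]
        elif ln.endswith("^") and not ln.strip("^ "):
            # print_memory_metadata() pads 19 chars for ">addr: " plus 3 per granule
            r["caret_idx"] = (len(ln) - 1 - 19) // 3
    return r


def analyze(r):
    """Decode the faulting granule and check the report's numbers against each other."""
    gi = (r["addr"] - r["row_base"]) // GRANULE
    shadow = r["row"][gi]
    return {
        "granule": gi, "shadow": shadow,
        "shadow_meaning": SHADOW_LEGEND.get(shadow, "partial" if 0 < shadow < GRANULE else "unknown"),
        # first frame outside KASAN itself: where the bad access really happened
        "fault_frame": next((f for f in r["frames"] if not f.startswith(REPORT_FRAMES)), None),
        "offset_ok": r["addr"] - r["obj"] == r["offset"],
        "caret_ok": r["caret_idx"] == gi,
        # A use-after-free must land on freed-object shadow (fa/fb); landing on a
        # redzone (fc) would make it an out-of-bounds report instead.
        "type_ok": (r["bug"] == "slab-use-after-free") == (shadow in (0xfa, 0xfb)),
    }


# Two of the arm64 reports above, trimmed to the lines the parser uses.
REPORT_OFFSET_120 = "\n".join([
    "[   17.918968] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8",
    "[   17.919083] Read of size 1 at addr fff00000c78c2378 by task kunit_try_catch/196",
    "[   17.919544] Call trace:",
    "[   17.919923]  kasan_report+0xdc/0x128",
    "[   17.920074]  __asan_report_load1_noabort+0x20/0x30",
    "[   17.920228]  ksize_uaf+0x544/0x5f8",
    "[   17.920889] ",
    "[   17.928062] The buggy address belongs to the object at fff00000c78c2300",
    "[   17.928824] The buggy address is located 120 bytes inside of",
    "[   17.931378] >fff00000c78c2300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    "[   17.931456] " + " " * 64 + "^",      # the page shows 64 spaces before the caret
])
REPORT_KSIZE = "\n".join([
    "[   17.897556] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8",
    "[   17.898039] Read of size 1 at addr fff00000c78c2300 by task kunit_try_catch/196",
    "[   17.898705] Call trace:",
    "[   17.899206]  kasan_report+0xdc/0x128",
    "[   17.899332]  __kasan_check_byte+0x54/0x70",
    "[   17.899717]  ksize+0x30/0x88",
    "[   17.900078]  ksize_uaf+0x168/0x5f8",
    "[   17.900745] ",
    "[   17.903262] The buggy address belongs to the object at fff00000c78c2300",
    "[   17.903629] The buggy address is located 0 bytes inside of",
    "[   17.906164] >fff00000c78c2300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    "[   17.906248] " + " " * 19 + "^",      # 19 spaces: the caret sits under granule 0
])

if __name__ == "__main__":
    for name, rep in (("direct read, offset 120", REPORT_OFFSET_120), ("ksize() check", REPORT_KSIZE)):
        print(name, analyze(parse_report(rep)))
```

For the offset-120 report the helper lands on granule 15 with shadow `fb` and names `ksize_uaf` as the faulting frame; for the `ksize()` report it lands on granule 0 with shadow `fa` and names `ksize`, which tells a triager that the pointer was already dead before any byte of it was read by the caller. If `offset_ok` or `caret_ok` ever came back false on a real report, the report text itself would be suspect (a mangled log, a mixed-up paste), and if `type_ok` failed the header and the shadow would disagree about whether the access was a use-after-free or an out-of-bounds into a redzone.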