Date
May 30, 2025, 4:14 a.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 | |
| x15 |
[ 32.351317] ================================================================== [ 32.358415] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 32.364748] Read of size 1 at addr ffff000803eb5978 by task kunit_try_catch/240 [ 32.372039] [ 32.373521] CPU: 4 UID: 0 PID: 240 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT [ 32.373575] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.373589] Hardware name: WinLink E850-96 board (DT) [ 32.373609] Call trace: [ 32.373619] show_stack+0x20/0x38 (C) [ 32.373652] dump_stack_lvl+0x8c/0xd0 [ 32.373689] print_report+0x118/0x608 [ 32.373723] kasan_report+0xdc/0x128 [ 32.373756] __asan_report_load1_noabort+0x20/0x30 [ 32.373785] ksize_uaf+0x544/0x5f8 [ 32.373813] kunit_try_run_case+0x170/0x3f0 [ 32.373847] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.373885] kthread+0x328/0x630 [ 32.373912] ret_from_fork+0x10/0x20 [ 32.373944] [ 32.436448] Allocated by task 240: [ 32.439834] kasan_save_stack+0x3c/0x68 [ 32.443653] kasan_save_track+0x20/0x40 [ 32.447472] kasan_save_alloc_info+0x40/0x58 [ 32.451726] __kasan_kmalloc+0xd4/0xd8 [ 32.455458] __kmalloc_cache_noprof+0x15c/0x3c0 [ 32.459972] ksize_uaf+0xb8/0x5f8 [ 32.463270] kunit_try_run_case+0x170/0x3f0 [ 32.467437] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.472906] kthread+0x328/0x630 [ 32.476118] ret_from_fork+0x10/0x20 [ 32.479677] [ 32.481152] Freed by task 240: [ 32.484190] kasan_save_stack+0x3c/0x68 [ 32.488010] kasan_save_track+0x20/0x40 [ 32.491829] kasan_save_free_info+0x4c/0x78 [ 32.495996] __kasan_slab_free+0x6c/0x98 [ 32.499902] kfree+0x214/0x3c8 [ 32.502940] ksize_uaf+0x11c/0x5f8 [ 32.506326] kunit_try_run_case+0x170/0x3f0 [ 32.510492] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.515961] kthread+0x328/0x630 [ 32.519172] ret_from_fork+0x10/0x20 [ 32.522732] [ 32.524208] The buggy address belongs to the object at ffff000803eb5900 [ 32.524208] which belongs to the cache kmalloc-128 of size 128 [ 32.536707] The buggy address is located 120 bytes inside of [ 32.536707] freed 128-byte region [ffff000803eb5900, ffff000803eb5980) [ 32.548946] [ 32.550424] The buggy address belongs to the physical page: [ 32.555980] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x883eb4 [ 32.563964] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 32.571602] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 32.578548] page_type: f5(slab) [ 32.581681] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 32.589404] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 32.597130] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 32.604941] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 32.612754] head: 0bfffe0000000001 fffffdffe00fad01 00000000ffffffff 00000000ffffffff [ 32.620566] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 32.628372] page dumped because: kasan: bad access detected [ 32.633927] [ 32.635403] Memory state around the buggy address: [ 32.640181] ffff000803eb5800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.647386] ffff000803eb5880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.654591] >ffff000803eb5900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.661792] ^ [ 32.668913] ffff000803eb5980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.676118] ffff000803eb5a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.683319] ================================================================== [ 31.676050] ================================================================== [ 31.685856] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 31.692190] Read of size 1 at addr ffff000803eb5900 by task kunit_try_catch/240 [ 31.699480] [ 31.700964] CPU: 4 UID: 0 PID: 240 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT [ 31.701016] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.701031] Hardware name: WinLink E850-96 board (DT) [ 31.701051] Call trace: [ 31.701066] show_stack+0x20/0x38 (C) [ 31.701104] dump_stack_lvl+0x8c/0xd0 [ 31.701142] print_report+0x118/0x608 [ 31.701178] kasan_report+0xdc/0x128 [ 31.701208] __kasan_check_byte+0x54/0x70 [ 31.701243] ksize+0x30/0x88 [ 31.701277] ksize_uaf+0x168/0x5f8 [ 31.701305] kunit_try_run_case+0x170/0x3f0 [ 31.701342] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.701380] kthread+0x328/0x630 [ 31.701408] ret_from_fork+0x10/0x20 [ 31.701444] [ 31.765973] Allocated by task 240: [ 31.769360] kasan_save_stack+0x3c/0x68 [ 31.773176] kasan_save_track+0x20/0x40 [ 31.776996] kasan_save_alloc_info+0x40/0x58 [ 31.781250] __kasan_kmalloc+0xd4/0xd8 [ 31.784982] __kmalloc_cache_noprof+0x15c/0x3c0 [ 31.789496] ksize_uaf+0xb8/0x5f8 [ 31.792794] kunit_try_run_case+0x170/0x3f0 [ 31.796961] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.802429] kthread+0x328/0x630 [ 31.805642] ret_from_fork+0x10/0x20 [ 31.809200] [ 31.810676] Freed by task 240: [ 31.813716] kasan_save_stack+0x3c/0x68 [ 31.817534] kasan_save_track+0x20/0x40 [ 31.821353] kasan_save_free_info+0x4c/0x78 [ 31.825520] __kasan_slab_free+0x6c/0x98 [ 31.829426] kfree+0x214/0x3c8 [ 31.832464] ksize_uaf+0x11c/0x5f8 [ 31.835850] kunit_try_run_case+0x170/0x3f0 [ 31.840016] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.845485] kthread+0x328/0x630 [ 31.848696] ret_from_fork+0x10/0x20 [ 31.852256] [ 31.853734] The buggy address belongs to the object at ffff000803eb5900 [ 31.853734] which belongs to the cache kmalloc-128 of size 128 [ 31.866233] The buggy address is located 0 bytes inside of [ 31.866233] freed 128-byte region [ffff000803eb5900, ffff000803eb5980) [ 31.878296] [ 31.879776] The buggy address belongs to the physical page: [ 31.885332] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x883eb4 [ 31.893317] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 31.900956] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 31.907899] page_type: f5(slab) [ 31.911036] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 31.918754] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 31.926481] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 31.934292] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 31.942105] head: 0bfffe0000000001 fffffdffe00fad01 00000000ffffffff 00000000ffffffff [ 31.949917] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 31.957723] page dumped because: kasan: bad access detected [ 31.963279] [ 31.964754] Memory state around the buggy address: [ 31.969533] ffff000803eb5800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.976736] ffff000803eb5880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.983941] >ffff000803eb5900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.991142] ^ [ 31.994358] ffff000803eb5980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.001563] ffff000803eb5a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.008763] ================================================================== [ 32.016297] ================================================================== [ 32.023178] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 32.029510] Read of size 1 at addr ffff000803eb5900 by task kunit_try_catch/240 [ 32.036801] [ 32.038284] CPU: 4 UID: 0 PID: 240 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT [ 32.038340] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.038356] Hardware name: WinLink E850-96 board (DT) [ 32.038375] Call trace: [ 32.038386] show_stack+0x20/0x38 (C) [ 32.038421] dump_stack_lvl+0x8c/0xd0 [ 32.038457] print_report+0x118/0x608 [ 32.038490] kasan_report+0xdc/0x128 [ 32.038522] __asan_report_load1_noabort+0x20/0x30 [ 32.038554] ksize_uaf+0x598/0x5f8 [ 32.038582] kunit_try_run_case+0x170/0x3f0 [ 32.038615] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.038653] kthread+0x328/0x630 [ 32.038679] ret_from_fork+0x10/0x20 [ 32.038710] [ 32.101211] Allocated by task 240: [ 32.104596] kasan_save_stack+0x3c/0x68 [ 32.108415] kasan_save_track+0x20/0x40 [ 32.112234] kasan_save_alloc_info+0x40/0x58 [ 32.116487] __kasan_kmalloc+0xd4/0xd8 [ 32.120220] __kmalloc_cache_noprof+0x15c/0x3c0 [ 32.124734] ksize_uaf+0xb8/0x5f8 [ 32.128032] kunit_try_run_case+0x170/0x3f0 [ 32.132199] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.137667] kthread+0x328/0x630 [ 32.140879] ret_from_fork+0x10/0x20 [ 32.144438] [ 32.145914] Freed by task 240: [ 32.148952] kasan_save_stack+0x3c/0x68 [ 32.152771] kasan_save_track+0x20/0x40 [ 32.156591] kasan_save_free_info+0x4c/0x78 [ 32.160757] __kasan_slab_free+0x6c/0x98 [ 32.164664] kfree+0x214/0x3c8 [ 32.167702] ksize_uaf+0x11c/0x5f8 [ 32.171087] kunit_try_run_case+0x170/0x3f0 [ 32.175254] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.180723] kthread+0x328/0x630 [ 32.183935] ret_from_fork+0x10/0x20 [ 32.187493] [ 32.188971] The buggy address belongs to the object at ffff000803eb5900 [ 32.188971] which belongs to the cache kmalloc-128 of size 128 [ 32.201469] The buggy address is located 0 bytes inside of [ 32.201469] freed 128-byte region [ffff000803eb5900, ffff000803eb5980) [ 32.213535] [ 32.215012] The buggy address belongs to the physical page: [ 32.220571] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x883eb4 [ 32.228552] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 32.236191] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 32.243136] page_type: f5(slab) [ 32.246271] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 32.253992] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 32.261718] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 32.269530] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 32.277343] head: 0bfffe0000000001 fffffdffe00fad01 00000000ffffffff 00000000ffffffff [ 32.285154] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 32.292960] page dumped because: kasan: bad access detected [ 32.298517] [ 32.299991] Memory state around the buggy address: [ 32.304770] ffff000803eb5800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.311975] ffff000803eb5880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.319179] >ffff000803eb5900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.326380] ^ [ 32.329596] ffff000803eb5980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.336802] ffff000803eb5a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.344003] ==================================================================
[ 25.325060] ================================================================== [ 25.325409] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 25.325566] Read of size 1 at addr fff00000c77e8378 by task kunit_try_catch/197 [ 25.325720] [ 25.325794] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT [ 25.325990] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.326156] Hardware name: linux,dummy-virt (DT) [ 25.326242] Call trace: [ 25.326291] show_stack+0x20/0x38 (C) [ 25.326408] dump_stack_lvl+0x8c/0xd0 [ 25.326551] print_report+0x118/0x608 [ 25.326938] kasan_report+0xdc/0x128 [ 25.327193] __asan_report_load1_noabort+0x20/0x30 [ 25.327430] ksize_uaf+0x544/0x5f8 [ 25.327584] kunit_try_run_case+0x170/0x3f0 [ 25.327842] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.328096] kthread+0x328/0x630 [ 25.328258] ret_from_fork+0x10/0x20 [ 25.328473] [ 25.328523] Allocated by task 197: [ 25.328659] kasan_save_stack+0x3c/0x68 [ 25.329021] kasan_save_track+0x20/0x40 [ 25.329142] kasan_save_alloc_info+0x40/0x58 [ 25.329325] __kasan_kmalloc+0xd4/0xd8 [ 25.329450] __kmalloc_cache_noprof+0x15c/0x3c0 [ 25.330574] ksize_uaf+0xb8/0x5f8 [ 25.330708] kunit_try_run_case+0x170/0x3f0 [ 25.330816] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.330926] kthread+0x328/0x630 [ 25.331035] ret_from_fork+0x10/0x20 [ 25.331253] [ 25.331307] Freed by task 197: [ 25.331391] kasan_save_stack+0x3c/0x68 [ 25.331491] kasan_save_track+0x20/0x40 [ 25.331581] kasan_save_free_info+0x4c/0x78 [ 25.331742] __kasan_slab_free+0x6c/0x98 [ 25.331845] kfree+0x214/0x3c8 [ 25.331925] ksize_uaf+0x11c/0x5f8 [ 25.332016] kunit_try_run_case+0x170/0x3f0 [ 25.332285] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.332414] kthread+0x328/0x630 [ 25.332509] ret_from_fork+0x10/0x20 [ 25.332779] [ 25.332837] The buggy address belongs to the object at fff00000c77e8300 [ 25.332837] which belongs to the cache kmalloc-128 of size 128 [ 25.333431] The buggy address is located 120 bytes inside of [ 25.333431] freed 128-byte region [fff00000c77e8300, fff00000c77e8380) [ 25.334085] [ 25.334491] The buggy address belongs to the physical page: [ 25.334578] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077e8 [ 25.334778] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 25.334905] page_type: f5(slab) [ 25.335151] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 25.335283] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.335640] page dumped because: kasan: bad access detected [ 25.335739] [ 25.335787] Memory state around the buggy address: [ 25.335859] fff00000c77e8200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.335960] fff00000c77e8280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.336099] >fff00000c77e8300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.336784] ^ [ 25.337065] fff00000c77e8380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.337297] fff00000c77e8400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.337441] ================================================================== [ 25.284579] ================================================================== [ 25.286327] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 25.287323] Read of size 1 at addr fff00000c77e8300 by task kunit_try_catch/197 [ 25.287527] [ 25.287637] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT [ 25.288069] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.288195] Hardware name: linux,dummy-virt (DT) [ 25.288321] Call trace: [ 25.288409] show_stack+0x20/0x38 (C) [ 25.288589] dump_stack_lvl+0x8c/0xd0 [ 25.288735] print_report+0x118/0x608 [ 25.288858] kasan_report+0xdc/0x128 [ 25.288968] __kasan_check_byte+0x54/0x70 [ 25.289084] ksize+0x30/0x88 [ 25.289208] ksize_uaf+0x168/0x5f8 [ 25.289356] kunit_try_run_case+0x170/0x3f0 [ 25.289776] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.290391] kthread+0x328/0x630 [ 25.290539] ret_from_fork+0x10/0x20 [ 25.290819] [ 25.290909] Allocated by task 197: [ 25.290999] kasan_save_stack+0x3c/0x68 [ 25.291106] kasan_save_track+0x20/0x40 [ 25.291209] kasan_save_alloc_info+0x40/0x58 [ 25.291308] __kasan_kmalloc+0xd4/0xd8 [ 25.292630] __kmalloc_cache_noprof+0x15c/0x3c0 [ 25.292837] ksize_uaf+0xb8/0x5f8 [ 25.293024] kunit_try_run_case+0x170/0x3f0 [ 25.293192] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.293340] kthread+0x328/0x630 [ 25.293921] ret_from_fork+0x10/0x20 [ 25.294088] [ 25.294175] Freed by task 197: [ 25.294381] kasan_save_stack+0x3c/0x68 [ 25.294482] kasan_save_track+0x20/0x40 [ 25.294577] kasan_save_free_info+0x4c/0x78 [ 25.295511] __kasan_slab_free+0x6c/0x98 [ 25.295654] kfree+0x214/0x3c8 [ 25.295848] ksize_uaf+0x11c/0x5f8 [ 25.296115] kunit_try_run_case+0x170/0x3f0 [ 25.296390] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.296505] kthread+0x328/0x630 [ 25.297292] ret_from_fork+0x10/0x20 [ 25.297650] [ 25.297951] The buggy address belongs to the object at fff00000c77e8300 [ 25.297951] which belongs to the cache kmalloc-128 of size 128 [ 25.298535] The buggy address is located 0 bytes inside of [ 25.298535] freed 128-byte region [fff00000c77e8300, fff00000c77e8380) [ 25.298898] [ 25.299000] The buggy address belongs to the physical page: [ 25.299075] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077e8 [ 25.299950] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 25.300175] page_type: f5(slab) [ 25.300420] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 25.300557] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.301174] page dumped because: kasan: bad access detected [ 25.301621] [ 25.301674] Memory state around the buggy address: [ 25.301938] fff00000c77e8200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.302409] fff00000c77e8280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.302516] >fff00000c77e8300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.302608] ^ [ 25.303294] fff00000c77e8380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.303414] fff00000c77e8400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.303983] ================================================================== [ 25.306985] ================================================================== [ 25.307728] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 25.308536] Read of size 1 at addr fff00000c77e8300 by task kunit_try_catch/197 [ 25.308694] [ 25.308768] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT [ 25.309587] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.310178] Hardware name: linux,dummy-virt (DT) [ 25.310363] Call trace: [ 25.310449] show_stack+0x20/0x38 (C) [ 25.311015] dump_stack_lvl+0x8c/0xd0 [ 25.311481] print_report+0x118/0x608 [ 25.311611] kasan_report+0xdc/0x128 [ 25.312172] __asan_report_load1_noabort+0x20/0x30 [ 25.312539] ksize_uaf+0x598/0x5f8 [ 25.312924] kunit_try_run_case+0x170/0x3f0 [ 25.313046] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.313175] kthread+0x328/0x630 [ 25.313301] ret_from_fork+0x10/0x20 [ 25.313868] [ 25.314443] Allocated by task 197: [ 25.314528] kasan_save_stack+0x3c/0x68 [ 25.314884] kasan_save_track+0x20/0x40 [ 25.315113] kasan_save_alloc_info+0x40/0x58 [ 25.315223] __kasan_kmalloc+0xd4/0xd8 [ 25.315727] __kmalloc_cache_noprof+0x15c/0x3c0 [ 25.315846] ksize_uaf+0xb8/0x5f8 [ 25.316351] kunit_try_run_case+0x170/0x3f0 [ 25.316720] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.316934] kthread+0x328/0x630 [ 25.317034] ret_from_fork+0x10/0x20 [ 25.317144] [ 25.317195] Freed by task 197: [ 25.317355] kasan_save_stack+0x3c/0x68 [ 25.317488] kasan_save_track+0x20/0x40 [ 25.317614] kasan_save_free_info+0x4c/0x78 [ 25.317891] __kasan_slab_free+0x6c/0x98 [ 25.318063] kfree+0x214/0x3c8 [ 25.318207] ksize_uaf+0x11c/0x5f8 [ 25.318469] kunit_try_run_case+0x170/0x3f0 [ 25.318582] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.318809] kthread+0x328/0x630 [ 25.318940] ret_from_fork+0x10/0x20 [ 25.319050] [ 25.319105] The buggy address belongs to the object at fff00000c77e8300 [ 25.319105] which belongs to the cache kmalloc-128 of size 128 [ 25.319295] The buggy address is located 0 bytes inside of [ 25.319295] freed 128-byte region [fff00000c77e8300, fff00000c77e8380) [ 25.319542] [ 25.319599] The buggy address belongs to the physical page: [ 25.319788] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077e8 [ 25.319929] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 25.320044] page_type: f5(slab) [ 25.321132] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 25.321489] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.321592] page dumped because: kasan: bad access detected [ 25.322583] [ 25.322729] Memory state around the buggy address: [ 25.322836] fff00000c77e8200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.322951] fff00000c77e8280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.323060] >fff00000c77e8300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.323214] ^ [ 25.323298] fff00000c77e8380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.323452] fff00000c77e8400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.323557] ==================================================================
[ 19.087456] ================================================================== [ 19.088103] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 19.088709] Read of size 1 at addr ffff888102b56400 by task kunit_try_catch/213 [ 19.089463] [ 19.089897] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary) [ 19.090076] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.090120] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 19.090181] Call Trace: [ 19.090222] <TASK> [ 19.090282] dump_stack_lvl+0x73/0xb0 [ 19.090367] print_report+0xd1/0x650 [ 19.090444] ? __virt_addr_valid+0x1db/0x2d0 [ 19.090524] ? ksize_uaf+0x5fe/0x6c0 [ 19.090590] ? kasan_complete_mode_report_info+0x64/0x200 [ 19.090626] ? ksize_uaf+0x5fe/0x6c0 [ 19.090657] kasan_report+0x141/0x180 [ 19.090690] ? ksize_uaf+0x5fe/0x6c0 [ 19.090741] __asan_report_load1_noabort+0x18/0x20 [ 19.091121] ksize_uaf+0x5fe/0x6c0 [ 19.091296] ? __pfx_ksize_uaf+0x10/0x10 [ 19.091377] ? __schedule+0x10cc/0x2b60 [ 19.091447] ? __pfx_read_tsc+0x10/0x10 [ 19.091482] ? ktime_get_ts64+0x86/0x230 [ 19.091518] kunit_try_run_case+0x1a5/0x480 [ 19.091549] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.091576] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 19.091612] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 19.091646] ? __kthread_parkme+0x82/0x180 [ 19.091675] ? preempt_count_sub+0x50/0x80 [ 19.091706] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.091769] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.091808] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 19.091843] kthread+0x337/0x6f0 [ 19.091870] ? trace_preempt_on+0x20/0xc0 [ 19.091904] ? __pfx_kthread+0x10/0x10 [ 19.091932] ? _raw_spin_unlock_irq+0x47/0x80 [ 19.091963] ? calculate_sigpending+0x7b/0xa0 [ 19.092019] ? __pfx_kthread+0x10/0x10 [ 19.092055] ret_from_fork+0x116/0x1d0 [ 19.092081] ? __pfx_kthread+0x10/0x10 [ 19.092109] ret_from_fork_asm+0x1a/0x30 [ 19.092151] </TASK> [ 19.092169] [ 19.110411] Allocated by task 213: [ 19.110716] kasan_save_stack+0x45/0x70 [ 19.111169] kasan_save_track+0x18/0x40 [ 19.111588] kasan_save_alloc_info+0x3b/0x50 [ 19.112495] __kasan_kmalloc+0xb7/0xc0 [ 19.113090] __kmalloc_cache_noprof+0x189/0x420 [ 19.113761] ksize_uaf+0xaa/0x6c0 [ 19.114120] kunit_try_run_case+0x1a5/0x480 [ 19.114844] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.115693] kthread+0x337/0x6f0 [ 19.116520] ret_from_fork+0x116/0x1d0 [ 19.116801] ret_from_fork_asm+0x1a/0x30 [ 19.117757] [ 19.118120] Freed by task 213: [ 19.118375] kasan_save_stack+0x45/0x70 [ 19.119092] kasan_save_track+0x18/0x40 [ 19.119929] kasan_save_free_info+0x3f/0x60 [ 19.120689] __kasan_slab_free+0x56/0x70 [ 19.121089] kfree+0x222/0x3f0 [ 19.121440] ksize_uaf+0x12c/0x6c0 [ 19.122618] kunit_try_run_case+0x1a5/0x480 [ 19.123011] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.123672] kthread+0x337/0x6f0 [ 19.123988] ret_from_fork+0x116/0x1d0 [ 19.124486] ret_from_fork_asm+0x1a/0x30 [ 19.125522] [ 19.125694] The buggy address belongs to the object at ffff888102b56400 [ 19.125694] which belongs to the cache kmalloc-128 of size 128 [ 19.127266] The buggy address is located 0 bytes inside of [ 19.127266] freed 128-byte region [ffff888102b56400, ffff888102b56480) [ 19.128065] [ 19.128303] The buggy address belongs to the physical page: [ 19.128803] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b56 [ 19.129959] flags: 0x200000000000000(node=0|zone=2) [ 19.130796] page_type: f5(slab) [ 19.131481] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 19.132334] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.133184] page dumped because: kasan: bad access detected [ 19.134087] [ 19.134869] Memory state around the buggy address: [ 19.135255] ffff888102b56300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.136012] ffff888102b56380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.136627] >ffff888102b56400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.137598] ^ [ 19.137974] ffff888102b56480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.139195] ffff888102b56500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.140121] ================================================================== [ 19.141504] ================================================================== [ 19.141981] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 19.144016] Read of size 1 at addr ffff888102b56478 by task kunit_try_catch/213 [ 19.145089] [ 19.145346] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary) [ 19.145469] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.145505] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 19.145554] Call Trace: [ 19.145575] <TASK> [ 19.145603] dump_stack_lvl+0x73/0xb0 [ 19.145675] print_report+0xd1/0x650 [ 19.145710] ? __virt_addr_valid+0x1db/0x2d0 [ 19.145771] ? ksize_uaf+0x5e4/0x6c0 [ 19.145802] ? kasan_complete_mode_report_info+0x64/0x200 [ 19.145834] ? ksize_uaf+0x5e4/0x6c0 [ 19.145865] kasan_report+0x141/0x180 [ 19.145896] ? ksize_uaf+0x5e4/0x6c0 [ 19.145931] __asan_report_load1_noabort+0x18/0x20 [ 19.145959] ksize_uaf+0x5e4/0x6c0 [ 19.145989] ? __pfx_ksize_uaf+0x10/0x10 [ 19.146074] ? __schedule+0x10cc/0x2b60 [ 19.146145] ? __pfx_read_tsc+0x10/0x10 [ 19.146214] ? ktime_get_ts64+0x86/0x230 [ 19.146305] kunit_try_run_case+0x1a5/0x480 [ 19.146373] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.146405] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 19.146442] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 19.146477] ? __kthread_parkme+0x82/0x180 [ 19.146506] ? preempt_count_sub+0x50/0x80 [ 19.146538] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.146566] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.146601] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 19.146635] kthread+0x337/0x6f0 [ 19.146662] ? trace_preempt_on+0x20/0xc0 [ 19.146693] ? __pfx_kthread+0x10/0x10 [ 19.146736] ? _raw_spin_unlock_irq+0x47/0x80 [ 19.146787] ? calculate_sigpending+0x7b/0xa0 [ 19.146822] ? __pfx_kthread+0x10/0x10 [ 19.146852] ret_from_fork+0x116/0x1d0 [ 19.146877] ? __pfx_kthread+0x10/0x10 [ 19.146905] ret_from_fork_asm+0x1a/0x30 [ 19.146947] </TASK> [ 19.146961] [ 19.162555] Allocated by task 213: [ 19.163165] kasan_save_stack+0x45/0x70 [ 19.163866] kasan_save_track+0x18/0x40 [ 19.164202] kasan_save_alloc_info+0x3b/0x50 [ 19.164630] __kasan_kmalloc+0xb7/0xc0 [ 19.165349] __kmalloc_cache_noprof+0x189/0x420 [ 19.165848] ksize_uaf+0xaa/0x6c0 [ 19.166360] kunit_try_run_case+0x1a5/0x480 [ 19.166802] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.169085] kthread+0x337/0x6f0 [ 19.169446] ret_from_fork+0x116/0x1d0 [ 19.171840] ret_from_fork_asm+0x1a/0x30 [ 19.172953] [ 19.173140] Freed by task 213: [ 19.173451] kasan_save_stack+0x45/0x70 [ 19.175855] kasan_save_track+0x18/0x40 [ 19.176260] kasan_save_free_info+0x3f/0x60 [ 19.176570] __kasan_slab_free+0x56/0x70 [ 19.176868] kfree+0x222/0x3f0 [ 19.177518] ksize_uaf+0x12c/0x6c0 [ 19.177790] kunit_try_run_case+0x1a5/0x480 [ 19.178133] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.178532] kthread+0x337/0x6f0 [ 19.179113] ret_from_fork+0x116/0x1d0 [ 19.179635] ret_from_fork_asm+0x1a/0x30 [ 19.181647] [ 19.182606] The buggy address belongs to the object at ffff888102b56400 [ 19.182606] which belongs to the cache kmalloc-128 of size 128 [ 19.183632] The buggy address is located 120 bytes inside of [ 19.183632] freed 128-byte region [ffff888102b56400, ffff888102b56480) [ 19.184227] [ 19.184367] The buggy address belongs to the physical page: [ 19.185935] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b56 [ 19.186899] flags: 0x200000000000000(node=0|zone=2) [ 19.187359] page_type: f5(slab) [ 19.187673] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 19.188334] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.189066] page dumped because: kasan: bad access detected [ 19.189546] [ 19.190033] Memory state around the buggy address: [ 19.190527] ffff888102b56300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.191461] ffff888102b56380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.192027] >ffff888102b56400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.192643] ^ [ 19.193675] ffff888102b56480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.194249] ffff888102b56500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.194955] ================================================================== [ 19.030128] ================================================================== [ 19.031231] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 19.032032] Read of size 1 at addr ffff888102b56400 by task kunit_try_catch/213 [ 19.033507] [ 19.033699] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary) [ 19.033785] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.033803] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 19.033834] Call Trace: [ 19.033850] <TASK> [ 19.033871] dump_stack_lvl+0x73/0xb0 [ 19.033909] print_report+0xd1/0x650 [ 19.033940] ? __virt_addr_valid+0x1db/0x2d0 [ 19.033971] ? ksize_uaf+0x19d/0x6c0 [ 19.034023] ? kasan_complete_mode_report_info+0x64/0x200 [ 19.034098] ? ksize_uaf+0x19d/0x6c0 [ 19.034316] kasan_report+0x141/0x180 [ 19.034400] ? ksize_uaf+0x19d/0x6c0 [ 19.034484] ? ksize_uaf+0x19d/0x6c0 [ 19.034587] __kasan_check_byte+0x3d/0x50 [ 19.034675] ksize+0x20/0x60 [ 19.034750] ksize_uaf+0x19d/0x6c0 [ 19.034861] ? __pfx_ksize_uaf+0x10/0x10 [ 19.034896] ? __schedule+0x10cc/0x2b60 [ 19.034932] ? __pfx_read_tsc+0x10/0x10 [ 19.034963] ? ktime_get_ts64+0x86/0x230 [ 19.035017] kunit_try_run_case+0x1a5/0x480 [ 19.035058] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.035087] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 19.035121] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 19.035155] ? __kthread_parkme+0x82/0x180 [ 19.035276] ? preempt_count_sub+0x50/0x80 [ 19.035318] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.035348] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.035383] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 19.035418] kthread+0x337/0x6f0 [ 19.035444] ? trace_preempt_on+0x20/0xc0 [ 19.035477] ? __pfx_kthread+0x10/0x10 [ 19.035505] ? _raw_spin_unlock_irq+0x47/0x80 [ 19.035536] ? calculate_sigpending+0x7b/0xa0 [ 19.035570] ? __pfx_kthread+0x10/0x10 [ 19.035599] ret_from_fork+0x116/0x1d0 [ 19.035623] ? __pfx_kthread+0x10/0x10 [ 19.035651] ret_from_fork_asm+0x1a/0x30 [ 19.035691] </TASK> [ 19.035706] [ 19.058085] Allocated by task 213: [ 19.058638] kasan_save_stack+0x45/0x70 [ 19.059366] kasan_save_track+0x18/0x40 [ 19.059773] kasan_save_alloc_info+0x3b/0x50 [ 19.060289] __kasan_kmalloc+0xb7/0xc0 [ 19.060759] __kmalloc_cache_noprof+0x189/0x420 [ 19.061374] ksize_uaf+0xaa/0x6c0 [ 19.061730] kunit_try_run_case+0x1a5/0x480 [ 19.062502] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.063096] kthread+0x337/0x6f0 [ 19.063557] ret_from_fork+0x116/0x1d0 [ 19.064047] ret_from_fork_asm+0x1a/0x30 [ 19.064612] [ 19.064917] Freed by task 213: [ 19.065582] kasan_save_stack+0x45/0x70 [ 19.066031] kasan_save_track+0x18/0x40 [ 19.066419] kasan_save_free_info+0x3f/0x60 [ 19.066859] __kasan_slab_free+0x56/0x70 [ 19.067461] kfree+0x222/0x3f0 [ 19.067813] ksize_uaf+0x12c/0x6c0 [ 19.068372] kunit_try_run_case+0x1a5/0x480 [ 19.068861] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.069649] kthread+0x337/0x6f0 [ 19.070090] ret_from_fork+0x116/0x1d0 [ 19.070670] ret_from_fork_asm+0x1a/0x30 [ 19.071331] [ 19.071546] The buggy address belongs to the object at ffff888102b56400 [ 19.071546] which belongs to the cache kmalloc-128 of size 128 [ 19.072681] The buggy address is located 0 bytes inside of [ 19.072681] freed 128-byte region [ffff888102b56400, ffff888102b56480) [ 19.073729] [ 19.074586] The buggy address belongs to the physical page: [ 19.075369] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b56 [ 19.076041] flags: 0x200000000000000(node=0|zone=2) [ 19.076653] page_type: f5(slab) [ 19.077058] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 19.077894] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.078885] page dumped because: kasan: bad access detected [ 19.079439] [ 19.079660] Memory state around the buggy address: [ 19.080388] ffff888102b56300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.080957] ffff888102b56380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.082028] >ffff888102b56400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.082698] ^ [ 19.083444] ffff888102b56480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.084348] ffff888102b56500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.084908] ==================================================================
[ 58.919952] ================================================================== [ 58.927246] BUG: KASAN: slab-use-after-free in ksize_uaf+0x68c/0x740 [ 58.933624] Read of size 1 at addr cc78ef78 by task kunit_try_catch/248 [ 58.940307] [ 58.941802] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE [ 58.941833] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 58.941833] Hardware name: Generic DRA74X (Flattened Device Tree) [ 58.941833] Call trace: [ 58.941864] unwind_backtrace from show_stack+0x18/0x1c [ 58.941894] show_stack from dump_stack_lvl+0x70/0x90 [ 58.941894] dump_stack_lvl from print_report+0x158/0x528 [ 58.941925] print_report from kasan_report+0xdc/0x118 [ 58.941955] kasan_report from ksize_uaf+0x68c/0x740 [ 58.941986] ksize_uaf from kunit_try_run_case+0x22c/0x5a8 [ 58.941986] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 58.942016] kunit_generic_run_threadfn_adapter from kthread+0x464/0x810 [ 58.942047] kthread from ret_from_fork+0x14/0x20 [ 58.942077] Exception stack(0xf2333fb0 to 0xf2333ff8) [ 58.942077] 3fa0: 00000000 00000000 00000000 00000000 [ 58.942108] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 58.942108] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 [ 58.942138] [ 59.046478] Allocated by task 248: [ 59.049896] kasan_save_track+0x30/0x5c [ 59.053771] __kasan_kmalloc+0x8c/0x94 [ 59.057556] ksize_uaf+0xd0/0x740 [ 59.060882] kunit_try_run_case+0x22c/0x5a8 [ 59.065093] kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 59.070648] kthread+0x464/0x810 [ 59.073883] ret_from_fork+0x14/0x20 [ 59.077484] [ 59.079010] Freed by task 248: [ 59.082061] kasan_save_track+0x30/0x5c [ 59.085937] kasan_save_free_info+0x3c/0x48 [ 59.090148] __kasan_slab_free+0x40/0x50 [ 59.094116] kfree+0xe8/0x384 [ 59.097106] ksize_uaf+0x174/0x740 [ 59.100524] kunit_try_run_case+0x22c/0x5a8 [ 59.104736] kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 59.110290] kthread+0x464/0x810 [ 59.113525] ret_from_fork+0x14/0x20 [ 59.117126] [ 59.118621] The buggy address belongs to the object at cc78ef00 [ 59.118621] which belongs to the cache kmalloc-128 of size 128 [ 59.130523] The buggy address is located 120 bytes inside of [ 59.130523] freed 128-byte region [cc78ef00, cc78ef80) [ 59.141479] [ 59.142974] The buggy address belongs to the physical page: [ 59.148590] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c78e [ 59.155853] flags: 0x0(zone=0) [ 59.158935] page_type: f5(slab) [ 59.162109] raw: 00000000 c7001400 00000122 00000000 00000000 80100010 f5000000 00000000 [ 59.170227] raw: 00000000 [ 59.172882] page dumped because: kasan: bad access detected [ 59.178497] [ 59.179992] Memory state around the buggy address: [ 59.184814] cc78ee00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.191375] cc78ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 59.197967] >cc78ef00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.204528] ^ [ 59.210998] cc78ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 59.217559] cc78f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.224151] ================================================================== [ 58.612335] ================================================================== [ 58.619598] BUG: KASAN: slab-use-after-free in ksize_uaf+0x6c8/0x740 [ 58.626007] Read of size 1 at addr cc78ef00 by task kunit_try_catch/248 [ 58.632659] [ 58.634155] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE [ 58.634185] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 58.634216] Hardware name: Generic DRA74X (Flattened Device Tree) [ 58.634216] Call trace: [ 58.634216] unwind_backtrace from show_stack+0x18/0x1c [ 58.634246] show_stack from dump_stack_lvl+0x70/0x90 [ 58.634277] dump_stack_lvl from print_report+0x158/0x528 [ 58.634307] print_report from kasan_report+0xdc/0x118 [ 58.634307] kasan_report from ksize_uaf+0x6c8/0x740 [ 58.634338] ksize_uaf from kunit_try_run_case+0x22c/0x5a8 [ 58.634368] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 58.634399] kunit_generic_run_threadfn_adapter from kthread+0x464/0x810 [ 58.634429] kthread from ret_from_fork+0x14/0x20 [ 58.634429] Exception stack(0xf2333fb0 to 0xf2333ff8) [ 58.634460] 3fa0: 00000000 00000000 00000000 00000000 [ 58.634460] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 58.634490] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 [ 58.634490] [ 58.738830] Allocated by task 248: [ 58.742279] kasan_save_track+0x30/0x5c [ 58.746124] __kasan_kmalloc+0x8c/0x94 [ 58.749908] ksize_uaf+0xd0/0x740 [ 58.753265] kunit_try_run_case+0x22c/0x5a8 [ 58.757476] kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 58.763000] kthread+0x464/0x810 [ 58.766265] ret_from_fork+0x14/0x20 [ 58.769866] [ 58.771362] Freed by task 248: [ 58.774444] kasan_save_track+0x30/0x5c [ 58.778320] kasan_save_free_info+0x3c/0x48 [ 58.782531] __kasan_slab_free+0x40/0x50 [ 58.786468] kfree+0xe8/0x384 [ 58.789459] ksize_uaf+0x174/0x740 [ 58.792907] kunit_try_run_case+0x22c/0x5a8 [ 58.797119] kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 58.802642] kthread+0x464/0x810 [ 58.805908] ret_from_fork+0x14/0x20 [ 58.809509] [ 58.811004] The buggy address belongs to the object at cc78ef00 [ 58.811004] which belongs to the cache kmalloc-128 of size 128 [ 58.822906] The buggy address is located 0 bytes inside of [ 58.822906] freed 128-byte region [cc78ef00, cc78ef80) [ 58.833679] [ 58.835174] The buggy address belongs to the physical page: [ 58.840789] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c78e [ 58.848052] flags: 0x0(zone=0) [ 58.851135] page_type: f5(slab) [ 58.854309] raw: 00000000 c7001400 00000122 00000000 00000000 80100010 f5000000 00000000 [ 58.862426] raw: 00000000 [ 58.865081] page dumped because: kasan: bad access detected [ 58.870697] [ 58.872192] Memory state around the buggy address: [ 58.877014] cc78ee00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 58.883575] cc78ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 58.890167] >cc78ef00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 58.896728] ^ [ 58.899261] cc78ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 58.905853] cc78f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 58.912414] ================================================================== [ 58.290374] ================================================================== [ 58.301940] BUG: KASAN: slab-use-after-free in ksize_uaf+0x1f0/0x740 [ 58.308349] Read of size 1 at addr cc78ef00 by task kunit_try_catch/248 [ 58.315002] [ 58.316497] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE [ 58.316528] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 58.316558] Hardware name: Generic DRA74X (Flattened Device Tree) [ 58.316558] Call trace: [ 58.316558] unwind_backtrace from show_stack+0x18/0x1c [ 58.316589] show_stack from dump_stack_lvl+0x70/0x90 [ 58.316619] dump_stack_lvl from print_report+0x158/0x528 [ 58.316650] print_report from kasan_report+0xdc/0x118 [ 58.316650] kasan_report from __kasan_check_byte+0x34/0x3c [ 58.316680] __kasan_check_byte from ksize+0x20/0x3c [ 58.316711] ksize from ksize_uaf+0x1f0/0x740 [ 58.316711] ksize_uaf from kunit_try_run_case+0x22c/0x5a8 [ 58.316741] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 58.316772] kunit_generic_run_threadfn_adapter from kthread+0x464/0x810 [ 58.316802] kthread from ret_from_fork+0x14/0x20 [ 58.316833] Exception stack(0xf2333fb0 to 0xf2333ff8) [ 58.316833] 3fa0: 00000000 00000000 00000000 00000000 [ 58.316864] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 58.316864] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 [ 58.316894] [ 58.431213] Allocated by task 248: [ 58.434631] kasan_save_track+0x30/0x5c [ 58.438507] __kasan_kmalloc+0x8c/0x94 [ 58.442260] ksize_uaf+0xd0/0x740 [ 58.445617] kunit_try_run_case+0x22c/0x5a8 [ 58.449829] kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 58.455352] kthread+0x464/0x810 [ 58.458618] ret_from_fork+0x14/0x20 [ 58.462219] [ 58.463714] Freed by task 248: [ 58.466796] kasan_save_track+0x30/0x5c [ 58.470672] kasan_save_free_info+0x3c/0x48 [ 58.474884] __kasan_slab_free+0x40/0x50 [ 58.478820] kfree+0xe8/0x384 [ 58.481842] ksize_uaf+0x174/0x740 [ 58.485260] kunit_try_run_case+0x22c/0x5a8 [ 58.489471] kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 58.495025] kthread+0x464/0x810 [ 58.498260] ret_from_fork+0x14/0x20 [ 58.501861] [ 58.503387] The buggy address belongs to the object at cc78ef00 [ 58.503387] which belongs to the cache kmalloc-128 of size 128 [ 58.515258] The buggy address is located 0 bytes inside of [ 58.515258] freed 128-byte region [cc78ef00, cc78ef80) [ 58.526031] [ 58.527526] The buggy address belongs to the physical page: [ 58.533142] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c78e [ 58.540405] flags: 0x0(zone=0) [ 58.543487] page_type: f5(slab) [ 58.546661] raw: 00000000 c7001400 00000122 00000000 00000000 80100010 f5000000 00000000 [ 58.554809] raw: 00000000 [ 58.557434] page dumped because: kasan: bad access detected [ 58.563049] [ 58.564544] Memory state around the buggy address: [ 58.569366] cc78ee00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 58.575958] cc78ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 58.582519] >cc78ef00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 58.589080] ^ [ 58.591644] cc78ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 58.598205] cc78f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 58.604766] ==================================================================