Date
June 3, 2025, 7:38 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 18.492928] ================================================================== [ 18.492986] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 18.493036] Read of size 1 at addr fff00000c65b1600 by task kunit_try_catch/196 [ 18.493110] [ 18.493140] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250603 #1 PREEMPT [ 18.493252] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.493305] Hardware name: linux,dummy-virt (DT) [ 18.493334] Call trace: [ 18.493357] show_stack+0x20/0x38 (C) [ 18.493418] dump_stack_lvl+0x8c/0xd0 [ 18.493477] print_report+0x118/0x608 [ 18.493539] kasan_report+0xdc/0x128 [ 18.493594] __asan_report_load1_noabort+0x20/0x30 [ 18.493704] ksize_uaf+0x598/0x5f8 [ 18.493748] kunit_try_run_case+0x170/0x3f0 [ 18.493814] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.493890] kthread+0x328/0x630 [ 18.493957] ret_from_fork+0x10/0x20 [ 18.494012] [ 18.494079] Allocated by task 196: [ 18.494147] kasan_save_stack+0x3c/0x68 [ 18.494189] kasan_save_track+0x20/0x40 [ 18.494227] kasan_save_alloc_info+0x40/0x58 [ 18.494263] __kasan_kmalloc+0xd4/0xd8 [ 18.494298] __kmalloc_cache_noprof+0x16c/0x3c0 [ 18.494369] ksize_uaf+0xb8/0x5f8 [ 18.494404] kunit_try_run_case+0x170/0x3f0 [ 18.494461] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.494505] kthread+0x328/0x630 [ 18.494571] ret_from_fork+0x10/0x20 [ 18.494607] [ 18.494626] Freed by task 196: [ 18.494652] kasan_save_stack+0x3c/0x68 [ 18.494689] kasan_save_track+0x20/0x40 [ 18.494726] kasan_save_free_info+0x4c/0x78 [ 18.494770] __kasan_slab_free+0x6c/0x98 [ 18.494827] kfree+0x214/0x3c8 [ 18.494865] ksize_uaf+0x11c/0x5f8 [ 18.494900] kunit_try_run_case+0x170/0x3f0 [ 18.494955] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.495006] kthread+0x328/0x630 [ 18.495065] ret_from_fork+0x10/0x20 [ 18.495133] [ 18.495158] The buggy address belongs to the object at fff00000c65b1600 [ 18.495158] which belongs to the cache kmalloc-128 of size 128 [ 18.495227] The buggy address is located 0 bytes inside of [ 18.495227] freed 128-byte region [fff00000c65b1600, fff00000c65b1680) [ 18.495289] [ 18.495308] The buggy address belongs to the physical page: [ 18.495369] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065b1 [ 18.495476] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.495539] page_type: f5(slab) [ 18.495846] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 18.495938] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.496042] page dumped because: kasan: bad access detected [ 18.496074] [ 18.496092] Memory state around the buggy address: [ 18.496187] fff00000c65b1500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.496342] fff00000c65b1580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.496383] >fff00000c65b1600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.496420] ^ [ 18.496457] fff00000c65b1680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.496540] fff00000c65b1700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.496654] ================================================================== [ 18.497102] ================================================================== [ 18.497189] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 18.497236] Read of size 1 at addr fff00000c65b1678 by task kunit_try_catch/196 [ 18.497406] [ 18.497448] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250603 #1 PREEMPT [ 18.497545] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.497590] Hardware name: linux,dummy-virt (DT) [ 18.497637] Call trace: [ 18.497666] show_stack+0x20/0x38 (C) [ 18.497747] dump_stack_lvl+0x8c/0xd0 [ 18.497823] print_report+0x118/0x608 [ 18.497869] kasan_report+0xdc/0x128 [ 18.497932] __asan_report_load1_noabort+0x20/0x30 [ 18.497994] ksize_uaf+0x544/0x5f8 [ 18.498037] kunit_try_run_case+0x170/0x3f0 [ 18.498084] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.498136] kthread+0x328/0x630 [ 18.498181] ret_from_fork+0x10/0x20 [ 18.498229] [ 18.498247] Allocated by task 196: [ 18.498275] kasan_save_stack+0x3c/0x68 [ 18.498313] kasan_save_track+0x20/0x40 [ 18.498375] kasan_save_alloc_info+0x40/0x58 [ 18.498413] __kasan_kmalloc+0xd4/0xd8 [ 18.498469] __kmalloc_cache_noprof+0x16c/0x3c0 [ 18.498508] ksize_uaf+0xb8/0x5f8 [ 18.498552] kunit_try_run_case+0x170/0x3f0 [ 18.498589] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.498631] kthread+0x328/0x630 [ 18.498664] ret_from_fork+0x10/0x20 [ 18.498699] [ 18.498717] Freed by task 196: [ 18.498752] kasan_save_stack+0x3c/0x68 [ 18.498790] kasan_save_track+0x20/0x40 [ 18.498827] kasan_save_free_info+0x4c/0x78 [ 18.498864] __kasan_slab_free+0x6c/0x98 [ 18.498901] kfree+0x214/0x3c8 [ 18.498933] ksize_uaf+0x11c/0x5f8 [ 18.498967] kunit_try_run_case+0x170/0x3f0 [ 18.499005] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.499048] kthread+0x328/0x630 [ 18.499078] ret_from_fork+0x10/0x20 [ 18.499113] [ 18.499132] The buggy address belongs to the object at fff00000c65b1600 [ 18.499132] which belongs to the cache kmalloc-128 of size 128 [ 18.499190] The buggy address is located 120 bytes inside of [ 18.499190] freed 128-byte region [fff00000c65b1600, fff00000c65b1680) [ 18.499262] [ 18.499288] The buggy address belongs to the physical page: [ 18.499326] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065b1 [ 18.499435] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.499484] page_type: f5(slab) [ 18.499522] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 18.499783] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.499825] page dumped because: kasan: bad access detected [ 18.499854] [ 18.499872] Memory state around the buggy address: [ 18.499920] fff00000c65b1500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.499962] fff00000c65b1580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.500003] >fff00000c65b1600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.500058] ^ [ 18.500099] fff00000c65b1680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.500140] fff00000c65b1700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.500178] ================================================================== [ 18.485014] ================================================================== [ 18.485106] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 18.485158] Read of size 1 at addr fff00000c65b1600 by task kunit_try_catch/196 [ 18.485235] [ 18.485267] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250603 #1 PREEMPT [ 18.485446] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.485487] Hardware name: linux,dummy-virt (DT) [ 18.485583] Call trace: [ 18.485624] show_stack+0x20/0x38 (C) [ 18.485729] dump_stack_lvl+0x8c/0xd0 [ 18.485815] print_report+0x118/0x608 [ 18.485861] kasan_report+0xdc/0x128 [ 18.485905] __kasan_check_byte+0x54/0x70 [ 18.485951] ksize+0x30/0x88 [ 18.485994] ksize_uaf+0x168/0x5f8 [ 18.486051] kunit_try_run_case+0x170/0x3f0 [ 18.486117] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.486170] kthread+0x328/0x630 [ 18.486212] ret_from_fork+0x10/0x20 [ 18.486349] [ 18.486376] Allocated by task 196: [ 18.486403] kasan_save_stack+0x3c/0x68 [ 18.486462] kasan_save_track+0x20/0x40 [ 18.486498] kasan_save_alloc_info+0x40/0x58 [ 18.486551] __kasan_kmalloc+0xd4/0xd8 [ 18.486655] __kmalloc_cache_noprof+0x16c/0x3c0 [ 18.486712] ksize_uaf+0xb8/0x5f8 [ 18.486747] kunit_try_run_case+0x170/0x3f0 [ 18.486785] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.486828] kthread+0x328/0x630 [ 18.486893] ret_from_fork+0x10/0x20 [ 18.486929] [ 18.486947] Freed by task 196: [ 18.486988] kasan_save_stack+0x3c/0x68 [ 18.487026] kasan_save_track+0x20/0x40 [ 18.487062] kasan_save_free_info+0x4c/0x78 [ 18.487204] __kasan_slab_free+0x6c/0x98 [ 18.487259] kfree+0x214/0x3c8 [ 18.487387] ksize_uaf+0x11c/0x5f8 [ 18.487451] kunit_try_run_case+0x170/0x3f0 [ 18.487587] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.487678] kthread+0x328/0x630 [ 18.487822] ret_from_fork+0x10/0x20 [ 18.487890] [ 18.487912] The buggy address belongs to the object at fff00000c65b1600 [ 18.487912] which belongs to the cache kmalloc-128 of size 128 [ 18.487970] The buggy address is located 0 bytes inside of [ 18.487970] freed 128-byte region [fff00000c65b1600, fff00000c65b1680) [ 18.488049] [ 18.488071] The buggy address belongs to the physical page: [ 18.488102] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065b1 [ 18.488156] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.488390] page_type: f5(slab) [ 18.488503] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 18.488582] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.488709] page dumped because: kasan: bad access detected [ 18.488829] [ 18.488933] Memory state around the buggy address: [ 18.489072] fff00000c65b1500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.489134] fff00000c65b1580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.489288] >fff00000c65b1600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.489541] ^ [ 18.489634] fff00000c65b1680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.489789] fff00000c65b1700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.489891] ==================================================================
[ 15.218315] ================================================================== [ 15.219010] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 15.219597] Read of size 1 at addr ffff8881033dc200 by task kunit_try_catch/213 [ 15.219932] [ 15.220228] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250603 #1 PREEMPT(voluntary) [ 15.220334] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.220362] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.220408] Call Trace: [ 15.220445] <TASK> [ 15.220505] dump_stack_lvl+0x73/0xb0 [ 15.220592] print_report+0xd1/0x650 [ 15.220641] ? __virt_addr_valid+0x1db/0x2d0 [ 15.220693] ? ksize_uaf+0x5fe/0x6c0 [ 15.220749] ? kasan_complete_mode_report_info+0x64/0x200 [ 15.220816] ? ksize_uaf+0x5fe/0x6c0 [ 15.220863] kasan_report+0x141/0x180 [ 15.220914] ? ksize_uaf+0x5fe/0x6c0 [ 15.220978] __asan_report_load1_noabort+0x18/0x20 [ 15.221041] ksize_uaf+0x5fe/0x6c0 [ 15.221092] ? __pfx_ksize_uaf+0x10/0x10 [ 15.221132] ? __schedule+0x10cc/0x2b60 [ 15.221175] ? __pfx_read_tsc+0x10/0x10 [ 15.221255] ? ktime_get_ts64+0x86/0x230 [ 15.221309] kunit_try_run_case+0x1a5/0x480 [ 15.221360] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.221403] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 15.221451] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 15.221520] ? __kthread_parkme+0x82/0x180 [ 15.221581] ? preempt_count_sub+0x50/0x80 [ 15.221638] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.221687] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.221742] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 15.221779] kthread+0x337/0x6f0 [ 15.221802] ? trace_preempt_on+0x20/0xc0 [ 15.221828] ? __pfx_kthread+0x10/0x10 [ 15.221851] ? _raw_spin_unlock_irq+0x47/0x80 [ 15.221875] ? calculate_sigpending+0x7b/0xa0 [ 15.221903] ? __pfx_kthread+0x10/0x10 [ 15.221927] ret_from_fork+0x116/0x1d0 [ 15.221947] ? __pfx_kthread+0x10/0x10 [ 15.221969] ret_from_fork_asm+0x1a/0x30 [ 15.222003] </TASK> [ 15.222017] [ 15.232708] Allocated by task 213: [ 15.233049] kasan_save_stack+0x45/0x70 [ 15.233397] kasan_save_track+0x18/0x40 [ 15.233597] kasan_save_alloc_info+0x3b/0x50 [ 15.233978] __kasan_kmalloc+0xb7/0xc0 [ 15.234285] __kmalloc_cache_noprof+0x189/0x420 [ 15.234531] ksize_uaf+0xaa/0x6c0 [ 15.234805] kunit_try_run_case+0x1a5/0x480 [ 15.235056] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.235520] kthread+0x337/0x6f0 [ 15.235722] ret_from_fork+0x116/0x1d0 [ 15.235915] ret_from_fork_asm+0x1a/0x30 [ 15.236213] [ 15.236417] Freed by task 213: [ 15.236693] kasan_save_stack+0x45/0x70 [ 15.236951] kasan_save_track+0x18/0x40 [ 15.237233] kasan_save_free_info+0x3f/0x60 [ 15.237626] __kasan_slab_free+0x56/0x70 [ 15.237841] kfree+0x222/0x3f0 [ 15.238085] ksize_uaf+0x12c/0x6c0 [ 15.238448] kunit_try_run_case+0x1a5/0x480 [ 15.238755] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.239030] kthread+0x337/0x6f0 [ 15.239204] ret_from_fork+0x116/0x1d0 [ 15.239406] ret_from_fork_asm+0x1a/0x30 [ 15.239771] [ 15.239940] The buggy address belongs to the object at ffff8881033dc200 [ 15.239940] which belongs to the cache kmalloc-128 of size 128 [ 15.241087] The buggy address is located 0 bytes inside of [ 15.241087] freed 128-byte region [ffff8881033dc200, ffff8881033dc280) [ 15.241701] [ 15.241877] The buggy address belongs to the physical page: [ 15.242202] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1033dc [ 15.242603] flags: 0x200000000000000(node=0|zone=2) [ 15.242841] page_type: f5(slab) [ 15.243032] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 15.243578] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 15.244098] page dumped because: kasan: bad access detected [ 15.244433] [ 15.244580] Memory state around the buggy address: [ 15.244788] ffff8881033dc100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.245061] ffff8881033dc180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.245577] >ffff8881033dc200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.246074] ^ [ 15.246423] ffff8881033dc280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.246781] ffff8881033dc300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.247154] ================================================================== [ 15.248769] ================================================================== [ 15.249182] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 15.251163] Read of size 1 at addr ffff8881033dc278 by task kunit_try_catch/213 [ 15.251622] [ 15.251855] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250603 #1 PREEMPT(voluntary) [ 15.251958] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.251986] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.252028] Call Trace: [ 15.252069] <TASK> [ 15.252110] dump_stack_lvl+0x73/0xb0 [ 15.252192] print_report+0xd1/0x650 [ 15.252245] ? __virt_addr_valid+0x1db/0x2d0 [ 15.252313] ? ksize_uaf+0x5e4/0x6c0 [ 15.252357] ? kasan_complete_mode_report_info+0x64/0x200 [ 15.252404] ? ksize_uaf+0x5e4/0x6c0 [ 15.252444] kasan_report+0x141/0x180 [ 15.252505] ? ksize_uaf+0x5e4/0x6c0 [ 15.252558] __asan_report_load1_noabort+0x18/0x20 [ 15.252601] ksize_uaf+0x5e4/0x6c0 [ 15.252641] ? __pfx_ksize_uaf+0x10/0x10 [ 15.252684] ? __schedule+0x10cc/0x2b60 [ 15.252735] ? __pfx_read_tsc+0x10/0x10 [ 15.252780] ? ktime_get_ts64+0x86/0x230 [ 15.252830] kunit_try_run_case+0x1a5/0x480 [ 15.252879] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.252922] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 15.252971] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 15.253017] ? __kthread_parkme+0x82/0x180 [ 15.253058] ? preempt_count_sub+0x50/0x80 [ 15.253111] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.253150] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.253194] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 15.253276] kthread+0x337/0x6f0 [ 15.253311] ? trace_preempt_on+0x20/0xc0 [ 15.253351] ? __pfx_kthread+0x10/0x10 [ 15.253392] ? _raw_spin_unlock_irq+0x47/0x80 [ 15.253437] ? calculate_sigpending+0x7b/0xa0 [ 15.253495] ? __pfx_kthread+0x10/0x10 [ 15.253533] ret_from_fork+0x116/0x1d0 [ 15.253570] ? __pfx_kthread+0x10/0x10 [ 15.253612] ret_from_fork_asm+0x1a/0x30 [ 15.253678] </TASK> [ 15.253701] [ 15.266605] Allocated by task 213: [ 15.266852] kasan_save_stack+0x45/0x70 [ 15.267125] kasan_save_track+0x18/0x40 [ 15.267959] kasan_save_alloc_info+0x3b/0x50 [ 15.268282] __kasan_kmalloc+0xb7/0xc0 [ 15.268886] __kmalloc_cache_noprof+0x189/0x420 [ 15.269150] ksize_uaf+0xaa/0x6c0 [ 15.269328] kunit_try_run_case+0x1a5/0x480 [ 15.269995] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.270240] kthread+0x337/0x6f0 [ 15.270518] ret_from_fork+0x116/0x1d0 [ 15.270711] ret_from_fork_asm+0x1a/0x30 [ 15.271765] [ 15.271926] Freed by task 213: [ 15.272196] kasan_save_stack+0x45/0x70 [ 15.272382] kasan_save_track+0x18/0x40 [ 15.272990] kasan_save_free_info+0x3f/0x60 [ 15.273175] __kasan_slab_free+0x56/0x70 [ 15.273344] kfree+0x222/0x3f0 [ 15.273703] ksize_uaf+0x12c/0x6c0 [ 15.274017] kunit_try_run_case+0x1a5/0x480 [ 15.274282] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.274927] kthread+0x337/0x6f0 [ 15.275183] ret_from_fork+0x116/0x1d0 [ 15.277079] ret_from_fork_asm+0x1a/0x30 [ 15.277289] [ 15.277397] The buggy address belongs to the object at ffff8881033dc200 [ 15.277397] which belongs to the cache kmalloc-128 of size 128 [ 15.278970] The buggy address is located 120 bytes inside of [ 15.278970] freed 128-byte region [ffff8881033dc200, ffff8881033dc280) [ 15.279790] [ 15.279921] The buggy address belongs to the physical page: [ 15.280129] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1033dc [ 15.280405] flags: 0x200000000000000(node=0|zone=2) [ 15.280608] page_type: f5(slab) [ 15.280776] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 15.282620] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 15.283121] page dumped because: kasan: bad access detected [ 15.284155] [ 15.284329] Memory state around the buggy address: [ 15.284614] ffff8881033dc100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.284878] ffff8881033dc180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.285169] >ffff8881033dc200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.285525] ^ [ 15.286693] ffff8881033dc280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.287157] ffff8881033dc300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.288002] ================================================================== [ 15.183372] ================================================================== [ 15.184673] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 15.185361] Read of size 1 at addr ffff8881033dc200 by task kunit_try_catch/213 [ 15.185653] [ 15.185815] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250603 #1 PREEMPT(voluntary) [ 15.185920] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.185944] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.185970] Call Trace: [ 15.185986] <TASK> [ 15.186010] dump_stack_lvl+0x73/0xb0 [ 15.186049] print_report+0xd1/0x650 [ 15.186081] ? __virt_addr_valid+0x1db/0x2d0 [ 15.186122] ? ksize_uaf+0x19d/0x6c0 [ 15.186146] ? kasan_complete_mode_report_info+0x64/0x200 [ 15.186170] ? ksize_uaf+0x19d/0x6c0 [ 15.186196] kasan_report+0x141/0x180 [ 15.186282] ? ksize_uaf+0x19d/0x6c0 [ 15.186325] ? ksize_uaf+0x19d/0x6c0 [ 15.186385] __kasan_check_byte+0x3d/0x50 [ 15.186449] ksize+0x20/0x60 [ 15.186518] ksize_uaf+0x19d/0x6c0 [ 15.186584] ? __pfx_ksize_uaf+0x10/0x10 [ 15.186655] ? __schedule+0x10cc/0x2b60 [ 15.186728] ? __pfx_read_tsc+0x10/0x10 [ 15.186796] ? ktime_get_ts64+0x86/0x230 [ 15.186866] kunit_try_run_case+0x1a5/0x480 [ 15.186897] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.186919] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 15.186947] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 15.186974] ? __kthread_parkme+0x82/0x180 [ 15.186998] ? preempt_count_sub+0x50/0x80 [ 15.187024] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.187047] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.187074] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 15.187101] kthread+0x337/0x6f0 [ 15.187122] ? trace_preempt_on+0x20/0xc0 [ 15.187149] ? __pfx_kthread+0x10/0x10 [ 15.187172] ? _raw_spin_unlock_irq+0x47/0x80 [ 15.187200] ? calculate_sigpending+0x7b/0xa0 [ 15.187264] ? __pfx_kthread+0x10/0x10 [ 15.187288] ret_from_fork+0x116/0x1d0 [ 15.187310] ? __pfx_kthread+0x10/0x10 [ 15.187333] ret_from_fork_asm+0x1a/0x30 [ 15.187380] </TASK> [ 15.187393] [ 15.199404] Allocated by task 213: [ 15.199773] kasan_save_stack+0x45/0x70 [ 15.200177] kasan_save_track+0x18/0x40 [ 15.200660] kasan_save_alloc_info+0x3b/0x50 [ 15.201126] __kasan_kmalloc+0xb7/0xc0 [ 15.201577] __kmalloc_cache_noprof+0x189/0x420 [ 15.201920] ksize_uaf+0xaa/0x6c0 [ 15.202282] kunit_try_run_case+0x1a5/0x480 [ 15.202655] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.202976] kthread+0x337/0x6f0 [ 15.203308] ret_from_fork+0x116/0x1d0 [ 15.203693] ret_from_fork_asm+0x1a/0x30 [ 15.204045] [ 15.204286] Freed by task 213: [ 15.204489] kasan_save_stack+0x45/0x70 [ 15.204867] kasan_save_track+0x18/0x40 [ 15.205184] kasan_save_free_info+0x3f/0x60 [ 15.205592] __kasan_slab_free+0x56/0x70 [ 15.205848] kfree+0x222/0x3f0 [ 15.206151] ksize_uaf+0x12c/0x6c0 [ 15.206428] kunit_try_run_case+0x1a5/0x480 [ 15.206682] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.207133] kthread+0x337/0x6f0 [ 15.207434] ret_from_fork+0x116/0x1d0 [ 15.207763] ret_from_fork_asm+0x1a/0x30 [ 15.208120] [ 15.208301] The buggy address belongs to the object at ffff8881033dc200 [ 15.208301] which belongs to the cache kmalloc-128 of size 128 [ 15.208937] The buggy address is located 0 bytes inside of [ 15.208937] freed 128-byte region [ffff8881033dc200, ffff8881033dc280) [ 15.209865] [ 15.210057] The buggy address belongs to the physical page: [ 15.210504] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1033dc [ 15.211056] flags: 0x200000000000000(node=0|zone=2) [ 15.211410] page_type: f5(slab) [ 15.211610] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 15.212087] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 15.212725] page dumped because: kasan: bad access detected [ 15.212963] [ 15.213177] Memory state around the buggy address: [ 15.213598] ffff8881033dc100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.214092] ffff8881033dc180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.214614] >ffff8881033dc200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 15.215059] ^ [ 15.215292] ffff8881033dc280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.215882] ffff8881033dc300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.216285] ==================================================================