Hay
Sign in
Date
June 5, 2025, 7:08 a.m.

Environment
qemu-arm64
qemu-x86_64 

[   25.585970] ==================================================================
[   25.586091] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   25.586199] Read of size 1 at addr fff00000c6419800 by task kunit_try_catch/196
[   25.586315] 
[   25.586403] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250605 #1 PREEMPT 
[   25.588031] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.588115] Hardware name: linux,dummy-virt (DT)
[   25.588201] Call trace:
[   25.588258]  show_stack+0x20/0x38 (C)
[   25.588419]  dump_stack_lvl+0x8c/0xd0
[   25.588550]  print_report+0x118/0x608
[   25.588672]  kasan_report+0xdc/0x128
[   25.588796]  __kasan_check_byte+0x54/0x70
[   25.588917]  ksize+0x30/0x88
[   25.589021]  ksize_uaf+0x168/0x5f8
[   25.589124]  kunit_try_run_case+0x170/0x3f0
[   25.589238]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.589405]  kthread+0x328/0x630
[   25.589697]  ret_from_fork+0x10/0x20
[   25.590018] 
[   25.591202] Allocated by task 196:
[   25.591283]  kasan_save_stack+0x3c/0x68
[   25.595237]  kasan_save_track+0x20/0x40
[   25.595384]  kasan_save_alloc_info+0x40/0x58
[   25.595603]  __kasan_kmalloc+0xd4/0xd8
[   25.595733]  __kmalloc_cache_noprof+0x16c/0x3c0
[   25.597372]  ksize_uaf+0xb8/0x5f8
[   25.597524]  kunit_try_run_case+0x170/0x3f0
[   25.597638]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.597760]  kthread+0x328/0x630
[   25.597889]  ret_from_fork+0x10/0x20
[   25.598478] 
[   25.598534] Freed by task 196:
[   25.598630]  kasan_save_stack+0x3c/0x68
[   25.598738]  kasan_save_track+0x20/0x40
[   25.598846]  kasan_save_free_info+0x4c/0x78
[   25.598953]  __kasan_slab_free+0x6c/0x98
[   25.599060]  kfree+0x214/0x3c8
[   25.599144]  ksize_uaf+0x11c/0x5f8
[   25.599240]  kunit_try_run_case+0x170/0x3f0
[   25.599367]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.599480]  kthread+0x328/0x630
[   25.599567]  ret_from_fork+0x10/0x20
[   25.599668] 
[   25.599718] The buggy address belongs to the object at fff00000c6419800
[   25.599718]  which belongs to the cache kmalloc-128 of size 128
[   25.599883] The buggy address is located 0 bytes inside of
[   25.599883]  freed 128-byte region [fff00000c6419800, fff00000c6419880)
[   25.600042] 
[   25.600309] The buggy address belongs to the physical page:
[   25.600409] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106419
[   25.601731] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   25.601970] page_type: f5(slab)
[   25.602071] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   25.602212] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.602325] page dumped because: kasan: bad access detected
[   25.602428] 
[   25.602491] Memory state around the buggy address:
[   25.602573]  fff00000c6419700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.602679]  fff00000c6419780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.602789] >fff00000c6419800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.603758]                    ^
[   25.603988]  fff00000c6419880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.604117]  fff00000c6419900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.604228] ==================================================================
[   25.607539] ==================================================================
[   25.607651] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   25.607756] Read of size 1 at addr fff00000c6419800 by task kunit_try_catch/196
[   25.608014] 
[   25.608124] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250605 #1 PREEMPT 
[   25.608363] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.608563] Hardware name: linux,dummy-virt (DT)
[   25.608675] Call trace:
[   25.608822]  show_stack+0x20/0x38 (C)
[   25.609154]  dump_stack_lvl+0x8c/0xd0
[   25.609410]  print_report+0x118/0x608
[   25.609617]  kasan_report+0xdc/0x128
[   25.609765]  __asan_report_load1_noabort+0x20/0x30
[   25.610049]  ksize_uaf+0x598/0x5f8
[   25.610235]  kunit_try_run_case+0x170/0x3f0
[   25.610395]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.610553]  kthread+0x328/0x630
[   25.610774]  ret_from_fork+0x10/0x20
[   25.610967] 
[   25.611430] Allocated by task 196:
[   25.611765]  kasan_save_stack+0x3c/0x68
[   25.612350]  kasan_save_track+0x20/0x40
[   25.612723]  kasan_save_alloc_info+0x40/0x58
[   25.613237]  __kasan_kmalloc+0xd4/0xd8
[   25.613669]  __kmalloc_cache_noprof+0x16c/0x3c0
[   25.613844]  ksize_uaf+0xb8/0x5f8
[   25.613931]  kunit_try_run_case+0x170/0x3f0
[   25.614034]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.614142]  kthread+0x328/0x630
[   25.614220]  ret_from_fork+0x10/0x20
[   25.615879] 
[   25.616325] Freed by task 196:
[   25.616574]  kasan_save_stack+0x3c/0x68
[   25.616672]  kasan_save_track+0x20/0x40
[   25.616768]  kasan_save_free_info+0x4c/0x78
[   25.616879]  __kasan_slab_free+0x6c/0x98
[   25.616978]  kfree+0x214/0x3c8
[   25.618537]  ksize_uaf+0x11c/0x5f8
[   25.618638]  kunit_try_run_case+0x170/0x3f0
[   25.619290]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.619554]  kthread+0x328/0x630
[   25.619765]  ret_from_fork+0x10/0x20
[   25.620190] 
[   25.620403] The buggy address belongs to the object at fff00000c6419800
[   25.620403]  which belongs to the cache kmalloc-128 of size 128
[   25.620666] The buggy address is located 0 bytes inside of
[   25.620666]  freed 128-byte region [fff00000c6419800, fff00000c6419880)
[   25.620834] 
[   25.621466] The buggy address belongs to the physical page:
[   25.622167] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106419
[   25.622562] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   25.622821] page_type: f5(slab)
[   25.623635] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   25.623798] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.624666] page dumped because: kasan: bad access detected
[   25.624762] 
[   25.624832] Memory state around the buggy address:
[   25.624907]  fff00000c6419700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.625278]  fff00000c6419780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.625517] >fff00000c6419800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.625639]                    ^
[   25.626032]  fff00000c6419880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.626138]  fff00000c6419900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.626238] ==================================================================
[   25.631790] ==================================================================
[   25.632512] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   25.633629] Read of size 1 at addr fff00000c6419878 by task kunit_try_catch/196
[   25.633735] 
[   25.633803] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250605 #1 PREEMPT 
[   25.633912] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.633947] Hardware name: linux,dummy-virt (DT)
[   25.633987] Call trace:
[   25.634017]  show_stack+0x20/0x38 (C)
[   25.634080]  dump_stack_lvl+0x8c/0xd0
[   25.634138]  print_report+0x118/0x608
[   25.634197]  kasan_report+0xdc/0x128
[   25.634252]  __asan_report_load1_noabort+0x20/0x30
[   25.634311]  ksize_uaf+0x544/0x5f8
[   25.634621]  kunit_try_run_case+0x170/0x3f0
[   25.634766]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.634934]  kthread+0x328/0x630
[   25.635249]  ret_from_fork+0x10/0x20
[   25.635907] 
[   25.636010] Allocated by task 196:
[   25.636436]  kasan_save_stack+0x3c/0x68
[   25.636836]  kasan_save_track+0x20/0x40
[   25.636948]  kasan_save_alloc_info+0x40/0x58
[   25.637051]  __kasan_kmalloc+0xd4/0xd8
[   25.637179]  __kmalloc_cache_noprof+0x16c/0x3c0
[   25.637323]  ksize_uaf+0xb8/0x5f8
[   25.637577]  kunit_try_run_case+0x170/0x3f0
[   25.637681]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.637828]  kthread+0x328/0x630
[   25.637988]  ret_from_fork+0x10/0x20
[   25.638092] 
[   25.638253] Freed by task 196:
[   25.638323]  kasan_save_stack+0x3c/0x68
[   25.638440]  kasan_save_track+0x20/0x40
[   25.638537]  kasan_save_free_info+0x4c/0x78
[   25.638647]  __kasan_slab_free+0x6c/0x98
[   25.638886]  kfree+0x214/0x3c8
[   25.639033]  ksize_uaf+0x11c/0x5f8
[   25.639118]  kunit_try_run_case+0x170/0x3f0
[   25.639221]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   25.639585]  kthread+0x328/0x630
[   25.639695]  ret_from_fork+0x10/0x20
[   25.640123] 
[   25.640419] The buggy address belongs to the object at fff00000c6419800
[   25.640419]  which belongs to the cache kmalloc-128 of size 128
[   25.640726] The buggy address is located 120 bytes inside of
[   25.640726]  freed 128-byte region [fff00000c6419800, fff00000c6419880)
[   25.640898] 
[   25.640950] The buggy address belongs to the physical page:
[   25.641033] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106419
[   25.641161] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   25.641683] page_type: f5(slab)
[   25.641885] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   25.642107] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.642219] page dumped because: kasan: bad access detected
[   25.642467] 
[   25.642547] Memory state around the buggy address:
[   25.642866]  fff00000c6419700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.642984]  fff00000c6419780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.643264] >fff00000c6419800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.643425]                                                                 ^
[   25.643538]  fff00000c6419880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.643646]  fff00000c6419900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.643762] ==================================================================
Metadata Full log Test run details 

[   11.868331] ==================================================================
[   11.868746] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   11.869197] Read of size 1 at addr ffff888102b2d500 by task kunit_try_catch/213
[   11.870038] 
[   11.870287] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250605 #1 PREEMPT(voluntary) 
[   11.870333] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.870344] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.870364] Call Trace:
[   11.870375]  <TASK>
[   11.870390]  dump_stack_lvl+0x73/0xb0
[   11.870417]  print_report+0xd1/0x650
[   11.870438]  ? __virt_addr_valid+0x1db/0x2d0
[   11.870462]  ? ksize_uaf+0x19d/0x6c0
[   11.870481]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.870503]  ? ksize_uaf+0x19d/0x6c0
[   11.870524]  kasan_report+0x141/0x180
[   11.870545]  ? ksize_uaf+0x19d/0x6c0
[   11.870568]  ? ksize_uaf+0x19d/0x6c0
[   11.870588]  __kasan_check_byte+0x3d/0x50
[   11.870609]  ksize+0x20/0x60
[   11.870628]  ksize_uaf+0x19d/0x6c0
[   11.870647]  ? __pfx_ksize_uaf+0x10/0x10
[   11.870668]  ? __schedule+0x10cc/0x2b60
[   11.870691]  ? __pfx_read_tsc+0x10/0x10
[   11.870712]  ? ktime_get_ts64+0x86/0x230
[   11.870735]  kunit_try_run_case+0x1a5/0x480
[   11.870755]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.870774]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.870798]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.870821]  ? __kthread_parkme+0x82/0x180
[   11.870841]  ? preempt_count_sub+0x50/0x80
[   11.870864]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.870884]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.870919]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.870952]  kthread+0x337/0x6f0
[   11.870970]  ? trace_preempt_on+0x20/0xc0
[   11.870992]  ? __pfx_kthread+0x10/0x10
[   11.871013]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.871035]  ? calculate_sigpending+0x7b/0xa0
[   11.871058]  ? __pfx_kthread+0x10/0x10
[   11.871079]  ret_from_fork+0x116/0x1d0
[   11.871096]  ? __pfx_kthread+0x10/0x10
[   11.871116]  ret_from_fork_asm+0x1a/0x30
[   11.871145]  </TASK>
[   11.871155] 
[   11.885422] Allocated by task 213:
[   11.885621]  kasan_save_stack+0x45/0x70
[   11.885800]  kasan_save_track+0x18/0x40
[   11.886208]  kasan_save_alloc_info+0x3b/0x50
[   11.886756]  __kasan_kmalloc+0xb7/0xc0
[   11.887158]  __kmalloc_cache_noprof+0x189/0x420
[   11.887683]  ksize_uaf+0xaa/0x6c0
[   11.887811]  kunit_try_run_case+0x1a5/0x480
[   11.887981]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.888164]  kthread+0x337/0x6f0
[   11.888285]  ret_from_fork+0x116/0x1d0
[   11.888416]  ret_from_fork_asm+0x1a/0x30
[   11.888554] 
[   11.888670] Freed by task 213:
[   11.889062]  kasan_save_stack+0x45/0x70
[   11.889473]  kasan_save_track+0x18/0x40
[   11.889856]  kasan_save_free_info+0x3f/0x60
[   11.890328]  __kasan_slab_free+0x56/0x70
[   11.890725]  kfree+0x222/0x3f0
[   11.891284]  ksize_uaf+0x12c/0x6c0
[   11.891611]  kunit_try_run_case+0x1a5/0x480
[   11.892005]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.892545]  kthread+0x337/0x6f0
[   11.892909]  ret_from_fork+0x116/0x1d0
[   11.893311]  ret_from_fork_asm+0x1a/0x30
[   11.893661] 
[   11.893735] The buggy address belongs to the object at ffff888102b2d500
[   11.893735]  which belongs to the cache kmalloc-128 of size 128
[   11.894524] The buggy address is located 0 bytes inside of
[   11.894524]  freed 128-byte region [ffff888102b2d500, ffff888102b2d580)
[   11.895647] 
[   11.895836] The buggy address belongs to the physical page:
[   11.896295] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b2d
[   11.896788] flags: 0x200000000000000(node=0|zone=2)
[   11.897070] page_type: f5(slab)
[   11.897381] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.898194] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.898759] page dumped because: kasan: bad access detected
[   11.898954] 
[   11.899113] Memory state around the buggy address:
[   11.899573]  ffff888102b2d400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.900295]  ffff888102b2d480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.900753] >ffff888102b2d500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.901130]                    ^
[   11.901513]  ffff888102b2d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.902322]  ffff888102b2d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.902536] ==================================================================
[   11.930570] ==================================================================
[   11.930794] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   11.931420] Read of size 1 at addr ffff888102b2d578 by task kunit_try_catch/213
[   11.931920] 
[   11.932551] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250605 #1 PREEMPT(voluntary) 
[   11.932596] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.932607] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.932627] Call Trace:
[   11.932642]  <TASK>
[   11.932656]  dump_stack_lvl+0x73/0xb0
[   11.932683]  print_report+0xd1/0x650
[   11.932704]  ? __virt_addr_valid+0x1db/0x2d0
[   11.932726]  ? ksize_uaf+0x5e4/0x6c0
[   11.932746]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.932768]  ? ksize_uaf+0x5e4/0x6c0
[   11.932789]  kasan_report+0x141/0x180
[   11.932810]  ? ksize_uaf+0x5e4/0x6c0
[   11.932835]  __asan_report_load1_noabort+0x18/0x20
[   11.932858]  ksize_uaf+0x5e4/0x6c0
[   11.932878]  ? __pfx_ksize_uaf+0x10/0x10
[   11.932914]  ? __schedule+0x10cc/0x2b60
[   11.932937]  ? __pfx_read_tsc+0x10/0x10
[   11.932969]  ? ktime_get_ts64+0x86/0x230
[   11.932992]  kunit_try_run_case+0x1a5/0x480
[   11.933013]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.933032]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.933059]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.933083]  ? __kthread_parkme+0x82/0x180
[   11.933101]  ? preempt_count_sub+0x50/0x80
[   11.933125]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.933145]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.933168]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.933192]  kthread+0x337/0x6f0
[   11.933210]  ? trace_preempt_on+0x20/0xc0
[   11.933231]  ? __pfx_kthread+0x10/0x10
[   11.933251]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.933273]  ? calculate_sigpending+0x7b/0xa0
[   11.933295]  ? __pfx_kthread+0x10/0x10
[   11.933316]  ret_from_fork+0x116/0x1d0
[   11.933334]  ? __pfx_kthread+0x10/0x10
[   11.933354]  ret_from_fork_asm+0x1a/0x30
[   11.933384]  </TASK>
[   11.933393] 
[   11.942072] Allocated by task 213:
[   11.942399]  kasan_save_stack+0x45/0x70
[   11.942551]  kasan_save_track+0x18/0x40
[   11.942695]  kasan_save_alloc_info+0x3b/0x50
[   11.942846]  __kasan_kmalloc+0xb7/0xc0
[   11.942991]  __kmalloc_cache_noprof+0x189/0x420
[   11.943148]  ksize_uaf+0xaa/0x6c0
[   11.943271]  kunit_try_run_case+0x1a5/0x480
[   11.943412]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.943586]  kthread+0x337/0x6f0
[   11.943705]  ret_from_fork+0x116/0x1d0
[   11.943836]  ret_from_fork_asm+0x1a/0x30
[   11.944831] 
[   11.945160] Freed by task 213:
[   11.945676]  kasan_save_stack+0x45/0x70
[   11.946320]  kasan_save_track+0x18/0x40
[   11.946890]  kasan_save_free_info+0x3f/0x60
[   11.947516]  __kasan_slab_free+0x56/0x70
[   11.948270]  kfree+0x222/0x3f0
[   11.948763]  ksize_uaf+0x12c/0x6c0
[   11.949443]  kunit_try_run_case+0x1a5/0x480
[   11.950170]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.950884]  kthread+0x337/0x6f0
[   11.951384]  ret_from_fork+0x116/0x1d0
[   11.951916]  ret_from_fork_asm+0x1a/0x30
[   11.952574] 
[   11.952937] The buggy address belongs to the object at ffff888102b2d500
[   11.952937]  which belongs to the cache kmalloc-128 of size 128
[   11.954423] The buggy address is located 120 bytes inside of
[   11.954423]  freed 128-byte region [ffff888102b2d500, ffff888102b2d580)
[   11.954919] 
[   11.955007] The buggy address belongs to the physical page:
[   11.955255] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b2d
[   11.955563] flags: 0x200000000000000(node=0|zone=2)
[   11.955804] page_type: f5(slab)
[   11.956530] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.957056] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.957571] page dumped because: kasan: bad access detected
[   11.957985] 
[   11.958085] Memory state around the buggy address:
[   11.958462]  ffff888102b2d400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.958865]  ffff888102b2d480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.959305] >ffff888102b2d500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.959716]                                                                 ^
[   11.960134]  ffff888102b2d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.960457]  ffff888102b2d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.961066] ==================================================================
[   11.903334] ==================================================================
[   11.903974] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   11.904606] Read of size 1 at addr ffff888102b2d500 by task kunit_try_catch/213
[   11.905295] 
[   11.905526] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250605 #1 PREEMPT(voluntary) 
[   11.905572] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.905583] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.905602] Call Trace:
[   11.905614]  <TASK>
[   11.905627]  dump_stack_lvl+0x73/0xb0
[   11.905651]  print_report+0xd1/0x650
[   11.905672]  ? __virt_addr_valid+0x1db/0x2d0
[   11.905694]  ? ksize_uaf+0x5fe/0x6c0
[   11.905715]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.905737]  ? ksize_uaf+0x5fe/0x6c0
[   11.905758]  kasan_report+0x141/0x180
[   11.905779]  ? ksize_uaf+0x5fe/0x6c0
[   11.905804]  __asan_report_load1_noabort+0x18/0x20
[   11.905828]  ksize_uaf+0x5fe/0x6c0
[   11.905848]  ? __pfx_ksize_uaf+0x10/0x10
[   11.905869]  ? __schedule+0x10cc/0x2b60
[   11.905901]  ? __pfx_read_tsc+0x10/0x10
[   11.905922]  ? ktime_get_ts64+0x86/0x230
[   11.906093]  kunit_try_run_case+0x1a5/0x480
[   11.906123]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.906142]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.906167]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.906190]  ? __kthread_parkme+0x82/0x180
[   11.906210]  ? preempt_count_sub+0x50/0x80
[   11.906232]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.906253]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.906276]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.906299]  kthread+0x337/0x6f0
[   11.906318]  ? trace_preempt_on+0x20/0xc0
[   11.906340]  ? __pfx_kthread+0x10/0x10
[   11.906360]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.906382]  ? calculate_sigpending+0x7b/0xa0
[   11.906404]  ? __pfx_kthread+0x10/0x10
[   11.906425]  ret_from_fork+0x116/0x1d0
[   11.906442]  ? __pfx_kthread+0x10/0x10
[   11.906462]  ret_from_fork_asm+0x1a/0x30
[   11.906491]  </TASK>
[   11.906500] 
[   11.915633] Allocated by task 213:
[   11.915818]  kasan_save_stack+0x45/0x70
[   11.915980]  kasan_save_track+0x18/0x40
[   11.916116]  kasan_save_alloc_info+0x3b/0x50
[   11.916328]  __kasan_kmalloc+0xb7/0xc0
[   11.916517]  __kmalloc_cache_noprof+0x189/0x420
[   11.916806]  ksize_uaf+0xaa/0x6c0
[   11.916938]  kunit_try_run_case+0x1a5/0x480
[   11.917086]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.917277]  kthread+0x337/0x6f0
[   11.917452]  ret_from_fork+0x116/0x1d0
[   11.917642]  ret_from_fork_asm+0x1a/0x30
[   11.918150] 
[   11.918244] Freed by task 213:
[   11.918357]  kasan_save_stack+0x45/0x70
[   11.918501]  kasan_save_track+0x18/0x40
[   11.920473]  kasan_save_free_info+0x3f/0x60
[   11.920636]  __kasan_slab_free+0x56/0x70
[   11.920774]  kfree+0x222/0x3f0
[   11.920909]  ksize_uaf+0x12c/0x6c0
[   11.921036]  kunit_try_run_case+0x1a5/0x480
[   11.921182]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.921520]  kthread+0x337/0x6f0
[   11.921646]  ret_from_fork+0x116/0x1d0
[   11.921830]  ret_from_fork_asm+0x1a/0x30
[   11.922213] 
[   11.922291] The buggy address belongs to the object at ffff888102b2d500
[   11.922291]  which belongs to the cache kmalloc-128 of size 128
[   11.922976] The buggy address is located 0 bytes inside of
[   11.922976]  freed 128-byte region [ffff888102b2d500, ffff888102b2d580)
[   11.923321] 
[   11.923705] The buggy address belongs to the physical page:
[   11.924101] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b2d
[   11.924464] flags: 0x200000000000000(node=0|zone=2)
[   11.924698] page_type: f5(slab)
[   11.924853] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.925149] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.925378] page dumped because: kasan: bad access detected
[   11.925553] 
[   11.927924] Memory state around the buggy address:
[   11.928348]  ffff888102b2d400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.928815]  ffff888102b2d480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.929343] >ffff888102b2d500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.929558]                    ^
[   11.929675]  ffff888102b2d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.929885]  ffff888102b2d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.930119] ==================================================================
Metadata Full log Test run details