Date
June 16, 2025, 7:07 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 19.686003] ==================================================================
[ 19.686164] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 19.686285] Read of size 1 at addr fff00000c6408378 by task kunit_try_catch/205
[ 19.686403]
[ 19.686472] CPU: 0 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250616 #1 PREEMPT
[ 19.686661] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.686733] Hardware name: linux,dummy-virt (DT)
[ 19.686806] Call trace:
[ 19.686865]  show_stack+0x20/0x38 (C)
[ 19.686977]  dump_stack_lvl+0x8c/0xd0
[ 19.687088]  print_report+0x118/0x608
[ 19.687250]  kasan_report+0xdc/0x128
[ 19.687377]  __asan_report_load1_noabort+0x20/0x30
[ 19.687501]  ksize_uaf+0x544/0x5f8
[ 19.687635]  kunit_try_run_case+0x170/0x3f0
[ 19.687780]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.687920]  kthread+0x328/0x630
[ 19.688011]  ret_from_fork+0x10/0x20
[ 19.688107]
[ 19.688147] Allocated by task 205:
[ 19.688212]  kasan_save_stack+0x3c/0x68
[ 19.688326]  kasan_save_track+0x20/0x40
[ 19.688574]  kasan_save_alloc_info+0x40/0x58
[ 19.688695]  __kasan_kmalloc+0xd4/0xd8
[ 19.688931]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 19.689052]  ksize_uaf+0xb8/0x5f8
[ 19.689122]  kunit_try_run_case+0x170/0x3f0
[ 19.689198]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.689287]  kthread+0x328/0x630
[ 19.689359]  ret_from_fork+0x10/0x20
[ 19.689447]
[ 19.689525] Freed by task 205:
[ 19.689588]  kasan_save_stack+0x3c/0x68
[ 19.689675]  kasan_save_track+0x20/0x40
[ 19.689751]  kasan_save_free_info+0x4c/0x78
[ 19.689850]  __kasan_slab_free+0x6c/0x98
[ 19.689939]  kfree+0x214/0x3c8
[ 19.690037]  ksize_uaf+0x11c/0x5f8
[ 19.690169]  kunit_try_run_case+0x170/0x3f0
[ 19.690269]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.690445]  kthread+0x328/0x630
[ 19.690555]  ret_from_fork+0x10/0x20
[ 19.690665]
[ 19.690718] The buggy address belongs to the object at fff00000c6408300
[ 19.690718]  which belongs to the cache kmalloc-128 of size 128
[ 19.690876] The buggy address is located 120 bytes inside of
[ 19.690876]  freed 128-byte region [fff00000c6408300, fff00000c6408380)
[ 19.691037]
[ 19.691088] The buggy address belongs to the physical page:
[ 19.691157] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106408
[ 19.691308] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.691451] page_type: f5(slab)
[ 19.691567] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 19.691724] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.691825] page dumped because: kasan: bad access detected
[ 19.691914]
[ 19.691956] Memory state around the buggy address:
[ 19.692034]  fff00000c6408200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.692139]  fff00000c6408280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.692239] >fff00000c6408300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.692339]                                                                 ^
[ 19.692465]  fff00000c6408380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.692578]  fff00000c6408400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.692695] ==================================================================
[ 19.663212] ==================================================================
[ 19.663574] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 19.663913] Read of size 1 at addr fff00000c6408300 by task kunit_try_catch/205
[ 19.664063]
[ 19.664135] CPU: 0 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250616 #1 PREEMPT
[ 19.664328] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.664387] Hardware name: linux,dummy-virt (DT)
[ 19.664487] Call trace:
[ 19.664710]  show_stack+0x20/0x38 (C)
[ 19.664989]  dump_stack_lvl+0x8c/0xd0
[ 19.665109]  print_report+0x118/0x608
[ 19.665267]  kasan_report+0xdc/0x128
[ 19.665361]  __kasan_check_byte+0x54/0x70
[ 19.665466]  ksize+0x30/0x88
[ 19.665696]  ksize_uaf+0x168/0x5f8
[ 19.665798]  kunit_try_run_case+0x170/0x3f0
[ 19.665976]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.666187]  kthread+0x328/0x630
[ 19.666245]  ret_from_fork+0x10/0x20
[ 19.666314]
[ 19.666357] Allocated by task 205:
[ 19.666446]  kasan_save_stack+0x3c/0x68
[ 19.666592]  kasan_save_track+0x20/0x40
[ 19.666719]  kasan_save_alloc_info+0x40/0x58
[ 19.666862]  __kasan_kmalloc+0xd4/0xd8
[ 19.666957]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 19.667049]  ksize_uaf+0xb8/0x5f8
[ 19.667144]  kunit_try_run_case+0x170/0x3f0
[ 19.667265]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.667404]  kthread+0x328/0x630
[ 19.667481]  ret_from_fork+0x10/0x20
[ 19.667570]
[ 19.667620] Freed by task 205:
[ 19.667678]  kasan_save_stack+0x3c/0x68
[ 19.667790]  kasan_save_track+0x20/0x40
[ 19.667922]  kasan_save_free_info+0x4c/0x78
[ 19.668042]  __kasan_slab_free+0x6c/0x98
[ 19.668158]  kfree+0x214/0x3c8
[ 19.668253]  ksize_uaf+0x11c/0x5f8
[ 19.668355]  kunit_try_run_case+0x170/0x3f0
[ 19.668470]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.668595]  kthread+0x328/0x630
[ 19.668672]  ret_from_fork+0x10/0x20
[ 19.668801]
[ 19.668857] The buggy address belongs to the object at fff00000c6408300
[ 19.668857]  which belongs to the cache kmalloc-128 of size 128
[ 19.668992] The buggy address is located 0 bytes inside of
[ 19.668992]  freed 128-byte region [fff00000c6408300, fff00000c6408380)
[ 19.669128]
[ 19.669192] The buggy address belongs to the physical page:
[ 19.669599] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106408
[ 19.669732] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.669855] page_type: f5(slab)
[ 19.669942] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 19.670085] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.670200] page dumped because: kasan: bad access detected
[ 19.670278]
[ 19.670379] Memory state around the buggy address:
[ 19.670465]  fff00000c6408200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.670752]  fff00000c6408280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.670878] >fff00000c6408300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.671502]                    ^
[ 19.671671]  fff00000c6408380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.672032]  fff00000c6408400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.672151] ==================================================================
[ 19.674290] ==================================================================
[ 19.674406] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 19.674518] Read of size 1 at addr fff00000c6408300 by task kunit_try_catch/205
[ 19.674635]
[ 19.674706] CPU: 0 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250616 #1 PREEMPT
[ 19.674926] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.674999] Hardware name: linux,dummy-virt (DT)
[ 19.675072] Call trace:
[ 19.675127]  show_stack+0x20/0x38 (C)
[ 19.675234]  dump_stack_lvl+0x8c/0xd0
[ 19.675345]  print_report+0x118/0x608
[ 19.675454]  kasan_report+0xdc/0x128
[ 19.675564]  __asan_report_load1_noabort+0x20/0x30
[ 19.675677]  ksize_uaf+0x598/0x5f8
[ 19.675774]  kunit_try_run_case+0x170/0x3f0
[ 19.676788]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.677114]  kthread+0x328/0x630
[ 19.677214]  ret_from_fork+0x10/0x20
[ 19.677314]
[ 19.677517] Allocated by task 205:
[ 19.677797]  kasan_save_stack+0x3c/0x68
[ 19.677923]  kasan_save_track+0x20/0x40
[ 19.678110]  kasan_save_alloc_info+0x40/0x58
[ 19.678463]  __kasan_kmalloc+0xd4/0xd8
[ 19.678640]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 19.678867]  ksize_uaf+0xb8/0x5f8
[ 19.679020]  kunit_try_run_case+0x170/0x3f0
[ 19.679172]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.679571]  kthread+0x328/0x630
[ 19.679654]  ret_from_fork+0x10/0x20
[ 19.679891]
[ 19.679977] Freed by task 205:
[ 19.680050]  kasan_save_stack+0x3c/0x68
[ 19.680147]  kasan_save_track+0x20/0x40
[ 19.680589]  kasan_save_free_info+0x4c/0x78
[ 19.680736]  __kasan_slab_free+0x6c/0x98
[ 19.680826]  kfree+0x214/0x3c8
[ 19.680908]  ksize_uaf+0x11c/0x5f8
[ 19.680992]  kunit_try_run_case+0x170/0x3f0
[ 19.681548]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.681737]  kthread+0x328/0x630
[ 19.681826]  ret_from_fork+0x10/0x20
[ 19.682011]
[ 19.682115] The buggy address belongs to the object at fff00000c6408300
[ 19.682115]  which belongs to the cache kmalloc-128 of size 128
[ 19.682349] The buggy address is located 0 bytes inside of
[ 19.682349]  freed 128-byte region [fff00000c6408300, fff00000c6408380)
[ 19.682505]
[ 19.682601] The buggy address belongs to the physical page:
[ 19.682679] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106408
[ 19.682808] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.682940] page_type: f5(slab)
[ 19.683045] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 19.683177] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.683280] page dumped because: kasan: bad access detected
[ 19.683360]
[ 19.683403] Memory state around the buggy address:
[ 19.683475]  fff00000c6408200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.683590]  fff00000c6408280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.683700] >fff00000c6408300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.683798]                    ^
[ 19.684162]  fff00000c6408380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.684502]  fff00000c6408400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.684610] ==================================================================
```
qemu-x86_64:

```text
[ 12.003798] ==================================================================
[ 12.004093] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 12.004386] Read of size 1 at addr ffff8881028e2678 by task kunit_try_catch/221
[ 12.004860]
[ 12.005022] CPU: 1 UID: 0 PID: 221 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250616 #1 PREEMPT(voluntary)
[ 12.005081] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.005092] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.005110] Call Trace:
[ 12.005127]  <TASK>
[ 12.005152]  dump_stack_lvl+0x73/0xb0
[ 12.005180]  print_report+0xd1/0x650
[ 12.005201]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.005234]  ? ksize_uaf+0x5e4/0x6c0
[ 12.005254]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.005275]  ? ksize_uaf+0x5e4/0x6c0
[ 12.005294]  kasan_report+0x141/0x180
[ 12.005323]  ? ksize_uaf+0x5e4/0x6c0
[ 12.005348]  __asan_report_load1_noabort+0x18/0x20
[ 12.005370]  ksize_uaf+0x5e4/0x6c0
[ 12.005400]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.005420]  ? __schedule+0x10cc/0x2b60
[ 12.005441]  ? __pfx_read_tsc+0x10/0x10
[ 12.005462]  ? ktime_get_ts64+0x86/0x230
[ 12.005487]  kunit_try_run_case+0x1a5/0x480
[ 12.005509]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.005529]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.005550]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.005571]  ? __kthread_parkme+0x82/0x180
[ 12.005591]  ? preempt_count_sub+0x50/0x80
[ 12.005615]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.005679]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.005706]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.005795]  kthread+0x337/0x6f0
[ 12.005818]  ? trace_preempt_on+0x20/0xc0
[ 12.005842]  ? __pfx_kthread+0x10/0x10
[ 12.005861]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.005881]  ? calculate_sigpending+0x7b/0xa0
[ 12.005904]  ? __pfx_kthread+0x10/0x10
[ 12.005924]  ret_from_fork+0x116/0x1d0
[ 12.005953]  ? __pfx_kthread+0x10/0x10
[ 12.005973]  ret_from_fork_asm+0x1a/0x30
[ 12.006013]  </TASK>
[ 12.006024]
[ 12.014398] Allocated by task 221:
[ 12.014564]  kasan_save_stack+0x45/0x70
[ 12.014738]  kasan_save_track+0x18/0x40
[ 12.014908]  kasan_save_alloc_info+0x3b/0x50
[ 12.015101]  __kasan_kmalloc+0xb7/0xc0
[ 12.015260]  __kmalloc_cache_noprof+0x189/0x420
[ 12.016012]  ksize_uaf+0xaa/0x6c0
[ 12.016369]  kunit_try_run_case+0x1a5/0x480
[ 12.017078]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.017538]  kthread+0x337/0x6f0
[ 12.017875]  ret_from_fork+0x116/0x1d0
[ 12.018293]  ret_from_fork_asm+0x1a/0x30
[ 12.018755]
[ 12.019001] Freed by task 221:
[ 12.019291]  kasan_save_stack+0x45/0x70
[ 12.019694]  kasan_save_track+0x18/0x40
[ 12.019876]  kasan_save_free_info+0x3f/0x60
[ 12.020067]  __kasan_slab_free+0x56/0x70
[ 12.020234]  kfree+0x222/0x3f0
[ 12.020369]  ksize_uaf+0x12c/0x6c0
[ 12.020817]  kunit_try_run_case+0x1a5/0x480
[ 12.021007]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.021243]  kthread+0x337/0x6f0
[ 12.021390]  ret_from_fork+0x116/0x1d0
[ 12.021512]  ret_from_fork_asm+0x1a/0x30
[ 12.021642]
[ 12.021731] The buggy address belongs to the object at ffff8881028e2600
[ 12.021731]  which belongs to the cache kmalloc-128 of size 128
[ 12.022419] The buggy address is located 120 bytes inside of
[ 12.022419]  freed 128-byte region [ffff8881028e2600, ffff8881028e2680)
[ 12.023114]
[ 12.023205] The buggy address belongs to the physical page:
[ 12.024044] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1028e2
[ 12.024311] flags: 0x200000000000000(node=0|zone=2)
[ 12.024482] page_type: f5(slab)
[ 12.024598] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.024819] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.025477] page dumped because: kasan: bad access detected
[ 12.025811]
[ 12.025879] Memory state around the buggy address:
[ 12.026301]  ffff8881028e2500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.026816]  ffff8881028e2580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.027050] >ffff8881028e2600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.027258]                                                                 ^
[ 12.027856]  ffff8881028e2680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.028580]  ffff8881028e2700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.029216] ==================================================================
[ 11.950501] ==================================================================
[ 11.950894] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 11.951127] Read of size 1 at addr ffff8881028e2600 by task kunit_try_catch/221
[ 11.951346]
[ 11.951849] CPU: 1 UID: 0 PID: 221 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250616 #1 PREEMPT(voluntary)
[ 11.951904] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.951917] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.951949] Call Trace:
[ 11.951964]  <TASK>
[ 11.951983]  dump_stack_lvl+0x73/0xb0
[ 11.952015]  print_report+0xd1/0x650
[ 11.952036]  ? __virt_addr_valid+0x1db/0x2d0
[ 11.952061]  ? ksize_uaf+0x19d/0x6c0
[ 11.952081]  ? kasan_complete_mode_report_info+0x64/0x200
[ 11.952102]  ? ksize_uaf+0x19d/0x6c0
[ 11.952122]  kasan_report+0x141/0x180
[ 11.952142]  ? ksize_uaf+0x19d/0x6c0
[ 11.952165]  ? ksize_uaf+0x19d/0x6c0
[ 11.952184]  __kasan_check_byte+0x3d/0x50
[ 11.952205]  ksize+0x20/0x60
[ 11.952225]  ksize_uaf+0x19d/0x6c0
[ 11.952244]  ? __pfx_ksize_uaf+0x10/0x10
[ 11.952264]  ? __schedule+0x10cc/0x2b60
[ 11.952285]  ? __pfx_read_tsc+0x10/0x10
[ 11.952307]  ? ktime_get_ts64+0x86/0x230
[ 11.952331]  kunit_try_run_case+0x1a5/0x480
[ 11.952355]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.952376]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.952441]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.952465]  ? __kthread_parkme+0x82/0x180
[ 11.952487]  ? preempt_count_sub+0x50/0x80
[ 11.952523]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.952546]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.952568]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.952589]  kthread+0x337/0x6f0
[ 11.952607]  ? trace_preempt_on+0x20/0xc0
[ 11.952631]  ? __pfx_kthread+0x10/0x10
[ 11.952651]  ? _raw_spin_unlock_irq+0x47/0x80
[ 11.952670]  ? calculate_sigpending+0x7b/0xa0
[ 11.952694]  ? __pfx_kthread+0x10/0x10
[ 11.952714]  ret_from_fork+0x116/0x1d0
[ 11.952732]  ? __pfx_kthread+0x10/0x10
[ 11.952751]  ret_from_fork_asm+0x1a/0x30
[ 11.952782]  </TASK>
[ 11.952793]
[ 11.963221] Allocated by task 221:
[ 11.963394]  kasan_save_stack+0x45/0x70
[ 11.963556]  kasan_save_track+0x18/0x40
[ 11.964202]  kasan_save_alloc_info+0x3b/0x50
[ 11.964498]  __kasan_kmalloc+0xb7/0xc0
[ 11.964909]  __kmalloc_cache_noprof+0x189/0x420
[ 11.965221]  ksize_uaf+0xaa/0x6c0
[ 11.965338]  kunit_try_run_case+0x1a5/0x480
[ 11.965762]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.966250]  kthread+0x337/0x6f0
[ 11.966383]  ret_from_fork+0x116/0x1d0
[ 11.966923]  ret_from_fork_asm+0x1a/0x30
[ 11.967398]
[ 11.967677] Freed by task 221:
[ 11.968135]  kasan_save_stack+0x45/0x70
[ 11.968275]  kasan_save_track+0x18/0x40
[ 11.968424]  kasan_save_free_info+0x3f/0x60
[ 11.968708]  __kasan_slab_free+0x56/0x70
[ 11.968926]  kfree+0x222/0x3f0
[ 11.969274]  ksize_uaf+0x12c/0x6c0
[ 11.969753]  kunit_try_run_case+0x1a5/0x480
[ 11.969908]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.970088]  kthread+0x337/0x6f0
[ 11.970205]  ret_from_fork+0x116/0x1d0
[ 11.970329]  ret_from_fork_asm+0x1a/0x30
[ 11.970473]
[ 11.970540] The buggy address belongs to the object at ffff8881028e2600
[ 11.970540]  which belongs to the cache kmalloc-128 of size 128
[ 11.971736] The buggy address is located 0 bytes inside of
[ 11.971736]  freed 128-byte region [ffff8881028e2600, ffff8881028e2680)
[ 11.972213]
[ 11.972303] The buggy address belongs to the physical page:
[ 11.973086] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1028e2
[ 11.973825] flags: 0x200000000000000(node=0|zone=2)
[ 11.974312] page_type: f5(slab)
[ 11.974630] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 11.974957] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 11.975237] page dumped because: kasan: bad access detected
[ 11.975869]
[ 11.975976] Memory state around the buggy address:
[ 11.976172]  ffff8881028e2500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.976923]  ffff8881028e2580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.977337] >ffff8881028e2600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.977889]                    ^
[ 11.978055]  ffff8881028e2680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.978339]  ffff8881028e2700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.979203] ==================================================================
[ 11.980149] ==================================================================
[ 11.980443] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 11.980857] Read of size 1 at addr ffff8881028e2600 by task kunit_try_catch/221
[ 11.981163]
[ 11.981269] CPU: 1 UID: 0 PID: 221 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250616 #1 PREEMPT(voluntary)
[ 11.981314] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.981325] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.981344] Call Trace:
[ 11.981361]  <TASK>
[ 11.981378]  dump_stack_lvl+0x73/0xb0
[ 11.981407]  print_report+0xd1/0x650
[ 11.981428]  ? __virt_addr_valid+0x1db/0x2d0
[ 11.981451]  ? ksize_uaf+0x5fe/0x6c0
[ 11.981470]  ? kasan_complete_mode_report_info+0x64/0x200
[ 11.981491]  ? ksize_uaf+0x5fe/0x6c0
[ 11.981510]  kasan_report+0x141/0x180
[ 11.981531]  ? ksize_uaf+0x5fe/0x6c0
[ 11.981555]  __asan_report_load1_noabort+0x18/0x20
[ 11.981578]  ksize_uaf+0x5fe/0x6c0
[ 11.981597]  ? __pfx_ksize_uaf+0x10/0x10
[ 11.981617]  ? __schedule+0x10cc/0x2b60
[ 11.981639]  ? __pfx_read_tsc+0x10/0x10
[ 11.981659]  ? ktime_get_ts64+0x86/0x230
[ 11.981689]  kunit_try_run_case+0x1a5/0x480
[ 11.981712]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.981816]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.981843]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.981865]  ? __kthread_parkme+0x82/0x180
[ 11.981899]  ? preempt_count_sub+0x50/0x80
[ 11.981923]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.981954]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.981976]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.981998]  kthread+0x337/0x6f0
[ 11.982016]  ? trace_preempt_on+0x20/0xc0
[ 11.982040]  ? __pfx_kthread+0x10/0x10
[ 11.982059]  ? _raw_spin_unlock_irq+0x47/0x80
[ 11.982079]  ? calculate_sigpending+0x7b/0xa0
[ 11.982102]  ? __pfx_kthread+0x10/0x10
[ 11.982132]  ret_from_fork+0x116/0x1d0
[ 11.982150]  ? __pfx_kthread+0x10/0x10
[ 11.982170]  ret_from_fork_asm+0x1a/0x30
[ 11.982210]  </TASK>
[ 11.982221]
[ 11.989463] Allocated by task 221:
[ 11.989634]  kasan_save_stack+0x45/0x70
[ 11.989822]  kasan_save_track+0x18/0x40
[ 11.990005]  kasan_save_alloc_info+0x3b/0x50
[ 11.990196]  __kasan_kmalloc+0xb7/0xc0
[ 11.990362]  __kmalloc_cache_noprof+0x189/0x420
[ 11.991055]  ksize_uaf+0xaa/0x6c0
[ 11.991186]  kunit_try_run_case+0x1a5/0x480
[ 11.991345]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.992093]  kthread+0x337/0x6f0
[ 11.992287]  ret_from_fork+0x116/0x1d0
[ 11.992659]  ret_from_fork_asm+0x1a/0x30
[ 11.993085]
[ 11.993450] Freed by task 221:
[ 11.993698]  kasan_save_stack+0x45/0x70
[ 11.993877]  kasan_save_track+0x18/0x40
[ 11.994052]  kasan_save_free_info+0x3f/0x60
[ 11.994227]  __kasan_slab_free+0x56/0x70
[ 11.994873]  kfree+0x222/0x3f0
[ 11.995182]  ksize_uaf+0x12c/0x6c0
[ 11.995376]  kunit_try_run_case+0x1a5/0x480
[ 11.995735]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.995976]  kthread+0x337/0x6f0
[ 11.996128]  ret_from_fork+0x116/0x1d0
[ 11.996291]  ret_from_fork_asm+0x1a/0x30
[ 11.997011]
[ 11.997112] The buggy address belongs to the object at ffff8881028e2600
[ 11.997112]  which belongs to the cache kmalloc-128 of size 128
[ 11.998280] The buggy address is located 0 bytes inside of
[ 11.998280]  freed 128-byte region [ffff8881028e2600, ffff8881028e2680)
[ 11.998812]
[ 11.998900] The buggy address belongs to the physical page:
[ 11.999085] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1028e2
[ 11.999394] flags: 0x200000000000000(node=0|zone=2)
[ 11.999799] page_type: f5(slab)
[ 11.999954] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.000267] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.000650] page dumped because: kasan: bad access detected
[ 12.000979]
[ 12.001060] Memory state around the buggy address:
[ 12.001231]  ffff8881028e2500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.001749]  ffff8881028e2580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.002061] >ffff8881028e2600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.002350]                    ^
[ 12.002611]  ffff8881028e2680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.002954]  ffff8881028e2700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.003186] ==================================================================
```