Date
June 17, 2025, 6:35 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 17.143872] ================================================================== [ 17.144568] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 17.144772] Read of size 1 at addr fff00000c748ac78 by task kunit_try_catch/205 [ 17.144836] [ 17.144871] CPU: 1 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250617 #1 PREEMPT [ 17.144972] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.144999] Hardware name: linux,dummy-virt (DT) [ 17.145179] Call trace: [ 17.145215] show_stack+0x20/0x38 (C) [ 17.145300] dump_stack_lvl+0x8c/0xd0 [ 17.145763] print_report+0x118/0x608 [ 17.145838] kasan_report+0xdc/0x128 [ 17.145990] __asan_report_load1_noabort+0x20/0x30 [ 17.146056] ksize_uaf+0x544/0x5f8 [ 17.146117] kunit_try_run_case+0x170/0x3f0 [ 17.146520] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.146647] kthread+0x328/0x630 [ 17.146747] ret_from_fork+0x10/0x20 [ 17.146834] [ 17.146977] Allocated by task 205: [ 17.147016] kasan_save_stack+0x3c/0x68 [ 17.147129] kasan_save_track+0x20/0x40 [ 17.147186] kasan_save_alloc_info+0x40/0x58 [ 17.147225] __kasan_kmalloc+0xd4/0xd8 [ 17.147273] __kmalloc_cache_noprof+0x16c/0x3c0 [ 17.147315] ksize_uaf+0xb8/0x5f8 [ 17.147367] kunit_try_run_case+0x170/0x3f0 [ 17.147407] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.147461] kthread+0x328/0x630 [ 17.147495] ret_from_fork+0x10/0x20 [ 17.147532] [ 17.147550] Freed by task 205: [ 17.147578] kasan_save_stack+0x3c/0x68 [ 17.147617] kasan_save_track+0x20/0x40 [ 17.147662] kasan_save_free_info+0x4c/0x78 [ 17.147700] __kasan_slab_free+0x6c/0x98 [ 17.147739] kfree+0x214/0x3c8 [ 17.147798] ksize_uaf+0x11c/0x5f8 [ 17.147844] kunit_try_run_case+0x170/0x3f0 [ 17.147883] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.147937] kthread+0x328/0x630 [ 17.147992] ret_from_fork+0x10/0x20 [ 17.148030] [ 17.148048] The buggy address belongs to the object at fff00000c748ac00 [ 17.148048] which belongs to the cache kmalloc-128 of size 128 [ 17.148126] The buggy address is located 120 bytes inside of [ 17.148126] freed 128-byte region [fff00000c748ac00, fff00000c748ac80) [ 17.148195] [ 17.148223] The buggy address belongs to the physical page: [ 17.148260] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10748a [ 17.148324] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.148372] page_type: f5(slab) [ 17.148412] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 17.148465] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.148507] page dumped because: kasan: bad access detected [ 17.148539] [ 17.148564] Memory state around the buggy address: [ 17.148596] fff00000c748ab00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.148641] fff00000c748ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.148684] >fff00000c748ac00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.148721] ^ [ 17.148777] fff00000c748ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.148825] fff00000c748ad00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.148879] ================================================================== [ 17.133659] ================================================================== [ 17.133746] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 17.134219] Read of size 1 at addr fff00000c748ac00 by task kunit_try_catch/205 [ 17.134289] [ 17.134558] CPU: 1 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250617 #1 PREEMPT [ 17.134829] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.134883] Hardware name: linux,dummy-virt (DT) [ 17.134950] Call trace: [ 17.135037] show_stack+0x20/0x38 (C) [ 17.135117] dump_stack_lvl+0x8c/0xd0 [ 17.135259] print_report+0x118/0x608 [ 17.135328] kasan_report+0xdc/0x128 [ 17.135808] __asan_report_load1_noabort+0x20/0x30 [ 17.135904] ksize_uaf+0x598/0x5f8 [ 17.136059] kunit_try_run_case+0x170/0x3f0 [ 17.136137] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.136383] kthread+0x328/0x630 [ 17.136580] ret_from_fork+0x10/0x20 [ 17.136640] [ 17.136948] Allocated by task 205: [ 17.137095] kasan_save_stack+0x3c/0x68 [ 17.137282] kasan_save_track+0x20/0x40 [ 17.137371] kasan_save_alloc_info+0x40/0x58 [ 17.137540] __kasan_kmalloc+0xd4/0xd8 [ 17.137601] __kmalloc_cache_noprof+0x16c/0x3c0 [ 17.137687] ksize_uaf+0xb8/0x5f8 [ 17.137892] kunit_try_run_case+0x170/0x3f0 [ 17.138102] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.138220] kthread+0x328/0x630 [ 17.138392] ret_from_fork+0x10/0x20 [ 17.138467] [ 17.138660] Freed by task 205: [ 17.138694] kasan_save_stack+0x3c/0x68 [ 17.138947] kasan_save_track+0x20/0x40 [ 17.139024] kasan_save_free_info+0x4c/0x78 [ 17.139186] __kasan_slab_free+0x6c/0x98 [ 17.139349] kfree+0x214/0x3c8 [ 17.139428] ksize_uaf+0x11c/0x5f8 [ 17.139512] kunit_try_run_case+0x170/0x3f0 [ 17.139646] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.139706] kthread+0x328/0x630 [ 17.139973] ret_from_fork+0x10/0x20 [ 17.140242] [ 17.140335] The buggy address belongs to the object at fff00000c748ac00 [ 17.140335] which belongs to the cache kmalloc-128 of size 128 [ 17.140430] The buggy address is located 0 bytes inside of [ 17.140430] freed 128-byte region [fff00000c748ac00, fff00000c748ac80) [ 17.140577] [ 17.140639] The buggy address belongs to the physical page: [ 17.140697] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10748a [ 17.141028] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.141199] page_type: f5(slab) [ 17.141343] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 17.141434] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.141596] page dumped because: kasan: bad access detected [ 17.141666] [ 17.141684] Memory state around the buggy address: [ 17.142074] fff00000c748ab00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.142140] fff00000c748ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.142275] >fff00000c748ac00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.142362] ^ [ 17.142416] fff00000c748ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.142547] fff00000c748ad00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.142630] ================================================================== [ 17.123886] ================================================================== [ 17.123973] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 17.124039] Read of size 1 at addr fff00000c748ac00 by task kunit_try_catch/205 [ 17.124093] [ 17.124131] CPU: 1 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250617 #1 PREEMPT [ 17.124240] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.124270] Hardware name: linux,dummy-virt (DT) [ 17.124302] Call trace: [ 17.124329] show_stack+0x20/0x38 (C) [ 17.124381] dump_stack_lvl+0x8c/0xd0 [ 17.124444] print_report+0x118/0x608 [ 17.124501] kasan_report+0xdc/0x128 [ 17.124548] __kasan_check_byte+0x54/0x70 [ 17.124597] ksize+0x30/0x88 [ 17.124642] ksize_uaf+0x168/0x5f8 [ 17.124686] kunit_try_run_case+0x170/0x3f0 [ 17.124737] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.124800] kthread+0x328/0x630 [ 17.124845] ret_from_fork+0x10/0x20 [ 17.124903] [ 17.125438] Allocated by task 205: [ 17.125494] kasan_save_stack+0x3c/0x68 [ 17.125960] kasan_save_track+0x20/0x40 [ 17.126029] kasan_save_alloc_info+0x40/0x58 [ 17.126579] __kasan_kmalloc+0xd4/0xd8 [ 17.126946] __kmalloc_cache_noprof+0x16c/0x3c0 [ 17.127251] ksize_uaf+0xb8/0x5f8 [ 17.127400] kunit_try_run_case+0x170/0x3f0 [ 17.127537] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.127806] kthread+0x328/0x630 [ 17.127850] ret_from_fork+0x10/0x20 [ 17.128226] [ 17.128306] Freed by task 205: [ 17.128355] kasan_save_stack+0x3c/0x68 [ 17.128457] kasan_save_track+0x20/0x40 [ 17.128806] kasan_save_free_info+0x4c/0x78 [ 17.129032] __kasan_slab_free+0x6c/0x98 [ 17.129318] kfree+0x214/0x3c8 [ 17.129509] ksize_uaf+0x11c/0x5f8 [ 17.129601] kunit_try_run_case+0x170/0x3f0 [ 17.129667] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.129777] kthread+0x328/0x630 [ 17.129842] ret_from_fork+0x10/0x20 [ 17.130041] [ 17.130073] The buggy address belongs to the object at fff00000c748ac00 [ 17.130073] which belongs to the cache kmalloc-128 of size 128 [ 17.130326] The buggy address is located 0 bytes inside of [ 17.130326] freed 128-byte region [fff00000c748ac00, fff00000c748ac80) [ 17.130416] [ 17.130481] The buggy address belongs to the physical page: [ 17.130545] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10748a [ 17.130616] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.130970] page_type: f5(slab) [ 17.131136] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 17.131212] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.131350] page dumped because: kasan: bad access detected [ 17.131411] [ 17.131589] Memory state around the buggy address: [ 17.131750] fff00000c748ab00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.131991] fff00000c748ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.132077] >fff00000c748ac00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.132199] ^ [ 17.132248] fff00000c748ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.132293] fff00000c748ad00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.132471] ==================================================================
[ 18.726719] ================================================================== [ 18.727767] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 18.728757] Read of size 1 at addr ffff888103393c00 by task kunit_try_catch/223 [ 18.729666] [ 18.730207] CPU: 0 UID: 0 PID: 223 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250617 #1 PREEMPT(voluntary) [ 18.730349] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.730387] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 18.730444] Call Trace: [ 18.730484] <TASK> [ 18.730529] dump_stack_lvl+0x73/0xb0 [ 18.730614] print_report+0xd1/0x650 [ 18.730690] ? __virt_addr_valid+0x1db/0x2d0 [ 18.730765] ? ksize_uaf+0x19d/0x6c0 [ 18.730854] ? kasan_complete_mode_report_info+0x64/0x200 [ 18.730932] ? ksize_uaf+0x19d/0x6c0 [ 18.731003] kasan_report+0x141/0x180 [ 18.731078] ? ksize_uaf+0x19d/0x6c0 [ 18.731122] ? ksize_uaf+0x19d/0x6c0 [ 18.731166] __kasan_check_byte+0x3d/0x50 [ 18.731207] ksize+0x20/0x60 [ 18.731268] ksize_uaf+0x19d/0x6c0 [ 18.731344] ? __pfx_ksize_uaf+0x10/0x10 [ 18.731412] ? __schedule+0x10cc/0x2b60 [ 18.731444] ? __pfx_read_tsc+0x10/0x10 [ 18.731476] ? ktime_get_ts64+0x86/0x230 [ 18.731508] kunit_try_run_case+0x1a5/0x480 [ 18.731553] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.731588] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 18.731620] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 18.731655] ? __kthread_parkme+0x82/0x180 [ 18.731683] ? preempt_count_sub+0x50/0x80 [ 18.731713] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.731745] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.731775] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 18.731806] kthread+0x337/0x6f0 [ 18.731854] ? trace_preempt_on+0x20/0xc0 [ 18.731894] ? __pfx_kthread+0x10/0x10 [ 18.731922] ? _raw_spin_unlock_irq+0x47/0x80 [ 18.731956] ? calculate_sigpending+0x7b/0xa0 [ 18.731990] ? __pfx_kthread+0x10/0x10 [ 18.732018] ret_from_fork+0x116/0x1d0 [ 18.732043] ? __pfx_kthread+0x10/0x10 [ 18.732070] ret_from_fork_asm+0x1a/0x30 [ 18.732112] </TASK> [ 18.732129] [ 18.750535] Allocated by task 223: [ 18.751450] kasan_save_stack+0x45/0x70 [ 18.751878] kasan_save_track+0x18/0x40 [ 18.752412] kasan_save_alloc_info+0x3b/0x50 [ 18.752875] __kasan_kmalloc+0xb7/0xc0 [ 18.753278] __kmalloc_cache_noprof+0x189/0x420 [ 18.753732] ksize_uaf+0xaa/0x6c0 [ 18.754096] kunit_try_run_case+0x1a5/0x480 [ 18.754527] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.755545] kthread+0x337/0x6f0 [ 18.755922] ret_from_fork+0x116/0x1d0 [ 18.756423] ret_from_fork_asm+0x1a/0x30 [ 18.756812] [ 18.757056] Freed by task 223: [ 18.757585] kasan_save_stack+0x45/0x70 [ 18.757984] kasan_save_track+0x18/0x40 [ 18.758699] kasan_save_free_info+0x3f/0x60 [ 18.759115] __kasan_slab_free+0x56/0x70 [ 18.759688] kfree+0x222/0x3f0 [ 18.760096] ksize_uaf+0x12c/0x6c0 [ 18.760594] kunit_try_run_case+0x1a5/0x480 [ 18.761032] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.761676] kthread+0x337/0x6f0 [ 18.762021] ret_from_fork+0x116/0x1d0 [ 18.762431] ret_from_fork_asm+0x1a/0x30 [ 18.763157] [ 18.763629] The buggy address belongs to the object at ffff888103393c00 [ 18.763629] which belongs to the cache kmalloc-128 of size 128 [ 18.764742] The buggy address is located 0 bytes inside of [ 18.764742] freed 128-byte region [ffff888103393c00, ffff888103393c80) [ 18.765802] [ 18.766054] The buggy address belongs to the physical page: [ 18.766764] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103393 [ 18.767784] flags: 0x200000000000000(node=0|zone=2) [ 18.768434] page_type: f5(slab) [ 18.768765] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 18.769461] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.770111] page dumped because: kasan: bad access detected [ 18.770947] [ 18.771184] Memory state around the buggy address: [ 18.771756] ffff888103393b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.772335] ffff888103393b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.772895] >ffff888103393c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.773486] ^ [ 18.773780] ffff888103393c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.774428] ffff888103393d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.774960] ================================================================== [ 18.776561] ================================================================== [ 18.777137] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 18.778345] Read of size 1 at addr ffff888103393c00 by task kunit_try_catch/223 [ 18.778894] [ 18.779134] CPU: 0 UID: 0 PID: 223 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250617 #1 PREEMPT(voluntary) [ 18.779438] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.779475] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 18.779530] Call Trace: [ 18.779576] <TASK> [ 18.779619] dump_stack_lvl+0x73/0xb0 [ 18.779700] print_report+0xd1/0x650 [ 18.779774] ? __virt_addr_valid+0x1db/0x2d0 [ 18.779865] ? ksize_uaf+0x5fe/0x6c0 [ 18.779934] ? kasan_complete_mode_report_info+0x64/0x200 [ 18.780004] ? ksize_uaf+0x5fe/0x6c0 [ 18.780074] kasan_report+0x141/0x180 [ 18.780149] ? ksize_uaf+0x5fe/0x6c0 [ 18.780549] __asan_report_load1_noabort+0x18/0x20 [ 18.780637] ksize_uaf+0x5fe/0x6c0 [ 18.780709] ? __pfx_ksize_uaf+0x10/0x10 [ 18.780778] ? __schedule+0x10cc/0x2b60 [ 18.780862] ? __pfx_read_tsc+0x10/0x10 [ 18.780923] ? ktime_get_ts64+0x86/0x230 [ 18.781001] kunit_try_run_case+0x1a5/0x480 [ 18.781075] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.781147] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 18.781345] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 18.781408] ? __kthread_parkme+0x82/0x180 [ 18.781440] ? preempt_count_sub+0x50/0x80 [ 18.781473] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.781506] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.781539] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 18.781572] kthread+0x337/0x6f0 [ 18.781598] ? trace_preempt_on+0x20/0xc0 [ 18.781629] ? __pfx_kthread+0x10/0x10 [ 18.781657] ? _raw_spin_unlock_irq+0x47/0x80 [ 18.781689] ? calculate_sigpending+0x7b/0xa0 [ 18.781723] ? __pfx_kthread+0x10/0x10 [ 18.781751] ret_from_fork+0x116/0x1d0 [ 18.781776] ? __pfx_kthread+0x10/0x10 [ 18.781803] ret_from_fork_asm+0x1a/0x30 [ 18.781868] </TASK> [ 18.781885] [ 18.796080] Allocated by task 223: [ 18.796745] kasan_save_stack+0x45/0x70 [ 18.797152] kasan_save_track+0x18/0x40 [ 18.797588] kasan_save_alloc_info+0x3b/0x50 [ 18.797940] __kasan_kmalloc+0xb7/0xc0 [ 18.798468] __kmalloc_cache_noprof+0x189/0x420 [ 18.798950] ksize_uaf+0xaa/0x6c0 [ 18.799495] kunit_try_run_case+0x1a5/0x480 [ 18.799932] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.800678] kthread+0x337/0x6f0 [ 18.800955] ret_from_fork+0x116/0x1d0 [ 18.801302] ret_from_fork_asm+0x1a/0x30 [ 18.801681] [ 18.801892] Freed by task 223: [ 18.802208] kasan_save_stack+0x45/0x70 [ 18.802715] kasan_save_track+0x18/0x40 [ 18.803116] kasan_save_free_info+0x3f/0x60 [ 18.803681] __kasan_slab_free+0x56/0x70 [ 18.804074] kfree+0x222/0x3f0 [ 18.804726] ksize_uaf+0x12c/0x6c0 [ 18.805028] kunit_try_run_case+0x1a5/0x480 [ 18.805451] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.805882] kthread+0x337/0x6f0 [ 18.806222] ret_from_fork+0x116/0x1d0 [ 18.806584] ret_from_fork_asm+0x1a/0x30 [ 18.807052] [ 18.807452] The buggy address belongs to the object at ffff888103393c00 [ 18.807452] which belongs to the cache kmalloc-128 of size 128 [ 18.808732] The buggy address is located 0 bytes inside of [ 18.808732] freed 128-byte region [ffff888103393c00, ffff888103393c80) [ 18.809845] [ 18.810048] The buggy address belongs to the physical page: [ 18.810590] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103393 [ 18.811201] flags: 0x200000000000000(node=0|zone=2) [ 18.811784] page_type: f5(slab) [ 18.812133] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 18.812970] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.813711] page dumped because: kasan: bad access detected [ 18.814180] [ 18.814523] Memory state around the buggy address: [ 18.814979] ffff888103393b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.815781] ffff888103393b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.816739] >ffff888103393c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.817286] ^ [ 18.817544] ffff888103393c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.818397] ffff888103393d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.818804] ================================================================== [ 18.821627] ================================================================== [ 18.822207] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 18.823426] Read of size 1 at addr ffff888103393c78 by task kunit_try_catch/223 [ 18.824030] [ 18.824359] CPU: 0 UID: 0 PID: 223 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250617 #1 PREEMPT(voluntary) [ 18.824483] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.824517] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 18.824570] Call Trace: [ 18.824615] <TASK> [ 18.824661] dump_stack_lvl+0x73/0xb0 [ 18.824740] print_report+0xd1/0x650 [ 18.824810] ? __virt_addr_valid+0x1db/0x2d0 [ 18.824905] ? ksize_uaf+0x5e4/0x6c0 [ 18.824976] ? kasan_complete_mode_report_info+0x64/0x200 [ 18.825047] ? ksize_uaf+0x5e4/0x6c0 [ 18.825738] kasan_report+0x141/0x180 [ 18.827202] ? ksize_uaf+0x5e4/0x6c0 [ 18.827283] __asan_report_load1_noabort+0x18/0x20 [ 18.827355] ksize_uaf+0x5e4/0x6c0 [ 18.827420] ? __pfx_ksize_uaf+0x10/0x10 [ 18.827481] ? __schedule+0x10cc/0x2b60 [ 18.827531] ? __pfx_read_tsc+0x10/0x10 [ 18.827597] ? ktime_get_ts64+0x86/0x230 [ 18.827661] kunit_try_run_case+0x1a5/0x480 [ 18.827720] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.827774] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 18.827824] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 18.827922] ? __kthread_parkme+0x82/0x180 [ 18.827994] ? preempt_count_sub+0x50/0x80 [ 18.828066] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.828121] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.828176] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 18.828240] kthread+0x337/0x6f0 [ 18.828310] ? trace_preempt_on+0x20/0xc0 [ 18.828383] ? __pfx_kthread+0x10/0x10 [ 18.828436] ? _raw_spin_unlock_irq+0x47/0x80 [ 18.828496] ? calculate_sigpending+0x7b/0xa0 [ 18.828562] ? __pfx_kthread+0x10/0x10 [ 18.828623] ret_from_fork+0x116/0x1d0 [ 18.828679] ? __pfx_kthread+0x10/0x10 [ 18.828739] ret_from_fork_asm+0x1a/0x30 [ 18.828818] </TASK> [ 18.828877] [ 18.849140] Allocated by task 223: [ 18.849640] kasan_save_stack+0x45/0x70 [ 18.850050] kasan_save_track+0x18/0x40 [ 18.850727] kasan_save_alloc_info+0x3b/0x50 [ 18.851124] __kasan_kmalloc+0xb7/0xc0 [ 18.851627] __kmalloc_cache_noprof+0x189/0x420 [ 18.852028] ksize_uaf+0xaa/0x6c0 [ 18.852422] kunit_try_run_case+0x1a5/0x480 [ 18.852723] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.853216] kthread+0x337/0x6f0 [ 18.853586] ret_from_fork+0x116/0x1d0 [ 18.854037] ret_from_fork_asm+0x1a/0x30 [ 18.854329] [ 18.854825] Freed by task 223: [ 18.855171] kasan_save_stack+0x45/0x70 [ 18.855687] kasan_save_track+0x18/0x40 [ 18.856087] kasan_save_free_info+0x3f/0x60 [ 18.856815] __kasan_slab_free+0x56/0x70 [ 18.857146] kfree+0x222/0x3f0 [ 18.857399] ksize_uaf+0x12c/0x6c0 [ 18.857744] kunit_try_run_case+0x1a5/0x480 [ 18.858174] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.858965] kthread+0x337/0x6f0 [ 18.859400] ret_from_fork+0x116/0x1d0 [ 18.859707] ret_from_fork_asm+0x1a/0x30 [ 18.860104] [ 18.860267] The buggy address belongs to the object at ffff888103393c00 [ 18.860267] which belongs to the cache kmalloc-128 of size 128 [ 18.861009] The buggy address is located 120 bytes inside of [ 18.861009] freed 128-byte region [ffff888103393c00, ffff888103393c80) [ 18.862155] [ 18.862318] The buggy address belongs to the physical page: [ 18.862642] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103393 [ 18.863276] flags: 0x200000000000000(node=0|zone=2) [ 18.863722] page_type: f5(slab) [ 18.864073] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 18.864925] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.865991] page dumped because: kasan: bad access detected [ 18.866324] [ 18.866537] Memory state around the buggy address: [ 18.867159] ffff888103393b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.867751] ffff888103393b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.869193] >ffff888103393c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.870041] ^ [ 18.870576] ffff888103393c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.872129] ffff888103393d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.872816] ==================================================================