Hay
Date: June 18, 2025, 6:43 a.m.

Environment: qemu-arm64, qemu-x86_64

[   21.400177] ==================================================================
[   21.400310] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   21.400425] Read of size 1 at addr fff00000c6423c00 by task kunit_try_catch/206
[   21.400562] 
[   21.400652] CPU: 0 UID: 0 PID: 206 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc2-next-20250618 #1 PREEMPT 
[   21.400875] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   21.400953] Hardware name: linux,dummy-virt (DT)
[   21.401043] Call trace:
[   21.401098]  show_stack+0x20/0x38 (C)
[   21.401218]  dump_stack_lvl+0x8c/0xd0
[   21.401335]  print_report+0x118/0x608
[   21.401456]  kasan_report+0xdc/0x128
[   21.401576]  __asan_report_load1_noabort+0x20/0x30
[   21.401704]  ksize_uaf+0x598/0x5f8
[   21.401811]  kunit_try_run_case+0x170/0x3f0
[   21.401934]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.403206]  kthread+0x328/0x630
[   21.403348]  ret_from_fork+0x10/0x20
[   21.403450] 
[   21.403485] Allocated by task 206:
[   21.403535]  kasan_save_stack+0x3c/0x68
[   21.403604]  kasan_save_track+0x20/0x40
[   21.403677]  kasan_save_alloc_info+0x40/0x58
[   21.404267]  __kasan_kmalloc+0xd4/0xd8
[   21.404491]  __kmalloc_cache_noprof+0x16c/0x3c0
[   21.404920]  ksize_uaf+0xb8/0x5f8
[   21.405089]  kunit_try_run_case+0x170/0x3f0
[   21.405362]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.405541]  kthread+0x328/0x630
[   21.405624]  ret_from_fork+0x10/0x20
[   21.405875] 
[   21.405940] Freed by task 206:
[   21.406164]  kasan_save_stack+0x3c/0x68
[   21.406254]  kasan_save_track+0x20/0x40
[   21.406351]  kasan_save_free_info+0x4c/0x78
[   21.407312]  __kasan_slab_free+0x6c/0x98
[   21.407407]  kfree+0x214/0x3c8
[   21.407871]  ksize_uaf+0x11c/0x5f8
[   21.408014]  kunit_try_run_case+0x170/0x3f0
[   21.408154]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.408560]  kthread+0x328/0x630
[   21.408682]  ret_from_fork+0x10/0x20
[   21.408809] 
[   21.408966] The buggy address belongs to the object at fff00000c6423c00
[   21.408966]  which belongs to the cache kmalloc-128 of size 128
[   21.409442] The buggy address is located 0 bytes inside of
[   21.409442]  freed 128-byte region [fff00000c6423c00, fff00000c6423c80)
[   21.409721] 
[   21.409963] The buggy address belongs to the physical page:
[   21.410164] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106423
[   21.410454] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   21.410682] page_type: f5(slab)
[   21.410771] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   21.411202] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   21.411312] page dumped because: kasan: bad access detected
[   21.411386] 
[   21.411440] Memory state around the buggy address:
[   21.411546]  fff00000c6423b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.411674]  fff00000c6423b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.411766] >fff00000c6423c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.411881]                    ^
[   21.411968]  fff00000c6423c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.412115]  fff00000c6423d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.412238] ==================================================================
[   21.413491] ==================================================================
[   21.413648] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   21.413756] Read of size 1 at addr fff00000c6423c78 by task kunit_try_catch/206
[   21.413868] 
[   21.413943] CPU: 0 UID: 0 PID: 206 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc2-next-20250618 #1 PREEMPT 
[   21.414161] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   21.414231] Hardware name: linux,dummy-virt (DT)
[   21.414303] Call trace:
[   21.414352]  show_stack+0x20/0x38 (C)
[   21.414457]  dump_stack_lvl+0x8c/0xd0
[   21.414564]  print_report+0x118/0x608
[   21.414672]  kasan_report+0xdc/0x128
[   21.414770]  __asan_report_load1_noabort+0x20/0x30
[   21.414887]  ksize_uaf+0x544/0x5f8
[   21.414986]  kunit_try_run_case+0x170/0x3f0
[   21.415104]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.415222]  kthread+0x328/0x630
[   21.415318]  ret_from_fork+0x10/0x20
[   21.415427] 
[   21.415472] Allocated by task 206:
[   21.415536]  kasan_save_stack+0x3c/0x68
[   21.415624]  kasan_save_track+0x20/0x40
[   21.415739]  kasan_save_alloc_info+0x40/0x58
[   21.415825]  __kasan_kmalloc+0xd4/0xd8
[   21.415934]  __kmalloc_cache_noprof+0x16c/0x3c0
[   21.416055]  ksize_uaf+0xb8/0x5f8
[   21.416151]  kunit_try_run_case+0x170/0x3f0
[   21.416245]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.416332]  kthread+0x328/0x630
[   21.416404]  ret_from_fork+0x10/0x20
[   21.416497] 
[   21.416564] Freed by task 206:
[   21.416634]  kasan_save_stack+0x3c/0x68
[   21.416738]  kasan_save_track+0x20/0x40
[   21.416849]  kasan_save_free_info+0x4c/0x78
[   21.417111]  __kasan_slab_free+0x6c/0x98
[   21.417234]  kfree+0x214/0x3c8
[   21.417302]  ksize_uaf+0x11c/0x5f8
[   21.417361]  kunit_try_run_case+0x170/0x3f0
[   21.417457]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.417542]  kthread+0x328/0x630
[   21.417636]  ret_from_fork+0x10/0x20
[   21.417709] 
[   21.417765] The buggy address belongs to the object at fff00000c6423c00
[   21.417765]  which belongs to the cache kmalloc-128 of size 128
[   21.417908] The buggy address is located 120 bytes inside of
[   21.417908]  freed 128-byte region [fff00000c6423c00, fff00000c6423c80)
[   21.418092] 
[   21.418135] The buggy address belongs to the physical page:
[   21.418217] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106423
[   21.418340] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   21.418448] page_type: f5(slab)
[   21.418550] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   21.418641] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   21.418723] page dumped because: kasan: bad access detected
[   21.418798] 
[   21.418839] Memory state around the buggy address:
[   21.418900]  fff00000c6423b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.419010]  fff00000c6423b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.419109] >fff00000c6423c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.419227]                                                                 ^
[   21.419358]  fff00000c6423c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.419487]  fff00000c6423d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.419611] ==================================================================
[   21.387913] ==================================================================
[   21.388079] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   21.388208] Read of size 1 at addr fff00000c6423c00 by task kunit_try_catch/206
[   21.388321] 
[   21.388404] CPU: 0 UID: 0 PID: 206 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc2-next-20250618 #1 PREEMPT 
[   21.388627] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   21.388703] Hardware name: linux,dummy-virt (DT)
[   21.388782] Call trace:
[   21.388834]  show_stack+0x20/0x38 (C)
[   21.388948]  dump_stack_lvl+0x8c/0xd0
[   21.390851]  print_report+0x118/0x608
[   21.391151]  kasan_report+0xdc/0x128
[   21.391496]  __kasan_check_byte+0x54/0x70
[   21.391617]  ksize+0x30/0x88
[   21.391716]  ksize_uaf+0x168/0x5f8
[   21.391811]  kunit_try_run_case+0x170/0x3f0
[   21.391925]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.392055]  kthread+0x328/0x630
[   21.392157]  ret_from_fork+0x10/0x20
[   21.392265] 
[   21.392311] Allocated by task 206:
[   21.392373]  kasan_save_stack+0x3c/0x68
[   21.392468]  kasan_save_track+0x20/0x40
[   21.392561]  kasan_save_alloc_info+0x40/0x58
[   21.392666]  __kasan_kmalloc+0xd4/0xd8
[   21.392781]  __kmalloc_cache_noprof+0x16c/0x3c0
[   21.392886]  ksize_uaf+0xb8/0x5f8
[   21.392994]  kunit_try_run_case+0x170/0x3f0
[   21.393090]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.393181]  kthread+0x328/0x630
[   21.394082]  ret_from_fork+0x10/0x20
[   21.394203] 
[   21.394283] Freed by task 206:
[   21.394392]  kasan_save_stack+0x3c/0x68
[   21.394480]  kasan_save_track+0x20/0x40
[   21.394559]  kasan_save_free_info+0x4c/0x78
[   21.394671]  __kasan_slab_free+0x6c/0x98
[   21.394760]  kfree+0x214/0x3c8
[   21.394843]  ksize_uaf+0x11c/0x5f8
[   21.394909]  kunit_try_run_case+0x170/0x3f0
[   21.394982]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.395078]  kthread+0x328/0x630
[   21.395152]  ret_from_fork+0x10/0x20
[   21.395230] 
[   21.395272] The buggy address belongs to the object at fff00000c6423c00
[   21.395272]  which belongs to the cache kmalloc-128 of size 128
[   21.395788] The buggy address is located 0 bytes inside of
[   21.395788]  freed 128-byte region [fff00000c6423c00, fff00000c6423c80)
[   21.396282] 
[   21.396393] The buggy address belongs to the physical page:
[   21.396484] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106423
[   21.396642] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   21.396782] page_type: f5(slab)
[   21.396870] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   21.397244] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   21.397389] page dumped because: kasan: bad access detected
[   21.397517] 
[   21.397556] Memory state around the buggy address:
[   21.397645]  fff00000c6423b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.397920]  fff00000c6423b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.398016] >fff00000c6423c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.398188]                    ^
[   21.398286]  fff00000c6423c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.398380]  fff00000c6423d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.398468] ==================================================================

[   11.641538] ==================================================================
[   11.641844] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   11.642274] Read of size 1 at addr ffff888102c54b00 by task kunit_try_catch/222
[   11.642816] 
[   11.643169] CPU: 1 UID: 0 PID: 222 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250618 #1 PREEMPT(voluntary) 
[   11.643231] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.643243] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.643264] Call Trace:
[   11.643276]  <TASK>
[   11.643290]  dump_stack_lvl+0x73/0xb0
[   11.643320]  print_report+0xd1/0x650
[   11.643340]  ? __virt_addr_valid+0x1db/0x2d0
[   11.643363]  ? ksize_uaf+0x5fe/0x6c0
[   11.643381]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.643405]  ? ksize_uaf+0x5fe/0x6c0
[   11.643424]  kasan_report+0x141/0x180
[   11.643444]  ? ksize_uaf+0x5fe/0x6c0
[   11.643467]  __asan_report_load1_noabort+0x18/0x20
[   11.643490]  ksize_uaf+0x5fe/0x6c0
[   11.643508]  ? __pfx_ksize_uaf+0x10/0x10
[   11.643528]  ? __schedule+0x10cc/0x2b60
[   11.643549]  ? __pfx_read_tsc+0x10/0x10
[   11.643570]  ? ktime_get_ts64+0x86/0x230
[   11.643594]  kunit_try_run_case+0x1a5/0x480
[   11.643617]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.643637]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.643659]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.643680]  ? __kthread_parkme+0x82/0x180
[   11.643699]  ? preempt_count_sub+0x50/0x80
[   11.643721]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.643743]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.643764]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.643785]  kthread+0x337/0x6f0
[   11.643803]  ? trace_preempt_on+0x20/0xc0
[   11.643826]  ? __pfx_kthread+0x10/0x10
[   11.643845]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.643864]  ? calculate_sigpending+0x7b/0xa0
[   11.643887]  ? __pfx_kthread+0x10/0x10
[   11.643907]  ret_from_fork+0x116/0x1d0
[   11.643924]  ? __pfx_kthread+0x10/0x10
[   11.643943]  ret_from_fork_asm+0x1a/0x30
[   11.643972]  </TASK>
[   11.643981] 
[   11.653337] Allocated by task 222:
[   11.653974]  kasan_save_stack+0x45/0x70
[   11.654172]  kasan_save_track+0x18/0x40
[   11.654315]  kasan_save_alloc_info+0x3b/0x50
[   11.654534]  __kasan_kmalloc+0xb7/0xc0
[   11.654879]  __kmalloc_cache_noprof+0x189/0x420
[   11.655390]  ksize_uaf+0xaa/0x6c0
[   11.655900]  kunit_try_run_case+0x1a5/0x480
[   11.656319]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.656855]  kthread+0x337/0x6f0
[   11.656976]  ret_from_fork+0x116/0x1d0
[   11.657100]  ret_from_fork_asm+0x1a/0x30
[   11.657344] 
[   11.657840] Freed by task 222:
[   11.658134]  kasan_save_stack+0x45/0x70
[   11.658647]  kasan_save_track+0x18/0x40
[   11.659076]  kasan_save_free_info+0x3f/0x60
[   11.659888]  __kasan_slab_free+0x56/0x70
[   11.660308]  kfree+0x222/0x3f0
[   11.660424]  ksize_uaf+0x12c/0x6c0
[   11.660854]  kunit_try_run_case+0x1a5/0x480
[   11.661355]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.661880]  kthread+0x337/0x6f0
[   11.662119]  ret_from_fork+0x116/0x1d0
[   11.662458]  ret_from_fork_asm+0x1a/0x30
[   11.662802] 
[   11.662943] The buggy address belongs to the object at ffff888102c54b00
[   11.662943]  which belongs to the cache kmalloc-128 of size 128
[   11.663986] The buggy address is located 0 bytes inside of
[   11.663986]  freed 128-byte region [ffff888102c54b00, ffff888102c54b80)
[   11.664936] 
[   11.665007] The buggy address belongs to the physical page:
[   11.665166] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c54
[   11.665401] flags: 0x200000000000000(node=0|zone=2)
[   11.665576] page_type: f5(slab)
[   11.665738] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.665993] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.666304] page dumped because: kasan: bad access detected
[   11.666474] 
[   11.666591] Memory state around the buggy address:
[   11.666788]  ffff888102c54a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.667002]  ffff888102c54a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.667665] >ffff888102c54b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.668104]                    ^
[   11.668359]  ffff888102c54b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.668617]  ffff888102c54c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.668927] ==================================================================
[   11.616725] ==================================================================
[   11.617098] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   11.617666] Read of size 1 at addr ffff888102c54b00 by task kunit_try_catch/222
[   11.618757] 
[   11.618852] CPU: 1 UID: 0 PID: 222 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250618 #1 PREEMPT(voluntary) 
[   11.618902] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.618913] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.618934] Call Trace:
[   11.618945]  <TASK>
[   11.618961]  dump_stack_lvl+0x73/0xb0
[   11.618989]  print_report+0xd1/0x650
[   11.619010]  ? __virt_addr_valid+0x1db/0x2d0
[   11.619030]  ? ksize_uaf+0x19d/0x6c0
[   11.619049]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.619073]  ? ksize_uaf+0x19d/0x6c0
[   11.619092]  kasan_report+0x141/0x180
[   11.619112]  ? ksize_uaf+0x19d/0x6c0
[   11.619134]  ? ksize_uaf+0x19d/0x6c0
[   11.619152]  __kasan_check_byte+0x3d/0x50
[   11.619172]  ksize+0x20/0x60
[   11.619190]  ksize_uaf+0x19d/0x6c0
[   11.619221]  ? __pfx_ksize_uaf+0x10/0x10
[   11.619242]  ? __schedule+0x10cc/0x2b60
[   11.619262]  ? __pfx_read_tsc+0x10/0x10
[   11.619418]  ? ktime_get_ts64+0x86/0x230
[   11.619447]  kunit_try_run_case+0x1a5/0x480
[   11.619471]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.619492]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.619513]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.619534]  ? __kthread_parkme+0x82/0x180
[   11.619553]  ? preempt_count_sub+0x50/0x80
[   11.619576]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.619598]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.619620]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.619641]  kthread+0x337/0x6f0
[   11.619659]  ? trace_preempt_on+0x20/0xc0
[   11.619681]  ? __pfx_kthread+0x10/0x10
[   11.619700]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.619719]  ? calculate_sigpending+0x7b/0xa0
[   11.619742]  ? __pfx_kthread+0x10/0x10
[   11.619761]  ret_from_fork+0x116/0x1d0
[   11.619779]  ? __pfx_kthread+0x10/0x10
[   11.619798]  ret_from_fork_asm+0x1a/0x30
[   11.619826]  </TASK>
[   11.619837] 
[   11.627500] Allocated by task 222:
[   11.627765]  kasan_save_stack+0x45/0x70
[   11.627966]  kasan_save_track+0x18/0x40
[   11.628133]  kasan_save_alloc_info+0x3b/0x50
[   11.628384]  __kasan_kmalloc+0xb7/0xc0
[   11.628531]  __kmalloc_cache_noprof+0x189/0x420
[   11.628810]  ksize_uaf+0xaa/0x6c0
[   11.628940]  kunit_try_run_case+0x1a5/0x480
[   11.629078]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.629254]  kthread+0x337/0x6f0
[   11.629366]  ret_from_fork+0x116/0x1d0
[   11.629536]  ret_from_fork_asm+0x1a/0x30
[   11.629723] 
[   11.629813] Freed by task 222:
[   11.630000]  kasan_save_stack+0x45/0x70
[   11.630185]  kasan_save_track+0x18/0x40
[   11.630447]  kasan_save_free_info+0x3f/0x60
[   11.630595]  __kasan_slab_free+0x56/0x70
[   11.630722]  kfree+0x222/0x3f0
[   11.630830]  ksize_uaf+0x12c/0x6c0
[   11.631176]  kunit_try_run_case+0x1a5/0x480
[   11.631386]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.631625]  kthread+0x337/0x6f0
[   11.631756]  ret_from_fork+0x116/0x1d0
[   11.632123]  ret_from_fork_asm+0x1a/0x30
[   11.632397] 
[   11.632623] The buggy address belongs to the object at ffff888102c54b00
[   11.632623]  which belongs to the cache kmalloc-128 of size 128
[   11.633072] The buggy address is located 0 bytes inside of
[   11.633072]  freed 128-byte region [ffff888102c54b00, ffff888102c54b80)
[   11.633911] 
[   11.634016] The buggy address belongs to the physical page:
[   11.634557] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c54
[   11.634915] flags: 0x200000000000000(node=0|zone=2)
[   11.635085] page_type: f5(slab)
[   11.635230] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.635974] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.636802] page dumped because: kasan: bad access detected
[   11.637233] 
[   11.637320] Memory state around the buggy address:
[   11.637876]  ffff888102c54a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.638378]  ffff888102c54a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.639160] >ffff888102c54b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.639875]                    ^
[   11.640034]  ffff888102c54b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.640551]  ffff888102c54c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.640898] ==================================================================
[   11.671238] ==================================================================
[   11.671601] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   11.672199] Read of size 1 at addr ffff888102c54b78 by task kunit_try_catch/222
[   11.672451] 
[   11.672824] CPU: 1 UID: 0 PID: 222 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250618 #1 PREEMPT(voluntary) 
[   11.672873] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.672884] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.672904] Call Trace:
[   11.672915]  <TASK>
[   11.672930]  dump_stack_lvl+0x73/0xb0
[   11.672959]  print_report+0xd1/0x650
[   11.672978]  ? __virt_addr_valid+0x1db/0x2d0
[   11.672999]  ? ksize_uaf+0x5e4/0x6c0
[   11.673017]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.673042]  ? ksize_uaf+0x5e4/0x6c0
[   11.673062]  kasan_report+0x141/0x180
[   11.673082]  ? ksize_uaf+0x5e4/0x6c0
[   11.673105]  __asan_report_load1_noabort+0x18/0x20
[   11.673127]  ksize_uaf+0x5e4/0x6c0
[   11.673146]  ? __pfx_ksize_uaf+0x10/0x10
[   11.673165]  ? __schedule+0x10cc/0x2b60
[   11.673196]  ? __pfx_read_tsc+0x10/0x10
[   11.673233]  ? ktime_get_ts64+0x86/0x230
[   11.673257]  kunit_try_run_case+0x1a5/0x480
[   11.673279]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.673299]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.673321]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.673342]  ? __kthread_parkme+0x82/0x180
[   11.673361]  ? preempt_count_sub+0x50/0x80
[   11.673385]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.673407]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.673427]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.673449]  kthread+0x337/0x6f0
[   11.673467]  ? trace_preempt_on+0x20/0xc0
[   11.673488]  ? __pfx_kthread+0x10/0x10
[   11.673507]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.673526]  ? calculate_sigpending+0x7b/0xa0
[   11.673550]  ? __pfx_kthread+0x10/0x10
[   11.673570]  ret_from_fork+0x116/0x1d0
[   11.673587]  ? __pfx_kthread+0x10/0x10
[   11.673608]  ret_from_fork_asm+0x1a/0x30
[   11.673638]  </TASK>
[   11.673648] 
[   11.686174] Allocated by task 222:
[   11.686312]  kasan_save_stack+0x45/0x70
[   11.686563]  kasan_save_track+0x18/0x40
[   11.687366]  kasan_save_alloc_info+0x3b/0x50
[   11.687765]  __kasan_kmalloc+0xb7/0xc0
[   11.688098]  __kmalloc_cache_noprof+0x189/0x420
[   11.688544]  ksize_uaf+0xaa/0x6c0
[   11.688846]  kunit_try_run_case+0x1a5/0x480
[   11.689261]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.689727]  kthread+0x337/0x6f0
[   11.690048]  ret_from_fork+0x116/0x1d0
[   11.690256]  ret_from_fork_asm+0x1a/0x30
[   11.690641] 
[   11.690816] Freed by task 222:
[   11.691115]  kasan_save_stack+0x45/0x70
[   11.691398]  kasan_save_track+0x18/0x40
[   11.691574]  kasan_save_free_info+0x3f/0x60
[   11.691963]  __kasan_slab_free+0x56/0x70
[   11.692197]  kfree+0x222/0x3f0
[   11.692413]  ksize_uaf+0x12c/0x6c0
[   11.692733]  kunit_try_run_case+0x1a5/0x480
[   11.692873]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.693037]  kthread+0x337/0x6f0
[   11.693148]  ret_from_fork+0x116/0x1d0
[   11.693300]  ret_from_fork_asm+0x1a/0x30
[   11.693429] 
[   11.693538] The buggy address belongs to the object at ffff888102c54b00
[   11.693538]  which belongs to the cache kmalloc-128 of size 128
[   11.694013] The buggy address is located 120 bytes inside of
[   11.694013]  freed 128-byte region [ffff888102c54b00, ffff888102c54b80)
[   11.694491] 
[   11.694557] The buggy address belongs to the physical page:
[   11.694859] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c54
[   11.695222] flags: 0x200000000000000(node=0|zone=2)
[   11.695411] page_type: f5(slab)
[   11.695542] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.695891] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.696181] page dumped because: kasan: bad access detected
[   11.696354] 
[   11.696440] Memory state around the buggy address:
[   11.696682]  ffff888102c54a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.696995]  ffff888102c54a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.697330] >ffff888102c54b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.697616]                                                                 ^
[   11.697921]  ffff888102c54b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.698223]  ffff888102c54c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.698604] ==================================================================