Date
June 19, 2025, 12:07 p.m.
Environment | Log
---|---
qemu-arm64 | KASAN reports below (linux,dummy-virt)
qemu-x86_64 | KASAN reports below (QEMU Standard PC)
qemu-arm64:

```text
[ 30.940490] ==================================================================
[ 30.940637] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 30.940772] Read of size 1 at addr fff00000c6466e78 by task kunit_try_catch/207
[ 30.940912]
[ 30.941005] CPU: 1 UID: 0 PID: 207 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250619 #1 PREEMPT
[ 30.941226] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.941299] Hardware name: linux,dummy-virt (DT)
[ 30.941383] Call trace:
[ 30.943681]  show_stack+0x20/0x38 (C)
[ 30.943915]  dump_stack_lvl+0x8c/0xd0
[ 30.944099]  print_report+0x118/0x608
[ 30.945617]  kasan_report+0xdc/0x128
[ 30.945744]  __asan_report_load1_noabort+0x20/0x30
[ 30.945881]  ksize_uaf+0x544/0x5f8
[ 30.946001]  kunit_try_run_case+0x170/0x3f0
[ 30.946127]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.946265]  kthread+0x328/0x630
[ 30.947651]  ret_from_fork+0x10/0x20
[ 30.947863]
[ 30.947925] Allocated by task 207:
[ 30.948376]  kasan_save_stack+0x3c/0x68
[ 30.948501]  kasan_save_track+0x20/0x40
[ 30.948600]  kasan_save_alloc_info+0x40/0x58
[ 30.949425]  __kasan_kmalloc+0xd4/0xd8
[ 30.949647]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.949816]  ksize_uaf+0xb8/0x5f8
[ 30.949912]  kunit_try_run_case+0x170/0x3f0
[ 30.950604]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.950774]  kthread+0x328/0x630
[ 30.950923]  ret_from_fork+0x10/0x20
[ 30.951326]
[ 30.951522] Freed by task 207:
[ 30.951642]  kasan_save_stack+0x3c/0x68
[ 30.951751]  kasan_save_track+0x20/0x40
[ 30.951847]  kasan_save_free_info+0x4c/0x78
[ 30.951955]  __kasan_slab_free+0x6c/0x98
[ 30.952345]  kfree+0x214/0x3c8
[ 30.952656]  ksize_uaf+0x11c/0x5f8
[ 30.952967]  kunit_try_run_case+0x170/0x3f0
[ 30.953265]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.953382]  kthread+0x328/0x630
[ 30.953455]  ret_from_fork+0x10/0x20
[ 30.953546]
[ 30.953598] The buggy address belongs to the object at fff00000c6466e00
[ 30.953598]  which belongs to the cache kmalloc-128 of size 128
[ 30.954061] The buggy address is located 120 bytes inside of
[ 30.954061]  freed 128-byte region [fff00000c6466e00, fff00000c6466e80)
[ 30.954679]
[ 30.954730] The buggy address belongs to the physical page:
[ 30.954796] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106466
[ 30.955166] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.955420] page_type: f5(slab)
[ 30.955530] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000100 dead000000000122
[ 30.955662] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 30.955776] page dumped because: kasan: bad access detected
[ 30.955844]
[ 30.955903] Memory state around the buggy address:
[ 30.956005]  fff00000c6466d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.956109]  fff00000c6466d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.956213] >fff00000c6466e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.956341]                                                                  ^
[ 30.956457]  fff00000c6466e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.956573]  fff00000c6466f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.956667] ==================================================================
[ 30.907685] ==================================================================
[ 30.907865] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 30.908021] Read of size 1 at addr fff00000c6466e00 by task kunit_try_catch/207
[ 30.908146]
[ 30.908235] CPU: 1 UID: 0 PID: 207 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250619 #1 PREEMPT
[ 30.908458] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.908523] Hardware name: linux,dummy-virt (DT)
[ 30.908604] Call trace:
[ 30.908660]  show_stack+0x20/0x38 (C)
[ 30.908786]  dump_stack_lvl+0x8c/0xd0
[ 30.908921]  print_report+0x118/0x608
[ 30.909043]  kasan_report+0xdc/0x128
[ 30.909158]  __kasan_check_byte+0x54/0x70
[ 30.909274]  ksize+0x30/0x88
[ 30.909377]  ksize_uaf+0x168/0x5f8
[ 30.909487]  kunit_try_run_case+0x170/0x3f0
[ 30.909603]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.909784]  kthread+0x328/0x630
[ 30.909928]  ret_from_fork+0x10/0x20
[ 30.910038]
[ 30.910083] Allocated by task 207:
[ 30.910156]  kasan_save_stack+0x3c/0x68
[ 30.910268]  kasan_save_track+0x20/0x40
[ 30.910367]  kasan_save_alloc_info+0x40/0x58
[ 30.910472]  __kasan_kmalloc+0xd4/0xd8
[ 30.910552]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.910674]  ksize_uaf+0xb8/0x5f8
[ 30.910790]  kunit_try_run_case+0x170/0x3f0
[ 30.910927]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.911082]  kthread+0x328/0x630
[ 30.911185]  ret_from_fork+0x10/0x20
[ 30.911300]
[ 30.911358] Freed by task 207:
[ 30.911426]  kasan_save_stack+0x3c/0x68
[ 30.911524]  kasan_save_track+0x20/0x40
[ 30.911618]  kasan_save_free_info+0x4c/0x78
[ 30.911716]  __kasan_slab_free+0x6c/0x98
[ 30.911810]  kfree+0x214/0x3c8
[ 30.911905]  ksize_uaf+0x11c/0x5f8
[ 30.911976]  kunit_try_run_case+0x170/0x3f0
[ 30.912049]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.912176]  kthread+0x328/0x630
[ 30.912258]  ret_from_fork+0x10/0x20
[ 30.912371]
[ 30.912416] The buggy address belongs to the object at fff00000c6466e00
[ 30.912416]  which belongs to the cache kmalloc-128 of size 128
[ 30.912560] The buggy address is located 0 bytes inside of
[ 30.912560]  freed 128-byte region [fff00000c6466e00, fff00000c6466e80)
[ 30.912778]
[ 30.912860] The buggy address belongs to the physical page:
[ 30.913168] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106466
[ 30.913360] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.913506] page_type: f5(slab)
[ 30.913633] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000100 dead000000000122
[ 30.913793] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 30.913939] page dumped because: kasan: bad access detected
[ 30.914037]
[ 30.914096] Memory state around the buggy address:
[ 30.914204]  fff00000c6466d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.914543]  fff00000c6466d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.914655] >fff00000c6466e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.914778]                     ^
[ 30.914844]  fff00000c6466e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.915148]  fff00000c6466f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.915342] ==================================================================
[ 30.923863] ==================================================================
[ 30.924043] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 30.924187] Read of size 1 at addr fff00000c6466e00 by task kunit_try_catch/207
[ 30.924315]
[ 30.924403] CPU: 1 UID: 0 PID: 207 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250619 #1 PREEMPT
[ 30.924624] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.924690] Hardware name: linux,dummy-virt (DT)
[ 30.924770] Call trace:
[ 30.924831]  show_stack+0x20/0x38 (C)
[ 30.924953]  dump_stack_lvl+0x8c/0xd0
[ 30.925776]  print_report+0x118/0x608
[ 30.926065]  kasan_report+0xdc/0x128
[ 30.926187]  __asan_report_load1_noabort+0x20/0x30
[ 30.926307]  ksize_uaf+0x598/0x5f8
[ 30.926485]  kunit_try_run_case+0x170/0x3f0
[ 30.927116]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.927541]  kthread+0x328/0x630
[ 30.927664]  ret_from_fork+0x10/0x20
[ 30.927783]
[ 30.927840] Allocated by task 207:
[ 30.927929]  kasan_save_stack+0x3c/0x68
[ 30.928038]  kasan_save_track+0x20/0x40
[ 30.928132]  kasan_save_alloc_info+0x40/0x58
[ 30.928231]  __kasan_kmalloc+0xd4/0xd8
[ 30.928334]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.928440]  ksize_uaf+0xb8/0x5f8
[ 30.928519]  kunit_try_run_case+0x170/0x3f0
[ 30.928904]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.929025]  kthread+0x328/0x630
[ 30.929225]  ret_from_fork+0x10/0x20
[ 30.929361]
[ 30.929431] Freed by task 207:
[ 30.929531]  kasan_save_stack+0x3c/0x68
[ 30.929667]  kasan_save_track+0x20/0x40
[ 30.929800]  kasan_save_free_info+0x4c/0x78
[ 30.929917]  __kasan_slab_free+0x6c/0x98
[ 30.930018]  kfree+0x214/0x3c8
[ 30.930103]  ksize_uaf+0x11c/0x5f8
[ 30.930189]  kunit_try_run_case+0x170/0x3f0
[ 30.930297]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.930455]  kthread+0x328/0x630
[ 30.930571]  ret_from_fork+0x10/0x20
[ 30.930660]
[ 30.930715] The buggy address belongs to the object at fff00000c6466e00
[ 30.930715]  which belongs to the cache kmalloc-128 of size 128
[ 30.930880] The buggy address is located 0 bytes inside of
[ 30.930880]  freed 128-byte region [fff00000c6466e00, fff00000c6466e80)
[ 30.931032]
[ 30.931089] The buggy address belongs to the physical page:
[ 30.931174] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106466
[ 30.931311] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.931441] page_type: f5(slab)
[ 30.931527] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000100 dead000000000122
[ 30.932119] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 30.932436] page dumped because: kasan: bad access detected
[ 30.932566]
[ 30.932632] Memory state around the buggy address:
[ 30.932759]  fff00000c6466d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.932932]  fff00000c6466d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.933083] >fff00000c6466e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.933201]                     ^
[ 30.933272]  fff00000c6466e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.933408]  fff00000c6466f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.933493] ==================================================================
```
qemu-x86_64:

```text
[ 27.554263] ==================================================================
[ 27.555649] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 27.555982] Read of size 1 at addr ffff888103777100 by task kunit_try_catch/225
[ 27.556571]
[ 27.556787] CPU: 1 UID: 0 PID: 225 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250619 #1 PREEMPT(voluntary)
[ 27.556899] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.556925] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 27.556971] Call Trace:
[ 27.557013]  <TASK>
[ 27.557051]  dump_stack_lvl+0x73/0xb0
[ 27.557134]  print_report+0xd1/0x650
[ 27.557181]  ? __virt_addr_valid+0x1db/0x2d0
[ 27.557233]  ? ksize_uaf+0x5fe/0x6c0
[ 27.557278]  ? kasan_complete_mode_report_info+0x64/0x200
[ 27.557332]  ? ksize_uaf+0x5fe/0x6c0
[ 27.557377]  kasan_report+0x141/0x180
[ 27.557421]  ? ksize_uaf+0x5fe/0x6c0
[ 27.557465]  __asan_report_load1_noabort+0x18/0x20
[ 27.557510]  ksize_uaf+0x5fe/0x6c0
[ 27.557551]  ? __pfx_ksize_uaf+0x10/0x10
[ 27.557589]  ? __schedule+0x10cc/0x2b60
[ 27.557628]  ? __pfx_read_tsc+0x10/0x10
[ 27.557669]  ? ktime_get_ts64+0x86/0x230
[ 27.557713]  kunit_try_run_case+0x1a5/0x480
[ 27.557761]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.557804]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 27.557849]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 27.557892]  ? __kthread_parkme+0x82/0x180
[ 27.557958]  ? preempt_count_sub+0x50/0x80
[ 27.558005]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.558048]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.558095]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 27.558156]  kthread+0x337/0x6f0
[ 27.558193]  ? trace_preempt_on+0x20/0xc0
[ 27.558220]  ? __pfx_kthread+0x10/0x10
[ 27.558242]  ? _raw_spin_unlock_irq+0x47/0x80
[ 27.558265]  ? calculate_sigpending+0x7b/0xa0
[ 27.558291]  ? __pfx_kthread+0x10/0x10
[ 27.558314]  ret_from_fork+0x116/0x1d0
[ 27.558338]  ? __pfx_kthread+0x10/0x10
[ 27.558360]  ret_from_fork_asm+0x1a/0x30
[ 27.558395]  </TASK>
[ 27.558408]
[ 27.567141] Allocated by task 225:
[ 27.567548]  kasan_save_stack+0x45/0x70
[ 27.567963]  kasan_save_track+0x18/0x40
[ 27.568320]  kasan_save_alloc_info+0x3b/0x50
[ 27.568679]  __kasan_kmalloc+0xb7/0xc0
[ 27.568879]  __kmalloc_cache_noprof+0x189/0x420
[ 27.569282]  ksize_uaf+0xaa/0x6c0
[ 27.569525]  kunit_try_run_case+0x1a5/0x480
[ 27.569821]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.571012]  kthread+0x337/0x6f0
[ 27.571256]  ret_from_fork+0x116/0x1d0
[ 27.571472]  ret_from_fork_asm+0x1a/0x30
[ 27.573156]
[ 27.573363] Freed by task 225:
[ 27.573668]  kasan_save_stack+0x45/0x70
[ 27.574161]  kasan_save_track+0x18/0x40
[ 27.574880]  kasan_save_free_info+0x3f/0x60
[ 27.575071]  __kasan_slab_free+0x56/0x70
[ 27.575195]  kfree+0x222/0x3f0
[ 27.575279]  ksize_uaf+0x12c/0x6c0
[ 27.575368]  kunit_try_run_case+0x1a5/0x480
[ 27.575462]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.575569]  kthread+0x337/0x6f0
[ 27.575647]  ret_from_fork+0x116/0x1d0
[ 27.575731]  ret_from_fork_asm+0x1a/0x30
[ 27.575820]
[ 27.575871] The buggy address belongs to the object at ffff888103777100
[ 27.575871]  which belongs to the cache kmalloc-128 of size 128
[ 27.576162] The buggy address is located 0 bytes inside of
[ 27.576162]  freed 128-byte region [ffff888103777100, ffff888103777180)
[ 27.576717]
[ 27.576837] The buggy address belongs to the physical page:
[ 27.578495] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103777
[ 27.578837] flags: 0x200000000000000(node=0|zone=2)
[ 27.579700] page_type: f5(slab)
[ 27.579899] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 27.580326] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 27.580671] page dumped because: kasan: bad access detected
[ 27.581090]
[ 27.581211] Memory state around the buggy address:
[ 27.581454]  ffff888103777000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.581782]  ffff888103777080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.582781] >ffff888103777100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.583193]                     ^
[ 27.583689]  ffff888103777180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.583928]  ffff888103777200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.584671] ==================================================================
[ 27.586082] ==================================================================
[ 27.587353] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 27.588210] Read of size 1 at addr ffff888103777178 by task kunit_try_catch/225
[ 27.589359]
[ 27.589724] CPU: 1 UID: 0 PID: 225 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250619 #1 PREEMPT(voluntary)
[ 27.589856] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.589885] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 27.589932] Call Trace:
[ 27.589977]  <TASK>
[ 27.590016]  dump_stack_lvl+0x73/0xb0
[ 27.590066]  print_report+0xd1/0x650
[ 27.590091]  ? __virt_addr_valid+0x1db/0x2d0
[ 27.590143]  ? ksize_uaf+0x5e4/0x6c0
[ 27.590165]  ? kasan_complete_mode_report_info+0x64/0x200
[ 27.590192]  ? ksize_uaf+0x5e4/0x6c0
[ 27.590214]  kasan_report+0x141/0x180
[ 27.590237]  ? ksize_uaf+0x5e4/0x6c0
[ 27.590262]  __asan_report_load1_noabort+0x18/0x20
[ 27.590287]  ksize_uaf+0x5e4/0x6c0
[ 27.590308]  ? __pfx_ksize_uaf+0x10/0x10
[ 27.590330]  ? __schedule+0x10cc/0x2b60
[ 27.590354]  ? __pfx_read_tsc+0x10/0x10
[ 27.590376]  ? ktime_get_ts64+0x86/0x230
[ 27.590404]  kunit_try_run_case+0x1a5/0x480
[ 27.590430]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.590453]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 27.590477]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 27.590500]  ? __kthread_parkme+0x82/0x180
[ 27.590522]  ? preempt_count_sub+0x50/0x80
[ 27.590546]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.590570]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.590593]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 27.590616]  kthread+0x337/0x6f0
[ 27.590636]  ? trace_preempt_on+0x20/0xc0
[ 27.590660]  ? __pfx_kthread+0x10/0x10
[ 27.590682]  ? _raw_spin_unlock_irq+0x47/0x80
[ 27.590703]  ? calculate_sigpending+0x7b/0xa0
[ 27.590728]  ? __pfx_kthread+0x10/0x10
[ 27.590750]  ret_from_fork+0x116/0x1d0
[ 27.590770]  ? __pfx_kthread+0x10/0x10
[ 27.590791]  ret_from_fork_asm+0x1a/0x30
[ 27.590823]  </TASK>
[ 27.590835]
[ 27.603118] Allocated by task 225:
[ 27.604040]  kasan_save_stack+0x45/0x70
[ 27.604348]  kasan_save_track+0x18/0x40
[ 27.604645]  kasan_save_alloc_info+0x3b/0x50
[ 27.605074]  __kasan_kmalloc+0xb7/0xc0
[ 27.605647]  __kmalloc_cache_noprof+0x189/0x420
[ 27.605823]  ksize_uaf+0xaa/0x6c0
[ 27.606339]  kunit_try_run_case+0x1a5/0x480
[ 27.606567]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.607318]  kthread+0x337/0x6f0
[ 27.607614]  ret_from_fork+0x116/0x1d0
[ 27.608127]  ret_from_fork_asm+0x1a/0x30
[ 27.608349]
[ 27.608463] Freed by task 225:
[ 27.608779]  kasan_save_stack+0x45/0x70
[ 27.609278]  kasan_save_track+0x18/0x40
[ 27.609432]  kasan_save_free_info+0x3f/0x60
[ 27.609754]  __kasan_slab_free+0x56/0x70
[ 27.610193]  kfree+0x222/0x3f0
[ 27.610715]  ksize_uaf+0x12c/0x6c0
[ 27.610869]  kunit_try_run_case+0x1a5/0x480
[ 27.611241]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.611951]  kthread+0x337/0x6f0
[ 27.612238]  ret_from_fork+0x116/0x1d0
[ 27.612759]  ret_from_fork_asm+0x1a/0x30
[ 27.613116]
[ 27.613215] The buggy address belongs to the object at ffff888103777100
[ 27.613215]  which belongs to the cache kmalloc-128 of size 128
[ 27.614002] The buggy address is located 120 bytes inside of
[ 27.614002]  freed 128-byte region [ffff888103777100, ffff888103777180)
[ 27.614662]
[ 27.614785] The buggy address belongs to the physical page:
[ 27.615340] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103777
[ 27.616361] flags: 0x200000000000000(node=0|zone=2)
[ 27.616913] page_type: f5(slab)
[ 27.617225] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 27.617812] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 27.618782] page dumped because: kasan: bad access detected
[ 27.619178]
[ 27.619300] Memory state around the buggy address:
[ 27.619546]  ffff888103777000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.619900]  ffff888103777080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.620175] >ffff888103777100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.620508]                                                                  ^
[ 27.620863]  ffff888103777180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.622312]  ffff888103777200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.622912] ==================================================================
[ 27.514523] ==================================================================
[ 27.515117] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 27.515755] Read of size 1 at addr ffff888103777100 by task kunit_try_catch/225
[ 27.516819]
[ 27.517237] CPU: 1 UID: 0 PID: 225 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250619 #1 PREEMPT(voluntary)
[ 27.517330] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.517355] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 27.517400] Call Trace:
[ 27.517431]  <TASK>
[ 27.517515]  dump_stack_lvl+0x73/0xb0
[ 27.517622]  print_report+0xd1/0x650
[ 27.517677]  ? __virt_addr_valid+0x1db/0x2d0
[ 27.517707]  ? ksize_uaf+0x19d/0x6c0
[ 27.517729]  ? kasan_complete_mode_report_info+0x64/0x200
[ 27.517757]  ? ksize_uaf+0x19d/0x6c0
[ 27.517779]  kasan_report+0x141/0x180
[ 27.517802]  ? ksize_uaf+0x19d/0x6c0
[ 27.517825]  ? ksize_uaf+0x19d/0x6c0
[ 27.517847]  __kasan_check_byte+0x3d/0x50
[ 27.517869]  ksize+0x20/0x60
[ 27.517892]  ksize_uaf+0x19d/0x6c0
[ 27.517993]  ? __pfx_ksize_uaf+0x10/0x10
[ 27.518018]  ? __schedule+0x10cc/0x2b60
[ 27.518043]  ? __pfx_read_tsc+0x10/0x10
[ 27.518066]  ? ktime_get_ts64+0x86/0x230
[ 27.518094]  kunit_try_run_case+0x1a5/0x480
[ 27.518144]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.518168]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 27.518192]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 27.518216]  ? __kthread_parkme+0x82/0x180
[ 27.518240]  ? preempt_count_sub+0x50/0x80
[ 27.518266]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.518290]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.518314]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 27.518337]  kthread+0x337/0x6f0
[ 27.518359]  ? trace_preempt_on+0x20/0xc0
[ 27.518385]  ? __pfx_kthread+0x10/0x10
[ 27.518407]  ? _raw_spin_unlock_irq+0x47/0x80
[ 27.518429]  ? calculate_sigpending+0x7b/0xa0
[ 27.518455]  ? __pfx_kthread+0x10/0x10
[ 27.518478]  ret_from_fork+0x116/0x1d0
[ 27.518499]  ? __pfx_kthread+0x10/0x10
[ 27.518521]  ret_from_fork_asm+0x1a/0x30
[ 27.518553]  </TASK>
[ 27.518567]
[ 27.532692] Allocated by task 225:
[ 27.533074]  kasan_save_stack+0x45/0x70
[ 27.533546]  kasan_save_track+0x18/0x40
[ 27.533940]  kasan_save_alloc_info+0x3b/0x50
[ 27.534423]  __kasan_kmalloc+0xb7/0xc0
[ 27.534718]  __kmalloc_cache_noprof+0x189/0x420
[ 27.535322]  ksize_uaf+0xaa/0x6c0
[ 27.535793]  kunit_try_run_case+0x1a5/0x480
[ 27.536147]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.536751]  kthread+0x337/0x6f0
[ 27.537134]  ret_from_fork+0x116/0x1d0
[ 27.537416]  ret_from_fork_asm+0x1a/0x30
[ 27.537707]
[ 27.537839] Freed by task 225:
[ 27.538536]  kasan_save_stack+0x45/0x70
[ 27.538996]  kasan_save_track+0x18/0x40
[ 27.539184]  kasan_save_free_info+0x3f/0x60
[ 27.539469]  __kasan_slab_free+0x56/0x70
[ 27.539821]  kfree+0x222/0x3f0
[ 27.540255]  ksize_uaf+0x12c/0x6c0
[ 27.540548]  kunit_try_run_case+0x1a5/0x480
[ 27.540832]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.541619]  kthread+0x337/0x6f0
[ 27.542009]  ret_from_fork+0x116/0x1d0
[ 27.542198]  ret_from_fork_asm+0x1a/0x30
[ 27.542469]
[ 27.542649] The buggy address belongs to the object at ffff888103777100
[ 27.542649]  which belongs to the cache kmalloc-128 of size 128
[ 27.543393] The buggy address is located 0 bytes inside of
[ 27.543393]  freed 128-byte region [ffff888103777100, ffff888103777180)
[ 27.544990]
[ 27.545217] The buggy address belongs to the physical page:
[ 27.545574] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103777
[ 27.546041] flags: 0x200000000000000(node=0|zone=2)
[ 27.546450] page_type: f5(slab)
[ 27.546773] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 27.547157] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 27.547907] page dumped because: kasan: bad access detected
[ 27.548273]
[ 27.548450] Memory state around the buggy address:
[ 27.548806]  ffff888103777000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.549754]  ffff888103777080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.550531] >ffff888103777100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.551002]                     ^
[ 27.551553]  ffff888103777180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.552027]  ffff888103777200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.552487] ==================================================================
```