Hay
Date
June 20, 2025, 12:38 p.m.

Environment
qemu-arm64
qemu-x86_64

Note: the KASAN reports below are all raised from `ksize_uaf` in task `kunit_try_catch`, and the kernel is tainted `[N]=TEST`, which indicates they come from the KASAN KUnit self-test rather than from a use-after-free in production code. Each architecture shows three expected reads of the same freed kmalloc-128 object: one through `ksize()` (caught by `__kasan_check_byte`), one direct 1-byte read at offset 0, and one at offset 120 (the last byte of the 128-byte region). For this test the reports are presumably the pass condition (the test expects KASAN to fire); the absence of one of them, or a report from a function other than `ksize_uaf`, would be the thing to investigate.

[   32.476269] ==================================================================
[   32.476876] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   32.477068] Read of size 1 at addr fff00000c44dfc00 by task kunit_try_catch/207
[   32.477317] 
[   32.477557] CPU: 1 UID: 0 PID: 207 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250620 #1 PREEMPT 
[   32.478422] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.478557] Hardware name: linux,dummy-virt (DT)
[   32.478769] Call trace:
[   32.478859]  show_stack+0x20/0x38 (C)
[   32.479002]  dump_stack_lvl+0x8c/0xd0
[   32.479580]  print_report+0x118/0x608
[   32.479732]  kasan_report+0xdc/0x128
[   32.480172]  __asan_report_load1_noabort+0x20/0x30
[   32.480506]  ksize_uaf+0x598/0x5f8
[   32.480638]  kunit_try_run_case+0x170/0x3f0
[   32.480739]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.481359]  kthread+0x328/0x630
[   32.481525]  ret_from_fork+0x10/0x20
[   32.481940] 
[   32.482047] Allocated by task 207:
[   32.482265]  kasan_save_stack+0x3c/0x68
[   32.482512]  kasan_save_track+0x20/0x40
[   32.482635]  kasan_save_alloc_info+0x40/0x58
[   32.482950]  __kasan_kmalloc+0xd4/0xd8
[   32.483357]  __kmalloc_cache_noprof+0x16c/0x3c0
[   32.483660]  ksize_uaf+0xb8/0x5f8
[   32.483789]  kunit_try_run_case+0x170/0x3f0
[   32.483894]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.484370]  kthread+0x328/0x630
[   32.484570]  ret_from_fork+0x10/0x20
[   32.484816] 
[   32.484975] Freed by task 207:
[   32.485122]  kasan_save_stack+0x3c/0x68
[   32.485286]  kasan_save_track+0x20/0x40
[   32.485395]  kasan_save_free_info+0x4c/0x78
[   32.485662]  __kasan_slab_free+0x6c/0x98
[   32.485907]  kfree+0x214/0x3c8
[   32.486171]  ksize_uaf+0x11c/0x5f8
[   32.486252]  kunit_try_run_case+0x170/0x3f0
[   32.486399]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.486527]  kthread+0x328/0x630
[   32.486601]  ret_from_fork+0x10/0x20
[   32.486697] 
[   32.486775] The buggy address belongs to the object at fff00000c44dfc00
[   32.486775]  which belongs to the cache kmalloc-128 of size 128
[   32.486952] The buggy address is located 0 bytes inside of
[   32.486952]  freed 128-byte region [fff00000c44dfc00, fff00000c44dfc80)
[   32.487134] 
[   32.487212] The buggy address belongs to the physical page:
[   32.487339] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1044df
[   32.487545] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.487745] page_type: f5(slab)
[   32.487885] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   32.488022] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   32.488175] page dumped because: kasan: bad access detected
[   32.488283] 
[   32.488374] Memory state around the buggy address:
[   32.488441]  fff00000c44dfb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.488550]  fff00000c44dfb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.488671] >fff00000c44dfc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.488828]                    ^
[   32.488891]  fff00000c44dfc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.488999]  fff00000c44dfd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.489096] ==================================================================
[   32.459046] ==================================================================
[   32.459811] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   32.460193] Read of size 1 at addr fff00000c44dfc00 by task kunit_try_catch/207
[   32.460417] 
[   32.460617] CPU: 1 UID: 0 PID: 207 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250620 #1 PREEMPT 
[   32.461153] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.461263] Hardware name: linux,dummy-virt (DT)
[   32.461387] Call trace:
[   32.461743]  show_stack+0x20/0x38 (C)
[   32.462031]  dump_stack_lvl+0x8c/0xd0
[   32.462167]  print_report+0x118/0x608
[   32.462278]  kasan_report+0xdc/0x128
[   32.462392]  __kasan_check_byte+0x54/0x70
[   32.462508]  ksize+0x30/0x88
[   32.462622]  ksize_uaf+0x168/0x5f8
[   32.463231]  kunit_try_run_case+0x170/0x3f0
[   32.463519]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.463877]  kthread+0x328/0x630
[   32.464063]  ret_from_fork+0x10/0x20
[   32.464216] 
[   32.464346] Allocated by task 207:
[   32.464547]  kasan_save_stack+0x3c/0x68
[   32.464774]  kasan_save_track+0x20/0x40
[   32.464866]  kasan_save_alloc_info+0x40/0x58
[   32.464942]  __kasan_kmalloc+0xd4/0xd8
[   32.465005]  __kmalloc_cache_noprof+0x16c/0x3c0
[   32.465084]  ksize_uaf+0xb8/0x5f8
[   32.465163]  kunit_try_run_case+0x170/0x3f0
[   32.465254]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.465363]  kthread+0x328/0x630
[   32.466136]  ret_from_fork+0x10/0x20
[   32.466444] 
[   32.466557] Freed by task 207:
[   32.466731]  kasan_save_stack+0x3c/0x68
[   32.466837]  kasan_save_track+0x20/0x40
[   32.466926]  kasan_save_free_info+0x4c/0x78
[   32.467033]  __kasan_slab_free+0x6c/0x98
[   32.467129]  kfree+0x214/0x3c8
[   32.467212]  ksize_uaf+0x11c/0x5f8
[   32.467294]  kunit_try_run_case+0x170/0x3f0
[   32.467395]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.467523]  kthread+0x328/0x630
[   32.467617]  ret_from_fork+0x10/0x20
[   32.467715] 
[   32.467764] The buggy address belongs to the object at fff00000c44dfc00
[   32.467764]  which belongs to the cache kmalloc-128 of size 128
[   32.467923] The buggy address is located 0 bytes inside of
[   32.467923]  freed 128-byte region [fff00000c44dfc00, fff00000c44dfc80)
[   32.468088] 
[   32.468152] The buggy address belongs to the physical page:
[   32.468836] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1044df
[   32.469240] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.469388] page_type: f5(slab)
[   32.469490] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   32.469640] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   32.469799] page dumped because: kasan: bad access detected
[   32.470012] 
[   32.470102] Memory state around the buggy address:
[   32.470223]  fff00000c44dfb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.470337]  fff00000c44dfb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.470454] >fff00000c44dfc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.470555]                    ^
[   32.470640]  fff00000c44dfc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.470757]  fff00000c44dfd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.470864] ==================================================================
[   32.490889] ==================================================================
[   32.491094] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   32.491267] Read of size 1 at addr fff00000c44dfc78 by task kunit_try_catch/207
[   32.491452] 
[   32.491580] CPU: 1 UID: 0 PID: 207 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250620 #1 PREEMPT 
[   32.491842] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.491909] Hardware name: linux,dummy-virt (DT)
[   32.491991] Call trace:
[   32.492048]  show_stack+0x20/0x38 (C)
[   32.492175]  dump_stack_lvl+0x8c/0xd0
[   32.492289]  print_report+0x118/0x608
[   32.492428]  kasan_report+0xdc/0x128
[   32.492534]  __asan_report_load1_noabort+0x20/0x30
[   32.492693]  ksize_uaf+0x544/0x5f8
[   32.492800]  kunit_try_run_case+0x170/0x3f0
[   32.492924]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.493055]  kthread+0x328/0x630
[   32.493198]  ret_from_fork+0x10/0x20
[   32.493319] 
[   32.493388] Allocated by task 207:
[   32.493535]  kasan_save_stack+0x3c/0x68
[   32.493729]  kasan_save_track+0x20/0x40
[   32.493847]  kasan_save_alloc_info+0x40/0x58
[   32.493958]  __kasan_kmalloc+0xd4/0xd8
[   32.494070]  __kmalloc_cache_noprof+0x16c/0x3c0
[   32.494170]  ksize_uaf+0xb8/0x5f8
[   32.494240]  kunit_try_run_case+0x170/0x3f0
[   32.494325]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.494417]  kthread+0x328/0x630
[   32.494492]  ret_from_fork+0x10/0x20
[   32.494560] 
[   32.494595] Freed by task 207:
[   32.494672]  kasan_save_stack+0x3c/0x68
[   32.494813]  kasan_save_track+0x20/0x40
[   32.494924]  kasan_save_free_info+0x4c/0x78
[   32.495018]  __kasan_slab_free+0x6c/0x98
[   32.495104]  kfree+0x214/0x3c8
[   32.495200]  ksize_uaf+0x11c/0x5f8
[   32.495285]  kunit_try_run_case+0x170/0x3f0
[   32.495381]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.495507]  kthread+0x328/0x630
[   32.495585]  ret_from_fork+0x10/0x20
[   32.495725] 
[   32.495796] The buggy address belongs to the object at fff00000c44dfc00
[   32.495796]  which belongs to the cache kmalloc-128 of size 128
[   32.496017] The buggy address is located 120 bytes inside of
[   32.496017]  freed 128-byte region [fff00000c44dfc00, fff00000c44dfc80)
[   32.496177] 
[   32.496244] The buggy address belongs to the physical page:
[   32.496372] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1044df
[   32.496502] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.496826] page_type: f5(slab)
[   32.496946] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   32.497116] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   32.497235] page dumped because: kasan: bad access detected
[   32.497316] 
[   32.497363] Memory state around the buggy address:
[   32.497437]  fff00000c44dfb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.497522]  fff00000c44dfb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.497647] >fff00000c44dfc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.497747]                                                                 ^
[   32.497895]  fff00000c44dfc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.498004]  fff00000c44dfd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.498099] ==================================================================

[   26.182362] ==================================================================
[   26.183860] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   26.184363] Read of size 1 at addr ffff88810232a300 by task kunit_try_catch/225
[   26.184914] 
[   26.185116] CPU: 0 UID: 0 PID: 225 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250620 #1 PREEMPT(voluntary) 
[   26.185253] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.185281] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   26.185328] Call Trace:
[   26.185371]  <TASK>
[   26.185413]  dump_stack_lvl+0x73/0xb0
[   26.185493]  print_report+0xd1/0x650
[   26.185541]  ? __virt_addr_valid+0x1db/0x2d0
[   26.185761]  ? ksize_uaf+0x5fe/0x6c0
[   26.185804]  ? kasan_complete_mode_report_info+0x64/0x200
[   26.185850]  ? ksize_uaf+0x5fe/0x6c0
[   26.185890]  kasan_report+0x141/0x180
[   26.185938]  ? ksize_uaf+0x5fe/0x6c0
[   26.185994]  __asan_report_load1_noabort+0x18/0x20
[   26.186053]  ksize_uaf+0x5fe/0x6c0
[   26.186091]  ? __pfx_ksize_uaf+0x10/0x10
[   26.186116]  ? __schedule+0x207f/0x2b60
[   26.186155]  ? __pfx_read_tsc+0x10/0x10
[   26.186192]  ? ktime_get_ts64+0x86/0x230
[   26.186222]  kunit_try_run_case+0x1a5/0x480
[   26.186251]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.186275]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   26.186300]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.186324]  ? __kthread_parkme+0x82/0x180
[   26.186348]  ? preempt_count_sub+0x50/0x80
[   26.186373]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.186398]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.186424]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.186467]  kthread+0x337/0x6f0
[   26.186492]  ? trace_preempt_on+0x20/0xc0
[   26.186517]  ? __pfx_kthread+0x10/0x10
[   26.186540]  ? _raw_spin_unlock_irq+0x47/0x80
[   26.186602]  ? calculate_sigpending+0x7b/0xa0
[   26.186653]  ? __pfx_kthread+0x10/0x10
[   26.186691]  ret_from_fork+0x116/0x1d0
[   26.186714]  ? __pfx_kthread+0x10/0x10
[   26.186737]  ret_from_fork_asm+0x1a/0x30
[   26.186770]  </TASK>
[   26.186785] 
[   26.200712] Allocated by task 225:
[   26.200991]  kasan_save_stack+0x45/0x70
[   26.202256]  kasan_save_track+0x18/0x40
[   26.202500]  kasan_save_alloc_info+0x3b/0x50
[   26.202755]  __kasan_kmalloc+0xb7/0xc0
[   26.202931]  __kmalloc_cache_noprof+0x189/0x420
[   26.203349]  ksize_uaf+0xaa/0x6c0
[   26.203638]  kunit_try_run_case+0x1a5/0x480
[   26.203875]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.204163]  kthread+0x337/0x6f0
[   26.204434]  ret_from_fork+0x116/0x1d0
[   26.205682]  ret_from_fork_asm+0x1a/0x30
[   26.205977] 
[   26.206080] Freed by task 225:
[   26.206299]  kasan_save_stack+0x45/0x70
[   26.206841]  kasan_save_track+0x18/0x40
[   26.207123]  kasan_save_free_info+0x3f/0x60
[   26.207427]  __kasan_slab_free+0x56/0x70
[   26.208025]  kfree+0x222/0x3f0
[   26.208799]  ksize_uaf+0x12c/0x6c0
[   26.209305]  kunit_try_run_case+0x1a5/0x480
[   26.209524]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.209962]  kthread+0x337/0x6f0
[   26.210259]  ret_from_fork+0x116/0x1d0
[   26.210665]  ret_from_fork_asm+0x1a/0x30
[   26.211213] 
[   26.211671] The buggy address belongs to the object at ffff88810232a300
[   26.211671]  which belongs to the cache kmalloc-128 of size 128
[   26.212573] The buggy address is located 0 bytes inside of
[   26.212573]  freed 128-byte region [ffff88810232a300, ffff88810232a380)
[   26.213202] 
[   26.213387] The buggy address belongs to the physical page:
[   26.213799] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10232a
[   26.214177] flags: 0x200000000000000(node=0|zone=2)
[   26.214490] page_type: f5(slab)
[   26.214779] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   26.215067] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   26.215719] page dumped because: kasan: bad access detected
[   26.215941] 
[   26.216069] Memory state around the buggy address:
[   26.216476]  ffff88810232a200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.217059]  ffff88810232a280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.217479] >ffff88810232a300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.218512]                    ^
[   26.218952]  ffff88810232a380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.219480]  ffff88810232a400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.220104] ==================================================================
[   26.145215] ==================================================================
[   26.146239] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   26.146968] Read of size 1 at addr ffff88810232a300 by task kunit_try_catch/225
[   26.147353] 
[   26.147971] CPU: 0 UID: 0 PID: 225 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250620 #1 PREEMPT(voluntary) 
[   26.148119] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.148149] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   26.148195] Call Trace:
[   26.148221]  <TASK>
[   26.148257]  dump_stack_lvl+0x73/0xb0
[   26.148332]  print_report+0xd1/0x650
[   26.148374]  ? __virt_addr_valid+0x1db/0x2d0
[   26.148431]  ? ksize_uaf+0x19d/0x6c0
[   26.148497]  ? kasan_complete_mode_report_info+0x64/0x200
[   26.148552]  ? ksize_uaf+0x19d/0x6c0
[   26.148590]  kasan_report+0x141/0x180
[   26.148630]  ? ksize_uaf+0x19d/0x6c0
[   26.148676]  ? ksize_uaf+0x19d/0x6c0
[   26.148718]  __kasan_check_byte+0x3d/0x50
[   26.148773]  ksize+0x20/0x60
[   26.148816]  ksize_uaf+0x19d/0x6c0
[   26.149000]  ? __pfx_ksize_uaf+0x10/0x10
[   26.149054]  ? __schedule+0x207f/0x2b60
[   26.149119]  ? __pfx_read_tsc+0x10/0x10
[   26.149170]  ? ktime_get_ts64+0x86/0x230
[   26.149219]  kunit_try_run_case+0x1a5/0x480
[   26.149267]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.149304]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   26.149329]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.149354]  ? __kthread_parkme+0x82/0x180
[   26.149378]  ? preempt_count_sub+0x50/0x80
[   26.149404]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.149429]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.149479]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.149506]  kthread+0x337/0x6f0
[   26.149528]  ? trace_preempt_on+0x20/0xc0
[   26.149564]  ? __pfx_kthread+0x10/0x10
[   26.149599]  ? _raw_spin_unlock_irq+0x47/0x80
[   26.149632]  ? calculate_sigpending+0x7b/0xa0
[   26.149672]  ? __pfx_kthread+0x10/0x10
[   26.149704]  ret_from_fork+0x116/0x1d0
[   26.149725]  ? __pfx_kthread+0x10/0x10
[   26.149747]  ret_from_fork_asm+0x1a/0x30
[   26.149782]  </TASK>
[   26.149796] 
[   26.162979] Allocated by task 225:
[   26.163965]  kasan_save_stack+0x45/0x70
[   26.164355]  kasan_save_track+0x18/0x40
[   26.164547]  kasan_save_alloc_info+0x3b/0x50
[   26.165101]  __kasan_kmalloc+0xb7/0xc0
[   26.165278]  __kmalloc_cache_noprof+0x189/0x420
[   26.165436]  ksize_uaf+0xaa/0x6c0
[   26.165569]  kunit_try_run_case+0x1a5/0x480
[   26.165706]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.165930]  kthread+0x337/0x6f0
[   26.166389]  ret_from_fork+0x116/0x1d0
[   26.167333]  ret_from_fork_asm+0x1a/0x30
[   26.167685] 
[   26.167833] Freed by task 225:
[   26.167973]  kasan_save_stack+0x45/0x70
[   26.168314]  kasan_save_track+0x18/0x40
[   26.168613]  kasan_save_free_info+0x3f/0x60
[   26.168887]  __kasan_slab_free+0x56/0x70
[   26.169132]  kfree+0x222/0x3f0
[   26.169346]  ksize_uaf+0x12c/0x6c0
[   26.169843]  kunit_try_run_case+0x1a5/0x480
[   26.170296]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.170916]  kthread+0x337/0x6f0
[   26.171316]  ret_from_fork+0x116/0x1d0
[   26.172149]  ret_from_fork_asm+0x1a/0x30
[   26.172370] 
[   26.172567] The buggy address belongs to the object at ffff88810232a300
[   26.172567]  which belongs to the cache kmalloc-128 of size 128
[   26.173586] The buggy address is located 0 bytes inside of
[   26.173586]  freed 128-byte region [ffff88810232a300, ffff88810232a380)
[   26.174212] 
[   26.174392] The buggy address belongs to the physical page:
[   26.174863] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10232a
[   26.175678] flags: 0x200000000000000(node=0|zone=2)
[   26.176032] page_type: f5(slab)
[   26.176213] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   26.176477] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   26.177039] page dumped because: kasan: bad access detected
[   26.177722] 
[   26.178215] Memory state around the buggy address:
[   26.178620]  ffff88810232a200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.178890]  ffff88810232a280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.179233] >ffff88810232a300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.179951]                    ^
[   26.180289]  ffff88810232a380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.180914]  ffff88810232a400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.181311] ==================================================================
[   26.222865] ==================================================================
[   26.223437] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   26.223831] Read of size 1 at addr ffff88810232a378 by task kunit_try_catch/225
[   26.224653] 
[   26.224886] CPU: 0 UID: 0 PID: 225 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250620 #1 PREEMPT(voluntary) 
[   26.224984] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.225008] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   26.225053] Call Trace:
[   26.225081]  <TASK>
[   26.225118]  dump_stack_lvl+0x73/0xb0
[   26.225182]  print_report+0xd1/0x650
[   26.225221]  ? __virt_addr_valid+0x1db/0x2d0
[   26.225270]  ? ksize_uaf+0x5e4/0x6c0
[   26.225309]  ? kasan_complete_mode_report_info+0x64/0x200
[   26.225354]  ? ksize_uaf+0x5e4/0x6c0
[   26.225393]  kasan_report+0x141/0x180
[   26.225438]  ? ksize_uaf+0x5e4/0x6c0
[   26.225666]  __asan_report_load1_noabort+0x18/0x20
[   26.225710]  ksize_uaf+0x5e4/0x6c0
[   26.225734]  ? __pfx_ksize_uaf+0x10/0x10
[   26.225757]  ? __schedule+0x207f/0x2b60
[   26.225783]  ? __pfx_read_tsc+0x10/0x10
[   26.225806]  ? ktime_get_ts64+0x86/0x230
[   26.225835]  kunit_try_run_case+0x1a5/0x480
[   26.225862]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.225886]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   26.225910]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.225934]  ? __kthread_parkme+0x82/0x180
[   26.225957]  ? preempt_count_sub+0x50/0x80
[   26.225982]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.226008]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.226050]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.226078]  kthread+0x337/0x6f0
[   26.226099]  ? trace_preempt_on+0x20/0xc0
[   26.226124]  ? __pfx_kthread+0x10/0x10
[   26.226167]  ? _raw_spin_unlock_irq+0x47/0x80
[   26.226202]  ? calculate_sigpending+0x7b/0xa0
[   26.226228]  ? __pfx_kthread+0x10/0x10
[   26.226251]  ret_from_fork+0x116/0x1d0
[   26.226271]  ? __pfx_kthread+0x10/0x10
[   26.226293]  ret_from_fork_asm+0x1a/0x30
[   26.226325]  </TASK>
[   26.226339] 
[   26.237527] Allocated by task 225:
[   26.237954]  kasan_save_stack+0x45/0x70
[   26.238290]  kasan_save_track+0x18/0x40
[   26.238525]  kasan_save_alloc_info+0x3b/0x50
[   26.238778]  __kasan_kmalloc+0xb7/0xc0
[   26.239007]  __kmalloc_cache_noprof+0x189/0x420
[   26.240096]  ksize_uaf+0xaa/0x6c0
[   26.241010]  kunit_try_run_case+0x1a5/0x480
[   26.241274]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.241502]  kthread+0x337/0x6f0
[   26.241658]  ret_from_fork+0x116/0x1d0
[   26.241890]  ret_from_fork_asm+0x1a/0x30
[   26.242126] 
[   26.242297] Freed by task 225:
[   26.242562]  kasan_save_stack+0x45/0x70
[   26.243020]  kasan_save_track+0x18/0x40
[   26.243969]  kasan_save_free_info+0x3f/0x60
[   26.244353]  __kasan_slab_free+0x56/0x70
[   26.244548]  kfree+0x222/0x3f0
[   26.244799]  ksize_uaf+0x12c/0x6c0
[   26.245096]  kunit_try_run_case+0x1a5/0x480
[   26.245298]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.245697]  kthread+0x337/0x6f0
[   26.245927]  ret_from_fork+0x116/0x1d0
[   26.246335]  ret_from_fork_asm+0x1a/0x30
[   26.246574] 
[   26.246680] The buggy address belongs to the object at ffff88810232a300
[   26.246680]  which belongs to the cache kmalloc-128 of size 128
[   26.247364] The buggy address is located 120 bytes inside of
[   26.247364]  freed 128-byte region [ffff88810232a300, ffff88810232a380)
[   26.248552] 
[   26.249187] The buggy address belongs to the physical page:
[   26.249667] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10232a
[   26.250306] flags: 0x200000000000000(node=0|zone=2)
[   26.250896] page_type: f5(slab)
[   26.251367] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   26.252137] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   26.252766] page dumped because: kasan: bad access detected
[   26.253363] 
[   26.253599] Memory state around the buggy address:
[   26.254616]  ffff88810232a200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.254926]  ffff88810232a280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.255157] >ffff88810232a300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.256037]                                                                 ^
[   26.256535]  ffff88810232a380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.257474]  ffff88810232a400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.257916] ==================================================================