Hay
Sign in
Date
June 23, 2025, 7:07 a.m.

Environment
qemu-arm64
qemu-x86_64 

[   33.372348] ==================================================================
[   33.372470] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   33.372595] Read of size 1 at addr fff00000c63f7500 by task kunit_try_catch/208
[   33.372704] 
[   33.372774] CPU: 1 UID: 0 PID: 208 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250623 #1 PREEMPT 
[   33.372968] Tainted: [B]=BAD_PAGE, [N]=TEST
[   33.373065] Hardware name: linux,dummy-virt (DT)
[   33.373152] Call trace:
[   33.373218]  show_stack+0x20/0x38 (C)
[   33.373359]  dump_stack_lvl+0x8c/0xd0
[   33.373717]  print_report+0x118/0x608
[   33.373857]  kasan_report+0xdc/0x128
[   33.373993]  __kasan_check_byte+0x54/0x70
[   33.374342]  ksize+0x30/0x88
[   33.374463]  ksize_uaf+0x168/0x5f8
[   33.374689]  kunit_try_run_case+0x170/0x3f0
[   33.374826]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.375014]  kthread+0x328/0x630
[   33.375281]  ret_from_fork+0x10/0x20
[   33.375417] 
[   33.375464] Allocated by task 208:
[   33.375541]  kasan_save_stack+0x3c/0x68
[   33.375700]  kasan_save_track+0x20/0x40
[   33.375843]  kasan_save_alloc_info+0x40/0x58
[   33.375963]  __kasan_kmalloc+0xd4/0xd8
[   33.376220]  __kmalloc_cache_noprof+0x16c/0x3c0
[   33.376332]  ksize_uaf+0xb8/0x5f8
[   33.376427]  kunit_try_run_case+0x170/0x3f0
[   33.376543]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.376936]  kthread+0x328/0x630
[   33.377439]  ret_from_fork+0x10/0x20
[   33.377535] 
[   33.378176] Freed by task 208:
[   33.378267]  kasan_save_stack+0x3c/0x68
[   33.378366]  kasan_save_track+0x20/0x40
[   33.378459]  kasan_save_free_info+0x4c/0x78
[   33.379284]  __kasan_slab_free+0x6c/0x98
[   33.379425]  kfree+0x214/0x3c8
[   33.379521]  ksize_uaf+0x11c/0x5f8
[   33.379746]  kunit_try_run_case+0x170/0x3f0
[   33.379841]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.380360]  kthread+0x328/0x630
[   33.380452]  ret_from_fork+0x10/0x20
[   33.380901] 
[   33.381070] The buggy address belongs to the object at fff00000c63f7500
[   33.381070]  which belongs to the cache kmalloc-128 of size 128
[   33.381939] The buggy address is located 0 bytes inside of
[   33.381939]  freed 128-byte region [fff00000c63f7500, fff00000c63f7580)
[   33.382645] 
[   33.382697] The buggy address belongs to the physical page:
[   33.382767] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063f7
[   33.382839] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   33.382900] page_type: f5(slab)
[   33.382946] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   33.383007] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   33.383257] page dumped because: kasan: bad access detected
[   33.383534] 
[   33.383685] Memory state around the buggy address:
[   33.383834]  fff00000c63f7400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.383946]  fff00000c63f7480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.384327] >fff00000c63f7500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.384745]                    ^
[   33.384964]  fff00000c63f7580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.385084]  fff00000c63f7600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.385897] ==================================================================
[   33.401168] ==================================================================
[   33.401276] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   33.401397] Read of size 1 at addr fff00000c63f7578 by task kunit_try_catch/208
[   33.401509] 
[   33.401580] CPU: 1 UID: 0 PID: 208 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250623 #1 PREEMPT 
[   33.401776] Tainted: [B]=BAD_PAGE, [N]=TEST
[   33.401842] Hardware name: linux,dummy-virt (DT)
[   33.401910] Call trace:
[   33.401961]  show_stack+0x20/0x38 (C)
[   33.403370]  dump_stack_lvl+0x8c/0xd0
[   33.403659]  print_report+0x118/0x608
[   33.403786]  kasan_report+0xdc/0x128
[   33.403908]  __asan_report_load1_noabort+0x20/0x30
[   33.404066]  ksize_uaf+0x544/0x5f8
[   33.404253]  kunit_try_run_case+0x170/0x3f0
[   33.404419]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.404641]  kthread+0x328/0x630
[   33.404831]  ret_from_fork+0x10/0x20
[   33.405073] 
[   33.405235] Allocated by task 208:
[   33.405311]  kasan_save_stack+0x3c/0x68
[   33.405421]  kasan_save_track+0x20/0x40
[   33.405514]  kasan_save_alloc_info+0x40/0x58
[   33.405605]  __kasan_kmalloc+0xd4/0xd8
[   33.405690]  __kmalloc_cache_noprof+0x16c/0x3c0
[   33.405783]  ksize_uaf+0xb8/0x5f8
[   33.405864]  kunit_try_run_case+0x170/0x3f0
[   33.406017]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.406245]  kthread+0x328/0x630
[   33.406337]  ret_from_fork+0x10/0x20
[   33.406506] 
[   33.406609] Freed by task 208:
[   33.406723]  kasan_save_stack+0x3c/0x68
[   33.406845]  kasan_save_track+0x20/0x40
[   33.406945]  kasan_save_free_info+0x4c/0x78
[   33.407121]  __kasan_slab_free+0x6c/0x98
[   33.407318]  kfree+0x214/0x3c8
[   33.407419]  ksize_uaf+0x11c/0x5f8
[   33.407586]  kunit_try_run_case+0x170/0x3f0
[   33.407887]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.408049]  kthread+0x328/0x630
[   33.408284]  ret_from_fork+0x10/0x20
[   33.408381] 
[   33.408428] The buggy address belongs to the object at fff00000c63f7500
[   33.408428]  which belongs to the cache kmalloc-128 of size 128
[   33.408615] The buggy address is located 120 bytes inside of
[   33.408615]  freed 128-byte region [fff00000c63f7500, fff00000c63f7580)
[   33.409044] 
[   33.409103] The buggy address belongs to the physical page:
[   33.409188] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063f7
[   33.409571] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   33.410288] page_type: f5(slab)
[   33.411346] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   33.411746] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   33.412098] page dumped because: kasan: bad access detected
[   33.412283] 
[   33.412332] Memory state around the buggy address:
[   33.412420]  fff00000c63f7400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.412535]  fff00000c63f7480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.413305] >fff00000c63f7500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.414323]                                                                 ^
[   33.414691]  fff00000c63f7580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.415282]  fff00000c63f7600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.415622] ==================================================================
[   33.388375] ==================================================================
[   33.388495] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   33.388607] Read of size 1 at addr fff00000c63f7500 by task kunit_try_catch/208
[   33.388718] 
[   33.388789] CPU: 1 UID: 0 PID: 208 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250623 #1 PREEMPT 
[   33.388980] Tainted: [B]=BAD_PAGE, [N]=TEST
[   33.389062] Hardware name: linux,dummy-virt (DT)
[   33.389148] Call trace:
[   33.389210]  show_stack+0x20/0x38 (C)
[   33.389408]  dump_stack_lvl+0x8c/0xd0
[   33.389637]  print_report+0x118/0x608
[   33.389781]  kasan_report+0xdc/0x128
[   33.389911]  __asan_report_load1_noabort+0x20/0x30
[   33.390129]  ksize_uaf+0x598/0x5f8
[   33.390352]  kunit_try_run_case+0x170/0x3f0
[   33.390475]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.390862]  kthread+0x328/0x630
[   33.390981]  ret_from_fork+0x10/0x20
[   33.391167] 
[   33.391227] Allocated by task 208:
[   33.391345]  kasan_save_stack+0x3c/0x68
[   33.391478]  kasan_save_track+0x20/0x40
[   33.391587]  kasan_save_alloc_info+0x40/0x58
[   33.391713]  __kasan_kmalloc+0xd4/0xd8
[   33.392047]  __kmalloc_cache_noprof+0x16c/0x3c0
[   33.392156]  ksize_uaf+0xb8/0x5f8
[   33.392245]  kunit_try_run_case+0x170/0x3f0
[   33.392367]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.392502]  kthread+0x328/0x630
[   33.392586]  ret_from_fork+0x10/0x20
[   33.392686] 
[   33.392815] Freed by task 208:
[   33.393011]  kasan_save_stack+0x3c/0x68
[   33.393133]  kasan_save_track+0x20/0x40
[   33.393251]  kasan_save_free_info+0x4c/0x78
[   33.393386]  __kasan_slab_free+0x6c/0x98
[   33.393798]  kfree+0x214/0x3c8
[   33.393907]  ksize_uaf+0x11c/0x5f8
[   33.394104]  kunit_try_run_case+0x170/0x3f0
[   33.394341]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.394527]  kthread+0x328/0x630
[   33.394673]  ret_from_fork+0x10/0x20
[   33.394797] 
[   33.394848] The buggy address belongs to the object at fff00000c63f7500
[   33.394848]  which belongs to the cache kmalloc-128 of size 128
[   33.395073] The buggy address is located 0 bytes inside of
[   33.395073]  freed 128-byte region [fff00000c63f7500, fff00000c63f7580)
[   33.395364] 
[   33.395435] The buggy address belongs to the physical page:
[   33.395522] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063f7
[   33.395698] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   33.395818] page_type: f5(slab)
[   33.395907] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   33.396043] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   33.396143] page dumped because: kasan: bad access detected
[   33.396236] 
[   33.396291] Memory state around the buggy address:
[   33.396378]  fff00000c63f7400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.396825]  fff00000c63f7480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.396964] >fff00000c63f7500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   33.397477]                    ^
[   33.397555]  fff00000c63f7580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.397659]  fff00000c63f7600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.397762] ==================================================================
Metadata Full log Test run details 

[   22.302785] ==================================================================
[   22.303207] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   22.303401] Read of size 1 at addr ffff888102b4ee00 by task kunit_try_catch/225
[   22.303677] 
[   22.303847] CPU: 1 UID: 0 PID: 225 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250623 #1 PREEMPT(voluntary) 
[   22.303921] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.303941] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   22.303970] Call Trace:
[   22.303988]  <TASK>
[   22.304011]  dump_stack_lvl+0x73/0xb0
[   22.304055]  print_report+0xd1/0x650
[   22.304089]  ? __virt_addr_valid+0x1db/0x2d0
[   22.304126]  ? ksize_uaf+0x19d/0x6c0
[   22.304161]  ? kasan_complete_mode_report_info+0x64/0x200
[   22.304204]  ? ksize_uaf+0x19d/0x6c0
[   22.304241]  kasan_report+0x141/0x180
[   22.304280]  ? ksize_uaf+0x19d/0x6c0
[   22.304322]  ? ksize_uaf+0x19d/0x6c0
[   22.304358]  __kasan_check_byte+0x3d/0x50
[   22.304413]  ksize+0x20/0x60
[   22.304456]  ksize_uaf+0x19d/0x6c0
[   22.304488]  ? __pfx_ksize_uaf+0x10/0x10
[   22.304517]  ? __schedule+0x10cc/0x2b60
[   22.304551]  ? __pfx_read_tsc+0x10/0x10
[   22.304584]  ? ktime_get_ts64+0x86/0x230
[   22.304623]  kunit_try_run_case+0x1a5/0x480
[   22.304663]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.304700]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   22.304735]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   22.304766]  ? __kthread_parkme+0x82/0x180
[   22.304794]  ? preempt_count_sub+0x50/0x80
[   22.304827]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.304860]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.304896]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   22.304935]  kthread+0x337/0x6f0
[   22.304967]  ? trace_preempt_on+0x20/0xc0
[   22.305006]  ? __pfx_kthread+0x10/0x10
[   22.305037]  ? _raw_spin_unlock_irq+0x47/0x80
[   22.305060]  ? calculate_sigpending+0x7b/0xa0
[   22.305086]  ? __pfx_kthread+0x10/0x10
[   22.305108]  ret_from_fork+0x116/0x1d0
[   22.305124]  ? __pfx_kthread+0x10/0x10
[   22.305141]  ret_from_fork_asm+0x1a/0x30
[   22.305168]  </TASK>
[   22.305180] 
[   22.314337] Allocated by task 225:
[   22.314780]  kasan_save_stack+0x45/0x70
[   22.315213]  kasan_save_track+0x18/0x40
[   22.315579]  kasan_save_alloc_info+0x3b/0x50
[   22.315968]  __kasan_kmalloc+0xb7/0xc0
[   22.316287]  __kmalloc_cache_noprof+0x189/0x420
[   22.316673]  ksize_uaf+0xaa/0x6c0
[   22.316986]  kunit_try_run_case+0x1a5/0x480
[   22.317194]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.317529]  kthread+0x337/0x6f0
[   22.317790]  ret_from_fork+0x116/0x1d0
[   22.318197]  ret_from_fork_asm+0x1a/0x30
[   22.318637] 
[   22.318804] Freed by task 225:
[   22.319106]  kasan_save_stack+0x45/0x70
[   22.319427]  kasan_save_track+0x18/0x40
[   22.319581]  kasan_save_free_info+0x3f/0x60
[   22.319761]  __kasan_slab_free+0x56/0x70
[   22.320103]  kfree+0x222/0x3f0
[   22.320575]  ksize_uaf+0x12c/0x6c0
[   22.320822]  kunit_try_run_case+0x1a5/0x480
[   22.321154]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.321562]  kthread+0x337/0x6f0
[   22.321852]  ret_from_fork+0x116/0x1d0
[   22.322182]  ret_from_fork_asm+0x1a/0x30
[   22.322523] 
[   22.322649] The buggy address belongs to the object at ffff888102b4ee00
[   22.322649]  which belongs to the cache kmalloc-128 of size 128
[   22.323231] The buggy address is located 0 bytes inside of
[   22.323231]  freed 128-byte region [ffff888102b4ee00, ffff888102b4ee80)
[   22.323649] 
[   22.323806] The buggy address belongs to the physical page:
[   22.324094] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b4e
[   22.324525] flags: 0x200000000000000(node=0|zone=2)
[   22.324868] page_type: f5(slab)
[   22.325115] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   22.325513] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   22.325896] page dumped because: kasan: bad access detected
[   22.326168] 
[   22.326263] Memory state around the buggy address:
[   22.326626]  ffff888102b4ed00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.327130]  ffff888102b4ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.327440] >ffff888102b4ee00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.327816]                    ^
[   22.328085]  ffff888102b4ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.328364]  ffff888102b4ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.328797] ==================================================================
[   22.356028] ==================================================================
[   22.356631] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   22.357052] Read of size 1 at addr ffff888102b4ee78 by task kunit_try_catch/225
[   22.357277] 
[   22.357392] CPU: 1 UID: 0 PID: 225 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250623 #1 PREEMPT(voluntary) 
[   22.357470] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.357494] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   22.357528] Call Trace:
[   22.357554]  <TASK>
[   22.357579]  dump_stack_lvl+0x73/0xb0
[   22.357626]  print_report+0xd1/0x650
[   22.357664]  ? __virt_addr_valid+0x1db/0x2d0
[   22.357742]  ? ksize_uaf+0x5e4/0x6c0
[   22.357773]  ? kasan_complete_mode_report_info+0x64/0x200
[   22.357813]  ? ksize_uaf+0x5e4/0x6c0
[   22.357865]  kasan_report+0x141/0x180
[   22.357905]  ? ksize_uaf+0x5e4/0x6c0
[   22.357951]  __asan_report_load1_noabort+0x18/0x20
[   22.357994]  ksize_uaf+0x5e4/0x6c0
[   22.358041]  ? __pfx_ksize_uaf+0x10/0x10
[   22.358084]  ? __schedule+0x10cc/0x2b60
[   22.358127]  ? __pfx_read_tsc+0x10/0x10
[   22.358168]  ? ktime_get_ts64+0x86/0x230
[   22.358217]  kunit_try_run_case+0x1a5/0x480
[   22.358263]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.358305]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   22.358347]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   22.358405]  ? __kthread_parkme+0x82/0x180
[   22.358448]  ? preempt_count_sub+0x50/0x80
[   22.358494]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.358539]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.358583]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   22.358626]  kthread+0x337/0x6f0
[   22.358664]  ? trace_preempt_on+0x20/0xc0
[   22.358696]  ? __pfx_kthread+0x10/0x10
[   22.358715]  ? _raw_spin_unlock_irq+0x47/0x80
[   22.358734]  ? calculate_sigpending+0x7b/0xa0
[   22.358763]  ? __pfx_kthread+0x10/0x10
[   22.358782]  ret_from_fork+0x116/0x1d0
[   22.358799]  ? __pfx_kthread+0x10/0x10
[   22.358817]  ret_from_fork_asm+0x1a/0x30
[   22.358858]  </TASK>
[   22.358870] 
[   22.369268] Allocated by task 225:
[   22.369619]  kasan_save_stack+0x45/0x70
[   22.369946]  kasan_save_track+0x18/0x40
[   22.370225]  kasan_save_alloc_info+0x3b/0x50
[   22.370606]  __kasan_kmalloc+0xb7/0xc0
[   22.370943]  __kmalloc_cache_noprof+0x189/0x420
[   22.371263]  ksize_uaf+0xaa/0x6c0
[   22.371556]  kunit_try_run_case+0x1a5/0x480
[   22.371718]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.372195]  kthread+0x337/0x6f0
[   22.372553]  ret_from_fork+0x116/0x1d0
[   22.372792]  ret_from_fork_asm+0x1a/0x30
[   22.372974] 
[   22.373057] Freed by task 225:
[   22.373275]  kasan_save_stack+0x45/0x70
[   22.373572]  kasan_save_track+0x18/0x40
[   22.373918]  kasan_save_free_info+0x3f/0x60
[   22.374335]  __kasan_slab_free+0x56/0x70
[   22.374607]  kfree+0x222/0x3f0
[   22.374913]  ksize_uaf+0x12c/0x6c0
[   22.375168]  kunit_try_run_case+0x1a5/0x480
[   22.375337]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.375531]  kthread+0x337/0x6f0
[   22.375666]  ret_from_fork+0x116/0x1d0
[   22.375960]  ret_from_fork_asm+0x1a/0x30
[   22.376445] 
[   22.376627] The buggy address belongs to the object at ffff888102b4ee00
[   22.376627]  which belongs to the cache kmalloc-128 of size 128
[   22.377433] The buggy address is located 120 bytes inside of
[   22.377433]  freed 128-byte region [ffff888102b4ee00, ffff888102b4ee80)
[   22.378292] 
[   22.378482] The buggy address belongs to the physical page:
[   22.378750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b4e
[   22.379046] flags: 0x200000000000000(node=0|zone=2)
[   22.379389] page_type: f5(slab)
[   22.379783] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   22.380244] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   22.380788] page dumped because: kasan: bad access detected
[   22.381151] 
[   22.381235] Memory state around the buggy address:
[   22.381451]  ffff888102b4ed00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.382096]  ffff888102b4ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.382438] >ffff888102b4ee00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.382973]                                                                 ^
[   22.383431]  ffff888102b4ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.383824]  ffff888102b4ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.384182] ==================================================================
[   22.330094] ==================================================================
[   22.330398] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   22.331078] Read of size 1 at addr ffff888102b4ee00 by task kunit_try_catch/225
[   22.331710] 
[   22.332443] CPU: 1 UID: 0 PID: 225 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250623 #1 PREEMPT(voluntary) 
[   22.332534] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.332565] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   22.332597] Call Trace:
[   22.332636]  <TASK>
[   22.332663]  dump_stack_lvl+0x73/0xb0
[   22.332716]  print_report+0xd1/0x650
[   22.332751]  ? __virt_addr_valid+0x1db/0x2d0
[   22.332785]  ? ksize_uaf+0x5fe/0x6c0
[   22.332817]  ? kasan_complete_mode_report_info+0x64/0x200
[   22.332891]  ? ksize_uaf+0x5fe/0x6c0
[   22.332927]  kasan_report+0x141/0x180
[   22.332963]  ? ksize_uaf+0x5fe/0x6c0
[   22.333008]  __asan_report_load1_noabort+0x18/0x20
[   22.333047]  ksize_uaf+0x5fe/0x6c0
[   22.333097]  ? __pfx_ksize_uaf+0x10/0x10
[   22.333134]  ? __schedule+0x10cc/0x2b60
[   22.333173]  ? __pfx_read_tsc+0x10/0x10
[   22.333203]  ? ktime_get_ts64+0x86/0x230
[   22.333226]  kunit_try_run_case+0x1a5/0x480
[   22.333247]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.333265]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   22.333283]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   22.333301]  ? __kthread_parkme+0x82/0x180
[   22.333318]  ? preempt_count_sub+0x50/0x80
[   22.333338]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.333357]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.333376]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   22.333415]  kthread+0x337/0x6f0
[   22.333431]  ? trace_preempt_on+0x20/0xc0
[   22.333450]  ? __pfx_kthread+0x10/0x10
[   22.333466]  ? _raw_spin_unlock_irq+0x47/0x80
[   22.333483]  ? calculate_sigpending+0x7b/0xa0
[   22.333503]  ? __pfx_kthread+0x10/0x10
[   22.333520]  ret_from_fork+0x116/0x1d0
[   22.333535]  ? __pfx_kthread+0x10/0x10
[   22.333552]  ret_from_fork_asm+0x1a/0x30
[   22.333578]  </TASK>
[   22.333589] 
[   22.340697] Allocated by task 225:
[   22.341019]  kasan_save_stack+0x45/0x70
[   22.341320]  kasan_save_track+0x18/0x40
[   22.341607]  kasan_save_alloc_info+0x3b/0x50
[   22.341940]  __kasan_kmalloc+0xb7/0xc0
[   22.342238]  __kmalloc_cache_noprof+0x189/0x420
[   22.342576]  ksize_uaf+0xaa/0x6c0
[   22.342866]  kunit_try_run_case+0x1a5/0x480
[   22.343191]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.343574]  kthread+0x337/0x6f0
[   22.343741]  ret_from_fork+0x116/0x1d0
[   22.343992]  ret_from_fork_asm+0x1a/0x30
[   22.344150] 
[   22.344247] Freed by task 225:
[   22.344496]  kasan_save_stack+0x45/0x70
[   22.344770]  kasan_save_track+0x18/0x40
[   22.345060]  kasan_save_free_info+0x3f/0x60
[   22.345339]  __kasan_slab_free+0x56/0x70
[   22.345550]  kfree+0x222/0x3f0
[   22.345682]  ksize_uaf+0x12c/0x6c0
[   22.345985]  kunit_try_run_case+0x1a5/0x480
[   22.346308]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.346486]  kthread+0x337/0x6f0
[   22.346613]  ret_from_fork+0x116/0x1d0
[   22.346753]  ret_from_fork_asm+0x1a/0x30
[   22.346930] 
[   22.347016] The buggy address belongs to the object at ffff888102b4ee00
[   22.347016]  which belongs to the cache kmalloc-128 of size 128
[   22.347346] The buggy address is located 0 bytes inside of
[   22.347346]  freed 128-byte region [ffff888102b4ee00, ffff888102b4ee80)
[   22.348128] 
[   22.348280] The buggy address belongs to the physical page:
[   22.348659] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b4e
[   22.349175] flags: 0x200000000000000(node=0|zone=2)
[   22.349541] page_type: f5(slab)
[   22.349802] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   22.350274] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   22.350770] page dumped because: kasan: bad access detected
[   22.350994] 
[   22.351076] Memory state around the buggy address:
[   22.351238]  ffff888102b4ed00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.351707]  ffff888102b4ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.352196] >ffff888102b4ee00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.352669]                    ^
[   22.352953]  ffff888102b4ee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.353170]  ffff888102b4ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.353389] ==================================================================
Metadata Full log Test run details