Date
June 24, 2025, 11:37 a.m.
Environment |
---|
dragonboard-845c |
qemu-arm64 |
qemu-x86_64 |
dragonboard-845c:

```
[ 41.553421] ==================================================================
[ 41.565067] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 41.571514] Read of size 1 at addr ffff0000822c2a00 by task kunit_try_catch/294
[ 41.578926]
[ 41.580463] CPU: 3 UID: 0 PID: 294 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[ 41.580493] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 41.580502] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 41.580514] Call trace:
[ 41.580522] show_stack+0x20/0x38 (C)
[ 41.580541] dump_stack_lvl+0x8c/0xd0
[ 41.580560] print_report+0x118/0x608
[ 41.580579] kasan_report+0xdc/0x128
[ 41.580599] __kasan_check_byte+0x54/0x70
[ 41.580619] ksize+0x30/0x88
[ 41.580639] ksize_uaf+0x168/0x5f8
[ 41.580655] kunit_try_run_case+0x170/0x3f0
[ 41.580675] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 41.580698] kthread+0x328/0x630
[ 41.580714] ret_from_fork+0x10/0x20
[ 41.580732]
[ 41.647781] Allocated by task 294:
[ 41.651245] kasan_save_stack+0x3c/0x68
[ 41.655148] kasan_save_track+0x20/0x40
[ 41.659058] kasan_save_alloc_info+0x40/0x58
[ 41.663396] __kasan_kmalloc+0xd4/0xd8
[ 41.667219] __kmalloc_cache_noprof+0x16c/0x3c0
[ 41.671828] ksize_uaf+0xb8/0x5f8
[ 41.675211] kunit_try_run_case+0x170/0x3f0
[ 41.679467] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 41.685038] kthread+0x328/0x630
[ 41.688331] ret_from_fork+0x10/0x20
[ 41.691971]
[ 41.693500] Freed by task 294:
[ 41.696613] kasan_save_stack+0x3c/0x68
[ 41.700525] kasan_save_track+0x20/0x40
[ 41.704434] kasan_save_free_info+0x4c/0x78
[ 41.708689] __kasan_slab_free+0x6c/0x98
[ 41.712686] kfree+0x214/0x3c8
[ 41.715806] ksize_uaf+0x11c/0x5f8
[ 41.719272] kunit_try_run_case+0x170/0x3f0
[ 41.723526] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 41.729097] kthread+0x328/0x630
[ 41.732389] ret_from_fork+0x10/0x20
[ 41.736029]
[ 41.737558] The buggy address belongs to the object at ffff0000822c2a00
[ 41.737558]  which belongs to the cache kmalloc-128 of size 128
[ 41.750214] The buggy address is located 0 bytes inside of
[ 41.750214]  freed 128-byte region [ffff0000822c2a00, ffff0000822c2a80)
[ 41.762440]
[ 41.763977] The buggy address belongs to the physical page:
[ 41.769629] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1022c2
[ 41.777735] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 41.785494] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 41.792550] page_type: f5(slab)
[ 41.795755] raw: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 41.803601] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 41.811449] head: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 41.819382] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 41.827315] head: 0bfffe0000000001 fffffdffc208b081 00000000ffffffff 00000000ffffffff
[ 41.835248] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 41.843173] page dumped because: kasan: bad access detected
[ 41.848821]
[ 41.850350] Memory state around the buggy address:
[ 41.855211]  ffff0000822c2900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.862527]  ffff0000822c2980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.869843] >ffff0000822c2a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.877157]                    ^
[ 41.880446]  ffff0000822c2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.887760]  ffff0000822c2b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.895075] ==================================================================
[ 41.902448] ==================================================================
[ 41.909763] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 41.916203] Read of size 1 at addr ffff0000822c2a00 by task kunit_try_catch/294
[ 41.923618]
[ 41.925149] CPU: 3 UID: 0 PID: 294 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[ 41.925179] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 41.925189] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 41.925200] Call trace:
[ 41.925207] show_stack+0x20/0x38 (C)
[ 41.925225] dump_stack_lvl+0x8c/0xd0
[ 41.925246] print_report+0x118/0x608
[ 41.925265] kasan_report+0xdc/0x128
[ 41.925286] __asan_report_load1_noabort+0x20/0x30
[ 41.925305] ksize_uaf+0x598/0x5f8
[ 41.925323] kunit_try_run_case+0x170/0x3f0
[ 41.925341] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 41.925365] kthread+0x328/0x630
[ 41.925380] ret_from_fork+0x10/0x20
[ 41.925399]
[ 41.990316] Allocated by task 294:
[ 41.993778] kasan_save_stack+0x3c/0x68
[ 41.997689] kasan_save_track+0x20/0x40
[ 42.001599] kasan_save_alloc_info+0x40/0x58
[ 42.005939] __kasan_kmalloc+0xd4/0xd8
[ 42.009762] __kmalloc_cache_noprof+0x16c/0x3c0
[ 42.014363] ksize_uaf+0xb8/0x5f8
[ 42.017743] kunit_try_run_case+0x170/0x3f0
[ 42.021999] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 42.027569] kthread+0x328/0x630
[ 42.030854] ret_from_fork+0x10/0x20
[ 42.034492]
[ 42.036026] Freed by task 294:
[ 42.039132] kasan_save_stack+0x3c/0x68
[ 42.043042] kasan_save_track+0x20/0x40
[ 42.046952] kasan_save_free_info+0x4c/0x78
[ 42.051201] __kasan_slab_free+0x6c/0x98
[ 42.055197] kfree+0x214/0x3c8
[ 42.058309] ksize_uaf+0x11c/0x5f8
[ 42.061776] kunit_try_run_case+0x170/0x3f0
[ 42.066031] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 42.071601] kthread+0x328/0x630
[ 42.074885] ret_from_fork+0x10/0x20
[ 42.078523]
[ 42.080056] The buggy address belongs to the object at ffff0000822c2a00
[ 42.080056]  which belongs to the cache kmalloc-128 of size 128
[ 42.092723] The buggy address is located 0 bytes inside of
[ 42.092723]  freed 128-byte region [ffff0000822c2a00, ffff0000822c2a80)
[ 42.104949]
[ 42.106479] The buggy address belongs to the physical page:
[ 42.112122] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1022c2
[ 42.120227] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 42.127984] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 42.135045] page_type: f5(slab)
[ 42.138248] raw: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 42.146096] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 42.153940] head: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 42.161874] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 42.169807] head: 0bfffe0000000001 fffffdffc208b081 00000000ffffffff 00000000ffffffff
[ 42.177740] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 42.185668] page dumped because: kasan: bad access detected
[ 42.191317]
[ 42.192844] Memory state around the buggy address:
[ 42.197708]  ffff0000822c2900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.205022]  ffff0000822c2980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.212338] >ffff0000822c2a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.219650]                    ^
[ 42.222930]  ffff0000822c2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.230244]  ffff0000822c2b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.237556] ==================================================================
[ 42.245727] ==================================================================
[ 42.253057] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 42.259504] Read of size 1 at addr ffff0000822c2a78 by task kunit_try_catch/294
[ 42.266907]
[ 42.268442] CPU: 4 UID: 0 PID: 294 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[ 42.268472] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 42.268482] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 42.268493] Call trace:
[ 42.268499] show_stack+0x20/0x38 (C)
[ 42.268517] dump_stack_lvl+0x8c/0xd0
[ 42.268537] print_report+0x118/0x608
[ 42.268555] kasan_report+0xdc/0x128
[ 42.268574] __asan_report_load1_noabort+0x20/0x30
[ 42.268590] ksize_uaf+0x544/0x5f8
[ 42.268606] kunit_try_run_case+0x170/0x3f0
[ 42.268624] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 42.268644] kthread+0x328/0x630
[ 42.268658] ret_from_fork+0x10/0x20
[ 42.268675]
[ 42.333535] Allocated by task 294:
[ 42.336989] kasan_save_stack+0x3c/0x68
[ 42.340895] kasan_save_track+0x20/0x40
[ 42.344800] kasan_save_alloc_info+0x40/0x58
[ 42.349135] __kasan_kmalloc+0xd4/0xd8
[ 42.352950] __kmalloc_cache_noprof+0x16c/0x3c0
[ 42.357547] ksize_uaf+0xb8/0x5f8
[ 42.360919] kunit_try_run_case+0x170/0x3f0
[ 42.365168] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 42.370735] kthread+0x328/0x630
[ 42.374018] ret_from_fork+0x10/0x20
[ 42.377649]
[ 42.379181] Freed by task 294:
[ 42.382287] kasan_save_stack+0x3c/0x68
[ 42.386192] kasan_save_track+0x20/0x40
[ 42.390096] kasan_save_free_info+0x4c/0x78
[ 42.394344] __kasan_slab_free+0x6c/0x98
[ 42.398335] kfree+0x214/0x3c8
[ 42.401444] ksize_uaf+0x11c/0x5f8
[ 42.404901] kunit_try_run_case+0x170/0x3f0
[ 42.409151] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 42.414716] kthread+0x328/0x630
[ 42.417998] ret_from_fork+0x10/0x20
[ 42.421629]
[ 42.423161] The buggy address belongs to the object at ffff0000822c2a00
[ 42.423161]  which belongs to the cache kmalloc-128 of size 128
[ 42.435811] The buggy address is located 120 bytes inside of
[ 42.435811]  freed 128-byte region [ffff0000822c2a00, ffff0000822c2a80)
[ 42.448207]
[ 42.449731] The buggy address belongs to the physical page:
[ 42.455372] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1022c2
[ 42.463471] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 42.471225] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 42.478275] page_type: f5(slab)
[ 42.481471] raw: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 42.489314] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 42.497155] head: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 42.505083] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 42.513010] head: 0bfffe0000000001 fffffdffc208b081 00000000ffffffff 00000000ffffffff
[ 42.520936] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 42.528859] page dumped because: kasan: bad access detected
[ 42.534503]
[ 42.536032] Memory state around the buggy address:
[ 42.540883]  ffff0000822c2900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.548199]  ffff0000822c2980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.555514] >ffff0000822c2a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.562821]                                                                 ^
[ 42.570038]  ffff0000822c2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.577343]  ffff0000822c2b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.584657] ==================================================================
```
qemu-arm64:

```
[ 33.405260] ==================================================================
[ 33.405363] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 33.405468] Read of size 1 at addr fff00000c7732600 by task kunit_try_catch/207
[ 33.405581]
[ 33.405648] CPU: 0 UID: 0 PID: 207 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[ 33.405848] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.406326] Hardware name: linux,dummy-virt (DT)
[ 33.407596] Call trace:
[ 33.408168] show_stack+0x20/0x38 (C)
[ 33.408775] dump_stack_lvl+0x8c/0xd0
[ 33.409070] print_report+0x118/0x608
[ 33.409212] kasan_report+0xdc/0x128
[ 33.409856] __asan_report_load1_noabort+0x20/0x30
[ 33.410641] ksize_uaf+0x598/0x5f8
[ 33.410855] kunit_try_run_case+0x170/0x3f0
[ 33.411004] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.411250] kthread+0x328/0x630
[ 33.411471] ret_from_fork+0x10/0x20
[ 33.411619]
[ 33.411664] Allocated by task 207:
[ 33.411737] kasan_save_stack+0x3c/0x68
[ 33.411833] kasan_save_track+0x20/0x40
[ 33.411951] kasan_save_alloc_info+0x40/0x58
[ 33.412071] __kasan_kmalloc+0xd4/0xd8
[ 33.412182] __kmalloc_cache_noprof+0x16c/0x3c0
[ 33.412453] ksize_uaf+0xb8/0x5f8
[ 33.412668] kunit_try_run_case+0x170/0x3f0
[ 33.412769] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.412874] kthread+0x328/0x630
[ 33.412981] ret_from_fork+0x10/0x20
[ 33.413092]
[ 33.413147] Freed by task 207:
[ 33.413226] kasan_save_stack+0x3c/0x68
[ 33.413874] kasan_save_track+0x20/0x40
[ 33.414046] kasan_save_free_info+0x4c/0x78
[ 33.414174] __kasan_slab_free+0x6c/0x98
[ 33.414306] kfree+0x214/0x3c8
[ 33.414527] ksize_uaf+0x11c/0x5f8
[ 33.414708] kunit_try_run_case+0x170/0x3f0
[ 33.414949] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.415149] kthread+0x328/0x630
[ 33.415322] ret_from_fork+0x10/0x20
[ 33.415426]
[ 33.415482] The buggy address belongs to the object at fff00000c7732600
[ 33.415482]  which belongs to the cache kmalloc-128 of size 128
[ 33.415662] The buggy address is located 0 bytes inside of
[ 33.415662]  freed 128-byte region [fff00000c7732600, fff00000c7732680)
[ 33.416104]
[ 33.416149] The buggy address belongs to the physical page:
[ 33.416216] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107732
[ 33.416342] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.416557] page_type: f5(slab)
[ 33.416654] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 33.416790] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 33.416904] page dumped because: kasan: bad access detected
[ 33.417009]
[ 33.417084] Memory state around the buggy address:
[ 33.417164]  fff00000c7732500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.417268]  fff00000c7732580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.417372] >fff00000c7732600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.417494]                    ^
[ 33.417565]  fff00000c7732680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.417666]  fff00000c7732700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.417758] ==================================================================
[ 33.418986] ==================================================================
[ 33.419094] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 33.419277] Read of size 1 at addr fff00000c7732678 by task kunit_try_catch/207
[ 33.419376]
[ 33.419450] CPU: 0 UID: 0 PID: 207 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[ 33.419569] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.419603] Hardware name: linux,dummy-virt (DT)
[ 33.419679] Call trace:
[ 33.419727] show_stack+0x20/0x38 (C)
[ 33.419792] dump_stack_lvl+0x8c/0xd0
[ 33.419847] print_report+0x118/0x608
[ 33.419931] kasan_report+0xdc/0x128
[ 33.419995] __asan_report_load1_noabort+0x20/0x30
[ 33.420054] ksize_uaf+0x544/0x5f8
[ 33.420106] kunit_try_run_case+0x170/0x3f0
[ 33.420165] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.420226] kthread+0x328/0x630
[ 33.420279] ret_from_fork+0x10/0x20
[ 33.420334]
[ 33.420356] Allocated by task 207:
[ 33.420391] kasan_save_stack+0x3c/0x68
[ 33.420443] kasan_save_track+0x20/0x40
[ 33.420490] kasan_save_alloc_info+0x40/0x58
[ 33.420535] __kasan_kmalloc+0xd4/0xd8
[ 33.420580] __kmalloc_cache_noprof+0x16c/0x3c0
[ 33.420630] ksize_uaf+0xb8/0x5f8
[ 33.420672] kunit_try_run_case+0x170/0x3f0
[ 33.420719] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.420772] kthread+0x328/0x630
[ 33.420812] ret_from_fork+0x10/0x20
[ 33.420857]
[ 33.420880] Freed by task 207:
[ 33.420986] kasan_save_stack+0x3c/0x68
[ 33.421089] kasan_save_track+0x20/0x40
[ 33.421192] kasan_save_free_info+0x4c/0x78
[ 33.421357] __kasan_slab_free+0x6c/0x98
[ 33.421481] kfree+0x214/0x3c8
[ 33.421673] ksize_uaf+0x11c/0x5f8
[ 33.422210] kunit_try_run_case+0x170/0x3f0
[ 33.423168] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.423657] kthread+0x328/0x630
[ 33.424002] ret_from_fork+0x10/0x20
[ 33.424109]
[ 33.424156] The buggy address belongs to the object at fff00000c7732600
[ 33.424156]  which belongs to the cache kmalloc-128 of size 128
[ 33.424337] The buggy address is located 120 bytes inside of
[ 33.424337]  freed 128-byte region [fff00000c7732600, fff00000c7732680)
[ 33.424484]
[ 33.424536] The buggy address belongs to the physical page:
[ 33.424608] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107732
[ 33.425248] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.426079] page_type: f5(slab)
[ 33.426459] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 33.427118] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 33.427511] page dumped because: kasan: bad access detected
[ 33.427614]
[ 33.427665] Memory state around the buggy address:
[ 33.427800]  fff00000c7732500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.428014]  fff00000c7732580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.428149] >fff00000c7732600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.428320]                                                                 ^
[ 33.428573]  fff00000c7732680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.428727]  fff00000c7732700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.428949] ==================================================================
[ 33.387870] ==================================================================
[ 33.388012] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 33.388139] Read of size 1 at addr fff00000c7732600 by task kunit_try_catch/207
[ 33.388261]
[ 33.388332] CPU: 0 UID: 0 PID: 207 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[ 33.390960] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.391209] Hardware name: linux,dummy-virt (DT)
[ 33.391316] Call trace:
[ 33.391380] show_stack+0x20/0x38 (C)
[ 33.391508] dump_stack_lvl+0x8c/0xd0
[ 33.391882] print_report+0x118/0x608
[ 33.392055] kasan_report+0xdc/0x128
[ 33.392179] __kasan_check_byte+0x54/0x70
[ 33.392338] ksize+0x30/0x88
[ 33.392476] ksize_uaf+0x168/0x5f8
[ 33.392594] kunit_try_run_case+0x170/0x3f0
[ 33.392754] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.392939] kthread+0x328/0x630
[ 33.393056] ret_from_fork+0x10/0x20
[ 33.393183]
[ 33.393232] Allocated by task 207:
[ 33.393307] kasan_save_stack+0x3c/0x68
[ 33.393789] kasan_save_track+0x20/0x40
[ 33.393948] kasan_save_alloc_info+0x40/0x58
[ 33.394087] __kasan_kmalloc+0xd4/0xd8
[ 33.394208] __kmalloc_cache_noprof+0x16c/0x3c0
[ 33.394334] ksize_uaf+0xb8/0x5f8
[ 33.394444] kunit_try_run_case+0x170/0x3f0
[ 33.394554] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.394663] kthread+0x328/0x630
[ 33.394764] ret_from_fork+0x10/0x20
[ 33.394864]
[ 33.394929] Freed by task 207:
[ 33.395007] kasan_save_stack+0x3c/0x68
[ 33.395309] kasan_save_track+0x20/0x40
[ 33.395420] kasan_save_free_info+0x4c/0x78
[ 33.395612] __kasan_slab_free+0x6c/0x98
[ 33.395826] kfree+0x214/0x3c8
[ 33.396019] ksize_uaf+0x11c/0x5f8
[ 33.396216] kunit_try_run_case+0x170/0x3f0
[ 33.396812] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.397278] kthread+0x328/0x630
[ 33.397670] ret_from_fork+0x10/0x20
[ 33.398008]
[ 33.398206] The buggy address belongs to the object at fff00000c7732600
[ 33.398206]  which belongs to the cache kmalloc-128 of size 128
[ 33.398343] The buggy address is located 0 bytes inside of
[ 33.398343]  freed 128-byte region [fff00000c7732600, fff00000c7732680)
[ 33.398932]
[ 33.399042] The buggy address belongs to the physical page:
[ 33.399240] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107732
[ 33.399480] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.399661] page_type: f5(slab)
[ 33.399944] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 33.400186] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 33.400343] page dumped because: kasan: bad access detected
[ 33.400563]
[ 33.400706] Memory state around the buggy address:
[ 33.400915]  fff00000c7732500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.401033]  fff00000c7732580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.401228] >fff00000c7732600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.401322]                    ^
[ 33.401461]  fff00000c7732680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.401572]  fff00000c7732700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.401666] ==================================================================
```
qemu-x86_64:

```
[ 29.738362] ==================================================================
[ 29.738998] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 29.739455] Read of size 1 at addr ffff888100aaea00 by task kunit_try_catch/226
[ 29.740639]
[ 29.740847] CPU: 1 UID: 0 PID: 226 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary)
[ 29.740958] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 29.740980] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 29.741007] Call Trace:
[ 29.741024] <TASK>
[ 29.741047] dump_stack_lvl+0x73/0xb0
[ 29.741102] print_report+0xd1/0x650
[ 29.741151] ? __virt_addr_valid+0x1db/0x2d0
[ 29.741187] ? ksize_uaf+0x5fe/0x6c0
[ 29.741215] ? kasan_complete_mode_report_info+0x64/0x200
[ 29.741248] ? ksize_uaf+0x5fe/0x6c0
[ 29.741275] kasan_report+0x141/0x180
[ 29.741303] ? ksize_uaf+0x5fe/0x6c0
[ 29.741335] __asan_report_load1_noabort+0x18/0x20
[ 29.741366] ksize_uaf+0x5fe/0x6c0
[ 29.741392] ? __pfx_ksize_uaf+0x10/0x10
[ 29.741420] ? __schedule+0x10cc/0x2b60
[ 29.741451] ? __pfx_read_tsc+0x10/0x10
[ 29.741478] ? ktime_get_ts64+0x86/0x230
[ 29.741509] kunit_try_run_case+0x1a5/0x480
[ 29.741559] ? __pfx_kunit_try_run_case+0x10/0x10
[ 29.741611] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 29.741665] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 29.741716] ? __kthread_parkme+0x82/0x180
[ 29.741759] ? preempt_count_sub+0x50/0x80
[ 29.741810] ? __pfx_kunit_try_run_case+0x10/0x10
[ 29.741861] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.741912] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 29.741965] kthread+0x337/0x6f0
[ 29.742069] ? trace_preempt_on+0x20/0xc0
[ 29.742137] ? __pfx_kthread+0x10/0x10
[ 29.742196] ? _raw_spin_unlock_irq+0x47/0x80
[ 29.742262] ? calculate_sigpending+0x7b/0xa0
[ 29.742328] ? __pfx_kthread+0x10/0x10
[ 29.742389] ret_from_fork+0x116/0x1d0
[ 29.742446] ? __pfx_kthread+0x10/0x10
[ 29.742497] ret_from_fork_asm+0x1a/0x30
[ 29.742591] </TASK>
[ 29.742618]
[ 29.755863] Allocated by task 226:
[ 29.756453] kasan_save_stack+0x45/0x70
[ 29.756732] kasan_save_track+0x18/0x40
[ 29.757118] kasan_save_alloc_info+0x3b/0x50
[ 29.757697] __kasan_kmalloc+0xb7/0xc0
[ 29.758264] __kmalloc_cache_noprof+0x189/0x420
[ 29.758783] ksize_uaf+0xaa/0x6c0
[ 29.759261] kunit_try_run_case+0x1a5/0x480
[ 29.759481] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.760211] kthread+0x337/0x6f0
[ 29.760512] ret_from_fork+0x116/0x1d0
[ 29.760969] ret_from_fork_asm+0x1a/0x30
[ 29.761456]
[ 29.761917] Freed by task 226:
[ 29.762364] kasan_save_stack+0x45/0x70
[ 29.762753] kasan_save_track+0x18/0x40
[ 29.763299] kasan_save_free_info+0x3f/0x60
[ 29.763672] __kasan_slab_free+0x56/0x70
[ 29.764136] kfree+0x222/0x3f0
[ 29.764517] ksize_uaf+0x12c/0x6c0
[ 29.764769] kunit_try_run_case+0x1a5/0x480
[ 29.765292] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.765860] kthread+0x337/0x6f0
[ 29.766301] ret_from_fork+0x116/0x1d0
[ 29.766980] ret_from_fork_asm+0x1a/0x30
[ 29.767354]
[ 29.767572] The buggy address belongs to the object at ffff888100aaea00
[ 29.767572]  which belongs to the cache kmalloc-128 of size 128
[ 29.768523] The buggy address is located 0 bytes inside of
[ 29.768523]  freed 128-byte region [ffff888100aaea00, ffff888100aaea80)
[ 29.769468]
[ 29.769700] The buggy address belongs to the physical page:
[ 29.770405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100aae
[ 29.770999] flags: 0x200000000000000(node=0|zone=2)
[ 29.771569] page_type: f5(slab)
[ 29.771909] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 29.773433] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 29.773785] page dumped because: kasan: bad access detected
[ 29.774279]
[ 29.774608] Memory state around the buggy address:
[ 29.775505]  ffff888100aae900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.775854]  ffff888100aae980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.776589] >ffff888100aaea00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.777425]                    ^
[ 29.777632]  ffff888100aaea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.778341]  ffff888100aaeb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.779390] ==================================================================
[ 29.780870] ==================================================================
[ 29.781893] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 29.782431] Read of size 1 at addr ffff888100aaea78 by task kunit_try_catch/226
[ 29.783202]
[ 29.783366] CPU: 1 UID: 0 PID: 226 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary)
[ 29.783685] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 29.783704] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 29.783728] Call Trace:
[ 29.783764] <TASK>
[ 29.783793] dump_stack_lvl+0x73/0xb0
[ 29.783849] print_report+0xd1/0x650
[ 29.783880] ? __virt_addr_valid+0x1db/0x2d0
[ 29.783911] ? ksize_uaf+0x5e4/0x6c0
[ 29.783938] ? kasan_complete_mode_report_info+0x64/0x200
[ 29.783971] ? ksize_uaf+0x5e4/0x6c0
[ 29.783998] kasan_report+0x141/0x180
[ 29.784026] ? ksize_uaf+0x5e4/0x6c0
[ 29.784091] __asan_report_load1_noabort+0x18/0x20
[ 29.784164] ksize_uaf+0x5e4/0x6c0
[ 29.784258] ? __pfx_ksize_uaf+0x10/0x10
[ 29.784318] ? __schedule+0x10cc/0x2b60
[ 29.784386] ? __pfx_read_tsc+0x10/0x10
[ 29.784439] ? ktime_get_ts64+0x86/0x230
[ 29.784494] kunit_try_run_case+0x1a5/0x480
[ 29.784533] ? __pfx_kunit_try_run_case+0x10/0x10
[ 29.784587] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 29.784620] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 29.784675] ? __kthread_parkme+0x82/0x180
[ 29.784703] ? preempt_count_sub+0x50/0x80
[ 29.784733] ? __pfx_kunit_try_run_case+0x10/0x10
[ 29.784764] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.784795] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 29.784826] kthread+0x337/0x6f0
[ 29.784851] ? trace_preempt_on+0x20/0xc0
[ 29.784882] ? __pfx_kthread+0x10/0x10
[ 29.784908] ? _raw_spin_unlock_irq+0x47/0x80
[ 29.784936] ? calculate_sigpending+0x7b/0xa0
[ 29.784966] ? __pfx_kthread+0x10/0x10
[ 29.784993] ret_from_fork+0x116/0x1d0
[ 29.785018] ? __pfx_kthread+0x10/0x10
[ 29.785044] ret_from_fork_asm+0x1a/0x30
[ 29.785110] </TASK>
[ 29.785135]
[ 29.801686] Allocated by task 226:
[ 29.802628] kasan_save_stack+0x45/0x70
[ 29.802998] kasan_save_track+0x18/0x40
[ 29.803523] kasan_save_alloc_info+0x3b/0x50
[ 29.804241] __kasan_kmalloc+0xb7/0xc0
[ 29.804653] __kmalloc_cache_noprof+0x189/0x420
[ 29.804957] ksize_uaf+0xaa/0x6c0
[ 29.805375] kunit_try_run_case+0x1a5/0x480
[ 29.805605] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.806591] kthread+0x337/0x6f0
[ 29.807180] ret_from_fork+0x116/0x1d0
[ 29.807758] ret_from_fork_asm+0x1a/0x30
[ 29.808182]
[ 29.808680] Freed by task 226:
[ 29.809008] kasan_save_stack+0x45/0x70
[ 29.809414] kasan_save_track+0x18/0x40
[ 29.809741] kasan_save_free_info+0x3f/0x60
[ 29.810029] __kasan_slab_free+0x56/0x70
[ 29.810779] kfree+0x222/0x3f0
[ 29.811253] ksize_uaf+0x12c/0x6c0
[ 29.811488] kunit_try_run_case+0x1a5/0x480
[ 29.812333] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.812945] kthread+0x337/0x6f0
[ 29.813493] ret_from_fork+0x116/0x1d0
[ 29.813960] ret_from_fork_asm+0x1a/0x30
[ 29.814335]
[ 29.814557] The buggy address belongs to the object at ffff888100aaea00
[ 29.814557]  which belongs to the cache kmalloc-128 of size 128
[ 29.815198] The buggy address is located 120 bytes inside of
[ 29.815198]  freed 128-byte region [ffff888100aaea00, ffff888100aaea80)
[ 29.816531]
[ 29.816748] The buggy address belongs to the physical page:
[ 29.817247] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100aae
[ 29.817834] flags: 0x200000000000000(node=0|zone=2)
[ 29.818127] page_type: f5(slab)
[ 29.818444] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 29.819022] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 29.819633] page dumped because: kasan: bad access detected
[ 29.819983]
[ 29.820166] Memory state around the buggy address:
[ 29.820800]  ffff888100aae900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.821436]  ffff888100aae980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.821934] >ffff888100aaea00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.822621]                                                                 ^
[ 29.823294]  ffff888100aaea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.823976]  ffff888100aaeb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.825010] ==================================================================
[ 29.693585] ==================================================================
[ 29.694663] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 29.695309] Read of size 1 at addr ffff888100aaea00 by task kunit_try_catch/226
[ 29.695785]
[ 29.696029] CPU: 1 UID: 0 PID: 226 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary)
[ 29.696269] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 29.696302] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 29.696345] Call Trace:
[ 29.696375] <TASK>
[ 29.696414] dump_stack_lvl+0x73/0xb0
[ 29.696529] print_report+0xd1/0x650
[ 29.696659] ? __virt_addr_valid+0x1db/0x2d0
[ 29.696731] ? ksize_uaf+0x19d/0x6c0
[ 29.696787] ? kasan_complete_mode_report_info+0x64/0x200
[ 29.696856] ? ksize_uaf+0x19d/0x6c0
[ 29.696909] kasan_report+0x141/0x180
[ 29.696954] ? ksize_uaf+0x19d/0x6c0
[ 29.696987] ? ksize_uaf+0x19d/0x6c0
[ 29.697015] __kasan_check_byte+0x3d/0x50
[ 29.697044] ksize+0x20/0x60
[ 29.697135] ksize_uaf+0x19d/0x6c0
[ 29.697181] ? __pfx_ksize_uaf+0x10/0x10
[ 29.697212] ? __schedule+0x10cc/0x2b60
[ 29.697245] ? __pfx_read_tsc+0x10/0x10
[ 29.697274] ? ktime_get_ts64+0x86/0x230
[ 29.697307] kunit_try_run_case+0x1a5/0x480
[ 29.697341] ? __pfx_kunit_try_run_case+0x10/0x10
[ 29.697371] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 29.697402] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 29.697433] ? __kthread_parkme+0x82/0x180
[ 29.697461] ? preempt_count_sub+0x50/0x80
[ 29.697491] ? __pfx_kunit_try_run_case+0x10/0x10
[ 29.697521] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.697572] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 29.697605] kthread+0x337/0x6f0
[ 29.697631] ? trace_preempt_on+0x20/0xc0
[ 29.697674] ? __pfx_kthread+0x10/0x10
[ 29.697702] ? _raw_spin_unlock_irq+0x47/0x80
[ 29.697731] ? calculate_sigpending+0x7b/0xa0
[ 29.697762] ? __pfx_kthread+0x10/0x10
[ 29.697789] ret_from_fork+0x116/0x1d0
[ 29.697813] ? __pfx_kthread+0x10/0x10
[ 29.697840] ret_from_fork_asm+0x1a/0x30
[ 29.697879] </TASK>
[ 29.697894]
[ 29.711937] Allocated by task 226:
[ 29.712530] kasan_save_stack+0x45/0x70
[ 29.713213] kasan_save_track+0x18/0x40
[ 29.713690] kasan_save_alloc_info+0x3b/0x50
[ 29.714380] __kasan_kmalloc+0xb7/0xc0
[ 29.714880] __kmalloc_cache_noprof+0x189/0x420
[ 29.715450] ksize_uaf+0xaa/0x6c0
[ 29.716084] kunit_try_run_case+0x1a5/0x480
[ 29.716685] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.717234] kthread+0x337/0x6f0
[ 29.717666] ret_from_fork+0x116/0x1d0
[ 29.717976] ret_from_fork_asm+0x1a/0x30
[ 29.718608]
[ 29.718877] Freed by task 226:
[ 29.719115] kasan_save_stack+0x45/0x70
[ 29.719732] kasan_save_track+0x18/0x40
[ 29.720172] kasan_save_free_info+0x3f/0x60
[ 29.720944] __kasan_slab_free+0x56/0x70
[ 29.721425] kfree+0x222/0x3f0
[ 29.721880] ksize_uaf+0x12c/0x6c0
[ 29.722355] kunit_try_run_case+0x1a5/0x480
[ 29.722849] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.723469] kthread+0x337/0x6f0
[ 29.723911] ret_from_fork+0x116/0x1d0
[ 29.724271] ret_from_fork_asm+0x1a/0x30
[ 29.724686]
[ 29.724893] The buggy address belongs to the object at ffff888100aaea00
[ 29.724893]  which belongs to the cache kmalloc-128 of size 128
[ 29.726250] The buggy address is located 0 bytes inside of
[ 29.726250]  freed 128-byte region [ffff888100aaea00, ffff888100aaea80)
[ 29.727379]
[ 29.727558] The buggy address belongs to the physical page:
[ 29.728289] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100aae
[ 29.728755] flags: 0x200000000000000(node=0|zone=2)
[ 29.729249] page_type: f5(slab)
[ 29.729498] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 29.730267] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 29.730965] page dumped because: kasan: bad access detected
[ 29.731353]
[ 29.731570] Memory state around the buggy address:
[ 29.731863]  ffff888100aae900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.732491]  ffff888100aae980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.733402] >ffff888100aaea00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.734244]                    ^
[ 29.734507]  ffff888100aaea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.735296]  ffff888100aaeb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.735917] ==================================================================
```