Date
June 26, 2025, 9:10 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
```
[ 42.903806] ==================================================================
[ 42.915450] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 42.921895] Read of size 1 at addr ffff00009462ca00 by task kunit_try_catch/282
[ 42.929299]
[ 42.930826] CPU: 7 UID: 0 PID: 282 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 42.930856] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 42.930864] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 42.930877] Call trace:
[ 42.930884] show_stack+0x20/0x38 (C)
[ 42.930902] dump_stack_lvl+0x8c/0xd0
[ 42.930920] print_report+0x118/0x608
[ 42.930939] kasan_report+0xdc/0x128
[ 42.930957] __kasan_check_byte+0x54/0x70
[ 42.930975] ksize+0x30/0x88
[ 42.930992] ksize_uaf+0x168/0x5f8
[ 42.931009] kunit_try_run_case+0x170/0x3f0
[ 42.931026] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 42.931046] kthread+0x328/0x630
[ 42.931060] ret_from_fork+0x10/0x20
[ 42.931077]
[ 42.998083] Allocated by task 282:
[ 43.001535] kasan_save_stack+0x3c/0x68
[ 43.005439] kasan_save_track+0x20/0x40
[ 43.009342] kasan_save_alloc_info+0x40/0x58
[ 43.013677] __kasan_kmalloc+0xd4/0xd8
[ 43.017490] __kmalloc_cache_noprof+0x16c/0x3c0
[ 43.022088] ksize_uaf+0xb8/0x5f8
[ 43.025459] kunit_try_run_case+0x170/0x3f0
[ 43.029703] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 43.035264] kthread+0x328/0x630
[ 43.038546] ret_from_fork+0x10/0x20
[ 43.042185]
[ 43.043713] Freed by task 282:
[ 43.046821] kasan_save_stack+0x3c/0x68
[ 43.050724] kasan_save_track+0x20/0x40
[ 43.054627] kasan_save_free_info+0x4c/0x78
[ 43.058873] __kasan_slab_free+0x6c/0x98
[ 43.062861] kfree+0x214/0x3c8
[ 43.065967] ksize_uaf+0x11c/0x5f8
[ 43.069422] kunit_try_run_case+0x170/0x3f0
[ 43.073671] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 43.079232] kthread+0x328/0x630
[ 43.082513] ret_from_fork+0x10/0x20
[ 43.086144]
[ 43.087672] The buggy address belongs to the object at ffff00009462ca00
[ 43.087672]  which belongs to the cache kmalloc-128 of size 128
[ 43.100322] The buggy address is located 0 bytes inside of
[ 43.100322]  freed 128-byte region [ffff00009462ca00, ffff00009462ca80)
[ 43.112540]
[ 43.114063] The buggy address belongs to the physical page:
[ 43.119702] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11462c
[ 43.127808] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 43.135554] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 43.142604] page_type: f5(slab)
[ 43.145799] raw: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 43.153638] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 43.161476] head: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 43.169397] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 43.177322] head: 0bfffe0000000001 fffffdffc2518b01 00000000ffffffff 00000000ffffffff
[ 43.185244] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 43.193162] page dumped because: kasan: bad access detected
[ 43.198804]
[ 43.200332] Memory state around the buggy address:
[ 43.205194]  ffff00009462c900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.212507]  ffff00009462c980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.219818] >ffff00009462ca00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.227124]                    ^
[ 43.230401]  ffff00009462ca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.237714]  ffff00009462cb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.245026] ==================================================================
[ 43.252643] ==================================================================
[ 43.259963] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 43.266403] Read of size 1 at addr ffff00009462ca00 by task kunit_try_catch/282
[ 43.273802]
[ 43.275339] CPU: 6 UID: 0 PID: 282 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 43.275370] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 43.275378] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 43.275389] Call trace:
[ 43.275395] show_stack+0x20/0x38 (C)
[ 43.275413] dump_stack_lvl+0x8c/0xd0
[ 43.275431] print_report+0x118/0x608
[ 43.275449] kasan_report+0xdc/0x128
[ 43.275466] __asan_report_load1_noabort+0x20/0x30
[ 43.275482] ksize_uaf+0x598/0x5f8
[ 43.275497] kunit_try_run_case+0x170/0x3f0
[ 43.275515] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 43.275536] kthread+0x328/0x630
[ 43.275548] ret_from_fork+0x10/0x20
[ 43.275564]
[ 43.340411] Allocated by task 282:
[ 43.343866] kasan_save_stack+0x3c/0x68
[ 43.347762] kasan_save_track+0x20/0x40
[ 43.351656] kasan_save_alloc_info+0x40/0x58
[ 43.355993] __kasan_kmalloc+0xd4/0xd8
[ 43.359810] __kmalloc_cache_noprof+0x16c/0x3c0
[ 43.364408] ksize_uaf+0xb8/0x5f8
[ 43.367779] kunit_try_run_case+0x170/0x3f0
[ 43.372030] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 43.377595] kthread+0x328/0x630
[ 43.380877] ret_from_fork+0x10/0x20
[ 43.384508]
[ 43.386032] Freed by task 282:
[ 43.389137] kasan_save_stack+0x3c/0x68
[ 43.393031] kasan_save_track+0x20/0x40
[ 43.396936] kasan_save_free_info+0x4c/0x78
[ 43.401182] __kasan_slab_free+0x6c/0x98
[ 43.405174] kfree+0x214/0x3c8
[ 43.408285] ksize_uaf+0x11c/0x5f8
[ 43.411741] kunit_try_run_case+0x170/0x3f0
[ 43.415992] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 43.421557] kthread+0x328/0x630
[ 43.424840] ret_from_fork+0x10/0x20
[ 43.428471]
[ 43.429993] The buggy address belongs to the object at ffff00009462ca00
[ 43.429993]  which belongs to the cache kmalloc-128 of size 128
[ 43.442651] The buggy address is located 0 bytes inside of
[ 43.442651]  freed 128-byte region [ffff00009462ca00, ffff00009462ca80)
[ 43.454863]
[ 43.456394] The buggy address belongs to the physical page:
[ 43.462040] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11462c
[ 43.470142] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 43.477894] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 43.484944] page_type: f5(slab)
[ 43.488140] raw: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 43.495983] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 43.503825] head: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 43.511752] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 43.519680] head: 0bfffe0000000001 fffffdffc2518b01 00000000ffffffff 00000000ffffffff
[ 43.527605] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 43.535528] page dumped because: kasan: bad access detected
[ 43.541171]
[ 43.542692] Memory state around the buggy address:
[ 43.547549]  ffff00009462c900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.554858]  ffff00009462c980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.562165] >ffff00009462ca00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.569471]                    ^
[ 43.572751]  ffff00009462ca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.580056]  ffff00009462cb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.587361] ==================================================================
[ 43.594721] ==================================================================
[ 43.602033] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 43.608478] Read of size 1 at addr ffff00009462ca78 by task kunit_try_catch/282
[ 43.615875]
[ 43.617401] CPU: 6 UID: 0 PID: 282 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 43.617429] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 43.617436] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 43.617445] Call trace:
[ 43.617451] show_stack+0x20/0x38 (C)
[ 43.617469] dump_stack_lvl+0x8c/0xd0
[ 43.617486] print_report+0x118/0x608
[ 43.617504] kasan_report+0xdc/0x128
[ 43.617523] __asan_report_load1_noabort+0x20/0x30
[ 43.617540] ksize_uaf+0x544/0x5f8
[ 43.617555] kunit_try_run_case+0x170/0x3f0
[ 43.617571] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 43.617590] kthread+0x328/0x630
[ 43.617603] ret_from_fork+0x10/0x20
[ 43.617620]
[ 43.682465] Allocated by task 282:
[ 43.685919] kasan_save_stack+0x3c/0x68
[ 43.689825] kasan_save_track+0x20/0x40
[ 43.693719] kasan_save_alloc_info+0x40/0x58
[ 43.698053] __kasan_kmalloc+0xd4/0xd8
[ 43.701859] __kmalloc_cache_noprof+0x16c/0x3c0
[ 43.706457] ksize_uaf+0xb8/0x5f8
[ 43.709827] kunit_try_run_case+0x170/0x3f0
[ 43.714076] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 43.719640] kthread+0x328/0x630
[ 43.722924] ret_from_fork+0x10/0x20
[ 43.726556]
[ 43.728085] Freed by task 282:
[ 43.731191] kasan_save_stack+0x3c/0x68
[ 43.735086] kasan_save_track+0x20/0x40
[ 43.738979] kasan_save_free_info+0x4c/0x78
[ 43.743224] __kasan_slab_free+0x6c/0x98
[ 43.747206] kfree+0x214/0x3c8
[ 43.750315] ksize_uaf+0x11c/0x5f8
[ 43.753773] kunit_try_run_case+0x170/0x3f0
[ 43.758023] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 43.763585] kthread+0x328/0x630
[ 43.766870] ret_from_fork+0x10/0x20
[ 43.770500]
[ 43.772029] The buggy address belongs to the object at ffff00009462ca00
[ 43.772029]  which belongs to the cache kmalloc-128 of size 128
[ 43.784685] The buggy address is located 120 bytes inside of
[ 43.784685]  freed 128-byte region [ffff00009462ca00, ffff00009462ca80)
[ 43.797071]
[ 43.798594] The buggy address belongs to the physical page:
[ 43.804235] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11462c
[ 43.812336] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 43.820089] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 43.827139] page_type: f5(slab)
[ 43.830335] raw: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 43.838179] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 43.846020] head: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 43.853947] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 43.861875] head: 0bfffe0000000001 fffffdffc2518b01 00000000ffffffff 00000000ffffffff
[ 43.869800] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 43.877723] page dumped because: kasan: bad access detected
[ 43.883365]
[ 43.884886] Memory state around the buggy address:
[ 43.889738]  ffff00009462c900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.897052]  ffff00009462c980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.904357] >ffff00009462ca00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.911663]                                                                 ^
[ 43.918884]  ffff00009462ca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.926190]  ffff00009462cb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.933495] ==================================================================
```
```
[ 27.107209] ==================================================================
[ 27.107319] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 27.107388] Read of size 1 at addr fff00000c643fa00 by task kunit_try_catch/208
[ 27.107437]
[ 27.107467] CPU: 0 UID: 0 PID: 208 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 27.107553] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.108297] Hardware name: linux,dummy-virt (DT)
[ 27.108350] Call trace:
[ 27.108372] show_stack+0x20/0x38 (C)
[ 27.108424] dump_stack_lvl+0x8c/0xd0
[ 27.108472] print_report+0x118/0x608
[ 27.108845] kasan_report+0xdc/0x128
[ 27.108899] __asan_report_load1_noabort+0x20/0x30
[ 27.108956] ksize_uaf+0x598/0x5f8
[ 27.109339] kunit_try_run_case+0x170/0x3f0
[ 27.109396] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.109739] kthread+0x328/0x630
[ 27.109944] ret_from_fork+0x10/0x20
[ 27.110335]
[ 27.110365] Allocated by task 208:
[ 27.110397] kasan_save_stack+0x3c/0x68
[ 27.110668] kasan_save_track+0x20/0x40
[ 27.110732] kasan_save_alloc_info+0x40/0x58
[ 27.110768] __kasan_kmalloc+0xd4/0xd8
[ 27.110804] __kmalloc_cache_noprof+0x16c/0x3c0
[ 27.111380] ksize_uaf+0xb8/0x5f8
[ 27.111434] kunit_try_run_case+0x170/0x3f0
[ 27.111472] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.111718] kthread+0x328/0x630
[ 27.111948] ret_from_fork+0x10/0x20
[ 27.111997]
[ 27.112016] Freed by task 208:
[ 27.112052] kasan_save_stack+0x3c/0x68
[ 27.112189] kasan_save_track+0x20/0x40
[ 27.112461] kasan_save_free_info+0x4c/0x78
[ 27.112555] __kasan_slab_free+0x6c/0x98
[ 27.112592] kfree+0x214/0x3c8
[ 27.112624] ksize_uaf+0x11c/0x5f8
[ 27.112659] kunit_try_run_case+0x170/0x3f0
[ 27.112696] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.112740] kthread+0x328/0x630
[ 27.112773] ret_from_fork+0x10/0x20
[ 27.112810]
[ 27.112829] The buggy address belongs to the object at fff00000c643fa00
[ 27.112829]  which belongs to the cache kmalloc-128 of size 128
[ 27.113912] The buggy address is located 0 bytes inside of
[ 27.113912]  freed 128-byte region [fff00000c643fa00, fff00000c643fa80)
[ 27.114325]
[ 27.114557] The buggy address belongs to the physical page:
[ 27.114769] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10643f
[ 27.114822] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 27.114872] page_type: f5(slab)
[ 27.115481] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000100 dead000000000122
[ 27.115537] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 27.115577] page dumped because: kasan: bad access detected
[ 27.115608]
[ 27.115842] Memory state around the buggy address:
[ 27.116272]  fff00000c643f900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.116441]  fff00000c643f980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.116490] >fff00000c643fa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.116857]                    ^
[ 27.116893]  fff00000c643fa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.117234]  fff00000c643fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.117276] ==================================================================
[ 27.097452] ==================================================================
[ 27.097511] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 27.097562] Read of size 1 at addr fff00000c643fa00 by task kunit_try_catch/208
[ 27.097610]
[ 27.097640] CPU: 0 UID: 0 PID: 208 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 27.097726] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.097753] Hardware name: linux,dummy-virt (DT)
[ 27.097783] Call trace:
[ 27.097805] show_stack+0x20/0x38 (C)
[ 27.097854] dump_stack_lvl+0x8c/0xd0
[ 27.097903] print_report+0x118/0x608
[ 27.097951] kasan_report+0xdc/0x128
[ 27.097997] __kasan_check_byte+0x54/0x70
[ 27.098043] ksize+0x30/0x88
[ 27.098670] ksize_uaf+0x168/0x5f8
[ 27.098719] kunit_try_run_case+0x170/0x3f0
[ 27.099328] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.099410] kthread+0x328/0x630
[ 27.099457] ret_from_fork+0x10/0x20
[ 27.099506]
[ 27.099524] Allocated by task 208:
[ 27.099552] kasan_save_stack+0x3c/0x68
[ 27.099594] kasan_save_track+0x20/0x40
[ 27.099632] kasan_save_alloc_info+0x40/0x58
[ 27.099669] __kasan_kmalloc+0xd4/0xd8
[ 27.099706] __kmalloc_cache_noprof+0x16c/0x3c0
[ 27.099747] ksize_uaf+0xb8/0x5f8
[ 27.099791] kunit_try_run_case+0x170/0x3f0
[ 27.099829] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.099872] kthread+0x328/0x630
[ 27.099905] ret_from_fork+0x10/0x20
[ 27.099941]
[ 27.099960] Freed by task 208:
[ 27.099984] kasan_save_stack+0x3c/0x68
[ 27.100020] kasan_save_track+0x20/0x40
[ 27.100065] kasan_save_free_info+0x4c/0x78
[ 27.100101] __kasan_slab_free+0x6c/0x98
[ 27.101143] kfree+0x214/0x3c8
[ 27.101198] ksize_uaf+0x11c/0x5f8
[ 27.101287] kunit_try_run_case+0x170/0x3f0
[ 27.101324] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.101368] kthread+0x328/0x630
[ 27.101517] ret_from_fork+0x10/0x20
[ 27.101827]
[ 27.101908] The buggy address belongs to the object at fff00000c643fa00
[ 27.101908]  which belongs to the cache kmalloc-128 of size 128
[ 27.102276] The buggy address is located 0 bytes inside of
[ 27.102276]  freed 128-byte region [fff00000c643fa00, fff00000c643fa80)
[ 27.102727]
[ 27.102994] The buggy address belongs to the physical page:
[ 27.103128] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10643f
[ 27.103519] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 27.103579] page_type: f5(slab)
[ 27.103624] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000100 dead000000000122
[ 27.103674] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 27.104049] page dumped because: kasan: bad access detected
[ 27.104098]
[ 27.104118] Memory state around the buggy address:
[ 27.104149]  fff00000c643f900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.104658]  fff00000c643f980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.104710] >fff00000c643fa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.104958]                    ^
[ 27.104990]  fff00000c643fa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.105032]  fff00000c643fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.105095] ==================================================================
[ 27.118633] ==================================================================
[ 27.118683] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 27.118734] Read of size 1 at addr fff00000c643fa78 by task kunit_try_catch/208
[ 27.118784]
[ 27.118813] CPU: 0 UID: 0 PID: 208 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 27.118900] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.118927] Hardware name: linux,dummy-virt (DT)
[ 27.120230] Call trace:
[ 27.120271] show_stack+0x20/0x38 (C)
[ 27.120391] dump_stack_lvl+0x8c/0xd0
[ 27.120441] print_report+0x118/0x608
[ 27.120488] kasan_report+0xdc/0x128
[ 27.120533] __asan_report_load1_noabort+0x20/0x30
[ 27.120676] ksize_uaf+0x544/0x5f8
[ 27.120949] kunit_try_run_case+0x170/0x3f0
[ 27.121386] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.121512] kthread+0x328/0x630
[ 27.121763] ret_from_fork+0x10/0x20
[ 27.122125]
[ 27.122176] Allocated by task 208:
[ 27.122239] kasan_save_stack+0x3c/0x68
[ 27.122284] kasan_save_track+0x20/0x40
[ 27.122321] kasan_save_alloc_info+0x40/0x58
[ 27.122358] __kasan_kmalloc+0xd4/0xd8
[ 27.122394] __kmalloc_cache_noprof+0x16c/0x3c0
[ 27.123317] ksize_uaf+0xb8/0x5f8
[ 27.123747] kunit_try_run_case+0x170/0x3f0
[ 27.123859] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.123905] kthread+0x328/0x630
[ 27.123937] ret_from_fork+0x10/0x20
[ 27.124115]
[ 27.124483] Freed by task 208:
[ 27.124728] kasan_save_stack+0x3c/0x68
[ 27.124778] kasan_save_track+0x20/0x40
[ 27.124816] kasan_save_free_info+0x4c/0x78
[ 27.124853] __kasan_slab_free+0x6c/0x98
[ 27.125690] kfree+0x214/0x3c8
[ 27.125736] ksize_uaf+0x11c/0x5f8
[ 27.125773] kunit_try_run_case+0x170/0x3f0
[ 27.125809] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.126358] kthread+0x328/0x630
[ 27.126689] ret_from_fork+0x10/0x20
[ 27.126991]
[ 27.127114] The buggy address belongs to the object at fff00000c643fa00
[ 27.127114]  which belongs to the cache kmalloc-128 of size 128
[ 27.127416] The buggy address is located 120 bytes inside of
[ 27.127416]  freed 128-byte region [fff00000c643fa00, fff00000c643fa80)
[ 27.127522]
[ 27.127801] The buggy address belongs to the physical page:
[ 27.127870] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10643f
[ 27.127946] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 27.128268] page_type: f5(slab)
[ 27.128521] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000100 dead000000000122
[ 27.128702] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 27.128749] page dumped because: kasan: bad access detected
[ 27.128782]
[ 27.128799] Memory state around the buggy address:
[ 27.129118]  fff00000c643f900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.129337]  fff00000c643f980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.129654] >fff00000c643fa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.129736]                                                                 ^
[ 27.130097]  fff00000c643fa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.130181]  fff00000c643fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.130220] ==================================================================
```
```
[ 22.624510] ==================================================================
[ 22.624925] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 22.625345] Read of size 1 at addr ffff888102d56700 by task kunit_try_catch/225
[ 22.625634]
[ 22.625746] CPU: 1 UID: 0 PID: 225 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary)
[ 22.625794] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.625805] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.625827] Call Trace:
[ 22.625841]  <TASK>
[ 22.625861]  dump_stack_lvl+0x73/0xb0
[ 22.625888]  print_report+0xd1/0x650
[ 22.625911]  ? __virt_addr_valid+0x1db/0x2d0
[ 22.625935]  ? ksize_uaf+0x5fe/0x6c0
[ 22.625955]  ? kasan_complete_mode_report_info+0x64/0x200
[ 22.625982]  ? ksize_uaf+0x5fe/0x6c0
[ 22.626002]  kasan_report+0x141/0x180
[ 22.626023]  ? ksize_uaf+0x5fe/0x6c0
[ 22.626046]  __asan_report_load1_noabort+0x18/0x20
[ 22.626069]  ksize_uaf+0x5fe/0x6c0
[ 22.626089]  ? __pfx_ksize_uaf+0x10/0x10
[ 22.626109]  ? __schedule+0x10cc/0x2b60
[ 22.626133]  ? __pfx_read_tsc+0x10/0x10
[ 22.626155]  ? ktime_get_ts64+0x86/0x230
[ 22.626179]  kunit_try_run_case+0x1a5/0x480
[ 22.626205]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.626252]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 22.626275]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.626300]  ? __kthread_parkme+0x82/0x180
[ 22.626320]  ? preempt_count_sub+0x50/0x80
[ 22.626345]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.626371]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.626395]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.626418]  kthread+0x337/0x6f0
[ 22.626437]  ? trace_preempt_on+0x20/0xc0
[ 22.626460]  ? __pfx_kthread+0x10/0x10
[ 22.626480]  ? _raw_spin_unlock_irq+0x47/0x80
[ 22.626503]  ? calculate_sigpending+0x7b/0xa0
[ 22.626526]  ? __pfx_kthread+0x10/0x10
[ 22.626547]  ret_from_fork+0x116/0x1d0
[ 22.626565]  ? __pfx_kthread+0x10/0x10
[ 22.626585]  ret_from_fork_asm+0x1a/0x30
[ 22.626615]  </TASK>
[ 22.626626]
[ 22.633268] Allocated by task 225:
[ 22.633453]  kasan_save_stack+0x45/0x70
[ 22.633620]  kasan_save_track+0x18/0x40
[ 22.633840]  kasan_save_alloc_info+0x3b/0x50
[ 22.634016]  __kasan_kmalloc+0xb7/0xc0
[ 22.634186]  __kmalloc_cache_noprof+0x189/0x420
[ 22.634380]  ksize_uaf+0xaa/0x6c0
[ 22.634530]  kunit_try_run_case+0x1a5/0x480
[ 22.634670]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.634837]  kthread+0x337/0x6f0
[ 22.634964]  ret_from_fork+0x116/0x1d0
[ 22.635284]  ret_from_fork_asm+0x1a/0x30
[ 22.635477]
[ 22.635569] Freed by task 225:
[ 22.635720]  kasan_save_stack+0x45/0x70
[ 22.635983]  kasan_save_track+0x18/0x40
[ 22.636528]  kasan_save_free_info+0x3f/0x60
[ 22.636751]  __kasan_slab_free+0x56/0x70
[ 22.636987]  kfree+0x222/0x3f0
[ 22.637143]  ksize_uaf+0x12c/0x6c0
[ 22.637305]  kunit_try_run_case+0x1a5/0x480
[ 22.637446]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.637613]  kthread+0x337/0x6f0
[ 22.637725]  ret_from_fork+0x116/0x1d0
[ 22.637849]  ret_from_fork_asm+0x1a/0x30
[ 22.638025]
[ 22.638115] The buggy address belongs to the object at ffff888102d56700
[ 22.638115]  which belongs to the cache kmalloc-128 of size 128
[ 22.638862] The buggy address is located 0 bytes inside of
[ 22.638862]  freed 128-byte region [ffff888102d56700, ffff888102d56780)
[ 22.639438]
[ 22.639516] The buggy address belongs to the physical page:
[ 22.639685] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102d56
[ 22.639920] flags: 0x200000000000000(node=0|zone=2)
[ 22.640142] page_type: f5(slab)
[ 22.640421] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 22.640764] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 22.641092] page dumped because: kasan: bad access detected
[ 22.641396]
[ 22.641473] Memory state around the buggy address:
[ 22.641711]  ffff888102d56600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.642028]  ffff888102d56680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.642371] >ffff888102d56700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.642683]                    ^
[ 22.642828]  ffff888102d56780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.643041]  ffff888102d56800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.643291] ==================================================================
[ 22.591692] ==================================================================
[ 22.592829] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 22.593344] Read of size 1 at addr ffff888102d56700 by task kunit_try_catch/225
[ 22.594046]
[ 22.594179] CPU: 1 UID: 0 PID: 225 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary)
[ 22.594243] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.594256] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.594279] Call Trace:
[ 22.594294]  <TASK>
[ 22.594315]  dump_stack_lvl+0x73/0xb0
[ 22.594374]  print_report+0xd1/0x650
[ 22.594398]  ? __virt_addr_valid+0x1db/0x2d0
[ 22.594435]  ? ksize_uaf+0x19d/0x6c0
[ 22.594464]  ? kasan_complete_mode_report_info+0x64/0x200
[ 22.594521]  ? ksize_uaf+0x19d/0x6c0
[ 22.594542]  kasan_report+0x141/0x180
[ 22.594563]  ? ksize_uaf+0x19d/0x6c0
[ 22.594585]  ? ksize_uaf+0x19d/0x6c0
[ 22.594604]  __kasan_check_byte+0x3d/0x50
[ 22.594626]  ksize+0x20/0x60
[ 22.594650]  ksize_uaf+0x19d/0x6c0
[ 22.594669]  ? __pfx_ksize_uaf+0x10/0x10
[ 22.594690]  ? __schedule+0x10cc/0x2b60
[ 22.594714]  ? __pfx_read_tsc+0x10/0x10
[ 22.594736]  ? ktime_get_ts64+0x86/0x230
[ 22.594760]  kunit_try_run_case+0x1a5/0x480
[ 22.594791]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.594813]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 22.594837]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.594861]  ? __kthread_parkme+0x82/0x180
[ 22.594881]  ? preempt_count_sub+0x50/0x80
[ 22.594903]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.594926]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.594949]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.594972]  kthread+0x337/0x6f0
[ 22.594992]  ? trace_preempt_on+0x20/0xc0
[ 22.595014]  ? __pfx_kthread+0x10/0x10
[ 22.595045]  ? _raw_spin_unlock_irq+0x47/0x80
[ 22.595067]  ? calculate_sigpending+0x7b/0xa0
[ 22.595090]  ? __pfx_kthread+0x10/0x10
[ 22.595111]  ret_from_fork+0x116/0x1d0
[ 22.595129]  ? __pfx_kthread+0x10/0x10
[ 22.595149]  ret_from_fork_asm+0x1a/0x30
[ 22.595180]  </TASK>
[ 22.595192]
[ 22.607995] Allocated by task 225:
[ 22.608354]  kasan_save_stack+0x45/0x70
[ 22.608746]  kasan_save_track+0x18/0x40
[ 22.609184]  kasan_save_alloc_info+0x3b/0x50
[ 22.609585]  __kasan_kmalloc+0xb7/0xc0
[ 22.609939]  __kmalloc_cache_noprof+0x189/0x420
[ 22.610258]  ksize_uaf+0xaa/0x6c0
[ 22.610582]  kunit_try_run_case+0x1a5/0x480
[ 22.610937]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.611122]  kthread+0x337/0x6f0
[ 22.611245]  ret_from_fork+0x116/0x1d0
[ 22.611369]  ret_from_fork_asm+0x1a/0x30
[ 22.611498]
[ 22.611561] Freed by task 225:
[ 22.611664]  kasan_save_stack+0x45/0x70
[ 22.611788]  kasan_save_track+0x18/0x40
[ 22.611912]  kasan_save_free_info+0x3f/0x60
[ 22.612046]  __kasan_slab_free+0x56/0x70
[ 22.612172]  kfree+0x222/0x3f0
[ 22.612424]  ksize_uaf+0x12c/0x6c0
[ 22.613279]  kunit_try_run_case+0x1a5/0x480
[ 22.613722]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.614290]  kthread+0x337/0x6f0
[ 22.614606]  ret_from_fork+0x116/0x1d0
[ 22.615040]  ret_from_fork_asm+0x1a/0x30
[ 22.615420]
[ 22.615584] The buggy address belongs to the object at ffff888102d56700
[ 22.615584]  which belongs to the cache kmalloc-128 of size 128
[ 22.616713] The buggy address is located 0 bytes inside of
[ 22.616713]  freed 128-byte region [ffff888102d56700, ffff888102d56780)
[ 22.618109]
[ 22.618293] The buggy address belongs to the physical page:
[ 22.618760] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102d56
[ 22.619438] flags: 0x200000000000000(node=0|zone=2)
[ 22.619605] page_type: f5(slab)
[ 22.619723] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 22.620409] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 22.621165] page dumped because: kasan: bad access detected
[ 22.621745]
[ 22.622117] Memory state around the buggy address:
[ 22.622310]  ffff888102d56600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.622522]  ffff888102d56680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.622730] >ffff888102d56700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.623009]                    ^
[ 22.623242]  ffff888102d56780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.623491]  ffff888102d56800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.623788] ==================================================================
[ 22.644027] ==================================================================
[ 22.644661] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 22.645147] Read of size 1 at addr ffff888102d56778 by task kunit_try_catch/225
[ 22.645436]
[ 22.645522] CPU: 1 UID: 0 PID: 225 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary)
[ 22.645569] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.645581] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.645603] Call Trace:
[ 22.645622]  <TASK>
[ 22.645640]  dump_stack_lvl+0x73/0xb0
[ 22.645667]  print_report+0xd1/0x650
[ 22.645689]  ? __virt_addr_valid+0x1db/0x2d0
[ 22.645712]  ? ksize_uaf+0x5e4/0x6c0
[ 22.645731]  ? kasan_complete_mode_report_info+0x64/0x200
[ 22.645756]  ? ksize_uaf+0x5e4/0x6c0
[ 22.645776]  kasan_report+0x141/0x180
[ 22.645797]  ? ksize_uaf+0x5e4/0x6c0
[ 22.645821]  __asan_report_load1_noabort+0x18/0x20
[ 22.645843]  ksize_uaf+0x5e4/0x6c0
[ 22.645862]  ? __pfx_ksize_uaf+0x10/0x10
[ 22.645882]  ? __schedule+0x10cc/0x2b60
[ 22.645907]  ? __pfx_read_tsc+0x10/0x10
[ 22.645928]  ? ktime_get_ts64+0x86/0x230
[ 22.645951]  kunit_try_run_case+0x1a5/0x480
[ 22.645975]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.645997]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 22.646020]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.646044]  ? __kthread_parkme+0x82/0x180
[ 22.646064]  ? preempt_count_sub+0x50/0x80
[ 22.646086]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.646109]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.646131]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.646154]  kthread+0x337/0x6f0
[ 22.646172]  ? trace_preempt_on+0x20/0xc0
[ 22.646195]  ? __pfx_kthread+0x10/0x10
[ 22.646214]  ? _raw_spin_unlock_irq+0x47/0x80
[ 22.646293]  ? calculate_sigpending+0x7b/0xa0
[ 22.646317]  ? __pfx_kthread+0x10/0x10
[ 22.646338]  ret_from_fork+0x116/0x1d0
[ 22.646356]  ? __pfx_kthread+0x10/0x10
[ 22.646375]  ret_from_fork_asm+0x1a/0x30
[ 22.646405]  </TASK>
[ 22.646416]
[ 22.653438] Allocated by task 225:
[ 22.653628]  kasan_save_stack+0x45/0x70
[ 22.653820]  kasan_save_track+0x18/0x40
[ 22.654003]  kasan_save_alloc_info+0x3b/0x50
[ 22.654209]  __kasan_kmalloc+0xb7/0xc0
[ 22.654403]  __kmalloc_cache_noprof+0x189/0x420
[ 22.654614]  ksize_uaf+0xaa/0x6c0
[ 22.654743]  kunit_try_run_case+0x1a5/0x480
[ 22.654885]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.655157]  kthread+0x337/0x6f0
[ 22.655333]  ret_from_fork+0x116/0x1d0
[ 22.655516]  ret_from_fork_asm+0x1a/0x30
[ 22.655709]
[ 22.655798] Freed by task 225:
[ 22.655952]  kasan_save_stack+0x45/0x70
[ 22.656265]  kasan_save_track+0x18/0x40
[ 22.656408]  kasan_save_free_info+0x3f/0x60
[ 22.656547]  __kasan_slab_free+0x56/0x70
[ 22.656689]  kfree+0x222/0x3f0
[ 22.656843]  ksize_uaf+0x12c/0x6c0
[ 22.657010]  kunit_try_run_case+0x1a5/0x480
[ 22.657240]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.657472]  kthread+0x337/0x6f0
[ 22.657588]  ret_from_fork+0x116/0x1d0
[ 22.657769]  ret_from_fork_asm+0x1a/0x30
[ 22.657956]
[ 22.658029] The buggy address belongs to the object at ffff888102d56700
[ 22.658029]  which belongs to the cache kmalloc-128 of size 128
[ 22.658490] The buggy address is located 120 bytes inside of
[ 22.658490]  freed 128-byte region [ffff888102d56700, ffff888102d56780)
[ 22.658972]
[ 22.659100] The buggy address belongs to the physical page:
[ 22.659438] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102d56
[ 22.659731] flags: 0x200000000000000(node=0|zone=2)
[ 22.660002] page_type: f5(slab)
[ 22.660146] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 22.660477] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 22.660846] page dumped because: kasan: bad access detected
[ 22.661035]
[ 22.661123] Memory state around the buggy address:
[ 22.661355]  ffff888102d56600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.661565]  ffff888102d56680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.661775] >ffff888102d56700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.661980]                                                                 ^
[ 22.662183]  ffff888102d56780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.662624]  ffff888102d56800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.663359] ==================================================================
```
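The reports above are the intended output of the KASAN KUnit self-test, not a kernel bug: the faulting task is `kunit_try_catch` and the taint line carries `[N]=TEST`. The test function `ksize_uaf` frees an object from the `kmalloc-128` cache and then deliberately touches it three times, which is why every environment shows three slab-use-after-free reports in the same function: one raised from `__kasan_check_byte` under `ksize()`, one for a 1-byte read at offset 0, and one for a 1-byte read at offset 120 (the `__asan_report_load1_noabort` frames show this is generic, compiler-instrumented KASAN). When triaging CI logs of this kind, a KASAN splat whose task is not a KUnit thread and whose taint line lacks `[N]` is the one to escalate.

As an added example that is not part of this page or of the kernel source, the C program below models how generic KASAN's shadow memory encodes the object state printed under "Memory state around the buggy address" (`fa` freed object whose first granule holds free-tracking metadata, `fb` freed, `fc` slab redzone, `00` fully addressable, `1`..`7` a partially addressable 8-byte granule) and how a one-byte access is classified against it. It reuses the dragonboard object address and the 128-byte cache from the reports; the function names, the five-row shadow window, and the 120-byte allocation size (an assumption of the example, chosen to match the 120-byte offset in the third report) are its own, and it also shows the pre-free state, which the page does not.

```c
/* Added example (not from the page or the kernel tree): a user-space model of
 * generic KASAN shadow encoding and its 1-byte check. Poison values follow the
 * kernel's mm/kasan/kasan.h; everything else is this example's own choice. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KASAN_GRANULE_SIZE   8
#define KASAN_SLAB_REDZONE   0xFC  /* redzone inside a slab object */
#define KASAN_SLAB_FREE      0xFB  /* freed slab object */
#define KASAN_SLAB_FREE_META 0xFA  /* freed object; first granule holds free-tracking meta */

enum verdict { V_OK, V_SLAB_OOB, V_SLAB_UAF, V_OTHER_POISON };

/* Assumed window: the five 128-byte rows the reports print, starting at
 * ffff00009462c900; one shadow byte covers one 8-byte granule. */
#define WINDOW_BASE 0xffff00009462c900ULL
#define WINDOW_SIZE (5 * 16 * KASAN_GRANULE_SIZE)
static uint8_t shadow[WINDOW_SIZE / KASAN_GRANULE_SIZE];
static uint8_t off_window = KASAN_SLAB_REDZONE;  /* sink for addresses outside the window */

static uint8_t *shadow_slot(uint64_t addr)
{
    if (addr < WINDOW_BASE || addr >= WINDOW_BASE + WINDOW_SIZE)
        return &off_window;
    return &shadow[(addr - WINDOW_BASE) / KASAN_GRANULE_SIZE];
}

void kasan_model_reset(void) { memset(shadow, KASAN_SLAB_REDZONE, sizeof shadow); }
uint8_t kasan_model_shadow(uint64_t addr) { return *shadow_slot(addr); }

/* kmalloc(size) from a cache of cache_size-byte objects: unpoison the requested
 * bytes (a partial last granule records how many of its 8 bytes are valid) and
 * leave the rest of the object as redzone. */
void kasan_model_kmalloc(uint64_t obj, size_t size, size_t cache_size)
{
    for (size_t off = 0; off < cache_size; off += KASAN_GRANULE_SIZE) {
        uint8_t *s = shadow_slot(obj + off);
        if (off + KASAN_GRANULE_SIZE <= size)
            *s = 0;
        else if (off < size)
            *s = (uint8_t)(size - off);
        else
            *s = KASAN_SLAB_REDZONE;
    }
}

/* kfree(): poison the whole object as freed, first granule marked as free meta.
 * This produces the "fa fb fb fb ..." row seen in the reports. */
void kasan_model_kfree(uint64_t obj, size_t cache_size)
{
    for (size_t off = 0; off < cache_size; off += KASAN_GRANULE_SIZE)
        *shadow_slot(obj + off) = KASAN_SLAB_FREE;
    *shadow_slot(obj) = KASAN_SLAB_FREE_META;
}

/* The 1-byte check behind __kasan_check_byte (ksize) and __asan_load1 (ptr[i]). */
enum verdict kasan_model_check_byte(uint64_t addr)
{
    uint8_t s = *shadow_slot(addr);
    if (s == 0)
        return V_OK;
    if (s < KASAN_GRANULE_SIZE)  /* partial granule: only bytes below s are valid */
        return (addr % KASAN_GRANULE_SIZE) < s ? V_OK : V_SLAB_OOB;
    switch (s) {
    case KASAN_SLAB_FREE:
    case KASAN_SLAB_FREE_META: return V_SLAB_UAF;
    case KASAN_SLAB_REDZONE:   return V_SLAB_OOB;
    default:                   return V_OTHER_POISON;
    }
}

static const char *verdict_name(enum verdict v)
{
    static const char *names[] = { "ok", "slab-out-of-bounds", "slab-use-after-free", "other-poison" };
    return names[v];
}

int main(void)
{
    const uint64_t obj = 0xffff00009462ca00ULL;   /* object address from the dragonboard report */
    const size_t size = 128 - KASAN_GRANULE_SIZE;  /* assumed 120-byte allocation from kmalloc-128 */
    const size_t offsets[] = { 0, 0, size };       /* ksize(ptr) check, ptr[0], ptr[size] */

    kasan_model_reset();
    kasan_model_kmalloc(obj, size, 128);
    printf("live:  ptr[0]=%s ptr[119]=%s ptr[120]=%s\n",
           verdict_name(kasan_model_check_byte(obj)),
           verdict_name(kasan_model_check_byte(obj + 119)),
           verdict_name(kasan_model_check_byte(obj + 120)));

    kasan_model_kfree(obj, 128);
    for (size_t i = 0; i < 3; i++) {
        uint64_t addr = obj + offsets[i];
        printf("freed: read of size 1 at %#llx -> %s, %zu bytes inside freed 128-byte region\n",
               (unsigned long long)addr, verdict_name(kasan_model_check_byte(addr)), offsets[i]);
    }
    return 0;
}
```

Before the free, offset 120 is already outside the 120-byte allocation and would be reported as slab-out-of-bounds; after the free all three accesses land on `fa`/`fb` shadow and become slab-use-after-free, matching the reports. The model covers generic KASAN only: the HW_TAGS and SW_TAGS modes track state in pointer tags rather than shadow bytes, and their reports look different.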