Date
July 2, 2025, 11:10 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 31.017872] ================================================================== [ 31.017963] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 31.018026] Read of size 1 at addr fff00000c91f0200 by task kunit_try_catch/229 [ 31.018087] [ 31.018126] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT [ 31.018223] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.018252] Hardware name: linux,dummy-virt (DT) [ 31.018282] Call trace: [ 31.018306] show_stack+0x20/0x38 (C) [ 31.018361] dump_stack_lvl+0x8c/0xd0 [ 31.018409] print_report+0x118/0x608 [ 31.018457] kasan_report+0xdc/0x128 [ 31.018505] __kasan_check_byte+0x54/0x70 [ 31.018554] ksize+0x30/0x88 [ 31.018609] ksize_uaf+0x168/0x5f8 [ 31.018652] kunit_try_run_case+0x170/0x3f0 [ 31.018701] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.018754] kthread+0x328/0x630 [ 31.018797] ret_from_fork+0x10/0x20 [ 31.018844] [ 31.018863] Allocated by task 229: [ 31.018898] kasan_save_stack+0x3c/0x68 [ 31.019535] kasan_save_track+0x20/0x40 [ 31.019604] kasan_save_alloc_info+0x40/0x58 [ 31.020001] __kasan_kmalloc+0xd4/0xd8 [ 31.020114] __kmalloc_cache_noprof+0x16c/0x3c0 [ 31.020561] ksize_uaf+0xb8/0x5f8 [ 31.020624] kunit_try_run_case+0x170/0x3f0 [ 31.020702] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.020765] kthread+0x328/0x630 [ 31.020822] ret_from_fork+0x10/0x20 [ 31.020974] [ 31.021312] Freed by task 229: [ 31.021398] kasan_save_stack+0x3c/0x68 [ 31.021497] kasan_save_track+0x20/0x40 [ 31.022069] kasan_save_free_info+0x4c/0x78 [ 31.022286] __kasan_slab_free+0x6c/0x98 [ 31.022345] kfree+0x214/0x3c8 [ 31.022460] ksize_uaf+0x11c/0x5f8 [ 31.022529] kunit_try_run_case+0x170/0x3f0 [ 31.022639] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.022781] kthread+0x328/0x630 [ 31.022844] ret_from_fork+0x10/0x20 [ 31.022963] [ 31.023014] The buggy address belongs to the object at fff00000c91f0200 [ 31.023014] which belongs to the cache kmalloc-128 of size 128 [ 31.023100] The buggy address is located 0 bytes inside of [ 31.023100] freed 128-byte region [fff00000c91f0200, fff00000c91f0280) [ 31.023237] [ 31.023294] The buggy address belongs to the physical page: [ 31.023438] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1091f0 [ 31.023692] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.023794] page_type: f5(slab) [ 31.023881] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 31.023947] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 31.024138] page dumped because: kasan: bad access detected [ 31.024319] [ 31.024359] Memory state around the buggy address: [ 31.024407] fff00000c91f0100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.024512] fff00000c91f0180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.024576] >fff00000c91f0200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.024828] ^ [ 31.025051] fff00000c91f0280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.025135] fff00000c91f0300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.025288] ================================================================== [ 31.036323] ================================================================== [ 31.036651] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 31.036784] Read of size 1 at addr fff00000c91f0278 by task kunit_try_catch/229 [ 31.036841] [ 31.036999] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT [ 31.037164] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.037229] Hardware name: linux,dummy-virt (DT) [ 31.037361] Call trace: [ 31.037429] show_stack+0x20/0x38 (C) [ 31.037484] dump_stack_lvl+0x8c/0xd0 [ 31.037678] print_report+0x118/0x608 [ 31.037732] kasan_report+0xdc/0x128 [ 31.037779] __asan_report_load1_noabort+0x20/0x30 [ 31.037958] ksize_uaf+0x544/0x5f8 [ 31.038037] kunit_try_run_case+0x170/0x3f0 [ 31.038094] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.038215] kthread+0x328/0x630 [ 31.038261] ret_from_fork+0x10/0x20 [ 31.038446] [ 31.038469] Allocated by task 229: [ 31.038497] kasan_save_stack+0x3c/0x68 [ 31.038543] kasan_save_track+0x20/0x40 [ 31.038582] kasan_save_alloc_info+0x40/0x58 [ 31.038620] __kasan_kmalloc+0xd4/0xd8 [ 31.038983] __kmalloc_cache_noprof+0x16c/0x3c0 [ 31.039132] ksize_uaf+0xb8/0x5f8 [ 31.039200] kunit_try_run_case+0x170/0x3f0 [ 31.039241] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.039408] kthread+0x328/0x630 [ 31.039450] ret_from_fork+0x10/0x20 [ 31.039487] [ 31.039507] Freed by task 229: [ 31.039537] kasan_save_stack+0x3c/0x68 [ 31.039907] kasan_save_track+0x20/0x40 [ 31.040058] kasan_save_free_info+0x4c/0x78 [ 31.040229] __kasan_slab_free+0x6c/0x98 [ 31.040306] kfree+0x214/0x3c8 [ 31.040365] ksize_uaf+0x11c/0x5f8 [ 31.040555] kunit_try_run_case+0x170/0x3f0 [ 31.040669] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.040833] kthread+0x328/0x630 [ 31.040873] ret_from_fork+0x10/0x20 [ 31.040911] [ 31.040941] The buggy address belongs to the object at fff00000c91f0200 [ 31.040941] which belongs to the cache kmalloc-128 of size 128 [ 31.041001] The buggy address is located 120 bytes inside of [ 31.041001] freed 128-byte region [fff00000c91f0200, fff00000c91f0280) [ 31.041067] [ 31.041087] The buggy address belongs to the physical page: [ 31.041355] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1091f0 [ 31.041531] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.041619] page_type: f5(slab) [ 31.041721] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 31.041788] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 31.041872] page dumped because: kasan: bad access detected [ 31.042102] [ 31.042284] Memory state around the buggy address: [ 31.042364] fff00000c91f0100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.042504] fff00000c91f0180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.042575] >fff00000c91f0200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.042706] ^ [ 31.042761] fff00000c91f0280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.042829] fff00000c91f0300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.043008] ================================================================== [ 31.026770] ================================================================== [ 31.026831] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 31.026995] Read of size 1 at addr fff00000c91f0200 by task kunit_try_catch/229 [ 31.027121] [ 31.027168] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT [ 31.027261] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.027454] Hardware name: linux,dummy-virt (DT) [ 31.027488] Call trace: [ 31.027628] show_stack+0x20/0x38 (C) [ 31.027736] dump_stack_lvl+0x8c/0xd0 [ 31.027870] print_report+0x118/0x608 [ 31.027921] kasan_report+0xdc/0x128 [ 31.028268] __asan_report_load1_noabort+0x20/0x30 [ 31.028425] ksize_uaf+0x598/0x5f8 [ 31.028492] kunit_try_run_case+0x170/0x3f0 [ 31.028619] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.028676] kthread+0x328/0x630 [ 31.028741] ret_from_fork+0x10/0x20 [ 31.029083] [ 31.029232] Allocated by task 229: [ 31.029286] kasan_save_stack+0x3c/0x68 [ 31.029621] kasan_save_track+0x20/0x40 [ 31.029755] kasan_save_alloc_info+0x40/0x58 [ 31.029830] __kasan_kmalloc+0xd4/0xd8 [ 31.029869] __kmalloc_cache_noprof+0x16c/0x3c0 [ 31.030174] ksize_uaf+0xb8/0x5f8 [ 31.030236] kunit_try_run_case+0x170/0x3f0 [ 31.030360] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.030437] kthread+0x328/0x630 [ 31.030550] ret_from_fork+0x10/0x20 [ 31.030598] [ 31.030620] Freed by task 229: [ 31.030667] kasan_save_stack+0x3c/0x68 [ 31.030954] kasan_save_track+0x20/0x40 [ 31.031365] kasan_save_free_info+0x4c/0x78 [ 31.031432] __kasan_slab_free+0x6c/0x98 [ 31.031533] kfree+0x214/0x3c8 [ 31.031598] ksize_uaf+0x11c/0x5f8 [ 31.031753] kunit_try_run_case+0x170/0x3f0 [ 31.031832] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.032033] kthread+0x328/0x630 [ 31.032103] ret_from_fork+0x10/0x20 [ 31.032256] [ 31.032338] The buggy address belongs to the object at fff00000c91f0200 [ 31.032338] which belongs to the cache kmalloc-128 of size 128 [ 31.032449] The buggy address is located 0 bytes inside of [ 31.032449] freed 128-byte region [fff00000c91f0200, fff00000c91f0280) [ 31.032915] [ 31.032979] The buggy address belongs to the physical page: [ 31.033067] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1091f0 [ 31.033125] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.033191] page_type: f5(slab) [ 31.033394] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 31.033568] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 31.033665] page dumped because: kasan: bad access detected [ 31.033697] [ 31.033923] Memory state around the buggy address: [ 31.034033] fff00000c91f0100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.034132] fff00000c91f0180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.034183] >fff00000c91f0200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.034426] ^ [ 31.034653] fff00000c91f0280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.034732] fff00000c91f0300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.034843] ==================================================================
[ 32.760313] ================================================================== [ 32.760446] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 32.760515] Read of size 1 at addr fff00000c63fbd78 by task kunit_try_catch/227 [ 32.760584] [ 32.760679] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT [ 32.760769] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.760811] Hardware name: linux,dummy-virt (DT) [ 32.760845] Call trace: [ 32.760903] show_stack+0x20/0x38 (C) [ 32.760961] dump_stack_lvl+0x8c/0xd0 [ 32.761027] print_report+0x118/0x608 [ 32.761131] kasan_report+0xdc/0x128 [ 32.761191] __asan_report_load1_noabort+0x20/0x30 [ 32.761403] ksize_uaf+0x544/0x5f8 [ 32.761470] kunit_try_run_case+0x170/0x3f0 [ 32.761584] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.761660] kthread+0x328/0x630 [ 32.761712] ret_from_fork+0x10/0x20 [ 32.761813] [ 32.761854] Allocated by task 227: [ 32.761901] kasan_save_stack+0x3c/0x68 [ 32.762002] kasan_save_track+0x20/0x40 [ 32.762063] kasan_save_alloc_info+0x40/0x58 [ 32.762111] __kasan_kmalloc+0xd4/0xd8 [ 32.762326] __kmalloc_cache_noprof+0x16c/0x3c0 [ 32.762514] ksize_uaf+0xb8/0x5f8 [ 32.762558] kunit_try_run_case+0x170/0x3f0 [ 32.762606] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.762660] kthread+0x328/0x630 [ 32.762747] ret_from_fork+0x10/0x20 [ 32.762805] [ 32.762845] Freed by task 227: [ 32.762883] kasan_save_stack+0x3c/0x68 [ 32.762930] kasan_save_track+0x20/0x40 [ 32.763018] kasan_save_free_info+0x4c/0x78 [ 32.763087] __kasan_slab_free+0x6c/0x98 [ 32.763133] kfree+0x214/0x3c8 [ 32.763178] ksize_uaf+0x11c/0x5f8 [ 32.763212] kunit_try_run_case+0x170/0x3f0 [ 32.763473] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.763616] kthread+0x328/0x630 [ 32.763678] ret_from_fork+0x10/0x20 [ 32.763773] [ 32.763796] The buggy address belongs to the object at fff00000c63fbd00 [ 32.763796] which belongs to the cache kmalloc-128 of size 128 [ 32.763856] The buggy address is located 120 bytes inside of [ 32.763856] freed 128-byte region [fff00000c63fbd00, fff00000c63fbd80) [ 32.763920] [ 32.764117] The buggy address belongs to the physical page: [ 32.764224] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063fb [ 32.764308] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.764440] page_type: f5(slab) [ 32.764505] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 32.764572] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 32.764671] page dumped because: kasan: bad access detected [ 32.764707] [ 32.764725] Memory state around the buggy address: [ 32.764766] fff00000c63fbc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.764811] fff00000c63fbc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.764853] >fff00000c63fbd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.764892] ^ [ 32.764950] fff00000c63fbd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.764994] fff00000c63fbe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.765033] ================================================================== [ 32.753373] ================================================================== [ 32.753537] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 32.753591] Read of size 1 at addr fff00000c63fbd00 by task kunit_try_catch/227 [ 32.753732] [ 32.753781] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT [ 32.753910] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.753960] Hardware name: linux,dummy-virt (DT) [ 32.753994] Call trace: [ 32.754035] show_stack+0x20/0x38 (C) [ 32.754139] dump_stack_lvl+0x8c/0xd0 [ 32.754203] print_report+0x118/0x608 [ 32.754251] kasan_report+0xdc/0x128 [ 32.754304] __asan_report_load1_noabort+0x20/0x30 [ 32.754353] ksize_uaf+0x598/0x5f8 [ 32.754397] kunit_try_run_case+0x170/0x3f0 [ 32.754611] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.754792] kthread+0x328/0x630 [ 32.754870] ret_from_fork+0x10/0x20 [ 32.754922] [ 32.754941] Allocated by task 227: [ 32.754990] kasan_save_stack+0x3c/0x68 [ 32.755072] kasan_save_track+0x20/0x40 [ 32.755129] kasan_save_alloc_info+0x40/0x58 [ 32.755321] __kasan_kmalloc+0xd4/0xd8 [ 32.755482] __kmalloc_cache_noprof+0x16c/0x3c0 [ 32.755556] ksize_uaf+0xb8/0x5f8 [ 32.755619] kunit_try_run_case+0x170/0x3f0 [ 32.755687] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.755784] kthread+0x328/0x630 [ 32.755816] ret_from_fork+0x10/0x20 [ 32.755870] [ 32.755909] Freed by task 227: [ 32.756231] kasan_save_stack+0x3c/0x68 [ 32.756309] kasan_save_track+0x20/0x40 [ 32.756427] kasan_save_free_info+0x4c/0x78 [ 32.756496] __kasan_slab_free+0x6c/0x98 [ 32.756618] kfree+0x214/0x3c8 [ 32.756697] ksize_uaf+0x11c/0x5f8 [ 32.756765] kunit_try_run_case+0x170/0x3f0 [ 32.756892] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.756968] kthread+0x328/0x630 [ 32.757002] ret_from_fork+0x10/0x20 [ 32.757256] [ 32.757303] The buggy address belongs to the object at fff00000c63fbd00 [ 32.757303] which belongs to the cache kmalloc-128 of size 128 [ 32.757476] The buggy address is located 0 bytes inside of [ 32.757476] freed 128-byte region [fff00000c63fbd00, fff00000c63fbd80) [ 32.757620] [ 32.757668] The buggy address belongs to the physical page: [ 32.757737] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063fb [ 32.757842] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.757940] page_type: f5(slab) [ 32.758045] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 32.758100] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 32.758176] page dumped because: kasan: bad access detected [ 32.758470] [ 32.758510] Memory state around the buggy address: [ 32.758629] fff00000c63fbc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.758692] fff00000c63fbc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.758755] >fff00000c63fbd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.758884] ^ [ 32.758933] fff00000c63fbd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.758989] fff00000c63fbe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.759142] ================================================================== [ 32.747404] ================================================================== [ 32.747774] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 32.747863] Read of size 1 at addr fff00000c63fbd00 by task kunit_try_catch/227 [ 32.747970] [ 32.748028] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT [ 32.748150] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.748186] Hardware name: linux,dummy-virt (DT) [ 32.748385] Call trace: [ 32.748538] show_stack+0x20/0x38 (C) [ 32.748593] dump_stack_lvl+0x8c/0xd0 [ 32.748643] print_report+0x118/0x608 [ 32.748692] kasan_report+0xdc/0x128 [ 32.748750] __kasan_check_byte+0x54/0x70 [ 32.748797] ksize+0x30/0x88 [ 32.748844] ksize_uaf+0x168/0x5f8 [ 32.748897] kunit_try_run_case+0x170/0x3f0 [ 32.748947] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.749002] kthread+0x328/0x630 [ 32.749045] ret_from_fork+0x10/0x20 [ 32.749094] [ 32.749130] Allocated by task 227: [ 32.749170] kasan_save_stack+0x3c/0x68 [ 32.749213] kasan_save_track+0x20/0x40 [ 32.749260] kasan_save_alloc_info+0x40/0x58 [ 32.749298] __kasan_kmalloc+0xd4/0xd8 [ 32.749336] __kmalloc_cache_noprof+0x16c/0x3c0 [ 32.749375] ksize_uaf+0xb8/0x5f8 [ 32.749412] kunit_try_run_case+0x170/0x3f0 [ 32.749460] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.749511] kthread+0x328/0x630 [ 32.749551] ret_from_fork+0x10/0x20 [ 32.749589] [ 32.749626] Freed by task 227: [ 32.749669] kasan_save_stack+0x3c/0x68 [ 32.749708] kasan_save_track+0x20/0x40 [ 32.749747] kasan_save_free_info+0x4c/0x78 [ 32.749793] __kasan_slab_free+0x6c/0x98 [ 32.749832] kfree+0x214/0x3c8 [ 32.749867] ksize_uaf+0x11c/0x5f8 [ 32.749908] kunit_try_run_case+0x170/0x3f0 [ 32.749949] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.750003] kthread+0x328/0x630 [ 32.750036] ret_from_fork+0x10/0x20 [ 32.750072] [ 32.750091] The buggy address belongs to the object at fff00000c63fbd00 [ 32.750091] which belongs to the cache kmalloc-128 of size 128 [ 32.750272] The buggy address is located 0 bytes inside of [ 32.750272] freed 128-byte region [fff00000c63fbd00, fff00000c63fbd80) [ 32.750349] [ 32.750370] The buggy address belongs to the physical page: [ 32.750402] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063fb [ 32.750657] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.750923] page_type: f5(slab) [ 32.751003] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 32.751230] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 32.751484] page dumped because: kasan: bad access detected [ 32.751551] [ 32.751655] Memory state around the buggy address: [ 32.751713] fff00000c63fbc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.751784] fff00000c63fbc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.751889] >fff00000c63fbd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.751929] ^ [ 32.751959] fff00000c63fbd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.752127] fff00000c63fbe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.752314] ==================================================================
[ 23.535291] ================================================================== [ 23.535624] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 23.535831] Read of size 1 at addr ffff888104950600 by task kunit_try_catch/244 [ 23.536191] [ 23.536324] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) [ 23.536372] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.536384] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 23.536405] Call Trace: [ 23.536418] <TASK> [ 23.536435] dump_stack_lvl+0x73/0xb0 [ 23.536463] print_report+0xd1/0x650 [ 23.536485] ? __virt_addr_valid+0x1db/0x2d0 [ 23.536520] ? ksize_uaf+0x5fe/0x6c0 [ 23.536549] ? kasan_complete_mode_report_info+0x64/0x200 [ 23.536575] ? ksize_uaf+0x5fe/0x6c0 [ 23.536595] kasan_report+0x141/0x180 [ 23.536628] ? ksize_uaf+0x5fe/0x6c0 [ 23.536653] __asan_report_load1_noabort+0x18/0x20 [ 23.536676] ksize_uaf+0x5fe/0x6c0 [ 23.536696] ? __pfx_ksize_uaf+0x10/0x10 [ 23.536725] ? __schedule+0x10cc/0x2b60 [ 23.536746] ? __pfx_read_tsc+0x10/0x10 [ 23.536767] ? ktime_get_ts64+0x86/0x230 [ 23.536884] kunit_try_run_case+0x1a5/0x480 [ 23.536918] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.536941] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 23.536974] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.536996] ? __kthread_parkme+0x82/0x180 [ 23.537017] ? preempt_count_sub+0x50/0x80 [ 23.537050] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.537075] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.537098] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.537133] kthread+0x337/0x6f0 [ 23.537153] ? trace_preempt_on+0x20/0xc0 [ 23.537176] ? __pfx_kthread+0x10/0x10 [ 23.537196] ? _raw_spin_unlock_irq+0x47/0x80 [ 23.537220] ? calculate_sigpending+0x7b/0xa0 [ 23.537243] ? __pfx_kthread+0x10/0x10 [ 23.537264] ret_from_fork+0x116/0x1d0 [ 23.537283] ? __pfx_kthread+0x10/0x10 [ 23.537304] ret_from_fork_asm+0x1a/0x30 [ 23.537344] </TASK> [ 23.537355] [ 23.544815] Allocated by task 244: [ 23.545037] kasan_save_stack+0x45/0x70 [ 23.545273] kasan_save_track+0x18/0x40 [ 23.545521] kasan_save_alloc_info+0x3b/0x50 [ 23.545841] __kasan_kmalloc+0xb7/0xc0 [ 23.546039] __kmalloc_cache_noprof+0x189/0x420 [ 23.546230] ksize_uaf+0xaa/0x6c0 [ 23.546417] kunit_try_run_case+0x1a5/0x480 [ 23.546885] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.547139] kthread+0x337/0x6f0 [ 23.547291] ret_from_fork+0x116/0x1d0 [ 23.547511] ret_from_fork_asm+0x1a/0x30 [ 23.547772] [ 23.547876] Freed by task 244: [ 23.548030] kasan_save_stack+0x45/0x70 [ 23.548213] kasan_save_track+0x18/0x40 [ 23.548391] kasan_save_free_info+0x3f/0x60 [ 23.548634] __kasan_slab_free+0x56/0x70 [ 23.548919] kfree+0x222/0x3f0 [ 23.549097] ksize_uaf+0x12c/0x6c0 [ 23.549272] kunit_try_run_case+0x1a5/0x480 [ 23.549424] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.549593] kthread+0x337/0x6f0 [ 23.549708] ret_from_fork+0x116/0x1d0 [ 23.549846] ret_from_fork_asm+0x1a/0x30 [ 23.550117] [ 23.550213] The buggy address belongs to the object at ffff888104950600 [ 23.550213] which belongs to the cache kmalloc-128 of size 128 [ 23.551046] The buggy address is located 0 bytes inside of [ 23.551046] freed 128-byte region [ffff888104950600, ffff888104950680) [ 23.551619] [ 23.551763] The buggy address belongs to the physical page: [ 23.552018] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104950 [ 23.552256] flags: 0x200000000000000(node=0|zone=2) [ 23.552425] page_type: f5(slab) [ 23.552572] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 23.552935] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 23.553303] page dumped because: kasan: bad access detected [ 23.553697] [ 23.553894] Memory state around the buggy address: [ 23.554059] ffff888104950500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.554285] ffff888104950580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.554892] >ffff888104950600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.555221] ^ [ 23.555391] ffff888104950680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.555708] ffff888104950700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.555916] ================================================================== [ 23.506471] ================================================================== [ 23.507072] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 23.507281] Read of size 1 at addr ffff888104950600 by task kunit_try_catch/244 [ 23.507515] [ 23.507594] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) [ 23.507640] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.507652] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 23.507672] Call Trace: [ 23.507683] <TASK> [ 23.507698] dump_stack_lvl+0x73/0xb0 [ 23.507725] print_report+0xd1/0x650 [ 23.507746] ? __virt_addr_valid+0x1db/0x2d0 [ 23.507768] ? ksize_uaf+0x19d/0x6c0 [ 23.507787] ? kasan_complete_mode_report_info+0x64/0x200 [ 23.507812] ? ksize_uaf+0x19d/0x6c0 [ 23.507833] kasan_report+0x141/0x180 [ 23.507853] ? ksize_uaf+0x19d/0x6c0 [ 23.507876] ? ksize_uaf+0x19d/0x6c0 [ 23.507895] __kasan_check_byte+0x3d/0x50 [ 23.507916] ksize+0x20/0x60 [ 23.507939] ksize_uaf+0x19d/0x6c0 [ 23.507959] ? __pfx_ksize_uaf+0x10/0x10 [ 23.507979] ? __schedule+0x10cc/0x2b60 [ 23.508000] ? __pfx_read_tsc+0x10/0x10 [ 23.508020] ? ktime_get_ts64+0x86/0x230 [ 23.508044] kunit_try_run_case+0x1a5/0x480 [ 23.508068] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.508091] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 23.508111] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.508132] ? __kthread_parkme+0x82/0x180 [ 23.508152] ? preempt_count_sub+0x50/0x80 [ 23.508175] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.508198] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.508221] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.508245] kthread+0x337/0x6f0 [ 23.508264] ? trace_preempt_on+0x20/0xc0 [ 23.508286] ? __pfx_kthread+0x10/0x10 [ 23.508325] ? _raw_spin_unlock_irq+0x47/0x80 [ 23.508348] ? calculate_sigpending+0x7b/0xa0 [ 23.508371] ? __pfx_kthread+0x10/0x10 [ 23.508391] ret_from_fork+0x116/0x1d0 [ 23.508410] ? __pfx_kthread+0x10/0x10 [ 23.508429] ret_from_fork_asm+0x1a/0x30 [ 23.508459] </TASK> [ 23.508470] [ 23.522996] Allocated by task 244: [ 23.523253] kasan_save_stack+0x45/0x70 [ 23.523662] kasan_save_track+0x18/0x40 [ 23.523857] kasan_save_alloc_info+0x3b/0x50 [ 23.524050] __kasan_kmalloc+0xb7/0xc0 [ 23.524232] __kmalloc_cache_noprof+0x189/0x420 [ 23.524459] ksize_uaf+0xaa/0x6c0 [ 23.524650] kunit_try_run_case+0x1a5/0x480 [ 23.524907] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.525098] kthread+0x337/0x6f0 [ 23.525289] ret_from_fork+0x116/0x1d0 [ 23.525454] ret_from_fork_asm+0x1a/0x30 [ 23.525587] [ 23.525653] Freed by task 244: [ 23.525770] kasan_save_stack+0x45/0x70 [ 23.526049] kasan_save_track+0x18/0x40 [ 23.526240] kasan_save_free_info+0x3f/0x60 [ 23.526454] __kasan_slab_free+0x56/0x70 [ 23.526930] kfree+0x222/0x3f0 [ 23.527098] ksize_uaf+0x12c/0x6c0 [ 23.527264] kunit_try_run_case+0x1a5/0x480 [ 23.527488] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.527792] kthread+0x337/0x6f0 [ 23.527929] ret_from_fork+0x116/0x1d0 [ 23.528105] ret_from_fork_asm+0x1a/0x30 [ 23.528247] [ 23.528322] The buggy address belongs to the object at ffff888104950600 [ 23.528322] which belongs to the cache kmalloc-128 of size 128 [ 23.528751] The buggy address is located 0 bytes inside of [ 23.528751] freed 128-byte region [ffff888104950600, ffff888104950680) [ 23.529328] [ 23.529399] The buggy address belongs to the physical page: [ 23.529719] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104950 [ 23.530163] flags: 0x200000000000000(node=0|zone=2) [ 23.530505] page_type: f5(slab) [ 23.530683] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 23.531242] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 23.531601] page dumped because: kasan: bad access detected [ 23.531887] [ 23.531957] Memory state around the buggy address: [ 23.532116] ffff888104950500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.532442] ffff888104950580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.532731] >ffff888104950600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.533035] ^ [ 23.533207] ffff888104950680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.533584] ffff888104950700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.533992] ================================================================== [ 23.556542] ================================================================== [ 23.557142] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 23.557403] Read of size 1 at addr ffff888104950678 by task kunit_try_catch/244 [ 23.557743] [ 23.557935] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) [ 23.557996] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.558011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 23.558032] Call Trace: [ 23.558051] <TASK> [ 23.558067] dump_stack_lvl+0x73/0xb0 [ 23.558105] print_report+0xd1/0x650 [ 23.558127] ? __virt_addr_valid+0x1db/0x2d0 [ 23.558150] ? ksize_uaf+0x5e4/0x6c0 [ 23.558180] ? kasan_complete_mode_report_info+0x64/0x200 [ 23.558205] ? ksize_uaf+0x5e4/0x6c0 [ 23.558226] kasan_report+0x141/0x180 [ 23.558247] ? ksize_uaf+0x5e4/0x6c0 [ 23.558278] __asan_report_load1_noabort+0x18/0x20 [ 23.558301] ksize_uaf+0x5e4/0x6c0 [ 23.558337] ? __pfx_ksize_uaf+0x10/0x10 [ 23.558358] ? __schedule+0x10cc/0x2b60 [ 23.558379] ? __pfx_read_tsc+0x10/0x10 [ 23.558399] ? ktime_get_ts64+0x86/0x230 [ 23.558424] kunit_try_run_case+0x1a5/0x480 [ 23.558458] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.558481] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 23.558502] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.558543] ? __kthread_parkme+0x82/0x180 [ 23.558563] ? preempt_count_sub+0x50/0x80 [ 23.558586] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.558610] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.558643] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.558667] kthread+0x337/0x6f0 [ 23.558687] ? trace_preempt_on+0x20/0xc0 [ 23.558730] ? __pfx_kthread+0x10/0x10 [ 23.558750] ? _raw_spin_unlock_irq+0x47/0x80 [ 23.558773] ? calculate_sigpending+0x7b/0xa0 [ 23.558797] ? __pfx_kthread+0x10/0x10 [ 23.558818] ret_from_fork+0x116/0x1d0 [ 23.558837] ? __pfx_kthread+0x10/0x10 [ 23.558857] ret_from_fork_asm+0x1a/0x30 [ 23.558888] </TASK> [ 23.558899] [ 23.566180] Allocated by task 244: [ 23.566369] kasan_save_stack+0x45/0x70 [ 23.566813] kasan_save_track+0x18/0x40 [ 23.567123] kasan_save_alloc_info+0x3b/0x50 [ 23.567357] __kasan_kmalloc+0xb7/0xc0 [ 23.567621] __kmalloc_cache_noprof+0x189/0x420 [ 23.567857] ksize_uaf+0xaa/0x6c0 [ 23.568029] kunit_try_run_case+0x1a5/0x480 [ 23.568241] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.568510] kthread+0x337/0x6f0 [ 23.568657] ret_from_fork+0x116/0x1d0 [ 23.568885] ret_from_fork_asm+0x1a/0x30 [ 23.569078] [ 23.569164] Freed by task 244: [ 23.569319] kasan_save_stack+0x45/0x70 [ 23.569529] kasan_save_track+0x18/0x40 [ 23.569788] kasan_save_free_info+0x3f/0x60 [ 23.569995] __kasan_slab_free+0x56/0x70 [ 23.570186] kfree+0x222/0x3f0 [ 23.570354] ksize_uaf+0x12c/0x6c0 [ 23.570508] kunit_try_run_case+0x1a5/0x480 [ 23.570647] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.570814] kthread+0x337/0x6f0 [ 23.570927] ret_from_fork+0x116/0x1d0 [ 23.571051] ret_from_fork_asm+0x1a/0x30 [ 23.571183] [ 23.571301] The buggy address belongs to the object at ffff888104950600 [ 23.571301] which belongs to the cache kmalloc-128 of size 128 [ 23.572269] The buggy address is located 120 bytes inside of [ 23.572269] freed 128-byte region [ffff888104950600, ffff888104950680) [ 23.573147] [ 23.573218] The buggy address belongs to the physical page: [ 23.573441] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104950 [ 23.573931] flags: 0x200000000000000(node=0|zone=2) [ 23.574189] page_type: f5(slab) [ 23.574319] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 23.574543] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 23.574761] page dumped because: kasan: bad access detected [ 23.575125] [ 23.575300] Memory state around the buggy address: [ 23.575740] ffff888104950500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.576245] ffff888104950580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.576560] >ffff888104950600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.576871] ^ [ 23.577162] ffff888104950680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.577379] ffff888104950700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.577584] ==================================================================
[ 23.795105] ================================================================== [ 23.796701] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 23.797633] Read of size 1 at addr ffff8881049c5d00 by task kunit_try_catch/245 [ 23.797987] [ 23.798138] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) [ 23.798198] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.798211] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 23.798235] Call Trace: [ 23.798251] <TASK> [ 23.798288] dump_stack_lvl+0x73/0xb0 [ 23.798323] print_report+0xd1/0x650 [ 23.798361] ? __virt_addr_valid+0x1db/0x2d0 [ 23.798387] ? ksize_uaf+0x19d/0x6c0 [ 23.798407] ? kasan_complete_mode_report_info+0x64/0x200 [ 23.798531] ? ksize_uaf+0x19d/0x6c0 [ 23.798553] kasan_report+0x141/0x180 [ 23.798575] ? ksize_uaf+0x19d/0x6c0 [ 23.798597] ? ksize_uaf+0x19d/0x6c0 [ 23.798618] __kasan_check_byte+0x3d/0x50 [ 23.798640] ksize+0x20/0x60 [ 23.798667] ksize_uaf+0x19d/0x6c0 [ 23.798687] ? __pfx_ksize_uaf+0x10/0x10 [ 23.798708] ? __schedule+0x10cc/0x2b60 [ 23.798731] ? __pfx_read_tsc+0x10/0x10 [ 23.798754] ? ktime_get_ts64+0x86/0x230 [ 23.798781] kunit_try_run_case+0x1a5/0x480 [ 23.798808] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.798832] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 23.798854] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.798876] ? __kthread_parkme+0x82/0x180 [ 23.798898] ? preempt_count_sub+0x50/0x80 [ 23.798927] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.798952] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.798976] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.799000] kthread+0x337/0x6f0 [ 23.799020] ? trace_preempt_on+0x20/0xc0 [ 23.799044] ? __pfx_kthread+0x10/0x10 [ 23.799073] ? _raw_spin_unlock_irq+0x47/0x80 [ 23.799097] ? calculate_sigpending+0x7b/0xa0 [ 23.799122] ? __pfx_kthread+0x10/0x10 [ 23.799144] ret_from_fork+0x116/0x1d0 [ 23.799163] ? __pfx_kthread+0x10/0x10 [ 23.799472] ret_from_fork_asm+0x1a/0x30 [ 23.799515] </TASK> [ 23.799528] [ 23.812580] Allocated by task 245: [ 23.813012] kasan_save_stack+0x45/0x70 [ 23.813394] kasan_save_track+0x18/0x40 [ 23.813666] kasan_save_alloc_info+0x3b/0x50 [ 23.814271] __kasan_kmalloc+0xb7/0xc0 [ 23.814483] __kmalloc_cache_noprof+0x189/0x420 [ 23.814694] ksize_uaf+0xaa/0x6c0 [ 23.814857] kunit_try_run_case+0x1a5/0x480 [ 23.815790] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.816309] kthread+0x337/0x6f0 [ 23.816847] ret_from_fork+0x116/0x1d0 [ 23.817965] ret_from_fork_asm+0x1a/0x30 [ 23.818135] [ 23.818204] Freed by task 245: [ 23.818329] kasan_save_stack+0x45/0x70 [ 23.818511] kasan_save_track+0x18/0x40 [ 23.818681] kasan_save_free_info+0x3f/0x60 [ 23.818868] __kasan_slab_free+0x56/0x70 [ 23.819025] kfree+0x222/0x3f0 [ 23.819180] ksize_uaf+0x12c/0x6c0 [ 23.819520] kunit_try_run_case+0x1a5/0x480 [ 23.819894] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.820777] kthread+0x337/0x6f0 [ 23.821782] ret_from_fork+0x116/0x1d0 [ 23.822232] ret_from_fork_asm+0x1a/0x30 [ 23.822617] [ 23.822692] The buggy address belongs to the object at ffff8881049c5d00 [ 23.822692] which belongs to the cache kmalloc-128 of size 128 [ 23.823634] The buggy address is located 0 bytes inside of [ 23.823634] freed 128-byte region [ffff8881049c5d00, ffff8881049c5d80) [ 23.823989] [ 23.824098] The buggy address belongs to the physical page: [ 23.824299] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1049c5 [ 23.824606] flags: 0x200000000000000(node=0|zone=2) [ 23.824832] page_type: f5(slab) [ 23.824985] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 23.825232] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 23.825578] page dumped because: kasan: bad access detected [ 23.825884] [ 23.825952] Memory state around the buggy address: [ 23.826115] ffff8881049c5c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.826326] ffff8881049c5c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.826534] >ffff8881049c5d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.827404] ^ [ 23.827545] ffff8881049c5d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.827759] ffff8881049c5e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.828055] ================================================================== [ 23.828678] ================================================================== [ 23.829020] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 23.829400] Read of size 1 at addr ffff8881049c5d00 by task kunit_try_catch/245 [ 23.829766] [ 23.829873] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) [ 23.829925] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.829952] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 23.829974] Call Trace: [ 23.830033] <TASK> [ 23.830055] dump_stack_lvl+0x73/0xb0 [ 23.830098] print_report+0xd1/0x650 [ 23.830121] ? __virt_addr_valid+0x1db/0x2d0 [ 23.830145] ? ksize_uaf+0x5fe/0x6c0 [ 23.830165] ? kasan_complete_mode_report_info+0x64/0x200 [ 23.830224] ? ksize_uaf+0x5fe/0x6c0 [ 23.830244] kasan_report+0x141/0x180 [ 23.830265] ? ksize_uaf+0x5fe/0x6c0 [ 23.830307] __asan_report_load1_noabort+0x18/0x20 [ 23.830331] ksize_uaf+0x5fe/0x6c0 [ 23.830351] ? __pfx_ksize_uaf+0x10/0x10 [ 23.830372] ? __schedule+0x10cc/0x2b60 [ 23.830394] ? __pfx_read_tsc+0x10/0x10 [ 23.830416] ? ktime_get_ts64+0x86/0x230 [ 23.830441] kunit_try_run_case+0x1a5/0x480 [ 23.830467] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.830490] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 23.830512] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.830532] ? __kthread_parkme+0x82/0x180 [ 23.830552] ? preempt_count_sub+0x50/0x80 [ 23.830575] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.830599] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.830622] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.830646] kthread+0x337/0x6f0 [ 23.830665] ? trace_preempt_on+0x20/0xc0 [ 23.830688] ? __pfx_kthread+0x10/0x10 [ 23.830709] ? _raw_spin_unlock_irq+0x47/0x80 [ 23.830733] ? calculate_sigpending+0x7b/0xa0 [ 23.830756] ? __pfx_kthread+0x10/0x10 [ 23.830777] ret_from_fork+0x116/0x1d0 [ 23.830796] ? __pfx_kthread+0x10/0x10 [ 23.830816] ret_from_fork_asm+0x1a/0x30 [ 23.830846] </TASK> [ 23.830859] [ 23.837769] Allocated by task 245: [ 23.837907] kasan_save_stack+0x45/0x70 [ 23.838121] kasan_save_track+0x18/0x40 [ 23.838310] kasan_save_alloc_info+0x3b/0x50 [ 23.838513] __kasan_kmalloc+0xb7/0xc0 [ 23.838673] __kmalloc_cache_noprof+0x189/0x420 [ 23.838819] ksize_uaf+0xaa/0x6c0 [ 23.838930] kunit_try_run_case+0x1a5/0x480 [ 23.839074] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.839236] kthread+0x337/0x6f0 [ 23.839345] ret_from_fork+0x116/0x1d0 [ 23.839467] ret_from_fork_asm+0x1a/0x30 [ 23.839594] [ 23.839656] Freed by task 245: [ 23.839756] kasan_save_stack+0x45/0x70 [ 23.839878] kasan_save_track+0x18/0x40 [ 23.840002] kasan_save_free_info+0x3f/0x60 [ 23.840144] __kasan_slab_free+0x56/0x70 [ 23.840272] kfree+0x222/0x3f0 [ 23.840379] ksize_uaf+0x12c/0x6c0 [ 23.840540] kunit_try_run_case+0x1a5/0x480 [ 23.840837] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.841127] kthread+0x337/0x6f0 [ 23.841244] ret_from_fork+0x116/0x1d0 [ 23.841363] ret_from_fork_asm+0x1a/0x30 [ 23.841562] [ 23.841648] The buggy address belongs to the object at ffff8881049c5d00 [ 23.841648] which belongs to the cache kmalloc-128 of size 128 [ 23.842335] The buggy address is located 0 bytes inside of [ 23.842335] freed 128-byte region [ffff8881049c5d00, ffff8881049c5d80) [ 23.842664] [ 23.842729] The buggy address belongs to the physical page: [ 23.843168] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1049c5 [ 23.843507] flags: 0x200000000000000(node=0|zone=2) [ 23.843738] page_type: f5(slab) [ 23.843944] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 23.844522] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 23.844994] page dumped because: kasan: bad access detected [ 23.845337] [ 23.845428] Memory state around the buggy address: [ 23.845759] ffff8881049c5c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.846130] ffff8881049c5c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.846608] >ffff8881049c5d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.846827] ^ [ 23.847055] ffff8881049c5d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.847418] ffff8881049c5e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.847705] ================================================================== [ 23.848430] ================================================================== [ 23.848819] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 23.849227] Read of size 1 at addr ffff8881049c5d78 by task kunit_try_catch/245 [ 23.849599] [ 23.849689] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) [ 23.849740] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.849754] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 23.849777] Call Trace: [ 23.849793] <TASK> [ 23.849812] dump_stack_lvl+0x73/0xb0 [ 23.849849] print_report+0xd1/0x650 [ 23.849872] ? __virt_addr_valid+0x1db/0x2d0 [ 23.849896] ? ksize_uaf+0x5e4/0x6c0 [ 23.849916] ? kasan_complete_mode_report_info+0x64/0x200 [ 23.849942] ? ksize_uaf+0x5e4/0x6c0 [ 23.849963] kasan_report+0x141/0x180 [ 23.849984] ? ksize_uaf+0x5e4/0x6c0 [ 23.850009] __asan_report_load1_noabort+0x18/0x20 [ 23.850042] ksize_uaf+0x5e4/0x6c0 [ 23.850073] ? __pfx_ksize_uaf+0x10/0x10 [ 23.850094] ? __schedule+0x10cc/0x2b60 [ 23.850154] ? __pfx_read_tsc+0x10/0x10 [ 23.850177] ? ktime_get_ts64+0x86/0x230 [ 23.850203] kunit_try_run_case+0x1a5/0x480 [ 23.850229] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.850253] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 23.850274] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.850307] ? __kthread_parkme+0x82/0x180 [ 23.850328] ? preempt_count_sub+0x50/0x80 [ 23.850353] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.850378] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.850431] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.850456] kthread+0x337/0x6f0 [ 23.850475] ? trace_preempt_on+0x20/0xc0 [ 23.850499] ? __pfx_kthread+0x10/0x10 [ 23.850519] ? _raw_spin_unlock_irq+0x47/0x80 [ 23.850543] ? calculate_sigpending+0x7b/0xa0 [ 23.850567] ? __pfx_kthread+0x10/0x10 [ 23.850589] ret_from_fork+0x116/0x1d0 [ 23.850607] ? __pfx_kthread+0x10/0x10 [ 23.850628] ret_from_fork_asm+0x1a/0x30 [ 23.850660] </TASK> [ 23.850672] [ 23.856391] Allocated by task 245: [ 23.856566] kasan_save_stack+0x45/0x70 [ 23.856760] kasan_save_track+0x18/0x40 [ 23.856938] kasan_save_alloc_info+0x3b/0x50 [ 23.857288] __kasan_kmalloc+0xb7/0xc0 [ 23.857497] __kmalloc_cache_noprof+0x189/0x420 [ 23.857899] ksize_uaf+0xaa/0x6c0 [ 23.858256] kunit_try_run_case+0x1a5/0x480 [ 23.858423] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.858586] kthread+0x337/0x6f0 [ 23.858696] ret_from_fork+0x116/0x1d0 [ 23.858817] ret_from_fork_asm+0x1a/0x30 [ 23.858944] [ 23.859006] Freed by task 245: [ 23.859117] kasan_save_stack+0x45/0x70 [ 23.859240] kasan_save_track+0x18/0x40 [ 23.859362] kasan_save_free_info+0x3f/0x60 [ 23.859494] __kasan_slab_free+0x56/0x70 [ 23.859618] kfree+0x222/0x3f0 [ 23.859724] ksize_uaf+0x12c/0x6c0 [ 23.860168] kunit_try_run_case+0x1a5/0x480 [ 23.860373] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.860594] kthread+0x337/0x6f0 [ 23.861414] ret_from_fork+0x116/0x1d0 [ 23.861701] ret_from_fork_asm+0x1a/0x30 [ 23.861903] [ 23.861983] The buggy address belongs to the object at ffff8881049c5d00 [ 23.861983] which belongs to the cache kmalloc-128 of size 128 [ 23.862740] The buggy address is located 120 bytes inside of [ 23.862740] freed 128-byte region [ffff8881049c5d00, ffff8881049c5d80) [ 23.865152] [ 23.865249] The buggy address belongs to the physical page: [ 23.865708] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1049c5 [ 23.865978] flags: 0x200000000000000(node=0|zone=2) [ 23.866152] page_type: f5(slab) [ 23.866274] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 23.866507] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 23.866732] page dumped because: kasan: bad access detected [ 23.866899] [ 23.866963] Memory state around the buggy address: [ 23.868394] ffff8881049c5c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.868886] ffff8881049c5c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.869893] >ffff8881049c5d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 23.870556] ^ [ 23.871223] ffff8881049c5d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.871557] ffff8881049c5e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.871847] ==================================================================