Date
July 3, 2025, 10:10 a.m.
Environment
dragonboard-845c
qemu-arm64
qemu-x86_64
dragonboard-845c
[ 44.083669] ==================================================================
[ 44.090987] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 44.097437] Read of size 1 at addr ffff000082240200 by task kunit_try_catch/305
[ 44.104845]
[ 44.106379] CPU: 3 UID: 0 PID: 305 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 44.106410] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 44.106419] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 44.106431] Call trace:
[ 44.106438] show_stack+0x20/0x38 (C)
[ 44.106458] dump_stack_lvl+0x8c/0xd0
[ 44.106480] print_report+0x118/0x608
[ 44.106499] kasan_report+0xdc/0x128
[ 44.106518] __asan_report_load1_noabort+0x20/0x30
[ 44.106536] ksize_uaf+0x598/0x5f8
[ 44.106552] kunit_try_run_case+0x170/0x3f0
[ 44.106573] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 44.106596] kthread+0x328/0x630
[ 44.106612] ret_from_fork+0x10/0x20
[ 44.106630]
[ 44.171536] Allocated by task 305:
[ 44.174997] kasan_save_stack+0x3c/0x68
[ 44.178900] kasan_save_track+0x20/0x40
[ 44.182809] kasan_save_alloc_info+0x40/0x58
[ 44.187146] __kasan_kmalloc+0xd4/0xd8
[ 44.190968] __kmalloc_cache_noprof+0x16c/0x3c0
[ 44.195578] ksize_uaf+0xb8/0x5f8
[ 44.198959] kunit_try_run_case+0x170/0x3f0
[ 44.203215] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 44.208787] kthread+0x328/0x630
[ 44.212076] ret_from_fork+0x10/0x20
[ 44.215716]
[ 44.217246] Freed by task 305:
[ 44.220358] kasan_save_stack+0x3c/0x68
[ 44.224269] kasan_save_track+0x20/0x40
[ 44.228180] kasan_save_free_info+0x4c/0x78
[ 44.232432] __kasan_slab_free+0x6c/0x98
[ 44.236428] kfree+0x214/0x3c8
[ 44.239540] ksize_uaf+0x11c/0x5f8
[ 44.243007] kunit_try_run_case+0x170/0x3f0
[ 44.247260] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 44.252830] kthread+0x328/0x630
[ 44.256124] ret_from_fork+0x10/0x20
[ 44.259764]
[ 44.261291] The buggy address belongs to the object at ffff000082240200
[ 44.261291] which belongs to the cache kmalloc-128 of size 128
[ 44.273958] The buggy address is located 0 bytes inside of
[ 44.273958] freed 128-byte region [ffff000082240200, ffff000082240280)
[ 44.286181]
[ 44.287718] The buggy address belongs to the physical page:
[ 44.293367] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102240
[ 44.301483] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 44.309244] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 44.316301] page_type: f5(slab)
[ 44.319509] raw: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 44.327355] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 44.335203] head: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 44.343137] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 44.351072] head: 0bfffe0000000001 fffffdffc2089001 00000000ffffffff 00000000ffffffff
[ 44.359006] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 44.366934] page dumped because: kasan: bad access detected
[ 44.372582]
[ 44.374111] Memory state around the buggy address:
[ 44.378973] ffff000082240100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.386289] ffff000082240180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.393604] >ffff000082240200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.400916] ^
[ 44.404203] ffff000082240280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.411521] ffff000082240300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.418834] ==================================================================
[ 44.427005] ==================================================================
[ 44.434324] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 44.440772] Read of size 1 at addr ffff000082240278 by task kunit_try_catch/305
[ 44.448182]
[ 44.449712] CPU: 4 UID: 0 PID: 305 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 44.449743] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 44.449751] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 44.449763] Call trace:
[ 44.449770] show_stack+0x20/0x38 (C)
[ 44.449788] dump_stack_lvl+0x8c/0xd0
[ 44.449807] print_report+0x118/0x608
[ 44.449825] kasan_report+0xdc/0x128
[ 44.449844] __asan_report_load1_noabort+0x20/0x30
[ 44.449861] ksize_uaf+0x544/0x5f8
[ 44.449877] kunit_try_run_case+0x170/0x3f0
[ 44.449896] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 44.449916] kthread+0x328/0x630
[ 44.449929] ret_from_fork+0x10/0x20
[ 44.449947]
[ 44.514800] Allocated by task 305:
[ 44.518255] kasan_save_stack+0x3c/0x68
[ 44.522162] kasan_save_track+0x20/0x40
[ 44.526068] kasan_save_alloc_info+0x40/0x58
[ 44.530407] __kasan_kmalloc+0xd4/0xd8
[ 44.534226] __kmalloc_cache_noprof+0x16c/0x3c0
[ 44.538825] ksize_uaf+0xb8/0x5f8
[ 44.542197] kunit_try_run_case+0x170/0x3f0
[ 44.546447] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 44.552012] kthread+0x328/0x630
[ 44.555296] ret_from_fork+0x10/0x20
[ 44.558931]
[ 44.560462] Freed by task 305:
[ 44.563568] kasan_save_stack+0x3c/0x68
[ 44.567474] kasan_save_track+0x20/0x40
[ 44.571378] kasan_save_free_info+0x4c/0x78
[ 44.575626] __kasan_slab_free+0x6c/0x98
[ 44.579619] kfree+0x214/0x3c8
[ 44.582733] ksize_uaf+0x11c/0x5f8
[ 44.586190] kunit_try_run_case+0x170/0x3f0
[ 44.590443] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 44.596005] kthread+0x328/0x630
[ 44.599288] ret_from_fork+0x10/0x20
[ 44.602923]
[ 44.604453] The buggy address belongs to the object at ffff000082240200
[ 44.604453] which belongs to the cache kmalloc-128 of size 128
[ 44.617110] The buggy address is located 120 bytes inside of
[ 44.617110] freed 128-byte region [ffff000082240200, ffff000082240280)
[ 44.629499]
[ 44.631034] The buggy address belongs to the physical page:
[ 44.636677] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102240
[ 44.644782] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 44.652538] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 44.659587] page_type: f5(slab)
[ 44.662789] raw: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 44.670634] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 44.678477] head: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 44.686405] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 44.694334] head: 0bfffe0000000001 fffffdffc2089001 00000000ffffffff 00000000ffffffff
[ 44.702262] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 44.710185] page dumped because: kasan: bad access detected
[ 44.715822]
[ 44.717346] Memory state around the buggy address:
[ 44.722197] ffff000082240100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.729513] ffff000082240180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.736830] >ffff000082240200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.744146] ^
[ 44.751362] ffff000082240280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.758674] ffff000082240300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.765989] ==================================================================
[ 43.734638] ==================================================================
[ 43.746285] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 43.752731] Read of size 1 at addr ffff000082240200 by task kunit_try_catch/305
[ 43.760147]
[ 43.761682] CPU: 3 UID: 0 PID: 305 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 43.761714] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 43.761723] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 43.761736] Call trace:
[ 43.761743] show_stack+0x20/0x38 (C)
[ 43.761762] dump_stack_lvl+0x8c/0xd0
[ 43.761784] print_report+0x118/0x608
[ 43.761804] kasan_report+0xdc/0x128
[ 43.761823] __kasan_check_byte+0x54/0x70
[ 43.761842] ksize+0x30/0x88
[ 43.761863] ksize_uaf+0x168/0x5f8
[ 43.761879] kunit_try_run_case+0x170/0x3f0
[ 43.761897] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 43.761920] kthread+0x328/0x630
[ 43.761934] ret_from_fork+0x10/0x20
[ 43.761953]
[ 43.829008] Allocated by task 305:
[ 43.832474] kasan_save_stack+0x3c/0x68
[ 43.836380] kasan_save_track+0x20/0x40
[ 43.840285] kasan_save_alloc_info+0x40/0x58
[ 43.844631] __kasan_kmalloc+0xd4/0xd8
[ 43.848448] __kmalloc_cache_noprof+0x16c/0x3c0
[ 43.853055] ksize_uaf+0xb8/0x5f8
[ 43.856430] kunit_try_run_case+0x170/0x3f0
[ 43.860690] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 43.866260] kthread+0x328/0x630
[ 43.869547] ret_from_fork+0x10/0x20
[ 43.873192]
[ 43.874722] Freed by task 305:
[ 43.877830] kasan_save_stack+0x3c/0x68
[ 43.881736] kasan_save_track+0x20/0x40
[ 43.885641] kasan_save_free_info+0x4c/0x78
[ 43.889899] __kasan_slab_free+0x6c/0x98
[ 43.893890] kfree+0x214/0x3c8
[ 43.897005] ksize_uaf+0x11c/0x5f8
[ 43.900476] kunit_try_run_case+0x170/0x3f0
[ 43.904737] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 43.910305] kthread+0x328/0x630
[ 43.913591] ret_from_fork+0x10/0x20
[ 43.917235]
[ 43.918765] The buggy address belongs to the object at ffff000082240200
[ 43.918765] which belongs to the cache kmalloc-128 of size 128
[ 43.931429] The buggy address is located 0 bytes inside of
[ 43.931429] freed 128-byte region [ffff000082240200, ffff000082240280)
[ 43.943650]
[ 43.945181] The buggy address belongs to the physical page:
[ 43.950826] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102240
[ 43.958933] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 43.966692] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 43.973750] page_type: f5(slab)
[ 43.976951] raw: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 43.984799] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 43.992649] head: 0bfffe0000000040 ffff000080002a00 dead000000000122 0000000000000000
[ 44.000584] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 44.008517] head: 0bfffe0000000001 fffffdffc2089001 00000000ffffffff 00000000ffffffff
[ 44.016450] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 44.024379] page dumped because: kasan: bad access detected
[ 44.030026]
[ 44.031557] Memory state around the buggy address:
[ 44.036416] ffff000082240100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.043732] ffff000082240180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.051049] >ffff000082240200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.058364] ^
[ 44.061650] ffff000082240280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.068968] ffff000082240300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.076281] ==================================================================
qemu-arm64
[ 31.334948] ==================================================================
[ 31.335298] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 31.335382] Read of size 1 at addr fff00000c9ae3500 by task kunit_try_catch/228
[ 31.335482]
[ 31.335517] CPU: 0 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 31.335660] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.335689] Hardware name: linux,dummy-virt (DT)
[ 31.335913] Call trace:
[ 31.335954] show_stack+0x20/0x38 (C)
[ 31.336016] dump_stack_lvl+0x8c/0xd0
[ 31.336211] print_report+0x118/0x608
[ 31.336294] kasan_report+0xdc/0x128
[ 31.336588] __kasan_check_byte+0x54/0x70
[ 31.336750] ksize+0x30/0x88
[ 31.336796] ksize_uaf+0x168/0x5f8
[ 31.336849] kunit_try_run_case+0x170/0x3f0
[ 31.337299] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.337464] kthread+0x328/0x630
[ 31.337644] ret_from_fork+0x10/0x20
[ 31.337736]
[ 31.338017] Allocated by task 228:
[ 31.338194] kasan_save_stack+0x3c/0x68
[ 31.338354] kasan_save_track+0x20/0x40
[ 31.338538] kasan_save_alloc_info+0x40/0x58
[ 31.338613] __kasan_kmalloc+0xd4/0xd8
[ 31.338651] __kmalloc_cache_noprof+0x16c/0x3c0
[ 31.338885] ksize_uaf+0xb8/0x5f8
[ 31.339048] kunit_try_run_case+0x170/0x3f0
[ 31.339821] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.339989] kthread+0x328/0x630
[ 31.340055] ret_from_fork+0x10/0x20
[ 31.340110]
[ 31.340266] Freed by task 228:
[ 31.340384] kasan_save_stack+0x3c/0x68
[ 31.340750] kasan_save_track+0x20/0x40
[ 31.340829] kasan_save_free_info+0x4c/0x78
[ 31.341138] __kasan_slab_free+0x6c/0x98
[ 31.341454] kfree+0x214/0x3c8
[ 31.341689] ksize_uaf+0x11c/0x5f8
[ 31.341887] kunit_try_run_case+0x170/0x3f0
[ 31.342313] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.342666] kthread+0x328/0x630
[ 31.342727] ret_from_fork+0x10/0x20
[ 31.342767]
[ 31.342790] The buggy address belongs to the object at fff00000c9ae3500
[ 31.342790] which belongs to the cache kmalloc-128 of size 128
[ 31.343014] The buggy address is located 0 bytes inside of
[ 31.343014] freed 128-byte region [fff00000c9ae3500, fff00000c9ae3580)
[ 31.343096]
[ 31.343116] The buggy address belongs to the physical page:
[ 31.343158] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109ae3
[ 31.343332] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.343394] page_type: f5(slab)
[ 31.343436] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 31.343509] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 31.343552] page dumped because: kasan: bad access detected
[ 31.343584]
[ 31.343613] Memory state around the buggy address:
[ 31.343656] fff00000c9ae3400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.343699] fff00000c9ae3480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.343750] >fff00000c9ae3500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.343787] ^
[ 31.343825] fff00000c9ae3580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.344342] fff00000c9ae3600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.344498] ==================================================================
[ 31.359479] ==================================================================
[ 31.359531] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 31.359579] Read of size 1 at addr fff00000c9ae3578 by task kunit_try_catch/228
[ 31.359653]
[ 31.359692] CPU: 0 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 31.359780] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.359817] Hardware name: linux,dummy-virt (DT)
[ 31.360302] Call trace:
[ 31.360351] show_stack+0x20/0x38 (C)
[ 31.360633] dump_stack_lvl+0x8c/0xd0
[ 31.361032] print_report+0x118/0x608
[ 31.361253] kasan_report+0xdc/0x128
[ 31.361341] __asan_report_load1_noabort+0x20/0x30
[ 31.361524] ksize_uaf+0x544/0x5f8
[ 31.361855] kunit_try_run_case+0x170/0x3f0
[ 31.361979] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.362156] kthread+0x328/0x630
[ 31.362376] ret_from_fork+0x10/0x20
[ 31.362687]
[ 31.362860] Allocated by task 228:
[ 31.362936] kasan_save_stack+0x3c/0x68
[ 31.363111] kasan_save_track+0x20/0x40
[ 31.363303] kasan_save_alloc_info+0x40/0x58
[ 31.363378] __kasan_kmalloc+0xd4/0xd8
[ 31.363609] __kmalloc_cache_noprof+0x16c/0x3c0
[ 31.364037] ksize_uaf+0xb8/0x5f8
[ 31.364094] kunit_try_run_case+0x170/0x3f0
[ 31.364495] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.364682] kthread+0x328/0x630
[ 31.364870] ret_from_fork+0x10/0x20
[ 31.364975]
[ 31.365000] Freed by task 228:
[ 31.365037] kasan_save_stack+0x3c/0x68
[ 31.365079] kasan_save_track+0x20/0x40
[ 31.365118] kasan_save_free_info+0x4c/0x78
[ 31.365435] __kasan_slab_free+0x6c/0x98
[ 31.365629] kfree+0x214/0x3c8
[ 31.365719] ksize_uaf+0x11c/0x5f8
[ 31.365986] kunit_try_run_case+0x170/0x3f0
[ 31.366051] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.366314] kthread+0x328/0x630
[ 31.366569] ret_from_fork+0x10/0x20
[ 31.366675]
[ 31.366867] The buggy address belongs to the object at fff00000c9ae3500
[ 31.366867] which belongs to the cache kmalloc-128 of size 128
[ 31.367130] The buggy address is located 120 bytes inside of
[ 31.367130] freed 128-byte region [fff00000c9ae3500, fff00000c9ae3580)
[ 31.367607]
[ 31.367706] The buggy address belongs to the physical page:
[ 31.367907] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109ae3
[ 31.367985] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.368222] page_type: f5(slab)
[ 31.368431] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 31.368507] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 31.368829] page dumped because: kasan: bad access detected
[ 31.368881]
[ 31.368925] Memory state around the buggy address:
[ 31.369030] fff00000c9ae3400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.369455] fff00000c9ae3480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.369708] >fff00000c9ae3500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.369883] ^
[ 31.369983] fff00000c9ae3580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.370186] fff00000c9ae3600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.370414] ==================================================================
[ 31.349133] ==================================================================
[ 31.349192] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 31.349246] Read of size 1 at addr fff00000c9ae3500 by task kunit_try_catch/228
[ 31.349775]
[ 31.349993] CPU: 0 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 31.350239] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.350632] Hardware name: linux,dummy-virt (DT)
[ 31.350690] Call trace:
[ 31.350715] show_stack+0x20/0x38 (C)
[ 31.350880] dump_stack_lvl+0x8c/0xd0
[ 31.350937] print_report+0x118/0x608
[ 31.351155] kasan_report+0xdc/0x128
[ 31.351459] __asan_report_load1_noabort+0x20/0x30
[ 31.351565] ksize_uaf+0x598/0x5f8
[ 31.351617] kunit_try_run_case+0x170/0x3f0
[ 31.351738] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.351961] kthread+0x328/0x630
[ 31.352070] ret_from_fork+0x10/0x20
[ 31.352220]
[ 31.352246] Allocated by task 228:
[ 31.352306] kasan_save_stack+0x3c/0x68
[ 31.352676] kasan_save_track+0x20/0x40
[ 31.352936] kasan_save_alloc_info+0x40/0x58
[ 31.353189] __kasan_kmalloc+0xd4/0xd8
[ 31.353314] __kmalloc_cache_noprof+0x16c/0x3c0
[ 31.353470] ksize_uaf+0xb8/0x5f8
[ 31.353574] kunit_try_run_case+0x170/0x3f0
[ 31.353733] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.353868] kthread+0x328/0x630
[ 31.354305] ret_from_fork+0x10/0x20
[ 31.354377]
[ 31.354616] Freed by task 228:
[ 31.354830] kasan_save_stack+0x3c/0x68
[ 31.354918] kasan_save_track+0x20/0x40
[ 31.355135] kasan_save_free_info+0x4c/0x78
[ 31.355289] __kasan_slab_free+0x6c/0x98
[ 31.355386] kfree+0x214/0x3c8
[ 31.355786] ksize_uaf+0x11c/0x5f8
[ 31.355861] kunit_try_run_case+0x170/0x3f0
[ 31.356024] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.356209] kthread+0x328/0x630
[ 31.356269] ret_from_fork+0x10/0x20
[ 31.356334]
[ 31.356687] The buggy address belongs to the object at fff00000c9ae3500
[ 31.356687] which belongs to the cache kmalloc-128 of size 128
[ 31.356942] The buggy address is located 0 bytes inside of
[ 31.356942] freed 128-byte region [fff00000c9ae3500, fff00000c9ae3580)
[ 31.357130]
[ 31.357231] The buggy address belongs to the physical page:
[ 31.357597] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109ae3
[ 31.357903] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.358051] page_type: f5(slab)
[ 31.358323] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 31.358395] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 31.358437] page dumped because: kasan: bad access detected
[ 31.358467]
[ 31.358485] Memory state around the buggy address:
[ 31.358518] fff00000c9ae3400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.358600] fff00000c9ae3480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.358653] >fff00000c9ae3500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.358695] ^
[ 31.358750] fff00000c9ae3580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.358792] fff00000c9ae3600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.358831] ==================================================================
qemu-x86_64
[ 23.648523] ==================================================================
[ 23.648829] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 23.649105] Read of size 1 at addr ffff888105540100 by task kunit_try_catch/245
[ 23.650262]
[ 23.650448] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary)
[ 23.650570] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.650583] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.650604] Call Trace:
[ 23.650622] <TASK>
[ 23.650638] dump_stack_lvl+0x73/0xb0
[ 23.650668] print_report+0xd1/0x650
[ 23.650689] ? __virt_addr_valid+0x1db/0x2d0
[ 23.650712] ? ksize_uaf+0x5fe/0x6c0
[ 23.650731] ? kasan_complete_mode_report_info+0x64/0x200
[ 23.650756] ? ksize_uaf+0x5fe/0x6c0
[ 23.650775] kasan_report+0x141/0x180
[ 23.650796] ? ksize_uaf+0x5fe/0x6c0
[ 23.650820] __asan_report_load1_noabort+0x18/0x20
[ 23.650843] ksize_uaf+0x5fe/0x6c0
[ 23.650862] ? __pfx_ksize_uaf+0x10/0x10
[ 23.650882] ? __schedule+0x10cc/0x2b60
[ 23.650907] ? __pfx_read_tsc+0x10/0x10
[ 23.650928] ? ktime_get_ts64+0x86/0x230
[ 23.650952] kunit_try_run_case+0x1a5/0x480
[ 23.650978] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.651000] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 23.651021] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.651045] ? __kthread_parkme+0x82/0x180
[ 23.651065] ? preempt_count_sub+0x50/0x80
[ 23.651088] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.651111] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.651134] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.651230] kthread+0x337/0x6f0
[ 23.651252] ? trace_preempt_on+0x20/0xc0
[ 23.651275] ? __pfx_kthread+0x10/0x10
[ 23.651295] ? _raw_spin_unlock_irq+0x47/0x80
[ 23.651318] ? calculate_sigpending+0x7b/0xa0
[ 23.651341] ? __pfx_kthread+0x10/0x10
[ 23.651363] ret_from_fork+0x116/0x1d0
[ 23.651381] ? __pfx_kthread+0x10/0x10
[ 23.651401] ret_from_fork_asm+0x1a/0x30
[ 23.651431] </TASK>
[ 23.651442]
[ 23.659965] Allocated by task 245:
[ 23.660094] kasan_save_stack+0x45/0x70
[ 23.660523] kasan_save_track+0x18/0x40
[ 23.660672] kasan_save_alloc_info+0x3b/0x50
[ 23.660874] __kasan_kmalloc+0xb7/0xc0
[ 23.661224] __kmalloc_cache_noprof+0x189/0x420
[ 23.661399] ksize_uaf+0xaa/0x6c0
[ 23.661581] kunit_try_run_case+0x1a5/0x480
[ 23.661755] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.661979] kthread+0x337/0x6f0
[ 23.662132] ret_from_fork+0x116/0x1d0
[ 23.662279] ret_from_fork_asm+0x1a/0x30
[ 23.662781]
[ 23.662861] Freed by task 245:
[ 23.662984] kasan_save_stack+0x45/0x70
[ 23.663333] kasan_save_track+0x18/0x40
[ 23.663544] kasan_save_free_info+0x3f/0x60
[ 23.663845] __kasan_slab_free+0x56/0x70
[ 23.663984] kfree+0x222/0x3f0
[ 23.664202] ksize_uaf+0x12c/0x6c0
[ 23.664429] kunit_try_run_case+0x1a5/0x480
[ 23.664713] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.664913] kthread+0x337/0x6f0
[ 23.665072] ret_from_fork+0x116/0x1d0
[ 23.665239] ret_from_fork_asm+0x1a/0x30
[ 23.665660]
[ 23.665757] The buggy address belongs to the object at ffff888105540100
[ 23.665757] which belongs to the cache kmalloc-128 of size 128
[ 23.666295] The buggy address is located 0 bytes inside of
[ 23.666295] freed 128-byte region [ffff888105540100, ffff888105540180)
[ 23.666907]
[ 23.667004] The buggy address belongs to the physical page:
[ 23.667331] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105540
[ 23.667661] flags: 0x200000000000000(node=0|zone=2)
[ 23.667860] page_type: f5(slab)
[ 23.668005] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 23.668599] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.668866] page dumped because: kasan: bad access detected
[ 23.669214]
[ 23.669357] Memory state around the buggy address:
[ 23.669544] ffff888105540000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.669981] ffff888105540080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.670404] >ffff888105540100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.670770] ^
[ 23.670981] ffff888105540180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.671311] ffff888105540200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.671776] ==================================================================
[ 23.620053] ==================================================================
[ 23.620554] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 23.620765] Read of size 1 at addr ffff888105540100 by task kunit_try_catch/245
[ 23.620980]
[ 23.621059] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary)
[ 23.621107] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.621119] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.621140] Call Trace:
[ 23.621152] <TASK>
[ 23.621169] dump_stack_lvl+0x73/0xb0
[ 23.621224] print_report+0xd1/0x650
[ 23.621245] ? __virt_addr_valid+0x1db/0x2d0
[ 23.621267] ? ksize_uaf+0x19d/0x6c0
[ 23.621286] ? kasan_complete_mode_report_info+0x64/0x200
[ 23.621338] ? ksize_uaf+0x19d/0x6c0
[ 23.621359] kasan_report+0x141/0x180
[ 23.621379] ? ksize_uaf+0x19d/0x6c0
[ 23.621402] ? ksize_uaf+0x19d/0x6c0
[ 23.621421] __kasan_check_byte+0x3d/0x50
[ 23.621442] ksize+0x20/0x60
[ 23.621474] ksize_uaf+0x19d/0x6c0
[ 23.621494] ? __pfx_ksize_uaf+0x10/0x10
[ 23.621514] ? __schedule+0x10cc/0x2b60
[ 23.621539] ? __pfx_read_tsc+0x10/0x10
[ 23.621559] ? ktime_get_ts64+0x86/0x230
[ 23.621582] kunit_try_run_case+0x1a5/0x480
[ 23.621608] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.621631] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 23.621651] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.621676] ? __kthread_parkme+0x82/0x180
[ 23.621695] ? preempt_count_sub+0x50/0x80
[ 23.621718] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.621742] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.621764] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.621788] kthread+0x337/0x6f0
[ 23.621807] ? trace_preempt_on+0x20/0xc0
[ 23.621828] ? __pfx_kthread+0x10/0x10
[ 23.621853] ? _raw_spin_unlock_irq+0x47/0x80
[ 23.621875] ? calculate_sigpending+0x7b/0xa0
[ 23.621899] ? __pfx_kthread+0x10/0x10
[ 23.621920] ret_from_fork+0x116/0x1d0
[ 23.621938] ? __pfx_kthread+0x10/0x10
[ 23.621958] ret_from_fork_asm+0x1a/0x30
[ 23.621989] </TASK>
[ 23.622001]
[ 23.633061] Allocated by task 245:
[ 23.633210] kasan_save_stack+0x45/0x70
[ 23.633559] kasan_save_track+0x18/0x40
[ 23.633892] kasan_save_alloc_info+0x3b/0x50
[ 23.634277] __kasan_kmalloc+0xb7/0xc0
[ 23.634635] __kmalloc_cache_noprof+0x189/0x420
[ 23.635034] ksize_uaf+0xaa/0x6c0
[ 23.635356] kunit_try_run_case+0x1a5/0x480
[ 23.635741] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.636234] kthread+0x337/0x6f0
[ 23.636536] ret_from_fork+0x116/0x1d0
[ 23.636871] ret_from_fork_asm+0x1a/0x30
[ 23.637241]
[ 23.637390] Freed by task 245:
[ 23.637663] kasan_save_stack+0x45/0x70
[ 23.638017] kasan_save_track+0x18/0x40
[ 23.638317] kasan_save_free_info+0x3f/0x60
[ 23.638465] __kasan_slab_free+0x56/0x70
[ 23.638593] kfree+0x222/0x3f0
[ 23.638701] ksize_uaf+0x12c/0x6c0
[ 23.638817] kunit_try_run_case+0x1a5/0x480
[ 23.638954] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.639119] kthread+0x337/0x6f0
[ 23.639361] ret_from_fork+0x116/0x1d0
[ 23.639688] ret_from_fork_asm+0x1a/0x30
[ 23.640025]
[ 23.640173] The buggy address belongs to the object at ffff888105540100
[ 23.640173] which belongs to the cache kmalloc-128 of size 128
[ 23.641231] The buggy address is located 0 bytes inside of
[ 23.641231] freed 128-byte region [ffff888105540100, ffff888105540180)
[ 23.642231]
[ 23.642400] The buggy address belongs to the physical page:
[ 23.642873] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105540
[ 23.643747] flags: 0x200000000000000(node=0|zone=2)
[ 23.644232] page_type: f5(slab)
[ 23.644535] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 23.644825] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.645052] page dumped because: kasan: bad access detected
[ 23.645225]
[ 23.645288] Memory state around the buggy address:
[ 23.645512] ffff888105540000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.645816] ffff888105540080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.646114] >ffff888105540100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.646399] ^
[ 23.646780] ffff888105540180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.647079] ffff888105540200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.647708] ==================================================================
[ 23.672400] ==================================================================
[ 23.672712] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 23.672973] Read of size 1 at addr ffff888105540178 by task kunit_try_catch/245
[ 23.673632]
[ 23.673721] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary)
[ 23.673767] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.673779] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.673799] Call Trace:
[ 23.673812] <TASK>
[ 23.673827] dump_stack_lvl+0x73/0xb0
[ 23.673867] print_report+0xd1/0x650
[ 23.673888] ? __virt_addr_valid+0x1db/0x2d0
[ 23.674061] ? ksize_uaf+0x5e4/0x6c0
[ 23.674084] ? kasan_complete_mode_report_info+0x64/0x200
[ 23.674109] ? ksize_uaf+0x5e4/0x6c0
[ 23.674131] kasan_report+0x141/0x180
[ 23.674153] ? ksize_uaf+0x5e4/0x6c0
[ 23.674178] __asan_report_load1_noabort+0x18/0x20
[ 23.674201] ksize_uaf+0x5e4/0x6c0
[ 23.674221] ? __pfx_ksize_uaf+0x10/0x10
[ 23.674241] ? __schedule+0x10cc/0x2b60
[ 23.674266] ? __pfx_read_tsc+0x10/0x10
[ 23.674286] ? ktime_get_ts64+0x86/0x230
[ 23.674309] kunit_try_run_case+0x1a5/0x480
[ 23.674333] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.674356] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 23.674375] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.674400] ? __kthread_parkme+0x82/0x180
[ 23.674420] ? preempt_count_sub+0x50/0x80
[ 23.674443] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.674481] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.674606] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.674630] kthread+0x337/0x6f0
[ 23.674649] ? trace_preempt_on+0x20/0xc0
[ 23.674671] ? __pfx_kthread+0x10/0x10
[ 23.674691] ? _raw_spin_unlock_irq+0x47/0x80
[ 23.674714] ? calculate_sigpending+0x7b/0xa0
[ 23.674738] ? __pfx_kthread+0x10/0x10
[ 23.674759] ret_from_fork+0x116/0x1d0
[ 23.674777] ? __pfx_kthread+0x10/0x10
[ 23.674797] ret_from_fork_asm+0x1a/0x30
[ 23.674827] </TASK>
[ 23.674838]
[ 23.683099] Allocated by task 245:
[ 23.683278] kasan_save_stack+0x45/0x70
[ 23.683837] kasan_save_track+0x18/0x40
[ 23.684016] kasan_save_alloc_info+0x3b/0x50
[ 23.684370] __kasan_kmalloc+0xb7/0xc0
[ 23.684558] __kmalloc_cache_noprof+0x189/0x420
[ 23.684904] ksize_uaf+0xaa/0x6c0
[ 23.685047] kunit_try_run_case+0x1a5/0x480
[ 23.685385] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.685606] kthread+0x337/0x6f0
[ 23.685874] ret_from_fork+0x116/0x1d0
[ 23.686049] ret_from_fork_asm+0x1a/0x30
[ 23.686341]
[ 23.686437] Freed by task 245:
[ 23.686576] kasan_save_stack+0x45/0x70
[ 23.686774] kasan_save_track+0x18/0x40
[ 23.686955] kasan_save_free_info+0x3f/0x60
[ 23.687126] __kasan_slab_free+0x56/0x70
[ 23.687597] kfree+0x222/0x3f0
[ 23.687809] ksize_uaf+0x12c/0x6c0
[ 23.687951] kunit_try_run_case+0x1a5/0x480
[ 23.688156] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.688561] kthread+0x337/0x6f0
[ 23.688734] ret_from_fork+0x116/0x1d0
[ 23.688892] ret_from_fork_asm+0x1a/0x30
[ 23.689194]
[ 23.689340] The buggy address belongs to the object at ffff888105540100
[ 23.689340] which belongs to the cache kmalloc-128 of size 128
[ 23.689831] The buggy address is located 120 bytes inside of
[ 23.689831] freed 128-byte region [ffff888105540100, ffff888105540180)
[ 23.690307]
[ 23.690686] The buggy address belongs to the physical page:
[ 23.690926] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105540
[ 23.691367] flags: 0x200000000000000(node=0|zone=2)
[ 23.691673] page_type: f5(slab)
[ 23.691800] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 23.692127] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.692682] page dumped because: kasan: bad access detected
[ 23.692909]
[ 23.693123] Memory state around the buggy address:
[ 23.693342] ffff888105540000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.693778] ffff888105540080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.694086] >ffff888105540100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.694511] ^
[ 23.694806] ffff888105540180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.695184] ffff888105540200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.695584] ==================================================================
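Each environment above shows the three reports that the KASAN KUnit case ksize_uaf provokes on purpose: a ksize() call on a freed kmalloc-128 object (reported through __kasan_check_byte), then single-byte reads at offset 0 and offset 120 of the freed 128-byte region, all from task kunit_try_catch with the [N]=TEST taint set. What a triager has to work with is the report text, so the following is an added example, not part of this results page and not kernel code, of parsing such reports and cross-checking their own numbers: the access address against the freed region, the "located N bytes inside" offset against address minus object base, and the shadow byte covering the access against the freed markers fa/fb. The regexes target the report layout visible above; SAMPLE_LOG is a constructed excerpt modelled on the qemu-x86_64 report at offset 120 with the stack traces dropped, and generic KASAN's 8-byte granule is assumed.

```python
"""Triage helper for KASAN slab-use-after-free reports (added example, not kernel code).
Splits a dmesg capture into reports, extracts the fields a triager needs and checks
that they agree with each other. Assumes generic KASAN: one shadow byte per 8 bytes."""
import re

TS_RE = re.compile(r"^\s*\[\s*\d+\.\d+\]\s?")  # dmesg "[   23.672712] " prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\w+)\+0x(?P<off>[0-9a-f]+)/")
ACCESS_RE = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<task>\S+)/(?P<pid>\d+)")
OBJECT_RE = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
INSIDE_RE = re.compile(r"located (?P<off>\d+) bytes inside of")
REGION_RE = re.compile(r"(?:(?P<state>freed|allocated) )?(?P<len>\d+)-byte region"
                       r" \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
SHADOW_RE = re.compile(r"^>?\s*(?P<base>[0-9a-f]+): (?P<row>[0-9a-f]{2}(?: [0-9a-f]{2}){15})$")
GRANULE = 8  # bytes of memory covered by one shadow byte (generic KASAN)
FREED = ("fa", "fb")  # KASAN_SLAB_FREETRACK / KASAN_SLAB_FREE; "fc" is the slab redzone

# Constructed excerpt modelled on the qemu-x86_64 ksize_uaf report above
# (stack traces dropped); sample input for this example only.
SAMPLE_LOG = """\
[   23.672400] ==================================================================
[   23.672712] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   23.672973] Read of size 1 at addr ffff888105540178 by task kunit_try_catch/245
[   23.673767] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.689340] The buggy address belongs to the object at ffff888105540100
[   23.689340]  which belongs to the cache kmalloc-128 of size 128
[   23.689831] The buggy address is located 120 bytes inside of
[   23.689831]  freed 128-byte region [ffff888105540100, ffff888105540180)
[   23.694086] >ffff888105540100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.694806]  ffff888105540180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.695584] ==================================================================
"""

def split_reports(log):
    """Return each report's text: the lines between a pair of '====' separators."""
    reports, cur = [], None
    for raw in log.splitlines():
        if set(TS_RE.sub("", raw).strip()) == {"="}:  # separator line
            if cur is not None:
                reports.append("\n".join(cur))
            cur = [] if cur is None else None
        elif cur is not None:
            cur.append(raw)
    return reports

def parse_report(text):
    """Extract the triage-relevant fields of one KASAN report into a dict."""
    lines = [TS_RE.sub("", raw).rstrip() for raw in text.splitlines()]
    body = "\n".join(lines)
    found = {k: r.search(body) for k, r in [("bug", BUG_RE), ("acc", ACCESS_RE),
             ("obj", OBJECT_RE), ("cache", CACHE_RE), ("inside", INSIDE_RE), ("reg", REGION_RE)]}
    missing = [k for k, m in found.items() if m is None]
    if missing:
        raise ValueError(f"report is missing lines for: {missing}")
    bug, acc, reg, cache = found["bug"], found["acc"], found["reg"], found["cache"]
    rep = {"bug": bug["bug"], "func": bug["func"], "func_off": int(bug["off"], 16),
           "kind": acc["kind"], "size": int(acc["size"]), "addr": int(acc["addr"], 16),
           "task": acc["task"], "pid": int(acc["pid"]), "object": int(found["obj"]["obj"], 16),
           "cache": cache["cache"], "cache_size": int(cache["size"]),
           "offset_in_object": int(found["inside"]["off"]),
           "region_state": reg["state"], "region_len": int(reg["len"]),
           "region_start": int(reg["start"], 16), "region_end": int(reg["end"], 16),
           "test_taint": "[N]=TEST" in body, "shadow": {}}
    for ln in lines:  # rows of "Memory state around the buggy address"
        if m := SHADOW_RE.match(ln):
            rep["shadow"][int(m["base"], 16)] = m["row"].split()
    return rep

def shadow_byte(rep, addr):
    """Shadow byte ('xx') covering addr, or None if that row was not in the dump."""
    for base, row in rep["shadow"].items():
        if base <= addr < base + GRANULE * len(row):
            return row[(addr - base) // GRANULE]
    return None

def check_report(rep):
    """Cross-check the report's own numbers; an empty list means it is self-consistent."""
    findings = []
    addr, start, end = rep["addr"], rep["region_start"], rep["region_end"]
    if not start <= addr < end:
        findings.append("access address lies outside the reported region")
    if addr - rep["object"] != rep["offset_in_object"]:
        findings.append("'N bytes inside' offset disagrees with addr - object")
    if end - start != rep["region_len"] or rep["region_len"] != rep["cache_size"]:
        findings.append("region length disagrees with the cache object size")
    if rep["bug"] == "slab-use-after-free" and shadow_byte(rep, addr) not in FREED:
        findings.append("shadow byte at the access is not a freed marker (fa/fb)")
    return findings

def classify(rep):
    # KUnit-injected failures run in task kunit_try_catch with the [N]=TEST taint set.
    if rep["task"] == "kunit_try_catch" and rep["test_taint"]:
        return "likely injected by a KUnit test case; confirm the case name in the test log"
    return "unexpected use-after-free; start from the allocation and free stacks"

if __name__ == "__main__":
    for r in map(parse_report, split_reports(SAMPLE_LOG)):
        print(r["bug"], "in", r["func"], "at", r["cache"], f"object+{r['offset_in_object']},",
              "shadow", shadow_byte(r, r["addr"]), "|", check_report(r) or "consistent", "|", classify(r))
```

Running it over a full dmesg capture, split_reports yields one chunk per report (three per environment for the logs above), and check_report flags any report whose address, offset, region and shadow-byte fields disagree with each other, which is the first thing to rule out before treating a use-after-free outside a KUnit task as real.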