Date
July 4, 2025, 11:10 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 29.729604] ================================================================== [ 29.729693] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 29.729849] Read of size 1 at addr fff00000c9b7a000 by task kunit_try_catch/229 [ 29.729965] [ 29.729997] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250704 #1 PREEMPT [ 29.730206] Tainted: [B]=BAD_PAGE, [N]=TEST [ 29.730237] Hardware name: linux,dummy-virt (DT) [ 29.730267] Call trace: [ 29.730291] show_stack+0x20/0x38 (C) [ 29.730391] dump_stack_lvl+0x8c/0xd0 [ 29.730507] print_report+0x118/0x608 [ 29.730653] kasan_report+0xdc/0x128 [ 29.730723] __kasan_check_byte+0x54/0x70 [ 29.730805] ksize+0x30/0x88 [ 29.730920] ksize_uaf+0x168/0x5f8 [ 29.731068] kunit_try_run_case+0x170/0x3f0 [ 29.731189] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.731283] kthread+0x328/0x630 [ 29.731491] ret_from_fork+0x10/0x20 [ 29.731689] [ 29.731747] Allocated by task 229: [ 29.731893] kasan_save_stack+0x3c/0x68 [ 29.732069] kasan_save_track+0x20/0x40 [ 29.732147] kasan_save_alloc_info+0x40/0x58 [ 29.732210] __kasan_kmalloc+0xd4/0xd8 [ 29.732258] __kmalloc_cache_noprof+0x16c/0x3c0 [ 29.732301] ksize_uaf+0xb8/0x5f8 [ 29.732335] kunit_try_run_case+0x170/0x3f0 [ 29.732375] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.732628] kthread+0x328/0x630 [ 29.732737] ret_from_fork+0x10/0x20 [ 29.732809] [ 29.732884] Freed by task 229: [ 29.732977] kasan_save_stack+0x3c/0x68 [ 29.733064] kasan_save_track+0x20/0x40 [ 29.733212] kasan_save_free_info+0x4c/0x78 [ 29.733319] __kasan_slab_free+0x6c/0x98 [ 29.733560] kfree+0x214/0x3c8 [ 29.733680] ksize_uaf+0x11c/0x5f8 [ 29.733953] kunit_try_run_case+0x170/0x3f0 [ 29.734097] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.734196] kthread+0x328/0x630 [ 29.734312] ret_from_fork+0x10/0x20 [ 29.734433] [ 29.734479] The buggy address belongs to the object at fff00000c9b7a000 [ 29.734479] which belongs to the cache kmalloc-128 of size 128 [ 29.734540] The buggy address is located 0 bytes inside of [ 29.734540] freed 128-byte region [fff00000c9b7a000, fff00000c9b7a080) [ 29.734602] [ 29.734840] The buggy address belongs to the physical page: [ 29.734956] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b7a [ 29.735052] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 29.735102] page_type: f5(slab) [ 29.735141] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 29.735192] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 29.735366] page dumped because: kasan: bad access detected [ 29.735426] [ 29.735504] Memory state around the buggy address: [ 29.735640] fff00000c9b79f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.735745] fff00000c9b79f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.735984] >fff00000c9b7a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.736044] ^ [ 29.736074] fff00000c9b7a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.736308] fff00000c9b7a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.736461] ================================================================== [ 29.749197] ================================================================== [ 29.749251] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 29.749302] Read of size 1 at addr fff00000c9b7a078 by task kunit_try_catch/229 [ 29.749362] [ 29.749392] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250704 #1 PREEMPT [ 29.749488] Tainted: [B]=BAD_PAGE, [N]=TEST [ 29.749515] Hardware name: linux,dummy-virt (DT) [ 29.749546] Call trace: [ 29.749569] show_stack+0x20/0x38 (C) [ 29.749616] dump_stack_lvl+0x8c/0xd0 [ 29.749663] print_report+0x118/0x608 [ 29.749951] kasan_report+0xdc/0x128 [ 29.750197] __asan_report_load1_noabort+0x20/0x30 [ 29.750258] ksize_uaf+0x544/0x5f8 [ 29.750842] kunit_try_run_case+0x170/0x3f0 [ 29.751048] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.751183] kthread+0x328/0x630 [ 29.751273] ret_from_fork+0x10/0x20 [ 29.751723] [ 29.751771] Allocated by task 229: [ 29.751837] kasan_save_stack+0x3c/0x68 [ 29.751951] kasan_save_track+0x20/0x40 [ 29.752057] kasan_save_alloc_info+0x40/0x58 [ 29.752203] __kasan_kmalloc+0xd4/0xd8 [ 29.752294] __kmalloc_cache_noprof+0x16c/0x3c0 [ 29.752352] ksize_uaf+0xb8/0x5f8 [ 29.752705] kunit_try_run_case+0x170/0x3f0 [ 29.752778] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.752948] kthread+0x328/0x630 [ 29.753055] ret_from_fork+0x10/0x20 [ 29.753223] [ 29.753275] Freed by task 229: [ 29.753305] kasan_save_stack+0x3c/0x68 [ 29.753748] kasan_save_track+0x20/0x40 [ 29.753828] kasan_save_free_info+0x4c/0x78 [ 29.754455] __kasan_slab_free+0x6c/0x98 [ 29.754586] kfree+0x214/0x3c8 [ 29.754650] ksize_uaf+0x11c/0x5f8 [ 29.754728] kunit_try_run_case+0x170/0x3f0 [ 29.754802] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.754974] kthread+0x328/0x630 [ 29.755248] ret_from_fork+0x10/0x20 [ 29.755527] [ 29.755568] The buggy address belongs to the object at fff00000c9b7a000 [ 29.755568] which belongs to the cache kmalloc-128 of size 128 [ 29.755880] The buggy address is located 120 bytes inside of [ 29.755880] freed 128-byte region [fff00000c9b7a000, fff00000c9b7a080) [ 29.756081] [ 29.756160] The buggy address belongs to the physical page: [ 29.756393] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b7a [ 29.756451] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 29.756648] page_type: f5(slab) [ 29.757129] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 29.757222] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 29.757359] page dumped because: kasan: bad access detected [ 29.757504] [ 29.757623] Memory state around the buggy address: [ 29.757923] fff00000c9b79f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.758051] fff00000c9b79f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.758418] >fff00000c9b7a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.758521] ^ [ 29.758567] fff00000c9b7a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.758645] fff00000c9b7a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.758733] ================================================================== [ 29.737841] ================================================================== [ 29.737895] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 29.737960] Read of size 1 at addr fff00000c9b7a000 by task kunit_try_catch/229 [ 29.738205] [ 29.738560] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250704 #1 PREEMPT [ 29.738698] Tainted: [B]=BAD_PAGE, [N]=TEST [ 29.738755] Hardware name: linux,dummy-virt (DT) [ 29.738942] Call trace: [ 29.739092] show_stack+0x20/0x38 (C) [ 29.739208] dump_stack_lvl+0x8c/0xd0 [ 29.739552] print_report+0x118/0x608 [ 29.739637] kasan_report+0xdc/0x128 [ 29.739720] __asan_report_load1_noabort+0x20/0x30 [ 29.739785] ksize_uaf+0x598/0x5f8 [ 29.740071] kunit_try_run_case+0x170/0x3f0 [ 29.740199] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.740410] kthread+0x328/0x630 [ 29.740497] ret_from_fork+0x10/0x20 [ 29.740729] [ 29.740796] Allocated by task 229: [ 29.740828] kasan_save_stack+0x3c/0x68 [ 29.741166] kasan_save_track+0x20/0x40 [ 29.741250] kasan_save_alloc_info+0x40/0x58 [ 29.741358] __kasan_kmalloc+0xd4/0xd8 [ 29.741468] __kmalloc_cache_noprof+0x16c/0x3c0 [ 29.741568] ksize_uaf+0xb8/0x5f8 [ 29.742151] kunit_try_run_case+0x170/0x3f0 [ 29.742229] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.742422] kthread+0x328/0x630 [ 29.742581] ret_from_fork+0x10/0x20 [ 29.742701] [ 29.742782] Freed by task 229: [ 29.742978] kasan_save_stack+0x3c/0x68 [ 29.743212] kasan_save_track+0x20/0x40 [ 29.743318] kasan_save_free_info+0x4c/0x78 [ 29.743461] __kasan_slab_free+0x6c/0x98 [ 29.743596] kfree+0x214/0x3c8 [ 29.743674] ksize_uaf+0x11c/0x5f8 [ 29.743767] kunit_try_run_case+0x170/0x3f0 [ 29.743953] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.744031] kthread+0x328/0x630 [ 29.744065] ret_from_fork+0x10/0x20 [ 29.744240] [ 29.744418] The buggy address belongs to the object at fff00000c9b7a000 [ 29.744418] which belongs to the cache kmalloc-128 of size 128 [ 29.744598] The buggy address is located 0 bytes inside of [ 29.744598] freed 128-byte region [fff00000c9b7a000, fff00000c9b7a080) [ 29.744781] [ 29.744883] The buggy address belongs to the physical page: [ 29.745044] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b7a [ 29.745143] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 29.745376] page_type: f5(slab) [ 29.745446] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 29.745627] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 29.745757] page dumped because: kasan: bad access detected [ 29.745940] [ 29.746089] Memory state around the buggy address: [ 29.746123] fff00000c9b79f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.746166] fff00000c9b79f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.746521] >fff00000c9b7a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.746585] ^ [ 29.746625] fff00000c9b7a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.746723] fff00000c9b7a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.746765] ==================================================================
[ 25.419485] ================================================================== [ 25.419981] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 25.420542] Read of size 1 at addr ffff888103d62f00 by task kunit_try_catch/245 [ 25.420832] [ 25.420942] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250704 #1 PREEMPT(voluntary) [ 25.421013] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.421026] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.421051] Call Trace: [ 25.421065] <TASK> [ 25.421086] dump_stack_lvl+0x73/0xb0 [ 25.421118] print_report+0xd1/0x650 [ 25.421142] ? __virt_addr_valid+0x1db/0x2d0 [ 25.421188] ? ksize_uaf+0x19d/0x6c0 [ 25.421210] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.421237] ? ksize_uaf+0x19d/0x6c0 [ 25.421259] kasan_report+0x141/0x180 [ 25.421282] ? ksize_uaf+0x19d/0x6c0 [ 25.421306] ? ksize_uaf+0x19d/0x6c0 [ 25.421328] __kasan_check_byte+0x3d/0x50 [ 25.421351] ksize+0x20/0x60 [ 25.421376] ksize_uaf+0x19d/0x6c0 [ 25.421413] ? __pfx_ksize_uaf+0x10/0x10 [ 25.421436] ? __schedule+0x10cc/0x2b60 [ 25.421462] ? __pfx_read_tsc+0x10/0x10 [ 25.421486] ? ktime_get_ts64+0x86/0x230 [ 25.421512] kunit_try_run_case+0x1a5/0x480 [ 25.421541] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.421565] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 25.421591] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.421616] ? __kthread_parkme+0x82/0x180 [ 25.421638] ? preempt_count_sub+0x50/0x80 [ 25.421663] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.421689] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.421715] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.421740] kthread+0x337/0x6f0 [ 25.421761] ? trace_preempt_on+0x20/0xc0 [ 25.421788] ? __pfx_kthread+0x10/0x10 [ 25.421810] ? _raw_spin_unlock_irq+0x47/0x80 [ 25.421834] ? calculate_sigpending+0x7b/0xa0 [ 25.421860] ? __pfx_kthread+0x10/0x10 [ 25.421900] ret_from_fork+0x116/0x1d0 [ 25.421920] ? __pfx_kthread+0x10/0x10 [ 25.421942] ret_from_fork_asm+0x1a/0x30 [ 25.421976] </TASK> [ 25.421990] [ 25.435051] Allocated by task 245: [ 25.435591] kasan_save_stack+0x45/0x70 [ 25.435771] kasan_save_track+0x18/0x40 [ 25.435938] kasan_save_alloc_info+0x3b/0x50 [ 25.436386] __kasan_kmalloc+0xb7/0xc0 [ 25.436872] __kmalloc_cache_noprof+0x189/0x420 [ 25.437367] ksize_uaf+0xaa/0x6c0 [ 25.437790] kunit_try_run_case+0x1a5/0x480 [ 25.438317] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.438805] kthread+0x337/0x6f0 [ 25.438954] ret_from_fork+0x116/0x1d0 [ 25.439096] ret_from_fork_asm+0x1a/0x30 [ 25.439265] [ 25.439711] Freed by task 245: [ 25.440028] kasan_save_stack+0x45/0x70 [ 25.440514] kasan_save_track+0x18/0x40 [ 25.441064] kasan_save_free_info+0x3f/0x60 [ 25.441964] __kasan_slab_free+0x56/0x70 [ 25.442410] kfree+0x222/0x3f0 [ 25.442781] ksize_uaf+0x12c/0x6c0 [ 25.442939] kunit_try_run_case+0x1a5/0x480 [ 25.443368] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.443952] kthread+0x337/0x6f0 [ 25.444264] ret_from_fork+0x116/0x1d0 [ 25.444589] ret_from_fork_asm+0x1a/0x30 [ 25.444735] [ 25.444807] The buggy address belongs to the object at ffff888103d62f00 [ 25.444807] which belongs to the cache kmalloc-128 of size 128 [ 25.445865] The buggy address is located 0 bytes inside of [ 25.445865] freed 128-byte region [ffff888103d62f00, ffff888103d62f80) [ 25.447608] [ 25.447793] The buggy address belongs to the physical page: [ 25.448130] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103d62 [ 25.448402] flags: 0x200000000000000(node=0|zone=2) [ 25.448906] page_type: f5(slab) [ 25.449282] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 25.449983] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.450900] page dumped because: kasan: bad access detected [ 25.451605] [ 25.451682] Memory state around the buggy address: [ 25.451845] ffff888103d62e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.452798] ffff888103d62e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.453607] >ffff888103d62f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.454318] ^ [ 25.454648] ffff888103d62f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.454905] ffff888103d63000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.455646] ================================================================== [ 25.456918] ================================================================== [ 25.457584] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 25.457822] Read of size 1 at addr ffff888103d62f00 by task kunit_try_catch/245 [ 25.458495] [ 25.458687] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250704 #1 PREEMPT(voluntary) [ 25.458740] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.458752] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.458776] Call Trace: [ 25.458793] <TASK> [ 25.458813] dump_stack_lvl+0x73/0xb0 [ 25.458844] print_report+0xd1/0x650 [ 25.458867] ? __virt_addr_valid+0x1db/0x2d0 [ 25.458893] ? ksize_uaf+0x5fe/0x6c0 [ 25.458917] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.458944] ? ksize_uaf+0x5fe/0x6c0 [ 25.459216] kasan_report+0x141/0x180 [ 25.459250] ? ksize_uaf+0x5fe/0x6c0 [ 25.459278] __asan_report_load1_noabort+0x18/0x20 [ 25.459304] ksize_uaf+0x5fe/0x6c0 [ 25.459327] ? __pfx_ksize_uaf+0x10/0x10 [ 25.459349] ? __schedule+0x10cc/0x2b60 [ 25.459376] ? __pfx_read_tsc+0x10/0x10 [ 25.459414] ? ktime_get_ts64+0x86/0x230 [ 25.459440] kunit_try_run_case+0x1a5/0x480 [ 25.459467] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.459492] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 25.459517] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.459543] ? __kthread_parkme+0x82/0x180 [ 25.459565] ? preempt_count_sub+0x50/0x80 [ 25.459590] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.459616] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.459642] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.459667] kthread+0x337/0x6f0 [ 25.459688] ? trace_preempt_on+0x20/0xc0 [ 25.459713] ? __pfx_kthread+0x10/0x10 [ 25.459735] ? _raw_spin_unlock_irq+0x47/0x80 [ 25.459758] ? calculate_sigpending+0x7b/0xa0 [ 25.459784] ? __pfx_kthread+0x10/0x10 [ 25.459807] ret_from_fork+0x116/0x1d0 [ 25.459826] ? __pfx_kthread+0x10/0x10 [ 25.459848] ret_from_fork_asm+0x1a/0x30 [ 25.459881] </TASK> [ 25.459894] [ 25.472022] Allocated by task 245: [ 25.472470] kasan_save_stack+0x45/0x70 [ 25.472691] kasan_save_track+0x18/0x40 [ 25.472877] kasan_save_alloc_info+0x3b/0x50 [ 25.473074] __kasan_kmalloc+0xb7/0xc0 [ 25.473267] __kmalloc_cache_noprof+0x189/0x420 [ 25.473495] ksize_uaf+0xaa/0x6c0 [ 25.473660] kunit_try_run_case+0x1a5/0x480 [ 25.473863] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.474102] kthread+0x337/0x6f0 [ 25.474268] ret_from_fork+0x116/0x1d0 [ 25.474555] ret_from_fork_asm+0x1a/0x30 [ 25.474708] [ 25.474777] Freed by task 245: [ 25.474888] kasan_save_stack+0x45/0x70 [ 25.475053] kasan_save_track+0x18/0x40 [ 25.475244] kasan_save_free_info+0x3f/0x60 [ 25.475616] __kasan_slab_free+0x56/0x70 [ 25.476306] kfree+0x222/0x3f0 [ 25.476458] ksize_uaf+0x12c/0x6c0 [ 25.477064] kunit_try_run_case+0x1a5/0x480 [ 25.477496] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.477779] kthread+0x337/0x6f0 [ 25.478028] ret_from_fork+0x116/0x1d0 [ 25.478192] ret_from_fork_asm+0x1a/0x30 [ 25.478739] [ 25.478851] The buggy address belongs to the object at ffff888103d62f00 [ 25.478851] which belongs to the cache kmalloc-128 of size 128 [ 25.479697] The buggy address is located 0 bytes inside of [ 25.479697] freed 128-byte region [ffff888103d62f00, ffff888103d62f80) [ 25.480305] [ 25.480637] The buggy address belongs to the physical page: [ 25.480871] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103d62 [ 25.481182] flags: 0x200000000000000(node=0|zone=2) [ 25.481468] page_type: f5(slab) [ 25.481629] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 25.482470] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.482783] page dumped because: kasan: bad access detected [ 25.483274] [ 25.483366] Memory state around the buggy address: [ 25.483800] ffff888103d62e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.484372] ffff888103d62e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.484785] >ffff888103d62f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.485529] ^ [ 25.485670] ffff888103d62f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.486322] ffff888103d63000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.486754] ================================================================== [ 25.487481] ================================================================== [ 25.488175] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 25.488602] Read of size 1 at addr ffff888103d62f78 by task kunit_try_catch/245 [ 25.489057] [ 25.489183] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250704 #1 PREEMPT(voluntary) [ 25.489237] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.489250] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.489275] Call Trace: [ 25.489298] <TASK> [ 25.489319] dump_stack_lvl+0x73/0xb0 [ 25.489351] print_report+0xd1/0x650 [ 25.489375] ? __virt_addr_valid+0x1db/0x2d0 [ 25.489415] ? ksize_uaf+0x5e4/0x6c0 [ 25.489437] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.489464] ? ksize_uaf+0x5e4/0x6c0 [ 25.489730] kasan_report+0x141/0x180 [ 25.489759] ? ksize_uaf+0x5e4/0x6c0 [ 25.489787] __asan_report_load1_noabort+0x18/0x20 [ 25.489812] ksize_uaf+0x5e4/0x6c0 [ 25.489834] ? __pfx_ksize_uaf+0x10/0x10 [ 25.489859] ? __schedule+0x10cc/0x2b60 [ 25.489885] ? __pfx_read_tsc+0x10/0x10 [ 25.489908] ? ktime_get_ts64+0x86/0x230 [ 25.489935] kunit_try_run_case+0x1a5/0x480 [ 25.489962] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.489987] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 25.490012] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.490038] ? __kthread_parkme+0x82/0x180 [ 25.490060] ? preempt_count_sub+0x50/0x80 [ 25.490085] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.490111] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.490137] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.490179] kthread+0x337/0x6f0 [ 25.490200] ? trace_preempt_on+0x20/0xc0 [ 25.490226] ? __pfx_kthread+0x10/0x10 [ 25.490248] ? _raw_spin_unlock_irq+0x47/0x80 [ 25.490273] ? calculate_sigpending+0x7b/0xa0 [ 25.490299] ? __pfx_kthread+0x10/0x10 [ 25.490322] ret_from_fork+0x116/0x1d0 [ 25.490343] ? __pfx_kthread+0x10/0x10 [ 25.490365] ret_from_fork_asm+0x1a/0x30 [ 25.490411] </TASK> [ 25.490424] [ 25.501646] Allocated by task 245: [ 25.502019] kasan_save_stack+0x45/0x70 [ 25.502201] kasan_save_track+0x18/0x40 [ 25.502606] kasan_save_alloc_info+0x3b/0x50 [ 25.502812] __kasan_kmalloc+0xb7/0xc0 [ 25.503384] __kmalloc_cache_noprof+0x189/0x420 [ 25.503629] ksize_uaf+0xaa/0x6c0 [ 25.503775] kunit_try_run_case+0x1a5/0x480 [ 25.504387] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.504682] kthread+0x337/0x6f0 [ 25.504847] ret_from_fork+0x116/0x1d0 [ 25.505185] ret_from_fork_asm+0x1a/0x30 [ 25.505563] [ 25.505668] Freed by task 245: [ 25.505824] kasan_save_stack+0x45/0x70 [ 25.506021] kasan_save_track+0x18/0x40 [ 25.506255] kasan_save_free_info+0x3f/0x60 [ 25.506456] __kasan_slab_free+0x56/0x70 [ 25.506624] kfree+0x222/0x3f0 [ 25.506796] ksize_uaf+0x12c/0x6c0 [ 25.507033] kunit_try_run_case+0x1a5/0x480 [ 25.507240] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.507608] kthread+0x337/0x6f0 [ 25.507777] ret_from_fork+0x116/0x1d0 [ 25.507984] ret_from_fork_asm+0x1a/0x30 [ 25.508131] [ 25.508272] The buggy address belongs to the object at ffff888103d62f00 [ 25.508272] which belongs to the cache kmalloc-128 of size 128 [ 25.508756] The buggy address is located 120 bytes inside of [ 25.508756] freed 128-byte region [ffff888103d62f00, ffff888103d62f80) [ 25.509581] [ 25.509688] The buggy address belongs to the physical page: [ 25.509988] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103d62 [ 25.510253] flags: 0x200000000000000(node=0|zone=2) [ 25.510685] page_type: f5(slab) [ 25.510894] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 25.511371] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.511668] page dumped because: kasan: bad access detected [ 25.511848] [ 25.511920] Memory state around the buggy address: [ 25.512157] ffff888103d62e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.512511] ffff888103d62e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.512984] >ffff888103d62f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.513344] ^ [ 25.513622] ffff888103d62f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.513882] ffff888103d63000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.514358] ==================================================================