Hay
Date: July 8, 2025, 11:10 a.m.

Environment: qemu-arm64, qemu-x86_64

[   31.367364] ==================================================================
[   31.367423] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   31.367471] Read of size 1 at addr fff00000c9a9c800 by task kunit_try_catch/227
[   31.367519] 
[   31.367572] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250708 #1 PREEMPT 
[   31.367667] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.367694] Hardware name: linux,dummy-virt (DT)
[   31.367755] Call trace:
[   31.367797]  show_stack+0x20/0x38 (C)
[   31.367844]  dump_stack_lvl+0x8c/0xd0
[   31.367907]  print_report+0x118/0x5d0
[   31.367954]  kasan_report+0xdc/0x128
[   31.368001]  __kasan_check_byte+0x54/0x70
[   31.368049]  ksize+0x30/0x88
[   31.368143]  ksize_uaf+0x168/0x5f8
[   31.368187]  kunit_try_run_case+0x170/0x3f0
[   31.368269]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.368333]  kthread+0x328/0x630
[   31.368383]  ret_from_fork+0x10/0x20
[   31.368430] 
[   31.368447] Allocated by task 227:
[   31.368483]  kasan_save_stack+0x3c/0x68
[   31.368534]  kasan_save_track+0x20/0x40
[   31.368600]  kasan_save_alloc_info+0x40/0x58
[   31.368673]  __kasan_kmalloc+0xd4/0xd8
[   31.368713]  __kmalloc_cache_noprof+0x16c/0x3c0
[   31.368780]  ksize_uaf+0xb8/0x5f8
[   31.368817]  kunit_try_run_case+0x170/0x3f0
[   31.369019]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.369071]  kthread+0x328/0x630
[   31.369115]  ret_from_fork+0x10/0x20
[   31.369151] 
[   31.369171] Freed by task 227:
[   31.369196]  kasan_save_stack+0x3c/0x68
[   31.369248]  kasan_save_track+0x20/0x40
[   31.369353]  kasan_save_free_info+0x4c/0x78
[   31.369436]  __kasan_slab_free+0x6c/0x98
[   31.369550]  kfree+0x214/0x3c8
[   31.369610]  ksize_uaf+0x11c/0x5f8
[   31.369669]  kunit_try_run_case+0x170/0x3f0
[   31.369762]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.369842]  kthread+0x328/0x630
[   31.369899]  ret_from_fork+0x10/0x20
[   31.370000] 
[   31.370050] The buggy address belongs to the object at fff00000c9a9c800
[   31.370050]  which belongs to the cache kmalloc-128 of size 128
[   31.370157] The buggy address is located 0 bytes inside of
[   31.370157]  freed 128-byte region [fff00000c9a9c800, fff00000c9a9c880)
[   31.370279] 
[   31.370343] The buggy address belongs to the physical page:
[   31.370419] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a9c
[   31.370510] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.370559] page_type: f5(slab)
[   31.370612] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   31.370831] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   31.370878] page dumped because: kasan: bad access detected
[   31.370910] 
[   31.370927] Memory state around the buggy address:
[   31.371012]  fff00000c9a9c700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.371078]  fff00000c9a9c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.371190] >fff00000c9a9c800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.371263]                    ^
[   31.371324]  fff00000c9a9c880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.371391]  fff00000c9a9c900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.371526] ==================================================================
[   31.371991] ==================================================================
[   31.372039] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   31.372086] Read of size 1 at addr fff00000c9a9c800 by task kunit_try_catch/227
[   31.372133] 
[   31.372400] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250708 #1 PREEMPT 
[   31.372491] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.372559] Hardware name: linux,dummy-virt (DT)
[   31.372630] Call trace:
[   31.372724]  show_stack+0x20/0x38 (C)
[   31.372798]  dump_stack_lvl+0x8c/0xd0
[   31.372884]  print_report+0x118/0x5d0
[   31.372997]  kasan_report+0xdc/0x128
[   31.373076]  __asan_report_load1_noabort+0x20/0x30
[   31.373226]  ksize_uaf+0x598/0x5f8
[   31.373309]  kunit_try_run_case+0x170/0x3f0
[   31.373393]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.373456]  kthread+0x328/0x630
[   31.373499]  ret_from_fork+0x10/0x20
[   31.373677] 
[   31.373696] Allocated by task 227:
[   31.373724]  kasan_save_stack+0x3c/0x68
[   31.373767]  kasan_save_track+0x20/0x40
[   31.373806]  kasan_save_alloc_info+0x40/0x58
[   31.373844]  __kasan_kmalloc+0xd4/0xd8
[   31.373971]  __kmalloc_cache_noprof+0x16c/0x3c0
[   31.374069]  ksize_uaf+0xb8/0x5f8
[   31.374134]  kunit_try_run_case+0x170/0x3f0
[   31.374230]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.374310]  kthread+0x328/0x630
[   31.374350]  ret_from_fork+0x10/0x20
[   31.374387] 
[   31.374411] Freed by task 227:
[   31.374442]  kasan_save_stack+0x3c/0x68
[   31.374481]  kasan_save_track+0x20/0x40
[   31.374520]  kasan_save_free_info+0x4c/0x78
[   31.374567]  __kasan_slab_free+0x6c/0x98
[   31.374611]  kfree+0x214/0x3c8
[   31.374655]  ksize_uaf+0x11c/0x5f8
[   31.374700]  kunit_try_run_case+0x170/0x3f0
[   31.374750]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.374802]  kthread+0x328/0x630
[   31.374842]  ret_from_fork+0x10/0x20
[   31.374879] 
[   31.374897] The buggy address belongs to the object at fff00000c9a9c800
[   31.374897]  which belongs to the cache kmalloc-128 of size 128
[   31.374954] The buggy address is located 0 bytes inside of
[   31.374954]  freed 128-byte region [fff00000c9a9c800, fff00000c9a9c880)
[   31.375016] 
[   31.375035] The buggy address belongs to the physical page:
[   31.375066] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a9c
[   31.375116] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.375174] page_type: f5(slab)
[   31.375220] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   31.375269] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   31.375307] page dumped because: kasan: bad access detected
[   31.375339] 
[   31.375356] Memory state around the buggy address:
[   31.375387]  fff00000c9a9c700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.375428]  fff00000c9a9c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.375512] >fff00000c9a9c800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.375548]                    ^
[   31.375576]  fff00000c9a9c880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.375618]  fff00000c9a9c900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.375655] ==================================================================
[   31.376173] ==================================================================
[   31.376280] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   31.376328] Read of size 1 at addr fff00000c9a9c878 by task kunit_try_catch/227
[   31.376385] 
[   31.376464] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250708 #1 PREEMPT 
[   31.376548] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.376594] Hardware name: linux,dummy-virt (DT)
[   31.376623] Call trace:
[   31.376646]  show_stack+0x20/0x38 (C)
[   31.376694]  dump_stack_lvl+0x8c/0xd0
[   31.376886]  print_report+0x118/0x5d0
[   31.377005]  kasan_report+0xdc/0x128
[   31.377098]  __asan_report_load1_noabort+0x20/0x30
[   31.377246]  ksize_uaf+0x544/0x5f8
[   31.377309]  kunit_try_run_case+0x170/0x3f0
[   31.377366]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.377444]  kthread+0x328/0x630
[   31.377579]  ret_from_fork+0x10/0x20
[   31.377657] 
[   31.377704] Allocated by task 227:
[   31.377732]  kasan_save_stack+0x3c/0x68
[   31.377813]  kasan_save_track+0x20/0x40
[   31.377885]  kasan_save_alloc_info+0x40/0x58
[   31.377924]  __kasan_kmalloc+0xd4/0xd8
[   31.377976]  __kmalloc_cache_noprof+0x16c/0x3c0
[   31.378050]  ksize_uaf+0xb8/0x5f8
[   31.378103]  kunit_try_run_case+0x170/0x3f0
[   31.378143]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.378189]  kthread+0x328/0x630
[   31.378266]  ret_from_fork+0x10/0x20
[   31.378305] 
[   31.378323] Freed by task 227:
[   31.378349]  kasan_save_stack+0x3c/0x68
[   31.378389]  kasan_save_track+0x20/0x40
[   31.378427]  kasan_save_free_info+0x4c/0x78
[   31.378464]  __kasan_slab_free+0x6c/0x98
[   31.378509]  kfree+0x214/0x3c8
[   31.378648]  ksize_uaf+0x11c/0x5f8
[   31.378720]  kunit_try_run_case+0x170/0x3f0
[   31.378787]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.378903]  kthread+0x328/0x630
[   31.378967]  ret_from_fork+0x10/0x20
[   31.379051] 
[   31.379109] The buggy address belongs to the object at fff00000c9a9c800
[   31.379109]  which belongs to the cache kmalloc-128 of size 128
[   31.379251] The buggy address is located 120 bytes inside of
[   31.379251]  freed 128-byte region [fff00000c9a9c800, fff00000c9a9c880)
[   31.379333] 
[   31.379443] The buggy address belongs to the physical page:
[   31.379490] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a9c
[   31.379560] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.379623] page_type: f5(slab)
[   31.379659] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   31.379843] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   31.379883] page dumped because: kasan: bad access detected
[   31.379915] 
[   31.379932] Memory state around the buggy address:
[   31.380005]  fff00000c9a9c700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.380130]  fff00000c9a9c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.380220] >fff00000c9a9c800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.380287]                                                                 ^
[   31.380346]  fff00000c9a9c880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.380444]  fff00000c9a9c900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.380492] ==================================================================

[   23.873988] ==================================================================
[   23.874390] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   23.874667] Read of size 1 at addr ffff8881062af178 by task kunit_try_catch/244
[   23.874928] 
[   23.875380] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250708 #1 PREEMPT(voluntary) 
[   23.875435] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.875511] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.875533] Call Trace:
[   23.875553]  <TASK>
[   23.875572]  dump_stack_lvl+0x73/0xb0
[   23.875605]  print_report+0xd1/0x610
[   23.875627]  ? __virt_addr_valid+0x1db/0x2d0
[   23.875652]  ? ksize_uaf+0x5e4/0x6c0
[   23.875673]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.875701]  ? ksize_uaf+0x5e4/0x6c0
[   23.875725]  kasan_report+0x141/0x180
[   23.875747]  ? ksize_uaf+0x5e4/0x6c0
[   23.875788]  __asan_report_load1_noabort+0x18/0x20
[   23.875815]  ksize_uaf+0x5e4/0x6c0
[   23.875919]  ? __pfx_ksize_uaf+0x10/0x10
[   23.875942]  ? __schedule+0x10cc/0x2b60
[   23.875971]  ? __pfx_read_tsc+0x10/0x10
[   23.875996]  ? ktime_get_ts64+0x86/0x230
[   23.876022]  kunit_try_run_case+0x1a5/0x480
[   23.876045]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.876065]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.876086]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.876115]  ? __kthread_parkme+0x82/0x180
[   23.876137]  ? preempt_count_sub+0x50/0x80
[   23.876161]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.876182]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.876209]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.876236]  kthread+0x337/0x6f0
[   23.876270]  ? trace_preempt_on+0x20/0xc0
[   23.876295]  ? __pfx_kthread+0x10/0x10
[   23.876317]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.876345]  ? calculate_sigpending+0x7b/0xa0
[   23.876372]  ? __pfx_kthread+0x10/0x10
[   23.876395]  ret_from_fork+0x116/0x1d0
[   23.876414]  ? __pfx_kthread+0x10/0x10
[   23.876437]  ret_from_fork_asm+0x1a/0x30
[   23.876471]  </TASK>
[   23.876482] 
[   23.885338] Allocated by task 244:
[   23.885716]  kasan_save_stack+0x45/0x70
[   23.886224]  kasan_save_track+0x18/0x40
[   23.886584]  kasan_save_alloc_info+0x3b/0x50
[   23.886966]  __kasan_kmalloc+0xb7/0xc0
[   23.887418]  __kmalloc_cache_noprof+0x189/0x420
[   23.887652]  ksize_uaf+0xaa/0x6c0
[   23.887813]  kunit_try_run_case+0x1a5/0x480
[   23.888229]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.888658]  kthread+0x337/0x6f0
[   23.888988]  ret_from_fork+0x116/0x1d0
[   23.889178]  ret_from_fork_asm+0x1a/0x30
[   23.889372] 
[   23.889459] Freed by task 244:
[   23.889601]  kasan_save_stack+0x45/0x70
[   23.890094]  kasan_save_track+0x18/0x40
[   23.890308]  kasan_save_free_info+0x3f/0x60
[   23.890721]  __kasan_slab_free+0x56/0x70
[   23.891208]  kfree+0x222/0x3f0
[   23.891518]  ksize_uaf+0x12c/0x6c0
[   23.891833]  kunit_try_run_case+0x1a5/0x480
[   23.892235]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.892626]  kthread+0x337/0x6f0
[   23.892945]  ret_from_fork+0x116/0x1d0
[   23.893149]  ret_from_fork_asm+0x1a/0x30
[   23.893337] 
[   23.893424] The buggy address belongs to the object at ffff8881062af100
[   23.893424]  which belongs to the cache kmalloc-128 of size 128
[   23.894251] The buggy address is located 120 bytes inside of
[   23.894251]  freed 128-byte region [ffff8881062af100, ffff8881062af180)
[   23.895304] 
[   23.895425] The buggy address belongs to the physical page:
[   23.896034] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1062af
[   23.896454] flags: 0x200000000000000(node=0|zone=2)
[   23.896667] page_type: f5(slab)
[   23.897108] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   23.897573] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   23.898085] page dumped because: kasan: bad access detected
[   23.898676] 
[   23.898949] Memory state around the buggy address:
[   23.899183]  ffff8881062af000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.899480]  ffff8881062af080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.899979] >ffff8881062af100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.900424]                                                                 ^
[   23.901007]  ffff8881062af180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.901696]  ffff8881062af200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.902387] ==================================================================
[   23.820734] ==================================================================
[   23.821216] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   23.821580] Read of size 1 at addr ffff8881062af100 by task kunit_try_catch/244
[   23.821881] 
[   23.822110] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250708 #1 PREEMPT(voluntary) 
[   23.822171] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.822184] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.822207] Call Trace:
[   23.822222]  <TASK>
[   23.822255]  dump_stack_lvl+0x73/0xb0
[   23.822327]  print_report+0xd1/0x610
[   23.822352]  ? __virt_addr_valid+0x1db/0x2d0
[   23.822378]  ? ksize_uaf+0x19d/0x6c0
[   23.822399]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.822429]  ? ksize_uaf+0x19d/0x6c0
[   23.822472]  kasan_report+0x141/0x180
[   23.822495]  ? ksize_uaf+0x19d/0x6c0
[   23.822521]  ? ksize_uaf+0x19d/0x6c0
[   23.822543]  __kasan_check_byte+0x3d/0x50
[   23.822566]  ksize+0x20/0x60
[   23.822595]  ksize_uaf+0x19d/0x6c0
[   23.822617]  ? __pfx_ksize_uaf+0x10/0x10
[   23.822639]  ? __schedule+0x10cc/0x2b60
[   23.822669]  ? __pfx_read_tsc+0x10/0x10
[   23.822712]  ? ktime_get_ts64+0x86/0x230
[   23.822740]  kunit_try_run_case+0x1a5/0x480
[   23.822934]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.822957]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.822979]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.823008]  ? __kthread_parkme+0x82/0x180
[   23.823031]  ? preempt_count_sub+0x50/0x80
[   23.823055]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.823078]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.823105]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.823132]  kthread+0x337/0x6f0
[   23.823153]  ? trace_preempt_on+0x20/0xc0
[   23.823179]  ? __pfx_kthread+0x10/0x10
[   23.823202]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.823229]  ? calculate_sigpending+0x7b/0xa0
[   23.823270]  ? __pfx_kthread+0x10/0x10
[   23.823293]  ret_from_fork+0x116/0x1d0
[   23.823313]  ? __pfx_kthread+0x10/0x10
[   23.823335]  ret_from_fork_asm+0x1a/0x30
[   23.823371]  </TASK>
[   23.823383] 
[   23.831543] Allocated by task 244:
[   23.831743]  kasan_save_stack+0x45/0x70
[   23.832010]  kasan_save_track+0x18/0x40
[   23.832174]  kasan_save_alloc_info+0x3b/0x50
[   23.832414]  __kasan_kmalloc+0xb7/0xc0
[   23.832595]  __kmalloc_cache_noprof+0x189/0x420
[   23.832840]  ksize_uaf+0xaa/0x6c0
[   23.833085]  kunit_try_run_case+0x1a5/0x480
[   23.833417]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.833660]  kthread+0x337/0x6f0
[   23.834067]  ret_from_fork+0x116/0x1d0
[   23.834197]  ret_from_fork_asm+0x1a/0x30
[   23.834341] 
[   23.834426] Freed by task 244:
[   23.834616]  kasan_save_stack+0x45/0x70
[   23.835060]  kasan_save_track+0x18/0x40
[   23.835272]  kasan_save_free_info+0x3f/0x60
[   23.835478]  __kasan_slab_free+0x56/0x70
[   23.835633]  kfree+0x222/0x3f0
[   23.835742]  ksize_uaf+0x12c/0x6c0
[   23.836538]  kunit_try_run_case+0x1a5/0x480
[   23.837135]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.837894]  kthread+0x337/0x6f0
[   23.838260]  ret_from_fork+0x116/0x1d0
[   23.838396]  ret_from_fork_asm+0x1a/0x30
[   23.838533] 
[   23.838599] The buggy address belongs to the object at ffff8881062af100
[   23.838599]  which belongs to the cache kmalloc-128 of size 128
[   23.839356] The buggy address is located 0 bytes inside of
[   23.839356]  freed 128-byte region [ffff8881062af100, ffff8881062af180)
[   23.840434] 
[   23.840528] The buggy address belongs to the physical page:
[   23.840712] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1062af
[   23.841253] flags: 0x200000000000000(node=0|zone=2)
[   23.841486] page_type: f5(slab)
[   23.841769] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   23.842198] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   23.842519] page dumped because: kasan: bad access detected
[   23.842742] 
[   23.843131] Memory state around the buggy address:
[   23.843428]  ffff8881062af000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.843673]  ffff8881062af080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.844355] >ffff8881062af100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.844632]                    ^
[   23.844775]  ffff8881062af180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.845210]  ffff8881062af200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.845505] ==================================================================
[   23.846054] ==================================================================
[   23.846806] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   23.847074] Read of size 1 at addr ffff8881062af100 by task kunit_try_catch/244
[   23.847389] 
[   23.847738] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250708 #1 PREEMPT(voluntary) 
[   23.847821] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.847834] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.847856] Call Trace:
[   23.847871]  <TASK>
[   23.847889]  dump_stack_lvl+0x73/0xb0
[   23.847921]  print_report+0xd1/0x610
[   23.847945]  ? __virt_addr_valid+0x1db/0x2d0
[   23.847970]  ? ksize_uaf+0x5fe/0x6c0
[   23.847991]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.848020]  ? ksize_uaf+0x5fe/0x6c0
[   23.848042]  kasan_report+0x141/0x180
[   23.848229]  ? ksize_uaf+0x5fe/0x6c0
[   23.848269]  __asan_report_load1_noabort+0x18/0x20
[   23.848296]  ksize_uaf+0x5fe/0x6c0
[   23.848318]  ? __pfx_ksize_uaf+0x10/0x10
[   23.848340]  ? __schedule+0x10cc/0x2b60
[   23.848370]  ? __pfx_read_tsc+0x10/0x10
[   23.848396]  ? ktime_get_ts64+0x86/0x230
[   23.848422]  kunit_try_run_case+0x1a5/0x480
[   23.848445]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.848465]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.848487]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.848516]  ? __kthread_parkme+0x82/0x180
[   23.848537]  ? preempt_count_sub+0x50/0x80
[   23.848562]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.848584]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.848610]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.848637]  kthread+0x337/0x6f0
[   23.848658]  ? trace_preempt_on+0x20/0xc0
[   23.848683]  ? __pfx_kthread+0x10/0x10
[   23.848705]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.848733]  ? calculate_sigpending+0x7b/0xa0
[   23.848839]  ? __pfx_kthread+0x10/0x10
[   23.848866]  ret_from_fork+0x116/0x1d0
[   23.848887]  ? __pfx_kthread+0x10/0x10
[   23.848909]  ret_from_fork_asm+0x1a/0x30
[   23.848943]  </TASK>
[   23.848955] 
[   23.858387] Allocated by task 244:
[   23.858590]  kasan_save_stack+0x45/0x70
[   23.858778]  kasan_save_track+0x18/0x40
[   23.858903]  kasan_save_alloc_info+0x3b/0x50
[   23.859277]  __kasan_kmalloc+0xb7/0xc0
[   23.859488]  __kmalloc_cache_noprof+0x189/0x420
[   23.859837]  ksize_uaf+0xaa/0x6c0
[   23.860054]  kunit_try_run_case+0x1a5/0x480
[   23.860433]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.861116]  kthread+0x337/0x6f0
[   23.861381]  ret_from_fork+0x116/0x1d0
[   23.861569]  ret_from_fork_asm+0x1a/0x30
[   23.862204] 
[   23.862386] Freed by task 244:
[   23.862535]  kasan_save_stack+0x45/0x70
[   23.862737]  kasan_save_track+0x18/0x40
[   23.863372]  kasan_save_free_info+0x3f/0x60
[   23.863590]  __kasan_slab_free+0x56/0x70
[   23.863726]  kfree+0x222/0x3f0
[   23.863932]  ksize_uaf+0x12c/0x6c0
[   23.864093]  kunit_try_run_case+0x1a5/0x480
[   23.864482]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.864703]  kthread+0x337/0x6f0
[   23.865329]  ret_from_fork+0x116/0x1d0
[   23.865516]  ret_from_fork_asm+0x1a/0x30
[   23.865910] 
[   23.866182] The buggy address belongs to the object at ffff8881062af100
[   23.866182]  which belongs to the cache kmalloc-128 of size 128
[   23.866851] The buggy address is located 0 bytes inside of
[   23.866851]  freed 128-byte region [ffff8881062af100, ffff8881062af180)
[   23.867694] 
[   23.867970] The buggy address belongs to the physical page:
[   23.868177] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1062af
[   23.868545] flags: 0x200000000000000(node=0|zone=2)
[   23.868783] page_type: f5(slab)
[   23.869300] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   23.869790] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   23.870207] page dumped because: kasan: bad access detected
[   23.870648] 
[   23.870752] Memory state around the buggy address:
[   23.871212]  ffff8881062af000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.871604]  ffff8881062af080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.872113] >ffff8881062af100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.872422]                    ^
[   23.872565]  ffff8881062af180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.873052]  ffff8881062af200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.873360] ==================================================================