Date
July 9, 2025, 1:08 p.m.
Environment: qemu-arm64

```text
[ 29.560360] ==================================================================
[ 29.560414] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 29.560569] Read of size 1 at addr fff00000c5998278 by task kunit_try_catch/228
[ 29.560624]
[ 29.560655] CPU: 0 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250709 #1 PREEMPT
[ 29.560741] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 29.560936] Hardware name: linux,dummy-virt (DT)
[ 29.561225] Call trace:
[ 29.561301] show_stack+0x20/0x38 (C)
[ 29.561361] dump_stack_lvl+0x8c/0xd0
[ 29.561542] print_report+0x118/0x5d0
[ 29.561680] kasan_report+0xdc/0x128
[ 29.561740] __asan_report_load1_noabort+0x20/0x30
[ 29.562135] ksize_uaf+0x544/0x5f8
[ 29.562206] kunit_try_run_case+0x170/0x3f0
[ 29.562259] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.562311] kthread+0x328/0x630
[ 29.562355] ret_from_fork+0x10/0x20
[ 29.562401]
[ 29.562709] Allocated by task 228:
[ 29.562833] kasan_save_stack+0x3c/0x68
[ 29.562947] kasan_save_track+0x20/0x40
[ 29.563079] kasan_save_alloc_info+0x40/0x58
[ 29.563121] __kasan_kmalloc+0xd4/0xd8
[ 29.563403] __kmalloc_cache_noprof+0x16c/0x3c0
[ 29.563466] ksize_uaf+0xb8/0x5f8
[ 29.563578] kunit_try_run_case+0x170/0x3f0
[ 29.563654] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.563830] kthread+0x328/0x630
[ 29.563901] ret_from_fork+0x10/0x20
[ 29.564117]
[ 29.564142] Freed by task 228:
[ 29.564175] kasan_save_stack+0x3c/0x68
[ 29.564382] kasan_save_track+0x20/0x40
[ 29.564545] kasan_save_free_info+0x4c/0x78
[ 29.564664] __kasan_slab_free+0x6c/0x98
[ 29.564842] kfree+0x214/0x3c8
[ 29.564939] ksize_uaf+0x11c/0x5f8
[ 29.565245] kunit_try_run_case+0x170/0x3f0
[ 29.565466] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.565690] kthread+0x328/0x630
[ 29.565765] ret_from_fork+0x10/0x20
[ 29.565871]
[ 29.565901] The buggy address belongs to the object at fff00000c5998200
[ 29.565901] which belongs to the cache kmalloc-128 of size 128
[ 29.566105] The buggy address is located 120 bytes inside of
[ 29.566105] freed 128-byte region [fff00000c5998200, fff00000c5998280)
[ 29.566174]
[ 29.566305] The buggy address belongs to the physical page:
[ 29.566429] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105998
[ 29.566513] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 29.566571] page_type: f5(slab)
[ 29.566611] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 29.566663] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 29.566712] page dumped because: kasan: bad access detected
[ 29.566744]
[ 29.566774] Memory state around the buggy address:
[ 29.566824] fff00000c5998100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.566886] fff00000c5998180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.566930] >fff00000c5998200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.566968] ^
[ 29.567009] fff00000c5998280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.567091] fff00000c5998300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.567166] ==================================================================
[ 29.541256] ==================================================================
[ 29.541319] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 29.541372] Read of size 1 at addr fff00000c5998200 by task kunit_try_catch/228
[ 29.541861]
[ 29.541924] CPU: 0 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250709 #1 PREEMPT
[ 29.542027] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 29.542066] Hardware name: linux,dummy-virt (DT)
[ 29.542097] Call trace:
[ 29.542120] show_stack+0x20/0x38 (C)
[ 29.542183] dump_stack_lvl+0x8c/0xd0
[ 29.542233] print_report+0x118/0x5d0
[ 29.542277] kasan_report+0xdc/0x128
[ 29.542320] __kasan_check_byte+0x54/0x70
[ 29.542375] ksize+0x30/0x88
[ 29.542419] ksize_uaf+0x168/0x5f8
[ 29.542473] kunit_try_run_case+0x170/0x3f0
[ 29.542523] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.542578] kthread+0x328/0x630
[ 29.542621] ret_from_fork+0x10/0x20
[ 29.542677]
[ 29.542696] Allocated by task 228:
[ 29.542725] kasan_save_stack+0x3c/0x68
[ 29.542765] kasan_save_track+0x20/0x40
[ 29.542804] kasan_save_alloc_info+0x40/0x58
[ 29.542842] __kasan_kmalloc+0xd4/0xd8
[ 29.542880] __kmalloc_cache_noprof+0x16c/0x3c0
[ 29.542920] ksize_uaf+0xb8/0x5f8
[ 29.542954] kunit_try_run_case+0x170/0x3f0
[ 29.543002] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.543820] kthread+0x328/0x630
[ 29.544036] ret_from_fork+0x10/0x20
[ 29.544189]
[ 29.544212] Freed by task 228:
[ 29.544242] kasan_save_stack+0x3c/0x68
[ 29.544282] kasan_save_track+0x20/0x40
[ 29.544320] kasan_save_free_info+0x4c/0x78
[ 29.544358] __kasan_slab_free+0x6c/0x98
[ 29.544739] kfree+0x214/0x3c8
[ 29.544817] ksize_uaf+0x11c/0x5f8
[ 29.545181] kunit_try_run_case+0x170/0x3f0
[ 29.545307] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.545382] kthread+0x328/0x630
[ 29.545605] ret_from_fork+0x10/0x20
[ 29.545892]
[ 29.545951] The buggy address belongs to the object at fff00000c5998200
[ 29.545951] which belongs to the cache kmalloc-128 of size 128
[ 29.546081] The buggy address is located 0 bytes inside of
[ 29.546081] freed 128-byte region [fff00000c5998200, fff00000c5998280)
[ 29.546169]
[ 29.546387] The buggy address belongs to the physical page:
[ 29.546510] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105998
[ 29.546668] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 29.547309] page_type: f5(slab)
[ 29.547419] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 29.547656] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 29.547731] page dumped because: kasan: bad access detected
[ 29.547905]
[ 29.547985] Memory state around the buggy address:
[ 29.548148] fff00000c5998100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.548234] fff00000c5998180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.548700] >fff00000c5998200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.548791] ^
[ 29.548823] fff00000c5998280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.549105] fff00000c5998300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.549271] ==================================================================
[ 29.551174] ==================================================================
[ 29.551236] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 29.551427] Read of size 1 at addr fff00000c5998200 by task kunit_try_catch/228
[ 29.551490]
[ 29.551523] CPU: 0 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250709 #1 PREEMPT
[ 29.552004] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 29.552067] Hardware name: linux,dummy-virt (DT)
[ 29.552159] Call trace:
[ 29.552229] show_stack+0x20/0x38 (C)
[ 29.552434] dump_stack_lvl+0x8c/0xd0
[ 29.552547] print_report+0x118/0x5d0
[ 29.552601] kasan_report+0xdc/0x128
[ 29.552770] __asan_report_load1_noabort+0x20/0x30
[ 29.552830] ksize_uaf+0x598/0x5f8
[ 29.552876] kunit_try_run_case+0x170/0x3f0
[ 29.552926] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.553237] kthread+0x328/0x630
[ 29.553322] ret_from_fork+0x10/0x20
[ 29.553501]
[ 29.553581] Allocated by task 228:
[ 29.553683] kasan_save_stack+0x3c/0x68
[ 29.553740] kasan_save_track+0x20/0x40
[ 29.553847] kasan_save_alloc_info+0x40/0x58
[ 29.553886] __kasan_kmalloc+0xd4/0xd8
[ 29.554277] __kmalloc_cache_noprof+0x16c/0x3c0
[ 29.554457] ksize_uaf+0xb8/0x5f8
[ 29.554542] kunit_try_run_case+0x170/0x3f0
[ 29.554665] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.554724] kthread+0x328/0x630
[ 29.554964] ret_from_fork+0x10/0x20
[ 29.555155]
[ 29.555209] Freed by task 228:
[ 29.555379] kasan_save_stack+0x3c/0x68
[ 29.555779] kasan_save_track+0x20/0x40
[ 29.555854] kasan_save_free_info+0x4c/0x78
[ 29.556025] __kasan_slab_free+0x6c/0x98
[ 29.556259] kfree+0x214/0x3c8
[ 29.556299] ksize_uaf+0x11c/0x5f8
[ 29.556457] kunit_try_run_case+0x170/0x3f0
[ 29.556564] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.556734] kthread+0x328/0x630
[ 29.556821] ret_from_fork+0x10/0x20
[ 29.556985]
[ 29.557129] The buggy address belongs to the object at fff00000c5998200
[ 29.557129] which belongs to the cache kmalloc-128 of size 128
[ 29.557211] The buggy address is located 0 bytes inside of
[ 29.557211] freed 128-byte region [fff00000c5998200, fff00000c5998280)
[ 29.557273]
[ 29.557294] The buggy address belongs to the physical page:
[ 29.557543] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105998
[ 29.557757] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 29.557910] page_type: f5(slab)
[ 29.558093] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 29.558181] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 29.558443] page dumped because: kasan: bad access detected
[ 29.558592]
[ 29.558636] Memory state around the buggy address:
[ 29.558712] fff00000c5998100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.558760] fff00000c5998180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.558803] >fff00000c5998200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.558850] ^
[ 29.558879] fff00000c5998280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.558938] fff00000c5998300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.558985] ==================================================================
```

Environment: qemu-x86_64

```text
[ 24.588792] ==================================================================
[ 24.589259] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 24.589538] Read of size 1 at addr ffff88810456ae00 by task kunit_try_catch/246
[ 24.589941]
[ 24.590025] CPU: 1 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc5-next-20250709 #1 PREEMPT(voluntary)
[ 24.590072] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 24.590085] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.590104] Call Trace:
[ 24.590120] <TASK>
[ 24.590136] dump_stack_lvl+0x73/0xb0
[ 24.590164] print_report+0xd1/0x610
[ 24.590367] ? __virt_addr_valid+0x1db/0x2d0
[ 24.590397] ? ksize_uaf+0x5fe/0x6c0
[ 24.590418] ? kasan_complete_mode_report_info+0x64/0x200
[ 24.590471] ? ksize_uaf+0x5fe/0x6c0
[ 24.590493] kasan_report+0x141/0x180
[ 24.590515] ? ksize_uaf+0x5fe/0x6c0
[ 24.590552] __asan_report_load1_noabort+0x18/0x20
[ 24.590575] ksize_uaf+0x5fe/0x6c0
[ 24.590595] ? __pfx_ksize_uaf+0x10/0x10
[ 24.590616] ? __schedule+0x10cc/0x2b60
[ 24.590639] ? __pfx_read_tsc+0x10/0x10
[ 24.590659] ? ktime_get_ts64+0x86/0x230
[ 24.590683] kunit_try_run_case+0x1a5/0x480
[ 24.590716] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.590736] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 24.590759] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.590803] ? __kthread_parkme+0x82/0x180
[ 24.590823] ? preempt_count_sub+0x50/0x80
[ 24.590846] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.590866] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.590962] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.590987] kthread+0x337/0x6f0
[ 24.591006] ? trace_preempt_on+0x20/0xc0
[ 24.591028] ? __pfx_kthread+0x10/0x10
[ 24.591049] ? _raw_spin_unlock_irq+0x47/0x80
[ 24.591071] ? calculate_sigpending+0x7b/0xa0
[ 24.591094] ? __pfx_kthread+0x10/0x10
[ 24.591115] ret_from_fork+0x116/0x1d0
[ 24.591133] ? __pfx_kthread+0x10/0x10
[ 24.591153] ret_from_fork_asm+0x1a/0x30
[ 24.591183] </TASK>
[ 24.591194]
[ 24.598448] Allocated by task 246:
[ 24.598590] kasan_save_stack+0x45/0x70
[ 24.598817] kasan_save_track+0x18/0x40
[ 24.599011] kasan_save_alloc_info+0x3b/0x50
[ 24.599184] __kasan_kmalloc+0xb7/0xc0
[ 24.599447] __kmalloc_cache_noprof+0x189/0x420
[ 24.599655] ksize_uaf+0xaa/0x6c0
[ 24.599934] kunit_try_run_case+0x1a5/0x480
[ 24.600094] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.600345] kthread+0x337/0x6f0
[ 24.600504] ret_from_fork+0x116/0x1d0
[ 24.600630] ret_from_fork_asm+0x1a/0x30
[ 24.600798]
[ 24.600865] Freed by task 246:
[ 24.601074] kasan_save_stack+0x45/0x70
[ 24.601265] kasan_save_track+0x18/0x40
[ 24.601448] kasan_save_free_info+0x3f/0x60
[ 24.601668] __kasan_slab_free+0x56/0x70
[ 24.602077] kfree+0x222/0x3f0
[ 24.602273] ksize_uaf+0x12c/0x6c0
[ 24.602458] kunit_try_run_case+0x1a5/0x480
[ 24.602595] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.602834] kthread+0x337/0x6f0
[ 24.603037] ret_from_fork+0x116/0x1d0
[ 24.603221] ret_from_fork_asm+0x1a/0x30
[ 24.603385]
[ 24.603450] The buggy address belongs to the object at ffff88810456ae00
[ 24.603450] which belongs to the cache kmalloc-128 of size 128
[ 24.603819] The buggy address is located 0 bytes inside of
[ 24.603819] freed 128-byte region [ffff88810456ae00, ffff88810456ae80)
[ 24.604336]
[ 24.604426] The buggy address belongs to the physical page:
[ 24.604679] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10456a
[ 24.605220] flags: 0x200000000000000(node=0|zone=2)
[ 24.605385] page_type: f5(slab)
[ 24.605566] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 24.606141] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 24.606417] page dumped because: kasan: bad access detected
[ 24.606672]
[ 24.606752] Memory state around the buggy address:
[ 24.607056] ffff88810456ad00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.607313] ffff88810456ad80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.607519] >ffff88810456ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.607734] ^
[ 24.608009] ffff88810456ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.608350] ffff88810456af00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.608668] ==================================================================
[ 24.609261] ==================================================================
[ 24.609620] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 24.609860] Read of size 1 at addr ffff88810456ae78 by task kunit_try_catch/246
[ 24.610439]
[ 24.610569] CPU: 1 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc5-next-20250709 #1 PREEMPT(voluntary)
[ 24.610617] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 24.610630] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.610650] Call Trace:
[ 24.610666] <TASK>
[ 24.610682] dump_stack_lvl+0x73/0xb0
[ 24.610724] print_report+0xd1/0x610
[ 24.610745] ? __virt_addr_valid+0x1db/0x2d0
[ 24.610788] ? ksize_uaf+0x5e4/0x6c0
[ 24.610808] ? kasan_complete_mode_report_info+0x64/0x200
[ 24.610833] ? ksize_uaf+0x5e4/0x6c0
[ 24.610853] kasan_report+0x141/0x180
[ 24.610874] ? ksize_uaf+0x5e4/0x6c0
[ 24.610899] __asan_report_load1_noabort+0x18/0x20
[ 24.610922] ksize_uaf+0x5e4/0x6c0
[ 24.610941] ? __pfx_ksize_uaf+0x10/0x10
[ 24.610962] ? __schedule+0x10cc/0x2b60
[ 24.611053] ? __pfx_read_tsc+0x10/0x10
[ 24.611076] ? ktime_get_ts64+0x86/0x230
[ 24.611101] kunit_try_run_case+0x1a5/0x480
[ 24.611123] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.611143] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 24.611166] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.611189] ? __kthread_parkme+0x82/0x180
[ 24.611209] ? preempt_count_sub+0x50/0x80
[ 24.611232] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.611253] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.611294] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.611319] kthread+0x337/0x6f0
[ 24.611338] ? trace_preempt_on+0x20/0xc0
[ 24.611360] ? __pfx_kthread+0x10/0x10
[ 24.611380] ? _raw_spin_unlock_irq+0x47/0x80
[ 24.611401] ? calculate_sigpending+0x7b/0xa0
[ 24.611424] ? __pfx_kthread+0x10/0x10
[ 24.611447] ret_from_fork+0x116/0x1d0
[ 24.611465] ? __pfx_kthread+0x10/0x10
[ 24.611485] ret_from_fork_asm+0x1a/0x30
[ 24.611516] </TASK>
[ 24.611526]
[ 24.618736] Allocated by task 246:
[ 24.618863] kasan_save_stack+0x45/0x70
[ 24.619157] kasan_save_track+0x18/0x40
[ 24.619354] kasan_save_alloc_info+0x3b/0x50
[ 24.619580] __kasan_kmalloc+0xb7/0xc0
[ 24.619778] __kmalloc_cache_noprof+0x189/0x420
[ 24.620099] ksize_uaf+0xaa/0x6c0
[ 24.620281] kunit_try_run_case+0x1a5/0x480
[ 24.620470] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.620641] kthread+0x337/0x6f0
[ 24.620784] ret_from_fork+0x116/0x1d0
[ 24.621050] ret_from_fork_asm+0x1a/0x30
[ 24.621269]
[ 24.621360] Freed by task 246:
[ 24.621509] kasan_save_stack+0x45/0x70
[ 24.621686] kasan_save_track+0x18/0x40
[ 24.622093] kasan_save_free_info+0x3f/0x60
[ 24.622247] __kasan_slab_free+0x56/0x70
[ 24.622376] kfree+0x222/0x3f0
[ 24.622564] ksize_uaf+0x12c/0x6c0
[ 24.622761] kunit_try_run_case+0x1a5/0x480
[ 24.622964] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.623233] kthread+0x337/0x6f0
[ 24.623428] ret_from_fork+0x116/0x1d0
[ 24.623566] ret_from_fork_asm+0x1a/0x30
[ 24.623792]
[ 24.623945] The buggy address belongs to the object at ffff88810456ae00
[ 24.623945] which belongs to the cache kmalloc-128 of size 128
[ 24.624468] The buggy address is located 120 bytes inside of
[ 24.624468] freed 128-byte region [ffff88810456ae00, ffff88810456ae80)
[ 24.624982]
[ 24.625093] The buggy address belongs to the physical page:
[ 24.625336] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10456a
[ 24.625670] flags: 0x200000000000000(node=0|zone=2)
[ 24.626029] page_type: f5(slab)
[ 24.626237] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 24.626568] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 24.626968] page dumped because: kasan: bad access detected
[ 24.627219]
[ 24.627298] Memory state around the buggy address:
[ 24.627513] ffff88810456ad00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.627844] ffff88810456ad80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.628209] >ffff88810456ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.628500] ^
[ 24.628740] ffff88810456ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.629159] ffff88810456af00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.629450] ==================================================================
[ 24.567448] ==================================================================
[ 24.567981] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 24.568393] Read of size 1 at addr ffff88810456ae00 by task kunit_try_catch/246
[ 24.568690]
[ 24.568804] CPU: 1 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc5-next-20250709 #1 PREEMPT(voluntary)
[ 24.568857] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 24.568870] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.568890] Call Trace:
[ 24.569113] <TASK>
[ 24.569137] dump_stack_lvl+0x73/0xb0
[ 24.569172] print_report+0xd1/0x610
[ 24.569194] ? __virt_addr_valid+0x1db/0x2d0
[ 24.569218] ? ksize_uaf+0x19d/0x6c0
[ 24.569237] ? kasan_complete_mode_report_info+0x64/0x200
[ 24.569263] ? ksize_uaf+0x19d/0x6c0
[ 24.569282] kasan_report+0x141/0x180
[ 24.569303] ? ksize_uaf+0x19d/0x6c0
[ 24.569326] ? ksize_uaf+0x19d/0x6c0
[ 24.569346] __kasan_check_byte+0x3d/0x50
[ 24.569367] ksize+0x20/0x60
[ 24.569390] ksize_uaf+0x19d/0x6c0
[ 24.569410] ? __pfx_ksize_uaf+0x10/0x10
[ 24.569430] ? __schedule+0x10cc/0x2b60
[ 24.569453] ? __pfx_read_tsc+0x10/0x10
[ 24.569474] ? ktime_get_ts64+0x86/0x230
[ 24.569499] kunit_try_run_case+0x1a5/0x480
[ 24.569521] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.569541] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 24.569563] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.569587] ? __kthread_parkme+0x82/0x180
[ 24.569607] ? preempt_count_sub+0x50/0x80
[ 24.569629] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.569650] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.569674] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.569713] kthread+0x337/0x6f0
[ 24.569732] ? trace_preempt_on+0x20/0xc0
[ 24.569754] ? __pfx_kthread+0x10/0x10
[ 24.569775] ? _raw_spin_unlock_irq+0x47/0x80
[ 24.569808] ? calculate_sigpending+0x7b/0xa0
[ 24.569832] ? __pfx_kthread+0x10/0x10
[ 24.569852] ret_from_fork+0x116/0x1d0
[ 24.569871] ? __pfx_kthread+0x10/0x10
[ 24.569960] ret_from_fork_asm+0x1a/0x30
[ 24.569992] </TASK>
[ 24.570003]
[ 24.577420] Allocated by task 246:
[ 24.577583] kasan_save_stack+0x45/0x70
[ 24.577764] kasan_save_track+0x18/0x40
[ 24.578015] kasan_save_alloc_info+0x3b/0x50
[ 24.578193] __kasan_kmalloc+0xb7/0xc0
[ 24.578318] __kmalloc_cache_noprof+0x189/0x420
[ 24.578464] ksize_uaf+0xaa/0x6c0
[ 24.578625] kunit_try_run_case+0x1a5/0x480
[ 24.578831] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.579255] kthread+0x337/0x6f0
[ 24.579400] ret_from_fork+0x116/0x1d0
[ 24.579528] ret_from_fork_asm+0x1a/0x30
[ 24.579659]
[ 24.579736] Freed by task 246:
[ 24.579852] kasan_save_stack+0x45/0x70
[ 24.580033] kasan_save_track+0x18/0x40
[ 24.580213] kasan_save_free_info+0x3f/0x60
[ 24.580409] __kasan_slab_free+0x56/0x70
[ 24.580595] kfree+0x222/0x3f0
[ 24.580791] ksize_uaf+0x12c/0x6c0
[ 24.580946] kunit_try_run_case+0x1a5/0x480
[ 24.581130] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.581359] kthread+0x337/0x6f0
[ 24.581511] ret_from_fork+0x116/0x1d0
[ 24.581675] ret_from_fork_asm+0x1a/0x30
[ 24.581906]
[ 24.581972] The buggy address belongs to the object at ffff88810456ae00
[ 24.581972] which belongs to the cache kmalloc-128 of size 128
[ 24.582321] The buggy address is located 0 bytes inside of
[ 24.582321] freed 128-byte region [ffff88810456ae00, ffff88810456ae80)
[ 24.583213]
[ 24.583316] The buggy address belongs to the physical page:
[ 24.583562] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10456a
[ 24.584039] flags: 0x200000000000000(node=0|zone=2)
[ 24.584261] page_type: f5(slab)
[ 24.584377] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 24.584668] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 24.585108] page dumped because: kasan: bad access detected
[ 24.585307]
[ 24.585371] Memory state around the buggy address:
[ 24.585518] ffff88810456ad00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.585828] ffff88810456ad80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.586316] >ffff88810456ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.586633] ^
[ 24.586830] ffff88810456ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.587216] ffff88810456af00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.587442] ==================================================================
```