Hay
Sign in
Date
July 10, 2025, 9:07 a.m.

Environment
qemu-arm64
qemu-x86_64 

[   29.711176] ==================================================================
[   29.711227] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   29.711272] Read of size 1 at addr fff00000c9af0500 by task kunit_try_catch/227
[   29.711321] 
[   29.711380] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250710 #1 PREEMPT 
[   29.711469] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.711494] Hardware name: linux,dummy-virt (DT)
[   29.711530] Call trace:
[   29.711551]  show_stack+0x20/0x38 (C)
[   29.711597]  dump_stack_lvl+0x8c/0xd0
[   29.711640]  print_report+0x118/0x5d0
[   29.711683]  kasan_report+0xdc/0x128
[   29.711725]  __asan_report_load1_noabort+0x20/0x30
[   29.711771]  ksize_uaf+0x598/0x5f8
[   29.711814]  kunit_try_run_case+0x170/0x3f0
[   29.711862]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.711914]  kthread+0x328/0x630
[   29.711967]  ret_from_fork+0x10/0x20
[   29.712014] 
[   29.712031] Allocated by task 227:
[   29.712057]  kasan_save_stack+0x3c/0x68
[   29.712098]  kasan_save_track+0x20/0x40
[   29.712147]  kasan_save_alloc_info+0x40/0x58
[   29.712185]  __kasan_kmalloc+0xd4/0xd8
[   29.712271]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.712372]  ksize_uaf+0xb8/0x5f8
[   29.712406]  kunit_try_run_case+0x170/0x3f0
[   29.712643]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.712692]  kthread+0x328/0x630
[   29.712725]  ret_from_fork+0x10/0x20
[   29.712761] 
[   29.712780] Freed by task 227:
[   29.712806]  kasan_save_stack+0x3c/0x68
[   29.712844]  kasan_save_track+0x20/0x40
[   29.712882]  kasan_save_free_info+0x4c/0x78
[   29.712919]  __kasan_slab_free+0x6c/0x98
[   29.712956]  kfree+0x214/0x3c8
[   29.712990]  ksize_uaf+0x11c/0x5f8
[   29.713034]  kunit_try_run_case+0x170/0x3f0
[   29.713223]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.713424]  kthread+0x328/0x630
[   29.713536]  ret_from_fork+0x10/0x20
[   29.713572] 
[   29.713660] The buggy address belongs to the object at fff00000c9af0500
[   29.713660]  which belongs to the cache kmalloc-128 of size 128
[   29.713922] The buggy address is located 0 bytes inside of
[   29.713922]  freed 128-byte region [fff00000c9af0500, fff00000c9af0580)
[   29.715250] 
[   29.715281] The buggy address belongs to the physical page:
[   29.715315] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109af0
[   29.715367] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   29.715416] page_type: f5(slab)
[   29.715454] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   29.715508] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   29.715550] page dumped because: kasan: bad access detected
[   29.715581] 
[   29.715600] Memory state around the buggy address:
[   29.715630]  fff00000c9af0400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.715674]  fff00000c9af0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.715718] >fff00000c9af0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.715758]                    ^
[   29.715783]  fff00000c9af0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.715826]  fff00000c9af0600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.715866] ==================================================================
[   29.706215] ==================================================================
[   29.706272] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   29.706318] Read of size 1 at addr fff00000c9af0500 by task kunit_try_catch/227
[   29.706373] 
[   29.706401] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250710 #1 PREEMPT 
[   29.706617] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.706694] Hardware name: linux,dummy-virt (DT)
[   29.706861] Call trace:
[   29.706918]  show_stack+0x20/0x38 (C)
[   29.706985]  dump_stack_lvl+0x8c/0xd0
[   29.707029]  print_report+0x118/0x5d0
[   29.707124]  kasan_report+0xdc/0x128
[   29.707179]  __kasan_check_byte+0x54/0x70
[   29.707227]  ksize+0x30/0x88
[   29.707269]  ksize_uaf+0x168/0x5f8
[   29.707313]  kunit_try_run_case+0x170/0x3f0
[   29.707359]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.707412]  kthread+0x328/0x630
[   29.707454]  ret_from_fork+0x10/0x20
[   29.707504] 
[   29.707522] Allocated by task 227:
[   29.707550]  kasan_save_stack+0x3c/0x68
[   29.707590]  kasan_save_track+0x20/0x40
[   29.707640]  kasan_save_alloc_info+0x40/0x58
[   29.707678]  __kasan_kmalloc+0xd4/0xd8
[   29.707716]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.707755]  ksize_uaf+0xb8/0x5f8
[   29.707792]  kunit_try_run_case+0x170/0x3f0
[   29.707830]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.707882]  kthread+0x328/0x630
[   29.708014]  ret_from_fork+0x10/0x20
[   29.708096] 
[   29.708153] Freed by task 227:
[   29.708181]  kasan_save_stack+0x3c/0x68
[   29.708325]  kasan_save_track+0x20/0x40
[   29.708364]  kasan_save_free_info+0x4c/0x78
[   29.708402]  __kasan_slab_free+0x6c/0x98
[   29.708439]  kfree+0x214/0x3c8
[   29.708472]  ksize_uaf+0x11c/0x5f8
[   29.708547]  kunit_try_run_case+0x170/0x3f0
[   29.708720]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.708794]  kthread+0x328/0x630
[   29.708827]  ret_from_fork+0x10/0x20
[   29.708903] 
[   29.708992] The buggy address belongs to the object at fff00000c9af0500
[   29.708992]  which belongs to the cache kmalloc-128 of size 128
[   29.709053] The buggy address is located 0 bytes inside of
[   29.709053]  freed 128-byte region [fff00000c9af0500, fff00000c9af0580)
[   29.709550] 
[   29.709709] The buggy address belongs to the physical page:
[   29.709745] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109af0
[   29.709800] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   29.709848] page_type: f5(slab)
[   29.709886] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   29.709938] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   29.709980] page dumped because: kasan: bad access detected
[   29.710012] 
[   29.710031] Memory state around the buggy address:
[   29.710062]  fff00000c9af0400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.710107]  fff00000c9af0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.710169] >fff00000c9af0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.710289]                    ^
[   29.710349]  fff00000c9af0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.710417]  fff00000c9af0600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.710476] ==================================================================
[   29.716100] ==================================================================
[   29.716161] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   29.716216] Read of size 1 at addr fff00000c9af0578 by task kunit_try_catch/227
[   29.716450] 
[   29.716478] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250710 #1 PREEMPT 
[   29.716564] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.716598] Hardware name: linux,dummy-virt (DT)
[   29.716735] Call trace:
[   29.716791]  show_stack+0x20/0x38 (C)
[   29.716885]  dump_stack_lvl+0x8c/0xd0
[   29.716994]  print_report+0x118/0x5d0
[   29.717138]  kasan_report+0xdc/0x128
[   29.717186]  __asan_report_load1_noabort+0x20/0x30
[   29.717234]  ksize_uaf+0x544/0x5f8
[   29.717277]  kunit_try_run_case+0x170/0x3f0
[   29.717325]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.717379]  kthread+0x328/0x630
[   29.717420]  ret_from_fork+0x10/0x20
[   29.717464] 
[   29.717482] Allocated by task 227:
[   29.717507]  kasan_save_stack+0x3c/0x68
[   29.717549]  kasan_save_track+0x20/0x40
[   29.717588]  kasan_save_alloc_info+0x40/0x58
[   29.717626]  __kasan_kmalloc+0xd4/0xd8
[   29.717664]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.717705]  ksize_uaf+0xb8/0x5f8
[   29.717738]  kunit_try_run_case+0x170/0x3f0
[   29.717778]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.717824]  kthread+0x328/0x630
[   29.717856]  ret_from_fork+0x10/0x20
[   29.717892] 
[   29.717910] Freed by task 227:
[   29.717935]  kasan_save_stack+0x3c/0x68
[   29.717973]  kasan_save_track+0x20/0x40
[   29.718017]  kasan_save_free_info+0x4c/0x78
[   29.718762]  __kasan_slab_free+0x6c/0x98
[   29.718957]  kfree+0x214/0x3c8
[   29.719022]  ksize_uaf+0x11c/0x5f8
[   29.719075]  kunit_try_run_case+0x170/0x3f0
[   29.719115]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.719172]  kthread+0x328/0x630
[   29.719203]  ret_from_fork+0x10/0x20
[   29.719239] 
[   29.719258] The buggy address belongs to the object at fff00000c9af0500
[   29.719258]  which belongs to the cache kmalloc-128 of size 128
[   29.719343] The buggy address is located 120 bytes inside of
[   29.719343]  freed 128-byte region [fff00000c9af0500, fff00000c9af0580)
[   29.719409] 
[   29.719428] The buggy address belongs to the physical page:
[   29.719458] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109af0
[   29.719514] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   29.719562] page_type: f5(slab)
[   29.719596] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   29.719771] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   29.719872] page dumped because: kasan: bad access detected
[   29.719905] 
[   29.719922] Memory state around the buggy address:
[   29.719971]  fff00000c9af0400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.720016]  fff00000c9af0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.720060] >fff00000c9af0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.720099]                                                                 ^
[   29.720151]  fff00000c9af0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.720207]  fff00000c9af0600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.720248] ==================================================================
Metadata Full log Test run details 

[   25.589466] ==================================================================
[   25.590155] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   25.590969] Read of size 1 at addr ffff88810583a778 by task kunit_try_catch/244
[   25.591622] 
[   25.591807] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250710 #1 PREEMPT(voluntary) 
[   25.591859] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.591871] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.591892] Call Trace:
[   25.591905]  <TASK>
[   25.591923]  dump_stack_lvl+0x73/0xb0
[   25.591965]  print_report+0xd1/0x610
[   25.591987]  ? __virt_addr_valid+0x1db/0x2d0
[   25.592013]  ? ksize_uaf+0x5e4/0x6c0
[   25.592033]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.592058]  ? ksize_uaf+0x5e4/0x6c0
[   25.592078]  kasan_report+0x141/0x180
[   25.592099]  ? ksize_uaf+0x5e4/0x6c0
[   25.592124]  __asan_report_load1_noabort+0x18/0x20
[   25.592147]  ksize_uaf+0x5e4/0x6c0
[   25.592167]  ? __pfx_ksize_uaf+0x10/0x10
[   25.592189]  ? __schedule+0x10cc/0x2b60
[   25.592211]  ? __pfx_read_tsc+0x10/0x10
[   25.592235]  ? ktime_get_ts64+0x86/0x230
[   25.592261]  kunit_try_run_case+0x1a5/0x480
[   25.592284]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.592304]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   25.592326]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.592349]  ? __kthread_parkme+0x82/0x180
[   25.592370]  ? preempt_count_sub+0x50/0x80
[   25.592393]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.592414]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.592439]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.592463]  kthread+0x337/0x6f0
[   25.592484]  ? trace_preempt_on+0x20/0xc0
[   25.592570]  ? __pfx_kthread+0x10/0x10
[   25.592591]  ? _raw_spin_unlock_irq+0x47/0x80
[   25.592613]  ? calculate_sigpending+0x7b/0xa0
[   25.592636]  ? __pfx_kthread+0x10/0x10
[   25.592658]  ret_from_fork+0x116/0x1d0
[   25.592677]  ? __pfx_kthread+0x10/0x10
[   25.592709]  ret_from_fork_asm+0x1a/0x30
[   25.592740]  </TASK>
[   25.592752] 
[   25.604410] Allocated by task 244:
[   25.604691]  kasan_save_stack+0x45/0x70
[   25.605035]  kasan_save_track+0x18/0x40
[   25.605375]  kasan_save_alloc_info+0x3b/0x50
[   25.605641]  __kasan_kmalloc+0xb7/0xc0
[   25.605823]  __kmalloc_cache_noprof+0x189/0x420
[   25.606230]  ksize_uaf+0xaa/0x6c0
[   25.606542]  kunit_try_run_case+0x1a5/0x480
[   25.607053]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.607282]  kthread+0x337/0x6f0
[   25.607400]  ret_from_fork+0x116/0x1d0
[   25.607605]  ret_from_fork_asm+0x1a/0x30
[   25.608048] 
[   25.608226] Freed by task 244:
[   25.608502]  kasan_save_stack+0x45/0x70
[   25.608931]  kasan_save_track+0x18/0x40
[   25.609288]  kasan_save_free_info+0x3f/0x60
[   25.609677]  __kasan_slab_free+0x56/0x70
[   25.609909]  kfree+0x222/0x3f0
[   25.610028]  ksize_uaf+0x12c/0x6c0
[   25.610149]  kunit_try_run_case+0x1a5/0x480
[   25.610289]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.610460]  kthread+0x337/0x6f0
[   25.610771]  ret_from_fork+0x116/0x1d0
[   25.611140]  ret_from_fork_asm+0x1a/0x30
[   25.611662] 
[   25.611863] The buggy address belongs to the object at ffff88810583a700
[   25.611863]  which belongs to the cache kmalloc-128 of size 128
[   25.613087] The buggy address is located 120 bytes inside of
[   25.613087]  freed 128-byte region [ffff88810583a700, ffff88810583a780)
[   25.614179] 
[   25.614336] The buggy address belongs to the physical page:
[   25.614978] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10583a
[   25.615338] flags: 0x200000000000000(node=0|zone=2)
[   25.615523] page_type: f5(slab)
[   25.615884] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   25.616549] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.617259] page dumped because: kasan: bad access detected
[   25.617683] 
[   25.617762] Memory state around the buggy address:
[   25.618227]  ffff88810583a600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.618676]  ffff88810583a680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.619090] >ffff88810583a700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.619736]                                                                 ^
[   25.620408]  ffff88810583a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.621160]  ffff88810583a800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.621561] ==================================================================
[   25.556857] ==================================================================
[   25.557888] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   25.558664] Read of size 1 at addr ffff88810583a700 by task kunit_try_catch/244
[   25.559421] 
[   25.559541] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250710 #1 PREEMPT(voluntary) 
[   25.559593] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.559605] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.559629] Call Trace:
[   25.559648]  <TASK>
[   25.559667]  dump_stack_lvl+0x73/0xb0
[   25.559712]  print_report+0xd1/0x610
[   25.559734]  ? __virt_addr_valid+0x1db/0x2d0
[   25.559758]  ? ksize_uaf+0x5fe/0x6c0
[   25.559778]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.559804]  ? ksize_uaf+0x5fe/0x6c0
[   25.559824]  kasan_report+0x141/0x180
[   25.559853]  ? ksize_uaf+0x5fe/0x6c0
[   25.559877]  __asan_report_load1_noabort+0x18/0x20
[   25.559953]  ksize_uaf+0x5fe/0x6c0
[   25.559973]  ? __pfx_ksize_uaf+0x10/0x10
[   25.559995]  ? __schedule+0x10cc/0x2b60
[   25.560018]  ? __pfx_read_tsc+0x10/0x10
[   25.560041]  ? ktime_get_ts64+0x86/0x230
[   25.560069]  kunit_try_run_case+0x1a5/0x480
[   25.560092]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.560111]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   25.560134]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.560157]  ? __kthread_parkme+0x82/0x180
[   25.560177]  ? preempt_count_sub+0x50/0x80
[   25.560200]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.560223]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.560247]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.560272]  kthread+0x337/0x6f0
[   25.560293]  ? trace_preempt_on+0x20/0xc0
[   25.560315]  ? __pfx_kthread+0x10/0x10
[   25.560337]  ? _raw_spin_unlock_irq+0x47/0x80
[   25.560358]  ? calculate_sigpending+0x7b/0xa0
[   25.560382]  ? __pfx_kthread+0x10/0x10
[   25.560403]  ret_from_fork+0x116/0x1d0
[   25.560422]  ? __pfx_kthread+0x10/0x10
[   25.560443]  ret_from_fork_asm+0x1a/0x30
[   25.560473]  </TASK>
[   25.560485] 
[   25.572739] Allocated by task 244:
[   25.573124]  kasan_save_stack+0x45/0x70
[   25.573464]  kasan_save_track+0x18/0x40
[   25.573916]  kasan_save_alloc_info+0x3b/0x50
[   25.574176]  __kasan_kmalloc+0xb7/0xc0
[   25.574305]  __kmalloc_cache_noprof+0x189/0x420
[   25.574458]  ksize_uaf+0xaa/0x6c0
[   25.574861]  kunit_try_run_case+0x1a5/0x480
[   25.575243]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.575806]  kthread+0x337/0x6f0
[   25.576137]  ret_from_fork+0x116/0x1d0
[   25.576484]  ret_from_fork_asm+0x1a/0x30
[   25.576857] 
[   25.576963] Freed by task 244:
[   25.577123]  kasan_save_stack+0x45/0x70
[   25.577260]  kasan_save_track+0x18/0x40
[   25.577390]  kasan_save_free_info+0x3f/0x60
[   25.577554]  __kasan_slab_free+0x56/0x70
[   25.577905]  kfree+0x222/0x3f0
[   25.578246]  ksize_uaf+0x12c/0x6c0
[   25.578596]  kunit_try_run_case+0x1a5/0x480
[   25.579172]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.579902]  kthread+0x337/0x6f0
[   25.580210]  ret_from_fork+0x116/0x1d0
[   25.580540]  ret_from_fork_asm+0x1a/0x30
[   25.580980] 
[   25.581136] The buggy address belongs to the object at ffff88810583a700
[   25.581136]  which belongs to the cache kmalloc-128 of size 128
[   25.581506] The buggy address is located 0 bytes inside of
[   25.581506]  freed 128-byte region [ffff88810583a700, ffff88810583a780)
[   25.582152] 
[   25.582313] The buggy address belongs to the physical page:
[   25.582947] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10583a
[   25.583463] flags: 0x200000000000000(node=0|zone=2)
[   25.583640] page_type: f5(slab)
[   25.583775] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   25.584477] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.585230] page dumped because: kasan: bad access detected
[   25.585555] 
[   25.585622] Memory state around the buggy address:
[   25.585785]  ffff88810583a600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.586409]  ffff88810583a680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.587142] >ffff88810583a700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.587929]                    ^
[   25.588094]  ffff88810583a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.588307]  ffff88810583a800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.588534] ==================================================================
[   25.523063] ==================================================================
[   25.524305] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   25.524640] Read of size 1 at addr ffff88810583a700 by task kunit_try_catch/244
[   25.525438] 
[   25.525684] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250710 #1 PREEMPT(voluntary) 
[   25.525749] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.525761] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.525843] Call Trace:
[   25.525858]  <TASK>
[   25.525878]  dump_stack_lvl+0x73/0xb0
[   25.525945]  print_report+0xd1/0x610
[   25.525971]  ? __virt_addr_valid+0x1db/0x2d0
[   25.525996]  ? ksize_uaf+0x19d/0x6c0
[   25.526016]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.526041]  ? ksize_uaf+0x19d/0x6c0
[   25.526061]  kasan_report+0x141/0x180
[   25.526082]  ? ksize_uaf+0x19d/0x6c0
[   25.526105]  ? ksize_uaf+0x19d/0x6c0
[   25.526125]  __kasan_check_byte+0x3d/0x50
[   25.526146]  ksize+0x20/0x60
[   25.526170]  ksize_uaf+0x19d/0x6c0
[   25.526191]  ? __pfx_ksize_uaf+0x10/0x10
[   25.526211]  ? __schedule+0x10cc/0x2b60
[   25.526234]  ? __pfx_read_tsc+0x10/0x10
[   25.526256]  ? ktime_get_ts64+0x86/0x230
[   25.526282]  kunit_try_run_case+0x1a5/0x480
[   25.526304]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.526324]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   25.526346]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.526368]  ? __kthread_parkme+0x82/0x180
[   25.526389]  ? preempt_count_sub+0x50/0x80
[   25.526412]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.526434]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.526457]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.526482]  kthread+0x337/0x6f0
[   25.526516]  ? trace_preempt_on+0x20/0xc0
[   25.526539]  ? __pfx_kthread+0x10/0x10
[   25.526559]  ? _raw_spin_unlock_irq+0x47/0x80
[   25.526580]  ? calculate_sigpending+0x7b/0xa0
[   25.526604]  ? __pfx_kthread+0x10/0x10
[   25.526625]  ret_from_fork+0x116/0x1d0
[   25.526644]  ? __pfx_kthread+0x10/0x10
[   25.526664]  ret_from_fork_asm+0x1a/0x30
[   25.526694]  </TASK>
[   25.526720] 
[   25.538727] Allocated by task 244:
[   25.539133]  kasan_save_stack+0x45/0x70
[   25.539513]  kasan_save_track+0x18/0x40
[   25.539984]  kasan_save_alloc_info+0x3b/0x50
[   25.540393]  __kasan_kmalloc+0xb7/0xc0
[   25.540826]  __kmalloc_cache_noprof+0x189/0x420
[   25.541117]  ksize_uaf+0xaa/0x6c0
[   25.541238]  kunit_try_run_case+0x1a5/0x480
[   25.541377]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.541688]  kthread+0x337/0x6f0
[   25.542011]  ret_from_fork+0x116/0x1d0
[   25.542478]  ret_from_fork_asm+0x1a/0x30
[   25.542929] 
[   25.543115] Freed by task 244:
[   25.543415]  kasan_save_stack+0x45/0x70
[   25.543859]  kasan_save_track+0x18/0x40
[   25.544234]  kasan_save_free_info+0x3f/0x60
[   25.544416]  __kasan_slab_free+0x56/0x70
[   25.544887]  kfree+0x222/0x3f0
[   25.545201]  ksize_uaf+0x12c/0x6c0
[   25.545387]  kunit_try_run_case+0x1a5/0x480
[   25.545711]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.546335]  kthread+0x337/0x6f0
[   25.546586]  ret_from_fork+0x116/0x1d0
[   25.546818]  ret_from_fork_asm+0x1a/0x30
[   25.547261] 
[   25.547415] The buggy address belongs to the object at ffff88810583a700
[   25.547415]  which belongs to the cache kmalloc-128 of size 128
[   25.548306] The buggy address is located 0 bytes inside of
[   25.548306]  freed 128-byte region [ffff88810583a700, ffff88810583a780)
[   25.549183] 
[   25.549260] The buggy address belongs to the physical page:
[   25.549430] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10583a
[   25.550094] flags: 0x200000000000000(node=0|zone=2)
[   25.550551] page_type: f5(slab)
[   25.550926] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   25.551683] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   25.552105] page dumped because: kasan: bad access detected
[   25.552274] 
[   25.552337] Memory state around the buggy address:
[   25.552487]  ffff88810583a600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.553246]  ffff88810583a680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.553971] >ffff88810583a700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   25.554588]                    ^
[   25.554935]  ffff88810583a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.555468]  ffff88810583a800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.556043] ==================================================================
Metadata Full log Test run details