Date: July 11, 2025, 10:11 a.m.

| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
Environment: e850-96

```
[ 48.697141] ==================================================================
[ 48.706786] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 48.713118] Read of size 1 at addr ffff00080193b000 by task kunit_try_catch/280
[ 48.720408]
[ 48.721896] CPU: 2 UID: 0 PID: 280 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 48.721959] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 48.721976] Hardware name: WinLink E850-96 board (DT)
[ 48.722001] Call trace:
[ 48.722015] show_stack+0x20/0x38 (C)
[ 48.722050] dump_stack_lvl+0x8c/0xd0
[ 48.722085] print_report+0x118/0x5d0
[ 48.722115] kasan_report+0xdc/0x128
[ 48.722143] __kasan_check_byte+0x54/0x70
[ 48.722181] ksize+0x30/0x88
[ 48.722216] ksize_uaf+0x168/0x5f8
[ 48.722249] kunit_try_run_case+0x170/0x3f0
[ 48.722288] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 48.722322] kthread+0x328/0x630
[ 48.722349] ret_from_fork+0x10/0x20
[ 48.722387]
[ 48.787249] Allocated by task 280:
[ 48.790634] kasan_save_stack+0x3c/0x68
[ 48.794454] kasan_save_track+0x20/0x40
[ 48.798272] kasan_save_alloc_info+0x40/0x58
[ 48.802525] __kasan_kmalloc+0xd4/0xd8
[ 48.806257] __kmalloc_cache_noprof+0x16c/0x3c0
[ 48.810771] ksize_uaf+0xb8/0x5f8
[ 48.814070] kunit_try_run_case+0x170/0x3f0
[ 48.818236] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 48.823708] kthread+0x328/0x630
[ 48.826917] ret_from_fork+0x10/0x20
[ 48.830476]
[ 48.831952] Freed by task 280:
[ 48.834990] kasan_save_stack+0x3c/0x68
[ 48.838809] kasan_save_track+0x20/0x40
[ 48.842630] kasan_save_free_info+0x4c/0x78
[ 48.846795] __kasan_slab_free+0x6c/0x98
[ 48.850701] kfree+0x214/0x3c8
[ 48.853740] ksize_uaf+0x11c/0x5f8
[ 48.857125] kunit_try_run_case+0x170/0x3f0
[ 48.861291] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 48.866760] kthread+0x328/0x630
[ 48.869972] ret_from_fork+0x10/0x20
[ 48.873531]
[ 48.875008] The buggy address belongs to the object at ffff00080193b000
[ 48.875008] which belongs to the cache kmalloc-128 of size 128
[ 48.887512] The buggy address is located 0 bytes inside of
[ 48.887512] freed 128-byte region [ffff00080193b000, ffff00080193b080)
[ 48.899573]
[ 48.901051] The buggy address belongs to the physical page:
[ 48.906609] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x88193a
[ 48.914591] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 48.922230] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 48.929174] page_type: f5(slab)
[ 48.932310] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 48.940030] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 48.947756] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 48.955567] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 48.963380] head: 0bfffe0000000001 fffffdffe0064e81 00000000ffffffff 00000000ffffffff
[ 48.971192] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 48.978998] page dumped because: kasan: bad access detected
[ 48.984553]
[ 48.986029] Memory state around the buggy address:
[ 48.990810] ffff00080193af00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.998012] ffff00080193af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.005218] >ffff00080193b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.012418] ^
[ 49.015633] ffff00080193b080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.022838] ffff00080193b100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.030041] ==================================================================
[ 49.037366] ==================================================================
[ 49.044455] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 49.050786] Read of size 1 at addr ffff00080193b000 by task kunit_try_catch/280
[ 49.058077]
[ 49.059559] CPU: 2 UID: 0 PID: 280 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 49.059612] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 49.059627] Hardware name: WinLink E850-96 board (DT)
[ 49.059649] Call trace:
[ 49.059662] show_stack+0x20/0x38 (C)
[ 49.059696] dump_stack_lvl+0x8c/0xd0
[ 49.059729] print_report+0x118/0x5d0
[ 49.059755] kasan_report+0xdc/0x128
[ 49.059782] __asan_report_load1_noabort+0x20/0x30
[ 49.059814] ksize_uaf+0x598/0x5f8
[ 49.059844] kunit_try_run_case+0x170/0x3f0
[ 49.059882] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 49.059914] kthread+0x328/0x630
[ 49.059944] ret_from_fork+0x10/0x20
[ 49.059979]
[ 49.122833] Allocated by task 280:
[ 49.126221] kasan_save_stack+0x3c/0x68
[ 49.130037] kasan_save_track+0x20/0x40
[ 49.133857] kasan_save_alloc_info+0x40/0x58
[ 49.138110] __kasan_kmalloc+0xd4/0xd8
[ 49.141843] __kmalloc_cache_noprof+0x16c/0x3c0
[ 49.146357] ksize_uaf+0xb8/0x5f8
[ 49.149655] kunit_try_run_case+0x170/0x3f0
[ 49.153822] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 49.159292] kthread+0x328/0x630
[ 49.162502] ret_from_fork+0x10/0x20
[ 49.166061]
[ 49.167537] Freed by task 280:
[ 49.170575] kasan_save_stack+0x3c/0x68
[ 49.174394] kasan_save_track+0x20/0x40
[ 49.178213] kasan_save_free_info+0x4c/0x78
[ 49.182381] __kasan_slab_free+0x6c/0x98
[ 49.186287] kfree+0x214/0x3c8
[ 49.189325] ksize_uaf+0x11c/0x5f8
[ 49.192710] kunit_try_run_case+0x170/0x3f0
[ 49.196877] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 49.202345] kthread+0x328/0x630
[ 49.205557] ret_from_fork+0x10/0x20
[ 49.209116]
[ 49.210593] The buggy address belongs to the object at ffff00080193b000
[ 49.210593] which belongs to the cache kmalloc-128 of size 128
[ 49.223092] The buggy address is located 0 bytes inside of
[ 49.223092] freed 128-byte region [ffff00080193b000, ffff00080193b080)
[ 49.235157]
[ 49.236636] The buggy address belongs to the physical page:
[ 49.242193] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x88193a
[ 49.250176] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 49.257815] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 49.264759] page_type: f5(slab)
[ 49.267897] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 49.275615] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 49.283341] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 49.291152] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 49.298966] head: 0bfffe0000000001 fffffdffe0064e81 00000000ffffffff 00000000ffffffff
[ 49.306778] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 49.314583] page dumped because: kasan: bad access detected
[ 49.320139]
[ 49.321614] Memory state around the buggy address:
[ 49.326394] ffff00080193af00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.333597] ffff00080193af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.340803] >ffff00080193b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.348003] ^
[ 49.351219] ffff00080193b080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.358423] ffff00080193b100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.365624] ==================================================================
[ 49.373019] ==================================================================
[ 49.380042] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 49.386371] Read of size 1 at addr ffff00080193b078 by task kunit_try_catch/280
[ 49.393662]
[ 49.395146] CPU: 2 UID: 0 PID: 280 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 49.395196] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 49.395212] Hardware name: WinLink E850-96 board (DT)
[ 49.395234] Call trace:
[ 49.395246] show_stack+0x20/0x38 (C)
[ 49.395282] dump_stack_lvl+0x8c/0xd0
[ 49.395314] print_report+0x118/0x5d0
[ 49.395340] kasan_report+0xdc/0x128
[ 49.395368] __asan_report_load1_noabort+0x20/0x30
[ 49.395399] ksize_uaf+0x544/0x5f8
[ 49.395429] kunit_try_run_case+0x170/0x3f0
[ 49.395465] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 49.395498] kthread+0x328/0x630
[ 49.395528] ret_from_fork+0x10/0x20
[ 49.395563]
[ 49.458418] Allocated by task 280:
[ 49.461807] kasan_save_stack+0x3c/0x68
[ 49.465624] kasan_save_track+0x20/0x40
[ 49.469442] kasan_save_alloc_info+0x40/0x58
[ 49.473695] __kasan_kmalloc+0xd4/0xd8
[ 49.477428] __kmalloc_cache_noprof+0x16c/0x3c0
[ 49.481942] ksize_uaf+0xb8/0x5f8
[ 49.485240] kunit_try_run_case+0x170/0x3f0
[ 49.489407] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 49.494877] kthread+0x328/0x630
[ 49.498088] ret_from_fork+0x10/0x20
[ 49.501647]
[ 49.503122] Freed by task 280:
[ 49.506160] kasan_save_stack+0x3c/0x68
[ 49.509980] kasan_save_track+0x20/0x40
[ 49.513799] kasan_save_free_info+0x4c/0x78
[ 49.517965] __kasan_slab_free+0x6c/0x98
[ 49.521872] kfree+0x214/0x3c8
[ 49.524909] ksize_uaf+0x11c/0x5f8
[ 49.528295] kunit_try_run_case+0x170/0x3f0
[ 49.532462] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 49.537931] kthread+0x328/0x630
[ 49.541142] ret_from_fork+0x10/0x20
[ 49.544701]
[ 49.546178] The buggy address belongs to the object at ffff00080193b000
[ 49.546178] which belongs to the cache kmalloc-128 of size 128
[ 49.558677] The buggy address is located 120 bytes inside of
[ 49.558677] freed 128-byte region [ffff00080193b000, ffff00080193b080)
[ 49.570916]
[ 49.572395] The buggy address belongs to the physical page:
[ 49.577950] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x88193a
[ 49.585935] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 49.593574] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 49.600518] page_type: f5(slab)
[ 49.603654] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 49.611373] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 49.619100] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 49.626911] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 49.634724] head: 0bfffe0000000001 fffffdffe0064e81 00000000ffffffff 00000000ffffffff
[ 49.642536] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 49.650342] page dumped because: kasan: bad access detected
[ 49.655897]
[ 49.657373] Memory state around the buggy address:
[ 49.662153] ffff00080193af00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.669356] ffff00080193af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.676562] >ffff00080193b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.683762] ^
[ 49.690883] ffff00080193b080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.698088] ffff00080193b100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.705289] ==================================================================
```
Environment: qemu-arm64

```
[ 30.719097] ==================================================================
[ 30.719297] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 30.719380] Read of size 1 at addr fff00000c91b3d00 by task kunit_try_catch/227
[ 30.719433]
[ 30.719469] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 30.719667] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.719697] Hardware name: linux,dummy-virt (DT)
[ 30.719730] Call trace:
[ 30.719756] show_stack+0x20/0x38 (C)
[ 30.719822] dump_stack_lvl+0x8c/0xd0
[ 30.719918] print_report+0x118/0x5d0
[ 30.719963] kasan_report+0xdc/0x128
[ 30.720022] __kasan_check_byte+0x54/0x70
[ 30.720073] ksize+0x30/0x88
[ 30.720145] ksize_uaf+0x168/0x5f8
[ 30.720189] kunit_try_run_case+0x170/0x3f0
[ 30.720257] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.721456] kthread+0x328/0x630
[ 30.721512] ret_from_fork+0x10/0x20
[ 30.721564]
[ 30.721582] Allocated by task 227:
[ 30.721611] kasan_save_stack+0x3c/0x68
[ 30.721654] kasan_save_track+0x20/0x40
[ 30.721692] kasan_save_alloc_info+0x40/0x58
[ 30.721730] __kasan_kmalloc+0xd4/0xd8
[ 30.721768] __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.721810] ksize_uaf+0xb8/0x5f8
[ 30.721845] kunit_try_run_case+0x170/0x3f0
[ 30.721884] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.721924] kthread+0x328/0x630
[ 30.721957] ret_from_fork+0x10/0x20
[ 30.721992]
[ 30.722012] Freed by task 227:
[ 30.722039] kasan_save_stack+0x3c/0x68
[ 30.722077] kasan_save_track+0x20/0x40
[ 30.722115] kasan_save_free_info+0x4c/0x78
[ 30.722152] __kasan_slab_free+0x6c/0x98
[ 30.722190] kfree+0x214/0x3c8
[ 30.722225] ksize_uaf+0x11c/0x5f8
[ 30.722260] kunit_try_run_case+0x170/0x3f0
[ 30.722300] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.722396] kthread+0x328/0x630
[ 30.722454] ret_from_fork+0x10/0x20
[ 30.722500]
[ 30.722519] The buggy address belongs to the object at fff00000c91b3d00
[ 30.722519] which belongs to the cache kmalloc-128 of size 128
[ 30.722584] The buggy address is located 0 bytes inside of
[ 30.722584] freed 128-byte region [fff00000c91b3d00, fff00000c91b3d80)
[ 30.722695]
[ 30.722779] The buggy address belongs to the physical page:
[ 30.722858] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1091b3
[ 30.722913] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.722963] page_type: f5(slab)
[ 30.723015] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 30.723073] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 30.723318] page dumped because: kasan: bad access detected
[ 30.723362]
[ 30.723380] Memory state around the buggy address:
[ 30.723425] fff00000c91b3c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.723467] fff00000c91b3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.723520] >fff00000c91b3d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.723557] ^
[ 30.723591] fff00000c91b3d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.723635] fff00000c91b3e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.723674] ==================================================================
[ 30.724610] ==================================================================
[ 30.724666] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 30.724718] Read of size 1 at addr fff00000c91b3d00 by task kunit_try_catch/227
[ 30.724767]
[ 30.724797] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 30.724910] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.724957] Hardware name: linux,dummy-virt (DT)
[ 30.725016] Call trace:
[ 30.725055] show_stack+0x20/0x38 (C)
[ 30.725110] dump_stack_lvl+0x8c/0xd0
[ 30.725158] print_report+0x118/0x5d0
[ 30.725200] kasan_report+0xdc/0x128
[ 30.725243] __asan_report_load1_noabort+0x20/0x30
[ 30.725291] ksize_uaf+0x598/0x5f8
[ 30.725365] kunit_try_run_case+0x170/0x3f0
[ 30.725429] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.725479] kthread+0x328/0x630
[ 30.725604] ret_from_fork+0x10/0x20
[ 30.725731]
[ 30.725789] Allocated by task 227:
[ 30.725831] kasan_save_stack+0x3c/0x68
[ 30.725907] kasan_save_track+0x20/0x40
[ 30.726000] kasan_save_alloc_info+0x40/0x58
[ 30.726055] __kasan_kmalloc+0xd4/0xd8
[ 30.726134] __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.726188] ksize_uaf+0xb8/0x5f8
[ 30.726235] kunit_try_run_case+0x170/0x3f0
[ 30.726365] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.726446] kthread+0x328/0x630
[ 30.726506] ret_from_fork+0x10/0x20
[ 30.726629]
[ 30.726668] Freed by task 227:
[ 30.726694] kasan_save_stack+0x3c/0x68
[ 30.726733] kasan_save_track+0x20/0x40
[ 30.726770] kasan_save_free_info+0x4c/0x78
[ 30.726809] __kasan_slab_free+0x6c/0x98
[ 30.726872] kfree+0x214/0x3c8
[ 30.726907] ksize_uaf+0x11c/0x5f8
[ 30.726943] kunit_try_run_case+0x170/0x3f0
[ 30.726981] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.727027] kthread+0x328/0x630
[ 30.727058] ret_from_fork+0x10/0x20
[ 30.727101]
[ 30.727119] The buggy address belongs to the object at fff00000c91b3d00
[ 30.727119] which belongs to the cache kmalloc-128 of size 128
[ 30.727177] The buggy address is located 0 bytes inside of
[ 30.727177] freed 128-byte region [fff00000c91b3d00, fff00000c91b3d80)
[ 30.727237]
[ 30.727269] The buggy address belongs to the physical page:
[ 30.727348] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1091b3
[ 30.727413] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.727516] page_type: f5(slab)
[ 30.727564] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 30.727660] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 30.727766] page dumped because: kasan: bad access detected
[ 30.727845]
[ 30.727900] Memory state around the buggy address:
[ 30.727989] fff00000c91b3c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.728340] fff00000c91b3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.728385] >fff00000c91b3d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.728557] ^
[ 30.728584] fff00000c91b3d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.728626] fff00000c91b3e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.728747] ==================================================================
[ 30.729997] ==================================================================
[ 30.730053] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 30.730104] Read of size 1 at addr fff00000c91b3d78 by task kunit_try_catch/227
[ 30.730155]
[ 30.730196] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 30.730305] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.730349] Hardware name: linux,dummy-virt (DT)
[ 30.730398] Call trace:
[ 30.730438] show_stack+0x20/0x38 (C)
[ 30.730536] dump_stack_lvl+0x8c/0xd0
[ 30.730602] print_report+0x118/0x5d0
[ 30.730646] kasan_report+0xdc/0x128
[ 30.730724] __asan_report_load1_noabort+0x20/0x30
[ 30.730791] ksize_uaf+0x544/0x5f8
[ 30.730857] kunit_try_run_case+0x170/0x3f0
[ 30.730949] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.731002] kthread+0x328/0x630
[ 30.731079] ret_from_fork+0x10/0x20
[ 30.731129]
[ 30.731180] Allocated by task 227:
[ 30.731227] kasan_save_stack+0x3c/0x68
[ 30.731274] kasan_save_track+0x20/0x40
[ 30.731330] kasan_save_alloc_info+0x40/0x58
[ 30.731408] __kasan_kmalloc+0xd4/0xd8
[ 30.731454] __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.731497] ksize_uaf+0xb8/0x5f8
[ 30.731533] kunit_try_run_case+0x170/0x3f0
[ 30.731591] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.731734] kthread+0x328/0x630
[ 30.731823] ret_from_fork+0x10/0x20
[ 30.731902]
[ 30.731941] Freed by task 227:
[ 30.732006] kasan_save_stack+0x3c/0x68
[ 30.732066] kasan_save_track+0x20/0x40
[ 30.732118] kasan_save_free_info+0x4c/0x78
[ 30.732157] __kasan_slab_free+0x6c/0x98
[ 30.732195] kfree+0x214/0x3c8
[ 30.732239] ksize_uaf+0x11c/0x5f8
[ 30.732274] kunit_try_run_case+0x170/0x3f0
[ 30.732314] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.732366] kthread+0x328/0x630
[ 30.732398] ret_from_fork+0x10/0x20
[ 30.732434]
[ 30.732452] The buggy address belongs to the object at fff00000c91b3d00
[ 30.732452] which belongs to the cache kmalloc-128 of size 128
[ 30.732509] The buggy address is located 120 bytes inside of
[ 30.732509] freed 128-byte region [fff00000c91b3d00, fff00000c91b3d80)
[ 30.732570]
[ 30.732589] The buggy address belongs to the physical page:
[ 30.732629] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1091b3
[ 30.732680] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.732740] page_type: f5(slab)
[ 30.732779] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 30.732829] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 30.732867] page dumped because: kasan: bad access detected
[ 30.732908]
[ 30.732926] Memory state around the buggy address:
[ 30.732957] fff00000c91b3c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.733000] fff00000c91b3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.733042] >fff00000c91b3d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.733087] ^
[ 30.733128] fff00000c91b3d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.733169] fff00000c91b3e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.733207] ==================================================================
```
Environment: qemu-x86_64

```
[ 24.222017] ==================================================================
[ 24.223311] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 24.223762] Read of size 1 at addr ffff888104cac400 by task kunit_try_catch/246
[ 24.225144]
[ 24.225664] CPU: 0 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary)
[ 24.225940] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.225957] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.225980] Call Trace:
[ 24.225994] <TASK>
[ 24.226014] dump_stack_lvl+0x73/0xb0
[ 24.226051] print_report+0xd1/0x610
[ 24.226076] ? __virt_addr_valid+0x1db/0x2d0
[ 24.226103] ? ksize_uaf+0x19d/0x6c0
[ 24.226124] ? kasan_complete_mode_report_info+0x64/0x200
[ 24.226149] ? ksize_uaf+0x19d/0x6c0
[ 24.226170] kasan_report+0x141/0x180
[ 24.226191] ? ksize_uaf+0x19d/0x6c0
[ 24.226213] ? ksize_uaf+0x19d/0x6c0
[ 24.226233] __kasan_check_byte+0x3d/0x50
[ 24.226254] ksize+0x20/0x60
[ 24.226292] ksize_uaf+0x19d/0x6c0
[ 24.226312] ? __pfx_ksize_uaf+0x10/0x10
[ 24.226335] ? __pfx_ksize_uaf+0x10/0x10
[ 24.226359] kunit_try_run_case+0x1a5/0x480
[ 24.226381] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.226401] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 24.226433] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.226458] ? __kthread_parkme+0x82/0x180
[ 24.226480] ? preempt_count_sub+0x50/0x80
[ 24.226503] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.226525] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.226550] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.226575] kthread+0x337/0x6f0
[ 24.226595] ? trace_preempt_on+0x20/0xc0
[ 24.226618] ? __pfx_kthread+0x10/0x10
[ 24.226639] ? _raw_spin_unlock_irq+0x47/0x80
[ 24.226660] ? calculate_sigpending+0x7b/0xa0
[ 24.226685] ? __pfx_kthread+0x10/0x10
[ 24.226707] ret_from_fork+0x116/0x1d0
[ 24.226727] ? __pfx_kthread+0x10/0x10
[ 24.226757] ret_from_fork_asm+0x1a/0x30
[ 24.226788] </TASK>
[ 24.226800]
[ 24.237522] Allocated by task 246:
[ 24.237691] kasan_save_stack+0x45/0x70
[ 24.237886] kasan_save_track+0x18/0x40
[ 24.238053] kasan_save_alloc_info+0x3b/0x50
[ 24.238239] __kasan_kmalloc+0xb7/0xc0
[ 24.238827] __kmalloc_cache_noprof+0x189/0x420
[ 24.239256] ksize_uaf+0xaa/0x6c0
[ 24.239554] kunit_try_run_case+0x1a5/0x480
[ 24.239754] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.239979] kthread+0x337/0x6f0
[ 24.240130] ret_from_fork+0x116/0x1d0
[ 24.240344] ret_from_fork_asm+0x1a/0x30
[ 24.240535]
[ 24.240619] Freed by task 246:
[ 24.240768] kasan_save_stack+0x45/0x70
[ 24.240935] kasan_save_track+0x18/0x40
[ 24.241103] kasan_save_free_info+0x3f/0x60
[ 24.241431] __kasan_slab_free+0x56/0x70
[ 24.241627] kfree+0x222/0x3f0
[ 24.241782] ksize_uaf+0x12c/0x6c0
[ 24.241935] kunit_try_run_case+0x1a5/0x480
[ 24.242111] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.242402] kthread+0x337/0x6f0
[ 24.242553] ret_from_fork+0x116/0x1d0
[ 24.242713] ret_from_fork_asm+0x1a/0x30
[ 24.242857]
[ 24.242923] The buggy address belongs to the object at ffff888104cac400
[ 24.242923] which belongs to the cache kmalloc-128 of size 128
[ 24.243275] The buggy address is located 0 bytes inside of
[ 24.243275] freed 128-byte region [ffff888104cac400, ffff888104cac480)
[ 24.243608]
[ 24.243680] The buggy address belongs to the physical page:
[ 24.244041] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104cac
[ 24.244551] flags: 0x200000000000000(node=0|zone=2)
[ 24.244793] page_type: f5(slab)
[ 24.244960] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 24.245278] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 24.245865] page dumped because: kasan: bad access detected
[ 24.246066]
[ 24.246132] Memory state around the buggy address:
[ 24.246282] ffff888104cac300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.246489] ffff888104cac380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.246694] >ffff888104cac400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.246909] ^
[ 24.247265] ffff888104cac480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.247644] ffff888104cac500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.248210] ==================================================================
[ 24.280914] ==================================================================
[ 24.281238] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 24.281765] Read of size 1 at addr ffff888104cac478 by task kunit_try_catch/246
[ 24.282069]
[ 24.282175] CPU: 0 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary)
[ 24.282226] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.282238] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.282259] Call Trace:
[ 24.282613] <TASK>
[ 24.282635] dump_stack_lvl+0x73/0xb0
[ 24.282670] print_report+0xd1/0x610
[ 24.282701] ? __virt_addr_valid+0x1db/0x2d0
[ 24.282724] ? ksize_uaf+0x5e4/0x6c0
[ 24.282754] ? kasan_complete_mode_report_info+0x64/0x200
[ 24.282779] ? ksize_uaf+0x5e4/0x6c0
[ 24.282799] kasan_report+0x141/0x180
[ 24.282820] ? ksize_uaf+0x5e4/0x6c0
[ 24.282845] __asan_report_load1_noabort+0x18/0x20
[ 24.282868] ksize_uaf+0x5e4/0x6c0
[ 24.282888] ? __pfx_ksize_uaf+0x10/0x10
[ 24.282912] ? __pfx_ksize_uaf+0x10/0x10
[ 24.282936] kunit_try_run_case+0x1a5/0x480
[ 24.282957] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.282979] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 24.283003] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.283025] ? __kthread_parkme+0x82/0x180
[ 24.283046] ? preempt_count_sub+0x50/0x80
[ 24.283070] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.283091] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.283116] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.283140] kthread+0x337/0x6f0
[ 24.283160] ? trace_preempt_on+0x20/0xc0
[ 24.283183] ? __pfx_kthread+0x10/0x10
[ 24.283203] ? _raw_spin_unlock_irq+0x47/0x80
[ 24.283224] ? calculate_sigpending+0x7b/0xa0
[ 24.283248] ? __pfx_kthread+0x10/0x10
[ 24.283339] ret_from_fork+0x116/0x1d0
[ 24.283362] ? __pfx_kthread+0x10/0x10
[ 24.283382] ret_from_fork_asm+0x1a/0x30
[ 24.283413] </TASK>
[ 24.283424]
[ 24.291937] Allocated by task 246:
[ 24.292345] kasan_save_stack+0x45/0x70
[ 24.292649] kasan_save_track+0x18/0x40
[ 24.292988] kasan_save_alloc_info+0x3b/0x50
[ 24.293397] __kasan_kmalloc+0xb7/0xc0
[ 24.293704] __kmalloc_cache_noprof+0x189/0x420
[ 24.293925] ksize_uaf+0xaa/0x6c0
[ 24.294086] kunit_try_run_case+0x1a5/0x480
[ 24.294508] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.294792] kthread+0x337/0x6f0
[ 24.295049] ret_from_fork+0x116/0x1d0
[ 24.295456] ret_from_fork_asm+0x1a/0x30
[ 24.295826]
[ 24.295927] Freed by task 246:
[ 24.296065] kasan_save_stack+0x45/0x70
[ 24.296239] kasan_save_track+0x18/0x40
[ 24.296619] kasan_save_free_info+0x3f/0x60
[ 24.297019] __kasan_slab_free+0x56/0x70
[ 24.297206] kfree+0x222/0x3f0
[ 24.297517] ksize_uaf+0x12c/0x6c0
[ 24.297802] kunit_try_run_case+0x1a5/0x480
[ 24.298008] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.298237] kthread+0x337/0x6f0
[ 24.298665] ret_from_fork+0x116/0x1d0
[ 24.298969] ret_from_fork_asm+0x1a/0x30
[ 24.299258]
[ 24.299372] The buggy address belongs to the object at ffff888104cac400
[ 24.299372] which belongs to the cache kmalloc-128 of size 128
[ 24.300086] The buggy address is located 120 bytes inside of
[ 24.300086] freed 128-byte region [ffff888104cac400, ffff888104cac480)
[ 24.301260]
[ 24.301538] The buggy address belongs to the physical page:
[ 24.301950] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104cac
[ 24.302637] flags: 0x200000000000000(node=0|zone=2)
[ 24.302874] page_type: f5(slab)
[ 24.303026] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 24.303592] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 24.304088] page dumped because: kasan: bad access detected
[ 24.304543]
[ 24.304637] Memory state around the buggy address:
[ 24.304854] ffff888104cac300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.305144] ffff888104cac380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.306013] >ffff888104cac400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.306573] ^
[ 24.306968] ffff888104cac480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.307259] ffff888104cac500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.307981] ==================================================================
[ 24.250056] ==================================================================
[ 24.250986] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 24.251265] Read of size 1 at addr ffff888104cac400 by task kunit_try_catch/246
[ 24.251817]
[ 24.252086] CPU: 0 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary)
[ 24.252140] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.252152] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.252173] Call Trace:
[ 24.252191] <TASK>
[ 24.252208] dump_stack_lvl+0x73/0xb0
[ 24.252240] print_report+0xd1/0x610
[ 24.252261] ? __virt_addr_valid+0x1db/0x2d0
[ 24.252285] ? ksize_uaf+0x5fe/0x6c0
[ 24.252305] ? kasan_complete_mode_report_info+0x64/0x200
[ 24.252335] ? ksize_uaf+0x5fe/0x6c0
[ 24.252368] kasan_report+0x141/0x180
[ 24.252390] ? ksize_uaf+0x5fe/0x6c0
[ 24.252584] __asan_report_load1_noabort+0x18/0x20
[ 24.252614] ksize_uaf+0x5fe/0x6c0
[ 24.252635] ? __pfx_ksize_uaf+0x10/0x10
[ 24.252658] ? __pfx_ksize_uaf+0x10/0x10
[ 24.252682] kunit_try_run_case+0x1a5/0x480
[ 24.252704] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.252724] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 24.252772] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.252808] ? __kthread_parkme+0x82/0x180
[ 24.252841] ? preempt_count_sub+0x50/0x80
[ 24.252864] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.252886] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.252910] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.252934] kthread+0x337/0x6f0
[ 24.252954] ? trace_preempt_on+0x20/0xc0
[ 24.252977] ? __pfx_kthread+0x10/0x10
[ 24.252998] ? _raw_spin_unlock_irq+0x47/0x80
[ 24.253019] ? calculate_sigpending+0x7b/0xa0
[ 24.253044] ? __pfx_kthread+0x10/0x10
[ 24.253067] ret_from_fork+0x116/0x1d0
[ 24.253086] ? __pfx_kthread+0x10/0x10
[ 24.253107] ret_from_fork_asm+0x1a/0x30
[ 24.253137] </TASK>
[ 24.253148]
[ 24.263246] Allocated by task 246:
[ 24.263414] kasan_save_stack+0x45/0x70
[ 24.263604] kasan_save_track+0x18/0x40
[ 24.264168] kasan_save_alloc_info+0x3b/0x50
[ 24.264380] __kasan_kmalloc+0xb7/0xc0
[ 24.264717] __kmalloc_cache_noprof+0x189/0x420
[ 24.265330] ksize_uaf+0xaa/0x6c0
[ 24.265844] kunit_try_run_case+0x1a5/0x480
[ 24.266057] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.266297] kthread+0x337/0x6f0
[ 24.266697] ret_from_fork+0x116/0x1d0
[ 24.266938] ret_from_fork_asm+0x1a/0x30
[ 24.267291]
[ 24.267547] Freed by task 246:
[ 24.267843] kasan_save_stack+0x45/0x70
[ 24.268031] kasan_save_track+0x18/0x40
[ 24.268204] kasan_save_free_info+0x3f/0x60
[ 24.268723] __kasan_slab_free+0x56/0x70
[ 24.269040] kfree+0x222/0x3f0
[ 24.269549] ksize_uaf+0x12c/0x6c0
[ 24.269923] kunit_try_run_case+0x1a5/0x480
[ 24.270111] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.270535] kthread+0x337/0x6f0
[ 24.270863] ret_from_fork+0x116/0x1d0
[ 24.271039] ret_from_fork_asm+0x1a/0x30
[ 24.271214]
[ 24.271549] The buggy address belongs to the object at ffff888104cac400
[ 24.271549] which belongs to the cache kmalloc-128 of size 128
[ 24.272308] The buggy address is located 0 bytes inside of
[ 24.272308] freed 128-byte region [ffff888104cac400, ffff888104cac480)
[ 24.273118]
[ 24.273215] The buggy address belongs to the physical page:
[ 24.273862] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104cac
[ 24.274200] flags: 0x200000000000000(node=0|zone=2)
[ 24.274809] page_type: f5(slab)
[ 24.275100] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 24.275816] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 24.276251] page dumped because: kasan: bad access detected
[ 24.276682]
[ 24.276784] Memory state around the buggy address:
[ 24.276984] ffff888104cac300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.277267] ffff888104cac380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.278377] >ffff888104cac400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.278684] ^
[ 24.278849] ffff888104cac480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.279143] ffff888104cac500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.279931] ==================================================================
```