Date
July 14, 2025, 10:38 a.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 |
[ 47.348264] ================================================================== [ 47.358054] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 47.364387] Read of size 1 at addr ffff0008074f9100 by task kunit_try_catch/280 [ 47.371678] [ 47.373164] CPU: 2 UID: 0 PID: 280 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT [ 47.373218] Tainted: [B]=BAD_PAGE, [N]=TEST [ 47.373235] Hardware name: WinLink E850-96 board (DT) [ 47.373256] Call trace: [ 47.373269] show_stack+0x20/0x38 (C) [ 47.373304] dump_stack_lvl+0x8c/0xd0 [ 47.373340] print_report+0x118/0x5d0 [ 47.373367] kasan_report+0xdc/0x128 [ 47.373392] __kasan_check_byte+0x54/0x70 [ 47.373420] ksize+0x30/0x88 [ 47.373452] ksize_uaf+0x168/0x5f8 [ 47.373481] kunit_try_run_case+0x170/0x3f0 [ 47.373518] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 47.373551] kthread+0x328/0x630 [ 47.373582] ret_from_fork+0x10/0x20 [ 47.373614] [ 47.438518] Allocated by task 280: [ 47.441907] kasan_save_stack+0x3c/0x68 [ 47.445722] kasan_save_track+0x20/0x40 [ 47.449542] kasan_save_alloc_info+0x40/0x58 [ 47.453795] __kasan_kmalloc+0xd4/0xd8 [ 47.457528] __kmalloc_cache_noprof+0x16c/0x3c0 [ 47.462041] ksize_uaf+0xb8/0x5f8 [ 47.465340] kunit_try_run_case+0x170/0x3f0 [ 47.469506] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 47.474977] kthread+0x328/0x630 [ 47.478187] ret_from_fork+0x10/0x20 [ 47.481746] [ 47.483221] Freed by task 280: [ 47.486260] kasan_save_stack+0x3c/0x68 [ 47.490079] kasan_save_track+0x20/0x40 [ 47.493900] kasan_save_free_info+0x4c/0x78 [ 47.498065] __kasan_slab_free+0x6c/0x98 [ 47.501972] kfree+0x214/0x3c8 [ 47.505010] ksize_uaf+0x11c/0x5f8 [ 47.508395] kunit_try_run_case+0x170/0x3f0 [ 47.512562] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 47.518030] kthread+0x328/0x630 [ 47.521242] ret_from_fork+0x10/0x20 [ 47.524801] [ 47.526278] The buggy address belongs to the object at ffff0008074f9100 [ 47.526278] which belongs to the cache kmalloc-128 of size 128 [ 47.538780] The buggy address is located 0 bytes inside of [ 47.538780] freed 128-byte region [ffff0008074f9100, ffff0008074f9180) [ 47.550842] [ 47.552320] The buggy address belongs to the physical page: [ 47.557878] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8874f8 [ 47.565861] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 47.573500] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 47.580444] page_type: f5(slab) [ 47.583581] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 47.591300] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 47.599026] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 47.606838] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 47.614651] head: 0bfffe0000000001 fffffdffe01d3e01 00000000ffffffff 00000000ffffffff [ 47.622463] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 47.630269] page dumped because: kasan: bad access detected [ 47.635824] [ 47.637301] Memory state around the buggy address: [ 47.642080] ffff0008074f9000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 47.649282] ffff0008074f9080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 47.656488] >ffff0008074f9100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 47.663687] ^ [ 47.666903] ffff0008074f9180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 47.674109] ffff0008074f9200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 47.681312] ================================================================== [ 48.024250] ================================================================== [ 48.031313] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 48.037641] Read of size 1 at addr ffff0008074f9178 by task kunit_try_catch/280 [ 48.044932] [ 48.046417] CPU: 2 UID: 0 PID: 280 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT [ 48.046470] Tainted: [B]=BAD_PAGE, [N]=TEST [ 48.046486] Hardware name: WinLink E850-96 board (DT) [ 48.046506] Call trace: [ 48.046520] show_stack+0x20/0x38 (C) [ 48.046555] dump_stack_lvl+0x8c/0xd0 [ 48.046588] print_report+0x118/0x5d0 [ 48.046616] kasan_report+0xdc/0x128 [ 48.046642] __asan_report_load1_noabort+0x20/0x30 [ 48.046674] ksize_uaf+0x544/0x5f8 [ 48.046708] kunit_try_run_case+0x170/0x3f0 [ 48.046743] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.046776] kthread+0x328/0x630 [ 48.046805] ret_from_fork+0x10/0x20 [ 48.046839] [ 48.109688] Allocated by task 280: [ 48.113075] kasan_save_stack+0x3c/0x68 [ 48.116893] kasan_save_track+0x20/0x40 [ 48.120712] kasan_save_alloc_info+0x40/0x58 [ 48.124966] __kasan_kmalloc+0xd4/0xd8 [ 48.128698] __kmalloc_cache_noprof+0x16c/0x3c0 [ 48.133212] ksize_uaf+0xb8/0x5f8 [ 48.136512] kunit_try_run_case+0x170/0x3f0 [ 48.140677] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.146146] kthread+0x328/0x630 [ 48.149357] ret_from_fork+0x10/0x20 [ 48.152916] [ 48.154392] Freed by task 280: [ 48.157431] kasan_save_stack+0x3c/0x68 [ 48.161250] kasan_save_track+0x20/0x40 [ 48.165069] kasan_save_free_info+0x4c/0x78 [ 48.169236] __kasan_slab_free+0x6c/0x98 [ 48.173142] kfree+0x214/0x3c8 [ 48.176180] ksize_uaf+0x11c/0x5f8 [ 48.179566] kunit_try_run_case+0x170/0x3f0 [ 48.183732] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.189201] kthread+0x328/0x630 [ 48.192412] ret_from_fork+0x10/0x20 [ 48.195972] [ 48.197447] The buggy address belongs to the object at ffff0008074f9100 [ 48.197447] which belongs to the cache kmalloc-128 of size 128 [ 48.209950] The buggy address is located 120 bytes inside of [ 48.209950] freed 128-byte region [ffff0008074f9100, ffff0008074f9180) [ 48.222186] [ 48.223664] The buggy address belongs to the physical page: [ 48.229222] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8874f8 [ 48.237204] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 48.244844] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 48.251786] page_type: f5(slab) [ 48.254924] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 48.262643] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 48.270370] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 48.278181] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 48.285994] head: 0bfffe0000000001 fffffdffe01d3e01 00000000ffffffff 00000000ffffffff [ 48.293807] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 48.301613] page dumped because: kasan: bad access detected [ 48.307168] [ 48.308643] Memory state around the buggy address: [ 48.313423] ffff0008074f9000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 48.320626] ffff0008074f9080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 48.327833] >ffff0008074f9100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 48.335032] ^ [ 48.342153] ffff0008074f9180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 48.349359] ffff0008074f9200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 48.356559] ================================================================== [ 47.688890] ================================================================== [ 47.695725] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 47.702055] Read of size 1 at addr ffff0008074f9100 by task kunit_try_catch/280 [ 47.709347] [ 47.710833] CPU: 2 UID: 0 PID: 280 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT [ 47.710886] Tainted: [B]=BAD_PAGE, [N]=TEST [ 47.710904] Hardware name: WinLink E850-96 board (DT) [ 47.710923] Call trace: [ 47.710938] show_stack+0x20/0x38 (C) [ 47.710973] dump_stack_lvl+0x8c/0xd0 [ 47.711007] print_report+0x118/0x5d0 [ 47.711035] kasan_report+0xdc/0x128 [ 47.711063] __asan_report_load1_noabort+0x20/0x30 [ 47.711096] ksize_uaf+0x598/0x5f8 [ 47.711125] kunit_try_run_case+0x170/0x3f0 [ 47.711159] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 47.711192] kthread+0x328/0x630 [ 47.711222] ret_from_fork+0x10/0x20 [ 47.711257] [ 47.774102] Allocated by task 280: [ 47.777490] kasan_save_stack+0x3c/0x68 [ 47.781307] kasan_save_track+0x20/0x40 [ 47.785127] kasan_save_alloc_info+0x40/0x58 [ 47.789380] __kasan_kmalloc+0xd4/0xd8 [ 47.793113] __kmalloc_cache_noprof+0x16c/0x3c0 [ 47.797626] ksize_uaf+0xb8/0x5f8 [ 47.800925] kunit_try_run_case+0x170/0x3f0 [ 47.805092] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 47.810562] kthread+0x328/0x630 [ 47.813772] ret_from_fork+0x10/0x20 [ 47.817331] [ 47.818807] Freed by task 280: [ 47.821845] kasan_save_stack+0x3c/0x68 [ 47.825665] kasan_save_track+0x20/0x40 [ 47.829484] kasan_save_free_info+0x4c/0x78 [ 47.833649] __kasan_slab_free+0x6c/0x98 [ 47.837557] kfree+0x214/0x3c8 [ 47.840595] ksize_uaf+0x11c/0x5f8 [ 47.843980] kunit_try_run_case+0x170/0x3f0 [ 47.848147] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 47.853615] kthread+0x328/0x630 [ 47.856829] ret_from_fork+0x10/0x20 [ 47.860386] [ 47.861863] The buggy address belongs to the object at ffff0008074f9100 [ 47.861863] which belongs to the cache kmalloc-128 of size 128 [ 47.874366] The buggy address is located 0 bytes inside of [ 47.874366] freed 128-byte region [ffff0008074f9100, ffff0008074f9180) [ 47.886427] [ 47.887906] The buggy address belongs to the physical page: [ 47.893463] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8874f8 [ 47.901445] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 47.909085] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 47.916028] page_type: f5(slab) [ 47.919166] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 47.926885] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 47.934611] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 47.942423] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 47.950236] head: 0bfffe0000000001 fffffdffe01d3e01 00000000ffffffff 00000000ffffffff [ 47.958048] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 47.965853] page dumped because: kasan: bad access detected [ 47.971409] [ 47.972884] Memory state around the buggy address: [ 47.977664] ffff0008074f9000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 47.984867] ffff0008074f9080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 47.992073] >ffff0008074f9100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 47.999273] ^ [ 48.002488] ffff0008074f9180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 48.009694] ffff0008074f9200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 48.016894] ==================================================================
[ 29.864269] ================================================================== [ 29.864325] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 29.864420] Read of size 1 at addr fff00000c636af78 by task kunit_try_catch/227 [ 29.864473] [ 29.864506] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT [ 29.864590] Tainted: [B]=BAD_PAGE, [N]=TEST [ 29.864617] Hardware name: linux,dummy-virt (DT) [ 29.864648] Call trace: [ 29.864669] show_stack+0x20/0x38 (C) [ 29.864971] dump_stack_lvl+0x8c/0xd0 [ 29.865076] print_report+0x118/0x5d0 [ 29.865621] kasan_report+0xdc/0x128 [ 29.865746] __asan_report_load1_noabort+0x20/0x30 [ 29.865847] ksize_uaf+0x544/0x5f8 [ 29.865890] kunit_try_run_case+0x170/0x3f0 [ 29.865938] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.866204] kthread+0x328/0x630 [ 29.866396] ret_from_fork+0x10/0x20 [ 29.866463] [ 29.866483] Allocated by task 227: [ 29.866592] kasan_save_stack+0x3c/0x68 [ 29.866654] kasan_save_track+0x20/0x40 [ 29.867068] kasan_save_alloc_info+0x40/0x58 [ 29.867236] __kasan_kmalloc+0xd4/0xd8 [ 29.867277] __kmalloc_cache_noprof+0x16c/0x3c0 [ 29.867320] ksize_uaf+0xb8/0x5f8 [ 29.867394] kunit_try_run_case+0x170/0x3f0 [ 29.867451] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.867557] kthread+0x328/0x630 [ 29.867590] ret_from_fork+0x10/0x20 [ 29.867627] [ 29.867646] Freed by task 227: [ 29.867674] kasan_save_stack+0x3c/0x68 [ 29.867713] kasan_save_track+0x20/0x40 [ 29.867887] kasan_save_free_info+0x4c/0x78 [ 29.867937] __kasan_slab_free+0x6c/0x98 [ 29.867979] kfree+0x214/0x3c8 [ 29.868013] ksize_uaf+0x11c/0x5f8 [ 29.868059] kunit_try_run_case+0x170/0x3f0 [ 29.868098] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.868140] kthread+0x328/0x630 [ 29.868179] ret_from_fork+0x10/0x20 [ 29.868680] [ 29.868704] The buggy address belongs to the object at fff00000c636af00 [ 29.868704] which belongs to the cache kmalloc-128 of size 128 [ 29.868834] The buggy address is located 120 bytes inside of [ 29.868834] freed 128-byte region [fff00000c636af00, fff00000c636af80) [ 29.869111] [ 29.869198] The buggy address belongs to the physical page: [ 29.869236] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10636a [ 29.869380] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 29.869466] page_type: f5(slab) [ 29.869546] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 29.869650] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 29.869744] page dumped because: kasan: bad access detected [ 29.869862] [ 29.869927] Memory state around the buggy address: [ 29.869968] fff00000c636ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.870069] fff00000c636ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.870111] >fff00000c636af00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.870148] ^ [ 29.870349] fff00000c636af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.870549] fff00000c636b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.870652] ================================================================== [ 29.847653] ================================================================== [ 29.847730] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 29.848058] Read of size 1 at addr fff00000c636af00 by task kunit_try_catch/227 [ 29.848126] [ 29.848749] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT [ 29.848849] Tainted: [B]=BAD_PAGE, [N]=TEST [ 29.848948] Hardware name: linux,dummy-virt (DT) [ 29.848985] Call trace: [ 29.849254] show_stack+0x20/0x38 (C) [ 29.849460] dump_stack_lvl+0x8c/0xd0 [ 29.849522] print_report+0x118/0x5d0 [ 29.849566] kasan_report+0xdc/0x128 [ 29.849624] __kasan_check_byte+0x54/0x70 [ 29.849670] ksize+0x30/0x88 [ 29.850134] ksize_uaf+0x168/0x5f8 [ 29.850298] kunit_try_run_case+0x170/0x3f0 [ 29.850348] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.850399] kthread+0x328/0x630 [ 29.850443] ret_from_fork+0x10/0x20 [ 29.850502] [ 29.850521] Allocated by task 227: [ 29.850552] kasan_save_stack+0x3c/0x68 [ 29.850836] kasan_save_track+0x20/0x40 [ 29.851307] kasan_save_alloc_info+0x40/0x58 [ 29.851483] __kasan_kmalloc+0xd4/0xd8 [ 29.851524] __kmalloc_cache_noprof+0x16c/0x3c0 [ 29.851605] ksize_uaf+0xb8/0x5f8 [ 29.851774] kunit_try_run_case+0x170/0x3f0 [ 29.851866] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.851982] kthread+0x328/0x630 [ 29.852018] ret_from_fork+0x10/0x20 [ 29.852065] [ 29.852084] Freed by task 227: [ 29.852112] kasan_save_stack+0x3c/0x68 [ 29.852150] kasan_save_track+0x20/0x40 [ 29.852383] kasan_save_free_info+0x4c/0x78 [ 29.852423] __kasan_slab_free+0x6c/0x98 [ 29.852722] kfree+0x214/0x3c8 [ 29.852807] ksize_uaf+0x11c/0x5f8 [ 29.852871] kunit_try_run_case+0x170/0x3f0 [ 29.852913] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.852996] kthread+0x328/0x630 [ 29.853035] ret_from_fork+0x10/0x20 [ 29.853194] [ 29.853217] The buggy address belongs to the object at fff00000c636af00 [ 29.853217] which belongs to the cache kmalloc-128 of size 128 [ 29.853300] The buggy address is located 0 bytes inside of [ 29.853300] freed 128-byte region [fff00000c636af00, fff00000c636af80) [ 29.853694] [ 29.853723] The buggy address belongs to the physical page: [ 29.853813] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10636a [ 29.853944] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 29.854079] page_type: f5(slab) [ 29.854125] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 29.854215] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 29.854256] page dumped because: kasan: bad access detected [ 29.854287] [ 29.854307] Memory state around the buggy address: [ 29.854499] fff00000c636ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.854690] fff00000c636ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.854735] >fff00000c636af00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.854930] ^ [ 29.855079] fff00000c636af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.855179] fff00000c636b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.855218] ================================================================== [ 29.856553] ================================================================== [ 29.856612] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 29.856668] Read of size 1 at addr fff00000c636af00 by task kunit_try_catch/227 [ 29.856822] [ 29.856859] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT [ 29.856951] Tainted: [B]=BAD_PAGE, [N]=TEST [ 29.857090] Hardware name: linux,dummy-virt (DT) [ 29.857190] Call trace: [ 29.857212] show_stack+0x20/0x38 (C) [ 29.857438] dump_stack_lvl+0x8c/0xd0 [ 29.857485] print_report+0x118/0x5d0 [ 29.857529] kasan_report+0xdc/0x128 [ 29.857577] __asan_report_load1_noabort+0x20/0x30 [ 29.857801] ksize_uaf+0x598/0x5f8 [ 29.857851] kunit_try_run_case+0x170/0x3f0 [ 29.857988] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.858036] kthread+0x328/0x630 [ 29.858087] ret_from_fork+0x10/0x20 [ 29.858135] [ 29.858152] Allocated by task 227: [ 29.858222] kasan_save_stack+0x3c/0x68 [ 29.858265] kasan_save_track+0x20/0x40 [ 29.858462] kasan_save_alloc_info+0x40/0x58 [ 29.858780] __kasan_kmalloc+0xd4/0xd8 [ 29.858961] __kmalloc_cache_noprof+0x16c/0x3c0 [ 29.859200] ksize_uaf+0xb8/0x5f8 [ 29.859323] kunit_try_run_case+0x170/0x3f0 [ 29.859417] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.859459] kthread+0x328/0x630 [ 29.859493] ret_from_fork+0x10/0x20 [ 29.859530] [ 29.859551] Freed by task 227: [ 29.859578] kasan_save_stack+0x3c/0x68 [ 29.859688] kasan_save_track+0x20/0x40 [ 29.859736] kasan_save_free_info+0x4c/0x78 [ 29.859813] __kasan_slab_free+0x6c/0x98 [ 29.859850] kfree+0x214/0x3c8 [ 29.859885] ksize_uaf+0x11c/0x5f8 [ 29.860336] kunit_try_run_case+0x170/0x3f0 [ 29.860379] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.860422] kthread+0x328/0x630 [ 29.860457] ret_from_fork+0x10/0x20 [ 29.860494] [ 29.860516] The buggy address belongs to the object at fff00000c636af00 [ 29.860516] which belongs to the cache kmalloc-128 of size 128 [ 29.860602] The buggy address is located 0 bytes inside of [ 29.860602] freed 128-byte region [fff00000c636af00, fff00000c636af80) [ 29.860904] [ 29.860952] The buggy address belongs to the physical page: [ 29.860993] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10636a [ 29.861067] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 29.861117] page_type: f5(slab) [ 29.861554] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 29.861655] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 29.861695] page dumped because: kasan: bad access detected [ 29.861725] [ 29.861745] Memory state around the buggy address: [ 29.861788] fff00000c636ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.861830] fff00000c636ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.862023] >fff00000c636af00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.862461] ^ [ 29.862541] fff00000c636af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.862607] fff00000c636b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.862645] ==================================================================
[ 24.811431] ================================================================== [ 24.811684] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 24.812042] Read of size 1 at addr ffff888105919378 by task kunit_try_catch/245 [ 24.812738] [ 24.812922] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc6-next-20250714 #1 PREEMPT(voluntary) [ 24.812988] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 24.813002] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.813024] Call Trace: [ 24.813043] <TASK> [ 24.813062] dump_stack_lvl+0x73/0xb0 [ 24.813095] print_report+0xd1/0x610 [ 24.813273] ? __virt_addr_valid+0x1db/0x2d0 [ 24.813298] ? ksize_uaf+0x5e4/0x6c0 [ 24.813317] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.813342] ? ksize_uaf+0x5e4/0x6c0 [ 24.813362] kasan_report+0x141/0x180 [ 24.813382] ? ksize_uaf+0x5e4/0x6c0 [ 24.813406] __asan_report_load1_noabort+0x18/0x20 [ 24.813429] ksize_uaf+0x5e4/0x6c0 [ 24.813448] ? __pfx_ksize_uaf+0x10/0x10 [ 24.813470] ? __pfx_ksize_uaf+0x10/0x10 [ 24.813495] kunit_try_run_case+0x1a5/0x480 [ 24.813517] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.813537] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.813561] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.813583] ? __kthread_parkme+0x82/0x180 [ 24.813605] ? preempt_count_sub+0x50/0x80 [ 24.813628] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.813649] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.813687] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.813711] kthread+0x337/0x6f0 [ 24.813731] ? trace_preempt_on+0x20/0xc0 [ 24.813762] ? __pfx_kthread+0x10/0x10 [ 24.813782] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.813803] ? calculate_sigpending+0x7b/0xa0 [ 24.813827] ? __pfx_kthread+0x10/0x10 [ 24.813847] ret_from_fork+0x116/0x1d0 [ 24.813867] ? __pfx_kthread+0x10/0x10 [ 24.813887] ret_from_fork_asm+0x1a/0x30 [ 24.813917] </TASK> [ 24.813928] [ 24.822480] Allocated by task 245: [ 24.822648] kasan_save_stack+0x45/0x70 [ 24.822900] kasan_save_track+0x18/0x40 [ 24.823385] kasan_save_alloc_info+0x3b/0x50 [ 24.823559] __kasan_kmalloc+0xb7/0xc0 [ 24.823864] __kmalloc_cache_noprof+0x189/0x420 [ 24.824218] ksize_uaf+0xaa/0x6c0 [ 24.824453] kunit_try_run_case+0x1a5/0x480 [ 24.824600] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.824864] kthread+0x337/0x6f0 [ 24.825098] ret_from_fork+0x116/0x1d0 [ 24.825360] ret_from_fork_asm+0x1a/0x30 [ 24.825593] [ 24.825960] Freed by task 245: [ 24.826116] kasan_save_stack+0x45/0x70 [ 24.826276] kasan_save_track+0x18/0x40 [ 24.826483] kasan_save_free_info+0x3f/0x60 [ 24.826677] __kasan_slab_free+0x56/0x70 [ 24.827198] kfree+0x222/0x3f0 [ 24.827404] ksize_uaf+0x12c/0x6c0 [ 24.827674] kunit_try_run_case+0x1a5/0x480 [ 24.827910] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.828277] kthread+0x337/0x6f0 [ 24.828567] ret_from_fork+0x116/0x1d0 [ 24.828732] ret_from_fork_asm+0x1a/0x30 [ 24.829005] [ 24.829089] The buggy address belongs to the object at ffff888105919300 [ 24.829089] which belongs to the cache kmalloc-128 of size 128 [ 24.829627] The buggy address is located 120 bytes inside of [ 24.829627] freed 128-byte region [ffff888105919300, ffff888105919380) [ 24.830340] [ 24.830436] The buggy address belongs to the physical page: [ 24.830668] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105919 [ 24.831057] flags: 0x200000000000000(node=0|zone=2) [ 24.831423] page_type: f5(slab) [ 24.831597] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 24.831942] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 24.832514] page dumped because: kasan: bad access detected [ 24.832789] [ 24.832860] Memory state around the buggy address: [ 24.833217] ffff888105919200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.833498] ffff888105919280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.833971] >ffff888105919300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.834377] ^ [ 24.834789] ffff888105919380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.835248] ffff888105919400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.835602] ================================================================== [ 24.755394] ================================================================== [ 24.755846] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 24.756357] Read of size 1 at addr ffff888105919300 by task kunit_try_catch/245 [ 24.756727] [ 24.756834] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc6-next-20250714 #1 PREEMPT(voluntary) [ 24.756888] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 24.756902] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.756926] Call Trace: [ 24.756939] <TASK> [ 24.756959] dump_stack_lvl+0x73/0xb0 [ 24.756993] print_report+0xd1/0x610 [ 24.757016] ? __virt_addr_valid+0x1db/0x2d0 [ 24.757041] ? ksize_uaf+0x19d/0x6c0 [ 24.757060] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.757085] ? ksize_uaf+0x19d/0x6c0 [ 24.757105] kasan_report+0x141/0x180 [ 24.757126] ? ksize_uaf+0x19d/0x6c0 [ 24.757160] ? ksize_uaf+0x19d/0x6c0 [ 24.757180] __kasan_check_byte+0x3d/0x50 [ 24.757201] ksize+0x20/0x60 [ 24.757221] ksize_uaf+0x19d/0x6c0 [ 24.757241] ? __pfx_ksize_uaf+0x10/0x10 [ 24.757263] ? __pfx_ksize_uaf+0x10/0x10 [ 24.757287] kunit_try_run_case+0x1a5/0x480 [ 24.757310] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.757331] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.757355] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.757378] ? __kthread_parkme+0x82/0x180 [ 24.757399] ? preempt_count_sub+0x50/0x80 [ 24.757423] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.757443] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.757468] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.757492] kthread+0x337/0x6f0 [ 24.757511] ? trace_preempt_on+0x20/0xc0 [ 24.757535] ? __pfx_kthread+0x10/0x10 [ 24.757555] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.757576] ? calculate_sigpending+0x7b/0xa0 [ 24.757600] ? __pfx_kthread+0x10/0x10 [ 24.757621] ret_from_fork+0x116/0x1d0 [ 24.757641] ? __pfx_kthread+0x10/0x10 [ 24.757672] ret_from_fork_asm+0x1a/0x30 [ 24.757703] </TASK> [ 24.757714] [ 24.766980] Allocated by task 245: [ 24.767132] kasan_save_stack+0x45/0x70 [ 24.767290] kasan_save_track+0x18/0x40 [ 24.767418] kasan_save_alloc_info+0x3b/0x50 [ 24.767559] __kasan_kmalloc+0xb7/0xc0 [ 24.769368] __kmalloc_cache_noprof+0x189/0x420 [ 24.770710] ksize_uaf+0xaa/0x6c0 [ 24.771256] kunit_try_run_case+0x1a5/0x480 [ 24.772154] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.773199] kthread+0x337/0x6f0 [ 24.774697] ret_from_fork+0x116/0x1d0 [ 24.774954] ret_from_fork_asm+0x1a/0x30 [ 24.775131] [ 24.775233] Freed by task 245: [ 24.775379] kasan_save_stack+0x45/0x70 [ 24.775552] kasan_save_track+0x18/0x40 [ 24.775725] kasan_save_free_info+0x3f/0x60 [ 24.775923] __kasan_slab_free+0x56/0x70 [ 24.776170] kfree+0x222/0x3f0 [ 24.776287] ksize_uaf+0x12c/0x6c0 [ 24.776451] kunit_try_run_case+0x1a5/0x480 [ 24.776646] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.776889] kthread+0x337/0x6f0 [ 24.777081] ret_from_fork+0x116/0x1d0 [ 24.777518] ret_from_fork_asm+0x1a/0x30 [ 24.777748] [ 24.778060] The buggy address belongs to the object at ffff888105919300 [ 24.778060] which belongs to the cache kmalloc-128 of size 128 [ 24.778541] The buggy address is located 0 bytes inside of [ 24.778541] freed 128-byte region [ffff888105919300, ffff888105919380) [ 24.779613] [ 24.779895] The buggy address belongs to the physical page: [ 24.780186] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105919 [ 24.780615] flags: 0x200000000000000(node=0|zone=2) [ 24.781283] page_type: f5(slab) [ 24.781423] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 24.781759] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 24.782163] page dumped because: kasan: bad access detected [ 24.782391] [ 24.782458] Memory state around the buggy address: [ 24.782648] ffff888105919200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.783341] ffff888105919280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.783581] >ffff888105919300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.784187] ^ [ 24.784506] ffff888105919380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.784957] ffff888105919400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.785713] ================================================================== [ 24.786618] ================================================================== [ 24.787129] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 24.787419] Read of size 1 at addr ffff888105919300 by task kunit_try_catch/245 [ 24.787720] [ 24.788086] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc6-next-20250714 #1 PREEMPT(voluntary) [ 24.788143] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 24.788262] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.788287] Call Trace: [ 24.788307] <TASK> [ 24.788327] dump_stack_lvl+0x73/0xb0 [ 24.788359] print_report+0xd1/0x610 [ 24.788381] ? __virt_addr_valid+0x1db/0x2d0 [ 24.788404] ? ksize_uaf+0x5fe/0x6c0 [ 24.788423] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.788448] ? ksize_uaf+0x5fe/0x6c0 [ 24.788560] kasan_report+0x141/0x180 [ 24.788585] ? ksize_uaf+0x5fe/0x6c0 [ 24.788608] __asan_report_load1_noabort+0x18/0x20 [ 24.788631] ksize_uaf+0x5fe/0x6c0 [ 24.788652] ? __pfx_ksize_uaf+0x10/0x10 [ 24.788685] ? __pfx_ksize_uaf+0x10/0x10 [ 24.788709] kunit_try_run_case+0x1a5/0x480 [ 24.788731] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.788766] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.788790] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.788812] ? __kthread_parkme+0x82/0x180 [ 24.788833] ? preempt_count_sub+0x50/0x80 [ 24.788855] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.788876] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.788900] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.788924] kthread+0x337/0x6f0 [ 24.788955] ? trace_preempt_on+0x20/0xc0 [ 24.788978] ? __pfx_kthread+0x10/0x10 [ 24.788998] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.789019] ? calculate_sigpending+0x7b/0xa0 [ 24.789042] ? __pfx_kthread+0x10/0x10 [ 24.789063] ret_from_fork+0x116/0x1d0 [ 24.789082] ? __pfx_kthread+0x10/0x10 [ 24.789101] ret_from_fork_asm+0x1a/0x30 [ 24.789132] </TASK> [ 24.789143] [ 24.797691] Allocated by task 245: [ 24.797863] kasan_save_stack+0x45/0x70 [ 24.798237] kasan_save_track+0x18/0x40 [ 24.798497] kasan_save_alloc_info+0x3b/0x50 [ 24.798717] __kasan_kmalloc+0xb7/0xc0 [ 24.798925] __kmalloc_cache_noprof+0x189/0x420 [ 24.799133] ksize_uaf+0xaa/0x6c0 [ 24.799627] kunit_try_run_case+0x1a5/0x480 [ 24.799847] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.800260] kthread+0x337/0x6f0 [ 24.800423] ret_from_fork+0x116/0x1d0 [ 24.800566] ret_from_fork_asm+0x1a/0x30 [ 24.800796] [ 24.801052] Freed by task 245: [ 24.801347] kasan_save_stack+0x45/0x70 [ 24.801510] kasan_save_track+0x18/0x40 [ 24.801771] kasan_save_free_info+0x3f/0x60 [ 24.802094] __kasan_slab_free+0x56/0x70 [ 24.802394] kfree+0x222/0x3f0 [ 24.802544] ksize_uaf+0x12c/0x6c0 [ 24.802723] kunit_try_run_case+0x1a5/0x480 [ 24.803124] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.803522] kthread+0x337/0x6f0 [ 24.803677] ret_from_fork+0x116/0x1d0 [ 24.803860] ret_from_fork_asm+0x1a/0x30 [ 24.804096] [ 24.804191] The buggy address belongs to the object at ffff888105919300 [ 24.804191] which belongs to the cache kmalloc-128 of size 128 [ 24.804985] The buggy address is located 0 bytes inside of [ 24.804985] freed 128-byte region [ffff888105919300, ffff888105919380) [ 24.805600] [ 24.805771] The buggy address belongs to the physical page: [ 24.806179] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105919 [ 24.806624] flags: 0x200000000000000(node=0|zone=2) [ 24.806869] page_type: f5(slab) [ 24.807200] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 24.807492] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 24.807810] page dumped because: kasan: bad access detected [ 24.808176] [ 24.808247] Memory state around the buggy address: [ 24.808467] ffff888105919200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.808771] ffff888105919280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.809349] >ffff888105919300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.809848] ^ [ 24.810000] ffff888105919380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.810468] ffff888105919400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.810829] ==================================================================