Date
July 15, 2025, 11:35 a.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 |
[ 48.595577] ================================================================== [ 48.605627] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 48.611962] Read of size 1 at addr ffff00080244dc00 by task kunit_try_catch/277 [ 48.619250] [ 48.620736] CPU: 0 UID: 0 PID: 277 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT [ 48.620790] Tainted: [B]=BAD_PAGE, [N]=TEST [ 48.620806] Hardware name: WinLink E850-96 board (DT) [ 48.620826] Call trace: [ 48.620842] show_stack+0x20/0x38 (C) [ 48.620875] dump_stack_lvl+0x8c/0xd0 [ 48.620911] print_report+0x118/0x5d0 [ 48.620941] kasan_report+0xdc/0x128 [ 48.620967] __kasan_check_byte+0x54/0x70 [ 48.620995] ksize+0x30/0x88 [ 48.621030] ksize_uaf+0x168/0x5f8 [ 48.621058] kunit_try_run_case+0x170/0x3f0 [ 48.621087] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.621122] kthread+0x328/0x630 [ 48.621151] ret_from_fork+0x10/0x20 [ 48.621182] [ 48.686091] Allocated by task 277: [ 48.689478] kasan_save_stack+0x3c/0x68 [ 48.693294] kasan_save_track+0x20/0x40 [ 48.697113] kasan_save_alloc_info+0x40/0x58 [ 48.701367] __kasan_kmalloc+0xd4/0xd8 [ 48.705099] __kmalloc_cache_noprof+0x16c/0x3c0 [ 48.709613] ksize_uaf+0xb8/0x5f8 [ 48.712912] kunit_try_run_case+0x170/0x3f0 [ 48.717078] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.722548] kthread+0x328/0x630 [ 48.725759] ret_from_fork+0x10/0x20 [ 48.729318] [ 48.730793] Freed by task 277: [ 48.733833] kasan_save_stack+0x3c/0x68 [ 48.737651] kasan_save_track+0x20/0x40 [ 48.741470] kasan_save_free_info+0x4c/0x78 [ 48.745637] __kasan_slab_free+0x6c/0x98 [ 48.749543] kfree+0x214/0x3c8 [ 48.752581] ksize_uaf+0x11c/0x5f8 [ 48.755967] kunit_try_run_case+0x170/0x3f0 [ 48.760133] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.765602] kthread+0x328/0x630 [ 48.768814] ret_from_fork+0x10/0x20 [ 48.772373] [ 48.773850] The buggy address belongs to the object at ffff00080244dc00 [ 48.773850] which belongs to the cache kmalloc-128 of size 128 [ 48.786348] The buggy address is located 0 bytes inside of [ 48.786348] freed 128-byte region [ffff00080244dc00, ffff00080244dc80) [ 48.798414] [ 48.799894] The buggy address belongs to the physical page: [ 48.805449] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x88244c [ 48.813433] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 48.821073] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 48.828016] page_type: f5(slab) [ 48.831153] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 48.838872] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 48.846599] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 48.854410] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 48.862222] head: 0bfffe0000000001 fffffdffe0091301 00000000ffffffff 00000000ffffffff [ 48.870034] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 48.877842] page dumped because: kasan: bad access detected [ 48.883395] [ 48.884871] Memory state around the buggy address: [ 48.889654] ffff00080244db00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 48.896855] ffff00080244db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 48.904058] >ffff00080244dc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 48.911259] ^ [ 48.914475] ffff00080244dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 48.921679] ffff00080244dd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 48.928882] ================================================================== [ 49.271892] ================================================================== [ 49.278880] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 49.285215] Read of size 1 at addr ffff00080244dc78 by task kunit_try_catch/277 [ 49.292504] [ 49.293989] CPU: 6 UID: 0 PID: 277 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT [ 49.294042] Tainted: [B]=BAD_PAGE, [N]=TEST [ 49.294057] Hardware name: WinLink E850-96 board (DT) [ 49.294081] Call trace: [ 49.294095] show_stack+0x20/0x38 (C) [ 49.294128] dump_stack_lvl+0x8c/0xd0 [ 49.294165] print_report+0x118/0x5d0 [ 49.294193] kasan_report+0xdc/0x128 [ 49.294220] __asan_report_load1_noabort+0x20/0x30 [ 49.294254] ksize_uaf+0x544/0x5f8 [ 49.294283] kunit_try_run_case+0x170/0x3f0 [ 49.294316] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 49.294351] kthread+0x328/0x630 [ 49.294378] ret_from_fork+0x10/0x20 [ 49.294410] [ 49.357261] Allocated by task 277: [ 49.360648] kasan_save_stack+0x3c/0x68 [ 49.364464] kasan_save_track+0x20/0x40 [ 49.368284] kasan_save_alloc_info+0x40/0x58 [ 49.372537] __kasan_kmalloc+0xd4/0xd8 [ 49.376269] __kmalloc_cache_noprof+0x16c/0x3c0 [ 49.380784] ksize_uaf+0xb8/0x5f8 [ 49.384082] kunit_try_run_case+0x170/0x3f0 [ 49.388249] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 49.393718] kthread+0x328/0x630 [ 49.396930] ret_from_fork+0x10/0x20 [ 49.400488] [ 49.401964] Freed by task 277: [ 49.405002] kasan_save_stack+0x3c/0x68 [ 49.408822] kasan_save_track+0x20/0x40 [ 49.412641] kasan_save_free_info+0x4c/0x78 [ 49.416808] __kasan_slab_free+0x6c/0x98 [ 49.420714] kfree+0x214/0x3c8 [ 49.423752] ksize_uaf+0x11c/0x5f8 [ 49.427137] kunit_try_run_case+0x170/0x3f0 [ 49.431304] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 49.436772] kthread+0x328/0x630 [ 49.439984] ret_from_fork+0x10/0x20 [ 49.443543] [ 49.445019] The buggy address belongs to the object at ffff00080244dc00 [ 49.445019] which belongs to the cache kmalloc-128 of size 128 [ 49.457520] The buggy address is located 120 bytes inside of [ 49.457520] freed 128-byte region [ffff00080244dc00, ffff00080244dc80) [ 49.469758] [ 49.471236] The buggy address belongs to the physical page: [ 49.476795] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x88244c [ 49.484778] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 49.492416] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 49.499359] page_type: f5(slab) [ 49.502494] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 49.510215] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 49.517942] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 49.525753] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 49.533566] head: 0bfffe0000000001 fffffdffe0091301 00000000ffffffff 00000000ffffffff [ 49.541378] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 49.549184] page dumped because: kasan: bad access detected [ 49.554739] [ 49.556215] Memory state around the buggy address: [ 49.560994] ffff00080244db00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 49.568198] ffff00080244db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 49.575404] >ffff00080244dc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 49.582604] ^ [ 49.589725] ffff00080244dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 49.596930] ffff00080244dd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 49.604131] ================================================================== [ 48.936266] ================================================================== [ 48.943294] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 48.949629] Read of size 1 at addr ffff00080244dc00 by task kunit_try_catch/277 [ 48.956918] [ 48.958403] CPU: 0 UID: 0 PID: 277 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT [ 48.958456] Tainted: [B]=BAD_PAGE, [N]=TEST [ 48.958473] Hardware name: WinLink E850-96 board (DT) [ 48.958493] Call trace: [ 48.958507] show_stack+0x20/0x38 (C) [ 48.958538] dump_stack_lvl+0x8c/0xd0 [ 48.958572] print_report+0x118/0x5d0 [ 48.958599] kasan_report+0xdc/0x128 [ 48.958626] __asan_report_load1_noabort+0x20/0x30 [ 48.958657] ksize_uaf+0x598/0x5f8 [ 48.958687] kunit_try_run_case+0x170/0x3f0 [ 48.958717] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 48.958753] kthread+0x328/0x630 [ 48.958779] ret_from_fork+0x10/0x20 [ 48.958807] [ 49.021674] Allocated by task 277: [ 49.025061] kasan_save_stack+0x3c/0x68 [ 49.028879] kasan_save_track+0x20/0x40 [ 49.032698] kasan_save_alloc_info+0x40/0x58 [ 49.036952] __kasan_kmalloc+0xd4/0xd8 [ 49.040684] __kmalloc_cache_noprof+0x16c/0x3c0 [ 49.045199] ksize_uaf+0xb8/0x5f8 [ 49.048497] kunit_try_run_case+0x170/0x3f0 [ 49.052663] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 49.058134] kthread+0x328/0x630 [ 49.061344] ret_from_fork+0x10/0x20 [ 49.064903] [ 49.066379] Freed by task 277: [ 49.069417] kasan_save_stack+0x3c/0x68 [ 49.073236] kasan_save_track+0x20/0x40 [ 49.077055] kasan_save_free_info+0x4c/0x78 [ 49.081222] __kasan_slab_free+0x6c/0x98 [ 49.085128] kfree+0x214/0x3c8 [ 49.088167] ksize_uaf+0x11c/0x5f8 [ 49.091552] kunit_try_run_case+0x170/0x3f0 [ 49.095718] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 49.101187] kthread+0x328/0x630 [ 49.104399] ret_from_fork+0x10/0x20 [ 49.107958] [ 49.109433] The buggy address belongs to the object at ffff00080244dc00 [ 49.109433] which belongs to the cache kmalloc-128 of size 128 [ 49.121934] The buggy address is located 0 bytes inside of [ 49.121934] freed 128-byte region [ffff00080244dc00, ffff00080244dc80) [ 49.133999] [ 49.135477] The buggy address belongs to the physical page: [ 49.141035] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x88244c [ 49.149018] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 49.156658] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 49.163600] page_type: f5(slab) [ 49.166735] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 49.174457] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 49.182183] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 49.189994] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 49.197808] head: 0bfffe0000000001 fffffdffe0091301 00000000ffffffff 00000000ffffffff [ 49.205620] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 49.213425] page dumped because: kasan: bad access detected [ 49.218981] [ 49.220456] Memory state around the buggy address: [ 49.225237] ffff00080244db00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 49.232439] ffff00080244db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 49.239643] >ffff00080244dc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 49.246845] ^ [ 49.250060] ffff00080244dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 49.257265] ffff00080244dd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 49.264468] ==================================================================
[ 30.882819] ================================================================== [ 30.882870] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 30.882919] Read of size 1 at addr fff00000c64f4d78 by task kunit_try_catch/228 [ 30.883417] [ 30.883479] CPU: 0 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT [ 30.883832] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.883860] Hardware name: linux,dummy-virt (DT) [ 30.883890] Call trace: [ 30.884317] show_stack+0x20/0x38 (C) [ 30.884526] dump_stack_lvl+0x8c/0xd0 [ 30.884611] print_report+0x118/0x5d0 [ 30.884996] kasan_report+0xdc/0x128 [ 30.885047] __asan_report_load1_noabort+0x20/0x30 [ 30.885458] ksize_uaf+0x544/0x5f8 [ 30.885605] kunit_try_run_case+0x170/0x3f0 [ 30.885800] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.885922] kthread+0x328/0x630 [ 30.885967] ret_from_fork+0x10/0x20 [ 30.886014] [ 30.886034] Allocated by task 228: [ 30.886563] kasan_save_stack+0x3c/0x68 [ 30.886669] kasan_save_track+0x20/0x40 [ 30.886710] kasan_save_alloc_info+0x40/0x58 [ 30.886754] __kasan_kmalloc+0xd4/0xd8 [ 30.886998] __kmalloc_cache_noprof+0x16c/0x3c0 [ 30.887322] ksize_uaf+0xb8/0x5f8 [ 30.887544] kunit_try_run_case+0x170/0x3f0 [ 30.887604] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.887689] kthread+0x328/0x630 [ 30.888047] ret_from_fork+0x10/0x20 [ 30.888218] [ 30.888243] Freed by task 228: [ 30.888270] kasan_save_stack+0x3c/0x68 [ 30.888311] kasan_save_track+0x20/0x40 [ 30.888788] kasan_save_free_info+0x4c/0x78 [ 30.888952] __kasan_slab_free+0x6c/0x98 [ 30.889275] kfree+0x214/0x3c8 [ 30.889317] ksize_uaf+0x11c/0x5f8 [ 30.889353] kunit_try_run_case+0x170/0x3f0 [ 30.889390] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.889433] kthread+0x328/0x630 [ 30.889475] ret_from_fork+0x10/0x20 [ 30.889513] [ 30.889535] The buggy address belongs to the object at fff00000c64f4d00 [ 30.889535] which belongs to the cache kmalloc-128 of size 128 [ 30.889593] The buggy address is located 120 bytes inside of [ 30.889593] freed 128-byte region [fff00000c64f4d00, fff00000c64f4d80) [ 30.890124] [ 30.890149] The buggy address belongs to the physical page: [ 30.890421] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1064f4 [ 30.890496] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 30.891061] page_type: f5(slab) [ 30.891103] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 30.891156] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 30.891197] page dumped because: kasan: bad access detected [ 30.891659] [ 30.891685] Memory state around the buggy address: [ 30.891929] fff00000c64f4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.892131] fff00000c64f4c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.892299] >fff00000c64f4d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.892339] ^ [ 30.892380] fff00000c64f4d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.892422] fff00000c64f4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.892473] ================================================================== [ 30.869388] ================================================================== [ 30.870007] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 30.870071] Read of size 1 at addr fff00000c64f4d00 by task kunit_try_catch/228 [ 30.870488] [ 30.870526] CPU: 0 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT [ 30.870875] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.870919] Hardware name: linux,dummy-virt (DT) [ 30.871131] Call trace: [ 30.871353] show_stack+0x20/0x38 (C) [ 30.871632] dump_stack_lvl+0x8c/0xd0 [ 30.871827] print_report+0x118/0x5d0 [ 30.871909] kasan_report+0xdc/0x128 [ 30.872041] __asan_report_load1_noabort+0x20/0x30 [ 30.872281] ksize_uaf+0x598/0x5f8 [ 30.872511] kunit_try_run_case+0x170/0x3f0 [ 30.872567] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.872942] kthread+0x328/0x630 [ 30.872988] ret_from_fork+0x10/0x20 [ 30.873044] [ 30.873251] Allocated by task 228: [ 30.873367] kasan_save_stack+0x3c/0x68 [ 30.873566] kasan_save_track+0x20/0x40 [ 30.873606] kasan_save_alloc_info+0x40/0x58 [ 30.873653] __kasan_kmalloc+0xd4/0xd8 [ 30.873693] __kmalloc_cache_noprof+0x16c/0x3c0 [ 30.873734] ksize_uaf+0xb8/0x5f8 [ 30.874410] kunit_try_run_case+0x170/0x3f0 [ 30.874531] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.874576] kthread+0x328/0x630 [ 30.874873] ret_from_fork+0x10/0x20 [ 30.875551] [ 30.875591] Freed by task 228: [ 30.875760] kasan_save_stack+0x3c/0x68 [ 30.875806] kasan_save_track+0x20/0x40 [ 30.876026] kasan_save_free_info+0x4c/0x78 [ 30.876081] __kasan_slab_free+0x6c/0x98 [ 30.876665] kfree+0x214/0x3c8 [ 30.876771] ksize_uaf+0x11c/0x5f8 [ 30.877201] kunit_try_run_case+0x170/0x3f0 [ 30.877241] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.877288] kthread+0x328/0x630 [ 30.877321] ret_from_fork+0x10/0x20 [ 30.877359] [ 30.877381] The buggy address belongs to the object at fff00000c64f4d00 [ 30.877381] which belongs to the cache kmalloc-128 of size 128 [ 30.878183] The buggy address is located 0 bytes inside of [ 30.878183] freed 128-byte region [fff00000c64f4d00, fff00000c64f4d80) [ 30.878543] [ 30.878593] The buggy address belongs to the physical page: [ 30.878849] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1064f4 [ 30.878903] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 30.879112] page_type: f5(slab) [ 30.879411] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 30.879736] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 30.879778] page dumped because: kasan: bad access detected [ 30.879810] [ 30.879828] Memory state around the buggy address: [ 30.880123] fff00000c64f4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.880341] fff00000c64f4c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.880418] >fff00000c64f4d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.880465] ^ [ 30.880494] fff00000c64f4d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.880536] fff00000c64f4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.880574] ================================================================== [ 30.855683] ================================================================== [ 30.855786] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 30.855858] Read of size 1 at addr fff00000c64f4d00 by task kunit_try_catch/228 [ 30.855910] [ 30.855950] CPU: 0 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT [ 30.856038] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.856471] Hardware name: linux,dummy-virt (DT) [ 30.856562] Call trace: [ 30.856773] show_stack+0x20/0x38 (C) [ 30.857391] dump_stack_lvl+0x8c/0xd0 [ 30.857533] print_report+0x118/0x5d0 [ 30.857580] kasan_report+0xdc/0x128 [ 30.857809] __kasan_check_byte+0x54/0x70 [ 30.858105] ksize+0x30/0x88 [ 30.858190] ksize_uaf+0x168/0x5f8 [ 30.858237] kunit_try_run_case+0x170/0x3f0 [ 30.858283] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.859136] kthread+0x328/0x630 [ 30.859253] ret_from_fork+0x10/0x20 [ 30.859742] [ 30.859913] Allocated by task 228: [ 30.859947] kasan_save_stack+0x3c/0x68 [ 30.860026] kasan_save_track+0x20/0x40 [ 30.860067] kasan_save_alloc_info+0x40/0x58 [ 30.860483] __kasan_kmalloc+0xd4/0xd8 [ 30.860685] __kmalloc_cache_noprof+0x16c/0x3c0 [ 30.861097] ksize_uaf+0xb8/0x5f8 [ 30.861220] kunit_try_run_case+0x170/0x3f0 [ 30.861261] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.861696] kthread+0x328/0x630 [ 30.861734] ret_from_fork+0x10/0x20 [ 30.861801] [ 30.861825] Freed by task 228: [ 30.862078] kasan_save_stack+0x3c/0x68 [ 30.862174] kasan_save_track+0x20/0x40 [ 30.862223] kasan_save_free_info+0x4c/0x78 [ 30.862307] __kasan_slab_free+0x6c/0x98 [ 30.862348] kfree+0x214/0x3c8 [ 30.862383] ksize_uaf+0x11c/0x5f8 [ 30.862764] kunit_try_run_case+0x170/0x3f0 [ 30.862992] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.863086] kthread+0x328/0x630 [ 30.863365] ret_from_fork+0x10/0x20 [ 30.863555] [ 30.863744] The buggy address belongs to the object at fff00000c64f4d00 [ 30.863744] which belongs to the cache kmalloc-128 of size 128 [ 30.863858] The buggy address is located 0 bytes inside of [ 30.863858] freed 128-byte region [fff00000c64f4d00, fff00000c64f4d80) [ 30.863919] [ 30.864469] The buggy address belongs to the physical page: [ 30.864689] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1064f4 [ 30.864837] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 30.865084] page_type: f5(slab) [ 30.865133] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 30.865587] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 30.865647] page dumped because: kasan: bad access detected [ 30.866213] [ 30.866236] Memory state around the buggy address: [ 30.866271] fff00000c64f4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.866399] fff00000c64f4c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.866725] >fff00000c64f4d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.866970] ^ [ 30.867130] fff00000c64f4d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.867568] fff00000c64f4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.867627] ==================================================================
[ 24.539128] ================================================================== [ 24.539686] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 24.540026] Read of size 1 at addr ffff8881041b9a00 by task kunit_try_catch/244 [ 24.540336] [ 24.540425] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT(voluntary) [ 24.540474] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.540488] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.540509] Call Trace: [ 24.540535] <TASK> [ 24.540551] dump_stack_lvl+0x73/0xb0 [ 24.540629] print_report+0xd1/0x610 [ 24.540661] ? __virt_addr_valid+0x1db/0x2d0 [ 24.540688] ? ksize_uaf+0x5fe/0x6c0 [ 24.540713] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.540744] ? ksize_uaf+0x5fe/0x6c0 [ 24.540770] kasan_report+0x141/0x180 [ 24.540797] ? ksize_uaf+0x5fe/0x6c0 [ 24.540829] __asan_report_load1_noabort+0x18/0x20 [ 24.540858] ksize_uaf+0x5fe/0x6c0 [ 24.540883] ? __pfx_ksize_uaf+0x10/0x10 [ 24.540910] ? __schedule+0x10cc/0x2b60 [ 24.540936] ? __pfx_read_tsc+0x10/0x10 [ 24.540962] ? ktime_get_ts64+0x86/0x230 [ 24.541009] kunit_try_run_case+0x1a5/0x480 [ 24.541037] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.541063] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.541090] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.541117] ? __kthread_parkme+0x82/0x180 [ 24.541142] ? preempt_count_sub+0x50/0x80 [ 24.541172] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.541201] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.541232] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.541263] kthread+0x337/0x6f0 [ 24.541287] ? trace_preempt_on+0x20/0xc0 [ 24.541315] ? __pfx_kthread+0x10/0x10 [ 24.541340] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.541369] ? calculate_sigpending+0x7b/0xa0 [ 24.541398] ? __pfx_kthread+0x10/0x10 [ 24.541425] ret_from_fork+0x116/0x1d0 [ 24.541448] ? __pfx_kthread+0x10/0x10 [ 24.541475] ret_from_fork_asm+0x1a/0x30 [ 24.541516] </TASK> [ 24.541539] [ 24.551694] Allocated by task 244: [ 24.551825] kasan_save_stack+0x45/0x70 [ 24.552030] kasan_save_track+0x18/0x40 [ 24.552220] kasan_save_alloc_info+0x3b/0x50 [ 24.552411] __kasan_kmalloc+0xb7/0xc0 [ 24.552592] __kmalloc_cache_noprof+0x189/0x420 [ 24.552946] ksize_uaf+0xaa/0x6c0 [ 24.553075] kunit_try_run_case+0x1a5/0x480 [ 24.553223] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.553481] kthread+0x337/0x6f0 [ 24.553665] ret_from_fork+0x116/0x1d0 [ 24.553852] ret_from_fork_asm+0x1a/0x30 [ 24.553992] [ 24.554061] Freed by task 244: [ 24.554284] kasan_save_stack+0x45/0x70 [ 24.554568] kasan_save_track+0x18/0x40 [ 24.554825] kasan_save_free_info+0x3f/0x60 [ 24.555015] __kasan_slab_free+0x56/0x70 [ 24.555200] kfree+0x222/0x3f0 [ 24.555368] ksize_uaf+0x12c/0x6c0 [ 24.555534] kunit_try_run_case+0x1a5/0x480 [ 24.555835] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.556051] kthread+0x337/0x6f0 [ 24.556214] ret_from_fork+0x116/0x1d0 [ 24.556394] ret_from_fork_asm+0x1a/0x30 [ 24.556611] [ 24.556685] The buggy address belongs to the object at ffff8881041b9a00 [ 24.556685] which belongs to the cache kmalloc-128 of size 128 [ 24.557171] The buggy address is located 0 bytes inside of [ 24.557171] freed 128-byte region [ffff8881041b9a00, ffff8881041b9a80) [ 24.557807] [ 24.557911] The buggy address belongs to the physical page: [ 24.558131] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1041b9 [ 24.558442] flags: 0x200000000000000(node=0|zone=2) [ 24.558698] page_type: f5(slab) [ 24.558858] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 24.559247] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 24.559471] page dumped because: kasan: bad access detected [ 24.559881] [ 24.560036] Memory state around the buggy address: [ 24.560263] ffff8881041b9900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.560557] ffff8881041b9980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.560905] >ffff8881041b9a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.561185] ^ [ 24.561318] ffff8881041b9a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.561566] ffff8881041b9b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.561892] ================================================================== [ 24.562647] ================================================================== [ 24.563024] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 24.563290] Read of size 1 at addr ffff8881041b9a78 by task kunit_try_catch/244 [ 24.563580] [ 24.563705] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT(voluntary) [ 24.563755] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.563768] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.563790] Call Trace: [ 24.563804] <TASK> [ 24.563820] dump_stack_lvl+0x73/0xb0 [ 24.563854] print_report+0xd1/0x610 [ 24.563881] ? __virt_addr_valid+0x1db/0x2d0 [ 24.563909] ? ksize_uaf+0x5e4/0x6c0 [ 24.563934] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.563965] ? ksize_uaf+0x5e4/0x6c0 [ 24.563990] kasan_report+0x141/0x180 [ 24.564017] ? ksize_uaf+0x5e4/0x6c0 [ 24.564049] __asan_report_load1_noabort+0x18/0x20 [ 24.564078] ksize_uaf+0x5e4/0x6c0 [ 24.564103] ? __pfx_ksize_uaf+0x10/0x10 [ 24.564129] ? __schedule+0x10cc/0x2b60 [ 24.564155] ? __pfx_read_tsc+0x10/0x10 [ 24.564180] ? ktime_get_ts64+0x86/0x230 [ 24.564210] kunit_try_run_case+0x1a5/0x480 [ 24.564238] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.564264] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.564291] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.564318] ? __kthread_parkme+0x82/0x180 [ 24.564342] ? preempt_count_sub+0x50/0x80 [ 24.564372] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.564399] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.564430] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.564460] kthread+0x337/0x6f0 [ 24.564484] ? trace_preempt_on+0x20/0xc0 [ 24.564512] ? __pfx_kthread+0x10/0x10 [ 24.564549] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.564579] ? calculate_sigpending+0x7b/0xa0 [ 24.564607] ? __pfx_kthread+0x10/0x10 [ 24.564634] ret_from_fork+0x116/0x1d0 [ 24.564657] ? __pfx_kthread+0x10/0x10 [ 24.564683] ret_from_fork_asm+0x1a/0x30 [ 24.564786] </TASK> [ 24.564800] [ 24.571838] Allocated by task 244: [ 24.571976] kasan_save_stack+0x45/0x70 [ 24.572280] kasan_save_track+0x18/0x40 [ 24.572485] kasan_save_alloc_info+0x3b/0x50 [ 24.572799] __kasan_kmalloc+0xb7/0xc0 [ 24.573035] __kmalloc_cache_noprof+0x189/0x420 [ 24.573389] ksize_uaf+0xaa/0x6c0 [ 24.573589] kunit_try_run_case+0x1a5/0x480 [ 24.573793] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.574305] kthread+0x337/0x6f0 [ 24.574517] ret_from_fork+0x116/0x1d0 [ 24.574787] ret_from_fork_asm+0x1a/0x30 [ 24.574930] [ 24.574997] Freed by task 244: [ 24.575104] kasan_save_stack+0x45/0x70 [ 24.575248] kasan_save_track+0x18/0x40 [ 24.575440] kasan_save_free_info+0x3f/0x60 [ 24.575703] __kasan_slab_free+0x56/0x70 [ 24.575901] kfree+0x222/0x3f0 [ 24.576066] ksize_uaf+0x12c/0x6c0 [ 24.576244] kunit_try_run_case+0x1a5/0x480 [ 24.576452] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.576812] kthread+0x337/0x6f0 [ 24.577030] ret_from_fork+0x116/0x1d0 [ 24.577223] ret_from_fork_asm+0x1a/0x30 [ 24.577434] [ 24.577501] The buggy address belongs to the object at ffff8881041b9a00 [ 24.577501] which belongs to the cache kmalloc-128 of size 128 [ 24.577864] The buggy address is located 120 bytes inside of [ 24.577864] freed 128-byte region [ffff8881041b9a00, ffff8881041b9a80) [ 24.578286] [ 24.578377] The buggy address belongs to the physical page: [ 24.578663] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1041b9 [ 24.579317] flags: 0x200000000000000(node=0|zone=2) [ 24.579808] page_type: f5(slab) [ 24.580084] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 24.580427] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 24.580657] page dumped because: kasan: bad access detected [ 24.580820] [ 24.580886] Memory state around the buggy address: [ 24.581187] ffff8881041b9900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.581913] ffff8881041b9980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.582280] >ffff8881041b9a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.582646] ^ [ 24.583113] ffff8881041b9a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.583411] ffff8881041b9b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.583909] ================================================================== [ 24.509892] ================================================================== [ 24.510309] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 24.510745] Read of size 1 at addr ffff8881041b9a00 by task kunit_try_catch/244 [ 24.511109] [ 24.511195] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT(voluntary) [ 24.511249] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.511264] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.511286] Call Trace: [ 24.511300] <TASK> [ 24.511316] dump_stack_lvl+0x73/0xb0 [ 24.511351] print_report+0xd1/0x610 [ 24.511381] ? __virt_addr_valid+0x1db/0x2d0 [ 24.511411] ? ksize_uaf+0x19d/0x6c0 [ 24.511436] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.511467] ? ksize_uaf+0x19d/0x6c0 [ 24.511493] kasan_report+0x141/0x180 [ 24.511535] ? ksize_uaf+0x19d/0x6c0 [ 24.511565] ? ksize_uaf+0x19d/0x6c0 [ 24.511591] __kasan_check_byte+0x3d/0x50 [ 24.511619] ksize+0x20/0x60 [ 24.511710] ksize_uaf+0x19d/0x6c0 [ 24.511736] ? __pfx_ksize_uaf+0x10/0x10 [ 24.511763] ? __schedule+0x10cc/0x2b60 [ 24.511790] ? __pfx_read_tsc+0x10/0x10 [ 24.511817] ? ktime_get_ts64+0x86/0x230 [ 24.511848] kunit_try_run_case+0x1a5/0x480 [ 24.511877] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.511904] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.511930] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.511958] ? __kthread_parkme+0x82/0x180 [ 24.511983] ? preempt_count_sub+0x50/0x80 [ 24.512013] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.512041] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.512071] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.512102] kthread+0x337/0x6f0 [ 24.512127] ? trace_preempt_on+0x20/0xc0 [ 24.512155] ? __pfx_kthread+0x10/0x10 [ 24.512181] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.512210] ? calculate_sigpending+0x7b/0xa0 [ 24.512238] ? __pfx_kthread+0x10/0x10 [ 24.512265] ret_from_fork+0x116/0x1d0 [ 24.512289] ? __pfx_kthread+0x10/0x10 [ 24.512315] ret_from_fork_asm+0x1a/0x30 [ 24.512354] </TASK> [ 24.512367] [ 24.521246] Allocated by task 244: [ 24.521377] kasan_save_stack+0x45/0x70 [ 24.522006] kasan_save_track+0x18/0x40 [ 24.522571] kasan_save_alloc_info+0x3b/0x50 [ 24.523235] __kasan_kmalloc+0xb7/0xc0 [ 24.523846] __kmalloc_cache_noprof+0x189/0x420 [ 24.524494] ksize_uaf+0xaa/0x6c0 [ 24.525047] kunit_try_run_case+0x1a5/0x480 [ 24.525632] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.525972] kthread+0x337/0x6f0 [ 24.526309] ret_from_fork+0x116/0x1d0 [ 24.526471] ret_from_fork_asm+0x1a/0x30 [ 24.526910] [ 24.527008] Freed by task 244: [ 24.527121] kasan_save_stack+0x45/0x70 [ 24.527319] kasan_save_track+0x18/0x40 [ 24.527838] kasan_save_free_info+0x3f/0x60 [ 24.528033] __kasan_slab_free+0x56/0x70 [ 24.528305] kfree+0x222/0x3f0 [ 24.528470] ksize_uaf+0x12c/0x6c0 [ 24.528880] kunit_try_run_case+0x1a5/0x480 [ 24.529093] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.529482] kthread+0x337/0x6f0 [ 24.529773] ret_from_fork+0x116/0x1d0 [ 24.530225] ret_from_fork_asm+0x1a/0x30 [ 24.530494] [ 24.530623] The buggy address belongs to the object at ffff8881041b9a00 [ 24.530623] which belongs to the cache kmalloc-128 of size 128 [ 24.531133] The buggy address is located 0 bytes inside of [ 24.531133] freed 128-byte region [ffff8881041b9a00, ffff8881041b9a80) [ 24.532022] [ 24.532129] The buggy address belongs to the physical page: [ 24.532468] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1041b9 [ 24.533081] flags: 0x200000000000000(node=0|zone=2) [ 24.533423] page_type: f5(slab) [ 24.533572] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 24.534079] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 24.534404] page dumped because: kasan: bad access detected [ 24.534821] [ 24.534903] Memory state around the buggy address: [ 24.535098] ffff8881041b9900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.535400] ffff8881041b9980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.535724] >ffff8881041b9a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 24.536124] ^ [ 24.536311] ffff8881041b9a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.536574] ffff8881041b9b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.536915] ==================================================================