Hay
Date
July 16, 2025, 12:11 p.m.

Environment
qemu-arm64
qemu-x86_64

[   30.827164] ==================================================================
[   30.827222] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   30.827274] Read of size 1 at addr fff00000c6361f00 by task kunit_try_catch/227
[   30.827325] 
[   30.827364] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250716 #1 PREEMPT 
[   30.827464] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.827493] Hardware name: linux,dummy-virt (DT)
[   30.827910] Call trace:
[   30.828251]  show_stack+0x20/0x38 (C)
[   30.828308]  dump_stack_lvl+0x8c/0xd0
[   30.828376]  print_report+0x118/0x5d0
[   30.828579]  kasan_report+0xdc/0x128
[   30.828686]  __kasan_check_byte+0x54/0x70
[   30.828791]  ksize+0x30/0x88
[   30.828875]  ksize_uaf+0x168/0x5f8
[   30.829098]  kunit_try_run_case+0x170/0x3f0
[   30.829236]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.829360]  kthread+0x328/0x630
[   30.829500]  ret_from_fork+0x10/0x20
[   30.829696] 
[   30.829787] Allocated by task 227:
[   30.829911]  kasan_save_stack+0x3c/0x68
[   30.830000]  kasan_save_track+0x20/0x40
[   30.830146]  kasan_save_alloc_info+0x40/0x58
[   30.830212]  __kasan_kmalloc+0xd4/0xd8
[   30.830360]  __kmalloc_cache_noprof+0x16c/0x3c0
[   30.830607]  ksize_uaf+0xb8/0x5f8
[   30.830687]  kunit_try_run_case+0x170/0x3f0
[   30.830823]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.830901]  kthread+0x328/0x630
[   30.830933]  ret_from_fork+0x10/0x20
[   30.831119] 
[   30.831204] Freed by task 227:
[   30.831466]  kasan_save_stack+0x3c/0x68
[   30.831523]  kasan_save_track+0x20/0x40
[   30.831721]  kasan_save_free_info+0x4c/0x78
[   30.831925]  __kasan_slab_free+0x6c/0x98
[   30.832063]  kfree+0x214/0x3c8
[   30.832252]  ksize_uaf+0x11c/0x5f8
[   30.832387]  kunit_try_run_case+0x170/0x3f0
[   30.832548]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.832689]  kthread+0x328/0x630
[   30.832786]  ret_from_fork+0x10/0x20
[   30.832888] 
[   30.832940] The buggy address belongs to the object at fff00000c6361f00
[   30.832940]  which belongs to the cache kmalloc-128 of size 128
[   30.833050] The buggy address is located 0 bytes inside of
[   30.833050]  freed 128-byte region [fff00000c6361f00, fff00000c6361f80)
[   30.833501] 
[   30.833588] The buggy address belongs to the physical page:
[   30.833629] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106361
[   30.833876] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   30.833985] page_type: f5(slab)
[   30.834043] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   30.834169] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   30.834417] page dumped because: kasan: bad access detected
[   30.834622] 
[   30.834835] Memory state around the buggy address:
[   30.834942]  fff00000c6361e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.835035]  fff00000c6361e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.835269] >fff00000c6361f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.835409]                    ^
[   30.835540]  fff00000c6361f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.835621]  fff00000c6362000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.835806] ==================================================================
[   30.836982] ==================================================================
[   30.837034] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   30.837083] Read of size 1 at addr fff00000c6361f00 by task kunit_try_catch/227
[   30.837334] 
[   30.837448] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250716 #1 PREEMPT 
[   30.837718] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.837883] Hardware name: linux,dummy-virt (DT)
[   30.837949] Call trace:
[   30.838016]  show_stack+0x20/0x38 (C)
[   30.838068]  dump_stack_lvl+0x8c/0xd0
[   30.838143]  print_report+0x118/0x5d0
[   30.838193]  kasan_report+0xdc/0x128
[   30.838237]  __asan_report_load1_noabort+0x20/0x30
[   30.838568]  ksize_uaf+0x598/0x5f8
[   30.838677]  kunit_try_run_case+0x170/0x3f0
[   30.838732]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.838815]  kthread+0x328/0x630
[   30.838861]  ret_from_fork+0x10/0x20
[   30.838945] 
[   30.839124] Allocated by task 227:
[   30.839220]  kasan_save_stack+0x3c/0x68
[   30.839384]  kasan_save_track+0x20/0x40
[   30.839426]  kasan_save_alloc_info+0x40/0x58
[   30.839698]  __kasan_kmalloc+0xd4/0xd8
[   30.839813]  __kmalloc_cache_noprof+0x16c/0x3c0
[   30.839904]  ksize_uaf+0xb8/0x5f8
[   30.840027]  kunit_try_run_case+0x170/0x3f0
[   30.840085]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.840131]  kthread+0x328/0x630
[   30.840184]  ret_from_fork+0x10/0x20
[   30.840222] 
[   30.840383] Freed by task 227:
[   30.840530]  kasan_save_stack+0x3c/0x68
[   30.840679]  kasan_save_track+0x20/0x40
[   30.840793]  kasan_save_free_info+0x4c/0x78
[   30.840863]  __kasan_slab_free+0x6c/0x98
[   30.840901]  kfree+0x214/0x3c8
[   30.840936]  ksize_uaf+0x11c/0x5f8
[   30.840984]  kunit_try_run_case+0x170/0x3f0
[   30.841032]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.841077]  kthread+0x328/0x630
[   30.841110]  ret_from_fork+0x10/0x20
[   30.841147] 
[   30.841166] The buggy address belongs to the object at fff00000c6361f00
[   30.841166]  which belongs to the cache kmalloc-128 of size 128
[   30.841250] The buggy address is located 0 bytes inside of
[   30.841250]  freed 128-byte region [fff00000c6361f00, fff00000c6361f80)
[   30.841325] 
[   30.841356] The buggy address belongs to the physical page:
[   30.841388] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106361
[   30.841448] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   30.841497] page_type: f5(slab)
[   30.841554] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   30.841615] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   30.841662] page dumped because: kasan: bad access detected
[   30.841694] 
[   30.841711] Memory state around the buggy address:
[   30.841755]  fff00000c6361e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.841818]  fff00000c6361e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.841872] >fff00000c6361f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.841919]                    ^
[   30.841953]  fff00000c6361f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.842012]  fff00000c6362000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.842051] ==================================================================
[   30.842923] ==================================================================
[   30.842984] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   30.843041] Read of size 1 at addr fff00000c6361f78 by task kunit_try_catch/227
[   30.843215] 
[   30.843336] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250716 #1 PREEMPT 
[   30.843467] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.843525] Hardware name: linux,dummy-virt (DT)
[   30.843719] Call trace:
[   30.843767]  show_stack+0x20/0x38 (C)
[   30.843920]  dump_stack_lvl+0x8c/0xd0
[   30.844097]  print_report+0x118/0x5d0
[   30.844215]  kasan_report+0xdc/0x128
[   30.844345]  __asan_report_load1_noabort+0x20/0x30
[   30.844455]  ksize_uaf+0x544/0x5f8
[   30.844536]  kunit_try_run_case+0x170/0x3f0
[   30.844714]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.844897]  kthread+0x328/0x630
[   30.844959]  ret_from_fork+0x10/0x20
[   30.845185] 
[   30.845272] Allocated by task 227:
[   30.845438]  kasan_save_stack+0x3c/0x68
[   30.845530]  kasan_save_track+0x20/0x40
[   30.845603]  kasan_save_alloc_info+0x40/0x58
[   30.845741]  __kasan_kmalloc+0xd4/0xd8
[   30.845787]  __kmalloc_cache_noprof+0x16c/0x3c0
[   30.845961]  ksize_uaf+0xb8/0x5f8
[   30.846111]  kunit_try_run_case+0x170/0x3f0
[   30.846244]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.846324]  kthread+0x328/0x630
[   30.846490]  ret_from_fork+0x10/0x20
[   30.846660] 
[   30.846739] Freed by task 227:
[   30.846976]  kasan_save_stack+0x3c/0x68
[   30.847060]  kasan_save_track+0x20/0x40
[   30.847217]  kasan_save_free_info+0x4c/0x78
[   30.847372]  __kasan_slab_free+0x6c/0x98
[   30.847462]  kfree+0x214/0x3c8
[   30.847619]  ksize_uaf+0x11c/0x5f8
[   30.847720]  kunit_try_run_case+0x170/0x3f0
[   30.847862]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.847909]  kthread+0x328/0x630
[   30.848134]  ret_from_fork+0x10/0x20
[   30.848307] 
[   30.848340] The buggy address belongs to the object at fff00000c6361f00
[   30.848340]  which belongs to the cache kmalloc-128 of size 128
[   30.848501] The buggy address is located 120 bytes inside of
[   30.848501]  freed 128-byte region [fff00000c6361f00, fff00000c6361f80)
[   30.848726] 
[   30.848859] The buggy address belongs to the physical page:
[   30.848950] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106361
[   30.849015] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   30.849188] page_type: f5(slab)
[   30.849262] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   30.849373] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   30.849440] page dumped because: kasan: bad access detected
[   30.849609] 
[   30.849834] Memory state around the buggy address:
[   30.849922]  fff00000c6361e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.850102]  fff00000c6361e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.850185] >fff00000c6361f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.850297]                                                                 ^
[   30.850400]  fff00000c6361f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.850502]  fff00000c6362000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   30.850553] ==================================================================

[   23.796248] ==================================================================
[   23.796803] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   23.797496] Read of size 1 at addr ffff888104a24a00 by task kunit_try_catch/245
[   23.798140] 
[   23.798288] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250716 #1 PREEMPT(voluntary) 
[   23.798663] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.798680] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.798701] Call Trace:
[   23.798715]  <TASK>
[   23.798732]  dump_stack_lvl+0x73/0xb0
[   23.798764]  print_report+0xd1/0x610
[   23.798785]  ? __virt_addr_valid+0x1db/0x2d0
[   23.798808]  ? ksize_uaf+0x5fe/0x6c0
[   23.798828]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.798860]  ? ksize_uaf+0x5fe/0x6c0
[   23.798901]  kasan_report+0x141/0x180
[   23.798922]  ? ksize_uaf+0x5fe/0x6c0
[   23.798947]  __asan_report_load1_noabort+0x18/0x20
[   23.798970]  ksize_uaf+0x5fe/0x6c0
[   23.798990]  ? __pfx_ksize_uaf+0x10/0x10
[   23.799011]  ? __schedule+0x10c6/0x2b60
[   23.799034]  ? __pfx_read_tsc+0x10/0x10
[   23.799055]  ? ktime_get_ts64+0x86/0x230
[   23.799080]  kunit_try_run_case+0x1a5/0x480
[   23.799104]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.799125]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.799147]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.799169]  ? __kthread_parkme+0x82/0x180
[   23.799188]  ? preempt_count_sub+0x50/0x80
[   23.799211]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.799233]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.799259]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.799295]  kthread+0x337/0x6f0
[   23.799315]  ? trace_preempt_on+0x20/0xc0
[   23.799337]  ? __pfx_kthread+0x10/0x10
[   23.799357]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.799377]  ? calculate_sigpending+0x7b/0xa0
[   23.799400]  ? __pfx_kthread+0x10/0x10
[   23.799421]  ret_from_fork+0x116/0x1d0
[   23.799439]  ? __pfx_kthread+0x10/0x10
[   23.799458]  ret_from_fork_asm+0x1a/0x30
[   23.799488]  </TASK>
[   23.799499] 
[   23.810437] Allocated by task 245:
[   23.810789]  kasan_save_stack+0x45/0x70
[   23.810970]  kasan_save_track+0x18/0x40
[   23.811372]  kasan_save_alloc_info+0x3b/0x50
[   23.811654]  __kasan_kmalloc+0xb7/0xc0
[   23.812040]  __kmalloc_cache_noprof+0x189/0x420
[   23.812262]  ksize_uaf+0xaa/0x6c0
[   23.812404]  kunit_try_run_case+0x1a5/0x480
[   23.812868]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.813160]  kthread+0x337/0x6f0
[   23.813437]  ret_from_fork+0x116/0x1d0
[   23.813652]  ret_from_fork_asm+0x1a/0x30
[   23.814035] 
[   23.814112] Freed by task 245:
[   23.814528]  kasan_save_stack+0x45/0x70
[   23.814781]  kasan_save_track+0x18/0x40
[   23.815134]  kasan_save_free_info+0x3f/0x60
[   23.815359]  __kasan_slab_free+0x56/0x70
[   23.815767]  kfree+0x222/0x3f0
[   23.815952]  ksize_uaf+0x12c/0x6c0
[   23.816479]  kunit_try_run_case+0x1a5/0x480
[   23.816645]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.817204]  kthread+0x337/0x6f0
[   23.817381]  ret_from_fork+0x116/0x1d0
[   23.817603]  ret_from_fork_asm+0x1a/0x30
[   23.817797] 
[   23.818066] The buggy address belongs to the object at ffff888104a24a00
[   23.818066]  which belongs to the cache kmalloc-128 of size 128
[   23.818748] The buggy address is located 0 bytes inside of
[   23.818748]  freed 128-byte region [ffff888104a24a00, ffff888104a24a80)
[   23.819563] 
[   23.819832] The buggy address belongs to the physical page:
[   23.820429] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104a24
[   23.820871] flags: 0x200000000000000(node=0|zone=2)
[   23.821308] page_type: f5(slab)
[   23.821501] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   23.821997] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   23.822462] page dumped because: kasan: bad access detected
[   23.822839] 
[   23.822924] Memory state around the buggy address:
[   23.823437]  ffff888104a24900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.823853]  ffff888104a24980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.824175] >ffff888104a24a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.824505]                    ^
[   23.825081]  ffff888104a24a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.825480]  ffff888104a24b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.825888] ==================================================================
[   23.769871] ==================================================================
[   23.771439] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   23.772646] Read of size 1 at addr ffff888104a24a00 by task kunit_try_catch/245
[   23.773788] 
[   23.774188] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250716 #1 PREEMPT(voluntary) 
[   23.774244] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.774257] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.774426] Call Trace:
[   23.774444]  <TASK>
[   23.774463]  dump_stack_lvl+0x73/0xb0
[   23.774564]  print_report+0xd1/0x610
[   23.774588]  ? __virt_addr_valid+0x1db/0x2d0
[   23.774611]  ? ksize_uaf+0x19d/0x6c0
[   23.774630]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.774655]  ? ksize_uaf+0x19d/0x6c0
[   23.774675]  kasan_report+0x141/0x180
[   23.774696]  ? ksize_uaf+0x19d/0x6c0
[   23.774718]  ? ksize_uaf+0x19d/0x6c0
[   23.774738]  __kasan_check_byte+0x3d/0x50
[   23.774759]  ksize+0x20/0x60
[   23.774779]  ksize_uaf+0x19d/0x6c0
[   23.774798]  ? __pfx_ksize_uaf+0x10/0x10
[   23.774819]  ? __schedule+0x10c6/0x2b60
[   23.774842]  ? __pfx_read_tsc+0x10/0x10
[   23.774880]  ? ktime_get_ts64+0x86/0x230
[   23.774905]  kunit_try_run_case+0x1a5/0x480
[   23.774928]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.774949]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.774971]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.774992]  ? __kthread_parkme+0x82/0x180
[   23.775012]  ? preempt_count_sub+0x50/0x80
[   23.775035]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.775057]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.775083]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.775109]  kthread+0x337/0x6f0
[   23.775127]  ? trace_preempt_on+0x20/0xc0
[   23.775150]  ? __pfx_kthread+0x10/0x10
[   23.775170]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.775189]  ? calculate_sigpending+0x7b/0xa0
[   23.775212]  ? __pfx_kthread+0x10/0x10
[   23.775233]  ret_from_fork+0x116/0x1d0
[   23.775251]  ? __pfx_kthread+0x10/0x10
[   23.775271]  ret_from_fork_asm+0x1a/0x30
[   23.775310]  </TASK>
[   23.775321] 
[   23.783022] Allocated by task 245:
[   23.783205]  kasan_save_stack+0x45/0x70
[   23.783469]  kasan_save_track+0x18/0x40
[   23.783688]  kasan_save_alloc_info+0x3b/0x50
[   23.783996]  __kasan_kmalloc+0xb7/0xc0
[   23.784186]  __kmalloc_cache_noprof+0x189/0x420
[   23.784412]  ksize_uaf+0xaa/0x6c0
[   23.784643]  kunit_try_run_case+0x1a5/0x480
[   23.784801]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.785198]  kthread+0x337/0x6f0
[   23.785389]  ret_from_fork+0x116/0x1d0
[   23.785613]  ret_from_fork_asm+0x1a/0x30
[   23.785749] 
[   23.785841] Freed by task 245:
[   23.786146]  kasan_save_stack+0x45/0x70
[   23.786404]  kasan_save_track+0x18/0x40
[   23.786641]  kasan_save_free_info+0x3f/0x60
[   23.786956]  __kasan_slab_free+0x56/0x70
[   23.787127]  kfree+0x222/0x3f0
[   23.787317]  ksize_uaf+0x12c/0x6c0
[   23.787490]  kunit_try_run_case+0x1a5/0x480
[   23.787699]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.787917]  kthread+0x337/0x6f0
[   23.788071]  ret_from_fork+0x116/0x1d0
[   23.788228]  ret_from_fork_asm+0x1a/0x30
[   23.788419] 
[   23.788484] The buggy address belongs to the object at ffff888104a24a00
[   23.788484]  which belongs to the cache kmalloc-128 of size 128
[   23.788971] The buggy address is located 0 bytes inside of
[   23.788971]  freed 128-byte region [ffff888104a24a00, ffff888104a24a80)
[   23.789620] 
[   23.789724] The buggy address belongs to the physical page:
[   23.790078] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104a24
[   23.790355] flags: 0x200000000000000(node=0|zone=2)
[   23.790616] page_type: f5(slab)
[   23.790818] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   23.791336] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   23.791685] page dumped because: kasan: bad access detected
[   23.791911] 
[   23.791979] Memory state around the buggy address:
[   23.792130]  ffff888104a24900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.792355]  ffff888104a24980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.792697] >ffff888104a24a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.793129]                    ^
[   23.793309]  ffff888104a24a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.793659]  ffff888104a24b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.794069] ==================================================================
[   23.827120] ==================================================================
[   23.827462] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   23.827887] Read of size 1 at addr ffff888104a24a78 by task kunit_try_catch/245
[   23.828322] 
[   23.828442] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250716 #1 PREEMPT(voluntary) 
[   23.828930] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.828953] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.828975] Call Trace:
[   23.828991]  <TASK>
[   23.829009]  dump_stack_lvl+0x73/0xb0
[   23.829044]  print_report+0xd1/0x610
[   23.829066]  ? __virt_addr_valid+0x1db/0x2d0
[   23.829091]  ? ksize_uaf+0x5e4/0x6c0
[   23.829111]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.829136]  ? ksize_uaf+0x5e4/0x6c0
[   23.829156]  kasan_report+0x141/0x180
[   23.829177]  ? ksize_uaf+0x5e4/0x6c0
[   23.829201]  __asan_report_load1_noabort+0x18/0x20
[   23.829224]  ksize_uaf+0x5e4/0x6c0
[   23.829244]  ? __pfx_ksize_uaf+0x10/0x10
[   23.829265]  ? __schedule+0x10c6/0x2b60
[   23.829305]  ? __pfx_read_tsc+0x10/0x10
[   23.829327]  ? ktime_get_ts64+0x86/0x230
[   23.829353]  kunit_try_run_case+0x1a5/0x480
[   23.829377]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.829399]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.829421]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.829443]  ? __kthread_parkme+0x82/0x180
[   23.829463]  ? preempt_count_sub+0x50/0x80
[   23.829487]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.829509]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.829535]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.829578]  kthread+0x337/0x6f0
[   23.829598]  ? trace_preempt_on+0x20/0xc0
[   23.829621]  ? __pfx_kthread+0x10/0x10
[   23.829641]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.829661]  ? calculate_sigpending+0x7b/0xa0
[   23.829685]  ? __pfx_kthread+0x10/0x10
[   23.829706]  ret_from_fork+0x116/0x1d0
[   23.829724]  ? __pfx_kthread+0x10/0x10
[   23.829744]  ret_from_fork_asm+0x1a/0x30
[   23.829775]  </TASK>
[   23.829785] 
[   23.837487] Allocated by task 245:
[   23.837780]  kasan_save_stack+0x45/0x70
[   23.838041]  kasan_save_track+0x18/0x40
[   23.838216]  kasan_save_alloc_info+0x3b/0x50
[   23.838450]  __kasan_kmalloc+0xb7/0xc0
[   23.838574]  __kmalloc_cache_noprof+0x189/0x420
[   23.838719]  ksize_uaf+0xaa/0x6c0
[   23.838834]  kunit_try_run_case+0x1a5/0x480
[   23.838968]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.839353]  kthread+0x337/0x6f0
[   23.839598]  ret_from_fork+0x116/0x1d0
[   23.839818]  ret_from_fork_asm+0x1a/0x30
[   23.840049] 
[   23.840159] Freed by task 245:
[   23.840326]  kasan_save_stack+0x45/0x70
[   23.840544]  kasan_save_track+0x18/0x40
[   23.840971]  kasan_save_free_info+0x3f/0x60
[   23.841305]  __kasan_slab_free+0x56/0x70
[   23.841498]  kfree+0x222/0x3f0
[   23.841798]  ksize_uaf+0x12c/0x6c0
[   23.842150]  kunit_try_run_case+0x1a5/0x480
[   23.842312]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.842479]  kthread+0x337/0x6f0
[   23.842589]  ret_from_fork+0x116/0x1d0
[   23.842710]  ret_from_fork_asm+0x1a/0x30
[   23.842840] 
[   23.842903] The buggy address belongs to the object at ffff888104a24a00
[   23.842903]  which belongs to the cache kmalloc-128 of size 128
[   23.843478] The buggy address is located 120 bytes inside of
[   23.843478]  freed 128-byte region [ffff888104a24a00, ffff888104a24a80)
[   23.844003] 
[   23.844097] The buggy address belongs to the physical page:
[   23.844358] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104a24
[   23.844633] flags: 0x200000000000000(node=0|zone=2)
[   23.844789] page_type: f5(slab)
[   23.845198] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   23.845599] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   23.845892] page dumped because: kasan: bad access detected
[   23.846194] 
[   23.846306] Memory state around the buggy address:
[   23.846541]  ffff888104a24900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.846843]  ffff888104a24980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.847217] >ffff888104a24a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.847464]                                                                 ^
[   23.847880]  ffff888104a24a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.848300]  ffff888104a24b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.848834] ==================================================================
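All six reports above come from one KUnit case, `ksize_uaf`, which is part of the KASAN self-test suite under mm/kasan/ and is meant to trip KASAN: it allocates a kmalloc-128 object, frees it, and then probes the freed pointer three times. The first probe calls `ksize()` on the freed pointer, which is why that report is raised from `__kasan_check_byte` inside `ksize` rather than at a load in the caller; the other two are direct one-byte reads at offset 0 and at offset 120 of the 128-byte object. The `Tainted: [N]=TEST` flag and the `kunit_try_catch` task name mark them as self-test output, not a bug in the kernel under test (on x86_64 the page lists the three reports out of timestamp order; the one at 23.769 is the `ksize()` probe). The parser below is an added example, not code from this page or from the kernel tree: it splits a dmesg excerpt into reports, pulls out the bug type, faulting site, taint flags, call-trace frames and offset, and exposes `is_selftest` / `via_ksize` so CI triage can keep expected self-test hits apart from real findings. All class and function names are my own; `SAMPLE_LOG` is a trimmed copy of the first and third arm64 reports above, included only so the block runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg "[   30.827222] " prefix
HEAD_RE = re.compile(r"BUG: KASAN: (\S+) in (\S+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
TAINT_RE = re.compile(r"\[(\w)\]=(\w+)")  # "[B]=BAD_PAGE, [N]=TEST"
OFFSET_RE = re.compile(r"located (\d+) bytes inside of")
FRAME_RE = re.compile(r"^([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")  # "? " frames never match

@dataclass
class KasanReport:
    bug_type: str  # e.g. "slab-use-after-free"
    site: str  # faulting function+offset, e.g. "ksize_uaf+0x168/0x5f8"
    addr: int
    task: str  # "comm/pid" of the faulting task
    taints: Dict[str, str] = field(default_factory=dict)
    offset_in_region: int = -1
    frames: List[str] = field(default_factory=list)  # non-"?" frames of the Call trace

    @property
    def is_selftest(self) -> bool:
        # KUnit sets TAINT_TEST ([N]=TEST) and runs each case on a kunit_try_catch thread.
        return "N" in self.taints or self.task.startswith("kunit_try_catch/")

    @property
    def via_ksize(self) -> bool:
        # ksize() validates its argument, so a freed pointer is reported from inside ksize().
        return "ksize" in self.frames

def split_reports(text: str) -> List[List[str]]:
    """Return the prefix-stripped lines between each pair of '====' delimiter lines."""
    reports: List[List[str]] = []
    current: List[str] = []
    inside = False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if line and set(line) == {"="}:
            if inside:
                reports.append(current)
                current = []
            inside = not inside
        elif inside:
            current.append(line)
    return reports

def parse_report(lines: List[str]) -> KasanReport:
    head = access = None
    extra: dict = {"taints": {}, "frames": []}
    in_trace = False
    for line in lines:
        if in_trace:  # the Call trace runs until the first blank line
            if not line:
                in_trace = False
            elif (m := FRAME_RE.match(line)):
                extra["frames"].append(m.group(1))
        elif (m := HEAD_RE.search(line)):
            head = m
        elif (m := ACCESS_RE.search(line)):
            access = m
        elif line.startswith("Tainted: ["):
            extra["taints"] = dict(TAINT_RE.findall(line))
        elif line.lower().startswith("call trace"):
            in_trace = True
        elif (m := OFFSET_RE.search(line)):
            extra["offset_in_region"] = int(m.group(1))
    if head is None or access is None:
        raise ValueError("not a KASAN report")
    return KasanReport(head.group(1), head.group(2), int(access.group(3), 16),
                       access.group(4), **extra)

def parse_log(text: str) -> List[KasanReport]:
    return [parse_report(body) for body in split_reports(text)]

# Constructed input: a trimmed copy of the first and third arm64 reports on this page.
SAMPLE_LOG = """\
[   30.827164] ==================================================================
[   30.827222] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   30.827274] Read of size 1 at addr fff00000c6361f00 by task kunit_try_catch/227
[   30.827464] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.827910] Call trace:
[   30.828686]  __kasan_check_byte+0x54/0x70
[   30.828791]  ksize+0x30/0x88
[   30.828875]  ksize_uaf+0x168/0x5f8
[   30.829696]
[   30.833050] The buggy address is located 0 bytes inside of
[   30.835806] ==================================================================
[   30.842923] ==================================================================
[   30.842984] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   30.843041] Read of size 1 at addr fff00000c6361f78 by task kunit_try_catch/227
[   30.843719] Call trace:
[   30.844345]  __asan_report_load1_noabort+0x20/0x30
[   30.844455]  ksize_uaf+0x544/0x5f8
[   30.845185]
[   30.848501] The buggy address is located 120 bytes inside of
[   30.850553] ==================================================================
"""
```

Feeding the full page into `parse_log` yields six `KasanReport` objects, all with `is_selftest` true; a real finding in CI output would show up with no `[N]=TEST` taint and a task other than `kunit_try_catch`, and the `frames` list lets a dedup key be built from the first non-KASAN frame instead of the raw `site` offset, which changes with every build.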