Date: July 17, 2025, 10:12 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64 (Hardware name: linux,dummy-virt):

```
[   29.812090] ==================================================================
[   29.812143] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   29.812426] Read of size 1 at addr fff00000c9b1e478 by task kunit_try_catch/227
[   29.812600]
[   29.812715] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250717 #1 PREEMPT
[   29.812835] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.812864] Hardware name: linux,dummy-virt (DT)
[   29.812893] Call trace:
[   29.812930]  show_stack+0x20/0x38 (C)
[   29.813176]  dump_stack_lvl+0x8c/0xd0
[   29.813338]  print_report+0x118/0x5d0
[   29.813491]  kasan_report+0xdc/0x128
[   29.813603]  __asan_report_load1_noabort+0x20/0x30
[   29.813689]  ksize_uaf+0x544/0x5f8
[   29.813837]  kunit_try_run_case+0x170/0x3f0
[   29.813888]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.814119]  kthread+0x328/0x630
[   29.814169]  ret_from_fork+0x10/0x20
[   29.814241]
[   29.814297] Allocated by task 227:
[   29.814327]  kasan_save_stack+0x3c/0x68
[   29.814373]  kasan_save_track+0x20/0x40
[   29.814409]  kasan_save_alloc_info+0x40/0x58
[   29.814462]  __kasan_kmalloc+0xd4/0xd8
[   29.814505]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.814547]  ksize_uaf+0xb8/0x5f8
[   29.814598]  kunit_try_run_case+0x170/0x3f0
[   29.814635]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.814685]  kthread+0x328/0x630
[   29.814718]  ret_from_fork+0x10/0x20
[   29.814754]
[   29.814779] Freed by task 227:
[   29.814806]  kasan_save_stack+0x3c/0x68
[   29.814841]  kasan_save_track+0x20/0x40
[   29.814874]  kasan_save_free_info+0x4c/0x78
[   29.814922]  __kasan_slab_free+0x6c/0x98
[   29.814958]  kfree+0x214/0x3c8
[   29.815001]  ksize_uaf+0x11c/0x5f8
[   29.815037]  kunit_try_run_case+0x170/0x3f0
[   29.815087]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.815138]  kthread+0x328/0x630
[   29.815181]  ret_from_fork+0x10/0x20
[   29.815216]
[   29.815235] The buggy address belongs to the object at fff00000c9b1e400
[   29.815235]  which belongs to the cache kmalloc-128 of size 128
[   29.815301] The buggy address is located 120 bytes inside of
[   29.815301]  freed 128-byte region [fff00000c9b1e400, fff00000c9b1e480)
[   29.815365]
[   29.815394] The buggy address belongs to the physical page:
[   29.815423] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b1e
[   29.815474] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   29.815529] page_type: f5(slab)
[   29.815575] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   29.815626] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   29.815675] page dumped because: kasan: bad access detected
[   29.815713]
[   29.815731] Memory state around the buggy address:
[   29.815772]  fff00000c9b1e300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.815830]  fff00000c9b1e380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.815871] >fff00000c9b1e400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.815908]                                                                 ^
[   29.815954]  fff00000c9b1e480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.815996]  fff00000c9b1e500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.816034] ==================================================================
[   29.795545] ==================================================================
[   29.795791] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   29.796142] Read of size 1 at addr fff00000c9b1e400 by task kunit_try_catch/227
[   29.796284]
[   29.796317] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250717 #1 PREEMPT
[   29.796456] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.796512] Hardware name: linux,dummy-virt (DT)
[   29.796550] Call trace:
[   29.796574]  show_stack+0x20/0x38 (C)
[   29.796633]  dump_stack_lvl+0x8c/0xd0
[   29.796683]  print_report+0x118/0x5d0
[   29.796967]  kasan_report+0xdc/0x128
[   29.797332]  __kasan_check_byte+0x54/0x70
[   29.797521]  ksize+0x30/0x88
[   29.797576]  ksize_uaf+0x168/0x5f8
[   29.797631]  kunit_try_run_case+0x170/0x3f0
[   29.797680]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.797801]  kthread+0x328/0x630
[   29.797864]  ret_from_fork+0x10/0x20
[   29.797917]
[   29.797944] Allocated by task 227:
[   29.797974]  kasan_save_stack+0x3c/0x68
[   29.798014]  kasan_save_track+0x20/0x40
[   29.798081]  kasan_save_alloc_info+0x40/0x58
[   29.798131]  __kasan_kmalloc+0xd4/0xd8
[   29.798164]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.798205]  ksize_uaf+0xb8/0x5f8
[   29.798242]  kunit_try_run_case+0x170/0x3f0
[   29.798279]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.798331]  kthread+0x328/0x630
[   29.798364]  ret_from_fork+0x10/0x20
[   29.798407]
[   29.798427] Freed by task 227:
[   29.798453]  kasan_save_stack+0x3c/0x68
[   29.798487]  kasan_save_track+0x20/0x40
[   29.798529]  kasan_save_free_info+0x4c/0x78
[   29.798575]  __kasan_slab_free+0x6c/0x98
[   29.798627]  kfree+0x214/0x3c8
[   29.798667]  ksize_uaf+0x11c/0x5f8
[   29.798704]  kunit_try_run_case+0x170/0x3f0
[   29.798750]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.798798]  kthread+0x328/0x630
[   29.798831]  ret_from_fork+0x10/0x20
[   29.798868]
[   29.798895] The buggy address belongs to the object at fff00000c9b1e400
[   29.798895]  which belongs to the cache kmalloc-128 of size 128
[   29.798953] The buggy address is located 0 bytes inside of
[   29.798953]  freed 128-byte region [fff00000c9b1e400, fff00000c9b1e480)
[   29.799024]
[   29.799044] The buggy address belongs to the physical page:
[   29.799433] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b1e
[   29.800008] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   29.800124] page_type: f5(slab)
[   29.800200] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   29.800326] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   29.800418] page dumped because: kasan: bad access detected
[   29.800529]
[   29.800572] Memory state around the buggy address:
[   29.800606]  fff00000c9b1e300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.801074]  fff00000c9b1e380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.801200] >fff00000c9b1e400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.801305]                    ^
[   29.801382]  fff00000c9b1e480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.801492]  fff00000c9b1e500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.801606] ==================================================================
[   29.803086] ==================================================================
[   29.803289] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   29.803362] Read of size 1 at addr fff00000c9b1e400 by task kunit_try_catch/227
[   29.803413]
[   29.803499] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250717 #1 PREEMPT
[   29.803587] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.803776] Hardware name: linux,dummy-virt (DT)
[   29.803819] Call trace:
[   29.803865]  show_stack+0x20/0x38 (C)
[   29.803918]  dump_stack_lvl+0x8c/0xd0
[   29.804104]  print_report+0x118/0x5d0
[   29.804217]  kasan_report+0xdc/0x128
[   29.804311]  __asan_report_load1_noabort+0x20/0x30
[   29.804362]  ksize_uaf+0x598/0x5f8
[   29.804514]  kunit_try_run_case+0x170/0x3f0
[   29.804607]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.804661]  kthread+0x328/0x630
[   29.804721]  ret_from_fork+0x10/0x20
[   29.805123]
[   29.805165] Allocated by task 227:
[   29.805248]  kasan_save_stack+0x3c/0x68
[   29.805375]  kasan_save_track+0x20/0x40
[   29.805450]  kasan_save_alloc_info+0x40/0x58
[   29.805596]  __kasan_kmalloc+0xd4/0xd8
[   29.805687]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.805730]  ksize_uaf+0xb8/0x5f8
[   29.806016]  kunit_try_run_case+0x170/0x3f0
[   29.806250]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.806352]  kthread+0x328/0x630
[   29.806467]  ret_from_fork+0x10/0x20
[   29.806505]
[   29.806651] Freed by task 227:
[   29.806725]  kasan_save_stack+0x3c/0x68
[   29.807015]  kasan_save_track+0x20/0x40
[   29.807193]  kasan_save_free_info+0x4c/0x78
[   29.807273]  __kasan_slab_free+0x6c/0x98
[   29.807385]  kfree+0x214/0x3c8
[   29.807423]  ksize_uaf+0x11c/0x5f8
[   29.807578]  kunit_try_run_case+0x170/0x3f0
[   29.807860]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.807945]  kthread+0x328/0x630
[   29.808112]  ret_from_fork+0x10/0x20
[   29.808198]
[   29.808272] The buggy address belongs to the object at fff00000c9b1e400
[   29.808272]  which belongs to the cache kmalloc-128 of size 128
[   29.808623] The buggy address is located 0 bytes inside of
[   29.808623]  freed 128-byte region [fff00000c9b1e400, fff00000c9b1e480)
[   29.808778]
[   29.808853] The buggy address belongs to the physical page:
[   29.808939] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b1e
[   29.809104] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   29.809322] page_type: f5(slab)
[   29.809541] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   29.809613] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   29.809773] page dumped because: kasan: bad access detected
[   29.809841]
[   29.809988] Memory state around the buggy address:
[   29.810069]  fff00000c9b1e300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.810198]  fff00000c9b1e380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.810287] >fff00000c9b1e400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.810347]                    ^
[   29.810731]  fff00000c9b1e480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.810790]  fff00000c9b1e500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.810968] ==================================================================
```
qemu-x86_64 (Hardware name: QEMU Standard PC):

```
[   26.173155] ==================================================================
[   26.173799] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   26.174120] Read of size 1 at addr ffff88810553d978 by task kunit_try_catch/245
[   26.174442]
[   26.174544] CPU: 0 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250717 #1 PREEMPT(voluntary)
[   26.174588] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.174599] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   26.174618] Call Trace:
[   26.174630]  <TASK>
[   26.174644]  dump_stack_lvl+0x73/0xb0
[   26.174671]  print_report+0xd1/0x610
[   26.174692]  ? __virt_addr_valid+0x1db/0x2d0
[   26.174714]  ? ksize_uaf+0x5e4/0x6c0
[   26.174733]  ? kasan_complete_mode_report_info+0x64/0x200
[   26.174758]  ? ksize_uaf+0x5e4/0x6c0
[   26.174779]  kasan_report+0x141/0x180
[   26.174799]  ? ksize_uaf+0x5e4/0x6c0
[   26.174824]  __asan_report_load1_noabort+0x18/0x20
[   26.174847]  ksize_uaf+0x5e4/0x6c0
[   26.174866]  ? __pfx_ksize_uaf+0x10/0x10
[   26.174886]  ? __schedule+0x10c6/0x2b60
[   26.174908]  ? __pfx_read_tsc+0x10/0x10
[   26.174928]  ? ktime_get_ts64+0x86/0x230
[   26.174951]  kunit_try_run_case+0x1a5/0x480
[   26.174973]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.174994]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   26.175015]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.175037]  ? __kthread_parkme+0x82/0x180
[   26.175060]  ? preempt_count_sub+0x50/0x80
[   26.175092]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.175115]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.175136]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.175158]  kthread+0x337/0x6f0
[   26.175176]  ? trace_preempt_on+0x20/0xc0
[   26.175198]  ? __pfx_kthread+0x10/0x10
[   26.175217]  ? _raw_spin_unlock_irq+0x47/0x80
[   26.175238]  ? calculate_sigpending+0x7b/0xa0
[   26.175259]  ? __pfx_kthread+0x10/0x10
[   26.175291]  ret_from_fork+0x116/0x1d0
[   26.175309]  ? __pfx_kthread+0x10/0x10
[   26.175328]  ret_from_fork_asm+0x1a/0x30
[   26.175359]  </TASK>
[   26.175369]
[   26.181772] Allocated by task 245:
[   26.181937]  kasan_save_stack+0x45/0x70
[   26.182110]  kasan_save_track+0x18/0x40
[   26.182289]  kasan_save_alloc_info+0x3b/0x50
[   26.182438]  __kasan_kmalloc+0xb7/0xc0
[   26.182622]  __kmalloc_cache_noprof+0x189/0x420
[   26.182803]  ksize_uaf+0xaa/0x6c0
[   26.182917]  kunit_try_run_case+0x1a5/0x480
[   26.183053]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.183228]  kthread+0x337/0x6f0
[   26.183338]  ret_from_fork+0x116/0x1d0
[   26.183461]  ret_from_fork_asm+0x1a/0x30
[   26.183590]
[   26.183651] Freed by task 245:
[   26.183752]  kasan_save_stack+0x45/0x70
[   26.183923]  kasan_save_track+0x18/0x40
[   26.184176]  kasan_save_free_info+0x3f/0x60
[   26.184512]  __kasan_slab_free+0x56/0x70
[   26.184695]  kfree+0x222/0x3f0
[   26.184846]  ksize_uaf+0x12c/0x6c0
[   26.185009]  kunit_try_run_case+0x1a5/0x480
[   26.185210]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.185504]  kthread+0x337/0x6f0
[   26.185615]  ret_from_fork+0x116/0x1d0
[   26.185738]  ret_from_fork_asm+0x1a/0x30
[   26.185867]
[   26.185933] The buggy address belongs to the object at ffff88810553d900
[   26.185933]  which belongs to the cache kmalloc-128 of size 128
[   26.186290] The buggy address is located 120 bytes inside of
[   26.186290]  freed 128-byte region [ffff88810553d900, ffff88810553d980)
[   26.187250]
[   26.187427] The buggy address belongs to the physical page:
[   26.187672] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10553d
[   26.188021] flags: 0x200000000000000(node=0|zone=2)
[   26.188257] page_type: f5(slab)
[   26.188422] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   26.188700] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   26.188917] page dumped because: kasan: bad access detected
[   26.189177]
[   26.189262] Memory state around the buggy address:
[   26.189631]  ffff88810553d800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.189874]  ffff88810553d880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.190106] >ffff88810553d900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.190598]                                                                 ^
[   26.190877]  ffff88810553d980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.191097]  ffff88810553da00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.191575] ==================================================================
[   26.128722] ==================================================================
[   26.129106] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   26.129459] Read of size 1 at addr ffff88810553d900 by task kunit_try_catch/245
[   26.130055]
[   26.130233] CPU: 0 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250717 #1 PREEMPT(voluntary)
[   26.130282] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.130293] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   26.130313] Call Trace:
[   26.130325]  <TASK>
[   26.130340]  dump_stack_lvl+0x73/0xb0
[   26.130369]  print_report+0xd1/0x610
[   26.130390]  ? __virt_addr_valid+0x1db/0x2d0
[   26.130414]  ? ksize_uaf+0x19d/0x6c0
[   26.130433]  ? kasan_complete_mode_report_info+0x64/0x200
[   26.130457]  ? ksize_uaf+0x19d/0x6c0
[   26.130477]  kasan_report+0x141/0x180
[   26.130498]  ? ksize_uaf+0x19d/0x6c0
[   26.130520]  ? ksize_uaf+0x19d/0x6c0
[   26.130797]  __kasan_check_byte+0x3d/0x50
[   26.130820]  ksize+0x20/0x60
[   26.130841]  ksize_uaf+0x19d/0x6c0
[   26.130860]  ? __pfx_ksize_uaf+0x10/0x10
[   26.130881]  ? __schedule+0x10c6/0x2b60
[   26.130903]  ? __pfx_read_tsc+0x10/0x10
[   26.130924]  ? ktime_get_ts64+0x86/0x230
[   26.130948]  kunit_try_run_case+0x1a5/0x480
[   26.130971]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.130992]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   26.131013]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.131035]  ? __kthread_parkme+0x82/0x180
[   26.131059]  ? preempt_count_sub+0x50/0x80
[   26.131094]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.131116]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.131138]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.131160]  kthread+0x337/0x6f0
[   26.131178]  ? trace_preempt_on+0x20/0xc0
[   26.131200]  ? __pfx_kthread+0x10/0x10
[   26.131220]  ? _raw_spin_unlock_irq+0x47/0x80
[   26.131240]  ? calculate_sigpending+0x7b/0xa0
[   26.131263]  ? __pfx_kthread+0x10/0x10
[   26.131292]  ret_from_fork+0x116/0x1d0
[   26.131310]  ? __pfx_kthread+0x10/0x10
[   26.131330]  ret_from_fork_asm+0x1a/0x30
[   26.131361]  </TASK>
[   26.131371]
[   26.139585] Allocated by task 245:
[   26.139848]  kasan_save_stack+0x45/0x70
[   26.140110]  kasan_save_track+0x18/0x40
[   26.140275]  kasan_save_alloc_info+0x3b/0x50
[   26.140659]  __kasan_kmalloc+0xb7/0xc0
[   26.140832]  __kmalloc_cache_noprof+0x189/0x420
[   26.141145]  ksize_uaf+0xaa/0x6c0
[   26.141343]  kunit_try_run_case+0x1a5/0x480
[   26.141524]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.141742]  kthread+0x337/0x6f0
[   26.141885]  ret_from_fork+0x116/0x1d0
[   26.142060]  ret_from_fork_asm+0x1a/0x30
[   26.142227]
[   26.142325] Freed by task 245:
[   26.142841]  kasan_save_stack+0x45/0x70
[   26.143000]  kasan_save_track+0x18/0x40
[   26.143201]  kasan_save_free_info+0x3f/0x60
[   26.143460]  __kasan_slab_free+0x56/0x70
[   26.143790]  kfree+0x222/0x3f0
[   26.143942]  ksize_uaf+0x12c/0x6c0
[   26.144219]  kunit_try_run_case+0x1a5/0x480
[   26.144442]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.144798]  kthread+0x337/0x6f0
[   26.144957]  ret_from_fork+0x116/0x1d0
[   26.145255]  ret_from_fork_asm+0x1a/0x30
[   26.145429]
[   26.145589] The buggy address belongs to the object at ffff88810553d900
[   26.145589]  which belongs to the cache kmalloc-128 of size 128
[   26.146048] The buggy address is located 0 bytes inside of
[   26.146048]  freed 128-byte region [ffff88810553d900, ffff88810553d980)
[   26.146825]
[   26.146924] The buggy address belongs to the physical page:
[   26.147134] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10553d
[   26.147692] flags: 0x200000000000000(node=0|zone=2)
[   26.147900] page_type: f5(slab)
[   26.148193] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   26.148657] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   26.148927] page dumped because: kasan: bad access detected
[   26.149287]
[   26.149412] Memory state around the buggy address:
[   26.149714]  ffff88810553d800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.150054]  ffff88810553d880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.150468] >ffff88810553d900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.150747]                    ^
[   26.150888]  ffff88810553d980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.151192]  ffff88810553da00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.151656] ==================================================================
[   26.152606] ==================================================================
[   26.153194] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   26.153526] Read of size 1 at addr ffff88810553d900 by task kunit_try_catch/245
[   26.153823]
[   26.153910] CPU: 0 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250717 #1 PREEMPT(voluntary)
[   26.153960] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.153971] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   26.153990] Call Trace:
[   26.154003]  <TASK>
[   26.154016]  dump_stack_lvl+0x73/0xb0
[   26.154043]  print_report+0xd1/0x610
[   26.154064]  ? __virt_addr_valid+0x1db/0x2d0
[   26.154096]  ? ksize_uaf+0x5fe/0x6c0
[   26.154115]  ? kasan_complete_mode_report_info+0x64/0x200
[   26.154139]  ? ksize_uaf+0x5fe/0x6c0
[   26.154159]  kasan_report+0x141/0x180
[   26.154179]  ? ksize_uaf+0x5fe/0x6c0
[   26.154203]  __asan_report_load1_noabort+0x18/0x20
[   26.154226]  ksize_uaf+0x5fe/0x6c0
[   26.154245]  ? __pfx_ksize_uaf+0x10/0x10
[   26.154265]  ? __schedule+0x10c6/0x2b60
[   26.154576]  ? __pfx_read_tsc+0x10/0x10
[   26.154599]  ? ktime_get_ts64+0x86/0x230
[   26.154623]  kunit_try_run_case+0x1a5/0x480
[   26.154646]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.154667]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   26.154689]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.154711]  ? __kthread_parkme+0x82/0x180
[   26.154734]  ? preempt_count_sub+0x50/0x80
[   26.154756]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.154778]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.154800]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.154822]  kthread+0x337/0x6f0
[   26.154840]  ? trace_preempt_on+0x20/0xc0
[   26.154862]  ? __pfx_kthread+0x10/0x10
[   26.154881]  ? _raw_spin_unlock_irq+0x47/0x80
[   26.154902]  ? calculate_sigpending+0x7b/0xa0
[   26.154924]  ? __pfx_kthread+0x10/0x10
[   26.154944]  ret_from_fork+0x116/0x1d0
[   26.154962]  ? __pfx_kthread+0x10/0x10
[   26.154981]  ret_from_fork_asm+0x1a/0x30
[   26.155012]  </TASK>
[   26.155022]
[   26.163287] Allocated by task 245:
[   26.163580]  kasan_save_stack+0x45/0x70
[   26.163732]  kasan_save_track+0x18/0x40
[   26.163907]  kasan_save_alloc_info+0x3b/0x50
[   26.164120]  __kasan_kmalloc+0xb7/0xc0
[   26.164250]  __kmalloc_cache_noprof+0x189/0x420
[   26.164455]  ksize_uaf+0xaa/0x6c0
[   26.164632]  kunit_try_run_case+0x1a5/0x480
[   26.164779]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.165000]  kthread+0x337/0x6f0
[   26.165147]  ret_from_fork+0x116/0x1d0
[   26.165299]  ret_from_fork_asm+0x1a/0x30
[   26.165496]
[   26.165576] Freed by task 245:
[   26.165711]  kasan_save_stack+0x45/0x70
[   26.165870]  kasan_save_track+0x18/0x40
[   26.166052]  kasan_save_free_info+0x3f/0x60
[   26.166242]  __kasan_slab_free+0x56/0x70
[   26.166439]  kfree+0x222/0x3f0
[   26.166547]  ksize_uaf+0x12c/0x6c0
[   26.166661]  kunit_try_run_case+0x1a5/0x480
[   26.166843]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.167189]  kthread+0x337/0x6f0
[   26.167377]  ret_from_fork+0x116/0x1d0
[   26.167527]  ret_from_fork_asm+0x1a/0x30
[   26.167704]
[   26.167765] The buggy address belongs to the object at ffff88810553d900
[   26.167765]  which belongs to the cache kmalloc-128 of size 128
[   26.168226] The buggy address is located 0 bytes inside of
[   26.168226]  freed 128-byte region [ffff88810553d900, ffff88810553d980)
[   26.168716]
[   26.168805] The buggy address belongs to the physical page:
[   26.169004] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10553d
[   26.169297] flags: 0x200000000000000(node=0|zone=2)
[   26.169530] page_type: f5(slab)
[   26.169658] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   26.169966] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   26.170293] page dumped because: kasan: bad access detected
[   26.170469]
[   26.170529] Memory state around the buggy address:
[   26.170675]  ffff88810553d800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.170923]  ffff88810553d880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.171238] >ffff88810553d900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.171664]                    ^
[   26.171817]  ffff88810553d980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.172139]  ffff88810553da00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.172434] ==================================================================
```