Date
July 18, 2025, 1:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 31.746860] ================================================================== [ 31.746982] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 31.747131] Read of size 1 at addr fff00000c3efde00 by task kunit_try_catch/227 [ 31.747186] [ 31.747217] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250718 #1 PREEMPT [ 31.747558] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.747589] Hardware name: linux,dummy-virt (DT) [ 31.747622] Call trace: [ 31.747772] show_stack+0x20/0x38 (C) [ 31.747983] dump_stack_lvl+0x8c/0xd0 [ 31.748183] print_report+0x118/0x5e8 [ 31.748253] kasan_report+0xdc/0x128 [ 31.748423] __kasan_check_byte+0x54/0x70 [ 31.748579] ksize+0x30/0x88 [ 31.748648] ksize_uaf+0x168/0x5f8 [ 31.748792] kunit_try_run_case+0x170/0x3f0 [ 31.748877] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.749018] kthread+0x328/0x630 [ 31.749098] ret_from_fork+0x10/0x20 [ 31.749220] [ 31.749239] Allocated by task 227: [ 31.749291] kasan_save_stack+0x3c/0x68 [ 31.749577] kasan_save_track+0x20/0x40 [ 31.749647] kasan_save_alloc_info+0x40/0x58 [ 31.749685] __kasan_kmalloc+0xd4/0xd8 [ 31.749722] __kmalloc_cache_noprof+0x16c/0x3c0 [ 31.749821] ksize_uaf+0xb8/0x5f8 [ 31.749860] kunit_try_run_case+0x170/0x3f0 [ 31.749902] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.749961] kthread+0x328/0x630 [ 31.749994] ret_from_fork+0x10/0x20 [ 31.750045] [ 31.750070] Freed by task 227: [ 31.750353] kasan_save_stack+0x3c/0x68 [ 31.750469] kasan_save_track+0x20/0x40 [ 31.750619] kasan_save_free_info+0x4c/0x78 [ 31.750685] __kasan_slab_free+0x6c/0x98 [ 31.751017] kfree+0x214/0x3c8 [ 31.751075] ksize_uaf+0x11c/0x5f8 [ 31.751144] kunit_try_run_case+0x170/0x3f0 [ 31.751486] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.751567] kthread+0x328/0x630 [ 31.751652] ret_from_fork+0x10/0x20 [ 31.751755] [ 31.751799] The buggy address belongs to the object at fff00000c3efde00 [ 31.751799] which belongs to the cache kmalloc-128 of size 128 [ 31.751976] The buggy address is located 0 bytes inside of [ 31.751976] freed 128-byte region [fff00000c3efde00, fff00000c3efde80) [ 31.752092] [ 31.752329] The buggy address belongs to the physical page: [ 31.752428] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103efd [ 31.752584] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.752670] page_type: f5(slab) [ 31.752727] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000100 dead000000000122 [ 31.752859] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 31.752983] page dumped because: kasan: bad access detected [ 31.753043] [ 31.753106] Memory state around the buggy address: [ 31.753194] fff00000c3efdd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.753265] fff00000c3efdd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.753307] >fff00000c3efde00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.753584] ^ [ 31.753670] fff00000c3efde80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.753757] fff00000c3efdf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.753846] ================================================================== [ 31.754478] ================================================================== [ 31.754742] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 31.754951] Read of size 1 at addr fff00000c3efde00 by task kunit_try_catch/227 [ 31.755027] [ 31.755086] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250718 #1 PREEMPT [ 31.755215] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.755253] Hardware name: linux,dummy-virt (DT) [ 31.755284] Call trace: [ 31.755313] show_stack+0x20/0x38 (C) [ 31.755525] dump_stack_lvl+0x8c/0xd0 [ 31.755686] print_report+0x118/0x5e8 [ 31.755817] kasan_report+0xdc/0x128 [ 31.755926] __asan_report_load1_noabort+0x20/0x30 [ 31.756012] ksize_uaf+0x598/0x5f8 [ 31.756198] kunit_try_run_case+0x170/0x3f0 [ 31.756245] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.756294] kthread+0x328/0x630 [ 31.756631] ret_from_fork+0x10/0x20 [ 31.756697] [ 31.756717] Allocated by task 227: [ 31.756783] kasan_save_stack+0x3c/0x68 [ 31.756825] kasan_save_track+0x20/0x40 [ 31.756859] kasan_save_alloc_info+0x40/0x58 [ 31.756897] __kasan_kmalloc+0xd4/0xd8 [ 31.756941] __kmalloc_cache_noprof+0x16c/0x3c0 [ 31.756982] ksize_uaf+0xb8/0x5f8 [ 31.757016] kunit_try_run_case+0x170/0x3f0 [ 31.757051] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.757320] kthread+0x328/0x630 [ 31.757441] ret_from_fork+0x10/0x20 [ 31.757522] [ 31.757604] Freed by task 227: [ 31.757685] kasan_save_stack+0x3c/0x68 [ 31.757735] kasan_save_track+0x20/0x40 [ 31.758061] kasan_save_free_info+0x4c/0x78 [ 31.758152] __kasan_slab_free+0x6c/0x98 [ 31.758205] kfree+0x214/0x3c8 [ 31.758258] ksize_uaf+0x11c/0x5f8 [ 31.758512] kunit_try_run_case+0x170/0x3f0 [ 31.758682] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.758732] kthread+0x328/0x630 [ 31.758982] ret_from_fork+0x10/0x20 [ 31.759181] [ 31.759234] The buggy address belongs to the object at fff00000c3efde00 [ 31.759234] which belongs to the cache kmalloc-128 of size 128 [ 31.759357] The buggy address is located 0 bytes inside of [ 31.759357] freed 128-byte region [fff00000c3efde00, fff00000c3efde80) [ 31.759514] [ 31.759565] The buggy address belongs to the physical page: [ 31.759846] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103efd [ 31.759990] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.760183] page_type: f5(slab) [ 31.760256] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000100 dead000000000122 [ 31.760392] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 31.760469] page dumped because: kasan: bad access detected [ 31.760615] [ 31.760653] Memory state around the buggy address: [ 31.760688] fff00000c3efdd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.760733] fff00000c3efdd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.760775] >fff00000c3efde00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.761095] ^ [ 31.761149] fff00000c3efde80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.761214] fff00000c3efdf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.761316] ================================================================== [ 31.761905] ================================================================== [ 31.761954] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 31.762003] Read of size 1 at addr fff00000c3efde78 by task kunit_try_catch/227 [ 31.762087] [ 31.762118] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250718 #1 PREEMPT [ 31.762202] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.762237] Hardware name: linux,dummy-virt (DT) [ 31.762266] Call trace: [ 31.762289] show_stack+0x20/0x38 (C) [ 31.762342] dump_stack_lvl+0x8c/0xd0 [ 31.762390] print_report+0x118/0x5e8 [ 31.762433] kasan_report+0xdc/0x128 [ 31.762473] __asan_report_load1_noabort+0x20/0x30 [ 31.762521] ksize_uaf+0x544/0x5f8 [ 31.762563] kunit_try_run_case+0x170/0x3f0 [ 31.762614] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.762665] kthread+0x328/0x630 [ 31.762710] ret_from_fork+0x10/0x20 [ 31.762754] [ 31.762773] Allocated by task 227: [ 31.762810] kasan_save_stack+0x3c/0x68 [ 31.762847] kasan_save_track+0x20/0x40 [ 31.762890] kasan_save_alloc_info+0x40/0x58 [ 31.762930] __kasan_kmalloc+0xd4/0xd8 [ 31.762964] __kmalloc_cache_noprof+0x16c/0x3c0 [ 31.763004] ksize_uaf+0xb8/0x5f8 [ 31.763039] kunit_try_run_case+0x170/0x3f0 [ 31.763076] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.763128] kthread+0x328/0x630 [ 31.763431] ret_from_fork+0x10/0x20 [ 31.763584] [ 31.763622] Freed by task 227: [ 31.763799] kasan_save_stack+0x3c/0x68 [ 31.763954] kasan_save_track+0x20/0x40 [ 31.764131] kasan_save_free_info+0x4c/0x78 [ 31.764218] __kasan_slab_free+0x6c/0x98 [ 31.764580] kfree+0x214/0x3c8 [ 31.764651] ksize_uaf+0x11c/0x5f8 [ 31.765189] kunit_try_run_case+0x170/0x3f0 [ 31.765496] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.765573] kthread+0x328/0x630 [ 31.765637] ret_from_fork+0x10/0x20 [ 31.765727] [ 31.765819] The buggy address belongs to the object at fff00000c3efde00 [ 31.765819] which belongs to the cache kmalloc-128 of size 128 [ 31.765939] The buggy address is located 120 bytes inside of [ 31.765939] freed 128-byte region [fff00000c3efde00, fff00000c3efde80) [ 31.766003] [ 31.766026] The buggy address belongs to the physical page: [ 31.766208] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103efd [ 31.766330] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.766653] page_type: f5(slab) [ 31.766964] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000100 dead000000000122 [ 31.767030] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 31.767385] page dumped because: kasan: bad access detected [ 31.767448] [ 31.767498] Memory state around the buggy address: [ 31.767767] fff00000c3efdd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.767833] fff00000c3efdd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.767884] >fff00000c3efde00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.767993] ^ [ 31.768068] fff00000c3efde80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.768189] fff00000c3efdf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.768257] ==================================================================
[ 25.314132] ================================================================== [ 25.315499] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 25.316249] Read of size 1 at addr ffff8881053b7300 by task kunit_try_catch/244 [ 25.317261] [ 25.317616] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250718 #1 PREEMPT(voluntary) [ 25.317671] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.317684] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.317707] Call Trace: [ 25.317719] <TASK> [ 25.317737] dump_stack_lvl+0x73/0xb0 [ 25.317772] print_report+0xd1/0x640 [ 25.317794] ? __virt_addr_valid+0x1db/0x2d0 [ 25.317819] ? ksize_uaf+0x19d/0x6c0 [ 25.317933] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.317961] ? ksize_uaf+0x19d/0x6c0 [ 25.317981] kasan_report+0x141/0x180 [ 25.318002] ? ksize_uaf+0x19d/0x6c0 [ 25.318025] ? ksize_uaf+0x19d/0x6c0 [ 25.318044] __kasan_check_byte+0x3d/0x50 [ 25.318065] ksize+0x20/0x60 [ 25.318086] ksize_uaf+0x19d/0x6c0 [ 25.318106] ? __pfx_ksize_uaf+0x10/0x10 [ 25.318126] ? __schedule+0x10da/0x2b60 [ 25.318149] ? __pfx_read_tsc+0x10/0x10 [ 25.318171] ? ktime_get_ts64+0x86/0x230 [ 25.318196] kunit_try_run_case+0x1a5/0x480 [ 25.318237] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.318259] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 25.318292] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.318324] ? __kthread_parkme+0x82/0x180 [ 25.318344] ? preempt_count_sub+0x50/0x80 [ 25.318367] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.318389] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.318411] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.318433] kthread+0x337/0x6f0 [ 25.318452] ? trace_preempt_on+0x20/0xc0 [ 25.318475] ? __pfx_kthread+0x10/0x10 [ 25.318494] ? _raw_spin_unlock_irq+0x47/0x80 [ 25.318523] ? calculate_sigpending+0x7b/0xa0 [ 25.318546] ? __pfx_kthread+0x10/0x10 [ 25.318566] ret_from_fork+0x116/0x1d0 [ 25.318584] ? __pfx_kthread+0x10/0x10 [ 25.318604] ret_from_fork_asm+0x1a/0x30 [ 25.318640] </TASK> [ 25.318652] [ 25.332663] Allocated by task 244: [ 25.332858] kasan_save_stack+0x45/0x70 [ 25.333263] kasan_save_track+0x18/0x40 [ 25.333480] kasan_save_alloc_info+0x3b/0x50 [ 25.333685] __kasan_kmalloc+0xb7/0xc0 [ 25.333869] __kmalloc_cache_noprof+0x189/0x420 [ 25.334084] ksize_uaf+0xaa/0x6c0 [ 25.334246] kunit_try_run_case+0x1a5/0x480 [ 25.334686] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.335237] kthread+0x337/0x6f0 [ 25.335394] ret_from_fork+0x116/0x1d0 [ 25.335816] ret_from_fork_asm+0x1a/0x30 [ 25.336110] [ 25.336182] Freed by task 244: [ 25.336338] kasan_save_stack+0x45/0x70 [ 25.336467] kasan_save_track+0x18/0x40 [ 25.336693] kasan_save_free_info+0x3f/0x60 [ 25.337123] __kasan_slab_free+0x56/0x70 [ 25.337561] kfree+0x222/0x3f0 [ 25.337905] ksize_uaf+0x12c/0x6c0 [ 25.338332] kunit_try_run_case+0x1a5/0x480 [ 25.338821] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.338987] kthread+0x337/0x6f0 [ 25.339096] ret_from_fork+0x116/0x1d0 [ 25.339225] ret_from_fork_asm+0x1a/0x30 [ 25.339350] [ 25.339417] The buggy address belongs to the object at ffff8881053b7300 [ 25.339417] which belongs to the cache kmalloc-128 of size 128 [ 25.339848] The buggy address is located 0 bytes inside of [ 25.339848] freed 128-byte region [ffff8881053b7300, ffff8881053b7380) [ 25.340300] [ 25.340368] The buggy address belongs to the physical page: [ 25.340611] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1053b7 [ 25.340938] flags: 0x200000000000000(node=0|zone=2) [ 25.341138] page_type: f5(slab) [ 25.341285] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 25.341698] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.342027] page dumped because: kasan: bad access detected [ 25.342252] [ 25.342318] Memory state around the buggy address: [ 25.342528] ffff8881053b7200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.342799] ffff8881053b7280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.343073] >ffff8881053b7300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.343424] ^ [ 25.343563] ffff8881053b7380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.344083] ffff8881053b7400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.344358] ================================================================== [ 25.346033] ================================================================== [ 25.346514] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 25.346902] Read of size 1 at addr ffff8881053b7300 by task kunit_try_catch/244 [ 25.347154] [ 25.347251] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250718 #1 PREEMPT(voluntary) [ 25.347298] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.347310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.347332] Call Trace: [ 25.347351] <TASK> [ 25.347368] dump_stack_lvl+0x73/0xb0 [ 25.347399] print_report+0xd1/0x640 [ 25.347421] ? __virt_addr_valid+0x1db/0x2d0 [ 25.347443] ? ksize_uaf+0x5fe/0x6c0 [ 25.347462] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.347486] ? ksize_uaf+0x5fe/0x6c0 [ 25.347506] kasan_report+0x141/0x180 [ 25.347526] ? ksize_uaf+0x5fe/0x6c0 [ 25.347550] __asan_report_load1_noabort+0x18/0x20 [ 25.347573] ksize_uaf+0x5fe/0x6c0 [ 25.347592] ? __pfx_ksize_uaf+0x10/0x10 [ 25.347612] ? __schedule+0x10da/0x2b60 [ 25.347635] ? __pfx_read_tsc+0x10/0x10 [ 25.347656] ? ktime_get_ts64+0x86/0x230 [ 25.347680] kunit_try_run_case+0x1a5/0x480 [ 25.347703] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.347723] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 25.347757] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.347861] ? __kthread_parkme+0x82/0x180 [ 25.347882] ? preempt_count_sub+0x50/0x80 [ 25.347905] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.347927] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.347950] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.347971] kthread+0x337/0x6f0 [ 25.347990] ? trace_preempt_on+0x20/0xc0 [ 25.348012] ? __pfx_kthread+0x10/0x10 [ 25.348031] ? _raw_spin_unlock_irq+0x47/0x80 [ 25.348061] ? calculate_sigpending+0x7b/0xa0 [ 25.348084] ? __pfx_kthread+0x10/0x10 [ 25.348104] ret_from_fork+0x116/0x1d0 [ 25.348122] ? __pfx_kthread+0x10/0x10 [ 25.348141] ret_from_fork_asm+0x1a/0x30 [ 25.348171] </TASK> [ 25.348181] [ 25.354963] Allocated by task 244: [ 25.355130] kasan_save_stack+0x45/0x70 [ 25.355320] kasan_save_track+0x18/0x40 [ 25.355471] kasan_save_alloc_info+0x3b/0x50 [ 25.355652] __kasan_kmalloc+0xb7/0xc0 [ 25.356019] __kmalloc_cache_noprof+0x189/0x420 [ 25.356249] ksize_uaf+0xaa/0x6c0 [ 25.356417] kunit_try_run_case+0x1a5/0x480 [ 25.356603] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.356880] kthread+0x337/0x6f0 [ 25.357036] ret_from_fork+0x116/0x1d0 [ 25.357207] ret_from_fork_asm+0x1a/0x30 [ 25.357389] [ 25.357451] Freed by task 244: [ 25.357601] kasan_save_stack+0x45/0x70 [ 25.357759] kasan_save_track+0x18/0x40 [ 25.357976] kasan_save_free_info+0x3f/0x60 [ 25.358173] __kasan_slab_free+0x56/0x70 [ 25.358343] kfree+0x222/0x3f0 [ 25.358502] ksize_uaf+0x12c/0x6c0 [ 25.358661] kunit_try_run_case+0x1a5/0x480 [ 25.358909] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.359122] kthread+0x337/0x6f0 [ 25.359288] ret_from_fork+0x116/0x1d0 [ 25.359473] ret_from_fork_asm+0x1a/0x30 [ 25.359634] [ 25.359698] The buggy address belongs to the object at ffff8881053b7300 [ 25.359698] which belongs to the cache kmalloc-128 of size 128 [ 25.360280] The buggy address is located 0 bytes inside of [ 25.360280] freed 128-byte region [ffff8881053b7300, ffff8881053b7380) [ 25.360720] [ 25.361035] The buggy address belongs to the physical page: [ 25.361267] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1053b7 [ 25.361576] flags: 0x200000000000000(node=0|zone=2) [ 25.361887] page_type: f5(slab) [ 25.362034] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 25.362348] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.362568] page dumped because: kasan: bad access detected [ 25.362738] [ 25.362874] Memory state around the buggy address: [ 25.363034] ffff8881053b7200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.363319] ffff8881053b7280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.363632] >ffff8881053b7300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.364015] ^ [ 25.364181] ffff8881053b7380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.364498] ffff8881053b7400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.364769] ================================================================== [ 25.365986] ================================================================== [ 25.366354] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 25.366655] Read of size 1 at addr ffff8881053b7378 by task kunit_try_catch/244 [ 25.366989] [ 25.367096] CPU: 0 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250718 #1 PREEMPT(voluntary) [ 25.367141] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.367152] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.367172] Call Trace: [ 25.367189] <TASK> [ 25.367204] dump_stack_lvl+0x73/0xb0 [ 25.367244] print_report+0xd1/0x640 [ 25.367264] ? __virt_addr_valid+0x1db/0x2d0 [ 25.367286] ? ksize_uaf+0x5e4/0x6c0 [ 25.367305] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.367329] ? ksize_uaf+0x5e4/0x6c0 [ 25.367348] kasan_report+0x141/0x180 [ 25.367368] ? ksize_uaf+0x5e4/0x6c0 [ 25.367392] __asan_report_load1_noabort+0x18/0x20 [ 25.367414] ksize_uaf+0x5e4/0x6c0 [ 25.367434] ? __pfx_ksize_uaf+0x10/0x10 [ 25.367454] ? __schedule+0x10da/0x2b60 [ 25.367476] ? __pfx_read_tsc+0x10/0x10 [ 25.367496] ? ktime_get_ts64+0x86/0x230 [ 25.367519] kunit_try_run_case+0x1a5/0x480 [ 25.367541] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.367562] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 25.367594] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.367625] ? __kthread_parkme+0x82/0x180 [ 25.367644] ? preempt_count_sub+0x50/0x80 [ 25.367666] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.367688] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.367710] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.367731] kthread+0x337/0x6f0 [ 25.367749] ? trace_preempt_on+0x20/0xc0 [ 25.367773] ? __pfx_kthread+0x10/0x10 [ 25.367794] ? _raw_spin_unlock_irq+0x47/0x80 [ 25.367825] ? calculate_sigpending+0x7b/0xa0 [ 25.367848] ? __pfx_kthread+0x10/0x10 [ 25.367868] ret_from_fork+0x116/0x1d0 [ 25.367885] ? __pfx_kthread+0x10/0x10 [ 25.367904] ret_from_fork_asm+0x1a/0x30 [ 25.367934] </TASK> [ 25.367944] [ 25.377035] Allocated by task 244: [ 25.377657] kasan_save_stack+0x45/0x70 [ 25.378094] kasan_save_track+0x18/0x40 [ 25.378267] kasan_save_alloc_info+0x3b/0x50 [ 25.378479] __kasan_kmalloc+0xb7/0xc0 [ 25.378666] __kmalloc_cache_noprof+0x189/0x420 [ 25.378859] ksize_uaf+0xaa/0x6c0 [ 25.379023] kunit_try_run_case+0x1a5/0x480 [ 25.379230] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.379463] kthread+0x337/0x6f0 [ 25.379612] ret_from_fork+0x116/0x1d0 [ 25.379785] ret_from_fork_asm+0x1a/0x30 [ 25.379970] [ 25.380046] Freed by task 244: [ 25.380205] kasan_save_stack+0x45/0x70 [ 25.380640] kasan_save_track+0x18/0x40 [ 25.380776] kasan_save_free_info+0x3f/0x60 [ 25.381010] __kasan_slab_free+0x56/0x70 [ 25.381185] kfree+0x222/0x3f0 [ 25.381361] ksize_uaf+0x12c/0x6c0 [ 25.381547] kunit_try_run_case+0x1a5/0x480 [ 25.381769] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.382102] kthread+0x337/0x6f0 [ 25.382277] ret_from_fork+0x116/0x1d0 [ 25.382439] ret_from_fork_asm+0x1a/0x30 [ 25.382642] [ 25.382759] The buggy address belongs to the object at ffff8881053b7300 [ 25.382759] which belongs to the cache kmalloc-128 of size 128 [ 25.383348] The buggy address is located 120 bytes inside of [ 25.383348] freed 128-byte region [ffff8881053b7300, ffff8881053b7380) [ 25.383913] [ 25.384032] The buggy address belongs to the physical page: [ 25.384260] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1053b7 [ 25.384599] flags: 0x200000000000000(node=0|zone=2) [ 25.385059] page_type: f5(slab) [ 25.385214] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 25.385565] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.385978] page dumped because: kasan: bad access detected [ 25.386262] [ 25.386349] Memory state around the buggy address: [ 25.386566] ffff8881053b7200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.386931] ffff8881053b7280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.387214] >ffff8881053b7300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.387542] ^ [ 25.387908] ffff8881053b7380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.388233] ffff8881053b7400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.388543] ==================================================================