Date
July 22, 2025, 5:13 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:

[ 30.604242] ==================================================================
[ 30.604804] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 30.604887] Read of size 1 at addr fff00000c9a95078 by task kunit_try_catch/227
[ 30.605070]
[ 30.605123] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250722 #1 PREEMPT
[ 30.605571] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 30.605661] Hardware name: linux,dummy-virt (DT)
[ 30.605846] Call trace:
[ 30.605928] show_stack+0x20/0x38 (C)
[ 30.606221] dump_stack_lvl+0x8c/0xd0
[ 30.606522] print_report+0x118/0x5e8
[ 30.606696] kasan_report+0xdc/0x128
[ 30.606862] __asan_report_load1_noabort+0x20/0x30
[ 30.606952] ksize_uaf+0x544/0x5f8
[ 30.607041] kunit_try_run_case+0x170/0x3f0
[ 30.607471] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.607704] kthread+0x328/0x630
[ 30.607801] ret_from_fork+0x10/0x20
[ 30.608096]
[ 30.608201] Allocated by task 227:
[ 30.608444] kasan_save_stack+0x3c/0x68
[ 30.608550] kasan_save_track+0x20/0x40
[ 30.608693] kasan_save_alloc_info+0x40/0x58
[ 30.608781] __kasan_kmalloc+0xd4/0xd8
[ 30.608892] __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.608936] ksize_uaf+0xb8/0x5f8
[ 30.608970] kunit_try_run_case+0x170/0x3f0
[ 30.609007] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.609230] kthread+0x328/0x630
[ 30.610147] ret_from_fork+0x10/0x20
[ 30.610217]
[ 30.610260] Freed by task 227:
[ 30.610357] kasan_save_stack+0x3c/0x68
[ 30.610421] kasan_save_track+0x20/0x40
[ 30.610459] kasan_save_free_info+0x4c/0x78
[ 30.610523] __kasan_slab_free+0x6c/0x98
[ 30.610609] kfree+0x214/0x3c8
[ 30.610674] ksize_uaf+0x11c/0x5f8
[ 30.610840] kunit_try_run_case+0x170/0x3f0
[ 30.611166] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.611254] kthread+0x328/0x630
[ 30.611473] ret_from_fork+0x10/0x20
[ 30.611944]
[ 30.612001] The buggy address belongs to the object at fff00000c9a95000
[ 30.612001] which belongs to the cache kmalloc-128 of size 128
[ 30.612158] The buggy address is located 120 bytes inside of
[ 30.612158] freed 128-byte region [fff00000c9a95000, fff00000c9a95080)
[ 30.612229]
[ 30.612249] The buggy address belongs to the physical page:
[ 30.612284] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a95
[ 30.612340] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.612411] page_type: f5(slab)
[ 30.612448] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 30.612511] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 30.612553] page dumped because: kasan: bad access detected
[ 30.612584]
[ 30.612618] Memory state around the buggy address:
[ 30.612659] fff00000c9a94f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.612712] fff00000c9a94f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.612755] >fff00000c9a95000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.612793] ^
[ 30.612848] fff00000c9a95080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.613157] fff00000c9a95100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.613504] ==================================================================

[ 30.593974] ==================================================================
[ 30.594044] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 30.594290] Read of size 1 at addr fff00000c9a95000 by task kunit_try_catch/227
[ 30.594355]
[ 30.594957] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250722 #1 PREEMPT
[ 30.595069] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 30.595116] Hardware name: linux,dummy-virt (DT)
[ 30.595163] Call trace:
[ 30.595188] show_stack+0x20/0x38 (C)
[ 30.595255] dump_stack_lvl+0x8c/0xd0
[ 30.595703] print_report+0x118/0x5e8
[ 30.595770] kasan_report+0xdc/0x128
[ 30.595962] __asan_report_load1_noabort+0x20/0x30
[ 30.596054] ksize_uaf+0x598/0x5f8
[ 30.596145] kunit_try_run_case+0x170/0x3f0
[ 30.596234] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.596317] kthread+0x328/0x630
[ 30.596528] ret_from_fork+0x10/0x20
[ 30.596748]
[ 30.596846] Allocated by task 227:
[ 30.596987] kasan_save_stack+0x3c/0x68
[ 30.597082] kasan_save_track+0x20/0x40
[ 30.597198] kasan_save_alloc_info+0x40/0x58
[ 30.597286] __kasan_kmalloc+0xd4/0xd8
[ 30.597559] __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.597844] ksize_uaf+0xb8/0x5f8
[ 30.598008] kunit_try_run_case+0x170/0x3f0
[ 30.598089] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.598226] kthread+0x328/0x630
[ 30.598302] ret_from_fork+0x10/0x20
[ 30.598375]
[ 30.598506] Freed by task 227:
[ 30.598537] kasan_save_stack+0x3c/0x68
[ 30.598619] kasan_save_track+0x20/0x40
[ 30.599022] kasan_save_free_info+0x4c/0x78
[ 30.599083] __kasan_slab_free+0x6c/0x98
[ 30.599227] kfree+0x214/0x3c8
[ 30.599285] ksize_uaf+0x11c/0x5f8
[ 30.599366] kunit_try_run_case+0x170/0x3f0
[ 30.599508] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.599552] kthread+0x328/0x630
[ 30.599753] ret_from_fork+0x10/0x20
[ 30.599893]
[ 30.600146] The buggy address belongs to the object at fff00000c9a95000
[ 30.600146] which belongs to the cache kmalloc-128 of size 128
[ 30.600233] The buggy address is located 0 bytes inside of
[ 30.600233] freed 128-byte region [fff00000c9a95000, fff00000c9a95080)
[ 30.600414]
[ 30.600485] The buggy address belongs to the physical page:
[ 30.600520] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a95
[ 30.600774] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.600864] page_type: f5(slab)
[ 30.600960] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 30.601347] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 30.601586] page dumped because: kasan: bad access detected
[ 30.601628]
[ 30.601671] Memory state around the buggy address:
[ 30.601955] fff00000c9a94f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.602113] fff00000c9a94f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.602225] >fff00000c9a95000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.602265] ^
[ 30.602501] fff00000c9a95080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.602893] fff00000c9a95100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.603010] ==================================================================

[ 30.587185] ==================================================================
[ 30.587251] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 30.587515] Read of size 1 at addr fff00000c9a95000 by task kunit_try_catch/227
[ 30.587652]
[ 30.587703] CPU: 1 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250722 #1 PREEMPT
[ 30.588110] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 30.588161] Hardware name: linux,dummy-virt (DT)
[ 30.588195] Call trace:
[ 30.588420] show_stack+0x20/0x38 (C)
[ 30.588694] dump_stack_lvl+0x8c/0xd0
[ 30.588764] print_report+0x118/0x5e8
[ 30.588809] kasan_report+0xdc/0x128
[ 30.589104] __kasan_check_byte+0x54/0x70
[ 30.589199] ksize+0x30/0x88
[ 30.589452] ksize_uaf+0x168/0x5f8
[ 30.589629] kunit_try_run_case+0x170/0x3f0
[ 30.589873] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.589968] kthread+0x328/0x630
[ 30.590241] ret_from_fork+0x10/0x20
[ 30.590506]
[ 30.590561] Allocated by task 227:
[ 30.590696] kasan_save_stack+0x3c/0x68
[ 30.590761] kasan_save_track+0x20/0x40
[ 30.590796] kasan_save_alloc_info+0x40/0x58
[ 30.590846] __kasan_kmalloc+0xd4/0xd8
[ 30.590890] __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.590939] ksize_uaf+0xb8/0x5f8
[ 30.590984] kunit_try_run_case+0x170/0x3f0
[ 30.591022] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.591064] kthread+0x328/0x630
[ 30.591097] ret_from_fork+0x10/0x20
[ 30.591142]
[ 30.591162] Freed by task 227:
[ 30.591196] kasan_save_stack+0x3c/0x68
[ 30.591233] kasan_save_track+0x20/0x40
[ 30.591277] kasan_save_free_info+0x4c/0x78
[ 30.591315] __kasan_slab_free+0x6c/0x98
[ 30.591361] kfree+0x214/0x3c8
[ 30.591405] ksize_uaf+0x11c/0x5f8
[ 30.591450] kunit_try_run_case+0x170/0x3f0
[ 30.591487] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.591529] kthread+0x328/0x630
[ 30.591563] ret_from_fork+0x10/0x20
[ 30.591598]
[ 30.591627] The buggy address belongs to the object at fff00000c9a95000
[ 30.591627] which belongs to the cache kmalloc-128 of size 128
[ 30.591696] The buggy address is located 0 bytes inside of
[ 30.591696] freed 128-byte region [fff00000c9a95000, fff00000c9a95080)
[ 30.591757]
[ 30.591791] The buggy address belongs to the physical page:
[ 30.591844] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a95
[ 30.591899] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.591958] page_type: f5(slab)
[ 30.592013] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 30.592071] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 30.592120] page dumped because: kasan: bad access detected
[ 30.592151]
[ 30.592177] Memory state around the buggy address:
[ 30.592224] fff00000c9a94f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.592273] fff00000c9a94f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.592322] >fff00000c9a95000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.592360] ^
[ 30.592394] fff00000c9a95080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.592436] fff00000c9a95100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.592474] ==================================================================
qemu-x86_64:

[ 25.623602] ==================================================================
[ 25.623951] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 25.624349] Read of size 1 at addr ffff8881058a9678 by task kunit_try_catch/244
[ 25.624820]
[ 25.624952] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250722 #1 PREEMPT(voluntary)
[ 25.624998] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.625011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.625032] Call Trace:
[ 25.625046] <TASK>
[ 25.625059] dump_stack_lvl+0x73/0xb0
[ 25.625088] print_report+0xd1/0x640
[ 25.625111] ? __virt_addr_valid+0x1db/0x2d0
[ 25.625135] ? ksize_uaf+0x5e4/0x6c0
[ 25.625156] ? kasan_complete_mode_report_info+0x64/0x200
[ 25.625182] ? ksize_uaf+0x5e4/0x6c0
[ 25.625204] kasan_report+0x141/0x180
[ 25.625227] ? ksize_uaf+0x5e4/0x6c0
[ 25.625252] __asan_report_load1_noabort+0x18/0x20
[ 25.625277] ksize_uaf+0x5e4/0x6c0
[ 25.625298] ? __pfx_ksize_uaf+0x10/0x10
[ 25.625321] ? __schedule+0x10da/0x2b60
[ 25.625347] ? __pfx_read_tsc+0x10/0x10
[ 25.625369] ? ktime_get_ts64+0x86/0x230
[ 25.625393] kunit_try_run_case+0x1a5/0x480
[ 25.625418] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.625441] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 25.625466] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.625492] ? __kthread_parkme+0x82/0x180
[ 25.625512] ? preempt_count_sub+0x50/0x80
[ 25.625535] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.625560] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.625584] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.625726] kthread+0x337/0x6f0
[ 25.625756] ? trace_preempt_on+0x20/0xc0
[ 25.625807] ? __pfx_kthread+0x10/0x10
[ 25.625865] ? _raw_spin_unlock_irq+0x47/0x80
[ 25.625891] ? calculate_sigpending+0x7b/0xa0
[ 25.625914] ? __pfx_kthread+0x10/0x10
[ 25.625960] ret_from_fork+0x116/0x1d0
[ 25.626004] ? __pfx_kthread+0x10/0x10
[ 25.626049] ret_from_fork_asm+0x1a/0x30
[ 25.626080] </TASK>
[ 25.626091]
[ 25.634049] Allocated by task 244:
[ 25.634277] kasan_save_stack+0x45/0x70
[ 25.634484] kasan_save_track+0x18/0x40
[ 25.634799] kasan_save_alloc_info+0x3b/0x50
[ 25.635306] __kasan_kmalloc+0xb7/0xc0
[ 25.635742] __kmalloc_cache_noprof+0x189/0x420
[ 25.636053] ksize_uaf+0xaa/0x6c0
[ 25.636275] kunit_try_run_case+0x1a5/0x480
[ 25.636498] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.636737] kthread+0x337/0x6f0
[ 25.636894] ret_from_fork+0x116/0x1d0
[ 25.637030] ret_from_fork_asm+0x1a/0x30
[ 25.637168]
[ 25.637235] Freed by task 244:
[ 25.637345] kasan_save_stack+0x45/0x70
[ 25.637804] kasan_save_track+0x18/0x40
[ 25.638024] kasan_save_free_info+0x3f/0x60
[ 25.638307] __kasan_slab_free+0x56/0x70
[ 25.638591] kfree+0x222/0x3f0
[ 25.638764] ksize_uaf+0x12c/0x6c0
[ 25.638985] kunit_try_run_case+0x1a5/0x480
[ 25.639235] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.639637] kthread+0x337/0x6f0
[ 25.639856] ret_from_fork+0x116/0x1d0
[ 25.640081] ret_from_fork_asm+0x1a/0x30
[ 25.640293]
[ 25.640363] The buggy address belongs to the object at ffff8881058a9600
[ 25.640363] which belongs to the cache kmalloc-128 of size 128
[ 25.641176] The buggy address is located 120 bytes inside of
[ 25.641176] freed 128-byte region [ffff8881058a9600, ffff8881058a9680)
[ 25.641774]
[ 25.641943] The buggy address belongs to the physical page:
[ 25.642226] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058a9
[ 25.642721] flags: 0x200000000000000(node=0|zone=2)
[ 25.642978] page_type: f5(slab)
[ 25.643147] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 25.643599] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 25.644051] page dumped because: kasan: bad access detected
[ 25.644335]
[ 25.644426] Memory state around the buggy address:
[ 25.644749] ffff8881058a9500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.645065] ffff8881058a9580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.645528] >ffff8881058a9600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.645961] ^
[ 25.646272] ffff8881058a9680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.646590] ffff8881058a9700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.647046] ==================================================================

[ 25.576364] ==================================================================
[ 25.576906] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 25.577404] Read of size 1 at addr ffff8881058a9600 by task kunit_try_catch/244
[ 25.578008]
[ 25.578115] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250722 #1 PREEMPT(voluntary)
[ 25.578164] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.578220] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.578242] Call Trace:
[ 25.578256] <TASK>
[ 25.578271] dump_stack_lvl+0x73/0xb0
[ 25.578303] print_report+0xd1/0x640
[ 25.578327] ? __virt_addr_valid+0x1db/0x2d0
[ 25.578351] ? ksize_uaf+0x19d/0x6c0
[ 25.578372] ? kasan_complete_mode_report_info+0x64/0x200
[ 25.578398] ? ksize_uaf+0x19d/0x6c0
[ 25.578420] kasan_report+0x141/0x180
[ 25.578442] ? ksize_uaf+0x19d/0x6c0
[ 25.578466] ? ksize_uaf+0x19d/0x6c0
[ 25.578487] __kasan_check_byte+0x3d/0x50
[ 25.578509] ksize+0x20/0x60
[ 25.578590] ksize_uaf+0x19d/0x6c0
[ 25.578612] ? __pfx_ksize_uaf+0x10/0x10
[ 25.578634] ? __schedule+0x10da/0x2b60
[ 25.578661] ? __pfx_read_tsc+0x10/0x10
[ 25.578683] ? ktime_get_ts64+0x86/0x230
[ 25.578707] kunit_try_run_case+0x1a5/0x480
[ 25.578732] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.578755] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 25.578780] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.578807] ? __kthread_parkme+0x82/0x180
[ 25.578827] ? preempt_count_sub+0x50/0x80
[ 25.578862] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.578886] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.578911] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.578935] kthread+0x337/0x6f0
[ 25.578955] ? trace_preempt_on+0x20/0xc0
[ 25.578978] ? __pfx_kthread+0x10/0x10
[ 25.578998] ? _raw_spin_unlock_irq+0x47/0x80
[ 25.579022] ? calculate_sigpending+0x7b/0xa0
[ 25.579046] ? __pfx_kthread+0x10/0x10
[ 25.579068] ret_from_fork+0x116/0x1d0
[ 25.579088] ? __pfx_kthread+0x10/0x10
[ 25.579109] ret_from_fork_asm+0x1a/0x30
[ 25.579140] </TASK>
[ 25.579150]
[ 25.587401] Allocated by task 244:
[ 25.587586] kasan_save_stack+0x45/0x70
[ 25.587760] kasan_save_track+0x18/0x40
[ 25.587914] kasan_save_alloc_info+0x3b/0x50
[ 25.588125] __kasan_kmalloc+0xb7/0xc0
[ 25.588526] __kmalloc_cache_noprof+0x189/0x420
[ 25.588745] ksize_uaf+0xaa/0x6c0
[ 25.589239] kunit_try_run_case+0x1a5/0x480
[ 25.589475] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.589814] kthread+0x337/0x6f0
[ 25.590038] ret_from_fork+0x116/0x1d0
[ 25.590232] ret_from_fork_asm+0x1a/0x30
[ 25.590451]
[ 25.590522] Freed by task 244:
[ 25.590846] kasan_save_stack+0x45/0x70
[ 25.591041] kasan_save_track+0x18/0x40
[ 25.591223] kasan_save_free_info+0x3f/0x60
[ 25.591410] __kasan_slab_free+0x56/0x70
[ 25.591636] kfree+0x222/0x3f0
[ 25.591853] ksize_uaf+0x12c/0x6c0
[ 25.592051] kunit_try_run_case+0x1a5/0x480
[ 25.592276] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.592706] kthread+0x337/0x6f0
[ 25.592862] ret_from_fork+0x116/0x1d0
[ 25.593056] ret_from_fork_asm+0x1a/0x30
[ 25.593384]
[ 25.593599] The buggy address belongs to the object at ffff8881058a9600
[ 25.593599] which belongs to the cache kmalloc-128 of size 128
[ 25.594094] The buggy address is located 0 bytes inside of
[ 25.594094] freed 128-byte region [ffff8881058a9600, ffff8881058a9680)
[ 25.594638]
[ 25.594759] The buggy address belongs to the physical page:
[ 25.595126] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058a9
[ 25.595540] flags: 0x200000000000000(node=0|zone=2)
[ 25.595845] page_type: f5(slab)
[ 25.596011] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 25.596263] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 25.596492] page dumped because: kasan: bad access detected
[ 25.596662]
[ 25.596750] Memory state around the buggy address:
[ 25.596985] ffff8881058a9500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.597884] ffff8881058a9580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.598219] >ffff8881058a9600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.598452] ^
[ 25.598710] ffff8881058a9680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.599088] ffff8881058a9700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.599351] ==================================================================

[ 25.600102] ==================================================================
[ 25.600712] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 25.601080] Read of size 1 at addr ffff8881058a9600 by task kunit_try_catch/244
[ 25.601449]
[ 25.601742] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250722 #1 PREEMPT(voluntary)
[ 25.601792] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.601804] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.601825] Call Trace:
[ 25.601863] <TASK>
[ 25.601915] dump_stack_lvl+0x73/0xb0
[ 25.601950] print_report+0xd1/0x640
[ 25.601975] ? __virt_addr_valid+0x1db/0x2d0
[ 25.602001] ? ksize_uaf+0x5fe/0x6c0
[ 25.602023] ? kasan_complete_mode_report_info+0x64/0x200
[ 25.602050] ? ksize_uaf+0x5fe/0x6c0
[ 25.602105] kasan_report+0x141/0x180
[ 25.602128] ? ksize_uaf+0x5fe/0x6c0
[ 25.602154] __asan_report_load1_noabort+0x18/0x20
[ 25.602179] ksize_uaf+0x5fe/0x6c0
[ 25.602202] ? __pfx_ksize_uaf+0x10/0x10
[ 25.602224] ? __schedule+0x10da/0x2b60
[ 25.602282] ? __pfx_read_tsc+0x10/0x10
[ 25.602305] ? ktime_get_ts64+0x86/0x230
[ 25.602331] kunit_try_run_case+0x1a5/0x480
[ 25.602358] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.602411] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 25.602437] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.602519] ? __kthread_parkme+0x82/0x180
[ 25.602543] ? preempt_count_sub+0x50/0x80
[ 25.602604] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.602628] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.602653] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.602677] kthread+0x337/0x6f0
[ 25.602697] ? trace_preempt_on+0x20/0xc0
[ 25.602722] ? __pfx_kthread+0x10/0x10
[ 25.602743] ? _raw_spin_unlock_irq+0x47/0x80
[ 25.602767] ? calculate_sigpending+0x7b/0xa0
[ 25.602791] ? __pfx_kthread+0x10/0x10
[ 25.602813] ret_from_fork+0x116/0x1d0
[ 25.602845] ? __pfx_kthread+0x10/0x10
[ 25.602866] ret_from_fork_asm+0x1a/0x30
[ 25.602898] </TASK>
[ 25.602909]
[ 25.611041] Allocated by task 244:
[ 25.611265] kasan_save_stack+0x45/0x70
[ 25.611485] kasan_save_track+0x18/0x40
[ 25.611795] kasan_save_alloc_info+0x3b/0x50
[ 25.612026] __kasan_kmalloc+0xb7/0xc0
[ 25.612213] __kmalloc_cache_noprof+0x189/0x420
[ 25.612454] ksize_uaf+0xaa/0x6c0
[ 25.612706] kunit_try_run_case+0x1a5/0x480
[ 25.612942] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.613218] kthread+0x337/0x6f0
[ 25.613407] ret_from_fork+0x116/0x1d0
[ 25.613805] ret_from_fork_asm+0x1a/0x30
[ 25.614024]
[ 25.614091] Freed by task 244:
[ 25.614223] kasan_save_stack+0x45/0x70
[ 25.614419] kasan_save_track+0x18/0x40
[ 25.614773] kasan_save_free_info+0x3f/0x60
[ 25.615045] __kasan_slab_free+0x56/0x70
[ 25.615234] kfree+0x222/0x3f0
[ 25.615351] ksize_uaf+0x12c/0x6c0
[ 25.615474] kunit_try_run_case+0x1a5/0x480
[ 25.615668] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.615931] kthread+0x337/0x6f0
[ 25.616102] ret_from_fork+0x116/0x1d0
[ 25.616295] ret_from_fork_asm+0x1a/0x30
[ 25.616488]
[ 25.616578] The buggy address belongs to the object at ffff8881058a9600
[ 25.616578] which belongs to the cache kmalloc-128 of size 128
[ 25.617115] The buggy address is located 0 bytes inside of
[ 25.617115] freed 128-byte region [ffff8881058a9600, ffff8881058a9680)
[ 25.617962]
[ 25.618041] The buggy address belongs to the physical page:
[ 25.618386] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058a9
[ 25.619079] flags: 0x200000000000000(node=0|zone=2)
[ 25.619593] page_type: f5(slab)
[ 25.619791] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 25.620134] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 25.620593] page dumped because: kasan: bad access detected
[ 25.620806]
[ 25.620890] Memory state around the buggy address:
[ 25.621109] ffff8881058a9500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.621640] ffff8881058a9580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.622056] >ffff8881058a9600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.622444] ^
[ 25.622711] ffff8881058a9680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.622967] ffff8881058a9700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.623230] ==================================================================