Date
July 23, 2025, 3:10 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 31.299890] ================================================================== [ 31.299972] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 31.300111] Read of size 1 at addr fff00000c99bcf78 by task kunit_try_catch/229 [ 31.300189] [ 31.300249] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250723 #1 PREEMPT [ 31.300427] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 31.300460] Hardware name: linux,dummy-virt (DT) [ 31.300492] Call trace: [ 31.300515] show_stack+0x20/0x38 (C) [ 31.300850] dump_stack_lvl+0x8c/0xd0 [ 31.300967] print_report+0x118/0x5e8 [ 31.301087] kasan_report+0xdc/0x128 [ 31.301191] __asan_report_load1_noabort+0x20/0x30 [ 31.301281] ksize_uaf+0x544/0x5f8 [ 31.301407] kunit_try_run_case+0x170/0x3f0 [ 31.301451] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.301503] kthread+0x328/0x630 [ 31.301789] ret_from_fork+0x10/0x20 [ 31.301941] [ 31.302012] Allocated by task 229: [ 31.302081] kasan_save_stack+0x3c/0x68 [ 31.302247] kasan_save_track+0x20/0x40 [ 31.302352] kasan_save_alloc_info+0x40/0x58 [ 31.302722] __kasan_kmalloc+0xd4/0xd8 [ 31.302797] __kmalloc_cache_noprof+0x16c/0x3c0 [ 31.302916] ksize_uaf+0xb8/0x5f8 [ 31.302974] kunit_try_run_case+0x170/0x3f0 [ 31.303496] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.303882] kthread+0x328/0x630 [ 31.303977] ret_from_fork+0x10/0x20 [ 31.304044] [ 31.304088] Freed by task 229: [ 31.304153] kasan_save_stack+0x3c/0x68 [ 31.304227] kasan_save_track+0x20/0x40 [ 31.304281] kasan_save_free_info+0x4c/0x78 [ 31.304421] __kasan_slab_free+0x6c/0x98 [ 31.304621] kfree+0x214/0x3c8 [ 31.304768] ksize_uaf+0x11c/0x5f8 [ 31.304807] kunit_try_run_case+0x170/0x3f0 [ 31.304843] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.305138] kthread+0x328/0x630 [ 31.305318] ret_from_fork+0x10/0x20 [ 31.305402] [ 31.305805] The buggy address belongs to the object at fff00000c99bcf00 [ 31.305805] which belongs to the cache kmalloc-128 of size 128 [ 31.305879] The buggy address is located 120 bytes inside of [ 31.305879] freed 128-byte region [fff00000c99bcf00, fff00000c99bcf80) [ 31.306124] [ 31.306333] The buggy address belongs to the physical page: [ 31.306458] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1099bc [ 31.306594] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.306692] page_type: f5(slab) [ 31.306795] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 31.306846] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 31.307053] page dumped because: kasan: bad access detected [ 31.307240] [ 31.307284] Memory state around the buggy address: [ 31.307349] fff00000c99bce00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.307679] fff00000c99bce80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.307771] >fff00000c99bcf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.307921] ^ [ 31.307996] fff00000c99bcf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.308099] fff00000c99bd000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 31.308138] ================================================================== [ 31.279873] ================================================================== [ 31.280164] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 31.280444] Read of size 1 at addr fff00000c99bcf00 by task kunit_try_catch/229 [ 31.280514] [ 31.281403] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250723 #1 PREEMPT [ 31.281524] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 31.281591] Hardware name: linux,dummy-virt (DT) [ 31.281644] Call trace: [ 31.281676] show_stack+0x20/0x38 (C) [ 31.281755] dump_stack_lvl+0x8c/0xd0 [ 31.281940] print_report+0x118/0x5e8 [ 31.281997] kasan_report+0xdc/0x128 [ 31.282040] __kasan_check_byte+0x54/0x70 [ 31.282084] ksize+0x30/0x88 [ 31.282129] ksize_uaf+0x168/0x5f8 [ 31.282173] kunit_try_run_case+0x170/0x3f0 [ 31.282219] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.282270] kthread+0x328/0x630 [ 31.282310] ret_from_fork+0x10/0x20 [ 31.282362] [ 31.282381] Allocated by task 229: [ 31.282410] kasan_save_stack+0x3c/0x68 [ 31.282450] kasan_save_track+0x20/0x40 [ 31.282486] kasan_save_alloc_info+0x40/0x58 [ 31.282523] __kasan_kmalloc+0xd4/0xd8 [ 31.282558] __kmalloc_cache_noprof+0x16c/0x3c0 [ 31.282609] ksize_uaf+0xb8/0x5f8 [ 31.282682] kunit_try_run_case+0x170/0x3f0 [ 31.282764] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.282870] kthread+0x328/0x630 [ 31.282911] ret_from_fork+0x10/0x20 [ 31.282946] [ 31.282964] Freed by task 229: [ 31.282991] kasan_save_stack+0x3c/0x68 [ 31.283067] kasan_save_track+0x20/0x40 [ 31.283198] kasan_save_free_info+0x4c/0x78 [ 31.283237] __kasan_slab_free+0x6c/0x98 [ 31.283281] kfree+0x214/0x3c8 [ 31.283326] ksize_uaf+0x11c/0x5f8 [ 31.283363] kunit_try_run_case+0x170/0x3f0 [ 31.283401] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.283444] kthread+0x328/0x630 [ 31.283477] ret_from_fork+0x10/0x20 [ 31.283514] [ 31.283532] The buggy address belongs to the object at fff00000c99bcf00 [ 31.283532] which belongs to the cache kmalloc-128 of size 128 [ 31.283591] The buggy address is located 0 bytes inside of [ 31.283591] freed 128-byte region [fff00000c99bcf00, fff00000c99bcf80) [ 31.283674] [ 31.283777] The buggy address belongs to the physical page: [ 31.283846] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1099bc [ 31.284677] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.284740] page_type: f5(slab) [ 31.284787] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 31.284839] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 31.285525] page dumped because: kasan: bad access detected [ 31.286126] [ 31.286175] Memory state around the buggy address: [ 31.286212] fff00000c99bce00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.286256] fff00000c99bce80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.286826] >fff00000c99bcf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.287240] ^ [ 31.287293] fff00000c99bcf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.287337] fff00000c99bd000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 31.287875] ================================================================== [ 31.289784] ================================================================== [ 31.289867] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 31.290225] Read of size 1 at addr fff00000c99bcf00 by task kunit_try_catch/229 [ 31.290368] [ 31.290411] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250723 #1 PREEMPT [ 31.290503] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 31.290586] Hardware name: linux,dummy-virt (DT) [ 31.290681] Call trace: [ 31.290729] show_stack+0x20/0x38 (C) [ 31.290853] dump_stack_lvl+0x8c/0xd0 [ 31.290916] print_report+0x118/0x5e8 [ 31.290960] kasan_report+0xdc/0x128 [ 31.291009] __asan_report_load1_noabort+0x20/0x30 [ 31.291054] ksize_uaf+0x598/0x5f8 [ 31.291098] kunit_try_run_case+0x170/0x3f0 [ 31.291144] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.291505] kthread+0x328/0x630 [ 31.291589] ret_from_fork+0x10/0x20 [ 31.291710] [ 31.291734] Allocated by task 229: [ 31.291762] kasan_save_stack+0x3c/0x68 [ 31.291812] kasan_save_track+0x20/0x40 [ 31.291856] kasan_save_alloc_info+0x40/0x58 [ 31.291892] __kasan_kmalloc+0xd4/0xd8 [ 31.292185] __kmalloc_cache_noprof+0x16c/0x3c0 [ 31.292251] ksize_uaf+0xb8/0x5f8 [ 31.292554] kunit_try_run_case+0x170/0x3f0 [ 31.292771] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.292870] kthread+0x328/0x630 [ 31.293013] ret_from_fork+0x10/0x20 [ 31.293090] [ 31.293184] Freed by task 229: [ 31.293215] kasan_save_stack+0x3c/0x68 [ 31.293254] kasan_save_track+0x20/0x40 [ 31.293297] kasan_save_free_info+0x4c/0x78 [ 31.293344] __kasan_slab_free+0x6c/0x98 [ 31.293754] kfree+0x214/0x3c8 [ 31.293856] ksize_uaf+0x11c/0x5f8 [ 31.293954] kunit_try_run_case+0x170/0x3f0 [ 31.294097] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.294196] kthread+0x328/0x630 [ 31.294305] ret_from_fork+0x10/0x20 [ 31.294363] [ 31.294383] The buggy address belongs to the object at fff00000c99bcf00 [ 31.294383] which belongs to the cache kmalloc-128 of size 128 [ 31.294816] The buggy address is located 0 bytes inside of [ 31.294816] freed 128-byte region [fff00000c99bcf00, fff00000c99bcf80) [ 31.294917] [ 31.294992] The buggy address belongs to the physical page: [ 31.295084] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1099bc [ 31.295339] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.295568] page_type: f5(slab) [ 31.295631] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 31.296007] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 31.296061] page dumped because: kasan: bad access detected [ 31.296373] [ 31.296437] Memory state around the buggy address: [ 31.296525] fff00000c99bce00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.296592] fff00000c99bce80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.296727] >fff00000c99bcf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.296837] ^ [ 31.296880] fff00000c99bcf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.297000] fff00000c99bd000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 31.297039] ==================================================================
[ 25.690357] ================================================================== [ 25.690797] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 25.691211] Read of size 1 at addr ffff888104657f00 by task kunit_try_catch/245 [ 25.691458] [ 25.691572] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250723 #1 PREEMPT(voluntary) [ 25.691735] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.691748] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.691770] Call Trace: [ 25.691783] <TASK> [ 25.691801] dump_stack_lvl+0x73/0xb0 [ 25.691832] print_report+0xd1/0x640 [ 25.691856] ? __virt_addr_valid+0x1db/0x2d0 [ 25.691880] ? ksize_uaf+0x19d/0x6c0 [ 25.691900] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.691926] ? ksize_uaf+0x19d/0x6c0 [ 25.691947] kasan_report+0x141/0x180 [ 25.691969] ? ksize_uaf+0x19d/0x6c0 [ 25.691992] ? ksize_uaf+0x19d/0x6c0 [ 25.692013] __kasan_check_byte+0x3d/0x50 [ 25.692045] ksize+0x20/0x60 [ 25.692067] ksize_uaf+0x19d/0x6c0 [ 25.692088] ? __pfx_ksize_uaf+0x10/0x10 [ 25.692109] ? __schedule+0x10da/0x2b60 [ 25.692134] ? __pfx_read_tsc+0x10/0x10 [ 25.692168] ? ktime_get_ts64+0x86/0x230 [ 25.692193] kunit_try_run_case+0x1a5/0x480 [ 25.692218] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.692241] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 25.692266] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.692291] ? __kthread_parkme+0x82/0x180 [ 25.692311] ? preempt_count_sub+0x50/0x80 [ 25.692334] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.692358] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.692432] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.692457] kthread+0x337/0x6f0 [ 25.692477] ? trace_preempt_on+0x20/0xc0 [ 25.692501] ? __pfx_kthread+0x10/0x10 [ 25.692521] ? _raw_spin_unlock_irq+0x47/0x80 [ 25.692545] ? calculate_sigpending+0x7b/0xa0 [ 25.692569] ? __pfx_kthread+0x10/0x10 [ 25.692590] ret_from_fork+0x116/0x1d0 [ 25.692610] ? __pfx_kthread+0x10/0x10 [ 25.692630] ret_from_fork_asm+0x1a/0x30 [ 25.692662] </TASK> [ 25.692673] [ 25.700373] Allocated by task 245: [ 25.700600] kasan_save_stack+0x45/0x70 [ 25.700771] kasan_save_track+0x18/0x40 [ 25.700903] kasan_save_alloc_info+0x3b/0x50 [ 25.701053] __kasan_kmalloc+0xb7/0xc0 [ 25.701194] __kmalloc_cache_noprof+0x189/0x420 [ 25.701349] ksize_uaf+0xaa/0x6c0 [ 25.701512] kunit_try_run_case+0x1a5/0x480 [ 25.701714] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.702081] kthread+0x337/0x6f0 [ 25.702251] ret_from_fork+0x116/0x1d0 [ 25.702432] ret_from_fork_asm+0x1a/0x30 [ 25.702622] [ 25.702965] Freed by task 245: [ 25.703121] kasan_save_stack+0x45/0x70 [ 25.703273] kasan_save_track+0x18/0x40 [ 25.703585] kasan_save_free_info+0x3f/0x60 [ 25.703777] __kasan_slab_free+0x56/0x70 [ 25.704055] kfree+0x222/0x3f0 [ 25.704200] ksize_uaf+0x12c/0x6c0 [ 25.704418] kunit_try_run_case+0x1a5/0x480 [ 25.704614] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.704842] kthread+0x337/0x6f0 [ 25.705014] ret_from_fork+0x116/0x1d0 [ 25.705182] ret_from_fork_asm+0x1a/0x30 [ 25.705357] [ 25.705493] The buggy address belongs to the object at ffff888104657f00 [ 25.705493] which belongs to the cache kmalloc-128 of size 128 [ 25.705941] The buggy address is located 0 bytes inside of [ 25.705941] freed 128-byte region [ffff888104657f00, ffff888104657f80) [ 25.706496] [ 25.706607] The buggy address belongs to the physical page: [ 25.706867] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104657 [ 25.707229] flags: 0x200000000000000(node=0|zone=2) [ 25.707532] page_type: f5(slab) [ 25.707690] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 25.708031] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.708264] page dumped because: kasan: bad access detected [ 25.708432] [ 25.708495] Memory state around the buggy address: [ 25.708647] ffff888104657e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.708860] ffff888104657e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.709071] >ffff888104657f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.709386] ^ [ 25.709660] ffff888104657f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.709996] ffff888104658000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.710320] ================================================================== [ 25.733404] ================================================================== [ 25.734333] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 25.734652] Read of size 1 at addr ffff888104657f78 by task kunit_try_catch/245 [ 25.734983] [ 25.735091] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250723 #1 PREEMPT(voluntary) [ 25.735141] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.735165] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.735186] Call Trace: [ 25.735206] <TASK> [ 25.735225] dump_stack_lvl+0x73/0xb0 [ 25.735253] print_report+0xd1/0x640 [ 25.735276] ? __virt_addr_valid+0x1db/0x2d0 [ 25.735300] ? ksize_uaf+0x5e4/0x6c0 [ 25.735320] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.735346] ? ksize_uaf+0x5e4/0x6c0 [ 25.735366] kasan_report+0x141/0x180 [ 25.735388] ? ksize_uaf+0x5e4/0x6c0 [ 25.735413] __asan_report_load1_noabort+0x18/0x20 [ 25.735436] ksize_uaf+0x5e4/0x6c0 [ 25.735457] ? __pfx_ksize_uaf+0x10/0x10 [ 25.735478] ? __schedule+0x10da/0x2b60 [ 25.735502] ? __pfx_read_tsc+0x10/0x10 [ 25.735524] ? ktime_get_ts64+0x86/0x230 [ 25.735548] kunit_try_run_case+0x1a5/0x480 [ 25.735572] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.735594] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 25.735622] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.735647] ? __kthread_parkme+0x82/0x180 [ 25.735668] ? preempt_count_sub+0x50/0x80 [ 25.735691] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.735715] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.735738] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.735761] kthread+0x337/0x6f0 [ 25.735781] ? trace_preempt_on+0x20/0xc0 [ 25.735806] ? __pfx_kthread+0x10/0x10 [ 25.735899] ? _raw_spin_unlock_irq+0x47/0x80 [ 25.735928] ? calculate_sigpending+0x7b/0xa0 [ 25.735952] ? __pfx_kthread+0x10/0x10 [ 25.735974] ret_from_fork+0x116/0x1d0 [ 25.735994] ? __pfx_kthread+0x10/0x10 [ 25.736015] ret_from_fork_asm+0x1a/0x30 [ 25.736046] </TASK> [ 25.736057] [ 25.744351] Allocated by task 245: [ 25.744554] kasan_save_stack+0x45/0x70 [ 25.744699] kasan_save_track+0x18/0x40 [ 25.744828] kasan_save_alloc_info+0x3b/0x50 [ 25.745287] __kasan_kmalloc+0xb7/0xc0 [ 25.745707] __kmalloc_cache_noprof+0x189/0x420 [ 25.745968] ksize_uaf+0xaa/0x6c0 [ 25.746129] kunit_try_run_case+0x1a5/0x480 [ 25.746283] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.746764] kthread+0x337/0x6f0 [ 25.746919] ret_from_fork+0x116/0x1d0 [ 25.747050] ret_from_fork_asm+0x1a/0x30 [ 25.747196] [ 25.747262] Freed by task 245: [ 25.747369] kasan_save_stack+0x45/0x70 [ 25.747500] kasan_save_track+0x18/0x40 [ 25.747807] kasan_save_free_info+0x3f/0x60 [ 25.748106] __kasan_slab_free+0x56/0x70 [ 25.748310] kfree+0x222/0x3f0 [ 25.748465] ksize_uaf+0x12c/0x6c0 [ 25.748634] kunit_try_run_case+0x1a5/0x480 [ 25.748835] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.749455] kthread+0x337/0x6f0 [ 25.749611] ret_from_fork+0x116/0x1d0 [ 25.749742] ret_from_fork_asm+0x1a/0x30 [ 25.749877] [ 25.749942] The buggy address belongs to the object at ffff888104657f00 [ 25.749942] which belongs to the cache kmalloc-128 of size 128 [ 25.750794] The buggy address is located 120 bytes inside of [ 25.750794] freed 128-byte region [ffff888104657f00, ffff888104657f80) [ 25.751354] [ 25.751424] The buggy address belongs to the physical page: [ 25.751598] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104657 [ 25.751838] flags: 0x200000000000000(node=0|zone=2) [ 25.751996] page_type: f5(slab) [ 25.752111] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 25.752344] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.752783] page dumped because: kasan: bad access detected [ 25.753023] [ 25.753109] Memory state around the buggy address: [ 25.753336] ffff888104657e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.753640] ffff888104657e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.753940] >ffff888104657f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.754255] ^ [ 25.754555] ffff888104657f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.754828] ffff888104658000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.755028] ================================================================== [ 25.710980] ================================================================== [ 25.711725] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 25.712136] Read of size 1 at addr ffff888104657f00 by task kunit_try_catch/245 [ 25.712545] [ 25.712641] CPU: 1 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250723 #1 PREEMPT(voluntary) [ 25.712690] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.712703] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.712725] Call Trace: [ 25.712740] <TASK> [ 25.712758] dump_stack_lvl+0x73/0xb0 [ 25.712787] print_report+0xd1/0x640 [ 25.712809] ? __virt_addr_valid+0x1db/0x2d0 [ 25.712833] ? ksize_uaf+0x5fe/0x6c0 [ 25.712853] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.712879] ? ksize_uaf+0x5fe/0x6c0 [ 25.712900] kasan_report+0x141/0x180 [ 25.712922] ? ksize_uaf+0x5fe/0x6c0 [ 25.712947] __asan_report_load1_noabort+0x18/0x20 [ 25.712972] ksize_uaf+0x5fe/0x6c0 [ 25.712993] ? __pfx_ksize_uaf+0x10/0x10 [ 25.713014] ? __schedule+0x10da/0x2b60 [ 25.713038] ? __pfx_read_tsc+0x10/0x10 [ 25.713061] ? ktime_get_ts64+0x86/0x230 [ 25.713085] kunit_try_run_case+0x1a5/0x480 [ 25.713109] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.713131] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 25.713168] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.713193] ? __kthread_parkme+0x82/0x180 [ 25.713212] ? preempt_count_sub+0x50/0x80 [ 25.713235] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.713259] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.713282] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.713305] kthread+0x337/0x6f0 [ 25.713325] ? trace_preempt_on+0x20/0xc0 [ 25.713350] ? __pfx_kthread+0x10/0x10 [ 25.713370] ? _raw_spin_unlock_irq+0x47/0x80 [ 25.713443] ? calculate_sigpending+0x7b/0xa0 [ 25.713467] ? __pfx_kthread+0x10/0x10 [ 25.713489] ret_from_fork+0x116/0x1d0 [ 25.713509] ? __pfx_kthread+0x10/0x10 [ 25.713529] ret_from_fork_asm+0x1a/0x30 [ 25.713560] </TASK> [ 25.713572] [ 25.721095] Allocated by task 245: [ 25.721269] kasan_save_stack+0x45/0x70 [ 25.721417] kasan_save_track+0x18/0x40 [ 25.721801] kasan_save_alloc_info+0x3b/0x50 [ 25.722008] __kasan_kmalloc+0xb7/0xc0 [ 25.722171] __kmalloc_cache_noprof+0x189/0x420 [ 25.722390] ksize_uaf+0xaa/0x6c0 [ 25.722518] kunit_try_run_case+0x1a5/0x480 [ 25.722712] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.722934] kthread+0x337/0x6f0 [ 25.723102] ret_from_fork+0x116/0x1d0 [ 25.723271] ret_from_fork_asm+0x1a/0x30 [ 25.723440] [ 25.723530] Freed by task 245: [ 25.723644] kasan_save_stack+0x45/0x70 [ 25.723775] kasan_save_track+0x18/0x40 [ 25.723904] kasan_save_free_info+0x3f/0x60 [ 25.724044] __kasan_slab_free+0x56/0x70 [ 25.724185] kfree+0x222/0x3f0 [ 25.724298] ksize_uaf+0x12c/0x6c0 [ 25.724417] kunit_try_run_case+0x1a5/0x480 [ 25.724556] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.724724] kthread+0x337/0x6f0 [ 25.724839] ret_from_fork+0x116/0x1d0 [ 25.724964] ret_from_fork_asm+0x1a/0x30 [ 25.725098] [ 25.725470] The buggy address belongs to the object at ffff888104657f00 [ 25.725470] which belongs to the cache kmalloc-128 of size 128 [ 25.726102] The buggy address is located 0 bytes inside of [ 25.726102] freed 128-byte region [ffff888104657f00, ffff888104657f80) [ 25.726973] [ 25.727122] The buggy address belongs to the physical page: [ 25.727381] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104657 [ 25.728063] flags: 0x200000000000000(node=0|zone=2) [ 25.728311] page_type: f5(slab) [ 25.728762] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 25.729121] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 25.729589] page dumped because: kasan: bad access detected [ 25.729849] [ 25.729916] Memory state around the buggy address: [ 25.730263] ffff888104657e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.730680] ffff888104657e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.730896] >ffff888104657f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.731574] ^ [ 25.731716] ffff888104657f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.732077] ffff888104658000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 25.732840] ==================================================================