Date
July 25, 2025, 3:13 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 32.655909] ================================================================== [ 32.656189] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 32.656261] Read of size 1 at addr fff00000c9726a00 by task kunit_try_catch/228 [ 32.656312] [ 32.656626] CPU: 1 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250725 #1 PREEMPT [ 32.657009] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 32.657061] Hardware name: linux,dummy-virt (DT) [ 32.657204] Call trace: [ 32.657236] show_stack+0x20/0x38 (C) [ 32.657289] dump_stack_lvl+0x8c/0xd0 [ 32.657334] print_report+0x118/0x5e8 [ 32.657627] kasan_report+0xdc/0x128 [ 32.657690] __asan_report_load1_noabort+0x20/0x30 [ 32.657935] ksize_uaf+0x598/0x5f8 [ 32.658041] kunit_try_run_case+0x170/0x3f0 [ 32.658115] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.658166] kthread+0x328/0x630 [ 32.658420] ret_from_fork+0x10/0x20 [ 32.658505] [ 32.658692] Allocated by task 228: [ 32.658742] kasan_save_stack+0x3c/0x68 [ 32.658787] kasan_save_track+0x20/0x40 [ 32.658834] kasan_save_alloc_info+0x40/0x58 [ 32.658912] __kasan_kmalloc+0xd4/0xd8 [ 32.658959] __kmalloc_cache_noprof+0x16c/0x3c0 [ 32.659143] ksize_uaf+0xb8/0x5f8 [ 32.659364] kunit_try_run_case+0x170/0x3f0 [ 32.659460] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.659600] kthread+0x328/0x630 [ 32.659679] ret_from_fork+0x10/0x20 [ 32.659826] [ 32.659877] Freed by task 228: [ 32.659905] kasan_save_stack+0x3c/0x68 [ 32.659949] kasan_save_track+0x20/0x40 [ 32.659985] kasan_save_free_info+0x4c/0x78 [ 32.660384] __kasan_slab_free+0x7c/0xa8 [ 32.660500] kfree+0x214/0x3c8 [ 32.660571] ksize_uaf+0x11c/0x5f8 [ 32.660724] kunit_try_run_case+0x170/0x3f0 [ 32.660819] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.661189] kthread+0x328/0x630 [ 32.661277] ret_from_fork+0x10/0x20 [ 32.661466] [ 32.661569] The buggy address belongs to the object at fff00000c9726a00 [ 32.661569] which belongs to the cache kmalloc-128 of size 128 [ 32.661742] The buggy address is located 0 bytes inside of [ 32.661742] freed 128-byte region [fff00000c9726a00, fff00000c9726a80) [ 32.661812] [ 32.661844] The buggy address belongs to the physical page: [ 32.661909] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109726 [ 32.661968] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.662024] page_type: f5(slab) [ 32.662072] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 32.662130] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 32.662169] page dumped because: kasan: bad access detected [ 32.662200] [ 32.662222] Memory state around the buggy address: [ 32.662265] fff00000c9726900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.662309] fff00000c9726980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.662353] >fff00000c9726a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.662402] ^ [ 32.662429] fff00000c9726a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.662471] fff00000c9726b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.662509] ================================================================== [ 32.664140] ================================================================== [ 32.664243] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 32.664372] Read of size 1 at addr fff00000c9726a78 by task kunit_try_catch/228 [ 32.664424] [ 32.664455] CPU: 1 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250725 #1 PREEMPT [ 32.664976] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 32.665021] Hardware name: linux,dummy-virt (DT) [ 32.665070] Call trace: [ 32.665095] show_stack+0x20/0x38 (C) [ 32.665232] dump_stack_lvl+0x8c/0xd0 [ 32.665284] print_report+0x118/0x5e8 [ 32.665328] kasan_report+0xdc/0x128 [ 32.665371] __asan_report_load1_noabort+0x20/0x30 [ 32.665567] ksize_uaf+0x544/0x5f8 [ 32.665612] kunit_try_run_case+0x170/0x3f0 [ 32.665673] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.665726] kthread+0x328/0x630 [ 32.665965] ret_from_fork+0x10/0x20 [ 32.666112] [ 32.666150] Allocated by task 228: [ 32.666253] kasan_save_stack+0x3c/0x68 [ 32.666297] kasan_save_track+0x20/0x40 [ 32.666331] kasan_save_alloc_info+0x40/0x58 [ 32.666368] __kasan_kmalloc+0xd4/0xd8 [ 32.666403] __kmalloc_cache_noprof+0x16c/0x3c0 [ 32.666735] ksize_uaf+0xb8/0x5f8 [ 32.666817] kunit_try_run_case+0x170/0x3f0 [ 32.667012] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.667059] kthread+0x328/0x630 [ 32.667105] ret_from_fork+0x10/0x20 [ 32.667152] [ 32.667172] Freed by task 228: [ 32.667201] kasan_save_stack+0x3c/0x68 [ 32.667236] kasan_save_track+0x20/0x40 [ 32.667272] kasan_save_free_info+0x4c/0x78 [ 32.667884] __kasan_slab_free+0x7c/0xa8 [ 32.667958] kfree+0x214/0x3c8 [ 32.668131] ksize_uaf+0x11c/0x5f8 [ 32.668215] kunit_try_run_case+0x170/0x3f0 [ 32.668709] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.668856] kthread+0x328/0x630 [ 32.668934] ret_from_fork+0x10/0x20 [ 32.669171] [ 32.669319] The buggy address belongs to the object at fff00000c9726a00 [ 32.669319] which belongs to the cache kmalloc-128 of size 128 [ 32.669534] The buggy address is located 120 bytes inside of [ 32.669534] freed 128-byte region [fff00000c9726a00, fff00000c9726a80) [ 32.669722] [ 32.669801] The buggy address belongs to the physical page: [ 32.669956] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109726 [ 32.670050] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.670324] page_type: f5(slab) [ 32.670521] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 32.670654] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 32.670748] page dumped because: kasan: bad access detected [ 32.670946] [ 32.671040] Memory state around the buggy address: [ 32.671192] fff00000c9726900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.671264] fff00000c9726980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.671400] >fff00000c9726a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.671496] ^ [ 32.671567] fff00000c9726a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.671608] fff00000c9726b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.671845] ================================================================== [ 32.643149] ================================================================== [ 32.643271] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 32.643444] Read of size 1 at addr fff00000c9726a00 by task kunit_try_catch/228 [ 32.643707] [ 32.643877] CPU: 1 UID: 0 PID: 228 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250725 #1 PREEMPT [ 32.644094] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 32.644311] Hardware name: linux,dummy-virt (DT) [ 32.644468] Call trace: [ 32.644536] show_stack+0x20/0x38 (C) [ 32.644618] dump_stack_lvl+0x8c/0xd0 [ 32.645062] print_report+0x118/0x5e8 [ 32.645195] kasan_report+0xdc/0x128 [ 32.645294] __kasan_check_byte+0x54/0x70 [ 32.645425] ksize+0x30/0x88 [ 32.645502] ksize_uaf+0x168/0x5f8 [ 32.645587] kunit_try_run_case+0x170/0x3f0 [ 32.646111] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.646456] kthread+0x328/0x630 [ 32.646532] ret_from_fork+0x10/0x20 [ 32.646581] [ 32.646601] Allocated by task 228: [ 32.646650] kasan_save_stack+0x3c/0x68 [ 32.646698] kasan_save_track+0x20/0x40 [ 32.646735] kasan_save_alloc_info+0x40/0x58 [ 32.646772] __kasan_kmalloc+0xd4/0xd8 [ 32.646808] __kmalloc_cache_noprof+0x16c/0x3c0 [ 32.646857] ksize_uaf+0xb8/0x5f8 [ 32.646891] kunit_try_run_case+0x170/0x3f0 [ 32.646937] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.647016] kthread+0x328/0x630 [ 32.647100] ret_from_fork+0x10/0x20 [ 32.647169] [ 32.647230] Freed by task 228: [ 32.647282] kasan_save_stack+0x3c/0x68 [ 32.647338] kasan_save_track+0x20/0x40 [ 32.647405] kasan_save_free_info+0x4c/0x78 [ 32.647471] __kasan_slab_free+0x7c/0xa8 [ 32.647678] kfree+0x214/0x3c8 [ 32.647940] ksize_uaf+0x11c/0x5f8 [ 32.648265] kunit_try_run_case+0x170/0x3f0 [ 32.648330] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.648628] kthread+0x328/0x630 [ 32.648939] ret_from_fork+0x10/0x20 [ 32.649017] [ 32.649061] The buggy address belongs to the object at fff00000c9726a00 [ 32.649061] which belongs to the cache kmalloc-128 of size 128 [ 32.649147] The buggy address is located 0 bytes inside of [ 32.649147] freed 128-byte region [fff00000c9726a00, fff00000c9726a80) [ 32.649284] [ 32.649364] The buggy address belongs to the physical page: [ 32.649514] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109726 [ 32.649588] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.649925] page_type: f5(slab) [ 32.650118] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 32.650176] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 32.650432] page dumped because: kasan: bad access detected [ 32.650582] [ 32.650648] Memory state around the buggy address: [ 32.650791] fff00000c9726900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.651019] fff00000c9726980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.651405] >fff00000c9726a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.651632] ^ [ 32.651856] fff00000c9726a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.651971] fff00000c9726b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.652117] ==================================================================
[ 26.307202] ================================================================== [ 26.308106] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 26.308416] Read of size 1 at addr ffff888105800578 by task kunit_try_catch/245 [ 26.308716] [ 26.308899] CPU: 0 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250725 #1 PREEMPT(voluntary) [ 26.308957] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.308969] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 26.308990] Call Trace: [ 26.309002] <TASK> [ 26.309016] dump_stack_lvl+0x73/0xb0 [ 26.309071] print_report+0xd1/0x640 [ 26.309094] ? __virt_addr_valid+0x1db/0x2d0 [ 26.309118] ? ksize_uaf+0x5e4/0x6c0 [ 26.309146] ? kasan_complete_mode_report_info+0x64/0x200 [ 26.309172] ? ksize_uaf+0x5e4/0x6c0 [ 26.309194] kasan_report+0x141/0x180 [ 26.309217] ? ksize_uaf+0x5e4/0x6c0 [ 26.309243] __asan_report_load1_noabort+0x18/0x20 [ 26.309287] ksize_uaf+0x5e4/0x6c0 [ 26.309308] ? __pfx_ksize_uaf+0x10/0x10 [ 26.309331] ? __schedule+0x10da/0x2b60 [ 26.309352] ? __pfx_read_tsc+0x10/0x10 [ 26.309374] ? ktime_get_ts64+0x86/0x230 [ 26.309398] kunit_try_run_case+0x1a5/0x480 [ 26.309424] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.309462] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 26.309484] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 26.309524] ? __kthread_parkme+0x82/0x180 [ 26.309558] ? preempt_count_sub+0x50/0x80 [ 26.309595] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.309633] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.309670] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 26.309708] kthread+0x337/0x6f0 [ 26.309728] ? trace_preempt_on+0x20/0xc0 [ 26.309765] ? __pfx_kthread+0x10/0x10 [ 26.309796] ? _raw_spin_unlock_irq+0x47/0x80 [ 26.309821] ? calculate_sigpending+0x7b/0xa0 [ 26.309845] ? __pfx_kthread+0x10/0x10 [ 26.309867] ret_from_fork+0x116/0x1d0 [ 26.309887] ? __pfx_kthread+0x10/0x10 [ 26.309908] ret_from_fork_asm+0x1a/0x30 [ 26.309940] </TASK> [ 26.309961] [ 26.317850] Allocated by task 245: [ 26.318042] kasan_save_stack+0x45/0x70 [ 26.318238] kasan_save_track+0x18/0x40 [ 26.318429] kasan_save_alloc_info+0x3b/0x50 [ 26.318619] __kasan_kmalloc+0xb7/0xc0 [ 26.318803] __kmalloc_cache_noprof+0x189/0x420 [ 26.319211] ksize_uaf+0xaa/0x6c0 [ 26.319362] kunit_try_run_case+0x1a5/0x480 [ 26.319575] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.319849] kthread+0x337/0x6f0 [ 26.320044] ret_from_fork+0x116/0x1d0 [ 26.320208] ret_from_fork_asm+0x1a/0x30 [ 26.320398] [ 26.320486] Freed by task 245: [ 26.320599] kasan_save_stack+0x45/0x70 [ 26.320830] kasan_save_track+0x18/0x40 [ 26.321069] kasan_save_free_info+0x3f/0x60 [ 26.321265] __kasan_slab_free+0x5e/0x80 [ 26.321468] kfree+0x222/0x3f0 [ 26.321638] ksize_uaf+0x12c/0x6c0 [ 26.321833] kunit_try_run_case+0x1a5/0x480 [ 26.322045] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.322306] kthread+0x337/0x6f0 [ 26.322467] ret_from_fork+0x116/0x1d0 [ 26.322646] ret_from_fork_asm+0x1a/0x30 [ 26.322832] [ 26.322897] The buggy address belongs to the object at ffff888105800500 [ 26.322897] which belongs to the cache kmalloc-128 of size 128 [ 26.323265] The buggy address is located 120 bytes inside of [ 26.323265] freed 128-byte region [ffff888105800500, ffff888105800580) [ 26.323800] [ 26.323890] The buggy address belongs to the physical page: [ 26.324248] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105800 [ 26.324522] flags: 0x200000000000000(node=0|zone=2) [ 26.324679] page_type: f5(slab) [ 26.324796] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 26.325235] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 26.325604] page dumped because: kasan: bad access detected [ 26.325974] [ 26.326066] Memory state around the buggy address: [ 26.326312] ffff888105800400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.326629] ffff888105800480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.327136] >ffff888105800500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.327357] ^ [ 26.327571] ffff888105800580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.327781] ffff888105800600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.328293] ================================================================== [ 26.259359] ================================================================== [ 26.259851] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 26.260255] Read of size 1 at addr ffff888105800500 by task kunit_try_catch/245 [ 26.260552] [ 26.260657] CPU: 0 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250725 #1 PREEMPT(voluntary) [ 26.260723] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.260735] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 26.260756] Call Trace: [ 26.260768] <TASK> [ 26.260784] dump_stack_lvl+0x73/0xb0 [ 26.260859] print_report+0xd1/0x640 [ 26.260883] ? __virt_addr_valid+0x1db/0x2d0 [ 26.260930] ? ksize_uaf+0x19d/0x6c0 [ 26.260961] ? kasan_complete_mode_report_info+0x64/0x200 [ 26.260988] ? ksize_uaf+0x19d/0x6c0 [ 26.261010] kasan_report+0x141/0x180 [ 26.261049] ? ksize_uaf+0x19d/0x6c0 [ 26.261083] ? ksize_uaf+0x19d/0x6c0 [ 26.261105] __kasan_check_byte+0x3d/0x50 [ 26.261132] ksize+0x20/0x60 [ 26.261152] ksize_uaf+0x19d/0x6c0 [ 26.261175] ? __pfx_ksize_uaf+0x10/0x10 [ 26.261198] ? __schedule+0x10da/0x2b60 [ 26.261220] ? __pfx_read_tsc+0x10/0x10 [ 26.261245] ? ktime_get_ts64+0x86/0x230 [ 26.261287] kunit_try_run_case+0x1a5/0x480 [ 26.261325] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.261349] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 26.261371] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 26.261397] ? __kthread_parkme+0x82/0x180 [ 26.261418] ? preempt_count_sub+0x50/0x80 [ 26.261442] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.261467] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.261491] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 26.261515] kthread+0x337/0x6f0 [ 26.261535] ? trace_preempt_on+0x20/0xc0 [ 26.261559] ? __pfx_kthread+0x10/0x10 [ 26.261580] ? _raw_spin_unlock_irq+0x47/0x80 [ 26.261604] ? calculate_sigpending+0x7b/0xa0 [ 26.261629] ? __pfx_kthread+0x10/0x10 [ 26.261651] ret_from_fork+0x116/0x1d0 [ 26.261670] ? __pfx_kthread+0x10/0x10 [ 26.261691] ret_from_fork_asm+0x1a/0x30 [ 26.261724] </TASK> [ 26.261735] [ 26.272930] Allocated by task 245: [ 26.273212] kasan_save_stack+0x45/0x70 [ 26.273401] kasan_save_track+0x18/0x40 [ 26.273605] kasan_save_alloc_info+0x3b/0x50 [ 26.273825] __kasan_kmalloc+0xb7/0xc0 [ 26.274017] __kmalloc_cache_noprof+0x189/0x420 [ 26.274243] ksize_uaf+0xaa/0x6c0 [ 26.274445] kunit_try_run_case+0x1a5/0x480 [ 26.274596] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.274819] kthread+0x337/0x6f0 [ 26.274997] ret_from_fork+0x116/0x1d0 [ 26.275365] ret_from_fork_asm+0x1a/0x30 [ 26.275600] [ 26.275691] Freed by task 245: [ 26.275978] kasan_save_stack+0x45/0x70 [ 26.276224] kasan_save_track+0x18/0x40 [ 26.276393] kasan_save_free_info+0x3f/0x60 [ 26.276582] __kasan_slab_free+0x5e/0x80 [ 26.276777] kfree+0x222/0x3f0 [ 26.277024] ksize_uaf+0x12c/0x6c0 [ 26.277192] kunit_try_run_case+0x1a5/0x480 [ 26.277417] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.277617] kthread+0x337/0x6f0 [ 26.277733] ret_from_fork+0x116/0x1d0 [ 26.277860] ret_from_fork_asm+0x1a/0x30 [ 26.278005] [ 26.278070] The buggy address belongs to the object at ffff888105800500 [ 26.278070] which belongs to the cache kmalloc-128 of size 128 [ 26.278997] The buggy address is located 0 bytes inside of [ 26.278997] freed 128-byte region [ffff888105800500, ffff888105800580) [ 26.279446] [ 26.279513] The buggy address belongs to the physical page: [ 26.279684] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105800 [ 26.280313] flags: 0x200000000000000(node=0|zone=2) [ 26.280564] page_type: f5(slab) [ 26.280743] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 26.281452] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 26.281754] page dumped because: kasan: bad access detected [ 26.282207] [ 26.282326] Memory state around the buggy address: [ 26.282551] ffff888105800400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.282823] ffff888105800480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.283248] >ffff888105800500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.283540] ^ [ 26.283725] ffff888105800580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.284064] ffff888105800600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.284384] ================================================================== [ 26.285311] ================================================================== [ 26.285613] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 26.285822] Read of size 1 at addr ffff888105800500 by task kunit_try_catch/245 [ 26.286462] [ 26.286654] CPU: 0 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250725 #1 PREEMPT(voluntary) [ 26.286720] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.286732] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 26.286751] Call Trace: [ 26.286764] <TASK> [ 26.286778] dump_stack_lvl+0x73/0xb0 [ 26.286857] print_report+0xd1/0x640 [ 26.286881] ? __virt_addr_valid+0x1db/0x2d0 [ 26.286904] ? ksize_uaf+0x5fe/0x6c0 [ 26.286925] ? kasan_complete_mode_report_info+0x64/0x200 [ 26.286967] ? ksize_uaf+0x5fe/0x6c0 [ 26.286989] kasan_report+0x141/0x180 [ 26.287011] ? ksize_uaf+0x5fe/0x6c0 [ 26.287038] __asan_report_load1_noabort+0x18/0x20 [ 26.287063] ksize_uaf+0x5fe/0x6c0 [ 26.287107] ? __pfx_ksize_uaf+0x10/0x10 [ 26.287130] ? __schedule+0x10da/0x2b60 [ 26.287152] ? __pfx_read_tsc+0x10/0x10 [ 26.287174] ? ktime_get_ts64+0x86/0x230 [ 26.287215] kunit_try_run_case+0x1a5/0x480 [ 26.287240] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.287263] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 26.287285] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 26.287338] ? __kthread_parkme+0x82/0x180 [ 26.287360] ? preempt_count_sub+0x50/0x80 [ 26.287384] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.287409] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.287434] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 26.287458] kthread+0x337/0x6f0 [ 26.287479] ? trace_preempt_on+0x20/0xc0 [ 26.287503] ? __pfx_kthread+0x10/0x10 [ 26.287524] ? _raw_spin_unlock_irq+0x47/0x80 [ 26.287549] ? calculate_sigpending+0x7b/0xa0 [ 26.287573] ? __pfx_kthread+0x10/0x10 [ 26.287595] ret_from_fork+0x116/0x1d0 [ 26.287614] ? __pfx_kthread+0x10/0x10 [ 26.287635] ret_from_fork_asm+0x1a/0x30 [ 26.287667] </TASK> [ 26.287694] [ 26.295280] Allocated by task 245: [ 26.295452] kasan_save_stack+0x45/0x70 [ 26.295647] kasan_save_track+0x18/0x40 [ 26.295892] kasan_save_alloc_info+0x3b/0x50 [ 26.296054] __kasan_kmalloc+0xb7/0xc0 [ 26.296360] __kmalloc_cache_noprof+0x189/0x420 [ 26.296585] ksize_uaf+0xaa/0x6c0 [ 26.296770] kunit_try_run_case+0x1a5/0x480 [ 26.296979] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.297265] kthread+0x337/0x6f0 [ 26.297436] ret_from_fork+0x116/0x1d0 [ 26.297826] ret_from_fork_asm+0x1a/0x30 [ 26.298034] [ 26.298168] Freed by task 245: [ 26.298324] kasan_save_stack+0x45/0x70 [ 26.298540] kasan_save_track+0x18/0x40 [ 26.298705] kasan_save_free_info+0x3f/0x60 [ 26.298993] __kasan_slab_free+0x5e/0x80 [ 26.299174] kfree+0x222/0x3f0 [ 26.299286] ksize_uaf+0x12c/0x6c0 [ 26.299405] kunit_try_run_case+0x1a5/0x480 [ 26.299631] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.299979] kthread+0x337/0x6f0 [ 26.300251] ret_from_fork+0x116/0x1d0 [ 26.300405] ret_from_fork_asm+0x1a/0x30 [ 26.300540] [ 26.300604] The buggy address belongs to the object at ffff888105800500 [ 26.300604] which belongs to the cache kmalloc-128 of size 128 [ 26.300977] The buggy address is located 0 bytes inside of [ 26.300977] freed 128-byte region [ffff888105800500, ffff888105800580) [ 26.301489] [ 26.301641] The buggy address belongs to the physical page: [ 26.302020] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105800 [ 26.302381] flags: 0x200000000000000(node=0|zone=2) [ 26.302573] page_type: f5(slab) [ 26.302689] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 26.302916] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 26.303568] page dumped because: kasan: bad access detected [ 26.303919] [ 26.304044] Memory state around the buggy address: [ 26.304323] ffff888105800400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.304707] ffff888105800480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.305209] >ffff888105800500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.305445] ^ [ 26.305559] ffff888105800580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.305813] ffff888105800600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.306153] ==================================================================