Date
July 15, 2025, 2:10 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 105.975078] ================================================================== [ 105.976041] BUG: KASAN: use-after-free in kmalloc_uaf2+0x10c/0x2a0 [ 105.977352] Read of size 1 at addr ffff0000c65d8628 by task kunit_try_catch/229 [ 105.978737] [ 105.979132] CPU: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 105.980507] Hardware name: linux,dummy-virt (DT) [ 105.981485] Call trace: [ 105.982024] dump_backtrace+0xe0/0x134 [ 105.982855] show_stack+0x20/0x2c [ 105.983657] dump_stack_lvl+0x88/0xb4 [ 105.984575] print_report+0x158/0x44c [ 105.985316] kasan_report+0xc8/0x180 [ 105.986163] __asan_load1+0x68/0x74 [ 105.987067] kmalloc_uaf2+0x10c/0x2a0 [ 105.987761] kunit_try_run_case+0x8c/0x124 [ 105.988186] kunit_generic_run_threadfn_adapter+0x38/0x54 [ 105.988978] kthread+0x15c/0x170 [ 105.989393] ret_from_fork+0x10/0x20 [ 105.989869] [ 105.990071] Allocated by task 229: [ 105.990418] kasan_save_stack+0x3c/0x70 [ 105.990851] kasan_set_track+0x2c/0x40 [ 105.991279] kasan_save_alloc_info+0x24/0x34 [ 105.991761] __kasan_kmalloc+0xd4/0xe0 [ 105.992186] kmalloc_trace+0x8c/0x150 [ 105.992633] kmalloc_uaf2+0xb4/0x2a0 [ 105.993078] kunit_try_run_case+0x8c/0x124 [ 105.993563] kunit_generic_run_threadfn_adapter+0x38/0x54 [ 105.994119] kthread+0x15c/0x170 [ 105.994547] ret_from_fork+0x10/0x20 [ 105.995172] [ 105.995396] Freed by task 229: [ 105.995777] kasan_save_stack+0x3c/0x70 [ 105.996219] kasan_set_track+0x2c/0x40 [ 105.997792] kasan_save_free_info+0x38/0x5c [ 105.998250] __kasan_slab_free+0x100/0x170 [ 105.998724] slab_free_freelist_hook+0xd8/0x1c0 [ 105.999176] __kmem_cache_free+0x15c/0x2a0 [ 105.999669] kfree+0x88/0x150 [ 106.000034] kmalloc_uaf2+0xcc/0x2a0 [ 106.000724] kunit_try_run_case+0x8c/0x124 [ 106.001236] kunit_generic_run_threadfn_adapter+0x38/0x54 [ 106.001820] kthread+0x15c/0x170 [ 106.002229] ret_from_fork+0x10/0x20 [ 106.002614] [ 106.002848] The buggy address belongs to the object at ffff0000c65d8600 [ 106.002848] which belongs to the cache kmalloc-128 of size 128 [ 106.003828] The buggy address is located 40 bytes inside of [ 106.003828] 128-byte region [ffff0000c65d8600, ffff0000c65d8680) [ 106.004921] [ 106.005130] The buggy address belongs to the physical page: [ 106.005626] page:00000000d460a56f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065d8 [ 106.006397] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff) [ 106.007083] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300 [ 106.007722] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 106.008358] page dumped because: kasan: bad access detected [ 106.009034] [ 106.009246] Memory state around the buggy address: [ 106.009670] ffff0000c65d8500: 00 00 07 fc fc fc fc fc fc fc fc fc fc fc fc fc [ 106.010299] ffff0000c65d8580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 106.010940] >ffff0000c65d8600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 106.011522] ^ [ 106.011949] ffff0000c65d8680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 106.012808] ffff0000c65d8700: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc [ 106.013448] ==================================================================
[ 75.724399] ================================================================== [ 75.725890] BUG: KASAN: use-after-free in kmalloc_uaf2+0xfc/0x1e8 [ 75.726816] Read of size 1 at addr ffff0000c5a46f28 by task kunit_try_catch/145 [ 75.727722] [ 75.728030] CPU: 1 PID: 145 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 75.729070] Hardware name: linux,dummy-virt (DT) [ 75.729783] Call trace: [ 75.730098] dump_backtrace+0xf8/0x118 [ 75.730728] show_stack+0x18/0x24 [ 75.731317] __dump_stack+0x28/0x38 [ 75.731899] dump_stack_lvl+0x54/0x6c [ 75.732497] print_address_description+0x7c/0x1ec [ 75.733458] print_report+0x50/0x68 [ 75.733975] kasan_report+0xac/0x100 [ 75.734389] __asan_load1+0x6c/0x70 [ 75.734802] kmalloc_uaf2+0xfc/0x1e8 [ 75.735224] kunit_try_run_case+0x80/0x184 [ 75.735709] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 75.736331] kthread+0x16c/0x21c [ 75.736841] ret_from_fork+0x10/0x20 [ 75.737287] [ 75.737655] Allocated by task 145: [ 75.738064] kasan_set_track+0x4c/0x80 [ 75.738562] kasan_save_alloc_info+0x28/0x34 [ 75.739032] __kasan_kmalloc+0x88/0xa0 [ 75.739480] kmalloc_trace+0x54/0x68 [ 75.739901] kmalloc_uaf2+0x48/0x1e8 [ 75.740339] kunit_try_run_case+0x80/0x184 [ 75.741092] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 75.741689] kthread+0x16c/0x21c [ 75.742140] ret_from_fork+0x10/0x20 [ 75.742567] [ 75.742767] Freed by task 145: [ 75.743108] kasan_set_track+0x4c/0x80 [ 75.743591] kasan_save_free_info+0x3c/0x60 [ 75.744102] ____kasan_slab_free+0xe8/0x140 [ 75.745100] __kasan_slab_free+0x18/0x28 [ 75.745588] __kmem_cache_free+0xdc/0x284 [ 75.746062] kfree+0x60/0x74 [ 75.746433] kmalloc_uaf2+0x90/0x1e8 [ 75.746848] kunit_try_run_case+0x80/0x184 [ 75.747313] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 75.747926] kthread+0x16c/0x21c [ 75.748332] ret_from_fork+0x10/0x20 [ 75.748972] [ 75.749178] The buggy address belongs to the object at ffff0000c5a46f00 [ 75.749178] which belongs to the cache kmalloc-128 of size 128 [ 75.750117] The buggy address is located 40 bytes inside of [ 75.750117] 128-byte region [ffff0000c5a46f00, ffff0000c5a46f80) [ 75.750997] [ 75.751214] The buggy address belongs to the physical page: [ 75.751667] page:00000000e850444c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a46 [ 75.752480] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff) [ 75.753308] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300 [ 75.754011] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 75.754635] page dumped because: kasan: bad access detected [ 75.755161] [ 75.755351] Memory state around the buggy address: [ 75.755817] ffff0000c5a46e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.756464] ffff0000c5a46e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.757400] >ffff0000c5a46f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.758017] ^ [ 75.758437] ffff0000c5a46f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.759079] ffff0000c5a47000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.759660] ==================================================================
[ 74.770299] ================================================================== [ 74.771175] BUG: KASAN: use-after-free in kmalloc_uaf2+0xfc/0x1e8 [ 74.771813] Read of size 1 at addr ffff0000c5a14228 by task kunit_try_catch/145 [ 74.772671] [ 74.773021] CPU: 0 PID: 145 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 74.773842] Hardware name: linux,dummy-virt (DT) [ 74.774364] Call trace: [ 74.774763] dump_backtrace+0xf4/0x114 [ 74.775331] show_stack+0x18/0x24 [ 74.776010] __dump_stack+0x28/0x38 [ 74.776440] dump_stack_lvl+0x50/0x68 [ 74.776886] print_address_description+0x7c/0x1ec [ 74.777509] print_report+0x50/0x68 [ 74.778036] kasan_report+0xac/0xfc [ 74.778469] __asan_load1+0x6c/0x70 [ 74.778911] kmalloc_uaf2+0xfc/0x1e8 [ 74.779315] kunit_try_run_case+0x80/0x184 [ 74.779818] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 74.780400] kthread+0x16c/0x21c [ 74.780848] ret_from_fork+0x10/0x20 [ 74.781263] [ 74.781469] Allocated by task 145: [ 74.781816] kasan_set_track+0x4c/0x80 [ 74.782309] kasan_save_alloc_info+0x28/0x34 [ 74.782785] __kasan_kmalloc+0x88/0xa0 [ 74.783287] kmalloc_trace+0x54/0x68 [ 74.783746] kmalloc_uaf2+0x48/0x1e8 [ 74.784169] kunit_try_run_case+0x80/0x184 [ 74.784675] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 74.785286] kthread+0x16c/0x21c [ 74.785748] ret_from_fork+0x10/0x20 [ 74.786200] [ 74.786386] Freed by task 145: [ 74.786721] kasan_set_track+0x4c/0x80 [ 74.787379] kasan_save_free_info+0x3c/0x60 [ 74.787869] ____kasan_slab_free+0xe8/0x140 [ 74.788372] __kasan_slab_free+0x18/0x28 [ 74.788847] __kmem_cache_free+0xdc/0x27c [ 74.789283] kfree+0x60/0x74 [ 74.789684] kmalloc_uaf2+0x90/0x1e8 [ 74.790094] kunit_try_run_case+0x80/0x184 [ 74.790551] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 74.791147] kthread+0x16c/0x21c [ 74.791576] ret_from_fork+0x10/0x20 [ 74.792545] [ 74.792761] The buggy address belongs to the object at ffff0000c5a14200 [ 74.792761] which belongs to the cache kmalloc-128 of size 128 [ 74.793703] The buggy address is located 40 bytes inside of [ 74.793703] 128-byte region [ffff0000c5a14200, ffff0000c5a14280) [ 74.794595] [ 74.794826] The buggy address belongs to the physical page: [ 74.795268] page:000000002a39f223 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a14 [ 74.796067] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff) [ 74.796768] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300 [ 74.797472] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 74.798114] page dumped because: kasan: bad access detected [ 74.798586] [ 74.798788] Memory state around the buggy address: [ 74.799285] ffff0000c5a14100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.800503] ffff0000c5a14180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 74.801165] >ffff0000c5a14200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.801780] ^ [ 74.802208] ffff0000c5a14280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 74.802832] ffff0000c5a14300: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc [ 74.803302] ==================================================================
[ 73.357743] ================================================================== [ 73.358837] BUG: KASAN: use-after-free in kmalloc_uaf2+0x104/0x290 [ 73.359501] Read of size 1 at addr ffff0000c589dc28 by task kunit_try_catch/145 [ 73.360122] [ 73.360359] CPU: 1 PID: 145 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 73.361108] Hardware name: linux,dummy-virt (DT) [ 73.361567] Call trace: [ 73.362181] dump_backtrace.part.0+0xdc/0xf0 [ 73.362738] show_stack+0x18/0x30 [ 73.363201] dump_stack_lvl+0x64/0x80 [ 73.363666] print_report+0x158/0x438 [ 73.364142] kasan_report+0xb4/0xf4 [ 73.364559] __asan_load1+0x68/0x74 [ 73.364972] kmalloc_uaf2+0x104/0x290 [ 73.365437] kunit_try_run_case+0x84/0x120 [ 73.366119] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 73.366691] kthread+0x180/0x190 [ 73.367236] ret_from_fork+0x10/0x20 [ 73.367692] [ 73.367892] Allocated by task 145: [ 73.368236] kasan_save_stack+0x3c/0x70 [ 73.368677] kasan_set_track+0x2c/0x40 [ 73.369111] kasan_save_alloc_info+0x24/0x34 [ 73.369609] __kasan_kmalloc+0xb8/0xc0 [ 73.370284] kmalloc_trace+0x58/0x6c [ 73.370737] kmalloc_uaf2+0xac/0x290 [ 73.371153] kunit_try_run_case+0x84/0x120 [ 73.371655] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 73.372249] kthread+0x180/0x190 [ 73.372663] ret_from_fork+0x10/0x20 [ 73.373053] [ 73.373280] Freed by task 145: [ 73.373626] kasan_save_stack+0x3c/0x70 [ 73.374038] kasan_set_track+0x2c/0x40 [ 73.374490] kasan_save_free_info+0x38/0x5c [ 73.374935] __kasan_slab_free+0xe4/0x150 [ 73.375312] __kmem_cache_free+0x130/0x2a4 [ 73.376148] kfree+0x58/0x80 [ 73.376528] kmalloc_uaf2+0xc4/0x290 [ 73.376990] kunit_try_run_case+0x84/0x120 [ 73.377443] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 73.378317] kthread+0x180/0x190 [ 73.378711] ret_from_fork+0x10/0x20 [ 73.379153] [ 73.379412] The buggy address belongs to the object at ffff0000c589dc00 [ 73.379412] which belongs to the cache kmalloc-128 of size 128 [ 73.380378] The buggy address is located 40 bytes inside of [ 73.380378] 128-byte region [ffff0000c589dc00, ffff0000c589dc80) [ 73.381270] [ 73.381512] The buggy address belongs to the physical page: [ 73.382160] page:00000000b8b1210d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10589d [ 73.382902] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff) [ 73.383825] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300 [ 73.384510] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 73.385106] page dumped because: kasan: bad access detected [ 73.385599] [ 73.385787] Memory state around the buggy address: [ 73.386382] ffff0000c589db00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 73.387167] ffff0000c589db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 73.387798] >ffff0000c589dc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 73.388382] ^ [ 73.388858] ffff0000c589dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 73.389507] ffff0000c589dd00: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc [ 73.390299] ==================================================================
[ 64.865057] ================================================================== [ 64.866460] BUG: KASAN: use-after-free in kmalloc_uaf2+0x110/0x298 [ 64.867112] Read of size 1 at addr ffff0000c59b5128 by task kunit_try_catch/143 [ 64.867566] [ 64.867735] CPU: 1 PID: 143 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 64.868488] Hardware name: linux,dummy-virt (DT) [ 64.869506] Call trace: [ 64.870217] dump_backtrace+0x110/0x120 [ 64.870996] show_stack+0x18/0x28 [ 64.871668] dump_stack_lvl+0x68/0x84 [ 64.872363] print_report+0x158/0x484 [ 64.873011] kasan_report+0x98/0xe0 [ 64.874180] __asan_load1+0x68/0x78 [ 64.874861] kmalloc_uaf2+0x110/0x298 [ 64.875540] kunit_try_run_case+0x7c/0x120 [ 64.876261] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 64.877120] kthread+0x1a4/0x1b8 [ 64.878027] ret_from_fork+0x10/0x20 [ 64.878712] [ 64.879017] Allocated by task 143: [ 64.879423] kasan_save_stack+0x2c/0x58 [ 64.879749] kasan_set_track+0x2c/0x40 [ 64.880047] kasan_save_alloc_info+0x24/0x38 [ 64.880596] __kasan_kmalloc+0xa0/0xb8 [ 64.880988] kmalloc_trace+0x50/0x68 [ 64.881411] kmalloc_uaf2+0xb4/0x298 [ 64.882071] kunit_try_run_case+0x7c/0x120 [ 64.882779] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 64.883590] kthread+0x1a4/0x1b8 [ 64.884121] ret_from_fork+0x10/0x20 [ 64.884674] [ 64.884832] Freed by task 143: [ 64.885060] kasan_save_stack+0x2c/0x58 [ 64.885469] kasan_set_track+0x2c/0x40 [ 64.885939] kasan_save_free_info+0x38/0x60 [ 64.886386] __kasan_slab_free+0xe8/0x158 [ 64.886933] __kmem_cache_free+0x138/0x2b0 [ 64.887442] kfree+0x5c/0x70 [ 64.887806] kmalloc_uaf2+0xcc/0x298 [ 64.888252] kunit_try_run_case+0x7c/0x120 [ 64.888713] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 64.889290] kthread+0x1a4/0x1b8 [ 64.890123] ret_from_fork+0x10/0x20 [ 64.890556] [ 64.890778] The buggy address belongs to the object at ffff0000c59b5100 [ 64.890778] which belongs to the cache kmalloc-128 of size 128 [ 64.891739] The buggy address is located 40 bytes inside of [ 64.891739] 128-byte region [ffff0000c59b5100, ffff0000c59b5180) [ 64.892631] [ 64.892882] The buggy address belongs to the physical page: [ 64.893368] page:000000007eb50857 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059b5 [ 64.894090] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff) [ 64.894968] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300 [ 64.895596] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 64.896157] page dumped because: kasan: bad access detected [ 64.896637] [ 64.896823] Memory state around the buggy address: [ 64.897233] ffff0000c59b5000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.898044] ffff0000c59b5080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 64.898650] >ffff0000c59b5100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.899148] ^ [ 64.899527] ffff0000c59b5180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 64.900086] ffff0000c59b5200: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc [ 64.900997] ==================================================================
[ 31.113581] ================================================================== [ 31.114864] BUG: KASAN: use-after-free in kmalloc_uaf2+0x11e/0x2b0 [ 31.115149] Read of size 1 at addr ffff888103492da8 by task kunit_try_catch/249 [ 31.116712] [ 31.117090] CPU: 0 PID: 249 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 31.118203] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 31.119112] Call Trace: [ 31.119536] <TASK> [ 31.119931] dump_stack_lvl+0x49/0x62 [ 31.120734] print_report+0x189/0x492 [ 31.121117] ? kasan_complete_mode_report_info+0x7c/0x200 [ 31.121891] ? kmalloc_uaf2+0x11e/0x2b0 [ 31.122103] kasan_report+0x10c/0x190 [ 31.122692] ? kmalloc_uaf2+0x11e/0x2b0 [ 31.123311] __asan_load1+0x62/0x70 [ 31.123861] kmalloc_uaf2+0x11e/0x2b0 [ 31.124443] ? kfree_via_page+0x190/0x190 [ 31.125006] ? preempt_count_sub+0x4c/0x70 [ 31.125704] ? _raw_spin_unlock_irqrestore+0x2d/0x60 [ 31.126076] ? __kunit_add_resource+0xd1/0x100 [ 31.126325] kunit_try_run_case+0x8f/0xd0 [ 31.126519] ? kunit_catch_run_case+0x80/0x80 [ 31.126719] ? kunit_try_catch_throw+0x40/0x40 [ 31.126924] kunit_generic_run_threadfn_adapter+0x2f/0x50 [ 31.127158] kthread+0x17b/0x1b0 [ 31.127579] ? kthread_complete_and_exit+0x30/0x30 [ 31.128036] ret_from_fork+0x22/0x30 [ 31.128366] </TASK> [ 31.128600] [ 31.128788] Allocated by task 249: [ 31.129046] kasan_save_stack+0x41/0x70 [ 31.129302] kasan_set_track+0x25/0x40 [ 31.129746] kasan_save_alloc_info+0x1e/0x30 [ 31.130203] __kasan_kmalloc+0xb6/0xc0 [ 31.130724] kmalloc_trace+0x48/0xb0 [ 31.131096] kmalloc_uaf2+0xac/0x2b0 [ 31.131562] kunit_try_run_case+0x8f/0xd0 [ 31.131748] kunit_generic_run_threadfn_adapter+0x2f/0x50 [ 31.131970] kthread+0x17b/0x1b0 [ 31.132125] ret_from_fork+0x22/0x30 [ 31.132365] [ 31.132470] Freed by task 249: [ 31.132677] kasan_save_stack+0x41/0x70 [ 31.132881] kasan_set_track+0x25/0x40 [ 31.133239] kasan_save_free_info+0x2e/0x50 [ 31.133577] ____kasan_slab_free+0x175/0x1d0 [ 31.133804] __kasan_slab_free+0x12/0x20 [ 31.134030] __kmem_cache_free+0x188/0x2f0 [ 31.134259] kfree+0x78/0x120 [ 31.134521] kmalloc_uaf2+0xcc/0x2b0 [ 31.135025] kunit_try_run_case+0x8f/0xd0 [ 31.135318] kunit_generic_run_threadfn_adapter+0x2f/0x50 [ 31.135849] kthread+0x17b/0x1b0 [ 31.136040] ret_from_fork+0x22/0x30 [ 31.136274] [ 31.136413] The buggy address belongs to the object at ffff888103492d80 [ 31.136413] which belongs to the cache kmalloc-64 of size 64 [ 31.136994] The buggy address is located 40 bytes inside of [ 31.136994] 64-byte region [ffff888103492d80, ffff888103492dc0) [ 31.137498] [ 31.137614] The buggy address belongs to the physical page: [ 31.137868] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103492 [ 31.138843] flags: 0x200000000000200(slab|node=0|zone=2) [ 31.139182] raw: 0200000000000200 0000000000000000 dead000000000122 ffff888100041640 [ 31.139947] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 [ 31.140406] page dumped because: kasan: bad access detected [ 31.140897] [ 31.141152] Memory state around the buggy address: [ 31.141622] ffff888103492c80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.142081] ffff888103492d00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.142535] >ffff888103492d80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.143310] ^ [ 31.143796] ffff888103492e00: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc [ 31.144526] ffff888103492e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.145172] ==================================================================