Hay
Date: July 15, 2025, 2:10 p.m.

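Environment: qemu-arm64, qemu-x86_64

Note: every report below is raised from the kunit_try_catch task inside kmalloc_uaf_16, called from kunit_try_run_case, and the kernel carries the N (test) taint flag. These therefore appear to be the deliberate use-after-free read exercised by the KASAN KUnit self-test, i.e. evidence that KASAN detection works on these builds, rather than a defect in production kernel code.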

[  105.586206] ==================================================================
[  105.586997] BUG: KASAN: use-after-free in kmalloc_uaf_16+0x104/0x2a0
[  105.587606] Read of size 16 at addr ffff0000c67f5900 by task kunit_try_catch/219
[  105.588107] 
[  105.588308] CPU: 1 PID: 219 Comm: kunit_try_catch Tainted: G    B            N 6.1.146-rc1 #1
[  105.588889] Hardware name: linux,dummy-virt (DT)
[  105.589363] Call trace:
[  105.590095]  dump_backtrace+0xe0/0x134
[  105.590655]  show_stack+0x20/0x2c
[  105.591087]  dump_stack_lvl+0x88/0xb4
[  105.591572]  print_report+0x158/0x44c
[  105.592000]  kasan_report+0xc8/0x180
[  105.592568]  __asan_load16+0x68/0x9c
[  105.593205]  kmalloc_uaf_16+0x104/0x2a0
[  105.593707]  kunit_try_run_case+0x8c/0x124
[  105.594218]  kunit_generic_run_threadfn_adapter+0x38/0x54
[  105.594826]  kthread+0x15c/0x170
[  105.595256]  ret_from_fork+0x10/0x20
[  105.595739] 
[  105.595998] Allocated by task 219:
[  105.596384]  kasan_save_stack+0x3c/0x70
[  105.597039]  kasan_set_track+0x2c/0x40
[  105.597537]  kasan_save_alloc_info+0x24/0x34
[  105.598050]  __kasan_kmalloc+0xd4/0xe0
[  105.598552]  kmalloc_trace+0x8c/0x150
[  105.598998]  kmalloc_uaf_16+0xcc/0x2a0
[  105.599470]  kunit_try_run_case+0x8c/0x124
[  105.599961]  kunit_generic_run_threadfn_adapter+0x38/0x54
[  105.600699]  kthread+0x15c/0x170
[  105.601110]  ret_from_fork+0x10/0x20
[  105.601672] 
[  105.601920] Freed by task 219:
[  105.602267]  kasan_save_stack+0x3c/0x70
[  105.602775]  kasan_set_track+0x2c/0x40
[  105.603245]  kasan_save_free_info+0x38/0x5c
[  105.603776]  __kasan_slab_free+0x100/0x170
[  105.604279]  slab_free_freelist_hook+0xd8/0x1c0
[  105.605127]  __kmem_cache_free+0x15c/0x2a0
[  105.605580]  kfree+0x88/0x150
[  105.606014]  kmalloc_uaf_16+0xec/0x2a0
[  105.606484]  kunit_try_run_case+0x8c/0x124
[  105.607034]  kunit_generic_run_threadfn_adapter+0x38/0x54
[  105.607605]  kthread+0x15c/0x170
[  105.608061]  ret_from_fork+0x10/0x20
[  105.608765] 
[  105.609011] The buggy address belongs to the object at ffff0000c67f5900
[  105.609011]  which belongs to the cache kmalloc-128 of size 128
[  105.609994] The buggy address is located 0 bytes inside of
[  105.609994]  128-byte region [ffff0000c67f5900, ffff0000c67f5980)
[  105.610930] 
[  105.611175] The buggy address belongs to the physical page:
[  105.611650] page:00000000678f5464 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1067f5
[  105.612415] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff)
[  105.613130] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300
[  105.614030] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[  105.614520] page dumped because: kasan: bad access detected
[  105.614908] 
[  105.615132] Memory state around the buggy address:
[  105.615564]  ffff0000c67f5800: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  105.616186]  ffff0000c67f5880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  105.617067] >ffff0000c67f5900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  105.617672]                    ^
[  105.618014]  ffff0000c67f5980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  105.618649]  ffff0000c67f5a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  105.619316] ==================================================================

[   75.343257] ==================================================================
[   75.343987] BUG: KASAN: use-after-free in kmalloc_uaf_16+0x104/0x1ac
[   75.344530] Read of size 16 at addr ffff0000c5a76100 by task kunit_try_catch/135
[   75.345885] 
[   75.346136] CPU: 0 PID: 135 Comm: kunit_try_catch Tainted: G    B            N 6.1.146-rc1 #1
[   75.346988] Hardware name: linux,dummy-virt (DT)
[   75.347439] Call trace:
[   75.347697]  dump_backtrace+0xf8/0x118
[   75.348213]  show_stack+0x18/0x24
[   75.348795]  __dump_stack+0x28/0x38
[   75.349256]  dump_stack_lvl+0x54/0x6c
[   75.349712]  print_address_description+0x7c/0x1ec
[   75.350251]  print_report+0x50/0x68
[   75.350777]  kasan_report+0xac/0x100
[   75.351296]  kasan_check_range+0x260/0x2a0
[   75.351786]  memcpy+0x48/0x90
[   75.352151]  kmalloc_uaf_16+0x104/0x1ac
[   75.352629]  kunit_try_run_case+0x80/0x184
[   75.353156]  kunit_generic_run_threadfn_adapter+0x30/0x4c
[   75.353778]  kthread+0x16c/0x21c
[   75.354223]  ret_from_fork+0x10/0x20
[   75.354665] 
[   75.354886] Allocated by task 135:
[   75.355220]  kasan_set_track+0x4c/0x80
[   75.355699]  kasan_save_alloc_info+0x28/0x34
[   75.356188]  __kasan_kmalloc+0x88/0xa0
[   75.356886]  kmalloc_trace+0x54/0x68
[   75.357327]  kmalloc_uaf_16+0xa0/0x1ac
[   75.357786]  kunit_try_run_case+0x80/0x184
[   75.358251]  kunit_generic_run_threadfn_adapter+0x30/0x4c
[   75.359125]  kthread+0x16c/0x21c
[   75.359569]  ret_from_fork+0x10/0x20
[   75.360035] 
[   75.360231] Freed by task 135:
[   75.360581]  kasan_set_track+0x4c/0x80
[   75.361297]  kasan_save_free_info+0x3c/0x60
[   75.361781]  ____kasan_slab_free+0xe8/0x140
[   75.362268]  __kasan_slab_free+0x18/0x28
[   75.362723]  __kmem_cache_free+0xdc/0x284
[   75.363194]  kfree+0x60/0x74
[   75.363552]  kmalloc_uaf_16+0xe8/0x1ac
[   75.364012]  kunit_try_run_case+0x80/0x184
[   75.364486]  kunit_generic_run_threadfn_adapter+0x30/0x4c
[   75.365552]  kthread+0x16c/0x21c
[   75.365975]  ret_from_fork+0x10/0x20
[   75.366405] 
[   75.366618] The buggy address belongs to the object at ffff0000c5a76100
[   75.366618]  which belongs to the cache kmalloc-128 of size 128
[   75.367525] The buggy address is located 0 bytes inside of
[   75.367525]  128-byte region [ffff0000c5a76100, ffff0000c5a76180)
[   75.368472] 
[   75.368916] The buggy address belongs to the physical page:
[   75.369418] page:00000000e5b61371 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a76
[   75.370187] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff)
[   75.370984] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300
[   75.371645] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   75.372248] page dumped because: kasan: bad access detected
[   75.372713] 
[   75.373102] Memory state around the buggy address:
[   75.373554]  ffff0000c5a76000: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   75.374176]  ffff0000c5a76080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   75.375135] >ffff0000c5a76100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.375703]                    ^
[   75.376066]  ffff0000c5a76180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   75.376950]  ffff0000c5a76200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   75.377530] ==================================================================

[   74.360677] ==================================================================
[   74.361479] BUG: KASAN: use-after-free in kmalloc_uaf_16+0x104/0x1ac
[   74.362050] Read of size 16 at addr ffff0000c5919800 by task kunit_try_catch/135
[   74.363382] 
[   74.363897] CPU: 1 PID: 135 Comm: kunit_try_catch Tainted: G    B            N 6.1.146-rc1 #1
[   74.364662] Hardware name: linux,dummy-virt (DT)
[   74.365026] Call trace:
[   74.365260]  dump_backtrace+0xf4/0x114
[   74.365697]  show_stack+0x18/0x24
[   74.366686]  __dump_stack+0x28/0x38
[   74.367440]  dump_stack_lvl+0x50/0x68
[   74.368260]  print_address_description+0x7c/0x1ec
[   74.369129]  print_report+0x50/0x68
[   74.369908]  kasan_report+0xac/0xfc
[   74.370628]  kasan_check_range+0x258/0x290
[   74.371426]  memcpy+0x48/0x90
[   74.372109]  kmalloc_uaf_16+0x104/0x1ac
[   74.372841]  kunit_try_run_case+0x80/0x184
[   74.373614]  kunit_generic_run_threadfn_adapter+0x30/0x4c
[   74.374530]  kthread+0x16c/0x21c
[   74.375224]  ret_from_fork+0x10/0x20
[   74.375901] 
[   74.376247] Allocated by task 135:
[   74.376786]  kasan_set_track+0x4c/0x80
[   74.377467]  kasan_save_alloc_info+0x28/0x34
[   74.378166]  __kasan_kmalloc+0x88/0xa0
[   74.378853]  kmalloc_trace+0x54/0x68
[   74.379483]  kmalloc_uaf_16+0xa0/0x1ac
[   74.380198]  kunit_try_run_case+0x80/0x184
[   74.380866]  kunit_generic_run_threadfn_adapter+0x30/0x4c
[   74.381378]  kthread+0x16c/0x21c
[   74.381769]  ret_from_fork+0x10/0x20
[   74.382467] 
[   74.382818] Freed by task 135:
[   74.383139]  kasan_set_track+0x4c/0x80
[   74.383934]  kasan_save_free_info+0x3c/0x60
[   74.384449]  ____kasan_slab_free+0xe8/0x140
[   74.384915]  __kasan_slab_free+0x18/0x28
[   74.385456]  __kmem_cache_free+0xdc/0x27c
[   74.386003]  kfree+0x60/0x74
[   74.386440]  kmalloc_uaf_16+0xe8/0x1ac
[   74.386947]  kunit_try_run_case+0x80/0x184
[   74.387410]  kunit_generic_run_threadfn_adapter+0x30/0x4c
[   74.388187]  kthread+0x16c/0x21c
[   74.388599]  ret_from_fork+0x10/0x20
[   74.389079] 
[   74.389278] The buggy address belongs to the object at ffff0000c5919800
[   74.389278]  which belongs to the cache kmalloc-128 of size 128
[   74.390244] The buggy address is located 0 bytes inside of
[   74.390244]  128-byte region [ffff0000c5919800, ffff0000c5919880)
[   74.391077] 
[   74.391264] The buggy address belongs to the physical page:
[   74.391634] page:0000000087a007df refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105919
[   74.393204] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff)
[   74.394455] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300
[   74.395718] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   74.397018] page dumped because: kasan: bad access detected
[   74.397941] 
[   74.398359] Memory state around the buggy address:
[   74.399229]  ffff0000c5919700: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   74.400530]  ffff0000c5919780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   74.401208] >ffff0000c5919800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   74.401684]                    ^
[   74.401998]  ffff0000c5919880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   74.402491]  ffff0000c5919900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   74.403474] ==================================================================

[   72.967443] ==================================================================
[   72.968303] BUG: KASAN: use-after-free in kmalloc_uaf_16+0xfc/0x290
[   72.968955] Read of size 16 at addr ffff0000c5952f00 by task kunit_try_catch/135
[   72.969478] 
[   72.969663] CPU: 0 PID: 135 Comm: kunit_try_catch Tainted: G    B            N 6.1.146-rc1 #1
[   72.970979] Hardware name: linux,dummy-virt (DT)
[   72.971604] Call trace:
[   72.971981]  dump_backtrace.part.0+0xdc/0xf0
[   72.972673]  show_stack+0x18/0x30
[   72.973235]  dump_stack_lvl+0x64/0x80
[   72.973866]  print_report+0x158/0x438
[   72.974521]  kasan_report+0xb4/0xf4
[   72.975055]  __asan_load16+0x68/0x9c
[   72.975406]  kmalloc_uaf_16+0xfc/0x290
[   72.975779]  kunit_try_run_case+0x84/0x120
[   72.976157]  kunit_generic_run_threadfn_adapter+0x30/0x50
[   72.976891]  kthread+0x180/0x190
[   72.977413]  ret_from_fork+0x10/0x20
[   72.978193] 
[   72.978484] Allocated by task 135:
[   72.979020]  kasan_save_stack+0x3c/0x70
[   72.979623]  kasan_set_track+0x2c/0x40
[   72.980190]  kasan_save_alloc_info+0x24/0x34
[   72.980839]  __kasan_kmalloc+0xb8/0xc0
[   72.981406]  kmalloc_trace+0x58/0x6c
[   72.982058]  kmalloc_uaf_16+0xc4/0x290
[   72.982739]  kunit_try_run_case+0x84/0x120
[   72.983362]  kunit_generic_run_threadfn_adapter+0x30/0x50
[   72.984143]  kthread+0x180/0x190
[   72.984662]  ret_from_fork+0x10/0x20
[   72.985223] 
[   72.985512] Freed by task 135:
[   72.986045]  kasan_save_stack+0x3c/0x70
[   72.986809]  kasan_set_track+0x2c/0x40
[   72.987389]  kasan_save_free_info+0x38/0x5c
[   72.988039]  __kasan_slab_free+0xe4/0x150
[   72.988662]  __kmem_cache_free+0x130/0x2a4
[   72.989208]  kfree+0x58/0x80
[   72.989537]  kmalloc_uaf_16+0xe4/0x290
[   72.990176]  kunit_try_run_case+0x84/0x120
[   72.990907]  kunit_generic_run_threadfn_adapter+0x30/0x50
[   72.991696]  kthread+0x180/0x190
[   72.992301]  ret_from_fork+0x10/0x20
[   72.992951] 
[   72.993217] The buggy address belongs to the object at ffff0000c5952f00
[   72.993217]  which belongs to the cache kmalloc-128 of size 128
[   72.994838] The buggy address is located 0 bytes inside of
[   72.994838]  128-byte region [ffff0000c5952f00, ffff0000c5952f80)
[   72.996791] 
[   72.996989] The buggy address belongs to the physical page:
[   72.997525] page:000000000a751a16 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105952
[   72.998747] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff)
[   72.999285] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300
[   72.999802] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   73.000253] page dumped because: kasan: bad access detected
[   73.001220] 
[   73.001571] Memory state around the buggy address:
[   73.002479]  ffff0000c5952e00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   73.003361]  ffff0000c5952e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   73.004262] >ffff0000c5952f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.005241]                    ^
[   73.006015]  ffff0000c5952f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   73.007045]  ffff0000c5953000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   73.007909] ==================================================================

[   64.557018] ==================================================================
[   64.557814] BUG: KASAN: use-after-free in kmalloc_uaf_16+0x110/0x278
[   64.558380] Read of size 16 at addr ffff0000c58b8500 by task kunit_try_catch/133
[   64.558918] 
[   64.559121] CPU: 0 PID: 133 Comm: kunit_try_catch Tainted: G    B            N 6.1.146-rc1 #1
[   64.559799] Hardware name: linux,dummy-virt (DT)
[   64.560154] Call trace:
[   64.560410]  dump_backtrace+0x110/0x120
[   64.560841]  show_stack+0x18/0x28
[   64.561242]  dump_stack_lvl+0x68/0x84
[   64.561749]  print_report+0x158/0x484
[   64.562105]  kasan_report+0x98/0xe0
[   64.562527]  __asan_load16+0x7c/0xa8
[   64.562968]  kmalloc_uaf_16+0x110/0x278
[   64.563595]  kunit_try_run_case+0x7c/0x120
[   64.564134]  kunit_generic_run_threadfn_adapter+0x30/0x50
[   64.564733]  kthread+0x1a4/0x1b8
[   64.565179]  ret_from_fork+0x10/0x20
[   64.565648] 
[   64.565902] Allocated by task 133:
[   64.566207]  kasan_save_stack+0x2c/0x58
[   64.566552]  kasan_set_track+0x2c/0x40
[   64.566967]  kasan_save_alloc_info+0x24/0x38
[   64.567378]  __kasan_kmalloc+0xa0/0xb8
[   64.567712]  kmalloc_trace+0x50/0x68
[   64.568087]  kmalloc_uaf_16+0xd4/0x278
[   64.568509]  kunit_try_run_case+0x7c/0x120
[   64.568916]  kunit_generic_run_threadfn_adapter+0x30/0x50
[   64.569425]  kthread+0x1a4/0x1b8
[   64.569756]  ret_from_fork+0x10/0x20
[   64.570118] 
[   64.570318] Freed by task 133:
[   64.570567]  kasan_save_stack+0x2c/0x58
[   64.570956]  kasan_set_track+0x2c/0x40
[   64.571315]  kasan_save_free_info+0x38/0x60
[   64.571718]  __kasan_slab_free+0xe8/0x158
[   64.572119]  __kmem_cache_free+0x138/0x2b0
[   64.572566]  kfree+0x5c/0x70
[   64.572906]  kmalloc_uaf_16+0xf4/0x278
[   64.573303]  kunit_try_run_case+0x7c/0x120
[   64.573727]  kunit_generic_run_threadfn_adapter+0x30/0x50
[   64.574219]  kthread+0x1a4/0x1b8
[   64.574565]  ret_from_fork+0x10/0x20
[   64.574921] 
[   64.575121] The buggy address belongs to the object at ffff0000c58b8500
[   64.575121]  which belongs to the cache kmalloc-128 of size 128
[   64.575953] The buggy address is located 0 bytes inside of
[   64.575953]  128-byte region [ffff0000c58b8500, ffff0000c58b8580)
[   64.576734] 
[   64.576900] The buggy address belongs to the physical page:
[   64.577307] page:0000000079d9b0ef refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058b8
[   64.578035] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff)
[   64.578645] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300
[   64.579238] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   64.579796] page dumped because: kasan: bad access detected
[   64.580204] 
[   64.580398] Memory state around the buggy address:
[   64.580788]  ffff0000c58b8400: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.581344]  ffff0000c58b8480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.581874] >ffff0000c58b8500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.582439]                    ^
[   64.582729]  ffff0000c58b8580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.583311]  ffff0000c58b8600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.583813] ==================================================================

[   30.844709] ==================================================================
[   30.845240] BUG: KASAN: use-after-free in kmalloc_uaf_16+0x104/0x250
[   30.846036] Read of size 16 at addr ffff888102f54b40 by task kunit_try_catch/239
[   30.846786] 
[   30.847027] CPU: 0 PID: 239 Comm: kunit_try_catch Tainted: G    B            N 6.1.146-rc1 #1
[   30.847980] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   30.848922] Call Trace:
[   30.849214]  <TASK>
[   30.849511]  dump_stack_lvl+0x49/0x62
[   30.849919]  print_report+0x189/0x492
[   30.850116]  ? kasan_complete_mode_report_info+0x7c/0x200
[   30.850594]  ? kmalloc_uaf_16+0x104/0x250
[   30.851177]  kasan_report+0x10c/0x190
[   30.851681]  ? kmalloc_uaf_16+0x104/0x250
[   30.852134]  __asan_load16+0x65/0x90
[   30.852757]  kmalloc_uaf_16+0x104/0x250
[   30.853186]  ? kmalloc_uaf+0x1c0/0x1c0
[   30.853789]  ? __kunit_add_resource+0xd1/0x100
[   30.854018]  ? kasan_test_init+0x13e/0x1b0
[   30.854230]  kunit_try_run_case+0x8f/0xd0
[   30.854638]  ? kunit_catch_run_case+0x80/0x80
[   30.855088]  ? kunit_try_catch_throw+0x40/0x40
[   30.855631]  kunit_generic_run_threadfn_adapter+0x2f/0x50
[   30.856308]  kthread+0x17b/0x1b0
[   30.856749]  ? kthread_complete_and_exit+0x30/0x30
[   30.857242]  ret_from_fork+0x22/0x30
[   30.857670]  </TASK>
[   30.858140] 
[   30.858338] Allocated by task 239:
[   30.858615]  kasan_save_stack+0x41/0x70
[   30.858812]  kasan_set_track+0x25/0x40
[   30.858993]  kasan_save_alloc_info+0x1e/0x30
[   30.859191]  __kasan_kmalloc+0xb6/0xc0
[   30.859480]  kmalloc_trace+0x48/0xb0
[   30.859864]  kmalloc_uaf_16+0xc5/0x250
[   30.860039]  kunit_try_run_case+0x8f/0xd0
[   30.860234]  kunit_generic_run_threadfn_adapter+0x2f/0x50
[   30.860724]  kthread+0x17b/0x1b0
[   30.861065]  ret_from_fork+0x22/0x30
[   30.861666] 
[   30.861856] Freed by task 239:
[   30.862204]  kasan_save_stack+0x41/0x70
[   30.862717]  kasan_set_track+0x25/0x40
[   30.863100]  kasan_save_free_info+0x2e/0x50
[   30.863568]  ____kasan_slab_free+0x175/0x1d0
[   30.864077]  __kasan_slab_free+0x12/0x20
[   30.864306]  __kmem_cache_free+0x188/0x2f0
[   30.864851]  kfree+0x78/0x120
[   30.865226]  kmalloc_uaf_16+0xe5/0x250
[   30.865905]  kunit_try_run_case+0x8f/0xd0
[   30.866202]  kunit_generic_run_threadfn_adapter+0x2f/0x50
[   30.866922]  kthread+0x17b/0x1b0
[   30.867215]  ret_from_fork+0x22/0x30
[   30.867517] 
[   30.867730] The buggy address belongs to the object at ffff888102f54b40
[   30.867730]  which belongs to the cache kmalloc-16 of size 16
[   30.868848] The buggy address is located 0 bytes inside of
[   30.868848]  16-byte region [ffff888102f54b40, ffff888102f54b50)
[   30.869256] 
[   30.869347] The buggy address belongs to the physical page:
[   30.869596] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102f54
[   30.870017] flags: 0x200000000000200(slab|node=0|zone=2)
[   30.870615] raw: 0200000000000200 0000000000000000 dead000000000122 ffff8881000413c0
[   30.871031] raw: 0000000000000000 0000000080800080 00000001ffffffff 0000000000000000
[   30.871486] page dumped because: kasan: bad access detected
[   30.871764] 
[   30.871880] Memory state around the buggy address:
[   30.872139]  ffff888102f54a00: 00 02 fc fc 00 02 fc fc fa fb fc fc fa fb fc fc
[   30.872629]  ffff888102f54a80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   30.873012] >ffff888102f54b00: fa fb fc fc 00 00 fc fc fa fb fc fc fc fc fc fc
[   30.873481]                                            ^
[   30.873765]  ffff888102f54b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.874106]  ffff888102f54c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.874467] ==================================================================