Date: July 15, 2025, 2:10 p.m.

| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |

[ 76.552483] ================================================================== [ 76.553361] BUG: KASAN: use-after-free in ksize_uaf+0x130/0x24c [ 76.553907] Read of size 1 at addr ffff0000c5a87178 by task kunit_try_catch/158 [ 76.554643] [ 76.554856] CPU: 1 PID: 158 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 76.555589] Hardware name: linux,dummy-virt (DT) [ 76.555998] Call trace: [ 76.556314] dump_backtrace+0xf8/0x118 [ 76.557264] show_stack+0x18/0x24 [ 76.557740] __dump_stack+0x28/0x38 [ 76.558157] dump_stack_lvl+0x54/0x6c [ 76.558614] print_address_description+0x7c/0x1ec [ 76.559160] print_report+0x50/0x68 [ 76.559593] kasan_report+0xac/0x100 [ 76.560042] __asan_load1+0x6c/0x70 [ 76.560518] ksize_uaf+0x130/0x24c [ 76.560967] kunit_try_run_case+0x80/0x184 [ 76.561428] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 76.562010] kthread+0x16c/0x21c [ 76.562452] ret_from_fork+0x10/0x20 [ 76.563150] [ 76.563370] Allocated by task 158: [ 76.563708] kasan_set_track+0x4c/0x80 [ 76.564220] kasan_save_alloc_info+0x28/0x34 [ 76.565161] __kasan_kmalloc+0x88/0xa0 [ 76.565642] kmalloc_trace+0x54/0x68 [ 76.566116] ksize_uaf+0x48/0x24c [ 76.566513] kunit_try_run_case+0x80/0x184 [ 76.567023] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 76.567583] kthread+0x16c/0x21c [ 76.567996] ret_from_fork+0x10/0x20 [ 76.568447] [ 76.568952] Freed by task 158: [ 76.569266] kasan_set_track+0x4c/0x80 [ 76.569773] kasan_save_free_info+0x3c/0x60 [ 76.570233] ____kasan_slab_free+0xe8/0x140 [ 76.570703] __kasan_slab_free+0x18/0x28 [ 76.571228] __kmem_cache_free+0xdc/0x284 [ 76.571706] kfree+0x60/0x74 [ 76.572110] ksize_uaf+0x90/0x24c [ 76.572520] kunit_try_run_case+0x80/0x184 [ 76.573020] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 76.573575] kthread+0x16c/0x21c [ 76.574022] ret_from_fork+0x10/0x20 [ 76.574419] [ 76.574630] The buggy address belongs to the object at ffff0000c5a87100 [ 76.574630] which belongs to the cache kmalloc-128 of size 128 [ 76.576011] The buggy address is 
located 120 bytes inside of [ 76.576011] 128-byte region [ffff0000c5a87100, ffff0000c5a87180) [ 76.577135] [ 76.577366] The buggy address belongs to the physical page: [ 76.577829] page:000000005da1e2c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a87 [ 76.578614] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff) [ 76.579429] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300 [ 76.580096] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 76.581175] page dumped because: kasan: bad access detected [ 76.581640] [ 76.581858] Memory state around the buggy address: [ 76.582273] ffff0000c5a87000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.582931] ffff0000c5a87080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 76.583567] >ffff0000c5a87100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.584180] ^ [ 76.585080] ffff0000c5a87180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 76.585680] ffff0000c5a87200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 76.586287] ================================================================== [ 76.474519] ================================================================== [ 76.475275] BUG: KASAN: use-after-free in ksize_uaf+0xa4/0x24c [ 76.475789] Read of size 1 at addr ffff0000c5a87100 by task kunit_try_catch/158 [ 76.476303] [ 76.476495] CPU: 1 PID: 158 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 76.478661] Hardware name: linux,dummy-virt (DT) [ 76.479890] Call trace: [ 76.480338] dump_backtrace+0xf8/0x118 [ 76.481358] show_stack+0x18/0x24 [ 76.482338] __dump_stack+0x28/0x38 [ 76.483302] dump_stack_lvl+0x54/0x6c [ 76.484278] print_address_description+0x7c/0x1ec [ 76.485449] print_report+0x50/0x68 [ 76.486450] kasan_report+0xac/0x100 [ 76.487452] __kasan_check_byte+0x3c/0x54 [ 76.488505] ksize+0x34/0x13c [ 76.489210] ksize_uaf+0xa4/0x24c [ 76.489802] kunit_try_run_case+0x80/0x184 [ 76.490277] 
kunit_generic_run_threadfn_adapter+0x30/0x4c [ 76.490927] kthread+0x16c/0x21c [ 76.491348] ret_from_fork+0x10/0x20 [ 76.491817] [ 76.492027] Allocated by task 158: [ 76.492371] kasan_set_track+0x4c/0x80 [ 76.492928] kasan_save_alloc_info+0x28/0x34 [ 76.493397] __kasan_kmalloc+0x88/0xa0 [ 76.493867] kmalloc_trace+0x54/0x68 [ 76.494296] ksize_uaf+0x48/0x24c [ 76.494725] kunit_try_run_case+0x80/0x184 [ 76.495481] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 76.496100] kthread+0x16c/0x21c [ 76.496521] ret_from_fork+0x10/0x20 [ 76.497216] [ 76.497403] Freed by task 158: [ 76.497767] kasan_set_track+0x4c/0x80 [ 76.498259] kasan_save_free_info+0x3c/0x60 [ 76.498752] ____kasan_slab_free+0xe8/0x140 [ 76.499313] __kasan_slab_free+0x18/0x28 [ 76.499787] __kmem_cache_free+0xdc/0x284 [ 76.500299] kfree+0x60/0x74 [ 76.500961] ksize_uaf+0x90/0x24c [ 76.501418] kunit_try_run_case+0x80/0x184 [ 76.501903] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 76.502455] kthread+0x16c/0x21c [ 76.502877] ret_from_fork+0x10/0x20 [ 76.503301] [ 76.503501] The buggy address belongs to the object at ffff0000c5a87100 [ 76.503501] which belongs to the cache kmalloc-128 of size 128 [ 76.504473] The buggy address is located 0 bytes inside of [ 76.504473] 128-byte region [ffff0000c5a87100, ffff0000c5a87180) [ 76.505627] [ 76.505852] The buggy address belongs to the physical page: [ 76.506342] page:000000005da1e2c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a87 [ 76.507127] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff) [ 76.507835] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300 [ 76.508538] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 76.509427] page dumped because: kasan: bad access detected [ 76.509920] [ 76.510107] Memory state around the buggy address: [ 76.510573] ffff0000c5a87000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.511214] ffff0000c5a87080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
fc fc [ 76.511857] >ffff0000c5a87100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.512438] ^ [ 76.513087] ffff0000c5a87180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 76.513707] ffff0000c5a87200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 76.514329] ================================================================== [ 76.516368] ================================================================== [ 76.517434] BUG: KASAN: use-after-free in ksize_uaf+0xe8/0x24c [ 76.517966] Read of size 1 at addr ffff0000c5a87100 by task kunit_try_catch/158 [ 76.518478] [ 76.518674] CPU: 1 PID: 158 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 76.519678] Hardware name: linux,dummy-virt (DT) [ 76.520045] Call trace: [ 76.520282] dump_backtrace+0xf8/0x118 [ 76.521816] show_stack+0x18/0x24 [ 76.522268] __dump_stack+0x28/0x38 [ 76.522739] dump_stack_lvl+0x54/0x6c [ 76.523208] print_address_description+0x7c/0x1ec [ 76.523787] print_report+0x50/0x68 [ 76.524286] kasan_report+0xac/0x100 [ 76.524961] __asan_load1+0x6c/0x70 [ 76.525593] ksize_uaf+0xe8/0x24c [ 76.526033] kunit_try_run_case+0x80/0x184 [ 76.526542] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 76.527176] kthread+0x16c/0x21c [ 76.527616] ret_from_fork+0x10/0x20 [ 76.528098] [ 76.528314] Allocated by task 158: [ 76.528925] kasan_set_track+0x4c/0x80 [ 76.529433] kasan_save_alloc_info+0x28/0x34 [ 76.529914] __kasan_kmalloc+0x88/0xa0 [ 76.530386] kmalloc_trace+0x54/0x68 [ 76.530884] ksize_uaf+0x48/0x24c [ 76.531330] kunit_try_run_case+0x80/0x184 [ 76.531840] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 76.532425] kthread+0x16c/0x21c [ 76.532841] ret_from_fork+0x10/0x20 [ 76.533272] [ 76.533453] Freed by task 158: [ 76.534315] kasan_set_track+0x4c/0x80 [ 76.534824] kasan_save_free_info+0x3c/0x60 [ 76.535291] ____kasan_slab_free+0xe8/0x140 [ 76.535805] __kasan_slab_free+0x18/0x28 [ 76.536303] __kmem_cache_free+0xdc/0x284 [ 76.537054] kfree+0x60/0x74 [ 76.537468] ksize_uaf+0x90/0x24c [ 76.537941] 
kunit_try_run_case+0x80/0x184 [ 76.538443] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 76.539099] kthread+0x16c/0x21c [ 76.539510] ret_from_fork+0x10/0x20 [ 76.539966] [ 76.540172] The buggy address belongs to the object at ffff0000c5a87100 [ 76.540172] which belongs to the cache kmalloc-128 of size 128 [ 76.541356] The buggy address is located 0 bytes inside of [ 76.541356] 128-byte region [ffff0000c5a87100, ffff0000c5a87180) [ 76.542244] [ 76.542451] The buggy address belongs to the physical page: [ 76.543307] page:000000005da1e2c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a87 [ 76.544115] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff) [ 76.545099] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300 [ 76.545786] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 76.546411] page dumped because: kasan: bad access detected [ 76.546923] [ 76.547123] Memory state around the buggy address: [ 76.547555] ffff0000c5a87000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.548209] ffff0000c5a87080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 76.549027] >ffff0000c5a87100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.549626] ^ [ 76.549989] ffff0000c5a87180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 76.550611] ffff0000c5a87200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 76.551491] ==================================================================
[ 75.590434] ================================================================== [ 75.591328] BUG: KASAN: use-after-free in ksize_uaf+0xe8/0x24c [ 75.592119] Read of size 1 at addr ffff0000c5a06600 by task kunit_try_catch/158 [ 75.593131] [ 75.593456] CPU: 0 PID: 158 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 75.594523] Hardware name: linux,dummy-virt (DT) [ 75.594936] Call trace: [ 75.595176] dump_backtrace+0xf4/0x114 [ 75.595599] show_stack+0x18/0x24 [ 75.596287] __dump_stack+0x28/0x38 [ 75.596910] dump_stack_lvl+0x50/0x68 [ 75.597562] print_address_description+0x7c/0x1ec [ 75.598314] print_report+0x50/0x68 [ 75.598927] kasan_report+0xac/0xfc [ 75.599540] __asan_load1+0x6c/0x70 [ 75.600273] ksize_uaf+0xe8/0x24c [ 75.600852] kunit_try_run_case+0x80/0x184 [ 75.601521] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 75.602337] kthread+0x16c/0x21c [ 75.602921] ret_from_fork+0x10/0x20 [ 75.603526] [ 75.603870] Allocated by task 158: [ 75.604367] kasan_set_track+0x4c/0x80 [ 75.604808] kasan_save_alloc_info+0x28/0x34 [ 75.605214] __kasan_kmalloc+0x88/0xa0 [ 75.605640] kmalloc_trace+0x54/0x68 [ 75.606238] ksize_uaf+0x48/0x24c [ 75.606805] kunit_try_run_case+0x80/0x184 [ 75.607468] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 75.608382] kthread+0x16c/0x21c [ 75.608999] ret_from_fork+0x10/0x20 [ 75.609599] [ 75.609884] Freed by task 158: [ 75.610337] kasan_set_track+0x4c/0x80 [ 75.610974] kasan_save_free_info+0x3c/0x60 [ 75.611620] ____kasan_slab_free+0xe8/0x140 [ 75.612411] __kasan_slab_free+0x18/0x28 [ 75.613113] __kmem_cache_free+0xdc/0x27c [ 75.613759] kfree+0x60/0x74 [ 75.614273] ksize_uaf+0x90/0x24c [ 75.614841] kunit_try_run_case+0x80/0x184 [ 75.615500] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 75.616414] kthread+0x16c/0x21c [ 75.617058] ret_from_fork+0x10/0x20 [ 75.617652] [ 75.617937] The buggy address belongs to the object at ffff0000c5a06600 [ 75.617937] which belongs to the cache kmalloc-128 of size 128 [ 75.619330] The buggy address is located 
0 bytes inside of [ 75.619330] 128-byte region [ffff0000c5a06600, ffff0000c5a06680) [ 75.620760] [ 75.621067] The buggy address belongs to the physical page: [ 75.621772] page:00000000cc3fd307 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a06 [ 75.622674] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff) [ 75.623252] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300 [ 75.623947] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 75.624950] page dumped because: kasan: bad access detected [ 75.625652] [ 75.625935] Memory state around the buggy address: [ 75.626565] ffff0000c5a06500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.627459] ffff0000c5a06580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.628479] >ffff0000c5a06600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.629518] ^ [ 75.630062] ffff0000c5a06680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.630983] ffff0000c5a06700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.631926] ================================================================== [ 75.545296] ================================================================== [ 75.546698] BUG: KASAN: use-after-free in ksize_uaf+0xa4/0x24c [ 75.547537] Read of size 1 at addr ffff0000c5a06600 by task kunit_try_catch/158 [ 75.548619] [ 75.548967] CPU: 0 PID: 158 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 75.550167] Hardware name: linux,dummy-virt (DT) [ 75.550780] Call trace: [ 75.551159] dump_backtrace+0xf4/0x114 [ 75.551872] show_stack+0x18/0x24 [ 75.552554] __dump_stack+0x28/0x38 [ 75.553153] dump_stack_lvl+0x50/0x68 [ 75.553773] print_address_description+0x7c/0x1ec [ 75.554301] print_report+0x50/0x68 [ 75.554712] kasan_report+0xac/0xfc [ 75.555348] __kasan_check_byte+0x3c/0x54 [ 75.556123] ksize+0x34/0x13c [ 75.556716] ksize_uaf+0xa4/0x24c [ 75.557299] kunit_try_run_case+0x80/0x184 [ 75.557984] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 
75.558803] kthread+0x16c/0x21c [ 75.559375] ret_from_fork+0x10/0x20 [ 75.560061] [ 75.560488] Allocated by task 158: [ 75.561004] kasan_set_track+0x4c/0x80 [ 75.561624] kasan_save_alloc_info+0x28/0x34 [ 75.562047] __kasan_kmalloc+0x88/0xa0 [ 75.562469] kmalloc_trace+0x54/0x68 [ 75.562983] ksize_uaf+0x48/0x24c [ 75.563539] kunit_try_run_case+0x80/0x184 [ 75.564346] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 75.565219] kthread+0x16c/0x21c [ 75.565812] ret_from_fork+0x10/0x20 [ 75.566399] [ 75.566672] Freed by task 158: [ 75.567138] kasan_set_track+0x4c/0x80 [ 75.567828] kasan_save_free_info+0x3c/0x60 [ 75.568489] ____kasan_slab_free+0xe8/0x140 [ 75.569185] __kasan_slab_free+0x18/0x28 [ 75.569848] __kmem_cache_free+0xdc/0x27c [ 75.570483] kfree+0x60/0x74 [ 75.571011] ksize_uaf+0x90/0x24c [ 75.571578] kunit_try_run_case+0x80/0x184 [ 75.572341] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 75.573225] kthread+0x16c/0x21c [ 75.573822] ret_from_fork+0x10/0x20 [ 75.574254] [ 75.574442] The buggy address belongs to the object at ffff0000c5a06600 [ 75.574442] which belongs to the cache kmalloc-128 of size 128 [ 75.575173] The buggy address is located 0 bytes inside of [ 75.575173] 128-byte region [ffff0000c5a06600, ffff0000c5a06680) [ 75.576223] [ 75.576508] The buggy address belongs to the physical page: [ 75.577338] page:00000000cc3fd307 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a06 [ 75.578485] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff) [ 75.579463] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300 [ 75.580531] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 75.581556] page dumped because: kasan: bad access detected [ 75.582346] [ 75.582635] Memory state around the buggy address: [ 75.583280] ffff0000c5a06500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.584296] ffff0000c5a06580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.585287] >ffff0000c5a06600: fa fb fb 
fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.586165] ^ [ 75.586652] ffff0000c5a06680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.587548] ffff0000c5a06700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.588492] ================================================================== [ 75.633076] ================================================================== [ 75.633723] BUG: KASAN: use-after-free in ksize_uaf+0x130/0x24c [ 75.634576] Read of size 1 at addr ffff0000c5a06678 by task kunit_try_catch/158 [ 75.635491] [ 75.635806] CPU: 0 PID: 158 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 75.636958] Hardware name: linux,dummy-virt (DT) [ 75.637411] Call trace: [ 75.637647] dump_backtrace+0xf4/0x114 [ 75.638093] show_stack+0x18/0x24 [ 75.638492] __dump_stack+0x28/0x38 [ 75.639031] dump_stack_lvl+0x50/0x68 [ 75.639624] print_address_description+0x7c/0x1ec [ 75.640505] print_report+0x50/0x68 [ 75.641134] kasan_report+0xac/0xfc [ 75.641748] __asan_load1+0x6c/0x70 [ 75.642361] ksize_uaf+0x130/0x24c [ 75.642947] kunit_try_run_case+0x80/0x184 [ 75.643620] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 75.644569] kthread+0x16c/0x21c [ 75.645226] ret_from_fork+0x10/0x20 [ 75.645828] [ 75.646103] Allocated by task 158: [ 75.646592] kasan_set_track+0x4c/0x80 [ 75.647236] kasan_save_alloc_info+0x28/0x34 [ 75.647970] __kasan_kmalloc+0x88/0xa0 [ 75.648689] kmalloc_trace+0x54/0x68 [ 75.649301] ksize_uaf+0x48/0x24c [ 75.649880] kunit_try_run_case+0x80/0x184 [ 75.650543] kunit_generic_run_threadfn_adapter+0x30/0x4c [ 75.651361] kthread+0x16c/0x21c [ 75.652017] ret_from_fork+0x10/0x20 [ 75.652659] [ 75.652964] Freed by task 158: [ 75.653439] kasan_set_track+0x4c/0x80 [ 75.654006] kasan_save_free_info+0x3c/0x60 [ 75.654419] ____kasan_slab_free+0xe8/0x140 [ 75.654876] __kasan_slab_free+0x18/0x28 [ 75.655310] __kmem_cache_free+0xdc/0x27c [ 75.655825] kfree+0x60/0x74 [ 75.656351] ksize_uaf+0x90/0x24c [ 75.656975] kunit_try_run_case+0x80/0x184 [ 75.657632] 
kunit_generic_run_threadfn_adapter+0x30/0x4c [ 75.658457] kthread+0x16c/0x21c [ 75.659031] ret_from_fork+0x10/0x20 [ 75.659613] [ 75.659928] The buggy address belongs to the object at ffff0000c5a06600 [ 75.659928] which belongs to the cache kmalloc-128 of size 128 [ 75.661483] The buggy address is located 120 bytes inside of [ 75.661483] 128-byte region [ffff0000c5a06600, ffff0000c5a06680) [ 75.662850] [ 75.663130] The buggy address belongs to the physical page: [ 75.663851] page:00000000cc3fd307 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a06 [ 75.664999] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff) [ 75.665951] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300 [ 75.666941] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 75.667930] page dumped because: kasan: bad access detected [ 75.668668] [ 75.668962] Memory state around the buggy address: [ 75.669596] ffff0000c5a06500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.670346] ffff0000c5a06580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.670863] >ffff0000c5a06600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.671489] ^ [ 75.672172] ffff0000c5a06680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.672785] ffff0000c5a06700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.673387] ==================================================================
[ 74.244424] ================================================================== [ 74.244981] BUG: KASAN: use-after-free in ksize_uaf+0x100/0x32c [ 74.245628] Read of size 1 at addr ffff0000c5938278 by task kunit_try_catch/158 [ 74.246935] [ 74.247138] CPU: 1 PID: 158 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 74.247943] Hardware name: linux,dummy-virt (DT) [ 74.248379] Call trace: [ 74.248667] dump_backtrace.part.0+0xdc/0xf0 [ 74.249174] show_stack+0x18/0x30 [ 74.249645] dump_stack_lvl+0x64/0x80 [ 74.250054] print_report+0x158/0x438 [ 74.250822] kasan_report+0xb4/0xf4 [ 74.251212] __asan_load1+0x68/0x74 [ 74.251671] ksize_uaf+0x100/0x32c [ 74.252099] kunit_try_run_case+0x84/0x120 [ 74.252608] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 74.253178] kthread+0x180/0x190 [ 74.253594] ret_from_fork+0x10/0x20 [ 74.254597] [ 74.254806] Allocated by task 158: [ 74.255163] kasan_save_stack+0x3c/0x70 [ 74.255633] kasan_set_track+0x2c/0x40 [ 74.256022] kasan_save_alloc_info+0x24/0x34 [ 74.256520] __kasan_kmalloc+0xb8/0xc0 [ 74.256952] kmalloc_trace+0x58/0x6c [ 74.257388] ksize_uaf+0x94/0x32c [ 74.257922] kunit_try_run_case+0x84/0x120 [ 74.258360] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 74.259157] kthread+0x180/0x190 [ 74.259578] ret_from_fork+0x10/0x20 [ 74.259966] [ 74.260193] Freed by task 158: [ 74.260521] kasan_save_stack+0x3c/0x70 [ 74.260997] kasan_set_track+0x2c/0x40 [ 74.261379] kasan_save_free_info+0x38/0x5c [ 74.262031] __kasan_slab_free+0xe4/0x150 [ 74.262495] __kmem_cache_free+0x130/0x2a4 [ 74.263510] kfree+0x58/0x80 [ 74.263914] ksize_uaf+0xb4/0x32c [ 74.264306] kunit_try_run_case+0x84/0x120 [ 74.264816] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 74.265416] kthread+0x180/0x190 [ 74.266156] ret_from_fork+0x10/0x20 [ 74.266584] [ 74.266803] The buggy address belongs to the object at ffff0000c5938200 [ 74.266803] which belongs to the cache kmalloc-128 of size 128 [ 74.267794] The buggy address is located 120 bytes inside of [ 74.267794] 
128-byte region [ffff0000c5938200, ffff0000c5938280) [ 74.268747] [ 74.268992] The buggy address belongs to the physical page: [ 74.269485] page:000000003af4cecf refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105938 [ 74.270577] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff) [ 74.271721] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300 [ 74.272421] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 74.273022] page dumped because: kasan: bad access detected [ 74.273489] [ 74.273693] Memory state around the buggy address: [ 74.274240] ffff0000c5938100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.275151] ffff0000c5938180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 74.275802] >ffff0000c5938200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.276359] ^ [ 74.276934] ffff0000c5938280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 74.277527] ffff0000c5938300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 74.278370] ================================================================== [ 74.169142] ================================================================== [ 74.170260] BUG: KASAN: use-after-free in ksize_uaf+0xc4/0x32c [ 74.170937] Read of size 1 at addr ffff0000c5938200 by task kunit_try_catch/158 [ 74.171875] [ 74.172200] CPU: 1 PID: 158 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 74.173306] Hardware name: linux,dummy-virt (DT) [ 74.174100] Call trace: [ 74.174590] dump_backtrace.part.0+0xdc/0xf0 [ 74.175480] show_stack+0x18/0x30 [ 74.176012] dump_stack_lvl+0x64/0x80 [ 74.176703] print_report+0x158/0x438 [ 74.177341] kasan_report+0xb4/0xf4 [ 74.177694] __kasan_check_byte+0x54/0x70 [ 74.178558] ksize+0x3c/0x94 [ 74.179237] ksize_uaf+0xc4/0x32c [ 74.179965] kunit_try_run_case+0x84/0x120 [ 74.180740] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 74.181638] kthread+0x180/0x190 [ 74.182445] ret_from_fork+0x10/0x20 [ 74.183057] [ 74.183236] Allocated by 
task 158: [ 74.183519] kasan_save_stack+0x3c/0x70 [ 74.183881] kasan_set_track+0x2c/0x40 [ 74.184214] kasan_save_alloc_info+0x24/0x34 [ 74.185160] __kasan_kmalloc+0xb8/0xc0 [ 74.185895] kmalloc_trace+0x58/0x6c [ 74.186700] ksize_uaf+0x94/0x32c [ 74.187388] kunit_try_run_case+0x84/0x120 [ 74.188220] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 74.189127] kthread+0x180/0x190 [ 74.189805] ret_from_fork+0x10/0x20 [ 74.190553] [ 74.190998] Freed by task 158: [ 74.191571] kasan_save_stack+0x3c/0x70 [ 74.192280] kasan_set_track+0x2c/0x40 [ 74.192858] kasan_save_free_info+0x38/0x5c [ 74.193503] __kasan_slab_free+0xe4/0x150 [ 74.194165] __kmem_cache_free+0x130/0x2a4 [ 74.195087] kfree+0x58/0x80 [ 74.195700] ksize_uaf+0xb4/0x32c [ 74.196352] kunit_try_run_case+0x84/0x120 [ 74.197083] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 74.197934] kthread+0x180/0x190 [ 74.198575] ret_from_fork+0x10/0x20 [ 74.198924] [ 74.199091] The buggy address belongs to the object at ffff0000c5938200 [ 74.199091] which belongs to the cache kmalloc-128 of size 128 [ 74.199926] The buggy address is located 0 bytes inside of [ 74.199926] 128-byte region [ffff0000c5938200, ffff0000c5938280) [ 74.200821] [ 74.201046] The buggy address belongs to the physical page: [ 74.201464] page:000000003af4cecf refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105938 [ 74.202605] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff) [ 74.203275] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300 [ 74.203943] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 74.204556] page dumped because: kasan: bad access detected [ 74.204998] [ 74.205225] Memory state around the buggy address: [ 74.205686] ffff0000c5938100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.206843] ffff0000c5938180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 74.207471] >ffff0000c5938200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.208068] ^ [ 74.208429] 
ffff0000c5938280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 74.209078] ffff0000c5938300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 74.209666] ================================================================== [ 74.211038] ================================================================== [ 74.211618] BUG: KASAN: use-after-free in ksize_uaf+0xe0/0x32c [ 74.212208] Read of size 1 at addr ffff0000c5938200 by task kunit_try_catch/158 [ 74.212829] [ 74.213070] CPU: 1 PID: 158 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 74.213835] Hardware name: linux,dummy-virt (DT) [ 74.214292] Call trace: [ 74.215082] dump_backtrace.part.0+0xdc/0xf0 [ 74.215625] show_stack+0x18/0x30 [ 74.216051] dump_stack_lvl+0x64/0x80 [ 74.216462] print_report+0x158/0x438 [ 74.216943] kasan_report+0xb4/0xf4 [ 74.217325] __asan_load1+0x68/0x74 [ 74.217766] ksize_uaf+0xe0/0x32c [ 74.218165] kunit_try_run_case+0x84/0x120 [ 74.218901] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 74.219468] kthread+0x180/0x190 [ 74.219887] ret_from_fork+0x10/0x20 [ 74.220288] [ 74.220512] Allocated by task 158: [ 74.220880] kasan_save_stack+0x3c/0x70 [ 74.221316] kasan_set_track+0x2c/0x40 [ 74.221710] kasan_save_alloc_info+0x24/0x34 [ 74.222292] __kasan_kmalloc+0xb8/0xc0 [ 74.223060] kmalloc_trace+0x58/0x6c [ 74.223550] ksize_uaf+0x94/0x32c [ 74.223956] kunit_try_run_case+0x84/0x120 [ 74.224440] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 74.224994] kthread+0x180/0x190 [ 74.225381] ret_from_fork+0x10/0x20 [ 74.225905] [ 74.226107] Freed by task 158: [ 74.226646] kasan_save_stack+0x3c/0x70 [ 74.227085] kasan_set_track+0x2c/0x40 [ 74.227484] kasan_save_free_info+0x38/0x5c [ 74.227965] __kasan_slab_free+0xe4/0x150 [ 74.228416] __kmem_cache_free+0x130/0x2a4 [ 74.228931] kfree+0x58/0x80 [ 74.229311] ksize_uaf+0xb4/0x32c [ 74.229754] kunit_try_run_case+0x84/0x120 [ 74.230290] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 74.231230] kthread+0x180/0x190 [ 74.231637] ret_from_fork+0x10/0x20 [ 
74.232031] [ 74.232252] The buggy address belongs to the object at ffff0000c5938200 [ 74.232252] which belongs to the cache kmalloc-128 of size 128 [ 74.233221] The buggy address is located 0 bytes inside of [ 74.233221] 128-byte region [ffff0000c5938200, ffff0000c5938280) [ 74.234274] [ 74.234487] The buggy address belongs to the physical page: [ 74.235160] page:000000003af4cecf refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105938 [ 74.235949] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff) [ 74.236651] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300 [ 74.237344] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 74.238082] page dumped because: kasan: bad access detected [ 74.238580] [ 74.238755] Memory state around the buggy address: [ 74.239172] ffff0000c5938100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.239831] ffff0000c5938180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 74.241007] >ffff0000c5938200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.241584] ^ [ 74.242101] ffff0000c5938280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 74.242788] ffff0000c5938300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 74.243556] ==================================================================
[ 65.683652] ================================================================== [ 65.684483] BUG: KASAN: use-after-free in ksize_uaf+0x100/0x320 [ 65.685292] Read of size 1 at addr ffff0000c58ade00 by task kunit_try_catch/156 [ 65.686710] [ 65.687008] CPU: 0 PID: 156 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1 [ 65.688006] Hardware name: linux,dummy-virt (DT) [ 65.688590] Call trace: [ 65.688959] dump_backtrace+0x110/0x120 [ 65.689847] show_stack+0x18/0x28 [ 65.690424] dump_stack_lvl+0x68/0x84 [ 65.690862] print_report+0x158/0x484 [ 65.691180] kasan_report+0x98/0xe0 [ 65.691730] __asan_load1+0x68/0x78 [ 65.692261] ksize_uaf+0x100/0x320 [ 65.692802] kunit_try_run_case+0x7c/0x120 [ 65.693435] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 65.694546] kthread+0x1a4/0x1b8 [ 65.695065] ret_from_fork+0x10/0x20 [ 65.695441] [ 65.695611] Allocated by task 156: [ 65.695865] kasan_save_stack+0x2c/0x58 [ 65.696188] kasan_set_track+0x2c/0x40 [ 65.696525] kasan_save_alloc_info+0x24/0x38 [ 65.696978] __kasan_kmalloc+0xa0/0xb8 [ 65.697407] kmalloc_trace+0x50/0x68 [ 65.697811] ksize_uaf+0xa8/0x320 [ 65.698172] kunit_try_run_case+0x7c/0x120 [ 65.698859] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 65.699383] kthread+0x1a4/0x1b8 [ 65.699721] ret_from_fork+0x10/0x20 [ 65.700106] [ 65.700297] Freed by task 156: [ 65.700583] kasan_save_stack+0x2c/0x58 [ 65.700901] kasan_set_track+0x2c/0x40 [ 65.701325] kasan_save_free_info+0x38/0x60 [ 65.702182] __kasan_slab_free+0xe8/0x158 [ 65.702588] __kmem_cache_free+0x138/0x2b0 [ 65.702995] kfree+0x5c/0x70 [ 65.703323] ksize_uaf+0xc8/0x320 [ 65.703697] kunit_try_run_case+0x7c/0x120 [ 65.704104] kunit_generic_run_threadfn_adapter+0x30/0x50 [ 65.704621] kthread+0x1a4/0x1b8 [ 65.704956] ret_from_fork+0x10/0x20 [ 65.705364] [ 65.705560] The buggy address belongs to the object at ffff0000c58ade00 [ 65.705560] which belongs to the cache kmalloc-128 of size 128 [ 65.706656] The buggy address is located 0 bytes inside of [ 65.706656] 128-byte 
region [ffff0000c58ade00, ffff0000c58ade80)
[ 65.707510]
[ 65.707693] The buggy address belongs to the physical page:
[ 65.708101] page:00000000f12428ca refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058ad
[ 65.708764] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff)
[ 65.709373] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300
[ 65.710443] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 65.711004] page dumped because: kasan: bad access detected
[ 65.711417]
[ 65.711605] Memory state around the buggy address:
[ 65.711987] ffff0000c58add00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.712517] ffff0000c58add80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.713051] >ffff0000c58ade00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.713959] ^
[ 65.714257] ffff0000c58ade80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.714863] ffff0000c58adf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.715381] ==================================================================
[ 65.716120] ==================================================================
[ 65.716642] BUG: KASAN: use-after-free in ksize_uaf+0x128/0x320
[ 65.717262] Read of size 1 at addr ffff0000c58ade78 by task kunit_try_catch/156
[ 65.717821]
[ 65.718040] CPU: 0 PID: 156 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1
[ 65.718722] Hardware name: linux,dummy-virt (DT)
[ 65.719088] Call trace:
[ 65.719331] dump_backtrace+0x110/0x120
[ 65.719761] show_stack+0x18/0x28
[ 65.720138] dump_stack_lvl+0x68/0x84
[ 65.721029] print_report+0x158/0x484
[ 65.721423] kasan_report+0x98/0xe0
[ 65.722018] __asan_load1+0x68/0x78
[ 65.722391] ksize_uaf+0x128/0x320
[ 65.722768] kunit_try_run_case+0x7c/0x120
[ 65.723190] kunit_generic_run_threadfn_adapter+0x30/0x50
[ 65.723699] kthread+0x1a4/0x1b8
[ 65.724027] ret_from_fork+0x10/0x20
[ 65.724424]
[ 65.724609] Allocated by task 156:
[ 65.724907] kasan_save_stack+0x2c/0x58
[ 65.725298] kasan_set_track+0x2c/0x40
[ 65.725716] kasan_save_alloc_info+0x24/0x38
[ 65.726598] __kasan_kmalloc+0xa0/0xb8
[ 65.726975] kmalloc_trace+0x50/0x68
[ 65.727366] ksize_uaf+0xa8/0x320
[ 65.727748] kunit_try_run_case+0x7c/0x120
[ 65.728170] kunit_generic_run_threadfn_adapter+0x30/0x50
[ 65.728662] kthread+0x1a4/0x1b8
[ 65.729013] ret_from_fork+0x10/0x20
[ 65.729415]
[ 65.729861] Freed by task 156:
[ 65.730151] kasan_save_stack+0x2c/0x58
[ 65.730557] kasan_set_track+0x2c/0x40
[ 65.730917] kasan_save_free_info+0x38/0x60
[ 65.731348] __kasan_slab_free+0xe8/0x158
[ 65.731744] __kmem_cache_free+0x138/0x2b0
[ 65.732204] kfree+0x5c/0x70
[ 65.732535] ksize_uaf+0xc8/0x320
[ 65.732917] kunit_try_run_case+0x7c/0x120
[ 65.733352] kunit_generic_run_threadfn_adapter+0x30/0x50
[ 65.734315] kthread+0x1a4/0x1b8
[ 65.734663] ret_from_fork+0x10/0x20
[ 65.735018]
[ 65.735195] The buggy address belongs to the object at ffff0000c58ade00
[ 65.735195] which belongs to the cache kmalloc-128 of size 128
[ 65.736067] The buggy address is located 120 bytes inside of
[ 65.736067] 128-byte region [ffff0000c58ade00, ffff0000c58ade80)
[ 65.736895]
[ 65.737060] The buggy address belongs to the physical page:
[ 65.737733] page:00000000f12428ca refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058ad
[ 65.738463] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff)
[ 65.739067] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300
[ 65.739679] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 65.740254] page dumped because: kasan: bad access detected
[ 65.740674]
[ 65.740854] Memory state around the buggy address:
[ 65.741269] ffff0000c58add00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.742004] ffff0000c58add80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.742577] >ffff0000c58ade00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.743088] ^
[ 65.743605] ffff0000c58ade80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.744185] ffff0000c58adf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.744720] ==================================================================
[ 65.649025] ==================================================================
[ 65.650564] BUG: KASAN: use-after-free in ksize_uaf+0xdc/0x320
[ 65.651519] Read of size 1 at addr ffff0000c58ade00 by task kunit_try_catch/156
[ 65.652512]
[ 65.652827] CPU: 0 PID: 156 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1
[ 65.653867] Hardware name: linux,dummy-virt (DT)
[ 65.654599] Call trace:
[ 65.655005] dump_backtrace+0x110/0x120
[ 65.655653] show_stack+0x18/0x28
[ 65.656214] dump_stack_lvl+0x68/0x84
[ 65.656828] print_report+0x158/0x484
[ 65.657397] kasan_report+0x98/0xe0
[ 65.658119] __kasan_check_byte+0x58/0x70
[ 65.658604] ksize+0x30/0x80
[ 65.658890] ksize_uaf+0xdc/0x320
[ 65.659203] kunit_try_run_case+0x7c/0x120
[ 65.659651] kunit_generic_run_threadfn_adapter+0x30/0x50
[ 65.660203] kthread+0x1a4/0x1b8
[ 65.660529] ret_from_fork+0x10/0x20
[ 65.660953]
[ 65.661126] Allocated by task 156:
[ 65.661489] kasan_save_stack+0x2c/0x58
[ 65.662062] kasan_set_track+0x2c/0x40
[ 65.662537] kasan_save_alloc_info+0x24/0x38
[ 65.663263] __kasan_kmalloc+0xa0/0xb8
[ 65.663681] kmalloc_trace+0x50/0x68
[ 65.664073] ksize_uaf+0xa8/0x320
[ 65.664447] kunit_try_run_case+0x7c/0x120
[ 65.664874] kunit_generic_run_threadfn_adapter+0x30/0x50
[ 65.665403] kthread+0x1a4/0x1b8
[ 65.665857] ret_from_fork+0x10/0x20
[ 65.666448]
[ 65.666686] Freed by task 156:
[ 65.667004] kasan_save_stack+0x2c/0x58
[ 65.667425] kasan_set_track+0x2c/0x40
[ 65.667827] kasan_save_free_info+0x38/0x60
[ 65.668252] __kasan_slab_free+0xe8/0x158
[ 65.668645] __kmem_cache_free+0x138/0x2b0
[ 65.669073] kfree+0x5c/0x70
[ 65.669442] ksize_uaf+0xc8/0x320
[ 65.670310] kunit_try_run_case+0x7c/0x120
[ 65.670743] kunit_generic_run_threadfn_adapter+0x30/0x50
[ 65.671278] kthread+0x1a4/0x1b8
[ 65.671636] ret_from_fork+0x10/0x20
[ 65.672009]
[ 65.672217] The buggy address belongs to the object at ffff0000c58ade00
[ 65.672217] which belongs to the cache kmalloc-128 of size 128
[ 65.673139] The buggy address is located 0 bytes inside of
[ 65.673139] 128-byte region [ffff0000c58ade00, ffff0000c58ade80)
[ 65.674244]
[ 65.674484] The buggy address belongs to the physical page:
[ 65.675155] page:00000000f12428ca refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058ad
[ 65.675845] flags: 0xbfffc0000000200(slab|node=0|zone=2|lastcpupid=0xffff)
[ 65.676471] raw: 0bfffc0000000200 0000000000000000 dead000000000122 ffff0000c0002300
[ 65.677098] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 65.678218] page dumped because: kasan: bad access detected
[ 65.678684]
[ 65.678883] Memory state around the buggy address:
[ 65.679298] ffff0000c58add00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.679894] ffff0000c58add80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.680472] >ffff0000c58ade00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.681018] ^
[ 65.681332] ffff0000c58ade80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.682407] ffff0000c58adf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.682832] ==================================================================
[ 31.840463] ==================================================================
[ 31.840998] BUG: KASAN: use-after-free in ksize_uaf+0xd0/0x2f0
[ 31.841423] Read of size 1 at addr ffff88810349f100 by task kunit_try_catch/262
[ 31.841760]
[ 31.841899] CPU: 0 PID: 262 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1
[ 31.842329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 31.842764] Call Trace:
[ 31.842951] <TASK>
[ 31.843118] dump_stack_lvl+0x49/0x62
[ 31.843518] print_report+0x189/0x492
[ 31.843807] ? kasan_complete_mode_report_info+0x7c/0x200
[ 31.844086] ? ksize_uaf+0xd0/0x2f0
[ 31.844292] kasan_report+0x10c/0x190
[ 31.844845] ? ksize_uaf+0xd0/0x2f0
[ 31.845109] ? ksize_uaf+0xd0/0x2f0
[ 31.845515] __kasan_check_byte+0x39/0x50
[ 31.845780] ksize+0x1e/0x70
[ 31.846010] ksize_uaf+0xd0/0x2f0
[ 31.846243] ? kmem_cache_oob+0x210/0x210
[ 31.846615] ? __kunit_add_resource+0xd1/0x100
[ 31.846912] ? kasan_test_init+0x13e/0x1b0
[ 31.847158] kunit_try_run_case+0x8f/0xd0
[ 31.847560] ? kunit_catch_run_case+0x80/0x80
[ 31.847830] ? kunit_try_catch_throw+0x40/0x40
[ 31.848116] kunit_generic_run_threadfn_adapter+0x2f/0x50
[ 31.848734] kthread+0x17b/0x1b0
[ 31.848948] ? kthread_complete_and_exit+0x30/0x30
[ 31.849251] ret_from_fork+0x22/0x30
[ 31.849615] </TASK>
[ 31.849774]
[ 31.849909] Allocated by task 262:
[ 31.850107] kasan_save_stack+0x41/0x70
[ 31.850528] kasan_set_track+0x25/0x40
[ 31.850745] kasan_save_alloc_info+0x1e/0x30
[ 31.851025] __kasan_kmalloc+0xb6/0xc0
[ 31.851254] kmalloc_trace+0x48/0xb0
[ 31.851617] ksize_uaf+0x99/0x2f0
[ 31.851834] kunit_try_run_case+0x8f/0xd0
[ 31.852090] kunit_generic_run_threadfn_adapter+0x2f/0x50
[ 31.852659] kthread+0x17b/0x1b0
[ 31.852832] ret_from_fork+0x22/0x30
[ 31.853094]
[ 31.853251] Freed by task 262:
[ 31.853528] kasan_save_stack+0x41/0x70
[ 31.853777] kasan_set_track+0x25/0x40
[ 31.854045] kasan_save_free_info+0x2e/0x50
[ 31.854325] ____kasan_slab_free+0x175/0x1d0
[ 31.854707] __kasan_slab_free+0x12/0x20
[ 31.854974] __kmem_cache_free+0x188/0x2f0
[ 31.855250] kfree+0x78/0x120
[ 31.855553] ksize_uaf+0xb9/0x2f0
[ 31.855786] kunit_try_run_case+0x8f/0xd0
[ 31.856041] kunit_generic_run_threadfn_adapter+0x2f/0x50
[ 31.856465] kthread+0x17b/0x1b0
[ 31.856892] ret_from_fork+0x22/0x30
[ 31.857239]
[ 31.857375] The buggy address belongs to the object at ffff88810349f100
[ 31.857375] which belongs to the cache kmalloc-128 of size 128
[ 31.858139] The buggy address is located 0 bytes inside of
[ 31.858139] 128-byte region [ffff88810349f100, ffff88810349f180)
[ 31.858684]
[ 31.858799] The buggy address belongs to the physical page:
[ 31.859077] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10349f
[ 31.859764] flags: 0x200000000000200(slab|node=0|zone=2)
[ 31.860104] raw: 0200000000000200 0000000000000000 dead000000000122 ffff8881000418c0
[ 31.860806] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 31.861198] page dumped because: kasan: bad access detected
[ 31.861584]
[ 31.861711] Memory state around the buggy address:
[ 31.861956] ffff88810349f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 31.862459] ffff88810349f080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.862821] >ffff88810349f100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.863150] ^
[ 31.863422] ffff88810349f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.863796] ffff88810349f200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.864148] ==================================================================
[ 31.896286] ==================================================================
[ 31.897020] BUG: KASAN: use-after-free in ksize_uaf+0x12e/0x2f0
[ 31.897401] Read of size 1 at addr ffff88810349f178 by task kunit_try_catch/262
[ 31.897774]
[ 31.897895] CPU: 0 PID: 262 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1
[ 31.898288] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 31.898723] Call Trace:
[ 31.898892] <TASK>
[ 31.899047] dump_stack_lvl+0x49/0x62
[ 31.899370] print_report+0x189/0x492
[ 31.899579] ? kasan_complete_mode_report_info+0x7c/0x200
[ 31.899881] ? ksize_uaf+0x12e/0x2f0
[ 31.900055] kasan_report+0x10c/0x190
[ 31.900311] ? ksize_uaf+0x12e/0x2f0
[ 31.900531] __asan_load1+0x62/0x70
[ 31.900693] ksize_uaf+0x12e/0x2f0
[ 31.900997] ? kmem_cache_oob+0x210/0x210
[ 31.901570] ? __kunit_add_resource+0xd1/0x100
[ 31.901986] ? kasan_test_init+0x13e/0x1b0
[ 31.902201] kunit_try_run_case+0x8f/0xd0
[ 31.902475] ? kunit_catch_run_case+0x80/0x80
[ 31.902740] ? kunit_try_catch_throw+0x40/0x40
[ 31.903008] kunit_generic_run_threadfn_adapter+0x2f/0x50
[ 31.903356] kthread+0x17b/0x1b0
[ 31.903571] ? kthread_complete_and_exit+0x30/0x30
[ 31.903861] ret_from_fork+0x22/0x30
[ 31.904123] </TASK>
[ 31.904318]
[ 31.904428] Allocated by task 262:
[ 31.904643] kasan_save_stack+0x41/0x70
[ 31.904908] kasan_set_track+0x25/0x40
[ 31.905184] kasan_save_alloc_info+0x1e/0x30
[ 31.905392] __kasan_kmalloc+0xb6/0xc0
[ 31.905815] kmalloc_trace+0x48/0xb0
[ 31.906067] ksize_uaf+0x99/0x2f0
[ 31.906589] kunit_try_run_case+0x8f/0xd0
[ 31.906982] kunit_generic_run_threadfn_adapter+0x2f/0x50
[ 31.907331] kthread+0x17b/0x1b0
[ 31.907567] ret_from_fork+0x22/0x30
[ 31.907778]
[ 31.907897] Freed by task 262:
[ 31.908063] kasan_save_stack+0x41/0x70
[ 31.908328] kasan_set_track+0x25/0x40
[ 31.908657] kasan_save_free_info+0x2e/0x50
[ 31.908913] ____kasan_slab_free+0x175/0x1d0
[ 31.909169] __kasan_slab_free+0x12/0x20
[ 31.909530] __kmem_cache_free+0x188/0x2f0
[ 31.910051] kfree+0x78/0x120
[ 31.910215] ksize_uaf+0xb9/0x2f0
[ 31.910458] kunit_try_run_case+0x8f/0xd0
[ 31.910702] kunit_generic_run_threadfn_adapter+0x2f/0x50
[ 31.910978] kthread+0x17b/0x1b0
[ 31.911213] ret_from_fork+0x22/0x30
[ 31.911429]
[ 31.911544] The buggy address belongs to the object at ffff88810349f100
[ 31.911544] which belongs to the cache kmalloc-128 of size 128
[ 31.912109] The buggy address is located 120 bytes inside of
[ 31.912109] 128-byte region [ffff88810349f100, ffff88810349f180)
[ 31.912748]
[ 31.912864] The buggy address belongs to the physical page:
[ 31.913173] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10349f
[ 31.913631] flags: 0x200000000000200(slab|node=0|zone=2)
[ 31.914039] raw: 0200000000000200 0000000000000000 dead000000000122 ffff8881000418c0
[ 31.914824] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 31.915157] page dumped because: kasan: bad access detected
[ 31.915547]
[ 31.915642] Memory state around the buggy address:
[ 31.915912] ffff88810349f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 31.916309] ffff88810349f080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.916631] >ffff88810349f100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.916987] ^
[ 31.917338] ffff88810349f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.917929] ffff88810349f200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.918405] ==================================================================
[ 31.867226] ==================================================================
[ 31.867613] BUG: KASAN: use-after-free in ksize_uaf+0xfd/0x2f0
[ 31.868274] Read of size 1 at addr ffff88810349f100 by task kunit_try_catch/262
[ 31.868684]
[ 31.868791] CPU: 0 PID: 262 Comm: kunit_try_catch Tainted: G B N 6.1.146-rc1 #1
[ 31.869233] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 31.869641] Call Trace:
[ 31.869868] <TASK>
[ 31.870062] dump_stack_lvl+0x49/0x62
[ 31.870373] print_report+0x189/0x492
[ 31.870713] ? kasan_complete_mode_report_info+0x7c/0x200
[ 31.871089] ? ksize_uaf+0xfd/0x2f0
[ 31.871327] kasan_report+0x10c/0x190
[ 31.871614] ? ksize_uaf+0xfd/0x2f0
[ 31.872206] __asan_load1+0x62/0x70
[ 31.872471] ksize_uaf+0xfd/0x2f0
[ 31.872742] ? kmem_cache_oob+0x210/0x210
[ 31.873026] ? __kunit_add_resource+0xd1/0x100
[ 31.873364] ? kasan_test_init+0x13e/0x1b0
[ 31.873639] kunit_try_run_case+0x8f/0xd0
[ 31.873904] ? kunit_catch_run_case+0x80/0x80
[ 31.874178] ? kunit_try_catch_throw+0x40/0x40
[ 31.874496] kunit_generic_run_threadfn_adapter+0x2f/0x50
[ 31.874844] kthread+0x17b/0x1b0
[ 31.875096] ? kthread_complete_and_exit+0x30/0x30
[ 31.875800] ret_from_fork+0x22/0x30
[ 31.876080] </TASK>
[ 31.876234]
[ 31.876321] Allocated by task 262:
[ 31.876584] kasan_save_stack+0x41/0x70
[ 31.876784] kasan_set_track+0x25/0x40
[ 31.877009] kasan_save_alloc_info+0x1e/0x30
[ 31.877629] __kasan_kmalloc+0xb6/0xc0
[ 31.877895] kmalloc_trace+0x48/0xb0
[ 31.878069] ksize_uaf+0x99/0x2f0
[ 31.878247] kunit_try_run_case+0x8f/0xd0
[ 31.878443] kunit_generic_run_threadfn_adapter+0x2f/0x50
[ 31.878674] kthread+0x17b/0x1b0
[ 31.878834] ret_from_fork+0x22/0x30
[ 31.879002]
[ 31.879088] Freed by task 262:
[ 31.879246] kasan_save_stack+0x41/0x70
[ 31.879774] kasan_set_track+0x25/0x40
[ 31.880232] kasan_save_free_info+0x2e/0x50
[ 31.881184] ____kasan_slab_free+0x175/0x1d0
[ 31.881684] __kasan_slab_free+0x12/0x20
[ 31.882120] __kmem_cache_free+0x188/0x2f0
[ 31.882658] kfree+0x78/0x120
[ 31.883026] ksize_uaf+0xb9/0x2f0
[ 31.883454] kunit_try_run_case+0x8f/0xd0
[ 31.883898] kunit_generic_run_threadfn_adapter+0x2f/0x50
[ 31.884504] kthread+0x17b/0x1b0
[ 31.885192] ret_from_fork+0x22/0x30
[ 31.885622]
[ 31.885817] The buggy address belongs to the object at ffff88810349f100
[ 31.885817] which belongs to the cache kmalloc-128 of size 128
[ 31.887099] The buggy address is located 0 bytes inside of
[ 31.887099] 128-byte region [ffff88810349f100, ffff88810349f180)
[ 31.888251]
[ 31.888549] The buggy address belongs to the physical page:
[ 31.888893] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10349f
[ 31.889264] flags: 0x200000000000200(slab|node=0|zone=2)
[ 31.889902] raw: 0200000000000200 0000000000000000 dead000000000122 ffff8881000418c0
[ 31.890692] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 31.891506] page dumped because: kasan: bad access detected
[ 31.891911]
[ 31.892002] Memory state around the buggy address:
[ 31.892200] ffff88810349f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 31.892892] ffff88810349f080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.893741] >ffff88810349f100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.894484] ^
[ 31.894842] ffff88810349f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.895564] ffff88810349f200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.895814] ==================================================================