Hay
Date
June 7, 2025, 10:40 a.m.

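Environment
qemu-arm64 (the first three reports below; hardware name "linux,dummy-virt (DT)")
qemu-x86_64 (the last three reports below; hardware name "QEMU Standard PC (Q35 + ICH9, 2009)")

Note for triage: every report below is raised from ksize_uaf running under KUnit (task kunit_try_catch, taint flag [N]=TEST), and the object is both allocated and freed inside ksize_uaf by that same task, so these appear to be the expected output of a KASAN self-test rather than a use-after-free in production kernel code. Within each environment the reports are not listed in timestamp order.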

[   21.968287] ==================================================================
[   21.968980] BUG: KASAN: slab-use-after-free in ksize_uaf+0x578/0x5d0
[   21.969670] Read of size 1 at addr fff00000c4228300 by task kunit_try_catch/184
[   21.970671] 
[   21.971040] CPU: 1 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G    B            N 6.12.33-rc1 #1
[   21.971250] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.971360] Hardware name: linux,dummy-virt (DT)
[   21.971466] Call trace:
[   21.971532]  dump_backtrace+0x9c/0x128
[   21.971652]  show_stack+0x20/0x38
[   21.972140]  dump_stack_lvl+0x8c/0xd0
[   21.972267]  print_report+0x118/0x5f0
[   21.972412]  kasan_report+0xdc/0x128
[   21.972528]  __asan_report_load1_noabort+0x20/0x30
[   21.972649]  ksize_uaf+0x578/0x5d0
[   21.972763]  kunit_try_run_case+0x170/0x3f0
[   21.972925]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.973073]  kthread+0x24c/0x2d0
[   21.973149]  ret_from_fork+0x10/0x20
[   21.973200] 
[   21.980200] Allocated by task 184:
[   21.980530]  kasan_save_stack+0x3c/0x68
[   21.981121]  kasan_save_track+0x20/0x40
[   21.981738]  kasan_save_alloc_info+0x40/0x58
[   21.982473]  __kasan_kmalloc+0xd4/0xd8
[   21.983111]  __kmalloc_cache_noprof+0x154/0x320
[   21.983645]  ksize_uaf+0xb8/0x5d0
[   21.984517]  kunit_try_run_case+0x170/0x3f0
[   21.985438]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.986390]  kthread+0x24c/0x2d0
[   21.987028]  ret_from_fork+0x10/0x20
[   21.987437] 
[   21.987681] Freed by task 184:
[   21.989210]  kasan_save_stack+0x3c/0x68
[   21.989811]  kasan_save_track+0x20/0x40
[   21.990594]  kasan_save_free_info+0x4c/0x78
[   21.991234]  __kasan_slab_free+0x6c/0x98
[   21.991950]  kfree+0x110/0x3b8
[   21.993928]  ksize_uaf+0x120/0x5d0
[   21.994923]  kunit_try_run_case+0x170/0x3f0
[   21.995428]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.995916]  kthread+0x24c/0x2d0
[   21.996524]  ret_from_fork+0x10/0x20
[   21.996902] 
[   21.997540] The buggy address belongs to the object at fff00000c4228300
[   21.997540]  which belongs to the cache kmalloc-128 of size 128
[   22.000005] The buggy address is located 0 bytes inside of
[   22.000005]  freed 128-byte region [fff00000c4228300, fff00000c4228380)
[   22.001181] 
[   22.001491] The buggy address belongs to the physical page:
[   22.002977] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104228
[   22.005167] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   22.006016] page_type: f5(slab)
[   22.006638] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   22.007799] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   22.008775] page dumped because: kasan: bad access detected
[   22.009511] 
[   22.009797] Memory state around the buggy address:
[   22.010595]  fff00000c4228200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.011670]  fff00000c4228280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.012702] >fff00000c4228300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.013513]                    ^
[   22.014113]  fff00000c4228380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.014944]  fff00000c4228400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.016003] ==================================================================
[   21.926425] ==================================================================
[   21.927804] BUG: KASAN: slab-use-after-free in ksize_uaf+0x174/0x5d0
[   21.928504] Read of size 1 at addr fff00000c4228300 by task kunit_try_catch/184
[   21.929123] 
[   21.929438] CPU: 1 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G    B            N 6.12.33-rc1 #1
[   21.929577] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.929612] Hardware name: linux,dummy-virt (DT)
[   21.929671] Call trace:
[   21.929767]  dump_backtrace+0x9c/0x128
[   21.929892]  show_stack+0x20/0x38
[   21.930019]  dump_stack_lvl+0x8c/0xd0
[   21.930138]  print_report+0x118/0x5f0
[   21.930249]  kasan_report+0xdc/0x128
[   21.930356]  __kasan_check_byte+0x54/0x70
[   21.930468]  ksize+0x30/0x88
[   21.930536]  ksize_uaf+0x174/0x5d0
[   21.930583]  kunit_try_run_case+0x170/0x3f0
[   21.930630]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.930684]  kthread+0x24c/0x2d0
[   21.930726]  ret_from_fork+0x10/0x20
[   21.930776] 
[   21.938140] Allocated by task 184:
[   21.938624]  kasan_save_stack+0x3c/0x68
[   21.939109]  kasan_save_track+0x20/0x40
[   21.940024]  kasan_save_alloc_info+0x40/0x58
[   21.940667]  __kasan_kmalloc+0xd4/0xd8
[   21.941242]  __kmalloc_cache_noprof+0x154/0x320
[   21.941974]  ksize_uaf+0xb8/0x5d0
[   21.942479]  kunit_try_run_case+0x170/0x3f0
[   21.943001]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.943678]  kthread+0x24c/0x2d0
[   21.944989]  ret_from_fork+0x10/0x20
[   21.945535] 
[   21.945833] Freed by task 184:
[   21.946350]  kasan_save_stack+0x3c/0x68
[   21.946923]  kasan_save_track+0x20/0x40
[   21.947511]  kasan_save_free_info+0x4c/0x78
[   21.948567]  __kasan_slab_free+0x6c/0x98
[   21.949153]  kfree+0x110/0x3b8
[   21.949624]  ksize_uaf+0x120/0x5d0
[   21.950144]  kunit_try_run_case+0x170/0x3f0
[   21.950693]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.951735]  kthread+0x24c/0x2d0
[   21.952236]  ret_from_fork+0x10/0x20
[   21.952672] 
[   21.952974] The buggy address belongs to the object at fff00000c4228300
[   21.952974]  which belongs to the cache kmalloc-128 of size 128
[   21.954079] The buggy address is located 0 bytes inside of
[   21.954079]  freed 128-byte region [fff00000c4228300, fff00000c4228380)
[   21.955261] 
[   21.955871] The buggy address belongs to the physical page:
[   21.956510] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104228
[   21.957382] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   21.958170] page_type: f5(slab)
[   21.958641] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   21.959640] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   21.960387] page dumped because: kasan: bad access detected
[   21.961035] 
[   21.961366] Memory state around the buggy address:
[   21.961937]  fff00000c4228200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.962748]  fff00000c4228280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.963507] >fff00000c4228300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   21.964726]                    ^
[   21.965386]  fff00000c4228380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.966079]  fff00000c4228400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.966696] ==================================================================
[   22.017129] ==================================================================
[   22.017816] BUG: KASAN: slab-use-after-free in ksize_uaf+0x53c/0x5d0
[   22.018776] Read of size 1 at addr fff00000c4228378 by task kunit_try_catch/184
[   22.019665] 
[   22.020064] CPU: 1 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G    B            N 6.12.33-rc1 #1
[   22.020255] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.020325] Hardware name: linux,dummy-virt (DT)
[   22.020410] Call trace:
[   22.020478]  dump_backtrace+0x9c/0x128
[   22.020589]  show_stack+0x20/0x38
[   22.020702]  dump_stack_lvl+0x8c/0xd0
[   22.020829]  print_report+0x118/0x5f0
[   22.020943]  kasan_report+0xdc/0x128
[   22.021068]  __asan_report_load1_noabort+0x20/0x30
[   22.021190]  ksize_uaf+0x53c/0x5d0
[   22.021247]  kunit_try_run_case+0x170/0x3f0
[   22.021320]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.021375]  kthread+0x24c/0x2d0
[   22.021420]  ret_from_fork+0x10/0x20
[   22.021470] 
[   22.029086] Allocated by task 184:
[   22.029414]  kasan_save_stack+0x3c/0x68
[   22.030006]  kasan_save_track+0x20/0x40
[   22.030507]  kasan_save_alloc_info+0x40/0x58
[   22.031000]  __kasan_kmalloc+0xd4/0xd8
[   22.031528]  __kmalloc_cache_noprof+0x154/0x320
[   22.032581]  ksize_uaf+0xb8/0x5d0
[   22.033289]  kunit_try_run_case+0x170/0x3f0
[   22.033843]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.034469]  kthread+0x24c/0x2d0
[   22.034926]  ret_from_fork+0x10/0x20
[   22.035646] 
[   22.036018] Freed by task 184:
[   22.036410]  kasan_save_stack+0x3c/0x68
[   22.036950]  kasan_save_track+0x20/0x40
[   22.037474]  kasan_save_free_info+0x4c/0x78
[   22.038076]  __kasan_slab_free+0x6c/0x98
[   22.038585]  kfree+0x110/0x3b8
[   22.039090]  ksize_uaf+0x120/0x5d0
[   22.040286]  kunit_try_run_case+0x170/0x3f0
[   22.040676]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.040996]  kthread+0x24c/0x2d0
[   22.041270]  ret_from_fork+0x10/0x20
[   22.042203] 
[   22.042652] The buggy address belongs to the object at fff00000c4228300
[   22.042652]  which belongs to the cache kmalloc-128 of size 128
[   22.043942] The buggy address is located 120 bytes inside of
[   22.043942]  freed 128-byte region [fff00000c4228300, fff00000c4228380)
[   22.045109] 
[   22.045408] The buggy address belongs to the physical page:
[   22.046004] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104228
[   22.046938] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   22.048112] page_type: f5(slab)
[   22.048631] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   22.049283] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   22.050109] page dumped because: kasan: bad access detected
[   22.050629] 
[   22.050923] Memory state around the buggy address:
[   22.051581]  fff00000c4228200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.052753]  fff00000c4228280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.053504] >fff00000c4228300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   22.054180]                                                                 ^
[   22.054909]  fff00000c4228380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.055811]  fff00000c4228400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.056884] ==================================================================

[   18.427757] ==================================================================
[   18.428995] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19e/0x6c0
[   18.430835] Read of size 1 at addr ffff888102925800 by task kunit_try_catch/201
[   18.431759] 
[   18.431961] CPU: 0 UID: 0 PID: 201 Comm: kunit_try_catch Tainted: G    B            N 6.12.33-rc1 #1
[   18.432071] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.432102] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   18.432155] Call Trace:
[   18.432193]  <TASK>
[   18.432258]  dump_stack_lvl+0x73/0xb0
[   18.432340]  print_report+0xd1/0x640
[   18.432412]  ? __virt_addr_valid+0x1db/0x2d0
[   18.432481]  ? ksize_uaf+0x19e/0x6c0
[   18.432531]  ? kasan_complete_mode_report_info+0x64/0x200
[   18.432587]  ? ksize_uaf+0x19e/0x6c0
[   18.432633]  kasan_report+0x140/0x180
[   18.432696]  ? ksize_uaf+0x19e/0x6c0
[   18.432750]  ? ksize_uaf+0x19e/0x6c0
[   18.432800]  __kasan_check_byte+0x3d/0x50
[   18.432859]  ksize+0x20/0x60
[   18.432907]  ksize_uaf+0x19e/0x6c0
[   18.432950]  ? __pfx_ksize_uaf+0x10/0x10
[   18.432999]  ? __schedule+0xc49/0x27a0
[   18.433060]  ? __pfx_read_tsc+0x10/0x10
[   18.433110]  ? ktime_get_ts64+0x84/0x230
[   18.433177]  kunit_try_run_case+0x1a6/0x480
[   18.434093]  ? __pfx_kunit_try_run_case+0x10/0x10
[   18.434162]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   18.434237]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   18.434303]  ? __kthread_parkme+0x82/0x160
[   18.434357]  ? preempt_count_sub+0x50/0x80
[   18.434412]  ? __pfx_kunit_try_run_case+0x10/0x10
[   18.434586]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   18.434652]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.434713]  kthread+0x257/0x310
[   18.434757]  ? __pfx_kthread+0x10/0x10
[   18.434803]  ret_from_fork+0x41/0x80
[   18.434886]  ? __pfx_kthread+0x10/0x10
[   18.434931]  ret_from_fork_asm+0x1a/0x30
[   18.435003]  </TASK>
[   18.435028] 
[   18.457431] Allocated by task 201:
[   18.458121]  kasan_save_stack+0x45/0x70
[   18.458840]  kasan_save_track+0x18/0x40
[   18.459322]  kasan_save_alloc_info+0x3b/0x50
[   18.460206]  __kasan_kmalloc+0xb7/0xc0
[   18.462127]  __kmalloc_cache_noprof+0x168/0x350
[   18.462754]  ksize_uaf+0xab/0x6c0
[   18.463136]  kunit_try_run_case+0x1a6/0x480
[   18.463575]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.464644]  kthread+0x257/0x310
[   18.464937]  ret_from_fork+0x41/0x80
[   18.465449]  ret_from_fork_asm+0x1a/0x30
[   18.465867] 
[   18.466130] Freed by task 201:
[   18.466513]  kasan_save_stack+0x45/0x70
[   18.467046]  kasan_save_track+0x18/0x40
[   18.467951]  kasan_save_free_info+0x3f/0x60
[   18.468455]  __kasan_slab_free+0x56/0x70
[   18.468844]  kfree+0x123/0x3d0
[   18.469405]  ksize_uaf+0x12d/0x6c0
[   18.469811]  kunit_try_run_case+0x1a6/0x480
[   18.470468]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.471249]  kthread+0x257/0x310
[   18.472033]  ret_from_fork+0x41/0x80
[   18.472618]  ret_from_fork_asm+0x1a/0x30
[   18.473044] 
[   18.473395] The buggy address belongs to the object at ffff888102925800
[   18.473395]  which belongs to the cache kmalloc-128 of size 128
[   18.474277] The buggy address is located 0 bytes inside of
[   18.474277]  freed 128-byte region [ffff888102925800, ffff888102925880)
[   18.475904] 
[   18.476117] The buggy address belongs to the physical page:
[   18.476966] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102925
[   18.477822] flags: 0x200000000000000(node=0|zone=2)
[   18.478328] page_type: f5(slab)
[   18.479003] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   18.479686] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   18.480150] page dumped because: kasan: bad access detected
[   18.480979] 
[   18.481477] Memory state around the buggy address:
[   18.482382]  ffff888102925700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[   18.483169]  ffff888102925780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.484005] >ffff888102925800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.484696]                    ^
[   18.485277]  ffff888102925880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.486676]  ffff888102925900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.487197] ==================================================================
[   18.539988] ==================================================================
[   18.540599] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e6/0x6c0
[   18.541233] Read of size 1 at addr ffff888102925878 by task kunit_try_catch/201
[   18.542021] 
[   18.542308] CPU: 0 UID: 0 PID: 201 Comm: kunit_try_catch Tainted: G    B            N 6.12.33-rc1 #1
[   18.542421] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.542854] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   18.542917] Call Trace:
[   18.542967]  <TASK>
[   18.543017]  dump_stack_lvl+0x73/0xb0
[   18.543099]  print_report+0xd1/0x640
[   18.543177]  ? __virt_addr_valid+0x1db/0x2d0
[   18.543294]  ? ksize_uaf+0x5e6/0x6c0
[   18.543364]  ? kasan_complete_mode_report_info+0x64/0x200
[   18.543437]  ? ksize_uaf+0x5e6/0x6c0
[   18.543502]  kasan_report+0x140/0x180
[   18.543580]  ? ksize_uaf+0x5e6/0x6c0
[   18.543655]  __asan_report_load1_noabort+0x18/0x20
[   18.543726]  ksize_uaf+0x5e6/0x6c0
[   18.543791]  ? __pfx_ksize_uaf+0x10/0x10
[   18.543874]  ? __schedule+0xc49/0x27a0
[   18.543947]  ? __pfx_read_tsc+0x10/0x10
[   18.543984]  ? ktime_get_ts64+0x84/0x230
[   18.544023]  kunit_try_run_case+0x1a6/0x480
[   18.544057]  ? __pfx_kunit_try_run_case+0x10/0x10
[   18.544087]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   18.544115]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   18.544150]  ? __kthread_parkme+0x82/0x160
[   18.544177]  ? preempt_count_sub+0x50/0x80
[   18.544208]  ? __pfx_kunit_try_run_case+0x10/0x10
[   18.544265]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   18.544303]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.544340]  kthread+0x257/0x310
[   18.544366]  ? __pfx_kthread+0x10/0x10
[   18.544392]  ret_from_fork+0x41/0x80
[   18.544422]  ? __pfx_kthread+0x10/0x10
[   18.544464]  ret_from_fork_asm+0x1a/0x30
[   18.544584]  </TASK>
[   18.544601] 
[   18.561497] Allocated by task 201:
[   18.562345]  kasan_save_stack+0x45/0x70
[   18.563287]  kasan_save_track+0x18/0x40
[   18.563971]  kasan_save_alloc_info+0x3b/0x50
[   18.564652]  __kasan_kmalloc+0xb7/0xc0
[   18.565183]  __kmalloc_cache_noprof+0x168/0x350
[   18.565879]  ksize_uaf+0xab/0x6c0
[   18.566354]  kunit_try_run_case+0x1a6/0x480
[   18.566853]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.567738]  kthread+0x257/0x310
[   18.568492]  ret_from_fork+0x41/0x80
[   18.569249]  ret_from_fork_asm+0x1a/0x30
[   18.569784] 
[   18.570034] Freed by task 201:
[   18.570463]  kasan_save_stack+0x45/0x70
[   18.571096]  kasan_save_track+0x18/0x40
[   18.571953]  kasan_save_free_info+0x3f/0x60
[   18.572559]  __kasan_slab_free+0x56/0x70
[   18.573161]  kfree+0x123/0x3d0
[   18.573633]  ksize_uaf+0x12d/0x6c0
[   18.574173]  kunit_try_run_case+0x1a6/0x480
[   18.574980]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.575831]  kthread+0x257/0x310
[   18.576256]  ret_from_fork+0x41/0x80
[   18.577020]  ret_from_fork_asm+0x1a/0x30
[   18.577402] 
[   18.578195] The buggy address belongs to the object at ffff888102925800
[   18.578195]  which belongs to the cache kmalloc-128 of size 128
[   18.578902] The buggy address is located 120 bytes inside of
[   18.578902]  freed 128-byte region [ffff888102925800, ffff888102925880)
[   18.579317] 
[   18.579407] The buggy address belongs to the physical page:
[   18.580499] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102925
[   18.581317] flags: 0x200000000000000(node=0|zone=2)
[   18.581988] page_type: f5(slab)
[   18.582246] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   18.583230] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   18.584437] page dumped because: kasan: bad access detected
[   18.585003] 
[   18.585629] Memory state around the buggy address:
[   18.586459]  ffff888102925700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[   18.586986]  ffff888102925780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.587523] >ffff888102925800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.588022]                                                                 ^
[   18.589135]  ffff888102925880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.589911]  ffff888102925900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.590685] ==================================================================
[   18.488811] ==================================================================
[   18.491201] BUG: KASAN: slab-use-after-free in ksize_uaf+0x600/0x6c0
[   18.492079] Read of size 1 at addr ffff888102925800 by task kunit_try_catch/201
[   18.493312] 
[   18.493640] CPU: 0 UID: 0 PID: 201 Comm: kunit_try_catch Tainted: G    B            N 6.12.33-rc1 #1
[   18.493781] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.493801] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   18.493853] Call Trace:
[   18.493883]  <TASK>
[   18.493929]  dump_stack_lvl+0x73/0xb0
[   18.493975]  print_report+0xd1/0x640
[   18.494011]  ? __virt_addr_valid+0x1db/0x2d0
[   18.494045]  ? ksize_uaf+0x600/0x6c0
[   18.494069]  ? kasan_complete_mode_report_info+0x64/0x200
[   18.494102]  ? ksize_uaf+0x600/0x6c0
[   18.494126]  kasan_report+0x140/0x180
[   18.494160]  ? ksize_uaf+0x600/0x6c0
[   18.494192]  __asan_report_load1_noabort+0x18/0x20
[   18.494255]  ksize_uaf+0x600/0x6c0
[   18.494324]  ? __pfx_ksize_uaf+0x10/0x10
[   18.494392]  ? __schedule+0xc49/0x27a0
[   18.494465]  ? __pfx_read_tsc+0x10/0x10
[   18.494533]  ? ktime_get_ts64+0x84/0x230
[   18.494638]  kunit_try_run_case+0x1a6/0x480
[   18.494717]  ? __pfx_kunit_try_run_case+0x10/0x10
[   18.494750]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   18.494780]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   18.494821]  ? __kthread_parkme+0x82/0x160
[   18.494878]  ? preempt_count_sub+0x50/0x80
[   18.494910]  ? __pfx_kunit_try_run_case+0x10/0x10
[   18.494938]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   18.494975]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.495011]  kthread+0x257/0x310
[   18.495038]  ? __pfx_kthread+0x10/0x10
[   18.495064]  ret_from_fork+0x41/0x80
[   18.495093]  ? __pfx_kthread+0x10/0x10
[   18.495118]  ret_from_fork_asm+0x1a/0x30
[   18.495159]  </TASK>
[   18.495174] 
[   18.511956] Allocated by task 201:
[   18.512398]  kasan_save_stack+0x45/0x70
[   18.513019]  kasan_save_track+0x18/0x40
[   18.513389]  kasan_save_alloc_info+0x3b/0x50
[   18.514265]  __kasan_kmalloc+0xb7/0xc0
[   18.514880]  __kmalloc_cache_noprof+0x168/0x350
[   18.515392]  ksize_uaf+0xab/0x6c0
[   18.515874]  kunit_try_run_case+0x1a6/0x480
[   18.516361]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.517086]  kthread+0x257/0x310
[   18.517389]  ret_from_fork+0x41/0x80
[   18.518149]  ret_from_fork_asm+0x1a/0x30
[   18.518790] 
[   18.519055] Freed by task 201:
[   18.519592]  kasan_save_stack+0x45/0x70
[   18.520031]  kasan_save_track+0x18/0x40
[   18.520425]  kasan_save_free_info+0x3f/0x60
[   18.520991]  __kasan_slab_free+0x56/0x70
[   18.521381]  kfree+0x123/0x3d0
[   18.521749]  ksize_uaf+0x12d/0x6c0
[   18.522114]  kunit_try_run_case+0x1a6/0x480
[   18.522522]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.523706]  kthread+0x257/0x310
[   18.524112]  ret_from_fork+0x41/0x80
[   18.524637]  ret_from_fork_asm+0x1a/0x30
[   18.525097] 
[   18.525315] The buggy address belongs to the object at ffff888102925800
[   18.525315]  which belongs to the cache kmalloc-128 of size 128
[   18.526847] The buggy address is located 0 bytes inside of
[   18.526847]  freed 128-byte region [ffff888102925800, ffff888102925880)
[   18.527928] 
[   18.528175] The buggy address belongs to the physical page:
[   18.528627] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102925
[   18.529347] flags: 0x200000000000000(node=0|zone=2)
[   18.530008] page_type: f5(slab)
[   18.530314] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   18.531599] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
[   18.532184] page dumped because: kasan: bad access detected
[   18.532796] 
[   18.533042] Memory state around the buggy address:
[   18.533601]  ffff888102925700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[   18.534293]  ffff888102925780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.535608] >ffff888102925800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.536236]                    ^
[   18.536691]  ffff888102925880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.537301]  ffff888102925900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.538018] ==================================================================