Date
June 7, 2025, 10:40 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

[ 23.426807] ==================================================================
[ 23.427850] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x600
[ 23.428670] Read of size 1 at addr fff00000c6331c00 by task kunit_try_catch/185
[ 23.429512]
[ 23.430259] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.14.11-rc1 #1
[ 23.430451] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.430525] Hardware name: linux,dummy-virt (DT)
[ 23.430610] Call trace:
[ 23.430664] show_stack+0x20/0x38 (C)
[ 23.430779] dump_stack_lvl+0x8c/0xd0
[ 23.430932] print_report+0x118/0x608
[ 23.431069] kasan_report+0xdc/0x128
[ 23.431198] __kasan_check_byte+0x54/0x70
[ 23.431270] ksize+0x30/0x88
[ 23.431326] ksize_uaf+0x168/0x600
[ 23.431379] kunit_try_run_case+0x170/0x3f0
[ 23.431436] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.431501] kthread+0x318/0x620
[ 23.431554] ret_from_fork+0x10/0x20
[ 23.431613]
[ 23.439581] Allocated by task 185:
[ 23.440726] kasan_save_stack+0x3c/0x68
[ 23.441784] kasan_save_track+0x20/0x40
[ 23.442339] kasan_save_alloc_info+0x40/0x58
[ 23.443070] __kasan_kmalloc+0xd4/0xd8
[ 23.443812] __kmalloc_cache_noprof+0x16c/0x3c0
[ 23.444486] ksize_uaf+0xb8/0x600
[ 23.445004] kunit_try_run_case+0x170/0x3f0
[ 23.446620] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.447275] kthread+0x318/0x620
[ 23.447829] ret_from_fork+0x10/0x20
[ 23.448341]
[ 23.448705] Freed by task 185:
[ 23.449386] kasan_save_stack+0x3c/0x68
[ 23.449931] kasan_save_track+0x20/0x40
[ 23.450609] kasan_save_free_info+0x4c/0x78
[ 23.451210] __kasan_slab_free+0x6c/0x98
[ 23.451781] kfree+0x214/0x3c8
[ 23.452293] ksize_uaf+0x11c/0x600
[ 23.452810] kunit_try_run_case+0x170/0x3f0
[ 23.453546] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.454722] kthread+0x318/0x620
[ 23.455335] ret_from_fork+0x10/0x20
[ 23.455796]
[ 23.456097] The buggy address belongs to the object at fff00000c6331c00
[ 23.456097] which belongs to the cache kmalloc-128 of size 128
[ 23.457724] The buggy address is located 0 bytes inside of
[ 23.457724] freed 128-byte region [fff00000c6331c00, fff00000c6331c80)
[ 23.458807]
[ 23.459805] The buggy address belongs to the physical page:
[ 23.460271] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106331
[ 23.461165] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 23.461770] page_type: f5(slab)
[ 23.462193] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 23.462781] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.463402] page dumped because: kasan: bad access detected
[ 23.465121]
[ 23.465451] Memory state around the buggy address:
[ 23.466098] fff00000c6331b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.466690] fff00000c6331b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.468427] >fff00000c6331c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.469429] ^
[ 23.470824] fff00000c6331c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.471587] fff00000c6331d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.472317] ==================================================================

[ 23.518196] ==================================================================
[ 23.519035] BUG: KASAN: slab-use-after-free in ksize_uaf+0x548/0x600
[ 23.519827] Read of size 1 at addr fff00000c6331c78 by task kunit_try_catch/185
[ 23.520742]
[ 23.521673] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.14.11-rc1 #1
[ 23.521947] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.522028] Hardware name: linux,dummy-virt (DT)
[ 23.522115] Call trace:
[ 23.522185] show_stack+0x20/0x38 (C)
[ 23.522274] dump_stack_lvl+0x8c/0xd0
[ 23.522341] print_report+0x118/0x608
[ 23.522402] kasan_report+0xdc/0x128
[ 23.522459] __asan_report_load1_noabort+0x20/0x30
[ 23.522518] ksize_uaf+0x548/0x600
[ 23.522569] kunit_try_run_case+0x170/0x3f0
[ 23.522624] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.522687] kthread+0x318/0x620
[ 23.522741] ret_from_fork+0x10/0x20
[ 23.522800]
[ 23.529490] Allocated by task 185:
[ 23.530220] kasan_save_stack+0x3c/0x68
[ 23.530832] kasan_save_track+0x20/0x40
[ 23.531307] kasan_save_alloc_info+0x40/0x58
[ 23.531945] __kasan_kmalloc+0xd4/0xd8
[ 23.532490] __kmalloc_cache_noprof+0x16c/0x3c0
[ 23.533094] ksize_uaf+0xb8/0x600
[ 23.534536] kunit_try_run_case+0x170/0x3f0
[ 23.535357] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.535998] kthread+0x318/0x620
[ 23.536573] ret_from_fork+0x10/0x20
[ 23.537450]
[ 23.537810] Freed by task 185:
[ 23.538185] kasan_save_stack+0x3c/0x68
[ 23.538592] kasan_save_track+0x20/0x40
[ 23.539583] kasan_save_free_info+0x4c/0x78
[ 23.540147] __kasan_slab_free+0x6c/0x98
[ 23.540633] kfree+0x214/0x3c8
[ 23.541800] ksize_uaf+0x11c/0x600
[ 23.542297] kunit_try_run_case+0x170/0x3f0
[ 23.542823] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.543491] kthread+0x318/0x620
[ 23.544053] ret_from_fork+0x10/0x20
[ 23.544714]
[ 23.544975] The buggy address belongs to the object at fff00000c6331c00
[ 23.544975] which belongs to the cache kmalloc-128 of size 128
[ 23.546474] The buggy address is located 120 bytes inside of
[ 23.546474] freed 128-byte region [fff00000c6331c00, fff00000c6331c80)
[ 23.547614]
[ 23.547944] The buggy address belongs to the physical page:
[ 23.548583] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106331
[ 23.549405] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 23.550571] page_type: f5(slab)
[ 23.551447] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 23.552230] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.553007] page dumped because: kasan: bad access detected
[ 23.553844]
[ 23.554152] Memory state around the buggy address:
[ 23.554673] fff00000c6331b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.555410] fff00000c6331b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.556193] >fff00000c6331c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.556915] ^
[ 23.558305] fff00000c6331c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.559039] fff00000c6331d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.559731] ==================================================================

[ 23.474200] ==================================================================
[ 23.475063] BUG: KASAN: slab-use-after-free in ksize_uaf+0x59c/0x600
[ 23.475596] Read of size 1 at addr fff00000c6331c00 by task kunit_try_catch/185
[ 23.476240]
[ 23.476581] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.14.11-rc1 #1
[ 23.476766] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.476837] Hardware name: linux,dummy-virt (DT)
[ 23.476961] Call trace:
[ 23.477116] show_stack+0x20/0x38 (C)
[ 23.477265] dump_stack_lvl+0x8c/0xd0
[ 23.477424] print_report+0x118/0x608
[ 23.477591] kasan_report+0xdc/0x128
[ 23.477726] __asan_report_load1_noabort+0x20/0x30
[ 23.477866] ksize_uaf+0x59c/0x600
[ 23.478005] kunit_try_run_case+0x170/0x3f0
[ 23.478195] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.478396] kthread+0x318/0x620
[ 23.478559] ret_from_fork+0x10/0x20
[ 23.478686]
[ 23.484933] Allocated by task 185:
[ 23.485516] kasan_save_stack+0x3c/0x68
[ 23.486074] kasan_save_track+0x20/0x40
[ 23.486465] kasan_save_alloc_info+0x40/0x58
[ 23.487877] __kasan_kmalloc+0xd4/0xd8
[ 23.488550] __kmalloc_cache_noprof+0x16c/0x3c0
[ 23.489046] ksize_uaf+0xb8/0x600
[ 23.489909] kunit_try_run_case+0x170/0x3f0
[ 23.490412] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.491116] kthread+0x318/0x620
[ 23.491655] ret_from_fork+0x10/0x20
[ 23.492235]
[ 23.492589] Freed by task 185:
[ 23.493094] kasan_save_stack+0x3c/0x68
[ 23.493733] kasan_save_track+0x20/0x40
[ 23.494271] kasan_save_free_info+0x4c/0x78
[ 23.494817] __kasan_slab_free+0x6c/0x98
[ 23.495306] kfree+0x214/0x3c8
[ 23.495858] ksize_uaf+0x11c/0x600
[ 23.496332] kunit_try_run_case+0x170/0x3f0
[ 23.497075] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.497691] kthread+0x318/0x620
[ 23.498502] ret_from_fork+0x10/0x20
[ 23.499252]
[ 23.499613] The buggy address belongs to the object at fff00000c6331c00
[ 23.499613] which belongs to the cache kmalloc-128 of size 128
[ 23.500755] The buggy address is located 0 bytes inside of
[ 23.500755] freed 128-byte region [fff00000c6331c00, fff00000c6331c80)
[ 23.502979]
[ 23.503219] The buggy address belongs to the physical page:
[ 23.503652] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106331
[ 23.504467] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 23.505690] page_type: f5(slab)
[ 23.506591] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 23.507792] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 23.508867] page dumped because: kasan: bad access detected
[ 23.510351]
[ 23.510647] Memory state around the buggy address:
[ 23.511128] fff00000c6331b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.511786] fff00000c6331b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.512610] >fff00000c6331c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 23.513595] ^
[ 23.514192] fff00000c6331c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.514767] fff00000c6331d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.515509] ==================================================================
qemu-x86_64:

[ 18.370990] ==================================================================
[ 18.371547] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e6/0x6c0
[ 18.372149] Read of size 1 at addr ffff8881024bff78 by task kunit_try_catch/204
[ 18.372636]
[ 18.373421] CPU: 0 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.14.11-rc1 #1
[ 18.373539] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.373569] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 18.373619] Call Trace:
[ 18.373655] <TASK>
[ 18.373698] dump_stack_lvl+0x73/0xb0
[ 18.373782] print_report+0xd1/0x650
[ 18.373841] ? __virt_addr_valid+0x1db/0x2d0
[ 18.373913] ? ksize_uaf+0x5e6/0x6c0
[ 18.373957] ? kasan_complete_mode_report_info+0x64/0x200
[ 18.374017] ? ksize_uaf+0x5e6/0x6c0
[ 18.374066] kasan_report+0x140/0x180
[ 18.374144] ? ksize_uaf+0x5e6/0x6c0
[ 18.374206] __asan_report_load1_noabort+0x18/0x20
[ 18.374278] ksize_uaf+0x5e6/0x6c0
[ 18.374325] ? __pfx_ksize_uaf+0x10/0x10
[ 18.374374] ? __pfx_ksize_uaf+0x10/0x10
[ 18.374429] kunit_try_run_case+0x1a6/0x480
[ 18.374492] ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.374546] ? _raw_spin_lock_irqsave+0xa2/0x110
[ 18.374608] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 18.374644] ? __kthread_parkme+0x82/0x160
[ 18.374675] ? preempt_count_sub+0x50/0x80
[ 18.374706] ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.374735] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.374768] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 18.374799] kthread+0x324/0x6e0
[ 18.374826] ? trace_preempt_on+0x20/0xc0
[ 18.374855] ? __pfx_kthread+0x10/0x10
[ 18.374907] ? _raw_spin_unlock_irq+0x47/0x80
[ 18.374936] ? calculate_sigpending+0x7b/0xa0
[ 18.374964] ? __pfx_kthread+0x10/0x10
[ 18.374992] ret_from_fork+0x41/0x80
[ 18.375017] ? __pfx_kthread+0x10/0x10
[ 18.375044] ret_from_fork_asm+0x1a/0x30
[ 18.375084] </TASK>
[ 18.375098]
[ 18.386216] Allocated by task 204:
[ 18.386793] kasan_save_stack+0x45/0x70
[ 18.387258] kasan_save_track+0x18/0x40
[ 18.387773] kasan_save_alloc_info+0x3b/0x50
[ 18.388282] __kasan_kmalloc+0xb7/0xc0
[ 18.388649] __kmalloc_cache_noprof+0x18a/0x420
[ 18.388937] ksize_uaf+0xab/0x6c0
[ 18.389405] kunit_try_run_case+0x1a6/0x480
[ 18.389896] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.390407] kthread+0x324/0x6e0
[ 18.390741] ret_from_fork+0x41/0x80
[ 18.391032] ret_from_fork_asm+0x1a/0x30
[ 18.391480]
[ 18.391628] Freed by task 204:
[ 18.391839] kasan_save_stack+0x45/0x70
[ 18.392247] kasan_save_track+0x18/0x40
[ 18.392742] kasan_save_free_info+0x3f/0x60
[ 18.393242] __kasan_slab_free+0x56/0x70
[ 18.393719] kfree+0x224/0x3f0
[ 18.394120] ksize_uaf+0x12d/0x6c0
[ 18.394480] kunit_try_run_case+0x1a6/0x480
[ 18.394987] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.395404] kthread+0x324/0x6e0
[ 18.395845] ret_from_fork+0x41/0x80
[ 18.396162] ret_from_fork_asm+0x1a/0x30
[ 18.396615]
[ 18.396762] The buggy address belongs to the object at ffff8881024bff00
[ 18.396762] which belongs to the cache kmalloc-128 of size 128
[ 18.397298] The buggy address is located 120 bytes inside of
[ 18.397298] freed 128-byte region [ffff8881024bff00, ffff8881024bff80)
[ 18.397796]
[ 18.398001] The buggy address belongs to the physical page:
[ 18.398482] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024bf
[ 18.399167] flags: 0x200000000000000(node=0|zone=2)
[ 18.400124] page_type: f5(slab)
[ 18.400810] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 18.401997] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.402347] page dumped because: kasan: bad access detected
[ 18.402613]
[ 18.402747] Memory state around the buggy address:
[ 18.402987] ffff8881024bfe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.403162] ffff8881024bfe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.403352] >ffff8881024bff00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.403969] ^
[ 18.405271] ffff8881024bff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.405925] ffff8881024c0000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 18.406668] ==================================================================

[ 18.328655] ==================================================================
[ 18.329216] BUG: KASAN: slab-use-after-free in ksize_uaf+0x600/0x6c0
[ 18.329850] Read of size 1 at addr ffff8881024bff00 by task kunit_try_catch/204
[ 18.330197]
[ 18.330433] CPU: 0 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.14.11-rc1 #1
[ 18.330540] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.330571] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 18.330614] Call Trace:
[ 18.330652] <TASK>
[ 18.330687] dump_stack_lvl+0x73/0xb0
[ 18.330754] print_report+0xd1/0x650
[ 18.330796] ? __virt_addr_valid+0x1db/0x2d0
[ 18.330839] ? ksize_uaf+0x600/0x6c0
[ 18.330892] ? kasan_complete_mode_report_info+0x64/0x200
[ 18.330944] ? ksize_uaf+0x600/0x6c0
[ 18.330987] kasan_report+0x140/0x180
[ 18.331029] ? ksize_uaf+0x600/0x6c0
[ 18.331080] __asan_report_load1_noabort+0x18/0x20
[ 18.331136] ksize_uaf+0x600/0x6c0
[ 18.331183] ? __pfx_ksize_uaf+0x10/0x10
[ 18.331232] ? __pfx_ksize_uaf+0x10/0x10
[ 18.331282] kunit_try_run_case+0x1a6/0x480
[ 18.331376] ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.331455] ? _raw_spin_lock_irqsave+0xa2/0x110
[ 18.331523] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 18.331584] ? __kthread_parkme+0x82/0x160
[ 18.331643] ? preempt_count_sub+0x50/0x80
[ 18.331713] ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.331772] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.331831] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 18.331908] kthread+0x324/0x6e0
[ 18.331957] ? trace_preempt_on+0x20/0xc0
[ 18.332009] ? __pfx_kthread+0x10/0x10
[ 18.332053] ? _raw_spin_unlock_irq+0x47/0x80
[ 18.332097] ? calculate_sigpending+0x7b/0xa0
[ 18.332136] ? __pfx_kthread+0x10/0x10
[ 18.332179] ret_from_fork+0x41/0x80
[ 18.332219] ? __pfx_kthread+0x10/0x10
[ 18.332267] ret_from_fork_asm+0x1a/0x30
[ 18.332376] </TASK>
[ 18.332404]
[ 18.342329] Allocated by task 204:
[ 18.342762] kasan_save_stack+0x45/0x70
[ 18.343206] kasan_save_track+0x18/0x40
[ 18.343619] kasan_save_alloc_info+0x3b/0x50
[ 18.343987] __kasan_kmalloc+0xb7/0xc0
[ 18.344390] __kmalloc_cache_noprof+0x18a/0x420
[ 18.344853] ksize_uaf+0xab/0x6c0
[ 18.345099] kunit_try_run_case+0x1a6/0x480
[ 18.345521] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.346018] kthread+0x324/0x6e0
[ 18.346277] ret_from_fork+0x41/0x80
[ 18.346598] ret_from_fork_asm+0x1a/0x30
[ 18.347007]
[ 18.347167] Freed by task 204:
[ 18.347538] kasan_save_stack+0x45/0x70
[ 18.347795] kasan_save_track+0x18/0x40
[ 18.348200] kasan_save_free_info+0x3f/0x60
[ 18.348658] __kasan_slab_free+0x56/0x70
[ 18.349036] kfree+0x224/0x3f0
[ 18.349324] ksize_uaf+0x12d/0x6c0
[ 18.349597] kunit_try_run_case+0x1a6/0x480
[ 18.349959] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.350257] kthread+0x324/0x6e0
[ 18.350521] ret_from_fork+0x41/0x80
[ 18.350743] ret_from_fork_asm+0x1a/0x30
[ 18.351113]
[ 18.351367] The buggy address belongs to the object at ffff8881024bff00
[ 18.351367] which belongs to the cache kmalloc-128 of size 128
[ 18.352622] The buggy address is located 0 bytes inside of
[ 18.352622] freed 128-byte region [ffff8881024bff00, ffff8881024bff80)
[ 18.354955]
[ 18.355186] The buggy address belongs to the physical page:
[ 18.356105] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024bf
[ 18.357194] flags: 0x200000000000000(node=0|zone=2)
[ 18.359595] page_type: f5(slab)
[ 18.360219] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 18.360844] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.361278] page dumped because: kasan: bad access detected
[ 18.361602]
[ 18.362988] Memory state around the buggy address:
[ 18.363883] ffff8881024bfe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.365394] ffff8881024bfe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.366107] >ffff8881024bff00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.366802] ^
[ 18.367036] ffff8881024bff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.368403] ffff8881024c0000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 18.369170] ==================================================================

[ 18.284933] ==================================================================
[ 18.285611] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19e/0x6c0
[ 18.286677] Read of size 1 at addr ffff8881024bff00 by task kunit_try_catch/204
[ 18.287241]
[ 18.288053] CPU: 0 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.14.11-rc1 #1
[ 18.288152] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.288183] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 18.288233] Call Trace:
[ 18.288570] <TASK>
[ 18.288628] dump_stack_lvl+0x73/0xb0
[ 18.288706] print_report+0xd1/0x650
[ 18.288749] ? __virt_addr_valid+0x1db/0x2d0
[ 18.288795] ? ksize_uaf+0x19e/0x6c0
[ 18.288833] ? kasan_complete_mode_report_info+0x64/0x200
[ 18.288900] ? ksize_uaf+0x19e/0x6c0
[ 18.288940] kasan_report+0x140/0x180
[ 18.288988] ? ksize_uaf+0x19e/0x6c0
[ 18.289042] ? ksize_uaf+0x19e/0x6c0
[ 18.289124] __kasan_check_byte+0x3d/0x50
[ 18.289177] ksize+0x20/0x60
[ 18.289223] ksize_uaf+0x19e/0x6c0
[ 18.289270] ? __pfx_ksize_uaf+0x10/0x10
[ 18.289324] ? __pfx_ksize_uaf+0x10/0x10
[ 18.289374] kunit_try_run_case+0x1a6/0x480
[ 18.289434] ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.289481] ? _raw_spin_lock_irqsave+0xa2/0x110
[ 18.289534] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 18.289577] ? __kthread_parkme+0x82/0x160
[ 18.289619] ? preempt_count_sub+0x50/0x80
[ 18.289667] ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.289698] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.289732] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 18.289764] kthread+0x324/0x6e0
[ 18.289792] ? trace_preempt_on+0x20/0xc0
[ 18.289823] ? __pfx_kthread+0x10/0x10
[ 18.289851] ? _raw_spin_unlock_irq+0x47/0x80
[ 18.289903] ? calculate_sigpending+0x7b/0xa0
[ 18.289931] ? __pfx_kthread+0x10/0x10
[ 18.289959] ret_from_fork+0x41/0x80
[ 18.289985] ? __pfx_kthread+0x10/0x10
[ 18.290013] ret_from_fork_asm+0x1a/0x30
[ 18.290053] </TASK>
[ 18.290069]
[ 18.305774] Allocated by task 204:
[ 18.306217] kasan_save_stack+0x45/0x70
[ 18.307352] kasan_save_track+0x18/0x40
[ 18.308075] kasan_save_alloc_info+0x3b/0x50
[ 18.308785] __kasan_kmalloc+0xb7/0xc0
[ 18.309172] __kmalloc_cache_noprof+0x18a/0x420
[ 18.309669] ksize_uaf+0xab/0x6c0
[ 18.310024] kunit_try_run_case+0x1a6/0x480
[ 18.310382] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.310807] kthread+0x324/0x6e0
[ 18.311079] ret_from_fork+0x41/0x80
[ 18.311259] ret_from_fork_asm+0x1a/0x30
[ 18.311532]
[ 18.311740] Freed by task 204:
[ 18.312257] kasan_save_stack+0x45/0x70
[ 18.312661] kasan_save_track+0x18/0x40
[ 18.313057] kasan_save_free_info+0x3f/0x60
[ 18.313387] __kasan_slab_free+0x56/0x70
[ 18.313683] kfree+0x224/0x3f0
[ 18.314027] ksize_uaf+0x12d/0x6c0
[ 18.314525] kunit_try_run_case+0x1a6/0x480
[ 18.314823] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.315156] kthread+0x324/0x6e0
[ 18.315499] ret_from_fork+0x41/0x80
[ 18.315814] ret_from_fork_asm+0x1a/0x30
[ 18.316079]
[ 18.316227] The buggy address belongs to the object at ffff8881024bff00
[ 18.316227] which belongs to the cache kmalloc-128 of size 128
[ 18.316955] The buggy address is located 0 bytes inside of
[ 18.316955] freed 128-byte region [ffff8881024bff00, ffff8881024bff80)
[ 18.317988]
[ 18.318130] The buggy address belongs to the physical page:
[ 18.318445] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024bf
[ 18.318815] flags: 0x200000000000000(node=0|zone=2)
[ 18.319260] page_type: f5(slab)
[ 18.319614] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 18.320225] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.320824] page dumped because: kasan: bad access detected
[ 18.321127]
[ 18.321265] Memory state around the buggy address:
[ 18.322699] ffff8881024bfe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.323333] ffff8881024bfe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.324728] >ffff8881024bff00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.325905] ^
[ 18.326727] ffff8881024bff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.327293] ffff8881024c0000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 18.327609] ==================================================================
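How to read the reports above. Each environment produces three KASAN reports from one KUnit case: the `Allocated by` and `Freed by` stacks of every report end in the same `ksize_uaf` frames, the task is `kunit_try_catch`, and the kernel is tainted `[N]=TEST`. `ksize_uaf` is a case of the KASAN KUnit self-test that frees a kmalloc-128 object and then deliberately touches it, so these are the reports the test expects KASAN to produce, not a regression to triage. The first touch is `ksize()` on the freed pointer: that report's stack shows `__kasan_check_byte` under `ksize` instead of a compiler-inserted `__asan_report_load1_noabort`, because `ksize()` validates the first byte of the object through `kasan_check_byte()` before returning a size. The two other reads hit offsets 0 and 120 of the freed 128-byte region, and the memory-state dump explains the classification: the freed object's first 8-byte granule carries the shadow value `fa` (free-track metadata), the remaining fifteen carry `fb`, and the `fc` beyond it is slab redzone. Note that after `kfree()` the whole 128-byte object is poisoned, not just the originally requested size, which is why a read at offset 120 is reported as use-after-free rather than out-of-bounds.

The following program is an added example, not part of the KernelCI log above and not kernel code. It parses a memory-state block in the format shown (the sample embedded in it is the block from the second qemu-arm64 report), looks up the shadow byte that guards a given address, derives the bug type the way the generic-mode reporter does (including the partial-granule rule, where a shadow value 1..7 sends the classifier to the next granule), and rebuilds the `freed N-byte region [start, end)` line from the shadow bytes alone. The shadow constants are the generic-mode values from `mm/kasan/kasan.h`; the function and type names are this example's own.

```c
/* Added example, not from the log above and not kernel code: decode the "Memory state
 * around the buggy address" block of a generic-mode KASAN report and rederive the bug
 * type and the "freed N-byte region" line from the shadow bytes alone. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define GRANULE 8u                 /* generic KASAN: one shadow byte guards 8 bytes */
#define KASAN_SLAB_FREE_META 0xFA  /* mm/kasan/kasan.h: first granule of a freed object */
#define KASAN_SLAB_FREE      0xFB  /* remaining granules of a freed object */
#define KASAN_SLAB_REDZONE   0xFC  /* redzone between / after slab objects */

struct shadow_dump {
    uint64_t base;                 /* memory address guarded by shadow[0] */
    uint8_t shadow[512];
    size_t n;                      /* shadow bytes parsed; each dumped line carries 16 */
};
static int is_free(int sh) { return sh == KASAN_SLAB_FREE || sh == KASAN_SLAB_FREE_META; }

/* Parse dmesg lines like "[ 23.556193] >fff00000c6331c00: fa fb ... fb". '>' marks the
 * faulting line; the "^" line and anything not shaped "<hexaddr>: ..." is skipped.
 * Returns 0 on success, -1 on a malformed or non-contiguous dump. */
static int parse_shadow_dump(const char *text, struct shadow_dump *d)
{
    memset(d, 0, sizeof *d);
    for (const char *p = text; *p;) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256], *s = line, *end;
        if (len >= sizeof line) return -1;
        memcpy(line, p, len); line[len] = '\0';
        p += len + (eol != NULL);
        if (*s == '[' && (end = strchr(s, ']')) != NULL) s = end + 1;   /* drop "[ ts]" */
        while (*s == ' ' || *s == '>') s++;
        char *colon = strchr(s, ':');
        if (!colon) continue;
        *colon = '\0';
        uint64_t addr = strtoull(s, &end, 16);
        if (end == s || *end != '\0') continue;                /* not an "<addr>:" line */
        if (d->n == 0) d->base = addr;
        else if (addr != d->base + d->n * GRANULE) return -1;   /* gap in the dump */
        for (char *tok = strtok(colon + 1, " "); tok; tok = strtok(NULL, " ")) {
            unsigned long v = strtoul(tok, &end, 16);
            if (*end || v > 0xFF || d->n >= sizeof d->shadow) return -1;
            d->shadow[d->n++] = (uint8_t)v;
        }
    }
    return d->n ? 0 : -1;
}

/* Shadow byte guarding addr, or -1 when addr lies outside the dumped window. */
static int shadow_at(const struct shadow_dump *d, uint64_t addr)
{
    if (addr < d->base || (addr - d->base) / GRANULE >= d->n) return -1;
    return d->shadow[(addr - d->base) / GRANULE];
}

/* Bug type as the generic reporter derives it from the shadow byte at the bad address.
 * 1..7 means only the first N bytes of the granule are valid; an access past them is
 * classified by the next shadow byte (the redzone, for a slab object). */
static const char *classify(const struct shadow_dump *d, uint64_t addr)
{
    int sh = shadow_at(d, addr);
    if (sh < 0) return "outside-dump";
    if (sh == 0) return "accessible";
    if (sh < (int)GRANULE) {
        if (addr % GRANULE < (unsigned)sh) return "accessible";
        sh = shadow_at(d, addr + GRANULE);
        if (sh < (int)GRANULE) return sh < 0 ? "outside-dump" : "out-of-bounds";
    }
    switch (sh) {
    case KASAN_SLAB_REDZONE:   return "slab-out-of-bounds";
    case KASAN_SLAB_FREE:
    case KASAN_SLAB_FREE_META: return "slab-use-after-free";
    default:                   return "unknown-crash";
    }
}

/* Rebuild "freed N-byte region [start, start+N)" from the shadow: walk back to the
 * object's 0xfa granule (or the first freed granule after a non-free byte), then
 * forward over 0xfb granules. Returns 0 when addr is not inside a freed object. */
static size_t freed_region(const struct shadow_dump *d, uint64_t addr, uint64_t *start)
{
    if (!is_free(shadow_at(d, addr))) return 0;
    size_t lo = (addr - d->base) / GRANULE, hi = lo;
    while (lo > 0 && d->shadow[lo] != KASAN_SLAB_FREE_META && is_free(d->shadow[lo - 1])) lo--;
    while (hi + 1 < d->n && d->shadow[hi + 1] == KASAN_SLAB_FREE) hi++;
    *start = d->base + lo * GRANULE;
    return (hi - lo + 1) * GRANULE;
}

/* Memory-state block copied from the second qemu-arm64 report above (read at
 * fff00000c6331c78, 120 bytes into the freed kmalloc-128 object). */
static const char ARM64_REPORT[] =
    "[ 23.554152] Memory state around the buggy address:\n"
    "[ 23.554673] fff00000c6331b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n"
    "[ 23.555410] fff00000c6331b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n"
    "[ 23.556193] >fff00000c6331c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n"
    "[ 23.556915] ^\n"
    "[ 23.558305] fff00000c6331c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n"
    "[ 23.559039] fff00000c6331d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n";
```

Feed `parse_shadow_dump()` the memory-state lines of a report, then call `classify()` and `freed_region()` with the address from its `Read of size` line. For `fff00000c6331c78` the result is `slab-use-after-free` inside a 128-byte freed region starting at `fff00000c6331c00`, 120 bytes in, which is exactly what the report's header lines state; for `fff00000c6331c80`, the first redzone byte, the same dump yields `slab-out-of-bounds`. Disagreement between the shadow and the header lines of a real report is worth a second look, since it usually means the shadow changed between the access and the dump (a racing free or reallocation).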