Date
May 12, 2025, 6:12 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 19.292292] ==================================================================
[ 19.293173] BUG: KASAN: slab-use-after-free in ksize_uaf+0x548/0x600
[ 19.293931] Read of size 1 at addr fff00000c59c2a78 by task kunit_try_catch/185
[ 19.294208]
[ 19.294340] CPU: 1 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.14.7-rc1 #1
[ 19.294443] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.294496] Hardware name: linux,dummy-virt (DT)
[ 19.294594] Call trace:
[ 19.294647] show_stack+0x20/0x38 (C)
[ 19.294769] dump_stack_lvl+0x8c/0xd0
[ 19.294861] print_report+0x118/0x608
[ 19.294949] kasan_report+0xdc/0x128
[ 19.295052] __asan_report_load1_noabort+0x20/0x30
[ 19.295149] ksize_uaf+0x548/0x600
[ 19.295226] kunit_try_run_case+0x170/0x3f0
[ 19.295334] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.295442] kthread+0x318/0x620
[ 19.295522] ret_from_fork+0x10/0x20
[ 19.295617]
[ 19.303060] Allocated by task 185:
[ 19.303319] kasan_save_stack+0x3c/0x68
[ 19.303719] kasan_save_track+0x20/0x40
[ 19.304112] kasan_save_alloc_info+0x40/0x58
[ 19.304530] __kasan_kmalloc+0xd4/0xd8
[ 19.305896] __kmalloc_cache_noprof+0x15c/0x3c0
[ 19.306201] ksize_uaf+0xb8/0x600
[ 19.306359] kunit_try_run_case+0x170/0x3f0
[ 19.307036] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.308853] kthread+0x318/0x620
[ 19.309320] ret_from_fork+0x10/0x20
[ 19.309923]
[ 19.310132] Freed by task 185:
[ 19.310592] kasan_save_stack+0x3c/0x68
[ 19.311907] kasan_save_track+0x20/0x40
[ 19.312170] kasan_save_free_info+0x4c/0x78
[ 19.312411] __kasan_slab_free+0x6c/0x98
[ 19.312636] kfree+0x214/0x3c8
[ 19.312842] ksize_uaf+0x11c/0x600
[ 19.313050] kunit_try_run_case+0x170/0x3f0
[ 19.313285] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.313564] kthread+0x318/0x620
[ 19.315232] ret_from_fork+0x10/0x20
[ 19.315546]
[ 19.315768] The buggy address belongs to the object at fff00000c59c2a00
[ 19.315768] which belongs to the cache kmalloc-128 of size 128
[ 19.317095] The buggy address is located 120 bytes inside of
[ 19.317095] freed 128-byte region [fff00000c59c2a00, fff00000c59c2a80)
[ 19.318042]
[ 19.318366] The buggy address belongs to the physical page:
[ 19.319049] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059c2
[ 19.320454] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.321204] page_type: f5(slab)
[ 19.321764] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 19.322586] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.323189] page dumped because: kasan: bad access detected
[ 19.323609]
[ 19.324186] Memory state around the buggy address:
[ 19.324905] fff00000c59c2900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.325603] fff00000c59c2980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.326353] >fff00000c59c2a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.327167] ^
[ 19.327744] fff00000c59c2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.328270] fff00000c59c2b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.329785] ==================================================================
[ 19.259123] ==================================================================
[ 19.260101] BUG: KASAN: slab-use-after-free in ksize_uaf+0x59c/0x600
[ 19.260673] Read of size 1 at addr fff00000c59c2a00 by task kunit_try_catch/185
[ 19.261267]
[ 19.261578] CPU: 1 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.14.7-rc1 #1
[ 19.261816] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.261892] Hardware name: linux,dummy-virt (DT)
[ 19.261965] Call trace:
[ 19.262023] show_stack+0x20/0x38 (C)
[ 19.262178] dump_stack_lvl+0x8c/0xd0
[ 19.262301] print_report+0x118/0x608
[ 19.262378] kasan_report+0xdc/0x128
[ 19.262430] __asan_report_load1_noabort+0x20/0x30
[ 19.262489] ksize_uaf+0x59c/0x600
[ 19.262859] kunit_try_run_case+0x170/0x3f0
[ 19.262968] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.263071] kthread+0x318/0x620
[ 19.263166] ret_from_fork+0x10/0x20
[ 19.263272]
[ 19.265526] Allocated by task 185:
[ 19.265683] kasan_save_stack+0x3c/0x68
[ 19.266208] kasan_save_track+0x20/0x40
[ 19.266865] kasan_save_alloc_info+0x40/0x58
[ 19.268570] __kasan_kmalloc+0xd4/0xd8
[ 19.269203] __kmalloc_cache_noprof+0x15c/0x3c0
[ 19.269804] ksize_uaf+0xb8/0x600
[ 19.270366] kunit_try_run_case+0x170/0x3f0
[ 19.271111] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.271976] kthread+0x318/0x620
[ 19.272345] ret_from_fork+0x10/0x20
[ 19.272675]
[ 19.272859] Freed by task 185:
[ 19.273101] kasan_save_stack+0x3c/0x68
[ 19.273342] kasan_save_track+0x20/0x40
[ 19.273573] kasan_save_free_info+0x4c/0x78
[ 19.273864] __kasan_slab_free+0x6c/0x98
[ 19.274209] kfree+0x214/0x3c8
[ 19.275806] ksize_uaf+0x11c/0x600
[ 19.276243] kunit_try_run_case+0x170/0x3f0
[ 19.276852] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.277468] kthread+0x318/0x620
[ 19.277985] ret_from_fork+0x10/0x20
[ 19.278503]
[ 19.278885] The buggy address belongs to the object at fff00000c59c2a00
[ 19.278885] which belongs to the cache kmalloc-128 of size 128
[ 19.279884] The buggy address is located 0 bytes inside of
[ 19.279884] freed 128-byte region [fff00000c59c2a00, fff00000c59c2a80)
[ 19.280484]
[ 19.280625] The buggy address belongs to the physical page:
[ 19.280907] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059c2
[ 19.281268] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.281580] page_type: f5(slab)
[ 19.282913] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 19.283483] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.284556] page dumped because: kasan: bad access detected
[ 19.285122]
[ 19.285418] Memory state around the buggy address:
[ 19.285912] fff00000c59c2900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.287499] fff00000c59c2980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.288128] >fff00000c59c2a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.288807] ^
[ 19.289289] fff00000c59c2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.289950] fff00000c59c2b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.290462] ==================================================================
[ 19.223047] ==================================================================
[ 19.224264] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x600
[ 19.224985] Read of size 1 at addr fff00000c59c2a00 by task kunit_try_catch/185
[ 19.225556]
[ 19.225823] CPU: 1 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.14.7-rc1 #1
[ 19.226016] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.226098] Hardware name: linux,dummy-virt (DT)
[ 19.226181] Call trace:
[ 19.226246] show_stack+0x20/0x38 (C)
[ 19.226407] dump_stack_lvl+0x8c/0xd0
[ 19.226543] print_report+0x118/0x608
[ 19.226671] kasan_report+0xdc/0x128
[ 19.226799] __kasan_check_byte+0x54/0x70
[ 19.226898] ksize+0x30/0x88
[ 19.226954] ksize_uaf+0x168/0x600
[ 19.227005] kunit_try_run_case+0x170/0x3f0
[ 19.227061] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.227119] kthread+0x318/0x620
[ 19.227167] ret_from_fork+0x10/0x20
[ 19.227223]
[ 19.231449] Allocated by task 185:
[ 19.231902] kasan_save_stack+0x3c/0x68
[ 19.232454] kasan_save_track+0x20/0x40
[ 19.233009] kasan_save_alloc_info+0x40/0x58
[ 19.233515] __kasan_kmalloc+0xd4/0xd8
[ 19.233792] __kmalloc_cache_noprof+0x15c/0x3c0
[ 19.234079] ksize_uaf+0xb8/0x600
[ 19.234335] kunit_try_run_case+0x170/0x3f0
[ 19.234805] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.235447] kthread+0x318/0x620
[ 19.235914] ret_from_fork+0x10/0x20
[ 19.236383]
[ 19.236667] Freed by task 185:
[ 19.237081] kasan_save_stack+0x3c/0x68
[ 19.237475] kasan_save_track+0x20/0x40
[ 19.237846] kasan_save_free_info+0x4c/0x78
[ 19.238198] __kasan_slab_free+0x6c/0x98
[ 19.238701] kfree+0x214/0x3c8
[ 19.239165] ksize_uaf+0x11c/0x600
[ 19.239610] kunit_try_run_case+0x170/0x3f0
[ 19.240163] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.240791] kthread+0x318/0x620
[ 19.241218] ret_from_fork+0x10/0x20
[ 19.241648]
[ 19.241922] The buggy address belongs to the object at fff00000c59c2a00
[ 19.241922] which belongs to the cache kmalloc-128 of size 128
[ 19.242752] The buggy address is located 0 bytes inside of
[ 19.242752] freed 128-byte region [fff00000c59c2a00, fff00000c59c2a80)
[ 19.243700]
[ 19.244049] The buggy address belongs to the physical page:
[ 19.244627] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059c2
[ 19.245134] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.245732] page_type: f5(slab)
[ 19.246192] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 19.247183] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.248001] page dumped because: kasan: bad access detected
[ 19.248679]
[ 19.249001] Memory state around the buggy address:
[ 19.249463] fff00000c59c2900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.252373] fff00000c59c2980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.253115] >fff00000c59c2a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.253699] ^
[ 19.254003] fff00000c59c2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.256297] fff00000c59c2b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.257096] ==================================================================
```
qemu-x86_64:

```text
[ 12.925287] ==================================================================
[ 12.925637] BUG: KASAN: slab-use-after-free in ksize_uaf+0x600/0x6c0
[ 12.925959] Read of size 1 at addr ffff888101b0ed00 by task kunit_try_catch/204
[ 12.926365]
[ 12.926458] CPU: 1 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.14.7-rc1 #1
[ 12.926504] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.926516] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.926538] Call Trace:
[ 12.926563] <TASK>
[ 12.926583] dump_stack_lvl+0x73/0xb0
[ 12.926613] print_report+0xd1/0x650
[ 12.926635] ? __virt_addr_valid+0x1db/0x2d0
[ 12.926658] ? ksize_uaf+0x600/0x6c0
[ 12.926677] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.926702] ? ksize_uaf+0x600/0x6c0
[ 12.926721] kasan_report+0x140/0x180
[ 12.926742] ? ksize_uaf+0x600/0x6c0
[ 12.926766] __asan_report_load1_noabort+0x18/0x20
[ 12.926788] ksize_uaf+0x600/0x6c0
[ 12.926807] ? __pfx_ksize_uaf+0x10/0x10
[ 12.926827] ? sysvec_apic_timer_interrupt+0x50/0x90
[ 12.926861] ? trace_hardirqs_on+0x37/0xe0
[ 12.926884] ? __pfx_read_tsc+0x10/0x10
[ 12.926905] ? ktime_get_ts64+0x86/0x230
[ 12.926930] kunit_try_run_case+0x1a6/0x480
[ 12.926952] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.926974] ? queued_spin_lock_slowpath+0x117/0xb40
[ 12.927100] ? __kthread_parkme+0x82/0x160
[ 12.927125] ? preempt_count_sub+0x50/0x80
[ 12.927150] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.927172] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.927197] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.927223] kthread+0x324/0x6e0
[ 12.927243] ? trace_preempt_on+0x20/0xc0
[ 12.927266] ? __pfx_kthread+0x10/0x10
[ 12.927287] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.927311] ? calculate_sigpending+0x7b/0xa0
[ 12.927333] ? __pfx_kthread+0x10/0x10
[ 12.927354] ret_from_fork+0x41/0x80
[ 12.927373] ? __pfx_kthread+0x10/0x10
[ 12.927394] ret_from_fork_asm+0x1a/0x30
[ 12.927426] </TASK>
[ 12.927436]
[ 12.934775] Allocated by task 204:
[ 12.934978] kasan_save_stack+0x45/0x70
[ 12.935260] kasan_save_track+0x18/0x40
[ 12.935451] kasan_save_alloc_info+0x3b/0x50
[ 12.935653] __kasan_kmalloc+0xb7/0xc0
[ 12.935805] __kmalloc_cache_noprof+0x18a/0x420
[ 12.936202] ksize_uaf+0xab/0x6c0
[ 12.936356] kunit_try_run_case+0x1a6/0x480
[ 12.936556] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.936790] kthread+0x324/0x6e0
[ 12.936931] ret_from_fork+0x41/0x80
[ 12.937189] ret_from_fork_asm+0x1a/0x30
[ 12.937396]
[ 12.937493] Freed by task 204:
[ 12.937657] kasan_save_stack+0x45/0x70
[ 12.937867] kasan_save_track+0x18/0x40
[ 12.938162] kasan_save_free_info+0x3f/0x60
[ 12.938341] __kasan_slab_free+0x56/0x70
[ 12.938524] kfree+0x224/0x3f0
[ 12.938694] ksize_uaf+0x12d/0x6c0
[ 12.938883] kunit_try_run_case+0x1a6/0x480
[ 12.939193] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.939432] kthread+0x324/0x6e0
[ 12.939580] ret_from_fork+0x41/0x80
[ 12.939749] ret_from_fork_asm+0x1a/0x30
[ 12.939938]
[ 12.940269] The buggy address belongs to the object at ffff888101b0ed00
[ 12.940269] which belongs to the cache kmalloc-128 of size 128
[ 12.940743] The buggy address is located 0 bytes inside of
[ 12.940743] freed 128-byte region [ffff888101b0ed00, ffff888101b0ed80)
[ 12.941199]
[ 12.941280] The buggy address belongs to the physical page:
[ 12.941507] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101b0e
[ 12.941876] flags: 0x200000000000000(node=0|zone=2)
[ 12.942256] page_type: f5(slab)
[ 12.942434] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.942775] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.943218] page dumped because: kasan: bad access detected
[ 12.943434]
[ 12.943528] Memory state around the buggy address:
[ 12.943737] ffff888101b0ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.944289] ffff888101b0ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.944521] >ffff888101b0ed00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.944747] ^
[ 12.944926] ffff888101b0ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.945364] ffff888101b0ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.945697] ==================================================================
[ 12.946275] ==================================================================
[ 12.946633] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e6/0x6c0
[ 12.946933] Read of size 1 at addr ffff888101b0ed78 by task kunit_try_catch/204
[ 12.947341]
[ 12.947446] CPU: 1 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.14.7-rc1 #1
[ 12.947490] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.947502] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.947523] Call Trace:
[ 12.947542] <TASK>
[ 12.947561] dump_stack_lvl+0x73/0xb0
[ 12.947589] print_report+0xd1/0x650
[ 12.947610] ? __virt_addr_valid+0x1db/0x2d0
[ 12.947632] ? ksize_uaf+0x5e6/0x6c0
[ 12.947651] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.947675] ? ksize_uaf+0x5e6/0x6c0
[ 12.947695] kasan_report+0x140/0x180
[ 12.947716] ? ksize_uaf+0x5e6/0x6c0
[ 12.947740] __asan_report_load1_noabort+0x18/0x20
[ 12.947763] ksize_uaf+0x5e6/0x6c0
[ 12.947782] ? __pfx_ksize_uaf+0x10/0x10
[ 12.947801] ? sysvec_apic_timer_interrupt+0x50/0x90
[ 12.947824] ? trace_hardirqs_on+0x37/0xe0
[ 12.947859] ? __pfx_read_tsc+0x10/0x10
[ 12.947880] ? ktime_get_ts64+0x86/0x230
[ 12.947905] kunit_try_run_case+0x1a6/0x480
[ 12.947928] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.947950] ? queued_spin_lock_slowpath+0x117/0xb40
[ 12.947971] ? __kthread_parkme+0x82/0x160
[ 12.948254] ? preempt_count_sub+0x50/0x80
[ 12.948289] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.948312] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.948337] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.948363] kthread+0x324/0x6e0
[ 12.948385] ? trace_preempt_on+0x20/0xc0
[ 12.948408] ? __pfx_kthread+0x10/0x10
[ 12.948429] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.948452] ? calculate_sigpending+0x7b/0xa0
[ 12.948474] ? __pfx_kthread+0x10/0x10
[ 12.948496] ret_from_fork+0x41/0x80
[ 12.948514] ? __pfx_kthread+0x10/0x10
[ 12.948535] ret_from_fork_asm+0x1a/0x30
[ 12.948566] </TASK>
[ 12.948577]
[ 12.955691] Allocated by task 204:
[ 12.955869] kasan_save_stack+0x45/0x70
[ 12.956305] kasan_save_track+0x18/0x40
[ 12.956465] kasan_save_alloc_info+0x3b/0x50
[ 12.956616] __kasan_kmalloc+0xb7/0xc0
[ 12.956748] __kmalloc_cache_noprof+0x18a/0x420
[ 12.956933] ksize_uaf+0xab/0x6c0
[ 12.957215] kunit_try_run_case+0x1a6/0x480
[ 12.957470] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.957737] kthread+0x324/0x6e0
[ 12.957930] ret_from_fork+0x41/0x80
[ 12.958257] ret_from_fork_asm+0x1a/0x30
[ 12.958464]
[ 12.958560] Freed by task 204:
[ 12.958721] kasan_save_stack+0x45/0x70
[ 12.958901] kasan_save_track+0x18/0x40
[ 12.959171] kasan_save_free_info+0x3f/0x60
[ 12.959329] __kasan_slab_free+0x56/0x70
[ 12.959466] kfree+0x224/0x3f0
[ 12.959585] ksize_uaf+0x12d/0x6c0
[ 12.959711] kunit_try_run_case+0x1a6/0x480
[ 12.959926] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.960519] kthread+0x324/0x6e0
[ 12.960712] ret_from_fork+0x41/0x80
[ 12.960905] ret_from_fork_asm+0x1a/0x30
[ 12.961164]
[ 12.961240] The buggy address belongs to the object at ffff888101b0ed00
[ 12.961240] which belongs to the cache kmalloc-128 of size 128
[ 12.961781] The buggy address is located 120 bytes inside of
[ 12.961781] freed 128-byte region [ffff888101b0ed00, ffff888101b0ed80)
[ 12.962394]
[ 12.962495] The buggy address belongs to the physical page:
[ 12.962724] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101b0e
[ 12.963146] flags: 0x200000000000000(node=0|zone=2)
[ 12.963352] page_type: f5(slab)
[ 12.963525] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.963797] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.964337] page dumped because: kasan: bad access detected
[ 12.964588]
[ 12.964662] Memory state around the buggy address:
[ 12.964881] ffff888101b0ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.965268] ffff888101b0ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.965551] >ffff888101b0ed00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.965852] ^
[ 12.966249] ffff888101b0ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.966498] ffff888101b0ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.966779] ==================================================================
[ 12.901085] ==================================================================
[ 12.901502] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19e/0x6c0
[ 12.901729] Read of size 1 at addr ffff888101b0ed00 by task kunit_try_catch/204
[ 12.902004]
[ 12.902192] CPU: 1 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.14.7-rc1 #1
[ 12.902240] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.902251] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.902273] Call Trace:
[ 12.902287] <TASK>
[ 12.902307] dump_stack_lvl+0x73/0xb0
[ 12.902336] print_report+0xd1/0x650
[ 12.902357] ? __virt_addr_valid+0x1db/0x2d0
[ 12.902380] ? ksize_uaf+0x19e/0x6c0
[ 12.902399] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.902424] ? ksize_uaf+0x19e/0x6c0
[ 12.902444] kasan_report+0x140/0x180
[ 12.902464] ? ksize_uaf+0x19e/0x6c0
[ 12.902486] ? ksize_uaf+0x19e/0x6c0
[ 12.902505] __kasan_check_byte+0x3d/0x50
[ 12.902526] ksize+0x20/0x60
[ 12.902545] ksize_uaf+0x19e/0x6c0
[ 12.902564] ? __pfx_ksize_uaf+0x10/0x10
[ 12.902583] ? sysvec_apic_timer_interrupt+0x50/0x90
[ 12.902605] ? trace_hardirqs_on+0x37/0xe0
[ 12.902629] ? __pfx_read_tsc+0x10/0x10
[ 12.902650] ? ktime_get_ts64+0x86/0x230
[ 12.902676] kunit_try_run_case+0x1a6/0x480
[ 12.902699] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.902721] ? queued_spin_lock_slowpath+0x117/0xb40
[ 12.902742] ? __kthread_parkme+0x82/0x160
[ 12.902765] ? preempt_count_sub+0x50/0x80
[ 12.902789] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.902811] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.902848] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.902873] kthread+0x324/0x6e0
[ 12.902894] ? trace_preempt_on+0x20/0xc0
[ 12.902915] ? __pfx_kthread+0x10/0x10
[ 12.902937] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.902960] ? calculate_sigpending+0x7b/0xa0
[ 12.902981] ? __pfx_kthread+0x10/0x10
[ 12.903003] ret_from_fork+0x41/0x80
[ 12.903775] ? __pfx_kthread+0x10/0x10
[ 12.903825] ret_from_fork_asm+0x1a/0x30
[ 12.903872] </TASK>
[ 12.903885]
[ 12.913817] Allocated by task 204:
[ 12.914140] kasan_save_stack+0x45/0x70
[ 12.914369] kasan_save_track+0x18/0x40
[ 12.914550] kasan_save_alloc_info+0x3b/0x50
[ 12.914753] __kasan_kmalloc+0xb7/0xc0
[ 12.914902] __kmalloc_cache_noprof+0x18a/0x420
[ 12.915201] ksize_uaf+0xab/0x6c0
[ 12.915359] kunit_try_run_case+0x1a6/0x480
[ 12.915566] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.915819] kthread+0x324/0x6e0
[ 12.916190] ret_from_fork+0x41/0x80
[ 12.916400] ret_from_fork_asm+0x1a/0x30
[ 12.916598]
[ 12.916685] Freed by task 204:
[ 12.916818] kasan_save_stack+0x45/0x70
[ 12.917122] kasan_save_track+0x18/0x40
[ 12.917298] kasan_save_free_info+0x3f/0x60
[ 12.917476] __kasan_slab_free+0x56/0x70
[ 12.917616] kfree+0x224/0x3f0
[ 12.917783] ksize_uaf+0x12d/0x6c0
[ 12.917970] kunit_try_run_case+0x1a6/0x480
[ 12.918283] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.918467] kthread+0x324/0x6e0
[ 12.918591] ret_from_fork+0x41/0x80
[ 12.918720] ret_from_fork_asm+0x1a/0x30
[ 12.918874]
[ 12.918961] The buggy address belongs to the object at ffff888101b0ed00
[ 12.918961] which belongs to the cache kmalloc-128 of size 128
[ 12.919574] The buggy address is located 0 bytes inside of
[ 12.919574] freed 128-byte region [ffff888101b0ed00, ffff888101b0ed80)
[ 12.920309]
[ 12.920414] The buggy address belongs to the physical page:
[ 12.920665] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101b0e
[ 12.920961] flags: 0x200000000000000(node=0|zone=2)
[ 12.921218] page_type: f5(slab)
[ 12.921377] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.921733] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.922201] page dumped because: kasan: bad access detected
[ 12.922459]
[ 12.922553] Memory state around the buggy address:
[ 12.922762] ffff888101b0ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.923153] ffff888101b0ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.923443] >ffff888101b0ed00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.923725] ^
[ 12.923865] ffff888101b0ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.924397] ffff888101b0ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.924678] ==================================================================
```