Date
June 2, 2025, 2:13 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 19.318961] ================================================================== [ 19.319612] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x600 [ 19.320298] Read of size 1 at addr fff00000c65b6100 by task kunit_try_catch/186 [ 19.321027] [ 19.321387] CPU: 0 UID: 0 PID: 186 Comm: kunit_try_catch Tainted: G B N 6.14.10-rc1 #1 [ 19.321645] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.321719] Hardware name: linux,dummy-virt (DT) [ 19.321800] Call trace: [ 19.321856] show_stack+0x20/0x38 (C) [ 19.322020] dump_stack_lvl+0x8c/0xd0 [ 19.322924] print_report+0x118/0x608 [ 19.323002] kasan_report+0xdc/0x128 [ 19.323052] __kasan_check_byte+0x54/0x70 [ 19.323101] ksize+0x30/0x88 [ 19.323176] ksize_uaf+0x168/0x600 [ 19.323237] kunit_try_run_case+0x170/0x3f0 [ 19.323293] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.323351] kthread+0x318/0x620 [ 19.323401] ret_from_fork+0x10/0x20 [ 19.323457] [ 19.329404] Allocated by task 186: [ 19.329709] kasan_save_stack+0x3c/0x68 [ 19.330423] kasan_save_track+0x20/0x40 [ 19.330744] kasan_save_alloc_info+0x40/0x58 [ 19.331031] __kasan_kmalloc+0xd4/0xd8 [ 19.331318] __kmalloc_cache_noprof+0x16c/0x3c0 [ 19.332939] ksize_uaf+0xb8/0x600 [ 19.333372] kunit_try_run_case+0x170/0x3f0 [ 19.333742] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.334905] kthread+0x318/0x620 [ 19.335251] ret_from_fork+0x10/0x20 [ 19.335445] [ 19.335550] Freed by task 186: [ 19.335681] kasan_save_stack+0x3c/0x68 [ 19.335847] kasan_save_track+0x20/0x40 [ 19.336002] kasan_save_free_info+0x4c/0x78 [ 19.336188] __kasan_slab_free+0x6c/0x98 [ 19.336539] kfree+0x214/0x3c8 [ 19.336927] ksize_uaf+0x11c/0x600 [ 19.337440] kunit_try_run_case+0x170/0x3f0 [ 19.337852] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.338510] kthread+0x318/0x620 [ 19.339186] ret_from_fork+0x10/0x20 [ 19.339661] [ 19.339895] The buggy address belongs to the object at fff00000c65b6100 [ 19.339895] which belongs to the cache kmalloc-128 of size 128 [ 19.340869] The buggy address is located 0 bytes inside of [ 19.340869] freed 128-byte region [fff00000c65b6100, fff00000c65b6180) [ 19.342837] [ 19.343060] The buggy address belongs to the physical page: [ 19.343939] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065b6 [ 19.344641] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 19.345227] page_type: f5(slab) [ 19.345594] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 19.346353] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.347070] page dumped because: kasan: bad access detected [ 19.347842] [ 19.348005] Memory state around the buggy address: [ 19.348278] fff00000c65b6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.348628] fff00000c65b6080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.348966] >fff00000c65b6100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.349940] ^ [ 19.350755] fff00000c65b6180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.351400] fff00000c65b6200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.351905] ================================================================== [ 19.353900] ================================================================== [ 19.354556] BUG: KASAN: slab-use-after-free in ksize_uaf+0x59c/0x600 [ 19.354966] Read of size 1 at addr fff00000c65b6100 by task kunit_try_catch/186 [ 19.355442] [ 19.356452] CPU: 0 UID: 0 PID: 186 Comm: kunit_try_catch Tainted: G B N 6.14.10-rc1 #1 [ 19.356686] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.356724] Hardware name: linux,dummy-virt (DT) [ 19.356764] Call trace: [ 19.356794] show_stack+0x20/0x38 (C) [ 19.356864] dump_stack_lvl+0x8c/0xd0 [ 19.356922] print_report+0x118/0x608 [ 19.356978] kasan_report+0xdc/0x128 [ 19.357030] __asan_report_load1_noabort+0x20/0x30 [ 19.357085] ksize_uaf+0x59c/0x600 [ 19.357132] kunit_try_run_case+0x170/0x3f0 [ 19.357215] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.357274] kthread+0x318/0x620 [ 19.357324] ret_from_fork+0x10/0x20 [ 19.357380] [ 19.362889] Allocated by task 186: [ 19.363622] kasan_save_stack+0x3c/0x68 [ 19.364095] kasan_save_track+0x20/0x40 [ 19.364468] kasan_save_alloc_info+0x40/0x58 [ 19.364853] __kasan_kmalloc+0xd4/0xd8 [ 19.365660] __kmalloc_cache_noprof+0x16c/0x3c0 [ 19.366081] ksize_uaf+0xb8/0x600 [ 19.366710] kunit_try_run_case+0x170/0x3f0 [ 19.367330] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.368023] kthread+0x318/0x620 [ 19.368440] ret_from_fork+0x10/0x20 [ 19.368969] [ 19.369227] Freed by task 186: [ 19.369535] kasan_save_stack+0x3c/0x68 [ 19.369885] kasan_save_track+0x20/0x40 [ 19.370650] kasan_save_free_info+0x4c/0x78 [ 19.370980] __kasan_slab_free+0x6c/0x98 [ 19.371364] kfree+0x214/0x3c8 [ 19.371810] ksize_uaf+0x11c/0x600 [ 19.372323] kunit_try_run_case+0x170/0x3f0 [ 19.372845] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.373660] kthread+0x318/0x620 [ 19.374590] ret_from_fork+0x10/0x20 [ 19.374924] [ 19.375181] The buggy address belongs to the object at fff00000c65b6100 [ 19.375181] which belongs to the cache kmalloc-128 of size 128 [ 19.376187] The buggy address is located 0 bytes inside of [ 19.376187] freed 128-byte region [fff00000c65b6100, fff00000c65b6180) [ 19.377107] [ 19.377360] The buggy address belongs to the physical page: [ 19.377814] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065b6 [ 19.379227] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 19.379871] page_type: f5(slab) [ 19.380284] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 19.380984] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.381618] page dumped because: kasan: bad access detected [ 19.382106] [ 19.382391] Memory state around the buggy address: [ 19.382805] fff00000c65b6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.383716] fff00000c65b6080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.384328] >fff00000c65b6100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.384932] ^ [ 19.385332] fff00000c65b6180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.386015] fff00000c65b6200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.386673] ================================================================== [ 19.388558] ================================================================== [ 19.389556] BUG: KASAN: slab-use-after-free in ksize_uaf+0x548/0x600 [ 19.389978] Read of size 1 at addr fff00000c65b6178 by task kunit_try_catch/186 [ 19.391388] [ 19.391714] CPU: 0 UID: 0 PID: 186 Comm: kunit_try_catch Tainted: G B N 6.14.10-rc1 #1 [ 19.391892] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.391954] Hardware name: linux,dummy-virt (DT) [ 19.392014] Call trace: [ 19.392061] show_stack+0x20/0x38 (C) [ 19.392172] dump_stack_lvl+0x8c/0xd0 [ 19.392476] print_report+0x118/0x608 [ 19.392541] kasan_report+0xdc/0x128 [ 19.392591] __asan_report_load1_noabort+0x20/0x30 [ 19.392643] ksize_uaf+0x548/0x600 [ 19.392688] kunit_try_run_case+0x170/0x3f0 [ 19.392740] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.392794] kthread+0x318/0x620 [ 19.392840] ret_from_fork+0x10/0x20 [ 19.392892] [ 19.397908] Allocated by task 186: [ 19.399270] kasan_save_stack+0x3c/0x68 [ 19.399929] kasan_save_track+0x20/0x40 [ 19.400334] kasan_save_alloc_info+0x40/0x58 [ 19.400854] __kasan_kmalloc+0xd4/0xd8 [ 19.401328] __kmalloc_cache_noprof+0x16c/0x3c0 [ 19.401731] ksize_uaf+0xb8/0x600 [ 19.402059] kunit_try_run_case+0x170/0x3f0 [ 19.402924] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.403589] kthread+0x318/0x620 [ 19.403912] ret_from_fork+0x10/0x20 [ 19.404215] [ 19.404426] Freed by task 186: [ 19.404739] kasan_save_stack+0x3c/0x68 [ 19.405065] kasan_save_track+0x20/0x40 [ 19.405933] kasan_save_free_info+0x4c/0x78 [ 19.406610] __kasan_slab_free+0x6c/0x98 [ 19.407350] kfree+0x214/0x3c8 [ 19.407729] ksize_uaf+0x11c/0x600 [ 19.407978] kunit_try_run_case+0x170/0x3f0 [ 19.408427] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.408842] kthread+0x318/0x620 [ 19.409121] ret_from_fork+0x10/0x20 [ 19.409998] [ 19.410709] The buggy address belongs to the object at fff00000c65b6100 [ 19.410709] which belongs to the cache kmalloc-128 of size 128 [ 19.411464] The buggy address is located 120 bytes inside of [ 19.411464] freed 128-byte region [fff00000c65b6100, fff00000c65b6180) [ 19.412169] [ 19.412366] The buggy address belongs to the physical page: [ 19.412757] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065b6 [ 19.413337] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 19.413944] page_type: f5(slab) [ 19.414955] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 19.415526] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.416516] page dumped because: kasan: bad access detected [ 19.417026] [ 19.417364] Memory state around the buggy address: [ 19.417836] fff00000c65b6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.418944] fff00000c65b6080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.419595] >fff00000c65b6100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.420170] ^ [ 19.420756] fff00000c65b6180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.421363] fff00000c65b6200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.421978] ==================================================================
[ 13.161301] ================================================================== [ 13.162128] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19e/0x6c0 [ 13.162649] Read of size 1 at addr ffff888101bd1c00 by task kunit_try_catch/204 [ 13.163316] [ 13.163424] CPU: 1 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.14.10-rc1 #1 [ 13.163592] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.163606] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.163625] Call Trace: [ 13.163637] <TASK> [ 13.163653] dump_stack_lvl+0x73/0xb0 [ 13.163681] print_report+0xd1/0x650 [ 13.163702] ? __virt_addr_valid+0x1db/0x2d0 [ 13.163724] ? ksize_uaf+0x19e/0x6c0 [ 13.163755] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.163779] ? ksize_uaf+0x19e/0x6c0 [ 13.163798] kasan_report+0x140/0x180 [ 13.163879] ? ksize_uaf+0x19e/0x6c0 [ 13.163906] ? ksize_uaf+0x19e/0x6c0 [ 13.163927] __kasan_check_byte+0x3d/0x50 [ 13.163948] ksize+0x20/0x60 [ 13.163968] ksize_uaf+0x19e/0x6c0 [ 13.163987] ? __pfx_ksize_uaf+0x10/0x10 [ 13.164008] ? __schedule+0xce8/0x2840 [ 13.164043] ? __pfx_read_tsc+0x10/0x10 [ 13.164063] ? ktime_get_ts64+0x86/0x230 [ 13.164098] kunit_try_run_case+0x1a6/0x480 [ 13.164121] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.164142] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 13.164175] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.164198] ? __kthread_parkme+0x82/0x160 [ 13.164219] ? preempt_count_sub+0x50/0x80 [ 13.164243] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.164274] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.164299] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.164324] kthread+0x324/0x6e0 [ 13.164355] ? trace_preempt_on+0x20/0xc0 [ 13.164377] ? __pfx_kthread+0x10/0x10 [ 13.164399] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.164420] ? calculate_sigpending+0x7b/0xa0 [ 13.164441] ? __pfx_kthread+0x10/0x10 [ 13.164463] ret_from_fork+0x41/0x80 [ 13.164481] ? __pfx_kthread+0x10/0x10 [ 13.164502] ret_from_fork_asm+0x1a/0x30 [ 13.164532] </TASK> [ 13.164543] [ 13.172255] Allocated by task 204: [ 13.172398] kasan_save_stack+0x45/0x70 [ 13.172621] kasan_save_track+0x18/0x40 [ 13.172812] kasan_save_alloc_info+0x3b/0x50 [ 13.173026] __kasan_kmalloc+0xb7/0xc0 [ 13.173209] __kmalloc_cache_noprof+0x18a/0x420 [ 13.173399] ksize_uaf+0xab/0x6c0 [ 13.173520] kunit_try_run_case+0x1a6/0x480 [ 13.174124] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.174445] kthread+0x324/0x6e0 [ 13.174701] ret_from_fork+0x41/0x80 [ 13.174835] ret_from_fork_asm+0x1a/0x30 [ 13.174969] [ 13.175078] Freed by task 204: [ 13.175229] kasan_save_stack+0x45/0x70 [ 13.175417] kasan_save_track+0x18/0x40 [ 13.175595] kasan_save_free_info+0x3f/0x60 [ 13.175749] __kasan_slab_free+0x56/0x70 [ 13.175880] kfree+0x224/0x3f0 [ 13.176052] ksize_uaf+0x12d/0x6c0 [ 13.176228] kunit_try_run_case+0x1a6/0x480 [ 13.176538] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.176877] kthread+0x324/0x6e0 [ 13.177069] ret_from_fork+0x41/0x80 [ 13.177194] ret_from_fork_asm+0x1a/0x30 [ 13.177374] [ 13.177469] The buggy address belongs to the object at ffff888101bd1c00 [ 13.177469] which belongs to the cache kmalloc-128 of size 128 [ 13.178253] The buggy address is located 0 bytes inside of [ 13.178253] freed 128-byte region [ffff888101bd1c00, ffff888101bd1c80) [ 13.178950] [ 13.179079] The buggy address belongs to the physical page: [ 13.179292] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101bd1 [ 13.179632] flags: 0x200000000000000(node=0|zone=2) [ 13.179884] page_type: f5(slab) [ 13.180004] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.180271] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.180607] page dumped because: kasan: bad access detected [ 13.180848] [ 13.181066] Memory state around the buggy address: [ 13.181298] ffff888101bd1b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.181780] ffff888101bd1b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.182127] >ffff888101bd1c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.182387] ^ [ 13.182512] ffff888101bd1c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.182870] ffff888101bd1d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.183277] ================================================================== [ 13.183998] ================================================================== [ 13.184346] BUG: KASAN: slab-use-after-free in ksize_uaf+0x600/0x6c0 [ 13.184672] Read of size 1 at addr ffff888101bd1c00 by task kunit_try_catch/204 [ 13.185031] [ 13.185153] CPU: 1 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.14.10-rc1 #1 [ 13.185190] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.185212] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.185232] Call Trace: [ 13.185243] <TASK> [ 13.185256] dump_stack_lvl+0x73/0xb0 [ 13.185279] print_report+0xd1/0x650 [ 13.185299] ? __virt_addr_valid+0x1db/0x2d0 [ 13.185321] ? ksize_uaf+0x600/0x6c0 [ 13.185340] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.185364] ? ksize_uaf+0x600/0x6c0 [ 13.185384] kasan_report+0x140/0x180 [ 13.185405] ? ksize_uaf+0x600/0x6c0 [ 13.185429] __asan_report_load1_noabort+0x18/0x20 [ 13.185451] ksize_uaf+0x600/0x6c0 [ 13.185480] ? __pfx_ksize_uaf+0x10/0x10 [ 13.185501] ? __schedule+0xce8/0x2840 [ 13.185522] ? __pfx_read_tsc+0x10/0x10 [ 13.185554] ? ktime_get_ts64+0x86/0x230 [ 13.185578] kunit_try_run_case+0x1a6/0x480 [ 13.185601] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.185621] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 13.185644] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.185666] ? __kthread_parkme+0x82/0x160 [ 13.185688] ? preempt_count_sub+0x50/0x80 [ 13.185711] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.185738] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.185763] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.185788] kthread+0x324/0x6e0 [ 13.185974] ? trace_preempt_on+0x20/0xc0 [ 13.185999] ? __pfx_kthread+0x10/0x10 [ 13.186040] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.186064] ? calculate_sigpending+0x7b/0xa0 [ 13.186085] ? __pfx_kthread+0x10/0x10 [ 13.186108] ret_from_fork+0x41/0x80 [ 13.186126] ? __pfx_kthread+0x10/0x10 [ 13.186147] ret_from_fork_asm+0x1a/0x30 [ 13.186177] </TASK> [ 13.186187] [ 13.193555] Allocated by task 204: [ 13.193853] kasan_save_stack+0x45/0x70 [ 13.194147] kasan_save_track+0x18/0x40 [ 13.194351] kasan_save_alloc_info+0x3b/0x50 [ 13.194567] __kasan_kmalloc+0xb7/0xc0 [ 13.194875] __kmalloc_cache_noprof+0x18a/0x420 [ 13.195123] ksize_uaf+0xab/0x6c0 [ 13.195292] kunit_try_run_case+0x1a6/0x480 [ 13.195467] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.195838] kthread+0x324/0x6e0 [ 13.196049] ret_from_fork+0x41/0x80 [ 13.196219] ret_from_fork_asm+0x1a/0x30 [ 13.196406] [ 13.196508] Freed by task 204: [ 13.196731] kasan_save_stack+0x45/0x70 [ 13.196946] kasan_save_track+0x18/0x40 [ 13.197139] kasan_save_free_info+0x3f/0x60 [ 13.197325] __kasan_slab_free+0x56/0x70 [ 13.197495] kfree+0x224/0x3f0 [ 13.198062] ksize_uaf+0x12d/0x6c0 [ 13.198211] kunit_try_run_case+0x1a6/0x480 [ 13.198359] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.198538] kthread+0x324/0x6e0 [ 13.198661] ret_from_fork+0x41/0x80 [ 13.198798] ret_from_fork_asm+0x1a/0x30 [ 13.199041] [ 13.199136] The buggy address belongs to the object at ffff888101bd1c00 [ 13.199136] which belongs to the cache kmalloc-128 of size 128 [ 13.199855] The buggy address is located 0 bytes inside of [ 13.199855] freed 128-byte region [ffff888101bd1c00, ffff888101bd1c80) [ 13.200394] [ 13.200491] The buggy address belongs to the physical page: [ 13.200794] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101bd1 [ 13.201132] flags: 0x200000000000000(node=0|zone=2) [ 13.201408] page_type: f5(slab) [ 13.201814] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.202214] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.202523] page dumped because: kasan: bad access detected [ 13.202923] [ 13.203006] Memory state around the buggy address: [ 13.203165] ffff888101bd1b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.203370] ffff888101bd1b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.203705] >ffff888101bd1c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.204133] ^ [ 13.204319] ffff888101bd1c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.204820] ffff888101bd1d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.205139] ================================================================== [ 13.205512] ================================================================== [ 13.205843] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e6/0x6c0 [ 13.206276] Read of size 1 at addr ffff888101bd1c78 by task kunit_try_catch/204 [ 13.206496] [ 13.206575] CPU: 1 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.14.10-rc1 #1 [ 13.206613] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.206624] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.206643] Call Trace: [ 13.206658] <TASK> [ 13.206672] dump_stack_lvl+0x73/0xb0 [ 13.206865] print_report+0xd1/0x650 [ 13.206888] ? __virt_addr_valid+0x1db/0x2d0 [ 13.206909] ? ksize_uaf+0x5e6/0x6c0 [ 13.206928] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.206952] ? ksize_uaf+0x5e6/0x6c0 [ 13.206972] kasan_report+0x140/0x180 [ 13.206993] ? ksize_uaf+0x5e6/0x6c0 [ 13.207028] __asan_report_load1_noabort+0x18/0x20 [ 13.207051] ksize_uaf+0x5e6/0x6c0 [ 13.207070] ? __pfx_ksize_uaf+0x10/0x10 [ 13.207090] ? __schedule+0xce8/0x2840 [ 13.207112] ? __pfx_read_tsc+0x10/0x10 [ 13.207133] ? ktime_get_ts64+0x86/0x230 [ 13.207156] kunit_try_run_case+0x1a6/0x480 [ 13.207179] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.207199] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 13.207222] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.207244] ? __kthread_parkme+0x82/0x160 [ 13.207266] ? preempt_count_sub+0x50/0x80 [ 13.207289] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.207311] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.207336] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.207371] kthread+0x324/0x6e0 [ 13.207391] ? trace_preempt_on+0x20/0xc0 [ 13.207414] ? __pfx_kthread+0x10/0x10 [ 13.207446] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.207467] ? calculate_sigpending+0x7b/0xa0 [ 13.207497] ? __pfx_kthread+0x10/0x10 [ 13.207520] ret_from_fork+0x41/0x80 [ 13.207538] ? __pfx_kthread+0x10/0x10 [ 13.207569] ret_from_fork_asm+0x1a/0x30 [ 13.207599] </TASK> [ 13.207609] [ 13.215160] Allocated by task 204: [ 13.215320] kasan_save_stack+0x45/0x70 [ 13.215463] kasan_save_track+0x18/0x40 [ 13.215597] kasan_save_alloc_info+0x3b/0x50 [ 13.215805] __kasan_kmalloc+0xb7/0xc0 [ 13.216000] __kmalloc_cache_noprof+0x18a/0x420 [ 13.216237] ksize_uaf+0xab/0x6c0 [ 13.216418] kunit_try_run_case+0x1a6/0x480 [ 13.216668] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.216900] kthread+0x324/0x6e0 [ 13.217030] ret_from_fork+0x41/0x80 [ 13.217237] ret_from_fork_asm+0x1a/0x30 [ 13.217458] [ 13.217620] Freed by task 204: [ 13.217782] kasan_save_stack+0x45/0x70 [ 13.217929] kasan_save_track+0x18/0x40 [ 13.218095] kasan_save_free_info+0x3f/0x60 [ 13.218301] __kasan_slab_free+0x56/0x70 [ 13.218521] kfree+0x224/0x3f0 [ 13.218825] ksize_uaf+0x12d/0x6c0 [ 13.219085] kunit_try_run_case+0x1a6/0x480 [ 13.219261] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.219523] kthread+0x324/0x6e0 [ 13.219778] ret_from_fork+0x41/0x80 [ 13.219999] ret_from_fork_asm+0x1a/0x30 [ 13.220219] [ 13.220289] The buggy address belongs to the object at ffff888101bd1c00 [ 13.220289] which belongs to the cache kmalloc-128 of size 128 [ 13.220636] The buggy address is located 120 bytes inside of [ 13.220636] freed 128-byte region [ffff888101bd1c00, ffff888101bd1c80) [ 13.221075] [ 13.221168] The buggy address belongs to the physical page: [ 13.221444] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101bd1 [ 13.221801] flags: 0x200000000000000(node=0|zone=2) [ 13.222042] page_type: f5(slab) [ 13.222353] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 13.222849] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 13.223232] page dumped because: kasan: bad access detected [ 13.223407] [ 13.223502] Memory state around the buggy address: [ 13.223958] ffff888101bd1b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.224301] ffff888101bd1b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.224596] >ffff888101bd1c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 13.224953] ^ [ 13.225264] ffff888101bd1c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.225562] ffff888101bd1d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.226002] ==================================================================