Date
June 2, 2025, 2:11 p.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 |
[ 29.788242] ================================================================== [ 29.795255] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 29.801587] Read of size 1 at addr ffff000800dac200 by task kunit_try_catch/243 [ 29.808879] [ 29.810365] CPU: 1 UID: 0 PID: 243 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT [ 29.810418] Tainted: [B]=BAD_PAGE, [N]=TEST [ 29.810434] Hardware name: WinLink E850-96 board (DT) [ 29.810454] Call trace: [ 29.810465] show_stack+0x20/0x38 (C) [ 29.810495] dump_stack_lvl+0x8c/0xd0 [ 29.810529] print_report+0x118/0x608 [ 29.810557] kasan_report+0xdc/0x128 [ 29.810585] __asan_report_load1_noabort+0x20/0x30 [ 29.810616] ksize_uaf+0x598/0x5f8 [ 29.810646] kunit_try_run_case+0x170/0x3f0 [ 29.810679] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.810717] kthread+0x328/0x630 [ 29.810754] ret_from_fork+0x10/0x20 [ 29.810788] [ 29.872421] Allocated by task 243: [ 29.875808] kasan_save_stack+0x3c/0x68 [ 29.879624] kasan_save_track+0x20/0x40 [ 29.883444] kasan_save_alloc_info+0x40/0x58 [ 29.887697] __kasan_kmalloc+0xd4/0xd8 [ 29.891430] __kmalloc_cache_noprof+0x16c/0x3c0 [ 29.895943] ksize_uaf+0xb8/0x5f8 [ 29.899242] kunit_try_run_case+0x170/0x3f0 [ 29.903409] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.908877] kthread+0x328/0x630 [ 29.912089] ret_from_fork+0x10/0x20 [ 29.915648] [ 29.917124] Freed by task 243: [ 29.920163] kasan_save_stack+0x3c/0x68 [ 29.923981] kasan_save_track+0x20/0x40 [ 29.927800] kasan_save_free_info+0x4c/0x78 [ 29.931967] __kasan_slab_free+0x6c/0x98 [ 29.935873] kfree+0x214/0x3c8 [ 29.938911] ksize_uaf+0x11c/0x5f8 [ 29.942298] kunit_try_run_case+0x170/0x3f0 [ 29.946463] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.951932] kthread+0x328/0x630 [ 29.955144] ret_from_fork+0x10/0x20 [ 29.958703] [ 29.960180] The buggy address belongs to the object at ffff000800dac200 [ 29.960180] which belongs to the cache kmalloc-128 of size 128 [ 29.972679] The buggy address is located 0 bytes inside of [ 29.972679] freed 128-byte region [ffff000800dac200, ffff000800dac280) [ 29.984744] [ 29.986224] The buggy address belongs to the physical page: [ 29.991780] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880dac [ 29.999761] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 30.007403] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 30.014346] page_type: f5(slab) [ 30.017478] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 30.025201] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 30.032928] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 30.040739] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 30.048552] head: 0bfffe0000000001 fffffdffe0036b01 00000000ffffffff 00000000ffffffff [ 30.056364] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 30.064170] page dumped because: kasan: bad access detected [ 30.069725] [ 30.071201] Memory state around the buggy address: [ 30.075981] ffff000800dac100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.083184] ffff000800dac180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.090389] >ffff000800dac200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.097590] ^ [ 30.100805] ffff000800dac280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.108009] ffff000800dac300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.115211] ================================================================== [ 29.448975] ================================================================== [ 29.458801] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 29.465135] Read of size 1 at addr ffff000800dac200 by task kunit_try_catch/243 [ 29.472425] [ 29.473911] CPU: 1 UID: 0 PID: 243 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT [ 29.473968] Tainted: [B]=BAD_PAGE, [N]=TEST [ 29.473983] Hardware name: WinLink E850-96 board (DT) [ 29.474007] Call trace: [ 29.474020] show_stack+0x20/0x38 (C) [ 29.474061] dump_stack_lvl+0x8c/0xd0 [ 29.474095] print_report+0x118/0x608 [ 29.474130] kasan_report+0xdc/0x128 [ 29.474159] __kasan_check_byte+0x54/0x70 [ 29.474188] ksize+0x30/0x88 [ 29.474216] ksize_uaf+0x168/0x5f8 [ 29.474250] kunit_try_run_case+0x170/0x3f0 [ 29.474288] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.474330] kthread+0x328/0x630 [ 29.474364] ret_from_fork+0x10/0x20 [ 29.474399] [ 29.538050] Allocated by task 243: [ 29.541439] kasan_save_stack+0x3c/0x68 [ 29.545254] kasan_save_track+0x20/0x40 [ 29.549074] kasan_save_alloc_info+0x40/0x58 [ 29.553327] __kasan_kmalloc+0xd4/0xd8 [ 29.557060] __kmalloc_cache_noprof+0x16c/0x3c0 [ 29.561573] ksize_uaf+0xb8/0x5f8 [ 29.564872] kunit_try_run_case+0x170/0x3f0 [ 29.569039] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.574507] kthread+0x328/0x630 [ 29.577719] ret_from_fork+0x10/0x20 [ 29.581278] [ 29.582754] Freed by task 243: [ 29.585792] kasan_save_stack+0x3c/0x68 [ 29.589611] kasan_save_track+0x20/0x40 [ 29.593431] kasan_save_free_info+0x4c/0x78 [ 29.597597] __kasan_slab_free+0x6c/0x98 [ 29.601503] kfree+0x214/0x3c8 [ 29.604541] ksize_uaf+0x11c/0x5f8 [ 29.607928] kunit_try_run_case+0x170/0x3f0 [ 29.612094] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.617562] kthread+0x328/0x630 [ 29.620774] ret_from_fork+0x10/0x20 [ 29.624333] [ 29.625811] The buggy address belongs to the object at ffff000800dac200 [ 29.625811] which belongs to the cache kmalloc-128 of size 128 [ 29.638311] The buggy address is located 0 bytes inside of [ 29.638311] freed 128-byte region [ffff000800dac200, ffff000800dac280) [ 29.650374] [ 29.651854] The buggy address belongs to the physical page: [ 29.657409] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880dac [ 29.665395] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 29.673034] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 29.679976] page_type: f5(slab) [ 29.683112] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 29.690832] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 29.698558] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 29.706370] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 29.714182] head: 0bfffe0000000001 fffffdffe0036b01 00000000ffffffff 00000000ffffffff [ 29.721994] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 29.729800] page dumped because: kasan: bad access detected [ 29.735355] [ 29.736831] Memory state around the buggy address: [ 29.741612] ffff000800dac100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.748814] ffff000800dac180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.756020] >ffff000800dac200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.763220] ^ [ 29.766435] ffff000800dac280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.773640] ffff000800dac300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.780842] ================================================================== [ 30.122630] ================================================================== [ 30.129625] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 30.135957] Read of size 1 at addr ffff000800dac278 by task kunit_try_catch/243 [ 30.143249] [ 30.144733] CPU: 1 UID: 0 PID: 243 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT [ 30.144787] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.144802] Hardware name: WinLink E850-96 board (DT) [ 30.144820] Call trace: [ 30.144832] show_stack+0x20/0x38 (C) [ 30.144862] dump_stack_lvl+0x8c/0xd0 [ 30.144896] print_report+0x118/0x608 [ 30.144924] kasan_report+0xdc/0x128 [ 30.144951] __asan_report_load1_noabort+0x20/0x30 [ 30.144983] ksize_uaf+0x544/0x5f8 [ 30.145016] kunit_try_run_case+0x170/0x3f0 [ 30.145049] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.145087] kthread+0x328/0x630 [ 30.145120] ret_from_fork+0x10/0x20 [ 30.145152] [ 30.206789] Allocated by task 243: [ 30.210177] kasan_save_stack+0x3c/0x68 [ 30.213994] kasan_save_track+0x20/0x40 [ 30.217814] kasan_save_alloc_info+0x40/0x58 [ 30.222067] __kasan_kmalloc+0xd4/0xd8 [ 30.225800] __kmalloc_cache_noprof+0x16c/0x3c0 [ 30.230313] ksize_uaf+0xb8/0x5f8 [ 30.233612] kunit_try_run_case+0x170/0x3f0 [ 30.237779] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.243247] kthread+0x328/0x630 [ 30.246459] ret_from_fork+0x10/0x20 [ 30.250018] [ 30.251494] Freed by task 243: [ 30.254533] kasan_save_stack+0x3c/0x68 [ 30.258351] kasan_save_track+0x20/0x40 [ 30.262170] kasan_save_free_info+0x4c/0x78 [ 30.266337] __kasan_slab_free+0x6c/0x98 [ 30.270243] kfree+0x214/0x3c8 [ 30.273281] ksize_uaf+0x11c/0x5f8 [ 30.276667] kunit_try_run_case+0x170/0x3f0 [ 30.280833] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.286302] kthread+0x328/0x630 [ 30.289514] ret_from_fork+0x10/0x20 [ 30.293073] [ 30.294550] The buggy address belongs to the object at ffff000800dac200 [ 30.294550] which belongs to the cache kmalloc-128 of size 128 [ 30.307049] The buggy address is located 120 bytes inside of [ 30.307049] freed 128-byte region [ffff000800dac200, ffff000800dac280) [ 30.319288] [ 30.320763] The buggy address belongs to the physical page: [ 30.326324] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880dac [ 30.334307] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 30.341945] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 30.348889] page_type: f5(slab) [ 30.352023] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 30.359745] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 30.367471] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 30.375282] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 30.383096] head: 0bfffe0000000001 fffffdffe0036b01 00000000ffffffff 00000000ffffffff [ 30.390908] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 30.398713] page dumped because: kasan: bad access detected [ 30.404268] [ 30.405745] Memory state around the buggy address: [ 30.410525] ffff000800dac100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.417727] ffff000800dac180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.424932] >ffff000800dac200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.432133] ^ [ 30.439255] ffff000800dac280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.446459] ffff000800dac300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.453661] ==================================================================
[ 19.230386] ================================================================== [ 19.230466] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 19.230522] Read of size 1 at addr fff00000c3f75900 by task kunit_try_catch/199 [ 19.230598] [ 19.230630] CPU: 1 UID: 0 PID: 199 Comm: kunit_try_catch Tainted: G B W N 6.15.1-rc1 #1 PREEMPT [ 19.230715] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 19.230762] Hardware name: linux,dummy-virt (DT) [ 19.230794] Call trace: [ 19.230816] show_stack+0x20/0x38 (C) [ 19.230862] dump_stack_lvl+0x8c/0xd0 [ 19.230921] print_report+0x118/0x608 [ 19.230967] kasan_report+0xdc/0x128 [ 19.231029] __asan_report_load1_noabort+0x20/0x30 [ 19.231085] ksize_uaf+0x598/0x5f8 [ 19.231198] kunit_try_run_case+0x170/0x3f0 [ 19.231253] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.231314] kthread+0x328/0x630 [ 19.231378] ret_from_fork+0x10/0x20 [ 19.231455] [ 19.231523] Allocated by task 199: [ 19.231560] kasan_save_stack+0x3c/0x68 [ 19.231618] kasan_save_track+0x20/0x40 [ 19.231655] kasan_save_alloc_info+0x40/0x58 [ 19.231696] __kasan_kmalloc+0xd4/0xd8 [ 19.231733] __kmalloc_cache_noprof+0x16c/0x3c0 [ 19.231774] ksize_uaf+0xb8/0x5f8 [ 19.231821] kunit_try_run_case+0x170/0x3f0 [ 19.231860] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.231931] kthread+0x328/0x630 [ 19.231978] ret_from_fork+0x10/0x20 [ 19.232097] [ 19.232156] Freed by task 199: [ 19.232191] kasan_save_stack+0x3c/0x68 [ 19.232299] kasan_save_track+0x20/0x40 [ 19.232394] kasan_save_free_info+0x4c/0x78 [ 19.232442] __kasan_slab_free+0x6c/0x98 [ 19.232498] kfree+0x214/0x3c8 [ 19.232534] ksize_uaf+0x11c/0x5f8 [ 19.232570] kunit_try_run_case+0x170/0x3f0 [ 19.232792] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.232895] kthread+0x328/0x630 [ 19.232931] ret_from_fork+0x10/0x20 [ 19.232997] [ 19.233037] The buggy address belongs to the object at fff00000c3f75900 [ 19.233037] which belongs to the cache kmalloc-128 of size 128 [ 19.233116] The buggy address is located 0 bytes inside of [ 19.233116] freed 128-byte region [fff00000c3f75900, fff00000c3f75980) [ 19.233234] [ 19.233289] The buggy address belongs to the physical page: [ 19.233399] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103f75 [ 19.233557] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 19.233607] page_type: f5(slab) [ 19.233659] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 19.233986] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.234153] page dumped because: kasan: bad access detected [ 19.234263] [ 19.234466] Memory state around the buggy address: [ 19.234501] fff00000c3f75800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.234792] fff00000c3f75880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.234984] >fff00000c3f75900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.235121] ^ [ 19.235214] fff00000c3f75980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.235274] fff00000c3f75a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.235312] ================================================================== [ 19.236052] ================================================================== [ 19.236214] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 19.236323] Read of size 1 at addr fff00000c3f75978 by task kunit_try_catch/199 [ 19.236421] [ 19.236470] CPU: 1 UID: 0 PID: 199 Comm: kunit_try_catch Tainted: G B W N 6.15.1-rc1 #1 PREEMPT [ 19.236555] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 19.236623] Hardware name: linux,dummy-virt (DT) [ 19.236654] Call trace: [ 19.236676] show_stack+0x20/0x38 (C) [ 19.236833] dump_stack_lvl+0x8c/0xd0 [ 19.236992] print_report+0x118/0x608 [ 19.237041] kasan_report+0xdc/0x128 [ 19.237106] __asan_report_load1_noabort+0x20/0x30 [ 19.237159] ksize_uaf+0x544/0x5f8 [ 19.237206] kunit_try_run_case+0x170/0x3f0 [ 19.237262] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.237384] kthread+0x328/0x630 [ 19.237451] ret_from_fork+0x10/0x20 [ 19.237499] [ 19.237519] Allocated by task 199: [ 19.237782] kasan_save_stack+0x3c/0x68 [ 19.237832] kasan_save_track+0x20/0x40 [ 19.237917] kasan_save_alloc_info+0x40/0x58 [ 19.238044] __kasan_kmalloc+0xd4/0xd8 [ 19.238160] __kmalloc_cache_noprof+0x16c/0x3c0 [ 19.238272] ksize_uaf+0xb8/0x5f8 [ 19.238374] kunit_try_run_case+0x170/0x3f0 [ 19.238415] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.238565] kthread+0x328/0x630 [ 19.238602] ret_from_fork+0x10/0x20 [ 19.238816] [ 19.238898] Freed by task 199: [ 19.238959] kasan_save_stack+0x3c/0x68 [ 19.239003] kasan_save_track+0x20/0x40 [ 19.239045] kasan_save_free_info+0x4c/0x78 [ 19.239095] __kasan_slab_free+0x6c/0x98 [ 19.239132] kfree+0x214/0x3c8 [ 19.239170] ksize_uaf+0x11c/0x5f8 [ 19.239207] kunit_try_run_case+0x170/0x3f0 [ 19.239257] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.239304] kthread+0x328/0x630 [ 19.239340] ret_from_fork+0x10/0x20 [ 19.239386] [ 19.239405] The buggy address belongs to the object at fff00000c3f75900 [ 19.239405] which belongs to the cache kmalloc-128 of size 128 [ 19.239463] The buggy address is located 120 bytes inside of [ 19.239463] freed 128-byte region [fff00000c3f75900, fff00000c3f75980) [ 19.239524] [ 19.239543] The buggy address belongs to the physical page: [ 19.239571] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103f75 [ 19.239748] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 19.239798] page_type: f5(slab) [ 19.239836] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 19.239887] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.239927] page dumped because: kasan: bad access detected [ 19.239958] [ 19.239977] Memory state around the buggy address: [ 19.240009] fff00000c3f75800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.240126] fff00000c3f75880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.240293] >fff00000c3f75900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.240489] ^ [ 19.240576] fff00000c3f75980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.240687] fff00000c3f75a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.240728] ================================================================== [ 19.224771] ================================================================== [ 19.224913] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 19.224982] Read of size 1 at addr fff00000c3f75900 by task kunit_try_catch/199 [ 19.225039] [ 19.225087] CPU: 1 UID: 0 PID: 199 Comm: kunit_try_catch Tainted: G B W N 6.15.1-rc1 #1 PREEMPT [ 19.225195] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 19.225263] Hardware name: linux,dummy-virt (DT) [ 19.225311] Call trace: [ 19.225362] show_stack+0x20/0x38 (C) [ 19.225420] dump_stack_lvl+0x8c/0xd0 [ 19.225497] print_report+0x118/0x608 [ 19.225546] kasan_report+0xdc/0x128 [ 19.225591] __kasan_check_byte+0x54/0x70 [ 19.225748] ksize+0x30/0x88 [ 19.225830] ksize_uaf+0x168/0x5f8 [ 19.225947] kunit_try_run_case+0x170/0x3f0 [ 19.226090] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.226217] kthread+0x328/0x630 [ 19.226333] ret_from_fork+0x10/0x20 [ 19.226407] [ 19.226426] Allocated by task 199: [ 19.226455] kasan_save_stack+0x3c/0x68 [ 19.226515] kasan_save_track+0x20/0x40 [ 19.226553] kasan_save_alloc_info+0x40/0x58 [ 19.226593] __kasan_kmalloc+0xd4/0xd8 [ 19.226630] __kmalloc_cache_noprof+0x16c/0x3c0 [ 19.226674] ksize_uaf+0xb8/0x5f8 [ 19.226711] kunit_try_run_case+0x170/0x3f0 [ 19.226752] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.226951] kthread+0x328/0x630 [ 19.227084] ret_from_fork+0x10/0x20 [ 19.227164] [ 19.227198] Freed by task 199: [ 19.227225] kasan_save_stack+0x3c/0x68 [ 19.227263] kasan_save_track+0x20/0x40 [ 19.227299] kasan_save_free_info+0x4c/0x78 [ 19.227339] __kasan_slab_free+0x6c/0x98 [ 19.227527] kfree+0x214/0x3c8 [ 19.227610] ksize_uaf+0x11c/0x5f8 [ 19.227735] kunit_try_run_case+0x170/0x3f0 [ 19.227848] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.228003] kthread+0x328/0x630 [ 19.228052] ret_from_fork+0x10/0x20 [ 19.228087] [ 19.228150] The buggy address belongs to the object at fff00000c3f75900 [ 19.228150] which belongs to the cache kmalloc-128 of size 128 [ 19.228231] The buggy address is located 0 bytes inside of [ 19.228231] freed 128-byte region [fff00000c3f75900, fff00000c3f75980) [ 19.228301] [ 19.228331] The buggy address belongs to the physical page: [ 19.228383] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103f75 [ 19.228450] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 19.228505] page_type: f5(slab) [ 19.228559] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 19.228611] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.228653] page dumped because: kasan: bad access detected [ 19.228685] [ 19.228704] Memory state around the buggy address: [ 19.228761] fff00000c3f75800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.228814] fff00000c3f75880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.228867] >fff00000c3f75900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.228905] ^ [ 19.228932] fff00000c3f75980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.228986] fff00000c3f75a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.229039] ==================================================================
[ 17.189849] ================================================================== [ 17.190530] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 17.191102] Read of size 1 at addr ffff888102b31100 by task kunit_try_catch/217 [ 17.191570] [ 17.191757] CPU: 0 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT(voluntary) [ 17.191860] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.191882] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 17.191925] Call Trace: [ 17.191955] <TASK> [ 17.191996] dump_stack_lvl+0x73/0xb0 [ 17.192063] print_report+0xd1/0x650 [ 17.192116] ? __virt_addr_valid+0x1db/0x2d0 [ 17.192173] ? ksize_uaf+0x19d/0x6c0 [ 17.192221] ? kasan_complete_mode_report_info+0x64/0x200 [ 17.192260] ? ksize_uaf+0x19d/0x6c0 [ 17.192298] kasan_report+0x141/0x180 [ 17.192341] ? ksize_uaf+0x19d/0x6c0 [ 17.192390] ? ksize_uaf+0x19d/0x6c0 [ 17.192430] __kasan_check_byte+0x3d/0x50 [ 17.192480] ksize+0x20/0x60 [ 17.192519] ksize_uaf+0x19d/0x6c0 [ 17.192555] ? __pfx_ksize_uaf+0x10/0x10 [ 17.192591] ? __schedule+0x10cc/0x2b30 [ 17.192627] ? __pfx_read_tsc+0x10/0x10 [ 17.192664] ? ktime_get_ts64+0x86/0x230 [ 17.192742] kunit_try_run_case+0x1a5/0x480 [ 17.192802] ? __pfx_kunit_try_run_case+0x10/0x10 [ 17.192844] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 17.192896] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 17.192940] ? __kthread_parkme+0x82/0x180 [ 17.192981] ? preempt_count_sub+0x50/0x80 [ 17.193025] ? __pfx_kunit_try_run_case+0x10/0x10 [ 17.193066] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.193108] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 17.193152] kthread+0x337/0x6f0 [ 17.193190] ? trace_preempt_on+0x20/0xc0 [ 17.193240] ? __pfx_kthread+0x10/0x10 [ 17.193281] ? _raw_spin_unlock_irq+0x47/0x80 [ 17.193325] ? calculate_sigpending+0x7b/0xa0 [ 17.193366] ? __pfx_kthread+0x10/0x10 [ 17.193415] ret_from_fork+0x41/0x80 [ 17.193455] ? __pfx_kthread+0x10/0x10 [ 17.193492] ret_from_fork_asm+0x1a/0x30 [ 17.193549] </TASK> [ 17.193572] [ 17.205769] Allocated by task 217: [ 17.206172] kasan_save_stack+0x45/0x70 [ 17.206570] kasan_save_track+0x18/0x40 [ 17.207817] kasan_save_alloc_info+0x3b/0x50 [ 17.208245] __kasan_kmalloc+0xb7/0xc0 [ 17.208581] __kmalloc_cache_noprof+0x189/0x420 [ 17.208851] ksize_uaf+0xaa/0x6c0 [ 17.209049] kunit_try_run_case+0x1a5/0x480 [ 17.209421] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.210091] kthread+0x337/0x6f0 [ 17.210586] ret_from_fork+0x41/0x80 [ 17.210936] ret_from_fork_asm+0x1a/0x30 [ 17.211594] [ 17.211810] Freed by task 217: [ 17.212111] kasan_save_stack+0x45/0x70 [ 17.212550] kasan_save_track+0x18/0x40 [ 17.212923] kasan_save_free_info+0x3f/0x60 [ 17.213386] __kasan_slab_free+0x56/0x70 [ 17.213770] kfree+0x222/0x3f0 [ 17.214069] ksize_uaf+0x12c/0x6c0 [ 17.214546] kunit_try_run_case+0x1a5/0x480 [ 17.214804] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.215154] kthread+0x337/0x6f0 [ 17.215790] ret_from_fork+0x41/0x80 [ 17.216141] ret_from_fork_asm+0x1a/0x30 [ 17.216515] [ 17.216712] The buggy address belongs to the object at ffff888102b31100 [ 17.216712] which belongs to the cache kmalloc-128 of size 128 [ 17.217597] The buggy address is located 0 bytes inside of [ 17.217597] freed 128-byte region [ffff888102b31100, ffff888102b31180) [ 17.218343] [ 17.218484] The buggy address belongs to the physical page: [ 17.219093] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b31 [ 17.219919] flags: 0x200000000000000(node=0|zone=2) [ 17.221031] page_type: f5(slab) [ 17.221498] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 17.221798] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.222315] page dumped because: kasan: bad access detected [ 17.222609] [ 17.222729] Memory state around the buggy address: [ 17.223221] ffff888102b31000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.223773] ffff888102b31080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.224546] >ffff888102b31100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.224855] ^ [ 17.225167] ffff888102b31180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.225828] ffff888102b31200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.226103] ================================================================== [ 17.270784] ================================================================== [ 17.271134] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 17.271480] Read of size 1 at addr ffff888102b31178 by task kunit_try_catch/217 [ 17.271790] [ 17.272097] CPU: 0 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT(voluntary) [ 17.272254] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.272286] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 17.272335] Call Trace: [ 17.272378] <TASK> [ 17.272419] dump_stack_lvl+0x73/0xb0 [ 17.272494] print_report+0xd1/0x650 [ 17.272550] ? __virt_addr_valid+0x1db/0x2d0 [ 17.272604] ? ksize_uaf+0x5e4/0x6c0 [ 17.272651] ? kasan_complete_mode_report_info+0x64/0x200 [ 17.272701] ? ksize_uaf+0x5e4/0x6c0 [ 17.272760] kasan_report+0x141/0x180 [ 17.272815] ? ksize_uaf+0x5e4/0x6c0 [ 17.272872] __asan_report_load1_noabort+0x18/0x20 [ 17.272911] ksize_uaf+0x5e4/0x6c0 [ 17.272953] ? __pfx_ksize_uaf+0x10/0x10 [ 17.272999] ? __schedule+0x10cc/0x2b30 [ 17.273044] ? __pfx_read_tsc+0x10/0x10 [ 17.273125] ? ktime_get_ts64+0x86/0x230 [ 17.273189] kunit_try_run_case+0x1a5/0x480 [ 17.273237] ? __pfx_kunit_try_run_case+0x10/0x10 [ 17.273273] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 17.273312] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 17.273350] ? __kthread_parkme+0x82/0x180 [ 17.273389] ? preempt_count_sub+0x50/0x80 [ 17.273432] ? __pfx_kunit_try_run_case+0x10/0x10 [ 17.273472] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.273510] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 17.273549] kthread+0x337/0x6f0 [ 17.273578] ? trace_preempt_on+0x20/0xc0 [ 17.273623] ? __pfx_kthread+0x10/0x10 [ 17.273656] ? _raw_spin_unlock_irq+0x47/0x80 [ 17.273692] ? calculate_sigpending+0x7b/0xa0 [ 17.273902] ? __pfx_kthread+0x10/0x10 [ 17.273950] ret_from_fork+0x41/0x80 [ 17.273998] ? __pfx_kthread+0x10/0x10 [ 17.274036] ret_from_fork_asm+0x1a/0x30 [ 17.274104] </TASK> [ 17.274238] [ 17.287886] Allocated by task 217: [ 17.288526] kasan_save_stack+0x45/0x70 [ 17.288961] kasan_save_track+0x18/0x40 [ 17.289409] kasan_save_alloc_info+0x3b/0x50 [ 17.289638] __kasan_kmalloc+0xb7/0xc0 [ 17.289985] __kmalloc_cache_noprof+0x189/0x420 [ 17.291087] ksize_uaf+0xaa/0x6c0 [ 17.291321] kunit_try_run_case+0x1a5/0x480 [ 17.291581] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.292021] kthread+0x337/0x6f0 [ 17.292254] ret_from_fork+0x41/0x80 [ 17.292504] ret_from_fork_asm+0x1a/0x30 [ 17.292729] [ 17.293386] Freed by task 217: [ 17.293675] kasan_save_stack+0x45/0x70 [ 17.293962] kasan_save_track+0x18/0x40 [ 17.295041] kasan_save_free_info+0x3f/0x60 [ 17.295441] __kasan_slab_free+0x56/0x70 [ 17.295691] kfree+0x222/0x3f0 [ 17.296089] ksize_uaf+0x12c/0x6c0 [ 17.296671] kunit_try_run_case+0x1a5/0x480 [ 17.297075] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.297505] kthread+0x337/0x6f0 [ 17.297846] ret_from_fork+0x41/0x80 [ 17.298160] ret_from_fork_asm+0x1a/0x30 [ 17.298439] [ 17.298574] The buggy address belongs to the object at ffff888102b31100 [ 17.298574] which belongs to the cache kmalloc-128 of size 128 [ 17.299191] The buggy address is located 120 bytes inside of [ 17.299191] freed 128-byte region [ffff888102b31100, ffff888102b31180) [ 17.301186] [ 17.301323] The buggy address belongs to the physical page: [ 17.301643] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b31 [ 17.302077] flags: 0x200000000000000(node=0|zone=2) [ 17.302744] page_type: f5(slab) [ 17.303034] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 17.303499] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.304176] page dumped because: kasan: bad access detected [ 17.305294] [ 17.305426] Memory state around the buggy address: [ 17.305648] ffff888102b31000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.306239] ffff888102b31080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.306812] >ffff888102b31100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.307969] ^ [ 17.308624] ffff888102b31180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.308874] ffff888102b31200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.309108] ================================================================== [ 17.228926] ================================================================== [ 17.229472] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 17.229802] Read of size 1 at addr ffff888102b31100 by task kunit_try_catch/217 [ 17.230507] [ 17.231189] CPU: 0 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT(voluntary) [ 17.231481] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.231511] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 17.231560] Call Trace: [ 17.231599] <TASK> [ 17.231643] dump_stack_lvl+0x73/0xb0 [ 17.231713] print_report+0xd1/0x650 [ 17.231765] ? __virt_addr_valid+0x1db/0x2d0 [ 17.231805] ? ksize_uaf+0x5fe/0x6c0 [ 17.231838] ? kasan_complete_mode_report_info+0x64/0x200 [ 17.231875] ? ksize_uaf+0x5fe/0x6c0 [ 17.231911] kasan_report+0x141/0x180 [ 17.231946] ? ksize_uaf+0x5fe/0x6c0 [ 17.231990] __asan_report_load1_noabort+0x18/0x20 [ 17.232026] ksize_uaf+0x5fe/0x6c0 [ 17.232061] ? __pfx_ksize_uaf+0x10/0x10 [ 17.232103] ? __schedule+0x10cc/0x2b30 [ 17.232148] ? __pfx_read_tsc+0x10/0x10 [ 17.232192] ? ktime_get_ts64+0x86/0x230 [ 17.232246] kunit_try_run_case+0x1a5/0x480 [ 17.232290] ? __pfx_kunit_try_run_case+0x10/0x10 [ 17.232328] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 17.232373] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 17.232400] ? __kthread_parkme+0x82/0x180 [ 17.232426] ? preempt_count_sub+0x50/0x80 [ 17.232455] ? __pfx_kunit_try_run_case+0x10/0x10 [ 17.232481] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.232507] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 17.232532] kthread+0x337/0x6f0 [ 17.232552] ? trace_preempt_on+0x20/0xc0 [ 17.232579] ? __pfx_kthread+0x10/0x10 [ 17.232600] ? _raw_spin_unlock_irq+0x47/0x80 [ 17.232623] ? calculate_sigpending+0x7b/0xa0 [ 17.232648] ? __pfx_kthread+0x10/0x10 [ 17.232668] ret_from_fork+0x41/0x80 [ 17.232692] ? __pfx_kthread+0x10/0x10 [ 17.232712] ret_from_fork_asm+0x1a/0x30 [ 17.232770] </TASK> [ 17.232793] [ 17.246789] Allocated by task 217: [ 17.247190] kasan_save_stack+0x45/0x70 [ 17.247457] kasan_save_track+0x18/0x40 [ 17.247790] kasan_save_alloc_info+0x3b/0x50 [ 17.248109] __kasan_kmalloc+0xb7/0xc0 [ 17.248481] __kmalloc_cache_noprof+0x189/0x420 [ 17.249236] ksize_uaf+0xaa/0x6c0 [ 17.249449] kunit_try_run_case+0x1a5/0x480 [ 17.250147] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.250655] kthread+0x337/0x6f0 [ 17.251468] ret_from_fork+0x41/0x80 [ 17.251742] ret_from_fork_asm+0x1a/0x30 [ 17.251971] [ 17.252096] Freed by task 217: [ 17.252692] kasan_save_stack+0x45/0x70 [ 17.252942] kasan_save_track+0x18/0x40 [ 17.253263] kasan_save_free_info+0x3f/0x60 [ 17.254072] __kasan_slab_free+0x56/0x70 [ 17.254837] kfree+0x222/0x3f0 [ 17.255327] ksize_uaf+0x12c/0x6c0 [ 17.255598] kunit_try_run_case+0x1a5/0x480 [ 17.256195] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.256444] kthread+0x337/0x6f0 [ 17.256789] ret_from_fork+0x41/0x80 [ 17.257162] ret_from_fork_asm+0x1a/0x30 [ 17.257502] [ 17.257604] The buggy address belongs to the object at ffff888102b31100 [ 17.257604] which belongs to the cache kmalloc-128 of size 128 [ 17.258549] The buggy address is located 0 bytes inside of [ 17.258549] freed 128-byte region [ffff888102b31100, ffff888102b31180) [ 17.259494] [ 17.259715] The buggy address belongs to the physical page: [ 17.260572] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b31 [ 17.261471] flags: 0x200000000000000(node=0|zone=2) [ 17.262316] page_type: f5(slab) [ 17.262655] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 17.263402] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 17.264026] page dumped because: kasan: bad access detected [ 17.264583] [ 17.264787] Memory state around the buggy address: [ 17.265168] ffff888102b31000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.266395] ffff888102b31080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.266793] >ffff888102b31100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 17.267549] ^ [ 17.267785] ffff888102b31180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.268260] ffff888102b31200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.268679] ==================================================================