Date
June 24, 2025, 12:47 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

[ 24.357077] ==================================================================
[ 24.357177] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 24.357293] Read of size 1 at addr fff00000c59ef578 by task kunit_try_catch/198
[ 24.357432]
[ 24.357503] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc2 #1 PREEMPT
[ 24.357697] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.357758] Hardware name: linux,dummy-virt (DT)
[ 24.357830] Call trace:
[ 24.357878]  show_stack+0x20/0x38 (C)
[ 24.357996]  dump_stack_lvl+0x8c/0xd0
[ 24.358113]  print_report+0x118/0x608
[ 24.358238]  kasan_report+0xdc/0x128
[ 24.358461]  __asan_report_load1_noabort+0x20/0x30
[ 24.358605]  ksize_uaf+0x544/0x5f8
[ 24.359299]  kunit_try_run_case+0x170/0x3f0
[ 24.359491]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.359725]  kthread+0x328/0x630
[ 24.359931]  ret_from_fork+0x10/0x20
[ 24.360135]
[ 24.360180] Allocated by task 198:
[ 24.360328]  kasan_save_stack+0x3c/0x68
[ 24.360467]  kasan_save_track+0x20/0x40
[ 24.361048]  kasan_save_alloc_info+0x40/0x58
[ 24.361169]  __kasan_kmalloc+0xd4/0xd8
[ 24.361421]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 24.361624]  ksize_uaf+0xb8/0x5f8
[ 24.361717]  kunit_try_run_case+0x170/0x3f0
[ 24.361813]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.361920]  kthread+0x328/0x630
[ 24.363539]  ret_from_fork+0x10/0x20
[ 24.363643]
[ 24.364737] Freed by task 198:
[ 24.364910]  kasan_save_stack+0x3c/0x68
[ 24.365412]  kasan_save_track+0x20/0x40
[ 24.365996]  kasan_save_free_info+0x4c/0x78
[ 24.366121]  __kasan_slab_free+0x6c/0x98
[ 24.366575]  kfree+0x214/0x3c8
[ 24.366973]  ksize_uaf+0x11c/0x5f8
[ 24.367276]  kunit_try_run_case+0x170/0x3f0
[ 24.367814]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.368144]  kthread+0x328/0x630
[ 24.368252]  ret_from_fork+0x10/0x20
[ 24.368364]
[ 24.368435] The buggy address belongs to the object at fff00000c59ef500
[ 24.368435]  which belongs to the cache kmalloc-128 of size 128
[ 24.368658] The buggy address is located 120 bytes inside of
[ 24.368658]  freed 128-byte region [fff00000c59ef500, fff00000c59ef580)
[ 24.368819]
[ 24.368871] The buggy address belongs to the physical page:
[ 24.369106] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059ef
[ 24.369254] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 24.369410] page_type: f5(slab)
[ 24.369589] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 24.369732] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 24.370326] page dumped because: kasan: bad access detected
[ 24.370653]
[ 24.370747] Memory state around the buggy address:
[ 24.370832]  fff00000c59ef400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.371168]  fff00000c59ef480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.372009] >fff00000c59ef500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.372602]                                                                 ^
[ 24.372711]  fff00000c59ef580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.372827]  fff00000c59ef600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.373128] ==================================================================
[ 24.341669] ==================================================================
[ 24.341770] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 24.341900] Read of size 1 at addr fff00000c59ef500 by task kunit_try_catch/198
[ 24.342144]
[ 24.342226] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc2 #1 PREEMPT
[ 24.343182] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.343268] Hardware name: linux,dummy-virt (DT)
[ 24.343548] Call trace:
[ 24.343617]  show_stack+0x20/0x38 (C)
[ 24.344394]  dump_stack_lvl+0x8c/0xd0
[ 24.344602]  print_report+0x118/0x608
[ 24.344938]  kasan_report+0xdc/0x128
[ 24.345177]  __asan_report_load1_noabort+0x20/0x30
[ 24.345401]  ksize_uaf+0x598/0x5f8
[ 24.345530]  kunit_try_run_case+0x170/0x3f0
[ 24.345687]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.345856]  kthread+0x328/0x630
[ 24.346015]  ret_from_fork+0x10/0x20
[ 24.346329]
[ 24.346824] Allocated by task 198:
[ 24.346910]  kasan_save_stack+0x3c/0x68
[ 24.347014]  kasan_save_track+0x20/0x40
[ 24.347106]  kasan_save_alloc_info+0x40/0x58
[ 24.347202]  __kasan_kmalloc+0xd4/0xd8
[ 24.347297]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 24.347427]  ksize_uaf+0xb8/0x5f8
[ 24.347543]  kunit_try_run_case+0x170/0x3f0
[ 24.347792]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.348236]  kthread+0x328/0x630
[ 24.348421]  ret_from_fork+0x10/0x20
[ 24.348963]
[ 24.349189] Freed by task 198:
[ 24.349376]  kasan_save_stack+0x3c/0x68
[ 24.349751]  kasan_save_track+0x20/0x40
[ 24.349970]  kasan_save_free_info+0x4c/0x78
[ 24.350677]  __kasan_slab_free+0x6c/0x98
[ 24.350799]  kfree+0x214/0x3c8
[ 24.350896]  ksize_uaf+0x11c/0x5f8
[ 24.351599]  kunit_try_run_case+0x170/0x3f0
[ 24.351888]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.352291]  kthread+0x328/0x630
[ 24.352634]  ret_from_fork+0x10/0x20
[ 24.352743]
[ 24.352891] The buggy address belongs to the object at fff00000c59ef500
[ 24.352891]  which belongs to the cache kmalloc-128 of size 128
[ 24.353059] The buggy address is located 0 bytes inside of
[ 24.353059]  freed 128-byte region [fff00000c59ef500, fff00000c59ef580)
[ 24.353237]
[ 24.353289] The buggy address belongs to the physical page:
[ 24.353499] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059ef
[ 24.353650] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 24.353993] page_type: f5(slab)
[ 24.354193] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 24.354326] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 24.354469] page dumped because: kasan: bad access detected
[ 24.354588]
[ 24.354641] Memory state around the buggy address:
[ 24.354734]  fff00000c59ef400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.354860]  fff00000c59ef480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.355007] >fff00000c59ef500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.355144]                    ^
[ 24.355222]  fff00000c59ef580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.355345]  fff00000c59ef600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.355459] ==================================================================
[ 24.322895] ==================================================================
[ 24.323035] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 24.323227] Read of size 1 at addr fff00000c59ef500 by task kunit_try_catch/198
[ 24.323536]
[ 24.323613] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc2 #1 PREEMPT
[ 24.324155] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.324242] Hardware name: linux,dummy-virt (DT)
[ 24.324339] Call trace:
[ 24.324437]  show_stack+0x20/0x38 (C)
[ 24.324593]  dump_stack_lvl+0x8c/0xd0
[ 24.324904]  print_report+0x118/0x608
[ 24.325031]  kasan_report+0xdc/0x128
[ 24.325147]  __kasan_check_byte+0x54/0x70
[ 24.325309]  ksize+0x30/0x88
[ 24.325533]  ksize_uaf+0x168/0x5f8
[ 24.325654]  kunit_try_run_case+0x170/0x3f0
[ 24.325786]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.325965]  kthread+0x328/0x630
[ 24.326300]  ret_from_fork+0x10/0x20
[ 24.326677]
[ 24.326931] Allocated by task 198:
[ 24.327019]  kasan_save_stack+0x3c/0x68
[ 24.327172]  kasan_save_track+0x20/0x40
[ 24.327270]  kasan_save_alloc_info+0x40/0x58
[ 24.327531]  __kasan_kmalloc+0xd4/0xd8
[ 24.327626]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 24.327732]  ksize_uaf+0xb8/0x5f8
[ 24.328006]  kunit_try_run_case+0x170/0x3f0
[ 24.328249]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.328435]  kthread+0x328/0x630
[ 24.328623]  ret_from_fork+0x10/0x20
[ 24.328729]
[ 24.328787] Freed by task 198:
[ 24.328867]  kasan_save_stack+0x3c/0x68
[ 24.329005]  kasan_save_track+0x20/0x40
[ 24.329190]  kasan_save_free_info+0x4c/0x78
[ 24.329397]  __kasan_slab_free+0x6c/0x98
[ 24.329558]  kfree+0x214/0x3c8
[ 24.329721]  ksize_uaf+0x11c/0x5f8
[ 24.329838]  kunit_try_run_case+0x170/0x3f0
[ 24.329940]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.330115]  kthread+0x328/0x630
[ 24.330571]  ret_from_fork+0x10/0x20
[ 24.330680]
[ 24.330737] The buggy address belongs to the object at fff00000c59ef500
[ 24.330737]  which belongs to the cache kmalloc-128 of size 128
[ 24.331872] The buggy address is located 0 bytes inside of
[ 24.331872]  freed 128-byte region [fff00000c59ef500, fff00000c59ef580)
[ 24.332632]
[ 24.332797] The buggy address belongs to the physical page:
[ 24.333746] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059ef
[ 24.334724] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 24.334845] page_type: f5(slab)
[ 24.335193] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 24.336056] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 24.336455] page dumped because: kasan: bad access detected
[ 24.336543]
[ 24.336592] Memory state around the buggy address:
[ 24.337375]  fff00000c59ef400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.337698]  fff00000c59ef480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.337812] >fff00000c59ef500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.337938]                    ^
[ 24.338101]  fff00000c59ef580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.338213]  fff00000c59ef600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.338325] ==================================================================
qemu-x86_64:

[ 12.325222] ==================================================================
[ 12.326180] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 12.326668] Read of size 1 at addr ffff8881029da400 by task kunit_try_catch/216
[ 12.327185]
[ 12.327320] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc2 #1 PREEMPT(voluntary)
[ 12.327409] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.327430] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.327469] Call Trace:
[ 12.327508]  <TASK>
[ 12.327561]  dump_stack_lvl+0x73/0xb0
[ 12.327969]  print_report+0xd1/0x650
[ 12.328059]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.328104]  ? ksize_uaf+0x5fe/0x6c0
[ 12.328126]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.328147]  ? ksize_uaf+0x5fe/0x6c0
[ 12.328167]  kasan_report+0x141/0x180
[ 12.328187]  ? ksize_uaf+0x5fe/0x6c0
[ 12.328211]  __asan_report_load1_noabort+0x18/0x20
[ 12.328230]  ksize_uaf+0x5fe/0x6c0
[ 12.328249]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.328269]  ? __schedule+0x10cc/0x2b60
[ 12.328291]  ? __pfx_read_tsc+0x10/0x10
[ 12.328309]  ? ktime_get_ts64+0x86/0x230
[ 12.328333]  kunit_try_run_case+0x1a5/0x480
[ 12.328357]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.328376]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.328397]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.328418]  ? __kthread_parkme+0x82/0x180
[ 12.328438]  ? preempt_count_sub+0x50/0x80
[ 12.328461]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.328482]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.328502]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.328522]  kthread+0x337/0x6f0
[ 12.328546]  ? trace_preempt_on+0x20/0xc0
[ 12.328571]  ? __pfx_kthread+0x10/0x10
[ 12.328588]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.328607]  ? calculate_sigpending+0x7b/0xa0
[ 12.328646]  ? __pfx_kthread+0x10/0x10
[ 12.328666]  ret_from_fork+0x41/0x80
[ 12.328685]  ? __pfx_kthread+0x10/0x10
[ 12.328701]  ret_from_fork_asm+0x1a/0x30
[ 12.328732]  </TASK>
[ 12.328744]
[ 12.338523] Allocated by task 216:
[ 12.339956]  kasan_save_stack+0x45/0x70
[ 12.340271]  kasan_save_track+0x18/0x40
[ 12.340529]  kasan_save_alloc_info+0x3b/0x50
[ 12.340770]  __kasan_kmalloc+0xb7/0xc0
[ 12.340973]  __kmalloc_cache_noprof+0x189/0x420
[ 12.341153]  ksize_uaf+0xaa/0x6c0
[ 12.341307]  kunit_try_run_case+0x1a5/0x480
[ 12.341858]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.342380]  kthread+0x337/0x6f0
[ 12.342693]  ret_from_fork+0x41/0x80
[ 12.342969]  ret_from_fork_asm+0x1a/0x30
[ 12.343188]
[ 12.343320] Freed by task 216:
[ 12.343524]  kasan_save_stack+0x45/0x70
[ 12.344279]  kasan_save_track+0x18/0x40
[ 12.344787]  kasan_save_free_info+0x3f/0x60
[ 12.344983]  __kasan_slab_free+0x56/0x70
[ 12.345237]  kfree+0x222/0x3f0
[ 12.345579]  ksize_uaf+0x12c/0x6c0
[ 12.345753]  kunit_try_run_case+0x1a5/0x480
[ 12.345983]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.346182]  kthread+0x337/0x6f0
[ 12.346332]  ret_from_fork+0x41/0x80
[ 12.346507]  ret_from_fork_asm+0x1a/0x30
[ 12.346820]
[ 12.347200] The buggy address belongs to the object at ffff8881029da400
[ 12.347200]  which belongs to the cache kmalloc-128 of size 128
[ 12.348325] The buggy address is located 0 bytes inside of
[ 12.348325]  freed 128-byte region [ffff8881029da400, ffff8881029da480)
[ 12.349077]
[ 12.349189] The buggy address belongs to the physical page:
[ 12.349406] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029da
[ 12.350683] flags: 0x200000000000000(node=0|zone=2)
[ 12.351049] page_type: f5(slab)
[ 12.351221] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.351461] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.352006] page dumped because: kasan: bad access detected
[ 12.352375]
[ 12.352525] Memory state around the buggy address:
[ 12.353075]  ffff8881029da300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.353319]  ffff8881029da380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.353745] >ffff8881029da400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.354183]                    ^
[ 12.355015]  ffff8881029da480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.355374]  ffff8881029da500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.355809] ==================================================================
[ 12.356808] ==================================================================
[ 12.357473] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 12.357889] Read of size 1 at addr ffff8881029da478 by task kunit_try_catch/216
[ 12.358531]
[ 12.359333] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc2 #1 PREEMPT(voluntary)
[ 12.359441] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.359462] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.359495] Call Trace:
[ 12.359536]  <TASK>
[ 12.359573]  dump_stack_lvl+0x73/0xb0
[ 12.359652]  print_report+0xd1/0x650
[ 12.359700]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.359734]  ? ksize_uaf+0x5e4/0x6c0
[ 12.359768]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.359805]  ? ksize_uaf+0x5e4/0x6c0
[ 12.359837]  kasan_report+0x141/0x180
[ 12.359871]  ? ksize_uaf+0x5e4/0x6c0
[ 12.359910]  __asan_report_load1_noabort+0x18/0x20
[ 12.359945]  ksize_uaf+0x5e4/0x6c0
[ 12.359983]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.360020]  ? __schedule+0x10cc/0x2b60
[ 12.360054]  ? __pfx_read_tsc+0x10/0x10
[ 12.360089]  ? ktime_get_ts64+0x86/0x230
[ 12.360132]  kunit_try_run_case+0x1a5/0x480
[ 12.360177]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.360217]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.360258]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.360294]  ? __kthread_parkme+0x82/0x180
[ 12.360333]  ? preempt_count_sub+0x50/0x80
[ 12.360375]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.360411]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.360452]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.360489]  kthread+0x337/0x6f0
[ 12.360522]  ? trace_preempt_on+0x20/0xc0
[ 12.360574]  ? __pfx_kthread+0x10/0x10
[ 12.360606]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.360660]  ? calculate_sigpending+0x7b/0xa0
[ 12.360696]  ? __pfx_kthread+0x10/0x10
[ 12.360730]  ret_from_fork+0x41/0x80
[ 12.360767]  ? __pfx_kthread+0x10/0x10
[ 12.360802]  ret_from_fork_asm+0x1a/0x30
[ 12.360858]  </TASK>
[ 12.360879]
[ 12.371132] Allocated by task 216:
[ 12.371432]  kasan_save_stack+0x45/0x70
[ 12.372298]  kasan_save_track+0x18/0x40
[ 12.372460]  kasan_save_alloc_info+0x3b/0x50
[ 12.372866]  __kasan_kmalloc+0xb7/0xc0
[ 12.373316]  __kmalloc_cache_noprof+0x189/0x420
[ 12.373973]  ksize_uaf+0xaa/0x6c0
[ 12.374374]  kunit_try_run_case+0x1a5/0x480
[ 12.374894]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.375212]  kthread+0x337/0x6f0
[ 12.375505]  ret_from_fork+0x41/0x80
[ 12.376392]  ret_from_fork_asm+0x1a/0x30
[ 12.376904]
[ 12.377084] Freed by task 216:
[ 12.377258]  kasan_save_stack+0x45/0x70
[ 12.377731]  kasan_save_track+0x18/0x40
[ 12.377998]  kasan_save_free_info+0x3f/0x60
[ 12.378310]  __kasan_slab_free+0x56/0x70
[ 12.378677]  kfree+0x222/0x3f0
[ 12.379030]  ksize_uaf+0x12c/0x6c0
[ 12.379849]  kunit_try_run_case+0x1a5/0x480
[ 12.380172]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.380820]  kthread+0x337/0x6f0
[ 12.380973]  ret_from_fork+0x41/0x80
[ 12.381221]  ret_from_fork_asm+0x1a/0x30
[ 12.381453]
[ 12.381546] The buggy address belongs to the object at ffff8881029da400
[ 12.381546]  which belongs to the cache kmalloc-128 of size 128
[ 12.382213] The buggy address is located 120 bytes inside of
[ 12.382213]  freed 128-byte region [ffff8881029da400, ffff8881029da480)
[ 12.383398]
[ 12.383500] The buggy address belongs to the physical page:
[ 12.383670] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029da
[ 12.383962] flags: 0x200000000000000(node=0|zone=2)
[ 12.384871] page_type: f5(slab)
[ 12.385443] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.386067] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.386679] page dumped because: kasan: bad access detected
[ 12.387072]
[ 12.387252] Memory state around the buggy address:
[ 12.387669]  ffff8881029da300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.388441]  ffff8881029da380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.389215] >ffff8881029da400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.389648]                                                                 ^
[ 12.390364]  ffff8881029da480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.390779]  ffff8881029da500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.391209] ==================================================================
[ 12.290731] ==================================================================
[ 12.291181] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 12.291897] Read of size 1 at addr ffff8881029da400 by task kunit_try_catch/216
[ 12.292283]
[ 12.292478] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc2 #1 PREEMPT(voluntary)
[ 12.292574] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.292599] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.292657] Call Trace:
[ 12.292679]  <TASK>
[ 12.292709]  dump_stack_lvl+0x73/0xb0
[ 12.292747]  print_report+0xd1/0x650
[ 12.292770]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.292793]  ? ksize_uaf+0x19d/0x6c0
[ 12.292813]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.292834]  ? ksize_uaf+0x19d/0x6c0
[ 12.292854]  kasan_report+0x141/0x180
[ 12.292875]  ? ksize_uaf+0x19d/0x6c0
[ 12.292898]  ? ksize_uaf+0x19d/0x6c0
[ 12.292918]  __kasan_check_byte+0x3d/0x50
[ 12.292939]  ksize+0x20/0x60
[ 12.292959]  ksize_uaf+0x19d/0x6c0
[ 12.292979]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.293000]  ? __schedule+0x10cc/0x2b60
[ 12.293023]  ? __pfx_read_tsc+0x10/0x10
[ 12.293043]  ? ktime_get_ts64+0x86/0x230
[ 12.293068]  kunit_try_run_case+0x1a5/0x480
[ 12.293093]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.293113]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.293136]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.293157]  ? __kthread_parkme+0x82/0x180
[ 12.293179]  ? preempt_count_sub+0x50/0x80
[ 12.293204]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.293225]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.293246]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.293267]  kthread+0x337/0x6f0
[ 12.293287]  ? trace_preempt_on+0x20/0xc0
[ 12.293324]  ? __pfx_kthread+0x10/0x10
[ 12.293350]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.293385]  ? calculate_sigpending+0x7b/0xa0
[ 12.293414]  ? __pfx_kthread+0x10/0x10
[ 12.293440]  ret_from_fork+0x41/0x80
[ 12.293472]  ? __pfx_kthread+0x10/0x10
[ 12.293502]  ret_from_fork_asm+0x1a/0x30
[ 12.293557]  </TASK>
[ 12.293577]
[ 12.306838] Allocated by task 216:
[ 12.307388]  kasan_save_stack+0x45/0x70
[ 12.307850]  kasan_save_track+0x18/0x40
[ 12.308248]  kasan_save_alloc_info+0x3b/0x50
[ 12.308653]  __kasan_kmalloc+0xb7/0xc0
[ 12.308939]  __kmalloc_cache_noprof+0x189/0x420
[ 12.309181]  ksize_uaf+0xaa/0x6c0
[ 12.309388]  kunit_try_run_case+0x1a5/0x480
[ 12.309711]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.310088]  kthread+0x337/0x6f0
[ 12.310261]  ret_from_fork+0x41/0x80
[ 12.310518]  ret_from_fork_asm+0x1a/0x30
[ 12.310960]
[ 12.311078] Freed by task 216:
[ 12.311330]  kasan_save_stack+0x45/0x70
[ 12.312590]  kasan_save_track+0x18/0x40
[ 12.312902]  kasan_save_free_info+0x3f/0x60
[ 12.313062]  __kasan_slab_free+0x56/0x70
[ 12.313494]  kfree+0x222/0x3f0
[ 12.313759]  ksize_uaf+0x12c/0x6c0
[ 12.313905]  kunit_try_run_case+0x1a5/0x480
[ 12.314083]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.314668]  kthread+0x337/0x6f0
[ 12.314949]  ret_from_fork+0x41/0x80
[ 12.315204]  ret_from_fork_asm+0x1a/0x30
[ 12.315938]
[ 12.316062] The buggy address belongs to the object at ffff8881029da400
[ 12.316062]  which belongs to the cache kmalloc-128 of size 128
[ 12.317075] The buggy address is located 0 bytes inside of
[ 12.317075]  freed 128-byte region [ffff8881029da400, ffff8881029da480)
[ 12.317728]
[ 12.317898] The buggy address belongs to the physical page:
[ 12.318420] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029da
[ 12.318828] flags: 0x200000000000000(node=0|zone=2)
[ 12.319179] page_type: f5(slab)
[ 12.319412] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.319717] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.320184] page dumped because: kasan: bad access detected
[ 12.320530]
[ 12.320938] Memory state around the buggy address:
[ 12.321265]  ffff8881029da300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.322063]  ffff8881029da380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.322462] >ffff8881029da400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.323313]                    ^
[ 12.323531]  ffff8881029da480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.323949]  ffff8881029da500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.324211] ==================================================================
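All six splats above come from one KUnit case, ksize_uaf, and read the same way: a kmalloc-128 object allocated and then freed inside ksize_uaf, followed by a one-byte read of the freed object at offset 0 (once through ksize(), whose __kasan_check_byte raises the report, and once directly) and at offset 120. On a CI dashboard the question is therefore not whether this is a bug but whether every KASAN report in the log is one the self-test meant to trigger. The following is an added example, not code from this page, from the kernel or from the dashboard that produced it: it splits a boot log into KASAN reports, extracts the fields a reviewer checks (bug class, faulting function, access, slab cache, offset, allocating and freeing caller) and marks a report expected only when all of those callers are named self-test cases. The sample log is constructed: one report condensed from the qemu-x86_64 output above and one invented report from a hypothetical frob_drv_* driver. The list of KASAN-internal and allocator frame prefixes is an assumption and would need extending for other allocator entry points.

```python
# Added example: triage KASAN splats in a KUnit boot log (split, parse, flag unexpected).
from __future__ import annotations
import re
from dataclasses import dataclass

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
SEP = re.compile(r"^(?:\[[^\]]*\])? *=+ *$", re.M)  # the all-'=' lines around a splat
HEADER = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<access>(?:Read|Write) of size \d+) at addr [0-9a-f]+")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size \d+")
OFFSET = re.compile(r"located (?P<off>\d+) bytes (?:inside of|to the (?:left|right) of)")
FRAME = re.compile(r"^(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Assumed list of KASAN/allocator frames that sit above the real caller in alloc/free stacks.
INTERNAL = ("kasan_", "__kasan_", "__kmalloc", "kmem_cache_alloc", "__kmem_cache")
INTERNAL_EXACT = {"kfree", "kvfree", "kmem_cache_free"}

@dataclass
class KasanReport:
    bug: str             # e.g. "slab-use-after-free"
    func: str            # function containing the bad access
    access: str          # e.g. "Read of size 1"
    cache: str = ""      # slab cache the object came from, e.g. "kmalloc-128"
    offset: int = -1     # byte offset of the access relative to the object start
    alloc_by: str = ""   # first non-internal frame of the "Allocated by task" stack
    freed_by: str = ""   # first non-internal frame of the "Freed by task" stack
    expected: bool = False

def split_reports(log: str) -> list[list[str]]:
    """Splats sit between SEP lines, so the odd-numbered chunks after splitting are reports."""
    chunks = SEP.split(log)
    return [[TS.sub("", ln).strip() for ln in c.splitlines()] for c in chunks[1::2]]

def first_caller(lines: list[str], header: str) -> str:
    """First non-internal frame of the stack under `header`, or "" if there is none."""
    it = iter(lines)
    any(ln.startswith(header) for ln in it)  # consume up to and including the header
    for line in it:
        m = FRAME.match(line)
        if not m:                            # first non-frame line ends the stack
            break
        if not (m["sym"].startswith(INTERNAL) or m["sym"] in INTERNAL_EXACT):
            return m["sym"]
    return ""

def parse_report(lines: list[str]) -> KasanReport | None:
    text = "\n".join(lines)
    h, a = HEADER.search(text), ACCESS.search(text)
    if not (h and a):
        return None                          # not an access report we know how to read
    r = KasanReport(h["bug"], h["func"], a["access"])
    if m := CACHE.search(text):
        r.cache = m["cache"]
    if m := OFFSET.search(text):
        r.offset = int(m["off"])
    r.alloc_by = first_caller(lines, "Allocated by task")
    r.freed_by = first_caller(lines, "Freed by task")
    return r

def triage(log: str, expected_tests: set[str]) -> list[KasanReport]:
    """A splat is expected only if every attributable site is a named self-test case."""
    out = []
    for lines in split_reports(log):
        if r := parse_report(lines):
            sites = {r.func, r.alloc_by, r.freed_by} - {""}
            r.expected = sites <= expected_tests
            out.append(r)
    return out

# Constructed sample input. The first splat is condensed from the qemu-x86_64 log
# above; the second is invented (frob_drv_* is a hypothetical driver, not a real
# kernel symbol) so the triage has one report it must not wave through.
SAMPLE_LOG = """\
[   12.356808] ==================================================================
[   12.357473] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   12.357889] Read of size 1 at addr ffff8881029da478 by task kunit_try_catch/216
[   12.371132] Allocated by task 216:
[   12.372866]  __kasan_kmalloc+0xb7/0xc0
[   12.373316]  __kmalloc_cache_noprof+0x189/0x420
[   12.373973]  ksize_uaf+0xaa/0x6c0
[   12.377084] Freed by task 216:
[   12.378310]  __kasan_slab_free+0x56/0x70
[   12.378677]  kfree+0x222/0x3f0
[   12.379030]  ksize_uaf+0x12c/0x6c0
[   12.381546]  which belongs to the cache kmalloc-128 of size 128
[   12.382213] The buggy address is located 120 bytes inside of
[   12.391209] ==================================================================
[   99.100000] ==================================================================
[   99.100001] BUG: KASAN: slab-use-after-free in frob_drv_poll+0x2c/0x90
[   99.100002] Write of size 8 at addr ffff888103ab2040 by task frobd/1234
[   99.100003] Allocated by task 1234:
[   99.100004]  __kmalloc_cache_noprof+0x189/0x420
[   99.100005]  frob_drv_open+0x55/0x120
[   99.100006] Freed by task 1234:
[   99.100007]  kfree+0x222/0x3f0
[   99.100008]  frob_drv_release+0x40/0x90
[   99.100009]  which belongs to the cache kmalloc-128 of size 128
[   99.100010] The buggy address is located 64 bytes inside of
[   99.100011] ==================================================================
"""
```

Running `triage(SAMPLE_LOG, {"ksize_uaf"})` returns two records: the ksize_uaf one with offset 120 and both callers attributed to the test, marked expected, and the frob_drv_poll one marked unexpected because its allocation and free sites belong to a driver, not to the self-test. The allowlist is deliberately applied to all three sites rather than only to the faulting function: a real use-after-free whose last bad access happens to land inside a self-test helper would otherwise be waved through.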