Date
June 26, 2025, 11:12 a.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 |
[ 32.242697] ================================================================== [ 32.249759] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 32.256092] Read of size 1 at addr ffff000802d02d78 by task kunit_try_catch/245 [ 32.263383] [ 32.264867] CPU: 0 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT [ 32.264919] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.264934] Hardware name: WinLink E850-96 board (DT) [ 32.264952] Call trace: [ 32.264962] show_stack+0x20/0x38 (C) [ 32.264995] dump_stack_lvl+0x8c/0xd0 [ 32.265031] print_report+0x118/0x608 [ 32.265063] kasan_report+0xdc/0x128 [ 32.265091] __asan_report_load1_noabort+0x20/0x30 [ 32.265126] ksize_uaf+0x544/0x5f8 [ 32.265160] kunit_try_run_case+0x170/0x3f0 [ 32.265195] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.265232] kthread+0x328/0x630 [ 32.265264] ret_from_fork+0x10/0x20 [ 32.265297] [ 32.326923] Allocated by task 245: [ 32.330311] kasan_save_stack+0x3c/0x68 [ 32.334128] kasan_save_track+0x20/0x40 [ 32.337948] kasan_save_alloc_info+0x40/0x58 [ 32.342201] __kasan_kmalloc+0xd4/0xd8 [ 32.345933] __kmalloc_cache_noprof+0x16c/0x3c0 [ 32.350447] ksize_uaf+0xb8/0x5f8 [ 32.353747] kunit_try_run_case+0x170/0x3f0 [ 32.357913] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.363381] kthread+0x328/0x630 [ 32.366593] ret_from_fork+0x10/0x20 [ 32.370152] [ 32.371628] Freed by task 245: [ 32.374667] kasan_save_stack+0x3c/0x68 [ 32.378485] kasan_save_track+0x20/0x40 [ 32.382305] kasan_save_free_info+0x4c/0x78 [ 32.386471] __kasan_slab_free+0x6c/0x98 [ 32.390377] kfree+0x214/0x3c8 [ 32.393415] ksize_uaf+0x11c/0x5f8 [ 32.396801] kunit_try_run_case+0x170/0x3f0 [ 32.400967] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.406438] kthread+0x328/0x630 [ 32.409648] ret_from_fork+0x10/0x20 [ 32.413207] [ 32.414683] The buggy address belongs to the object at ffff000802d02d00 [ 32.414683] which belongs to the cache kmalloc-128 of size 128 [ 32.427184] The buggy address is located 120 bytes inside of [ 32.427184] freed 128-byte region [ffff000802d02d00, ffff000802d02d80) [ 32.439422] [ 32.440901] The buggy address belongs to the physical page: [ 32.446459] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x882d02 [ 32.454441] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 32.462079] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 32.469022] page_type: f5(slab) [ 32.472159] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 32.479879] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 32.487606] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 32.495417] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 32.503230] head: 0bfffe0000000001 fffffdffe00b4081 00000000ffffffff 00000000ffffffff [ 32.511042] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 32.518848] page dumped because: kasan: bad access detected [ 32.524404] [ 32.525879] Memory state around the buggy address: [ 32.530660] ffff000802d02c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.537862] ffff000802d02c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.545067] >ffff000802d02d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.552267] ^ [ 32.559389] ffff000802d02d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.566594] ffff000802d02e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.573795] ================================================================== [ 31.908452] ================================================================== [ 31.915391] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 31.921723] Read of size 1 at addr ffff000802d02d00 by task kunit_try_catch/245 [ 31.929013] [ 31.930499] CPU: 0 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT [ 31.930551] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.930566] Hardware name: WinLink E850-96 board (DT) [ 31.930588] Call trace: [ 31.930600] show_stack+0x20/0x38 (C) [ 31.930637] dump_stack_lvl+0x8c/0xd0 [ 31.930674] print_report+0x118/0x608 [ 31.930709] kasan_report+0xdc/0x128 [ 31.930740] __asan_report_load1_noabort+0x20/0x30 [ 31.930774] ksize_uaf+0x598/0x5f8 [ 31.930808] kunit_try_run_case+0x170/0x3f0 [ 31.930844] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.930881] kthread+0x328/0x630 [ 31.930915] ret_from_fork+0x10/0x20 [ 31.930953] [ 31.992553] Allocated by task 245: [ 31.995942] kasan_save_stack+0x3c/0x68 [ 31.999758] kasan_save_track+0x20/0x40 [ 32.003578] kasan_save_alloc_info+0x40/0x58 [ 32.007831] __kasan_kmalloc+0xd4/0xd8 [ 32.011565] __kmalloc_cache_noprof+0x16c/0x3c0 [ 32.016078] ksize_uaf+0xb8/0x5f8 [ 32.019377] kunit_try_run_case+0x170/0x3f0 [ 32.023543] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.029011] kthread+0x328/0x630 [ 32.032223] ret_from_fork+0x10/0x20 [ 32.035782] [ 32.037257] Freed by task 245: [ 32.040297] kasan_save_stack+0x3c/0x68 [ 32.044115] kasan_save_track+0x20/0x40 [ 32.047935] kasan_save_free_info+0x4c/0x78 [ 32.052101] __kasan_slab_free+0x6c/0x98 [ 32.056007] kfree+0x214/0x3c8 [ 32.059046] ksize_uaf+0x11c/0x5f8 [ 32.062431] kunit_try_run_case+0x170/0x3f0 [ 32.066598] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.072068] kthread+0x328/0x630 [ 32.075278] ret_from_fork+0x10/0x20 [ 32.078837] [ 32.080312] The buggy address belongs to the object at ffff000802d02d00 [ 32.080312] which belongs to the cache kmalloc-128 of size 128 [ 32.092816] The buggy address is located 0 bytes inside of [ 32.092816] freed 128-byte region [ffff000802d02d00, ffff000802d02d80) [ 32.104878] [ 32.106357] The buggy address belongs to the physical page: [ 32.111913] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x882d02 [ 32.119897] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 32.127536] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 32.134478] page_type: f5(slab) [ 32.137615] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 32.145336] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 32.153063] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 32.160873] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 32.168687] head: 0bfffe0000000001 fffffdffe00b4081 00000000ffffffff 00000000ffffffff [ 32.176499] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 32.184304] page dumped because: kasan: bad access detected [ 32.189861] [ 32.191335] Memory state around the buggy address: [ 32.196115] ffff000802d02c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.203318] ffff000802d02c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.210523] >ffff000802d02d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.217725] ^ [ 32.220938] ffff000802d02d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.228144] ffff000802d02e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.235345] ================================================================== [ 31.569422] ================================================================== [ 31.578936] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 31.585271] Read of size 1 at addr ffff000802d02d00 by task kunit_try_catch/245 [ 31.592561] [ 31.594048] CPU: 0 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT [ 31.594101] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.594118] Hardware name: WinLink E850-96 board (DT) [ 31.594140] Call trace: [ 31.594153] show_stack+0x20/0x38 (C) [ 31.594192] dump_stack_lvl+0x8c/0xd0 [ 31.594228] print_report+0x118/0x608 [ 31.594256] kasan_report+0xdc/0x128 [ 31.594286] __kasan_check_byte+0x54/0x70 [ 31.594319] ksize+0x30/0x88 [ 31.594347] ksize_uaf+0x168/0x5f8 [ 31.594379] kunit_try_run_case+0x170/0x3f0 [ 31.594415] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.594457] kthread+0x328/0x630 [ 31.594496] ret_from_fork+0x10/0x20 [ 31.594532] [ 31.658185] Allocated by task 245: [ 31.661573] kasan_save_stack+0x3c/0x68 [ 31.665388] kasan_save_track+0x20/0x40 [ 31.669208] kasan_save_alloc_info+0x40/0x58 [ 31.673461] __kasan_kmalloc+0xd4/0xd8 [ 31.677194] __kmalloc_cache_noprof+0x16c/0x3c0 [ 31.681707] ksize_uaf+0xb8/0x5f8 [ 31.685006] kunit_try_run_case+0x170/0x3f0 [ 31.689173] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.694641] kthread+0x328/0x630 [ 31.697853] ret_from_fork+0x10/0x20 [ 31.701412] [ 31.702887] Freed by task 245: [ 31.705927] kasan_save_stack+0x3c/0x68 [ 31.709745] kasan_save_track+0x20/0x40 [ 31.713564] kasan_save_free_info+0x4c/0x78 [ 31.717731] __kasan_slab_free+0x6c/0x98 [ 31.721637] kfree+0x214/0x3c8 [ 31.724675] ksize_uaf+0x11c/0x5f8 [ 31.728061] kunit_try_run_case+0x170/0x3f0 [ 31.732227] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.737696] kthread+0x328/0x630 [ 31.740908] ret_from_fork+0x10/0x20 [ 31.744467] [ 31.745944] The buggy address belongs to the object at ffff000802d02d00 [ 31.745944] which belongs to the cache kmalloc-128 of size 128 [ 31.758446] The buggy address is located 0 bytes inside of [ 31.758446] freed 128-byte region [ffff000802d02d00, ffff000802d02d80) [ 31.770508] [ 31.771988] The buggy address belongs to the physical page: [ 31.777544] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x882d02 [ 31.785528] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 31.793166] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 31.800111] page_type: f5(slab) [ 31.803249] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 31.810965] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 31.818694] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000 [ 31.826505] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 31.834318] head: 0bfffe0000000001 fffffdffe00b4081 00000000ffffffff 00000000ffffffff [ 31.842129] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 31.849934] page dumped because: kasan: bad access detected [ 31.855491] [ 31.856964] Memory state around the buggy address: [ 31.861747] ffff000802d02c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.868948] ffff000802d02c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.876153] >ffff000802d02d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 31.883354] ^ [ 31.886569] ffff000802d02d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.893775] ffff000802d02e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.900975] ==================================================================
[ 18.255060] ================================================================== [ 18.255278] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 18.255342] Read of size 1 at addr fff00000c5bdcd00 by task kunit_try_catch/198 [ 18.255554] [ 18.255621] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT [ 18.255713] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.255934] Hardware name: linux,dummy-virt (DT) [ 18.256100] Call trace: [ 18.256152] show_stack+0x20/0x38 (C) [ 18.256294] dump_stack_lvl+0x8c/0xd0 [ 18.256471] print_report+0x118/0x608 [ 18.256601] kasan_report+0xdc/0x128 [ 18.256790] __kasan_check_byte+0x54/0x70 [ 18.256975] ksize+0x30/0x88 [ 18.257047] ksize_uaf+0x168/0x5f8 [ 18.257199] kunit_try_run_case+0x170/0x3f0 [ 18.257356] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.257484] kthread+0x328/0x630 [ 18.257722] ret_from_fork+0x10/0x20 [ 18.258128] [ 18.258174] Allocated by task 198: [ 18.258242] kasan_save_stack+0x3c/0x68 [ 18.258403] kasan_save_track+0x20/0x40 [ 18.258536] kasan_save_alloc_info+0x40/0x58 [ 18.258600] __kasan_kmalloc+0xd4/0xd8 [ 18.258635] __kmalloc_cache_noprof+0x16c/0x3c0 [ 18.259038] ksize_uaf+0xb8/0x5f8 [ 18.259181] kunit_try_run_case+0x170/0x3f0 [ 18.259312] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.259508] kthread+0x328/0x630 [ 18.259557] ret_from_fork+0x10/0x20 [ 18.259592] [ 18.259668] Freed by task 198: [ 18.260002] kasan_save_stack+0x3c/0x68 [ 18.260072] kasan_save_track+0x20/0x40 [ 18.260227] kasan_save_free_info+0x4c/0x78 [ 18.260419] __kasan_slab_free+0x6c/0x98 [ 18.260554] kfree+0x214/0x3c8 [ 18.260589] ksize_uaf+0x11c/0x5f8 [ 18.260625] kunit_try_run_case+0x170/0x3f0 [ 18.260940] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.261099] kthread+0x328/0x630 [ 18.261301] ret_from_fork+0x10/0x20 [ 18.261439] [ 18.261602] The buggy address belongs to the object at fff00000c5bdcd00 [ 18.261602] which belongs to the cache kmalloc-128 of size 128 [ 18.261697] The buggy address is located 0 bytes inside of [ 18.261697] freed 128-byte region [fff00000c5bdcd00, fff00000c5bdcd80) [ 18.261897] [ 18.261943] The buggy address belongs to the physical page: [ 18.261991] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105bdc [ 18.262046] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.262097] page_type: f5(slab) [ 18.262137] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 18.262200] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.262259] page dumped because: kasan: bad access detected [ 18.262302] [ 18.262320] Memory state around the buggy address: [ 18.262370] fff00000c5bdcc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.262416] fff00000c5bdcc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.262467] >fff00000c5bdcd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.262519] ^ [ 18.262556] fff00000c5bdcd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.262601] fff00000c5bdce00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.262642] ================================================================== [ 18.272994] ================================================================== [ 18.273048] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 18.273341] Read of size 1 at addr fff00000c5bdcd78 by task kunit_try_catch/198 [ 18.273529] [ 18.273564] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT [ 18.273660] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.274046] Hardware name: linux,dummy-virt (DT) [ 18.274168] Call trace: [ 18.274195] show_stack+0x20/0x38 (C) [ 18.274248] dump_stack_lvl+0x8c/0xd0 [ 18.274357] print_report+0x118/0x608 [ 18.274407] kasan_report+0xdc/0x128 [ 18.274451] __asan_report_load1_noabort+0x20/0x30 [ 18.274500] ksize_uaf+0x544/0x5f8 [ 18.274786] kunit_try_run_case+0x170/0x3f0 [ 18.274881] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.274937] kthread+0x328/0x630 [ 18.275064] ret_from_fork+0x10/0x20 [ 18.275153] [ 18.275201] Allocated by task 198: [ 18.275299] kasan_save_stack+0x3c/0x68 [ 18.275386] kasan_save_track+0x20/0x40 [ 18.275440] kasan_save_alloc_info+0x40/0x58 [ 18.275774] __kasan_kmalloc+0xd4/0xd8 [ 18.275820] __kmalloc_cache_noprof+0x16c/0x3c0 [ 18.275897] ksize_uaf+0xb8/0x5f8 [ 18.276006] kunit_try_run_case+0x170/0x3f0 [ 18.276170] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.276305] kthread+0x328/0x630 [ 18.276427] ret_from_fork+0x10/0x20 [ 18.276604] [ 18.276809] Freed by task 198: [ 18.276872] kasan_save_stack+0x3c/0x68 [ 18.276986] kasan_save_track+0x20/0x40 [ 18.277122] kasan_save_free_info+0x4c/0x78 [ 18.277225] __kasan_slab_free+0x6c/0x98 [ 18.277458] kfree+0x214/0x3c8 [ 18.277523] ksize_uaf+0x11c/0x5f8 [ 18.277806] kunit_try_run_case+0x170/0x3f0 [ 18.277907] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.277959] kthread+0x328/0x630 [ 18.277995] ret_from_fork+0x10/0x20 [ 18.278033] [ 18.278056] The buggy address belongs to the object at fff00000c5bdcd00 [ 18.278056] which belongs to the cache kmalloc-128 of size 128 [ 18.278120] The buggy address is located 120 bytes inside of [ 18.278120] freed 128-byte region [fff00000c5bdcd00, fff00000c5bdcd80) [ 18.278261] [ 18.278310] The buggy address belongs to the physical page: [ 18.278369] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105bdc [ 18.278431] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.278480] page_type: f5(slab) [ 18.278518] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 18.278571] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.278623] page dumped because: kasan: bad access detected [ 18.278655] [ 18.278674] Memory state around the buggy address: [ 18.278713] fff00000c5bdcc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.278758] fff00000c5bdcc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.278804] >fff00000c5bdcd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.278844] ^ [ 18.278916] fff00000c5bdcd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.278976] fff00000c5bdce00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.279017] ================================================================== [ 18.264812] ================================================================== [ 18.265057] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 18.265203] Read of size 1 at addr fff00000c5bdcd00 by task kunit_try_catch/198 [ 18.265318] [ 18.265414] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT [ 18.265505] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.265792] Hardware name: linux,dummy-virt (DT) [ 18.265882] Call trace: [ 18.265909] show_stack+0x20/0x38 (C) [ 18.266014] dump_stack_lvl+0x8c/0xd0 [ 18.266066] print_report+0x118/0x608 [ 18.266148] kasan_report+0xdc/0x128 [ 18.266202] __asan_report_load1_noabort+0x20/0x30 [ 18.266523] ksize_uaf+0x598/0x5f8 [ 18.266591] kunit_try_run_case+0x170/0x3f0 [ 18.266669] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.266725] kthread+0x328/0x630 [ 18.266770] ret_from_fork+0x10/0x20 [ 18.267065] [ 18.267112] Allocated by task 198: [ 18.267376] kasan_save_stack+0x3c/0x68 [ 18.267447] kasan_save_track+0x20/0x40 [ 18.267483] kasan_save_alloc_info+0x40/0x58 [ 18.267586] __kasan_kmalloc+0xd4/0xd8 [ 18.267632] __kmalloc_cache_noprof+0x16c/0x3c0 [ 18.267671] ksize_uaf+0xb8/0x5f8 [ 18.267706] kunit_try_run_case+0x170/0x3f0 [ 18.267874] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.268051] kthread+0x328/0x630 [ 18.268171] ret_from_fork+0x10/0x20 [ 18.268219] [ 18.268240] Freed by task 198: [ 18.268268] kasan_save_stack+0x3c/0x68 [ 18.268304] kasan_save_track+0x20/0x40 [ 18.268611] kasan_save_free_info+0x4c/0x78 [ 18.268682] __kasan_slab_free+0x6c/0x98 [ 18.269064] kfree+0x214/0x3c8 [ 18.269306] ksize_uaf+0x11c/0x5f8 [ 18.269398] kunit_try_run_case+0x170/0x3f0 [ 18.269714] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.269849] kthread+0x328/0x630 [ 18.270062] ret_from_fork+0x10/0x20 [ 18.270401] [ 18.270450] The buggy address belongs to the object at fff00000c5bdcd00 [ 18.270450] which belongs to the cache kmalloc-128 of size 128 [ 18.270591] The buggy address is located 0 bytes inside of [ 18.270591] freed 128-byte region [fff00000c5bdcd00, fff00000c5bdcd80) [ 18.270742] [ 18.270812] The buggy address belongs to the physical page: [ 18.270843] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105bdc [ 18.271326] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.271454] page_type: f5(slab) [ 18.271498] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 18.271706] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.271769] page dumped because: kasan: bad access detected [ 18.271809] [ 18.271827] Memory state around the buggy address: [ 18.271894] fff00000c5bdcc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.271940] fff00000c5bdcc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.271984] >fff00000c5bdcd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.272026] ^ [ 18.272064] fff00000c5bdcd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.272109] fff00000c5bdce00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.272152] ==================================================================
[ 11.446672] ================================================================== [ 11.447142] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 11.447665] Read of size 1 at addr ffff888102f60978 by task kunit_try_catch/215 [ 11.448128] [ 11.448465] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT(voluntary) [ 11.448526] Tainted: [B]=BAD_PAGE, [N]=TEST [ 11.448537] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 11.448557] Call Trace: [ 11.448569] <TASK> [ 11.448586] dump_stack_lvl+0x73/0xb0 [ 11.448622] print_report+0xd1/0x650 [ 11.448645] ? __virt_addr_valid+0x1db/0x2d0 [ 11.448666] ? ksize_uaf+0x5e4/0x6c0 [ 11.448698] ? kasan_complete_mode_report_info+0x64/0x200 [ 11.448773] ? ksize_uaf+0x5e4/0x6c0 [ 11.448796] kasan_report+0x141/0x180 [ 11.448829] ? ksize_uaf+0x5e4/0x6c0 [ 11.448855] __asan_report_load1_noabort+0x18/0x20 [ 11.448875] ksize_uaf+0x5e4/0x6c0 [ 11.448906] ? __pfx_ksize_uaf+0x10/0x10 [ 11.448936] ? __schedule+0x10cc/0x2b60 [ 11.448959] ? __pfx_read_tsc+0x10/0x10 [ 11.448979] ? ktime_get_ts64+0x86/0x230 [ 11.449005] kunit_try_run_case+0x1a5/0x480 [ 11.449029] ? __pfx_kunit_try_run_case+0x10/0x10 [ 11.449050] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 11.449073] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 11.449097] ? __kthread_parkme+0x82/0x180 [ 11.449118] ? preempt_count_sub+0x50/0x80 [ 11.449144] ? __pfx_kunit_try_run_case+0x10/0x10 [ 11.449177] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 11.449200] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 11.449222] kthread+0x337/0x6f0 [ 11.449249] ? trace_preempt_on+0x20/0xc0 [ 11.449273] ? __pfx_kthread+0x10/0x10 [ 11.449290] ? _raw_spin_unlock_irq+0x47/0x80 [ 11.449311] ? calculate_sigpending+0x7b/0xa0 [ 11.449332] ? __pfx_kthread+0x10/0x10 [ 11.449350] ret_from_fork+0x41/0x80 [ 11.449371] ? __pfx_kthread+0x10/0x10 [ 11.449397] ret_from_fork_asm+0x1a/0x30 [ 11.449427] </TASK> [ 11.449437] [ 11.457187] Allocated by task 215: [ 11.457360] kasan_save_stack+0x45/0x70 [ 11.457587] kasan_save_track+0x18/0x40 [ 11.457880] kasan_save_alloc_info+0x3b/0x50 [ 11.458083] __kasan_kmalloc+0xb7/0xc0 [ 11.458298] __kmalloc_cache_noprof+0x189/0x420 [ 11.458455] ksize_uaf+0xaa/0x6c0 [ 11.458577] kunit_try_run_case+0x1a5/0x480 [ 11.458737] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 11.459238] kthread+0x337/0x6f0 [ 11.459415] ret_from_fork+0x41/0x80 [ 11.459639] ret_from_fork_asm+0x1a/0x30 [ 11.459930] [ 11.460020] Freed by task 215: [ 11.460173] kasan_save_stack+0x45/0x70 [ 11.460375] kasan_save_track+0x18/0x40 [ 11.460547] kasan_save_free_info+0x3f/0x60 [ 11.460860] __kasan_slab_free+0x56/0x70 [ 11.461067] kfree+0x222/0x3f0 [ 11.461227] ksize_uaf+0x12c/0x6c0 [ 11.461393] kunit_try_run_case+0x1a5/0x480 [ 11.461625] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 11.462008] kthread+0x337/0x6f0 [ 11.462134] ret_from_fork+0x41/0x80 [ 11.462264] ret_from_fork_asm+0x1a/0x30 [ 11.462412] [ 11.462505] The buggy address belongs to the object at ffff888102f60900 [ 11.462505] which belongs to the cache kmalloc-128 of size 128 [ 11.463283] The buggy address is located 120 bytes inside of [ 11.463283] freed 128-byte region [ffff888102f60900, ffff888102f60980) [ 11.463841] [ 11.463924] The buggy address belongs to the physical page: [ 11.464153] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102f60 [ 11.464519] flags: 0x200000000000000(node=0|zone=2) [ 11.464743] page_type: f5(slab) [ 11.464896] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 11.465214] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 11.465503] page dumped because: kasan: bad access detected [ 11.465743] [ 11.465820] Memory state around the buggy address: [ 11.466168] ffff888102f60800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 11.466475] ffff888102f60880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 11.467028] >ffff888102f60900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 11.467292] ^ [ 11.467642] ffff888102f60980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 11.468026] ffff888102f60a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 11.468327] ================================================================== [ 11.400079] ================================================================== [ 11.401027] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 11.401377] Read of size 1 at addr ffff888102f60900 by task kunit_try_catch/215 [ 11.401693] [ 11.401972] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT(voluntary) [ 11.402035] Tainted: [B]=BAD_PAGE, [N]=TEST [ 11.402046] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 11.402069] Call Trace: [ 11.402081] <TASK> [ 11.402101] dump_stack_lvl+0x73/0xb0 [ 11.402129] print_report+0xd1/0x650 [ 11.402162] ? __virt_addr_valid+0x1db/0x2d0 [ 11.402186] ? ksize_uaf+0x19d/0x6c0 [ 11.402206] ? kasan_complete_mode_report_info+0x64/0x200 [ 11.402238] ? ksize_uaf+0x19d/0x6c0 [ 11.402259] kasan_report+0x141/0x180 [ 11.402281] ? ksize_uaf+0x19d/0x6c0 [ 11.402304] ? ksize_uaf+0x19d/0x6c0 [ 11.402325] __kasan_check_byte+0x3d/0x50 [ 11.402347] ksize+0x20/0x60 [ 11.402369] ksize_uaf+0x19d/0x6c0 [ 11.402389] ? __pfx_ksize_uaf+0x10/0x10 [ 11.402410] ? __schedule+0x10cc/0x2b60 [ 11.402434] ? __pfx_read_tsc+0x10/0x10 [ 11.402454] ? ktime_get_ts64+0x86/0x230 [ 11.402490] kunit_try_run_case+0x1a5/0x480 [ 11.402516] ? __pfx_kunit_try_run_case+0x10/0x10 [ 11.402537] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 11.402572] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 11.402595] ? __kthread_parkme+0x82/0x180 [ 11.402647] ? preempt_count_sub+0x50/0x80 [ 11.402674] ? __pfx_kunit_try_run_case+0x10/0x10 [ 11.402697] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 11.402719] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 11.402740] kthread+0x337/0x6f0 [ 11.402757] ? trace_preempt_on+0x20/0xc0 [ 11.402781] ? __pfx_kthread+0x10/0x10 [ 11.402798] ? _raw_spin_unlock_irq+0x47/0x80 [ 11.402818] ? calculate_sigpending+0x7b/0xa0 [ 11.402840] ? __pfx_kthread+0x10/0x10 [ 11.402858] ret_from_fork+0x41/0x80 [ 11.402879] ? __pfx_kthread+0x10/0x10 [ 11.402896] ret_from_fork_asm+0x1a/0x30 [ 11.402939] </TASK> [ 11.402952] [ 11.411192] Allocated by task 215: [ 11.411352] kasan_save_stack+0x45/0x70 [ 11.411510] kasan_save_track+0x18/0x40 [ 11.411817] kasan_save_alloc_info+0x3b/0x50 [ 11.412037] __kasan_kmalloc+0xb7/0xc0 [ 11.412389] __kmalloc_cache_noprof+0x189/0x420 [ 11.412807] ksize_uaf+0xaa/0x6c0 [ 11.413117] kunit_try_run_case+0x1a5/0x480 [ 11.413333] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 11.413633] kthread+0x337/0x6f0 [ 11.413866] ret_from_fork+0x41/0x80 [ 11.414053] ret_from_fork_asm+0x1a/0x30 [ 11.414219] [ 11.414337] Freed by task 215: [ 11.414495] kasan_save_stack+0x45/0x70 [ 11.414656] kasan_save_track+0x18/0x40 [ 11.414791] kasan_save_free_info+0x3f/0x60 [ 11.415008] __kasan_slab_free+0x56/0x70 [ 11.415203] kfree+0x222/0x3f0 [ 11.415416] ksize_uaf+0x12c/0x6c0 [ 11.415545] kunit_try_run_case+0x1a5/0x480 [ 11.415692] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 11.416116] kthread+0x337/0x6f0 [ 11.416294] ret_from_fork+0x41/0x80 [ 11.416475] ret_from_fork_asm+0x1a/0x30 [ 11.416860] [ 11.416977] The buggy address belongs to the object at ffff888102f60900 [ 11.416977] which belongs to the cache kmalloc-128 of size 128 [ 11.417359] The buggy address is located 0 bytes inside of [ 11.417359] freed 128-byte region [ffff888102f60900, ffff888102f60980) [ 11.418278] [ 11.418394] The buggy address belongs to the physical page: [ 11.418620] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102f60 [ 11.419087] flags: 0x200000000000000(node=0|zone=2) [ 11.419395] page_type: f5(slab) [ 11.419594] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 11.420067] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 11.420498] page dumped because: kasan: bad access detected [ 11.420857] [ 11.420951] Memory state around the buggy address: [ 11.421146] ffff888102f60800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 11.421362] ffff888102f60880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 11.421672] >ffff888102f60900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 11.422236] ^ [ 11.422362] ffff888102f60980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 11.422582] ffff888102f60a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 11.422868] ================================================================== [ 11.423597] ================================================================== [ 11.424453] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 11.424906] Read of size 1 at addr ffff888102f60900 by task kunit_try_catch/215 [ 11.425137] [ 11.425226] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc3 #1 PREEMPT(voluntary) [ 11.425350] Tainted: [B]=BAD_PAGE, [N]=TEST [ 11.425364] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 11.425385] Call Trace: [ 11.425418] <TASK> [ 11.425437] dump_stack_lvl+0x73/0xb0 [ 11.425463] print_report+0xd1/0x650 [ 11.425499] ? __virt_addr_valid+0x1db/0x2d0 [ 11.425520] ? ksize_uaf+0x5fe/0x6c0 [ 11.425540] ? kasan_complete_mode_report_info+0x64/0x200 [ 11.425562] ? ksize_uaf+0x5fe/0x6c0 [ 11.425583] kasan_report+0x141/0x180 [ 11.425605] ? ksize_uaf+0x5fe/0x6c0 [ 11.425630] __asan_report_load1_noabort+0x18/0x20 [ 11.425650] ksize_uaf+0x5fe/0x6c0 [ 11.425671] ? __pfx_ksize_uaf+0x10/0x10 [ 11.425692] ? __schedule+0x10cc/0x2b60 [ 11.425755] ? __pfx_read_tsc+0x10/0x10 [ 11.425788] ? ktime_get_ts64+0x86/0x230 [ 11.425815] kunit_try_run_case+0x1a5/0x480 [ 11.425839] ? __pfx_kunit_try_run_case+0x10/0x10 [ 11.425871] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 11.425894] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 11.425926] ? __kthread_parkme+0x82/0x180 [ 11.425948] ? preempt_count_sub+0x50/0x80 [ 11.425982] ? __pfx_kunit_try_run_case+0x10/0x10 [ 11.426006] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 11.426029] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 11.426062] kthread+0x337/0x6f0 [ 11.426079] ? trace_preempt_on+0x20/0xc0 [ 11.426102] ? __pfx_kthread+0x10/0x10 [ 11.426120] ? _raw_spin_unlock_irq+0x47/0x80 [ 11.426150] ? calculate_sigpending+0x7b/0xa0 [ 11.426171] ? __pfx_kthread+0x10/0x10 [ 11.426188] ret_from_fork+0x41/0x80 [ 11.426219] ? __pfx_kthread+0x10/0x10 [ 11.426237] ret_from_fork_asm+0x1a/0x30 [ 11.426267] </TASK> [ 11.426278] [ 11.434186] Allocated by task 215: [ 11.434475] kasan_save_stack+0x45/0x70 [ 11.434701] kasan_save_track+0x18/0x40 [ 11.434882] kasan_save_alloc_info+0x3b/0x50 [ 11.435139] __kasan_kmalloc+0xb7/0xc0 [ 11.435354] __kmalloc_cache_noprof+0x189/0x420 [ 11.435537] ksize_uaf+0xaa/0x6c0 [ 11.435736] kunit_try_run_case+0x1a5/0x480 [ 11.435914] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 11.436360] kthread+0x337/0x6f0 [ 11.436545] ret_from_fork+0x41/0x80 [ 11.436816] ret_from_fork_asm+0x1a/0x30 [ 11.437043] [ 11.437128] Freed by task 215: [ 11.437284] kasan_save_stack+0x45/0x70 [ 11.437477] kasan_save_track+0x18/0x40 [ 11.437692] kasan_save_free_info+0x3f/0x60 [ 11.437832] __kasan_slab_free+0x56/0x70 [ 11.437978] kfree+0x222/0x3f0 [ 11.438092] ksize_uaf+0x12c/0x6c0 [ 11.438291] kunit_try_run_case+0x1a5/0x480 [ 11.438509] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 11.438811] kthread+0x337/0x6f0 [ 11.439057] ret_from_fork+0x41/0x80 [ 11.439250] ret_from_fork_asm+0x1a/0x30 [ 11.439441] [ 11.439540] The buggy address belongs to the object at ffff888102f60900 [ 11.439540] which belongs to the cache kmalloc-128 of size 128 [ 11.440182] The buggy address is located 0 bytes inside of [ 11.440182] freed 128-byte region [ffff888102f60900, ffff888102f60980) [ 11.440774] [ 11.441057] The buggy address belongs to the physical page: [ 11.441274] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102f60 [ 11.441681] flags: 0x200000000000000(node=0|zone=2) [ 11.441985] page_type: f5(slab) [ 11.442136] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 11.442453] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 11.442769] page dumped because: kasan: bad access detected [ 11.442952] [ 11.443021] Memory state around the buggy address: [ 11.443308] ffff888102f60800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 11.443864] ffff888102f60880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 11.444216] >ffff888102f60900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 11.444507] ^ [ 11.444713] ffff888102f60980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 11.445029] ffff888102f60a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 11.445286] ==================================================================