Date
June 23, 2025, 1:39 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 25.137026] ==================================================================
[ 25.137133] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 25.137261] Read of size 1 at addr fff00000c76cf400 by task kunit_try_catch/198
[ 25.137380]
[ 25.137482] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc1 #1 PREEMPT
[ 25.137695] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.137772] Hardware name: linux,dummy-virt (DT)
[ 25.138066] Call trace:
[ 25.138244] show_stack+0x20/0x38 (C)
[ 25.138548] dump_stack_lvl+0x8c/0xd0
[ 25.139511] print_report+0x118/0x608
[ 25.140653] kasan_report+0xdc/0x128
[ 25.140910] __asan_report_load1_noabort+0x20/0x30
[ 25.141049] ksize_uaf+0x598/0x5f8
[ 25.141401] kunit_try_run_case+0x170/0x3f0
[ 25.141533] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.142329] kthread+0x328/0x630
[ 25.142800] ret_from_fork+0x10/0x20
[ 25.143339]
[ 25.143406] Allocated by task 198:
[ 25.143640] kasan_save_stack+0x3c/0x68
[ 25.143758] kasan_save_track+0x20/0x40
[ 25.144281] kasan_save_alloc_info+0x40/0x58
[ 25.144589] __kasan_kmalloc+0xd4/0xd8
[ 25.144925] __kmalloc_cache_noprof+0x16c/0x3c0
[ 25.145087] ksize_uaf+0xb8/0x5f8
[ 25.145192] kunit_try_run_case+0x170/0x3f0
[ 25.145877] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.146633] kthread+0x328/0x630
[ 25.147111] ret_from_fork+0x10/0x20
[ 25.147213]
[ 25.147688] Freed by task 198:
[ 25.147790] kasan_save_stack+0x3c/0x68
[ 25.147955] kasan_save_track+0x20/0x40
[ 25.148158] kasan_save_free_info+0x4c/0x78
[ 25.148489] __kasan_slab_free+0x6c/0x98
[ 25.148627] kfree+0x214/0x3c8
[ 25.149057] ksize_uaf+0x11c/0x5f8
[ 25.149380] kunit_try_run_case+0x170/0x3f0
[ 25.149742] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.150104] kthread+0x328/0x630
[ 25.150302] ret_from_fork+0x10/0x20
[ 25.150412]
[ 25.150463] The buggy address belongs to the object at fff00000c76cf400
[ 25.150463] which belongs to the cache kmalloc-128 of size 128
[ 25.151366] The buggy address is located 0 bytes inside of
[ 25.151366] freed 128-byte region [fff00000c76cf400, fff00000c76cf480)
[ 25.151631]
[ 25.151768] The buggy address belongs to the physical page:
[ 25.152147] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1076cf
[ 25.152267] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 25.152942] page_type: f5(slab)
[ 25.153048] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 25.153172] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 25.153355] page dumped because: kasan: bad access detected
[ 25.153488]
[ 25.153539] Memory state around the buggy address:
[ 25.153629] fff00000c76cf300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.154271] fff00000c76cf380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.155559] >fff00000c76cf400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.155695] ^
[ 25.155762] fff00000c76cf480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.155853] fff00000c76cf500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.155967] ==================================================================
[ 25.116936] ==================================================================
[ 25.117248] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 25.118668] Read of size 1 at addr fff00000c76cf400 by task kunit_try_catch/198
[ 25.118738]
[ 25.118800] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc1 #1 PREEMPT
[ 25.119132] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.119201] Hardware name: linux,dummy-virt (DT)
[ 25.119281] Call trace:
[ 25.119336] show_stack+0x20/0x38 (C)
[ 25.119611] dump_stack_lvl+0x8c/0xd0
[ 25.119732] print_report+0x118/0x608
[ 25.119853] kasan_report+0xdc/0x128
[ 25.120127] __kasan_check_byte+0x54/0x70
[ 25.120336] ksize+0x30/0x88
[ 25.120470] ksize_uaf+0x168/0x5f8
[ 25.120643] kunit_try_run_case+0x170/0x3f0
[ 25.121016] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.121360] kthread+0x328/0x630
[ 25.121529] ret_from_fork+0x10/0x20
[ 25.121650]
[ 25.121722] Allocated by task 198:
[ 25.121794] kasan_save_stack+0x3c/0x68
[ 25.121899] kasan_save_track+0x20/0x40
[ 25.122124] kasan_save_alloc_info+0x40/0x58
[ 25.122237] __kasan_kmalloc+0xd4/0xd8
[ 25.122332] __kmalloc_cache_noprof+0x16c/0x3c0
[ 25.122635] ksize_uaf+0xb8/0x5f8
[ 25.122768] kunit_try_run_case+0x170/0x3f0
[ 25.122892] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.122999] kthread+0x328/0x630
[ 25.123086] ret_from_fork+0x10/0x20
[ 25.123184]
[ 25.123328] Freed by task 198:
[ 25.124322] kasan_save_stack+0x3c/0x68
[ 25.124552] kasan_save_track+0x20/0x40
[ 25.124903] kasan_save_free_info+0x4c/0x78
[ 25.125293] __kasan_slab_free+0x6c/0x98
[ 25.125685] kfree+0x214/0x3c8
[ 25.125840] ksize_uaf+0x11c/0x5f8
[ 25.125989] kunit_try_run_case+0x170/0x3f0
[ 25.126159] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.126333] kthread+0x328/0x630
[ 25.126439] ret_from_fork+0x10/0x20
[ 25.126611]
[ 25.126670] The buggy address belongs to the object at fff00000c76cf400
[ 25.126670] which belongs to the cache kmalloc-128 of size 128
[ 25.126823] The buggy address is located 0 bytes inside of
[ 25.126823] freed 128-byte region [fff00000c76cf400, fff00000c76cf480)
[ 25.126986]
[ 25.127047] The buggy address belongs to the physical page:
[ 25.127564] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1076cf
[ 25.127699] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 25.127816] page_type: f5(slab)
[ 25.127915] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 25.128273] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 25.128778] page dumped because: kasan: bad access detected
[ 25.129123]
[ 25.129446] Memory state around the buggy address:
[ 25.129629] fff00000c76cf300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.129888] fff00000c76cf380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.130643] >fff00000c76cf400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.130954] ^
[ 25.131155] fff00000c76cf480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.131259] fff00000c76cf500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.132276] ==================================================================
[ 25.157769] ==================================================================
[ 25.158115] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 25.158328] Read of size 1 at addr fff00000c76cf478 by task kunit_try_catch/198
[ 25.158523]
[ 25.159094] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc1 #1 PREEMPT
[ 25.159293] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.159360] Hardware name: linux,dummy-virt (DT)
[ 25.159563] Call trace:
[ 25.159635] show_stack+0x20/0x38 (C)
[ 25.160356] dump_stack_lvl+0x8c/0xd0
[ 25.161361] print_report+0x118/0x608
[ 25.161552] kasan_report+0xdc/0x128
[ 25.162242] __asan_report_load1_noabort+0x20/0x30
[ 25.162518] ksize_uaf+0x544/0x5f8
[ 25.162770] kunit_try_run_case+0x170/0x3f0
[ 25.162903] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.163572] kthread+0x328/0x630
[ 25.164034] ret_from_fork+0x10/0x20
[ 25.164163]
[ 25.164209] Allocated by task 198:
[ 25.164723] kasan_save_stack+0x3c/0x68
[ 25.164854] kasan_save_track+0x20/0x40
[ 25.165201] kasan_save_alloc_info+0x40/0x58
[ 25.165910] __kasan_kmalloc+0xd4/0xd8
[ 25.166060] __kmalloc_cache_noprof+0x16c/0x3c0
[ 25.166233] ksize_uaf+0xb8/0x5f8
[ 25.166660] kunit_try_run_case+0x170/0x3f0
[ 25.166773] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.167075] kthread+0x328/0x630
[ 25.167215] ret_from_fork+0x10/0x20
[ 25.167371]
[ 25.167438] Freed by task 198:
[ 25.167535] kasan_save_stack+0x3c/0x68
[ 25.167687] kasan_save_track+0x20/0x40
[ 25.167813] kasan_save_free_info+0x4c/0x78
[ 25.168055] __kasan_slab_free+0x6c/0x98
[ 25.168213] kfree+0x214/0x3c8
[ 25.168298] ksize_uaf+0x11c/0x5f8
[ 25.168712] kunit_try_run_case+0x170/0x3f0
[ 25.168829] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.168944] kthread+0x328/0x630
[ 25.169050] ret_from_fork+0x10/0x20
[ 25.169157]
[ 25.169249] The buggy address belongs to the object at fff00000c76cf400
[ 25.169249] which belongs to the cache kmalloc-128 of size 128
[ 25.169530] The buggy address is located 120 bytes inside of
[ 25.169530] freed 128-byte region [fff00000c76cf400, fff00000c76cf480)
[ 25.170053]
[ 25.170146] The buggy address belongs to the physical page:
[ 25.170248] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1076cf
[ 25.170421] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 25.170602] page_type: f5(slab)
[ 25.171013] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 25.171620] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 25.171779] page dumped because: kasan: bad access detected
[ 25.171969]
[ 25.172019] Memory state around the buggy address:
[ 25.172135] fff00000c76cf300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.172374] fff00000c76cf380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.172516] >fff00000c76cf400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.172681] ^
[ 25.172796] fff00000c76cf480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.172927] fff00000c76cf500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.173037] ==================================================================
```
qemu-x86_64:

```text
[ 18.104181] ==================================================================
[ 18.104938] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 18.105468] Read of size 1 at addr ffff888102a13478 by task kunit_try_catch/217
[ 18.106068]
[ 18.106326] CPU: 0 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc1 #1 PREEMPT(voluntary)
[ 18.106437] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.106472] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 18.106522] Call Trace:
[ 18.106557] <TASK>
[ 18.106592] dump_stack_lvl+0x73/0xb0
[ 18.106682] print_report+0xd1/0x650
[ 18.106759] ? __virt_addr_valid+0x1db/0x2d0
[ 18.106832] ? ksize_uaf+0x5e4/0x6c0
[ 18.106901] ? kasan_complete_mode_report_info+0x64/0x200
[ 18.106976] ? ksize_uaf+0x5e4/0x6c0
[ 18.107050] kasan_report+0x141/0x180
[ 18.107128] ? ksize_uaf+0x5e4/0x6c0
[ 18.107262] __asan_report_load1_noabort+0x18/0x20
[ 18.107342] ksize_uaf+0x5e4/0x6c0
[ 18.107418] ? __pfx_ksize_uaf+0x10/0x10
[ 18.107479] ? __schedule+0x10cc/0x2b60
[ 18.107514] ? __pfx_read_tsc+0x10/0x10
[ 18.107543] ? ktime_get_ts64+0x86/0x230
[ 18.107579] kunit_try_run_case+0x1a5/0x480
[ 18.107637] ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.107674] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 18.107710] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 18.107745] ? __kthread_parkme+0x82/0x180
[ 18.107778] ? preempt_count_sub+0x50/0x80
[ 18.107813] ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.107848] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.107882] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 18.107914] kthread+0x337/0x6f0
[ 18.107938] ? trace_preempt_on+0x20/0xc0
[ 18.107971] ? __pfx_kthread+0x10/0x10
[ 18.107996] ? _raw_spin_unlock_irq+0x47/0x80
[ 18.108027] ? calculate_sigpending+0x7b/0xa0
[ 18.108058] ? __pfx_kthread+0x10/0x10
[ 18.108082] ret_from_fork+0x41/0x80
[ 18.108112] ? __pfx_kthread+0x10/0x10
[ 18.108135] ret_from_fork_asm+0x1a/0x30
[ 18.108176] </TASK>
[ 18.108191]
[ 18.124015] Allocated by task 217:
[ 18.124431] kasan_save_stack+0x45/0x70
[ 18.124876] kasan_save_track+0x18/0x40
[ 18.125265] kasan_save_alloc_info+0x3b/0x50
[ 18.125688] __kasan_kmalloc+0xb7/0xc0
[ 18.126007] __kmalloc_cache_noprof+0x189/0x420
[ 18.126461] ksize_uaf+0xaa/0x6c0
[ 18.126864] kunit_try_run_case+0x1a5/0x480
[ 18.127334] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.127869] kthread+0x337/0x6f0
[ 18.128182] ret_from_fork+0x41/0x80
[ 18.128528] ret_from_fork_asm+0x1a/0x30
[ 18.128945]
[ 18.129165] Freed by task 217:
[ 18.129538] kasan_save_stack+0x45/0x70
[ 18.129971] kasan_save_track+0x18/0x40
[ 18.130422] kasan_save_free_info+0x3f/0x60
[ 18.130879] __kasan_slab_free+0x56/0x70
[ 18.131337] kfree+0x222/0x3f0
[ 18.131635] ksize_uaf+0x12c/0x6c0
[ 18.132014] kunit_try_run_case+0x1a5/0x480
[ 18.132503] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.132998] kthread+0x337/0x6f0
[ 18.133343] ret_from_fork+0x41/0x80
[ 18.133685] ret_from_fork_asm+0x1a/0x30
[ 18.134110]
[ 18.134392] The buggy address belongs to the object at ffff888102a13400
[ 18.134392] which belongs to the cache kmalloc-128 of size 128
[ 18.135387] The buggy address is located 120 bytes inside of
[ 18.135387] freed 128-byte region [ffff888102a13400, ffff888102a13480)
[ 18.136363]
[ 18.136590] The buggy address belongs to the physical page:
[ 18.136972] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a13
[ 18.137599] flags: 0x200000000000000(node=0|zone=2)
[ 18.138118] page_type: f5(slab)
[ 18.138553] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 18.139052] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.139650] page dumped because: kasan: bad access detected
[ 18.140129]
[ 18.140404] Memory state around the buggy address:
[ 18.140866] ffff888102a13300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.141530] ffff888102a13380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.142111] >ffff888102a13400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.142685] ^
[ 18.143351] ffff888102a13480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.143917] ffff888102a13500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.144455] ==================================================================
[ 18.057092] ==================================================================
[ 18.057891] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 18.058658] Read of size 1 at addr ffff888102a13400 by task kunit_try_catch/217
[ 18.059314]
[ 18.059534] CPU: 0 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc1 #1 PREEMPT(voluntary)
[ 18.059730] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.059768] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 18.059821] Call Trace:
[ 18.060029] <TASK>
[ 18.060190] dump_stack_lvl+0x73/0xb0
[ 18.060317] print_report+0xd1/0x650
[ 18.060391] ? __virt_addr_valid+0x1db/0x2d0
[ 18.060460] ? ksize_uaf+0x5fe/0x6c0
[ 18.060525] ? kasan_complete_mode_report_info+0x64/0x200
[ 18.060593] ? ksize_uaf+0x5fe/0x6c0
[ 18.060679] kasan_report+0x141/0x180
[ 18.060716] ? ksize_uaf+0x5fe/0x6c0
[ 18.060754] __asan_report_load1_noabort+0x18/0x20
[ 18.060782] ksize_uaf+0x5fe/0x6c0
[ 18.060813] ? __pfx_ksize_uaf+0x10/0x10
[ 18.060844] ? __schedule+0x10cc/0x2b60
[ 18.060875] ? __pfx_read_tsc+0x10/0x10
[ 18.060900] ? ktime_get_ts64+0x86/0x230
[ 18.060935] kunit_try_run_case+0x1a5/0x480
[ 18.060968] ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.061000] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 18.061033] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 18.061066] ? __kthread_parkme+0x82/0x180
[ 18.061094] ? preempt_count_sub+0x50/0x80
[ 18.061128] ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.061160] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.061193] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 18.061259] kthread+0x337/0x6f0
[ 18.061290] ? trace_preempt_on+0x20/0xc0
[ 18.061324] ? __pfx_kthread+0x10/0x10
[ 18.061349] ? _raw_spin_unlock_irq+0x47/0x80
[ 18.061380] ? calculate_sigpending+0x7b/0xa0
[ 18.061409] ? __pfx_kthread+0x10/0x10
[ 18.061433] ret_from_fork+0x41/0x80
[ 18.061464] ? __pfx_kthread+0x10/0x10
[ 18.061488] ret_from_fork_asm+0x1a/0x30
[ 18.061529] </TASK>
[ 18.061542]
[ 18.077686] Allocated by task 217:
[ 18.078364] kasan_save_stack+0x45/0x70
[ 18.079079] kasan_save_track+0x18/0x40
[ 18.079669] kasan_save_alloc_info+0x3b/0x50
[ 18.079995] __kasan_kmalloc+0xb7/0xc0
[ 18.080405] __kmalloc_cache_noprof+0x189/0x420
[ 18.081048] ksize_uaf+0xaa/0x6c0
[ 18.081742] kunit_try_run_case+0x1a5/0x480
[ 18.082390] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.082959] kthread+0x337/0x6f0
[ 18.083107] ret_from_fork+0x41/0x80
[ 18.083578] ret_from_fork_asm+0x1a/0x30
[ 18.084280]
[ 18.084578] Freed by task 217:
[ 18.085096] kasan_save_stack+0x45/0x70
[ 18.085630] kasan_save_track+0x18/0x40
[ 18.086415] kasan_save_free_info+0x3f/0x60
[ 18.087056] __kasan_slab_free+0x56/0x70
[ 18.087500] kfree+0x222/0x3f0
[ 18.087875] ksize_uaf+0x12c/0x6c0
[ 18.088303] kunit_try_run_case+0x1a5/0x480
[ 18.088921] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.089403] kthread+0x337/0x6f0
[ 18.089880] ret_from_fork+0x41/0x80
[ 18.090253] ret_from_fork_asm+0x1a/0x30
[ 18.091210]
[ 18.091526] The buggy address belongs to the object at ffff888102a13400
[ 18.091526] which belongs to the cache kmalloc-128 of size 128
[ 18.092369] The buggy address is located 0 bytes inside of
[ 18.092369] freed 128-byte region [ffff888102a13400, ffff888102a13480)
[ 18.093121]
[ 18.093345] The buggy address belongs to the physical page:
[ 18.093896] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a13
[ 18.094529] flags: 0x200000000000000(node=0|zone=2)
[ 18.094911] page_type: f5(slab)
[ 18.095278] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 18.095950] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.096552] page dumped because: kasan: bad access detected
[ 18.097000]
[ 18.097260] Memory state around the buggy address:
[ 18.097685] ffff888102a13300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.098264] ffff888102a13380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.098895] >ffff888102a13400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.099454] ^
[ 18.099823] ffff888102a13480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.100481] ffff888102a13500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.101038] ==================================================================
[ 18.009412] ==================================================================
[ 18.010694] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 18.011420] Read of size 1 at addr ffff888102a13400 by task kunit_try_catch/217
[ 18.012111]
[ 18.012451] CPU: 0 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.15.4-rc1 #1 PREEMPT(voluntary)
[ 18.012570] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.012620] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 18.012676] Call Trace:
[ 18.012713] <TASK>
[ 18.012752] dump_stack_lvl+0x73/0xb0
[ 18.012829] print_report+0xd1/0x650
[ 18.012906] ? __virt_addr_valid+0x1db/0x2d0
[ 18.012982] ? ksize_uaf+0x19d/0x6c0
[ 18.013050] ? kasan_complete_mode_report_info+0x64/0x200
[ 18.013123] ? ksize_uaf+0x19d/0x6c0
[ 18.013197] kasan_report+0x141/0x180
[ 18.013267] ? ksize_uaf+0x19d/0x6c0
[ 18.013308] ? ksize_uaf+0x19d/0x6c0
[ 18.013340] __kasan_check_byte+0x3d/0x50
[ 18.013374] ksize+0x20/0x60
[ 18.013407] ksize_uaf+0x19d/0x6c0
[ 18.013437] ? __pfx_ksize_uaf+0x10/0x10
[ 18.013469] ? __schedule+0x10cc/0x2b60
[ 18.013502] ? __pfx_read_tsc+0x10/0x10
[ 18.013531] ? ktime_get_ts64+0x86/0x230
[ 18.013568] kunit_try_run_case+0x1a5/0x480
[ 18.013626] ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.013664] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 18.013700] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 18.013734] ? __kthread_parkme+0x82/0x180
[ 18.013775] ? preempt_count_sub+0x50/0x80
[ 18.013812] ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.013846] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.013879] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 18.013912] kthread+0x337/0x6f0
[ 18.013935] ? trace_preempt_on+0x20/0xc0
[ 18.013968] ? __pfx_kthread+0x10/0x10
[ 18.013993] ? _raw_spin_unlock_irq+0x47/0x80
[ 18.014023] ? calculate_sigpending+0x7b/0xa0
[ 18.014054] ? __pfx_kthread+0x10/0x10
[ 18.014080] ret_from_fork+0x41/0x80
[ 18.014109] ? __pfx_kthread+0x10/0x10
[ 18.014133] ret_from_fork_asm+0x1a/0x30
[ 18.014175] </TASK>
[ 18.014188]
[ 18.031234] Allocated by task 217:
[ 18.031599] kasan_save_stack+0x45/0x70
[ 18.032156] kasan_save_track+0x18/0x40
[ 18.032646] kasan_save_alloc_info+0x3b/0x50
[ 18.033088] __kasan_kmalloc+0xb7/0xc0
[ 18.033417] __kmalloc_cache_noprof+0x189/0x420
[ 18.033910] ksize_uaf+0xaa/0x6c0
[ 18.034202] kunit_try_run_case+0x1a5/0x480
[ 18.034595] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.035163] kthread+0x337/0x6f0
[ 18.035690] ret_from_fork+0x41/0x80
[ 18.036028] ret_from_fork_asm+0x1a/0x30
[ 18.036727]
[ 18.036904] Freed by task 217:
[ 18.037254] kasan_save_stack+0x45/0x70
[ 18.037674] kasan_save_track+0x18/0x40
[ 18.038125] kasan_save_free_info+0x3f/0x60
[ 18.038528] __kasan_slab_free+0x56/0x70
[ 18.039211] kfree+0x222/0x3f0
[ 18.039546] ksize_uaf+0x12c/0x6c0
[ 18.039976] kunit_try_run_case+0x1a5/0x480
[ 18.040587] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.040996] kthread+0x337/0x6f0
[ 18.041796] ret_from_fork+0x41/0x80
[ 18.042203] ret_from_fork_asm+0x1a/0x30
[ 18.042663]
[ 18.042900] The buggy address belongs to the object at ffff888102a13400
[ 18.042900] which belongs to the cache kmalloc-128 of size 128
[ 18.043867] The buggy address is located 0 bytes inside of
[ 18.043867] freed 128-byte region [ffff888102a13400, ffff888102a13480)
[ 18.044889]
[ 18.045122] The buggy address belongs to the physical page:
[ 18.046481] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a13
[ 18.047170] flags: 0x200000000000000(node=0|zone=2)
[ 18.047740] page_type: f5(slab)
[ 18.048086] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 18.048863] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.049617] page dumped because: kasan: bad access detected
[ 18.050033]
[ 18.050355] Memory state around the buggy address:
[ 18.050908] ffff888102a13300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.051699] ffff888102a13380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.052389] >ffff888102a13400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.052920] ^
[ 18.053354] ffff888102a13480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.054089] ffff888102a13500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.054913] ==================================================================
```