Hay
Date: July 8, 2025, 4:38 p.m.
Environment: qemu-arm64, qemu-x86_64

[   18.052688] ==================================================================
[   18.052744] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   18.052798] Read of size 1 at addr fff00000c63d6800 by task kunit_try_catch/198
[   18.052848] 
[   18.052896] CPU: 1 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G    B            N  6.15.6-rc1 #1 PREEMPT 
[   18.052987] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.053016] Hardware name: linux,dummy-virt (DT)
[   18.053047] Call trace:
[   18.053068]  show_stack+0x20/0x38 (C)
[   18.053116]  dump_stack_lvl+0x8c/0xd0
[   18.053163]  print_report+0x118/0x608
[   18.053216]  kasan_report+0xdc/0x128
[   18.053260]  __kasan_check_byte+0x54/0x70
[   18.053306]  ksize+0x30/0x88
[   18.053358]  ksize_uaf+0x168/0x5f8
[   18.053448]  kunit_try_run_case+0x170/0x3f0
[   18.053613]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.053799]  kthread+0x328/0x630
[   18.054061]  ret_from_fork+0x10/0x20
[   18.054143] 
[   18.054167] Allocated by task 198:
[   18.054197]  kasan_save_stack+0x3c/0x68
[   18.054237]  kasan_save_track+0x20/0x40
[   18.054276]  kasan_save_alloc_info+0x40/0x58
[   18.054364]  __kasan_kmalloc+0xd4/0xd8
[   18.054424]  __kmalloc_cache_noprof+0x16c/0x3c0
[   18.054463]  ksize_uaf+0xb8/0x5f8
[   18.054500]  kunit_try_run_case+0x170/0x3f0
[   18.054541]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.054587]  kthread+0x328/0x630
[   18.054727]  ret_from_fork+0x10/0x20
[   18.054856] 
[   18.054915] Freed by task 198:
[   18.054973]  kasan_save_stack+0x3c/0x68
[   18.055097]  kasan_save_track+0x20/0x40
[   18.055183]  kasan_save_free_info+0x4c/0x78
[   18.055283]  __kasan_slab_free+0x6c/0x98
[   18.055369]  kfree+0x214/0x3c8
[   18.055417]  ksize_uaf+0x11c/0x5f8
[   18.055480]  kunit_try_run_case+0x170/0x3f0
[   18.055557]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.055617]  kthread+0x328/0x630
[   18.055695]  ret_from_fork+0x10/0x20
[   18.055760] 
[   18.055780] The buggy address belongs to the object at fff00000c63d6800
[   18.055780]  which belongs to the cache kmalloc-128 of size 128
[   18.055839] The buggy address is located 0 bytes inside of
[   18.055839]  freed 128-byte region [fff00000c63d6800, fff00000c63d6880)
[   18.055897] 
[   18.056062] The buggy address belongs to the physical page:
[   18.056121] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063d6
[   18.056183] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.056237] page_type: f5(slab)
[   18.056293] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.056359] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.056450] page dumped because: kasan: bad access detected
[   18.056524] 
[   18.056576] Memory state around the buggy address:
[   18.056690]  fff00000c63d6700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.056786]  fff00000c63d6780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.056841] >fff00000c63d6800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.056879]                    ^
[   18.056905]  fff00000c63d6880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.057081]  fff00000c63d6900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.057119] ==================================================================
[   18.057908] ==================================================================
[   18.057959] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   18.058027] Read of size 1 at addr fff00000c63d6800 by task kunit_try_catch/198
[   18.058076] 
[   18.058103] CPU: 1 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G    B            N  6.15.6-rc1 #1 PREEMPT 
[   18.058185] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.058216] Hardware name: linux,dummy-virt (DT)
[   18.058248] Call trace:
[   18.058269]  show_stack+0x20/0x38 (C)
[   18.058314]  dump_stack_lvl+0x8c/0xd0
[   18.058505]  print_report+0x118/0x608
[   18.058552]  kasan_report+0xdc/0x128
[   18.058602]  __asan_report_load1_noabort+0x20/0x30
[   18.058654]  ksize_uaf+0x598/0x5f8
[   18.058845]  kunit_try_run_case+0x170/0x3f0
[   18.058921]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.059008]  kthread+0x328/0x630
[   18.059081]  ret_from_fork+0x10/0x20
[   18.059186] 
[   18.059235] Allocated by task 198:
[   18.059283]  kasan_save_stack+0x3c/0x68
[   18.059324]  kasan_save_track+0x20/0x40
[   18.059438]  kasan_save_alloc_info+0x40/0x58
[   18.059481]  __kasan_kmalloc+0xd4/0xd8
[   18.059517]  __kmalloc_cache_noprof+0x16c/0x3c0
[   18.059575]  ksize_uaf+0xb8/0x5f8
[   18.059630]  kunit_try_run_case+0x170/0x3f0
[   18.059788]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.059841]  kthread+0x328/0x630
[   18.059970]  ret_from_fork+0x10/0x20
[   18.060075] 
[   18.060180] Freed by task 198:
[   18.060241]  kasan_save_stack+0x3c/0x68
[   18.060294]  kasan_save_track+0x20/0x40
[   18.060400]  kasan_save_free_info+0x4c/0x78
[   18.060528]  __kasan_slab_free+0x6c/0x98
[   18.060605]  kfree+0x214/0x3c8
[   18.060799]  ksize_uaf+0x11c/0x5f8
[   18.060835]  kunit_try_run_case+0x170/0x3f0
[   18.060874]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.060918]  kthread+0x328/0x630
[   18.060953]  ret_from_fork+0x10/0x20
[   18.060988] 
[   18.061694] The buggy address belongs to the object at fff00000c63d6800
[   18.061694]  which belongs to the cache kmalloc-128 of size 128
[   18.061952] The buggy address is located 0 bytes inside of
[   18.061952]  freed 128-byte region [fff00000c63d6800, fff00000c63d6880)
[   18.062067] 
[   18.062143] The buggy address belongs to the physical page:
[   18.062238] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063d6
[   18.062314] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.062396] page_type: f5(slab)
[   18.062435] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.062639] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.062777] page dumped because: kasan: bad access detected
[   18.062853] 
[   18.062933] Memory state around the buggy address:
[   18.063011]  fff00000c63d6700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.063084]  fff00000c63d6780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.063504] >fff00000c63d6800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.063572]                    ^
[   18.063620]  fff00000c63d6880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.063684]  fff00000c63d6900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.063767] ==================================================================
[   18.065495] ==================================================================
[   18.065727] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   18.065777] Read of size 1 at addr fff00000c63d6878 by task kunit_try_catch/198
[   18.065932] 
[   18.065969] CPU: 1 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G    B            N  6.15.6-rc1 #1 PREEMPT 
[   18.066113] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.066161] Hardware name: linux,dummy-virt (DT)
[   18.066196] Call trace:
[   18.066218]  show_stack+0x20/0x38 (C)
[   18.066277]  dump_stack_lvl+0x8c/0xd0
[   18.066342]  print_report+0x118/0x608
[   18.066395]  kasan_report+0xdc/0x128
[   18.066448]  __asan_report_load1_noabort+0x20/0x30
[   18.066507]  ksize_uaf+0x544/0x5f8
[   18.066553]  kunit_try_run_case+0x170/0x3f0
[   18.066602]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.066656]  kthread+0x328/0x630
[   18.066701]  ret_from_fork+0x10/0x20
[   18.066748] 
[   18.066770] Allocated by task 198:
[   18.066799]  kasan_save_stack+0x3c/0x68
[   18.066843]  kasan_save_track+0x20/0x40
[   18.066881]  kasan_save_alloc_info+0x40/0x58
[   18.066923]  __kasan_kmalloc+0xd4/0xd8
[   18.066960]  __kmalloc_cache_noprof+0x16c/0x3c0
[   18.067007]  ksize_uaf+0xb8/0x5f8
[   18.067044]  kunit_try_run_case+0x170/0x3f0
[   18.067084]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.067129]  kthread+0x328/0x630
[   18.067166]  ret_from_fork+0x10/0x20
[   18.067202] 
[   18.067220] Freed by task 198:
[   18.067254]  kasan_save_stack+0x3c/0x68
[   18.067291]  kasan_save_track+0x20/0x40
[   18.067327]  kasan_save_free_info+0x4c/0x78
[   18.067375]  __kasan_slab_free+0x6c/0x98
[   18.067411]  kfree+0x214/0x3c8
[   18.067443]  ksize_uaf+0x11c/0x5f8
[   18.067479]  kunit_try_run_case+0x170/0x3f0
[   18.067516]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.067561]  kthread+0x328/0x630
[   18.067843]  ret_from_fork+0x10/0x20
[   18.067918] 
[   18.067957] The buggy address belongs to the object at fff00000c63d6800
[   18.067957]  which belongs to the cache kmalloc-128 of size 128
[   18.068044] The buggy address is located 120 bytes inside of
[   18.068044]  freed 128-byte region [fff00000c63d6800, fff00000c63d6880)
[   18.068115] 
[   18.068137] The buggy address belongs to the physical page:
[   18.068167] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063d6
[   18.068345] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.068499] page_type: f5(slab)
[   18.068544] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   18.068625] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   18.068681] page dumped because: kasan: bad access detected
[   18.068769] 
[   18.068819] Memory state around the buggy address:
[   18.068859]  fff00000c63d6700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.068904]  fff00000c63d6780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.068946] >fff00000c63d6800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.068991]                                                                 ^
[   18.069034]  fff00000c63d6880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.069075]  fff00000c63d6900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.069223] ==================================================================

[   11.803363] ==================================================================
[   11.803752] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   11.804103] Read of size 1 at addr ffff8881029cab00 by task kunit_try_catch/216
[   11.804413] 
[   11.804528] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G    B            N  6.15.6-rc1 #1 PREEMPT(voluntary) 
[   11.804570] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.804581] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.804601] Call Trace:
[   11.804615]  <TASK>
[   11.804627]  dump_stack_lvl+0x73/0xb0
[   11.804651]  print_report+0xd1/0x650
[   11.804675]  ? __virt_addr_valid+0x1db/0x2d0
[   11.804697]  ? ksize_uaf+0x5fe/0x6c0
[   11.804714]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.804737]  ? ksize_uaf+0x5fe/0x6c0
[   11.804755]  kasan_report+0x141/0x180
[   11.804778]  ? ksize_uaf+0x5fe/0x6c0
[   11.804800]  __asan_report_load1_noabort+0x18/0x20
[   11.804822]  ksize_uaf+0x5fe/0x6c0
[   11.804839]  ? __pfx_ksize_uaf+0x10/0x10
[   11.804858]  ? __schedule+0x10cc/0x2b60
[   11.804894]  ? __pfx_read_tsc+0x10/0x10
[   11.804913]  ? ktime_get_ts64+0x86/0x230
[   11.804996]  kunit_try_run_case+0x1a5/0x480
[   11.805022]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.805041]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.805065]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.805090]  ? __kthread_parkme+0x82/0x180
[   11.805111]  ? preempt_count_sub+0x50/0x80
[   11.805137]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.805157]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.805180]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.805204]  kthread+0x337/0x6f0
[   11.805221]  ? trace_preempt_on+0x20/0xc0
[   11.805245]  ? __pfx_kthread+0x10/0x10
[   11.805263]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.805286]  ? calculate_sigpending+0x7b/0xa0
[   11.805307]  ? __pfx_kthread+0x10/0x10
[   11.805326]  ret_from_fork+0x41/0x80
[   11.805347]  ? __pfx_kthread+0x10/0x10
[   11.805365]  ret_from_fork_asm+0x1a/0x30
[   11.805395]  </TASK>
[   11.805406] 
[   11.813262] Allocated by task 216:
[   11.813403]  kasan_save_stack+0x45/0x70
[   11.813553]  kasan_save_track+0x18/0x40
[   11.813691]  kasan_save_alloc_info+0x3b/0x50
[   11.813944]  __kasan_kmalloc+0xb7/0xc0
[   11.814328]  __kmalloc_cache_noprof+0x189/0x420
[   11.814571]  ksize_uaf+0xaa/0x6c0
[   11.814730]  kunit_try_run_case+0x1a5/0x480
[   11.815020]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.815280]  kthread+0x337/0x6f0
[   11.815447]  ret_from_fork+0x41/0x80
[   11.815608]  ret_from_fork_asm+0x1a/0x30
[   11.815811] 
[   11.815919] Freed by task 216:
[   11.816046]  kasan_save_stack+0x45/0x70
[   11.816314]  kasan_save_track+0x18/0x40
[   11.816532]  kasan_save_free_info+0x3f/0x60
[   11.816728]  __kasan_slab_free+0x56/0x70
[   11.818143]  kfree+0x222/0x3f0
[   11.818290]  ksize_uaf+0x12c/0x6c0
[   11.818414]  kunit_try_run_case+0x1a5/0x480
[   11.818556]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.818750]  kthread+0x337/0x6f0
[   11.818933]  ret_from_fork+0x41/0x80
[   11.819121]  ret_from_fork_asm+0x1a/0x30
[   11.819358] 
[   11.820846] The buggy address belongs to the object at ffff8881029cab00
[   11.820846]  which belongs to the cache kmalloc-128 of size 128
[   11.821461] The buggy address is located 0 bytes inside of
[   11.821461]  freed 128-byte region [ffff8881029cab00, ffff8881029cab80)
[   11.821805] 
[   11.821890] The buggy address belongs to the physical page:
[   11.822259] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029ca
[   11.822590] flags: 0x200000000000000(node=0|zone=2)
[   11.822831] page_type: f5(slab)
[   11.824750] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.825022] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.825253] page dumped because: kasan: bad access detected
[   11.825426] 
[   11.825499] Memory state around the buggy address:
[   11.825656]  ffff8881029caa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.825887]  ffff8881029caa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.827513] >ffff8881029cab00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.828534]                    ^
[   11.829778]  ffff8881029cab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.830839]  ffff8881029cac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.831370] ==================================================================
[   11.832350] ==================================================================
[   11.834371] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   11.835000] Read of size 1 at addr ffff8881029cab78 by task kunit_try_catch/216
[   11.835986] 
[   11.836096] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G    B            N  6.15.6-rc1 #1 PREEMPT(voluntary) 
[   11.836142] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.836154] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.836175] Call Trace:
[   11.836192]  <TASK>
[   11.836209]  dump_stack_lvl+0x73/0xb0
[   11.836236]  print_report+0xd1/0x650
[   11.836260]  ? __virt_addr_valid+0x1db/0x2d0
[   11.836282]  ? ksize_uaf+0x5e4/0x6c0
[   11.836299]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.836322]  ? ksize_uaf+0x5e4/0x6c0
[   11.836340]  kasan_report+0x141/0x180
[   11.836364]  ? ksize_uaf+0x5e4/0x6c0
[   11.836386]  __asan_report_load1_noabort+0x18/0x20
[   11.836407]  ksize_uaf+0x5e4/0x6c0
[   11.836425]  ? __pfx_ksize_uaf+0x10/0x10
[   11.836444]  ? __schedule+0x10cc/0x2b60
[   11.836467]  ? __pfx_read_tsc+0x10/0x10
[   11.836486]  ? ktime_get_ts64+0x86/0x230
[   11.836511]  kunit_try_run_case+0x1a5/0x480
[   11.836534]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.836556]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.836581]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.836607]  ? __kthread_parkme+0x82/0x180
[   11.836629]  ? preempt_count_sub+0x50/0x80
[   11.836734]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.836768]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.836792]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.836815]  kthread+0x337/0x6f0
[   11.836832]  ? trace_preempt_on+0x20/0xc0
[   11.836855]  ? __pfx_kthread+0x10/0x10
[   11.836883]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.836914]  ? calculate_sigpending+0x7b/0xa0
[   11.836936]  ? __pfx_kthread+0x10/0x10
[   11.836954]  ret_from_fork+0x41/0x80
[   11.836974]  ? __pfx_kthread+0x10/0x10
[   11.836993]  ret_from_fork_asm+0x1a/0x30
[   11.837023]  </TASK>
[   11.837034] 
[   11.850207] Allocated by task 216:
[   11.850531]  kasan_save_stack+0x45/0x70
[   11.850784]  kasan_save_track+0x18/0x40
[   11.851144]  kasan_save_alloc_info+0x3b/0x50
[   11.851554]  __kasan_kmalloc+0xb7/0xc0
[   11.851904]  __kmalloc_cache_noprof+0x189/0x420
[   11.852386]  ksize_uaf+0xaa/0x6c0
[   11.852677]  kunit_try_run_case+0x1a5/0x480
[   11.852824]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.853372]  kthread+0x337/0x6f0
[   11.853699]  ret_from_fork+0x41/0x80
[   11.854209]  ret_from_fork_asm+0x1a/0x30
[   11.854588] 
[   11.854762] Freed by task 216:
[   11.855085]  kasan_save_stack+0x45/0x70
[   11.855363]  kasan_save_track+0x18/0x40
[   11.855790]  kasan_save_free_info+0x3f/0x60
[   11.856093]  __kasan_slab_free+0x56/0x70
[   11.856391]  kfree+0x222/0x3f0
[   11.856511]  ksize_uaf+0x12c/0x6c0
[   11.856816]  kunit_try_run_case+0x1a5/0x480
[   11.857289]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.858062]  kthread+0x337/0x6f0
[   11.858266]  ret_from_fork+0x41/0x80
[   11.858401]  ret_from_fork_asm+0x1a/0x30
[   11.858604] 
[   11.858806] The buggy address belongs to the object at ffff8881029cab00
[   11.858806]  which belongs to the cache kmalloc-128 of size 128
[   11.860127] The buggy address is located 120 bytes inside of
[   11.860127]  freed 128-byte region [ffff8881029cab00, ffff8881029cab80)
[   11.860862] 
[   11.861106] The buggy address belongs to the physical page:
[   11.861619] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029ca
[   11.862321] flags: 0x200000000000000(node=0|zone=2)
[   11.862494] page_type: f5(slab)
[   11.862832] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.863619] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.864573] page dumped because: kasan: bad access detected
[   11.865068] 
[   11.865150] Memory state around the buggy address:
[   11.865383]  ffff8881029caa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.866249]  ffff8881029caa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.866653] >ffff8881029cab00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.867152]                                                                 ^
[   11.867373]  ffff8881029cab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.867618]  ffff8881029cac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.868282] ==================================================================
[   11.782431] ==================================================================
[   11.783122] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   11.783396] Read of size 1 at addr ffff8881029cab00 by task kunit_try_catch/216
[   11.783723] 
[   11.783834] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G    B            N  6.15.6-rc1 #1 PREEMPT(voluntary) 
[   11.783902] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.783914] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.783937] Call Trace:
[   11.783950]  <TASK>
[   11.783965]  dump_stack_lvl+0x73/0xb0
[   11.783993]  print_report+0xd1/0x650
[   11.784017]  ? __virt_addr_valid+0x1db/0x2d0
[   11.784040]  ? ksize_uaf+0x19d/0x6c0
[   11.784058]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.784081]  ? ksize_uaf+0x19d/0x6c0
[   11.784100]  kasan_report+0x141/0x180
[   11.784123]  ? ksize_uaf+0x19d/0x6c0
[   11.784144]  ? ksize_uaf+0x19d/0x6c0
[   11.784162]  __kasan_check_byte+0x3d/0x50
[   11.784185]  ksize+0x20/0x60
[   11.784208]  ksize_uaf+0x19d/0x6c0
[   11.784226]  ? __pfx_ksize_uaf+0x10/0x10
[   11.784245]  ? __schedule+0x10cc/0x2b60
[   11.784269]  ? __pfx_read_tsc+0x10/0x10
[   11.784290]  ? ktime_get_ts64+0x86/0x230
[   11.784316]  kunit_try_run_case+0x1a5/0x480
[   11.784338]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.784357]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.784382]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.784407]  ? __kthread_parkme+0x82/0x180
[   11.784429]  ? preempt_count_sub+0x50/0x80
[   11.784454]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.784475]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.784499]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.784585]  kthread+0x337/0x6f0
[   11.784605]  ? trace_preempt_on+0x20/0xc0
[   11.784630]  ? __pfx_kthread+0x10/0x10
[   11.784648]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.784671]  ? calculate_sigpending+0x7b/0xa0
[   11.784693]  ? __pfx_kthread+0x10/0x10
[   11.784712]  ret_from_fork+0x41/0x80
[   11.784732]  ? __pfx_kthread+0x10/0x10
[   11.784751]  ret_from_fork_asm+0x1a/0x30
[   11.784781]  </TASK>
[   11.784792] 
[   11.792291] Allocated by task 216:
[   11.792483]  kasan_save_stack+0x45/0x70
[   11.792708]  kasan_save_track+0x18/0x40
[   11.792921]  kasan_save_alloc_info+0x3b/0x50
[   11.793160]  __kasan_kmalloc+0xb7/0xc0
[   11.793364]  __kmalloc_cache_noprof+0x189/0x420
[   11.793592]  ksize_uaf+0xaa/0x6c0
[   11.793719]  kunit_try_run_case+0x1a5/0x480
[   11.794150]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.794344]  kthread+0x337/0x6f0
[   11.794517]  ret_from_fork+0x41/0x80
[   11.794705]  ret_from_fork_asm+0x1a/0x30
[   11.794988] 
[   11.795065] Freed by task 216:
[   11.795179]  kasan_save_stack+0x45/0x70
[   11.795322]  kasan_save_track+0x18/0x40
[   11.795459]  kasan_save_free_info+0x3f/0x60
[   11.795669]  __kasan_slab_free+0x56/0x70
[   11.795869]  kfree+0x222/0x3f0
[   11.796101]  ksize_uaf+0x12c/0x6c0
[   11.796277]  kunit_try_run_case+0x1a5/0x480
[   11.796485]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.796755]  kthread+0x337/0x6f0
[   11.797032]  ret_from_fork+0x41/0x80
[   11.797210]  ret_from_fork_asm+0x1a/0x30
[   11.797405] 
[   11.797482] The buggy address belongs to the object at ffff8881029cab00
[   11.797482]  which belongs to the cache kmalloc-128 of size 128
[   11.797917] The buggy address is located 0 bytes inside of
[   11.797917]  freed 128-byte region [ffff8881029cab00, ffff8881029cab80)
[   11.798676] 
[   11.798778] The buggy address belongs to the physical page:
[   11.798969] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029ca
[   11.799212] flags: 0x200000000000000(node=0|zone=2)
[   11.799375] page_type: f5(slab)
[   11.799558] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.799920] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.800253] page dumped because: kasan: bad access detected
[   11.800426] 
[   11.800496] Memory state around the buggy address:
[   11.800652]  ffff8881029caa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.800896]  ffff8881029caa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.801408] >ffff8881029cab00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.801729]                    ^
[   11.802086]  ffff8881029cab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.802422]  ffff8881029cac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.802952] ==================================================================