Date
July 15, 2025, 2:09 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64 log:

[ 18.152934] ==================================================================
[ 18.152997] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 18.153169] Read of size 1 at addr fff00000c59e4300 by task kunit_try_catch/198
[ 18.153236]
[ 18.153454] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.7-rc1 #1 PREEMPT
[ 18.153592] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.153825] Hardware name: linux,dummy-virt (DT)
[ 18.153955] Call trace:
[ 18.154026]  show_stack+0x20/0x38 (C)
[ 18.154094]  dump_stack_lvl+0x8c/0xd0
[ 18.154365]  print_report+0x118/0x5d0
[ 18.154576]  kasan_report+0xdc/0x128
[ 18.154666]  __asan_report_load1_noabort+0x20/0x30
[ 18.154827]  ksize_uaf+0x598/0x5f8
[ 18.154916]  kunit_try_run_case+0x170/0x3f0
[ 18.155052]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.155105]  kthread+0x328/0x630
[ 18.155311]  ret_from_fork+0x10/0x20
[ 18.155477]
[ 18.155626] Allocated by task 198:
[ 18.155683]  kasan_save_stack+0x3c/0x68
[ 18.155815]  kasan_save_track+0x20/0x40
[ 18.155897]  kasan_save_alloc_info+0x40/0x58
[ 18.156012]  __kasan_kmalloc+0xd4/0xd8
[ 18.156169]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.156408]  ksize_uaf+0xb8/0x5f8
[ 18.156531]  kunit_try_run_case+0x170/0x3f0
[ 18.156637]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.156732]  kthread+0x328/0x630
[ 18.156869]  ret_from_fork+0x10/0x20
[ 18.156931]
[ 18.157120] Freed by task 198:
[ 18.157217]  kasan_save_stack+0x3c/0x68
[ 18.157438]  kasan_save_track+0x20/0x40
[ 18.157566]  kasan_save_free_info+0x4c/0x78
[ 18.157648]  __kasan_slab_free+0x6c/0x98
[ 18.157825]  kfree+0x214/0x3c8
[ 18.157858]  ksize_uaf+0x11c/0x5f8
[ 18.157908]  kunit_try_run_case+0x170/0x3f0
[ 18.157961]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.158145]  kthread+0x328/0x630
[ 18.158646]  ret_from_fork+0x10/0x20
[ 18.158709]
[ 18.158774] The buggy address belongs to the object at fff00000c59e4300
[ 18.158774]  which belongs to the cache kmalloc-128 of size 128
[ 18.158840] The buggy address is located 0 bytes inside of
[ 18.158840]  freed 128-byte region [fff00000c59e4300, fff00000c59e4380)
[ 18.159282]
[ 18.159362] The buggy address belongs to the physical page:
[ 18.159635] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059e4
[ 18.159736] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.159959] page_type: f5(slab)
[ 18.160025] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 18.160446] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.160522] page dumped because: kasan: bad access detected
[ 18.160619]
[ 18.160721] Memory state around the buggy address:
[ 18.160829]  fff00000c59e4200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.160905]  fff00000c59e4280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.161050] >fff00000c59e4300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.161139]                    ^
[ 18.161393]  fff00000c59e4380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.161567]  fff00000c59e4400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.161703] ==================================================================
[ 18.162925] ==================================================================
[ 18.162997] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 18.163062] Read of size 1 at addr fff00000c59e4378 by task kunit_try_catch/198
[ 18.163115]
[ 18.163152] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.7-rc1 #1 PREEMPT
[ 18.163250] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.163276] Hardware name: linux,dummy-virt (DT)
[ 18.163316] Call trace:
[ 18.163340]  show_stack+0x20/0x38 (C)
[ 18.163386]  dump_stack_lvl+0x8c/0xd0
[ 18.163433]  print_report+0x118/0x5d0
[ 18.163485]  kasan_report+0xdc/0x128
[ 18.163537]  __asan_report_load1_noabort+0x20/0x30
[ 18.163586]  ksize_uaf+0x544/0x5f8
[ 18.163633]  kunit_try_run_case+0x170/0x3f0
[ 18.163679]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.163737]  kthread+0x328/0x630
[ 18.163793]  ret_from_fork+0x10/0x20
[ 18.163843]
[ 18.163862] Allocated by task 198:
[ 18.163891]  kasan_save_stack+0x3c/0x68
[ 18.163929]  kasan_save_track+0x20/0x40
[ 18.163966]  kasan_save_alloc_info+0x40/0x58
[ 18.164005]  __kasan_kmalloc+0xd4/0xd8
[ 18.164049]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.164097]  ksize_uaf+0xb8/0x5f8
[ 18.164146]  kunit_try_run_case+0x170/0x3f0
[ 18.164195]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.164641]  kthread+0x328/0x630
[ 18.164705]  ret_from_fork+0x10/0x20
[ 18.164775]
[ 18.164797] Freed by task 198:
[ 18.165279]  kasan_save_stack+0x3c/0x68
[ 18.165362]  kasan_save_track+0x20/0x40
[ 18.165647]  kasan_save_free_info+0x4c/0x78
[ 18.165819]  __kasan_slab_free+0x6c/0x98
[ 18.166024]  kfree+0x214/0x3c8
[ 18.166222]  ksize_uaf+0x11c/0x5f8
[ 18.166474]  kunit_try_run_case+0x170/0x3f0
[ 18.166569]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.166768]  kthread+0x328/0x630
[ 18.167075]  ret_from_fork+0x10/0x20
[ 18.167373]
[ 18.167512] The buggy address belongs to the object at fff00000c59e4300
[ 18.167512]  which belongs to the cache kmalloc-128 of size 128
[ 18.167914] The buggy address is located 120 bytes inside of
[ 18.167914]  freed 128-byte region [fff00000c59e4300, fff00000c59e4380)
[ 18.168154]
[ 18.168252] The buggy address belongs to the physical page:
[ 18.168424] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059e4
[ 18.168620] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.168796] page_type: f5(slab)
[ 18.168892] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 18.169029] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.169074] page dumped because: kasan: bad access detected
[ 18.169153]
[ 18.169351] Memory state around the buggy address:
[ 18.169538]  fff00000c59e4200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.169771]  fff00000c59e4280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.169902] >fff00000c59e4300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.169988]                                                                 ^
[ 18.170057]  fff00000c59e4380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.170230]  fff00000c59e4400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.170447] ==================================================================
[ 18.143533] ==================================================================
[ 18.143892] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 18.143964] Read of size 1 at addr fff00000c59e4300 by task kunit_try_catch/198
[ 18.144399]
[ 18.144495] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.7-rc1 #1 PREEMPT
[ 18.144639] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.144667] Hardware name: linux,dummy-virt (DT)
[ 18.144726] Call trace:
[ 18.144765]  show_stack+0x20/0x38 (C)
[ 18.145026]  dump_stack_lvl+0x8c/0xd0
[ 18.145256]  print_report+0x118/0x5d0
[ 18.145317]  kasan_report+0xdc/0x128
[ 18.145401]  __kasan_check_byte+0x54/0x70
[ 18.145520]  ksize+0x30/0x88
[ 18.145596]  ksize_uaf+0x168/0x5f8
[ 18.145653]  kunit_try_run_case+0x170/0x3f0
[ 18.145703]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.145755]  kthread+0x328/0x630
[ 18.145915]  ret_from_fork+0x10/0x20
[ 18.146291]
[ 18.146378] Allocated by task 198:
[ 18.146456]  kasan_save_stack+0x3c/0x68
[ 18.146610]  kasan_save_track+0x20/0x40
[ 18.146697]  kasan_save_alloc_info+0x40/0x58
[ 18.146813]  __kasan_kmalloc+0xd4/0xd8
[ 18.146885]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.146943]  ksize_uaf+0xb8/0x5f8
[ 18.147141]  kunit_try_run_case+0x170/0x3f0
[ 18.147470]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.147605]  kthread+0x328/0x630
[ 18.147701]  ret_from_fork+0x10/0x20
[ 18.147821]
[ 18.147887] Freed by task 198:
[ 18.147933]  kasan_save_stack+0x3c/0x68
[ 18.148002]  kasan_save_track+0x20/0x40
[ 18.148242]  kasan_save_free_info+0x4c/0x78
[ 18.148281]  __kasan_slab_free+0x6c/0x98
[ 18.148465]  kfree+0x214/0x3c8
[ 18.148509]  ksize_uaf+0x11c/0x5f8
[ 18.148554]  kunit_try_run_case+0x170/0x3f0
[ 18.148596]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.148642]  kthread+0x328/0x630
[ 18.148679]  ret_from_fork+0x10/0x20
[ 18.148716]
[ 18.148735] The buggy address belongs to the object at fff00000c59e4300
[ 18.148735]  which belongs to the cache kmalloc-128 of size 128
[ 18.148807] The buggy address is located 0 bytes inside of
[ 18.148807]  freed 128-byte region [fff00000c59e4300, fff00000c59e4380)
[ 18.148872]
[ 18.148901] The buggy address belongs to the physical page:
[ 18.148955] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059e4
[ 18.149021] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.149083] page_type: f5(slab)
[ 18.149131] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 18.149193] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.149273] page dumped because: kasan: bad access detected
[ 18.149318]
[ 18.149551] Memory state around the buggy address:
[ 18.149620]  fff00000c59e4200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.149869]  fff00000c59e4280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.150070] >fff00000c59e4300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.150386]                    ^
[ 18.150706]  fff00000c59e4380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.151042]  fff00000c59e4400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.151157] ==================================================================
qemu-x86_64 log:

[ 11.463390] ==================================================================
[ 11.463943] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 11.464222] Read of size 1 at addr ffff888102f2af00 by task kunit_try_catch/215
[ 11.464502]
[ 11.464617] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.15.7-rc1 #1 PREEMPT(voluntary)
[ 11.464670] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.464681] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.464698] Call Trace:
[ 11.464710]  <TASK>
[ 11.464724]  dump_stack_lvl+0x73/0xb0
[ 11.464747]  print_report+0xd1/0x610
[ 11.464769]  ? __virt_addr_valid+0x1db/0x2d0
[ 11.464789]  ? ksize_uaf+0x19d/0x6c0
[ 11.464809]  ? kasan_complete_mode_report_info+0x64/0x200
[ 11.464832]  ? ksize_uaf+0x19d/0x6c0
[ 11.464852]  kasan_report+0x141/0x180
[ 11.464874]  ? ksize_uaf+0x19d/0x6c0
[ 11.464908]  ? ksize_uaf+0x19d/0x6c0
[ 11.464929]  __kasan_check_byte+0x3d/0x50
[ 11.464950]  ksize+0x20/0x60
[ 11.464971]  ksize_uaf+0x19d/0x6c0
[ 11.464991]  ? __pfx_ksize_uaf+0x10/0x10
[ 11.465012]  ? __schedule+0x10cc/0x2b60
[ 11.465035]  ? __pfx_read_tsc+0x10/0x10
[ 11.465053]  ? ktime_get_ts64+0x86/0x230
[ 11.465076]  kunit_try_run_case+0x1a5/0x480
[ 11.465096]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.465113]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.465140]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.465162]  ? __kthread_parkme+0x82/0x180
[ 11.465183]  ? preempt_count_sub+0x50/0x80
[ 11.465207]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.465226]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.465247]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.465269]  kthread+0x337/0x6f0
[ 11.465285]  ? trace_preempt_on+0x20/0xc0
[ 11.465306]  ? __pfx_kthread+0x10/0x10
[ 11.465323]  ? _raw_spin_unlock_irq+0x47/0x80
[ 11.465344]  ? calculate_sigpending+0x7b/0xa0
[ 11.465364]  ? __pfx_kthread+0x10/0x10
[ 11.465381]  ret_from_fork+0x41/0x80
[ 11.465400]  ? __pfx_kthread+0x10/0x10
[ 11.465417]  ret_from_fork_asm+0x1a/0x30
[ 11.465446]  </TASK>
[ 11.465456]
[ 11.472593] Allocated by task 215:
[ 11.472790]  kasan_save_stack+0x45/0x70
[ 11.473103]  kasan_save_track+0x18/0x40
[ 11.473281]  kasan_save_alloc_info+0x3b/0x50
[ 11.473429]  __kasan_kmalloc+0xb7/0xc0
[ 11.473560]  __kmalloc_cache_noprof+0x189/0x420
[ 11.473711]  ksize_uaf+0xaa/0x6c0
[ 11.473860]  kunit_try_run_case+0x1a5/0x480
[ 11.474302]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.474708]  kthread+0x337/0x6f0
[ 11.474824]  ret_from_fork+0x41/0x80
[ 11.475131]  ret_from_fork_asm+0x1a/0x30
[ 11.475426]
[ 11.475495] Freed by task 215:
[ 11.475602]  kasan_save_stack+0x45/0x70
[ 11.475788]  kasan_save_track+0x18/0x40
[ 11.475989]  kasan_save_free_info+0x3f/0x60
[ 11.476284]  __kasan_slab_free+0x56/0x70
[ 11.476458]  kfree+0x222/0x3f0
[ 11.476855]  ksize_uaf+0x12c/0x6c0
[ 11.477777]  kunit_try_run_case+0x1a5/0x480
[ 11.478870]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.479070]  kthread+0x337/0x6f0
[ 11.479190]  ret_from_fork+0x41/0x80
[ 11.479318]  ret_from_fork_asm+0x1a/0x30
[ 11.479453]
[ 11.479523] The buggy address belongs to the object at ffff888102f2af00
[ 11.479523]  which belongs to the cache kmalloc-128 of size 128
[ 11.479897] The buggy address is located 0 bytes inside of
[ 11.479897]  freed 128-byte region [ffff888102f2af00, ffff888102f2af80)
[ 11.480241]
[ 11.480312] The buggy address belongs to the physical page:
[ 11.480570] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102f2a
[ 11.481202] flags: 0x200000000000000(node=0|zone=2)
[ 11.481662] page_type: f5(slab)
[ 11.482085] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 11.482509] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 11.482969] page dumped because: kasan: bad access detected
[ 11.483197]
[ 11.483290] Memory state around the buggy address:
[ 11.483496]  ffff888102f2ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.483953]  ffff888102f2ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.484249] >ffff888102f2af00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.484532]                    ^
[ 11.484973]  ffff888102f2af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.485278]  ffff888102f2b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.485557] ==================================================================
[ 11.486547] ==================================================================
[ 11.486990] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 11.487278] Read of size 1 at addr ffff888102f2af00 by task kunit_try_catch/215
[ 11.487585]
[ 11.487788] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.15.7-rc1 #1 PREEMPT(voluntary)
[ 11.487833] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.487861] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.487889] Call Trace:
[ 11.487902]  <TASK>
[ 11.487916]  dump_stack_lvl+0x73/0xb0
[ 11.487941]  print_report+0xd1/0x610
[ 11.487963]  ? __virt_addr_valid+0x1db/0x2d0
[ 11.487983]  ? ksize_uaf+0x5fe/0x6c0
[ 11.488003]  ? kasan_complete_mode_report_info+0x64/0x200
[ 11.488046]  ? ksize_uaf+0x5fe/0x6c0
[ 11.488066]  kasan_report+0x141/0x180
[ 11.488087]  ? ksize_uaf+0x5fe/0x6c0
[ 11.488113]  __asan_report_load1_noabort+0x18/0x20
[ 11.488132]  ksize_uaf+0x5fe/0x6c0
[ 11.488152]  ? __pfx_ksize_uaf+0x10/0x10
[ 11.488173]  ? __schedule+0x10cc/0x2b60
[ 11.488195]  ? __pfx_read_tsc+0x10/0x10
[ 11.488214]  ? ktime_get_ts64+0x86/0x230
[ 11.488239]  kunit_try_run_case+0x1a5/0x480
[ 11.488277]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.488296]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.488319]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.488343]  ? __kthread_parkme+0x82/0x180
[ 11.488364]  ? preempt_count_sub+0x50/0x80
[ 11.488390]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.488409]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.488446]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.488468]  kthread+0x337/0x6f0
[ 11.488484]  ? trace_preempt_on+0x20/0xc0
[ 11.488507]  ? __pfx_kthread+0x10/0x10
[ 11.488524]  ? _raw_spin_unlock_irq+0x47/0x80
[ 11.488545]  ? calculate_sigpending+0x7b/0xa0
[ 11.488565]  ? __pfx_kthread+0x10/0x10
[ 11.488582]  ret_from_fork+0x41/0x80
[ 11.488602]  ? __pfx_kthread+0x10/0x10
[ 11.488619]  ret_from_fork_asm+0x1a/0x30
[ 11.488650]  </TASK>
[ 11.488659]
[ 11.498666] Allocated by task 215:
[ 11.499119]  kasan_save_stack+0x45/0x70
[ 11.499403]  kasan_save_track+0x18/0x40
[ 11.499685]  kasan_save_alloc_info+0x3b/0x50
[ 11.500023]  __kasan_kmalloc+0xb7/0xc0
[ 11.500206]  __kmalloc_cache_noprof+0x189/0x420
[ 11.500410]  ksize_uaf+0xaa/0x6c0
[ 11.500571]  kunit_try_run_case+0x1a5/0x480
[ 11.501073]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.501369]  kthread+0x337/0x6f0
[ 11.501651]  ret_from_fork+0x41/0x80
[ 11.501970]  ret_from_fork_asm+0x1a/0x30
[ 11.502342]
[ 11.502556] Freed by task 215:
[ 11.502938]  kasan_save_stack+0x45/0x70
[ 11.503136]  kasan_save_track+0x18/0x40
[ 11.503314]  kasan_save_free_info+0x3f/0x60
[ 11.503502]  __kasan_slab_free+0x56/0x70
[ 11.503681]  kfree+0x222/0x3f0
[ 11.504153]  ksize_uaf+0x12c/0x6c0
[ 11.504360]  kunit_try_run_case+0x1a5/0x480
[ 11.504706]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.505207]  kthread+0x337/0x6f0
[ 11.505425]  ret_from_fork+0x41/0x80
[ 11.505736]  ret_from_fork_asm+0x1a/0x30
[ 11.505936]
[ 11.506025] The buggy address belongs to the object at ffff888102f2af00
[ 11.506025]  which belongs to the cache kmalloc-128 of size 128
[ 11.506515] The buggy address is located 0 bytes inside of
[ 11.506515]  freed 128-byte region [ffff888102f2af00, ffff888102f2af80)
[ 11.507396]
[ 11.507589] The buggy address belongs to the physical page:
[ 11.508197] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102f2a
[ 11.508926] flags: 0x200000000000000(node=0|zone=2)
[ 11.509176] page_type: f5(slab)
[ 11.509335] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 11.509639] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 11.510503] page dumped because: kasan: bad access detected
[ 11.511049]
[ 11.511288] Memory state around the buggy address:
[ 11.511617]  ffff888102f2ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.512207]  ffff888102f2ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.512507] >ffff888102f2af00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.513104]                    ^
[ 11.513413]  ffff888102f2af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.513968]  ffff888102f2b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.514396] ==================================================================
[ 11.515362] ==================================================================
[ 11.515684] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 11.516162] Read of size 1 at addr ffff888102f2af78 by task kunit_try_catch/215
[ 11.516675]
[ 11.516974] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.15.7-rc1 #1 PREEMPT(voluntary)
[ 11.517020] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.517032] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.517050] Call Trace:
[ 11.517062]  <TASK>
[ 11.517179]  dump_stack_lvl+0x73/0xb0
[ 11.517213]  print_report+0xd1/0x610
[ 11.517235]  ? __virt_addr_valid+0x1db/0x2d0
[ 11.517255]  ? ksize_uaf+0x5e4/0x6c0
[ 11.517275]  ? kasan_complete_mode_report_info+0x64/0x200
[ 11.517296]  ? ksize_uaf+0x5e4/0x6c0
[ 11.517317]  kasan_report+0x141/0x180
[ 11.517346]  ? ksize_uaf+0x5e4/0x6c0
[ 11.517372]  __asan_report_load1_noabort+0x18/0x20
[ 11.517392]  ksize_uaf+0x5e4/0x6c0
[ 11.517411]  ? __pfx_ksize_uaf+0x10/0x10
[ 11.517433]  ? __schedule+0x10cc/0x2b60
[ 11.517454]  ? __pfx_read_tsc+0x10/0x10
[ 11.517472]  ? ktime_get_ts64+0x86/0x230
[ 11.517496]  kunit_try_run_case+0x1a5/0x480
[ 11.517516]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.517533]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.517555]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.517578]  ? __kthread_parkme+0x82/0x180
[ 11.517597]  ? preempt_count_sub+0x50/0x80
[ 11.517621]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.517639]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.517661]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.517709]  kthread+0x337/0x6f0
[ 11.517726]  ? trace_preempt_on+0x20/0xc0
[ 11.517748]  ? __pfx_kthread+0x10/0x10
[ 11.517765]  ? _raw_spin_unlock_irq+0x47/0x80
[ 11.517786]  ? calculate_sigpending+0x7b/0xa0
[ 11.517805]  ? __pfx_kthread+0x10/0x10
[ 11.517822]  ret_from_fork+0x41/0x80
[ 11.517841]  ? __pfx_kthread+0x10/0x10
[ 11.517858]  ret_from_fork_asm+0x1a/0x30
[ 11.517897]  </TASK>
[ 11.517907]
[ 11.528380] Allocated by task 215:
[ 11.528554]  kasan_save_stack+0x45/0x70
[ 11.528745]  kasan_save_track+0x18/0x40
[ 11.529281]  kasan_save_alloc_info+0x3b/0x50
[ 11.529526]  __kasan_kmalloc+0xb7/0xc0
[ 11.529824]  __kmalloc_cache_noprof+0x189/0x420
[ 11.530379]  ksize_uaf+0xaa/0x6c0
[ 11.530615]  kunit_try_run_case+0x1a5/0x480
[ 11.530939]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.531539]  kthread+0x337/0x6f0
[ 11.531735]  ret_from_fork+0x41/0x80
[ 11.532058]  ret_from_fork_asm+0x1a/0x30
[ 11.532258]
[ 11.532350] Freed by task 215:
[ 11.532498]  kasan_save_stack+0x45/0x70
[ 11.532677]  kasan_save_track+0x18/0x40
[ 11.533181]  kasan_save_free_info+0x3f/0x60
[ 11.533497]  __kasan_slab_free+0x56/0x70
[ 11.533930]  kfree+0x222/0x3f0
[ 11.534233]  ksize_uaf+0x12c/0x6c0
[ 11.534549]  kunit_try_run_case+0x1a5/0x480
[ 11.535084]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.535332]  kthread+0x337/0x6f0
[ 11.535489]  ret_from_fork+0x41/0x80
[ 11.535661]  ret_from_fork_asm+0x1a/0x30
[ 11.536056]
[ 11.536276] The buggy address belongs to the object at ffff888102f2af00
[ 11.536276]  which belongs to the cache kmalloc-128 of size 128
[ 11.537374] The buggy address is located 120 bytes inside of
[ 11.537374]  freed 128-byte region [ffff888102f2af00, ffff888102f2af80)
[ 11.538340]
[ 11.538453] The buggy address belongs to the physical page:
[ 11.538962] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102f2a
[ 11.539416] flags: 0x200000000000000(node=0|zone=2)
[ 11.539639] page_type: f5(slab)
[ 11.540141] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 11.540585] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 11.541324] page dumped because: kasan: bad access detected
[ 11.541565]
[ 11.541651] Memory state around the buggy address:
[ 11.542163]  ffff888102f2ae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.542600]  ffff888102f2ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.543300] >ffff888102f2af00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.543831]                                                                 ^
[ 11.544337]  ffff888102f2af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.544644]  ffff888102f2b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.545221] ==================================================================
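Both environments show the same three reports from one `ksize_uaf` run on a freed kmalloc-128 object: the first is raised by `ksize()` itself through `__kasan_check_byte` (offset 0), the other two by one-byte reads at offset 0 and offset 120 of the freed region, reported through `__asan_report_load1_noabort`. Three reports appear rather than one because the KASAN KUnit suite enables multi-shot reporting. The shadow rows tell the same story: in the generic KASAN encoding, one shadow byte covers an 8-byte granule, `0xfb` marks a freed slab object, `0xfa` the freed object's granule that also holds the free-track metadata, and `0xfc` the slab redzone on either side. The helper below is an added illustration, not part of this report and not the kernel's test code; it parses a constructed subset of the qemu-arm64 report at `ksize_uaf+0x544/0x5f8`, recomputes the "located N bytes inside of" figure from the addresses, and decodes the shadow byte under the faulting address. It assumes that generic encoding (the granule size and the `0xfa`/`0xfb`/`0xfc` values) and the dmesg line formats visible above.

```c
/* kasan_triage.c: pull the triage fields out of a generic KASAN slab-use-after-free
 * report and decode the shadow byte under the faulting address. Added illustration
 * for this page, not kernel code. Sample lines are copied from the qemu-arm64 report
 * above (ksize_uaf+0x544/0x5f8), trimmed to the lines this tool reads. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define GRANULE 8       /* generic KASAN: one shadow byte per 8-byte granule (assumed) */
#define NB      16      /* each "Memory state" row shows 16 granules = 128 bytes */

struct shadow_row { uint64_t base; unsigned char b[NB]; };
struct kasan_report {
    char bug[32], site[64], access[8];  /* bug type, reporting frame, Read/Write */
    unsigned size;                      /* access width in bytes */
    uint64_t addr, obj_start, obj_end;  /* faulting address, freed object [start, end) */
    struct shadow_row rows[8];
    int nrows;
};

/* Drop a leading "[ 18.163062] " dmesg timestamp, if present. */
static const char *strip_ts(const char *s)
{
    const char *p = (*s == '[') ? strstr(s, "] ") : NULL;
    return p ? p + 2 : s;
}

/* Shadow byte meaning in the generic KASAN encoding (mm/kasan/kasan.h). */
const char *shadow_meaning(int b)
{
    if (b < 0)       return "not covered by the dumped rows";
    if (b == 0)      return "accessible";
    if (b < GRANULE) return "partially accessible (only the first b bytes of the granule)";
    if (b == 0xfa)   return "freed slab object (granule also holds the free track)";
    if (b == 0xfb)   return "freed slab object";
    if (b == 0xfc)   return "slab redzone";
    return "other poison";
}

/* Returns 0 once the BUG line, the access line and the freed region were all seen. */
int parse_kasan_report(const char **lines, int n, struct kasan_report *r)
{
    int found = 0;
    memset(r, 0, sizeof *r);
    for (int i = 0; i < n; i++) {
        const char *l = strip_ts(lines[i]);
        char acc[8], *end;
        unsigned long long a, s, e;
        if (sscanf(l, " BUG: KASAN: %31s in %63s", r->bug, r->site) == 2) { found |= 1; continue; }
        if (sscanf(l, " %7s of size %u at addr %llx", acc, &r->size, &a) == 3) {
            strcpy(r->access, acc); r->addr = a; found |= 2; continue;
        }
        if (sscanf(l, " freed %*u-byte region [%llx, %llx)", &s, &e) == 2) {
            r->obj_start = s; r->obj_end = e; found |= 4; continue;
        }
        /* Shadow row: optional '>' marker, hex base, ':', then 16 hex bytes. */
        if (*l == '>') l++;
        a = strtoull(l, &end, 16);
        if (end == l || *end != ':' || r->nrows >= 8) continue;
        struct shadow_row *row = &r->rows[r->nrows];
        int k = 0;
        for (l = end + 1; k < NB; l = end, k++) {
            unsigned long v = strtoul(l, &end, 16);
            if (end == l) break;
            row->b[k] = (unsigned char)v;
        }
        if (k == NB) { row->base = a; r->nrows++; }
    }
    return found == 7 ? 0 : -1;
}

/* Shadow byte covering addr, taken from the dumped rows; -1 if none covers it. */
int shadow_at(const struct kasan_report *r, uint64_t addr)
{
    for (int i = 0; i < r->nrows; i++)
        if (addr >= r->rows[i].base && addr - r->rows[i].base < NB * GRANULE)
            return r->rows[i].b[(addr - r->rows[i].base) / GRANULE];
    return -1;
}

/* The "located N bytes inside of" figure: access offset from the object start. */
int64_t offset_in_object(const struct kasan_report *r)
{
    return (int64_t)(r->addr - r->obj_start);
}

/* Constructed input: lines copied from the qemu-arm64 report at ksize_uaf+0x544/0x5f8. */
static const char *sample[] = {
    "[ 18.162997] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8",
    "[ 18.163062] Read of size 1 at addr fff00000c59e4378 by task kunit_try_catch/198",
    "[ 18.163316] Call trace:",
    "[ 18.163586]  ksize_uaf+0x544/0x5f8",
    "[ 18.167914]  freed 128-byte region [fff00000c59e4300, fff00000c59e4380)",
    "[ 18.169538]  fff00000c59e4200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    "[ 18.169771]  fff00000c59e4280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    "[ 18.169902] >fff00000c59e4300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    "[ 18.169988]                                                                 ^",
    "[ 18.170057]  fff00000c59e4380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    "[ 18.170230]  fff00000c59e4400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
};
#define SAMPLE_N ((int)(sizeof sample / sizeof sample[0]))

int main(void)
{
    struct kasan_report r;
    if (parse_kasan_report(sample, SAMPLE_N, &r) != 0)
        return fprintf(stderr, "incomplete KASAN report\n"), 1;
    int sb = shadow_at(&r, r.addr);
    printf("%s in %s: %s of %u byte(s) at 0x%llx, %lld bytes into [0x%llx, 0x%llx)\n",
           r.bug, r.site, r.access, r.size, (unsigned long long)r.addr,
           (long long)offset_in_object(&r), (unsigned long long)r.obj_start,
           (unsigned long long)r.obj_end);
    printf("shadow 0x%02x: %s\n", sb, shadow_meaning(sb));
    return 0;
}
```

Run against the sample it reports the access 120 bytes into the freed object with shadow byte `0xfb`; pointing it at the first report instead (address `fff00000c59e4300`) lands on the `0xfa` granule, and anything in the surrounding `fc` rows would be a redzone hit rather than a use-after-free. The same parser works on the qemu-x86_64 rows above, since only the addresses differ.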