Hay
Sign in
Date
July 22, 2025, 2:40 p.m.

Environment
qemu-arm64
qemu-x86_64 

[   17.476908] ==================================================================
[   17.477248] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   17.477322] Read of size 1 at addr fff00000c6fb0a78 by task kunit_try_catch/198
[   17.477474] 
[   17.477534] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G    B            N  6.15.8-rc1 #1 PREEMPT 
[   17.477687] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.477728] Hardware name: linux,dummy-virt (DT)
[   17.477763] Call trace:
[   17.477946]  show_stack+0x20/0x38 (C)
[   17.478120]  dump_stack_lvl+0x8c/0xd0
[   17.478184]  print_report+0x118/0x5d0
[   17.478238]  kasan_report+0xdc/0x128
[   17.478290]  __asan_report_load1_noabort+0x20/0x30
[   17.478341]  ksize_uaf+0x544/0x5f8
[   17.478387]  kunit_try_run_case+0x170/0x3f0
[   17.478434]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.478483]  kthread+0x328/0x630
[   17.478623]  ret_from_fork+0x10/0x20
[   17.478679] 
[   17.478698] Allocated by task 198:
[   17.479773]  kasan_save_stack+0x3c/0x68
[   17.479845]  kasan_save_track+0x20/0x40
[   17.479937]  kasan_save_alloc_info+0x40/0x58
[   17.480049]  __kasan_kmalloc+0xd4/0xd8
[   17.480147]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.480322]  ksize_uaf+0xb8/0x5f8
[   17.480487]  kunit_try_run_case+0x170/0x3f0
[   17.480876]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.481268]  kthread+0x328/0x630
[   17.481372]  ret_from_fork+0x10/0x20
[   17.481504] 
[   17.481695] Freed by task 198:
[   17.481813]  kasan_save_stack+0x3c/0x68
[   17.481932]  kasan_save_track+0x20/0x40
[   17.482085]  kasan_save_free_info+0x4c/0x78
[   17.482183]  __kasan_slab_free+0x6c/0x98
[   17.482274]  kfree+0x214/0x3c8
[   17.482363]  ksize_uaf+0x11c/0x5f8
[   17.482475]  kunit_try_run_case+0x170/0x3f0
[   17.482562]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.482881]  kthread+0x328/0x630
[   17.483050]  ret_from_fork+0x10/0x20
[   17.483129] 
[   17.483169] The buggy address belongs to the object at fff00000c6fb0a00
[   17.483169]  which belongs to the cache kmalloc-128 of size 128
[   17.483376] The buggy address is located 120 bytes inside of
[   17.483376]  freed 128-byte region [fff00000c6fb0a00, fff00000c6fb0a80)
[   17.483638] 
[   17.483672] The buggy address belongs to the physical page:
[   17.483740] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fb0
[   17.483805] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.483856] page_type: f5(slab)
[   17.483919] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.483970] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.484011] page dumped because: kasan: bad access detected
[   17.484044] 
[   17.484071] Memory state around the buggy address:
[   17.484100]  fff00000c6fb0900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.484152]  fff00000c6fb0980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.484204] >fff00000c6fb0a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.484241]                                                                 ^
[   17.484301]  fff00000c6fb0a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.484343]  fff00000c6fb0b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.484381] ==================================================================
[   17.466517] ==================================================================
[   17.466843] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   17.467008] Read of size 1 at addr fff00000c6fb0a00 by task kunit_try_catch/198
[   17.467162] 
[   17.467201] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G    B            N  6.15.8-rc1 #1 PREEMPT 
[   17.467390] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.467457] Hardware name: linux,dummy-virt (DT)
[   17.467514] Call trace:
[   17.467542]  show_stack+0x20/0x38 (C)
[   17.467591]  dump_stack_lvl+0x8c/0xd0
[   17.468025]  print_report+0x118/0x5d0
[   17.468184]  kasan_report+0xdc/0x128
[   17.468273]  __asan_report_load1_noabort+0x20/0x30
[   17.468429]  ksize_uaf+0x598/0x5f8
[   17.468519]  kunit_try_run_case+0x170/0x3f0
[   17.468911]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.469088]  kthread+0x328/0x630
[   17.469174]  ret_from_fork+0x10/0x20
[   17.469337] 
[   17.469401] Allocated by task 198:
[   17.469484]  kasan_save_stack+0x3c/0x68
[   17.469547]  kasan_save_track+0x20/0x40
[   17.469582]  kasan_save_alloc_info+0x40/0x58
[   17.469803]  __kasan_kmalloc+0xd4/0xd8
[   17.470131]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.470217]  ksize_uaf+0xb8/0x5f8
[   17.470370]  kunit_try_run_case+0x170/0x3f0
[   17.470452]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.470783]  kthread+0x328/0x630
[   17.471002]  ret_from_fork+0x10/0x20
[   17.471091] 
[   17.471140] Freed by task 198:
[   17.471256]  kasan_save_stack+0x3c/0x68
[   17.471326]  kasan_save_track+0x20/0x40
[   17.471544]  kasan_save_free_info+0x4c/0x78
[   17.471665]  __kasan_slab_free+0x6c/0x98
[   17.471951]  kfree+0x214/0x3c8
[   17.472263]  ksize_uaf+0x11c/0x5f8
[   17.472324]  kunit_try_run_case+0x170/0x3f0
[   17.472697]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.472784]  kthread+0x328/0x630
[   17.472904]  ret_from_fork+0x10/0x20
[   17.472981] 
[   17.473119] The buggy address belongs to the object at fff00000c6fb0a00
[   17.473119]  which belongs to the cache kmalloc-128 of size 128
[   17.473207] The buggy address is located 0 bytes inside of
[   17.473207]  freed 128-byte region [fff00000c6fb0a00, fff00000c6fb0a80)
[   17.473426] 
[   17.473490] The buggy address belongs to the physical page:
[   17.473690] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fb0
[   17.473771] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.473903] page_type: f5(slab)
[   17.473972] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.474085] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.474129] page dumped because: kasan: bad access detected
[   17.474561] 
[   17.474627] Memory state around the buggy address:
[   17.474753]  fff00000c6fb0900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.474846]  fff00000c6fb0980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.474967] >fff00000c6fb0a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.475015]                    ^
[   17.475042]  fff00000c6fb0a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.475344]  fff00000c6fb0b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.475526] ==================================================================
[   17.455288] ==================================================================
[   17.455495] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   17.455586] Read of size 1 at addr fff00000c6fb0a00 by task kunit_try_catch/198
[   17.455916] 
[   17.455984] CPU: 0 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G    B            N  6.15.8-rc1 #1 PREEMPT 
[   17.456412] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.456452] Hardware name: linux,dummy-virt (DT)
[   17.456510] Call trace:
[   17.456580]  show_stack+0x20/0x38 (C)
[   17.456792]  dump_stack_lvl+0x8c/0xd0
[   17.457186]  print_report+0x118/0x5d0
[   17.457360]  kasan_report+0xdc/0x128
[   17.457415]  __kasan_check_byte+0x54/0x70
[   17.457676]  ksize+0x30/0x88
[   17.457906]  ksize_uaf+0x168/0x5f8
[   17.458005]  kunit_try_run_case+0x170/0x3f0
[   17.458404]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.458550]  kthread+0x328/0x630
[   17.458639]  ret_from_fork+0x10/0x20
[   17.458965] 
[   17.459041] Allocated by task 198:
[   17.459139]  kasan_save_stack+0x3c/0x68
[   17.459240]  kasan_save_track+0x20/0x40
[   17.459308]  kasan_save_alloc_info+0x40/0x58
[   17.459490]  __kasan_kmalloc+0xd4/0xd8
[   17.459646]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.459857]  ksize_uaf+0xb8/0x5f8
[   17.459914]  kunit_try_run_case+0x170/0x3f0
[   17.460121]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.460343]  kthread+0x328/0x630
[   17.460458]  ret_from_fork+0x10/0x20
[   17.460535] 
[   17.460583] Freed by task 198:
[   17.460611]  kasan_save_stack+0x3c/0x68
[   17.460691]  kasan_save_track+0x20/0x40
[   17.460729]  kasan_save_free_info+0x4c/0x78
[   17.460766]  __kasan_slab_free+0x6c/0x98
[   17.460813]  kfree+0x214/0x3c8
[   17.460843]  ksize_uaf+0x11c/0x5f8
[   17.460888]  kunit_try_run_case+0x170/0x3f0
[   17.460926]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.460968]  kthread+0x328/0x630
[   17.461003]  ret_from_fork+0x10/0x20
[   17.461052] 
[   17.461072] The buggy address belongs to the object at fff00000c6fb0a00
[   17.461072]  which belongs to the cache kmalloc-128 of size 128
[   17.461132] The buggy address is located 0 bytes inside of
[   17.461132]  freed 128-byte region [fff00000c6fb0a00, fff00000c6fb0a80)
[   17.461193] 
[   17.461220] The buggy address belongs to the physical page:
[   17.461250] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fb0
[   17.461330] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.461385] page_type: f5(slab)
[   17.461438] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.461497] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.461548] page dumped because: kasan: bad access detected
[   17.461590] 
[   17.461609] Memory state around the buggy address:
[   17.461642]  fff00000c6fb0900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.461696]  fff00000c6fb0980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.461746] >fff00000c6fb0a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.461787]                    ^
[   17.461814]  fff00000c6fb0a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.461863]  fff00000c6fb0b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.461901] ==================================================================
Metadata Full log Test run details 

[   11.605515] ==================================================================
[   11.606245] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   11.606533] Read of size 1 at addr ffff8881028ba200 by task kunit_try_catch/216
[   11.606830] 
[   11.606922] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G    B            N  6.15.8-rc1 #1 PREEMPT(voluntary) 
[   11.606967] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.606978] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.606999] Call Trace:
[   11.607011]  <TASK>
[   11.607027]  dump_stack_lvl+0x73/0xb0
[   11.607055]  print_report+0xd1/0x610
[   11.607076]  ? __virt_addr_valid+0x1db/0x2d0
[   11.607099]  ? ksize_uaf+0x5fe/0x6c0
[   11.607119]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.607140]  ? ksize_uaf+0x5fe/0x6c0
[   11.607161]  kasan_report+0x141/0x180
[   11.607183]  ? ksize_uaf+0x5fe/0x6c0
[   11.607208]  __asan_report_load1_noabort+0x18/0x20
[   11.607239]  ksize_uaf+0x5fe/0x6c0
[   11.607259]  ? __pfx_ksize_uaf+0x10/0x10
[   11.607280]  ? __schedule+0x10c6/0x2b60
[   11.607304]  ? __pfx_read_tsc+0x10/0x10
[   11.607324]  ? ktime_get_ts64+0x86/0x230
[   11.607350]  kunit_try_run_case+0x1a5/0x480
[   11.607381]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.607399]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.607420]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.607444]  ? __kthread_parkme+0x82/0x180
[   11.607465]  ? preempt_count_sub+0x50/0x80
[   11.607491]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.607510]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.607532]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.607554]  kthread+0x337/0x6f0
[   11.607571]  ? trace_preempt_on+0x20/0xc0
[   11.607594]  ? __pfx_kthread+0x10/0x10
[   11.607611]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.607632]  ? calculate_sigpending+0x7b/0xa0
[   11.607654]  ? __pfx_kthread+0x10/0x10
[   11.607672]  ret_from_fork+0x41/0x80
[   11.607691]  ? __pfx_kthread+0x10/0x10
[   11.607708]  ret_from_fork_asm+0x1a/0x30
[   11.607738]  </TASK>
[   11.607748] 
[   11.614979] Allocated by task 216:
[   11.615113]  kasan_save_stack+0x45/0x70
[   11.615308]  kasan_save_track+0x18/0x40
[   11.615666]  kasan_save_alloc_info+0x3b/0x50
[   11.615873]  __kasan_kmalloc+0xb7/0xc0
[   11.616061]  __kmalloc_cache_noprof+0x189/0x420
[   11.616253]  ksize_uaf+0xaa/0x6c0
[   11.616436]  kunit_try_run_case+0x1a5/0x480
[   11.616610]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.616836]  kthread+0x337/0x6f0
[   11.616990]  ret_from_fork+0x41/0x80
[   11.617169]  ret_from_fork_asm+0x1a/0x30
[   11.617341] 
[   11.617433] Freed by task 216:
[   11.617614]  kasan_save_stack+0x45/0x70
[   11.617748]  kasan_save_track+0x18/0x40
[   11.617882]  kasan_save_free_info+0x3f/0x60
[   11.618021]  __kasan_slab_free+0x56/0x70
[   11.618155]  kfree+0x222/0x3f0
[   11.618321]  ksize_uaf+0x12c/0x6c0
[   11.618491]  kunit_try_run_case+0x1a5/0x480
[   11.618690]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.619122]  kthread+0x337/0x6f0
[   11.619252]  ret_from_fork+0x41/0x80
[   11.619380]  ret_from_fork_asm+0x1a/0x30
[   11.619516] 
[   11.619585] The buggy address belongs to the object at ffff8881028ba200
[   11.619585]  which belongs to the cache kmalloc-128 of size 128
[   11.620107] The buggy address is located 0 bytes inside of
[   11.620107]  freed 128-byte region [ffff8881028ba200, ffff8881028ba280)
[   11.620967] 
[   11.621063] The buggy address belongs to the physical page:
[   11.621276] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1028ba
[   11.621624] flags: 0x200000000000000(node=0|zone=2)
[   11.621858] page_type: f5(slab)
[   11.622020] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.622329] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.622696] page dumped because: kasan: bad access detected
[   11.622919] 
[   11.623011] Memory state around the buggy address:
[   11.623206]  ffff8881028ba100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.623559]  ffff8881028ba180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.623829] >ffff8881028ba200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.624105]                    ^
[   11.624270]  ffff8881028ba280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.624561]  ffff8881028ba300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.624838] ==================================================================
[   11.572734] ==================================================================
[   11.573860] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   11.574082] Read of size 1 at addr ffff8881028ba200 by task kunit_try_catch/216
[   11.575025] 
[   11.575279] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G    B            N  6.15.8-rc1 #1 PREEMPT(voluntary) 
[   11.575329] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.575463] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.575488] Call Trace:
[   11.575501]  <TASK>
[   11.575518]  dump_stack_lvl+0x73/0xb0
[   11.575558]  print_report+0xd1/0x610
[   11.575581]  ? __virt_addr_valid+0x1db/0x2d0
[   11.575607]  ? ksize_uaf+0x19d/0x6c0
[   11.575627]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.575649]  ? ksize_uaf+0x19d/0x6c0
[   11.575669]  kasan_report+0x141/0x180
[   11.575691]  ? ksize_uaf+0x19d/0x6c0
[   11.575715]  ? ksize_uaf+0x19d/0x6c0
[   11.575735]  __kasan_check_byte+0x3d/0x50
[   11.575756]  ksize+0x20/0x60
[   11.575779]  ksize_uaf+0x19d/0x6c0
[   11.575799]  ? __pfx_ksize_uaf+0x10/0x10
[   11.575820]  ? __schedule+0x10c6/0x2b60
[   11.575843]  ? __pfx_read_tsc+0x10/0x10
[   11.575862]  ? ktime_get_ts64+0x86/0x230
[   11.575886]  kunit_try_run_case+0x1a5/0x480
[   11.575906]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.575924]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.575944]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.575967]  ? __kthread_parkme+0x82/0x180
[   11.575988]  ? preempt_count_sub+0x50/0x80
[   11.576011]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.576031]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.576053]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.576075]  kthread+0x337/0x6f0
[   11.576091]  ? trace_preempt_on+0x20/0xc0
[   11.576113]  ? __pfx_kthread+0x10/0x10
[   11.576130]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.576151]  ? calculate_sigpending+0x7b/0xa0
[   11.576172]  ? __pfx_kthread+0x10/0x10
[   11.576190]  ret_from_fork+0x41/0x80
[   11.576209]  ? __pfx_kthread+0x10/0x10
[   11.576275]  ret_from_fork_asm+0x1a/0x30
[   11.576318]  </TASK>
[   11.576329] 
[   11.589106] Allocated by task 216:
[   11.589340]  kasan_save_stack+0x45/0x70
[   11.589723]  kasan_save_track+0x18/0x40
[   11.590099]  kasan_save_alloc_info+0x3b/0x50
[   11.590520]  __kasan_kmalloc+0xb7/0xc0
[   11.590872]  __kmalloc_cache_noprof+0x189/0x420
[   11.591189]  ksize_uaf+0xaa/0x6c0
[   11.591504]  kunit_try_run_case+0x1a5/0x480
[   11.591771]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.592168]  kthread+0x337/0x6f0
[   11.592295]  ret_from_fork+0x41/0x80
[   11.592499]  ret_from_fork_asm+0x1a/0x30
[   11.592885] 
[   11.593059] Freed by task 216:
[   11.593369]  kasan_save_stack+0x45/0x70
[   11.593754]  kasan_save_track+0x18/0x40
[   11.594122]  kasan_save_free_info+0x3f/0x60
[   11.594535]  __kasan_slab_free+0x56/0x70
[   11.594899]  kfree+0x222/0x3f0
[   11.595087]  ksize_uaf+0x12c/0x6c0
[   11.595433]  kunit_try_run_case+0x1a5/0x480
[   11.595794]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.596151]  kthread+0x337/0x6f0
[   11.596463]  ret_from_fork+0x41/0x80
[   11.596594]  ret_from_fork_asm+0x1a/0x30
[   11.596730] 
[   11.596799] The buggy address belongs to the object at ffff8881028ba200
[   11.596799]  which belongs to the cache kmalloc-128 of size 128
[   11.597163] The buggy address is located 0 bytes inside of
[   11.597163]  freed 128-byte region [ffff8881028ba200, ffff8881028ba280)
[   11.598202] 
[   11.598399] The buggy address belongs to the physical page:
[   11.598914] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1028ba
[   11.599652] flags: 0x200000000000000(node=0|zone=2)
[   11.600090] page_type: f5(slab)
[   11.600310] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.601074] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.601564] page dumped because: kasan: bad access detected
[   11.602057] 
[   11.602130] Memory state around the buggy address:
[   11.602596]  ffff8881028ba100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.602813]  ffff8881028ba180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.603028] >ffff8881028ba200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.603249]                    ^
[   11.603380]  ffff8881028ba280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.603792]  ffff8881028ba300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.604509] ==================================================================
[   11.625848] ==================================================================
[   11.626428] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   11.627044] Read of size 1 at addr ffff8881028ba278 by task kunit_try_catch/216
[   11.627316] 
[   11.627463] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G    B            N  6.15.8-rc1 #1 PREEMPT(voluntary) 
[   11.627504] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.627515] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.627534] Call Trace:
[   11.627550]  <TASK>
[   11.627565]  dump_stack_lvl+0x73/0xb0
[   11.627590]  print_report+0xd1/0x610
[   11.627611]  ? __virt_addr_valid+0x1db/0x2d0
[   11.627631]  ? ksize_uaf+0x5e4/0x6c0
[   11.627651]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.627672]  ? ksize_uaf+0x5e4/0x6c0
[   11.627693]  kasan_report+0x141/0x180
[   11.627714]  ? ksize_uaf+0x5e4/0x6c0
[   11.627739]  __asan_report_load1_noabort+0x18/0x20
[   11.627759]  ksize_uaf+0x5e4/0x6c0
[   11.627779]  ? __pfx_ksize_uaf+0x10/0x10
[   11.627801]  ? __schedule+0x10c6/0x2b60
[   11.627824]  ? __pfx_read_tsc+0x10/0x10
[   11.627843]  ? ktime_get_ts64+0x86/0x230
[   11.627867]  kunit_try_run_case+0x1a5/0x480
[   11.627887]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.627905]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.627924]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.627947]  ? __kthread_parkme+0x82/0x180
[   11.627968]  ? preempt_count_sub+0x50/0x80
[   11.627992]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.628011]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.628033]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.628055]  kthread+0x337/0x6f0
[   11.628071]  ? trace_preempt_on+0x20/0xc0
[   11.628094]  ? __pfx_kthread+0x10/0x10
[   11.628111]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.628132]  ? calculate_sigpending+0x7b/0xa0
[   11.628153]  ? __pfx_kthread+0x10/0x10
[   11.628170]  ret_from_fork+0x41/0x80
[   11.628191]  ? __pfx_kthread+0x10/0x10
[   11.628208]  ret_from_fork_asm+0x1a/0x30
[   11.628248]  </TASK>
[   11.628257] 
[   11.635016] Allocated by task 216:
[   11.635147]  kasan_save_stack+0x45/0x70
[   11.635299]  kasan_save_track+0x18/0x40
[   11.636288]  kasan_save_alloc_info+0x3b/0x50
[   11.636818]  __kasan_kmalloc+0xb7/0xc0
[   11.637022]  __kmalloc_cache_noprof+0x189/0x420
[   11.637251]  ksize_uaf+0xaa/0x6c0
[   11.637449]  kunit_try_run_case+0x1a5/0x480
[   11.637618]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.637844]  kthread+0x337/0x6f0
[   11.638002]  ret_from_fork+0x41/0x80
[   11.638175]  ret_from_fork_asm+0x1a/0x30
[   11.639215] 
[   11.639307] Freed by task 216:
[   11.639879]  kasan_save_stack+0x45/0x70
[   11.640509]  kasan_save_track+0x18/0x40
[   11.640948]  kasan_save_free_info+0x3f/0x60
[   11.641312]  __kasan_slab_free+0x56/0x70
[   11.641898]  kfree+0x222/0x3f0
[   11.642308]  ksize_uaf+0x12c/0x6c0
[   11.642643]  kunit_try_run_case+0x1a5/0x480
[   11.642801]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.642968]  kthread+0x337/0x6f0
[   11.643082]  ret_from_fork+0x41/0x80
[   11.643205]  ret_from_fork_asm+0x1a/0x30
[   11.643983] 
[   11.644297] The buggy address belongs to the object at ffff8881028ba200
[   11.644297]  which belongs to the cache kmalloc-128 of size 128
[   11.645752] The buggy address is located 120 bytes inside of
[   11.645752]  freed 128-byte region [ffff8881028ba200, ffff8881028ba280)
[   11.646998] 
[   11.647078] The buggy address belongs to the physical page:
[   11.647534] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1028ba
[   11.648503] flags: 0x200000000000000(node=0|zone=2)
[   11.649094] page_type: f5(slab)
[   11.649275] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.649715] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.649935] page dumped because: kasan: bad access detected
[   11.650099] 
[   11.650165] Memory state around the buggy address:
[   11.650326]  ffff8881028ba100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.651005]  ffff8881028ba180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.651647] >ffff8881028ba200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.652255]                                                                 ^
[   11.652866]  ffff8881028ba280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.653506]  ffff8881028ba300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.654019] ==================================================================
Metadata Full log Test run details