Hay
Date: Feb. 5, 2025, 2:09 p.m.

Environment: qemu-armv7 (first log below, 32-bit addresses), qemu-x86_64 (second log below, 64-bit addresses)

[  146.837579] ==================================================================
[  146.838492] BUG: KASAN: slab-use-after-free in ksize_uaf+0x12c/0x308
[  146.839047] Read of size 1 at addr c8e02b78 by task kunit_try_catch/187
[  146.839906] 
[  146.840136] CPU: 1 PID: 187 Comm: kunit_try_catch Tainted: G    B            N 6.6.76-rc1 #1
[  146.841197] Hardware name: Generic DT based system
[  146.841813]  unwind_backtrace from show_stack+0x18/0x1c
[  146.842403]  show_stack from dump_stack_lvl+0x58/0x70
[  146.843480]  dump_stack_lvl from print_report+0x164/0x51c
[  146.844411]  print_report from kasan_report+0xc8/0x104
[  146.844982]  kasan_report from ksize_uaf+0x12c/0x308
[  146.846178]  ksize_uaf from kunit_try_run_case+0x11c/0x2e4
[  146.847407]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0x2c/0x48
[  146.848478]  kunit_generic_run_threadfn_adapter from kthread+0x184/0x1a8
[  146.849339]  kthread from ret_from_fork+0x14/0x30
[  146.849976] Exception stack(0xfa0a3fb0 to 0xfa0a3ff8)
[  146.850655] 3fa0:                                     00000000 00000000 00000000 00000000
[  146.851571] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  146.852457] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[  146.853181] 
[  146.853416] Allocated by task 187:
[  146.853796]  kasan_set_track+0x3c/0x5c
[  146.854322]  __kasan_kmalloc+0x8c/0x94
[  146.855023]  ksize_uaf+0xa0/0x308
[  146.855466]  kunit_try_run_case+0x11c/0x2e4
[  146.856197]  kunit_generic_run_threadfn_adapter+0x2c/0x48
[  146.856855]  kthread+0x184/0x1a8
[  146.857380]  ret_from_fork+0x14/0x30
[  146.857824] 
[  146.858194] Freed by task 187:
[  146.858601]  kasan_set_track+0x3c/0x5c
[  146.859141]  kasan_save_free_info+0x30/0x3c
[  146.859789]  __kasan_slab_free+0xdc/0x124
[  146.860299]  __kmem_cache_free+0x140/0x2a8
[  146.860956]  ksize_uaf+0xbc/0x308
[  146.861441]  kunit_try_run_case+0x11c/0x2e4
[  146.862009]  kunit_generic_run_threadfn_adapter+0x2c/0x48
[  146.862609]  kthread+0x184/0x1a8
[  146.863263]  ret_from_fork+0x14/0x30
[  146.863761] 
[  146.863976] The buggy address belongs to the object at c8e02b00
[  146.863976]  which belongs to the cache kmalloc-128 of size 128
[  146.865261] The buggy address is located 120 bytes inside of
[  146.865261]  freed 128-byte region [c8e02b00, c8e02b80)
[  146.866426] 
[  146.867387] The buggy address belongs to the physical page:
[  146.868142] page:b76fc2b6 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x48e02
[  146.869104] flags: 0x800(slab|zone=0)
[  146.869570] page_type: 0xffffffff()
[  146.870199] raw: 00000800 c4801300 00000122 00000000 00000000 80100010 ffffffff 00000001
[  146.871047] raw: 00000000
[  146.871511] page dumped because: kasan: bad access detected
[  146.872179] 
[  146.872434] Memory state around the buggy address:
[  146.872942]  c8e02a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  146.873656]  c8e02a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  146.874636] >c8e02b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  146.875362]                                                         ^
[  146.876022]  c8e02b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  146.876715]  c8e02c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  146.877410] ==================================================================
[  146.797510] ==================================================================
[  146.798249] BUG: KASAN: slab-use-after-free in ksize_uaf+0xfc/0x308
[  146.798955] Read of size 1 at addr c8e02b00 by task kunit_try_catch/187
[  146.799645] 
[  146.799918] CPU: 1 PID: 187 Comm: kunit_try_catch Tainted: G    B            N 6.6.76-rc1 #1
[  146.800714] Hardware name: Generic DT based system
[  146.801381]  unwind_backtrace from show_stack+0x18/0x1c
[  146.802017]  show_stack from dump_stack_lvl+0x58/0x70
[  146.802723]  dump_stack_lvl from print_report+0x164/0x51c
[  146.803318]  print_report from kasan_report+0xc8/0x104
[  146.804149]  kasan_report from ksize_uaf+0xfc/0x308
[  146.804869]  ksize_uaf from kunit_try_run_case+0x11c/0x2e4
[  146.805576]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0x2c/0x48
[  146.807331]  kunit_generic_run_threadfn_adapter from kthread+0x184/0x1a8
[  146.808175]  kthread from ret_from_fork+0x14/0x30
[  146.808737] Exception stack(0xfa0a3fb0 to 0xfa0a3ff8)
[  146.809376] 3fa0:                                     00000000 00000000 00000000 00000000
[  146.810380] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  146.811291] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[  146.812044] 
[  146.812347] Allocated by task 187:
[  146.812714]  kasan_set_track+0x3c/0x5c
[  146.813355]  __kasan_kmalloc+0x8c/0x94
[  146.813998]  ksize_uaf+0xa0/0x308
[  146.814460]  kunit_try_run_case+0x11c/0x2e4
[  146.814992]  kunit_generic_run_threadfn_adapter+0x2c/0x48
[  146.815868]  kthread+0x184/0x1a8
[  146.816345]  ret_from_fork+0x14/0x30
[  146.816839] 
[  146.817142] Freed by task 187:
[  146.817588]  kasan_set_track+0x3c/0x5c
[  146.818118]  kasan_save_free_info+0x30/0x3c
[  146.818705]  __kasan_slab_free+0xdc/0x124
[  146.819422]  __kmem_cache_free+0x140/0x2a8
[  146.820047]  ksize_uaf+0xbc/0x308
[  146.820470]  kunit_try_run_case+0x11c/0x2e4
[  146.821106]  kunit_generic_run_threadfn_adapter+0x2c/0x48
[  146.821878]  kthread+0x184/0x1a8
[  146.822360]  ret_from_fork+0x14/0x30
[  146.822896] 
[  146.823198] The buggy address belongs to the object at c8e02b00
[  146.823198]  which belongs to the cache kmalloc-128 of size 128
[  146.824405] The buggy address is located 0 bytes inside of
[  146.824405]  freed 128-byte region [c8e02b00, c8e02b80)
[  146.825492] 
[  146.826748] The buggy address belongs to the physical page:
[  146.827366] page:b76fc2b6 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x48e02
[  146.828197] flags: 0x800(slab|zone=0)
[  146.828690] page_type: 0xffffffff()
[  146.829122] raw: 00000800 c4801300 00000122 00000000 00000000 80100010 ffffffff 00000001
[  146.829999] raw: 00000000
[  146.830446] page dumped because: kasan: bad access detected
[  146.831095] 
[  146.831319] Memory state around the buggy address:
[  146.831947]  c8e02a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  146.832711]  c8e02a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  146.833524] >c8e02b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  146.834171]            ^
[  146.834644]  c8e02b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  146.835347]  c8e02c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  146.836187] ==================================================================
[  146.751863] ==================================================================
[  146.753029] BUG: KASAN: slab-use-after-free in ksize_uaf+0xd0/0x308
[  146.753845] Read of size 1 at addr c8e02b00 by task kunit_try_catch/187
[  146.754731] 
[  146.754978] CPU: 1 PID: 187 Comm: kunit_try_catch Tainted: G    B            N 6.6.76-rc1 #1
[  146.756113] Hardware name: Generic DT based system
[  146.756656]  unwind_backtrace from show_stack+0x18/0x1c
[  146.757606]  show_stack from dump_stack_lvl+0x58/0x70
[  146.758443]  dump_stack_lvl from print_report+0x164/0x51c
[  146.759274]  print_report from kasan_report+0xc8/0x104
[  146.760118]  kasan_report from __kasan_check_byte+0x34/0x3c
[  146.760920]  __kasan_check_byte from ksize+0x20/0x3c
[  146.761773]  ksize from ksize_uaf+0xd0/0x308
[  146.762489]  ksize_uaf from kunit_try_run_case+0x11c/0x2e4
[  146.763320]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0x2c/0x48
[  146.764381]  kunit_generic_run_threadfn_adapter from kthread+0x184/0x1a8
[  146.765271]  kthread from ret_from_fork+0x14/0x30
[  146.765954] Exception stack(0xfa0a3fb0 to 0xfa0a3ff8)
[  146.766609] 3fa0:                                     00000000 00000000 00000000 00000000
[  146.768380] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  146.769265] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[  146.770040] 
[  146.770353] Allocated by task 187:
[  146.770808]  kasan_set_track+0x3c/0x5c
[  146.771352]  __kasan_kmalloc+0x8c/0x94
[  146.771902]  ksize_uaf+0xa0/0x308
[  146.772478]  kunit_try_run_case+0x11c/0x2e4
[  146.772950]  kunit_generic_run_threadfn_adapter+0x2c/0x48
[  146.773689]  kthread+0x184/0x1a8
[  146.774256]  ret_from_fork+0x14/0x30
[  146.774774] 
[  146.775048] Freed by task 187:
[  146.775550]  kasan_set_track+0x3c/0x5c
[  146.776033]  kasan_save_free_info+0x30/0x3c
[  146.776613]  __kasan_slab_free+0xdc/0x124
[  146.777299]  __kmem_cache_free+0x140/0x2a8
[  146.777814]  ksize_uaf+0xbc/0x308
[  146.778454]  kunit_try_run_case+0x11c/0x2e4
[  146.779240]  kunit_generic_run_threadfn_adapter+0x2c/0x48
[  146.779952]  kthread+0x184/0x1a8
[  146.780493]  ret_from_fork+0x14/0x30
[  146.781041] 
[  146.781292] The buggy address belongs to the object at c8e02b00
[  146.781292]  which belongs to the cache kmalloc-128 of size 128
[  146.782593] The buggy address is located 0 bytes inside of
[  146.782593]  freed 128-byte region [c8e02b00, c8e02b80)
[  146.783698] 
[  146.784045] The buggy address belongs to the physical page:
[  146.784776] page:b76fc2b6 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x48e02
[  146.785709] flags: 0x800(slab|zone=0)
[  146.786272] page_type: 0xffffffff()
[  146.786743] raw: 00000800 c4801300 00000122 00000000 00000000 80100010 ffffffff 00000001
[  146.787585] raw: 00000000
[  146.788791] page dumped because: kasan: bad access detected
[  146.789388] 
[  146.789656] Memory state around the buggy address:
[  146.790226]  c8e02a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  146.790962]  c8e02a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  146.791618] >c8e02b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  146.792420]            ^
[  146.792769]  c8e02b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  146.793511]  c8e02c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  146.794096] ==================================================================


[   49.743716] ==================================================================
[   49.744383] BUG: KASAN: slab-use-after-free in ksize_uaf+0x108/0x310
[   49.745106] Read of size 1 at addr ffff88810284c900 by task kunit_try_catch/210
[   49.745919] 
[   49.746256] CPU: 0 PID: 210 Comm: kunit_try_catch Tainted: G    B            N 6.6.76-rc1 #1
[   49.748084] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   49.749596] Call Trace:
[   49.750086]  <TASK>
[   49.750446]  dump_stack_lvl+0x4e/0x90
[   49.751120]  print_report+0xd2/0x660
[   49.752188]  ? __virt_addr_valid+0x156/0x1e0
[   49.753237]  ? kasan_complete_mode_report_info+0x64/0x200
[   49.753856]  kasan_report+0xff/0x140
[   49.754338]  ? ksize_uaf+0x108/0x310
[   49.754944]  ? ksize_uaf+0x108/0x310
[   49.756185]  __asan_load1+0x66/0x70
[   49.756662]  ksize_uaf+0x108/0x310
[   49.757174]  ? __pfx_ksize_uaf+0x10/0x10
[   49.757660]  ? __schedule+0x70b/0x1190
[   49.758307]  ? ktime_get_ts64+0x118/0x140
[   49.758869]  kunit_try_run_case+0x126/0x290
[   49.759927]  ? __pfx_kunit_try_run_case+0x10/0x10
[   49.760604]  ? __kasan_check_write+0x18/0x20
[   49.761277]  ? trace_preempt_on+0x20/0xa0
[   49.762177]  ? __kthread_parkme+0x4f/0xd0
[   49.762705]  ? preempt_count_sub+0x50/0x80
[   49.764169]  ? __pfx_kunit_try_run_case+0x10/0x10
[   49.764720]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   49.765416]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   49.766329]  kthread+0x19e/0x1e0
[   49.767219]  ? __pfx_kthread+0x10/0x10
[   49.768321]  ret_from_fork+0x41/0x70
[   49.768795]  ? __pfx_kthread+0x10/0x10
[   49.769278]  ret_from_fork_asm+0x1b/0x30
[   49.769892]  </TASK>
[   49.770228] 
[   49.770502] Allocated by task 210:
[   49.771709]  kasan_save_stack+0x3c/0x60
[   49.772179]  kasan_set_track+0x29/0x40
[   49.772616]  kasan_save_alloc_info+0x22/0x30
[   49.773247]  __kasan_kmalloc+0xb7/0xc0
[   49.773762]  kmalloc_trace+0x4c/0xb0
[   49.774348]  ksize_uaf+0x9d/0x310
[   49.774902]  kunit_try_run_case+0x126/0x290
[   49.775453]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   49.776871]  kthread+0x19e/0x1e0
[   49.777361]  ret_from_fork+0x41/0x70
[   49.777967]  ret_from_fork_asm+0x1b/0x30
[   49.778541] 
[   49.778852] Freed by task 210:
[   49.779316]  kasan_save_stack+0x3c/0x60
[   49.779819]  kasan_set_track+0x29/0x40
[   49.780903]  kasan_save_free_info+0x2f/0x50
[   49.782210]  ____kasan_slab_free+0x172/0x1d0
[   49.782675]  __kasan_slab_free+0x16/0x20
[   49.783121]  __kmem_cache_free+0x190/0x310
[   49.783555]  kfree+0x7c/0x120
[   49.784008]  ksize_uaf+0xbd/0x310
[   49.785356]  kunit_try_run_case+0x126/0x290
[   49.786163]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   49.786753]  kthread+0x19e/0x1e0
[   49.787308]  ret_from_fork+0x41/0x70
[   49.787804]  ret_from_fork_asm+0x1b/0x30
[   49.789143] 
[   49.789358] The buggy address belongs to the object at ffff88810284c900
[   49.789358]  which belongs to the cache kmalloc-128 of size 128
[   49.790573] The buggy address is located 0 bytes inside of
[   49.790573]  freed 128-byte region [ffff88810284c900, ffff88810284c980)
[   49.792269] 
[   49.792779] The buggy address belongs to the physical page:
[   49.793292] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10284c
[   49.794555] flags: 0x200000000000800(slab|node=0|zone=2)
[   49.795220] page_type: 0xffffffff()
[   49.795692] raw: 0200000000000800 ffff8881000418c0 dead000000000122 0000000000000000
[   49.796562] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   49.797298] page dumped because: kasan: bad access detected
[   49.798395] 
[   49.798937] Memory state around the buggy address:
[   49.799967]  ffff88810284c800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.800767]  ffff88810284c880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.801666] >ffff88810284c900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.802220]                    ^
[   49.802545]  ffff88810284c980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.803250]  ffff88810284ca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.804454] ==================================================================
[   49.805606] ==================================================================
[   49.806296] BUG: KASAN: slab-use-after-free in ksize_uaf+0x140/0x310
[   49.806983] Read of size 1 at addr ffff88810284c978 by task kunit_try_catch/210
[   49.808405] 
[   49.808699] CPU: 0 PID: 210 Comm: kunit_try_catch Tainted: G    B            N 6.6.76-rc1 #1
[   49.809873] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   49.810717] Call Trace:
[   49.811381]  <TASK>
[   49.811726]  dump_stack_lvl+0x4e/0x90
[   49.812255]  print_report+0xd2/0x660
[   49.812899]  ? __virt_addr_valid+0x156/0x1e0
[   49.813842]  ? kasan_complete_mode_report_info+0x64/0x200
[   49.814762]  kasan_report+0xff/0x140
[   49.815222]  ? ksize_uaf+0x140/0x310
[   49.815487]  ? ksize_uaf+0x140/0x310
[   49.815804]  __asan_load1+0x66/0x70
[   49.816350]  ksize_uaf+0x140/0x310
[   49.817136]  ? __pfx_ksize_uaf+0x10/0x10
[   49.817873]  ? __schedule+0x70b/0x1190
[   49.818468]  ? ktime_get_ts64+0x118/0x140
[   49.819072]  kunit_try_run_case+0x126/0x290
[   49.819968]  ? __pfx_kunit_try_run_case+0x10/0x10
[   49.820514]  ? __kasan_check_write+0x18/0x20
[   49.821254]  ? trace_preempt_on+0x20/0xa0
[   49.822237]  ? __kthread_parkme+0x4f/0xd0
[   49.822922]  ? preempt_count_sub+0x50/0x80
[   49.823463]  ? __pfx_kunit_try_run_case+0x10/0x10
[   49.824170]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   49.824973]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   49.825682]  kthread+0x19e/0x1e0
[   49.826789]  ? __pfx_kthread+0x10/0x10
[   49.827320]  ret_from_fork+0x41/0x70
[   49.827960]  ? __pfx_kthread+0x10/0x10
[   49.828443]  ret_from_fork_asm+0x1b/0x30
[   49.828817]  </TASK>
[   49.829140] 
[   49.829410] Allocated by task 210:
[   49.829764]  kasan_save_stack+0x3c/0x60
[   49.830305]  kasan_set_track+0x29/0x40
[   49.831327]  kasan_save_alloc_info+0x22/0x30
[   49.832063]  __kasan_kmalloc+0xb7/0xc0
[   49.832704]  kmalloc_trace+0x4c/0xb0
[   49.833216]  ksize_uaf+0x9d/0x310
[   49.833667]  kunit_try_run_case+0x126/0x290
[   49.834262]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   49.834987]  kthread+0x19e/0x1e0
[   49.835573]  ret_from_fork+0x41/0x70
[   49.836280]  ret_from_fork_asm+0x1b/0x30
[   49.837326] 
[   49.837617] Freed by task 210:
[   49.838119]  kasan_save_stack+0x3c/0x60
[   49.838678]  kasan_set_track+0x29/0x40
[   49.839173]  kasan_save_free_info+0x2f/0x50
[   49.839796]  ____kasan_slab_free+0x172/0x1d0
[   49.840540]  __kasan_slab_free+0x16/0x20
[   49.841011]  __kmem_cache_free+0x190/0x310
[   49.842003]  kfree+0x7c/0x120
[   49.842385]  ksize_uaf+0xbd/0x310
[   49.842872]  kunit_try_run_case+0x126/0x290
[   49.843378]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   49.844197]  kthread+0x19e/0x1e0
[   49.845085]  ret_from_fork+0x41/0x70
[   49.845780]  ret_from_fork_asm+0x1b/0x30
[   49.846398] 
[   49.846824] The buggy address belongs to the object at ffff88810284c900
[   49.846824]  which belongs to the cache kmalloc-128 of size 128
[   49.847564] The buggy address is located 120 bytes inside of
[   49.847564]  freed 128-byte region [ffff88810284c900, ffff88810284c980)
[   49.848407] 
[   49.849252] The buggy address belongs to the physical page:
[   49.849997] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10284c
[   49.850939] flags: 0x200000000000800(slab|node=0|zone=2)
[   49.851472] page_type: 0xffffffff()
[   49.852117] raw: 0200000000000800 ffff8881000418c0 dead000000000122 0000000000000000
[   49.853397] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   49.853912] page dumped because: kasan: bad access detected
[   49.854290] 
[   49.854888] Memory state around the buggy address:
[   49.855641]  ffff88810284c800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.856634]  ffff88810284c880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.857553] >ffff88810284c900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.858838]                                                                 ^
[   49.859549]  ffff88810284c980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.860365]  ffff88810284ca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.861084] ==================================================================
[   49.687411] ==================================================================
[   49.688527] BUG: KASAN: slab-use-after-free in ksize_uaf+0xd4/0x310
[   49.689215] Read of size 1 at addr ffff88810284c900 by task kunit_try_catch/210
[   49.690120] 
[   49.690416] CPU: 0 PID: 210 Comm: kunit_try_catch Tainted: G    B            N 6.6.76-rc1 #1
[   49.691312] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   49.692300] Call Trace:
[   49.692720]  <TASK>
[   49.693110]  dump_stack_lvl+0x4e/0x90
[   49.693686]  print_report+0xd2/0x660
[   49.694328]  ? __virt_addr_valid+0x156/0x1e0
[   49.694967]  ? kasan_complete_mode_report_info+0x64/0x200
[   49.695585]  kasan_report+0xff/0x140
[   49.696209]  ? ksize_uaf+0xd4/0x310
[   49.696811]  ? ksize_uaf+0xd4/0x310
[   49.697329]  ? ksize_uaf+0xd4/0x310
[   49.697947]  __kasan_check_byte+0x3d/0x50
[   49.698503]  ksize+0x20/0x60
[   49.699242]  ksize_uaf+0xd4/0x310
[   49.700213]  ? __pfx_ksize_uaf+0x10/0x10
[   49.701202]  ? __schedule+0x70b/0x1190
[   49.701970]  ? ktime_get_ts64+0x118/0x140
[   49.702546]  kunit_try_run_case+0x126/0x290
[   49.703138]  ? __pfx_kunit_try_run_case+0x10/0x10
[   49.703692]  ? __kasan_check_write+0x18/0x20
[   49.704343]  ? trace_preempt_on+0x20/0xa0
[   49.704960]  ? __kthread_parkme+0x4f/0xd0
[   49.705389]  ? preempt_count_sub+0x50/0x80
[   49.706274]  ? __pfx_kunit_try_run_case+0x10/0x10
[   49.707071]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   49.707688]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   49.708402]  kthread+0x19e/0x1e0
[   49.708844]  ? __pfx_kthread+0x10/0x10
[   49.709518]  ret_from_fork+0x41/0x70
[   49.710054]  ? __pfx_kthread+0x10/0x10
[   49.710533]  ret_from_fork_asm+0x1b/0x30
[   49.711336]  </TASK>
[   49.711774] 
[   49.712055] Allocated by task 210:
[   49.712498]  kasan_save_stack+0x3c/0x60
[   49.713110]  kasan_set_track+0x29/0x40
[   49.713623]  kasan_save_alloc_info+0x22/0x30
[   49.714315]  __kasan_kmalloc+0xb7/0xc0
[   49.714824]  kmalloc_trace+0x4c/0xb0
[   49.715467]  ksize_uaf+0x9d/0x310
[   49.716021]  kunit_try_run_case+0x126/0x290
[   49.716592]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   49.717330]  kthread+0x19e/0x1e0
[   49.717810]  ret_from_fork+0x41/0x70
[   49.718425]  ret_from_fork_asm+0x1b/0x30
[   49.718944] 
[   49.719217] Freed by task 210:
[   49.719670]  kasan_save_stack+0x3c/0x60
[   49.720213]  kasan_set_track+0x29/0x40
[   49.720833]  kasan_save_free_info+0x2f/0x50
[   49.721411]  ____kasan_slab_free+0x172/0x1d0
[   49.722075]  __kasan_slab_free+0x16/0x20
[   49.722656]  __kmem_cache_free+0x190/0x310
[   49.723216]  kfree+0x7c/0x120
[   49.723682]  ksize_uaf+0xbd/0x310
[   49.724197]  kunit_try_run_case+0x126/0x290
[   49.724720]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   49.725534]  kthread+0x19e/0x1e0
[   49.726132]  ret_from_fork+0x41/0x70
[   49.726642]  ret_from_fork_asm+0x1b/0x30
[   49.727297] 
[   49.727576] The buggy address belongs to the object at ffff88810284c900
[   49.727576]  which belongs to the cache kmalloc-128 of size 128
[   49.728790] The buggy address is located 0 bytes inside of
[   49.728790]  freed 128-byte region [ffff88810284c900, ffff88810284c980)
[   49.729907] 
[   49.730231] The buggy address belongs to the physical page:
[   49.730842] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10284c
[   49.731766] flags: 0x200000000000800(slab|node=0|zone=2)
[   49.732337] page_type: 0xffffffff()
[   49.732928] raw: 0200000000000800 ffff8881000418c0 dead000000000122 0000000000000000
[   49.733672] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   49.734517] page dumped because: kasan: bad access detected
[   49.735169] 
[   49.735497] Memory state around the buggy address:
[   49.736041]  ffff88810284c800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.736848]  ffff88810284c880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.737599] >ffff88810284c900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.738415]                    ^
[   49.738918]  ffff88810284c980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.739627]  ffff88810284ca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.740453] ==================================================================