Date: July 1, 2025, 12:10 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:

```
[   17.661856] ==================================================================
[   17.661922] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   17.661976] Read of size 1 at addr fff00000c7800800 by task kunit_try_catch/196
[   17.666273]
[   17.667011] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[   17.667574] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.667727] Hardware name: linux,dummy-virt (DT)
[   17.668184] Call trace:
[   17.668274]  show_stack+0x20/0x38 (C)
[   17.668507]  dump_stack_lvl+0x8c/0xd0
[   17.668601]  print_report+0x118/0x608
[   17.668674]  kasan_report+0xdc/0x128
[   17.668732]  __kasan_check_byte+0x54/0x70
[   17.668777]  ksize+0x30/0x88
[   17.668821]  ksize_uaf+0x168/0x5f8
[   17.668862]  kunit_try_run_case+0x170/0x3f0
[   17.668911]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.668964]  kthread+0x328/0x630
[   17.670609]  ret_from_fork+0x10/0x20
[   17.671481]
[   17.671505] Allocated by task 196:
[   17.671538]  kasan_save_stack+0x3c/0x68
[   17.671585]  kasan_save_track+0x20/0x40
[   17.671630]  kasan_save_alloc_info+0x40/0x58
[   17.671672]  __kasan_kmalloc+0xd4/0xd8
[   17.672371]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.672859]  ksize_uaf+0xb8/0x5f8
[   17.673132]  kunit_try_run_case+0x170/0x3f0
[   17.673601]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.673787]  kthread+0x328/0x630
[   17.673823]  ret_from_fork+0x10/0x20
[   17.674801]
[   17.674894] Freed by task 196:
[   17.675336]  kasan_save_stack+0x3c/0x68
[   17.675820]  kasan_save_track+0x20/0x40
[   17.675914]  kasan_save_free_info+0x4c/0x78
[   17.676273]  __kasan_slab_free+0x6c/0x98
[   17.676409]  kfree+0x214/0x3c8
[   17.676774]  ksize_uaf+0x11c/0x5f8
[   17.677195]  kunit_try_run_case+0x170/0x3f0
[   17.677656]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.678112]  kthread+0x328/0x630
[   17.678555]  ret_from_fork+0x10/0x20
[   17.678794]
[   17.678882] The buggy address belongs to the object at fff00000c7800800
[   17.678882]  which belongs to the cache kmalloc-128 of size 128
[   17.678957] The buggy address is located 0 bytes inside of
[   17.678957]  freed 128-byte region [fff00000c7800800, fff00000c7800880)
[   17.680069]
[   17.680295] The buggy address belongs to the physical page:
[   17.680513] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107800
[   17.680817] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.680872] page_type: f5(slab)
[   17.680913] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.681811] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.682226] page dumped because: kasan: bad access detected
[   17.682272]
[   17.682852] Memory state around the buggy address:
[   17.683218]  fff00000c7800700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.683405]  fff00000c7800780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.683465] >fff00000c7800800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.683506]                    ^
[   17.684221]  fff00000c7800880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.684695]  fff00000c7800900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.684749] ==================================================================
[   17.689078] ==================================================================
[   17.689132] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   17.690191] Read of size 1 at addr fff00000c7800800 by task kunit_try_catch/196
[   17.690344]
[   17.690381] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[   17.691533] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.691631] Hardware name: linux,dummy-virt (DT)
[   17.691803] Call trace:
[   17.691833]  show_stack+0x20/0x38 (C)
[   17.692506]  dump_stack_lvl+0x8c/0xd0
[   17.692984]  print_report+0x118/0x608
[   17.693171]  kasan_report+0xdc/0x128
[   17.693330]  __asan_report_load1_noabort+0x20/0x30
[   17.693458]  ksize_uaf+0x598/0x5f8
[   17.694126]  kunit_try_run_case+0x170/0x3f0
[   17.694436]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.695100]  kthread+0x328/0x630
[   17.695245]  ret_from_fork+0x10/0x20
[   17.695471]
[   17.696049] Allocated by task 196:
[   17.696236]  kasan_save_stack+0x3c/0x68
[   17.696489]  kasan_save_track+0x20/0x40
[   17.696531]  kasan_save_alloc_info+0x40/0x58
[   17.696572]  __kasan_kmalloc+0xd4/0xd8
[   17.696608]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.696647]  ksize_uaf+0xb8/0x5f8
[   17.696681]  kunit_try_run_case+0x170/0x3f0
[   17.696719]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.696764]  kthread+0x328/0x630
[   17.696798]  ret_from_fork+0x10/0x20
[   17.696833]
[   17.696852] Freed by task 196:
[   17.696879]  kasan_save_stack+0x3c/0x68
[   17.696915]  kasan_save_track+0x20/0x40
[   17.698662]  kasan_save_free_info+0x4c/0x78
[   17.698775]  __kasan_slab_free+0x6c/0x98
[   17.699277]  kfree+0x214/0x3c8
[   17.699631]  ksize_uaf+0x11c/0x5f8
[   17.699666]  kunit_try_run_case+0x170/0x3f0
[   17.699708]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.700342]  kthread+0x328/0x630
[   17.701390]  ret_from_fork+0x10/0x20
[   17.701569]
[   17.701590] The buggy address belongs to the object at fff00000c7800800
[   17.701590]  which belongs to the cache kmalloc-128 of size 128
[   17.702004] The buggy address is located 0 bytes inside of
[   17.702004]  freed 128-byte region [fff00000c7800800, fff00000c7800880)
[   17.702591]
[   17.702770] The buggy address belongs to the physical page:
[   17.703416] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107800
[   17.704187] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.704316] page_type: f5(slab)
[   17.704756] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.705244] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.705298] page dumped because: kasan: bad access detected
[   17.705755]
[   17.705778] Memory state around the buggy address:
[   17.706815]  fff00000c7800700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.706934]  fff00000c7800780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.707779] >fff00000c7800800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.708430]                    ^
[   17.708583]  fff00000c7800880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.709069]  fff00000c7800900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.709394] ==================================================================
[   17.717345] ==================================================================
[   17.717484] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   17.717542] Read of size 1 at addr fff00000c7800878 by task kunit_try_catch/196
[   17.717593]
[   17.717630] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[   17.717712] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.717739] Hardware name: linux,dummy-virt (DT)
[   17.717770] Call trace:
[   17.719015]  show_stack+0x20/0x38 (C)
[   17.719158]  dump_stack_lvl+0x8c/0xd0
[   17.719209]  print_report+0x118/0x608
[   17.719256]  kasan_report+0xdc/0x128
[   17.719300]  __asan_report_load1_noabort+0x20/0x30
[   17.719352]  ksize_uaf+0x544/0x5f8
[   17.719395]  kunit_try_run_case+0x170/0x3f0
[   17.719455]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.719510]  kthread+0x328/0x630
[   17.719551]  ret_from_fork+0x10/0x20
[   17.719601]
[   17.719619] Allocated by task 196:
[   17.719648]  kasan_save_stack+0x3c/0x68
[   17.719688]  kasan_save_track+0x20/0x40
[   17.719727]  kasan_save_alloc_info+0x40/0x58
[   17.722280]  __kasan_kmalloc+0xd4/0xd8
[   17.723341]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.723419]  ksize_uaf+0xb8/0x5f8
[   17.723919]  kunit_try_run_case+0x170/0x3f0
[   17.724307]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.724441]  kthread+0x328/0x630
[   17.724491]  ret_from_fork+0x10/0x20
[   17.724529]
[   17.725205] Freed by task 196:
[   17.725638]  kasan_save_stack+0x3c/0x68
[   17.725782]  kasan_save_track+0x20/0x40
[   17.726129]  kasan_save_free_info+0x4c/0x78
[   17.726300]  __kasan_slab_free+0x6c/0x98
[   17.727107]  kfree+0x214/0x3c8
[   17.727206]  ksize_uaf+0x11c/0x5f8
[   17.727242]  kunit_try_run_case+0x170/0x3f0
[   17.727907]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.728586]  kthread+0x328/0x630
[   17.728641]  ret_from_fork+0x10/0x20
[   17.729043]
[   17.729280] The buggy address belongs to the object at fff00000c7800800
[   17.729280]  which belongs to the cache kmalloc-128 of size 128
[   17.729897] The buggy address is located 120 bytes inside of
[   17.729897]  freed 128-byte region [fff00000c7800800, fff00000c7800880)
[   17.730177]
[   17.730504] The buggy address belongs to the physical page:
[   17.730625] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107800
[   17.731276] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.731660] page_type: f5(slab)
[   17.731979] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.732038] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.732083] page dumped because: kasan: bad access detected
[   17.732629]
[   17.732654] Memory state around the buggy address:
[   17.732691]  fff00000c7800700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.732738]  fff00000c7800780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.733196] >fff00000c7800800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.733467]                                                                 ^
[   17.734289]  fff00000c7800880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.734714]  fff00000c7800900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.735145] ==================================================================
```
qemu-x86_64:

```
[   11.936775] ==================================================================
[   11.937378] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   11.937874] Read of size 1 at addr ffff88810312f300 by task kunit_try_catch/213
[   11.938286]
[   11.938644] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[   11.938690] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.938702] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.938720] Call Trace:
[   11.938835]  <TASK>
[   11.938851]  dump_stack_lvl+0x73/0xb0
[   11.938881]  print_report+0xd1/0x650
[   11.938902]  ? __virt_addr_valid+0x1db/0x2d0
[   11.938924]  ? ksize_uaf+0x5fe/0x6c0
[   11.938943]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.938964]  ? ksize_uaf+0x5fe/0x6c0
[   11.938991]  kasan_report+0x141/0x180
[   11.939012]  ? ksize_uaf+0x5fe/0x6c0
[   11.939048]  __asan_report_load1_noabort+0x18/0x20
[   11.939072]  ksize_uaf+0x5fe/0x6c0
[   11.939092]  ? __pfx_ksize_uaf+0x10/0x10
[   11.939112]  ? __schedule+0x10cc/0x2b60
[   11.939132]  ? __pfx_read_tsc+0x10/0x10
[   11.939153]  ? ktime_get_ts64+0x86/0x230
[   11.939175]  kunit_try_run_case+0x1a5/0x480
[   11.939198]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.939218]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.939239]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.939260]  ? __kthread_parkme+0x82/0x180
[   11.939279]  ? preempt_count_sub+0x50/0x80
[   11.939301]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.939323]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.939344]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.939365]  kthread+0x337/0x6f0
[   11.939383]  ? trace_preempt_on+0x20/0xc0
[   11.939404]  ? __pfx_kthread+0x10/0x10
[   11.939423]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.939443]  ? calculate_sigpending+0x7b/0xa0
[   11.939465]  ? __pfx_kthread+0x10/0x10
[   11.939485]  ret_from_fork+0x116/0x1d0
[   11.939501]  ? __pfx_kthread+0x10/0x10
[   11.939520]  ret_from_fork_asm+0x1a/0x30
[   11.939549]  </TASK>
[   11.939559]
[   11.951540] Allocated by task 213:
[   11.951712]  kasan_save_stack+0x45/0x70
[   11.951936]  kasan_save_track+0x18/0x40
[   11.952363]  kasan_save_alloc_info+0x3b/0x50
[   11.952838]  __kasan_kmalloc+0xb7/0xc0
[   11.953104]  __kmalloc_cache_noprof+0x189/0x420
[   11.953358]  ksize_uaf+0xaa/0x6c0
[   11.953718]  kunit_try_run_case+0x1a5/0x480
[   11.954022]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.954481]  kthread+0x337/0x6f0
[   11.954762]  ret_from_fork+0x116/0x1d0
[   11.955219]  ret_from_fork_asm+0x1a/0x30
[   11.955422]
[   11.955499] Freed by task 213:
[   11.955680]  kasan_save_stack+0x45/0x70
[   11.955943]  kasan_save_track+0x18/0x40
[   11.956157]  kasan_save_free_info+0x3f/0x60
[   11.956800]  __kasan_slab_free+0x56/0x70
[   11.957189]  kfree+0x222/0x3f0
[   11.957323]  ksize_uaf+0x12c/0x6c0
[   11.957643]  kunit_try_run_case+0x1a5/0x480
[   11.957875]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.958315]  kthread+0x337/0x6f0
[   11.958475]  ret_from_fork+0x116/0x1d0
[   11.958677]  ret_from_fork_asm+0x1a/0x30
[   11.959158]
[   11.959285] The buggy address belongs to the object at ffff88810312f300
[   11.959285]  which belongs to the cache kmalloc-128 of size 128
[   11.959945] The buggy address is located 0 bytes inside of
[   11.959945]  freed 128-byte region [ffff88810312f300, ffff88810312f380)
[   11.960799]
[   11.961101] The buggy address belongs to the physical page:
[   11.961556] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10312f
[   11.961890] flags: 0x200000000000000(node=0|zone=2)
[   11.962331] page_type: f5(slab)
[   11.962482] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.962827] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.963431] page dumped because: kasan: bad access detected
[   11.964263]
[   11.964368] Memory state around the buggy address:
[   11.964855]  ffff88810312f200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.965313]  ffff88810312f280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.966223] >ffff88810312f300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.966839]                    ^
[   11.966963]  ffff88810312f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.967237]  ffff88810312f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.967471] ==================================================================
[   11.910991] ==================================================================
[   11.912160] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   11.912443] Read of size 1 at addr ffff88810312f300 by task kunit_try_catch/213
[   11.912723]
[   11.912830] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[   11.912872] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.912883] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.912903] Call Trace:
[   11.912914]  <TASK>
[   11.912929]  dump_stack_lvl+0x73/0xb0
[   11.912954]  print_report+0xd1/0x650
[   11.912976]  ? __virt_addr_valid+0x1db/0x2d0
[   11.912996]  ? ksize_uaf+0x19d/0x6c0
[   11.913015]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.913050]  ? ksize_uaf+0x19d/0x6c0
[   11.913069]  kasan_report+0x141/0x180
[   11.913090]  ? ksize_uaf+0x19d/0x6c0
[   11.913113]  ? ksize_uaf+0x19d/0x6c0
[   11.913132]  __kasan_check_byte+0x3d/0x50
[   11.913153]  ksize+0x20/0x60
[   11.913173]  ksize_uaf+0x19d/0x6c0
[   11.913193]  ? __pfx_ksize_uaf+0x10/0x10
[   11.913213]  ? __schedule+0x10cc/0x2b60
[   11.913234]  ? __pfx_read_tsc+0x10/0x10
[   11.913253]  ? ktime_get_ts64+0x86/0x230
[   11.913275]  kunit_try_run_case+0x1a5/0x480
[   11.913299]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.913320]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.913342]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.913364]  ? __kthread_parkme+0x82/0x180
[   11.913383]  ? preempt_count_sub+0x50/0x80
[   11.913406]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.913428]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.913450]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.913471]  kthread+0x337/0x6f0
[   11.913489]  ? trace_preempt_on+0x20/0xc0
[   11.913511]  ? __pfx_kthread+0x10/0x10
[   11.913530]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.913550]  ? calculate_sigpending+0x7b/0xa0
[   11.913572]  ? __pfx_kthread+0x10/0x10
[   11.913592]  ret_from_fork+0x116/0x1d0
[   11.913609]  ? __pfx_kthread+0x10/0x10
[   11.913628]  ret_from_fork_asm+0x1a/0x30
[   11.913657]  </TASK>
[   11.913668]
[   11.922033] Allocated by task 213:
[   11.922342]  kasan_save_stack+0x45/0x70
[   11.922582]  kasan_save_track+0x18/0x40
[   11.922799]  kasan_save_alloc_info+0x3b/0x50
[   11.923124]  __kasan_kmalloc+0xb7/0xc0
[   11.923397]  __kmalloc_cache_noprof+0x189/0x420
[   11.923658]  ksize_uaf+0xaa/0x6c0
[   11.923843]  kunit_try_run_case+0x1a5/0x480
[   11.924075]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.924465]  kthread+0x337/0x6f0
[   11.924688]  ret_from_fork+0x116/0x1d0
[   11.924866]  ret_from_fork_asm+0x1a/0x30
[   11.925187]
[   11.925283] Freed by task 213:
[   11.925427]  kasan_save_stack+0x45/0x70
[   11.925614]  kasan_save_track+0x18/0x40
[   11.925747]  kasan_save_free_info+0x3f/0x60
[   11.925891]  __kasan_slab_free+0x56/0x70
[   11.926257]  kfree+0x222/0x3f0
[   11.926429]  ksize_uaf+0x12c/0x6c0
[   11.926608]  kunit_try_run_case+0x1a5/0x480
[   11.926815]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.927161]  kthread+0x337/0x6f0
[   11.927286]  ret_from_fork+0x116/0x1d0
[   11.927417]  ret_from_fork_asm+0x1a/0x30
[   11.927571]
[   11.927701] The buggy address belongs to the object at ffff88810312f300
[   11.927701]  which belongs to the cache kmalloc-128 of size 128
[   11.928473] The buggy address is located 0 bytes inside of
[   11.928473]  freed 128-byte region [ffff88810312f300, ffff88810312f380)
[   11.929187]
[   11.929321] The buggy address belongs to the physical page:
[   11.929568] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10312f
[   11.929893] flags: 0x200000000000000(node=0|zone=2)
[   11.930136] page_type: f5(slab)
[   11.930325] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.930763] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.931363] page dumped because: kasan: bad access detected
[   11.931648]
[   11.931727] Memory state around the buggy address:
[   11.931981]  ffff88810312f200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.932361]  ffff88810312f280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.932728] >ffff88810312f300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.933216]                    ^
[   11.933336]  ffff88810312f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.933698]  ffff88810312f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.934088] ==================================================================
[   11.968316] ==================================================================
[   11.969016] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   11.969677] Read of size 1 at addr ffff88810312f378 by task kunit_try_catch/213
[   11.970258]
[   11.970352] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[   11.970393] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.970405] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.970424] Call Trace:
[   11.970440]  <TASK>
[   11.970456]  dump_stack_lvl+0x73/0xb0
[   11.970484]  print_report+0xd1/0x650
[   11.970505]  ? __virt_addr_valid+0x1db/0x2d0
[   11.970527]  ? ksize_uaf+0x5e4/0x6c0
[   11.970546]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.970568]  ? ksize_uaf+0x5e4/0x6c0
[   11.970588]  kasan_report+0x141/0x180
[   11.970608]  ? ksize_uaf+0x5e4/0x6c0
[   11.970632]  __asan_report_load1_noabort+0x18/0x20
[   11.970655]  ksize_uaf+0x5e4/0x6c0
[   11.970674]  ? __pfx_ksize_uaf+0x10/0x10
[   11.970694]  ? __schedule+0x10cc/0x2b60
[   11.970715]  ? __pfx_read_tsc+0x10/0x10
[   11.970734]  ? ktime_get_ts64+0x86/0x230
[   11.970757]  kunit_try_run_case+0x1a5/0x480
[   11.970779]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.970799]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.970820]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.970841]  ? __kthread_parkme+0x82/0x180
[   11.970860]  ? preempt_count_sub+0x50/0x80
[   11.970882]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.970903]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.970924]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.970946]  kthread+0x337/0x6f0
[   11.970963]  ? trace_preempt_on+0x20/0xc0
[   11.970984]  ? __pfx_kthread+0x10/0x10
[   11.971003]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.971034]  ? calculate_sigpending+0x7b/0xa0
[   11.971060]  ? __pfx_kthread+0x10/0x10
[   11.971082]  ret_from_fork+0x116/0x1d0
[   11.971098]  ? __pfx_kthread+0x10/0x10
[   11.971117]  ret_from_fork_asm+0x1a/0x30
[   11.971146]  </TASK>
[   11.971157]
[   11.980792] Allocated by task 213:
[   11.980987]  kasan_save_stack+0x45/0x70
[   11.981272]  kasan_save_track+0x18/0x40
[   11.981458]  kasan_save_alloc_info+0x3b/0x50
[   11.981606]  __kasan_kmalloc+0xb7/0xc0
[   11.981793]  __kmalloc_cache_noprof+0x189/0x420
[   11.982096]  ksize_uaf+0xaa/0x6c0
[   11.982442]  kunit_try_run_case+0x1a5/0x480
[   11.982638]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.982886]  kthread+0x337/0x6f0
[   11.983106]  ret_from_fork+0x116/0x1d0
[   11.983337]  ret_from_fork_asm+0x1a/0x30
[   11.983613]
[   11.983711] Freed by task 213:
[   11.983888]  kasan_save_stack+0x45/0x70
[   11.984153]  kasan_save_track+0x18/0x40
[   11.984304]  kasan_save_free_info+0x3f/0x60
[   11.984448]  __kasan_slab_free+0x56/0x70
[   11.984582]  kfree+0x222/0x3f0
[   11.984705]  ksize_uaf+0x12c/0x6c0
[   11.985020]  kunit_try_run_case+0x1a5/0x480
[   11.985243]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.985528]  kthread+0x337/0x6f0
[   11.985647]  ret_from_fork+0x116/0x1d0
[   11.985876]  ret_from_fork_asm+0x1a/0x30
[   11.986240]
[   11.986338] The buggy address belongs to the object at ffff88810312f300
[   11.986338]  which belongs to the cache kmalloc-128 of size 128
[   11.986852] The buggy address is located 120 bytes inside of
[   11.986852]  freed 128-byte region [ffff88810312f300, ffff88810312f380)
[   11.987532]
[   11.987632] The buggy address belongs to the physical page:
[   11.987860] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10312f
[   11.988459] flags: 0x200000000000000(node=0|zone=2)
[   11.988831] page_type: f5(slab)
[   11.988999] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.989353] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.989575] page dumped because: kasan: bad access detected
[   11.989851]
[   11.990050] Memory state around the buggy address:
[   11.990523]  ffff88810312f200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.990845]  ffff88810312f280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.991238] >ffff88810312f300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.991517]                                                                 ^
[   11.991766]  ffff88810312f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.992367]  ffff88810312f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.992787] ==================================================================
```