Date: July 1, 2025, 3:08 p.m.

| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64 log:

```text
[ 17.257910] ==================================================================
[ 17.257972] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 17.258022] Read of size 1 at addr fff00000c5733c00 by task kunit_try_catch/197
[ 17.258071]
[ 17.258130] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 17.258214] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.258242] Hardware name: linux,dummy-virt (DT)
[ 17.258273] Call trace:
[ 17.258295]  show_stack+0x20/0x38 (C)
[ 17.258357]  dump_stack_lvl+0x8c/0xd0
[ 17.258405]  print_report+0x118/0x608
[ 17.258450]  kasan_report+0xdc/0x128
[ 17.258495]  __kasan_check_byte+0x54/0x70
[ 17.258542]  ksize+0x30/0x88
[ 17.258635]  ksize_uaf+0x168/0x5f8
[ 17.259204]  kunit_try_run_case+0x170/0x3f0
[ 17.259342]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.259396]  kthread+0x328/0x630
[ 17.259754]  ret_from_fork+0x10/0x20
[ 17.259844]
[ 17.260149] Allocated by task 197:
[ 17.260196]  kasan_save_stack+0x3c/0x68
[ 17.260319]  kasan_save_track+0x20/0x40
[ 17.260389]  kasan_save_alloc_info+0x40/0x58
[ 17.260517]  __kasan_kmalloc+0xd4/0xd8
[ 17.260557]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 17.260652]  ksize_uaf+0xb8/0x5f8
[ 17.261007]  kunit_try_run_case+0x170/0x3f0
[ 17.261141]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.261218]  kthread+0x328/0x630
[ 17.261325]  ret_from_fork+0x10/0x20
[ 17.261386]
[ 17.261458] Freed by task 197:
[ 17.261577]  kasan_save_stack+0x3c/0x68
[ 17.261617]  kasan_save_track+0x20/0x40
[ 17.261674]  kasan_save_free_info+0x4c/0x78
[ 17.261721]  __kasan_slab_free+0x6c/0x98
[ 17.261874]  kfree+0x214/0x3c8
[ 17.262055]  ksize_uaf+0x11c/0x5f8
[ 17.262182]  kunit_try_run_case+0x170/0x3f0
[ 17.262296]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.262421]  kthread+0x328/0x630
[ 17.262480]  ret_from_fork+0x10/0x20
[ 17.262596]
[ 17.262645] The buggy address belongs to the object at fff00000c5733c00
[ 17.262645]  which belongs to the cache kmalloc-128 of size 128
[ 17.262738] The buggy address is located 0 bytes inside of
[ 17.262738]  freed 128-byte region [fff00000c5733c00, fff00000c5733c80)
[ 17.263074]
[ 17.263355] The buggy address belongs to the physical page:
[ 17.263436] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105733
[ 17.263574] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.263663] page_type: f5(slab)
[ 17.263777] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 17.263875] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.264012] page dumped because: kasan: bad access detected
[ 17.264082]
[ 17.264130] Memory state around the buggy address:
[ 17.264227]  fff00000c5733b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.264300]  fff00000c5733b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.264611] >fff00000c5733c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.264687]                    ^
[ 17.264740]  fff00000c5733c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.264876]  fff00000c5733d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.264979] ==================================================================
[ 17.266027] ==================================================================
[ 17.266132] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 17.266219] Read of size 1 at addr fff00000c5733c00 by task kunit_try_catch/197
[ 17.266271]
[ 17.266428] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 17.266603] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.266826] Hardware name: linux,dummy-virt (DT)
[ 17.266869] Call trace:
[ 17.266910]  show_stack+0x20/0x38 (C)
[ 17.266976]  dump_stack_lvl+0x8c/0xd0
[ 17.267028]  print_report+0x118/0x608
[ 17.267074]  kasan_report+0xdc/0x128
[ 17.267119]  __asan_report_load1_noabort+0x20/0x30
[ 17.267245]  ksize_uaf+0x598/0x5f8
[ 17.267291]  kunit_try_run_case+0x170/0x3f0
[ 17.267357]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.267457]  kthread+0x328/0x630
[ 17.267501]  ret_from_fork+0x10/0x20
[ 17.267549]
[ 17.267812] Allocated by task 197:
[ 17.267870]  kasan_save_stack+0x3c/0x68
[ 17.267970]  kasan_save_track+0x20/0x40
[ 17.268039]  kasan_save_alloc_info+0x40/0x58
[ 17.268082]  __kasan_kmalloc+0xd4/0xd8
[ 17.268178]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 17.268232]  ksize_uaf+0xb8/0x5f8
[ 17.268312]  kunit_try_run_case+0x170/0x3f0
[ 17.268452]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.268504]  kthread+0x328/0x630
[ 17.268583]  ret_from_fork+0x10/0x20
[ 17.268836]
[ 17.268905] Freed by task 197:
[ 17.268945]  kasan_save_stack+0x3c/0x68
[ 17.268988]  kasan_save_track+0x20/0x40
[ 17.269091]  kasan_save_free_info+0x4c/0x78
[ 17.269134]  __kasan_slab_free+0x6c/0x98
[ 17.269172]  kfree+0x214/0x3c8
[ 17.269206]  ksize_uaf+0x11c/0x5f8
[ 17.269304]  kunit_try_run_case+0x170/0x3f0
[ 17.269406]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.269594]  kthread+0x328/0x630
[ 17.269635]  ret_from_fork+0x10/0x20
[ 17.269671]
[ 17.269694] The buggy address belongs to the object at fff00000c5733c00
[ 17.269694]  which belongs to the cache kmalloc-128 of size 128
[ 17.269934] The buggy address is located 0 bytes inside of
[ 17.269934]  freed 128-byte region [fff00000c5733c00, fff00000c5733c80)
[ 17.270050]
[ 17.270109] The buggy address belongs to the physical page:
[ 17.270249] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105733
[ 17.270337] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.270637] page_type: f5(slab)
[ 17.270693] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 17.270967] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.271044] page dumped because: kasan: bad access detected
[ 17.271099]
[ 17.271146] Memory state around the buggy address:
[ 17.271286]  fff00000c5733b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.271370]  fff00000c5733b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.271704] >fff00000c5733c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.271868]                    ^
[ 17.271939]  fff00000c5733c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.272104]  fff00000c5733d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.272196] ==================================================================
[ 17.273235] ==================================================================
[ 17.273303] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 17.273353] Read of size 1 at addr fff00000c5733c78 by task kunit_try_catch/197
[ 17.273722]
[ 17.273880] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 17.274051] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.274112] Hardware name: linux,dummy-virt (DT)
[ 17.274187] Call trace:
[ 17.274289]  show_stack+0x20/0x38 (C)
[ 17.274378]  dump_stack_lvl+0x8c/0xd0
[ 17.274448]  print_report+0x118/0x608
[ 17.274808]  kasan_report+0xdc/0x128
[ 17.274877]  __asan_report_load1_noabort+0x20/0x30
[ 17.274989]  ksize_uaf+0x544/0x5f8
[ 17.275041]  kunit_try_run_case+0x170/0x3f0
[ 17.275086]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.275137]  kthread+0x328/0x630
[ 17.275179]  ret_from_fork+0x10/0x20
[ 17.275233]
[ 17.275252] Allocated by task 197:
[ 17.275287]  kasan_save_stack+0x3c/0x68
[ 17.275340]  kasan_save_track+0x20/0x40
[ 17.275377]  kasan_save_alloc_info+0x40/0x58
[ 17.275431]  __kasan_kmalloc+0xd4/0xd8
[ 17.275473]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 17.275512]  ksize_uaf+0xb8/0x5f8
[ 17.275561]  kunit_try_run_case+0x170/0x3f0
[ 17.275958]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.276049]  kthread+0x328/0x630
[ 17.276137]  ret_from_fork+0x10/0x20
[ 17.276228]
[ 17.276298] Freed by task 197:
[ 17.276435]  kasan_save_stack+0x3c/0x68
[ 17.276492]  kasan_save_track+0x20/0x40
[ 17.276555]  kasan_save_free_info+0x4c/0x78
[ 17.276890]  __kasan_slab_free+0x6c/0x98
[ 17.276968]  kfree+0x214/0x3c8
[ 17.277086]  ksize_uaf+0x11c/0x5f8
[ 17.277164]  kunit_try_run_case+0x170/0x3f0
[ 17.277312]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.277396]  kthread+0x328/0x630
[ 17.277457]  ret_from_fork+0x10/0x20
[ 17.277495]
[ 17.277514] The buggy address belongs to the object at fff00000c5733c00
[ 17.277514]  which belongs to the cache kmalloc-128 of size 128
[ 17.277585] The buggy address is located 120 bytes inside of
[ 17.277585]  freed 128-byte region [fff00000c5733c00, fff00000c5733c80)
[ 17.278521]
[ 17.278596] The buggy address belongs to the physical page:
[ 17.278919] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105733
[ 17.278996] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.279134] page_type: f5(slab)
[ 17.279215] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 17.279679] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.279953] page dumped because: kasan: bad access detected
[ 17.280041]
[ 17.280076] Memory state around the buggy address:
[ 17.280188]  fff00000c5733b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.280302]  fff00000c5733b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.280368] >fff00000c5733c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.280458]                                                                 ^
[ 17.280555]  fff00000c5733c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.280654]  fff00000c5733d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.281356] ==================================================================
```
qemu-x86_64 log:

```text
[ 12.112403] ==================================================================
[ 12.112785] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 12.113075] Read of size 1 at addr ffff8881033ae300 by task kunit_try_catch/213
[ 12.113394]
[ 12.113492] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 12.113533] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.113544] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.113564] Call Trace:
[ 12.113579]  <TASK>
[ 12.113595]  dump_stack_lvl+0x73/0xb0
[ 12.113621]  print_report+0xd1/0x650
[ 12.113809]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.113842]  ? ksize_uaf+0x5fe/0x6c0
[ 12.113861]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.113882]  ? ksize_uaf+0x5fe/0x6c0
[ 12.113902]  kasan_report+0x141/0x180
[ 12.113922]  ? ksize_uaf+0x5fe/0x6c0
[ 12.113946]  __asan_report_load1_noabort+0x18/0x20
[ 12.113969]  ksize_uaf+0x5fe/0x6c0
[ 12.113989]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.114009]  ? __schedule+0x10cc/0x2b60
[ 12.114045]  ? __pfx_read_tsc+0x10/0x10
[ 12.114065]  ? ktime_get_ts64+0x86/0x230
[ 12.114088]  kunit_try_run_case+0x1a5/0x480
[ 12.114110]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.114131]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.114153]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.114175]  ? __kthread_parkme+0x82/0x180
[ 12.114194]  ? preempt_count_sub+0x50/0x80
[ 12.114217]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.114239]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.114261]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.114282]  kthread+0x337/0x6f0
[ 12.114300]  ? trace_preempt_on+0x20/0xc0
[ 12.114322]  ? __pfx_kthread+0x10/0x10
[ 12.114355]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.114375]  ? calculate_sigpending+0x7b/0xa0
[ 12.114398]  ? __pfx_kthread+0x10/0x10
[ 12.114418]  ret_from_fork+0x116/0x1d0
[ 12.114435]  ? __pfx_kthread+0x10/0x10
[ 12.114455]  ret_from_fork_asm+0x1a/0x30
[ 12.114484]  </TASK>
[ 12.114496]
[ 12.121615] Allocated by task 213:
[ 12.121815]  kasan_save_stack+0x45/0x70
[ 12.121960]  kasan_save_track+0x18/0x40
[ 12.122107]  kasan_save_alloc_info+0x3b/0x50
[ 12.122254]  __kasan_kmalloc+0xb7/0xc0
[ 12.122407]  __kmalloc_cache_noprof+0x189/0x420
[ 12.122627]  ksize_uaf+0xaa/0x6c0
[ 12.123091]  kunit_try_run_case+0x1a5/0x480
[ 12.123322]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.123571]  kthread+0x337/0x6f0
[ 12.123920]  ret_from_fork+0x116/0x1d0
[ 12.124131]  ret_from_fork_asm+0x1a/0x30
[ 12.124317]
[ 12.124394] Freed by task 213:
[ 12.124537]  kasan_save_stack+0x45/0x70
[ 12.124792]  kasan_save_track+0x18/0x40
[ 12.124990]  kasan_save_free_info+0x3f/0x60
[ 12.125171]  __kasan_slab_free+0x56/0x70
[ 12.125369]  kfree+0x222/0x3f0
[ 12.125541]  ksize_uaf+0x12c/0x6c0
[ 12.125670]  kunit_try_run_case+0x1a5/0x480
[ 12.125816]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.125988]  kthread+0x337/0x6f0
[ 12.126158]  ret_from_fork+0x116/0x1d0
[ 12.126340]  ret_from_fork_asm+0x1a/0x30
[ 12.126792]
[ 12.126901] The buggy address belongs to the object at ffff8881033ae300
[ 12.126901]  which belongs to the cache kmalloc-128 of size 128
[ 12.127293] The buggy address is located 0 bytes inside of
[ 12.127293]  freed 128-byte region [ffff8881033ae300, ffff8881033ae380)
[ 12.128002]
[ 12.128114] The buggy address belongs to the physical page:
[ 12.128359] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1033ae
[ 12.128747] flags: 0x200000000000000(node=0|zone=2)
[ 12.128954] page_type: f5(slab)
[ 12.129135] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.129424] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.129793] page dumped because: kasan: bad access detected
[ 12.130003]
[ 12.130113] Memory state around the buggy address:
[ 12.130309]  ffff8881033ae200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.130602]  ffff8881033ae280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.131093] >ffff8881033ae300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.131365]                    ^
[ 12.131482]  ffff8881033ae380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.131724]  ffff8881033ae400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.132234] ==================================================================
[ 12.132831] ==================================================================
[ 12.133189] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 12.133421] Read of size 1 at addr ffff8881033ae378 by task kunit_try_catch/213
[ 12.134007]
[ 12.134153] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 12.134197] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.134209] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.134230] Call Trace:
[ 12.134248]  <TASK>
[ 12.134264]  dump_stack_lvl+0x73/0xb0
[ 12.134293]  print_report+0xd1/0x650
[ 12.134314]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.134337]  ? ksize_uaf+0x5e4/0x6c0
[ 12.134356]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.134377]  ? ksize_uaf+0x5e4/0x6c0
[ 12.134397]  kasan_report+0x141/0x180
[ 12.134418]  ? ksize_uaf+0x5e4/0x6c0
[ 12.134442]  __asan_report_load1_noabort+0x18/0x20
[ 12.134465]  ksize_uaf+0x5e4/0x6c0
[ 12.134484]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.134504]  ? __schedule+0x10cc/0x2b60
[ 12.134525]  ? __pfx_read_tsc+0x10/0x10
[ 12.134545]  ? ktime_get_ts64+0x86/0x230
[ 12.134568]  kunit_try_run_case+0x1a5/0x480
[ 12.134590]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.134611]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.134633]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.134654]  ? __kthread_parkme+0x82/0x180
[ 12.134673]  ? preempt_count_sub+0x50/0x80
[ 12.134695]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.134717]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.134910]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.134942]  kthread+0x337/0x6f0
[ 12.134962]  ? trace_preempt_on+0x20/0xc0
[ 12.134985]  ? __pfx_kthread+0x10/0x10
[ 12.135004]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.135039]  ? calculate_sigpending+0x7b/0xa0
[ 12.135062]  ? __pfx_kthread+0x10/0x10
[ 12.135083]  ret_from_fork+0x116/0x1d0
[ 12.135100]  ? __pfx_kthread+0x10/0x10
[ 12.135119]  ret_from_fork_asm+0x1a/0x30
[ 12.135149]  </TASK>
[ 12.135161]
[ 12.142054] Allocated by task 213:
[ 12.142217]  kasan_save_stack+0x45/0x70
[ 12.142361]  kasan_save_track+0x18/0x40
[ 12.142535]  kasan_save_alloc_info+0x3b/0x50
[ 12.142910]  __kasan_kmalloc+0xb7/0xc0
[ 12.143111]  __kmalloc_cache_noprof+0x189/0x420
[ 12.143312]  ksize_uaf+0xaa/0x6c0
[ 12.143473]  kunit_try_run_case+0x1a5/0x480
[ 12.143674]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.143886]  kthread+0x337/0x6f0
[ 12.144006]  ret_from_fork+0x116/0x1d0
[ 12.144153]  ret_from_fork_asm+0x1a/0x30
[ 12.144290]
[ 12.144358] Freed by task 213:
[ 12.144468]  kasan_save_stack+0x45/0x70
[ 12.144600]  kasan_save_track+0x18/0x40
[ 12.144731]  kasan_save_free_info+0x3f/0x60
[ 12.144936]  __kasan_slab_free+0x56/0x70
[ 12.145138]  kfree+0x222/0x3f0
[ 12.145298]  ksize_uaf+0x12c/0x6c0
[ 12.145469]  kunit_try_run_case+0x1a5/0x480
[ 12.145863]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.146150]  kthread+0x337/0x6f0
[ 12.146316]  ret_from_fork+0x116/0x1d0
[ 12.146463]  ret_from_fork_asm+0x1a/0x30
[ 12.146604]
[ 12.146848] The buggy address belongs to the object at ffff8881033ae300
[ 12.146848]  which belongs to the cache kmalloc-128 of size 128
[ 12.147394] The buggy address is located 120 bytes inside of
[ 12.147394]  freed 128-byte region [ffff8881033ae300, ffff8881033ae380)
[ 12.147947]
[ 12.148046] The buggy address belongs to the physical page:
[ 12.148259] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1033ae
[ 12.148496] flags: 0x200000000000000(node=0|zone=2)
[ 12.148657] page_type: f5(slab)
[ 12.148965] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.149325] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.149666] page dumped because: kasan: bad access detected
[ 12.149927]
[ 12.150034] Memory state around the buggy address:
[ 12.150242]  ffff8881033ae200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.150822]  ffff8881033ae280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.151057] >ffff8881033ae300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.151377]                                                                 ^
[ 12.151733]  ffff8881033ae380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.152029]  ffff8881033ae400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.152281] ==================================================================
[ 12.091975] ==================================================================
[ 12.092518] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 12.093065] Read of size 1 at addr ffff8881033ae300 by task kunit_try_catch/213
[ 12.093387]
[ 12.093497] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 12.093545] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.093557] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.093579] Call Trace:
[ 12.093591]  <TASK>
[ 12.093612]  dump_stack_lvl+0x73/0xb0
[ 12.093644]  print_report+0xd1/0x650
[ 12.093731]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.093756]  ? ksize_uaf+0x19d/0x6c0
[ 12.093776]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.093797]  ? ksize_uaf+0x19d/0x6c0
[ 12.093816]  kasan_report+0x141/0x180
[ 12.093836]  ? ksize_uaf+0x19d/0x6c0
[ 12.093858]  ? ksize_uaf+0x19d/0x6c0
[ 12.093878]  __kasan_check_byte+0x3d/0x50
[ 12.093899]  ksize+0x20/0x60
[ 12.093920]  ksize_uaf+0x19d/0x6c0
[ 12.093939]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.093959]  ? __schedule+0x10cc/0x2b60
[ 12.093981]  ? __pfx_read_tsc+0x10/0x10
[ 12.094001]  ? ktime_get_ts64+0x86/0x230
[ 12.094039]  kunit_try_run_case+0x1a5/0x480
[ 12.094064]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.094085]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.094108]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.094129]  ? __kthread_parkme+0x82/0x180
[ 12.094149]  ? preempt_count_sub+0x50/0x80
[ 12.094172]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.094194]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.094215]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.094236]  kthread+0x337/0x6f0
[ 12.094254]  ? trace_preempt_on+0x20/0xc0
[ 12.094276]  ? __pfx_kthread+0x10/0x10
[ 12.094295]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.094314]  ? calculate_sigpending+0x7b/0xa0
[ 12.094337]  ? __pfx_kthread+0x10/0x10
[ 12.094357]  ret_from_fork+0x116/0x1d0
[ 12.094374]  ? __pfx_kthread+0x10/0x10
[ 12.094392]  ret_from_fork_asm+0x1a/0x30
[ 12.094422]  </TASK>
[ 12.094434]
[ 12.101846] Allocated by task 213:
[ 12.102055]  kasan_save_stack+0x45/0x70
[ 12.102252]  kasan_save_track+0x18/0x40
[ 12.102413]  kasan_save_alloc_info+0x3b/0x50
[ 12.102561]  __kasan_kmalloc+0xb7/0xc0
[ 12.102691]  __kmalloc_cache_noprof+0x189/0x420
[ 12.102909]  ksize_uaf+0xaa/0x6c0
[ 12.103090]  kunit_try_run_case+0x1a5/0x480
[ 12.103313]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.103544]  kthread+0x337/0x6f0
[ 12.103775]  ret_from_fork+0x116/0x1d0
[ 12.103973]  ret_from_fork_asm+0x1a/0x30
[ 12.104185]
[ 12.104273] Freed by task 213:
[ 12.104418]  kasan_save_stack+0x45/0x70
[ 12.104556]  kasan_save_track+0x18/0x40
[ 12.104688]  kasan_save_free_info+0x3f/0x60
[ 12.105128]  __kasan_slab_free+0x56/0x70
[ 12.105351]  kfree+0x222/0x3f0
[ 12.105518]  ksize_uaf+0x12c/0x6c0
[ 12.105823]  kunit_try_run_case+0x1a5/0x480
[ 12.106014]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.106197]  kthread+0x337/0x6f0
[ 12.106316]  ret_from_fork+0x116/0x1d0
[ 12.106446]  ret_from_fork_asm+0x1a/0x30
[ 12.106613]
[ 12.106708] The buggy address belongs to the object at ffff8881033ae300
[ 12.106708]  which belongs to the cache kmalloc-128 of size 128
[ 12.107244] The buggy address is located 0 bytes inside of
[ 12.107244]  freed 128-byte region [ffff8881033ae300, ffff8881033ae380)
[ 12.107733]
[ 12.107839] The buggy address belongs to the physical page:
[ 12.108091] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1033ae
[ 12.108371] flags: 0x200000000000000(node=0|zone=2)
[ 12.108537] page_type: f5(slab)
[ 12.108658] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.109238] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.109635] page dumped because: kasan: bad access detected
[ 12.110055]
[ 12.110154] Memory state around the buggy address:
[ 12.110381]  ffff8881033ae200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.110666]  ffff8881033ae280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.110893] >ffff8881033ae300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.111190]                    ^
[ 12.111352]  ffff8881033ae380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.111648]  ffff8881033ae400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.111932] ==================================================================
```