Hay
Sign in
Date
July 3, 2025, 6:13 p.m.

Environment
qemu-arm64
qemu-x86_64 

[   17.051753] ==================================================================
[   17.051853] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   17.052141] Read of size 1 at addr fff00000c78c1400 by task kunit_try_catch/196
[   17.052203] 
[   17.052340] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   17.052430] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.052461] Hardware name: linux,dummy-virt (DT)
[   17.052724] Call trace:
[   17.052911]  show_stack+0x20/0x38 (C)
[   17.053105]  dump_stack_lvl+0x8c/0xd0
[   17.053404]  print_report+0x118/0x608
[   17.053577]  kasan_report+0xdc/0x128
[   17.053686]  __kasan_check_byte+0x54/0x70
[   17.054113]  ksize+0x30/0x88
[   17.054275]  ksize_uaf+0x168/0x5f8
[   17.054485]  kunit_try_run_case+0x170/0x3f0
[   17.054599]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.054683]  kthread+0x328/0x630
[   17.055159]  ret_from_fork+0x10/0x20
[   17.055647] 
[   17.055747] Allocated by task 196:
[   17.055814]  kasan_save_stack+0x3c/0x68
[   17.055979]  kasan_save_track+0x20/0x40
[   17.056130]  kasan_save_alloc_info+0x40/0x58
[   17.056309]  __kasan_kmalloc+0xd4/0xd8
[   17.056452]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.056627]  ksize_uaf+0xb8/0x5f8
[   17.056811]  kunit_try_run_case+0x170/0x3f0
[   17.056996]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.057061]  kthread+0x328/0x630
[   17.057462]  ret_from_fork+0x10/0x20
[   17.057563] 
[   17.057629] Freed by task 196:
[   17.057659]  kasan_save_stack+0x3c/0x68
[   17.057699]  kasan_save_track+0x20/0x40
[   17.057765]  kasan_save_free_info+0x4c/0x78
[   17.057811]  __kasan_slab_free+0x6c/0x98
[   17.057870]  kfree+0x214/0x3c8
[   17.057920]  ksize_uaf+0x11c/0x5f8
[   17.057955]  kunit_try_run_case+0x170/0x3f0
[   17.058003]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.058057]  kthread+0x328/0x630
[   17.058090]  ret_from_fork+0x10/0x20
[   17.058127] 
[   17.058146] The buggy address belongs to the object at fff00000c78c1400
[   17.058146]  which belongs to the cache kmalloc-128 of size 128
[   17.058217] The buggy address is located 0 bytes inside of
[   17.058217]  freed 128-byte region [fff00000c78c1400, fff00000c78c1480)
[   17.058295] 
[   17.058314] The buggy address belongs to the physical page:
[   17.058352] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078c1
[   17.058415] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.058463] page_type: f5(slab)
[   17.058498] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.058549] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.058603] page dumped because: kasan: bad access detected
[   17.058642] 
[   17.058659] Memory state around the buggy address:
[   17.058691]  fff00000c78c1300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.058732]  fff00000c78c1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.058773] >fff00000c78c1400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.058821]                    ^
[   17.058848]  fff00000c78c1480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.058890]  fff00000c78c1500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.058927] ==================================================================
[   17.072433] ==================================================================
[   17.072502] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   17.072779] Read of size 1 at addr fff00000c78c1478 by task kunit_try_catch/196
[   17.072991] 
[   17.073022] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   17.073487] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.073713] Hardware name: linux,dummy-virt (DT)
[   17.073869] Call trace:
[   17.073900]  show_stack+0x20/0x38 (C)
[   17.073998]  dump_stack_lvl+0x8c/0xd0
[   17.074060]  print_report+0x118/0x608
[   17.074107]  kasan_report+0xdc/0x128
[   17.074152]  __asan_report_load1_noabort+0x20/0x30
[   17.074203]  ksize_uaf+0x544/0x5f8
[   17.074272]  kunit_try_run_case+0x170/0x3f0
[   17.074319]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.074374]  kthread+0x328/0x630
[   17.074423]  ret_from_fork+0x10/0x20
[   17.074477] 
[   17.074496] Allocated by task 196:
[   17.074524]  kasan_save_stack+0x3c/0x68
[   17.074565]  kasan_save_track+0x20/0x40
[   17.074608]  kasan_save_alloc_info+0x40/0x58
[   17.074656]  __kasan_kmalloc+0xd4/0xd8
[   17.074693]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.074729]  ksize_uaf+0xb8/0x5f8
[   17.074761]  kunit_try_run_case+0x170/0x3f0
[   17.074804]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.074848]  kthread+0x328/0x630
[   17.074881]  ret_from_fork+0x10/0x20
[   17.074914] 
[   17.074939] Freed by task 196:
[   17.074973]  kasan_save_stack+0x3c/0x68
[   17.075009]  kasan_save_track+0x20/0x40
[   17.075055]  kasan_save_free_info+0x4c/0x78
[   17.075094]  __kasan_slab_free+0x6c/0x98
[   17.075140]  kfree+0x214/0x3c8
[   17.075172]  ksize_uaf+0x11c/0x5f8
[   17.075204]  kunit_try_run_case+0x170/0x3f0
[   17.075256]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.075310]  kthread+0x328/0x630
[   17.075343]  ret_from_fork+0x10/0x20
[   17.075379] 
[   17.075400] The buggy address belongs to the object at fff00000c78c1400
[   17.075400]  which belongs to the cache kmalloc-128 of size 128
[   17.075477] The buggy address is located 120 bytes inside of
[   17.075477]  freed 128-byte region [fff00000c78c1400, fff00000c78c1480)
[   17.075549] 
[   17.075584] The buggy address belongs to the physical page:
[   17.075613] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078c1
[   17.075670] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.075727] page_type: f5(slab)
[   17.075777] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.075838] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.075878] page dumped because: kasan: bad access detected
[   17.075918] 
[   17.075936] Memory state around the buggy address:
[   17.075975]  fff00000c78c1300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.076639]  fff00000c78c1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.076741] >fff00000c78c1400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.076829]                                                                 ^
[   17.076913]  fff00000c78c1480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.077106]  fff00000c78c1500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.077315] ==================================================================
[   17.061989] ==================================================================
[   17.062063] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   17.062109] Read of size 1 at addr fff00000c78c1400 by task kunit_try_catch/196
[   17.062250] 
[   17.062336] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   17.062709] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.062805] Hardware name: linux,dummy-virt (DT)
[   17.062858] Call trace:
[   17.062916]  show_stack+0x20/0x38 (C)
[   17.062968]  dump_stack_lvl+0x8c/0xd0
[   17.063148]  print_report+0x118/0x608
[   17.063240]  kasan_report+0xdc/0x128
[   17.063303]  __asan_report_load1_noabort+0x20/0x30
[   17.063438]  ksize_uaf+0x598/0x5f8
[   17.063490]  kunit_try_run_case+0x170/0x3f0
[   17.063538]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.063591]  kthread+0x328/0x630
[   17.063853]  ret_from_fork+0x10/0x20
[   17.063931] 
[   17.064076] Allocated by task 196:
[   17.064113]  kasan_save_stack+0x3c/0x68
[   17.064156]  kasan_save_track+0x20/0x40
[   17.064192]  kasan_save_alloc_info+0x40/0x58
[   17.064370]  __kasan_kmalloc+0xd4/0xd8
[   17.064415]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.064597]  ksize_uaf+0xb8/0x5f8
[   17.064646]  kunit_try_run_case+0x170/0x3f0
[   17.064702]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.064746]  kthread+0x328/0x630
[   17.064778]  ret_from_fork+0x10/0x20
[   17.065082] 
[   17.065187] Freed by task 196:
[   17.065268]  kasan_save_stack+0x3c/0x68
[   17.065512]  kasan_save_track+0x20/0x40
[   17.065684]  kasan_save_free_info+0x4c/0x78
[   17.066121]  __kasan_slab_free+0x6c/0x98
[   17.066293]  kfree+0x214/0x3c8
[   17.066727]  ksize_uaf+0x11c/0x5f8
[   17.066933]  kunit_try_run_case+0x170/0x3f0
[   17.067092]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.067191]  kthread+0x328/0x630
[   17.067225]  ret_from_fork+0x10/0x20
[   17.067410] 
[   17.067640] The buggy address belongs to the object at fff00000c78c1400
[   17.067640]  which belongs to the cache kmalloc-128 of size 128
[   17.067827] The buggy address is located 0 bytes inside of
[   17.067827]  freed 128-byte region [fff00000c78c1400, fff00000c78c1480)
[   17.068017] 
[   17.068269] The buggy address belongs to the physical page:
[   17.068423] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078c1
[   17.068612] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.068816] page_type: f5(slab)
[   17.069146] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   17.069524] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   17.069696] page dumped because: kasan: bad access detected
[   17.069833] 
[   17.070009] Memory state around the buggy address:
[   17.070072]  fff00000c78c1300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.070447]  fff00000c78c1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.070585] >fff00000c78c1400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.070817]                    ^
[   17.070864]  fff00000c78c1480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.071037]  fff00000c78c1500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.071078] ==================================================================
Metadata Full log Test run details 

[   11.946893] ==================================================================
[   11.947292] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   11.947623] Read of size 1 at addr ffff8881029db700 by task kunit_try_catch/214
[   11.947868] 
[   11.947982] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   11.948023] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.948034] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.948054] Call Trace:
[   11.948066]  <TASK>
[   11.948082]  dump_stack_lvl+0x73/0xb0
[   11.948123]  print_report+0xd1/0x650
[   11.948145]  ? __virt_addr_valid+0x1db/0x2d0
[   11.948208]  ? ksize_uaf+0x5fe/0x6c0
[   11.948229]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.948250]  ? ksize_uaf+0x5fe/0x6c0
[   11.948270]  kasan_report+0x141/0x180
[   11.948291]  ? ksize_uaf+0x5fe/0x6c0
[   11.948316]  __asan_report_load1_noabort+0x18/0x20
[   11.948339]  ksize_uaf+0x5fe/0x6c0
[   11.948358]  ? __pfx_ksize_uaf+0x10/0x10
[   11.948378]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.948404]  ? __pfx_read_tsc+0x10/0x10
[   11.948425]  ? ktime_get_ts64+0x86/0x230
[   11.948449]  kunit_try_run_case+0x1a5/0x480
[   11.948471]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.948492]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.948514]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.948536]  ? __kthread_parkme+0x82/0x180
[   11.948556]  ? preempt_count_sub+0x50/0x80
[   11.948579]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.948601]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.948622]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.948644]  kthread+0x337/0x6f0
[   11.948663]  ? trace_preempt_on+0x20/0xc0
[   11.948698]  ? __pfx_kthread+0x10/0x10
[   11.948718]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.948738]  ? calculate_sigpending+0x7b/0xa0
[   11.948761]  ? __pfx_kthread+0x10/0x10
[   11.948782]  ret_from_fork+0x116/0x1d0
[   11.948799]  ? __pfx_kthread+0x10/0x10
[   11.948819]  ret_from_fork_asm+0x1a/0x30
[   11.948849]  </TASK>
[   11.948860] 
[   11.956306] Allocated by task 214:
[   11.956497]  kasan_save_stack+0x45/0x70
[   11.956698]  kasan_save_track+0x18/0x40
[   11.956891]  kasan_save_alloc_info+0x3b/0x50
[   11.957068]  __kasan_kmalloc+0xb7/0xc0
[   11.957361]  __kmalloc_cache_noprof+0x189/0x420
[   11.957529]  ksize_uaf+0xaa/0x6c0
[   11.957655]  kunit_try_run_case+0x1a5/0x480
[   11.957803]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.958000]  kthread+0x337/0x6f0
[   11.958174]  ret_from_fork+0x116/0x1d0
[   11.958509]  ret_from_fork_asm+0x1a/0x30
[   11.958712] 
[   11.958811] Freed by task 214:
[   11.958965]  kasan_save_stack+0x45/0x70
[   11.959330]  kasan_save_track+0x18/0x40
[   11.959538]  kasan_save_free_info+0x3f/0x60
[   11.959744]  __kasan_slab_free+0x56/0x70
[   11.959903]  kfree+0x222/0x3f0
[   11.960059]  ksize_uaf+0x12c/0x6c0
[   11.960284]  kunit_try_run_case+0x1a5/0x480
[   11.960562]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.960791]  kthread+0x337/0x6f0
[   11.960959]  ret_from_fork+0x116/0x1d0
[   11.961179]  ret_from_fork_asm+0x1a/0x30
[   11.961324] 
[   11.961440] The buggy address belongs to the object at ffff8881029db700
[   11.961440]  which belongs to the cache kmalloc-128 of size 128
[   11.961962] The buggy address is located 0 bytes inside of
[   11.961962]  freed 128-byte region [ffff8881029db700, ffff8881029db780)
[   11.962534] 
[   11.962621] The buggy address belongs to the physical page:
[   11.962822] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029db
[   11.963252] flags: 0x200000000000000(node=0|zone=2)
[   11.963481] page_type: f5(slab)
[   11.963622] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.963957] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.964438] page dumped because: kasan: bad access detected
[   11.964621] 
[   11.964693] Memory state around the buggy address:
[   11.964850]  ffff8881029db600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.965068]  ffff8881029db680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.965550] >ffff8881029db700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.966237]                    ^
[   11.966403]  ffff8881029db780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.966703]  ffff8881029db800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.966919] ==================================================================
[   11.926427] ==================================================================
[   11.926837] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   11.927059] Read of size 1 at addr ffff8881029db700 by task kunit_try_catch/214
[   11.927354] 
[   11.927457] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   11.927503] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.927514] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.927534] Call Trace:
[   11.927546]  <TASK>
[   11.927562]  dump_stack_lvl+0x73/0xb0
[   11.927589]  print_report+0xd1/0x650
[   11.927612]  ? __virt_addr_valid+0x1db/0x2d0
[   11.927635]  ? ksize_uaf+0x19d/0x6c0
[   11.927654]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.927675]  ? ksize_uaf+0x19d/0x6c0
[   11.927695]  kasan_report+0x141/0x180
[   11.927716]  ? ksize_uaf+0x19d/0x6c0
[   11.927739]  ? ksize_uaf+0x19d/0x6c0
[   11.927759]  __kasan_check_byte+0x3d/0x50
[   11.927780]  ksize+0x20/0x60
[   11.927801]  ksize_uaf+0x19d/0x6c0
[   11.927821]  ? __pfx_ksize_uaf+0x10/0x10
[   11.927841]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.927867]  ? __pfx_read_tsc+0x10/0x10
[   11.927888]  ? ktime_get_ts64+0x86/0x230
[   11.927913]  kunit_try_run_case+0x1a5/0x480
[   11.927936]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.927957]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.927981]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.928003]  ? __kthread_parkme+0x82/0x180
[   11.928023]  ? preempt_count_sub+0x50/0x80
[   11.928045]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.928067]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.928090]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.928124]  kthread+0x337/0x6f0
[   11.928143]  ? trace_preempt_on+0x20/0xc0
[   11.928167]  ? __pfx_kthread+0x10/0x10
[   11.928187]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.928207]  ? calculate_sigpending+0x7b/0xa0
[   11.928230]  ? __pfx_kthread+0x10/0x10
[   11.928250]  ret_from_fork+0x116/0x1d0
[   11.928277]  ? __pfx_kthread+0x10/0x10
[   11.928297]  ret_from_fork_asm+0x1a/0x30
[   11.928327]  </TASK>
[   11.928340] 
[   11.935688] Allocated by task 214:
[   11.935872]  kasan_save_stack+0x45/0x70
[   11.936051]  kasan_save_track+0x18/0x40
[   11.936362]  kasan_save_alloc_info+0x3b/0x50
[   11.936579]  __kasan_kmalloc+0xb7/0xc0
[   11.936717]  __kmalloc_cache_noprof+0x189/0x420
[   11.936908]  ksize_uaf+0xaa/0x6c0
[   11.937086]  kunit_try_run_case+0x1a5/0x480
[   11.937417]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.937645]  kthread+0x337/0x6f0
[   11.937893]  ret_from_fork+0x116/0x1d0
[   11.938033]  ret_from_fork_asm+0x1a/0x30
[   11.938268] 
[   11.938417] Freed by task 214:
[   11.938608]  kasan_save_stack+0x45/0x70
[   11.938796]  kasan_save_track+0x18/0x40
[   11.938935]  kasan_save_free_info+0x3f/0x60
[   11.939083]  __kasan_slab_free+0x56/0x70
[   11.939238]  kfree+0x222/0x3f0
[   11.939387]  ksize_uaf+0x12c/0x6c0
[   11.939562]  kunit_try_run_case+0x1a5/0x480
[   11.939776]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.940027]  kthread+0x337/0x6f0
[   11.940205]  ret_from_fork+0x116/0x1d0
[   11.940389]  ret_from_fork_asm+0x1a/0x30
[   11.940774] 
[   11.940881] The buggy address belongs to the object at ffff8881029db700
[   11.940881]  which belongs to the cache kmalloc-128 of size 128
[   11.941505] The buggy address is located 0 bytes inside of
[   11.941505]  freed 128-byte region [ffff8881029db700, ffff8881029db780)
[   11.941959] 
[   11.942060] The buggy address belongs to the physical page:
[   11.942348] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029db
[   11.942652] flags: 0x200000000000000(node=0|zone=2)
[   11.942819] page_type: f5(slab)
[   11.942943] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.943267] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.943603] page dumped because: kasan: bad access detected
[   11.943834] 
[   11.943905] Memory state around the buggy address:
[   11.944245]  ffff8881029db600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.944534]  ffff8881029db680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.944755] >ffff8881029db700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.945046]                    ^
[   11.945492]  ffff8881029db780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.945834]  ffff8881029db800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.946216] ==================================================================
[   11.967347] ==================================================================
[   11.967917] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   11.968281] Read of size 1 at addr ffff8881029db778 by task kunit_try_catch/214
[   11.968605] 
[   11.968713] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   11.968751] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.968762] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.968781] Call Trace:
[   11.968796]  <TASK>
[   11.968811]  dump_stack_lvl+0x73/0xb0
[   11.968836]  print_report+0xd1/0x650
[   11.968857]  ? __virt_addr_valid+0x1db/0x2d0
[   11.968878]  ? ksize_uaf+0x5e4/0x6c0
[   11.968897]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.968918]  ? ksize_uaf+0x5e4/0x6c0
[   11.968938]  kasan_report+0x141/0x180
[   11.968959]  ? ksize_uaf+0x5e4/0x6c0
[   11.968983]  __asan_report_load1_noabort+0x18/0x20
[   11.969006]  ksize_uaf+0x5e4/0x6c0
[   11.969026]  ? __pfx_ksize_uaf+0x10/0x10
[   11.969045]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.969069]  ? __pfx_read_tsc+0x10/0x10
[   11.969089]  ? ktime_get_ts64+0x86/0x230
[   11.969123]  kunit_try_run_case+0x1a5/0x480
[   11.969145]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.969165]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.969188]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.969209]  ? __kthread_parkme+0x82/0x180
[   11.969288]  ? preempt_count_sub+0x50/0x80
[   11.969312]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.969347]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.969369]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.969391]  kthread+0x337/0x6f0
[   11.969410]  ? trace_preempt_on+0x20/0xc0
[   11.969433]  ? __pfx_kthread+0x10/0x10
[   11.969453]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.969473]  ? calculate_sigpending+0x7b/0xa0
[   11.969495]  ? __pfx_kthread+0x10/0x10
[   11.969516]  ret_from_fork+0x116/0x1d0
[   11.969533]  ? __pfx_kthread+0x10/0x10
[   11.969553]  ret_from_fork_asm+0x1a/0x30
[   11.969583]  </TASK>
[   11.969593] 
[   11.977014] Allocated by task 214:
[   11.977243]  kasan_save_stack+0x45/0x70
[   11.977450]  kasan_save_track+0x18/0x40
[   11.977628]  kasan_save_alloc_info+0x3b/0x50
[   11.977839]  __kasan_kmalloc+0xb7/0xc0
[   11.978013]  __kmalloc_cache_noprof+0x189/0x420
[   11.978325]  ksize_uaf+0xaa/0x6c0
[   11.978467]  kunit_try_run_case+0x1a5/0x480
[   11.978673]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.978888]  kthread+0x337/0x6f0
[   11.979046]  ret_from_fork+0x116/0x1d0
[   11.979293]  ret_from_fork_asm+0x1a/0x30
[   11.979527] 
[   11.979613] Freed by task 214:
[   11.979768]  kasan_save_stack+0x45/0x70
[   11.979924]  kasan_save_track+0x18/0x40
[   11.980127]  kasan_save_free_info+0x3f/0x60
[   11.980323]  __kasan_slab_free+0x56/0x70
[   11.980490]  kfree+0x222/0x3f0
[   11.980608]  ksize_uaf+0x12c/0x6c0
[   11.980734]  kunit_try_run_case+0x1a5/0x480
[   11.980912]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.981166]  kthread+0x337/0x6f0
[   11.981382]  ret_from_fork+0x116/0x1d0
[   11.981530]  ret_from_fork_asm+0x1a/0x30
[   11.981671] 
[   11.981742] The buggy address belongs to the object at ffff8881029db700
[   11.981742]  which belongs to the cache kmalloc-128 of size 128
[   11.982100] The buggy address is located 120 bytes inside of
[   11.982100]  freed 128-byte region [ffff8881029db700, ffff8881029db780)
[   11.982554] 
[   11.982648] The buggy address belongs to the physical page:
[   11.982897] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029db
[   11.983256] flags: 0x200000000000000(node=0|zone=2)
[   11.983492] page_type: f5(slab)
[   11.983909] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.984172] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.984634] page dumped because: kasan: bad access detected
[   11.984891] 
[   11.984986] Memory state around the buggy address:
[   11.985289]  ffff8881029db600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.985605]  ffff8881029db680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.985882] >ffff8881029db700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.986237]                                                                 ^
[   11.986524]  ffff8881029db780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.986743]  ffff8881029db800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.987041] ==================================================================
Metadata Full log Test run details