Date: July 5, 2025, 5:09 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64 (Hardware name: linux,dummy-virt):

```
[ 18.494065] ==================================================================
[ 18.494138] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 18.494191] Read of size 1 at addr fff00000c77e8000 by task kunit_try_catch/196
[ 18.494247]
[ 18.494390] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 18.494636] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.494662] Hardware name: linux,dummy-virt (DT)
[ 18.494731] Call trace:
[ 18.494813]  show_stack+0x20/0x38 (C)
[ 18.494869]  dump_stack_lvl+0x8c/0xd0
[ 18.495207]  print_report+0x118/0x608
[ 18.495268]  kasan_report+0xdc/0x128
[ 18.495433]  __kasan_check_byte+0x54/0x70
[ 18.495659]  ksize+0x30/0x88
[ 18.495757]  ksize_uaf+0x168/0x5f8
[ 18.495811]  kunit_try_run_case+0x170/0x3f0
[ 18.495878]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.495999]  kthread+0x328/0x630
[ 18.496052]  ret_from_fork+0x10/0x20
[ 18.496098]
[ 18.496116] Allocated by task 196:
[ 18.496391]  kasan_save_stack+0x3c/0x68
[ 18.496505]  kasan_save_track+0x20/0x40
[ 18.496561]  kasan_save_alloc_info+0x40/0x58
[ 18.496798]  __kasan_kmalloc+0xd4/0xd8
[ 18.496883]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.496956]  ksize_uaf+0xb8/0x5f8
[ 18.497105]  kunit_try_run_case+0x170/0x3f0
[ 18.497150]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.497503]  kthread+0x328/0x630
[ 18.497554]  ret_from_fork+0x10/0x20
[ 18.497592]
[ 18.497613] Freed by task 196:
[ 18.497685]  kasan_save_stack+0x3c/0x68
[ 18.497763]  kasan_save_track+0x20/0x40
[ 18.497800]  kasan_save_free_info+0x4c/0x78
[ 18.497842]  __kasan_slab_free+0x6c/0x98
[ 18.497889]  kfree+0x214/0x3c8
[ 18.497924]  ksize_uaf+0x11c/0x5f8
[ 18.497957]  kunit_try_run_case+0x170/0x3f0
[ 18.498035]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.498278]  kthread+0x328/0x630
[ 18.498311]  ret_from_fork+0x10/0x20
[ 18.498346]
[ 18.498410] The buggy address belongs to the object at fff00000c77e8000
[ 18.498410]  which belongs to the cache kmalloc-128 of size 128
[ 18.498654] The buggy address is located 0 bytes inside of
[ 18.498654]  freed 128-byte region [fff00000c77e8000, fff00000c77e8080)
[ 18.498713]
[ 18.498739] The buggy address belongs to the physical page:
[ 18.498815] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077e8
[ 18.498877] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.498925] page_type: f5(slab)
[ 18.498963] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 18.499147] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.499467] page dumped because: kasan: bad access detected
[ 18.499503]
[ 18.499521] Memory state around the buggy address:
[ 18.499613]  fff00000c77e7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.499671]  fff00000c77e7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.499727] >fff00000c77e8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.500085]                    ^
[ 18.500120]  fff00000c77e8080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.500163]  fff00000c77e8100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.500224] ==================================================================
[ 18.501853] ==================================================================
[ 18.502034] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 18.502078] Read of size 1 at addr fff00000c77e8000 by task kunit_try_catch/196
[ 18.502128]
[ 18.502158] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 18.502243] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.502408] Hardware name: linux,dummy-virt (DT)
[ 18.502445] Call trace:
[ 18.502516]  show_stack+0x20/0x38 (C)
[ 18.502580]  dump_stack_lvl+0x8c/0xd0
[ 18.502629]  print_report+0x118/0x608
[ 18.502827]  kasan_report+0xdc/0x128
[ 18.502881]  __asan_report_load1_noabort+0x20/0x30
[ 18.502932]  ksize_uaf+0x598/0x5f8
[ 18.502975]  kunit_try_run_case+0x170/0x3f0
[ 18.503319]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.503378]  kthread+0x328/0x630
[ 18.503426]  ret_from_fork+0x10/0x20
[ 18.503592]
[ 18.503749] Allocated by task 196:
[ 18.503847]  kasan_save_stack+0x3c/0x68
[ 18.503930]  kasan_save_track+0x20/0x40
[ 18.503968]  kasan_save_alloc_info+0x40/0x58
[ 18.504035]  __kasan_kmalloc+0xd4/0xd8
[ 18.504221]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.504306]  ksize_uaf+0xb8/0x5f8
[ 18.504368]  kunit_try_run_case+0x170/0x3f0
[ 18.504442]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.504503]  kthread+0x328/0x630
[ 18.504536]  ret_from_fork+0x10/0x20
[ 18.504590]
[ 18.504650] Freed by task 196:
[ 18.504677]  kasan_save_stack+0x3c/0x68
[ 18.504716]  kasan_save_track+0x20/0x40
[ 18.504754]  kasan_save_free_info+0x4c/0x78
[ 18.504831]  __kasan_slab_free+0x6c/0x98
[ 18.505050]  kfree+0x214/0x3c8
[ 18.505083]  ksize_uaf+0x11c/0x5f8
[ 18.505194]  kunit_try_run_case+0x170/0x3f0
[ 18.505314]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.505393]  kthread+0x328/0x630
[ 18.505426]  ret_from_fork+0x10/0x20
[ 18.505462]
[ 18.505487] The buggy address belongs to the object at fff00000c77e8000
[ 18.505487]  which belongs to the cache kmalloc-128 of size 128
[ 18.505590] The buggy address is located 0 bytes inside of
[ 18.505590]  freed 128-byte region [fff00000c77e8000, fff00000c77e8080)
[ 18.505649]
[ 18.505668] The buggy address belongs to the physical page:
[ 18.505723] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077e8
[ 18.505802] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.506438] page_type: f5(slab)
[ 18.506879] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 18.506937] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.506976] page dumped because: kasan: bad access detected
[ 18.507009]
[ 18.507027] Memory state around the buggy address:
[ 18.507060]  fff00000c77e7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.507104]  fff00000c77e7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.507147] >fff00000c77e8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.507673]                    ^
[ 18.507707]  fff00000c77e8080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.507751]  fff00000c77e8100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.507836] ==================================================================
[ 18.509135] ==================================================================
[ 18.509691] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 18.509763] Read of size 1 at addr fff00000c77e8078 by task kunit_try_catch/196
[ 18.509902]
[ 18.509930] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 18.510008] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.510035] Hardware name: linux,dummy-virt (DT)
[ 18.510065] Call trace:
[ 18.510085]  show_stack+0x20/0x38 (C)
[ 18.510560]  dump_stack_lvl+0x8c/0xd0
[ 18.510747]  print_report+0x118/0x608
[ 18.511069]  kasan_report+0xdc/0x128
[ 18.511442]  __asan_report_load1_noabort+0x20/0x30
[ 18.511498]  ksize_uaf+0x544/0x5f8
[ 18.511587]  kunit_try_run_case+0x170/0x3f0
[ 18.511653]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.511705]  kthread+0x328/0x630
[ 18.511873]  ret_from_fork+0x10/0x20
[ 18.511920]
[ 18.511938] Allocated by task 196:
[ 18.511966]  kasan_save_stack+0x3c/0x68
[ 18.512154]  kasan_save_track+0x20/0x40
[ 18.512195]  kasan_save_alloc_info+0x40/0x58
[ 18.512244]  __kasan_kmalloc+0xd4/0xd8
[ 18.512381]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.512421]  ksize_uaf+0xb8/0x5f8
[ 18.512464]  kunit_try_run_case+0x170/0x3f0
[ 18.512794]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.512837]  kthread+0x328/0x630
[ 18.512879]  ret_from_fork+0x10/0x20
[ 18.512916]
[ 18.512934] Freed by task 196:
[ 18.512960]  kasan_save_stack+0x3c/0x68
[ 18.513055]  kasan_save_track+0x20/0x40
[ 18.513224]  kasan_save_free_info+0x4c/0x78
[ 18.513413]  __kasan_slab_free+0x6c/0x98
[ 18.513456]  kfree+0x214/0x3c8
[ 18.513531]  ksize_uaf+0x11c/0x5f8
[ 18.513593]  kunit_try_run_case+0x170/0x3f0
[ 18.513697]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.513791]  kthread+0x328/0x630
[ 18.513824]  ret_from_fork+0x10/0x20
[ 18.513877]
[ 18.513895] The buggy address belongs to the object at fff00000c77e8000
[ 18.513895]  which belongs to the cache kmalloc-128 of size 128
[ 18.514138] The buggy address is located 120 bytes inside of
[ 18.514138]  freed 128-byte region [fff00000c77e8000, fff00000c77e8080)
[ 18.514319]
[ 18.514409] The buggy address belongs to the physical page:
[ 18.514492] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077e8
[ 18.514566] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.514612] page_type: f5(slab)
[ 18.514732] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 18.514789] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 18.514829] page dumped because: kasan: bad access detected
[ 18.514869]
[ 18.514886] Memory state around the buggy address:
[ 18.514919]  fff00000c77e7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.514961]  fff00000c77e7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.515547] >fff00000c77e8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.515587]                                                                 ^
[ 18.515627]  fff00000c77e8080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.515667]  fff00000c77e8100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.515705] ==================================================================
```
qemu-x86_64 (Hardware name: QEMU Standard PC):

```
[ 12.111675] ==================================================================
[ 12.112000] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 12.112463] Read of size 1 at addr ffff8881031a0678 by task kunit_try_catch/214
[ 12.112893]
[ 12.112996] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 12.113038] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.113050] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.113070] Call Trace:
[ 12.113083]  <TASK>
[ 12.113098]  dump_stack_lvl+0x73/0xb0
[ 12.113146]  print_report+0xd1/0x650
[ 12.113168]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.113205]  ? ksize_uaf+0x5e4/0x6c0
[ 12.113224]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.113367]  ? ksize_uaf+0x5e4/0x6c0
[ 12.113400]  kasan_report+0x141/0x180
[ 12.113422]  ? ksize_uaf+0x5e4/0x6c0
[ 12.113447]  __asan_report_load1_noabort+0x18/0x20
[ 12.113484]  ksize_uaf+0x5e4/0x6c0
[ 12.113504]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.113525]  ? __schedule+0x10cc/0x2b60
[ 12.113571]  ? __pfx_read_tsc+0x10/0x10
[ 12.113591]  ? ktime_get_ts64+0x86/0x230
[ 12.113614]  kunit_try_run_case+0x1a5/0x480
[ 12.113637]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.113658]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.113680]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.113702]  ? __kthread_parkme+0x82/0x180
[ 12.113736]  ? preempt_count_sub+0x50/0x80
[ 12.113758]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.113780]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.113803]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.113827]  kthread+0x337/0x6f0
[ 12.113846]  ? trace_preempt_on+0x20/0xc0
[ 12.113869]  ? __pfx_kthread+0x10/0x10
[ 12.113905]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.113925]  ? calculate_sigpending+0x7b/0xa0
[ 12.113961]  ? __pfx_kthread+0x10/0x10
[ 12.113982]  ret_from_fork+0x116/0x1d0
[ 12.113999]  ? __pfx_kthread+0x10/0x10
[ 12.114033]  ret_from_fork_asm+0x1a/0x30
[ 12.114075]  </TASK>
[ 12.114086]
[ 12.123011] Allocated by task 214:
[ 12.123217]  kasan_save_stack+0x45/0x70
[ 12.123463]  kasan_save_track+0x18/0x40
[ 12.123694]  kasan_save_alloc_info+0x3b/0x50
[ 12.124001]  __kasan_kmalloc+0xb7/0xc0
[ 12.124226]  __kmalloc_cache_noprof+0x189/0x420
[ 12.124495]  ksize_uaf+0xaa/0x6c0
[ 12.124724]  kunit_try_run_case+0x1a5/0x480
[ 12.124930]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.125159]  kthread+0x337/0x6f0
[ 12.125280]  ret_from_fork+0x116/0x1d0
[ 12.125584]  ret_from_fork_asm+0x1a/0x30
[ 12.126020]
[ 12.126142] Freed by task 214:
[ 12.126477]  kasan_save_stack+0x45/0x70
[ 12.126699]  kasan_save_track+0x18/0x40
[ 12.126912]  kasan_save_free_info+0x3f/0x60
[ 12.127136]  __kasan_slab_free+0x56/0x70
[ 12.127481]  kfree+0x222/0x3f0
[ 12.127647]  ksize_uaf+0x12c/0x6c0
[ 12.127826]  kunit_try_run_case+0x1a5/0x480
[ 12.127976]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.128151]  kthread+0x337/0x6f0
[ 12.128517]  ret_from_fork+0x116/0x1d0
[ 12.128738]  ret_from_fork_asm+0x1a/0x30
[ 12.128969]
[ 12.129083] The buggy address belongs to the object at ffff8881031a0600
[ 12.129083]  which belongs to the cache kmalloc-128 of size 128
[ 12.129898] The buggy address is located 120 bytes inside of
[ 12.129898]  freed 128-byte region [ffff8881031a0600, ffff8881031a0680)
[ 12.130277]
[ 12.130351] The buggy address belongs to the physical page:
[ 12.130675] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1031a0
[ 12.131094] flags: 0x200000000000000(node=0|zone=2)
[ 12.131606] page_type: f5(slab)
[ 12.131760] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.132277] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.132526] page dumped because: kasan: bad access detected
[ 12.132717]
[ 12.132813] Memory state around the buggy address:
[ 12.133078]  ffff8881031a0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.133818]  ffff8881031a0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.134143] >ffff8881031a0600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.134562]                                                                 ^
[ 12.134853]  ffff8881031a0680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.135086]  ffff8881031a0700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.135427] ==================================================================
[ 12.055044] ==================================================================
[ 12.056268] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 12.056512] Read of size 1 at addr ffff8881031a0600 by task kunit_try_catch/214
[ 12.056743]
[ 12.056834] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 12.056877] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.056888] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.056909] Call Trace:
[ 12.056922]  <TASK>
[ 12.056938]  dump_stack_lvl+0x73/0xb0
[ 12.056965]  print_report+0xd1/0x650
[ 12.056986]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.057007]  ? ksize_uaf+0x19d/0x6c0
[ 12.057026]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.057047]  ? ksize_uaf+0x19d/0x6c0
[ 12.057067]  kasan_report+0x141/0x180
[ 12.057088]  ? ksize_uaf+0x19d/0x6c0
[ 12.057111]  ? ksize_uaf+0x19d/0x6c0
[ 12.057132]  __kasan_check_byte+0x3d/0x50
[ 12.057153]  ksize+0x20/0x60
[ 12.057173]  ksize_uaf+0x19d/0x6c0
[ 12.057193]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.057213]  ? __schedule+0x10cc/0x2b60
[ 12.057234]  ? __pfx_read_tsc+0x10/0x10
[ 12.057255]  ? ktime_get_ts64+0x86/0x230
[ 12.057278]  kunit_try_run_case+0x1a5/0x480
[ 12.057301]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.057322]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.057345]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.057367]  ? __kthread_parkme+0x82/0x180
[ 12.057391]  ? preempt_count_sub+0x50/0x80
[ 12.057413]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.057436]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.057466]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.057487]  kthread+0x337/0x6f0
[ 12.057506]  ? trace_preempt_on+0x20/0xc0
[ 12.057527]  ? __pfx_kthread+0x10/0x10
[ 12.057547]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.057567]  ? calculate_sigpending+0x7b/0xa0
[ 12.057589]  ? __pfx_kthread+0x10/0x10
[ 12.057609]  ret_from_fork+0x116/0x1d0
[ 12.057627]  ? __pfx_kthread+0x10/0x10
[ 12.057646]  ret_from_fork_asm+0x1a/0x30
[ 12.057676]  </TASK>
[ 12.057686]
[ 12.071599] Allocated by task 214:
[ 12.071966]  kasan_save_stack+0x45/0x70
[ 12.072435]  kasan_save_track+0x18/0x40
[ 12.072846]  kasan_save_alloc_info+0x3b/0x50
[ 12.073303]  __kasan_kmalloc+0xb7/0xc0
[ 12.073619]  __kmalloc_cache_noprof+0x189/0x420
[ 12.073983]  ksize_uaf+0xaa/0x6c0
[ 12.074371]  kunit_try_run_case+0x1a5/0x480
[ 12.074651]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.074939]  kthread+0x337/0x6f0
[ 12.075381]  ret_from_fork+0x116/0x1d0
[ 12.075629]  ret_from_fork_asm+0x1a/0x30
[ 12.075925]
[ 12.076105] Freed by task 214:
[ 12.076476]  kasan_save_stack+0x45/0x70
[ 12.076856]  kasan_save_track+0x18/0x40
[ 12.077036]  kasan_save_free_info+0x3f/0x60
[ 12.077181]  __kasan_slab_free+0x56/0x70
[ 12.077656]  kfree+0x222/0x3f0
[ 12.078014]  ksize_uaf+0x12c/0x6c0
[ 12.078417]  kunit_try_run_case+0x1a5/0x480
[ 12.078861]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.079152]  kthread+0x337/0x6f0
[ 12.079436]  ret_from_fork+0x116/0x1d0
[ 12.079891]  ret_from_fork_asm+0x1a/0x30
[ 12.080259]
[ 12.080503] The buggy address belongs to the object at ffff8881031a0600
[ 12.080503]  which belongs to the cache kmalloc-128 of size 128
[ 12.081035] The buggy address is located 0 bytes inside of
[ 12.081035]  freed 128-byte region [ffff8881031a0600, ffff8881031a0680)
[ 12.081410]
[ 12.081489] The buggy address belongs to the physical page:
[ 12.082052] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1031a0
[ 12.082416] flags: 0x200000000000000(node=0|zone=2)
[ 12.082679] page_type: f5(slab)
[ 12.082855] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.083147] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.083755] page dumped because: kasan: bad access detected
[ 12.084085]
[ 12.084217] Memory state around the buggy address:
[ 12.084546]  ffff8881031a0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.084903]  ffff8881031a0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.085190] >ffff8881031a0600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.085492]                    ^
[ 12.085632]  ffff8881031a0680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.086100]  ffff8881031a0700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.086418] ==================================================================
[ 12.087110] ==================================================================
[ 12.087514] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 12.088079] Read of size 1 at addr ffff8881031a0600 by task kunit_try_catch/214
[ 12.088533]
[ 12.088642] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 12.088683] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.088694] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.088714] Call Trace:
[ 12.088729]  <TASK>
[ 12.088743]  dump_stack_lvl+0x73/0xb0
[ 12.088956]  print_report+0xd1/0x650
[ 12.088983]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.089005]  ? ksize_uaf+0x5fe/0x6c0
[ 12.089025]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.089045]  ? ksize_uaf+0x5fe/0x6c0
[ 12.089066]  kasan_report+0x141/0x180
[ 12.089107]  ? ksize_uaf+0x5fe/0x6c0
[ 12.089132]  __asan_report_load1_noabort+0x18/0x20
[ 12.089156]  ksize_uaf+0x5fe/0x6c0
[ 12.089193]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.089214]  ? __schedule+0x10cc/0x2b60
[ 12.089235]  ? __pfx_read_tsc+0x10/0x10
[ 12.089257]  ? ktime_get_ts64+0x86/0x230
[ 12.089354]  kunit_try_run_case+0x1a5/0x480
[ 12.089390]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.089411]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.089433]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.089466]  ? __kthread_parkme+0x82/0x180
[ 12.089510]  ? preempt_count_sub+0x50/0x80
[ 12.089532]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.089555]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.089576]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.089598]  kthread+0x337/0x6f0
[ 12.089616]  ? trace_preempt_on+0x20/0xc0
[ 12.089639]  ? __pfx_kthread+0x10/0x10
[ 12.089677]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.089697]  ? calculate_sigpending+0x7b/0xa0
[ 12.089719]  ? __pfx_kthread+0x10/0x10
[ 12.089739]  ret_from_fork+0x116/0x1d0
[ 12.089757]  ? __pfx_kthread+0x10/0x10
[ 12.089776]  ret_from_fork_asm+0x1a/0x30
[ 12.089806]  </TASK>
[ 12.089817]
[ 12.097987] Allocated by task 214:
[ 12.098173]  kasan_save_stack+0x45/0x70
[ 12.098348]  kasan_save_track+0x18/0x40
[ 12.098497]  kasan_save_alloc_info+0x3b/0x50
[ 12.098648]  __kasan_kmalloc+0xb7/0xc0
[ 12.098986]  __kmalloc_cache_noprof+0x189/0x420
[ 12.099523]  ksize_uaf+0xaa/0x6c0
[ 12.099749]  kunit_try_run_case+0x1a5/0x480
[ 12.099959]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.100284]  kthread+0x337/0x6f0
[ 12.100438]  ret_from_fork+0x116/0x1d0
[ 12.100585]  ret_from_fork_asm+0x1a/0x30
[ 12.100725]
[ 12.100811] Freed by task 214:
[ 12.100989]  kasan_save_stack+0x45/0x70
[ 12.101246]  kasan_save_track+0x18/0x40
[ 12.101644]  kasan_save_free_info+0x3f/0x60
[ 12.102073]  __kasan_slab_free+0x56/0x70
[ 12.102441]  kfree+0x222/0x3f0
[ 12.102630]  ksize_uaf+0x12c/0x6c0
[ 12.102911]  kunit_try_run_case+0x1a5/0x480
[ 12.103128]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.103595]  kthread+0x337/0x6f0
[ 12.103796]  ret_from_fork+0x116/0x1d0
[ 12.103933]  ret_from_fork_asm+0x1a/0x30
[ 12.104072]
[ 12.104146] The buggy address belongs to the object at ffff8881031a0600
[ 12.104146]  which belongs to the cache kmalloc-128 of size 128
[ 12.105127] The buggy address is located 0 bytes inside of
[ 12.105127]  freed 128-byte region [ffff8881031a0600, ffff8881031a0680)
[ 12.106149]
[ 12.106257] The buggy address belongs to the physical page:
[ 12.106467] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1031a0
[ 12.106711] flags: 0x200000000000000(node=0|zone=2)
[ 12.107074] page_type: f5(slab)
[ 12.107371] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.107739] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.108121] page dumped because: kasan: bad access detected
[ 12.108476]
[ 12.108591] Memory state around the buggy address:
[ 12.108813]  ffff8881031a0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.109064]  ffff8881031a0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.109688] >ffff8881031a0600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.110039]                    ^
[ 12.110214]  ffff8881031a0680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.110660]  ffff8881031a0700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.111056] ==================================================================
```