Date: July 9, 2025, 12:11 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 19.964956] ==================================================================
[ 19.965027] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 19.965106] Read of size 1 at addr fff00000c64b5378 by task kunit_try_catch/197
[ 19.965162]
[ 19.965200] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 19.965313] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.965339] Hardware name: linux,dummy-virt (DT)
[ 19.965389] Call trace:
[ 19.965444] show_stack+0x20/0x38 (C)
[ 19.965551] dump_stack_lvl+0x8c/0xd0
[ 19.965606] print_report+0x118/0x608
[ 19.965663] kasan_report+0xdc/0x128
[ 19.965711] __asan_report_load1_noabort+0x20/0x30
[ 19.965762] ksize_uaf+0x544/0x5f8
[ 19.966058] kunit_try_run_case+0x170/0x3f0
[ 19.966115] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.966169] kthread+0x328/0x630
[ 19.966229] ret_from_fork+0x10/0x20
[ 19.966285]
[ 19.966305] Allocated by task 197:
[ 19.966386] kasan_save_stack+0x3c/0x68
[ 19.966440] kasan_save_track+0x20/0x40
[ 19.966496] kasan_save_alloc_info+0x40/0x58
[ 19.966559] __kasan_kmalloc+0xd4/0xd8
[ 19.966633] __kmalloc_cache_noprof+0x16c/0x3c0
[ 19.966701] ksize_uaf+0xb8/0x5f8
[ 19.966748] kunit_try_run_case+0x170/0x3f0
[ 19.966788] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.966833] kthread+0x328/0x630
[ 19.966873] ret_from_fork+0x10/0x20
[ 19.966910]
[ 19.966939] Freed by task 197:
[ 19.966967] kasan_save_stack+0x3c/0x68
[ 19.967004] kasan_save_track+0x20/0x40
[ 19.967043] kasan_save_free_info+0x4c/0x78
[ 19.967083] __kasan_slab_free+0x6c/0x98
[ 19.967121] kfree+0x214/0x3c8
[ 19.967158] ksize_uaf+0x11c/0x5f8
[ 19.967192] kunit_try_run_case+0x170/0x3f0
[ 19.967240] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.967285] kthread+0x328/0x630
[ 19.967322] ret_from_fork+0x10/0x20
[ 19.967367]
[ 19.967386] The buggy address belongs to the object at fff00000c64b5300
[ 19.967386] which belongs to the cache kmalloc-128 of size 128
[ 19.967453] The buggy address is located 120 bytes inside of
[ 19.967453] freed 128-byte region [fff00000c64b5300, fff00000c64b5380)
[ 19.967515]
[ 19.967534] The buggy address belongs to the physical page:
[ 19.967565] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1064b5
[ 19.967617] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.967665] page_type: f5(slab)
[ 19.967703] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 19.967753] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.967793] page dumped because: kasan: bad access detected
[ 19.967824]
[ 19.967860] Memory state around the buggy address:
[ 19.967911] fff00000c64b5200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.967955] fff00000c64b5280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.968004] >fff00000c64b5300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.968110] ^
[ 19.968184] fff00000c64b5380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.968228] fff00000c64b5400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.968291] ==================================================================
[ 19.959346] ==================================================================
[ 19.959445] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 19.959511] Read of size 1 at addr fff00000c64b5300 by task kunit_try_catch/197
[ 19.959578]
[ 19.959607] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 19.959692] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.959719] Hardware name: linux,dummy-virt (DT)
[ 19.959751] Call trace:
[ 19.960054] show_stack+0x20/0x38 (C)
[ 19.960104] dump_stack_lvl+0x8c/0xd0
[ 19.960184] print_report+0x118/0x608
[ 19.960251] kasan_report+0xdc/0x128
[ 19.960314] __asan_report_load1_noabort+0x20/0x30
[ 19.960377] ksize_uaf+0x598/0x5f8
[ 19.960431] kunit_try_run_case+0x170/0x3f0
[ 19.960479] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.960533] kthread+0x328/0x630
[ 19.960577] ret_from_fork+0x10/0x20
[ 19.960625]
[ 19.960643] Allocated by task 197:
[ 19.960671] kasan_save_stack+0x3c/0x68
[ 19.960712] kasan_save_track+0x20/0x40
[ 19.960751] kasan_save_alloc_info+0x40/0x58
[ 19.961090] __kasan_kmalloc+0xd4/0xd8
[ 19.961167] __kmalloc_cache_noprof+0x16c/0x3c0
[ 19.961277] ksize_uaf+0xb8/0x5f8
[ 19.961326] kunit_try_run_case+0x170/0x3f0
[ 19.961425] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.961543] kthread+0x328/0x630
[ 19.961604] ret_from_fork+0x10/0x20
[ 19.961723]
[ 19.961761] Freed by task 197:
[ 19.961787] kasan_save_stack+0x3c/0x68
[ 19.961851] kasan_save_track+0x20/0x40
[ 19.962157] kasan_save_free_info+0x4c/0x78
[ 19.962226] __kasan_slab_free+0x6c/0x98
[ 19.962361] kfree+0x214/0x3c8
[ 19.962428] ksize_uaf+0x11c/0x5f8
[ 19.962543] kunit_try_run_case+0x170/0x3f0
[ 19.962622] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.962696] kthread+0x328/0x630
[ 19.962787] ret_from_fork+0x10/0x20
[ 19.962857]
[ 19.962908] The buggy address belongs to the object at fff00000c64b5300
[ 19.962908] which belongs to the cache kmalloc-128 of size 128
[ 19.963037] The buggy address is located 0 bytes inside of
[ 19.963037] freed 128-byte region [fff00000c64b5300, fff00000c64b5380)
[ 19.963111]
[ 19.963131] The buggy address belongs to the physical page:
[ 19.963163] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1064b5
[ 19.963497] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.963584] page_type: f5(slab)
[ 19.963667] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 19.963743] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.963855] page dumped because: kasan: bad access detected
[ 19.963923]
[ 19.963982] Memory state around the buggy address:
[ 19.964063] fff00000c64b5200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.964134] fff00000c64b5280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.964187] >fff00000c64b5300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.964231] ^
[ 19.964271] fff00000c64b5380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.964315] fff00000c64b5400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.964353] ==================================================================
[ 19.955252] ==================================================================
[ 19.955312] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 19.955597] Read of size 1 at addr fff00000c64b5300 by task kunit_try_catch/197
[ 19.955649]
[ 19.955679] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 19.955769] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.955797] Hardware name: linux,dummy-virt (DT)
[ 19.955844] Call trace:
[ 19.955883] show_stack+0x20/0x38 (C)
[ 19.955934] dump_stack_lvl+0x8c/0xd0
[ 19.955981] print_report+0x118/0x608
[ 19.956030] kasan_report+0xdc/0x128
[ 19.956150] __kasan_check_byte+0x54/0x70
[ 19.956236] ksize+0x30/0x88
[ 19.956368] ksize_uaf+0x168/0x5f8
[ 19.956434] kunit_try_run_case+0x170/0x3f0
[ 19.956484] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.956538] kthread+0x328/0x630
[ 19.956601] ret_from_fork+0x10/0x20
[ 19.956650]
[ 19.956668] Allocated by task 197:
[ 19.956697] kasan_save_stack+0x3c/0x68
[ 19.956739] kasan_save_track+0x20/0x40
[ 19.956778] kasan_save_alloc_info+0x40/0x58
[ 19.956819] __kasan_kmalloc+0xd4/0xd8
[ 19.956856] __kmalloc_cache_noprof+0x16c/0x3c0
[ 19.956897] ksize_uaf+0xb8/0x5f8
[ 19.956934] kunit_try_run_case+0x170/0x3f0
[ 19.957026] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.957108] kthread+0x328/0x630
[ 19.957166] ret_from_fork+0x10/0x20
[ 19.957221]
[ 19.957283] Freed by task 197:
[ 19.957423] kasan_save_stack+0x3c/0x68
[ 19.957500] kasan_save_track+0x20/0x40
[ 19.957608] kasan_save_free_info+0x4c/0x78
[ 19.957661] __kasan_slab_free+0x6c/0x98
[ 19.957701] kfree+0x214/0x3c8
[ 19.957735] ksize_uaf+0x11c/0x5f8
[ 19.957771] kunit_try_run_case+0x170/0x3f0
[ 19.957819] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.957864] kthread+0x328/0x630
[ 19.957897] ret_from_fork+0x10/0x20
[ 19.957941]
[ 19.957961] The buggy address belongs to the object at fff00000c64b5300
[ 19.957961] which belongs to the cache kmalloc-128 of size 128
[ 19.958027] The buggy address is located 0 bytes inside of
[ 19.958027] freed 128-byte region [fff00000c64b5300, fff00000c64b5380)
[ 19.958099]
[ 19.958119] The buggy address belongs to the physical page:
[ 19.958159] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1064b5
[ 19.958219] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.958268] page_type: f5(slab)
[ 19.958315] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 19.958376] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 19.958426] page dumped because: kasan: bad access detected
[ 19.958457]
[ 19.958475] Memory state around the buggy address:
[ 19.958507] fff00000c64b5200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.958550] fff00000c64b5280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.958593] >fff00000c64b5300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 19.958631] ^
[ 19.958657] fff00000c64b5380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.958700] fff00000c64b5400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.958739] ==================================================================
```
qemu-x86_64:

```text
[ 13.129371] ==================================================================
[ 13.129829] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 13.130336] Read of size 1 at addr ffff888102a9ed00 by task kunit_try_catch/213
[ 13.130923]
[ 13.131319] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 13.131371] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.131383] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.131405] Call Trace:
[ 13.131417] <TASK>
[ 13.131436] dump_stack_lvl+0x73/0xb0
[ 13.131471] print_report+0xd1/0x650
[ 13.131494] ? __virt_addr_valid+0x1db/0x2d0
[ 13.131611] ? ksize_uaf+0x19d/0x6c0
[ 13.131633] ? kasan_complete_mode_report_info+0x64/0x200
[ 13.131656] ? ksize_uaf+0x19d/0x6c0
[ 13.131677] kasan_report+0x141/0x180
[ 13.131699] ? ksize_uaf+0x19d/0x6c0
[ 13.131722] ? ksize_uaf+0x19d/0x6c0
[ 13.131742] __kasan_check_byte+0x3d/0x50
[ 13.131764] ksize+0x20/0x60
[ 13.131785] ksize_uaf+0x19d/0x6c0
[ 13.131805] ? __pfx_ksize_uaf+0x10/0x10
[ 13.131827] ? __schedule+0x10cc/0x2b60
[ 13.131850] ? __pfx_read_tsc+0x10/0x10
[ 13.131872] ? ktime_get_ts64+0x86/0x230
[ 13.131898] kunit_try_run_case+0x1a5/0x480
[ 13.131937] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.132301] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.132334] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.132358] ? __kthread_parkme+0x82/0x180
[ 13.132380] ? preempt_count_sub+0x50/0x80
[ 13.132405] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.132431] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.132456] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.132481] kthread+0x337/0x6f0
[ 13.132500] ? trace_preempt_on+0x20/0xc0
[ 13.132525] ? __pfx_kthread+0x10/0x10
[ 13.132545] ? _raw_spin_unlock_irq+0x47/0x80
[ 13.132566] ? calculate_sigpending+0x7b/0xa0
[ 13.132591] ? __pfx_kthread+0x10/0x10
[ 13.132612] ret_from_fork+0x116/0x1d0
[ 13.132631] ? __pfx_kthread+0x10/0x10
[ 13.132651] ret_from_fork_asm+0x1a/0x30
[ 13.132683] </TASK>
[ 13.132694]
[ 13.144640] Allocated by task 213:
[ 13.144942] kasan_save_stack+0x45/0x70
[ 13.145189] kasan_save_track+0x18/0x40
[ 13.145782] kasan_save_alloc_info+0x3b/0x50
[ 13.146046] __kasan_kmalloc+0xb7/0xc0
[ 13.146522] __kmalloc_cache_noprof+0x189/0x420
[ 13.146759] ksize_uaf+0xaa/0x6c0
[ 13.147114] kunit_try_run_case+0x1a5/0x480
[ 13.147516] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.147781] kthread+0x337/0x6f0
[ 13.148122] ret_from_fork+0x116/0x1d0
[ 13.148602] ret_from_fork_asm+0x1a/0x30
[ 13.148799]
[ 13.148888] Freed by task 213:
[ 13.149359] kasan_save_stack+0x45/0x70
[ 13.149549] kasan_save_track+0x18/0x40
[ 13.150019] kasan_save_free_info+0x3f/0x60
[ 13.150221] __kasan_slab_free+0x56/0x70
[ 13.150541] kfree+0x222/0x3f0
[ 13.150726] ksize_uaf+0x12c/0x6c0
[ 13.151134] kunit_try_run_case+0x1a5/0x480
[ 13.151471] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.151729] kthread+0x337/0x6f0
[ 13.151900] ret_from_fork+0x116/0x1d0
[ 13.152440] ret_from_fork_asm+0x1a/0x30
[ 13.152654]
[ 13.152898] The buggy address belongs to the object at ffff888102a9ed00
[ 13.152898] which belongs to the cache kmalloc-128 of size 128
[ 13.154095] The buggy address is located 0 bytes inside of
[ 13.154095] freed 128-byte region [ffff888102a9ed00, ffff888102a9ed80)
[ 13.154834]
[ 13.155151] The buggy address belongs to the physical page:
[ 13.155514] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a9e
[ 13.155849] flags: 0x200000000000000(node=0|zone=2)
[ 13.156294] page_type: f5(slab)
[ 13.156643] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 13.157208] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 13.157756] page dumped because: kasan: bad access detected
[ 13.158024]
[ 13.158352] Memory state around the buggy address:
[ 13.158596] ffff888102a9ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.158854] ffff888102a9ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.159574] >ffff888102a9ed00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.159851] ^
[ 13.160067] ffff888102a9ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.160588] ffff888102a9ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.160987] ==================================================================
[ 13.194153] ==================================================================
[ 13.194649] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 13.194908] Read of size 1 at addr ffff888102a9ed78 by task kunit_try_catch/213
[ 13.195416]
[ 13.195529] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 13.195574] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.195597] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.195617] Call Trace:
[ 13.195636] <TASK>
[ 13.195655] dump_stack_lvl+0x73/0xb0
[ 13.195687] print_report+0xd1/0x650
[ 13.195720] ? __virt_addr_valid+0x1db/0x2d0
[ 13.195743] ? ksize_uaf+0x5e4/0x6c0
[ 13.195763] ? kasan_complete_mode_report_info+0x64/0x200
[ 13.195797] ? ksize_uaf+0x5e4/0x6c0
[ 13.195818] kasan_report+0x141/0x180
[ 13.195839] ? ksize_uaf+0x5e4/0x6c0
[ 13.195864] __asan_report_load1_noabort+0x18/0x20
[ 13.195889] ksize_uaf+0x5e4/0x6c0
[ 13.195908] ? __pfx_ksize_uaf+0x10/0x10
[ 13.195944] ? __schedule+0x10cc/0x2b60
[ 13.196048] ? __pfx_read_tsc+0x10/0x10
[ 13.196084] ? ktime_get_ts64+0x86/0x230
[ 13.196110] kunit_try_run_case+0x1a5/0x480
[ 13.196136] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.196170] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.196195] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.196218] ? __kthread_parkme+0x82/0x180
[ 13.196239] ? preempt_count_sub+0x50/0x80
[ 13.196263] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.196297] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.196321] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.196357] kthread+0x337/0x6f0
[ 13.196376] ? trace_preempt_on+0x20/0xc0
[ 13.196400] ? __pfx_kthread+0x10/0x10
[ 13.196420] ? _raw_spin_unlock_irq+0x47/0x80
[ 13.196441] ? calculate_sigpending+0x7b/0xa0
[ 13.196466] ? __pfx_kthread+0x10/0x10
[ 13.196486] ret_from_fork+0x116/0x1d0
[ 13.196506] ? __pfx_kthread+0x10/0x10
[ 13.196526] ret_from_fork_asm+0x1a/0x30
[ 13.196557] </TASK>
[ 13.196568]
[ 13.204359] Allocated by task 213:
[ 13.204579] kasan_save_stack+0x45/0x70
[ 13.204810] kasan_save_track+0x18/0x40
[ 13.205071] kasan_save_alloc_info+0x3b/0x50
[ 13.205225] __kasan_kmalloc+0xb7/0xc0
[ 13.205502] __kmalloc_cache_noprof+0x189/0x420
[ 13.205752] ksize_uaf+0xaa/0x6c0
[ 13.205915] kunit_try_run_case+0x1a5/0x480
[ 13.206129] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.206503] kthread+0x337/0x6f0
[ 13.206715] ret_from_fork+0x116/0x1d0
[ 13.207023] ret_from_fork_asm+0x1a/0x30
[ 13.207220]
[ 13.207364] Freed by task 213:
[ 13.207529] kasan_save_stack+0x45/0x70
[ 13.207700] kasan_save_track+0x18/0x40
[ 13.207881] kasan_save_free_info+0x3f/0x60
[ 13.208101] __kasan_slab_free+0x56/0x70
[ 13.208383] kfree+0x222/0x3f0
[ 13.208574] ksize_uaf+0x12c/0x6c0
[ 13.208726] kunit_try_run_case+0x1a5/0x480
[ 13.208869] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.209054] kthread+0x337/0x6f0
[ 13.209173] ret_from_fork+0x116/0x1d0
[ 13.209324] ret_from_fork_asm+0x1a/0x30
[ 13.210817]
[ 13.210920] The buggy address belongs to the object at ffff888102a9ed00
[ 13.210920] which belongs to the cache kmalloc-128 of size 128
[ 13.211707] The buggy address is located 120 bytes inside of
[ 13.211707] freed 128-byte region [ffff888102a9ed00, ffff888102a9ed80)
[ 13.212593]
[ 13.212690] The buggy address belongs to the physical page:
[ 13.212938] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a9e
[ 13.213264] flags: 0x200000000000000(node=0|zone=2)
[ 13.213484] page_type: f5(slab)
[ 13.213645] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 13.214572] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 13.215333] page dumped because: kasan: bad access detected
[ 13.215818]
[ 13.216069] Memory state around the buggy address:
[ 13.216543] ffff888102a9ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.217304] ffff888102a9ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.217906] >ffff888102a9ed00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.218685] ^
[ 13.219071] ffff888102a9ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.219759] ffff888102a9ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.220240] ==================================================================
[ 13.162006] ==================================================================
[ 13.162318] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 13.162617] Read of size 1 at addr ffff888102a9ed00 by task kunit_try_catch/213
[ 13.163492]
[ 13.163708] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 13.163844] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.163858] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.163878] Call Trace:
[ 13.163897] <TASK>
[ 13.163917] dump_stack_lvl+0x73/0xb0
[ 13.164227] print_report+0xd1/0x650
[ 13.164251] ? __virt_addr_valid+0x1db/0x2d0
[ 13.164274] ? ksize_uaf+0x5fe/0x6c0
[ 13.164294] ? kasan_complete_mode_report_info+0x64/0x200
[ 13.164317] ? ksize_uaf+0x5fe/0x6c0
[ 13.164338] kasan_report+0x141/0x180
[ 13.164359] ? ksize_uaf+0x5fe/0x6c0
[ 13.164384] __asan_report_load1_noabort+0x18/0x20
[ 13.164408] ksize_uaf+0x5fe/0x6c0
[ 13.164428] ? __pfx_ksize_uaf+0x10/0x10
[ 13.164450] ? __schedule+0x10cc/0x2b60
[ 13.164472] ? __pfx_read_tsc+0x10/0x10
[ 13.164494] ? ktime_get_ts64+0x86/0x230
[ 13.164520] kunit_try_run_case+0x1a5/0x480
[ 13.164545] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.164567] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.164591] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.164615] ? __kthread_parkme+0x82/0x180
[ 13.164636] ? preempt_count_sub+0x50/0x80
[ 13.164659] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.164683] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.164708] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.164732] kthread+0x337/0x6f0
[ 13.164751] ? trace_preempt_on+0x20/0xc0
[ 13.164775] ? __pfx_kthread+0x10/0x10
[ 13.164796] ? _raw_spin_unlock_irq+0x47/0x80
[ 13.164817] ? calculate_sigpending+0x7b/0xa0
[ 13.164841] ? __pfx_kthread+0x10/0x10
[ 13.164862] ret_from_fork+0x116/0x1d0
[ 13.164881] ? __pfx_kthread+0x10/0x10
[ 13.164901] ret_from_fork_asm+0x1a/0x30
[ 13.165015] </TASK>
[ 13.165029]
[ 13.175913] Allocated by task 213:
[ 13.176460] kasan_save_stack+0x45/0x70
[ 13.176707] kasan_save_track+0x18/0x40
[ 13.177109] kasan_save_alloc_info+0x3b/0x50
[ 13.177306] __kasan_kmalloc+0xb7/0xc0
[ 13.177801] __kmalloc_cache_noprof+0x189/0x420
[ 13.178134] ksize_uaf+0xaa/0x6c0
[ 13.178275] kunit_try_run_case+0x1a5/0x480
[ 13.178513] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.178900] kthread+0x337/0x6f0
[ 13.179424] ret_from_fork+0x116/0x1d0
[ 13.179603] ret_from_fork_asm+0x1a/0x30
[ 13.179755]
[ 13.180043] Freed by task 213:
[ 13.180298] kasan_save_stack+0x45/0x70
[ 13.180451] kasan_save_track+0x18/0x40
[ 13.180649] kasan_save_free_info+0x3f/0x60
[ 13.180871] __kasan_slab_free+0x56/0x70
[ 13.181530] kfree+0x222/0x3f0
[ 13.181704] ksize_uaf+0x12c/0x6c0
[ 13.181842] kunit_try_run_case+0x1a5/0x480
[ 13.182135] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.182641] kthread+0x337/0x6f0
[ 13.182832] ret_from_fork+0x116/0x1d0
[ 13.183049] ret_from_fork_asm+0x1a/0x30
[ 13.183632]
[ 13.183708] The buggy address belongs to the object at ffff888102a9ed00
[ 13.183708] which belongs to the cache kmalloc-128 of size 128
[ 13.184303] The buggy address is located 0 bytes inside of
[ 13.184303] freed 128-byte region [ffff888102a9ed00, ffff888102a9ed80)
[ 13.186696]
[ 13.186795] The buggy address belongs to the physical page:
[ 13.186979] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a9e
[ 13.187216] flags: 0x200000000000000(node=0|zone=2)
[ 13.187378] page_type: f5(slab)
[ 13.187536] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 13.187842] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 13.189705] page dumped because: kasan: bad access detected
[ 13.190235]
[ 13.190314] Memory state around the buggy address:
[ 13.190475] ffff888102a9ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.190696] ffff888102a9ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.190918] >ffff888102a9ed00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.191168] ^
[ 13.191285] ffff888102a9ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.191498] ffff888102a9ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.191708] ==================================================================
```