Hay
Date
July 8, 2025, 7:07 p.m.

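Environment
qemu-arm64
qemu-x86_64

The first three reports below (hardware name "linux,dummy-virt (DT)") are from qemu-arm64; the last three ("QEMU Standard PC (Q35 + ICH9, 2009)") are from qemu-x86_64. All six are raised by the kunit_try_catch task inside ksize_uaf on a kernel tainted [N]=TEST, so they appear to be the reports a KASAN KUnit test case triggers on purpose, not a use-after-free in production code. Within each environment the reports are not listed in timestamp order.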

[   19.523160] ==================================================================
[   19.523366] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   19.523431] Read of size 1 at addr fff00000c5708400 by task kunit_try_catch/196
[   19.523509] 
[   19.523547] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   19.523744] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.523934] Hardware name: linux,dummy-virt (DT)
[   19.523968] Call trace:
[   19.523989]  show_stack+0x20/0x38 (C)
[   19.524400]  dump_stack_lvl+0x8c/0xd0
[   19.524582]  print_report+0x118/0x608
[   19.524698]  kasan_report+0xdc/0x128
[   19.524908]  __asan_report_load1_noabort+0x20/0x30
[   19.524962]  ksize_uaf+0x598/0x5f8
[   19.525496]  kunit_try_run_case+0x170/0x3f0
[   19.525613]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.525764]  kthread+0x328/0x630
[   19.525809]  ret_from_fork+0x10/0x20
[   19.525902] 
[   19.526185] Allocated by task 196:
[   19.526278]  kasan_save_stack+0x3c/0x68
[   19.526350]  kasan_save_track+0x20/0x40
[   19.526486]  kasan_save_alloc_info+0x40/0x58
[   19.526597]  __kasan_kmalloc+0xd4/0xd8
[   19.526811]  __kmalloc_cache_noprof+0x16c/0x3c0
[   19.527026]  ksize_uaf+0xb8/0x5f8
[   19.527093]  kunit_try_run_case+0x170/0x3f0
[   19.527256]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.527360]  kthread+0x328/0x630
[   19.527476]  ret_from_fork+0x10/0x20
[   19.527563] 
[   19.527778] Freed by task 196:
[   19.527812]  kasan_save_stack+0x3c/0x68
[   19.527853]  kasan_save_track+0x20/0x40
[   19.527896]  kasan_save_free_info+0x4c/0x78
[   19.528128]  __kasan_slab_free+0x6c/0x98
[   19.528246]  kfree+0x214/0x3c8
[   19.528304]  ksize_uaf+0x11c/0x5f8
[   19.528425]  kunit_try_run_case+0x170/0x3f0
[   19.528528]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.528687]  kthread+0x328/0x630
[   19.528816]  ret_from_fork+0x10/0x20
[   19.528855] 
[   19.529040] The buggy address belongs to the object at fff00000c5708400
[   19.529040]  which belongs to the cache kmalloc-128 of size 128
[   19.529232] The buggy address is located 0 bytes inside of
[   19.529232]  freed 128-byte region [fff00000c5708400, fff00000c5708480)
[   19.529409] 
[   19.529479] The buggy address belongs to the physical page:
[   19.530307] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105708
[   19.530387] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.530471] page_type: f5(slab)
[   19.530592] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   19.531167] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   19.531238] page dumped because: kasan: bad access detected
[   19.531303] 
[   19.531431] Memory state around the buggy address:
[   19.531555]  fff00000c5708300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.531630]  fff00000c5708380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.531765] >fff00000c5708400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.531805]                    ^
[   19.531833]  fff00000c5708480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.531876]  fff00000c5708500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.531913] ==================================================================
[   19.516245] ==================================================================
[   19.516438] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   19.516492] Read of size 1 at addr fff00000c5708400 by task kunit_try_catch/196
[   19.516599] 
[   19.516636] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   19.516798] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.516827] Hardware name: linux,dummy-virt (DT)
[   19.516858] Call trace:
[   19.516879]  show_stack+0x20/0x38 (C)
[   19.517238]  dump_stack_lvl+0x8c/0xd0
[   19.517326]  print_report+0x118/0x608
[   19.517437]  kasan_report+0xdc/0x128
[   19.517552]  __kasan_check_byte+0x54/0x70
[   19.517616]  ksize+0x30/0x88
[   19.517758]  ksize_uaf+0x168/0x5f8
[   19.517811]  kunit_try_run_case+0x170/0x3f0
[   19.517859]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.518307]  kthread+0x328/0x630
[   19.518449]  ret_from_fork+0x10/0x20
[   19.518597] 
[   19.518635] Allocated by task 196:
[   19.518702]  kasan_save_stack+0x3c/0x68
[   19.518822]  kasan_save_track+0x20/0x40
[   19.518863]  kasan_save_alloc_info+0x40/0x58
[   19.519093]  __kasan_kmalloc+0xd4/0xd8
[   19.519145]  __kmalloc_cache_noprof+0x16c/0x3c0
[   19.519350]  ksize_uaf+0xb8/0x5f8
[   19.519398]  kunit_try_run_case+0x170/0x3f0
[   19.519436]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.519619]  kthread+0x328/0x630
[   19.519688]  ret_from_fork+0x10/0x20
[   19.519837] 
[   19.519857] Freed by task 196:
[   19.519884]  kasan_save_stack+0x3c/0x68
[   19.519945]  kasan_save_track+0x20/0x40
[   19.519983]  kasan_save_free_info+0x4c/0x78
[   19.520023]  __kasan_slab_free+0x6c/0x98
[   19.520060]  kfree+0x214/0x3c8
[   19.520093]  ksize_uaf+0x11c/0x5f8
[   19.520130]  kunit_try_run_case+0x170/0x3f0
[   19.520169]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.520214]  kthread+0x328/0x630
[   19.520782]  ret_from_fork+0x10/0x20
[   19.520845] 
[   19.520868] The buggy address belongs to the object at fff00000c5708400
[   19.520868]  which belongs to the cache kmalloc-128 of size 128
[   19.520928] The buggy address is located 0 bytes inside of
[   19.520928]  freed 128-byte region [fff00000c5708400, fff00000c5708480)
[   19.520988] 
[   19.521007] The buggy address belongs to the physical page:
[   19.521044] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105708
[   19.521106] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.521152] page_type: f5(slab)
[   19.521208] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   19.521266] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   19.521305] page dumped because: kasan: bad access detected
[   19.521336] 
[   19.521353] Memory state around the buggy address:
[   19.521384]  fff00000c5708300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.521439]  fff00000c5708380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.521482] >fff00000c5708400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.521521]                    ^
[   19.521554]  fff00000c5708480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.521606]  fff00000c5708500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.521643] ==================================================================
[   19.535220] ==================================================================
[   19.535340] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   19.535783] Read of size 1 at addr fff00000c5708478 by task kunit_try_catch/196
[   19.535988] 
[   19.536034] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   19.536358] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.536454] Hardware name: linux,dummy-virt (DT)
[   19.536523] Call trace:
[   19.536638]  show_stack+0x20/0x38 (C)
[   19.536730]  dump_stack_lvl+0x8c/0xd0
[   19.536782]  print_report+0x118/0x608
[   19.537128]  kasan_report+0xdc/0x128
[   19.537271]  __asan_report_load1_noabort+0x20/0x30
[   19.537704]  ksize_uaf+0x544/0x5f8
[   19.537882]  kunit_try_run_case+0x170/0x3f0
[   19.538228]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.538353]  kthread+0x328/0x630
[   19.538465]  ret_from_fork+0x10/0x20
[   19.538564] 
[   19.538637] Allocated by task 196:
[   19.538730]  kasan_save_stack+0x3c/0x68
[   19.539069]  kasan_save_track+0x20/0x40
[   19.539205]  kasan_save_alloc_info+0x40/0x58
[   19.539282]  __kasan_kmalloc+0xd4/0xd8
[   19.539638]  __kmalloc_cache_noprof+0x16c/0x3c0
[   19.539821]  ksize_uaf+0xb8/0x5f8
[   19.539906]  kunit_try_run_case+0x170/0x3f0
[   19.539958]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.540004]  kthread+0x328/0x630
[   19.540037]  ret_from_fork+0x10/0x20
[   19.540073] 
[   19.540227] Freed by task 196:
[   19.540370]  kasan_save_stack+0x3c/0x68
[   19.540498]  kasan_save_track+0x20/0x40
[   19.540736]  kasan_save_free_info+0x4c/0x78
[   19.540879]  __kasan_slab_free+0x6c/0x98
[   19.541207]  kfree+0x214/0x3c8
[   19.541328]  ksize_uaf+0x11c/0x5f8
[   19.541364]  kunit_try_run_case+0x170/0x3f0
[   19.541771]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.541879]  kthread+0x328/0x630
[   19.541915]  ret_from_fork+0x10/0x20
[   19.541953] 
[   19.542392] The buggy address belongs to the object at fff00000c5708400
[   19.542392]  which belongs to the cache kmalloc-128 of size 128
[   19.542853] The buggy address is located 120 bytes inside of
[   19.542853]  freed 128-byte region [fff00000c5708400, fff00000c5708480)
[   19.542965] 
[   19.542993] The buggy address belongs to the physical page:
[   19.543089] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105708
[   19.543145] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.543625] page_type: f5(slab)
[   19.543742] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   19.543795] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   19.544089] page dumped because: kasan: bad access detected
[   19.544200] 
[   19.544298] Memory state around the buggy address:
[   19.544394]  fff00000c5708300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.544459]  fff00000c5708380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.544813] >fff00000c5708400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.544962]                                                                 ^
[   19.545029]  fff00000c5708480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.545105]  fff00000c5708500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.545573] ==================================================================

[   13.430713] ==================================================================
[   13.432070] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   13.432827] Read of size 1 at addr ffff888102602b00 by task kunit_try_catch/213
[   13.433676] 
[   13.433894] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   13.433940] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.433951] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.433972] Call Trace:
[   13.433984]  <TASK>
[   13.434000]  dump_stack_lvl+0x73/0xb0
[   13.434028]  print_report+0xd1/0x650
[   13.434060]  ? __virt_addr_valid+0x1db/0x2d0
[   13.434082]  ? ksize_uaf+0x19d/0x6c0
[   13.434101]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.434126]  ? ksize_uaf+0x19d/0x6c0
[   13.434146]  kasan_report+0x141/0x180
[   13.434167]  ? ksize_uaf+0x19d/0x6c0
[   13.434189]  ? ksize_uaf+0x19d/0x6c0
[   13.434209]  __kasan_check_byte+0x3d/0x50
[   13.434230]  ksize+0x20/0x60
[   13.434250]  ksize_uaf+0x19d/0x6c0
[   13.434269]  ? __pfx_ksize_uaf+0x10/0x10
[   13.434289]  ? __schedule+0x10cc/0x2b60
[   13.434310]  ? __pfx_read_tsc+0x10/0x10
[   13.434330]  ? ktime_get_ts64+0x86/0x230
[   13.434353]  kunit_try_run_case+0x1a5/0x480
[   13.434376]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.434397]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.434418]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.434440]  ? __kthread_parkme+0x82/0x180
[   13.434459]  ? preempt_count_sub+0x50/0x80
[   13.434482]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.434575]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.434615]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.434637]  kthread+0x337/0x6f0
[   13.434655]  ? trace_preempt_on+0x20/0xc0
[   13.434677]  ? __pfx_kthread+0x10/0x10
[   13.434696]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.434716]  ? calculate_sigpending+0x7b/0xa0
[   13.434740]  ? __pfx_kthread+0x10/0x10
[   13.434762]  ret_from_fork+0x116/0x1d0
[   13.434779]  ? __pfx_kthread+0x10/0x10
[   13.434799]  ret_from_fork_asm+0x1a/0x30
[   13.434829]  </TASK>
[   13.434841] 
[   13.448639] Allocated by task 213:
[   13.448977]  kasan_save_stack+0x45/0x70
[   13.449479]  kasan_save_track+0x18/0x40
[   13.449894]  kasan_save_alloc_info+0x3b/0x50
[   13.450422]  __kasan_kmalloc+0xb7/0xc0
[   13.450664]  __kmalloc_cache_noprof+0x189/0x420
[   13.450825]  ksize_uaf+0xaa/0x6c0
[   13.450948]  kunit_try_run_case+0x1a5/0x480
[   13.451167]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.451690]  kthread+0x337/0x6f0
[   13.452062]  ret_from_fork+0x116/0x1d0
[   13.452661]  ret_from_fork_asm+0x1a/0x30
[   13.453128] 
[   13.453291] Freed by task 213:
[   13.453637]  kasan_save_stack+0x45/0x70
[   13.453998]  kasan_save_track+0x18/0x40
[   13.454488]  kasan_save_free_info+0x3f/0x60
[   13.454743]  __kasan_slab_free+0x56/0x70
[   13.454882]  kfree+0x222/0x3f0
[   13.455001]  ksize_uaf+0x12c/0x6c0
[   13.455272]  kunit_try_run_case+0x1a5/0x480
[   13.455831]  kthread+0x337/0x6f0
[   13.455967]  ret_from_fork+0x116/0x1d0
[   13.456109]  ret_from_fork_asm+0x1a/0x30
[   13.456541] 
[   13.456669] The buggy address belongs to the object at ffff888102602b00
[   13.456669]  which belongs to the cache kmalloc-128 of size 128
[   13.457185] The buggy address is located 0 bytes inside of
[   13.457185]  freed 128-byte region [ffff888102602b00, ffff888102602b80)
[   13.457749] 
[   13.457881] The buggy address belongs to the physical page:
[   13.458101] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102602
[   13.458678] flags: 0x200000000000000(node=0|zone=2)
[   13.458853] page_type: f5(slab)
[   13.459110] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.459470] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.459795] page dumped because: kasan: bad access detected
[   13.459979] 
[   13.460059] Memory state around the buggy address:
[   13.460487]  ffff888102602a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.460821]  ffff888102602a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.461182] >ffff888102602b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.461590]                    ^
[   13.461725]  ffff888102602b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.462006]  ffff888102602c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.462411] ==================================================================
[   13.484792] ==================================================================
[   13.485247] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   13.485576] Read of size 1 at addr ffff888102602b78 by task kunit_try_catch/213
[   13.485873] 
[   13.485983] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   13.486032] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.486121] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.486143] Call Trace:
[   13.486158]  <TASK>
[   13.486173]  dump_stack_lvl+0x73/0xb0
[   13.486209]  print_report+0xd1/0x650
[   13.486230]  ? __virt_addr_valid+0x1db/0x2d0
[   13.486251]  ? ksize_uaf+0x5e4/0x6c0
[   13.486271]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.486307]  ? ksize_uaf+0x5e4/0x6c0
[   13.486327]  kasan_report+0x141/0x180
[   13.486347]  ? ksize_uaf+0x5e4/0x6c0
[   13.486381]  __asan_report_load1_noabort+0x18/0x20
[   13.486405]  ksize_uaf+0x5e4/0x6c0
[   13.486424]  ? __pfx_ksize_uaf+0x10/0x10
[   13.486456]  ? __schedule+0x10cc/0x2b60
[   13.486479]  ? __pfx_read_tsc+0x10/0x10
[   13.486499]  ? ktime_get_ts64+0x86/0x230
[   13.486522]  kunit_try_run_case+0x1a5/0x480
[   13.486559]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.486581]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.486623]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.486645]  ? __kthread_parkme+0x82/0x180
[   13.486664]  ? preempt_count_sub+0x50/0x80
[   13.486687]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.486709]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.486731]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.486753]  kthread+0x337/0x6f0
[   13.486771]  ? trace_preempt_on+0x20/0xc0
[   13.486793]  ? __pfx_kthread+0x10/0x10
[   13.486812]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.486832]  ? calculate_sigpending+0x7b/0xa0
[   13.486854]  ? __pfx_kthread+0x10/0x10
[   13.486875]  ret_from_fork+0x116/0x1d0
[   13.486892]  ? __pfx_kthread+0x10/0x10
[   13.486911]  ret_from_fork_asm+0x1a/0x30
[   13.486941]  </TASK>
[   13.486951] 
[   13.494673] Allocated by task 213:
[   13.494859]  kasan_save_stack+0x45/0x70
[   13.495145]  kasan_save_track+0x18/0x40
[   13.495364]  kasan_save_alloc_info+0x3b/0x50
[   13.495580]  __kasan_kmalloc+0xb7/0xc0
[   13.495766]  __kmalloc_cache_noprof+0x189/0x420
[   13.495946]  ksize_uaf+0xaa/0x6c0
[   13.496360]  kunit_try_run_case+0x1a5/0x480
[   13.496593]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.496862]  kthread+0x337/0x6f0
[   13.497068]  ret_from_fork+0x116/0x1d0
[   13.497326]  ret_from_fork_asm+0x1a/0x30
[   13.497534] 
[   13.497637] Freed by task 213:
[   13.497796]  kasan_save_stack+0x45/0x70
[   13.497985]  kasan_save_track+0x18/0x40
[   13.498252]  kasan_save_free_info+0x3f/0x60
[   13.498465]  __kasan_slab_free+0x56/0x70
[   13.498615]  kfree+0x222/0x3f0
[   13.498732]  ksize_uaf+0x12c/0x6c0
[   13.498856]  kunit_try_run_case+0x1a5/0x480
[   13.499071]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.499320]  kthread+0x337/0x6f0
[   13.499489]  ret_from_fork+0x116/0x1d0
[   13.499674]  ret_from_fork_asm+0x1a/0x30
[   13.499868] 
[   13.499944] The buggy address belongs to the object at ffff888102602b00
[   13.499944]  which belongs to the cache kmalloc-128 of size 128
[   13.500656] The buggy address is located 120 bytes inside of
[   13.500656]  freed 128-byte region [ffff888102602b00, ffff888102602b80)
[   13.501266] 
[   13.501381] The buggy address belongs to the physical page:
[   13.501643] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102602
[   13.501954] flags: 0x200000000000000(node=0|zone=2)
[   13.502193] page_type: f5(slab)
[   13.502322] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.502711] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.503165] page dumped because: kasan: bad access detected
[   13.503433] 
[   13.503543] Memory state around the buggy address:
[   13.503801]  ffff888102602a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.504293]  ffff888102602a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.504680] >ffff888102602b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.505003]                                                                 ^
[   13.505409]  ffff888102602b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.505760]  ffff888102602c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.506134] ==================================================================
[   13.463298] ==================================================================
[   13.463584] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   13.463923] Read of size 1 at addr ffff888102602b00 by task kunit_try_catch/213
[   13.464529] 
[   13.464650] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   13.464695] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.464707] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.464735] Call Trace:
[   13.464748]  <TASK>
[   13.464764]  dump_stack_lvl+0x73/0xb0
[   13.464794]  print_report+0xd1/0x650
[   13.464815]  ? __virt_addr_valid+0x1db/0x2d0
[   13.464838]  ? ksize_uaf+0x5fe/0x6c0
[   13.464859]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.464884]  ? ksize_uaf+0x5fe/0x6c0
[   13.464903]  kasan_report+0x141/0x180
[   13.464924]  ? ksize_uaf+0x5fe/0x6c0
[   13.464950]  __asan_report_load1_noabort+0x18/0x20
[   13.464974]  ksize_uaf+0x5fe/0x6c0
[   13.464993]  ? __pfx_ksize_uaf+0x10/0x10
[   13.465013]  ? __schedule+0x10cc/0x2b60
[   13.465035]  ? __pfx_read_tsc+0x10/0x10
[   13.465065]  ? ktime_get_ts64+0x86/0x230
[   13.465090]  kunit_try_run_case+0x1a5/0x480
[   13.465113]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.465134]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.465156]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.465178]  ? __kthread_parkme+0x82/0x180
[   13.465198]  ? preempt_count_sub+0x50/0x80
[   13.465222]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.465244]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.465266]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.465288]  kthread+0x337/0x6f0
[   13.465306]  ? trace_preempt_on+0x20/0xc0
[   13.465328]  ? __pfx_kthread+0x10/0x10
[   13.465348]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.465368]  ? calculate_sigpending+0x7b/0xa0
[   13.465392]  ? __pfx_kthread+0x10/0x10
[   13.465413]  ret_from_fork+0x116/0x1d0
[   13.465430]  ? __pfx_kthread+0x10/0x10
[   13.465449]  ret_from_fork_asm+0x1a/0x30
[   13.465480]  </TASK>
[   13.465491] 
[   13.473185] Allocated by task 213:
[   13.473372]  kasan_save_stack+0x45/0x70
[   13.473538]  kasan_save_track+0x18/0x40
[   13.473736]  kasan_save_alloc_info+0x3b/0x50
[   13.473973]  __kasan_kmalloc+0xb7/0xc0
[   13.474245]  __kmalloc_cache_noprof+0x189/0x420
[   13.474454]  ksize_uaf+0xaa/0x6c0
[   13.474657]  kunit_try_run_case+0x1a5/0x480
[   13.474879]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.475221]  kthread+0x337/0x6f0
[   13.475365]  ret_from_fork+0x116/0x1d0
[   13.475570]  ret_from_fork_asm+0x1a/0x30
[   13.475752] 
[   13.475856] Freed by task 213:
[   13.476013]  kasan_save_stack+0x45/0x70
[   13.476228]  kasan_save_track+0x18/0x40
[   13.476367]  kasan_save_free_info+0x3f/0x60
[   13.476514]  __kasan_slab_free+0x56/0x70
[   13.476665]  kfree+0x222/0x3f0
[   13.476828]  ksize_uaf+0x12c/0x6c0
[   13.477273]  kunit_try_run_case+0x1a5/0x480
[   13.477510]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.477781]  kthread+0x337/0x6f0
[   13.477963]  ret_from_fork+0x116/0x1d0
[   13.478240]  ret_from_fork_asm+0x1a/0x30
[   13.478401] 
[   13.478476] The buggy address belongs to the object at ffff888102602b00
[   13.478476]  which belongs to the cache kmalloc-128 of size 128
[   13.479005] The buggy address is located 0 bytes inside of
[   13.479005]  freed 128-byte region [ffff888102602b00, ffff888102602b80)
[   13.479572] 
[   13.479649] The buggy address belongs to the physical page:
[   13.479873] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102602
[   13.480452] flags: 0x200000000000000(node=0|zone=2)
[   13.480740] page_type: f5(slab)
[   13.480912] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.481322] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.481661] page dumped because: kasan: bad access detected
[   13.481835] 
[   13.481932] Memory state around the buggy address:
[   13.482247]  ffff888102602a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.482562]  ffff888102602a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.482875] >ffff888102602b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.483274]                    ^
[   13.483435]  ffff888102602b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.483783]  ffff888102602c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.484258] ==================================================================