Hay
Date
July 16, 2025, 3:10 p.m.

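Environment
qemu-arm64 (the first three KASAN reports below; Hardware name: linux,dummy-virt (DT))
qemu-x86_64 (the last three KASAN reports below; Hardware name: QEMU Standard PC (Q35 + ICH9, 2009))

Note: all six reports are slab-use-after-free reads of size 1 raised in ksize_uaf by task kunit_try_catch on a kernel tainted [N]=TEST, i.e. during a KUnit test run. Within each environment the reports are not listed in timestamp order.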

[   16.837746] ==================================================================
[   16.837837] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   16.837893] Read of size 1 at addr fff00000c5967000 by task kunit_try_catch/196
[   16.837945] 
[   16.837998] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   16.838079] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.838106] Hardware name: linux,dummy-virt (DT)
[   16.838159] Call trace:
[   16.838197]  show_stack+0x20/0x38 (C)
[   16.838245]  dump_stack_lvl+0x8c/0xd0
[   16.838311]  print_report+0x118/0x5d0
[   16.838376]  kasan_report+0xdc/0x128
[   16.838439]  __asan_report_load1_noabort+0x20/0x30
[   16.838500]  ksize_uaf+0x598/0x5f8
[   16.838557]  kunit_try_run_case+0x170/0x3f0
[   16.838606]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.838656]  kthread+0x328/0x630
[   16.838913]  ret_from_fork+0x10/0x20
[   16.838999] 
[   16.839030] Allocated by task 196:
[   16.839078]  kasan_save_stack+0x3c/0x68
[   16.839135]  kasan_save_track+0x20/0x40
[   16.839197]  kasan_save_alloc_info+0x40/0x58
[   16.839245]  __kasan_kmalloc+0xd4/0xd8
[   16.839361]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.839485]  ksize_uaf+0xb8/0x5f8
[   16.839578]  kunit_try_run_case+0x170/0x3f0
[   16.839639]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.839682]  kthread+0x328/0x630
[   16.839735]  ret_from_fork+0x10/0x20
[   16.839965] 
[   16.839986] Freed by task 196:
[   16.840014]  kasan_save_stack+0x3c/0x68
[   16.840052]  kasan_save_track+0x20/0x40
[   16.840090]  kasan_save_free_info+0x4c/0x78
[   16.840128]  __kasan_slab_free+0x6c/0x98
[   16.840166]  kfree+0x214/0x3c8
[   16.840200]  ksize_uaf+0x11c/0x5f8
[   16.840233]  kunit_try_run_case+0x170/0x3f0
[   16.840338]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.840405]  kthread+0x328/0x630
[   16.840450]  ret_from_fork+0x10/0x20
[   16.840485] 
[   16.840540] The buggy address belongs to the object at fff00000c5967000
[   16.840540]  which belongs to the cache kmalloc-128 of size 128
[   16.840606] The buggy address is located 0 bytes inside of
[   16.840606]  freed 128-byte region [fff00000c5967000, fff00000c5967080)
[   16.840681] 
[   16.840702] The buggy address belongs to the physical page:
[   16.840748] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105967
[   16.840802] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.840951] page_type: f5(slab)
[   16.840992] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   16.841095] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   16.841176] page dumped because: kasan: bad access detected
[   16.841263] 
[   16.841352] Memory state around the buggy address:
[   16.841512]  fff00000c5966f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   16.841576]  fff00000c5966f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   16.841643] >fff00000c5967000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   16.842741]                    ^
[   16.842774]  fff00000c5967080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.842819]  fff00000c5967100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.842859] ==================================================================
[   16.821596] ==================================================================
[   16.821657] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   16.822264] Read of size 1 at addr fff00000c5967000 by task kunit_try_catch/196
[   16.822332] 
[   16.822367] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   16.822459] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.822504] Hardware name: linux,dummy-virt (DT)
[   16.822553] Call trace:
[   16.822602]  show_stack+0x20/0x38 (C)
[   16.822654]  dump_stack_lvl+0x8c/0xd0
[   16.822752]  print_report+0x118/0x5d0
[   16.822801]  kasan_report+0xdc/0x128
[   16.822847]  __kasan_check_byte+0x54/0x70
[   16.822894]  ksize+0x30/0x88
[   16.822935]  ksize_uaf+0x168/0x5f8
[   16.822976]  kunit_try_run_case+0x170/0x3f0
[   16.823154]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.823272]  kthread+0x328/0x630
[   16.823392]  ret_from_fork+0x10/0x20
[   16.823525] 
[   16.823602] Allocated by task 196:
[   16.823631]  kasan_save_stack+0x3c/0x68
[   16.823720]  kasan_save_track+0x20/0x40
[   16.823792]  kasan_save_alloc_info+0x40/0x58
[   16.823856]  __kasan_kmalloc+0xd4/0xd8
[   16.823956]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.824100]  ksize_uaf+0xb8/0x5f8
[   16.824382]  kunit_try_run_case+0x170/0x3f0
[   16.824492]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.824581]  kthread+0x328/0x630
[   16.824645]  ret_from_fork+0x10/0x20
[   16.824705] 
[   16.824813] Freed by task 196:
[   16.824840]  kasan_save_stack+0x3c/0x68
[   16.824890]  kasan_save_track+0x20/0x40
[   16.825313]  kasan_save_free_info+0x4c/0x78
[   16.825378]  __kasan_slab_free+0x6c/0x98
[   16.826257]  kfree+0x214/0x3c8
[   16.826484]  ksize_uaf+0x11c/0x5f8
[   16.827479]  kunit_try_run_case+0x170/0x3f0
[   16.828907]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.830085]  kthread+0x328/0x630
[   16.831320]  ret_from_fork+0x10/0x20
[   16.831765] 
[   16.831795] The buggy address belongs to the object at fff00000c5967000
[   16.831795]  which belongs to the cache kmalloc-128 of size 128
[   16.832740] The buggy address is located 0 bytes inside of
[   16.832740]  freed 128-byte region [fff00000c5967000, fff00000c5967080)
[   16.832815] 
[   16.832837] The buggy address belongs to the physical page:
[   16.833593] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105967
[   16.833689] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.835294] page_type: f5(slab)
[   16.835408] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   16.835614] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   16.835848] page dumped because: kasan: bad access detected
[   16.835888] 
[   16.835906] Memory state around the buggy address:
[   16.835962]  fff00000c5966f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   16.836008]  fff00000c5966f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   16.836052] >fff00000c5967000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   16.836091]                    ^
[   16.836121]  fff00000c5967080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.836165]  fff00000c5967100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.836313] ==================================================================
[   16.845451] ==================================================================
[   16.845510] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   16.845560] Read of size 1 at addr fff00000c5967078 by task kunit_try_catch/196
[   16.845612] 
[   16.845658] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   16.846134] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.846170] Hardware name: linux,dummy-virt (DT)
[   16.846227] Call trace:
[   16.846301]  show_stack+0x20/0x38 (C)
[   16.846398]  dump_stack_lvl+0x8c/0xd0
[   16.846447]  print_report+0x118/0x5d0
[   16.846495]  kasan_report+0xdc/0x128
[   16.846539]  __asan_report_load1_noabort+0x20/0x30
[   16.846597]  ksize_uaf+0x544/0x5f8
[   16.846642]  kunit_try_run_case+0x170/0x3f0
[   16.846687]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.846751]  kthread+0x328/0x630
[   16.846793]  ret_from_fork+0x10/0x20
[   16.846838] 
[   16.846855] Allocated by task 196:
[   16.846988]  kasan_save_stack+0x3c/0x68
[   16.847074]  kasan_save_track+0x20/0x40
[   16.847156]  kasan_save_alloc_info+0x40/0x58
[   16.847232]  __kasan_kmalloc+0xd4/0xd8
[   16.847298]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.847340]  ksize_uaf+0xb8/0x5f8
[   16.847443]  kunit_try_run_case+0x170/0x3f0
[   16.847606]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.847673]  kthread+0x328/0x630
[   16.847784]  ret_from_fork+0x10/0x20
[   16.847916] 
[   16.847936] Freed by task 196:
[   16.847962]  kasan_save_stack+0x3c/0x68
[   16.848040]  kasan_save_track+0x20/0x40
[   16.848105]  kasan_save_free_info+0x4c/0x78
[   16.848145]  __kasan_slab_free+0x6c/0x98
[   16.848182]  kfree+0x214/0x3c8
[   16.848217]  ksize_uaf+0x11c/0x5f8
[   16.848251]  kunit_try_run_case+0x170/0x3f0
[   16.848287]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.848331]  kthread+0x328/0x630
[   16.848364]  ret_from_fork+0x10/0x20
[   16.848401] 
[   16.848420] The buggy address belongs to the object at fff00000c5967000
[   16.848420]  which belongs to the cache kmalloc-128 of size 128
[   16.848483] The buggy address is located 120 bytes inside of
[   16.848483]  freed 128-byte region [fff00000c5967000, fff00000c5967080)
[   16.848547] 
[   16.848568] The buggy address belongs to the physical page:
[   16.848600] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105967
[   16.848654] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.849129] page_type: f5(slab)
[   16.849234] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   16.849334] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   16.849444] page dumped because: kasan: bad access detected
[   16.849556] 
[   16.849648] Memory state around the buggy address:
[   16.849734]  fff00000c5966f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   16.849831]  fff00000c5966f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   16.849910] >fff00000c5967000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   16.849985]                                                                 ^
[   16.850026]  fff00000c5967080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.850303]  fff00000c5967100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.850417] ==================================================================

[   13.109907] ==================================================================
[   13.110314] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   13.110526] Read of size 1 at addr ffff88810305bf78 by task kunit_try_catch/213
[   13.110876] 
[   13.110985] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   13.111028] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.111039] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.111058] Call Trace:
[   13.111071]  <TASK>
[   13.111084]  dump_stack_lvl+0x73/0xb0
[   13.111111]  print_report+0xd1/0x610
[   13.111134]  ? __virt_addr_valid+0x1db/0x2d0
[   13.111156]  ? ksize_uaf+0x5e4/0x6c0
[   13.111180]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.111204]  ? ksize_uaf+0x5e4/0x6c0
[   13.111224]  kasan_report+0x141/0x180
[   13.111246]  ? ksize_uaf+0x5e4/0x6c0
[   13.111271]  __asan_report_load1_noabort+0x18/0x20
[   13.111296]  ksize_uaf+0x5e4/0x6c0
[   13.111316]  ? __pfx_ksize_uaf+0x10/0x10
[   13.111338]  ? __schedule+0x10cc/0x2b60
[   13.111360]  ? __pfx_read_tsc+0x10/0x10
[   13.111381]  ? ktime_get_ts64+0x86/0x230
[   13.111405]  kunit_try_run_case+0x1a5/0x480
[   13.111428]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.111452]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.111476]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.111500]  ? __kthread_parkme+0x82/0x180
[   13.111521]  ? preempt_count_sub+0x50/0x80
[   13.111545]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.111571]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.111596]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.111637]  kthread+0x337/0x6f0
[   13.111697]  ? trace_preempt_on+0x20/0xc0
[   13.111722]  ? __pfx_kthread+0x10/0x10
[   13.111742]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.111777]  ? calculate_sigpending+0x7b/0xa0
[   13.111802]  ? __pfx_kthread+0x10/0x10
[   13.111823]  ret_from_fork+0x116/0x1d0
[   13.111842]  ? __pfx_kthread+0x10/0x10
[   13.111862]  ret_from_fork_asm+0x1a/0x30
[   13.111892]  </TASK>
[   13.111902] 
[   13.120719] Allocated by task 213:
[   13.121043]  kasan_save_stack+0x45/0x70
[   13.121258]  kasan_save_track+0x18/0x40
[   13.121440]  kasan_save_alloc_info+0x3b/0x50
[   13.122490]  __kasan_kmalloc+0xb7/0xc0
[   13.122692]  __kmalloc_cache_noprof+0x189/0x420
[   13.122933]  ksize_uaf+0xaa/0x6c0
[   13.123297]  kunit_try_run_case+0x1a5/0x480
[   13.123515]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.123742]  kthread+0x337/0x6f0
[   13.123921]  ret_from_fork+0x116/0x1d0
[   13.124152]  ret_from_fork_asm+0x1a/0x30
[   13.124330] 
[   13.124402] Freed by task 213:
[   13.124668]  kasan_save_stack+0x45/0x70
[   13.124919]  kasan_save_track+0x18/0x40
[   13.125142]  kasan_save_free_info+0x3f/0x60
[   13.125336]  __kasan_slab_free+0x56/0x70
[   13.125543]  kfree+0x222/0x3f0
[   13.125662]  ksize_uaf+0x12c/0x6c0
[   13.125813]  kunit_try_run_case+0x1a5/0x480
[   13.126171]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.126455]  kthread+0x337/0x6f0
[   13.126584]  ret_from_fork+0x116/0x1d0
[   13.126718]  ret_from_fork_asm+0x1a/0x30
[   13.126873] 
[   13.126965] The buggy address belongs to the object at ffff88810305bf00
[   13.126965]  which belongs to the cache kmalloc-128 of size 128
[   13.127558] The buggy address is located 120 bytes inside of
[   13.127558]  freed 128-byte region [ffff88810305bf00, ffff88810305bf80)
[   13.127962] 
[   13.128035] The buggy address belongs to the physical page:
[   13.128595] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10305b
[   13.128977] flags: 0x200000000000000(node=0|zone=2)
[   13.129214] page_type: f5(slab)
[   13.129363] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.129644] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.129925] page dumped because: kasan: bad access detected
[   13.130172] 
[   13.130265] Memory state around the buggy address:
[   13.130458]  ffff88810305be00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.130673]  ffff88810305be80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.130931] >ffff88810305bf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.131257]                                                                 ^
[   13.131582]  ffff88810305bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.131921]  ffff88810305c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.132226] ==================================================================
[   13.089354] ==================================================================
[   13.089646] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   13.089968] Read of size 1 at addr ffff88810305bf00 by task kunit_try_catch/213
[   13.090342] 
[   13.090453] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   13.090498] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.090509] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.090531] Call Trace:
[   13.090544]  <TASK>
[   13.090560]  dump_stack_lvl+0x73/0xb0
[   13.090591]  print_report+0xd1/0x610
[   13.090614]  ? __virt_addr_valid+0x1db/0x2d0
[   13.090639]  ? ksize_uaf+0x5fe/0x6c0
[   13.090659]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.090683]  ? ksize_uaf+0x5fe/0x6c0
[   13.090703]  kasan_report+0x141/0x180
[   13.090725]  ? ksize_uaf+0x5fe/0x6c0
[   13.090750]  __asan_report_load1_noabort+0x18/0x20
[   13.090788]  ksize_uaf+0x5fe/0x6c0
[   13.090809]  ? __pfx_ksize_uaf+0x10/0x10
[   13.090831]  ? __schedule+0x10cc/0x2b60
[   13.090854]  ? __pfx_read_tsc+0x10/0x10
[   13.090876]  ? ktime_get_ts64+0x86/0x230
[   13.090902]  kunit_try_run_case+0x1a5/0x480
[   13.090927]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.090951]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.090976]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.091000]  ? __kthread_parkme+0x82/0x180
[   13.091022]  ? preempt_count_sub+0x50/0x80
[   13.091047]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.091072]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.091097]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.091123]  kthread+0x337/0x6f0
[   13.091142]  ? trace_preempt_on+0x20/0xc0
[   13.091225]  ? __pfx_kthread+0x10/0x10
[   13.091248]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.091271]  ? calculate_sigpending+0x7b/0xa0
[   13.091297]  ? __pfx_kthread+0x10/0x10
[   13.091319]  ret_from_fork+0x116/0x1d0
[   13.091339]  ? __pfx_kthread+0x10/0x10
[   13.091360]  ret_from_fork_asm+0x1a/0x30
[   13.091391]  </TASK>
[   13.091401] 
[   13.098750] Allocated by task 213:
[   13.098949]  kasan_save_stack+0x45/0x70
[   13.099153]  kasan_save_track+0x18/0x40
[   13.099360]  kasan_save_alloc_info+0x3b/0x50
[   13.099672]  __kasan_kmalloc+0xb7/0xc0
[   13.099846]  __kmalloc_cache_noprof+0x189/0x420
[   13.100006]  ksize_uaf+0xaa/0x6c0
[   13.100131]  kunit_try_run_case+0x1a5/0x480
[   13.100325]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.100581]  kthread+0x337/0x6f0
[   13.100921]  ret_from_fork+0x116/0x1d0
[   13.101220]  ret_from_fork_asm+0x1a/0x30
[   13.101371] 
[   13.101457] Freed by task 213:
[   13.101617]  kasan_save_stack+0x45/0x70
[   13.101830]  kasan_save_track+0x18/0x40
[   13.102126]  kasan_save_free_info+0x3f/0x60
[   13.102345]  __kasan_slab_free+0x56/0x70
[   13.102614]  kfree+0x222/0x3f0
[   13.102791]  ksize_uaf+0x12c/0x6c0
[   13.102935]  kunit_try_run_case+0x1a5/0x480
[   13.103228]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.103476]  kthread+0x337/0x6f0
[   13.103619]  ret_from_fork+0x116/0x1d0
[   13.103820]  ret_from_fork_asm+0x1a/0x30
[   13.103963] 
[   13.104053] The buggy address belongs to the object at ffff88810305bf00
[   13.104053]  which belongs to the cache kmalloc-128 of size 128
[   13.104465] The buggy address is located 0 bytes inside of
[   13.104465]  freed 128-byte region [ffff88810305bf00, ffff88810305bf80)
[   13.104929] 
[   13.105045] The buggy address belongs to the physical page:
[   13.105298] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10305b
[   13.105697] flags: 0x200000000000000(node=0|zone=2)
[   13.105872] page_type: f5(slab)
[   13.105993] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.106268] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.106604] page dumped because: kasan: bad access detected
[   13.107120] 
[   13.107231] Memory state around the buggy address:
[   13.107552]  ffff88810305be00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.107893]  ffff88810305be80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.108293] >ffff88810305bf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.108625]                    ^
[   13.108801]  ffff88810305bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.109018]  ffff88810305c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.109293] ==================================================================
[   13.057613] ==================================================================
[   13.058102] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   13.058543] Read of size 1 at addr ffff88810305bf00 by task kunit_try_catch/213
[   13.058840] 
[   13.058952] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   13.059079] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.059092] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.059113] Call Trace:
[   13.059125]  <TASK>
[   13.059141]  dump_stack_lvl+0x73/0xb0
[   13.059179]  print_report+0xd1/0x610
[   13.059203]  ? __virt_addr_valid+0x1db/0x2d0
[   13.059226]  ? ksize_uaf+0x19d/0x6c0
[   13.059246]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.059270]  ? ksize_uaf+0x19d/0x6c0
[   13.059290]  kasan_report+0x141/0x180
[   13.059313]  ? ksize_uaf+0x19d/0x6c0
[   13.059337]  ? ksize_uaf+0x19d/0x6c0
[   13.059358]  __kasan_check_byte+0x3d/0x50
[   13.059380]  ksize+0x20/0x60
[   13.059401]  ksize_uaf+0x19d/0x6c0
[   13.059422]  ? __pfx_ksize_uaf+0x10/0x10
[   13.059453]  ? __schedule+0x10cc/0x2b60
[   13.059476]  ? __pfx_read_tsc+0x10/0x10
[   13.059498]  ? ktime_get_ts64+0x86/0x230
[   13.059522]  kunit_try_run_case+0x1a5/0x480
[   13.059546]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.059570]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.059595]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.059619]  ? __kthread_parkme+0x82/0x180
[   13.059640]  ? preempt_count_sub+0x50/0x80
[   13.059665]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.059690]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.059715]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.059741]  kthread+0x337/0x6f0
[   13.059772]  ? trace_preempt_on+0x20/0xc0
[   13.059795]  ? __pfx_kthread+0x10/0x10
[   13.059816]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.059838]  ? calculate_sigpending+0x7b/0xa0
[   13.059862]  ? __pfx_kthread+0x10/0x10
[   13.059884]  ret_from_fork+0x116/0x1d0
[   13.059902]  ? __pfx_kthread+0x10/0x10
[   13.059923]  ret_from_fork_asm+0x1a/0x30
[   13.059954]  </TASK>
[   13.059965] 
[   13.071474] Allocated by task 213:
[   13.071618]  kasan_save_stack+0x45/0x70
[   13.071789]  kasan_save_track+0x18/0x40
[   13.071936]  kasan_save_alloc_info+0x3b/0x50
[   13.072088]  __kasan_kmalloc+0xb7/0xc0
[   13.072223]  __kmalloc_cache_noprof+0x189/0x420
[   13.072383]  ksize_uaf+0xaa/0x6c0
[   13.072507]  kunit_try_run_case+0x1a5/0x480
[   13.073346]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.073634]  kthread+0x337/0x6f0
[   13.075069]  ret_from_fork+0x116/0x1d0
[   13.075904]  ret_from_fork_asm+0x1a/0x30
[   13.076844] 
[   13.077086] Freed by task 213:
[   13.077885]  kasan_save_stack+0x45/0x70
[   13.078587]  kasan_save_track+0x18/0x40
[   13.079352]  kasan_save_free_info+0x3f/0x60
[   13.080240]  __kasan_slab_free+0x56/0x70
[   13.081046]  kfree+0x222/0x3f0
[   13.081216]  ksize_uaf+0x12c/0x6c0
[   13.081379]  kunit_try_run_case+0x1a5/0x480
[   13.081576]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.081902]  kthread+0x337/0x6f0
[   13.082155]  ret_from_fork+0x116/0x1d0
[   13.082323]  ret_from_fork_asm+0x1a/0x30
[   13.082526] 
[   13.082681] The buggy address belongs to the object at ffff88810305bf00
[   13.082681]  which belongs to the cache kmalloc-128 of size 128
[   13.083151] The buggy address is located 0 bytes inside of
[   13.083151]  freed 128-byte region [ffff88810305bf00, ffff88810305bf80)
[   13.083901] 
[   13.083985] The buggy address belongs to the physical page:
[   13.084410] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10305b
[   13.084715] flags: 0x200000000000000(node=0|zone=2)
[   13.085124] page_type: f5(slab)
[   13.085314] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.085682] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.086100] page dumped because: kasan: bad access detected
[   13.086320] 
[   13.086399] Memory state around the buggy address:
[   13.086655]  ffff88810305be00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.086994]  ffff88810305be80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.087238] >ffff88810305bf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.087530]                    ^
[   13.087693]  ffff88810305bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.087980]  ffff88810305c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.088255] ==================================================================