Date
July 18, 2025, 2:09 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
```
[ 17.293708] ==================================================================
[ 17.294147] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 17.294238] Read of size 1 at addr fff00000c7892500 by task kunit_try_catch/196
[ 17.294470]
[ 17.294523] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 17.294643] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.294780] Hardware name: linux,dummy-virt (DT)
[ 17.294889] Call trace:
[ 17.294917]  show_stack+0x20/0x38 (C)
[ 17.295021]  dump_stack_lvl+0x8c/0xd0
[ 17.295082]  print_report+0x118/0x5d0
[ 17.295447]  kasan_report+0xdc/0x128
[ 17.295647]  __asan_report_load1_noabort+0x20/0x30
[ 17.295834]  ksize_uaf+0x598/0x5f8
[ 17.295910]  kunit_try_run_case+0x170/0x3f0
[ 17.296038]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.296210]  kthread+0x328/0x630
[ 17.296285]  ret_from_fork+0x10/0x20
[ 17.296336]
[ 17.296354] Allocated by task 196:
[ 17.296593]  kasan_save_stack+0x3c/0x68
[ 17.296927]  kasan_save_track+0x20/0x40
[ 17.297123]  kasan_save_alloc_info+0x40/0x58
[ 17.297180]  __kasan_kmalloc+0xd4/0xd8
[ 17.297430]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 17.297596]  ksize_uaf+0xb8/0x5f8
[ 17.298110]  kunit_try_run_case+0x170/0x3f0
[ 17.298168]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.298867]  kthread+0x328/0x630
[ 17.298983]  ret_from_fork+0x10/0x20
[ 17.299111]
[ 17.299132] Freed by task 196:
[ 17.299408]  kasan_save_stack+0x3c/0x68
[ 17.299487]  kasan_save_track+0x20/0x40
[ 17.299806]  kasan_save_free_info+0x4c/0x78
[ 17.299951]  __kasan_slab_free+0x6c/0x98
[ 17.300073]  kfree+0x214/0x3c8
[ 17.300247]  ksize_uaf+0x11c/0x5f8
[ 17.300503]  kunit_try_run_case+0x170/0x3f0
[ 17.300674]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.300794]  kthread+0x328/0x630
[ 17.300957]  ret_from_fork+0x10/0x20
[ 17.301116]
[ 17.301187] The buggy address belongs to the object at fff00000c7892500
[ 17.301187]  which belongs to the cache kmalloc-128 of size 128
[ 17.301629] The buggy address is located 0 bytes inside of
[ 17.301629]  freed 128-byte region [fff00000c7892500, fff00000c7892580)
[ 17.301738]
[ 17.301916] The buggy address belongs to the physical page:
[ 17.302404] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107892
[ 17.302563] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.302680] page_type: f5(slab)
[ 17.302757] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 17.302925] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.302967] page dumped because: kasan: bad access detected
[ 17.303194]
[ 17.303234] Memory state around the buggy address:
[ 17.303371]  fff00000c7892400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.303615]  fff00000c7892480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.303828] >fff00000c7892500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.303892]                    ^
[ 17.303929]  fff00000c7892580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.303972]  fff00000c7892600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.304199] ==================================================================
[ 17.286061] ==================================================================
[ 17.286169] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 17.286578] Read of size 1 at addr fff00000c7892500 by task kunit_try_catch/196
[ 17.286631]
[ 17.286697] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 17.286787] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.286832] Hardware name: linux,dummy-virt (DT)
[ 17.287184] Call trace:
[ 17.287217]  show_stack+0x20/0x38 (C)
[ 17.287453]  dump_stack_lvl+0x8c/0xd0
[ 17.287688]  print_report+0x118/0x5d0
[ 17.288103]  kasan_report+0xdc/0x128
[ 17.288700]  __kasan_check_byte+0x54/0x70
[ 17.288786]  ksize+0x30/0x88
[ 17.288853]  ksize_uaf+0x168/0x5f8
[ 17.288897]  kunit_try_run_case+0x170/0x3f0
[ 17.288990]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.289045]  kthread+0x328/0x630
[ 17.289091]  ret_from_fork+0x10/0x20
[ 17.289162]
[ 17.289181] Allocated by task 196:
[ 17.289230]  kasan_save_stack+0x3c/0x68
[ 17.289290]  kasan_save_track+0x20/0x40
[ 17.289338]  kasan_save_alloc_info+0x40/0x58
[ 17.289378]  __kasan_kmalloc+0xd4/0xd8
[ 17.289422]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 17.289463]  ksize_uaf+0xb8/0x5f8
[ 17.289528]  kunit_try_run_case+0x170/0x3f0
[ 17.289580]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.289633]  kthread+0x328/0x630
[ 17.289665]  ret_from_fork+0x10/0x20
[ 17.289702]
[ 17.289736] Freed by task 196:
[ 17.289771]  kasan_save_stack+0x3c/0x68
[ 17.289809]  kasan_save_track+0x20/0x40
[ 17.289874]  kasan_save_free_info+0x4c/0x78
[ 17.289915]  __kasan_slab_free+0x6c/0x98
[ 17.289951]  kfree+0x214/0x3c8
[ 17.289995]  ksize_uaf+0x11c/0x5f8
[ 17.290029]  kunit_try_run_case+0x170/0x3f0
[ 17.290077]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.290122]  kthread+0x328/0x630
[ 17.290154]  ret_from_fork+0x10/0x20
[ 17.290192]
[ 17.290213] The buggy address belongs to the object at fff00000c7892500
[ 17.290213]  which belongs to the cache kmalloc-128 of size 128
[ 17.290271] The buggy address is located 0 bytes inside of
[ 17.290271]  freed 128-byte region [fff00000c7892500, fff00000c7892580)
[ 17.290343]
[ 17.290365] The buggy address belongs to the physical page:
[ 17.290408] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107892
[ 17.290472] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.290530] page_type: f5(slab)
[ 17.290594] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 17.290645] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.290688] page dumped because: kasan: bad access detected
[ 17.290731]
[ 17.290748] Memory state around the buggy address:
[ 17.290790]  fff00000c7892400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.291070]  fff00000c7892480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.291877] >fff00000c7892500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.291997]                    ^
[ 17.292221]  fff00000c7892580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.292271]  fff00000c7892600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.292310] ==================================================================
[ 17.306608] ==================================================================
[ 17.306687] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 17.306768] Read of size 1 at addr fff00000c7892578 by task kunit_try_catch/196
[ 17.306820]
[ 17.306993] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 17.307123] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.307169] Hardware name: linux,dummy-virt (DT)
[ 17.307534] Call trace:
[ 17.307803]  show_stack+0x20/0x38 (C)
[ 17.307906]  dump_stack_lvl+0x8c/0xd0
[ 17.307967]  print_report+0x118/0x5d0
[ 17.308018]  kasan_report+0xdc/0x128
[ 17.308380]  __asan_report_load1_noabort+0x20/0x30
[ 17.308892]  ksize_uaf+0x544/0x5f8
[ 17.309032]  kunit_try_run_case+0x170/0x3f0
[ 17.309129]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.309263]  kthread+0x328/0x630
[ 17.309400]  ret_from_fork+0x10/0x20
[ 17.309513]
[ 17.309535] Allocated by task 196:
[ 17.309749]  kasan_save_stack+0x3c/0x68
[ 17.310165]  kasan_save_track+0x20/0x40
[ 17.310431]  kasan_save_alloc_info+0x40/0x58
[ 17.310761]  __kasan_kmalloc+0xd4/0xd8
[ 17.310815]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 17.311206]  ksize_uaf+0xb8/0x5f8
[ 17.311750]  kunit_try_run_case+0x170/0x3f0
[ 17.311806]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.311861]  kthread+0x328/0x630
[ 17.311897]  ret_from_fork+0x10/0x20
[ 17.312199]
[ 17.312327] Freed by task 196:
[ 17.312368]  kasan_save_stack+0x3c/0x68
[ 17.312595]  kasan_save_track+0x20/0x40
[ 17.312828]  kasan_save_free_info+0x4c/0x78
[ 17.312894]  __kasan_slab_free+0x6c/0x98
[ 17.312931]  kfree+0x214/0x3c8
[ 17.312967]  ksize_uaf+0x11c/0x5f8
[ 17.313029]  kunit_try_run_case+0x170/0x3f0
[ 17.313068]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.313112]  kthread+0x328/0x630
[ 17.313168]  ret_from_fork+0x10/0x20
[ 17.313220]
[ 17.313243] The buggy address belongs to the object at fff00000c7892500
[ 17.313243]  which belongs to the cache kmalloc-128 of size 128
[ 17.313313] The buggy address is located 120 bytes inside of
[ 17.313313]  freed 128-byte region [fff00000c7892500, fff00000c7892580)
[ 17.313384]
[ 17.313407] The buggy address belongs to the physical page:
[ 17.313440] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107892
[ 17.313513] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.313566] page_type: f5(slab)
[ 17.313617] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 17.313669] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 17.313711] page dumped because: kasan: bad access detected
[ 17.313744]
[ 17.313764] Memory state around the buggy address:
[ 17.313816]  fff00000c7892400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.313871]  fff00000c7892480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.313925] >fff00000c7892500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.313961]                                                                ^
[ 17.314009]  fff00000c7892580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.314050]  fff00000c7892600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.314098] ==================================================================
```
```
[ 16.883190] ==================================================================
[ 16.883595] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 16.883675] Read of size 1 at addr fff00000c5b7de00 by task kunit_try_catch/196
[ 16.883727]
[ 16.883769] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 16.884113] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.884171] Hardware name: linux,dummy-virt (DT)
[ 16.884204] Call trace:
[ 16.884232]  show_stack+0x20/0x38 (C)
[ 16.884569]  dump_stack_lvl+0x8c/0xd0
[ 16.884779]  print_report+0x118/0x5d0
[ 16.884993]  kasan_report+0xdc/0x128
[ 16.885535]  __kasan_check_byte+0x54/0x70
[ 16.885617]  ksize+0x30/0x88
[ 16.885764]  ksize_uaf+0x168/0x5f8
[ 16.885834]  kunit_try_run_case+0x170/0x3f0
[ 16.886155]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.886256]  kthread+0x328/0x630
[ 16.886647]  ret_from_fork+0x10/0x20
[ 16.886885]
[ 16.886953] Allocated by task 196:
[ 16.887040]  kasan_save_stack+0x3c/0x68
[ 16.887143]  kasan_save_track+0x20/0x40
[ 16.887211]  kasan_save_alloc_info+0x40/0x58
[ 16.887664]  __kasan_kmalloc+0xd4/0xd8
[ 16.887741]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 16.887807]  ksize_uaf+0xb8/0x5f8
[ 16.887843]  kunit_try_run_case+0x170/0x3f0
[ 16.887880]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.887925]  kthread+0x328/0x630
[ 16.887957]  ret_from_fork+0x10/0x20
[ 16.887996]
[ 16.888025] Freed by task 196:
[ 16.888053]  kasan_save_stack+0x3c/0x68
[ 16.888105]  kasan_save_track+0x20/0x40
[ 16.888160]  kasan_save_free_info+0x4c/0x78
[ 16.888199]  __kasan_slab_free+0x6c/0x98
[ 16.888237]  kfree+0x214/0x3c8
[ 16.888268]  ksize_uaf+0x11c/0x5f8
[ 16.888309]  kunit_try_run_case+0x170/0x3f0
[ 16.888368]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.888423]  kthread+0x328/0x630
[ 16.888456]  ret_from_fork+0x10/0x20
[ 16.888765]
[ 16.888790] The buggy address belongs to the object at fff00000c5b7de00
[ 16.888790]  which belongs to the cache kmalloc-128 of size 128
[ 16.889367] The buggy address is located 0 bytes inside of
[ 16.889367]  freed 128-byte region [fff00000c5b7de00, fff00000c5b7de80)
[ 16.889449]
[ 16.889818] The buggy address belongs to the physical page:
[ 16.889882] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105b7d
[ 16.889969] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 16.890178] page_type: f5(slab)
[ 16.890429] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 16.890493] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.890535] page dumped because: kasan: bad access detected
[ 16.890838]
[ 16.890917] Memory state around the buggy address:
[ 16.891056]  fff00000c5b7dd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.891179]  fff00000c5b7dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.891262] >fff00000c5b7de00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.891580]                    ^
[ 16.891642]  fff00000c5b7de80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.891728]  fff00000c5b7df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.891797] ==================================================================
[ 16.895670] ==================================================================
[ 16.895724] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 16.895772] Read of size 1 at addr fff00000c5b7de00 by task kunit_try_catch/196
[ 16.896202]
[ 16.896341] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 16.896467] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.896638] Hardware name: linux,dummy-virt (DT)
[ 16.896673] Call trace:
[ 16.896822]  show_stack+0x20/0x38 (C)
[ 16.897035]  dump_stack_lvl+0x8c/0xd0
[ 16.897147]  print_report+0x118/0x5d0
[ 16.897197]  kasan_report+0xdc/0x128
[ 16.897260]  __asan_report_load1_noabort+0x20/0x30
[ 16.897328]  ksize_uaf+0x598/0x5f8
[ 16.897372]  kunit_try_run_case+0x170/0x3f0
[ 16.897419]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.897471]  kthread+0x328/0x630
[ 16.897511]  ret_from_fork+0x10/0x20
[ 16.897568]
[ 16.897594] Allocated by task 196:
[ 16.897642]  kasan_save_stack+0x3c/0x68
[ 16.897700]  kasan_save_track+0x20/0x40
[ 16.897737]  kasan_save_alloc_info+0x40/0x58
[ 16.897785]  __kasan_kmalloc+0xd4/0xd8
[ 16.897820]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 16.897859]  ksize_uaf+0xb8/0x5f8
[ 16.897896]  kunit_try_run_case+0x170/0x3f0
[ 16.897947]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.897992]  kthread+0x328/0x630
[ 16.898025]  ret_from_fork+0x10/0x20
[ 16.898060]
[ 16.898079] Freed by task 196:
[ 16.898115]  kasan_save_stack+0x3c/0x68
[ 16.898152]  kasan_save_track+0x20/0x40
[ 16.898189]  kasan_save_free_info+0x4c/0x78
[ 16.898226]  __kasan_slab_free+0x6c/0x98
[ 16.898264]  kfree+0x214/0x3c8
[ 16.898306]  ksize_uaf+0x11c/0x5f8
[ 16.898813]  kunit_try_run_case+0x170/0x3f0
[ 16.898897]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.899097]  kthread+0x328/0x630
[ 16.899313]  ret_from_fork+0x10/0x20
[ 16.899379]
[ 16.899429] The buggy address belongs to the object at fff00000c5b7de00
[ 16.899429]  which belongs to the cache kmalloc-128 of size 128
[ 16.899635] The buggy address is located 0 bytes inside of
[ 16.899635]  freed 128-byte region [fff00000c5b7de00, fff00000c5b7de80)
[ 16.899795]
[ 16.899845] The buggy address belongs to the physical page:
[ 16.900125] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105b7d
[ 16.900224] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 16.900403] page_type: f5(slab)
[ 16.900451] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 16.900629] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.900694] page dumped because: kasan: bad access detected
[ 16.900827]
[ 16.900970] Memory state around the buggy address:
[ 16.901172]  fff00000c5b7dd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.901378]  fff00000c5b7dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.901519] >fff00000c5b7de00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.901658]                    ^
[ 16.901719]  fff00000c5b7de80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.901793]  fff00000c5b7df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.901901] ==================================================================
[ 16.902972] ==================================================================
[ 16.903312] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 16.903477] Read of size 1 at addr fff00000c5b7de78 by task kunit_try_catch/196
[ 16.903561]
[ 16.903595] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 16.903744] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.903772] Hardware name: linux,dummy-virt (DT)
[ 16.903828] Call trace:
[ 16.903860]  show_stack+0x20/0x38 (C)
[ 16.904147]  dump_stack_lvl+0x8c/0xd0
[ 16.904305]  print_report+0x118/0x5d0
[ 16.904479]  kasan_report+0xdc/0x128
[ 16.904566]  __asan_report_load1_noabort+0x20/0x30
[ 16.904677]  ksize_uaf+0x544/0x5f8
[ 16.904723]  kunit_try_run_case+0x170/0x3f0
[ 16.904769]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.904821]  kthread+0x328/0x630
[ 16.905159]  ret_from_fork+0x10/0x20
[ 16.905253]
[ 16.905301] Allocated by task 196:
[ 16.905490]  kasan_save_stack+0x3c/0x68
[ 16.905643]  kasan_save_track+0x20/0x40
[ 16.906048]  kasan_save_alloc_info+0x40/0x58
[ 16.906138]  __kasan_kmalloc+0xd4/0xd8
[ 16.906225]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 16.906442]  ksize_uaf+0xb8/0x5f8
[ 16.906529]  kunit_try_run_case+0x170/0x3f0
[ 16.906685]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.906732]  kthread+0x328/0x630
[ 16.906797]  ret_from_fork+0x10/0x20
[ 16.907112]
[ 16.907150] Freed by task 196:
[ 16.907207]  kasan_save_stack+0x3c/0x68
[ 16.907346]  kasan_save_track+0x20/0x40
[ 16.907444]  kasan_save_free_info+0x4c/0x78
[ 16.907595]  __kasan_slab_free+0x6c/0x98
[ 16.907647]  kfree+0x214/0x3c8
[ 16.907708]  ksize_uaf+0x11c/0x5f8
[ 16.908060]  kunit_try_run_case+0x170/0x3f0
[ 16.908126]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.908272]  kthread+0x328/0x630
[ 16.908377]  ret_from_fork+0x10/0x20
[ 16.908581]
[ 16.908613] The buggy address belongs to the object at fff00000c5b7de00
[ 16.908613]  which belongs to the cache kmalloc-128 of size 128
[ 16.908687] The buggy address is located 120 bytes inside of
[ 16.908687]  freed 128-byte region [fff00000c5b7de00, fff00000c5b7de80)
[ 16.909070]
[ 16.909114] The buggy address belongs to the physical page:
[ 16.909243] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105b7d
[ 16.909342] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 16.909475] page_type: f5(slab)
[ 16.909580] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 16.910033] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.910197] page dumped because: kasan: bad access detected
[ 16.910255]
[ 16.910404] Memory state around the buggy address:
[ 16.910492]  fff00000c5b7dd00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.910565]  fff00000c5b7dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.910885] >fff00000c5b7de00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.910989]                                                                ^
[ 16.911066]  fff00000c5b7de80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.911154]  fff00000c5b7df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.911295] ==================================================================
```
```
[ 16.863650] ==================================================================
[ 16.863728] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 16.863780] Read of size 1 at addr fff00000c771d500 by task kunit_try_catch/196
[ 16.863829]
[ 16.863865] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 16.863947] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.863974] Hardware name: linux,dummy-virt (DT)
[ 16.864303] Call trace:
[ 16.864340]  show_stack+0x20/0x38 (C)
[ 16.864394]  dump_stack_lvl+0x8c/0xd0
[ 16.864442]  print_report+0x118/0x5d0
[ 16.864532]  kasan_report+0xdc/0x128
[ 16.864579]  __kasan_check_byte+0x54/0x70
[ 16.864626]  ksize+0x30/0x88
[ 16.864667]  ksize_uaf+0x168/0x5f8
[ 16.864878]  kunit_try_run_case+0x170/0x3f0
[ 16.864969]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.865065]  kthread+0x328/0x630
[ 16.865174]  ret_from_fork+0x10/0x20
[ 16.865254]
[ 16.865274] Allocated by task 196:
[ 16.865358]  kasan_save_stack+0x3c/0x68
[ 16.865491]  kasan_save_track+0x20/0x40
[ 16.865601]  kasan_save_alloc_info+0x40/0x58
[ 16.865780]  __kasan_kmalloc+0xd4/0xd8
[ 16.865847]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 16.865888]  ksize_uaf+0xb8/0x5f8
[ 16.865921]  kunit_try_run_case+0x170/0x3f0
[ 16.865959]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.866232]  kthread+0x328/0x630
[ 16.866321]  ret_from_fork+0x10/0x20
[ 16.866358]
[ 16.866433] Freed by task 196:
[ 16.866569]  kasan_save_stack+0x3c/0x68
[ 16.866623]  kasan_save_track+0x20/0x40
[ 16.866772]  kasan_save_free_info+0x4c/0x78
[ 16.866879]  __kasan_slab_free+0x6c/0x98
[ 16.866927]  kfree+0x214/0x3c8
[ 16.866961]  ksize_uaf+0x11c/0x5f8
[ 16.867006]  kunit_try_run_case+0x170/0x3f0
[ 16.867102]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.867158]  kthread+0x328/0x630
[ 16.867222]  ret_from_fork+0x10/0x20
[ 16.867259]
[ 16.867280] The buggy address belongs to the object at fff00000c771d500
[ 16.867280]  which belongs to the cache kmalloc-128 of size 128
[ 16.867481] The buggy address is located 0 bytes inside of
[ 16.867481]  freed 128-byte region [fff00000c771d500, fff00000c771d580)
[ 16.867542]
[ 16.867563] The buggy address belongs to the physical page:
[ 16.867594] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10771d
[ 16.867854] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 16.867951] page_type: f5(slab)
[ 16.868059] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 16.868143] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.868196] page dumped because: kasan: bad access detected
[ 16.868261]
[ 16.868348] Memory state around the buggy address:
[ 16.868404]  fff00000c771d400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.868464]  fff00000c771d480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.868542] >fff00000c771d500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.868580]                    ^
[ 16.868610]  fff00000c771d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.868653]  fff00000c771d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.868819] ==================================================================
[ 16.878217] ==================================================================
[ 16.878272] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 16.878319] Read of size 1 at addr fff00000c771d578 by task kunit_try_catch/196
[ 16.878369]
[ 16.878400] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 16.878481] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.878508] Hardware name: linux,dummy-virt (DT)
[ 16.878538] Call trace:
[ 16.878561]  show_stack+0x20/0x38 (C)
[ 16.878621]  dump_stack_lvl+0x8c/0xd0
[ 16.878667]  print_report+0x118/0x5d0
[ 16.878728]  kasan_report+0xdc/0x128
[ 16.878772]  __asan_report_load1_noabort+0x20/0x30
[ 16.878839]  ksize_uaf+0x544/0x5f8
[ 16.878889]  kunit_try_run_case+0x170/0x3f0
[ 16.878935]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.878997]  kthread+0x328/0x630
[ 16.879040]  ret_from_fork+0x10/0x20
[ 16.879093]
[ 16.879112] Allocated by task 196:
[ 16.879140]  kasan_save_stack+0x3c/0x68
[ 16.879180]  kasan_save_track+0x20/0x40
[ 16.879218]  kasan_save_alloc_info+0x40/0x58
[ 16.879258]  __kasan_kmalloc+0xd4/0xd8
[ 16.879293]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 16.879331]  ksize_uaf+0xb8/0x5f8
[ 16.879364]  kunit_try_run_case+0x170/0x3f0
[ 16.879401]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.879442]  kthread+0x328/0x630
[ 16.879474]  ret_from_fork+0x10/0x20
[ 16.879510]
[ 16.879527] Freed by task 196:
[ 16.879552]  kasan_save_stack+0x3c/0x68
[ 16.879597]  kasan_save_track+0x20/0x40
[ 16.879634]  kasan_save_free_info+0x4c/0x78
[ 16.879673]  __kasan_slab_free+0x6c/0x98
[ 16.879709]  kfree+0x214/0x3c8
[ 16.880337]  ksize_uaf+0x11c/0x5f8
[ 16.880406]  kunit_try_run_case+0x170/0x3f0
[ 16.880444]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.880488]  kthread+0x328/0x630
[ 16.880664]  ret_from_fork+0x10/0x20
[ 16.880702]
[ 16.880738] The buggy address belongs to the object at fff00000c771d500
[ 16.880738]  which belongs to the cache kmalloc-128 of size 128
[ 16.880846] The buggy address is located 120 bytes inside of
[ 16.880846]  freed 128-byte region [fff00000c771d500, fff00000c771d580)
[ 16.881004]
[ 16.881093] The buggy address belongs to the physical page:
[ 16.881191] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10771d
[ 16.881275] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 16.881327] page_type: f5(slab)
[ 16.881365] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 16.881450] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.881581] page dumped because: kasan: bad access detected
[ 16.881682]
[ 16.881737] Memory state around the buggy address:
[ 16.881824]  fff00000c771d400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.881907]  fff00000c771d480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.882035] >fff00000c771d500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.882083]                                                                ^
[ 16.882173]  fff00000c771d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.882215]  fff00000c771d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.882450] ==================================================================
[ 16.870006] ==================================================================
[ 16.870061] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 16.870108] Read of size 1 at addr fff00000c771d500 by task kunit_try_catch/196
[ 16.870339]
[ 16.870418] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 16.870506] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.870552] Hardware name: linux,dummy-virt (DT)
[ 16.870609] Call trace:
[ 16.870686]  show_stack+0x20/0x38 (C)
[ 16.870750]  dump_stack_lvl+0x8c/0xd0
[ 16.870882]  print_report+0x118/0x5d0
[ 16.871006]  kasan_report+0xdc/0x128
[ 16.871073]  __asan_report_load1_noabort+0x20/0x30
[ 16.871185]  ksize_uaf+0x598/0x5f8
[ 16.871249]  kunit_try_run_case+0x170/0x3f0
[ 16.871330]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.871381]  kthread+0x328/0x630
[ 16.871605]  ret_from_fork+0x10/0x20
[ 16.871655]
[ 16.871673] Allocated by task 196:
[ 16.871702]  kasan_save_stack+0x3c/0x68
[ 16.871998]  kasan_save_track+0x20/0x40
[ 16.872123]  kasan_save_alloc_info+0x40/0x58
[ 16.872166]  __kasan_kmalloc+0xd4/0xd8
[ 16.872265]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 16.872336]  ksize_uaf+0xb8/0x5f8
[ 16.872371]  kunit_try_run_case+0x170/0x3f0
[ 16.872459]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.872585]  kthread+0x328/0x630
[ 16.872663]  ret_from_fork+0x10/0x20
[ 16.872742]
[ 16.872762] Freed by task 196:
[ 16.872867]  kasan_save_stack+0x3c/0x68
[ 16.872906]  kasan_save_track+0x20/0x40
[ 16.872944]  kasan_save_free_info+0x4c/0x78
[ 16.872983]  __kasan_slab_free+0x6c/0x98
[ 16.873021]  kfree+0x214/0x3c8
[ 16.873466]  ksize_uaf+0x11c/0x5f8
[ 16.873866]  kunit_try_run_case+0x170/0x3f0
[ 16.873951]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.874074]  kthread+0x328/0x630
[ 16.874220]  ret_from_fork+0x10/0x20
[ 16.874345]
[ 16.874472] The buggy address belongs to the object at fff00000c771d500
[ 16.874472]  which belongs to the cache kmalloc-128 of size 128
[ 16.874532] The buggy address is located 0 bytes inside of
[ 16.874532]  freed 128-byte region [fff00000c771d500, fff00000c771d580)
[ 16.874831]
[ 16.874859] The buggy address belongs to the physical page:
[ 16.874980] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10771d
[ 16.875071] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 16.875506] page_type: f5(slab)
[ 16.875634] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[ 16.875757] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 16.875845] page dumped because: kasan: bad access detected
[ 16.875919]
[ 16.875940] Memory state around the buggy address:
[ 16.875973]  fff00000c771d400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.876031]  fff00000c771d480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.876077] >fff00000c771d500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.876410]                    ^
[ 16.876692]  fff00000c771d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.876965]  fff00000c771d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.877071] ==================================================================
```
```
[ 12.755243] ==================================================================
[ 12.755645] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 12.755956] Read of size 1 at addr ffff888102988878 by task kunit_try_catch/213
[ 12.756864]
[ 12.757016] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.757060] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.757071] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.757092] Call Trace:
[ 12.757107]  <TASK>
[ 12.757123]  dump_stack_lvl+0x73/0xb0
[ 12.757153]  print_report+0xd1/0x610
[ 12.757175]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.757198]  ? ksize_uaf+0x5e4/0x6c0
[ 12.757217]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.757239]  ? ksize_uaf+0x5e4/0x6c0
[ 12.757260]  kasan_report+0x141/0x180
[ 12.757281]  ? ksize_uaf+0x5e4/0x6c0
[ 12.757307]  __asan_report_load1_noabort+0x18/0x20
[ 12.757330]  ksize_uaf+0x5e4/0x6c0
[ 12.757351]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.757372]  ? __schedule+0x10cc/0x2b60
[ 12.757394]  ? __pfx_read_tsc+0x10/0x10
[ 12.757414]  ? ktime_get_ts64+0x86/0x230
[ 12.757438]  kunit_try_run_case+0x1a5/0x480
[ 12.757484]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.757507]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.757531]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.757554]  ? __kthread_parkme+0x82/0x180
[ 12.757573]  ? preempt_count_sub+0x50/0x80
[ 12.757612]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.757636]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.757673]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.757696]  kthread+0x337/0x6f0
[ 12.757714]  ? trace_preempt_on+0x20/0xc0
[ 12.757737]  ? __pfx_kthread+0x10/0x10
[ 12.757757]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.757777]  ? calculate_sigpending+0x7b/0xa0
[ 12.757801]  ? __pfx_kthread+0x10/0x10
[ 12.757822]  ret_from_fork+0x116/0x1d0
[ 12.757839]  ? __pfx_kthread+0x10/0x10
[ 12.757859]  ret_from_fork_asm+0x1a/0x30
[ 12.757900]  </TASK>
[ 12.757910]
[ 12.764870] Allocated by task 213:
[ 12.765080]  kasan_save_stack+0x45/0x70
[ 12.765281]  kasan_save_track+0x18/0x40
[ 12.765470]  kasan_save_alloc_info+0x3b/0x50
[ 12.765680]  __kasan_kmalloc+0xb7/0xc0
[ 12.765865]  __kmalloc_cache_noprof+0x189/0x420
[ 12.766120]  ksize_uaf+0xaa/0x6c0
[ 12.766294]  kunit_try_run_case+0x1a5/0x480
[ 12.766481]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.766747]  kthread+0x337/0x6f0
[ 12.766912]  ret_from_fork+0x116/0x1d0
[ 12.767060]  ret_from_fork_asm+0x1a/0x30
[ 12.767196]
[ 12.767264] Freed by task 213:
[ 12.767372]  kasan_save_stack+0x45/0x70
[ 12.767566]  kasan_save_track+0x18/0x40
[ 12.767772]  kasan_save_free_info+0x3f/0x60
[ 12.768032]  __kasan_slab_free+0x56/0x70
[ 12.768244]  kfree+0x222/0x3f0
[ 12.768406]  ksize_uaf+0x12c/0x6c0
[ 12.768578]  kunit_try_run_case+0x1a5/0x480
[ 12.768809]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.769094]  kthread+0x337/0x6f0
[ 12.769229]  ret_from_fork+0x116/0x1d0
[ 12.769436]  ret_from_fork_asm+0x1a/0x30
[ 12.769623]
[ 12.769725] The buggy address belongs to the object at ffff888102988800
[ 12.769725]  which belongs to the cache kmalloc-128 of size 128
[ 12.770238] The buggy address is located 120 bytes inside of
[ 12.770238]  freed 128-byte region [ffff888102988800, ffff888102988880)
[ 12.770779]
[ 12.770861] The buggy address belongs to the physical page:
[ 12.771167] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102988
[ 12.771490] flags: 0x200000000000000(node=0|zone=2)
[ 12.771748] page_type: f5(slab)
[ 12.771901] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.772295] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.772584] page dumped because: kasan: bad access detected
[ 12.772841]
[ 12.772955] Memory state around the buggy address:
[ 12.773188]  ffff888102988700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.773448]  ffff888102988780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.773663] >ffff888102988800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.773875]                                                                ^
[ 12.774238]  ffff888102988880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.774552]  ffff888102988900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.774870] ==================================================================
[ 12.709240] ==================================================================
[ 12.710334] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 12.710915] Read of size 1 at addr ffff888102988800 by task kunit_try_catch/213
[ 12.711875]
[ 12.712219] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.712274] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.712286] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.712307] Call Trace:
[ 12.712319]  <TASK>
[ 12.712372]  dump_stack_lvl+0x73/0xb0
[ 12.712409]  print_report+0xd1/0x610
[ 12.712433]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.712456]  ? ksize_uaf+0x19d/0x6c0
[ 12.712476]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.712498]  ? ksize_uaf+0x19d/0x6c0
[ 12.712518]  kasan_report+0x141/0x180
[ 12.712540]  ? ksize_uaf+0x19d/0x6c0
[ 12.712563]  ? ksize_uaf+0x19d/0x6c0
[ 12.712583]  __kasan_check_byte+0x3d/0x50
[ 12.712605]  ksize+0x20/0x60
[ 12.712624]  ksize_uaf+0x19d/0x6c0
[ 12.712644]  ? __pfx_ksize_uaf+0x10/0x10
[ 12.712665]  ? __schedule+0x10cc/0x2b60
[ 12.712686]  ? __pfx_read_tsc+0x10/0x10
[ 12.712707]  ? ktime_get_ts64+0x86/0x230
[ 12.712731]  kunit_try_run_case+0x1a5/0x480
[ 12.712756]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.712777]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.712800]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.712824]  ? __kthread_parkme+0x82/0x180
[ 12.712843]  ? preempt_count_sub+0x50/0x80
[ 12.712867]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.712890]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.712925]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.712948]  kthread+0x337/0x6f0
[ 12.712987]  ? trace_preempt_on+0x20/0xc0
[ 12.713011]  ? __pfx_kthread+0x10/0x10
[ 12.713031]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.713052]  ? calculate_sigpending+0x7b/0xa0
[ 12.713075]  ? __pfx_kthread+0x10/0x10
[ 12.713096]  ret_from_fork+0x116/0x1d0
[ 12.713114]  ? __pfx_kthread+0x10/0x10
[ 12.713133]  ret_from_fork_asm+0x1a/0x30
[ 12.713165]  </TASK>
[ 12.713175]
[ 12.724114] Allocated by task 213:
[ 12.724292]  kasan_save_stack+0x45/0x70
[ 12.724458]  kasan_save_track+0x18/0x40
[ 12.724595]  kasan_save_alloc_info+0x3b/0x50
[ 12.724790]  __kasan_kmalloc+0xb7/0xc0
[ 12.725050]  __kmalloc_cache_noprof+0x189/0x420
[ 12.725278]  ksize_uaf+0xaa/0x6c0
[ 12.725448]  kunit_try_run_case+0x1a5/0x480
[ 12.725682]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.725921]  kthread+0x337/0x6f0
[ 12.726149]  ret_from_fork+0x116/0x1d0
[ 12.726337]  ret_from_fork_asm+0x1a/0x30
[ 12.726537]
[ 12.726630] Freed by task 213:
[ 12.726769]  kasan_save_stack+0x45/0x70
[ 12.726918]  kasan_save_track+0x18/0x40
[ 12.727076]  kasan_save_free_info+0x3f/0x60
[ 12.727225]  __kasan_slab_free+0x56/0x70
[ 12.727417]  kfree+0x222/0x3f0
[ 12.727580]  ksize_uaf+0x12c/0x6c0
[ 12.727779]  kunit_try_run_case+0x1a5/0x480
[ 12.728061]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.728342]  kthread+0x337/0x6f0
[ 12.728535]  ret_from_fork+0x116/0x1d0
[ 12.728727]  ret_from_fork_asm+0x1a/0x30
[ 12.728935]
[ 12.729048] The buggy address belongs to the object at ffff888102988800
[ 12.729048]  which belongs to the cache kmalloc-128 of size 128
[ 12.729519] The buggy address is located 0 bytes inside of
[ 12.729519]  freed 128-byte region [ffff888102988800, ffff888102988880)
[ 12.730054]
[ 12.730133] The buggy address belongs to the physical page:
[ 12.730411] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102988
[ 12.730768] flags: 0x200000000000000(node=0|zone=2)
[ 12.731046] page_type: f5(slab)
[ 12.731206] raw:
```
0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 12.731530] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.731848] page dumped because: kasan: bad access detected [ 12.732138] [ 12.732232] Memory state around the buggy address: [ 12.732442] ffff888102988700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.732748] ffff888102988780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.733049] >ffff888102988800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.733375] ^ [ 12.733528] ffff888102988880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.733808] ffff888102988900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.734175] ================================================================== [ 12.735392] ================================================================== [ 12.735804] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 12.736188] Read of size 1 at addr ffff888102988800 by task kunit_try_catch/213 [ 12.736532] [ 12.736650] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 12.736697] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.736708] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.736729] Call Trace: [ 12.736741] <TASK> [ 12.736757] dump_stack_lvl+0x73/0xb0 [ 12.736786] print_report+0xd1/0x610 [ 12.736811] ? __virt_addr_valid+0x1db/0x2d0 [ 12.736834] ? ksize_uaf+0x5fe/0x6c0 [ 12.736854] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.736877] ? ksize_uaf+0x5fe/0x6c0 [ 12.736909] kasan_report+0x141/0x180 [ 12.736932] ? ksize_uaf+0x5fe/0x6c0 [ 12.736959] __asan_report_load1_noabort+0x18/0x20 [ 12.737020] ksize_uaf+0x5fe/0x6c0 [ 12.737040] ? __pfx_ksize_uaf+0x10/0x10 [ 12.737061] ? __schedule+0x10cc/0x2b60 [ 12.737083] ? __pfx_read_tsc+0x10/0x10 [ 12.737102] ? ktime_get_ts64+0x86/0x230 [ 12.737127] kunit_try_run_case+0x1a5/0x480 [ 12.737151] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.737172] ? 
_raw_spin_lock_irqsave+0xa1/0x100 [ 12.737196] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.737219] ? __kthread_parkme+0x82/0x180 [ 12.737239] ? preempt_count_sub+0x50/0x80 [ 12.737263] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.737286] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.737309] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.737332] kthread+0x337/0x6f0 [ 12.737351] ? trace_preempt_on+0x20/0xc0 [ 12.737374] ? __pfx_kthread+0x10/0x10 [ 12.737393] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.737414] ? calculate_sigpending+0x7b/0xa0 [ 12.737456] ? __pfx_kthread+0x10/0x10 [ 12.737477] ret_from_fork+0x116/0x1d0 [ 12.737494] ? __pfx_kthread+0x10/0x10 [ 12.737514] ret_from_fork_asm+0x1a/0x30 [ 12.737563] </TASK> [ 12.737574] [ 12.744551] Allocated by task 213: [ 12.744724] kasan_save_stack+0x45/0x70 [ 12.744864] kasan_save_track+0x18/0x40 [ 12.745062] kasan_save_alloc_info+0x3b/0x50 [ 12.745295] __kasan_kmalloc+0xb7/0xc0 [ 12.745509] __kmalloc_cache_noprof+0x189/0x420 [ 12.745756] ksize_uaf+0xaa/0x6c0 [ 12.745922] kunit_try_run_case+0x1a5/0x480 [ 12.746095] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.746373] kthread+0x337/0x6f0 [ 12.746550] ret_from_fork+0x116/0x1d0 [ 12.746731] ret_from_fork_asm+0x1a/0x30 [ 12.746877] [ 12.747023] Freed by task 213: [ 12.747180] kasan_save_stack+0x45/0x70 [ 12.747373] kasan_save_track+0x18/0x40 [ 12.747540] kasan_save_free_info+0x3f/0x60 [ 12.747718] __kasan_slab_free+0x56/0x70 [ 12.747944] kfree+0x222/0x3f0 [ 12.748147] ksize_uaf+0x12c/0x6c0 [ 12.748296] kunit_try_run_case+0x1a5/0x480 [ 12.748512] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.748787] kthread+0x337/0x6f0 [ 12.748983] ret_from_fork+0x116/0x1d0 [ 12.749167] ret_from_fork_asm+0x1a/0x30 [ 12.749362] [ 12.749454] The buggy address belongs to the object at ffff888102988800 [ 12.749454] which belongs to the cache kmalloc-128 of size 128 [ 12.749931] The buggy address is located 0 bytes inside of [ 12.749931] freed 128-byte region [ffff888102988800, 
ffff888102988880) [ 12.750475] [ 12.750562] The buggy address belongs to the physical page: [ 12.750734] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102988 [ 12.751091] flags: 0x200000000000000(node=0|zone=2) [ 12.751329] page_type: f5(slab) [ 12.751495] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 12.751827] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 12.752191] page dumped because: kasan: bad access detected [ 12.752439] [ 12.752530] Memory state around the buggy address: [ 12.752749] ffff888102988700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.753100] ffff888102988780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.753332] >ffff888102988800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.753545] ^ [ 12.753659] ffff888102988880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.753876] ffff888102988900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.754242] ==================================================================
[ 12.526712] ==================================================================
[ 12.526991] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 12.527209] Read of size 1 at addr ffff8881026cea00 by task kunit_try_catch/214
[ 12.527453]
[ 12.527573] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.527617] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.527628] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.527648] Call Trace:
[ 12.527918] <TASK>
[ 12.527942] dump_stack_lvl+0x73/0xb0
[ 12.527974] print_report+0xd1/0x610
[ 12.527997] ? __virt_addr_valid+0x1db/0x2d0
[ 12.528140] ? ksize_uaf+0x5fe/0x6c0
[ 12.528162] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.528184] ? ksize_uaf+0x5fe/0x6c0
[ 12.528204] kasan_report+0x141/0x180
[ 12.528226] ? ksize_uaf+0x5fe/0x6c0
[ 12.528252] __asan_report_load1_noabort+0x18/0x20
[ 12.528568] ksize_uaf+0x5fe/0x6c0
[ 12.528591] ? __pfx_ksize_uaf+0x10/0x10
[ 12.528613] ? __schedule+0x10cc/0x2b60
[ 12.528636] ? __pfx_read_tsc+0x10/0x10
[ 12.528656] ? ktime_get_ts64+0x86/0x230
[ 12.528680] kunit_try_run_case+0x1a5/0x480
[ 12.528703] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.528725] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.528749] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.528773] ? __kthread_parkme+0x82/0x180
[ 12.528792] ? preempt_count_sub+0x50/0x80
[ 12.528816] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.528840] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.528863] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.528886] kthread+0x337/0x6f0
[ 12.528904] ? trace_preempt_on+0x20/0xc0
[ 12.528926] ? __pfx_kthread+0x10/0x10
[ 12.528946] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.528966] ? calculate_sigpending+0x7b/0xa0
[ 12.528990] ? __pfx_kthread+0x10/0x10
[ 12.529011] ret_from_fork+0x116/0x1d0
[ 12.529028] ? __pfx_kthread+0x10/0x10
[ 12.529048] ret_from_fork_asm+0x1a/0x30
[ 12.529080] </TASK>
[ 12.529090]
[ 12.542789] Allocated by task 214:
[ 12.542982] kasan_save_stack+0x45/0x70
[ 12.543194] kasan_save_track+0x18/0x40
[ 12.543385] kasan_save_alloc_info+0x3b/0x50
[ 12.543762] __kasan_kmalloc+0xb7/0xc0
[ 12.543954] __kmalloc_cache_noprof+0x189/0x420
[ 12.544165] ksize_uaf+0xaa/0x6c0
[ 12.544285] kunit_try_run_case+0x1a5/0x480
[ 12.544662] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.544885] kthread+0x337/0x6f0
[ 12.545032] ret_from_fork+0x116/0x1d0
[ 12.545228] ret_from_fork_asm+0x1a/0x30
[ 12.545401]
[ 12.545512] Freed by task 214:
[ 12.545730] kasan_save_stack+0x45/0x70
[ 12.545903] kasan_save_track+0x18/0x40
[ 12.546033] kasan_save_free_info+0x3f/0x60
[ 12.546174] __kasan_slab_free+0x56/0x70
[ 12.546306] kfree+0x222/0x3f0
[ 12.546455] ksize_uaf+0x12c/0x6c0
[ 12.546628] kunit_try_run_case+0x1a5/0x480
[ 12.546940] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.547334] kthread+0x337/0x6f0
[ 12.547735] ret_from_fork+0x116/0x1d0
[ 12.547923] ret_from_fork_asm+0x1a/0x30
[ 12.548102]
[ 12.548174] The buggy address belongs to the object at ffff8881026cea00
[ 12.548174] which belongs to the cache kmalloc-128 of size 128
[ 12.548977] The buggy address is located 0 bytes inside of
[ 12.548977] freed 128-byte region [ffff8881026cea00, ffff8881026cea80)
[ 12.549591]
[ 12.549671] The buggy address belongs to the physical page:
[ 12.549899] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026ce
[ 12.550230] flags: 0x200000000000000(node=0|zone=2)
[ 12.550419] page_type: f5(slab)
[ 12.550703] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.551008] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.551260] page dumped because: kasan: bad access detected
[ 12.551432]
[ 12.551513] Memory state around the buggy address:
[ 12.551734] ffff8881026ce900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.552065] ffff8881026ce980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.552375] >ffff8881026cea00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.552893] ^
[ 12.553069] ffff8881026cea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.553379] ffff8881026ceb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.553718] ==================================================================
[ 12.554287] ==================================================================
[ 12.554548] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 12.554757] Read of size 1 at addr ffff8881026cea78 by task kunit_try_catch/214
[ 12.555024]
[ 12.555135] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.555177] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.555187] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.555303] Call Trace:
[ 12.555322] <TASK>
[ 12.555339] dump_stack_lvl+0x73/0xb0
[ 12.555368] print_report+0xd1/0x610
[ 12.555390] ? __virt_addr_valid+0x1db/0x2d0
[ 12.555468] ? ksize_uaf+0x5e4/0x6c0
[ 12.555489] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.555511] ? ksize_uaf+0x5e4/0x6c0
[ 12.555532] kasan_report+0x141/0x180
[ 12.555553] ? ksize_uaf+0x5e4/0x6c0
[ 12.555579] __asan_report_load1_noabort+0x18/0x20
[ 12.555603] ksize_uaf+0x5e4/0x6c0
[ 12.555622] ? __pfx_ksize_uaf+0x10/0x10
[ 12.555644] ? __schedule+0x10cc/0x2b60
[ 12.555666] ? __pfx_read_tsc+0x10/0x10
[ 12.555686] ? ktime_get_ts64+0x86/0x230
[ 12.555711] kunit_try_run_case+0x1a5/0x480
[ 12.555735] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.555756] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.555780] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.555803] ? __kthread_parkme+0x82/0x180
[ 12.555823] ? preempt_count_sub+0x50/0x80
[ 12.555847] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.555871] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.555894] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.555918] kthread+0x337/0x6f0
[ 12.555938] ? trace_preempt_on+0x20/0xc0
[ 12.555960] ? __pfx_kthread+0x10/0x10
[ 12.555980] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.556001] ? calculate_sigpending+0x7b/0xa0
[ 12.556024] ? __pfx_kthread+0x10/0x10
[ 12.556045] ret_from_fork+0x116/0x1d0
[ 12.556062] ? __pfx_kthread+0x10/0x10
[ 12.556082] ret_from_fork_asm+0x1a/0x30
[ 12.556114] </TASK>
[ 12.556123]
[ 12.563157] Allocated by task 214:
[ 12.563633] kasan_save_stack+0x45/0x70
[ 12.564051] kasan_save_track+0x18/0x40
[ 12.564240] kasan_save_alloc_info+0x3b/0x50
[ 12.564646] __kasan_kmalloc+0xb7/0xc0
[ 12.564840] __kmalloc_cache_noprof+0x189/0x420
[ 12.565057] ksize_uaf+0xaa/0x6c0
[ 12.565237] kunit_try_run_case+0x1a5/0x480
[ 12.565479] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.565826] kthread+0x337/0x6f0
[ 12.565953] ret_from_fork+0x116/0x1d0
[ 12.566087] ret_from_fork_asm+0x1a/0x30
[ 12.566285]
[ 12.566382] Freed by task 214:
[ 12.566766] kasan_save_stack+0x45/0x70
[ 12.566932] kasan_save_track+0x18/0x40
[ 12.567099] kasan_save_free_info+0x3f/0x60
[ 12.567282] __kasan_slab_free+0x56/0x70
[ 12.567532] kfree+0x222/0x3f0
[ 12.567698] ksize_uaf+0x12c/0x6c0
[ 12.567840] kunit_try_run_case+0x1a5/0x480
[ 12.568006] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.568237] kthread+0x337/0x6f0
[ 12.568389] ret_from_fork+0x116/0x1d0
[ 12.568743] ret_from_fork_asm+0x1a/0x30
[ 12.568924]
[ 12.569021] The buggy address belongs to the object at ffff8881026cea00
[ 12.569021] which belongs to the cache kmalloc-128 of size 128
[ 12.569374] The buggy address is located 120 bytes inside of
[ 12.569374] freed 128-byte region [ffff8881026cea00, ffff8881026cea80)
[ 12.569800]
[ 12.569897] The buggy address belongs to the physical page:
[ 12.570212] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026ce
[ 12.570573] flags: 0x200000000000000(node=0|zone=2)
[ 12.570874] page_type: f5(slab)
[ 12.571106] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.571333] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.572056] page dumped because: kasan: bad access detected
[ 12.572276]
[ 12.572368] Memory state around the buggy address:
[ 12.572757] ffff8881026ce900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.573079] ffff8881026ce980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.573351] >ffff8881026cea00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.573760] ^
[ 12.574041] ffff8881026cea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.574326] ffff8881026ceb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.574652] ==================================================================
[ 12.497102] ==================================================================
[ 12.498862] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 12.499334] Read of size 1 at addr ffff8881026cea00 by task kunit_try_catch/214
[ 12.500171]
[ 12.500491] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.500544] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.500555] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.500577] Call Trace:
[ 12.500590] <TASK>
[ 12.500608] dump_stack_lvl+0x73/0xb0
[ 12.500640] print_report+0xd1/0x610
[ 12.500662] ? __virt_addr_valid+0x1db/0x2d0
[ 12.500686] ? ksize_uaf+0x19d/0x6c0
[ 12.500709] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.500732] ? ksize_uaf+0x19d/0x6c0
[ 12.500752] kasan_report+0x141/0x180
[ 12.500774] ? ksize_uaf+0x19d/0x6c0
[ 12.500797] ? ksize_uaf+0x19d/0x6c0
[ 12.500817] __kasan_check_byte+0x3d/0x50
[ 12.500838] ksize+0x20/0x60
[ 12.500858] ksize_uaf+0x19d/0x6c0
[ 12.500879] ? __pfx_ksize_uaf+0x10/0x10
[ 12.500900] ? __schedule+0x10cc/0x2b60
[ 12.500923] ? __pfx_read_tsc+0x10/0x10
[ 12.500943] ? ktime_get_ts64+0x86/0x230
[ 12.500969] kunit_try_run_case+0x1a5/0x480
[ 12.500994] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.501015] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.501039] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.501063] ? __kthread_parkme+0x82/0x180
[ 12.501083] ? preempt_count_sub+0x50/0x80
[ 12.501107] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.501135] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.501159] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.501182] kthread+0x337/0x6f0
[ 12.501200] ? trace_preempt_on+0x20/0xc0
[ 12.501223] ? __pfx_kthread+0x10/0x10
[ 12.501243] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.501264] ? calculate_sigpending+0x7b/0xa0
[ 12.501288] ? __pfx_kthread+0x10/0x10
[ 12.501308] ret_from_fork+0x116/0x1d0
[ 12.501326] ? __pfx_kthread+0x10/0x10
[ 12.501346] ret_from_fork_asm+0x1a/0x30
[ 12.501377] </TASK>
[ 12.501387]
[ 12.512269] Allocated by task 214:
[ 12.512783] kasan_save_stack+0x45/0x70
[ 12.512967] kasan_save_track+0x18/0x40
[ 12.513296] kasan_save_alloc_info+0x3b/0x50
[ 12.513644] __kasan_kmalloc+0xb7/0xc0
[ 12.513954] __kmalloc_cache_noprof+0x189/0x420
[ 12.514160] ksize_uaf+0xaa/0x6c0
[ 12.514328] kunit_try_run_case+0x1a5/0x480
[ 12.514805] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.515143] kthread+0x337/0x6f0
[ 12.515393] ret_from_fork+0x116/0x1d0
[ 12.515825] ret_from_fork_asm+0x1a/0x30
[ 12.516085]
[ 12.516162] Freed by task 214:
[ 12.516611] kasan_save_stack+0x45/0x70
[ 12.516760] kasan_save_track+0x18/0x40
[ 12.516979] kasan_save_free_info+0x3f/0x60
[ 12.517264] __kasan_slab_free+0x56/0x70
[ 12.517759] kfree+0x222/0x3f0
[ 12.518065] ksize_uaf+0x12c/0x6c0
[ 12.518224] kunit_try_run_case+0x1a5/0x480
[ 12.518719] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.518952] kthread+0x337/0x6f0
[ 12.519106] ret_from_fork+0x116/0x1d0
[ 12.519292] ret_from_fork_asm+0x1a/0x30
[ 12.519487]
[ 12.519563] The buggy address belongs to the object at ffff8881026cea00
[ 12.519563] which belongs to the cache kmalloc-128 of size 128
[ 12.520069] The buggy address is located 0 bytes inside of
[ 12.520069] freed 128-byte region [ffff8881026cea00, ffff8881026cea80)
[ 12.520556]
[ 12.520670] The buggy address belongs to the physical page:
[ 12.520977] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026ce
[ 12.521225] flags: 0x200000000000000(node=0|zone=2)
[ 12.521388] page_type: f5(slab)
[ 12.521543] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.521874] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.522207] page dumped because: kasan: bad access detected
[ 12.522622]
[ 12.522709] Memory state around the buggy address:
[ 12.522869] ffff8881026ce900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.523193] ffff8881026ce980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.523541] >ffff8881026cea00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.523783] ^
[ 12.523946] ffff8881026cea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.524201] ffff8881026ceb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.524648] ==================================================================
[ 12.657794] ==================================================================
[ 12.659199] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 12.660117] Read of size 1 at addr ffff888102b7d500 by task kunit_try_catch/213
[ 12.660763]
[ 12.661038] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.661092] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.661104] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.661126] Call Trace:
[ 12.661141] <TASK>
[ 12.661161] dump_stack_lvl+0x73/0xb0
[ 12.661220] print_report+0xd1/0x610
[ 12.661343] ? __virt_addr_valid+0x1db/0x2d0
[ 12.661369] ? ksize_uaf+0x19d/0x6c0
[ 12.661389] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.661411] ? ksize_uaf+0x19d/0x6c0
[ 12.661432] kasan_report+0x141/0x180
[ 12.661453] ? ksize_uaf+0x19d/0x6c0
[ 12.661476] ? ksize_uaf+0x19d/0x6c0
[ 12.661496] __kasan_check_byte+0x3d/0x50
[ 12.661518] ksize+0x20/0x60
[ 12.661539] ksize_uaf+0x19d/0x6c0
[ 12.661558] ? __pfx_ksize_uaf+0x10/0x10
[ 12.661579] ? __schedule+0x10cc/0x2b60
[ 12.661602] ? __pfx_read_tsc+0x10/0x10
[ 12.661623] ? ktime_get_ts64+0x86/0x230
[ 12.661648] kunit_try_run_case+0x1a5/0x480
[ 12.661674] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.661696] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.661720] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.661743] ? __kthread_parkme+0x82/0x180
[ 12.661764] ? preempt_count_sub+0x50/0x80
[ 12.661789] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.661812] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.661835] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.661858] kthread+0x337/0x6f0
[ 12.661877] ? trace_preempt_on+0x20/0xc0
[ 12.661900] ? __pfx_kthread+0x10/0x10
[ 12.661919] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.661941] ? calculate_sigpending+0x7b/0xa0
[ 12.661966] ? __pfx_kthread+0x10/0x10
[ 12.661986] ret_from_fork+0x116/0x1d0
[ 12.662005] ? __pfx_kthread+0x10/0x10
[ 12.662034] ret_from_fork_asm+0x1a/0x30
[ 12.662066] </TASK>
[ 12.662077]
[ 12.677126] Allocated by task 213:
[ 12.677327] kasan_save_stack+0x45/0x70
[ 12.677668] kasan_save_track+0x18/0x40
[ 12.678082] kasan_save_alloc_info+0x3b/0x50
[ 12.678538] __kasan_kmalloc+0xb7/0xc0
[ 12.678924] __kmalloc_cache_noprof+0x189/0x420
[ 12.679233] ksize_uaf+0xaa/0x6c0
[ 12.679387] kunit_try_run_case+0x1a5/0x480
[ 12.679653] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.680284] kthread+0x337/0x6f0
[ 12.680814] ret_from_fork+0x116/0x1d0
[ 12.681302] ret_from_fork_asm+0x1a/0x30
[ 12.681802]
[ 12.682033] Freed by task 213:
[ 12.682420] kasan_save_stack+0x45/0x70
[ 12.682709] kasan_save_track+0x18/0x40
[ 12.682847] kasan_save_free_info+0x3f/0x60
[ 12.682995] __kasan_slab_free+0x56/0x70
[ 12.683476] kfree+0x222/0x3f0
[ 12.683865] ksize_uaf+0x12c/0x6c0
[ 12.684260] kunit_try_run_case+0x1a5/0x480
[ 12.684731] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.685405] kthread+0x337/0x6f0
[ 12.685539] ret_from_fork+0x116/0x1d0
[ 12.685671] ret_from_fork_asm+0x1a/0x30
[ 12.685812]
[ 12.685885] The buggy address belongs to the object at ffff888102b7d500
[ 12.685885] which belongs to the cache kmalloc-128 of size 128
[ 12.686958] The buggy address is located 0 bytes inside of
[ 12.686958] freed 128-byte region [ffff888102b7d500, ffff888102b7d580)
[ 12.688258]
[ 12.688536] The buggy address belongs to the physical page:
[ 12.689155] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b7d
[ 12.689909] flags: 0x200000000000000(node=0|zone=2)
[ 12.690342] page_type: f5(slab)
[ 12.690698] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.691210] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.692103] page dumped because: kasan: bad access detected
[ 12.692340]
[ 12.692410] Memory state around the buggy address:
[ 12.692959] ffff888102b7d400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.693646] ffff888102b7d480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.693871] >ffff888102b7d500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.694119] ^
[ 12.694241] ffff888102b7d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.694564] ffff888102b7d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.695456] ==================================================================
[ 12.734987] ==================================================================
[ 12.735697] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 12.735919] Read of size 1 at addr ffff888102b7d578 by task kunit_try_catch/213
[ 12.736531]
[ 12.736797] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.736844] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.736860] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.736882] Call Trace:
[ 12.736895] <TASK>
[ 12.736912] dump_stack_lvl+0x73/0xb0
[ 12.736964] print_report+0xd1/0x610
[ 12.736987] ? __virt_addr_valid+0x1db/0x2d0
[ 12.737019] ? ksize_uaf+0x5e4/0x6c0
[ 12.737105] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.737142] ? ksize_uaf+0x5e4/0x6c0
[ 12.737162] kasan_report+0x141/0x180
[ 12.737184] ? ksize_uaf+0x5e4/0x6c0
[ 12.737209] __asan_report_load1_noabort+0x18/0x20
[ 12.737233] ksize_uaf+0x5e4/0x6c0
[ 12.737253] ? __pfx_ksize_uaf+0x10/0x10
[ 12.737274] ? __schedule+0x10cc/0x2b60
[ 12.737296] ? __pfx_read_tsc+0x10/0x10
[ 12.737316] ? ktime_get_ts64+0x86/0x230
[ 12.737342] kunit_try_run_case+0x1a5/0x480
[ 12.737365] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.737386] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.737411] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.737449] ? __kthread_parkme+0x82/0x180
[ 12.737470] ? preempt_count_sub+0x50/0x80
[ 12.737494] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.737517] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.737541] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.737565] kthread+0x337/0x6f0
[ 12.737584] ? trace_preempt_on+0x20/0xc0
[ 12.737609] ? __pfx_kthread+0x10/0x10
[ 12.737629] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.737652] ? calculate_sigpending+0x7b/0xa0
[ 12.737676] ? __pfx_kthread+0x10/0x10
[ 12.737697] ret_from_fork+0x116/0x1d0
[ 12.737715] ? __pfx_kthread+0x10/0x10
[ 12.737735] ret_from_fork_asm+0x1a/0x30
[ 12.737765] </TASK>
[ 12.737775]
[ 12.751345] Allocated by task 213:
[ 12.751556] kasan_save_stack+0x45/0x70
[ 12.751713] kasan_save_track+0x18/0x40
[ 12.751849] kasan_save_alloc_info+0x3b/0x50
[ 12.751997] __kasan_kmalloc+0xb7/0xc0
[ 12.752644] __kmalloc_cache_noprof+0x189/0x420
[ 12.753174] ksize_uaf+0xaa/0x6c0
[ 12.753576] kunit_try_run_case+0x1a5/0x480
[ 12.754053] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.754685] kthread+0x337/0x6f0
[ 12.755133] ret_from_fork+0x116/0x1d0
[ 12.755324] ret_from_fork_asm+0x1a/0x30
[ 12.755617]
[ 12.755775] Freed by task 213:
[ 12.756215] kasan_save_stack+0x45/0x70
[ 12.756654] kasan_save_track+0x18/0x40
[ 12.756815] kasan_save_free_info+0x3f/0x60
[ 12.756969] __kasan_slab_free+0x56/0x70
[ 12.757607] kfree+0x222/0x3f0
[ 12.757950] ksize_uaf+0x12c/0x6c0
[ 12.758387] kunit_try_run_case+0x1a5/0x480
[ 12.758809] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.758991] kthread+0x337/0x6f0
[ 12.759461] ret_from_fork+0x116/0x1d0
[ 12.759867] ret_from_fork_asm+0x1a/0x30
[ 12.760347]
[ 12.760433] The buggy address belongs to the object at ffff888102b7d500
[ 12.760433] which belongs to the cache kmalloc-128 of size 128
[ 12.761502] The buggy address is located 120 bytes inside of
[ 12.761502] freed 128-byte region [ffff888102b7d500, ffff888102b7d580)
[ 12.762282]
[ 12.762510] The buggy address belongs to the physical page:
[ 12.763097] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b7d
[ 12.763637] flags: 0x200000000000000(node=0|zone=2)
[ 12.763810] page_type: f5(slab)
[ 12.763933] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.764662] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.765404] page dumped because: kasan: bad access detected
[ 12.765940]
[ 12.766152] Memory state around the buggy address:
[ 12.766415] ffff888102b7d400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.766639] ffff888102b7d480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.766857] >ffff888102b7d500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.767439] ^
[ 12.768152] ffff888102b7d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.768883] ffff888102b7d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.769673] ==================================================================
[ 12.696640] ==================================================================
[ 12.698390] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 12.699152] Read of size 1 at addr ffff888102b7d500 by task kunit_try_catch/213
[ 12.699949]
[ 12.700258] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.700310] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.700322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.700343] Call Trace:
[ 12.700356] <TASK>
[ 12.700374] dump_stack_lvl+0x73/0xb0
[ 12.700406] print_report+0xd1/0x610
[ 12.700438] ? __virt_addr_valid+0x1db/0x2d0
[ 12.700461] ? ksize_uaf+0x5fe/0x6c0
[ 12.700481] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.700504] ? ksize_uaf+0x5fe/0x6c0
[ 12.700524] kasan_report+0x141/0x180
[ 12.700545] ? ksize_uaf+0x5fe/0x6c0
[ 12.700570] __asan_report_load1_noabort+0x18/0x20
[ 12.700594] ksize_uaf+0x5fe/0x6c0
[ 12.700613] ? __pfx_ksize_uaf+0x10/0x10
[ 12.700634] ? __schedule+0x10cc/0x2b60
[ 12.700656] ? __pfx_read_tsc+0x10/0x10
[ 12.700677] ? ktime_get_ts64+0x86/0x230
[ 12.700701] kunit_try_run_case+0x1a5/0x480
[ 12.700725] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.700747] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.700771] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.700793] ? __kthread_parkme+0x82/0x180
[ 12.700814] ? preempt_count_sub+0x50/0x80
[ 12.700838] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.700871] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.700894] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.700918] kthread+0x337/0x6f0
[ 12.700937] ? trace_preempt_on+0x20/0xc0
[ 12.700960] ? __pfx_kthread+0x10/0x10
[ 12.700979] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.701000] ? calculate_sigpending+0x7b/0xa0
[ 12.701279] ? __pfx_kthread+0x10/0x10
[ 12.701301] ret_from_fork+0x116/0x1d0
[ 12.701321] ? __pfx_kthread+0x10/0x10
[ 12.701341] ret_from_fork_asm+0x1a/0x30
[ 12.701372] </TASK>
[ 12.701382]
[ 12.714718] Allocated by task 213:
[ 12.715104] kasan_save_stack+0x45/0x70
[ 12.715570] kasan_save_track+0x18/0x40
[ 12.715716] kasan_save_alloc_info+0x3b/0x50
[ 12.715867] __kasan_kmalloc+0xb7/0xc0
[ 12.716000] __kmalloc_cache_noprof+0x189/0x420
[ 12.716687] ksize_uaf+0xaa/0x6c0
[ 12.717098] kunit_try_run_case+0x1a5/0x480
[ 12.717934] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.718623] kthread+0x337/0x6f0
[ 12.718807] ret_from_fork+0x116/0x1d0
[ 12.718943] ret_from_fork_asm+0x1a/0x30
[ 12.719268]
[ 12.719471] Freed by task 213:
[ 12.719839] kasan_save_stack+0x45/0x70
[ 12.720247] kasan_save_track+0x18/0x40
[ 12.720744] kasan_save_free_info+0x3f/0x60
[ 12.721253] __kasan_slab_free+0x56/0x70
[ 12.721645] kfree+0x222/0x3f0
[ 12.721770] ksize_uaf+0x12c/0x6c0
[ 12.721897] kunit_try_run_case+0x1a5/0x480
[ 12.722404] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.722943] kthread+0x337/0x6f0
[ 12.723374] ret_from_fork+0x116/0x1d0
[ 12.723818] ret_from_fork_asm+0x1a/0x30
[ 12.724237]
[ 12.724524] The buggy address belongs to the object at ffff888102b7d500
[ 12.724524] which belongs to the cache kmalloc-128 of size 128
[ 12.725544] The buggy address is located 0 bytes inside of
[ 12.725544] freed 128-byte region [ffff888102b7d500, ffff888102b7d580)
[ 12.726102]
[ 12.726401] The buggy address belongs to the physical page:
[ 12.726981] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b7d
[ 12.727816] flags: 0x200000000000000(node=0|zone=2)
[ 12.727992] page_type: f5(slab)
[ 12.728438] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 12.729201] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 12.729728] page dumped because: kasan: bad access detected
[ 12.729906]
[ 12.729977] Memory state around the buggy address:
[ 12.730509] ffff888102b7d400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.731285] ffff888102b7d480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.732050] >ffff888102b7d500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 12.732452] ^
[ 12.732805] ffff888102b7d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.733496] ffff888102b7d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.734158] ==================================================================