Date
July 20, 2025, 8:11 p.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64

```
[   15.441403] ==================================================================
[   15.441618] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   15.441682] Read of size 1 at addr fff00000c7771078 by task kunit_try_catch/197
[   15.441986]
[   15.442040] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[   15.442320] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.442413] Hardware name: linux,dummy-virt (DT)
[   15.442547] Call trace:
[   15.442634]  show_stack+0x20/0x38 (C)
[   15.442708]  dump_stack_lvl+0x8c/0xd0
[   15.442774]  print_report+0x118/0x5d0
[   15.442841]  kasan_report+0xdc/0x128
[   15.443088]  __asan_report_load1_noabort+0x20/0x30
[   15.443159]  ksize_uaf+0x544/0x5f8
[   15.443214]  kunit_try_run_case+0x170/0x3f0
[   15.443684]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.443847]  kthread+0x328/0x630
[   15.443924]  ret_from_fork+0x10/0x20
[   15.443990]
[   15.444017] Allocated by task 197:
[   15.444140]  kasan_save_stack+0x3c/0x68
[   15.444214]  kasan_save_track+0x20/0x40
[   15.444420]  kasan_save_alloc_info+0x40/0x58
[   15.444475]  __kasan_kmalloc+0xd4/0xd8
[   15.444518]  __kmalloc_cache_noprof+0x16c/0x3c0
[   15.444828]  ksize_uaf+0xb8/0x5f8
[   15.444897]  kunit_try_run_case+0x170/0x3f0
[   15.444980]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.445053]  kthread+0x328/0x630
[   15.445165]  ret_from_fork+0x10/0x20
[   15.445532]
[   15.445569] Freed by task 197:
[   15.445630]  kasan_save_stack+0x3c/0x68
[   15.445738]  kasan_save_track+0x20/0x40
[   15.445858]  kasan_save_free_info+0x4c/0x78
[   15.445929]  __kasan_slab_free+0x6c/0x98
[   15.446061]  kfree+0x214/0x3c8
[   15.446150]  ksize_uaf+0x11c/0x5f8
[   15.446238]  kunit_try_run_case+0x170/0x3f0
[   15.446286]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.446330]  kthread+0x328/0x630
[   15.446377]  ret_from_fork+0x10/0x20
[   15.446424]
[   15.446460] The buggy address belongs to the object at fff00000c7771000
[   15.446460]  which belongs to the cache kmalloc-128 of size 128
[   15.446529] The buggy address is located 120 bytes inside of
[   15.446529]  freed 128-byte region [fff00000c7771000, fff00000c7771080)
[   15.446605]
[   15.446649] The buggy address belongs to the physical page:
[   15.446689] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107771
[   15.446758] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   15.446813] page_type: f5(slab)
[   15.446852] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   15.446911] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   15.446952] page dumped because: kasan: bad access detected
[   15.446985]
[   15.447020] Memory state around the buggy address:
[   15.447072]  fff00000c7770f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.447125]  fff00000c7770f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.447168] >fff00000c7771000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.447427]                                                                 ^
[   15.447675]  fff00000c7771080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.447864]  fff00000c7771100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.448104] ==================================================================
[   15.431074] ==================================================================
[   15.431135] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   15.431368] Read of size 1 at addr fff00000c7771000 by task kunit_try_catch/197
[   15.431492]
[   15.431764] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[   15.432079] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.432123] Hardware name: linux,dummy-virt (DT)
[   15.432173] Call trace:
[   15.432252]  show_stack+0x20/0x38 (C)
[   15.432309]  dump_stack_lvl+0x8c/0xd0
[   15.432355]  print_report+0x118/0x5d0
[   15.432588]  kasan_report+0xdc/0x128
[   15.432776]  __asan_report_load1_noabort+0x20/0x30
[   15.432831]  ksize_uaf+0x598/0x5f8
[   15.433067]  kunit_try_run_case+0x170/0x3f0
[   15.433249]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.433417]  kthread+0x328/0x630
[   15.433470]  ret_from_fork+0x10/0x20
[   15.433517]
[   15.433700] Allocated by task 197:
[   15.433956]  kasan_save_stack+0x3c/0x68
[   15.434061]  kasan_save_track+0x20/0x40
[   15.434131]  kasan_save_alloc_info+0x40/0x58
[   15.434268]  __kasan_kmalloc+0xd4/0xd8
[   15.434307]  __kmalloc_cache_noprof+0x16c/0x3c0
[   15.434549]  ksize_uaf+0xb8/0x5f8
[   15.434732]  kunit_try_run_case+0x170/0x3f0
[   15.434913]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.435043]  kthread+0x328/0x630
[   15.435227]  ret_from_fork+0x10/0x20
[   15.435679]
[   15.435795] Freed by task 197:
[   15.435943]  kasan_save_stack+0x3c/0x68
[   15.436044]  kasan_save_track+0x20/0x40
[   15.436208]  kasan_save_free_info+0x4c/0x78
[   15.436467]  __kasan_slab_free+0x6c/0x98
[   15.436623]  kfree+0x214/0x3c8
[   15.436871]  ksize_uaf+0x11c/0x5f8
[   15.436948]  kunit_try_run_case+0x170/0x3f0
[   15.437063]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.437315]  kthread+0x328/0x630
[   15.437530]  ret_from_fork+0x10/0x20
[   15.437686]
[   15.437746] The buggy address belongs to the object at fff00000c7771000
[   15.437746]  which belongs to the cache kmalloc-128 of size 128
[   15.437900] The buggy address is located 0 bytes inside of
[   15.437900]  freed 128-byte region [fff00000c7771000, fff00000c7771080)
[   15.437987]
[   15.438406] The buggy address belongs to the physical page:
[   15.438456] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107771
[   15.438582] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   15.438768] page_type: f5(slab)
[   15.438891] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   15.438951] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   15.439166] page dumped because: kasan: bad access detected
[   15.439619]
[   15.439767] Memory state around the buggy address:
[   15.439874]  fff00000c7770f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.439940]  fff00000c7770f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.440256] >fff00000c7771000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.440395]                    ^
[   15.440562]  fff00000c7771080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.440664]  fff00000c7771100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.440780] ==================================================================
[   15.423374] ==================================================================
[   15.423604] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   15.423667] Read of size 1 at addr fff00000c7771000 by task kunit_try_catch/197
[   15.423719]
[   15.423851] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[   15.423946] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.424299] Hardware name: linux,dummy-virt (DT)
[   15.424404] Call trace:
[   15.424433]  show_stack+0x20/0x38 (C)
[   15.424487]  dump_stack_lvl+0x8c/0xd0
[   15.424533]  print_report+0x118/0x5d0
[   15.424965]  kasan_report+0xdc/0x128
[   15.425271]  __kasan_check_byte+0x54/0x70
[   15.425495]  ksize+0x30/0x88
[   15.425550]  ksize_uaf+0x168/0x5f8
[   15.425619]  kunit_try_run_case+0x170/0x3f0
[   15.425669]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.425723]  kthread+0x328/0x630
[   15.425776]  ret_from_fork+0x10/0x20
[   15.425831]
[   15.425850] Allocated by task 197:
[   15.425879]  kasan_save_stack+0x3c/0x68
[   15.425920]  kasan_save_track+0x20/0x40
[   15.425968]  kasan_save_alloc_info+0x40/0x58
[   15.426009]  __kasan_kmalloc+0xd4/0xd8
[   15.426056]  __kmalloc_cache_noprof+0x16c/0x3c0
[   15.426097]  ksize_uaf+0xb8/0x5f8
[   15.426138]  kunit_try_run_case+0x170/0x3f0
[   15.426177]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.426232]  kthread+0x328/0x630
[   15.426264]  ret_from_fork+0x10/0x20
[   15.426308]
[   15.426337] Freed by task 197:
[   15.426371]  kasan_save_stack+0x3c/0x68
[   15.426412]  kasan_save_track+0x20/0x40
[   15.426448]  kasan_save_free_info+0x4c/0x78
[   15.426510]  __kasan_slab_free+0x6c/0x98
[   15.426547]  kfree+0x214/0x3c8
[   15.426582]  ksize_uaf+0x11c/0x5f8
[   15.426615]  kunit_try_run_case+0x170/0x3f0
[   15.426666]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.426709]  kthread+0x328/0x630
[   15.426750]  ret_from_fork+0x10/0x20
[   15.426793]
[   15.426812] The buggy address belongs to the object at fff00000c7771000
[   15.426812]  which belongs to the cache kmalloc-128 of size 128
[   15.426878] The buggy address is located 0 bytes inside of
[   15.426878]  freed 128-byte region [fff00000c7771000, fff00000c7771080)
[   15.426948]
[   15.426976] The buggy address belongs to the physical page:
[   15.427024] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107771
[   15.427078] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   15.427142] page_type: f5(slab)
[   15.428063] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   15.428141] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   15.428202] page dumped because: kasan: bad access detected
[   15.428271]
[   15.428315] Memory state around the buggy address:
[   15.428389]  fff00000c7770f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.428604]  fff00000c7770f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.428701] >fff00000c7771000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   15.428951]                    ^
[   15.429204]  fff00000c7771080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.429387]  fff00000c7771100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.429564] ==================================================================
```
qemu-x86_64

```
[   13.441186] ==================================================================
[   13.441667] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   13.441930] Read of size 1 at addr ffff888103249700 by task kunit_try_catch/214
[   13.442453]
[   13.442592] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[   13.442641] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.442652] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.442675] Call Trace:
[   13.442688]  <TASK>
[   13.442706]  dump_stack_lvl+0x73/0xb0
[   13.442739]  print_report+0xd1/0x610
[   13.442763]  ? __virt_addr_valid+0x1db/0x2d0
[   13.442789]  ? ksize_uaf+0x19d/0x6c0
[   13.442810]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.442845]  ? ksize_uaf+0x19d/0x6c0
[   13.442867]  kasan_report+0x141/0x180
[   13.442889]  ? ksize_uaf+0x19d/0x6c0
[   13.442913]  ? ksize_uaf+0x19d/0x6c0
[   13.442935]  __kasan_check_byte+0x3d/0x50
[   13.442957]  ksize+0x20/0x60
[   13.442979]  ksize_uaf+0x19d/0x6c0
[   13.443000]  ? __pfx_ksize_uaf+0x10/0x10
[   13.443022]  ? __schedule+0x10c6/0x2b60
[   13.443047]  ? __pfx_read_tsc+0x10/0x10
[   13.443069]  ? ktime_get_ts64+0x86/0x230
[   13.443095]  kunit_try_run_case+0x1a5/0x480
[   13.443122]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.443145]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.443169]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.443193]  ? __kthread_parkme+0x82/0x180
[   13.443214]  ? preempt_count_sub+0x50/0x80
[   13.443239]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.443263]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.443287]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.443311]  kthread+0x337/0x6f0
[   13.443331]  ? trace_preempt_on+0x20/0xc0
[   13.443355]  ? __pfx_kthread+0x10/0x10
[   13.443376]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.443398]  ? calculate_sigpending+0x7b/0xa0
[   13.443422]  ? __pfx_kthread+0x10/0x10
[   13.443444]  ret_from_fork+0x116/0x1d0
[   13.443463]  ? __pfx_kthread+0x10/0x10
[   13.443496]  ret_from_fork_asm+0x1a/0x30
[   13.443527]  </TASK>
[   13.443537]
[   13.450641] Allocated by task 214:
[   13.450775]  kasan_save_stack+0x45/0x70
[   13.450926]  kasan_save_track+0x18/0x40
[   13.451128]  kasan_save_alloc_info+0x3b/0x50
[   13.451533]  __kasan_kmalloc+0xb7/0xc0
[   13.451731]  __kmalloc_cache_noprof+0x189/0x420
[   13.451943]  ksize_uaf+0xaa/0x6c0
[   13.452073]  kunit_try_run_case+0x1a5/0x480
[   13.452228]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.452412]  kthread+0x337/0x6f0
[   13.452700]  ret_from_fork+0x116/0x1d0
[   13.453066]  ret_from_fork_asm+0x1a/0x30
[   13.453274]
[   13.453373] Freed by task 214:
[   13.453548]  kasan_save_stack+0x45/0x70
[   13.453756]  kasan_save_track+0x18/0x40
[   13.453913]  kasan_save_free_info+0x3f/0x60
[   13.454122]  __kasan_slab_free+0x56/0x70
[   13.454325]  kfree+0x222/0x3f0
[   13.454503]  ksize_uaf+0x12c/0x6c0
[   13.454660]  kunit_try_run_case+0x1a5/0x480
[   13.454883]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.455107]  kthread+0x337/0x6f0
[   13.455278]  ret_from_fork+0x116/0x1d0
[   13.455457]  ret_from_fork_asm+0x1a/0x30
[   13.455657]
[   13.455738] The buggy address belongs to the object at ffff888103249700
[   13.455738]  which belongs to the cache kmalloc-128 of size 128
[   13.456248] The buggy address is located 0 bytes inside of
[   13.456248]  freed 128-byte region [ffff888103249700, ffff888103249780)
[   13.456721]
[   13.456825] The buggy address belongs to the physical page:
[   13.457071] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103249
[   13.457394] flags: 0x200000000000000(node=0|zone=2)
[   13.457633] page_type: f5(slab)
[   13.457827] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.458144] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.458436] page dumped because: kasan: bad access detected
[   13.458672]
[   13.458766] Memory state around the buggy address:
[   13.458986]  ffff888103249600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.459263]  ffff888103249680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.459575] >ffff888103249700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.459901]                    ^
[   13.460065]  ffff888103249780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.460329]  ffff888103249800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.460602] ==================================================================
[   13.461412] ==================================================================
[   13.461748] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   13.461988] Read of size 1 at addr ffff888103249700 by task kunit_try_catch/214
[   13.462946]
[   13.463077] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[   13.463121] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.463132] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.463153] Call Trace:
[   13.463166]  <TASK>
[   13.463181]  dump_stack_lvl+0x73/0xb0
[   13.463212]  print_report+0xd1/0x610
[   13.463235]  ? __virt_addr_valid+0x1db/0x2d0
[   13.463257]  ? ksize_uaf+0x5fe/0x6c0
[   13.463278]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.463300]  ? ksize_uaf+0x5fe/0x6c0
[   13.463321]  kasan_report+0x141/0x180
[   13.463342]  ? ksize_uaf+0x5fe/0x6c0
[   13.463368]  __asan_report_load1_noabort+0x18/0x20
[   13.463392]  ksize_uaf+0x5fe/0x6c0
[   13.463412]  ? __pfx_ksize_uaf+0x10/0x10
[   13.463433]  ? __schedule+0x10c6/0x2b60
[   13.463456]  ? __pfx_read_tsc+0x10/0x10
[   13.463491]  ? ktime_get_ts64+0x86/0x230
[   13.463515]  kunit_try_run_case+0x1a5/0x480
[   13.463539]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.463561]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.463585]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.463608]  ? __kthread_parkme+0x82/0x180
[   13.463628]  ? preempt_count_sub+0x50/0x80
[   13.463651]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.463674]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.463697]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.463720]  kthread+0x337/0x6f0
[   13.463740]  ? trace_preempt_on+0x20/0xc0
[   13.463763]  ? __pfx_kthread+0x10/0x10
[   13.463784]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.463805]  ? calculate_sigpending+0x7b/0xa0
[   13.463829]  ? __pfx_kthread+0x10/0x10
[   13.463850]  ret_from_fork+0x116/0x1d0
[   13.463868]  ? __pfx_kthread+0x10/0x10
[   13.463889]  ret_from_fork_asm+0x1a/0x30
[   13.463919]  </TASK>
[   13.463929]
[   13.470799] Allocated by task 214:
[   13.470969]  kasan_save_stack+0x45/0x70
[   13.471149]  kasan_save_track+0x18/0x40
[   13.471324]  kasan_save_alloc_info+0x3b/0x50
[   13.471526]  __kasan_kmalloc+0xb7/0xc0
[   13.471742]  __kmalloc_cache_noprof+0x189/0x420
[   13.471987]  ksize_uaf+0xaa/0x6c0
[   13.472167]  kunit_try_run_case+0x1a5/0x480
[   13.472389]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.472619]  kthread+0x337/0x6f0
[   13.472748]  ret_from_fork+0x116/0x1d0
[   13.472954]  ret_from_fork_asm+0x1a/0x30
[   13.473162]
[   13.473264] Freed by task 214:
[   13.473391]  kasan_save_stack+0x45/0x70
[   13.473569]  kasan_save_track+0x18/0x40
[   13.473766]  kasan_save_free_info+0x3f/0x60
[   13.473966]  __kasan_slab_free+0x56/0x70
[   13.474130]  kfree+0x222/0x3f0
[   13.474299]  ksize_uaf+0x12c/0x6c0
[   13.474490]  kunit_try_run_case+0x1a5/0x480
[   13.474658]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.475002]  kthread+0x337/0x6f0
[   13.475176]  ret_from_fork+0x116/0x1d0
[   13.475344]  ret_from_fork_asm+0x1a/0x30
[   13.475524]
[   13.475601] The buggy address belongs to the object at ffff888103249700
[   13.475601]  which belongs to the cache kmalloc-128 of size 128
[   13.475980] The buggy address is located 0 bytes inside of
[   13.475980]  freed 128-byte region [ffff888103249700, ffff888103249780)
[   13.476345]
[   13.476423] The buggy address belongs to the physical page:
[   13.476683] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103249
[   13.477256] flags: 0x200000000000000(node=0|zone=2)
[   13.477518] page_type: f5(slab)
[   13.477691] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.478391] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.478721] page dumped because: kasan: bad access detected
[   13.478898]
[   13.478970] Memory state around the buggy address:
[   13.479130]  ffff888103249600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.479351]  ffff888103249680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.479591] >ffff888103249700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.480105]                    ^
[   13.480277]  ffff888103249780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.480616]  ffff888103249800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.481170] ==================================================================
[   13.482383] ==================================================================
[   13.482730] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   13.483052] Read of size 1 at addr ffff888103249778 by task kunit_try_catch/214
[   13.483301]
[   13.483546] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[   13.483594] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.483605] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.483627] Call Trace:
[   13.483642]  <TASK>
[   13.483656]  dump_stack_lvl+0x73/0xb0
[   13.483687]  print_report+0xd1/0x610
[   13.483710]  ? __virt_addr_valid+0x1db/0x2d0
[   13.483733]  ? ksize_uaf+0x5e4/0x6c0
[   13.483754]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.483776]  ? ksize_uaf+0x5e4/0x6c0
[   13.483805]  kasan_report+0x141/0x180
[   13.483827]  ? ksize_uaf+0x5e4/0x6c0
[   13.483853]  __asan_report_load1_noabort+0x18/0x20
[   13.483878]  ksize_uaf+0x5e4/0x6c0
[   13.483900]  ? __pfx_ksize_uaf+0x10/0x10
[   13.483922]  ? __schedule+0x10c6/0x2b60
[   13.483946]  ? __pfx_read_tsc+0x10/0x10
[   13.483967]  ? ktime_get_ts64+0x86/0x230
[   13.483993]  kunit_try_run_case+0x1a5/0x480
[   13.484017]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.484040]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.484064]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.484087]  ? __kthread_parkme+0x82/0x180
[   13.484109]  ? preempt_count_sub+0x50/0x80
[   13.484133]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.484158]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.484181]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.484205]  kthread+0x337/0x6f0
[   13.484225]  ? trace_preempt_on+0x20/0xc0
[   13.484248]  ? __pfx_kthread+0x10/0x10
[   13.484269]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.484291]  ? calculate_sigpending+0x7b/0xa0
[   13.484317]  ? __pfx_kthread+0x10/0x10
[   13.484339]  ret_from_fork+0x116/0x1d0
[   13.484358]  ? __pfx_kthread+0x10/0x10
[   13.484379]  ret_from_fork_asm+0x1a/0x30
[   13.484409]  </TASK>
[   13.484420]
[   13.491603] Allocated by task 214:
[   13.491793]  kasan_save_stack+0x45/0x70
[   13.491986]  kasan_save_track+0x18/0x40
[   13.492148]  kasan_save_alloc_info+0x3b/0x50
[   13.492341]  __kasan_kmalloc+0xb7/0xc0
[   13.492548]  __kmalloc_cache_noprof+0x189/0x420
[   13.492735]  ksize_uaf+0xaa/0x6c0
[   13.492869]  kunit_try_run_case+0x1a5/0x480
[   13.493030]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.493217]  kthread+0x337/0x6f0
[   13.493346]  ret_from_fork+0x116/0x1d0
[   13.493493]  ret_from_fork_asm+0x1a/0x30
[   13.493641]
[   13.493714] Freed by task 214:
[   13.493830]  kasan_save_stack+0x45/0x70
[   13.493972]  kasan_save_track+0x18/0x40
[   13.494117]  kasan_save_free_info+0x3f/0x60
[   13.494270]  __kasan_slab_free+0x56/0x70
[   13.494478]  kfree+0x222/0x3f0
[   13.494661]  ksize_uaf+0x12c/0x6c0
[   13.494927]  kunit_try_run_case+0x1a5/0x480
[   13.495141]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.495403]  kthread+0x337/0x6f0
[   13.495592]  ret_from_fork+0x116/0x1d0
[   13.495790]  ret_from_fork_asm+0x1a/0x30
[   13.495991]
[   13.496086] The buggy address belongs to the object at ffff888103249700
[   13.496086]  which belongs to the cache kmalloc-128 of size 128
[   13.496651] The buggy address is located 120 bytes inside of
[   13.496651]  freed 128-byte region [ffff888103249700, ffff888103249780)
[   13.497392]
[   13.497477] The buggy address belongs to the physical page:
[   13.497659] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103249
[   13.498199] flags: 0x200000000000000(node=0|zone=2)
[   13.498445] page_type: f5(slab)
[   13.498628] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   13.499230] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   13.499542] page dumped because: kasan: bad access detected
[   13.499797]
[   13.499882] Memory state around the buggy address:
[   13.500044]  ffff888103249600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.500271]  ffff888103249680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.500541] >ffff888103249700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.500981]                                                                 ^
[   13.501319]  ffff888103249780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.501680]  ffff888103249800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.502058] ==================================================================
```
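What the six reports above are: the `ksize_uaf` case of the KASAN KUnit suite (mm/kasan/kasan_test_c.c in 6.16) allocates a 120-byte object from kmalloc-128 (128 minus the 8-byte generic-KASAN granule), kfrees it, and then deliberately touches the stale pointer three times: `ksize(ptr)`, which trips in `__kasan_check_byte` below `ksize` (the `+0x168` and `+0x19d` reports), a read of byte 0 (`+0x598` / `+0x5fe`) and a read of byte 120 (`+0x544` / `+0x5e4`). `KUNIT_EXPECT_KASAN_FAIL` counts each report as a pass, and the `[N]=TEST` taint together with the `kunit_try_catch` task marks them as harness-induced, so this is the expected output of a working KASAN build, not a kernel bug. In the shadow dump, `fa`/`fb` are freed-object poison (the `fa` granule at the object start carries the free-track metadata), `fc` is the slab redzone on either side, and the `^` sits under the granule that holds the faulting byte: granule 0 for offset 0, granule 15 for offset 120.

To triage such reports mechanically, for instance when a CI run emits dozens of them, the following added script (written for this page, not part of the dashboard or of the kernel tree) parses the report fields, decodes the shadow byte under the faulting address and checks that the kernel's own "located N bytes inside of" line, the region bounds and the shadow poison agree with each other. Poison values follow mm/kasan/kasan.h for generic KASAN; the embedded sample is a constructed, trimmed copy of the arm64 offset-120 report above.

```python
"""Triage helper for generic-KASAN slab reports (added example, not kernel code).
Parses one report, decodes the shadow byte under the faulting address and
cross-checks the kernel's own "located N bytes inside of" line."""
import re
from dataclasses import dataclass
from typing import Optional

GRANULE = 8  # generic KASAN: one shadow byte describes 8 bytes of memory
# Poison values from mm/kasan/kasan.h; 00 = all 8 bytes addressable, 01..07 = partial.
SHADOW_LEGEND = {0xFA: "freed slab object (first granule, holds free-track metadata)",
                 0xFB: "freed slab object", 0xFC: "slab redzone",
                 0xFE: "kmalloc_large redzone", 0xFF: "freed page"}
_TS = r"^\s*\[\s*[\d.]+\]\s*"  # dmesg timestamp prefix
RE_BUG = re.compile(_TS + r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)", re.M)
RE_ACCESS = re.compile(_TS + r"(?:Read|Write) of size \d+ at addr (?P<addr>[0-9a-f]+)", re.M)
RE_OBJECT = re.compile(_TS + r"The buggy address belongs to the object at (?P<obj>[0-9a-f]+)", re.M)
RE_LOCATED = re.compile(_TS + r"The buggy address is located (?P<off>\d+) bytes "
                        r"(?P<where>inside of|to the (?:left|right) of)", re.M)
RE_REGION = re.compile(_TS + r"(?:(?P<state>freed|allocated) )?\d+-byte region "
                       r"\[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)", re.M)
RE_SHADOW = re.compile(_TS + r">(?P<addr>[0-9a-f]+): (?P<bytes>(?:[0-9a-f]{2} ?){16})", re.M)
RE_FRAME = re.compile(_TS + r"(?P<frame>[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)")
# Allocator/KASAN-internal frames that sit above the real caller in a stack.
INTERNAL = ("kasan_", "__kasan_", "kmalloc", "__kmalloc", "kfree", "kmem_cache_")


def _caller(text: str, header: str) -> Optional[str]:
    """First non-internal frame below an 'Allocated by'/'Freed by' header."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if header in line:
            for frame_line in lines[i + 1:]:
                m = RE_FRAME.match(frame_line)
                if not m:  # a line without a frame ends the stack
                    break
                if not m["frame"].startswith(INTERNAL):
                    return m["frame"]
    return None


@dataclass
class KasanReport:
    kind: str
    func: str
    addr: int
    obj_start: int
    region_state: Optional[str]
    region: tuple
    reported_offset: int
    reported_where: str
    shadow_byte: Optional[int]
    alloc_caller: Optional[str]
    free_caller: Optional[str]

    @property
    def offset(self) -> int:
        return self.addr - self.obj_start

    def shadow_meaning(self) -> str:
        b = self.shadow_byte
        return SHADOW_LEGEND.get(b, "addressable" if b == 0 else f"unknown or partial: {b}")

    def consistent(self) -> bool:
        """Addresses, the kernel's prose and the shadow byte must all agree."""
        inside = self.region[0] <= self.addr < self.region[1]
        ok = (self.reported_where == "inside of") == inside and self.offset == self.reported_offset
        if self.kind == "slab-use-after-free":  # a UAF must land on freed poison
            ok = ok and self.region_state == "freed" and self.shadow_byte in (0xFA, 0xFB)
        return ok


def parse_kasan_report(text: str) -> KasanReport:
    bug, acc, obj, loc, reg = (r.search(text) for r in (RE_BUG, RE_ACCESS, RE_OBJECT, RE_LOCATED, RE_REGION))
    if not all((bug, acc, obj, loc, reg)):
        raise ValueError("not a complete KASAN slab report")
    addr, shadow, row = int(acc["addr"], 16), None, RE_SHADOW.search(text)
    if row:  # the '>' row holds 16 shadow bytes covering 128 bytes from its address
        idx = (addr - int(row["addr"], 16)) // GRANULE
        cells = row["bytes"].split()
        if 0 <= idx < len(cells):
            shadow = int(cells[idx], 16)
    return KasanReport(bug["kind"], bug["func"], addr, int(obj["obj"], 16), reg["state"],
                       (int(reg["start"], 16), int(reg["end"], 16)), int(loc["off"]),
                       loc["where"], shadow, _caller(text, "Allocated by task"),
                       _caller(text, "Freed by task"))


# Constructed sample: a trimmed copy of the arm64 offset-120 report on this page.
SAMPLE = """\
[   15.441618] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   15.441682] Read of size 1 at addr fff00000c7771078 by task kunit_try_catch/197
[   15.444017] Allocated by task 197:
[   15.444518]  __kmalloc_cache_noprof+0x16c/0x3c0
[   15.444828]  ksize_uaf+0xb8/0x5f8
[   15.445569] Freed by task 197:
[   15.446061]  kfree+0x214/0x3c8
[   15.446150]  ksize_uaf+0x11c/0x5f8
[   15.446460] The buggy address belongs to the object at fff00000c7771000
[   15.446529] The buggy address is located 120 bytes inside of
[   15.446529]  freed 128-byte region [fff00000c7771000, fff00000c7771080)
[   15.447168] >fff00000c7771000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""
```

To run it over a whole dmesg capture such as the one above, split the text on the `====` separator lines and feed each chunk to `parse_kasan_report()`; `alloc_caller`/`free_caller` give the first frame outside the allocator and KASAN itself (here `ksize_uaf` for both), and a report for which `consistent()` is false points at a truncated or garbled capture rather than at the memory bug.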