[ 30.848043][ T474] ==================================================================
[ 30.848351][ T474] BUG: KASAN: slab-use-after-free in emit_its_trampoline+0xa5/0x300
[ 30.848607][ T474] Read of size 1 at addr ffff88800193b720 by task modprobe/474
[ 30.848857][ T474]
[ 30.848947][ T474] CPU: 0 UID: 0 PID: 474 Comm: modprobe Not tainted 6.16.0-rc2-virtme #1 PREEMPT(full)
[ 30.848952][ T474] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 30.848955][ T474] Call Trace:
[ 30.848957][ T474]
[ 30.848959][ T474] dump_stack_lvl+0x82/0xd0
[ 30.848966][ T474] print_address_description.constprop.0+0x2c/0x400
[ 30.848972][ T474] ? emit_its_trampoline+0xa5/0x300
[ 30.848976][ T474] print_report+0xb4/0x270
[ 30.848979][ T474] ? emit_its_trampoline+0xa5/0x300
[ 30.848982][ T474] ? kasan_addr_to_slab+0x25/0x80
[ 30.848985][ T474] ? emit_its_trampoline+0xa5/0x300
[ 30.848988][ T474] kasan_report+0xca/0x100
[ 30.848992][ T474] ? emit_its_trampoline+0xa5/0x300
[ 30.848996][ T474] ? emit_its_trampoline+0xa5/0x300
[ 30.848999][ T474] __kasan_check_byte+0x3a/0x50
[ 30.849003][ T474] krealloc_noprof+0x3d/0x320
[ 30.849007][ T474] ? execmem_alloc+0xc0/0x240
[ 30.849012][ T474] emit_its_trampoline+0xa5/0x300
[ 30.849015][ T474] ? __x86_indirect_paranoid_thunk_rcx+0x2/0x2
[ 30.849020][ T474] ? __pi___x86_indirect_thunk_rax+0x20/0x20
[ 30.849026][ T474] apply_retpolines+0xcf/0x550
[ 30.849029][ T474] ? rcu_is_watching+0x12/0xc0
[ 30.849033][ T474] ? __pfx_apply_retpolines+0x10/0x10
[ 30.849037][ T474] ? __pfx___mutex_lock+0x10/0x10
[ 30.849045][ T474] ? memcmp+0x86/0x1d0
[ 30.849052][ T474] module_finalize+0x3d5/0x9d0
[ 30.849059][ T474] ? add_kallsyms+0x7bf/0xf40
[ 30.849063][ T474] ? __pfx_module_finalize+0x10/0x10
[ 30.849067][ T474] ? __pfx_cmp_ex_sort+0x10/0x10
[ 30.849070][ T474] ? __pfx_swap_ex+0x10/0x10
[ 30.849074][ T474] load_module+0x139a/0x2660
[ 30.849080][ T474] ? __pfx_load_module+0x10/0x10
[ 30.849083][ T474] ? kernel_read_file+0x3f5/0x550
[ 30.849089][ T474] ? kernel_read_file+0x3d0/0x550
[ 30.849092][ T474] ? __pfx_kernel_read_file+0x10/0x10
[ 30.849096][ T474] ? add_chain_cache+0x110/0x370
[ 30.849101][ T474] ? init_module_from_file+0xe9/0x150
[ 30.849104][ T474] init_module_from_file+0xe9/0x150
[ 30.849107][ T474] ? __pfx_init_module_from_file+0x10/0x10
[ 30.849115][ T474] ? idempotent_init_module+0x31a/0x620
[ 30.849117][ T474] ? __lock_release+0x5d/0x170
[ 30.849121][ T474] ? do_raw_spin_unlock+0x58/0x220
[ 30.849126][ T474] idempotent_init_module+0x335/0x620
[ 30.849130][ T474] ? __pfx_idempotent_init_module+0x10/0x10
[ 30.849137][ T474] ? cap_capable+0x94/0x230
[ 30.849143][ T474] __x64_sys_finit_module+0xca/0x150
[ 30.849146][ T474] ? do_syscall_64+0x85/0x380
[ 30.849150][ T474] do_syscall_64+0xc1/0x380
[ 30.849154][ T474] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 30.849158][ T474] RIP: 0033:0x7f65999b2e5d
[ 30.849163][ T474] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
[ 30.849165][ T474] RSP: 002b:00007ffe2eb0b9f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 30.849169][ T474] RAX: ffffffffffffffda RBX: 00005590c11c8960 RCX: 00007f65999b2e5d
[ 30.849171][ T474] RDX: 0000000000000000 RSI: 00005590a62aba2a RDI: 0000000000000005
[ 30.849173][ T474] RBP: 0000000000040000 R08: 0000000000000000 R09: 00007ffe2eb0bb30
[ 30.849175][ T474] R10: 0000000000000005 R11: 0000000000000246 R12: 00005590a62aba2a
[ 30.849176][ T474] R13: 00005590c11c8b10 R14: 00005590c11c8db0 R15: 0000000000000000
[ 30.849182][ T474]
[ 30.849184][ T474]
[ 30.859897][ T474] Allocated by task 470:
[ 30.860027][ T474] kasan_save_stack+0x24/0x50
[ 30.860205][ T474] kasan_save_track+0x14/0x30
[ 30.860376][ T474] __kasan_kmalloc+0x7f/0x90
[ 30.860546][ T474] __kmalloc_noprof+0x1d4/0x470
[ 30.860718][ T474] virtqueue_add_split+0x6a3/0x1920
[ 30.860894][ T474] virtqueue_add_sgs+0x143/0x270
[ 30.861065][ T474] virtio_fs_enqueue_req+0x58c/0xfe0
[ 30.861238][ T474] virtio_fs_send_req+0x13a/0x710
[ 30.861409][ T474] __fuse_simple_request+0x22a/0xb50
[ 30.861586][ T474] fuse_readlink_folio+0x20b/0x400
[ 30.861758][ T474] fuse_get_link+0x12d/0x350
[ 30.861929][ T474] pick_link+0x7a2/0x1160
[ 30.862058][ T474] step_into+0x85a/0xfc0
[ 30.862191][ T474] link_path_walk+0x3c2/0xa10
[ 30.862365][ T474] path_openat+0x14d/0x380
[ 30.862536][ T474] do_filp_open+0x1d7/0x420
[ 30.862706][ T474] do_sys_openat2+0xd4/0x160
[ 30.862878][ T474] __x64_sys_openat+0x122/0x1e0
[ 30.863063][ T474] do_syscall_64+0xc1/0x380
[ 30.863237][ T474] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 30.863450][ T474]
[ 30.863539][ T474] Freed by task 232:
[ 30.863672][ T474] kasan_save_stack+0x24/0x50
[ 30.863844][ T474] kasan_save_track+0x14/0x30
[ 30.864014][ T474] kasan_save_free_info+0x3b/0x60
[ 30.864183][ T474] __kasan_slab_free+0x38/0x50
[ 30.864357][ T474] kfree+0x144/0x320
[ 30.864488][ T474] detach_buf_split+0x48d/0x6f0
[ 30.864659][ T474] virtqueue_get_buf_ctx_split+0x294/0x7f0
[ 30.864870][ T474] virtio_fs_requests_done_work+0x231/0x890
[ 30.865086][ T474] process_one_work+0xe43/0x1660
[ 30.865259][ T474] worker_thread+0x591/0xcf0
[ 30.865430][ T474] kthread+0x37b/0x600
[ 30.865565][ T474] ret_from_fork+0x243/0x320
[ 30.865738][ T474] ret_from_fork_asm+0x1a/0x30
[ 30.865911][ T474]
[ 30.865999][ T474] The buggy address belongs to the object at ffff88800193b720
[ 30.865999][ T474] which belongs to the cache kmalloc-96 of size 96
[ 30.866410][ T474] The buggy address is located 0 bytes inside of
[ 30.866410][ T474] freed 96-byte region [ffff88800193b720, ffff88800193b780)
[ 30.866823][ T474]
[ 30.866909][ T474] The buggy address belongs to the physical page:
[ 30.867119][ T474] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x193b
[ 30.867436][ T474] flags: 0x80000000000000(node=0|zone=1)
[ 30.867616][ T474] page_type: f5(slab)
[ 30.867753][ T474] raw: 0080000000000000 ffff888001042340 ffffea00004fa5d0 ffffea00004f24d0
[ 30.868061][ T474] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 30.868366][ T474] page dumped because: kasan: bad access detected
[ 30.868579][ T474]
[ 30.868670][ T474] Memory state around the buggy address:
[ 30.868833][ T474] ffff88800193b600: fc fc fc fc 00 00 00 00 00 00 00 00 00 fc fc fc
[ 30.869083][ T474] ffff88800193b680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.869331][ T474] >ffff88800193b700: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb
[ 30.869579][ T474] ^
[ 30.869751][ T474] ffff88800193b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.869999][ T474] ffff88800193b800: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 fc
[ 30.870246][ T474] ==================================================================
[ 30.870619][ T474] Disabling lock debugging due to kernel taint