Date
April 20, 2025, 11:09 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
| rk3399-rock-pi-4b |
```
[ 23.535006] ==================================================================
[ 23.535208] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[ 23.535327] Read of size 1 at addr fff00000c68280a8 by task kunit_try_catch/190
[ 23.535857]
[ 23.535971] CPU: 0 UID: 0 PID: 190 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 23.536164] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.536370] Hardware name: linux,dummy-virt (DT)
[ 23.536784] Call trace:
[ 23.536843]  show_stack+0x20/0x38 (C)
[ 23.537728]  dump_stack_lvl+0x8c/0xd0
[ 23.537968]  print_report+0x118/0x608
[ 23.538328]  kasan_report+0xdc/0x128
[ 23.538443]  __asan_report_load1_noabort+0x20/0x30
[ 23.538995]  kmalloc_uaf2+0x3f4/0x468
[ 23.539723]  kunit_try_run_case+0x170/0x3f0
[ 23.540138]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.540288]  kthread+0x328/0x630
[ 23.541146]  ret_from_fork+0x10/0x20
[ 23.541863]
[ 23.542260] Allocated by task 190:
[ 23.542340]  kasan_save_stack+0x3c/0x68
[ 23.542947]  kasan_save_track+0x20/0x40
[ 23.543091]  kasan_save_alloc_info+0x40/0x58
[ 23.543191]  __kasan_kmalloc+0xd4/0xd8
[ 23.544059]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 23.544195]  kmalloc_uaf2+0xc4/0x468
[ 23.545134]  kunit_try_run_case+0x170/0x3f0
[ 23.545358]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.545677]  kthread+0x328/0x630
[ 23.546242]  ret_from_fork+0x10/0x20
[ 23.546558]
[ 23.546605] Freed by task 190:
[ 23.546920]  kasan_save_stack+0x3c/0x68
[ 23.547430]  kasan_save_track+0x20/0x40
[ 23.547881]  kasan_save_free_info+0x4c/0x78
[ 23.548028]  __kasan_slab_free+0x6c/0x98
[ 23.548168]  kfree+0x214/0x3c8
[ 23.548261]  kmalloc_uaf2+0x134/0x468
[ 23.548384]  kunit_try_run_case+0x170/0x3f0
[ 23.548502]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.548923]  kthread+0x328/0x630
[ 23.549108]  ret_from_fork+0x10/0x20
[ 23.549209]
[ 23.549252] The buggy address belongs to the object at fff00000c6828080
[ 23.549252]  which belongs to the cache kmalloc-64 of size 64
[ 23.549394] The buggy address is located 40 bytes inside of
[ 23.549394]  freed 64-byte region [fff00000c6828080, fff00000c68280c0)
[ 23.549557]
[ 23.549645] The buggy address belongs to the physical page:
[ 23.549718] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106828
[ 23.549841] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 23.549974] page_type: f5(slab)
[ 23.550083] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 23.550224] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 23.550493] page dumped because: kasan: bad access detected
[ 23.550638]
[ 23.550723] Memory state around the buggy address:
[ 23.550859]  fff00000c6827f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 23.550985]  fff00000c6828000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 23.551092] >fff00000c6828080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 23.551192]                                   ^
[ 23.551414]  fff00000c6828100: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 23.551522]  fff00000c6828180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.551615] ==================================================================
```
```
[ 11.795711] ==================================================================
[ 11.796197] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4a8/0x520
[ 11.796636] Read of size 1 at addr ffff888102743628 by task kunit_try_catch/208
[ 11.797200]
[ 11.797392] CPU: 0 UID: 0 PID: 208 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary)
[ 11.797453] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.797465] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.797662] Call Trace:
[ 11.797679]  <TASK>
[ 11.797698]  dump_stack_lvl+0x73/0xb0
[ 11.797727]  print_report+0xd1/0x650
[ 11.797750]  ? __virt_addr_valid+0x1db/0x2d0
[ 11.797779]  ? kmalloc_uaf2+0x4a8/0x520
[ 11.797799]  ? kasan_complete_mode_report_info+0x64/0x200
[ 11.797821]  ? kmalloc_uaf2+0x4a8/0x520
[ 11.797841]  kasan_report+0x141/0x180
[ 11.797863]  ? kmalloc_uaf2+0x4a8/0x520
[ 11.797889]  __asan_report_load1_noabort+0x18/0x20
[ 11.797909]  kmalloc_uaf2+0x4a8/0x520
[ 11.797930]  ? __pfx_kmalloc_uaf2+0x10/0x10
[ 11.797950]  ? sysvec_apic_timer_interrupt+0x50/0x90
[ 11.797982]  ? __pfx_kmalloc_uaf2+0x10/0x10
[ 11.798007]  kunit_try_run_case+0x1a5/0x480
[ 11.798032]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.798054]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.798078]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.798101]  ? __kthread_parkme+0x82/0x180
[ 11.798133]  ? preempt_count_sub+0x50/0x80
[ 11.798158]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.798180]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.798202]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.798224]  kthread+0x337/0x6f0
[ 11.798244]  ? trace_preempt_on+0x20/0xc0
[ 11.798268]  ? __pfx_kthread+0x10/0x10
[ 11.798289]  ? _raw_spin_unlock_irq+0x47/0x80
[ 11.798310]  ? calculate_sigpending+0x7b/0xa0
[ 11.798343]  ? __pfx_kthread+0x10/0x10
[ 11.798364]  ret_from_fork+0x41/0x80
[ 11.798395]  ? __pfx_kthread+0x10/0x10
[ 11.798416]  ret_from_fork_asm+0x1a/0x30
[ 11.798448]  </TASK>
[ 11.798459]
[ 11.808018] Allocated by task 208:
[ 11.808389]  kasan_save_stack+0x45/0x70
[ 11.808685]  kasan_save_track+0x18/0x40
[ 11.808881]  kasan_save_alloc_info+0x3b/0x50
[ 11.809041]  __kasan_kmalloc+0xb7/0xc0
[ 11.809225]  __kmalloc_cache_noprof+0x189/0x420
[ 11.809717]  kmalloc_uaf2+0xc6/0x520
[ 11.809863]  kunit_try_run_case+0x1a5/0x480
[ 11.810332]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.810719]  kthread+0x337/0x6f0
[ 11.810854]  ret_from_fork+0x41/0x80
[ 11.811029]  ret_from_fork_asm+0x1a/0x30
[ 11.811437]
[ 11.811578] Freed by task 208:
[ 11.811696]  kasan_save_stack+0x45/0x70
[ 11.811971]  kasan_save_track+0x18/0x40
[ 11.812397]  kasan_save_free_info+0x3f/0x60
[ 11.812655]  __kasan_slab_free+0x56/0x70
[ 11.813100]  kfree+0x222/0x3f0
[ 11.813235]  kmalloc_uaf2+0x14c/0x520
[ 11.813750]  kunit_try_run_case+0x1a5/0x480
[ 11.813917]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.814457]  kthread+0x337/0x6f0
[ 11.814674]  ret_from_fork+0x41/0x80
[ 11.814984]  ret_from_fork_asm+0x1a/0x30
[ 11.815380]
[ 11.815499] The buggy address belongs to the object at ffff888102743600
[ 11.815499]  which belongs to the cache kmalloc-64 of size 64
[ 11.816223] The buggy address is located 40 bytes inside of
[ 11.816223]  freed 64-byte region [ffff888102743600, ffff888102743640)
[ 11.816988]
[ 11.817068] The buggy address belongs to the physical page:
[ 11.817628] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102743
[ 11.818084] flags: 0x200000000000000(node=0|zone=2)
[ 11.818470] page_type: f5(slab)
[ 11.818669] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 11.819188] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 11.819574] page dumped because: kasan: bad access detected
[ 11.820146]
[ 11.820237] Memory state around the buggy address:
[ 11.820481]  ffff888102743500: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 11.820821]  ffff888102743580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 11.821120] >ffff888102743600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 11.821427]                                   ^
[ 11.822066]  ffff888102743680: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 11.822350]  ffff888102743700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.822721] ==================================================================
```
```
[ 21.701017] ==================================================================
[ 21.702078] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[ 21.702740] Read of size 1 at addr ffff00000ff06928 by task kunit_try_catch/242
[ 21.703433]
[ 21.703605] CPU: 1 UID: 0 PID: 242 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 21.703668] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.703685] Hardware name: Radxa ROCK Pi 4B (DT)
[ 21.703707] Call trace:
[ 21.703721]  show_stack+0x20/0x38 (C)
[ 21.703763]  dump_stack_lvl+0x8c/0xd0
[ 21.703801]  print_report+0x118/0x608
[ 21.703838]  kasan_report+0xdc/0x128
[ 21.703873]  __asan_report_load1_noabort+0x20/0x30
[ 21.703915]  kmalloc_uaf2+0x3f4/0x468
[ 21.703954]  kunit_try_run_case+0x170/0x3f0
[ 21.703997]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.704046]  kthread+0x328/0x630
[ 21.704087]  ret_from_fork+0x10/0x20
[ 21.704127]
[ 21.709701] Allocated by task 242:
[ 21.710036]  kasan_save_stack+0x3c/0x68
[ 21.710419]  kasan_save_track+0x20/0x40
[ 21.710800]  kasan_save_alloc_info+0x40/0x58
[ 21.711223]  __kasan_kmalloc+0xd4/0xd8
[ 21.711597]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 21.712051]  kmalloc_uaf2+0xc4/0x468
[ 21.712414]  kunit_try_run_case+0x170/0x3f0
[ 21.712831]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.713367]  kthread+0x328/0x630
[ 21.713699]  ret_from_fork+0x10/0x20
[ 21.714059]
[ 21.714217] Freed by task 242:
[ 21.714519]  kasan_save_stack+0x3c/0x68
[ 21.714901]  kasan_save_track+0x20/0x40
[ 21.715280]  kasan_save_free_info+0x4c/0x78
[ 21.715696]  __kasan_slab_free+0x6c/0x98
[ 21.716084]  kfree+0x214/0x3c8
[ 21.716400]  kmalloc_uaf2+0x134/0x468
[ 21.716771]  kunit_try_run_case+0x170/0x3f0
[ 21.717188]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.717724]  kthread+0x328/0x630
[ 21.718056]  ret_from_fork+0x10/0x20
[ 21.718416]
[ 21.718574] The buggy address belongs to the object at ffff00000ff06900
[ 21.718574]  which belongs to the cache kmalloc-64 of size 64
[ 21.719704] The buggy address is located 40 bytes inside of
[ 21.719704]  freed 64-byte region [ffff00000ff06900, ffff00000ff06940)
[ 21.720812]
[ 21.720972] The buggy address belongs to the physical page:
[ 21.721494] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xff06
[ 21.722227] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff)
[ 21.722850] page_type: f5(slab)
[ 21.723172] raw: 03fffe0000000000 ffff0000004028c0 dead000000000122 0000000000000000
[ 21.723900] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 21.724617] page dumped because: kasan: bad access detected
[ 21.725139]
[ 21.725296] Memory state around the buggy address:
[ 21.725753]  ffff00000ff06800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 21.726430]  ffff00000ff06880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 21.727106] >ffff00000ff06900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 21.727776]                                   ^
[ 21.728210]  ffff00000ff06980: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 21.728887]  ffff00000ff06a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.729557] ==================================================================
```