Date
April 20, 2025, 11:09 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
| rk3399-rock-pi-4b |
qemu-arm64:

```
[   23.194688] ==================================================================
[   23.194801] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[   23.194947] Read of size 16 at addr fff00000c412bba0 by task kunit_try_catch/170
[   23.195067]
[   23.195142] CPU: 0 UID: 0 PID: 170 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[   23.195321] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.195380] Hardware name: linux,dummy-virt (DT)
[   23.195451] Call trace:
[   23.195511]  show_stack+0x20/0x38 (C)
[   23.195829]  dump_stack_lvl+0x8c/0xd0
[   23.196180]  print_report+0x118/0x608
[   23.196416]  kasan_report+0xdc/0x128
[   23.196542]  __asan_report_load16_noabort+0x20/0x30
[   23.196717]  kmalloc_uaf_16+0x3bc/0x438
[   23.197031]  kunit_try_run_case+0x170/0x3f0
[   23.197320]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   23.197555]  kthread+0x328/0x630
[   23.197692]  ret_from_fork+0x10/0x20
[   23.197965]
[   23.198407] Allocated by task 170:
[   23.199198]  kasan_save_stack+0x3c/0x68
[   23.199578]  kasan_save_track+0x20/0x40
[   23.199705]  kasan_save_alloc_info+0x40/0x58
[   23.199834]  __kasan_kmalloc+0xd4/0xd8
[   23.199942]  __kmalloc_cache_noprof+0x15c/0x3c0
[   23.200062]  kmalloc_uaf_16+0x140/0x438
[   23.200290]  kunit_try_run_case+0x170/0x3f0
[   23.200438]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   23.200971]  kthread+0x328/0x630
[   23.201170]  ret_from_fork+0x10/0x20
[   23.201308]
[   23.201398] Freed by task 170:
[   23.201593]  kasan_save_stack+0x3c/0x68
[   23.201748]  kasan_save_track+0x20/0x40
[   23.201917]  kasan_save_free_info+0x4c/0x78
[   23.202057]  __kasan_slab_free+0x6c/0x98
[   23.202146]  kfree+0x214/0x3c8
[   23.202229]  kmalloc_uaf_16+0x190/0x438
[   23.202315]  kunit_try_run_case+0x170/0x3f0
[   23.202435]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   23.202571]  kthread+0x328/0x630
[   23.202668]  ret_from_fork+0x10/0x20
[   23.202905]
[   23.202973] The buggy address belongs to the object at fff00000c412bba0
[   23.202973]  which belongs to the cache kmalloc-16 of size 16
[   23.203370] The buggy address is located 0 bytes inside of
[   23.203370]  freed 16-byte region [fff00000c412bba0, fff00000c412bbb0)
[   23.203585]
[   23.203649] The buggy address belongs to the physical page:
[   23.203822] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10412b
[   23.204338] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   23.204989] page_type: f5(slab)
[   23.205119] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   23.205314] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   23.205510] page dumped because: kasan: bad access detected
[   23.205600]
[   23.205722] Memory state around the buggy address:
[   23.205927]  fff00000c412ba80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   23.206065]  fff00000c412bb00: 00 04 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   23.206182] >fff00000c412bb80: 00 00 fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   23.206363]                                ^
[   23.206656]  fff00000c412bc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.207054]  fff00000c412bc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.207153] ==================================================================
```
qemu-x86_64:

```
[   11.536164] ==================================================================
[   11.536756] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[   11.537037] Read of size 16 at addr ffff8881023f82c0 by task kunit_try_catch/188
[   11.537645]
[   11.537759] CPU: 0 UID: 0 PID: 188 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary)
[   11.537814] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.537825] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.537845] Call Trace:
[   11.537856]  <TASK>
[   11.537871]  dump_stack_lvl+0x73/0xb0
[   11.537896]  print_report+0xd1/0x650
[   11.537918]  ? __virt_addr_valid+0x1db/0x2d0
[   11.537939]  ? kmalloc_uaf_16+0x47b/0x4c0
[   11.537960]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.537982]  ? kmalloc_uaf_16+0x47b/0x4c0
[   11.538004]  kasan_report+0x141/0x180
[   11.538026]  ? kmalloc_uaf_16+0x47b/0x4c0
[   11.538053]  __asan_report_load16_noabort+0x18/0x20
[   11.538073]  kmalloc_uaf_16+0x47b/0x4c0
[   11.538095]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[   11.538117]  ? __schedule+0x10cc/0x2b30
[   11.538156]  ? __pfx_read_tsc+0x10/0x10
[   11.538176]  ? ktime_get_ts64+0x86/0x230
[   11.538201]  kunit_try_run_case+0x1a5/0x480
[   11.538224]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.538245]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.538268]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.538292]  ? __kthread_parkme+0x82/0x180
[   11.538313]  ? preempt_count_sub+0x50/0x80
[   11.538349]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.538372]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.538449]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.538474]  kthread+0x337/0x6f0
[   11.538495]  ? trace_preempt_on+0x20/0xc0
[   11.538519]  ? __pfx_kthread+0x10/0x10
[   11.538541]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.538562]  ? calculate_sigpending+0x7b/0xa0
[   11.538583]  ? __pfx_kthread+0x10/0x10
[   11.538605]  ret_from_fork+0x41/0x80
[   11.538626]  ? __pfx_kthread+0x10/0x10
[   11.538648]  ret_from_fork_asm+0x1a/0x30
[   11.538679]  </TASK>
[   11.538690]
[   11.546025] Allocated by task 188:
[   11.546161]  kasan_save_stack+0x45/0x70
[   11.546542]  kasan_save_track+0x18/0x40
[   11.546743]  kasan_save_alloc_info+0x3b/0x50
[   11.546949]  __kasan_kmalloc+0xb7/0xc0
[   11.547140]  __kmalloc_cache_noprof+0x189/0x420
[   11.547349]  kmalloc_uaf_16+0x15b/0x4c0
[   11.547505]  kunit_try_run_case+0x1a5/0x480
[   11.547764]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.547972]  kthread+0x337/0x6f0
[   11.548093]  ret_from_fork+0x41/0x80
[   11.548349]  ret_from_fork_asm+0x1a/0x30
[   11.548869]
[   11.548953] Freed by task 188:
[   11.549065]  kasan_save_stack+0x45/0x70
[   11.549204]  kasan_save_track+0x18/0x40
[   11.549558]  kasan_save_free_info+0x3f/0x60
[   11.549767]  __kasan_slab_free+0x56/0x70
[   11.549968]  kfree+0x222/0x3f0
[   11.550124]  kmalloc_uaf_16+0x1d6/0x4c0
[   11.550268]  kunit_try_run_case+0x1a5/0x480
[   11.550588]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.550791]  kthread+0x337/0x6f0
[   11.550911]  ret_from_fork+0x41/0x80
[   11.551040]  ret_from_fork_asm+0x1a/0x30
[   11.551358]
[   11.551555] The buggy address belongs to the object at ffff8881023f82c0
[   11.551555]  which belongs to the cache kmalloc-16 of size 16
[   11.552031] The buggy address is located 0 bytes inside of
[   11.552031]  freed 16-byte region [ffff8881023f82c0, ffff8881023f82d0)
[   11.552406]
[   11.552537] The buggy address belongs to the physical page:
[   11.552789] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1023f8
[   11.553133] flags: 0x200000000000000(node=0|zone=2)
[   11.553342] page_type: f5(slab)
[   11.553464] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   11.553932] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   11.554284] page dumped because: kasan: bad access detected
[   11.554559]
[   11.554672] Memory state around the buggy address:
[   11.554961]  ffff8881023f8180: 00 02 fc fc 00 02 fc fc 00 06 fc fc 00 06 fc fc
[   11.555209]  ffff8881023f8200: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   11.555634] >ffff8881023f8280: fa fb fc fc 00 00 fc fc fa fb fc fc fc fc fc fc
[   11.555886]                                            ^
[   11.556110]  ffff8881023f8300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.556381]  ffff8881023f8380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.556640] ==================================================================
```
rk3399-rock-pi-4b:

```
[   21.410880] ==================================================================
[   21.411917] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[   21.412568] Read of size 16 at addr ffff00000aa08660 by task kunit_try_catch/222
[   21.413251]
[   21.413416] CPU: 3 UID: 0 PID: 222 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[   21.413464] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.413478] Hardware name: Radxa ROCK Pi 4B (DT)
[   21.413496] Call trace:
[   21.413507]  show_stack+0x20/0x38 (C)
[   21.413540]  dump_stack_lvl+0x8c/0xd0
[   21.413571]  print_report+0x118/0x608
[   21.413600]  kasan_report+0xdc/0x128
[   21.413628]  __asan_report_load16_noabort+0x20/0x30
[   21.413661]  kmalloc_uaf_16+0x3bc/0x438
[   21.413694]  kunit_try_run_case+0x170/0x3f0
[   21.413729]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.413768]  kthread+0x328/0x630
[   21.413802]  ret_from_fork+0x10/0x20
[   21.413834]
[   21.419390] Allocated by task 222:
[   21.419716]  kasan_save_stack+0x3c/0x68
[   21.420088]  kasan_save_track+0x20/0x40
[   21.420459]  kasan_save_alloc_info+0x40/0x58
[   21.420871]  __kasan_kmalloc+0xd4/0xd8
[   21.421234]  __kmalloc_cache_noprof+0x15c/0x3c0
[   21.421674]  kmalloc_uaf_16+0x140/0x438
[   21.422050]  kunit_try_run_case+0x170/0x3f0
[   21.422456]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.422979]  kthread+0x328/0x630
[   21.423302]  ret_from_fork+0x10/0x20
[   21.423651]
[   21.423803] Freed by task 222:
[   21.424097]  kasan_save_stack+0x3c/0x68
[   21.424468]  kasan_save_track+0x20/0x40
[   21.424839]  kasan_save_free_info+0x4c/0x78
[   21.425243]  __kasan_slab_free+0x6c/0x98
[   21.425622]  kfree+0x214/0x3c8
[   21.425929]  kmalloc_uaf_16+0x190/0x438
[   21.426305]  kunit_try_run_case+0x170/0x3f0
[   21.426709]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.427232]  kthread+0x328/0x630
[   21.427554]  ret_from_fork+0x10/0x20
[   21.427903]
[   21.428056] The buggy address belongs to the object at ffff00000aa08660
[   21.428056]  which belongs to the cache kmalloc-16 of size 16
[   21.429172] The buggy address is located 0 bytes inside of
[   21.429172]  freed 16-byte region [ffff00000aa08660, ffff00000aa08670)
[   21.430260]
[   21.430414] The buggy address belongs to the physical page:
[   21.430929] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaa08
[   21.431653] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff)
[   21.432264] page_type: f5(slab)
[   21.432577] raw: 03fffe0000000000 ffff000000402640 dead000000000122 0000000000000000
[   21.433292] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   21.433998] page dumped because: kasan: bad access detected
[   21.434512]
[   21.434664] Memory state around the buggy address:
[   21.435112]  ffff00000aa08500: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   21.435777]  ffff00000aa08580: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   21.436442] >ffff00000aa08600: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[   21.437103]                                                        ^
[   21.437689]  ffff00000aa08680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.438354]  ffff00000aa08700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.439015] ==================================================================
```