Date
April 20, 2025, 11:09 p.m.
| Environment | |
|---|---|
| x15 | |
| x86 |
[ 53.746002] ================================================================== [ 53.756866] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x484/0x518 [ 53.763702] Read of size 16 at addr cc22b400 by task kunit_try_catch/224 [ 53.770446] [ 53.771972] CPU: 1 UID: 0 PID: 224 Comm: kunit_try_catch Tainted: G B W N 6.15.0-rc3 #1 NONE [ 53.772003] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 53.772003] Hardware name: Generic DRA74X (Flattened Device Tree) [ 53.772003] Call trace: [ 53.772003] unwind_backtrace from show_stack+0x18/0x1c [ 53.772033] show_stack from dump_stack_lvl+0x70/0x90 [ 53.772064] dump_stack_lvl from print_report+0x158/0x528 [ 53.772094] print_report from kasan_report+0xdc/0x118 [ 53.772125] kasan_report from kmalloc_uaf_16+0x484/0x518 [ 53.772125] kmalloc_uaf_16 from kunit_try_run_case+0x22c/0x5a8 [ 53.772155] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 53.772186] kunit_generic_run_threadfn_adapter from kthread+0x464/0x810 [ 53.772216] kthread from ret_from_fork+0x14/0x20 [ 53.772216] Exception stack(0xf241bfb0 to 0xf241bff8) [ 53.772247] bfa0: 00000000 00000000 00000000 00000000 [ 53.772247] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 53.772277] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 [ 53.772277] [ 53.876617] Allocated by task 224: [ 53.880065] kasan_save_track+0x30/0x5c [ 53.883911] __kasan_kmalloc+0x8c/0x94 [ 53.887695] kmalloc_uaf_16+0x1b0/0x518 [ 53.891571] kunit_try_run_case+0x22c/0x5a8 [ 53.895782] kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 53.901306] kthread+0x464/0x810 [ 53.904571] ret_from_fork+0x14/0x20 [ 53.908172] [ 53.909667] Freed by task 224: [ 53.912750] kasan_save_track+0x30/0x5c [ 53.916625] kasan_save_free_info+0x3c/0x48 [ 53.920837] __kasan_slab_free+0x40/0x50 [ 53.924774] kfree+0xe8/0x384 [ 53.927795] kmalloc_uaf_16+0x234/0x518 [ 53.931640] kunit_try_run_case+0x22c/0x5a8 [ 53.935852] kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 53.941406] kthread+0x464/0x810 [ 53.944641] ret_from_fork+0x14/0x20 [ 53.948242] [ 53.949768] The buggy address belongs to the object at cc22b400 [ 53.949768] which belongs to the cache kmalloc-64 of size 64 [ 53.961486] The buggy address is located 0 bytes inside of [ 53.961486] freed 64-byte region [cc22b400, cc22b440) [ 53.972167] [ 53.973663] The buggy address belongs to the physical page: [ 53.979248] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c22b [ 53.986541] flags: 0x0(zone=0) [ 53.989624] page_type: f5(slab) [ 53.992797] raw: 00000000 c7001300 00000122 00000000 00000000 80200020 f5000000 00000000 [ 54.000915] raw: 00000000 [ 54.003570] page dumped because: kasan: bad access detected [ 54.009185] [ 54.010681] Memory state around the buggy address: [ 54.015502] cc22b300: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 54.022064] cc22b380: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 54.028656] >cc22b400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 54.035217] ^ [ 54.037750] cc22b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 54.044342] cc22b500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 54.050903] ==================================================================
[ 24.023437] ================================================================== [ 24.034240] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0 [ 24.041026] Read of size 16 at addr ffff888104ed9140 by task kunit_try_catch/211 [ 24.048421] [ 24.049921] CPU: 1 UID: 0 PID: 211 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary) [ 24.049929] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.049931] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021 [ 24.049934] Call Trace: [ 24.049936] <TASK> [ 24.049938] dump_stack_lvl+0x73/0xb0 [ 24.049942] print_report+0xd1/0x650 [ 24.049946] ? __virt_addr_valid+0x1db/0x2d0 [ 24.049950] ? kmalloc_uaf_16+0x47b/0x4c0 [ 24.049954] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.049958] ? kmalloc_uaf_16+0x47b/0x4c0 [ 24.049962] kasan_report+0x141/0x180 [ 24.049966] ? kmalloc_uaf_16+0x47b/0x4c0 [ 24.049970] __asan_report_load16_noabort+0x18/0x20 [ 24.049974] kmalloc_uaf_16+0x47b/0x4c0 [ 24.049978] ? __pfx_kmalloc_uaf_16+0x10/0x10 [ 24.049982] ? __schedule+0x10cc/0x2b30 [ 24.049987] ? ktime_get_ts64+0x83/0x230 [ 24.049991] kunit_try_run_case+0x1a2/0x480 [ 24.049996] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.050000] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.050004] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.050009] ? __kthread_parkme+0x82/0x180 [ 24.050013] ? preempt_count_sub+0x50/0x80 [ 24.050017] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.050022] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 24.050025] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.050029] kthread+0x334/0x6f0 [ 24.050033] ? trace_preempt_on+0x20/0xc0 [ 24.050038] ? __pfx_kthread+0x10/0x10 [ 24.050042] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.050046] ? calculate_sigpending+0x7b/0xa0 [ 24.050050] ? __pfx_kthread+0x10/0x10 [ 24.050054] ret_from_fork+0x3e/0x80 [ 24.050058] ? __pfx_kthread+0x10/0x10 [ 24.050062] ret_from_fork_asm+0x1a/0x30 [ 24.050068] </TASK> [ 24.050069] [ 24.211760] Allocated by task 211: [ 24.215169] kasan_save_stack+0x45/0x70 [ 24.219016] kasan_save_track+0x18/0x40 [ 24.222861] kasan_save_alloc_info+0x3b/0x50 [ 24.227136] __kasan_kmalloc+0xb7/0xc0 [ 24.230896] __kmalloc_cache_noprof+0x189/0x420 [ 24.235430] kmalloc_uaf_16+0x15b/0x4c0 [ 24.239268] kunit_try_run_case+0x1a2/0x480 [ 24.243454] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 24.248854] kthread+0x334/0x6f0 [ 24.252095] ret_from_fork+0x3e/0x80 [ 24.255713] ret_from_fork_asm+0x1a/0x30 [ 24.259699] [ 24.261245] Freed by task 211: [ 24.264304] kasan_save_stack+0x45/0x70 [ 24.268143] kasan_save_track+0x18/0x40 [ 24.271983] kasan_save_free_info+0x3f/0x60 [ 24.276170] __kasan_slab_free+0x56/0x70 [ 24.280104] kfree+0x222/0x3f0 [ 24.283161] kmalloc_uaf_16+0x1d6/0x4c0 [ 24.287003] kunit_try_run_case+0x1a2/0x480 [ 24.291197] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 24.296595] kthread+0x334/0x6f0 [ 24.299828] ret_from_fork+0x3e/0x80 [ 24.303405] ret_from_fork_asm+0x1a/0x30 [ 24.307332] [ 24.308832] The buggy address belongs to the object at ffff888104ed9140 [ 24.308832] which belongs to the cache kmalloc-16 of size 16 [ 24.321172] The buggy address is located 0 bytes inside of [ 24.321172] freed 16-byte region [ffff888104ed9140, ffff888104ed9150) [ 24.333168] [ 24.334685] The buggy address belongs to the physical page: [ 24.340292] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104ed9 [ 24.348299] flags: 0x200000000000000(node=0|zone=2) [ 24.353177] page_type: f5(slab) [ 24.356324] raw: 0200000000000000 ffff888100042640 dead000000000122 0000000000000000 [ 24.364064] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 24.371809] page dumped because: kasan: bad access detected [ 24.377384] [ 24.378881] Memory state around the buggy address: [ 24.383713] ffff888104ed9000: 00 03 fc fc 00 03 fc fc 00 03 fc fc 00 03 fc fc [ 24.390961] ffff888104ed9080: 00 03 fc fc 00 03 fc fc 00 03 fc fc fa fb fc fc [ 24.398181] >ffff888104ed9100: 00 05 fc fc 00 00 fc fc fa fb fc fc fc fc fc fc [ 24.405401] ^ [ 24.410748] ffff888104ed9180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.417977] ffff888104ed9200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.425193] ==================================================================