Date
April 22, 2025, 11:09 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 | |
| rk3399-rock-pi-4b |
[ 18.096869] ================================================================== [ 18.096986] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 18.097095] Read of size 1 at addr fff00000c62d4d78 by task kunit_try_catch/198 [ 18.097208] [ 18.097287] CPU: 1 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT [ 18.097488] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.099940] Hardware name: linux,dummy-virt (DT) [ 18.100146] Call trace: [ 18.100221] show_stack+0x20/0x38 (C) [ 18.100874] dump_stack_lvl+0x8c/0xd0 [ 18.100988] print_report+0x118/0x608 [ 18.101084] kasan_report+0xdc/0x128 [ 18.101177] __asan_report_load1_noabort+0x20/0x30 [ 18.101290] ksize_uaf+0x544/0x5f8 [ 18.101390] kunit_try_run_case+0x170/0x3f0 [ 18.101504] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.101652] kthread+0x328/0x630 [ 18.101754] ret_from_fork+0x10/0x20 [ 18.101864] [ 18.101905] Allocated by task 198: [ 18.101967] kasan_save_stack+0x3c/0x68 [ 18.102055] kasan_save_track+0x20/0x40 [ 18.103678] kasan_save_alloc_info+0x40/0x58 [ 18.103954] __kasan_kmalloc+0xd4/0xd8 [ 18.104521] __kmalloc_cache_noprof+0x15c/0x3c0 [ 18.104843] ksize_uaf+0xb8/0x5f8 [ 18.105062] kunit_try_run_case+0x170/0x3f0 [ 18.105195] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.105946] kthread+0x328/0x630 [ 18.106174] ret_from_fork+0x10/0x20 [ 18.106274] [ 18.106319] Freed by task 198: [ 18.106854] kasan_save_stack+0x3c/0x68 [ 18.107183] kasan_save_track+0x20/0x40 [ 18.107876] kasan_save_free_info+0x4c/0x78 [ 18.108130] __kasan_slab_free+0x6c/0x98 [ 18.108277] kfree+0x214/0x3c8 [ 18.108463] ksize_uaf+0x11c/0x5f8 [ 18.108555] kunit_try_run_case+0x170/0x3f0 [ 18.108645] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.108734] kthread+0x328/0x630 [ 18.108806] ret_from_fork+0x10/0x20 [ 18.108885] [ 18.108931] The buggy address belongs to the object at fff00000c62d4d00 [ 18.108931] which belongs to the cache kmalloc-128 of size 128 [ 18.109065] The buggy address is located 120 bytes inside of [ 18.109065] freed 128-byte region [fff00000c62d4d00, fff00000c62d4d80) [ 18.109903] [ 18.110306] The buggy address belongs to the physical page: [ 18.110642] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1062d4 [ 18.110788] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.110921] page_type: f5(slab) [ 18.111039] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 18.111157] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.111249] page dumped because: kasan: bad access detected [ 18.111322] [ 18.111364] Memory state around the buggy address: [ 18.111439] fff00000c62d4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.111551] fff00000c62d4c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.111688] >fff00000c62d4d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.111821] ^ [ 18.111922] fff00000c62d4d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.112057] fff00000c62d4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.112147] ================================================================== [ 18.076992] ================================================================== [ 18.077107] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 18.077520] Read of size 1 at addr fff00000c62d4d00 by task kunit_try_catch/198 [ 18.077681] [ 18.077801] CPU: 1 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT [ 18.078063] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.078155] Hardware name: linux,dummy-virt (DT) [ 18.078226] Call trace: [ 18.078275] show_stack+0x20/0x38 (C) [ 18.078384] dump_stack_lvl+0x8c/0xd0 [ 18.078482] print_report+0x118/0x608 [ 18.078589] kasan_report+0xdc/0x128 [ 18.078697] __asan_report_load1_noabort+0x20/0x30 [ 18.078830] ksize_uaf+0x598/0x5f8 [ 18.079455] kunit_try_run_case+0x170/0x3f0 [ 18.079547] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.079672] kthread+0x328/0x630 [ 18.079780] ret_from_fork+0x10/0x20 [ 18.079896] [ 18.079936] Allocated by task 198: [ 18.079989] kasan_save_stack+0x3c/0x68 [ 18.080058] kasan_save_track+0x20/0x40 [ 18.080127] kasan_save_alloc_info+0x40/0x58 [ 18.080206] __kasan_kmalloc+0xd4/0xd8 [ 18.080282] __kmalloc_cache_noprof+0x15c/0x3c0 [ 18.080371] ksize_uaf+0xb8/0x5f8 [ 18.080672] kunit_try_run_case+0x170/0x3f0 [ 18.080939] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.081567] kthread+0x328/0x630 [ 18.081935] ret_from_fork+0x10/0x20 [ 18.082253] [ 18.082386] Freed by task 198: [ 18.082454] kasan_save_stack+0x3c/0x68 [ 18.083163] kasan_save_track+0x20/0x40 [ 18.083552] kasan_save_free_info+0x4c/0x78 [ 18.083634] __kasan_slab_free+0x6c/0x98 [ 18.083704] kfree+0x214/0x3c8 [ 18.083771] ksize_uaf+0x11c/0x5f8 [ 18.083848] kunit_try_run_case+0x170/0x3f0 [ 18.085306] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.085726] kthread+0x328/0x630 [ 18.086303] ret_from_fork+0x10/0x20 [ 18.086807] [ 18.086870] The buggy address belongs to the object at fff00000c62d4d00 [ 18.086870] which belongs to the cache kmalloc-128 of size 128 [ 18.087455] The buggy address is located 0 bytes inside of [ 18.087455] freed 128-byte region [fff00000c62d4d00, fff00000c62d4d80) [ 18.088056] [ 18.088105] The buggy address belongs to the physical page: [ 18.088172] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1062d4 [ 18.088820] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.089234] page_type: f5(slab) [ 18.089321] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 18.089922] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.090467] page dumped because: kasan: bad access detected [ 18.090553] [ 18.090597] Memory state around the buggy address: [ 18.090668] fff00000c62d4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.090774] fff00000c62d4c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.090875] >fff00000c62d4d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.090967] ^ [ 18.091031] fff00000c62d4d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.091136] fff00000c62d4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.091232] ================================================================== [ 18.066866] ================================================================== [ 18.067004] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 18.067428] Read of size 1 at addr fff00000c62d4d00 by task kunit_try_catch/198 [ 18.067938] [ 18.068035] CPU: 1 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT [ 18.068229] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.068284] Hardware name: linux,dummy-virt (DT) [ 18.068354] Call trace: [ 18.068405] show_stack+0x20/0x38 (C) [ 18.068518] dump_stack_lvl+0x8c/0xd0 [ 18.068633] print_report+0x118/0x608 [ 18.068732] kasan_report+0xdc/0x128 [ 18.069180] __kasan_check_byte+0x54/0x70 [ 18.069547] ksize+0x30/0x88 [ 18.069650] ksize_uaf+0x168/0x5f8 [ 18.069752] kunit_try_run_case+0x170/0x3f0 [ 18.069848] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.069952] kthread+0x328/0x630 [ 18.070039] ret_from_fork+0x10/0x20 [ 18.070140] [ 18.070185] Allocated by task 198: [ 18.070246] kasan_save_stack+0x3c/0x68 [ 18.070324] kasan_save_track+0x20/0x40 [ 18.070394] kasan_save_alloc_info+0x40/0x58 [ 18.070463] __kasan_kmalloc+0xd4/0xd8 [ 18.070587] __kmalloc_cache_noprof+0x15c/0x3c0 [ 18.070668] ksize_uaf+0xb8/0x5f8 [ 18.071154] kunit_try_run_case+0x170/0x3f0 [ 18.071265] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.071403] kthread+0x328/0x630 [ 18.071490] ret_from_fork+0x10/0x20 [ 18.071631] [ 18.071696] Freed by task 198: [ 18.071781] kasan_save_stack+0x3c/0x68 [ 18.071896] kasan_save_track+0x20/0x40 [ 18.072001] kasan_save_free_info+0x4c/0x78 [ 18.072085] __kasan_slab_free+0x6c/0x98 [ 18.072152] kfree+0x214/0x3c8 [ 18.072238] ksize_uaf+0x11c/0x5f8 [ 18.072302] kunit_try_run_case+0x170/0x3f0 [ 18.072380] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 18.072520] kthread+0x328/0x630 [ 18.072630] ret_from_fork+0x10/0x20 [ 18.072697] [ 18.072736] The buggy address belongs to the object at fff00000c62d4d00 [ 18.072736] which belongs to the cache kmalloc-128 of size 128 [ 18.073109] The buggy address is located 0 bytes inside of [ 18.073109] freed 128-byte region [fff00000c62d4d00, fff00000c62d4d80) [ 18.073258] [ 18.073304] The buggy address belongs to the physical page: [ 18.073380] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1062d4 [ 18.073517] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 18.073663] page_type: f5(slab) [ 18.073768] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 18.073874] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.073965] page dumped because: kasan: bad access detected [ 18.074042] [ 18.074093] Memory state around the buggy address: [ 18.074163] fff00000c62d4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.074611] fff00000c62d4c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.074766] >fff00000c62d4d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.074891] ^ [ 18.074980] fff00000c62d4d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.075115] fff00000c62d4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.075201] ==================================================================
[ 18.954687] ================================================================== [ 18.955082] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0 [ 18.955549] Read of size 1 at addr ffff888103199c00 by task kunit_try_catch/216 [ 18.956735] [ 18.957220] CPU: 0 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary) [ 18.957288] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.957304] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 18.957333] Call Trace: [ 18.957351] <TASK> [ 18.957372] dump_stack_lvl+0x73/0xb0 [ 18.957413] print_report+0xd1/0x650 [ 18.957947] ? __virt_addr_valid+0x1db/0x2d0 [ 18.958213] ? ksize_uaf+0x5fe/0x6c0 [ 18.958318] ? kasan_complete_mode_report_info+0x64/0x200 [ 18.958363] ? ksize_uaf+0x5fe/0x6c0 [ 18.958398] kasan_report+0x141/0x180 [ 18.958440] ? ksize_uaf+0x5fe/0x6c0 [ 18.958802] __asan_report_load1_noabort+0x18/0x20 [ 18.958839] ksize_uaf+0x5fe/0x6c0 [ 18.958873] ? __pfx_ksize_uaf+0x10/0x10 [ 18.958904] ? __schedule+0x10cc/0x2b30 [ 18.958937] ? __pfx_read_tsc+0x10/0x10 [ 18.958964] ? ktime_get_ts64+0x86/0x230 [ 18.959002] kunit_try_run_case+0x1a5/0x480 [ 18.959039] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.959071] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 18.959104] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 18.959138] ? __kthread_parkme+0x82/0x180 [ 18.959169] ? preempt_count_sub+0x50/0x80 [ 18.959204] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.959236] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.959268] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 18.959301] kthread+0x337/0x6f0 [ 18.959331] ? trace_preempt_on+0x20/0xc0 [ 18.959364] ? __pfx_kthread+0x10/0x10 [ 18.959395] ? _raw_spin_unlock_irq+0x47/0x80 [ 18.959427] ? calculate_sigpending+0x7b/0xa0 [ 18.959519] ? __pfx_kthread+0x10/0x10 [ 18.959595] ret_from_fork+0x41/0x80 [ 18.959667] ? __pfx_kthread+0x10/0x10 [ 18.959738] ret_from_fork_asm+0x1a/0x30 [ 18.959829] </TASK> [ 18.959867] [ 18.981226] Allocated by task 216: [ 18.982551] kasan_save_stack+0x45/0x70 [ 18.982873] kasan_save_track+0x18/0x40 [ 18.983265] kasan_save_alloc_info+0x3b/0x50 [ 18.984086] __kasan_kmalloc+0xb7/0xc0 [ 18.984471] __kmalloc_cache_noprof+0x189/0x420 [ 18.984907] ksize_uaf+0xaa/0x6c0 [ 18.985324] kunit_try_run_case+0x1a5/0x480 [ 18.985791] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.986524] kthread+0x337/0x6f0 [ 18.987162] ret_from_fork+0x41/0x80 [ 18.987613] ret_from_fork_asm+0x1a/0x30 [ 18.988074] [ 18.988294] Freed by task 216: [ 18.989129] kasan_save_stack+0x45/0x70 [ 18.989657] kasan_save_track+0x18/0x40 [ 18.989998] kasan_save_free_info+0x3f/0x60 [ 18.990429] __kasan_slab_free+0x56/0x70 [ 18.990918] kfree+0x222/0x3f0 [ 18.991276] ksize_uaf+0x12c/0x6c0 [ 18.991809] kunit_try_run_case+0x1a5/0x480 [ 18.992271] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.992848] kthread+0x337/0x6f0 [ 18.993246] ret_from_fork+0x41/0x80 [ 18.994002] ret_from_fork_asm+0x1a/0x30 [ 18.994372] [ 18.994711] The buggy address belongs to the object at ffff888103199c00 [ 18.994711] which belongs to the cache kmalloc-128 of size 128 [ 18.995611] The buggy address is located 0 bytes inside of [ 18.995611] freed 128-byte region [ffff888103199c00, ffff888103199c80) [ 18.996353] [ 18.996596] The buggy address belongs to the physical page: [ 18.997267] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103199 [ 18.997934] flags: 0x200000000000000(node=0|zone=2) [ 18.998587] page_type: f5(slab) [ 18.999103] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 18.999823] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.000413] page dumped because: kasan: bad access detected [ 19.000930] [ 19.001154] Memory state around the buggy address: [ 19.001553] ffff888103199b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.002750] ffff888103199b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.003522] >ffff888103199c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.003975] ^ [ 19.004346] ffff888103199c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.005093] ffff888103199d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.005709] ================================================================== [ 18.903970] ================================================================== [ 18.904804] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0 [ 18.905439] Read of size 1 at addr ffff888103199c00 by task kunit_try_catch/216 [ 18.906310] [ 18.906790] CPU: 0 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary) [ 18.906926] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.906985] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 18.907072] Call Trace: [ 18.907118] <TASK> [ 18.907175] dump_stack_lvl+0x73/0xb0 [ 18.907281] print_report+0xd1/0x650 [ 18.907392] ? __virt_addr_valid+0x1db/0x2d0 [ 18.907472] ? ksize_uaf+0x19d/0x6c0 [ 18.907559] ? kasan_complete_mode_report_info+0x64/0x200 [ 18.907632] ? ksize_uaf+0x19d/0x6c0 [ 18.907664] kasan_report+0x141/0x180 [ 18.907732] ? ksize_uaf+0x19d/0x6c0 [ 18.907814] ? ksize_uaf+0x19d/0x6c0 [ 18.907906] __kasan_check_byte+0x3d/0x50 [ 18.908013] ksize+0x20/0x60 [ 18.908086] ksize_uaf+0x19d/0x6c0 [ 18.908161] ? __pfx_ksize_uaf+0x10/0x10 [ 18.908233] ? __schedule+0x10cc/0x2b30 [ 18.908363] ? __pfx_read_tsc+0x10/0x10 [ 18.908436] ? ktime_get_ts64+0x86/0x230 [ 18.908543] kunit_try_run_case+0x1a5/0x480 [ 18.908595] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.908626] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 18.908660] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 18.908692] ? __kthread_parkme+0x82/0x180 [ 18.908723] ? preempt_count_sub+0x50/0x80 [ 18.908757] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.908788] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.908818] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 18.908850] kthread+0x337/0x6f0 [ 18.908879] ? trace_preempt_on+0x20/0xc0 [ 18.908912] ? __pfx_kthread+0x10/0x10 [ 18.908943] ? _raw_spin_unlock_irq+0x47/0x80 [ 18.908973] ? calculate_sigpending+0x7b/0xa0 [ 18.909002] ? __pfx_kthread+0x10/0x10 [ 18.909033] ret_from_fork+0x41/0x80 [ 18.909061] ? __pfx_kthread+0x10/0x10 [ 18.909091] ret_from_fork_asm+0x1a/0x30 [ 18.909134] </TASK> [ 18.909147] [ 18.925049] Allocated by task 216: [ 18.925388] kasan_save_stack+0x45/0x70 [ 18.925947] kasan_save_track+0x18/0x40 [ 18.926453] kasan_save_alloc_info+0x3b/0x50 [ 18.927208] __kasan_kmalloc+0xb7/0xc0 [ 18.927618] __kmalloc_cache_noprof+0x189/0x420 [ 18.928073] ksize_uaf+0xaa/0x6c0 [ 18.928418] kunit_try_run_case+0x1a5/0x480 [ 18.929626] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.930653] kthread+0x337/0x6f0 [ 18.931298] ret_from_fork+0x41/0x80 [ 18.931924] ret_from_fork_asm+0x1a/0x30 [ 18.932191] [ 18.932283] Freed by task 216: [ 18.932410] kasan_save_stack+0x45/0x70 [ 18.933240] kasan_save_track+0x18/0x40 [ 18.933971] kasan_save_free_info+0x3f/0x60 [ 18.934955] __kasan_slab_free+0x56/0x70 [ 18.935814] kfree+0x222/0x3f0 [ 18.936444] ksize_uaf+0x12c/0x6c0 [ 18.937182] kunit_try_run_case+0x1a5/0x480 [ 18.938040] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.938625] kthread+0x337/0x6f0 [ 18.938878] ret_from_fork+0x41/0x80 [ 18.939407] ret_from_fork_asm+0x1a/0x30 [ 18.939948] [ 18.940195] The buggy address belongs to the object at ffff888103199c00 [ 18.940195] which belongs to the cache kmalloc-128 of size 128 [ 18.941719] The buggy address is located 0 bytes inside of [ 18.941719] freed 128-byte region [ffff888103199c00, ffff888103199c80) [ 18.942912] [ 18.943097] The buggy address belongs to the physical page: [ 18.943615] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103199 [ 18.944189] flags: 0x200000000000000(node=0|zone=2) [ 18.945209] page_type: f5(slab) [ 18.945742] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 18.946878] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 18.947417] page dumped because: kasan: bad access detected [ 18.948346] [ 18.948539] Memory state around the buggy address: [ 18.949117] ffff888103199b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.949817] ffff888103199b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.950582] >ffff888103199c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 18.951255] ^ [ 18.951610] ffff888103199c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.952427] ffff888103199d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.953114] ================================================================== [ 19.008297] ================================================================== [ 19.009263] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0 [ 19.009952] Read of size 1 at addr ffff888103199c78 by task kunit_try_catch/216 [ 19.010519] [ 19.010883] CPU: 0 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary) [ 19.011008] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.011045] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 19.011101] Call Trace: [ 19.011141] <TASK> [ 19.011192] dump_stack_lvl+0x73/0xb0 [ 19.011267] print_report+0xd1/0x650 [ 19.011351] ? __virt_addr_valid+0x1db/0x2d0 [ 19.011428] ? ksize_uaf+0x5e4/0x6c0 [ 19.011521] ? kasan_complete_mode_report_info+0x64/0x200 [ 19.011599] ? ksize_uaf+0x5e4/0x6c0 [ 19.011674] kasan_report+0x141/0x180 [ 19.011753] ? ksize_uaf+0x5e4/0x6c0 [ 19.011850] __asan_report_load1_noabort+0x18/0x20 [ 19.011922] ksize_uaf+0x5e4/0x6c0 [ 19.011996] ? __pfx_ksize_uaf+0x10/0x10 [ 19.012074] ? __schedule+0x10cc/0x2b30 [ 19.012160] ? __pfx_read_tsc+0x10/0x10 [ 19.012234] ? ktime_get_ts64+0x86/0x230 [ 19.012316] kunit_try_run_case+0x1a5/0x480 [ 19.012415] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.012585] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 19.012625] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 19.012661] ? __kthread_parkme+0x82/0x180 [ 19.012692] ? preempt_count_sub+0x50/0x80 [ 19.012727] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.012761] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.012796] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 19.012829] kthread+0x337/0x6f0 [ 19.012858] ? trace_preempt_on+0x20/0xc0 [ 19.012891] ? __pfx_kthread+0x10/0x10 [ 19.012923] ? _raw_spin_unlock_irq+0x47/0x80 [ 19.012957] ? calculate_sigpending+0x7b/0xa0 [ 19.012987] ? __pfx_kthread+0x10/0x10 [ 19.013019] ret_from_fork+0x41/0x80 [ 19.013049] ? __pfx_kthread+0x10/0x10 [ 19.013080] ret_from_fork_asm+0x1a/0x30 [ 19.013123] </TASK> [ 19.013135] [ 19.031243] Allocated by task 216: [ 19.031425] kasan_save_stack+0x45/0x70 [ 19.031869] kasan_save_track+0x18/0x40 [ 19.032279] kasan_save_alloc_info+0x3b/0x50 [ 19.033859] __kasan_kmalloc+0xb7/0xc0 [ 19.034387] __kmalloc_cache_noprof+0x189/0x420 [ 19.035131] ksize_uaf+0xaa/0x6c0 [ 19.035755] kunit_try_run_case+0x1a5/0x480 [ 19.036246] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.037065] kthread+0x337/0x6f0 [ 19.037381] ret_from_fork+0x41/0x80 [ 19.037675] ret_from_fork_asm+0x1a/0x30 [ 19.038096] [ 19.038327] Freed by task 216: [ 19.038687] kasan_save_stack+0x45/0x70 [ 19.039087] kasan_save_track+0x18/0x40 [ 19.039484] kasan_save_free_info+0x3f/0x60 [ 19.040061] __kasan_slab_free+0x56/0x70 [ 19.040374] kfree+0x222/0x3f0 [ 19.040699] ksize_uaf+0x12c/0x6c0 [ 19.041005] kunit_try_run_case+0x1a5/0x480 [ 19.042000] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.042689] kthread+0x337/0x6f0 [ 19.043083] ret_from_fork+0x41/0x80 [ 19.043742] ret_from_fork_asm+0x1a/0x30 [ 19.044161] [ 19.044949] The buggy address belongs to the object at ffff888103199c00 [ 19.044949] which belongs to the cache kmalloc-128 of size 128 [ 19.046099] The buggy address is located 120 bytes inside of [ 19.046099] freed 128-byte region [ffff888103199c00, ffff888103199c80) [ 19.047015] [ 19.047327] The buggy address belongs to the physical page: [ 19.047875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103199 [ 19.048723] flags: 0x200000000000000(node=0|zone=2) [ 19.049268] page_type: f5(slab) [ 19.049861] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 19.050690] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.051340] page dumped because: kasan: bad access detected [ 19.052653] [ 19.052917] Memory state around the buggy address: [ 19.053452] ffff888103199b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.053965] ffff888103199b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.054892] >ffff888103199c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.055549] ^ [ 19.056148] ffff888103199c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.056827] ffff888103199d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.057880] ==================================================================
[ 20.213891] ================================================================== [ 20.214591] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8 [ 20.215203] Read of size 1 at addr ffff00000c992700 by task kunit_try_catch/254 [ 20.215870] [ 20.216027] CPU: 3 UID: 0 PID: 254 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT [ 20.216065] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.216075] Hardware name: Radxa ROCK Pi 4B (DT) [ 20.216088] Call trace: [ 20.216096] show_stack+0x20/0x38 (C) [ 20.216121] dump_stack_lvl+0x8c/0xd0 [ 20.216144] print_report+0x118/0x608 [ 20.216166] kasan_report+0xdc/0x128 [ 20.216186] __asan_report_load1_noabort+0x20/0x30 [ 20.216210] ksize_uaf+0x598/0x5f8 [ 20.216233] kunit_try_run_case+0x170/0x3f0 [ 20.216259] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.216288] kthread+0x328/0x630 [ 20.216313] ret_from_fork+0x10/0x20 [ 20.216337] [ 20.221807] Allocated by task 254: [ 20.222127] kasan_save_stack+0x3c/0x68 [ 20.222495] kasan_save_track+0x20/0x40 [ 20.222855] kasan_save_alloc_info+0x40/0x58 [ 20.223257] __kasan_kmalloc+0xd4/0xd8 [ 20.223610] __kmalloc_cache_noprof+0x15c/0x3c0 [ 20.224038] ksize_uaf+0xb8/0x5f8 [ 20.224357] kunit_try_run_case+0x170/0x3f0 [ 20.224752] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.225263] kthread+0x328/0x630 [ 20.225573] ret_from_fork+0x10/0x20 [ 20.225913] [ 20.226061] Freed by task 254: [ 20.226347] kasan_save_stack+0x3c/0x68 [ 20.226708] kasan_save_track+0x20/0x40 [ 20.227069] kasan_save_free_info+0x4c/0x78 [ 20.227461] __kasan_slab_free+0x6c/0x98 [ 20.227829] kfree+0x214/0x3c8 [ 20.228124] ksize_uaf+0x11c/0x5f8 [ 20.228450] kunit_try_run_case+0x170/0x3f0 [ 20.228845] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.229356] kthread+0x328/0x630 [ 20.229666] ret_from_fork+0x10/0x20 [ 20.230005] [ 20.230152] The buggy address belongs to the object at ffff00000c992700 [ 20.230152] which belongs to the cache kmalloc-128 of size 128 [ 20.231272] The buggy address is located 0 bytes inside of [ 20.231272] freed 128-byte region [ffff00000c992700, ffff00000c992780) [ 20.232356] [ 20.232503] The buggy address belongs to the physical page: [ 20.233012] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc992 [ 20.233723] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff) [ 20.234323] page_type: f5(slab) [ 20.234626] raw: 03fffe0000000000 ffff000000402a00 dead000000000122 0000000000000000 [ 20.235331] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 20.236028] page dumped because: kasan: bad access detected [ 20.236534] [ 20.236681] Memory state around the buggy address: [ 20.237121] ffff00000c992600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.237775] ffff00000c992680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.238430] >ffff00000c992700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.239082] ^ [ 20.239384] ffff00000c992780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.240039] ffff00000c992800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.240690] ================================================================== [ 20.241882] ================================================================== [ 20.242561] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8 [ 20.243160] Read of size 1 at addr ffff00000c992778 by task kunit_try_catch/254 [ 20.243826] [ 20.243981] CPU: 4 UID: 0 PID: 254 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT [ 20.244018] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.244028] Hardware name: Radxa ROCK Pi 4B (DT) [ 20.244039] Call trace: [ 20.244048] show_stack+0x20/0x38 (C) [ 20.244071] dump_stack_lvl+0x8c/0xd0 [ 20.244092] print_report+0x118/0x608 [ 20.244111] kasan_report+0xdc/0x128 [ 20.244130] __asan_report_load1_noabort+0x20/0x30 [ 20.244152] ksize_uaf+0x544/0x5f8 [ 20.244174] kunit_try_run_case+0x170/0x3f0 [ 20.244198] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.244224] kthread+0x328/0x630 [ 20.244247] ret_from_fork+0x10/0x20 [ 20.244268] [ 20.249733] Allocated by task 254: [ 20.250050] kasan_save_stack+0x3c/0x68 [ 20.250411] kasan_save_track+0x20/0x40 [ 20.250770] kasan_save_alloc_info+0x40/0x58 [ 20.251168] __kasan_kmalloc+0xd4/0xd8 [ 20.251519] __kmalloc_cache_noprof+0x15c/0x3c0 [ 20.251945] ksize_uaf+0xb8/0x5f8 [ 20.252262] kunit_try_run_case+0x170/0x3f0 [ 20.252654] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.253163] kthread+0x328/0x630 [ 20.253471] ret_from_fork+0x10/0x20 [ 20.253809] [ 20.253955] Freed by task 254: [ 20.254240] kasan_save_stack+0x3c/0x68 [ 20.254598] kasan_save_track+0x20/0x40 [ 20.254956] kasan_save_free_info+0x4c/0x78 [ 20.255347] __kasan_slab_free+0x6c/0x98 [ 20.255713] kfree+0x214/0x3c8 [ 20.256008] ksize_uaf+0x11c/0x5f8 [ 20.256332] kunit_try_run_case+0x170/0x3f0 [ 20.256723] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.257232] kthread+0x328/0x630 [ 20.257540] ret_from_fork+0x10/0x20 [ 20.257877] [ 20.258024] The buggy address belongs to the object at ffff00000c992700 [ 20.258024] which belongs to the cache kmalloc-128 of size 128 [ 20.259142] The buggy address is located 120 bytes inside of [ 20.259142] freed 128-byte region [ffff00000c992700, ffff00000c992780) [ 20.260239] [ 20.260384] The buggy address belongs to the physical page: [ 20.260888] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc992 [ 20.261599] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff) [ 20.262197] page_type: f5(slab) [ 20.262497] raw: 03fffe0000000000 ffff000000402a00 dead000000000122 0000000000000000 [ 20.263196] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 20.263891] page dumped because: kasan: bad access detected [ 20.264396] [ 20.264540] Memory state around the buggy address: [ 20.264978] ffff00000c992600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.265630] ffff00000c992680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.266283] >ffff00000c992700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.266932] ^ [ 20.267576] ffff00000c992780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.268228] ffff00000c992800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.268877] ================================================================== [ 20.184728] ================================================================== [ 20.185839] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8 [ 20.186466] Read of size 1 at addr ffff00000c992700 by task kunit_try_catch/254 [ 20.187144] [ 20.187309] CPU: 3 UID: 0 PID: 254 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT [ 20.187358] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.187373] Hardware name: Radxa ROCK Pi 4B (DT) [ 20.187390] Call trace: [ 20.187402] show_stack+0x20/0x38 (C) [ 20.187435] dump_stack_lvl+0x8c/0xd0 [ 20.187467] print_report+0x118/0x608 [ 20.187497] kasan_report+0xdc/0x128 [ 20.187525] __kasan_check_byte+0x54/0x70 [ 20.187554] ksize+0x30/0x88 [ 20.187580] ksize_uaf+0x168/0x5f8 [ 20.187613] kunit_try_run_case+0x170/0x3f0 [ 20.187648] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.187687] kthread+0x328/0x630 [ 20.187722] ret_from_fork+0x10/0x20 [ 20.187755] [ 20.193462] Allocated by task 254: [ 20.193789] kasan_save_stack+0x3c/0x68 [ 20.194163] kasan_save_track+0x20/0x40 [ 20.194535] kasan_save_alloc_info+0x40/0x58 [ 20.194949] __kasan_kmalloc+0xd4/0xd8 [ 20.195312] __kmalloc_cache_noprof+0x15c/0x3c0 [ 20.195755] ksize_uaf+0xb8/0x5f8 [ 20.196084] kunit_try_run_case+0x170/0x3f0 [ 20.196492] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.197016] kthread+0x328/0x630 [ 20.197340] ret_from_fork+0x10/0x20 [ 20.197690] [ 20.197843] Freed by task 254: [ 20.198138] kasan_save_stack+0x3c/0x68 [ 20.198510] kasan_save_track+0x20/0x40 [ 20.198880] kasan_save_free_info+0x4c/0x78 [ 20.199284] __kasan_slab_free+0x6c/0x98 [ 20.199665] kfree+0x214/0x3c8 [ 20.199972] ksize_uaf+0x11c/0x5f8 [ 20.200310] kunit_try_run_case+0x170/0x3f0 [ 20.200716] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.201242] kthread+0x328/0x630 [ 20.201564] ret_from_fork+0x10/0x20 [ 20.201914] [ 20.202068] The buggy address belongs to the object at ffff00000c992700 [ 20.202068] which belongs to the cache kmalloc-128 of size 128 [ 20.203203] The buggy address is located 0 bytes inside of [ 20.203203] freed 128-byte region [ffff00000c992700, ffff00000c992780) [ 20.204300] [ 20.204454] The buggy address belongs to the physical page: [ 20.204971] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc992 [ 20.205696] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff) [ 20.206309] page_type: f5(slab) [ 20.206624] raw: 03fffe0000000000 ffff000000402a00 dead000000000122 0000000000000000 [ 20.207341] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 20.208050] page dumped because: kasan: bad access detected [ 20.208566] [ 20.208718] Memory state around the buggy address: [ 20.209167] ffff00000c992600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.209834] ffff00000c992680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.210501] >ffff00000c992700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 20.211164] ^ [ 20.211475] ffff00000c992780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.212140] ffff00000c992800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.212802] ==================================================================