Date
June 8, 2025, 11:09 p.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 | |
| rk3399-rock-pi-4b |
[ 29.080260] ================================================================== [ 29.090381] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338 [ 29.096889] Read of size 1 at addr ffff000800c2f088 by task kunit_try_catch/231 [ 29.104179] [ 29.105666] CPU: 5 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 29.105728] Tainted: [B]=BAD_PAGE, [N]=TEST [ 29.105746] Hardware name: WinLink E850-96 board (DT) [ 29.105769] Call trace: [ 29.105782] show_stack+0x20/0x38 (C) [ 29.105817] dump_stack_lvl+0x8c/0xd0 [ 29.105854] print_report+0x118/0x608 [ 29.105892] kasan_report+0xdc/0x128 [ 29.105924] __asan_report_load1_noabort+0x20/0x30 [ 29.105966] kmalloc_uaf+0x300/0x338 [ 29.105992] kunit_try_run_case+0x170/0x3f0 [ 29.106028] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.106067] kthread+0x328/0x630 [ 29.106098] ret_from_fork+0x10/0x20 [ 29.106135] [ 29.167895] Allocated by task 231: [ 29.171282] kasan_save_stack+0x3c/0x68 [ 29.175099] kasan_save_track+0x20/0x40 [ 29.178918] kasan_save_alloc_info+0x40/0x58 [ 29.183171] __kasan_kmalloc+0xd4/0xd8 [ 29.186904] __kmalloc_cache_noprof+0x16c/0x3c0 [ 29.191417] kmalloc_uaf+0xb8/0x338 [ 29.194890] kunit_try_run_case+0x170/0x3f0 [ 29.199056] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.204525] kthread+0x328/0x630 [ 29.207737] ret_from_fork+0x10/0x20 [ 29.211296] [ 29.212771] Freed by task 231: [ 29.215809] kasan_save_stack+0x3c/0x68 [ 29.219629] kasan_save_track+0x20/0x40 [ 29.223450] kasan_save_free_info+0x4c/0x78 [ 29.227615] __kasan_slab_free+0x6c/0x98 [ 29.231521] kfree+0x214/0x3c8 [ 29.234559] kmalloc_uaf+0x11c/0x338 [ 29.238118] kunit_try_run_case+0x170/0x3f0 [ 29.242286] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.247753] kthread+0x328/0x630 [ 29.250965] ret_from_fork+0x10/0x20 [ 29.254524] [ 29.256001] The buggy address belongs to the object at ffff000800c2f080 [ 29.256001] which belongs to the cache kmalloc-16 of size 16 [ 29.268328] The buggy address is located 8 bytes inside of [ 29.268328] freed 16-byte region [ffff000800c2f080, ffff000800c2f090) [ 29.280305] [ 29.281783] The buggy address belongs to the physical page: [ 29.287340] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880c2f [ 29.295325] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 29.301835] page_type: f5(slab) [ 29.304971] raw: 0bfffe0000000000 ffff000800002640 dead000000000122 0000000000000000 [ 29.312690] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 29.320410] page dumped because: kasan: bad access detected [ 29.325964] [ 29.327440] Memory state around the buggy address: [ 29.332222] ffff000800c2ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.339424] ffff000800c2f000: 00 04 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 29.346627] >ffff000800c2f080: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.353828] ^ [ 29.357305] ffff000800c2f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.364509] ffff000800c2f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.371713] ==================================================================
[ 25.542277] ================================================================== [ 25.542410] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338 [ 25.542543] Read of size 1 at addr fff00000c62bd308 by task kunit_try_catch/184 [ 25.542719] [ 25.542790] CPU: 0 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 25.543020] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.543088] Hardware name: linux,dummy-virt (DT) [ 25.543187] Call trace: [ 25.543250] show_stack+0x20/0x38 (C) [ 25.543436] dump_stack_lvl+0x8c/0xd0 [ 25.543580] print_report+0x118/0x608 [ 25.543713] kasan_report+0xdc/0x128 [ 25.543838] __asan_report_load1_noabort+0x20/0x30 [ 25.544100] kmalloc_uaf+0x300/0x338 [ 25.544315] kunit_try_run_case+0x170/0x3f0 [ 25.544540] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.544770] kthread+0x328/0x630 [ 25.545043] ret_from_fork+0x10/0x20 [ 25.545401] [ 25.545455] Allocated by task 184: [ 25.545655] kasan_save_stack+0x3c/0x68 [ 25.545914] kasan_save_track+0x20/0x40 [ 25.546204] kasan_save_alloc_info+0x40/0x58 [ 25.546312] __kasan_kmalloc+0xd4/0xd8 [ 25.546420] __kmalloc_cache_noprof+0x16c/0x3c0 [ 25.546710] kmalloc_uaf+0xb8/0x338 [ 25.546997] kunit_try_run_case+0x170/0x3f0 [ 25.547104] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.547226] kthread+0x328/0x630 [ 25.547369] ret_from_fork+0x10/0x20 [ 25.547517] [ 25.547573] Freed by task 184: [ 25.547652] kasan_save_stack+0x3c/0x68 [ 25.547761] kasan_save_track+0x20/0x40 [ 25.547871] kasan_save_free_info+0x4c/0x78 [ 25.548119] __kasan_slab_free+0x6c/0x98 [ 25.548385] kfree+0x214/0x3c8 [ 25.548532] kmalloc_uaf+0x11c/0x338 [ 25.548652] kunit_try_run_case+0x170/0x3f0 [ 25.548757] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.548889] kthread+0x328/0x630 [ 25.549045] ret_from_fork+0x10/0x20 [ 25.549145] [ 25.549204] The buggy address belongs to the object at fff00000c62bd300 [ 25.549204] which belongs to the cache kmalloc-16 of size 16 [ 25.549438] The buggy address is located 8 bytes inside of [ 25.549438] freed 16-byte region [fff00000c62bd300, fff00000c62bd310) [ 25.549588] [ 25.549683] The buggy address belongs to the physical page: [ 25.549764] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1062bd [ 25.549988] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 25.550239] page_type: f5(slab) [ 25.550332] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000 [ 25.550455] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 25.550554] page dumped because: kasan: bad access detected [ 25.550633] [ 25.550676] Memory state around the buggy address: [ 25.550798] fff00000c62bd200: fa fb fc fc fa fb fc fc 00 04 fc fc fa fb fc fc [ 25.551005] fff00000c62bd280: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 25.551139] >fff00000c62bd300: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.551324] ^ [ 25.551406] fff00000c62bd380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.551584] fff00000c62bd400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.551760] ==================================================================
[ 25.777992] ================================================================== [ 25.778228] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338 [ 25.778453] Read of size 1 at addr fff00000c56fe3e8 by task kunit_try_catch/184 [ 25.778787] [ 25.778905] CPU: 0 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 25.779128] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.779248] Hardware name: linux,dummy-virt (DT) [ 25.779341] Call trace: [ 25.779394] show_stack+0x20/0x38 (C) [ 25.779542] dump_stack_lvl+0x8c/0xd0 [ 25.779923] print_report+0x118/0x608 [ 25.780129] kasan_report+0xdc/0x128 [ 25.780243] __asan_report_load1_noabort+0x20/0x30 [ 25.780373] kmalloc_uaf+0x300/0x338 [ 25.780478] kunit_try_run_case+0x170/0x3f0 [ 25.780596] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.780724] kthread+0x328/0x630 [ 25.780826] ret_from_fork+0x10/0x20 [ 25.780964] [ 25.781007] Allocated by task 184: [ 25.781103] kasan_save_stack+0x3c/0x68 [ 25.781230] kasan_save_track+0x20/0x40 [ 25.781337] kasan_save_alloc_info+0x40/0x58 [ 25.781457] __kasan_kmalloc+0xd4/0xd8 [ 25.781778] __kmalloc_cache_noprof+0x16c/0x3c0 [ 25.782085] kmalloc_uaf+0xb8/0x338 [ 25.782192] kunit_try_run_case+0x170/0x3f0 [ 25.782298] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.782441] kthread+0x328/0x630 [ 25.782546] ret_from_fork+0x10/0x20 [ 25.782690] [ 25.782739] Freed by task 184: [ 25.782814] kasan_save_stack+0x3c/0x68 [ 25.783332] kasan_save_track+0x20/0x40 [ 25.783584] kasan_save_free_info+0x4c/0x78 [ 25.783733] __kasan_slab_free+0x6c/0x98 [ 25.783863] kfree+0x214/0x3c8 [ 25.784092] kmalloc_uaf+0x11c/0x338 [ 25.784181] kunit_try_run_case+0x170/0x3f0 [ 25.784286] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.784590] kthread+0x328/0x630 [ 25.784727] ret_from_fork+0x10/0x20 [ 25.784875] [ 25.784935] The buggy address belongs to the object at fff00000c56fe3e0 [ 25.784935] which belongs to the cache kmalloc-16 of size 16 [ 25.785123] The buggy address is located 8 bytes inside of [ 25.785123] freed 16-byte region [fff00000c56fe3e0, fff00000c56fe3f0) [ 25.785697] [ 25.785773] The buggy address belongs to the physical page: [ 25.785871] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1056fe [ 25.786005] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 25.786138] page_type: f5(slab) [ 25.786239] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000 [ 25.786393] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 25.786571] page dumped because: kasan: bad access detected [ 25.786751] [ 25.787082] Memory state around the buggy address: [ 25.787216] fff00000c56fe280: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 25.787331] fff00000c56fe300: fa fb fc fc 00 04 fc fc fa fb fc fc fa fb fc fc [ 25.787457] >fff00000c56fe380: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 25.787786] ^ [ 25.787912] fff00000c56fe400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.788024] fff00000c56fe480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.788124] ==================================================================
[ 19.262224] ================================================================== [ 19.263376] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380 [ 19.264141] Read of size 1 at addr ffff888101a90bc8 by task kunit_try_catch/202 [ 19.264681] [ 19.264892] CPU: 1 UID: 0 PID: 202 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 19.265005] Tainted: [B]=BAD_PAGE, [N]=TEST [ 19.265038] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 19.265090] Call Trace: [ 19.265125] <TASK> [ 19.265170] dump_stack_lvl+0x73/0xb0 [ 19.265252] print_report+0xd1/0x650 [ 19.265317] ? __virt_addr_valid+0x1db/0x2d0 [ 19.265385] ? kmalloc_uaf+0x320/0x380 [ 19.265446] ? kasan_complete_mode_report_info+0x64/0x200 [ 19.265535] ? kmalloc_uaf+0x320/0x380 [ 19.265599] kasan_report+0x141/0x180 [ 19.265679] ? kmalloc_uaf+0x320/0x380 [ 19.265753] __asan_report_load1_noabort+0x18/0x20 [ 19.265825] kmalloc_uaf+0x320/0x380 [ 19.265887] ? __pfx_kmalloc_uaf+0x10/0x10 [ 19.265950] ? __schedule+0x10cc/0x2b60 [ 19.266021] ? __pfx_read_tsc+0x10/0x10 [ 19.266088] ? ktime_get_ts64+0x86/0x230 [ 19.266157] kunit_try_run_case+0x1a5/0x480 [ 19.266231] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.266301] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 19.266362] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 19.266426] ? __kthread_parkme+0x82/0x180 [ 19.266486] ? preempt_count_sub+0x50/0x80 [ 19.266581] ? __pfx_kunit_try_run_case+0x10/0x10 [ 19.266647] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.266715] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 19.266786] kthread+0x337/0x6f0 [ 19.266852] ? trace_preempt_on+0x20/0xc0 [ 19.266928] ? __pfx_kthread+0x10/0x10 [ 19.267325] ? _raw_spin_unlock_irq+0x47/0x80 [ 19.267412] ? calculate_sigpending+0x7b/0xa0 [ 19.267494] ? __pfx_kthread+0x10/0x10 [ 19.267703] ret_from_fork+0x116/0x1d0 [ 19.267772] ? __pfx_kthread+0x10/0x10 [ 19.267842] ret_from_fork_asm+0x1a/0x30 [ 19.268028] </TASK> [ 19.268069] [ 19.289579] Allocated by task 202: [ 19.290021] kasan_save_stack+0x45/0x70 [ 19.291024] kasan_save_track+0x18/0x40 [ 19.291823] kasan_save_alloc_info+0x3b/0x50 [ 19.292520] __kasan_kmalloc+0xb7/0xc0 [ 19.292999] __kmalloc_cache_noprof+0x189/0x420 [ 19.293806] kmalloc_uaf+0xaa/0x380 [ 19.294150] kunit_try_run_case+0x1a5/0x480 [ 19.294989] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.295472] kthread+0x337/0x6f0 [ 19.295996] ret_from_fork+0x116/0x1d0 [ 19.296422] ret_from_fork_asm+0x1a/0x30 [ 19.297004] [ 19.297272] Freed by task 202: [ 19.297897] kasan_save_stack+0x45/0x70 [ 19.298326] kasan_save_track+0x18/0x40 [ 19.298750] kasan_save_free_info+0x3f/0x60 [ 19.299123] __kasan_slab_free+0x56/0x70 [ 19.299588] kfree+0x222/0x3f0 [ 19.299956] kmalloc_uaf+0x12c/0x380 [ 19.300684] kunit_try_run_case+0x1a5/0x480 [ 19.301083] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 19.301722] kthread+0x337/0x6f0 [ 19.302097] ret_from_fork+0x116/0x1d0 [ 19.302671] ret_from_fork_asm+0x1a/0x30 [ 19.303102] [ 19.303377] The buggy address belongs to the object at ffff888101a90bc0 [ 19.303377] which belongs to the cache kmalloc-16 of size 16 [ 19.304731] The buggy address is located 8 bytes inside of [ 19.304731] freed 16-byte region [ffff888101a90bc0, ffff888101a90bd0) [ 19.305693] [ 19.305896] The buggy address belongs to the physical page: [ 19.306426] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101a90 [ 19.307030] flags: 0x200000000000000(node=0|zone=2) [ 19.307441] page_type: f5(slab) [ 19.308018] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 19.308888] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 19.309475] page dumped because: kasan: bad access detected [ 19.310164] [ 19.310452] Memory state around the buggy address: [ 19.311206] ffff888101a90a80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 19.312004] ffff888101a90b00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 19.312802] >ffff888101a90b80: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc [ 19.313363] ^ [ 19.313987] ffff888101a90c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.314810] ffff888101a90c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.315397] ==================================================================
[ 18.297156] ================================================================== [ 18.298185] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380 [ 18.298787] Read of size 1 at addr ffff888101e49ea8 by task kunit_try_catch/202 [ 18.299534] [ 18.300223] CPU: 1 UID: 0 PID: 202 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 18.300717] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.300735] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 18.300765] Call Trace: [ 18.300780] <TASK> [ 18.300798] dump_stack_lvl+0x73/0xb0 [ 18.300842] print_report+0xd1/0x650 [ 18.300874] ? __virt_addr_valid+0x1db/0x2d0 [ 18.300934] ? kmalloc_uaf+0x320/0x380 [ 18.300964] ? kasan_complete_mode_report_info+0x64/0x200 [ 18.300994] ? kmalloc_uaf+0x320/0x380 [ 18.301023] kasan_report+0x141/0x180 [ 18.301054] ? kmalloc_uaf+0x320/0x380 [ 18.301088] __asan_report_load1_noabort+0x18/0x20 [ 18.301151] kmalloc_uaf+0x320/0x380 [ 18.301184] ? __pfx_kmalloc_uaf+0x10/0x10 [ 18.301215] ? __schedule+0x10cc/0x2b60 [ 18.301247] ? __pfx_read_tsc+0x10/0x10 [ 18.301275] ? ktime_get_ts64+0x86/0x230 [ 18.301307] kunit_try_run_case+0x1a5/0x480 [ 18.301342] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.301375] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 18.301406] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 18.301439] ? __kthread_parkme+0x82/0x180 [ 18.301466] ? preempt_count_sub+0x50/0x80 [ 18.301496] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.301604] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.301657] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 18.301693] kthread+0x337/0x6f0 [ 18.301720] ? trace_preempt_on+0x20/0xc0 [ 18.301753] ? __pfx_kthread+0x10/0x10 [ 18.301781] ? _raw_spin_unlock_irq+0x47/0x80 [ 18.301811] ? calculate_sigpending+0x7b/0xa0 [ 18.301845] ? __pfx_kthread+0x10/0x10 [ 18.301873] ret_from_fork+0x116/0x1d0 [ 18.301930] ? __pfx_kthread+0x10/0x10 [ 18.301960] ret_from_fork_asm+0x1a/0x30 [ 18.302002] </TASK> [ 18.302017] [ 18.322640] Allocated by task 202: [ 18.323033] kasan_save_stack+0x45/0x70 [ 18.324115] kasan_save_track+0x18/0x40 [ 18.324459] kasan_save_alloc_info+0x3b/0x50 [ 18.325021] __kasan_kmalloc+0xb7/0xc0 [ 18.325698] __kmalloc_cache_noprof+0x189/0x420 [ 18.326040] kmalloc_uaf+0xaa/0x380 [ 18.326960] kunit_try_run_case+0x1a5/0x480 [ 18.327500] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.328293] kthread+0x337/0x6f0 [ 18.328895] ret_from_fork+0x116/0x1d0 [ 18.329249] ret_from_fork_asm+0x1a/0x30 [ 18.329801] [ 18.330039] Freed by task 202: [ 18.330327] kasan_save_stack+0x45/0x70 [ 18.330805] kasan_save_track+0x18/0x40 [ 18.331204] kasan_save_free_info+0x3f/0x60 [ 18.332319] __kasan_slab_free+0x56/0x70 [ 18.332805] kfree+0x222/0x3f0 [ 18.333440] kmalloc_uaf+0x12c/0x380 [ 18.333786] kunit_try_run_case+0x1a5/0x480 [ 18.334292] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.334831] kthread+0x337/0x6f0 [ 18.335301] ret_from_fork+0x116/0x1d0 [ 18.335992] ret_from_fork_asm+0x1a/0x30 [ 18.336420] [ 18.336660] The buggy address belongs to the object at ffff888101e49ea0 [ 18.336660] which belongs to the cache kmalloc-16 of size 16 [ 18.337614] The buggy address is located 8 bytes inside of [ 18.337614] freed 16-byte region [ffff888101e49ea0, ffff888101e49eb0) [ 18.338899] [ 18.339142] The buggy address belongs to the physical page: [ 18.339703] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101e49 [ 18.340299] flags: 0x200000000000000(node=0|zone=2) [ 18.340926] page_type: f5(slab) [ 18.341290] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 18.341786] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 18.342486] page dumped because: kasan: bad access detected [ 18.343010] [ 18.343198] Memory state around the buggy address: [ 18.344049] ffff888101e49d80: 00 02 fc fc 00 02 fc fc 00 02 fc fc fa fb fc fc [ 18.344982] ffff888101e49e00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 18.345494] >ffff888101e49e80: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc [ 18.346243] ^ [ 18.346657] ffff888101e49f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.347299] ffff888101e49f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.347829] ==================================================================
[ 20.704225] ================================================================== [ 20.705366] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338 [ 20.705994] Read of size 1 at addr ffff000001e6e6e8 by task kunit_try_catch/237 [ 20.706672] [ 20.706836] CPU: 1 UID: 0 PID: 237 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 20.706887] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.706901] Hardware name: Radxa ROCK Pi 4B (DT) [ 20.706918] Call trace: [ 20.706930] show_stack+0x20/0x38 (C) [ 20.706963] dump_stack_lvl+0x8c/0xd0 [ 20.706999] print_report+0x118/0x608 [ 20.707033] kasan_report+0xdc/0x128 [ 20.707064] __asan_report_load1_noabort+0x20/0x30 [ 20.707101] kmalloc_uaf+0x300/0x338 [ 20.707129] kunit_try_run_case+0x170/0x3f0 [ 20.707163] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.707200] kthread+0x328/0x630 [ 20.707227] ret_from_fork+0x10/0x20 [ 20.707259] [ 20.712785] Allocated by task 237: [ 20.713111] kasan_save_stack+0x3c/0x68 [ 20.713489] kasan_save_track+0x20/0x40 [ 20.713863] kasan_save_alloc_info+0x40/0x58 [ 20.714278] __kasan_kmalloc+0xd4/0xd8 [ 20.714647] __kmalloc_cache_noprof+0x16c/0x3c0 [ 20.715083] kmalloc_uaf+0xb8/0x338 [ 20.715424] kunit_try_run_case+0x170/0x3f0 [ 20.715829] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.716353] kthread+0x328/0x630 [ 20.716670] ret_from_fork+0x10/0x20 [ 20.717020] [ 20.717172] Freed by task 237: [ 20.717466] kasan_save_stack+0x3c/0x68 [ 20.717842] kasan_save_track+0x20/0x40 [ 20.718217] kasan_save_free_info+0x4c/0x78 [ 20.718625] __kasan_slab_free+0x6c/0x98 [ 20.719009] kfree+0x214/0x3c8 [ 20.719312] kmalloc_uaf+0x11c/0x338 [ 20.719660] kunit_try_run_case+0x170/0x3f0 [ 20.720066] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.720589] kthread+0x328/0x630 [ 20.720905] ret_from_fork+0x10/0x20 [ 20.721254] [ 20.721407] The buggy address belongs to the object at ffff000001e6e6e0 [ 20.721407] which belongs to the cache kmalloc-16 of size 16 [ 20.722524] The buggy address is located 8 bytes inside of [ 20.722524] freed 16-byte region [ffff000001e6e6e0, ffff000001e6e6f0) [ 20.723613] [ 20.723767] The buggy address belongs to the physical page: [ 20.724282] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e6e [ 20.725007] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff) [ 20.725618] page_type: f5(slab) [ 20.725931] raw: 03fffe0000000000 ffff000000402640 dead000000000122 0000000000000000 [ 20.726647] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 20.727354] page dumped because: kasan: bad access detected [ 20.727869] [ 20.728020] Memory state around the buggy address: [ 20.728469] ffff000001e6e580: 00 05 fc fc 00 05 fc fc 00 05 fc fc fa fb fc fc [ 20.729135] ffff000001e6e600: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 20.729800] >ffff000001e6e680: 00 05 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 20.730462] ^ [ 20.731070] ffff000001e6e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.731735] ffff000001e6e780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.732396] ==================================================================