Date
June 8, 2025, 11:09 p.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 | |
| rk3399-rock-pi-4b |
[ 26.716993] ================================================================== [ 26.726179] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438 [ 26.732953] Read of size 16 at addr ffff000800c2f060 by task kunit_try_catch/215 [ 26.740326] [ 26.741813] CPU: 5 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 26.741873] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.741891] Hardware name: WinLink E850-96 board (DT) [ 26.741911] Call trace: [ 26.741925] show_stack+0x20/0x38 (C) [ 26.741959] dump_stack_lvl+0x8c/0xd0 [ 26.741996] print_report+0x118/0x608 [ 26.742031] kasan_report+0xdc/0x128 [ 26.742064] __asan_report_load16_noabort+0x20/0x30 [ 26.742104] kmalloc_uaf_16+0x3bc/0x438 [ 26.742134] kunit_try_run_case+0x170/0x3f0 [ 26.742169] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.742206] kthread+0x328/0x630 [ 26.742236] ret_from_fork+0x10/0x20 [ 26.742270] [ 26.804389] Allocated by task 215: [ 26.807776] kasan_save_stack+0x3c/0x68 [ 26.811595] kasan_save_track+0x20/0x40 [ 26.815411] kasan_save_alloc_info+0x40/0x58 [ 26.819665] __kasan_kmalloc+0xd4/0xd8 [ 26.823397] __kmalloc_cache_noprof+0x16c/0x3c0 [ 26.827911] kmalloc_uaf_16+0x140/0x438 [ 26.831731] kunit_try_run_case+0x170/0x3f0 [ 26.835897] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.841366] kthread+0x328/0x630 [ 26.844578] ret_from_fork+0x10/0x20 [ 26.848137] [ 26.849614] Freed by task 215: [ 26.852652] kasan_save_stack+0x3c/0x68 [ 26.856470] kasan_save_track+0x20/0x40 [ 26.860289] kasan_save_free_info+0x4c/0x78 [ 26.864456] __kasan_slab_free+0x6c/0x98 [ 26.868362] kfree+0x214/0x3c8 [ 26.871400] kmalloc_uaf_16+0x190/0x438 [ 26.875220] kunit_try_run_case+0x170/0x3f0 [ 26.879386] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.884855] kthread+0x328/0x630 [ 26.888067] ret_from_fork+0x10/0x20 [ 26.891626] [ 26.893103] The buggy address belongs to the object at ffff000800c2f060 [ 26.893103] which belongs to the cache kmalloc-16 of size 16 [ 26.905429] The buggy address is located 0 bytes inside of [ 26.905429] freed 16-byte region [ffff000800c2f060, ffff000800c2f070) [ 26.917406] [ 26.918886] The buggy address belongs to the physical page: [ 26.924441] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880c2f [ 26.932426] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 26.938935] page_type: f5(slab) [ 26.942071] raw: 0bfffe0000000000 ffff000800002640 dead000000000122 0000000000000000 [ 26.949792] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 26.957512] page dumped because: kasan: bad access detected [ 26.963065] [ 26.964541] Memory state around the buggy address: [ 26.969322] ffff000800c2ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.976524] ffff000800c2ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.983729] >ffff000800c2f000: 00 04 fc fc fa fb fc fc 00 00 fc fc fa fb fc fc [ 26.990930] ^ [ 26.997270] ffff000800c2f080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.004475] ffff000800c2f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.011679] ==================================================================
[ 25.250024] ================================================================== [ 25.250175] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438 [ 25.250310] Read of size 16 at addr fff00000c62bd2e0 by task kunit_try_catch/168 [ 25.250429] [ 25.250511] CPU: 0 UID: 0 PID: 168 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 25.250702] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.250814] Hardware name: linux,dummy-virt (DT) [ 25.250911] Call trace: [ 25.250989] show_stack+0x20/0x38 (C) [ 25.251191] dump_stack_lvl+0x8c/0xd0 [ 25.252971] print_report+0x118/0x608 [ 25.253120] kasan_report+0xdc/0x128 [ 25.253325] __asan_report_load16_noabort+0x20/0x30 [ 25.253478] kmalloc_uaf_16+0x3bc/0x438 [ 25.253600] kunit_try_run_case+0x170/0x3f0 [ 25.253741] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.254098] kthread+0x328/0x630 [ 25.254243] ret_from_fork+0x10/0x20 [ 25.254369] [ 25.254413] Allocated by task 168: [ 25.254541] kasan_save_stack+0x3c/0x68 [ 25.254747] kasan_save_track+0x20/0x40 [ 25.254875] kasan_save_alloc_info+0x40/0x58 [ 25.255040] __kasan_kmalloc+0xd4/0xd8 [ 25.255149] __kmalloc_cache_noprof+0x16c/0x3c0 [ 25.255269] kmalloc_uaf_16+0x140/0x438 [ 25.255405] kunit_try_run_case+0x170/0x3f0 [ 25.255544] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.255669] kthread+0x328/0x630 [ 25.255769] ret_from_fork+0x10/0x20 [ 25.255957] [ 25.256033] Freed by task 168: [ 25.256102] kasan_save_stack+0x3c/0x68 [ 25.256205] kasan_save_track+0x20/0x40 [ 25.256489] kasan_save_free_info+0x4c/0x78 [ 25.256639] __kasan_slab_free+0x6c/0x98 [ 25.256738] kfree+0x214/0x3c8 [ 25.256845] kmalloc_uaf_16+0x190/0x438 [ 25.256962] kunit_try_run_case+0x170/0x3f0 [ 25.257060] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.257188] kthread+0x328/0x630 [ 25.257365] ret_from_fork+0x10/0x20 [ 25.257555] [ 25.257606] The buggy address belongs to the object at fff00000c62bd2e0 [ 25.257606] which belongs to the cache kmalloc-16 of size 16 [ 25.257842] The buggy address is located 0 bytes inside of [ 25.257842] freed 16-byte region [fff00000c62bd2e0, fff00000c62bd2f0) [ 25.258100] [ 25.258155] The buggy address belongs to the physical page: [ 25.258238] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1062bd [ 25.258387] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 25.258634] page_type: f5(slab) [ 25.258745] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000 [ 25.259061] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 25.259285] page dumped because: kasan: bad access detected [ 25.259483] [ 25.259528] Memory state around the buggy address: [ 25.259686] fff00000c62bd180: 00 02 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 25.259836] fff00000c62bd200: fa fb fc fc fa fb fc fc 00 04 fc fc fa fb fc fc [ 25.260090] >fff00000c62bd280: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc [ 25.260186] ^ [ 25.260284] fff00000c62bd300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.260391] fff00000c62bd380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.260484] ==================================================================
[ 25.457243] ================================================================== [ 25.457362] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438 [ 25.457483] Read of size 16 at addr fff00000c56fe3c0 by task kunit_try_catch/168 [ 25.457666] [ 25.457710] CPU: 0 UID: 0 PID: 168 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 25.457946] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.458325] Hardware name: linux,dummy-virt (DT) [ 25.458740] Call trace: [ 25.458808] show_stack+0x20/0x38 (C) [ 25.458970] dump_stack_lvl+0x8c/0xd0 [ 25.459091] print_report+0x118/0x608 [ 25.459210] kasan_report+0xdc/0x128 [ 25.459330] __asan_report_load16_noabort+0x20/0x30 [ 25.459700] kmalloc_uaf_16+0x3bc/0x438 [ 25.460994] kunit_try_run_case+0x170/0x3f0 [ 25.461170] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.461306] kthread+0x328/0x630 [ 25.462629] ret_from_fork+0x10/0x20 [ 25.463747] [ 25.463811] Allocated by task 168: [ 25.464482] kasan_save_stack+0x3c/0x68 [ 25.464649] kasan_save_track+0x20/0x40 [ 25.465191] kasan_save_alloc_info+0x40/0x58 [ 25.465303] __kasan_kmalloc+0xd4/0xd8 [ 25.465709] __kmalloc_cache_noprof+0x16c/0x3c0 [ 25.465824] kmalloc_uaf_16+0x140/0x438 [ 25.465975] kunit_try_run_case+0x170/0x3f0 [ 25.466104] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.466405] kthread+0x328/0x630 [ 25.466640] ret_from_fork+0x10/0x20 [ 25.466814] [ 25.467382] Freed by task 168: [ 25.467463] kasan_save_stack+0x3c/0x68 [ 25.467913] kasan_save_track+0x20/0x40 [ 25.468335] kasan_save_free_info+0x4c/0x78 [ 25.468476] __kasan_slab_free+0x6c/0x98 [ 25.468577] kfree+0x214/0x3c8 [ 25.468683] kmalloc_uaf_16+0x190/0x438 [ 25.468791] kunit_try_run_case+0x170/0x3f0 [ 25.469472] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.469729] kthread+0x328/0x630 [ 25.469881] ret_from_fork+0x10/0x20 [ 25.469990] [ 25.470038] The buggy address belongs to the object at fff00000c56fe3c0 [ 25.470038] which belongs to the cache kmalloc-16 of size 16 [ 25.470178] The buggy address is located 0 bytes inside of [ 25.470178] freed 16-byte region [fff00000c56fe3c0, fff00000c56fe3d0) [ 25.470932] [ 25.470997] The buggy address belongs to the physical page: [ 25.471425] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1056fe [ 25.471616] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 25.471905] page_type: f5(slab) [ 25.472036] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000 [ 25.472178] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 25.472954] page dumped because: kasan: bad access detected [ 25.473163] [ 25.473212] Memory state around the buggy address: [ 25.473648] fff00000c56fe280: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 25.473915] fff00000c56fe300: fa fb fc fc 00 04 fc fc fa fb fc fc fa fb fc fc [ 25.474137] >fff00000c56fe380: fa fb fc fc 00 00 fc fc fa fb fc fc fc fc fc fc [ 25.474430] ^ [ 25.474744] fff00000c56fe400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.474870] fff00000c56fe480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.476408] ==================================================================
[ 18.811446] ================================================================== [ 18.812175] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0 [ 18.812978] Read of size 16 at addr ffff888101a90ba0 by task kunit_try_catch/186 [ 18.813610] [ 18.813859] CPU: 1 UID: 0 PID: 186 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 18.813990] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.814028] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 18.814136] Call Trace: [ 18.814181] <TASK> [ 18.814229] dump_stack_lvl+0x73/0xb0 [ 18.814319] print_report+0xd1/0x650 [ 18.814392] ? __virt_addr_valid+0x1db/0x2d0 [ 18.814465] ? kmalloc_uaf_16+0x47b/0x4c0 [ 18.814553] ? kasan_complete_mode_report_info+0x64/0x200 [ 18.814624] ? kmalloc_uaf_16+0x47b/0x4c0 [ 18.814691] kasan_report+0x141/0x180 [ 18.814762] ? kmalloc_uaf_16+0x47b/0x4c0 [ 18.814839] __asan_report_load16_noabort+0x18/0x20 [ 18.814918] kmalloc_uaf_16+0x47b/0x4c0 [ 18.815036] ? __pfx_kmalloc_uaf_16+0x10/0x10 [ 18.815138] ? __schedule+0x10cc/0x2b60 [ 18.815239] ? __pfx_read_tsc+0x10/0x10 [ 18.815314] ? ktime_get_ts64+0x86/0x230 [ 18.815393] kunit_try_run_case+0x1a5/0x480 [ 18.815479] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.815573] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 18.815616] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 18.815652] ? __kthread_parkme+0x82/0x180 [ 18.815684] ? preempt_count_sub+0x50/0x80 [ 18.815716] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.815754] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.815788] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 18.815822] kthread+0x337/0x6f0 [ 18.815852] ? __pfx_kthread+0x10/0x10 [ 18.815880] ? __pfx_kthread+0x10/0x10 [ 18.815909] ? recalc_sigpending+0x168/0x1f0 [ 18.815944] ? __pfx_kthread+0x10/0x10 [ 18.815974] ret_from_fork+0x116/0x1d0 [ 18.816000] ? __pfx_kthread+0x10/0x10 [ 18.816027] ret_from_fork_asm+0x1a/0x30 [ 18.816069] </TASK> [ 18.816084] [ 18.831616] Allocated by task 186: [ 18.832078] kasan_save_stack+0x45/0x70 [ 18.832676] kasan_save_track+0x18/0x40 [ 18.833098] kasan_save_alloc_info+0x3b/0x50 [ 18.833693] __kasan_kmalloc+0xb7/0xc0 [ 18.834072] __kmalloc_cache_noprof+0x189/0x420 [ 18.834637] kmalloc_uaf_16+0x15b/0x4c0 [ 18.834959] kunit_try_run_case+0x1a5/0x480 [ 18.835416] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.835982] kthread+0x337/0x6f0 [ 18.836460] ret_from_fork+0x116/0x1d0 [ 18.836890] ret_from_fork_asm+0x1a/0x30 [ 18.837426] [ 18.837738] Freed by task 186: [ 18.838066] kasan_save_stack+0x45/0x70 [ 18.838449] kasan_save_track+0x18/0x40 [ 18.838908] kasan_save_free_info+0x3f/0x60 [ 18.839454] __kasan_slab_free+0x56/0x70 [ 18.839914] kfree+0x222/0x3f0 [ 18.840339] kmalloc_uaf_16+0x1d6/0x4c0 [ 18.840763] kunit_try_run_case+0x1a5/0x480 [ 18.841104] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.841601] kthread+0x337/0x6f0 [ 18.842023] ret_from_fork+0x116/0x1d0 [ 18.842540] ret_from_fork_asm+0x1a/0x30 [ 18.843035] [ 18.843331] The buggy address belongs to the object at ffff888101a90ba0 [ 18.843331] which belongs to the cache kmalloc-16 of size 16 [ 18.844472] The buggy address is located 0 bytes inside of [ 18.844472] freed 16-byte region [ffff888101a90ba0, ffff888101a90bb0) [ 18.845516] [ 18.845782] The buggy address belongs to the physical page: [ 18.846388] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101a90 [ 18.847105] flags: 0x200000000000000(node=0|zone=2) [ 18.847644] page_type: f5(slab) [ 18.848034] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 18.848727] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 18.849486] page dumped because: kasan: bad access detected [ 18.850053] [ 18.850297] Memory state around the buggy address: [ 18.850661] ffff888101a90a80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 18.851140] ffff888101a90b00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 18.851895] >ffff888101a90b80: 00 00 fc fc fa fb fc fc fc fc fc fc fc fc fc fc [ 18.852616] ^ [ 18.853073] ffff888101a90c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.853753] ffff888101a90c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.854429] ==================================================================
[ 17.863163] ================================================================== [ 17.864255] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0 [ 17.864782] Read of size 16 at addr ffff888101e49e80 by task kunit_try_catch/186 [ 17.865831] [ 17.866055] CPU: 1 UID: 0 PID: 186 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary) [ 17.866122] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.866157] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 17.866189] Call Trace: [ 17.866205] <TASK> [ 17.866222] dump_stack_lvl+0x73/0xb0 [ 17.866274] print_report+0xd1/0x650 [ 17.866307] ? __virt_addr_valid+0x1db/0x2d0 [ 17.866339] ? kmalloc_uaf_16+0x47b/0x4c0 [ 17.866367] ? kasan_complete_mode_report_info+0x64/0x200 [ 17.866398] ? kmalloc_uaf_16+0x47b/0x4c0 [ 17.866426] kasan_report+0x141/0x180 [ 17.866456] ? kmalloc_uaf_16+0x47b/0x4c0 [ 17.866490] __asan_report_load16_noabort+0x18/0x20 [ 17.866931] kmalloc_uaf_16+0x47b/0x4c0 [ 17.867015] ? __pfx_kmalloc_uaf_16+0x10/0x10 [ 17.867120] ? __schedule+0x10cc/0x2b60 [ 17.867272] ? __pfx_read_tsc+0x10/0x10 [ 17.867346] ? ktime_get_ts64+0x86/0x230 [ 17.867424] kunit_try_run_case+0x1a5/0x480 [ 17.867519] ? __pfx_kunit_try_run_case+0x10/0x10 [ 17.867626] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 17.867710] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 17.867793] ? __kthread_parkme+0x82/0x180 [ 17.867859] ? preempt_count_sub+0x50/0x80 [ 17.867925] ? __pfx_kunit_try_run_case+0x10/0x10 [ 17.867965] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.868000] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 17.868034] kthread+0x337/0x6f0 [ 17.868061] ? trace_preempt_on+0x20/0xc0 [ 17.868092] ? __pfx_kthread+0x10/0x10 [ 17.868159] ? _raw_spin_unlock_irq+0x47/0x80 [ 17.868192] ? calculate_sigpending+0x7b/0xa0 [ 17.868227] ? __pfx_kthread+0x10/0x10 [ 17.868257] ret_from_fork+0x116/0x1d0 [ 17.868281] ? __pfx_kthread+0x10/0x10 [ 17.868309] ret_from_fork_asm+0x1a/0x30 [ 17.868350] </TASK> [ 17.868364] [ 17.889256] Allocated by task 186: [ 17.890830] kasan_save_stack+0x45/0x70 [ 17.891401] kasan_save_track+0x18/0x40 [ 17.893327] kasan_save_alloc_info+0x3b/0x50 [ 17.893983] __kasan_kmalloc+0xb7/0xc0 [ 17.895471] __kmalloc_cache_noprof+0x189/0x420 [ 17.896640] kmalloc_uaf_16+0x15b/0x4c0 [ 17.896950] kunit_try_run_case+0x1a5/0x480 [ 17.897262] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.897572] kthread+0x337/0x6f0 [ 17.897811] ret_from_fork+0x116/0x1d0 [ 17.899489] ret_from_fork_asm+0x1a/0x30 [ 17.899953] [ 17.900194] Freed by task 186: [ 17.900520] kasan_save_stack+0x45/0x70 [ 17.901108] kasan_save_track+0x18/0x40 [ 17.901911] kasan_save_free_info+0x3f/0x60 [ 17.902678] __kasan_slab_free+0x56/0x70 [ 17.903230] kfree+0x222/0x3f0 [ 17.903837] kmalloc_uaf_16+0x1d6/0x4c0 [ 17.904947] kunit_try_run_case+0x1a5/0x480 [ 17.905857] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 17.906914] kthread+0x337/0x6f0 [ 17.907463] ret_from_fork+0x116/0x1d0 [ 17.908351] ret_from_fork_asm+0x1a/0x30 [ 17.908913] [ 17.909084] The buggy address belongs to the object at ffff888101e49e80 [ 17.909084] which belongs to the cache kmalloc-16 of size 16 [ 17.910914] The buggy address is located 0 bytes inside of [ 17.910914] freed 16-byte region [ffff888101e49e80, ffff888101e49e90) [ 17.912793] [ 17.913053] The buggy address belongs to the physical page: [ 17.913957] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101e49 [ 17.915175] flags: 0x200000000000000(node=0|zone=2) [ 17.915939] page_type: f5(slab) [ 17.916253] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 17.917524] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 17.918220] page dumped because: kasan: bad access detected [ 17.919059] [ 17.919251] Memory state around the buggy address: [ 17.920342] ffff888101e49d80: 00 02 fc fc 00 02 fc fc 00 02 fc fc fa fb fc fc [ 17.920948] ffff888101e49e00: fa fb fc fc fa fb fc fc fa fb fc fc 00 00 fc fc [ 17.921632] >ffff888101e49e80: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.922937] ^ [ 17.923556] ffff888101e49f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.924183] ffff888101e49f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.924797] ==================================================================
[ 20.471508] ================================================================== [ 20.472573] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438 [ 20.473253] Read of size 16 at addr ffff00000101a200 by task kunit_try_catch/221 [ 20.473967] [ 20.474148] CPU: 2 UID: 0 PID: 221 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT [ 20.474227] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.474249] Hardware name: Radxa ROCK Pi 4B (DT) [ 20.474276] Call trace: [ 20.474294] show_stack+0x20/0x38 (C) [ 20.474347] dump_stack_lvl+0x8c/0xd0 [ 20.474403] print_report+0x118/0x608 [ 20.474458] kasan_report+0xdc/0x128 [ 20.474509] __asan_report_load16_noabort+0x20/0x30 [ 20.474572] kmalloc_uaf_16+0x3bc/0x438 [ 20.474619] kunit_try_run_case+0x170/0x3f0 [ 20.474674] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.474736] kthread+0x328/0x630 [ 20.474778] ret_from_fork+0x10/0x20 [ 20.474829] [ 20.480489] Allocated by task 221: [ 20.480835] kasan_save_stack+0x3c/0x68 [ 20.481244] kasan_save_track+0x20/0x40 [ 20.481648] kasan_save_alloc_info+0x40/0x58 [ 20.482094] __kasan_kmalloc+0xd4/0xd8 [ 20.482489] __kmalloc_cache_noprof+0x16c/0x3c0 [ 20.482955] kmalloc_uaf_16+0x140/0x438 [ 20.483352] kunit_try_run_case+0x170/0x3f0 [ 20.483786] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.484342] kthread+0x328/0x630 [ 20.484684] ret_from_fork+0x10/0x20 [ 20.485061] [ 20.485229] Freed by task 221: [ 20.485541] kasan_save_stack+0x3c/0x68 [ 20.485945] kasan_save_track+0x20/0x40 [ 20.486346] kasan_save_free_info+0x4c/0x78 [ 20.486785] __kasan_slab_free+0x6c/0x98 [ 20.487196] kfree+0x214/0x3c8 [ 20.487524] kmalloc_uaf_16+0x190/0x438 [ 20.487922] kunit_try_run_case+0x170/0x3f0 [ 20.488355] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.488911] kthread+0x328/0x630 [ 20.489251] ret_from_fork+0x10/0x20 [ 20.489627] [ 20.489795] The buggy address belongs to the object at ffff00000101a200 [ 20.489795] which belongs to the cache kmalloc-16 of size 16 [ 20.490942] The buggy address is located 0 bytes inside of [ 20.490942] freed 16-byte region [ffff00000101a200, ffff00000101a210) [ 20.492063] [ 20.492232] The buggy address belongs to the physical page: [ 20.492766] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101a [ 20.493520] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff) [ 20.494159] page_type: f5(slab) [ 20.494496] raw: 03fffe0000000000 ffff000000402640 dead000000000122 0000000000000000 [ 20.495241] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 20.495972] page dumped because: kasan: bad access detected [ 20.496506] [ 20.496673] Memory state around the buggy address: [ 20.497141] ffff00000101a100: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 20.497833] ffff00000101a180: fa fb fc fc fa fb fc fc fa fb fc fc 00 00 fc fc [ 20.498524] >ffff00000101a200: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.499208] ^ [ 20.499539] ffff00000101a280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.500230] ffff00000101a300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.500915] ==================================================================