Date
June 8, 2025, 11:09 p.m.
Environment |
---|
e850-96 |
qemu-arm64 |
qemu-x86_64 |
rk3399-rock-pi-4b |
```
[ 29.380671] ==================================================================
[ 29.389426] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[ 29.396538] Write of size 33 at addr ffff000800d62280 by task kunit_try_catch/233
[ 29.404001]
[ 29.405489] CPU: 7 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT
[ 29.405548] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 29.405567] Hardware name: WinLink E850-96 board (DT)
[ 29.405588] Call trace:
[ 29.405602]  show_stack+0x20/0x38 (C)
[ 29.405639]  dump_stack_lvl+0x8c/0xd0
[ 29.405677]  print_report+0x118/0x608
[ 29.405715]  kasan_report+0xdc/0x128
[ 29.405751]  kasan_check_range+0x100/0x1a8
[ 29.405791]  __asan_memset+0x34/0x78
[ 29.405820]  kmalloc_uaf_memset+0x170/0x310
[ 29.405853]  kunit_try_run_case+0x170/0x3f0
[ 29.405890]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.405929]  kthread+0x328/0x630
[ 29.405958]  ret_from_fork+0x10/0x20
[ 29.405994]
[ 29.471189] Allocated by task 233:
[ 29.474576]  kasan_save_stack+0x3c/0x68
[ 29.478392]  kasan_save_track+0x20/0x40
[ 29.482212]  kasan_save_alloc_info+0x40/0x58
[ 29.486465]  __kasan_kmalloc+0xd4/0xd8
[ 29.490199]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 29.494712]  kmalloc_uaf_memset+0xb8/0x310
[ 29.498791]  kunit_try_run_case+0x170/0x3f0
[ 29.502959]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.508426]  kthread+0x328/0x630
[ 29.511638]  ret_from_fork+0x10/0x20
[ 29.515197]
[ 29.516673] Freed by task 233:
[ 29.519714]  kasan_save_stack+0x3c/0x68
[ 29.523530]  kasan_save_track+0x20/0x40
[ 29.527350]  kasan_save_free_info+0x4c/0x78
[ 29.531516]  __kasan_slab_free+0x6c/0x98
[ 29.535423]  kfree+0x214/0x3c8
[ 29.538461]  kmalloc_uaf_memset+0x11c/0x310
[ 29.542629]  kunit_try_run_case+0x170/0x3f0
[ 29.546794]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.552263]  kthread+0x328/0x630
[ 29.555474]  ret_from_fork+0x10/0x20
[ 29.559033]
[ 29.560509] The buggy address belongs to the object at ffff000800d62280
[ 29.560509]  which belongs to the cache kmalloc-64 of size 64
[ 29.572839] The buggy address is located 0 bytes inside of
[ 29.572839]  freed 64-byte region [ffff000800d62280, ffff000800d622c0)
[ 29.584815]
[ 29.586294] The buggy address belongs to the physical page:
[ 29.591849] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880d62
[ 29.599835] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 29.606343] page_type: f5(slab)
[ 29.609480] raw: 0bfffe0000000000 ffff0008000028c0 dead000000000122 0000000000000000
[ 29.617200] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 29.624919] page dumped because: kasan: bad access detected
[ 29.630473]
[ 29.631949] Memory state around the buggy address:
[ 29.636730]  ffff000800d62180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.643932]  ffff000800d62200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.651136] >ffff000800d62280: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.658337]                    ^
[ 29.661553]  ffff000800d62300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.668758]  ffff000800d62380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.675960] ==================================================================
```
```
[ 25.568899] ==================================================================
[ 25.569231] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[ 25.569436] Write of size 33 at addr fff00000c6418580 by task kunit_try_catch/186
[ 25.569838]
[ 25.570205] CPU: 0 UID: 0 PID: 186 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT
[ 25.570859] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.571469] Hardware name: linux,dummy-virt (DT)
[ 25.572403] Call trace:
[ 25.572703]  show_stack+0x20/0x38 (C)
[ 25.573012]  dump_stack_lvl+0x8c/0xd0
[ 25.573624]  print_report+0x118/0x608
[ 25.574533]  kasan_report+0xdc/0x128
[ 25.574692]  kasan_check_range+0x100/0x1a8
[ 25.574812]  __asan_memset+0x34/0x78
[ 25.574954]  kmalloc_uaf_memset+0x170/0x310
[ 25.576287]  kunit_try_run_case+0x170/0x3f0
[ 25.577141]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.578078]  kthread+0x328/0x630
[ 25.578258]  ret_from_fork+0x10/0x20
[ 25.578382]
[ 25.578429] Allocated by task 186:
[ 25.578498]  kasan_save_stack+0x3c/0x68
[ 25.579978]  kasan_save_track+0x20/0x40
[ 25.580094]  kasan_save_alloc_info+0x40/0x58
[ 25.580443]  __kasan_kmalloc+0xd4/0xd8
[ 25.580570]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 25.580842]  kmalloc_uaf_memset+0xb8/0x310
[ 25.581072]  kunit_try_run_case+0x170/0x3f0
[ 25.581174]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.581296]  kthread+0x328/0x630
[ 25.581494]  ret_from_fork+0x10/0x20
[ 25.581584]
[ 25.581632] Freed by task 186:
[ 25.581702]  kasan_save_stack+0x3c/0x68
[ 25.581797]  kasan_save_track+0x20/0x40
[ 25.581911]  kasan_save_free_info+0x4c/0x78
[ 25.582096]  __kasan_slab_free+0x6c/0x98
[ 25.582361]  kfree+0x214/0x3c8
[ 25.582455]  kmalloc_uaf_memset+0x11c/0x310
[ 25.582952]  kunit_try_run_case+0x170/0x3f0
[ 25.583254]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.583700]  kthread+0x328/0x630
[ 25.583804]  ret_from_fork+0x10/0x20
[ 25.583892]
[ 25.583967] The buggy address belongs to the object at fff00000c6418580
[ 25.583967]  which belongs to the cache kmalloc-64 of size 64
[ 25.584304] The buggy address is located 0 bytes inside of
[ 25.584304]  freed 64-byte region [fff00000c6418580, fff00000c64185c0)
[ 25.584560]
[ 25.584651] The buggy address belongs to the physical page:
[ 25.584855] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106418
[ 25.585254] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 25.585453] page_type: f5(slab)
[ 25.585547] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 25.585672] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 25.585769] page dumped because: kasan: bad access detected
[ 25.585890]
[ 25.585980] Memory state around the buggy address:
[ 25.586070]  fff00000c6418480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.586464]  fff00000c6418500: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.586594] >fff00000c6418580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.586911]                    ^
[ 25.587185]  fff00000c6418600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.587474]  fff00000c6418680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.587578] ==================================================================
```
```
[ 25.815615] ==================================================================
[ 25.815793] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[ 25.815948] Write of size 33 at addr fff00000c7713180 by task kunit_try_catch/186
[ 25.816070]
[ 25.817330] CPU: 0 UID: 0 PID: 186 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT
[ 25.817574] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.817643] Hardware name: linux,dummy-virt (DT)
[ 25.817720] Call trace:
[ 25.817777]  show_stack+0x20/0x38 (C)
[ 25.818611]  dump_stack_lvl+0x8c/0xd0
[ 25.818737]  print_report+0x118/0x608
[ 25.818883]  kasan_report+0xdc/0x128
[ 25.819299]  kasan_check_range+0x100/0x1a8
[ 25.819434]  __asan_memset+0x34/0x78
[ 25.819560]  kmalloc_uaf_memset+0x170/0x310
[ 25.819688]  kunit_try_run_case+0x170/0x3f0
[ 25.819830]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.819981]  kthread+0x328/0x630
[ 25.820090]  ret_from_fork+0x10/0x20
[ 25.820214]
[ 25.820255] Allocated by task 186:
[ 25.820324]  kasan_save_stack+0x3c/0x68
[ 25.820419]  kasan_save_track+0x20/0x40
[ 25.820515]  kasan_save_alloc_info+0x40/0x58
[ 25.820616]  __kasan_kmalloc+0xd4/0xd8
[ 25.820718]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 25.820822]  kmalloc_uaf_memset+0xb8/0x310
[ 25.825021]  kunit_try_run_case+0x170/0x3f0
[ 25.825162]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.825279]  kthread+0x328/0x630
[ 25.825372]  ret_from_fork+0x10/0x20
[ 25.827103]
[ 25.827158] Freed by task 186:
[ 25.827224]  kasan_save_stack+0x3c/0x68
[ 25.827335]  kasan_save_track+0x20/0x40
[ 25.827437]  kasan_save_free_info+0x4c/0x78
[ 25.827604]  __kasan_slab_free+0x6c/0x98
[ 25.829250]  kfree+0x214/0x3c8
[ 25.829374]  kmalloc_uaf_memset+0x11c/0x310
[ 25.829769]  kunit_try_run_case+0x170/0x3f0
[ 25.830960]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.831081]  kthread+0x328/0x630
[ 25.831158]  ret_from_fork+0x10/0x20
[ 25.831242]
[ 25.831287] The buggy address belongs to the object at fff00000c7713180
[ 25.831287]  which belongs to the cache kmalloc-64 of size 64
[ 25.831426] The buggy address is located 0 bytes inside of
[ 25.831426]  freed 64-byte region [fff00000c7713180, fff00000c77131c0)
[ 25.831569]
[ 25.831618] The buggy address belongs to the physical page:
[ 25.831689] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107713
[ 25.831829] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 25.831973] page_type: f5(slab)
[ 25.832075] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 25.832200] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 25.832300] page dumped because: kasan: bad access detected
[ 25.832375]
[ 25.832468] Memory state around the buggy address:
[ 25.832570]  fff00000c7713080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.832826]  fff00000c7713100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.832980] >fff00000c7713180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.833141]                    ^
[ 25.833222]  fff00000c7713200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.833331]  fff00000c7713280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.833534] ==================================================================
```
```
[ 19.323068] ==================================================================
[ 19.323777] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a3/0x360
[ 19.324669] Write of size 33 at addr ffff8881039cc000 by task kunit_try_catch/204
[ 19.325293]
[ 19.326718] CPU: 0 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary)
[ 19.326929] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.326969] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 19.327029] Call Trace:
[ 19.327072]  <TASK>
[ 19.327119]  dump_stack_lvl+0x73/0xb0
[ 19.327219]  print_report+0xd1/0x650
[ 19.327298]  ? __virt_addr_valid+0x1db/0x2d0
[ 19.327369]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 19.327401]  ? kasan_complete_mode_report_info+0x64/0x200
[ 19.327431]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 19.327461]  kasan_report+0x141/0x180
[ 19.327491]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 19.327629]  kasan_check_range+0x10c/0x1c0
[ 19.327711]  __asan_memset+0x27/0x50
[ 19.327742]  kmalloc_uaf_memset+0x1a3/0x360
[ 19.327773]  ? __pfx_kmalloc_uaf_memset+0x10/0x10
[ 19.327804]  ? __schedule+0x10cc/0x2b60
[ 19.327838]  ? __pfx_read_tsc+0x10/0x10
[ 19.327868]  ? ktime_get_ts64+0x86/0x230
[ 19.327901]  kunit_try_run_case+0x1a5/0x480
[ 19.327939]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 19.327972]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 19.328006]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 19.328038]  ? __kthread_parkme+0x82/0x180
[ 19.328066]  ? preempt_count_sub+0x50/0x80
[ 19.328097]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 19.328132]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.328164]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 19.328197]  kthread+0x337/0x6f0
[ 19.328224]  ? trace_preempt_on+0x20/0xc0
[ 19.328286]  ? __pfx_kthread+0x10/0x10
[ 19.328317]  ? _raw_spin_unlock_irq+0x47/0x80
[ 19.328348]  ? calculate_sigpending+0x7b/0xa0
[ 19.328384]  ? __pfx_kthread+0x10/0x10
[ 19.328412]  ret_from_fork+0x116/0x1d0
[ 19.328438]  ? __pfx_kthread+0x10/0x10
[ 19.328466]  ret_from_fork_asm+0x1a/0x30
[ 19.328531]  </TASK>
[ 19.328590]
[ 19.348048] Allocated by task 204:
[ 19.349187]  kasan_save_stack+0x45/0x70
[ 19.350320]  kasan_save_track+0x18/0x40
[ 19.350787]  kasan_save_alloc_info+0x3b/0x50
[ 19.351308]  __kasan_kmalloc+0xb7/0xc0
[ 19.351859]  __kmalloc_cache_noprof+0x189/0x420
[ 19.352731]  kmalloc_uaf_memset+0xa9/0x360
[ 19.353992]  kunit_try_run_case+0x1a5/0x480
[ 19.354340]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.354989]  kthread+0x337/0x6f0
[ 19.355426]  ret_from_fork+0x116/0x1d0
[ 19.355853]  ret_from_fork_asm+0x1a/0x30
[ 19.356272]
[ 19.356967] Freed by task 204:
[ 19.357329]  kasan_save_stack+0x45/0x70
[ 19.358011]  kasan_save_track+0x18/0x40
[ 19.358328]  kasan_save_free_info+0x3f/0x60
[ 19.358892]  __kasan_slab_free+0x56/0x70
[ 19.359315]  kfree+0x222/0x3f0
[ 19.359759]  kmalloc_uaf_memset+0x12b/0x360
[ 19.360157]  kunit_try_run_case+0x1a5/0x480
[ 19.361165]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.362034]  kthread+0x337/0x6f0
[ 19.362343]  ret_from_fork+0x116/0x1d0
[ 19.362927]  ret_from_fork_asm+0x1a/0x30
[ 19.363344]
[ 19.363618] The buggy address belongs to the object at ffff8881039cc000
[ 19.363618]  which belongs to the cache kmalloc-64 of size 64
[ 19.365121] The buggy address is located 0 bytes inside of
[ 19.365121]  freed 64-byte region [ffff8881039cc000, ffff8881039cc040)
[ 19.366560]
[ 19.366785] The buggy address belongs to the physical page:
[ 19.367777] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039cc
[ 19.368953] flags: 0x200000000000000(node=0|zone=2)
[ 19.369291] page_type: f5(slab)
[ 19.369612] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 19.371014] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 19.372333] page dumped because: kasan: bad access detected
[ 19.372679]
[ 19.373444] Memory state around the buggy address:
[ 19.374134]  ffff8881039cbf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.375073]  ffff8881039cbf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.376064] >ffff8881039cc000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 19.376893]                    ^
[ 19.377158]  ffff8881039cc080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.378407]  ffff8881039cc100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.379123] ==================================================================
```
```
[ 18.352185] ==================================================================
[ 18.352984] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a3/0x360
[ 18.353499] Write of size 33 at addr ffff888103302680 by task kunit_try_catch/204
[ 18.354827]
[ 18.355400] CPU: 0 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT(voluntary)
[ 18.355633] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.355670] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 18.355727] Call Trace:
[ 18.355761]  <TASK>
[ 18.355803]  dump_stack_lvl+0x73/0xb0
[ 18.355911]  print_report+0xd1/0x650
[ 18.355989]  ? __virt_addr_valid+0x1db/0x2d0
[ 18.356055]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 18.356297]  ? kasan_complete_mode_report_info+0x64/0x200
[ 18.356424]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 18.356502]  kasan_report+0x141/0x180
[ 18.356639]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 18.356686]  kasan_check_range+0x10c/0x1c0
[ 18.356723]  __asan_memset+0x27/0x50
[ 18.356750]  kmalloc_uaf_memset+0x1a3/0x360
[ 18.356780]  ? __pfx_kmalloc_uaf_memset+0x10/0x10
[ 18.356812]  ? __schedule+0x10cc/0x2b60
[ 18.356846]  ? __pfx_read_tsc+0x10/0x10
[ 18.356897]  ? ktime_get_ts64+0x86/0x230
[ 18.356944]  kunit_try_run_case+0x1a5/0x480
[ 18.356982]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.357015]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 18.357050]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 18.357083]  ? __kthread_parkme+0x82/0x180
[ 18.357126]  ? preempt_count_sub+0x50/0x80
[ 18.357171]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.357208]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.357242]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 18.357276]  kthread+0x337/0x6f0
[ 18.357302]  ? trace_preempt_on+0x20/0xc0
[ 18.357363]  ? __pfx_kthread+0x10/0x10
[ 18.357395]  ? _raw_spin_unlock_irq+0x47/0x80
[ 18.357432]  ? calculate_sigpending+0x7b/0xa0
[ 18.357480]  ? __pfx_kthread+0x10/0x10
[ 18.357518]  ret_from_fork+0x116/0x1d0
[ 18.357620]  ? __pfx_kthread+0x10/0x10
[ 18.357683]  ret_from_fork_asm+0x1a/0x30
[ 18.357743]  </TASK>
[ 18.357761]
[ 18.375475] Allocated by task 204:
[ 18.376054]  kasan_save_stack+0x45/0x70
[ 18.376487]  kasan_save_track+0x18/0x40
[ 18.377415]  kasan_save_alloc_info+0x3b/0x50
[ 18.378017]  __kasan_kmalloc+0xb7/0xc0
[ 18.378490]  __kmalloc_cache_noprof+0x189/0x420
[ 18.379024]  kmalloc_uaf_memset+0xa9/0x360
[ 18.379545]  kunit_try_run_case+0x1a5/0x480
[ 18.380253]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.381197]  kthread+0x337/0x6f0
[ 18.381715]  ret_from_fork+0x116/0x1d0
[ 18.382134]  ret_from_fork_asm+0x1a/0x30
[ 18.382500]
[ 18.382938] Freed by task 204:
[ 18.383361]  kasan_save_stack+0x45/0x70
[ 18.383961]  kasan_save_track+0x18/0x40
[ 18.384439]  kasan_save_free_info+0x3f/0x60
[ 18.385291]  __kasan_slab_free+0x56/0x70
[ 18.385793]  kfree+0x222/0x3f0
[ 18.386306]  kmalloc_uaf_memset+0x12b/0x360
[ 18.386915]  kunit_try_run_case+0x1a5/0x480
[ 18.387388]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.388041]  kthread+0x337/0x6f0
[ 18.388911]  ret_from_fork+0x116/0x1d0
[ 18.389349]  ret_from_fork_asm+0x1a/0x30
[ 18.389784]
[ 18.390016] The buggy address belongs to the object at ffff888103302680
[ 18.390016]  which belongs to the cache kmalloc-64 of size 64
[ 18.390953] The buggy address is located 0 bytes inside of
[ 18.390953]  freed 64-byte region [ffff888103302680, ffff8881033026c0)
[ 18.391742]
[ 18.392123] The buggy address belongs to the physical page:
[ 18.392870] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103302
[ 18.393793] flags: 0x200000000000000(node=0|zone=2)
[ 18.394346] page_type: f5(slab)
[ 18.394892] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 18.395731] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 18.396453] page dumped because: kasan: bad access detected
[ 18.397408]
[ 18.397799] Memory state around the buggy address:
[ 18.398266]  ffff888103302580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 18.399102]  ffff888103302600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 18.399909] >ffff888103302680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 18.400997]                    ^
[ 18.401408]  ffff888103302700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.402164]  ffff888103302780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.402924] ==================================================================
```
```
[ 20.736176] ==================================================================
[ 20.737182] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[ 20.737868] Write of size 33 at addr ffff00000101c980 by task kunit_try_catch/239
[ 20.738560]
[ 20.738724] CPU: 2 UID: 0 PID: 239 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc1 #1 PREEMPT
[ 20.738775] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 20.738790] Hardware name: Radxa ROCK Pi 4B (DT)
[ 20.738806] Call trace:
[ 20.738818]  show_stack+0x20/0x38 (C)
[ 20.738852]  dump_stack_lvl+0x8c/0xd0
[ 20.738887]  print_report+0x118/0x608
[ 20.738921]  kasan_report+0xdc/0x128
[ 20.738953]  kasan_check_range+0x100/0x1a8
[ 20.738987]  __asan_memset+0x34/0x78
[ 20.739013]  kmalloc_uaf_memset+0x170/0x310
[ 20.739042]  kunit_try_run_case+0x170/0x3f0
[ 20.739076]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.739115]  kthread+0x328/0x630
[ 20.739141]  ret_from_fork+0x10/0x20
[ 20.739172]
[ 20.745007] Allocated by task 239:
[ 20.745332]  kasan_save_stack+0x3c/0x68
[ 20.745710]  kasan_save_track+0x20/0x40
[ 20.746085]  kasan_save_alloc_info+0x40/0x58
[ 20.746500]  __kasan_kmalloc+0xd4/0xd8
[ 20.746867]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 20.747304]  kmalloc_uaf_memset+0xb8/0x310
[ 20.747699]  kunit_try_run_case+0x170/0x3f0
[ 20.748104]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.748627]  kthread+0x328/0x630
[ 20.748942]  ret_from_fork+0x10/0x20
[ 20.749292]
[ 20.749445] Freed by task 239:
[ 20.749738]  kasan_save_stack+0x3c/0x68
[ 20.750113]  kasan_save_track+0x20/0x40
[ 20.750488]  kasan_save_free_info+0x4c/0x78
[ 20.750895]  __kasan_slab_free+0x6c/0x98
[ 20.751277]  kfree+0x214/0x3c8
[ 20.751580]  kmalloc_uaf_memset+0x11c/0x310
[ 20.751982]  kunit_try_run_case+0x170/0x3f0
[ 20.752387]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.752910]  kthread+0x328/0x630
[ 20.753226]  ret_from_fork+0x10/0x20
[ 20.753576]
[ 20.753728] The buggy address belongs to the object at ffff00000101c980
[ 20.753728]  which belongs to the cache kmalloc-64 of size 64
[ 20.754844] The buggy address is located 0 bytes inside of
[ 20.754844]  freed 64-byte region [ffff00000101c980, ffff00000101c9c0)
[ 20.755933]
[ 20.756087] The buggy address belongs to the physical page:
[ 20.756600] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101c
[ 20.757324] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff)
[ 20.757935] page_type: f5(slab)
[ 20.758250] raw: 03fffe0000000000 ffff0000004028c0 dead000000000122 0000000000000000
[ 20.758965] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 20.759671] page dumped because: kasan: bad access detected
[ 20.760186]
[ 20.760338] Memory state around the buggy address:
[ 20.760786]  ffff00000101c880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 20.761452]  ffff00000101c900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 20.762117] >ffff00000101c980: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 20.762778]                    ^
[ 20.763088]  ffff00000101ca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.763754]  ffff00000101ca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.764415] ==================================================================
```