Date: July 2, 2025, 11:09 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```
[ 18.136508] ==================================================================
[ 18.136568] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 18.136634] Read of size 16 at addr fff00000c3f3ec40 by task kunit_try_catch/168
[ 18.136683]
[ 18.136715] CPU: 0 UID: 0 PID: 168 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 18.136793] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.136819] Hardware name: linux,dummy-virt (DT)
[ 18.136849] Call trace:
[ 18.136870]  show_stack+0x20/0x38 (C)
[ 18.136922]  dump_stack_lvl+0x8c/0xd0
[ 18.136969]  print_report+0x118/0x608
[ 18.137051]  kasan_report+0xdc/0x128
[ 18.137105]  __asan_report_load16_noabort+0x20/0x30
[ 18.137151]  kmalloc_uaf_16+0x3bc/0x438
[ 18.137195]  kunit_try_run_case+0x170/0x3f0
[ 18.137241]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.137292]  kthread+0x328/0x630
[ 18.137333]  ret_from_fork+0x10/0x20
[ 18.137381]
[ 18.137398] Allocated by task 168:
[ 18.137424]  kasan_save_stack+0x3c/0x68
[ 18.137463]  kasan_save_track+0x20/0x40
[ 18.137499]  kasan_save_alloc_info+0x40/0x58
[ 18.137538]  __kasan_kmalloc+0xd4/0xd8
[ 18.137583]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.137621]  kmalloc_uaf_16+0x140/0x438
[ 18.137655]  kunit_try_run_case+0x170/0x3f0
[ 18.137691]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.137739]  kthread+0x328/0x630
[ 18.138014]  ret_from_fork+0x10/0x20
[ 18.138059]
[ 18.138078] Freed by task 168:
[ 18.138104]  kasan_save_stack+0x3c/0x68
[ 18.138139]  kasan_save_track+0x20/0x40
[ 18.138176]  kasan_save_free_info+0x4c/0x78
[ 18.138213]  __kasan_slab_free+0x6c/0x98
[ 18.138249]  kfree+0x214/0x3c8
[ 18.138282]  kmalloc_uaf_16+0x190/0x438
[ 18.138316]  kunit_try_run_case+0x170/0x3f0
[ 18.138351]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.138393]  kthread+0x328/0x630
[ 18.138424]  ret_from_fork+0x10/0x20
[ 18.138458]
[ 18.138476] The buggy address belongs to the object at fff00000c3f3ec40
[ 18.138476]  which belongs to the cache kmalloc-16 of size 16
[ 18.138562] The buggy address is located 0 bytes inside of
[ 18.138562]  freed 16-byte region [fff00000c3f3ec40, fff00000c3f3ec50)
[ 18.138633]
[ 18.138783] The buggy address belongs to the physical page:
[ 18.138812] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103f3e
[ 18.138870] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.138917] page_type: f5(slab)
[ 18.139074] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 18.139123] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 18.139238] page dumped because: kasan: bad access detected
[ 18.139297]
[ 18.139357] Memory state around the buggy address:
[ 18.139388]  fff00000c3f3eb00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 18.139431]  fff00000c3f3eb80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 18.139490] >fff00000c3f3ec00: fa fb fc fc 00 00 fc fc fa fb fc fc fc fc fc fc
[ 18.139607]                                            ^
[ 18.139695]  fff00000c3f3ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.139767]  fff00000c3f3ed00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.139810] ==================================================================
```
qemu-x86_64:

```
[ 11.417836] ==================================================================
[ 11.418237] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[ 11.418489] Read of size 16 at addr ffff888101c19f00 by task kunit_try_catch/187
[ 11.418733]
[ 11.418963] CPU: 0 UID: 0 PID: 187 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 11.419011] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.419023] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.419351] Call Trace:
[ 11.419369]  <TASK>
[ 11.419402]  dump_stack_lvl+0x73/0xb0
[ 11.419436]  print_report+0xd1/0x650
[ 11.419459]  ? __virt_addr_valid+0x1db/0x2d0
[ 11.419483]  ? kmalloc_uaf_16+0x47b/0x4c0
[ 11.419502]  ? kasan_complete_mode_report_info+0x64/0x200
[ 11.419522]  ? kmalloc_uaf_16+0x47b/0x4c0
[ 11.419542]  kasan_report+0x141/0x180
[ 11.419562]  ? kmalloc_uaf_16+0x47b/0x4c0
[ 11.419586]  __asan_report_load16_noabort+0x18/0x20
[ 11.419609]  kmalloc_uaf_16+0x47b/0x4c0
[ 11.419629]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 11.419649]  ? __schedule+0x10cc/0x2b60
[ 11.419670]  ? __pfx_read_tsc+0x10/0x10
[ 11.419698]  ? ktime_get_ts64+0x86/0x230
[ 11.419723]  kunit_try_run_case+0x1a5/0x480
[ 11.419748]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.419769]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.419792]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.419813]  ? __kthread_parkme+0x82/0x180
[ 11.419833]  ? preempt_count_sub+0x50/0x80
[ 11.419856]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.419879]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.419900]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.419921]  kthread+0x337/0x6f0
[ 11.419939]  ? trace_preempt_on+0x20/0xc0
[ 11.419962]  ? __pfx_kthread+0x10/0x10
[ 11.419982]  ? _raw_spin_unlock_irq+0x47/0x80
[ 11.420001]  ? calculate_sigpending+0x7b/0xa0
[ 11.420024]  ? __pfx_kthread+0x10/0x10
[ 11.420044]  ret_from_fork+0x116/0x1d0
[ 11.420061]  ? __pfx_kthread+0x10/0x10
[ 11.420081]  ret_from_fork_asm+0x1a/0x30
[ 11.420110]  </TASK>
[ 11.420121]
[ 11.432850] Allocated by task 187:
[ 11.433061]  kasan_save_stack+0x45/0x70
[ 11.433213]  kasan_save_track+0x18/0x40
[ 11.433348]  kasan_save_alloc_info+0x3b/0x50
[ 11.433507]  __kasan_kmalloc+0xb7/0xc0
[ 11.433660]  __kmalloc_cache_noprof+0x189/0x420
[ 11.433884]  kmalloc_uaf_16+0x15b/0x4c0
[ 11.434086]  kunit_try_run_case+0x1a5/0x480
[ 11.434294]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.434551]  kthread+0x337/0x6f0
[ 11.434710]  ret_from_fork+0x116/0x1d0
[ 11.434898]  ret_from_fork_asm+0x1a/0x30
[ 11.435097]
[ 11.435192] Freed by task 187:
[ 11.435337]  kasan_save_stack+0x45/0x70
[ 11.435498]  kasan_save_track+0x18/0x40
[ 11.435679]  kasan_save_free_info+0x3f/0x60
[ 11.435860]  __kasan_slab_free+0x56/0x70
[ 11.435994]  kfree+0x222/0x3f0
[ 11.436128]  kmalloc_uaf_16+0x1d6/0x4c0
[ 11.436321]  kunit_try_run_case+0x1a5/0x480
[ 11.436623]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.436948]  kthread+0x337/0x6f0
[ 11.437082]  ret_from_fork+0x116/0x1d0
[ 11.437271]  ret_from_fork_asm+0x1a/0x30
[ 11.437433]
[ 11.437503] The buggy address belongs to the object at ffff888101c19f00
[ 11.437503]  which belongs to the cache kmalloc-16 of size 16
[ 11.438156] The buggy address is located 0 bytes inside of
[ 11.438156]  freed 16-byte region [ffff888101c19f00, ffff888101c19f10)
[ 11.438800]
[ 11.438884] The buggy address belongs to the physical page:
[ 11.439196] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101c19
[ 11.439540] flags: 0x200000000000000(node=0|zone=2)
[ 11.439758] page_type: f5(slab)
[ 11.439937] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 11.440386] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 11.440651] page dumped because: kasan: bad access detected
[ 11.440998]
[ 11.441070] Memory state around the buggy address:
[ 11.441225]  ffff888101c19e00: 00 02 fc fc 00 06 fc fc 00 06 fc fc fa fb fc fc
[ 11.441503]  ffff888101c19e80: fa fb fc fc 00 05 fc fc fa fb fc fc 00 00 fc fc
[ 11.441818] >ffff888101c19f00: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.442081]                    ^
[ 11.442195]  ffff888101c19f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 11.442493]  ffff888101c1a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.443185] ==================================================================
```