Date
July 11, 2025, 11:09 p.m.

Environment
qemu-arm64
qemu-x86_64

[   16.829830] ==================================================================
[   16.832356] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[   16.832535] Write of size 33 at addr fff00000c58a8100 by task kunit_try_catch/187
[   16.832586] 
[   16.833213] CPU: 0 UID: 0 PID: 187 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   16.834041] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.834398] Hardware name: linux,dummy-virt (DT)
[   16.834483] Call trace:
[   16.834719]  show_stack+0x20/0x38 (C)
[   16.835358]  dump_stack_lvl+0x8c/0xd0
[   16.835851]  print_report+0x118/0x608
[   16.835904]  kasan_report+0xdc/0x128
[   16.835950]  kasan_check_range+0x100/0x1a8
[   16.835999]  __asan_memset+0x34/0x78
[   16.836041]  kmalloc_uaf_memset+0x170/0x310
[   16.836087]  kunit_try_run_case+0x170/0x3f0
[   16.837920]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.837988]  kthread+0x328/0x630
[   16.838897]  ret_from_fork+0x10/0x20
[   16.839228] 
[   16.839948] Allocated by task 187:
[   16.840567]  kasan_save_stack+0x3c/0x68
[   16.840863]  kasan_save_track+0x20/0x40
[   16.841023]  kasan_save_alloc_info+0x40/0x58
[   16.841629]  __kasan_kmalloc+0xd4/0xd8
[   16.841894]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.841969]  kmalloc_uaf_memset+0xb8/0x310
[   16.842635]  kunit_try_run_case+0x170/0x3f0
[   16.842676]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.842803]  kthread+0x328/0x630
[   16.843032]  ret_from_fork+0x10/0x20
[   16.843106] 
[   16.843773] Freed by task 187:
[   16.844501]  kasan_save_stack+0x3c/0x68
[   16.844895]  kasan_save_track+0x20/0x40
[   16.845000]  kasan_save_free_info+0x4c/0x78
[   16.845040]  __kasan_slab_free+0x6c/0x98
[   16.845077]  kfree+0x214/0x3c8
[   16.845111]  kmalloc_uaf_memset+0x11c/0x310
[   16.845147]  kunit_try_run_case+0x170/0x3f0
[   16.845184]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.845227]  kthread+0x328/0x630
[   16.845257]  ret_from_fork+0x10/0x20
[   16.845292] 
[   16.845312] The buggy address belongs to the object at fff00000c58a8100
[   16.845312]  which belongs to the cache kmalloc-64 of size 64
[   16.846852] The buggy address is located 0 bytes inside of
[   16.846852]  freed 64-byte region [fff00000c58a8100, fff00000c58a8140)
[   16.847016] 
[   16.847038] The buggy address belongs to the physical page:
[   16.847554] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058a8
[   16.847806] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.847961] page_type: f5(slab)
[   16.848391] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   16.848574] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   16.848807] page dumped because: kasan: bad access detected
[   16.848860] 
[   16.848879] Memory state around the buggy address:
[   16.849367]  fff00000c58a8000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.849654]  fff00000c58a8080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.849864] >fff00000c58a8100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.850364]                    ^
[   16.850570]  fff00000c58a8180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.850910]  fff00000c58a8200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.850956] ==================================================================

[   12.615484] ==================================================================
[   12.616429] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a3/0x360
[   12.616764] Write of size 33 at addr ffff8881029fe880 by task kunit_try_catch/203
[   12.617104] 
[   12.617267] CPU: 1 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   12.617308] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.617319] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.617338] Call Trace:
[   12.617349]  <TASK>
[   12.617363]  dump_stack_lvl+0x73/0xb0
[   12.617390]  print_report+0xd1/0x650
[   12.617412]  ? __virt_addr_valid+0x1db/0x2d0
[   12.617434]  ? kmalloc_uaf_memset+0x1a3/0x360
[   12.617454]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.617477]  ? kmalloc_uaf_memset+0x1a3/0x360
[   12.617498]  kasan_report+0x141/0x180
[   12.617520]  ? kmalloc_uaf_memset+0x1a3/0x360
[   12.617546]  kasan_check_range+0x10c/0x1c0
[   12.617569]  __asan_memset+0x27/0x50
[   12.617588]  kmalloc_uaf_memset+0x1a3/0x360
[   12.617609]  ? __pfx_kmalloc_uaf_memset+0x10/0x10
[   12.617632]  ? __schedule+0x10cc/0x2b60
[   12.617653]  ? __pfx_read_tsc+0x10/0x10
[   12.617673]  ? ktime_get_ts64+0x86/0x230
[   12.617697]  kunit_try_run_case+0x1a5/0x480
[   12.617720]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.617742]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.617819]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.617843]  ? __kthread_parkme+0x82/0x180
[   12.617863]  ? preempt_count_sub+0x50/0x80
[   12.617887]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.617911]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.617946]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.617970]  kthread+0x337/0x6f0
[   12.617989]  ? trace_preempt_on+0x20/0xc0
[   12.618012]  ? __pfx_kthread+0x10/0x10
[   12.618032]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.618053]  ? calculate_sigpending+0x7b/0xa0
[   12.618076]  ? __pfx_kthread+0x10/0x10
[   12.618097]  ret_from_fork+0x116/0x1d0
[   12.618115]  ? __pfx_kthread+0x10/0x10
[   12.618135]  ret_from_fork_asm+0x1a/0x30
[   12.618167]  </TASK>
[   12.618176] 
[   12.625824] Allocated by task 203:
[   12.625966]  kasan_save_stack+0x45/0x70
[   12.626107]  kasan_save_track+0x18/0x40
[   12.626411]  kasan_save_alloc_info+0x3b/0x50
[   12.626623]  __kasan_kmalloc+0xb7/0xc0
[   12.626951]  __kmalloc_cache_noprof+0x189/0x420
[   12.627332]  kmalloc_uaf_memset+0xa9/0x360
[   12.627479]  kunit_try_run_case+0x1a5/0x480
[   12.627625]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.627871]  kthread+0x337/0x6f0
[   12.628054]  ret_from_fork+0x116/0x1d0
[   12.628286]  ret_from_fork_asm+0x1a/0x30
[   12.628609] 
[   12.628677] Freed by task 203:
[   12.628786]  kasan_save_stack+0x45/0x70
[   12.628930]  kasan_save_track+0x18/0x40
[   12.629063]  kasan_save_free_info+0x3f/0x60
[   12.629219]  __kasan_slab_free+0x56/0x70
[   12.629414]  kfree+0x222/0x3f0
[   12.629575]  kmalloc_uaf_memset+0x12b/0x360
[   12.629782]  kunit_try_run_case+0x1a5/0x480
[   12.630006]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.630270]  kthread+0x337/0x6f0
[   12.630442]  ret_from_fork+0x116/0x1d0
[   12.630685]  ret_from_fork_asm+0x1a/0x30
[   12.630883] 
[   12.630979] The buggy address belongs to the object at ffff8881029fe880
[   12.630979]  which belongs to the cache kmalloc-64 of size 64
[   12.631481] The buggy address is located 0 bytes inside of
[   12.631481]  freed 64-byte region [ffff8881029fe880, ffff8881029fe8c0)
[   12.631824] 
[   12.631893] The buggy address belongs to the physical page:
[   12.632412] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029fe
[   12.632786] flags: 0x200000000000000(node=0|zone=2)
[   12.633034] page_type: f5(slab)
[   12.633208] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   12.633620] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   12.633848] page dumped because: kasan: bad access detected
[   12.634118] 
[   12.634230] Memory state around the buggy address:
[   12.634459]  ffff8881029fe780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   12.634746]  ffff8881029fe800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   12.635025] >ffff8881029fe880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   12.635304]                    ^
[   12.635423]  ffff8881029fe900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.635638]  ffff8881029fe980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.635849] ==================================================================