Date
July 6, 2025, 11:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 | |
| x86 |
[ 17.008956] ================================================================== [ 17.009204] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310 [ 17.009288] Write of size 33 at addr fff00000c69bd280 by task kunit_try_catch/187 [ 17.009341] [ 17.009374] CPU: 0 UID: 0 PID: 187 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 17.009606] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.009669] Hardware name: linux,dummy-virt (DT) [ 17.009704] Call trace: [ 17.009727] show_stack+0x20/0x38 (C) [ 17.009777] dump_stack_lvl+0x8c/0xd0 [ 17.009841] print_report+0x118/0x608 [ 17.009927] kasan_report+0xdc/0x128 [ 17.009971] kasan_check_range+0x100/0x1a8 [ 17.010057] __asan_memset+0x34/0x78 [ 17.010109] kmalloc_uaf_memset+0x170/0x310 [ 17.010153] kunit_try_run_case+0x170/0x3f0 [ 17.010228] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.010290] kthread+0x328/0x630 [ 17.010346] ret_from_fork+0x10/0x20 [ 17.010410] [ 17.010428] Allocated by task 187: [ 17.010472] kasan_save_stack+0x3c/0x68 [ 17.010512] kasan_save_track+0x20/0x40 [ 17.010547] kasan_save_alloc_info+0x40/0x58 [ 17.010587] __kasan_kmalloc+0xd4/0xd8 [ 17.010648] __kmalloc_cache_noprof+0x16c/0x3c0 [ 17.010687] kmalloc_uaf_memset+0xb8/0x310 [ 17.010882] kunit_try_run_case+0x170/0x3f0 [ 17.010961] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.011142] kthread+0x328/0x630 [ 17.011218] ret_from_fork+0x10/0x20 [ 17.011310] [ 17.011389] Freed by task 187: [ 17.011475] kasan_save_stack+0x3c/0x68 [ 17.011583] kasan_save_track+0x20/0x40 [ 17.011678] kasan_save_free_info+0x4c/0x78 [ 17.011717] __kasan_slab_free+0x6c/0x98 [ 17.011778] kfree+0x214/0x3c8 [ 17.011812] kmalloc_uaf_memset+0x11c/0x310 [ 17.011846] kunit_try_run_case+0x170/0x3f0 [ 17.012021] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.012132] kthread+0x328/0x630 [ 17.012239] ret_from_fork+0x10/0x20 [ 17.012358] [ 17.012438] The buggy address belongs to the object at fff00000c69bd280 [ 17.012438] which belongs to the cache kmalloc-64 of size 64 [ 17.012580] The buggy address is located 0 bytes inside of [ 17.012580] freed 64-byte region [fff00000c69bd280, fff00000c69bd2c0) [ 17.012678] [ 17.012754] The buggy address belongs to the physical page: [ 17.012840] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1069bd [ 17.012930] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.013015] page_type: f5(slab) [ 17.013080] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000 [ 17.013130] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 17.013434] page dumped because: kasan: bad access detected [ 17.013509] [ 17.013603] Memory state around the buggy address: [ 17.013680] fff00000c69bd180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 17.013736] fff00000c69bd200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 17.013779] >fff00000c69bd280: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 17.014084] ^ [ 17.014158] fff00000c69bd300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.014225] fff00000c69bd380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 17.014295] ==================================================================
[ 16.991696] ================================================================== [ 16.991757] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310 [ 16.991812] Write of size 33 at addr fff00000c7772080 by task kunit_try_catch/187 [ 16.992107] [ 16.992274] CPU: 1 UID: 0 PID: 187 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT [ 16.992363] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.992797] Hardware name: linux,dummy-virt (DT) [ 16.992847] Call trace: [ 16.992869] show_stack+0x20/0x38 (C) [ 16.992936] dump_stack_lvl+0x8c/0xd0 [ 16.992984] print_report+0x118/0x608 [ 16.993031] kasan_report+0xdc/0x128 [ 16.993082] kasan_check_range+0x100/0x1a8 [ 16.993130] __asan_memset+0x34/0x78 [ 16.993171] kmalloc_uaf_memset+0x170/0x310 [ 16.993217] kunit_try_run_case+0x170/0x3f0 [ 16.993264] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.993327] kthread+0x328/0x630 [ 16.993368] ret_from_fork+0x10/0x20 [ 16.993416] [ 16.993434] Allocated by task 187: [ 16.993461] kasan_save_stack+0x3c/0x68 [ 16.993517] kasan_save_track+0x20/0x40 [ 16.993570] kasan_save_alloc_info+0x40/0x58 [ 16.993609] __kasan_kmalloc+0xd4/0xd8 [ 16.993646] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.993685] kmalloc_uaf_memset+0xb8/0x310 [ 16.993729] kunit_try_run_case+0x170/0x3f0 [ 16.993766] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.993809] kthread+0x328/0x630 [ 16.993841] ret_from_fork+0x10/0x20 [ 16.993883] [ 16.993902] Freed by task 187: [ 16.993937] kasan_save_stack+0x3c/0x68 [ 16.993973] kasan_save_track+0x20/0x40 [ 16.994010] kasan_save_free_info+0x4c/0x78 [ 16.994051] __kasan_slab_free+0x6c/0x98 [ 16.994792] kfree+0x214/0x3c8 [ 16.994866] kmalloc_uaf_memset+0x11c/0x310 [ 16.994904] kunit_try_run_case+0x170/0x3f0 [ 16.994953] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.995281] kthread+0x328/0x630 [ 16.995351] ret_from_fork+0x10/0x20 [ 16.995439] [ 16.995508] The buggy address belongs to the object at fff00000c7772080 [ 16.995508] which belongs to the cache kmalloc-64 of size 64 [ 16.995865] The buggy address is located 0 bytes inside of [ 16.995865] freed 64-byte region [fff00000c7772080, fff00000c77720c0) [ 16.996013] [ 16.996084] The buggy address belongs to the physical page: [ 16.996417] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107772 [ 16.996534] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.996643] page_type: f5(slab) [ 16.996840] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000 [ 16.997228] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 16.997323] page dumped because: kasan: bad access detected [ 16.997362] [ 16.997381] Memory state around the buggy address: [ 16.997668] fff00000c7771f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.997723] fff00000c7772000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 16.997849] >fff00000c7772080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 16.998149] ^ [ 16.998196] fff00000c7772100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.998241] fff00000c7772180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.998280] ==================================================================
[ 13.812681] ================================================================== [ 13.813151] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a3/0x360 [ 13.813393] Write of size 33 at addr ffff8881031c1080 by task kunit_try_catch/203 [ 13.813636] [ 13.813727] CPU: 1 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 13.813770] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.813782] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.813803] Call Trace: [ 13.813814] <TASK> [ 13.813839] dump_stack_lvl+0x73/0xb0 [ 13.813866] print_report+0xd1/0x650 [ 13.813887] ? __virt_addr_valid+0x1db/0x2d0 [ 13.813908] ? kmalloc_uaf_memset+0x1a3/0x360 [ 13.813929] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.813953] ? kmalloc_uaf_memset+0x1a3/0x360 [ 13.813974] kasan_report+0x141/0x180 [ 13.813995] ? kmalloc_uaf_memset+0x1a3/0x360 [ 13.814021] kasan_check_range+0x10c/0x1c0 [ 13.814043] __asan_memset+0x27/0x50 [ 13.814073] kmalloc_uaf_memset+0x1a3/0x360 [ 13.814093] ? __pfx_kmalloc_uaf_memset+0x10/0x10 [ 13.814114] ? __schedule+0x10cc/0x2b60 [ 13.814135] ? __pfx_read_tsc+0x10/0x10 [ 13.814154] ? ktime_get_ts64+0x86/0x230 [ 13.814179] kunit_try_run_case+0x1a5/0x480 [ 13.814202] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.814223] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.814245] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.814267] ? __kthread_parkme+0x82/0x180 [ 13.814285] ? preempt_count_sub+0x50/0x80 [ 13.814308] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.814330] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.814352] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.814374] kthread+0x337/0x6f0 [ 13.814393] ? trace_preempt_on+0x20/0xc0 [ 13.814416] ? __pfx_kthread+0x10/0x10 [ 13.814435] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.814455] ? calculate_sigpending+0x7b/0xa0 [ 13.814477] ? __pfx_kthread+0x10/0x10 [ 13.814498] ret_from_fork+0x116/0x1d0 [ 13.814515] ? __pfx_kthread+0x10/0x10 [ 13.814535] ret_from_fork_asm+0x1a/0x30 [ 13.814565] </TASK> [ 13.814575] [ 13.827319] Allocated by task 203: [ 13.827461] kasan_save_stack+0x45/0x70 [ 13.827740] kasan_save_track+0x18/0x40 [ 13.827882] kasan_save_alloc_info+0x3b/0x50 [ 13.828061] __kasan_kmalloc+0xb7/0xc0 [ 13.828208] __kmalloc_cache_noprof+0x189/0x420 [ 13.828660] kmalloc_uaf_memset+0xa9/0x360 [ 13.829101] kunit_try_run_case+0x1a5/0x480 [ 13.829520] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.830146] kthread+0x337/0x6f0 [ 13.830448] ret_from_fork+0x116/0x1d0 [ 13.830869] ret_from_fork_asm+0x1a/0x30 [ 13.831312] [ 13.831521] Freed by task 203: [ 13.831867] kasan_save_stack+0x45/0x70 [ 13.832237] kasan_save_track+0x18/0x40 [ 13.832538] kasan_save_free_info+0x3f/0x60 [ 13.833123] __kasan_slab_free+0x56/0x70 [ 13.833538] kfree+0x222/0x3f0 [ 13.833866] kmalloc_uaf_memset+0x12b/0x360 [ 13.834160] kunit_try_run_case+0x1a5/0x480 [ 13.834870] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.835181] kthread+0x337/0x6f0 [ 13.835313] ret_from_fork+0x116/0x1d0 [ 13.835453] ret_from_fork_asm+0x1a/0x30 [ 13.835599] [ 13.835675] The buggy address belongs to the object at ffff8881031c1080 [ 13.835675] which belongs to the cache kmalloc-64 of size 64 [ 13.836924] The buggy address is located 0 bytes inside of [ 13.836924] freed 64-byte region [ffff8881031c1080, ffff8881031c10c0) [ 13.838161] [ 13.838331] The buggy address belongs to the physical page: [ 13.838855] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1031c1 [ 13.839673] flags: 0x200000000000000(node=0|zone=2) [ 13.840220] page_type: f5(slab) [ 13.840551] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 [ 13.841264] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 13.842104] page dumped because: kasan: bad access detected [ 13.842337] [ 13.842416] Memory state around the buggy address: [ 13.842586] ffff8881031c0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.842827] ffff8881031c1000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 13.843070] >ffff8881031c1080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 13.843491] ^ [ 13.843625] ffff8881031c1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.844283] ffff8881031c1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.845030] ==================================================================
[ 27.694410] ================================================================== [ 27.704975] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a3/0x360 [ 27.712115] Write of size 33 at addr ffff88810629ff80 by task kunit_try_catch/227 [ 27.719594] [ 27.721095] CPU: 3 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G S B N 6.16.0-rc5 #1 PREEMPT(voluntary) [ 27.721104] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST [ 27.721107] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021 [ 27.721110] Call Trace: [ 27.721111] <TASK> [ 27.721113] dump_stack_lvl+0x73/0xb0 [ 27.721118] print_report+0xd1/0x650 [ 27.721122] ? __virt_addr_valid+0x1db/0x2d0 [ 27.721125] ? kmalloc_uaf_memset+0x1a3/0x360 [ 27.721129] ? kasan_complete_mode_report_info+0x64/0x200 [ 27.721134] ? kmalloc_uaf_memset+0x1a3/0x360 [ 27.721138] kasan_report+0x141/0x180 [ 27.721142] ? kmalloc_uaf_memset+0x1a3/0x360 [ 27.721147] kasan_check_range+0x10c/0x1c0 [ 27.721151] __asan_memset+0x27/0x50 [ 27.721154] kmalloc_uaf_memset+0x1a3/0x360 [ 27.721158] ? __pfx_kmalloc_uaf_memset+0x10/0x10 [ 27.721162] ? __schedule+0x10cc/0x2b60 [ 27.721166] ? ktime_get_ts64+0x83/0x230 [ 27.721170] kunit_try_run_case+0x1a2/0x480 [ 27.721175] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.721179] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 27.721183] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 27.721187] ? __kthread_parkme+0x82/0x180 [ 27.721190] ? preempt_count_sub+0x50/0x80 [ 27.721195] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.721199] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 27.721203] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 27.721207] kthread+0x334/0x6f0 [ 27.721210] ? trace_preempt_on+0x20/0xc0 [ 27.721214] ? __pfx_kthread+0x10/0x10 [ 27.721218] ? _raw_spin_unlock_irq+0x47/0x80 [ 27.721222] ? calculate_sigpending+0x7b/0xa0 [ 27.721226] ? __pfx_kthread+0x10/0x10 [ 27.721230] ret_from_fork+0x113/0x1d0 [ 27.721233] ? __pfx_kthread+0x10/0x10 [ 27.721237] ret_from_fork_asm+0x1a/0x30 [ 27.721243] </TASK> [ 27.721244] [ 27.889365] Allocated by task 227: [ 27.892771] kasan_save_stack+0x45/0x70 [ 27.896611] kasan_save_track+0x18/0x40 [ 27.900451] kasan_save_alloc_info+0x3b/0x50 [ 27.904730] __kasan_kmalloc+0xb7/0xc0 [ 27.908484] __kmalloc_cache_noprof+0x189/0x420 [ 27.913017] kmalloc_uaf_memset+0xa9/0x360 [ 27.917116] kunit_try_run_case+0x1a2/0x480 [ 27.921303] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 27.926703] kthread+0x334/0x6f0 [ 27.929935] ret_from_fork+0x113/0x1d0 [ 27.933686] ret_from_fork_asm+0x1a/0x30 [ 27.937614] [ 27.939112] Freed by task 227: [ 27.942170] kasan_save_stack+0x45/0x70 [ 27.946010] kasan_save_track+0x18/0x40 [ 27.949849] kasan_save_free_info+0x3f/0x60 [ 27.954036] __kasan_slab_free+0x56/0x70 [ 27.957962] kfree+0x222/0x3f0 [ 27.961020] kmalloc_uaf_memset+0x12b/0x360 [ 27.965206] kunit_try_run_case+0x1a2/0x480 [ 27.969414] kunit_generic_run_threadfn_adapter+0x82/0xf0 [ 27.974819] kthread+0x334/0x6f0 [ 27.978050] ret_from_fork+0x113/0x1d0 [ 27.981804] ret_from_fork_asm+0x1a/0x30 [ 27.985731] [ 27.987229] The buggy address belongs to the object at ffff88810629ff80 [ 27.987229] which belongs to the cache kmalloc-64 of size 64 [ 27.999570] The buggy address is located 0 bytes inside of [ 27.999570] freed 64-byte region [ffff88810629ff80, ffff88810629ffc0) [ 28.011565] [ 28.013063] The buggy address belongs to the physical page: [ 28.018636] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10629f [ 28.026636] flags: 0x200000000000000(node=0|zone=2) [ 28.031515] page_type: f5(slab) [ 28.034662] raw: 0200000000000000 ffff8881000428c0 dead000000000122 0000000000000000 [ 28.042409] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 28.050149] page dumped because: kasan: bad access detected [ 28.055721] [ 28.057219] Memory state around the buggy address: [ 28.062013] ffff88810629fe80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 28.069234] ffff88810629ff00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 28.076454] >ffff88810629ff80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 28.083681] ^ [ 28.086912] ffff8881062a0000: fa fc fc fc 04 fc fc fc fa fc fc fc fa fc fc fc [ 28.094131] ffff8881062a0080: 02 fc fc fc fa fc fc fc 04 fc fc fc fa fc fc fc [ 28.101365] ==================================================================