Date
July 6, 2025, 11:09 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
| x86 |
```
[ 16.693889] ==================================================================
[ 16.694213] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[ 16.694288] Read of size 1 at addr fff00000c6530000 by task kunit_try_catch/149
[ 16.694355]
[ 16.694403] CPU: 0 UID: 0 PID: 149 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 16.694541] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.694567] Hardware name: linux,dummy-virt (DT)
[ 16.694596] Call trace:
[ 16.694627] show_stack+0x20/0x38 (C)
[ 16.694724] dump_stack_lvl+0x8c/0xd0
[ 16.695029] print_report+0x118/0x608
[ 16.695147] kasan_report+0xdc/0x128
[ 16.695284] __asan_report_load1_noabort+0x20/0x30
[ 16.695375] kmalloc_large_uaf+0x2cc/0x2f8
[ 16.695460] kunit_try_run_case+0x170/0x3f0
[ 16.695547] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.695671] kthread+0x328/0x630
[ 16.695749] ret_from_fork+0x10/0x20
[ 16.695817]
[ 16.695836] The buggy address belongs to the physical page:
[ 16.695891] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106530
[ 16.695943] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 16.696012] raw: 0bfffe0000000000 fff00000da456c40 fff00000da456c40 0000000000000000
[ 16.696060] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 16.696098] page dumped because: kasan: bad access detected
[ 16.696127]
[ 16.696329] Memory state around the buggy address:
[ 16.696421] fff00000c652ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.696516] fff00000c652ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.696599] >fff00000c6530000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 16.696673] ^
[ 16.696758] fff00000c6530080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 16.696814] fff00000c6530100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 16.696871] ==================================================================
```
```
[ 16.631570] ==================================================================
[ 16.631632] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[ 16.631953] Read of size 1 at addr fff00000c7708000 by task kunit_try_catch/149
[ 16.632271]
[ 16.632304] CPU: 1 UID: 0 PID: 149 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 16.632382] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.632844] Hardware name: linux,dummy-virt (DT)
[ 16.632977] Call trace:
[ 16.633000] show_stack+0x20/0x38 (C)
[ 16.633056] dump_stack_lvl+0x8c/0xd0
[ 16.633352] print_report+0x118/0x608
[ 16.633481] kasan_report+0xdc/0x128
[ 16.633531] __asan_report_load1_noabort+0x20/0x30
[ 16.633618] kmalloc_large_uaf+0x2cc/0x2f8
[ 16.633661] kunit_try_run_case+0x170/0x3f0
[ 16.634024] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.634084] kthread+0x328/0x630
[ 16.634124] ret_from_fork+0x10/0x20
[ 16.634170]
[ 16.634191] The buggy address belongs to the physical page:
[ 16.634372] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107708
[ 16.634464] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 16.634569] raw: 0bfffe0000000000 ffffc1ffc31dc308 fff00000da478c40 0000000000000000
[ 16.634617] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 16.634655] page dumped because: kasan: bad access detected
[ 16.634693]
[ 16.634712] Memory state around the buggy address:
[ 16.634743] fff00000c7707f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.635091] fff00000c7707f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.635135] >fff00000c7708000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 16.635171] ^
[ 16.635374] fff00000c7708080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 16.635454] fff00000c7708100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 16.635578] ==================================================================
```
```
[ 12.725201] ==================================================================
[ 12.725699] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f1/0x340
[ 12.726529] Read of size 1 at addr ffff88810263c000 by task kunit_try_catch/166
[ 12.726944]
[ 12.727023] CPU: 0 UID: 0 PID: 166 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 12.727068] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.727079] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.727099] Call Trace:
[ 12.727114] <TASK>
[ 12.727137] dump_stack_lvl+0x73/0xb0
[ 12.727171] print_report+0xd1/0x650
[ 12.727192] ? __virt_addr_valid+0x1db/0x2d0
[ 12.727212] ? kmalloc_large_uaf+0x2f1/0x340
[ 12.727230] ? kasan_addr_to_slab+0x11/0xa0
[ 12.727248] ? kmalloc_large_uaf+0x2f1/0x340
[ 12.727266] kasan_report+0x141/0x180
[ 12.727286] ? kmalloc_large_uaf+0x2f1/0x340
[ 12.727309] __asan_report_load1_noabort+0x18/0x20
[ 12.727331] kmalloc_large_uaf+0x2f1/0x340
[ 12.727349] ? __pfx_kmalloc_large_uaf+0x10/0x10
[ 12.727368] ? __schedule+0x10cc/0x2b60
[ 12.727388] ? __pfx_read_tsc+0x10/0x10
[ 12.727408] ? ktime_get_ts64+0x86/0x230
[ 12.727431] kunit_try_run_case+0x1a5/0x480
[ 12.727452] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.727472] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.727493] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.727513] ? __kthread_parkme+0x82/0x180
[ 12.727531] ? preempt_count_sub+0x50/0x80
[ 12.727552] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.727573] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.727593] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.727613] kthread+0x337/0x6f0
[ 12.727659] ? trace_preempt_on+0x20/0xc0
[ 12.727695] ? __pfx_kthread+0x10/0x10
[ 12.727725] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.727756] ? calculate_sigpending+0x7b/0xa0
[ 12.727797] ? __pfx_kthread+0x10/0x10
[ 12.727835] ret_from_fork+0x116/0x1d0
[ 12.727869] ? __pfx_kthread+0x10/0x10
[ 12.727903] ret_from_fork_asm+0x1a/0x30
[ 12.727932] </TASK>
[ 12.727944]
[ 12.739069] The buggy address belongs to the physical page:
[ 12.739606] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10263c
[ 12.739990] flags: 0x200000000000000(node=0|zone=2)
[ 12.740408] raw: 0200000000000000 ffff88815b039f80 ffff88815b039f80 0000000000000000
[ 12.740711] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 12.741132] page dumped because: kasan: bad access detected
[ 12.741557]
[ 12.741852] Memory state around the buggy address:
[ 12.742158] ffff88810263bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.742719] ffff88810263bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.743126] >ffff88810263c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.743720] ^
[ 12.743986] ffff88810263c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.744407] ffff88810263c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.744829] ==================================================================
```
```
[ 12.988275] ==================================================================
[ 12.989133] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f1/0x340
[ 12.990391] Read of size 1 at addr ffff888102424000 by task kunit_try_catch/165
[ 12.991571]
[ 12.991943] CPU: 0 UID: 0 PID: 165 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 12.991993] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.992006] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.992027] Call Trace:
[ 12.992039] <TASK>
[ 12.992069] dump_stack_lvl+0x73/0xb0
[ 12.992102] print_report+0xd1/0x650
[ 12.992124] ? __virt_addr_valid+0x1db/0x2d0
[ 12.992147] ? kmalloc_large_uaf+0x2f1/0x340
[ 12.992167] ? kasan_addr_to_slab+0x11/0xa0
[ 12.992187] ? kmalloc_large_uaf+0x2f1/0x340
[ 12.992207] kasan_report+0x141/0x180
[ 12.992229] ? kmalloc_large_uaf+0x2f1/0x340
[ 12.992255] __asan_report_load1_noabort+0x18/0x20
[ 12.992278] kmalloc_large_uaf+0x2f1/0x340
[ 12.992298] ? __pfx_kmalloc_large_uaf+0x10/0x10
[ 12.992320] ? __schedule+0x10cc/0x2b60
[ 12.992342] ? __pfx_read_tsc+0x10/0x10
[ 12.992362] ? ktime_get_ts64+0x86/0x230
[ 12.992387] kunit_try_run_case+0x1a5/0x480
[ 12.992411] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.992432] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.992455] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.992477] ? __kthread_parkme+0x82/0x180
[ 12.992496] ? preempt_count_sub+0x50/0x80
[ 12.992520] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.992542] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.992564] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.992586] kthread+0x337/0x6f0
[ 12.992605] ? trace_preempt_on+0x20/0xc0
[ 12.992628] ? __pfx_kthread+0x10/0x10
[ 12.992648] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.992668] ? calculate_sigpending+0x7b/0xa0
[ 12.992691] ? __pfx_kthread+0x10/0x10
[ 12.992712] ret_from_fork+0x116/0x1d0
[ 12.992730] ? __pfx_kthread+0x10/0x10
[ 12.992750] ret_from_fork_asm+0x1a/0x30
[ 12.992781] </TASK>
[ 12.992793]
[ 13.000311] The buggy address belongs to the physical page:
[ 13.000596] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102424
[ 13.001035] flags: 0x200000000000000(node=0|zone=2)
[ 13.001231] raw: 0200000000000000 ffff88815b039f80 ffff88815b039f80 0000000000000000
[ 13.001462] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 13.001856] page dumped because: kasan: bad access detected
[ 13.002175]
[ 13.002277] Memory state around the buggy address:
[ 13.002514] ffff888102423f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.002975] ffff888102423f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.003323] >ffff888102424000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.003663] ^
[ 13.003936] ffff888102424080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.004280] ffff888102424100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.004586] ==================================================================
```
```
[ 16.723970] ==================================================================
[ 16.735467] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f1/0x340
[ 16.742080] Read of size 1 at addr ffff888106e9c000 by task kunit_try_catch/189
[ 16.749418]
[ 16.750912] CPU: 1 UID: 0 PID: 189 Comm: kunit_try_catch Tainted: G S B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 16.750921] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST
[ 16.750924] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[ 16.750927] Call Trace:
[ 16.750929] <TASK>
[ 16.750930] dump_stack_lvl+0x73/0xb0
[ 16.750935] print_report+0xd1/0x650
[ 16.750939] ? __virt_addr_valid+0x1db/0x2d0
[ 16.750943] ? kmalloc_large_uaf+0x2f1/0x340
[ 16.750947] ? kasan_addr_to_slab+0x11/0xa0
[ 16.750950] ? kmalloc_large_uaf+0x2f1/0x340
[ 16.750954] kasan_report+0x141/0x180
[ 16.750958] ? kmalloc_large_uaf+0x2f1/0x340
[ 16.750963] __asan_report_load1_noabort+0x18/0x20
[ 16.750967] kmalloc_large_uaf+0x2f1/0x340
[ 16.750971] ? __pfx_kmalloc_large_uaf+0x10/0x10
[ 16.750975] ? __schedule+0x10cc/0x2b60
[ 16.750979] ? ktime_get_ts64+0x83/0x230
[ 16.750983] kunit_try_run_case+0x1a2/0x480
[ 16.750987] ? __pfx_kunit_try_run_case+0x10/0x10
[ 16.750991] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 16.750996] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 16.751000] ? __kthread_parkme+0x82/0x180
[ 16.751003] ? preempt_count_sub+0x50/0x80
[ 16.751007] ? __pfx_kunit_try_run_case+0x10/0x10
[ 16.751011] kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 16.751016] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 16.751020] kthread+0x334/0x6f0
[ 16.751023] ? trace_preempt_on+0x20/0xc0
[ 16.751027] ? __pfx_kthread+0x10/0x10
[ 16.751031] ? _raw_spin_unlock_irq+0x47/0x80
[ 16.751034] ? calculate_sigpending+0x7b/0xa0
[ 16.751039] ? __pfx_kthread+0x10/0x10
[ 16.751043] ret_from_fork+0x113/0x1d0
[ 16.751046] ? __pfx_kthread+0x10/0x10
[ 16.751049] ret_from_fork_asm+0x1a/0x30
[ 16.751055] </TASK>
[ 16.751057]
[ 16.914773] The buggy address belongs to the physical page:
[ 16.920374] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106e9c
[ 16.928423] flags: 0x200000000000000(node=0|zone=2)
[ 16.933310] raw: 0200000000000000 ffffea00041ba908 ffff88841f6b9f80 0000000000000000
[ 16.941051] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 16.948795] page dumped because: kasan: bad access detected
[ 16.954414]
[ 16.955911] Memory state around the buggy address:
[ 16.960704] ffff888106e9bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 16.967924] ffff888106e9bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 16.975142] >ffff888106e9c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 16.982362] ^
[ 16.985614] ffff888106e9c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 16.992841] ffff888106e9c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 17.000059] ==================================================================
```