Date
July 19, 2025, 11:11 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
```
[ 15.292232] ==================================================================
[ 15.292598] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 15.292706] Read of size 16 at addr fff00000c5f9c480 by task kunit_try_catch/169
[ 15.292791]
[ 15.292850] CPU: 1 UID: 0 PID: 169 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 15.292973] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.293038] Hardware name: linux,dummy-virt (DT)
[ 15.293307] Call trace:
[ 15.293422] show_stack+0x20/0x38 (C)
[ 15.293503] dump_stack_lvl+0x8c/0xd0
[ 15.293570] print_report+0x118/0x5d0
[ 15.293684] kasan_report+0xdc/0x128
[ 15.293894] __asan_report_load16_noabort+0x20/0x30
[ 15.293950] kmalloc_uaf_16+0x3bc/0x438
[ 15.294377] kunit_try_run_case+0x170/0x3f0
[ 15.294539] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.294969] kthread+0x328/0x630
[ 15.295103] ret_from_fork+0x10/0x20
[ 15.295277]
[ 15.295348] Allocated by task 169:
[ 15.295432] kasan_save_stack+0x3c/0x68
[ 15.295521] kasan_save_track+0x20/0x40
[ 15.295618] kasan_save_alloc_info+0x40/0x58
[ 15.295991] __kasan_kmalloc+0xd4/0xd8
[ 15.296057] __kmalloc_cache_noprof+0x16c/0x3c0
[ 15.296118] kmalloc_uaf_16+0x140/0x438
[ 15.296264] kunit_try_run_case+0x170/0x3f0
[ 15.296410] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.296469] kthread+0x328/0x630
[ 15.296501] ret_from_fork+0x10/0x20
[ 15.296565]
[ 15.296752] Freed by task 169:
[ 15.296914] kasan_save_stack+0x3c/0x68
[ 15.296976] kasan_save_track+0x20/0x40
[ 15.297098] kasan_save_free_info+0x4c/0x78
[ 15.297177] __kasan_slab_free+0x6c/0x98
[ 15.297310] kfree+0x214/0x3c8
[ 15.297371] kmalloc_uaf_16+0x190/0x438
[ 15.297416] kunit_try_run_case+0x170/0x3f0
[ 15.297760] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.298226] kthread+0x328/0x630
[ 15.298611] ret_from_fork+0x10/0x20
[ 15.298682]
[ 15.298720] The buggy address belongs to the object at fff00000c5f9c480
[ 15.298720] which belongs to the cache kmalloc-16 of size 16
[ 15.298812] The buggy address is located 0 bytes inside of
[ 15.298812] freed 16-byte region [fff00000c5f9c480, fff00000c5f9c490)
[ 15.298893]
[ 15.298990] The buggy address belongs to the physical page:
[ 15.299023] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105f9c
[ 15.299124] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 15.299209] page_type: f5(slab)
[ 15.299555] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 15.299643] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 15.299816] page dumped because: kasan: bad access detected
[ 15.300057]
[ 15.300080] Memory state around the buggy address:
[ 15.300269] fff00000c5f9c380: fa fb fc fc fa fb fc fc fa fb fc fc 00 04 fc fc
[ 15.300328] fff00000c5f9c400: fa fb fc fc fa fb fc fc fa fb fc fc 00 00 fc fc
[ 15.300499] >fff00000c5f9c480: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.300758] ^
[ 15.300826] fff00000c5f9c500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.301330] fff00000c5f9c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.301388] ==================================================================
```
```
[ 12.118979] ==================================================================
[ 12.119988] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[ 12.120821] Read of size 16 at addr ffff8881019945e0 by task kunit_try_catch/186
[ 12.121754]
[ 12.121854] CPU: 1 UID: 0 PID: 186 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.121901] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.121912] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.121933] Call Trace:
[ 12.121946] <TASK>
[ 12.121963] dump_stack_lvl+0x73/0xb0
[ 12.121993] print_report+0xd1/0x610
[ 12.122014] ? __virt_addr_valid+0x1db/0x2d0
[ 12.122037] ? kmalloc_uaf_16+0x47b/0x4c0
[ 12.122057] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.122078] ? kmalloc_uaf_16+0x47b/0x4c0
[ 12.122098] kasan_report+0x141/0x180
[ 12.122119] ? kmalloc_uaf_16+0x47b/0x4c0
[ 12.122143] __asan_report_load16_noabort+0x18/0x20
[ 12.122219] kmalloc_uaf_16+0x47b/0x4c0
[ 12.122240] ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 12.122261] ? __schedule+0x10cc/0x2b60
[ 12.122283] ? __pfx_read_tsc+0x10/0x10
[ 12.122303] ? ktime_get_ts64+0x86/0x230
[ 12.122328] kunit_try_run_case+0x1a5/0x480
[ 12.122351] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.122373] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.122395] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.122418] ? __kthread_parkme+0x82/0x180
[ 12.122438] ? preempt_count_sub+0x50/0x80
[ 12.122462] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.122484] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.122521] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.122544] kthread+0x337/0x6f0
[ 12.122563] ? trace_preempt_on+0x20/0xc0
[ 12.122586] ? __pfx_kthread+0x10/0x10
[ 12.122606] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.122626] ? calculate_sigpending+0x7b/0xa0
[ 12.122650] ? __pfx_kthread+0x10/0x10
[ 12.122670] ret_from_fork+0x116/0x1d0
[ 12.122688] ? __pfx_kthread+0x10/0x10
[ 12.122707] ret_from_fork_asm+0x1a/0x30
[ 12.122737] </TASK>
[ 12.122747]
[ 12.132818] Allocated by task 186:
[ 12.132948] kasan_save_stack+0x45/0x70
[ 12.133301] kasan_save_track+0x18/0x40
[ 12.133508] kasan_save_alloc_info+0x3b/0x50
[ 12.133695] __kasan_kmalloc+0xb7/0xc0
[ 12.133865] __kmalloc_cache_noprof+0x189/0x420
[ 12.134097] kmalloc_uaf_16+0x15b/0x4c0
[ 12.134313] kunit_try_run_case+0x1a5/0x480
[ 12.134477] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.134773] kthread+0x337/0x6f0
[ 12.134918] ret_from_fork+0x116/0x1d0
[ 12.135206] ret_from_fork_asm+0x1a/0x30
[ 12.135379]
[ 12.135462] Freed by task 186:
[ 12.135583] kasan_save_stack+0x45/0x70
[ 12.135718] kasan_save_track+0x18/0x40
[ 12.135851] kasan_save_free_info+0x3f/0x60
[ 12.135997] __kasan_slab_free+0x56/0x70
[ 12.136186] kfree+0x222/0x3f0
[ 12.136489] kmalloc_uaf_16+0x1d6/0x4c0
[ 12.136685] kunit_try_run_case+0x1a5/0x480
[ 12.136886] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.137105] kthread+0x337/0x6f0
[ 12.137222] ret_from_fork+0x116/0x1d0
[ 12.137351] ret_from_fork_asm+0x1a/0x30
[ 12.137486]
[ 12.137711] The buggy address belongs to the object at ffff8881019945e0
[ 12.137711] which belongs to the cache kmalloc-16 of size 16
[ 12.138535] The buggy address is located 0 bytes inside of
[ 12.138535] freed 16-byte region [ffff8881019945e0, ffff8881019945f0)
[ 12.139033]
[ 12.139116] The buggy address belongs to the physical page:
[ 12.139386] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101994
[ 12.139714] flags: 0x200000000000000(node=0|zone=2)
[ 12.139881] page_type: f5(slab)
[ 12.140104] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 12.140604] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 12.140842] page dumped because: kasan: bad access detected
[ 12.141013]
[ 12.141081] Memory state around the buggy address:
[ 12.141237] ffff888101994480: fa fb fc fc 00 02 fc fc 00 05 fc fc 00 02 fc fc
[ 12.141522] ffff888101994500: 00 02 fc fc 00 02 fc fc 00 02 fc fc fa fb fc fc
[ 12.141842] >ffff888101994580: fa fb fc fc 00 05 fc fc 00 00 fc fc fa fb fc fc
[ 12.142158] ^
[ 12.142539] ffff888101994600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.142807] ffff888101994680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.143020] ==================================================================
```