Date
July 19, 2025, 11:11 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
```
[ 15.432825] ==================================================================
[ 15.432883] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[ 15.433063] Write of size 33 at addr fff00000c63a8400 by task kunit_try_catch/187
[ 15.433126]
[ 15.433168] CPU: 1 UID: 0 PID: 187 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT
[ 15.433335] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.433585] Hardware name: linux,dummy-virt (DT)
[ 15.433677] Call trace:
[ 15.433701]  show_stack+0x20/0x38 (C)
[ 15.433755]  dump_stack_lvl+0x8c/0xd0
[ 15.433806]  print_report+0x118/0x5d0
[ 15.433866]  kasan_report+0xdc/0x128
[ 15.433912]  kasan_check_range+0x100/0x1a8
[ 15.434179]  __asan_memset+0x34/0x78
[ 15.434341]  kmalloc_uaf_memset+0x170/0x310
[ 15.434393]  kunit_try_run_case+0x170/0x3f0
[ 15.434447]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.434506]  kthread+0x328/0x630
[ 15.434559]  ret_from_fork+0x10/0x20
[ 15.435743]
[ 15.435885] Allocated by task 187:
[ 15.436209]  kasan_save_stack+0x3c/0x68
[ 15.436364]  kasan_save_track+0x20/0x40
[ 15.436460]  kasan_save_alloc_info+0x40/0x58
[ 15.436543]  __kasan_kmalloc+0xd4/0xd8
[ 15.436581]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 15.436620]  kmalloc_uaf_memset+0xb8/0x310
[ 15.436735]  kunit_try_run_case+0x170/0x3f0
[ 15.437799]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.437859]  kthread+0x328/0x630
[ 15.437894]  ret_from_fork+0x10/0x20
[ 15.437929]
[ 15.437949] Freed by task 187:
[ 15.437977]  kasan_save_stack+0x3c/0x68
[ 15.438141]  kasan_save_track+0x20/0x40
[ 15.438267]  kasan_save_free_info+0x4c/0x78
[ 15.438308]  __kasan_slab_free+0x6c/0x98
[ 15.438399]  kfree+0x214/0x3c8
[ 15.438495]  kmalloc_uaf_memset+0x11c/0x310
[ 15.438543]  kunit_try_run_case+0x170/0x3f0
[ 15.438582]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.438625]  kthread+0x328/0x630
[ 15.438656]  ret_from_fork+0x10/0x20
[ 15.438692]
[ 15.438712] The buggy address belongs to the object at fff00000c63a8400
[ 15.438712]  which belongs to the cache kmalloc-64 of size 64
[ 15.439007] The buggy address is located 0 bytes inside of
[ 15.439007]  freed 64-byte region [fff00000c63a8400, fff00000c63a8440)
[ 15.439393]
[ 15.439418] The buggy address belongs to the physical page:
[ 15.439555] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063a8
[ 15.439776] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 15.439833] page_type: f5(slab)
[ 15.439872] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 15.440236] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 15.440283] page dumped because: kasan: bad access detected
[ 15.440342]
[ 15.440370] Memory state around the buggy address:
[ 15.440475]  fff00000c63a8300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 15.440518]  fff00000c63a8380: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 15.440572] >fff00000c63a8400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 15.440693]                    ^
[ 15.440730]  fff00000c63a8480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.440808]  fff00000c63a8500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.440985] ==================================================================
```
```
[ 12.352894] ==================================================================
[ 12.353391] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a3/0x360
[ 12.353729] Write of size 33 at addr ffff888102f66180 by task kunit_try_catch/204
[ 12.354030]
[ 12.354141] CPU: 1 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary)
[ 12.354187] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.354204] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.354225] Call Trace:
[ 12.354237]  <TASK>
[ 12.354254]  dump_stack_lvl+0x73/0xb0
[ 12.354307]  print_report+0xd1/0x610
[ 12.354328]  ? __virt_addr_valid+0x1db/0x2d0
[ 12.354351]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 12.354371]  ? kasan_complete_mode_report_info+0x64/0x200
[ 12.354393]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 12.354413]  kasan_report+0x141/0x180
[ 12.354435]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 12.354460]  kasan_check_range+0x10c/0x1c0
[ 12.354482]  __asan_memset+0x27/0x50
[ 12.354512]  kmalloc_uaf_memset+0x1a3/0x360
[ 12.354532]  ? __pfx_kmalloc_uaf_memset+0x10/0x10
[ 12.354554]  ? __schedule+0x10cc/0x2b60
[ 12.354576]  ? __pfx_read_tsc+0x10/0x10
[ 12.354596]  ? ktime_get_ts64+0x86/0x230
[ 12.354619]  kunit_try_run_case+0x1a5/0x480
[ 12.354642]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.354664]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.354686]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.354709]  ? __kthread_parkme+0x82/0x180
[ 12.354729]  ? preempt_count_sub+0x50/0x80
[ 12.354752]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.354775]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.354798]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.354821]  kthread+0x337/0x6f0
[ 12.354839]  ? trace_preempt_on+0x20/0xc0
[ 12.354861]  ? __pfx_kthread+0x10/0x10
[ 12.354880]  ? _raw_spin_unlock_irq+0x47/0x80
[ 12.354901]  ? calculate_sigpending+0x7b/0xa0
[ 12.354925]  ? __pfx_kthread+0x10/0x10
[ 12.354945]  ret_from_fork+0x116/0x1d0
[ 12.354962]  ? __pfx_kthread+0x10/0x10
[ 12.354981]  ret_from_fork_asm+0x1a/0x30
[ 12.355011]  </TASK>
[ 12.355021]
[ 12.368146] Allocated by task 204:
[ 12.368569]  kasan_save_stack+0x45/0x70
[ 12.368749]  kasan_save_track+0x18/0x40
[ 12.368929]  kasan_save_alloc_info+0x3b/0x50
[ 12.369080]  __kasan_kmalloc+0xb7/0xc0
[ 12.369284]  __kmalloc_cache_noprof+0x189/0x420
[ 12.369583]  kmalloc_uaf_memset+0xa9/0x360
[ 12.369796]  kunit_try_run_case+0x1a5/0x480
[ 12.369981]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.370280]  kthread+0x337/0x6f0
[ 12.370430]  ret_from_fork+0x116/0x1d0
[ 12.370576]  ret_from_fork_asm+0x1a/0x30
[ 12.370717]
[ 12.370786] Freed by task 204:
[ 12.370922]  kasan_save_stack+0x45/0x70
[ 12.371102]  kasan_save_track+0x18/0x40
[ 12.371287]  kasan_save_free_info+0x3f/0x60
[ 12.371554]  __kasan_slab_free+0x56/0x70
[ 12.371745]  kfree+0x222/0x3f0
[ 12.371908]  kmalloc_uaf_memset+0x12b/0x360
[ 12.372079]  kunit_try_run_case+0x1a5/0x480
[ 12.372381]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.372648]  kthread+0x337/0x6f0
[ 12.372775]  ret_from_fork+0x116/0x1d0
[ 12.372967]  ret_from_fork_asm+0x1a/0x30
[ 12.373256]
[ 12.373350] The buggy address belongs to the object at ffff888102f66180
[ 12.373350]  which belongs to the cache kmalloc-64 of size 64
[ 12.374174] The buggy address is located 0 bytes inside of
[ 12.374174]  freed 64-byte region [ffff888102f66180, ffff888102f661c0)
[ 12.374778]
[ 12.374875] The buggy address belongs to the physical page:
[ 12.375197] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102f66
[ 12.375519] flags: 0x200000000000000(node=0|zone=2)
[ 12.375688] page_type: f5(slab)
[ 12.375812] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 12.376129] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 12.376462] page dumped because: kasan: bad access detected
[ 12.376804]
[ 12.376872] Memory state around the buggy address:
[ 12.377028]  ffff888102f66080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 12.377569]  ffff888102f66100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 12.377889] >ffff888102f66180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 12.378238]                    ^
[ 12.378358]  ffff888102f66200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.378588]  ffff888102f66280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.378802] ==================================================================
```