Date
July 13, 2025, 11:09 p.m.
Environment | |
---|---|
qemu-arm64 | |
qemu-x86_64 |
[ 15.997421] ================================================================== [ 15.997483] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338 [ 15.997536] Read of size 1 at addr fff00000c5809548 by task kunit_try_catch/185 [ 15.997586] [ 15.997617] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 15.997992] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.998075] Hardware name: linux,dummy-virt (DT) [ 15.998173] Call trace: [ 15.998225] show_stack+0x20/0x38 (C) [ 15.998305] dump_stack_lvl+0x8c/0xd0 [ 15.998759] print_report+0x118/0x5d0 [ 15.998838] kasan_report+0xdc/0x128 [ 15.999135] __asan_report_load1_noabort+0x20/0x30 [ 15.999237] kmalloc_uaf+0x300/0x338 [ 15.999353] kunit_try_run_case+0x170/0x3f0 [ 15.999444] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.999707] kthread+0x328/0x630 [ 15.999789] ret_from_fork+0x10/0x20 [ 15.999978] [ 16.000132] Allocated by task 185: [ 16.000284] kasan_save_stack+0x3c/0x68 [ 16.000360] kasan_save_track+0x20/0x40 [ 16.000468] kasan_save_alloc_info+0x40/0x58 [ 16.000710] __kasan_kmalloc+0xd4/0xd8 [ 16.000789] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.000937] kmalloc_uaf+0xb8/0x338 [ 16.001003] kunit_try_run_case+0x170/0x3f0 [ 16.001120] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.001184] kthread+0x328/0x630 [ 16.001229] ret_from_fork+0x10/0x20 [ 16.001551] [ 16.001590] Freed by task 185: [ 16.001662] kasan_save_stack+0x3c/0x68 [ 16.001732] kasan_save_track+0x20/0x40 [ 16.001769] kasan_save_free_info+0x4c/0x78 [ 16.002030] __kasan_slab_free+0x6c/0x98 [ 16.002160] kfree+0x214/0x3c8 [ 16.002271] kmalloc_uaf+0x11c/0x338 [ 16.002387] kunit_try_run_case+0x170/0x3f0 [ 16.002439] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.002497] kthread+0x328/0x630 [ 16.002788] ret_from_fork+0x10/0x20 [ 16.002858] [ 16.002931] The buggy address belongs to the object at fff00000c5809540 [ 16.002931] which belongs to the cache kmalloc-16 of size 16 [ 16.003039] The buggy address is located 8 bytes inside of [ 16.003039] freed 16-byte region [fff00000c5809540, fff00000c5809550) [ 16.003118] [ 16.003137] The buggy address belongs to the physical page: [ 16.003292] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105809 [ 16.003408] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.003647] page_type: f5(slab) [ 16.003718] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000 [ 16.004060] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 16.004126] page dumped because: kasan: bad access detected [ 16.004183] [ 16.004292] Memory state around the buggy address: [ 16.004379] fff00000c5809400: 00 00 fc fc 00 00 fc fc 00 00 fc fc fa fb fc fc [ 16.004439] fff00000c5809480: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 16.004488] >fff00000c5809500: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc [ 16.004760] ^ [ 16.004843] fff00000c5809580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.004984] fff00000c5809600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.005062] ==================================================================
[ 16.764419] ================================================================== [ 16.764484] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338 [ 16.764540] Read of size 1 at addr fff00000c44abaa8 by task kunit_try_catch/185 [ 16.764620] [ 16.764655] CPU: 1 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 16.765127] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.765297] Hardware name: linux,dummy-virt (DT) [ 16.765372] Call trace: [ 16.765462] show_stack+0x20/0x38 (C) [ 16.765553] dump_stack_lvl+0x8c/0xd0 [ 16.765659] print_report+0x118/0x5d0 [ 16.765777] kasan_report+0xdc/0x128 [ 16.765876] __asan_report_load1_noabort+0x20/0x30 [ 16.766014] kmalloc_uaf+0x300/0x338 [ 16.766059] kunit_try_run_case+0x170/0x3f0 [ 16.766154] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.766224] kthread+0x328/0x630 [ 16.766441] ret_from_fork+0x10/0x20 [ 16.766612] [ 16.766809] Allocated by task 185: [ 16.766987] kasan_save_stack+0x3c/0x68 [ 16.767150] kasan_save_track+0x20/0x40 [ 16.767328] kasan_save_alloc_info+0x40/0x58 [ 16.767370] __kasan_kmalloc+0xd4/0xd8 [ 16.767450] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.767712] kmalloc_uaf+0xb8/0x338 [ 16.767871] kunit_try_run_case+0x170/0x3f0 [ 16.768021] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.768140] kthread+0x328/0x630 [ 16.768242] ret_from_fork+0x10/0x20 [ 16.768311] [ 16.768469] Freed by task 185: [ 16.768549] kasan_save_stack+0x3c/0x68 [ 16.768670] kasan_save_track+0x20/0x40 [ 16.768709] kasan_save_free_info+0x4c/0x78 [ 16.768749] __kasan_slab_free+0x6c/0x98 [ 16.768811] kfree+0x214/0x3c8 [ 16.768844] kmalloc_uaf+0x11c/0x338 [ 16.769277] kunit_try_run_case+0x170/0x3f0 [ 16.769374] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.769461] kthread+0x328/0x630 [ 16.769515] ret_from_fork+0x10/0x20 [ 16.769600] [ 16.769668] The buggy address belongs to the object at fff00000c44abaa0 [ 16.769668] which belongs to the cache kmalloc-16 of size 16 [ 16.769781] The buggy address is located 8 bytes inside of [ 16.769781] freed 16-byte region [fff00000c44abaa0, fff00000c44abab0) [ 16.769860] [ 16.769880] The buggy address belongs to the physical page: [ 16.769956] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1044ab [ 16.770022] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.770084] page_type: f5(slab) [ 16.770125] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000 [ 16.770505] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 16.770569] page dumped because: kasan: bad access detected [ 16.770602] [ 16.770666] Memory state around the buggy address: [ 16.770756] fff00000c44ab980: 00 00 fc fc 00 00 fc fc fa fb fc fc fa fb fc fc [ 16.770800] fff00000c44aba00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 16.770843] >fff00000c44aba80: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc [ 16.770882] ^ [ 16.771065] fff00000c44abb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.771259] fff00000c44abb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.771358] ==================================================================
[ 12.872360] ================================================================== [ 12.873127] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380 [ 12.873539] Read of size 1 at addr ffff888102676228 by task kunit_try_catch/201 [ 12.873913] [ 12.874014] CPU: 0 UID: 0 PID: 201 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 12.874056] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.874067] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.874087] Call Trace: [ 12.874098] <TASK> [ 12.874112] dump_stack_lvl+0x73/0xb0 [ 12.874140] print_report+0xd1/0x610 [ 12.874162] ? __virt_addr_valid+0x1db/0x2d0 [ 12.874185] ? kmalloc_uaf+0x320/0x380 [ 12.874204] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.874226] ? kmalloc_uaf+0x320/0x380 [ 12.874246] kasan_report+0x141/0x180 [ 12.874267] ? kmalloc_uaf+0x320/0x380 [ 12.874291] __asan_report_load1_noabort+0x18/0x20 [ 12.874316] kmalloc_uaf+0x320/0x380 [ 12.874336] ? __pfx_kmalloc_uaf+0x10/0x10 [ 12.874357] ? __schedule+0x10cc/0x2b60 [ 12.874379] ? __pfx_read_tsc+0x10/0x10 [ 12.874399] ? ktime_get_ts64+0x86/0x230 [ 12.874966] kunit_try_run_case+0x1a5/0x480 [ 12.874995] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.875020] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.875045] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.875069] ? __kthread_parkme+0x82/0x180 [ 12.875089] ? preempt_count_sub+0x50/0x80 [ 12.875113] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.875137] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.875162] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.875187] kthread+0x337/0x6f0 [ 12.875206] ? trace_preempt_on+0x20/0xc0 [ 12.875229] ? __pfx_kthread+0x10/0x10 [ 12.875250] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.875271] ? calculate_sigpending+0x7b/0xa0 [ 12.875296] ? __pfx_kthread+0x10/0x10 [ 12.875317] ret_from_fork+0x116/0x1d0 [ 12.875336] ? __pfx_kthread+0x10/0x10 [ 12.875357] ret_from_fork_asm+0x1a/0x30 [ 12.875387] </TASK> [ 12.875397] [ 12.885724] Allocated by task 201: [ 12.885869] kasan_save_stack+0x45/0x70 [ 12.886790] kasan_save_track+0x18/0x40 [ 12.887006] kasan_save_alloc_info+0x3b/0x50 [ 12.887224] __kasan_kmalloc+0xb7/0xc0 [ 12.887404] __kmalloc_cache_noprof+0x189/0x420 [ 12.888082] kmalloc_uaf+0xaa/0x380 [ 12.888220] kunit_try_run_case+0x1a5/0x480 [ 12.889479] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.889977] kthread+0x337/0x6f0 [ 12.890153] ret_from_fork+0x116/0x1d0 [ 12.890337] ret_from_fork_asm+0x1a/0x30 [ 12.890593] [ 12.890673] Freed by task 201: [ 12.891143] kasan_save_stack+0x45/0x70 [ 12.891699] kasan_save_track+0x18/0x40 [ 12.891858] kasan_save_free_info+0x3f/0x60 [ 12.892072] __kasan_slab_free+0x56/0x70 [ 12.892235] kfree+0x222/0x3f0 [ 12.892408] kmalloc_uaf+0x12c/0x380 [ 12.892827] kunit_try_run_case+0x1a5/0x480 [ 12.893074] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.893363] kthread+0x337/0x6f0 [ 12.893517] ret_from_fork+0x116/0x1d0 [ 12.893852] ret_from_fork_asm+0x1a/0x30 [ 12.894052] [ 12.894141] The buggy address belongs to the object at ffff888102676220 [ 12.894141] which belongs to the cache kmalloc-16 of size 16 [ 12.894963] The buggy address is located 8 bytes inside of [ 12.894963] freed 16-byte region [ffff888102676220, ffff888102676230) [ 12.895579] [ 12.895941] The buggy address belongs to the physical page: [ 12.896245] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102676 [ 12.896771] flags: 0x200000000000000(node=0|zone=2) [ 12.896946] page_type: f5(slab) [ 12.897205] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 12.897697] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 12.898097] page dumped because: kasan: bad access detected [ 12.898385] [ 12.898506] Memory state around the buggy address: [ 12.898902] ffff888102676100: 00 06 fc fc 00 00 fc fc fa fb fc fc fa fb fc fc [ 12.899183] ffff888102676180: 00 05 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 12.899655] >ffff888102676200: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc [ 12.900122] ^ [ 12.900388] ffff888102676280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.901071] ffff888102676300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.901391] ==================================================================
[ 13.099357] ================================================================== [ 13.099834] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380 [ 13.100147] Read of size 1 at addr ffff8881016acd68 by task kunit_try_catch/202 [ 13.100437] [ 13.100536] CPU: 0 UID: 0 PID: 202 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 13.100580] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.100592] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.100611] Call Trace: [ 13.100622] <TASK> [ 13.100637] dump_stack_lvl+0x73/0xb0 [ 13.100666] print_report+0xd1/0x610 [ 13.100687] ? __virt_addr_valid+0x1db/0x2d0 [ 13.100709] ? kmalloc_uaf+0x320/0x380 [ 13.100728] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.100750] ? kmalloc_uaf+0x320/0x380 [ 13.100769] kasan_report+0x141/0x180 [ 13.100790] ? kmalloc_uaf+0x320/0x380 [ 13.100813] __asan_report_load1_noabort+0x18/0x20 [ 13.100837] kmalloc_uaf+0x320/0x380 [ 13.100855] ? __pfx_kmalloc_uaf+0x10/0x10 [ 13.100875] ? __schedule+0x10cc/0x2b60 [ 13.100896] ? __pfx_read_tsc+0x10/0x10 [ 13.100917] ? ktime_get_ts64+0x86/0x230 [ 13.100941] kunit_try_run_case+0x1a5/0x480 [ 13.100964] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.100986] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.101008] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.101031] ? __kthread_parkme+0x82/0x180 [ 13.101099] ? preempt_count_sub+0x50/0x80 [ 13.101159] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.101185] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.101211] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.101236] kthread+0x337/0x6f0 [ 13.101256] ? trace_preempt_on+0x20/0xc0 [ 13.101280] ? __pfx_kthread+0x10/0x10 [ 13.101300] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.101322] ? calculate_sigpending+0x7b/0xa0 [ 13.101347] ? __pfx_kthread+0x10/0x10 [ 13.101369] ret_from_fork+0x116/0x1d0 [ 13.101388] ? __pfx_kthread+0x10/0x10 [ 13.101409] ret_from_fork_asm+0x1a/0x30 [ 13.101440] </TASK> [ 13.101450] [ 13.108355] Allocated by task 202: [ 13.108528] kasan_save_stack+0x45/0x70 [ 13.108705] kasan_save_track+0x18/0x40 [ 13.108897] kasan_save_alloc_info+0x3b/0x50 [ 13.109096] __kasan_kmalloc+0xb7/0xc0 [ 13.109291] __kmalloc_cache_noprof+0x189/0x420 [ 13.109473] kmalloc_uaf+0xaa/0x380 [ 13.109603] kunit_try_run_case+0x1a5/0x480 [ 13.109752] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.109962] kthread+0x337/0x6f0 [ 13.110172] ret_from_fork+0x116/0x1d0 [ 13.110364] ret_from_fork_asm+0x1a/0x30 [ 13.110561] [ 13.110655] Freed by task 202: [ 13.110819] kasan_save_stack+0x45/0x70 [ 13.111012] kasan_save_track+0x18/0x40 [ 13.111240] kasan_save_free_info+0x3f/0x60 [ 13.111416] __kasan_slab_free+0x56/0x70 [ 13.111603] kfree+0x222/0x3f0 [ 13.111720] kmalloc_uaf+0x12c/0x380 [ 13.111849] kunit_try_run_case+0x1a5/0x480 [ 13.112070] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.112350] kthread+0x337/0x6f0 [ 13.112529] ret_from_fork+0x116/0x1d0 [ 13.112723] ret_from_fork_asm+0x1a/0x30 [ 13.112913] [ 13.112997] The buggy address belongs to the object at ffff8881016acd60 [ 13.112997] which belongs to the cache kmalloc-16 of size 16 [ 13.113473] The buggy address is located 8 bytes inside of [ 13.113473] freed 16-byte region [ffff8881016acd60, ffff8881016acd70) [ 13.113967] [ 13.114061] The buggy address belongs to the physical page: [ 13.114326] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1016ac [ 13.114605] flags: 0x200000000000000(node=0|zone=2) [ 13.114775] page_type: f5(slab) [ 13.114897] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 13.115164] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 13.115417] page dumped because: kasan: bad access detected [ 13.115669] [ 13.115763] Memory state around the buggy address: [ 13.115985] ffff8881016acc00: fa fb fc fc fa fb fc fc fa fb fc fc 00 04 fc fc [ 13.116333] ffff8881016acc80: 00 00 fc fc 00 04 fc fc 00 04 fc fc fa fb fc fc [ 13.116657] >ffff8881016acd00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 13.116943] ^ [ 13.117174] ffff8881016acd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.117393] ffff8881016ace00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 13.117633] ==================================================================