Hay
Sign in
Date
July 13, 2025, 11:09 p.m.

Environment
qemu-arm64
qemu-x86_64 

[   16.014028] ==================================================================
[   16.014126] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[   16.014179] Write of size 33 at addr fff00000c654e700 by task kunit_try_catch/187
[   16.014250] 
[   16.014377] CPU: 0 UID: 0 PID: 187 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   16.014479] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.014507] Hardware name: linux,dummy-virt (DT)
[   16.014784] Call trace:
[   16.014901]  show_stack+0x20/0x38 (C)
[   16.014976]  dump_stack_lvl+0x8c/0xd0
[   16.015043]  print_report+0x118/0x5d0
[   16.015099]  kasan_report+0xdc/0x128
[   16.015227]  kasan_check_range+0x100/0x1a8
[   16.015293]  __asan_memset+0x34/0x78
[   16.015545]  kmalloc_uaf_memset+0x170/0x310
[   16.015599]  kunit_try_run_case+0x170/0x3f0
[   16.015784]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.015922]  kthread+0x328/0x630
[   16.015978]  ret_from_fork+0x10/0x20
[   16.016044] 
[   16.016139] Allocated by task 187:
[   16.016180]  kasan_save_stack+0x3c/0x68
[   16.016233]  kasan_save_track+0x20/0x40
[   16.016270]  kasan_save_alloc_info+0x40/0x58
[   16.016309]  __kasan_kmalloc+0xd4/0xd8
[   16.016852]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.016991]  kmalloc_uaf_memset+0xb8/0x310
[   16.017049]  kunit_try_run_case+0x170/0x3f0
[   16.017215]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.017291]  kthread+0x328/0x630
[   16.017353]  ret_from_fork+0x10/0x20
[   16.017390] 
[   16.017775] Freed by task 187:
[   16.017854]  kasan_save_stack+0x3c/0x68
[   16.017928]  kasan_save_track+0x20/0x40
[   16.017983]  kasan_save_free_info+0x4c/0x78
[   16.018112]  __kasan_slab_free+0x6c/0x98
[   16.018182]  kfree+0x214/0x3c8
[   16.018315]  kmalloc_uaf_memset+0x11c/0x310
[   16.018385]  kunit_try_run_case+0x170/0x3f0
[   16.018424]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.018783]  kthread+0x328/0x630
[   16.018900]  ret_from_fork+0x10/0x20
[   16.018999] 
[   16.019052] The buggy address belongs to the object at fff00000c654e700
[   16.019052]  which belongs to the cache kmalloc-64 of size 64
[   16.019212] The buggy address is located 0 bytes inside of
[   16.019212]  freed 64-byte region [fff00000c654e700, fff00000c654e740)
[   16.019300] 
[   16.019403] The buggy address belongs to the physical page:
[   16.019437] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10654e
[   16.019525] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.019884] page_type: f5(slab)
[   16.020066] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   16.020146] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   16.020294] page dumped because: kasan: bad access detected
[   16.020327] 
[   16.020346] Memory state around the buggy address:
[   16.020380]  fff00000c654e600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.020445]  fff00000c654e680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.020488] >fff00000c654e700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.020798]                    ^
[   16.020944]  fff00000c654e780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.020991]  fff00000c654e800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.021064] ==================================================================
Metadata Full log Test run details 

[   16.778021] ==================================================================
[   16.778084] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[   16.778136] Write of size 33 at addr fff00000c5ac5000 by task kunit_try_catch/187
[   16.778405] 
[   16.778447] CPU: 1 UID: 0 PID: 187 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   16.778530] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.778557] Hardware name: linux,dummy-virt (DT)
[   16.778648] Call trace:
[   16.778687]  show_stack+0x20/0x38 (C)
[   16.778738]  dump_stack_lvl+0x8c/0xd0
[   16.778785]  print_report+0x118/0x5d0
[   16.778902]  kasan_report+0xdc/0x128
[   16.778975]  kasan_check_range+0x100/0x1a8
[   16.779024]  __asan_memset+0x34/0x78
[   16.779065]  kmalloc_uaf_memset+0x170/0x310
[   16.779235]  kunit_try_run_case+0x170/0x3f0
[   16.779318]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.779373]  kthread+0x328/0x630
[   16.779462]  ret_from_fork+0x10/0x20
[   16.779529] 
[   16.779546] Allocated by task 187:
[   16.779575]  kasan_save_stack+0x3c/0x68
[   16.779615]  kasan_save_track+0x20/0x40
[   16.779651]  kasan_save_alloc_info+0x40/0x58
[   16.779692]  __kasan_kmalloc+0xd4/0xd8
[   16.779727]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.779908]  kmalloc_uaf_memset+0xb8/0x310
[   16.780003]  kunit_try_run_case+0x170/0x3f0
[   16.780080]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.780259]  kthread+0x328/0x630
[   16.780303]  ret_from_fork+0x10/0x20
[   16.780339] 
[   16.780357] Freed by task 187:
[   16.780385]  kasan_save_stack+0x3c/0x68
[   16.780429]  kasan_save_track+0x20/0x40
[   16.780478]  kasan_save_free_info+0x4c/0x78
[   16.780526]  __kasan_slab_free+0x6c/0x98
[   16.780570]  kfree+0x214/0x3c8
[   16.780602]  kmalloc_uaf_memset+0x11c/0x310
[   16.780639]  kunit_try_run_case+0x170/0x3f0
[   16.780676]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.780740]  kthread+0x328/0x630
[   16.780779]  ret_from_fork+0x10/0x20
[   16.780822] 
[   16.780840] The buggy address belongs to the object at fff00000c5ac5000
[   16.780840]  which belongs to the cache kmalloc-64 of size 64
[   16.780905] The buggy address is located 0 bytes inside of
[   16.780905]  freed 64-byte region [fff00000c5ac5000, fff00000c5ac5040)
[   16.780968] 
[   16.780989] The buggy address belongs to the physical page:
[   16.781027] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105ac5
[   16.781089] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.781146] page_type: f5(slab)
[   16.781208] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   16.781259] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   16.781300] page dumped because: kasan: bad access detected
[   16.781608] 
[   16.781678] Memory state around the buggy address:
[   16.781714]  fff00000c5ac4f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   16.781760]  fff00000c5ac4f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   16.781806] >fff00000c5ac5000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.782037]                    ^
[   16.782116]  fff00000c5ac5080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.782310]  fff00000c5ac5100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.782436] ==================================================================
Metadata Full log Test run details 

[   12.904807] ==================================================================
[   12.905199] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a3/0x360
[   12.905444] Write of size 33 at addr ffff88810342f800 by task kunit_try_catch/203
[   12.905682] 
[   12.905769] CPU: 1 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   12.905814] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.905825] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.905846] Call Trace:
[   12.905857]  <TASK>
[   12.905872]  dump_stack_lvl+0x73/0xb0
[   12.905901]  print_report+0xd1/0x610
[   12.905921]  ? __virt_addr_valid+0x1db/0x2d0
[   12.905943]  ? kmalloc_uaf_memset+0x1a3/0x360
[   12.905963]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.905984]  ? kmalloc_uaf_memset+0x1a3/0x360
[   12.906004]  kasan_report+0x141/0x180
[   12.906025]  ? kmalloc_uaf_memset+0x1a3/0x360
[   12.906049]  kasan_check_range+0x10c/0x1c0
[   12.906072]  __asan_memset+0x27/0x50
[   12.906090]  kmalloc_uaf_memset+0x1a3/0x360
[   12.906110]  ? __pfx_kmalloc_uaf_memset+0x10/0x10
[   12.906131]  ? __schedule+0x10cc/0x2b60
[   12.906152]  ? __pfx_read_tsc+0x10/0x10
[   12.906172]  ? ktime_get_ts64+0x86/0x230
[   12.906195]  kunit_try_run_case+0x1a5/0x480
[   12.906218]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.906239]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.906262]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.906285]  ? __kthread_parkme+0x82/0x180
[   12.906304]  ? preempt_count_sub+0x50/0x80
[   12.906326]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.906349]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.906373]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.906396]  kthread+0x337/0x6f0
[   12.906415]  ? trace_preempt_on+0x20/0xc0
[   12.906437]  ? __pfx_kthread+0x10/0x10
[   12.906822]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.906850]  ? calculate_sigpending+0x7b/0xa0
[   12.907097]  ? __pfx_kthread+0x10/0x10
[   12.907121]  ret_from_fork+0x116/0x1d0
[   12.907142]  ? __pfx_kthread+0x10/0x10
[   12.907163]  ret_from_fork_asm+0x1a/0x30
[   12.907194]  </TASK>
[   12.907205] 
[   12.922790] Allocated by task 203:
[   12.923154]  kasan_save_stack+0x45/0x70
[   12.923413]  kasan_save_track+0x18/0x40
[   12.923849]  kasan_save_alloc_info+0x3b/0x50
[   12.924070]  __kasan_kmalloc+0xb7/0xc0
[   12.924345]  __kmalloc_cache_noprof+0x189/0x420
[   12.924799]  kmalloc_uaf_memset+0xa9/0x360
[   12.924977]  kunit_try_run_case+0x1a5/0x480
[   12.925506]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.925809]  kthread+0x337/0x6f0
[   12.925982]  ret_from_fork+0x116/0x1d0
[   12.926143]  ret_from_fork_asm+0x1a/0x30
[   12.926334] 
[   12.926425] Freed by task 203:
[   12.926951]  kasan_save_stack+0x45/0x70
[   12.927122]  kasan_save_track+0x18/0x40
[   12.927511]  kasan_save_free_info+0x3f/0x60
[   12.927962]  __kasan_slab_free+0x56/0x70
[   12.928135]  kfree+0x222/0x3f0
[   12.928305]  kmalloc_uaf_memset+0x12b/0x360
[   12.928506]  kunit_try_run_case+0x1a5/0x480
[   12.928717]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.928961]  kthread+0x337/0x6f0
[   12.929130]  ret_from_fork+0x116/0x1d0
[   12.929295]  ret_from_fork_asm+0x1a/0x30
[   12.929938] 
[   12.930036] The buggy address belongs to the object at ffff88810342f800
[   12.930036]  which belongs to the cache kmalloc-64 of size 64
[   12.930765] The buggy address is located 0 bytes inside of
[   12.930765]  freed 64-byte region [ffff88810342f800, ffff88810342f840)
[   12.931233] 
[   12.931357] The buggy address belongs to the physical page:
[   12.932139] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10342f
[   12.932505] flags: 0x200000000000000(node=0|zone=2)
[   12.932939] page_type: f5(slab)
[   12.933080] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   12.933422] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   12.933697] page dumped because: kasan: bad access detected
[   12.933945] 
[   12.934038] Memory state around the buggy address:
[   12.934226]  ffff88810342f700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   12.934949]  ffff88810342f780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   12.935211] >ffff88810342f800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   12.935811]                    ^
[   12.935989]  ffff88810342f880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.936462]  ffff88810342f900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.936927] ==================================================================
Metadata Full log Test run details 

[   13.123295] ==================================================================
[   13.123941] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a3/0x360
[   13.124373] Write of size 33 at addr ffff888102b39d80 by task kunit_try_catch/204
[   13.124688] 
[   13.124777] CPU: 1 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   13.124819] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.124830] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.124851] Call Trace:
[   13.124862]  <TASK>
[   13.124877]  dump_stack_lvl+0x73/0xb0
[   13.124907]  print_report+0xd1/0x610
[   13.124931]  ? __virt_addr_valid+0x1db/0x2d0
[   13.124954]  ? kmalloc_uaf_memset+0x1a3/0x360
[   13.124975]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.124999]  ? kmalloc_uaf_memset+0x1a3/0x360
[   13.125021]  kasan_report+0x141/0x180
[   13.125043]  ? kmalloc_uaf_memset+0x1a3/0x360
[   13.125081]  kasan_check_range+0x10c/0x1c0
[   13.125105]  __asan_memset+0x27/0x50
[   13.125142]  kmalloc_uaf_memset+0x1a3/0x360
[   13.125164]  ? __pfx_kmalloc_uaf_memset+0x10/0x10
[   13.125187]  ? __schedule+0x10cc/0x2b60
[   13.125209]  ? __pfx_read_tsc+0x10/0x10
[   13.125231]  ? ktime_get_ts64+0x86/0x230
[   13.125255]  kunit_try_run_case+0x1a5/0x480
[   13.125279]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.125302]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.125327]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.125351]  ? __kthread_parkme+0x82/0x180
[   13.125372]  ? preempt_count_sub+0x50/0x80
[   13.125396]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.125420]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.125445]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.125470]  kthread+0x337/0x6f0
[   13.125489]  ? trace_preempt_on+0x20/0xc0
[   13.125513]  ? __pfx_kthread+0x10/0x10
[   13.125534]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.125555]  ? calculate_sigpending+0x7b/0xa0
[   13.125580]  ? __pfx_kthread+0x10/0x10
[   13.125601]  ret_from_fork+0x116/0x1d0
[   13.125620]  ? __pfx_kthread+0x10/0x10
[   13.125641]  ret_from_fork_asm+0x1a/0x30
[   13.125671]  </TASK>
[   13.125680] 
[   13.133491] Allocated by task 204:
[   13.133680]  kasan_save_stack+0x45/0x70
[   13.133884]  kasan_save_track+0x18/0x40
[   13.134093]  kasan_save_alloc_info+0x3b/0x50
[   13.134309]  __kasan_kmalloc+0xb7/0xc0
[   13.134543]  __kmalloc_cache_noprof+0x189/0x420
[   13.134706]  kmalloc_uaf_memset+0xa9/0x360
[   13.134884]  kunit_try_run_case+0x1a5/0x480
[   13.135107]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.135360]  kthread+0x337/0x6f0
[   13.135526]  ret_from_fork+0x116/0x1d0
[   13.135928]  ret_from_fork_asm+0x1a/0x30
[   13.136093] 
[   13.136226] Freed by task 204:
[   13.136383]  kasan_save_stack+0x45/0x70
[   13.136598]  kasan_save_track+0x18/0x40
[   13.136809]  kasan_save_free_info+0x3f/0x60
[   13.136964]  __kasan_slab_free+0x56/0x70
[   13.137188]  kfree+0x222/0x3f0
[   13.137355]  kmalloc_uaf_memset+0x12b/0x360
[   13.137562]  kunit_try_run_case+0x1a5/0x480
[   13.137819]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.138061]  kthread+0x337/0x6f0
[   13.138237]  ret_from_fork+0x116/0x1d0
[   13.138458]  ret_from_fork_asm+0x1a/0x30
[   13.138684] 
[   13.138788] The buggy address belongs to the object at ffff888102b39d80
[   13.138788]  which belongs to the cache kmalloc-64 of size 64
[   13.139280] The buggy address is located 0 bytes inside of
[   13.139280]  freed 64-byte region [ffff888102b39d80, ffff888102b39dc0)
[   13.139624] 
[   13.139698] The buggy address belongs to the physical page:
[   13.139940] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b39
[   13.140306] flags: 0x200000000000000(node=0|zone=2)
[   13.140723] page_type: f5(slab)
[   13.140857] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   13.141180] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   13.141481] page dumped because: kasan: bad access detected
[   13.141717] 
[   13.141817] Memory state around the buggy address:
[   13.142044]  ffff888102b39c80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.142459]  ffff888102b39d00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.142797] >ffff888102b39d80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.143066]                    ^
[   13.143357]  ffff888102b39e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.143616]  ffff888102b39e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.143960] ==================================================================
Metadata Full log Test run details