Date
July 13, 2025, 11:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 15.647154] ================================================================== [ 15.647494] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8 [ 15.647792] Read of size 1 at addr fff00000c65f8000 by task kunit_try_catch/149 [ 15.647986] [ 15.648032] CPU: 0 UID: 0 PID: 149 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 15.648122] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.648229] Hardware name: linux,dummy-virt (DT) [ 15.648361] Call trace: [ 15.648553] show_stack+0x20/0x38 (C) [ 15.648640] dump_stack_lvl+0x8c/0xd0 [ 15.648767] print_report+0x118/0x5d0 [ 15.648841] kasan_report+0xdc/0x128 [ 15.648988] __asan_report_load1_noabort+0x20/0x30 [ 15.649097] kmalloc_large_uaf+0x2cc/0x2f8 [ 15.649226] kunit_try_run_case+0x170/0x3f0 [ 15.649313] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 15.649381] kthread+0x328/0x630 [ 15.649702] ret_from_fork+0x10/0x20 [ 15.649804] [ 15.649900] The buggy address belongs to the physical page: [ 15.649980] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065f8 [ 15.650059] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 15.650238] raw: 0bfffe0000000000 fff00000da456c40 fff00000da456c40 0000000000000000 [ 15.650310] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 15.650635] page dumped because: kasan: bad access detected [ 15.650689] [ 15.650724] Memory state around the buggy address: [ 15.650905] fff00000c65f7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.651738] fff00000c65f7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 15.651991] >fff00000c65f8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.652780] ^ [ 15.652857] fff00000c65f8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.652921] fff00000c65f8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.653434] ==================================================================
[ 16.514917] ================================================================== [ 16.514982] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8 [ 16.515031] Read of size 1 at addr fff00000c782c000 by task kunit_try_catch/149 [ 16.515080] [ 16.515113] CPU: 1 UID: 0 PID: 149 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 16.515211] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.515237] Hardware name: linux,dummy-virt (DT) [ 16.515513] Call trace: [ 16.515548] show_stack+0x20/0x38 (C) [ 16.515598] dump_stack_lvl+0x8c/0xd0 [ 16.515643] print_report+0x118/0x5d0 [ 16.515687] kasan_report+0xdc/0x128 [ 16.515730] __asan_report_load1_noabort+0x20/0x30 [ 16.515778] kmalloc_large_uaf+0x2cc/0x2f8 [ 16.515821] kunit_try_run_case+0x170/0x3f0 [ 16.515866] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.515917] kthread+0x328/0x630 [ 16.515956] ret_from_fork+0x10/0x20 [ 16.516001] [ 16.516020] The buggy address belongs to the physical page: [ 16.516049] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10782c [ 16.516102] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.516162] raw: 0bfffe0000000000 ffffc1ffc31e0c08 fff00000da479c40 0000000000000000 [ 16.516275] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 16.516314] page dumped because: kasan: bad access detected [ 16.516344] [ 16.516361] Memory state around the buggy address: [ 16.516392] fff00000c782bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 16.516434] fff00000c782bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 16.516476] >fff00000c782c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 16.516729] ^ [ 16.516764] fff00000c782c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 16.516848] fff00000c782c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 16.516886] ==================================================================
[ 12.054973] ================================================================== [ 12.055618] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f1/0x340 [ 12.056028] Read of size 1 at addr ffff888103a08000 by task kunit_try_catch/165 [ 12.056345] [ 12.056910] CPU: 0 UID: 0 PID: 165 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 12.056959] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.056970] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.056991] Call Trace: [ 12.057003] <TASK> [ 12.057016] dump_stack_lvl+0x73/0xb0 [ 12.057046] print_report+0xd1/0x610 [ 12.057068] ? __virt_addr_valid+0x1db/0x2d0 [ 12.057090] ? kmalloc_large_uaf+0x2f1/0x340 [ 12.057110] ? kasan_addr_to_slab+0x11/0xa0 [ 12.057131] ? kmalloc_large_uaf+0x2f1/0x340 [ 12.057152] kasan_report+0x141/0x180 [ 12.057173] ? kmalloc_large_uaf+0x2f1/0x340 [ 12.057199] __asan_report_load1_noabort+0x18/0x20 [ 12.057224] kmalloc_large_uaf+0x2f1/0x340 [ 12.057244] ? __pfx_kmalloc_large_uaf+0x10/0x10 [ 12.057267] ? __schedule+0x10cc/0x2b60 [ 12.057289] ? __pfx_read_tsc+0x10/0x10 [ 12.057310] ? ktime_get_ts64+0x86/0x230 [ 12.057334] kunit_try_run_case+0x1a5/0x480 [ 12.057359] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.057382] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.057425] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.057463] ? __kthread_parkme+0x82/0x180 [ 12.057483] ? preempt_count_sub+0x50/0x80 [ 12.057507] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.057531] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.057556] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.057581] kthread+0x337/0x6f0 [ 12.057600] ? trace_preempt_on+0x20/0xc0 [ 12.057623] ? __pfx_kthread+0x10/0x10 [ 12.057643] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.057665] ? calculate_sigpending+0x7b/0xa0 [ 12.057689] ? __pfx_kthread+0x10/0x10 [ 12.057711] ret_from_fork+0x116/0x1d0 [ 12.057730] ? __pfx_kthread+0x10/0x10 [ 12.057750] ret_from_fork_asm+0x1a/0x30 [ 12.057780] </TASK> [ 12.057790] [ 12.067884] The buggy address belongs to the physical page: [ 12.068233] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103a08 [ 12.068722] flags: 0x200000000000000(node=0|zone=2) [ 12.068978] raw: 0200000000000000 ffffea00040e8308 ffff88815b039f80 0000000000000000 [ 12.069325] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 12.069901] page dumped because: kasan: bad access detected [ 12.070235] [ 12.070459] Memory state around the buggy address: [ 12.070750] ffff888103a07f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 12.071155] ffff888103a07f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 12.071594] >ffff888103a08000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 12.072014] ^ [ 12.072262] ffff888103a08080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 12.072703] ffff888103a08100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 12.073069] ==================================================================
[ 12.302247] ================================================================== [ 12.302743] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f1/0x340 [ 12.303793] Read of size 1 at addr ffff8881027e8000 by task kunit_try_catch/166 [ 12.304491] [ 12.304588] CPU: 1 UID: 0 PID: 166 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 12.305137] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.305157] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.305189] Call Trace: [ 12.305202] <TASK> [ 12.305218] dump_stack_lvl+0x73/0xb0 [ 12.305251] print_report+0xd1/0x610 [ 12.305275] ? __virt_addr_valid+0x1db/0x2d0 [ 12.305299] ? kmalloc_large_uaf+0x2f1/0x340 [ 12.305319] ? kasan_addr_to_slab+0x11/0xa0 [ 12.305340] ? kmalloc_large_uaf+0x2f1/0x340 [ 12.305361] kasan_report+0x141/0x180 [ 12.305383] ? kmalloc_large_uaf+0x2f1/0x340 [ 12.305408] __asan_report_load1_noabort+0x18/0x20 [ 12.305433] kmalloc_large_uaf+0x2f1/0x340 [ 12.305454] ? __pfx_kmalloc_large_uaf+0x10/0x10 [ 12.305476] ? __schedule+0x10cc/0x2b60 [ 12.305498] ? __pfx_read_tsc+0x10/0x10 [ 12.305520] ? ktime_get_ts64+0x86/0x230 [ 12.305544] kunit_try_run_case+0x1a5/0x480 [ 12.305570] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.305593] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.305617] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.305641] ? __kthread_parkme+0x82/0x180 [ 12.305731] ? preempt_count_sub+0x50/0x80 [ 12.305755] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.305780] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.305805] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.305830] kthread+0x337/0x6f0 [ 12.305850] ? trace_preempt_on+0x20/0xc0 [ 12.305874] ? __pfx_kthread+0x10/0x10 [ 12.305894] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.305916] ? calculate_sigpending+0x7b/0xa0 [ 12.305940] ? __pfx_kthread+0x10/0x10 [ 12.305962] ret_from_fork+0x116/0x1d0 [ 12.305981] ? __pfx_kthread+0x10/0x10 [ 12.306001] ret_from_fork_asm+0x1a/0x30 [ 12.306031] </TASK> [ 12.306042] [ 12.321246] The buggy address belongs to the physical page: [ 12.321807] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1027e8 [ 12.322367] flags: 0x200000000000000(node=0|zone=2) [ 12.322546] raw: 0200000000000000 ffffea000409fb08 ffff888154739f80 0000000000000000 [ 12.323225] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 12.324213] page dumped because: kasan: bad access detected [ 12.325091] [ 12.325205] Memory state around the buggy address: [ 12.325363] ffff8881027e7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.325581] ffff8881027e7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.326317] >ffff8881027e8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 12.327215] ^ [ 12.327597] ffff8881027e8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 12.328404] ffff8881027e8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 12.329072] ==================================================================