Date
July 20, 2025, 11:12 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
```
[ 16.712354] ==================================================================
[ 16.712431] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[ 16.712487] Read of size 1 at addr fff00000c59ab968 by task kunit_try_catch/184
[ 16.712537]
[ 16.712571] CPU: 1 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT
[ 16.712654] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.712689] Hardware name: linux,dummy-virt (DT)
[ 16.712722] Call trace:
[ 16.712744] show_stack+0x20/0x38 (C)
[ 16.712800] dump_stack_lvl+0x8c/0xd0
[ 16.712849] print_report+0x118/0x5d0
[ 16.712895] kasan_report+0xdc/0x128
[ 16.712952] __asan_report_load1_noabort+0x20/0x30
[ 16.713003] kmalloc_uaf+0x300/0x338
[ 16.713053] kunit_try_run_case+0x170/0x3f0
[ 16.713101] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.713153] kthread+0x328/0x630
[ 16.713194] ret_from_fork+0x10/0x20
[ 16.713241]
[ 16.713265] Allocated by task 184:
[ 16.713302] kasan_save_stack+0x3c/0x68
[ 16.713342] kasan_save_track+0x20/0x40
[ 16.713381] kasan_save_alloc_info+0x40/0x58
[ 16.713420] __kasan_kmalloc+0xd4/0xd8
[ 16.713457] __kmalloc_cache_noprof+0x16c/0x3c0
[ 16.713513] kmalloc_uaf+0xb8/0x338
[ 16.713554] kunit_try_run_case+0x170/0x3f0
[ 16.713591] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.713634] kthread+0x328/0x630
[ 16.713666] ret_from_fork+0x10/0x20
[ 16.713703]
[ 16.713722] Freed by task 184:
[ 16.713746] kasan_save_stack+0x3c/0x68
[ 16.713782] kasan_save_track+0x20/0x40
[ 16.713819] kasan_save_free_info+0x4c/0x78
[ 16.714393] __kasan_slab_free+0x6c/0x98
[ 16.714479] kfree+0x214/0x3c8
[ 16.714761] kmalloc_uaf+0x11c/0x338
[ 16.714845] kunit_try_run_case+0x170/0x3f0
[ 16.715534] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.715693] kthread+0x328/0x630
[ 16.715999] ret_from_fork+0x10/0x20
[ 16.716046]
[ 16.716067] The buggy address belongs to the object at fff00000c59ab960
[ 16.716067] which belongs to the cache kmalloc-16 of size 16
[ 16.716558] The buggy address is located 8 bytes inside of
[ 16.716558] freed 16-byte region [fff00000c59ab960, fff00000c59ab970)
[ 16.716630]
[ 16.716653] The buggy address belongs to the physical page:
[ 16.717174] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059ab
[ 16.717512] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 16.717617] page_type: f5(slab)
[ 16.717694] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 16.717774] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 16.717946] page dumped because: kasan: bad access detected
[ 16.717987]
[ 16.718005] Memory state around the buggy address:
[ 16.718258] fff00000c59ab800: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 16.718368] fff00000c59ab880: fa fb fc fc 00 04 fc fc fa fb fc fc fa fb fc fc
[ 16.718454] >fff00000c59ab900: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 16.718547] ^
[ 16.718756] fff00000c59ab980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.718840] fff00000c59aba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.718998] ==================================================================
```
```
[ 16.687552] ==================================================================
[ 16.687640] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[ 16.687839] Read of size 1 at addr fff00000c1375b88 by task kunit_try_catch/184
[ 16.687936]
[ 16.688087] CPU: 1 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT
[ 16.688234] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.688292] Hardware name: linux,dummy-virt (DT)
[ 16.688361] Call trace:
[ 16.688438] show_stack+0x20/0x38 (C)
[ 16.688494] dump_stack_lvl+0x8c/0xd0
[ 16.688549] print_report+0x118/0x5d0
[ 16.688602] kasan_report+0xdc/0x128
[ 16.688657] __asan_report_load1_noabort+0x20/0x30
[ 16.688709] kmalloc_uaf+0x300/0x338
[ 16.688964] kunit_try_run_case+0x170/0x3f0
[ 16.689184] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.689270] kthread+0x328/0x630
[ 16.689434] ret_from_fork+0x10/0x20
[ 16.689487]
[ 16.689601] Allocated by task 184:
[ 16.689880] kasan_save_stack+0x3c/0x68
[ 16.689939] kasan_save_track+0x20/0x40
[ 16.689980] kasan_save_alloc_info+0x40/0x58
[ 16.690031] __kasan_kmalloc+0xd4/0xd8
[ 16.690070] __kmalloc_cache_noprof+0x16c/0x3c0
[ 16.690109] kmalloc_uaf+0xb8/0x338
[ 16.690144] kunit_try_run_case+0x170/0x3f0
[ 16.690181] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.690226] kthread+0x328/0x630
[ 16.690260] ret_from_fork+0x10/0x20
[ 16.690297]
[ 16.690317] Freed by task 184:
[ 16.690343] kasan_save_stack+0x3c/0x68
[ 16.690392] kasan_save_track+0x20/0x40
[ 16.690429] kasan_save_free_info+0x4c/0x78
[ 16.690469] __kasan_slab_free+0x6c/0x98
[ 16.690517] kfree+0x214/0x3c8
[ 16.690549] kmalloc_uaf+0x11c/0x338
[ 16.690585] kunit_try_run_case+0x170/0x3f0
[ 16.690644] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.690689] kthread+0x328/0x630
[ 16.690732] ret_from_fork+0x10/0x20
[ 16.690769]
[ 16.690796] The buggy address belongs to the object at fff00000c1375b80
[ 16.690796] which belongs to the cache kmalloc-16 of size 16
[ 16.690876] The buggy address is located 8 bytes inside of
[ 16.690876] freed 16-byte region [fff00000c1375b80, fff00000c1375b90)
[ 16.690943]
[ 16.690966] The buggy address belongs to the physical page:
[ 16.690998] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101375
[ 16.691059] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 16.691110] page_type: f5(slab)
[ 16.691159] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 16.691209] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 16.691251] page dumped because: kasan: bad access detected
[ 16.691283]
[ 16.691301] Memory state around the buggy address:
[ 16.691351] fff00000c1375a80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 16.691396] fff00000c1375b00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 16.691441] >fff00000c1375b80: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.691490] ^
[ 16.691538] fff00000c1375c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.691586] fff00000c1375c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.692032] ==================================================================
```
```
[ 12.882669] ==================================================================
[ 12.883205] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[ 12.883601] Read of size 1 at addr ffff888101b1cbe8 by task kunit_try_catch/202
[ 12.883935]
[ 12.884033] CPU: 1 UID: 0 PID: 202 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary)
[ 12.884077] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.884089] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.884110] Call Trace:
[ 12.884123] <TASK>
[ 12.884138] dump_stack_lvl+0x73/0xb0
[ 12.884227] print_report+0xd1/0x610
[ 12.884252] ? __virt_addr_valid+0x1db/0x2d0
[ 12.884274] ? kmalloc_uaf+0x320/0x380
[ 12.884293] ? kasan_complete_mode_report_info+0x64/0x200
[ 12.884315] ? kmalloc_uaf+0x320/0x380
[ 12.884335] kasan_report+0x141/0x180
[ 12.884357] ? kmalloc_uaf+0x320/0x380
[ 12.884382] __asan_report_load1_noabort+0x18/0x20
[ 12.884418] kmalloc_uaf+0x320/0x380
[ 12.884437] ? __pfx_kmalloc_uaf+0x10/0x10
[ 12.884458] ? __schedule+0x10c6/0x2b60
[ 12.884480] ? __pfx_read_tsc+0x10/0x10
[ 12.884501] ? ktime_get_ts64+0x86/0x230
[ 12.884528] kunit_try_run_case+0x1a5/0x480
[ 12.884552] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.884574] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.884598] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.884621] ? __kthread_parkme+0x82/0x180
[ 12.884641] ? preempt_count_sub+0x50/0x80
[ 12.884665] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.884698] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.884721] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.884745] kthread+0x337/0x6f0
[ 12.884764] ? trace_preempt_on+0x20/0xc0
[ 12.884787] ? __pfx_kthread+0x10/0x10
[ 12.884808] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.884829] ? calculate_sigpending+0x7b/0xa0
[ 12.884852] ? __pfx_kthread+0x10/0x10
[ 12.884874] ret_from_fork+0x116/0x1d0
[ 12.884892] ? __pfx_kthread+0x10/0x10
[ 12.884912] ret_from_fork_asm+0x1a/0x30
[ 12.884944] </TASK>
[ 12.884954]
[ 12.892948] Allocated by task 202:
[ 12.893128] kasan_save_stack+0x45/0x70
[ 12.893319] kasan_save_track+0x18/0x40
[ 12.893543] kasan_save_alloc_info+0x3b/0x50
[ 12.893748] __kasan_kmalloc+0xb7/0xc0
[ 12.893906] __kmalloc_cache_noprof+0x189/0x420
[ 12.894061] kmalloc_uaf+0xaa/0x380
[ 12.894183] kunit_try_run_case+0x1a5/0x480
[ 12.894553] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.894861] kthread+0x337/0x6f0
[ 12.895069] ret_from_fork+0x116/0x1d0
[ 12.895280] ret_from_fork_asm+0x1a/0x30
[ 12.895580]
[ 12.895676] Freed by task 202:
[ 12.895825] kasan_save_stack+0x45/0x70
[ 12.896093] kasan_save_track+0x18/0x40
[ 12.896264] kasan_save_free_info+0x3f/0x60
[ 12.896420] __kasan_slab_free+0x56/0x70
[ 12.896557] kfree+0x222/0x3f0
[ 12.896690] kmalloc_uaf+0x12c/0x380
[ 12.896868] kunit_try_run_case+0x1a5/0x480
[ 12.897070] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.897612] kthread+0x337/0x6f0
[ 12.897788] ret_from_fork+0x116/0x1d0
[ 12.897943] ret_from_fork_asm+0x1a/0x30
[ 12.898243]
[ 12.898358] The buggy address belongs to the object at ffff888101b1cbe0
[ 12.898358] which belongs to the cache kmalloc-16 of size 16
[ 12.899002] The buggy address is located 8 bytes inside of
[ 12.899002] freed 16-byte region [ffff888101b1cbe0, ffff888101b1cbf0)
[ 12.899607]
[ 12.899712] The buggy address belongs to the physical page:
[ 12.899965] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101b1c
[ 12.900370] flags: 0x200000000000000(node=0|zone=2)
[ 12.900625] page_type: f5(slab)
[ 12.900820] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 12.901153] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 12.901502] page dumped because: kasan: bad access detected
[ 12.901956]
[ 12.902206] Memory state around the buggy address:
[ 12.902379] ffff888101b1ca80: fa fb fc fc 00 02 fc fc 00 05 fc fc 00 02 fc fc
[ 12.902632] ffff888101b1cb00: 00 02 fc fc 00 02 fc fc 00 02 fc fc fa fb fc fc
[ 12.902958] >ffff888101b1cb80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 12.903483] ^
[ 12.903929] ffff888101b1cc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.904322] ffff888101b1cc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.904738] ==================================================================
```
```
[ 13.030332] ==================================================================
[ 13.031766] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[ 13.032538] Read of size 1 at addr ffff8881023973a8 by task kunit_try_catch/201
[ 13.033537]
[ 13.033876] CPU: 0 UID: 0 PID: 201 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary)
[ 13.033929] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.033941] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.033965] Call Trace:
[ 13.033981] <TASK>
[ 13.033999] dump_stack_lvl+0x73/0xb0
[ 13.034162] print_report+0xd1/0x610
[ 13.034185] ? __virt_addr_valid+0x1db/0x2d0
[ 13.034210] ? kmalloc_uaf+0x320/0x380
[ 13.034228] ? kasan_complete_mode_report_info+0x64/0x200
[ 13.034250] ? kmalloc_uaf+0x320/0x380
[ 13.034269] kasan_report+0x141/0x180
[ 13.034290] ? kmalloc_uaf+0x320/0x380
[ 13.034319] __asan_report_load1_noabort+0x18/0x20
[ 13.034342] kmalloc_uaf+0x320/0x380
[ 13.034361] ? __pfx_kmalloc_uaf+0x10/0x10
[ 13.034381] ? __schedule+0x10c6/0x2b60
[ 13.034403] ? __pfx_read_tsc+0x10/0x10
[ 13.034424] ? ktime_get_ts64+0x86/0x230
[ 13.034447] kunit_try_run_case+0x1a5/0x480
[ 13.034472] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.034493] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.034517] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.034539] ? __kthread_parkme+0x82/0x180
[ 13.034559] ? preempt_count_sub+0x50/0x80
[ 13.034583] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.034606] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.034628] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.034650] kthread+0x337/0x6f0
[ 13.034669] ? trace_preempt_on+0x20/0xc0
[ 13.034692] ? __pfx_kthread+0x10/0x10
[ 13.034712] ? _raw_spin_unlock_irq+0x47/0x80
[ 13.034733] ? calculate_sigpending+0x7b/0xa0
[ 13.034756] ? __pfx_kthread+0x10/0x10
[ 13.034776] ret_from_fork+0x116/0x1d0
[ 13.034794] ? __pfx_kthread+0x10/0x10
[ 13.034814] ret_from_fork_asm+0x1a/0x30
[ 13.034844] </TASK>
[ 13.034854]
[ 13.047180] Allocated by task 201:
[ 13.047598] kasan_save_stack+0x45/0x70
[ 13.047979] kasan_save_track+0x18/0x40
[ 13.048284] kasan_save_alloc_info+0x3b/0x50
[ 13.048470] __kasan_kmalloc+0xb7/0xc0
[ 13.048661] __kmalloc_cache_noprof+0x189/0x420
[ 13.048883] kmalloc_uaf+0xaa/0x380
[ 13.049051] kunit_try_run_case+0x1a5/0x480
[ 13.049543] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.049733] kthread+0x337/0x6f0
[ 13.050043] ret_from_fork+0x116/0x1d0
[ 13.050221] ret_from_fork_asm+0x1a/0x30
[ 13.050961]
[ 13.051067] Freed by task 201:
[ 13.051504] kasan_save_stack+0x45/0x70
[ 13.051825] kasan_save_track+0x18/0x40
[ 13.052220] kasan_save_free_info+0x3f/0x60
[ 13.052580] __kasan_slab_free+0x56/0x70
[ 13.053060] kfree+0x222/0x3f0
[ 13.053243] kmalloc_uaf+0x12c/0x380
[ 13.053625] kunit_try_run_case+0x1a5/0x480
[ 13.054027] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.054281] kthread+0x337/0x6f0
[ 13.054442] ret_from_fork+0x116/0x1d0
[ 13.054621] ret_from_fork_asm+0x1a/0x30
[ 13.054811]
[ 13.054901] The buggy address belongs to the object at ffff8881023973a0
[ 13.054901] which belongs to the cache kmalloc-16 of size 16
[ 13.056158] The buggy address is located 8 bytes inside of
[ 13.056158] freed 16-byte region [ffff8881023973a0, ffff8881023973b0)
[ 13.057045]
[ 13.057163] The buggy address belongs to the physical page:
[ 13.057400] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102397
[ 13.058036] flags: 0x200000000000000(node=0|zone=2)
[ 13.058331] page_type: f5(slab)
[ 13.058586] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 13.058937] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 13.059229] page dumped because: kasan: bad access detected
[ 13.059491]
[ 13.059578] Memory state around the buggy address:
[ 13.059794] ffff888102397280: 00 02 fc fc 00 02 fc fc 00 06 fc fc 00 06 fc fc
[ 13.060524] ffff888102397300: fa fb fc fc fa fb fc fc fa fb fc fc 00 05 fc fc
[ 13.060753] >ffff888102397380: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[ 13.061597] ^
[ 13.062068] ffff888102397400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.062735] ffff888102397480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.063134] ==================================================================
```