Hay
Date: July 20, 2025, 11:12 p.m.

Environment: qemu-arm64, qemu-x86_64

[   16.752323] ==================================================================
[   16.752396] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[   16.752779] Read of size 1 at addr fff00000c78098a8 by task kunit_try_catch/188
[   16.752886] 
[   16.752940] CPU: 1 UID: 0 PID: 188 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7 #1 PREEMPT 
[   16.753312] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.753408] Hardware name: linux,dummy-virt (DT)
[   16.753486] Call trace:
[   16.753510]  show_stack+0x20/0x38 (C)
[   16.753573]  dump_stack_lvl+0x8c/0xd0
[   16.753620]  print_report+0x118/0x5d0
[   16.753921]  kasan_report+0xdc/0x128
[   16.754175]  __asan_report_load1_noabort+0x20/0x30
[   16.754258]  kmalloc_uaf2+0x3f4/0x468
[   16.754305]  kunit_try_run_case+0x170/0x3f0
[   16.754352]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.754634]  kthread+0x328/0x630
[   16.754847]  ret_from_fork+0x10/0x20
[   16.755270] 
[   16.755378] Allocated by task 188:
[   16.755413]  kasan_save_stack+0x3c/0x68
[   16.755670]  kasan_save_track+0x20/0x40
[   16.756153]  kasan_save_alloc_info+0x40/0x58
[   16.756217]  __kasan_kmalloc+0xd4/0xd8
[   16.756256]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.756615]  kmalloc_uaf2+0xc4/0x468
[   16.756748]  kunit_try_run_case+0x170/0x3f0
[   16.757111]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.757306]  kthread+0x328/0x630
[   16.757342]  ret_from_fork+0x10/0x20
[   16.757507] 
[   16.757707] Freed by task 188:
[   16.757758]  kasan_save_stack+0x3c/0x68
[   16.757995]  kasan_save_track+0x20/0x40
[   16.758241]  kasan_save_free_info+0x4c/0x78
[   16.758335]  __kasan_slab_free+0x6c/0x98
[   16.758388]  kfree+0x214/0x3c8
[   16.758438]  kmalloc_uaf2+0x134/0x468
[   16.758474]  kunit_try_run_case+0x170/0x3f0
[   16.758520]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.758564]  kthread+0x328/0x630
[   16.758597]  ret_from_fork+0x10/0x20
[   16.758641] 
[   16.758694] The buggy address belongs to the object at fff00000c7809880
[   16.758694]  which belongs to the cache kmalloc-64 of size 64
[   16.758758] The buggy address is located 40 bytes inside of
[   16.758758]  freed 64-byte region [fff00000c7809880, fff00000c78098c0)
[   16.758821] 
[   16.758854] The buggy address belongs to the physical page:
[   16.758887] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107809
[   16.758954] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.759006] page_type: f5(slab)
[   16.759055] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   16.759107] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   16.759167] page dumped because: kasan: bad access detected
[   16.759199] 
[   16.759222] Memory state around the buggy address:
[   16.759269]  fff00000c7809780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.759337]  fff00000c7809800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.759403] >fff00000c7809880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.759444]                                   ^
[   16.759475]  fff00000c7809900: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   16.759543]  fff00000c7809980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.759593] ==================================================================

[   16.730652] ==================================================================
[   16.730716] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[   16.731190] Read of size 1 at addr fff00000c6a205a8 by task kunit_try_catch/188
[   16.731589] 
[   16.731950] CPU: 1 UID: 0 PID: 188 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7 #1 PREEMPT 
[   16.732189] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.732223] Hardware name: linux,dummy-virt (DT)
[   16.732398] Call trace:
[   16.732436]  show_stack+0x20/0x38 (C)
[   16.732490]  dump_stack_lvl+0x8c/0xd0
[   16.732540]  print_report+0x118/0x5d0
[   16.732585]  kasan_report+0xdc/0x128
[   16.732645]  __asan_report_load1_noabort+0x20/0x30
[   16.732706]  kmalloc_uaf2+0x3f4/0x468
[   16.732756]  kunit_try_run_case+0x170/0x3f0
[   16.732809]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.732870]  kthread+0x328/0x630
[   16.732918]  ret_from_fork+0x10/0x20
[   16.733392] 
[   16.734197] Allocated by task 188:
[   16.735113]  kasan_save_stack+0x3c/0x68
[   16.735229]  kasan_save_track+0x20/0x40
[   16.735327]  kasan_save_alloc_info+0x40/0x58
[   16.735807]  __kasan_kmalloc+0xd4/0xd8
[   16.736014]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.736184]  kmalloc_uaf2+0xc4/0x468
[   16.736593]  kunit_try_run_case+0x170/0x3f0
[   16.736694]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.737110]  kthread+0x328/0x630
[   16.737329]  ret_from_fork+0x10/0x20
[   16.737404] 
[   16.737563] Freed by task 188:
[   16.737865]  kasan_save_stack+0x3c/0x68
[   16.738072]  kasan_save_track+0x20/0x40
[   16.738240]  kasan_save_free_info+0x4c/0x78
[   16.738344]  __kasan_slab_free+0x6c/0x98
[   16.738390]  kfree+0x214/0x3c8
[   16.738425]  kmalloc_uaf2+0x134/0x468
[   16.738461]  kunit_try_run_case+0x170/0x3f0
[   16.738501]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.738745]  kthread+0x328/0x630
[   16.738898]  ret_from_fork+0x10/0x20
[   16.739073] 
[   16.739143] The buggy address belongs to the object at fff00000c6a20580
[   16.739143]  which belongs to the cache kmalloc-64 of size 64
[   16.739478] The buggy address is located 40 bytes inside of
[   16.739478]  freed 64-byte region [fff00000c6a20580, fff00000c6a205c0)
[   16.739812] 
[   16.739903] The buggy address belongs to the physical page:
[   16.739974] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106a20
[   16.740081] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.740299] page_type: f5(slab)
[   16.740383] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   16.740833] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   16.740895] page dumped because: kasan: bad access detected
[   16.741002] 
[   16.741072] Memory state around the buggy address:
[   16.741118]  fff00000c6a20480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.741367]  fff00000c6a20500: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.741537] >fff00000c6a20580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.741580]                                   ^
[   16.741697]  fff00000c6a20600: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   16.741744]  fff00000c6a20680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.741792] ==================================================================

[   12.952036] ==================================================================
[   12.952945] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4a8/0x520
[   12.954113] Read of size 1 at addr ffff888103144fa8 by task kunit_try_catch/206
[   12.954906] 
[   12.955022] CPU: 0 UID: 0 PID: 206 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7 #1 PREEMPT(voluntary) 
[   12.955074] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.955087] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.955111] Call Trace:
[   12.955124]  <TASK>
[   12.955143]  dump_stack_lvl+0x73/0xb0
[   12.955177]  print_report+0xd1/0x610
[   12.955199]  ? __virt_addr_valid+0x1db/0x2d0
[   12.955224]  ? kmalloc_uaf2+0x4a8/0x520
[   12.955244]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.955265]  ? kmalloc_uaf2+0x4a8/0x520
[   12.955286]  kasan_report+0x141/0x180
[   12.955308]  ? kmalloc_uaf2+0x4a8/0x520
[   12.955333]  __asan_report_load1_noabort+0x18/0x20
[   12.955357]  kmalloc_uaf2+0x4a8/0x520
[   12.955376]  ? __pfx_kmalloc_uaf2+0x10/0x10
[   12.955405]  ? finish_task_switch.isra.0+0x153/0x700
[   12.955428]  ? __switch_to+0x47/0xf50
[   12.955456]  ? __schedule+0x10c6/0x2b60
[   12.955478]  ? __pfx_read_tsc+0x10/0x10
[   12.955499]  ? ktime_get_ts64+0x86/0x230
[   12.955526]  kunit_try_run_case+0x1a5/0x480
[   12.955552]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.955575]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.955598]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.955621]  ? __kthread_parkme+0x82/0x180
[   12.955641]  ? preempt_count_sub+0x50/0x80
[   12.955665]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.955688]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.955711]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.955734]  kthread+0x337/0x6f0
[   12.955753]  ? trace_preempt_on+0x20/0xc0
[   12.955778]  ? __pfx_kthread+0x10/0x10
[   12.956136]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.956165]  ? calculate_sigpending+0x7b/0xa0
[   12.956192]  ? __pfx_kthread+0x10/0x10
[   12.956214]  ret_from_fork+0x116/0x1d0
[   12.956233]  ? __pfx_kthread+0x10/0x10
[   12.956254]  ret_from_fork_asm+0x1a/0x30
[   12.956287]  </TASK>
[   12.956300] 
[   12.969032] Allocated by task 206:
[   12.969175]  kasan_save_stack+0x45/0x70
[   12.969325]  kasan_save_track+0x18/0x40
[   12.969497]  kasan_save_alloc_info+0x3b/0x50
[   12.969677]  __kasan_kmalloc+0xb7/0xc0
[   12.969813]  __kmalloc_cache_noprof+0x189/0x420
[   12.969974]  kmalloc_uaf2+0xc6/0x520
[   12.970104]  kunit_try_run_case+0x1a5/0x480
[   12.970321]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.970823]  kthread+0x337/0x6f0
[   12.971249]  ret_from_fork+0x116/0x1d0
[   12.971413]  ret_from_fork_asm+0x1a/0x30
[   12.972287] 
[   12.972369] Freed by task 206:
[   12.973018]  kasan_save_stack+0x45/0x70
[   12.973260]  kasan_save_track+0x18/0x40
[   12.973638]  kasan_save_free_info+0x3f/0x60
[   12.973834]  __kasan_slab_free+0x56/0x70
[   12.974216]  kfree+0x222/0x3f0
[   12.974414]  kmalloc_uaf2+0x14c/0x520
[   12.974817]  kunit_try_run_case+0x1a5/0x480
[   12.975136]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.975383]  kthread+0x337/0x6f0
[   12.975731]  ret_from_fork+0x116/0x1d0
[   12.975931]  ret_from_fork_asm+0x1a/0x30
[   12.976228] 
[   12.976337] The buggy address belongs to the object at ffff888103144f80
[   12.976337]  which belongs to the cache kmalloc-64 of size 64
[   12.977027] The buggy address is located 40 bytes inside of
[   12.977027]  freed 64-byte region [ffff888103144f80, ffff888103144fc0)
[   12.977738] 
[   12.977997] The buggy address belongs to the physical page:
[   12.978229] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103144
[   12.978721] flags: 0x200000000000000(node=0|zone=2)
[   12.979020] page_type: f5(slab)
[   12.979220] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   12.979755] raw: 0000000000000000 0000000000200020 00000000f5000000 0000000000000000
[   12.980222] page dumped because: kasan: bad access detected
[   12.980468] 
[   12.980568] Memory state around the buggy address:
[   12.980993]  ffff888103144e80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   12.981468]  ffff888103144f00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   12.982033] >ffff888103144f80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   12.982617]                                   ^
[   12.982832]  ffff888103145000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.983433]  ffff888103145080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   12.983874] ==================================================================

[   13.098454] ==================================================================
[   13.099571] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4a8/0x520
[   13.100170] Read of size 1 at addr ffff888102a52328 by task kunit_try_catch/205
[   13.100896] 
[   13.101207] CPU: 0 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7 #1 PREEMPT(voluntary) 
[   13.101259] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.101272] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.101293] Call Trace:
[   13.101307]  <TASK>
[   13.101323]  dump_stack_lvl+0x73/0xb0
[   13.101357]  print_report+0xd1/0x610
[   13.101380]  ? __virt_addr_valid+0x1db/0x2d0
[   13.101403]  ? kmalloc_uaf2+0x4a8/0x520
[   13.101422]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.101443]  ? kmalloc_uaf2+0x4a8/0x520
[   13.101463]  kasan_report+0x141/0x180
[   13.101483]  ? kmalloc_uaf2+0x4a8/0x520
[   13.101507]  __asan_report_load1_noabort+0x18/0x20
[   13.101529]  kmalloc_uaf2+0x4a8/0x520
[   13.101549]  ? __pfx_kmalloc_uaf2+0x10/0x10
[   13.101567]  ? finish_task_switch.isra.0+0x153/0x700
[   13.101589]  ? __switch_to+0x47/0xf50
[   13.101615]  ? __schedule+0x10c6/0x2b60
[   13.101637]  ? __pfx_read_tsc+0x10/0x10
[   13.101657]  ? ktime_get_ts64+0x86/0x230
[   13.101680]  kunit_try_run_case+0x1a5/0x480
[   13.101705]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.101726]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.101749]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.101771]  ? __kthread_parkme+0x82/0x180
[   13.101791]  ? preempt_count_sub+0x50/0x80
[   13.101814]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.101837]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.101984]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.102008]  kthread+0x337/0x6f0
[   13.102028]  ? trace_preempt_on+0x20/0xc0
[   13.102051]  ? __pfx_kthread+0x10/0x10
[   13.102071]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.102091]  ? calculate_sigpending+0x7b/0xa0
[   13.102166]  ? __pfx_kthread+0x10/0x10
[   13.102188]  ret_from_fork+0x116/0x1d0
[   13.102206]  ? __pfx_kthread+0x10/0x10
[   13.102225]  ret_from_fork_asm+0x1a/0x30
[   13.102257]  </TASK>
[   13.102268] 
[   13.112537] Allocated by task 205:
[   13.112806]  kasan_save_stack+0x45/0x70
[   13.113162]  kasan_save_track+0x18/0x40
[   13.113973]  kasan_save_alloc_info+0x3b/0x50
[   13.114334]  __kasan_kmalloc+0xb7/0xc0
[   13.114574]  __kmalloc_cache_noprof+0x189/0x420
[   13.114962]  kmalloc_uaf2+0xc6/0x520
[   13.115271]  kunit_try_run_case+0x1a5/0x480
[   13.115561]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.115797]  kthread+0x337/0x6f0
[   13.116203]  ret_from_fork+0x116/0x1d0
[   13.116423]  ret_from_fork_asm+0x1a/0x30
[   13.116980] 
[   13.117157] Freed by task 205:
[   13.117317]  kasan_save_stack+0x45/0x70
[   13.117620]  kasan_save_track+0x18/0x40
[   13.117882]  kasan_save_free_info+0x3f/0x60
[   13.118133]  __kasan_slab_free+0x56/0x70
[   13.118420]  kfree+0x222/0x3f0
[   13.118590]  kmalloc_uaf2+0x14c/0x520
[   13.118737]  kunit_try_run_case+0x1a5/0x480
[   13.118940]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.119205]  kthread+0x337/0x6f0
[   13.119495]  ret_from_fork+0x116/0x1d0
[   13.119638]  ret_from_fork_asm+0x1a/0x30
[   13.119818] 
[   13.120041] The buggy address belongs to the object at ffff888102a52300
[   13.120041]  which belongs to the cache kmalloc-64 of size 64
[   13.120832] The buggy address is located 40 bytes inside of
[   13.120832]  freed 64-byte region [ffff888102a52300, ffff888102a52340)
[   13.121797] 
[   13.122056] The buggy address belongs to the physical page:
[   13.122652] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a52
[   13.123083] flags: 0x200000000000000(node=0|zone=2)
[   13.123551] page_type: f5(slab)
[   13.123692] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   13.124328] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   13.124899] page dumped because: kasan: bad access detected
[   13.125318] 
[   13.125444] Memory state around the buggy address:
[   13.125994]  ffff888102a52200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.126458]  ffff888102a52280: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.126911] >ffff888102a52300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.127311]                                   ^
[   13.127484]  ffff888102a52380: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   13.127819]  ffff888102a52400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.128134] ==================================================================