Hay
Sign in
Date
July 20, 2025, 11:12 p.m.

Environment
qemu-arm64
qemu-x86_64 

[   16.729055] ==================================================================
[   16.729126] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[   16.729254] Write of size 33 at addr fff00000c7809700 by task kunit_try_catch/186
[   16.729326] 
[   16.729405] CPU: 1 UID: 0 PID: 186 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7 #1 PREEMPT 
[   16.729783] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.729956] Hardware name: linux,dummy-virt (DT)
[   16.730004] Call trace:
[   16.730029]  show_stack+0x20/0x38 (C)
[   16.730081]  dump_stack_lvl+0x8c/0xd0
[   16.730344]  print_report+0x118/0x5d0
[   16.730502]  kasan_report+0xdc/0x128
[   16.730710]  kasan_check_range+0x100/0x1a8
[   16.730894]  __asan_memset+0x34/0x78
[   16.731048]  kmalloc_uaf_memset+0x170/0x310
[   16.731390]  kunit_try_run_case+0x170/0x3f0
[   16.731619]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.731774]  kthread+0x328/0x630
[   16.731880]  ret_from_fork+0x10/0x20
[   16.732061] 
[   16.732522] Allocated by task 186:
[   16.732585]  kasan_save_stack+0x3c/0x68
[   16.732686]  kasan_save_track+0x20/0x40
[   16.732800]  kasan_save_alloc_info+0x40/0x58
[   16.732918]  __kasan_kmalloc+0xd4/0xd8
[   16.733053]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.733120]  kmalloc_uaf_memset+0xb8/0x310
[   16.733201]  kunit_try_run_case+0x170/0x3f0
[   16.733241]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.733566]  kthread+0x328/0x630
[   16.733756]  ret_from_fork+0x10/0x20
[   16.733960] 
[   16.734030] Freed by task 186:
[   16.734105]  kasan_save_stack+0x3c/0x68
[   16.734233]  kasan_save_track+0x20/0x40
[   16.734272]  kasan_save_free_info+0x4c/0x78
[   16.734312]  __kasan_slab_free+0x6c/0x98
[   16.734356]  kfree+0x214/0x3c8
[   16.734390]  kmalloc_uaf_memset+0x11c/0x310
[   16.734427]  kunit_try_run_case+0x170/0x3f0
[   16.734464]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.734919]  kthread+0x328/0x630
[   16.735026]  ret_from_fork+0x10/0x20
[   16.735212] 
[   16.735334] The buggy address belongs to the object at fff00000c7809700
[   16.735334]  which belongs to the cache kmalloc-64 of size 64
[   16.735439] The buggy address is located 0 bytes inside of
[   16.735439]  freed 64-byte region [fff00000c7809700, fff00000c7809740)
[   16.735526] 
[   16.735706] The buggy address belongs to the physical page:
[   16.735773] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107809
[   16.735850] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.735921] page_type: f5(slab)
[   16.735972] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   16.736030] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   16.736083] page dumped because: kasan: bad access detected
[   16.736116] 
[   16.736139] Memory state around the buggy address:
[   16.736182]  fff00000c7809600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.736247]  fff00000c7809680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.736289] >fff00000c7809700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.736335]                    ^
[   16.736362]  fff00000c7809780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.736404]  fff00000c7809800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.736444] ==================================================================
Metadata Full log Test run details 

[   16.710909] ==================================================================
[   16.710974] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[   16.711035] Write of size 33 at addr fff00000c6a20400 by task kunit_try_catch/186
[   16.711089] 
[   16.711279] CPU: 1 UID: 0 PID: 186 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7 #1 PREEMPT 
[   16.711405] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.711435] Hardware name: linux,dummy-virt (DT)
[   16.711470] Call trace:
[   16.711494]  show_stack+0x20/0x38 (C)
[   16.711548]  dump_stack_lvl+0x8c/0xd0
[   16.711597]  print_report+0x118/0x5d0
[   16.711658]  kasan_report+0xdc/0x128
[   16.711704]  kasan_check_range+0x100/0x1a8
[   16.711761]  __asan_memset+0x34/0x78
[   16.711807]  kmalloc_uaf_memset+0x170/0x310
[   16.711856]  kunit_try_run_case+0x170/0x3f0
[   16.711906]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.711962]  kthread+0x328/0x630
[   16.712005]  ret_from_fork+0x10/0x20
[   16.712063] 
[   16.712093] Allocated by task 186:
[   16.712129]  kasan_save_stack+0x3c/0x68
[   16.712171]  kasan_save_track+0x20/0x40
[   16.712209]  kasan_save_alloc_info+0x40/0x58
[   16.712250]  __kasan_kmalloc+0xd4/0xd8
[   16.712297]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.712344]  kmalloc_uaf_memset+0xb8/0x310
[   16.712381]  kunit_try_run_case+0x170/0x3f0
[   16.712418]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.712468]  kthread+0x328/0x630
[   16.712509]  ret_from_fork+0x10/0x20
[   16.712552] 
[   16.712572] Freed by task 186:
[   16.712598]  kasan_save_stack+0x3c/0x68
[   16.713406]  kasan_save_track+0x20/0x40
[   16.713451]  kasan_save_free_info+0x4c/0x78
[   16.713492]  __kasan_slab_free+0x6c/0x98
[   16.713825]  kfree+0x214/0x3c8
[   16.714156]  kmalloc_uaf_memset+0x11c/0x310
[   16.714228]  kunit_try_run_case+0x170/0x3f0
[   16.714445]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.714591]  kthread+0x328/0x630
[   16.714742]  ret_from_fork+0x10/0x20
[   16.714833] 
[   16.714877] The buggy address belongs to the object at fff00000c6a20400
[   16.714877]  which belongs to the cache kmalloc-64 of size 64
[   16.715274] The buggy address is located 0 bytes inside of
[   16.715274]  freed 64-byte region [fff00000c6a20400, fff00000c6a20440)
[   16.715509] 
[   16.715588] The buggy address belongs to the physical page:
[   16.715692] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106a20
[   16.715775] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.715833] page_type: f5(slab)
[   16.716145] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   16.716343] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   16.716521] page dumped because: kasan: bad access detected
[   16.716671] 
[   16.716715] Memory state around the buggy address:
[   16.716882]  fff00000c6a20300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.717128]  fff00000c6a20380: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.717575] >fff00000c6a20400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   16.717971]                    ^
[   16.718040]  fff00000c6a20480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.718097]  fff00000c6a20500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.718186] ==================================================================
Metadata Full log Test run details 

[   12.908856] ==================================================================
[   12.909619] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a3/0x360
[   12.910109] Write of size 33 at addr ffff88810315f680 by task kunit_try_catch/204
[   12.910555] 
[   12.910652] CPU: 1 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7 #1 PREEMPT(voluntary) 
[   12.910746] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.910758] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.910780] Call Trace:
[   12.910793]  <TASK>
[   12.910824]  dump_stack_lvl+0x73/0xb0
[   12.910869]  print_report+0xd1/0x610
[   12.910904]  ? __virt_addr_valid+0x1db/0x2d0
[   12.910926]  ? kmalloc_uaf_memset+0x1a3/0x360
[   12.910947]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.910969]  ? kmalloc_uaf_memset+0x1a3/0x360
[   12.910990]  kasan_report+0x141/0x180
[   12.911012]  ? kmalloc_uaf_memset+0x1a3/0x360
[   12.911039]  kasan_check_range+0x10c/0x1c0
[   12.911062]  __asan_memset+0x27/0x50
[   12.911081]  kmalloc_uaf_memset+0x1a3/0x360
[   12.911101]  ? __pfx_kmalloc_uaf_memset+0x10/0x10
[   12.911330]  ? __schedule+0x10c6/0x2b60
[   12.911365]  ? __pfx_read_tsc+0x10/0x10
[   12.911388]  ? ktime_get_ts64+0x86/0x230
[   12.911448]  kunit_try_run_case+0x1a5/0x480
[   12.911473]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.911495]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.911519]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.911543]  ? __kthread_parkme+0x82/0x180
[   12.911563]  ? preempt_count_sub+0x50/0x80
[   12.911588]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.911622]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.911645]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.911668]  kthread+0x337/0x6f0
[   12.911688]  ? trace_preempt_on+0x20/0xc0
[   12.911712]  ? __pfx_kthread+0x10/0x10
[   12.911733]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.911754]  ? calculate_sigpending+0x7b/0xa0
[   12.911777]  ? __pfx_kthread+0x10/0x10
[   12.911799]  ret_from_fork+0x116/0x1d0
[   12.911817]  ? __pfx_kthread+0x10/0x10
[   12.911837]  ret_from_fork_asm+0x1a/0x30
[   12.911870]  </TASK>
[   12.911880] 
[   12.923069] Allocated by task 204:
[   12.923829]  kasan_save_stack+0x45/0x70
[   12.925040]  kasan_save_track+0x18/0x40
[   12.925224]  kasan_save_alloc_info+0x3b/0x50
[   12.925383]  __kasan_kmalloc+0xb7/0xc0
[   12.925601]  __kmalloc_cache_noprof+0x189/0x420
[   12.925834]  kmalloc_uaf_memset+0xa9/0x360
[   12.927115]  kunit_try_run_case+0x1a5/0x480
[   12.927725]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.927925]  kthread+0x337/0x6f0
[   12.928303]  ret_from_fork+0x116/0x1d0
[   12.928504]  ret_from_fork_asm+0x1a/0x30
[   12.928651] 
[   12.929835] Freed by task 204:
[   12.930648]  kasan_save_stack+0x45/0x70
[   12.931177]  kasan_save_track+0x18/0x40
[   12.931366]  kasan_save_free_info+0x3f/0x60
[   12.932508]  __kasan_slab_free+0x56/0x70
[   12.933325]  kfree+0x222/0x3f0
[   12.934054]  kmalloc_uaf_memset+0x12b/0x360
[   12.934473]  kunit_try_run_case+0x1a5/0x480
[   12.934682]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.934909]  kthread+0x337/0x6f0
[   12.935062]  ret_from_fork+0x116/0x1d0
[   12.935235]  ret_from_fork_asm+0x1a/0x30
[   12.936298] 
[   12.936894] The buggy address belongs to the object at ffff88810315f680
[   12.936894]  which belongs to the cache kmalloc-64 of size 64
[   12.939445] The buggy address is located 0 bytes inside of
[   12.939445]  freed 64-byte region [ffff88810315f680, ffff88810315f6c0)
[   12.939890] 
[   12.939997] The buggy address belongs to the physical page:
[   12.940249] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10315f
[   12.940584] flags: 0x200000000000000(node=0|zone=2)
[   12.941768] page_type: f5(slab)
[   12.941905] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   12.942745] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   12.943044] page dumped because: kasan: bad access detected
[   12.943695] 
[   12.943797] Memory state around the buggy address:
[   12.944243]  ffff88810315f580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   12.944822]  ffff88810315f600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   12.945098] >ffff88810315f680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   12.946294]                    ^
[   12.946478]  ffff88810315f700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.946953]  ffff88810315f780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.947472] ==================================================================
Metadata Full log Test run details 

[   13.069690] ==================================================================
[   13.070279] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a3/0x360
[   13.070559] Write of size 33 at addr ffff888102a52280 by task kunit_try_catch/203
[   13.070795] 
[   13.070898] CPU: 0 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7 #1 PREEMPT(voluntary) 
[   13.070950] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.070962] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.070984] Call Trace:
[   13.070997]  <TASK>
[   13.071017]  dump_stack_lvl+0x73/0xb0
[   13.071048]  print_report+0xd1/0x610
[   13.071071]  ? __virt_addr_valid+0x1db/0x2d0
[   13.071096]  ? kmalloc_uaf_memset+0x1a3/0x360
[   13.071117]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.071138]  ? kmalloc_uaf_memset+0x1a3/0x360
[   13.071174]  kasan_report+0x141/0x180
[   13.071195]  ? kmalloc_uaf_memset+0x1a3/0x360
[   13.071219]  kasan_check_range+0x10c/0x1c0
[   13.071241]  __asan_memset+0x27/0x50
[   13.071260]  kmalloc_uaf_memset+0x1a3/0x360
[   13.071280]  ? __pfx_kmalloc_uaf_memset+0x10/0x10
[   13.071300]  ? __schedule+0x10c6/0x2b60
[   13.071323]  ? __pfx_read_tsc+0x10/0x10
[   13.071344]  ? ktime_get_ts64+0x86/0x230
[   13.071368]  kunit_try_run_case+0x1a5/0x480
[   13.071393]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.071797]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.071828]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.072012]  ? __kthread_parkme+0x82/0x180
[   13.072035]  ? preempt_count_sub+0x50/0x80
[   13.072059]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.072082]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.072105]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.072128]  kthread+0x337/0x6f0
[   13.072158]  ? trace_preempt_on+0x20/0xc0
[   13.072181]  ? __pfx_kthread+0x10/0x10
[   13.072201]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.072221]  ? calculate_sigpending+0x7b/0xa0
[   13.072245]  ? __pfx_kthread+0x10/0x10
[   13.072266]  ret_from_fork+0x116/0x1d0
[   13.072283]  ? __pfx_kthread+0x10/0x10
[   13.072303]  ret_from_fork_asm+0x1a/0x30
[   13.072338]  </TASK>
[   13.072350] 
[   13.081822] Allocated by task 203:
[   13.082094]  kasan_save_stack+0x45/0x70
[   13.082328]  kasan_save_track+0x18/0x40
[   13.082533]  kasan_save_alloc_info+0x3b/0x50
[   13.082734]  __kasan_kmalloc+0xb7/0xc0
[   13.082958]  __kmalloc_cache_noprof+0x189/0x420
[   13.083226]  kmalloc_uaf_memset+0xa9/0x360
[   13.083459]  kunit_try_run_case+0x1a5/0x480
[   13.083645]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.083986]  kthread+0x337/0x6f0
[   13.084190]  ret_from_fork+0x116/0x1d0
[   13.084375]  ret_from_fork_asm+0x1a/0x30
[   13.084596] 
[   13.084679] Freed by task 203:
[   13.084933]  kasan_save_stack+0x45/0x70
[   13.085140]  kasan_save_track+0x18/0x40
[   13.085323]  kasan_save_free_info+0x3f/0x60
[   13.085569]  __kasan_slab_free+0x56/0x70
[   13.085757]  kfree+0x222/0x3f0
[   13.086046]  kmalloc_uaf_memset+0x12b/0x360
[   13.086314]  kunit_try_run_case+0x1a5/0x480
[   13.086557]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.086809]  kthread+0x337/0x6f0
[   13.087040]  ret_from_fork+0x116/0x1d0
[   13.087242]  ret_from_fork_asm+0x1a/0x30
[   13.087461] 
[   13.087561] The buggy address belongs to the object at ffff888102a52280
[   13.087561]  which belongs to the cache kmalloc-64 of size 64
[   13.088109] The buggy address is located 0 bytes inside of
[   13.088109]  freed 64-byte region [ffff888102a52280, ffff888102a522c0)
[   13.088661] 
[   13.088787] The buggy address belongs to the physical page:
[   13.089105] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a52
[   13.089492] flags: 0x200000000000000(node=0|zone=2)
[   13.089722] page_type: f5(slab)
[   13.089976] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   13.090327] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   13.090674] page dumped because: kasan: bad access detected
[   13.091031] 
[   13.091113] Memory state around the buggy address:
[   13.091354]  ffff888102a52180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.091711]  ffff888102a52200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.092090] >ffff888102a52280: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   13.092445]                    ^
[   13.092608]  ffff888102a52300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.092969]  ffff888102a52380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.093263] ==================================================================
Metadata Full log Test run details