Date: Nov. 20, 2024, 6:35 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64 log:

```
[ 36.628013] ==================================================================
[ 36.628917] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 36.629821] Read of size 16 at addr fff00000c1bb3be0 by task kunit_try_catch/157
[ 36.631624]
[ 36.631923] CPU: 0 UID: 0 PID: 157 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1
[ 36.633009] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 36.633751] Hardware name: linux,dummy-virt (DT)
[ 36.634311] Call trace:
[ 36.635152]  show_stack+0x20/0x38 (C)
[ 36.635841]  dump_stack_lvl+0x8c/0xd0
[ 36.636377]  print_report+0x118/0x5e0
[ 36.636966]  kasan_report+0xc8/0x118
[ 36.637826]  __asan_report_load16_noabort+0x20/0x30
[ 36.638572]  kmalloc_uaf_16+0x3bc/0x438
[ 36.639122]  kunit_try_run_case+0x14c/0x3d0
[ 36.639851]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 36.640436]  kthread+0x24c/0x2d0
[ 36.641020]  ret_from_fork+0x10/0x20
[ 36.641737]
[ 36.642052] Allocated by task 157:
[ 36.642583]  kasan_save_stack+0x3c/0x68
[ 36.643155]  kasan_save_track+0x20/0x40
[ 36.644016]  kasan_save_alloc_info+0x40/0x58
[ 36.644640]  __kasan_kmalloc+0xd4/0xd8
[ 36.645116]  __kmalloc_cache_noprof+0x15c/0x3c8
[ 36.645818]  kmalloc_uaf_16+0x140/0x438
[ 36.646866]  kunit_try_run_case+0x14c/0x3d0
[ 36.647432]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 36.648075]  kthread+0x24c/0x2d0
[ 36.648716]  ret_from_fork+0x10/0x20
[ 36.649260]
[ 36.649582] Freed by task 157:
[ 36.650003]  kasan_save_stack+0x3c/0x68
[ 36.651176]  kasan_save_track+0x20/0x40
[ 36.651671]  kasan_save_free_info+0x4c/0x78
[ 36.652284]  __kasan_slab_free+0x6c/0x98
[ 36.652772]  kfree+0x114/0x3d0
[ 36.653798]  kmalloc_uaf_16+0x190/0x438
[ 36.654306]  kunit_try_run_case+0x14c/0x3d0
[ 36.654776]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 36.655497]  kthread+0x24c/0x2d0
[ 36.656019]  ret_from_fork+0x10/0x20
[ 36.656563]
[ 36.656899] The buggy address belongs to the object at fff00000c1bb3be0
[ 36.656899]  which belongs to the cache kmalloc-16 of size 16
[ 36.658426] The buggy address is located 0 bytes inside of
[ 36.658426]  freed 16-byte region [fff00000c1bb3be0, fff00000c1bb3bf0)
[ 36.659593]
[ 36.659892] The buggy address belongs to the physical page:
[ 36.660609] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101bb3
[ 36.661340] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 36.662085] page_type: f5(slab)
[ 36.662560] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 36.663509] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 36.664420] page dumped because: kasan: bad access detected
[ 36.664894]
[ 36.665164] Memory state around the buggy address:
[ 36.666212]  fff00000c1bb3a80: fa fb fc fc fa fb fc fc fa fb fc fc 00 02 fc fc
[ 36.667090]  fff00000c1bb3b00: 00 02 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 36.667982] >fff00000c1bb3b80: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[ 36.668809]                                                        ^
[ 36.669553]  fff00000c1bb3c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.670912]  fff00000c1bb3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.671691] ==================================================================
[ 37.146333] ==================================================================
[ 37.147262] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[ 37.148246] Read of size 1 at addr fff00000c65920a8 by task kunit_try_catch/177
[ 37.149078]
[ 37.149540] CPU: 1 UID: 0 PID: 177 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1
[ 37.150777] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 37.151345] Hardware name: linux,dummy-virt (DT)
[ 37.152120] Call trace:
[ 37.152915]  show_stack+0x20/0x38 (C)
[ 37.153557]  dump_stack_lvl+0x8c/0xd0
[ 37.154240]  print_report+0x118/0x5e0
[ 37.154933]  kasan_report+0xc8/0x118
[ 37.155606]  __asan_report_load1_noabort+0x20/0x30
[ 37.156223]  kmalloc_uaf2+0x3f4/0x468
[ 37.156726]  kunit_try_run_case+0x14c/0x3d0
[ 37.157426]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.158296]  kthread+0x24c/0x2d0
[ 37.158875]  ret_from_fork+0x10/0x20
[ 37.159508]
[ 37.159889] Allocated by task 177:
[ 37.160389]  kasan_save_stack+0x3c/0x68
[ 37.161038]  kasan_save_track+0x20/0x40
[ 37.161882]  kasan_save_alloc_info+0x40/0x58
[ 37.162465]  __kasan_kmalloc+0xd4/0xd8
[ 37.163015]  __kmalloc_cache_noprof+0x15c/0x3c8
[ 37.163617]  kmalloc_uaf2+0xc4/0x468
[ 37.164208]  kunit_try_run_case+0x14c/0x3d0
[ 37.164866]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.165673]  kthread+0x24c/0x2d0
[ 37.166136]  ret_from_fork+0x10/0x20
[ 37.166908]
[ 37.167267] Freed by task 177:
[ 37.167798]  kasan_save_stack+0x3c/0x68
[ 37.168401]  kasan_save_track+0x20/0x40
[ 37.169004]  kasan_save_free_info+0x4c/0x78
[ 37.169760]  __kasan_slab_free+0x6c/0x98
[ 37.170471]  kfree+0x114/0x3d0
[ 37.170955]  kmalloc_uaf2+0x134/0x468
[ 37.171700]  kunit_try_run_case+0x14c/0x3d0
[ 37.172103]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.173455]  kthread+0x24c/0x2d0
[ 37.174197]  ret_from_fork+0x10/0x20
[ 37.174880]
[ 37.175205] The buggy address belongs to the object at fff00000c6592080
[ 37.175205]  which belongs to the cache kmalloc-64 of size 64
[ 37.176960] The buggy address is located 40 bytes inside of
[ 37.176960]  freed 64-byte region [fff00000c6592080, fff00000c65920c0)
[ 37.178549]
[ 37.179018] The buggy address belongs to the physical page:
[ 37.179734] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106592
[ 37.180591] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 37.181526] page_type: f5(slab)
[ 37.181976] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 37.182623] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[ 37.183541] page dumped because: kasan: bad access detected
[ 37.184148]
[ 37.184532] Memory state around the buggy address:
[ 37.185096]  fff00000c6591f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 37.186420]  fff00000c6592000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 37.187070] >fff00000c6592080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 37.187816]                                   ^
[ 37.188432]  fff00000c6592100: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 37.189269]  fff00000c6592180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.190295] ==================================================================
[ 37.035536] ==================================================================
[ 37.036717] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[ 37.037381] Read of size 1 at addr fff00000c5a3bf08 by task kunit_try_catch/173
[ 37.038923]
[ 37.039353] CPU: 1 UID: 0 PID: 173 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1
[ 37.040558] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 37.041080] Hardware name: linux,dummy-virt (DT)
[ 37.041692] Call trace:
[ 37.042136]  show_stack+0x20/0x38 (C)
[ 37.042707]  dump_stack_lvl+0x8c/0xd0
[ 37.043287]  print_report+0x118/0x5e0
[ 37.043922]  kasan_report+0xc8/0x118
[ 37.044548]  __asan_report_load1_noabort+0x20/0x30
[ 37.045431]  kmalloc_uaf+0x300/0x338
[ 37.045913]  kunit_try_run_case+0x14c/0x3d0
[ 37.046561]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.047201]  kthread+0x24c/0x2d0
[ 37.047742]  ret_from_fork+0x10/0x20
[ 37.048230]
[ 37.048588] Allocated by task 173:
[ 37.049072]  kasan_save_stack+0x3c/0x68
[ 37.049967]  kasan_save_track+0x20/0x40
[ 37.050920]  kasan_save_alloc_info+0x40/0x58
[ 37.051384]  __kasan_kmalloc+0xd4/0xd8
[ 37.051960]  __kmalloc_cache_noprof+0x15c/0x3c8
[ 37.052608]  kmalloc_uaf+0xb8/0x338
[ 37.053080]  kunit_try_run_case+0x14c/0x3d0
[ 37.054117]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.055054]  kthread+0x24c/0x2d0
[ 37.055841]  ret_from_fork+0x10/0x20
[ 37.056387]
[ 37.056716] Freed by task 173:
[ 37.058327]  kasan_save_stack+0x3c/0x68
[ 37.058893]  kasan_save_track+0x20/0x40
[ 37.059502]  kasan_save_free_info+0x4c/0x78
[ 37.060202]  __kasan_slab_free+0x6c/0x98
[ 37.060716]  kfree+0x114/0x3d0
[ 37.060947]  kmalloc_uaf+0x11c/0x338
[ 37.061171]  kunit_try_run_case+0x14c/0x3d0
[ 37.061423]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.062094]  kthread+0x24c/0x2d0
[ 37.062627]  ret_from_fork+0x10/0x20
[ 37.063223]
[ 37.063626] The buggy address belongs to the object at fff00000c5a3bf00
[ 37.063626]  which belongs to the cache kmalloc-16 of size 16
[ 37.064777] The buggy address is located 8 bytes inside of
[ 37.064777]  freed 16-byte region [fff00000c5a3bf00, fff00000c5a3bf10)
[ 37.065876]
[ 37.066266] The buggy address belongs to the physical page:
[ 37.066966] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a3b
[ 37.067866] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 37.068684] page_type: f5(slab)
[ 37.069216] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 37.070033] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 37.070870] page dumped because: kasan: bad access detected
[ 37.071467]
[ 37.071795] Memory state around the buggy address:
[ 37.072322]  fff00000c5a3be00: fa fb fc fc 00 02 fc fc fa fb fc fc fa fb fc fc
[ 37.073175]  fff00000c5a3be80: fa fb fc fc fa fb fc fc fa fb fc fc 00 04 fc fc
[ 37.073832] >fff00000c5a3bf00: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.074656]                       ^
[ 37.075153]  fff00000c5a3bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.075924]  fff00000c5a3c000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 37.076617] ==================================================================
```
qemu-x86_64 log:

```
[ 28.075828] ==================================================================
[ 28.076978] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47d/0x4c0
[ 28.077970] Read of size 16 at addr ffff8881025fee40 by task kunit_try_catch/175
[ 28.079914]
[ 28.080113] CPU: 1 UID: 0 PID: 175 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1
[ 28.080880] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 28.081264] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 28.082513] Call Trace:
[ 28.083117]  <TASK>
[ 28.083313]  dump_stack_lvl+0x73/0xb0
[ 28.084265]  print_report+0xd1/0x640
[ 28.085358]  ? __virt_addr_valid+0x1db/0x2d0
[ 28.086106]  ? kasan_complete_mode_report_info+0x64/0x200
[ 28.086636]  kasan_report+0x102/0x140
[ 28.087361]  ? kmalloc_uaf_16+0x47d/0x4c0
[ 28.088263]  ? kmalloc_uaf_16+0x47d/0x4c0
[ 28.088549]  __asan_report_load16_noabort+0x18/0x20
[ 28.089732]  kmalloc_uaf_16+0x47d/0x4c0
[ 28.090101]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 28.091557]  ? __schedule+0xc3e/0x2790
[ 28.091969]  ? __pfx_read_tsc+0x10/0x10
[ 28.092602]  ? ktime_get_ts64+0x84/0x230
[ 28.093368]  kunit_try_run_case+0x1b3/0x490
[ 28.094106]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.095179]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 28.096172]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 28.096551]  ? __kthread_parkme+0x82/0x160
[ 28.097427]  ? preempt_count_sub+0x50/0x80
[ 28.097878]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.098607]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 28.099763]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 28.100443]  kthread+0x257/0x310
[ 28.100995]  ? __pfx_kthread+0x10/0x10
[ 28.101502]  ret_from_fork+0x41/0x80
[ 28.102382]  ? __pfx_kthread+0x10/0x10
[ 28.102666]  ret_from_fork_asm+0x1a/0x30
[ 28.103215]  </TASK>
[ 28.103440]
[ 28.104223] Allocated by task 175:
[ 28.104541]  kasan_save_stack+0x3d/0x60
[ 28.104976]  kasan_save_track+0x18/0x40
[ 28.106253]  kasan_save_alloc_info+0x3b/0x50
[ 28.106617]  __kasan_kmalloc+0xb7/0xc0
[ 28.107000]  __kmalloc_cache_noprof+0x184/0x410
[ 28.107788]  kmalloc_uaf_16+0x15c/0x4c0
[ 28.108146]  kunit_try_run_case+0x1b3/0x490
[ 28.108737]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 28.109637]  kthread+0x257/0x310
[ 28.110033]  ret_from_fork+0x41/0x80
[ 28.110514]  ret_from_fork_asm+0x1a/0x30
[ 28.110979]
[ 28.111161] Freed by task 175:
[ 28.112477]  kasan_save_stack+0x3d/0x60
[ 28.112831]  kasan_save_track+0x18/0x40
[ 28.113344]  kasan_save_free_info+0x3f/0x60
[ 28.113926]  __kasan_slab_free+0x56/0x70
[ 28.114654]  kfree+0x123/0x3f0
[ 28.115482]  kmalloc_uaf_16+0x1d7/0x4c0
[ 28.115895]  kunit_try_run_case+0x1b3/0x490
[ 28.116563]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 28.117890]  kthread+0x257/0x310
[ 28.118218]  ret_from_fork+0x41/0x80
[ 28.119327]  ret_from_fork_asm+0x1a/0x30
[ 28.120271]
[ 28.120520] The buggy address belongs to the object at ffff8881025fee40
[ 28.120520]  which belongs to the cache kmalloc-16 of size 16
[ 28.121634] The buggy address is located 0 bytes inside of
[ 28.121634]  freed 16-byte region [ffff8881025fee40, ffff8881025fee50)
[ 28.122460]
[ 28.122778] The buggy address belongs to the physical page:
[ 28.123809] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1025fe
[ 28.124549] flags: 0x200000000000000(node=0|zone=2)
[ 28.125051] page_type: f5(slab)
[ 28.125364] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 28.126038] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 28.126836] page dumped because: kasan: bad access detected
[ 28.127291]
[ 28.127441] Memory state around the buggy address:
[ 28.128133]  ffff8881025fed00: 00 02 fc fc 00 02 fc fc fa fb fc fc fa fb fc fc
[ 28.128532]  ffff8881025fed80: fa fb fc fc 00 05 fc fc fa fb fc fc fa fb fc fc
[ 28.129382] >ffff8881025fee00: fa fb fc fc 00 00 fc fc fa fb fc fc fc fc fc fc
[ 28.129910]                                            ^
[ 28.130830]  ffff8881025fee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.132392]  ffff8881025fef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.133537] ==================================================================
[ 28.519672] ==================================================================
[ 28.521010] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x322/0x380
[ 28.521924] Read of size 1 at addr ffff8881025fee68 by task kunit_try_catch/191
[ 28.523227]
[ 28.523400] CPU: 1 UID: 0 PID: 191 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1
[ 28.524797] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 28.525086] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 28.526483] Call Trace:
[ 28.526847]  <TASK>
[ 28.527097]  dump_stack_lvl+0x73/0xb0
[ 28.528031]  print_report+0xd1/0x640
[ 28.528631]  ? __virt_addr_valid+0x1db/0x2d0
[ 28.529455]  ? kasan_complete_mode_report_info+0x64/0x200
[ 28.529963]  kasan_report+0x102/0x140
[ 28.530351]  ? kmalloc_uaf+0x322/0x380
[ 28.530722]  ? kmalloc_uaf+0x322/0x380
[ 28.531111]  __asan_report_load1_noabort+0x18/0x20
[ 28.531569]  kmalloc_uaf+0x322/0x380
[ 28.532435]  ? __pfx_kmalloc_uaf+0x10/0x10
[ 28.533408]  ? __schedule+0xc3e/0x2790
[ 28.534330]  ? __pfx_read_tsc+0x10/0x10
[ 28.535178]  ? ktime_get_ts64+0x84/0x230
[ 28.536087]  kunit_try_run_case+0x1b3/0x490
[ 28.537011]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.538035]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 28.539073]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 28.539774]  ? __kthread_parkme+0x82/0x160
[ 28.540232]  ? preempt_count_sub+0x50/0x80
[ 28.540623]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.541255]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 28.541881]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 28.542473]  kthread+0x257/0x310
[ 28.542910]  ? __pfx_kthread+0x10/0x10
[ 28.543595]  ret_from_fork+0x41/0x80
[ 28.544124]  ? __pfx_kthread+0x10/0x10
[ 28.544655]  ret_from_fork_asm+0x1a/0x30
[ 28.545054]  </TASK>
[ 28.545419]
[ 28.545644] Allocated by task 191:
[ 28.545967]  kasan_save_stack+0x3d/0x60
[ 28.546390]  kasan_save_track+0x18/0x40
[ 28.546934]  kasan_save_alloc_info+0x3b/0x50
[ 28.547235]  __kasan_kmalloc+0xb7/0xc0
[ 28.547501]  __kmalloc_cache_noprof+0x184/0x410
[ 28.547821]  kmalloc_uaf+0xab/0x380
[ 28.548591]  kunit_try_run_case+0x1b3/0x490
[ 28.549249]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 28.549658]  kthread+0x257/0x310
[ 28.550578]  ret_from_fork+0x41/0x80
[ 28.550918]  ret_from_fork_asm+0x1a/0x30
[ 28.551800]
[ 28.551976] Freed by task 191:
[ 28.552308]  kasan_save_stack+0x3d/0x60
[ 28.552945]  kasan_save_track+0x18/0x40
[ 28.553508]  kasan_save_free_info+0x3f/0x60
[ 28.553998]  __kasan_slab_free+0x56/0x70
[ 28.554617]  kfree+0x123/0x3f0
[ 28.554879]  kmalloc_uaf+0x12d/0x380
[ 28.555145]  kunit_try_run_case+0x1b3/0x490
[ 28.555433]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 28.556197]  kthread+0x257/0x310
[ 28.556657]  ret_from_fork+0x41/0x80
[ 28.557145]  ret_from_fork_asm+0x1a/0x30
[ 28.557831]
[ 28.558108] The buggy address belongs to the object at ffff8881025fee60
[ 28.558108]  which belongs to the cache kmalloc-16 of size 16
[ 28.559603] The buggy address is located 8 bytes inside of
[ 28.559603]  freed 16-byte region [ffff8881025fee60, ffff8881025fee70)
[ 28.561322]
[ 28.561482] The buggy address belongs to the physical page:
[ 28.562883] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1025fe
[ 28.564012] flags: 0x200000000000000(node=0|zone=2)
[ 28.565365] page_type: f5(slab)
[ 28.566301] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 28.566948] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 28.567523] page dumped because: kasan: bad access detected
[ 28.567975]
[ 28.568165] Memory state around the buggy address:
[ 28.568557]  ffff8881025fed00: 00 02 fc fc 00 02 fc fc fa fb fc fc fa fb fc fc
[ 28.569466]  ffff8881025fed80: fa fb fc fc 00 05 fc fc fa fb fc fc fa fb fc fc
[ 28.570945] >ffff8881025fee00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 28.572052]                                                           ^
[ 28.572796]  ffff8881025fee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.573816]  ffff8881025fef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.574493] ==================================================================
[ 28.633005] ==================================================================
[ 28.634152] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4aa/0x520
[ 28.634803] Read of size 1 at addr ffff888101ac7728 by task kunit_try_catch/195
[ 28.635474]
[ 28.635868] CPU: 0 UID: 0 PID: 195 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1
[ 28.637526] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 28.638239] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 28.639326] Call Trace:
[ 28.639525]  <TASK>
[ 28.640322]  dump_stack_lvl+0x73/0xb0
[ 28.641318]  print_report+0xd1/0x640
[ 28.641832]  ? __virt_addr_valid+0x1db/0x2d0
[ 28.642081]  ? kasan_complete_mode_report_info+0x64/0x200
[ 28.643288]  kasan_report+0x102/0x140
[ 28.643681]  ? kmalloc_uaf2+0x4aa/0x520
[ 28.644017]  ? kmalloc_uaf2+0x4aa/0x520
[ 28.645139]  __asan_report_load1_noabort+0x18/0x20
[ 28.646445]  kmalloc_uaf2+0x4aa/0x520
[ 28.646956]  ? __pfx_kmalloc_uaf2+0x10/0x10
[ 28.647308]  ? finish_task_switch.isra.0+0x153/0x700
[ 28.648238]  ? __switch_to+0x5d9/0xf60
[ 28.648647]  ? __schedule+0xc3e/0x2790
[ 28.648926]  ? __pfx_read_tsc+0x10/0x10
[ 28.649429]  ? ktime_get_ts64+0x84/0x230
[ 28.650458]  kunit_try_run_case+0x1b3/0x490
[ 28.651014]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.651851]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 28.652177]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 28.652738]  ? __kthread_parkme+0x82/0x160
[ 28.653494]  ? preempt_count_sub+0x50/0x80
[ 28.653999]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.654645]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 28.656135]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 28.656912]  kthread+0x257/0x310
[ 28.657529]  ? __pfx_kthread+0x10/0x10
[ 28.658406]  ret_from_fork+0x41/0x80
[ 28.658828]  ? __pfx_kthread+0x10/0x10
[ 28.659490]  ret_from_fork_asm+0x1a/0x30
[ 28.660135]  </TASK>
[ 28.660438]
[ 28.660784] Allocated by task 195:
[ 28.661372]  kasan_save_stack+0x3d/0x60
[ 28.662296]  kasan_save_track+0x18/0x40
[ 28.663033]  kasan_save_alloc_info+0x3b/0x50
[ 28.663665]  __kasan_kmalloc+0xb7/0xc0
[ 28.664080]  __kmalloc_cache_noprof+0x184/0x410
[ 28.665375]  kmalloc_uaf2+0xc7/0x520
[ 28.665583]  kunit_try_run_case+0x1b3/0x490
[ 28.665888]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 28.667421]  kthread+0x257/0x310
[ 28.667651]  ret_from_fork+0x41/0x80
[ 28.668222]  ret_from_fork_asm+0x1a/0x30
[ 28.669110]
[ 28.669411] Freed by task 195:
[ 28.669833]  kasan_save_stack+0x3d/0x60
[ 28.670269]  kasan_save_track+0x18/0x40
[ 28.671490]  kasan_save_free_info+0x3f/0x60
[ 28.672498]  __kasan_slab_free+0x56/0x70
[ 28.672869]  kfree+0x123/0x3f0
[ 28.673289]  kmalloc_uaf2+0x14d/0x520
[ 28.673635]  kunit_try_run_case+0x1b3/0x490
[ 28.674719]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 28.675653]  kthread+0x257/0x310
[ 28.676432]  ret_from_fork+0x41/0x80
[ 28.676936]  ret_from_fork_asm+0x1a/0x30
[ 28.677441]
[ 28.677992] The buggy address belongs to the object at ffff888101ac7700
[ 28.677992]  which belongs to the cache kmalloc-64 of size 64
[ 28.679319] The buggy address is located 40 bytes inside of
[ 28.679319]  freed 64-byte region [ffff888101ac7700, ffff888101ac7740)
[ 28.681490]
[ 28.681754] The buggy address belongs to the physical page:
[ 28.682864] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101ac7
[ 28.683624] flags: 0x200000000000000(node=0|zone=2)
[ 28.684138] page_type: f5(slab)
[ 28.684498] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 28.686044] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[ 28.687003] page dumped because: kasan: bad access detected
[ 28.687665]
[ 28.687958] Memory state around the buggy address:
[ 28.689193]  ffff888101ac7600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 28.690317]  ffff888101ac7680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 28.691254] >ffff888101ac7700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 28.692810]                                   ^
[ 28.693489]  ffff888101ac7780: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 28.694926]  ffff888101ac7800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.695397] ==================================================================
```