Date
Nov. 20, 2024, 6:35 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 37.443791] ================================================================== [ 37.444831] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x600 [ 37.446284] Read of size 1 at addr fff00000c1bf0100 by task kunit_try_catch/185 [ 37.447612] [ 37.448561] CPU: 1 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1 [ 37.449625] Tainted: [B]=BAD_PAGE, [N]=TEST [ 37.450174] Hardware name: linux,dummy-virt (DT) [ 37.450751] Call trace: [ 37.451090] show_stack+0x20/0x38 (C) [ 37.451613] dump_stack_lvl+0x8c/0xd0 [ 37.452096] print_report+0x118/0x5e0 [ 37.452695] kasan_report+0xc8/0x118 [ 37.453190] __kasan_check_byte+0x54/0x70 [ 37.453750] ksize+0x30/0x88 [ 37.454288] ksize_uaf+0x168/0x600 [ 37.455568] kunit_try_run_case+0x14c/0x3d0 [ 37.456167] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.456831] kthread+0x24c/0x2d0 [ 37.457716] ret_from_fork+0x10/0x20 [ 37.458957] [ 37.459752] Allocated by task 185: [ 37.460267] kasan_save_stack+0x3c/0x68 [ 37.460811] kasan_save_track+0x20/0x40 [ 37.461683] kasan_save_alloc_info+0x40/0x58 [ 37.462283] __kasan_kmalloc+0xd4/0xd8 [ 37.462814] __kmalloc_cache_noprof+0x15c/0x3c8 [ 37.463370] ksize_uaf+0xb8/0x600 [ 37.464164] kunit_try_run_case+0x14c/0x3d0 [ 37.464783] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.465997] kthread+0x24c/0x2d0 [ 37.466782] ret_from_fork+0x10/0x20 [ 37.467255] [ 37.467554] Freed by task 185: [ 37.468076] kasan_save_stack+0x3c/0x68 [ 37.468733] kasan_save_track+0x20/0x40 [ 37.469767] kasan_save_free_info+0x4c/0x78 [ 37.470217] __kasan_slab_free+0x6c/0x98 [ 37.470820] kfree+0x114/0x3d0 [ 37.471332] ksize_uaf+0x11c/0x600 [ 37.471802] kunit_try_run_case+0x14c/0x3d0 [ 37.472490] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.473282] kthread+0x24c/0x2d0 [ 37.474535] ret_from_fork+0x10/0x20 [ 37.475381] [ 37.476103] The buggy address belongs to the object at fff00000c1bf0100 [ 37.476103] which belongs to the cache kmalloc-128 of size 128 [ 37.477289] The buggy address is located 0 bytes inside of [ 37.477289] freed 128-byte region [fff00000c1bf0100, fff00000c1bf0180) [ 37.479133] [ 37.479391] The buggy address belongs to the physical page: [ 37.479941] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101bf0 [ 37.480743] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 37.481795] page_type: f5(slab) [ 37.482682] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 37.483481] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 37.484315] page dumped because: kasan: bad access detected [ 37.485863] [ 37.486203] Memory state around the buggy address: [ 37.486729] fff00000c1bf0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.488107] fff00000c1bf0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 37.488962] >fff00000c1bf0100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.489757] ^ [ 37.490186] fff00000c1bf0180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 37.492068] fff00000c1bf0200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 37.492798] ================================================================== [ 37.538624] ================================================================== [ 37.539563] BUG: KASAN: slab-use-after-free in ksize_uaf+0x548/0x600 [ 37.540095] Read of size 1 at addr fff00000c1bf0178 by task kunit_try_catch/185 [ 37.541081] [ 37.541851] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1 [ 37.543342] Tainted: [B]=BAD_PAGE, [N]=TEST [ 37.543934] Hardware name: linux,dummy-virt (DT) [ 37.544770] Call trace: [ 37.545177] show_stack+0x20/0x38 (C) [ 37.546005] dump_stack_lvl+0x8c/0xd0 [ 37.546768] print_report+0x118/0x5e0 [ 37.547368] kasan_report+0xc8/0x118 [ 37.548209] __asan_report_load1_noabort+0x20/0x30 [ 37.549038] ksize_uaf+0x548/0x600 [ 37.549749] kunit_try_run_case+0x14c/0x3d0 [ 37.550389] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.551274] kthread+0x24c/0x2d0 [ 37.551844] ret_from_fork+0x10/0x20 [ 37.552405] [ 37.552791] Allocated by task 185: [ 37.553350] kasan_save_stack+0x3c/0x68 [ 37.553943] kasan_save_track+0x20/0x40 [ 37.554508] kasan_save_alloc_info+0x40/0x58 [ 37.555170] __kasan_kmalloc+0xd4/0xd8 [ 37.555811] __kmalloc_cache_noprof+0x15c/0x3c8 [ 37.556383] ksize_uaf+0xb8/0x600 [ 37.556959] kunit_try_run_case+0x14c/0x3d0 [ 37.557541] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.558260] kthread+0x24c/0x2d0 [ 37.558840] ret_from_fork+0x10/0x20 [ 37.559455] [ 37.559784] Freed by task 185: [ 37.560275] kasan_save_stack+0x3c/0x68 [ 37.560937] kasan_save_track+0x20/0x40 [ 37.561531] kasan_save_free_info+0x4c/0x78 [ 37.562138] __kasan_slab_free+0x6c/0x98 [ 37.562773] kfree+0x114/0x3d0 [ 37.563314] ksize_uaf+0x11c/0x600 [ 37.563905] kunit_try_run_case+0x14c/0x3d0 [ 37.564531] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.565211] kthread+0x24c/0x2d0 [ 37.565646] ret_from_fork+0x10/0x20 [ 37.566181] [ 37.566527] The buggy address belongs to the object at fff00000c1bf0100 [ 37.566527] which belongs to the cache kmalloc-128 of size 128 [ 37.567670] The buggy address is located 120 bytes inside of [ 37.567670] freed 128-byte region [fff00000c1bf0100, fff00000c1bf0180) [ 37.568896] [ 37.569253] The buggy address belongs to the physical page: [ 37.569840] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101bf0 [ 37.570745] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 37.571461] page_type: f5(slab) [ 37.571906] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 37.572797] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 37.573472] page dumped because: kasan: bad access detected [ 37.574166] [ 37.574513] Memory state around the buggy address: [ 37.575085] fff00000c1bf0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.575897] fff00000c1bf0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 37.576711] >fff00000c1bf0100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.577502] ^ [ 37.578281] fff00000c1bf0180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 37.579049] fff00000c1bf0200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 37.579839] ================================================================== [ 37.496261] ================================================================== [ 37.497385] BUG: KASAN: slab-use-after-free in ksize_uaf+0x59c/0x600 [ 37.498171] Read of size 1 at addr fff00000c1bf0100 by task kunit_try_catch/185 [ 37.499071] [ 37.499504] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1 [ 37.500678] Tainted: [B]=BAD_PAGE, [N]=TEST [ 37.501242] Hardware name: linux,dummy-virt (DT) [ 37.501919] Call trace: [ 37.502346] show_stack+0x20/0x38 (C) [ 37.502990] dump_stack_lvl+0x8c/0xd0 [ 37.503623] print_report+0x118/0x5e0 [ 37.504184] kasan_report+0xc8/0x118 [ 37.504874] __asan_report_load1_noabort+0x20/0x30 [ 37.505555] ksize_uaf+0x59c/0x600 [ 37.506145] kunit_try_run_case+0x14c/0x3d0 [ 37.506809] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.507645] kthread+0x24c/0x2d0 [ 37.508201] ret_from_fork+0x10/0x20 [ 37.508827] [ 37.509157] Allocated by task 185: [ 37.509663] kasan_save_stack+0x3c/0x68 [ 37.510143] kasan_save_track+0x20/0x40 [ 37.510741] kasan_save_alloc_info+0x40/0x58 [ 37.511369] __kasan_kmalloc+0xd4/0xd8 [ 37.511969] __kmalloc_cache_noprof+0x15c/0x3c8 [ 37.512634] ksize_uaf+0xb8/0x600 [ 37.513099] kunit_try_run_case+0x14c/0x3d0 [ 37.513750] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.514435] kthread+0x24c/0x2d0 [ 37.514953] ret_from_fork+0x10/0x20 [ 37.515529] [ 37.515873] Freed by task 185: [ 37.516306] kasan_save_stack+0x3c/0x68 [ 37.516837] kasan_save_track+0x20/0x40 [ 37.517353] kasan_save_free_info+0x4c/0x78 [ 37.517978] __kasan_slab_free+0x6c/0x98 [ 37.518536] kfree+0x114/0x3d0 [ 37.518966] ksize_uaf+0x11c/0x600 [ 37.519514] kunit_try_run_case+0x14c/0x3d0 [ 37.520125] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 37.520713] kthread+0x24c/0x2d0 [ 37.521234] ret_from_fork+0x10/0x20 [ 37.521804] [ 37.522152] The buggy address belongs to the object at fff00000c1bf0100 [ 37.522152] which belongs to the cache kmalloc-128 of size 128 [ 37.523249] The buggy address is located 0 bytes inside of [ 37.523249] freed 128-byte region [fff00000c1bf0100, fff00000c1bf0180) [ 37.524581] [ 37.524996] The buggy address belongs to the physical page: [ 37.525731] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101bf0 [ 37.526479] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 37.527310] page_type: f5(slab) [ 37.527853] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 37.528803] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 37.529680] page dumped because: kasan: bad access detected [ 37.530256] [ 37.530570] Memory state around the buggy address: [ 37.531177] fff00000c1bf0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.532027] fff00000c1bf0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 37.532789] >fff00000c1bf0100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.533937] ^ [ 37.534496] fff00000c1bf0180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 37.535249] fff00000c1bf0200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 37.536194] ==================================================================
[ 28.992956] ================================================================== [ 28.994424] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19e/0x6c0 [ 28.995323] Read of size 1 at addr ffff8881029e4a00 by task kunit_try_catch/203 [ 28.996200] [ 28.997220] CPU: 1 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1 [ 28.998301] Tainted: [B]=BAD_PAGE, [N]=TEST [ 28.999110] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 29.000450] Call Trace: [ 29.000650] <TASK> [ 29.001123] dump_stack_lvl+0x73/0xb0 [ 29.002079] print_report+0xd1/0x640 [ 29.002970] ? __virt_addr_valid+0x1db/0x2d0 [ 29.003825] ? kasan_complete_mode_report_info+0x64/0x200 [ 29.004749] kasan_report+0x102/0x140 [ 29.005374] ? ksize_uaf+0x19e/0x6c0 [ 29.006418] ? ksize_uaf+0x19e/0x6c0 [ 29.006784] ? ksize_uaf+0x19e/0x6c0 [ 29.007406] __kasan_check_byte+0x3d/0x50 [ 29.008126] ksize+0x20/0x60 [ 29.008522] ksize_uaf+0x19e/0x6c0 [ 29.009464] ? __pfx_ksize_uaf+0x10/0x10 [ 29.009797] ? __schedule+0xc3e/0x2790 [ 29.010329] ? __pfx_read_tsc+0x10/0x10 [ 29.011331] ? ktime_get_ts64+0x84/0x230 [ 29.011621] kunit_try_run_case+0x1b3/0x490 [ 29.012391] ? __pfx_kunit_try_run_case+0x10/0x10 [ 29.013350] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 29.013946] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 29.014783] ? __kthread_parkme+0x82/0x160 [ 29.014981] ? preempt_count_sub+0x50/0x80 [ 29.015175] ? __pfx_kunit_try_run_case+0x10/0x10 [ 29.015384] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 29.015764] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 29.017237] kthread+0x257/0x310 [ 29.017506] ? __pfx_kthread+0x10/0x10 [ 29.018016] ret_from_fork+0x41/0x80 [ 29.018572] ? __pfx_kthread+0x10/0x10 [ 29.019085] ret_from_fork_asm+0x1a/0x30 [ 29.019921] </TASK> [ 29.020122] [ 29.020475] Allocated by task 203: [ 29.021161] kasan_save_stack+0x3d/0x60 [ 29.022007] kasan_save_track+0x18/0x40 [ 29.022830] kasan_save_alloc_info+0x3b/0x50 [ 29.023118] __kasan_kmalloc+0xb7/0xc0 [ 29.023788] __kmalloc_cache_noprof+0x184/0x410 [ 29.024652] ksize_uaf+0xab/0x6c0 [ 29.025296] kunit_try_run_case+0x1b3/0x490 [ 29.025705] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 29.026190] kthread+0x257/0x310 [ 29.026744] ret_from_fork+0x41/0x80 [ 29.027011] ret_from_fork_asm+0x1a/0x30 [ 29.027966] [ 29.028260] Freed by task 203: [ 29.029024] kasan_save_stack+0x3d/0x60 [ 29.029367] kasan_save_track+0x18/0x40 [ 29.029643] kasan_save_free_info+0x3f/0x60 [ 29.029923] __kasan_slab_free+0x56/0x70 [ 29.030172] kfree+0x123/0x3f0 [ 29.030380] ksize_uaf+0x12d/0x6c0 [ 29.030602] kunit_try_run_case+0x1b3/0x490 [ 29.031964] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 29.032286] kthread+0x257/0x310 [ 29.032502] ret_from_fork+0x41/0x80 [ 29.034198] ret_from_fork_asm+0x1a/0x30 [ 29.034492] [ 29.035525] The buggy address belongs to the object at ffff8881029e4a00 [ 29.035525] which belongs to the cache kmalloc-128 of size 128 [ 29.036306] The buggy address is located 0 bytes inside of [ 29.036306] freed 128-byte region [ffff8881029e4a00, ffff8881029e4a80) [ 29.036883] [ 29.037020] The buggy address belongs to the physical page: [ 29.037306] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029e4 [ 29.038869] flags: 0x200000000000000(node=0|zone=2) [ 29.039907] page_type: f5(slab) [ 29.040242] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 29.040622] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 29.041618] page dumped because: kasan: bad access detected [ 29.041949] [ 29.042095] Memory state around the buggy address: [ 29.042361] ffff8881029e4900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 29.043916] ffff8881029e4980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.045589] >ffff8881029e4a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.046511] ^ [ 29.046997] ffff8881029e4a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.047809] ffff8881029e4b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.048620] ================================================================== [ 29.106679] ================================================================== [ 29.107871] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e6/0x6c0 [ 29.109567] Read of size 1 at addr ffff8881029e4a78 by task kunit_try_catch/203 [ 29.110372] [ 29.110576] CPU: 1 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1 [ 29.111383] Tainted: [B]=BAD_PAGE, [N]=TEST [ 29.112845] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 29.113997] Call Trace: [ 29.114230] <TASK> [ 29.115136] dump_stack_lvl+0x73/0xb0 [ 29.115887] print_report+0xd1/0x640 [ 29.116631] ? __virt_addr_valid+0x1db/0x2d0 [ 29.117198] ? kasan_complete_mode_report_info+0x64/0x200 [ 29.118104] kasan_report+0x102/0x140 [ 29.118528] ? ksize_uaf+0x5e6/0x6c0 [ 29.119266] ? ksize_uaf+0x5e6/0x6c0 [ 29.119680] __asan_report_load1_noabort+0x18/0x20 [ 29.120457] ksize_uaf+0x5e6/0x6c0 [ 29.121082] ? __pfx_ksize_uaf+0x10/0x10 [ 29.121954] ? __schedule+0xc3e/0x2790 [ 29.122601] ? __pfx_read_tsc+0x10/0x10 [ 29.123467] ? ktime_get_ts64+0x84/0x230 [ 29.124218] kunit_try_run_case+0x1b3/0x490 [ 29.125124] ? __pfx_kunit_try_run_case+0x10/0x10 [ 29.125623] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 29.125952] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 29.126574] ? __kthread_parkme+0x82/0x160 [ 29.127519] ? preempt_count_sub+0x50/0x80 [ 29.128300] ? __pfx_kunit_try_run_case+0x10/0x10 [ 29.129603] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 29.130227] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 29.131086] kthread+0x257/0x310 [ 29.131600] ? __pfx_kthread+0x10/0x10 [ 29.132282] ret_from_fork+0x41/0x80 [ 29.133426] ? __pfx_kthread+0x10/0x10 [ 29.133798] ret_from_fork_asm+0x1a/0x30 [ 29.134274] </TASK> [ 29.134910] [ 29.135361] Allocated by task 203: [ 29.136037] kasan_save_stack+0x3d/0x60 [ 29.136509] kasan_save_track+0x18/0x40 [ 29.137748] kasan_save_alloc_info+0x3b/0x50 [ 29.138381] __kasan_kmalloc+0xb7/0xc0 [ 29.138736] __kmalloc_cache_noprof+0x184/0x410 [ 29.139771] ksize_uaf+0xab/0x6c0 [ 29.140100] kunit_try_run_case+0x1b3/0x490 [ 29.141124] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 29.141594] kthread+0x257/0x310 [ 29.142124] ret_from_fork+0x41/0x80 [ 29.142577] ret_from_fork_asm+0x1a/0x30 [ 29.143283] [ 29.143464] Freed by task 203: [ 29.143937] kasan_save_stack+0x3d/0x60 [ 29.144766] kasan_save_track+0x18/0x40 [ 29.145211] kasan_save_free_info+0x3f/0x60 [ 29.145654] __kasan_slab_free+0x56/0x70 [ 29.146200] kfree+0x123/0x3f0 [ 29.146739] ksize_uaf+0x12d/0x6c0 [ 29.147378] kunit_try_run_case+0x1b3/0x490 [ 29.147850] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 29.149025] kthread+0x257/0x310 [ 29.149309] ret_from_fork+0x41/0x80 [ 29.150224] ret_from_fork_asm+0x1a/0x30 [ 29.151522] [ 29.151796] The buggy address belongs to the object at ffff8881029e4a00 [ 29.151796] which belongs to the cache kmalloc-128 of size 128 [ 29.153844] The buggy address is located 120 bytes inside of [ 29.153844] freed 128-byte region [ffff8881029e4a00, ffff8881029e4a80) [ 29.155555] [ 29.156086] The buggy address belongs to the physical page: [ 29.156681] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029e4 [ 29.157738] flags: 0x200000000000000(node=0|zone=2) [ 29.158521] page_type: f5(slab) [ 29.159394] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 29.160411] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 29.161938] page dumped because: kasan: bad access detected [ 29.162437] [ 29.162633] Memory state around the buggy address: [ 29.163062] ffff8881029e4900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 29.163581] ffff8881029e4980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.165260] >ffff8881029e4a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.165927] ^ [ 29.167360] ffff8881029e4a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.168505] ffff8881029e4b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.169675] ================================================================== [ 29.052349] ================================================================== [ 29.052921] BUG: KASAN: slab-use-after-free in ksize_uaf+0x600/0x6c0 [ 29.053821] Read of size 1 at addr ffff8881029e4a00 by task kunit_try_catch/203 [ 29.054655] [ 29.054953] CPU: 1 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241120 #1 [ 29.056440] Tainted: [B]=BAD_PAGE, [N]=TEST [ 29.057012] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 29.057870] Call Trace: [ 29.058387] <TASK> [ 29.058708] dump_stack_lvl+0x73/0xb0 [ 29.059436] print_report+0xd1/0x640 [ 29.059840] ? __virt_addr_valid+0x1db/0x2d0 [ 29.060556] ? kasan_complete_mode_report_info+0x64/0x200 [ 29.061051] kasan_report+0x102/0x140 [ 29.061745] ? ksize_uaf+0x600/0x6c0 [ 29.062372] ? ksize_uaf+0x600/0x6c0 [ 29.062880] __asan_report_load1_noabort+0x18/0x20 [ 29.063716] ksize_uaf+0x600/0x6c0 [ 29.064021] ? __pfx_ksize_uaf+0x10/0x10 [ 29.064701] ? __schedule+0xc3e/0x2790 [ 29.065080] ? __pfx_read_tsc+0x10/0x10 [ 29.065761] ? ktime_get_ts64+0x84/0x230 [ 29.066371] kunit_try_run_case+0x1b3/0x490 [ 29.066952] ? __pfx_kunit_try_run_case+0x10/0x10 [ 29.067679] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 29.068217] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 29.068765] ? __kthread_parkme+0x82/0x160 [ 29.069071] ? preempt_count_sub+0x50/0x80 [ 29.069845] ? __pfx_kunit_try_run_case+0x10/0x10 [ 29.070462] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 29.071455] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 29.072240] kthread+0x257/0x310 [ 29.072664] ? __pfx_kthread+0x10/0x10 [ 29.073513] ret_from_fork+0x41/0x80 [ 29.073977] ? __pfx_kthread+0x10/0x10 [ 29.074583] ret_from_fork_asm+0x1a/0x30 [ 29.075379] </TASK> [ 29.075735] [ 29.076047] Allocated by task 203: [ 29.076658] kasan_save_stack+0x3d/0x60 [ 29.077269] kasan_save_track+0x18/0x40 [ 29.077718] kasan_save_alloc_info+0x3b/0x50 [ 29.078304] __kasan_kmalloc+0xb7/0xc0 [ 29.078856] __kmalloc_cache_noprof+0x184/0x410 [ 29.079651] ksize_uaf+0xab/0x6c0 [ 29.080045] kunit_try_run_case+0x1b3/0x490 [ 29.080553] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 29.081057] kthread+0x257/0x310 [ 29.081426] ret_from_fork+0x41/0x80 [ 29.082004] ret_from_fork_asm+0x1a/0x30 [ 29.082415] [ 29.082765] Freed by task 203: [ 29.083514] kasan_save_stack+0x3d/0x60 [ 29.084077] kasan_save_track+0x18/0x40 [ 29.084553] kasan_save_free_info+0x3f/0x60 [ 29.085271] __kasan_slab_free+0x56/0x70 [ 29.085810] kfree+0x123/0x3f0 [ 29.086380] ksize_uaf+0x12d/0x6c0 [ 29.086851] kunit_try_run_case+0x1b3/0x490 [ 29.087412] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 29.087947] kthread+0x257/0x310 [ 29.088741] ret_from_fork+0x41/0x80 [ 29.089059] ret_from_fork_asm+0x1a/0x30 [ 29.089770] [ 29.089988] The buggy address belongs to the object at ffff8881029e4a00 [ 29.089988] which belongs to the cache kmalloc-128 of size 128 [ 29.091397] The buggy address is located 0 bytes inside of [ 29.091397] freed 128-byte region [ffff8881029e4a00, ffff8881029e4a80) [ 29.093034] [ 29.093218] The buggy address belongs to the physical page: [ 29.093789] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029e4 [ 29.094570] flags: 0x200000000000000(node=0|zone=2) [ 29.095227] page_type: f5(slab) [ 29.095725] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 29.096858] raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 [ 29.097518] page dumped because: kasan: bad access detected [ 29.098185] [ 29.098522] Memory state around the buggy address: [ 29.099086] ffff8881029e4900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 29.099981] ffff8881029e4980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.101410] >ffff8881029e4a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 29.101988] ^ [ 29.102545] ffff8881029e4a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.103611] ffff8881029e4b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.104714] ==================================================================