Date
Nov. 26, 2024, 6:09 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
[ 31.188848] ==================================================================
[ 31.190241] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 31.190857] Read of size 16 at addr fff00000c599a840 by task kunit_try_catch/157
[ 31.191873]
[ 31.192352] CPU: 1 UID: 0 PID: 157 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 31.193779] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.194494] Hardware name: linux,dummy-virt (DT)
[ 31.195303] Call trace:
[ 31.195851] show_stack+0x20/0x38 (C)
[ 31.196713] dump_stack_lvl+0x8c/0xd0
[ 31.197575] print_report+0x118/0x5e0
[ 31.198538] kasan_report+0xc8/0x118
[ 31.199502] __asan_report_load16_noabort+0x20/0x30
[ 31.200643] kmalloc_uaf_16+0x3bc/0x438
[ 31.201383] kunit_try_run_case+0x14c/0x3d0
[ 31.201933] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.202624] kthread+0x24c/0x2d0
[ 31.203238] ret_from_fork+0x10/0x20
[ 31.203917]
[ 31.204375] Allocated by task 157:
[ 31.204850] kasan_save_stack+0x3c/0x68
[ 31.205484] kasan_save_track+0x20/0x40
[ 31.206061] kasan_save_alloc_info+0x40/0x58
[ 31.206711] __kasan_kmalloc+0xd4/0xd8
[ 31.207211] __kmalloc_cache_noprof+0x15c/0x3c8
[ 31.207888] kmalloc_uaf_16+0x140/0x438
[ 31.208489] kunit_try_run_case+0x14c/0x3d0
[ 31.209155] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.209826] kthread+0x24c/0x2d0
[ 31.211300] ret_from_fork+0x10/0x20
[ 31.211882]
[ 31.212309] Freed by task 157:
[ 31.212775] kasan_save_stack+0x3c/0x68
[ 31.213625] kasan_save_track+0x20/0x40
[ 31.214248] kasan_save_free_info+0x4c/0x78
[ 31.214820] __kasan_slab_free+0x6c/0x98
[ 31.215439] kfree+0x114/0x3d0
[ 31.215994] kmalloc_uaf_16+0x190/0x438
[ 31.216934] kunit_try_run_case+0x14c/0x3d0
[ 31.217447] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.218216] kthread+0x24c/0x2d0
[ 31.218668] ret_from_fork+0x10/0x20
[ 31.219275]
[ 31.219638] The buggy address belongs to the object at fff00000c599a840
[ 31.219638] which belongs to the cache kmalloc-16 of size 16
[ 31.221071] The buggy address is located 0 bytes inside of
[ 31.221071] freed 16-byte region [fff00000c599a840, fff00000c599a850)
[ 31.222297]
[ 31.222673] The buggy address belongs to the physical page:
[ 31.223403] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10599a
[ 31.224631] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.225420] page_type: f5(slab)
[ 31.226002] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 31.226965] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 31.227741] page dumped because: kasan: bad access detected
[ 31.228929]
[ 31.229196] Memory state around the buggy address:
[ 31.229611] fff00000c599a700: 00 02 fc fc 00 00 fc fc 00 07 fc fc 00 07 fc fc
[ 31.230213] fff00000c599a780: 00 00 fc fc 00 00 fc fc fa fb fc fc fa fb fc fc
[ 31.231124] >fff00000c599a800: fa fb fc fc 00 00 fc fc fa fb fc fc fc fc fc fc
[ 31.232006] ^
[ 31.232769] fff00000c599a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.233703] fff00000c599a900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.234387] ==================================================================
[ 31.607469] ==================================================================
[ 31.608981] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[ 31.610314] Read of size 1 at addr fff00000c599a868 by task kunit_try_catch/173
[ 31.611241]
[ 31.613090] CPU: 1 UID: 0 PID: 173 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 31.614396] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.615146] Hardware name: linux,dummy-virt (DT)
[ 31.615983] Call trace:
[ 31.616728] show_stack+0x20/0x38 (C)
[ 31.617344] dump_stack_lvl+0x8c/0xd0
[ 31.618001] print_report+0x118/0x5e0
[ 31.618544] kasan_report+0xc8/0x118
[ 31.619224] __asan_report_load1_noabort+0x20/0x30
[ 31.619978] kmalloc_uaf+0x300/0x338
[ 31.620593] kunit_try_run_case+0x14c/0x3d0
[ 31.621568] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.622307] kthread+0x24c/0x2d0
[ 31.622945] ret_from_fork+0x10/0x20
[ 31.623562]
[ 31.623958] Allocated by task 173:
[ 31.624662] kasan_save_stack+0x3c/0x68
[ 31.625308] kasan_save_track+0x20/0x40
[ 31.625969] kasan_save_alloc_info+0x40/0x58
[ 31.626632] __kasan_kmalloc+0xd4/0xd8
[ 31.627275] __kmalloc_cache_noprof+0x15c/0x3c8
[ 31.628008] kmalloc_uaf+0xb8/0x338
[ 31.628779] kunit_try_run_case+0x14c/0x3d0
[ 31.629467] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.629996] kthread+0x24c/0x2d0
[ 31.630539] ret_from_fork+0x10/0x20
[ 31.631592]
[ 31.632001] Freed by task 173:
[ 31.632683] kasan_save_stack+0x3c/0x68
[ 31.633426] kasan_save_track+0x20/0x40
[ 31.634130] kasan_save_free_info+0x4c/0x78
[ 31.634736] __kasan_slab_free+0x6c/0x98
[ 31.635324] kfree+0x114/0x3d0
[ 31.635851] kmalloc_uaf+0x11c/0x338
[ 31.636708] kunit_try_run_case+0x14c/0x3d0
[ 31.637393] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.638110] kthread+0x24c/0x2d0
[ 31.638701] ret_from_fork+0x10/0x20
[ 31.639247]
[ 31.639610] The buggy address belongs to the object at fff00000c599a860
[ 31.639610] which belongs to the cache kmalloc-16 of size 16
[ 31.641092] The buggy address is located 8 bytes inside of
[ 31.641092] freed 16-byte region [fff00000c599a860, fff00000c599a870)
[ 31.642388]
[ 31.642732] The buggy address belongs to the physical page:
[ 31.643658] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10599a
[ 31.645076] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.646043] page_type: f5(slab)
[ 31.646740] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 31.647588] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 31.648413] page dumped because: kasan: bad access detected
[ 31.649542]
[ 31.649891] Memory state around the buggy address:
[ 31.650860] fff00000c599a700: 00 02 fc fc 00 00 fc fc 00 07 fc fc 00 07 fc fc
[ 31.651734] fff00000c599a780: 00 00 fc fc 00 00 fc fc fa fb fc fc fa fb fc fc
[ 31.652351] >fff00000c599a800: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 31.653403] ^
[ 31.654087] fff00000c599a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.654885] fff00000c599a900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.655859] ==================================================================
[ 31.727199] ==================================================================
[ 31.728209] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[ 31.729370] Read of size 1 at addr fff00000c6499728 by task kunit_try_catch/177
[ 31.730192]
[ 31.730593] CPU: 1 UID: 0 PID: 177 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 31.731555] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.732139] Hardware name: linux,dummy-virt (DT)
[ 31.733174] Call trace:
[ 31.733662] show_stack+0x20/0x38 (C)
[ 31.734348] dump_stack_lvl+0x8c/0xd0
[ 31.735038] print_report+0x118/0x5e0
[ 31.735698] kasan_report+0xc8/0x118
[ 31.736655] __asan_report_load1_noabort+0x20/0x30
[ 31.737318] kmalloc_uaf2+0x3f4/0x468
[ 31.737980] kunit_try_run_case+0x14c/0x3d0
[ 31.738664] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.739412] kthread+0x24c/0x2d0
[ 31.739969] ret_from_fork+0x10/0x20
[ 31.740932]
[ 31.741320] Allocated by task 177:
[ 31.741866] kasan_save_stack+0x3c/0x68
[ 31.742469] kasan_save_track+0x20/0x40
[ 31.743102] kasan_save_alloc_info+0x40/0x58
[ 31.743706] __kasan_kmalloc+0xd4/0xd8
[ 31.744687] __kmalloc_cache_noprof+0x15c/0x3c8
[ 31.745393] kmalloc_uaf2+0xc4/0x468
[ 31.746022] kunit_try_run_case+0x14c/0x3d0
[ 31.746720] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.747353] kthread+0x24c/0x2d0
[ 31.747958] ret_from_fork+0x10/0x20
[ 31.749429]
[ 31.750041] Freed by task 177:
[ 31.750503] kasan_save_stack+0x3c/0x68
[ 31.751168] kasan_save_track+0x20/0x40
[ 31.751703] kasan_save_free_info+0x4c/0x78
[ 31.752772] __kasan_slab_free+0x6c/0x98
[ 31.753500] kfree+0x114/0x3d0
[ 31.754098] kmalloc_uaf2+0x134/0x468
[ 31.754702] kunit_try_run_case+0x14c/0x3d0
[ 31.755307] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.756122] kthread+0x24c/0x2d0
[ 31.756999] ret_from_fork+0x10/0x20
[ 31.757585]
[ 31.757926] The buggy address belongs to the object at fff00000c6499700
[ 31.757926] which belongs to the cache kmalloc-64 of size 64
[ 31.759011] The buggy address is located 40 bytes inside of
[ 31.759011] freed 64-byte region [fff00000c6499700, fff00000c6499740)
[ 31.760580]
[ 31.760969] The buggy address belongs to the physical page:
[ 31.761608] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106499
[ 31.762518] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.763451] page_type: f5(slab)
[ 31.763929] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 31.765098] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[ 31.765985] page dumped because: kasan: bad access detected
[ 31.766717]
[ 31.767093] Memory state around the buggy address:
[ 31.767592] fff00000c6499600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 31.769081] fff00000c6499680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 31.769703] >fff00000c6499700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 31.770602] ^
[ 31.771461] fff00000c6499780: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 31.772390] fff00000c6499800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.773466] ==================================================================
[ 31.161585] ==================================================================
[ 31.163316] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 31.164010] Read of size 16 at addr fff00000c5e08280 by task kunit_try_catch/157
[ 31.165087]
[ 31.165559] CPU: 1 UID: 0 PID: 157 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 31.167652] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.168376] Hardware name: linux,dummy-virt (DT)
[ 31.169039] Call trace:
[ 31.169514] show_stack+0x20/0x38 (C)
[ 31.170593] dump_stack_lvl+0x8c/0xd0
[ 31.171107] print_report+0x118/0x5e0
[ 31.171740] kasan_report+0xc8/0x118
[ 31.172323] __asan_report_load16_noabort+0x20/0x30
[ 31.173003] kmalloc_uaf_16+0x3bc/0x438
[ 31.173844] kunit_try_run_case+0x14c/0x3d0
[ 31.174477] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.175162] kthread+0x24c/0x2d0
[ 31.175971] ret_from_fork+0x10/0x20
[ 31.176516]
[ 31.176899] Allocated by task 157:
[ 31.177449] kasan_save_stack+0x3c/0x68
[ 31.178441] kasan_save_track+0x20/0x40
[ 31.179068] kasan_save_alloc_info+0x40/0x58
[ 31.179676] __kasan_kmalloc+0xd4/0xd8
[ 31.180200] __kmalloc_cache_noprof+0x15c/0x3c8
[ 31.180863] kmalloc_uaf_16+0x140/0x438
[ 31.181434] kunit_try_run_case+0x14c/0x3d0
[ 31.183053] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.183774] kthread+0x24c/0x2d0
[ 31.184300] ret_from_fork+0x10/0x20
[ 31.185058]
[ 31.185427] Freed by task 157:
[ 31.186443] kasan_save_stack+0x3c/0x68
[ 31.187042] kasan_save_track+0x20/0x40
[ 31.187667] kasan_save_free_info+0x4c/0x78
[ 31.188285] __kasan_slab_free+0x6c/0x98
[ 31.188852] kfree+0x114/0x3d0
[ 31.189374] kmalloc_uaf_16+0x190/0x438
[ 31.190434] kunit_try_run_case+0x14c/0x3d0
[ 31.190997] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.191784] kthread+0x24c/0x2d0
[ 31.192332] ret_from_fork+0x10/0x20
[ 31.192884]
[ 31.193248] The buggy address belongs to the object at fff00000c5e08280
[ 31.193248] which belongs to the cache kmalloc-16 of size 16
[ 31.194938] The buggy address is located 0 bytes inside of
[ 31.194938] freed 16-byte region [fff00000c5e08280, fff00000c5e08290)
[ 31.196137]
[ 31.196485] The buggy address belongs to the physical page:
[ 31.197244] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105e08
[ 31.198450] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.199356] page_type: f5(slab)
[ 31.199932] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 31.200845] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 31.202307] page dumped because: kasan: bad access detected
[ 31.203193]
[ 31.203817] Memory state around the buggy address:
[ 31.204634] fff00000c5e08180: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 31.205548] fff00000c5e08200: fa fb fc fc fa fb fc fc fa fb fc fc 00 00 fc fc
[ 31.206558] >fff00000c5e08280: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.207399] ^
[ 31.207950] fff00000c5e08300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.208786] fff00000c5e08380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.210049] ==================================================================
[ 31.706742] ==================================================================
[ 31.707947] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[ 31.708747] Read of size 1 at addr fff00000c6597128 by task kunit_try_catch/177
[ 31.709357]
[ 31.710424] CPU: 1 UID: 0 PID: 177 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 31.711745] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.712331] Hardware name: linux,dummy-virt (DT)
[ 31.712980] Call trace:
[ 31.713409] show_stack+0x20/0x38 (C)
[ 31.714358] dump_stack_lvl+0x8c/0xd0
[ 31.714971] print_report+0x118/0x5e0
[ 31.715601] kasan_report+0xc8/0x118
[ 31.716194] __asan_report_load1_noabort+0x20/0x30
[ 31.716944] kmalloc_uaf2+0x3f4/0x468
[ 31.717865] kunit_try_run_case+0x14c/0x3d0
[ 31.718574] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.719363] kthread+0x24c/0x2d0
[ 31.719972] ret_from_fork+0x10/0x20
[ 31.720568]
[ 31.720971] Allocated by task 177:
[ 31.721874] kasan_save_stack+0x3c/0x68
[ 31.722543] kasan_save_track+0x20/0x40
[ 31.723125] kasan_save_alloc_info+0x40/0x58
[ 31.723826] __kasan_kmalloc+0xd4/0xd8
[ 31.724405] __kmalloc_cache_noprof+0x15c/0x3c8
[ 31.725148] kmalloc_uaf2+0xc4/0x468
[ 31.725939] kunit_try_run_case+0x14c/0x3d0
[ 31.726521] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.727342] kthread+0x24c/0x2d0
[ 31.727933] ret_from_fork+0x10/0x20
[ 31.728599]
[ 31.728990] Freed by task 177:
[ 31.730418] kasan_save_stack+0x3c/0x68
[ 31.731040] kasan_save_track+0x20/0x40
[ 31.731492] kasan_save_free_info+0x4c/0x78
[ 31.732062] __kasan_slab_free+0x6c/0x98
[ 31.732728] kfree+0x114/0x3d0
[ 31.733205] kmalloc_uaf2+0x134/0x468
[ 31.733863] kunit_try_run_case+0x14c/0x3d0
[ 31.734458] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.735520] kthread+0x24c/0x2d0
[ 31.736015] ret_from_fork+0x10/0x20
[ 31.736651]
[ 31.737026] The buggy address belongs to the object at fff00000c6597100
[ 31.737026] which belongs to the cache kmalloc-64 of size 64
[ 31.738469] The buggy address is located 40 bytes inside of
[ 31.738469] freed 64-byte region [fff00000c6597100, fff00000c6597140)
[ 31.739806]
[ 31.740176] The buggy address belongs to the physical page:
[ 31.740754] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106597
[ 31.742074] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.742816] page_type: f5(slab)
[ 31.743375] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 31.744360] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[ 31.745283] page dumped because: kasan: bad access detected
[ 31.746276]
[ 31.746664] Memory state around the buggy address:
[ 31.747167] fff00000c6597000: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 31.748107] fff00000c6597080: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 31.748863] >fff00000c6597100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 31.750277] ^
[ 31.751308] fff00000c6597180: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 31.752055] fff00000c6597200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.752823] ==================================================================
[ 31.584451] ==================================================================
[ 31.585652] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[ 31.586865] Read of size 1 at addr fff00000c56f3808 by task kunit_try_catch/173
[ 31.587630]
[ 31.588049] CPU: 0 UID: 0 PID: 173 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 31.590446] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.591043] Hardware name: linux,dummy-virt (DT)
[ 31.591763] Call trace:
[ 31.592281] show_stack+0x20/0x38 (C)
[ 31.592882] dump_stack_lvl+0x8c/0xd0
[ 31.593565] print_report+0x118/0x5e0
[ 31.594214] kasan_report+0xc8/0x118
[ 31.595259] __asan_report_load1_noabort+0x20/0x30
[ 31.596432] kmalloc_uaf+0x300/0x338
[ 31.597001] kunit_try_run_case+0x14c/0x3d0
[ 31.598060] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.598780] kthread+0x24c/0x2d0
[ 31.599291] ret_from_fork+0x10/0x20
[ 31.600086]
[ 31.600494] Allocated by task 173:
[ 31.601084] kasan_save_stack+0x3c/0x68
[ 31.601723] kasan_save_track+0x20/0x40
[ 31.602201] kasan_save_alloc_info+0x40/0x58
[ 31.603699] __kasan_kmalloc+0xd4/0xd8
[ 31.604378] __kmalloc_cache_noprof+0x15c/0x3c8
[ 31.605026] kmalloc_uaf+0xb8/0x338
[ 31.605634] kunit_try_run_case+0x14c/0x3d0
[ 31.606542] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.607540] kthread+0x24c/0x2d0
[ 31.608111] ret_from_fork+0x10/0x20
[ 31.608708]
[ 31.609137] Freed by task 173:
[ 31.610041] kasan_save_stack+0x3c/0x68
[ 31.611115] kasan_save_track+0x20/0x40
[ 31.611810] kasan_save_free_info+0x4c/0x78
[ 31.612444] __kasan_slab_free+0x6c/0x98
[ 31.613087] kfree+0x114/0x3d0
[ 31.614121] kmalloc_uaf+0x11c/0x338
[ 31.614746] kunit_try_run_case+0x14c/0x3d0
[ 31.615446] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.616179] kthread+0x24c/0x2d0
[ 31.616820] ret_from_fork+0x10/0x20
[ 31.617444]
[ 31.617873] The buggy address belongs to the object at fff00000c56f3800
[ 31.617873] which belongs to the cache kmalloc-16 of size 16
[ 31.619118] The buggy address is located 8 bytes inside of
[ 31.619118] freed 16-byte region [fff00000c56f3800, fff00000c56f3810)
[ 31.620573]
[ 31.621790] The buggy address belongs to the physical page:
[ 31.622451] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1056f3
[ 31.623879] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.624242] page_type: f5(slab)
[ 31.624503] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 31.625970] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 31.627112] page dumped because: kasan: bad access detected
[ 31.627861]
[ 31.628224] Memory state around the buggy address:
[ 31.628874] fff00000c56f3700: fa fb fc fc 00 02 fc fc fa fb fc fc fa fb fc fc
[ 31.629653] fff00000c56f3780: fa fb fc fc fa fb fc fc fa fb fc fc 00 04 fc fc
[ 31.630871] >fff00000c56f3800: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.631621] ^
[ 31.632235] fff00000c56f3880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.633035] fff00000c56f3900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.634000] ==================================================================
[ 25.317984] ==================================================================
[ 25.318460] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47d/0x4c0
[ 25.318460] Read of size 16 at addr ffff888101a468a0 by task kunit_try_catch/177
[ 25.318460]
[ 25.318460] CPU: 0 UID: 0 PID: 177 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 25.318460] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.318460] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.318460] Call Trace:
[ 25.318460] <TASK>
[ 25.318460] dump_stack_lvl+0x73/0xb0
[ 25.318460] print_report+0xd1/0x640
[ 25.318460] ? __virt_addr_valid+0x1db/0x2d0
[ 25.318460] ? kasan_complete_mode_report_info+0x64/0x200
[ 25.318460] kasan_report+0x102/0x140
[ 25.318460] ? kmalloc_uaf_16+0x47d/0x4c0
[ 25.318460] ? kmalloc_uaf_16+0x47d/0x4c0
[ 25.318460] __asan_report_load16_noabort+0x18/0x20
[ 25.318460] kmalloc_uaf_16+0x47d/0x4c0
[ 25.318460] ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 25.318460] ? __schedule+0xc3e/0x2790
[ 25.318460] ? ktime_get_ts64+0x84/0x230
[ 25.318460] kunit_try_run_case+0x1b3/0x490
[ 25.318460] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.318460] ? _raw_spin_lock_irqsave+0xa2/0x110
[ 25.318460] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.318460] ? __kthread_parkme+0x82/0x160
[ 25.318460] ? preempt_count_sub+0x50/0x80
[ 25.318460] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.318460] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.318460] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.318460] kthread+0x257/0x310
[ 25.318460] ? __pfx_kthread+0x10/0x10
[ 25.318460] ret_from_fork+0x41/0x80
[ 25.318460] ? __pfx_kthread+0x10/0x10
[ 25.318460] ret_from_fork_asm+0x1a/0x30
[ 25.318460] </TASK>
[ 25.318460]
[ 25.318460] Allocated by task 177:
[ 25.318460] kasan_save_stack+0x3d/0x60
[ 25.318460] kasan_save_track+0x18/0x40
[ 25.318460] kasan_save_alloc_info+0x3b/0x50
[ 25.318460] __kasan_kmalloc+0xb7/0xc0
[ 25.318460] __kmalloc_cache_noprof+0x184/0x410
[ 25.318460] kmalloc_uaf_16+0x15c/0x4c0
[ 25.318460] kunit_try_run_case+0x1b3/0x490
[ 25.318460] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.318460] kthread+0x257/0x310
[ 25.318460] ret_from_fork+0x41/0x80
[ 25.318460] ret_from_fork_asm+0x1a/0x30
[ 25.318460]
[ 25.318460] Freed by task 177:
[ 25.318460] kasan_save_stack+0x3d/0x60
[ 25.318460] kasan_save_track+0x18/0x40
[ 25.318460] kasan_save_free_info+0x3f/0x60
[ 25.318460] __kasan_slab_free+0x56/0x70
[ 25.318460] kfree+0x123/0x3f0
[ 25.318460] kmalloc_uaf_16+0x1d7/0x4c0
[ 25.318460] kunit_try_run_case+0x1b3/0x490
[ 25.318460] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.318460] kthread+0x257/0x310
[ 25.318460] ret_from_fork+0x41/0x80
[ 25.318460] ret_from_fork_asm+0x1a/0x30
[ 25.318460]
[ 25.318460] The buggy address belongs to the object at ffff888101a468a0
[ 25.318460] which belongs to the cache kmalloc-16 of size 16
[ 25.318460] The buggy address is located 0 bytes inside of
[ 25.318460] freed 16-byte region [ffff888101a468a0, ffff888101a468b0)
[ 25.318460]
[ 25.318460] The buggy address belongs to the physical page:
[ 25.318460] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101a46
[ 25.318460] flags: 0x200000000000000(node=0|zone=2)
[ 25.318460] page_type: f5(slab)
[ 25.318460] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 25.318460] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 25.318460] page dumped because: kasan: bad access detected
[ 25.318460]
[ 25.318460] Memory state around the buggy address:
[ 25.318460] ffff888101a46780: 00 05 fc fc 00 05 fc fc 00 02 fc fc fa fb fc fc
[ 25.318460] ffff888101a46800: 00 05 fc fc fa fb fc fc 00 04 fc fc fa fb fc fc
[ 25.318460] >ffff888101a46880: 00 00 fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[ 25.318460] ^
[ 25.318460] ffff888101a46900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.318460] ffff888101a46980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.318460] ==================================================================
[ 25.864291] ==================================================================
[ 25.865156] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4aa/0x520
[ 25.865156] Read of size 1 at addr ffff88810293d128 by task kunit_try_catch/197
[ 25.865156]
[ 25.865156] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 25.865156] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.865156] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.865156] Call Trace:
[ 25.865156] <TASK>
[ 25.865156] dump_stack_lvl+0x73/0xb0
[ 25.865156] print_report+0xd1/0x640
[ 25.865156] ? __virt_addr_valid+0x1db/0x2d0
[ 25.865156] ? kasan_complete_mode_report_info+0x64/0x200
[ 25.865156] kasan_report+0x102/0x140
[ 25.865156] ? kmalloc_uaf2+0x4aa/0x520
[ 25.865156] ? kmalloc_uaf2+0x4aa/0x520
[ 25.865156] __asan_report_load1_noabort+0x18/0x20
[ 25.865156] kmalloc_uaf2+0x4aa/0x520
[ 25.865156] ? __pfx_kmalloc_uaf2+0x10/0x10
[ 25.865156] ? __switch_to+0x5d9/0xf60
[ 25.865156] ? __schedule+0xc3e/0x2790
[ 25.865156] ? ktime_get_ts64+0x84/0x230
[ 25.865156] kunit_try_run_case+0x1b3/0x490
[ 25.865156] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.865156] ? _raw_spin_lock_irqsave+0xa2/0x110
[ 25.865156] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.865156] ? __kthread_parkme+0x82/0x160
[ 25.865156] ? preempt_count_sub+0x50/0x80
[ 25.865156] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.865156] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.865156] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.865156] kthread+0x257/0x310
[ 25.865156] ? __pfx_kthread+0x10/0x10
[ 25.865156] ret_from_fork+0x41/0x80
[ 25.865156] ? __pfx_kthread+0x10/0x10
[ 25.865156] ret_from_fork_asm+0x1a/0x30
[ 25.865156] </TASK>
[ 25.865156]
[ 25.865156] Allocated by task 197:
[ 25.865156] kasan_save_stack+0x3d/0x60
[ 25.865156] kasan_save_track+0x18/0x40
[ 25.865156] kasan_save_alloc_info+0x3b/0x50
[ 25.865156] __kasan_kmalloc+0xb7/0xc0
[ 25.865156] __kmalloc_cache_noprof+0x184/0x410
[ 25.865156] kmalloc_uaf2+0xc7/0x520
[ 25.865156] kunit_try_run_case+0x1b3/0x490
[ 25.865156] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.865156] kthread+0x257/0x310
[ 25.865156] ret_from_fork+0x41/0x80
[ 25.865156] ret_from_fork_asm+0x1a/0x30
[ 25.865156]
[ 25.865156] Freed by task 197:
[ 25.865156] kasan_save_stack+0x3d/0x60
[ 25.865156] kasan_save_track+0x18/0x40
[ 25.865156] kasan_save_free_info+0x3f/0x60
[ 25.865156] __kasan_slab_free+0x56/0x70
[ 25.865156] kfree+0x123/0x3f0
[ 25.865156] kmalloc_uaf2+0x14d/0x520
[ 25.865156] kunit_try_run_case+0x1b3/0x490
[ 25.865156] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.865156] kthread+0x257/0x310
[ 25.865156] ret_from_fork+0x41/0x80
[ 25.865156] ret_from_fork_asm+0x1a/0x30
[ 25.865156]
[ 25.865156] The buggy address belongs to the object at ffff88810293d100
[ 25.865156] which belongs to the cache kmalloc-64 of size 64
[ 25.865156] The buggy address is located 40 bytes inside of
[ 25.865156] freed 64-byte region [ffff88810293d100, ffff88810293d140)
[ 25.865156]
[ 25.865156] The buggy address belongs to the physical page:
[ 25.865156] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10293d
[ 25.865156] flags: 0x200000000000000(node=0|zone=2)
[ 25.865156] page_type: f5(slab)
[ 25.865156] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 25.865156] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[ 25.865156] page dumped because: kasan: bad access detected
[ 25.865156]
[ 25.865156] Memory state around the buggy address:
[ 25.865156] ffff88810293d000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.865156] ffff88810293d080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.865156] >ffff88810293d100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.865156] ^
[ 25.865156] ffff88810293d180: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 25.865156] ffff88810293d200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.865156] ==================================================================
[ 25.741635] ==================================================================
[ 25.742294] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x322/0x380
[ 25.742294] Read of size 1 at addr ffff888101a468c8 by task kunit_try_catch/193
[ 25.742294]
[ 25.742294] CPU: 0 UID: 0 PID: 193 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 25.742294] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.742294] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.742294] Call Trace:
[ 25.742294] <TASK>
[ 25.742294] dump_stack_lvl+0x73/0xb0
[ 25.742294] print_report+0xd1/0x640
[ 25.742294] ? __virt_addr_valid+0x1db/0x2d0
[ 25.742294] ? kasan_complete_mode_report_info+0x64/0x200
[ 25.742294] kasan_report+0x102/0x140
[ 25.742294] ? kmalloc_uaf+0x322/0x380
[ 25.742294] ? kmalloc_uaf+0x322/0x380
[ 25.742294] __asan_report_load1_noabort+0x18/0x20
[ 25.742294] kmalloc_uaf+0x322/0x380
[ 25.742294] ? __pfx_kmalloc_uaf+0x10/0x10
[ 25.742294] ? __pfx_kmalloc_uaf+0x10/0x10
[ 25.742294] kunit_try_run_case+0x1b3/0x490
[ 25.742294] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.742294] ? _raw_spin_lock_irqsave+0xa2/0x110
[ 25.742294] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.742294] ? __kthread_parkme+0x82/0x160
[ 25.742294] ? preempt_count_sub+0x50/0x80
[ 25.742294] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.742294] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.742294] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.742294] kthread+0x257/0x310
[ 25.742294] ? __pfx_kthread+0x10/0x10
[ 25.742294] ret_from_fork+0x41/0x80
[ 25.742294] ? __pfx_kthread+0x10/0x10
[ 25.742294] ret_from_fork_asm+0x1a/0x30
[ 25.742294] </TASK>
[ 25.742294]
[ 25.742294] Allocated by task 193:
[ 25.742294] kasan_save_stack+0x3d/0x60
[ 25.742294] kasan_save_track+0x18/0x40
[ 25.742294] kasan_save_alloc_info+0x3b/0x50
[ 25.742294] __kasan_kmalloc+0xb7/0xc0
[ 25.742294] __kmalloc_cache_noprof+0x184/0x410
[ 25.742294] kmalloc_uaf+0xab/0x380
[ 25.742294] kunit_try_run_case+0x1b3/0x490
[ 25.742294] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.742294] kthread+0x257/0x310
[ 25.742294] ret_from_fork+0x41/0x80
[ 25.742294] ret_from_fork_asm+0x1a/0x30
[ 25.742294]
[ 25.742294] Freed by task 193:
[ 25.742294] kasan_save_stack+0x3d/0x60
[ 25.742294] kasan_save_track+0x18/0x40
[ 25.742294] kasan_save_free_info+0x3f/0x60
[ 25.742294] __kasan_slab_free+0x56/0x70
[ 25.742294] kfree+0x123/0x3f0
[ 25.742294] kmalloc_uaf+0x12d/0x380
[ 25.742294] kunit_try_run_case+0x1b3/0x490
[ 25.742294] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.742294] kthread+0x257/0x310
[ 25.742294] ret_from_fork+0x41/0x80
[ 25.742294] ret_from_fork_asm+0x1a/0x30
[ 25.742294]
[ 25.742294] The buggy address belongs to the object at ffff888101a468c0
[ 25.742294] which belongs to the cache kmalloc-16 of size 16
[ 25.742294] The buggy address is located 8 bytes inside of
[ 25.742294] freed 16-byte region [ffff888101a468c0, ffff888101a468d0)
[ 25.742294]
[ 25.742294] The buggy address belongs to the physical page:
[ 25.742294] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101a46
[ 25.742294] flags: 0x200000000000000(node=0|zone=2)
[ 25.742294] page_type: f5(slab)
[ 25.742294] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 25.742294] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 25.742294] page dumped because: kasan: bad access detected
[ 25.742294]
[ 25.742294] Memory state around the buggy address:
[ 25.742294] ffff888101a46780: 00 05 fc fc 00 05 fc fc 00 02 fc fc fa fb fc fc
[ 25.742294] ffff888101a46800: 00 05 fc fc fa fb fc fc 00 04 fc fc fa fb fc fc
[ 25.742294] >ffff888101a46880: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc
[ 25.742294] ^
[ 25.742294] ffff888101a46900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.742294] ffff888101a46980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.742294] ==================================================================
[ 20.879651] ==================================================================
[ 20.880737] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4aa/0x520
[ 20.881425] Read of size 1 at addr ffff88810295cfa8 by task kunit_try_catch/195
[ 20.881798]
[ 20.881985] CPU: 1 UID: 0 PID: 195 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 20.882945] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 20.883791] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 20.884571] Call Trace:
[ 20.884780] <TASK>
[ 20.884978] dump_stack_lvl+0x73/0xb0
[ 20.885629] print_report+0xd1/0x640
[ 20.886434] ? __virt_addr_valid+0x1db/0x2d0
[ 20.886906] ? kasan_complete_mode_report_info+0x64/0x200
[ 20.888355] kasan_report+0x102/0x140
[ 20.888959] ? kmalloc_uaf2+0x4aa/0x520
[ 20.889611] ? kmalloc_uaf2+0x4aa/0x520
[ 20.890286] __asan_report_load1_noabort+0x18/0x20
[ 20.890987] kmalloc_uaf2+0x4aa/0x520
[ 20.891798] ? __pfx_kmalloc_uaf2+0x10/0x10
[ 20.892366] ? irqentry_exit+0x2a/0x60
[ 20.892916] ? sysvec_apic_timer_interrupt+0x50/0x90
[ 20.893504] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 20.894220] ? __pfx_kunit_try_run_case+0x10/0x10
[ 20.895051] ? __pfx_read_tsc+0x10/0x10
[ 20.895394] ? ktime_get_ts64+0x84/0x230
[ 20.895829] kunit_try_run_case+0x1b3/0x490
[ 20.896261] ? __pfx_kunit_try_run_case+0x10/0x10
[ 20.897438] ? _raw_spin_lock_irqsave+0xa2/0x110
[ 20.897848] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 20.898986] ? __kthread_parkme+0x82/0x160
[ 20.899684] ? preempt_count_sub+0x50/0x80
[ 20.900397] ? __pfx_kunit_try_run_case+0x10/0x10
[ 20.901269] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 20.901797] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.902187] kthread+0x257/0x310
[ 20.902892] ? __pfx_kthread+0x10/0x10
[ 20.903317] ret_from_fork+0x41/0x80
[ 20.903870] ? __pfx_kthread+0x10/0x10
[ 20.904195] ret_from_fork_asm+0x1a/0x30
[ 20.904600] </TASK>
[ 20.904885]
[ 20.905107] Allocated by task 195:
[ 20.905473] kasan_save_stack+0x3d/0x60
[ 20.906418] kasan_save_track+0x18/0x40
[ 20.906856] kasan_save_alloc_info+0x3b/0x50
[ 20.907672] __kasan_kmalloc+0xb7/0xc0
[ 20.908002] __kmalloc_cache_noprof+0x184/0x410
[ 20.908590] kmalloc_uaf2+0xc7/0x520
[ 20.909424] kunit_try_run_case+0x1b3/0x490
[ 20.909930] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.910275] kthread+0x257/0x310
[ 20.910640] ret_from_fork+0x41/0x80
[ 20.911868] ret_from_fork_asm+0x1a/0x30
[ 20.912455]
[ 20.912701] Freed by task 195:
[ 20.913116] kasan_save_stack+0x3d/0x60
[ 20.913553] kasan_save_track+0x18/0x40
[ 20.914288] kasan_save_free_info+0x3f/0x60
[ 20.915134] __kasan_slab_free+0x56/0x70
[ 20.915661] kfree+0x123/0x3f0
[ 20.915904] kmalloc_uaf2+0x14d/0x520
[ 20.916157] kunit_try_run_case+0x1b3/0x490
[ 20.916654] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.917635] kthread+0x257/0x310
[ 20.918127] ret_from_fork+0x41/0x80
[ 20.919161] ret_from_fork_asm+0x1a/0x30
[ 20.919739]
[ 20.920068] The buggy address belongs to the object at ffff88810295cf80
[ 20.920068] which belongs to the cache kmalloc-64 of size 64
[ 20.921593] The buggy address is located 40 bytes inside of
[ 20.921593] freed 64-byte region [ffff88810295cf80, ffff88810295cfc0)
[ 20.922388]
[ 20.922752] The buggy address belongs to the physical page:
[ 20.923399] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10295c
[ 20.924337] flags: 0x200000000000000(node=0|zone=2)
[ 20.925650] page_type: f5(slab)
[ 20.925933] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 20.926710] raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000
[ 20.927093] page dumped because: kasan: bad access detected
[ 20.927434]
[ 20.928161] Memory state around the buggy address:
[ 20.928994] ffff88810295ce80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 20.929759] ffff88810295cf00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 20.930383] >ffff88810295cf80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 20.931344] ^
[ 20.931844] ffff88810295d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 20.932575] ffff88810295d080: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 20.933400] ==================================================================
[ 20.776677] ==================================================================
[ 20.777809] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x322/0x380
[ 20.778382] Read of size 1 at addr ffff8881011ae2c8 by task kunit_try_catch/191
[ 20.778839]
[ 20.779097] CPU: 1 UID: 0 PID: 191 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1
[ 20.780867] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 20.781327] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 20.782091] Call Trace:
[ 20.782343] <TASK>
[ 20.782590] dump_stack_lvl+0x73/0xb0
[ 20.783347] print_report+0xd1/0x640
[ 20.783806] ? __virt_addr_valid+0x1db/0x2d0
[ 20.784285] ? kasan_complete_mode_report_info+0x64/0x200
[ 20.785129] kasan_report+0x102/0x140
[ 20.785827] ? kmalloc_uaf+0x322/0x380
[ 20.786502] ? kmalloc_uaf+0x322/0x380
[ 20.787222] __asan_report_load1_noabort+0x18/0x20
[ 20.787737] kmalloc_uaf+0x322/0x380
[ 20.788686] ? __pfx_kmalloc_uaf+0x10/0x10
[ 20.789098] ? __schedule+0xc3e/0x2790
[ 20.789807] ? __pfx_read_tsc+0x10/0x10
[ 20.790295] ? ktime_get_ts64+0x84/0x230
[ 20.790882] kunit_try_run_case+0x1b3/0x490
[ 20.791431] ? __pfx_kunit_try_run_case+0x10/0x10
[ 20.792050] ? _raw_spin_lock_irqsave+0xa2/0x110
[ 20.792526] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 20.793051] ? __kthread_parkme+0x82/0x160
[ 20.793450] ? preempt_count_sub+0x50/0x80
[ 20.794016] ? __pfx_kunit_try_run_case+0x10/0x10
[ 20.794705] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 20.795345] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.795849] kthread+0x257/0x310
[ 20.796320] ?
__pfx_kthread+0x10/0x10 [ 20.796794] ret_from_fork+0x41/0x80 [ 20.797270] ? __pfx_kthread+0x10/0x10 [ 20.797834] ret_from_fork_asm+0x1a/0x30 [ 20.798321] </TASK> [ 20.798706] [ 20.798965] Allocated by task 191: [ 20.799334] kasan_save_stack+0x3d/0x60 [ 20.799813] kasan_save_track+0x18/0x40 [ 20.800188] kasan_save_alloc_info+0x3b/0x50 [ 20.800761] __kasan_kmalloc+0xb7/0xc0 [ 20.801192] __kmalloc_cache_noprof+0x184/0x410 [ 20.801801] kmalloc_uaf+0xab/0x380 [ 20.802179] kunit_try_run_case+0x1b3/0x490 [ 20.802750] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.803165] kthread+0x257/0x310 [ 20.803560] ret_from_fork+0x41/0x80 [ 20.804081] ret_from_fork_asm+0x1a/0x30 [ 20.804470] [ 20.804664] Freed by task 191: [ 20.804879] kasan_save_stack+0x3d/0x60 [ 20.805252] kasan_save_track+0x18/0x40 [ 20.805807] kasan_save_free_info+0x3f/0x60 [ 20.806277] __kasan_slab_free+0x56/0x70 [ 20.806721] kfree+0x123/0x3f0 [ 20.806960] kmalloc_uaf+0x12d/0x380 [ 20.807275] kunit_try_run_case+0x1b3/0x490 [ 20.807936] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.808563] kthread+0x257/0x310 [ 20.809035] ret_from_fork+0x41/0x80 [ 20.809551] ret_from_fork_asm+0x1a/0x30 [ 20.809881] [ 20.810118] The buggy address belongs to the object at ffff8881011ae2c0 [ 20.810118] which belongs to the cache kmalloc-16 of size 16 [ 20.811320] The buggy address is located 8 bytes inside of [ 20.811320] freed 16-byte region [ffff8881011ae2c0, ffff8881011ae2d0) [ 20.812322] [ 20.812508] The buggy address belongs to the physical page: [ 20.813117] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1011ae [ 20.813881] flags: 0x200000000000000(node=0|zone=2) [ 20.814408] page_type: f5(slab) [ 20.814722] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 20.815516] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000 [ 20.816157] page dumped because: kasan: bad access detected [ 20.817008] [ 20.817462] Memory state around the buggy address: [ 
20.818591] ffff8881011ae180: fa fb fc fc 00 02 fc fc 00 05 fc fc 00 02 fc fc [ 20.820109] ffff8881011ae200: 00 02 fc fc 00 02 fc fc 00 02 fc fc 00 05 fc fc [ 20.820530] >ffff8881011ae280: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc [ 20.821154] ^ [ 20.821835] ffff8881011ae300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.822380] ffff8881011ae380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.823108] ================================================================== [ 20.345845] ================================================================== [ 20.346739] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47d/0x4c0 [ 20.347677] Read of size 16 at addr ffff8881011ae2a0 by task kunit_try_catch/175 [ 20.348275] [ 20.349272] CPU: 1 UID: 0 PID: 175 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241126 #1 [ 20.350373] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.351208] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 20.351776] Call Trace: [ 20.351989] <TASK> [ 20.352522] dump_stack_lvl+0x73/0xb0 [ 20.353422] print_report+0xd1/0x640 [ 20.353892] ? __virt_addr_valid+0x1db/0x2d0 [ 20.354368] ? kasan_complete_mode_report_info+0x64/0x200 [ 20.354902] kasan_report+0x102/0x140 [ 20.355256] ? kmalloc_uaf_16+0x47d/0x4c0 [ 20.355656] ? kmalloc_uaf_16+0x47d/0x4c0 [ 20.356194] __asan_report_load16_noabort+0x18/0x20 [ 20.356784] kmalloc_uaf_16+0x47d/0x4c0 [ 20.357141] ? __pfx_kmalloc_uaf_16+0x10/0x10 [ 20.357447] ? __schedule+0xc3e/0x2790 [ 20.358015] ? __pfx_read_tsc+0x10/0x10 [ 20.359066] ? ktime_get_ts64+0x84/0x230 [ 20.359628] kunit_try_run_case+0x1b3/0x490 [ 20.360680] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.361233] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 20.361642] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 20.362553] ? __kthread_parkme+0x82/0x160 [ 20.363564] ? preempt_count_sub+0x50/0x80 [ 20.364076] ? __pfx_kunit_try_run_case+0x10/0x10 [ 20.364540] ? 
__pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 20.365198] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.365745] kthread+0x257/0x310 [ 20.366323] ? __pfx_kthread+0x10/0x10 [ 20.366736] ret_from_fork+0x41/0x80 [ 20.367179] ? __pfx_kthread+0x10/0x10 [ 20.368063] ret_from_fork_asm+0x1a/0x30 [ 20.368565] </TASK> [ 20.368895] [ 20.369335] Allocated by task 175: [ 20.369652] kasan_save_stack+0x3d/0x60 [ 20.370269] kasan_save_track+0x18/0x40 [ 20.370793] kasan_save_alloc_info+0x3b/0x50 [ 20.371434] __kasan_kmalloc+0xb7/0xc0 [ 20.371808] __kmalloc_cache_noprof+0x184/0x410 [ 20.372472] kmalloc_uaf_16+0x15c/0x4c0 [ 20.372870] kunit_try_run_case+0x1b3/0x490 [ 20.373256] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.374377] kthread+0x257/0x310 [ 20.374698] ret_from_fork+0x41/0x80 [ 20.375443] ret_from_fork_asm+0x1a/0x30 [ 20.376204] [ 20.376432] Freed by task 175: [ 20.376825] kasan_save_stack+0x3d/0x60 [ 20.377529] kasan_save_track+0x18/0x40 [ 20.378500] kasan_save_free_info+0x3f/0x60 [ 20.379166] __kasan_slab_free+0x56/0x70 [ 20.379610] kfree+0x123/0x3f0 [ 20.380342] kmalloc_uaf_16+0x1d7/0x4c0 [ 20.380687] kunit_try_run_case+0x1b3/0x490 [ 20.381140] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 20.382109] kthread+0x257/0x310 [ 20.382515] ret_from_fork+0x41/0x80 [ 20.383592] ret_from_fork_asm+0x1a/0x30 [ 20.384261] [ 20.384421] The buggy address belongs to the object at ffff8881011ae2a0 [ 20.384421] which belongs to the cache kmalloc-16 of size 16 [ 20.385560] The buggy address is located 0 bytes inside of [ 20.385560] freed 16-byte region [ffff8881011ae2a0, ffff8881011ae2b0) [ 20.387217] [ 20.387442] The buggy address belongs to the physical page: [ 20.387919] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1011ae [ 20.389475] flags: 0x200000000000000(node=0|zone=2) [ 20.390462] page_type: f5(slab) [ 20.390910] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 20.391661] raw: 0000000000000000 0000000080800080 
00000001f5000000 0000000000000000 [ 20.392287] page dumped because: kasan: bad access detected [ 20.392744] [ 20.393129] Memory state around the buggy address: [ 20.393805] ffff8881011ae180: fa fb fc fc 00 02 fc fc 00 05 fc fc 00 02 fc fc [ 20.394977] ffff8881011ae200: 00 02 fc fc 00 02 fc fc 00 02 fc fc 00 05 fc fc [ 20.395843] >ffff8881011ae280: 00 00 fc fc fa fb fc fc fc fc fc fc fc fc fc fc [ 20.396562] ^ [ 20.397129] ffff8881011ae300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.397882] ffff8881011ae380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 20.398458] ==================================================================