Hay
Date
Nov. 27, 2024, 3:37 a.m.

Environment
qemu-arm64
qemu-x86_64

[   48.190367] ==================================================================
[   48.191581] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   48.192313] Read of size 1 at addr fff00000c40dc828 by task kunit_try_catch/173
[   48.192995] 
[   48.193367] CPU: 1 UID: 0 PID: 173 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241127 #1
[   48.195134] Tainted: [B]=BAD_PAGE, [N]=TEST
[   48.195708] Hardware name: linux,dummy-virt (DT)
[   48.196321] Call trace:
[   48.196866]  show_stack+0x20/0x38 (C)
[   48.197478]  dump_stack_lvl+0x8c/0xd0
[   48.197949]  print_report+0x118/0x5e0
[   48.199012]  kasan_report+0xc8/0x118
[   48.199652]  __asan_report_load1_noabort+0x20/0x30
[   48.200383]  kmalloc_uaf+0x300/0x338
[   48.200947]  kunit_try_run_case+0x14c/0x3d0
[   48.201558]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   48.202307]  kthread+0x24c/0x2d0
[   48.202934]  ret_from_fork+0x10/0x20
[   48.203740] 
[   48.204042] Allocated by task 173:
[   48.204571]  kasan_save_stack+0x3c/0x68
[   48.205052]  kasan_save_track+0x20/0x40
[   48.206060]  kasan_save_alloc_info+0x40/0x58
[   48.206702]  __kasan_kmalloc+0xd4/0xd8
[   48.207247]  __kmalloc_cache_noprof+0x15c/0x3c0
[   48.207847]  kmalloc_uaf+0xb8/0x338
[   48.208439]  kunit_try_run_case+0x14c/0x3d0
[   48.208943]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   48.210148]  kthread+0x24c/0x2d0
[   48.210699]  ret_from_fork+0x10/0x20
[   48.211251] 
[   48.211587] Freed by task 173:
[   48.211999]  kasan_save_stack+0x3c/0x68
[   48.212617]  kasan_save_track+0x20/0x40
[   48.213079]  kasan_save_free_info+0x4c/0x78
[   48.214132]  __kasan_slab_free+0x6c/0x98
[   48.214706]  kfree+0x114/0x3c8
[   48.215271]  kmalloc_uaf+0x11c/0x338
[   48.215840]  kunit_try_run_case+0x14c/0x3d0
[   48.216442]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   48.217378]  kthread+0x24c/0x2d0
[   48.217938]  ret_from_fork+0x10/0x20
[   48.218530] 
[   48.218868] The buggy address belongs to the object at fff00000c40dc820
[   48.218868]  which belongs to the cache kmalloc-16 of size 16
[   48.220397] The buggy address is located 8 bytes inside of
[   48.220397]  freed 16-byte region [fff00000c40dc820, fff00000c40dc830)
[   48.222027] 
[   48.222679] The buggy address belongs to the physical page:
[   48.223216] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1040dc
[   48.224280] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   48.225234] page_type: f5(slab)
[   48.225753] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   48.226738] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[   48.227657] page dumped because: kasan: bad access detected
[   48.228344] 
[   48.228762] Memory state around the buggy address:
[   48.229401]  fff00000c40dc700: 00 06 fc fc 00 06 fc fc fa fb fc fc fa fb fc fc
[   48.230754]  fff00000c40dc780: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   48.231618] >fff00000c40dc800: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   48.232483]                                   ^
[   48.233363]  fff00000c40dc880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   48.234194]  fff00000c40dc900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   48.235054] ==================================================================
[   48.302800] ==================================================================
[   48.304146] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[   48.305362] Read of size 1 at addr fff00000c616ae28 by task kunit_try_catch/177
[   48.306730] 
[   48.307128] CPU: 0 UID: 0 PID: 177 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241127 #1
[   48.308546] Tainted: [B]=BAD_PAGE, [N]=TEST
[   48.309102] Hardware name: linux,dummy-virt (DT)
[   48.310525] Call trace:
[   48.310739]  show_stack+0x20/0x38 (C)
[   48.311022]  dump_stack_lvl+0x8c/0xd0
[   48.311340]  print_report+0x118/0x5e0
[   48.311645]  kasan_report+0xc8/0x118
[   48.311918]  __asan_report_load1_noabort+0x20/0x30
[   48.312246]  kmalloc_uaf2+0x3f4/0x468
[   48.314181]  kunit_try_run_case+0x14c/0x3d0
[   48.315106]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   48.315899]  kthread+0x24c/0x2d0
[   48.316656]  ret_from_fork+0x10/0x20
[   48.317238] 
[   48.317616] Allocated by task 177:
[   48.318024]  kasan_save_stack+0x3c/0x68
[   48.318684]  kasan_save_track+0x20/0x40
[   48.319593]  kasan_save_alloc_info+0x40/0x58
[   48.320176]  __kasan_kmalloc+0xd4/0xd8
[   48.320729]  __kmalloc_cache_noprof+0x15c/0x3c0
[   48.321504]  kmalloc_uaf2+0xc4/0x468
[   48.322013]  kunit_try_run_case+0x14c/0x3d0
[   48.323020]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   48.324131]  kthread+0x24c/0x2d0
[   48.324623]  ret_from_fork+0x10/0x20
[   48.325183] 
[   48.325534] Freed by task 177:
[   48.326035]  kasan_save_stack+0x3c/0x68
[   48.326610]  kasan_save_track+0x20/0x40
[   48.327125]  kasan_save_free_info+0x4c/0x78
[   48.327977]  __kasan_slab_free+0x6c/0x98
[   48.328586]  kfree+0x114/0x3c8
[   48.329796]  kmalloc_uaf2+0x134/0x468
[   48.330347]  kunit_try_run_case+0x14c/0x3d0
[   48.330935]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   48.331646]  kthread+0x24c/0x2d0
[   48.332118]  ret_from_fork+0x10/0x20
[   48.332868] 
[   48.333186] The buggy address belongs to the object at fff00000c616ae00
[   48.333186]  which belongs to the cache kmalloc-64 of size 64
[   48.334976] The buggy address is located 40 bytes inside of
[   48.334976]  freed 64-byte region [fff00000c616ae00, fff00000c616ae40)
[   48.336246] 
[   48.336649] The buggy address belongs to the physical page:
[   48.338027] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10616a
[   48.338968] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   48.339980] page_type: f5(slab)
[   48.340486] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   48.341488] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[   48.342373] page dumped because: kasan: bad access detected
[   48.343056] 
[   48.343654] Memory state around the buggy address:
[   48.344363]  fff00000c616ad00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   48.345324]  fff00000c616ad80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   48.346087] >fff00000c616ae00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   48.348113]                                   ^
[   48.349073]  fff00000c616ae80: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   48.350073]  fff00000c616af00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   48.351353] ==================================================================
[   47.775067] ==================================================================
[   47.776212] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[   47.776842] Read of size 16 at addr fff00000c40dc800 by task kunit_try_catch/157
[   47.778139] 
[   47.778623] CPU: 1 UID: 0 PID: 157 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241127 #1
[   47.779510] Tainted: [B]=BAD_PAGE, [N]=TEST
[   47.779946] Hardware name: linux,dummy-virt (DT)
[   47.780685] Call trace:
[   47.781143]  show_stack+0x20/0x38 (C)
[   47.782258]  dump_stack_lvl+0x8c/0xd0
[   47.783388]  print_report+0x118/0x5e0
[   47.784202]  kasan_report+0xc8/0x118
[   47.784953]  __asan_report_load16_noabort+0x20/0x30
[   47.786212]  kmalloc_uaf_16+0x3bc/0x438
[   47.787069]  kunit_try_run_case+0x14c/0x3d0
[   47.787667]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   47.788588]  kthread+0x24c/0x2d0
[   47.789190]  ret_from_fork+0x10/0x20
[   47.790082] 
[   47.790452] Allocated by task 157:
[   47.791054]  kasan_save_stack+0x3c/0x68
[   47.791829]  kasan_save_track+0x20/0x40
[   47.792481]  kasan_save_alloc_info+0x40/0x58
[   47.793264]  __kasan_kmalloc+0xd4/0xd8
[   47.793866]  __kmalloc_cache_noprof+0x15c/0x3c0
[   47.794573]  kmalloc_uaf_16+0x140/0x438
[   47.795253]  kunit_try_run_case+0x14c/0x3d0
[   47.795895]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   47.796652]  kthread+0x24c/0x2d0
[   47.797313]  ret_from_fork+0x10/0x20
[   47.797880] 
[   47.798148] Freed by task 157:
[   47.798744]  kasan_save_stack+0x3c/0x68
[   47.799214]  kasan_save_track+0x20/0x40
[   47.800425]  kasan_save_free_info+0x4c/0x78
[   47.800980]  __kasan_slab_free+0x6c/0x98
[   47.801661]  kfree+0x114/0x3c8
[   47.802209]  kmalloc_uaf_16+0x190/0x438
[   47.802802]  kunit_try_run_case+0x14c/0x3d0
[   47.803625]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   47.804399]  kthread+0x24c/0x2d0
[   47.804988]  ret_from_fork+0x10/0x20
[   47.805698] 
[   47.806035] The buggy address belongs to the object at fff00000c40dc800
[   47.806035]  which belongs to the cache kmalloc-16 of size 16
[   47.807576] The buggy address is located 0 bytes inside of
[   47.807576]  freed 16-byte region [fff00000c40dc800, fff00000c40dc810)
[   47.808957] 
[   47.809284] The buggy address belongs to the physical page:
[   47.810213] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1040dc
[   47.811037] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   47.811925] page_type: f5(slab)
[   47.812522] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   47.813676] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[   47.814551] page dumped because: kasan: bad access detected
[   47.815204] 
[   47.815567] Memory state around the buggy address:
[   47.816194]  fff00000c40dc700: 00 06 fc fc 00 06 fc fc fa fb fc fc fa fb fc fc
[   47.816939]  fff00000c40dc780: fa fb fc fc fa fb fc fc fa fb fc fc 00 00 fc fc
[   47.818633] >fff00000c40dc800: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   47.819509]                    ^
[   47.819959]  fff00000c40dc880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   47.820947]  fff00000c40dc900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   47.821732] ==================================================================

[   25.530604] ==================================================================
[   25.531718] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4aa/0x520
[   25.532482] Read of size 1 at addr ffff888101aa6028 by task kunit_try_catch/196
[   25.533169] 
[   25.533663] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241127 #1
[   25.535233] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.535909] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.537139] Call Trace:
[   25.537582]  <TASK>
[   25.537854]  dump_stack_lvl+0x73/0xb0
[   25.538369]  print_report+0xd1/0x640
[   25.539317]  ? __virt_addr_valid+0x1db/0x2d0
[   25.539833]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.540646]  kasan_report+0x102/0x140
[   25.541168]  ? kmalloc_uaf2+0x4aa/0x520
[   25.541571]  ? kmalloc_uaf2+0x4aa/0x520
[   25.542262]  __asan_report_load1_noabort+0x18/0x20
[   25.543092]  kmalloc_uaf2+0x4aa/0x520
[   25.543717]  ? __pfx_kmalloc_uaf2+0x10/0x10
[   25.544195]  ? finish_task_switch.isra.0+0x153/0x700
[   25.544833]  ? __switch_to+0x5d9/0xf60
[   25.545459]  ? __schedule+0xc3e/0x2790
[   25.545973]  ? __pfx_read_tsc+0x10/0x10
[   25.546526]  ? ktime_get_ts64+0x84/0x230
[   25.547262]  kunit_try_run_case+0x1b3/0x490
[   25.547852]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.548526]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   25.549416]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.549881]  ? __kthread_parkme+0x82/0x160
[   25.550544]  ? preempt_count_sub+0x50/0x80
[   25.551015]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.551561]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.552493]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.553077]  kthread+0x257/0x310
[   25.553757]  ? __pfx_kthread+0x10/0x10
[   25.554091]  ret_from_fork+0x41/0x80
[   25.554798]  ? __pfx_kthread+0x10/0x10
[   25.555492]  ret_from_fork_asm+0x1a/0x30
[   25.556197]  </TASK>
[   25.556498] 
[   25.556741] Allocated by task 196:
[   25.557422]  kasan_save_stack+0x3d/0x60
[   25.557759]  kasan_save_track+0x18/0x40
[   25.558360]  kasan_save_alloc_info+0x3b/0x50
[   25.558957]  __kasan_kmalloc+0xb7/0xc0
[   25.559621]  __kmalloc_cache_noprof+0x184/0x410
[   25.560551]  kmalloc_uaf2+0xc7/0x520
[   25.561643]  kunit_try_run_case+0x1b3/0x490
[   25.561973]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.563040]  kthread+0x257/0x310
[   25.563704]  ret_from_fork+0x41/0x80
[   25.563883]  ret_from_fork_asm+0x1a/0x30
[   25.564853] 
[   25.565231] Freed by task 196:
[   25.566135]  kasan_save_stack+0x3d/0x60
[   25.566620]  kasan_save_track+0x18/0x40
[   25.567265]  kasan_save_free_info+0x3f/0x60
[   25.567866]  __kasan_slab_free+0x56/0x70
[   25.568419]  kfree+0x123/0x3f0
[   25.568689]  kmalloc_uaf2+0x14d/0x520
[   25.570320]  kunit_try_run_case+0x1b3/0x490
[   25.570704]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.571665]  kthread+0x257/0x310
[   25.572592]  ret_from_fork+0x41/0x80
[   25.572961]  ret_from_fork_asm+0x1a/0x30
[   25.573840] 
[   25.574490] The buggy address belongs to the object at ffff888101aa6000
[   25.574490]  which belongs to the cache kmalloc-64 of size 64
[   25.575709] The buggy address is located 40 bytes inside of
[   25.575709]  freed 64-byte region [ffff888101aa6000, ffff888101aa6040)
[   25.577032] 
[   25.577468] The buggy address belongs to the physical page:
[   25.578414] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101aa6
[   25.579049] flags: 0x200000000000000(node=0|zone=2)
[   25.579556] page_type: f5(slab)
[   25.580476] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   25.581668] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[   25.582736] page dumped because: kasan: bad access detected
[   25.583869] 
[   25.584037] Memory state around the buggy address:
[   25.584515]  ffff888101aa5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.585847]  ffff888101aa5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.586635] >ffff888101aa6000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   25.587879]                                   ^
[   25.588295]  ffff888101aa6080: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   25.589529]  ffff888101aa6100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.590070] ==================================================================
[   25.007414] ==================================================================
[   25.008339] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47d/0x4c0
[   25.008960] Read of size 16 at addr ffff888101a26640 by task kunit_try_catch/176
[   25.009612] 
[   25.009921] CPU: 1 UID: 0 PID: 176 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241127 #1
[   25.010843] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.011332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.012477] Call Trace:
[   25.012759]  <TASK>
[   25.013293]  dump_stack_lvl+0x73/0xb0
[   25.013672]  print_report+0xd1/0x640
[   25.014332]  ? __virt_addr_valid+0x1db/0x2d0
[   25.014736]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.015311]  kasan_report+0x102/0x140
[   25.016078]  ? kmalloc_uaf_16+0x47d/0x4c0
[   25.016825]  ? kmalloc_uaf_16+0x47d/0x4c0
[   25.017547]  __asan_report_load16_noabort+0x18/0x20
[   25.018083]  kmalloc_uaf_16+0x47d/0x4c0
[   25.018645]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[   25.019076]  ? __schedule+0xc3e/0x2790
[   25.019622]  ? __pfx_read_tsc+0x10/0x10
[   25.020256]  ? ktime_get_ts64+0x84/0x230
[   25.021172]  kunit_try_run_case+0x1b3/0x490
[   25.021628]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.022384]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   25.022721]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.023252]  ? __kthread_parkme+0x82/0x160
[   25.023785]  ? preempt_count_sub+0x50/0x80
[   25.024551]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.025043]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.025501]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.026096]  kthread+0x257/0x310
[   25.026564]  ? __pfx_kthread+0x10/0x10
[   25.027075]  ret_from_fork+0x41/0x80
[   25.027603]  ? __pfx_kthread+0x10/0x10
[   25.027903]  ret_from_fork_asm+0x1a/0x30
[   25.028243]  </TASK>
[   25.028567] 
[   25.028795] Allocated by task 176:
[   25.029548]  kasan_save_stack+0x3d/0x60
[   25.030102]  kasan_save_track+0x18/0x40
[   25.030527]  kasan_save_alloc_info+0x3b/0x50
[   25.030826]  __kasan_kmalloc+0xb7/0xc0
[   25.031149]  __kmalloc_cache_noprof+0x184/0x410
[   25.031706]  kmalloc_uaf_16+0x15c/0x4c0
[   25.032162]  kunit_try_run_case+0x1b3/0x490
[   25.032827]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.033518]  kthread+0x257/0x310
[   25.033830]  ret_from_fork+0x41/0x80
[   25.034322]  ret_from_fork_asm+0x1a/0x30
[   25.034913] 
[   25.035089] Freed by task 176:
[   25.035399]  kasan_save_stack+0x3d/0x60
[   25.035941]  kasan_save_track+0x18/0x40
[   25.036234]  kasan_save_free_info+0x3f/0x60
[   25.037281]  __kasan_slab_free+0x56/0x70
[   25.037646]  kfree+0x123/0x3f0
[   25.038102]  kmalloc_uaf_16+0x1d7/0x4c0
[   25.038448]  kunit_try_run_case+0x1b3/0x490
[   25.038744]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.039276]  kthread+0x257/0x310
[   25.040025]  ret_from_fork+0x41/0x80
[   25.040606]  ret_from_fork_asm+0x1a/0x30
[   25.041196] 
[   25.041427] The buggy address belongs to the object at ffff888101a26640
[   25.041427]  which belongs to the cache kmalloc-16 of size 16
[   25.042206] The buggy address is located 0 bytes inside of
[   25.042206]  freed 16-byte region [ffff888101a26640, ffff888101a26650)
[   25.043456] 
[   25.043653] The buggy address belongs to the physical page:
[   25.044331] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101a26
[   25.044883] flags: 0x200000000000000(node=0|zone=2)
[   25.045761] page_type: f5(slab)
[   25.046039] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   25.046489] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[   25.047300] page dumped because: kasan: bad access detected
[   25.047876] 
[   25.048116] Memory state around the buggy address:
[   25.048710]  ffff888101a26500: 00 00 fc fc 00 04 fc fc 00 04 fc fc 00 00 fc fc
[   25.049731]  ffff888101a26580: 00 00 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   25.050263] >ffff888101a26600: fa fb fc fc 00 00 fc fc fa fb fc fc fc fc fc fc
[   25.050678]                                            ^
[   25.051054]  ffff888101a26680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.051852]  ffff888101a26700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.052631] ==================================================================
[   25.421754] ==================================================================
[   25.423529] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x322/0x380
[   25.424183] Read of size 1 at addr ffff888101a26668 by task kunit_try_catch/192
[   25.424705] 
[   25.424970] CPU: 1 UID: 0 PID: 192 Comm: kunit_try_catch Tainted: G    B            N 6.12.0-next-20241127 #1
[   25.425782] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.426467] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.427418] Call Trace:
[   25.427640]  <TASK>
[   25.428071]  dump_stack_lvl+0x73/0xb0
[   25.428430]  print_report+0xd1/0x640
[   25.428833]  ? __virt_addr_valid+0x1db/0x2d0
[   25.429393]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.429816]  kasan_report+0x102/0x140
[   25.430114]  ? kmalloc_uaf+0x322/0x380
[   25.431173]  ? kmalloc_uaf+0x322/0x380
[   25.431497]  __asan_report_load1_noabort+0x18/0x20
[   25.432020]  kmalloc_uaf+0x322/0x380
[   25.432408]  ? __pfx_kmalloc_uaf+0x10/0x10
[   25.432729]  ? __schedule+0xc3e/0x2790
[   25.433382]  ? __pfx_read_tsc+0x10/0x10
[   25.433865]  ? ktime_get_ts64+0x84/0x230
[   25.434694]  kunit_try_run_case+0x1b3/0x490
[   25.435117]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.435675]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   25.436293]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.436675]  ? __kthread_parkme+0x82/0x160
[   25.436970]  ? preempt_count_sub+0x50/0x80
[   25.437566]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.438420]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.439197]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.439573]  kthread+0x257/0x310
[   25.440030]  ? __pfx_kthread+0x10/0x10
[   25.440601]  ret_from_fork+0x41/0x80
[   25.441198]  ? __pfx_kthread+0x10/0x10
[   25.441542]  ret_from_fork_asm+0x1a/0x30
[   25.441967]  </TASK>
[   25.442269] 
[   25.442434] Allocated by task 192:
[   25.442869]  kasan_save_stack+0x3d/0x60
[   25.443229]  kasan_save_track+0x18/0x40
[   25.443859]  kasan_save_alloc_info+0x3b/0x50
[   25.444448]  __kasan_kmalloc+0xb7/0xc0
[   25.444771]  __kmalloc_cache_noprof+0x184/0x410
[   25.445385]  kmalloc_uaf+0xab/0x380
[   25.445646]  kunit_try_run_case+0x1b3/0x490
[   25.446390]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.447260]  kthread+0x257/0x310
[   25.447527]  ret_from_fork+0x41/0x80
[   25.448086]  ret_from_fork_asm+0x1a/0x30
[   25.448578] 
[   25.448787] Freed by task 192:
[   25.449291]  kasan_save_stack+0x3d/0x60
[   25.449585]  kasan_save_track+0x18/0x40
[   25.449857]  kasan_save_free_info+0x3f/0x60
[   25.451521]  __kasan_slab_free+0x56/0x70
[   25.452246]  kfree+0x123/0x3f0
[   25.452864]  kmalloc_uaf+0x12d/0x380
[   25.453341]  kunit_try_run_case+0x1b3/0x490
[   25.453757]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.455329]  kthread+0x257/0x310
[   25.455567]  ret_from_fork+0x41/0x80
[   25.456812]  ret_from_fork_asm+0x1a/0x30
[   25.457382] 
[   25.457529] The buggy address belongs to the object at ffff888101a26660
[   25.457529]  which belongs to the cache kmalloc-16 of size 16
[   25.459473] The buggy address is located 8 bytes inside of
[   25.459473]  freed 16-byte region [ffff888101a26660, ffff888101a26670)
[   25.461218] 
[   25.461383] The buggy address belongs to the physical page:
[   25.461700] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101a26
[   25.463068] flags: 0x200000000000000(node=0|zone=2)
[   25.463710] page_type: f5(slab)
[   25.464036] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   25.465406] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[   25.466094] page dumped because: kasan: bad access detected
[   25.466577] 
[   25.466782] Memory state around the buggy address:
[   25.467839]  ffff888101a26500: 00 00 fc fc 00 04 fc fc 00 04 fc fc 00 00 fc fc
[   25.468924]  ffff888101a26580: 00 00 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   25.470109] >ffff888101a26600: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   25.471210]                                                           ^
[   25.472294]  ffff888101a26680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.472855]  ffff888101a26700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.473871] ==================================================================
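All six reports above share one shape: a `BUG: KASAN:` line naming the fault kind and the faulting frame, an access line (`Read of size N at addr …`), allocation and free stacks, the owning object and cache, and a shadow-memory dump in which each row holds 16 shadow bytes (the row addresses step by 0x80, so one shadow byte stands for 8 bytes of kernel memory). The following is an added example, not code from this page, from the KUnit cases it shows or from the kernel tree: a Python triage script that splits such a serial log into individual reports, extracts the fields worth bucketing on, decodes the shadow byte that covers the faulting address, and checks that the dump agrees with the "located N bytes inside of freed M-byte region" sentence. The generic-KASAN shadow values it uses (0x00 addressable, 0x01..0x07 partially addressable, 0xfa freed slab object carrying the free track, 0xfb freed slab object, 0xfc slab redzone) and the 8-byte granule are my reading of `mm/kasan/kasan.h`, not something this page states. The embedded `SAMPLE_LOG` is excerpted from the arm64 `kmalloc_uaf` and x86_64 `kmalloc_uaf_16` reports on this page, trimmed to the lines the parser reads.

```python
"""Triage helper for generic-mode KASAN reports. Added example, not code from
this page or the kernel tree: splits a serial log into reports, extracts the
fields a triager keys on, and decodes the shadow byte covering the faulting
address so the "N bytes inside of freed region" line can be cross-checked."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GRANULE = 8  # generic KASAN: one shadow byte describes 8 bytes of kernel memory
LEGEND = {0xfa: "freed object, free track stored here",  # KASAN_SLAB_FREETRACK
          0xfb: "freed object", 0xfc: "slab redzone"}    # KASAN_SLAB_FREE / _REDZONE
_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
_HDR = re.compile(r"BUG: KASAN: (\S+) in (\w+)\+0x[0-9a-f]+/")
_ACC = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
_CACHE = re.compile(r"belongs to the cache (\S+) of size \d+")
_REGION = re.compile(r"\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
_ROW = re.compile(r"^\s*>?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*){16})$")


@dataclass
class KasanReport:
    bug: str     # e.g. "slab-use-after-free"
    func: str    # faulting frame named on the BUG line
    access: str  # "Read" or "Write"
    size: int
    addr: int
    cache: Optional[str] = None
    obj_start: Optional[int] = None
    obj_end: Optional[int] = None
    shadow: Dict[int, int] = field(default_factory=dict)  # granule address -> byte

    @property
    def offset(self) -> Optional[int]:  # the report's "located N bytes inside of" figure
        return None if self.obj_start is None else self.addr - self.obj_start

    @property
    def shadow_byte(self) -> Optional[int]:
        return self.shadow.get(self.addr & ~(GRANULE - 1))

    def shadow_meaning(self) -> str:
        b = self.shadow_byte
        if b is None:
            return "granule not in dump"
        if b < GRANULE:  # 0 = whole granule addressable, 1..7 = only the first b bytes
            return "addressable" if b == 0 else f"first {b} of {GRANULE} bytes addressable"
        return LEGEND.get(b, f"unknown shadow value {b:#04x}")

    def shadow_confirms_uaf(self) -> bool:  # dump agrees: freed granule, inside the object
        return (self.bug == "slab-use-after-free" and self.shadow_byte in (0xfa, 0xfb)
                and self.obj_start is not None and self.obj_start <= self.addr < self.obj_end)


def split_reports(log: str) -> List[str]:
    """Return each chunk between '====' separator lines that carries a BUG header."""
    reports, chunk = [], []
    for line in log.splitlines():
        if set(_TS.sub("", line).strip()) == {"="}:
            if any("BUG: KASAN" in l for l in chunk):
                reports.append("\n".join(chunk))
            chunk = []
        else:
            chunk.append(line)
    return reports


def parse_report(text: str) -> KasanReport:
    lines = [_TS.sub("", l) for l in text.splitlines()]
    body = "\n".join(lines)
    hdr, acc = _HDR.search(body), _ACC.search(body)
    if not (hdr and acc):
        raise ValueError("not a KASAN report")
    rep = KasanReport(hdr.group(1), hdr.group(2), acc.group(1),
                      int(acc.group(2)), int(acc.group(3), 16))
    if m := _CACHE.search(body):
        rep.cache = m.group(1)
    if m := _REGION.search(body):
        rep.obj_start, rep.obj_end = int(m.group(1), 16), int(m.group(2), 16)
    for l in lines:
        if m := _ROW.match(l):  # one row = 16 shadow bytes = 128 bytes of memory
            base = int(m.group(1), 16)
            for i, b in enumerate(m.group(2).split()):
                rep.shadow[base + i * GRANULE] = int(b, 16)
    return rep


# Sample input: lines excerpted from two reports on this page, trimmed to what the parser reads.
SAMPLE_LOG = """\
[   48.190367] ==================================================================
[   48.191581] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   48.192313] Read of size 1 at addr fff00000c40dc828 by task kunit_try_catch/173
[   48.218868]  which belongs to the cache kmalloc-16 of size 16
[   48.220397]  freed 16-byte region [fff00000c40dc820, fff00000c40dc830)
[   48.231618] >fff00000c40dc800: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   48.235054] ==================================================================
[   25.007414] ==================================================================
[   25.008339] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47d/0x4c0
[   25.008960] Read of size 16 at addr ffff888101a26640 by task kunit_try_catch/176
[   25.041427]  which belongs to the cache kmalloc-16 of size 16
[   25.042206]  freed 16-byte region [ffff888101a26640, ffff888101a26650)
[   25.050263] >ffff888101a26600: fa fb fc fc 00 00 fc fc fa fb fc fc fc fc fc fc
[   25.052631] ==================================================================
"""
```

Running `parse_report` over `split_reports(SAMPLE_LOG)` gives, for the arm64 `kmalloc_uaf` report, a 1-byte read 8 bytes into a freed `kmalloc-16` object whose granule reads 0xfb, and for the x86_64 `kmalloc_uaf_16` report a 16-byte read at offset 0 whose granule reads 0xfa; in both cases the dump independently confirms the use-after-free verdict, which is what these KUnit cases are written to provoke (note the `Comm: kunit_try_catch` and `[N]=TEST` taint on every report above). Two points a triager should keep in mind: the same decoder flags a report whose faulting granule reads 0x00 or 0x01..0x07 as suspicious, because the shadow then contradicts the verdict and the report deserves a second look; and each report here is fenced by a separator line on both sides, so the splitter discards the empty chunk between two adjacent reports rather than treating it as one.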