Date: Nov. 28, 2024, 2:36 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 30.880714] ==================================================================
[ 30.882148] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[ 30.883498] Read of size 1 at addr fff00000c5d76c68 by task kunit_try_catch/172
[ 30.884706]
[ 30.885251] CPU: 0 UID: 0 PID: 172 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[ 30.886521] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.887066] Hardware name: linux,dummy-virt (DT)
[ 30.887603] Call trace:
[ 30.887973]  show_stack+0x20/0x38 (C)
[ 30.888603]  dump_stack_lvl+0x8c/0xd0
[ 30.889388]  print_report+0x118/0x5e0
[ 30.889987]  kasan_report+0xc8/0x118
[ 30.890541]  __asan_report_load1_noabort+0x20/0x30
[ 30.891103]  kmalloc_uaf+0x300/0x338
[ 30.892189]  kunit_try_run_case+0x14c/0x3d0
[ 30.892813]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.893481]  kthread+0x24c/0x2d0
[ 30.894035]  ret_from_fork+0x10/0x20
[ 30.895144]
[ 30.895477] Allocated by task 172:
[ 30.895979]  kasan_save_stack+0x3c/0x68
[ 30.896489]  kasan_save_track+0x20/0x40
[ 30.897828]  kasan_save_alloc_info+0x40/0x58
[ 30.898303]  __kasan_kmalloc+0xd4/0xd8
[ 30.898872]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 30.899490]  kmalloc_uaf+0xb8/0x338
[ 30.899976]  kunit_try_run_case+0x14c/0x3d0
[ 30.900531]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.901832]  kthread+0x24c/0x2d0
[ 30.902389]  ret_from_fork+0x10/0x20
[ 30.902869]
[ 30.903215] Freed by task 172:
[ 30.903678]  kasan_save_stack+0x3c/0x68
[ 30.904158]  kasan_save_track+0x20/0x40
[ 30.904748]  kasan_save_free_info+0x4c/0x78
[ 30.905745]  __kasan_slab_free+0x6c/0x98
[ 30.906424]  kfree+0x114/0x3c8
[ 30.907152]  kmalloc_uaf+0x11c/0x338
[ 30.907759]  kunit_try_run_case+0x14c/0x3d0
[ 30.908430]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.909492]  kthread+0x24c/0x2d0
[ 30.909993]  ret_from_fork+0x10/0x20
[ 30.910731]
[ 30.911128] The buggy address belongs to the object at fff00000c5d76c60
[ 30.911128]  which belongs to the cache kmalloc-16 of size 16
[ 30.912344] The buggy address is located 8 bytes inside of
[ 30.912344]  freed 16-byte region [fff00000c5d76c60, fff00000c5d76c70)
[ 30.913814]
[ 30.914705] The buggy address belongs to the physical page:
[ 30.915403] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105d76
[ 30.916347] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.917092] page_type: f5(slab)
[ 30.917683] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 30.918530] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 30.919451] page dumped because: kasan: bad access detected
[ 30.920207]
[ 30.920692] Memory state around the buggy address:
[ 30.921997]  fff00000c5d76b00: 00 02 fc fc 00 02 fc fc 00 02 fc fc 00 05 fc fc
[ 30.922885]  fff00000c5d76b80: fa fb fc fc 00 02 fc fc fa fb fc fc fa fb fc fc
[ 30.923901] >fff00000c5d76c00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 30.924701]                                                           ^
[ 30.926338]  fff00000c5d76c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.927063]  fff00000c5d76d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.927828] ==================================================================
[ 30.996249] ==================================================================
[ 30.997730] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[ 30.998692] Read of size 1 at addr fff00000c63aea28 by task kunit_try_catch/176
[ 30.999548]
[ 31.000626] CPU: 1 UID: 0 PID: 176 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[ 31.002299] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.002928] Hardware name: linux,dummy-virt (DT)
[ 31.003291] Call trace:
[ 31.004011]  show_stack+0x20/0x38 (C)
[ 31.004470]  dump_stack_lvl+0x8c/0xd0
[ 31.005450]  print_report+0x118/0x5e0
[ 31.006048]  kasan_report+0xc8/0x118
[ 31.006685]  __asan_report_load1_noabort+0x20/0x30
[ 31.007311]  kmalloc_uaf2+0x3f4/0x468
[ 31.007961]  kunit_try_run_case+0x14c/0x3d0
[ 31.008572]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.009329]  kthread+0x24c/0x2d0
[ 31.009850]  ret_from_fork+0x10/0x20
[ 31.010443]
[ 31.010789] Allocated by task 176:
[ 31.011352]  kasan_save_stack+0x3c/0x68
[ 31.012140]  kasan_save_track+0x20/0x40
[ 31.012765]  kasan_save_alloc_info+0x40/0x58
[ 31.013657]  __kasan_kmalloc+0xd4/0xd8
[ 31.014388]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 31.015027]  kmalloc_uaf2+0xc4/0x468
[ 31.015585]  kunit_try_run_case+0x14c/0x3d0
[ 31.016199]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.017338]  kthread+0x24c/0x2d0
[ 31.017834]  ret_from_fork+0x10/0x20
[ 31.018407]
[ 31.018786] Freed by task 176:
[ 31.019282]  kasan_save_stack+0x3c/0x68
[ 31.019812]  kasan_save_track+0x20/0x40
[ 31.020438]  kasan_save_free_info+0x4c/0x78
[ 31.021427]  __kasan_slab_free+0x6c/0x98
[ 31.021923]  kfree+0x114/0x3c8
[ 31.022460]  kmalloc_uaf2+0x134/0x468
[ 31.023060]  kunit_try_run_case+0x14c/0x3d0
[ 31.023700]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.024399]  kthread+0x24c/0x2d0
[ 31.025240]  ret_from_fork+0x10/0x20
[ 31.025801]
[ 31.026402] The buggy address belongs to the object at fff00000c63aea00
[ 31.026402]  which belongs to the cache kmalloc-64 of size 64
[ 31.027627] The buggy address is located 40 bytes inside of
[ 31.027627]  freed 64-byte region [fff00000c63aea00, fff00000c63aea40)
[ 31.028790]
[ 31.029652] The buggy address belongs to the physical page:
[ 31.030324] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063ae
[ 31.031257] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.032037] page_type: f5(slab)
[ 31.032528] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 31.033490] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[ 31.034660] page dumped because: kasan: bad access detected
[ 31.035321]
[ 31.035690] Memory state around the buggy address:
[ 31.036242]  fff00000c63ae900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 31.037517]  fff00000c63ae980: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 31.038364] >fff00000c63aea00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 31.039125]                                   ^
[ 31.039706]  fff00000c63aea80: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 31.040540]  fff00000c63aeb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.041534] ==================================================================
[ 30.482610] ==================================================================
[ 30.483934] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 30.484842] Read of size 16 at addr fff00000c4005e80 by task kunit_try_catch/156
[ 30.485563]
[ 30.485910] CPU: 1 UID: 0 PID: 156 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[ 30.488800] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.489425] Hardware name: linux,dummy-virt (DT)
[ 30.489951] Call trace:
[ 30.490396]  show_stack+0x20/0x38 (C)
[ 30.490930]  dump_stack_lvl+0x8c/0xd0
[ 30.491442]  print_report+0x118/0x5e0
[ 30.492037]  kasan_report+0xc8/0x118
[ 30.492641]  __asan_report_load16_noabort+0x20/0x30
[ 30.493351]  kmalloc_uaf_16+0x3bc/0x438
[ 30.493929]  kunit_try_run_case+0x14c/0x3d0
[ 30.494569]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.495241]  kthread+0x24c/0x2d0
[ 30.495746]  ret_from_fork+0x10/0x20
[ 30.496346]
[ 30.496683] Allocated by task 156:
[ 30.497207]  kasan_save_stack+0x3c/0x68
[ 30.497819]  kasan_save_track+0x20/0x40
[ 30.498319]  kasan_save_alloc_info+0x40/0x58
[ 30.498932]  __kasan_kmalloc+0xd4/0xd8
[ 30.499461]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 30.499991]  kmalloc_uaf_16+0x140/0x438
[ 30.500585]  kunit_try_run_case+0x14c/0x3d0
[ 30.501104]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.501815]  kthread+0x24c/0x2d0
[ 30.502344]  ret_from_fork+0x10/0x20
[ 30.502844]
[ 30.503205] Freed by task 156:
[ 30.503673]  kasan_save_stack+0x3c/0x68
[ 30.504256]  kasan_save_track+0x20/0x40
[ 30.504846]  kasan_save_free_info+0x4c/0x78
[ 30.505462]  __kasan_slab_free+0x6c/0x98
[ 30.505928]  kfree+0x114/0x3c8
[ 30.506455]  kmalloc_uaf_16+0x190/0x438
[ 30.507035]  kunit_try_run_case+0x14c/0x3d0
[ 30.507667]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.508395]  kthread+0x24c/0x2d0
[ 30.508868]  ret_from_fork+0x10/0x20
[ 30.509437]
[ 30.509787] The buggy address belongs to the object at fff00000c4005e80
[ 30.509787]  which belongs to the cache kmalloc-16 of size 16
[ 30.510866] The buggy address is located 0 bytes inside of
[ 30.510866]  freed 16-byte region [fff00000c4005e80, fff00000c4005e90)
[ 30.512013]
[ 30.512380] The buggy address belongs to the physical page:
[ 30.513056] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104005
[ 30.513852] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.514601] page_type: f5(slab)
[ 30.515077] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 30.515838] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 30.516696] page dumped because: kasan: bad access detected
[ 30.517417]
[ 30.517759] Memory state around the buggy address:
[ 30.518396]  fff00000c4005d80: 00 05 fc fc 00 05 fc fc fa fb fc fc fa fb fc fc
[ 30.518997]  fff00000c4005e00: fa fb fc fc fa fb fc fc fa fb fc fc 00 00 fc fc
[ 30.519855] >fff00000c4005e80: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.520667]                    ^
[ 30.521101]  fff00000c4005f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.521926]  fff00000c4005f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.522662] ==================================================================
```
qemu-x86_64:

```text
[ 21.916688] ==================================================================
[ 21.917643] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4aa/0x520
[ 21.918424] Read of size 1 at addr ffff888102a18ea8 by task kunit_try_catch/196
[ 21.919114]
[ 21.919317] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[ 21.920316] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.920944] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 21.922202] Call Trace:
[ 21.922769]  <TASK>
[ 21.923052]  dump_stack_lvl+0x73/0xb0
[ 21.923436]  print_report+0xd1/0x640
[ 21.923902]  ? __virt_addr_valid+0x1db/0x2d0
[ 21.924616]  ? kasan_complete_mode_report_info+0x64/0x200
[ 21.925757]  kasan_report+0x102/0x140
[ 21.926404]  ? kmalloc_uaf2+0x4aa/0x520
[ 21.926807]  ? kmalloc_uaf2+0x4aa/0x520
[ 21.927407]  __asan_report_load1_noabort+0x18/0x20
[ 21.927907]  kmalloc_uaf2+0x4aa/0x520
[ 21.928436]  ? __pfx_kmalloc_uaf2+0x10/0x10
[ 21.928948]  ? finish_task_switch.isra.0+0x153/0x700
[ 21.929744]  ? __switch_to+0x5d9/0xf60
[ 21.930375]  ? __schedule+0xc3e/0x2790
[ 21.930875]  ? __pfx_read_tsc+0x10/0x10
[ 21.931500]  ? ktime_get_ts64+0x84/0x230
[ 21.931841]  kunit_try_run_case+0x1b3/0x490
[ 21.932519]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.932975]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 21.933659]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 21.934032]  ? __kthread_parkme+0x82/0x160
[ 21.934702]  ? preempt_count_sub+0x50/0x80
[ 21.935183]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.935628]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 21.936008]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.936760]  kthread+0x257/0x310
[ 21.937431]  ? __pfx_kthread+0x10/0x10
[ 21.937744]  ret_from_fork+0x41/0x80
[ 21.938423]  ? __pfx_kthread+0x10/0x10
[ 21.938793]  ret_from_fork_asm+0x1a/0x30
[ 21.939485]  </TASK>
[ 21.939810]
[ 21.940038] Allocated by task 196:
[ 21.940575]  kasan_save_stack+0x3d/0x60
[ 21.941001]  kasan_save_track+0x18/0x40
[ 21.941615]  kasan_save_alloc_info+0x3b/0x50
[ 21.942057]  __kasan_kmalloc+0xb7/0xc0
[ 21.942668]  __kmalloc_cache_noprof+0x184/0x410
[ 21.943277]  kmalloc_uaf2+0xc7/0x520
[ 21.943911]  kunit_try_run_case+0x1b3/0x490
[ 21.944734]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.945557]  kthread+0x257/0x310
[ 21.945824]  ret_from_fork+0x41/0x80
[ 21.946298]  ret_from_fork_asm+0x1a/0x30
[ 21.946896]
[ 21.947048] Freed by task 196:
[ 21.947729]  kasan_save_stack+0x3d/0x60
[ 21.948022]  kasan_save_track+0x18/0x40
[ 21.948317]  kasan_save_free_info+0x3f/0x60
[ 21.949062]  __kasan_slab_free+0x56/0x70
[ 21.949817]  kfree+0x123/0x3f0
[ 21.950123]  kmalloc_uaf2+0x14d/0x520
[ 21.950817]  kunit_try_run_case+0x1b3/0x490
[ 21.951778]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.952798]  kthread+0x257/0x310
[ 21.953122]  ret_from_fork+0x41/0x80
[ 21.953470]  ret_from_fork_asm+0x1a/0x30
[ 21.953937]
[ 21.954081] The buggy address belongs to the object at ffff888102a18e80
[ 21.954081]  which belongs to the cache kmalloc-64 of size 64
[ 21.955402] The buggy address is located 40 bytes inside of
[ 21.955402]  freed 64-byte region [ffff888102a18e80, ffff888102a18ec0)
[ 21.956264]
[ 21.956698] The buggy address belongs to the physical page:
[ 21.957134] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a18
[ 21.957905] flags: 0x200000000000000(node=0|zone=2)
[ 21.958516] page_type: f5(slab)
[ 21.959441] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 21.960022] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[ 21.960810] page dumped because: kasan: bad access detected
[ 21.961481]
[ 21.961724] Memory state around the buggy address:
[ 21.962267]  ffff888102a18d80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 21.963504]  ffff888102a18e00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 21.964366] >ffff888102a18e80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 21.965120]                                   ^
[ 21.965828]  ffff888102a18f00: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 21.966569]  ffff888102a18f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.967190] ==================================================================
[ 21.805767] ==================================================================
[ 21.806811] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x322/0x380
[ 21.807455] Read of size 1 at addr ffff88810268b468 by task kunit_try_catch/192
[ 21.808001]
[ 21.808191] CPU: 0 UID: 0 PID: 192 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[ 21.809979] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.810223] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 21.810823] Call Trace:
[ 21.811150]  <TASK>
[ 21.811621]  dump_stack_lvl+0x73/0xb0
[ 21.812133]  print_report+0xd1/0x640
[ 21.812724]  ? __virt_addr_valid+0x1db/0x2d0
[ 21.813452]  ? kasan_complete_mode_report_info+0x64/0x200
[ 21.813824]  kasan_report+0x102/0x140
[ 21.814451]  ? kmalloc_uaf+0x322/0x380
[ 21.814951]  ? kmalloc_uaf+0x322/0x380
[ 21.815566]  __asan_report_load1_noabort+0x18/0x20
[ 21.815899]  kmalloc_uaf+0x322/0x380
[ 21.816651]  ? __pfx_kmalloc_uaf+0x10/0x10
[ 21.817628]  ? __schedule+0xc3e/0x2790
[ 21.818411]  ? __pfx_read_tsc+0x10/0x10
[ 21.818711]  ? ktime_get_ts64+0x84/0x230
[ 21.819499]  kunit_try_run_case+0x1b3/0x490
[ 21.820114]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.820865]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 21.821561]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 21.822009]  ? __kthread_parkme+0x82/0x160
[ 21.822656]  ? preempt_count_sub+0x50/0x80
[ 21.822982]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.823675]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 21.824217]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.824832]  kthread+0x257/0x310
[ 21.825200]  ? __pfx_kthread+0x10/0x10
[ 21.825799]  ret_from_fork+0x41/0x80
[ 21.826147]  ? __pfx_kthread+0x10/0x10
[ 21.826844]  ret_from_fork_asm+0x1a/0x30
[ 21.827503]  </TASK>
[ 21.827815]
[ 21.828069] Allocated by task 192:
[ 21.828599]  kasan_save_stack+0x3d/0x60
[ 21.829055]  kasan_save_track+0x18/0x40
[ 21.829725]  kasan_save_alloc_info+0x3b/0x50
[ 21.830040]  __kasan_kmalloc+0xb7/0xc0
[ 21.830573]  __kmalloc_cache_noprof+0x184/0x410
[ 21.831416]  kmalloc_uaf+0xab/0x380
[ 21.831846]  kunit_try_run_case+0x1b3/0x490
[ 21.832563]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.833378]  kthread+0x257/0x310
[ 21.833954]  ret_from_fork+0x41/0x80
[ 21.834699]  ret_from_fork_asm+0x1a/0x30
[ 21.835202]
[ 21.835558] Freed by task 192:
[ 21.835785]  kasan_save_stack+0x3d/0x60
[ 21.836202]  kasan_save_track+0x18/0x40
[ 21.836977]  kasan_save_free_info+0x3f/0x60
[ 21.837408]  __kasan_slab_free+0x56/0x70
[ 21.837943]  kfree+0x123/0x3f0
[ 21.838486]  kmalloc_uaf+0x12d/0x380
[ 21.839033]  kunit_try_run_case+0x1b3/0x490
[ 21.839361]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.840313]  kthread+0x257/0x310
[ 21.840931]  ret_from_fork+0x41/0x80
[ 21.841831]  ret_from_fork_asm+0x1a/0x30
[ 21.842770]
[ 21.843043] The buggy address belongs to the object at ffff88810268b460
[ 21.843043]  which belongs to the cache kmalloc-16 of size 16
[ 21.844510] The buggy address is located 8 bytes inside of
[ 21.844510]  freed 16-byte region [ffff88810268b460, ffff88810268b470)
[ 21.846054]
[ 21.846701] The buggy address belongs to the physical page:
[ 21.847526] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10268b
[ 21.848517] flags: 0x200000000000000(node=0|zone=2)
[ 21.848996] page_type: f5(slab)
[ 21.850124] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 21.850825] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 21.851399] page dumped because: kasan: bad access detected
[ 21.851952]
[ 21.852133] Memory state around the buggy address:
[ 21.853547]  ffff88810268b300: 00 05 fc fc 00 02 fc fc 00 02 fc fc 00 02 fc fc
[ 21.854145]  ffff88810268b380: 00 02 fc fc fa fb fc fc fa fb fc fc 00 05 fc fc
[ 21.854992] >ffff88810268b400: 00 04 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 21.855960]                                                           ^
[ 21.856760]  ffff88810268b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.857761]  ffff88810268b500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.858646] ==================================================================
[ 21.398734] ==================================================================
[ 21.399746] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47d/0x4c0
[ 21.400356] Read of size 16 at addr ffff88810268b440 by task kunit_try_catch/176
[ 21.400898]
[ 21.401074] CPU: 0 UID: 0 PID: 176 Comm: kunit_try_catch Tainted: G B N 6.12.0-next-20241128 #1
[ 21.402150] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.402793] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 21.403677] Call Trace:
[ 21.403876]  <TASK>
[ 21.404385]  dump_stack_lvl+0x73/0xb0
[ 21.404851]  print_report+0xd1/0x640
[ 21.405385]  ? __virt_addr_valid+0x1db/0x2d0
[ 21.405964]  ? kasan_complete_mode_report_info+0x64/0x200
[ 21.406652]  kasan_report+0x102/0x140
[ 21.406932]  ? kmalloc_uaf_16+0x47d/0x4c0
[ 21.407581]  ? kmalloc_uaf_16+0x47d/0x4c0
[ 21.408126]  __asan_report_load16_noabort+0x18/0x20
[ 21.408643]  kmalloc_uaf_16+0x47d/0x4c0
[ 21.408944]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 21.409645]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 21.410320]  kunit_try_run_case+0x1b3/0x490
[ 21.410983]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.411822]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 21.412434]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 21.413054]  ? __kthread_parkme+0x82/0x160
[ 21.413898]  ? preempt_count_sub+0x50/0x80
[ 21.414431]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.414806]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 21.415455]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.415932]  kthread+0x257/0x310
[ 21.416381]  ? __pfx_kthread+0x10/0x10
[ 21.416737]  ret_from_fork+0x41/0x80
[ 21.417241]  ? __pfx_kthread+0x10/0x10
[ 21.418405]  ret_from_fork_asm+0x1a/0x30
[ 21.418933]  </TASK>
[ 21.419225]
[ 21.419776] Allocated by task 176:
[ 21.420628]  kasan_save_stack+0x3d/0x60
[ 21.421003]  kasan_save_track+0x18/0x40
[ 21.421766]  kasan_save_alloc_info+0x3b/0x50
[ 21.422436]  __kasan_kmalloc+0xb7/0xc0
[ 21.422855]  __kmalloc_cache_noprof+0x184/0x410
[ 21.423540]  kmalloc_uaf_16+0x15c/0x4c0
[ 21.423883]  kunit_try_run_case+0x1b3/0x490
[ 21.424475]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.425157]  kthread+0x257/0x310
[ 21.425603]  ret_from_fork+0x41/0x80
[ 21.425938]  ret_from_fork_asm+0x1a/0x30
[ 21.426676]
[ 21.426925] Freed by task 176:
[ 21.427620]  kasan_save_stack+0x3d/0x60
[ 21.428026]  kasan_save_track+0x18/0x40
[ 21.428641]  kasan_save_free_info+0x3f/0x60
[ 21.429150]  __kasan_slab_free+0x56/0x70
[ 21.429854]  kfree+0x123/0x3f0
[ 21.430293]  kmalloc_uaf_16+0x1d7/0x4c0
[ 21.430802]  kunit_try_run_case+0x1b3/0x490
[ 21.431370]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.431941]  kthread+0x257/0x310
[ 21.432494]  ret_from_fork+0x41/0x80
[ 21.432779]  ret_from_fork_asm+0x1a/0x30
[ 21.433452]
[ 21.433715] The buggy address belongs to the object at ffff88810268b440
[ 21.433715]  which belongs to the cache kmalloc-16 of size 16
[ 21.434829] The buggy address is located 0 bytes inside of
[ 21.434829]  freed 16-byte region [ffff88810268b440, ffff88810268b450)
[ 21.436352]
[ 21.436578] The buggy address belongs to the physical page:
[ 21.437133] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10268b
[ 21.438512] flags: 0x200000000000000(node=0|zone=2)
[ 21.439218] page_type: f5(slab)
[ 21.439473] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 21.440609] raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
[ 21.441507] page dumped because: kasan: bad access detected
[ 21.442115]
[ 21.442530] Memory state around the buggy address:
[ 21.443112]  ffff88810268b300: 00 05 fc fc 00 02 fc fc 00 02 fc fc 00 02 fc fc
[ 21.443836]  ffff88810268b380: 00 02 fc fc fa fb fc fc fa fb fc fc 00 05 fc fc
[ 21.444483] >ffff88810268b400: 00 04 fc fc 00 00 fc fc fa fb fc fc fc fc fc fc
[ 21.445105]                                            ^
[ 21.445667]  ffff88810268b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.446170]  ffff88810268b500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.447056] ==================================================================
```