Date
Dec. 3, 2024, 11:38 p.m.
Environment
qemu-arm64

```text
[   30.351994] ==================================================================
[   30.353151] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[   30.353958] Read of size 16 at addr fff00000c5732760 by task kunit_try_catch/157
[   30.354976]
[   30.355494] CPU: 1 UID: 0 PID: 157 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241203 #1
[   30.356974] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.357515] Hardware name: linux,dummy-virt (DT)
[   30.358135] Call trace:
[   30.358947]  show_stack+0x20/0x38 (C)
[   30.359700]  dump_stack_lvl+0x8c/0xd0
[   30.360283]  print_report+0x118/0x5e0
[   30.360938]  kasan_report+0xc8/0x118
[   30.361484]  __asan_report_load16_noabort+0x20/0x30
[   30.362093]  kmalloc_uaf_16+0x3bc/0x438
[   30.362760]  kunit_try_run_case+0x14c/0x3d0
[   30.363651]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.364388]  kthread+0x24c/0x2d0
[   30.364978]  ret_from_fork+0x10/0x20
[   30.365503]
[   30.365873] Allocated by task 157:
[   30.366341]  kasan_save_stack+0x3c/0x68
[   30.367294]  kasan_save_track+0x20/0x40
[   30.367974]  kasan_save_alloc_info+0x40/0x58
[   30.368603]  __kasan_kmalloc+0xd4/0xd8
[   30.369127]  __kmalloc_cache_noprof+0x15c/0x3c0
[   30.369812]  kmalloc_uaf_16+0x140/0x438
[   30.370487]  kunit_try_run_case+0x14c/0x3d0
[   30.371247]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.371928]  kthread+0x24c/0x2d0
[   30.372493]  ret_from_fork+0x10/0x20
[   30.373143]
[   30.373512] Freed by task 157:
[   30.373965]  kasan_save_stack+0x3c/0x68
[   30.374623]  kasan_save_track+0x20/0x40
[   30.376243]  kasan_save_free_info+0x4c/0x78
[   30.376811]  __kasan_slab_free+0x6c/0x98
[   30.377479]  kfree+0x114/0x3c8
[   30.377944]  kmalloc_uaf_16+0x190/0x438
[   30.378689]  kunit_try_run_case+0x14c/0x3d0
[   30.379446]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.380279]  kthread+0x24c/0x2d0
[   30.381163]  ret_from_fork+0x10/0x20
[   30.381667]
[   30.382025] The buggy address belongs to the object at fff00000c5732760
[   30.382025]  which belongs to the cache kmalloc-16 of size 16
[   30.383679] The buggy address is located 0 bytes inside of
[   30.383679]  freed 16-byte region [fff00000c5732760, fff00000c5732770)
[   30.385057]
[   30.385384] The buggy address belongs to the physical page:
[   30.386203] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105732
[   30.387434] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   30.388305] page_type: f5(slab)
[   30.388776] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   30.389787] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   30.390732] page dumped because: kasan: bad access detected
[   30.391686]
[   30.391983] Memory state around the buggy address:
[   30.392736]  fff00000c5732600: 00 02 fc fc 00 05 fc fc fa fb fc fc 00 02 fc fc
[   30.393570]  fff00000c5732680: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   30.394455] >fff00000c5732700: fa fb fc fc 00 04 fc fc 00 00 fc fc fa fb fc fc
[   30.395686]                                                        ^
[   30.396554]  fff00000c5732780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.397625]  fff00000c5732800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.399361] ==================================================================
[   30.918257] ==================================================================
[   30.919968] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[   30.920895] Read of size 1 at addr fff00000c642e3a8 by task kunit_try_catch/177
[   30.921978]
[   30.922381] CPU: 0 UID: 0 PID: 177 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241203 #1
[   30.923787] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.924735] Hardware name: linux,dummy-virt (DT)
[   30.925552] Call trace:
[   30.926064]  show_stack+0x20/0x38 (C)
[   30.926822]  dump_stack_lvl+0x8c/0xd0
[   30.927649]  print_report+0x118/0x5e0
[   30.928545]  kasan_report+0xc8/0x118
[   30.929126]  __asan_report_load1_noabort+0x20/0x30
[   30.929983]  kmalloc_uaf2+0x3f4/0x468
[   30.930550]  kunit_try_run_case+0x14c/0x3d0
[   30.931665]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.932492]  kthread+0x24c/0x2d0
[   30.933053]  ret_from_fork+0x10/0x20
[   30.933755]
[   30.934182] Allocated by task 177:
[   30.934773]  kasan_save_stack+0x3c/0x68
[   30.936104]  kasan_save_track+0x20/0x40
[   30.936694]  kasan_save_alloc_info+0x40/0x58
[   30.937273]  __kasan_kmalloc+0xd4/0xd8
[   30.937809]  __kmalloc_cache_noprof+0x15c/0x3c0
[   30.938892]  kmalloc_uaf2+0xc4/0x468
[   30.939316]  kunit_try_run_case+0x14c/0x3d0
[   30.940385]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.941599]  kthread+0x24c/0x2d0
[   30.942471]  ret_from_fork+0x10/0x20
[   30.942963]
[   30.943502] Freed by task 177:
[   30.944237]  kasan_save_stack+0x3c/0x68
[   30.944959]  kasan_save_track+0x20/0x40
[   30.945600]  kasan_save_free_info+0x4c/0x78
[   30.946206]  __kasan_slab_free+0x6c/0x98
[   30.946910]  kfree+0x114/0x3c8
[   30.947448]  kmalloc_uaf2+0x134/0x468
[   30.948172]  kunit_try_run_case+0x14c/0x3d0
[   30.948850]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.949768]  kthread+0x24c/0x2d0
[   30.950408]  ret_from_fork+0x10/0x20
[   30.951115]
[   30.951388] The buggy address belongs to the object at fff00000c642e380
[   30.951388]  which belongs to the cache kmalloc-64 of size 64
[   30.953134] The buggy address is located 40 bytes inside of
[   30.953134]  freed 64-byte region [fff00000c642e380, fff00000c642e3c0)
[   30.954638]
[   30.955459] The buggy address belongs to the physical page:
[   30.955960] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10642e
[   30.957093] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   30.958053] page_type: f5(slab)
[   30.958693] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   30.959735] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   30.960690] page dumped because: kasan: bad access detected
[   30.961587]
[   30.962129] Memory state around the buggy address:
[   30.962875]  fff00000c642e280: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.963890]  fff00000c642e300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.964904] >fff00000c642e380: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.965899]                                   ^
[   30.966712]  fff00000c642e400: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   30.967886]  fff00000c642e480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.968870] ==================================================================
[   30.785979] ==================================================================
[   30.787445] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   30.789576] Read of size 1 at addr fff00000c6318388 by task kunit_try_catch/173
[   30.790487]
[   30.790800] CPU: 0 UID: 0 PID: 173 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241203 #1
[   30.793208] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.793869] Hardware name: linux,dummy-virt (DT)
[   30.794434] Call trace:
[   30.794895]  show_stack+0x20/0x38 (C)
[   30.795945]  dump_stack_lvl+0x8c/0xd0
[   30.796618]  print_report+0x118/0x5e0
[   30.797351]  kasan_report+0xc8/0x118
[   30.798045]  __asan_report_load1_noabort+0x20/0x30
[   30.798927]  kmalloc_uaf+0x300/0x338
[   30.799841]  kunit_try_run_case+0x14c/0x3d0
[   30.800657]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.801413]  kthread+0x24c/0x2d0
[   30.801960]  ret_from_fork+0x10/0x20
[   30.803584]
[   30.804520] Allocated by task 173:
[   30.805428]  kasan_save_stack+0x3c/0x68
[   30.805991]  kasan_save_track+0x20/0x40
[   30.806602]  kasan_save_alloc_info+0x40/0x58
[   30.807308]  __kasan_kmalloc+0xd4/0xd8
[   30.808424]  __kmalloc_cache_noprof+0x15c/0x3c0
[   30.808900]  kmalloc_uaf+0xb8/0x338
[   30.809298]  kunit_try_run_case+0x14c/0x3d0
[   30.810129]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.811433]  kthread+0x24c/0x2d0
[   30.812045]  ret_from_fork+0x10/0x20
[   30.812729]
[   30.813071] Freed by task 173:
[   30.813591]  kasan_save_stack+0x3c/0x68
[   30.814201]  kasan_save_track+0x20/0x40
[   30.814978]  kasan_save_free_info+0x4c/0x78
[   30.815765]  __kasan_slab_free+0x6c/0x98
[   30.816198]  kfree+0x114/0x3c8
[   30.816949]  kmalloc_uaf+0x11c/0x338
[   30.817970]  kunit_try_run_case+0x14c/0x3d0
[   30.818597]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.819438]  kthread+0x24c/0x2d0
[   30.820208]  ret_from_fork+0x10/0x20
[   30.820833]
[   30.821131] The buggy address belongs to the object at fff00000c6318380
[   30.821131]  which belongs to the cache kmalloc-16 of size 16
[   30.822688] The buggy address is located 8 bytes inside of
[   30.822688]  freed 16-byte region [fff00000c6318380, fff00000c6318390)
[   30.825072]
[   30.825580] The buggy address belongs to the physical page:
[   30.826384] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106318
[   30.827178] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   30.828826] page_type: f5(slab)
[   30.829224] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   30.829760] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   30.830222] page dumped because: kasan: bad access detected
[   30.830797]
[   30.831146] Memory state around the buggy address:
[   30.832545]  fff00000c6318280: fa fb fc fc fa fb fc fc 00 02 fc fc 00 02 fc fc
[   30.833236]  fff00000c6318300: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   30.834281] >fff00000c6318380: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.835771]                       ^
[   30.836315]  fff00000c6318400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.837213]  fff00000c6318480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.838427] ==================================================================
```

Environment
qemu-x86_64

```text
[   26.465404] ==================================================================
[   26.466089] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4aa/0x520
[   26.467078] Read of size 1 at addr ffff8881029865a8 by task kunit_try_catch/197
[   26.468257]
[   26.468778] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241203 #1
[   26.470000] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.470251] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   26.471537] Call Trace:
[   26.472138]  <TASK>
[   26.472320]  dump_stack_lvl+0x73/0xb0
[   26.473217]  print_report+0xd1/0x640
[   26.473579]  ? __virt_addr_valid+0x1db/0x2d0
[   26.474634]  ? kasan_complete_mode_report_info+0x64/0x200
[   26.475142]  kasan_report+0x102/0x140
[   26.475415]  ? kmalloc_uaf2+0x4aa/0x520
[   26.476278]  ? kmalloc_uaf2+0x4aa/0x520
[   26.476627]  __asan_report_load1_noabort+0x18/0x20
[   26.477205]  kmalloc_uaf2+0x4aa/0x520
[   26.478048]  ? __pfx_kmalloc_uaf2+0x10/0x10
[   26.478395]  ? finish_task_switch.isra.0+0x153/0x700
[   26.479032]  ? __switch_to+0x5d9/0xf60
[   26.479555]  ? __schedule+0xc3e/0x2790
[   26.480113]  ? __pfx_read_tsc+0x10/0x10
[   26.480779]  ? ktime_get_ts64+0x86/0x230
[   26.481310]  kunit_try_run_case+0x1b3/0x490
[   26.481739]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.482245]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   26.482617]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.483288]  ? __kthread_parkme+0x82/0x160
[   26.483573]  ? preempt_count_sub+0x50/0x80
[   26.484149]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.485349]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.485864]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.486299]  kthread+0x257/0x310
[   26.487234]  ? __pfx_kthread+0x10/0x10
[   26.487541]  ret_from_fork+0x41/0x80
[   26.487773]  ? __pfx_kthread+0x10/0x10
[   26.488152]  ret_from_fork_asm+0x1a/0x30
[   26.488597]  </TASK>
[   26.488856]
[   26.489029] Allocated by task 197:
[   26.490359]  kasan_save_stack+0x3d/0x60
[   26.491168]  kasan_save_track+0x18/0x40
[   26.491448]  kasan_save_alloc_info+0x3b/0x50
[   26.492242]  __kasan_kmalloc+0xb7/0xc0
[   26.492837]  __kmalloc_cache_noprof+0x184/0x410
[   26.493085]  kmalloc_uaf2+0xc7/0x520
[   26.493232]  kunit_try_run_case+0x1b3/0x490
[   26.493380]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.493644]  kthread+0x257/0x310
[   26.493877]  ret_from_fork+0x41/0x80
[   26.495034]  ret_from_fork_asm+0x1a/0x30
[   26.495368]
[   26.495590] Freed by task 197:
[   26.495894]  kasan_save_stack+0x3d/0x60
[   26.496246]  kasan_save_track+0x18/0x40
[   26.496544]  kasan_save_free_info+0x3f/0x60
[   26.496952]  __kasan_slab_free+0x56/0x70
[   26.497537]  kfree+0x123/0x3f0
[   26.497903]  kmalloc_uaf2+0x14d/0x520
[   26.498263]  kunit_try_run_case+0x1b3/0x490
[   26.498882]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.499415]  kthread+0x257/0x310
[   26.499961]  ret_from_fork+0x41/0x80
[   26.500352]  ret_from_fork_asm+0x1a/0x30
[   26.501050]
[   26.501278] The buggy address belongs to the object at ffff888102986580
[   26.501278]  which belongs to the cache kmalloc-64 of size 64
[   26.502278] The buggy address is located 40 bytes inside of
[   26.502278]  freed 64-byte region [ffff888102986580, ffff8881029865c0)
[   26.503078]
[   26.503296] The buggy address belongs to the physical page:
[   26.503970] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102986
[   26.504990] flags: 0x200000000000000(node=0|zone=2)
[   26.505509] page_type: f5(slab)
[   26.505819] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   26.506756] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   26.507338] page dumped because: kasan: bad access detected
[   26.507901]
[   26.508133] Memory state around the buggy address:
[   26.508848]  ffff888102986480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   26.509503]  ffff888102986500: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   26.510131] >ffff888102986580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   26.510606]                                   ^
[   26.511165]  ffff888102986600: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   26.511835]  ffff888102986680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.512472] ==================================================================
[   26.356297] ==================================================================
[   26.357425] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x322/0x380
[   26.358292] Read of size 1 at addr ffff888101adffa8 by task kunit_try_catch/193
[   26.359392]
[   26.360302] CPU: 0 UID: 0 PID: 193 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241203 #1
[   26.360882] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.361336] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   26.362305] Call Trace:
[   26.362578]  <TASK>
[   26.363155]  dump_stack_lvl+0x73/0xb0
[   26.363793]  print_report+0xd1/0x640
[   26.364359]  ? __virt_addr_valid+0x1db/0x2d0
[   26.365143]  ? kasan_complete_mode_report_info+0x64/0x200
[   26.365601]  kasan_report+0x102/0x140
[   26.365876]  ? kmalloc_uaf+0x322/0x380
[   26.366412]  ? kmalloc_uaf+0x322/0x380
[   26.367499]  __asan_report_load1_noabort+0x18/0x20
[   26.367944]  kmalloc_uaf+0x322/0x380
[   26.368198]  ? __pfx_kmalloc_uaf+0x10/0x10
[   26.368508]  ? __schedule+0xc3e/0x2790
[   26.369489]  ? __pfx_read_tsc+0x10/0x10
[   26.370188]  ? ktime_get_ts64+0x86/0x230
[   26.370776]  kunit_try_run_case+0x1b3/0x490
[   26.371169]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.372080]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   26.372479]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.373110]  ? __kthread_parkme+0x82/0x160
[   26.373877]  ? preempt_count_sub+0x50/0x80
[   26.375007]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.375528]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.376076]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.376545]  kthread+0x257/0x310
[   26.376882]  ? __pfx_kthread+0x10/0x10
[   26.377730]  ret_from_fork+0x41/0x80
[   26.378279]  ? __pfx_kthread+0x10/0x10
[   26.378498]  ret_from_fork_asm+0x1a/0x30
[   26.378731]  </TASK>
[   26.378975]
[   26.379522] Allocated by task 193:
[   26.380736]  kasan_save_stack+0x3d/0x60
[   26.381083]  kasan_save_track+0x18/0x40
[   26.381394]  kasan_save_alloc_info+0x3b/0x50
[   26.382381]  __kasan_kmalloc+0xb7/0xc0
[   26.383004]  __kmalloc_cache_noprof+0x184/0x410
[   26.383748]  kmalloc_uaf+0xab/0x380
[   26.384153]  kunit_try_run_case+0x1b3/0x490
[   26.384750]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.385713]  kthread+0x257/0x310
[   26.385914]  ret_from_fork+0x41/0x80
[   26.386142]  ret_from_fork_asm+0x1a/0x30
[   26.386609]
[   26.386828] Freed by task 193:
[   26.387154]  kasan_save_stack+0x3d/0x60
[   26.387480]  kasan_save_track+0x18/0x40
[   26.387870]  kasan_save_free_info+0x3f/0x60
[   26.388321]  __kasan_slab_free+0x56/0x70
[   26.388758]  kfree+0x123/0x3f0
[   26.389128]  kmalloc_uaf+0x12d/0x380
[   26.389374]  kunit_try_run_case+0x1b3/0x490
[   26.389914]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.390371]  kthread+0x257/0x310
[   26.390670]  ret_from_fork+0x41/0x80
[   26.391089]  ret_from_fork_asm+0x1a/0x30
[   26.391711]
[   26.391899] The buggy address belongs to the object at ffff888101adffa0
[   26.391899]  which belongs to the cache kmalloc-16 of size 16
[   26.392530] The buggy address is located 8 bytes inside of
[   26.392530]  freed 16-byte region [ffff888101adffa0, ffff888101adffb0)
[   26.393499]
[   26.393776] The buggy address belongs to the physical page:
[   26.394286] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101adf
[   26.395686] flags: 0x200000000000000(node=0|zone=2)
[   26.396850] page_type: f5(slab)
[   26.397296] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   26.398587] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   26.399315] page dumped because: kasan: bad access detected
[   26.400408]
[   26.400813] Memory state around the buggy address:
[   26.401124]  ffff888101adfe80: 00 05 fc fc 00 02 fc fc 00 02 fc fc 00 02 fc fc
[   26.402482]  ffff888101adff00: 00 02 fc fc fa fb fc fc 00 05 fc fc fa fb fc fc
[   26.403456] >ffff888101adff80: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   26.404279]                                   ^
[   26.404742]  ffff888101ae0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.405902]  ffff888101ae0080: fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb
[   26.407161] ==================================================================
[   25.952444] ==================================================================
[   25.953116] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47d/0x4c0
[   25.953771] Read of size 16 at addr ffff8881025733c0 by task kunit_try_catch/177
[   25.954418]
[   25.954656] CPU: 1 UID: 0 PID: 177 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241203 #1
[   25.956209] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.956788] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.957318] Call Trace:
[   25.957677]  <TASK>
[   25.958148]  dump_stack_lvl+0x73/0xb0
[   25.958862]  print_report+0xd1/0x640
[   25.959303]  ? __virt_addr_valid+0x1db/0x2d0
[   25.959659]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.960276]  kasan_report+0x102/0x140
[   25.961038]  ? kmalloc_uaf_16+0x47d/0x4c0
[   25.961432]  ? kmalloc_uaf_16+0x47d/0x4c0
[   25.961852]  __asan_report_load16_noabort+0x18/0x20
[   25.962539]  kmalloc_uaf_16+0x47d/0x4c0
[   25.962891]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[   25.963453]  ? __schedule+0xc3e/0x2790
[   25.963967]  ? __pfx_read_tsc+0x10/0x10
[   25.964486]  ? ktime_get_ts64+0x86/0x230
[   25.965158]  kunit_try_run_case+0x1b3/0x490
[   25.965536]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.966328]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   25.966722]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.967342]  ? __kthread_parkme+0x82/0x160
[   25.967718]  ? preempt_count_sub+0x50/0x80
[   25.968779]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.969186]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.970192]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.970971]  kthread+0x257/0x310
[   25.971210]  ? __pfx_kthread+0x10/0x10
[   25.971636]  ret_from_fork+0x41/0x80
[   25.972533]  ? __pfx_kthread+0x10/0x10
[   25.972988]  ret_from_fork_asm+0x1a/0x30
[   25.973363]  </TASK>
[   25.974040]
[   25.974191] Allocated by task 177:
[   25.974909]  kasan_save_stack+0x3d/0x60
[   25.975499]  kasan_save_track+0x18/0x40
[   25.975937]  kasan_save_alloc_info+0x3b/0x50
[   25.976361]  __kasan_kmalloc+0xb7/0xc0
[   25.976734]  __kmalloc_cache_noprof+0x184/0x410
[   25.977102]  kmalloc_uaf_16+0x15c/0x4c0
[   25.977406]  kunit_try_run_case+0x1b3/0x490
[   25.978481]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.978903]  kthread+0x257/0x310
[   25.979273]  ret_from_fork+0x41/0x80
[   25.980016]  ret_from_fork_asm+0x1a/0x30
[   25.980655]
[   25.981260] Freed by task 177:
[   25.981569]  kasan_save_stack+0x3d/0x60
[   25.981817]  kasan_save_track+0x18/0x40
[   25.982457]  kasan_save_free_info+0x3f/0x60
[   25.983185]  __kasan_slab_free+0x56/0x70
[   25.983755]  kfree+0x123/0x3f0
[   25.984216]  kmalloc_uaf_16+0x1d7/0x4c0
[   25.984372]  kunit_try_run_case+0x1b3/0x490
[   25.984721]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.985213]  kthread+0x257/0x310
[   25.985500]  ret_from_fork+0x41/0x80
[   25.985737]  ret_from_fork_asm+0x1a/0x30
[   25.986837]
[   25.987276] The buggy address belongs to the object at ffff8881025733c0
[   25.987276]  which belongs to the cache kmalloc-16 of size 16
[   25.988857] The buggy address is located 0 bytes inside of
[   25.988857]  freed 16-byte region [ffff8881025733c0, ffff8881025733d0)
[   25.989642]
[   25.990207] The buggy address belongs to the physical page:
[   25.991093] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102573
[   25.991756] flags: 0x200000000000000(node=0|zone=2)
[   25.992308] page_type: f5(slab)
[   25.993360] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   25.994043] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   25.994440] page dumped because: kasan: bad access detected
[   25.995153]
[   25.995343] Memory state around the buggy address:
[   25.995680]  ffff888102573280: fa fb fc fc 00 05 fc fc 00 05 fc fc fa fb fc fc
[   25.997168]  ffff888102573300: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   25.997612] >ffff888102573380: fa fb fc fc 00 00 fc fc fa fb fc fc fc fc fc fc
[   25.998252]                                            ^
[   25.998606]  ffff888102573400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.999337]  ffff888102573480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.000582] ==================================================================
```