Date
Dec. 5, 2024, 2:07 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 30.546067] ================================================================== [ 30.547570] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468 [ 30.548737] Read of size 1 at addr fff00000c64e7e28 by task kunit_try_catch/177 [ 30.549678] [ 30.550104] CPU: 1 UID: 0 PID: 177 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241205 #1 [ 30.551829] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.552444] Hardware name: linux,dummy-virt (DT) [ 30.553097] Call trace: [ 30.553583] show_stack+0x20/0x38 (C) [ 30.554180] dump_stack_lvl+0x8c/0xd0 [ 30.554825] print_report+0x118/0x5e0 [ 30.555787] kasan_report+0xc8/0x118 [ 30.556452] __asan_report_load1_noabort+0x20/0x30 [ 30.557101] kmalloc_uaf2+0x3f4/0x468 [ 30.557700] kunit_try_run_case+0x14c/0x3d0 [ 30.558611] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.559893] kthread+0x24c/0x2d0 [ 30.560491] ret_from_fork+0x10/0x20 [ 30.561152] [ 30.561588] Allocated by task 177: [ 30.562076] kasan_save_stack+0x3c/0x68 [ 30.562780] kasan_save_track+0x20/0x40 [ 30.563832] kasan_save_alloc_info+0x40/0x58 [ 30.564455] __kasan_kmalloc+0xd4/0xd8 [ 30.565110] __kmalloc_cache_noprof+0x15c/0x3c0 [ 30.565851] kmalloc_uaf2+0xc4/0x468 [ 30.566542] kunit_try_run_case+0x14c/0x3d0 [ 30.567137] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.568214] kthread+0x24c/0x2d0 [ 30.568766] ret_from_fork+0x10/0x20 [ 30.569440] [ 30.569866] Freed by task 177: [ 30.570432] kasan_save_stack+0x3c/0x68 [ 30.570955] kasan_save_track+0x20/0x40 [ 30.571854] kasan_save_free_info+0x4c/0x78 [ 30.572640] __kasan_slab_free+0x6c/0x98 [ 30.573533] kfree+0x114/0x3c8 [ 30.574017] kmalloc_uaf2+0x134/0x468 [ 30.574708] kunit_try_run_case+0x14c/0x3d0 [ 30.575459] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.576397] kthread+0x24c/0x2d0 [ 30.577066] ret_from_fork+0x10/0x20 [ 30.577570] [ 30.578009] The buggy address belongs to the object at fff00000c64e7e00 [ 30.578009] which belongs to the cache kmalloc-64 of size 64 [ 30.579616] The buggy address is located 40 bytes inside of [ 30.579616] freed 64-byte region [fff00000c64e7e00, fff00000c64e7e40) [ 30.581350] [ 30.581833] The buggy address belongs to the physical page: [ 30.582732] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1064e7 [ 30.584241] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 30.585010] page_type: f5(slab) [ 30.585588] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000 [ 30.586520] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 30.587622] page dumped because: kasan: bad access detected [ 30.588662] [ 30.589242] Memory state around the buggy address: [ 30.589900] fff00000c64e7d00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 30.590623] fff00000c64e7d80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 30.591618] >fff00000c64e7e00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 30.592571] ^ [ 30.593027] fff00000c64e7e80: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc [ 30.594006] fff00000c64e7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.594951] ================================================================== [ 30.031569] ================================================================== [ 30.032797] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438 [ 30.033534] Read of size 16 at addr fff00000c61b4300 by task kunit_try_catch/157 [ 30.034742] [ 30.035159] CPU: 0 UID: 0 PID: 157 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241205 #1 [ 30.036525] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.037473] Hardware name: linux,dummy-virt (DT) [ 30.038280] Call trace: [ 30.038655] show_stack+0x20/0x38 (C) [ 30.039504] dump_stack_lvl+0x8c/0xd0 [ 30.040190] print_report+0x118/0x5e0 [ 30.040891] kasan_report+0xc8/0x118 [ 30.041430] __asan_report_load16_noabort+0x20/0x30 [ 30.042039] kmalloc_uaf_16+0x3bc/0x438 [ 30.042696] kunit_try_run_case+0x14c/0x3d0 [ 30.043257] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.044225] kthread+0x24c/0x2d0 [ 30.044766] ret_from_fork+0x10/0x20 [ 30.045374] [ 30.045711] Allocated by task 157: [ 30.046328] kasan_save_stack+0x3c/0x68 [ 30.047093] kasan_save_track+0x20/0x40 [ 30.047850] kasan_save_alloc_info+0x40/0x58 [ 30.048527] __kasan_kmalloc+0xd4/0xd8 [ 30.049107] __kmalloc_cache_noprof+0x15c/0x3c0 [ 30.049658] kmalloc_uaf_16+0x140/0x438 [ 30.050298] kunit_try_run_case+0x14c/0x3d0 [ 30.050919] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.051949] kthread+0x24c/0x2d0 [ 30.052379] ret_from_fork+0x10/0x20 [ 30.053281] [ 30.053695] Freed by task 157: [ 30.054113] kasan_save_stack+0x3c/0x68 [ 30.054774] kasan_save_track+0x20/0x40 [ 30.055328] kasan_save_free_info+0x4c/0x78 [ 30.056026] __kasan_slab_free+0x6c/0x98 [ 30.056807] kfree+0x114/0x3c8 [ 30.057566] kmalloc_uaf_16+0x190/0x438 [ 30.058102] kunit_try_run_case+0x14c/0x3d0 [ 30.058663] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.059776] kthread+0x24c/0x2d0 [ 30.060305] ret_from_fork+0x10/0x20 [ 30.060870] [ 30.061207] The buggy address belongs to the object at fff00000c61b4300 [ 30.061207] which belongs to the cache kmalloc-16 of size 16 [ 30.062534] The buggy address is located 0 bytes inside of [ 30.062534] freed 16-byte region [fff00000c61b4300, fff00000c61b4310) [ 30.064033] [ 30.064568] The buggy address belongs to the physical page: [ 30.065422] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1061b4 [ 30.066536] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 30.067941] page_type: f5(slab) [ 30.068615] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000 [ 30.069526] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 30.070599] page dumped because: kasan: bad access detected [ 30.071426] [ 30.072286] Memory state around the buggy address: [ 30.073305] fff00000c61b4200: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 30.074212] fff00000c61b4280: 00 04 fc fc fa fb fc fc fa fb fc fc 00 00 fc fc [ 30.075136] >fff00000c61b4300: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.076060] ^ [ 30.076832] fff00000c61b4380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.077917] fff00000c61b4400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.078919] ================================================================== [ 30.433372] ================================================================== [ 30.434584] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338 [ 30.435348] Read of size 1 at addr fff00000c61b4328 by task kunit_try_catch/173 [ 30.436312] [ 30.436686] CPU: 0 UID: 0 PID: 173 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241205 #1 [ 30.438440] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.439451] Hardware name: linux,dummy-virt (DT) [ 30.440177] Call trace: [ 30.440612] show_stack+0x20/0x38 (C) [ 30.441546] dump_stack_lvl+0x8c/0xd0 [ 30.442338] print_report+0x118/0x5e0 [ 30.443124] kasan_report+0xc8/0x118 [ 30.443704] __asan_report_load1_noabort+0x20/0x30 [ 30.444510] kmalloc_uaf+0x300/0x338 [ 30.445213] kunit_try_run_case+0x14c/0x3d0 [ 30.446102] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.446920] kthread+0x24c/0x2d0 [ 30.447785] ret_from_fork+0x10/0x20 [ 30.448303] [ 30.448696] Allocated by task 173: [ 30.449163] kasan_save_stack+0x3c/0x68 [ 30.449757] kasan_save_track+0x20/0x40 [ 30.450542] kasan_save_alloc_info+0x40/0x58 [ 30.451219] __kasan_kmalloc+0xd4/0xd8 [ 30.451913] __kmalloc_cache_noprof+0x15c/0x3c0 [ 30.452515] kmalloc_uaf+0xb8/0x338 [ 30.452782] kunit_try_run_case+0x14c/0x3d0 [ 30.453707] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.454667] kthread+0x24c/0x2d0 [ 30.455161] ret_from_fork+0x10/0x20 [ 30.455738] [ 30.456751] Freed by task 173: [ 30.457275] kasan_save_stack+0x3c/0x68 [ 30.457801] kasan_save_track+0x20/0x40 [ 30.458421] kasan_save_free_info+0x4c/0x78 [ 30.459026] __kasan_slab_free+0x6c/0x98 [ 30.459543] kfree+0x114/0x3c8 [ 30.460110] kmalloc_uaf+0x11c/0x338 [ 30.460634] kunit_try_run_case+0x14c/0x3d0 [ 30.461364] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.462078] kthread+0x24c/0x2d0 [ 30.462651] ret_from_fork+0x10/0x20 [ 30.463168] [ 30.463557] The buggy address belongs to the object at fff00000c61b4320 [ 30.463557] which belongs to the cache kmalloc-16 of size 16 [ 30.465045] The buggy address is located 8 bytes inside of [ 30.465045] freed 16-byte region [fff00000c61b4320, fff00000c61b4330) [ 30.466520] [ 30.466836] The buggy address belongs to the physical page: [ 30.467836] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1061b4 [ 30.468705] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 30.469634] page_type: f5(slab) [ 30.470130] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000 [ 30.471162] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 30.472228] page dumped because: kasan: bad access detected [ 30.472903] [ 30.473243] Memory state around the buggy address: [ 30.473797] fff00000c61b4200: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 30.474717] fff00000c61b4280: 00 04 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 30.475796] >fff00000c61b4300: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc [ 30.476713] ^ [ 30.477388] fff00000c61b4380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.478264] fff00000c61b4400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.479224] ==================================================================
[ 28.227611] ================================================================== [ 28.229276] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x322/0x380 [ 28.230839] Read of size 1 at addr ffff888101a5bc08 by task kunit_try_catch/191 [ 28.231656] [ 28.232531] CPU: 0 UID: 0 PID: 191 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241205 #1 [ 28.233643] Tainted: [B]=BAD_PAGE, [N]=TEST [ 28.234447] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 28.235355] Call Trace: [ 28.235622] <TASK> [ 28.235843] dump_stack_lvl+0x73/0xb0 [ 28.236250] print_report+0xd1/0x640 [ 28.237072] ? __virt_addr_valid+0x1db/0x2d0 [ 28.237624] ? kasan_complete_mode_report_info+0x64/0x200 [ 28.238171] kasan_report+0x102/0x140 [ 28.238723] ? kmalloc_uaf+0x322/0x380 [ 28.240243] ? kmalloc_uaf+0x322/0x380 [ 28.240777] __asan_report_load1_noabort+0x18/0x20 [ 28.241391] kmalloc_uaf+0x322/0x380 [ 28.242439] ? __pfx_kmalloc_uaf+0x10/0x10 [ 28.242894] ? __schedule+0xc70/0x27e0 [ 28.243193] ? __pfx_read_tsc+0x10/0x10 [ 28.243654] ? ktime_get_ts64+0x86/0x230 [ 28.244643] kunit_try_run_case+0x1b3/0x490 [ 28.245347] ? __pfx_kunit_try_run_case+0x10/0x10 [ 28.245780] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 28.246663] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 28.247395] ? __kthread_parkme+0x82/0x160 [ 28.247808] ? preempt_count_sub+0x50/0x80 [ 28.248632] ? __pfx_kunit_try_run_case+0x10/0x10 [ 28.249776] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 28.250485] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 28.251125] kthread+0x257/0x310 [ 28.251573] ? __pfx_kthread+0x10/0x10 [ 28.252264] ret_from_fork+0x41/0x80 [ 28.253284] ? __pfx_kthread+0x10/0x10 [ 28.253704] ret_from_fork_asm+0x1a/0x30 [ 28.254345] </TASK> [ 28.254603] [ 28.255653] Allocated by task 191: [ 28.256262] kasan_save_stack+0x3d/0x60 [ 28.256950] kasan_save_track+0x18/0x40 [ 28.257546] kasan_save_alloc_info+0x3b/0x50 [ 28.258660] __kasan_kmalloc+0xb7/0xc0 [ 28.259374] __kmalloc_cache_noprof+0x184/0x410 [ 28.260268] kmalloc_uaf+0xab/0x380 [ 28.260710] kunit_try_run_case+0x1b3/0x490 [ 28.261811] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 28.262370] kthread+0x257/0x310 [ 28.262735] ret_from_fork+0x41/0x80 [ 28.263081] ret_from_fork_asm+0x1a/0x30 [ 28.263518] [ 28.264307] Freed by task 191: [ 28.264553] kasan_save_stack+0x3d/0x60 [ 28.265273] kasan_save_track+0x18/0x40 [ 28.265948] kasan_save_free_info+0x3f/0x60 [ 28.266621] __kasan_slab_free+0x56/0x70 [ 28.267424] kfree+0x123/0x3f0 [ 28.267726] kmalloc_uaf+0x12d/0x380 [ 28.268557] kunit_try_run_case+0x1b3/0x490 [ 28.269518] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 28.270379] kthread+0x257/0x310 [ 28.271106] ret_from_fork+0x41/0x80 [ 28.271660] ret_from_fork_asm+0x1a/0x30 [ 28.272453] [ 28.272920] The buggy address belongs to the object at ffff888101a5bc00 [ 28.272920] which belongs to the cache kmalloc-16 of size 16 [ 28.274776] The buggy address is located 8 bytes inside of [ 28.274776] freed 16-byte region [ffff888101a5bc00, ffff888101a5bc10) [ 28.276847] [ 28.276994] The buggy address belongs to the physical page: [ 28.277836] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101a5b [ 28.279089] flags: 0x200000000000000(node=0|zone=2) [ 28.279646] page_type: f5(slab) [ 28.280724] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 28.281641] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 28.282581] page dumped because: kasan: bad access detected [ 28.283266] [ 28.283439] Memory state around the buggy address: [ 28.283991] ffff888101a5bb00: fa fb fc fc 00 01 fc fc 00 01 fc fc fa fb fc fc [ 28.284649] ffff888101a5bb80: 00 05 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 28.285733] >ffff888101a5bc00: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.286185] ^ [ 28.286768] ffff888101a5bc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.287618] ffff888101a5bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.288643] ================================================================== [ 27.778408] ================================================================== [ 27.779626] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47d/0x4c0 [ 27.781138] Read of size 16 at addr ffff8881025ed7a0 by task kunit_try_catch/175 [ 27.781765] [ 27.782399] CPU: 1 UID: 0 PID: 175 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241205 #1 [ 27.783804] Tainted: [B]=BAD_PAGE, [N]=TEST [ 27.784701] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 27.785458] Call Trace: [ 27.785767] <TASK> [ 27.786037] dump_stack_lvl+0x73/0xb0 [ 27.786451] print_report+0xd1/0x640 [ 27.786762] ? __virt_addr_valid+0x1db/0x2d0 [ 27.787286] ? kasan_complete_mode_report_info+0x64/0x200 [ 27.787958] kasan_report+0x102/0x140 [ 27.789249] ? kmalloc_uaf_16+0x47d/0x4c0 [ 27.789909] ? kmalloc_uaf_16+0x47d/0x4c0 [ 27.790285] __asan_report_load16_noabort+0x18/0x20 [ 27.790732] kmalloc_uaf_16+0x47d/0x4c0 [ 27.791479] ? __pfx_kmalloc_uaf_16+0x10/0x10 [ 27.792382] ? __schedule+0xc70/0x27e0 [ 27.792849] ? __pfx_read_tsc+0x10/0x10 [ 27.793707] ? ktime_get_ts64+0x86/0x230 [ 27.794294] kunit_try_run_case+0x1b3/0x490 [ 27.794750] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.795222] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 27.796217] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 27.796658] ? __kthread_parkme+0x82/0x160 [ 27.797264] ? preempt_count_sub+0x50/0x80 [ 27.797975] ? __pfx_kunit_try_run_case+0x10/0x10 [ 27.798707] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 27.799396] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.800499] kthread+0x257/0x310 [ 27.801053] ? __pfx_kthread+0x10/0x10 [ 27.801470] ret_from_fork+0x41/0x80 [ 27.802218] ? __pfx_kthread+0x10/0x10 [ 27.802836] ret_from_fork_asm+0x1a/0x30 [ 27.803517] </TASK> [ 27.803649] [ 27.803816] Allocated by task 175: [ 27.804387] kasan_save_stack+0x3d/0x60 [ 27.805206] kasan_save_track+0x18/0x40 [ 27.806135] kasan_save_alloc_info+0x3b/0x50 [ 27.806853] __kasan_kmalloc+0xb7/0xc0 [ 27.807280] __kmalloc_cache_noprof+0x184/0x410 [ 27.807672] kmalloc_uaf_16+0x15c/0x4c0 [ 27.808404] kunit_try_run_case+0x1b3/0x490 [ 27.808863] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.809585] kthread+0x257/0x310 [ 27.810164] ret_from_fork+0x41/0x80 [ 27.810606] ret_from_fork_asm+0x1a/0x30 [ 27.811261] [ 27.811627] Freed by task 175: [ 27.811912] kasan_save_stack+0x3d/0x60 [ 27.812528] kasan_save_track+0x18/0x40 [ 27.812931] kasan_save_free_info+0x3f/0x60 [ 27.813431] __kasan_slab_free+0x56/0x70 [ 27.814040] kfree+0x123/0x3f0 [ 27.814388] kmalloc_uaf_16+0x1d7/0x4c0 [ 27.814760] kunit_try_run_case+0x1b3/0x490 [ 27.815641] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 27.816514] kthread+0x257/0x310 [ 27.817149] ret_from_fork+0x41/0x80 [ 27.817650] ret_from_fork_asm+0x1a/0x30 [ 27.818318] [ 27.818482] The buggy address belongs to the object at ffff8881025ed7a0 [ 27.818482] which belongs to the cache kmalloc-16 of size 16 [ 27.819960] The buggy address is located 0 bytes inside of [ 27.819960] freed 16-byte region [ffff8881025ed7a0, ffff8881025ed7b0) [ 27.820990] [ 27.821386] The buggy address belongs to the physical page: [ 27.822100] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1025ed [ 27.822605] flags: 0x200000000000000(node=0|zone=2) [ 27.823332] page_type: f5(slab) [ 27.823732] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 27.824325] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 27.826634] page dumped because: kasan: bad access detected [ 27.827095] [ 27.827501] Memory state around the buggy address: [ 27.828791] ffff8881025ed680: 00 05 fc fc 00 02 fc fc 00 02 fc fc 00 02 fc fc [ 27.829917] ffff8881025ed700: 00 02 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 27.830829] >ffff8881025ed780: 00 00 fc fc fa fb fc fc fc fc fc fc fc fc fc fc [ 27.832098] ^ [ 27.832832] ffff8881025ed800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.833835] ffff8881025ed880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 27.834893] ================================================================== [ 28.350760] ================================================================== [ 28.351888] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4aa/0x520 [ 28.352509] Read of size 1 at addr ffff888101ab36a8 by task kunit_try_catch/195 [ 28.353653] [ 28.353976] CPU: 0 UID: 0 PID: 195 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241205 #1 [ 28.354985] Tainted: [B]=BAD_PAGE, [N]=TEST [ 28.355557] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 28.356512] Call Trace: [ 28.356855] <TASK> [ 28.357192] dump_stack_lvl+0x73/0xb0 [ 28.357934] print_report+0xd1/0x640 [ 28.358589] ? __virt_addr_valid+0x1db/0x2d0 [ 28.359333] ? kasan_complete_mode_report_info+0x64/0x200 [ 28.359966] kasan_report+0x102/0x140 [ 28.360472] ? kmalloc_uaf2+0x4aa/0x520 [ 28.360668] ? kmalloc_uaf2+0x4aa/0x520 [ 28.361307] __asan_report_load1_noabort+0x18/0x20 [ 28.361967] kmalloc_uaf2+0x4aa/0x520 [ 28.362420] ? __pfx_kmalloc_uaf2+0x10/0x10 [ 28.362976] ? __pfx_read_tsc+0x10/0x10 [ 28.363543] ? __pfx_read_tsc+0x10/0x10 [ 28.364315] ? __pfx_read_tsc+0x10/0x10 [ 28.364889] ? ktime_get_ts64+0x86/0x230 [ 28.365731] kunit_try_run_case+0x1b3/0x490 [ 28.366525] ? __pfx_kunit_try_run_case+0x10/0x10 [ 28.366982] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 28.368052] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 28.368824] ? __kthread_parkme+0x82/0x160 [ 28.369492] ? preempt_count_sub+0x50/0x80 [ 28.370075] ? __pfx_kunit_try_run_case+0x10/0x10 [ 28.370533] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 28.372389] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 28.372953] kthread+0x257/0x310 [ 28.373468] ? __pfx_kthread+0x10/0x10 [ 28.373873] ret_from_fork+0x41/0x80 [ 28.375200] ? __pfx_kthread+0x10/0x10 [ 28.375634] ret_from_fork_asm+0x1a/0x30 [ 28.376848] </TASK> [ 28.377393] [ 28.378190] Allocated by task 195: [ 28.379205] kasan_save_stack+0x3d/0x60 [ 28.379611] kasan_save_track+0x18/0x40 [ 28.381016] kasan_save_alloc_info+0x3b/0x50 [ 28.381558] __kasan_kmalloc+0xb7/0xc0 [ 28.382601] __kmalloc_cache_noprof+0x184/0x410 [ 28.382994] kmalloc_uaf2+0xc7/0x520 [ 28.383818] kunit_try_run_case+0x1b3/0x490 [ 28.384080] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 28.385494] kthread+0x257/0x310 [ 28.386076] ret_from_fork+0x41/0x80 [ 28.386744] ret_from_fork_asm+0x1a/0x30 [ 28.387637] [ 28.387824] Freed by task 195: [ 28.388676] kasan_save_stack+0x3d/0x60 [ 28.389531] kasan_save_track+0x18/0x40 [ 28.389900] kasan_save_free_info+0x3f/0x60 [ 28.390360] __kasan_slab_free+0x56/0x70 [ 28.391626] kfree+0x123/0x3f0 [ 28.391993] kmalloc_uaf2+0x14d/0x520 [ 28.392643] kunit_try_run_case+0x1b3/0x490 [ 28.393211] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 28.394183] kthread+0x257/0x310 [ 28.394521] ret_from_fork+0x41/0x80 [ 28.395067] ret_from_fork_asm+0x1a/0x30 [ 28.395568] [ 28.395777] The buggy address belongs to the object at ffff888101ab3680 [ 28.395777] which belongs to the cache kmalloc-64 of size 64 [ 28.396948] The buggy address is located 40 bytes inside of [ 28.396948] freed 64-byte region [ffff888101ab3680, ffff888101ab36c0) [ 28.399051] [ 28.399522] The buggy address belongs to the physical page: [ 28.400491] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101ab3 [ 28.401409] flags: 0x200000000000000(node=0|zone=2) [ 28.401953] page_type: f5(slab) [ 28.402432] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 [ 28.403346] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 28.404287] page dumped because: kasan: bad access detected [ 28.404778] [ 28.405355] Memory state around the buggy address: [ 28.405699] ffff888101ab3580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 28.406528] ffff888101ab3600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 28.407300] >ffff888101ab3680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 28.408180] ^ [ 28.408673] ffff888101ab3700: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc [ 28.409311] ffff888101ab3780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.410320] ==================================================================