Hay
Date
Dec. 6, 2024, 3:11 p.m.

Environment
qemu-arm64
qemu-x86_64

[   31.476198] ==================================================================
[   31.477328] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   31.478137] Read of size 1 at addr fff00000c66bc228 by task kunit_try_catch/173
[   31.478969] 
[   31.479376] CPU: 1 UID: 0 PID: 173 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc1-next-20241206 #1
[   31.480427] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.481857] Hardware name: linux,dummy-virt (DT)
[   31.482661] Call trace:
[   31.483409]  show_stack+0x20/0x38 (C)
[   31.484059]  dump_stack_lvl+0x8c/0xd0
[   31.484676]  print_report+0x118/0x5e0
[   31.485267]  kasan_report+0xc8/0x118
[   31.485794]  __asan_report_load1_noabort+0x20/0x30
[   31.487060]  kmalloc_uaf+0x300/0x338
[   31.487624]  kunit_try_run_case+0x14c/0x3d0
[   31.488337]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.489165]  kthread+0x24c/0x2d0
[   31.489755]  ret_from_fork+0x10/0x20
[   31.490352] 
[   31.490742] Allocated by task 173:
[   31.491555]  kasan_save_stack+0x3c/0x68
[   31.492172]  kasan_save_track+0x20/0x40
[   31.493011]  kasan_save_alloc_info+0x40/0x58
[   31.493624]  __kasan_kmalloc+0xd4/0xd8
[   31.494945]  __kmalloc_cache_noprof+0x15c/0x3c0
[   31.495705]  kmalloc_uaf+0xb8/0x338
[   31.496320]  kunit_try_run_case+0x14c/0x3d0
[   31.496898]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.497235]  kthread+0x24c/0x2d0
[   31.497474]  ret_from_fork+0x10/0x20
[   31.497972] 
[   31.498322] Freed by task 173:
[   31.498870]  kasan_save_stack+0x3c/0x68
[   31.499393]  kasan_save_track+0x20/0x40
[   31.500294]  kasan_save_free_info+0x4c/0x78
[   31.500886]  __kasan_slab_free+0x6c/0x98
[   31.501493]  kfree+0x114/0x3c8
[   31.501952]  kmalloc_uaf+0x11c/0x338
[   31.503368]  kunit_try_run_case+0x14c/0x3d0
[   31.503946]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.504731]  kthread+0x24c/0x2d0
[   31.505348]  ret_from_fork+0x10/0x20
[   31.506003] 
[   31.506833] The buggy address belongs to the object at fff00000c66bc220
[   31.506833]  which belongs to the cache kmalloc-16 of size 16
[   31.508200] The buggy address is located 8 bytes inside of
[   31.508200]  freed 16-byte region [fff00000c66bc220, fff00000c66bc230)
[   31.509438] 
[   31.509832] The buggy address belongs to the physical page:
[   31.510642] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1066bc
[   31.511679] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.513279] page_type: f5(slab)
[   31.513855] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   31.515207] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   31.516050] page dumped because: kasan: bad access detected
[   31.516727] 
[   31.517091] Memory state around the buggy address:
[   31.517644]  fff00000c66bc100: 00 05 fc fc fa fb fc fc 00 02 fc fc fa fb fc fc
[   31.518634]  fff00000c66bc180: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   31.520435] >fff00000c66bc200: 00 04 fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   31.521192]                                   ^
[   31.521817]  fff00000c66bc280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.522934]  fff00000c66bc300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.523740] ==================================================================
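The five "Memory state" rows of the kmalloc_uaf report above can be decoded mechanically. What follows is an added example (not part of this test log and not code from the kernel's KASAN test suite): it parses those rows, copied verbatim from the report, and replays the check generic KASAN makes for the reported 1-byte read at fff00000c66bc228. The shadow-byte meanings are the ones from mm/kasan/kasan.h for CONFIG_KASAN_GENERIC (0x00 all eight bytes of the granule addressable, 1..7 only the first N bytes, 0xfa/0xfb a freed slab object, named KASAN_SLAB_FREETRACK and KASAN_SLAB_FREE in recent kernels, 0xfc the slab redzone). The function names and the sample array are this example's own.

```c
/* Added example, not part of the test log: decode the "Memory state around the
 * buggy address" rows of a generic-KASAN report and replay the check KASAN
 * makes for an access. Shadow values follow mm/kasan/kasan.h (generic mode). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_GRANULE_SIZE 8   /* memory bytes covered by one shadow byte */
#define META_BYTES_PER_ROW 16  /* shadow bytes per printed row */

struct shadow_row {
    uint64_t base;                     /* address covered by meta[0] */
    uint8_t  meta[META_BYTES_PER_ROW];
};

/* 0x00: all 8 bytes addressable; 1..7: only the first N bytes; 0xf8+: poison. */
static const char *shadow_name(unsigned v)
{
    if (v == 0)                 return "addressable";
    if (v < KASAN_GRANULE_SIZE) return "partially addressable";
    if (v == 0xfa || v == 0xfb) return "freed slab object";
    if (v == 0xfc)              return "slab redzone";
    return "other poison";
}

/* Parse "[   31.520435] >fff00000c66bc200: 00 04 fc ..." (printk timestamp
 * and '>' marker optional). Returns 0 on success, -1 on a malformed row. */
static int parse_shadow_row(const char *line, struct shadow_row *row)
{
    const char *p = strchr(line, ']');
    char *end;
    p = p ? p + 1 : line;
    p += strspn(p, " >");               /* skip the separator and the '>' */
    row->base = strtoull(p, &end, 16);
    if (end == p || *end != ':')
        return -1;
    for (int i = 0; i < META_BYTES_PER_ROW; i++) {
        const char *start = end + 1;    /* past ':' or the preceding space */
        unsigned long v = strtoul(start, &end, 16);
        if (end == start || v > 0xff)
            return -1;
        row->meta[i] = (uint8_t)v;
    }
    return 0;
}

/* Shadow byte covering addr, or -1 if no parsed row covers it. */
static int shadow_at(const struct shadow_row *rows, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= rows[i].base &&
            addr - rows[i].base < META_BYTES_PER_ROW * KASAN_GRANULE_SIZE)
            return rows[i].meta[(addr - rows[i].base) / KASAN_GRANULE_SIZE];
    return -1;
}

/* KASAN's decision for a size-byte access at addr: 0 if every byte is
 * addressable, else the shadow byte of the first poisoned byte (its address
 * is stored in *bad when bad != NULL), or -1 if the rows do not cover it. */
static int access_check(const struct shadow_row *rows, size_t n,
                        uint64_t addr, size_t size, uint64_t *bad)
{
    for (uint64_t a = addr; a < addr + size; a++) {
        int s = shadow_at(rows, n, a);
        if (s < 0)
            return -1;
        /* byte a is valid iff s == 0 or its offset inside the granule is < s */
        if (s && (s >= KASAN_GRANULE_SIZE || a % KASAN_GRANULE_SIZE >= (uint64_t)s)) {
            if (bad) *bad = a;
            return s;
        }
    }
    return 0;
}

/* Rows copied from the kmalloc_uaf report above (qemu-arm64). */
static const char *const sample_rows[] = {
    "[   31.517644]  fff00000c66bc100: 00 05 fc fc fa fb fc fc 00 02 fc fc fa fb fc fc",
    "[   31.518634]  fff00000c66bc180: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc",
    "[   31.520435] >fff00000c66bc200: 00 04 fc fc fa fb fc fc fc fc fc fc fc fc fc fc",
    "[   31.521817]  fff00000c66bc280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    "[   31.522934]  fff00000c66bc300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
};
#define NSAMPLE (sizeof(sample_rows) / sizeof(sample_rows[0]))

/* Parse the sample rows and replay a size-byte access at addr against them. */
static int check_sample(uint64_t addr, size_t size, uint64_t *bad)
{
    struct shadow_row rows[NSAMPLE];
    size_t n = 0;
    for (size_t i = 0; i < NSAMPLE; i++)
        n += parse_shadow_row(sample_rows[i], &rows[n]) == 0;
    return access_check(rows, n, addr, size, bad);
}

int main(void)
{
    uint64_t bad = 0;   /* "Read of size 1 at addr fff00000c66bc228" */
    int s = check_sample(0xfff00000c66bc228ULL, 1, &bad);
    printf("shadow %#x (%s) at %#llx\n", s, shadow_name((unsigned)s),
           (unsigned long long)bad);
    return s > 0 ? 0 : 1;
}
```

Build with `cc -std=c11 -Wall decode.c`. The reported address is 0x28 bytes into the `>` row, i.e. granule 5, whose shadow byte is `fb` (freed object); that is also why the kernel's `^` sits under the sixth pair of the row, since `meta_pointer_offset()` in mm/kasan/report.c places it at 19 columns plus 3 per granule. The `00 04` pair at the start of the same row is a live 12-byte allocation in the neighbouring kmalloc-16 slot: a 4-byte read at fff00000c66bc208 passes, a 5-byte read trips on shadow value 4, which is how a partial-granule overflow is reported. The reports on this page are the expected output of the KASAN KUnit self-tests under mm/kasan/ (kmalloc_uaf, kmalloc_uaf2, kmalloc_uaf_16 free an object and then read it on purpose), which is what the `[N]=TEST` taint flag marks; they indicate that KASAN is working, not that 6.13.0-rc1-next-20241206 has a slab bug.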
[   31.593940] ==================================================================
[   31.595016] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[   31.595863] Read of size 1 at addr fff00000c6729d28 by task kunit_try_catch/177
[   31.596849] 
[   31.597767] CPU: 1 UID: 0 PID: 177 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc1-next-20241206 #1
[   31.599503] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.600024] Hardware name: linux,dummy-virt (DT)
[   31.600734] Call trace:
[   31.601135]  show_stack+0x20/0x38 (C)
[   31.601793]  dump_stack_lvl+0x8c/0xd0
[   31.602783]  print_report+0x118/0x5e0
[   31.603436]  kasan_report+0xc8/0x118
[   31.604087]  __asan_report_load1_noabort+0x20/0x30
[   31.604934]  kmalloc_uaf2+0x3f4/0x468
[   31.605476]  kunit_try_run_case+0x14c/0x3d0
[   31.606100]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.607350]  kthread+0x24c/0x2d0
[   31.607961]  ret_from_fork+0x10/0x20
[   31.608577] 
[   31.608949] Allocated by task 177:
[   31.609561]  kasan_save_stack+0x3c/0x68
[   31.610150]  kasan_save_track+0x20/0x40
[   31.611211]  kasan_save_alloc_info+0x40/0x58
[   31.611890]  __kasan_kmalloc+0xd4/0xd8
[   31.612526]  __kmalloc_cache_noprof+0x15c/0x3c0
[   31.613182]  kmalloc_uaf2+0xc4/0x468
[   31.613831]  kunit_try_run_case+0x14c/0x3d0
[   31.614531]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.615308]  kthread+0x24c/0x2d0
[   31.615797]  ret_from_fork+0x10/0x20
[   31.616354] 
[   31.616753] Freed by task 177:
[   31.617557]  kasan_save_stack+0x3c/0x68
[   31.618329]  kasan_save_track+0x20/0x40
[   31.619231]  kasan_save_free_info+0x4c/0x78
[   31.620125]  __kasan_slab_free+0x6c/0x98
[   31.620947]  kfree+0x114/0x3c8
[   31.621393]  kmalloc_uaf2+0x134/0x468
[   31.622015]  kunit_try_run_case+0x14c/0x3d0
[   31.623198]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.624029]  kthread+0x24c/0x2d0
[   31.624692]  ret_from_fork+0x10/0x20
[   31.625188] 
[   31.625495] The buggy address belongs to the object at fff00000c6729d00
[   31.625495]  which belongs to the cache kmalloc-64 of size 64
[   31.627080] The buggy address is located 40 bytes inside of
[   31.627080]  freed 64-byte region [fff00000c6729d00, fff00000c6729d40)
[   31.629299] 
[   31.629701] The buggy address belongs to the physical page:
[   31.630465] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106729
[   31.631582] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.632638] page_type: f5(slab)
[   31.633044] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   31.633999] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   31.635306] page dumped because: kasan: bad access detected
[   31.635976] 
[   31.636306] Memory state around the buggy address:
[   31.636845]  fff00000c6729c00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.637679]  fff00000c6729c80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.638695] >fff00000c6729d00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.639786]                                   ^
[   31.640419]  fff00000c6729d80: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   31.641143]  fff00000c6729e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.642022] ==================================================================
[   31.049941] ==================================================================
[   31.051037] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[   31.051872] Read of size 16 at addr fff00000c5b51880 by task kunit_try_catch/157
[   31.052713] 
[   31.053101] CPU: 0 UID: 0 PID: 157 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc1-next-20241206 #1
[   31.054210] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.055175] Hardware name: linux,dummy-virt (DT)
[   31.055789] Call trace:
[   31.056241]  show_stack+0x20/0x38 (C)
[   31.056878]  dump_stack_lvl+0x8c/0xd0
[   31.057376]  print_report+0x118/0x5e0
[   31.058015]  kasan_report+0xc8/0x118
[   31.058645]  __asan_report_load16_noabort+0x20/0x30
[   31.059338]  kmalloc_uaf_16+0x3bc/0x438
[   31.060151]  kunit_try_run_case+0x14c/0x3d0
[   31.060878]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.061693]  kthread+0x24c/0x2d0
[   31.062765]  ret_from_fork+0x10/0x20
[   31.063360] 
[   31.063736] Allocated by task 157:
[   31.064240]  kasan_save_stack+0x3c/0x68
[   31.064789]  kasan_save_track+0x20/0x40
[   31.065330]  kasan_save_alloc_info+0x40/0x58
[   31.065894]  __kasan_kmalloc+0xd4/0xd8
[   31.066416]  __kmalloc_cache_noprof+0x15c/0x3c0
[   31.067420]  kmalloc_uaf_16+0x140/0x438
[   31.068159]  kunit_try_run_case+0x14c/0x3d0
[   31.068879]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.069626]  kthread+0x24c/0x2d0
[   31.070207]  ret_from_fork+0x10/0x20
[   31.071135] 
[   31.071425] Freed by task 157:
[   31.071951]  kasan_save_stack+0x3c/0x68
[   31.072649]  kasan_save_track+0x20/0x40
[   31.073907]  kasan_save_free_info+0x4c/0x78
[   31.074390]  __kasan_slab_free+0x6c/0x98
[   31.075089]  kfree+0x114/0x3c8
[   31.075727]  kmalloc_uaf_16+0x190/0x438
[   31.076342]  kunit_try_run_case+0x14c/0x3d0
[   31.076983]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.077812]  kthread+0x24c/0x2d0
[   31.078366]  ret_from_fork+0x10/0x20
[   31.078979] 
[   31.079348] The buggy address belongs to the object at fff00000c5b51880
[   31.079348]  which belongs to the cache kmalloc-16 of size 16
[   31.081126] The buggy address is located 0 bytes inside of
[   31.081126]  freed 16-byte region [fff00000c5b51880, fff00000c5b51890)
[   31.082666] 
[   31.083175] The buggy address belongs to the physical page:
[   31.084010] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105b51
[   31.085073] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.086150] page_type: f5(slab)
[   31.086622] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   31.087740] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   31.088769] page dumped because: kasan: bad access detected
[   31.089396] 
[   31.089744] Memory state around the buggy address:
[   31.090414]  fff00000c5b51780: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   31.091495]  fff00000c5b51800: fa fb fc fc fa fb fc fc fa fb fc fc 00 00 fc fc
[   31.092499] >fff00000c5b51880: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.093490]                    ^
[   31.094235]  fff00000c5b51900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.095299]  fff00000c5b51980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.096326] ==================================================================

[   23.565415] ==================================================================
[   23.566637] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47d/0x4c0
[   23.567559] Read of size 16 at addr ffff888101fff6e0 by task kunit_try_catch/176
[   23.568451] 
[   23.568889] CPU: 1 UID: 0 PID: 176 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc1-next-20241206 #1
[   23.570879] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.571487] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.572212] Call Trace:
[   23.572974]  <TASK>
[   23.573504]  dump_stack_lvl+0x73/0xb0
[   23.574335]  print_report+0xd1/0x640
[   23.574868]  ? __virt_addr_valid+0x1db/0x2d0
[   23.576017]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.576609]  kasan_report+0x102/0x140
[   23.577415]  ? kmalloc_uaf_16+0x47d/0x4c0
[   23.577708]  ? kmalloc_uaf_16+0x47d/0x4c0
[   23.578738]  __asan_report_load16_noabort+0x18/0x20
[   23.579646]  kmalloc_uaf_16+0x47d/0x4c0
[   23.579983]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[   23.581083]  ? __schedule+0xc70/0x27e0
[   23.582020]  ? __pfx_read_tsc+0x10/0x10
[   23.582751]  ? ktime_get_ts64+0x86/0x230
[   23.583759]  kunit_try_run_case+0x1b3/0x490
[   23.585119]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.585840]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   23.586114]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.586349]  ? __kthread_parkme+0x82/0x160
[   23.586689]  ? preempt_count_sub+0x50/0x80
[   23.587171]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.587470]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.587850]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.588798]  kthread+0x257/0x310
[   23.589901]  ? __pfx_kthread+0x10/0x10
[   23.590499]  ret_from_fork+0x41/0x80
[   23.591211]  ? __pfx_kthread+0x10/0x10
[   23.591603]  ret_from_fork_asm+0x1a/0x30
[   23.592171]  </TASK>
[   23.592628] 
[   23.593188] Allocated by task 176:
[   23.593895]  kasan_save_stack+0x3d/0x60
[   23.594373]  kasan_save_track+0x18/0x40
[   23.595758]  kasan_save_alloc_info+0x3b/0x50
[   23.596799]  __kasan_kmalloc+0xb7/0xc0
[   23.597132]  __kmalloc_cache_noprof+0x184/0x410
[   23.598086]  kmalloc_uaf_16+0x15c/0x4c0
[   23.598657]  kunit_try_run_case+0x1b3/0x490
[   23.599362]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.600141]  kthread+0x257/0x310
[   23.600796]  ret_from_fork+0x41/0x80
[   23.601258]  ret_from_fork_asm+0x1a/0x30
[   23.601795] 
[   23.602140] Freed by task 176:
[   23.602736]  kasan_save_stack+0x3d/0x60
[   23.603189]  kasan_save_track+0x18/0x40
[   23.603951]  kasan_save_free_info+0x3f/0x60
[   23.604259]  __kasan_slab_free+0x56/0x70
[   23.604724]  kfree+0x123/0x3f0
[   23.605364]  kmalloc_uaf_16+0x1d7/0x4c0
[   23.605986]  kunit_try_run_case+0x1b3/0x490
[   23.606610]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.607592]  kthread+0x257/0x310
[   23.608138]  ret_from_fork+0x41/0x80
[   23.609113]  ret_from_fork_asm+0x1a/0x30
[   23.609472] 
[   23.609639] The buggy address belongs to the object at ffff888101fff6e0
[   23.609639]  which belongs to the cache kmalloc-16 of size 16
[   23.611079] The buggy address is located 0 bytes inside of
[   23.611079]  freed 16-byte region [ffff888101fff6e0, ffff888101fff6f0)
[   23.612265] 
[   23.612693] The buggy address belongs to the physical page:
[   23.613407] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101fff
[   23.614457] flags: 0x200000000000000(node=0|zone=2)
[   23.614984] page_type: f5(slab)
[   23.615549] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   23.616830] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   23.618558] page dumped because: kasan: bad access detected
[   23.619343] 
[   23.619542] Memory state around the buggy address:
[   23.620281]  ffff888101fff580: fa fb fc fc 00 02 fc fc 00 02 fc fc 00 00 fc fc
[   23.621243]  ffff888101fff600: 00 00 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   23.622064] >ffff888101fff680: fa fb fc fc 00 04 fc fc 00 00 fc fc fa fb fc fc
[   23.622755]                                                        ^
[   23.623442]  ffff888101fff700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.624455]  ffff888101fff780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.625373] ==================================================================
[   24.219009] ==================================================================
[   24.219858] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4aa/0x520
[   24.220593] Read of size 1 at addr ffff888102470ca8 by task kunit_try_catch/196
[   24.221284] 
[   24.221664] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc1-next-20241206 #1
[   24.222845] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.223344] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.224179] Call Trace:
[   24.224410]  <TASK>
[   24.224966]  dump_stack_lvl+0x73/0xb0
[   24.225627]  print_report+0xd1/0x640
[   24.226095]  ? __virt_addr_valid+0x1db/0x2d0
[   24.226720]  ? kasan_complete_mode_report_info+0x64/0x200
[   24.227225]  kasan_report+0x102/0x140
[   24.227833]  ? kmalloc_uaf2+0x4aa/0x520
[   24.228321]  ? kmalloc_uaf2+0x4aa/0x520
[   24.228733]  __asan_report_load1_noabort+0x18/0x20
[   24.229100]  kmalloc_uaf2+0x4aa/0x520
[   24.229679]  ? __pfx_kmalloc_uaf2+0x10/0x10
[   24.230535]  ? finish_task_switch.isra.0+0x153/0x700
[   24.231129]  ? __switch_to+0x5d9/0xf60
[   24.231606]  ? __schedule+0xc70/0x27e0
[   24.231953]  ? __pfx_read_tsc+0x10/0x10
[   24.232725]  ? ktime_get_ts64+0x86/0x230
[   24.233381]  kunit_try_run_case+0x1b3/0x490
[   24.233887]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.234416]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   24.234756]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.235115]  ? __kthread_parkme+0x82/0x160
[   24.235625]  ? preempt_count_sub+0x50/0x80
[   24.236430]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.237025]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.237805]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.238410]  kthread+0x257/0x310
[   24.238779]  ? __pfx_kthread+0x10/0x10
[   24.239271]  ret_from_fork+0x41/0x80
[   24.239945]  ? __pfx_kthread+0x10/0x10
[   24.240437]  ret_from_fork_asm+0x1a/0x30
[   24.240760]  </TASK>
[   24.241074] 
[   24.241466] Allocated by task 196:
[   24.242023]  kasan_save_stack+0x3d/0x60
[   24.242619]  kasan_save_track+0x18/0x40
[   24.243051]  kasan_save_alloc_info+0x3b/0x50
[   24.243673]  __kasan_kmalloc+0xb7/0xc0
[   24.244115]  __kmalloc_cache_noprof+0x184/0x410
[   24.244427]  kmalloc_uaf2+0xc7/0x520
[   24.244690]  kunit_try_run_case+0x1b3/0x490
[   24.245321]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.246043]  kthread+0x257/0x310
[   24.246628]  ret_from_fork+0x41/0x80
[   24.247140]  ret_from_fork_asm+0x1a/0x30
[   24.247607] 
[   24.247888] Freed by task 196:
[   24.248314]  kasan_save_stack+0x3d/0x60
[   24.248656]  kasan_save_track+0x18/0x40
[   24.248973]  kasan_save_free_info+0x3f/0x60
[   24.249271]  __kasan_slab_free+0x56/0x70
[   24.249556]  kfree+0x123/0x3f0
[   24.250003]  kmalloc_uaf2+0x14d/0x520
[   24.250622]  kunit_try_run_case+0x1b3/0x490
[   24.251190]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.252100]  kthread+0x257/0x310
[   24.252514]  ret_from_fork+0x41/0x80
[   24.252786]  ret_from_fork_asm+0x1a/0x30
[   24.253236] 
[   24.253485] The buggy address belongs to the object at ffff888102470c80
[   24.253485]  which belongs to the cache kmalloc-64 of size 64
[   24.255262] The buggy address is located 40 bytes inside of
[   24.255262]  freed 64-byte region [ffff888102470c80, ffff888102470cc0)
[   24.256692] 
[   24.256879] The buggy address belongs to the physical page:
[   24.257516] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102470
[   24.258885] flags: 0x200000000000000(node=0|zone=2)
[   24.259263] page_type: f5(slab)
[   24.259528] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   24.260475] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   24.261834] page dumped because: kasan: bad access detected
[   24.262524] 
[   24.262797] Memory state around the buggy address:
[   24.263372]  ffff888102470b80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   24.263791]  ffff888102470c00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   24.264980] >ffff888102470c80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   24.265562]                                   ^
[   24.266381]  ffff888102470d00: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   24.267501]  ffff888102470d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.268747] ==================================================================
[   24.067069] ==================================================================
[   24.068999] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x322/0x380
[   24.070559] Read of size 1 at addr ffff888101b3ccc8 by task kunit_try_catch/192
[   24.071474] 
[   24.072247] CPU: 0 UID: 0 PID: 192 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc1-next-20241206 #1
[   24.073524] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.073991] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.074824] Call Trace:
[   24.075964]  <TASK>
[   24.076204]  dump_stack_lvl+0x73/0xb0
[   24.077044]  print_report+0xd1/0x640
[   24.078297]  ? __virt_addr_valid+0x1db/0x2d0
[   24.079021]  ? kasan_complete_mode_report_info+0x64/0x200
[   24.079535]  kasan_report+0x102/0x140
[   24.080398]  ? kmalloc_uaf+0x322/0x380
[   24.081470]  ? kmalloc_uaf+0x322/0x380
[   24.082386]  __asan_report_load1_noabort+0x18/0x20
[   24.082879]  kmalloc_uaf+0x322/0x380
[   24.083460]  ? __pfx_kmalloc_uaf+0x10/0x10
[   24.084209]  ? __pfx_kmalloc_uaf+0x10/0x10
[   24.084856]  kunit_try_run_case+0x1b3/0x490
[   24.085517]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.086119]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   24.086542]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.087861]  ? __kthread_parkme+0x82/0x160
[   24.088181]  ? preempt_count_sub+0x50/0x80
[   24.088818]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.089583]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.090471]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.091893]  kthread+0x257/0x310
[   24.092398]  ? __pfx_kthread+0x10/0x10
[   24.093022]  ret_from_fork+0x41/0x80
[   24.093822]  ? __pfx_kthread+0x10/0x10
[   24.095152]  ret_from_fork_asm+0x1a/0x30
[   24.095631]  </TASK>
[   24.095897] 
[   24.096410] Allocated by task 192:
[   24.097676]  kasan_save_stack+0x3d/0x60
[   24.098026]  kasan_save_track+0x18/0x40
[   24.099052]  kasan_save_alloc_info+0x3b/0x50
[   24.100185]  __kasan_kmalloc+0xb7/0xc0
[   24.100443]  __kmalloc_cache_noprof+0x184/0x410
[   24.100833]  kmalloc_uaf+0xab/0x380
[   24.101585]  kunit_try_run_case+0x1b3/0x490
[   24.102396]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.103854]  kthread+0x257/0x310
[   24.104842]  ret_from_fork+0x41/0x80
[   24.105243]  ret_from_fork_asm+0x1a/0x30
[   24.105891] 
[   24.106576] Freed by task 192:
[   24.107019]  kasan_save_stack+0x3d/0x60
[   24.108648]  kasan_save_track+0x18/0x40
[   24.108866]  kasan_save_free_info+0x3f/0x60
[   24.109808]  __kasan_slab_free+0x56/0x70
[   24.110842]  kfree+0x123/0x3f0
[   24.111135]  kmalloc_uaf+0x12d/0x380
[   24.112143]  kunit_try_run_case+0x1b3/0x490
[   24.112815]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.113895]  kthread+0x257/0x310
[   24.114199]  ret_from_fork+0x41/0x80
[   24.114654]  ret_from_fork_asm+0x1a/0x30
[   24.115120] 
[   24.115308] The buggy address belongs to the object at ffff888101b3ccc0
[   24.115308]  which belongs to the cache kmalloc-16 of size 16
[   24.117441] The buggy address is located 8 bytes inside of
[   24.117441]  freed 16-byte region [ffff888101b3ccc0, ffff888101b3ccd0)
[   24.119253] 
[   24.119478] The buggy address belongs to the physical page:
[   24.120339] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101b3c
[   24.121573] flags: 0x200000000000000(node=0|zone=2)
[   24.122097] page_type: f5(slab)
[   24.124962] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   24.125446] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   24.126724] page dumped because: kasan: bad access detected
[   24.127301] 
[   24.128170] Memory state around the buggy address:
[   24.128458]  ffff888101b3cb80: 00 02 fc fc 00 05 fc fc 00 02 fc fc 00 02 fc fc
[   24.130150]  ffff888101b3cc00: 00 02 fc fc 00 02 fc fc 00 05 fc fc fa fb fc fc
[   24.130799] >ffff888101b3cc80: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc
[   24.132016]                                               ^
[   24.132526]  ffff888101b3cd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.133292]  ffff888101b3cd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.134152] ==================================================================