Date
Dec. 9, 2024, 6:35 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 24.154123] ================================================================== [ 24.155481] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438 [ 24.156991] Read of size 16 at addr fff00000c63611c0 by task kunit_try_catch/156 [ 24.157781] [ 24.158111] CPU: 1 UID: 0 PID: 156 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc2-next-20241209 #1 [ 24.159693] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.160198] Hardware name: linux,dummy-virt (DT) [ 24.160896] Call trace: [ 24.161253] show_stack+0x20/0x38 (C) [ 24.162321] dump_stack_lvl+0x8c/0xd0 [ 24.163257] print_report+0x118/0x5e0 [ 24.163924] kasan_report+0xc8/0x118 [ 24.164590] __asan_report_load16_noabort+0x20/0x30 [ 24.165217] kmalloc_uaf_16+0x3bc/0x438 [ 24.165752] kunit_try_run_case+0x14c/0x3d0 [ 24.166380] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.167021] kthread+0x24c/0x2d0 [ 24.167781] ret_from_fork+0x10/0x20 [ 24.168300] [ 24.168681] Allocated by task 156: [ 24.169139] kasan_save_stack+0x3c/0x68 [ 24.169772] kasan_save_track+0x20/0x40 [ 24.170298] kasan_save_alloc_info+0x40/0x58 [ 24.170927] __kasan_kmalloc+0xd4/0xd8 [ 24.171442] __kmalloc_cache_noprof+0x15c/0x3c0 [ 24.171936] kmalloc_uaf_16+0x140/0x438 [ 24.172895] kunit_try_run_case+0x14c/0x3d0 [ 24.173467] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.174078] kthread+0x24c/0x2d0 [ 24.174499] ret_from_fork+0x10/0x20 [ 24.175013] [ 24.175284] Freed by task 156: [ 24.176239] kasan_save_stack+0x3c/0x68 [ 24.176882] kasan_save_track+0x20/0x40 [ 24.177511] kasan_save_free_info+0x4c/0x78 [ 24.178170] __kasan_slab_free+0x6c/0x98 [ 24.179097] kfree+0x114/0x3c8 [ 24.179579] kmalloc_uaf_16+0x190/0x438 [ 24.180164] kunit_try_run_case+0x14c/0x3d0 [ 24.180851] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.181610] kthread+0x24c/0x2d0 [ 24.182148] ret_from_fork+0x10/0x20 [ 24.182378] [ 24.182515] The buggy address belongs to the object at fff00000c63611c0 [ 24.182515] which belongs to the cache kmalloc-16 of size 16 [ 24.183890] The buggy address is located 0 bytes inside of [ 24.183890] freed 16-byte region [fff00000c63611c0, fff00000c63611d0) [ 24.185319] [ 24.185686] The buggy address belongs to the physical page: [ 24.186326] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106361 [ 24.187516] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 24.188263] page_type: f5(slab) [ 24.188804] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000 [ 24.189630] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 24.190449] page dumped because: kasan: bad access detected [ 24.191288] [ 24.191595] Memory state around the buggy address: [ 24.192285] fff00000c6361080: 00 02 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 24.193175] fff00000c6361100: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 24.193928] >fff00000c6361180: fa fb fc fc 00 00 fc fc fa fb fc fc fc fc fc fc [ 24.194748] ^ [ 24.195674] fff00000c6361200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.196499] fff00000c6361280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.197292] ================================================================== [ 24.678121] ================================================================== [ 24.679154] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468 [ 24.679944] Read of size 1 at addr fff00000c125aea8 by task kunit_try_catch/176 [ 24.680794] [ 24.681234] CPU: 1 UID: 0 PID: 176 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc2-next-20241209 #1 [ 24.682508] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.683072] Hardware name: linux,dummy-virt (DT) [ 24.683762] Call trace: [ 24.684201] show_stack+0x20/0x38 (C) [ 24.684868] dump_stack_lvl+0x8c/0xd0 [ 24.685468] print_report+0x118/0x5e0 [ 24.686073] kasan_report+0xc8/0x118 [ 24.686628] __asan_report_load1_noabort+0x20/0x30 [ 24.687325] kmalloc_uaf2+0x3f4/0x468 [ 24.687906] kunit_try_run_case+0x14c/0x3d0 [ 24.688535] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.689269] kthread+0x24c/0x2d0 [ 24.689835] ret_from_fork+0x10/0x20 [ 24.690402] [ 24.690776] Allocated by task 176: [ 24.691296] kasan_save_stack+0x3c/0x68 [ 24.691962] kasan_save_track+0x20/0x40 [ 24.692577] kasan_save_alloc_info+0x40/0x58 [ 24.693228] __kasan_kmalloc+0xd4/0xd8 [ 24.693869] __kmalloc_cache_noprof+0x15c/0x3c0 [ 24.694560] kmalloc_uaf2+0xc4/0x468 [ 24.695113] kunit_try_run_case+0x14c/0x3d0 [ 24.695756] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.696450] kthread+0x24c/0x2d0 [ 24.697015] ret_from_fork+0x10/0x20 [ 24.697576] [ 24.697893] Freed by task 176: [ 24.698406] kasan_save_stack+0x3c/0x68 [ 24.699036] kasan_save_track+0x20/0x40 [ 24.699574] kasan_save_free_info+0x4c/0x78 [ 24.700232] __kasan_slab_free+0x6c/0x98 [ 24.700856] kfree+0x114/0x3c8 [ 24.701348] kmalloc_uaf2+0x134/0x468 [ 24.701946] kunit_try_run_case+0x14c/0x3d0 [ 24.702585] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.703277] kthread+0x24c/0x2d0 [ 24.703817] ret_from_fork+0x10/0x20 [ 24.704404] [ 24.704824] The buggy address belongs to the object at fff00000c125ae80 [ 24.704824] which belongs to the cache kmalloc-64 of size 64 [ 24.706104] The buggy address is located 40 bytes inside of [ 24.706104] freed 64-byte region [fff00000c125ae80, fff00000c125aec0) [ 24.707402] [ 24.707774] The buggy address belongs to the physical page: [ 24.708420] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10125a [ 24.709345] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 24.710159] page_type: f5(slab) [ 24.710689] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000 [ 24.711621] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 24.712456] page dumped because: kasan: bad access detected [ 24.713149] [ 24.713473] Memory state around the buggy address: [ 24.714179] fff00000c125ad80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 24.715042] fff00000c125ae00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 24.715886] >fff00000c125ae80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 24.716681] ^ [ 24.717327] fff00000c125af00: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc [ 24.718185] fff00000c125af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.718990] ================================================================== [ 24.550411] ================================================================== [ 24.554020] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338 [ 24.556388] Read of size 1 at addr fff00000c63611e8 by task kunit_try_catch/172 [ 24.559018] [ 24.559609] CPU: 1 UID: 0 PID: 172 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc2-next-20241209 #1 [ 24.561976] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.563221] Hardware name: linux,dummy-virt (DT) [ 24.564912] Call trace: [ 24.566019] show_stack+0x20/0x38 (C) [ 24.566654] dump_stack_lvl+0x8c/0xd0 [ 24.569204] print_report+0x118/0x5e0 [ 24.570373] kasan_report+0xc8/0x118 [ 24.570799] __asan_report_load1_noabort+0x20/0x30 [ 24.571270] kmalloc_uaf+0x300/0x338 [ 24.571655] kunit_try_run_case+0x14c/0x3d0 [ 24.573632] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.575551] kthread+0x24c/0x2d0 [ 24.576969] ret_from_fork+0x10/0x20 [ 24.579079] [ 24.579547] Allocated by task 172: [ 24.580884] kasan_save_stack+0x3c/0x68 [ 24.582322] kasan_save_track+0x20/0x40 [ 24.583626] kasan_save_alloc_info+0x40/0x58 [ 24.584223] __kasan_kmalloc+0xd4/0xd8 [ 24.584819] __kmalloc_cache_noprof+0x15c/0x3c0 [ 24.585484] kmalloc_uaf+0xb8/0x338 [ 24.586058] kunit_try_run_case+0x14c/0x3d0 [ 24.586529] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.588581] kthread+0x24c/0x2d0 [ 24.589080] ret_from_fork+0x10/0x20 [ 24.589754] [ 24.590118] Freed by task 172: [ 24.590665] kasan_save_stack+0x3c/0x68 [ 24.591364] kasan_save_track+0x20/0x40 [ 24.592011] kasan_save_free_info+0x4c/0x78 [ 24.592983] __kasan_slab_free+0x6c/0x98 [ 24.593643] kfree+0x114/0x3c8 [ 24.594211] kmalloc_uaf+0x11c/0x338 [ 24.595081] kunit_try_run_case+0x14c/0x3d0 [ 24.595829] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 24.596554] kthread+0x24c/0x2d0 [ 24.597079] ret_from_fork+0x10/0x20 [ 24.597692] [ 24.598085] The buggy address belongs to the object at fff00000c63611e0 [ 24.598085] which belongs to the cache kmalloc-16 of size 16 [ 24.600102] The buggy address is located 8 bytes inside of [ 24.600102] freed 16-byte region [fff00000c63611e0, fff00000c63611f0) [ 24.600960] [ 24.601201] The buggy address belongs to the physical page: [ 24.601650] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106361 [ 24.602377] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 24.603088] page_type: f5(slab) [ 24.603965] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000 [ 24.604874] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 24.605909] page dumped because: kasan: bad access detected [ 24.606590] [ 24.608288] Memory state around the buggy address: [ 24.609047] fff00000c6361080: 00 02 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 24.610251] fff00000c6361100: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 24.611234] >fff00000c6361180: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 24.611794] ^ [ 24.612311] fff00000c6361200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.612954] fff00000c6361280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.613664] ==================================================================
[ 24.519526] ================================================================== [ 24.520716] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x322/0x380 [ 24.521566] Read of size 1 at addr ffff888101b7dca8 by task kunit_try_catch/191 [ 24.522103] [ 24.522437] CPU: 0 UID: 0 PID: 191 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc2-next-20241209 #1 [ 24.523485] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.523903] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.524741] Call Trace: [ 24.525400] <TASK> [ 24.525709] dump_stack_lvl+0x73/0xb0 [ 24.526454] print_report+0xd1/0x640 [ 24.526860] ? __virt_addr_valid+0x1db/0x2d0 [ 24.527558] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.528381] kasan_report+0x102/0x140 [ 24.528923] ? kmalloc_uaf+0x322/0x380 [ 24.529313] ? kmalloc_uaf+0x322/0x380 [ 24.530120] __asan_report_load1_noabort+0x18/0x20 [ 24.530819] kmalloc_uaf+0x322/0x380 [ 24.531354] ? __pfx_kmalloc_uaf+0x10/0x10 [ 24.531927] ? __schedule+0xc70/0x27e0 [ 24.532669] ? __pfx_read_tsc+0x10/0x10 [ 24.533128] ? ktime_get_ts64+0x86/0x230 [ 24.533945] kunit_try_run_case+0x1b3/0x490 [ 24.534553] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.535310] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 24.535854] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.536543] ? __kthread_parkme+0x82/0x160 [ 24.536972] ? preempt_count_sub+0x50/0x80 [ 24.537659] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.538402] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.539045] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.539860] kthread+0x257/0x310 [ 24.540502] ? __pfx_kthread+0x10/0x10 [ 24.541028] ret_from_fork+0x41/0x80 [ 24.541634] ? __pfx_kthread+0x10/0x10 [ 24.542042] ret_from_fork_asm+0x1a/0x30 [ 24.542678] </TASK> [ 24.542990] [ 24.543386] Allocated by task 191: [ 24.543852] kasan_save_stack+0x3d/0x60 [ 24.544338] kasan_save_track+0x18/0x40 [ 24.544967] kasan_save_alloc_info+0x3b/0x50 [ 24.545659] __kasan_kmalloc+0xb7/0xc0 [ 24.546094] __kmalloc_cache_noprof+0x184/0x410 [ 24.547108] kmalloc_uaf+0xab/0x380 [ 24.547586] kunit_try_run_case+0x1b3/0x490 [ 24.548544] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.549506] kthread+0x257/0x310 [ 24.550023] ret_from_fork+0x41/0x80 [ 24.551058] ret_from_fork_asm+0x1a/0x30 [ 24.551971] [ 24.552810] Freed by task 191: [ 24.553815] kasan_save_stack+0x3d/0x60 [ 24.554234] kasan_save_track+0x18/0x40 [ 24.554995] kasan_save_free_info+0x3f/0x60 [ 24.555775] __kasan_slab_free+0x56/0x70 [ 24.556628] kfree+0x123/0x3f0 [ 24.557375] kmalloc_uaf+0x12d/0x380 [ 24.557895] kunit_try_run_case+0x1b3/0x490 [ 24.559046] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.559750] kthread+0x257/0x310 [ 24.560140] ret_from_fork+0x41/0x80 [ 24.560569] ret_from_fork_asm+0x1a/0x30 [ 24.561786] [ 24.561977] The buggy address belongs to the object at ffff888101b7dca0 [ 24.561977] which belongs to the cache kmalloc-16 of size 16 [ 24.563478] The buggy address is located 8 bytes inside of [ 24.563478] freed 16-byte region [ffff888101b7dca0, ffff888101b7dcb0) [ 24.564681] [ 24.565490] The buggy address belongs to the physical page: [ 24.566112] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101b7d [ 24.567435] flags: 0x200000000000000(node=0|zone=2) [ 24.567903] page_type: f5(slab) [ 24.568696] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 24.569730] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 24.570749] page dumped because: kasan: bad access detected [ 24.571610] [ 24.571803] Memory state around the buggy address: [ 24.572554] ffff888101b7db80: 00 02 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 24.573654] ffff888101b7dc00: 00 05 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 24.574558] >ffff888101b7dc80: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc [ 24.575652] ^ [ 24.576042] ffff888101b7dd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.576957] ffff888101b7dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.578016] ================================================================== [ 24.039072] ================================================================== [ 24.040464] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47d/0x4c0 [ 24.041989] Read of size 16 at addr ffff888101b7dc80 by task kunit_try_catch/175 [ 24.043023] [ 24.043265] CPU: 0 UID: 0 PID: 175 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc2-next-20241209 #1 [ 24.044374] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.044725] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.046419] Call Trace: [ 24.046708] <TASK> [ 24.047824] dump_stack_lvl+0x73/0xb0 [ 24.049146] print_report+0xd1/0x640 [ 24.049719] ? __virt_addr_valid+0x1db/0x2d0 [ 24.050967] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.051376] kasan_report+0x102/0x140 [ 24.052040] ? kmalloc_uaf_16+0x47d/0x4c0 [ 24.052637] ? kmalloc_uaf_16+0x47d/0x4c0 [ 24.053489] __asan_report_load16_noabort+0x18/0x20 [ 24.054584] kmalloc_uaf_16+0x47d/0x4c0 [ 24.055035] ? __pfx_kmalloc_uaf_16+0x10/0x10 [ 24.056139] ? __schedule+0xc70/0x27e0 [ 24.056792] ? __pfx_read_tsc+0x10/0x10 [ 24.057640] ? ktime_get_ts64+0x86/0x230 [ 24.058805] kunit_try_run_case+0x1b3/0x490 [ 24.059194] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.059780] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 24.060275] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.060732] ? __kthread_parkme+0x82/0x160 [ 24.062120] ? preempt_count_sub+0x50/0x80 [ 24.063485] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.063870] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.065339] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.066406] kthread+0x257/0x310 [ 24.066777] ? __pfx_kthread+0x10/0x10 [ 24.067745] ret_from_fork+0x41/0x80 [ 24.068745] ? __pfx_kthread+0x10/0x10 [ 24.069007] ret_from_fork_asm+0x1a/0x30 [ 24.069563] </TASK> [ 24.069865] [ 24.070040] Allocated by task 175: [ 24.071994] kasan_save_stack+0x3d/0x60 [ 24.072574] kasan_save_track+0x18/0x40 [ 24.072926] kasan_save_alloc_info+0x3b/0x50 [ 24.073233] __kasan_kmalloc+0xb7/0xc0 [ 24.074003] __kmalloc_cache_noprof+0x184/0x410 [ 24.075004] kmalloc_uaf_16+0x15c/0x4c0 [ 24.075266] kunit_try_run_case+0x1b3/0x490 [ 24.076533] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.077002] kthread+0x257/0x310 [ 24.077460] ret_from_fork+0x41/0x80 [ 24.077878] ret_from_fork_asm+0x1a/0x30 [ 24.078527] [ 24.078729] Freed by task 175: [ 24.078993] kasan_save_stack+0x3d/0x60 [ 24.080194] kasan_save_track+0x18/0x40 [ 24.080604] kasan_save_free_info+0x3f/0x60 [ 24.081160] __kasan_slab_free+0x56/0x70 [ 24.081647] kfree+0x123/0x3f0 [ 24.082055] kmalloc_uaf_16+0x1d7/0x4c0 [ 24.082658] kunit_try_run_case+0x1b3/0x490 [ 24.083023] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.083394] kthread+0x257/0x310 [ 24.084613] ret_from_fork+0x41/0x80 [ 24.085048] ret_from_fork_asm+0x1a/0x30 [ 24.085358] [ 24.085777] The buggy address belongs to the object at ffff888101b7dc80 [ 24.085777] which belongs to the cache kmalloc-16 of size 16 [ 24.087670] The buggy address is located 0 bytes inside of [ 24.087670] freed 16-byte region [ffff888101b7dc80, ffff888101b7dc90) [ 24.088886] [ 24.089154] The buggy address belongs to the physical page: [ 24.090024] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101b7d [ 24.090574] flags: 0x200000000000000(node=0|zone=2) [ 24.091875] page_type: f5(slab) [ 24.092577] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 24.093152] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 24.093890] page dumped because: kasan: bad access detected [ 24.094236] [ 24.094612] Memory state around the buggy address: [ 24.095143] ffff888101b7db80: 00 02 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 24.096158] ffff888101b7dc00: 00 05 fc fc fa fb fc fc fa fb fc fc 00 00 fc fc [ 24.096847] >ffff888101b7dc80: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.098317] ^ [ 24.098621] ffff888101b7dd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.100107] ffff888101b7dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.100485] ================================================================== [ 24.648825] ================================================================== [ 24.650485] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4aa/0x520 [ 24.651347] Read of size 1 at addr ffff888102402ca8 by task kunit_try_catch/195 [ 24.652549] [ 24.653352] CPU: 1 UID: 0 PID: 195 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc2-next-20241209 #1 [ 24.654771] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.655157] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.656791] Call Trace: [ 24.657086] <TASK> [ 24.657502] dump_stack_lvl+0x73/0xb0 [ 24.657806] print_report+0xd1/0x640 [ 24.658373] ? __virt_addr_valid+0x1db/0x2d0 [ 24.659182] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.660750] kasan_report+0x102/0x140 [ 24.661375] ? kmalloc_uaf2+0x4aa/0x520 [ 24.661765] ? kmalloc_uaf2+0x4aa/0x520 [ 24.662471] __asan_report_load1_noabort+0x18/0x20 [ 24.663801] kmalloc_uaf2+0x4aa/0x520 [ 24.664946] ? __pfx_kmalloc_uaf2+0x10/0x10 [ 24.665674] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 24.666622] ? __pfx_kmalloc_uaf2+0x10/0x10 [ 24.667374] kunit_try_run_case+0x1b3/0x490 [ 24.667844] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.669258] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 24.670184] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.671133] ? __kthread_parkme+0x82/0x160 [ 24.671761] ? preempt_count_sub+0x50/0x80 [ 24.672762] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.673455] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.674235] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.675391] kthread+0x257/0x310 [ 24.675779] ? __pfx_kthread+0x10/0x10 [ 24.676892] ret_from_fork+0x41/0x80 [ 24.677249] ? __pfx_kthread+0x10/0x10 [ 24.678082] ret_from_fork_asm+0x1a/0x30 [ 24.679096] </TASK> [ 24.679448] [ 24.679701] Allocated by task 195: [ 24.680095] kasan_save_stack+0x3d/0x60 [ 24.680608] kasan_save_track+0x18/0x40 [ 24.681614] kasan_save_alloc_info+0x3b/0x50 [ 24.682620] __kasan_kmalloc+0xb7/0xc0 [ 24.683035] __kmalloc_cache_noprof+0x184/0x410 [ 24.684112] kmalloc_uaf2+0xc7/0x520 [ 24.684521] kunit_try_run_case+0x1b3/0x490 [ 24.685013] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.686455] kthread+0x257/0x310 [ 24.686698] ret_from_fork+0x41/0x80 [ 24.687760] ret_from_fork_asm+0x1a/0x30 [ 24.688649] [ 24.688755] Freed by task 195: [ 24.689212] kasan_save_stack+0x3d/0x60 [ 24.690480] kasan_save_track+0x18/0x40 [ 24.690751] kasan_save_free_info+0x3f/0x60 [ 24.691574] __kasan_slab_free+0x56/0x70 [ 24.692745] kfree+0x123/0x3f0 [ 24.693092] kmalloc_uaf2+0x14d/0x520 [ 24.693535] kunit_try_run_case+0x1b3/0x490 [ 24.694859] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.695332] kthread+0x257/0x310 [ 24.695699] ret_from_fork+0x41/0x80 [ 24.696627] ret_from_fork_asm+0x1a/0x30 [ 24.696993] [ 24.697235] The buggy address belongs to the object at ffff888102402c80 [ 24.697235] which belongs to the cache kmalloc-64 of size 64 [ 24.698933] The buggy address is located 40 bytes inside of [ 24.698933] freed 64-byte region [ffff888102402c80, ffff888102402cc0) [ 24.700465] [ 24.700735] The buggy address belongs to the physical page: [ 24.702119] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102402 [ 24.703070] flags: 0x200000000000000(node=0|zone=2) [ 24.703568] page_type: f5(slab) [ 24.704403] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 [ 24.705055] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 24.705742] page dumped because: kasan: bad access detected [ 24.706834] [ 24.707200] Memory state around the buggy address: [ 24.708086] ffff888102402b80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 24.708716] ffff888102402c00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 24.710048] >ffff888102402c80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 24.710760] ^ [ 24.711491] ffff888102402d00: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc [ 24.712049] ffff888102402d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.712776] ==================================================================