Date
May 15, 2025, 10:38 a.m.
Environment | |
---|---|
e850-96 |
[ 26.783133] ==================================================================
[ 26.792296] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 26.799062] Read of size 16 at addr ffff000800e20060 by task kunit_try_catch/213
[ 26.806440]
[ 26.807925] CPU: 7 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT
[ 26.807980] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.807996] Hardware name: WinLink E850-96 board (DT)
[ 26.808017] Call trace:
[ 26.808031] show_stack+0x20/0x38 (C)
[ 26.808067] dump_stack_lvl+0x8c/0xd0
[ 26.808100] print_report+0x118/0x608
[ 26.808133] kasan_report+0xdc/0x128
[ 26.808162] __asan_report_load16_noabort+0x20/0x30
[ 26.808197] kmalloc_uaf_16+0x3bc/0x438
[ 26.808222] kunit_try_run_case+0x170/0x3f0
[ 26.808255] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.808289] kthread+0x328/0x630
[ 26.808324] ret_from_fork+0x10/0x20
[ 26.808357]
[ 26.871716] Allocated by task 213:
[ 26.875104] kasan_save_stack+0x3c/0x68
[ 26.878920] kasan_save_track+0x20/0x40
[ 26.882739] kasan_save_alloc_info+0x40/0x58
[ 26.886993] __kasan_kmalloc+0xd4/0xd8
[ 26.890725] __kmalloc_cache_noprof+0x15c/0x3c0
[ 26.895239] kmalloc_uaf_16+0x140/0x438
[ 26.899058] kunit_try_run_case+0x170/0x3f0
[ 26.903225] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.908694] kthread+0x328/0x630
[ 26.911905] ret_from_fork+0x10/0x20
[ 26.915464]
[ 26.916941] Freed by task 213:
[ 26.919978] kasan_save_stack+0x3c/0x68
[ 26.923798] kasan_save_track+0x20/0x40
[ 26.927618] kasan_save_free_info+0x4c/0x78
[ 26.931783] __kasan_slab_free+0x6c/0x98
[ 26.935690] kfree+0x214/0x3c8
[ 26.938728] kmalloc_uaf_16+0x190/0x438
[ 26.942547] kunit_try_run_case+0x170/0x3f0
[ 26.946714] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.952182] kthread+0x328/0x630
[ 26.955394] ret_from_fork+0x10/0x20
[ 26.958953]
[ 26.960431] The buggy address belongs to the object at ffff000800e20060
[ 26.960431] which belongs to the cache kmalloc-16 of size 16
[ 26.972759] The buggy address is located 0 bytes inside of
[ 26.972759] freed 16-byte region [ffff000800e20060, ffff000800e20070)
[ 26.984734]
[ 26.986213] The buggy address belongs to the physical page:
[ 26.991769] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880e20
[ 26.999753] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 27.006263] page_type: f5(slab)
[ 27.009401] raw: 0bfffe0000000000 ffff000800002640 dead000000000122 0000000000000000
[ 27.017119] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 27.024839] page dumped because: kasan: bad access detected
[ 27.030393]
[ 27.031868] Memory state around the buggy address:
[ 27.036651] ffff000800e1ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.043852] ffff000800e1ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.051058] >ffff000800e20000: 00 04 fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[ 27.058257] ^
[ 27.064598] ffff000800e20080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.071802] ffff000800e20100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.079005] ==================================================================