Hay
Sign in
Date
May 29, 2025, 7:10 a.m.

Environment
qemu-arm64
qemu-x86_64 

[   21.873007] ==================================================================
[   21.873202] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   21.873381] Read of size 1 at addr fff00000c66b10a8 by task kunit_try_catch/184
[   21.873506] 
[   21.873602] CPU: 1 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250529 #1 PREEMPT 
[   21.873814] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.873884] Hardware name: linux,dummy-virt (DT)
[   21.873965] Call trace:
[   21.874023]  show_stack+0x20/0x38 (C)
[   21.874149]  dump_stack_lvl+0x8c/0xd0
[   21.874277]  print_report+0x118/0x608
[   21.874467]  kasan_report+0xdc/0x128
[   21.874728]  __asan_report_load1_noabort+0x20/0x30
[   21.874863]  kmalloc_uaf+0x300/0x338
[   21.874965]  kunit_try_run_case+0x170/0x3f0
[   21.875095]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.875330]  kthread+0x328/0x630
[   21.875501]  ret_from_fork+0x10/0x20
[   21.875686] 
[   21.875754] Allocated by task 184:
[   21.875854]  kasan_save_stack+0x3c/0x68
[   21.876008]  kasan_save_track+0x20/0x40
[   21.876085]  kasan_save_alloc_info+0x40/0x58
[   21.876154]  __kasan_kmalloc+0xd4/0xd8
[   21.876218]  __kmalloc_cache_noprof+0x15c/0x3c0
[   21.876326]  kmalloc_uaf+0xb8/0x338
[   21.876407]  kunit_try_run_case+0x170/0x3f0
[   21.876540]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.876640]  kthread+0x328/0x630
[   21.876722]  ret_from_fork+0x10/0x20
[   21.876799] 
[   21.876849] Freed by task 184:
[   21.876925]  kasan_save_stack+0x3c/0x68
[   21.877022]  kasan_save_track+0x20/0x40
[   21.877105]  kasan_save_free_info+0x4c/0x78
[   21.877179]  __kasan_slab_free+0x6c/0x98
[   21.877258]  kfree+0x214/0x3c8
[   21.877334]  kmalloc_uaf+0x11c/0x338
[   21.877479]  kunit_try_run_case+0x170/0x3f0
[   21.877600]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.877714]  kthread+0x328/0x630
[   21.877800]  ret_from_fork+0x10/0x20
[   21.877888] 
[   21.878066] The buggy address belongs to the object at fff00000c66b10a0
[   21.878066]  which belongs to the cache kmalloc-16 of size 16
[   21.878863] The buggy address is located 8 bytes inside of
[   21.878863]  freed 16-byte region [fff00000c66b10a0, fff00000c66b10b0)
[   21.879134] 
[   21.879320] The buggy address belongs to the physical page:
[   21.879484] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1066b1
[   21.880366] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   21.880785] page_type: f5(slab)
[   21.880982] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   21.881369] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   21.881813] page dumped because: kasan: bad access detected
[   21.881936] 
[   21.882021] Memory state around the buggy address:
[   21.882250]  fff00000c66b0f80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[   21.882878]  fff00000c66b1000: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   21.883143] >fff00000c66b1080: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   21.883259]                                   ^
[   21.883346]  fff00000c66b1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.883462]  fff00000c66b1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.883540] ==================================================================
Metadata Full log Test run details 

[   11.103024] ==================================================================
[   11.103822] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[   11.104444] Read of size 1 at addr ffff888101c55fa8 by task kunit_try_catch/201
[   11.104822] 
[   11.104922] CPU: 0 UID: 0 PID: 201 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250529 #1 PREEMPT(voluntary) 
[   11.104969] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.105049] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.105091] Call Trace:
[   11.105103]  <TASK>
[   11.105117]  dump_stack_lvl+0x73/0xb0
[   11.105144]  print_report+0xd1/0x650
[   11.105166]  ? __virt_addr_valid+0x1db/0x2d0
[   11.105188]  ? kmalloc_uaf+0x320/0x380
[   11.105208]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.105230]  ? kmalloc_uaf+0x320/0x380
[   11.105251]  kasan_report+0x141/0x180
[   11.105273]  ? kmalloc_uaf+0x320/0x380
[   11.105298]  __asan_report_load1_noabort+0x18/0x20
[   11.105318]  kmalloc_uaf+0x320/0x380
[   11.105339]  ? __pfx_kmalloc_uaf+0x10/0x10
[   11.105359]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   11.105402]  ? trace_hardirqs_on+0x37/0xe0
[   11.105437]  ? __pfx_read_tsc+0x10/0x10
[   11.105458]  ? ktime_get_ts64+0x86/0x230
[   11.105483]  kunit_try_run_case+0x1a5/0x480
[   11.105505]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.105526]  ? queued_spin_lock_slowpath+0x116/0xb40
[   11.105550]  ? __kthread_parkme+0x82/0x180
[   11.105570]  ? preempt_count_sub+0x50/0x80
[   11.105594]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.105627]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.105651]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.105675]  kthread+0x337/0x6f0
[   11.105694]  ? trace_preempt_on+0x20/0xc0
[   11.105715]  ? __pfx_kthread+0x10/0x10
[   11.105737]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.105809]  ? calculate_sigpending+0x7b/0xa0
[   11.105834]  ? __pfx_kthread+0x10/0x10
[   11.105856]  ret_from_fork+0x116/0x1d0
[   11.105874]  ? __pfx_kthread+0x10/0x10
[   11.105894]  ret_from_fork_asm+0x1a/0x30
[   11.105925]  </TASK>
[   11.105935] 
[   11.114414] Allocated by task 201:
[   11.114555]  kasan_save_stack+0x45/0x70
[   11.114889]  kasan_save_track+0x18/0x40
[   11.115221]  kasan_save_alloc_info+0x3b/0x50
[   11.115437]  __kasan_kmalloc+0xb7/0xc0
[   11.115642]  __kmalloc_cache_noprof+0x189/0x420
[   11.115833]  kmalloc_uaf+0xaa/0x380
[   11.116181]  kunit_try_run_case+0x1a5/0x480
[   11.116467]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.116674]  kthread+0x337/0x6f0
[   11.116803]  ret_from_fork+0x116/0x1d0
[   11.116987]  ret_from_fork_asm+0x1a/0x30
[   11.117232] 
[   11.117434] Freed by task 201:
[   11.117661]  kasan_save_stack+0x45/0x70
[   11.117996]  kasan_save_track+0x18/0x40
[   11.118264]  kasan_save_free_info+0x3f/0x60
[   11.118453]  __kasan_slab_free+0x56/0x70
[   11.118604]  kfree+0x222/0x3f0
[   11.118736]  kmalloc_uaf+0x12c/0x380
[   11.118909]  kunit_try_run_case+0x1a5/0x480
[   11.119139]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.119428]  kthread+0x337/0x6f0
[   11.119626]  ret_from_fork+0x116/0x1d0
[   11.120054]  ret_from_fork_asm+0x1a/0x30
[   11.120436] 
[   11.120518] The buggy address belongs to the object at ffff888101c55fa0
[   11.120518]  which belongs to the cache kmalloc-16 of size 16
[   11.121277] The buggy address is located 8 bytes inside of
[   11.121277]  freed 16-byte region [ffff888101c55fa0, ffff888101c55fb0)
[   11.121663] 
[   11.121817] The buggy address belongs to the physical page:
[   11.122123] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101c55
[   11.122525] flags: 0x200000000000000(node=0|zone=2)
[   11.122831] page_type: f5(slab)
[   11.123026] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   11.123268] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   11.123640] page dumped because: kasan: bad access detected
[   11.123900] 
[   11.124142] Memory state around the buggy address:
[   11.124390]  ffff888101c55e80: 00 00 fc fc 00 02 fc fc 00 02 fc fc 00 06 fc fc
[   11.124682]  ffff888101c55f00: 00 06 fc fc 00 05 fc fc fa fb fc fc fa fb fc fc
[   11.125025] >ffff888101c55f80: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   11.125293]                                   ^
[   11.125753]  ffff888101c56000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   11.126216]  ffff888101c56080: 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00
[   11.126552] ==================================================================
Metadata Full log Test run details