Date
May 30, 2025, 4:14 a.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 | |
| x15 |
[ 29.840002] ================================================================== [ 29.849338] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468 [ 29.855932] Read of size 1 at addr ffff000800c2e128 by task kunit_try_catch/232 [ 29.863223] [ 29.864708] CPU: 5 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT [ 29.864764] Tainted: [B]=BAD_PAGE, [N]=TEST [ 29.864779] Hardware name: WinLink E850-96 board (DT) [ 29.864800] Call trace: [ 29.864812] show_stack+0x20/0x38 (C) [ 29.864848] dump_stack_lvl+0x8c/0xd0 [ 29.864885] print_report+0x118/0x608 [ 29.864921] kasan_report+0xdc/0x128 [ 29.864951] __asan_report_load1_noabort+0x20/0x30 [ 29.864985] kmalloc_uaf2+0x3f4/0x468 [ 29.865012] kunit_try_run_case+0x170/0x3f0 [ 29.865046] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.865086] kthread+0x328/0x630 [ 29.865115] ret_from_fork+0x10/0x20 [ 29.865150] [ 29.927892] Allocated by task 232: [ 29.931280] kasan_save_stack+0x3c/0x68 [ 29.935096] kasan_save_track+0x20/0x40 [ 29.938918] kasan_save_alloc_info+0x40/0x58 [ 29.943170] __kasan_kmalloc+0xd4/0xd8 [ 29.946902] __kmalloc_cache_noprof+0x15c/0x3c0 [ 29.951416] kmalloc_uaf2+0xc4/0x468 [ 29.954975] kunit_try_run_case+0x170/0x3f0 [ 29.959142] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 29.964610] kthread+0x328/0x630 [ 29.967822] ret_from_fork+0x10/0x20 [ 29.971381] [ 29.972856] Freed by task 232: [ 29.975895] kasan_save_stack+0x3c/0x68 [ 29.979714] kasan_save_track+0x20/0x40 [ 29.983533] kasan_save_free_info+0x4c/0x78 [ 29.987700] __kasan_slab_free+0x6c/0x98 [ 29.991608] kfree+0x214/0x3c8 [ 29.994644] kmalloc_uaf2+0x134/0x468 [ 29.998290] kunit_try_run_case+0x170/0x3f0 [ 30.002457] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.007926] kthread+0x328/0x630 [ 30.011137] ret_from_fork+0x10/0x20 [ 30.014696] [ 30.016173] The buggy address belongs to the object at ffff000800c2e100 [ 30.016173] which belongs to the cache kmalloc-64 of size 64 [ 30.028500] The buggy address is located 40 bytes inside of [ 30.028500] freed 64-byte region [ffff000800c2e100, ffff000800c2e140) [ 30.040564] [ 30.042043] The buggy address belongs to the physical page: [ 30.047599] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880c2e [ 30.055585] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 30.062091] page_type: f5(slab) [ 30.065229] raw: 0bfffe0000000000 ffff0008000028c0 dead000000000122 0000000000000000 [ 30.072948] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 30.080667] page dumped because: kasan: bad access detected [ 30.086224] [ 30.087698] Memory state around the buggy address: [ 30.092480] ffff000800c2e000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 30.099681] ffff000800c2e080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 30.106886] >ffff000800c2e100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 30.114087] ^ [ 30.118605] ffff000800c2e180: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc [ 30.125810] ffff000800c2e200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.133012] ==================================================================
[ 25.093067] ================================================================== [ 25.093273] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468 [ 25.093703] Read of size 1 at addr fff00000c77e79a8 by task kunit_try_catch/189 [ 25.093856] [ 25.093983] CPU: 0 UID: 0 PID: 189 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT [ 25.094191] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.094320] Hardware name: linux,dummy-virt (DT) [ 25.094404] Call trace: [ 25.094521] show_stack+0x20/0x38 (C) [ 25.094657] dump_stack_lvl+0x8c/0xd0 [ 25.094886] print_report+0x118/0x608 [ 25.095022] kasan_report+0xdc/0x128 [ 25.095190] __asan_report_load1_noabort+0x20/0x30 [ 25.095349] kmalloc_uaf2+0x3f4/0x468 [ 25.095463] kunit_try_run_case+0x170/0x3f0 [ 25.095631] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.095809] kthread+0x328/0x630 [ 25.095981] ret_from_fork+0x10/0x20 [ 25.096113] [ 25.096237] Allocated by task 189: [ 25.096380] kasan_save_stack+0x3c/0x68 [ 25.096521] kasan_save_track+0x20/0x40 [ 25.097398] kasan_save_alloc_info+0x40/0x58 [ 25.097907] __kasan_kmalloc+0xd4/0xd8 [ 25.098223] __kmalloc_cache_noprof+0x15c/0x3c0 [ 25.098333] kmalloc_uaf2+0xc4/0x468 [ 25.098508] kunit_try_run_case+0x170/0x3f0 [ 25.099234] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.099393] kthread+0x328/0x630 [ 25.099722] ret_from_fork+0x10/0x20 [ 25.100200] [ 25.100252] Freed by task 189: [ 25.100321] kasan_save_stack+0x3c/0x68 [ 25.100422] kasan_save_track+0x20/0x40 [ 25.100518] kasan_save_free_info+0x4c/0x78 [ 25.100611] __kasan_slab_free+0x6c/0x98 [ 25.100721] kfree+0x214/0x3c8 [ 25.100823] kmalloc_uaf2+0x134/0x468 [ 25.101080] kunit_try_run_case+0x170/0x3f0 [ 25.101209] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 25.101327] kthread+0x328/0x630 [ 25.101413] ret_from_fork+0x10/0x20 [ 25.101535] [ 25.101664] The buggy address belongs to the object at fff00000c77e7980 [ 25.101664] which belongs to the cache kmalloc-64 of size 64 [ 25.101823] The buggy address is located 40 bytes inside of [ 25.101823] freed 64-byte region [fff00000c77e7980, fff00000c77e79c0) [ 25.102936] [ 25.102996] The buggy address belongs to the physical page: [ 25.103097] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077e7 [ 25.103289] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 25.103407] page_type: f5(slab) [ 25.103509] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000 [ 25.103983] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 25.104105] page dumped because: kasan: bad access detected [ 25.104265] [ 25.104317] Memory state around the buggy address: [ 25.104444] fff00000c77e7880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 25.104581] fff00000c77e7900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 25.104723] >fff00000c77e7980: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 25.105225] ^ [ 25.105361] fff00000c77e7a00: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc [ 25.105474] fff00000c77e7a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.105566] ==================================================================
[ 18.672814] ================================================================== [ 18.674083] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4a8/0x520 [ 18.675885] Read of size 1 at addr ffff888102b675a8 by task kunit_try_catch/205 [ 18.676411] [ 18.676878] CPU: 0 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary) [ 18.677004] Tainted: [B]=BAD_PAGE, [N]=TEST [ 18.677062] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 18.677111] Call Trace: [ 18.677151] <TASK> [ 18.677199] dump_stack_lvl+0x73/0xb0 [ 18.677286] print_report+0xd1/0x650 [ 18.677346] ? __virt_addr_valid+0x1db/0x2d0 [ 18.677380] ? kmalloc_uaf2+0x4a8/0x520 [ 18.677408] ? kasan_complete_mode_report_info+0x64/0x200 [ 18.677439] ? kmalloc_uaf2+0x4a8/0x520 [ 18.677469] kasan_report+0x141/0x180 [ 18.677501] ? kmalloc_uaf2+0x4a8/0x520 [ 18.677536] __asan_report_load1_noabort+0x18/0x20 [ 18.677564] kmalloc_uaf2+0x4a8/0x520 [ 18.677592] ? __pfx_kmalloc_uaf2+0x10/0x10 [ 18.677620] ? finish_task_switch.isra.0+0x153/0x700 [ 18.677651] ? __switch_to+0x47/0xf50 [ 18.677686] ? __schedule+0x10cc/0x2b60 [ 18.677720] ? __pfx_read_tsc+0x10/0x10 [ 18.677777] ? ktime_get_ts64+0x86/0x230 [ 18.677814] kunit_try_run_case+0x1a5/0x480 [ 18.677845] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.677872] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 18.677907] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 18.677941] ? __kthread_parkme+0x82/0x180 [ 18.677968] ? preempt_count_sub+0x50/0x80 [ 18.677998] ? __pfx_kunit_try_run_case+0x10/0x10 [ 18.678073] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.678153] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 18.678232] kthread+0x337/0x6f0 [ 18.678309] ? trace_preempt_on+0x20/0xc0 [ 18.678548] ? __pfx_kthread+0x10/0x10 [ 18.678581] ? _raw_spin_unlock_irq+0x47/0x80 [ 18.678614] ? calculate_sigpending+0x7b/0xa0 [ 18.678649] ? __pfx_kthread+0x10/0x10 [ 18.678679] ret_from_fork+0x116/0x1d0 [ 18.678704] ? __pfx_kthread+0x10/0x10 [ 18.678739] ret_from_fork_asm+0x1a/0x30 [ 18.678816] </TASK> [ 18.678834] [ 18.696027] Allocated by task 205: [ 18.696312] kasan_save_stack+0x45/0x70 [ 18.696993] kasan_save_track+0x18/0x40 [ 18.697550] kasan_save_alloc_info+0x3b/0x50 [ 18.698054] __kasan_kmalloc+0xb7/0xc0 [ 18.698483] __kmalloc_cache_noprof+0x189/0x420 [ 18.699284] kmalloc_uaf2+0xc6/0x520 [ 18.699719] kunit_try_run_case+0x1a5/0x480 [ 18.700349] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.700870] kthread+0x337/0x6f0 [ 18.701226] ret_from_fork+0x116/0x1d0 [ 18.701533] ret_from_fork_asm+0x1a/0x30 [ 18.701894] [ 18.702166] Freed by task 205: [ 18.702549] kasan_save_stack+0x45/0x70 [ 18.703025] kasan_save_track+0x18/0x40 [ 18.703720] kasan_save_free_info+0x3f/0x60 [ 18.704285] __kasan_slab_free+0x56/0x70 [ 18.704959] kfree+0x222/0x3f0 [ 18.705513] kmalloc_uaf2+0x14c/0x520 [ 18.705866] kunit_try_run_case+0x1a5/0x480 [ 18.706680] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 18.707284] kthread+0x337/0x6f0 [ 18.707716] ret_from_fork+0x116/0x1d0 [ 18.708291] ret_from_fork_asm+0x1a/0x30 [ 18.708612] [ 18.708847] The buggy address belongs to the object at ffff888102b67580 [ 18.708847] which belongs to the cache kmalloc-64 of size 64 [ 18.709804] The buggy address is located 40 bytes inside of [ 18.709804] freed 64-byte region [ffff888102b67580, ffff888102b675c0) [ 18.711483] [ 18.711790] The buggy address belongs to the physical page: [ 18.712495] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b67 [ 18.713925] flags: 0x200000000000000(node=0|zone=2) [ 18.714849] page_type: f5(slab) [ 18.716131] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 [ 18.716786] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 18.717720] page dumped because: kasan: bad access detected [ 18.717949] [ 18.718083] Memory state around the buggy address: [ 18.719435] ffff888102b67480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 18.721077] ffff888102b67500: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 18.721812] >ffff888102b67580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 18.722539] ^ [ 18.723041] ffff888102b67600: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc [ 18.723708] ffff888102b67680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 18.724233] ==================================================================
[ 56.479766] ================================================================== [ 56.490966] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4d0/0x550 [ 56.497650] Read of size 1 at addr cc7975a8 by task kunit_try_catch/240 [ 56.504302] [ 56.505798] CPU: 0 UID: 0 PID: 240 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE [ 56.505828] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 56.505828] Hardware name: Generic DRA74X (Flattened Device Tree) [ 56.505859] Call trace: [ 56.505859] unwind_backtrace from show_stack+0x18/0x1c [ 56.505889] show_stack from dump_stack_lvl+0x70/0x90 [ 56.505920] dump_stack_lvl from print_report+0x158/0x528 [ 56.505920] print_report from kasan_report+0xdc/0x118 [ 56.505950] kasan_report from kmalloc_uaf2+0x4d0/0x550 [ 56.505981] kmalloc_uaf2 from kunit_try_run_case+0x22c/0x5a8 [ 56.506011] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 56.506042] kunit_generic_run_threadfn_adapter from kthread+0x464/0x810 [ 56.506042] kthread from ret_from_fork+0x14/0x20 [ 56.506072] Exception stack(0xf2303fb0 to 0xf2303ff8) [ 56.506072] 3fa0: 00000000 00000000 00000000 00000000 [ 56.506103] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 56.506134] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 [ 56.506134] [ 56.610992] Allocated by task 240: [ 56.614440] kasan_save_track+0x30/0x5c [ 56.618286] __kasan_kmalloc+0x8c/0x94 [ 56.622070] kmalloc_uaf2+0xd8/0x550 [ 56.625671] kunit_try_run_case+0x22c/0x5a8 [ 56.629913] kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 56.635437] kthread+0x464/0x810 [ 56.638671] ret_from_fork+0x14/0x20 [ 56.642272] [ 56.643798] Freed by task 240: [ 56.646881] kasan_save_track+0x30/0x5c [ 56.650726] kasan_save_free_info+0x3c/0x48 [ 56.654937] __kasan_slab_free+0x40/0x50 [ 56.658905] kfree+0xe8/0x384 [ 56.661895] kmalloc_uaf2+0x184/0x550 [ 56.665588] kunit_try_run_case+0x22c/0x5a8 [ 56.669799] kunit_generic_run_threadfn_adapter+0xc4/0x128 [ 56.675354] kthread+0x464/0x810 [ 56.678588] ret_from_fork+0x14/0x20 [ 56.682189] [ 56.683685] The buggy address belongs to the object at cc797580 [ 56.683685] which belongs to the cache kmalloc-64 of size 64 [ 56.695434] The buggy address is located 40 bytes inside of [ 56.695434] freed 64-byte region [cc797580, cc7975c0) [ 56.706176] [ 56.707702] The buggy address belongs to the physical page: [ 56.713287] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c797 [ 56.720581] flags: 0x0(zone=0) [ 56.723663] page_type: f5(slab) [ 56.726806] raw: 00000000 c7001300 00000122 00000000 00000000 80200020 f5000000 00000000 [ 56.734954] raw: 00000000 [ 56.737609] page dumped because: kasan: bad access detected [ 56.743194] [ 56.744720] Memory state around the buggy address: [ 56.749542] cc797480: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 56.756103] cc797500: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 56.762664] >cc797580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 56.769256] ^ [ 56.773101] cc797600: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc [ 56.779693] cc797680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 56.786254] ==================================================================