Date: May 30, 2025, 4:14 a.m.
Environment |
---|
e850-96 |
qemu-arm64 |
qemu-x86_64 |
x15 |
[ 29.534679] ==================================================================
[ 29.543615] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[ 29.550728] Write of size 33 at addr ffff000804991680 by task kunit_try_catch/230
[ 29.558193]
[ 29.559677] CPU: 4 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 29.559736] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 29.559754] Hardware name: WinLink E850-96 board (DT)
[ 29.559777] Call trace:
[ 29.559794]  show_stack+0x20/0x38 (C)
[ 29.559828]  dump_stack_lvl+0x8c/0xd0
[ 29.559864]  print_report+0x118/0x608
[ 29.559900]  kasan_report+0xdc/0x128
[ 29.559932]  kasan_check_range+0x100/0x1a8
[ 29.559968]  __asan_memset+0x34/0x78
[ 29.559997]  kmalloc_uaf_memset+0x170/0x310
[ 29.560028]  kunit_try_run_case+0x170/0x3f0
[ 29.560064]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.560103]  kthread+0x328/0x630
[ 29.560136]  ret_from_fork+0x10/0x20
[ 29.560171]
[ 29.626247] Allocated by task 230:
[ 29.629634]  kasan_save_stack+0x3c/0x68
[ 29.633452]  kasan_save_track+0x20/0x40
[ 29.637271]  kasan_save_alloc_info+0x40/0x58
[ 29.641525]  __kasan_kmalloc+0xd4/0xd8
[ 29.645257]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 29.649771]  kmalloc_uaf_memset+0xb8/0x310
[ 29.653852]  kunit_try_run_case+0x170/0x3f0
[ 29.658018]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.663486]  kthread+0x328/0x630
[ 29.666698]  ret_from_fork+0x10/0x20
[ 29.670257]
[ 29.671733] Freed by task 230:
[ 29.674773]  kasan_save_stack+0x3c/0x68
[ 29.678590]  kasan_save_track+0x20/0x40
[ 29.682410]  kasan_save_free_info+0x4c/0x78
[ 29.686576]  __kasan_slab_free+0x6c/0x98
[ 29.690482]  kfree+0x214/0x3c8
[ 29.693520]  kmalloc_uaf_memset+0x11c/0x310
[ 29.697687]  kunit_try_run_case+0x170/0x3f0
[ 29.701854]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.707324]  kthread+0x328/0x630
[ 29.710534]  ret_from_fork+0x10/0x20
[ 29.714093]
[ 29.715571] The buggy address belongs to the object at ffff000804991680
[ 29.715571]  which belongs to the cache kmalloc-64 of size 64
[ 29.727897] The buggy address is located 0 bytes inside of
[ 29.727897]  freed 64-byte region [ffff000804991680, ffff0008049916c0)
[ 29.739874]
[ 29.741352] The buggy address belongs to the physical page:
[ 29.746910] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x884991
[ 29.754893] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 29.761403] page_type: f5(slab)
[ 29.764540] raw: 0bfffe0000000000 ffff0008000028c0 dead000000000122 0000000000000000
[ 29.772258] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 29.779979] page dumped because: kasan: bad access detected
[ 29.785534]
[ 29.787008] Memory state around the buggy address:
[ 29.791788]  ffff000804991580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.798991]  ffff000804991600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.806196] >ffff000804991680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.813397]                    ^
[ 29.816613]  ffff000804991700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.823817]  ffff000804991780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.831018] ==================================================================
[ 25.048697] ==================================================================
[ 25.048851] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[ 25.049085] Write of size 33 at addr fff00000c77e7800 by task kunit_try_catch/187
[ 25.049290]
[ 25.049400] CPU: 0 UID: 0 PID: 187 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 25.049620] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.049702] Hardware name: linux,dummy-virt (DT)
[ 25.049775] Call trace:
[ 25.049830]  show_stack+0x20/0x38 (C)
[ 25.049954]  dump_stack_lvl+0x8c/0xd0
[ 25.050079]  print_report+0x118/0x608
[ 25.050194]  kasan_report+0xdc/0x128
[ 25.050713]  kasan_check_range+0x100/0x1a8
[ 25.051119]  __asan_memset+0x34/0x78
[ 25.051487]  kmalloc_uaf_memset+0x170/0x310
[ 25.051645]  kunit_try_run_case+0x170/0x3f0
[ 25.051927]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.052321]  kthread+0x328/0x630
[ 25.052459]  ret_from_fork+0x10/0x20
[ 25.052936]
[ 25.053119] Allocated by task 187:
[ 25.053213]  kasan_save_stack+0x3c/0x68
[ 25.053645]  kasan_save_track+0x20/0x40
[ 25.054059]  kasan_save_alloc_info+0x40/0x58
[ 25.054267]  __kasan_kmalloc+0xd4/0xd8
[ 25.054410]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 25.054631]  kmalloc_uaf_memset+0xb8/0x310
[ 25.054768]  kunit_try_run_case+0x170/0x3f0
[ 25.054875]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.055052]  kthread+0x328/0x630
[ 25.055147]  ret_from_fork+0x10/0x20
[ 25.055238]
[ 25.055291] Freed by task 187:
[ 25.055561]  kasan_save_stack+0x3c/0x68
[ 25.055673]  kasan_save_track+0x20/0x40
[ 25.055802]  kasan_save_free_info+0x4c/0x78
[ 25.056034]  __kasan_slab_free+0x6c/0x98
[ 25.056482]  kfree+0x214/0x3c8
[ 25.056720]  kmalloc_uaf_memset+0x11c/0x310
[ 25.056818]  kunit_try_run_case+0x170/0x3f0
[ 25.056907]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.057017]  kthread+0x328/0x630
[ 25.057113]  ret_from_fork+0x10/0x20
[ 25.057376]
[ 25.057423] The buggy address belongs to the object at fff00000c77e7800
[ 25.057423]  which belongs to the cache kmalloc-64 of size 64
[ 25.057735] The buggy address is located 0 bytes inside of
[ 25.057735]  freed 64-byte region [fff00000c77e7800, fff00000c77e7840)
[ 25.057893]
[ 25.057942] The buggy address belongs to the physical page:
[ 25.058018] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077e7
[ 25.058493] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 25.058725] page_type: f5(slab)
[ 25.058830] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 25.058957] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 25.059323] page dumped because: kasan: bad access detected
[ 25.059528]
[ 25.059572] Memory state around the buggy address:
[ 25.059649]  fff00000c77e7700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.059832]  fff00000c77e7780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.059938] >fff00000c77e7800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.060029]                    ^
[ 25.060095]  fff00000c77e7880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.060248]  fff00000c77e7900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.060415] ==================================================================
[ 18.602907] ==================================================================
[ 18.604330] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a3/0x360
[ 18.606203] Write of size 33 at addr ffff8881022c8d00 by task kunit_try_catch/203
[ 18.606870]
[ 18.607179] CPU: 1 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary)
[ 18.607380] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.607421] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 18.607482] Call Trace:
[ 18.607521]  <TASK>
[ 18.607571]  dump_stack_lvl+0x73/0xb0
[ 18.607660]  print_report+0xd1/0x650
[ 18.607741]  ? __virt_addr_valid+0x1db/0x2d0
[ 18.607800]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 18.607834]  ? kasan_complete_mode_report_info+0x64/0x200
[ 18.607866]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 18.607897]  kasan_report+0x141/0x180
[ 18.607930]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 18.607966]  kasan_check_range+0x10c/0x1c0
[ 18.608000]  __asan_memset+0x27/0x50
[ 18.608057]  kmalloc_uaf_memset+0x1a3/0x360
[ 18.608089]  ? __pfx_kmalloc_uaf_memset+0x10/0x10
[ 18.608121]  ? __schedule+0x10cc/0x2b60
[ 18.608157]  ? __pfx_read_tsc+0x10/0x10
[ 18.608225]  ? ktime_get_ts64+0x86/0x230
[ 18.608299]  kunit_try_run_case+0x1a5/0x480
[ 18.608368]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.608427]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 18.608499]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 18.608572]  ? __kthread_parkme+0x82/0x180
[ 18.608643]  ? preempt_count_sub+0x50/0x80
[ 18.608680]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 18.608710]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.608746]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 18.608781]  kthread+0x337/0x6f0
[ 18.608808]  ? trace_preempt_on+0x20/0xc0
[ 18.608841]  ? __pfx_kthread+0x10/0x10
[ 18.608869]  ? _raw_spin_unlock_irq+0x47/0x80
[ 18.608902]  ? calculate_sigpending+0x7b/0xa0
[ 18.608936]  ? __pfx_kthread+0x10/0x10
[ 18.608965]  ret_from_fork+0x116/0x1d0
[ 18.608989]  ? __pfx_kthread+0x10/0x10
[ 18.609041]  ret_from_fork_asm+0x1a/0x30
[ 18.609088]  </TASK>
[ 18.609103]
[ 18.632291] Allocated by task 203:
[ 18.634653]  kasan_save_stack+0x45/0x70
[ 18.636031]  kasan_save_track+0x18/0x40
[ 18.636547]  kasan_save_alloc_info+0x3b/0x50
[ 18.636822]  __kasan_kmalloc+0xb7/0xc0
[ 18.637090]  __kmalloc_cache_noprof+0x189/0x420
[ 18.637366]  kmalloc_uaf_memset+0xa9/0x360
[ 18.638806]  kunit_try_run_case+0x1a5/0x480
[ 18.640210]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.641223]  kthread+0x337/0x6f0
[ 18.641644]  ret_from_fork+0x116/0x1d0
[ 18.641957]  ret_from_fork_asm+0x1a/0x30
[ 18.642296]
[ 18.642455] Freed by task 203:
[ 18.642674]  kasan_save_stack+0x45/0x70
[ 18.642944]  kasan_save_track+0x18/0x40
[ 18.645040]  kasan_save_free_info+0x3f/0x60
[ 18.645909]  __kasan_slab_free+0x56/0x70
[ 18.646802]  kfree+0x222/0x3f0
[ 18.647609]  kmalloc_uaf_memset+0x12b/0x360
[ 18.648226]  kunit_try_run_case+0x1a5/0x480
[ 18.648512]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 18.649091]  kthread+0x337/0x6f0
[ 18.650551]  ret_from_fork+0x116/0x1d0
[ 18.651614]  ret_from_fork_asm+0x1a/0x30
[ 18.652407]
[ 18.652953] The buggy address belongs to the object at ffff8881022c8d00
[ 18.652953]  which belongs to the cache kmalloc-64 of size 64
[ 18.654446] The buggy address is located 0 bytes inside of
[ 18.654446]  freed 64-byte region [ffff8881022c8d00, ffff8881022c8d40)
[ 18.655452]
[ 18.655898] The buggy address belongs to the physical page:
[ 18.656398] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1022c8
[ 18.657100] flags: 0x200000000000000(node=0|zone=2)
[ 18.657659] page_type: f5(slab)
[ 18.657974] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 18.658803] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 18.660687] page dumped because: kasan: bad access detected
[ 18.661543]
[ 18.661718] Memory state around the buggy address:
[ 18.662564]  ffff8881022c8c00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 18.663865]  ffff8881022c8c80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 18.664139] >ffff8881022c8d00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 18.665380]                    ^
[ 18.665689]  ffff8881022c8d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.666294]  ffff8881022c8e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.666784] ==================================================================
[ 56.152709] ==================================================================
[ 56.163299] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1fc/0x3b0
[ 56.170501] Write of size 33 at addr cc797400 by task kunit_try_catch/238
[ 56.177337]
[ 56.178833] CPU: 0 UID: 0 PID: 238 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE
[ 56.178863] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 56.178863] Hardware name: Generic DRA74X (Flattened Device Tree)
[ 56.178894] Call trace:
[ 56.178894]  unwind_backtrace from show_stack+0x18/0x1c
[ 56.178924]  show_stack from dump_stack_lvl+0x70/0x90
[ 56.178955]  dump_stack_lvl from print_report+0x158/0x528
[ 56.178955]  print_report from kasan_report+0xdc/0x118
[ 56.178985]  kasan_report from kasan_check_range+0x14c/0x198
[ 56.179016]  kasan_check_range from __asan_memset+0x20/0x3c
[ 56.179016]  __asan_memset from kmalloc_uaf_memset+0x1fc/0x3b0
[ 56.179046]  kmalloc_uaf_memset from kunit_try_run_case+0x22c/0x5a8
[ 56.179077]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 56.179107]  kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[ 56.179138]  kthread from ret_from_fork+0x14/0x20
[ 56.179138] Exception stack(0xf22f3fb0 to 0xf22f3ff8)
[ 56.179168] 3fa0:                                     00000000 00000000 00000000 00000000
[ 56.179168] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.179199] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 56.179199]
[ 56.296478] Allocated by task 238:
[ 56.299896]  kasan_save_track+0x30/0x5c
[ 56.303771]  __kasan_kmalloc+0x8c/0x94
[ 56.307556]  kmalloc_uaf_memset+0xcc/0x3b0
[ 56.311676]  kunit_try_run_case+0x22c/0x5a8
[ 56.315917]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 56.321441]  kthread+0x464/0x810
[ 56.324676]  ret_from_fork+0x14/0x20
[ 56.328308]
[ 56.329803] Freed by task 238:
[ 56.332855]  kasan_save_track+0x30/0x5c
[ 56.336730]  kasan_save_free_info+0x3c/0x48
[ 56.340942]  __kasan_slab_free+0x40/0x50
[ 56.344909]  kfree+0xe8/0x384
[ 56.347900]  kmalloc_uaf_memset+0x174/0x3b0
[ 56.352111]  kunit_try_run_case+0x22c/0x5a8
[ 56.356323]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 56.361877]  kthread+0x464/0x810
[ 56.365112]  ret_from_fork+0x14/0x20
[ 56.368713]
[ 56.370239] The buggy address belongs to the object at cc797400
[ 56.370239]  which belongs to the cache kmalloc-64 of size 64
[ 56.381958] The buggy address is located 0 bytes inside of
[ 56.381958]  freed 64-byte region [cc797400, cc797440)
[ 56.392639]
[ 56.394134] The buggy address belongs to the physical page:
[ 56.399749] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c797
[ 56.407012] flags: 0x0(zone=0)
[ 56.410095] page_type: f5(slab)
[ 56.413269] raw: 00000000 c7001300 00000122 00000000 00000000 80200020 f5000000 00000000
[ 56.421417] raw: 00000000
[ 56.424041] page dumped because: kasan: bad access detected
[ 56.429656]
[ 56.431152] Memory state around the buggy address:
[ 56.435974]  cc797300: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 56.442535]  cc797380: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 56.449127] >cc797400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 56.455688]            ^
[ 56.458221]  cc797480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 56.464813]  cc797500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 56.471374] ==================================================================