Date
June 3, 2025, 7:38 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |

qemu-arm64 (Hardware name: linux,dummy-virt (DT)):

```text
[ 18.406266] ==================================================================
[ 18.406337] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[ 18.406395] Read of size 1 at addr fff00000c4473bc8 by task kunit_try_catch/184
[ 18.406460]
[ 18.406510] CPU: 1 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250603 #1 PREEMPT
[ 18.406598] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.406625] Hardware name: linux,dummy-virt (DT)
[ 18.406655] Call trace:
[ 18.406676] show_stack+0x20/0x38 (C)
[ 18.406725] dump_stack_lvl+0x8c/0xd0
[ 18.406849] print_report+0x118/0x608
[ 18.406905] kasan_report+0xdc/0x128
[ 18.406978] __asan_report_load1_noabort+0x20/0x30
[ 18.407066] kmalloc_uaf+0x300/0x338
[ 18.407111] kunit_try_run_case+0x170/0x3f0
[ 18.407177] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.407239] kthread+0x328/0x630
[ 18.407283] ret_from_fork+0x10/0x20
[ 18.407330]
[ 18.407347] Allocated by task 184:
[ 18.407394] kasan_save_stack+0x3c/0x68
[ 18.407444] kasan_save_track+0x20/0x40
[ 18.407659] kasan_save_alloc_info+0x40/0x58
[ 18.407728] __kasan_kmalloc+0xd4/0xd8
[ 18.407812] __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.407921] kmalloc_uaf+0xb8/0x338
[ 18.407976] kunit_try_run_case+0x170/0x3f0
[ 18.408014] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.408058] kthread+0x328/0x630
[ 18.408113] ret_from_fork+0x10/0x20
[ 18.408151]
[ 18.408172] Freed by task 184:
[ 18.408198] kasan_save_stack+0x3c/0x68
[ 18.408234] kasan_save_track+0x20/0x40
[ 18.408537] kasan_save_free_info+0x4c/0x78
[ 18.408607] __kasan_slab_free+0x6c/0x98
[ 18.408733] kfree+0x214/0x3c8
[ 18.408802] kmalloc_uaf+0x11c/0x338
[ 18.408865] kunit_try_run_case+0x170/0x3f0
[ 18.408928] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.408991] kthread+0x328/0x630
[ 18.409300] ret_from_fork+0x10/0x20
[ 18.409399]
[ 18.409514] The buggy address belongs to the object at fff00000c4473bc0
[ 18.409514]  which belongs to the cache kmalloc-16 of size 16
[ 18.409644] The buggy address is located 8 bytes inside of
[ 18.409644]  freed 16-byte region [fff00000c4473bc0, fff00000c4473bd0)
[ 18.409714]
[ 18.409735] The buggy address belongs to the physical page:
[ 18.409767] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104473
[ 18.409817] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.409867] page_type: f5(slab)
[ 18.409907] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 18.410065] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 18.410134] page dumped because: kasan: bad access detected
[ 18.410176]
[ 18.410218] Memory state around the buggy address:
[ 18.410331]  fff00000c4473a80: fa fb fc fc 00 01 fc fc fa fb fc fc fa fb fc fc
[ 18.410469]  fff00000c4473b00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 18.410513] >fff00000c4473b80: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc
[ 18.410551]                                               ^
[ 18.410586]  fff00000c4473c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.410629]  fff00000c4473c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.410667] ==================================================================
```

qemu-x86_64 (Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)):

```text
[ 14.840642] ==================================================================
[ 14.841615] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[ 14.842118] Read of size 1 at addr ffff888101c20688 by task kunit_try_catch/201
[ 14.842806]
[ 14.843086] CPU: 1 UID: 0 PID: 201 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250603 #1 PREEMPT(voluntary)
[ 14.843191] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.843216] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.843267] Call Trace:
[ 14.843296] <TASK>
[ 14.843358] dump_stack_lvl+0x73/0xb0
[ 14.843428] print_report+0xd1/0x650
[ 14.843488] ? __virt_addr_valid+0x1db/0x2d0
[ 14.843538] ? kmalloc_uaf+0x320/0x380
[ 14.843588] ? kasan_complete_mode_report_info+0x64/0x200
[ 14.843635] ? kmalloc_uaf+0x320/0x380
[ 14.843700] kasan_report+0x141/0x180
[ 14.843743] ? kmalloc_uaf+0x320/0x380
[ 14.843791] __asan_report_load1_noabort+0x18/0x20
[ 14.843835] kmalloc_uaf+0x320/0x380
[ 14.843878] ? __pfx_kmalloc_uaf+0x10/0x10
[ 14.843934] ? __schedule+0x10cc/0x2b60
[ 14.844002] ? __pfx_read_tsc+0x10/0x10
[ 14.844048] ? ktime_get_ts64+0x86/0x230
[ 14.844086] kunit_try_run_case+0x1a5/0x480
[ 14.844113] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.844134] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.844160] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.844185] ? __kthread_parkme+0x82/0x180
[ 14.844219] ? preempt_count_sub+0x50/0x80
[ 14.844308] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.844331] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.844358] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.844383] kthread+0x337/0x6f0
[ 14.844405] ? trace_preempt_on+0x20/0xc0
[ 14.844430] ? __pfx_kthread+0x10/0x10
[ 14.844452] ? _raw_spin_unlock_irq+0x47/0x80
[ 14.844502] ? calculate_sigpending+0x7b/0xa0
[ 14.844529] ? __pfx_kthread+0x10/0x10
[ 14.844552] ret_from_fork+0x116/0x1d0
[ 14.844574] ? __pfx_kthread+0x10/0x10
[ 14.844596] ret_from_fork_asm+0x1a/0x30
[ 14.844630] </TASK>
[ 14.844643]
[ 14.856924] Allocated by task 201:
[ 14.857426] kasan_save_stack+0x45/0x70
[ 14.857863] kasan_save_track+0x18/0x40
[ 14.858270] kasan_save_alloc_info+0x3b/0x50
[ 14.858670] __kasan_kmalloc+0xb7/0xc0
[ 14.859030] __kmalloc_cache_noprof+0x189/0x420
[ 14.859532] kmalloc_uaf+0xaa/0x380
[ 14.859789] kunit_try_run_case+0x1a5/0x480
[ 14.859993] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.860444] kthread+0x337/0x6f0
[ 14.860753] ret_from_fork+0x116/0x1d0
[ 14.861062] ret_from_fork_asm+0x1a/0x30
[ 14.861394]
[ 14.861548] Freed by task 201:
[ 14.861716] kasan_save_stack+0x45/0x70
[ 14.862037] kasan_save_track+0x18/0x40
[ 14.862387] kasan_save_free_info+0x3f/0x60
[ 14.862677] __kasan_slab_free+0x56/0x70
[ 14.862879] kfree+0x222/0x3f0
[ 14.863143] kmalloc_uaf+0x12c/0x380
[ 14.863501] kunit_try_run_case+0x1a5/0x480
[ 14.863871] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.864143] kthread+0x337/0x6f0
[ 14.864483] ret_from_fork+0x116/0x1d0
[ 14.864825] ret_from_fork_asm+0x1a/0x30
[ 14.865118]
[ 14.865322] The buggy address belongs to the object at ffff888101c20680
[ 14.865322]  which belongs to the cache kmalloc-16 of size 16
[ 14.866010] The buggy address is located 8 bytes inside of
[ 14.866010]  freed 16-byte region [ffff888101c20680, ffff888101c20690)
[ 14.866618]
[ 14.866755] The buggy address belongs to the physical page:
[ 14.866993] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101c20
[ 14.867706] flags: 0x200000000000000(node=0|zone=2)
[ 14.868151] page_type: f5(slab)
[ 14.868447] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 14.869029] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 14.869582] page dumped because: kasan: bad access detected
[ 14.870007]
[ 14.870245] Memory state around the buggy address:
[ 14.870557]  ffff888101c20580: 00 01 fc fc fa fb fc fc 00 05 fc fc fa fb fc fc
[ 14.871098]  ffff888101c20600: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 14.871703] >ffff888101c20680: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.872089]                       ^
[ 14.872447]  ffff888101c20700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.872976]  ffff888101c20780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.873464] ==================================================================
```
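Both reports come from the `kmalloc_uaf` case of the KASAN KUnit self-test, which allocates a small buffer with kmalloc, frees it, and then deliberately reads byte 8 of the freed buffer. A `slab-use-after-free` report raised from the `kunit_try_catch` thread on a kernel tainted `[N]=TEST` is therefore the expected outcome of the test, not a defect to file; the `[B]=BAD_PAGE` taint is added by KASAN itself whenever it prints a report. Reading the report: the 1-byte read lands 8 bytes into a freed 16-byte `kmalloc-16` object, and in the shadow row marked `>` that granule is `fb` (KASAN_SLAB_FREE). The `fa` on the object's first granule is KASAN_SLAB_FREE_META, the marker KASAN sets on the granule that holds the free metadata of a freed object; `fc` is the redzone between objects; and pairs such as `00 01` and `00 05` are live neighbouring objects with 9 and 13 addressable bytes. The following Python script is an added example, not kernel or KernelCI code: it parses a generic-mode KASAN report, either one entry per line as dmesg prints it or run together as on this page, recovers the access, object bounds, allocation and free stacks and shadow bytes, re-derives the bug type from the shadow byte with the same partial-granule rule as mm/kasan/report_generic.c, and flags self-test reports. `SAMPLE` is the qemu-arm64 report above trimmed to the entries the parser uses; the shadow value names are those of mm/kasan/kasan.h, and `triage` and `KasanReport` are names chosen here.

```python
"""Parse a generic-mode KASAN report and re-derive the bug type from its shadow
bytes. Added example for this page, not kernel or KernelCI code."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

GRANULE = 8  # KASAN_GRANULE_SIZE: one shadow byte covers 8 bytes of memory
# Shadow values from mm/kasan/kasan.h and the bug type report_generic.c derives
# from each. 0x00 = granule fully addressable, 0x01..0x07 = only that many
# leading bytes addressable. Stack, global and page values are left out here.
SHADOW = {
    0xFA: ("KASAN_SLAB_FREE_META", "slab-use-after-free"),
    0xFB: ("KASAN_SLAB_FREE", "slab-use-after-free"),
    0xFC: ("KASAN_SLAB_REDZONE", "slab-out-of-bounds"),
}
TIMESTAMP = re.compile(r"\[\s*\d+\.\d+\]")
SHADOW_LINE = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})$")
FRAME = re.compile(r"\S+\+0x[0-9a-f]+/0x[0-9a-f]+")


@dataclass
class KasanReport:
    bug_type: str = ""
    site: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    comm: str = ""
    self_test: bool = False  # kernel tainted [N]=TEST, i.e. a KUnit self-test
    obj_start: int = 0
    obj_end: int = 0
    cache: str = ""
    alloc_stack: list[str] = field(default_factory=list)
    free_stack: list[str] = field(default_factory=list)
    shadow: dict[int, int] = field(default_factory=dict)  # granule addr -> byte


def parse_kasan_report(text: str) -> KasanReport:
    """Split on dmesg timestamps so per-line and run-together input parse alike."""
    r, stack = KasanReport(), None
    for e in (e.strip() for e in TIMESTAMP.split(text)):
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", e):
            r.bug_type, r.site = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/\d+", e):
            r.access, r.size, r.addr, r.comm = m[1], int(m[2]), int(m[3], 16), m[4]
        elif "[N]=TEST" in e:
            r.self_test = True
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", e):
            r.obj_start = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", e):
            r.cache, r.obj_end = m[1], r.obj_start + int(m[2])
        elif re.match(r"Allocated by task \d+:", e):
            stack = r.alloc_stack
        elif re.match(r"Freed by task \d+:", e):
            stack = r.free_stack
        elif m := SHADOW_LINE.match(e):
            base = int(m[1], 16)
            r.shadow.update({base + i * GRANULE: int(b, 16) for i, b in enumerate(m[2].split())})
        elif e == "":
            stack = None  # a blank entry closes the Allocated/Freed stack section
        elif stack is not None and FRAME.match(e):
            stack.append(e)
    return r


def triage(r: KasanReport) -> dict:
    """Check the headline against object bounds and the shadow byte, using the
    report_generic.c rule: a partially addressable granule defers to the next one."""
    granule = r.addr - r.addr % GRANULE
    sb = r.shadow.get(granule)
    if sb is not None and 0 < sb < GRANULE:
        sb = r.shadow.get(granule + GRANULE)
    name, derived = SHADOW.get(sb, ("unknown", "unknown"))
    return {
        "headline": r.bug_type, "site": r.site, "self_test": r.self_test,
        "access": f"{r.access} of {r.size} byte(s)", "cache": r.cache,
        "offset_in_object": r.addr - r.obj_start,
        "inside_object": r.obj_start <= r.addr < r.obj_end,
        "shadow_byte": sb, "shadow_name": name,
        "derived_bug_type": derived, "consistent": derived == r.bug_type,
        "freed_by": r.free_stack,
    }


# Constructed sample: the qemu-arm64 report above, trimmed to the entries the
# parser uses (call trace, most stack frames and the page dump omitted).
SAMPLE = """\
[   18.406337] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   18.406395] Read of size 1 at addr fff00000c4473bc8 by task kunit_try_catch/184
[   18.406598] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.407347] Allocated by task 184:
[   18.407812] __kmalloc_cache_noprof+0x16c/0x3c0
[   18.407921] kmalloc_uaf+0xb8/0x338
[   18.408151]
[   18.408172] Freed by task 184:
[   18.408733] kfree+0x214/0x3c8
[   18.408802] kmalloc_uaf+0x11c/0x338
[   18.409399]
[   18.409514] The buggy address belongs to the object at fff00000c4473bc0
[   18.409514] which belongs to the cache kmalloc-16 of size 16
[   18.410331] fff00000c4473a80: fa fb fc fc 00 01 fc fc fa fb fc fc fa fb fc fc
[   18.410513] >fff00000c4473b80: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc
"""
```

Running `triage(parse_kasan_report(SAMPLE))` on the sample yields offset 8 inside the object, shadow byte 0xfb (KASAN_SLAB_FREE), a derived type of slab-use-after-free that agrees with the headline, and self_test set, which is the signal to treat the report as a passing self-test rather than a regression. Feeding it the run-together text from this page gives the same result, since the parser splits on timestamps rather than newlines. Stack and global redzone values are deliberately not in the table, so reports of those kinds come back as "unknown" rather than being misclassified.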