Date
June 3, 2025, 7:38 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
| x86 |
[ 18.329333] ==================================================================
[ 18.329522] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 18.329623] Read of size 16 at addr fff00000c4473ba0 by task kunit_try_catch/168
[ 18.329679]
[ 18.329736] CPU: 1 UID: 0 PID: 168 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250603 #1 PREEMPT
[ 18.329837] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.329864] Hardware name: linux,dummy-virt (DT)
[ 18.329903] Call trace:
[ 18.329942]  show_stack+0x20/0x38 (C)
[ 18.330009]  dump_stack_lvl+0x8c/0xd0
[ 18.330057]  print_report+0x118/0x608
[ 18.330103]  kasan_report+0xdc/0x128
[ 18.330148]  __asan_report_load16_noabort+0x20/0x30
[ 18.330195]  kmalloc_uaf_16+0x3bc/0x438
[ 18.330238]  kunit_try_run_case+0x170/0x3f0
[ 18.330285]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.330336]  kthread+0x328/0x630
[ 18.330379]  ret_from_fork+0x10/0x20
[ 18.330507]
[ 18.330548] Allocated by task 168:
[ 18.330597]  kasan_save_stack+0x3c/0x68
[ 18.330656]  kasan_save_track+0x20/0x40
[ 18.330693]  kasan_save_alloc_info+0x40/0x58
[ 18.330727]  __kasan_kmalloc+0xd4/0xd8
[ 18.330767]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.330970]  kmalloc_uaf_16+0x140/0x438
[ 18.331032]  kunit_try_run_case+0x170/0x3f0
[ 18.331080]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.331150]  kthread+0x328/0x630
[ 18.331190]  ret_from_fork+0x10/0x20
[ 18.331247]
[ 18.331266] Freed by task 168:
[ 18.331292]  kasan_save_stack+0x3c/0x68
[ 18.331341]  kasan_save_track+0x20/0x40
[ 18.331386]  kasan_save_free_info+0x4c/0x78
[ 18.331420]  __kasan_slab_free+0x6c/0x98
[ 18.331466]  kfree+0x214/0x3c8
[ 18.331498]  kmalloc_uaf_16+0x190/0x438
[ 18.331531]  kunit_try_run_case+0x170/0x3f0
[ 18.331567]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.331630]  kthread+0x328/0x630
[ 18.331668]  ret_from_fork+0x10/0x20
[ 18.331764]
[ 18.331853] The buggy address belongs to the object at fff00000c4473ba0
[ 18.331853]  which belongs to the cache kmalloc-16 of size 16
[ 18.331975] The buggy address is located 0 bytes inside of
[ 18.331975]  freed 16-byte region [fff00000c4473ba0, fff00000c4473bb0)
[ 18.332095]
[ 18.332123] The buggy address belongs to the physical page:
[ 18.332194] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104473
[ 18.332288] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.332337] page_type: f5(slab)
[ 18.332375] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 18.332434] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 18.332473] page dumped because: kasan: bad access detected
[ 18.332502]
[ 18.332541] Memory state around the buggy address:
[ 18.332574]  fff00000c4473a80: fa fb fc fc 00 01 fc fc fa fb fc fc fa fb fc fc
[ 18.332615]  fff00000c4473b00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 18.332802] >fff00000c4473b80: 00 00 fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[ 18.332848]                                ^
[ 18.332904]  fff00000c4473c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.332961]  fff00000c4473c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.333063] ==================================================================
[ 14.494489] ==================================================================
[ 14.495591] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[ 14.496070] Read of size 16 at addr ffff888101c20660 by task kunit_try_catch/185
[ 14.496547]
[ 14.496819] CPU: 1 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250603 #1 PREEMPT(voluntary)
[ 14.496926] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.496950] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.496990] Call Trace:
[ 14.497017]  <TASK>
[ 14.497055]  dump_stack_lvl+0x73/0xb0
[ 14.497129]  print_report+0xd1/0x650
[ 14.497174]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.497328]  ? kmalloc_uaf_16+0x47b/0x4c0
[ 14.497377]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.497419]  ? kmalloc_uaf_16+0x47b/0x4c0
[ 14.497476]  kasan_report+0x141/0x180
[ 14.497525]  ? kmalloc_uaf_16+0x47b/0x4c0
[ 14.497583]  __asan_report_load16_noabort+0x18/0x20
[ 14.497631]  kmalloc_uaf_16+0x47b/0x4c0
[ 14.497680]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 14.497725]  ? __schedule+0x10cc/0x2b60
[ 14.497771]  ? __pfx_read_tsc+0x10/0x10
[ 14.497978]  ? ktime_get_ts64+0x86/0x230
[ 14.498032]  kunit_try_run_case+0x1a5/0x480
[ 14.498081]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.498120]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.498171]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.498372]  ? __kthread_parkme+0x82/0x180
[ 14.498434]  ? preempt_count_sub+0x50/0x80
[ 14.498509]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.498535]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.498563]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.498588]  kthread+0x337/0x6f0
[ 14.498609]  ? trace_preempt_on+0x20/0xc0
[ 14.498636]  ? __pfx_kthread+0x10/0x10
[ 14.498658]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.498682]  ? calculate_sigpending+0x7b/0xa0
[ 14.498820]  ? __pfx_kthread+0x10/0x10
[ 14.498848]  ret_from_fork+0x116/0x1d0
[ 14.498870]  ? __pfx_kthread+0x10/0x10
[ 14.498892]  ret_from_fork_asm+0x1a/0x30
[ 14.498927]  </TASK>
[ 14.498941]
[ 14.513863] Allocated by task 185:
[ 14.514261]  kasan_save_stack+0x45/0x70
[ 14.514658]  kasan_save_track+0x18/0x40
[ 14.514999]  kasan_save_alloc_info+0x3b/0x50
[ 14.515296]  __kasan_kmalloc+0xb7/0xc0
[ 14.515982]  __kmalloc_cache_noprof+0x189/0x420
[ 14.516516]  kmalloc_uaf_16+0x15b/0x4c0
[ 14.517448]  kunit_try_run_case+0x1a5/0x480
[ 14.518453]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.518751]  kthread+0x337/0x6f0
[ 14.519168]  ret_from_fork+0x116/0x1d0
[ 14.519881]  ret_from_fork_asm+0x1a/0x30
[ 14.520167]
[ 14.520571] Freed by task 185:
[ 14.521021]  kasan_save_stack+0x45/0x70
[ 14.521624]  kasan_save_track+0x18/0x40
[ 14.522157]  kasan_save_free_info+0x3f/0x60
[ 14.522346]  __kasan_slab_free+0x56/0x70
[ 14.522504]  kfree+0x222/0x3f0
[ 14.522630]  kmalloc_uaf_16+0x1d6/0x4c0
[ 14.523382]  kunit_try_run_case+0x1a5/0x480
[ 14.523646]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.523888]  kthread+0x337/0x6f0
[ 14.524735]  ret_from_fork+0x116/0x1d0
[ 14.525189]  ret_from_fork_asm+0x1a/0x30
[ 14.525887]
[ 14.526004] The buggy address belongs to the object at ffff888101c20660
[ 14.526004]  which belongs to the cache kmalloc-16 of size 16
[ 14.527063] The buggy address is located 0 bytes inside of
[ 14.527063]  freed 16-byte region [ffff888101c20660, ffff888101c20670)
[ 14.527916]
[ 14.528417] The buggy address belongs to the physical page:
[ 14.529148] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101c20
[ 14.529400] flags: 0x200000000000000(node=0|zone=2)
[ 14.529597] page_type: f5(slab)
[ 14.529739] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 14.530559] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 14.530868] page dumped because: kasan: bad access detected
[ 14.531299]
[ 14.531433] Memory state around the buggy address:
[ 14.532007]  ffff888101c20500: fa fb fc fc fa fb fc fc fa fb fc fc 00 01 fc fc
[ 14.532434]  ffff888101c20580: 00 01 fc fc fa fb fc fc 00 05 fc fc fa fb fc fc
[ 14.533753] >ffff888101c20600: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[ 14.534350]                                                        ^
[ 14.534985]  ffff888101c20680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.535432]  ffff888101c20700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.535763] ==================================================================
[ 27.389019] ==================================================================
[ 27.399818] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[ 27.406613] Read of size 16 at addr ffff888100aa54e0 by task kunit_try_catch/208
[ 27.414013]
[ 27.415513] CPU: 1 UID: 0 PID: 208 Comm: kunit_try_catch Tainted: G S B N 6.15.0-next-20250603 #1 PREEMPT(voluntary)
[ 27.415522] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST
[ 27.415524] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[ 27.415528] Call Trace:
[ 27.415529]  <TASK>
[ 27.415531]  dump_stack_lvl+0x73/0xb0
[ 27.415535]  print_report+0xd1/0x650
[ 27.415539]  ? __virt_addr_valid+0x1db/0x2d0
[ 27.415543]  ? kmalloc_uaf_16+0x47b/0x4c0
[ 27.415546]  ? kasan_complete_mode_report_info+0x64/0x200
[ 27.415550]  ? kmalloc_uaf_16+0x47b/0x4c0
[ 27.415554]  kasan_report+0x141/0x180
[ 27.415558]  ? kmalloc_uaf_16+0x47b/0x4c0
[ 27.415563]  __asan_report_load16_noabort+0x18/0x20
[ 27.415567]  kmalloc_uaf_16+0x47b/0x4c0
[ 27.415571]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 27.415575]  ? __schedule+0x10cc/0x2b60
[ 27.415579]  ? ktime_get_ts64+0x83/0x230
[ 27.415583]  kunit_try_run_case+0x1a2/0x480
[ 27.415587]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.415590]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 27.415595]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 27.415599]  ? __kthread_parkme+0x82/0x180
[ 27.415603]  ? preempt_count_sub+0x50/0x80
[ 27.415607]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.415610]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 27.415615]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 27.415619]  kthread+0x334/0x6f0
[ 27.415623]  ? trace_preempt_on+0x20/0xc0
[ 27.415627]  ? __pfx_kthread+0x10/0x10
[ 27.415631]  ? _raw_spin_unlock_irq+0x47/0x80
[ 27.415635]  ? calculate_sigpending+0x7b/0xa0
[ 27.415639]  ? __pfx_kthread+0x10/0x10
[ 27.415643]  ret_from_fork+0x113/0x1d0
[ 27.415646]  ? __pfx_kthread+0x10/0x10
[ 27.415650]  ret_from_fork_asm+0x1a/0x30
[ 27.415656]  </TASK>
[ 27.415657]
[ 27.580107] Allocated by task 208:
[ 27.583513]  kasan_save_stack+0x45/0x70
[ 27.587369]  kasan_save_track+0x18/0x40
[ 27.591235]  kasan_save_alloc_info+0x3b/0x50
[ 27.595507]  __kasan_kmalloc+0xb7/0xc0
[ 27.599259]  __kmalloc_cache_noprof+0x189/0x420
[ 27.603792]  kmalloc_uaf_16+0x15b/0x4c0
[ 27.607632]  kunit_try_run_case+0x1a2/0x480
[ 27.611818]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 27.617219]  kthread+0x334/0x6f0
[ 27.620450]  ret_from_fork+0x113/0x1d0
[ 27.624202]  ret_from_fork_asm+0x1a/0x30
[ 27.628127]
[ 27.629620] Freed by task 208:
[ 27.632679]  kasan_save_stack+0x45/0x70
[ 27.636518]  kasan_save_track+0x18/0x40
[ 27.640368]  kasan_save_free_info+0x3f/0x60
[ 27.644568]  __kasan_slab_free+0x56/0x70
[ 27.648496]  kfree+0x222/0x3f0
[ 27.651555]  kmalloc_uaf_16+0x1d6/0x4c0
[ 27.655410]  kunit_try_run_case+0x1a2/0x480
[ 27.659598]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 27.665005]  kthread+0x334/0x6f0
[ 27.668237]  ret_from_fork+0x113/0x1d0
[ 27.671988]  ret_from_fork_asm+0x1a/0x30
[ 27.675915]
[ 27.677416] The buggy address belongs to the object at ffff888100aa54e0
[ 27.677416]  which belongs to the cache kmalloc-16 of size 16
[ 27.689756] The buggy address is located 0 bytes inside of
[ 27.689756]  freed 16-byte region [ffff888100aa54e0, ffff888100aa54f0)
[ 27.701752]
[ 27.703249] The buggy address belongs to the physical page:
[ 27.708822] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100aa5
[ 27.716823] flags: 0x200000000000000(node=0|zone=2)
[ 27.721701] page_type: f5(slab)
[ 27.724848] raw: 0200000000000000 ffff888100042640 dead000000000122 0000000000000000
[ 27.732588] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 27.740334] page dumped because: kasan: bad access detected
[ 27.745934]
[ 27.747432] Memory state around the buggy address:
[ 27.752225]  ffff888100aa5380: fa fb fc fc fa fb fc fc 00 06 fc fc 00 06 fc fc
[ 27.759443]  ffff888100aa5400: 00 06 fc fc 00 00 fc fc 00 05 fc fc fa fb fc fc
[ 27.766663] >ffff888100aa5480: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[ 27.773883]                                                        ^
[ 27.780236]  ffff888100aa5500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.787454]  ffff888100aa5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.794673] ==================================================================