Date
June 17, 2025, 6:35 a.m.
Environment: qemu-arm64

```text
[   16.645083] ==================================================================
[   16.645159] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[   16.645523] Read of size 1 at addr fff00000c177c000 by task kunit_try_catch/157
[   16.645646]
[   16.645726] CPU: 1 UID: 0 PID: 157 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250617 #1 PREEMPT
[   16.645838] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.645865] Hardware name: linux,dummy-virt (DT)
[   16.645898] Call trace:
[   16.645989]  show_stack+0x20/0x38 (C)
[   16.646143]  dump_stack_lvl+0x8c/0xd0
[   16.646242]  print_report+0x118/0x608
[   16.646302]  kasan_report+0xdc/0x128
[   16.646348]  __asan_report_load1_noabort+0x20/0x30
[   16.646411]  kmalloc_large_uaf+0x2cc/0x2f8
[   16.646627]  kunit_try_run_case+0x170/0x3f0
[   16.646903]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.647023]  kthread+0x328/0x630
[   16.647097]  ret_from_fork+0x10/0x20
[   16.647236]
[   16.647285] The buggy address belongs to the physical page:
[   16.647346] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10177c
[   16.647426] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.647524] raw: 0bfffe0000000000 fff00000da495c80 fff00000da495c80 0000000000000000
[   16.647594] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   16.647635] page dumped because: kasan: bad access detected
[   16.647938]
[   16.648074] Memory state around the buggy address:
[   16.648144]  fff00000c177bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.648289]  fff00000c177bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.648369] >fff00000c177c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   16.648466]                    ^
[   16.648577]  fff00000c177c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   16.648644]  fff00000c177c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   16.648697] ==================================================================
```

Environment: qemu-x86_64

```text
[   17.006633] ==================================================================
[   17.007607] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f1/0x340
[   17.008575] Read of size 1 at addr ffff888103954000 by task kunit_try_catch/175
[   17.009194]
[   17.010042] CPU: 0 UID: 0 PID: 175 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250617 #1 PREEMPT(voluntary)
[   17.010243] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.010295] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   17.010355] Call Trace:
[   17.010392]  <TASK>
[   17.010439]  dump_stack_lvl+0x73/0xb0
[   17.010519]  print_report+0xd1/0x650
[   17.010579]  ? __virt_addr_valid+0x1db/0x2d0
[   17.010615]  ? kmalloc_large_uaf+0x2f1/0x340
[   17.010643]  ? kasan_addr_to_slab+0x11/0xa0
[   17.010672]  ? kmalloc_large_uaf+0x2f1/0x340
[   17.010701]  kasan_report+0x141/0x180
[   17.010731]  ? kmalloc_large_uaf+0x2f1/0x340
[   17.010764]  __asan_report_load1_noabort+0x18/0x20
[   17.010798]  kmalloc_large_uaf+0x2f1/0x340
[   17.010825]  ? __pfx_kmalloc_large_uaf+0x10/0x10
[   17.010888]  ? __pfx_kmalloc_large_uaf+0x10/0x10
[   17.010923]  kunit_try_run_case+0x1a5/0x480
[   17.010959]  ? __pfx_kunit_try_run_case+0x10/0x10
[   17.010990]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   17.011017]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   17.011052]  ? __kthread_parkme+0x82/0x180
[   17.011080]  ? preempt_count_sub+0x50/0x80
[   17.011110]  ? __pfx_kunit_try_run_case+0x10/0x10
[   17.011142]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   17.011172]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   17.011202]  kthread+0x337/0x6f0
[   17.011265]  ? trace_preempt_on+0x20/0xc0
[   17.011305]  ? __pfx_kthread+0x10/0x10
[   17.011334]  ? _raw_spin_unlock_irq+0x47/0x80
[   17.011366]  ? calculate_sigpending+0x7b/0xa0
[   17.011399]  ? __pfx_kthread+0x10/0x10
[   17.011427]  ret_from_fork+0x116/0x1d0
[   17.011453]  ? __pfx_kthread+0x10/0x10
[   17.011482]  ret_from_fork_asm+0x1a/0x30
[   17.011524]  </TASK>
[   17.011548]
[   17.026659] The buggy address belongs to the physical page:
[   17.027205] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103954
[   17.027912] flags: 0x200000000000000(node=0|zone=2)
[   17.028491] raw: 0200000000000000 ffffea00040e5608 ffff88815b039f80 0000000000000000
[   17.029163] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   17.029872] page dumped because: kasan: bad access detected
[   17.030357]
[   17.030512] Memory state around the buggy address:
[   17.031020]  ffff888103953f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.031743]  ffff888103953f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.032250] >ffff888103954000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.032830]                    ^
[   17.033204]  ffff888103954080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.033887]  ffff888103954100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.034592] ==================================================================
```