Date
June 24, 2025, 11:37 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
dragonboard-845c:

```
[   39.025442] ==================================================================
[   39.037615] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   39.044241] Read of size 1 at addr ffff000080a55188 by task kunit_try_catch/282
[   39.051653]
[   39.053185] CPU: 2 UID: 0 PID: 282 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[   39.053215] Tainted: [B]=BAD_PAGE, [N]=TEST
[   39.053226] Hardware name: Thundercomm Dragonboard 845c (DT)
[   39.053238] Call trace:
[   39.053246]  show_stack+0x20/0x38 (C)
[   39.053265]  dump_stack_lvl+0x8c/0xd0
[   39.053285]  print_report+0x118/0x608
[   39.053305]  kasan_report+0xdc/0x128
[   39.053325]  __asan_report_load1_noabort+0x20/0x30
[   39.053344]  kmalloc_uaf+0x300/0x338
[   39.053360]  kunit_try_run_case+0x170/0x3f0
[   39.053380]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   39.053401]  kthread+0x328/0x630
[   39.053418]  ret_from_fork+0x10/0x20
[   39.053437]
[   39.118539] Allocated by task 282:
[   39.122002]  kasan_save_stack+0x3c/0x68
[   39.125904]  kasan_save_track+0x20/0x40
[   39.129809]  kasan_save_alloc_info+0x40/0x58
[   39.134151]  __kasan_kmalloc+0xd4/0xd8
[   39.137966]  __kmalloc_cache_noprof+0x16c/0x3c0
[   39.142571]  kmalloc_uaf+0xb8/0x338
[   39.146126]  kunit_try_run_case+0x170/0x3f0
[   39.150383]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   39.155957]  kthread+0x328/0x630
[   39.159251]  ret_from_fork+0x10/0x20
[   39.162896]
[   39.164423] Freed by task 282:
[   39.167527]  kasan_save_stack+0x3c/0x68
[   39.171430]  kasan_save_track+0x20/0x40
[   39.175331]  kasan_save_free_info+0x4c/0x78
[   39.179588]  __kasan_slab_free+0x6c/0x98
[   39.183576]  kfree+0x214/0x3c8
[   39.186690]  kmalloc_uaf+0x11c/0x338
[   39.190331]  kunit_try_run_case+0x170/0x3f0
[   39.194589]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   39.200163]  kthread+0x328/0x630
[   39.203460]  ret_from_fork+0x10/0x20
[   39.207101]
[   39.208630] The buggy address belongs to the object at ffff000080a55180
[   39.208630]  which belongs to the cache kmalloc-16 of size 16
[   39.221120] The buggy address is located 8 bytes inside of
[   39.221120]  freed 16-byte region [ffff000080a55180, ffff000080a55190)
[   39.233257]
[   39.234788] The buggy address belongs to the physical page:
[   39.240440] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a55
[   39.248550] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   39.255169] page_type: f5(slab)
[   39.258369] raw: 0bfffe0000000000 ffff000080002640 dead000000000122 0000000000000000
[   39.266220] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   39.274057] page dumped because: kasan: bad access detected
[   39.279709]
[   39.281239] Memory state around the buggy address:
[   39.286105]  ffff000080a55080: 00 06 fc fc 00 05 fc fc 00 05 fc fc 00 05 fc fc
[   39.293425]  ffff000080a55100: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   39.300745] >ffff000080a55180: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.308062]                        ^
[   39.311613]  ffff000080a55200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.318936]  ffff000080a55280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.326254] ==================================================================
```
qemu-arm64:

```
[   33.187040] ==================================================================
[   33.187329] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   33.188196] Read of size 1 at addr fff00000c5757308 by task kunit_try_catch/195
[   33.189566]
[   33.190453] CPU: 0 UID: 0 PID: 195 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[   33.191260] Tainted: [B]=BAD_PAGE, [N]=TEST
[   33.191801] Hardware name: linux,dummy-virt (DT)
[   33.191928] Call trace:
[   33.191993]  show_stack+0x20/0x38 (C)
[   33.192123]  dump_stack_lvl+0x8c/0xd0
[   33.192250]  print_report+0x118/0x608
[   33.192855]  kasan_report+0xdc/0x128
[   33.193019]  __asan_report_load1_noabort+0x20/0x30
[   33.193140]  kmalloc_uaf+0x300/0x338
[   33.193246]  kunit_try_run_case+0x170/0x3f0
[   33.193364]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.193871]  kthread+0x328/0x630
[   33.194838]  ret_from_fork+0x10/0x20
[   33.195063]
[   33.195174] Allocated by task 195:
[   33.195306]  kasan_save_stack+0x3c/0x68
[   33.195412]  kasan_save_track+0x20/0x40
[   33.195533]  kasan_save_alloc_info+0x40/0x58
[   33.195800]  __kasan_kmalloc+0xd4/0xd8
[   33.195946]  __kmalloc_cache_noprof+0x16c/0x3c0
[   33.196041]  kmalloc_uaf+0xb8/0x338
[   33.196131]  kunit_try_run_case+0x170/0x3f0
[   33.196276]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.196502]  kthread+0x328/0x630
[   33.196589]  ret_from_fork+0x10/0x20
[   33.196676]
[   33.196777] Freed by task 195:
[   33.196931]  kasan_save_stack+0x3c/0x68
[   33.197080]  kasan_save_track+0x20/0x40
[   33.197195]  kasan_save_free_info+0x4c/0x78
[   33.197305]  __kasan_slab_free+0x6c/0x98
[   33.197467]  kfree+0x214/0x3c8
[   33.197559]  kmalloc_uaf+0x11c/0x338
[   33.197669]  kunit_try_run_case+0x170/0x3f0
[   33.197821]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.197968]  kthread+0x328/0x630
[   33.198066]  ret_from_fork+0x10/0x20
[   33.198161]
[   33.198231] The buggy address belongs to the object at fff00000c5757300
[   33.198231]  which belongs to the cache kmalloc-16 of size 16
[   33.198505] The buggy address is located 8 bytes inside of
[   33.198505]  freed 16-byte region [fff00000c5757300, fff00000c5757310)
[   33.198754]
[   33.198808] The buggy address belongs to the physical page:
[   33.198907] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105757
[   33.199035] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   33.199358] page_type: f5(slab)
[   33.199547] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   33.199741] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   33.199850] page dumped because: kasan: bad access detected
[   33.199962]
[   33.200016] Memory state around the buggy address:
[   33.200110]  fff00000c5757200: fa fb fc fc fa fb fc fc 00 04 fc fc fa fb fc fc
[   33.200229]  fff00000c5757280: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   33.200402] >fff00000c5757300: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.200499]                        ^
[   33.200606]  fff00000c5757380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.200724]  fff00000c5757400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.200921] ==================================================================
```
qemu-x86_64:

```
[   29.331943] ==================================================================
[   29.332773] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[   29.333746] Read of size 1 at addr ffff8881010ffc88 by task kunit_try_catch/214
[   29.334071]
[   29.334265] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary)
[   29.334376] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.334406] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   29.334450] Call Trace:
[   29.334478]  <TASK>
[   29.334513]  dump_stack_lvl+0x73/0xb0
[   29.334605]  print_report+0xd1/0x650
[   29.334659]  ? __virt_addr_valid+0x1db/0x2d0
[   29.335252]  ? kmalloc_uaf+0x320/0x380
[   29.335285]  ? kasan_complete_mode_report_info+0x64/0x200
[   29.335319]  ? kmalloc_uaf+0x320/0x380
[   29.335346]  kasan_report+0x141/0x180
[   29.335376]  ? kmalloc_uaf+0x320/0x380
[   29.335407]  __asan_report_load1_noabort+0x18/0x20
[   29.335439]  kmalloc_uaf+0x320/0x380
[   29.335464]  ? __pfx_kmalloc_uaf+0x10/0x10
[   29.335491]  ? __schedule+0x10cc/0x2b60
[   29.335524]  ? __pfx_read_tsc+0x10/0x10
[   29.335573]  ? ktime_get_ts64+0x86/0x230
[   29.335606]  kunit_try_run_case+0x1a5/0x480
[   29.335651]  ? __pfx_kunit_try_run_case+0x10/0x10
[   29.335709]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   29.335741]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   29.335773]  ? __kthread_parkme+0x82/0x180
[   29.335803]  ? preempt_count_sub+0x50/0x80
[   29.335847]  ? __pfx_kunit_try_run_case+0x10/0x10
[   29.335878]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   29.335909]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   29.335940]  kthread+0x337/0x6f0
[   29.335965]  ? trace_preempt_on+0x20/0xc0
[   29.335996]  ? __pfx_kthread+0x10/0x10
[   29.336022]  ? _raw_spin_unlock_irq+0x47/0x80
[   29.336051]  ? calculate_sigpending+0x7b/0xa0
[   29.336081]  ? __pfx_kthread+0x10/0x10
[   29.336109]  ret_from_fork+0x116/0x1d0
[   29.336133]  ? __pfx_kthread+0x10/0x10
[   29.336159]  ret_from_fork_asm+0x1a/0x30
[   29.336198]  </TASK>
[   29.336212]
[   29.351068] Allocated by task 214:
[   29.351463]  kasan_save_stack+0x45/0x70
[   29.351806]  kasan_save_track+0x18/0x40
[   29.352074]  kasan_save_alloc_info+0x3b/0x50
[   29.352329]  __kasan_kmalloc+0xb7/0xc0
[   29.352571]  __kmalloc_cache_noprof+0x189/0x420
[   29.352982]  kmalloc_uaf+0xaa/0x380
[   29.353356]  kunit_try_run_case+0x1a5/0x480
[   29.353848]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   29.354412]  kthread+0x337/0x6f0
[   29.355071]  ret_from_fork+0x116/0x1d0
[   29.355786]  ret_from_fork_asm+0x1a/0x30
[   29.356022]
[   29.356198] Freed by task 214:
[   29.356517]  kasan_save_stack+0x45/0x70
[   29.356982]  kasan_save_track+0x18/0x40
[   29.357314]  kasan_save_free_info+0x3f/0x60
[   29.357818]  __kasan_slab_free+0x56/0x70
[   29.358156]  kfree+0x222/0x3f0
[   29.358474]  kmalloc_uaf+0x12c/0x380
[   29.358868]  kunit_try_run_case+0x1a5/0x480
[   29.359235]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   29.359772]  kthread+0x337/0x6f0
[   29.360080]  ret_from_fork+0x116/0x1d0
[   29.360434]  ret_from_fork_asm+0x1a/0x30
[   29.360890]
[   29.361094] The buggy address belongs to the object at ffff8881010ffc80
[   29.361094]  which belongs to the cache kmalloc-16 of size 16
[   29.361965] The buggy address is located 8 bytes inside of
[   29.361965]  freed 16-byte region [ffff8881010ffc80, ffff8881010ffc90)
[   29.362758]
[   29.362986] The buggy address belongs to the physical page:
[   29.363480] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1010ff
[   29.364109] flags: 0x200000000000000(node=0|zone=2)
[   29.364536] page_type: f5(slab)
[   29.364881] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   29.365468] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   29.366037] page dumped because: kasan: bad access detected
[   29.366510]
[   29.366776] Memory state around the buggy address:
[   29.367110]  ffff8881010ffb80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   29.367753]  ffff8881010ffc00: fa fb fc fc fa fb fc fc 00 04 fc fc fa fb fc fc
[   29.368232] >ffff8881010ffc80: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.368897]                        ^
[   29.369223]  ffff8881010ffd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.369701]  ffff8881010ffd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.370338] ==================================================================
```
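All three reports above carry the same fields in the same order: the bug class and faulting function, the access, the allocation and free stacks, the object's cache and the freed region, and the shadow bytes around the address. The helper below is an added example, not code from this page or from the kernel's KASAN or KUnit tooling. It parses a report either one record per line or flattened onto a single line with only the dmesg timestamps as separators (the state extraction left these three in), picks the first frame outside the allocator and KASAN runtime as the alloc/free call site, and cross-checks that the faulting address really lies inside the reported freed region at the claimed offset and that the shadow byte for that granule says "freed". The shadow-value legend and the list of runtime frame prefixes are assumptions (legend taken from mm/kasan/kasan.h, prefixes a heuristic); the sample input is a constructed excerpt of the dragonboard-845c report.

```python
"""KASAN slab-report triage helper: an added example, not code from this page or the kernel.
Parses a generic-mode KASAN slab report such as the three above, taken either one record per
line or flattened onto a single line with only the dmesg timestamps as separators (as
extraction left this page), and cross-checks the fields a triager reads first."""
import re

GRANULE = 8  # generic KASAN: one shadow byte per 8-byte granule
# Shadow values assumed from mm/kasan/kasan.h; the report prints no legend of its own.
SHADOW_LEGEND = {0x00: "addressable", 0xfa: "freed slab object (free-metadata granule)",
                 0xfb: "freed slab object", 0xfc: "slab redzone"}
# Heuristic: frames of the allocator or the KASAN runtime itself, not of the caller.
RUNTIME_PREFIXES = ("kasan_", "__kasan_", "__kmalloc", "kmalloc_trace", "kmalloc_node",
                    "kfree", "kvfree", "kmem_cache_", "__kmem_cache")
TS_RE = re.compile(r"\[\s*\d+\.\d+\]\s*")
FRAME_RE = re.compile(r"^(?:\?\s+)?((\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+)")
SHADOW_ROW_RE = re.compile(r"^>?\s*([0-9a-f]{8,16}):((?:\s+[0-9a-f]{2}){16})$")

# Constructed input: an excerpt of the dragonboard-845c report above, some frames omitted.
SAMPLE_REPORT = """\
[   39.037615] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   39.044241] Read of size 1 at addr ffff000080a55188 by task kunit_try_catch/282
[   39.051653]
[   39.118539] Allocated by task 282:
[   39.122002]  kasan_save_stack+0x3c/0x68
[   39.134151]  __kasan_kmalloc+0xd4/0xd8
[   39.137966]  __kmalloc_cache_noprof+0x16c/0x3c0
[   39.142571]  kmalloc_uaf+0xb8/0x338
[   39.162896]
[   39.164423] Freed by task 282:
[   39.167527]  kasan_save_stack+0x3c/0x68
[   39.179588]  __kasan_slab_free+0x6c/0x98
[   39.183576]  kfree+0x214/0x3c8
[   39.186690]  kmalloc_uaf+0x11c/0x338
[   39.207101]
[   39.208630] The buggy address belongs to the object at ffff000080a55180
[   39.208630]  which belongs to the cache kmalloc-16 of size 16
[   39.221120] The buggy address is located 8 bytes inside of
[   39.221120]  freed 16-byte region [ffff000080a55180, ffff000080a55190)
[   39.300745] >ffff000080a55180: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   39.308062]                        ^
[   39.311613]  ffff000080a55200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

def records(text):
    """One record per line; a flattened log keeps only its timestamps as separators."""
    if TS_RE.search(text):
        text = TS_RE.sub("\n", text.replace("\n", " "))
    return [ln.strip() for ln in text.split("\n")]

def stack_after(lines, header):
    """(frame, symbol) pairs of the section starting with header, up to the next blank record."""
    frames, inside = [], False
    for ln in lines:
        if inside and not ln:
            break
        if inside and (m := FRAME_RE.match(ln)):
            frames.append(m.groups())
        inside = inside or ln.startswith(header)
    return frames

def call_site(frames):
    """First frame outside the allocator/KASAN runtime: the code that did the alloc or free."""
    return next((full for full, sym in frames if not sym.startswith(RUNTIME_PREFIXES)), None)

def triage(text):
    lines = records(text)
    body = "\n".join(lines)
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+?)\+0x", body)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", body)
    region = re.search(r"(freed )?(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", body)
    if not (bug and acc and region):
        raise ValueError("not a KASAN slab report")
    loc = re.search(r"located (\d+) bytes (inside|to the right|to the left) of", body)
    cache = re.search(r"belongs to the cache (\S+) of size (\d+)", body)
    addr = int(acc.group(3), 16)
    start, end = int(region.group(3), 16), int(region.group(4), 16)
    shadow = None
    for m in filter(None, map(SHADOW_ROW_RE.match, lines)):  # row covering the faulting address
        base = int(m.group(1), 16)
        if base <= addr < base + 16 * GRANULE:
            shadow = int(m.group(2).split()[(addr - base) // GRANULE], 16)
    return {
        "bug_type": bug.group(1), "function": bug.group(2), "access": acc.group(1),
        "size": int(acc.group(2)), "addr": addr, "task": acc.group(4),
        "cache": cache.group(1) if cache else None, "freed": region.group(1) is not None,
        "region": (start, end), "offset": addr - start,
        # the report's own "N bytes inside of" claim must agree with the raw numbers
        "offset_matches_report": bool(loc) and loc.group(2) == "inside"
        and int(loc.group(1)) == addr - start and start <= addr < end,
        "alloc_site": call_site(stack_after(lines, "Allocated by")),
        "free_site": call_site(stack_after(lines, "Freed by")),
        "shadow_byte": shadow, "shadow_meaning": None if shadow is None else SHADOW_LEGEND.get(
            shadow, f"partially addressable ({shadow} bytes)" if 1 <= shadow <= 7 else "unknown"),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

For the excerpt the checks agree: 0xffff000080a55188 minus the object start 0xffff000080a55180 is 8, matching "8 bytes inside of", and the shadow byte for that granule is fb (freed slab object), so the report is internally consistent. A report where those disagree, or where the shadow byte under the caret is 00, is more likely a truncated or mis-pasted log than a new bug. Note also what these three reports are: the faulting function is `kmalloc_uaf`, the task is `kunit_try_catch` and the taint line carries `[N]=TEST`, i.e. the KASAN KUnit self-test deliberately reading a freed allocation to prove detection works, so a triage script should classify them as expected test output rather than as a use-after-free in production code.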