Date
June 24, 2025, 11:37 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
dragonboard-845c:

```
[   36.575182] ==================================================================
[   36.586123] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[   36.593000] Read of size 16 at addr ffff0000958f6180 by task kunit_try_catch/266
[   36.600487]
[   36.602018] CPU: 4 UID: 0 PID: 266 Comm: kunit_try_catch Tainted: G    B   N  6.16.0-rc3-next-20250624 #1 PREEMPT
[   36.602049] Tainted: [B]=BAD_PAGE, [N]=TEST
[   36.602057] Hardware name: Thundercomm Dragonboard 845c (DT)
[   36.602068] Call trace:
[   36.602074]  show_stack+0x20/0x38 (C)
[   36.602092]  dump_stack_lvl+0x8c/0xd0
[   36.602110]  print_report+0x118/0x608
[   36.602129]  kasan_report+0xdc/0x128
[   36.602147]  __asan_report_load16_noabort+0x20/0x30
[   36.602164]  kmalloc_uaf_16+0x3bc/0x438
[   36.602179]  kunit_try_run_case+0x170/0x3f0
[   36.602198]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   36.602220]  kthread+0x328/0x630
[   36.602232]  ret_from_fork+0x10/0x20
[   36.602248]
[   36.667641] Allocated by task 266:
[   36.671097]  kasan_save_stack+0x3c/0x68
[   36.674996]  kasan_save_track+0x20/0x40
[   36.678902]  kasan_save_alloc_info+0x40/0x58
[   36.683234]  __kasan_kmalloc+0xd4/0xd8
[   36.687041]  __kmalloc_cache_noprof+0x16c/0x3c0
[   36.691639]  kmalloc_uaf_16+0x140/0x438
[   36.695541]  kunit_try_run_case+0x170/0x3f0
[   36.699791]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   36.705357]  kthread+0x328/0x630
[   36.708639]  ret_from_fork+0x10/0x20
[   36.712271]
[   36.713795] Freed by task 266:
[   36.716900]  kasan_save_stack+0x3c/0x68
[   36.720795]  kasan_save_track+0x20/0x40
[   36.724700]  kasan_save_free_info+0x4c/0x78
[   36.728948]  __kasan_slab_free+0x6c/0x98
[   36.732939]  kfree+0x214/0x3c8
[   36.736050]  kmalloc_uaf_16+0x190/0x438
[   36.739952]  kunit_try_run_case+0x170/0x3f0
[   36.744203]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   36.749768]  kthread+0x328/0x630
[   36.753052]  ret_from_fork+0x10/0x20
[   36.756683]
[   36.758207] The buggy address belongs to the object at ffff0000958f6180
[   36.758207]  which belongs to the cache kmalloc-16 of size 16
[   36.770690] The buggy address is located 0 bytes inside of
[   36.770690]  freed 16-byte region [ffff0000958f6180, ffff0000958f6190)
[   36.782817]
[   36.784348] The buggy address belongs to the physical page:
[   36.789990] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1158f6
[   36.798093] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   36.804705] page_type: f5(slab)
[   36.807902] raw: 0bfffe0000000000 ffff000080002640 dead000000000122 0000000000000000
[   36.815754] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   36.823598] page dumped because: kasan: bad access detected
[   36.829245]
[   36.830770] Memory state around the buggy address:
[   36.835632]  ffff0000958f6080: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   36.842945]  ffff0000958f6100: fa fb fc fc fa fb fc fc fa fb fc fc 00 00 fc fc
[   36.850252] >ffff0000958f6180: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.857568]                    ^
[   36.860850]  ffff0000958f6200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.868157]  ffff0000958f6280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.875462] ==================================================================
```
qemu-arm64:

```
[   32.919165] ==================================================================
[   32.919857] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[   32.920185] Read of size 16 at addr fff00000c57572e0 by task kunit_try_catch/179
[   32.920620]
[   32.920718] CPU: 0 UID: 0 PID: 179 Comm: kunit_try_catch Tainted: G    B   N  6.16.0-rc3-next-20250624 #1 PREEMPT
[   32.921413] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.921609] Hardware name: linux,dummy-virt (DT)
[   32.921833] Call trace:
[   32.922142]  show_stack+0x20/0x38 (C)
[   32.922481]  dump_stack_lvl+0x8c/0xd0
[   32.922911]  print_report+0x118/0x608
[   32.923926]  kasan_report+0xdc/0x128
[   32.924262]  __asan_report_load16_noabort+0x20/0x30
[   32.924553]  kmalloc_uaf_16+0x3bc/0x438
[   32.924683]  kunit_try_run_case+0x170/0x3f0
[   32.924805]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.925080]  kthread+0x328/0x630
[   32.925413]  ret_from_fork+0x10/0x20
[   32.925569]
[   32.925618] Allocated by task 179:
[   32.925682]  kasan_save_stack+0x3c/0x68
[   32.925776]  kasan_save_track+0x20/0x40
[   32.925872]  kasan_save_alloc_info+0x40/0x58
[   32.926381]  __kasan_kmalloc+0xd4/0xd8
[   32.926485]  __kmalloc_cache_noprof+0x16c/0x3c0
[   32.926598]  kmalloc_uaf_16+0x140/0x438
[   32.926698]  kunit_try_run_case+0x170/0x3f0
[   32.926843]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.927173]  kthread+0x328/0x630
[   32.927265]  ret_from_fork+0x10/0x20
[   32.927356]
[   32.927427] Freed by task 179:
[   32.927588]  kasan_save_stack+0x3c/0x68
[   32.927728]  kasan_save_track+0x20/0x40
[   32.927871]  kasan_save_free_info+0x4c/0x78
[   32.928063]  __kasan_slab_free+0x6c/0x98
[   32.928236]  kfree+0x214/0x3c8
[   32.928448]  kmalloc_uaf_16+0x190/0x438
[   32.928650]  kunit_try_run_case+0x170/0x3f0
[   32.928841]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.928972]  kthread+0x328/0x630
[   32.929513]  ret_from_fork+0x10/0x20
[   32.929702]
[   32.929784] The buggy address belongs to the object at fff00000c57572e0
[   32.929784]  which belongs to the cache kmalloc-16 of size 16
[   32.929929] The buggy address is located 0 bytes inside of
[   32.929929]  freed 16-byte region [fff00000c57572e0, fff00000c57572f0)
[   32.930076]
[   32.930143] The buggy address belongs to the physical page:
[   32.930218] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105757
[   32.930338] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.930462] page_type: f5(slab)
[   32.930554] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   32.930699] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   32.930795] page dumped because: kasan: bad access detected
[   32.930865]
[   32.930943] Memory state around the buggy address:
[   32.931029]  fff00000c5757180: 00 02 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   32.931496]  fff00000c5757200: fa fb fc fc fa fb fc fc 00 04 fc fc fa fb fc fc
[   32.931629] >fff00000c5757280: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[   32.931881]                                                        ^
[   32.932658]  fff00000c5757300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.932936]  fff00000c5757380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.933034] ==================================================================
```
qemu-x86_64:

```
[   28.979776] ==================================================================
[   28.980839] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[   28.981340] Read of size 16 at addr ffff8881022bd700 by task kunit_try_catch/198
[   28.981975]
[   28.982159] CPU: 1 UID: 0 PID: 198 Comm: kunit_try_catch Tainted: G    B   N  6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary)
[   28.982297] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.982330] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   28.982376] Call Trace:
[   28.982405]  <TASK>
[   28.982441]  dump_stack_lvl+0x73/0xb0
[   28.982509]  print_report+0xd1/0x650
[   28.982585]  ? __virt_addr_valid+0x1db/0x2d0
[   28.982645]  ? kmalloc_uaf_16+0x47b/0x4c0
[   28.982723]  ? kasan_complete_mode_report_info+0x64/0x200
[   28.982806]  ? kmalloc_uaf_16+0x47b/0x4c0
[   28.982859]  kasan_report+0x141/0x180
[   28.982917]  ? kmalloc_uaf_16+0x47b/0x4c0
[   28.982978]  __asan_report_load16_noabort+0x18/0x20
[   28.983037]  kmalloc_uaf_16+0x47b/0x4c0
[   28.983090]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[   28.983174]  ? __schedule+0x10cc/0x2b60
[   28.983235]  ? __pfx_read_tsc+0x10/0x10
[   28.983290]  ? ktime_get_ts64+0x86/0x230
[   28.983374]  kunit_try_run_case+0x1a5/0x480
[   28.983443]  ? __pfx_kunit_try_run_case+0x10/0x10
[   28.983502]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   28.983587]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   28.983646]  ? __kthread_parkme+0x82/0x180
[   28.983695]  ? preempt_count_sub+0x50/0x80
[   28.983740]  ? __pfx_kunit_try_run_case+0x10/0x10
[   28.983773]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   28.983805]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   28.983847]  kthread+0x337/0x6f0
[   28.983873]  ? trace_preempt_on+0x20/0xc0
[   28.983904]  ? __pfx_kthread+0x10/0x10
[   28.983931]  ? _raw_spin_unlock_irq+0x47/0x80
[   28.983960]  ? calculate_sigpending+0x7b/0xa0
[   28.983990]  ? __pfx_kthread+0x10/0x10
[   28.984017]  ret_from_fork+0x116/0x1d0
[   28.984043]  ? __pfx_kthread+0x10/0x10
[   28.984069]  ret_from_fork_asm+0x1a/0x30
[   28.984107]  </TASK>
[   28.984121]
[   28.996581] Allocated by task 198:
[   28.996942]  kasan_save_stack+0x45/0x70
[   28.997423]  kasan_save_track+0x18/0x40
[   28.997749]  kasan_save_alloc_info+0x3b/0x50
[   28.998077]  __kasan_kmalloc+0xb7/0xc0
[   28.998381]  __kmalloc_cache_noprof+0x189/0x420
[   28.998873]  kmalloc_uaf_16+0x15b/0x4c0
[   28.999279]  kunit_try_run_case+0x1a5/0x480
[   28.999956]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   29.000479]  kthread+0x337/0x6f0
[   29.000861]  ret_from_fork+0x116/0x1d0
[   29.001242]  ret_from_fork_asm+0x1a/0x30
[   29.001774]
[   29.001973] Freed by task 198:
[   29.002222]  kasan_save_stack+0x45/0x70
[   29.002511]  kasan_save_track+0x18/0x40
[   29.002976]  kasan_save_free_info+0x3f/0x60
[   29.003441]  __kasan_slab_free+0x56/0x70
[   29.004034]  kfree+0x222/0x3f0
[   29.004325]  kmalloc_uaf_16+0x1d6/0x4c0
[   29.004819]  kunit_try_run_case+0x1a5/0x480
[   29.005310]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   29.005898]  kthread+0x337/0x6f0
[   29.006292]  ret_from_fork+0x116/0x1d0
[   29.006756]  ret_from_fork_asm+0x1a/0x30
[   29.007177]
[   29.007313] The buggy address belongs to the object at ffff8881022bd700
[   29.007313]  which belongs to the cache kmalloc-16 of size 16
[   29.008407] The buggy address is located 0 bytes inside of
[   29.008407]  freed 16-byte region [ffff8881022bd700, ffff8881022bd710)
[   29.009317]
[   29.009559] The buggy address belongs to the physical page:
[   29.009951] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1022bd
[   29.010682] flags: 0x200000000000000(node=0|zone=2)
[   29.011208] page_type: f5(slab)
[   29.011622] raw: 0200000000000000 ffff888100041640 dead000000000100 dead000000000122
[   29.012256] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   29.012902] page dumped because: kasan: bad access detected
[   29.013357]
[   29.013580] Memory state around the buggy address:
[   29.013967]  ffff8881022bd600: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   29.014488]  ffff8881022bd680: fa fb fc fc fa fb fc fc fa fb fc fc 00 00 fc fc
[   29.014918] >ffff8881022bd700: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.015592]                    ^
[   29.016139]  ffff8881022bd780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.016797]  ffff8881022bd800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.017254] ==================================================================
```