Date
June 24, 2025, 11:37 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
```
[ 39.338174] ==================================================================
[ 39.348865] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[ 39.356101] Write of size 33 at addr ffff000080acfd80 by task kunit_try_catch/284
[ 39.363684]
[ 39.365218] CPU: 3 UID: 0 PID: 284 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[ 39.365249] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 39.365259] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 39.365273] Call trace:
[ 39.365280]  show_stack+0x20/0x38 (C)
[ 39.365299]  dump_stack_lvl+0x8c/0xd0
[ 39.365320]  print_report+0x118/0x608
[ 39.365339]  kasan_report+0xdc/0x128
[ 39.365359]  kasan_check_range+0x100/0x1a8
[ 39.365380]  __asan_memset+0x34/0x78
[ 39.365396]  kmalloc_uaf_memset+0x170/0x310
[ 39.365416]  kunit_try_run_case+0x170/0x3f0
[ 39.365435]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 39.365457]  kthread+0x328/0x630
[ 39.365472]  ret_from_fork+0x10/0x20
[ 39.365490]
[ 39.434114] Allocated by task 284:
[ 39.437575]  kasan_save_stack+0x3c/0x68
[ 39.441487]  kasan_save_track+0x20/0x40
[ 39.445389]  kasan_save_alloc_info+0x40/0x58
[ 39.449730]  __kasan_kmalloc+0xd4/0xd8
[ 39.453545]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 39.458149]  kmalloc_uaf_memset+0xb8/0x310
[ 39.462319]  kunit_try_run_case+0x170/0x3f0
[ 39.466573]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 39.472145]  kthread+0x328/0x630
[ 39.475439]  ret_from_fork+0x10/0x20
[ 39.479084]
[ 39.480611] Freed by task 284:
[ 39.483716]  kasan_save_stack+0x3c/0x68
[ 39.487618]  kasan_save_track+0x20/0x40
[ 39.491520]  kasan_save_free_info+0x4c/0x78
[ 39.495774]  __kasan_slab_free+0x6c/0x98
[ 39.499764]  kfree+0x214/0x3c8
[ 39.502878]  kmalloc_uaf_memset+0x11c/0x310
[ 39.507138]  kunit_try_run_case+0x170/0x3f0
[ 39.511392]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 39.516960]  kthread+0x328/0x630
[ 39.520254]  ret_from_fork+0x10/0x20
[ 39.523898]
[ 39.525428] The buggy address belongs to the object at ffff000080acfd80
[ 39.525428]  which belongs to the cache kmalloc-64 of size 64
[ 39.537916] The buggy address is located 0 bytes inside of
[ 39.537916]  freed 64-byte region [ffff000080acfd80, ffff000080acfdc0)
[ 39.550058]
[ 39.551587] The buggy address belongs to the physical page:
[ 39.557240] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100acf
[ 39.565348] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 39.571967] page_type: f5(slab)
[ 39.575175] raw: 0bfffe0000000000 ffff0000800028c0 dead000000000122 0000000000000000
[ 39.583026] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 39.590863] page dumped because: kasan: bad access detected
[ 39.596511]
[ 39.598041] Memory state around the buggy address:
[ 39.602906]  ffff000080acfc80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 39.610225]  ffff000080acfd00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 39.617543] >ffff000080acfd80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 39.624861]                    ^
[ 39.628152]  ffff000080acfe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.635470]  ffff000080acfe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.642791] ==================================================================
```
```
[ 33.222757] ==================================================================
[ 33.222916] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[ 33.223085] Write of size 33 at addr fff00000c7735600 by task kunit_try_catch/197
[ 33.223242]
[ 33.223473] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[ 33.224027] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.224145] Hardware name: linux,dummy-virt (DT)
[ 33.224226] Call trace:
[ 33.224285]  show_stack+0x20/0x38 (C)
[ 33.224449]  dump_stack_lvl+0x8c/0xd0
[ 33.224797]  print_report+0x118/0x608
[ 33.224959]  kasan_report+0xdc/0x128
[ 33.225096]  kasan_check_range+0x100/0x1a8
[ 33.225384]  __asan_memset+0x34/0x78
[ 33.225521]  kmalloc_uaf_memset+0x170/0x310
[ 33.225701]  kunit_try_run_case+0x170/0x3f0
[ 33.225967]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.226307]  kthread+0x328/0x630
[ 33.226623]  ret_from_fork+0x10/0x20
[ 33.226863]
[ 33.227023] Allocated by task 197:
[ 33.227431]  kasan_save_stack+0x3c/0x68
[ 33.228100]  kasan_save_track+0x20/0x40
[ 33.228272]  kasan_save_alloc_info+0x40/0x58
[ 33.228652]  __kasan_kmalloc+0xd4/0xd8
[ 33.228755]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 33.229178]  kmalloc_uaf_memset+0xb8/0x310
[ 33.229355]  kunit_try_run_case+0x170/0x3f0
[ 33.230094]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.230229]  kthread+0x328/0x630
[ 33.230369]  ret_from_fork+0x10/0x20
[ 33.230488]
[ 33.230567] Freed by task 197:
[ 33.230774]  kasan_save_stack+0x3c/0x68
[ 33.230874]  kasan_save_track+0x20/0x40
[ 33.230987]  kasan_save_free_info+0x4c/0x78
[ 33.231077]  __kasan_slab_free+0x6c/0x98
[ 33.231604]  kfree+0x214/0x3c8
[ 33.231738]  kmalloc_uaf_memset+0x11c/0x310
[ 33.231904]  kunit_try_run_case+0x170/0x3f0
[ 33.232236]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.232776]  kthread+0x328/0x630
[ 33.232972]  ret_from_fork+0x10/0x20
[ 33.233307]
[ 33.233515] The buggy address belongs to the object at fff00000c7735600
[ 33.233515]  which belongs to the cache kmalloc-64 of size 64
[ 33.233656] The buggy address is located 0 bytes inside of
[ 33.233656]  freed 64-byte region [fff00000c7735600, fff00000c7735640)
[ 33.234440]
[ 33.234580] The buggy address belongs to the physical page:
[ 33.234696] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107735
[ 33.234926] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.235058] page_type: f5(slab)
[ 33.235246] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 33.235382] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 33.235785] page dumped because: kasan: bad access detected
[ 33.235990]
[ 33.236038] Memory state around the buggy address:
[ 33.236117]  fff00000c7735500: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 33.236272]  fff00000c7735580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 33.236394] >fff00000c7735600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 33.236497]                    ^
[ 33.236580]  fff00000c7735680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.236685]  fff00000c7735700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.237162] ==================================================================
```
```
[ 29.377814] ==================================================================
[ 29.379004] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a3/0x360
[ 29.379673] Write of size 33 at addr ffff888102d0b300 by task kunit_try_catch/216
[ 29.380776]
[ 29.380953] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary)
[ 29.381066] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 29.381099] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 29.381159] Call Trace:
[ 29.381196]  <TASK>
[ 29.381235]  dump_stack_lvl+0x73/0xb0
[ 29.381326]  print_report+0xd1/0x650
[ 29.381595]  ? __virt_addr_valid+0x1db/0x2d0
[ 29.381698]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 29.381748]  ? kasan_complete_mode_report_info+0x64/0x200
[ 29.381795]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 29.381823]  kasan_report+0x141/0x180
[ 29.381853]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 29.381887]  kasan_check_range+0x10c/0x1c0
[ 29.381917]  __asan_memset+0x27/0x50
[ 29.381948]  kmalloc_uaf_memset+0x1a3/0x360
[ 29.381975]  ? __pfx_kmalloc_uaf_memset+0x10/0x10
[ 29.382003]  ? __schedule+0x207f/0x2b60
[ 29.382036]  ? __pfx_read_tsc+0x10/0x10
[ 29.382116]  ? ktime_get_ts64+0x86/0x230
[ 29.382178]  kunit_try_run_case+0x1a5/0x480
[ 29.382218]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 29.382248]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 29.382281]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 29.382312]  ? __kthread_parkme+0x82/0x180
[ 29.382343]  ? preempt_count_sub+0x50/0x80
[ 29.382373]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 29.382404]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.382435]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 29.382465]  kthread+0x337/0x6f0
[ 29.382490]  ? trace_preempt_on+0x20/0xc0
[ 29.382521]  ? __pfx_kthread+0x10/0x10
[ 29.382568]  ? _raw_spin_unlock_irq+0x47/0x80
[ 29.382599]  ? calculate_sigpending+0x7b/0xa0
[ 29.382642]  ? __pfx_kthread+0x10/0x10
[ 29.382691]  ret_from_fork+0x116/0x1d0
[ 29.382718]  ? __pfx_kthread+0x10/0x10
[ 29.382746]  ret_from_fork_asm+0x1a/0x30
[ 29.382787]  </TASK>
[ 29.382801]
[ 29.398674] Allocated by task 216:
[ 29.398931]  kasan_save_stack+0x45/0x70
[ 29.399191]  kasan_save_track+0x18/0x40
[ 29.399458]  kasan_save_alloc_info+0x3b/0x50
[ 29.399958]  __kasan_kmalloc+0xb7/0xc0
[ 29.400417]  __kmalloc_cache_noprof+0x189/0x420
[ 29.400960]  kmalloc_uaf_memset+0xa9/0x360
[ 29.401517]  kunit_try_run_case+0x1a5/0x480
[ 29.402015]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.402679]  kthread+0x337/0x6f0
[ 29.403019]  ret_from_fork+0x116/0x1d0
[ 29.403295]  ret_from_fork_asm+0x1a/0x30
[ 29.403564]
[ 29.403832] Freed by task 216:
[ 29.404321]  kasan_save_stack+0x45/0x70
[ 29.404831]  kasan_save_track+0x18/0x40
[ 29.405440]  kasan_save_free_info+0x3f/0x60
[ 29.405920]  __kasan_slab_free+0x56/0x70
[ 29.406292]  kfree+0x222/0x3f0
[ 29.406520]  kmalloc_uaf_memset+0x12b/0x360
[ 29.407094]  kunit_try_run_case+0x1a5/0x480
[ 29.407736]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 29.408243]  kthread+0x337/0x6f0
[ 29.408596]  ret_from_fork+0x116/0x1d0
[ 29.409031]  ret_from_fork_asm+0x1a/0x30
[ 29.409321]
[ 29.409449] The buggy address belongs to the object at ffff888102d0b300
[ 29.409449]  which belongs to the cache kmalloc-64 of size 64
[ 29.410675] The buggy address is located 0 bytes inside of
[ 29.410675]  freed 64-byte region [ffff888102d0b300, ffff888102d0b340)
[ 29.411376]
[ 29.411717] The buggy address belongs to the physical page:
[ 29.412271] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102d0b
[ 29.412847] flags: 0x200000000000000(node=0|zone=2)
[ 29.413176] page_type: f5(slab)
[ 29.413390] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 29.414120] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 29.414836] page dumped because: kasan: bad access detected
[ 29.415472]
[ 29.415748] Memory state around the buggy address:
[ 29.416231]  ffff888102d0b200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.416641]  ffff888102d0b280: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.417269] >ffff888102d0b300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.417938]                    ^
[ 29.418358]  ffff888102d0b380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.418835]  ffff888102d0b400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.419497] ==================================================================
```