Date
June 25, 2025, 8:08 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
[ 26.766490] ==================================================================
[ 26.766579] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[ 26.766652] Read of size 1 at addr fff00000c3f9db28 by task kunit_try_catch/196
[ 26.766703]
[ 26.766752] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250625 #1 PREEMPT
[ 26.766840] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.766866] Hardware name: linux,dummy-virt (DT)
[ 26.766909] Call trace:
[ 26.766945] show_stack+0x20/0x38 (C)
[ 26.767002] dump_stack_lvl+0x8c/0xd0
[ 26.767058] print_report+0x118/0x608
[ 26.767106] kasan_report+0xdc/0x128
[ 26.767164] __asan_report_load1_noabort+0x20/0x30
[ 26.767212] kmalloc_uaf+0x300/0x338
[ 26.767255] kunit_try_run_case+0x170/0x3f0
[ 26.767309] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.767360] kthread+0x328/0x630
[ 26.767414] ret_from_fork+0x10/0x20
[ 26.767463]
[ 26.767481] Allocated by task 196:
[ 26.767508] kasan_save_stack+0x3c/0x68
[ 26.767551] kasan_save_track+0x20/0x40
[ 26.767587] kasan_save_alloc_info+0x40/0x58
[ 26.767624] __kasan_kmalloc+0xd4/0xd8
[ 26.767662] __kmalloc_cache_noprof+0x16c/0x3c0
[ 26.767701] kmalloc_uaf+0xb8/0x338
[ 26.767736] kunit_try_run_case+0x170/0x3f0
[ 26.767785] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.767830] kthread+0x328/0x630
[ 26.767860] ret_from_fork+0x10/0x20
[ 26.768531]
[ 26.768593] Freed by task 196:
[ 26.768644] kasan_save_stack+0x3c/0x68
[ 26.768716] kasan_save_track+0x20/0x40
[ 26.768832] kasan_save_free_info+0x4c/0x78
[ 26.768929] __kasan_slab_free+0x6c/0x98
[ 26.768970] kfree+0x214/0x3c8
[ 26.769195] kmalloc_uaf+0x11c/0x338
[ 26.769354] kunit_try_run_case+0x170/0x3f0
[ 26.769492] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.769863] kthread+0x328/0x630
[ 26.769968] ret_from_fork+0x10/0x20
[ 26.770342]
[ 26.770387] The buggy address belongs to the object at fff00000c3f9db20
[ 26.770387]  which belongs to the cache kmalloc-16 of size 16
[ 26.770519] The buggy address is located 8 bytes inside of
[ 26.770519]  freed 16-byte region [fff00000c3f9db20, fff00000c3f9db30)
[ 26.770645]
[ 26.770758] The buggy address belongs to the physical page:
[ 26.771031] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103f9d
[ 26.771223] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 26.771366] page_type: f5(slab)
[ 26.771447] raw: 0bfffe0000000000 fff00000c0001640 dead000000000100 dead000000000122
[ 26.771689] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 26.772167] page dumped because: kasan: bad access detected
[ 26.772274]
[ 26.772688] Memory state around the buggy address:
[ 26.772804]  fff00000c3f9da00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 26.772911]  fff00000c3f9da80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 26.772983] >fff00000c3f9db00: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[ 26.773147]                                   ^
[ 26.773486]  fff00000c3f9db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.773661]  fff00000c3f9dc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.773884] ==================================================================
[ 22.107764] ==================================================================
[ 22.109139] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[ 22.109914] Read of size 1 at addr ffff888102797f28 by task kunit_try_catch/213
[ 22.110785]
[ 22.111056] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250625 #1 PREEMPT(voluntary)
[ 22.111115] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.111128] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.111149] Call Trace:
[ 22.111169] <TASK>
[ 22.111192] dump_stack_lvl+0x73/0xb0
[ 22.111225] print_report+0xd1/0x650
[ 22.111250] ? __virt_addr_valid+0x1db/0x2d0
[ 22.111278] ? kmalloc_uaf+0x320/0x380
[ 22.111299] ? kasan_complete_mode_report_info+0x64/0x200
[ 22.111326] ? kmalloc_uaf+0x320/0x380
[ 22.111348] kasan_report+0x141/0x180
[ 22.111372] ? kmalloc_uaf+0x320/0x380
[ 22.111400] __asan_report_load1_noabort+0x18/0x20
[ 22.111425] kmalloc_uaf+0x320/0x380
[ 22.111446] ? __pfx_kmalloc_uaf+0x10/0x10
[ 22.111468] ? __schedule+0x10cc/0x2b60
[ 22.111495] ? __pfx_read_tsc+0x10/0x10
[ 22.111518] ? ktime_get_ts64+0x86/0x230
[ 22.111548] kunit_try_run_case+0x1a5/0x480
[ 22.111577] ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.111600] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 22.111622] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.111648] ? __kthread_parkme+0x82/0x180
[ 22.111671] ? preempt_count_sub+0x50/0x80
[ 22.111698] ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.111725] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.111749] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.111773] kthread+0x337/0x6f0
[ 22.111794] ? trace_preempt_on+0x20/0xc0
[ 22.111819] ? __pfx_kthread+0x10/0x10
[ 22.111844] ? _raw_spin_unlock_irq+0x47/0x80
[ 22.111868] ? calculate_sigpending+0x7b/0xa0
[ 22.111893] ? __pfx_kthread+0x10/0x10
[ 22.111916] ret_from_fork+0x116/0x1d0
[ 22.111936] ? __pfx_kthread+0x10/0x10
[ 22.111969] ret_from_fork_asm+0x1a/0x30
[ 22.112006] </TASK>
[ 22.112019]
[ 22.124429] Allocated by task 213:
[ 22.124638] kasan_save_stack+0x45/0x70
[ 22.124784] kasan_save_track+0x18/0x40
[ 22.125503] kasan_save_alloc_info+0x3b/0x50
[ 22.125911] __kasan_kmalloc+0xb7/0xc0
[ 22.126332] __kmalloc_cache_noprof+0x189/0x420
[ 22.126618] kmalloc_uaf+0xaa/0x380
[ 22.126737] kunit_try_run_case+0x1a5/0x480
[ 22.126968] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.127473] kthread+0x337/0x6f0
[ 22.127772] ret_from_fork+0x116/0x1d0
[ 22.128211] ret_from_fork_asm+0x1a/0x30
[ 22.128587]
[ 22.128735] Freed by task 213:
[ 22.129019] kasan_save_stack+0x45/0x70
[ 22.129165] kasan_save_track+0x18/0x40
[ 22.129459] kasan_save_free_info+0x3f/0x60
[ 22.129883] __kasan_slab_free+0x56/0x70
[ 22.130268] kfree+0x222/0x3f0
[ 22.130527] kmalloc_uaf+0x12c/0x380
[ 22.130654] kunit_try_run_case+0x1a5/0x480
[ 22.130796] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.131330] kthread+0x337/0x6f0
[ 22.131641] ret_from_fork+0x116/0x1d0
[ 22.132082] ret_from_fork_asm+0x1a/0x30
[ 22.132488]
[ 22.132639] The buggy address belongs to the object at ffff888102797f20
[ 22.132639]  which belongs to the cache kmalloc-16 of size 16
[ 22.133461] The buggy address is located 8 bytes inside of
[ 22.133461]  freed 16-byte region [ffff888102797f20, ffff888102797f30)
[ 22.134153]
[ 22.134309] The buggy address belongs to the physical page:
[ 22.134752] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102797
[ 22.135396] flags: 0x200000000000000(node=0|zone=2)
[ 22.135947] page_type: f5(slab)
[ 22.136202] raw: 0200000000000000 ffff888100041640 dead000000000100 dead000000000122
[ 22.136528] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 22.136746] page dumped because: kasan: bad access detected
[ 22.136912]
[ 22.137069] Memory state around the buggy address:
[ 22.137534]  ffff888102797e00: 00 00 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 22.138203]  ffff888102797e80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 22.138419] >ffff888102797f00: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[ 22.138621]                                   ^
[ 22.138764]  ffff888102797f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.139028]  ffff888102798000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.139325] ==================================================================