Date
June 26, 2025, 9:10 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
```
[ 40.379114] ==================================================================
[ 40.391291] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[ 40.397912] Read of size 1 at addr ffff000081a1d448 by task kunit_try_catch/270
[ 40.405319]
[ 40.406853] CPU: 1 UID: 0 PID: 270 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 40.406883] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 40.406892] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 40.406904] Call trace:
[ 40.406914]  show_stack+0x20/0x38 (C)
[ 40.406933]  dump_stack_lvl+0x8c/0xd0
[ 40.406952]  print_report+0x118/0x608
[ 40.406973]  kasan_report+0xdc/0x128
[ 40.406992]  __asan_report_load1_noabort+0x20/0x30
[ 40.407009]  kmalloc_uaf+0x300/0x338
[ 40.407027]  kunit_try_run_case+0x170/0x3f0
[ 40.407046]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 40.407069]  kthread+0x328/0x630
[ 40.407083]  ret_from_fork+0x10/0x20
[ 40.407100]
[ 40.472199] Allocated by task 270:
[ 40.475663]  kasan_save_stack+0x3c/0x68
[ 40.479572]  kasan_save_track+0x20/0x40
[ 40.483479]  kasan_save_alloc_info+0x40/0x58
[ 40.487823]  __kasan_kmalloc+0xd4/0xd8
[ 40.491643]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 40.496246]  kmalloc_uaf+0xb8/0x338
[ 40.499799]  kunit_try_run_case+0x170/0x3f0
[ 40.504059]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 40.509626]  kthread+0x328/0x630
[ 40.512914]  ret_from_fork+0x10/0x20
[ 40.516561]
[ 40.518089] Freed by task 270:
[ 40.521197]  kasan_save_stack+0x3c/0x68
[ 40.525104]  kasan_save_track+0x20/0x40
[ 40.529011]  kasan_save_free_info+0x4c/0x78
[ 40.533271]  __kasan_slab_free+0x6c/0x98
[ 40.537266]  kfree+0x214/0x3c8
[ 40.540382]  kmalloc_uaf+0x11c/0x338
[ 40.544020]  kunit_try_run_case+0x170/0x3f0
[ 40.548279]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 40.553850]  kthread+0x328/0x630
[ 40.557136]  ret_from_fork+0x10/0x20
[ 40.560783]
[ 40.562316] The buggy address belongs to the object at ffff000081a1d440
[ 40.562316]  which belongs to the cache kmalloc-16 of size 16
[ 40.574800] The buggy address is located 8 bytes inside of
[ 40.574800]  freed 16-byte region [ffff000081a1d440, ffff000081a1d450)
[ 40.586940]
[ 40.588473] The buggy address belongs to the physical page:
[ 40.594121] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101a1d
[ 40.602232] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 40.608851] page_type: f5(slab)
[ 40.612058] raw: 0bfffe0000000000 ffff000080002640 dead000000000100 dead000000000122
[ 40.619899] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 40.627738] page dumped because: kasan: bad access detected
[ 40.633388]
[ 40.634917] Memory state around the buggy address:
[ 40.639777]  ffff000081a1d300: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 40.647099]  ffff000081a1d380: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 40.654419] >ffff000081a1d400: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc
[ 40.661739]                                               ^
[ 40.667388]  ffff000081a1d480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.674710]  ffff000081a1d500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.682029] ==================================================================
```
```
[ 26.928826] ==================================================================
[ 26.928883] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[ 26.928969] Read of size 1 at addr fff00000c16b9c88 by task kunit_try_catch/196
[ 26.929020]
[ 26.929047] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 26.929146] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.929171] Hardware name: linux,dummy-virt (DT)
[ 26.929210] Call trace:
[ 26.929232]  show_stack+0x20/0x38 (C)
[ 26.929281]  dump_stack_lvl+0x8c/0xd0
[ 26.929327]  print_report+0x118/0x608
[ 26.929373]  kasan_report+0xdc/0x128
[ 26.929418]  __asan_report_load1_noabort+0x20/0x30
[ 26.929538]  kmalloc_uaf+0x300/0x338
[ 26.929581]  kunit_try_run_case+0x170/0x3f0
[ 26.929628]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.929679]  kthread+0x328/0x630
[ 26.929730]  ret_from_fork+0x10/0x20
[ 26.929778]
[ 26.929795] Allocated by task 196:
[ 26.929820]  kasan_save_stack+0x3c/0x68
[ 26.929861]  kasan_save_track+0x20/0x40
[ 26.929896]  kasan_save_alloc_info+0x40/0x58
[ 26.929934]  __kasan_kmalloc+0xd4/0xd8
[ 26.929970]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 26.930162]  kmalloc_uaf+0xb8/0x338
[ 26.930310]  kunit_try_run_case+0x170/0x3f0
[ 26.930368]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.930413]  kthread+0x328/0x630
[ 26.930489]  ret_from_fork+0x10/0x20
[ 26.930523]
[ 26.930542] Freed by task 196:
[ 26.930567]  kasan_save_stack+0x3c/0x68
[ 26.930604]  kasan_save_track+0x20/0x40
[ 26.930639]  kasan_save_free_info+0x4c/0x78
[ 26.930675]  __kasan_slab_free+0x6c/0x98
[ 26.930713]  kfree+0x214/0x3c8
[ 26.930786]  kmalloc_uaf+0x11c/0x338
[ 26.930922]  kunit_try_run_case+0x170/0x3f0
[ 26.930960]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.931003]  kthread+0x328/0x630
[ 26.931041]  ret_from_fork+0x10/0x20
[ 26.931143]
[ 26.931161] The buggy address belongs to the object at fff00000c16b9c80
[ 26.931161]  which belongs to the cache kmalloc-16 of size 16
[ 26.931334] The buggy address is located 8 bytes inside of
[ 26.931334]  freed 16-byte region [fff00000c16b9c80, fff00000c16b9c90)
[ 26.931494]
[ 26.931549] The buggy address belongs to the physical page:
[ 26.931663] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xfff00000c16b9ba0 pfn:0x1016b9
[ 26.931747] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 26.931827] page_type: f5(slab)
[ 26.931863] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 26.931913] raw: fff00000c16b9ba0 000000008080007f 00000000f5000000 0000000000000000
[ 26.931952] page dumped because: kasan: bad access detected
[ 26.931982]
[ 26.932001] Memory state around the buggy address:
[ 26.932029]  fff00000c16b9b80: fa fb fc fc fa fb fc fc 00 04 fc fc fa fb fc fc
[ 26.932080]  fff00000c16b9c00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 26.932121] >fff00000c16b9c80: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.932158]                       ^
[ 26.932184]  fff00000c16b9d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.932226]  fff00000c16b9d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.932262] ==================================================================
```
```
[ 22.361277] ==================================================================
[ 22.361751] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[ 22.362298] Read of size 1 at addr ffff88810278b6e8 by task kunit_try_catch/213
[ 22.362629]
[ 22.362749] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary)
[ 22.362803] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.362816] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.362840] Call Trace:
[ 22.362864]  <TASK>
[ 22.362886]  dump_stack_lvl+0x73/0xb0
[ 22.362923]  print_report+0xd1/0x650
[ 22.362963]  ? __virt_addr_valid+0x1db/0x2d0
[ 22.362991]  ? kmalloc_uaf+0x320/0x380
[ 22.363010]  ? kasan_complete_mode_report_info+0x64/0x200
[ 22.363054]  ? kmalloc_uaf+0x320/0x380
[ 22.363084]  kasan_report+0x141/0x180
[ 22.363105]  ? kmalloc_uaf+0x320/0x380
[ 22.363127]  __asan_report_load1_noabort+0x18/0x20
[ 22.363161]  kmalloc_uaf+0x320/0x380
[ 22.363181]  ? __pfx_kmalloc_uaf+0x10/0x10
[ 22.363200]  ? sysvec_apic_timer_interrupt+0x50/0x90
[ 22.363232]  ? trace_hardirqs_on+0x37/0xe0
[ 22.363257]  ? __pfx_read_tsc+0x10/0x10
[ 22.363280]  ? ktime_get_ts64+0x86/0x230
[ 22.363305]  kunit_try_run_case+0x1a5/0x480
[ 22.363332]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.363355]  ? queued_spin_lock_slowpath+0x116/0xb40
[ 22.363381]  ? __kthread_parkme+0x82/0x180
[ 22.363402]  ? preempt_count_sub+0x50/0x80
[ 22.363435]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.363458]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.363481]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.363515]  kthread+0x337/0x6f0
[ 22.363534]  ? trace_preempt_on+0x20/0xc0
[ 22.363564]  ? __pfx_kthread+0x10/0x10
[ 22.363583]  ? _raw_spin_unlock_irq+0x47/0x80
[ 22.363606]  ? calculate_sigpending+0x7b/0xa0
[ 22.363640]  ? __pfx_kthread+0x10/0x10
[ 22.363661]  ret_from_fork+0x116/0x1d0
[ 22.363679]  ? __pfx_kthread+0x10/0x10
[ 22.363698]  ret_from_fork_asm+0x1a/0x30
[ 22.363730]  </TASK>
[ 22.363743]
[ 22.372964] Allocated by task 213:
[ 22.373428]  kasan_save_stack+0x45/0x70
[ 22.373779]  kasan_save_track+0x18/0x40
[ 22.373962]  kasan_save_alloc_info+0x3b/0x50
[ 22.374270]  __kasan_kmalloc+0xb7/0xc0
[ 22.374528]  __kmalloc_cache_noprof+0x189/0x420
[ 22.374843]  kmalloc_uaf+0xaa/0x380
[ 22.374987]  kunit_try_run_case+0x1a5/0x480
[ 22.375405]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.375743]  kthread+0x337/0x6f0
[ 22.375875]  ret_from_fork+0x116/0x1d0
[ 22.376300]  ret_from_fork_asm+0x1a/0x30
[ 22.376571]
[ 22.376658] Freed by task 213:
[ 22.376779]  kasan_save_stack+0x45/0x70
[ 22.377153]  kasan_save_track+0x18/0x40
[ 22.377337]  kasan_save_free_info+0x3f/0x60
[ 22.377659]  __kasan_slab_free+0x56/0x70
[ 22.377857]  kfree+0x222/0x3f0
[ 22.378004]  kmalloc_uaf+0x12c/0x380
[ 22.378359]  kunit_try_run_case+0x1a5/0x480
[ 22.378567]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.378938]  kthread+0x337/0x6f0
[ 22.379197]  ret_from_fork+0x116/0x1d0
[ 22.379457]  ret_from_fork_asm+0x1a/0x30
[ 22.379737]
[ 22.379830] The buggy address belongs to the object at ffff88810278b6e0
[ 22.379830]  which belongs to the cache kmalloc-16 of size 16
[ 22.380562] The buggy address is located 8 bytes inside of
[ 22.380562]  freed 16-byte region [ffff88810278b6e0, ffff88810278b6f0)
[ 22.381134]
[ 22.381382] The buggy address belongs to the physical page:
[ 22.381611] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10278b
[ 22.382046] flags: 0x200000000000000(node=0|zone=2)
[ 22.382347] page_type: f5(slab)
[ 22.382477] raw: 0200000000000000 ffff888100041640 dead000000000100 dead000000000122
[ 22.382932] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 22.383325] page dumped because: kasan: bad access detected
[ 22.383630]
[ 22.383722] Memory state around the buggy address:
[ 22.383925]  ffff88810278b580: 00 06 fc fc 00 06 fc fc 00 06 fc fc fa fb fc fc
[ 22.384413]  ffff88810278b600: fa fb fc fc 00 00 fc fc fa fb fc fc fa fb fc fc
[ 22.384787] >ffff88810278b680: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 22.385038]                                                           ^
[ 22.385493]  ffff88810278b700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.385800]  ffff88810278b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.386213] ==================================================================
```