Date: June 26, 2025, 9:10 a.m.

| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
dragonboard-845c:

```
[ 37.938274] ==================================================================
[ 37.949220] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 37.956105] Read of size 16 at addr ffff000093276b60 by task kunit_try_catch/254
[ 37.963597]
[ 37.965126] CPU: 7 UID: 0 PID: 254 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 37.965156] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 37.965164] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 37.965179] Call trace:
[ 37.965186]  show_stack+0x20/0x38 (C)
[ 37.965203]  dump_stack_lvl+0x8c/0xd0
[ 37.965223]  print_report+0x118/0x608
[ 37.965240]  kasan_report+0xdc/0x128
[ 37.965258]  __asan_report_load16_noabort+0x20/0x30
[ 37.965274]  kmalloc_uaf_16+0x3bc/0x438
[ 37.965290]  kunit_try_run_case+0x170/0x3f0
[ 37.965308]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 37.965328]  kthread+0x328/0x630
[ 37.965341]  ret_from_fork+0x10/0x20
[ 37.965357]
[ 38.030750] Allocated by task 254:
[ 38.034207]  kasan_save_stack+0x3c/0x68
[ 38.038105]  kasan_save_track+0x20/0x40
[ 38.042004]  kasan_save_alloc_info+0x40/0x58
[ 38.046342]  __kasan_kmalloc+0xd4/0xd8
[ 38.050150]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 38.054751]  kmalloc_uaf_16+0x140/0x438
[ 38.058647]  kunit_try_run_case+0x170/0x3f0
[ 38.062899]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 38.068467]  kthread+0x328/0x630
[ 38.071752]  ret_from_fork+0x10/0x20
[ 38.075387]
[ 38.076909] Freed by task 254:
[ 38.080018]  kasan_save_stack+0x3c/0x68
[ 38.083914]  kasan_save_track+0x20/0x40
[ 38.087811]  kasan_save_free_info+0x4c/0x78
[ 38.092061]  __kasan_slab_free+0x6c/0x98
[ 38.096044]  kfree+0x214/0x3c8
[ 38.099157]  kmalloc_uaf_16+0x190/0x438
[ 38.103051]  kunit_try_run_case+0x170/0x3f0
[ 38.107305]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 38.112874]  kthread+0x328/0x630
[ 38.116160]  ret_from_fork+0x10/0x20
[ 38.119794]
[ 38.121316] The buggy address belongs to the object at ffff000093276b60
[ 38.121316]  which belongs to the cache kmalloc-16 of size 16
[ 38.133799] The buggy address is located 0 bytes inside of
[ 38.133799]  freed 16-byte region [ffff000093276b60, ffff000093276b70)
[ 38.145924]
[ 38.147447] The buggy address belongs to the physical page:
[ 38.153095] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113276
[ 38.161192] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 38.167801] page_type: f5(slab)
[ 38.171000] raw: 0bfffe0000000000 ffff000080002640 dead000000000122 0000000000000000
[ 38.178838] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 38.186671] page dumped because: kasan: bad access detected
[ 38.192318]
[ 38.193840] Memory state around the buggy address:
[ 38.198695]  ffff000093276a00: 00 03 fc fc 00 03 fc fc 00 03 fc fc 00 03 fc fc
[ 38.206008]  ffff000093276a80: 00 03 fc fc 00 03 fc fc 00 03 fc fc fa fb fc fc
[ 38.213321] >ffff000093276b00: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[ 38.220631]                                ^
[ 38.227063]  ffff000093276b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.234385]  ffff000093276c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.241703] ==================================================================
```
qemu-arm64:

```
[ 26.829812] ==================================================================
[ 26.829866] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 26.829917] Read of size 16 at addr fff00000c16b9c60 by task kunit_try_catch/180
[ 26.830221]
[ 26.830375] CPU: 0 UID: 0 PID: 180 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT
[ 26.830709] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.830745] Hardware name: linux,dummy-virt (DT)
[ 26.830906] Call trace:
[ 26.830983]  show_stack+0x20/0x38 (C)
[ 26.831039]  dump_stack_lvl+0x8c/0xd0
[ 26.831149]  print_report+0x118/0x608
[ 26.831236]  kasan_report+0xdc/0x128
[ 26.831285]  __asan_report_load16_noabort+0x20/0x30
[ 26.831333]  kmalloc_uaf_16+0x3bc/0x438
[ 26.831640]  kunit_try_run_case+0x170/0x3f0
[ 26.831938]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.832193]  kthread+0x328/0x630
[ 26.832376]  ret_from_fork+0x10/0x20
[ 26.832592]
[ 26.832761] Allocated by task 180:
[ 26.832799]  kasan_save_stack+0x3c/0x68
[ 26.832841]  kasan_save_track+0x20/0x40
[ 26.832877]  kasan_save_alloc_info+0x40/0x58
[ 26.832914]  __kasan_kmalloc+0xd4/0xd8
[ 26.833296]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 26.833404]  kmalloc_uaf_16+0x140/0x438
[ 26.833538]  kunit_try_run_case+0x170/0x3f0
[ 26.833617]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.833797]  kthread+0x328/0x630
[ 26.833843]  ret_from_fork+0x10/0x20
[ 26.833898]
[ 26.834073] Freed by task 180:
[ 26.834208]  kasan_save_stack+0x3c/0x68
[ 26.834355]  kasan_save_track+0x20/0x40
[ 26.834521]  kasan_save_free_info+0x4c/0x78
[ 26.834626]  __kasan_slab_free+0x6c/0x98
[ 26.834738]  kfree+0x214/0x3c8
[ 26.834791]  kmalloc_uaf_16+0x190/0x438
[ 26.834870]  kunit_try_run_case+0x170/0x3f0
[ 26.835179]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.835713]  kthread+0x328/0x630
[ 26.836112]  ret_from_fork+0x10/0x20
[ 26.836219]
[ 26.836294] The buggy address belongs to the object at fff00000c16b9c60
[ 26.836294]  which belongs to the cache kmalloc-16 of size 16
[ 26.836352] The buggy address is located 0 bytes inside of
[ 26.836352]  freed 16-byte region [fff00000c16b9c60, fff00000c16b9c70)
[ 26.836613]
[ 26.836740] The buggy address belongs to the physical page:
[ 26.836805] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xfff00000c16b9ba0 pfn:0x1016b9
[ 26.836922] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 26.837271] page_type: f5(slab)
[ 26.837365] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 26.837585] raw: fff00000c16b9ba0 000000008080007f 00000000f5000000 0000000000000000
[ 26.837662] page dumped because: kasan: bad access detected
[ 26.837706]
[ 26.837723] Memory state around the buggy address:
[ 26.837760]  fff00000c16b9b00: 00 01 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 26.837811]  fff00000c16b9b80: fa fb fc fc fa fb fc fc 00 04 fc fc fa fb fc fc
[ 26.837851] >fff00000c16b9c00: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[ 26.837887]                                ^
[ 26.837924]  fff00000c16b9c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.837970]  fff00000c16b9d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.838006] ==================================================================
```
qemu-x86_64:

```
[ 22.165647] ==================================================================
[ 22.166481] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[ 22.166805] Read of size 16 at addr ffff888101126ca0 by task kunit_try_catch/197
[ 22.167138]
[ 22.167318] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary)
[ 22.167372] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.167384] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.167406] Call Trace:
[ 22.167424]  <TASK>
[ 22.167445]  dump_stack_lvl+0x73/0xb0
[ 22.167476]  print_report+0xd1/0x650
[ 22.167498]  ? __virt_addr_valid+0x1db/0x2d0
[ 22.167522]  ? kmalloc_uaf_16+0x47b/0x4c0
[ 22.167541]  ? kasan_complete_mode_report_info+0x64/0x200
[ 22.167566]  ? kmalloc_uaf_16+0x47b/0x4c0
[ 22.167586]  kasan_report+0x141/0x180
[ 22.167607]  ? kmalloc_uaf_16+0x47b/0x4c0
[ 22.167631]  __asan_report_load16_noabort+0x18/0x20
[ 22.167654]  kmalloc_uaf_16+0x47b/0x4c0
[ 22.167674]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 22.167695]  ? __schedule+0x10cc/0x2b60
[ 22.167719]  ? __pfx_read_tsc+0x10/0x10
[ 22.167741]  ? ktime_get_ts64+0x86/0x230
[ 22.167767]  kunit_try_run_case+0x1a5/0x480
[ 22.167792]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.167813]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 22.167837]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.167861]  ? __kthread_parkme+0x82/0x180
[ 22.167882]  ? preempt_count_sub+0x50/0x80
[ 22.167905]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.167928]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.167951]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.167974]  kthread+0x337/0x6f0
[ 22.167993]  ? trace_preempt_on+0x20/0xc0
[ 22.168015]  ? __pfx_kthread+0x10/0x10
[ 22.168035]  ? _raw_spin_unlock_irq+0x47/0x80
[ 22.168058]  ? calculate_sigpending+0x7b/0xa0
[ 22.168081]  ? __pfx_kthread+0x10/0x10
[ 22.168101]  ret_from_fork+0x116/0x1d0
[ 22.168120]  ? __pfx_kthread+0x10/0x10
[ 22.168139]  ret_from_fork_asm+0x1a/0x30
[ 22.168170]  </TASK>
[ 22.168182]
[ 22.175994] Allocated by task 197:
[ 22.176184]  kasan_save_stack+0x45/0x70
[ 22.176409]  kasan_save_track+0x18/0x40
[ 22.176676]  kasan_save_alloc_info+0x3b/0x50
[ 22.177050]  __kasan_kmalloc+0xb7/0xc0
[ 22.177248]  __kmalloc_cache_noprof+0x189/0x420
[ 22.177464]  kmalloc_uaf_16+0x15b/0x4c0
[ 22.177637]  kunit_try_run_case+0x1a5/0x480
[ 22.177808]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.177974]  kthread+0x337/0x6f0
[ 22.178089]  ret_from_fork+0x116/0x1d0
[ 22.178570]  ret_from_fork_asm+0x1a/0x30
[ 22.178745]
[ 22.179068] Freed by task 197:
[ 22.179244]  kasan_save_stack+0x45/0x70
[ 22.179411]  kasan_save_track+0x18/0x40
[ 22.179570]  kasan_save_free_info+0x3f/0x60
[ 22.179772]  __kasan_slab_free+0x56/0x70
[ 22.179983]  kfree+0x222/0x3f0
[ 22.180202]  kmalloc_uaf_16+0x1d6/0x4c0
[ 22.180488]  kunit_try_run_case+0x1a5/0x480
[ 22.180656]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.180950]  kthread+0x337/0x6f0
[ 22.181116]  ret_from_fork+0x116/0x1d0
[ 22.181289]  ret_from_fork_asm+0x1a/0x30
[ 22.181466]
[ 22.181532] The buggy address belongs to the object at ffff888101126ca0
[ 22.181532]  which belongs to the cache kmalloc-16 of size 16
[ 22.182400] The buggy address is located 0 bytes inside of
[ 22.182400]  freed 16-byte region [ffff888101126ca0, ffff888101126cb0)
[ 22.182801]
[ 22.182872] The buggy address belongs to the physical page:
[ 22.183047] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101126
[ 22.183378] flags: 0x200000000000000(node=0|zone=2)
[ 22.183610] page_type: f5(slab)
[ 22.183776] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 22.184352] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 22.184581] page dumped because: kasan: bad access detected
[ 22.184748]
[ 22.184870] Memory state around the buggy address:
[ 22.185166]  ffff888101126b80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 22.185503]  ffff888101126c00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 22.185818] >ffff888101126c80: 00 00 fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[ 22.186202]                                ^
[ 22.186391]  ffff888101126d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.186683]  ffff888101126d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.186938] ==================================================================
```