Date: July 2, 2025, 11:10 a.m.

| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
```
[ 30.803364] ==================================================================
[ 30.803424] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 30.803474] Read of size 16 at addr fff00000c919c780 by task kunit_try_catch/201
[ 30.803912]
[ 30.803977] CPU: 0 UID: 0 PID: 201 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT
[ 30.804361] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.804494] Hardware name: linux,dummy-virt (DT)
[ 30.804554] Call trace:
[ 30.804603] show_stack+0x20/0x38 (C)
[ 30.804755] dump_stack_lvl+0x8c/0xd0
[ 30.804837] print_report+0x118/0x608
[ 30.804999] kasan_report+0xdc/0x128
[ 30.805075] __asan_report_load16_noabort+0x20/0x30
[ 30.805319] kmalloc_uaf_16+0x3bc/0x438
[ 30.805550] kunit_try_run_case+0x170/0x3f0
[ 30.805698] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.805774] kthread+0x328/0x630
[ 30.805826] ret_from_fork+0x10/0x20
[ 30.805900]
[ 30.805920] Allocated by task 201:
[ 30.806245] kasan_save_stack+0x3c/0x68
[ 30.806392] kasan_save_track+0x20/0x40
[ 30.806460] kasan_save_alloc_info+0x40/0x58
[ 30.806563] __kasan_kmalloc+0xd4/0xd8
[ 30.806626] __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.806693] kmalloc_uaf_16+0x140/0x438
[ 30.806800] kunit_try_run_case+0x170/0x3f0
[ 30.806857] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.806912] kthread+0x328/0x630
[ 30.806955] ret_from_fork+0x10/0x20
[ 30.807224]
[ 30.807384] Freed by task 201:
[ 30.807475] kasan_save_stack+0x3c/0x68
[ 30.807550] kasan_save_track+0x20/0x40
[ 30.807679] kasan_save_free_info+0x4c/0x78
[ 30.807747] __kasan_slab_free+0x6c/0x98
[ 30.807876] kfree+0x214/0x3c8
[ 30.807973] kmalloc_uaf_16+0x190/0x438
[ 30.808010] kunit_try_run_case+0x170/0x3f0
[ 30.808184] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.808437] kthread+0x328/0x630
[ 30.808533] ret_from_fork+0x10/0x20
[ 30.808650]
[ 30.808689] The buggy address belongs to the object at fff00000c919c780
[ 30.808689] which belongs to the cache kmalloc-16 of size 16
[ 30.808791] The buggy address is located 0 bytes inside of
[ 30.808791] freed 16-byte region [fff00000c919c780, fff00000c919c790)
[ 30.808864]
[ 30.808894] The buggy address belongs to the physical page:
[ 30.808934] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xfff00000c919c6c0 pfn:0x10919c
[ 30.808993] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.809060] page_type: f5(slab)
[ 30.809100] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 30.809159] raw: fff00000c919c6c0 000000008080007f 00000000f5000000 0000000000000000
[ 30.809199] page dumped because: kasan: bad access detected
[ 30.809238]
[ 30.809257] Memory state around the buggy address:
[ 30.809286] fff00000c919c680: fa fb fc fc fa fb fc fc fa fb fc fc 00 04 fc fc
[ 30.809328] fff00000c919c700: fa fb fc fc fa fb fc fc fa fb fc fc 00 00 fc fc
[ 30.809385] >fff00000c919c780: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.809422] ^
[ 30.809450] fff00000c919c800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.809497] fff00000c919c880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.809550] ==================================================================
```
```
[ 32.581466] ==================================================================
[ 32.581644] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 32.581835] Read of size 16 at addr fff00000c5788980 by task kunit_try_catch/199
[ 32.581995]
[ 32.582026] CPU: 1 UID: 0 PID: 199 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT
[ 32.582110] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.582136] Hardware name: linux,dummy-virt (DT)
[ 32.582179] Call trace:
[ 32.582201] show_stack+0x20/0x38 (C)
[ 32.582417] dump_stack_lvl+0x8c/0xd0
[ 32.582578] print_report+0x118/0x608
[ 32.582659] kasan_report+0xdc/0x128
[ 32.582705] __asan_report_load16_noabort+0x20/0x30
[ 32.582753] kmalloc_uaf_16+0x3bc/0x438
[ 32.582797] kunit_try_run_case+0x170/0x3f0
[ 32.582845] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.582898] kthread+0x328/0x630
[ 32.582940] ret_from_fork+0x10/0x20
[ 32.582987]
[ 32.583005] Allocated by task 199:
[ 32.583033] kasan_save_stack+0x3c/0x68
[ 32.583080] kasan_save_track+0x20/0x40
[ 32.583228] kasan_save_alloc_info+0x40/0x58
[ 32.583275] __kasan_kmalloc+0xd4/0xd8
[ 32.583312] __kmalloc_cache_noprof+0x16c/0x3c0
[ 32.583350] kmalloc_uaf_16+0x140/0x438
[ 32.583385] kunit_try_run_case+0x170/0x3f0
[ 32.583423] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.583512] kthread+0x328/0x630
[ 32.583544] ret_from_fork+0x10/0x20
[ 32.583578]
[ 32.583596] Freed by task 199:
[ 32.583622] kasan_save_stack+0x3c/0x68
[ 32.583658] kasan_save_track+0x20/0x40
[ 32.583913] kasan_save_free_info+0x4c/0x78
[ 32.584142] __kasan_slab_free+0x6c/0x98
[ 32.584283] kfree+0x214/0x3c8
[ 32.584345] kmalloc_uaf_16+0x190/0x438
[ 32.584380] kunit_try_run_case+0x170/0x3f0
[ 32.584417] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.584460] kthread+0x328/0x630
[ 32.584491] ret_from_fork+0x10/0x20
[ 32.584526]
[ 32.584545] The buggy address belongs to the object at fff00000c5788980
[ 32.584545] which belongs to the cache kmalloc-16 of size 16
[ 32.584703] The buggy address is located 0 bytes inside of
[ 32.584703] freed 16-byte region [fff00000c5788980, fff00000c5788990)
[ 32.584824]
[ 32.584844] The buggy address belongs to the physical page:
[ 32.584873] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105788
[ 32.584943] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.585012] page_type: f5(slab)
[ 32.585051] raw: 0bfffe0000000000 fff00000c0001640 dead000000000100 dead000000000122
[ 32.585100] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 32.585140] page dumped because: kasan: bad access detected
[ 32.585182]
[ 32.585200] Memory state around the buggy address:
[ 32.585239] fff00000c5788880: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 32.585283] fff00000c5788900: fa fb fc fc fa fb fc fc fa fb fc fc 00 00 fc fc
[ 32.585327] >fff00000c5788980: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.585440] ^
[ 32.585470] fff00000c5788a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.585539] fff00000c5788a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.585596] ==================================================================
```
```
[ 23.075276] ==================================================================
[ 23.075747] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[ 23.076044] Read of size 16 at addr ffff8881048b6380 by task kunit_try_catch/216
[ 23.076489]
[ 23.076601] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary)
[ 23.076660] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.076673] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.076704] Call Trace:
[ 23.076716] <TASK>
[ 23.076731] dump_stack_lvl+0x73/0xb0
[ 23.076760] print_report+0xd1/0x650
[ 23.076781] ? __virt_addr_valid+0x1db/0x2d0
[ 23.076803] ? kmalloc_uaf_16+0x47b/0x4c0
[ 23.076823] ? kasan_complete_mode_report_info+0x64/0x200
[ 23.076848] ? kmalloc_uaf_16+0x47b/0x4c0
[ 23.076869] kasan_report+0x141/0x180
[ 23.076890] ? kmalloc_uaf_16+0x47b/0x4c0
[ 23.076914] __asan_report_load16_noabort+0x18/0x20
[ 23.076938] kmalloc_uaf_16+0x47b/0x4c0
[ 23.076958] ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 23.076979] ? __schedule+0x10cc/0x2b60
[ 23.077000] ? __pfx_read_tsc+0x10/0x10
[ 23.077021] ? ktime_get_ts64+0x86/0x230
[ 23.077045] kunit_try_run_case+0x1a5/0x480
[ 23.077070] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.077093] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 23.077114] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.077135] ? __kthread_parkme+0x82/0x180
[ 23.077155] ? preempt_count_sub+0x50/0x80
[ 23.077178] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.077202] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.077226] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.077249] kthread+0x337/0x6f0
[ 23.077268] ? trace_preempt_on+0x20/0xc0
[ 23.077291] ? __pfx_kthread+0x10/0x10
[ 23.077323] ? _raw_spin_unlock_irq+0x47/0x80
[ 23.077346] ? calculate_sigpending+0x7b/0xa0
[ 23.077369] ? __pfx_kthread+0x10/0x10
[ 23.077390] ret_from_fork+0x116/0x1d0
[ 23.077409] ? __pfx_kthread+0x10/0x10
[ 23.077429] ret_from_fork_asm+0x1a/0x30
[ 23.077458] </TASK>
[ 23.077470]
[ 23.084267] Allocated by task 216:
[ 23.084402] kasan_save_stack+0x45/0x70
[ 23.084538] kasan_save_track+0x18/0x40
[ 23.084667] kasan_save_alloc_info+0x3b/0x50
[ 23.084869] __kasan_kmalloc+0xb7/0xc0
[ 23.085046] __kmalloc_cache_noprof+0x189/0x420
[ 23.085257] kmalloc_uaf_16+0x15b/0x4c0
[ 23.085596] kunit_try_run_case+0x1a5/0x480
[ 23.085917] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.086108] kthread+0x337/0x6f0
[ 23.086222] ret_from_fork+0x116/0x1d0
[ 23.086387] ret_from_fork_asm+0x1a/0x30
[ 23.086563]
[ 23.086629] Freed by task 216:
[ 23.086738] kasan_save_stack+0x45/0x70
[ 23.086983] kasan_save_track+0x18/0x40
[ 23.087147] kasan_save_free_info+0x3f/0x60
[ 23.087329] __kasan_slab_free+0x56/0x70
[ 23.087546] kfree+0x222/0x3f0
[ 23.087683] kmalloc_uaf_16+0x1d6/0x4c0
[ 23.087848] kunit_try_run_case+0x1a5/0x480
[ 23.088020] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.088240] kthread+0x337/0x6f0
[ 23.088414] ret_from_fork+0x116/0x1d0
[ 23.088638] ret_from_fork_asm+0x1a/0x30
[ 23.088822]
[ 23.088902] The buggy address belongs to the object at ffff8881048b6380
[ 23.088902] which belongs to the cache kmalloc-16 of size 16
[ 23.090388] The buggy address is located 0 bytes inside of
[ 23.090388] freed 16-byte region [ffff8881048b6380, ffff8881048b6390)
[ 23.090749]
[ 23.090820] The buggy address belongs to the physical page:
[ 23.091136] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1048b6
[ 23.091862] flags: 0x200000000000000(node=0|zone=2)
[ 23.092297] page_type: f5(slab)
[ 23.092641] raw: 0200000000000000 ffff888100041640 dead000000000100 dead000000000122
[ 23.093358] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 23.094095] page dumped because: kasan: bad access detected
[ 23.094589]
[ 23.094707] Memory state around the buggy address:
[ 23.095068] ffff8881048b6280: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 23.095283] ffff8881048b6300: fa fb fc fc fa fb fc fc fa fb fc fc 00 00 fc fc
[ 23.095525] >ffff8881048b6380: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.096187] ^
[ 23.096490] ffff8881048b6400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.097190] ffff8881048b6480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.097930] ==================================================================
```
```
[ 23.336550] ==================================================================
[ 23.337046] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[ 23.337468] Read of size 16 at addr ffff8881049ad560 by task kunit_try_catch/217
[ 23.338013]
[ 23.338168] CPU: 1 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary)
[ 23.338245] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.338258] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.338281] Call Trace:
[ 23.338295] <TASK>
[ 23.338315] dump_stack_lvl+0x73/0xb0
[ 23.338349] print_report+0xd1/0x650
[ 23.338373] ? __virt_addr_valid+0x1db/0x2d0
[ 23.338397] ? kmalloc_uaf_16+0x47b/0x4c0
[ 23.338417] ? kasan_complete_mode_report_info+0x64/0x200
[ 23.338442] ? kmalloc_uaf_16+0x47b/0x4c0
[ 23.338462] kasan_report+0x141/0x180
[ 23.338484] ? kmalloc_uaf_16+0x47b/0x4c0
[ 23.338508] __asan_report_load16_noabort+0x18/0x20
[ 23.338532] kmalloc_uaf_16+0x47b/0x4c0
[ 23.338552] ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 23.338574] ? __schedule+0x10cc/0x2b60
[ 23.338595] ? __pfx_read_tsc+0x10/0x10
[ 23.338618] ? ktime_get_ts64+0x86/0x230
[ 23.338644] kunit_try_run_case+0x1a5/0x480
[ 23.338670] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.338694] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 23.338716] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.338737] ? __kthread_parkme+0x82/0x180
[ 23.338758] ? preempt_count_sub+0x50/0x80
[ 23.338782] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.338806] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.338830] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.338854] kthread+0x337/0x6f0
[ 23.338873] ? trace_preempt_on+0x20/0xc0
[ 23.338897] ? __pfx_kthread+0x10/0x10
[ 23.338917] ? _raw_spin_unlock_irq+0x47/0x80
[ 23.338940] ? calculate_sigpending+0x7b/0xa0
[ 23.338964] ? __pfx_kthread+0x10/0x10
[ 23.339003] ret_from_fork+0x116/0x1d0
[ 23.339022] ? __pfx_kthread+0x10/0x10
[ 23.339043] ret_from_fork_asm+0x1a/0x30
[ 23.339083] </TASK>
[ 23.339097]
[ 23.347352] Allocated by task 217:
[ 23.347503] kasan_save_stack+0x45/0x70
[ 23.347654] kasan_save_track+0x18/0x40
[ 23.347783] kasan_save_alloc_info+0x3b/0x50
[ 23.347924] __kasan_kmalloc+0xb7/0xc0
[ 23.348048] __kmalloc_cache_noprof+0x189/0x420
[ 23.348451] kmalloc_uaf_16+0x15b/0x4c0
[ 23.348824] kunit_try_run_case+0x1a5/0x480
[ 23.349520] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.350110] kthread+0x337/0x6f0
[ 23.350399] ret_from_fork+0x116/0x1d0
[ 23.350893] ret_from_fork_asm+0x1a/0x30
[ 23.351565]
[ 23.351789] Freed by task 217:
[ 23.352139] kasan_save_stack+0x45/0x70
[ 23.352571] kasan_save_track+0x18/0x40
[ 23.352937] kasan_save_free_info+0x3f/0x60
[ 23.353569] __kasan_slab_free+0x56/0x70
[ 23.353981] kfree+0x222/0x3f0
[ 23.354318] kmalloc_uaf_16+0x1d6/0x4c0
[ 23.354753] kunit_try_run_case+0x1a5/0x480
[ 23.355294] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.355784] kthread+0x337/0x6f0
[ 23.356141] ret_from_fork+0x116/0x1d0
[ 23.356564] ret_from_fork_asm+0x1a/0x30
[ 23.356948]
[ 23.357114] The buggy address belongs to the object at ffff8881049ad560
[ 23.357114] which belongs to the cache kmalloc-16 of size 16
[ 23.358088] The buggy address is located 0 bytes inside of
[ 23.358088] freed 16-byte region [ffff8881049ad560, ffff8881049ad570)
[ 23.358975]
[ 23.359148] The buggy address belongs to the physical page:
[ 23.359764] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1049ad
[ 23.360320] flags: 0x200000000000000(node=0|zone=2)
[ 23.360778] page_type: f5(slab)
[ 23.361108] raw: 0200000000000000 ffff888100041640 dead000000000100 dead000000000122
[ 23.361560] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 23.361786] page dumped because: kasan: bad access detected
[ 23.361961]
[ 23.362025] Memory state around the buggy address:
[ 23.362430] ffff8881049ad400: 00 06 fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[ 23.363178] ffff8881049ad480: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 23.363892] >ffff8881049ad500: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[ 23.364660] ^
[ 23.365326] ffff8881049ad580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.366068] ffff8881049ad600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.366718] ==================================================================
```