Hay — expected (test-induced) KASAN report, not a real kernel bug. Every trace below is raised from the KASAN KUnit self-test `kmalloc_large_uaf` (called via `kunit_try_run_case` in task `kunit_try_catch`), which deliberately reads freed memory to check that KASAN detects a use-after-free; the `Tainted: ... [N]=TEST` flag in each report marks the kernel as running test code. Treat a `kmalloc_large_uaf` report as a triage finding only if it is missing (KASAN failed to detect the access) or if the same signature appears outside the KUnit context.
Date
July 2, 2025, 11:10 a.m.

Environment
qemu-arm64
qemu-x86_64

[   30.596849] ==================================================================
[   30.596918] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[   30.597322] Read of size 1 at addr fff00000c99d0000 by task kunit_try_catch/181
[   30.597400] 
[   30.597450] CPU: 0 UID: 0 PID: 181 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT 
[   30.597609] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.597639] Hardware name: linux,dummy-virt (DT)
[   30.597687] Call trace:
[   30.597727]  show_stack+0x20/0x38 (C)
[   30.598087]  dump_stack_lvl+0x8c/0xd0
[   30.598155]  print_report+0x118/0x608
[   30.598268]  kasan_report+0xdc/0x128
[   30.598321]  __asan_report_load1_noabort+0x20/0x30
[   30.598389]  kmalloc_large_uaf+0x2cc/0x2f8
[   30.598443]  kunit_try_run_case+0x170/0x3f0
[   30.598489]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.598809]  kthread+0x328/0x630
[   30.598880]  ret_from_fork+0x10/0x20
[   30.598945] 
[   30.599054] The buggy address belongs to the physical page:
[   30.599104] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1099d0
[   30.599170] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   30.599464] raw: 0bfffe0000000000 ffffc1ffc3267508 fff00000da462c80 0000000000000000
[   30.599678] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   30.599764] page dumped because: kasan: bad access detected
[   30.599813] 
[   30.599924] Memory state around the buggy address:
[   30.600002]  fff00000c99cff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.600083]  fff00000c99cff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.600252] >fff00000c99d0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.600488]                    ^
[   30.600606]  fff00000c99d0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.600707]  fff00000c99d0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.600799] ==================================================================

[   32.412984] ==================================================================
[   32.413238] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[   32.413290] Read of size 1 at addr fff00000c99e8000 by task kunit_try_catch/179
[   32.413338] 
[   32.413368] CPU: 1 UID: 0 PID: 179 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT 
[   32.413453] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.413479] Hardware name: linux,dummy-virt (DT)
[   32.413515] Call trace:
[   32.413537]  show_stack+0x20/0x38 (C)
[   32.413584]  dump_stack_lvl+0x8c/0xd0
[   32.413632]  print_report+0x118/0x608
[   32.413679]  kasan_report+0xdc/0x128
[   32.413724]  __asan_report_load1_noabort+0x20/0x30
[   32.413778]  kmalloc_large_uaf+0x2cc/0x2f8
[   32.413893]  kunit_try_run_case+0x170/0x3f0
[   32.414037]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.414455]  kthread+0x328/0x630
[   32.414517]  ret_from_fork+0x10/0x20
[   32.414564] 
[   32.414584] The buggy address belongs to the physical page:
[   32.414613] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1099e8
[   32.414661] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.415435] raw: 0bfffe0000000000 ffffc1ffc3267b08 fff00000da484c80 0000000000000000
[   32.415498] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   32.415537] page dumped because: kasan: bad access detected
[   32.415567] 
[   32.415586] Memory state around the buggy address:
[   32.415616]  fff00000c99e7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.415657]  fff00000c99e7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.415698] >fff00000c99e8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.415735]                    ^
[   32.415762]  fff00000c99e8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.415814]  fff00000c99e8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.415850] ==================================================================

[   22.631484] ==================================================================
[   22.632124] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f1/0x340
[   22.632426] Read of size 1 at addr ffff8881060c4000 by task kunit_try_catch/196
[   22.632888] 
[   22.632982] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) 
[   22.633031] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.633043] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   22.633065] Call Trace:
[   22.633077]  <TASK>
[   22.633094]  dump_stack_lvl+0x73/0xb0
[   22.633122]  print_report+0xd1/0x650
[   22.633144]  ? __virt_addr_valid+0x1db/0x2d0
[   22.633167]  ? kmalloc_large_uaf+0x2f1/0x340
[   22.633186]  ? kasan_addr_to_slab+0x11/0xa0
[   22.633206]  ? kmalloc_large_uaf+0x2f1/0x340
[   22.633226]  kasan_report+0x141/0x180
[   22.633248]  ? kmalloc_large_uaf+0x2f1/0x340
[   22.633272]  __asan_report_load1_noabort+0x18/0x20
[   22.633296]  kmalloc_large_uaf+0x2f1/0x340
[   22.633328]  ? __pfx_kmalloc_large_uaf+0x10/0x10
[   22.633349]  ? __schedule+0x10cc/0x2b60
[   22.633371]  ? __pfx_read_tsc+0x10/0x10
[   22.633393]  ? ktime_get_ts64+0x86/0x230
[   22.633418]  kunit_try_run_case+0x1a5/0x480
[   22.633444]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.633467]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   22.633488]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   22.633520]  ? __kthread_parkme+0x82/0x180
[   22.633540]  ? preempt_count_sub+0x50/0x80
[   22.633563]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.633587]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.633610]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   22.633634]  kthread+0x337/0x6f0
[   22.633654]  ? trace_preempt_on+0x20/0xc0
[   22.633677]  ? __pfx_kthread+0x10/0x10
[   22.633697]  ? _raw_spin_unlock_irq+0x47/0x80
[   22.633720]  ? calculate_sigpending+0x7b/0xa0
[   22.633748]  ? __pfx_kthread+0x10/0x10
[   22.633768]  ret_from_fork+0x116/0x1d0
[   22.633787]  ? __pfx_kthread+0x10/0x10
[   22.633807]  ret_from_fork_asm+0x1a/0x30
[   22.633879]  </TASK>
[   22.633893] 
[   22.640914] The buggy address belongs to the physical page:
[   22.641404] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1060c4
[   22.641685] flags: 0x200000000000000(node=0|zone=2)
[   22.641857] raw: 0200000000000000 ffffea0004183208 ffff88815b039fc0 0000000000000000
[   22.642159] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   22.642494] page dumped because: kasan: bad access detected
[   22.642841] 
[   22.642919] Memory state around the buggy address:
[   22.643068]  ffff8881060c3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.643278]  ffff8881060c3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.643773] >ffff8881060c4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.644090]                    ^
[   22.644235]  ffff8881060c4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.644455]  ffff8881060c4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.645004] ==================================================================

[   22.832092] ==================================================================
[   22.832811] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f1/0x340
[   22.833041] Read of size 1 at addr ffff8881057a0000 by task kunit_try_catch/197
[   22.833287] 
[   22.833375] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) 
[   22.833429] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.833443] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   22.833465] Call Trace:
[   22.833479]  <TASK>
[   22.833498]  dump_stack_lvl+0x73/0xb0
[   22.833596]  print_report+0xd1/0x650
[   22.833620]  ? __virt_addr_valid+0x1db/0x2d0
[   22.833644]  ? kmalloc_large_uaf+0x2f1/0x340
[   22.833664]  ? kasan_addr_to_slab+0x11/0xa0
[   22.833685]  ? kmalloc_large_uaf+0x2f1/0x340
[   22.833705]  kasan_report+0x141/0x180
[   22.833726]  ? kmalloc_large_uaf+0x2f1/0x340
[   22.833750]  __asan_report_load1_noabort+0x18/0x20
[   22.833774]  kmalloc_large_uaf+0x2f1/0x340
[   22.833794]  ? __pfx_kmalloc_large_uaf+0x10/0x10
[   22.833815]  ? __schedule+0x10cc/0x2b60
[   22.833845]  ? __pfx_read_tsc+0x10/0x10
[   22.833867]  ? ktime_get_ts64+0x86/0x230
[   22.833892]  kunit_try_run_case+0x1a5/0x480
[   22.833919]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.833957]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   22.833980]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   22.834001]  ? __kthread_parkme+0x82/0x180
[   22.834022]  ? preempt_count_sub+0x50/0x80
[   22.834045]  ? __pfx_kunit_try_run_case+0x10/0x10
[   22.834080]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   22.834104]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   22.834128]  kthread+0x337/0x6f0
[   22.834147]  ? trace_preempt_on+0x20/0xc0
[   22.834171]  ? __pfx_kthread+0x10/0x10
[   22.834200]  ? _raw_spin_unlock_irq+0x47/0x80
[   22.834224]  ? calculate_sigpending+0x7b/0xa0
[   22.834248]  ? __pfx_kthread+0x10/0x10
[   22.834269]  ret_from_fork+0x116/0x1d0
[   22.834288]  ? __pfx_kthread+0x10/0x10
[   22.834308]  ret_from_fork_asm+0x1a/0x30
[   22.834339]  </TASK>
[   22.834351] 
[   22.843963] The buggy address belongs to the physical page:
[   22.844518] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1057a0
[   22.845311] flags: 0x200000000000000(node=0|zone=2)
[   22.845763] raw: 0200000000000000 ffffea000415e908 ffff88815b039fc0 0000000000000000
[   22.846406] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   22.846635] page dumped because: kasan: bad access detected
[   22.846803] 
[   22.846870] Memory state around the buggy address:
[   22.847221]  ffff88810579ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.847917]  ffff88810579ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.848624] >ffff8881057a0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.849331]                    ^
[   22.849651]  ffff8881057a0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.850399]  ffff8881057a0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.850691] ==================================================================