Hay
Date: July 3, 2025, 10:10 a.m.

Environment: dragonboard-845c, qemu-arm64, qemu-x86_64

[   41.210189] ==================================================================
[   41.222363] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   41.228983] Read of size 1 at addr ffff000097bbea08 by task kunit_try_catch/293
[   41.236397] 
[   41.237931] CPU: 2 UID: 0 PID: 293 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250703 #1 PREEMPT 
[   41.237962] Tainted: [B]=BAD_PAGE, [N]=TEST
[   41.237971] Hardware name: Thundercomm Dragonboard 845c (DT)
[   41.237985] Call trace:
[   41.237991]  show_stack+0x20/0x38 (C)
[   41.238009]  dump_stack_lvl+0x8c/0xd0
[   41.238031]  print_report+0x118/0x608
[   41.238050]  kasan_report+0xdc/0x128
[   41.238069]  __asan_report_load1_noabort+0x20/0x30
[   41.238087]  kmalloc_uaf+0x300/0x338
[   41.238105]  kunit_try_run_case+0x170/0x3f0
[   41.238124]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   41.238146]  kthread+0x328/0x630
[   41.238161]  ret_from_fork+0x10/0x20
[   41.238179] 
[   41.303268] Allocated by task 293:
[   41.306731]  kasan_save_stack+0x3c/0x68
[   41.310643]  kasan_save_track+0x20/0x40
[   41.314544]  kasan_save_alloc_info+0x40/0x58
[   41.318882]  __kasan_kmalloc+0xd4/0xd8
[   41.322696]  __kmalloc_cache_noprof+0x16c/0x3c0
[   41.327309]  kmalloc_uaf+0xb8/0x338
[   41.330863]  kunit_try_run_case+0x170/0x3f0
[   41.335116]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   41.340689]  kthread+0x328/0x630
[   41.343983]  ret_from_fork+0x10/0x20
[   41.347625] 
[   41.349153] Freed by task 293:
[   41.352268]  kasan_save_stack+0x3c/0x68
[   41.356179]  kasan_save_track+0x20/0x40
[   41.360089]  kasan_save_free_info+0x4c/0x78
[   41.364343]  __kasan_slab_free+0x6c/0x98
[   41.368341]  kfree+0x214/0x3c8
[   41.371453]  kmalloc_uaf+0x11c/0x338
[   41.375091]  kunit_try_run_case+0x170/0x3f0
[   41.379346]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   41.384918]  kthread+0x328/0x630
[   41.388209]  ret_from_fork+0x10/0x20
[   41.391849] 
[   41.393379] The buggy address belongs to the object at ffff000097bbea00
[   41.393379]  which belongs to the cache kmalloc-16 of size 16
[   41.405865] The buggy address is located 8 bytes inside of
[   41.405865]  freed 16-byte region [ffff000097bbea00, ffff000097bbea10)
[   41.418007] 
[   41.419537] The buggy address belongs to the physical page:
[   41.425186] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117bbe
[   41.433292] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   41.439909] page_type: f5(slab)
[   41.443119] raw: 0bfffe0000000000 ffff000080002640 dead000000000122 0000000000000000
[   41.450969] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   41.458814] page dumped because: kasan: bad access detected
[   41.464462] 
[   41.465993] Memory state around the buggy address:
[   41.470857]  ffff000097bbe900: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   41.478173]  ffff000097bbe980: fa fb fc fc fa fb fc fc fa fb fc fc 00 05 fc fc
[   41.485491] >ffff000097bbea00: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.492806]                       ^
[   41.496355]  ffff000097bbea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.503673]  ffff000097bbeb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.510989] ==================================================================

[   31.198652] ==================================================================
[   31.198724] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   31.198870] Read of size 1 at addr fff00000c5a30ca8 by task kunit_try_catch/216
[   31.198927] 
[   31.198984] CPU: 0 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250703 #1 PREEMPT 
[   31.199080] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.199107] Hardware name: linux,dummy-virt (DT)
[   31.199307] Call trace:
[   31.199495]  show_stack+0x20/0x38 (C)
[   31.199565]  dump_stack_lvl+0x8c/0xd0
[   31.199792]  print_report+0x118/0x608
[   31.200115]  kasan_report+0xdc/0x128
[   31.200186]  __asan_report_load1_noabort+0x20/0x30
[   31.200239]  kmalloc_uaf+0x300/0x338
[   31.200284]  kunit_try_run_case+0x170/0x3f0
[   31.200503]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.200975]  kthread+0x328/0x630
[   31.201157]  ret_from_fork+0x10/0x20
[   31.201387] 
[   31.201456] Allocated by task 216:
[   31.201494]  kasan_save_stack+0x3c/0x68
[   31.201744]  kasan_save_track+0x20/0x40
[   31.201981]  kasan_save_alloc_info+0x40/0x58
[   31.202045]  __kasan_kmalloc+0xd4/0xd8
[   31.202090]  __kmalloc_cache_noprof+0x16c/0x3c0
[   31.202148]  kmalloc_uaf+0xb8/0x338
[   31.202228]  kunit_try_run_case+0x170/0x3f0
[   31.202365]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.202421]  kthread+0x328/0x630
[   31.202463]  ret_from_fork+0x10/0x20
[   31.202499] 
[   31.202613] Freed by task 216:
[   31.202693]  kasan_save_stack+0x3c/0x68
[   31.202906]  kasan_save_track+0x20/0x40
[   31.202970]  kasan_save_free_info+0x4c/0x78
[   31.203015]  __kasan_slab_free+0x6c/0x98
[   31.203065]  kfree+0x214/0x3c8
[   31.203099]  kmalloc_uaf+0x11c/0x338
[   31.203163]  kunit_try_run_case+0x170/0x3f0
[   31.203205]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.203271]  kthread+0x328/0x630
[   31.203317]  ret_from_fork+0x10/0x20
[   31.203354] 
[   31.203388] The buggy address belongs to the object at fff00000c5a30ca0
[   31.203388]  which belongs to the cache kmalloc-16 of size 16
[   31.203492] The buggy address is located 8 bytes inside of
[   31.203492]  freed 16-byte region [fff00000c5a30ca0, fff00000c5a30cb0)
[   31.203567] 
[   31.203586] The buggy address belongs to the physical page:
[   31.203629] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xfff00000c5a30be0 pfn:0x105a30
[   31.203701] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.203768] page_type: f5(slab)
[   31.203818] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   31.203887] raw: fff00000c5a30be0 000000008080007f 00000000f5000000 0000000000000000
[   31.203953] page dumped because: kasan: bad access detected
[   31.203986] 
[   31.204014] Memory state around the buggy address:
[   31.204046]  fff00000c5a30b80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   31.204101]  fff00000c5a30c00: 00 04 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   31.204144] >fff00000c5a30c80: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   31.204202]                                   ^
[   31.204255]  fff00000c5a30d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.204858]  fff00000c5a30d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.204946] ==================================================================

[   23.377517] ==================================================================
[   23.377964] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[   23.378503] Read of size 1 at addr ffff8881054e0a08 by task kunit_try_catch/233
[   23.378801] 
[   23.378908] CPU: 1 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary) 
[   23.378955] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.378968] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.378989] Call Trace:
[   23.379002]  <TASK>
[   23.379020]  dump_stack_lvl+0x73/0xb0
[   23.379048]  print_report+0xd1/0x650
[   23.379069]  ? __virt_addr_valid+0x1db/0x2d0
[   23.379092]  ? kmalloc_uaf+0x320/0x380
[   23.379110]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.379135]  ? kmalloc_uaf+0x320/0x380
[   23.379154]  kasan_report+0x141/0x180
[   23.379175]  ? kmalloc_uaf+0x320/0x380
[   23.379199]  __asan_report_load1_noabort+0x18/0x20
[   23.379222]  kmalloc_uaf+0x320/0x380
[   23.379241]  ? __pfx_kmalloc_uaf+0x10/0x10
[   23.379323]  ? __schedule+0x10cc/0x2b60
[   23.379353]  ? __pfx_read_tsc+0x10/0x10
[   23.379374]  ? ktime_get_ts64+0x86/0x230
[   23.379398]  kunit_try_run_case+0x1a5/0x480
[   23.379424]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.379447]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.379480]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.379504]  ? __kthread_parkme+0x82/0x180
[   23.379525]  ? preempt_count_sub+0x50/0x80
[   23.379547]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.379571]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.379594]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.379618]  kthread+0x337/0x6f0
[   23.379637]  ? trace_preempt_on+0x20/0xc0
[   23.379659]  ? __pfx_kthread+0x10/0x10
[   23.379680]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.379703]  ? calculate_sigpending+0x7b/0xa0
[   23.379727]  ? __pfx_kthread+0x10/0x10
[   23.379748]  ret_from_fork+0x116/0x1d0
[   23.379767]  ? __pfx_kthread+0x10/0x10
[   23.379787]  ret_from_fork_asm+0x1a/0x30
[   23.379818]  </TASK>
[   23.379830] 
[   23.389033] Allocated by task 233:
[   23.389329]  kasan_save_stack+0x45/0x70
[   23.389799]  kasan_save_track+0x18/0x40
[   23.390134]  kasan_save_alloc_info+0x3b/0x50
[   23.390463]  __kasan_kmalloc+0xb7/0xc0
[   23.390620]  __kmalloc_cache_noprof+0x189/0x420
[   23.390937]  kmalloc_uaf+0xaa/0x380
[   23.391311]  kunit_try_run_case+0x1a5/0x480
[   23.391487]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.391895]  kthread+0x337/0x6f0
[   23.392164]  ret_from_fork+0x116/0x1d0
[   23.392300]  ret_from_fork_asm+0x1a/0x30
[   23.392705] 
[   23.392795] Freed by task 233:
[   23.392939]  kasan_save_stack+0x45/0x70
[   23.393336]  kasan_save_track+0x18/0x40
[   23.393533]  kasan_save_free_info+0x3f/0x60
[   23.394069]  __kasan_slab_free+0x56/0x70
[   23.394203]  kfree+0x222/0x3f0
[   23.394644]  kmalloc_uaf+0x12c/0x380
[   23.394789]  kunit_try_run_case+0x1a5/0x480
[   23.395081]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.395539]  kthread+0x337/0x6f0
[   23.395732]  ret_from_fork+0x116/0x1d0
[   23.396000]  ret_from_fork_asm+0x1a/0x30
[   23.396151] 
[   23.396320] The buggy address belongs to the object at ffff8881054e0a00
[   23.396320]  which belongs to the cache kmalloc-16 of size 16
[   23.397032] The buggy address is located 8 bytes inside of
[   23.397032]  freed 16-byte region [ffff8881054e0a00, ffff8881054e0a10)
[   23.397778] 
[   23.397956] The buggy address belongs to the physical page:
[   23.398501] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1054e0
[   23.398836] flags: 0x200000000000000(node=0|zone=2)
[   23.399142] page_type: f5(slab)
[   23.399420] raw: 0200000000000000 ffff888100041640 dead000000000100 dead000000000122
[   23.399892] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   23.400368] page dumped because: kasan: bad access detected
[   23.400703] 
[   23.400797] Memory state around the buggy address:
[   23.400988]  ffff8881054e0900: 00 00 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   23.401636]  ffff8881054e0980: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   23.401885] >ffff8881054e0a00: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.402437]                       ^
[   23.402707]  ffff8881054e0a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.402956]  ffff8881054e0b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.403579] ==================================================================