Date: July 3, 2025, 10:10 a.m.

Environment: dragonboard-845c, qemu-arm64, qemu-x86_64

[   41.840510] ==================================================================
[   41.851811] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[   41.858520] Read of size 1 at addr ffff000097bcda28 by task kunit_try_catch/297
[   41.865930] 
[   41.867464] CPU: 2 UID: 0 PID: 297 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250703 #1 PREEMPT 
[   41.867493] Tainted: [B]=BAD_PAGE, [N]=TEST
[   41.867502] Hardware name: Thundercomm Dragonboard 845c (DT)
[   41.867513] Call trace:
[   41.867520]  show_stack+0x20/0x38 (C)
[   41.867537]  dump_stack_lvl+0x8c/0xd0
[   41.867558]  print_report+0x118/0x608
[   41.867576]  kasan_report+0xdc/0x128
[   41.867595]  __asan_report_load1_noabort+0x20/0x30
[   41.867613]  kmalloc_uaf2+0x3f4/0x468
[   41.867629]  kunit_try_run_case+0x170/0x3f0
[   41.867648]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   41.867670]  kthread+0x328/0x630
[   41.867685]  ret_from_fork+0x10/0x20
[   41.867702] 
[   41.932886] Allocated by task 297:
[   41.936346]  kasan_save_stack+0x3c/0x68
[   41.940256]  kasan_save_track+0x20/0x40
[   41.944166]  kasan_save_alloc_info+0x40/0x58
[   41.948506]  __kasan_kmalloc+0xd4/0xd8
[   41.952329]  __kmalloc_cache_noprof+0x16c/0x3c0
[   41.956940]  kmalloc_uaf2+0xc4/0x468
[   41.960578]  kunit_try_run_case+0x170/0x3f0
[   41.964832]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   41.970408]  kthread+0x328/0x630
[   41.973699]  ret_from_fork+0x10/0x20
[   41.977336] 
[   41.978868] Freed by task 297:
[   41.981980]  kasan_save_stack+0x3c/0x68
[   41.985890]  kasan_save_track+0x20/0x40
[   41.989800]  kasan_save_free_info+0x4c/0x78
[   41.994052]  __kasan_slab_free+0x6c/0x98
[   41.998049]  kfree+0x214/0x3c8
[   42.001168]  kmalloc_uaf2+0x134/0x468
[   42.004902]  kunit_try_run_case+0x170/0x3f0
[   42.009156]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   42.014731]  kthread+0x328/0x630
[   42.018022]  ret_from_fork+0x10/0x20
[   42.021660] 
[   42.023188] The buggy address belongs to the object at ffff000097bcda00
[   42.023188]  which belongs to the cache kmalloc-64 of size 64
[   42.035679] The buggy address is located 40 bytes inside of
[   42.035679]  freed 64-byte region [ffff000097bcda00, ffff000097bcda40)
[   42.047901] 
[   42.049431] The buggy address belongs to the physical page:
[   42.055080] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117bcd
[   42.063195] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   42.069810] page_type: f5(slab)
[   42.073015] raw: 0bfffe0000000000 ffff0000800028c0 dead000000000122 0000000000000000
[   42.080860] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   42.088702] page dumped because: kasan: bad access detected
[   42.094354] 
[   42.095889] Memory state around the buggy address:
[   42.100753]  ffff000097bcd900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   42.108068]  ffff000097bcd980: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   42.115385] >ffff000097bcda00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   42.122698]                                   ^
[   42.127301]  ffff000097bcda80: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   42.134618]  ffff000097bcdb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   42.141940] ==================================================================

[   31.235474] ==================================================================
[   31.235740] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[   31.235808] Read of size 1 at addr fff00000c9b4c328 by task kunit_try_catch/220
[   31.235974] 
[   31.236008] CPU: 0 UID: 0 PID: 220 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250703 #1 PREEMPT 
[   31.236432] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.236545] Hardware name: linux,dummy-virt (DT)
[   31.236683] Call trace:
[   31.236715]  show_stack+0x20/0x38 (C)
[   31.236770]  dump_stack_lvl+0x8c/0xd0
[   31.236827]  print_report+0x118/0x608
[   31.237190]  kasan_report+0xdc/0x128
[   31.237367]  __asan_report_load1_noabort+0x20/0x30
[   31.237640]  kmalloc_uaf2+0x3f4/0x468
[   31.237709]  kunit_try_run_case+0x170/0x3f0
[   31.237764]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.238078]  kthread+0x328/0x630
[   31.238220]  ret_from_fork+0x10/0x20
[   31.238291] 
[   31.238310] Allocated by task 220:
[   31.238340]  kasan_save_stack+0x3c/0x68
[   31.238385]  kasan_save_track+0x20/0x40
[   31.238440]  kasan_save_alloc_info+0x40/0x58
[   31.238495]  __kasan_kmalloc+0xd4/0xd8
[   31.238531]  __kmalloc_cache_noprof+0x16c/0x3c0
[   31.238574]  kmalloc_uaf2+0xc4/0x468
[   31.238617]  kunit_try_run_case+0x170/0x3f0
[   31.238658]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.238705]  kthread+0x328/0x630
[   31.238739]  ret_from_fork+0x10/0x20
[   31.238783] 
[   31.238802] Freed by task 220:
[   31.238829]  kasan_save_stack+0x3c/0x68
[   31.239269]  kasan_save_track+0x20/0x40
[   31.239501]  kasan_save_free_info+0x4c/0x78
[   31.239783]  __kasan_slab_free+0x6c/0x98
[   31.239979]  kfree+0x214/0x3c8
[   31.240149]  kmalloc_uaf2+0x134/0x468
[   31.240192]  kunit_try_run_case+0x170/0x3f0
[   31.240528]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.240673]  kthread+0x328/0x630
[   31.240938]  ret_from_fork+0x10/0x20
[   31.241087] 
[   31.241115] The buggy address belongs to the object at fff00000c9b4c300
[   31.241115]  which belongs to the cache kmalloc-64 of size 64
[   31.241176] The buggy address is located 40 bytes inside of
[   31.241176]  freed 64-byte region [fff00000c9b4c300, fff00000c9b4c340)
[   31.241663] 
[   31.241797] The buggy address belongs to the physical page:
[   31.242016] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b4c
[   31.242108] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.242233] page_type: f5(slab)
[   31.242466] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   31.242741] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   31.242952] page dumped because: kasan: bad access detected
[   31.243344] 
[   31.243388] Memory state around the buggy address:
[   31.243925]  fff00000c9b4c200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.243978]  fff00000c9b4c280: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.244387] >fff00000c9b4c300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.244545]                                   ^
[   31.244596]  fff00000c9b4c380: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   31.244901]  fff00000c9b4c400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.244947] ==================================================================

[   23.433799] ==================================================================
[   23.434265] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4a8/0x520
[   23.434549] Read of size 1 at addr ffff888105abcba8 by task kunit_try_catch/237
[   23.435369] 
[   23.435825] CPU: 0 UID: 0 PID: 237 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary) 
[   23.435880] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.435893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.435915] Call Trace:
[   23.435928]  <TASK>
[   23.435946]  dump_stack_lvl+0x73/0xb0
[   23.435976]  print_report+0xd1/0x650
[   23.435998]  ? __virt_addr_valid+0x1db/0x2d0
[   23.436022]  ? kmalloc_uaf2+0x4a8/0x520
[   23.436041]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.436066]  ? kmalloc_uaf2+0x4a8/0x520
[   23.436085]  kasan_report+0x141/0x180
[   23.436106]  ? kmalloc_uaf2+0x4a8/0x520
[   23.436130]  __asan_report_load1_noabort+0x18/0x20
[   23.436153]  kmalloc_uaf2+0x4a8/0x520
[   23.436173]  ? __pfx_kmalloc_uaf2+0x10/0x10
[   23.436342]  ? finish_task_switch.isra.0+0x153/0x700
[   23.436366]  ? __switch_to+0x47/0xf50
[   23.436421]  ? __schedule+0x10cc/0x2b60
[   23.436448]  ? __pfx_read_tsc+0x10/0x10
[   23.436511]  ? ktime_get_ts64+0x86/0x230
[   23.436536]  kunit_try_run_case+0x1a5/0x480
[   23.436562]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.436584]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.436606]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.436630]  ? __kthread_parkme+0x82/0x180
[   23.436651]  ? preempt_count_sub+0x50/0x80
[   23.436673]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.436697]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.436720]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.436743]  kthread+0x337/0x6f0
[   23.436763]  ? trace_preempt_on+0x20/0xc0
[   23.436786]  ? __pfx_kthread+0x10/0x10
[   23.436806]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.436829]  ? calculate_sigpending+0x7b/0xa0
[   23.436852]  ? __pfx_kthread+0x10/0x10
[   23.436873]  ret_from_fork+0x116/0x1d0
[   23.436893]  ? __pfx_kthread+0x10/0x10
[   23.436913]  ret_from_fork_asm+0x1a/0x30
[   23.436944]  </TASK>
[   23.436956] 
[   23.452012] Allocated by task 237:
[   23.452490]  kasan_save_stack+0x45/0x70
[   23.452692]  kasan_save_track+0x18/0x40
[   23.453067]  kasan_save_alloc_info+0x3b/0x50
[   23.453477]  __kasan_kmalloc+0xb7/0xc0
[   23.453703]  __kmalloc_cache_noprof+0x189/0x420
[   23.454099]  kmalloc_uaf2+0xc6/0x520
[   23.454239]  kunit_try_run_case+0x1a5/0x480
[   23.454719]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.455228]  kthread+0x337/0x6f0
[   23.455444]  ret_from_fork+0x116/0x1d0
[   23.455821]  ret_from_fork_asm+0x1a/0x30
[   23.455952] 
[   23.456017] Freed by task 237:
[   23.456122]  kasan_save_stack+0x45/0x70
[   23.456414]  kasan_save_track+0x18/0x40
[   23.456803]  kasan_save_free_info+0x3f/0x60
[   23.457195]  __kasan_slab_free+0x56/0x70
[   23.457625]  kfree+0x222/0x3f0
[   23.458011]  kmalloc_uaf2+0x14c/0x520
[   23.458349]  kunit_try_run_case+0x1a5/0x480
[   23.458854]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.459321]  kthread+0x337/0x6f0
[   23.459468]  ret_from_fork+0x116/0x1d0
[   23.459608]  ret_from_fork_asm+0x1a/0x30
[   23.459837] 
[   23.459903] The buggy address belongs to the object at ffff888105abcb80
[   23.459903]  which belongs to the cache kmalloc-64 of size 64
[   23.461050] The buggy address is located 40 bytes inside of
[   23.461050]  freed 64-byte region [ffff888105abcb80, ffff888105abcbc0)
[   23.461763] 
[   23.461978] The buggy address belongs to the physical page:
[   23.462587] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105abc
[   23.463207] flags: 0x200000000000000(node=0|zone=2)
[   23.463539] page_type: f5(slab)
[   23.463660] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   23.463876] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   23.464090] page dumped because: kasan: bad access detected
[   23.464627] 
[   23.464783] Memory state around the buggy address:
[   23.465250]  ffff888105abca80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.465947]  ffff888105abcb00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.466664] >ffff888105abcb80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   23.467314]                                   ^
[   23.467819]  ffff888105abcc00: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   23.468358]  ffff888105abcc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.468594] ==================================================================