Date
July 3, 2025, 10:10 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
[ 38.755294] ==================================================================
[ 38.766237] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 38.773123] Read of size 16 at addr ffff0000981901e0 by task kunit_try_catch/277
[ 38.780625]
[ 38.782160] CPU: 3 UID: 0 PID: 277 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 38.782189] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 38.782198] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 38.782210] Call trace:
[ 38.782218] show_stack+0x20/0x38 (C)
[ 38.782237] dump_stack_lvl+0x8c/0xd0
[ 38.782259] print_report+0x118/0x608
[ 38.782280] kasan_report+0xdc/0x128
[ 38.782298] __asan_report_load16_noabort+0x20/0x30
[ 38.782318] kmalloc_uaf_16+0x3bc/0x438
[ 38.782335] kunit_try_run_case+0x170/0x3f0
[ 38.782353] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 38.782375] kthread+0x328/0x630
[ 38.782391] ret_from_fork+0x10/0x20
[ 38.782409]
[ 38.847849] Allocated by task 277:
[ 38.851315] kasan_save_stack+0x3c/0x68
[ 38.855223] kasan_save_track+0x20/0x40
[ 38.859127] kasan_save_alloc_info+0x40/0x58
[ 38.863474] __kasan_kmalloc+0xd4/0xd8
[ 38.867290] __kmalloc_cache_noprof+0x16c/0x3c0
[ 38.871897] kmalloc_uaf_16+0x140/0x438
[ 38.875802] kunit_try_run_case+0x170/0x3f0
[ 38.880063] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 38.885634] kthread+0x328/0x630
[ 38.888919] ret_from_fork+0x10/0x20
[ 38.892564]
[ 38.894094] Freed by task 277:
[ 38.897203] kasan_save_stack+0x3c/0x68
[ 38.901109] kasan_save_track+0x20/0x40
[ 38.905016] kasan_save_free_info+0x4c/0x78
[ 38.909275] __kasan_slab_free+0x6c/0x98
[ 38.913266] kfree+0x214/0x3c8
[ 38.916381] kmalloc_uaf_16+0x190/0x438
[ 38.920285] kunit_try_run_case+0x170/0x3f0
[ 38.924546] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 38.930116] kthread+0x328/0x630
[ 38.933403] ret_from_fork+0x10/0x20
[ 38.937048]
[ 38.938579] The buggy address belongs to the object at ffff0000981901e0
[ 38.938579] which belongs to the cache kmalloc-16 of size 16
[ 38.951066] The buggy address is located 0 bytes inside of
[ 38.951066] freed 16-byte region [ffff0000981901e0, ffff0000981901f0)
[ 38.963202]
[ 38.964733] The buggy address belongs to the physical page:
[ 38.970381] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x118190
[ 38.978485] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 38.985109] page_type: f5(slab)
[ 38.988310] raw: 0bfffe0000000000 ffff000080002640 dead000000000122 0000000000000000
[ 38.996157] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 39.004000] page dumped because: kasan: bad access detected
[ 39.009647]
[ 39.011177] Memory state around the buggy address:
[ 39.016035] ffff000098190080: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 39.023350] ffff000098190100: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 39.030666] >ffff000098190180: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[ 39.037980] ^
[ 39.044420] ffff000098190200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.051736] ffff000098190280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.059050] ==================================================================

[ 31.037971] ==================================================================
[ 31.038325] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 31.039003] Read of size 16 at addr fff00000c5a30c80 by task kunit_try_catch/200
[ 31.039307]
[ 31.039415] CPU: 0 UID: 0 PID: 200 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 31.039588] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.039633] Hardware name: linux,dummy-virt (DT)
[ 31.039723] Call trace:
[ 31.039773] show_stack+0x20/0x38 (C)
[ 31.039896] dump_stack_lvl+0x8c/0xd0
[ 31.039946] print_report+0x118/0x608
[ 31.039993] kasan_report+0xdc/0x128
[ 31.040039] __asan_report_load16_noabort+0x20/0x30
[ 31.040358] kmalloc_uaf_16+0x3bc/0x438
[ 31.040561] kunit_try_run_case+0x170/0x3f0
[ 31.040674] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.040848] kthread+0x328/0x630
[ 31.040895] ret_from_fork+0x10/0x20
[ 31.040956]
[ 31.040974] Allocated by task 200:
[ 31.041002] kasan_save_stack+0x3c/0x68
[ 31.041045] kasan_save_track+0x20/0x40
[ 31.041083] kasan_save_alloc_info+0x40/0x58
[ 31.041492] __kasan_kmalloc+0xd4/0xd8
[ 31.041666] __kmalloc_cache_noprof+0x16c/0x3c0
[ 31.041805] kmalloc_uaf_16+0x140/0x438
[ 31.041981] kunit_try_run_case+0x170/0x3f0
[ 31.042155] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.042357] kthread+0x328/0x630
[ 31.042489] ret_from_fork+0x10/0x20
[ 31.042584]
[ 31.042762] Freed by task 200:
[ 31.042879] kasan_save_stack+0x3c/0x68
[ 31.043051] kasan_save_track+0x20/0x40
[ 31.043088] kasan_save_free_info+0x4c/0x78
[ 31.043158] __kasan_slab_free+0x6c/0x98
[ 31.043531] kfree+0x214/0x3c8
[ 31.043739] kmalloc_uaf_16+0x190/0x438
[ 31.043844] kunit_try_run_case+0x170/0x3f0
[ 31.043914] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.044098] kthread+0x328/0x630
[ 31.044332] ret_from_fork+0x10/0x20
[ 31.044554]
[ 31.044716] The buggy address belongs to the object at fff00000c5a30c80
[ 31.044716] which belongs to the cache kmalloc-16 of size 16
[ 31.044885] The buggy address is located 0 bytes inside of
[ 31.044885] freed 16-byte region [fff00000c5a30c80, fff00000c5a30c90)
[ 31.045059]
[ 31.045108] The buggy address belongs to the physical page:
[ 31.045141] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xfff00000c5a30be0 pfn:0x105a30
[ 31.045204] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.045253] page_type: f5(slab)
[ 31.045680] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 31.045861] raw: fff00000c5a30be0 000000008080007f 00000000f5000000 0000000000000000
[ 31.046196] page dumped because: kasan: bad access detected
[ 31.046248]
[ 31.046268] Memory state around the buggy address:
[ 31.046614] fff00000c5a30b80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 31.046738] fff00000c5a30c00: 00 04 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 31.046889] >fff00000c5a30c80: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.046935] ^
[ 31.047298] fff00000c5a30d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.047391] fff00000c5a30d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.047583] ==================================================================

[ 23.175372] ==================================================================
[ 23.176047] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[ 23.176826] Read of size 16 at addr ffff888104b06e40 by task kunit_try_catch/217
[ 23.177448]
[ 23.177580] CPU: 0 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary)
[ 23.177630] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.177642] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.177663] Call Trace:
[ 23.177676] <TASK>
[ 23.177692] dump_stack_lvl+0x73/0xb0
[ 23.177721] print_report+0xd1/0x650
[ 23.177742] ? __virt_addr_valid+0x1db/0x2d0
[ 23.177765] ? kmalloc_uaf_16+0x47b/0x4c0
[ 23.177785] ? kasan_complete_mode_report_info+0x64/0x200
[ 23.177810] ? kmalloc_uaf_16+0x47b/0x4c0
[ 23.177830] kasan_report+0x141/0x180
[ 23.177855] ? kmalloc_uaf_16+0x47b/0x4c0
[ 23.177880] __asan_report_load16_noabort+0x18/0x20
[ 23.177904] kmalloc_uaf_16+0x47b/0x4c0
[ 23.177924] ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 23.177945] ? __schedule+0x10cc/0x2b60
[ 23.177970] ? __pfx_read_tsc+0x10/0x10
[ 23.177998] ? ktime_get_ts64+0x86/0x230
[ 23.178021] kunit_try_run_case+0x1a5/0x480
[ 23.178046] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.178069] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 23.178090] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 23.178114] ? __kthread_parkme+0x82/0x180
[ 23.178134] ? preempt_count_sub+0x50/0x80
[ 23.178158] ? __pfx_kunit_try_run_case+0x10/0x10
[ 23.178183] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.178206] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 23.178231] kthread+0x337/0x6f0
[ 23.178251] ? trace_preempt_on+0x20/0xc0
[ 23.178274] ? __pfx_kthread+0x10/0x10
[ 23.178294] ? _raw_spin_unlock_irq+0x47/0x80
[ 23.178317] ? calculate_sigpending+0x7b/0xa0
[ 23.178392] ? __pfx_kthread+0x10/0x10
[ 23.178416] ret_from_fork+0x116/0x1d0
[ 23.178435] ? __pfx_kthread+0x10/0x10
[ 23.178479] ret_from_fork_asm+0x1a/0x30
[ 23.178510] </TASK>
[ 23.178521]
[ 23.188430] Allocated by task 217:
[ 23.189085] kasan_save_stack+0x45/0x70
[ 23.189317] kasan_save_track+0x18/0x40
[ 23.189647] kasan_save_alloc_info+0x3b/0x50
[ 23.189861] __kasan_kmalloc+0xb7/0xc0
[ 23.190192] __kmalloc_cache_noprof+0x189/0x420
[ 23.190504] kmalloc_uaf_16+0x15b/0x4c0
[ 23.190738] kunit_try_run_case+0x1a5/0x480
[ 23.190992] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.191335] kthread+0x337/0x6f0
[ 23.191497] ret_from_fork+0x116/0x1d0
[ 23.191843] ret_from_fork_asm+0x1a/0x30
[ 23.192041]
[ 23.192330] Freed by task 217:
[ 23.192490] kasan_save_stack+0x45/0x70
[ 23.192681] kasan_save_track+0x18/0x40
[ 23.192837] kasan_save_free_info+0x3f/0x60
[ 23.193015] __kasan_slab_free+0x56/0x70
[ 23.193178] kfree+0x222/0x3f0
[ 23.193825] kmalloc_uaf_16+0x1d6/0x4c0
[ 23.194016] kunit_try_run_case+0x1a5/0x480
[ 23.194215] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 23.194553] kthread+0x337/0x6f0
[ 23.194728] ret_from_fork+0x116/0x1d0
[ 23.194905] ret_from_fork_asm+0x1a/0x30
[ 23.195091]
[ 23.195163] The buggy address belongs to the object at ffff888104b06e40
[ 23.195163] which belongs to the cache kmalloc-16 of size 16
[ 23.196113] The buggy address is located 0 bytes inside of
[ 23.196113] freed 16-byte region [ffff888104b06e40, ffff888104b06e50)
[ 23.196874]
[ 23.196955] The buggy address belongs to the physical page:
[ 23.197708] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104b06
[ 23.198021] flags: 0x200000000000000(node=0|zone=2)
[ 23.198387] page_type: f5(slab)
[ 23.198575] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 23.198881] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 23.199518] page dumped because: kasan: bad access detected
[ 23.199740]
[ 23.199818] Memory state around the buggy address:
[ 23.200167] ffff888104b06d00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 23.200642] ffff888104b06d80: fa fb fc fc fa fb fc fc 00 04 fc fc fa fb fc fc
[ 23.201035] >ffff888104b06e00: fa fb fc fc 00 00 fc fc fa fb fc fc fc fc fc fc
[ 23.201545] ^
[ 23.201773] ffff888104b06e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.202138] ffff888104b06f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.202801] ==================================================================