Date
July 3, 2025, 10:10 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
dragonboard-845c:

[ 33.258012] ==================================================================
[ 33.269662] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[ 33.276371] Read of size 1 at addr ffff000086190000 by task kunit_try_catch/257
[ 33.283784]
[ 33.285315] CPU: 3 UID: 0 PID: 257 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 33.285343] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.285351] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 33.285362] Call trace:
[ 33.285369]  show_stack+0x20/0x38 (C)
[ 33.285387]  dump_stack_lvl+0x8c/0xd0
[ 33.285407]  print_report+0x118/0x608
[ 33.285427]  kasan_report+0xdc/0x128
[ 33.285445]  __asan_report_load1_noabort+0x20/0x30
[ 33.285463]  kmalloc_large_uaf+0x2cc/0x2f8
[ 33.285480]  kunit_try_run_case+0x170/0x3f0
[ 33.285499]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.285521]  kthread+0x328/0x630
[ 33.285536]  ret_from_fork+0x10/0x20
[ 33.285554]
[ 33.351176] The buggy address belongs to the physical page:
[ 33.356829] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106190
[ 33.364942] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.371563] raw: 0bfffe0000000000 fffffdffc2186508 ffff0000dae04c00 0000000000000000
[ 33.379407] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 33.387247] page dumped because: kasan: bad access detected
[ 33.392901]
[ 33.394432] Memory state around the buggy address:
[ 33.399295]  ffff00008618ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.406616]  ffff00008618ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.413939] >ffff000086190000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.421259]                    ^
[ 33.424547]  ffff000086190080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.431862]  ffff000086190100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.439176] ==================================================================
qemu-arm64:

[ 30.771586] ==================================================================
[ 30.771649] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[ 30.772213] Read of size 1 at addr fff00000c9bc0000 by task kunit_try_catch/180
[ 30.772285]
[ 30.772479] CPU: 0 UID: 0 PID: 180 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 30.772613] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.772639] Hardware name: linux,dummy-virt (DT)
[ 30.772995] Call trace:
[ 30.773086]  show_stack+0x20/0x38 (C)
[ 30.773221]  dump_stack_lvl+0x8c/0xd0
[ 30.773315]  print_report+0x118/0x608
[ 30.773367]  kasan_report+0xdc/0x128
[ 30.773425]  __asan_report_load1_noabort+0x20/0x30
[ 30.773632]  kmalloc_large_uaf+0x2cc/0x2f8
[ 30.773853]  kunit_try_run_case+0x170/0x3f0
[ 30.773916]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.774370]  kthread+0x328/0x630
[ 30.774554]  ret_from_fork+0x10/0x20
[ 30.774645]
[ 30.774666] The buggy address belongs to the physical page:
[ 30.775036] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109bc0
[ 30.775105] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.775171] raw: 0bfffe0000000000 ffffc1ffc326f108 fff00000da462c40 0000000000000000
[ 30.775525] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 30.775740] page dumped because: kasan: bad access detected
[ 30.775888]
[ 30.776231] Memory state around the buggy address:
[ 30.776409]  fff00000c9bbff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.776476]  fff00000c9bbff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.776525] >fff00000c9bc0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.776892]                    ^
[ 30.777028]  fff00000c9bc0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.777073]  fff00000c9bc0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.777143] ==================================================================
qemu-x86_64:

[ 22.670827] ==================================================================
[ 22.671416] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f1/0x340
[ 22.671775] Read of size 1 at addr ffff888105740000 by task kunit_try_catch/197
[ 22.672071]
[ 22.672427] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary)
[ 22.672501] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.672514] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.672535] Call Trace:
[ 22.672559]  <TASK>
[ 22.672575]  dump_stack_lvl+0x73/0xb0
[ 22.672605]  print_report+0xd1/0x650
[ 22.672627]  ? __virt_addr_valid+0x1db/0x2d0
[ 22.672651]  ? kmalloc_large_uaf+0x2f1/0x340
[ 22.672670]  ? kasan_addr_to_slab+0x11/0xa0
[ 22.672696]  ? kmalloc_large_uaf+0x2f1/0x340
[ 22.672717]  kasan_report+0x141/0x180
[ 22.672739]  ? kmalloc_large_uaf+0x2f1/0x340
[ 22.672764]  __asan_report_load1_noabort+0x18/0x20
[ 22.672799]  kmalloc_large_uaf+0x2f1/0x340
[ 22.672819]  ? __pfx_kmalloc_large_uaf+0x10/0x10
[ 22.672840]  ? __schedule+0x10cc/0x2b60
[ 22.672876]  ? __pfx_read_tsc+0x10/0x10
[ 22.672898]  ? ktime_get_ts64+0x86/0x230
[ 22.672923]  kunit_try_run_case+0x1a5/0x480
[ 22.672949]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.672980]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 22.673001]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.673026]  ? __kthread_parkme+0x82/0x180
[ 22.673057]  ? preempt_count_sub+0x50/0x80
[ 22.673081]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.673105]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.673128]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.673152]  kthread+0x337/0x6f0
[ 22.673172]  ? trace_preempt_on+0x20/0xc0
[ 22.673206]  ? __pfx_kthread+0x10/0x10
[ 22.673226]  ? _raw_spin_unlock_irq+0x47/0x80
[ 22.673263]  ? calculate_sigpending+0x7b/0xa0
[ 22.673287]  ? __pfx_kthread+0x10/0x10
[ 22.673308]  ret_from_fork+0x116/0x1d0
[ 22.673327]  ? __pfx_kthread+0x10/0x10
[ 22.673348]  ret_from_fork_asm+0x1a/0x30
[ 22.673379]  </TASK>
[ 22.673390]
[ 22.681846] The buggy address belongs to the physical page:
[ 22.682111] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105740
[ 22.682416] flags: 0x200000000000000(node=0|zone=2)
[ 22.682657] raw: 0200000000000000 ffffea000415d108 ffff88815b039fc0 0000000000000000
[ 22.682974] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 22.683580] page dumped because: kasan: bad access detected
[ 22.683786]
[ 22.683853] Memory state around the buggy address:
[ 22.684005]  ffff88810573ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 22.684443]  ffff88810573ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 22.684760] >ffff888105740000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.685013]                    ^
[ 22.685157]  ffff888105740080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.685452]  ffff888105740100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.685714] ==================================================================
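A triage helper for reports of this shape, added here as an example; it is not part of the test-results page and not the kernel's own KASAN or KUnit code. It parses the `BUG: KASAN:` header, the access line, the `[X]=NAME` taint flags and the `>`-marked shadow-memory row, decodes the shadow byte under the faulting address, and flags a report as the KUnit self-test firing when the kernel carries the `[N]=TEST` taint and the access came from a `kunit_try_catch` thread. The shadow legend (`ff` = `KASAN_PAGE_FREE`, `fb` = `KASAN_SLAB_FREE`, and so on) is assumed from the kernel's `mm/kasan/kasan.h`; the logs above do not print it. The embedded excerpts are trimmed copies of the qemu-arm64 and qemu-x86_64 reports above. The `kmalloc_large_uaf` KUnit case frees a page-allocator-backed `kmalloc` buffer and then reads its first byte on purpose, so the three reports are the self-test passing, not a regression; the helper's output says so.

```python
"""Triage helper for generic-KASAN reports such as the three on this page."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable

# Shadow-byte legend for generic (software) KASAN. Assumed from the kernel's
# mm/kasan/kasan.h; the reports on this page print no legend themselves.
SHADOW_LEGEND = {
    0x00: "addressable",
    0xFB: "freed slab object (KASAN_SLAB_FREE)",
    0xFC: "slab redzone (KASAN_SLAB_REDZONE)",
    0xFE: "page redzone (KASAN_PAGE_REDZONE)",
    0xFF: "freed page (KASAN_PAGE_FREE)",
}
SHADOW_SCALE = 8  # one shadow byte describes an 8-byte granule of kernel memory

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")
HEADER_RE = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\w+)\+0x")
ACCESS_RE = re.compile(
    r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)"
)
TAINT_RE = re.compile(r"\[([A-Z])\]=([A-Z_]+)")
# A "Memory state" row: optional '>' marker, 16-hex-digit base, 16 shadow bytes.
STATE_RE = re.compile(r"^(?P<cur>>)?(?P<base>[0-9a-f]{16}): (?P<bytes>[0-9a-f]{2}(?: [0-9a-f]{2}){15})$")


@dataclass
class KasanReport:
    bug: str          # e.g. "use-after-free"
    func: str         # function containing the faulting instruction
    kind: str         # "Read" or "Write"
    size: int
    addr: int
    task: str         # "comm/pid"
    taints: Dict[str, str]
    shadow_byte: int  # shadow value covering `addr`

    @property
    def shadow_meaning(self) -> str:
        return SHADOW_LEGEND.get(self.shadow_byte, f"unknown shadow value 0x{self.shadow_byte:02x}")

    @property
    def from_selftest(self) -> bool:
        # KUnit taints the kernel with TAINT_TEST ([N]) and runs each case in a
        # kunit_try_catch thread. [B]=BAD_PAGE is added by KASAN's own report
        # path, so it carries no information about where the access came from.
        return "N" in self.taints and self.task.startswith("kunit_try_catch/")


def parse_report(text: str) -> KasanReport:
    header = access = None
    taints: Dict[str, str] = {}
    shadow_byte = None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if header is None and (m := HEADER_RE.search(line)):
            header = m
        elif access is None and (m := ACCESS_RE.search(line)):
            access = m
        elif "Tainted:" in line:
            taints.update(TAINT_RE.findall(line))
        elif access is not None and (m := STATE_RE.match(line)) and m.group("cur"):
            # The '>' row holds the faulting address; pick the shadow byte for
            # the 8-byte granule that contains it.
            idx = (int(access.group("addr"), 16) - int(m.group("base"), 16)) // SHADOW_SCALE
            if not 0 <= idx < 16:
                raise ValueError("faulting address not inside the marked shadow row")
            shadow_byte = int(m.group("bytes").split()[idx], 16)
    if header is None or access is None or shadow_byte is None:
        raise ValueError("not a complete KASAN report")
    return KasanReport(
        bug=header.group("bug"), func=header.group("func"),
        kind=access.group("kind"), size=int(access.group("size")),
        addr=int(access.group("addr"), 16), task=access.group("task"),
        taints=taints, shadow_byte=shadow_byte,
    )


def same_bug(reports: Iterable[KasanReport]) -> bool:
    """True when every report is the same fault (bug class, function, shadow state)."""
    return len({(r.bug, r.func, r.shadow_byte) for r in reports}) == 1


def triage(report: KasanReport) -> str:
    origin = "KUnit self-test, expected" if report.from_selftest else "NOT a self-test, investigate"
    return (f"{report.bug} in {report.func}: {report.kind} of {report.size} byte(s) at "
            f"0x{report.addr:016x} hits {report.shadow_meaning}; {origin}")


# Trimmed copies of the qemu-arm64 and qemu-x86_64 reports from this page.
QEMU_ARM64_EXCERPT = """\
[ 30.771649] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[ 30.772213] Read of size 1 at addr fff00000c9bc0000 by task kunit_try_catch/180
[ 30.772479] CPU: 0 UID: 0 PID: 180 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 30.772613] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.776231] Memory state around the buggy address:
[ 30.776476]  fff00000c9bbff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.776525] >fff00000c9bc0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.776892]                    ^
"""
QEMU_X86_64_EXCERPT = """\
[ 22.671416] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f1/0x340
[ 22.671775] Read of size 1 at addr ffff888105740000 by task kunit_try_catch/197
[ 22.672427] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary)
[ 22.672501] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.684443]  ffff88810573ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 22.684760] >ffff888105740000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.685013]                    ^
"""

if __name__ == "__main__":
    reports = [parse_report(QEMU_ARM64_EXCERPT), parse_report(QEMU_X86_64_EXCERPT)]
    for r in reports:
        print(triage(r))
    print("all environments report the same fault:", same_bug(reports))
```

The shadow-row arithmetic is the part worth keeping straight: the address printed at the start of each `Memory state` row is a kernel address, and each of the 16 bytes that follow describes one 8-byte granule, so the byte index is `(addr - row_base) // 8`; here that index is 0 and the value is `ff`, a page that has been returned to the page allocator, which is exactly what a read after `kfree()` of a large (page-backed) allocation should hit. A report with the same header but a `fb` shadow byte would point at a freed slab object instead, and one without the `[N]` taint or from a non-KUnit task would deserve a real investigation.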