Date
July 8, 2025, 11:10 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 31.267710] ================================================================== [ 31.267773] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310 [ 31.267832] Write of size 33 at addr fff00000c9acb580 by task kunit_try_catch/217 [ 31.267882] [ 31.267918] CPU: 0 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250708 #1 PREEMPT [ 31.268336] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.268376] Hardware name: linux,dummy-virt (DT) [ 31.268427] Call trace: [ 31.268452] show_stack+0x20/0x38 (C) [ 31.268520] dump_stack_lvl+0x8c/0xd0 [ 31.268583] print_report+0x118/0x5d0 [ 31.268853] kasan_report+0xdc/0x128 [ 31.269067] kasan_check_range+0x100/0x1a8 [ 31.269117] __asan_memset+0x34/0x78 [ 31.269161] kmalloc_uaf_memset+0x170/0x310 [ 31.270394] kunit_try_run_case+0x170/0x3f0 [ 31.270487] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.270544] kthread+0x328/0x630 [ 31.270588] ret_from_fork+0x10/0x20 [ 31.270777] [ 31.270797] Allocated by task 217: [ 31.270861] kasan_save_stack+0x3c/0x68 [ 31.270905] kasan_save_track+0x20/0x40 [ 31.272329] kasan_save_alloc_info+0x40/0x58 [ 31.272807] __kasan_kmalloc+0xd4/0xd8 [ 31.273662] __kmalloc_cache_noprof+0x16c/0x3c0 [ 31.274448] kmalloc_uaf_memset+0xb8/0x310 [ 31.275649] kunit_try_run_case+0x170/0x3f0 [ 31.277201] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.277742] kthread+0x328/0x630 [ 31.277777] ret_from_fork+0x10/0x20 [ 31.277815] [ 31.277840] Freed by task 217: [ 31.278787] kasan_save_stack+0x3c/0x68 [ 31.279106] kasan_save_track+0x20/0x40 [ 31.279289] kasan_save_free_info+0x4c/0x78 [ 31.279329] __kasan_slab_free+0x6c/0x98 [ 31.279368] kfree+0x214/0x3c8 [ 31.279402] kmalloc_uaf_memset+0x11c/0x310 [ 31.279572] kunit_try_run_case+0x170/0x3f0 [ 31.279897] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.280085] kthread+0x328/0x630 [ 31.280161] ret_from_fork+0x10/0x20 [ 31.280260] [ 31.280280] The buggy address belongs to the object at fff00000c9acb580 [ 31.280280] which belongs to the cache kmalloc-64 of size 64 [ 31.280340] The buggy address is located 0 bytes inside of [ 31.280340] freed 64-byte region [fff00000c9acb580, fff00000c9acb5c0) [ 31.280402] [ 31.280460] The buggy address belongs to the physical page: [ 31.280510] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109acb [ 31.280766] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.281019] page_type: f5(slab) [ 31.281232] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000 [ 31.281328] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 31.281369] page dumped because: kasan: bad access detected [ 31.281402] [ 31.281453] Memory state around the buggy address: [ 31.281486] fff00000c9acb480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.281529] fff00000c9acb500: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.281571] >fff00000c9acb580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 31.281609] ^ [ 31.281637] fff00000c9acb600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.282036] fff00000c9acb680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.282127] ==================================================================
[ 23.630421] ================================================================== [ 23.631190] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a3/0x360 [ 23.631542] Write of size 33 at addr ffff8881059b5f80 by task kunit_try_catch/234 [ 23.631949] [ 23.632065] CPU: 0 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250708 #1 PREEMPT(voluntary) [ 23.632122] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.632134] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 23.632158] Call Trace: [ 23.632174] <TASK> [ 23.632195] dump_stack_lvl+0x73/0xb0 [ 23.632229] print_report+0xd1/0x610 [ 23.632266] ? __virt_addr_valid+0x1db/0x2d0 [ 23.632291] ? kmalloc_uaf_memset+0x1a3/0x360 [ 23.632312] ? kasan_complete_mode_report_info+0x64/0x200 [ 23.632341] ? kmalloc_uaf_memset+0x1a3/0x360 [ 23.632363] kasan_report+0x141/0x180 [ 23.632385] ? kmalloc_uaf_memset+0x1a3/0x360 [ 23.632411] kasan_check_range+0x10c/0x1c0 [ 23.632436] __asan_memset+0x27/0x50 [ 23.632463] kmalloc_uaf_memset+0x1a3/0x360 [ 23.632484] ? __pfx_kmalloc_uaf_memset+0x10/0x10 [ 23.632507] ? __schedule+0x10cc/0x2b60 [ 23.632536] ? __pfx_read_tsc+0x10/0x10 [ 23.632561] ? ktime_get_ts64+0x86/0x230 [ 23.632589] kunit_try_run_case+0x1a5/0x480 [ 23.632613] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.632633] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 23.632655] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.632683] ? __kthread_parkme+0x82/0x180 [ 23.632705] ? preempt_count_sub+0x50/0x80 [ 23.632729] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.632797] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.632839] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.632867] kthread+0x337/0x6f0 [ 23.632888] ? trace_preempt_on+0x20/0xc0 [ 23.632914] ? __pfx_kthread+0x10/0x10 [ 23.632936] ? _raw_spin_unlock_irq+0x47/0x80 [ 23.632963] ? calculate_sigpending+0x7b/0xa0 [ 23.632991] ? __pfx_kthread+0x10/0x10 [ 23.633014] ret_from_fork+0x116/0x1d0 [ 23.633034] ? __pfx_kthread+0x10/0x10 [ 23.633056] ret_from_fork_asm+0x1a/0x30 [ 23.633091] </TASK> [ 23.633103] [ 23.640228] Allocated by task 234: [ 23.640387] kasan_save_stack+0x45/0x70 [ 23.640577] kasan_save_track+0x18/0x40 [ 23.640704] kasan_save_alloc_info+0x3b/0x50 [ 23.640872] __kasan_kmalloc+0xb7/0xc0 [ 23.641069] __kmalloc_cache_noprof+0x189/0x420 [ 23.641284] kmalloc_uaf_memset+0xa9/0x360 [ 23.641421] kunit_try_run_case+0x1a5/0x480 [ 23.641571] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.641816] kthread+0x337/0x6f0 [ 23.642053] ret_from_fork+0x116/0x1d0 [ 23.642236] ret_from_fork_asm+0x1a/0x30 [ 23.642444] [ 23.642507] Freed by task 234: [ 23.642656] kasan_save_stack+0x45/0x70 [ 23.642873] kasan_save_track+0x18/0x40 [ 23.643013] kasan_save_free_info+0x3f/0x60 [ 23.643212] __kasan_slab_free+0x56/0x70 [ 23.643413] kfree+0x222/0x3f0 [ 23.643530] kmalloc_uaf_memset+0x12b/0x360 [ 23.643698] kunit_try_run_case+0x1a5/0x480 [ 23.644034] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.644298] kthread+0x337/0x6f0 [ 23.644440] ret_from_fork+0x116/0x1d0 [ 23.644594] ret_from_fork_asm+0x1a/0x30 [ 23.644729] [ 23.644794] The buggy address belongs to the object at ffff8881059b5f80 [ 23.644794] which belongs to the cache kmalloc-64 of size 64 [ 23.645143] The buggy address is located 0 bytes inside of [ 23.645143] freed 64-byte region [ffff8881059b5f80, ffff8881059b5fc0) [ 23.645567] [ 23.645660] The buggy address belongs to the physical page: [ 23.645905] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059b5 [ 23.646555] flags: 0x200000000000000(node=0|zone=2) [ 23.646721] page_type: f5(slab) [ 23.647074] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 [ 23.647509] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 23.648089] page dumped because: kasan: bad access detected [ 23.648325] [ 23.648405] Memory state around the buggy address: [ 23.648557] ffff8881059b5e80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.648766] ffff8881059b5f00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.648974] >ffff8881059b5f80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.649456] ^ [ 23.649623] ffff8881059b6000: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 23.650159] ffff8881059b6080: 00 00 00 00 00 00 00 00 00 03 fc fc fc fc fc fc [ 23.650493] ==================================================================