Hay
Date
July 11, 2025, 10:11 a.m.

Environment
e850-96
qemu-arm64
qemu-x86_64

[   46.549329] ==================================================================
[   46.557946] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[   46.565062] Write of size 33 at addr ffff0008083fc280 by task kunit_try_catch/270
[   46.572524] 
[   46.574012] CPU: 0 UID: 0 PID: 270 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250711 #1 PREEMPT 
[   46.574068] Tainted: [B]=BAD_PAGE, [N]=TEST
[   46.574085] Hardware name: WinLink E850-96 board (DT)
[   46.574109] Call trace:
[   46.574123]  show_stack+0x20/0x38 (C)
[   46.574161]  dump_stack_lvl+0x8c/0xd0
[   46.574194]  print_report+0x118/0x5d0
[   46.574222]  kasan_report+0xdc/0x128
[   46.574252]  kasan_check_range+0x100/0x1a8
[   46.574282]  __asan_memset+0x34/0x78
[   46.574313]  kmalloc_uaf_memset+0x170/0x310
[   46.574346]  kunit_try_run_case+0x170/0x3f0
[   46.574387]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   46.574420]  kthread+0x328/0x630
[   46.574451]  ret_from_fork+0x10/0x20
[   46.574483] 
[   46.640927] Allocated by task 270:
[   46.644313]  kasan_save_stack+0x3c/0x68
[   46.648130]  kasan_save_track+0x20/0x40
[   46.651950]  kasan_save_alloc_info+0x40/0x58
[   46.656203]  __kasan_kmalloc+0xd4/0xd8
[   46.659936]  __kmalloc_cache_noprof+0x16c/0x3c0
[   46.664449]  kmalloc_uaf_memset+0xb8/0x310
[   46.668531]  kunit_try_run_case+0x170/0x3f0
[   46.672696]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   46.678164]  kthread+0x328/0x630
[   46.681376]  ret_from_fork+0x10/0x20
[   46.684935] 
[   46.686412] Freed by task 270:
[   46.689450]  kasan_save_stack+0x3c/0x68
[   46.693269]  kasan_save_track+0x20/0x40
[   46.697088]  kasan_save_free_info+0x4c/0x78
[   46.701254]  __kasan_slab_free+0x6c/0x98
[   46.705161]  kfree+0x214/0x3c8
[   46.708199]  kmalloc_uaf_memset+0x11c/0x310
[   46.712366]  kunit_try_run_case+0x170/0x3f0
[   46.716532]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   46.722002]  kthread+0x328/0x630
[   46.725212]  ret_from_fork+0x10/0x20
[   46.728771] 
[   46.730249] The buggy address belongs to the object at ffff0008083fc280
[   46.730249]  which belongs to the cache kmalloc-64 of size 64
[   46.742575] The buggy address is located 0 bytes inside of
[   46.742575]  freed 64-byte region [ffff0008083fc280, ffff0008083fc2c0)
[   46.754552] 
[   46.756031] The buggy address belongs to the physical page:
[   46.761587] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8883fc
[   46.769573] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   46.776082] page_type: f5(slab)
[   46.779217] raw: 0bfffe0000000000 ffff0008000028c0 dead000000000122 0000000000000000
[   46.786937] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   46.794656] page dumped because: kasan: bad access detected
[   46.800211] 
[   46.801686] Memory state around the buggy address:
[   46.806467]  ffff0008083fc180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   46.813669]  ffff0008083fc200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   46.820876] >ffff0008083fc280: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   46.828075]                    ^
[   46.831291]  ffff0008083fc300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   46.838496]  ffff0008083fc380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   46.845698] ==================================================================

[   30.543270] ==================================================================
[   30.543378] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[   30.543455] Write of size 33 at addr fff00000c9ac9a80 by task kunit_try_catch/217
[   30.545884] 
[   30.545948] CPU: 1 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250711 #1 PREEMPT 
[   30.546241] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.546268] Hardware name: linux,dummy-virt (DT)
[   30.548068] Call trace:
[   30.548169]  show_stack+0x20/0x38 (C)
[   30.548237]  dump_stack_lvl+0x8c/0xd0
[   30.548715]  print_report+0x118/0x5d0
[   30.549225]  kasan_report+0xdc/0x128
[   30.549940]  kasan_check_range+0x100/0x1a8
[   30.550215]  __asan_memset+0x34/0x78
[   30.550348]  kmalloc_uaf_memset+0x170/0x310
[   30.551001]  kunit_try_run_case+0x170/0x3f0
[   30.551635]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.551698]  kthread+0x328/0x630
[   30.552619]  ret_from_fork+0x10/0x20
[   30.552685] 
[   30.552705] Allocated by task 217:
[   30.552736]  kasan_save_stack+0x3c/0x68
[   30.553537]  kasan_save_track+0x20/0x40
[   30.553920]  kasan_save_alloc_info+0x40/0x58
[   30.553967]  __kasan_kmalloc+0xd4/0xd8
[   30.554004]  __kmalloc_cache_noprof+0x16c/0x3c0
[   30.554726]  kmalloc_uaf_memset+0xb8/0x310
[   30.554779]  kunit_try_run_case+0x170/0x3f0
[   30.555440]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.556164]  kthread+0x328/0x630
[   30.556238]  ret_from_fork+0x10/0x20
[   30.557066] 
[   30.557091] Freed by task 217:
[   30.557122]  kasan_save_stack+0x3c/0x68
[   30.557792]  kasan_save_track+0x20/0x40
[   30.558723]  kasan_save_free_info+0x4c/0x78
[   30.558898]  __kasan_slab_free+0x6c/0x98
[   30.559504]  kfree+0x214/0x3c8
[   30.559662]  kmalloc_uaf_memset+0x11c/0x310
[   30.559710]  kunit_try_run_case+0x170/0x3f0
[   30.559982]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.560319]  kthread+0x328/0x630
[   30.560692]  ret_from_fork+0x10/0x20
[   30.560734] 
[   30.561572] The buggy address belongs to the object at fff00000c9ac9a80
[   30.561572]  which belongs to the cache kmalloc-64 of size 64
[   30.561661] The buggy address is located 0 bytes inside of
[   30.561661]  freed 64-byte region [fff00000c9ac9a80, fff00000c9ac9ac0)
[   30.561724] 
[   30.562726] The buggy address belongs to the physical page:
[   30.562770] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109ac9
[   30.562835] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   30.562891] page_type: f5(slab)
[   30.562936] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   30.562989] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   30.564619] page dumped because: kasan: bad access detected
[   30.565160] 
[   30.565341] Memory state around the buggy address:
[   30.565422]  fff00000c9ac9980: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.566012]  fff00000c9ac9a00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.567055] >fff00000c9ac9a80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.567270]                    ^
[   30.567315]  fff00000c9ac9b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.567381]  fff00000c9ac9b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.567422] ==================================================================

[   24.051837] ==================================================================
[   24.052248] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a3/0x360
[   24.053131] Write of size 33 at addr ffff888104cb3b80 by task kunit_try_catch/236
[   24.054019] 
[   24.054206] CPU: 0 UID: 0 PID: 236 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary) 
[   24.054340] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.054356] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.054378] Call Trace:
[   24.054392]  <TASK>
[   24.054429]  dump_stack_lvl+0x73/0xb0
[   24.054465]  print_report+0xd1/0x610
[   24.054492]  ? __virt_addr_valid+0x1db/0x2d0
[   24.054519]  ? kmalloc_uaf_memset+0x1a3/0x360
[   24.054540]  ? kasan_complete_mode_report_info+0x64/0x200
[   24.054566]  ? kmalloc_uaf_memset+0x1a3/0x360
[   24.054587]  kasan_report+0x141/0x180
[   24.054609]  ? kmalloc_uaf_memset+0x1a3/0x360
[   24.054633]  kasan_check_range+0x10c/0x1c0
[   24.054656]  __asan_memset+0x27/0x50
[   24.054679]  kmalloc_uaf_memset+0x1a3/0x360
[   24.054700]  ? __pfx_kmalloc_uaf_memset+0x10/0x10
[   24.054721]  ? __schedule+0x10cc/0x2b60
[   24.054757]  ? __pfx_read_tsc+0x10/0x10
[   24.054779]  ? ktime_get_ts64+0x86/0x230
[   24.054806]  kunit_try_run_case+0x1a5/0x480
[   24.054831]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.054851]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.054874]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.054897]  ? __kthread_parkme+0x82/0x180
[   24.054919]  ? preempt_count_sub+0x50/0x80
[   24.054943]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.054964]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.054989]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.055013]  kthread+0x337/0x6f0
[   24.055033]  ? trace_preempt_on+0x20/0xc0
[   24.055057]  ? __pfx_kthread+0x10/0x10
[   24.055078]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.055099]  ? calculate_sigpending+0x7b/0xa0
[   24.055124]  ? __pfx_kthread+0x10/0x10
[   24.055146]  ret_from_fork+0x116/0x1d0
[   24.055165]  ? __pfx_kthread+0x10/0x10
[   24.055186]  ret_from_fork_asm+0x1a/0x30
[   24.055217]  </TASK>
[   24.055229] 
[   24.066120] Allocated by task 236:
[   24.066253]  kasan_save_stack+0x45/0x70
[   24.066677]  kasan_save_track+0x18/0x40
[   24.067022]  kasan_save_alloc_info+0x3b/0x50
[   24.067459]  __kasan_kmalloc+0xb7/0xc0
[   24.067809]  __kmalloc_cache_noprof+0x189/0x420
[   24.068460]  kmalloc_uaf_memset+0xa9/0x360
[   24.068871]  kunit_try_run_case+0x1a5/0x480
[   24.069227]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.069767]  kthread+0x337/0x6f0
[   24.070101]  ret_from_fork+0x116/0x1d0
[   24.070235]  ret_from_fork_asm+0x1a/0x30
[   24.070637] 
[   24.070804] Freed by task 236:
[   24.071070]  kasan_save_stack+0x45/0x70
[   24.071388]  kasan_save_track+0x18/0x40
[   24.071525]  kasan_save_free_info+0x3f/0x60
[   24.071663]  __kasan_slab_free+0x56/0x70
[   24.071806]  kfree+0x222/0x3f0
[   24.071919]  kmalloc_uaf_memset+0x12b/0x360
[   24.072054]  kunit_try_run_case+0x1a5/0x480
[   24.072188]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.072377]  kthread+0x337/0x6f0
[   24.072493]  ret_from_fork+0x116/0x1d0
[   24.072681]  ret_from_fork_asm+0x1a/0x30
[   24.073062] 
[   24.073158] The buggy address belongs to the object at ffff888104cb3b80
[   24.073158]  which belongs to the cache kmalloc-64 of size 64
[   24.073837] The buggy address is located 0 bytes inside of
[   24.073837]  freed 64-byte region [ffff888104cb3b80, ffff888104cb3bc0)
[   24.074232] 
[   24.074322] The buggy address belongs to the physical page:
[   24.074827] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104cb3
[   24.075068] flags: 0x200000000000000(node=0|zone=2)
[   24.075294] page_type: f5(slab)
[   24.075458] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   24.075805] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   24.076024] page dumped because: kasan: bad access detected
[   24.076276] 
[   24.076371] Memory state around the buggy address:
[   24.076634]  ffff888104cb3a80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   24.076937]  ffff888104cb3b00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   24.077143] >ffff888104cb3b80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   24.077426]                    ^
[   24.077659]  ffff888104cb3c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.077901]  ffff888104cb3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.078270] ==================================================================
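The three reports above are one and the same event on each board: the kernel's own KASAN self-test kmalloc_uaf_memset, run under kunit_try_catch (hence the [N]=TEST taint), frees a kmalloc-64 object and then deliberately writes 33 bytes into it, and KASAN flags the write as slab-use-after-free. That is a passing self-test, not a kernel bug to triage. What is worth reading in such a report is the "Memory state" block: every shadow byte covers 8 bytes of memory, and the dump shows each 64-byte object (fa fb fb fb fb fb fb fb) followed by a 64-byte redzone (fc x8), which is why the objects sit 0x80 apart. The Python below is an added example, not part of this results page and not kernel code; it re-derives the classification and the "freed 64-byte region" line from the shadow dump alone. It assumes generic-mode KASAN shadow encoding (one shadow byte per 8-byte granule; 0 means fully addressable, 1..7 means only the first N bytes are addressable), the poison values from mm/kasan/kasan.h (0xFA first granule of a freed slab object holding the free track, 0xFB freed slab object, 0xFC slab redzone, and so on) and the bug-type mapping of mm/kasan/report_generic.c. The REPORT string is the E850-96 dump copied from above; the extra 8-byte write into the redzone in the usage note is a constructed access that does not appear on the page.

```python
"""Decode a generic-mode KASAN "Memory state" dump and classify an access.

Added example; not from the results page and not kernel code.  It mirrors the
shadow encoding and poison values of the kernel's generic KASAN mode
(mm/kasan/kasan.h, mm/kasan/report_generic.c) as the author understands them.
"""
import re

GRANULE = 8  # generic KASAN: one shadow byte describes 8 bytes of memory

# Shadow poison values, generic mode (mm/kasan/kasan.h).
KASAN_PAGE_FREE = 0xFF
KASAN_PAGE_REDZONE = 0xFE
KASAN_SLAB_REDZONE = 0xFC
KASAN_SLAB_FREE = 0xFB
KASAN_SLAB_FREETRACK = 0xFA  # first granule of a freed object (free track lives here)
KASAN_GLOBAL_REDZONE = 0xF9
KASAN_VMALLOC_INVALID = 0xF8
KASAN_STACK_LEFT, KASAN_STACK_MID, KASAN_STACK_RIGHT, KASAN_STACK_PARTIAL = 0xF1, 0xF2, 0xF3, 0xF4

# Poison value -> bug type string printed in the "BUG: KASAN: ..." header.
BUG_TYPE = {
    KASAN_PAGE_REDZONE: "slab-out-of-bounds",
    KASAN_SLAB_REDZONE: "slab-out-of-bounds",
    KASAN_GLOBAL_REDZONE: "global-out-of-bounds",
    KASAN_STACK_LEFT: "stack-out-of-bounds",
    KASAN_STACK_MID: "stack-out-of-bounds",
    KASAN_STACK_RIGHT: "stack-out-of-bounds",
    KASAN_STACK_PARTIAL: "stack-out-of-bounds",
    KASAN_PAGE_FREE: "use-after-free",
    KASAN_SLAB_FREE: "slab-use-after-free",
    KASAN_SLAB_FREETRACK: "slab-use-after-free",
    KASAN_VMALLOC_INVALID: "vmalloc-out-of-bounds",
}

# Constructed input: the access line and shadow dump copied from the E850-96 report.
REPORT = """\
[   46.565062] Write of size 33 at addr ffff0008083fc280 by task kunit_try_catch/270
[   46.801686] Memory state around the buggy address:
[   46.806467]  ffff0008083fc180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   46.813669]  ffff0008083fc200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   46.820876] >ffff0008083fc280: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   46.828075]                    ^
[   46.831291]  ffff0008083fc300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   46.838496]  ffff0008083fc380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
SHADOW_RE = re.compile(r">?\s*([0-9a-f]{8,16}):((?:\s+[0-9a-f]{2}){16})")


def parse_shadow(text):
    """Return ({granule_base: shadow_byte}, (kind, size, addr)).

    The address on each dump line is the memory address covered by its first
    shadow byte, so byte i describes [base + 8*i, base + 8*i + 8).
    """
    shadow, access = {}, None
    for line in text.splitlines():
        m = ACCESS_RE.search(line)
        if m:
            access = (m.group(1).lower(), int(m.group(2)), int(m.group(3), 16))
            continue
        m = SHADOW_RE.search(line)
        if m:
            base = int(m.group(1), 16)
            for i, tok in enumerate(m.group(2).split()):
                shadow[base + i * GRANULE] = int(tok, 16)
    return shadow, access


def first_bad_addr(shadow, addr, size):
    """First byte in [addr, addr+size) the shadow marks non-addressable, else None."""
    for a in range(addr, addr + size):
        s = shadow[a & ~(GRANULE - 1)]
        if s == 0 or (1 <= s < GRANULE and (a & (GRANULE - 1)) < s):
            continue  # fully or partially addressable granule, this byte is fine
        return a
    return None


def bug_type(shadow, addr, size):
    """Bug type KASAN would print for this access, or None if it is clean."""
    bad = first_bad_addr(shadow, addr, size)
    if bad is None:
        return None
    s = shadow[bad & ~(GRANULE - 1)]
    return "out-of-bounds" if s < GRANULE else BUG_TYPE.get(s, "unknown")


def freed_region(shadow, addr):
    """Reconstruct [start, end) of the freed object around addr from the shadow:
    walk back over 0xFB granules to the 0xFA granule that marks the object
    start, then forward over the 0xFB granules.  KASAN itself takes this from
    slab metadata; the shadow walk is a triage shortcut that agrees here."""
    g = addr & ~(GRANULE - 1)
    while shadow.get(g) == KASAN_SLAB_FREE:
        g -= GRANULE
    if shadow.get(g) != KASAN_SLAB_FREETRACK:
        return None
    start, g = g, g + GRANULE
    while shadow.get(g) == KASAN_SLAB_FREE:
        g += GRANULE
    return start, g


def describe(text):
    """Summarise a report excerpt the way the kernel's header lines do."""
    shadow, (kind, size, addr) = parse_shadow(text)
    region = freed_region(shadow, addr)
    return {"kind": kind, "size": size, "addr": addr,
            "bug_type": bug_type(shadow, addr, size), "region": region,
            "offset": addr - region[0] if region else None}


if __name__ == "__main__":
    r = describe(REPORT)
    print(f"{r['bug_type']}: {r['kind']} of size {r['size']} at {r['addr']:#x}, "
          f"{r['offset']} bytes inside freed {r['region'][1] - r['region'][0]}-byte region")
```

Running describe(REPORT) reproduces the kernel's own verdict: slab-use-after-free, write of size 33 at 0xffff0008083fc280, 0 bytes inside the freed 64-byte region [0xffff0008083fc280, 0xffff0008083fc2c0). The same shadow also classifies accesses the page does not show: bug_type(shadow, 0xffff0008083fc2c0, 8), an 8-byte write starting at the object's end, lands on a 0xFC granule and comes back as slab-out-of-bounds, and freed_region returns None there because no free-track granule precedes it. When reading a real (non-test) report, the first bad byte and its poison value are what decide the bug class; the "located N bytes inside of" line tells you whether the access is a stale pointer (offset within the object, as here) or an overrun that happened to reach a freed neighbour.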