Hay
Date: July 14, 2025, 10:38 a.m.

Environment: e850-96, qemu-arm64, qemu-x86_64

[   45.505679] ==================================================================
[   45.515289] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[   45.521881] Read of size 1 at addr ffff000804a478a8 by task kunit_try_catch/272
[   45.529171] 
[   45.530657] CPU: 2 UID: 0 PID: 272 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250714 #1 PREEMPT 
[   45.530714] Tainted: [B]=BAD_PAGE, [N]=TEST
[   45.530731] Hardware name: WinLink E850-96 board (DT)
[   45.530753] Call trace:
[   45.530765]  show_stack+0x20/0x38 (C)
[   45.530801]  dump_stack_lvl+0x8c/0xd0
[   45.530832]  print_report+0x118/0x5d0
[   45.530860]  kasan_report+0xdc/0x128
[   45.530888]  __asan_report_load1_noabort+0x20/0x30
[   45.530922]  kmalloc_uaf2+0x3f4/0x468
[   45.530952]  kunit_try_run_case+0x170/0x3f0
[   45.530991]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   45.531022]  kthread+0x328/0x630
[   45.531052]  ret_from_fork+0x10/0x20
[   45.531086] 
[   45.594189] Allocated by task 272:
[   45.597576]  kasan_save_stack+0x3c/0x68
[   45.601393]  kasan_save_track+0x20/0x40
[   45.605213]  kasan_save_alloc_info+0x40/0x58
[   45.609465]  __kasan_kmalloc+0xd4/0xd8
[   45.613197]  __kmalloc_cache_noprof+0x16c/0x3c0
[   45.617711]  kmalloc_uaf2+0xc4/0x468
[   45.621271]  kunit_try_run_case+0x170/0x3f0
[   45.625437]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   45.630906]  kthread+0x328/0x630
[   45.634118]  ret_from_fork+0x10/0x20
[   45.637677] 
[   45.639153] Freed by task 272:
[   45.642190]  kasan_save_stack+0x3c/0x68
[   45.646009]  kasan_save_track+0x20/0x40
[   45.649829]  kasan_save_free_info+0x4c/0x78
[   45.653996]  __kasan_slab_free+0x6c/0x98
[   45.657902]  kfree+0x214/0x3c8
[   45.660940]  kmalloc_uaf2+0x134/0x468
[   45.664586]  kunit_try_run_case+0x170/0x3f0
[   45.668753]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   45.674221]  kthread+0x328/0x630
[   45.677433]  ret_from_fork+0x10/0x20
[   45.680992] 
[   45.682469] The buggy address belongs to the object at ffff000804a47880
[   45.682469]  which belongs to the cache kmalloc-64 of size 64
[   45.694797] The buggy address is located 40 bytes inside of
[   45.694797]  freed 64-byte region [ffff000804a47880, ffff000804a478c0)
[   45.706859] 
[   45.708337] The buggy address belongs to the physical page:
[   45.713895] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x884a47
[   45.721879] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   45.728390] page_type: f5(slab)
[   45.731525] raw: 0bfffe0000000000 ffff0008000028c0 dead000000000122 0000000000000000
[   45.739244] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   45.746964] page dumped because: kasan: bad access detected
[   45.752519] 
[   45.753995] Memory state around the buggy address:
[   45.758774]  ffff000804a47780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   45.765977]  ffff000804a47800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   45.773182] >ffff000804a47880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   45.780382]                                   ^
[   45.784900]  ffff000804a47900: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   45.792105]  ffff000804a47980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   45.799307] ==================================================================

[   29.766658] ==================================================================
[   29.766766] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[   29.766833] Read of size 1 at addr fff00000c9adf1a8 by task kunit_try_catch/219
[   29.767106] 
[   29.767192] CPU: 0 UID: 0 PID: 219 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250714 #1 PREEMPT 
[   29.767346] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.767375] Hardware name: linux,dummy-virt (DT)
[   29.767407] Call trace:
[   29.767438]  show_stack+0x20/0x38 (C)
[   29.767533]  dump_stack_lvl+0x8c/0xd0
[   29.767766]  print_report+0x118/0x5d0
[   29.767813]  kasan_report+0xdc/0x128
[   29.767856]  __asan_report_load1_noabort+0x20/0x30
[   29.767905]  kmalloc_uaf2+0x3f4/0x468
[   29.767948]  kunit_try_run_case+0x170/0x3f0
[   29.767998]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.768058]  kthread+0x328/0x630
[   29.768100]  ret_from_fork+0x10/0x20
[   29.768149] 
[   29.768216] Allocated by task 219:
[   29.768247]  kasan_save_stack+0x3c/0x68
[   29.768399]  kasan_save_track+0x20/0x40
[   29.768747]  kasan_save_alloc_info+0x40/0x58
[   29.768943]  __kasan_kmalloc+0xd4/0xd8
[   29.768986]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.769028]  kmalloc_uaf2+0xc4/0x468
[   29.769099]  kunit_try_run_case+0x170/0x3f0
[   29.769166]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.769207]  kthread+0x328/0x630
[   29.769239]  ret_from_fork+0x10/0x20
[   29.769277] 
[   29.769296] Freed by task 219:
[   29.769323]  kasan_save_stack+0x3c/0x68
[   29.769769]  kasan_save_track+0x20/0x40
[   29.769845]  kasan_save_free_info+0x4c/0x78
[   29.769883]  __kasan_slab_free+0x6c/0x98
[   29.769925]  kfree+0x214/0x3c8
[   29.769959]  kmalloc_uaf2+0x134/0x468
[   29.769995]  kunit_try_run_case+0x170/0x3f0
[   29.770168]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.770210]  kthread+0x328/0x630
[   29.770242]  ret_from_fork+0x10/0x20
[   29.770279] 
[   29.770299] The buggy address belongs to the object at fff00000c9adf180
[   29.770299]  which belongs to the cache kmalloc-64 of size 64
[   29.770359] The buggy address is located 40 bytes inside of
[   29.770359]  freed 64-byte region [fff00000c9adf180, fff00000c9adf1c0)
[   29.770420] 
[   29.770501] The buggy address belongs to the physical page:
[   29.770539] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109adf
[   29.770870] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   29.770968] page_type: f5(slab)
[   29.771033] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   29.771094] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   29.771135] page dumped because: kasan: bad access detected
[   29.771378] 
[   29.771451] Memory state around the buggy address:
[   29.771484]  fff00000c9adf080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   29.771539]  fff00000c9adf100: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   29.771699] >fff00000c9adf180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   29.771738]                                   ^
[   29.771772]  fff00000c9adf200: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   29.771964]  fff00000c9adf280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.772066] ==================================================================

[   24.592261] ==================================================================
[   24.592725] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4a8/0x520
[   24.593355] Read of size 1 at addr ffff888103eaa2a8 by task kunit_try_catch/237
[   24.593630] 
[   24.593730] CPU: 0 UID: 0 PID: 237 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc6-next-20250714 #1 PREEMPT(voluntary) 
[   24.593784] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   24.593799] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.593822] Call Trace:
[   24.593834]  <TASK>
[   24.593854]  dump_stack_lvl+0x73/0xb0
[   24.593889]  print_report+0xd1/0x610
[   24.593911]  ? __virt_addr_valid+0x1db/0x2d0
[   24.593935]  ? kmalloc_uaf2+0x4a8/0x520
[   24.594466]  ? kasan_complete_mode_report_info+0x64/0x200
[   24.594493]  ? kmalloc_uaf2+0x4a8/0x520
[   24.594513]  kasan_report+0x141/0x180
[   24.594535]  ? kmalloc_uaf2+0x4a8/0x520
[   24.594558]  __asan_report_load1_noabort+0x18/0x20
[   24.594581]  kmalloc_uaf2+0x4a8/0x520
[   24.594601]  ? __pfx_kmalloc_uaf2+0x10/0x10
[   24.594620]  ? finish_task_switch.isra.0+0x153/0x700
[   24.594644]  ? __switch_to+0x47/0xf80
[   24.594686]  ? __schedule+0x10cc/0x2b60
[   24.594709]  ? __pfx_read_tsc+0x10/0x10
[   24.594730]  ? ktime_get_ts64+0x86/0x230
[   24.594766]  kunit_try_run_case+0x1a5/0x480
[   24.594790]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.594809]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.594832]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.594855]  ? __kthread_parkme+0x82/0x180
[   24.594876]  ? preempt_count_sub+0x50/0x80
[   24.594898]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.594919]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.594957]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.594981]  kthread+0x337/0x6f0
[   24.595000]  ? trace_preempt_on+0x20/0xc0
[   24.595024]  ? __pfx_kthread+0x10/0x10
[   24.595044]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.595065]  ? calculate_sigpending+0x7b/0xa0
[   24.595088]  ? __pfx_kthread+0x10/0x10
[   24.595109]  ret_from_fork+0x116/0x1d0
[   24.595128]  ? __pfx_kthread+0x10/0x10
[   24.595148]  ret_from_fork_asm+0x1a/0x30
[   24.595179]  </TASK>
[   24.595192] 
[   24.608251] Allocated by task 237:
[   24.608468]  kasan_save_stack+0x45/0x70
[   24.609116]  kasan_save_track+0x18/0x40
[   24.609371]  kasan_save_alloc_info+0x3b/0x50
[   24.609558]  __kasan_kmalloc+0xb7/0xc0
[   24.609751]  __kmalloc_cache_noprof+0x189/0x420
[   24.609984]  kmalloc_uaf2+0xc6/0x520
[   24.610386]  kunit_try_run_case+0x1a5/0x480
[   24.610643]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.610893]  kthread+0x337/0x6f0
[   24.611207]  ret_from_fork+0x116/0x1d0
[   24.611502]  ret_from_fork_asm+0x1a/0x30
[   24.611706] 
[   24.611791] Freed by task 237:
[   24.611995]  kasan_save_stack+0x45/0x70
[   24.612248]  kasan_save_track+0x18/0x40
[   24.612437]  kasan_save_free_info+0x3f/0x60
[   24.612649]  __kasan_slab_free+0x56/0x70
[   24.612871]  kfree+0x222/0x3f0
[   24.613054]  kmalloc_uaf2+0x14c/0x520
[   24.613349]  kunit_try_run_case+0x1a5/0x480
[   24.613553]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.613736]  kthread+0x337/0x6f0
[   24.613895]  ret_from_fork+0x116/0x1d0
[   24.614357]  ret_from_fork_asm+0x1a/0x30
[   24.614514] 
[   24.614578] The buggy address belongs to the object at ffff888103eaa280
[   24.614578]  which belongs to the cache kmalloc-64 of size 64
[   24.615331] The buggy address is located 40 bytes inside of
[   24.615331]  freed 64-byte region [ffff888103eaa280, ffff888103eaa2c0)
[   24.615810] 
[   24.615914] The buggy address belongs to the physical page:
[   24.616229] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103eaa
[   24.616552] flags: 0x200000000000000(node=0|zone=2)
[   24.616789] page_type: f5(slab)
[   24.617066] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   24.617389] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   24.617603] page dumped because: kasan: bad access detected
[   24.617994] 
[   24.618161] Memory state around the buggy address:
[   24.618396]  ffff888103eaa180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   24.618620]  ffff888103eaa200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   24.619380] >ffff888103eaa280: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   24.619672]                                   ^
[   24.619862]  ffff888103eaa300: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   24.620317]  ffff888103eaa380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.620598] ==================================================================