Date
July 15, 2025, 11:35 a.m.
| Environment | |
|---|---|
| e850-96 | |
| qemu-arm64 | |
| qemu-x86_64 |
[ 46.145603] ================================================================== [ 46.155489] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338 [ 46.161996] Read of size 1 at addr ffff000802754728 by task kunit_try_catch/265 [ 46.169287] [ 46.170774] CPU: 3 UID: 0 PID: 265 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT [ 46.170827] Tainted: [B]=BAD_PAGE, [N]=TEST [ 46.170845] Hardware name: WinLink E850-96 board (DT) [ 46.170869] Call trace: [ 46.170884] show_stack+0x20/0x38 (C) [ 46.170920] dump_stack_lvl+0x8c/0xd0 [ 46.170957] print_report+0x118/0x5d0 [ 46.170986] kasan_report+0xdc/0x128 [ 46.171014] __asan_report_load1_noabort+0x20/0x30 [ 46.171046] kmalloc_uaf+0x300/0x338 [ 46.171076] kunit_try_run_case+0x170/0x3f0 [ 46.171107] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 46.171143] kthread+0x328/0x630 [ 46.171171] ret_from_fork+0x10/0x20 [ 46.171208] [ 46.234218] Allocated by task 265: [ 46.237606] kasan_save_stack+0x3c/0x68 [ 46.241421] kasan_save_track+0x20/0x40 [ 46.245242] kasan_save_alloc_info+0x40/0x58 [ 46.249494] __kasan_kmalloc+0xd4/0xd8 [ 46.253227] __kmalloc_cache_noprof+0x16c/0x3c0 [ 46.257740] kmalloc_uaf+0xb8/0x338 [ 46.261212] kunit_try_run_case+0x170/0x3f0 [ 46.265379] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 46.270848] kthread+0x328/0x630 [ 46.274059] ret_from_fork+0x10/0x20 [ 46.277618] [ 46.279095] Freed by task 265: [ 46.282132] kasan_save_stack+0x3c/0x68 [ 46.285952] kasan_save_track+0x20/0x40 [ 46.289771] kasan_save_free_info+0x4c/0x78 [ 46.293938] __kasan_slab_free+0x6c/0x98 [ 46.297844] kfree+0x214/0x3c8 [ 46.300882] kmalloc_uaf+0x11c/0x338 [ 46.304441] kunit_try_run_case+0x170/0x3f0 [ 46.308608] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 46.314076] kthread+0x328/0x630 [ 46.317288] ret_from_fork+0x10/0x20 [ 46.320847] [ 46.322326] The buggy address belongs to the object at ffff000802754720 [ 46.322326] which belongs to the cache kmalloc-16 of size 16 [ 46.334652] The buggy address is located 8 bytes inside of [ 46.334652] freed 16-byte region [ffff000802754720, ffff000802754730) [ 46.346628] [ 46.348106] The buggy address belongs to the physical page: [ 46.353663] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x882754 [ 46.361647] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 46.368156] page_type: f5(slab) [ 46.371293] raw: 0bfffe0000000000 ffff000800002640 dead000000000122 0000000000000000 [ 46.379013] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 46.386734] page dumped because: kasan: bad access detected [ 46.392287] [ 46.393762] Memory state around the buggy address: [ 46.398543] ffff000802754600: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 46.405745] ffff000802754680: fa fb fc fc fa fb fc fc fa fb fc fc 00 05 fc fc [ 46.412950] >ffff000802754700: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc [ 46.420151] ^ [ 46.424668] ffff000802754780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 46.431875] ffff000802754800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 46.439076] ==================================================================
[ 30.680644] ================================================================== [ 30.680733] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338 [ 30.680784] Read of size 1 at addr fff00000c648e3c8 by task kunit_try_catch/216 [ 30.680851] [ 30.680898] CPU: 0 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT [ 30.680983] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.681010] Hardware name: linux,dummy-virt (DT) [ 30.681040] Call trace: [ 30.681060] show_stack+0x20/0x38 (C) [ 30.681108] dump_stack_lvl+0x8c/0xd0 [ 30.681172] print_report+0x118/0x5d0 [ 30.681318] kasan_report+0xdc/0x128 [ 30.681374] __asan_report_load1_noabort+0x20/0x30 [ 30.681673] kmalloc_uaf+0x300/0x338 [ 30.681856] kunit_try_run_case+0x170/0x3f0 [ 30.681992] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.682079] kthread+0x328/0x630 [ 30.682143] ret_from_fork+0x10/0x20 [ 30.682192] [ 30.682210] Allocated by task 216: [ 30.682239] kasan_save_stack+0x3c/0x68 [ 30.682281] kasan_save_track+0x20/0x40 [ 30.682321] kasan_save_alloc_info+0x40/0x58 [ 30.682834] __kasan_kmalloc+0xd4/0xd8 [ 30.682913] __kmalloc_cache_noprof+0x16c/0x3c0 [ 30.683002] kmalloc_uaf+0xb8/0x338 [ 30.683153] kunit_try_run_case+0x170/0x3f0 [ 30.683248] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.683369] kthread+0x328/0x630 [ 30.683457] ret_from_fork+0x10/0x20 [ 30.683542] [ 30.683562] Freed by task 216: [ 30.683589] kasan_save_stack+0x3c/0x68 [ 30.683664] kasan_save_track+0x20/0x40 [ 30.683990] kasan_save_free_info+0x4c/0x78 [ 30.684100] __kasan_slab_free+0x6c/0x98 [ 30.684193] kfree+0x214/0x3c8 [ 30.684319] kmalloc_uaf+0x11c/0x338 [ 30.684621] kunit_try_run_case+0x170/0x3f0 [ 30.684744] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.684864] kthread+0x328/0x630 [ 30.684940] ret_from_fork+0x10/0x20 [ 30.685077] [ 30.685195] The buggy address belongs to the object at fff00000c648e3c0 [ 30.685195] which belongs to the cache kmalloc-16 of size 16 [ 30.685311] The buggy address is located 8 bytes inside of [ 30.685311] freed 16-byte region [fff00000c648e3c0, fff00000c648e3d0) [ 30.685371] [ 30.685671] The buggy address belongs to the physical page: [ 30.685784] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10648e [ 30.685867] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 30.685932] page_type: f5(slab) [ 30.685969] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000 [ 30.686046] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 30.686086] page dumped because: kasan: bad access detected [ 30.686147] [ 30.686165] Memory state around the buggy address: [ 30.686198] fff00000c648e280: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 30.686240] fff00000c648e300: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 30.686282] >fff00000c648e380: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc [ 30.686412] ^ [ 30.686644] fff00000c648e400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.686764] fff00000c648e480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.686886] ==================================================================
[ 24.293806] ================================================================== [ 24.294438] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380 [ 24.295057] Read of size 1 at addr ffff8881058f7168 by task kunit_try_catch/232 [ 24.295338] [ 24.295510] CPU: 0 UID: 0 PID: 232 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT(voluntary) [ 24.295804] Tainted: [B]=BAD_PAGE, [N]=TEST [ 24.295823] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 24.296041] Call Trace: [ 24.296074] <TASK> [ 24.296096] dump_stack_lvl+0x73/0xb0 [ 24.296136] print_report+0xd1/0x610 [ 24.296164] ? __virt_addr_valid+0x1db/0x2d0 [ 24.296193] ? kmalloc_uaf+0x320/0x380 [ 24.296217] ? kasan_complete_mode_report_info+0x64/0x200 [ 24.296248] ? kmalloc_uaf+0x320/0x380 [ 24.296274] kasan_report+0x141/0x180 [ 24.296301] ? kmalloc_uaf+0x320/0x380 [ 24.296332] __asan_report_load1_noabort+0x18/0x20 [ 24.296360] kmalloc_uaf+0x320/0x380 [ 24.296385] ? __pfx_kmalloc_uaf+0x10/0x10 [ 24.296410] ? __schedule+0x10cc/0x2b60 [ 24.296437] ? __pfx_read_tsc+0x10/0x10 [ 24.296463] ? ktime_get_ts64+0x86/0x230 [ 24.296494] kunit_try_run_case+0x1a5/0x480 [ 24.296532] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.296558] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 24.296599] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 24.296626] ? __kthread_parkme+0x82/0x180 [ 24.296665] ? preempt_count_sub+0x50/0x80 [ 24.296697] ? __pfx_kunit_try_run_case+0x10/0x10 [ 24.296725] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.296756] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 24.296786] kthread+0x337/0x6f0 [ 24.296811] ? trace_preempt_on+0x20/0xc0 [ 24.296840] ? __pfx_kthread+0x10/0x10 [ 24.296865] ? _raw_spin_unlock_irq+0x47/0x80 [ 24.296894] ? calculate_sigpending+0x7b/0xa0 [ 24.296923] ? __pfx_kthread+0x10/0x10 [ 24.296950] ret_from_fork+0x116/0x1d0 [ 24.296973] ? __pfx_kthread+0x10/0x10 [ 24.296998] ret_from_fork_asm+0x1a/0x30 [ 24.297038] </TASK> [ 24.297051] [ 24.307764] Allocated by task 232: [ 24.307951] kasan_save_stack+0x45/0x70 [ 24.308163] kasan_save_track+0x18/0x40 [ 24.308359] kasan_save_alloc_info+0x3b/0x50 [ 24.308688] __kasan_kmalloc+0xb7/0xc0 [ 24.308870] __kmalloc_cache_noprof+0x189/0x420 [ 24.309106] kmalloc_uaf+0xaa/0x380 [ 24.309233] kunit_try_run_case+0x1a5/0x480 [ 24.309376] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.309653] kthread+0x337/0x6f0 [ 24.309999] ret_from_fork+0x116/0x1d0 [ 24.310233] ret_from_fork_asm+0x1a/0x30 [ 24.310436] [ 24.310510] Freed by task 232: [ 24.310642] kasan_save_stack+0x45/0x70 [ 24.310859] kasan_save_track+0x18/0x40 [ 24.311158] kasan_save_free_info+0x3f/0x60 [ 24.311373] __kasan_slab_free+0x56/0x70 [ 24.311560] kfree+0x222/0x3f0 [ 24.311818] kmalloc_uaf+0x12c/0x380 [ 24.311978] kunit_try_run_case+0x1a5/0x480 [ 24.312184] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 24.312419] kthread+0x337/0x6f0 [ 24.312623] ret_from_fork+0x116/0x1d0 [ 24.312847] ret_from_fork_asm+0x1a/0x30 [ 24.313054] [ 24.313146] The buggy address belongs to the object at ffff8881058f7160 [ 24.313146] which belongs to the cache kmalloc-16 of size 16 [ 24.313528] The buggy address is located 8 bytes inside of [ 24.313528] freed 16-byte region [ffff8881058f7160, ffff8881058f7170) [ 24.314115] [ 24.314208] The buggy address belongs to the physical page: [ 24.314453] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058f7 [ 24.315110] flags: 0x200000000000000(node=0|zone=2) [ 24.315374] page_type: f5(slab) [ 24.315558] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 24.315791] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 24.316088] page dumped because: kasan: bad access detected [ 24.316443] [ 24.316566] Memory state around the buggy address: [ 24.316927] ffff8881058f7000: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 24.317244] ffff8881058f7080: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 24.317540] >ffff8881058f7100: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 24.317935] ^ [ 24.318245] ffff8881058f7180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.318544] ffff8881058f7200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 24.319063] ==================================================================