Date
July 15, 2025, 11:35 a.m.
| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
```text
[ 46.447763] ==================================================================
[ 46.456789] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[ 46.463903] Write of size 33 at addr ffff00080851b000 by task kunit_try_catch/267
[ 46.471367]
[ 46.472852] CPU: 2 UID: 0 PID: 267 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT
[ 46.472907] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 46.472925] Hardware name: WinLink E850-96 board (DT)
[ 46.472946] Call trace:
[ 46.472959]  show_stack+0x20/0x38 (C)
[ 46.472992]  dump_stack_lvl+0x8c/0xd0
[ 46.473027]  print_report+0x118/0x5d0
[ 46.473058]  kasan_report+0xdc/0x128
[ 46.473085]  kasan_check_range+0x100/0x1a8
[ 46.473114]  __asan_memset+0x34/0x78
[ 46.473142]  kmalloc_uaf_memset+0x170/0x310
[ 46.473172]  kunit_try_run_case+0x170/0x3f0
[ 46.473203]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 46.473237]  kthread+0x328/0x630
[ 46.473270]  ret_from_fork+0x10/0x20
[ 46.473302]
[ 46.539768] Allocated by task 267:
[ 46.543156]  kasan_save_stack+0x3c/0x68
[ 46.546972]  kasan_save_track+0x20/0x40
[ 46.550791]  kasan_save_alloc_info+0x40/0x58
[ 46.555045]  __kasan_kmalloc+0xd4/0xd8
[ 46.558777]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 46.563291]  kmalloc_uaf_memset+0xb8/0x310
[ 46.567371]  kunit_try_run_case+0x170/0x3f0
[ 46.571538]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 46.577006]  kthread+0x328/0x630
[ 46.580218]  ret_from_fork+0x10/0x20
[ 46.583777]
[ 46.585252] Freed by task 267:
[ 46.588292]  kasan_save_stack+0x3c/0x68
[ 46.592110]  kasan_save_track+0x20/0x40
[ 46.595930]  kasan_save_free_info+0x4c/0x78
[ 46.600096]  __kasan_slab_free+0x6c/0x98
[ 46.604003]  kfree+0x214/0x3c8
[ 46.607040]  kmalloc_uaf_memset+0x11c/0x310
[ 46.611207]  kunit_try_run_case+0x170/0x3f0
[ 46.615374]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 46.620844]  kthread+0x328/0x630
[ 46.624054]  ret_from_fork+0x10/0x20
[ 46.627613]
[ 46.629089] The buggy address belongs to the object at ffff00080851b000
[ 46.629089]  which belongs to the cache kmalloc-64 of size 64
[ 46.641418] The buggy address is located 0 bytes inside of
[ 46.641418]  freed 64-byte region [ffff00080851b000, ffff00080851b040)
[ 46.653394]
[ 46.654873] The buggy address belongs to the physical page:
[ 46.660429] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x88851b
[ 46.668415] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 46.674923] page_type: f5(slab)
[ 46.678060] raw: 0bfffe0000000000 ffff0008000028c0 dead000000000122 0000000000000000
[ 46.685779] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 46.693501] page dumped because: kasan: bad access detected
[ 46.699054]
[ 46.700528] Memory state around the buggy address:
[ 46.705310]  ffff00080851af00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 46.712513]  ffff00080851af80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 46.719718] >ffff00080851b000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 46.726917]                    ^
[ 46.730133]  ffff00080851b080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.737337]  ffff00080851b100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.744540] ==================================================================
```
```text
[ 30.693704] ==================================================================
[ 30.693784] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[ 30.693837] Write of size 33 at addr fff00000c6503680 by task kunit_try_catch/218
[ 30.693994]
[ 30.694149] CPU: 0 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT
[ 30.694246] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.694273] Hardware name: linux,dummy-virt (DT)
[ 30.694303] Call trace:
[ 30.694326]  show_stack+0x20/0x38 (C)
[ 30.694520]  dump_stack_lvl+0x8c/0xd0
[ 30.694651]  print_report+0x118/0x5d0
[ 30.694786]  kasan_report+0xdc/0x128
[ 30.694906]  kasan_check_range+0x100/0x1a8
[ 30.695001]  __asan_memset+0x34/0x78
[ 30.695097]  kmalloc_uaf_memset+0x170/0x310
[ 30.695191]  kunit_try_run_case+0x170/0x3f0
[ 30.695239]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.695528]  kthread+0x328/0x630
[ 30.695662]  ret_from_fork+0x10/0x20
[ 30.695717]
[ 30.695872] Allocated by task 218:
[ 30.695944]  kasan_save_stack+0x3c/0x68
[ 30.695991]  kasan_save_track+0x20/0x40
[ 30.696032]  kasan_save_alloc_info+0x40/0x58
[ 30.696129]  __kasan_kmalloc+0xd4/0xd8
[ 30.696171]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.696212]  kmalloc_uaf_memset+0xb8/0x310
[ 30.696279]  kunit_try_run_case+0x170/0x3f0
[ 30.696317]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.696358]  kthread+0x328/0x630
[ 30.696404]  ret_from_fork+0x10/0x20
[ 30.696453]
[ 30.696473] Freed by task 218:
[ 30.696532]  kasan_save_stack+0x3c/0x68
[ 30.696914]  kasan_save_track+0x20/0x40
[ 30.697112]  kasan_save_free_info+0x4c/0x78
[ 30.697336]  __kasan_slab_free+0x6c/0x98
[ 30.697379]  kfree+0x214/0x3c8
[ 30.697453]  kmalloc_uaf_memset+0x11c/0x310
[ 30.697491]  kunit_try_run_case+0x170/0x3f0
[ 30.697528]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.697920]  kthread+0x328/0x630
[ 30.697974]  ret_from_fork+0x10/0x20
[ 30.698009]
[ 30.698029] The buggy address belongs to the object at fff00000c6503680
[ 30.698029]  which belongs to the cache kmalloc-64 of size 64
[ 30.698109] The buggy address is located 0 bytes inside of
[ 30.698109]  freed 64-byte region [fff00000c6503680, fff00000c65036c0)
[ 30.698286]
[ 30.698306] The buggy address belongs to the physical page:
[ 30.698396] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106503
[ 30.698551] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.698655] page_type: f5(slab)
[ 30.698711] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 30.698836] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 30.698875] page dumped because: kasan: bad access detected
[ 30.698905]
[ 30.698922] Memory state around the buggy address:
[ 30.698954]  fff00000c6503580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 30.699149]  fff00000c6503600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 30.699275] >fff00000c6503680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 30.699381]                    ^
[ 30.699961]  fff00000c6503700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.700010]  fff00000c6503780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.700049] ==================================================================
```
```text
[ 24.322503] ==================================================================
[ 24.323252] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a3/0x360
[ 24.323582] Write of size 33 at addr ffff8881055e1600 by task kunit_try_catch/234
[ 24.324067]
[ 24.324422] CPU: 1 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT(voluntary)
[ 24.324477] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.324490] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.324512] Call Trace:
[ 24.324543]  <TASK>
[ 24.324560]  dump_stack_lvl+0x73/0xb0
[ 24.324666]  print_report+0xd1/0x610
[ 24.324689]  ? __virt_addr_valid+0x1db/0x2d0
[ 24.324715]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 24.324736]  ? kasan_complete_mode_report_info+0x64/0x200
[ 24.324761]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 24.324792]  kasan_report+0x141/0x180
[ 24.324814]  ? kmalloc_uaf_memset+0x1a3/0x360
[ 24.324841]  kasan_check_range+0x10c/0x1c0
[ 24.324876]  __asan_memset+0x27/0x50
[ 24.324899]  kmalloc_uaf_memset+0x1a3/0x360
[ 24.324920]  ? __pfx_kmalloc_uaf_memset+0x10/0x10
[ 24.324942]  ? __schedule+0x10cc/0x2b60
[ 24.324964]  ? __pfx_read_tsc+0x10/0x10
[ 24.324986]  ? ktime_get_ts64+0x86/0x230
[ 24.325012]  kunit_try_run_case+0x1a5/0x480
[ 24.325036]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.325057]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 24.325079]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.325101]  ? __kthread_parkme+0x82/0x180
[ 24.325121]  ? preempt_count_sub+0x50/0x80
[ 24.325145]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.325167]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.325192]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.325218]  kthread+0x337/0x6f0
[ 24.325236]  ? trace_preempt_on+0x20/0xc0
[ 24.325261]  ? __pfx_kthread+0x10/0x10
[ 24.325281]  ? _raw_spin_unlock_irq+0x47/0x80
[ 24.325304]  ? calculate_sigpending+0x7b/0xa0
[ 24.325328]  ? __pfx_kthread+0x10/0x10
[ 24.325350]  ret_from_fork+0x116/0x1d0
[ 24.325368]  ? __pfx_kthread+0x10/0x10
[ 24.325388]  ret_from_fork_asm+0x1a/0x30
[ 24.325420]  </TASK>
[ 24.325432]
[ 24.333441] Allocated by task 234:
[ 24.333588]  kasan_save_stack+0x45/0x70
[ 24.333729]  kasan_save_track+0x18/0x40
[ 24.333860]  kasan_save_alloc_info+0x3b/0x50
[ 24.334099]  __kasan_kmalloc+0xb7/0xc0
[ 24.334281]  __kmalloc_cache_noprof+0x189/0x420
[ 24.334499]  kmalloc_uaf_memset+0xa9/0x360
[ 24.334702]  kunit_try_run_case+0x1a5/0x480
[ 24.334897]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.335070]  kthread+0x337/0x6f0
[ 24.335183]  ret_from_fork+0x116/0x1d0
[ 24.335308]  ret_from_fork_asm+0x1a/0x30
[ 24.336103]
[ 24.336204] Freed by task 234:
[ 24.336357]  kasan_save_stack+0x45/0x70
[ 24.336559]  kasan_save_track+0x18/0x40
[ 24.338441]  kasan_save_free_info+0x3f/0x60
[ 24.338610]  __kasan_slab_free+0x56/0x70
[ 24.338743]  kfree+0x222/0x3f0
[ 24.338853]  kmalloc_uaf_memset+0x12b/0x360
[ 24.338991]  kunit_try_run_case+0x1a5/0x480
[ 24.339155]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.339690]  kthread+0x337/0x6f0
[ 24.339954]  ret_from_fork+0x116/0x1d0
[ 24.340088]  ret_from_fork_asm+0x1a/0x30
[ 24.340298]
[ 24.340918] The buggy address belongs to the object at ffff8881055e1600
[ 24.340918]  which belongs to the cache kmalloc-64 of size 64
[ 24.341267] The buggy address is located 0 bytes inside of
[ 24.341267]  freed 64-byte region [ffff8881055e1600, ffff8881055e1640)
[ 24.341825]
[ 24.341926] The buggy address belongs to the physical page:
[ 24.342175] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1055e1
[ 24.342454] flags: 0x200000000000000(node=0|zone=2)
[ 24.342813] page_type: f5(slab)
[ 24.344416] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 24.344666] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 24.344885] page dumped because: kasan: bad access detected
[ 24.345053]
[ 24.345780] Memory state around the buggy address:
[ 24.346603]  ffff8881055e1500: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 24.346928]  ffff8881055e1580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 24.347967] >ffff8881055e1600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 24.348259]                    ^
[ 24.348379]  ffff8881055e1680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.348759]  ffff8881055e1700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.349105] ==================================================================
```