Date
July 17, 2025, 10:12 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
```
[ 29.713657] ==================================================================
[ 29.713720] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[ 29.713779] Read of size 1 at addr fff00000c9b1cb28 by task kunit_try_catch/219
[ 29.713850]
[ 29.713886] CPU: 1 UID: 0 PID: 219 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250717 #1 PREEMPT
[ 29.713980] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 29.714008] Hardware name: linux,dummy-virt (DT)
[ 29.714040] Call trace:
[ 29.714434]  show_stack+0x20/0x38 (C)
[ 29.714531]  dump_stack_lvl+0x8c/0xd0
[ 29.714938]  print_report+0x118/0x5d0
[ 29.715332]  kasan_report+0xdc/0x128
[ 29.715651]  __asan_report_load1_noabort+0x20/0x30
[ 29.715732]  kmalloc_uaf2+0x3f4/0x468
[ 29.715833]  kunit_try_run_case+0x170/0x3f0
[ 29.715889]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.715942]  kthread+0x328/0x630
[ 29.716091]  ret_from_fork+0x10/0x20
[ 29.716163]
[ 29.716188] Allocated by task 219:
[ 29.716367]  kasan_save_stack+0x3c/0x68
[ 29.716586]  kasan_save_track+0x20/0x40
[ 29.716708]  kasan_save_alloc_info+0x40/0x58
[ 29.716798]  __kasan_kmalloc+0xd4/0xd8
[ 29.716971]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 29.717026]  kmalloc_uaf2+0xc4/0x468
[ 29.717226]  kunit_try_run_case+0x170/0x3f0
[ 29.717400]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.717452]  kthread+0x328/0x630
[ 29.717484]  ret_from_fork+0x10/0x20
[ 29.717697]
[ 29.717905] Freed by task 219:
[ 29.718026]  kasan_save_stack+0x3c/0x68
[ 29.718158]  kasan_save_track+0x20/0x40
[ 29.718220]  kasan_save_free_info+0x4c/0x78
[ 29.718258]  __kasan_slab_free+0x6c/0x98
[ 29.718318]  kfree+0x214/0x3c8
[ 29.718774]  kmalloc_uaf2+0x134/0x468
[ 29.718874]  kunit_try_run_case+0x170/0x3f0
[ 29.718953]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.719105]  kthread+0x328/0x630
[ 29.719177]  ret_from_fork+0x10/0x20
[ 29.719358]
[ 29.719557] The buggy address belongs to the object at fff00000c9b1cb00
[ 29.719557]  which belongs to the cache kmalloc-64 of size 64
[ 29.719655] The buggy address is located 40 bytes inside of
[ 29.719655]  freed 64-byte region [fff00000c9b1cb00, fff00000c9b1cb40)
[ 29.719803]
[ 29.719879] The buggy address belongs to the physical page:
[ 29.719957] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b1c
[ 29.720050] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 29.720191] page_type: f5(slab)
[ 29.720385] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 29.720645] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 29.720700] page dumped because: kasan: bad access detected
[ 29.720838]
[ 29.720915] Memory state around the buggy address:
[ 29.721034]  fff00000c9b1ca00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.721101]  fff00000c9b1ca80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.721151] >fff00000c9b1cb00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.721189]                                   ^
[ 29.721219]  fff00000c9b1cb80: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 29.721397]  fff00000c9b1cc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.721620] ==================================================================
```
```
[ 25.968949] ==================================================================
[ 25.969493] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4a8/0x520
[ 25.969813] Read of size 1 at addr ffff8881061782a8 by task kunit_try_catch/237
[ 25.970287]
[ 25.970462] CPU: 0 UID: 0 PID: 237 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250717 #1 PREEMPT(voluntary)
[ 25.970523] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.970535] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.970556] Call Trace:
[ 25.970568]  <TASK>
[ 25.970586]  dump_stack_lvl+0x73/0xb0
[ 25.970616]  print_report+0xd1/0x610
[ 25.970637]  ? __virt_addr_valid+0x1db/0x2d0
[ 25.970660]  ? kmalloc_uaf2+0x4a8/0x520
[ 25.970683]  ? kasan_complete_mode_report_info+0x64/0x200
[ 25.970708]  ? kmalloc_uaf2+0x4a8/0x520
[ 25.970727]  kasan_report+0x141/0x180
[ 25.970748]  ? kmalloc_uaf2+0x4a8/0x520
[ 25.970772]  __asan_report_load1_noabort+0x18/0x20
[ 25.970819]  kmalloc_uaf2+0x4a8/0x520
[ 25.970839]  ? __pfx_kmalloc_uaf2+0x10/0x10
[ 25.970857]  ? finish_task_switch.isra.0+0x153/0x700
[ 25.970879]  ? __switch_to+0x47/0xf80
[ 25.970905]  ? __schedule+0x10c6/0x2b60
[ 25.970927]  ? __pfx_read_tsc+0x10/0x10
[ 25.970948]  ? ktime_get_ts64+0x86/0x230
[ 25.970972]  kunit_try_run_case+0x1a5/0x480
[ 25.970996]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.971017]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 25.971039]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.971061]  ? __kthread_parkme+0x82/0x180
[ 25.971096]  ? preempt_count_sub+0x50/0x80
[ 25.971117]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.971140]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.971161]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.971183]  kthread+0x337/0x6f0
[ 25.971202]  ? trace_preempt_on+0x20/0xc0
[ 25.971232]  ? __pfx_kthread+0x10/0x10
[ 25.971253]  ? _raw_spin_unlock_irq+0x47/0x80
[ 25.971274]  ? calculate_sigpending+0x7b/0xa0
[ 25.971297]  ? __pfx_kthread+0x10/0x10
[ 25.971318]  ret_from_fork+0x116/0x1d0
[ 25.971336]  ? __pfx_kthread+0x10/0x10
[ 25.971355]  ret_from_fork_asm+0x1a/0x30
[ 25.971386]  </TASK>
[ 25.971396]
[ 25.979473] Allocated by task 237:
[ 25.979601]  kasan_save_stack+0x45/0x70
[ 25.979741]  kasan_save_track+0x18/0x40
[ 25.979876]  kasan_save_alloc_info+0x3b/0x50
[ 25.980254]  __kasan_kmalloc+0xb7/0xc0
[ 25.980624]  __kmalloc_cache_noprof+0x189/0x420
[ 25.980835]  kmalloc_uaf2+0xc6/0x520
[ 25.980995]  kunit_try_run_case+0x1a5/0x480
[ 25.981191]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.982744]  kthread+0x337/0x6f0
[ 25.982938]  ret_from_fork+0x116/0x1d0
[ 25.983141]  ret_from_fork_asm+0x1a/0x30
[ 25.983450]
[ 25.983520] Freed by task 237:
[ 25.983625]  kasan_save_stack+0x45/0x70
[ 25.984328]  kasan_save_track+0x18/0x40
[ 25.984527]  kasan_save_free_info+0x3f/0x60
[ 25.984733]  __kasan_slab_free+0x56/0x70
[ 25.984923]  kfree+0x222/0x3f0
[ 25.985101]  kmalloc_uaf2+0x14c/0x520
[ 25.985300]  kunit_try_run_case+0x1a5/0x480
[ 25.985489]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.985727]  kthread+0x337/0x6f0
[ 25.985889]  ret_from_fork+0x116/0x1d0
[ 25.986045]  ret_from_fork_asm+0x1a/0x30
[ 25.986305]
[ 25.986385] The buggy address belongs to the object at ffff888106178280
[ 25.986385]  which belongs to the cache kmalloc-64 of size 64
[ 25.986860] The buggy address is located 40 bytes inside of
[ 25.986860]  freed 64-byte region [ffff888106178280, ffff8881061782c0)
[ 25.987418]
[ 25.987495] The buggy address belongs to the physical page:
[ 25.987742] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106178
[ 25.988052] flags: 0x200000000000000(node=0|zone=2)
[ 25.988238] page_type: f5(slab)
[ 25.988453] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 25.988787] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 25.989040] page dumped because: kasan: bad access detected
[ 25.989217]
[ 25.989280] Memory state around the buggy address:
[ 25.989562]  ffff888106178180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.989838]  ffff888106178200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.990141] >ffff888106178280: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.990352]                                   ^
[ 25.990493]  ffff888106178300: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 25.990701]  ffff888106178380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.991010] ==================================================================
```