Date: July 17, 2025, 10:12 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
```text
[ 29.683382] ==================================================================
[ 29.683446] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x170/0x310
[ 29.683503] Write of size 33 at addr fff00000c9b1c980 by task kunit_try_catch/217
[ 29.683554]
[ 29.683586] CPU: 1 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250717 #1 PREEMPT
[ 29.683671] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 29.683716] Hardware name: linux,dummy-virt (DT)
[ 29.683764] Call trace:
[ 29.683788] show_stack+0x20/0x38 (C)
[ 29.683838] dump_stack_lvl+0x8c/0xd0
[ 29.683918] print_report+0x118/0x5d0
[ 29.683964] kasan_report+0xdc/0x128
[ 29.684008] kasan_check_range+0x100/0x1a8
[ 29.684065] __asan_memset+0x34/0x78
[ 29.684119] kmalloc_uaf_memset+0x170/0x310
[ 29.684168] kunit_try_run_case+0x170/0x3f0
[ 29.684217] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.684269] kthread+0x328/0x630
[ 29.684311] ret_from_fork+0x10/0x20
[ 29.684363]
[ 29.685219] Allocated by task 217:
[ 29.685286] kasan_save_stack+0x3c/0x68
[ 29.685428] kasan_save_track+0x20/0x40
[ 29.685526] kasan_save_alloc_info+0x40/0x58
[ 29.685691] __kasan_kmalloc+0xd4/0xd8
[ 29.685778] __kmalloc_cache_noprof+0x16c/0x3c0
[ 29.685920] kmalloc_uaf_memset+0xb8/0x310
[ 29.685959] kunit_try_run_case+0x170/0x3f0
[ 29.686202] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.686529] kthread+0x328/0x630
[ 29.686597] ret_from_fork+0x10/0x20
[ 29.686722]
[ 29.686784] Freed by task 217:
[ 29.686843] kasan_save_stack+0x3c/0x68
[ 29.687318] kasan_save_track+0x20/0x40
[ 29.687403] kasan_save_free_info+0x4c/0x78
[ 29.687537] __kasan_slab_free+0x6c/0x98
[ 29.687597] kfree+0x214/0x3c8
[ 29.687645] kmalloc_uaf_memset+0x11c/0x310
[ 29.687750] kunit_try_run_case+0x170/0x3f0
[ 29.687789] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.690709] kthread+0x328/0x630
[ 29.691118] ret_from_fork+0x10/0x20
[ 29.691268]
[ 29.691368] The buggy address belongs to the object at fff00000c9b1c980
[ 29.691368] which belongs to the cache kmalloc-64 of size 64
[ 29.692857] The buggy address is located 0 bytes inside of
[ 29.692857] freed 64-byte region [fff00000c9b1c980, fff00000c9b1c9c0)
[ 29.694575]
[ 29.694615] The buggy address belongs to the physical page:
[ 29.694651] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b1c
[ 29.696629] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 29.697095] page_type: f5(slab)
[ 29.697365] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 29.699508] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 29.699769] page dumped because: kasan: bad access detected
[ 29.700728]
[ 29.700770] Memory state around the buggy address:
[ 29.700809] fff00000c9b1c880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.700855] fff00000c9b1c900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.701183] >fff00000c9b1c980: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.701428] ^
[ 29.701464] fff00000c9b1ca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.701904] fff00000c9b1ca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.701952] ==================================================================
```
```text
[ 25.917689] ==================================================================
[ 25.918130] BUG: KASAN: slab-use-after-free in kmalloc_uaf_memset+0x1a3/0x360
[ 25.919311] Write of size 33 at addr ffff888106086680 by task kunit_try_catch/235
[ 25.919628]
[ 25.919742] CPU: 1 UID: 0 PID: 235 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250717 #1 PREEMPT(voluntary)
[ 25.919792] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.919803] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.919824] Call Trace:
[ 25.919838] <TASK>
[ 25.919855] dump_stack_lvl+0x73/0xb0
[ 25.919887] print_report+0xd1/0x610
[ 25.919908] ? __virt_addr_valid+0x1db/0x2d0
[ 25.919932] ? kmalloc_uaf_memset+0x1a3/0x360
[ 25.919952] ? kasan_complete_mode_report_info+0x64/0x200
[ 25.919976] ? kmalloc_uaf_memset+0x1a3/0x360
[ 25.919997] kasan_report+0x141/0x180
[ 25.920018] ? kmalloc_uaf_memset+0x1a3/0x360
[ 25.920043] kasan_check_range+0x10c/0x1c0
[ 25.920065] __asan_memset+0x27/0x50
[ 25.920098] kmalloc_uaf_memset+0x1a3/0x360
[ 25.920118] ? __pfx_kmalloc_uaf_memset+0x10/0x10
[ 25.920140] ? __schedule+0x10c6/0x2b60
[ 25.920162] ? __pfx_read_tsc+0x10/0x10
[ 25.920182] ? ktime_get_ts64+0x86/0x230
[ 25.920219] kunit_try_run_case+0x1a5/0x480
[ 25.920242] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.920263] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 25.920294] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.920317] ? __kthread_parkme+0x82/0x180
[ 25.920357] ? preempt_count_sub+0x50/0x80
[ 25.920380] ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.920405] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.920431] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.920458] kthread+0x337/0x6f0
[ 25.920480] ? trace_preempt_on+0x20/0xc0
[ 25.920506] ? __pfx_kthread+0x10/0x10
[ 25.920527] ? _raw_spin_unlock_irq+0x47/0x80
[ 25.920551] ? calculate_sigpending+0x7b/0xa0
[ 25.920577] ? __pfx_kthread+0x10/0x10
[ 25.920601] ret_from_fork+0x116/0x1d0
[ 25.920621] ? __pfx_kthread+0x10/0x10
[ 25.920645] ret_from_fork_asm+0x1a/0x30
[ 25.920677] </TASK>
[ 25.920688]
[ 25.931876] Allocated by task 235:
[ 25.932445] kasan_save_stack+0x45/0x70
[ 25.933285] kasan_save_track+0x18/0x40
[ 25.935332] kasan_save_alloc_info+0x3b/0x50
[ 25.935494] __kasan_kmalloc+0xb7/0xc0
[ 25.935621] __kmalloc_cache_noprof+0x189/0x420
[ 25.935767] kmalloc_uaf_memset+0xa9/0x360
[ 25.935899] kunit_try_run_case+0x1a5/0x480
[ 25.936034] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.936226] kthread+0x337/0x6f0
[ 25.936345] ret_from_fork+0x116/0x1d0
[ 25.936496] ret_from_fork_asm+0x1a/0x30
[ 25.937466]
[ 25.937574] Freed by task 235:
[ 25.937726] kasan_save_stack+0x45/0x70
[ 25.937915] kasan_save_track+0x18/0x40
[ 25.940567] kasan_save_free_info+0x3f/0x60
[ 25.941312] __kasan_slab_free+0x56/0x70
[ 25.942851] kfree+0x222/0x3f0
[ 25.943392] kmalloc_uaf_memset+0x12b/0x360
[ 25.943942] kunit_try_run_case+0x1a5/0x480
[ 25.944394] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.944635] kthread+0x337/0x6f0
[ 25.944784] ret_from_fork+0x116/0x1d0
[ 25.944949] ret_from_fork_asm+0x1a/0x30
[ 25.945131]
[ 25.945209] The buggy address belongs to the object at ffff888106086680
[ 25.945209] which belongs to the cache kmalloc-64 of size 64
[ 25.949777] The buggy address is located 0 bytes inside of
[ 25.949777] freed 64-byte region [ffff888106086680, ffff8881060866c0)
[ 25.950459]
[ 25.950530] The buggy address belongs to the physical page:
[ 25.950695] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106086
[ 25.952196] flags: 0x200000000000000(node=0|zone=2)
[ 25.952652] page_type: f5(slab)
[ 25.952940] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 25.953581] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 25.955681] page dumped because: kasan: bad access detected
[ 25.956737]
[ 25.957227] Memory state around the buggy address:
[ 25.958874] ffff888106086580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.959499] ffff888106086600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.959712] >ffff888106086680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.959915] ^
[ 25.960023] ffff888106086700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.961488] ffff888106086780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.962407] ==================================================================
```