Date
July 22, 2025, 5:13 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 30.323418] ================================================================== [ 30.323658] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438 [ 30.323787] Read of size 16 at addr fff00000c7b7a900 by task kunit_try_catch/199 [ 30.323864] [ 30.324157] CPU: 1 UID: 0 PID: 199 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250722 #1 PREEMPT [ 30.324356] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 30.324392] Hardware name: linux,dummy-virt (DT) [ 30.324469] Call trace: [ 30.324494] show_stack+0x20/0x38 (C) [ 30.324582] dump_stack_lvl+0x8c/0xd0 [ 30.324728] print_report+0x118/0x5e8 [ 30.324796] kasan_report+0xdc/0x128 [ 30.325137] __asan_report_load16_noabort+0x20/0x30 [ 30.325212] kmalloc_uaf_16+0x3bc/0x438 [ 30.325338] kunit_try_run_case+0x170/0x3f0 [ 30.325498] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.325598] kthread+0x328/0x630 [ 30.325680] ret_from_fork+0x10/0x20 [ 30.325729] [ 30.326031] Allocated by task 199: [ 30.326224] kasan_save_stack+0x3c/0x68 [ 30.326386] kasan_save_track+0x20/0x40 [ 30.326498] kasan_save_alloc_info+0x40/0x58 [ 30.326574] __kasan_kmalloc+0xd4/0xd8 [ 30.326730] __kmalloc_cache_noprof+0x16c/0x3c0 [ 30.327141] kmalloc_uaf_16+0x140/0x438 [ 30.327216] kunit_try_run_case+0x170/0x3f0 [ 30.327336] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.327391] kthread+0x328/0x630 [ 30.327462] ret_from_fork+0x10/0x20 [ 30.327761] [ 30.327832] Freed by task 199: [ 30.327885] kasan_save_stack+0x3c/0x68 [ 30.327995] kasan_save_track+0x20/0x40 [ 30.328073] kasan_save_free_info+0x4c/0x78 [ 30.328176] __kasan_slab_free+0x6c/0x98 [ 30.328258] kfree+0x214/0x3c8 [ 30.328313] kmalloc_uaf_16+0x190/0x438 [ 30.328613] kunit_try_run_case+0x170/0x3f0 [ 30.328694] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.328768] kthread+0x328/0x630 [ 30.328887] ret_from_fork+0x10/0x20 [ 30.328976] [ 30.329029] The buggy address belongs to the object at fff00000c7b7a900 [ 30.329029] which belongs to the cache kmalloc-16 of size 16 [ 30.329155] The buggy address is located 0 bytes inside of [ 30.329155] freed 16-byte region [fff00000c7b7a900, fff00000c7b7a910) [ 30.329239] [ 30.329258] The buggy address belongs to the physical page: [ 30.329642] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107b7a [ 30.329757] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 30.329904] page_type: f5(slab) [ 30.329961] raw: 0bfffe0000000000 fff00000c0001640 dead000000000100 dead000000000122 [ 30.330056] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 30.330223] page dumped because: kasan: bad access detected [ 30.330313] [ 30.330331] Memory state around the buggy address: [ 30.330656] fff00000c7b7a800: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 30.330725] fff00000c7b7a880: fa fb fc fc 00 00 fc fc fa fb fc fc fa fb fc fc [ 30.330837] >fff00000c7b7a900: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.330876] ^ [ 30.331032] fff00000c7b7a980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.331267] fff00000c7b7aa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.331354] ==================================================================
[ 25.118223] ================================================================== [ 25.118782] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0 [ 25.119021] Read of size 16 at addr ffff888104919c20 by task kunit_try_catch/216 [ 25.119522] [ 25.119767] CPU: 0 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250722 #1 PREEMPT(voluntary) [ 25.119816] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.119838] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.119860] Call Trace: [ 25.119873] <TASK> [ 25.119888] dump_stack_lvl+0x73/0xb0 [ 25.119917] print_report+0xd1/0x640 [ 25.119940] ? __virt_addr_valid+0x1db/0x2d0 [ 25.119963] ? kmalloc_uaf_16+0x47b/0x4c0 [ 25.119984] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.120010] ? kmalloc_uaf_16+0x47b/0x4c0 [ 25.120031] kasan_report+0x141/0x180 [ 25.120053] ? kmalloc_uaf_16+0x47b/0x4c0 [ 25.120079] __asan_report_load16_noabort+0x18/0x20 [ 25.120103] kmalloc_uaf_16+0x47b/0x4c0 [ 25.120124] ? __pfx_kmalloc_uaf_16+0x10/0x10 [ 25.120173] ? __schedule+0x10da/0x2b60 [ 25.120200] ? __pfx_read_tsc+0x10/0x10 [ 25.120222] ? ktime_get_ts64+0x86/0x230 [ 25.120256] kunit_try_run_case+0x1a5/0x480 [ 25.120282] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.120306] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 25.120331] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.120356] ? __kthread_parkme+0x82/0x180 [ 25.120384] ? preempt_count_sub+0x50/0x80 [ 25.120407] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.120432] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.120478] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.120501] kthread+0x337/0x6f0 [ 25.120521] ? trace_preempt_on+0x20/0xc0 [ 25.120543] ? __pfx_kthread+0x10/0x10 [ 25.120564] ? _raw_spin_unlock_irq+0x47/0x80 [ 25.120599] ? calculate_sigpending+0x7b/0xa0 [ 25.120622] ? __pfx_kthread+0x10/0x10 [ 25.120644] ret_from_fork+0x116/0x1d0 [ 25.120674] ? __pfx_kthread+0x10/0x10 [ 25.120696] ret_from_fork_asm+0x1a/0x30 [ 25.120728] </TASK> [ 25.120739] [ 25.133170] Allocated by task 216: [ 25.133584] kasan_save_stack+0x45/0x70 [ 25.134023] kasan_save_track+0x18/0x40 [ 25.134410] kasan_save_alloc_info+0x3b/0x50 [ 25.134880] __kasan_kmalloc+0xb7/0xc0 [ 25.135221] __kmalloc_cache_noprof+0x189/0x420 [ 25.135610] kmalloc_uaf_16+0x15b/0x4c0 [ 25.135750] kunit_try_run_case+0x1a5/0x480 [ 25.135906] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.136082] kthread+0x337/0x6f0 [ 25.136340] ret_from_fork+0x116/0x1d0 [ 25.136737] ret_from_fork_asm+0x1a/0x30 [ 25.137247] [ 25.137406] Freed by task 216: [ 25.137777] kasan_save_stack+0x45/0x70 [ 25.138166] kasan_save_track+0x18/0x40 [ 25.138603] kasan_save_free_info+0x3f/0x60 [ 25.139008] __kasan_slab_free+0x56/0x70 [ 25.139390] kfree+0x222/0x3f0 [ 25.139751] kmalloc_uaf_16+0x1d6/0x4c0 [ 25.140050] kunit_try_run_case+0x1a5/0x480 [ 25.140505] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.140927] kthread+0x337/0x6f0 [ 25.141135] ret_from_fork+0x116/0x1d0 [ 25.141391] ret_from_fork_asm+0x1a/0x30 [ 25.141809] [ 25.141978] The buggy address belongs to the object at ffff888104919c20 [ 25.141978] which belongs to the cache kmalloc-16 of size 16 [ 25.142727] The buggy address is located 0 bytes inside of [ 25.142727] freed 16-byte region [ffff888104919c20, ffff888104919c30) [ 25.143699] [ 25.143872] The buggy address belongs to the physical page: [ 25.144280] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104919 [ 25.144783] flags: 0x200000000000000(node=0|zone=2) [ 25.145274] page_type: f5(slab) [ 25.145615] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 25.145862] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 25.146090] page dumped because: kasan: bad access detected [ 25.146260] [ 25.146327] Memory state around the buggy address: [ 25.146484] ffff888104919b00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 25.146702] ffff888104919b80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 25.146934] >ffff888104919c00: 00 00 fc fc fa fb fc fc fc fc fc fc fc fc fc fc [ 25.147247] ^ [ 25.147392] ffff888104919c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.147660] ffff888104919d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 25.148115] ==================================================================