Date: July 25, 2025, 3:13 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 32.126462] ==================================================================
[ 32.126589] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[ 32.126660] Read of size 1 at addr fff00000c99a0000 by task kunit_try_catch/180
[ 32.126903]
[ 32.126951] CPU: 1 UID: 0 PID: 180 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250725 #1 PREEMPT
[ 32.127039] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 32.127097] Hardware name: linux,dummy-virt (DT)
[ 32.127376] Call trace:
[ 32.127577]  show_stack+0x20/0x38 (C)
[ 32.127801]  dump_stack_lvl+0x8c/0xd0
[ 32.128044]  print_report+0x118/0x5e8
[ 32.128118]  kasan_report+0xdc/0x128
[ 32.128275]  __asan_report_load1_noabort+0x20/0x30
[ 32.128357]  kmalloc_large_uaf+0x2cc/0x2f8
[ 32.128505]  kunit_try_run_case+0x170/0x3f0
[ 32.128565]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.128793]  kthread+0x328/0x630
[ 32.129032]  ret_from_fork+0x10/0x20
[ 32.129115]
[ 32.129274] The buggy address belongs to the physical page:
[ 32.129416] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1099a0
[ 32.129855] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.130126] raw: 0bfffe0000000000 fff00000da470d00 fff00000da470d00 0000000000000000
[ 32.130322] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 32.130363] page dumped because: kasan: bad access detected
[ 32.130772]
[ 32.131007] Memory state around the buggy address:
[ 32.131116]  fff00000c999ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.131300]  fff00000c999ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 32.131344] >fff00000c99a0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.131402]                    ^
[ 32.131650]  fff00000c99a0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.131876]  fff00000c99a0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.132030] ==================================================================
```
qemu-x86_64:

```text
[ 25.204622] ==================================================================
[ 25.205111] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f1/0x340
[ 25.205633] Read of size 1 at addr ffff888106128000 by task kunit_try_catch/197
[ 25.206035]
[ 25.206198] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250725 #1 PREEMPT(voluntary)
[ 25.206269] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.206281] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 25.206315] Call Trace:
[ 25.206328]  <TASK>
[ 25.206343]  dump_stack_lvl+0x73/0xb0
[ 25.206372]  print_report+0xd1/0x640
[ 25.206394]  ? __virt_addr_valid+0x1db/0x2d0
[ 25.206419]  ? kmalloc_large_uaf+0x2f1/0x340
[ 25.206440]  ? kasan_addr_to_slab+0x11/0xa0
[ 25.206461]  ? kmalloc_large_uaf+0x2f1/0x340
[ 25.206483]  kasan_report+0x141/0x180
[ 25.206506]  ? kmalloc_large_uaf+0x2f1/0x340
[ 25.206534]  __asan_report_load1_noabort+0x18/0x20
[ 25.206559]  kmalloc_large_uaf+0x2f1/0x340
[ 25.206581]  ? __pfx_kmalloc_large_uaf+0x10/0x10
[ 25.206603]  ? __schedule+0x10da/0x2b60
[ 25.206642]  ? __pfx_read_tsc+0x10/0x10
[ 25.206665]  ? ktime_get_ts64+0x86/0x230
[ 25.206689]  kunit_try_run_case+0x1a5/0x480
[ 25.206714]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.206737]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 25.206758]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 25.206843]  ? __kthread_parkme+0x82/0x180
[ 25.206869]  ? preempt_count_sub+0x50/0x80
[ 25.206893]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 25.206917]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 25.206951]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 25.206976]  kthread+0x337/0x6f0
[ 25.206996]  ? trace_preempt_on+0x20/0xc0
[ 25.207020]  ? __pfx_kthread+0x10/0x10
[ 25.207041]  ? _raw_spin_unlock_irq+0x47/0x80
[ 25.207077]  ? calculate_sigpending+0x7b/0xa0
[ 25.207101]  ? __pfx_kthread+0x10/0x10
[ 25.207122]  ret_from_fork+0x116/0x1d0
[ 25.207142]  ? __pfx_kthread+0x10/0x10
[ 25.207162]  ret_from_fork_asm+0x1a/0x30
[ 25.207194]  </TASK>
[ 25.207205]
[ 25.215172] The buggy address belongs to the physical page:
[ 25.215369] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810612e600 pfn:0x106128
[ 25.215778] flags: 0x200000000000000(node=0|zone=2)
[ 25.216204] raw: 0200000000000000 ffffea0004184b08 ffff88815b139fc0 0000000000000000
[ 25.216539] raw: ffff88810612e600 0000000000000000 00000000ffffffff 0000000000000000
[ 25.216963] page dumped because: kasan: bad access detected
[ 25.217231]
[ 25.217359] Memory state around the buggy address:
[ 25.217631]  ffff888106127f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.217955]  ffff888106127f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.218285] >ffff888106128000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.218594]                    ^
[ 25.218755]  ffff888106128080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.219137]  ffff888106128100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 25.219426] ==================================================================
```