Date
June 7, 2025, 10:40 a.m.
| Environment | |
|---|---|
| qemu-arm64 |
[ 23.149070] ================================================================== [ 23.150015] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468 [ 23.150643] Read of size 1 at addr fff00000c637c1a8 by task kunit_try_catch/177 [ 23.151330] [ 23.151631] CPU: 0 UID: 0 PID: 177 Comm: kunit_try_catch Tainted: G B N 6.14.11-rc1 #1 [ 23.151841] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.151936] Hardware name: linux,dummy-virt (DT) [ 23.152024] Call trace: [ 23.152085] show_stack+0x20/0x38 (C) [ 23.152224] dump_stack_lvl+0x8c/0xd0 [ 23.152369] print_report+0x118/0x608 [ 23.152504] kasan_report+0xdc/0x128 [ 23.152647] __asan_report_load1_noabort+0x20/0x30 [ 23.152794] kmalloc_uaf2+0x3f4/0x468 [ 23.152942] kunit_try_run_case+0x170/0x3f0 [ 23.153081] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 23.153226] kthread+0x318/0x620 [ 23.153353] ret_from_fork+0x10/0x20 [ 23.153542] [ 23.159694] Allocated by task 177: [ 23.160099] kasan_save_stack+0x3c/0x68 [ 23.160730] kasan_save_track+0x20/0x40 [ 23.162188] kasan_save_alloc_info+0x40/0x58 [ 23.162795] __kasan_kmalloc+0xd4/0xd8 [ 23.163356] __kmalloc_cache_noprof+0x16c/0x3c0 [ 23.164111] kmalloc_uaf2+0xc4/0x468 [ 23.164548] kunit_try_run_case+0x170/0x3f0 [ 23.165052] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 23.165698] kthread+0x318/0x620 [ 23.166357] ret_from_fork+0x10/0x20 [ 23.167078] [ 23.167370] Freed by task 177: [ 23.167993] kasan_save_stack+0x3c/0x68 [ 23.168633] kasan_save_track+0x20/0x40 [ 23.169252] kasan_save_free_info+0x4c/0x78 [ 23.169991] __kasan_slab_free+0x6c/0x98 [ 23.170451] kfree+0x214/0x3c8 [ 23.170939] kmalloc_uaf2+0x134/0x468 [ 23.171534] kunit_try_run_case+0x170/0x3f0 [ 23.172101] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 23.172790] kthread+0x318/0x620 [ 23.173438] ret_from_fork+0x10/0x20 [ 23.173853] [ 23.174296] The buggy address belongs to the object at fff00000c637c180 [ 23.174296] which belongs to the cache kmalloc-64 of size 64 [ 23.175954] The buggy address is located 40 bytes inside of [ 23.175954] freed 64-byte region [fff00000c637c180, fff00000c637c1c0) [ 23.177787] [ 23.178056] The buggy address belongs to the physical page: [ 23.179402] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10637c [ 23.180452] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 23.181026] page_type: f5(slab) [ 23.181402] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000 [ 23.182308] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 23.183023] page dumped because: kasan: bad access detected [ 23.183642] [ 23.184012] Memory state around the buggy address: [ 23.184600] fff00000c637c080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.185345] fff00000c637c100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.186034] >fff00000c637c180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.186824] ^ [ 23.187540] fff00000c637c200: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc [ 23.188356] fff00000c637c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.189166] ==================================================================