Hay

Date: June 2, 2025, 2:13 p.m.

Environment: qemu-arm64 (first report below, Hardware name "linux,dummy-virt (DT)"), qemu-x86_64 (second report below, Hardware name "QEMU Standard PC (Q35 + ICH9, 2009)")

[   18.033636] ==================================================================
[   18.034626] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[   18.034982] Read of size 1 at addr fff00000c6068000 by task kunit_try_catch/138
[   18.035310] 
[   18.035463] CPU: 0 UID: 0 PID: 138 Comm: kunit_try_catch Tainted: G    B            N 6.14.10-rc1 #1
[   18.035552] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.035581] Hardware name: linux,dummy-virt (DT)
[   18.035616] Call trace:
[   18.035641]  show_stack+0x20/0x38 (C)
[   18.035695]  dump_stack_lvl+0x8c/0xd0
[   18.035745]  print_report+0x118/0x608
[   18.035792]  kasan_report+0xdc/0x128
[   18.035838]  __asan_report_load1_noabort+0x20/0x30
[   18.035885]  kmalloc_large_uaf+0x2cc/0x2f8
[   18.035931]  kunit_try_run_case+0x170/0x3f0
[   18.035978]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.036029]  kthread+0x318/0x620
[   18.036075]  ret_from_fork+0x10/0x20
[   18.036124] 
[   18.040532] The buggy address belongs to the physical page:
[   18.041260] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106068
[   18.041914] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.042687] raw: 0bfffe0000000000 ffffc1ffc3181b08 fff00000da4b1040 0000000000000000
[   18.043287] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   18.043795] page dumped because: kasan: bad access detected
[   18.044327] 
[   18.044572] Memory state around the buggy address:
[   18.045006]  fff00000c6067f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.045592]  fff00000c6067f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.046244] >fff00000c6068000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   18.046883]                    ^
[   18.047319]  fff00000c6068080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   18.047889]  fff00000c6068100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   18.048442] ==================================================================

[   12.245549] ==================================================================
[   12.246465] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f3/0x340
[   12.246743] Read of size 1 at addr ffff888102ac4000 by task kunit_try_catch/156
[   12.247197] 
[   12.247310] CPU: 0 UID: 0 PID: 156 Comm: kunit_try_catch Tainted: G    B            N 6.14.10-rc1 #1
[   12.247477] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.247492] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.247513] Call Trace:
[   12.247523]  <TASK>
[   12.247547]  dump_stack_lvl+0x73/0xb0
[   12.247576]  print_report+0xd1/0x650
[   12.247600]  ? __virt_addr_valid+0x1db/0x2d0
[   12.247681]  ? kmalloc_large_uaf+0x2f3/0x340
[   12.247705]  ? kasan_addr_to_slab+0x11/0xa0
[   12.247727]  ? kmalloc_large_uaf+0x2f3/0x340
[   12.247749]  kasan_report+0x140/0x180
[   12.247774]  ? kmalloc_large_uaf+0x2f3/0x340
[   12.247801]  __asan_report_load1_noabort+0x18/0x20
[   12.247827]  kmalloc_large_uaf+0x2f3/0x340
[   12.247859]  ? __pfx_kmalloc_large_uaf+0x10/0x10
[   12.247882]  ? __schedule+0xce8/0x2840
[   12.247908]  ? __pfx_read_tsc+0x10/0x10
[   12.247942]  ? ktime_get_ts64+0x86/0x230
[   12.247970]  kunit_try_run_case+0x1a6/0x480
[   12.247995]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.248027]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   12.248053]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.248079]  ? __kthread_parkme+0x82/0x160
[   12.248102]  ? preempt_count_sub+0x50/0x80
[   12.248129]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.248153]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.248181]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.248209]  kthread+0x324/0x6e0
[   12.248232]  ? trace_preempt_on+0x20/0xc0
[   12.248257]  ? __pfx_kthread+0x10/0x10
[   12.248282]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.248306]  ? calculate_sigpending+0x7b/0xa0
[   12.248329]  ? __pfx_kthread+0x10/0x10
[   12.248354]  ret_from_fork+0x41/0x80
[   12.248375]  ? __pfx_kthread+0x10/0x10
[   12.248399]  ret_from_fork_asm+0x1a/0x30
[   12.248432]  </TASK>
[   12.248443] 
[   12.256045] The buggy address belongs to the physical page:
[   12.256277] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102ac4
[   12.256810] flags: 0x200000000000000(node=0|zone=2)
[   12.257074] raw: 0200000000000000 ffffea00040ab208 ffff88815b03ef40 0000000000000000
[   12.257394] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   12.257848] page dumped because: kasan: bad access detected
[   12.258292] 
[   12.258395] Memory state around the buggy address:
[   12.258553]  ffff888102ac3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.258969]  ffff888102ac3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.259270] >ffff888102ac4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   12.259551]                    ^
[   12.259795]  ffff888102ac4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   12.260113]  ffff888102ac4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   12.260415] ==================================================================
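Both reports above come from the `kmalloc_large_uaf` KUnit case: the task is `kunit_try_catch` and the kernel carries the `[N]=TEST` taint, so the use-after-free was provoked on purpose by the KASAN self-tests and is the expected result of the run, not a finding. The shadow byte under the `^` marker is `ff`, which in generic KASAN marks a freed page (large kmalloc allocations are served by the page allocator, so the freed object is a whole page rather than a slab object), and the `fc` bytes before it are redzone shadow for neighbouring memory. The following parser, written for this page as an added example and not code from the kernel or from the CI system that produced these logs, pulls those fields out of a report, decodes the shadow byte at the faulting address and applies a hypothetical triage rule. The shadow-byte table is taken from the generic-mode definitions in `mm/kasan/kasan.h` as the author of this example recalls them and should be checked against the tree under test; the sample input is the qemu-arm64 report from this page with the call trace shortened.

```python
"""Parse a generic-mode KASAN report (as printed by mm/kasan/report.c) and
decode the shadow byte at the faulting address.  Added example, not kernel code."""
import re
from dataclasses import dataclass

# Shadow-byte meanings for generic KASAN (CONFIG_KASAN_GENERIC), as defined in
# mm/kasan/kasan.h.  Assumption: the kernel under test uses these values.
SHADOW_MEANING = {
    0x00: "accessible (all 8 bytes of the granule)",
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "vmalloc unmapped/invalid",
    0xF9: "global variable redzone",
    0xFA: "freed slab object (free track stored in object)",
    0xFB: "freed slab object (KASAN_SLAB_FREE)",
    0xFC: "slab/kmalloc redzone (KASAN_SLAB_REDZONE)",
    0xFE: "page allocator redzone (KASAN_PAGE_REDZONE)",
    0xFF: "freed page (KASAN_PAGE_FREE)",
}
GRANULE = 8  # bytes of memory described by one shadow byte in generic mode

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk "[   18.034626] " prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<task>\S+)/(?P<pid>\d+)")
TAINT_RE = re.compile(r"Tainted: (?P<flags>\[[A-Z]\]=\w+(?:, \[[A-Z]\]=\w+)*)")
SHADOW_RE = re.compile(r"^\s*>?(?P<base>[0-9a-f]{16}): (?P<bytes>[0-9a-f]{2}(?: [0-9a-f]{2}){15})\s*$")


@dataclass
class KasanReport:
    kind: str
    func: str
    op: str
    size: int
    addr: int
    task: str
    pid: int
    taints: list
    shadow: dict  # shadow line base address -> 16 shadow byte values

    def shadow_byte(self):
        """Shadow byte covering self.addr, or None if the dump does not cover it."""
        for base, vals in self.shadow.items():
            if base <= self.addr < base + len(vals) * GRANULE:
                return vals[(self.addr - base) // GRANULE]
        return None


def parse_report(text):
    """Extract the header, access, taint and shadow-dump fields from one report."""
    fields, taints, shadow = {}, [], {}
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        if m := BUG_RE.search(line):
            fields.update(kind=m["kind"], func=m["func"])
        elif m := ACCESS_RE.search(line):
            fields.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16),
                          task=m["task"], pid=int(m["pid"]))
        elif m := TAINT_RE.search(line):
            taints = m["flags"].split(", ")
        elif m := SHADOW_RE.match(line):
            shadow[int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
    missing = {"kind", "func", "op", "size", "addr", "task", "pid"} - fields.keys()
    if missing:
        raise ValueError(f"incomplete KASAN report, missing {sorted(missing)}")
    return KasanReport(taints=taints, shadow=shadow, **fields)


def describe_shadow(val):
    if val is None:
        return "address not covered by the shadow dump"
    if 1 <= val <= 7:
        return f"partially accessible (first {val} of {GRANULE} bytes)"
    return SHADOW_MEANING.get(val, f"unknown shadow value 0x{val:02x}")


def triage(r):
    """Hypothetical CI policy: a report raised from a kunit task on a kernel tainted
    [N]=TEST was provoked by the KASAN self-tests and is expected; anything else is real."""
    if "[N]=TEST" in r.taints and r.task.startswith("kunit"):
        return "expected", f"{r.kind} deliberately triggered by test {r.func}"
    if r.kind == "use-after-free":
        return "critical", f"{r.op} of {r.size} byte(s) after free in {r.func}"
    return "investigate", f"{r.kind} in {r.func}"


# Constructed input: the qemu-arm64 report from this page with the call trace shortened.
SAMPLE = """\
[   18.034626] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[   18.034982] Read of size 1 at addr fff00000c6068000 by task kunit_try_catch/138
[   18.035463] CPU: 0 UID: 0 PID: 138 Comm: kunit_try_catch Tainted: G    B            N 6.14.10-rc1 #1
[   18.035552] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.035885]  kmalloc_large_uaf+0x2cc/0x2f8
[   18.044572] Memory state around the buggy address:
[   18.045006]  fff00000c6067f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.046244] >fff00000c6068000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   18.046883]                    ^
[   18.047319]  fff00000c6068080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

if __name__ == "__main__":
    rep = parse_report(SAMPLE)
    print(triage(rep), describe_shadow(rep.shadow_byte()))
```

Run against the x86_64 report on this page the same parser yields the same verdict (`expected`), since that report also carries `[N]=TEST` and runs in `kunit_try_catch`; the point of keying the rule on the taint flag rather than on the function name is that a real use-after-free in a kernel that merely happens to have the KASAN tests built in would still show up as `critical`.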