Date
June 7, 2025, 10:40 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:

```
[   22.892259] ==================================================================
[   22.892811] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[   22.893073] Read of size 1 at addr fff00000c76c4828 by task kunit_try_catch/192
[   22.893286]
[   22.893451] CPU: 1 UID: 0 PID: 192 Comm: kunit_try_catch Tainted: G B N 6.15.2-rc1 #1 PREEMPT
[   22.894013] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.894109] Hardware name: linux,dummy-virt (DT)
[   22.894283] Call trace:
[   22.894462]  show_stack+0x20/0x38 (C)
[   22.894618]  dump_stack_lvl+0x8c/0xd0
[   22.894752]  print_report+0x118/0x608
[   22.894879]  kasan_report+0xdc/0x128
[   22.895004]  __asan_report_load1_noabort+0x20/0x30
[   22.895109]  kmalloc_uaf2+0x3f4/0x468
[   22.895197]  kunit_try_run_case+0x170/0x3f0
[   22.895307]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.895452]  kthread+0x328/0x630
[   22.895573]  ret_from_fork+0x10/0x20
[   22.895708]
[   22.895753] Allocated by task 192:
[   22.895831]  kasan_save_stack+0x3c/0x68
[   22.895938]  kasan_save_track+0x20/0x40
[   22.896033]  kasan_save_alloc_info+0x40/0x58
[   22.896138]  __kasan_kmalloc+0xd4/0xd8
[   22.896232]  __kmalloc_cache_noprof+0x16c/0x3c0
[   22.896345]  kmalloc_uaf2+0xc4/0x468
[   22.897091]  kunit_try_run_case+0x170/0x3f0
[   22.897549]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.897829]  kthread+0x328/0x630
[   22.898076]  ret_from_fork+0x10/0x20
[   22.898326]
[   22.898563] Freed by task 192:
[   22.898652]  kasan_save_stack+0x3c/0x68
[   22.898889]  kasan_save_track+0x20/0x40
[   22.899009]  kasan_save_free_info+0x4c/0x78
[   22.899148]  __kasan_slab_free+0x6c/0x98
[   22.899419]  kfree+0x214/0x3c8
[   22.899524]  kmalloc_uaf2+0x134/0x468
[   22.899772]  kunit_try_run_case+0x170/0x3f0
[   22.900025]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.900507]  kthread+0x328/0x630
[   22.900604]  ret_from_fork+0x10/0x20
[   22.900698]
[   22.900809] The buggy address belongs to the object at fff00000c76c4800
[   22.900809]  which belongs to the cache kmalloc-64 of size 64
[   22.901135] The buggy address is located 40 bytes inside of
[   22.901135]  freed 64-byte region [fff00000c76c4800, fff00000c76c4840)
[   22.901507]
[   22.901575] The buggy address belongs to the physical page:
[   22.901660] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1076c4
[   22.901797] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   22.901933] page_type: f5(slab)
[   22.902036] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   22.902168] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   22.902277] page dumped because: kasan: bad access detected
[   22.902369]
[   22.902499] Memory state around the buggy address:
[   22.902623]  fff00000c76c4700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   22.902731]  fff00000c76c4780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   22.902817] >fff00000c76c4800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   22.902913]                                   ^
[   22.902993]  fff00000c76c4880: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   22.903129]  fff00000c76c4900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.903552] ==================================================================
```
qemu-x86_64:

```
[   14.078594] ==================================================================
[   14.079266] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4a8/0x520
[   14.080141] Read of size 1 at addr ffff8881033a21a8 by task kunit_try_catch/208
[   14.080784]
[   14.081046] CPU: 0 UID: 0 PID: 208 Comm: kunit_try_catch Tainted: G B N 6.15.2-rc1 #1 PREEMPT(voluntary)
[   14.081512] Tainted: [B]=BAD_PAGE, [N]=TEST
[   14.081534] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   14.081576] Call Trace:
[   14.081597]  <TASK>
[   14.081706]  dump_stack_lvl+0x73/0xb0
[   14.081757]  print_report+0xd1/0x650
[   14.081785]  ? __virt_addr_valid+0x1db/0x2d0
[   14.081810]  ? kmalloc_uaf2+0x4a8/0x520
[   14.081832]  ? kasan_complete_mode_report_info+0x64/0x200
[   14.081854]  ? kmalloc_uaf2+0x4a8/0x520
[   14.081875]  kasan_report+0x141/0x180
[   14.081898]  ? kmalloc_uaf2+0x4a8/0x520
[   14.081923]  __asan_report_load1_noabort+0x18/0x20
[   14.081944]  kmalloc_uaf2+0x4a8/0x520
[   14.081966]  ? __pfx_kmalloc_uaf2+0x10/0x10
[   14.081987]  ? finish_task_switch.isra.0+0x153/0x700
[   14.082014]  ? __switch_to+0x5d9/0xf60
[   14.082037]  ? dequeue_task_fair+0x166/0x4e0
[   14.082062]  ? __schedule+0x10cc/0x2b30
[   14.082085]  ? __pfx_read_tsc+0x10/0x10
[   14.082107]  ? ktime_get_ts64+0x86/0x230
[   14.082135]  kunit_try_run_case+0x1a5/0x480
[   14.082162]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.082184]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   14.082209]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   14.082232]  ? __kthread_parkme+0x82/0x180
[   14.082256]  ? preempt_count_sub+0x50/0x80
[   14.082281]  ? __pfx_kunit_try_run_case+0x10/0x10
[   14.082306]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.082330]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   14.082354]  kthread+0x337/0x6f0
[   14.082372]  ? trace_preempt_on+0x20/0xc0
[   14.082399]  ? __pfx_kthread+0x10/0x10
[   14.082419]  ? _raw_spin_unlock_irq+0x47/0x80
[   14.082441]  ? calculate_sigpending+0x7b/0xa0
[   14.082466]  ? __pfx_kthread+0x10/0x10
[   14.082486]  ret_from_fork+0x41/0x80
[   14.082509]  ? __pfx_kthread+0x10/0x10
[   14.082528]  ret_from_fork_asm+0x1a/0x30
[   14.082570]  </TASK>
[   14.082589]
[   14.097241] Allocated by task 208:
[   14.097485]  kasan_save_stack+0x45/0x70
[   14.097796]  kasan_save_track+0x18/0x40
[   14.097961]  kasan_save_alloc_info+0x3b/0x50
[   14.098122]  __kasan_kmalloc+0xb7/0xc0
[   14.098278]  __kmalloc_cache_noprof+0x189/0x420
[   14.098453]  kmalloc_uaf2+0xc6/0x520
[   14.099849]  kunit_try_run_case+0x1a5/0x480
[   14.101322]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.101863]  kthread+0x337/0x6f0
[   14.102053]  ret_from_fork+0x41/0x80
[   14.102200]  ret_from_fork_asm+0x1a/0x30
[   14.102348]
[   14.102439] Freed by task 208:
[   14.102574]  kasan_save_stack+0x45/0x70
[   14.103763]  kasan_save_track+0x18/0x40
[   14.104127]  kasan_save_free_info+0x3f/0x60
[   14.104343]  __kasan_slab_free+0x56/0x70
[   14.104500]  kfree+0x222/0x3f0
[   14.105042]  kmalloc_uaf2+0x14c/0x520
[   14.105593]  kunit_try_run_case+0x1a5/0x480
[   14.106317]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   14.106884]  kthread+0x337/0x6f0
[   14.107001]  ret_from_fork+0x41/0x80
[   14.107098]  ret_from_fork_asm+0x1a/0x30
[   14.107210]
[   14.107274] The buggy address belongs to the object at ffff8881033a2180
[   14.107274]  which belongs to the cache kmalloc-64 of size 64
[   14.107502] The buggy address is located 40 bytes inside of
[   14.107502]  freed 64-byte region [ffff8881033a2180, ffff8881033a21c0)
[   14.108350]
[   14.108591] The buggy address belongs to the physical page:
[   14.109067] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1033a2
[   14.110162] flags: 0x200000000000000(node=0|zone=2)
[   14.110386] page_type: f5(slab)
[   14.110534] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   14.110792] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   14.111547] page dumped because: kasan: bad access detected
[   14.112536]
[   14.112721] Memory state around the buggy address:
[   14.113003]  ffff8881033a2080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   14.113316]  ffff8881033a2100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   14.113471] >ffff8881033a2180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   14.113905]                                   ^
[   14.114785]  ffff8881033a2200: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   14.115336]  ffff8881033a2280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   14.115881] ==================================================================
```
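Both reports say the same thing: a 1-byte read at offset 40 of a freed 64-byte kmalloc-64 object, which is exactly the access the kmalloc_uaf2 KUnit test is designed to provoke, so these are expected KASAN hits rather than regressions. Reading that out of the report by hand means cross-checking three things: the access address against the object base, the printed "located N bytes inside of" line, and the shadow byte under the caret in the "Memory state" dump (generic KASAN keeps one shadow byte per 8-byte granule; 0xfb/0xfa mark a freed slab object, 0xfc a slab redzone, 00 a fully valid granule and 01..07 a granule with only that many leading bytes valid). The script below is an added example, not part of this results page or of the kernel's test suite: it parses those fields from report text, checks they agree, and names the poison value covering the accessed granule. The sample input is copied from the qemu-x86_64 report above with timestamps stripped and the stack traces omitted; the poison names come from mm/kasan/kasan.h, and bug_class() is a simplified rendering of the kernel's shadow-byte-to-bug-type mapping, not the kernel's code.

```python
"""Decode the key facts of a generic-mode KASAN report (added example)."""
import re

GRANULE = 8  # generic KASAN: one shadow byte describes 8 bytes of memory

# Poison values from mm/kasan/kasan.h (generic mode); only the slab/page ones are listed.
POISON = {
    0xfa: "freed slab object, free-track metadata stored in-object (KASAN_SLAB_FREETRACK)",
    0xfb: "freed slab object (KASAN_SLAB_FREE)",
    0xfc: "slab redzone (KASAN_SLAB_REDZONE)",
    0xfe: "page redzone (KASAN_PAGE_REDZONE)",
    0xff: "freed page (KASAN_PAGE_FREE)",
}

# Constructed sample: lines copied from the qemu-x86_64 report above, timestamps removed.
SAMPLE_REPORT = """\
BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4a8/0x520
Read of size 1 at addr ffff8881033a21a8 by task kunit_try_catch/208
The buggy address belongs to the object at ffff8881033a2180
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 40 bytes inside of
 freed 64-byte region [ffff8881033a2180, ffff8881033a21c0)
Memory state around the buggy address:
 ffff8881033a2100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8881033a2180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                                  ^
 ffff8881033a2200: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
"""


def describe_shadow(val: int) -> str:
    """Human-readable meaning of one shadow byte."""
    if val == 0:
        return "fully accessible granule"
    if 1 <= val < GRANULE:
        return f"partially accessible granule: only the first {val} bytes are valid"
    return POISON.get(val, f"other poison 0x{val:02x}")


def bug_class(val: int) -> str:
    """Bug type implied by a shadow byte (simplified version of the kernel's mapping)."""
    if val < GRANULE:
        return "out-of-bounds"
    if val in (0xfc, 0xfe):
        return "slab-out-of-bounds"
    if val in (0xfa, 0xfb, 0xff):
        return "use-after-free"
    return "unknown"


def parse_report(text: str) -> dict:
    """Extract the access, the object, the printed offset and the '>'-marked shadow row."""
    t = re.sub(r"^\[\s*\d+\.\d+\]\s?", "", text, flags=re.M)  # drop dmesg timestamps if present
    m = re.search(r"BUG: KASAN: (\S+) in (\S+)", t)
    bug, func = m.group(1), m.group(2)
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", t)
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    m = re.search(r"object at ([0-9a-f]+)\s*\n\s*which belongs to the cache (\S+) of size (\d+)", t)
    obj_base, cache, obj_size = int(m.group(1), 16), m.group(2), int(m.group(3))
    m = re.search(r"located (\d+) bytes (inside of|to the right of|to the left of)", t)
    printed_off, rel = int(m.group(1)), m.group(2)
    m = re.search(r"^>([0-9a-f]+): ((?:[0-9a-f]{2}\s?)+)$", t, flags=re.M)
    row_base, row = int(m.group(1), 16), [int(b, 16) for b in m.group(2).split()]
    return dict(bug=bug, func=func, kind=kind, size=size, addr=addr, obj_base=obj_base,
                cache=cache, obj_size=obj_size, printed_off=printed_off, rel=rel,
                row_base=row_base, row=row)


def analyze(text: str) -> dict:
    """Cross-check the report's own numbers and decode the shadow byte at the access."""
    r = parse_report(text)
    off = r["addr"] - r["obj_base"]
    inside = 0 <= off < r["obj_size"]
    # For an in-object access the kernel prints the distance from the object start.
    offset_ok = (r["rel"] == "inside of") == inside and (not inside or off == r["printed_off"])
    idx = (r["addr"] - r["row_base"]) // GRANULE  # shadow byte covering the accessed granule
    if not 0 <= idx < len(r["row"]):
        raise ValueError("accessed address is not covered by the marked shadow row")
    val = r["row"][idx]
    # A partial granule (01..07) only permits the first `val` bytes of that granule.
    allowed = val == 0 or (val < GRANULE and r["addr"] % GRANULE + r["size"] <= val)
    return {
        "bug": r["bug"], "function": r["func"], "cache": r["cache"], "offset": off,
        "inside_object": inside, "offset_consistent": offset_ok, "shadow_index": idx,
        "shadow_byte": val, "meaning": describe_shadow(val),
        "access_allowed_by_shadow": allowed,
        "bug_matches_shadow": r["bug"].endswith(bug_class(val)),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_REPORT).items():
        print(f"{key}: {value:#x}" if key == "shadow_byte" else f"{key}: {value}")
```

Run against the qemu-x86_64 report the script reports offset 40 inside the object, shadow index 5 with byte 0xfb (freed slab object), an access the shadow does not permit, and a bug type that agrees with the poison value; the qemu-arm64 report decodes to the same offset and shadow byte, differing only in the addresses. The two "fa" bytes at the start of each freed object are the granule where KASAN keeps its in-object free-track metadata, which is why a use-after-free at offset 0 reports the same bug type as one at offset 40.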