Date: June 17, 2025, 3:40 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64 (KASAN report, one kernel log line per row):

```
[ 21.640002] ==================================================================
[ 21.640130] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 21.640226] Read of size 16 at addr fff00000c58ac260 by task kunit_try_catch/170
[ 21.640284]
[ 21.640333] CPU: 0 UID: 0 PID: 170 Comm: kunit_try_catch Tainted: G B N 6.15.3-rc1 #1 PREEMPT
[ 21.640430] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.640459] Hardware name: linux,dummy-virt (DT)
[ 21.640495] Call trace:
[ 21.640522]  show_stack+0x20/0x38 (C)
[ 21.640579]  dump_stack_lvl+0x8c/0xd0
[ 21.640633]  print_report+0x118/0x608
[ 21.640682]  kasan_report+0xdc/0x128
[ 21.640911]  __asan_report_load16_noabort+0x20/0x30
[ 21.641052]  kmalloc_uaf_16+0x3bc/0x438
[ 21.641152]  kunit_try_run_case+0x170/0x3f0
[ 21.641244]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.641637]  kthread+0x328/0x630
[ 21.641775]  ret_from_fork+0x10/0x20
[ 21.642636]
[ 21.642965] Allocated by task 170:
[ 21.643167]  kasan_save_stack+0x3c/0x68
[ 21.643649]  kasan_save_track+0x20/0x40
[ 21.644136]  kasan_save_alloc_info+0x40/0x58
[ 21.644632]  __kasan_kmalloc+0xd4/0xd8
[ 21.644725]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 21.645207]  kmalloc_uaf_16+0x140/0x438
[ 21.645442]  kunit_try_run_case+0x170/0x3f0
[ 21.645986]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.646277]  kthread+0x328/0x630
[ 21.646418]  ret_from_fork+0x10/0x20
[ 21.646505]
[ 21.646550] Freed by task 170:
[ 21.646615]  kasan_save_stack+0x3c/0x68
[ 21.646706]  kasan_save_track+0x20/0x40
[ 21.646856]  kasan_save_free_info+0x4c/0x78
[ 21.647836]  __kasan_slab_free+0x6c/0x98
[ 21.648207]  kfree+0x214/0x3c8
[ 21.648471]  kmalloc_uaf_16+0x190/0x438
[ 21.648584]  kunit_try_run_case+0x170/0x3f0
[ 21.648675]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.648790]  kthread+0x328/0x630
[ 21.649512]  ret_from_fork+0x10/0x20
[ 21.649886]
[ 21.649930] The buggy address belongs to the object at fff00000c58ac260
[ 21.649930]  which belongs to the cache kmalloc-16 of size 16
[ 21.650055] The buggy address is located 0 bytes inside of
[ 21.650055]  freed 16-byte region [fff00000c58ac260, fff00000c58ac270)
[ 21.650602]
[ 21.650898] The buggy address belongs to the physical page:
[ 21.651122] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058ac
[ 21.651432] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 21.651561] page_type: f5(slab)
[ 21.651928] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 21.652379] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 21.653067] page dumped because: kasan: bad access detected
[ 21.653187]
[ 21.653283] Memory state around the buggy address:
[ 21.653499]  fff00000c58ac100: 00 00 fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[ 21.653622]  fff00000c58ac180: 00 04 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 21.653739] >fff00000c58ac200: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[ 21.653830]                                                        ^
[ 21.653907]  fff00000c58ac280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.653980]  fff00000c58ac300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.654045] ==================================================================
```
qemu-x86_64 (KASAN report, one kernel log line per row):

```
[ 19.151526] ==================================================================
[ 19.152486] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[ 19.153425] Read of size 16 at addr ffff8881021c1de0 by task kunit_try_catch/188
[ 19.154016]
[ 19.154449] CPU: 1 UID: 0 PID: 188 Comm: kunit_try_catch Tainted: G B N 6.15.3-rc1 #1 PREEMPT(voluntary)
[ 19.154584] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.154624] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 19.154683] Call Trace:
[ 19.154722]  <TASK>
[ 19.154770]  dump_stack_lvl+0x73/0xb0
[ 19.154854]  print_report+0xd1/0x650
[ 19.154935]  ? __virt_addr_valid+0x1db/0x2d0
[ 19.155192]  ? kmalloc_uaf_16+0x47b/0x4c0
[ 19.155306]  ? kasan_complete_mode_report_info+0x64/0x200
[ 19.155382]  ? kmalloc_uaf_16+0x47b/0x4c0
[ 19.155451]  kasan_report+0x141/0x180
[ 19.155523]  ? kmalloc_uaf_16+0x47b/0x4c0
[ 19.155606]  __asan_report_load16_noabort+0x18/0x20
[ 19.155676]  kmalloc_uaf_16+0x47b/0x4c0
[ 19.155740]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 19.155779]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 19.155817]  kunit_try_run_case+0x1a5/0x480
[ 19.155856]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 19.155909]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 19.155952]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 19.156074]  ? __kthread_parkme+0x82/0x180
[ 19.156116]  ? preempt_count_sub+0x50/0x80
[ 19.156156]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 19.156213]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.156253]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 19.156316]  kthread+0x337/0x6f0
[ 19.156360]  ? trace_preempt_on+0x20/0xc0
[ 19.156400]  ? __pfx_kthread+0x10/0x10
[ 19.156450]  ? _raw_spin_unlock_irq+0x47/0x80
[ 19.156485]  ? calculate_sigpending+0x7b/0xa0
[ 19.156535]  ? __pfx_kthread+0x10/0x10
[ 19.156565]  ret_from_fork+0x41/0x80
[ 19.156613]  ? __pfx_kthread+0x10/0x10
[ 19.156651]  ret_from_fork_asm+0x1a/0x30
[ 19.156713]  </TASK>
[ 19.156732]
[ 19.177278] Allocated by task 188:
[ 19.178243]  kasan_save_stack+0x45/0x70
[ 19.178641]  kasan_save_track+0x18/0x40
[ 19.179466]  kasan_save_alloc_info+0x3b/0x50
[ 19.179936]  __kasan_kmalloc+0xb7/0xc0
[ 19.180633]  __kmalloc_cache_noprof+0x189/0x420
[ 19.181362]  kmalloc_uaf_16+0x15b/0x4c0
[ 19.181810]  kunit_try_run_case+0x1a5/0x480
[ 19.182655]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.183675]  kthread+0x337/0x6f0
[ 19.183978]  ret_from_fork+0x41/0x80
[ 19.184737]  ret_from_fork_asm+0x1a/0x30
[ 19.185116]
[ 19.185374] Freed by task 188:
[ 19.185726]  kasan_save_stack+0x45/0x70
[ 19.186109]  kasan_save_track+0x18/0x40
[ 19.187163]  kasan_save_free_info+0x3f/0x60
[ 19.187581]  __kasan_slab_free+0x56/0x70
[ 19.188361]  kfree+0x222/0x3f0
[ 19.188531]  kmalloc_uaf_16+0x1d6/0x4c0
[ 19.188695]  kunit_try_run_case+0x1a5/0x480
[ 19.188871]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 19.189230]  kthread+0x337/0x6f0
[ 19.189655]  ret_from_fork+0x41/0x80
[ 19.190885]  ret_from_fork_asm+0x1a/0x30
[ 19.191595]
[ 19.191838] The buggy address belongs to the object at ffff8881021c1de0
[ 19.191838]  which belongs to the cache kmalloc-16 of size 16
[ 19.194223] The buggy address is located 0 bytes inside of
[ 19.194223]  freed 16-byte region [ffff8881021c1de0, ffff8881021c1df0)
[ 19.195043]
[ 19.195328] The buggy address belongs to the physical page:
[ 19.195715] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1021c1
[ 19.196966] flags: 0x200000000000000(node=0|zone=2)
[ 19.197433] page_type: f5(slab)
[ 19.198363] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 19.199609] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 19.200348] page dumped because: kasan: bad access detected
[ 19.200688]
[ 19.200854] Memory state around the buggy address:
[ 19.201239]  ffff8881021c1c80: 00 02 fc fc 00 05 fc fc 00 02 fc fc 00 02 fc fc
[ 19.201646]  ffff8881021c1d00: 00 02 fc fc 00 02 fc fc fa fb fc fc fa fb fc fc
[ 19.202198] >ffff8881021c1d80: fa fb fc fc 00 05 fc fc 00 00 fc fc fa fb fc fc
[ 19.203564]                                                        ^
[ 19.204171]  ffff8881021c1e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.205365]  ffff8881021c1e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.206163] ==================================================================
```