Hay
Date: June 26, 2025, 11:12 a.m.

Environment: e850-96, qemu-arm64, qemu-x86_64

e850-96 (WinLink E850-96 board):
[   29.734142] ==================================================================
[   29.743458] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[   29.750054] Read of size 1 at addr ffff000802e1aba8 by task kunit_try_catch/237
[   29.757344] 
[   29.758833] CPU: 0 UID: 0 PID: 237 Comm: kunit_try_catch Tainted: G    B            N  6.15.4-rc3 #1 PREEMPT 
[   29.758890] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.758910] Hardware name: WinLink E850-96 board (DT)
[   29.758933] Call trace:
[   29.758951]  show_stack+0x20/0x38 (C)
[   29.758987]  dump_stack_lvl+0x8c/0xd0
[   29.759027]  print_report+0x118/0x608
[   29.759059]  kasan_report+0xdc/0x128
[   29.759088]  __asan_report_load1_noabort+0x20/0x30
[   29.759125]  kmalloc_uaf2+0x3f4/0x468
[   29.759160]  kunit_try_run_case+0x170/0x3f0
[   29.759199]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.759237]  kthread+0x328/0x630
[   29.759271]  ret_from_fork+0x10/0x20
[   29.759308] 
[   29.821147] Allocated by task 237:
[   29.824534]  kasan_save_stack+0x3c/0x68
[   29.828350]  kasan_save_track+0x20/0x40
[   29.832169]  kasan_save_alloc_info+0x40/0x58
[   29.836423]  __kasan_kmalloc+0xd4/0xd8
[   29.840155]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.844669]  kmalloc_uaf2+0xc4/0x468
[   29.848228]  kunit_try_run_case+0x170/0x3f0
[   29.852395]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.857863]  kthread+0x328/0x630
[   29.861075]  ret_from_fork+0x10/0x20
[   29.864634] 
[   29.866111] Freed by task 237:
[   29.869148]  kasan_save_stack+0x3c/0x68
[   29.872967]  kasan_save_track+0x20/0x40
[   29.876787]  kasan_save_free_info+0x4c/0x78
[   29.880953]  __kasan_slab_free+0x6c/0x98
[   29.884859]  kfree+0x214/0x3c8
[   29.887897]  kmalloc_uaf2+0x134/0x468
[   29.891543]  kunit_try_run_case+0x170/0x3f0
[   29.895710]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.901179]  kthread+0x328/0x630
[   29.904391]  ret_from_fork+0x10/0x20
[   29.907950] 
[   29.909427] The buggy address belongs to the object at ffff000802e1ab80
[   29.909427]  which belongs to the cache kmalloc-64 of size 64
[   29.921755] The buggy address is located 40 bytes inside of
[   29.921755]  freed 64-byte region [ffff000802e1ab80, ffff000802e1abc0)
[   29.933817] 
[   29.935297] The buggy address belongs to the physical page:
[   29.940852] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x882e1a
[   29.948837] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   29.955347] page_type: f5(slab)
[   29.958485] raw: 0bfffe0000000000 ffff0008000028c0 dead000000000122 0000000000000000
[   29.966202] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   29.973922] page dumped because: kasan: bad access detected
[   29.979476] 
[   29.980951] Memory state around the buggy address:
[   29.985734]  ffff000802e1aa80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   29.992934]  ffff000802e1ab00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.000141] >ffff000802e1ab80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.007340]                                   ^
[   30.011859]  ffff000802e1ac00: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   30.019063]  ffff000802e1ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.026265] ==================================================================

qemu-arm64 (linux,dummy-virt):

[   18.167114] ==================================================================
[   18.167178] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[   18.167235] Read of size 1 at addr fff00000c797b428 by task kunit_try_catch/190
[   18.167285] 
[   18.167317] CPU: 0 UID: 0 PID: 190 Comm: kunit_try_catch Tainted: G    B            N  6.15.4-rc3 #1 PREEMPT 
[   18.167402] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.167430] Hardware name: linux,dummy-virt (DT)
[   18.167462] Call trace:
[   18.167483]  show_stack+0x20/0x38 (C)
[   18.167531]  dump_stack_lvl+0x8c/0xd0
[   18.167579]  print_report+0x118/0x608
[   18.168367]  kasan_report+0xdc/0x128
[   18.168506]  __asan_report_load1_noabort+0x20/0x30
[   18.168876]  kmalloc_uaf2+0x3f4/0x468
[   18.168952]  kunit_try_run_case+0x170/0x3f0
[   18.169035]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.169208]  kthread+0x328/0x630
[   18.169345]  ret_from_fork+0x10/0x20
[   18.169756] 
[   18.169812] Allocated by task 190:
[   18.169896]  kasan_save_stack+0x3c/0x68
[   18.170090]  kasan_save_track+0x20/0x40
[   18.170132]  kasan_save_alloc_info+0x40/0x58
[   18.170406]  __kasan_kmalloc+0xd4/0xd8
[   18.170531]  __kmalloc_cache_noprof+0x16c/0x3c0
[   18.170644]  kmalloc_uaf2+0xc4/0x468
[   18.170836]  kunit_try_run_case+0x170/0x3f0
[   18.171168]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.171261]  kthread+0x328/0x630
[   18.171338]  ret_from_fork+0x10/0x20
[   18.171440] 
[   18.171567] Freed by task 190:
[   18.171792]  kasan_save_stack+0x3c/0x68
[   18.171834]  kasan_save_track+0x20/0x40
[   18.172153]  kasan_save_free_info+0x4c/0x78
[   18.172200]  __kasan_slab_free+0x6c/0x98
[   18.172237]  kfree+0x214/0x3c8
[   18.172298]  kmalloc_uaf2+0x134/0x468
[   18.172689]  kunit_try_run_case+0x170/0x3f0
[   18.172789]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.172964]  kthread+0x328/0x630
[   18.173015]  ret_from_fork+0x10/0x20
[   18.173205] 
[   18.173367] The buggy address belongs to the object at fff00000c797b400
[   18.173367]  which belongs to the cache kmalloc-64 of size 64
[   18.173483] The buggy address is located 40 bytes inside of
[   18.173483]  freed 64-byte region [fff00000c797b400, fff00000c797b440)
[   18.173570] 
[   18.173598] The buggy address belongs to the physical page:
[   18.173630] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10797b
[   18.173683] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.173742] page_type: f5(slab)
[   18.173791] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   18.173870] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   18.173919] page dumped because: kasan: bad access detected
[   18.173951] 
[   18.173968] Memory state around the buggy address:
[   18.174009]  fff00000c797b300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.174064]  fff00000c797b380: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.174109] >fff00000c797b400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.174149]                                   ^
[   18.174190]  fff00000c797b480: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   18.174236]  fff00000c797b500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.174295] ==================================================================

qemu-x86_64 (QEMU Standard PC, Q35):

[   11.224402] ==================================================================
[   11.225597] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4a8/0x520
[   11.226477] Read of size 1 at addr ffff888102f66e28 by task kunit_try_catch/207
[   11.227226] 
[   11.227502] CPU: 1 UID: 0 PID: 207 Comm: kunit_try_catch Tainted: G    B            N  6.15.4-rc3 #1 PREEMPT(voluntary) 
[   11.227571] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.227584] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.227606] Call Trace:
[   11.227620]  <TASK>
[   11.227639]  dump_stack_lvl+0x73/0xb0
[   11.227667]  print_report+0xd1/0x650
[   11.227691]  ? __virt_addr_valid+0x1db/0x2d0
[   11.227745]  ? kmalloc_uaf2+0x4a8/0x520
[   11.227775]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.227798]  ? kmalloc_uaf2+0x4a8/0x520
[   11.227818]  kasan_report+0x141/0x180
[   11.227852]  ? kmalloc_uaf2+0x4a8/0x520
[   11.227877]  __asan_report_load1_noabort+0x18/0x20
[   11.227897]  kmalloc_uaf2+0x4a8/0x520
[   11.227928]  ? __pfx_kmalloc_uaf2+0x10/0x10
[   11.227947]  ? finish_task_switch.isra.0+0x153/0x700
[   11.227971]  ? __switch_to+0x5d9/0xf60
[   11.227994]  ? dequeue_task_fair+0x166/0x4e0
[   11.228022]  ? __schedule+0x10cc/0x2b60
[   11.228045]  ? __pfx_read_tsc+0x10/0x10
[   11.228066]  ? ktime_get_ts64+0x86/0x230
[   11.228092]  kunit_try_run_case+0x1a5/0x480
[   11.228117]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.228138]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.228162]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.228184]  ? __kthread_parkme+0x82/0x180
[   11.228206]  ? preempt_count_sub+0x50/0x80
[   11.228231]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.228259]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.228283]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.228305]  kthread+0x337/0x6f0
[   11.228322]  ? trace_preempt_on+0x20/0xc0
[   11.228345]  ? __pfx_kthread+0x10/0x10
[   11.228362]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.228384]  ? calculate_sigpending+0x7b/0xa0
[   11.228405]  ? __pfx_kthread+0x10/0x10
[   11.228422]  ret_from_fork+0x41/0x80
[   11.228443]  ? __pfx_kthread+0x10/0x10
[   11.228460]  ret_from_fork_asm+0x1a/0x30
[   11.228490]  </TASK>
[   11.228502] 
[   11.242128] Allocated by task 207:
[   11.242613]  kasan_save_stack+0x45/0x70
[   11.243296]  kasan_save_track+0x18/0x40
[   11.243738]  kasan_save_alloc_info+0x3b/0x50
[   11.244139]  __kasan_kmalloc+0xb7/0xc0
[   11.244611]  __kmalloc_cache_noprof+0x189/0x420
[   11.245192]  kmalloc_uaf2+0xc6/0x520
[   11.245676]  kunit_try_run_case+0x1a5/0x480
[   11.246050]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.246227]  kthread+0x337/0x6f0
[   11.246342]  ret_from_fork+0x41/0x80
[   11.246468]  ret_from_fork_asm+0x1a/0x30
[   11.246632] 
[   11.246726] Freed by task 207:
[   11.246911]  kasan_save_stack+0x45/0x70
[   11.247161]  kasan_save_track+0x18/0x40
[   11.247350]  kasan_save_free_info+0x3f/0x60
[   11.247536]  __kasan_slab_free+0x56/0x70
[   11.247753]  kfree+0x222/0x3f0
[   11.248160]  kmalloc_uaf2+0x14c/0x520
[   11.248465]  kunit_try_run_case+0x1a5/0x480
[   11.248706]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.249060]  kthread+0x337/0x6f0
[   11.249317]  ret_from_fork+0x41/0x80
[   11.249641]  ret_from_fork_asm+0x1a/0x30
[   11.249993] 
[   11.250084] The buggy address belongs to the object at ffff888102f66e00
[   11.250084]  which belongs to the cache kmalloc-64 of size 64
[   11.250535] The buggy address is located 40 bytes inside of
[   11.250535]  freed 64-byte region [ffff888102f66e00, ffff888102f66e40)
[   11.251327] 
[   11.251475] The buggy address belongs to the physical page:
[   11.251746] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102f66
[   11.252168] flags: 0x200000000000000(node=0|zone=2)
[   11.252338] page_type: f5(slab)
[   11.252570] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   11.253038] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   11.253441] page dumped because: kasan: bad access detected
[   11.254051] 
[   11.254154] Memory state around the buggy address:
[   11.254386]  ffff888102f66d00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   11.254833]  ffff888102f66d80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   11.255301] >ffff888102f66e00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   11.255647]                                   ^
[   11.256066]  ffff888102f66e80: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   11.256392]  ffff888102f66f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.256735] ==================================================================
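All three reports are the same KUnit case (kmalloc_uaf2: allocate from kmalloc-64, kfree, then read one byte at offset 40) caught by generic KASAN. The numbers the report prints ("40 bytes inside of freed 64-byte region") are derived from the "Memory state" rows, where one shadow byte covers eight bytes of memory. The decoder below is added example code written for this page, not part of the kernel's KASAN or KUnit sources. It assumes the shadow-byte meanings from mm/kasan/kasan.h (0x00 fully addressable granule, 0x01..0x07 partially addressable, 0xFA freed object whose first granule holds free-track metadata, 0xFB freed object, 0xFC slab redzone); the struct and function names are the example's own, and the sample input is the shadow block copied from the e850-96 report above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Generic KASAN shadow encoding (mm/kasan/kasan.h): one shadow byte per 8
 * bytes of memory. 0x00 = all 8 addressable, 0x01..0x07 = that many leading
 * bytes addressable, high values are poison types. */
#define SHADOW_SCALE         8
#define KASAN_SLAB_FREE_META 0xFA /* freed object; granule holds free-track meta */
#define KASAN_SLAB_FREE      0xFB /* freed object */
#define KASAN_SLAB_REDZONE   0xFC /* redzone between slab objects */
#define MAX_SHADOW           1024

struct shadow_map {
    uint64_t base;              /* memory address covered by shadow[0] */
    uint8_t  shadow[MAX_SHADOW];
    size_t   n;
};

/* Parse "Memory state" rows: "<addr>: <16 shadow bytes>", the buggy row is
 * prefixed with '>' and followed by a caret line. Rows must be contiguous.
 * Returns 0 on success, -1 on malformed input. */
static int parse_shadow(const char *text, struct shadow_map *m)
{
    m->n = 0;
    for (const char *p = text; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[160];
        if (len >= sizeof line) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = eol ? eol + 1 : p + len;

        char *s = line;
        while (*s == ' ' || *s == '>') s++;
        if (*s == '\0' || *s == '^') continue;      /* blank or caret line */
        char *colon;
        uint64_t addr = strtoull(s, &colon, 16);
        if (*colon != ':') return -1;
        if (m->n == 0) m->base = addr;
        else if (addr != m->base + m->n * SHADOW_SCALE) return -1;
        s = colon + 1;
        for (int i = 0; i < 16; i++) {
            char *end;
            unsigned long v = strtoul(s, &end, 16);
            if (end == s || v > 0xFF || m->n >= MAX_SHADOW) return -1;
            m->shadow[m->n++] = (uint8_t)v;
            s = end;
        }
    }
    return m->n ? 0 : -1;
}

struct freed_region {
    uint64_t start, end;   /* [start, end) of the freed object */
    uint64_t offset;       /* offset of the bad access inside it */
    uint8_t  poison;       /* shadow byte covering the bad address */
};

static int is_freed(uint8_t s)
{
    return s == KASAN_SLAB_FREE || s == KASAN_SLAB_FREE_META;
}

/* Recover the freed object's bounds around addr: walk back over 0xFB granules
 * to the 0xFA granule that starts the object, forward until the 0xFC redzone. */
static int locate_freed_object(const struct shadow_map *m, uint64_t addr,
                               struct freed_region *r)
{
    if (addr < m->base || addr >= m->base + m->n * SHADOW_SCALE) return -1;
    size_t i = (addr - m->base) / SHADOW_SCALE;
    if (!is_freed(m->shadow[i])) return -1;    /* not inside a freed object */
    size_t lo = i, hi = i;
    while (lo > 0 && m->shadow[lo] != KASAN_SLAB_FREE_META && is_freed(m->shadow[lo - 1]))
        lo--;
    while (hi + 1 < m->n && m->shadow[hi + 1] == KASAN_SLAB_FREE)
        hi++;
    r->start  = m->base + lo * SHADOW_SCALE;
    r->end    = m->base + (hi + 1) * SHADOW_SCALE;
    r->offset = addr - r->start;
    r->poison = m->shadow[i];
    return 0;
}

/* Size of a live object starting at addr: each 0x00 granule is 8 bytes, a
 * trailing 0x01..0x07 granule adds that many bytes. */
static size_t live_object_size(const struct shadow_map *m, uint64_t addr)
{
    if (addr < m->base) return 0;
    size_t i = (addr - m->base) / SHADOW_SCALE, size = 0;
    while (i < m->n && m->shadow[i] == 0x00) { size += SHADOW_SCALE; i++; }
    if (i < m->n && m->shadow[i] >= 1 && m->shadow[i] <= 7) size += m->shadow[i];
    return size;
}

/* Sample input: the "Memory state" block of the e850-96 report, copied verbatim. */
static const char E850_SHADOW[] =
    " ffff000802e1aa80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n"
    " ffff000802e1ab00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n"
    ">ffff000802e1ab80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n"
    "                                   ^\n"
    " ffff000802e1ac00: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc\n"
    " ffff000802e1ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n";

int main(void)
{
    struct shadow_map m;
    struct freed_region r;
    if (parse_shadow(E850_SHADOW, &m) ||
        locate_freed_object(&m, 0xffff000802e1aba8ULL, &r)) {
        fprintf(stderr, "could not decode shadow block\n");
        return 1;
    }
    printf("poison 0x%02x: %llu bytes inside freed %llu-byte region [%#llx, %#llx)\n",
           r.poison, (unsigned long long)r.offset,
           (unsigned long long)(r.end - r.start),
           (unsigned long long)r.start, (unsigned long long)r.end);
    printf("next slot holds a live object of %zu bytes\n",
           live_object_size(&m, 0xffff000802e1ac00ULL));
    return 0;
}
```

On the e850-96 rows this reports poison 0xfb, 40 bytes inside the freed 64-byte region [0xffff000802e1ab80, 0xffff000802e1abc0), matching what KASAN printed, and decodes the slot after it (ffff000802e1ac00) as a live 43-byte allocation (five 0x00 granules plus a 0x03 partial granule). Two things worth keeping in mind when reading these dumps by hand: the 0xFA in the first granule is why the freed object's start is unambiguous even when two freed objects sit next to each other, and the 64 bytes of 0xFC following each object are redzone in which KASAN keeps its per-object metadata, not the next object, which is why a kmalloc-64 slot occupies 128 bytes here.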