Date
July 3, 2025, 3:13 p.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64

```
[   15.741469] ==================================================================
[   15.742146] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[   15.742425] Read of size 1 at addr fff00000c63d0428 by task kunit_try_catch/191
[   15.742484]
[   15.742700] CPU: 1 UID: 0 PID: 191 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc1 #1 PREEMPT
[   15.742911] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.743079] Hardware name: linux,dummy-virt (DT)
[   15.743115] Call trace:
[   15.743168]  show_stack+0x20/0x38 (C)
[   15.743541]  dump_stack_lvl+0x8c/0xd0
[   15.743770]  print_report+0x118/0x608
[   15.743944]  kasan_report+0xdc/0x128
[   15.744125]  __asan_report_load1_noabort+0x20/0x30
[   15.744371]  kmalloc_uaf2+0x3f4/0x468
[   15.744602]  kunit_try_run_case+0x170/0x3f0
[   15.744686]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.744795]  kthread+0x328/0x630
[   15.744991]  ret_from_fork+0x10/0x20
[   15.745224]
[   15.745284] Allocated by task 191:
[   15.745577]  kasan_save_stack+0x3c/0x68
[   15.745646]  kasan_save_track+0x20/0x40
[   15.745755]  kasan_save_alloc_info+0x40/0x58
[   15.745836]  __kasan_kmalloc+0xd4/0xd8
[   15.746109]  __kmalloc_cache_noprof+0x16c/0x3c0
[   15.746326]  kmalloc_uaf2+0xc4/0x468
[   15.746526]  kunit_try_run_case+0x170/0x3f0
[   15.746567]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.746849]  kthread+0x328/0x630
[   15.746908]  ret_from_fork+0x10/0x20
[   15.746958]
[   15.746977] Freed by task 191:
[   15.747003]  kasan_save_stack+0x3c/0x68
[   15.747040]  kasan_save_track+0x20/0x40
[   15.747084]  kasan_save_free_info+0x4c/0x78
[   15.747122]  __kasan_slab_free+0x6c/0x98
[   15.747167]  kfree+0x214/0x3c8
[   15.747206]  kmalloc_uaf2+0x134/0x468
[   15.747242]  kunit_try_run_case+0x170/0x3f0
[   15.747282]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   15.747335]  kthread+0x328/0x630
[   15.747368]  ret_from_fork+0x10/0x20
[   15.747425]
[   15.747444] The buggy address belongs to the object at fff00000c63d0400
[   15.747444]  which belongs to the cache kmalloc-64 of size 64
[   15.747502] The buggy address is located 40 bytes inside of
[   15.747502]  freed 64-byte region [fff00000c63d0400, fff00000c63d0440)
[   15.747573]
[   15.747603] The buggy address belongs to the physical page:
[   15.747644] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063d0
[   15.747700] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   15.747748] page_type: f5(slab)
[   15.747789] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   15.747848] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   15.747897] page dumped because: kasan: bad access detected
[   15.747928]
[   15.747998] Memory state around the buggy address:
[   15.748161]  fff00000c63d0300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   15.748458]  fff00000c63d0380: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   15.748855] >fff00000c63d0400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   15.749143]                                   ^
[   15.749438]  fff00000c63d0480: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   15.749625]  fff00000c63d0500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.749913] ==================================================================
```
qemu-x86_64

```
[   11.489686] ==================================================================
[   11.490440] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4a8/0x520
[   11.490932] Read of size 1 at addr ffff888102dccba8 by task kunit_try_catch/207
[   11.491484]
[   11.491617] CPU: 1 UID: 0 PID: 207 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc1 #1 PREEMPT(voluntary)
[   11.491663] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.491674] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.491695] Call Trace:
[   11.491707]  <TASK>
[   11.491721]  dump_stack_lvl+0x73/0xb0
[   11.491934]  print_report+0xd1/0x650
[   11.491957]  ? __virt_addr_valid+0x1db/0x2d0
[   11.491978]  ? kmalloc_uaf2+0x4a8/0x520
[   11.491999]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.492021]  ? kmalloc_uaf2+0x4a8/0x520
[   11.492042]  kasan_report+0x141/0x180
[   11.492065]  ? kmalloc_uaf2+0x4a8/0x520
[   11.492090]  __asan_report_load1_noabort+0x18/0x20
[   11.492111]  kmalloc_uaf2+0x4a8/0x520
[   11.492132]  ? __pfx_kmalloc_uaf2+0x10/0x10
[   11.492152]  ? finish_task_switch.isra.0+0x153/0x700
[   11.492176]  ? __switch_to+0x5d9/0xf60
[   11.492197]  ? dequeue_task_fair+0x166/0x4e0
[   11.492222]  ? __schedule+0x10cc/0x2b60
[   11.492258]  ? __pfx_read_tsc+0x10/0x10
[   11.492328]  ? ktime_get_ts64+0x86/0x230
[   11.492355]  kunit_try_run_case+0x1a5/0x480
[   11.492380]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.492402]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.492425]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.492448]  ? __kthread_parkme+0x82/0x180
[   11.492470]  ? preempt_count_sub+0x50/0x80
[   11.492494]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.492518]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.492540]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.492563]  kthread+0x337/0x6f0
[   11.492580]  ? trace_preempt_on+0x20/0xc0
[   11.492603]  ? __pfx_kthread+0x10/0x10
[   11.492620]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.492642]  ? calculate_sigpending+0x7b/0xa0
[   11.492663]  ? __pfx_kthread+0x10/0x10
[   11.492681]  ret_from_fork+0x41/0x80
[   11.492701]  ? __pfx_kthread+0x10/0x10
[   11.492719]  ret_from_fork_asm+0x1a/0x30
[   11.492749]  </TASK>
[   11.492760]
[   11.504620] Allocated by task 207:
[   11.505037]  kasan_save_stack+0x45/0x70
[   11.505463]  kasan_save_track+0x18/0x40
[   11.506065]  kasan_save_alloc_info+0x3b/0x50
[   11.506263]  __kasan_kmalloc+0xb7/0xc0
[   11.506524]  __kmalloc_cache_noprof+0x189/0x420
[   11.506748]  kmalloc_uaf2+0xc6/0x520
[   11.507044]  kunit_try_run_case+0x1a5/0x480
[   11.507487]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.508054]  kthread+0x337/0x6f0
[   11.508374]  ret_from_fork+0x41/0x80
[   11.508626]  ret_from_fork_asm+0x1a/0x30
[   11.508884]
[   11.509058] Freed by task 207:
[   11.509355]  kasan_save_stack+0x45/0x70
[   11.509809]  kasan_save_track+0x18/0x40
[   11.509964]  kasan_save_free_info+0x3f/0x60
[   11.510106]  __kasan_slab_free+0x56/0x70
[   11.510254]  kfree+0x222/0x3f0
[   11.510706]  kmalloc_uaf2+0x14c/0x520
[   11.511051]  kunit_try_run_case+0x1a5/0x480
[   11.511477]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.512023]  kthread+0x337/0x6f0
[   11.512361]  ret_from_fork+0x41/0x80
[   11.512783]  ret_from_fork_asm+0x1a/0x30
[   11.513122]
[   11.513195] The buggy address belongs to the object at ffff888102dccb80
[   11.513195]  which belongs to the cache kmalloc-64 of size 64
[   11.514456] The buggy address is located 40 bytes inside of
[   11.514456]  freed 64-byte region [ffff888102dccb80, ffff888102dccbc0)
[   11.514941]
[   11.515013] The buggy address belongs to the physical page:
[   11.515182] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102dcc
[   11.515434] flags: 0x200000000000000(node=0|zone=2)
[   11.515853] page_type: f5(slab)
[   11.516006] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   11.516315] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   11.516598] page dumped because: kasan: bad access detected
[   11.516944]
[   11.517041] Memory state around the buggy address:
[   11.517280]  ffff888102dcca80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   11.517702]  ffff888102dccb00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   11.517991] >ffff888102dccb80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   11.518335]                                   ^
[   11.518568]  ffff888102dccc00: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   11.518798]  ffff888102dccc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.519092] ==================================================================
```