Date
July 4, 2025, 3:11 p.m.
Environment |
---|
e850-96 |
qemu-arm64 |
qemu-x86_64 |
x86 |
e850-96:

```
[ 24.689640] ==================================================================
[ 24.698738] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 24.705505] Read of size 16 at addr ffff000801716f40 by task kunit_try_catch/217
[ 24.712884]
[ 24.714369] CPU: 1 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT
[ 24.714424] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.714440] Hardware name: WinLink E850-96 board (DT)
[ 24.714462] Call trace:
[ 24.714476] show_stack+0x20/0x38 (C)
[ 24.714510] dump_stack_lvl+0x8c/0xd0
[ 24.714546] print_report+0x118/0x608
[ 24.714577] kasan_report+0xdc/0x128
[ 24.714606] __asan_report_load16_noabort+0x20/0x30
[ 24.714642] kmalloc_uaf_16+0x3bc/0x438
[ 24.714672] kunit_try_run_case+0x170/0x3f0
[ 24.714707] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.714744] kthread+0x328/0x630
[ 24.714779] ret_from_fork+0x10/0x20
[ 24.714813]
[ 24.776944] Allocated by task 217:
[ 24.780333] kasan_save_stack+0x3c/0x68
[ 24.784148] kasan_save_track+0x20/0x40
[ 24.787968] kasan_save_alloc_info+0x40/0x58
[ 24.792221] __kasan_kmalloc+0xd4/0xd8
[ 24.795955] __kmalloc_cache_noprof+0x16c/0x3c0
[ 24.800468] kmalloc_uaf_16+0x140/0x438
[ 24.804287] kunit_try_run_case+0x170/0x3f0
[ 24.808454] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.813923] kthread+0x328/0x630
[ 24.817135] ret_from_fork+0x10/0x20
[ 24.820693]
[ 24.822170] Freed by task 217:
[ 24.825208] kasan_save_stack+0x3c/0x68
[ 24.829026] kasan_save_track+0x20/0x40
[ 24.832846] kasan_save_free_info+0x4c/0x78
[ 24.837012] __kasan_slab_free+0x6c/0x98
[ 24.840918] kfree+0x214/0x3c8
[ 24.843957] kmalloc_uaf_16+0x190/0x438
[ 24.847778] kunit_try_run_case+0x170/0x3f0
[ 24.851942] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 24.857411] kthread+0x328/0x630
[ 24.860623] ret_from_fork+0x10/0x20
[ 24.864182]
[ 24.865660] The buggy address belongs to the object at ffff000801716f40
[ 24.865660] which belongs to the cache kmalloc-16 of size 16
[ 24.877988] The buggy address is located 0 bytes inside of
[ 24.877988] freed 16-byte region [ffff000801716f40, ffff000801716f50)
[ 24.889963]
[ 24.891441] The buggy address belongs to the physical page:
[ 24.896999] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881716
[ 24.904983] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 24.911492] page_type: f5(slab)
[ 24.914630] raw: 0bfffe0000000000 ffff000800002640 dead000000000122 0000000000000000
[ 24.922348] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 24.930068] page dumped because: kasan: bad access detected
[ 24.935622]
[ 24.937097] Memory state around the buggy address:
[ 24.941881]  ffff000801716e00: 00 02 fc fc 00 06 fc fc 00 06 fc fc 00 04 fc fc
[ 24.949080]  ffff000801716e80: 00 04 fc fc 00 01 fc fc 00 01 fc fc 00 04 fc fc
[ 24.956287] >ffff000801716f00: 00 04 fc fc 00 00 fc fc fa fb fc fc fc fc fc fc
[ 24.963486]                                            ^
[ 24.968785]  ffff000801716f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.975991]  ffff000801717000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 24.983192] ==================================================================
```
qemu-arm64:

```
[ 15.563785] ==================================================================
[ 15.563846] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 15.563901] Read of size 16 at addr fff00000c62712e0 by task kunit_try_catch/173
[ 15.564043]
[ 15.564080] CPU: 0 UID: 0 PID: 173 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT
[ 15.564159] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.564185] Hardware name: linux,dummy-virt (DT)
[ 15.564215] Call trace:
[ 15.564236] show_stack+0x20/0x38 (C)
[ 15.564285] dump_stack_lvl+0x8c/0xd0
[ 15.564373] print_report+0x118/0x608
[ 15.564425] kasan_report+0xdc/0x128
[ 15.564470] __asan_report_load16_noabort+0x20/0x30
[ 15.564524] kmalloc_uaf_16+0x3bc/0x438
[ 15.564593] kunit_try_run_case+0x170/0x3f0
[ 15.564667] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.564722] kthread+0x328/0x630
[ 15.564769] ret_from_fork+0x10/0x20
[ 15.564816]
[ 15.564834] Allocated by task 173:
[ 15.564888] kasan_save_stack+0x3c/0x68
[ 15.564927] kasan_save_track+0x20/0x40
[ 15.564962] kasan_save_alloc_info+0x40/0x58
[ 15.564999] __kasan_kmalloc+0xd4/0xd8
[ 15.565032] __kmalloc_cache_noprof+0x16c/0x3c0
[ 15.565069] kmalloc_uaf_16+0x140/0x438
[ 15.565106] kunit_try_run_case+0x170/0x3f0
[ 15.565143] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.565186] kthread+0x328/0x630
[ 15.565650] ret_from_fork+0x10/0x20
[ 15.565694]
[ 15.565714] Freed by task 173:
[ 15.565740] kasan_save_stack+0x3c/0x68
[ 15.565777] kasan_save_track+0x20/0x40
[ 15.565812] kasan_save_free_info+0x4c/0x78
[ 15.566301] __kasan_slab_free+0x6c/0x98
[ 15.566381] kfree+0x214/0x3c8
[ 15.566551] kmalloc_uaf_16+0x190/0x438
[ 15.566746] kunit_try_run_case+0x170/0x3f0
[ 15.566862] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.566987] kthread+0x328/0x630
[ 15.567121] ret_from_fork+0x10/0x20
[ 15.567270]
[ 15.567309] The buggy address belongs to the object at fff00000c62712e0
[ 15.567309] which belongs to the cache kmalloc-16 of size 16
[ 15.567625] The buggy address is located 0 bytes inside of
[ 15.567625] freed 16-byte region [fff00000c62712e0, fff00000c62712f0)
[ 15.567763]
[ 15.567791] The buggy address belongs to the physical page:
[ 15.567886] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106271
[ 15.567987] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 15.568219] page_type: f5(slab)
[ 15.568354] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 15.568430] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 15.568472] page dumped because: kasan: bad access detected
[ 15.568502]
[ 15.568520] Memory state around the buggy address:
[ 15.568550]  fff00000c6271180: 00 02 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 15.568591]  fff00000c6271200: fa fb fc fc fa fb fc fc 00 04 fc fc fa fb fc fc
[ 15.568649] >fff00000c6271280: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[ 15.568686]                                                        ^
[ 15.569091]  fff00000c6271300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.569204]  fff00000c6271380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.569240] ==================================================================
```
qemu-x86_64:

```
[ 14.258644] ==================================================================
[ 14.259209] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[ 14.259910] Read of size 16 at addr ffff888102317920 by task kunit_try_catch/189
[ 14.261373]
[ 14.261632] CPU: 1 UID: 0 PID: 189 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT(voluntary)
[ 14.261734] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.261762] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.261806] Call Trace:
[ 14.261858] <TASK>
[ 14.261894] dump_stack_lvl+0x73/0xb0
[ 14.261959] print_report+0xd1/0x650
[ 14.262005] ? __virt_addr_valid+0x1db/0x2d0
[ 14.262053] ? kmalloc_uaf_16+0x47b/0x4c0
[ 14.262105] ? kasan_complete_mode_report_info+0x64/0x200
[ 14.262130] ? kmalloc_uaf_16+0x47b/0x4c0
[ 14.262153] kasan_report+0x141/0x180
[ 14.262177] ? kmalloc_uaf_16+0x47b/0x4c0
[ 14.262209] __asan_report_load16_noabort+0x18/0x20
[ 14.262275] kmalloc_uaf_16+0x47b/0x4c0
[ 14.262314] ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 14.262366] ? __schedule+0x10cc/0x2b60
[ 14.262394] ? __pfx_read_tsc+0x10/0x10
[ 14.262417] ? ktime_get_ts64+0x86/0x230
[ 14.262444] kunit_try_run_case+0x1a5/0x480
[ 14.262471] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.262493] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.262518] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.262542] ? __kthread_parkme+0x82/0x180
[ 14.262565] ? preempt_count_sub+0x50/0x80
[ 14.262592] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.262615] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.262639] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.262662] kthread+0x337/0x6f0
[ 14.262680] ? trace_preempt_on+0x20/0xc0
[ 14.262704] ? __pfx_kthread+0x10/0x10
[ 14.262724] ? _raw_spin_unlock_irq+0x47/0x80
[ 14.262746] ? calculate_sigpending+0x7b/0xa0
[ 14.262769] ? __pfx_kthread+0x10/0x10
[ 14.262789] ret_from_fork+0x41/0x80
[ 14.262810] ? __pfx_kthread+0x10/0x10
[ 14.262829] ret_from_fork_asm+0x1a/0x30
[ 14.262861] </TASK>
[ 14.262874]
[ 14.275945] Allocated by task 189:
[ 14.276649] kasan_save_stack+0x45/0x70
[ 14.277028] kasan_save_track+0x18/0x40
[ 14.277904] kasan_save_alloc_info+0x3b/0x50
[ 14.278424] __kasan_kmalloc+0xb7/0xc0
[ 14.278889] __kmalloc_cache_noprof+0x189/0x420
[ 14.279427] kmalloc_uaf_16+0x15b/0x4c0
[ 14.279738] kunit_try_run_case+0x1a5/0x480
[ 14.280614] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.281064] kthread+0x337/0x6f0
[ 14.281643] ret_from_fork+0x41/0x80
[ 14.281886] ret_from_fork_asm+0x1a/0x30
[ 14.282073]
[ 14.282259] Freed by task 189:
[ 14.282852] kasan_save_stack+0x45/0x70
[ 14.283138] kasan_save_track+0x18/0x40
[ 14.283287] kasan_save_free_info+0x3f/0x60
[ 14.283448] __kasan_slab_free+0x56/0x70
[ 14.283771] kfree+0x222/0x3f0
[ 14.284058] kmalloc_uaf_16+0x1d6/0x4c0
[ 14.284888] kunit_try_run_case+0x1a5/0x480
[ 14.285420] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.286039] kthread+0x337/0x6f0
[ 14.286582] ret_from_fork+0x41/0x80
[ 14.286794] ret_from_fork_asm+0x1a/0x30
[ 14.287019]
[ 14.287139] The buggy address belongs to the object at ffff888102317920
[ 14.287139] which belongs to the cache kmalloc-16 of size 16
[ 14.287724] The buggy address is located 0 bytes inside of
[ 14.287724] freed 16-byte region [ffff888102317920, ffff888102317930)
[ 14.288274]
[ 14.289601] The buggy address belongs to the physical page:
[ 14.289857] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102317
[ 14.290491] flags: 0x200000000000000(node=0|zone=2)
[ 14.290754] page_type: f5(slab)
[ 14.291076] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 14.291558] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 14.291985] page dumped because: kasan: bad access detected
[ 14.292282]
[ 14.293147] Memory state around the buggy address:
[ 14.294016]  ffff888102317800: 00 02 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 14.294794]  ffff888102317880: 00 04 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 14.295480] >ffff888102317900: 00 00 fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[ 14.295838]                                ^
[ 14.296071]  ffff888102317980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.296525]  ffff888102317a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.297011] ==================================================================
```
x86:

```
[ 28.522203] ==================================================================
[ 28.533024] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[ 28.539820] Read of size 16 at addr ffff888104962a20 by task kunit_try_catch/211
[ 28.547218]
[ 28.548721] CPU: 1 UID: 0 PID: 211 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT(voluntary)
[ 28.548729] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 28.548731] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[ 28.548735] Call Trace:
[ 28.548736] <TASK>
[ 28.548738] dump_stack_lvl+0x73/0xb0
[ 28.548742] print_report+0xd1/0x650
[ 28.548746] ? __virt_addr_valid+0x1db/0x2d0
[ 28.548750] ? kmalloc_uaf_16+0x47b/0x4c0
[ 28.548754] ? kasan_complete_mode_report_info+0x64/0x200
[ 28.548758] ? kmalloc_uaf_16+0x47b/0x4c0
[ 28.548762] kasan_report+0x141/0x180
[ 28.548767] ? kmalloc_uaf_16+0x47b/0x4c0
[ 28.548772] __asan_report_load16_noabort+0x18/0x20
[ 28.548776] kmalloc_uaf_16+0x47b/0x4c0
[ 28.548780] ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 28.548784] ? __schedule+0x10cc/0x2b60
[ 28.548789] ? ktime_get_ts64+0x83/0x230
[ 28.548793] kunit_try_run_case+0x1a2/0x480
[ 28.548798] ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.548802] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 28.548807] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 28.548812] ? __kthread_parkme+0x82/0x180
[ 28.548816] ? preempt_count_sub+0x50/0x80
[ 28.548820] ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.548825] kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 28.548829] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 28.548834] kthread+0x334/0x6f0
[ 28.548837] ? trace_preempt_on+0x20/0xc0
[ 28.548841] ? __pfx_kthread+0x10/0x10
[ 28.548844] ? _raw_spin_unlock_irq+0x47/0x80
[ 28.548848] ? calculate_sigpending+0x7b/0xa0
[ 28.548852] ? __pfx_kthread+0x10/0x10
[ 28.548855] ret_from_fork+0x3e/0x80
[ 28.548859] ? __pfx_kthread+0x10/0x10
[ 28.548862] ret_from_fork_asm+0x1a/0x30
[ 28.548868] </TASK>
[ 28.548869]
[ 28.710482] Allocated by task 211:
[ 28.713902] kasan_save_stack+0x45/0x70
[ 28.717753] kasan_save_track+0x18/0x40
[ 28.721591] kasan_save_alloc_info+0x3b/0x50
[ 28.725864] __kasan_kmalloc+0xb7/0xc0
[ 28.729616] __kmalloc_cache_noprof+0x189/0x420
[ 28.734151] kmalloc_uaf_16+0x15b/0x4c0
[ 28.737998] kunit_try_run_case+0x1a2/0x480
[ 28.742184] kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 28.747583] kthread+0x334/0x6f0
[ 28.750816] ret_from_fork+0x3e/0x80
[ 28.754394] ret_from_fork_asm+0x1a/0x30
[ 28.758320]
[ 28.759820] Freed by task 211:
[ 28.762881] kasan_save_stack+0x45/0x70
[ 28.766747] kasan_save_track+0x18/0x40
[ 28.770585] kasan_save_free_info+0x3f/0x60
[ 28.774771] __kasan_slab_free+0x56/0x70
[ 28.778698] kfree+0x222/0x3f0
[ 28.781756] kmalloc_uaf_16+0x1d6/0x4c0
[ 28.785594] kunit_try_run_case+0x1a2/0x480
[ 28.789782] kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 28.795182] kthread+0x334/0x6f0
[ 28.798412] ret_from_fork+0x3e/0x80
[ 28.801991] ret_from_fork_asm+0x1a/0x30
[ 28.805917]
[ 28.807435] The buggy address belongs to the object at ffff888104962a20
[ 28.807435] which belongs to the cache kmalloc-16 of size 16
[ 28.819776] The buggy address is located 0 bytes inside of
[ 28.819776] freed 16-byte region [ffff888104962a20, ffff888104962a30)
[ 28.831771]
[ 28.833270] The buggy address belongs to the physical page:
[ 28.838845] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104962
[ 28.846850] flags: 0x200000000000000(node=0|zone=2)
[ 28.851731] page_type: f5(slab)
[ 28.854876] raw: 0200000000000000 ffff888100042640 dead000000000122 0000000000000000
[ 28.862641] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 28.870381] page dumped because: kasan: bad access detected
[ 28.875953]
[ 28.877452] Memory state around the buggy address:
[ 28.882245]  ffff888104962900: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 28.889466]  ffff888104962980: 00 05 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 28.896685] >ffff888104962a00: 00 00 fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[ 28.903918]                                ^
[ 28.908209]  ffff888104962a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.915430]  ffff888104962b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.922650] ==================================================================
```