Date
Feb. 5, 2025, 2:09 p.m.
| Environment |
|---|
| qemu-arm64 |
```
[ 179.930421] ==================================================================
[ 179.932869] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0xc8/0x1d0
[ 179.934791] Read of size 1 at addr ffff0000c5e9f5a8 by task kunit_try_catch/162
[ 179.936548]
[ 179.937740] CPU: 0 PID: 162 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1
[ 179.939692] Hardware name: linux,dummy-virt (DT)
[ 179.940811] Call trace:
[ 179.941504]  dump_backtrace+0x9c/0x128
[ 179.942928]  show_stack+0x20/0x38
[ 179.943925]  dump_stack_lvl+0x60/0xb0
[ 179.945457]  print_report+0xf8/0x5d8
[ 179.946667]  kasan_report+0xc8/0x118
[ 179.947808]  __asan_load1+0x60/0x70
[ 179.949278]  kmalloc_uaf+0xc8/0x1d0
[ 179.950425]  kunit_try_run_case+0xf8/0x260
[ 179.951649]  kunit_generic_run_threadfn_adapter+0x38/0x60
[ 179.953254]  kthread+0x18c/0x1a8
[ 179.954148]  ret_from_fork+0x10/0x20
[ 179.955823]
[ 179.956665] Allocated by task 162:
[ 179.957544]  kasan_save_stack+0x3c/0x68
[ 179.958972]  kasan_set_track+0x2c/0x40
[ 179.960081]  kasan_save_alloc_info+0x24/0x38
[ 179.961551]  __kasan_kmalloc+0xd4/0xd8
[ 179.962771]  kmalloc_trace+0x68/0x130
[ 179.963737]  kmalloc_uaf+0x9c/0x1d0
[ 179.964792]  kunit_try_run_case+0xf8/0x260
[ 179.966238]  kunit_generic_run_threadfn_adapter+0x38/0x60
[ 179.967844]  kthread+0x18c/0x1a8
[ 179.968922]  ret_from_fork+0x10/0x20
[ 179.970430]
[ 179.971008] Freed by task 162:
[ 179.971845]  kasan_save_stack+0x3c/0x68
[ 179.973271]  kasan_set_track+0x2c/0x40
[ 179.974700]  kasan_save_free_info+0x38/0x60
[ 179.976100]  __kasan_slab_free+0x100/0x170
[ 179.977922]  __kmem_cache_free+0x170/0x2e0
[ 179.979179]  kfree+0x74/0x138
[ 179.980185]  kmalloc_uaf+0xb8/0x1d0
[ 179.981313]  kunit_try_run_case+0xf8/0x260
[ 179.982463]  kunit_generic_run_threadfn_adapter+0x38/0x60
[ 179.984100]  kthread+0x18c/0x1a8
[ 179.985071]  ret_from_fork+0x10/0x20
[ 179.986433]
[ 179.986844] The buggy address belongs to the object at ffff0000c5e9f5a0
[ 179.986844]  which belongs to the cache kmalloc-16 of size 16
[ 179.989946] The buggy address is located 8 bytes inside of
[ 179.989946]  freed 16-byte region [ffff0000c5e9f5a0, ffff0000c5e9f5b0)
[ 179.992429]
[ 179.992983] The buggy address belongs to the physical page:
[ 179.994428] page:00000000a166c351 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105e9f
[ 179.996831] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff)
[ 179.998771] page_type: 0xffffffff()
[ 179.999925] raw: 0bfffc0000000800 ffff0000c00013c0 dead000000000122 0000000000000000
[ 180.002122] raw: 0000000000000000 0000000080800080 00000001ffffffff 0000000000000000
[ 180.003656] page dumped because: kasan: bad access detected
[ 180.005320]
[ 180.005772] Memory state around the buggy address:
[ 180.007121]  ffff0000c5e9f480: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 02 fc fc
[ 180.008694]  ffff0000c5e9f500: 00 02 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 180.010901] >ffff0000c5e9f580: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[ 180.012504]                                   ^
[ 180.013856]  ffff0000c5e9f600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 180.015646]  ffff0000c5e9f680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 180.017947] ==================================================================
```