Hay
Date: Feb. 5, 2025, 2:09 p.m.

Environment: qemu-arm64

[  180.148557] ==================================================================
[  180.150460] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x108/0x290
[  180.152083] Read of size 1 at addr ffff0000c600ca28 by task kunit_try_catch/166
[  180.153615] 
[  180.155051] CPU: 1 PID: 166 Comm: kunit_try_catch Tainted: G    B            N 6.6.76-rc1 #1
[  180.157032] Hardware name: linux,dummy-virt (DT)
[  180.158907] Call trace:
[  180.160158]  dump_backtrace+0x9c/0x128
[  180.161632]  show_stack+0x20/0x38
[  180.162751]  dump_stack_lvl+0x60/0xb0
[  180.163963]  print_report+0xf8/0x5d8
[  180.165143]  kasan_report+0xc8/0x118
[  180.166324]  __asan_load1+0x60/0x70
[  180.167452]  kmalloc_uaf2+0x108/0x290
[  180.168469]  kunit_try_run_case+0xf8/0x260
[  180.169979]  kunit_generic_run_threadfn_adapter+0x38/0x60
[  180.172123]  kthread+0x18c/0x1a8
[  180.173311]  ret_from_fork+0x10/0x20
[  180.174507] 
[  180.175000] Allocated by task 166:
[  180.176257]  kasan_save_stack+0x3c/0x68
[  180.177845]  kasan_set_track+0x2c/0x40
[  180.179051]  kasan_save_alloc_info+0x24/0x38
[  180.180370]  __kasan_kmalloc+0xd4/0xd8
[  180.181497]  kmalloc_trace+0x68/0x130
[  180.182557]  kmalloc_uaf2+0xb4/0x290
[  180.183623]  kunit_try_run_case+0xf8/0x260
[  180.184868]  kunit_generic_run_threadfn_adapter+0x38/0x60
[  180.186462]  kthread+0x18c/0x1a8
[  180.187232]  ret_from_fork+0x10/0x20
[  180.188117] 
[  180.188550] Freed by task 166:
[  180.190640]  kasan_save_stack+0x3c/0x68
[  180.192058]  kasan_set_track+0x2c/0x40
[  180.193520]  kasan_save_free_info+0x38/0x60
[  180.194660]  __kasan_slab_free+0x100/0x170
[  180.195920]  __kmem_cache_free+0x170/0x2e0
[  180.197190]  kfree+0x74/0x138
[  180.198117]  kmalloc_uaf2+0xc8/0x290
[  180.199241]  kunit_try_run_case+0xf8/0x260
[  180.200369]  kunit_generic_run_threadfn_adapter+0x38/0x60
[  180.201982]  kthread+0x18c/0x1a8
[  180.203191]  ret_from_fork+0x10/0x20
[  180.204075] 
[  180.204492] The buggy address belongs to the object at ffff0000c600ca00
[  180.204492]  which belongs to the cache kmalloc-64 of size 64
[  180.207791] The buggy address is located 40 bytes inside of
[  180.207791]  freed 64-byte region [ffff0000c600ca00, ffff0000c600ca40)
[  180.210934] 
[  180.211619] The buggy address belongs to the physical page:
[  180.212915] page:000000007a3032c1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10600c
[  180.215488] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff)
[  180.217147] page_type: 0xffffffff()
[  180.219028] raw: 0bfffc0000000800 ffff0000c0001640 dead000000000122 0000000000000000
[  180.220733] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[  180.222601] page dumped because: kasan: bad access detected
[  180.223887] 
[  180.224446] Memory state around the buggy address:
[  180.226118]  ffff0000c600c900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  180.228927]  ffff0000c600c980: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  180.230887] >ffff0000c600ca00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  180.232156]                                   ^
[  180.234005]  ffff0000c600ca80: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[  180.235260]  ffff0000c600cb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  180.238437] ==================================================================