Date
Feb. 5, 2025, 2:09 p.m.
| Environment | |
|---|---|
| qemu-arm64 |
[ 179.161841] ================================================================== [ 179.164127] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x100/0x258 [ 179.165646] Read of size 16 at addr ffff0000c0b71d20 by task kunit_try_catch/146 [ 179.167143] [ 179.167971] CPU: 1 PID: 146 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1 [ 179.170333] Hardware name: linux,dummy-virt (DT) [ 179.171593] Call trace: [ 179.172360] dump_backtrace+0x9c/0x128 [ 179.173612] show_stack+0x20/0x38 [ 179.175187] dump_stack_lvl+0x60/0xb0 [ 179.176370] print_report+0xf8/0x5d8 [ 179.177633] kasan_report+0xc8/0x118 [ 179.178776] __asan_load16+0xa4/0xa8 [ 179.179896] kmalloc_uaf_16+0x100/0x258 [ 179.180969] kunit_try_run_case+0xf8/0x260 [ 179.182708] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 179.183554] kthread+0x18c/0x1a8 [ 179.184717] ret_from_fork+0x10/0x20 [ 179.186029] [ 179.186875] Allocated by task 146: [ 179.188183] kasan_save_stack+0x3c/0x68 [ 179.189930] kasan_set_track+0x2c/0x40 [ 179.191228] kasan_save_alloc_info+0x24/0x38 [ 179.192550] __kasan_kmalloc+0xd4/0xd8 [ 179.193838] kmalloc_trace+0x68/0x130 [ 179.195001] kmalloc_uaf_16+0xcc/0x258 [ 179.196127] kunit_try_run_case+0xf8/0x260 [ 179.197435] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 179.198827] kthread+0x18c/0x1a8 [ 179.199766] ret_from_fork+0x10/0x20 [ 179.200835] [ 179.201687] Freed by task 146: [ 179.202455] kasan_save_stack+0x3c/0x68 [ 179.203676] kasan_set_track+0x2c/0x40 [ 179.204803] kasan_save_free_info+0x38/0x60 [ 179.206080] __kasan_slab_free+0x100/0x170 [ 179.207093] __kmem_cache_free+0x170/0x2e0 [ 179.209936] kfree+0x74/0x138 [ 179.211043] kmalloc_uaf_16+0xe8/0x258 [ 179.212159] kunit_try_run_case+0xf8/0x260 [ 179.213665] kunit_generic_run_threadfn_adapter+0x38/0x60 [ 179.214802] kthread+0x18c/0x1a8 [ 179.215775] ret_from_fork+0x10/0x20 [ 179.216862] [ 179.217821] The buggy address belongs to the object at ffff0000c0b71d20 [ 179.217821] which belongs to the cache kmalloc-16 of size 16 [ 179.220741] The buggy address is located 0 bytes inside of [ 179.220741] freed 16-byte region [ffff0000c0b71d20, ffff0000c0b71d30) [ 179.223519] [ 179.224122] The buggy address belongs to the physical page: [ 179.225934] page:00000000617c99bc refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100b71 [ 179.227530] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff) [ 179.229446] page_type: 0xffffffff() [ 179.230662] raw: 0bfffc0000000800 ffff0000c00013c0 dead000000000122 0000000000000000 [ 179.232372] raw: 0000000000000000 0000000080800080 00000001ffffffff 0000000000000000 [ 179.234331] page dumped because: kasan: bad access detected [ 179.235624] [ 179.236104] Memory state around the buggy address: [ 179.237742] ffff0000c0b71c00: 00 02 fc fc 00 02 fc fc fa fb fc fc fa fb fc fc [ 179.239305] ffff0000c0b71c80: 00 04 fc fc 00 00 fc fc 00 03 fc fc 00 05 fc fc [ 179.241103] >ffff0000c0b71d00: 00 00 fc fc fa fb fc fc fc fc fc fc fc fc fc fc [ 179.242754] ^ [ 179.243820] ffff0000c0b71d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 179.245706] ffff0000c0b71e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 179.247987] ==================================================================