Date
Feb. 5, 2025, 2:09 p.m.
| Environment |
|---|
| qemu-armv7 |
| qemu-x86_64 |
qemu-armv7:

```
[ 147.839008] ==================================================================
[ 147.840706] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0xd0/0x1cc
[ 147.841494] Read of size 1 at addr c8fbdb00 by task kunit_try_catch/205
[ 147.842152]
[ 147.842376] CPU: 1 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1
[ 147.843248] Hardware name: Generic DT based system
[ 147.843778] unwind_backtrace from show_stack+0x18/0x1c
[ 147.844523] show_stack from dump_stack_lvl+0x58/0x70
[ 147.845107] dump_stack_lvl from print_report+0x164/0x51c
[ 147.845900] print_report from kasan_report+0xc8/0x104
[ 147.846880] kasan_report from __kasan_check_byte+0x34/0x3c
[ 147.847764] __kasan_check_byte from kfree_sensitive+0x20/0x6c
[ 147.848632] kfree_sensitive from kmalloc_double_kzfree+0xd0/0x1cc
[ 147.849402] kmalloc_double_kzfree from kunit_try_run_case+0x11c/0x2e4
[ 147.850475] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0x2c/0x48
[ 147.851561] kunit_generic_run_threadfn_adapter from kthread+0x184/0x1a8
[ 147.852478] kthread from ret_from_fork+0x14/0x30
[ 147.853146] Exception stack(0xfa123fb0 to 0xfa123ff8)
[ 147.853778] 3fa0: 00000000 00000000 00000000 00000000
[ 147.854617] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 147.856010] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 147.857068]
[ 147.857354] Allocated by task 205:
[ 147.857806] kasan_set_track+0x3c/0x5c
[ 147.858490] __kasan_kmalloc+0x8c/0x94
[ 147.859169] kmalloc_double_kzfree+0xa0/0x1cc
[ 147.859794] kunit_try_run_case+0x11c/0x2e4
[ 147.860471] kunit_generic_run_threadfn_adapter+0x2c/0x48
[ 147.861352] kthread+0x184/0x1a8
[ 147.861867] ret_from_fork+0x14/0x30
[ 147.862335]
[ 147.862669] Freed by task 205:
[ 147.863334] kasan_set_track+0x3c/0x5c
[ 147.863841] kasan_save_free_info+0x30/0x3c
[ 147.864708] __kasan_slab_free+0xdc/0x124
[ 147.865327] __kmem_cache_free+0x140/0x2a8
[ 147.866200] kmalloc_double_kzfree+0xbc/0x1cc
[ 147.866745] kunit_try_run_case+0x11c/0x2e4
[ 147.867442] kunit_generic_run_threadfn_adapter+0x2c/0x48
[ 147.868122] kthread+0x184/0x1a8
[ 147.868584] ret_from_fork+0x14/0x30
[ 147.869189]
[ 147.869445] The buggy address belongs to the object at c8fbdb00
[ 147.869445]  which belongs to the cache kmalloc-64 of size 64
[ 147.870686] The buggy address is located 0 bytes inside of
[ 147.870686]  freed 64-byte region [c8fbdb00, c8fbdb40)
[ 147.871901]
[ 147.872172] The buggy address belongs to the physical page:
[ 147.872876] page:652e16b7 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x48fbd
[ 147.873995] flags: 0x800(slab|zone=0)
[ 147.874472] page_type: 0xffffffff()
[ 147.875037] raw: 00000800 c4801200 00000122 00000000 00000000 80200020 ffffffff 00000001
[ 147.875951] raw: 00000000
[ 147.876502] page dumped because: kasan: bad access detected
[ 147.877548]
[ 147.877861] Memory state around the buggy address:
[ 147.878498]  c8fbda00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 147.879243]  c8fbda80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 147.880018] >c8fbdb00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 147.880741]            ^
[ 147.881047]  c8fbdb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 147.881793]  c8fbdc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 147.882557] ==================================================================
```
qemu-x86_64:

```
[ 51.640284] ==================================================================
[ 51.641296] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0xd4/0x1d0
[ 51.641659] Read of size 1 at addr ffff888101a81400 by task kunit_try_catch/228
[ 51.642495]
[ 51.643296] CPU: 0 PID: 228 Comm: kunit_try_catch Tainted: G B N 6.6.76-rc1 #1
[ 51.645110] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 51.646133] Call Trace:
[ 51.646541]  <TASK>
[ 51.646921]  dump_stack_lvl+0x4e/0x90
[ 51.647633]  print_report+0xd2/0x660
[ 51.649045]  ? __virt_addr_valid+0x156/0x1e0
[ 51.649559]  ? kasan_complete_mode_report_info+0x64/0x200
[ 51.650335]  kasan_report+0xff/0x140
[ 51.650993]  ? kmalloc_double_kzfree+0xd4/0x1d0
[ 51.651517]  ? kmalloc_double_kzfree+0xd4/0x1d0
[ 51.652361]  ? kmalloc_double_kzfree+0xd4/0x1d0
[ 51.653065]  __kasan_check_byte+0x3d/0x50
[ 51.653665]  kfree_sensitive+0x22/0x90
[ 51.654363]  kmalloc_double_kzfree+0xd4/0x1d0
[ 51.655002]  ? __pfx_kmalloc_double_kzfree+0x10/0x10
[ 51.655778]  ? __schedule+0x70b/0x1190
[ 51.656270]  ? ktime_get_ts64+0x118/0x140
[ 51.656926]  kunit_try_run_case+0x126/0x290
[ 51.657575]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 51.658794]  ? __kasan_check_write+0x18/0x20
[ 51.659407]  ? trace_preempt_on+0x20/0xa0
[ 51.660045]  ? __kthread_parkme+0x4f/0xd0
[ 51.660631]  ? preempt_count_sub+0x50/0x80
[ 51.661282]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 51.662103]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 51.663304]  kunit_generic_run_threadfn_adapter+0x33/0x50
[ 51.663944]  kthread+0x19e/0x1e0
[ 51.664473]  ? __pfx_kthread+0x10/0x10
[ 51.665008]  ret_from_fork+0x41/0x70
[ 51.665609]  ? __pfx_kthread+0x10/0x10
[ 51.666206]  ret_from_fork_asm+0x1b/0x30
[ 51.666866]  </TASK>
[ 51.667362]
[ 51.667640] Allocated by task 228:
[ 51.668805]  kasan_save_stack+0x3c/0x60
[ 51.669302]  kasan_set_track+0x29/0x40
[ 51.669717]  kasan_save_alloc_info+0x22/0x30
[ 51.670193]  __kasan_kmalloc+0xb7/0xc0
[ 51.670593]  kmalloc_trace+0x4c/0xb0
[ 51.671432]  kmalloc_double_kzfree+0x9d/0x1d0
[ 51.672402]  kunit_try_run_case+0x126/0x290
[ 51.673262]  kunit_generic_run_threadfn_adapter+0x33/0x50
[ 51.674122]  kthread+0x19e/0x1e0
[ 51.674503]  ret_from_fork+0x41/0x70
[ 51.674990]  ret_from_fork_asm+0x1b/0x30
[ 51.676274]
[ 51.676494] Freed by task 228:
[ 51.676793]  kasan_save_stack+0x3c/0x60
[ 51.677368]  kasan_set_track+0x29/0x40
[ 51.678535]  kasan_save_free_info+0x2f/0x50
[ 51.679187]  ____kasan_slab_free+0x172/0x1d0
[ 51.679826]  __kasan_slab_free+0x16/0x20
[ 51.680286]  __kmem_cache_free+0x190/0x310
[ 51.681447]  kfree+0x7c/0x120
[ 51.681875]  kfree_sensitive+0x67/0x90
[ 51.682356]  kmalloc_double_kzfree+0xbd/0x1d0
[ 51.682998]  kunit_try_run_case+0x126/0x290
[ 51.683567]  kunit_generic_run_threadfn_adapter+0x33/0x50
[ 51.684359]  kthread+0x19e/0x1e0
[ 51.685549]  ret_from_fork+0x41/0x70
[ 51.686018]  ret_from_fork_asm+0x1b/0x30
[ 51.686775]
[ 51.687035] The buggy address belongs to the object at ffff888101a81400
[ 51.687035]  which belongs to the cache kmalloc-16 of size 16
[ 51.688181] The buggy address is located 0 bytes inside of
[ 51.688181]  freed 16-byte region [ffff888101a81400, ffff888101a81410)
[ 51.690277]
[ 51.690493] The buggy address belongs to the physical page:
[ 51.691567] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101a81
[ 51.692520] flags: 0x200000000000800(slab|node=0|zone=2)
[ 51.693283] page_type: 0xffffffff()
[ 51.693702] raw: 0200000000000800 ffff8881000413c0 dead000000000122 0000000000000000
[ 51.694411] raw: 0000000000000000 0000000080800080 00000001ffffffff 0000000000000000
[ 51.695438] page dumped because: kasan: bad access detected
[ 51.696415]
[ 51.696627] Memory state around the buggy address:
[ 51.697619]  ffff888101a81300: 00 02 fc fc 00 02 fc fc fa fb fc fc fa fb fc fc
[ 51.698502]  ffff888101a81380: fa fb fc fc 00 05 fc fc fa fb fc fc fa fb fc fc
[ 51.699552] >ffff888101a81400: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.700271]                    ^
[ 51.700923]  ffff888101a81480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.702314]  ffff888101a81500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.702828] ==================================================================
```