Date
June 17, 2025, 3:39 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
Log (qemu-arm64; arm64 `Call trace:` format, `Hardware name: linux,dummy-virt (DT)`):

```
[   93.011680] ==================================================================
[   93.012595] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0xc8/0x1d0
[   93.013430] Read of size 1 at addr ffff0000c5c52728 by task kunit_try_catch/163
[   93.014026]
[   93.014316] CPU: 1 PID: 163 Comm: kunit_try_catch Tainted: G B N 6.6.94-rc1 #1
[   93.015293] Hardware name: linux,dummy-virt (DT)
[   93.015731] Call trace:
[   93.015998]  dump_backtrace+0x9c/0x128
[   93.016670]  show_stack+0x20/0x38
[   93.017148]  dump_stack_lvl+0x60/0xb0
[   93.017618]  print_report+0xf8/0x5e8
[   93.018075]  kasan_report+0xdc/0x128
[   93.018577]  __asan_load1+0x60/0x70
[   93.019043]  kmalloc_uaf+0xc8/0x1d0
[   93.019449]  kunit_try_run_case+0x114/0x298
[   93.019968]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   93.020697]  kthread+0x18c/0x1a8
[   93.021099]  ret_from_fork+0x10/0x20
[   93.021481]
[   93.021669] Allocated by task 163:
[   93.021987]  kasan_save_stack+0x3c/0x68
[   93.022588]  kasan_set_track+0x2c/0x40
[   93.023216]  kasan_save_alloc_info+0x24/0x38
[   93.023778]  __kasan_kmalloc+0xd4/0xd8
[   93.024342]  kmalloc_trace+0x68/0x130
[   93.024818]  kmalloc_uaf+0x9c/0x1d0
[   93.025254]  kunit_try_run_case+0x114/0x298
[   93.025792]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   93.026380]  kthread+0x18c/0x1a8
[   93.027055]  ret_from_fork+0x10/0x20
[   93.027599]
[   93.027857] Freed by task 163:
[   93.028266]  kasan_save_stack+0x3c/0x68
[   93.028803]  kasan_set_track+0x2c/0x40
[   93.029309]  kasan_save_free_info+0x38/0x60
[   93.029815]  __kasan_slab_free+0x100/0x170
[   93.030322]  __kmem_cache_free+0x178/0x2c8
[   93.031019]  kfree+0x74/0x138
[   93.031336]  kmalloc_uaf+0xb8/0x1d0
[   93.031691]  kunit_try_run_case+0x114/0x298
[   93.032117]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   93.032626]  kthread+0x18c/0x1a8
[   93.033132]  ret_from_fork+0x10/0x20
[   93.033671]
[   93.033905] The buggy address belongs to the object at ffff0000c5c52720
[   93.033905]  which belongs to the cache kmalloc-16 of size 16
[   93.035116] The buggy address is located 8 bytes inside of
[   93.035116]  freed 16-byte region [ffff0000c5c52720, ffff0000c5c52730)
[   93.035831]
[   93.036038] The buggy address belongs to the physical page:
[   93.037114] page:00000000fbf36b17 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105c52
[   93.037998] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff)
[   93.038639] page_type: 0xffffffff()
[   93.039200] raw: 0bfffc0000000800 ffff0000c00013c0 dead000000000122 0000000000000000
[   93.039800] raw: 0000000000000000 0000000080800080 00000001ffffffff 0000000000000000
[   93.040660] page dumped because: kasan: bad access detected
[   93.041193]
[   93.041428] Memory state around the buggy address:
[   93.041924]  ffff0000c5c52600: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   93.042568]  ffff0000c5c52680: 00 04 fc fc 00 05 fc fc fa fb fc fc fa fb fc fc
[   93.043289] >ffff0000c5c52700: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   93.044129]                                   ^
[   93.044636]  ffff0000c5c52780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   93.045190]  ffff0000c5c52800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   93.045990] ==================================================================
```
Log (qemu-x86_64; x86 `Call Trace:` format, `Hardware name: QEMU Standard PC`):

```
[   34.186810] ==================================================================
[   34.187738] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0xd5/0x1d0
[   34.188222] Read of size 1 at addr ffff88810214e6e8 by task kunit_try_catch/178
[   34.188652]
[   34.189044] CPU: 0 PID: 178 Comm: kunit_try_catch Tainted: G B N 6.6.94-rc1 #1
[   34.189984] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   34.190726] Call Trace:
[   34.191095]  <TASK>
[   34.191487]  dump_stack_lvl+0x4e/0x90
[   34.191816]  print_report+0xd2/0x650
[   34.192218]  ? __virt_addr_valid+0x156/0x1e0
[   34.192693]  ? kmalloc_uaf+0xd5/0x1d0
[   34.193080]  ? kasan_complete_mode_report_info+0x64/0x200
[   34.193983]  ? kmalloc_uaf+0xd5/0x1d0
[   34.194367]  kasan_report+0x147/0x180
[   34.194828]  ? kmalloc_uaf+0xd5/0x1d0
[   34.195232]  __asan_load1+0x66/0x70
[   34.195598]  kmalloc_uaf+0xd5/0x1d0
[   34.196100]  ? __pfx_kmalloc_uaf+0x10/0x10
[   34.196461]  ? __schedule+0x715/0x11a0
[   34.196814]  ? ktime_get_ts64+0x118/0x140
[   34.197128]  kunit_try_run_case+0x120/0x290
[   34.197647]  ? __pfx_kunit_try_run_case+0x10/0x10
[   34.198073]  ? __kasan_check_write+0x18/0x20
[   34.198950]  ? trace_preempt_on+0x20/0xa0
[   34.199236]  ? __kthread_parkme+0x4f/0xd0
[   34.199835]  ? preempt_count_sub+0x50/0x80
[   34.200242]  ? __pfx_kunit_try_run_case+0x10/0x10
[   34.200651]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   34.201110]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   34.201636]  kthread+0x19e/0x1e0
[   34.202045]  ? __pfx_kthread+0x10/0x10
[   34.202491]  ret_from_fork+0x41/0x70
[   34.202928]  ? __pfx_kthread+0x10/0x10
[   34.203215]  ret_from_fork_asm+0x1b/0x30
[   34.203537]  </TASK>
[   34.204189]
[   34.204316] Allocated by task 178:
[   34.204676]  kasan_save_stack+0x44/0x70
[   34.205038]  kasan_set_track+0x29/0x40
[   34.205274]  kasan_save_alloc_info+0x22/0x30
[   34.205941]  __kasan_kmalloc+0xb7/0xc0
[   34.206343]  kmalloc_trace+0x4c/0xb0
[   34.206671]  kmalloc_uaf+0x9d/0x1d0
[   34.206947]  kunit_try_run_case+0x120/0x290
[   34.207238]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   34.207816]  kthread+0x19e/0x1e0
[   34.208183]  ret_from_fork+0x41/0x70
[   34.208898]  ret_from_fork_asm+0x1b/0x30
[   34.209178]
[   34.209301] Freed by task 178:
[   34.209661]  kasan_save_stack+0x44/0x70
[   34.210118]  kasan_set_track+0x29/0x40
[   34.210360]  kasan_save_free_info+0x2f/0x50
[   34.210912]  ____kasan_slab_free+0x172/0x1d0
[   34.211178]  __kasan_slab_free+0x16/0x20
[   34.211748]  __kmem_cache_free+0x190/0x310
[   34.212044]  kfree+0x7c/0x120
[   34.212263]  kmalloc_uaf+0xbd/0x1d0
[   34.212606]  kunit_try_run_case+0x120/0x290
[   34.212930]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   34.213261]  kthread+0x19e/0x1e0
[   34.214126]  ret_from_fork+0x41/0x70
[   34.214363]  ret_from_fork_asm+0x1b/0x30
[   34.214902]
[   34.215044] The buggy address belongs to the object at ffff88810214e6e0
[   34.215044]  which belongs to the cache kmalloc-16 of size 16
[   34.216066] The buggy address is located 8 bytes inside of
[   34.216066]  freed 16-byte region [ffff88810214e6e0, ffff88810214e6f0)
[   34.216984]
[   34.217179] The buggy address belongs to the physical page:
[   34.217697] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10214e
[   34.218267] flags: 0x200000000000800(slab|node=0|zone=2)
[   34.219051] page_type: 0xffffffff()
[   34.219300] raw: 0200000000000800 ffff8881000413c0 dead000000000122 0000000000000000
[   34.219957] raw: 0000000000000000 0000000080800080 00000001ffffffff 0000000000000000
[   34.220574] page dumped because: kasan: bad access detected
[   34.220993]
[   34.221204] Memory state around the buggy address:
[   34.221576]  ffff88810214e580: 00 02 fc fc 00 02 fc fc 00 02 fc fc 00 02 fc fc
[   34.222147]  ffff88810214e600: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   34.222758] >ffff88810214e680: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   34.223292]                                                           ^
[   34.223812]  ffff88810214e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.224227]  ffff88810214e780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.224607] ==================================================================
```
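Reading the "Memory state around the buggy address" section by hand is where most people get lost, so here is an added example (userspace C written for this page, not part of the report, the KUnit test or the kernel) that decodes it. It takes the memory-state lines copied from the two reports above, maps the faulting address reported on the `Read of size 1 at addr ...` line onto the shadow byte that describes its 8-byte granule, and names that byte. The shadow-byte meanings are my reading of the generic-mode encoding in `mm/kasan/kasan.h` for 6.x kernels (0xfa `KASAN_SLAB_FREETRACK`, 0xfb `KASAN_SLAB_FREE`, 0xfc `KASAN_SLAB_REDZONE`); the report itself prints no legend, and SW_TAGS/HW_TAGS modes encode differently, so treat that table as an assumption. Function and array names are mine.

```c
/* Decode the "Memory state around the buggy address" section of a
 * generic-mode KASAN report. Added example, not kernel or test code.
 * Shadow-byte meanings follow my reading of mm/kasan/kasan.h (6.x,
 * CONFIG_KASAN_GENERIC); other modes/versions encode differently. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_GRANULE    8   /* bytes of memory described by one shadow byte */
#define SHADOW_PER_LINE  16  /* shadow bytes printed per report line */

struct shadow_line {
    uint64_t base;                     /* first address the line covers */
    uint8_t  shadow[SHADOW_PER_LINE];
};

/* Parse one report line such as
 *   ">ffff0000c5c52700: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc"
 * (the leading '>' marks the line that contains the buggy address). */
static int parse_shadow_line(const char *text, struct shadow_line *out)
{
    char *end;
    if (*text == '>')
        text++;
    out->base = strtoull(text, &end, 16);
    if (end == text || *end != ':')
        return -1;
    text = end + 1;
    for (int i = 0; i < SHADOW_PER_LINE; i++) {
        unsigned int v;
        int consumed;
        if (sscanf(text, " %2x%n", &v, &consumed) != 1)
            return -1;
        out->shadow[i] = (uint8_t)v;
        text += consumed;
    }
    return 0;
}

/* Human-readable meaning of a generic-mode shadow byte (assumed table). */
const char *shadow_meaning(uint8_t s)
{
    if (s == 0x00)              return "accessible";
    if (s >= 0x01 && s <= 0x07) return "partially accessible (only the first N bytes)";
    switch (s) {
    case 0xfa: return "freed slab object, free track stored in object (KASAN_SLAB_FREETRACK)";
    case 0xfb: return "freed slab object (KASAN_SLAB_FREE)";
    case 0xfc: return "slab redzone (KASAN_SLAB_REDZONE)";
    case 0xfe: return "kmalloc_large redzone (KASAN_PAGE_REDZONE)";
    case 0xff: return "freed page (KASAN_PAGE_FREE)";
    default:   return "other poison value";
    }
}

/* Shadow byte covering addr, or -1 when no line covers it. */
int shadow_for(const char *const *lines, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++) {
        struct shadow_line l;
        if (parse_shadow_line(lines[i], &l) != 0)
            return -1;
        uint64_t span = (uint64_t)KASAN_GRANULE * SHADOW_PER_LINE;
        if (addr >= l.base && addr < l.base + span)
            return l.shadow[(addr - l.base) / KASAN_GRANULE];
    }
    return -1;
}

/* Memory-state lines copied from the qemu-arm64 and qemu-x86_64 reports. */
const char *const arm64_state[] = {
    "ffff0000c5c52600: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc",
    "ffff0000c5c52680: 00 04 fc fc 00 05 fc fc fa fb fc fc fa fb fc fc",
    ">ffff0000c5c52700: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc",
    "ffff0000c5c52780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    "ffff0000c5c52800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
};
const char *const x86_64_state[] = {
    "ffff88810214e580: 00 02 fc fc 00 02 fc fc 00 02 fc fc 00 02 fc fc",
    "ffff88810214e600: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc",
    ">ffff88810214e680: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc",
    "ffff88810214e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    "ffff88810214e780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
};
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Faulting addresses from the "Read of size 1 at addr ..." lines. */
int arm64_fault_shadow(void)  { return shadow_for(arm64_state, N(arm64_state), 0xffff0000c5c52728ULL); }
int x86_64_fault_shadow(void) { return shadow_for(x86_64_state, N(x86_64_state), 0xffff88810214e6e8ULL); }
/* Start of the freed arm64 object, and the first byte past its 16-byte end. */
int arm64_object_shadow(void)  { return shadow_for(arm64_state, N(arm64_state), 0xffff0000c5c52720ULL); }
int arm64_redzone_shadow(void) { return shadow_for(arm64_state, N(arm64_state), 0xffff0000c5c52730ULL); }

int main(void)
{
    int s = arm64_fault_shadow();
    printf("arm64  fault ffff0000c5c52728 -> shadow 0x%02x: %s\n", s, shadow_meaning((uint8_t)s));
    s = x86_64_fault_shadow();
    printf("x86_64 fault ffff88810214e6e8 -> shadow 0x%02x: %s\n", s, shadow_meaning((uint8_t)s));
    return 0;
}
```

On both targets the faulting byte maps to shadow 0xfb, the second granule of a freed `kmalloc-16` object, which is exactly what "located 8 bytes inside of freed 16-byte region" says. The granule before it is 0xfa rather than 0xfb because, under the assumed encoding, KASAN keeps the free-track metadata inside small freed objects and marks that part separately; the two 0xfc bytes after each object are the redzone that, as the dump shows, pads every `kmalloc-16` object to 32 bytes of shadow-tracked memory. The `00 04` / `00 05` pairs on the arm64 line above the fault are live objects whose second granule is only partly in use (a 12- and a 13-byte allocation), which is what makes an out-of-bounds read on a live object distinguishable from this use-after-free.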