Hay
Sign in
Date
June 17, 2025, 3:39 p.m.

Environment
qemu-arm64
qemu-x86_64 

[   93.104754] ==================================================================
[   93.105518] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x108/0x290
[   93.106286] Read of size 1 at addr ffff0000c5f06728 by task kunit_try_catch/167
[   93.106947] 
[   93.107170] CPU: 1 PID: 167 Comm: kunit_try_catch Tainted: G    B            N 6.6.94-rc1 #1
[   93.107956] Hardware name: linux,dummy-virt (DT)
[   93.108494] Call trace:
[   93.108768]  dump_backtrace+0x9c/0x128
[   93.109162]  show_stack+0x20/0x38
[   93.109674]  dump_stack_lvl+0x60/0xb0
[   93.110063]  print_report+0xf8/0x5e8
[   93.110599]  kasan_report+0xdc/0x128
[   93.111133]  __asan_load1+0x60/0x70
[   93.111624]  kmalloc_uaf2+0x108/0x290
[   93.112107]  kunit_try_run_case+0x114/0x298
[   93.112717]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   93.113227]  kthread+0x18c/0x1a8
[   93.113622]  ret_from_fork+0x10/0x20
[   93.114037] 
[   93.114306] Allocated by task 167:
[   93.114780]  kasan_save_stack+0x3c/0x68
[   93.115330]  kasan_set_track+0x2c/0x40
[   93.115746]  kasan_save_alloc_info+0x24/0x38
[   93.116949]  __kasan_kmalloc+0xd4/0xd8
[   93.117404]  kmalloc_trace+0x68/0x130
[   93.117830]  kmalloc_uaf2+0xb4/0x290
[   93.118283]  kunit_try_run_case+0x114/0x298
[   93.118729]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   93.119363]  kthread+0x18c/0x1a8
[   93.119787]  ret_from_fork+0x10/0x20
[   93.120250] 
[   93.120455] Freed by task 167:
[   93.120816]  kasan_save_stack+0x3c/0x68
[   93.121317]  kasan_set_track+0x2c/0x40
[   93.122204]  kasan_save_free_info+0x38/0x60
[   93.122661]  __kasan_slab_free+0x100/0x170
[   93.123143]  __kmem_cache_free+0x178/0x2c8
[   93.123648]  kfree+0x74/0x138
[   93.124034]  kmalloc_uaf2+0xc8/0x290
[   93.124547]  kunit_try_run_case+0x114/0x298
[   93.125079]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   93.125737]  kthread+0x18c/0x1a8
[   93.126140]  ret_from_fork+0x10/0x20
[   93.126664] 
[   93.126887] The buggy address belongs to the object at ffff0000c5f06700
[   93.126887]  which belongs to the cache kmalloc-64 of size 64
[   93.127868] The buggy address is located 40 bytes inside of
[   93.127868]  freed 64-byte region [ffff0000c5f06700, ffff0000c5f06740)
[   93.128806] 
[   93.129078] The buggy address belongs to the physical page:
[   93.129615] page:0000000083b08542 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105f06
[   93.130474] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff)
[   93.131149] page_type: 0xffffffff()
[   93.131589] raw: 0bfffc0000000800 ffff0000c0001640 dead000000000122 0000000000000000
[   93.132341] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[   93.133010] page dumped because: kasan: bad access detected
[   93.133563] 
[   93.133778] Memory state around the buggy address:
[   93.134278]  ffff0000c5f06600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   93.134932]  ffff0000c5f06680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   93.135619] >ffff0000c5f06700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   93.136275]                                   ^
[   93.136766]  ffff0000c5f06780: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   93.137478]  ffff0000c5f06800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   93.138108] ==================================================================
Metadata Full log Test run details 

[   34.273615] ==================================================================
[   34.274841] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x122/0x2b0
[   34.275552] Read of size 1 at addr ffff8881028641a8 by task kunit_try_catch/182
[   34.276212] 
[   34.276428] CPU: 0 PID: 182 Comm: kunit_try_catch Tainted: G    B            N 6.6.94-rc1 #1
[   34.277031] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   34.277417] Call Trace:
[   34.277558]  <TASK>
[   34.277699]  dump_stack_lvl+0x4e/0x90
[   34.278215]  print_report+0xd2/0x650
[   34.278676]  ? __virt_addr_valid+0x156/0x1e0
[   34.279230]  ? kmalloc_uaf2+0x122/0x2b0
[   34.279701]  ? kasan_complete_mode_report_info+0x64/0x200
[   34.280322]  ? kmalloc_uaf2+0x122/0x2b0
[   34.280787]  kasan_report+0x147/0x180
[   34.281225]  ? kmalloc_uaf2+0x122/0x2b0
[   34.281681]  __asan_load1+0x66/0x70
[   34.282125]  kmalloc_uaf2+0x122/0x2b0
[   34.282567]  ? __pfx_kmalloc_uaf2+0x10/0x10
[   34.283065]  ? finish_task_switch.isra.0+0xc8/0x3e0
[   34.283488]  ? __schedule+0x715/0x11a0
[   34.283732]  ? ktime_get_ts64+0x118/0x140
[   34.284222]  kunit_try_run_case+0x120/0x290
[   34.284730]  ? __pfx_kunit_try_run_case+0x10/0x10
[   34.285264]  ? __kasan_check_write+0x18/0x20
[   34.285751]  ? trace_preempt_on+0x20/0xa0
[   34.286073]  ? __kthread_parkme+0x4f/0xd0
[   34.286295]  ? preempt_count_sub+0x50/0x80
[   34.286517]  ? __pfx_kunit_try_run_case+0x10/0x10
[   34.286876]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   34.287512]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   34.288120]  kthread+0x19e/0x1e0
[   34.288515]  ? __pfx_kthread+0x10/0x10
[   34.288981]  ret_from_fork+0x41/0x70
[   34.289403]  ? __pfx_kthread+0x10/0x10
[   34.289853]  ret_from_fork_asm+0x1b/0x30
[   34.290341]  </TASK>
[   34.290615] 
[   34.290857] Allocated by task 182:
[   34.291225]  kasan_save_stack+0x44/0x70
[   34.291444]  kasan_set_track+0x29/0x40
[   34.291641]  kasan_save_alloc_info+0x22/0x30
[   34.292143]  __kasan_kmalloc+0xb7/0xc0
[   34.292559]  kmalloc_trace+0x4c/0xb0
[   34.292985]  kmalloc_uaf2+0xb0/0x2b0
[   34.293405]  kunit_try_run_case+0x120/0x290
[   34.293911]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   34.294479]  kthread+0x19e/0x1e0
[   34.294891]  ret_from_fork+0x41/0x70
[   34.295204]  ret_from_fork_asm+0x1b/0x30
[   34.295418] 
[   34.295519] Freed by task 182:
[   34.295674]  kasan_save_stack+0x44/0x70
[   34.296152]  kasan_set_track+0x29/0x40
[   34.296588]  kasan_save_free_info+0x2f/0x50
[   34.297073]  ____kasan_slab_free+0x172/0x1d0
[   34.297539]  __kasan_slab_free+0x16/0x20
[   34.298010]  __kmem_cache_free+0x190/0x310
[   34.298456]  kfree+0x7c/0x120
[   34.298836]  kmalloc_uaf2+0xd0/0x2b0
[   34.299179]  kunit_try_run_case+0x120/0x290
[   34.299406]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   34.299672]  kthread+0x19e/0x1e0
[   34.300165]  ret_from_fork+0x41/0x70
[   34.300614]  ret_from_fork_asm+0x1b/0x30
[   34.301123] 
[   34.301343] The buggy address belongs to the object at ffff888102864180
[   34.301343]  which belongs to the cache kmalloc-64 of size 64
[   34.302565] The buggy address is located 40 bytes inside of
[   34.302565]  freed 64-byte region [ffff888102864180, ffff8881028641c0)
[   34.303839] 
[   34.304048] The buggy address belongs to the physical page:
[   34.304571] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102864
[   34.305274] flags: 0x200000000000800(slab|node=0|zone=2)
[   34.305709] page_type: 0xffffffff()
[   34.306140] raw: 0200000000000800 ffff888100041640 dead000000000122 0000000000000000
[   34.306485] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[   34.306819] page dumped because: kasan: bad access detected
[   34.307483] 
[   34.307906] Memory state around the buggy address:
[   34.308223]  ffff888102864080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   34.308603]  ffff888102864100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   34.309328] >ffff888102864180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   34.310170]                                   ^
[   34.310679]  ffff888102864200: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   34.311290]  ffff888102864280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.311911] ==================================================================
Metadata Full log Test run details