Hay
Date: June 17, 2025, 3:39 p.m.

Environment: qemu-arm64, qemu-x86_64

[   91.589113] ==================================================================
[   91.590516] BUG: KASAN: use-after-free in kmalloc_pagealloc_uaf+0xac/0x1b0
[   91.593020] Read of size 1 at addr ffff0000c5fa0000 by task kunit_try_catch/125
[   91.594127] 
[   91.594644] CPU: 1 PID: 125 Comm: kunit_try_catch Tainted: G    B            N 6.6.94-rc1 #1
[   91.596158] Hardware name: linux,dummy-virt (DT)
[   91.597074] Call trace:
[   91.597585]  dump_backtrace+0x9c/0x128
[   91.598350]  show_stack+0x20/0x38
[   91.599129]  dump_stack_lvl+0x60/0xb0
[   91.600063]  print_report+0xf8/0x5e8
[   91.600935]  kasan_report+0xdc/0x128
[   91.601762]  __asan_load1+0x60/0x70
[   91.602546]  kmalloc_pagealloc_uaf+0xac/0x1b0
[   91.603461]  kunit_try_run_case+0x114/0x298
[   91.604446]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   91.605506]  kthread+0x18c/0x1a8
[   91.606203]  ret_from_fork+0x10/0x20
[   91.607173] 
[   91.607679] The buggy address belongs to the physical page:
[   91.608658] page:00000000fbc828a4 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105fa0
[   91.609663] flags: 0xbfffc0000000000(node=0|zone=2|lastcpupid=0xffff)
[   91.610137] page_type: 0xffffffff()
[   91.610494] raw: 0bfffc0000000000 fffffc000317e908 ffff0000daa2d4f8 0000000000000000
[   91.611843] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   91.612794] page dumped because: kasan: bad access detected
[   91.613841] 
[   91.614313] Memory state around the buggy address:
[   91.615199]  ffff0000c5f9ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   91.616422]  ffff0000c5f9ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   91.617338] >ffff0000c5fa0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   91.618397]                    ^
[   91.619040]  ffff0000c5fa0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   91.619642]  ffff0000c5fa0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   91.620085] ==================================================================


[   33.239185] ==================================================================
[   33.241035] BUG: KASAN: use-after-free in kmalloc_pagealloc_uaf+0xaf/0x1b0
[   33.241896] Read of size 1 at addr ffff888102070000 by task kunit_try_catch/140
[   33.242727] 
[   33.242962] CPU: 0 PID: 140 Comm: kunit_try_catch Tainted: G    B            N 6.6.94-rc1 #1
[   33.244048] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   33.245085] Call Trace:
[   33.245385]  <TASK>
[   33.245729]  dump_stack_lvl+0x4e/0x90
[   33.246208]  print_report+0xd2/0x650
[   33.246734]  ? __virt_addr_valid+0x156/0x1e0
[   33.247249]  ? kmalloc_pagealloc_uaf+0xaf/0x1b0
[   33.247921]  ? kasan_addr_to_slab+0x11/0xb0
[   33.248558]  ? kmalloc_pagealloc_uaf+0xaf/0x1b0
[   33.249156]  kasan_report+0x147/0x180
[   33.249692]  ? kmalloc_pagealloc_uaf+0xaf/0x1b0
[   33.250224]  __asan_load1+0x66/0x70
[   33.250789]  kmalloc_pagealloc_uaf+0xaf/0x1b0
[   33.251306]  ? __pfx_kmalloc_pagealloc_uaf+0x10/0x10
[   33.251979]  ? __pfx_kmalloc_pagealloc_uaf+0x10/0x10
[   33.252491]  ? kunit_try_run_case+0x115/0x290
[   33.253202]  kunit_try_run_case+0x120/0x290
[   33.253726]  ? __pfx_kunit_try_run_case+0x10/0x10
[   33.254263]  ? __kasan_check_write+0x18/0x20
[   33.254774]  ? trace_preempt_on+0x20/0xa0
[   33.255137]  ? __kthread_parkme+0x4f/0xd0
[   33.255453]  ? preempt_count_sub+0x50/0x80
[   33.255985]  ? __pfx_kunit_try_run_case+0x10/0x10
[   33.256509]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   33.257256]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   33.257922]  kthread+0x19e/0x1e0
[   33.258147]  ? __pfx_kthread+0x10/0x10
[   33.258585]  ret_from_fork+0x41/0x70
[   33.259096]  ? __pfx_kthread+0x10/0x10
[   33.259679]  ret_from_fork_asm+0x1b/0x30
[   33.260173]  </TASK>
[   33.260505] 
[   33.260706] The buggy address belongs to the physical page:
[   33.261350] page:(____ptrval____) refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102070
[   33.262178] flags: 0x200000000000000(node=0|zone=2)
[   33.262688] page_type: 0xffffffff()
[   33.263167] raw: 0200000000000000 ffffea0004081d08 ffff88815703c8f8 0000000000000000
[   33.264253] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   33.265073] page dumped because: kasan: bad access detected
[   33.265324] 
[   33.265702] Memory state around the buggy address:
[   33.266238]  ffff88810206ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.267047]  ffff88810206ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.267360] >ffff888102070000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   33.267661]                    ^
[   33.268100]  ffff888102070080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   33.268912]  ffff888102070100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   33.269830] ==================================================================