Hay
Sign in
Date
July 5, 2025, 5:09 p.m.

Environment
qemu-arm64
qemu-x86_64 

[   18.286336] ==================================================================
[   18.286439] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[   18.286740] Read of size 16 at addr fff00000c5cb36e0 by task kunit_try_catch/168
[   18.286910] 
[   18.287144] CPU: 1 UID: 0 PID: 168 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   18.287430] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.287555] Hardware name: linux,dummy-virt (DT)
[   18.287696] Call trace:
[   18.287806]  show_stack+0x20/0x38 (C)
[   18.287999]  dump_stack_lvl+0x8c/0xd0
[   18.288093]  print_report+0x118/0x608
[   18.288382]  kasan_report+0xdc/0x128
[   18.288578]  __asan_report_load16_noabort+0x20/0x30
[   18.288681]  kmalloc_uaf_16+0x3bc/0x438
[   18.288912]  kunit_try_run_case+0x170/0x3f0
[   18.289307]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.289401]  kthread+0x328/0x630
[   18.289531]  ret_from_fork+0x10/0x20
[   18.289697] 
[   18.289757] Allocated by task 168:
[   18.289879]  kasan_save_stack+0x3c/0x68
[   18.289924]  kasan_save_track+0x20/0x40
[   18.290195]  kasan_save_alloc_info+0x40/0x58
[   18.290406]  __kasan_kmalloc+0xd4/0xd8
[   18.290449]  __kmalloc_cache_noprof+0x16c/0x3c0
[   18.290504]  kmalloc_uaf_16+0x140/0x438
[   18.290768]  kunit_try_run_case+0x170/0x3f0
[   18.291008]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.291324]  kthread+0x328/0x630
[   18.291466]  ret_from_fork+0x10/0x20
[   18.291515] 
[   18.291767] Freed by task 168:
[   18.291814]  kasan_save_stack+0x3c/0x68
[   18.291965]  kasan_save_track+0x20/0x40
[   18.292101]  kasan_save_free_info+0x4c/0x78
[   18.292494]  __kasan_slab_free+0x6c/0x98
[   18.292775]  kfree+0x214/0x3c8
[   18.293167]  kmalloc_uaf_16+0x190/0x438
[   18.293375]  kunit_try_run_case+0x170/0x3f0
[   18.293452]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.294083]  kthread+0x328/0x630
[   18.294274]  ret_from_fork+0x10/0x20
[   18.294460] 
[   18.294580] The buggy address belongs to the object at fff00000c5cb36e0
[   18.294580]  which belongs to the cache kmalloc-16 of size 16
[   18.294784] The buggy address is located 0 bytes inside of
[   18.294784]  freed 16-byte region [fff00000c5cb36e0, fff00000c5cb36f0)
[   18.294921] 
[   18.294951] The buggy address belongs to the physical page:
[   18.294997] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105cb3
[   18.295050] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.295374] page_type: f5(slab)
[   18.295532] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   18.295687] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   18.295731] page dumped because: kasan: bad access detected
[   18.295949] 
[   18.296144] Memory state around the buggy address:
[   18.296206]  fff00000c5cb3580: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   18.296262]  fff00000c5cb3600: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   18.296503] >fff00000c5cb3680: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[   18.296710]                                                        ^
[   18.296748]  fff00000c5cb3700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.297087]  fff00000c5cb3780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.297236] ==================================================================
Metadata Full log Test run details 

[   11.614400] ==================================================================
[   11.615182] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[   11.615561] Read of size 16 at addr ffff88810274c220 by task kunit_try_catch/186
[   11.615874] 
[   11.615986] CPU: 1 UID: 0 PID: 186 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   11.616029] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.616040] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.616061] Call Trace:
[   11.616073]  <TASK>
[   11.616088]  dump_stack_lvl+0x73/0xb0
[   11.616114]  print_report+0xd1/0x650
[   11.616135]  ? __virt_addr_valid+0x1db/0x2d0
[   11.616157]  ? kmalloc_uaf_16+0x47b/0x4c0
[   11.616176]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.616247]  ? kmalloc_uaf_16+0x47b/0x4c0
[   11.616270]  kasan_report+0x141/0x180
[   11.616291]  ? kmalloc_uaf_16+0x47b/0x4c0
[   11.616316]  __asan_report_load16_noabort+0x18/0x20
[   11.616340]  kmalloc_uaf_16+0x47b/0x4c0
[   11.616360]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[   11.616381]  ? __schedule+0x10cc/0x2b60
[   11.616402]  ? __pfx_read_tsc+0x10/0x10
[   11.616423]  ? ktime_get_ts64+0x86/0x230
[   11.616448]  kunit_try_run_case+0x1a5/0x480
[   11.616485]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.616506]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.616528]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.616550]  ? __kthread_parkme+0x82/0x180
[   11.616569]  ? preempt_count_sub+0x50/0x80
[   11.616591]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.616614]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.616636]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.616657]  kthread+0x337/0x6f0
[   11.616676]  ? trace_preempt_on+0x20/0xc0
[   11.616698]  ? __pfx_kthread+0x10/0x10
[   11.616718]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.616738]  ? calculate_sigpending+0x7b/0xa0
[   11.616763]  ? __pfx_kthread+0x10/0x10
[   11.616787]  ret_from_fork+0x116/0x1d0
[   11.616806]  ? __pfx_kthread+0x10/0x10
[   11.616825]  ret_from_fork_asm+0x1a/0x30
[   11.616855]  </TASK>
[   11.616866] 
[   11.625738] Allocated by task 186:
[   11.625945]  kasan_save_stack+0x45/0x70
[   11.626112]  kasan_save_track+0x18/0x40
[   11.626265]  kasan_save_alloc_info+0x3b/0x50
[   11.626620]  __kasan_kmalloc+0xb7/0xc0
[   11.626763]  __kmalloc_cache_noprof+0x189/0x420
[   11.626955]  kmalloc_uaf_16+0x15b/0x4c0
[   11.627143]  kunit_try_run_case+0x1a5/0x480
[   11.627485]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.627755]  kthread+0x337/0x6f0
[   11.627899]  ret_from_fork+0x116/0x1d0
[   11.628030]  ret_from_fork_asm+0x1a/0x30
[   11.628278] 
[   11.628376] Freed by task 186:
[   11.628533]  kasan_save_stack+0x45/0x70
[   11.628668]  kasan_save_track+0x18/0x40
[   11.628870]  kasan_save_free_info+0x3f/0x60
[   11.629070]  __kasan_slab_free+0x56/0x70
[   11.629243]  kfree+0x222/0x3f0
[   11.629386]  kmalloc_uaf_16+0x1d6/0x4c0
[   11.629529]  kunit_try_run_case+0x1a5/0x480
[   11.629671]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.629918]  kthread+0x337/0x6f0
[   11.630305]  ret_from_fork+0x116/0x1d0
[   11.630523]  ret_from_fork_asm+0x1a/0x30
[   11.630677] 
[   11.630787] The buggy address belongs to the object at ffff88810274c220
[   11.630787]  which belongs to the cache kmalloc-16 of size 16
[   11.631269] The buggy address is located 0 bytes inside of
[   11.631269]  freed 16-byte region [ffff88810274c220, ffff88810274c230)
[   11.631821] 
[   11.631913] The buggy address belongs to the physical page:
[   11.632129] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10274c
[   11.632481] flags: 0x200000000000000(node=0|zone=2)
[   11.632644] page_type: f5(slab)
[   11.632785] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   11.633286] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   11.633523] page dumped because: kasan: bad access detected
[   11.633688] 
[   11.633835] Memory state around the buggy address:
[   11.634063]  ffff88810274c100: 00 02 fc fc 00 02 fc fc 00 02 fc fc 00 02 fc fc
[   11.634376]  ffff88810274c180: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   11.634703] >ffff88810274c200: 00 00 fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   11.635239]                                ^
[   11.635425]  ffff88810274c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.635737]  ffff88810274c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.636006] ==================================================================
Metadata Full log Test run details