Hay
Sign in
Date
July 9, 2025, 2:07 p.m.

Environment
qemu-arm64
qemu-x86_64 

[   17.735709] ==================================================================
[   17.735779] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   17.735994] Read of size 1 at addr fff00000c3f1d788 by task kunit_try_catch/184
[   17.736055] 
[   17.736105] CPU: 0 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc5 #1 PREEMPT 
[   17.736196] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   17.736227] Hardware name: linux,dummy-virt (DT)
[   17.736275] Call trace:
[   17.736301]  show_stack+0x20/0x38 (C)
[   17.736361]  dump_stack_lvl+0x8c/0xd0
[   17.736429]  print_report+0x118/0x608
[   17.736600]  kasan_report+0xdc/0x128
[   17.736676]  __asan_report_load1_noabort+0x20/0x30
[   17.736730]  kmalloc_uaf+0x300/0x338
[   17.736792]  kunit_try_run_case+0x170/0x3f0
[   17.736844]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.736919]  kthread+0x328/0x630
[   17.737228]  ret_from_fork+0x10/0x20
[   17.737515] 
[   17.737534] Allocated by task 184:
[   17.737651]  kasan_save_stack+0x3c/0x68
[   17.737697]  kasan_save_track+0x20/0x40
[   17.737877]  kasan_save_alloc_info+0x40/0x58
[   17.737936]  __kasan_kmalloc+0xd4/0xd8
[   17.738074]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.738145]  kmalloc_uaf+0xb8/0x338
[   17.738179]  kunit_try_run_case+0x170/0x3f0
[   17.738236]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.738873]  kthread+0x328/0x630
[   17.739169]  ret_from_fork+0x10/0x20
[   17.739487] 
[   17.739557] Freed by task 184:
[   17.739637]  kasan_save_stack+0x3c/0x68
[   17.739891]  kasan_save_track+0x20/0x40
[   17.740017]  kasan_save_free_info+0x4c/0x78
[   17.740128]  __kasan_slab_free+0x6c/0x98
[   17.740387]  kfree+0x214/0x3c8
[   17.740423]  kmalloc_uaf+0x11c/0x338
[   17.740539]  kunit_try_run_case+0x170/0x3f0
[   17.740658]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.741014]  kthread+0x328/0x630
[   17.741051]  ret_from_fork+0x10/0x20
[   17.741097] 
[   17.741116] The buggy address belongs to the object at fff00000c3f1d780
[   17.741116]  which belongs to the cache kmalloc-16 of size 16
[   17.741179] The buggy address is located 8 bytes inside of
[   17.741179]  freed 16-byte region [fff00000c3f1d780, fff00000c3f1d790)
[   17.741240] 
[   17.741259] The buggy address belongs to the physical page:
[   17.741292] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103f1d
[   17.741438] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.741495] page_type: f5(slab)
[   17.741537] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   17.741641] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   17.741734] page dumped because: kasan: bad access detected
[   17.741768] 
[   17.741786] Memory state around the buggy address:
[   17.741821]  fff00000c3f1d680: 00 02 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   17.741864]  fff00000c3f1d700: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   17.741909] >fff00000c3f1d780: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.741951]                       ^
[   17.741983]  fff00000c3f1d800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.742035]  fff00000c3f1d880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.742077] ==================================================================
Metadata Full log Test run details 

[   13.024247] ==================================================================
[   13.024778] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[   13.025216] Read of size 1 at addr ffff888101902a08 by task kunit_try_catch/201
[   13.025762] 
[   13.026082] CPU: 1 UID: 0 PID: 201 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   13.026132] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.026144] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.026164] Call Trace:
[   13.026177]  <TASK>
[   13.026192]  dump_stack_lvl+0x73/0xb0
[   13.026257]  print_report+0xd1/0x650
[   13.026280]  ? __virt_addr_valid+0x1db/0x2d0
[   13.026304]  ? kmalloc_uaf+0x320/0x380
[   13.026322]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.026344]  ? kmalloc_uaf+0x320/0x380
[   13.026363]  kasan_report+0x141/0x180
[   13.026384]  ? kmalloc_uaf+0x320/0x380
[   13.026436]  __asan_report_load1_noabort+0x18/0x20
[   13.026460]  kmalloc_uaf+0x320/0x380
[   13.026480]  ? __pfx_kmalloc_uaf+0x10/0x10
[   13.026500]  ? __schedule+0x10cc/0x2b60
[   13.026522]  ? __pfx_read_tsc+0x10/0x10
[   13.026543]  ? ktime_get_ts64+0x86/0x230
[   13.026567]  kunit_try_run_case+0x1a5/0x480
[   13.026591]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.026626]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.026651]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.026674]  ? __kthread_parkme+0x82/0x180
[   13.026695]  ? preempt_count_sub+0x50/0x80
[   13.026719]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.026742]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.026766]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.026790]  kthread+0x337/0x6f0
[   13.026831]  ? trace_preempt_on+0x20/0xc0
[   13.026855]  ? __pfx_kthread+0x10/0x10
[   13.026875]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.026896]  ? calculate_sigpending+0x7b/0xa0
[   13.026921]  ? __pfx_kthread+0x10/0x10
[   13.026941]  ret_from_fork+0x116/0x1d0
[   13.026958]  ? __pfx_kthread+0x10/0x10
[   13.026978]  ret_from_fork_asm+0x1a/0x30
[   13.027008]  </TASK>
[   13.027018] 
[   13.034760] Allocated by task 201:
[   13.035083]  kasan_save_stack+0x45/0x70
[   13.035582]  kasan_save_track+0x18/0x40
[   13.035940]  kasan_save_alloc_info+0x3b/0x50
[   13.036173]  __kasan_kmalloc+0xb7/0xc0
[   13.036414]  __kmalloc_cache_noprof+0x189/0x420
[   13.036680]  kmalloc_uaf+0xaa/0x380
[   13.036888]  kunit_try_run_case+0x1a5/0x480
[   13.037035]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.037415]  kthread+0x337/0x6f0
[   13.037662]  ret_from_fork+0x116/0x1d0
[   13.037855]  ret_from_fork_asm+0x1a/0x30
[   13.038173] 
[   13.038260] Freed by task 201:
[   13.038435]  kasan_save_stack+0x45/0x70
[   13.038610]  kasan_save_track+0x18/0x40
[   13.038797]  kasan_save_free_info+0x3f/0x60
[   13.039116]  __kasan_slab_free+0x56/0x70
[   13.039357]  kfree+0x222/0x3f0
[   13.039497]  kmalloc_uaf+0x12c/0x380
[   13.039723]  kunit_try_run_case+0x1a5/0x480
[   13.040050]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.040252]  kthread+0x337/0x6f0
[   13.040375]  ret_from_fork+0x116/0x1d0
[   13.040558]  ret_from_fork_asm+0x1a/0x30
[   13.040768] 
[   13.040895] The buggy address belongs to the object at ffff888101902a00
[   13.040895]  which belongs to the cache kmalloc-16 of size 16
[   13.041881] The buggy address is located 8 bytes inside of
[   13.041881]  freed 16-byte region [ffff888101902a00, ffff888101902a10)
[   13.042422] 
[   13.042586] The buggy address belongs to the physical page:
[   13.043354] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101902
[   13.044052] flags: 0x200000000000000(node=0|zone=2)
[   13.044223] page_type: f5(slab)
[   13.044347] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   13.044576] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   13.044937] page dumped because: kasan: bad access detected
[   13.045171] 
[   13.045327] Memory state around the buggy address:
[   13.045664]  ffff888101902900: fa fb fc fc 00 02 fc fc 00 05 fc fc 00 02 fc fc
[   13.045929]  ffff888101902980: 00 02 fc fc 00 02 fc fc 00 02 fc fc fa fb fc fc
[   13.046490] >ffff888101902a00: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.047018]                       ^
[   13.047195]  ffff888101902a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.047501]  ffff888101902b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.047906] ==================================================================
Metadata Full log Test run details