Date
July 16, 2025, 3:10 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 16.748659] ================================================================== [ 16.748745] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338 [ 16.748800] Read of size 1 at addr fff00000c3eef588 by task kunit_try_catch/184 [ 16.748850] [ 16.748883] CPU: 1 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 16.748971] Tainted: [B]=BAD_PAGE, [N]=TEST [ 16.749005] Hardware name: linux,dummy-virt (DT) [ 16.749054] Call trace: [ 16.749076] show_stack+0x20/0x38 (C) [ 16.749123] dump_stack_lvl+0x8c/0xd0 [ 16.749180] print_report+0x118/0x5d0 [ 16.749227] kasan_report+0xdc/0x128 [ 16.749276] __asan_report_load1_noabort+0x20/0x30 [ 16.749337] kmalloc_uaf+0x300/0x338 [ 16.749379] kunit_try_run_case+0x170/0x3f0 [ 16.749436] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.749489] kthread+0x328/0x630 [ 16.749532] ret_from_fork+0x10/0x20 [ 16.749578] [ 16.749601] Allocated by task 184: [ 16.749646] kasan_save_stack+0x3c/0x68 [ 16.749692] kasan_save_track+0x20/0x40 [ 16.750097] kasan_save_alloc_info+0x40/0x58 [ 16.750363] __kasan_kmalloc+0xd4/0xd8 [ 16.750438] __kmalloc_cache_noprof+0x16c/0x3c0 [ 16.750481] kmalloc_uaf+0xb8/0x338 [ 16.750540] kunit_try_run_case+0x170/0x3f0 [ 16.750579] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.750643] kthread+0x328/0x630 [ 16.750786] ret_from_fork+0x10/0x20 [ 16.750825] [ 16.750875] Freed by task 184: [ 16.750916] kasan_save_stack+0x3c/0x68 [ 16.751052] kasan_save_track+0x20/0x40 [ 16.751163] kasan_save_free_info+0x4c/0x78 [ 16.751219] __kasan_slab_free+0x6c/0x98 [ 16.751258] kfree+0x214/0x3c8 [ 16.751347] kmalloc_uaf+0x11c/0x338 [ 16.751417] kunit_try_run_case+0x170/0x3f0 [ 16.751485] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 16.751562] kthread+0x328/0x630 [ 16.751699] ret_from_fork+0x10/0x20 [ 16.751851] [ 16.751930] The buggy address belongs to the object at fff00000c3eef580 [ 16.751930] which belongs to the cache kmalloc-16 of size 16 [ 16.751993] The buggy address is located 8 bytes inside of [ 16.751993] freed 16-byte region [fff00000c3eef580, fff00000c3eef590) [ 16.752054] [ 16.752076] The buggy address belongs to the physical page: [ 16.752297] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103eef [ 16.752386] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 16.752488] page_type: f5(slab) [ 16.752572] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000 [ 16.752687] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 16.752813] page dumped because: kasan: bad access detected [ 16.752946] [ 16.752996] Memory state around the buggy address: [ 16.753121] fff00000c3eef480: fa fb fc fc fa fb fc fc 00 04 fc fc fa fb fc fc [ 16.753211] fff00000c3eef500: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 16.753336] >fff00000c3eef580: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.753384] ^ [ 16.753413] fff00000c3eef600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.753490] fff00000c3eef680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 16.753799] ==================================================================
[ 12.813169] ================================================================== [ 12.813608] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380 [ 12.813853] Read of size 1 at addr ffff8881009b2fc8 by task kunit_try_catch/201 [ 12.814077] [ 12.814175] CPU: 0 UID: 0 PID: 201 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 12.814222] Tainted: [B]=BAD_PAGE, [N]=TEST [ 12.814233] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 12.814256] Call Trace: [ 12.814268] <TASK> [ 12.814286] dump_stack_lvl+0x73/0xb0 [ 12.814316] print_report+0xd1/0x610 [ 12.814339] ? __virt_addr_valid+0x1db/0x2d0 [ 12.814362] ? kmalloc_uaf+0x320/0x380 [ 12.814381] ? kasan_complete_mode_report_info+0x64/0x200 [ 12.814403] ? kmalloc_uaf+0x320/0x380 [ 12.814422] kasan_report+0x141/0x180 [ 12.814443] ? kmalloc_uaf+0x320/0x380 [ 12.814466] __asan_report_load1_noabort+0x18/0x20 [ 12.814490] kmalloc_uaf+0x320/0x380 [ 12.814929] ? __pfx_kmalloc_uaf+0x10/0x10 [ 12.814955] ? __schedule+0x10cc/0x2b60 [ 12.815004] ? __pfx_read_tsc+0x10/0x10 [ 12.815027] ? ktime_get_ts64+0x86/0x230 [ 12.815239] kunit_try_run_case+0x1a5/0x480 [ 12.815267] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.815291] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 12.815317] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 12.815341] ? __kthread_parkme+0x82/0x180 [ 12.815363] ? preempt_count_sub+0x50/0x80 [ 12.815389] ? __pfx_kunit_try_run_case+0x10/0x10 [ 12.815414] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.815460] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 12.815486] kthread+0x337/0x6f0 [ 12.815505] ? trace_preempt_on+0x20/0xc0 [ 12.815531] ? __pfx_kthread+0x10/0x10 [ 12.815552] ? _raw_spin_unlock_irq+0x47/0x80 [ 12.815573] ? calculate_sigpending+0x7b/0xa0 [ 12.815599] ? __pfx_kthread+0x10/0x10 [ 12.815620] ret_from_fork+0x116/0x1d0 [ 12.815640] ? __pfx_kthread+0x10/0x10 [ 12.815660] ret_from_fork_asm+0x1a/0x30 [ 12.815692] </TASK> [ 12.815704] [ 12.826772] Allocated by task 201: [ 12.826970] kasan_save_stack+0x45/0x70 [ 12.827162] kasan_save_track+0x18/0x40 [ 12.827806] kasan_save_alloc_info+0x3b/0x50 [ 12.828225] __kasan_kmalloc+0xb7/0xc0 [ 12.828530] __kmalloc_cache_noprof+0x189/0x420 [ 12.828837] kmalloc_uaf+0xaa/0x380 [ 12.829163] kunit_try_run_case+0x1a5/0x480 [ 12.829347] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.829644] kthread+0x337/0x6f0 [ 12.829819] ret_from_fork+0x116/0x1d0 [ 12.829979] ret_from_fork_asm+0x1a/0x30 [ 12.830612] [ 12.830711] Freed by task 201: [ 12.831107] kasan_save_stack+0x45/0x70 [ 12.831323] kasan_save_track+0x18/0x40 [ 12.831716] kasan_save_free_info+0x3f/0x60 [ 12.832077] __kasan_slab_free+0x56/0x70 [ 12.832225] kfree+0x222/0x3f0 [ 12.832620] kmalloc_uaf+0x12c/0x380 [ 12.832887] kunit_try_run_case+0x1a5/0x480 [ 12.833312] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 12.833650] kthread+0x337/0x6f0 [ 12.833793] ret_from_fork+0x116/0x1d0 [ 12.834186] ret_from_fork_asm+0x1a/0x30 [ 12.834509] [ 12.834648] The buggy address belongs to the object at ffff8881009b2fc0 [ 12.834648] which belongs to the cache kmalloc-16 of size 16 [ 12.835725] The buggy address is located 8 bytes inside of [ 12.835725] freed 16-byte region [ffff8881009b2fc0, ffff8881009b2fd0) [ 12.836711] [ 12.837037] The buggy address belongs to the physical page: [ 12.837918] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1009b2 [ 12.838843] flags: 0x200000000000000(node=0|zone=2) [ 12.839022] page_type: f5(slab) [ 12.839784] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 12.840669] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 12.841030] page dumped because: kasan: bad access detected [ 12.841297] [ 12.841390] Memory state around the buggy address: [ 12.841617] ffff8881009b2e80: 00 00 fc fc 00 06 fc fc 00 06 fc fc 00 00 fc fc [ 12.841937] ffff8881009b2f00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 12.842249] >ffff8881009b2f80: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc [ 12.842560] ^ [ 12.843415] ffff8881009b3000: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 12.843840] ffff8881009b3080: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 12.844488] ==================================================================