Date
July 3, 2025, 11:10 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 22.609507] ================================================================== [ 22.609633] BUG: KASAN: slab-use-after-free in strlen+0xa8/0xb0 [ 22.609779] Read of size 1 at addr fff00000c6376cd0 by task kunit_try_catch/259 [ 22.609881] [ 22.609952] CPU: 0 UID: 0 PID: 259 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT [ 22.610155] Tainted: [B]=BAD_PAGE, [N]=TEST [ 22.610257] Hardware name: linux,dummy-virt (DT) [ 22.610369] Call trace: [ 22.610449] show_stack+0x20/0x38 (C) [ 22.610562] dump_stack_lvl+0x8c/0xd0 [ 22.610669] print_report+0x118/0x608 [ 22.610769] kasan_report+0xdc/0x128 [ 22.610873] __asan_report_load1_noabort+0x20/0x30 [ 22.610972] strlen+0xa8/0xb0 [ 22.611082] kasan_strings+0x418/0xb00 [ 22.611137] kunit_try_run_case+0x170/0x3f0 [ 22.611192] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 22.611249] kthread+0x328/0x630 [ 22.611293] ret_from_fork+0x10/0x20 [ 22.611346] [ 22.611368] Allocated by task 259: [ 22.611401] kasan_save_stack+0x3c/0x68 [ 22.611448] kasan_save_track+0x20/0x40 [ 22.611490] kasan_save_alloc_info+0x40/0x58 [ 22.611531] __kasan_kmalloc+0xd4/0xd8 [ 22.611571] __kmalloc_cache_noprof+0x16c/0x3c0 [ 22.611611] kasan_strings+0xc8/0xb00 [ 22.611649] kunit_try_run_case+0x170/0x3f0 [ 22.611690] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 22.611736] kthread+0x328/0x630 [ 22.611770] ret_from_fork+0x10/0x20 [ 22.611806] [ 22.611829] Freed by task 259: [ 22.611858] kasan_save_stack+0x3c/0x68 [ 22.611898] kasan_save_track+0x20/0x40 [ 22.611936] kasan_save_free_info+0x4c/0x78 [ 22.611978] __kasan_slab_free+0x6c/0x98 [ 22.612017] kfree+0x214/0x3c8 [ 22.612073] kasan_strings+0x24c/0xb00 [ 22.612110] kunit_try_run_case+0x170/0x3f0 [ 22.612149] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 22.612191] kthread+0x328/0x630 [ 22.612227] ret_from_fork+0x10/0x20 [ 22.612263] [ 22.612284] The buggy address belongs to the object at fff00000c6376cc0 [ 22.612284] which belongs to the cache kmalloc-32 of size 32 [ 22.612344] The buggy address is located 16 bytes inside of [ 22.612344] freed 32-byte region [fff00000c6376cc0, fff00000c6376ce0) [ 22.612408] [ 22.612430] The buggy address belongs to the physical page: [ 22.612465] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106376 [ 22.612533] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 22.612593] page_type: f5(slab) [ 22.612640] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 22.612696] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 22.612740] page dumped because: kasan: bad access detected [ 22.612775] [ 22.612794] Memory state around the buggy address: [ 22.612827] fff00000c6376b80: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 22.612872] fff00000c6376c00: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 22.612917] >fff00000c6376c80: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 22.612957] ^ [ 22.612995] fff00000c6376d00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 22.613084] fff00000c6376d80: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 22.613175] ==================================================================
[ 13.565806] ================================================================== [ 13.566588] BUG: KASAN: slab-use-after-free in strlen+0x8f/0xb0 [ 13.566986] Read of size 1 at addr ffff8881039c45d0 by task kunit_try_catch/276 [ 13.567633] [ 13.567747] CPU: 1 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary) [ 13.567791] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.567803] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.567823] Call Trace: [ 13.567836] <TASK> [ 13.567850] dump_stack_lvl+0x73/0xb0 [ 13.567876] print_report+0xd1/0x650 [ 13.567899] ? __virt_addr_valid+0x1db/0x2d0 [ 13.567921] ? strlen+0x8f/0xb0 [ 13.567938] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.567960] ? strlen+0x8f/0xb0 [ 13.567976] kasan_report+0x141/0x180 [ 13.567998] ? strlen+0x8f/0xb0 [ 13.568019] __asan_report_load1_noabort+0x18/0x20 [ 13.568042] strlen+0x8f/0xb0 [ 13.568059] kasan_strings+0x57b/0xe80 [ 13.568079] ? trace_hardirqs_on+0x37/0xe0 [ 13.568101] ? __pfx_kasan_strings+0x10/0x10 [ 13.568134] ? __kasan_check_write+0x18/0x20 [ 13.568153] ? queued_spin_lock_slowpath+0x116/0xb40 [ 13.568175] ? irqentry_exit+0x2a/0x60 [ 13.568195] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 13.568217] ? trace_hardirqs_on+0x37/0xe0 [ 13.568238] ? __pfx_read_tsc+0x10/0x10 [ 13.568259] ? ktime_get_ts64+0x86/0x230 [ 13.568281] kunit_try_run_case+0x1a5/0x480 [ 13.568304] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.568364] ? queued_spin_lock_slowpath+0x116/0xb40 [ 13.568387] ? __kthread_parkme+0x82/0x180 [ 13.568406] ? preempt_count_sub+0x50/0x80 [ 13.568428] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.568452] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.568474] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.568497] kthread+0x337/0x6f0 [ 13.568515] ? trace_preempt_on+0x20/0xc0 [ 13.568536] ? __pfx_kthread+0x10/0x10 [ 13.568556] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.568576] ? calculate_sigpending+0x7b/0xa0 [ 13.568599] ? __pfx_kthread+0x10/0x10 [ 13.568620] ret_from_fork+0x116/0x1d0 [ 13.568637] ? __pfx_kthread+0x10/0x10 [ 13.568657] ret_from_fork_asm+0x1a/0x30 [ 13.568686] </TASK> [ 13.568696] [ 13.577251] Allocated by task 276: [ 13.577582] kasan_save_stack+0x45/0x70 [ 13.577854] kasan_save_track+0x18/0x40 [ 13.578069] kasan_save_alloc_info+0x3b/0x50 [ 13.578297] __kasan_kmalloc+0xb7/0xc0 [ 13.578536] __kmalloc_cache_noprof+0x189/0x420 [ 13.578718] kasan_strings+0xc0/0xe80 [ 13.578850] kunit_try_run_case+0x1a5/0x480 [ 13.579079] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.579496] kthread+0x337/0x6f0 [ 13.579619] ret_from_fork+0x116/0x1d0 [ 13.579797] ret_from_fork_asm+0x1a/0x30 [ 13.580002] [ 13.580134] Freed by task 276: [ 13.580293] kasan_save_stack+0x45/0x70 [ 13.580530] kasan_save_track+0x18/0x40 [ 13.580667] kasan_save_free_info+0x3f/0x60 [ 13.580813] __kasan_slab_free+0x56/0x70 [ 13.581049] kfree+0x222/0x3f0 [ 13.581493] kasan_strings+0x2aa/0xe80 [ 13.581709] kunit_try_run_case+0x1a5/0x480 [ 13.581919] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.582216] kthread+0x337/0x6f0 [ 13.582447] ret_from_fork+0x116/0x1d0 [ 13.582616] ret_from_fork_asm+0x1a/0x30 [ 13.582789] [ 13.582887] The buggy address belongs to the object at ffff8881039c45c0 [ 13.582887] which belongs to the cache kmalloc-32 of size 32 [ 13.583477] The buggy address is located 16 bytes inside of [ 13.583477] freed 32-byte region [ffff8881039c45c0, ffff8881039c45e0) [ 13.583835] [ 13.583931] The buggy address belongs to the physical page: [ 13.584219] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039c4 [ 13.584779] flags: 0x200000000000000(node=0|zone=2) [ 13.585162] page_type: f5(slab) [ 13.585311] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 13.585940] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 13.586335] page dumped because: kasan: bad access detected [ 13.586579] [ 13.586729] Memory state around the buggy address: [ 13.586963] ffff8881039c4480: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 13.587279] ffff8881039c4500: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 13.587623] >ffff8881039c4580: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 13.587886] ^ [ 13.588170] ffff8881039c4600: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 13.588445] ffff8881039c4680: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 13.588659] ==================================================================