Date
July 11, 2025, 11:09 p.m.
Environment
qemu-arm64
qemu-x86_64
qemu-arm64:
[ 19.040482] ==================================================================
[ 19.040586] BUG: KASAN: slab-use-after-free in strlen+0xa8/0xb0
[ 19.040640] Read of size 1 at addr fff00000c5908250 by task kunit_try_catch/260
[ 19.040741]
[ 19.040774] CPU: 1 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 19.040870] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.040899] Hardware name: linux,dummy-virt (DT)
[ 19.040931] Call trace:
[ 19.041087]  show_stack+0x20/0x38 (C)
[ 19.041149]  dump_stack_lvl+0x8c/0xd0
[ 19.041302]  print_report+0x118/0x608
[ 19.041353]  kasan_report+0xdc/0x128
[ 19.041571]  __asan_report_load1_noabort+0x20/0x30
[ 19.041696]  strlen+0xa8/0xb0
[ 19.041743]  kasan_strings+0x418/0xb00
[ 19.041789]  kunit_try_run_case+0x170/0x3f0
[ 19.041853]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.041908]  kthread+0x328/0x630
[ 19.042110]  ret_from_fork+0x10/0x20
[ 19.042206]
[ 19.042264] Allocated by task 260:
[ 19.042359]  kasan_save_stack+0x3c/0x68
[ 19.042403]  kasan_save_track+0x20/0x40
[ 19.042548]  kasan_save_alloc_info+0x40/0x58
[ 19.042686]  __kasan_kmalloc+0xd4/0xd8
[ 19.042736]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 19.042872]  kasan_strings+0xc8/0xb00
[ 19.043025]  kunit_try_run_case+0x170/0x3f0
[ 19.043146]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.043198]  kthread+0x328/0x630
[ 19.043457]  ret_from_fork+0x10/0x20
[ 19.043656]
[ 19.043726] Freed by task 260:
[ 19.043757]  kasan_save_stack+0x3c/0x68
[ 19.043796]  kasan_save_track+0x20/0x40
[ 19.044046]  kasan_save_free_info+0x4c/0x78
[ 19.044174]  __kasan_slab_free+0x6c/0x98
[ 19.044258]  kfree+0x214/0x3c8
[ 19.044428]  kasan_strings+0x24c/0xb00
[ 19.044468]  kunit_try_run_case+0x170/0x3f0
[ 19.044520]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.045001]  kthread+0x328/0x630
[ 19.045149]  ret_from_fork+0x10/0x20
[ 19.045277]
[ 19.045485] The buggy address belongs to the object at fff00000c5908240
[ 19.045485]  which belongs to the cache kmalloc-32 of size 32
[ 19.045616] The buggy address is located 16 bytes inside of
[ 19.045616]  freed 32-byte region [fff00000c5908240, fff00000c5908260)
[ 19.045679]
[ 19.045703] The buggy address belongs to the physical page:
[ 19.045735] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105908
[ 19.045960] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.046016] page_type: f5(slab)
[ 19.046057] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 19.046240] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 19.046316] page dumped because: kasan: bad access detected
[ 19.046627]
[ 19.046738] Memory state around the buggy address:
[ 19.046898]  fff00000c5908100: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 19.047135]  fff00000c5908180: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 19.047249] >fff00000c5908200: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 19.047290]                                                  ^
[ 19.047485]  fff00000c5908280: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 19.047542]  fff00000c5908300: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 19.047582] ==================================================================
qemu-x86_64:
[ 14.389804] ==================================================================
[ 14.390528] BUG: KASAN: slab-use-after-free in strlen+0x8f/0xb0
[ 14.390758] Read of size 1 at addr ffff888102a16ad0 by task kunit_try_catch/276
[ 14.391031]
[ 14.391138] CPU: 1 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.391178] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.391190] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.391210] Call Trace:
[ 14.391224]  <TASK>
[ 14.391238]  dump_stack_lvl+0x73/0xb0
[ 14.391264]  print_report+0xd1/0x650
[ 14.391346]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.391371]  ? strlen+0x8f/0xb0
[ 14.391389]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.391413]  ? strlen+0x8f/0xb0
[ 14.391430]  kasan_report+0x141/0x180
[ 14.391452]  ? strlen+0x8f/0xb0
[ 14.391474]  __asan_report_load1_noabort+0x18/0x20
[ 14.391693]  strlen+0x8f/0xb0
[ 14.391724]  kasan_strings+0x57b/0xe80
[ 14.391744]  ? trace_hardirqs_on+0x37/0xe0
[ 14.391779]  ? __pfx_kasan_strings+0x10/0x10
[ 14.391799]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.391821]  ? __switch_to+0x47/0xf50
[ 14.391865]  ? __schedule+0x10cc/0x2b60
[ 14.391887]  ? __pfx_read_tsc+0x10/0x10
[ 14.391907]  ? ktime_get_ts64+0x86/0x230
[ 14.391942]  kunit_try_run_case+0x1a5/0x480
[ 14.391966]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.391989]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.392011]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.392110]  ? __kthread_parkme+0x82/0x180
[ 14.392130]  ? preempt_count_sub+0x50/0x80
[ 14.392153]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.392178]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.392225]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.392251]  kthread+0x337/0x6f0
[ 14.392270]  ? trace_preempt_on+0x20/0xc0
[ 14.392292]  ? __pfx_kthread+0x10/0x10
[ 14.392313]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.392335]  ? calculate_sigpending+0x7b/0xa0
[ 14.392359]  ? __pfx_kthread+0x10/0x10
[ 14.392400]  ret_from_fork+0x116/0x1d0
[ 14.392419]  ? __pfx_kthread+0x10/0x10
[ 14.392439]  ret_from_fork_asm+0x1a/0x30
[ 14.392471]  </TASK>
[ 14.392480]
[ 14.400023] Allocated by task 276:
[ 14.400196]  kasan_save_stack+0x45/0x70
[ 14.400398]  kasan_save_track+0x18/0x40
[ 14.400579]  kasan_save_alloc_info+0x3b/0x50
[ 14.400962]  __kasan_kmalloc+0xb7/0xc0
[ 14.401231]  __kmalloc_cache_noprof+0x189/0x420
[ 14.401395]  kasan_strings+0xc0/0xe80
[ 14.401536]  kunit_try_run_case+0x1a5/0x480
[ 14.401680]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.401918]  kthread+0x337/0x6f0
[ 14.402100]  ret_from_fork+0x116/0x1d0
[ 14.402293]  ret_from_fork_asm+0x1a/0x30
[ 14.402656]
[ 14.402874] Freed by task 276:
[ 14.403115]  kasan_save_stack+0x45/0x70
[ 14.403345]  kasan_save_track+0x18/0x40
[ 14.403534]  kasan_save_free_info+0x3f/0x60
[ 14.403726]  __kasan_slab_free+0x56/0x70
[ 14.403945]  kfree+0x222/0x3f0
[ 14.404266]  kasan_strings+0x2aa/0xe80
[ 14.404456]  kunit_try_run_case+0x1a5/0x480
[ 14.404657]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.404960]  kthread+0x337/0x6f0
[ 14.405169]  ret_from_fork+0x116/0x1d0
[ 14.405303]  ret_from_fork_asm+0x1a/0x30
[ 14.405436]
[ 14.405521] The buggy address belongs to the object at ffff888102a16ac0
[ 14.405521]  which belongs to the cache kmalloc-32 of size 32
[ 14.406060] The buggy address is located 16 bytes inside of
[ 14.406060]  freed 32-byte region [ffff888102a16ac0, ffff888102a16ae0)
[ 14.406627]
[ 14.406699] The buggy address belongs to the physical page:
[ 14.406863] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a16
[ 14.407411] flags: 0x200000000000000(node=0|zone=2)
[ 14.407678] page_type: f5(slab)
[ 14.407851] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 14.408321] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 14.408660] page dumped because: kasan: bad access detected
[ 14.408883]
[ 14.409003] Memory state around the buggy address:
[ 14.409230]  ffff888102a16980: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 14.409572]  ffff888102a16a00: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 14.409800] >ffff888102a16a80: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 14.410320]                                                  ^
[ 14.410612]  ffff888102a16b00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 14.410877]  ffff888102a16b80: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 14.411096] ==================================================================