Date
July 12, 2025, 11:09 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

[ 22.304554] ==================================================================
[ 22.304670] BUG: KASAN: slab-use-after-free in kasan_strings+0x95c/0xb00
[ 22.304777] Read of size 1 at addr fff00000c5941f90 by task kunit_try_catch/260
[ 22.305294]
[ 22.305476] CPU: 1 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 22.306004] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.306285] Hardware name: linux,dummy-virt (DT)
[ 22.306567] Call trace:
[ 22.306814]  show_stack+0x20/0x38 (C)
[ 22.307164]  dump_stack_lvl+0x8c/0xd0
[ 22.307292]  print_report+0x118/0x608
[ 22.307422]  kasan_report+0xdc/0x128
[ 22.307547]  __asan_report_load1_noabort+0x20/0x30
[ 22.307680]  kasan_strings+0x95c/0xb00
[ 22.307791]  kunit_try_run_case+0x170/0x3f0
[ 22.308385]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 22.308683]  kthread+0x328/0x630
[ 22.309029]  ret_from_fork+0x10/0x20
[ 22.309363]
[ 22.309423] Allocated by task 260:
[ 22.309511]  kasan_save_stack+0x3c/0x68
[ 22.309607]  kasan_save_track+0x20/0x40
[ 22.309693]  kasan_save_alloc_info+0x40/0x58
[ 22.309915]  __kasan_kmalloc+0xd4/0xd8
[ 22.310257]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 22.310464]  kasan_strings+0xc8/0xb00
[ 22.310655]  kunit_try_run_case+0x170/0x3f0
[ 22.310879]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 22.311049]  kthread+0x328/0x630
[ 22.311240]  ret_from_fork+0x10/0x20
[ 22.311366]
[ 22.311424] Freed by task 260:
[ 22.311776]  kasan_save_stack+0x3c/0x68
[ 22.311893]  kasan_save_track+0x20/0x40
[ 22.311992]  kasan_save_free_info+0x4c/0x78
[ 22.312091]  __kasan_slab_free+0x6c/0x98
[ 22.312185]  kfree+0x214/0x3c8
[ 22.312268]  kasan_strings+0x24c/0xb00
[ 22.312349]  kunit_try_run_case+0x170/0x3f0
[ 22.312449]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 22.312550]  kthread+0x328/0x630
[ 22.313002]  ret_from_fork+0x10/0x20
[ 22.313213]
[ 22.313280] The buggy address belongs to the object at fff00000c5941f80
[ 22.313280]  which belongs to the cache kmalloc-32 of size 32
[ 22.313423] The buggy address is located 16 bytes inside of
[ 22.313423]  freed 32-byte region [fff00000c5941f80, fff00000c5941fa0)
[ 22.313587]
[ 22.313651] The buggy address belongs to the physical page:
[ 22.313728] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105941
[ 22.313839] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 22.313943] page_type: f5(slab)
[ 22.314051] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 22.314159] raw: 0000000000000000 0000000000400040 00000000f5000000 0000000000000000
[ 22.314369] page dumped because: kasan: bad access detected
[ 22.314480]
[ 22.314546] Memory state around the buggy address:
[ 22.314796]  fff00000c5941e80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 22.314997]  fff00000c5941f00: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 22.315243] >fff00000c5941f80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 22.315459]                          ^
[ 22.315559]  fff00000c5942000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.315670]  fff00000c5942080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.315769] ==================================================================
qemu-x86_64:

[ 14.582271] ==================================================================
[ 14.583335] BUG: KASAN: slab-use-after-free in kasan_strings+0xcbc/0xe80
[ 14.583560] Read of size 1 at addr ffff888103acf910 by task kunit_try_catch/277
[ 14.584025]
[ 14.584203] CPU: 0 UID: 0 PID: 277 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.584248] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.584260] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.584282] Call Trace:
[ 14.584300]  <TASK>
[ 14.584317]  dump_stack_lvl+0x73/0xb0
[ 14.584345]  print_report+0xd1/0x650
[ 14.584367]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.584389]  ? kasan_strings+0xcbc/0xe80
[ 14.584410]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.584433]  ? kasan_strings+0xcbc/0xe80
[ 14.584454]  kasan_report+0x141/0x180
[ 14.584477]  ? kasan_strings+0xcbc/0xe80
[ 14.584502]  __asan_report_load1_noabort+0x18/0x20
[ 14.584528]  kasan_strings+0xcbc/0xe80
[ 14.584547]  ? trace_hardirqs_on+0x37/0xe0
[ 14.584571]  ? __pfx_kasan_strings+0x10/0x10
[ 14.584592]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.584615]  ? __switch_to+0x47/0xf50
[ 14.584640]  ? __schedule+0x10cc/0x2b60
[ 14.584694]  ? __pfx_read_tsc+0x10/0x10
[ 14.584714]  ? ktime_get_ts64+0x86/0x230
[ 14.584738]  kunit_try_run_case+0x1a5/0x480
[ 14.584771]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.584795]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.584817]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.584842]  ? __kthread_parkme+0x82/0x180
[ 14.584862]  ? preempt_count_sub+0x50/0x80
[ 14.584886]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.584910]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.584935]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.584961]  kthread+0x337/0x6f0
[ 14.584979]  ? trace_preempt_on+0x20/0xc0
[ 14.585002]  ? __pfx_kthread+0x10/0x10
[ 14.585022]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.585044]  ? calculate_sigpending+0x7b/0xa0
[ 14.585067]  ? __pfx_kthread+0x10/0x10
[ 14.585089]  ret_from_fork+0x116/0x1d0
[ 14.585107]  ? __pfx_kthread+0x10/0x10
[ 14.585128]  ret_from_fork_asm+0x1a/0x30
[ 14.585157]  </TASK>
[ 14.585167]
[ 14.599868] Allocated by task 277:
[ 14.600006]  kasan_save_stack+0x45/0x70
[ 14.600148]  kasan_save_track+0x18/0x40
[ 14.600278]  kasan_save_alloc_info+0x3b/0x50
[ 14.600424]  __kasan_kmalloc+0xb7/0xc0
[ 14.600551]  __kmalloc_cache_noprof+0x189/0x420
[ 14.600719]  kasan_strings+0xc0/0xe80
[ 14.601618]  kunit_try_run_case+0x1a5/0x480
[ 14.602099]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.602776]  kthread+0x337/0x6f0
[ 14.603390]  ret_from_fork+0x116/0x1d0
[ 14.603831]  ret_from_fork_asm+0x1a/0x30
[ 14.604414]
[ 14.604720] Freed by task 277:
[ 14.605316]  kasan_save_stack+0x45/0x70
[ 14.605818]  kasan_save_track+0x18/0x40
[ 14.606376]  kasan_save_free_info+0x3f/0x60
[ 14.607005]  __kasan_slab_free+0x56/0x70
[ 14.607439]  kfree+0x222/0x3f0
[ 14.607562]  kasan_strings+0x2aa/0xe80
[ 14.607722]  kunit_try_run_case+0x1a5/0x480
[ 14.608396]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.608956]  kthread+0x337/0x6f0
[ 14.609142]  ret_from_fork+0x116/0x1d0
[ 14.609361]  ret_from_fork_asm+0x1a/0x30
[ 14.609553]
[ 14.609646] The buggy address belongs to the object at ffff888103acf900
[ 14.609646]  which belongs to the cache kmalloc-32 of size 32
[ 14.610710] The buggy address is located 16 bytes inside of
[ 14.610710]  freed 32-byte region [ffff888103acf900, ffff888103acf920)
[ 14.611220]
[ 14.611293] The buggy address belongs to the physical page:
[ 14.611460] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103acf
[ 14.611962] flags: 0x200000000000000(node=0|zone=2)
[ 14.612416] page_type: f5(slab)
[ 14.612771] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 14.613593] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 14.614587] page dumped because: kasan: bad access detected
[ 14.615332]
[ 14.615541] Memory state around the buggy address:
[ 14.615964]  ffff888103acf800: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 14.616324]  ffff888103acf880: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 14.616533] >ffff888103acf900: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 14.616823]                          ^
[ 14.617322]  ffff888103acf980: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 14.618044]  ffff888103acfa00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 14.618724] ==================================================================
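Both reports above come from `kasan_strings`, a case in the KASAN KUnit self-test suite that frees a small kmalloc buffer on purpose and then runs string functions on it; the `N` (TEST) taint marks the running test, and a slab-use-after-free report here is the expected positive, not a regression. The part of a KASAN report that tells you *why* an access failed is the "Memory state around the buggy address" dump: each shadow byte describes one 8-byte granule of memory (generic KASAN), with 00 meaning fully addressable, 01 to 07 a partially addressable granule, and values such as fa/fb/fc the poison constants from mm/kasan/kasan.h. The decoder below is an added example, not part of this test result or of the kernel's own tooling. It assumes generic (software) KASAN with 8-byte granules; the `REPORT` string is excerpted verbatim from the qemu-arm64 report above. It maps the faulting address to its shadow byte, names the poison, and walks the shadow bytes to recover the freed object's extent, which should agree with the report's own "located 16 bytes inside of freed 32-byte region" line.

```python
import re

GRANULE = 8  # generic KASAN: one shadow byte describes 8 bytes of memory

# Poison values as defined in mm/kasan/kasan.h for generic KASAN.
POISON = {
    0xfa: "freed slab object, granule holds the free track (KASAN_SLAB_FREETRACK)",
    0xfb: "freed slab object (KASAN_SLAB_FREE)",
    0xfc: "slab redzone (KASAN_SLAB_REDZONE)",
    0xfe: "page allocation redzone (KASAN_PAGE_REDZONE)",
    0xff: "freed page (KASAN_PAGE_FREE)",
    0xf8: "vmalloc guard / unmapped (KASAN_VMALLOC_INVALID)",
    0xf9: "global redzone (KASAN_GLOBAL_REDZONE)",
}

# One shadow row: optional dmesg timestamp, optional '>' marker, 16-digit row
# base address, then 16 shadow bytes (one per 8-byte granule, 128 bytes a row).
ROW_RE = re.compile(
    r"^\s*(?:\[\s*[\d.]+\]\s*)?>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")


def describe_shadow(value):
    """Turn one shadow byte into the meaning KASAN assigns to it."""
    if value == 0:
        return "all 8 bytes addressable"
    if 1 <= value < GRANULE:
        return "first %d of 8 bytes addressable (partial granule)" % value
    return POISON.get(value, "unknown poison 0x%02x" % value)


def parse_shadow(report):
    """Map every granule start address in the dump to its shadow byte."""
    shadow = {}
    for line in report.splitlines():
        m = ROW_RE.match(line)
        if m:
            base = int(m.group(1), 16)
            for i, tok in enumerate(m.group(2).split()):
                shadow[base + i * GRANULE] = int(tok, 16)
    return shadow


def freed_object_extent(shadow, addr):
    """Return [start, end) of the freed slab object containing addr, or None.

    Walks back over KASAN_SLAB_FREE granules to the KASAN_SLAB_FREETRACK granule
    that heads a freed object, then forward to the first non-free granule.
    None means addr is not in freed memory or the dumped window is too small.
    """
    g = addr & ~(GRANULE - 1)
    if shadow.get(g) not in (0xfa, 0xfb):
        return None
    start = g
    while shadow.get(start) == 0xfb:
        start -= GRANULE
    if shadow.get(start) != 0xfa:
        return None
    end = g + GRANULE
    while shadow.get(end) == 0xfb:
        end += GRANULE
    return start, end


def analyze(report):
    """Explain the faulting access of a generic-KASAN report from its shadow dump."""
    m = ACCESS_RE.search(report)
    if not m:
        raise ValueError("no 'Read/Write of size N at addr ...' line found")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    shadow = parse_shadow(report)
    g = addr & ~(GRANULE - 1)
    if g not in shadow:
        raise ValueError("faulting address not covered by the shadow dump")
    result = {"access": kind, "size": size, "addr": addr, "shadow": shadow[g],
              "meaning": describe_shadow(shadow[g]), "object": None, "offset": None}
    extent = freed_object_extent(shadow, addr)
    if extent:
        result["object"] = extent
        result["offset"] = addr - extent[0]
    return result


# Excerpt of the qemu-arm64 report above (constructed input for this example).
REPORT = """\
[ 22.304777] Read of size 1 at addr fff00000c5941f90 by task kunit_try_catch/260
[ 22.314546] Memory state around the buggy address:
[ 22.314796]  fff00000c5941e80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 22.314997]  fff00000c5941f00: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 22.315243] >fff00000c5941f80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 22.315459]                          ^
[ 22.315559]  fff00000c5942000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.315670]  fff00000c5942080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

if __name__ == "__main__":
    r = analyze(REPORT)
    print("%s of %d at %#x: shadow 0x%02x = %s" % (
        r["access"], r["size"], r["addr"], r["shadow"], r["meaning"]))
    if r["object"]:
        print("inside freed object [%#x, %#x), offset %d" % (
            r["object"][0], r["object"][1], r["offset"]))
```

Reading the result against the report: the 1-byte read at fff00000c5941f90 lands on the third shadow byte of the marked row, 0xfb, so the granule belongs to a freed slab object; the fa granule that heads the object sits at ...f80 and the fb run ends at ...fa0, which is exactly the 32-byte kmalloc-32 region and 16-byte offset the report prints. The 0xfa granule is where KASAN keeps the free track (the "Freed by task" stack), which is why the test steps 16 bytes into the object before touching it. The same decoding applies to the qemu-x86_64 report, whose shadow rows differ only in address.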