Date
July 12, 2025, 11:09 p.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:

```text
[ 18.766409] ==================================================================
[ 18.766465] BUG: KASAN: slab-use-after-free in strlen+0xa8/0xb0
[ 18.766516] Read of size 1 at addr fff00000c66fec50 by task kunit_try_catch/259
[ 18.766568]
[ 18.766600] CPU: 1 UID: 0 PID: 259 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 18.766684] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.766717] Hardware name: linux,dummy-virt (DT)
[ 18.766750] Call trace:
[ 18.766775]  show_stack+0x20/0x38 (C)
[ 18.766825]  dump_stack_lvl+0x8c/0xd0
[ 18.766927]  print_report+0x118/0x5d0
[ 18.766993]  kasan_report+0xdc/0x128
[ 18.767041]  __asan_report_load1_noabort+0x20/0x30
[ 18.767096]  strlen+0xa8/0xb0
[ 18.767138]  kasan_strings+0x418/0xb00
[ 18.767195]  kunit_try_run_case+0x170/0x3f0
[ 18.767252]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.767308]  kthread+0x328/0x630
[ 18.767582]  ret_from_fork+0x10/0x20
[ 18.768453]
[ 18.768492] Allocated by task 259:
[ 18.768620]  kasan_save_stack+0x3c/0x68
[ 18.768734]  kasan_save_track+0x20/0x40
[ 18.768836]  kasan_save_alloc_info+0x40/0x58
[ 18.768895]  __kasan_kmalloc+0xd4/0xd8
[ 18.769366]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 18.769611]  kasan_strings+0xc8/0xb00
[ 18.769771]  kunit_try_run_case+0x170/0x3f0
[ 18.769888]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.770007]  kthread+0x328/0x630
[ 18.770114]  ret_from_fork+0x10/0x20
[ 18.770291]
[ 18.770333] Freed by task 259:
[ 18.770581]  kasan_save_stack+0x3c/0x68
[ 18.770829]  kasan_save_track+0x20/0x40
[ 18.770889]  kasan_save_free_info+0x4c/0x78
[ 18.771126]  __kasan_slab_free+0x6c/0x98
[ 18.771207]  kfree+0x214/0x3c8
[ 18.771382]  kasan_strings+0x24c/0xb00
[ 18.771566]  kunit_try_run_case+0x170/0x3f0
[ 18.771783]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.772039]  kthread+0x328/0x630
[ 18.772198]  ret_from_fork+0x10/0x20
[ 18.772392]
[ 18.772417] The buggy address belongs to the object at fff00000c66fec40
[ 18.772417]  which belongs to the cache kmalloc-32 of size 32
[ 18.772652] The buggy address is located 16 bytes inside of
[ 18.772652]  freed 32-byte region [fff00000c66fec40, fff00000c66fec60)
[ 18.772870]
[ 18.772897] The buggy address belongs to the physical page:
[ 18.773267] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1066fe
[ 18.773360] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.773585] page_type: f5(slab)
[ 18.773798] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 18.774027] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 18.774235] page dumped because: kasan: bad access detected
[ 18.774327]
[ 18.774406] Memory state around the buggy address:
[ 18.774456]  fff00000c66feb00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 18.774667]  fff00000c66feb80: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 18.774933] >fff00000c66fec00: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 18.774997]                                                  ^
[ 18.775188]  fff00000c66fec80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 18.775458]  fff00000c66fed00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 18.775540] ==================================================================
```
qemu-x86_64:

```text
[ 14.977052] ==================================================================
[ 14.977342] BUG: KASAN: slab-use-after-free in strlen+0x8f/0xb0
[ 14.977623] Read of size 1 at addr ffff888103a693d0 by task kunit_try_catch/276
[ 14.977905]
[ 14.977989] CPU: 0 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.978029] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.978043] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.978064] Call Trace:
[ 14.978078]  <TASK>
[ 14.978091]  dump_stack_lvl+0x73/0xb0
[ 14.978118]  print_report+0xd1/0x610
[ 14.978140]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.978164]  ? strlen+0x8f/0xb0
[ 14.978181]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.978205]  ? strlen+0x8f/0xb0
[ 14.978225]  kasan_report+0x141/0x180
[ 14.978250]  ? strlen+0x8f/0xb0
[ 14.978282]  __asan_report_load1_noabort+0x18/0x20
[ 14.978308]  strlen+0x8f/0xb0
[ 14.978326]  kasan_strings+0x57b/0xe80
[ 14.978345]  ? trace_hardirqs_on+0x37/0xe0
[ 14.978369]  ? __pfx_kasan_strings+0x10/0x10
[ 14.978389]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.978412]  ? __switch_to+0x47/0xf50
[ 14.978438]  ? __schedule+0x10cc/0x2b60
[ 14.978461]  ? __pfx_read_tsc+0x10/0x10
[ 14.978482]  ? ktime_get_ts64+0x86/0x230
[ 14.978505]  kunit_try_run_case+0x1a5/0x480
[ 14.978530]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.978554]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.978578]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.978603]  ? __kthread_parkme+0x82/0x180
[ 14.978623]  ? preempt_count_sub+0x50/0x80
[ 14.978647]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.978672]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.978697]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.978729]  kthread+0x337/0x6f0
[ 14.978748]  ? trace_preempt_on+0x20/0xc0
[ 14.978770]  ? __pfx_kthread+0x10/0x10
[ 14.978791]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.978813]  ? calculate_sigpending+0x7b/0xa0
[ 14.978838]  ? __pfx_kthread+0x10/0x10
[ 14.978860]  ret_from_fork+0x116/0x1d0
[ 14.978878]  ? __pfx_kthread+0x10/0x10
[ 14.978898]  ret_from_fork_asm+0x1a/0x30
[ 14.978928]  </TASK>
[ 14.978938]
[ 14.986108] Allocated by task 276:
[ 14.986275]  kasan_save_stack+0x45/0x70
[ 14.986475]  kasan_save_track+0x18/0x40
[ 14.986657]  kasan_save_alloc_info+0x3b/0x50
[ 14.986861]  __kasan_kmalloc+0xb7/0xc0
[ 14.987025]  __kmalloc_cache_noprof+0x189/0x420
[ 14.987245]  kasan_strings+0xc0/0xe80
[ 14.987425]  kunit_try_run_case+0x1a5/0x480
[ 14.987610]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.987838]  kthread+0x337/0x6f0
[ 14.987988]  ret_from_fork+0x116/0x1d0
[ 14.988120]  ret_from_fork_asm+0x1a/0x30
[ 14.988258]
[ 14.988335] Freed by task 276:
[ 14.988443]  kasan_save_stack+0x45/0x70
[ 14.988633]  kasan_save_track+0x18/0x40
[ 14.988824]  kasan_save_free_info+0x3f/0x60
[ 14.989035]  __kasan_slab_free+0x56/0x70
[ 14.989233]  kfree+0x222/0x3f0
[ 14.989410]  kasan_strings+0x2aa/0xe80
[ 14.989599]  kunit_try_run_case+0x1a5/0x480
[ 14.989792]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.990007]  kthread+0x337/0x6f0
[ 14.990127]  ret_from_fork+0x116/0x1d0
[ 14.990259]  ret_from_fork_asm+0x1a/0x30
[ 14.990421]
[ 14.990515] The buggy address belongs to the object at ffff888103a693c0
[ 14.990515]  which belongs to the cache kmalloc-32 of size 32
[ 14.991066] The buggy address is located 16 bytes inside of
[ 14.991066]  freed 32-byte region [ffff888103a693c0, ffff888103a693e0)
[ 14.991481]
[ 14.991553] The buggy address belongs to the physical page:
[ 14.991724] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103a69
[ 14.991965] flags: 0x200000000000000(node=0|zone=2)
[ 14.992124] page_type: f5(slab)
[ 14.992300] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 14.992635] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 14.992967] page dumped because: kasan: bad access detected
[ 14.993212]
[ 14.993315] Memory state around the buggy address:
[ 14.993531]  ffff888103a69280: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 14.993843]  ffff888103a69300: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 14.994155] >ffff888103a69380: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 14.994429]                                                  ^
[ 14.994607]  ffff888103a69400: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 14.994828]  ffff888103a69480: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 14.995041] ==================================================================
```