Date
July 17, 2025, 11:10 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 17.836044] ================================================================== [ 17.836097] BUG: KASAN: slab-use-after-free in strcmp+0xc0/0xc8 [ 17.836315] Read of size 1 at addr fff00000c7940d90 by task kunit_try_catch/260 [ 17.836507] [ 17.836563] CPU: 0 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT [ 17.837047] Tainted: [B]=BAD_PAGE, [N]=TEST [ 17.837126] Hardware name: linux,dummy-virt (DT) [ 17.837160] Call trace: [ 17.837208] show_stack+0x20/0x38 (C) [ 17.837280] dump_stack_lvl+0x8c/0xd0 [ 17.837369] print_report+0x118/0x5d0 [ 17.837494] kasan_report+0xdc/0x128 [ 17.837665] __asan_report_load1_noabort+0x20/0x30 [ 17.837780] strcmp+0xc0/0xc8 [ 17.837824] kasan_strings+0x340/0xb00 [ 17.837869] kunit_try_run_case+0x170/0x3f0 [ 17.837919] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.837973] kthread+0x328/0x630 [ 17.838072] ret_from_fork+0x10/0x20 [ 17.838121] [ 17.838141] Allocated by task 260: [ 17.838172] kasan_save_stack+0x3c/0x68 [ 17.838218] kasan_save_track+0x20/0x40 [ 17.838383] kasan_save_alloc_info+0x40/0x58 [ 17.838479] __kasan_kmalloc+0xd4/0xd8 [ 17.838548] __kmalloc_cache_noprof+0x16c/0x3c0 [ 17.838678] kasan_strings+0xc8/0xb00 [ 17.838753] kunit_try_run_case+0x170/0x3f0 [ 17.838805] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.838911] kthread+0x328/0x630 [ 17.838993] ret_from_fork+0x10/0x20 [ 17.839061] [ 17.839083] Freed by task 260: [ 17.839121] kasan_save_stack+0x3c/0x68 [ 17.839210] kasan_save_track+0x20/0x40 [ 17.839250] kasan_save_free_info+0x4c/0x78 [ 17.839293] __kasan_slab_free+0x6c/0x98 [ 17.839357] kfree+0x214/0x3c8 [ 17.839516] kasan_strings+0x24c/0xb00 [ 17.839635] kunit_try_run_case+0x170/0x3f0 [ 17.839685] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 17.839788] kthread+0x328/0x630 [ 17.839825] ret_from_fork+0x10/0x20 [ 17.839861] [ 17.840038] The buggy address belongs to the object at fff00000c7940d80 [ 17.840038] which belongs to the cache kmalloc-32 of size 32 [ 17.840123] The buggy address is located 16 bytes inside of [ 17.840123] freed 32-byte region [fff00000c7940d80, fff00000c7940da0) [ 17.840235] [ 17.840293] The buggy address belongs to the physical page: [ 17.840373] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107940 [ 17.840462] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 17.840580] page_type: f5(slab) [ 17.840668] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 17.840809] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 17.840885] page dumped because: kasan: bad access detected [ 17.840953] [ 17.841049] Memory state around the buggy address: [ 17.841136] fff00000c7940c80: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 17.841182] fff00000c7940d00: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc [ 17.841228] >fff00000c7940d80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 17.841269] ^ [ 17.841300] fff00000c7940e00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 17.841344] fff00000c7940e80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 17.841387] ==================================================================
[ 14.983771] ================================================================== [ 14.984707] BUG: KASAN: slab-use-after-free in strcmp+0xb0/0xc0 [ 14.984986] Read of size 1 at addr ffff888102a5ed10 by task kunit_try_catch/276 [ 14.985291] [ 14.985390] CPU: 1 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6 #1 PREEMPT(voluntary) [ 14.985436] Tainted: [B]=BAD_PAGE, [N]=TEST [ 14.985448] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 14.985472] Call Trace: [ 14.985484] <TASK> [ 14.985499] dump_stack_lvl+0x73/0xb0 [ 14.985527] print_report+0xd1/0x610 [ 14.986043] ? __virt_addr_valid+0x1db/0x2d0 [ 14.986081] ? strcmp+0xb0/0xc0 [ 14.986098] ? kasan_complete_mode_report_info+0x64/0x200 [ 14.986124] ? strcmp+0xb0/0xc0 [ 14.986142] kasan_report+0x141/0x180 [ 14.986164] ? strcmp+0xb0/0xc0 [ 14.986187] __asan_report_load1_noabort+0x18/0x20 [ 14.986212] strcmp+0xb0/0xc0 [ 14.986252] kasan_strings+0x431/0xe80 [ 14.986272] ? trace_hardirqs_on+0x37/0xe0 [ 14.986313] ? __pfx_kasan_strings+0x10/0x10 [ 14.986334] ? finish_task_switch.isra.0+0x153/0x700 [ 14.986358] ? __switch_to+0x47/0xf50 [ 14.986383] ? __schedule+0x10cc/0x2b60 [ 14.986421] ? __pfx_read_tsc+0x10/0x10 [ 14.986443] ? ktime_get_ts64+0x86/0x230 [ 14.986467] kunit_try_run_case+0x1a5/0x480 [ 14.986493] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.986517] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 14.986541] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 14.986576] ? __kthread_parkme+0x82/0x180 [ 14.986597] ? preempt_count_sub+0x50/0x80 [ 14.986621] ? __pfx_kunit_try_run_case+0x10/0x10 [ 14.986646] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.986671] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 14.986698] kthread+0x337/0x6f0 [ 14.986718] ? trace_preempt_on+0x20/0xc0 [ 14.986740] ? __pfx_kthread+0x10/0x10 [ 14.986761] ? _raw_spin_unlock_irq+0x47/0x80 [ 14.986783] ? calculate_sigpending+0x7b/0xa0 [ 14.986808] ? __pfx_kthread+0x10/0x10 [ 14.986831] ret_from_fork+0x116/0x1d0 [ 14.986851] ? __pfx_kthread+0x10/0x10 [ 14.986872] ret_from_fork_asm+0x1a/0x30 [ 14.986903] </TASK> [ 14.986915] [ 14.996184] Allocated by task 276: [ 14.996490] kasan_save_stack+0x45/0x70 [ 14.996712] kasan_save_track+0x18/0x40 [ 14.996952] kasan_save_alloc_info+0x3b/0x50 [ 14.997262] __kasan_kmalloc+0xb7/0xc0 [ 14.997436] __kmalloc_cache_noprof+0x189/0x420 [ 14.997791] kasan_strings+0xc0/0xe80 [ 14.997998] kunit_try_run_case+0x1a5/0x480 [ 14.998220] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 14.998407] kthread+0x337/0x6f0 [ 14.998528] ret_from_fork+0x116/0x1d0 [ 14.998771] ret_from_fork_asm+0x1a/0x30 [ 14.999053] [ 14.999151] Freed by task 276: [ 14.999350] kasan_save_stack+0x45/0x70 [ 14.999599] kasan_save_track+0x18/0x40 [ 14.999862] kasan_save_free_info+0x3f/0x60 [ 15.000046] __kasan_slab_free+0x56/0x70 [ 15.000245] kfree+0x222/0x3f0 [ 15.000363] kasan_strings+0x2aa/0xe80 [ 15.000545] kunit_try_run_case+0x1a5/0x480 [ 15.000774] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.001167] kthread+0x337/0x6f0 [ 15.001401] ret_from_fork+0x116/0x1d0 [ 15.001541] ret_from_fork_asm+0x1a/0x30 [ 15.001691] [ 15.001762] The buggy address belongs to the object at ffff888102a5ed00 [ 15.001762] which belongs to the cache kmalloc-32 of size 32 [ 15.002295] The buggy address is located 16 bytes inside of [ 15.002295] freed 32-byte region [ffff888102a5ed00, ffff888102a5ed20) [ 15.002821] [ 15.002905] The buggy address belongs to the physical page: [ 15.003155] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a5e [ 15.003543] flags: 0x200000000000000(node=0|zone=2) [ 15.003835] page_type: f5(slab) [ 15.004026] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 15.004453] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 15.004792] page dumped because: kasan: bad access detected [ 15.005024] [ 15.005118] Memory state around the buggy address: [ 15.005327] ffff888102a5ec00: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 15.005721] ffff888102a5ec80: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc [ 15.006002] >ffff888102a5ed00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 15.006213] ^ [ 15.006340] ffff888102a5ed80: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 15.006850] ffff888102a5ee00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 15.007155] ==================================================================