Hay
Date
Dec. 6, 2024, 3:11 p.m.

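Environment
qemu-arm64 (first report below; Hardware name: linux,dummy-virt)
qemu-x86_64 (second report below; Hardware name: QEMU Standard PC)

Note: in both reports the allocation, the kfree and the faulting strnlen read all occur inside kasan_strings, run by the kunit_try_catch task on a kernel tainted [N]=TEST. The use-after-free is therefore raised from within the KUnit test case itself, not from an unrelated kernel code path.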

[   34.300203] ==================================================================
[   34.301299] BUG: KASAN: slab-use-after-free in strnlen+0x80/0x88
[   34.302239] Read of size 1 at addr fff00000c69e4d10 by task kunit_try_catch/248
[   34.303046] 
[   34.303442] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc1-next-20241206 #1
[   34.304778] Tainted: [B]=BAD_PAGE, [N]=TEST
[   34.305317] Hardware name: linux,dummy-virt (DT)
[   34.306125] Call trace:
[   34.306532]  show_stack+0x20/0x38 (C)
[   34.307151]  dump_stack_lvl+0x8c/0xd0
[   34.307810]  print_report+0x118/0x5e0
[   34.308462]  kasan_report+0xc8/0x118
[   34.309131]  __asan_report_load1_noabort+0x20/0x30
[   34.309869]  strnlen+0x80/0x88
[   34.310456]  kasan_strings+0x364/0x8d8
[   34.311111]  kunit_try_run_case+0x14c/0x3d0
[   34.311734]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   34.312560]  kthread+0x24c/0x2d0
[   34.313051]  ret_from_fork+0x10/0x20
[   34.313738] 
[   34.314112] Allocated by task 248:
[   34.314694]  kasan_save_stack+0x3c/0x68
[   34.315326]  kasan_save_track+0x20/0x40
[   34.316000]  kasan_save_alloc_info+0x40/0x58
[   34.316638]  __kasan_kmalloc+0xd4/0xd8
[   34.317266]  __kmalloc_cache_noprof+0x15c/0x3c0
[   34.317903]  kasan_strings+0xb0/0x8d8
[   34.318538]  kunit_try_run_case+0x14c/0x3d0
[   34.319085]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   34.319900]  kthread+0x24c/0x2d0
[   34.320483]  ret_from_fork+0x10/0x20
[   34.321101] 
[   34.321481] Freed by task 248:
[   34.321927]  kasan_save_stack+0x3c/0x68
[   34.322578]  kasan_save_track+0x20/0x40
[   34.323225]  kasan_save_free_info+0x4c/0x78
[   34.323898]  __kasan_slab_free+0x6c/0x98
[   34.324453]  kfree+0x114/0x3c8
[   34.325044]  kasan_strings+0x124/0x8d8
[   34.325693]  kunit_try_run_case+0x14c/0x3d0
[   34.326250]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   34.327056]  kthread+0x24c/0x2d0
[   34.327661]  ret_from_fork+0x10/0x20
[   34.328144] 
[   34.328536] The buggy address belongs to the object at fff00000c69e4d00
[   34.328536]  which belongs to the cache kmalloc-32 of size 32
[   34.329813] The buggy address is located 16 bytes inside of
[   34.329813]  freed 32-byte region [fff00000c69e4d00, fff00000c69e4d20)
[   34.331179] 
[   34.331572] The buggy address belongs to the physical page:
[   34.332308] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1069e4
[   34.333222] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   34.333943] page_type: f5(slab)
[   34.334505] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   34.335404] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   34.336227] page dumped because: kasan: bad access detected
[   34.337001] 
[   34.337322] Memory state around the buggy address:
[   34.337933]  fff00000c69e4c00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   34.338771]  fff00000c69e4c80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   34.339734] >fff00000c69e4d00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   34.340457]                          ^
[   34.341071]  fff00000c69e4d80: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   34.341847]  fff00000c69e4e00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   34.342681] ==================================================================

[   27.279376] ==================================================================
[   27.280210] BUG: KASAN: slab-use-after-free in strnlen+0x73/0x80
[   27.281513] Read of size 1 at addr ffff888102481690 by task kunit_try_catch/267
[   27.282496] 
[   27.282695] CPU: 1 UID: 0 PID: 267 Comm: kunit_try_catch Tainted: G    B            N 6.13.0-rc1-next-20241206 #1
[   27.284724] Tainted: [B]=BAD_PAGE, [N]=TEST
[   27.285655] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   27.286868] Call Trace:
[   27.287326]  <TASK>
[   27.287877]  dump_stack_lvl+0x73/0xb0
[   27.288657]  print_report+0xd1/0x640
[   27.289698]  ? __virt_addr_valid+0x1db/0x2d0
[   27.290788]  ? kasan_complete_mode_report_info+0x64/0x200
[   27.291896]  kasan_report+0x102/0x140
[   27.292605]  ? strnlen+0x73/0x80
[   27.293018]  ? strnlen+0x73/0x80
[   27.293279]  __asan_report_load1_noabort+0x18/0x20
[   27.293585]  strnlen+0x73/0x80
[   27.293755]  kasan_strings+0x4c3/0xb60
[   27.294195]  ? __pfx_kasan_strings+0x10/0x10
[   27.295509]  ? __schedule+0xc70/0x27e0
[   27.296620]  ? __pfx_read_tsc+0x10/0x10
[   27.297342]  ? ktime_get_ts64+0x86/0x230
[   27.297898]  kunit_try_run_case+0x1b3/0x490
[   27.298351]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.299326]  ? _raw_spin_lock_irqsave+0xa2/0x110
[   27.299853]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   27.301122]  ? __kthread_parkme+0x82/0x160
[   27.301558]  ? preempt_count_sub+0x50/0x80
[   27.302130]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.303024]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   27.303735]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.304379]  kthread+0x257/0x310
[   27.304918]  ? __pfx_kthread+0x10/0x10
[   27.305829]  ret_from_fork+0x41/0x80
[   27.306482]  ? __pfx_kthread+0x10/0x10
[   27.307016]  ret_from_fork_asm+0x1a/0x30
[   27.307999]  </TASK>
[   27.308197] 
[   27.309436] Allocated by task 267:
[   27.309905]  kasan_save_stack+0x3d/0x60
[   27.310668]  kasan_save_track+0x18/0x40
[   27.311337]  kasan_save_alloc_info+0x3b/0x50
[   27.311774]  __kasan_kmalloc+0xb7/0xc0
[   27.312404]  __kmalloc_cache_noprof+0x184/0x410
[   27.312917]  kasan_strings+0xb9/0xb60
[   27.313981]  kunit_try_run_case+0x1b3/0x490
[   27.314648]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.315158]  kthread+0x257/0x310
[   27.315594]  ret_from_fork+0x41/0x80
[   27.316224]  ret_from_fork_asm+0x1a/0x30
[   27.316562] 
[   27.316819] Freed by task 267:
[   27.317330]  kasan_save_stack+0x3d/0x60
[   27.318545]  kasan_save_track+0x18/0x40
[   27.319149]  kasan_save_free_info+0x3f/0x60
[   27.319692]  __kasan_slab_free+0x56/0x70
[   27.320405]  kfree+0x123/0x3f0
[   27.320697]  kasan_strings+0x13c/0xb60
[   27.321246]  kunit_try_run_case+0x1b3/0x490
[   27.322246]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.323541]  kthread+0x257/0x310
[   27.324047]  ret_from_fork+0x41/0x80
[   27.324485]  ret_from_fork_asm+0x1a/0x30
[   27.325129] 
[   27.325396] The buggy address belongs to the object at ffff888102481680
[   27.325396]  which belongs to the cache kmalloc-32 of size 32
[   27.327459] The buggy address is located 16 bytes inside of
[   27.327459]  freed 32-byte region [ffff888102481680, ffff8881024816a0)
[   27.328993] 
[   27.329333] The buggy address belongs to the physical page:
[   27.330218] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102481
[   27.331071] flags: 0x200000000000000(node=0|zone=2)
[   27.331700] page_type: f5(slab)
[   27.332454] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   27.333513] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   27.334605] page dumped because: kasan: bad access detected
[   27.335305] 
[   27.335562] Memory state around the buggy address:
[   27.336053]  ffff888102481580: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   27.336634]  ffff888102481600: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   27.337397] >ffff888102481680: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   27.338522]                          ^
[   27.340079]  ffff888102481700: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   27.340691]  ffff888102481780: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   27.342559] ==================================================================