Date
May 30, 2025, 4:14 a.m.
Environment |
---|
e850-96 |
qemu-arm64 |
qemu-x86_64 |
x15 |

[ 40.579419] ==================================================================
[ 40.586506] BUG: KASAN: slab-use-after-free in kasan_strings+0x95c/0xb00
[ 40.593182] Read of size 1 at addr ffff000806931190 by task kunit_try_catch/303
[ 40.600474]
[ 40.601959] CPU: 2 UID: 0 PID: 303 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 40.602011] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 40.602029] Hardware name: WinLink E850-96 board (DT)
[ 40.602053] Call trace:
[ 40.602067] show_stack+0x20/0x38 (C)
[ 40.602108] dump_stack_lvl+0x8c/0xd0
[ 40.602146] print_report+0x118/0x608
[ 40.602180] kasan_report+0xdc/0x128
[ 40.602212] __asan_report_load1_noabort+0x20/0x30
[ 40.602245] kasan_strings+0x95c/0xb00
[ 40.602275] kunit_try_run_case+0x170/0x3f0
[ 40.602313] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 40.602354] kthread+0x328/0x630
[ 40.602383] ret_from_fork+0x10/0x20
[ 40.602416]
[ 40.665230] Allocated by task 303:
[ 40.668617] kasan_save_stack+0x3c/0x68
[ 40.672435] kasan_save_track+0x20/0x40
[ 40.676255] kasan_save_alloc_info+0x40/0x58
[ 40.680507] __kasan_kmalloc+0xd4/0xd8
[ 40.684240] __kmalloc_cache_noprof+0x15c/0x3c0
[ 40.688754] kasan_strings+0xc8/0xb00
[ 40.692400] kunit_try_run_case+0x170/0x3f0
[ 40.696566] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 40.702035] kthread+0x328/0x630
[ 40.705247] ret_from_fork+0x10/0x20
[ 40.708806]
[ 40.710281] Freed by task 303:
[ 40.713321] kasan_save_stack+0x3c/0x68
[ 40.717139] kasan_save_track+0x20/0x40
[ 40.720958] kasan_save_free_info+0x4c/0x78
[ 40.725125] __kasan_slab_free+0x6c/0x98
[ 40.729031] kfree+0x214/0x3c8
[ 40.732069] kasan_strings+0x24c/0xb00
[ 40.735802] kunit_try_run_case+0x170/0x3f0
[ 40.739968] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 40.745439] kthread+0x328/0x630
[ 40.748649] ret_from_fork+0x10/0x20
[ 40.752208]
[ 40.753685] The buggy address belongs to the object at ffff000806931180
[ 40.753685] which belongs to the cache kmalloc-32 of size 32
[ 40.766010] The buggy address is located 16 bytes inside of
[ 40.766010] freed 32-byte region [ffff000806931180, ffff0008069311a0)
[ 40.778075]
[ 40.779555] The buggy address belongs to the physical page:
[ 40.785110] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x886931
[ 40.793094] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 40.799605] page_type: f5(slab)
[ 40.802738] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000
[ 40.810460] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 40.818179] page dumped because: kasan: bad access detected
[ 40.823735]
[ 40.825210] Memory state around the buggy address:
[ 40.829990] ffff000806931080: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 40.837193] ffff000806931100: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 40.844399] >ffff000806931180: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 40.851599] ^
[ 40.855336] ffff000806931200: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 40.862539] ffff000806931280: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 40.869740] ==================================================================
[ 28.512621] ==================================================================
[ 28.512803] BUG: KASAN: slab-use-after-free in kasan_strings+0x95c/0xb00
[ 28.513013] Read of size 1 at addr fff00000c7895c50 by task kunit_try_catch/260
[ 28.513226]
[ 28.513331] CPU: 1 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 28.513554] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 28.513627] Hardware name: linux,dummy-virt (DT)
[ 28.514148] Call trace:
[ 28.514235] show_stack+0x20/0x38 (C)
[ 28.514387] dump_stack_lvl+0x8c/0xd0
[ 28.514576] print_report+0x118/0x608
[ 28.514775] kasan_report+0xdc/0x128
[ 28.514842] __asan_report_load1_noabort+0x20/0x30
[ 28.514917] kasan_strings+0x95c/0xb00
[ 28.515173] kunit_try_run_case+0x170/0x3f0
[ 28.515307] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 28.515444] kthread+0x328/0x630
[ 28.515550] ret_from_fork+0x10/0x20
[ 28.515677]
[ 28.515748] Allocated by task 260:
[ 28.515893] kasan_save_stack+0x3c/0x68
[ 28.516173] kasan_save_track+0x20/0x40
[ 28.516326] kasan_save_alloc_info+0x40/0x58
[ 28.516456] __kasan_kmalloc+0xd4/0xd8
[ 28.516560] __kmalloc_cache_noprof+0x15c/0x3c0
[ 28.516668] kasan_strings+0xc8/0xb00
[ 28.516798] kunit_try_run_case+0x170/0x3f0
[ 28.516923] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 28.517053] kthread+0x328/0x630
[ 28.517147] ret_from_fork+0x10/0x20
[ 28.517255]
[ 28.517371] Freed by task 260:
[ 28.517478] kasan_save_stack+0x3c/0x68
[ 28.517601] kasan_save_track+0x20/0x40
[ 28.517734] kasan_save_free_info+0x4c/0x78
[ 28.518027] __kasan_slab_free+0x6c/0x98
[ 28.518139] kfree+0x214/0x3c8
[ 28.518237] kasan_strings+0x24c/0xb00
[ 28.518353] kunit_try_run_case+0x170/0x3f0
[ 28.518532] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 28.518711] kthread+0x328/0x630
[ 28.518840] ret_from_fork+0x10/0x20
[ 28.519211]
[ 28.519317] The buggy address belongs to the object at fff00000c7895c40
[ 28.519317] which belongs to the cache kmalloc-32 of size 32
[ 28.519462] The buggy address is located 16 bytes inside of
[ 28.519462] freed 32-byte region [fff00000c7895c40, fff00000c7895c60)
[ 28.519616]
[ 28.519677] The buggy address belongs to the physical page:
[ 28.519794] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107895
[ 28.519995] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 28.520218] page_type: f5(slab)
[ 28.520409] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 28.520671] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 28.520820] page dumped because: kasan: bad access detected
[ 28.520962]
[ 28.521012] Memory state around the buggy address:
[ 28.521090] fff00000c7895b00: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 28.521284] fff00000c7895b80: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 28.521591] >fff00000c7895c00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 28.521951] ^
[ 28.522366] fff00000c7895c80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 28.522533] fff00000c7895d00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 28.522696] ==================================================================
[ 21.345109] ==================================================================
[ 21.345789] BUG: KASAN: slab-use-after-free in kasan_strings+0xcbc/0xe80
[ 21.346343] Read of size 1 at addr ffff888102b74c50 by task kunit_try_catch/276
[ 21.348071]
[ 21.348339] CPU: 0 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary)
[ 21.348535] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.348581] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 21.348643] Call Trace:
[ 21.348693] <TASK>
[ 21.348805] dump_stack_lvl+0x73/0xb0
[ 21.348922] print_report+0xd1/0x650
[ 21.348992] ? __virt_addr_valid+0x1db/0x2d0
[ 21.349029] ? kasan_strings+0xcbc/0xe80
[ 21.349061] ? kasan_complete_mode_report_info+0x64/0x200
[ 21.349095] ? kasan_strings+0xcbc/0xe80
[ 21.349126] kasan_report+0x141/0x180
[ 21.349159] ? kasan_strings+0xcbc/0xe80
[ 21.349195] __asan_report_load1_noabort+0x18/0x20
[ 21.349225] kasan_strings+0xcbc/0xe80
[ 21.349253] ? trace_hardirqs_on+0x37/0xe0
[ 21.349285] ? __pfx_kasan_strings+0x10/0x10
[ 21.349318] ? __kasan_check_write+0x18/0x20
[ 21.349344] ? queued_spin_lock_slowpath+0x116/0xb40
[ 21.349381] ? __pfx_queued_spin_lock_slowpath+0x10/0x10
[ 21.349419] ? __pfx_read_tsc+0x10/0x10
[ 21.349450] ? ktime_get_ts64+0x86/0x230
[ 21.349483] kunit_try_run_case+0x1a5/0x480
[ 21.349513] ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.349539] ? _raw_spin_lock_irqsave+0xf9/0x100
[ 21.349574] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 21.349609] ? __kthread_parkme+0x82/0x180
[ 21.349638] ? preempt_count_sub+0x50/0x80
[ 21.349693] ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.349732] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.349771] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 21.349807] kthread+0x337/0x6f0
[ 21.349835] ? trace_preempt_on+0x20/0xc0
[ 21.349869] ? __pfx_kthread+0x10/0x10
[ 21.349898] ? _raw_spin_unlock_irq+0x47/0x80
[ 21.349932] ? calculate_sigpending+0x7b/0xa0
[ 21.349991] ? __pfx_kthread+0x10/0x10
[ 21.350023] ret_from_fork+0x116/0x1d0
[ 21.350048] ? __pfx_kthread+0x10/0x10
[ 21.350078] ret_from_fork_asm+0x1a/0x30
[ 21.350119] </TASK>
[ 21.350134]
[ 21.369863] Allocated by task 276:
[ 21.370370] kasan_save_stack+0x45/0x70
[ 21.370860] kasan_save_track+0x18/0x40
[ 21.371290] kasan_save_alloc_info+0x3b/0x50
[ 21.371885] __kasan_kmalloc+0xb7/0xc0
[ 21.372335] __kmalloc_cache_noprof+0x189/0x420
[ 21.372891] kasan_strings+0xc0/0xe80
[ 21.373310] kunit_try_run_case+0x1a5/0x480
[ 21.373756] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.374296] kthread+0x337/0x6f0
[ 21.374648] ret_from_fork+0x116/0x1d0
[ 21.375158] ret_from_fork_asm+0x1a/0x30
[ 21.375646]
[ 21.375978] Freed by task 276:
[ 21.376243] kasan_save_stack+0x45/0x70
[ 21.376560] kasan_save_track+0x18/0x40
[ 21.376983] kasan_save_free_info+0x3f/0x60
[ 21.377598] __kasan_slab_free+0x56/0x70
[ 21.378177] kfree+0x222/0x3f0
[ 21.378553] kasan_strings+0x2aa/0xe80
[ 21.379160] kunit_try_run_case+0x1a5/0x480
[ 21.379631] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.380254] kthread+0x337/0x6f0
[ 21.380759] ret_from_fork+0x116/0x1d0
[ 21.381202] ret_from_fork_asm+0x1a/0x30
[ 21.381741]
[ 21.381986] The buggy address belongs to the object at ffff888102b74c40
[ 21.381986] which belongs to the cache kmalloc-32 of size 32
[ 21.383166] The buggy address is located 16 bytes inside of
[ 21.383166] freed 32-byte region [ffff888102b74c40, ffff888102b74c60)
[ 21.384186]
[ 21.384376] The buggy address belongs to the physical page:
[ 21.384842] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b74
[ 21.385749] flags: 0x200000000000000(node=0|zone=2)
[ 21.386320] page_type: f5(slab)
[ 21.386759] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 21.387498] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 21.388174] page dumped because: kasan: bad access detected
[ 21.388778]
[ 21.389088] Memory state around the buggy address:
[ 21.389579] ffff888102b74b00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.390363] ffff888102b74b80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.391087] >ffff888102b74c00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.391764] ^
[ 21.392368] ffff888102b74c80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.393079] ffff888102b74d00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.393783] ==================================================================
[ 67.626342] ==================================================================
[ 67.633605] BUG: KASAN: slab-use-after-free in kasan_strings+0xd0c/0xf00
[ 67.640380] Read of size 1 at addr cc90a410 by task kunit_try_catch/311
[ 67.647033]
[ 67.648529] CPU: 0 UID: 0 PID: 311 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE
[ 67.648559] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 67.648590] Hardware name: Generic DRA74X (Flattened Device Tree)
[ 67.648590] Call trace:
[ 67.648590] unwind_backtrace from show_stack+0x18/0x1c
[ 67.648620] show_stack from dump_stack_lvl+0x70/0x90
[ 67.648651] dump_stack_lvl from print_report+0x158/0x528
[ 67.648681] print_report from kasan_report+0xdc/0x118
[ 67.648681] kasan_report from kasan_strings+0xd0c/0xf00
[ 67.648712] kasan_strings from kunit_try_run_case+0x22c/0x5a8
[ 67.648742] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 67.648773] kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[ 67.648803] kthread from ret_from_fork+0x14/0x20
[ 67.648834] Exception stack(0xf24c3fb0 to 0xf24c3ff8)
[ 67.648834] 3fa0: 00000000 00000000 00000000 00000000
[ 67.648864] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 67.648864] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 67.648895]
[ 67.753936] Allocated by task 311:
[ 67.757354] kasan_save_track+0x30/0x5c
[ 67.761230] __kasan_kmalloc+0x8c/0x94
[ 67.764984] kasan_strings+0xe8/0xf00
[ 67.768707] kunit_try_run_case+0x22c/0x5a8
[ 67.772918] kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 67.778442] kthread+0x464/0x810
[ 67.781707] ret_from_fork+0x14/0x20
[ 67.785308]
[ 67.786804] Freed by task 311:
[ 67.789886] kasan_save_track+0x30/0x5c
[ 67.793762] kasan_save_free_info+0x3c/0x48
[ 67.797973] __kasan_slab_free+0x40/0x50
[ 67.801910] kfree+0xe8/0x384
[ 67.804931] kasan_strings+0x310/0xf00
[ 67.808685] kunit_try_run_case+0x22c/0x5a8
[ 67.812927] kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 67.818450] kthread+0x464/0x810
[ 67.821716] ret_from_fork+0x14/0x20
[ 67.825317]
[ 67.826812] The buggy address belongs to the object at cc90a400
[ 67.826812] which belongs to the cache kmalloc-64 of size 64
[ 67.838531] The buggy address is located 16 bytes inside of
[ 67.838531] freed 64-byte region [cc90a400, cc90a440)
[ 67.849304]
[ 67.850799] The buggy address belongs to the physical page:
[ 67.856414] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c90a
[ 67.863677] flags: 0x0(zone=0)
[ 67.866760] page_type: f5(slab)
[ 67.869934] raw: 00000000 c7001300 00000122 00000000 00000000 80200020 f5000000 00000000
[ 67.878082] raw: 00000000
[ 67.880706] page dumped because: kasan: bad access detected
[ 67.886322]
[ 67.887817] Memory state around the buggy address:
[ 67.892639] cc90a300: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 67.899230] cc90a380: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 67.905792] >cc90a400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 67.912353] ^
[ 67.915435] cc90a480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 67.921997] cc90a500: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 67.928588] ==================================================================