Hay
Date: May 30, 2025, 4:14 a.m.

Environment: e850-96, qemu-arm64, qemu-x86_64, x15

[   40.263083] ==================================================================
[   40.286682] BUG: KASAN: slab-use-after-free in strcmp+0xc0/0xc8
[   40.292580] Read of size 1 at addr ffff000806931190 by task kunit_try_catch/303
[   40.299871] 
[   40.301357] CPU: 2 UID: 0 PID: 303 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250530 #1 PREEMPT 
[   40.301414] Tainted: [B]=BAD_PAGE, [N]=TEST
[   40.301432] Hardware name: WinLink E850-96 board (DT)
[   40.301455] Call trace:
[   40.301470]  show_stack+0x20/0x38 (C)
[   40.301509]  dump_stack_lvl+0x8c/0xd0
[   40.301544]  print_report+0x118/0x608
[   40.301582]  kasan_report+0xdc/0x128
[   40.301619]  __asan_report_load1_noabort+0x20/0x30
[   40.301652]  strcmp+0xc0/0xc8
[   40.301682]  kasan_strings+0x340/0xb00
[   40.301712]  kunit_try_run_case+0x170/0x3f0
[   40.301751]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   40.301793]  kthread+0x328/0x630
[   40.301823]  ret_from_fork+0x10/0x20
[   40.301858] 
[   40.367578] Allocated by task 303:
[   40.370966]  kasan_save_stack+0x3c/0x68
[   40.374783]  kasan_save_track+0x20/0x40
[   40.378604]  kasan_save_alloc_info+0x40/0x58
[   40.382856]  __kasan_kmalloc+0xd4/0xd8
[   40.386588]  __kmalloc_cache_noprof+0x15c/0x3c0
[   40.391102]  kasan_strings+0xc8/0xb00
[   40.394748]  kunit_try_run_case+0x170/0x3f0
[   40.398914]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   40.404383]  kthread+0x328/0x630
[   40.407595]  ret_from_fork+0x10/0x20
[   40.411153] 
[   40.412631] Freed by task 303:
[   40.415669]  kasan_save_stack+0x3c/0x68
[   40.419487]  kasan_save_track+0x20/0x40
[   40.423306]  kasan_save_free_info+0x4c/0x78
[   40.427473]  __kasan_slab_free+0x6c/0x98
[   40.431379]  kfree+0x214/0x3c8
[   40.434417]  kasan_strings+0x24c/0xb00
[   40.438150]  kunit_try_run_case+0x170/0x3f0
[   40.442317]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   40.447787]  kthread+0x328/0x630
[   40.450997]  ret_from_fork+0x10/0x20
[   40.454556] 
[   40.456035] The buggy address belongs to the object at ffff000806931180
[   40.456035]  which belongs to the cache kmalloc-32 of size 32
[   40.468360] The buggy address is located 16 bytes inside of
[   40.468360]  freed 32-byte region [ffff000806931180, ffff0008069311a0)
[   40.480423] 
[   40.481901] The buggy address belongs to the physical page:
[   40.487459] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x886931
[   40.495444] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   40.501952] page_type: f5(slab)
[   40.505087] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000
[   40.512808] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   40.520528] page dumped because: kasan: bad access detected
[   40.526084] 
[   40.527558] Memory state around the buggy address:
[   40.532339]  ffff000806931080: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   40.539541]  ffff000806931100: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   40.546746] >ffff000806931180: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   40.553947]                          ^
[   40.557683]  ffff000806931200: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   40.564887]  ffff000806931280: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   40.572089] ==================================================================

[   28.490495] ==================================================================
[   28.490735] BUG: KASAN: slab-use-after-free in strcmp+0xc0/0xc8
[   28.490972] Read of size 1 at addr fff00000c7895c50 by task kunit_try_catch/260
[   28.491283] 
[   28.491374] CPU: 1 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250530 #1 PREEMPT 
[   28.491774] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.491865] Hardware name: linux,dummy-virt (DT)
[   28.492450] Call trace:
[   28.492567]  show_stack+0x20/0x38 (C)
[   28.493051]  dump_stack_lvl+0x8c/0xd0
[   28.494069]  print_report+0x118/0x608
[   28.494745]  kasan_report+0xdc/0x128
[   28.495632]  __asan_report_load1_noabort+0x20/0x30
[   28.495813]  strcmp+0xc0/0xc8
[   28.496237]  kasan_strings+0x340/0xb00
[   28.496546]  kunit_try_run_case+0x170/0x3f0
[   28.497218]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.497411]  kthread+0x328/0x630
[   28.498130]  ret_from_fork+0x10/0x20
[   28.498503] 
[   28.498608] Allocated by task 260:
[   28.499004]  kasan_save_stack+0x3c/0x68
[   28.499236]  kasan_save_track+0x20/0x40
[   28.499424]  kasan_save_alloc_info+0x40/0x58
[   28.500149]  __kasan_kmalloc+0xd4/0xd8
[   28.500256]  __kmalloc_cache_noprof+0x15c/0x3c0
[   28.500365]  kasan_strings+0xc8/0xb00
[   28.500460]  kunit_try_run_case+0x170/0x3f0
[   28.500809]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.501770]  kthread+0x328/0x630
[   28.502732]  ret_from_fork+0x10/0x20
[   28.503841] 
[   28.503874] Freed by task 260:
[   28.503955]  kasan_save_stack+0x3c/0x68
[   28.504066]  kasan_save_track+0x20/0x40
[   28.504171]  kasan_save_free_info+0x4c/0x78
[   28.504270]  __kasan_slab_free+0x6c/0x98
[   28.504366]  kfree+0x214/0x3c8
[   28.504460]  kasan_strings+0x24c/0xb00
[   28.504766]  kunit_try_run_case+0x170/0x3f0
[   28.505266]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.505470]  kthread+0x328/0x630
[   28.505604]  ret_from_fork+0x10/0x20
[   28.506109] 
[   28.506218] The buggy address belongs to the object at fff00000c7895c40
[   28.506218]  which belongs to the cache kmalloc-32 of size 32
[   28.506485] The buggy address is located 16 bytes inside of
[   28.506485]  freed 32-byte region [fff00000c7895c40, fff00000c7895c60)
[   28.507115] 
[   28.507185] The buggy address belongs to the physical page:
[   28.507356] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107895
[   28.507563] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   28.507758] page_type: f5(slab)
[   28.507876] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   28.508375] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   28.508559] page dumped because: kasan: bad access detected
[   28.508765] 
[   28.508931] Memory state around the buggy address:
[   28.509133]  fff00000c7895b00: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   28.509339]  fff00000c7895b80: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   28.509857] >fff00000c7895c00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   28.510025]                                                  ^
[   28.510249]  fff00000c7895c80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   28.510493]  fff00000c7895d00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   28.510793] ==================================================================

[   21.293668] ==================================================================
[   21.295621] BUG: KASAN: slab-use-after-free in strcmp+0xb0/0xc0
[   21.296363] Read of size 1 at addr ffff888102b74c50 by task kunit_try_catch/276
[   21.297003] 
[   21.297277] CPU: 0 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-next-20250530 #1 PREEMPT(voluntary) 
[   21.297417] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.297458] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   21.297522] Call Trace:
[   21.297552]  <TASK>
[   21.297584]  dump_stack_lvl+0x73/0xb0
[   21.297636]  print_report+0xd1/0x650
[   21.297693]  ? __virt_addr_valid+0x1db/0x2d0
[   21.297766]  ? strcmp+0xb0/0xc0
[   21.297818]  ? kasan_complete_mode_report_info+0x64/0x200
[   21.297854]  ? strcmp+0xb0/0xc0
[   21.297901]  kasan_report+0x141/0x180
[   21.297994]  ? strcmp+0xb0/0xc0
[   21.298086]  __asan_report_load1_noabort+0x18/0x20
[   21.298161]  strcmp+0xb0/0xc0
[   21.298231]  kasan_strings+0x431/0xe80
[   21.298307]  ? trace_hardirqs_on+0x37/0xe0
[   21.298385]  ? __pfx_kasan_strings+0x10/0x10
[   21.298459]  ? __kasan_check_write+0x18/0x20
[   21.298521]  ? queued_spin_lock_slowpath+0x116/0xb40
[   21.298568]  ? __pfx_queued_spin_lock_slowpath+0x10/0x10
[   21.298608]  ? __pfx_read_tsc+0x10/0x10
[   21.298639]  ? ktime_get_ts64+0x86/0x230
[   21.298698]  kunit_try_run_case+0x1a5/0x480
[   21.298740]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.298770]  ? _raw_spin_lock_irqsave+0xf9/0x100
[   21.298806]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   21.298843]  ? __kthread_parkme+0x82/0x180
[   21.298873]  ? preempt_count_sub+0x50/0x80
[   21.298906]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.298935]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.298996]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   21.299034]  kthread+0x337/0x6f0
[   21.299062]  ? trace_preempt_on+0x20/0xc0
[   21.299093]  ? __pfx_kthread+0x10/0x10
[   21.299122]  ? _raw_spin_unlock_irq+0x47/0x80
[   21.299154]  ? calculate_sigpending+0x7b/0xa0
[   21.299189]  ? __pfx_kthread+0x10/0x10
[   21.299219]  ret_from_fork+0x116/0x1d0
[   21.299246]  ? __pfx_kthread+0x10/0x10
[   21.299275]  ret_from_fork_asm+0x1a/0x30
[   21.299317]  </TASK>
[   21.299331] 
[   21.318004] Allocated by task 276:
[   21.318636]  kasan_save_stack+0x45/0x70
[   21.319314]  kasan_save_track+0x18/0x40
[   21.319750]  kasan_save_alloc_info+0x3b/0x50
[   21.320296]  __kasan_kmalloc+0xb7/0xc0
[   21.320718]  __kmalloc_cache_noprof+0x189/0x420
[   21.321145]  kasan_strings+0xc0/0xe80
[   21.321558]  kunit_try_run_case+0x1a5/0x480
[   21.322065]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.322622]  kthread+0x337/0x6f0
[   21.323440]  ret_from_fork+0x116/0x1d0
[   21.323773]  ret_from_fork_asm+0x1a/0x30
[   21.324503] 
[   21.324707] Freed by task 276:
[   21.325315]  kasan_save_stack+0x45/0x70
[   21.325740]  kasan_save_track+0x18/0x40
[   21.326439]  kasan_save_free_info+0x3f/0x60
[   21.327018]  __kasan_slab_free+0x56/0x70
[   21.327440]  kfree+0x222/0x3f0
[   21.328175]  kasan_strings+0x2aa/0xe80
[   21.328494]  kunit_try_run_case+0x1a5/0x480
[   21.329026]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.329728]  kthread+0x337/0x6f0
[   21.330177]  ret_from_fork+0x116/0x1d0
[   21.330661]  ret_from_fork_asm+0x1a/0x30
[   21.331027] 
[   21.331584] The buggy address belongs to the object at ffff888102b74c40
[   21.331584]  which belongs to the cache kmalloc-32 of size 32
[   21.333331] The buggy address is located 16 bytes inside of
[   21.333331]  freed 32-byte region [ffff888102b74c40, ffff888102b74c60)
[   21.334347] 
[   21.334583] The buggy address belongs to the physical page:
[   21.335512] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b74
[   21.336288] flags: 0x200000000000000(node=0|zone=2)
[   21.337190] page_type: f5(slab)
[   21.337508] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   21.338556] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   21.338963] page dumped because: kasan: bad access detected
[   21.339175] 
[   21.339263] Memory state around the buggy address:
[   21.339434]  ffff888102b74b00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   21.339687]  ffff888102b74b80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   21.339936] >ffff888102b74c00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   21.340396]                                                  ^
[   21.341551]  ffff888102b74c80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   21.342507]  ffff888102b74d00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   21.343350] ==================================================================

[   67.296722] ==================================================================
[   67.320770] BUG: KASAN: slab-use-after-free in strcmp+0xcc/0xd4
[   67.326721] Read of size 1 at addr cc90a410 by task kunit_try_catch/311
[   67.333404] 
[   67.334899] CPU: 0 UID: 0 PID: 311 Comm: kunit_try_catch Tainted: G    B   W        N  6.15.0-next-20250530 #1 NONE 
[   67.334930] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   67.334930] Hardware name: Generic DRA74X (Flattened Device Tree)
[   67.334960] Call trace: 
[   67.334960]  unwind_backtrace from show_stack+0x18/0x1c
[   67.334991]  show_stack from dump_stack_lvl+0x70/0x90
[   67.335021]  dump_stack_lvl from print_report+0x158/0x528
[   67.335052]  print_report from kasan_report+0xdc/0x118
[   67.335052]  kasan_report from strcmp+0xcc/0xd4
[   67.335083]  strcmp from kasan_strings+0x490/0xf00
[   67.335113]  kasan_strings from kunit_try_run_case+0x22c/0x5a8
[   67.335144]  kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[   67.335174]  kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[   67.335205]  kthread from ret_from_fork+0x14/0x20
[   67.335205] Exception stack(0xf24c3fb0 to 0xf24c3ff8)
[   67.335235] 3fa0:                                     00000000 00000000 00000000 00000000
[   67.335235] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   67.335266] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[   67.335266] 
[   67.444335] Allocated by task 311:
[   67.447753]  kasan_save_track+0x30/0x5c
[   67.451629]  __kasan_kmalloc+0x8c/0x94
[   67.455413]  kasan_strings+0xe8/0xf00
[   67.459106]  kunit_try_run_case+0x22c/0x5a8
[   67.463317]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   67.468872]  kthread+0x464/0x810
[   67.472106]  ret_from_fork+0x14/0x20
[   67.475708] 
[   67.477233] Freed by task 311:
[   67.480285]  kasan_save_track+0x30/0x5c
[   67.484161]  kasan_save_free_info+0x3c/0x48
[   67.488372]  __kasan_slab_free+0x40/0x50
[   67.492340]  kfree+0xe8/0x384
[   67.495330]  kasan_strings+0x310/0xf00
[   67.499114]  kunit_try_run_case+0x22c/0x5a8
[   67.503326]  kunit_generic_run_threadfn_adapter+0xc4/0x128
[   67.508880]  kthread+0x464/0x810
[   67.512115]  ret_from_fork+0x14/0x20
[   67.515716] 
[   67.517242] The buggy address belongs to the object at cc90a400
[   67.517242]  which belongs to the cache kmalloc-64 of size 64
[   67.528961] The buggy address is located 16 bytes inside of
[   67.528961]  freed 64-byte region [cc90a400, cc90a440)
[   67.539733] 
[   67.541229] The buggy address belongs to the physical page:
[   67.546844] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c90a
[   67.554107] flags: 0x0(zone=0)
[   67.557189] page_type: f5(slab)
[   67.560363] raw: 00000000 c7001300 00000122 00000000 00000000 80200020 f5000000 00000000
[   67.568511] raw: 00000000
[   67.571136] page dumped because: kasan: bad access detected
[   67.576751] 
[   67.578247] Memory state around the buggy address:
[   67.583068]  cc90a300: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   67.589630]  cc90a380: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   67.596221] >cc90a400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   67.602783]                  ^
[   67.605865]  cc90a480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   67.612426]  cc90a500: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   67.619018] ==================================================================