Date: May 30, 2025, 4:14 a.m.

Environments:

- e850-96
- qemu-arm64
- qemu-x86_64
- x15

e850-96:

```
[ 40.877159] ==================================================================
[ 40.884154] BUG: KASAN: slab-use-after-free in strlen+0xa8/0xb0
[ 40.890053] Read of size 1 at addr ffff000806931190 by task kunit_try_catch/303
[ 40.897344]
[ 40.898828] CPU: 2 UID: 0 PID: 303 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 40.898885] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 40.898904] Hardware name: WinLink E850-96 board (DT)
[ 40.898926] Call trace:
[ 40.898940] show_stack+0x20/0x38 (C)
[ 40.898975] dump_stack_lvl+0x8c/0xd0
[ 40.899012] print_report+0x118/0x608
[ 40.899047] kasan_report+0xdc/0x128
[ 40.899081] __asan_report_load1_noabort+0x20/0x30
[ 40.899114] strlen+0xa8/0xb0
[ 40.899146] kasan_strings+0x418/0xb00
[ 40.899177] kunit_try_run_case+0x170/0x3f0
[ 40.899212] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 40.899254] kthread+0x328/0x630
[ 40.899283] ret_from_fork+0x10/0x20
[ 40.899316]
[ 40.965052] Allocated by task 303:
[ 40.968440] kasan_save_stack+0x3c/0x68
[ 40.972257] kasan_save_track+0x20/0x40
[ 40.976077] kasan_save_alloc_info+0x40/0x58
[ 40.980329] __kasan_kmalloc+0xd4/0xd8
[ 40.984062] __kmalloc_cache_noprof+0x15c/0x3c0
[ 40.988576] kasan_strings+0xc8/0xb00
[ 40.992222] kunit_try_run_case+0x170/0x3f0
[ 40.996388] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 41.001857] kthread+0x328/0x630
[ 41.005069] ret_from_fork+0x10/0x20
[ 41.008628]
[ 41.010103] Freed by task 303:
[ 41.013141] kasan_save_stack+0x3c/0x68
[ 41.016961] kasan_save_track+0x20/0x40
[ 41.020780] kasan_save_free_info+0x4c/0x78
[ 41.024947] __kasan_slab_free+0x6c/0x98
[ 41.028853] kfree+0x214/0x3c8
[ 41.031891] kasan_strings+0x24c/0xb00
[ 41.035623] kunit_try_run_case+0x170/0x3f0
[ 41.039790] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 41.045259] kthread+0x328/0x630
[ 41.048471] ret_from_fork+0x10/0x20
[ 41.052030]
[ 41.053507] The buggy address belongs to the object at ffff000806931180
[ 41.053507] which belongs to the cache kmalloc-32 of size 32
[ 41.065833] The buggy address is located 16 bytes inside of
[ 41.065833] freed 32-byte region [ffff000806931180, ffff0008069311a0)
[ 41.077897]
[ 41.079376] The buggy address belongs to the physical page:
[ 41.084931] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x886931
[ 41.092918] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 41.099426] page_type: f5(slab)
[ 41.102561] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000
[ 41.110282] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 41.118001] page dumped because: kasan: bad access detected
[ 41.123557]
[ 41.125032] Memory state around the buggy address:
[ 41.129810]  ffff000806931080: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 41.137015]  ffff000806931100: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 41.144219] >ffff000806931180: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 41.151420]                          ^
[ 41.155158]  ffff000806931200: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 41.162361]  ffff000806931280: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 41.169562] ==================================================================
```

qemu-arm64:

```
[ 28.523631] ==================================================================
[ 28.523760] BUG: KASAN: slab-use-after-free in strlen+0xa8/0xb0
[ 28.523876] Read of size 1 at addr fff00000c7895c50 by task kunit_try_catch/260
[ 28.523999]
[ 28.524070] CPU: 1 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 28.524279] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 28.524364] Hardware name: linux,dummy-virt (DT)
[ 28.524490] Call trace:
[ 28.524658] show_stack+0x20/0x38 (C)
[ 28.525052] dump_stack_lvl+0x8c/0xd0
[ 28.525182] print_report+0x118/0x608
[ 28.525315] kasan_report+0xdc/0x128
[ 28.525439] __asan_report_load1_noabort+0x20/0x30
[ 28.525568] strlen+0xa8/0xb0
[ 28.525712] kasan_strings+0x418/0xb00
[ 28.526062] kunit_try_run_case+0x170/0x3f0
[ 28.526193] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 28.526329] kthread+0x328/0x630
[ 28.526442] ret_from_fork+0x10/0x20
[ 28.526571]
[ 28.526618] Allocated by task 260:
[ 28.526747] kasan_save_stack+0x3c/0x68
[ 28.526932] kasan_save_track+0x20/0x40
[ 28.527074] kasan_save_alloc_info+0x40/0x58
[ 28.527246] __kasan_kmalloc+0xd4/0xd8
[ 28.527359] __kmalloc_cache_noprof+0x15c/0x3c0
[ 28.527498] kasan_strings+0xc8/0xb00
[ 28.527639] kunit_try_run_case+0x170/0x3f0
[ 28.527876] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 28.528036] kthread+0x328/0x630
[ 28.528155] ret_from_fork+0x10/0x20
[ 28.528281]
[ 28.528342] Freed by task 260:
[ 28.528419] kasan_save_stack+0x3c/0x68
[ 28.528538] kasan_save_track+0x20/0x40
[ 28.528754] kasan_save_free_info+0x4c/0x78
[ 28.528871] __kasan_slab_free+0x6c/0x98
[ 28.529016] kfree+0x214/0x3c8
[ 28.529116] kasan_strings+0x24c/0xb00
[ 28.529212] kunit_try_run_case+0x170/0x3f0
[ 28.529348] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 28.529561] kthread+0x328/0x630
[ 28.529863] ret_from_fork+0x10/0x20
[ 28.530039]
[ 28.530127] The buggy address belongs to the object at fff00000c7895c40
[ 28.530127] which belongs to the cache kmalloc-32 of size 32
[ 28.530270] The buggy address is located 16 bytes inside of
[ 28.530270] freed 32-byte region [fff00000c7895c40, fff00000c7895c60)
[ 28.530425]
[ 28.530489] The buggy address belongs to the physical page:
[ 28.530740] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107895
[ 28.531469] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 28.531762] page_type: f5(slab)
[ 28.532055] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 28.532188] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 28.532292] page dumped because: kasan: bad access detected
[ 28.532381]
[ 28.532442] Memory state around the buggy address:
[ 28.532522]  fff00000c7895b00: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 28.532636]  fff00000c7895b80: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 28.532817] >fff00000c7895c00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 28.533015]                                                  ^
[ 28.533258]  fff00000c7895c80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 28.533418]  fff00000c7895d00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 28.533973] ==================================================================
```

qemu-x86_64:

```
[ 21.395113] ==================================================================
[ 21.395880] BUG: KASAN: slab-use-after-free in strlen+0x8f/0xb0
[ 21.396430] Read of size 1 at addr ffff888102b74c50 by task kunit_try_catch/276
[ 21.397194]
[ 21.397528] CPU: 0 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary)
[ 21.397696] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.397800] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 21.397871] Call Trace:
[ 21.397924] <TASK>
[ 21.397986] dump_stack_lvl+0x73/0xb0
[ 21.398118] print_report+0xd1/0x650
[ 21.398208] ? __virt_addr_valid+0x1db/0x2d0
[ 21.398299] ? strlen+0x8f/0xb0
[ 21.398371] ? kasan_complete_mode_report_info+0x64/0x200
[ 21.398448] ? strlen+0x8f/0xb0
[ 21.398504] kasan_report+0x141/0x180
[ 21.398541] ? strlen+0x8f/0xb0
[ 21.398574] __asan_report_load1_noabort+0x18/0x20
[ 21.398605] strlen+0x8f/0xb0
[ 21.398751] kasan_strings+0x57b/0xe80
[ 21.398834] ? trace_hardirqs_on+0x37/0xe0
[ 21.398916] ? __pfx_kasan_strings+0x10/0x10
[ 21.399009] ? __kasan_check_write+0x18/0x20
[ 21.399083] ? queued_spin_lock_slowpath+0x116/0xb40
[ 21.399237] ? __pfx_queued_spin_lock_slowpath+0x10/0x10
[ 21.399322] ? __pfx_read_tsc+0x10/0x10
[ 21.399402] ? ktime_get_ts64+0x86/0x230
[ 21.399484] kunit_try_run_case+0x1a5/0x480
[ 21.399527] ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.399557] ? _raw_spin_lock_irqsave+0xf9/0x100
[ 21.399592] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 21.399628] ? __kthread_parkme+0x82/0x180
[ 21.399685] ? preempt_count_sub+0x50/0x80
[ 21.399738] ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.399768] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.399803] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 21.399838] kthread+0x337/0x6f0
[ 21.399865] ? trace_preempt_on+0x20/0xc0
[ 21.399899] ? __pfx_kthread+0x10/0x10
[ 21.399928] ? _raw_spin_unlock_irq+0x47/0x80
[ 21.400053] ? calculate_sigpending+0x7b/0xa0
[ 21.400137] ? __pfx_kthread+0x10/0x10
[ 21.400196] ret_from_fork+0x116/0x1d0
[ 21.400223] ? __pfx_kthread+0x10/0x10
[ 21.400253] ret_from_fork_asm+0x1a/0x30
[ 21.400297] </TASK>
[ 21.400312]
[ 21.416187] Allocated by task 276:
[ 21.416787] kasan_save_stack+0x45/0x70
[ 21.417231] kasan_save_track+0x18/0x40
[ 21.417859] kasan_save_alloc_info+0x3b/0x50
[ 21.418443] __kasan_kmalloc+0xb7/0xc0
[ 21.418933] __kmalloc_cache_noprof+0x189/0x420
[ 21.419428] kasan_strings+0xc0/0xe80
[ 21.420033] kunit_try_run_case+0x1a5/0x480
[ 21.420504] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.421174] kthread+0x337/0x6f0
[ 21.421630] ret_from_fork+0x116/0x1d0
[ 21.422186] ret_from_fork_asm+0x1a/0x30
[ 21.422651]
[ 21.423026] Freed by task 276:
[ 21.423325] kasan_save_stack+0x45/0x70
[ 21.423643] kasan_save_track+0x18/0x40
[ 21.424024] kasan_save_free_info+0x3f/0x60
[ 21.424461] __kasan_slab_free+0x56/0x70
[ 21.425019] kfree+0x222/0x3f0
[ 21.425415] kasan_strings+0x2aa/0xe80
[ 21.426020] kunit_try_run_case+0x1a5/0x480
[ 21.426479] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.427158] kthread+0x337/0x6f0
[ 21.427448] ret_from_fork+0x116/0x1d0
[ 21.427818] ret_from_fork_asm+0x1a/0x30
[ 21.428314]
[ 21.428575] The buggy address belongs to the object at ffff888102b74c40
[ 21.428575] which belongs to the cache kmalloc-32 of size 32
[ 21.429627] The buggy address is located 16 bytes inside of
[ 21.429627] freed 32-byte region [ffff888102b74c40, ffff888102b74c60)
[ 21.430787]
[ 21.431117] The buggy address belongs to the physical page:
[ 21.431637] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b74
[ 21.432400] flags: 0x200000000000000(node=0|zone=2)
[ 21.433638] page_type: f5(slab)
[ 21.434157] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 21.435101] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 21.435586] page dumped because: kasan: bad access detected
[ 21.436177]
[ 21.436442] Memory state around the buggy address:
[ 21.437004]  ffff888102b74b00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.437770]  ffff888102b74b80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.438456] >ffff888102b74c00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.439132]                                                  ^
[ 21.439733]  ffff888102b74c80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.440410]  ffff888102b74d00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.441116] ==================================================================
```

x15:

```
[ 67.935913] ==================================================================
[ 67.943176] BUG: KASAN: slab-use-after-free in strlen+0xb0/0xb4
[ 67.949157] Read of size 1 at addr cc90a410 by task kunit_try_catch/311
[ 67.955810]
[ 67.957305] CPU: 0 UID: 0 PID: 311 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE
[ 67.957336] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 67.957366] Hardware name: Generic DRA74X (Flattened Device Tree)
[ 67.957366] Call trace:
[ 67.957366] unwind_backtrace from show_stack+0x18/0x1c
[ 67.957397] show_stack from dump_stack_lvl+0x70/0x90
[ 67.957427] dump_stack_lvl from print_report+0x158/0x528
[ 67.957458] print_report from kasan_report+0xdc/0x118
[ 67.957458] kasan_report from strlen+0xb0/0xb4
[ 67.957489] strlen from kasan_strings+0x5dc/0xf00
[ 67.957519] kasan_strings from kunit_try_run_case+0x22c/0x5a8
[ 67.957550] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 67.957580] kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[ 67.957611] kthread from ret_from_fork+0x14/0x20
[ 67.957611] Exception stack(0xf24c3fb0 to 0xf24c3ff8)
[ 67.957641] 3fa0: 00000000 00000000 00000000 00000000
[ 67.957641] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 67.957672] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 67.957672]
[ 68.066741] Allocated by task 311:
[ 68.070159] kasan_save_track+0x30/0x5c
[ 68.074035] __kasan_kmalloc+0x8c/0x94
[ 68.077819] kasan_strings+0xe8/0xf00
[ 68.081512] kunit_try_run_case+0x22c/0x5a8
[ 68.085723] kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 68.091278] kthread+0x464/0x810
[ 68.094512] ret_from_fork+0x14/0x20
[ 68.098114]
[ 68.099639] Freed by task 311:
[ 68.102691] kasan_save_track+0x30/0x5c
[ 68.106567] kasan_save_free_info+0x3c/0x48
[ 68.110778] __kasan_slab_free+0x40/0x50
[ 68.114746] kfree+0xe8/0x384
[ 68.117736] kasan_strings+0x310/0xf00
[ 68.121520] kunit_try_run_case+0x22c/0x5a8
[ 68.125732] kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 68.131286] kthread+0x464/0x810
[ 68.134521] ret_from_fork+0x14/0x20
[ 68.138122]
[ 68.139648] The buggy address belongs to the object at cc90a400
[ 68.139648] which belongs to the cache kmalloc-64 of size 64
[ 68.151367] The buggy address is located 16 bytes inside of
[ 68.151367] freed 64-byte region [cc90a400, cc90a440)
[ 68.162139]
[ 68.163635] The buggy address belongs to the physical page:
[ 68.169219] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c90a
[ 68.176513] flags: 0x0(zone=0)
[ 68.179595] page_type: f5(slab)
[ 68.182769] raw: 00000000 c7001300 00000122 00000000 00000000 80200020 f5000000 00000000
[ 68.190887] raw: 00000000
[ 68.193542] page dumped because: kasan: bad access detected
[ 68.199157]
[ 68.200653] Memory state around the buggy address:
[ 68.205474]  cc90a300: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.212036]  cc90a380: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.218627] >cc90a400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 68.225189]                  ^
[ 68.228271]  cc90a480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 68.234832]  cc90a500: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 68.241394] ==================================================================
```