Date: May 30, 2025, 4:14 a.m.

| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
| x15 |
```
[ 41.176918] ==================================================================
[ 41.183980] BUG: KASAN: slab-use-after-free in strnlen+0x80/0x88
[ 41.189963] Read of size 1 at addr ffff000806931190 by task kunit_try_catch/303
[ 41.197254]
[ 41.198737] CPU: 2 UID: 0 PID: 303 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 41.198796] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 41.198813] Hardware name: WinLink E850-96 board (DT)
[ 41.198835] Call trace:
[ 41.198849] show_stack+0x20/0x38 (C)
[ 41.198886] dump_stack_lvl+0x8c/0xd0
[ 41.198923] print_report+0x118/0x608
[ 41.198960] kasan_report+0xdc/0x128
[ 41.198992] __asan_report_load1_noabort+0x20/0x30
[ 41.199025] strnlen+0x80/0x88
[ 41.199055] kasan_strings+0x478/0xb00
[ 41.199085] kunit_try_run_case+0x170/0x3f0
[ 41.199122] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 41.199163] kthread+0x328/0x630
[ 41.199192] ret_from_fork+0x10/0x20
[ 41.199227]
[ 41.265047] Allocated by task 303:
[ 41.268434] kasan_save_stack+0x3c/0x68
[ 41.272252] kasan_save_track+0x20/0x40
[ 41.276073] kasan_save_alloc_info+0x40/0x58
[ 41.280325] __kasan_kmalloc+0xd4/0xd8
[ 41.284057] __kmalloc_cache_noprof+0x15c/0x3c0
[ 41.288571] kasan_strings+0xc8/0xb00
[ 41.292217] kunit_try_run_case+0x170/0x3f0
[ 41.296383] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 41.301852] kthread+0x328/0x630
[ 41.305064] ret_from_fork+0x10/0x20
[ 41.308623]
[ 41.310099] Freed by task 303:
[ 41.313138] kasan_save_stack+0x3c/0x68
[ 41.316956] kasan_save_track+0x20/0x40
[ 41.320776] kasan_save_free_info+0x4c/0x78
[ 41.324942] __kasan_slab_free+0x6c/0x98
[ 41.328848] kfree+0x214/0x3c8
[ 41.331886] kasan_strings+0x24c/0xb00
[ 41.335619] kunit_try_run_case+0x170/0x3f0
[ 41.339786] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 41.345254] kthread+0x328/0x630
[ 41.348466] ret_from_fork+0x10/0x20
[ 41.352025]
[ 41.353502] The buggy address belongs to the object at ffff000806931180
[ 41.353502] which belongs to the cache kmalloc-32 of size 32
[ 41.365829] The buggy address is located 16 bytes inside of
[ 41.365829] freed 32-byte region [ffff000806931180, ffff0008069311a0)
[ 41.377893]
[ 41.379372] The buggy address belongs to the physical page:
[ 41.384927] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x886931
[ 41.392913] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 41.399422] page_type: f5(slab)
[ 41.402557] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000
[ 41.410278] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 41.417996] page dumped because: kasan: bad access detected
[ 41.423553]
[ 41.425027] Memory state around the buggy address:
[ 41.429808] ffff000806931080: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 41.437010] ffff000806931100: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 41.444215] >ffff000806931180: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 41.451416] ^
[ 41.455153] ffff000806931200: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 41.462357] ffff000806931280: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 41.469558] ==================================================================
```
```
[ 28.535443] ==================================================================
[ 28.535546] BUG: KASAN: slab-use-after-free in strnlen+0x80/0x88
[ 28.535664] Read of size 1 at addr fff00000c7895c50 by task kunit_try_catch/260
[ 28.535805]
[ 28.535877] CPU: 1 UID: 0 PID: 260 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT
[ 28.536074] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 28.536142] Hardware name: linux,dummy-virt (DT)
[ 28.536217] Call trace:
[ 28.536279] show_stack+0x20/0x38 (C)
[ 28.536397] dump_stack_lvl+0x8c/0xd0
[ 28.536515] print_report+0x118/0x608
[ 28.536630] kasan_report+0xdc/0x128
[ 28.537876] __asan_report_load1_noabort+0x20/0x30
[ 28.538033] strnlen+0x80/0x88
[ 28.538165] kasan_strings+0x478/0xb00
[ 28.538345] kunit_try_run_case+0x170/0x3f0
[ 28.538746] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 28.538939] kthread+0x328/0x630
[ 28.539060] ret_from_fork+0x10/0x20
[ 28.539207]
[ 28.539336] Allocated by task 260:
[ 28.539416] kasan_save_stack+0x3c/0x68
[ 28.539544] kasan_save_track+0x20/0x40
[ 28.539888] kasan_save_alloc_info+0x40/0x58
[ 28.540095] __kasan_kmalloc+0xd4/0xd8
[ 28.540197] __kmalloc_cache_noprof+0x15c/0x3c0
[ 28.540366] kasan_strings+0xc8/0xb00
[ 28.540488] kunit_try_run_case+0x170/0x3f0
[ 28.540596] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 28.540725] kthread+0x328/0x630
[ 28.542438] ret_from_fork+0x10/0x20
[ 28.542583]
[ 28.542733] Freed by task 260:
[ 28.542839] kasan_save_stack+0x3c/0x68
[ 28.542949] kasan_save_track+0x20/0x40
[ 28.543058] kasan_save_free_info+0x4c/0x78
[ 28.544611] __kasan_slab_free+0x6c/0x98
[ 28.544794] kfree+0x214/0x3c8
[ 28.544950] kasan_strings+0x24c/0xb00
[ 28.545199] kunit_try_run_case+0x170/0x3f0
[ 28.545329] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 28.545448] kthread+0x328/0x630
[ 28.545540] ret_from_fork+0x10/0x20
[ 28.545636]
[ 28.546015] The buggy address belongs to the object at fff00000c7895c40
[ 28.546015] which belongs to the cache kmalloc-32 of size 32
[ 28.547704] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 28.549079] fff00000c7895c80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 28.574366] dump_stack_lvl+0x8c/0xd0
[ 28.575544] kthread+0x328/0x630
[ 28.580123] kunit_try_run_case+0x170/0x3f0
[ 28.581628] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 28.585841] fff00000c61bf800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.590218] kasan_report+0xdc/0x128
[ 28.591740] kasan_bitops_generic+0x110/0x1c8
[ 28.592830]
[ 28.593384] __kasan_kmalloc+0xd4/0xd8
[ 28.594822]
[ 28.596908] fff00000c61bf880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.603850] Call trace:
[ 28.605474] kasan_check_range+0x100/0x1a8
[ 28.606493] kasan_bitops_generic+0x110/0x1c8
[ 28.606714] kunit_try_run_case+0x170/0x3f0
[ 28.607301] kthread+0x328/0x630
[ 28.608271]
[ 28.608588] kasan_save_stack+0x3c/0x68
[ 28.610864]
[ 28.611699] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1061bf
[ 28.613960] ^
[ 28.617751] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 28.619419] __asan_report_load8_noabort+0x20/0x30
[ 28.625720] __kasan_kmalloc+0xd4/0xd8
[ 28.627646]
[ 28.629075] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 28.639342] kasan_report+0xdc/0x128
[ 28.642895] kthread+0x328/0x630
[ 28.645812] The buggy address is located 8 bytes inside of
[ 28.645812] allocated 9-byte region [fff00000c61bf780, fff00000c61bf789)
[ 28.651588]
[ 28.655183] kasan_check_range+0x100/0x1a8
[ 28.655622] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 28.657469]
[ 28.659938] ==================================================================
```
```
[ 21.442285] ==================================================================
[ 21.443331] BUG: KASAN: slab-use-after-free in strnlen+0x73/0x80
[ 21.443971] Read of size 1 at addr ffff888102b74c50 by task kunit_try_catch/276
[ 21.444698]
[ 21.445085] CPU: 0 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G B N 6.15.0-next-20250530 #1 PREEMPT(voluntary)
[ 21.445212] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.445254] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 21.445370] Call Trace:
[ 21.445477] <TASK>
[ 21.445531] dump_stack_lvl+0x73/0xb0
[ 21.445644] print_report+0xd1/0x650
[ 21.445772] ? __virt_addr_valid+0x1db/0x2d0
[ 21.445899] ? strnlen+0x73/0x80
[ 21.445988] ? kasan_complete_mode_report_info+0x64/0x200
[ 21.446067] ? strnlen+0x73/0x80
[ 21.446126] kasan_report+0x141/0x180
[ 21.446162] ? strnlen+0x73/0x80
[ 21.446195] __asan_report_load1_noabort+0x18/0x20
[ 21.446226] strnlen+0x73/0x80
[ 21.446268] kasan_strings+0x615/0xe80
[ 21.446299] ? trace_hardirqs_on+0x37/0xe0
[ 21.446333] ? __pfx_kasan_strings+0x10/0x10
[ 21.446365] ? __kasan_check_write+0x18/0x20
[ 21.446393] ? queued_spin_lock_slowpath+0x116/0xb40
[ 21.446431] ? __pfx_queued_spin_lock_slowpath+0x10/0x10
[ 21.446467] ? __pfx_read_tsc+0x10/0x10
[ 21.446500] ? ktime_get_ts64+0x86/0x230
[ 21.446533] kunit_try_run_case+0x1a5/0x480
[ 21.446563] ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.446591] ? _raw_spin_lock_irqsave+0xf9/0x100
[ 21.446625] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 21.446691] ? __kthread_parkme+0x82/0x180
[ 21.446735] ? preempt_count_sub+0x50/0x80
[ 21.446770] ? __pfx_kunit_try_run_case+0x10/0x10
[ 21.446800] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.446835] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 21.446872] kthread+0x337/0x6f0
[ 21.446900] ? trace_preempt_on+0x20/0xc0
[ 21.446933] ? __pfx_kthread+0x10/0x10
[ 21.446989] ? _raw_spin_unlock_irq+0x47/0x80
[ 21.447024] ? calculate_sigpending+0x7b/0xa0
[ 21.447058] ? __pfx_kthread+0x10/0x10
[ 21.447087] ret_from_fork+0x116/0x1d0
[ 21.447112] ? __pfx_kthread+0x10/0x10
[ 21.447141] ret_from_fork_asm+0x1a/0x30
[ 21.447184] </TASK>
[ 21.447199]
[ 21.463531] Allocated by task 276:
[ 21.463859] kasan_save_stack+0x45/0x70
[ 21.464410] kasan_save_track+0x18/0x40
[ 21.465126] kasan_save_alloc_info+0x3b/0x50
[ 21.465573] __kasan_kmalloc+0xb7/0xc0
[ 21.466014] __kmalloc_cache_noprof+0x189/0x420
[ 21.467757] kasan_strings+0xc0/0xe80
[ 21.468400] kunit_try_run_case+0x1a5/0x480
[ 21.469638] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.470446] kthread+0x337/0x6f0
[ 21.471109] ret_from_fork+0x116/0x1d0
[ 21.471645] ret_from_fork_asm+0x1a/0x30
[ 21.472255]
[ 21.472422] Freed by task 276:
[ 21.473093] kasan_save_stack+0x45/0x70
[ 21.473457] kasan_save_track+0x18/0x40
[ 21.474213] kasan_save_free_info+0x3f/0x60
[ 21.474590] __kasan_slab_free+0x56/0x70
[ 21.475493] kfree+0x222/0x3f0
[ 21.476106] kasan_strings+0x2aa/0xe80
[ 21.476447] kunit_try_run_case+0x1a5/0x480
[ 21.477075] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 21.477551] kthread+0x337/0x6f0
[ 21.477881] ret_from_fork+0x116/0x1d0
[ 21.478407] ret_from_fork_asm+0x1a/0x30
[ 21.479030]
[ 21.479244] The buggy address belongs to the object at ffff888102b74c40
[ 21.479244] which belongs to the cache kmalloc-32 of size 32
[ 21.480315] The buggy address is located 16 bytes inside of
[ 21.480315] freed 32-byte region [ffff888102b74c40, ffff888102b74c60)
[ 21.481328]
[ 21.481517] The buggy address belongs to the physical page:
[ 21.482143] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b74
[ 21.482829] flags: 0x200000000000000(node=0|zone=2)
[ 21.483351] page_type: f5(slab)
[ 21.483705] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 21.484251] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 21.485003] page dumped because: kasan: bad access detected
[ 21.485523]
[ 21.485809] Memory state around the buggy address:
[ 21.486254] ffff888102b74b00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.486969] ffff888102b74b80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.487645] >ffff888102b74c00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.488275] ^
[ 21.488840] ffff888102b74c80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.489504] ffff888102b74d00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.490132] ==================================================================
```
```
[ 68.248748] ==================================================================
[ 68.256011] BUG: KASAN: slab-use-after-free in strnlen+0x94/0x9c
[ 68.262054] Read of size 1 at addr cc90a410 by task kunit_try_catch/311
[ 68.268737]
[ 68.270233] CPU: 0 UID: 0 PID: 311 Comm: kunit_try_catch Tainted: G B W N 6.15.0-next-20250530 #1 NONE
[ 68.270263] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 68.270263] Hardware name: Generic DRA74X (Flattened Device Tree)
[ 68.270294] Call trace:
[ 68.270294] unwind_backtrace from show_stack+0x18/0x1c
[ 68.270324] show_stack from dump_stack_lvl+0x70/0x90
[ 68.270355] dump_stack_lvl from print_report+0x158/0x528
[ 68.270355] print_report from kasan_report+0xdc/0x118
[ 68.270385] kasan_report from strnlen+0x94/0x9c
[ 68.270416] strnlen from kasan_strings+0x670/0xf00
[ 68.270446] kasan_strings from kunit_try_run_case+0x22c/0x5a8
[ 68.270477] kunit_try_run_case from kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 68.270507] kunit_generic_run_threadfn_adapter from kthread+0x464/0x810
[ 68.270507] kthread from ret_from_fork+0x14/0x20
[ 68.270538] Exception stack(0xf24c3fb0 to 0xf24c3ff8)
[ 68.270568] 3fa0: 00000000 00000000 00000000 00000000
[ 68.270568] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 68.270599] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 68.270599]
[ 68.379852] Allocated by task 311:
[ 68.383270] kasan_save_track+0x30/0x5c
[ 68.387145] __kasan_kmalloc+0x8c/0x94
[ 68.390899] kasan_strings+0xe8/0xf00
[ 68.394622] kunit_try_run_case+0x22c/0x5a8
[ 68.398834] kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 68.404357] kthread+0x464/0x810
[ 68.407623] ret_from_fork+0x14/0x20
[ 68.411224]
[ 68.412719] Freed by task 311:
[ 68.415802] kasan_save_track+0x30/0x5c
[ 68.419677] kasan_save_free_info+0x3c/0x48
[ 68.423889] __kasan_slab_free+0x40/0x50
[ 68.427825] kfree+0xe8/0x384
[ 68.430847] kasan_strings+0x310/0xf00
[ 68.434600] kunit_try_run_case+0x22c/0x5a8
[ 68.438842] kunit_generic_run_threadfn_adapter+0xc4/0x128
[ 68.444366] kthread+0x464/0x810
[ 68.447631] ret_from_fork+0x14/0x20
[ 68.451232]
[ 68.452728] The buggy address belongs to the object at cc90a400
[ 68.452728] which belongs to the cache kmalloc-64 of size 64
[ 68.464447] The buggy address is located 16 bytes inside of
[ 68.464447] freed 64-byte region [cc90a400, cc90a440)
[ 68.475219]
[ 68.476715] The buggy address belongs to the physical page:
[ 68.482330] page: refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x8c90a
[ 68.489593] flags: 0x0(zone=0)
[ 68.492675] page_type: f5(slab)
[ 68.495849] raw: 00000000 c7001300 00000122 00000000 00000000 80200020 f5000000 00000000
[ 68.503997] raw: 00000000
[ 68.506622] page dumped because: kasan: bad access detected
[ 68.512237]
[ 68.513732] Memory state around the buggy address:
[ 68.518585] cc90a300: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.525146] cc90a380: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.531707] >cc90a400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 68.538299] ^
[ 68.541351] cc90a480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 68.547943] cc90a500: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 68.554504] ==================================================================
```