Date
June 16, 2025, 7:07 a.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64

[ 22.239131] ==================================================================
[ 22.239214] BUG: KASAN: slab-use-after-free in strcmp+0xc0/0xc8
[ 22.239459] Read of size 1 at addr fff00000c63fb310 by task kunit_try_catch/268
[ 22.239552]
[ 22.239646] CPU: 0 UID: 0 PID: 268 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250616 #1 PREEMPT
[ 22.239768] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.239806] Hardware name: linux,dummy-virt (DT)
[ 22.239861] Call trace:
[ 22.239910]  show_stack+0x20/0x38 (C)
[ 22.239995]  dump_stack_lvl+0x8c/0xd0
[ 22.240064]  print_report+0x118/0x608
[ 22.240123]  kasan_report+0xdc/0x128
[ 22.240179]  __asan_report_load1_noabort+0x20/0x30
[ 22.240239]  strcmp+0xc0/0xc8
[ 22.240293]  kasan_strings+0x340/0xb00
[ 22.240347]  kunit_try_run_case+0x170/0x3f0
[ 22.240411]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 22.240475]  kthread+0x328/0x630
[ 22.240528]  ret_from_fork+0x10/0x20
[ 22.240590]
[ 22.240620] Allocated by task 268:
[ 22.240660]  kasan_save_stack+0x3c/0x68
[ 22.240716]  kasan_save_track+0x20/0x40
[ 22.240768]  kasan_save_alloc_info+0x40/0x58
[ 22.240814]  __kasan_kmalloc+0xd4/0xd8
[ 22.241111]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 22.241174]  kasan_strings+0xc8/0xb00
[ 22.241447]  kunit_try_run_case+0x170/0x3f0
[ 22.241676]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 22.241745]  kthread+0x328/0x630
[ 22.241806]  ret_from_fork+0x10/0x20
[ 22.241882]
[ 22.241912] Freed by task 268:
[ 22.241955]  kasan_save_stack+0x3c/0x68
[ 22.242006]  kasan_save_track+0x20/0x40
[ 22.242058]  kasan_save_free_info+0x4c/0x78
[ 22.242104]  __kasan_slab_free+0x6c/0x98
[ 22.242157]  kfree+0x214/0x3c8
[ 22.242201]  kasan_strings+0x24c/0xb00
[ 22.242248]  kunit_try_run_case+0x170/0x3f0
[ 22.243488]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 22.243932]  kthread+0x328/0x630
[ 22.244462]  ret_from_fork+0x10/0x20
[ 22.244748]
[ 22.244783] The buggy address belongs to the object at fff00000c63fb300
[ 22.244783]  which belongs to the cache kmalloc-32 of size 32
[ 22.244875] The buggy address is located 16 bytes inside of
[ 22.244875]  freed 32-byte region [fff00000c63fb300, fff00000c63fb320)
[ 22.244954]
[ 22.244988] The buggy address belongs to the physical page:
[ 22.246044] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1063fb
[ 22.246376] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 22.246451] page_type: f5(slab)
[ 22.247185] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 22.247784] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 22.248176] page dumped because: kasan: bad access detected
[ 22.248368]
[ 22.248663] Memory state around the buggy address:
[ 22.248935]  fff00000c63fb200: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 22.249004]  fff00000c63fb280: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 22.249064] >fff00000c63fb300: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 22.249168]                          ^
[ 22.249457]  fff00000c63fb380: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 22.249643]  fff00000c63fb400: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 22.249974] ==================================================================
qemu-x86_64

[ 13.418378] ==================================================================
[ 13.419898] BUG: KASAN: slab-use-after-free in strcmp+0xb0/0xc0
[ 13.420110] Read of size 1 at addr ffff8881028dc250 by task kunit_try_catch/284
[ 13.420322]
[ 13.420399] CPU: 1 UID: 0 PID: 284 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250616 #1 PREEMPT(voluntary)
[ 13.420445] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.420456] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.420477] Call Trace:
[ 13.420489]  <TASK>
[ 13.420505]  dump_stack_lvl+0x73/0xb0
[ 13.420530]  print_report+0xd1/0x650
[ 13.420553]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.420576]  ? strcmp+0xb0/0xc0
[ 13.420595]  ? kasan_complete_mode_report_info+0x64/0x200
[ 13.420617]  ? strcmp+0xb0/0xc0
[ 13.420637]  kasan_report+0x141/0x180
[ 13.420658]  ? strcmp+0xb0/0xc0
[ 13.420683]  __asan_report_load1_noabort+0x18/0x20
[ 13.420707]  strcmp+0xb0/0xc0
[ 13.420729]  kasan_strings+0x431/0xe80
[ 13.420748]  ? trace_hardirqs_on+0x37/0xe0
[ 13.420772]  ? __pfx_kasan_strings+0x10/0x10
[ 13.420792]  ? finish_task_switch.isra.0+0x153/0x700
[ 13.420814]  ? __switch_to+0x47/0xf50
[ 13.420839]  ? __schedule+0x10cc/0x2b60
[ 13.420860]  ? __pfx_read_tsc+0x10/0x10
[ 13.420880]  ? ktime_get_ts64+0x86/0x230
[ 13.420904]  kunit_try_run_case+0x1a5/0x480
[ 13.420927]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.420960]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.420982]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.421004]  ? __kthread_parkme+0x82/0x180
[ 13.421023]  ? preempt_count_sub+0x50/0x80
[ 13.421045]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.421067]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.421090]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.421112]  kthread+0x337/0x6f0
[ 13.421131]  ? trace_preempt_on+0x20/0xc0
[ 13.421152]  ? __pfx_kthread+0x10/0x10
[ 13.421171]  ? _raw_spin_unlock_irq+0x47/0x80
[ 13.421191]  ? calculate_sigpending+0x7b/0xa0
[ 13.421214]  ? __pfx_kthread+0x10/0x10
[ 13.421235]  ret_from_fork+0x116/0x1d0
[ 13.421252]  ? __pfx_kthread+0x10/0x10
[ 13.421271]  ret_from_fork_asm+0x1a/0x30
[ 13.421301]  </TASK>
[ 13.421311]
[ 13.431815] Allocated by task 284:
[ 13.432480]  kasan_save_stack+0x45/0x70
[ 13.432655]  kasan_save_track+0x18/0x40
[ 13.432788]  kasan_save_alloc_info+0x3b/0x50
[ 13.432967]  __kasan_kmalloc+0xb7/0xc0
[ 13.433640]  __kmalloc_cache_noprof+0x189/0x420
[ 13.433877]  kasan_strings+0xc0/0xe80
[ 13.434073]  kunit_try_run_case+0x1a5/0x480
[ 13.434280]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.434610]  kthread+0x337/0x6f0
[ 13.434845]  ret_from_fork+0x116/0x1d0
[ 13.435475]  ret_from_fork_asm+0x1a/0x30
[ 13.436549]
[ 13.436626] Freed by task 284:
[ 13.436736]  kasan_save_stack+0x45/0x70
[ 13.436870]  kasan_save_track+0x18/0x40
[ 13.437012]  kasan_save_free_info+0x3f/0x60
[ 13.437149]  __kasan_slab_free+0x56/0x70
[ 13.437278]  kfree+0x222/0x3f0
[ 13.437388]  kasan_strings+0x2aa/0xe80
[ 13.437512]  kunit_try_run_case+0x1a5/0x480
[ 13.437647]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.437819]  kthread+0x337/0x6f0
[ 13.437945]  ret_from_fork+0x116/0x1d0
[ 13.438070]  ret_from_fork_asm+0x1a/0x30
[ 13.438204]
[ 13.438269] The buggy address belongs to the object at ffff8881028dc240
[ 13.438269]  which belongs to the cache kmalloc-32 of size 32
[ 13.438610] The buggy address is located 16 bytes inside of
[ 13.438610]  freed 32-byte region [ffff8881028dc240, ffff8881028dc260)
[ 13.440485]
[ 13.440604] The buggy address belongs to the physical page:
[ 13.440970] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1028dc
[ 13.441336] flags: 0x200000000000000(node=0|zone=2)
[ 13.441578] page_type: f5(slab)
[ 13.441749] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 13.442108] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 13.442452] page dumped because: kasan: bad access detected
[ 13.442705]
[ 13.442794] Memory state around the buggy address:
[ 13.443177]  ffff8881028dc100: fa fb fb fb fc fc fc fc 00 00 07 fc fc fc fc fc
[ 13.443678]  ffff8881028dc180: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 13.444352] >ffff8881028dc200: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 13.444648]                                                  ^
[ 13.444831]  ffff8881028dc280: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 13.445124]  ffff8881028dc300: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 13.445587] ==================================================================