Date
June 18, 2025, 6:43 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 23.292904] ================================================================== [ 23.293066] BUG: KASAN: slab-use-after-free in strcmp+0xc0/0xc8 [ 23.293215] Read of size 1 at addr fff00000c605c810 by task kunit_try_catch/269 [ 23.293345] [ 23.293441] CPU: 0 UID: 0 PID: 269 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc2-next-20250618 #1 PREEMPT [ 23.293686] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 23.293769] Hardware name: linux,dummy-virt (DT) [ 23.293858] Call trace: [ 23.293921] show_stack+0x20/0x38 (C) [ 23.294544] dump_stack_lvl+0x8c/0xd0 [ 23.295205] print_report+0x118/0x608 [ 23.295612] kasan_report+0xdc/0x128 [ 23.295745] __asan_report_load1_noabort+0x20/0x30 [ 23.295868] strcmp+0xc0/0xc8 [ 23.296113] kasan_strings+0x340/0xb00 [ 23.296401] kunit_try_run_case+0x170/0x3f0 [ 23.296697] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 23.297099] kthread+0x328/0x630 [ 23.297437] ret_from_fork+0x10/0x20 [ 23.297564] [ 23.297705] Allocated by task 269: [ 23.297946] kasan_save_stack+0x3c/0x68 [ 23.298197] kasan_save_track+0x20/0x40 [ 23.298347] kasan_save_alloc_info+0x40/0x58 [ 23.298451] __kasan_kmalloc+0xd4/0xd8 [ 23.298551] __kmalloc_cache_noprof+0x16c/0x3c0 [ 23.298673] kasan_strings+0xc8/0xb00 [ 23.299112] kunit_try_run_case+0x170/0x3f0 [ 23.299373] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 23.299658] kthread+0x328/0x630 [ 23.299855] ret_from_fork+0x10/0x20 [ 23.299985] [ 23.300298] Freed by task 269: [ 23.300425] kasan_save_stack+0x3c/0x68 [ 23.300695] kasan_save_track+0x20/0x40 [ 23.301060] kasan_save_free_info+0x4c/0x78 [ 23.301229] __kasan_slab_free+0x6c/0x98 [ 23.301333] kfree+0x214/0x3c8 [ 23.301895] kasan_strings+0x24c/0xb00 [ 23.302106] kunit_try_run_case+0x170/0x3f0 [ 23.302210] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 23.302319] kthread+0x328/0x630 [ 23.302417] ret_from_fork+0x10/0x20 [ 23.302522] [ 23.302588] The buggy address belongs to the object at fff00000c605c800 [ 23.302588] which belongs to the cache kmalloc-32 of size 32 [ 23.302755] The buggy address is located 16 bytes inside of [ 23.302755] freed 32-byte region [fff00000c605c800, fff00000c605c820) [ 23.303300] [ 23.303464] The buggy address belongs to the physical page: [ 23.303658] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10605c [ 23.303913] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 23.304251] page_type: f5(slab) [ 23.304451] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 23.304761] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 23.304892] page dumped because: kasan: bad access detected [ 23.304989] [ 23.305052] Memory state around the buggy address: [ 23.305147] fff00000c605c700: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 23.305267] fff00000c605c780: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc [ 23.305392] >fff00000c605c800: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 23.305504] ^ [ 23.305585] fff00000c605c880: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 23.305709] fff00000c605c900: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 23.305822] ==================================================================
[ 13.074619] ================================================================== [ 13.076627] BUG: KASAN: slab-use-after-free in strcmp+0xb0/0xc0 [ 13.076840] Read of size 1 at addr ffff88810262ad90 by task kunit_try_catch/285 [ 13.077058] [ 13.077139] CPU: 0 UID: 0 PID: 285 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc2-next-20250618 #1 PREEMPT(voluntary) [ 13.077189] Tainted: [B]=BAD_PAGE, [N]=TEST [ 13.077201] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 13.077234] Call Trace: [ 13.077250] <TASK> [ 13.077266] dump_stack_lvl+0x73/0xb0 [ 13.077292] print_report+0xd1/0x650 [ 13.077316] ? __virt_addr_valid+0x1db/0x2d0 [ 13.077340] ? strcmp+0xb0/0xc0 [ 13.077360] ? kasan_complete_mode_report_info+0x64/0x200 [ 13.077385] ? strcmp+0xb0/0xc0 [ 13.077404] kasan_report+0x141/0x180 [ 13.077426] ? strcmp+0xb0/0xc0 [ 13.077449] __asan_report_load1_noabort+0x18/0x20 [ 13.077472] strcmp+0xb0/0xc0 [ 13.077493] kasan_strings+0x431/0xe80 [ 13.077512] ? trace_hardirqs_on+0x37/0xe0 [ 13.077536] ? __pfx_kasan_strings+0x10/0x10 [ 13.077556] ? finish_task_switch.isra.0+0x153/0x700 [ 13.077579] ? __switch_to+0x47/0xf50 [ 13.077604] ? __schedule+0x10cc/0x2b60 [ 13.077626] ? __pfx_read_tsc+0x10/0x10 [ 13.077648] ? ktime_get_ts64+0x86/0x230 [ 13.077672] kunit_try_run_case+0x1a5/0x480 [ 13.077695] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.077717] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 13.077738] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 13.077761] ? __kthread_parkme+0x82/0x180 [ 13.077782] ? preempt_count_sub+0x50/0x80 [ 13.077804] ? __pfx_kunit_try_run_case+0x10/0x10 [ 13.077827] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.077849] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 13.077870] kthread+0x337/0x6f0 [ 13.077889] ? trace_preempt_on+0x20/0xc0 [ 13.077911] ? __pfx_kthread+0x10/0x10 [ 13.077931] ? _raw_spin_unlock_irq+0x47/0x80 [ 13.077951] ? calculate_sigpending+0x7b/0xa0 [ 13.077974] ? __pfx_kthread+0x10/0x10 [ 13.077995] ret_from_fork+0x116/0x1d0 [ 13.078013] ? __pfx_kthread+0x10/0x10 [ 13.078033] ret_from_fork_asm+0x1a/0x30 [ 13.078063] </TASK> [ 13.078074] [ 13.088622] Allocated by task 285: [ 13.088756] kasan_save_stack+0x45/0x70 [ 13.088893] kasan_save_track+0x18/0x40 [ 13.089017] kasan_save_alloc_info+0x3b/0x50 [ 13.089154] __kasan_kmalloc+0xb7/0xc0 [ 13.089502] __kmalloc_cache_noprof+0x189/0x420 [ 13.089884] kasan_strings+0xc0/0xe80 [ 13.090228] kunit_try_run_case+0x1a5/0x480 [ 13.090645] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.091117] kthread+0x337/0x6f0 [ 13.091425] ret_from_fork+0x116/0x1d0 [ 13.091774] ret_from_fork_asm+0x1a/0x30 [ 13.092142] [ 13.092311] Freed by task 285: [ 13.092576] kasan_save_stack+0x45/0x70 [ 13.092911] kasan_save_track+0x18/0x40 [ 13.093279] kasan_save_free_info+0x3f/0x60 [ 13.093659] __kasan_slab_free+0x56/0x70 [ 13.094007] kfree+0x222/0x3f0 [ 13.094294] kasan_strings+0x2aa/0xe80 [ 13.094614] kunit_try_run_case+0x1a5/0x480 [ 13.094779] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 13.094941] kthread+0x337/0x6f0 [ 13.095051] ret_from_fork+0x116/0x1d0 [ 13.095171] ret_from_fork_asm+0x1a/0x30 [ 13.095319] [ 13.095403] The buggy address belongs to the object at ffff88810262ad80 [ 13.095403] which belongs to the cache kmalloc-32 of size 32 [ 13.095818] The buggy address is located 16 bytes inside of [ 13.095818] freed 32-byte region [ffff88810262ad80, ffff88810262ada0) [ 13.096261] [ 13.096352] The buggy address belongs to the physical page: [ 13.096572] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10262a [ 13.096843] flags: 0x200000000000000(node=0|zone=2) [ 13.097011] page_type: f5(slab) [ 13.097172] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 13.097754] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 13.098003] page dumped because: kasan: bad access detected [ 13.098420] [ 13.098503] Memory state around the buggy address: [ 13.098702] ffff88810262ac80: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 13.098967] ffff88810262ad00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 13.099506] >ffff88810262ad80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 13.099993] ^ [ 13.100353] ffff88810262ae00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 13.100806] ffff88810262ae80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 13.101103] ==================================================================