Date
June 24, 2025, 11:37 a.m.
Environment |
---|
dragonboard-845c |
qemu-x86_64 |
[ 51.254304] ================================================================== [ 51.261617] BUG: KASAN: slab-use-after-free in strlen+0xa8/0xb0 [ 51.267622] Read of size 1 at addr ffff000093781910 by task kunit_try_catch/357 [ 51.275020] [ 51.276552] CPU: 6 UID: 0 PID: 357 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT [ 51.276583] Tainted: [B]=BAD_PAGE, [N]=TEST [ 51.276592] Hardware name: Thundercomm Dragonboard 845c (DT) [ 51.276603] Call trace: [ 51.276610] show_stack+0x20/0x38 (C) [ 51.276627] dump_stack_lvl+0x8c/0xd0 [ 51.276645] print_report+0x118/0x608 [ 51.276666] kasan_report+0xdc/0x128 [ 51.276684] __asan_report_load1_noabort+0x20/0x30 [ 51.276701] strlen+0xa8/0xb0 [ 51.276716] kasan_strings+0x418/0xb00 [ 51.276732] kunit_try_run_case+0x170/0x3f0 [ 51.276750] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 51.276770] kthread+0x328/0x630 [ 51.276783] ret_from_fork+0x10/0x20 [ 51.276800] [ 51.345009] Allocated by task 357: [ 51.348461] kasan_save_stack+0x3c/0x68 [ 51.352358] kasan_save_track+0x20/0x40 [ 51.356262] kasan_save_alloc_info+0x40/0x58 [ 51.360598] __kasan_kmalloc+0xd4/0xd8 [ 51.364413] __kmalloc_cache_noprof+0x16c/0x3c0 [ 51.369014] kasan_strings+0xc8/0xb00 [ 51.372741] kunit_try_run_case+0x170/0x3f0 [ 51.376992] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 51.382556] kthread+0x328/0x630 [ 51.385840] ret_from_fork+0x10/0x20 [ 51.389480] [ 51.391014] Freed by task 357: [ 51.394120] kasan_save_stack+0x3c/0x68 [ 51.398024] kasan_save_track+0x20/0x40 [ 51.401921] kasan_save_free_info+0x4c/0x78 [ 51.406165] __kasan_slab_free+0x6c/0x98 [ 51.410155] kfree+0x214/0x3c8 [ 51.413265] kasan_strings+0x24c/0xb00 [ 51.417080] kunit_try_run_case+0x170/0x3f0 [ 51.421331] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 51.426897] kthread+0x328/0x630 [ 51.430179] ret_from_fork+0x10/0x20 [ 51.433810] [ 51.435340] The buggy address belongs to the object at ffff000093781900 [ 51.435340] which belongs to the cache kmalloc-32 of size 32 [ 
51.447820] The buggy address is located 16 bytes inside of [ 51.447820] freed 32-byte region [ffff000093781900, ffff000093781920) [ 51.460042] [ 51.461566] The buggy address belongs to the physical page: [ 51.467208] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113781 [ 51.475307] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 51.481920] page_type: f5(slab) [ 51.485116] raw: 0bfffe0000000000 ffff000080002780 dead000000000122 0000000000000000 [ 51.492957] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 51.500794] page dumped because: kasan: bad access detected [ 51.506437] [ 51.507964] Memory state around the buggy address: [ 51.512818] ffff000093781800: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 51.520132] ffff000093781880: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 51.527448] >ffff000093781900: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 51.534756] ^ [ 51.538568] ffff000093781980: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 51.545873] ffff000093781a00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 51.553187] ==================================================================
[ 31.720607] ================================================================== [ 31.721207] BUG: KASAN: slab-use-after-free in strlen+0x8f/0xb0 [ 31.721787] Read of size 1 at addr ffff888103b4da50 by task kunit_try_catch/289 [ 31.722531] [ 31.722800] CPU: 1 UID: 0 PID: 289 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary) [ 31.722916] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.722947] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 31.722998] Call Trace: [ 31.723041] <TASK> [ 31.723220] dump_stack_lvl+0x73/0xb0 [ 31.723317] print_report+0xd1/0x650 [ 31.723381] ? __virt_addr_valid+0x1db/0x2d0 [ 31.723445] ? strlen+0x8f/0xb0 [ 31.723500] ? kasan_complete_mode_report_info+0x64/0x200 [ 31.723581] ? strlen+0x8f/0xb0 [ 31.723662] kasan_report+0x141/0x180 [ 31.723723] ? strlen+0x8f/0xb0 [ 31.723798] __asan_report_load1_noabort+0x18/0x20 [ 31.723892] strlen+0x8f/0xb0 [ 31.723958] kasan_strings+0x57b/0xe80 [ 31.724028] ? trace_hardirqs_on+0x37/0xe0 [ 31.724252] ? __pfx_kasan_strings+0x10/0x10 [ 31.724289] ? finish_task_switch.isra.0+0x153/0x700 [ 31.724322] ? __switch_to+0x47/0xf50 [ 31.724357] ? __schedule+0x10cc/0x2b60 [ 31.724391] ? __pfx_read_tsc+0x10/0x10 [ 31.724421] ? ktime_get_ts64+0x86/0x230 [ 31.724453] kunit_try_run_case+0x1a5/0x480 [ 31.724488] ? __pfx_kunit_try_run_case+0x10/0x10 [ 31.724517] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 31.724570] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 31.724604] ? __kthread_parkme+0x82/0x180 [ 31.724664] ? preempt_count_sub+0x50/0x80 [ 31.724701] ? __pfx_kunit_try_run_case+0x10/0x10 [ 31.724733] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 31.724765] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 31.724798] kthread+0x337/0x6f0 [ 31.724824] ? trace_preempt_on+0x20/0xc0 [ 31.724855] ? __pfx_kthread+0x10/0x10 [ 31.724881] ? _raw_spin_unlock_irq+0x47/0x80 [ 31.724914] ? calculate_sigpending+0x7b/0xa0 [ 31.724945] ? 
__pfx_kthread+0x10/0x10 [ 31.724974] ret_from_fork+0x116/0x1d0 [ 31.725000] ? __pfx_kthread+0x10/0x10 [ 31.725026] ret_from_fork_asm+0x1a/0x30 [ 31.725078] </TASK> [ 31.725101] [ 31.741296] Allocated by task 289: [ 31.741729] kasan_save_stack+0x45/0x70 [ 31.742135] kasan_save_track+0x18/0x40 [ 31.742563] kasan_save_alloc_info+0x3b/0x50 [ 31.742863] __kasan_kmalloc+0xb7/0xc0 [ 31.743368] __kmalloc_cache_noprof+0x189/0x420 [ 31.743843] kasan_strings+0xc0/0xe80 [ 31.744178] kunit_try_run_case+0x1a5/0x480 [ 31.744662] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 31.745167] kthread+0x337/0x6f0 [ 31.746126] ret_from_fork+0x116/0x1d0 [ 31.746775] ret_from_fork_asm+0x1a/0x30 [ 31.747038] [ 31.747210] Freed by task 289: [ 31.747661] kasan_save_stack+0x45/0x70 [ 31.748073] kasan_save_track+0x18/0x40 [ 31.748464] kasan_save_free_info+0x3f/0x60 [ 31.749048] __kasan_slab_free+0x56/0x70 [ 31.749457] kfree+0x222/0x3f0 [ 31.749875] kasan_strings+0x2aa/0xe80 [ 31.750206] kunit_try_run_case+0x1a5/0x480 [ 31.750476] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 31.751430] kthread+0x337/0x6f0 [ 31.751841] ret_from_fork+0x116/0x1d0 [ 31.752427] ret_from_fork_asm+0x1a/0x30 [ 31.752843] [ 31.753073] The buggy address belongs to the object at ffff888103b4da40 [ 31.753073] which belongs to the cache kmalloc-32 of size 32 [ 31.754015] The buggy address is located 16 bytes inside of [ 31.754015] freed 32-byte region [ffff888103b4da40, ffff888103b4da60) [ 31.755058] [ 31.755356] The buggy address belongs to the physical page: [ 31.755870] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103b4d [ 31.756311] flags: 0x200000000000000(node=0|zone=2) [ 31.756835] page_type: f5(slab) [ 31.757190] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 31.758416] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 31.759023] page dumped because: kasan: bad access detected [ 31.759678] [ 31.759863] Memory state around the buggy address: 
[ 31.760245] ffff888103b4d900: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 31.760907] ffff888103b4d980: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 31.761595] >ffff888103b4da00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 31.762169] ^ [ 31.763138] ffff888103b4da80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 31.763790] ffff888103b4db00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 31.764571] ==================================================================