Date
July 2, 2025, 11:10 a.m.

Environment
qemu-arm64
qemu-x86_64

[   33.169454] ==================================================================
[   33.169509] BUG: KASAN: slab-use-after-free in kasan_strings+0x95c/0xb00
[   33.169559] Read of size 1 at addr fff00000c993b210 by task kunit_try_catch/292
[   33.169612] 
[   33.169738] CPU: 1 UID: 0 PID: 292 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT 
[   33.169845] Tainted: [B]=BAD_PAGE, [N]=TEST
[   33.170058] Hardware name: linux,dummy-virt (DT)
[   33.170130] Call trace:
[   33.170157]  show_stack+0x20/0x38 (C)
[   33.170233]  dump_stack_lvl+0x8c/0xd0
[   33.170284]  print_report+0x118/0x608
[   33.170348]  kasan_report+0xdc/0x128
[   33.170399]  __asan_report_load1_noabort+0x20/0x30
[   33.170546]  kasan_strings+0x95c/0xb00
[   33.170595]  kunit_try_run_case+0x170/0x3f0
[   33.170762]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.170846]  kthread+0x328/0x630
[   33.170909]  ret_from_fork+0x10/0x20
[   33.170972] 
[   33.171001] Allocated by task 292:
[   33.171035]  kasan_save_stack+0x3c/0x68
[   33.171178]  kasan_save_track+0x20/0x40
[   33.171362]  kasan_save_alloc_info+0x40/0x58
[   33.171437]  __kasan_kmalloc+0xd4/0xd8
[   33.171480]  __kmalloc_cache_noprof+0x16c/0x3c0
[   33.171526]  kasan_strings+0xc8/0xb00
[   33.171605]  kunit_try_run_case+0x170/0x3f0
[   33.171730]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.171815]  kthread+0x328/0x630
[   33.171989]  ret_from_fork+0x10/0x20
[   33.172028] 
[   33.172053] Freed by task 292:
[   33.172085]  kasan_save_stack+0x3c/0x68
[   33.172251]  kasan_save_track+0x20/0x40
[   33.172302]  kasan_save_free_info+0x4c/0x78
[   33.172343]  __kasan_slab_free+0x6c/0x98
[   33.172426]  kfree+0x214/0x3c8
[   33.172486]  kasan_strings+0x24c/0xb00
[   33.172553]  kunit_try_run_case+0x170/0x3f0
[   33.172641]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.172717]  kthread+0x328/0x630
[   33.172783]  ret_from_fork+0x10/0x20
[   33.172846] 
[   33.172898] The buggy address belongs to the object at fff00000c993b200
[   33.172898]  which belongs to the cache kmalloc-32 of size 32
[   33.173012] The buggy address is located 16 bytes inside of
[   33.173012]  freed 32-byte region [fff00000c993b200, fff00000c993b220)
[   33.173095] 
[   33.173119] The buggy address belongs to the physical page:
[   33.173160] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10993b
[   33.173443] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   33.173554] page_type: f5(slab)
[   33.173638] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   33.173706] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   33.173772] page dumped because: kasan: bad access detected
[   33.173865] 
[   33.173886] Memory state around the buggy address:
[   33.173944]  fff00000c993b100: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   33.174028]  fff00000c993b180: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   33.174196] >fff00000c993b200: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   33.174324]                          ^
[   33.174387]  fff00000c993b280: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   33.174538]  fff00000c993b300: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   33.174628] ==================================================================

[   25.283793] ==================================================================
[   25.284054] BUG: KASAN: slab-use-after-free in kasan_strings+0xcbc/0xe80
[   25.285344] Read of size 1 at addr ffff888105a1be50 by task kunit_try_catch/308
[   25.286282] 
[   25.286580] CPU: 0 UID: 0 PID: 308 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) 
[   25.286641] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.286656] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.286682] Call Trace:
[   25.286698]  <TASK>
[   25.286718]  dump_stack_lvl+0x73/0xb0
[   25.286752]  print_report+0xd1/0x650
[   25.286776]  ? __virt_addr_valid+0x1db/0x2d0
[   25.286801]  ? kasan_strings+0xcbc/0xe80
[   25.286822]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.286848]  ? kasan_strings+0xcbc/0xe80
[   25.286869]  kasan_report+0x141/0x180
[   25.286891]  ? kasan_strings+0xcbc/0xe80
[   25.286916]  __asan_report_load1_noabort+0x18/0x20
[   25.286940]  kasan_strings+0xcbc/0xe80
[   25.286960]  ? trace_hardirqs_on+0x37/0xe0
[   25.286984]  ? __pfx_kasan_strings+0x10/0x10
[   25.287005]  ? finish_task_switch.isra.0+0x153/0x700
[   25.287027]  ? __switch_to+0x47/0xf50
[   25.287053]  ? __schedule+0x10cc/0x2b60
[   25.287085]  ? __pfx_read_tsc+0x10/0x10
[   25.287106]  ? ktime_get_ts64+0x86/0x230
[   25.287130]  kunit_try_run_case+0x1a5/0x480
[   25.287158]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.287181]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   25.287203]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.287225]  ? __kthread_parkme+0x82/0x180
[   25.287245]  ? preempt_count_sub+0x50/0x80
[   25.287268]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.287304]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.287327]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.287352]  kthread+0x337/0x6f0
[   25.287384]  ? trace_preempt_on+0x20/0xc0
[   25.287405]  ? __pfx_kthread+0x10/0x10
[   25.287426]  ? _raw_spin_unlock_irq+0x47/0x80
[   25.287450]  ? calculate_sigpending+0x7b/0xa0
[   25.287474]  ? __pfx_kthread+0x10/0x10
[   25.287496]  ret_from_fork+0x116/0x1d0
[   25.287516]  ? __pfx_kthread+0x10/0x10
[   25.287536]  ret_from_fork_asm+0x1a/0x30
[   25.287566]  </TASK>
[   25.287579] 
[   25.303533] Allocated by task 308:
[   25.303858]  kasan_save_stack+0x45/0x70
[   25.304189]  kasan_save_track+0x18/0x40
[   25.304805]  kasan_save_alloc_info+0x3b/0x50
[   25.305014]  __kasan_kmalloc+0xb7/0xc0
[   25.305466]  __kmalloc_cache_noprof+0x189/0x420
[   25.305995]  kasan_strings+0xc0/0xe80
[   25.306143]  kunit_try_run_case+0x1a5/0x480
[   25.306357]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.306878]  kthread+0x337/0x6f0
[   25.307316]  ret_from_fork+0x116/0x1d0
[   25.307689]  ret_from_fork_asm+0x1a/0x30
[   25.308093] 
[   25.308305] Freed by task 308:
[   25.308463]  kasan_save_stack+0x45/0x70
[   25.308844]  kasan_save_track+0x18/0x40
[   25.309172]  kasan_save_free_info+0x3f/0x60
[   25.309646]  __kasan_slab_free+0x56/0x70
[   25.309795]  kfree+0x222/0x3f0
[   25.309915]  kasan_strings+0x2aa/0xe80
[   25.310043]  kunit_try_run_case+0x1a5/0x480
[   25.310212]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.310433]  kthread+0x337/0x6f0
[   25.310582]  ret_from_fork+0x116/0x1d0
[   25.310762]  ret_from_fork_asm+0x1a/0x30
[   25.310915] 
[   25.311019] The buggy address belongs to the object at ffff888105a1be40
[   25.311019]  which belongs to the cache kmalloc-32 of size 32
[   25.311586] The buggy address is located 16 bytes inside of
[   25.311586]  freed 32-byte region [ffff888105a1be40, ffff888105a1be60)
[   25.312172] 
[   25.312313] The buggy address belongs to the physical page:
[   25.312490] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a1b
[   25.312827] flags: 0x200000000000000(node=0|zone=2)
[   25.313087] page_type: f5(slab)
[   25.313205] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   25.313677] raw: 0000000000000000 0000000000400040 00000000f5000000 0000000000000000
[   25.314076] page dumped because: kasan: bad access detected
[   25.314441] 
[   25.314535] Memory state around the buggy address:
[   25.314762]  ffff888105a1bd00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   25.315120]  ffff888105a1bd80: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   25.315846] >ffff888105a1be00: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   25.316302]                                                  ^
[   25.316504]  ffff888105a1be80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   25.316859]  ffff888105a1bf00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   25.317311] ==================================================================

[   25.042267] ==================================================================
[   25.042636] BUG: KASAN: slab-use-after-free in kasan_strings+0xcbc/0xe80
[   25.043002] Read of size 1 at addr ffff8881057feed0 by task kunit_try_catch/307
[   25.043329] 
[   25.043428] CPU: 1 UID: 0 PID: 307 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) 
[   25.043493] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.043507] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.043528] Call Trace:
[   25.043541]  <TASK>
[   25.043555]  dump_stack_lvl+0x73/0xb0
[   25.043592]  print_report+0xd1/0x650
[   25.043615]  ? __virt_addr_valid+0x1db/0x2d0
[   25.043637]  ? kasan_strings+0xcbc/0xe80
[   25.043720]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.043752]  ? kasan_strings+0xcbc/0xe80
[   25.043784]  kasan_report+0x141/0x180
[   25.043806]  ? kasan_strings+0xcbc/0xe80
[   25.043831]  __asan_report_load1_noabort+0x18/0x20
[   25.043867]  kasan_strings+0xcbc/0xe80
[   25.043886]  ? trace_hardirqs_on+0x37/0xe0
[   25.043909]  ? __pfx_kasan_strings+0x10/0x10
[   25.043929]  ? finish_task_switch.isra.0+0x153/0x700
[   25.043951]  ? __switch_to+0x47/0xf50
[   25.043977]  ? __schedule+0x10cc/0x2b60
[   25.043999]  ? __pfx_read_tsc+0x10/0x10
[   25.044020]  ? ktime_get_ts64+0x86/0x230
[   25.044045]  kunit_try_run_case+0x1a5/0x480
[   25.044080]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.044103]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   25.044124]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.044158]  ? __kthread_parkme+0x82/0x180
[   25.044178]  ? preempt_count_sub+0x50/0x80
[   25.044201]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.044226]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.044251]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.044276]  kthread+0x337/0x6f0
[   25.044295]  ? trace_preempt_on+0x20/0xc0
[   25.044326]  ? __pfx_kthread+0x10/0x10
[   25.044346]  ? _raw_spin_unlock_irq+0x47/0x80
[   25.044369]  ? calculate_sigpending+0x7b/0xa0
[   25.044393]  ? __pfx_kthread+0x10/0x10
[   25.044413]  ret_from_fork+0x116/0x1d0
[   25.044432]  ? __pfx_kthread+0x10/0x10
[   25.044453]  ret_from_fork_asm+0x1a/0x30
[   25.044504]  </TASK>
[   25.044515] 
[   25.052293] Allocated by task 307:
[   25.052431]  kasan_save_stack+0x45/0x70
[   25.052716]  kasan_save_track+0x18/0x40
[   25.052913]  kasan_save_alloc_info+0x3b/0x50
[   25.053114]  __kasan_kmalloc+0xb7/0xc0
[   25.053292]  __kmalloc_cache_noprof+0x189/0x420
[   25.053514]  kasan_strings+0xc0/0xe80
[   25.053779]  kunit_try_run_case+0x1a5/0x480
[   25.053953]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.054182]  kthread+0x337/0x6f0
[   25.054314]  ret_from_fork+0x116/0x1d0
[   25.054533]  ret_from_fork_asm+0x1a/0x30
[   25.054743] 
[   25.054840] Freed by task 307:
[   25.054974]  kasan_save_stack+0x45/0x70
[   25.055160]  kasan_save_track+0x18/0x40
[   25.055399]  kasan_save_free_info+0x3f/0x60
[   25.055565]  __kasan_slab_free+0x56/0x70
[   25.055754]  kfree+0x222/0x3f0
[   25.055873]  kasan_strings+0x2aa/0xe80
[   25.056062]  kunit_try_run_case+0x1a5/0x480
[   25.056292]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.056577]  kthread+0x337/0x6f0
[   25.056928]  ret_from_fork+0x116/0x1d0
[   25.057125]  ret_from_fork_asm+0x1a/0x30
[   25.057331] 
[   25.057443] The buggy address belongs to the object at ffff8881057feec0
[   25.057443]  which belongs to the cache kmalloc-32 of size 32
[   25.058057] The buggy address is located 16 bytes inside of
[   25.058057]  freed 32-byte region [ffff8881057feec0, ffff8881057feee0)
[   25.058467] 
[   25.058585] The buggy address belongs to the physical page:
[   25.058915] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1057fe
[   25.059290] flags: 0x200000000000000(node=0|zone=2)
[   25.059532] page_type: f5(slab)
[   25.059736] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   25.060107] raw: 0000000000000000 0000000000400040 00000000f5000000 0000000000000000
[   25.060422] page dumped because: kasan: bad access detected
[   25.060657] 
[   25.060824] Memory state around the buggy address:
[   25.061018]  ffff8881057fed80: 00 00 00 fc fc fc fc fc 00 00 00 04 fc fc fc fc
[   25.061341]  ffff8881057fee00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   25.061620] >ffff8881057fee80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   25.062111]                                                  ^
[   25.062382]  ffff8881057fef00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   25.062675]  ffff8881057fef80: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   25.063043] ==================================================================