Hay
Sign in
Date
July 2, 2025, 11:10 a.m.

Environment
qemu-arm64
qemu-x86_64 

[   33.182056] ==================================================================
[   33.182131] BUG: KASAN: slab-use-after-free in strnlen+0x80/0x88
[   33.182180] Read of size 1 at addr fff00000c993b210 by task kunit_try_catch/292
[   33.182251] 
[   33.182300] CPU: 1 UID: 0 PID: 292 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT 
[   33.182392] Tainted: [B]=BAD_PAGE, [N]=TEST
[   33.182546] Hardware name: linux,dummy-virt (DT)
[   33.182681] Call trace:
[   33.182801]  show_stack+0x20/0x38 (C)
[   33.182880]  dump_stack_lvl+0x8c/0xd0
[   33.182945]  print_report+0x118/0x608
[   33.183013]  kasan_report+0xdc/0x128
[   33.183114]  strnlen+0x80/0x88
[   33.183722] Allocated by task 292:
[   33.183757]  kasan_save_stack+0x3c/0x68
[   33.183803]  kasan_save_track+0x20/0x40
[   33.184560]  ret_from_fork+0x10/0x20
[   33.185567]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.185850] The buggy address belongs to the object at fff00000c993b200
[   33.185850]  which belongs to the cache kmalloc-32 of size 32
[   33.186258] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   33.186731]  fff00000c993b300: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   33.194843]  dump_stack_lvl+0x8c/0xd0
[   33.194907]  print_report+0x118/0x608
[   33.195137]  kasan_report+0xdc/0x128
[   33.195680]  kasan_bitops_generic+0x110/0x1c8
[   33.196864]  kasan_save_alloc_info+0x40/0x58
[   33.197242]  kthread+0x328/0x630
[   33.197890] The buggy address is located 8 bytes inside of
[   33.197890]  allocated 9-byte region [fff00000c8432ec0, fff00000c8432ec9)
[   33.198963] 
[   33.199450] >fff00000c8432e80: fa fb fc fc fa fb fc fc 00 01 fc fc fa fb fc fc
[   33.201252] ==================================================================
Metadata Full log Test run details 

[   25.339903] ==================================================================
[   25.340269] BUG: KASAN: slab-use-after-free in strnlen+0x73/0x80
[   25.340534] Read of size 1 at addr ffff888105a1be50 by task kunit_try_catch/308
[   25.340857] 
[   25.341282] CPU: 0 UID: 0 PID: 308 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) 
[   25.341352] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.341367] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.341392] Call Trace:
[   25.341415]  <TASK>
[   25.341445]  dump_stack_lvl+0x73/0xb0
[   25.341478]  print_report+0xd1/0x650
[   25.341514]  ? __virt_addr_valid+0x1db/0x2d0
[   25.341540]  ? strnlen+0x73/0x80
[   25.341562]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.341590]  ? strnlen+0x73/0x80
[   25.341610]  kasan_report+0x141/0x180
[   25.341641]  ? strnlen+0x73/0x80
[   25.341666]  __asan_report_load1_noabort+0x18/0x20
[   25.341690]  strnlen+0x73/0x80
[   25.341722]  kasan_strings+0x615/0xe80
[   25.341743]  ? trace_hardirqs_on+0x37/0xe0
[   25.341767]  ? __pfx_kasan_strings+0x10/0x10
[   25.341787]  ? finish_task_switch.isra.0+0x153/0x700
[   25.341811]  ? __switch_to+0x47/0xf50
[   25.341843]  ? __schedule+0x10cc/0x2b60
[   25.341865]  ? __pfx_read_tsc+0x10/0x10
[   25.341886]  ? ktime_get_ts64+0x86/0x230
[   25.341910]  kunit_try_run_case+0x1a5/0x480
[   25.341954]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.341977]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   25.342000]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.342022]  ? __kthread_parkme+0x82/0x180
[   25.342042]  ? preempt_count_sub+0x50/0x80
[   25.342082]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.342107]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.342132]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.342226]  kthread+0x337/0x6f0
[   25.342262]  ? trace_preempt_on+0x20/0xc0
[   25.342285]  ? __pfx_kthread+0x10/0x10
[   25.342305]  ? _raw_spin_unlock_irq+0x47/0x80
[   25.342330]  ? calculate_sigpending+0x7b/0xa0
[   25.342354]  ? __pfx_kthread+0x10/0x10
[   25.342375]  ret_from_fork+0x116/0x1d0
[   25.342404]  ? __pfx_kthread+0x10/0x10
[   25.342426]  ret_from_fork_asm+0x1a/0x30
[   25.342467]  </TASK>
[   25.342480] 
[   25.350284] Allocated by task 308:
[   25.350450]  kasan_save_stack+0x45/0x70
[   25.350654]  kasan_save_track+0x18/0x40
[   25.350800]  kasan_save_alloc_info+0x3b/0x50
[   25.351000]  __kasan_kmalloc+0xb7/0xc0
[   25.351194]  __kmalloc_cache_noprof+0x189/0x420
[   25.351391]  kasan_strings+0xc0/0xe80
[   25.351582]  kunit_try_run_case+0x1a5/0x480
[   25.351765]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.352397]  kthread+0x337/0x6f0
[   25.352560]  ret_from_fork+0x116/0x1d0
[   25.352746]  ret_from_fork_asm+0x1a/0x30
[   25.352971] 
[   25.353068] Freed by task 308:
[   25.353265]  kasan_save_stack+0x45/0x70
[   25.353473]  kasan_save_track+0x18/0x40
[   25.353650]  kasan_save_free_info+0x3f/0x60
[   25.353861]  __kasan_slab_free+0x56/0x70
[   25.354021]  kfree+0x222/0x3f0
[   25.354147]  kasan_strings+0x2aa/0xe80
[   25.354330]  kunit_try_run_case+0x1a5/0x480
[   25.354477]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.354722]  kthread+0x337/0x6f0
[   25.354884]  ret_from_fork+0x116/0x1d0
[   25.355105]  ret_from_fork_asm+0x1a/0x30
[   25.355360] 
[   25.355453] The buggy address belongs to the object at ffff888105a1be40
[   25.355453]  which belongs to the cache kmalloc-32 of size 32
[   25.355991] The buggy address is located 16 bytes inside of
[   25.355991]  freed 32-byte region [ffff888105a1be40, ffff888105a1be60)
[   25.357165] 
[   25.357474] The buggy address belongs to the physical page:
[   25.358147] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a1b
[   25.358673] flags: 0x200000000000000(node=0|zone=2)
[   25.358906] page_type: f5(slab)
[   25.359105] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   25.359489] raw: 0000000000000000 0000000000400040 00000000f5000000 0000000000000000
[   25.359815] page dumped because: kasan: bad access detected
[   25.360101] 
[   25.360260] Memory state around the buggy address:
[   25.360437]  ffff888105a1bd00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   25.360734]  ffff888105a1bd80: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   25.361089] >ffff888105a1be00: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   25.361384]                                                  ^
[   25.361867]  ffff888105a1be80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   25.362302]  ffff888105a1bf00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   25.362631] ==================================================================
Metadata Full log Test run details 

[   25.083246] ==================================================================
[   25.083630] BUG: KASAN: slab-use-after-free in strnlen+0x73/0x80
[   25.083939] Read of size 1 at addr ffff8881057feed0 by task kunit_try_catch/307
[   25.084260] 
[   25.084374] CPU: 1 UID: 0 PID: 307 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) 
[   25.084420] Tainted: [B]=BAD_PAGE, [N]=TEST
[   25.084434] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   25.084455] Call Trace:
[   25.084469]  <TASK>
[   25.084828]  dump_stack_lvl+0x73/0xb0
[   25.084871]  print_report+0xd1/0x650
[   25.084893]  ? __virt_addr_valid+0x1db/0x2d0
[   25.084915]  ? strnlen+0x73/0x80
[   25.084947]  ? kasan_complete_mode_report_info+0x64/0x200
[   25.084974]  ? strnlen+0x73/0x80
[   25.085006]  kasan_report+0x141/0x180
[   25.085027]  ? strnlen+0x73/0x80
[   25.085053]  __asan_report_load1_noabort+0x18/0x20
[   25.085088]  strnlen+0x73/0x80
[   25.085110]  kasan_strings+0x615/0xe80
[   25.085129]  ? trace_hardirqs_on+0x37/0xe0
[   25.085152]  ? __pfx_kasan_strings+0x10/0x10
[   25.085172]  ? finish_task_switch.isra.0+0x153/0x700
[   25.085194]  ? __switch_to+0x47/0xf50
[   25.085220]  ? __schedule+0x10cc/0x2b60
[   25.085241]  ? __pfx_read_tsc+0x10/0x10
[   25.085263]  ? ktime_get_ts64+0x86/0x230
[   25.085287]  kunit_try_run_case+0x1a5/0x480
[   25.085321]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.085345]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   25.085367]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   25.085388]  ? __kthread_parkme+0x82/0x180
[   25.085409]  ? preempt_count_sub+0x50/0x80
[   25.085432]  ? __pfx_kunit_try_run_case+0x10/0x10
[   25.085457]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.085499]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   25.085532]  kthread+0x337/0x6f0
[   25.085552]  ? trace_preempt_on+0x20/0xc0
[   25.085640]  ? __pfx_kthread+0x10/0x10
[   25.085678]  ? _raw_spin_unlock_irq+0x47/0x80
[   25.085702]  ? calculate_sigpending+0x7b/0xa0
[   25.085725]  ? __pfx_kthread+0x10/0x10
[   25.085760]  ret_from_fork+0x116/0x1d0
[   25.085780]  ? __pfx_kthread+0x10/0x10
[   25.085801]  ret_from_fork_asm+0x1a/0x30
[   25.085842]  </TASK>
[   25.085853] 
[   25.093066] Allocated by task 307:
[   25.093191]  kasan_save_stack+0x45/0x70
[   25.093408]  kasan_save_track+0x18/0x40
[   25.093617]  kasan_save_alloc_info+0x3b/0x50
[   25.093823]  __kasan_kmalloc+0xb7/0xc0
[   25.094002]  __kmalloc_cache_noprof+0x189/0x420
[   25.094212]  kasan_strings+0xc0/0xe80
[   25.094396]  kunit_try_run_case+0x1a5/0x480
[   25.094563]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.094736]  kthread+0x337/0x6f0
[   25.094851]  ret_from_fork+0x116/0x1d0
[   25.094975]  ret_from_fork_asm+0x1a/0x30
[   25.095151] 
[   25.095239] Freed by task 307:
[   25.095400]  kasan_save_stack+0x45/0x70
[   25.095652]  kasan_save_track+0x18/0x40
[   25.095863]  kasan_save_free_info+0x3f/0x60
[   25.096067]  __kasan_slab_free+0x56/0x70
[   25.096275]  kfree+0x222/0x3f0
[   25.096443]  kasan_strings+0x2aa/0xe80
[   25.096659]  kunit_try_run_case+0x1a5/0x480
[   25.096864]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   25.097065]  kthread+0x337/0x6f0
[   25.097247]  ret_from_fork+0x116/0x1d0
[   25.097435]  ret_from_fork_asm+0x1a/0x30
[   25.097634] 
[   25.097734] The buggy address belongs to the object at ffff8881057feec0
[   25.097734]  which belongs to the cache kmalloc-32 of size 32
[   25.098229] The buggy address is located 16 bytes inside of
[   25.098229]  freed 32-byte region [ffff8881057feec0, ffff8881057feee0)
[   25.098632] 
[   25.098699] The buggy address belongs to the physical page:
[   25.098866] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1057fe
[   25.099099] flags: 0x200000000000000(node=0|zone=2)
[   25.099333] page_type: f5(slab)
[   25.099537] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   25.099929] raw: 0000000000000000 0000000000400040 00000000f5000000 0000000000000000
[   25.100329] page dumped because: kasan: bad access detected
[   25.100603] 
[   25.100691] Memory state around the buggy address:
[   25.100907]  ffff8881057fed80: 00 00 00 fc fc fc fc fc 00 00 00 04 fc fc fc fc
[   25.101215]  ffff8881057fee00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   25.101529] >ffff8881057fee80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   25.101736]                                                  ^
[   25.101913]  ffff8881057fef00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   25.102242]  ffff8881057fef80: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   25.102603] ==================================================================
Metadata Full log Test run details