Date
July 3, 2025, 10:10 a.m.
| Environment | |
|---|---|
| dragonboard-845c | |
| qemu-arm64 | |
| qemu-x86_64 |
[ 53.762163] ================================================================== [ 53.769481] BUG: KASAN: slab-use-after-free in strnlen+0x80/0x88 [ 53.775575] Read of size 1 at addr ffff000085584210 by task kunit_try_catch/368 [ 53.782976] [ 53.784509] CPU: 6 UID: 0 PID: 368 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT [ 53.784539] Tainted: [B]=BAD_PAGE, [N]=TEST [ 53.784549] Hardware name: Thundercomm Dragonboard 845c (DT) [ 53.784559] Call trace: [ 53.784565] show_stack+0x20/0x38 (C) [ 53.784583] dump_stack_lvl+0x8c/0xd0 [ 53.784601] print_report+0x118/0x608 [ 53.784620] kasan_report+0xdc/0x128 [ 53.784641] __asan_report_load1_noabort+0x20/0x30 [ 53.784658] strnlen+0x80/0x88 [ 53.784674] kasan_strings+0x478/0xb00 [ 53.784689] kunit_try_run_case+0x170/0x3f0 [ 53.784708] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 53.784729] kthread+0x328/0x630 [ 53.784742] ret_from_fork+0x10/0x20 [ 53.784760] [ 53.853083] Allocated by task 368: [ 53.856536] kasan_save_stack+0x3c/0x68 [ 53.860434] kasan_save_track+0x20/0x40 [ 53.864329] kasan_save_alloc_info+0x40/0x58 [ 53.868665] __kasan_kmalloc+0xd4/0xd8 [ 53.872476] __kmalloc_cache_noprof+0x16c/0x3c0 [ 53.877078] kasan_strings+0xc8/0xb00 [ 53.880807] kunit_try_run_case+0x170/0x3f0 [ 53.885060] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 53.890630] kthread+0x328/0x630 [ 53.893914] ret_from_fork+0x10/0x20 [ 53.897549] [ 53.899082] Freed by task 368: [ 53.902190] kasan_save_stack+0x3c/0x68 [ 53.906095] kasan_save_track+0x20/0x40 [ 53.910002] kasan_save_free_info+0x4c/0x78 [ 53.914254] __kasan_slab_free+0x6c/0x98 [ 53.918250] kfree+0x214/0x3c8 [ 53.921371] kasan_strings+0x24c/0xb00 [ 53.925182] kunit_try_run_case+0x170/0x3f0 [ 53.929436] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 53.935006] kthread+0x328/0x630 [ 53.938292] ret_from_fork+0x10/0x20 [ 53.941925] [ 53.943460] The buggy address belongs to the object at ffff000085584200 [ 53.943460] which belongs to the cache kmalloc-32 of size 32 [ 53.955944] The buggy address is located 16 bytes inside of [ 53.955944] freed 32-byte region [ffff000085584200, ffff000085584220) [ 53.968161] [ 53.969686] The buggy address belongs to the physical page: [ 53.975327] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105584 [ 53.983433] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 53.990052] page_type: f5(slab) [ 53.993250] raw: 0bfffe0000000000 ffff000080002780 dead000000000122 0000000000000000 [ 54.001095] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 54.008936] page dumped because: kasan: bad access detected [ 54.014581] [ 54.016113] Memory state around the buggy address: [ 54.020968] ffff000085584100: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 54.028277] ffff000085584180: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 54.035596] >ffff000085584200: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 54.042908] ^ [ 54.046711] ffff000085584280: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 54.054029] ffff000085584300: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 54.061336] ==================================================================
[ 33.321757] ================================================================== [ 33.322281] BUG: KASAN: slab-use-after-free in strnlen+0x80/0x88 [ 33.322446] Read of size 1 at addr fff00000c5a8ac90 by task kunit_try_catch/291 [ 33.322632] [ 33.322678] CPU: 0 UID: 0 PID: 291 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT [ 33.322773] Tainted: [B]=BAD_PAGE, [N]=TEST [ 33.323083] Hardware name: linux,dummy-virt (DT) [ 33.323336] Call trace: [ 33.323451] show_stack+0x20/0x38 (C) [ 33.323820] dump_stack_lvl+0x8c/0xd0 [ 33.324045] print_report+0x118/0x608 [ 33.324200] kasan_report+0xdc/0x128 [ 33.324254] __asan_report_load1_noabort+0x20/0x30 [ 33.324878] strnlen+0x80/0x88 [ 33.324942] kasan_strings+0x478/0xb00 [ 33.325014] kunit_try_run_case+0x170/0x3f0 [ 33.325065] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.325356] kthread+0x328/0x630 [ 33.325463] ret_from_fork+0x10/0x20 [ 33.325596] [ 33.325753] Allocated by task 291: [ 33.325878] kasan_save_stack+0x3c/0x68 [ 33.325960] kasan_save_track+0x20/0x40 [ 33.326003] kasan_save_alloc_info+0x40/0x58 [ 33.326045] __kasan_kmalloc+0xd4/0xd8 [ 33.326084] __kmalloc_cache_noprof+0x16c/0x3c0 [ 33.326128] kasan_strings+0xc8/0xb00 [ 33.326167] kunit_try_run_case+0x170/0x3f0 [ 33.326208] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.326431] kthread+0x328/0x630 [ 33.326475] ret_from_fork+0x10/0x20 [ 33.326869] [ 33.326895] Freed by task 291: [ 33.327254] kasan_save_stack+0x3c/0x68 [ 33.327403] kasan_save_track+0x20/0x40 [ 33.327447] kasan_save_free_info+0x4c/0x78 [ 33.327488] __kasan_slab_free+0x6c/0x98 [ 33.327531] kfree+0x214/0x3c8 [ 33.327579] kasan_strings+0x24c/0xb00 [ 33.327618] kunit_try_run_case+0x170/0x3f0 [ 33.328098] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 33.328483] kthread+0x328/0x630 [ 33.328522] ret_from_fork+0x10/0x20 [ 33.328563] [ 33.328587] The buggy address belongs to the object at fff00000c5a8ac80 [ 33.328587] which belongs to the cache kmalloc-32 of size 32 [ 33.328969] The buggy address is located 16 bytes inside of [ 33.328969] freed 32-byte region [fff00000c5a8ac80, fff00000c5a8aca0) [ 33.329093] [ 33.329117] The buggy address belongs to the physical page: [ 33.329152] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a8a [ 33.329259] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 33.329490] page_type: f5(slab) [ 33.329630] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 33.329730] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 33.329773] page dumped because: kasan: bad access detected [ 33.329847] [ 33.329879] Memory state around the buggy address: [ 33.329914] fff00000c5a8ab80: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 33.329973] fff00000c5a8ac00: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 33.330074] >fff00000c5a8ac80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 33.330256] ^ [ 33.330291] fff00000c5a8ad00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc [ 33.330335] fff00000c5a8ad80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 33.330426] ==================================================================
[ 25.151086] ================================================================== [ 25.151405] BUG: KASAN: slab-use-after-free in strnlen+0x73/0x80 [ 25.151619] Read of size 1 at addr ffff888105ec6450 by task kunit_try_catch/308 [ 25.151969] [ 25.152073] CPU: 1 UID: 0 PID: 308 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary) [ 25.152119] Tainted: [B]=BAD_PAGE, [N]=TEST [ 25.152132] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 25.152154] Call Trace: [ 25.152170] <TASK> [ 25.152186] dump_stack_lvl+0x73/0xb0 [ 25.152649] print_report+0xd1/0x650 [ 25.152676] ? __virt_addr_valid+0x1db/0x2d0 [ 25.152699] ? strnlen+0x73/0x80 [ 25.152719] ? kasan_complete_mode_report_info+0x64/0x200 [ 25.152745] ? strnlen+0x73/0x80 [ 25.152765] kasan_report+0x141/0x180 [ 25.152789] ? strnlen+0x73/0x80 [ 25.152815] __asan_report_load1_noabort+0x18/0x20 [ 25.152840] strnlen+0x73/0x80 [ 25.152861] kasan_strings+0x615/0xe80 [ 25.152880] ? trace_hardirqs_on+0x37/0xe0 [ 25.152903] ? __pfx_kasan_strings+0x10/0x10 [ 25.152923] ? finish_task_switch.isra.0+0x153/0x700 [ 25.152944] ? __switch_to+0x47/0xf50 [ 25.152970] ? __schedule+0x10cc/0x2b60 [ 25.152995] ? __pfx_read_tsc+0x10/0x10 [ 25.153016] ? ktime_get_ts64+0x86/0x230 [ 25.153041] kunit_try_run_case+0x1a5/0x480 [ 25.153066] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.153088] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 25.153109] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 25.153134] ? __kthread_parkme+0x82/0x180 [ 25.153193] ? preempt_count_sub+0x50/0x80 [ 25.153215] ? __pfx_kunit_try_run_case+0x10/0x10 [ 25.153241] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.153265] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 25.153290] kthread+0x337/0x6f0 [ 25.153309] ? trace_preempt_on+0x20/0xc0 [ 25.153331] ? __pfx_kthread+0x10/0x10 [ 25.153352] ? _raw_spin_unlock_irq+0x47/0x80 [ 25.153374] ? calculate_sigpending+0x7b/0xa0 [ 25.153399] ? __pfx_kthread+0x10/0x10 [ 25.153420] ret_from_fork+0x116/0x1d0 [ 25.153439] ? __pfx_kthread+0x10/0x10 [ 25.153473] ret_from_fork_asm+0x1a/0x30 [ 25.153505] </TASK> [ 25.153515] [ 25.164962] Allocated by task 308: [ 25.165367] kasan_save_stack+0x45/0x70 [ 25.165565] kasan_save_track+0x18/0x40 [ 25.165744] kasan_save_alloc_info+0x3b/0x50 [ 25.165944] __kasan_kmalloc+0xb7/0xc0 [ 25.166116] __kmalloc_cache_noprof+0x189/0x420 [ 25.166705] kasan_strings+0xc0/0xe80 [ 25.166978] kunit_try_run_case+0x1a5/0x480 [ 25.167128] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.167620] kthread+0x337/0x6f0 [ 25.167855] ret_from_fork+0x116/0x1d0 [ 25.168009] ret_from_fork_asm+0x1a/0x30 [ 25.168205] [ 25.168646] Freed by task 308: [ 25.168786] kasan_save_stack+0x45/0x70 [ 25.168974] kasan_save_track+0x18/0x40 [ 25.169240] kasan_save_free_info+0x3f/0x60 [ 25.169704] __kasan_slab_free+0x56/0x70 [ 25.169907] kfree+0x222/0x3f0 [ 25.170043] kasan_strings+0x2aa/0xe80 [ 25.170270] kunit_try_run_case+0x1a5/0x480 [ 25.170470] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 25.170702] kthread+0x337/0x6f0 [ 25.170853] ret_from_fork+0x116/0x1d0 [ 25.171014] ret_from_fork_asm+0x1a/0x30 [ 25.171192] [ 25.171725] The buggy address belongs to the object at ffff888105ec6440 [ 25.171725] which belongs to the cache kmalloc-32 of size 32 [ 25.172340] The buggy address is located 16 bytes inside of [ 25.172340] freed 32-byte region [ffff888105ec6440, ffff888105ec6460) [ 25.172844] [ 25.172929] The buggy address belongs to the physical page: [ 25.173149] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105ec6 [ 25.173858] flags: 0x200000000000000(node=0|zone=2) [ 25.174044] page_type: f5(slab) [ 25.174531] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000 [ 25.174908] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 25.175364] page dumped because: kasan: bad access detected [ 25.175590] [ 25.175686] Memory state around the buggy address: [ 25.176124] ffff888105ec6300: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 25.176617] ffff888105ec6380: 00 00 00 fc fc fc fc fc 00 00 00 04 fc fc fc fc [ 25.176998] >ffff888105ec6400: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 25.177278] ^ [ 25.177626] ffff888105ec6480: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 25.177917] ffff888105ec6500: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc [ 25.178209] ==================================================================