Hay
Date
July 9, 2025, 1:08 p.m.

Environment
qemu-arm64 (first report below, "Hardware name: linux,dummy-virt (DT)")
qemu-x86_64 (second report below, "Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)")

Both reports are raised from the same KUnit test function, kasan_strings, running in a kunit_try_catch thread on a kernel tainted [N]=TEST; the allocation (__kmalloc_cache_noprof), the kfree and the offending 1-byte read all originate inside kasan_strings itself, so this appears to be the deliberate bad access the KASAN self-test performs to exercise the detector rather than a use-after-free in unrelated kernel code.

[   31.637709] ==================================================================
[   31.638091] BUG: KASAN: slab-use-after-free in kasan_strings+0x95c/0xb00
[   31.638287] Read of size 1 at addr fff00000c9c23a10 by task kunit_try_catch/291
[   31.638461] 
[   31.638504] CPU: 1 UID: 0 PID: 291 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250709 #1 PREEMPT 
[   31.638638] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.638670] Hardware name: linux,dummy-virt (DT)
[   31.638701] Call trace:
[   31.638734]  show_stack+0x20/0x38 (C)
[   31.638786]  dump_stack_lvl+0x8c/0xd0
[   31.639080]  print_report+0x118/0x5d0
[   31.639208]  kasan_report+0xdc/0x128
[   31.639283]  __asan_report_load1_noabort+0x20/0x30
[   31.639542]  kasan_strings+0x95c/0xb00
[   31.639733]  kunit_try_run_case+0x170/0x3f0
[   31.639822]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.639905]  kthread+0x328/0x630
[   31.639952]  ret_from_fork+0x10/0x20
[   31.640311] 
[   31.640392] Allocated by task 291:
[   31.640472]  kasan_save_stack+0x3c/0x68
[   31.640569]  kasan_save_track+0x20/0x40
[   31.640613]  kasan_save_alloc_info+0x40/0x58
[   31.640944]  __kasan_kmalloc+0xd4/0xd8
[   31.641031]  __kmalloc_cache_noprof+0x16c/0x3c0
[   31.641185]  kasan_strings+0xc8/0xb00
[   31.641243]  kunit_try_run_case+0x170/0x3f0
[   31.641521]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.641714]  kthread+0x328/0x630
[   31.641817]  ret_from_fork+0x10/0x20
[   31.642066] 
[   31.642120] Freed by task 291:
[   31.642391]  kasan_save_stack+0x3c/0x68
[   31.642445]  kasan_save_track+0x20/0x40
[   31.642497]  kasan_save_free_info+0x4c/0x78
[   31.642538]  __kasan_slab_free+0x6c/0x98
[   31.642581]  kfree+0x214/0x3c8
[   31.642631]  kasan_strings+0x24c/0xb00
[   31.642679]  kunit_try_run_case+0x170/0x3f0
[   31.642730]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.642787]  kthread+0x328/0x630
[   31.642825]  ret_from_fork+0x10/0x20
[   31.642862] 
[   31.642886] The buggy address belongs to the object at fff00000c9c23a00
[   31.642886]  which belongs to the cache kmalloc-32 of size 32
[   31.642947] The buggy address is located 16 bytes inside of
[   31.642947]  freed 32-byte region [fff00000c9c23a00, fff00000c9c23a20)
[   31.643022] 
[   31.643064] The buggy address belongs to the physical page:
[   31.643099] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109c23
[   31.643161] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.643212] page_type: f5(slab)
[   31.643264] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   31.643326] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   31.643385] page dumped because: kasan: bad access detected
[   31.643434] 
[   31.643454] Memory state around the buggy address:
[   31.643489]  fff00000c9c23900: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   31.643534]  fff00000c9c23980: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   31.643580] >fff00000c9c23a00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   31.643663]                          ^
[   31.643707]  fff00000c9c23a80: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   31.643753]  fff00000c9c23b00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   31.643794] ==================================================================

[   26.067560] ==================================================================
[   26.067853] BUG: KASAN: slab-use-after-free in kasan_strings+0xcbc/0xe80
[   26.068222] Read of size 1 at addr ffff88810539c3d0 by task kunit_try_catch/309
[   26.068585] 
[   26.068708] CPU: 1 UID: 0 PID: 309 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc5-next-20250709 #1 PREEMPT(voluntary) 
[   26.068762] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   26.068776] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   26.068812] Call Trace:
[   26.068831]  <TASK>
[   26.068851]  dump_stack_lvl+0x73/0xb0
[   26.068882]  print_report+0xd1/0x610
[   26.068905]  ? __virt_addr_valid+0x1db/0x2d0
[   26.068929]  ? kasan_strings+0xcbc/0xe80
[   26.068949]  ? kasan_complete_mode_report_info+0x64/0x200
[   26.068974]  ? kasan_strings+0xcbc/0xe80
[   26.068996]  kasan_report+0x141/0x180
[   26.069017]  ? kasan_strings+0xcbc/0xe80
[   26.069042]  __asan_report_load1_noabort+0x18/0x20
[   26.069221]  kasan_strings+0xcbc/0xe80
[   26.069246]  ? trace_hardirqs_on+0x37/0xe0
[   26.069271]  ? __pfx_kasan_strings+0x10/0x10
[   26.069291]  ? finish_task_switch.isra.0+0x153/0x700
[   26.069312]  ? __switch_to+0x47/0xf80
[   26.069340]  ? __schedule+0x10cc/0x2b60
[   26.069364]  ? __pfx_read_tsc+0x10/0x10
[   26.069387]  ? ktime_get_ts64+0x86/0x230
[   26.069411]  kunit_try_run_case+0x1a5/0x480
[   26.069434]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.069453]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   26.069477]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.069501]  ? __kthread_parkme+0x82/0x180
[   26.069521]  ? preempt_count_sub+0x50/0x80
[   26.069544]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.069565]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.069589]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.069614]  kthread+0x337/0x6f0
[   26.069633]  ? trace_preempt_on+0x20/0xc0
[   26.069655]  ? __pfx_kthread+0x10/0x10
[   26.069675]  ? _raw_spin_unlock_irq+0x47/0x80
[   26.069713]  ? calculate_sigpending+0x7b/0xa0
[   26.069738]  ? __pfx_kthread+0x10/0x10
[   26.069759]  ret_from_fork+0x116/0x1d0
[   26.069788]  ? __pfx_kthread+0x10/0x10
[   26.069810]  ret_from_fork_asm+0x1a/0x30
[   26.069841]  </TASK>
[   26.069853] 
[   26.077293] Allocated by task 309:
[   26.077475]  kasan_save_stack+0x45/0x70
[   26.077674]  kasan_save_track+0x18/0x40
[   26.078033]  kasan_save_alloc_info+0x3b/0x50
[   26.078253]  __kasan_kmalloc+0xb7/0xc0
[   26.078419]  __kmalloc_cache_noprof+0x189/0x420
[   26.078620]  kasan_strings+0xc0/0xe80
[   26.078772]  kunit_try_run_case+0x1a5/0x480
[   26.079042]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.079269]  kthread+0x337/0x6f0
[   26.079384]  ret_from_fork+0x116/0x1d0
[   26.079512]  ret_from_fork_asm+0x1a/0x30
[   26.079645] 
[   26.079722] Freed by task 309:
[   26.080063]  kasan_save_stack+0x45/0x70
[   26.080265]  kasan_save_track+0x18/0x40
[   26.080457]  kasan_save_free_info+0x3f/0x60
[   26.080660]  __kasan_slab_free+0x56/0x70
[   26.080865]  kfree+0x222/0x3f0
[   26.081172]  kasan_strings+0x2aa/0xe80
[   26.081367]  kunit_try_run_case+0x1a5/0x480
[   26.081572]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.081764]  kthread+0x337/0x6f0
[   26.081879]  ret_from_fork+0x116/0x1d0
[   26.082006]  ret_from_fork_asm+0x1a/0x30
[   26.082141] 
[   26.082230] The buggy address belongs to the object at ffff88810539c3c0
[   26.082230]  which belongs to the cache kmalloc-32 of size 32
[   26.082752] The buggy address is located 16 bytes inside of
[   26.082752]  freed 32-byte region [ffff88810539c3c0, ffff88810539c3e0)
[   26.083109] 
[   26.083256] The buggy address belongs to the physical page:
[   26.083503] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10539c
[   26.083983] flags: 0x200000000000000(node=0|zone=2)
[   26.084184] page_type: f5(slab)
[   26.084331] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   26.084556] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   26.084789] page dumped because: kasan: bad access detected
[   26.085157] 
[   26.085266] Memory state around the buggy address:
[   26.085500]  ffff88810539c280: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   26.085834]  ffff88810539c300: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   26.086160] >ffff88810539c380: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   26.086480]                                                  ^
[   26.086840]  ffff88810539c400: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   26.087123]  ffff88810539c480: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   26.087337] ==================================================================