Date
July 9, 2025, 1:08 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[   31.627459] ==================================================================
[   31.627792] BUG: KASAN: slab-use-after-free in strcmp+0xc0/0xc8
[   31.627952] Read of size 1 at addr fff00000c9c23a10 by task kunit_try_catch/291
[   31.628270]
[   31.628356] CPU: 1 UID: 0 PID: 291 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250709 #1 PREEMPT
[   31.628562] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.628674] Hardware name: linux,dummy-virt (DT)
[   31.628756] Call trace:
[   31.628878]  show_stack+0x20/0x38 (C)
[   31.628975]  dump_stack_lvl+0x8c/0xd0
[   31.629327]  print_report+0x118/0x5d0
[   31.629451]  kasan_report+0xdc/0x128
[   31.629614]  __asan_report_load1_noabort+0x20/0x30
[   31.629760]  strcmp+0xc0/0xc8
[   31.629900]  kasan_strings+0x340/0xb00
[   31.630195]  kunit_try_run_case+0x170/0x3f0
[   31.630418]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.630569]  kthread+0x328/0x630
[   31.630628]  ret_from_fork+0x10/0x20
[   31.630679]
[   31.630700] Allocated by task 291:
[   31.630748]  kasan_save_stack+0x3c/0x68
[   31.630806]  kasan_save_track+0x20/0x40
[   31.630847]  kasan_save_alloc_info+0x40/0x58
[   31.630889]  __kasan_kmalloc+0xd4/0xd8
[   31.630930]  __kmalloc_cache_noprof+0x16c/0x3c0
[   31.630974]  kasan_strings+0xc8/0xb00
[   31.631013]  kunit_try_run_case+0x170/0x3f0
[   31.631066]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.631125]  kthread+0x328/0x630
[   31.631161]  ret_from_fork+0x10/0x20
[   31.631210]
[   31.631245] Freed by task 291:
[   31.631291]  kasan_save_stack+0x3c/0x68
[   31.631343]  kasan_save_track+0x20/0x40
[   31.631385]  kasan_save_free_info+0x4c/0x78
[   31.631426]  __kasan_slab_free+0x6c/0x98
[   31.631477]  kfree+0x214/0x3c8
[   31.631530]  kasan_strings+0x24c/0xb00
[   31.631578]  kunit_try_run_case+0x170/0x3f0
[   31.631620]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.632138]  kthread+0x328/0x630
[   31.632283]  ret_from_fork+0x10/0x20
[   31.632329]
[   31.632367] The buggy address belongs to the object at fff00000c9c23a00
[   31.632367]  which belongs to the cache kmalloc-32 of size 32
[   31.632729] The buggy address is located 16 bytes inside of
[   31.632729]  freed 32-byte region [fff00000c9c23a00, fff00000c9c23a20)
[   31.633401]
[   31.633808] The buggy address belongs to the physical page:
[   31.633864] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109c23
[   31.633939] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.634022] page_type: f5(slab)
[   31.634106] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   31.634446] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   31.634589] page dumped because: kasan: bad access detected
[   31.634715]
[   31.634786] Memory state around the buggy address:
[   31.634878]  fff00000c9c23900: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   31.635177]  fff00000c9c23980: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   31.635345] >fff00000c9c23a00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   31.635421]                          ^
[   31.635615]  fff00000c9c23a80: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   31.635733]  fff00000c9c23b00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   31.636003] ==================================================================
```
qemu-x86_64:

```text
[   26.039566] ==================================================================
[   26.041230] BUG: KASAN: slab-use-after-free in strcmp+0xb0/0xc0
[   26.041439] Read of size 1 at addr ffff88810539c3d0 by task kunit_try_catch/309
[   26.041657]
[   26.041764] CPU: 1 UID: 0 PID: 309 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc5-next-20250709 #1 PREEMPT(voluntary)
[   26.041836] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   26.041850] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   26.041873] Call Trace:
[   26.041888]  <TASK>
[   26.041909]  dump_stack_lvl+0x73/0xb0
[   26.041940]  print_report+0xd1/0x610
[   26.041964]  ? __virt_addr_valid+0x1db/0x2d0
[   26.041988]  ? strcmp+0xb0/0xc0
[   26.042006]  ? kasan_complete_mode_report_info+0x64/0x200
[   26.042033]  ? strcmp+0xb0/0xc0
[   26.042052]  kasan_report+0x141/0x180
[   26.042074]  ? strcmp+0xb0/0xc0
[   26.042096]  __asan_report_load1_noabort+0x18/0x20
[   26.042120]  strcmp+0xb0/0xc0
[   26.042139]  kasan_strings+0x431/0xe80
[   26.042158]  ? trace_hardirqs_on+0x37/0xe0
[   26.042182]  ? __pfx_kasan_strings+0x10/0x10
[   26.042201]  ? finish_task_switch.isra.0+0x153/0x700
[   26.042225]  ? __switch_to+0x47/0xf80
[   26.042253]  ? __schedule+0x10cc/0x2b60
[   26.042277]  ? __pfx_read_tsc+0x10/0x10
[   26.042299]  ? ktime_get_ts64+0x86/0x230
[   26.042324]  kunit_try_run_case+0x1a5/0x480
[   26.042349]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.042369]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   26.042393]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.042416]  ? __kthread_parkme+0x82/0x180
[   26.042438]  ? preempt_count_sub+0x50/0x80
[   26.042460]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.042482]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.042506]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.042531]  kthread+0x337/0x6f0
[   26.042550]  ? trace_preempt_on+0x20/0xc0
[   26.042574]  ? __pfx_kthread+0x10/0x10
[   26.042595]  ? _raw_spin_unlock_irq+0x47/0x80
[   26.042617]  ? calculate_sigpending+0x7b/0xa0
[   26.042641]  ? __pfx_kthread+0x10/0x10
[   26.042664]  ret_from_fork+0x116/0x1d0
[   26.042683]  ? __pfx_kthread+0x10/0x10
[   26.042715]  ret_from_fork_asm+0x1a/0x30
[   26.042746]  </TASK>
[   26.042759]
[   26.052157] Allocated by task 309:
[   26.052471]  kasan_save_stack+0x45/0x70
[   26.052681]  kasan_save_track+0x18/0x40
[   26.053038]  kasan_save_alloc_info+0x3b/0x50
[   26.053367]  __kasan_kmalloc+0xb7/0xc0
[   26.053567]  __kmalloc_cache_noprof+0x189/0x420
[   26.053985]  kasan_strings+0xc0/0xe80
[   26.054227]  kunit_try_run_case+0x1a5/0x480
[   26.054529]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.055000]  kthread+0x337/0x6f0
[   26.055194]  ret_from_fork+0x116/0x1d0
[   26.055378]  ret_from_fork_asm+0x1a/0x30
[   26.055556]
[   26.055644] Freed by task 309:
[   26.056054]  kasan_save_stack+0x45/0x70
[   26.056341]  kasan_save_track+0x18/0x40
[   26.056678]  kasan_save_free_info+0x3f/0x60
[   26.057109]  __kasan_slab_free+0x56/0x70
[   26.057302]  kfree+0x222/0x3f0
[   26.057448]  kasan_strings+0x2aa/0xe80
[   26.057620]  kunit_try_run_case+0x1a5/0x480
[   26.058063]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.058558]  kthread+0x337/0x6f0
[   26.058845]  ret_from_fork+0x116/0x1d0
[   26.059288]  ret_from_fork_asm+0x1a/0x30
[   26.059479]
[   26.059568] The buggy address belongs to the object at ffff88810539c3c0
[   26.059568]  which belongs to the cache kmalloc-32 of size 32
[   26.060475] The buggy address is located 16 bytes inside of
[   26.060475]  freed 32-byte region [ffff88810539c3c0, ffff88810539c3e0)
[   26.061351]
[   26.061460] The buggy address belongs to the physical page:
[   26.061706] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10539c
[   26.062440] flags: 0x200000000000000(node=0|zone=2)
[   26.062833] page_type: f5(slab)
[   26.063336] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   26.063671] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   26.064281] page dumped because: kasan: bad access detected
[   26.064637]
[   26.064751] Memory state around the buggy address:
[   26.065240]  ffff88810539c280: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   26.065538]  ffff88810539c300: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   26.065804] >ffff88810539c380: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   26.066187]                                                  ^
[   26.066412]  ffff88810539c400: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   26.066746]  ffff88810539c480: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   26.067060] ==================================================================
```
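Both reports describe the same event on two architectures: a 1-byte read by `strcmp()` 16 bytes into a freed 32-byte `kmalloc-32` object, allocated and freed by `kasan_strings`, which is the KASAN KUnit self-test case (the `[N]=TEST` taint and the `kunit_try_catch` task confirm the test harness), so the use-after-free is the outcome the test provokes on purpose rather than a regression. The part worth being able to read by hand is the shadow dump at the end, which is the data KASAN derived the summary lines from. The script below is an added example, not kernel or KernelCI code. It parses the "Memory state" rows, decodes them with the generic-KASAN shadow encoding (one shadow byte per 8-byte granule; `0x00` fully addressable, `0x01..0x07` first N bytes addressable, `0xFA`/`0xFB` freed slab object, `0xFC` slab redzone, as the kernel's mm/kasan/kasan.h defines them), recovers the freed object's bounds and the access offset, and cross-checks them against the report's own "located 16 bytes inside of freed 32-byte region" line. The sample text is copied from the two reports on this page; the helper names and the classification labels are mine.

```python
"""Decode the shadow-memory dump of a generic KASAN report.

Added example for the reports above; not kernel or KernelCI code.
Assumed encoding (generic KASAN, mm/kasan/kasan.h): one shadow byte per
8-byte granule, 0x00 fully addressable, 0x01..0x07 first N bytes
addressable, 0xFA/0xFB freed slab object, 0xFC slab redzone.
The sample reports below are excerpts copied from this page.
"""
import re

GRANULE = 8                      # bytes of memory covered by one shadow byte
ROW_GRANULES = 16                # shadow bytes printed per dump row
FREED = {0xFA, 0xFB}             # 0xFA: freed granule holding free meta, 0xFB: other freed granules
REDZONE = 0xFC                   # slab redzone between objects

ROW_RE = re.compile(
    r"^\s*(?:\[\s*[\d.]+\]\s*)?(>?)\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")
ADDR_RE = re.compile(r"at addr ([0-9a-f]+) by task")
REGION_RE = re.compile(
    r"located (\d+) bytes inside of\s*(?:\[\s*[\d.]+\]\s*)?"
    r"freed (\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")

X86_REPORT = """\
[   26.041439] Read of size 1 at addr ffff88810539c3d0 by task kunit_try_catch/309
[   26.060475] The buggy address is located 16 bytes inside of
[   26.060475]  freed 32-byte region [ffff88810539c3c0, ffff88810539c3e0)
[   26.064751] Memory state around the buggy address:
[   26.065240]  ffff88810539c280: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   26.065538]  ffff88810539c300: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   26.065804] >ffff88810539c380: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   26.066187]                                                  ^
[   26.066412]  ffff88810539c400: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   26.066746]  ffff88810539c480: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
"""

ARM64_REPORT = """\
[   31.627952] Read of size 1 at addr fff00000c9c23a10 by task kunit_try_catch/291
[   31.632729] The buggy address is located 16 bytes inside of
[   31.632729]  freed 32-byte region [fff00000c9c23a00, fff00000c9c23a20)
[   31.635345] >fff00000c9c23a00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
"""


def parse_shadow_rows(text):
    """Map each dumped row's base address to its 16 shadow byte values."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[int(m.group(2), 16)] = [int(b, 16) for b in m.group(3).split()]
    return rows


def shadow_at(rows, addr):
    """Shadow byte covering addr, or None when the dump does not include it."""
    for base, row in rows.items():
        if base <= addr < base + ROW_GRANULES * GRANULE:
            return row[(addr - base) // GRANULE]
    return None


def is_addressable(shadow, offset_in_granule):
    """Whether the byte at this offset of a granule with this shadow value is valid."""
    if shadow == 0x00:
        return True
    return 1 <= shadow <= 7 and offset_in_granule < shadow


def freed_region(rows, addr):
    """[start, end) of the freed slab object containing addr, or None."""
    g = addr - addr % GRANULE
    if shadow_at(rows, g) not in FREED:
        return None
    start = g
    # Walk back to the object's first granule: 0xFA when the free meta lives
    # there, otherwise the first granule of the run of 0xFB bytes.
    while shadow_at(rows, start) != 0xFA and shadow_at(rows, start - GRANULE) in FREED:
        start -= GRANULE
    end = g + GRANULE
    while shadow_at(rows, end) == 0xFB:
        end += GRANULE
    return start, end


def classify(rows, addr):
    """Describe the access at addr from the shadow bytes alone."""
    sh = shadow_at(rows, addr)
    if sh is None:
        raise ValueError(f"dump does not cover {addr:#x}")
    if is_addressable(sh, addr % GRANULE):
        return {"kind": "addressable", "shadow": sh}
    if sh in FREED:
        start, end = freed_region(rows, addr)
        return {"kind": "slab-use-after-free", "shadow": sh,
                "region": (start, end), "size": end - start, "offset": addr - start}
    if sh == REDZONE or 1 <= sh <= 7:   # redzone, or past the used part of a partial granule
        return {"kind": "slab-out-of-bounds", "shadow": sh}
    return {"kind": f"shadow {sh:#04x}", "shadow": sh}


def check_report(text):
    """Decode the dump and confirm it agrees with the report's own summary lines."""
    rows = parse_shadow_rows(text)
    addr = int(ADDR_RE.search(text).group(1), 16)
    verdict = classify(rows, addr)
    m = REGION_RE.search(text)
    if m and verdict["kind"] == "slab-use-after-free":
        claimed = (int(m.group(3), 16), int(m.group(4), 16))
        verdict["consistent"] = (verdict["region"] == claimed
                                 and verdict["offset"] == int(m.group(1))
                                 and verdict["size"] == int(m.group(2)))
    return verdict


if __name__ == "__main__":
    for name, report in (("x86_64", X86_REPORT), ("arm64", ARM64_REPORT)):
        print(name, check_report(report))
```

Reading the marked row the same way by eye: each `fa fb fb fb fc fc fc fc` group is one `kmalloc-32` slot, 32 bytes of freed object followed by 32 bytes of redzone, so slots are 64 bytes apart; `00 00 07` on the x86_64 row is a live neighbour with 23 addressable bytes, and a read at its 24th byte would be reported as out-of-bounds rather than use-after-free. The `consistent` flag is the check to run when a report has been mangled in transit (wrapped lines, dropped rows), since the summary and the dump are printed from the same shadow state and must agree.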