Date: June 7, 2025, 10:40 a.m.
Environment: qemu-arm64

[ 26.113505] ==================================================================
[ 26.118917] BUG: KASAN: slab-use-after-free in strcmp+0xc0/0xc8
[ 26.120374] Read of size 1 at addr fff00000c64bc790 by task kunit_try_catch/248
[ 26.123812]
[ 26.124217] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.14.11-rc1 #1
[ 26.124412] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 26.124482] Hardware name: linux,dummy-virt (DT)
[ 26.124567] Call trace:
[ 26.124639]  show_stack+0x20/0x38 (C)
[ 26.124793]  dump_stack_lvl+0x8c/0xd0
[ 26.124985]  print_report+0x118/0x608
[ 26.125186]  kasan_report+0xdc/0x128
[ 26.125333]  __asan_report_load1_noabort+0x20/0x30
[ 26.125478]  strcmp+0xc0/0xc8
[ 26.125637]  kasan_strings+0x228/0x8d8
[ 26.125734]  kunit_try_run_case+0x170/0x3f0
[ 26.125797]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.125865]  kthread+0x318/0x620
[ 26.125954]  ret_from_fork+0x10/0x20
[ 26.126020]
[ 26.132221] Allocated by task 248:
[ 26.132685]  kasan_save_stack+0x3c/0x68
[ 26.133221]  kasan_save_track+0x20/0x40
[ 26.133760]  kasan_save_alloc_info+0x40/0x58
[ 26.134370]  __kasan_kmalloc+0xd4/0xd8
[ 26.134814]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 26.135451]  kasan_strings+0xb0/0x8d8
[ 26.136426]  kunit_try_run_case+0x170/0x3f0
[ 26.136979]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.137532]  kthread+0x318/0x620
[ 26.138538]  ret_from_fork+0x10/0x20
[ 26.139309]
[ 26.139750] Freed by task 248:
[ 26.140100]  kasan_save_stack+0x3c/0x68
[ 26.140714]  kasan_save_track+0x20/0x40
[ 26.141148]  kasan_save_free_info+0x4c/0x78
[ 26.141707]  __kasan_slab_free+0x6c/0x98
[ 26.142345]  kfree+0x214/0x3c8
[ 26.142795]  kasan_strings+0x124/0x8d8
[ 26.143704]  kunit_try_run_case+0x170/0x3f0
[ 26.144324]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 26.144973]  kthread+0x318/0x620
[ 26.146292]  ret_from_fork+0x10/0x20
[ 26.146767]
[ 26.147103] The buggy address belongs to the object at fff00000c64bc780
[ 26.147103]  which belongs to the cache kmalloc-32 of size 32
[ 26.148242] The buggy address is located 16 bytes inside of
[ 26.148242]  freed 32-byte region [fff00000c64bc780, fff00000c64bc7a0)
[ 26.149730]
[ 26.150063] The buggy address belongs to the physical page:
[ 26.150659] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1064bc
[ 26.151636] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 26.152408] page_type: f5(slab)
[ 26.152894] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 26.154353] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 26.155150] page dumped because: kasan: bad access detected
[ 26.155727]
[ 26.156053] Memory state around the buggy address:
[ 26.156606]  fff00000c64bc680: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 26.157715]  fff00000c64bc700: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 26.158338] >fff00000c64bc780: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 26.159100]                          ^
[ 26.159587]  fff00000c64bc800: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 26.160421]  fff00000c64bc880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 26.161928] ==================================================================

Environment: qemu-x86_64

[ 20.191011] ==================================================================
[ 20.192488] BUG: KASAN: slab-use-after-free in strcmp+0xb0/0xc0
[ 20.193103] Read of size 1 at addr ffff888102bd9550 by task kunit_try_catch/267
[ 20.193735]
[ 20.194224] CPU: 0 UID: 0 PID: 267 Comm: kunit_try_catch Tainted: G B N 6.14.11-rc1 #1
[ 20.194342] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 20.194376] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 20.194424] Call Trace:
[ 20.194456]  <TASK>
[ 20.194499]  dump_stack_lvl+0x73/0xb0
[ 20.194566]  print_report+0xd1/0x650
[ 20.194630]  ? __virt_addr_valid+0x1db/0x2d0
[ 20.194687]  ? strcmp+0xb0/0xc0
[ 20.194732]  ? kasan_complete_mode_report_info+0x64/0x200
[ 20.194788]  ? strcmp+0xb0/0xc0
[ 20.194817]  kasan_report+0x140/0x180
[ 20.194847]  ? strcmp+0xb0/0xc0
[ 20.194901]  __asan_report_load1_noabort+0x18/0x20
[ 20.194934]  strcmp+0xb0/0xc0
[ 20.194960]  kasan_strings+0x2d3/0xb60
[ 20.194986]  ? __pfx_kasan_strings+0x10/0x10
[ 20.195014]  ? __schedule+0xce8/0x2840
[ 20.195045]  ? __pfx_read_tsc+0x10/0x10
[ 20.195073]  ? ktime_get_ts64+0x86/0x230
[ 20.195106]  kunit_try_run_case+0x1a6/0x480
[ 20.195136]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 20.195162]  ? _raw_spin_lock_irqsave+0xa2/0x110
[ 20.195192]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 20.195221]  ? __kthread_parkme+0x82/0x160
[ 20.195249]  ? preempt_count_sub+0x50/0x80
[ 20.195280]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 20.195323]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.195358]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 20.195390]  kthread+0x324/0x6e0
[ 20.195416]  ? trace_preempt_on+0x20/0xc0
[ 20.195447]  ? __pfx_kthread+0x10/0x10
[ 20.195474]  ? _raw_spin_unlock_irq+0x47/0x80
[ 20.195502]  ? calculate_sigpending+0x7b/0xa0
[ 20.195530]  ? __pfx_kthread+0x10/0x10
[ 20.195558]  ret_from_fork+0x41/0x80
[ 20.195582]  ? __pfx_kthread+0x10/0x10
[ 20.195610]  ret_from_fork_asm+0x1a/0x30
[ 20.195649]  </TASK>
[ 20.195664]
[ 20.210128] Allocated by task 267:
[ 20.210494]  kasan_save_stack+0x45/0x70
[ 20.210901]  kasan_save_track+0x18/0x40
[ 20.211230]  kasan_save_alloc_info+0x3b/0x50
[ 20.212045]  __kasan_kmalloc+0xb7/0xc0
[ 20.212322]  __kmalloc_cache_noprof+0x18a/0x420
[ 20.212591]  kasan_strings+0xb9/0xb60
[ 20.212944]  kunit_try_run_case+0x1a6/0x480
[ 20.213367]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.213895]  kthread+0x324/0x6e0
[ 20.214135]  ret_from_fork+0x41/0x80
[ 20.214448]  ret_from_fork_asm+0x1a/0x30
[ 20.215032]
[ 20.215334] Freed by task 267:
[ 20.215735]  kasan_save_stack+0x45/0x70
[ 20.216210]  kasan_save_track+0x18/0x40
[ 20.216690]  kasan_save_free_info+0x3f/0x60
[ 20.217189]  __kasan_slab_free+0x56/0x70
[ 20.217432]  kfree+0x224/0x3f0
[ 20.217841]  kasan_strings+0x13c/0xb60
[ 20.218340]  kunit_try_run_case+0x1a6/0x480
[ 20.218796]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 20.219134]  kthread+0x324/0x6e0
[ 20.219593]  ret_from_fork+0x41/0x80
[ 20.220024]  ret_from_fork_asm+0x1a/0x30
[ 20.220457]
[ 20.220897] The buggy address belongs to the object at ffff888102bd9540
[ 20.220897]  which belongs to the cache kmalloc-32 of size 32
[ 20.221742] The buggy address is located 16 bytes inside of
[ 20.221742]  freed 32-byte region [ffff888102bd9540, ffff888102bd9560)
[ 20.222567]
[ 20.222746] The buggy address belongs to the physical page:
[ 20.223040] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102bd9
[ 20.223951] flags: 0x200000000000000(node=0|zone=2)
[ 20.224933] page_type: f5(slab)
[ 20.225464] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 20.225917] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 20.226504] page dumped because: kasan: bad access detected
[ 20.227088]
[ 20.227493] Memory state around the buggy address:
[ 20.227897]  ffff888102bd9400: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 20.228216]  ffff888102bd9480: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 20.228883] >ffff888102bd9500: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 20.229427]                                                  ^
[ 20.230291]  ffff888102bd9580: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 20.230804]  ffff888102bd9600: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 20.231329] ==================================================================
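Both reports come from the KASAN self-test (the kasan_strings KUnit case; note the [N]=TEST taint and the kasan_strings frames in the allocation, free and access stacks): the test allocates a buffer from kmalloc-32, frees it, and then calls strcmp on it, so the report is the test's intended result, not a bug in strcmp. Reading such a report by hand means checking that three things agree: the faulting address, the "located N bytes inside of" line, and the shadow byte under the caret in the marked (">") row. The script below is an added example, not code from this page or from the kernel tree. It parses those lines from a generic-KASAN slab report and cross-checks them, decoding the shadow byte with the generic-mode poison values from mm/kasan/kasan.h (0xFA/0xFB freed slab object, 0xFC slab redzone, 0x00..0x07 accessible bytes in the granule). It assumes generic KASAN with 8-byte granules (the tag-based modes print no shadow rows like these), and the embedded inputs are excerpts trimmed from the two reports above.

```python
"""Added KASAN-report triage helper, not code from this page or the kernel.
Assumes generic KASAN (one shadow byte per 8-byte granule, shadow values as
defined in mm/kasan/kasan.h); the embedded excerpts are trimmed from the
two reports on this page."""
import re

GRANULE = 8  # generic KASAN: one shadow byte describes 8 bytes of memory

# Shadow byte values of generic KASAN. 0x00 = whole granule accessible,
# 0x01..0x07 = number of leading accessible bytes, the rest are poison marks.
SHADOW_LEGEND = {
    0xFA: "freed slab object (free track stored here)",
    0xFB: "freed slab object",
    0xFC: "slab redzone",
    0xFE: "page redzone",
    0xFF: "freed page",
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF9: "global redzone",
}
# Shadow values that agree with the bug class named in the report header.
EXPECTED_SHADOW = {
    "slab-use-after-free": {0xFA, 0xFB},
    "slab-out-of-bounds": {0xFC} | set(range(1, 8)),
}

_TS = re.compile(r"^\s*\[\s*\d+\.\d+\] ?")  # dmesg timestamp prefix
_HEAD = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\S+)")
_ACCESS = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr "
                     r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
_OBJECT = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)\s+which "
                     r"belongs to the cache (?P<cache>\S+) of size (?P<csize>\d+)")
_REGION = re.compile(r"located (?P<dist>\d+) bytes (?P<where>inside of|to the "
                     r"right of|to the left of)\s+(?P<state>freed |allocated )?"
                     r"(?P<rsize>\d+)-byte region \[(?P<start>[0-9a-f]+), "
                     r"(?P<end>[0-9a-f]+)\)")
_SHADOW = re.compile(r"^>(?P<base>[0-9a-f]+):\s*(?P<bytes>(?:[0-9a-f]{2}\s*)+)$")


def describe_shadow(value):
    """Human-readable meaning of one shadow byte."""
    if value == 0:
        return "all 8 bytes accessible"
    if 1 <= value <= 7:
        return f"first {value} bytes accessible"
    return SHADOW_LEGEND.get(value, f"unknown (0x{value:02x})")


def parse_kasan_report(text):
    """Parse one generic-KASAN slab report and cross-check its own claims."""
    lines = [_TS.sub("", ln) for ln in text.splitlines()]
    body = "\n".join(lines)
    head, access, obj, region = (rx.search(body)
                                 for rx in (_HEAD, _ACCESS, _OBJECT, _REGION))
    shadow = next((m for m in map(_SHADOW.match, lines) if m), None)
    if not all((head, access, obj, region, shadow)):
        raise ValueError("not a complete generic-KASAN slab report")

    addr, base_obj = int(access["addr"], 16), int(obj["obj"], 16)
    start, end = int(region["start"], 16), int(region["end"], 16)
    dist = int(region["dist"])
    # Recompute the address the "located N bytes ..." sentence describes.
    claimed = {"inside of": start + dist, "to the right of": end + dist,
               "to the left of": start - dist}[region["where"]]

    # Select the shadow byte covering addr from the '>' row (16 granules/row).
    row = int(shadow["base"], 16)
    shadow_bytes = [int(b, 16) for b in shadow["bytes"].split()]
    idx = (addr - row) // GRANULE
    shadow_val = shadow_bytes[idx] if 0 <= idx < len(shadow_bytes) else None
    expected = EXPECTED_SHADOW.get(head["bug"])

    return {
        "bug": head["bug"], "func": head["func"], "task": access["task"],
        "kind": access["kind"], "size": int(access["size"]),
        "cache": obj["cache"], "addr": addr, "object": base_obj,
        "offset": addr - base_obj, "region": (start, end),
        "region_state": (region["state"] or "live").strip(),
        "in_region": start <= addr < end,
        "offset_matches_text": claimed == addr,
        "shadow": shadow_val,
        "shadow_meaning": None if shadow_val is None else describe_shadow(shadow_val),
        "shadow_matches_bug": expected is None or shadow_val in expected,
    }


# Excerpts trimmed from the two reports on this page (only the lines needed).
ARM64_REPORT = """\
[ 26.118917] BUG: KASAN: slab-use-after-free in strcmp+0xc0/0xc8
[ 26.120374] Read of size 1 at addr fff00000c64bc790 by task kunit_try_catch/248
[ 26.147103] The buggy address belongs to the object at fff00000c64bc780
[ 26.147103]  which belongs to the cache kmalloc-32 of size 32
[ 26.148242] The buggy address is located 16 bytes inside of
[ 26.148242]  freed 32-byte region [fff00000c64bc780, fff00000c64bc7a0)
[ 26.157715]  fff00000c64bc700: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 26.158338] >fff00000c64bc780: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
"""
X86_REPORT = """\
[ 20.192488] BUG: KASAN: slab-use-after-free in strcmp+0xb0/0xc0
[ 20.193103] Read of size 1 at addr ffff888102bd9550 by task kunit_try_catch/267
[ 20.220897] The buggy address belongs to the object at ffff888102bd9540
[ 20.220897]  which belongs to the cache kmalloc-32 of size 32
[ 20.221742] The buggy address is located 16 bytes inside of
[ 20.221742]  freed 32-byte region [ffff888102bd9540, ffff888102bd9560)
[ 20.228883] >ffff888102bd9500: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
"""

if __name__ == "__main__":
    for name, rep in (("qemu-arm64", ARM64_REPORT), ("qemu-x86_64", X86_REPORT)):
        r = parse_kasan_report(rep)
        ok = r["in_region"] and r["offset_matches_text"] and r["shadow_matches_bug"]
        print(f"{name}: {r['bug']} in {r['func']}, {r['kind'].lower()} at object+"
              f"{r['offset']} of {r['region_state']} {r['cache']}, shadow "
              f"0x{r['shadow']:02x} ({r['shadow_meaning']}), consistent={ok}")
```

For both reports the check comes out consistent: the address is 16 bytes past the object base, inside the freed 32-byte region, and the third shadow byte of the marked row is 0xFB, so the access really hit a freed slab object. On the x86_64 row the preceding granules read 00 00 00 fc, a live neighbour with 24 usable bytes followed by its redzone, which is why the caret lands ten granules in rather than at the start of the row. A shadow byte that disagrees with the header (a 0xFC redzone under a use-after-free claim, say) is the first hint that the report is describing a different object than the one whose stacks were printed.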