Date
June 7, 2025, 10:40 a.m.
Environment: qemu-arm64

```
[ 25.576158] ==================================================================
[ 25.576376] BUG: KASAN: slab-use-after-free in strlen+0xa8/0xb0
[ 25.576646] Read of size 1 at addr fff00000c772d090 by task kunit_try_catch/263
[ 25.576883]
[ 25.577047] CPU: 1 UID: 0 PID: 263 Comm: kunit_try_catch Tainted: G B N 6.15.2-rc1 #1 PREEMPT
[ 25.577275] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 25.577353] Hardware name: linux,dummy-virt (DT)
[ 25.577453] Call trace:
[ 25.577520] show_stack+0x20/0x38 (C)
[ 25.577644] dump_stack_lvl+0x8c/0xd0
[ 25.577774] print_report+0x118/0x608
[ 25.577893] kasan_report+0xdc/0x128
[ 25.578011] __asan_report_load1_noabort+0x20/0x30
[ 25.578142] strlen+0xa8/0xb0
[ 25.578256] kasan_strings+0x418/0xb00
[ 25.578979] kunit_try_run_case+0x170/0x3f0
[ 25.579370] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.579832] kthread+0x328/0x630
[ 25.579971] ret_from_fork+0x10/0x20
[ 25.580100]
[ 25.580150] Allocated by task 263:
[ 25.580228] kasan_save_stack+0x3c/0x68
[ 25.580336] kasan_save_track+0x20/0x40
[ 25.580440] kasan_save_alloc_info+0x40/0x58
[ 25.581003] __kasan_kmalloc+0xd4/0xd8
[ 25.581193] __kmalloc_cache_noprof+0x16c/0x3c0
[ 25.581322] kasan_strings+0xc8/0xb00
[ 25.581709] kunit_try_run_case+0x170/0x3f0
[ 25.582057] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.582219] kthread+0x328/0x630
[ 25.582349] ret_from_fork+0x10/0x20
[ 25.582568]
[ 25.582668] Freed by task 263:
[ 25.582879] kasan_save_stack+0x3c/0x68
[ 25.583338] kasan_save_track+0x20/0x40
[ 25.583587] kasan_save_free_info+0x4c/0x78
[ 25.583708] __kasan_slab_free+0x6c/0x98
[ 25.583928] kfree+0x214/0x3c8
[ 25.584037] kasan_strings+0x24c/0xb00
[ 25.584504] kunit_try_run_case+0x170/0x3f0
[ 25.584641] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 25.584844] kthread+0x328/0x630
[ 25.584928] ret_from_fork+0x10/0x20
[ 25.585013]
[ 25.585070] The buggy address belongs to the object at fff00000c772d080
[ 25.585070] which belongs to the cache kmalloc-32 of size 32
[ 25.585231] The buggy address is located 16 bytes inside of
[ 25.585231] freed 32-byte region [fff00000c772d080, fff00000c772d0a0)
[ 25.585395]
[ 25.585463] The buggy address belongs to the physical page:
[ 25.585549] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10772d
[ 25.585689] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 25.585823] page_type: f5(slab)
[ 25.586547] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 25.586845] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 25.586969] page dumped because: kasan: bad access detected
[ 25.587037]
[ 25.587079] Memory state around the buggy address:
[ 25.587599] fff00000c772cf80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 25.587726] fff00000c772d000: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 25.587863] >fff00000c772d080: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 25.588066] ^
[ 25.588153] fff00000c772d100: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 25.588822] fff00000c772d180: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 25.588963] ==================================================================
```

Environment: qemu-x86_64

```
[ 15.908353] ==================================================================
[ 15.908915] BUG: KASAN: slab-use-after-free in strlen+0x8f/0xb0
[ 15.909278] Read of size 1 at addr ffff8881039f3390 by task kunit_try_catch/279
[ 15.909825]
[ 15.909925] CPU: 1 UID: 0 PID: 279 Comm: kunit_try_catch Tainted: G B N 6.15.2-rc1 #1 PREEMPT(voluntary)
[ 15.909990] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.910005] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 15.910030] Call Trace:
[ 15.910056] <TASK>
[ 15.910080] dump_stack_lvl+0x73/0xb0
[ 15.910115] print_report+0xd1/0x650
[ 15.910141] ? __virt_addr_valid+0x1db/0x2d0
[ 15.910165] ? strlen+0x8f/0xb0
[ 15.910183] ? kasan_complete_mode_report_info+0x64/0x200
[ 15.910208] ? strlen+0x8f/0xb0
[ 15.910227] kasan_report+0x141/0x180
[ 15.910251] ? strlen+0x8f/0xb0
[ 15.910274] __asan_report_load1_noabort+0x18/0x20
[ 15.910296] strlen+0x8f/0xb0
[ 15.910316] kasan_strings+0x57b/0xe80
[ 15.910338] ? trace_hardirqs_on+0x37/0xe0
[ 15.910363] ? __pfx_kasan_strings+0x10/0x10
[ 15.910386] ? finish_task_switch.isra.0+0x153/0x700
[ 15.910410] ? __switch_to+0x5d9/0xf60
[ 15.910431] ? dequeue_task_fair+0x166/0x4e0
[ 15.910456] ? __schedule+0x10cc/0x2b30
[ 15.910479] ? __pfx_read_tsc+0x10/0x10
[ 15.910499] ? ktime_get_ts64+0x86/0x230
[ 15.910526] kunit_try_run_case+0x1a5/0x480
[ 15.910556] ? __pfx_kunit_try_run_case+0x10/0x10
[ 15.910600] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 15.910627] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 15.910650] ? __kthread_parkme+0x82/0x180
[ 15.910673] ? preempt_count_sub+0x50/0x80
[ 15.910698] ? __pfx_kunit_try_run_case+0x10/0x10
[ 15.910722] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.910747] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 15.910770] kthread+0x337/0x6f0
[ 15.910788] ? trace_preempt_on+0x20/0xc0
[ 15.910812] ? __pfx_kthread+0x10/0x10
[ 15.910832] ? _raw_spin_unlock_irq+0x47/0x80
[ 15.910854] ? calculate_sigpending+0x7b/0xa0
[ 15.910877] ? __pfx_kthread+0x10/0x10
[ 15.910897] ret_from_fork+0x41/0x80
[ 15.910918] ? __pfx_kthread+0x10/0x10
[ 15.910938] ret_from_fork_asm+0x1a/0x30
[ 15.910970] </TASK>
[ 15.910983]
[ 15.920429] Allocated by task 279:
[ 15.920705] kasan_save_stack+0x45/0x70
[ 15.920951] kasan_save_track+0x18/0x40
[ 15.921266] kasan_save_alloc_info+0x3b/0x50
[ 15.921578] __kasan_kmalloc+0xb7/0xc0
[ 15.922146] __kmalloc_cache_noprof+0x189/0x420
[ 15.922551] kasan_strings+0xc0/0xe80
[ 15.922796] kunit_try_run_case+0x1a5/0x480
[ 15.923049] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.923340] kthread+0x337/0x6f0
[ 15.923536] ret_from_fork+0x41/0x80
[ 15.923872] ret_from_fork_asm+0x1a/0x30
[ 15.924156]
[ 15.924255] Freed by task 279:
[ 15.924420] kasan_save_stack+0x45/0x70
[ 15.924649] kasan_save_track+0x18/0x40
[ 15.924928] kasan_save_free_info+0x3f/0x60
[ 15.925048] __kasan_slab_free+0x56/0x70
[ 15.925255] kfree+0x222/0x3f0
[ 15.925473] kasan_strings+0x2aa/0xe80
[ 15.925675] kunit_try_run_case+0x1a5/0x480
[ 15.925884] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.926070] kthread+0x337/0x6f0
[ 15.926295] ret_from_fork+0x41/0x80
[ 15.926446] ret_from_fork_asm+0x1a/0x30
[ 15.926668]
[ 15.926869] The buggy address belongs to the object at ffff8881039f3380
[ 15.926869] which belongs to the cache kmalloc-32 of size 32
[ 15.927206] The buggy address is located 16 bytes inside of
[ 15.927206] freed 32-byte region [ffff8881039f3380, ffff8881039f33a0)
[ 15.927635]
[ 15.928118] The buggy address belongs to the physical page:
[ 15.928252] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039f3
[ 15.928406] flags: 0x200000000000000(node=0|zone=2)
[ 15.928519] page_type: f5(slab)
[ 15.928874] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 15.929423] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 15.929757] page dumped because: kasan: bad access detected
[ 15.929970]
[ 15.930109] Memory state around the buggy address:
[ 15.930311] ffff8881039f3280: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 15.930445] ffff8881039f3300: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 15.931024] >ffff8881039f3380: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 15.931288] ^
[ 15.931452] ffff8881039f3400: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 15.931637] ffff8881039f3480: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 15.932039] ==================================================================
```