Hay
Date
June 17, 2025, 3:39 p.m.

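Environment
qemu-arm64 (first report below; Hardware name: linux,dummy-virt)
qemu-x86_64 (second report below; Hardware name: QEMU Standard PC)

Note: in both reports the allocation, the kfree and the faulting strcmp read all occur inside kasan_strings, running under kunit_try_run_case in task kunit_try_catch. The use-after-free is therefore raised from within the KUnit test case itself, not from another kernel code path.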

[   94.738178] ==================================================================
[   94.739040] BUG: KASAN: slab-use-after-free in strcmp+0x2c/0x78
[   94.740123] Read of size 1 at addr ffff0000c60910d0 by task kunit_try_catch/205
[   94.741505] 
[   94.741977] CPU: 0 PID: 205 Comm: kunit_try_catch Tainted: G    B            N 6.6.94-rc1 #1
[   94.743277] Hardware name: linux,dummy-virt (DT)
[   94.744095] Call trace:
[   94.744862]  dump_backtrace+0x9c/0x128
[   94.745606]  show_stack+0x20/0x38
[   94.746329]  dump_stack_lvl+0x60/0xb0
[   94.748385]  print_report+0xf8/0x5e8
[   94.749236]  kasan_report+0xdc/0x128
[   94.750030]  __asan_load1+0x60/0x70
[   94.750848]  strcmp+0x2c/0x78
[   94.751964]  kasan_strings+0x12c/0x478
[   94.752683]  kunit_try_run_case+0x114/0x298
[   94.753588]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   94.754582]  kthread+0x18c/0x1a8
[   94.755276]  ret_from_fork+0x10/0x20
[   94.756135] 
[   94.756525] Allocated by task 205:
[   94.757186]  kasan_save_stack+0x3c/0x68
[   94.758878]  kasan_set_track+0x2c/0x40
[   94.759724]  kasan_save_alloc_info+0x24/0x38
[   94.760571]  __kasan_kmalloc+0xd4/0xd8
[   94.761690]  kmalloc_trace+0x68/0x130
[   94.762431]  kasan_strings+0xa0/0x478
[   94.763167]  kunit_try_run_case+0x114/0x298
[   94.764102]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   94.765139]  kthread+0x18c/0x1a8
[   94.766427]  ret_from_fork+0x10/0x20
[   94.767586] 
[   94.767960] Freed by task 205:
[   94.768639]  kasan_save_stack+0x3c/0x68
[   94.769544]  kasan_set_track+0x2c/0x40
[   94.770302]  kasan_save_free_info+0x38/0x60
[   94.771113]  __kasan_slab_free+0x100/0x170
[   94.771994]  __kmem_cache_free+0x178/0x2c8
[   94.773871]  kfree+0x74/0x138
[   94.774574]  kasan_strings+0xbc/0x478
[   94.775942]  kunit_try_run_case+0x114/0x298
[   94.776889]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   94.778026]  kthread+0x18c/0x1a8
[   94.778743]  ret_from_fork+0x10/0x20
[   94.779354] 
[   94.780085] The buggy address belongs to the object at ffff0000c60910c0
[   94.780085]  which belongs to the cache kmalloc-32 of size 32
[   94.781953] The buggy address is located 16 bytes inside of
[   94.781953]  freed 32-byte region [ffff0000c60910c0, ffff0000c60910e0)
[   94.783810] 
[   94.784243] The buggy address belongs to the physical page:
[   94.785103] page:0000000008bc5175 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106091
[   94.786541] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff)
[   94.787657] page_type: 0xffffffff()
[   94.789239] raw: 0bfffc0000000800 ffff0000c0001500 dead000000000122 0000000000000000
[   94.790691] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[   94.792778] page dumped because: kasan: bad access detected
[   94.794008] 
[   94.794385] Memory state around the buggy address:
[   94.796795]  ffff0000c6090f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   94.799272]  ffff0000c6091000: fa fb fb fb fc fc fc fc 00 00 07 fc fc fc fc fc
[   94.801191] >ffff0000c6091080: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   94.803531]                                                  ^
[   94.805388]  ffff0000c6091100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   94.807057]  ffff0000c6091180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   94.807987] ==================================================================


[   35.580140] ==================================================================
[   35.580627] BUG: KASAN: slab-use-after-free in strcmp+0x26/0x60
[   35.581182] Read of size 1 at addr ffff888102869450 by task kunit_try_catch/220
[   35.582036] 
[   35.582419] CPU: 0 PID: 220 Comm: kunit_try_catch Tainted: G    B            N 6.6.94-rc1 #1
[   35.582944] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   35.583622] Call Trace:
[   35.583974]  <TASK>
[   35.584262]  dump_stack_lvl+0x4e/0x90
[   35.584676]  print_report+0xd2/0x650
[   35.584910]  ? __virt_addr_valid+0x156/0x1e0
[   35.585470]  ? strcmp+0x26/0x60
[   35.585712]  ? kasan_complete_mode_report_info+0x64/0x200
[   35.586200]  ? strcmp+0x26/0x60
[   35.586458]  kasan_report+0x147/0x180
[   35.587038]  ? strcmp+0x26/0x60
[   35.587411]  __asan_load1+0x66/0x70
[   35.587809]  strcmp+0x26/0x60
[   35.588185]  kasan_strings+0x161/0x510
[   35.588640]  ? __pfx_kasan_strings+0x10/0x10
[   35.589061]  ? __schedule+0x715/0x11a0
[   35.589308]  ? ktime_get_ts64+0x118/0x140
[   35.589596]  kunit_try_run_case+0x120/0x290
[   35.589840]  ? __pfx_kunit_try_run_case+0x10/0x10
[   35.590550]  ? __kasan_check_write+0x18/0x20
[   35.591032]  ? trace_preempt_on+0x20/0xa0
[   35.591488]  ? __kthread_parkme+0x4f/0xd0
[   35.591968]  ? preempt_count_sub+0x50/0x80
[   35.592404]  ? __pfx_kunit_try_run_case+0x10/0x10
[   35.592915]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   35.593434]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   35.593945]  kthread+0x19e/0x1e0
[   35.594183]  ? __pfx_kthread+0x10/0x10
[   35.594607]  ret_from_fork+0x41/0x70
[   35.594823]  ? __pfx_kthread+0x10/0x10
[   35.595122]  ret_from_fork_asm+0x1b/0x30
[   35.595745]  </TASK>
[   35.596054] 
[   35.596292] Allocated by task 220:
[   35.596614]  kasan_save_stack+0x44/0x70
[   35.597021]  kasan_set_track+0x29/0x40
[   35.597406]  kasan_save_alloc_info+0x22/0x30
[   35.597853]  __kasan_kmalloc+0xb7/0xc0
[   35.598233]  kmalloc_trace+0x4c/0xb0
[   35.598628]  kasan_strings+0x9f/0x510
[   35.599014]  kunit_try_run_case+0x120/0x290
[   35.599456]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   35.599833]  kthread+0x19e/0x1e0
[   35.600112]  ret_from_fork+0x41/0x70
[   35.600606]  ret_from_fork_asm+0x1b/0x30
[   35.601083] 
[   35.601324] Freed by task 220:
[   35.601557]  kasan_save_stack+0x44/0x70
[   35.602028]  kasan_set_track+0x29/0x40
[   35.602259]  kasan_save_free_info+0x2f/0x50
[   35.602508]  ____kasan_slab_free+0x172/0x1d0
[   35.603014]  __kasan_slab_free+0x16/0x20
[   35.603406]  __kmem_cache_free+0x190/0x310
[   35.603851]  kfree+0x7c/0x120
[   35.604199]  kasan_strings+0xc3/0x510
[   35.604596]  kunit_try_run_case+0x120/0x290
[   35.605039]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   35.605515]  kthread+0x19e/0x1e0
[   35.605906]  ret_from_fork+0x41/0x70
[   35.606282]  ret_from_fork_asm+0x1b/0x30
[   35.606666] 
[   35.606935] The buggy address belongs to the object at ffff888102869440
[   35.606935]  which belongs to the cache kmalloc-32 of size 32
[   35.607967] The buggy address is located 16 bytes inside of
[   35.607967]  freed 32-byte region [ffff888102869440, ffff888102869460)
[   35.608945] 
[   35.609270] The buggy address belongs to the physical page:
[   35.609657] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102869
[   35.610494] flags: 0x200000000000800(slab|node=0|zone=2)
[   35.611001] page_type: 0xffffffff()
[   35.611390] raw: 0200000000000800 ffff888100041500 dead000000000122 0000000000000000
[   35.612128] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[   35.612727] page dumped because: kasan: bad access detected
[   35.613178] 
[   35.613306] Memory state around the buggy address:
[   35.613799]  ffff888102869300: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   35.614373]  ffff888102869380: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   35.614928] >ffff888102869400: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   35.615557]                                                  ^
[   35.616239]  ffff888102869480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.616816]  ffff888102869500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.617385] ==================================================================