Date
June 17, 2025, 3:39 p.m.
| Environment |
| --- |
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```
[ 94.932640] ==================================================================
[ 94.933646] BUG: KASAN: slab-use-after-free in strnlen+0x3c/0x68
[ 94.934668] Read of size 1 at addr ffff0000c60910d0 by task kunit_try_catch/205
[ 94.937104]
[ 94.937536] CPU: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.6.94-rc1 #1
[ 94.938784] Hardware name: linux,dummy-virt (DT)
[ 94.939433] Call trace:
[ 94.939993]  dump_backtrace+0x9c/0x128
[ 94.940879]  show_stack+0x20/0x38
[ 94.941820]  dump_stack_lvl+0x60/0xb0
[ 94.942618]  print_report+0xf8/0x5e8
[ 94.943672]  kasan_report+0xdc/0x128
[ 94.944492]  __asan_load1+0x60/0x70
[ 94.945271]  strnlen+0x3c/0x68
[ 94.946119]  kasan_strings+0x1a4/0x478
[ 94.947207]  kunit_try_run_case+0x114/0x298
[ 94.948138]  kunit_generic_run_threadfn_adapter+0x38/0x60
[ 94.949250]  kthread+0x18c/0x1a8
[ 94.949988]  ret_from_fork+0x10/0x20
[ 94.950778]
[ 94.951136] Allocated by task 205:
[ 94.951954]  kasan_save_stack+0x3c/0x68
[ 94.952796]  kasan_set_track+0x2c/0x40
[ 94.953757]  kasan_save_alloc_info+0x24/0x38
[ 94.954581]  __kasan_kmalloc+0xd4/0xd8
[ 94.955401]  kmalloc_trace+0x68/0x130
[ 94.956341]  kasan_strings+0xa0/0x478
[ 94.957112]  kunit_try_run_case+0x114/0x298
[ 94.958050]  kunit_generic_run_threadfn_adapter+0x38/0x60
[ 94.959183]  kthread+0x18c/0x1a8
[ 94.960546]  ret_from_fork+0x10/0x20
[ 94.961323]
[ 94.961651] Freed by task 205:
[ 94.962131]  kasan_save_stack+0x3c/0x68
[ 94.962612]  kasan_set_track+0x2c/0x40
[ 94.963678]  kasan_save_free_info+0x38/0x60
[ 94.964542]  __kasan_slab_free+0x100/0x170
[ 94.965460]  __kmem_cache_free+0x178/0x2c8
[ 94.966300]  kfree+0x74/0x138
[ 94.966983]  kasan_strings+0xbc/0x478
[ 94.967758]  kunit_try_run_case+0x114/0x298
[ 94.968812]  kunit_generic_run_threadfn_adapter+0x38/0x60
[ 94.969938]  kthread+0x18c/0x1a8
[ 94.970603]  ret_from_fork+0x10/0x20
[ 94.971481]
[ 94.972167] The buggy address belongs to the object at ffff0000c60910c0
[ 94.972167]  which belongs to the cache kmalloc-32 of size 32
[ 94.973381] The buggy address is located 16 bytes inside of
[ 94.973381]  freed 32-byte region [ffff0000c60910c0, ffff0000c60910e0)
[ 94.975389]
[ 94.975766] The buggy address belongs to the physical page:
[ 94.976505] page:0000000008bc5175 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106091
[ 94.978189] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff)
[ 94.979347] page_type: 0xffffffff()
[ 94.980465] raw: 0bfffc0000000800 ffff0000c0001500 dead000000000122 0000000000000000
[ 94.981779] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 94.982734] page dumped because: kasan: bad access detected
[ 94.983827]
[ 94.984286] Memory state around the buggy address:
[ 94.985143]  ffff0000c6090f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 94.986738]  ffff0000c6091000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 94.988162] >ffff0000c6091080: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 94.989575]                                                  ^
[ 94.990677]  ffff0000c6091100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 94.991978]  ffff0000c6091180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 94.993398] ==================================================================
```
qemu-x86_64:

```
[ 35.693770] ==================================================================
[ 35.694935] BUG: KASAN: slab-use-after-free in strnlen+0x31/0x50
[ 35.695405] Read of size 1 at addr ffff888102869450 by task kunit_try_catch/220
[ 35.696155]
[ 35.696334] CPU: 0 PID: 220 Comm: kunit_try_catch Tainted: G B N 6.6.94-rc1 #1
[ 35.697129] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 35.697818] Call Trace:
[ 35.698038]  <TASK>
[ 35.698205]  dump_stack_lvl+0x4e/0x90
[ 35.699120]  print_report+0xd2/0x650
[ 35.699376]  ? __virt_addr_valid+0x156/0x1e0
[ 35.699622]  ? strnlen+0x31/0x50
[ 35.699817]  ? kasan_complete_mode_report_info+0x64/0x200
[ 35.700678]  ? strnlen+0x31/0x50
[ 35.701294]  kasan_report+0x147/0x180
[ 35.701906]  ? strnlen+0x31/0x50
[ 35.702544]  __asan_load1+0x66/0x70
[ 35.703170]  strnlen+0x31/0x50
[ 35.703850]  kasan_strings+0x21b/0x510
[ 35.704408]  ? __pfx_kasan_strings+0x10/0x10
[ 35.705063]  ? __schedule+0x715/0x11a0
[ 35.705308]  ? ktime_get_ts64+0x118/0x140
[ 35.706072]  kunit_try_run_case+0x120/0x290
[ 35.707021]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 35.707698]  ? __kasan_check_write+0x18/0x20
[ 35.708247]  ? trace_preempt_on+0x20/0xa0
[ 35.708486]  ? __kthread_parkme+0x4f/0xd0
[ 35.709378]  ? preempt_count_sub+0x50/0x80
[ 35.710100]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 35.710918]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 35.711876]  kunit_generic_run_threadfn_adapter+0x33/0x50
[ 35.712396]  kthread+0x19e/0x1e0
[ 35.712623]  ? __pfx_kthread+0x10/0x10
[ 35.712845]  ret_from_fork+0x41/0x70
[ 35.713069]  ? __pfx_kthread+0x10/0x10
[ 35.713288]  ret_from_fork_asm+0x1b/0x30
[ 35.713526]  </TASK>
[ 35.713656]
[ 35.713758] Allocated by task 220:
[ 35.714085]  kasan_save_stack+0x44/0x70
[ 35.714397]  kasan_set_track+0x29/0x40
[ 35.714755]  kasan_save_alloc_info+0x22/0x30
[ 35.715261]  __kasan_kmalloc+0xb7/0xc0
[ 35.715610]  kmalloc_trace+0x4c/0xb0
[ 35.716066]  kasan_strings+0x9f/0x510
[ 35.716412]  kunit_try_run_case+0x120/0x290
[ 35.717691]  kunit_generic_run_threadfn_adapter+0x33/0x50
[ 35.718609]  kthread+0x19e/0x1e0
[ 35.719504]  ret_from_fork+0x41/0x70
[ 35.720192]  ret_from_fork_asm+0x1b/0x30
[ 35.721482]
[ 35.721936] Freed by task 220:
[ 35.722276]  kasan_save_stack+0x44/0x70
[ 35.723026]  kasan_set_track+0x29/0x40
[ 35.723535]  kasan_save_free_info+0x2f/0x50
[ 35.724110]  ____kasan_slab_free+0x172/0x1d0
[ 35.724769]  __kasan_slab_free+0x16/0x20
[ 35.725426]  __kmem_cache_free+0x190/0x310
[ 35.726158]  kfree+0x7c/0x120
[ 35.726594]  kasan_strings+0xc3/0x510
[ 35.727136]  kunit_try_run_case+0x120/0x290
[ 35.727946]  kunit_generic_run_threadfn_adapter+0x33/0x50
[ 35.728706]  kthread+0x19e/0x1e0
[ 35.729269]  ret_from_fork+0x41/0x70
[ 35.729533]  ret_from_fork_asm+0x1b/0x30
[ 35.729831]
[ 35.729979] The buggy address belongs to the object at ffff888102869440
[ 35.729979]  which belongs to the cache kmalloc-32 of size 32
[ 35.730702] The buggy address is located 16 bytes inside of
[ 35.730702]  freed 32-byte region [ffff888102869440, ffff888102869460)
[ 35.731889]
[ 35.732016] The buggy address belongs to the physical page:
[ 35.732499] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102869
[ 35.733051] flags: 0x200000000000800(slab|node=0|zone=2)
[ 35.733518] page_type: 0xffffffff()
[ 35.733750] raw: 0200000000000800 ffff888100041500 dead000000000122 0000000000000000
[ 35.734290] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 35.734817] page dumped because: kasan: bad access detected
[ 35.735132]
[ 35.735256] Memory state around the buggy address:
[ 35.735607]  ffff888102869300: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 35.736076]  ffff888102869380: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 35.736938] >ffff888102869400: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 35.737459]                                                  ^
[ 35.737763]  ffff888102869480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.738234]  ffff888102869500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.738720] ==================================================================
```