Date: June 17, 2025, 3:39 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 94.671885] ==================================================================
[ 94.673014] BUG: KASAN: slab-use-after-free in strrchr+0x28/0x58
[ 94.674386] Read of size 1 at addr ffff0000c60910d0 by task kunit_try_catch/205
[ 94.676147]
[ 94.676597] CPU: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.6.94-rc1 #1
[ 94.677725] Hardware name: linux,dummy-virt (DT)
[ 94.678540] Call trace:
[ 94.679051]  dump_backtrace+0x9c/0x128
[ 94.679765]  show_stack+0x20/0x38
[ 94.680808]  dump_stack_lvl+0x60/0xb0
[ 94.681649]  print_report+0xf8/0x5e8
[ 94.682447]  kasan_report+0xdc/0x128
[ 94.683228]  __asan_load1+0x60/0x70
[ 94.684338]  strrchr+0x28/0x58
[ 94.685123]  kasan_strings+0x104/0x478
[ 94.685953]  kunit_try_run_case+0x114/0x298
[ 94.686820]  kunit_generic_run_threadfn_adapter+0x38/0x60
[ 94.688081]  kthread+0x18c/0x1a8
[ 94.688725]  ret_from_fork+0x10/0x20
[ 94.689639]
[ 94.690095] Allocated by task 205:
[ 94.690889]  kasan_save_stack+0x3c/0x68
[ 94.692148]  kasan_set_track+0x2c/0x40
[ 94.693006]  kasan_save_alloc_info+0x24/0x38
[ 94.693887]  __kasan_kmalloc+0xd4/0xd8
[ 94.694758]  kmalloc_trace+0x68/0x130
[ 94.695601]  kasan_strings+0xa0/0x478
[ 94.696537]  kunit_try_run_case+0x114/0x298
[ 94.697668]  kunit_generic_run_threadfn_adapter+0x38/0x60
[ 94.698889]  kthread+0x18c/0x1a8
[ 94.699656]  ret_from_fork+0x10/0x20
[ 94.700561]
[ 94.701026] Freed by task 205:
[ 94.701988]  kasan_save_stack+0x3c/0x68
[ 94.702962]  kasan_set_track+0x2c/0x40
[ 94.703857]  kasan_save_free_info+0x38/0x60
[ 94.704812]  __kasan_slab_free+0x100/0x170
[ 94.705586]  __kmem_cache_free+0x178/0x2c8
[ 94.706889]  kfree+0x74/0x138
[ 94.707647]  kasan_strings+0xbc/0x478
[ 94.708623]  kunit_try_run_case+0x114/0x298
[ 94.709620]  kunit_generic_run_threadfn_adapter+0x38/0x60
[ 94.710678]  kthread+0x18c/0x1a8
[ 94.711636]  ret_from_fork+0x10/0x20
[ 94.712552]
[ 94.713221] The buggy address belongs to the object at ffff0000c60910c0
[ 94.713221]  which belongs to the cache kmalloc-32 of size 32
[ 94.715775] The buggy address is located 16 bytes inside of
[ 94.715775]  freed 32-byte region [ffff0000c60910c0, ffff0000c60910e0)
[ 94.717515]
[ 94.718118] The buggy address belongs to the physical page:
[ 94.718931] page:0000000008bc5175 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106091
[ 94.721511] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff)
[ 94.722629] page_type: 0xffffffff()
[ 94.723396] raw: 0bfffc0000000800 ffff0000c0001500 dead000000000122 0000000000000000
[ 94.724693] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 94.725790] page dumped because: kasan: bad access detected
[ 94.726364]
[ 94.727262] Memory state around the buggy address:
[ 94.728187]  ffff0000c6090f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 94.729959]  ffff0000c6091000: fa fb fb fb fc fc fc fc 00 00 07 fc fc fc fc fc
[ 94.731011] >ffff0000c6091080: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 94.732383]                                                  ^
[ 94.733394]  ffff0000c6091100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 94.734544]  ffff0000c6091180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 94.735731] ==================================================================
```
qemu-x86_64:

```text
[ 35.540119] ==================================================================
[ 35.540929] BUG: KASAN: slab-use-after-free in strrchr+0x1e/0x40
[ 35.541309] Read of size 1 at addr ffff888102869450 by task kunit_try_catch/220
[ 35.542236]
[ 35.542409] CPU: 0 PID: 220 Comm: kunit_try_catch Tainted: G B N 6.6.94-rc1 #1
[ 35.543072] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 35.543826] Call Trace:
[ 35.544169]  <TASK>
[ 35.544341]  dump_stack_lvl+0x4e/0x90
[ 35.544871]  print_report+0xd2/0x650
[ 35.545291]  ? __virt_addr_valid+0x156/0x1e0
[ 35.545703]  ? strrchr+0x1e/0x40
[ 35.545953]  ? kasan_complete_mode_report_info+0x64/0x200
[ 35.546622]  ? strrchr+0x1e/0x40
[ 35.547041]  kasan_report+0x147/0x180
[ 35.547447]  ? strrchr+0x1e/0x40
[ 35.547896]  __asan_load1+0x66/0x70
[ 35.548316]  strrchr+0x1e/0x40
[ 35.548691]  kasan_strings+0x11f/0x510
[ 35.549154]  ? __pfx_kasan_strings+0x10/0x10
[ 35.549654]  ? __schedule+0x715/0x11a0
[ 35.550130]  ? ktime_get_ts64+0x118/0x140
[ 35.550585]  kunit_try_run_case+0x120/0x290
[ 35.550853]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 35.551198]  ? __kasan_check_write+0x18/0x20
[ 35.551997]  ? trace_preempt_on+0x20/0xa0
[ 35.552280]  ? __kthread_parkme+0x4f/0xd0
[ 35.552882]  ? preempt_count_sub+0x50/0x80
[ 35.553322]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 35.553854]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 35.554238]  kunit_generic_run_threadfn_adapter+0x33/0x50
[ 35.554764]  kthread+0x19e/0x1e0
[ 35.555183]  ? __pfx_kthread+0x10/0x10
[ 35.555675]  ret_from_fork+0x41/0x70
[ 35.556148]  ? __pfx_kthread+0x10/0x10
[ 35.556589]  ret_from_fork_asm+0x1b/0x30
[ 35.556977]  </TASK>
[ 35.557394]
[ 35.557510] Allocated by task 220:
[ 35.558009]  kasan_save_stack+0x44/0x70
[ 35.558502]  kasan_set_track+0x29/0x40
[ 35.558935]  kasan_save_alloc_info+0x22/0x30
[ 35.559381]  __kasan_kmalloc+0xb7/0xc0
[ 35.559833]  kmalloc_trace+0x4c/0xb0
[ 35.560259]  kasan_strings+0x9f/0x510
[ 35.560638]  kunit_try_run_case+0x120/0x290
[ 35.560978]  kunit_generic_run_threadfn_adapter+0x33/0x50
[ 35.561353]  kthread+0x19e/0x1e0
[ 35.561884]  ret_from_fork+0x41/0x70
[ 35.562260]  ret_from_fork_asm+0x1b/0x30
[ 35.562702]
[ 35.563072] Freed by task 220:
[ 35.563297]  kasan_save_stack+0x44/0x70
[ 35.563725]  kasan_set_track+0x29/0x40
[ 35.564102]  kasan_save_free_info+0x2f/0x50
[ 35.564361]  ____kasan_slab_free+0x172/0x1d0
[ 35.564605]  __kasan_slab_free+0x16/0x20
[ 35.565105]  __kmem_cache_free+0x190/0x310
[ 35.565615]  kfree+0x7c/0x120
[ 35.565802]  kasan_strings+0xc3/0x510
[ 35.566057]  kunit_try_run_case+0x120/0x290
[ 35.566718]  kunit_generic_run_threadfn_adapter+0x33/0x50
[ 35.567199]  kthread+0x19e/0x1e0
[ 35.567610]  ret_from_fork+0x41/0x70
[ 35.568014]  ret_from_fork_asm+0x1b/0x30
[ 35.568285]
[ 35.568691] The buggy address belongs to the object at ffff888102869440
[ 35.568691]  which belongs to the cache kmalloc-32 of size 32
[ 35.569553] The buggy address is located 16 bytes inside of
[ 35.569553]  freed 32-byte region [ffff888102869440, ffff888102869460)
[ 35.570373]
[ 35.570715] The buggy address belongs to the physical page:
[ 35.571275] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102869
[ 35.571975] flags: 0x200000000000800(slab|node=0|zone=2)
[ 35.572617] page_type: 0xffffffff()
[ 35.573150] raw: 0200000000000800 ffff888100041500 dead000000000122 0000000000000000
[ 35.573696] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 35.574288] page dumped because: kasan: bad access detected
[ 35.574730]
[ 35.574857] Memory state around the buggy address:
[ 35.575128]  ffff888102869300: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 35.575887]  ffff888102869380: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 35.576448] >ffff888102869400: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 35.577056]                                                  ^
[ 35.577623]  ffff888102869480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.578184]  ffff888102869500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.578780] ==================================================================
```