Date
July 5, 2025, 5:09 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```text
[ 20.375107] ==================================================================
[ 20.375166] BUG: KASAN: slab-use-after-free in kasan_strings+0x95c/0xb00
[ 20.375219] Read of size 1 at addr fff00000c77d8490 by task kunit_try_catch/259
[ 20.376072]
[ 20.376148] CPU: 0 UID: 0 PID: 259 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 20.377276] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 20.377307] Hardware name: linux,dummy-virt (DT)
[ 20.377758] Call trace:
[ 20.377912]  show_stack+0x20/0x38 (C)
[ 20.378280]  dump_stack_lvl+0x8c/0xd0
[ 20.378453]  print_report+0x118/0x608
[ 20.379022]  kasan_report+0xdc/0x128
[ 20.379783]  __asan_report_load1_noabort+0x20/0x30
[ 20.380228]  kasan_strings+0x95c/0xb00
[ 20.380279]  kunit_try_run_case+0x170/0x3f0
[ 20.380330]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.381023]  kthread+0x328/0x630
[ 20.381557]  ret_from_fork+0x10/0x20
[ 20.381852]
[ 20.382122] Allocated by task 259:
[ 20.382523]  kasan_save_stack+0x3c/0x68
[ 20.382577]  kasan_save_track+0x20/0x40
[ 20.382616]  kasan_save_alloc_info+0x40/0x58
[ 20.383347]  __kasan_kmalloc+0xd4/0xd8
[ 20.383769]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 20.384206]  kasan_strings+0xc8/0xb00
[ 20.384251]  kunit_try_run_case+0x170/0x3f0
[ 20.384354]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.384662]  kthread+0x328/0x630
[ 20.385166]  ret_from_fork+0x10/0x20
[ 20.385568]
[ 20.385631] Freed by task 259:
[ 20.385684]  kasan_save_stack+0x3c/0x68
[ 20.386140]  kasan_save_track+0x20/0x40
[ 20.386620]  kasan_save_free_info+0x4c/0x78
[ 20.386715]  __kasan_slab_free+0x6c/0x98
[ 20.386969]  kfree+0x214/0x3c8
[ 20.387288]  kasan_strings+0x24c/0xb00
[ 20.387532]  kunit_try_run_case+0x170/0x3f0
[ 20.387579]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.388042]  kthread+0x328/0x630
[ 20.388392]  ret_from_fork+0x10/0x20
[ 20.388680]
[ 20.389030] The buggy address belongs to the object at fff00000c77d8480
[ 20.389030]  which belongs to the cache kmalloc-32 of size 32
[ 20.389914] The buggy address is located 16 bytes inside of
[ 20.389914]  freed 32-byte region [fff00000c77d8480, fff00000c77d84a0)
[ 20.390098]
[ 20.390532] The buggy address belongs to the physical page:
[ 20.390601] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077d8
[ 20.391301] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 20.391450] page_type: f5(slab)
[ 20.391727] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 20.392350] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 20.392962] page dumped because: kasan: bad access detected
[ 20.393068]
[ 20.393411] Memory state around the buggy address:
[ 20.393728]  fff00000c77d8380: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 20.394222]  fff00000c77d8400: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 20.394794] >fff00000c77d8480: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 20.395062]                          ^
[ 20.395101]  fff00000c77d8500: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 20.395573]  fff00000c77d8580: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 20.395621] ==================================================================
```
qemu-x86_64:

```text
[ 13.511571] ==================================================================
[ 13.512073] BUG: KASAN: slab-use-after-free in kasan_strings+0xcbc/0xe80
[ 13.512500] Read of size 1 at addr ffff8881031c3250 by task kunit_try_catch/277
[ 13.512918]
[ 13.513050] CPU: 0 UID: 0 PID: 277 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 13.513094] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.513107] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.513127] Call Trace:
[ 13.513144]  <TASK>
[ 13.513159]  dump_stack_lvl+0x73/0xb0
[ 13.513238]  print_report+0xd1/0x650
[ 13.513266]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.513289]  ? kasan_strings+0xcbc/0xe80
[ 13.513321]  ? kasan_complete_mode_report_info+0x64/0x200
[ 13.513343]  ? kasan_strings+0xcbc/0xe80
[ 13.513364]  kasan_report+0x141/0x180
[ 13.513403]  ? kasan_strings+0xcbc/0xe80
[ 13.513428]  __asan_report_load1_noabort+0x18/0x20
[ 13.513463]  kasan_strings+0xcbc/0xe80
[ 13.513482]  ? trace_hardirqs_on+0x37/0xe0
[ 13.513514]  ? __pfx_kasan_strings+0x10/0x10
[ 13.513534]  ? finish_task_switch.isra.0+0x153/0x700
[ 13.513555]  ? __switch_to+0x47/0xf50
[ 13.513590]  ? __schedule+0x10cc/0x2b60
[ 13.513611]  ? __pfx_read_tsc+0x10/0x10
[ 13.513632]  ? ktime_get_ts64+0x86/0x230
[ 13.513655]  kunit_try_run_case+0x1a5/0x480
[ 13.513679]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.513701]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.513723]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.513745]  ? __kthread_parkme+0x82/0x180
[ 13.513765]  ? preempt_count_sub+0x50/0x80
[ 13.513788]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.513811]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.513833]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.513856]  kthread+0x337/0x6f0
[ 13.513876]  ? trace_preempt_on+0x20/0xc0
[ 13.513898]  ? __pfx_kthread+0x10/0x10
[ 13.513917]  ? _raw_spin_unlock_irq+0x47/0x80
[ 13.513947]  ? calculate_sigpending+0x7b/0xa0
[ 13.513969]  ? __pfx_kthread+0x10/0x10
[ 13.513990]  ret_from_fork+0x116/0x1d0
[ 13.514019]  ? __pfx_kthread+0x10/0x10
[ 13.514039]  ret_from_fork_asm+0x1a/0x30
[ 13.514069]  </TASK>
[ 13.514080]
[ 13.522236] Allocated by task 277:
[ 13.522368]  kasan_save_stack+0x45/0x70
[ 13.522672]  kasan_save_track+0x18/0x40
[ 13.522870]  kasan_save_alloc_info+0x3b/0x50
[ 13.523081]  __kasan_kmalloc+0xb7/0xc0
[ 13.523266]  __kmalloc_cache_noprof+0x189/0x420
[ 13.523497]  kasan_strings+0xc0/0xe80
[ 13.523835]  kunit_try_run_case+0x1a5/0x480
[ 13.524013]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.524429]  kthread+0x337/0x6f0
[ 13.524594]  ret_from_fork+0x116/0x1d0
[ 13.524913]  ret_from_fork_asm+0x1a/0x30
[ 13.525141]
[ 13.525289] Freed by task 277:
[ 13.525471]  kasan_save_stack+0x45/0x70
[ 13.525668]  kasan_save_track+0x18/0x40
[ 13.525854]  kasan_save_free_info+0x3f/0x60
[ 13.526061]  __kasan_slab_free+0x56/0x70
[ 13.526315]  kfree+0x222/0x3f0
[ 13.526501]  kasan_strings+0x2aa/0xe80
[ 13.526679]  kunit_try_run_case+0x1a5/0x480
[ 13.526898]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.527076]  kthread+0x337/0x6f0
[ 13.527199]  ret_from_fork+0x116/0x1d0
[ 13.527332]  ret_from_fork_asm+0x1a/0x30
[ 13.527511]
[ 13.527640] The buggy address belongs to the object at ffff8881031c3240
[ 13.527640]  which belongs to the cache kmalloc-32 of size 32
[ 13.528595] The buggy address is located 16 bytes inside of
[ 13.528595]  freed 32-byte region [ffff8881031c3240, ffff8881031c3260)
[ 13.529533]
[ 13.529638] The buggy address belongs to the physical page:
[ 13.529913] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1031c3
[ 13.530267] flags: 0x200000000000000(node=0|zone=2)
[ 13.530570] page_type: f5(slab)
[ 13.530818] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 13.531129] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 13.531500] page dumped because: kasan: bad access detected
[ 13.531918]
[ 13.532090] Memory state around the buggy address:
[ 13.532405]  ffff8881031c3100: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 13.532683]  ffff8881031c3180: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 13.532986] >ffff8881031c3200: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 13.533618]                                                  ^
[ 13.533829]  ffff8881031c3280: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 13.534199]  ffff8881031c3300: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 13.534678] ==================================================================
```