Date: July 8, 2025, 7:07 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```
[ 21.630615] ==================================================================
[ 21.630910] BUG: KASAN: slab-use-after-free in strlen+0xa8/0xb0
[ 21.631302] Read of size 1 at addr fff00000c56a2110 by task kunit_try_catch/259
[ 21.631374]
[ 21.631409] CPU: 0 UID: 0 PID: 259 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 21.631722] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.631756] Hardware name: linux,dummy-virt (DT)
[ 21.632125] Call trace:
[ 21.632454]  show_stack+0x20/0x38 (C)
[ 21.632642]  dump_stack_lvl+0x8c/0xd0
[ 21.632895]  print_report+0x118/0x608
[ 21.633083]  kasan_report+0xdc/0x128
[ 21.633242]  __asan_report_load1_noabort+0x20/0x30
[ 21.633355]  strlen+0xa8/0xb0
[ 21.633537]  kasan_strings+0x418/0xb00
[ 21.633860]  kunit_try_run_case+0x170/0x3f0
[ 21.634106]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.634274]  kthread+0x328/0x630
[ 21.634359]  ret_from_fork+0x10/0x20
[ 21.634742]
[ 21.634787] Allocated by task 259:
[ 21.634922]  kasan_save_stack+0x3c/0x68
[ 21.635049]  kasan_save_track+0x20/0x40
[ 21.635327]  kasan_save_alloc_info+0x40/0x58
[ 21.635482]  __kasan_kmalloc+0xd4/0xd8
[ 21.635730]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 21.635837]  kasan_strings+0xc8/0xb00
[ 21.635976]  kunit_try_run_case+0x170/0x3f0
[ 21.636023]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.636069]  kthread+0x328/0x630
[ 21.636107]  ret_from_fork+0x10/0x20
[ 21.636178]
[ 21.636201] Freed by task 259:
[ 21.636243]  kasan_save_stack+0x3c/0x68
[ 21.636284]  kasan_save_track+0x20/0x40
[ 21.636332]  kasan_save_free_info+0x4c/0x78
[ 21.636374]  __kasan_slab_free+0x6c/0x98
[ 21.636421]  kfree+0x214/0x3c8
[ 21.636456]  kasan_strings+0x24c/0xb00
[ 21.636494]  kunit_try_run_case+0x170/0x3f0
[ 21.636533]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.636579]  kthread+0x328/0x630
[ 21.636621]  ret_from_fork+0x10/0x20
[ 21.636657]
[ 21.636678] The buggy address belongs to the object at fff00000c56a2100
[ 21.636678]  which belongs to the cache kmalloc-32 of size 32
[ 21.636750] The buggy address is located 16 bytes inside of
[ 21.636750]  freed 32-byte region [fff00000c56a2100, fff00000c56a2120)
[ 21.636824]
[ 21.636857] The buggy address belongs to the physical page:
[ 21.636889] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1056a2
[ 21.636942] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 21.636992] page_type: f5(slab)
[ 21.637039] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 21.637094] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 21.637148] page dumped because: kasan: bad access detected
[ 21.637190]
[ 21.637209] Memory state around the buggy address:
[ 21.637251]  fff00000c56a2000: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 21.637296]  fff00000c56a2080: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 21.637350] >fff00000c56a2100: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.637389]                          ^
[ 21.637422]  fff00000c56a2180: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 21.637475]  fff00000c56a2200: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 21.637517] ==================================================================
```
qemu-x86_64:

```
[ 14.988356] ==================================================================
[ 14.988722] BUG: KASAN: slab-use-after-free in strlen+0x8f/0xb0
[ 14.988978] Read of size 1 at addr ffff888102b12e50 by task kunit_try_catch/276
[ 14.989300]
[ 14.989387] CPU: 0 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.989430] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.989442] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.989463] Call Trace:
[ 14.989479]  <TASK>
[ 14.989494]  dump_stack_lvl+0x73/0xb0
[ 14.989519]  print_report+0xd1/0x650
[ 14.989540]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.989569]  ? strlen+0x8f/0xb0
[ 14.989586]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.989611]  ? strlen+0x8f/0xb0
[ 14.989628]  kasan_report+0x141/0x180
[ 14.989648]  ? strlen+0x8f/0xb0
[ 14.989670]  __asan_report_load1_noabort+0x18/0x20
[ 14.989693]  strlen+0x8f/0xb0
[ 14.989711]  kasan_strings+0x57b/0xe80
[ 14.989730]  ? trace_hardirqs_on+0x37/0xe0
[ 14.989753]  ? __pfx_kasan_strings+0x10/0x10
[ 14.989772]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.989793]  ? __switch_to+0x47/0xf50
[ 14.989816]  ? __schedule+0x10cc/0x2b60
[ 14.989838]  ? __pfx_read_tsc+0x10/0x10
[ 14.989858]  ? ktime_get_ts64+0x86/0x230
[ 14.989882]  kunit_try_run_case+0x1a5/0x480
[ 14.989904]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.989925]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.989948]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.989970]  ? __kthread_parkme+0x82/0x180
[ 14.989989]  ? preempt_count_sub+0x50/0x80
[ 14.990012]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.990034]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.990068]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.990091]  kthread+0x337/0x6f0
[ 14.990110]  ? trace_preempt_on+0x20/0xc0
[ 14.990131]  ? __pfx_kthread+0x10/0x10
[ 14.990151]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.990172]  ? calculate_sigpending+0x7b/0xa0
[ 14.990195]  ? __pfx_kthread+0x10/0x10
[ 14.990216]  ret_from_fork+0x116/0x1d0
[ 14.990234]  ? __pfx_kthread+0x10/0x10
[ 14.990253]  ret_from_fork_asm+0x1a/0x30
[ 14.990283]  </TASK>
[ 14.990294]
[ 14.999037] Allocated by task 276:
[ 14.999361]  kasan_save_stack+0x45/0x70
[ 14.999924]  kasan_save_track+0x18/0x40
[ 15.000257]  kasan_save_alloc_info+0x3b/0x50
[ 15.000418]  __kasan_kmalloc+0xb7/0xc0
[ 15.000551]  __kmalloc_cache_noprof+0x189/0x420
[ 15.000937]  kasan_strings+0xc0/0xe80
[ 15.001139]  kunit_try_run_case+0x1a5/0x480
[ 15.001346]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.001532]  kthread+0x337/0x6f0
[ 15.001903]  ret_from_fork+0x116/0x1d0
[ 15.002142]  ret_from_fork_asm+0x1a/0x30
[ 15.002310]
[ 15.002406] Freed by task 276:
[ 15.002541]  kasan_save_stack+0x45/0x70
[ 15.002729]  kasan_save_track+0x18/0x40
[ 15.002893]  kasan_save_free_info+0x3f/0x60
[ 15.003055]  __kasan_slab_free+0x56/0x70
[ 15.003192]  kfree+0x222/0x3f0
[ 15.003308]  kasan_strings+0x2aa/0xe80
[ 15.003442]  kunit_try_run_case+0x1a5/0x480
[ 15.003594]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.003844]  kthread+0x337/0x6f0
[ 15.004010]  ret_from_fork+0x116/0x1d0
[ 15.004566]  ret_from_fork_asm+0x1a/0x30
[ 15.004740]
[ 15.004813] The buggy address belongs to the object at ffff888102b12e40
[ 15.004813]  which belongs to the cache kmalloc-32 of size 32
[ 15.005558] The buggy address is located 16 bytes inside of
[ 15.005558]  freed 32-byte region [ffff888102b12e40, ffff888102b12e60)
[ 15.006260]
[ 15.006364] The buggy address belongs to the physical page:
[ 15.006624] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102b12
[ 15.006933] flags: 0x200000000000000(node=0|zone=2)
[ 15.007114] page_type: f5(slab)
[ 15.007236] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 15.007542] raw: 0000000000000000 0000000000400040 00000000f5000000 0000000000000000
[ 15.007879] page dumped because: kasan: bad access detected
[ 15.008492]
[ 15.008616] Memory state around the buggy address:
[ 15.008800]  ffff888102b12d00: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 15.009019]  ffff888102b12d80: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 15.009250] >ffff888102b12e00: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 15.009541]                                                  ^
[ 15.009912]  ffff888102b12e80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 15.010308]  ffff888102b12f00: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 15.010632] ==================================================================
```