lkft/linux-next-master - next-20250626 - log-parser-boot/kasan-bug-kasan-slab-use-after-free-in-kasan_strings

Date

June 26, 2025, 9:10 a.m.

Environment
dragonboard-845c
qemu-arm64
qemu-x86_64

[   52.322427] ==================================================================
[   52.329745] BUG: KASAN: slab-use-after-free in kasan_strings+0x95c/0xb00
[   52.336540] Read of size 1 at addr ffff000096c34790 by task kunit_try_catch/345
[   52.343944] 
[   52.345470] CPU: 4 UID: 0 PID: 345 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT 
[   52.345500] Tainted: [B]=BAD_PAGE, [N]=TEST
[   52.345507] Hardware name: Thundercomm Dragonboard 845c (DT)
[   52.345518] Call trace:
[   52.345525]  show_stack+0x20/0x38 (C)
[   52.345543]  dump_stack_lvl+0x8c/0xd0
[   52.345560]  print_report+0x118/0x608
[   52.345578]  kasan_report+0xdc/0x128
[   52.345597]  __asan_report_load1_noabort+0x20/0x30
[   52.345613]  kasan_strings+0x95c/0xb00
[   52.345629]  kunit_try_run_case+0x170/0x3f0
[   52.345645]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   52.345667]  kthread+0x328/0x630
[   52.345680]  ret_from_fork+0x10/0x20
[   52.345696] 
[   52.410920] Allocated by task 345:
[   52.414372]  kasan_save_stack+0x3c/0x68
[   52.418277]  kasan_save_track+0x20/0x40
[   52.422179]  kasan_save_alloc_info+0x40/0x58
[   52.426513]  __kasan_kmalloc+0xd4/0xd8
[   52.430328]  __kmalloc_cache_noprof+0x16c/0x3c0
[   52.434924]  kasan_strings+0xc8/0xb00
[   52.438651]  kunit_try_run_case+0x170/0x3f0
[   52.442898]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   52.448458]  kthread+0x328/0x630
[   52.451740]  ret_from_fork+0x10/0x20
[   52.455372] 
[   52.456903] Freed by task 345:
[   52.460007]  kasan_save_stack+0x3c/0x68
[   52.463909]  kasan_save_track+0x20/0x40
[   52.467812]  kasan_save_free_info+0x4c/0x78
[   52.472058]  __kasan_slab_free+0x6c/0x98
[   52.476047]  kfree+0x214/0x3c8
[   52.479159]  kasan_strings+0x24c/0xb00
[   52.482972]  kunit_try_run_case+0x170/0x3f0
[   52.487221]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   52.492781]  kthread+0x328/0x630
[   52.496062]  ret_from_fork+0x10/0x20
[   52.499702] 
[   52.501225] The buggy address belongs to the object at ffff000096c34780
[   52.501225]  which belongs to the cache kmalloc-32 of size 32
[   52.513702] The buggy address is located 16 bytes inside of
[   52.513702]  freed 32-byte region [ffff000096c34780, ffff000096c347a0)
[   52.525921] 
[   52.527451] The buggy address belongs to the physical page:
[   52.533091] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x116c34
[   52.541188] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   52.547798] page_type: f5(slab)
[   52.550998] raw: 0bfffe0000000000 ffff000080002780 dead000000000122 0000000000000000
[   52.558836] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   52.566671] page dumped because: kasan: bad access detected
[   52.572317] 
[   52.573839] Memory state around the buggy address:
[   52.578690]  ffff000096c34680: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   52.586003]  ffff000096c34700: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   52.593318] >ffff000096c34780: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   52.600629]                          ^
[   52.604438]  ffff000096c34800: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   52.611752]  ffff000096c34880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   52.619058] ==================================================================

Metadata Full log Test run details

[   29.089264] ==================================================================
[   29.089317] BUG: KASAN: slab-use-after-free in kasan_strings+0x95c/0xb00
[   29.089553] Read of size 1 at addr fff00000c5770790 by task kunit_try_catch/271
[   29.089623] 
[   29.089703] CPU: 0 UID: 0 PID: 271 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT 
[   29.089794] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.089822] Hardware name: linux,dummy-virt (DT)
[   29.089967] Call trace:
[   29.090147]  show_stack+0x20/0x38 (C)
[   29.090240]  dump_stack_lvl+0x8c/0xd0
[   29.090292]  print_report+0x118/0x608
[   29.090365]  kasan_report+0xdc/0x128
[   29.090439]  __asan_report_load1_noabort+0x20/0x30
[   29.090514]  kasan_strings+0x95c/0xb00
[   29.090561]  kunit_try_run_case+0x170/0x3f0
[   29.090846]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.090953]  kthread+0x328/0x630
[   29.091026]  ret_from_fork+0x10/0x20
[   29.091089] 
[   29.091376] Allocated by task 271:
[   29.091461]  kasan_save_stack+0x3c/0x68
[   29.091526]  kasan_save_track+0x20/0x40
[   29.091593]  kasan_save_alloc_info+0x40/0x58
[   29.091653]  __kasan_kmalloc+0xd4/0xd8
[   29.091693]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.091734]  kasan_strings+0xc8/0xb00
[   29.091770]  kunit_try_run_case+0x170/0x3f0
[   29.091840]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.091890]  kthread+0x328/0x630
[   29.092080]  ret_from_fork+0x10/0x20
[   29.092229] 
[   29.092306] Freed by task 271:
[   29.092337]  kasan_save_stack+0x3c/0x68
[   29.092377]  kasan_save_track+0x20/0x40
[   29.092417]  kasan_save_free_info+0x4c/0x78
[   29.092755]  __kasan_slab_free+0x6c/0x98
[   29.092870]  kfree+0x214/0x3c8
[   29.092983]  kasan_strings+0x24c/0xb00
[   29.093080]  kunit_try_run_case+0x170/0x3f0
[   29.093121]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.093446]  kthread+0x328/0x630
[   29.093534]  ret_from_fork+0x10/0x20
[   29.093648] 
[   29.093727] The buggy address belongs to the object at fff00000c5770780
[   29.093727]  which belongs to the cache kmalloc-32 of size 32
[   29.093837] The buggy address is located 16 bytes inside of
[   29.093837]  freed 32-byte region [fff00000c5770780, fff00000c57707a0)
[   29.093942] 
[   29.094202] The buggy address belongs to the physical page:
[   29.094256] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105770
[   29.094371] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   29.094424] page_type: f5(slab)
[   29.094462] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   29.094514] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   29.094555] page dumped because: kasan: bad access detected
[   29.094589] 
[   29.095105] Memory state around the buggy address:
[   29.095169]  fff00000c5770680: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   29.095317]  fff00000c5770700: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   29.095428] >fff00000c5770780: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   29.095588]                          ^
[   29.095684]  fff00000c5770800: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   29.095754]  fff00000c5770880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   29.095871] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

2z2V64IZ5mZ4pqTgyDjND4po2p7

job_id

TEST:linaro@lkft#2z2VBWOwNE7tln7ibBWNJtNgCdd

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2z2VBWOwNE7tln7ibBWNJtNgCdd

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2V7USjjUTWqzxtyXvVloPZLjf/Image.gz
sha256sum	42e36f6e4a060d5f9a1060b857a02a69294fe7d2a27b0731adb370bcbc85f1e6

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2V7USjjUTWqzxtyXvVloPZLjf/modules.tar.xz
sha256sum	890b3fa8e09fb90f169b09d75de24714d8b16adf2b500a29a27124602d4970e9

durations

tests

boot	0
kunit	167.09

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

[   24.070250] ==================================================================
[   24.070579] BUG: KASAN: slab-use-after-free in kasan_strings+0xcbc/0xe80
[   24.071281] Read of size 1 at addr ffff888102d5c7d0 by task kunit_try_catch/288
[   24.071658] 
[   24.072402] CPU: 1 UID: 0 PID: 288 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary) 
[   24.072460] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.072474] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.072497] Call Trace:
[   24.072512]  <TASK>
[   24.072532]  dump_stack_lvl+0x73/0xb0
[   24.072565]  print_report+0xd1/0x650
[   24.072589]  ? __virt_addr_valid+0x1db/0x2d0
[   24.072613]  ? kasan_strings+0xcbc/0xe80
[   24.072634]  ? kasan_complete_mode_report_info+0x64/0x200
[   24.072660]  ? kasan_strings+0xcbc/0xe80
[   24.072680]  kasan_report+0x141/0x180
[   24.072701]  ? kasan_strings+0xcbc/0xe80
[   24.072726]  __asan_report_load1_noabort+0x18/0x20
[   24.072750]  kasan_strings+0xcbc/0xe80
[   24.072769]  ? trace_hardirqs_on+0x37/0xe0
[   24.072792]  ? __pfx_kasan_strings+0x10/0x10
[   24.072812]  ? finish_task_switch.isra.0+0x153/0x700
[   24.072834]  ? __switch_to+0x47/0xf50
[   24.072859]  ? __schedule+0x10cc/0x2b60
[   24.072884]  ? __pfx_read_tsc+0x10/0x10
[   24.072906]  ? ktime_get_ts64+0x86/0x230
[   24.072930]  kunit_try_run_case+0x1a5/0x480
[   24.072956]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.072978]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.073003]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.073030]  ? __kthread_parkme+0x82/0x180
[   24.073051]  ? preempt_count_sub+0x50/0x80
[   24.073089]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.073127]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.073151]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.073174]  kthread+0x337/0x6f0
[   24.073193]  ? trace_preempt_on+0x20/0xc0
[   24.073216]  ? __pfx_kthread+0x10/0x10
[   24.073245]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.073269]  ? calculate_sigpending+0x7b/0xa0
[   24.073293]  ? __pfx_kthread+0x10/0x10
[   24.073314]  ret_from_fork+0x116/0x1d0
[   24.073333]  ? __pfx_kthread+0x10/0x10
[   24.073353]  ret_from_fork_asm+0x1a/0x30
[   24.073384]  </TASK>
[   24.073396] 
[   24.084522] Allocated by task 288:
[   24.084889]  kasan_save_stack+0x45/0x70
[   24.085180]  kasan_save_track+0x18/0x40
[   24.085450]  kasan_save_alloc_info+0x3b/0x50
[   24.085614]  __kasan_kmalloc+0xb7/0xc0
[   24.086070]  __kmalloc_cache_noprof+0x189/0x420
[   24.086448]  kasan_strings+0xc0/0xe80
[   24.086623]  kunit_try_run_case+0x1a5/0x480
[   24.087073]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.087338]  kthread+0x337/0x6f0
[   24.087505]  ret_from_fork+0x116/0x1d0
[   24.087649]  ret_from_fork_asm+0x1a/0x30
[   24.087858] 
[   24.087931] Freed by task 288:
[   24.088269]  kasan_save_stack+0x45/0x70
[   24.088420]  kasan_save_track+0x18/0x40
[   24.088549]  kasan_save_free_info+0x3f/0x60
[   24.088749]  __kasan_slab_free+0x56/0x70
[   24.089066]  kfree+0x222/0x3f0
[   24.089253]  kasan_strings+0x2aa/0xe80
[   24.089379]  kunit_try_run_case+0x1a5/0x480
[   24.089661]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.089831]  kthread+0x337/0x6f0
[   24.090036]  ret_from_fork+0x116/0x1d0
[   24.090230]  ret_from_fork_asm+0x1a/0x30
[   24.090427] 
[   24.090517] The buggy address belongs to the object at ffff888102d5c7c0
[   24.090517]  which belongs to the cache kmalloc-32 of size 32
[   24.091014] The buggy address is located 16 bytes inside of
[   24.091014]  freed 32-byte region [ffff888102d5c7c0, ffff888102d5c7e0)
[   24.091708] 
[   24.091870] The buggy address belongs to the physical page:
[   24.092200] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102d5c
[   24.092526] flags: 0x200000000000000(node=0|zone=2)
[   24.092742] page_type: f5(slab)
[   24.092996] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   24.093254] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   24.093476] page dumped because: kasan: bad access detected
[   24.093745] 
[   24.093833] Memory state around the buggy address:
[   24.094282]  ffff888102d5c680: fa fb fb fb fc fc fc fc 00 00 00 04 fc fc fc fc
[   24.094604]  ffff888102d5c700: fa fb fb fb fc fc fc fc 00 00 07 fc fc fc fc fc
[   24.094925] >ffff888102d5c780: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   24.095350]                                                  ^
[   24.095535]  ffff888102d5c800: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   24.096088]  ffff888102d5c880: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   24.096445] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

2z2V64IZ5mZ4pqTgyDjND4po2p7

job_id

TEST:linaro@lkft#2z2VCWzEgPcUDHhhw0N7L6OuTsi

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2z2VCWzEgPcUDHhhw0N7L6OuTsi

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2V8vW6OGUdLnT5KmRzpsRviaL/bzImage
sha256sum	af9e113be0609efaece1c192f6aceee5e71a8c7326695ad181171f155187f3ab

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2V8vW6OGUdLnT5KmRzpsRviaL/modules.tar.xz
sha256sum	eb3bf6ab4822a4ffbb4c6a0a8f2b0db2418a278c2192667f80b6a1aac6efaa14

durations

tests

boot	0
kunit	146.03

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

Metadata

Failure - dragonboard-845c - gcc-13-lkftconfig-kunit

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit