lkft/linux-next-master - next-20250626 - log-parser-boot/kasan-bug-kasan-slab-use-after-free-in-strcmp

Date

June 26, 2025, 9:10 a.m.

Environment
dragonboard-845c
qemu-arm64
qemu-x86_64

[   51.999288] ==================================================================
[   52.023450] BUG: KASAN: slab-use-after-free in strcmp+0xc0/0xc8
[   52.029451] Read of size 1 at addr ffff000096c34790 by task kunit_try_catch/345
[   52.036857] 
[   52.038388] CPU: 4 UID: 0 PID: 345 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT 
[   52.038422] Tainted: [B]=BAD_PAGE, [N]=TEST
[   52.038431] Hardware name: Thundercomm Dragonboard 845c (DT)
[   52.038445] Call trace:
[   52.038453]  show_stack+0x20/0x38 (C)
[   52.038474]  dump_stack_lvl+0x8c/0xd0
[   52.038494]  print_report+0x118/0x608
[   52.038513]  kasan_report+0xdc/0x128
[   52.038532]  __asan_report_load1_noabort+0x20/0x30
[   52.038548]  strcmp+0xc0/0xc8
[   52.038562]  kasan_strings+0x340/0xb00
[   52.038578]  kunit_try_run_case+0x170/0x3f0
[   52.038599]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   52.038621]  kthread+0x328/0x630
[   52.038636]  ret_from_fork+0x10/0x20
[   52.038653] 
[   52.106878] Allocated by task 345:
[   52.110332]  kasan_save_stack+0x3c/0x68
[   52.114238]  kasan_save_track+0x20/0x40
[   52.118140]  kasan_save_alloc_info+0x40/0x58
[   52.122474]  __kasan_kmalloc+0xd4/0xd8
[   52.126291]  __kmalloc_cache_noprof+0x16c/0x3c0
[   52.130889]  kasan_strings+0xc8/0xb00
[   52.134616]  kunit_try_run_case+0x170/0x3f0
[   52.138864]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   52.144433]  kthread+0x328/0x630
[   52.147714]  ret_from_fork+0x10/0x20
[   52.151347] 
[   52.152877] Freed by task 345:
[   52.155983]  kasan_save_stack+0x3c/0x68
[   52.159886]  kasan_save_track+0x20/0x40
[   52.163790]  kasan_save_free_info+0x4c/0x78
[   52.168036]  __kasan_slab_free+0x6c/0x98
[   52.172026]  kfree+0x214/0x3c8
[   52.175139]  kasan_strings+0x24c/0xb00
[   52.178951]  kunit_try_run_case+0x170/0x3f0
[   52.183200]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   52.188760]  kthread+0x328/0x630
[   52.192042]  ret_from_fork+0x10/0x20
[   52.195673] 
[   52.197196] The buggy address belongs to the object at ffff000096c34780
[   52.197196]  which belongs to the cache kmalloc-32 of size 32
[   52.209672] The buggy address is located 16 bytes inside of
[   52.209672]  freed 32-byte region [ffff000096c34780, ffff000096c347a0)
[   52.221891] 
[   52.223422] The buggy address belongs to the physical page:
[   52.229061] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x116c34
[   52.237163] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   52.243774] page_type: f5(slab)
[   52.246976] raw: 0bfffe0000000000 ffff000080002780 dead000000000122 0000000000000000
[   52.254816] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   52.262649] page dumped because: kasan: bad access detected
[   52.268298] 
[   52.269820] Memory state around the buggy address:
[   52.274672]  ffff000096c34680: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   52.281987]  ffff000096c34700: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   52.289300] >ffff000096c34780: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   52.296612]                          ^
[   52.300424]  ffff000096c34800: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   52.307738]  ffff000096c34880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   52.315044] ==================================================================

Metadata Full log Test run details

[   29.079585] ==================================================================
[   29.079648] BUG: KASAN: slab-use-after-free in strcmp+0xc0/0xc8
[   29.079986] Read of size 1 at addr fff00000c5770790 by task kunit_try_catch/271
[   29.080110] 
[   29.080231] CPU: 0 UID: 0 PID: 271 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT 
[   29.080347] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.080452] Hardware name: linux,dummy-virt (DT)
[   29.080539] Call trace:
[   29.080614]  show_stack+0x20/0x38 (C)
[   29.080735]  dump_stack_lvl+0x8c/0xd0
[   29.080829]  print_report+0x118/0x608
[   29.080879]  kasan_report+0xdc/0x128
[   29.080927]  __asan_report_load1_noabort+0x20/0x30
[   29.080976]  strcmp+0xc0/0xc8
[   29.081431]  kasan_strings+0x340/0xb00
[   29.081573]  kunit_try_run_case+0x170/0x3f0
[   29.081681]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.081843]  kthread+0x328/0x630
[   29.081986]  ret_from_fork+0x10/0x20
[   29.082191] 
[   29.082242] Allocated by task 271:
[   29.082273]  kasan_save_stack+0x3c/0x68
[   29.082347]  kasan_save_track+0x20/0x40
[   29.082784]  kasan_save_alloc_info+0x40/0x58
[   29.082910]  __kasan_kmalloc+0xd4/0xd8
[   29.083017]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.083166]  kasan_strings+0xc8/0xb00
[   29.083253]  kunit_try_run_case+0x170/0x3f0
[   29.083348]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.083451]  kthread+0x328/0x630
[   29.083486]  ret_from_fork+0x10/0x20
[   29.083551] 
[   29.083738] Freed by task 271:
[   29.083903]  kasan_save_stack+0x3c/0x68
[   29.084158]  kasan_save_track+0x20/0x40
[   29.084244]  kasan_save_free_info+0x4c/0x78
[   29.084306]  __kasan_slab_free+0x6c/0x98
[   29.084375]  kfree+0x214/0x3c8
[   29.084439]  kasan_strings+0x24c/0xb00
[   29.084481]  kunit_try_run_case+0x170/0x3f0
[   29.084523]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.084748]  kthread+0x328/0x630
[   29.084875]  ret_from_fork+0x10/0x20
[   29.084998] 
[   29.085151] The buggy address belongs to the object at fff00000c5770780
[   29.085151]  which belongs to the cache kmalloc-32 of size 32
[   29.085284] The buggy address is located 16 bytes inside of
[   29.085284]  freed 32-byte region [fff00000c5770780, fff00000c57707a0)
[   29.085423] 
[   29.085502] The buggy address belongs to the physical page:
[   29.085570] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105770
[   29.085631] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   29.085689] page_type: f5(slab)
[   29.085750] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   29.085802] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   29.085842] page dumped because: kasan: bad access detected
[   29.085875] 
[   29.085903] Memory state around the buggy address:
[   29.085937]  fff00000c5770680: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   29.085982]  fff00000c5770700: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   29.086038] >fff00000c5770780: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   29.086089]                          ^
[   29.086121]  fff00000c5770800: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   29.086180]  fff00000c5770880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   29.086230] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

2z2V64IZ5mZ4pqTgyDjND4po2p7

job_id

TEST:linaro@lkft#2z2VBWOwNE7tln7ibBWNJtNgCdd

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2z2VBWOwNE7tln7ibBWNJtNgCdd

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2V7USjjUTWqzxtyXvVloPZLjf/Image.gz
sha256sum	42e36f6e4a060d5f9a1060b857a02a69294fe7d2a27b0731adb370bcbc85f1e6

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2V7USjjUTWqzxtyXvVloPZLjf/modules.tar.xz
sha256sum	890b3fa8e09fb90f169b09d75de24714d8b16adf2b500a29a27124602d4970e9

durations

tests

boot	0
kunit	167.09

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

[   24.042875] ==================================================================
[   24.044008] BUG: KASAN: slab-use-after-free in strcmp+0xb0/0xc0
[   24.044371] Read of size 1 at addr ffff888102d5c7d0 by task kunit_try_catch/288
[   24.044671] 
[   24.044790] CPU: 1 UID: 0 PID: 288 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary) 
[   24.044843] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.044855] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.044880] Call Trace:
[   24.044895]  <TASK>
[   24.044914]  dump_stack_lvl+0x73/0xb0
[   24.044943]  print_report+0xd1/0x650
[   24.044966]  ? __virt_addr_valid+0x1db/0x2d0
[   24.044990]  ? strcmp+0xb0/0xc0
[   24.045008]  ? kasan_complete_mode_report_info+0x64/0x200
[   24.045035]  ? strcmp+0xb0/0xc0
[   24.045053]  kasan_report+0x141/0x180
[   24.045075]  ? strcmp+0xb0/0xc0
[   24.045098]  __asan_report_load1_noabort+0x18/0x20
[   24.045121]  strcmp+0xb0/0xc0
[   24.045141]  kasan_strings+0x431/0xe80
[   24.045162]  ? trace_hardirqs_on+0x37/0xe0
[   24.045186]  ? __pfx_kasan_strings+0x10/0x10
[   24.045205]  ? finish_task_switch.isra.0+0x153/0x700
[   24.045237]  ? __switch_to+0x47/0xf50
[   24.045263]  ? __schedule+0x10cc/0x2b60
[   24.045287]  ? __pfx_read_tsc+0x10/0x10
[   24.045309]  ? ktime_get_ts64+0x86/0x230
[   24.045333]  kunit_try_run_case+0x1a5/0x480
[   24.045358]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.045380]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.045405]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.045429]  ? __kthread_parkme+0x82/0x180
[   24.045449]  ? preempt_count_sub+0x50/0x80
[   24.045471]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.045494]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.045517]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.045541]  kthread+0x337/0x6f0
[   24.045560]  ? trace_preempt_on+0x20/0xc0
[   24.045582]  ? __pfx_kthread+0x10/0x10
[   24.045602]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.045625]  ? calculate_sigpending+0x7b/0xa0
[   24.045648]  ? __pfx_kthread+0x10/0x10
[   24.045669]  ret_from_fork+0x116/0x1d0
[   24.045688]  ? __pfx_kthread+0x10/0x10
[   24.045708]  ret_from_fork_asm+0x1a/0x30
[   24.045739]  </TASK>
[   24.045751] 
[   24.055927] Allocated by task 288:
[   24.056113]  kasan_save_stack+0x45/0x70
[   24.056342]  kasan_save_track+0x18/0x40
[   24.056518]  kasan_save_alloc_info+0x3b/0x50
[   24.056706]  __kasan_kmalloc+0xb7/0xc0
[   24.056888]  __kmalloc_cache_noprof+0x189/0x420
[   24.057582]  kasan_strings+0xc0/0xe80
[   24.057753]  kunit_try_run_case+0x1a5/0x480
[   24.058004]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.058432]  kthread+0x337/0x6f0
[   24.058600]  ret_from_fork+0x116/0x1d0
[   24.058778]  ret_from_fork_asm+0x1a/0x30
[   24.059000] 
[   24.059075] Freed by task 288:
[   24.059338]  kasan_save_stack+0x45/0x70
[   24.059510]  kasan_save_track+0x18/0x40
[   24.059675]  kasan_save_free_info+0x3f/0x60
[   24.059933]  __kasan_slab_free+0x56/0x70
[   24.060165]  kfree+0x222/0x3f0
[   24.060297]  kasan_strings+0x2aa/0xe80
[   24.061209]  kunit_try_run_case+0x1a5/0x480
[   24.061396]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.061655]  kthread+0x337/0x6f0
[   24.061807]  ret_from_fork+0x116/0x1d0
[   24.062057]  ret_from_fork_asm+0x1a/0x30
[   24.062193] 
[   24.062298] The buggy address belongs to the object at ffff888102d5c7c0
[   24.062298]  which belongs to the cache kmalloc-32 of size 32
[   24.062898] The buggy address is located 16 bytes inside of
[   24.062898]  freed 32-byte region [ffff888102d5c7c0, ffff888102d5c7e0)
[   24.063571] 
[   24.064052] The buggy address belongs to the physical page:
[   24.064414] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102d5c
[   24.064935] flags: 0x200000000000000(node=0|zone=2)
[   24.065267] page_type: f5(slab)
[   24.065576] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   24.065893] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   24.066304] page dumped because: kasan: bad access detected
[   24.066555] 
[   24.066632] Memory state around the buggy address:
[   24.066852]  ffff888102d5c680: fa fb fb fb fc fc fc fc 00 00 00 04 fc fc fc fc
[   24.067168]  ffff888102d5c700: 00 00 07 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   24.067434] >ffff888102d5c780: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   24.067707]                                                  ^
[   24.067980]  ffff888102d5c800: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   24.068395]  ffff888102d5c880: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   24.068716] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

2z2V64IZ5mZ4pqTgyDjND4po2p7

job_id

TEST:linaro@lkft#2z2VCWzEgPcUDHhhw0N7L6OuTsi

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2z2VCWzEgPcUDHhhw0N7L6OuTsi

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2V8vW6OGUdLnT5KmRzpsRviaL/bzImage
sha256sum	af9e113be0609efaece1c192f6aceee5e71a8c7326695ad181171f155187f3ab

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2V8vW6OGUdLnT5KmRzpsRviaL/modules.tar.xz
sha256sum	eb3bf6ab4822a4ffbb4c6a0a8f2b0db2418a278c2192667f80b6a1aac6efaa14

durations

tests

boot	0
kunit	146.03

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

Metadata

Failure - dragonboard-845c - gcc-13-lkftconfig-kunit

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit