Hay
Date
June 26, 2025, 9:10 a.m.

Environment
dragonboard-845c
qemu-arm64
qemu-x86_64

[   52.626420] ==================================================================
[   52.633736] BUG: KASAN: slab-use-after-free in strlen+0xa8/0xb0
[   52.639740] Read of size 1 at addr ffff000096c34790 by task kunit_try_catch/345
[   52.647148] 
[   52.648681] CPU: 4 UID: 0 PID: 345 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT 
[   52.648710] Tainted: [B]=BAD_PAGE, [N]=TEST
[   52.648719] Hardware name: Thundercomm Dragonboard 845c (DT)
[   52.648730] Call trace:
[   52.648735]  show_stack+0x20/0x38 (C)
[   52.648753]  dump_stack_lvl+0x8c/0xd0
[   52.648772]  print_report+0x118/0x608
[   52.648790]  kasan_report+0xdc/0x128
[   52.648808]  __asan_report_load1_noabort+0x20/0x30
[   52.648825]  strlen+0xa8/0xb0
[   52.648839]  kasan_strings+0x418/0xb00
[   52.648854]  kunit_try_run_case+0x170/0x3f0
[   52.648873]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   52.648893]  kthread+0x328/0x630
[   52.648907]  ret_from_fork+0x10/0x20
[   52.648923] 
[   52.717157] Allocated by task 345:
[   52.720609]  kasan_save_stack+0x3c/0x68
[   52.724514]  kasan_save_track+0x20/0x40
[   52.728417]  kasan_save_alloc_info+0x40/0x58
[   52.732751]  __kasan_kmalloc+0xd4/0xd8
[   52.736567]  __kmalloc_cache_noprof+0x16c/0x3c0
[   52.741164]  kasan_strings+0xc8/0xb00
[   52.744891]  kunit_try_run_case+0x170/0x3f0
[   52.749140]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   52.754704]  kthread+0x328/0x630
[   52.757985]  ret_from_fork+0x10/0x20
[   52.761625] 
[   52.763147] Freed by task 345:
[   52.766250]  kasan_save_stack+0x3c/0x68
[   52.770154]  kasan_save_track+0x20/0x40
[   52.774056]  kasan_save_free_info+0x4c/0x78
[   52.778302]  __kasan_slab_free+0x6c/0x98
[   52.782294]  kfree+0x214/0x3c8
[   52.785402]  kasan_strings+0x24c/0xb00
[   52.789215]  kunit_try_run_case+0x170/0x3f0
[   52.793464]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   52.799028]  kthread+0x328/0x630
[   52.802309]  ret_from_fork+0x10/0x20
[   52.805939] 
[   52.807469] The buggy address belongs to the object at ffff000096c34780
[   52.807469]  which belongs to the cache kmalloc-32 of size 32
[   52.819942] The buggy address is located 16 bytes inside of
[   52.819942]  freed 32-byte region [ffff000096c34780, ffff000096c347a0)
[   52.832162] 
[   52.833685] The buggy address belongs to the physical page:
[   52.839325] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x116c34
[   52.847420] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   52.854034] page_type: f5(slab)
[   52.857230] raw: 0bfffe0000000000 ffff000080002780 dead000000000122 0000000000000000
[   52.865070] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   52.872905] page dumped because: kasan: bad access detected
[   52.878547] 
[   52.880074] Memory state around the buggy address:
[   52.884926]  ffff000096c34680: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   52.892241]  ffff000096c34700: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   52.899556] >ffff000096c34780: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   52.906861]                          ^
[   52.910670]  ffff000096c34800: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   52.917984]  ffff000096c34880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   52.925293] ==================================================================

[   29.096831] ==================================================================
[   29.097162] BUG: KASAN: slab-use-after-free in strlen+0xa8/0xb0
[   29.097303] Read of size 1 at addr fff00000c5770790 by task kunit_try_catch/271
[   29.097399] 
[   29.097506] CPU: 0 UID: 0 PID: 271 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT 
[   29.097628] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.097675] Hardware name: linux,dummy-virt (DT)
[   29.097710] Call trace:
[   29.097732]  show_stack+0x20/0x38 (C)
[   29.097946]  dump_stack_lvl+0x8c/0xd0
[   29.098043]  print_report+0x118/0x608
[   29.098200]  kasan_report+0xdc/0x128
[   29.098267]  __asan_report_load1_noabort+0x20/0x30
[   29.098321]  strlen+0xa8/0xb0
[   29.098363]  kasan_strings+0x418/0xb00
[   29.098411]  kunit_try_run_case+0x170/0x3f0
[   29.098642]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.098846]  kthread+0x328/0x630
[   29.098906]  ret_from_fork+0x10/0x20
[   29.098959] 
[   29.099018] Allocated by task 271:
[   29.099052]  kasan_save_stack+0x3c/0x68
[   29.099127]  kasan_save_track+0x20/0x40
[   29.099168]  kasan_save_alloc_info+0x40/0x58
[   29.099206]  __kasan_kmalloc+0xd4/0xd8
[   29.099254]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.099296]  kasan_strings+0xc8/0xb00
[   29.099333]  kunit_try_run_case+0x170/0x3f0
[   29.099382]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.099428]  kthread+0x328/0x630
[   29.099462]  ret_from_fork+0x10/0x20
[   29.099500] 
[   29.099528] Freed by task 271:
[   29.099557]  kasan_save_stack+0x3c/0x68
[   29.099598]  kasan_save_track+0x20/0x40
[   29.099635]  kasan_save_free_info+0x4c/0x78
[   29.099672]  __kasan_slab_free+0x6c/0x98
[   29.099722]  kfree+0x214/0x3c8
[   29.099756]  kasan_strings+0x24c/0xb00
[   29.099823]  kunit_try_run_case+0x170/0x3f0
[   29.099867]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.100163]  kthread+0x328/0x630
[   29.100443]  ret_from_fork+0x10/0x20
[   29.100620] 
[   29.100678] The buggy address belongs to the object at fff00000c5770780
[   29.100678]  which belongs to the cache kmalloc-32 of size 32
[   29.100894] The buggy address is located 16 bytes inside of
[   29.100894]  freed 32-byte region [fff00000c5770780, fff00000c57707a0)
[   29.101115] 
[   29.101183] The buggy address belongs to the physical page:
[   29.101287] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105770
[   29.101412] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   29.101562] page_type: f5(slab)
[   29.101646] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   29.101749] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   29.101848] page dumped because: kasan: bad access detected
[   29.101975] 
[   29.102093] Memory state around the buggy address:
[   29.102344]  fff00000c5770680: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   29.102501]  fff00000c5770700: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   29.102597] >fff00000c5770780: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   29.102712]                          ^
[   29.102899]  fff00000c5770800: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   29.102986]  fff00000c5770880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   29.103026] ==================================================================

[   24.097202] ==================================================================
[   24.097613] BUG: KASAN: slab-use-after-free in strlen+0x8f/0xb0
[   24.097921] Read of size 1 at addr ffff888102d5c7d0 by task kunit_try_catch/288
[   24.098285] 
[   24.098375] CPU: 1 UID: 0 PID: 288 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary) 
[   24.098424] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.098435] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.098457] Call Trace:
[   24.098470]  <TASK>
[   24.098487]  dump_stack_lvl+0x73/0xb0
[   24.098524]  print_report+0xd1/0x650
[   24.098573]  ? __virt_addr_valid+0x1db/0x2d0
[   24.098598]  ? strlen+0x8f/0xb0
[   24.098618]  ? kasan_complete_mode_report_info+0x64/0x200
[   24.098643]  ? strlen+0x8f/0xb0
[   24.098663]  kasan_report+0x141/0x180
[   24.098684]  ? strlen+0x8f/0xb0
[   24.098707]  __asan_report_load1_noabort+0x18/0x20
[   24.098732]  strlen+0x8f/0xb0
[   24.098752]  kasan_strings+0x57b/0xe80
[   24.098772]  ? trace_hardirqs_on+0x37/0xe0
[   24.098795]  ? __pfx_kasan_strings+0x10/0x10
[   24.098851]  ? finish_task_switch.isra.0+0x153/0x700
[   24.098874]  ? __switch_to+0x47/0xf50
[   24.098899]  ? __schedule+0x10cc/0x2b60
[   24.098924]  ? __pfx_read_tsc+0x10/0x10
[   24.098997]  ? ktime_get_ts64+0x86/0x230
[   24.099021]  kunit_try_run_case+0x1a5/0x480
[   24.099054]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.099076]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.099100]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.099125]  ? __kthread_parkme+0x82/0x180
[   24.099146]  ? preempt_count_sub+0x50/0x80
[   24.099168]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.099191]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.099214]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.099249]  kthread+0x337/0x6f0
[   24.099267]  ? trace_preempt_on+0x20/0xc0
[   24.099289]  ? __pfx_kthread+0x10/0x10
[   24.099332]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.099355]  ? calculate_sigpending+0x7b/0xa0
[   24.099378]  ? __pfx_kthread+0x10/0x10
[   24.099399]  ret_from_fork+0x116/0x1d0
[   24.099418]  ? __pfx_kthread+0x10/0x10
[   24.099438]  ret_from_fork_asm+0x1a/0x30
[   24.099468]  </TASK>
[   24.099497] 
[   24.108109] Allocated by task 288:
[   24.108351]  kasan_save_stack+0x45/0x70
[   24.108546]  kasan_save_track+0x18/0x40
[   24.108684]  kasan_save_alloc_info+0x3b/0x50
[   24.108976]  __kasan_kmalloc+0xb7/0xc0
[   24.109269]  __kmalloc_cache_noprof+0x189/0x420
[   24.109507]  kasan_strings+0xc0/0xe80
[   24.109697]  kunit_try_run_case+0x1a5/0x480
[   24.109839]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.110008]  kthread+0x337/0x6f0
[   24.110122]  ret_from_fork+0x116/0x1d0
[   24.110317]  ret_from_fork_asm+0x1a/0x30
[   24.110508] 
[   24.110680] Freed by task 288:
[   24.110902]  kasan_save_stack+0x45/0x70
[   24.111124]  kasan_save_track+0x18/0x40
[   24.111262]  kasan_save_free_info+0x3f/0x60
[   24.111402]  __kasan_slab_free+0x56/0x70
[   24.111532]  kfree+0x222/0x3f0
[   24.111687]  kasan_strings+0x2aa/0xe80
[   24.111866]  kunit_try_run_case+0x1a5/0x480
[   24.112123]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.112379]  kthread+0x337/0x6f0
[   24.112541]  ret_from_fork+0x116/0x1d0
[   24.112722]  ret_from_fork_asm+0x1a/0x30
[   24.112912] 
[   24.112995] The buggy address belongs to the object at ffff888102d5c7c0
[   24.112995]  which belongs to the cache kmalloc-32 of size 32
[   24.113665] The buggy address is located 16 bytes inside of
[   24.113665]  freed 32-byte region [ffff888102d5c7c0, ffff888102d5c7e0)
[   24.114468] 
[   24.114566] The buggy address belongs to the physical page:
[   24.114737] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102d5c
[   24.114975] flags: 0x200000000000000(node=0|zone=2)
[   24.115141] page_type: f5(slab)
[   24.115268] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   24.116094] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   24.117009] page dumped because: kasan: bad access detected
[   24.117281] 
[   24.117374] Memory state around the buggy address:
[   24.118248]  ffff888102d5c680: fa fb fb fb fc fc fc fc 00 00 00 04 fc fc fc fc
[   24.118545]  ffff888102d5c700: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   24.118832] >ffff888102d5c780: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   24.119427]                                                  ^
[   24.120171]  ffff888102d5c800: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   24.120999]  ffff888102d5c880: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   24.121316] ==================================================================
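
All three reports above originate in `kasan_strings`, the KASAN KUnit test case, and they carry the `[N]=TEST` taint with `kunit_try_catch` as the faulting task, which marks them as the self-test suite's deliberate use-after-free probe rather than a bug found in production code. The Python below is an added triage example, not part of the original report page and not kernel or KUnit tooling: it parses a KASAN report's header lines, computes the access offset inside the freed region, picks out the first caller above the reporting machinery, and flags KUnit self-test output. The embedded sample is an abbreviated copy of the first (dragonboard-845c) report; `KasanReport`, `parse_reports` and `triage` are names chosen here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Abbreviated copy of the dragonboard-845c report from this page (frames that
# belong only to KASAN's reporting path were trimmed to keep it short).
SAMPLE_REPORT = """\
[   52.626420] ==================================================================
[   52.633736] BUG: KASAN: slab-use-after-free in strlen+0xa8/0xb0
[   52.639740] Read of size 1 at addr ffff000096c34790 by task kunit_try_catch/345
[   52.648710] Tainted: [B]=BAD_PAGE, [N]=TEST
[   52.648730] Call trace:
[   52.648735]  show_stack+0x20/0x38 (C)
[   52.648808]  __asan_report_load1_noabort+0x20/0x30
[   52.648825]  strlen+0xa8/0xb0
[   52.648839]  kasan_strings+0x418/0xb00
[   52.648854]  kunit_try_run_case+0x170/0x3f0
[   52.717157] Allocated by task 345:
[   52.741164]  kasan_strings+0xc8/0xb00
[   52.763147] Freed by task 345:
[   52.785402]  kasan_strings+0x24c/0xb00
[   52.807469] The buggy address belongs to the object at ffff000096c34780
[   52.807469]  which belongs to the cache kmalloc-32 of size 32
[   52.819942]  freed 32-byte region [ffff000096c34780, ffff000096c347a0)
[   52.925293] ==================================================================
"""

TS = r"^\[\s*[\d.]+\]"  # dmesg timestamp prefix
SEP_RE = re.compile(TS + r"\s*=+\s*$")
BUG_RE = re.compile(TS + r"\s*BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+")
ACCESS_RE = re.compile(TS + r"\s*(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
CACHE_RE = re.compile(TS + r"\s*which belongs to the cache (?P<cache>\S+) of size \d+")
REGION_RE = re.compile(TS + r"\s*freed \d+-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
# x86 marks unreliable frames with "? "; those are skipped when collecting the stack.
FRAME_RE = re.compile(TS + r"\s+(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Frames of the KASAN/kernel reporting path, not of the code under test.
REPORTING_FRAMES = ("show_stack", "dump_stack", "print_report", "kasan_report", "__asan_report")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    comm: str = ""
    pid: int = 0
    taints: Dict[str, str] = field(default_factory=dict)
    cache: str = ""
    region: Optional[Tuple[int, int]] = None
    frames: List[str] = field(default_factory=list)  # reliable frames of the faulting stack

    def offset_in_region(self) -> Optional[int]:
        """Byte offset of the access inside the freed object, or None if not inside it."""
        if self.region is None:
            return None
        start, end = self.region
        return self.addr - start if start <= self.addr < end else None

    def caller(self) -> str:
        """First frame above the faulting function that is not reporting machinery."""
        seen_func = False
        for sym in self.frames:
            if sym.startswith(REPORTING_FRAMES):
                continue
            if sym == self.func and not seen_func:
                seen_func = True
                continue
            if seen_func:
                return sym
        return ""

    def is_kunit_selftest(self) -> bool:
        """KASAN's KUnit suite runs in kunit_try_catch and sets the [N]=TEST taint."""
        return self.comm == "kunit_try_catch" and self.taints.get("N") == "TEST"


def parse_reports(text: str) -> List[KasanReport]:
    """Split dmesg text on the '====' separators and parse each KASAN report."""
    reports: List[KasanReport] = []
    cur: Optional[KasanReport] = None
    in_trace = False
    for line in text.splitlines():
        if SEP_RE.match(line):
            if cur is None:
                cur = KasanReport()
            else:
                reports.append(cur)
                cur = None
            in_trace = False
            continue
        if cur is None:
            continue
        if m := BUG_RE.match(line):
            cur.kind, cur.func = m["kind"], m["func"]
        elif m := ACCESS_RE.match(line):
            cur.op, cur.size = m["op"], int(m["size"])
            cur.addr, cur.comm, cur.pid = int(m["addr"], 16), m["comm"], int(m["pid"])
        elif "Tainted: [" in line:
            cur.taints = dict(re.findall(r"\[(\w)\]=(\w+)", line))
        elif re.search(r"Call [Tt]race:", line):
            in_trace = True
        elif re.search(r"(Allocated|Freed) by task", line):
            in_trace = False
        elif m := CACHE_RE.match(line):
            cur.cache = m["cache"]
        elif m := REGION_RE.match(line):
            cur.region = (int(m["start"], 16), int(m["end"], 16))
        elif in_trace and (m := FRAME_RE.match(line)) and not m["unreliable"]:
            cur.frames.append(m["sym"])
    return reports


def triage(r: KasanReport) -> str:
    """One-line verdict for a parsed report."""
    off = r.offset_in_region()
    where = f"+{off}" if off is not None else "?"
    verdict = "expected KUnit self-test failure" if r.is_kunit_selftest() else "investigate"
    return (f"{r.kind}: {r.op} of {r.size} byte(s) at {where} in {r.cache} object, "
            f"{r.func} <- {r.caller()} [{r.comm}/{r.pid}]: {verdict}")


if __name__ == "__main__":
    for rep in parse_reports(SAMPLE_REPORT):
        print(triage(rep))
```

Run against the full log of this page, the same parser yields one record per separator-delimited report, and the offset it computes (16 bytes into the freed 32-byte `kmalloc-32` object) matches the "located 16 bytes inside of" line KASAN prints; the x86 report's `? `-prefixed frames are skipped so `caller()` still resolves to `kasan_strings` there.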