lkft/linux-next-master - next-20250626 - log-parser-boot/kasan-bug-kasan-slab-use-after-free-in-strnlen

Date

June 26, 2025, 9:10 a.m.

Environment
dragonboard-845c
qemu-arm64
qemu-x86_64

[   52.932696] ==================================================================
[   52.940011] BUG: KASAN: slab-use-after-free in strnlen+0x80/0x88
[   52.946095] Read of size 1 at addr ffff000096c34790 by task kunit_try_catch/345
[   52.953499] 
[   52.955024] CPU: 4 UID: 0 PID: 345 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT 
[   52.955053] Tainted: [B]=BAD_PAGE, [N]=TEST
[   52.955060] Hardware name: Thundercomm Dragonboard 845c (DT)
[   52.955070] Call trace:
[   52.955076]  show_stack+0x20/0x38 (C)
[   52.955093]  dump_stack_lvl+0x8c/0xd0
[   52.955111]  print_report+0x118/0x608
[   52.955129]  kasan_report+0xdc/0x128
[   52.955146]  __asan_report_load1_noabort+0x20/0x30
[   52.955162]  strnlen+0x80/0x88
[   52.955176]  kasan_strings+0x478/0xb00
[   52.955191]  kunit_try_run_case+0x170/0x3f0
[   52.955208]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   52.955228]  kthread+0x328/0x630
[   52.955241]  ret_from_fork+0x10/0x20
[   52.955259] 
[   53.023566] Allocated by task 345:
[   53.027022]  kasan_save_stack+0x3c/0x68
[   53.030927]  kasan_save_track+0x20/0x40
[   53.034827]  kasan_save_alloc_info+0x40/0x58
[   53.039160]  __kasan_kmalloc+0xd4/0xd8
[   53.042976]  __kmalloc_cache_noprof+0x16c/0x3c0
[   53.047579]  kasan_strings+0xc8/0xb00
[   53.051298]  kunit_try_run_case+0x170/0x3f0
[   53.055545]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   53.061108]  kthread+0x328/0x630
[   53.064389]  ret_from_fork+0x10/0x20
[   53.068020] 
[   53.069543] Freed by task 345:
[   53.072646]  kasan_save_stack+0x3c/0x68
[   53.076549]  kasan_save_track+0x20/0x40
[   53.080452]  kasan_save_free_info+0x4c/0x78
[   53.084698]  __kasan_slab_free+0x6c/0x98
[   53.088688]  kfree+0x214/0x3c8
[   53.091797]  kasan_strings+0x24c/0xb00
[   53.095611]  kunit_try_run_case+0x170/0x3f0
[   53.099859]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   53.105423]  kthread+0x328/0x630
[   53.108705]  ret_from_fork+0x10/0x20
[   53.112346] 
[   53.113875] The buggy address belongs to the object at ffff000096c34780
[   53.113875]  which belongs to the cache kmalloc-32 of size 32
[   53.126359] The buggy address is located 16 bytes inside of
[   53.126359]  freed 32-byte region [ffff000096c34780, ffff000096c347a0)
[   53.138580] 
[   53.140111] The buggy address belongs to the physical page:
[   53.145754] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x116c34
[   53.153854] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   53.160465] page_type: f5(slab)
[   53.163662] raw: 0bfffe0000000000 ffff000080002780 dead000000000122 0000000000000000
[   53.171503] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   53.179339] page dumped because: kasan: bad access detected
[   53.184978] 
[   53.186501] Memory state around the buggy address:
[   53.191361]  ffff000096c34680: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   53.198668]  ffff000096c34700: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   53.205983] >ffff000096c34780: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   53.213298]                          ^
[   53.217109]  ffff000096c34800: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   53.224425]  ffff000096c34880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   53.231737] ==================================================================

Metadata Full log Test run details

[   29.104601] ==================================================================
[   29.104652] BUG: KASAN: slab-use-after-free in strnlen+0x80/0x88
[   29.104810] Read of size 1 at addr fff00000c5770790 by task kunit_try_catch/271
[   29.104901] 
[   29.104933] CPU: 0 UID: 0 PID: 271 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT 
[   29.105241] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.105315] Hardware name: linux,dummy-virt (DT)
[   29.105411] Call trace:
[   29.105437]  show_stack+0x20/0x38 (C)
[   29.105506]  dump_stack_lvl+0x8c/0xd0
[   29.105603]  print_report+0x118/0x608
[   29.105719]  kasan_report+0xdc/0x128
[   29.105772]  __asan_report_load1_noabort+0x20/0x30
[   29.105829]  strnlen+0x80/0x88
[   29.106086]  kasan_strings+0x478/0xb00
[   29.106170]  kunit_try_run_case+0x170/0x3f0
[   29.106314]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.106376]  kthread+0x328/0x630
[   29.106421]  ret_from_fork+0x10/0x20
[   29.106547] 
[   29.106575] Allocated by task 271:
[   29.106623]  kasan_save_stack+0x3c/0x68
[   29.106676]  kasan_save_track+0x20/0x40
[   29.106778]  kasan_save_alloc_info+0x40/0x58
[   29.106822]  __kasan_kmalloc+0xd4/0xd8
[   29.106900]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.107219]  kasan_strings+0xc8/0xb00
[   29.107323]  kunit_try_run_case+0x170/0x3f0
[   29.107400]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.107567]  kthread+0x328/0x630
[   29.107613]  ret_from_fork+0x10/0x20
[   29.107680] 
[   29.107759] Freed by task 271:
[   29.108046]  kasan_save_stack+0x3c/0x68
[   29.108168]  kasan_save_track+0x20/0x40
[   29.108218]  kasan_save_free_info+0x4c/0x78
[   29.108258]  __kasan_slab_free+0x6c/0x98
[   29.108297]  kfree+0x214/0x3c8
[   29.108338]  kasan_strings+0x24c/0xb00
[   29.108377]  kunit_try_run_case+0x170/0x3f0
[   29.108417]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.108463]  kthread+0x328/0x630
[   29.108496]  ret_from_fork+0x10/0x20
[   29.108729] 
[   29.108881] The buggy address belongs to the object at fff00000c5770780
[   29.108881]  which belongs to the cache kmalloc-32 of size 32
[   29.108966] The buggy address is located 16 bytes inside of
[   29.108966]  freed 32-byte region [fff00000c5770780, fff00000c57707a0)
[   29.109211] 
[   29.109467] The buggy address belongs to the physical page:
[   29.109622] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105770
[   29.109788] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   29.109919] page_type: f5(slab)
[   29.110026] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   29.110111] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   29.110322] page dumped because: kasan: bad access detected
[   29.110419] 
[   29.110459] Memory state around the buggy address:
[   29.110604]  fff00000c5770680: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   29.110679]  fff00000c5770700: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   29.110840] >fff00000c5770780: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   29.110996]                          ^
[   29.111069]  fff00000c5770800: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   29.111242]  fff00000c5770880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   29.111356] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

2z2V64IZ5mZ4pqTgyDjND4po2p7

job_id

TEST:linaro@lkft#2z2VBWOwNE7tln7ibBWNJtNgCdd

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2z2VBWOwNE7tln7ibBWNJtNgCdd

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2V7USjjUTWqzxtyXvVloPZLjf/Image.gz
sha256sum	42e36f6e4a060d5f9a1060b857a02a69294fe7d2a27b0731adb370bcbc85f1e6

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2V7USjjUTWqzxtyXvVloPZLjf/modules.tar.xz
sha256sum	890b3fa8e09fb90f169b09d75de24714d8b16adf2b500a29a27124602d4970e9

durations

tests

boot	0
kunit	167.09

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

[   24.121887] ==================================================================
[   24.122157] BUG: KASAN: slab-use-after-free in strnlen+0x73/0x80
[   24.122469] Read of size 1 at addr ffff888102d5c7d0 by task kunit_try_catch/288
[   24.122764] 
[   24.123057] CPU: 1 UID: 0 PID: 288 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary) 
[   24.123112] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.123125] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.123147] Call Trace:
[   24.123168]  <TASK>
[   24.123189]  dump_stack_lvl+0x73/0xb0
[   24.123216]  print_report+0xd1/0x650
[   24.123252]  ? __virt_addr_valid+0x1db/0x2d0
[   24.123275]  ? strnlen+0x73/0x80
[   24.123294]  ? kasan_complete_mode_report_info+0x64/0x200
[   24.123320]  ? strnlen+0x73/0x80
[   24.123340]  kasan_report+0x141/0x180
[   24.123361]  ? strnlen+0x73/0x80
[   24.123385]  __asan_report_load1_noabort+0x18/0x20
[   24.123408]  strnlen+0x73/0x80
[   24.123428]  kasan_strings+0x615/0xe80
[   24.123448]  ? trace_hardirqs_on+0x37/0xe0
[   24.123472]  ? __pfx_kasan_strings+0x10/0x10
[   24.123491]  ? finish_task_switch.isra.0+0x153/0x700
[   24.123513]  ? __switch_to+0x47/0xf50
[   24.123538]  ? __schedule+0x10cc/0x2b60
[   24.123562]  ? __pfx_read_tsc+0x10/0x10
[   24.123583]  ? ktime_get_ts64+0x86/0x230
[   24.123608]  kunit_try_run_case+0x1a5/0x480
[   24.123633]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.123655]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.123680]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.123704]  ? __kthread_parkme+0x82/0x180
[   24.123724]  ? preempt_count_sub+0x50/0x80
[   24.123745]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.123769]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.123792]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.123944]  kthread+0x337/0x6f0
[   24.123969]  ? trace_preempt_on+0x20/0xc0
[   24.123991]  ? __pfx_kthread+0x10/0x10
[   24.124012]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.124035]  ? calculate_sigpending+0x7b/0xa0
[   24.124060]  ? __pfx_kthread+0x10/0x10
[   24.124080]  ret_from_fork+0x116/0x1d0
[   24.124099]  ? __pfx_kthread+0x10/0x10
[   24.124119]  ret_from_fork_asm+0x1a/0x30
[   24.124150]  </TASK>
[   24.124161] 
[   24.133982] Allocated by task 288:
[   24.134119]  kasan_save_stack+0x45/0x70
[   24.134283]  kasan_save_track+0x18/0x40
[   24.134433]  kasan_save_alloc_info+0x3b/0x50
[   24.134643]  __kasan_kmalloc+0xb7/0xc0
[   24.135228]  __kmalloc_cache_noprof+0x189/0x420
[   24.135499]  kasan_strings+0xc0/0xe80
[   24.135701]  kunit_try_run_case+0x1a5/0x480
[   24.136252]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.136903]  kthread+0x337/0x6f0
[   24.137183]  ret_from_fork+0x116/0x1d0
[   24.137326]  ret_from_fork_asm+0x1a/0x30
[   24.137460] 
[   24.137526] Freed by task 288:
[   24.137636]  kasan_save_stack+0x45/0x70
[   24.137767]  kasan_save_track+0x18/0x40
[   24.138344]  kasan_save_free_info+0x3f/0x60
[   24.138759]  __kasan_slab_free+0x56/0x70
[   24.139437]  kfree+0x222/0x3f0
[   24.139763]  kasan_strings+0x2aa/0xe80
[   24.140252]  kunit_try_run_case+0x1a5/0x480
[   24.140653]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.141283]  kthread+0x337/0x6f0
[   24.141618]  ret_from_fork+0x116/0x1d0
[   24.141987]  ret_from_fork_asm+0x1a/0x30
[   24.142306] 
[   24.142465] The buggy address belongs to the object at ffff888102d5c7c0
[   24.142465]  which belongs to the cache kmalloc-32 of size 32
[   24.143615] The buggy address is located 16 bytes inside of
[   24.143615]  freed 32-byte region [ffff888102d5c7c0, ffff888102d5c7e0)
[   24.144426] 
[   24.144599] The buggy address belongs to the physical page:
[   24.145048] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102d5c
[   24.145670] flags: 0x200000000000000(node=0|zone=2)
[   24.146012] page_type: f5(slab)
[   24.146369] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   24.147197] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   24.147443] page dumped because: kasan: bad access detected
[   24.147608] 
[   24.147671] Memory state around the buggy address:
[   24.147925]  ffff888102d5c680: fa fb fb fb fc fc fc fc 00 00 00 04 fc fc fc fc
[   24.148639]  ffff888102d5c700: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   24.149369] >ffff888102d5c780: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   24.150033]                                                  ^
[   24.150555]  ffff888102d5c800: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   24.151466]  ffff888102d5c880: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   24.152235] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

2z2V64IZ5mZ4pqTgyDjND4po2p7

job_id

TEST:linaro@lkft#2z2VCWzEgPcUDHhhw0N7L6OuTsi

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2z2VCWzEgPcUDHhhw0N7L6OuTsi

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2V8vW6OGUdLnT5KmRzpsRviaL/bzImage
sha256sum	af9e113be0609efaece1c192f6aceee5e71a8c7326695ad181171f155187f3ab

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2V8vW6OGUdLnT5KmRzpsRviaL/modules.tar.xz
sha256sum	eb3bf6ab4822a4ffbb4c6a0a8f2b0db2418a278c2192667f80b6a1aac6efaa14

durations

tests

boot	0
kunit	146.03

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

Metadata

Failure - dragonboard-845c - gcc-13-lkftconfig-kunit

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit