Date
July 4, 2025, 11:10 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:
[ 32.001031] ==================================================================
[ 32.001087] BUG: KASAN: slab-use-after-free in kasan_strings+0x95c/0xb00
[ 32.001139] Read of size 1 at addr fff00000c5ad9b50 by task kunit_try_catch/292
[ 32.001212]
[ 32.001244] CPU: 1 UID: 0 PID: 292 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250704 #1 PREEMPT
[ 32.001338] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.001366] Hardware name: linux,dummy-virt (DT)
[ 32.001398] Call trace:
[ 32.001437] show_stack+0x20/0x38 (C)
[ 32.001487] dump_stack_lvl+0x8c/0xd0
[ 32.001535] print_report+0x118/0x608
[ 32.001582] kasan_report+0xdc/0x128
[ 32.001640] __asan_report_load1_noabort+0x20/0x30
[ 32.001690] kasan_strings+0x95c/0xb00
[ 32.001737] kunit_try_run_case+0x170/0x3f0
[ 32.001787] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.001841] kthread+0x328/0x630
[ 32.001883] ret_from_fork+0x10/0x20
[ 32.002570]
[ 32.002598] Allocated by task 292:
[ 32.002740] kasan_save_stack+0x3c/0x68
[ 32.002827] kasan_save_track+0x20/0x40
[ 32.003005] kasan_save_alloc_info+0x40/0x58
[ 32.003055] __kasan_kmalloc+0xd4/0xd8
[ 32.003257] __kmalloc_cache_noprof+0x16c/0x3c0
[ 32.004299] Freed by task 292:
[ 32.005493] kthread+0x328/0x630
[ 32.006268]
[ 32.006389] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.006887]
[ 32.007359] >fff00000c5ad9b00: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 32.010231] Hardware name: linux,dummy-virt (DT)
[ 32.013086] kasan_save_alloc_info+0x40/0x58
[ 32.013288] __kasan_kmalloc+0xd4/0xd8
[ 32.013938] kasan_save_stack+0x3c/0x68
[ 32.014361] ret_from_fork+0x10/0x20
[ 32.014624] The buggy address belongs to the physical page:
[ 32.015678] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 32.019231] Read of size 1 at addr fff00000c5ad9b50 by task kunit_try_catch/292
[ 32.020693] strnlen+0x80/0x88
[ 32.020748] kasan_strings+0x478/0xb00
[ 32.021965] kasan_save_track+0x20/0x40
[ 32.023999] kasan_save_stack+0x3c/0x68
[ 32.025610]
[ 32.025700] The buggy address is located 16 bytes inside of
[ 32.025700] freed 32-byte region [fff00000c5ad9b40, fff00000c5ad9b60)
[ 32.027310] Memory state around the buggy address:
[ 32.033767] not ok 62 kasan_strings
[ 32.037444]
[ 32.037565] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.039954] kthread+0x328/0x630
[ 32.041210] __kasan_kmalloc+0xd4/0xd8
[ 32.042271] kthread+0x328/0x630
[ 32.043853] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1085e8
[ 32.046283] ==================================================================
qemu-x86_64:
[ 27.069178] ==================================================================
[ 27.069521] BUG: KASAN: slab-use-after-free in kasan_strings+0xcbc/0xe80
[ 27.069771] Read of size 1 at addr ffff888105abca90 by task kunit_try_catch/308
[ 27.070021]
[ 27.070119] CPU: 0 UID: 0 PID: 308 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250704 #1 PREEMPT(voluntary)
[ 27.070178] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.070193] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 27.070221] Call Trace:
[ 27.070244] <TASK>
[ 27.070267] dump_stack_lvl+0x73/0xb0
[ 27.070299] print_report+0xd1/0x650
[ 27.070325] ? __virt_addr_valid+0x1db/0x2d0
[ 27.070353] ? kasan_strings+0xcbc/0xe80
[ 27.070377] ? kasan_complete_mode_report_info+0x64/0x200
[ 27.070661] ? kasan_strings+0xcbc/0xe80
[ 27.070691] kasan_report+0x141/0x180
[ 27.070718] ? kasan_strings+0xcbc/0xe80
[ 27.070749] __asan_report_load1_noabort+0x18/0x20
[ 27.070778] kasan_strings+0xcbc/0xe80
[ 27.070801] ? trace_hardirqs_on+0x37/0xe0
[ 27.070830] ? __pfx_kasan_strings+0x10/0x10
[ 27.070853] ? finish_task_switch.isra.0+0x153/0x700
[ 27.070879] ? __switch_to+0x47/0xf50
[ 27.070910] ? __schedule+0x10cc/0x2b60
[ 27.070939] ? __pfx_read_tsc+0x10/0x10
[ 27.070965] ? ktime_get_ts64+0x86/0x230
[ 27.070995] kunit_try_run_case+0x1a5/0x480
[ 27.071026] ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.071054] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 27.071082] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 27.071111] ? __kthread_parkme+0x82/0x180
[ 27.071136] ? preempt_count_sub+0x50/0x80
[ 27.071447] ? __pfx_kunit_try_run_case+0x10/0x10
[ 27.071479] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.071509] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 27.071538] kthread+0x337/0x6f0
[ 27.071562] ? trace_preempt_on+0x20/0xc0
[ 27.071589] ? __pfx_kthread+0x10/0x10
[ 27.071613] ? _raw_spin_unlock_irq+0x47/0x80
[ 27.071641] ? calculate_sigpending+0x7b/0xa0
[ 27.071670] ? __pfx_kthread+0x10/0x10
[ 27.071696] ret_from_fork+0x116/0x1d0
[ 27.071719] ? __pfx_kthread+0x10/0x10
[ 27.071744] ret_from_fork_asm+0x1a/0x30
[ 27.071782] </TASK>
[ 27.071797]
[ 27.081699] Allocated by task 308:
[ 27.081868] kasan_save_stack+0x45/0x70
[ 27.082107] kasan_save_track+0x18/0x40
[ 27.082545] kasan_save_alloc_info+0x3b/0x50
[ 27.082727] __kasan_kmalloc+0xb7/0xc0
[ 27.082898] __kmalloc_cache_noprof+0x189/0x420
[ 27.083153] kasan_strings+0xc0/0xe80
[ 27.083373] kunit_try_run_case+0x1a5/0x480
[ 27.083652] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.083914] kthread+0x337/0x6f0
[ 27.084118] ret_from_fork+0x116/0x1d0
[ 27.084337] ret_from_fork_asm+0x1a/0x30
[ 27.084564]
[ 27.084643] Freed by task 308:
[ 27.084769] kasan_save_stack+0x45/0x70
[ 27.084922] kasan_save_track+0x18/0x40
[ 27.085073] kasan_save_free_info+0x3f/0x60
[ 27.085236] __kasan_slab_free+0x56/0x70
[ 27.085401] kfree+0x222/0x3f0
[ 27.085532] kasan_strings+0x2aa/0xe80
[ 27.085681] kunit_try_run_case+0x1a5/0x480
[ 27.085893] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 27.086185] kthread+0x337/0x6f0
[ 27.086373] ret_from_fork+0x116/0x1d0
[ 27.086975] ret_from_fork_asm+0x1a/0x30
[ 27.087330]
[ 27.087465] The buggy address belongs to the object at ffff888105abca80
[ 27.087465] which belongs to the cache kmalloc-32 of size 32
[ 27.088432] The buggy address is located 16 bytes inside of
[ 27.088432] freed 32-byte region [ffff888105abca80, ffff888105abcaa0)
[ 27.089057]
[ 27.089144] The buggy address belongs to the physical page:
[ 27.089380] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105abc
[ 27.089672] flags: 0x200000000000000(node=0|zone=2)
[ 27.089862] page_type: f5(slab)
[ 27.090260] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 27.090722] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 27.091121] page dumped because: kasan: bad access detected
[ 27.091432]
[ 27.091781] Memory state around the buggy address:
[ 27.092234]  ffff888105abc980: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 27.092520]  ffff888105abca00: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 27.092770] >ffff888105abca80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 27.093096]                          ^
[ 27.093310]  ffff888105abcb00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 27.093706]  ffff888105abcb80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 27.094083] ==================================================================
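Both reports pin the bad access down through the "Memory state around the buggy address" rows, which are the generic KASAN shadow map: each shadow byte covers an 8-byte granule of the slab, 0x00 means the whole granule is accessible, 01..07 means only that many leading bytes are, 0xfa marks the first granule of a freed slab object (where the free-track metadata lives), 0xfb the remaining granules of a freed object, and 0xfc a slab redzone. The decoder below is an added example, not part of the test log or of the kernel's KASAN code; it parses the `>` row of each report above and recomputes the "16 bytes inside of freed 32-byte region" statement from the shadow bytes alone, and it generalises to any row (it also reports a partially accessible live object and an object whose 0xfa granule falls before the row). The names `parse_row`, `locate`, `describe` and the `shadow_kind` enum are this example's own, and the two rows are copied from the reports with their access addresses taken from the "Read of size 1" lines.

```c
/*
 * Decoder for the "Memory state around the buggy address" rows of a
 * generic-mode KASAN report. Added example; not from the log or the kernel.
 * Assumed encoding (generic KASAN): one shadow byte per 8-byte granule,
 * 0x00 = all 8 bytes accessible, 1..7 = that many leading bytes accessible,
 * 0xfa = first granule of a freed slab object, 0xfb = rest of a freed
 * object, 0xfc = slab redzone. All names below are the example's own.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GRANULE 8
#define BYTES_PER_ROW 16

enum shadow_kind { ACCESSIBLE, PARTIAL, FREED_META, FREED, SLAB_REDZONE, OTHER };

struct access_info {
	uint8_t shadow;               /* shadow byte covering the access */
	enum shadow_kind kind;
	uint64_t obj_start, obj_end;  /* freed object bounds (FREED_META/FREED only) */
	int offset;                   /* access offset inside that object */
	int start_truncated;          /* the object's 0xfa granule lies before this row */
};

static enum shadow_kind classify(uint8_t s)
{
	if (s == 0x00) return ACCESSIBLE;
	if (s < GRANULE) return PARTIAL;
	return s == 0xfa ? FREED_META : s == 0xfb ? FREED : s == 0xfc ? SLAB_REDZONE : OTHER;
}

/* Parse "[ 27.092770] >ffff888105abca80: fa fb ..." (timestamp and '>' optional).
 * Returns the number of shadow bytes read, or -1 on a malformed row. */
static int parse_row(const char *row, uint64_t *base, uint8_t sh[BYTES_PER_ROW])
{
	char *end;
	int n = 0;

	if (*row == '[' && !(row = strchr(row, ']'))) return -1;
	while (*row == ']' || *row == ' ' || *row == '>')
		row++;
	*base = strtoull(row, &end, 16);
	if (end == row || *end != ':') return -1;
	for (row = end + 1; n < BYTES_PER_ROW; row = end) {
		while (*row == ' ')
			row++;
		if (*row == '\0' || *row == '\n')
			break;
		sh[n++] = (uint8_t)strtoul(row, &end, 16);
		if (end != row + 2) return -1;  /* shadow bytes are always two hex digits */
	}
	return n;
}

/* Map addr onto the row; for a freed granule, recover the object's bounds by
 * scanning back to its 0xfa granule and forward over its 0xfb granules.
 * Returns 0 on success, -1 if addr is not covered by this row. */
static int locate(uint64_t base, const uint8_t *sh, int n, uint64_t addr, struct access_info *ai)
{
	int idx, lo, hi;

	if (addr < base || addr >= base + (uint64_t)n * GRANULE) return -1;
	idx = (int)((addr - base) / GRANULE);
	memset(ai, 0, sizeof(*ai));
	ai->shadow = sh[idx];
	ai->kind = classify(sh[idx]);
	if (ai->kind != FREED_META && ai->kind != FREED) return 0;
	for (lo = idx; lo > 0 && sh[lo] != 0xfa && (sh[lo - 1] == 0xfa || sh[lo - 1] == 0xfb); lo--)
		;
	for (hi = idx + 1; hi < n && sh[hi] == 0xfb; hi++)
		;
	ai->start_truncated = sh[lo] != 0xfa;
	ai->obj_start = base + (uint64_t)lo * GRANULE;
	ai->obj_end = base + (uint64_t)hi * GRANULE;
	ai->offset = (int)(addr - ai->obj_start);
	return 0;
}

/* Parse a row and locate addr in it. */
static int describe(const char *row, uint64_t addr, struct access_info *ai)
{
	uint64_t base;
	uint8_t sh[BYTES_PER_ROW];
	int n = parse_row(row, &base, sh);
	return n < 0 ? -1 : locate(base, sh, n, addr, ai);
}

/* The ">" rows of the two reports above, copied from the log. */
static const char x86_row[] = "[ 27.092770] >ffff888105abca80: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc";
static const char arm64_row[] = "[ 32.007359] >fff00000c5ad9b00: 00 00 07 fc fc fc fc fc fa fb fb fb fc fc fc fc";

int main(void)
{
	struct access_info ai;

	if (describe(x86_row, 0xffff888105abca90ULL, &ai) == 0 && ai.kind == FREED)
		printf("qemu-x86_64: %d bytes inside freed region [%llx, %llx)\n", ai.offset,
		       (unsigned long long)ai.obj_start, (unsigned long long)ai.obj_end);
	if (describe(arm64_row, 0xfff00000c5ad9b50ULL, &ai) == 0 && ai.kind == FREED)
		printf("qemu-arm64: %d bytes inside freed region [%llx, %llx)\n", ai.offset,
		       (unsigned long long)ai.obj_start, (unsigned long long)ai.obj_end);
	return 0;
}
```

Run stand-alone it reproduces the two report lines: the x86_64 access at ffff888105abca90 lands on shadow byte 0xfb, 16 bytes into [ffff888105abca80, ffff888105abcaa0), and the arm64 access at fff00000c5ad9b50 lands 16 bytes into [fff00000c5ad9b40, fff00000c5ad9b60); in both rows the four 0xfc granules after the object are the 32-byte redzone that kmalloc-32 slots carry under KASAN, which is why the next object starts 64 bytes on. The leading `00 00 07` on the arm64 row is a live neighbour with 23 usable bytes, which the decoder reports as PARTIAL rather than as part of the freed object.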