lkft/linux-next-master - next-20250709 - log-parser-boot/kasan-bug-kasan-slab-out-of-bounds-in-kmalloc_oob_left

Date

July 9, 2025, 1:08 p.m.

Environment
qemu-arm64
qemu-x86_64

[   29.013862] ==================================================================
[   29.013918] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_left+0x2ec/0x320
[   29.013969] Read of size 1 at addr fff00000c592c85f by task kunit_try_catch/170
[   29.014017] 
[   29.014047] CPU: 0 UID: 0 PID: 170 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250709 #1 PREEMPT 
[   29.014296] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.014323] Hardware name: linux,dummy-virt (DT)
[   29.014606] Call trace:
[   29.014638]  show_stack+0x20/0x38 (C)
[   29.014691]  dump_stack_lvl+0x8c/0xd0
[   29.014849]  print_report+0x118/0x5d0
[   29.014949]  kasan_report+0xdc/0x128
[   29.015029]  __asan_report_load1_noabort+0x20/0x30
[   29.015108]  kmalloc_oob_left+0x2ec/0x320
[   29.015163]  kunit_try_run_case+0x170/0x3f0
[   29.015249]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.015302]  kthread+0x328/0x630
[   29.015344]  ret_from_fork+0x10/0x20
[   29.015390] 
[   29.015876] Allocated by task 11:
[   29.015920]  kasan_save_stack+0x3c/0x68
[   29.015964]  kasan_save_track+0x20/0x40
[   29.016002]  kasan_save_alloc_info+0x40/0x58
[   29.016037]  __kasan_kmalloc+0xd4/0xd8
[   29.016140]  __kmalloc_node_track_caller_noprof+0x194/0x4b8
[   29.016189]  kvasprintf+0xe0/0x180
[   29.016222]  __kthread_create_on_node+0x16c/0x350
[   29.016260]  kthread_create_on_node+0xe4/0x130
[   29.016296]  create_worker+0x380/0x6b8
[   29.016448]  worker_thread+0x808/0xf38
[   29.016635]  kthread+0x328/0x630
[   29.016842]  ret_from_fork+0x10/0x20
[   29.016921] 
[   29.017064] The buggy address belongs to the object at fff00000c592c840
[   29.017064]  which belongs to the cache kmalloc-16 of size 16
[   29.017178] The buggy address is located 19 bytes to the right of
[   29.017178]  allocated 12-byte region [fff00000c592c840, fff00000c592c84c)
[   29.017499] 
[   29.017752] The buggy address belongs to the physical page:
[   29.017830] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10592c
[   29.018128] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   29.018439] page_type: f5(slab)
[   29.018650] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   29.018780] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   29.018820] page dumped because: kasan: bad access detected
[   29.018986] 
[   29.019355] Memory state around the buggy address:
[   29.019496]  fff00000c592c700: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   29.019538]  fff00000c592c780: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   29.019767] >fff00000c592c800: fa fb fc fc fa fb fc fc 00 04 fc fc 00 07 fc fc
[   29.019991]                                                     ^
[   29.020035]  fff00000c592c880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.020183]  fff00000c592c900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.020220] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

2zdgcq9j1ujmXwxUxAtmoX2JeBw

job_id

TEST:linaro@lkft#2zdghTlh69PR1QDjNegFtBHq55A

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2zdghTlh69PR1QDjNegFtBHq55A

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zdgdlpB9JiVBKeSwABXYd80ypl/Image.gz
sha256sum	9f5eee9957545548ea4e1a38f001ee4d49216581a9ba43dfa3ccfa9e44a80665

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zdgdlpB9JiVBKeSwABXYd80ypl/modules.tar.xz
sha256sum	a00a8fd80d7c3e7553673b7b34ffa080501292edf8c4877ba00c110d5f08ed8f

durations

tests

boot	0
kunit	163.99

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

[   23.452285] ==================================================================
[   23.452754] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_left+0x361/0x3c0
[   23.453472] Read of size 1 at addr ffff88810484f2ff by task kunit_try_catch/188
[   23.454019] 
[   23.454141] CPU: 1 UID: 0 PID: 188 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250709 #1 PREEMPT(voluntary) 
[   23.454193] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.454206] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.454228] Call Trace:
[   23.454243]  <TASK>
[   23.454264]  dump_stack_lvl+0x73/0xb0
[   23.454298]  print_report+0xd1/0x610
[   23.454320]  ? __virt_addr_valid+0x1db/0x2d0
[   23.454345]  ? kmalloc_oob_left+0x361/0x3c0
[   23.454365]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.454390]  ? kmalloc_oob_left+0x361/0x3c0
[   23.454410]  kasan_report+0x141/0x180
[   23.454431]  ? kmalloc_oob_left+0x361/0x3c0
[   23.454455]  __asan_report_load1_noabort+0x18/0x20
[   23.454478]  kmalloc_oob_left+0x361/0x3c0
[   23.454499]  ? __pfx_kmalloc_oob_left+0x10/0x10
[   23.454520]  ? __schedule+0x10cc/0x2b60
[   23.454544]  ? __pfx_read_tsc+0x10/0x10
[   23.454565]  ? ktime_get_ts64+0x86/0x230
[   23.454591]  kunit_try_run_case+0x1a5/0x480
[   23.454614]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.454634]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.454657]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.454680]  ? __kthread_parkme+0x82/0x180
[   23.454713]  ? preempt_count_sub+0x50/0x80
[   23.454737]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.454758]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.454806]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.454831]  kthread+0x337/0x6f0
[   23.454850]  ? trace_preempt_on+0x20/0xc0
[   23.454873]  ? __pfx_kthread+0x10/0x10
[   23.454953]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.454977]  ? calculate_sigpending+0x7b/0xa0
[   23.455002]  ? __pfx_kthread+0x10/0x10
[   23.455023]  ret_from_fork+0x116/0x1d0
[   23.455042]  ? __pfx_kthread+0x10/0x10
[   23.455062]  ret_from_fork_asm+0x1a/0x30
[   23.455094]  </TASK>
[   23.455106] 
[   23.464418] Allocated by task 119:
[   23.464604]  kasan_save_stack+0x45/0x70
[   23.464821]  kasan_save_track+0x18/0x40
[   23.465078]  kasan_save_alloc_info+0x3b/0x50
[   23.465635]  __kasan_kmalloc+0xb7/0xc0
[   23.466003]  __kmalloc_node_track_caller_noprof+0x1cb/0x500
[   23.466369]  kvasprintf+0xc5/0x150
[   23.466524]  kasprintf+0xb6/0xf0
[   23.466678]  miscdev_test_can_open+0x9a/0x2e0
[   23.466897]  miscdev_test_collision_reverse+0x402/0x750
[   23.467426]  kunit_try_run_case+0x1a5/0x480
[   23.467638]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.468159]  kthread+0x337/0x6f0
[   23.468466]  ret_from_fork+0x116/0x1d0
[   23.468656]  ret_from_fork_asm+0x1a/0x30
[   23.468936] 
[   23.469045] Freed by task 75821760:
[   23.469624] ------------[ cut here ]------------
[   23.470053] pool index 100480 out of bounds (154) for stack id ffff8881
[   23.471056] WARNING: lib/stackdepot.c:451 at depot_fetch_stack+0x62/0x80, CPU#1: kunit_try_catch/188
[   23.471478] Modules linked in:
[   23.471752] CPU: 1 UID: 0 PID: 188 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250709 #1 PREEMPT(voluntary) 
[   23.472335] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.472582] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.473039] RIP: 0010:depot_fetch_stack+0x62/0x80
[   23.473492] Code: d2 74 05 c3 cc cc cc cc 90 0f 0b 90 31 c0 e9 55 d6 68 02 55 48 89 e5 90 89 f9 44 89 c2 48 c7 c7 78 d3 78 92 e8 1f 68 bc fe 90 <0f> 0b 90 90 31 c0 5d c3 cc cc cc cc 90 0f 0b 90 31 c0 c3 cc cc cc
[   23.474299] RSP: 0000:ffff888106187b28 EFLAGS: 00010082
[   23.474662] RAX: 0000000000000000 RBX: ffff888106187b50 RCX: 1ffffffff2564b68
[   23.474994] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001
[   23.475384] RBP: ffff888106187b28 R08: 0000000000000000 R09: fffffbfff2564b68
[   23.475746] R10: 0000000000000003 R11: 0000000000000001 R12: ffff88810484f2ff
[   23.476163] R13: ffff8881061a2000 R14: ffffea00041213c0 R15: 0000000000000001
[   23.476421] FS:  0000000000000000(0000) GS:ffff8881c732b000(0000) knlGS:0000000000000000
[   23.476825] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   23.477131] CR2: 0000000000000000 CR3: 000000012a2bc000 CR4: 00000000000006f0
[   23.477584] DR0: ffffffff93e9b504 DR1: ffffffff93e9b509 DR2: ffffffff93e9b50a
[   23.477966] DR3: ffffffff93e9b50b DR6: 00000000ffff0ff0 DR7: 0000000000000600
[   23.478511] Call Trace:
[   23.478771]  <TASK>
[   23.478934]  stack_depot_fetch+0x2c/0x60
[   23.479106]  stack_depot_print+0x23/0x50
[   23.479306]  print_report+0x5f8/0x610
[   23.479482]  ? __virt_addr_valid+0x1db/0x2d0
[   23.479713]  ? kmalloc_oob_left+0x361/0x3c0
[   23.479954]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.480475]  ? kmalloc_oob_left+0x361/0x3c0
[   23.480684]  kasan_report+0x141/0x180
[   23.481146]  ? kmalloc_oob_left+0x361/0x3c0
[   23.481354]  __asan_report_load1_noabort+0x18/0x20
[   23.481552]  kmalloc_oob_left+0x361/0x3c0
[   23.481734]  ? __pfx_kmalloc_oob_left+0x10/0x10
[   23.482448]  ? __schedule+0x10cc/0x2b60
[   23.482730]  ? __pfx_read_tsc+0x10/0x10
[   23.483137]  ? ktime_get_ts64+0x86/0x230
[   23.483331]  kunit_try_run_case+0x1a5/0x480
[   23.483524]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.483727]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.484426]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.484718]  ? __kthread_parkme+0x82/0x180
[   23.485276]  ? preempt_count_sub+0x50/0x80
[   23.485554]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.485922]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.486332]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.486579]  kthread+0x337/0x6f0
[   23.486740]  ? trace_preempt_on+0x20/0xc0
[   23.487192]  ? __pfx_kthread+0x10/0x10
[   23.487651]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.488134]  ? calculate_sigpending+0x7b/0xa0
[   23.488347]  ? __pfx_kthread+0x10/0x10
[   23.488523]  ret_from_fork+0x116/0x1d0
[   23.488690]  ? __pfx_kthread+0x10/0x10
[   23.488832]  ret_from_fork_asm+0x1a/0x30
[   23.488976]  </TASK>
[   23.489243] ---[ end trace 0000000000000000 ]---
[   23.489614] ------------[ cut here ]------------
[   23.489782] corrupt handle or use after stack_depot_put()
[   23.489852] WARNING: lib/stackdepot.c:723 at stack_depot_fetch+0x53/0x60, CPU#1: kunit_try_catch/188
[   23.490471] Modules linked in:
[   23.490611] CPU: 1 UID: 0 PID: 188 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc5-next-20250709 #1 PREEMPT(voluntary) 
[   23.491323] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   23.491511] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.492326] RIP: 0010:stack_depot_fetch+0x53/0x60
[   23.492614] Code: ff ff ff 48 85 c0 74 14 48 8d 50 20 48 89 13 8b 40 14 48 8b 5d f8 c9 e9 cb d5 68 02 90 48 c7 c7 b0 d3 78 92 e8 9e 67 bc fe 90 <0f> 0b 90 90 31 c0 eb e0 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90
[   23.493734] RSP: 0000:ffff888106187b38 EFLAGS: 00010082
[   23.494245] RAX: 0000000000000000 RBX: ffff888106187b50 RCX: 1ffffffff2564b68
[   23.494709] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000001
[   23.495394] RBP: ffff888106187b40 R08: 0000000000000000 R09: fffffbfff2564b68
[   23.495899] R10: 0000000000000003 R11: 0000000000000001 R12: ffff88810484f2ff
[   23.496370] R13: ffff8881061a2000 R14: ffffea00041213c0 R15: 0000000000000001
[   23.496660] FS:  0000000000000000(0000) GS:ffff8881c732b000(0000) knlGS:0000000000000000
[   23.497071] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   23.497291] CR2: 0000000000000000 CR3: 000000012a2bc000 CR4: 00000000000006f0
[   23.497574] DR0: ffffffff93e9b504 DR1: ffffffff93e9b509 DR2: ffffffff93e9b50a
[   23.498005] DR3: ffffffff93e9b50b DR6: 00000000ffff0ff0 DR7: 0000000000000600
[   23.498249] Call Trace:
[   23.498473]  <TASK>
[   23.498615]  stack_depot_print+0x23/0x50
[   23.498864]  print_report+0x5f8/0x610
[   23.499033]  ? __virt_addr_valid+0x1db/0x2d0
[   23.499384]  ? kmalloc_oob_left+0x361/0x3c0
[   23.499587]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.499871]  ? kmalloc_oob_left+0x361/0x3c0
[   23.500038]  kasan_report+0x141/0x180
[   23.500323]  ? kmalloc_oob_left+0x361/0x3c0
[   23.500554]  __asan_report_load1_noabort+0x18/0x20
[   23.500826]  kmalloc_oob_left+0x361/0x3c0
[   23.500964]  ? __pfx_kmalloc_oob_left+0x10/0x10
[   23.501183]  ? __schedule+0x10cc/0x2b60
[   23.501372]  ? __pfx_read_tsc+0x10/0x10
[   23.501511]  ? ktime_get_ts64+0x86/0x230
[   23.501864]  kunit_try_run_case+0x1a5/0x480
[   23.502175]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.502325]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.502688]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.502989]  ? __kthread_parkme+0x82/0x180
[   23.503151]  ? preempt_count_sub+0x50/0x80
[   23.503333]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.503512]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.503678]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.504171]  kthread+0x337/0x6f0
[   23.504341]  ? trace_preempt_on+0x20/0xc0
[   23.504569]  ? __pfx_kthread+0x10/0x10
[   23.504771]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.505031]  ? calculate_sigpending+0x7b/0xa0
[   23.505174]  ? __pfx_kthread+0x10/0x10
[   23.505299]  ret_from_fork+0x116/0x1d0
[   23.505422]  ? __pfx_kthread+0x10/0x10
[   23.505893]  ret_from_fork_asm+0x1a/0x30
[   23.506267]  </TASK>
[   23.506421] ---[ end trace 0000000000000000 ]---
[   23.506681] 
[   23.506770] The buggy address belongs to the object at ffff88810484f2e0
[   23.506770]  which belongs to the cache kmalloc-16 of size 16
[   23.508003] The buggy address is located 15 bytes to the right of
[   23.508003]  allocated 16-byte region [ffff88810484f2e0, ffff88810484f2f0)
[   23.509136] 
[   23.509496] The buggy address belongs to the physical page:
[   23.510135] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10484f
[   23.510473] flags: 0x200000000000000(node=0|zone=2)
[   23.510703] page_type: f5(slab)
[   23.511147] raw: 0200000000000000 ffff888100041640 dead000000000100 dead000000000122
[   23.511685] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   23.512600] page dumped because: kasan: bad access detected
[   23.513203] 
[   23.513301] Memory state around the buggy address:
[   23.513504]  ffff88810484f180: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   23.514119]  ffff88810484f200: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   23.514706] >ffff88810484f280: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   23.515298]                                                                 ^
[   23.515595]  ffff88810484f300: 00 07 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   23.516342]  ffff88810484f380: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[   23.516988] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

2zdgcq9j1ujmXwxUxAtmoX2JeBw

job_id

TEST:linaro@lkft#2zdgiR4lYmFolv6VtPNpXUv6c4T

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2zdgiR4lYmFolv6VtPNpXUv6c4T

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zdgeyu2bhhwOi5HT3qnlyin7Ms/bzImage
sha256sum	f7e62367d136756fd78b141e5190ae396942c5b5fabd4fda00971c136430b59f

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zdgeyu2bhhwOi5HT3qnlyin7Ms/modules.tar.xz
sha256sum	4b09f4cdde291b6f441ef91e7389f5ff9bff86967f27fcee3276d7367dea1cc6

durations

tests

boot	0
kunit	223.70

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

Metadata

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit