lkft/linux-next-master - next-20250711 - log-parser-boot/kasan-bug-kasan-slab-out-of-bounds-in-kmalloc_oob_left

Date

July 11, 2025, 10:11 a.m.

Environment
e850-96
qemu-arm64
qemu-x86_64

[   36.826608] ==================================================================
[   36.835869] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_left+0x2ec/0x320
[   36.842723] Read of size 1 at addr ffff000800ba165f by task kunit_try_catch/222
[   36.850015] 
[   36.851499] CPU: 3 UID: 0 PID: 222 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250711 #1 PREEMPT 
[   36.851551] Tainted: [B]=BAD_PAGE, [N]=TEST
[   36.851569] Hardware name: WinLink E850-96 board (DT)
[   36.851591] Call trace:
[   36.851605]  show_stack+0x20/0x38 (C)
[   36.851642]  dump_stack_lvl+0x8c/0xd0
[   36.851673]  print_report+0x118/0x5d0
[   36.851701]  kasan_report+0xdc/0x128
[   36.851729]  __asan_report_load1_noabort+0x20/0x30
[   36.851763]  kmalloc_oob_left+0x2ec/0x320
[   36.851795]  kunit_try_run_case+0x170/0x3f0
[   36.851833]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   36.851865]  kthread+0x328/0x630
[   36.851893]  ret_from_fork+0x10/0x20
[   36.851926] 
[   36.915377] Allocated by task 12:
[   36.918680]  kasan_save_stack+0x3c/0x68
[   36.922495]  kasan_save_track+0x20/0x40
[   36.926314]  kasan_save_alloc_info+0x40/0x58
[   36.930568]  __kasan_kmalloc+0xd4/0xd8
[   36.934302]  __kmalloc_node_track_caller_noprof+0x194/0x4b8
[   36.939856]  kstrdup+0x54/0xc8
[   36.942894]  kstrdup_const+0x48/0x60
[   36.946453]  __kernfs_new_node+0xb0/0x578
[   36.950446]  kernfs_new_node+0x128/0x1a8
[   36.954352]  kernfs_create_link+0xac/0x228
[   36.958432]  sysfs_do_create_link_sd+0x8c/0x128
[   36.962946]  sysfs_create_link_nowarn+0x48/0xb8
[   36.967461]  link_and_create_debugfs+0x70/0x440
[   36.971974]  _regulator_get_common+0x2ac/0x8d0
[   36.976400]  _regulator_get+0x48/0xa0
[   36.980046]  _devm_regulator_get+0x60/0xd0
[   36.984126]  devm_regulator_get_optional+0x1c/0x30
[   36.988900]  usb_conn_probe+0x21c/0xa80
[   36.992719]  platform_probe+0xcc/0x180
[   36.996452]  really_probe+0x188/0x7f0
[   37.000100]  __driver_probe_device+0x164/0x378
[   37.004525]  driver_probe_device+0x64/0x180
[   37.008692]  __device_attach_driver+0x174/0x280
[   37.013205]  bus_for_each_drv+0x118/0x1b0
[   37.017198]  __device_attach+0x174/0x378
[   37.021105]  device_initial_probe+0x1c/0x30
[   37.025271]  bus_probe_device+0x12c/0x170
[   37.029264]  deferred_probe_work_func+0x140/0x208
[   37.033953]  process_one_work+0x530/0xf98
[   37.037945]  worker_thread+0x618/0xf38
[   37.041677]  kthread+0x328/0x630
[   37.044889]  ret_from_fork+0x10/0x20
[   37.048448] 
[   37.049925] Freed by task 0:
[   37.052792]  kasan_save_stack+0x3c/0x68
[   37.056608]  kasan_save_track+0x20/0x40
[   37.060428]  kasan_save_free_info+0x4c/0x78
[   37.064593]  __kasan_slab_free+0x6c/0x98
[   37.068500]  kfree+0x214/0x3c8
[   37.071538]  kfree_const+0x3c/0x50
[   37.074923]  kernfs_free_rcu+0x4c/0x120
[   37.078743]  rcu_core+0x9f4/0x1e20
[   37.082128]  rcu_core_si+0x18/0x30
[   37.085513]  handle_softirqs+0x374/0xb28
[   37.089421]  __do_softirq+0x1c/0x28
[   37.092892] 
[   37.094371] The buggy address belongs to the object at ffff000800ba1640
[   37.094371]  which belongs to the cache kmalloc-16 of size 16
[   37.106695] The buggy address is located 15 bytes to the right of
[   37.106695]  allocated 16-byte region [ffff000800ba1640, ffff000800ba1650)
[   37.119627] 
[   37.121108] The buggy address belongs to the physical page:
[   37.126663] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880ba1
[   37.134647] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   37.141158] page_type: f5(slab)
[   37.144293] raw: 0bfffe0000000000 ffff000800002640 dead000000000122 0000000000000000
[   37.152013] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   37.159733] page dumped because: kasan: bad access detected
[   37.165286] 
[   37.166762] Memory state around the buggy address:
[   37.171542]  ffff000800ba1500: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   37.178745]  ffff000800ba1580: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   37.185954] >ffff000800ba1600: fa fb fc fc fa fb fc fc fa fb fc fc 00 07 fc fc
[   37.193151]                                                     ^
[   37.199231]  ffff000800ba1680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.206435]  ffff000800ba1700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.213638] ==================================================================

Metadata Full log Test run details

[   30.072525] ==================================================================
[   30.072697] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_left+0x2ec/0x320
[   30.072764] Read of size 1 at addr fff00000c918c5df by task kunit_try_catch/169
[   30.072839] 
[   30.072878] CPU: 1 UID: 0 PID: 169 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250711 #1 PREEMPT 
[   30.073068] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.073138] Hardware name: linux,dummy-virt (DT)
[   30.073206] Call trace:
[   30.073281]  show_stack+0x20/0x38 (C)
[   30.073363]  dump_stack_lvl+0x8c/0xd0
[   30.073529]  print_report+0x118/0x5d0
[   30.073651]  kasan_report+0xdc/0x128
[   30.073726]  __asan_report_load1_noabort+0x20/0x30
[   30.073774]  kmalloc_oob_left+0x2ec/0x320
[   30.073819]  kunit_try_run_case+0x170/0x3f0
[   30.073888]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.073938]  kthread+0x328/0x630
[   30.073981]  ret_from_fork+0x10/0x20
[   30.074036] 
[   30.074054] Allocated by task 21:
[   30.074084]  kasan_save_stack+0x3c/0x68
[   30.074125]  kasan_save_track+0x20/0x40
[   30.074162]  kasan_save_alloc_info+0x40/0x58
[   30.074198]  __kasan_kmalloc+0xd4/0xd8
[   30.074234]  __kmalloc_cache_node_noprof+0x178/0x3d0
[   30.074276]  build_sched_domains+0x32c/0x3768
[   30.074318]  partition_sched_domains+0x79c/0x1098
[   30.074369]  rebuild_sched_domains_locked+0x494/0xde0
[   30.074424]  cpuset_handle_hotplug+0xab0/0x1480
[   30.074501]  cpuset_update_active_cpus+0x18/0x30
[   30.074581]  sched_cpu_activate+0x2d0/0x388
[   30.074655]  cpuhp_invoke_callback+0x5b8/0x1620
[   30.074746]  cpuhp_thread_fun+0x230/0x5d8
[   30.074804]  smpboot_thread_fn+0x2e8/0x760
[   30.074915]  kthread+0x328/0x630
[   30.074967]  ret_from_fork+0x10/0x20
[   30.075003] 
[   30.075057] Freed by task 21:
[   30.075294]  kasan_save_stack+0x3c/0x68
[   30.075383]  kasan_save_track+0x20/0x40
[   30.075523]  kasan_save_free_info+0x4c/0x78
[   30.075619]  __kasan_slab_free+0x6c/0x98
[   30.075706]  kfree+0x214/0x3c8
[   30.075797]  build_sched_domains+0x1c64/0x3768
[   30.075844]  partition_sched_domains+0x79c/0x1098
[   30.075884]  rebuild_sched_domains_locked+0x494/0xde0
[   30.075968]  cpuset_handle_hotplug+0xab0/0x1480
[   30.076214]  cpuset_update_active_cpus+0x18/0x30
[   30.076252]  sched_cpu_activate+0x2d0/0x388
[   30.076289]  cpuhp_invoke_callback+0x5b8/0x1620
[   30.076342]  cpuhp_thread_fun+0x230/0x5d8
[   30.076383]  smpboot_thread_fn+0x2e8/0x760
[   30.076422]  kthread+0x328/0x630
[   30.076454]  ret_from_fork+0x10/0x20
[   30.076503] 
[   30.076529] The buggy address belongs to the object at fff00000c918c5c0
[   30.076529]  which belongs to the cache kmalloc-16 of size 16
[   30.076596] The buggy address is located 15 bytes to the right of
[   30.076596]  allocated 16-byte region [fff00000c918c5c0, fff00000c918c5d0)
[   30.076668] 
[   30.076689] The buggy address belongs to the physical page:
[   30.076719] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10918c
[   30.076780] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   30.076838] page_type: f5(slab)
[   30.076880] raw: 0bfffe0000000000 fff00000c0001640 dead000000000100 dead000000000122
[   30.076929] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   30.076979] page dumped because: kasan: bad access detected
[   30.077014] 
[   30.077032] Memory state around the buggy address:
[   30.077080]  fff00000c918c480: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   30.077123]  fff00000c918c500: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[   30.077172] >fff00000c918c580: fa fb fc fc fa fb fc fc fa fb fc fc 00 07 fc fc
[   30.077219]                                                     ^
[   30.077271]  fff00000c918c600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.077310]  fff00000c918c680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.077355] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

2zizK5DpLdiSo5JTRmUPvSCnGxG

job_id

TEST:linaro@lkft#2zizOeD8Jm6gvF6WEX3HpY0Yiv3

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2zizOeD8Jm6gvF6WEX3HpY0Yiv3

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zizLHXy0YY4Eb3Uvf7RBZBjPJe/Image.gz
sha256sum	37d9d8f3bf88d1e931fe46cf36571593b5a433a5d7333af6ff92cab414d2ee0c

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zizLHXy0YY4Eb3Uvf7RBZBjPJe/modules.tar.xz
sha256sum	f716ec16fb4ddf54116cb1eb73ee916ed3bd359ff95e4d969af9a161c3cb0a9f

durations

tests

boot	0
kunit	172.65

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

[   23.073101] ==================================================================
[   23.074306] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_left+0x361/0x3c0
[   23.075147] Read of size 1 at addr ffff88810226ac5f by task kunit_try_catch/188
[   23.076080] 
[   23.076301] CPU: 1 UID: 0 PID: 188 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary) 
[   23.076362] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.076374] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.076396] Call Trace:
[   23.076411]  <TASK>
[   23.076430]  dump_stack_lvl+0x73/0xb0
[   23.076464]  print_report+0xd1/0x610
[   23.076486]  ? __virt_addr_valid+0x1db/0x2d0
[   23.076511]  ? kmalloc_oob_left+0x361/0x3c0
[   23.076531]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.076560]  ? kmalloc_oob_left+0x361/0x3c0
[   23.076582]  kasan_report+0x141/0x180
[   23.076604]  ? kmalloc_oob_left+0x361/0x3c0
[   23.076628]  __asan_report_load1_noabort+0x18/0x20
[   23.076652]  kmalloc_oob_left+0x361/0x3c0
[   23.076672]  ? __pfx_kmalloc_oob_left+0x10/0x10
[   23.076694]  ? __schedule+0x10cc/0x2b60
[   23.076718]  ? __pfx_read_tsc+0x10/0x10
[   23.076752]  ? ktime_get_ts64+0x86/0x230
[   23.076778]  kunit_try_run_case+0x1a5/0x480
[   23.076802]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.076821]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.076844]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.076867]  ? __kthread_parkme+0x82/0x180
[   23.076888]  ? preempt_count_sub+0x50/0x80
[   23.076911]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.076932]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.076956]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.076981]  kthread+0x337/0x6f0
[   23.077000]  ? trace_preempt_on+0x20/0xc0
[   23.077024]  ? __pfx_kthread+0x10/0x10
[   23.077046]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.077067]  ? calculate_sigpending+0x7b/0xa0
[   23.077091]  ? __pfx_kthread+0x10/0x10
[   23.077113]  ret_from_fork+0x116/0x1d0
[   23.077132]  ? __pfx_kthread+0x10/0x10
[   23.077152]  ret_from_fork_asm+0x1a/0x30
[   23.077183]  </TASK>
[   23.077194] 
[   23.089921] Allocated by task 21:
[   23.090383]  kasan_save_stack+0x45/0x70
[   23.090820]  kasan_save_track+0x18/0x40
[   23.091304]  kasan_save_alloc_info+0x3b/0x50
[   23.091797]  __kasan_kmalloc+0xb7/0xc0
[   23.092207]  __kmalloc_cache_node_noprof+0x188/0x420
[   23.092861]  build_sched_domains+0x38c/0x5dd0
[   23.093373]  partition_sched_domains+0x471/0x9c0
[   23.093860]  rebuild_sched_domains_locked+0x97d/0xd50
[   23.094243]  cpuset_update_active_cpus+0x80f/0x1a90
[   23.094836]  sched_cpu_activate+0x2bf/0x330
[   23.095514]  cpuhp_invoke_callback+0x2a1/0xf00
[   23.095669]  cpuhp_thread_fun+0x2ce/0x5c0
[   23.095817]  smpboot_thread_fn+0x2bc/0x730
[   23.095954]  kthread+0x337/0x6f0
[   23.096068]  ret_from_fork+0x116/0x1d0
[   23.096193]  ret_from_fork_asm+0x1a/0x30
[   23.096787] 
[   23.097197] Freed by task 21:
[   23.097703]  kasan_save_stack+0x45/0x70
[   23.098255]  kasan_save_track+0x18/0x40
[   23.098726]  kasan_save_free_info+0x3f/0x60
[   23.099165]  __kasan_slab_free+0x56/0x70
[   23.099679]  kfree+0x222/0x3f0
[   23.100100]  build_sched_domains+0x1fff/0x5dd0
[   23.100754]  partition_sched_domains+0x471/0x9c0
[   23.101247]  rebuild_sched_domains_locked+0x97d/0xd50
[   23.101781]  cpuset_update_active_cpus+0x80f/0x1a90
[   23.102274]  sched_cpu_activate+0x2bf/0x330
[   23.102450]  cpuhp_invoke_callback+0x2a1/0xf00
[   23.102599]  cpuhp_thread_fun+0x2ce/0x5c0
[   23.102747]  smpboot_thread_fn+0x2bc/0x730
[   23.102882]  kthread+0x337/0x6f0
[   23.102996]  ret_from_fork+0x116/0x1d0
[   23.103122]  ret_from_fork_asm+0x1a/0x30
[   23.103276] 
[   23.103355] The buggy address belongs to the object at ffff88810226ac40
[   23.103355]  which belongs to the cache kmalloc-16 of size 16
[   23.103798] The buggy address is located 15 bytes to the right of
[   23.103798]  allocated 16-byte region [ffff88810226ac40, ffff88810226ac50)
[   23.104931] 
[   23.105098] The buggy address belongs to the physical page:
[   23.105299] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10226a
[   23.105922] flags: 0x200000000000000(node=0|zone=2)
[   23.106201] page_type: f5(slab)
[   23.106415] raw: 0200000000000000 ffff888100041640 dead000000000100 dead000000000122
[   23.107046] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   23.107432] page dumped because: kasan: bad access detected
[   23.107750] 
[   23.108078] Memory state around the buggy address:
[   23.108660]  ffff88810226ab00: fa fb fc fc 00 06 fc fc 00 06 fc fc 00 06 fc fc
[   23.108976]  ffff88810226ab80: fa fb fc fc 00 00 fc fc fa fb fc fc fa fb fc fc
[   23.109268] >ffff88810226ac00: fa fb fc fc fa fb fc fc fa fb fc fc 00 07 fc fc
[   23.109750]                                                     ^
[   23.110003]  ffff88810226ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.110441]  ffff88810226ad00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.110767] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

2zizK5DpLdiSo5JTRmUPvSCnGxG

job_id

TEST:linaro@lkft#2zizPosnQ5rY23goGLqjSSGUMDT

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2zizPosnQ5rY23goGLqjSSGUMDT

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zizMF2TFo5wqp9ExxxKcu7DMgd/bzImage
sha256sum	0b86f8183e71d185ecf48e91daf338a38748221ed84c99d5fcc0aff2fb4fe4d2

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zizMF2TFo5wqp9ExxxKcu7DMgd/modules.tar.xz
sha256sum	1cecf8a22d53cbe6f1135ddb095fc53e6fe8ebbda902547c47910320c1d5aa61

durations

tests

boot	0
kunit	220.78

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

Metadata

Failure - e850-96 - gcc-13-lkftconfig-kunit

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit