Date: July 14, 2025, 10:38 a.m.

Environment |
---|
e850-96 |
qemu-arm64 |
qemu-x86_64 |

e850-96:

```
[ 56.610076] ==================================================================
[ 56.617151] BUG: KASAN: slab-use-after-free in strlen+0xa8/0xb0
[ 56.623053] Read of size 1 at addr ffff000808564890 by task kunit_try_catch/343
[ 56.630344]
[ 56.631829] CPU: 2 UID: 0 PID: 343 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT
[ 56.631879] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 56.631899] Hardware name: WinLink E850-96 board (DT)
[ 56.631919] Call trace:
[ 56.631933]  show_stack+0x20/0x38 (C)
[ 56.631970]  dump_stack_lvl+0x8c/0xd0
[ 56.632001]  print_report+0x118/0x5d0
[ 56.632032]  kasan_report+0xdc/0x128
[ 56.632060]  __asan_report_load1_noabort+0x20/0x30
[ 56.632095]  strlen+0xa8/0xb0
[ 56.632127]  kasan_strings+0x418/0xb00
[ 56.632159]  kunit_try_run_case+0x170/0x3f0
[ 56.632197]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 56.632230]  kthread+0x328/0x630
[ 56.632261]  ret_from_fork+0x10/0x20
[ 56.632296]
[ 56.698400] Allocated by task 343:
[ 56.701786]  kasan_save_stack+0x3c/0x68
[ 56.705602]  kasan_save_track+0x20/0x40
[ 56.709423]  kasan_save_alloc_info+0x40/0x58
[ 56.713676]  __kasan_kmalloc+0xd4/0xd8
[ 56.717409]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 56.721923]  kasan_strings+0xc8/0xb00
[ 56.725569]  kunit_try_run_case+0x170/0x3f0
[ 56.729735]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 56.735204]  kthread+0x328/0x630
[ 56.738416]  ret_from_fork+0x10/0x20
[ 56.741974]
[ 56.743450] Freed by task 343:
[ 56.746488]  kasan_save_stack+0x3c/0x68
[ 56.750308]  kasan_save_track+0x20/0x40
[ 56.754127]  kasan_save_free_info+0x4c/0x78
[ 56.758294]  __kasan_slab_free+0x6c/0x98
[ 56.762200]  kfree+0x214/0x3c8
[ 56.765238]  kasan_strings+0x24c/0xb00
[ 56.768971]  kunit_try_run_case+0x170/0x3f0
[ 56.773137]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 56.778606]  kthread+0x328/0x630
[ 56.781818]  ret_from_fork+0x10/0x20
[ 56.785377]
[ 56.786852] The buggy address belongs to the object at ffff000808564880
[ 56.786852]  which belongs to the cache kmalloc-32 of size 32
[ 56.799182] The buggy address is located 16 bytes inside of
[ 56.799182]  freed 32-byte region [ffff000808564880, ffff0008085648a0)
[ 56.811244]
[ 56.812723] The buggy address belongs to the physical page:
[ 56.818278] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x888564
[ 56.826263] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 56.832772] page_type: f5(slab)
[ 56.835907] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000
[ 56.843629] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 56.851348] page dumped because: kasan: bad access detected
[ 56.856903]
[ 56.858378] Memory state around the buggy address:
[ 56.863160]  ffff000808564780: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 56.870362]  ffff000808564800: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 56.877566] >ffff000808564880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 56.884767]                          ^
[ 56.888504]  ffff000808564900: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 56.895708]  ffff000808564980: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 56.902910] ==================================================================
```

qemu-arm64:

```
[ 31.993352] ==================================================================
[ 31.993906] BUG: KASAN: slab-use-after-free in strlen+0xa8/0xb0
[ 31.993981] Read of size 1 at addr fff00000c65343d0 by task kunit_try_catch/290
[ 31.994293]
[ 31.994345] CPU: 0 UID: 0 PID: 290 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250714 #1 PREEMPT
[ 31.994557] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.994683] Hardware name: linux,dummy-virt (DT)
[ 31.994720] Call trace:
[ 31.994786]  show_stack+0x20/0x38 (C)
[ 31.994849]  dump_stack_lvl+0x8c/0xd0
[ 31.995141]  print_report+0x118/0x5d0
[ 31.995211]  kasan_report+0xdc/0x128
[ 31.995437]  __asan_report_load1_noabort+0x20/0x30
[ 31.995511]  strlen+0xa8/0xb0
[ 31.995691]  kasan_strings+0x418/0xb00
[ 31.995755]  kunit_try_run_case+0x170/0x3f0
[ 31.995881]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.996162]  kthread+0x328/0x630
[ 31.996290]  ret_from_fork+0x10/0x20
[ 31.996374]
[ 31.996413] Allocated by task 290:
[ 31.996575]  kasan_save_stack+0x3c/0x68
[ 31.996625]  kasan_save_track+0x20/0x40
[ 31.996884]  kasan_save_alloc_info+0x40/0x58
[ 31.997014]  __kasan_kmalloc+0xd4/0xd8
[ 31.997156]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 31.997310]  kasan_strings+0xc8/0xb00
[ 31.997365]  kunit_try_run_case+0x170/0x3f0
[ 31.997593]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.997748]  kthread+0x328/0x630
[ 31.997810]  ret_from_fork+0x10/0x20
[ 31.998187]
[ 31.998229] Freed by task 290:
[ 31.998435]  kasan_save_stack+0x3c/0x68
[ 31.998627]  kasan_save_track+0x20/0x40
[ 31.998699]  kasan_save_free_info+0x4c/0x78
[ 31.998899]  __kasan_slab_free+0x6c/0x98
[ 31.999099]  kfree+0x214/0x3c8
[ 31.999197]  kasan_strings+0x24c/0xb00
[ 31.999237]  kunit_try_run_case+0x170/0x3f0
[ 31.999415]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.999460]  kthread+0x328/0x630
[ 31.999850]  ret_from_fork+0x10/0x20
[ 31.999948]
[ 31.999971] The buggy address belongs to the object at fff00000c65343c0
[ 31.999971]  which belongs to the cache kmalloc-32 of size 32
[ 32.000373] The buggy address is located 16 bytes inside of
[ 32.000373]  freed 32-byte region [fff00000c65343c0, fff00000c65343e0)
[ 32.000491]
[ 32.000527] The buggy address belongs to the physical page:
[ 32.000585] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106534
[ 32.000655] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 32.000707] page_type: f5(slab)
[ 32.000861] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 32.001121] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 32.001257] page dumped because: kasan: bad access detected
[ 32.001346]
[ 32.001487] Memory state around the buggy address:
[ 32.001547]  fff00000c6534280: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 32.001920]  fff00000c6534300: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[ 32.001996] >fff00000c6534380: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 32.002139]                                                  ^
[ 32.002219]  fff00000c6534400: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 32.002379]  fff00000c6534480: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 32.002469] ==================================================================
```

qemu-x86_64:

```
[ 26.340871] ==================================================================
[ 26.341401] BUG: KASAN: slab-use-after-free in strlen+0x8f/0xb0
[ 26.341685] Read of size 1 at addr ffff888103eba090 by task kunit_try_catch/308
[ 26.342392]
[ 26.342502] CPU: 0 UID: 0 PID: 308 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc6-next-20250714 #1 PREEMPT(voluntary)
[ 26.342555] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 26.342569] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 26.342593] Call Trace:
[ 26.342606]  <TASK>
[ 26.342627]  dump_stack_lvl+0x73/0xb0
[ 26.342671]  print_report+0xd1/0x610
[ 26.342696]  ? __virt_addr_valid+0x1db/0x2d0
[ 26.342720]  ? strlen+0x8f/0xb0
[ 26.342738]  ? kasan_complete_mode_report_info+0x64/0x200
[ 26.342763]  ? strlen+0x8f/0xb0
[ 26.342781]  kasan_report+0x141/0x180
[ 26.342803]  ? strlen+0x8f/0xb0
[ 26.342842]  __asan_report_load1_noabort+0x18/0x20
[ 26.342865]  strlen+0x8f/0xb0
[ 26.342884]  kasan_strings+0x57b/0xe80
[ 26.342904]  ? trace_hardirqs_on+0x37/0xe0
[ 26.342927]  ? __pfx_kasan_strings+0x10/0x10
[ 26.342946]  ? finish_task_switch.isra.0+0x153/0x700
[ 26.342968]  ? __switch_to+0x47/0xf80
[ 26.342993]  ? __schedule+0x10cc/0x2b60
[ 26.343015]  ? __pfx_read_tsc+0x10/0x10
[ 26.343037]  ? ktime_get_ts64+0x86/0x230
[ 26.343061]  kunit_try_run_case+0x1a5/0x480
[ 26.343084]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.343104]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 26.343138]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 26.343161]  ? __kthread_parkme+0x82/0x180
[ 26.343185]  ? preempt_count_sub+0x50/0x80
[ 26.343207]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 26.343228]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.343253]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 26.343277]  kthread+0x337/0x6f0
[ 26.343297]  ? trace_preempt_on+0x20/0xc0
[ 26.343318]  ? __pfx_kthread+0x10/0x10
[ 26.343338]  ? _raw_spin_unlock_irq+0x47/0x80
[ 26.343359]  ? calculate_sigpending+0x7b/0xa0
[ 26.343382]  ? __pfx_kthread+0x10/0x10
[ 26.343404]  ret_from_fork+0x116/0x1d0
[ 26.343422]  ? __pfx_kthread+0x10/0x10
[ 26.343442]  ret_from_fork_asm+0x1a/0x30
[ 26.343472]  </TASK>
[ 26.343484]
[ 26.350917] Allocated by task 308:
[ 26.351120]  kasan_save_stack+0x45/0x70
[ 26.351332]  kasan_save_track+0x18/0x40
[ 26.351527]  kasan_save_alloc_info+0x3b/0x50
[ 26.351743]  __kasan_kmalloc+0xb7/0xc0
[ 26.351908]  __kmalloc_cache_noprof+0x189/0x420
[ 26.352080]  kasan_strings+0xc0/0xe80
[ 26.352205]  kunit_try_run_case+0x1a5/0x480
[ 26.352343]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.352556]  kthread+0x337/0x6f0
[ 26.352793]  ret_from_fork+0x116/0x1d0
[ 26.352982]  ret_from_fork_asm+0x1a/0x30
[ 26.353176]
[ 26.353262] Freed by task 308:
[ 26.353519]  kasan_save_stack+0x45/0x70
[ 26.353776]  kasan_save_track+0x18/0x40
[ 26.353905]  kasan_save_free_info+0x3f/0x60
[ 26.354230]  __kasan_slab_free+0x56/0x70
[ 26.354373]  kfree+0x222/0x3f0
[ 26.354822]  kasan_strings+0x2aa/0xe80
[ 26.355034]  kunit_try_run_case+0x1a5/0x480
[ 26.355220]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 26.355422]  kthread+0x337/0x6f0
[ 26.355537]  ret_from_fork+0x116/0x1d0
[ 26.355739]  ret_from_fork_asm+0x1a/0x30
[ 26.355958]
[ 26.356049] The buggy address belongs to the object at ffff888103eba080
[ 26.356049]  which belongs to the cache kmalloc-32 of size 32
[ 26.356533] The buggy address is located 16 bytes inside of
[ 26.356533]  freed 32-byte region [ffff888103eba080, ffff888103eba0a0)
[ 26.356978]
[ 26.357161] The buggy address belongs to the physical page:
[ 26.357371] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103eba
[ 26.357671] flags: 0x200000000000000(node=0|zone=2)
[ 26.358053] page_type: f5(slab)
[ 26.358202] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[ 26.358427] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 26.358646] page dumped because: kasan: bad access detected
[ 26.358871]
[ 26.358959] Memory state around the buggy address:
[ 26.359176]  ffff888103eb9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.359487]  ffff888103eba000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 26.359805] >ffff888103eba080: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 26.360131]                          ^
[ 26.360253]  ffff888103eba100: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 26.360458]  ffff888103eba180: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 26.360977] ==================================================================
```