lkft/linux-next-master - next-20250714 - log-parser-boot/kasan-bug-kasan-slab-use-after-free-in-strnlen

Date

July 14, 2025, 10:38 a.m.

Environment
e850-96
qemu-arm64
qemu-x86_64

[   56.910296] ==================================================================
[   56.917322] BUG: KASAN: slab-use-after-free in strnlen+0x80/0x88
[   56.923309] Read of size 1 at addr ffff000808564890 by task kunit_try_catch/343
[   56.930600] 
[   56.932085] CPU: 2 UID: 0 PID: 343 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250714 #1 PREEMPT 
[   56.932139] Tainted: [B]=BAD_PAGE, [N]=TEST
[   56.932156] Hardware name: WinLink E850-96 board (DT)
[   56.932178] Call trace:
[   56.932193]  show_stack+0x20/0x38 (C)
[   56.932225]  dump_stack_lvl+0x8c/0xd0
[   56.932257]  print_report+0x118/0x5d0
[   56.932286]  kasan_report+0xdc/0x128
[   56.932314]  __asan_report_load1_noabort+0x20/0x30
[   56.932351]  strnlen+0x80/0x88
[   56.932384]  kasan_strings+0x478/0xb00
[   56.932416]  kunit_try_run_case+0x170/0x3f0
[   56.932452]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   56.932487]  kthread+0x328/0x630
[   56.932518]  ret_from_fork+0x10/0x20
[   56.932552] 
[   56.998741] Allocated by task 343:
[   57.002128]  kasan_save_stack+0x3c/0x68
[   57.005946]  kasan_save_track+0x20/0x40
[   57.009766]  kasan_save_alloc_info+0x40/0x58
[   57.014019]  __kasan_kmalloc+0xd4/0xd8
[   57.017752]  __kmalloc_cache_noprof+0x16c/0x3c0
[   57.022265]  kasan_strings+0xc8/0xb00
[   57.025911]  kunit_try_run_case+0x170/0x3f0
[   57.030079]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   57.035547]  kthread+0x328/0x630
[   57.038758]  ret_from_fork+0x10/0x20
[   57.042317] 
[   57.043793] Freed by task 343:
[   57.046831]  kasan_save_stack+0x3c/0x68
[   57.050650]  kasan_save_track+0x20/0x40
[   57.054469]  kasan_save_free_info+0x4c/0x78
[   57.058636]  __kasan_slab_free+0x6c/0x98
[   57.062543]  kfree+0x214/0x3c8
[   57.065581]  kasan_strings+0x24c/0xb00
[   57.069313]  kunit_try_run_case+0x170/0x3f0
[   57.073480]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   57.078948]  kthread+0x328/0x630
[   57.082160]  ret_from_fork+0x10/0x20
[   57.085719] 
[   57.087195] The buggy address belongs to the object at ffff000808564880
[   57.087195]  which belongs to the cache kmalloc-32 of size 32
[   57.099522] The buggy address is located 16 bytes inside of
[   57.099522]  freed 32-byte region [ffff000808564880, ffff0008085648a0)
[   57.111587] 
[   57.113065] The buggy address belongs to the physical page:
[   57.118620] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x888564
[   57.126605] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   57.133114] page_type: f5(slab)
[   57.136249] raw: 0bfffe0000000000 ffff000800002780 dead000000000122 0000000000000000
[   57.143971] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   57.151692] page dumped because: kasan: bad access detected
[   57.157246] 
[   57.158721] Memory state around the buggy address:
[   57.163500]  ffff000808564780: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   57.170704]  ffff000808564800: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   57.177909] >ffff000808564880: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   57.185110]                          ^
[   57.188846]  ffff000808564900: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   57.196051]  ffff000808564980: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   57.203252] ==================================================================

Metadata Full log Test run details

[   32.003528] ==================================================================
[   32.003853] BUG: KASAN: slab-use-after-free in strnlen+0x80/0x88
[   32.004200] Read of size 1 at addr fff00000c65343d0 by task kunit_try_catch/290
[   32.004283] 
[   32.004427] CPU: 0 UID: 0 PID: 290 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250714 #1 PREEMPT 
[   32.004552] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.004587] Hardware name: linux,dummy-virt (DT)
[   32.004618] Call trace:
[   32.004644]  show_stack+0x20/0x38 (C)
[   32.004850]  dump_stack_lvl+0x8c/0xd0
[   32.005079]  print_report+0x118/0x5d0
[   32.005163]  kasan_report+0xdc/0x128
[   32.005260]  __asan_report_load1_noabort+0x20/0x30
[   32.005443]  strnlen+0x80/0x88
[   32.005622]  kasan_strings+0x478/0xb00
[   32.005698]  kunit_try_run_case+0x170/0x3f0
[   32.005777]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.006177]  kthread+0x328/0x630
[   32.006406]  ret_from_fork+0x10/0x20
[   32.006722] 
[   32.006892] Allocated by task 290:
[   32.006941]  kasan_save_stack+0x3c/0x68
[   32.007154]  kasan_save_track+0x20/0x40
[   32.007378]  kasan_save_alloc_info+0x40/0x58
[   32.007466]  __kasan_kmalloc+0xd4/0xd8
[   32.007579]  __kmalloc_cache_noprof+0x16c/0x3c0
[   32.007685]  kasan_strings+0xc8/0xb00
[   32.007855]  kunit_try_run_case+0x170/0x3f0
[   32.007918]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.007960]  kthread+0x328/0x630
[   32.008075]  ret_from_fork+0x10/0x20
[   32.008117] 
[   32.008150] Freed by task 290:
[   32.008183]  kasan_save_stack+0x3c/0x68
[   32.008471]  kasan_save_track+0x20/0x40
[   32.008647]  kasan_save_free_info+0x4c/0x78
[   32.008848]  __kasan_slab_free+0x6c/0x98
[   32.009081]  kfree+0x214/0x3c8
[   32.009158]  kasan_strings+0x24c/0xb00
[   32.009306]  kunit_try_run_case+0x170/0x3f0
[   32.009419]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.009566]  kthread+0x328/0x630
[   32.009659]  ret_from_fork+0x10/0x20
[   32.009793] 
[   32.009816] The buggy address belongs to the object at fff00000c65343c0
[   32.009816]  which belongs to the cache kmalloc-32 of size 32
[   32.009923] The buggy address is located 16 bytes inside of
[   32.009923]  freed 32-byte region [fff00000c65343c0, fff00000c65343e0)
[   32.010423] 
[   32.010474] The buggy address belongs to the physical page:
[   32.010528] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106534
[   32.010753] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.010812] page_type: f5(slab)
[   32.010988] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   32.011061] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   32.011104] page dumped because: kasan: bad access detected
[   32.011148] 
[   32.011180] Memory state around the buggy address:
[   32.011216]  fff00000c6534280: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   32.011259]  fff00000c6534300: 00 00 00 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   32.011315] >fff00000c6534380: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   32.011365]                                                  ^
[   32.011409]  fff00000c6534400: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   32.011461]  fff00000c6534480: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   32.011502] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

2zrVzYzOpEW4XHiYds9jEwikFK7

job_id

TEST:linaro@lkft#2zrW4gkgpPvPvyu1JhrLI5SfZ9n

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2zrW4gkgpPvPvyu1JhrLI5SfZ9n

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zrW17i5CHwMjQFrMEumC4tgHQD/Image.gz
sha256sum	f1b1de68ab66795221ea7af2c885166039edc905709ae2b868dbc429ffb32d0d

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zrW17i5CHwMjQFrMEumC4tgHQD/modules.tar.xz
sha256sum	94a5b5b8edfcc1ec8f65ff9d692207a782ba849df77dd9baa05c20bf5972d8f6

durations

tests

boot	0
kunit	174.68

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

[   26.361513] ==================================================================
[   26.361859] BUG: KASAN: slab-use-after-free in strnlen+0x73/0x80
[   26.362391] Read of size 1 at addr ffff888103eba090 by task kunit_try_catch/308
[   26.362734] 
[   26.362837] CPU: 0 UID: 0 PID: 308 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc6-next-20250714 #1 PREEMPT(voluntary) 
[   26.362889] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   26.362903] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   26.362929] Call Trace:
[   26.362949]  <TASK>
[   26.362968]  dump_stack_lvl+0x73/0xb0
[   26.362997]  print_report+0xd1/0x610
[   26.363022]  ? __virt_addr_valid+0x1db/0x2d0
[   26.363045]  ? strnlen+0x73/0x80
[   26.363063]  ? kasan_complete_mode_report_info+0x64/0x200
[   26.363089]  ? strnlen+0x73/0x80
[   26.363107]  kasan_report+0x141/0x180
[   26.363129]  ? strnlen+0x73/0x80
[   26.363151]  __asan_report_load1_noabort+0x18/0x20
[   26.363175]  strnlen+0x73/0x80
[   26.363195]  kasan_strings+0x615/0xe80
[   26.363215]  ? trace_hardirqs_on+0x37/0xe0
[   26.363240]  ? __pfx_kasan_strings+0x10/0x10
[   26.363259]  ? finish_task_switch.isra.0+0x153/0x700
[   26.363280]  ? __switch_to+0x47/0xf80
[   26.363306]  ? __schedule+0x10cc/0x2b60
[   26.363328]  ? __pfx_read_tsc+0x10/0x10
[   26.363348]  ? ktime_get_ts64+0x86/0x230
[   26.363373]  kunit_try_run_case+0x1a5/0x480
[   26.363395]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.363415]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   26.363438]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   26.363461]  ? __kthread_parkme+0x82/0x180
[   26.363481]  ? preempt_count_sub+0x50/0x80
[   26.363503]  ? __pfx_kunit_try_run_case+0x10/0x10
[   26.363525]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.363549]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   26.363574]  kthread+0x337/0x6f0
[   26.363594]  ? trace_preempt_on+0x20/0xc0
[   26.363615]  ? __pfx_kthread+0x10/0x10
[   26.363636]  ? _raw_spin_unlock_irq+0x47/0x80
[   26.363668]  ? calculate_sigpending+0x7b/0xa0
[   26.363692]  ? __pfx_kthread+0x10/0x10
[   26.363713]  ret_from_fork+0x116/0x1d0
[   26.363732]  ? __pfx_kthread+0x10/0x10
[   26.363825]  ret_from_fork_asm+0x1a/0x30
[   26.363856]  </TASK>
[   26.363867] 
[   26.371711] Allocated by task 308:
[   26.371914]  kasan_save_stack+0x45/0x70
[   26.372098]  kasan_save_track+0x18/0x40
[   26.372238]  kasan_save_alloc_info+0x3b/0x50
[   26.372383]  __kasan_kmalloc+0xb7/0xc0
[   26.372509]  __kmalloc_cache_noprof+0x189/0x420
[   26.372668]  kasan_strings+0xc0/0xe80
[   26.372792]  kunit_try_run_case+0x1a5/0x480
[   26.372930]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.373099]  kthread+0x337/0x6f0
[   26.373217]  ret_from_fork+0x116/0x1d0
[   26.373451]  ret_from_fork_asm+0x1a/0x30
[   26.373639] 
[   26.373812] Freed by task 308:
[   26.373985]  kasan_save_stack+0x45/0x70
[   26.374441]  kasan_save_track+0x18/0x40
[   26.374625]  kasan_save_free_info+0x3f/0x60
[   26.374956]  __kasan_slab_free+0x56/0x70
[   26.375198]  kfree+0x222/0x3f0
[   26.375355]  kasan_strings+0x2aa/0xe80
[   26.375537]  kunit_try_run_case+0x1a5/0x480
[   26.375754]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   26.375932]  kthread+0x337/0x6f0
[   26.376140]  ret_from_fork+0x116/0x1d0
[   26.376321]  ret_from_fork_asm+0x1a/0x30
[   26.376505] 
[   26.376577] The buggy address belongs to the object at ffff888103eba080
[   26.376577]  which belongs to the cache kmalloc-32 of size 32
[   26.377112] The buggy address is located 16 bytes inside of
[   26.377112]  freed 32-byte region [ffff888103eba080, ffff888103eba0a0)
[   26.377516] 
[   26.377584] The buggy address belongs to the physical page:
[   26.377775] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103eba
[   26.378287] flags: 0x200000000000000(node=0|zone=2)
[   26.378679] page_type: f5(slab)
[   26.378941] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   26.379517] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   26.379929] page dumped because: kasan: bad access detected
[   26.380114] 
[   26.380178] Memory state around the buggy address:
[   26.380329]  ffff888103eb9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.380566]  ffff888103eba000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   26.380888] >ffff888103eba080: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   26.381203]                          ^
[   26.381378]  ffff888103eba100: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   26.381688]  ffff888103eba180: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[   26.382090] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

2zrVzYzOpEW4XHiYds9jEwikFK7

job_id

TEST:linaro@lkft#2zrW5XeyUzOSFr9BpBP7b7OYkHS

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2zrW5XeyUzOSFr9BpBP7b7OYkHS

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zrW2SH9xrBCbgawOpHg8puHqCe/bzImage
sha256sum	4565f21e261caec61f0904b87ff9eab2fa750b37970854db3ef378370e96c96a

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zrW2SH9xrBCbgawOpHg8puHqCe/modules.tar.xz
sha256sum	25191cedf68988510c88d39b245d9f83740d3133c412cf5e2b129a6de7adb415

durations

tests

boot	0
kunit	230.83

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

Metadata

Failure - e850-96 - gcc-13-lkftconfig-kunit

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit