On 6/5/26 1:55 PM, Alexis Lothoré wrote:
On Fri Jun 5, 2026 at 7:20 PM CEST, Yonghong Song wrote:
[...]
Are you seeing any kasan report when you manually check your kernel
logs, or not at all? If not at all, are you using the "CI" defconfig?
I do see one report:
[ 79.503059]
==================================================================
[ 79.503715] BUG: KASAN: slab-use-after-free in bpf_prog_bb753b2ee1f69aa0_st_not_on_stack+0x115/0x160
[ 79.503715] Write of size 1 at addr ff11000117210a20 by task test_progs/2153
[ 79.503715] CPU: 6 UID: 0 PID: 2153 Comm: test_progs Tainted: G OE 7.1.0-rc5-gd552a156c2fa #1926 PREEMPT(full)
[ 79.503715] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[ 79.503715] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 79.503715] Call Trace:
[ 79.503715] <TASK>
[ 79.503715] dump_stack_lvl+0x6d/0xa0
[ 79.503715] print_address_description+0x77/0x200
[ 79.503715] print_report+0x58/0x70
[ 79.503715] ? bpf_prog_bb753b2ee1f69aa0_st_not_on_stack+0x115/0x160
[ 79.503715] kasan_report+0xa2/0xe0
[ 79.503715] ? bpf_prog_bb753b2ee1f69aa0_st_not_on_stack+0x115/0x160
[ 79.503715] ? bpf_test_run+0x208/0x770
[ 79.503715] bpf_prog_bb753b2ee1f69aa0_st_not_on_stack+0x115/0x160
[ 79.503715] bpf_test_run+0x472/0x770
[ 79.503715] ? srso_alias_return_thunk+0x5/0xfbef5
[ 79.503715] ? __lock_acquire+0xe4a/0x2a10
[ 79.503715] ? __pfx___css_rstat_updated+0x10/0x10
[ 79.503715] ? __lock_acquire+0xe4a/0x2a10
[ 79.503715] ? __pfx_bpf_test_run+0x10/0x10
[ 79.503715] ? srso_alias_return_thunk+0x5/0xfbef5
[ 79.503715] ? lock_acquire+0xfd/0x2b0
[ 79.503715] ? srso_alias_return_thunk+0x5/0xfbef5
[ 79.503715] ? srso_alias_return_thunk+0x5/0xfbef5
[ 79.503715] ? rcu_is_watching+0x1f/0xa0
[ 79.503715] ? srso_alias_return_thunk+0x5/0xfbef5
[ 79.503715] ? __kasan_krealloc+0xe9/0x110
[ 79.503715] ? eth_type_trans+0x4b9/0x5f0
[ 79.503715] bpf_prog_test_run_skb+0xddf/0x22f0
[ 79.503715] ? __fget_files+0x29/0x350
[ 79.503715] ? srso_alias_return_thunk+0x5/0xfbef5
[ 79.503715] ? __fget_files+0x29/0x350
[ 79.503715] bpf_prog_test_run+0x1cc/0x2d0
[ 79.503715] __sys_bpf+0x740/0xa30
[ 79.503715] ? __pfx___sys_bpf+0x10/0x10
[ 79.503715] ? _prb_read_valid+0x334/0x770
[ 79.503715] ? handle_mm_fault+0x91b/0xc00
[ 79.503715] __x64_sys_bpf+0xba/0xd0
[ 79.503715] do_syscall_64+0xee/0x400
[ 79.503715] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 79.503715] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 79.503715] RIP: 0033:0x7f92d8cfe1ad
[ 79.503715] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 8
[ 79.503715] RSP: 002b:00007ffe4237fee8 EFLAGS: 00000206 ORIG_RAX: 0000000000000141
[ 79.503715] RAX: ffffffffffffffda RBX: 00007ffe423807b8 RCX: 00007f92d8cfe1ad
[ 79.503715] RDX: 0000000000000050 RSI: 00007ffe4237ff70 RDI: 000000000000000a
[ 79.503715] RBP: 00007ffe4237ff10 R08: 0000000000000000 R09: 0000000000000050
[ 79.503715] R10: 0000000000000064 R11: 0000000000000206 R12: 0000000000000000
[ 79.503715] R13: 00007ffe423807d8 R14: 00007f92d8eb9000 R15: 00005585778dd150
[ 79.503715] </TASK>
[ 79.503715] Allocated by task 2153:
[ 79.503715] kasan_save_track+0x2f/0x70
[ 79.503715] __kasan_kmalloc+0x72/0x90
[ 79.503715] __kmalloc_node_noprof+0x34c/0x730
[ 79.503715] bpf_map_area_alloc+0x4a/0x110
[ 79.503715] array_map_alloc+0x19e/0x580
[ 79.503715] map_create+0x8b2/0x1500
[ 79.503715] __sys_bpf+0x7ea/0xa30
[ 79.503715] __x64_sys_bpf+0xba/0xd0
[ 79.503715] do_syscall_64+0xee/0x400
[ 79.503715] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 79.503715] The buggy address belongs to the object at ff11000117210800 which belongs to the cache kmalloc-cg-1k of size 1024
[ 79.503715] The buggy address is located 0 bytes to the right of freed 544-byte region [ff11000117210800, ff11000117210a20)
[ 79.503715] The buggy address belongs to the physical page:
[ 79.503715] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117210
[ 79.503715] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.503715] memcg:ff11000117210411
[ 79.503715] flags: 0x200000000000040(head|node=0|zone=2)
[ 79.503715] page_type: f5(slab)
[ 79.503715] raw: 0200000000000040 ff11000100072000 dead000000000100 dead000000000122
[ 79.503715] raw: 0000000000000000 0000080000100010 00000000f5000000 ff11000117210411
[ 79.503715] head: 0200000000000040 ff11000100072000 dead000000000100 dead000000000122
[ 79.503715] head: 0000000000000000 0000080000100010 00000000f5000000 ff11000117210411
[ 79.503715] head: 0200000000000003 fffffffffffffe01 00000000ffffffff 00000000ffffffff
[ 79.503715] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
[ 79.503715] page dumped because: kasan: bad access detected
[ 79.503715] Memory state around the buggy address:
[ 79.503715] ff11000117210900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 79.503715] ff11000117210980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 79.503715] >ff11000117210a00: 00 00 00 00 fb fb fc fc fc fc fc fc fc fc fc fc
[ 79.503715] ^
[ 79.503715] ff11000117210a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.503715] ff11000117210b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.503715]
==================================================================
But when I am running another same test './test_progs -t kasan', there are no
kasan reports.
Ok, I guess you are missing kasan_multi_shot on your kernel command
line: without this option, only the first report is generated, then
KASAN does not emit additional report until you restart your kernel.
Could you please try adding it and running the tests again?
Thanks! Adding 'kasan_multi_shot' to the kernel command line indeed fixed the
problem.
It would be great if you can mention 'kasan_multi_shot' is needed in the kernel
command line in the cover letter and in patch 8.
Thanks,
Alexis
cat tools/testing/selftests/bpf/{config,config.vm,config.x86_64} > .config
&& make olddefconfig
If not, would you mind sharing your defconfig?
Attached.
Thanks,
Alexis
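A small pre-flight helper for the two points discussed in this thread, added here as an illustration and not part of the thread or of the selftests: it checks a kernel command line for the kasan_multi_shot token (without it only the first report is printed until reboot) and extracts the bug type and faulting function from each "BUG: KASAN:" header in a kernel log, so a test harness can tell whether later reports were silently dropped. The log lines it parses are constructed; the first header mirrors the report quoted above, the second is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a POSIX sh with sed and wc.

# Return 0 if the kasan_multi_shot token is present in the given cmdline
# string (exact token match, so "kasan_multi_shot=foo" does not count).
has_kasan_multi_shot() {
    for tok in $1; do
        [ "$tok" = "kasan_multi_shot" ] && return 0
    done
    return 1
}

# Read a kernel log on stdin and print "<bug-type> <function>" for every
# KASAN report header, e.g.
#   slab-use-after-free bpf_prog_bb753b2ee1f69aa0_st_not_on_stack
kasan_reports() {
    sed -n 's/.*BUG: KASAN: \([^ ]*\) in \([^+]*\)+.*/\1 \2/p'
}

# Number of KASAN report headers in the log passed as a string.
count_kasan_reports() {
    printf '%s\n' "$1" | kasan_reports | wc -l | tr -d ' '
}

# Constructed sample log: the first header is the one quoted in the thread,
# the second is a placeholder to show that several reports are counted.
SAMPLE_LOG='[   79.503715] BUG: KASAN: slab-use-after-free in bpf_prog_bb753b2ee1f69aa0_st_not_on_stack+0x115/0x160
[   79.503715] Write of size 1 at addr ff11000117210a20 by task test_progs/2153
[   80.101010] BUG: KASAN: slab-out-of-bounds in placeholder_func+0x20/0x40'

main() {
    cmdline=""
    [ -r /proc/cmdline ] && cmdline=$(cat /proc/cmdline)
    if has_kasan_multi_shot "$cmdline"; then
        echo "kasan_multi_shot: present"
    else
        echo "kasan_multi_shot: missing; only the first KASAN report will be printed" >&2
    fi
    echo "reports in sample log: $(count_kasan_reports "$SAMPLE_LOG")"
    printf '%s\n' "$SAMPLE_LOG" | kasan_reports
}

main "$@"
```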