Hay
Date
July 6, 2025, 11:09 p.m.

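Environment
qemu-arm64
qemu-x86_64
x86

Note: in every report below, kmalloc_uaf is called from kunit_try_run_case in task kunit_try_catch, and the kernel carries the [N]=TEST taint. These therefore appear to be the expected output of the KASAN KUnit self-test, which deliberately reads a freed kmalloc-16 object, and not a use-after-free in a production code path. Judging by the "Hardware name" lines, the first two reports come from the arm64 QEMU guest (linux,dummy-virt), the next two from the x86_64 QEMU guest, and the last from physical x86 hardware.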

[   16.996695] ==================================================================
[   16.996892] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   16.996953] Read of size 1 at addr fff00000c5fbe828 by task kunit_try_catch/185
[   16.997045] 
[   16.997103] CPU: 0 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   16.997187] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.997213] Hardware name: linux,dummy-virt (DT)
[   16.997338] Call trace:
[   16.997409]  show_stack+0x20/0x38 (C)
[   16.997461]  dump_stack_lvl+0x8c/0xd0
[   16.997505]  print_report+0x118/0x608
[   16.997549]  kasan_report+0xdc/0x128
[   16.997592]  __asan_report_load1_noabort+0x20/0x30
[   16.997758]  kmalloc_uaf+0x300/0x338
[   16.997811]  kunit_try_run_case+0x170/0x3f0
[   16.997882]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.997934]  kthread+0x328/0x630
[   16.997973]  ret_from_fork+0x10/0x20
[   16.998214] 
[   16.998278] Allocated by task 185:
[   16.998338]  kasan_save_stack+0x3c/0x68
[   16.998420]  kasan_save_track+0x20/0x40
[   16.998476]  kasan_save_alloc_info+0x40/0x58
[   16.998538]  __kasan_kmalloc+0xd4/0xd8
[   16.998587]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.998674]  kmalloc_uaf+0xb8/0x338
[   16.998707]  kunit_try_run_case+0x170/0x3f0
[   16.998746]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.998814]  kthread+0x328/0x630
[   16.998846]  ret_from_fork+0x10/0x20
[   16.999056] 
[   16.999133] Freed by task 185:
[   16.999221]  kasan_save_stack+0x3c/0x68
[   16.999315]  kasan_save_track+0x20/0x40
[   16.999441]  kasan_save_free_info+0x4c/0x78
[   16.999544]  __kasan_slab_free+0x6c/0x98
[   16.999583]  kfree+0x214/0x3c8
[   16.999614]  kmalloc_uaf+0x11c/0x338
[   16.999712]  kunit_try_run_case+0x170/0x3f0
[   17.000039]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.000161]  kthread+0x328/0x630
[   17.000239]  ret_from_fork+0x10/0x20
[   17.000375] 
[   17.000433] The buggy address belongs to the object at fff00000c5fbe820
[   17.000433]  which belongs to the cache kmalloc-16 of size 16
[   17.000501] The buggy address is located 8 bytes inside of
[   17.000501]  freed 16-byte region [fff00000c5fbe820, fff00000c5fbe830)
[   17.000685] 
[   17.000717] The buggy address belongs to the physical page:
[   17.000873] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105fbe
[   17.000995] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.001076] page_type: f5(slab)
[   17.001134] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   17.001317] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   17.001515] page dumped because: kasan: bad access detected
[   17.001609] 
[   17.001683] Memory state around the buggy address:
[   17.001756]  fff00000c5fbe700: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   17.001799]  fff00000c5fbe780: 00 04 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   17.002088] >fff00000c5fbe800: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   17.002158]                                   ^
[   17.002192]  fff00000c5fbe880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.002262]  fff00000c5fbe900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.002538] ==================================================================

[   16.972761] ==================================================================
[   16.972833] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   16.972887] Read of size 1 at addr fff00000c1376c28 by task kunit_try_catch/185
[   16.972951] 
[   16.972983] CPU: 1 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   16.973070] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.973095] Hardware name: linux,dummy-virt (DT)
[   16.973422] Call trace:
[   16.973702]  show_stack+0x20/0x38 (C)
[   16.973924]  dump_stack_lvl+0x8c/0xd0
[   16.973991]  print_report+0x118/0x608
[   16.974201]  kasan_report+0xdc/0x128
[   16.974258]  __asan_report_load1_noabort+0x20/0x30
[   16.974311]  kmalloc_uaf+0x300/0x338
[   16.974352]  kunit_try_run_case+0x170/0x3f0
[   16.974775]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.974898]  kthread+0x328/0x630
[   16.975091]  ret_from_fork+0x10/0x20
[   16.975277] 
[   16.975346] Allocated by task 185:
[   16.975379]  kasan_save_stack+0x3c/0x68
[   16.975719]  kasan_save_track+0x20/0x40
[   16.975828]  kasan_save_alloc_info+0x40/0x58
[   16.975895]  __kasan_kmalloc+0xd4/0xd8
[   16.976054]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.976231]  kmalloc_uaf+0xb8/0x338
[   16.976340]  kunit_try_run_case+0x170/0x3f0
[   16.976416]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.976822]  kthread+0x328/0x630
[   16.976997]  ret_from_fork+0x10/0x20
[   16.977091] 
[   16.977215] Freed by task 185:
[   16.977294]  kasan_save_stack+0x3c/0x68
[   16.977438]  kasan_save_track+0x20/0x40
[   16.977477]  kasan_save_free_info+0x4c/0x78
[   16.977548]  __kasan_slab_free+0x6c/0x98
[   16.977826]  kfree+0x214/0x3c8
[   16.977903]  kmalloc_uaf+0x11c/0x338
[   16.978039]  kunit_try_run_case+0x170/0x3f0
[   16.978153]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.978268]  kthread+0x328/0x630
[   16.978337]  ret_from_fork+0x10/0x20
[   16.978440] 
[   16.978595] The buggy address belongs to the object at fff00000c1376c20
[   16.978595]  which belongs to the cache kmalloc-16 of size 16
[   16.978762] The buggy address is located 8 bytes inside of
[   16.978762]  freed 16-byte region [fff00000c1376c20, fff00000c1376c30)
[   16.978903] 
[   16.978986] The buggy address belongs to the physical page:
[   16.979049] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101376
[   16.979191] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.979373] page_type: f5(slab)
[   16.979416] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   16.979507] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   16.979848] page dumped because: kasan: bad access detected
[   16.979926] 
[   16.980015] Memory state around the buggy address:
[   16.980206]  fff00000c1376b00: fa fb fc fc fa fb fc fc fa fb fc fc 00 04 fc fc
[   16.980344]  fff00000c1376b80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   16.980402] >fff00000c1376c00: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   16.980601]                                   ^
[   16.980861]  fff00000c1376c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.980998]  fff00000c1376d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.981092] ==================================================================

[   13.620338] ==================================================================
[   13.621169] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[   13.621551] Read of size 1 at addr ffff888101c6db88 by task kunit_try_catch/202
[   13.621846] 
[   13.621975] CPU: 0 UID: 0 PID: 202 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   13.622033] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.622047] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.622072] Call Trace:
[   13.622090]  <TASK>
[   13.622112]  dump_stack_lvl+0x73/0xb0
[   13.622154]  print_report+0xd1/0x650
[   13.622185]  ? __virt_addr_valid+0x1db/0x2d0
[   13.622218]  ? kmalloc_uaf+0x320/0x380
[   13.622251]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.622286]  ? kmalloc_uaf+0x320/0x380
[   13.622316]  kasan_report+0x141/0x180
[   13.622377]  ? kmalloc_uaf+0x320/0x380
[   13.622433]  __asan_report_load1_noabort+0x18/0x20
[   13.622476]  kmalloc_uaf+0x320/0x380
[   13.622522]  ? __pfx_kmalloc_uaf+0x10/0x10
[   13.622569]  ? __schedule+0x10cc/0x2b60
[   13.622602]  ? __pfx_read_tsc+0x10/0x10
[   13.622645]  ? ktime_get_ts64+0x86/0x230
[   13.622686]  kunit_try_run_case+0x1a5/0x480
[   13.622724]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.622761]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.622804]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.622845]  ? __kthread_parkme+0x82/0x180
[   13.622882]  ? preempt_count_sub+0x50/0x80
[   13.622924]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.622967]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.623008]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.623043]  kthread+0x337/0x6f0
[   13.623074]  ? trace_preempt_on+0x20/0xc0
[   13.623113]  ? __pfx_kthread+0x10/0x10
[   13.623165]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.623206]  ? calculate_sigpending+0x7b/0xa0
[   13.623244]  ? __pfx_kthread+0x10/0x10
[   13.623277]  ret_from_fork+0x116/0x1d0
[   13.623309]  ? __pfx_kthread+0x10/0x10
[   13.623342]  ret_from_fork_asm+0x1a/0x30
[   13.623392]  </TASK>
[   13.623414] 
[   13.632884] Allocated by task 202:
[   13.633110]  kasan_save_stack+0x45/0x70
[   13.633379]  kasan_save_track+0x18/0x40
[   13.633543]  kasan_save_alloc_info+0x3b/0x50
[   13.633875]  __kasan_kmalloc+0xb7/0xc0
[   13.634185]  __kmalloc_cache_noprof+0x189/0x420
[   13.634473]  kmalloc_uaf+0xaa/0x380
[   13.634699]  kunit_try_run_case+0x1a5/0x480
[   13.634991]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.635562]  kthread+0x337/0x6f0
[   13.635920]  ret_from_fork+0x116/0x1d0
[   13.636261]  ret_from_fork_asm+0x1a/0x30
[   13.636511] 
[   13.636680] Freed by task 202:
[   13.637310]  kasan_save_stack+0x45/0x70
[   13.637492]  kasan_save_track+0x18/0x40
[   13.637651]  kasan_save_free_info+0x3f/0x60
[   13.637968]  __kasan_slab_free+0x56/0x70
[   13.638248]  kfree+0x222/0x3f0
[   13.638503]  kmalloc_uaf+0x12c/0x380
[   13.639156]  kunit_try_run_case+0x1a5/0x480
[   13.639519]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.639796]  kthread+0x337/0x6f0
[   13.640043]  ret_from_fork+0x116/0x1d0
[   13.640294]  ret_from_fork_asm+0x1a/0x30
[   13.640485] 
[   13.640644] The buggy address belongs to the object at ffff888101c6db80
[   13.640644]  which belongs to the cache kmalloc-16 of size 16
[   13.641309] The buggy address is located 8 bytes inside of
[   13.641309]  freed 16-byte region [ffff888101c6db80, ffff888101c6db90)
[   13.641830] 
[   13.641968] The buggy address belongs to the physical page:
[   13.642362] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101c6d
[   13.643092] flags: 0x200000000000000(node=0|zone=2)
[   13.643723] page_type: f5(slab)
[   13.644033] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   13.644493] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   13.644873] page dumped because: kasan: bad access detected
[   13.645161] 
[   13.645331] Memory state around the buggy address:
[   13.645655]  ffff888101c6da80: 00 02 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   13.646069]  ffff888101c6db00: 00 05 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   13.646601] >ffff888101c6db80: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.646970]                       ^
[   13.647246]  ffff888101c6dc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.647639]  ffff888101c6dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.647913] ==================================================================

[   13.776584] ==================================================================
[   13.777339] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[   13.777818] Read of size 1 at addr ffff888102873108 by task kunit_try_catch/201
[   13.778151] 
[   13.778278] CPU: 1 UID: 0 PID: 201 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   13.778323] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.778335] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.778356] Call Trace:
[   13.778369]  <TASK>
[   13.778385]  dump_stack_lvl+0x73/0xb0
[   13.778416]  print_report+0xd1/0x650
[   13.778438]  ? __virt_addr_valid+0x1db/0x2d0
[   13.778461]  ? kmalloc_uaf+0x320/0x380
[   13.778480]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.778506]  ? kmalloc_uaf+0x320/0x380
[   13.778526]  kasan_report+0x141/0x180
[   13.778547]  ? kmalloc_uaf+0x320/0x380
[   13.778573]  __asan_report_load1_noabort+0x18/0x20
[   13.778596]  kmalloc_uaf+0x320/0x380
[   13.778615]  ? __pfx_kmalloc_uaf+0x10/0x10
[   13.778636]  ? __schedule+0x10cc/0x2b60
[   13.778658]  ? __pfx_read_tsc+0x10/0x10
[   13.778678]  ? ktime_get_ts64+0x86/0x230
[   13.778703]  kunit_try_run_case+0x1a5/0x480
[   13.779232]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.779258]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.779283]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.779305]  ? __kthread_parkme+0x82/0x180
[   13.779326]  ? preempt_count_sub+0x50/0x80
[   13.779350]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.779374]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.779396]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.779418]  kthread+0x337/0x6f0
[   13.779438]  ? trace_preempt_on+0x20/0xc0
[   13.779462]  ? __pfx_kthread+0x10/0x10
[   13.779482]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.779503]  ? calculate_sigpending+0x7b/0xa0
[   13.779528]  ? __pfx_kthread+0x10/0x10
[   13.779549]  ret_from_fork+0x116/0x1d0
[   13.779568]  ? __pfx_kthread+0x10/0x10
[   13.779588]  ret_from_fork_asm+0x1a/0x30
[   13.779620]  </TASK>
[   13.779631] 
[   13.790672] Allocated by task 201:
[   13.791315]  kasan_save_stack+0x45/0x70
[   13.791485]  kasan_save_track+0x18/0x40
[   13.791634]  kasan_save_alloc_info+0x3b/0x50
[   13.792384]  __kasan_kmalloc+0xb7/0xc0
[   13.793043]  __kmalloc_cache_noprof+0x189/0x420
[   13.793659]  kmalloc_uaf+0xaa/0x380
[   13.794223]  kunit_try_run_case+0x1a5/0x480
[   13.794855]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.795499]  kthread+0x337/0x6f0
[   13.795644]  ret_from_fork+0x116/0x1d0
[   13.796174]  ret_from_fork_asm+0x1a/0x30
[   13.796835] 
[   13.797066] Freed by task 201:
[   13.797354]  kasan_save_stack+0x45/0x70
[   13.797581]  kasan_save_track+0x18/0x40
[   13.797788]  kasan_save_free_info+0x3f/0x60
[   13.798001]  __kasan_slab_free+0x56/0x70
[   13.798218]  kfree+0x222/0x3f0
[   13.798384]  kmalloc_uaf+0x12c/0x380
[   13.798566]  kunit_try_run_case+0x1a5/0x480
[   13.798776]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.799029]  kthread+0x337/0x6f0
[   13.799975]  ret_from_fork+0x116/0x1d0
[   13.800146]  ret_from_fork_asm+0x1a/0x30
[   13.800605] 
[   13.800954] The buggy address belongs to the object at ffff888102873100
[   13.800954]  which belongs to the cache kmalloc-16 of size 16
[   13.801472] The buggy address is located 8 bytes inside of
[   13.801472]  freed 16-byte region [ffff888102873100, ffff888102873110)
[   13.802318] 
[   13.802662] The buggy address belongs to the physical page:
[   13.803156] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102873
[   13.803604] flags: 0x200000000000000(node=0|zone=2)
[   13.804035] page_type: f5(slab)
[   13.804217] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   13.804572] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   13.805288] page dumped because: kasan: bad access detected
[   13.805676] 
[   13.806002] Memory state around the buggy address:
[   13.806365]  ffff888102873000: 00 01 fc fc 00 04 fc fc 00 04 fc fc fa fb fc fc
[   13.806929]  ffff888102873080: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   13.807424] >ffff888102873100: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.808026]                       ^
[   13.808182]  ffff888102873180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.808875]  ffff888102873200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.809199] ==================================================================

[   27.285938] ==================================================================
[   27.297973] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[   27.304506] Read of size 1 at addr ffff888106713188 by task kunit_try_catch/225
[   27.311812] 
[   27.313314] CPU: 3 UID: 0 PID: 225 Comm: kunit_try_catch Tainted: G S  B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   27.313323] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST
[   27.313326] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   27.313329] Call Trace:
[   27.313331]  <TASK>
[   27.313350]  dump_stack_lvl+0x73/0xb0
[   27.313355]  print_report+0xd1/0x650
[   27.313359]  ? __virt_addr_valid+0x1db/0x2d0
[   27.313363]  ? kmalloc_uaf+0x320/0x380
[   27.313379]  ? kasan_complete_mode_report_info+0x64/0x200
[   27.313384]  ? kmalloc_uaf+0x320/0x380
[   27.313388]  kasan_report+0x141/0x180
[   27.313392]  ? kmalloc_uaf+0x320/0x380
[   27.313396]  __asan_report_load1_noabort+0x18/0x20
[   27.313401]  kmalloc_uaf+0x320/0x380
[   27.313404]  ? __pfx_kmalloc_uaf+0x10/0x10
[   27.313408]  ? __schedule+0x10cc/0x2b60
[   27.313412]  ? ktime_get_ts64+0x83/0x230
[   27.313416]  kunit_try_run_case+0x1a2/0x480
[   27.313421]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.313425]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   27.313429]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   27.313433]  ? __kthread_parkme+0x82/0x180
[   27.313437]  ? preempt_count_sub+0x50/0x80
[   27.313441]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.313445]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   27.313449]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   27.313453]  kthread+0x334/0x6f0
[   27.313457]  ? trace_preempt_on+0x20/0xc0
[   27.313461]  ? __pfx_kthread+0x10/0x10
[   27.313464]  ? _raw_spin_unlock_irq+0x47/0x80
[   27.313468]  ? calculate_sigpending+0x7b/0xa0
[   27.313473]  ? __pfx_kthread+0x10/0x10
[   27.313476]  ret_from_fork+0x113/0x1d0
[   27.313480]  ? __pfx_kthread+0x10/0x10
[   27.313483]  ret_from_fork_asm+0x1a/0x30
[   27.313489]  </TASK>
[   27.313491] 
[   27.475724] Allocated by task 225:
[   27.479129]  kasan_save_stack+0x45/0x70
[   27.482969]  kasan_save_track+0x18/0x40
[   27.486808]  kasan_save_alloc_info+0x3b/0x50
[   27.491080]  __kasan_kmalloc+0xb7/0xc0
[   27.494833]  __kmalloc_cache_noprof+0x189/0x420
[   27.499379]  kmalloc_uaf+0xaa/0x380
[   27.502879]  kunit_try_run_case+0x1a2/0x480
[   27.507072]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   27.512471]  kthread+0x334/0x6f0
[   27.515703]  ret_from_fork+0x113/0x1d0
[   27.519455]  ret_from_fork_asm+0x1a/0x30
[   27.523402] 
[   27.524899] Freed by task 225:
[   27.527959]  kasan_save_stack+0x45/0x70
[   27.531798]  kasan_save_track+0x18/0x40
[   27.535637]  kasan_save_free_info+0x3f/0x60
[   27.539824]  __kasan_slab_free+0x56/0x70
[   27.543748]  kfree+0x222/0x3f0
[   27.546807]  kmalloc_uaf+0x12c/0x380
[   27.550404]  kunit_try_run_case+0x1a2/0x480
[   27.554592]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   27.559998]  kthread+0x334/0x6f0
[   27.563231]  ret_from_fork+0x113/0x1d0
[   27.566984]  ret_from_fork_asm+0x1a/0x30
[   27.570911] 
[   27.572419] The buggy address belongs to the object at ffff888106713180
[   27.572419]  which belongs to the cache kmalloc-16 of size 16
[   27.584761] The buggy address is located 8 bytes inside of
[   27.584761]  freed 16-byte region [ffff888106713180, ffff888106713190)
[   27.596762] 
[   27.598262] The buggy address belongs to the physical page:
[   27.603836] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106713
[   27.611842] flags: 0x200000000000000(node=0|zone=2)
[   27.616723] page_type: f5(slab)
[   27.619868] raw: 0200000000000000 ffff888100042640 dead000000000122 0000000000000000
[   27.627607] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   27.635361] page dumped because: kasan: bad access detected
[   27.640962] 
[   27.642461] Memory state around the buggy address:
[   27.647256]  ffff888106713080: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   27.654475]  ffff888106713100: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   27.661695] >ffff888106713180: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.668912]                       ^
[   27.672420]  ffff888106713200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.679643]  ffff888106713280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.686862] ==================================================================