Date
July 6, 2025, 11:09 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
| x86 |
```
[ 17.021445] ==================================================================
[ 17.021505] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[ 17.021587] Read of size 1 at addr fff00000c69bd428 by task kunit_try_catch/189
[ 17.021783]
[ 17.021859] CPU: 0 UID: 0 PID: 189 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 17.021945] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.021972] Hardware name: linux,dummy-virt (DT)
[ 17.022014] Call trace:
[ 17.022036]  show_stack+0x20/0x38 (C)
[ 17.022088]  dump_stack_lvl+0x8c/0xd0
[ 17.022142]  print_report+0x118/0x608
[ 17.022188]  kasan_report+0xdc/0x128
[ 17.022232]  __asan_report_load1_noabort+0x20/0x30
[ 17.022282]  kmalloc_uaf2+0x3f4/0x468
[ 17.022323]  kunit_try_run_case+0x170/0x3f0
[ 17.022370]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.022426]  kthread+0x328/0x630
[ 17.022466]  ret_from_fork+0x10/0x20
[ 17.022513]
[ 17.022540] Allocated by task 189:
[ 17.022567]  kasan_save_stack+0x3c/0x68
[ 17.022639]  kasan_save_track+0x20/0x40
[ 17.022681]  kasan_save_alloc_info+0x40/0x58
[ 17.022839]  __kasan_kmalloc+0xd4/0xd8
[ 17.022890]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 17.022929]  kmalloc_uaf2+0xc4/0x468
[ 17.022961]  kunit_try_run_case+0x170/0x3f0
[ 17.023013]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.023056]  kthread+0x328/0x630
[ 17.023088]  ret_from_fork+0x10/0x20
[ 17.023121]
[ 17.023280] Freed by task 189:
[ 17.023353]  kasan_save_stack+0x3c/0x68
[ 17.023424]  kasan_save_track+0x20/0x40
[ 17.023524]  kasan_save_free_info+0x4c/0x78
[ 17.023634]  __kasan_slab_free+0x6c/0x98
[ 17.023720]  kfree+0x214/0x3c8
[ 17.023789]  kmalloc_uaf2+0x134/0x468
[ 17.023841]  kunit_try_run_case+0x170/0x3f0
[ 17.023879]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.023922]  kthread+0x328/0x630
[ 17.023952]  ret_from_fork+0x10/0x20
[ 17.024124]
[ 17.024174] The buggy address belongs to the object at fff00000c69bd400
[ 17.024174]  which belongs to the cache kmalloc-64 of size 64
[ 17.024327] The buggy address is located 40 bytes inside of
[ 17.024327]  freed 64-byte region [fff00000c69bd400, fff00000c69bd440)
[ 17.024401]
[ 17.024421] The buggy address belongs to the physical page:
[ 17.024451] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1069bd
[ 17.024649] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.024739] page_type: f5(slab)
[ 17.024814] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 17.024923] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 17.025051] page dumped because: kasan: bad access detected
[ 17.025082]
[ 17.025099] Memory state around the buggy address:
[ 17.025164]  fff00000c69bd300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 17.025481]  fff00000c69bd380: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 17.025597] >fff00000c69bd400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 17.025681]                                   ^
[ 17.025807]  fff00000c69bd480: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 17.025851]  fff00000c69bd500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.026030] ==================================================================
```
```
[ 17.008010] ==================================================================
[ 17.008068] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[ 17.008120] Read of size 1 at addr fff00000c7772228 by task kunit_try_catch/189
[ 17.008189]
[ 17.008221] CPU: 1 UID: 0 PID: 189 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 17.008303] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.008338] Hardware name: linux,dummy-virt (DT)
[ 17.008369] Call trace:
[ 17.008390]  show_stack+0x20/0x38 (C)
[ 17.008443]  dump_stack_lvl+0x8c/0xd0
[ 17.008499]  print_report+0x118/0x608
[ 17.008546]  kasan_report+0xdc/0x128
[ 17.008590]  __asan_report_load1_noabort+0x20/0x30
[ 17.008642]  kmalloc_uaf2+0x3f4/0x468
[ 17.008694]  kunit_try_run_case+0x170/0x3f0
[ 17.008743]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.008796]  kthread+0x328/0x630
[ 17.008836]  ret_from_fork+0x10/0x20
[ 17.008883]
[ 17.008900] Allocated by task 189:
[ 17.009091]  kasan_save_stack+0x3c/0x68
[ 17.009174]  kasan_save_track+0x20/0x40
[ 17.009216]  kasan_save_alloc_info+0x40/0x58
[ 17.009523]  __kasan_kmalloc+0xd4/0xd8
[ 17.009583]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 17.010019]  kmalloc_uaf2+0xc4/0x468
[ 17.010380]  kunit_try_run_case+0x170/0x3f0
[ 17.010446]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.010531]  kthread+0x328/0x630
[ 17.010635]  ret_from_fork+0x10/0x20
[ 17.010701]
[ 17.010720] Freed by task 189:
[ 17.010756]  kasan_save_stack+0x3c/0x68
[ 17.010795]  kasan_save_track+0x20/0x40
[ 17.010832]  kasan_save_free_info+0x4c/0x78
[ 17.011161]  __kasan_slab_free+0x6c/0x98
[ 17.011303]  kfree+0x214/0x3c8
[ 17.011341]  kmalloc_uaf2+0x134/0x468
[ 17.011425]  kunit_try_run_case+0x170/0x3f0
[ 17.011742]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.011826]  kthread+0x328/0x630
[ 17.011988]  ret_from_fork+0x10/0x20
[ 17.012076]
[ 17.012183] The buggy address belongs to the object at fff00000c7772200
[ 17.012183]  which belongs to the cache kmalloc-64 of size 64
[ 17.012320] The buggy address is located 40 bytes inside of
[ 17.012320]  freed 64-byte region [fff00000c7772200, fff00000c7772240)
[ 17.012791]
[ 17.012862] The buggy address belongs to the physical page:
[ 17.013117] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107772
[ 17.013270] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.013367] page_type: f5(slab)
[ 17.013407] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[ 17.013735] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 17.013880] page dumped because: kasan: bad access detected
[ 17.013979]
[ 17.014041] Memory state around the buggy address:
[ 17.014130]  fff00000c7772100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 17.014284]  fff00000c7772180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 17.014391] >fff00000c7772200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 17.014438]                                   ^
[ 17.014471]  fff00000c7772280: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 17.014513]  fff00000c7772300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.014553] ==================================================================
```
```
[ 13.674376] ==================================================================
[ 13.675126] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4a8/0x520
[ 13.675601] Read of size 1 at addr ffff888102aad228 by task kunit_try_catch/206
[ 13.675891]
[ 13.676073] CPU: 0 UID: 0 PID: 206 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 13.676149] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.676169] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.676204] Call Trace:
[ 13.676231]  <TASK>
[ 13.676260]  dump_stack_lvl+0x73/0xb0
[ 13.676313]  print_report+0xd1/0x650
[ 13.676351]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.676391]  ? kmalloc_uaf2+0x4a8/0x520
[ 13.676426]  ? kasan_complete_mode_report_info+0x64/0x200
[ 13.676471]  ? kmalloc_uaf2+0x4a8/0x520
[ 13.676504]  kasan_report+0x141/0x180
[ 13.676544]  ? kmalloc_uaf2+0x4a8/0x520
[ 13.676586]  __asan_report_load1_noabort+0x18/0x20
[ 13.676664]  kmalloc_uaf2+0x4a8/0x520
[ 13.676701]  ? __pfx_kmalloc_uaf2+0x10/0x10
[ 13.676734]  ? finish_task_switch.isra.0+0x153/0x700
[ 13.676771]  ? __switch_to+0x47/0xf50
[ 13.676820]  ? __schedule+0x10cc/0x2b60
[ 13.676858]  ? __pfx_read_tsc+0x10/0x10
[ 13.676890]  ? ktime_get_ts64+0x86/0x230
[ 13.676927]  kunit_try_run_case+0x1a5/0x480
[ 13.676966]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.676997]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.677028]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.677106]  ? __kthread_parkme+0x82/0x180
[ 13.677148]  ? preempt_count_sub+0x50/0x80
[ 13.677188]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.677233]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.677276]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.677309]  kthread+0x337/0x6f0
[ 13.677330]  ? trace_preempt_on+0x20/0xc0
[ 13.677352]  ? __pfx_kthread+0x10/0x10
[ 13.677370]  ? _raw_spin_unlock_irq+0x47/0x80
[ 13.677389]  ? calculate_sigpending+0x7b/0xa0
[ 13.677410]  ? __pfx_kthread+0x10/0x10
[ 13.677429]  ret_from_fork+0x116/0x1d0
[ 13.677445]  ? __pfx_kthread+0x10/0x10
[ 13.677463]  ret_from_fork_asm+0x1a/0x30
[ 13.677492]  </TASK>
[ 13.677507]
[ 13.689707] Allocated by task 206:
[ 13.689945]  kasan_save_stack+0x45/0x70
[ 13.690354]  kasan_save_track+0x18/0x40
[ 13.690830]  kasan_save_alloc_info+0x3b/0x50
[ 13.690983]  __kasan_kmalloc+0xb7/0xc0
[ 13.691358]  __kmalloc_cache_noprof+0x189/0x420
[ 13.692095]  kmalloc_uaf2+0xc6/0x520
[ 13.692314]  kunit_try_run_case+0x1a5/0x480
[ 13.692463]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.693370]  kthread+0x337/0x6f0
[ 13.693781]  ret_from_fork+0x116/0x1d0
[ 13.693946]  ret_from_fork_asm+0x1a/0x30
[ 13.694424]
[ 13.694541] Freed by task 206:
[ 13.694682]  kasan_save_stack+0x45/0x70
[ 13.695251]  kasan_save_track+0x18/0x40
[ 13.695803]  kasan_save_free_info+0x3f/0x60
[ 13.696016]  __kasan_slab_free+0x56/0x70
[ 13.696642]  kfree+0x222/0x3f0
[ 13.696865]  kmalloc_uaf2+0x14c/0x520
[ 13.696997]  kunit_try_run_case+0x1a5/0x480
[ 13.697250]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.697614]  kthread+0x337/0x6f0
[ 13.697890]  ret_from_fork+0x116/0x1d0
[ 13.698239]  ret_from_fork_asm+0x1a/0x30
[ 13.698582]
[ 13.698961] The buggy address belongs to the object at ffff888102aad200
[ 13.698961]  which belongs to the cache kmalloc-64 of size 64
[ 13.699855] The buggy address is located 40 bytes inside of
[ 13.699855]  freed 64-byte region [ffff888102aad200, ffff888102aad240)
[ 13.700476]
[ 13.700803] The buggy address belongs to the physical page:
[ 13.701124] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102aad
[ 13.701707] flags: 0x200000000000000(node=0|zone=2)
[ 13.701941] page_type: f5(slab)
[ 13.702086] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 13.702778] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 13.703320] page dumped because: kasan: bad access detected
[ 13.703772]
[ 13.703886] Memory state around the buggy address:
[ 13.704214]  ffff888102aad100: 00 00 00 00 02 fc fc fc fc fc fc fc fc fc fc fc
[ 13.704600]  ffff888102aad180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.704988] >ffff888102aad200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.705261]                                   ^
[ 13.705571]  ffff888102aad280: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 13.705931]  ffff888102aad300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.706165] ==================================================================
```
```
[ 13.852167] ==================================================================
[ 13.853403] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4a8/0x520
[ 13.854305] Read of size 1 at addr ffff888102c4c328 by task kunit_try_catch/205
[ 13.854544]
[ 13.854639] CPU: 0 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 13.854684] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.854696] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.854745] Call Trace:
[ 13.854757]  <TASK>
[ 13.854772]  dump_stack_lvl+0x73/0xb0
[ 13.854801]  print_report+0xd1/0x650
[ 13.854822]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.854843]  ? kmalloc_uaf2+0x4a8/0x520
[ 13.854862]  ? kasan_complete_mode_report_info+0x64/0x200
[ 13.854888]  ? kmalloc_uaf2+0x4a8/0x520
[ 13.854907]  kasan_report+0x141/0x180
[ 13.854928]  ? kmalloc_uaf2+0x4a8/0x520
[ 13.854953]  __asan_report_load1_noabort+0x18/0x20
[ 13.854976]  kmalloc_uaf2+0x4a8/0x520
[ 13.854996]  ? __pfx_kmalloc_uaf2+0x10/0x10
[ 13.855014]  ? finish_task_switch.isra.0+0x153/0x700
[ 13.855036]  ? __switch_to+0x47/0xf50
[ 13.855073]  ? __schedule+0x10cc/0x2b60
[ 13.855095]  ? __pfx_read_tsc+0x10/0x10
[ 13.855115]  ? ktime_get_ts64+0x86/0x230
[ 13.855138]  kunit_try_run_case+0x1a5/0x480
[ 13.855161]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.855182]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.855204]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.855226]  ? __kthread_parkme+0x82/0x180
[ 13.855245]  ? preempt_count_sub+0x50/0x80
[ 13.855267]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.855290]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.855311]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.855333]  kthread+0x337/0x6f0
[ 13.855352]  ? trace_preempt_on+0x20/0xc0
[ 13.855373]  ? __pfx_kthread+0x10/0x10
[ 13.855394]  ? _raw_spin_unlock_irq+0x47/0x80
[ 13.855414]  ? calculate_sigpending+0x7b/0xa0
[ 13.855437]  ? __pfx_kthread+0x10/0x10
[ 13.855458]  ret_from_fork+0x116/0x1d0
[ 13.855475]  ? __pfx_kthread+0x10/0x10
[ 13.855495]  ret_from_fork_asm+0x1a/0x30
[ 13.855525]  </TASK>
[ 13.855536]
[ 13.869651] Allocated by task 205:
[ 13.869965]  kasan_save_stack+0x45/0x70
[ 13.870210]  kasan_save_track+0x18/0x40
[ 13.870359]  kasan_save_alloc_info+0x3b/0x50
[ 13.870514]  __kasan_kmalloc+0xb7/0xc0
[ 13.870651]  __kmalloc_cache_noprof+0x189/0x420
[ 13.871298]  kmalloc_uaf2+0xc6/0x520
[ 13.871669]  kunit_try_run_case+0x1a5/0x480
[ 13.872119]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.872709]  kthread+0x337/0x6f0
[ 13.873163]  ret_from_fork+0x116/0x1d0
[ 13.873560]  ret_from_fork_asm+0x1a/0x30
[ 13.874198]
[ 13.874377] Freed by task 205:
[ 13.874684]  kasan_save_stack+0x45/0x70
[ 13.874989]  kasan_save_track+0x18/0x40
[ 13.875146]  kasan_save_free_info+0x3f/0x60
[ 13.875297]  __kasan_slab_free+0x56/0x70
[ 13.875437]  kfree+0x222/0x3f0
[ 13.875557]  kmalloc_uaf2+0x14c/0x520
[ 13.875691]  kunit_try_run_case+0x1a5/0x480
[ 13.876648]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.876931]  kthread+0x337/0x6f0
[ 13.877454]  ret_from_fork+0x116/0x1d0
[ 13.878030]  ret_from_fork_asm+0x1a/0x30
[ 13.878306]
[ 13.878388] The buggy address belongs to the object at ffff888102c4c300
[ 13.878388]  which belongs to the cache kmalloc-64 of size 64
[ 13.879034] The buggy address is located 40 bytes inside of
[ 13.879034]  freed 64-byte region [ffff888102c4c300, ffff888102c4c340)
[ 13.880928]
[ 13.881295] The buggy address belongs to the physical page:
[ 13.882167] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c4c
[ 13.882954] flags: 0x200000000000000(node=0|zone=2)
[ 13.883150] page_type: f5(slab)
[ 13.883283] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[ 13.883528] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 13.884093] page dumped because: kasan: bad access detected
[ 13.884633]
[ 13.884748] Memory state around the buggy address:
[ 13.884975]  ffff888102c4c200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.885263]  ffff888102c4c280: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.885591] >ffff888102c4c300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.885883]                                   ^
[ 13.886658]  ffff888102c4c380: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 13.887509]  ffff888102c4c400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.888343] ==================================================================
```
```
[ 28.108890] ==================================================================
[ 28.120046] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4a8/0x520
[ 28.126666] Read of size 1 at addr ffff8881066f50a8 by task kunit_try_catch/229
[ 28.133972]
[ 28.135474] CPU: 3 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G S B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 28.135482] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST
[ 28.135485] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[ 28.135488] Call Trace:
[ 28.135490]  <TASK>
[ 28.135491]  dump_stack_lvl+0x73/0xb0
[ 28.135496]  print_report+0xd1/0x650
[ 28.135500]  ? __virt_addr_valid+0x1db/0x2d0
[ 28.135504]  ? kmalloc_uaf2+0x4a8/0x520
[ 28.135507]  ? kasan_complete_mode_report_info+0x64/0x200
[ 28.135512]  ? kmalloc_uaf2+0x4a8/0x520
[ 28.135516]  kasan_report+0x141/0x180
[ 28.135520]  ? kmalloc_uaf2+0x4a8/0x520
[ 28.135524]  __asan_report_load1_noabort+0x18/0x20
[ 28.135529]  kmalloc_uaf2+0x4a8/0x520
[ 28.135532]  ? __pfx_kmalloc_uaf2+0x10/0x10
[ 28.135536]  ? finish_task_switch.isra.0+0x153/0x700
[ 28.135540]  ? __switch_to+0x544/0xf50
[ 28.135545]  ? __schedule+0x10cc/0x2b60
[ 28.135548]  ? ktime_get_ts64+0x83/0x230
[ 28.135553]  kunit_try_run_case+0x1a2/0x480
[ 28.135557]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.135561]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 28.135565]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 28.135570]  ? __kthread_parkme+0x82/0x180
[ 28.135573]  ? preempt_count_sub+0x50/0x80
[ 28.135577]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 28.135581]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 28.135585]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 28.135590]  kthread+0x334/0x6f0
[ 28.135593]  ? trace_preempt_on+0x20/0xc0
[ 28.135597]  ? __pfx_kthread+0x10/0x10
[ 28.135601]  ? _raw_spin_unlock_irq+0x47/0x80
[ 28.135605]  ? calculate_sigpending+0x7b/0xa0
[ 28.135609]  ? __pfx_kthread+0x10/0x10
[ 28.135613]  ret_from_fork+0x113/0x1d0
[ 28.135616]  ? __pfx_kthread+0x10/0x10
[ 28.135620]  ret_from_fork_asm+0x1a/0x30
[ 28.135625]  </TASK>
[ 28.135627]
[ 28.306915] Allocated by task 229:
[ 28.310319]  kasan_save_stack+0x45/0x70
[ 28.314187]  kasan_save_track+0x18/0x40
[ 28.318025]  kasan_save_alloc_info+0x3b/0x50
[ 28.322298]  __kasan_kmalloc+0xb7/0xc0
[ 28.326049]  __kmalloc_cache_noprof+0x189/0x420
[ 28.330584]  kmalloc_uaf2+0xc6/0x520
[ 28.334163]  kunit_try_run_case+0x1a2/0x480
[ 28.338367]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 28.343792]  kthread+0x334/0x6f0
[ 28.347023]  ret_from_fork+0x113/0x1d0
[ 28.350777]  ret_from_fork_asm+0x1a/0x30
[ 28.354702]
[ 28.356202] Freed by task 229:
[ 28.359260]  kasan_save_stack+0x45/0x70
[ 28.363100]  kasan_save_track+0x18/0x40
[ 28.366940]  kasan_save_free_info+0x3f/0x60
[ 28.371124]  __kasan_slab_free+0x56/0x70
[ 28.375051]  kfree+0x222/0x3f0
[ 28.378110]  kmalloc_uaf2+0x14c/0x520
[ 28.381776]  kunit_try_run_case+0x1a2/0x480
[ 28.385962]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 28.391363]  kthread+0x334/0x6f0
[ 28.394621]  ret_from_fork+0x113/0x1d0
[ 28.398373]  ret_from_fork_asm+0x1a/0x30
[ 28.402316]
[ 28.403817] The buggy address belongs to the object at ffff8881066f5080
[ 28.403817]  which belongs to the cache kmalloc-64 of size 64
[ 28.416158] The buggy address is located 40 bytes inside of
[ 28.416158]  freed 64-byte region [ffff8881066f5080, ffff8881066f50c0)
[ 28.428241]
[ 28.429737] The buggy address belongs to the physical page:
[ 28.435312] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1066f5
[ 28.443318] flags: 0x200000000000000(node=0|zone=2)
[ 28.448225] page_type: f5(slab)
[ 28.451395] raw: 0200000000000000 ffff8881000428c0 dead000000000122 0000000000000000
[ 28.459137] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 28.466882] page dumped because: kasan: bad access detected
[ 28.472456]
[ 28.473955] Memory state around the buggy address:
[ 28.478748]  ffff8881066f4f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 28.485967]  ffff8881066f5000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 28.493188] >ffff8881066f5080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 28.500406]                                   ^
[ 28.504939]  ffff8881066f5100: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[ 28.512159]  ffff8881066f5180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.519378] ==================================================================
```