lkft/linux-mainline-master - v6.16-rc5 - log-parser-boot/kasan-bug-kasan-slab-use-after-free-in-kmalloc_uaf_16

Date

July 6, 2025, 11:09 p.m.

Environment
qemu-arm64
qemu-x86_64
x86

[   16.880254] ==================================================================
[   16.880848] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[   16.881179] Read of size 16 at addr fff00000c5fbe800 by task kunit_try_catch/169
[   16.881245] 
[   16.881377] CPU: 0 UID: 0 PID: 169 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   16.881486] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.881512] Hardware name: linux,dummy-virt (DT)
[   16.881541] Call trace:
[   16.881813]  show_stack+0x20/0x38 (C)
[   16.881902]  dump_stack_lvl+0x8c/0xd0
[   16.881949]  print_report+0x118/0x608
[   16.882287]  kasan_report+0xdc/0x128
[   16.882449]  __asan_report_load16_noabort+0x20/0x30
[   16.882500]  kmalloc_uaf_16+0x3bc/0x438
[   16.882824]  kunit_try_run_case+0x170/0x3f0
[   16.882913]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.882964]  kthread+0x328/0x630
[   16.883016]  ret_from_fork+0x10/0x20
[   16.883087] 
[   16.883108] Allocated by task 169:
[   16.883247]  kasan_save_stack+0x3c/0x68
[   16.883302]  kasan_save_track+0x20/0x40
[   16.883345]  kasan_save_alloc_info+0x40/0x58
[   16.883383]  __kasan_kmalloc+0xd4/0xd8
[   16.883433]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.883471]  kmalloc_uaf_16+0x140/0x438
[   16.883504]  kunit_try_run_case+0x170/0x3f0
[   16.883539]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.884013]  kthread+0x328/0x630
[   16.884051]  ret_from_fork+0x10/0x20
[   16.884250] 
[   16.884270] Freed by task 169:
[   16.884311]  kasan_save_stack+0x3c/0x68
[   16.884389]  kasan_save_track+0x20/0x40
[   16.884530]  kasan_save_free_info+0x4c/0x78
[   16.884568]  __kasan_slab_free+0x6c/0x98
[   16.884609]  kfree+0x214/0x3c8
[   16.884757]  kmalloc_uaf_16+0x190/0x438
[   16.884831]  kunit_try_run_case+0x170/0x3f0
[   16.884924]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.884965]  kthread+0x328/0x630
[   16.885256]  ret_from_fork+0x10/0x20
[   16.885299] 
[   16.885318] The buggy address belongs to the object at fff00000c5fbe800
[   16.885318]  which belongs to the cache kmalloc-16 of size 16
[   16.885374] The buggy address is located 0 bytes inside of
[   16.885374]  freed 16-byte region [fff00000c5fbe800, fff00000c5fbe810)
[   16.885921] 
[   16.885952] The buggy address belongs to the physical page:
[   16.886124] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105fbe
[   16.886188] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.886237] page_type: f5(slab)
[   16.886277] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   16.886326] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   16.886364] page dumped because: kasan: bad access detected
[   16.886410] 
[   16.886428] Memory state around the buggy address:
[   16.886459]  fff00000c5fbe700: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   16.886998]  fff00000c5fbe780: 00 04 fc fc fa fb fc fc fa fb fc fc 00 00 fc fc
[   16.887174] >fff00000c5fbe800: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.887213]                    ^
[   16.887240]  fff00000c5fbe880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.887351]  fff00000c5fbe900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.887735] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

2zWOyuIXq8KfPGezZsACY2h9Py5

job_id

TEST:linaro@lkft#2zWP3V1OcVdQ4ohJyYfApbDGj8n

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2zWP3V1OcVdQ4ohJyYfApbDGj8n

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zWOzwXJtcwkvIQ83Ezq39U67AP/Image.gz
sha256sum	0864d91aae8ea4c511d1a9f351fcff12184502f96eb010fa57e7b676cb314913

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zWOzwXJtcwkvIQ83Ezq39U67AP/modules.tar.xz
sha256sum	0c1b3d0b6ba49ab3b5a9e851cd596f0896ca4322dc635a39b3037c7d3f3b1d7a

durations

tests

boot	0
kunit	176.95

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

[   16.830322] ==================================================================
[   16.830555] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[   16.830640] Read of size 16 at addr fff00000c1376c00 by task kunit_try_catch/169
[   16.830689] 
[   16.831100] CPU: 1 UID: 0 PID: 169 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT 
[   16.831250] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.831633] Hardware name: linux,dummy-virt (DT)
[   16.831785] Call trace:
[   16.831842]  show_stack+0x20/0x38 (C)
[   16.832199]  dump_stack_lvl+0x8c/0xd0
[   16.832261]  print_report+0x118/0x608
[   16.832306]  kasan_report+0xdc/0x128
[   16.832350]  __asan_report_load16_noabort+0x20/0x30
[   16.832459]  kmalloc_uaf_16+0x3bc/0x438
[   16.832870]  kunit_try_run_case+0x170/0x3f0
[   16.832930]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.832997]  kthread+0x328/0x630
[   16.833038]  ret_from_fork+0x10/0x20
[   16.833139] 
[   16.833158] Allocated by task 169:
[   16.833186]  kasan_save_stack+0x3c/0x68
[   16.833231]  kasan_save_track+0x20/0x40
[   16.833390]  kasan_save_alloc_info+0x40/0x58
[   16.833448]  __kasan_kmalloc+0xd4/0xd8
[   16.833549]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.833587]  kmalloc_uaf_16+0x140/0x438
[   16.833621]  kunit_try_run_case+0x170/0x3f0
[   16.833656]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.833736]  kthread+0x328/0x630
[   16.833878]  ret_from_fork+0x10/0x20
[   16.834014] 
[   16.834033] Freed by task 169:
[   16.834058]  kasan_save_stack+0x3c/0x68
[   16.834534]  kasan_save_track+0x20/0x40
[   16.834581]  kasan_save_free_info+0x4c/0x78
[   16.834757]  __kasan_slab_free+0x6c/0x98
[   16.834806]  kfree+0x214/0x3c8
[   16.834856]  kmalloc_uaf_16+0x190/0x438
[   16.834891]  kunit_try_run_case+0x170/0x3f0
[   16.834976]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.835035]  kthread+0x328/0x630
[   16.835066]  ret_from_fork+0x10/0x20
[   16.835100] 
[   16.835371] The buggy address belongs to the object at fff00000c1376c00
[   16.835371]  which belongs to the cache kmalloc-16 of size 16
[   16.835440] The buggy address is located 0 bytes inside of
[   16.835440]  freed 16-byte region [fff00000c1376c00, fff00000c1376c10)
[   16.835604] 
[   16.835687] The buggy address belongs to the physical page:
[   16.835716] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101376
[   16.835769] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.836116] page_type: f5(slab)
[   16.836243] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   16.836384] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   16.836423] page dumped because: kasan: bad access detected
[   16.836452] 
[   16.836480] Memory state around the buggy address:
[   16.836564]  fff00000c1376b00: fa fb fc fc fa fb fc fc fa fb fc fc 00 04 fc fc
[   16.836605]  fff00000c1376b80: fa fb fc fc fa fb fc fc fa fb fc fc 00 00 fc fc
[   16.836646] >fff00000c1376c00: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.836682]                    ^
[   16.836718]  fff00000c1376c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.836758]  fff00000c1376d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.836943] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

2zWOMr1is0AX4arj0SYVF5JpOke

job_id

TEST:linaro@lkft#2zWOQt6s929bxgUx38gzHQDeEWi

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2zWOQt6s929bxgUx38gzHQDeEWi

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zWONz22XAnnmTpBnNGDTTWAndE/Image.gz
sha256sum	e425e97b4796f84f3684f795a517e91f191e432f98db0542561ded32ae0821b4

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zWONz22XAnnmTpBnNGDTTWAndE/modules.tar.xz
sha256sum	1aed0961c44960a298f006a14ef5e7bc7416a278296f1682363efc7cf573b276

durations

tests

boot	0
kunit	170.41

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

[   13.349410] ==================================================================
[   13.349870] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[   13.350125] Read of size 16 at addr ffff888101c6db60 by task kunit_try_catch/186
[   13.350728] 
[   13.350929] CPU: 0 UID: 0 PID: 186 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   13.351008] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.351031] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.351068] Call Trace:
[   13.351093]  <TASK>
[   13.351127]  dump_stack_lvl+0x73/0xb0
[   13.351177]  print_report+0xd1/0x650
[   13.351210]  ? __virt_addr_valid+0x1db/0x2d0
[   13.351244]  ? kmalloc_uaf_16+0x47b/0x4c0
[   13.351277]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.351318]  ? kmalloc_uaf_16+0x47b/0x4c0
[   13.351350]  kasan_report+0x141/0x180
[   13.351386]  ? kmalloc_uaf_16+0x47b/0x4c0
[   13.351431]  __asan_report_load16_noabort+0x18/0x20
[   13.351474]  kmalloc_uaf_16+0x47b/0x4c0
[   13.351512]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[   13.351547]  ? __schedule+0x10cc/0x2b60
[   13.351648]  ? __pfx_read_tsc+0x10/0x10
[   13.351684]  ? ktime_get_ts64+0x86/0x230
[   13.351732]  kunit_try_run_case+0x1a5/0x480
[   13.351777]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.351817]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.351860]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.351903]  ? __kthread_parkme+0x82/0x180
[   13.351941]  ? preempt_count_sub+0x50/0x80
[   13.351986]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.352030]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.352062]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.352092]  kthread+0x337/0x6f0
[   13.352145]  ? trace_preempt_on+0x20/0xc0
[   13.352168]  ? __pfx_kthread+0x10/0x10
[   13.352186]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.352205]  ? calculate_sigpending+0x7b/0xa0
[   13.352227]  ? __pfx_kthread+0x10/0x10
[   13.352246]  ret_from_fork+0x116/0x1d0
[   13.352289]  ? __pfx_kthread+0x10/0x10
[   13.352310]  ret_from_fork_asm+0x1a/0x30
[   13.352339]  </TASK>
[   13.352351] 
[   13.364592] Allocated by task 186:
[   13.365013]  kasan_save_stack+0x45/0x70
[   13.365376]  kasan_save_track+0x18/0x40
[   13.365954]  kasan_save_alloc_info+0x3b/0x50
[   13.366397]  __kasan_kmalloc+0xb7/0xc0
[   13.366564]  __kmalloc_cache_noprof+0x189/0x420
[   13.366870]  kmalloc_uaf_16+0x15b/0x4c0
[   13.367109]  kunit_try_run_case+0x1a5/0x480
[   13.367343]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.367579]  kthread+0x337/0x6f0
[   13.367850]  ret_from_fork+0x116/0x1d0
[   13.368036]  ret_from_fork_asm+0x1a/0x30
[   13.368262] 
[   13.369077] Freed by task 186:
[   13.369236]  kasan_save_stack+0x45/0x70
[   13.369391]  kasan_save_track+0x18/0x40
[   13.370412]  kasan_save_free_info+0x3f/0x60
[   13.370645]  __kasan_slab_free+0x56/0x70
[   13.370790]  kfree+0x222/0x3f0
[   13.371000]  kmalloc_uaf_16+0x1d6/0x4c0
[   13.371441]  kunit_try_run_case+0x1a5/0x480
[   13.371882]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.372352]  kthread+0x337/0x6f0
[   13.372848]  ret_from_fork+0x116/0x1d0
[   13.373047]  ret_from_fork_asm+0x1a/0x30
[   13.373921] 
[   13.374028] The buggy address belongs to the object at ffff888101c6db60
[   13.374028]  which belongs to the cache kmalloc-16 of size 16
[   13.374417] The buggy address is located 0 bytes inside of
[   13.374417]  freed 16-byte region [ffff888101c6db60, ffff888101c6db70)
[   13.375254] 
[   13.375450] The buggy address belongs to the physical page:
[   13.376396] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101c6d
[   13.376857] flags: 0x200000000000000(node=0|zone=2)
[   13.377072] page_type: f5(slab)
[   13.377731] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   13.378068] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   13.378825] page dumped because: kasan: bad access detected
[   13.379026] 
[   13.379116] Memory state around the buggy address:
[   13.379748]  ffff888101c6da00: 00 05 fc fc 00 02 fc fc 00 02 fc fc 00 02 fc fc
[   13.380453]  ffff888101c6da80: 00 02 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   13.380934] >ffff888101c6db00: 00 05 fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[   13.381783]                                                        ^
[   13.382088]  ffff888101c6db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.382423]  ffff888101c6dc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.383049] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

2zWOyuIXq8KfPGezZsACY2h9Py5

job_id

TEST:linaro@lkft#2zWP4XAoGIP10o2o2eFTwBxXj1O

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2zWP4XAoGIP10o2o2eFTwBxXj1O

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zWP11BuUzdrIJpEXMY7APhA7Yy/bzImage
sha256sum	83e45577bfc4e73ad09d0c6ce7ad80e5220d321a924d42244cf194a9a5f31985

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zWP11BuUzdrIJpEXMY7APhA7Yy/modules.tar.xz
sha256sum	9d7dfab4782ea546a0cc93566204973e529b1d57d997c9435a9a3cc39972abd5

durations

tests

boot	0
kunit	301.94

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

[   13.514694] ==================================================================
[   13.515568] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[   13.516816] Read of size 16 at addr ffff8881028730e0 by task kunit_try_catch/185
[   13.517176] 
[   13.517292] CPU: 1 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   13.517338] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.517353] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.517376] Call Trace:
[   13.517390]  <TASK>
[   13.517406]  dump_stack_lvl+0x73/0xb0
[   13.517437]  print_report+0xd1/0x650
[   13.517460]  ? __virt_addr_valid+0x1db/0x2d0
[   13.517484]  ? kmalloc_uaf_16+0x47b/0x4c0
[   13.517504]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.517535]  ? kmalloc_uaf_16+0x47b/0x4c0
[   13.517556]  kasan_report+0x141/0x180
[   13.517578]  ? kmalloc_uaf_16+0x47b/0x4c0
[   13.517605]  __asan_report_load16_noabort+0x18/0x20
[   13.517629]  kmalloc_uaf_16+0x47b/0x4c0
[   13.517650]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[   13.517672]  ? __schedule+0x10cc/0x2b60
[   13.517694]  ? __pfx_read_tsc+0x10/0x10
[   13.517760]  ? ktime_get_ts64+0x86/0x230
[   13.517788]  kunit_try_run_case+0x1a5/0x480
[   13.517814]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.517836]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.517859]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.517882]  ? __kthread_parkme+0x82/0x180
[   13.517903]  ? preempt_count_sub+0x50/0x80
[   13.517927]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.517951]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.517973]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.517997]  kthread+0x337/0x6f0
[   13.518018]  ? trace_preempt_on+0x20/0xc0
[   13.518043]  ? __pfx_kthread+0x10/0x10
[   13.518077]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.518132]  ? calculate_sigpending+0x7b/0xa0
[   13.518158]  ? __pfx_kthread+0x10/0x10
[   13.518180]  ret_from_fork+0x116/0x1d0
[   13.518199]  ? __pfx_kthread+0x10/0x10
[   13.518219]  ret_from_fork_asm+0x1a/0x30
[   13.518252]  </TASK>
[   13.518263] 
[   13.526197] Allocated by task 185:
[   13.526387]  kasan_save_stack+0x45/0x70
[   13.526598]  kasan_save_track+0x18/0x40
[   13.526930]  kasan_save_alloc_info+0x3b/0x50
[   13.527155]  __kasan_kmalloc+0xb7/0xc0
[   13.527295]  __kmalloc_cache_noprof+0x189/0x420
[   13.527457]  kmalloc_uaf_16+0x15b/0x4c0
[   13.527596]  kunit_try_run_case+0x1a5/0x480
[   13.527809]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.528153]  kthread+0x337/0x6f0
[   13.528530]  ret_from_fork+0x116/0x1d0
[   13.528987]  ret_from_fork_asm+0x1a/0x30
[   13.529235] 
[   13.529339] Freed by task 185:
[   13.529575]  kasan_save_stack+0x45/0x70
[   13.529971]  kasan_save_track+0x18/0x40
[   13.530187]  kasan_save_free_info+0x3f/0x60
[   13.530341]  __kasan_slab_free+0x56/0x70
[   13.530482]  kfree+0x222/0x3f0
[   13.530603]  kmalloc_uaf_16+0x1d6/0x4c0
[   13.530759]  kunit_try_run_case+0x1a5/0x480
[   13.531082]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.531498]  kthread+0x337/0x6f0
[   13.531840]  ret_from_fork+0x116/0x1d0
[   13.532212]  ret_from_fork_asm+0x1a/0x30
[   13.532465] 
[   13.532604] The buggy address belongs to the object at ffff8881028730e0
[   13.532604]  which belongs to the cache kmalloc-16 of size 16
[   13.533292] The buggy address is located 0 bytes inside of
[   13.533292]  freed 16-byte region [ffff8881028730e0, ffff8881028730f0)
[   13.533909] 
[   13.534019] The buggy address belongs to the physical page:
[   13.534335] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102873
[   13.534701] flags: 0x200000000000000(node=0|zone=2)
[   13.534883] page_type: f5(slab)
[   13.535016] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   13.535281] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   13.535910] page dumped because: kasan: bad access detected
[   13.536412] 
[   13.536569] Memory state around the buggy address:
[   13.536756]  ffff888102872f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.537166]  ffff888102873000: 00 01 fc fc 00 04 fc fc 00 04 fc fc fa fb fc fc
[   13.537516] >ffff888102873080: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc
[   13.538038]                                                        ^
[   13.538367]  ffff888102873100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.538649]  ffff888102873180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.539136] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

2zWOMr1is0AX4arj0SYVF5JpOke

job_id

TEST:linaro@lkft#2zWOS6brGmeU2EUwnTYWc14gwbn

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2zWOS6brGmeU2EUwnTYWc14gwbn

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zWOOzVyyYIheCiK7TX69oqwQMV/bzImage
sha256sum	a65cd0dbd8dcb4a1aad498bf6d6e54642475ee6492e666cfa11fecda6547fa0b

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2zWOOzVyyYIheCiK7TX69oqwQMV/modules.tar.xz
sha256sum	3863d8f18c932bfdc570c4142df231f50aef956846c2ab3b2f15aeea06f45ea4

durations

tests

boot	0
kunit	222.75

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

[   24.259101] ==================================================================
[   24.269913] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[   24.276699] Read of size 16 at addr ffff888100c91680 by task kunit_try_catch/209
[   24.284091] 
[   24.285594] CPU: 0 UID: 0 PID: 209 Comm: kunit_try_catch Tainted: G S  B            N  6.16.0-rc5 #1 PREEMPT(voluntary) 
[   24.285603] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST
[   24.285606] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[   24.285609] Call Trace:
[   24.285611]  <TASK>
[   24.285613]  dump_stack_lvl+0x73/0xb0
[   24.285617]  print_report+0xd1/0x650
[   24.285621]  ? __virt_addr_valid+0x1db/0x2d0
[   24.285626]  ? kmalloc_uaf_16+0x47b/0x4c0
[   24.285629]  ? kasan_complete_mode_report_info+0x64/0x200
[   24.285634]  ? kmalloc_uaf_16+0x47b/0x4c0
[   24.285638]  kasan_report+0x141/0x180
[   24.285642]  ? kmalloc_uaf_16+0x47b/0x4c0
[   24.285646]  __asan_report_load16_noabort+0x18/0x20
[   24.285651]  kmalloc_uaf_16+0x47b/0x4c0
[   24.285655]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[   24.285659]  ? __schedule+0x10cc/0x2b60
[   24.285663]  ? ktime_get_ts64+0x83/0x230
[   24.285667]  kunit_try_run_case+0x1a2/0x480
[   24.285672]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.285676]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.285680]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.285684]  ? __kthread_parkme+0x82/0x180
[   24.285688]  ? preempt_count_sub+0x50/0x80
[   24.285692]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.285696]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   24.285701]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.285705]  kthread+0x334/0x6f0
[   24.285708]  ? trace_preempt_on+0x20/0xc0
[   24.285712]  ? __pfx_kthread+0x10/0x10
[   24.285716]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.285720]  ? calculate_sigpending+0x7b/0xa0
[   24.285724]  ? __pfx_kthread+0x10/0x10
[   24.285728]  ret_from_fork+0x113/0x1d0
[   24.285731]  ? __pfx_kthread+0x10/0x10
[   24.285735]  ret_from_fork_asm+0x1a/0x30
[   24.285741]  </TASK>
[   24.285742] 
[   24.449259] Allocated by task 209:
[   24.452668]  kasan_save_stack+0x45/0x70
[   24.456513]  kasan_save_track+0x18/0x40
[   24.460363]  kasan_save_alloc_info+0x3b/0x50
[   24.464661]  __kasan_kmalloc+0xb7/0xc0
[   24.468415]  __kmalloc_cache_noprof+0x189/0x420
[   24.472956]  kmalloc_uaf_16+0x15b/0x4c0
[   24.476794]  kunit_try_run_case+0x1a2/0x480
[   24.480979]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   24.486392]  kthread+0x334/0x6f0
[   24.489630]  ret_from_fork+0x113/0x1d0
[   24.493406]  ret_from_fork_asm+0x1a/0x30
[   24.497362] 
[   24.498886] Freed by task 209:
[   24.501946]  kasan_save_stack+0x45/0x70
[   24.505783]  kasan_save_track+0x18/0x40
[   24.509625]  kasan_save_free_info+0x3f/0x60
[   24.513816]  __kasan_slab_free+0x56/0x70
[   24.517743]  kfree+0x222/0x3f0
[   24.520802]  kmalloc_uaf_16+0x1d6/0x4c0
[   24.524642]  kunit_try_run_case+0x1a2/0x480
[   24.528828]  kunit_generic_run_threadfn_adapter+0x82/0xf0
[   24.534229]  kthread+0x334/0x6f0
[   24.537460]  ret_from_fork+0x113/0x1d0
[   24.541212]  ret_from_fork_asm+0x1a/0x30
[   24.545140] 
[   24.546637] The buggy address belongs to the object at ffff888100c91680
[   24.546637]  which belongs to the cache kmalloc-16 of size 16
[   24.558972] The buggy address is located 0 bytes inside of
[   24.558972]  freed 16-byte region [ffff888100c91680, ffff888100c91690)
[   24.570967] 
[   24.572466] The buggy address belongs to the physical page:
[   24.578039] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100c91
[   24.586044] flags: 0x200000000000000(node=0|zone=2)
[   24.590925] page_type: f5(slab)
[   24.594073] raw: 0200000000000000 ffff888100042640 dead000000000122 0000000000000000
[   24.601820] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   24.609559] page dumped because: kasan: bad access detected
[   24.615131] 
[   24.616629] Memory state around the buggy address:
[   24.621424]  ffff888100c91580: 00 06 fc fc 00 06 fc fc 00 00 fc fc 00 00 fc fc
[   24.628644]  ffff888100c91600: 00 00 fc fc 00 04 fc fc 00 06 fc fc 00 00 fc fc
[   24.635871] >ffff888100c91680: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.643090]                    ^
[   24.646322]  ffff888100c91700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.653568]  ffff888100c91780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.660785] ==================================================================

Metadata Full log Test run details

Metadata

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit

Failure - x86 - gcc-13-lkftconfig-kunit