Date: July 6, 2025, 11:09 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
| x86 |
```
[ 18.188556] ==================================================================
[ 18.188714] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[ 18.188792] Read of size 1 at addr fff00000c77a0000 by task kunit_try_catch/214
[ 18.188845]
[ 18.188888] CPU: 0 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 18.188971] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.189010] Hardware name: linux,dummy-virt (DT)
[ 18.189967] Call trace:
[ 18.190031] show_stack+0x20/0x38 (C)
[ 18.190146] dump_stack_lvl+0x8c/0xd0
[ 18.190200] print_report+0x118/0x608
[ 18.190248] kasan_report+0xdc/0x128
[ 18.190362] __asan_report_load1_noabort+0x20/0x30
[ 18.190864] kmem_cache_rcu_uaf+0x388/0x468
[ 18.190918] kunit_try_run_case+0x170/0x3f0
[ 18.190971] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.191395] kthread+0x328/0x630
[ 18.191562] ret_from_fork+0x10/0x20
[ 18.191736]
[ 18.191853] Allocated by task 214:
[ 18.191887] kasan_save_stack+0x3c/0x68
[ 18.192203] kasan_save_track+0x20/0x40
[ 18.192451] kasan_save_alloc_info+0x40/0x58
[ 18.192492] __kasan_slab_alloc+0xa8/0xb0
[ 18.192527] kmem_cache_alloc_noprof+0x10c/0x398
[ 18.192574] kmem_cache_rcu_uaf+0x12c/0x468
[ 18.192611] kunit_try_run_case+0x170/0x3f0
[ 18.192647] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.192907] kthread+0x328/0x630
[ 18.192951] ret_from_fork+0x10/0x20
[ 18.193290]
[ 18.193316] Freed by task 0:
[ 18.193345] kasan_save_stack+0x3c/0x68
[ 18.193797] kasan_save_track+0x20/0x40
[ 18.194097] kasan_save_free_info+0x4c/0x78
[ 18.194154] __kasan_slab_free+0x6c/0x98
[ 18.194273] slab_free_after_rcu_debug+0xd4/0x2f8
[ 18.194584] rcu_core+0x9f4/0x1e20
[ 18.194750] rcu_core_si+0x18/0x30
[ 18.194788] handle_softirqs+0x374/0xb28
[ 18.194856] __do_softirq+0x1c/0x28
[ 18.194898]
[ 18.194969] Last potentially related work creation:
[ 18.195156] kasan_save_stack+0x3c/0x68
[ 18.195311] kasan_record_aux_stack+0xb4/0xc8
[ 18.195390] kmem_cache_free+0x120/0x468
[ 18.195690] kmem_cache_rcu_uaf+0x16c/0x468
[ 18.195944] kunit_try_run_case+0x170/0x3f0
[ 18.196328] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.196445] kthread+0x328/0x630
[ 18.196480] ret_from_fork+0x10/0x20
[ 18.197132]
[ 18.197293] The buggy address belongs to the object at fff00000c77a0000
[ 18.197293] which belongs to the cache test_cache of size 200
[ 18.197855] The buggy address is located 0 bytes inside of
[ 18.197855] freed 200-byte region [fff00000c77a0000, fff00000c77a00c8)
[ 18.198204]
[ 18.198238] The buggy address belongs to the physical page:
[ 18.198444] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077a0
[ 18.198758] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.198820] page_type: f5(slab)
[ 18.198862] raw: 0bfffe0000000000 fff00000c5d09500 dead000000000122 0000000000000000
[ 18.199107] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 18.199205] page dumped because: kasan: bad access detected
[ 18.199283]
[ 18.199300] Memory state around the buggy address:
[ 18.199337] fff00000c779ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.199381] fff00000c779ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.199423] >fff00000c77a0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 18.200028] ^
[ 18.200358] fff00000c77a0080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 18.200412] fff00000c77a0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 18.200453] ==================================================================
```
```
[ 17.955368] ==================================================================
[ 17.956125] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[ 17.956295] Read of size 1 at addr fff00000c77e1000 by task kunit_try_catch/214
[ 17.956350]
[ 17.956631] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 17.956729] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.956755] Hardware name: linux,dummy-virt (DT)
[ 17.956791] Call trace:
[ 17.956935] show_stack+0x20/0x38 (C)
[ 17.957305] dump_stack_lvl+0x8c/0xd0
[ 17.957380] print_report+0x118/0x608
[ 17.957431] kasan_report+0xdc/0x128
[ 17.957477] __asan_report_load1_noabort+0x20/0x30
[ 17.957529] kmem_cache_rcu_uaf+0x388/0x468
[ 17.957575] kunit_try_run_case+0x170/0x3f0
[ 17.957623] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.957676] kthread+0x328/0x630
[ 17.957720] ret_from_fork+0x10/0x20
[ 17.957772]
[ 17.957790] Allocated by task 214:
[ 17.957819] kasan_save_stack+0x3c/0x68
[ 17.957871] kasan_save_track+0x20/0x40
[ 17.957921] kasan_save_alloc_info+0x40/0x58
[ 17.957973] __kasan_slab_alloc+0xa8/0xb0
[ 17.958157] kmem_cache_alloc_noprof+0x10c/0x398
[ 17.958441] kmem_cache_rcu_uaf+0x12c/0x468
[ 17.958607] kunit_try_run_case+0x170/0x3f0
[ 17.958658] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.959141] kthread+0x328/0x630
[ 17.959340] ret_from_fork+0x10/0x20
[ 17.959425]
[ 17.959733] Freed by task 0:
[ 17.959812] kasan_save_stack+0x3c/0x68
[ 17.960223] kasan_save_track+0x20/0x40
[ 17.960313] kasan_save_free_info+0x4c/0x78
[ 17.960550] __kasan_slab_free+0x6c/0x98
[ 17.960730] slab_free_after_rcu_debug+0xd4/0x2f8
[ 17.960787] rcu_core+0x9f4/0x1e20
[ 17.961082] rcu_core_si+0x18/0x30
[ 17.961274] handle_softirqs+0x374/0xb28
[ 17.961501] __do_softirq+0x1c/0x28
[ 17.961617]
[ 17.961770] Last potentially related work creation:
[ 17.961828] kasan_save_stack+0x3c/0x68
[ 17.962101] kasan_record_aux_stack+0xb4/0xc8
[ 17.962258] kmem_cache_free+0x120/0x468
[ 17.962381] kmem_cache_rcu_uaf+0x16c/0x468
[ 17.962432] kunit_try_run_case+0x170/0x3f0
[ 17.962472] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.962540] kthread+0x328/0x630
[ 17.962572] ret_from_fork+0x10/0x20
[ 17.962608]
[ 17.962852] The buggy address belongs to the object at fff00000c77e1000
[ 17.962852] which belongs to the cache test_cache of size 200
[ 17.963046] The buggy address is located 0 bytes inside of
[ 17.963046] freed 200-byte region [fff00000c77e1000, fff00000c77e10c8)
[ 17.963390]
[ 17.963501] The buggy address belongs to the physical page:
[ 17.963583] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077e1
[ 17.963810] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.963880] page_type: f5(slab)
[ 17.963973] raw: 0bfffe0000000000 fff00000c77d93c0 dead000000000122 0000000000000000
[ 17.964024] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 17.964065] page dumped because: kasan: bad access detected
[ 17.964095]
[ 17.964216] Memory state around the buggy address:
[ 17.964283] fff00000c77e0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.964343] fff00000c77e0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.964398] >fff00000c77e1000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.964452] ^
[ 17.964481] fff00000c77e1080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 17.964523] fff00000c77e1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.964562] ==================================================================
```
```
[ 14.245921] ==================================================================
[ 14.246326] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[ 14.247099] Read of size 1 at addr ffff888102ab6000 by task kunit_try_catch/231
[ 14.247426]
[ 14.248013] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.248099] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.248129] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.248163] Call Trace:
[ 14.248186] <TASK>
[ 14.248214] dump_stack_lvl+0x73/0xb0
[ 14.248272] print_report+0xd1/0x650
[ 14.248310] ? __virt_addr_valid+0x1db/0x2d0
[ 14.248346] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 14.248379] ? kasan_complete_mode_report_info+0x64/0x200
[ 14.248413] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 14.248448] kasan_report+0x141/0x180
[ 14.248481] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 14.248525] __asan_report_load1_noabort+0x18/0x20
[ 14.248564] kmem_cache_rcu_uaf+0x3e3/0x510
[ 14.248674] ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[ 14.248722] ? finish_task_switch.isra.0+0x153/0x700
[ 14.248756] ? __switch_to+0x47/0xf50
[ 14.248800] ? __pfx_read_tsc+0x10/0x10
[ 14.248830] ? ktime_get_ts64+0x86/0x230
[ 14.248865] kunit_try_run_case+0x1a5/0x480
[ 14.248902] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.248933] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.248969] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.248994] ? __kthread_parkme+0x82/0x180
[ 14.249013] ? preempt_count_sub+0x50/0x80
[ 14.249034] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.249055] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.249076] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.249098] kthread+0x337/0x6f0
[ 14.249121] ? trace_preempt_on+0x20/0xc0
[ 14.249149] ? __pfx_kthread+0x10/0x10
[ 14.249168] ? _raw_spin_unlock_irq+0x47/0x80
[ 14.249186] ? calculate_sigpending+0x7b/0xa0
[ 14.249209] ? __pfx_kthread+0x10/0x10
[ 14.249228] ret_from_fork+0x116/0x1d0
[ 14.249245] ? __pfx_kthread+0x10/0x10
[ 14.249263] ret_from_fork_asm+0x1a/0x30
[ 14.249292] </TASK>
[ 14.249304]
[ 14.259688] Allocated by task 231:
[ 14.259885] kasan_save_stack+0x45/0x70
[ 14.260063] kasan_save_track+0x18/0x40
[ 14.260226] kasan_save_alloc_info+0x3b/0x50
[ 14.260404] __kasan_slab_alloc+0x91/0xa0
[ 14.260571] kmem_cache_alloc_noprof+0x123/0x3f0
[ 14.260911] kmem_cache_rcu_uaf+0x155/0x510
[ 14.261222] kunit_try_run_case+0x1a5/0x480
[ 14.261568] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.262169] kthread+0x337/0x6f0
[ 14.262396] ret_from_fork+0x116/0x1d0
[ 14.262718] ret_from_fork_asm+0x1a/0x30
[ 14.263030]
[ 14.263194] Freed by task 0:
[ 14.263489] kasan_save_stack+0x45/0x70
[ 14.264279] kasan_save_track+0x18/0x40
[ 14.265289] kasan_save_free_info+0x3f/0x60
[ 14.265458] __kasan_slab_free+0x56/0x70
[ 14.265817] slab_free_after_rcu_debug+0xe4/0x310
[ 14.266275] rcu_core+0x66f/0x1c40
[ 14.266692] rcu_core_si+0x12/0x20
[ 14.266966] handle_softirqs+0x209/0x730
[ 14.267188] __irq_exit_rcu+0xc9/0x110
[ 14.267375] irq_exit_rcu+0x12/0x20
[ 14.267817] sysvec_apic_timer_interrupt+0x81/0x90
[ 14.268470] asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 14.268846]
[ 14.269004] Last potentially related work creation:
[ 14.269355] kasan_save_stack+0x45/0x70
[ 14.269825] kasan_record_aux_stack+0xb2/0xc0
[ 14.270113] kmem_cache_free+0x131/0x420
[ 14.270311] kmem_cache_rcu_uaf+0x194/0x510
[ 14.270503] kunit_try_run_case+0x1a5/0x480
[ 14.270687] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.270865] kthread+0x337/0x6f0
[ 14.271062] ret_from_fork+0x116/0x1d0
[ 14.271347] ret_from_fork_asm+0x1a/0x30
[ 14.271987]
[ 14.272221] The buggy address belongs to the object at ffff888102ab6000
[ 14.272221] which belongs to the cache test_cache of size 200
[ 14.273135] The buggy address is located 0 bytes inside of
[ 14.273135] freed 200-byte region [ffff888102ab6000, ffff888102ab60c8)
[ 14.273798]
[ 14.273997] The buggy address belongs to the physical page:
[ 14.274233] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102ab6
[ 14.274964] flags: 0x200000000000000(node=0|zone=2)
[ 14.275319] page_type: f5(slab)
[ 14.275698] raw: 0200000000000000 ffff888100a55c80 dead000000000122 0000000000000000
[ 14.276068] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 14.276847] page dumped because: kasan: bad access detected
[ 14.277124]
[ 14.277291] Memory state around the buggy address:
[ 14.277456] ffff888102ab5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.278094] ffff888102ab5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.278478] >ffff888102ab6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.278961] ^
[ 14.279269] ffff888102ab6080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 14.279604] ffff888102ab6100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.280246] ==================================================================
```
```
[ 14.390017] ==================================================================
[ 14.390535] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[ 14.391270] Read of size 1 at addr ffff8881039e8000 by task kunit_try_catch/230
[ 14.391679]
[ 14.391795] CPU: 0 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.391844] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.391857] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.391880] Call Trace:
[ 14.391894] <TASK>
[ 14.391912] dump_stack_lvl+0x73/0xb0
[ 14.392254] print_report+0xd1/0x650
[ 14.392289] ? __virt_addr_valid+0x1db/0x2d0
[ 14.392315] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 14.392338] ? kasan_complete_mode_report_info+0x64/0x200
[ 14.392365] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 14.392389] kasan_report+0x141/0x180
[ 14.392411] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 14.392439] __asan_report_load1_noabort+0x18/0x20
[ 14.392463] kmem_cache_rcu_uaf+0x3e3/0x510
[ 14.392486] ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[ 14.392509] ? finish_task_switch.isra.0+0x153/0x700
[ 14.392532] ? __switch_to+0x47/0xf50
[ 14.392563] ? __pfx_read_tsc+0x10/0x10
[ 14.392585] ? ktime_get_ts64+0x86/0x230
[ 14.392611] kunit_try_run_case+0x1a5/0x480
[ 14.392637] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.392659] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.392684] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.392706] ? __kthread_parkme+0x82/0x180
[ 14.392727] ? preempt_count_sub+0x50/0x80
[ 14.393019] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.393046] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.393086] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.393110] kthread+0x337/0x6f0
[ 14.393131] ? trace_preempt_on+0x20/0xc0
[ 14.393156] ? __pfx_kthread+0x10/0x10
[ 14.393178] ? _raw_spin_unlock_irq+0x47/0x80
[ 14.393199] ? calculate_sigpending+0x7b/0xa0
[ 14.393226] ? __pfx_kthread+0x10/0x10
[ 14.393248] ret_from_fork+0x116/0x1d0
[ 14.393268] ? __pfx_kthread+0x10/0x10
[ 14.393289] ret_from_fork_asm+0x1a/0x30
[ 14.393323] </TASK>
[ 14.393336]
[ 14.404046] Allocated by task 230:
[ 14.404274] kasan_save_stack+0x45/0x70
[ 14.404479] kasan_save_track+0x18/0x40
[ 14.404681] kasan_save_alloc_info+0x3b/0x50
[ 14.405470] __kasan_slab_alloc+0x91/0xa0
[ 14.405871] kmem_cache_alloc_noprof+0x123/0x3f0
[ 14.406113] kmem_cache_rcu_uaf+0x155/0x510
[ 14.406341] kunit_try_run_case+0x1a5/0x480
[ 14.406543] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.407086] kthread+0x337/0x6f0
[ 14.407278] ret_from_fork+0x116/0x1d0
[ 14.407423] ret_from_fork_asm+0x1a/0x30
[ 14.407574]
[ 14.407655] Freed by task 0:
[ 14.407783] kasan_save_stack+0x45/0x70
[ 14.407930] kasan_save_track+0x18/0x40
[ 14.408091] kasan_save_free_info+0x3f/0x60
[ 14.408253] __kasan_slab_free+0x56/0x70
[ 14.408404] slab_free_after_rcu_debug+0xe4/0x310
[ 14.408825] rcu_core+0x66f/0x1c40
[ 14.409109] rcu_core_si+0x12/0x20
[ 14.409245] handle_softirqs+0x209/0x730
[ 14.409439] __irq_exit_rcu+0xc9/0x110
[ 14.409588] irq_exit_rcu+0x12/0x20
[ 14.410103] sysvec_apic_timer_interrupt+0x81/0x90
[ 14.410594] asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 14.411288]
[ 14.411494] Last potentially related work creation:
[ 14.411757] kasan_save_stack+0x45/0x70
[ 14.412169] kasan_record_aux_stack+0xb2/0xc0
[ 14.412609] kmem_cache_free+0x131/0x420
[ 14.413004] kmem_cache_rcu_uaf+0x194/0x510
[ 14.413282] kunit_try_run_case+0x1a5/0x480
[ 14.413612] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.414210] kthread+0x337/0x6f0
[ 14.414490] ret_from_fork+0x116/0x1d0
[ 14.414654] ret_from_fork_asm+0x1a/0x30
[ 14.414983]
[ 14.415189] The buggy address belongs to the object at ffff8881039e8000
[ 14.415189] which belongs to the cache test_cache of size 200
[ 14.415985] The buggy address is located 0 bytes inside of
[ 14.415985] freed 200-byte region [ffff8881039e8000, ffff8881039e80c8)
[ 14.416359]
[ 14.416440] The buggy address belongs to the physical page:
[ 14.416623] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039e8
[ 14.417384] flags: 0x200000000000000(node=0|zone=2)
[ 14.417918] page_type: f5(slab)
[ 14.418354] raw: 0200000000000000 ffff888101601500 dead000000000122 0000000000000000
[ 14.419244] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 14.420245] page dumped because: kasan: bad access detected
[ 14.420784]
[ 14.421008] Memory state around the buggy address:
[ 14.421643] ffff8881039e7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.422146] ffff8881039e7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.422376] >ffff8881039e8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.422599] ^
[ 14.422772] ffff8881039e8080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 14.423481] ffff8881039e8100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.424294] ==================================================================
```
```
[ 34.116572] ==================================================================
[ 34.128168] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[ 34.135318] Read of size 1 at addr ffff888103816000 by task kunit_try_catch/254
[ 34.142657]
[ 34.144160] CPU: 3 UID: 0 PID: 254 Comm: kunit_try_catch Tainted: G S B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 34.144170] Tainted: [S]=CPU_OUT_OF_SPEC, [B]=BAD_PAGE, [N]=TEST
[ 34.144173] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[ 34.144176] Call Trace:
[ 34.144178] <TASK>
[ 34.144181] dump_stack_lvl+0x73/0xb0
[ 34.144186] print_report+0xd1/0x650
[ 34.144191] ? __virt_addr_valid+0x1db/0x2d0
[ 34.144196] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 34.144200] ? kasan_complete_mode_report_info+0x64/0x200
[ 34.144205] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 34.144210] kasan_report+0x141/0x180
[ 34.144214] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 34.144219] __asan_report_load1_noabort+0x18/0x20
[ 34.144224] kmem_cache_rcu_uaf+0x3e3/0x510
[ 34.144228] ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[ 34.144233] ? finish_task_switch.isra.0+0x153/0x700
[ 34.144237] ? __switch_to+0x544/0xf50
[ 34.144243] ? ktime_get_ts64+0x83/0x230
[ 34.144248] kunit_try_run_case+0x1a2/0x480
[ 34.144253] ? __pfx_kunit_try_run_case+0x10/0x10
[ 34.144257] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 34.144262] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 34.144266] ? __kthread_parkme+0x82/0x180
[ 34.144270] ? preempt_count_sub+0x50/0x80
[ 34.144274] ? __pfx_kunit_try_run_case+0x10/0x10
[ 34.144279] kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 34.144283] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 34.144287] kthread+0x334/0x6f0
[ 34.144291] ? trace_preempt_on+0x20/0xc0
[ 34.144295] ? __pfx_kthread+0x10/0x10
[ 34.144299] ? _raw_spin_unlock_irq+0x47/0x80
[ 34.144303] ? calculate_sigpending+0x7b/0xa0
[ 34.144308] ? __pfx_kthread+0x10/0x10
[ 34.144312] ret_from_fork+0x113/0x1d0
[ 34.144315] ? __pfx_kthread+0x10/0x10
[ 34.144319] ret_from_fork_asm+0x1a/0x30
[ 34.144325] </TASK>
[ 34.144327]
[ 34.314466] Allocated by task 254:
[ 34.317873] kasan_save_stack+0x45/0x70
[ 34.321721] kasan_save_track+0x18/0x40
[ 34.325559] kasan_save_alloc_info+0x3b/0x50
[ 34.329841] __kasan_slab_alloc+0x91/0xa0
[ 34.333853] kmem_cache_alloc_noprof+0x123/0x3f0
[ 34.338473] kmem_cache_rcu_uaf+0x155/0x510
[ 34.342668] kunit_try_run_case+0x1a2/0x480
[ 34.346860] kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 34.352260] kthread+0x334/0x6f0
[ 34.355491] ret_from_fork+0x113/0x1d0
[ 34.359245] ret_from_fork_asm+0x1a/0x30
[ 34.363173]
[ 34.364672] Freed by task 0:
[ 34.367557] kasan_save_stack+0x45/0x70
[ 34.371405] kasan_save_track+0x18/0x40
[ 34.375243] kasan_save_free_info+0x3f/0x60
[ 34.379431] __kasan_slab_free+0x56/0x70
[ 34.383362] slab_free_after_rcu_debug+0xe4/0x310
[ 34.388096] rcu_core+0x66c/0x1c40
[ 34.391503] rcu_core_si+0x12/0x20
[ 34.394909] handle_softirqs+0x206/0x730
[ 34.398835] __irq_exit_rcu+0xc9/0x110
[ 34.402586] irq_exit_rcu+0x12/0x20
[ 34.406081] sysvec_apic_timer_interrupt+0x81/0x90
[ 34.410882] asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 34.416019]
[ 34.417520] Last potentially related work creation:
[ 34.422403] kasan_save_stack+0x45/0x70
[ 34.426247] kasan_record_aux_stack+0xb2/0xc0
[ 34.430607] kmem_cache_free+0x131/0x420
[ 34.434533] kmem_cache_rcu_uaf+0x194/0x510
[ 34.438726] kunit_try_run_case+0x1a2/0x480
[ 34.442914] kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 34.448311] kthread+0x334/0x6f0
[ 34.451546] ret_from_fork+0x113/0x1d0
[ 34.455296] ret_from_fork_asm+0x1a/0x30
[ 34.459224]
[ 34.460723] The buggy address belongs to the object at ffff888103816000
[ 34.460723] which belongs to the cache test_cache of size 200
[ 34.473151] The buggy address is located 0 bytes inside of
[ 34.473151] freed 200-byte region [ffff888103816000, ffff8881038160c8)
[ 34.485233]
[ 34.486731] The buggy address belongs to the physical page:
[ 34.492305] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103816
[ 34.500312] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 34.507965] flags: 0x200000000000040(head|node=0|zone=2)
[ 34.513278] page_type: f5(slab)
[ 34.516426] raw: 0200000000000040 ffff888103804f00 dead000000000122 0000000000000000
[ 34.524172] raw: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[ 34.531913] head: 0200000000000040 ffff888103804f00 dead000000000122 0000000000000000
[ 34.539746] head: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[ 34.547573] head: 0200000000000001 ffffea00040e0581 00000000ffffffff 00000000ffffffff
[ 34.555407] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 34.563233] page dumped because: kasan: bad access detected
[ 34.568804]
[ 34.570304] Memory state around the buggy address:
[ 34.575096] ffff888103815f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.582316] ffff888103815f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.589535] >ffff888103816000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.596755] ^
[ 34.599987] ffff888103816080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 34.607206] ffff888103816100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.614425] ==================================================================
```