lkft/linux-mainline-master - v6.16-rc6-237-gc7de79e662b8 - log-parser-boot/kasan-bug-kasan-slab-use-after-free-in-kmalloc_uaf_16

Date

July 18, 2025, 11:11 p.m.

Environment
qemu-x86_64

[   12.193898] ==================================================================
[   12.195370] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[   12.196597] Read of size 16 at addr ffff8881025c74c0 by task kunit_try_catch/187
[   12.197699] 
[   12.197810] CPU: 1 UID: 0 PID: 187 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   12.197917] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.197930] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.197981] Call Trace:
[   12.197993]  <TASK>
[   12.198010]  dump_stack_lvl+0x73/0xb0
[   12.198257]  print_report+0xd1/0x610
[   12.198297]  ? __virt_addr_valid+0x1db/0x2d0
[   12.198320]  ? kmalloc_uaf_16+0x47b/0x4c0
[   12.198340]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.198362]  ? kmalloc_uaf_16+0x47b/0x4c0
[   12.198382]  kasan_report+0x141/0x180
[   12.198403]  ? kmalloc_uaf_16+0x47b/0x4c0
[   12.198428]  __asan_report_load16_noabort+0x18/0x20
[   12.198466]  kmalloc_uaf_16+0x47b/0x4c0
[   12.198486]  ? __pfx_kmalloc_uaf_16+0x10/0x10
[   12.198507]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   12.198533]  ? trace_hardirqs_on+0x37/0xe0
[   12.198557]  ? __pfx_read_tsc+0x10/0x10
[   12.198577]  ? ktime_get_ts64+0x86/0x230
[   12.198602]  kunit_try_run_case+0x1a5/0x480
[   12.198626]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.198649]  ? queued_spin_lock_slowpath+0x116/0xb40
[   12.198674]  ? __kthread_parkme+0x82/0x180
[   12.198694]  ? preempt_count_sub+0x50/0x80
[   12.198718]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.198741]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.198764]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.198787]  kthread+0x337/0x6f0
[   12.198805]  ? trace_preempt_on+0x20/0xc0
[   12.198826]  ? __pfx_kthread+0x10/0x10
[   12.198845]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.198865]  ? calculate_sigpending+0x7b/0xa0
[   12.198889]  ? __pfx_kthread+0x10/0x10
[   12.198909]  ret_from_fork+0x116/0x1d0
[   12.198927]  ? __pfx_kthread+0x10/0x10
[   12.198946]  ret_from_fork_asm+0x1a/0x30
[   12.198977]  </TASK>
[   12.198987] 
[   12.209191] Allocated by task 187:
[   12.209611]  kasan_save_stack+0x45/0x70
[   12.210099]  kasan_save_track+0x18/0x40
[   12.210533]  kasan_save_alloc_info+0x3b/0x50
[   12.210953]  __kasan_kmalloc+0xb7/0xc0
[   12.211417]  __kmalloc_cache_noprof+0x189/0x420
[   12.211886]  kmalloc_uaf_16+0x15b/0x4c0
[   12.212268]  kunit_try_run_case+0x1a5/0x480
[   12.212432]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.212956]  kthread+0x337/0x6f0
[   12.213470]  ret_from_fork+0x116/0x1d0
[   12.213885]  ret_from_fork_asm+0x1a/0x30
[   12.214245] 
[   12.214336] Freed by task 187:
[   12.214452]  kasan_save_stack+0x45/0x70
[   12.214813]  kasan_save_track+0x18/0x40
[   12.215268]  kasan_save_free_info+0x3f/0x60
[   12.215768]  __kasan_slab_free+0x56/0x70
[   12.216218]  kfree+0x222/0x3f0
[   12.216526]  kmalloc_uaf_16+0x1d6/0x4c0
[   12.216666]  kunit_try_run_case+0x1a5/0x480
[   12.216812]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.217004]  kthread+0x337/0x6f0
[   12.217126]  ret_from_fork+0x116/0x1d0
[   12.217257]  ret_from_fork_asm+0x1a/0x30
[   12.217840] 
[   12.218014] The buggy address belongs to the object at ffff8881025c74c0
[   12.218014]  which belongs to the cache kmalloc-16 of size 16
[   12.219303] The buggy address is located 0 bytes inside of
[   12.219303]  freed 16-byte region [ffff8881025c74c0, ffff8881025c74d0)
[   12.220511] 
[   12.220672] The buggy address belongs to the physical page:
[   12.221412] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1025c7
[   12.222034] flags: 0x200000000000000(node=0|zone=2)
[   12.222599] page_type: f5(slab)
[   12.222769] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   12.223390] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   12.223995] page dumped because: kasan: bad access detected
[   12.224511] 
[   12.224584] Memory state around the buggy address:
[   12.224741]  ffff8881025c7380: 00 06 fc fc 00 06 fc fc 00 04 fc fc 00 04 fc fc
[   12.224966]  ffff8881025c7400: 00 01 fc fc 00 01 fc fc 00 04 fc fc 00 04 fc fc
[   12.225191] >ffff8881025c7480: fa fb fc fc 00 00 fc fc fa fb fc fc fc fc fc fc
[   12.225689]                                            ^
[   12.225870]  ffff8881025c7500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.226186]  ffff8881025c7580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.226455] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

304I74qE3r0xJScpa5F21DtNBKi

job_id

TEST:linaro@lkft#304IBtjw5gAFiQFtjheOZVsLnJd

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/304IBtjw5gAFiQFtjheOZVsLnJd

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/304I8v4gAXANgVsBFBP9Xgpwo9H/bzImage
sha256sum	74b158d3087b541db14488f1c5db89bcaabd464c1e74c13c892d531ea76b1c6d

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/304I8v4gAXANgVsBFBP9Xgpwo9H/modules.tar.xz
sha256sum	82d2eca680645b0e05a8b7307d7b91914de6f6b8f19a6a17cfb131cfaa8719a0

durations

tests

boot	0
kunit	221.87

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.2+ds-1

Metadata

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit