Date
July 20, 2025, 11:12 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
```
[ 17.826414] ==================================================================
[ 17.826531] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[ 17.826609] Read of size 1 at addr fff00000c787e000 by task kunit_try_catch/213
[ 17.826670]
[ 17.826712] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT
[ 17.826799] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.826827] Hardware name: linux,dummy-virt (DT)
[ 17.826861] Call trace:
[ 17.826887] show_stack+0x20/0x38 (C)
[ 17.826957] dump_stack_lvl+0x8c/0xd0
[ 17.827008] print_report+0x118/0x5d0
[ 17.827055] kasan_report+0xdc/0x128
[ 17.827102] __asan_report_load1_noabort+0x20/0x30
[ 17.827155] kmem_cache_rcu_uaf+0x388/0x468
[ 17.827201] kunit_try_run_case+0x170/0x3f0
[ 17.827254] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.827311] kthread+0x328/0x630
[ 17.827355] ret_from_fork+0x10/0x20
[ 17.827405]
[ 17.827423] Allocated by task 213:
[ 17.827453] kasan_save_stack+0x3c/0x68
[ 17.827498] kasan_save_track+0x20/0x40
[ 17.827536] kasan_save_alloc_info+0x40/0x58
[ 17.827577] __kasan_slab_alloc+0xa8/0xb0
[ 17.827615] kmem_cache_alloc_noprof+0x10c/0x398
[ 17.827657] kmem_cache_rcu_uaf+0x12c/0x468
[ 17.827696] kunit_try_run_case+0x170/0x3f0
[ 17.827733] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.827777] kthread+0x328/0x630
[ 17.827809] ret_from_fork+0x10/0x20
[ 17.827845]
[ 17.827863] Freed by task 0:
[ 17.827892] kasan_save_stack+0x3c/0x68
[ 17.827964] kasan_save_track+0x20/0x40
[ 17.828003] kasan_save_free_info+0x4c/0x78
[ 17.828042] __kasan_slab_free+0x6c/0x98
[ 17.828080] slab_free_after_rcu_debug+0xd4/0x2f8
[ 17.828119] rcu_core+0x9f4/0x1e20
[ 17.828156] rcu_core_si+0x18/0x30
[ 17.828190] handle_softirqs+0x374/0xb28
[ 17.828229] __do_softirq+0x1c/0x28
[ 17.828264]
[ 17.828282] Last potentially related work creation:
[ 17.828309] kasan_save_stack+0x3c/0x68
[ 17.828346] kasan_record_aux_stack+0xb4/0xc8
[ 17.828387] kmem_cache_free+0x120/0x468
[ 17.828424] kmem_cache_rcu_uaf+0x16c/0x468
[ 17.828463] kunit_try_run_case+0x170/0x3f0
[ 17.828502] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.828544] kthread+0x328/0x630
[ 17.828577] ret_from_fork+0x10/0x20
[ 17.828612]
[ 17.828631] The buggy address belongs to the object at fff00000c787e000
[ 17.828631] which belongs to the cache test_cache of size 200
[ 17.828691] The buggy address is located 0 bytes inside of
[ 17.828691] freed 200-byte region [fff00000c787e000, fff00000c787e0c8)
[ 17.828752]
[ 17.828775] The buggy address belongs to the physical page:
[ 17.828808] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10787e
[ 17.828867] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.828931] page_type: f5(slab)
[ 17.828973] raw: 0bfffe0000000000 fff00000c5905dc0 dead000000000122 0000000000000000
[ 17.829026] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 17.829068] page dumped because: kasan: bad access detected
[ 17.829100]
[ 17.829119] Memory state around the buggy address:
[ 17.829153] fff00000c787df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.829198] fff00000c787df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.829243] >fff00000c787e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.829283] ^
[ 17.829312] fff00000c787e080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 17.829355] fff00000c787e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.829395] ==================================================================
```
```
[ 17.805928] ==================================================================
[ 17.806048] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[ 17.806730] Read of size 1 at addr fff00000c666a000 by task kunit_try_catch/213
[ 17.806968]
[ 17.807290] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT
[ 17.807610] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 17.807711] Hardware name: linux,dummy-virt (DT)
[ 17.807877] Call trace:
[ 17.807914] show_stack+0x20/0x38 (C)
[ 17.808197] dump_stack_lvl+0x8c/0xd0
[ 17.808544] print_report+0x118/0x5d0
[ 17.808598] kasan_report+0xdc/0x128
[ 17.809140] __asan_report_load1_noabort+0x20/0x30
[ 17.809260] kmem_cache_rcu_uaf+0x388/0x468
[ 17.809315] kunit_try_run_case+0x170/0x3f0
[ 17.809455] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.809959] kthread+0x328/0x630
[ 17.810017] ret_from_fork+0x10/0x20
[ 17.810546]
[ 17.810573] Allocated by task 213:
[ 17.810615] kasan_save_stack+0x3c/0x68
[ 17.810920] kasan_save_track+0x20/0x40
[ 17.811249] kasan_save_alloc_info+0x40/0x58
[ 17.811434] __kasan_slab_alloc+0xa8/0xb0
[ 17.811770] kmem_cache_alloc_noprof+0x10c/0x398
[ 17.812035] kmem_cache_rcu_uaf+0x12c/0x468
[ 17.812086] kunit_try_run_case+0x170/0x3f0
[ 17.812124] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.812653] kthread+0x328/0x630
[ 17.812978] ret_from_fork+0x10/0x20
[ 17.813040]
[ 17.813059] Freed by task 0:
[ 17.813096] kasan_save_stack+0x3c/0x68
[ 17.813133] kasan_save_track+0x20/0x40
[ 17.813170] kasan_save_free_info+0x4c/0x78
[ 17.813213] __kasan_slab_free+0x6c/0x98
[ 17.813253] slab_free_after_rcu_debug+0xd4/0x2f8
[ 17.813470] rcu_core+0x9f4/0x1e20
[ 17.813941] rcu_core_si+0x18/0x30
[ 17.814005] handle_softirqs+0x374/0xb28
[ 17.814159] __do_softirq+0x1c/0x28
[ 17.814237]
[ 17.814274] Last potentially related work creation:
[ 17.814301] kasan_save_stack+0x3c/0x68
[ 17.814536] kasan_record_aux_stack+0xb4/0xc8
[ 17.814862] kmem_cache_free+0x120/0x468
[ 17.815113] kmem_cache_rcu_uaf+0x16c/0x468
[ 17.815166] kunit_try_run_case+0x170/0x3f0
[ 17.815207] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 17.815585] kthread+0x328/0x630
[ 17.815640] ret_from_fork+0x10/0x20
[ 17.815676]
[ 17.815697] The buggy address belongs to the object at fff00000c666a000
[ 17.815697] which belongs to the cache test_cache of size 200
[ 17.816070] The buggy address is located 0 bytes inside of
[ 17.816070] freed 200-byte region [fff00000c666a000, fff00000c666a0c8)
[ 17.816138]
[ 17.816163] The buggy address belongs to the physical page:
[ 17.816592] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10666a
[ 17.816692] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 17.816816] page_type: f5(slab)
[ 17.817072] raw: 0bfffe0000000000 fff00000c6670140 dead000000000122 0000000000000000
[ 17.817455] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 17.817676] page dumped because: kasan: bad access detected
[ 17.817715]
[ 17.817733] Memory state around the buggy address:
[ 17.817810] fff00000c6669f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 17.817880] fff00000c6669f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 17.817933] >fff00000c666a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 17.817972] ^
[ 17.818427] fff00000c666a080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 17.818858] fff00000c666a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.818942] ==================================================================
```
```
[ 13.465446] ==================================================================
[ 13.465981] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[ 13.466836] Read of size 1 at addr ffff888103156000 by task kunit_try_catch/231
[ 13.467170]
[ 13.467294] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary)
[ 13.467364] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.467377] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.467410] Call Trace:
[ 13.467424] <TASK>
[ 13.467444] dump_stack_lvl+0x73/0xb0
[ 13.467734] print_report+0xd1/0x610
[ 13.467760] ? __virt_addr_valid+0x1db/0x2d0
[ 13.467785] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 13.467807] ? kasan_complete_mode_report_info+0x64/0x200
[ 13.467830] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 13.467853] kasan_report+0x141/0x180
[ 13.467874] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 13.467903] __asan_report_load1_noabort+0x18/0x20
[ 13.467927] kmem_cache_rcu_uaf+0x3e3/0x510
[ 13.467950] ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[ 13.467973] ? finish_task_switch.isra.0+0x153/0x700
[ 13.467996] ? __switch_to+0x47/0xf50
[ 13.468028] ? __pfx_read_tsc+0x10/0x10
[ 13.468049] ? ktime_get_ts64+0x86/0x230
[ 13.468075] kunit_try_run_case+0x1a5/0x480
[ 13.468100] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.468123] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.468148] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.468171] ? __kthread_parkme+0x82/0x180
[ 13.468192] ? preempt_count_sub+0x50/0x80
[ 13.468216] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.468239] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.468262] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.468286] kthread+0x337/0x6f0
[ 13.468306] ? trace_preempt_on+0x20/0xc0
[ 13.468330] ? __pfx_kthread+0x10/0x10
[ 13.468351] ? _raw_spin_unlock_irq+0x47/0x80
[ 13.468371] ? calculate_sigpending+0x7b/0xa0
[ 13.468409] ? __pfx_kthread+0x10/0x10
[ 13.468432] ret_from_fork+0x116/0x1d0
[ 13.468451] ? __pfx_kthread+0x10/0x10
[ 13.468471] ret_from_fork_asm+0x1a/0x30
[ 13.468504] </TASK>
[ 13.468515]
[ 13.477930] Allocated by task 231:
[ 13.478073] kasan_save_stack+0x45/0x70
[ 13.478287] kasan_save_track+0x18/0x40
[ 13.478493] kasan_save_alloc_info+0x3b/0x50
[ 13.478761] __kasan_slab_alloc+0x91/0xa0
[ 13.478960] kmem_cache_alloc_noprof+0x123/0x3f0
[ 13.479157] kmem_cache_rcu_uaf+0x155/0x510
[ 13.479305] kunit_try_run_case+0x1a5/0x480
[ 13.479602] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.479960] kthread+0x337/0x6f0
[ 13.480189] ret_from_fork+0x116/0x1d0
[ 13.480385] ret_from_fork_asm+0x1a/0x30
[ 13.480558]
[ 13.480649] Freed by task 0:
[ 13.480934] kasan_save_stack+0x45/0x70
[ 13.481219] kasan_save_track+0x18/0x40
[ 13.481420] kasan_save_free_info+0x3f/0x60
[ 13.481640] __kasan_slab_free+0x56/0x70
[ 13.481904] slab_free_after_rcu_debug+0xe4/0x310
[ 13.482471] rcu_core+0x66f/0x1c40
[ 13.482739] rcu_core_si+0x12/0x20
[ 13.482968] handle_softirqs+0x209/0x730
[ 13.483167] __irq_exit_rcu+0xc9/0x110
[ 13.483462] irq_exit_rcu+0x12/0x20
[ 13.483650] sysvec_apic_timer_interrupt+0x81/0x90
[ 13.483893] asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 13.484249]
[ 13.484340] Last potentially related work creation:
[ 13.484586] kasan_save_stack+0x45/0x70
[ 13.484743] kasan_record_aux_stack+0xb2/0xc0
[ 13.485138] kmem_cache_free+0x131/0x420
[ 13.485320] kmem_cache_rcu_uaf+0x194/0x510
[ 13.485616] kunit_try_run_case+0x1a5/0x480
[ 13.485845] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.486088] kthread+0x337/0x6f0
[ 13.486224] ret_from_fork+0x116/0x1d0
[ 13.486420] ret_from_fork_asm+0x1a/0x30
[ 13.486691]
[ 13.486780] The buggy address belongs to the object at ffff888103156000
[ 13.486780] which belongs to the cache test_cache of size 200
[ 13.487473] The buggy address is located 0 bytes inside of
[ 13.487473] freed 200-byte region [ffff888103156000, ffff8881031560c8)
[ 13.488092]
[ 13.488255] The buggy address belongs to the physical page:
[ 13.488491] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103156
[ 13.489059] flags: 0x200000000000000(node=0|zone=2)
[ 13.489407] page_type: f5(slab)
[ 13.489584] raw: 0200000000000000 ffff888103153000 dead000000000122 0000000000000000
[ 13.489985] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 13.490434] page dumped because: kasan: bad access detected
[ 13.490781]
[ 13.490949] Memory state around the buggy address:
[ 13.491185] ffff888103155f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.491474] ffff888103155f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.491869] >ffff888103156000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.492212] ^
[ 13.492388] ffff888103156080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 13.492795] ffff888103156100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.493213] ==================================================================
```
```
[ 13.562237] ==================================================================
[ 13.563438] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[ 13.564085] Read of size 1 at addr ffff888102a5a000 by task kunit_try_catch/230
[ 13.564436]
[ 13.564536] CPU: 0 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7 #1 PREEMPT(voluntary)
[ 13.564584] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.564596] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.564618] Call Trace:
[ 13.564633] <TASK>
[ 13.564652] dump_stack_lvl+0x73/0xb0
[ 13.564684] print_report+0xd1/0x610
[ 13.564706] ? __virt_addr_valid+0x1db/0x2d0
[ 13.564731] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 13.564752] ? kasan_complete_mode_report_info+0x64/0x200
[ 13.564774] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 13.564796] kasan_report+0x141/0x180
[ 13.564817] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 13.564843] __asan_report_load1_noabort+0x18/0x20
[ 13.564866] kmem_cache_rcu_uaf+0x3e3/0x510
[ 13.564888] ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[ 13.564909] ? finish_task_switch.isra.0+0x153/0x700
[ 13.564933] ? __switch_to+0x47/0xf50
[ 13.564962] ? __pfx_read_tsc+0x10/0x10
[ 13.564982] ? ktime_get_ts64+0x86/0x230
[ 13.565007] kunit_try_run_case+0x1a5/0x480
[ 13.565033] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.565055] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.565079] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.565101] ? __kthread_parkme+0x82/0x180
[ 13.565121] ? preempt_count_sub+0x50/0x80
[ 13.565143] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.565178] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.565200] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.565223] kthread+0x337/0x6f0
[ 13.565242] ? trace_preempt_on+0x20/0xc0
[ 13.565266] ? __pfx_kthread+0x10/0x10
[ 13.565285] ? _raw_spin_unlock_irq+0x47/0x80
[ 13.565306] ? calculate_sigpending+0x7b/0xa0
[ 13.565329] ? __pfx_kthread+0x10/0x10
[ 13.565350] ret_from_fork+0x116/0x1d0
[ 13.565368] ? __pfx_kthread+0x10/0x10
[ 13.565388] ret_from_fork_asm+0x1a/0x30
[ 13.565418] </TASK>
[ 13.565429]
[ 13.572735] Allocated by task 230:
[ 13.572991] kasan_save_stack+0x45/0x70
[ 13.573209] kasan_save_track+0x18/0x40
[ 13.573409] kasan_save_alloc_info+0x3b/0x50
[ 13.573613] __kasan_slab_alloc+0x91/0xa0
[ 13.573756] kmem_cache_alloc_noprof+0x123/0x3f0
[ 13.573983] kmem_cache_rcu_uaf+0x155/0x510
[ 13.574218] kunit_try_run_case+0x1a5/0x480
[ 13.574465] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.574716] kthread+0x337/0x6f0
[ 13.574960] ret_from_fork+0x116/0x1d0
[ 13.575140] ret_from_fork_asm+0x1a/0x30
[ 13.575292]
[ 13.575383] Freed by task 0:
[ 13.575495] kasan_save_stack+0x45/0x70
[ 13.575634] kasan_save_track+0x18/0x40
[ 13.575788] kasan_save_free_info+0x3f/0x60
[ 13.576090] __kasan_slab_free+0x56/0x70
[ 13.576303] slab_free_after_rcu_debug+0xe4/0x310
[ 13.576558] rcu_core+0x66f/0x1c40
[ 13.576737] rcu_core_si+0x12/0x20
[ 13.577213] handle_softirqs+0x209/0x730
[ 13.577424] __irq_exit_rcu+0xc9/0x110
[ 13.577644] irq_exit_rcu+0x12/0x20
[ 13.577915] sysvec_apic_timer_interrupt+0x81/0x90
[ 13.578135] asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 13.578399]
[ 13.578492] Last potentially related work creation:
[ 13.578702] kasan_save_stack+0x45/0x70
[ 13.578957] kasan_record_aux_stack+0xb2/0xc0
[ 13.579140] kmem_cache_free+0x131/0x420
[ 13.579365] kmem_cache_rcu_uaf+0x194/0x510
[ 13.579544] kunit_try_run_case+0x1a5/0x480
[ 13.579749] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.580066] kthread+0x337/0x6f0
[ 13.580247] ret_from_fork+0x116/0x1d0
[ 13.580462] ret_from_fork_asm+0x1a/0x30
[ 13.580616]
[ 13.580689] The buggy address belongs to the object at ffff888102a5a000
[ 13.580689] which belongs to the cache test_cache of size 200
[ 13.581125] The buggy address is located 0 bytes inside of
[ 13.581125] freed 200-byte region [ffff888102a5a000, ffff888102a5a0c8)
[ 13.581697]
[ 13.581795] The buggy address belongs to the physical page:
[ 13.582109] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a5a
[ 13.582389] flags: 0x200000000000000(node=0|zone=2)
[ 13.582632] page_type: f5(slab)
[ 13.582806] raw: 0200000000000000 ffff888101231dc0 dead000000000122 0000000000000000
[ 13.583566] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 13.583992] page dumped because: kasan: bad access detected
[ 13.584219]
[ 13.584291] Memory state around the buggy address:
[ 13.584550] ffff888102a59f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.585084] ffff888102a59f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.585419] >ffff888102a5a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 13.585710] ^
[ 13.585860] ffff888102a5a080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 13.586153] ffff888102a5a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.586443] ==================================================================
```