Date
July 11, 2025, 10:11 a.m.
| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
```
[ 51.509089] ==================================================================
[ 51.509284] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[ 51.509418] Read of size 1 at addr ffff000801b74000 by task kunit_try_catch/297
[ 51.512800]
[ 51.514289] CPU: 4 UID: 0 PID: 297 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 51.514346] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 51.514363] Hardware name: WinLink E850-96 board (DT)
[ 51.514386] Call trace:
[ 51.514401] show_stack+0x20/0x38 (C)
[ 51.514438] dump_stack_lvl+0x8c/0xd0
[ 51.514470] print_report+0x118/0x5d0
[ 51.514501] kasan_report+0xdc/0x128
[ 51.514531] __asan_report_load1_noabort+0x20/0x30
[ 51.514567] kmem_cache_rcu_uaf+0x388/0x468
[ 51.514602] kunit_try_run_case+0x170/0x3f0
[ 51.514639] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 51.514675] kthread+0x328/0x630
[ 51.514703] ret_from_fork+0x10/0x20
[ 51.514738]
[ 51.578339] Allocated by task 297:
[ 51.581725] kasan_save_stack+0x3c/0x68
[ 51.585542] kasan_save_track+0x20/0x40
[ 51.589362] kasan_save_alloc_info+0x40/0x58
[ 51.593615] __kasan_slab_alloc+0xa8/0xb0
[ 51.597608] kmem_cache_alloc_noprof+0x10c/0x398
[ 51.602209] kmem_cache_rcu_uaf+0x12c/0x468
[ 51.606376] kunit_try_run_case+0x170/0x3f0
[ 51.610542] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 51.616012] kthread+0x328/0x630
[ 51.619223] ret_from_fork+0x10/0x20
[ 51.622781]
[ 51.624258] Freed by task 0:
[ 51.627124] kasan_save_stack+0x3c/0x68
[ 51.630941] kasan_save_track+0x20/0x40
[ 51.634760] kasan_save_free_info+0x4c/0x78
[ 51.638927] __kasan_slab_free+0x6c/0x98
[ 51.642833] slab_free_after_rcu_debug+0xd4/0x2f8
[ 51.647521] rcu_core+0x9f4/0x1e20
[ 51.650906] rcu_core_si+0x18/0x30
[ 51.654292] handle_softirqs+0x374/0xb28
[ 51.658197] __do_softirq+0x1c/0x28
[ 51.661670]
[ 51.663147] Last potentially related work creation:
[ 51.668008] kasan_save_stack+0x3c/0x68
[ 51.671826] kasan_record_aux_stack+0xb4/0xc8
[ 51.676168] kmem_cache_free+0x120/0x468
[ 51.680072] kmem_cache_rcu_uaf+0x16c/0x468
[ 51.684239] kunit_try_run_case+0x170/0x3f0
[ 51.688406] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 51.693874] kthread+0x328/0x630
[ 51.697086] ret_from_fork+0x10/0x20
[ 51.700645]
[ 51.702120] The buggy address belongs to the object at ffff000801b74000
[ 51.702120] which belongs to the cache test_cache of size 200
[ 51.714537] The buggy address is located 0 bytes inside of
[ 51.714537] freed 200-byte region [ffff000801b74000, ffff000801b740c8)
[ 51.726603]
[ 51.728079] The buggy address belongs to the physical page:
[ 51.733635] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881b74
[ 51.741619] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 51.749258] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 51.756201] page_type: f5(slab)
[ 51.759337] raw: 0bfffe0000000040 ffff000801b70140 dead000000000122 0000000000000000
[ 51.767057] raw: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[ 51.774785] head: 0bfffe0000000040 ffff000801b70140 dead000000000122 0000000000000000
[ 51.782595] head: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[ 51.790408] head: 0bfffe0000000001 fffffdffe006dd01 00000000ffffffff 00000000ffffffff
[ 51.798220] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 51.806025] page dumped because: kasan: bad access detected
[ 51.811581]
[ 51.813056] Memory state around the buggy address:
[ 51.817837] ffff000801b73f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 51.825039] ffff000801b73f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 51.832246] >ffff000801b74000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.839446] ^
[ 51.842660] ffff000801b74080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 51.849865] ffff000801b74100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 51.857068] ==================================================================
```
```
[ 31.574754] ==================================================================
[ 31.575311] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[ 31.576268] Read of size 1 at addr fff00000c9ad8000 by task kunit_try_catch/244
[ 31.576334]
[ 31.576381] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT
[ 31.576606] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.576657] Hardware name: linux,dummy-virt (DT)
[ 31.577268] Call trace:
[ 31.577299] show_stack+0x20/0x38 (C)
[ 31.577368] dump_stack_lvl+0x8c/0xd0
[ 31.578058] print_report+0x118/0x5d0
[ 31.578110] kasan_report+0xdc/0x128
[ 31.578258] __asan_report_load1_noabort+0x20/0x30
[ 31.578346] kmem_cache_rcu_uaf+0x388/0x468
[ 31.578860] kunit_try_run_case+0x170/0x3f0
[ 31.579283] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.579489] kthread+0x328/0x630
[ 31.580552] ret_from_fork+0x10/0x20
[ 31.580670]
[ 31.580691] Allocated by task 244:
[ 31.580725] kasan_save_stack+0x3c/0x68
[ 31.581439] kasan_save_track+0x20/0x40
[ 31.581491] kasan_save_alloc_info+0x40/0x58
[ 31.581797] __kasan_slab_alloc+0xa8/0xb0
[ 31.581865] kmem_cache_alloc_noprof+0x10c/0x398
[ 31.581914] kmem_cache_rcu_uaf+0x12c/0x468
[ 31.582076] kunit_try_run_case+0x170/0x3f0
[ 31.582127] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.582180] kthread+0x328/0x630
[ 31.582228] ret_from_fork+0x10/0x20
[ 31.582319]
[ 31.582490] Freed by task 0:
[ 31.582700] kasan_save_stack+0x3c/0x68
[ 31.582977] kasan_save_track+0x20/0x40
[ 31.583217] kasan_save_free_info+0x4c/0x78
[ 31.583444] __kasan_slab_free+0x6c/0x98
[ 31.583588] slab_free_after_rcu_debug+0xd4/0x2f8
[ 31.583631] rcu_core+0x9f4/0x1e20
[ 31.583671] rcu_core_si+0x18/0x30
[ 31.583708] handle_softirqs+0x374/0xb28
[ 31.583746] __do_softirq+0x1c/0x28
[ 31.584134]
[ 31.584180] Last potentially related work creation:
[ 31.584209] kasan_save_stack+0x3c/0x68
[ 31.584457] kasan_record_aux_stack+0xb4/0xc8
[ 31.584502] kmem_cache_free+0x120/0x468
[ 31.584901] kmem_cache_rcu_uaf+0x16c/0x468
[ 31.585088] kunit_try_run_case+0x170/0x3f0
[ 31.585131] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.585263] kthread+0x328/0x630
[ 31.585303] ret_from_fork+0x10/0x20
[ 31.585391]
[ 31.585540] The buggy address belongs to the object at fff00000c9ad8000
[ 31.585540] which belongs to the cache test_cache of size 200
[ 31.585682] The buggy address is located 0 bytes inside of
[ 31.585682] freed 200-byte region [fff00000c9ad8000, fff00000c9ad80c8)
[ 31.585940]
[ 31.586143] The buggy address belongs to the physical page:
[ 31.586269] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109ad8
[ 31.586750] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 31.587087] page_type: f5(slab)
[ 31.587146] raw: 0bfffe0000000000 fff00000c3e18780 dead000000000122 0000000000000000
[ 31.587199] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 31.587392] page dumped because: kasan: bad access detected
[ 31.587428]
[ 31.587462] Memory state around the buggy address:
[ 31.587497] fff00000c9ad7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.587549] fff00000c9ad7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.587592] >fff00000c9ad8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.587630] ^
[ 31.587658] fff00000c9ad8080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 31.587700] fff00000c9ad8100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.588146] ==================================================================
```
```
[ 24.569601] ==================================================================
[ 24.570162] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[ 24.570508] Read of size 1 at addr ffff888104cbf000 by task kunit_try_catch/263
[ 24.570822]
[ 24.570917] CPU: 0 UID: 0 PID: 263 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary)
[ 24.570974] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.570987] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.571011] Call Trace:
[ 24.571026] <TASK>
[ 24.571047] dump_stack_lvl+0x73/0xb0
[ 24.571082] print_report+0xd1/0x610
[ 24.571104] ? __virt_addr_valid+0x1db/0x2d0
[ 24.571131] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 24.571154] ? kasan_complete_mode_report_info+0x64/0x200
[ 24.571180] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 24.571203] kasan_report+0x141/0x180
[ 24.571226] ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 24.571253] __asan_report_load1_noabort+0x18/0x20
[ 24.571276] kmem_cache_rcu_uaf+0x3e3/0x510
[ 24.571299] ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[ 24.571322] ? finish_task_switch.isra.0+0x153/0x700
[ 24.571345] ? __switch_to+0x47/0xf80
[ 24.571375] ? __pfx_read_tsc+0x10/0x10
[ 24.571399] ? ktime_get_ts64+0x86/0x230
[ 24.571427] kunit_try_run_case+0x1a5/0x480
[ 24.571453] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.571474] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 24.571521] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.571548] ? __kthread_parkme+0x82/0x180
[ 24.571569] ? preempt_count_sub+0x50/0x80
[ 24.571592] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.571614] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.571639] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.571666] kthread+0x337/0x6f0
[ 24.571686] ? trace_preempt_on+0x20/0xc0
[ 24.571711] ? __pfx_kthread+0x10/0x10
[ 24.571743] ? _raw_spin_unlock_irq+0x47/0x80
[ 24.571764] ? calculate_sigpending+0x7b/0xa0
[ 24.571790] ? __pfx_kthread+0x10/0x10
[ 24.571811] ret_from_fork+0x116/0x1d0
[ 24.571831] ? __pfx_kthread+0x10/0x10
[ 24.571853] ret_from_fork_asm+0x1a/0x30
[ 24.571884] </TASK>
[ 24.571897]
[ 24.579333] Allocated by task 263:
[ 24.579509] kasan_save_stack+0x45/0x70
[ 24.579718] kasan_save_track+0x18/0x40
[ 24.579881] kasan_save_alloc_info+0x3b/0x50
[ 24.580158] __kasan_slab_alloc+0x91/0xa0
[ 24.580294] kmem_cache_alloc_noprof+0x123/0x3f0
[ 24.580538] kmem_cache_rcu_uaf+0x155/0x510
[ 24.580765] kunit_try_run_case+0x1a5/0x480
[ 24.580962] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.581199] kthread+0x337/0x6f0
[ 24.581604] ret_from_fork+0x116/0x1d0
[ 24.581765] ret_from_fork_asm+0x1a/0x30
[ 24.581904]
[ 24.581969] Freed by task 0:
[ 24.582113] kasan_save_stack+0x45/0x70
[ 24.582396] kasan_save_track+0x18/0x40
[ 24.582808] kasan_save_free_info+0x3f/0x60
[ 24.583081] __kasan_slab_free+0x56/0x70
[ 24.583261] slab_free_after_rcu_debug+0xe4/0x310
[ 24.583497] rcu_core+0x66f/0x1c40
[ 24.583830] rcu_core_si+0x12/0x20
[ 24.584001] handle_softirqs+0x209/0x730
[ 24.584136] __irq_exit_rcu+0xc9/0x110
[ 24.584273] irq_exit_rcu+0x12/0x20
[ 24.584478] sysvec_apic_timer_interrupt+0x81/0x90
[ 24.584707] asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 24.584887]
[ 24.584954] Last potentially related work creation:
[ 24.585555] kasan_save_stack+0x45/0x70
[ 24.585761] kasan_record_aux_stack+0xb2/0xc0
[ 24.585962] kmem_cache_free+0x131/0x420
[ 24.586145] kmem_cache_rcu_uaf+0x194/0x510
[ 24.586330] kunit_try_run_case+0x1a5/0x480
[ 24.587226] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.587432] kthread+0x337/0x6f0
[ 24.587554] ret_from_fork+0x116/0x1d0
[ 24.587680] ret_from_fork_asm+0x1a/0x30
[ 24.587979]
[ 24.588076] The buggy address belongs to the object at ffff888104cbf000
[ 24.588076] which belongs to the cache test_cache of size 200
[ 24.588663] The buggy address is located 0 bytes inside of
[ 24.588663] freed 200-byte region [ffff888104cbf000, ffff888104cbf0c8)
[ 24.589251]
[ 24.589325] The buggy address belongs to the physical page:
[ 24.590500] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104cbf
[ 24.590812] flags: 0x200000000000000(node=0|zone=2)
[ 24.591509] page_type: f5(slab)
[ 24.592067] raw: 0200000000000000 ffff888101b22780 dead000000000122 0000000000000000
[ 24.592461] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 24.592921] page dumped because: kasan: bad access detected
[ 24.593229]
[ 24.593352] Memory state around the buggy address:
[ 24.593837] ffff888104cbef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.594205] ffff888104cbef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.594661] >ffff888104cbf000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.594996] ^
[ 24.595139] ffff888104cbf080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 24.595418] ffff888104cbf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.596131] ==================================================================
```