Hay
Date: July 11, 2025, 10:11 a.m.

Environment: e850-96, qemu-arm64, qemu-x86_64

[   42.933526] ==================================================================
[   42.943331] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   42.949922] Read of size 1 at addr ffff0008030fd200 by task kunit_try_catch/248
[   42.957213] 
[   42.958700] CPU: 3 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250711 #1 PREEMPT 
[   42.958761] Tainted: [B]=BAD_PAGE, [N]=TEST
[   42.958776] Hardware name: WinLink E850-96 board (DT)
[   42.958796] Call trace:
[   42.958809]  show_stack+0x20/0x38 (C)
[   42.958844]  dump_stack_lvl+0x8c/0xd0
[   42.958874]  print_report+0x118/0x5d0
[   42.958901]  kasan_report+0xdc/0x128
[   42.958929]  __kasan_check_byte+0x54/0x70
[   42.958965]  krealloc_noprof+0x44/0x360
[   42.959002]  krealloc_uaf+0x180/0x520
[   42.959033]  kunit_try_run_case+0x170/0x3f0
[   42.959072]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   42.959104]  kthread+0x328/0x630
[   42.959135]  ret_from_fork+0x10/0x20
[   42.959171] 
[   43.025270] Allocated by task 248:
[   43.028657]  kasan_save_stack+0x3c/0x68
[   43.032473]  kasan_save_track+0x20/0x40
[   43.036294]  kasan_save_alloc_info+0x40/0x58
[   43.040546]  __kasan_kmalloc+0xd4/0xd8
[   43.044278]  __kmalloc_cache_noprof+0x16c/0x3c0
[   43.048792]  krealloc_uaf+0xc8/0x520
[   43.052351]  kunit_try_run_case+0x170/0x3f0
[   43.056518]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   43.061986]  kthread+0x328/0x630
[   43.065198]  ret_from_fork+0x10/0x20
[   43.068757] 
[   43.070234] Freed by task 248:
[   43.073273]  kasan_save_stack+0x3c/0x68
[   43.077090]  kasan_save_track+0x20/0x40
[   43.080908]  kasan_save_free_info+0x4c/0x78
[   43.085076]  __kasan_slab_free+0x6c/0x98
[   43.088984]  kfree+0x214/0x3c8
[   43.092020]  krealloc_uaf+0x12c/0x520
[   43.095666]  kunit_try_run_case+0x170/0x3f0
[   43.099833]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   43.105302]  kthread+0x328/0x630
[   43.108513]  ret_from_fork+0x10/0x20
[   43.112072] 
[   43.113550] The buggy address belongs to the object at ffff0008030fd200
[   43.113550]  which belongs to the cache kmalloc-256 of size 256
[   43.126052] The buggy address is located 0 bytes inside of
[   43.126052]  freed 256-byte region [ffff0008030fd200, ffff0008030fd300)
[   43.138115] 
[   43.139593] The buggy address belongs to the physical page:
[   43.145149] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8830fc
[   43.153133] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   43.160772] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   43.167714] page_type: f5(slab)
[   43.170853] raw: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   43.178571] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   43.186298] head: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   43.194109] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   43.201922] head: 0bfffe0000000002 fffffdffe00c3f01 00000000ffffffff 00000000ffffffff
[   43.209734] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   43.217539] page dumped because: kasan: bad access detected
[   43.223094] 
[   43.224570] Memory state around the buggy address:
[   43.229352]  ffff0008030fd100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.236553]  ffff0008030fd180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.243758] >ffff0008030fd200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.250959]                    ^
[   43.254175]  ffff0008030fd280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.261379]  ffff0008030fd300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.268582] ==================================================================
[   43.275964] ==================================================================
[   43.283000] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   43.289587] Read of size 1 at addr ffff0008030fd200 by task kunit_try_catch/248
[   43.296879] 
[   43.298363] CPU: 3 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250711 #1 PREEMPT 
[   43.298416] Tainted: [B]=BAD_PAGE, [N]=TEST
[   43.298431] Hardware name: WinLink E850-96 board (DT)
[   43.298452] Call trace:
[   43.298467]  show_stack+0x20/0x38 (C)
[   43.298498]  dump_stack_lvl+0x8c/0xd0
[   43.298531]  print_report+0x118/0x5d0
[   43.298558]  kasan_report+0xdc/0x128
[   43.298585]  __asan_report_load1_noabort+0x20/0x30
[   43.298614]  krealloc_uaf+0x4c8/0x520
[   43.298644]  kunit_try_run_case+0x170/0x3f0
[   43.298681]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   43.298713]  kthread+0x328/0x630
[   43.298741]  ret_from_fork+0x10/0x20
[   43.298776] 
[   43.361894] Allocated by task 248:
[   43.365283]  kasan_save_stack+0x3c/0x68
[   43.369100]  kasan_save_track+0x20/0x40
[   43.372919]  kasan_save_alloc_info+0x40/0x58
[   43.377172]  __kasan_kmalloc+0xd4/0xd8
[   43.380905]  __kmalloc_cache_noprof+0x16c/0x3c0
[   43.385419]  krealloc_uaf+0xc8/0x520
[   43.388978]  kunit_try_run_case+0x170/0x3f0
[   43.393145]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   43.398613]  kthread+0x328/0x630
[   43.401825]  ret_from_fork+0x10/0x20
[   43.405384] 
[   43.406860] Freed by task 248:
[   43.409899]  kasan_save_stack+0x3c/0x68
[   43.413717]  kasan_save_track+0x20/0x40
[   43.417536]  kasan_save_free_info+0x4c/0x78
[   43.421703]  __kasan_slab_free+0x6c/0x98
[   43.425609]  kfree+0x214/0x3c8
[   43.428648]  krealloc_uaf+0x12c/0x520
[   43.432293]  kunit_try_run_case+0x170/0x3f0
[   43.436460]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   43.441928]  kthread+0x328/0x630
[   43.445140]  ret_from_fork+0x10/0x20
[   43.448699] 
[   43.450175] The buggy address belongs to the object at ffff0008030fd200
[   43.450175]  which belongs to the cache kmalloc-256 of size 256
[   43.462677] The buggy address is located 0 bytes inside of
[   43.462677]  freed 256-byte region [ffff0008030fd200, ffff0008030fd300)
[   43.474740] 
[   43.476220] The buggy address belongs to the physical page:
[   43.481776] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8830fc
[   43.489759] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   43.497399] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   43.504342] page_type: f5(slab)
[   43.507476] raw: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   43.515198] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   43.522924] head: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   43.530736] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   43.538549] head: 0bfffe0000000002 fffffdffe00c3f01 00000000ffffffff 00000000ffffffff
[   43.546361] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   43.554166] page dumped because: kasan: bad access detected
[   43.559721] 
[   43.561197] Memory state around the buggy address:
[   43.565977]  ffff0008030fd100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.573180]  ffff0008030fd180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.580385] >ffff0008030fd200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.587586]                    ^
[   43.590801]  ffff0008030fd280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.598006]  ffff0008030fd300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.605207] ==================================================================

[   30.298998] ==================================================================
[   30.299096] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   30.299220] Read of size 1 at addr fff00000c9554c00 by task kunit_try_catch/195
[   30.299364] 
[   30.299483] CPU: 1 UID: 0 PID: 195 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250711 #1 PREEMPT 
[   30.299858] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.299884] Hardware name: linux,dummy-virt (DT)
[   30.299990] Call trace:
[   30.300115]  show_stack+0x20/0x38 (C)
[   30.300166]  dump_stack_lvl+0x8c/0xd0
[   30.300218]  print_report+0x118/0x5d0
[   30.300597]  kasan_report+0xdc/0x128
[   30.300983]  __kasan_check_byte+0x54/0x70
[   30.301127]  krealloc_noprof+0x44/0x360
[   30.301354]  krealloc_uaf+0x180/0x520
[   30.301462]  kunit_try_run_case+0x170/0x3f0
[   30.301707]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.301768]  kthread+0x328/0x630
[   30.301810]  ret_from_fork+0x10/0x20
[   30.301986] 
[   30.302007] Allocated by task 195:
[   30.302036]  kasan_save_stack+0x3c/0x68
[   30.302080]  kasan_save_track+0x20/0x40
[   30.302117]  kasan_save_alloc_info+0x40/0x58
[   30.302179]  __kasan_kmalloc+0xd4/0xd8
[   30.302291]  __kmalloc_cache_noprof+0x16c/0x3c0
[   30.302354]  krealloc_uaf+0xc8/0x520
[   30.302399]  kunit_try_run_case+0x170/0x3f0
[   30.302520]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.302559]  kthread+0x328/0x630
[   30.302591]  ret_from_fork+0x10/0x20
[   30.302625] 
[   30.302644] Freed by task 195:
[   30.302893]  kasan_save_stack+0x3c/0x68
[   30.302970]  kasan_save_track+0x20/0x40
[   30.303055]  kasan_save_free_info+0x4c/0x78
[   30.303172]  __kasan_slab_free+0x6c/0x98
[   30.303227]  kfree+0x214/0x3c8
[   30.303270]  krealloc_uaf+0x12c/0x520
[   30.303481]  kunit_try_run_case+0x170/0x3f0
[   30.303520]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.303559]  kthread+0x328/0x630
[   30.303597]  ret_from_fork+0x10/0x20
[   30.303869] 
[   30.303892] The buggy address belongs to the object at fff00000c9554c00
[   30.303892]  which belongs to the cache kmalloc-256 of size 256
[   30.304218] The buggy address is located 0 bytes inside of
[   30.304218]  freed 256-byte region [fff00000c9554c00, fff00000c9554d00)
[   30.304280] 
[   30.304313] The buggy address belongs to the physical page:
[   30.304392] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109554
[   30.304819] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   30.305075] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   30.305135] page_type: f5(slab)
[   30.305178] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000100 dead000000000122
[   30.305238] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   30.305285] head: 0bfffe0000000040 fff00000c0001b40 dead000000000100 dead000000000122
[   30.305457] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   30.305541] head: 0bfffe0000000001 ffffc1ffc3255501 00000000ffffffff 00000000ffffffff
[   30.305677] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   30.305717] page dumped because: kasan: bad access detected
[   30.305784] 
[   30.306008] Memory state around the buggy address:
[   30.306121]  fff00000c9554b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.306163]  fff00000c9554b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.306209] >fff00000c9554c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.306456]                    ^
[   30.306636]  fff00000c9554c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.306684]  fff00000c9554d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.306720] ==================================================================
[   30.307742] ==================================================================
[   30.307794] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   30.308072] Read of size 1 at addr fff00000c9554c00 by task kunit_try_catch/195
[   30.308405] 
[   30.308449] CPU: 1 UID: 0 PID: 195 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250711 #1 PREEMPT 
[   30.308534] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.308566] Hardware name: linux,dummy-virt (DT)
[   30.308721] Call trace:
[   30.308743]  show_stack+0x20/0x38 (C)
[   30.308793]  dump_stack_lvl+0x8c/0xd0
[   30.308841]  print_report+0x118/0x5d0
[   30.308883]  kasan_report+0xdc/0x128
[   30.308925]  __asan_report_load1_noabort+0x20/0x30
[   30.308972]  krealloc_uaf+0x4c8/0x520
[   30.309016]  kunit_try_run_case+0x170/0x3f0
[   30.309063]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.309113]  kthread+0x328/0x630
[   30.309153]  ret_from_fork+0x10/0x20
[   30.309199] 
[   30.309224] Allocated by task 195:
[   30.309556]  kasan_save_stack+0x3c/0x68
[   30.309827]  kasan_save_track+0x20/0x40
[   30.309870]  kasan_save_alloc_info+0x40/0x58
[   30.309906]  __kasan_kmalloc+0xd4/0xd8
[   30.310115]  __kmalloc_cache_noprof+0x16c/0x3c0
[   30.310184]  krealloc_uaf+0xc8/0x520
[   30.310256]  kunit_try_run_case+0x170/0x3f0
[   30.310295]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.310347]  kthread+0x328/0x630
[   30.310380]  ret_from_fork+0x10/0x20
[   30.310415] 
[   30.310434] Freed by task 195:
[   30.310467]  kasan_save_stack+0x3c/0x68
[   30.310648]  kasan_save_track+0x20/0x40
[   30.310774]  kasan_save_free_info+0x4c/0x78
[   30.310810]  __kasan_slab_free+0x6c/0x98
[   30.310947]  kfree+0x214/0x3c8
[   30.310981]  krealloc_uaf+0x12c/0x520
[   30.311031]  kunit_try_run_case+0x170/0x3f0
[   30.311231]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.311297]  kthread+0x328/0x630
[   30.311345]  ret_from_fork+0x10/0x20
[   30.311379] 
[   30.311398] The buggy address belongs to the object at fff00000c9554c00
[   30.311398]  which belongs to the cache kmalloc-256 of size 256
[   30.311621] The buggy address is located 0 bytes inside of
[   30.311621]  freed 256-byte region [fff00000c9554c00, fff00000c9554d00)
[   30.311687] 
[   30.311706] The buggy address belongs to the physical page:
[   30.311955] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109554
[   30.312289] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   30.312626] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   30.312702] page_type: f5(slab)
[   30.313066] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000100 dead000000000122
[   30.313677] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   30.313781] head: 0bfffe0000000040 fff00000c0001b40 dead000000000100 dead000000000122
[   30.313828] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   30.313896] head: 0bfffe0000000001 ffffc1ffc3255501 00000000ffffffff 00000000ffffffff
[   30.313943] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   30.314077] page dumped because: kasan: bad access detected
[   30.314795] 
[   30.314846] Memory state around the buggy address:
[   30.314943]  fff00000c9554b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.315009]  fff00000c9554b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.315059] >fff00000c9554c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.315095]                    ^
[   30.315124]  fff00000c9554c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.315164]  fff00000c9554d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.315199] ==================================================================

[   23.682599] ==================================================================
[   23.682894] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[   23.683138] Read of size 1 at addr ffff888100a16c00 by task kunit_try_catch/214
[   23.683754] 
[   23.683877] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary) 
[   23.683927] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.683938] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.683982] Call Trace:
[   23.683997]  <TASK>
[   23.684012]  dump_stack_lvl+0x73/0xb0
[   23.684046]  print_report+0xd1/0x610
[   23.684086]  ? __virt_addr_valid+0x1db/0x2d0
[   23.684110]  ? krealloc_uaf+0x53c/0x5e0
[   23.684130]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.684155]  ? krealloc_uaf+0x53c/0x5e0
[   23.684176]  kasan_report+0x141/0x180
[   23.684197]  ? krealloc_uaf+0x53c/0x5e0
[   23.684222]  __asan_report_load1_noabort+0x18/0x20
[   23.684245]  krealloc_uaf+0x53c/0x5e0
[   23.684312]  ? __pfx_krealloc_uaf+0x10/0x10
[   23.684350]  ? finish_task_switch.isra.0+0x153/0x700
[   23.684386]  ? __switch_to+0x47/0xf80
[   23.684444]  ? __schedule+0x10cc/0x2b60
[   23.684468]  ? __pfx_read_tsc+0x10/0x10
[   23.684490]  ? ktime_get_ts64+0x86/0x230
[   23.684516]  kunit_try_run_case+0x1a5/0x480
[   23.684540]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.684559]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.684582]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.684605]  ? __kthread_parkme+0x82/0x180
[   23.684626]  ? preempt_count_sub+0x50/0x80
[   23.684648]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.684669]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.684693]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.684718]  kthread+0x337/0x6f0
[   23.684748]  ? trace_preempt_on+0x20/0xc0
[   23.684774]  ? __pfx_kthread+0x10/0x10
[   23.684908]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.684932]  ? calculate_sigpending+0x7b/0xa0
[   23.684958]  ? __pfx_kthread+0x10/0x10
[   23.684980]  ret_from_fork+0x116/0x1d0
[   23.685000]  ? __pfx_kthread+0x10/0x10
[   23.685022]  ret_from_fork_asm+0x1a/0x30
[   23.685053]  </TASK>
[   23.685065] 
[   23.696547] Allocated by task 214:
[   23.696684]  kasan_save_stack+0x45/0x70
[   23.697368]  kasan_save_track+0x18/0x40
[   23.697730]  kasan_save_alloc_info+0x3b/0x50
[   23.698134]  __kasan_kmalloc+0xb7/0xc0
[   23.698560]  __kmalloc_cache_noprof+0x189/0x420
[   23.698990]  krealloc_uaf+0xbb/0x5e0
[   23.699557]  kunit_try_run_case+0x1a5/0x480
[   23.699961]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.700537]  kthread+0x337/0x6f0
[   23.700862]  ret_from_fork+0x116/0x1d0
[   23.701205]  ret_from_fork_asm+0x1a/0x30
[   23.701658] 
[   23.701827] Freed by task 214:
[   23.702137]  kasan_save_stack+0x45/0x70
[   23.702561]  kasan_save_track+0x18/0x40
[   23.702953]  kasan_save_free_info+0x3f/0x60
[   23.703485]  __kasan_slab_free+0x56/0x70
[   23.703757]  kfree+0x222/0x3f0
[   23.703870]  krealloc_uaf+0x13d/0x5e0
[   23.703995]  kunit_try_run_case+0x1a5/0x480
[   23.704130]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.704545]  kthread+0x337/0x6f0
[   23.704851]  ret_from_fork+0x116/0x1d0
[   23.705210]  ret_from_fork_asm+0x1a/0x30
[   23.705658] 
[   23.705848] The buggy address belongs to the object at ffff888100a16c00
[   23.705848]  which belongs to the cache kmalloc-256 of size 256
[   23.706979] The buggy address is located 0 bytes inside of
[   23.706979]  freed 256-byte region [ffff888100a16c00, ffff888100a16d00)
[   23.708023] 
[   23.708213] The buggy address belongs to the physical page:
[   23.708636] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a16
[   23.708901] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   23.709122] anon flags: 0x200000000000040(head|node=0|zone=2)
[   23.709588] page_type: f5(slab)
[   23.709927] raw: 0200000000000040 ffff888100041b40 0000000000000000 dead000000000001
[   23.710713] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   23.711605] head: 0200000000000040 ffff888100041b40 0000000000000000 dead000000000001
[   23.712500] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   23.713463] head: 0200000000000001 ffffea0004028581 00000000ffffffff 00000000ffffffff
[   23.714136] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   23.714680] page dumped because: kasan: bad access detected
[   23.715185] 
[   23.715529] Memory state around the buggy address:
[   23.715855]  ffff888100a16b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.716067]  ffff888100a16b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.716343] >ffff888100a16c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.717183]                    ^
[   23.717515]  ffff888100a16c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.718223]  ffff888100a16d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.719014] ==================================================================
[   23.656869] ==================================================================
[   23.657570] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[   23.657907] Read of size 1 at addr ffff888100a16c00 by task kunit_try_catch/214
[   23.658217] 
[   23.658347] CPU: 1 UID: 0 PID: 214 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary) 
[   23.658500] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.658514] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.658537] Call Trace:
[   23.658551]  <TASK>
[   23.658570]  dump_stack_lvl+0x73/0xb0
[   23.658625]  print_report+0xd1/0x610
[   23.658648]  ? __virt_addr_valid+0x1db/0x2d0
[   23.658671]  ? krealloc_uaf+0x1b8/0x5e0
[   23.658692]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.658717]  ? krealloc_uaf+0x1b8/0x5e0
[   23.658749]  kasan_report+0x141/0x180
[   23.658770]  ? krealloc_uaf+0x1b8/0x5e0
[   23.658794]  ? krealloc_uaf+0x1b8/0x5e0
[   23.658815]  __kasan_check_byte+0x3d/0x50
[   23.658835]  krealloc_noprof+0x3f/0x340
[   23.658862]  krealloc_uaf+0x1b8/0x5e0
[   23.658904]  ? __pfx_krealloc_uaf+0x10/0x10
[   23.658924]  ? finish_task_switch.isra.0+0x153/0x700
[   23.658946]  ? __switch_to+0x47/0xf80
[   23.658972]  ? __schedule+0x10cc/0x2b60
[   23.658996]  ? __pfx_read_tsc+0x10/0x10
[   23.659018]  ? ktime_get_ts64+0x86/0x230
[   23.659044]  kunit_try_run_case+0x1a5/0x480
[   23.659083]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.659103]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.659126]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.659149]  ? __kthread_parkme+0x82/0x180
[   23.659170]  ? preempt_count_sub+0x50/0x80
[   23.659192]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.659213]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.659237]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.659261]  kthread+0x337/0x6f0
[   23.659340]  ? trace_preempt_on+0x20/0xc0
[   23.659363]  ? __pfx_kthread+0x10/0x10
[   23.659384]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.659405]  ? calculate_sigpending+0x7b/0xa0
[   23.659437]  ? __pfx_kthread+0x10/0x10
[   23.659459]  ret_from_fork+0x116/0x1d0
[   23.659478]  ? __pfx_kthread+0x10/0x10
[   23.659499]  ret_from_fork_asm+0x1a/0x30
[   23.659530]  </TASK>
[   23.659541] 
[   23.668207] Allocated by task 214:
[   23.668513]  kasan_save_stack+0x45/0x70
[   23.668711]  kasan_save_track+0x18/0x40
[   23.668852]  kasan_save_alloc_info+0x3b/0x50
[   23.668993]  __kasan_kmalloc+0xb7/0xc0
[   23.669151]  __kmalloc_cache_noprof+0x189/0x420
[   23.669592]  krealloc_uaf+0xbb/0x5e0
[   23.669796]  kunit_try_run_case+0x1a5/0x480
[   23.669998]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.670246]  kthread+0x337/0x6f0
[   23.670534]  ret_from_fork+0x116/0x1d0
[   23.670670]  ret_from_fork_asm+0x1a/0x30
[   23.670866] 
[   23.670980] Freed by task 214:
[   23.671131]  kasan_save_stack+0x45/0x70
[   23.671446]  kasan_save_track+0x18/0x40
[   23.671608]  kasan_save_free_info+0x3f/0x60
[   23.671843]  __kasan_slab_free+0x56/0x70
[   23.672033]  kfree+0x222/0x3f0
[   23.672183]  krealloc_uaf+0x13d/0x5e0
[   23.672452]  kunit_try_run_case+0x1a5/0x480
[   23.672620]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.672832]  kthread+0x337/0x6f0
[   23.673019]  ret_from_fork+0x116/0x1d0
[   23.673209]  ret_from_fork_asm+0x1a/0x30
[   23.673502] 
[   23.673614] The buggy address belongs to the object at ffff888100a16c00
[   23.673614]  which belongs to the cache kmalloc-256 of size 256
[   23.674256] The buggy address is located 0 bytes inside of
[   23.674256]  freed 256-byte region [ffff888100a16c00, ffff888100a16d00)
[   23.674790] 
[   23.674881] The buggy address belongs to the physical page:
[   23.675058] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100a16
[   23.675295] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   23.675766] anon flags: 0x200000000000040(head|node=0|zone=2)
[   23.676051] page_type: f5(slab)
[   23.676220] raw: 0200000000000040 ffff888100041b40 0000000000000000 dead000000000001
[   23.677056] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   23.677482] head: 0200000000000040 ffff888100041b40 0000000000000000 dead000000000001
[   23.677718] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   23.678195] head: 0200000000000001 ffffea0004028581 00000000ffffffff 00000000ffffffff
[   23.678576] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   23.678934] page dumped because: kasan: bad access detected
[   23.679141] 
[   23.679436] Memory state around the buggy address:
[   23.679672]  ffff888100a16b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.679964]  ffff888100a16b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.680488] >ffff888100a16c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.680797]                    ^
[   23.680980]  ffff888100a16c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   23.681365]  ffff888100a16d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.681680] ==================================================================