Date: July 15, 2025, 11:35 a.m.

Environment: e850-96, qemu-arm64, qemu-x86_64

[   42.831204] ==================================================================
[   42.841133] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   42.847723] Read of size 1 at addr ffff000805058400 by task kunit_try_catch/245
[   42.855013] 
[   42.856500] CPU: 3 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250715 #1 PREEMPT 
[   42.856555] Tainted: [B]=BAD_PAGE, [N]=TEST
[   42.856570] Hardware name: WinLink E850-96 board (DT)
[   42.856591] Call trace:
[   42.856605]  show_stack+0x20/0x38 (C)
[   42.856641]  dump_stack_lvl+0x8c/0xd0
[   42.856676]  print_report+0x118/0x5d0
[   42.856702]  kasan_report+0xdc/0x128
[   42.856726]  __kasan_check_byte+0x54/0x70
[   42.856752]  krealloc_noprof+0x44/0x360
[   42.856785]  krealloc_uaf+0x180/0x520
[   42.856817]  kunit_try_run_case+0x170/0x3f0
[   42.856846]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   42.856880]  kthread+0x328/0x630
[   42.856907]  ret_from_fork+0x10/0x20
[   42.856942] 
[   42.923069] Allocated by task 245:
[   42.926457]  kasan_save_stack+0x3c/0x68
[   42.930273]  kasan_save_track+0x20/0x40
[   42.934093]  kasan_save_alloc_info+0x40/0x58
[   42.938346]  __kasan_kmalloc+0xd4/0xd8
[   42.942079]  __kmalloc_cache_noprof+0x16c/0x3c0
[   42.946592]  krealloc_uaf+0xc8/0x520
[   42.950151]  kunit_try_run_case+0x170/0x3f0
[   42.954318]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   42.959786]  kthread+0x328/0x630
[   42.962998]  ret_from_fork+0x10/0x20
[   42.966557] 
[   42.968034] Freed by task 245:
[   42.971073]  kasan_save_stack+0x3c/0x68
[   42.974890]  kasan_save_track+0x20/0x40
[   42.978710]  kasan_save_free_info+0x4c/0x78
[   42.982876]  __kasan_slab_free+0x6c/0x98
[   42.986784]  kfree+0x214/0x3c8
[   42.989821]  krealloc_uaf+0x12c/0x520
[   42.993467]  kunit_try_run_case+0x170/0x3f0
[   42.997633]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   43.003102]  kthread+0x328/0x630
[   43.006313]  ret_from_fork+0x10/0x20
[   43.009873] 
[   43.011350] The buggy address belongs to the object at ffff000805058400
[   43.011350]  which belongs to the cache kmalloc-256 of size 256
[   43.023851] The buggy address is located 0 bytes inside of
[   43.023851]  freed 256-byte region [ffff000805058400, ffff000805058500)
[   43.035913] 
[   43.037392] The buggy address belongs to the physical page:
[   43.042949] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x885058
[   43.050933] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   43.058573] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   43.065515] page_type: f5(slab)
[   43.068653] raw: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   43.076371] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   43.084099] head: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   43.091909] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   43.099722] head: 0bfffe0000000002 fffffdffe0141601 00000000ffffffff 00000000ffffffff
[   43.107534] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   43.115342] page dumped because: kasan: bad access detected
[   43.120895] 
[   43.122370] Memory state around the buggy address:
[   43.127151]  ffff000805058300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.134355]  ffff000805058380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.141558] >ffff000805058400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.148759]                    ^
[   43.151975]  ffff000805058480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.159179]  ffff000805058500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.166382] ==================================================================
[   43.173919] ==================================================================
[   43.180797] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   43.187388] Read of size 1 at addr ffff000805058400 by task kunit_try_catch/245
[   43.194679] 
[   43.196165] CPU: 3 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250715 #1 PREEMPT 
[   43.196218] Tainted: [B]=BAD_PAGE, [N]=TEST
[   43.196234] Hardware name: WinLink E850-96 board (DT)
[   43.196254] Call trace:
[   43.196266]  show_stack+0x20/0x38 (C)
[   43.196298]  dump_stack_lvl+0x8c/0xd0
[   43.196332]  print_report+0x118/0x5d0
[   43.196361]  kasan_report+0xdc/0x128
[   43.196386]  __asan_report_load1_noabort+0x20/0x30
[   43.196415]  krealloc_uaf+0x4c8/0x520
[   43.196446]  kunit_try_run_case+0x170/0x3f0
[   43.196475]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   43.196507]  kthread+0x328/0x630
[   43.196535]  ret_from_fork+0x10/0x20
[   43.196565] 
[   43.259696] Allocated by task 245:
[   43.263084]  kasan_save_stack+0x3c/0x68
[   43.266900]  kasan_save_track+0x20/0x40
[   43.270719]  kasan_save_alloc_info+0x40/0x58
[   43.274973]  __kasan_kmalloc+0xd4/0xd8
[   43.278705]  __kmalloc_cache_noprof+0x16c/0x3c0
[   43.283220]  krealloc_uaf+0xc8/0x520
[   43.286778]  kunit_try_run_case+0x170/0x3f0
[   43.290945]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   43.296413]  kthread+0x328/0x630
[   43.299625]  ret_from_fork+0x10/0x20
[   43.303184] 
[   43.304659] Freed by task 245:
[   43.307699]  kasan_save_stack+0x3c/0x68
[   43.311517]  kasan_save_track+0x20/0x40
[   43.315337]  kasan_save_free_info+0x4c/0x78
[   43.319503]  __kasan_slab_free+0x6c/0x98
[   43.323409]  kfree+0x214/0x3c8
[   43.326448]  krealloc_uaf+0x12c/0x520
[   43.330093]  kunit_try_run_case+0x170/0x3f0
[   43.334260]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   43.339729]  kthread+0x328/0x630
[   43.342940]  ret_from_fork+0x10/0x20
[   43.346500] 
[   43.347976] The buggy address belongs to the object at ffff000805058400
[   43.347976]  which belongs to the cache kmalloc-256 of size 256
[   43.360477] The buggy address is located 0 bytes inside of
[   43.360477]  freed 256-byte region [ffff000805058400, ffff000805058500)
[   43.372540] 
[   43.374020] The buggy address belongs to the physical page:
[   43.379575] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x885058
[   43.387559] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   43.395199] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   43.402141] page_type: f5(slab)
[   43.405279] raw: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   43.412998] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   43.420726] head: 0bfffe0000000040 ffff000800002b40 dead000000000122 0000000000000000
[   43.428536] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   43.436349] head: 0bfffe0000000002 fffffdffe0141601 00000000ffffffff 00000000ffffffff
[   43.444161] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   43.451969] page dumped because: kasan: bad access detected
[   43.457521] 
[   43.458997] Memory state around the buggy address:
[   43.463780]  ffff000805058300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.470980]  ffff000805058380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.478185] >ffff000805058400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.485387]                    ^
[   43.488602]  ffff000805058480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.495806]  ffff000805058500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.503007] ==================================================================

[   30.538916] ==================================================================
[   30.538978] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x180/0x520
[   30.539224] Read of size 1 at addr fff00000c792ec00 by task kunit_try_catch/196
[   30.539348] 
[   30.539402] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250715 #1 PREEMPT 
[   30.539524] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.539550] Hardware name: linux,dummy-virt (DT)
[   30.539579] Call trace:
[   30.539613]  show_stack+0x20/0x38 (C)
[   30.539662]  dump_stack_lvl+0x8c/0xd0
[   30.539780]  print_report+0x118/0x5d0
[   30.539827]  kasan_report+0xdc/0x128
[   30.539992]  __kasan_check_byte+0x54/0x70
[   30.540045]  krealloc_noprof+0x44/0x360
[   30.540092]  krealloc_uaf+0x180/0x520
[   30.540174]  kunit_try_run_case+0x170/0x3f0
[   30.540239]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.540306]  kthread+0x328/0x630
[   30.540368]  ret_from_fork+0x10/0x20
[   30.540417] 
[   30.540447] Allocated by task 196:
[   30.540474]  kasan_save_stack+0x3c/0x68
[   30.540534]  kasan_save_track+0x20/0x40
[   30.540643]  kasan_save_alloc_info+0x40/0x58
[   30.540757]  __kasan_kmalloc+0xd4/0xd8
[   30.540823]  __kmalloc_cache_noprof+0x16c/0x3c0
[   30.540866]  krealloc_uaf+0xc8/0x520
[   30.540949]  kunit_try_run_case+0x170/0x3f0
[   30.540985]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.541064]  kthread+0x328/0x630
[   30.541097]  ret_from_fork+0x10/0x20
[   30.541138] 
[   30.541165] Freed by task 196:
[   30.541191]  kasan_save_stack+0x3c/0x68
[   30.541265]  kasan_save_track+0x20/0x40
[   30.541489]  kasan_save_free_info+0x4c/0x78
[   30.541540]  __kasan_slab_free+0x6c/0x98
[   30.541579]  kfree+0x214/0x3c8
[   30.541613]  krealloc_uaf+0x12c/0x520
[   30.541771]  kunit_try_run_case+0x170/0x3f0
[   30.541897]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.541940]  kthread+0x328/0x630
[   30.541999]  ret_from_fork+0x10/0x20
[   30.542035] 
[   30.542056] The buggy address belongs to the object at fff00000c792ec00
[   30.542056]  which belongs to the cache kmalloc-256 of size 256
[   30.542466] The buggy address is located 0 bytes inside of
[   30.542466]  freed 256-byte region [fff00000c792ec00, fff00000c792ed00)
[   30.542642] 
[   30.542727] The buggy address belongs to the physical page:
[   30.542795] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xfff00000c792e600 pfn:0x10792e
[   30.542899] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   30.542964] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   30.543012] page_type: f5(slab)
[   30.543420] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   30.543519] raw: fff00000c792e600 000000008010000f 00000000f5000000 0000000000000000
[   30.543612] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   30.543660] head: fff00000c792e600 000000008010000f 00000000f5000000 0000000000000000
[   30.543958] head: 0bfffe0000000001 ffffc1ffc31e4b81 00000000ffffffff 00000000ffffffff
[   30.544057] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   30.544172] page dumped because: kasan: bad access detected
[   30.544264] 
[   30.544301] Memory state around the buggy address:
[   30.544332]  fff00000c792eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.544383]  fff00000c792eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.544608] >fff00000c792ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.544688]                    ^
[   30.544716]  fff00000c792ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.544985]  fff00000c792ed00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.545070] ==================================================================
[   30.546202] ==================================================================
[   30.546249] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520
[   30.546297] Read of size 1 at addr fff00000c792ec00 by task kunit_try_catch/196
[   30.546344] 
[   30.546558] CPU: 0 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250715 #1 PREEMPT 
[   30.546663] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.546689] Hardware name: linux,dummy-virt (DT)
[   30.546719] Call trace:
[   30.546762]  show_stack+0x20/0x38 (C)
[   30.546849]  dump_stack_lvl+0x8c/0xd0
[   30.546896]  print_report+0x118/0x5d0
[   30.546940]  kasan_report+0xdc/0x128
[   30.547168]  __asan_report_load1_noabort+0x20/0x30
[   30.547244]  krealloc_uaf+0x4c8/0x520
[   30.547291]  kunit_try_run_case+0x170/0x3f0
[   30.547345]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.547397]  kthread+0x328/0x630
[   30.547450]  ret_from_fork+0x10/0x20
[   30.547497] 
[   30.547522] Allocated by task 196:
[   30.547550]  kasan_save_stack+0x3c/0x68
[   30.547599]  kasan_save_track+0x20/0x40
[   30.547637]  kasan_save_alloc_info+0x40/0x58
[   30.547673]  __kasan_kmalloc+0xd4/0xd8
[   30.547738]  __kmalloc_cache_noprof+0x16c/0x3c0
[   30.547932]  krealloc_uaf+0xc8/0x520
[   30.547974]  kunit_try_run_case+0x170/0x3f0
[   30.548074]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.548140]  kthread+0x328/0x630
[   30.548206]  ret_from_fork+0x10/0x20
[   30.548247] 
[   30.548333] Freed by task 196:
[   30.548425]  kasan_save_stack+0x3c/0x68
[   30.548474]  kasan_save_track+0x20/0x40
[   30.548511]  kasan_save_free_info+0x4c/0x78
[   30.548547]  __kasan_slab_free+0x6c/0x98
[   30.548584]  kfree+0x214/0x3c8
[   30.548616]  krealloc_uaf+0x12c/0x520
[   30.548652]  kunit_try_run_case+0x170/0x3f0
[   30.548686]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.549022]  kthread+0x328/0x630
[   30.549160]  ret_from_fork+0x10/0x20
[   30.549196] 
[   30.549215] The buggy address belongs to the object at fff00000c792ec00
[   30.549215]  which belongs to the cache kmalloc-256 of size 256
[   30.549270] The buggy address is located 0 bytes inside of
[   30.549270]  freed 256-byte region [fff00000c792ec00, fff00000c792ed00)
[   30.549556] 
[   30.549653] The buggy address belongs to the physical page:
[   30.549731] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xfff00000c792e600 pfn:0x10792e
[   30.549834] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   30.549916] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   30.550011] page_type: f5(slab)
[   30.550087] raw: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   30.550135] raw: fff00000c792e600 000000008010000f 00000000f5000000 0000000000000000
[   30.550182] head: 0bfffe0000000040 fff00000c0001b40 dead000000000122 0000000000000000
[   30.550459] head: fff00000c792e600 000000008010000f 00000000f5000000 0000000000000000
[   30.550606] head: 0bfffe0000000001 ffffc1ffc31e4b81 00000000ffffffff 00000000ffffffff
[   30.550712] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   30.550830] page dumped because: kasan: bad access detected
[   30.550894] 
[   30.550911] Memory state around the buggy address:
[   30.550941]  fff00000c792eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.550982]  fff00000c792eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.551021] >fff00000c792ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.551255]                    ^
[   30.551334]  fff00000c792ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   30.551414]  fff00000c792ed00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   30.551555] ==================================================================

[   24.013564] ==================================================================
[   24.014103] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x53c/0x5e0
[   24.014372] Read of size 1 at addr ffff8881009a8e00 by task kunit_try_catch/212
[   24.014789] 
[   24.014881] CPU: 1 UID: 0 PID: 212 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250715 #1 PREEMPT(voluntary) 
[   24.014930] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.014941] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.014962] Call Trace:
[   24.014975]  <TASK>
[   24.014994]  dump_stack_lvl+0x73/0xb0
[   24.015033]  print_report+0xd1/0x610
[   24.015055]  ? __virt_addr_valid+0x1db/0x2d0
[   24.015079]  ? krealloc_uaf+0x53c/0x5e0
[   24.015099]  ? kasan_complete_mode_report_info+0x64/0x200
[   24.015125]  ? krealloc_uaf+0x53c/0x5e0
[   24.015146]  kasan_report+0x141/0x180
[   24.015167]  ? krealloc_uaf+0x53c/0x5e0
[   24.015194]  __asan_report_load1_noabort+0x18/0x20
[   24.015218]  krealloc_uaf+0x53c/0x5e0
[   24.015239]  ? __pfx_krealloc_uaf+0x10/0x10
[   24.015259]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   24.015288]  ? __pfx_krealloc_uaf+0x10/0x10
[   24.015314]  kunit_try_run_case+0x1a5/0x480
[   24.015336]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.015357]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.015379]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.015401]  ? __kthread_parkme+0x82/0x180
[   24.015421]  ? preempt_count_sub+0x50/0x80
[   24.015444]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.015467]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.015492]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.015530]  kthread+0x337/0x6f0
[   24.015550]  ? trace_preempt_on+0x20/0xc0
[   24.015573]  ? __pfx_kthread+0x10/0x10
[   24.015594]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.015618]  ? calculate_sigpending+0x7b/0xa0
[   24.015643]  ? __pfx_kthread+0x10/0x10
[   24.015664]  ret_from_fork+0x116/0x1d0
[   24.015684]  ? __pfx_kthread+0x10/0x10
[   24.015704]  ret_from_fork_asm+0x1a/0x30
[   24.015736]  </TASK>
[   24.015747] 
[   24.022350] Allocated by task 212:
[   24.022478]  kasan_save_stack+0x45/0x70
[   24.022806]  kasan_save_track+0x18/0x40
[   24.023018]  kasan_save_alloc_info+0x3b/0x50
[   24.023224]  __kasan_kmalloc+0xb7/0xc0
[   24.023392]  __kmalloc_cache_noprof+0x189/0x420
[   24.023593]  krealloc_uaf+0xbb/0x5e0
[   24.023785]  kunit_try_run_case+0x1a5/0x480
[   24.023926]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.024096]  kthread+0x337/0x6f0
[   24.024211]  ret_from_fork+0x116/0x1d0
[   24.024379]  ret_from_fork_asm+0x1a/0x30
[   24.024835] 
[   24.024993] Freed by task 212:
[   24.025304]  kasan_save_stack+0x45/0x70
[   24.025497]  kasan_save_track+0x18/0x40
[   24.025857]  kasan_save_free_info+0x3f/0x60
[   24.026122]  __kasan_slab_free+0x56/0x70
[   24.026313]  kfree+0x222/0x3f0
[   24.026453]  krealloc_uaf+0x13d/0x5e0
[   24.026691]  kunit_try_run_case+0x1a5/0x480
[   24.026870]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.027056]  kthread+0x337/0x6f0
[   24.027169]  ret_from_fork+0x116/0x1d0
[   24.027294]  ret_from_fork_asm+0x1a/0x30
[   24.027427] 
[   24.027513] The buggy address belongs to the object at ffff8881009a8e00
[   24.027513]  which belongs to the cache kmalloc-256 of size 256
[   24.028395] The buggy address is located 0 bytes inside of
[   24.028395]  freed 256-byte region [ffff8881009a8e00, ffff8881009a8f00)
[   24.029250] 
[   24.029333] The buggy address belongs to the physical page:
[   24.029548] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1009a8
[   24.029786] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   24.030152] anon flags: 0x200000000000040(head|node=0|zone=2)
[   24.030422] page_type: f5(slab)
[   24.030601] raw: 0200000000000040 ffff888100041b40 0000000000000000 dead000000000001
[   24.030963] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   24.031262] head: 0200000000000040 ffff888100041b40 0000000000000000 dead000000000001
[   24.031527] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   24.031900] head: 0200000000000001 ffffea0004026a01 00000000ffffffff 00000000ffffffff
[   24.032273] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   24.032679] page dumped because: kasan: bad access detected
[   24.032847] 
[   24.032909] Memory state around the buggy address:
[   24.033056]  ffff8881009a8d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.033352]  ffff8881009a8d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.033808] >ffff8881009a8e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.034109]                    ^
[   24.034263]  ffff8881009a8e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.034477]  ffff8881009a8f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.034689] ==================================================================
[   23.990864] ==================================================================
[   23.991403] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x1b8/0x5e0
[   23.992017] Read of size 1 at addr ffff8881009a8e00 by task kunit_try_catch/212
[   23.992316] 
[   23.992416] CPU: 1 UID: 0 PID: 212 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6-next-20250715 #1 PREEMPT(voluntary) 
[   23.992464] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.992476] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.992496] Call Trace:
[   23.992509]  <TASK>
[   23.992539]  dump_stack_lvl+0x73/0xb0
[   23.992569]  print_report+0xd1/0x610
[   23.992945]  ? __virt_addr_valid+0x1db/0x2d0
[   23.992970]  ? krealloc_uaf+0x1b8/0x5e0
[   23.992990]  ? kasan_complete_mode_report_info+0x64/0x200
[   23.993016]  ? krealloc_uaf+0x1b8/0x5e0
[   23.993038]  kasan_report+0x141/0x180
[   23.993059]  ? krealloc_uaf+0x1b8/0x5e0
[   23.993083]  ? krealloc_uaf+0x1b8/0x5e0
[   23.993104]  __kasan_check_byte+0x3d/0x50
[   23.993126]  krealloc_noprof+0x3f/0x340
[   23.993153]  krealloc_uaf+0x1b8/0x5e0
[   23.993174]  ? __pfx_krealloc_uaf+0x10/0x10
[   23.993194]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   23.993224]  ? __pfx_krealloc_uaf+0x10/0x10
[   23.993250]  kunit_try_run_case+0x1a5/0x480
[   23.993273]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.993294]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.993316]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.993337]  ? __kthread_parkme+0x82/0x180
[   23.993357]  ? preempt_count_sub+0x50/0x80
[   23.993381]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.993403]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.993429]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.993455]  kthread+0x337/0x6f0
[   23.993474]  ? trace_preempt_on+0x20/0xc0
[   23.993497]  ? __pfx_kthread+0x10/0x10
[   23.993531]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.993556]  ? calculate_sigpending+0x7b/0xa0
[   23.993637]  ? __pfx_kthread+0x10/0x10
[   23.993661]  ret_from_fork+0x116/0x1d0
[   23.993680]  ? __pfx_kthread+0x10/0x10
[   23.993700]  ret_from_fork_asm+0x1a/0x30
[   23.993732]  </TASK>
[   23.993743] 
[   24.000965] Allocated by task 212:
[   24.001305]  kasan_save_stack+0x45/0x70
[   24.001500]  kasan_save_track+0x18/0x40
[   24.001677]  kasan_save_alloc_info+0x3b/0x50
[   24.001950]  __kasan_kmalloc+0xb7/0xc0
[   24.002083]  __kmalloc_cache_noprof+0x189/0x420
[   24.002231]  krealloc_uaf+0xbb/0x5e0
[   24.002392]  kunit_try_run_case+0x1a5/0x480
[   24.002626]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.002893]  kthread+0x337/0x6f0
[   24.003056]  ret_from_fork+0x116/0x1d0
[   24.003233]  ret_from_fork_asm+0x1a/0x30
[   24.003418] 
[   24.003482] Freed by task 212:
[   24.003596]  kasan_save_stack+0x45/0x70
[   24.003726]  kasan_save_track+0x18/0x40
[   24.003854]  kasan_save_free_info+0x3f/0x60
[   24.004025]  __kasan_slab_free+0x56/0x70
[   24.004211]  kfree+0x222/0x3f0
[   24.004374]  krealloc_uaf+0x13d/0x5e0
[   24.004730]  kunit_try_run_case+0x1a5/0x480
[   24.004932]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.005149]  kthread+0x337/0x6f0
[   24.005298]  ret_from_fork+0x116/0x1d0
[   24.005465]  ret_from_fork_asm+0x1a/0x30
[   24.005725] 
[   24.005797] The buggy address belongs to the object at ffff8881009a8e00
[   24.005797]  which belongs to the cache kmalloc-256 of size 256
[   24.006344] The buggy address is located 0 bytes inside of
[   24.006344]  freed 256-byte region [ffff8881009a8e00, ffff8881009a8f00)
[   24.006918] 
[   24.007016] The buggy address belongs to the physical page:
[   24.007234] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1009a8
[   24.007555] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   24.007940] anon flags: 0x200000000000040(head|node=0|zone=2)
[   24.008130] page_type: f5(slab)
[   24.008247] raw: 0200000000000040 ffff888100041b40 0000000000000000 dead000000000001
[   24.008531] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   24.008862] head: 0200000000000040 ffff888100041b40 0000000000000000 dead000000000001
[   24.009548] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   24.010073] head: 0200000000000001 ffffea0004026a01 00000000ffffffff 00000000ffffffff
[   24.010302] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[   24.010532] page dumped because: kasan: bad access detected
[   24.010696] 
[   24.010791] Memory state around the buggy address:
[   24.011011]  ffff8881009a8d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.011330]  ffff8881009a8d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.011724] >ffff8881009a8e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.012041]                    ^
[   24.012203]  ffff8881009a8e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.012527]  ffff8881009a8f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.012884] ==================================================================