Hay
Date
July 24, 2025, 4:41 a.m.

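Environment
qemu-arm64 (the first three reports below; Hardware name: linux,dummy-virt (DT))
qemu-x86_64 (the last three reports below; Hardware name: QEMU Standard PC (Q35 + ICH9, 2009))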

[   32.793125] ==================================================================
[   32.793184] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   32.793238] Read of size 1 at addr fff00000c9a8b600 by task kunit_try_catch/227
[   32.793680] 
[   32.793726] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7-next-20250724 #1 PREEMPT 
[   32.793831] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.793860] Hardware name: linux,dummy-virt (DT)
[   32.794242] Call trace:
[   32.794292]  show_stack+0x20/0x38 (C)
[   32.794391]  dump_stack_lvl+0x8c/0xd0
[   32.794439]  print_report+0x118/0x5e8
[   32.794494]  kasan_report+0xdc/0x128
[   32.794537]  __asan_report_load1_noabort+0x20/0x30
[   32.794586]  ksize_uaf+0x598/0x5f8
[   32.794629]  kunit_try_run_case+0x170/0x3f0
[   32.794683]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.794737]  kthread+0x328/0x630
[   32.794788]  ret_from_fork+0x10/0x20
[   32.794836] 
[   32.794855] Allocated by task 227:
[   32.794892]  kasan_save_stack+0x3c/0x68
[   32.794931]  kasan_save_track+0x20/0x40
[   32.795392]  kasan_save_alloc_info+0x40/0x58
[   32.795567]  __kasan_kmalloc+0xd4/0xd8
[   32.795638]  __kmalloc_cache_noprof+0x16c/0x3c0
[   32.795819]  ksize_uaf+0xb8/0x5f8
[   32.795898]  kunit_try_run_case+0x170/0x3f0
[   32.796054]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.796129]  kthread+0x328/0x630
[   32.796349]  ret_from_fork+0x10/0x20
[   32.796972] 
[   32.797271] Freed by task 227:
[   32.797350]  kasan_save_stack+0x3c/0x68
[   32.797421]  kasan_save_track+0x20/0x40
[   32.797488]  kasan_save_free_info+0x4c/0x78
[   32.797849]  __kasan_slab_free+0x6c/0x98
[   32.798314]  kfree+0x214/0x3c8
[   32.798398]  ksize_uaf+0x11c/0x5f8
[   32.798666]  kunit_try_run_case+0x170/0x3f0
[   32.798730]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.799138]  kthread+0x328/0x630
[   32.799191]  ret_from_fork+0x10/0x20
[   32.799229] 
[   32.799250] The buggy address belongs to the object at fff00000c9a8b600
[   32.799250]  which belongs to the cache kmalloc-128 of size 128
[   32.799860] The buggy address is located 0 bytes inside of
[   32.799860]  freed 128-byte region [fff00000c9a8b600, fff00000c9a8b680)
[   32.799998] 
[   32.800093] The buggy address belongs to the physical page:
[   32.800179] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a8b
[   32.800305] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.800382] page_type: f5(slab)
[   32.800473] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   32.800563] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   32.800865] page dumped because: kasan: bad access detected
[   32.801050] 
[   32.801123] Memory state around the buggy address:
[   32.801535]  fff00000c9a8b500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.801694]  fff00000c9a8b580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.801829] >fff00000c9a8b600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.801871]                    ^
[   32.801919]  fff00000c9a8b680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.802135]  fff00000c9a8b700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.802181] ==================================================================
[   32.805233] ==================================================================
[   32.805638] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   32.805765] Read of size 1 at addr fff00000c9a8b678 by task kunit_try_catch/227
[   32.805839] 
[   32.805896] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7-next-20250724 #1 PREEMPT 
[   32.805993] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.806021] Hardware name: linux,dummy-virt (DT)
[   32.806340] Call trace:
[   32.806384]  show_stack+0x20/0x38 (C)
[   32.806435]  dump_stack_lvl+0x8c/0xd0
[   32.806482]  print_report+0x118/0x5e8
[   32.806776]  kasan_report+0xdc/0x128
[   32.807143]  __asan_report_load1_noabort+0x20/0x30
[   32.807275]  ksize_uaf+0x544/0x5f8
[   32.807380]  kunit_try_run_case+0x170/0x3f0
[   32.808040]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.808142]  kthread+0x328/0x630
[   32.808283]  ret_from_fork+0x10/0x20
[   32.808400] 
[   32.808458] Allocated by task 227:
[   32.808488]  kasan_save_stack+0x3c/0x68
[   32.808566]  kasan_save_track+0x20/0x40
[   32.808894]  kasan_save_alloc_info+0x40/0x58
[   32.809039]  __kasan_kmalloc+0xd4/0xd8
[   32.809128]  __kmalloc_cache_noprof+0x16c/0x3c0
[   32.809279]  ksize_uaf+0xb8/0x5f8
[   32.809377]  kunit_try_run_case+0x170/0x3f0
[   32.809635]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.809793]  kthread+0x328/0x630
[   32.810053]  ret_from_fork+0x10/0x20
[   32.810154] 
[   32.810209] Freed by task 227:
[   32.810294]  kasan_save_stack+0x3c/0x68
[   32.810344]  kasan_save_track+0x20/0x40
[   32.810418]  kasan_save_free_info+0x4c/0x78
[   32.810457]  __kasan_slab_free+0x6c/0x98
[   32.810869]  kfree+0x214/0x3c8
[   32.810992]  ksize_uaf+0x11c/0x5f8
[   32.811126]  kunit_try_run_case+0x170/0x3f0
[   32.811261]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.811360]  kthread+0x328/0x630
[   32.811602]  ret_from_fork+0x10/0x20
[   32.811795] 
[   32.811882] The buggy address belongs to the object at fff00000c9a8b600
[   32.811882]  which belongs to the cache kmalloc-128 of size 128
[   32.811957] The buggy address is located 120 bytes inside of
[   32.811957]  freed 128-byte region [fff00000c9a8b600, fff00000c9a8b680)
[   32.812190] 
[   32.812786] The buggy address belongs to the physical page:
[   32.812830] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a8b
[   32.812887] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.812935] page_type: f5(slab)
[   32.812973] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   32.813026] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   32.813067] page dumped because: kasan: bad access detected
[   32.813099] 
[   32.813118] Memory state around the buggy address:
[   32.813150]  fff00000c9a8b500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.813196]  fff00000c9a8b580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.813237] >fff00000c9a8b600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.813275]                                                                 ^
[   32.813316]  fff00000c9a8b680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.813357]  fff00000c9a8b700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.813396] ==================================================================
[   32.781213] ==================================================================
[   32.781338] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   32.781446] Read of size 1 at addr fff00000c9a8b600 by task kunit_try_catch/227
[   32.781767] 
[   32.781814] CPU: 0 UID: 0 PID: 227 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7-next-20250724 #1 PREEMPT 
[   32.781912] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.781940] Hardware name: linux,dummy-virt (DT)
[   32.782096] Call trace:
[   32.782136]  show_stack+0x20/0x38 (C)
[   32.782190]  dump_stack_lvl+0x8c/0xd0
[   32.782235]  print_report+0x118/0x5e8
[   32.782413]  kasan_report+0xdc/0x128
[   32.782759]  __kasan_check_byte+0x54/0x70
[   32.782831]  ksize+0x30/0x88
[   32.782875]  ksize_uaf+0x168/0x5f8
[   32.783228]  kunit_try_run_case+0x170/0x3f0
[   32.783317]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.783450]  kthread+0x328/0x630
[   32.783546]  ret_from_fork+0x10/0x20
[   32.783663] 
[   32.783714] Allocated by task 227:
[   32.783815]  kasan_save_stack+0x3c/0x68
[   32.783856]  kasan_save_track+0x20/0x40
[   32.783919]  kasan_save_alloc_info+0x40/0x58
[   32.783963]  __kasan_kmalloc+0xd4/0xd8
[   32.784386]  __kmalloc_cache_noprof+0x16c/0x3c0
[   32.784528]  ksize_uaf+0xb8/0x5f8
[   32.784645]  kunit_try_run_case+0x170/0x3f0
[   32.784803]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.784901]  kthread+0x328/0x630
[   32.784951]  ret_from_fork+0x10/0x20
[   32.784989] 
[   32.785264] Freed by task 227:
[   32.785420]  kasan_save_stack+0x3c/0x68
[   32.785561]  kasan_save_track+0x20/0x40
[   32.785626]  kasan_save_free_info+0x4c/0x78
[   32.785781]  __kasan_slab_free+0x6c/0x98
[   32.785881]  kfree+0x214/0x3c8
[   32.786155]  ksize_uaf+0x11c/0x5f8
[   32.786328]  kunit_try_run_case+0x170/0x3f0
[   32.786390]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.786565]  kthread+0x328/0x630
[   32.786642]  ret_from_fork+0x10/0x20
[   32.786793] 
[   32.786873] The buggy address belongs to the object at fff00000c9a8b600
[   32.786873]  which belongs to the cache kmalloc-128 of size 128
[   32.787084] The buggy address is located 0 bytes inside of
[   32.787084]  freed 128-byte region [fff00000c9a8b600, fff00000c9a8b680)
[   32.787155] 
[   32.787178] The buggy address belongs to the physical page:
[   32.787459] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a8b
[   32.787531] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.787659] page_type: f5(slab)
[   32.787725] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   32.787849] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   32.787938] page dumped because: kasan: bad access detected
[   32.788061] 
[   32.788094] Memory state around the buggy address:
[   32.788154]  fff00000c9a8b500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.788370]  fff00000c9a8b580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.788621] >fff00000c9a8b600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.788720]                    ^
[   32.788820]  fff00000c9a8b680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.788908]  fff00000c9a8b700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.788989] ==================================================================

[   27.333420] ==================================================================
[   27.333970] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   27.334198] Read of size 1 at addr ffff888104c4a900 by task kunit_try_catch/244
[   27.334416] 
[   27.334507] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc7-next-20250724 #1 PREEMPT(voluntary) 
[   27.334560] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   27.334583] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   27.334604] Call Trace:
[   27.334617]  <TASK>
[   27.334637]  dump_stack_lvl+0x73/0xb0
[   27.334666]  print_report+0xd1/0x640
[   27.334688]  ? __virt_addr_valid+0x1db/0x2d0
[   27.334713]  ? ksize_uaf+0x19d/0x6c0
[   27.334732]  ? kasan_complete_mode_report_info+0x64/0x200
[   27.334757]  ? ksize_uaf+0x19d/0x6c0
[   27.334776]  kasan_report+0x141/0x180
[   27.334797]  ? ksize_uaf+0x19d/0x6c0
[   27.334820]  ? ksize_uaf+0x19d/0x6c0
[   27.334840]  __kasan_check_byte+0x3d/0x50
[   27.334860]  ksize+0x20/0x60
[   27.334880]  ksize_uaf+0x19d/0x6c0
[   27.334900]  ? __pfx_ksize_uaf+0x10/0x10
[   27.334920]  ? __schedule+0x10da/0x2b60
[   27.334945]  ? __pfx_read_tsc+0x10/0x10
[   27.334966]  ? ktime_get_ts64+0x86/0x230
[   27.334991]  kunit_try_run_case+0x1a5/0x480
[   27.335016]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.335037]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   27.335060]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   27.335084]  ? __kthread_parkme+0x82/0x180
[   27.335105]  ? preempt_count_sub+0x50/0x80
[   27.335128]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.335150]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.335173]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   27.335195]  kthread+0x337/0x6f0
[   27.335213]  ? trace_preempt_on+0x20/0xc0
[   27.335237]  ? __pfx_kthread+0x10/0x10
[   27.335263]  ? _raw_spin_unlock_irq+0x47/0x80
[   27.335285]  ? calculate_sigpending+0x7b/0xa0
[   27.335309]  ? __pfx_kthread+0x10/0x10
[   27.335329]  ret_from_fork+0x116/0x1d0
[   27.335347]  ? __pfx_kthread+0x10/0x10
[   27.335366]  ret_from_fork_asm+0x1a/0x30
[   27.335398]  </TASK>
[   27.335408] 
[   27.349539] Allocated by task 244:
[   27.349700]  kasan_save_stack+0x45/0x70
[   27.350381]  kasan_save_track+0x18/0x40
[   27.350874]  kasan_save_alloc_info+0x3b/0x50
[   27.351347]  __kasan_kmalloc+0xb7/0xc0
[   27.351722]  __kmalloc_cache_noprof+0x189/0x420
[   27.352214]  ksize_uaf+0xaa/0x6c0
[   27.352418]  kunit_try_run_case+0x1a5/0x480
[   27.352559]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.352741]  kthread+0x337/0x6f0
[   27.353228]  ret_from_fork+0x116/0x1d0
[   27.353566]  ret_from_fork_asm+0x1a/0x30
[   27.354018] 
[   27.354175] Freed by task 244:
[   27.354441]  kasan_save_stack+0x45/0x70
[   27.354803]  kasan_save_track+0x18/0x40
[   27.355233]  kasan_save_free_info+0x3f/0x60
[   27.355645]  __kasan_slab_free+0x56/0x70
[   27.355848]  kfree+0x222/0x3f0
[   27.356119]  ksize_uaf+0x12c/0x6c0
[   27.356442]  kunit_try_run_case+0x1a5/0x480
[   27.356860]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.357173]  kthread+0x337/0x6f0
[   27.357292]  ret_from_fork+0x116/0x1d0
[   27.357418]  ret_from_fork_asm+0x1a/0x30
[   27.357551] 
[   27.357633] The buggy address belongs to the object at ffff888104c4a900
[   27.357633]  which belongs to the cache kmalloc-128 of size 128
[   27.358180] The buggy address is located 0 bytes inside of
[   27.358180]  freed 128-byte region [ffff888104c4a900, ffff888104c4a980)
[   27.358620] 
[   27.358690] The buggy address belongs to the physical page:
[   27.358943] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104c4a
[   27.359287] flags: 0x200000000000000(node=0|zone=2)
[   27.359448] page_type: f5(slab)
[   27.359704] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   27.360095] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   27.360398] page dumped because: kasan: bad access detected
[   27.360638] 
[   27.360724] Memory state around the buggy address:
[   27.361085]  ffff888104c4a800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.361372]  ffff888104c4a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.361597] >ffff888104c4a900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.361972]                    ^
[   27.362811]  ffff888104c4a980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.363376]  ffff888104c4aa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.363606] ==================================================================
[   27.390139] ==================================================================
[   27.390464] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   27.390787] Read of size 1 at addr ffff888104c4a978 by task kunit_try_catch/244
[   27.391741] 
[   27.392078] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc7-next-20250724 #1 PREEMPT(voluntary) 
[   27.392138] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   27.392152] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   27.392270] Call Trace:
[   27.392287]  <TASK>
[   27.392306]  dump_stack_lvl+0x73/0xb0
[   27.392339]  print_report+0xd1/0x640
[   27.392365]  ? __virt_addr_valid+0x1db/0x2d0
[   27.392392]  ? ksize_uaf+0x5e4/0x6c0
[   27.392413]  ? kasan_complete_mode_report_info+0x64/0x200
[   27.392439]  ? ksize_uaf+0x5e4/0x6c0
[   27.392460]  kasan_report+0x141/0x180
[   27.392483]  ? ksize_uaf+0x5e4/0x6c0
[   27.392509]  __asan_report_load1_noabort+0x18/0x20
[   27.392533]  ksize_uaf+0x5e4/0x6c0
[   27.392554]  ? __pfx_ksize_uaf+0x10/0x10
[   27.392584]  ? __schedule+0x10da/0x2b60
[   27.392609]  ? __pfx_read_tsc+0x10/0x10
[   27.392631]  ? ktime_get_ts64+0x86/0x230
[   27.392655]  kunit_try_run_case+0x1a5/0x480
[   27.392680]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.392701]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   27.392725]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   27.392750]  ? __kthread_parkme+0x82/0x180
[   27.392770]  ? preempt_count_sub+0x50/0x80
[   27.392804]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.392828]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.392850]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   27.392873]  kthread+0x337/0x6f0
[   27.392893]  ? trace_preempt_on+0x20/0xc0
[   27.392961]  ? __pfx_kthread+0x10/0x10
[   27.392985]  ? _raw_spin_unlock_irq+0x47/0x80
[   27.393008]  ? calculate_sigpending+0x7b/0xa0
[   27.393032]  ? __pfx_kthread+0x10/0x10
[   27.393053]  ret_from_fork+0x116/0x1d0
[   27.393072]  ? __pfx_kthread+0x10/0x10
[   27.393092]  ret_from_fork_asm+0x1a/0x30
[   27.393123]  </TASK>
[   27.393133] 
[   27.401685] Allocated by task 244:
[   27.402118]  kasan_save_stack+0x45/0x70
[   27.402331]  kasan_save_track+0x18/0x40
[   27.402480]  kasan_save_alloc_info+0x3b/0x50
[   27.402684]  __kasan_kmalloc+0xb7/0xc0
[   27.402855]  __kmalloc_cache_noprof+0x189/0x420
[   27.403120]  ksize_uaf+0xaa/0x6c0
[   27.403237]  kunit_try_run_case+0x1a5/0x480
[   27.403383]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.403546]  kthread+0x337/0x6f0
[   27.403719]  ret_from_fork+0x116/0x1d0
[   27.403898]  ret_from_fork_asm+0x1a/0x30
[   27.404184] 
[   27.404326] Freed by task 244:
[   27.404498]  kasan_save_stack+0x45/0x70
[   27.404710]  kasan_save_track+0x18/0x40
[   27.404837]  kasan_save_free_info+0x3f/0x60
[   27.404971]  __kasan_slab_free+0x56/0x70
[   27.405099]  kfree+0x222/0x3f0
[   27.405211]  ksize_uaf+0x12c/0x6c0
[   27.405466]  kunit_try_run_case+0x1a5/0x480
[   27.405841]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.406213]  kthread+0x337/0x6f0
[   27.406380]  ret_from_fork+0x116/0x1d0
[   27.406542]  ret_from_fork_asm+0x1a/0x30
[   27.406726] 
[   27.406792] The buggy address belongs to the object at ffff888104c4a900
[   27.406792]  which belongs to the cache kmalloc-128 of size 128
[   27.407541] The buggy address is located 120 bytes inside of
[   27.407541]  freed 128-byte region [ffff888104c4a900, ffff888104c4a980)
[   27.408140] 
[   27.408239] The buggy address belongs to the physical page:
[   27.408485] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104c4a
[   27.408990] flags: 0x200000000000000(node=0|zone=2)
[   27.409199] page_type: f5(slab)
[   27.409556] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   27.409939] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   27.410367] page dumped because: kasan: bad access detected
[   27.410626] 
[   27.410715] Memory state around the buggy address:
[   27.411015]  ffff888104c4a800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.411291]  ffff888104c4a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.411564] >ffff888104c4a900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.411772]                                                                 ^
[   27.411974]  ffff888104c4a980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.412173]  ffff888104c4aa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.412369] ==================================================================
[   27.364210] ==================================================================
[   27.364886] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   27.365739] Read of size 1 at addr ffff888104c4a900 by task kunit_try_catch/244
[   27.366125] 
[   27.366428] CPU: 1 UID: 0 PID: 244 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc7-next-20250724 #1 PREEMPT(voluntary) 
[   27.366481] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[   27.366539] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   27.366560] Call Trace:
[   27.366595]  <TASK>
[   27.366614]  dump_stack_lvl+0x73/0xb0
[   27.366645]  print_report+0xd1/0x640
[   27.366668]  ? __virt_addr_valid+0x1db/0x2d0
[   27.366692]  ? ksize_uaf+0x5fe/0x6c0
[   27.366712]  ? kasan_complete_mode_report_info+0x64/0x200
[   27.366737]  ? ksize_uaf+0x5fe/0x6c0
[   27.366782]  kasan_report+0x141/0x180
[   27.366815]  ? ksize_uaf+0x5fe/0x6c0
[   27.366839]  __asan_report_load1_noabort+0x18/0x20
[   27.366864]  ksize_uaf+0x5fe/0x6c0
[   27.366884]  ? __pfx_ksize_uaf+0x10/0x10
[   27.366920]  ? __schedule+0x10da/0x2b60
[   27.366945]  ? __pfx_read_tsc+0x10/0x10
[   27.366967]  ? ktime_get_ts64+0x86/0x230
[   27.366992]  kunit_try_run_case+0x1a5/0x480
[   27.367017]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.367039]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   27.367063]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   27.367088]  ? __kthread_parkme+0x82/0x180
[   27.367108]  ? preempt_count_sub+0x50/0x80
[   27.367131]  ? __pfx_kunit_try_run_case+0x10/0x10
[   27.367154]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.367176]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   27.367199]  kthread+0x337/0x6f0
[   27.367219]  ? trace_preempt_on+0x20/0xc0
[   27.367243]  ? __pfx_kthread+0x10/0x10
[   27.367268]  ? _raw_spin_unlock_irq+0x47/0x80
[   27.367291]  ? calculate_sigpending+0x7b/0xa0
[   27.367314]  ? __pfx_kthread+0x10/0x10
[   27.367335]  ret_from_fork+0x116/0x1d0
[   27.367354]  ? __pfx_kthread+0x10/0x10
[   27.367373]  ret_from_fork_asm+0x1a/0x30
[   27.367405]  </TASK>
[   27.367415] 
[   27.375869] Allocated by task 244:
[   27.376097]  kasan_save_stack+0x45/0x70
[   27.376306]  kasan_save_track+0x18/0x40
[   27.376479]  kasan_save_alloc_info+0x3b/0x50
[   27.376629]  __kasan_kmalloc+0xb7/0xc0
[   27.377089]  __kmalloc_cache_noprof+0x189/0x420
[   27.377479]  ksize_uaf+0xaa/0x6c0
[   27.377660]  kunit_try_run_case+0x1a5/0x480
[   27.377963]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.378182]  kthread+0x337/0x6f0
[   27.378348]  ret_from_fork+0x116/0x1d0
[   27.378690]  ret_from_fork_asm+0x1a/0x30
[   27.378986] 
[   27.379081] Freed by task 244:
[   27.379243]  kasan_save_stack+0x45/0x70
[   27.379506]  kasan_save_track+0x18/0x40
[   27.379699]  kasan_save_free_info+0x3f/0x60
[   27.380013]  __kasan_slab_free+0x56/0x70
[   27.380333]  kfree+0x222/0x3f0
[   27.380546]  ksize_uaf+0x12c/0x6c0
[   27.380726]  kunit_try_run_case+0x1a5/0x480
[   27.381018]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   27.381257]  kthread+0x337/0x6f0
[   27.381422]  ret_from_fork+0x116/0x1d0
[   27.381571]  ret_from_fork_asm+0x1a/0x30
[   27.382129] 
[   27.382269] The buggy address belongs to the object at ffff888104c4a900
[   27.382269]  which belongs to the cache kmalloc-128 of size 128
[   27.382833] The buggy address is located 0 bytes inside of
[   27.382833]  freed 128-byte region [ffff888104c4a900, ffff888104c4a980)
[   27.383389] 
[   27.383485] The buggy address belongs to the physical page:
[   27.383754] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104c4a
[   27.384206] flags: 0x200000000000000(node=0|zone=2)
[   27.384466] page_type: f5(slab)
[   27.384654] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   27.385111] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   27.385444] page dumped because: kasan: bad access detected
[   27.385691] 
[   27.385793] Memory state around the buggy address:
[   27.386061]  ffff888104c4a800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.386382]  ffff888104c4a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.386694] >ffff888104c4a900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   27.387275]                    ^
[   27.387621]  ffff888104c4a980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.388150]  ffff888104c4aa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.388358] ==================================================================