Date: July 4, 2025, 3:11 p.m.
| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
e850-96 (WinLink E850-96 board):

```text
[ 32.316840] ==================================================================
[ 32.317030] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[ 32.317160] Read of size 1 at addr ffff000802604000 by task kunit_try_catch/262
[ 32.320545]
[ 32.322032] CPU: 6 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT
[ 32.322088] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.322105] Hardware name: WinLink E850-96 board (DT)
[ 32.322127] Call trace:
[ 32.322140]  show_stack+0x20/0x38 (C)
[ 32.322176]  dump_stack_lvl+0x8c/0xd0
[ 32.322215]  print_report+0x118/0x608
[ 32.322248]  kasan_report+0xdc/0x128
[ 32.322276]  __asan_report_load1_noabort+0x20/0x30
[ 32.322317]  kmem_cache_rcu_uaf+0x388/0x468
[ 32.322349]  kunit_try_run_case+0x170/0x3f0
[ 32.322385]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.322424]  kthread+0x328/0x630
[ 32.322457]  ret_from_fork+0x10/0x20
[ 32.322493]
[ 32.384868] Allocated by task 262:
[ 32.388255]  kasan_save_stack+0x3c/0x68
[ 32.392071]  kasan_save_track+0x20/0x40
[ 32.395891]  kasan_save_alloc_info+0x40/0x58
[ 32.400144]  __kasan_slab_alloc+0xa8/0xb0
[ 32.404137]  kmem_cache_alloc_noprof+0x10c/0x398
[ 32.408738]  kmem_cache_rcu_uaf+0x12c/0x468
[ 32.412904]  kunit_try_run_case+0x170/0x3f0
[ 32.417071]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.422541]  kthread+0x328/0x630
[ 32.425752]  ret_from_fork+0x10/0x20
[ 32.429310]
[ 32.430787] Freed by task 0:
[ 32.433654]  kasan_save_stack+0x3c/0x68
[ 32.437470]  kasan_save_track+0x20/0x40
[ 32.441289]  kasan_save_free_info+0x4c/0x78
[ 32.445456]  __kasan_slab_free+0x6c/0x98
[ 32.449363]  slab_free_after_rcu_debug+0xd4/0x2f8
[ 32.454050]  rcu_core+0x9f4/0x1e20
[ 32.457435]  rcu_core_si+0x18/0x30
[ 32.460820]  handle_softirqs+0x374/0xb28
[ 32.464728]  __do_softirq+0x1c/0x28
[ 32.468199]
[ 32.469676] Last potentially related work creation:
[ 32.474537]  kasan_save_stack+0x3c/0x68
[ 32.478355]  kasan_record_aux_stack+0xb4/0xc8
[ 32.482696]  kmem_cache_free+0x120/0x468
[ 32.486602]  kmem_cache_rcu_uaf+0x16c/0x468
[ 32.490768]  kunit_try_run_case+0x170/0x3f0
[ 32.494934]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.500403]  kthread+0x328/0x630
[ 32.503615]  ret_from_fork+0x10/0x20
[ 32.507174]
[ 32.508651] The buggy address belongs to the object at ffff000802604000
[ 32.508651]  which belongs to the cache test_cache of size 200
[ 32.521066] The buggy address is located 0 bytes inside of
[ 32.521066]  freed 200-byte region [ffff000802604000, ffff0008026040c8)
[ 32.533128]
[ 32.534608] The buggy address belongs to the physical page:
[ 32.540163] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x882604
[ 32.548149] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 32.555786] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 32.562730] page_type: f5(slab)
[ 32.565869] raw: 0bfffe0000000040 ffff000802602000 dead000000000122 0000000000000000
[ 32.573586] raw: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[ 32.581313] head: 0bfffe0000000040 ffff000802602000 dead000000000122 0000000000000000
[ 32.589124] head: 0000000000000000 00000000801f001f 00000000f5000000 0000000000000000
[ 32.596937] head: 0bfffe0000000001 fffffdffe0098101 00000000ffffffff 00000000ffffffff
[ 32.604749] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 32.612557] page dumped because: kasan: bad access detected
[ 32.618109]
[ 32.619585] Memory state around the buggy address:
[ 32.624364]  ffff000802603f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.631569]  ffff000802603f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.638774] >ffff000802604000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.645974]                    ^
[ 32.649189]  ffff000802604080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 32.656395]  ffff000802604100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.663597] ==================================================================
```
qemu-arm64 (linux,dummy-virt):

```text
[ 16.840494] ==================================================================
[ 16.840603] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[ 16.840702] Read of size 1 at addr fff00000c65a1000 by task kunit_try_catch/218
[ 16.840753]
[ 16.840797] CPU: 0 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT
[ 16.840883] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.840911] Hardware name: linux,dummy-virt (DT)
[ 16.840946] Call trace:
[ 16.840971]  show_stack+0x20/0x38 (C)
[ 16.841022]  dump_stack_lvl+0x8c/0xd0
[ 16.841074]  print_report+0x118/0x608
[ 16.841120]  kasan_report+0xdc/0x128
[ 16.841164]  __asan_report_load1_noabort+0x20/0x30
[ 16.841213]  kmem_cache_rcu_uaf+0x388/0x468
[ 16.841261]  kunit_try_run_case+0x170/0x3f0
[ 16.841313]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.841367]  kthread+0x328/0x630
[ 16.841414]  ret_from_fork+0x10/0x20
[ 16.841464]
[ 16.841483] Allocated by task 218:
[ 16.841514]  kasan_save_stack+0x3c/0x68
[ 16.841553]  kasan_save_track+0x20/0x40
[ 16.841589]  kasan_save_alloc_info+0x40/0x58
[ 16.841660]  __kasan_slab_alloc+0xa8/0xb0
[ 16.841698]  kmem_cache_alloc_noprof+0x10c/0x398
[ 16.841739]  kmem_cache_rcu_uaf+0x12c/0x468
[ 16.841778]  kunit_try_run_case+0x170/0x3f0
[ 16.841818]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.841859]  kthread+0x328/0x630
[ 16.841893]  ret_from_fork+0x10/0x20
[ 16.841929]
[ 16.841946] Freed by task 0:
[ 16.841975]  kasan_save_stack+0x3c/0x68
[ 16.842009]  kasan_save_track+0x20/0x40
[ 16.842044]  kasan_save_free_info+0x4c/0x78
[ 16.842082]  __kasan_slab_free+0x6c/0x98
[ 16.842118]  slab_free_after_rcu_debug+0xd4/0x2f8
[ 16.842155]  rcu_core+0x9f4/0x1e20
[ 16.842193]  rcu_core_si+0x18/0x30
[ 16.842225]  handle_softirqs+0x374/0xb28
[ 16.842261]  __do_softirq+0x1c/0x28
[ 16.842294]
[ 16.842313] Last potentially related work creation:
[ 16.842339]  kasan_save_stack+0x3c/0x68
[ 16.842375]  kasan_record_aux_stack+0xb4/0xc8
[ 16.842412]  kmem_cache_free+0x120/0x468
[ 16.842448]  kmem_cache_rcu_uaf+0x16c/0x468
[ 16.842486]  kunit_try_run_case+0x170/0x3f0
[ 16.842525]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 16.842568]  kthread+0x328/0x630
[ 16.842601]  ret_from_fork+0x10/0x20
[ 16.842645]
[ 16.842664] The buggy address belongs to the object at fff00000c65a1000
[ 16.842664]  which belongs to the cache test_cache of size 200
[ 16.842720] The buggy address is located 0 bytes inside of
[ 16.842720]  freed 200-byte region [fff00000c65a1000, fff00000c65a10c8)
[ 16.842781]
[ 16.842804] The buggy address belongs to the physical page:
[ 16.842837] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065a1
[ 16.842893] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 16.842944] page_type: f5(slab)
[ 16.842985] raw: 0bfffe0000000000 fff00000c65af280 dead000000000122 0000000000000000
[ 16.843036] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 16.843077] page dumped because: kasan: bad access detected
[ 16.843108]
[ 16.843126] Memory state around the buggy address:
[ 16.843160]  fff00000c65a0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.843204]  fff00000c65a0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.843246] >fff00000c65a1000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.843284]                    ^
[ 16.843311]  fff00000c65a1080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 16.843353]  fff00000c65a1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.843391] ==================================================================
```
qemu-x86_64 (QEMU Standard PC):

```text
[ 15.359677] ==================================================================
[ 15.360266] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[ 15.360785] Read of size 1 at addr ffff888100aba000 by task kunit_try_catch/234
[ 15.362005]
[ 15.362807] CPU: 1 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT(voluntary)
[ 15.362917] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.362942] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 15.362988] Call Trace:
[ 15.363015]  <TASK>
[ 15.363054]  dump_stack_lvl+0x73/0xb0
[ 15.363124]  print_report+0xd1/0x650
[ 15.363170]  ? __virt_addr_valid+0x1db/0x2d0
[ 15.363198]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 15.363250]  ? kasan_complete_mode_report_info+0x64/0x200
[ 15.363297]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 15.363332]  kasan_report+0x141/0x180
[ 15.363388]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[ 15.363431]  __asan_report_load1_noabort+0x18/0x20
[ 15.363466]  kmem_cache_rcu_uaf+0x3e3/0x510
[ 15.363500]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[ 15.363531]  ? finish_task_switch.isra.0+0x153/0x700
[ 15.363572]  ? __switch_to+0x5d9/0xf60
[ 15.363601]  ? dequeue_task_fair+0x166/0x4e0
[ 15.363630]  ? __pfx_read_tsc+0x10/0x10
[ 15.363650]  ? ktime_get_ts64+0x86/0x230
[ 15.363679]  kunit_try_run_case+0x1a5/0x480
[ 15.363707]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 15.363728]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 15.363756]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 15.363779]  ? __kthread_parkme+0x82/0x180
[ 15.363802]  ? preempt_count_sub+0x50/0x80
[ 15.363826]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 15.363850]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.363873]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 15.363896]  kthread+0x337/0x6f0
[ 15.363914]  ? trace_preempt_on+0x20/0xc0
[ 15.363939]  ? __pfx_kthread+0x10/0x10
[ 15.363957]  ? _raw_spin_unlock_irq+0x47/0x80
[ 15.363979]  ? calculate_sigpending+0x7b/0xa0
[ 15.364002]  ? __pfx_kthread+0x10/0x10
[ 15.364021]  ret_from_fork+0x41/0x80
[ 15.364042]  ? __pfx_kthread+0x10/0x10
[ 15.364070]  ret_from_fork_asm+0x1a/0x30
[ 15.364116]  </TASK>
[ 15.364130]
[ 15.376461] Allocated by task 234:
[ 15.377374]  kasan_save_stack+0x45/0x70
[ 15.378037]  kasan_save_track+0x18/0x40
[ 15.378376]  kasan_save_alloc_info+0x3b/0x50
[ 15.378819]  __kasan_slab_alloc+0x91/0xa0
[ 15.379140]  kmem_cache_alloc_noprof+0x123/0x3f0
[ 15.379719]  kmem_cache_rcu_uaf+0x155/0x510
[ 15.379951]  kunit_try_run_case+0x1a5/0x480
[ 15.380789]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.381432]  kthread+0x337/0x6f0
[ 15.381887]  ret_from_fork+0x41/0x80
[ 15.382109]  ret_from_fork_asm+0x1a/0x30
[ 15.382567]
[ 15.382797] Freed by task 0:
[ 15.383277]  kasan_save_stack+0x45/0x70
[ 15.383714]  kasan_save_track+0x18/0x40
[ 15.384073]  kasan_save_free_info+0x3f/0x60
[ 15.384486]  __kasan_slab_free+0x56/0x70
[ 15.385005]  slab_free_after_rcu_debug+0xe4/0x310
[ 15.385465]  rcu_core+0x66c/0x1c30
[ 15.385697]  rcu_core_si+0x12/0x20
[ 15.386000]  handle_softirqs+0x209/0x730
[ 15.386380]  __irq_exit_rcu+0xc9/0x110
[ 15.387302]  irq_exit_rcu+0x12/0x20
[ 15.387811]  sysvec_apic_timer_interrupt+0x81/0x90
[ 15.388211]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[ 15.388842]
[ 15.389065] Last potentially related work creation:
[ 15.389321]  kasan_save_stack+0x45/0x70
[ 15.389870]  kasan_record_aux_stack+0xb2/0xc0
[ 15.390239]  kmem_cache_free+0x131/0x420
[ 15.391592]  kmem_cache_rcu_uaf+0x194/0x510
[ 15.391909]  kunit_try_run_case+0x1a5/0x480
[ 15.392303]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.392774]  kthread+0x337/0x6f0
[ 15.393109]  ret_from_fork+0x41/0x80
[ 15.393455]  ret_from_fork_asm+0x1a/0x30
[ 15.394063]
[ 15.394225] The buggy address belongs to the object at ffff888100aba000
[ 15.394225]  which belongs to the cache test_cache of size 200
[ 15.395456] The buggy address is located 0 bytes inside of
[ 15.395456]  freed 200-byte region [ffff888100aba000, ffff888100aba0c8)
[ 15.396721]
[ 15.396915] The buggy address belongs to the physical page:
[ 15.397203] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100aba
[ 15.398035] flags: 0x200000000000000(node=0|zone=2)
[ 15.398367] page_type: f5(slab)
[ 15.398818] raw: 0200000000000000 ffff888101c20c80 dead000000000122 0000000000000000
[ 15.399630] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[ 15.400187] page dumped because: kasan: bad access detected
[ 15.400614]
[ 15.401112] Memory state around the buggy address:
[ 15.401740]  ffff888100ab9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.402221]  ffff888100ab9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.403109] >ffff888100aba000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.403742]                    ^
[ 15.404218]  ffff888100aba080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 15.404800]  ffff888100aba100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.405218] ==================================================================
```