Date
July 4, 2025, 3:11 p.m.
Environment |
---|
e850-96 |
qemu-x86_64 |
```text
[ 29.490358] ==================================================================
[ 29.500231] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 29.506563] Read of size 1 at addr ffff0008018e7000 by task kunit_try_catch/245
[ 29.513852]
[ 29.515340] CPU: 2 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT
[ 29.515395] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 29.515410] Hardware name: WinLink E850-96 board (DT)
[ 29.515431] Call trace:
[ 29.515446] show_stack+0x20/0x38 (C)
[ 29.515482] dump_stack_lvl+0x8c/0xd0
[ 29.515518] print_report+0x118/0x608
[ 29.515549] kasan_report+0xdc/0x128
[ 29.515581] __kasan_check_byte+0x54/0x70
[ 29.515612] ksize+0x30/0x88
[ 29.515640] ksize_uaf+0x168/0x5f8
[ 29.515671] kunit_try_run_case+0x170/0x3f0
[ 29.515711] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.515747] kthread+0x328/0x630
[ 29.515780] ret_from_fork+0x10/0x20
[ 29.515815]
[ 29.579477] Allocated by task 245:
[ 29.582865] kasan_save_stack+0x3c/0x68
[ 29.586681] kasan_save_track+0x20/0x40
[ 29.590500] kasan_save_alloc_info+0x40/0x58
[ 29.594753] __kasan_kmalloc+0xd4/0xd8
[ 29.598486] __kmalloc_cache_noprof+0x16c/0x3c0
[ 29.603000] ksize_uaf+0xb8/0x5f8
[ 29.606298] kunit_try_run_case+0x170/0x3f0
[ 29.610465] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.615934] kthread+0x328/0x630
[ 29.619145] ret_from_fork+0x10/0x20
[ 29.622705]
[ 29.624181] Freed by task 245:
[ 29.627218] kasan_save_stack+0x3c/0x68
[ 29.631038] kasan_save_track+0x20/0x40
[ 29.634857] kasan_save_free_info+0x4c/0x78
[ 29.639024] __kasan_slab_free+0x6c/0x98
[ 29.642930] kfree+0x214/0x3c8
[ 29.645968] ksize_uaf+0x11c/0x5f8
[ 29.649355] kunit_try_run_case+0x170/0x3f0
[ 29.653520] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.658988] kthread+0x328/0x630
[ 29.662200] ret_from_fork+0x10/0x20
[ 29.665759]
[ 29.667238] The buggy address belongs to the object at ffff0008018e7000
[ 29.667238] which belongs to the cache kmalloc-128 of size 128
[ 29.679738] The buggy address is located 0 bytes inside of
[ 29.679738] freed 128-byte region [ffff0008018e7000, ffff0008018e7080)
[ 29.691801]
[ 29.693279] The buggy address belongs to the physical page:
[ 29.698838] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8818e6
[ 29.706820] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 29.714458] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 29.721402] page_type: f5(slab)
[ 29.724540] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 29.732258] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 29.739985] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 29.747796] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 29.755609] head: 0bfffe0000000001 fffffdffe0063981 00000000ffffffff 00000000ffffffff
[ 29.763421] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 29.771228] page dumped because: kasan: bad access detected
[ 29.776782]
[ 29.778257] Memory state around the buggy address:
[ 29.783040] ffff0008018e6f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.790241] ffff0008018e6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.797447] >ffff0008018e7000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 29.804646] ^
[ 29.807862] ffff0008018e7080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.815066] ffff0008018e7100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.822269] ==================================================================
[ 29.829629] ==================================================================
[ 29.836679] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 29.843014] Read of size 1 at addr ffff0008018e7000 by task kunit_try_catch/245
[ 29.850305]
[ 29.851791] CPU: 2 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT
[ 29.851840] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 29.851856] Hardware name: WinLink E850-96 board (DT)
[ 29.851876] Call trace:
[ 29.851889] show_stack+0x20/0x38 (C)
[ 29.851925] dump_stack_lvl+0x8c/0xd0
[ 29.851961] print_report+0x118/0x608
[ 29.851990] kasan_report+0xdc/0x128
[ 29.852021] __asan_report_load1_noabort+0x20/0x30
[ 29.852056] ksize_uaf+0x598/0x5f8
[ 29.852087] kunit_try_run_case+0x170/0x3f0
[ 29.852121] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.852157] kthread+0x328/0x630
[ 29.852190] ret_from_fork+0x10/0x20
[ 29.852222]
[ 29.913846] Allocated by task 245:
[ 29.917235] kasan_save_stack+0x3c/0x68
[ 29.921051] kasan_save_track+0x20/0x40
[ 29.924870] kasan_save_alloc_info+0x40/0x58
[ 29.929123] __kasan_kmalloc+0xd4/0xd8
[ 29.932856] __kmalloc_cache_noprof+0x16c/0x3c0
[ 29.937369] ksize_uaf+0xb8/0x5f8
[ 29.940667] kunit_try_run_case+0x170/0x3f0
[ 29.944835] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.950304] kthread+0x328/0x630
[ 29.953515] ret_from_fork+0x10/0x20
[ 29.957075]
[ 29.958550] Freed by task 245:
[ 29.961588] kasan_save_stack+0x3c/0x68
[ 29.965408] kasan_save_track+0x20/0x40
[ 29.969227] kasan_save_free_info+0x4c/0x78
[ 29.973394] __kasan_slab_free+0x6c/0x98
[ 29.977300] kfree+0x214/0x3c8
[ 29.980338] ksize_uaf+0x11c/0x5f8
[ 29.983723] kunit_try_run_case+0x170/0x3f0
[ 29.987890] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 29.993359] kthread+0x328/0x630
[ 29.996570] ret_from_fork+0x10/0x20
[ 30.000130]
[ 30.001605] The buggy address belongs to the object at ffff0008018e7000
[ 30.001605] which belongs to the cache kmalloc-128 of size 128
[ 30.014106] The buggy address is located 0 bytes inside of
[ 30.014106] freed 128-byte region [ffff0008018e7000, ffff0008018e7080)
[ 30.026171]
[ 30.027649] The buggy address belongs to the physical page:
[ 30.033206] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8818e6
[ 30.041189] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 30.048828] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 30.055773] page_type: f5(slab)
[ 30.058906] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 30.066628] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 30.074354] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 30.082166] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 30.089979] head: 0bfffe0000000001 fffffdffe0063981 00000000ffffffff 00000000ffffffff
[ 30.097791] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 30.105596] page dumped because: kasan: bad access detected
[ 30.111152]
[ 30.112627] Memory state around the buggy address:
[ 30.117409] ffff0008018e6f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.124611] ffff0008018e6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.131815] >ffff0008018e7000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.139016] ^
[ 30.142231] ffff0008018e7080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.149436] ffff0008018e7100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.156638] ==================================================================
[ 30.164055] ==================================================================
[ 30.171055] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 30.177385] Read of size 1 at addr ffff0008018e7078 by task kunit_try_catch/245
[ 30.184675]
[ 30.186159] CPU: 2 UID: 0 PID: 245 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT
[ 30.186208] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.186225] Hardware name: WinLink E850-96 board (DT)
[ 30.186245] Call trace:
[ 30.186256] show_stack+0x20/0x38 (C)
[ 30.186290] dump_stack_lvl+0x8c/0xd0
[ 30.186327] print_report+0x118/0x608
[ 30.186357] kasan_report+0xdc/0x128
[ 30.186386] __asan_report_load1_noabort+0x20/0x30
[ 30.186420] ksize_uaf+0x544/0x5f8
[ 30.186450] kunit_try_run_case+0x170/0x3f0
[ 30.186485] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.186523] kthread+0x328/0x630
[ 30.186556] ret_from_fork+0x10/0x20
[ 30.186588]
[ 30.248216] Allocated by task 245:
[ 30.251603] kasan_save_stack+0x3c/0x68
[ 30.255421] kasan_save_track+0x20/0x40
[ 30.259240] kasan_save_alloc_info+0x40/0x58
[ 30.263493] __kasan_kmalloc+0xd4/0xd8
[ 30.267226] __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.271740] ksize_uaf+0xb8/0x5f8
[ 30.275038] kunit_try_run_case+0x170/0x3f0
[ 30.279205] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.284674] kthread+0x328/0x630
[ 30.287885] ret_from_fork+0x10/0x20
[ 30.291445]
[ 30.292920] Freed by task 245:
[ 30.295958] kasan_save_stack+0x3c/0x68
[ 30.299777] kasan_save_track+0x20/0x40
[ 30.303597] kasan_save_free_info+0x4c/0x78
[ 30.307763] __kasan_slab_free+0x6c/0x98
[ 30.311670] kfree+0x214/0x3c8
[ 30.314708] ksize_uaf+0x11c/0x5f8
[ 30.318093] kunit_try_run_case+0x170/0x3f0
[ 30.322260] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.327728] kthread+0x328/0x630
[ 30.330940] ret_from_fork+0x10/0x20
[ 30.334499]
[ 30.335975] The buggy address belongs to the object at ffff0008018e7000
[ 30.335975] which belongs to the cache kmalloc-128 of size 128
[ 30.348475] The buggy address is located 120 bytes inside of
[ 30.348475] freed 128-byte region [ffff0008018e7000, ffff0008018e7080)
[ 30.360714]
[ 30.362192] The buggy address belongs to the physical page:
[ 30.367750] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8818e6
[ 30.375734] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 30.383370] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 30.390314] page_type: f5(slab)
[ 30.393452] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 30.401172] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 30.408898] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 30.416708] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 30.424523] head: 0bfffe0000000001 fffffdffe0063981 00000000ffffffff 00000000ffffffff
[ 30.432335] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 30.440140] page dumped because: kasan: bad access detected
[ 30.445695]
[ 30.447171] Memory state around the buggy address:
[ 30.451952] ffff0008018e6f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.459154] ffff0008018e6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.466359] >ffff0008018e7000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.473560] ^
[ 30.480681] ffff0008018e7080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.487886] ffff0008018e7100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.495089] ==================================================================
```
```text
[ 14.902716] ==================================================================
[ 14.903209] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[ 14.903902] Read of size 1 at addr ffff8881025fa100 by task kunit_try_catch/217
[ 14.905011]
[ 14.905510] CPU: 0 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT(voluntary)
[ 14.905646] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.905678] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.905723] Call Trace:
[ 14.905754] <TASK>
[ 14.905794] dump_stack_lvl+0x73/0xb0
[ 14.905874] print_report+0xd1/0x650
[ 14.905944] ? __virt_addr_valid+0x1db/0x2d0
[ 14.905995] ? ksize_uaf+0x19d/0x6c0
[ 14.906025] ? kasan_complete_mode_report_info+0x64/0x200
[ 14.906051] ? ksize_uaf+0x19d/0x6c0
[ 14.906102] kasan_report+0x141/0x180
[ 14.906130] ? ksize_uaf+0x19d/0x6c0
[ 14.906170] ? ksize_uaf+0x19d/0x6c0
[ 14.906201] __kasan_check_byte+0x3d/0x50
[ 14.906353] ksize+0x20/0x60
[ 14.906387] ksize_uaf+0x19d/0x6c0
[ 14.906412] ? __pfx_ksize_uaf+0x10/0x10
[ 14.906438] ? __schedule+0x10cc/0x2b60
[ 14.906466] ? __pfx_read_tsc+0x10/0x10
[ 14.906490] ? ktime_get_ts64+0x86/0x230
[ 14.906519] kunit_try_run_case+0x1a5/0x480
[ 14.906547] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.906571] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.906598] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.906623] ? __kthread_parkme+0x82/0x180
[ 14.906650] ? preempt_count_sub+0x50/0x80
[ 14.906678] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.906703] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.906728] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.906752] kthread+0x337/0x6f0
[ 14.906771] ? trace_preempt_on+0x20/0xc0
[ 14.906797] ? __pfx_kthread+0x10/0x10
[ 14.906817] ? _raw_spin_unlock_irq+0x47/0x80
[ 14.906840] ? calculate_sigpending+0x7b/0xa0
[ 14.906864] ? __pfx_kthread+0x10/0x10
[ 14.906884] ret_from_fork+0x41/0x80
[ 14.906907] ? __pfx_kthread+0x10/0x10
[ 14.906926] ret_from_fork_asm+0x1a/0x30
[ 14.906961] </TASK>
[ 14.906974]
[ 14.922660] Allocated by task 217:
[ 14.923062] kasan_save_stack+0x45/0x70
[ 14.923566] kasan_save_track+0x18/0x40
[ 14.924312] kasan_save_alloc_info+0x3b/0x50
[ 14.924604] __kasan_kmalloc+0xb7/0xc0
[ 14.924936] __kmalloc_cache_noprof+0x189/0x420
[ 14.925220] ksize_uaf+0xaa/0x6c0
[ 14.925554] kunit_try_run_case+0x1a5/0x480
[ 14.925847] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.926079] kthread+0x337/0x6f0
[ 14.926691] ret_from_fork+0x41/0x80
[ 14.927318] ret_from_fork_asm+0x1a/0x30
[ 14.927933]
[ 14.928270] Freed by task 217:
[ 14.928741] kasan_save_stack+0x45/0x70
[ 14.928911] kasan_save_track+0x18/0x40
[ 14.929010] kasan_save_free_info+0x3f/0x60
[ 14.929444] __kasan_slab_free+0x56/0x70
[ 14.929678] kfree+0x222/0x3f0
[ 14.929969] ksize_uaf+0x12c/0x6c0
[ 14.930271] kunit_try_run_case+0x1a5/0x480
[ 14.930558] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.930828] kthread+0x337/0x6f0
[ 14.931000] ret_from_fork+0x41/0x80
[ 14.931918] ret_from_fork_asm+0x1a/0x30
[ 14.932831]
[ 14.933285] The buggy address belongs to the object at ffff8881025fa100
[ 14.933285] which belongs to the cache kmalloc-128 of size 128
[ 14.934347] The buggy address is located 0 bytes inside of
[ 14.934347] freed 128-byte region [ffff8881025fa100, ffff8881025fa180)
[ 14.934986]
[ 14.935281] The buggy address belongs to the physical page:
[ 14.935741] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1025fa
[ 14.936620] flags: 0x200000000000000(node=0|zone=2)
[ 14.936886] page_type: f5(slab)
[ 14.937399] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 14.937963] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 14.938582] page dumped because: kasan: bad access detected
[ 14.938710]
[ 14.938765] Memory state around the buggy address:
[ 14.938874] ffff8881025fa000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.939008] ffff8881025fa080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.939226] >ffff8881025fa100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.939494] ^
[ 14.939855] ffff8881025fa180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.941022] ffff8881025fa200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.941698] ==================================================================
[ 14.942946] ==================================================================
[ 14.943247] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[ 14.943543] Read of size 1 at addr ffff8881025fa100 by task kunit_try_catch/217
[ 14.943843]
[ 14.944099] CPU: 0 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT(voluntary)
[ 14.944187] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.944443] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.944509] Call Trace:
[ 14.944545] <TASK>
[ 14.944588] dump_stack_lvl+0x73/0xb0
[ 14.944657] print_report+0xd1/0x650
[ 14.944708] ? __virt_addr_valid+0x1db/0x2d0
[ 14.944757] ? ksize_uaf+0x5fe/0x6c0
[ 14.944796] ? kasan_complete_mode_report_info+0x64/0x200
[ 14.944840] ? ksize_uaf+0x5fe/0x6c0
[ 14.944882] kasan_report+0x141/0x180
[ 14.944923] ? ksize_uaf+0x5fe/0x6c0
[ 14.944974] __asan_report_load1_noabort+0x18/0x20
[ 14.945031] ksize_uaf+0x5fe/0x6c0
[ 14.945090] ? __pfx_ksize_uaf+0x10/0x10
[ 14.945139] ? __schedule+0x10cc/0x2b60
[ 14.945187] ? __pfx_read_tsc+0x10/0x10
[ 14.945229] ? ktime_get_ts64+0x86/0x230
[ 14.945280] kunit_try_run_case+0x1a5/0x480
[ 14.945331] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.945393] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.945443] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.945489] ? __kthread_parkme+0x82/0x180
[ 14.945537] ? preempt_count_sub+0x50/0x80
[ 14.945589] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.945630] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.945668] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.945710] kthread+0x337/0x6f0
[ 14.945745] ? trace_preempt_on+0x20/0xc0
[ 14.945790] ? __pfx_kthread+0x10/0x10
[ 14.945819] ? _raw_spin_unlock_irq+0x47/0x80
[ 14.945853] ? calculate_sigpending+0x7b/0xa0
[ 14.945893] ? __pfx_kthread+0x10/0x10
[ 14.945931] ret_from_fork+0x41/0x80
[ 14.945973] ? __pfx_kthread+0x10/0x10
[ 14.946013] ret_from_fork_asm+0x1a/0x30
[ 14.946069] </TASK>
[ 14.946088]
[ 14.959559] Allocated by task 217:
[ 14.959994] kasan_save_stack+0x45/0x70
[ 14.960572] kasan_save_track+0x18/0x40
[ 14.960945] kasan_save_alloc_info+0x3b/0x50
[ 14.961580] __kasan_kmalloc+0xb7/0xc0
[ 14.961957] __kmalloc_cache_noprof+0x189/0x420
[ 14.962534] ksize_uaf+0xaa/0x6c0
[ 14.962714] kunit_try_run_case+0x1a5/0x480
[ 14.963599] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.964024] kthread+0x337/0x6f0
[ 14.964292] ret_from_fork+0x41/0x80
[ 14.964639] ret_from_fork_asm+0x1a/0x30
[ 14.964944]
[ 14.965078] Freed by task 217:
[ 14.965244] kasan_save_stack+0x45/0x70
[ 14.965967] kasan_save_track+0x18/0x40
[ 14.966690] kasan_save_free_info+0x3f/0x60
[ 14.967179] __kasan_slab_free+0x56/0x70
[ 14.967720] kfree+0x222/0x3f0
[ 14.968024] ksize_uaf+0x12c/0x6c0
[ 14.968408] kunit_try_run_case+0x1a5/0x480
[ 14.968968] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.969561] kthread+0x337/0x6f0
[ 14.969683] ret_from_fork+0x41/0x80
[ 14.970103] ret_from_fork_asm+0x1a/0x30
[ 14.971080]
[ 14.971626] The buggy address belongs to the object at ffff8881025fa100
[ 14.971626] which belongs to the cache kmalloc-128 of size 128
[ 14.972924] The buggy address is located 0 bytes inside of
[ 14.972924] freed 128-byte region [ffff8881025fa100, ffff8881025fa180)
[ 14.973958]
[ 14.974095] The buggy address belongs to the physical page:
[ 14.974300] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1025fa
[ 14.975438] flags: 0x200000000000000(node=0|zone=2)
[ 14.975892] page_type: f5(slab)
[ 14.976632] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 14.977033] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 14.977732] page dumped because: kasan: bad access detected
[ 14.978560]
[ 14.978987] Memory state around the buggy address:
[ 14.979363] ffff8881025fa000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.979904] ffff8881025fa080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.980516] >ffff8881025fa100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 14.980873] ^
[ 14.981168] ffff8881025fa180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.981947] ffff8881025fa200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.982512] ==================================================================
[ 14.984107] ==================================================================
[ 14.984787] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[ 14.985423] Read of size 1 at addr ffff8881025fa178 by task kunit_try_catch/217
[ 14.985848]
[ 14.986029] CPU: 0 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT(voluntary)
[ 14.986153] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.986182] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.986227] Call Trace:
[ 14.986477] <TASK>
[ 14.986548] dump_stack_lvl+0x73/0xb0
[ 14.986618] print_report+0xd1/0x650
[ 14.986668] ? __virt_addr_valid+0x1db/0x2d0
[ 14.986999] ? ksize_uaf+0x5e4/0x6c0
[ 14.987059] ? kasan_complete_mode_report_info+0x64/0x200
[ 14.987106] ? ksize_uaf+0x5e4/0x6c0
[ 14.987131] kasan_report+0x141/0x180
[ 14.987159] ? ksize_uaf+0x5e4/0x6c0
[ 14.987187] __asan_report_load1_noabort+0x18/0x20
[ 14.987210] ksize_uaf+0x5e4/0x6c0
[ 14.987253] ? __pfx_ksize_uaf+0x10/0x10
[ 14.987278] ? __schedule+0x10cc/0x2b60
[ 14.987304] ? __pfx_read_tsc+0x10/0x10
[ 14.987327] ? ktime_get_ts64+0x86/0x230
[ 14.987387] kunit_try_run_case+0x1a5/0x480
[ 14.987426] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.987461] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.987490] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.987515] ? __kthread_parkme+0x82/0x180
[ 14.987541] ? preempt_count_sub+0x50/0x80
[ 14.987569] ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.987594] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.987620] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.987644] kthread+0x337/0x6f0
[ 14.987663] ? trace_preempt_on+0x20/0xc0
[ 14.987690] ? __pfx_kthread+0x10/0x10
[ 14.987710] ? _raw_spin_unlock_irq+0x47/0x80
[ 14.987733] ? calculate_sigpending+0x7b/0xa0
[ 14.987757] ? __pfx_kthread+0x10/0x10
[ 14.987777] ret_from_fork+0x41/0x80
[ 14.987799] ? __pfx_kthread+0x10/0x10
[ 14.987818] ret_from_fork_asm+0x1a/0x30
[ 14.987852] </TASK>
[ 14.987865]
[ 14.999127] Allocated by task 217:
[ 14.999645] kasan_save_stack+0x45/0x70
[ 15.000040] kasan_save_track+0x18/0x40
[ 15.000487] kasan_save_alloc_info+0x3b/0x50
[ 15.001053] __kasan_kmalloc+0xb7/0xc0
[ 15.003511] __kmalloc_cache_noprof+0x189/0x420
[ 15.005184] ksize_uaf+0xaa/0x6c0
[ 15.005618] kunit_try_run_case+0x1a5/0x480
[ 15.005904] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.006115] kthread+0x337/0x6f0
[ 15.006284] ret_from_fork+0x41/0x80
[ 15.006891] ret_from_fork_asm+0x1a/0x30
[ 15.007099]
[ 15.007276] Freed by task 217:
[ 15.007564] kasan_save_stack+0x45/0x70
[ 15.007896] kasan_save_track+0x18/0x40
[ 15.008227] kasan_save_free_info+0x3f/0x60
[ 15.011183] __kasan_slab_free+0x56/0x70
[ 15.011640] kfree+0x222/0x3f0
[ 15.011911] ksize_uaf+0x12c/0x6c0
[ 15.012190] kunit_try_run_case+0x1a5/0x480
[ 15.012584] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 15.013250] kthread+0x337/0x6f0
[ 15.013622] ret_from_fork+0x41/0x80
[ 15.013943] ret_from_fork_asm+0x1a/0x30
[ 15.014284]
[ 15.015936] The buggy address belongs to the object at ffff8881025fa100
[ 15.015936] which belongs to the cache kmalloc-128 of size 128
[ 15.016559] The buggy address is located 120 bytes inside of
[ 15.016559] freed 128-byte region [ffff8881025fa100, ffff8881025fa180)
[ 15.017858]
[ 15.018376] The buggy address belongs to the physical page:
[ 15.019451] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1025fa
[ 15.020112] flags: 0x200000000000000(node=0|zone=2)
[ 15.020460] page_type: f5(slab)
[ 15.020795] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[ 15.021165] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 15.021953] page dumped because: kasan: bad access detected
[ 15.022135]
[ 15.022241] Memory state around the buggy address:
[ 15.022892] ffff8881025fa000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.023756] ffff8881025fa080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.024384] >ffff8881025fa100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 15.024665] ^
[ 15.025160] ffff8881025fa180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.025764] ffff8881025fa200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.026394] ==================================================================
```