Hay
Date: June 17, 2025, 3:39 p.m.

Environment: qemu-arm64, qemu-x86_64

[   94.143099] ==================================================================
[   94.144065] BUG: KASAN: slab-use-after-free in ksize_uaf+0x10c/0x2f0
[   94.144880] Read of size 1 at addr ffff0000c60b6f78 by task kunit_try_catch/193
[   94.145646] 
[   94.145852] CPU: 0 PID: 193 Comm: kunit_try_catch Tainted: G    B            N 6.6.94-rc1 #1
[   94.146823] Hardware name: linux,dummy-virt (DT)
[   94.147334] Call trace:
[   94.147867]  dump_backtrace+0x9c/0x128
[   94.148334]  show_stack+0x20/0x38
[   94.148756]  dump_stack_lvl+0x60/0xb0
[   94.149221]  print_report+0xf8/0x5e8
[   94.150026]  kasan_report+0xdc/0x128
[   94.150554]  __asan_load1+0x60/0x70
[   94.151106]  ksize_uaf+0x10c/0x2f0
[   94.151499]  kunit_try_run_case+0x114/0x298
[   94.152027]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   94.152750]  kthread+0x18c/0x1a8
[   94.153140]  ret_from_fork+0x10/0x20
[   94.153586] 
[   94.153784] Allocated by task 193:
[   94.154142]  kasan_save_stack+0x3c/0x68
[   94.154658]  kasan_set_track+0x2c/0x40
[   94.155344]  kasan_save_alloc_info+0x24/0x38
[   94.155889]  __kasan_kmalloc+0xd4/0xd8
[   94.156294]  kmalloc_trace+0x68/0x130
[   94.156728]  ksize_uaf+0x9c/0x2f0
[   94.157082]  kunit_try_run_case+0x114/0x298
[   94.157630]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   94.158257]  kthread+0x18c/0x1a8
[   94.158677]  ret_from_fork+0x10/0x20
[   94.159183] 
[   94.159591] Freed by task 193:
[   94.160056]  kasan_save_stack+0x3c/0x68
[   94.160476]  kasan_set_track+0x2c/0x40
[   94.160906]  kasan_save_free_info+0x38/0x60
[   94.161477]  __kasan_slab_free+0x100/0x170
[   94.161967]  __kmem_cache_free+0x178/0x2c8
[   94.162469]  kfree+0x74/0x138
[   94.163799]  ksize_uaf+0xb8/0x2f0
[   94.164422]  kunit_try_run_case+0x114/0x298
[   94.164981]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   94.165515]  kthread+0x18c/0x1a8
[   94.165903]  ret_from_fork+0x10/0x20
[   94.166394] 
[   94.166623] The buggy address belongs to the object at ffff0000c60b6f00
[   94.166623]  which belongs to the cache kmalloc-128 of size 128
[   94.167615] The buggy address is located 120 bytes inside of
[   94.167615]  freed 128-byte region [ffff0000c60b6f00, ffff0000c60b6f80)
[   94.168992] 
[   94.169223] The buggy address belongs to the physical page:
[   94.169815] page:00000000abb31ec0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1060b6
[   94.170604] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff)
[   94.171308] page_type: 0xffffffff()
[   94.171793] raw: 0bfffc0000000800 ffff0000c00018c0 dead000000000122 0000000000000000
[   94.172785] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   94.173545] page dumped because: kasan: bad access detected
[   94.174152] 
[   94.174452] Memory state around the buggy address:
[   94.175297]  ffff0000c60b6e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[   94.176087]  ffff0000c60b6e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   94.176851] >ffff0000c60b6f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   94.177505]                                                                 ^
[   94.178203]  ffff0000c60b6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   94.179139]  ffff0000c60b7000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   94.179745] ==================================================================
[   94.106315] ==================================================================
[   94.107174] BUG: KASAN: slab-use-after-free in ksize_uaf+0xe8/0x2f0
[   94.108305] Read of size 1 at addr ffff0000c60b6f00 by task kunit_try_catch/193
[   94.109291] 
[   94.109553] CPU: 0 PID: 193 Comm: kunit_try_catch Tainted: G    B            N 6.6.94-rc1 #1
[   94.110301] Hardware name: linux,dummy-virt (DT)
[   94.110805] Call trace:
[   94.111236]  dump_backtrace+0x9c/0x128
[   94.111788]  show_stack+0x20/0x38
[   94.112230]  dump_stack_lvl+0x60/0xb0
[   94.112689]  print_report+0xf8/0x5e8
[   94.113150]  kasan_report+0xdc/0x128
[   94.113537]  __asan_load1+0x60/0x70
[   94.114056]  ksize_uaf+0xe8/0x2f0
[   94.114555]  kunit_try_run_case+0x114/0x298
[   94.115009]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   94.115782]  kthread+0x18c/0x1a8
[   94.116243]  ret_from_fork+0x10/0x20
[   94.116740] 
[   94.116971] Allocated by task 193:
[   94.117331]  kasan_save_stack+0x3c/0x68
[   94.117841]  kasan_set_track+0x2c/0x40
[   94.118331]  kasan_save_alloc_info+0x24/0x38
[   94.118833]  __kasan_kmalloc+0xd4/0xd8
[   94.119216]  kmalloc_trace+0x68/0x130
[   94.119599]  ksize_uaf+0x9c/0x2f0
[   94.120124]  kunit_try_run_case+0x114/0x298
[   94.120725]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   94.121351]  kthread+0x18c/0x1a8
[   94.121774]  ret_from_fork+0x10/0x20
[   94.122274] 
[   94.122505] Freed by task 193:
[   94.123150]  kasan_save_stack+0x3c/0x68
[   94.123670]  kasan_set_track+0x2c/0x40
[   94.124250]  kasan_save_free_info+0x38/0x60
[   94.124778]  __kasan_slab_free+0x100/0x170
[   94.125334]  __kmem_cache_free+0x178/0x2c8
[   94.125838]  kfree+0x74/0x138
[   94.126201]  ksize_uaf+0xb8/0x2f0
[   94.126620]  kunit_try_run_case+0x114/0x298
[   94.127129]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   94.127633]  kthread+0x18c/0x1a8
[   94.127961]  ret_from_fork+0x10/0x20
[   94.128327] 
[   94.128533] The buggy address belongs to the object at ffff0000c60b6f00
[   94.128533]  which belongs to the cache kmalloc-128 of size 128
[   94.129232] The buggy address is located 0 bytes inside of
[   94.129232]  freed 128-byte region [ffff0000c60b6f00, ffff0000c60b6f80)
[   94.130648] 
[   94.130980] The buggy address belongs to the physical page:
[   94.131532] page:00000000abb31ec0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1060b6
[   94.132553] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff)
[   94.133376] page_type: 0xffffffff()
[   94.134039] raw: 0bfffc0000000800 ffff0000c00018c0 dead000000000122 0000000000000000
[   94.134838] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   94.135568] page dumped because: kasan: bad access detected
[   94.136250] 
[   94.136627] Memory state around the buggy address:
[   94.137310]  ffff0000c60b6e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[   94.138040]  ffff0000c60b6e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   94.138684] >ffff0000c60b6f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   94.139650]                    ^
[   94.140151]  ffff0000c60b6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   94.140923]  ffff0000c60b7000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   94.141710] ==================================================================
[   94.068573] ==================================================================
[   94.069540] BUG: KASAN: slab-use-after-free in ksize_uaf+0xc8/0x2f0
[   94.070267] Read of size 1 at addr ffff0000c60b6f00 by task kunit_try_catch/193
[   94.071166] 
[   94.071638] CPU: 0 PID: 193 Comm: kunit_try_catch Tainted: G    B            N 6.6.94-rc1 #1
[   94.072638] Hardware name: linux,dummy-virt (DT)
[   94.073010] Call trace:
[   94.073401]  dump_backtrace+0x9c/0x128
[   94.073910]  show_stack+0x20/0x38
[   94.074420]  dump_stack_lvl+0x60/0xb0
[   94.074881]  print_report+0xf8/0x5e8
[   94.075296]  kasan_report+0xdc/0x128
[   94.075796]  __kasan_check_byte+0x54/0x70
[   94.076336]  ksize+0x30/0x88
[   94.076725]  ksize_uaf+0xc8/0x2f0
[   94.077175]  kunit_try_run_case+0x114/0x298
[   94.077694]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   94.078272]  kthread+0x18c/0x1a8
[   94.078649]  ret_from_fork+0x10/0x20
[   94.079059] 
[   94.079282] Allocated by task 193:
[   94.079672]  kasan_save_stack+0x3c/0x68
[   94.080206]  kasan_set_track+0x2c/0x40
[   94.080663]  kasan_save_alloc_info+0x24/0x38
[   94.081177]  __kasan_kmalloc+0xd4/0xd8
[   94.081653]  kmalloc_trace+0x68/0x130
[   94.082065]  ksize_uaf+0x9c/0x2f0
[   94.082542]  kunit_try_run_case+0x114/0x298
[   94.083123]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   94.083806]  kthread+0x18c/0x1a8
[   94.084256]  ret_from_fork+0x10/0x20
[   94.084695] 
[   94.084935] Freed by task 193:
[   94.085302]  kasan_save_stack+0x3c/0x68
[   94.085827]  kasan_set_track+0x2c/0x40
[   94.086318]  kasan_save_free_info+0x38/0x60
[   94.087209]  __kasan_slab_free+0x100/0x170
[   94.087716]  __kmem_cache_free+0x178/0x2c8
[   94.088172]  kfree+0x74/0x138
[   94.088537]  ksize_uaf+0xb8/0x2f0
[   94.088960]  kunit_try_run_case+0x114/0x298
[   94.090442]  kunit_generic_run_threadfn_adapter+0x38/0x60
[   94.091172]  kthread+0x18c/0x1a8
[   94.091672]  ret_from_fork+0x10/0x20
[   94.092285] 
[   94.092538] The buggy address belongs to the object at ffff0000c60b6f00
[   94.092538]  which belongs to the cache kmalloc-128 of size 128
[   94.093610] The buggy address is located 0 bytes inside of
[   94.093610]  freed 128-byte region [ffff0000c60b6f00, ffff0000c60b6f80)
[   94.094627] 
[   94.094908] The buggy address belongs to the physical page:
[   94.095764] page:00000000abb31ec0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1060b6
[   94.096454] flags: 0xbfffc0000000800(slab|node=0|zone=2|lastcpupid=0xffff)
[   94.097077] page_type: 0xffffffff()
[   94.097620] raw: 0bfffc0000000800 ffff0000c00018c0 dead000000000122 0000000000000000
[   94.098136] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   94.098950] page dumped because: kasan: bad access detected
[   94.099465] 
[   94.099743] Memory state around the buggy address:
[   94.100318]  ffff0000c60b6e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[   94.101116]  ffff0000c60b6e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   94.101752] >ffff0000c60b6f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   94.102474]                    ^
[   94.102906]  ffff0000c60b6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   94.103628]  ffff0000c60b7000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   94.104300] ==================================================================


[   35.222677] ==================================================================
[   35.223494] BUG: KASAN: slab-use-after-free in ksize_uaf+0x140/0x310
[   35.224253] Read of size 1 at addr ffff888102897b78 by task kunit_try_catch/208
[   35.224915] 
[   35.225158] CPU: 1 PID: 208 Comm: kunit_try_catch Tainted: G    B            N 6.6.94-rc1 #1
[   35.225998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   35.226642] Call Trace:
[   35.226874]  <TASK>
[   35.227132]  dump_stack_lvl+0x4e/0x90
[   35.227567]  print_report+0xd2/0x650
[   35.228057]  ? __virt_addr_valid+0x156/0x1e0
[   35.228619]  ? ksize_uaf+0x140/0x310
[   35.228929]  ? kasan_complete_mode_report_info+0x64/0x200
[   35.229218]  ? ksize_uaf+0x140/0x310
[   35.229416]  kasan_report+0x147/0x180
[   35.229632]  ? ksize_uaf+0x140/0x310
[   35.229880]  __asan_load1+0x66/0x70
[   35.230303]  ksize_uaf+0x140/0x310
[   35.230787]  ? __pfx_ksize_uaf+0x10/0x10
[   35.231091]  ? __schedule+0x715/0x11a0
[   35.231294]  ? ktime_get_ts64+0x118/0x140
[   35.231516]  kunit_try_run_case+0x120/0x290
[   35.231774]  ? __pfx_kunit_try_run_case+0x10/0x10
[   35.232034]  ? __kasan_check_write+0x18/0x20
[   35.232500]  ? trace_preempt_on+0x20/0xa0
[   35.233063]  ? __kthread_parkme+0x4f/0xd0
[   35.233584]  ? preempt_count_sub+0x50/0x80
[   35.233850]  ? __pfx_kunit_try_run_case+0x10/0x10
[   35.234101]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   35.234401]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   35.235055]  kthread+0x19e/0x1e0
[   35.235434]  ? __pfx_kthread+0x10/0x10
[   35.235776]  ret_from_fork+0x41/0x70
[   35.236267]  ? __pfx_kthread+0x10/0x10
[   35.236597]  ret_from_fork_asm+0x1b/0x30
[   35.237006]  </TASK>
[   35.237259] 
[   35.237522] Allocated by task 208:
[   35.237918]  kasan_save_stack+0x44/0x70
[   35.238417]  kasan_set_track+0x29/0x40
[   35.238710]  kasan_save_alloc_info+0x22/0x30
[   35.238957]  __kasan_kmalloc+0xb7/0xc0
[   35.239154]  kmalloc_trace+0x4c/0xb0
[   35.239356]  ksize_uaf+0x9d/0x310
[   35.240128]  kunit_try_run_case+0x120/0x290
[   35.240722]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   35.241319]  kthread+0x19e/0x1e0
[   35.241783]  ret_from_fork+0x41/0x70
[   35.242206]  ret_from_fork_asm+0x1b/0x30
[   35.242720] 
[   35.242988] Freed by task 208:
[   35.243322]  kasan_save_stack+0x44/0x70
[   35.243904]  kasan_set_track+0x29/0x40
[   35.244330]  kasan_save_free_info+0x2f/0x50
[   35.245319]  ____kasan_slab_free+0x172/0x1d0
[   35.245886]  __kasan_slab_free+0x16/0x20
[   35.246097]  __kmem_cache_free+0x190/0x310
[   35.246304]  kfree+0x7c/0x120
[   35.246721]  ksize_uaf+0xbd/0x310
[   35.247120]  kunit_try_run_case+0x120/0x290
[   35.247641]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   35.248230]  kthread+0x19e/0x1e0
[   35.248671]  ret_from_fork+0x41/0x70
[   35.249228]  ret_from_fork_asm+0x1b/0x30
[   35.249743] 
[   35.250395] The buggy address belongs to the object at ffff888102897b00
[   35.250395]  which belongs to the cache kmalloc-128 of size 128
[   35.251527] The buggy address is located 120 bytes inside of
[   35.251527]  freed 128-byte region [ffff888102897b00, ffff888102897b80)
[   35.252098] 
[   35.252212] The buggy address belongs to the physical page:
[   35.252666] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102897
[   35.253743] flags: 0x200000000000800(slab|node=0|zone=2)
[   35.254311] page_type: 0xffffffff()
[   35.255132] raw: 0200000000000800 ffff8881000418c0 dead000000000122 0000000000000000
[   35.256088] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   35.256769] page dumped because: kasan: bad access detected
[   35.257277] 
[   35.257465] Memory state around the buggy address:
[   35.258003]  ffff888102897a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.258657]  ffff888102897a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.259154] >ffff888102897b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.260069]                                                                 ^
[   35.260881]  ffff888102897b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.261649]  ffff888102897c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.262231] ==================================================================
[   35.136334] ==================================================================
[   35.137528] BUG: KASAN: slab-use-after-free in ksize_uaf+0xd4/0x310
[   35.138026] Read of size 1 at addr ffff888102897b00 by task kunit_try_catch/208
[   35.138528] 
[   35.138873] CPU: 1 PID: 208 Comm: kunit_try_catch Tainted: G    B            N 6.6.94-rc1 #1
[   35.139499] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   35.140113] Call Trace:
[   35.140323]  <TASK>
[   35.140653]  dump_stack_lvl+0x4e/0x90
[   35.141417]  print_report+0xd2/0x650
[   35.141721]  ? __virt_addr_valid+0x156/0x1e0
[   35.142034]  ? ksize_uaf+0xd4/0x310
[   35.142266]  ? kasan_complete_mode_report_info+0x64/0x200
[   35.142672]  ? ksize_uaf+0xd4/0x310
[   35.142981]  kasan_report+0x147/0x180
[   35.143292]  ? ksize_uaf+0xd4/0x310
[   35.143790]  ? ksize_uaf+0xd4/0x310
[   35.144202]  __kasan_check_byte+0x3d/0x50
[   35.144574]  ksize+0x20/0x60
[   35.145056]  ksize_uaf+0xd4/0x310
[   35.145783]  ? __pfx_ksize_uaf+0x10/0x10
[   35.146115]  ? __schedule+0x715/0x11a0
[   35.146416]  ? ktime_get_ts64+0x118/0x140
[   35.146882]  kunit_try_run_case+0x120/0x290
[   35.147216]  ? __pfx_kunit_try_run_case+0x10/0x10
[   35.147711]  ? __kasan_check_write+0x18/0x20
[   35.148069]  ? trace_preempt_on+0x20/0xa0
[   35.148379]  ? __kthread_parkme+0x4f/0xd0
[   35.148844]  ? preempt_count_sub+0x50/0x80
[   35.149190]  ? __pfx_kunit_try_run_case+0x10/0x10
[   35.149643]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   35.150079]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   35.150905]  kthread+0x19e/0x1e0
[   35.151175]  ? __pfx_kthread+0x10/0x10
[   35.151558]  ret_from_fork+0x41/0x70
[   35.151784]  ? __pfx_kthread+0x10/0x10
[   35.152234]  ret_from_fork_asm+0x1b/0x30
[   35.152648]  </TASK>
[   35.152838] 
[   35.152996] Allocated by task 208:
[   35.153257]  kasan_save_stack+0x44/0x70
[   35.153640]  kasan_set_track+0x29/0x40
[   35.154042]  kasan_save_alloc_info+0x22/0x30
[   35.154636]  __kasan_kmalloc+0xb7/0xc0
[   35.155154]  kmalloc_trace+0x4c/0xb0
[   35.155949]  ksize_uaf+0x9d/0x310
[   35.156155]  kunit_try_run_case+0x120/0x290
[   35.156487]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   35.157120]  kthread+0x19e/0x1e0
[   35.157617]  ret_from_fork+0x41/0x70
[   35.158143]  ret_from_fork_asm+0x1b/0x30
[   35.158694] 
[   35.158972] Freed by task 208:
[   35.159345]  kasan_save_stack+0x44/0x70
[   35.159898]  kasan_set_track+0x29/0x40
[   35.160113]  kasan_save_free_info+0x2f/0x50
[   35.160362]  ____kasan_slab_free+0x172/0x1d0
[   35.161244]  __kasan_slab_free+0x16/0x20
[   35.161784]  __kmem_cache_free+0x190/0x310
[   35.162250]  kfree+0x7c/0x120
[   35.162660]  ksize_uaf+0xbd/0x310
[   35.163118]  kunit_try_run_case+0x120/0x290
[   35.163596]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   35.164101]  kthread+0x19e/0x1e0
[   35.164301]  ret_from_fork+0x41/0x70
[   35.164761]  ret_from_fork_asm+0x1b/0x30
[   35.165234] 
[   35.165794] The buggy address belongs to the object at ffff888102897b00
[   35.165794]  which belongs to the cache kmalloc-128 of size 128
[   35.167239] The buggy address is located 0 bytes inside of
[   35.167239]  freed 128-byte region [ffff888102897b00, ffff888102897b80)
[   35.167958] 
[   35.168162] The buggy address belongs to the physical page:
[   35.168887] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102897
[   35.169915] flags: 0x200000000000800(slab|node=0|zone=2)
[   35.170186] page_type: 0xffffffff()
[   35.170799] raw: 0200000000000800 ffff8881000418c0 dead000000000122 0000000000000000
[   35.171740] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   35.172496] page dumped because: kasan: bad access detected
[   35.173148] 
[   35.173340] Memory state around the buggy address:
[   35.173963]  ffff888102897a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.174578]  ffff888102897a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.175145] >ffff888102897b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.175983]                    ^
[   35.176350]  ffff888102897b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.177262]  ffff888102897c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.178151] ==================================================================
[   35.179341] ==================================================================
[   35.180068] BUG: KASAN: slab-use-after-free in ksize_uaf+0x108/0x310
[   35.180485] Read of size 1 at addr ffff888102897b00 by task kunit_try_catch/208
[   35.181269] 
[   35.181545] CPU: 1 PID: 208 Comm: kunit_try_catch Tainted: G    B            N 6.6.94-rc1 #1
[   35.182451] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   35.183175] Call Trace:
[   35.183325]  <TASK>
[   35.183660]  dump_stack_lvl+0x4e/0x90
[   35.184175]  print_report+0xd2/0x650
[   35.185035]  ? __virt_addr_valid+0x156/0x1e0
[   35.185546]  ? ksize_uaf+0x108/0x310
[   35.186113]  ? kasan_complete_mode_report_info+0x64/0x200
[   35.186742]  ? ksize_uaf+0x108/0x310
[   35.187029]  kasan_report+0x147/0x180
[   35.187244]  ? ksize_uaf+0x108/0x310
[   35.187661]  __asan_load1+0x66/0x70
[   35.188168]  ksize_uaf+0x108/0x310
[   35.188700]  ? __pfx_ksize_uaf+0x10/0x10
[   35.189169]  ? __schedule+0x715/0x11a0
[   35.190037]  ? ktime_get_ts64+0x118/0x140
[   35.190585]  kunit_try_run_case+0x120/0x290
[   35.191089]  ? __pfx_kunit_try_run_case+0x10/0x10
[   35.191346]  ? __kasan_check_write+0x18/0x20
[   35.191917]  ? trace_preempt_on+0x20/0xa0
[   35.192432]  ? __kthread_parkme+0x4f/0xd0
[   35.192777]  ? preempt_count_sub+0x50/0x80
[   35.193030]  ? __pfx_kunit_try_run_case+0x10/0x10
[   35.193288]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   35.194065]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   35.195105]  kthread+0x19e/0x1e0
[   35.195521]  ? __pfx_kthread+0x10/0x10
[   35.196072]  ret_from_fork+0x41/0x70
[   35.196577]  ? __pfx_kthread+0x10/0x10
[   35.197049]  ret_from_fork_asm+0x1b/0x30
[   35.197613]  </TASK>
[   35.197917] 
[   35.198110] Allocated by task 208:
[   35.198318]  kasan_save_stack+0x44/0x70
[   35.198840]  kasan_set_track+0x29/0x40
[   35.199284]  kasan_save_alloc_info+0x22/0x30
[   35.199925]  __kasan_kmalloc+0xb7/0xc0
[   35.200137]  kmalloc_trace+0x4c/0xb0
[   35.200328]  ksize_uaf+0x9d/0x310
[   35.200789]  kunit_try_run_case+0x120/0x290
[   35.201297]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   35.201987]  kthread+0x19e/0x1e0
[   35.202443]  ret_from_fork+0x41/0x70
[   35.202876]  ret_from_fork_asm+0x1b/0x30
[   35.203303] 
[   35.203498] Freed by task 208:
[   35.203912]  kasan_save_stack+0x44/0x70
[   35.204328]  kasan_set_track+0x29/0x40
[   35.204983]  kasan_save_free_info+0x2f/0x50
[   35.205229]  ____kasan_slab_free+0x172/0x1d0
[   35.205693]  __kasan_slab_free+0x16/0x20
[   35.206148]  __kmem_cache_free+0x190/0x310
[   35.206644]  kfree+0x7c/0x120
[   35.207076]  ksize_uaf+0xbd/0x310
[   35.207524]  kunit_try_run_case+0x120/0x290
[   35.208084]  kunit_generic_run_threadfn_adapter+0x33/0x50
[   35.208706]  kthread+0x19e/0x1e0
[   35.208928]  ret_from_fork+0x41/0x70
[   35.209121]  ret_from_fork_asm+0x1b/0x30
[   35.209329] 
[   35.210127] The buggy address belongs to the object at ffff888102897b00
[   35.210127]  which belongs to the cache kmalloc-128 of size 128
[   35.211610] The buggy address is located 0 bytes inside of
[   35.211610]  freed 128-byte region [ffff888102897b00, ffff888102897b80)
[   35.212963] 
[   35.213220] The buggy address belongs to the physical page:
[   35.213916] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102897
[   35.214322] flags: 0x200000000000800(slab|node=0|zone=2)
[   35.214980] page_type: 0xffffffff()
[   35.215375] raw: 0200000000000800 ffff8881000418c0 dead000000000122 0000000000000000
[   35.216241] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   35.217130] page dumped because: kasan: bad access detected
[   35.217666] 
[   35.217887] Memory state around the buggy address:
[   35.218307]  ffff888102897a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.218943]  ffff888102897a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.219248] >ffff888102897b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.219608]                    ^
[   35.220046]  ffff888102897b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.220848]  ffff888102897c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.221680] ==================================================================