Hay
Date: July 18, 2025, 2:09 p.m.

Environment: qemu-arm64, qemu-x86_64

[   17.137127] ==================================================================
[   17.137241] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   17.137360] Read of size 1 at addr fff00000c5acc108 by task kunit_try_catch/184
[   17.137409] 
[   17.137449] CPU: 1 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   17.137544] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.137570] Hardware name: linux,dummy-virt (DT)
[   17.137603] Call trace:
[   17.137626]  show_stack+0x20/0x38 (C)
[   17.137677]  dump_stack_lvl+0x8c/0xd0
[   17.138034]  print_report+0x118/0x5d0
[   17.138144]  kasan_report+0xdc/0x128
[   17.138272]  __asan_report_load1_noabort+0x20/0x30
[   17.138326]  kmalloc_uaf+0x300/0x338
[   17.138534]  kunit_try_run_case+0x170/0x3f0
[   17.138642]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.138753]  kthread+0x328/0x630
[   17.138806]  ret_from_fork+0x10/0x20
[   17.138862] 
[   17.138882] Allocated by task 184:
[   17.138955]  kasan_save_stack+0x3c/0x68
[   17.139001]  kasan_save_track+0x20/0x40
[   17.139058]  kasan_save_alloc_info+0x40/0x58
[   17.139190]  __kasan_kmalloc+0xd4/0xd8
[   17.139258]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.139328]  kmalloc_uaf+0xb8/0x338
[   17.139468]  kunit_try_run_case+0x170/0x3f0
[   17.139506]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.139744]  kthread+0x328/0x630
[   17.139934]  ret_from_fork+0x10/0x20
[   17.140148] 
[   17.140322] Freed by task 184:
[   17.140419]  kasan_save_stack+0x3c/0x68
[   17.140563]  kasan_save_track+0x20/0x40
[   17.140717]  kasan_save_free_info+0x4c/0x78
[   17.140779]  __kasan_slab_free+0x6c/0x98
[   17.140837]  kfree+0x214/0x3c8
[   17.141043]  kmalloc_uaf+0x11c/0x338
[   17.141278]  kunit_try_run_case+0x170/0x3f0
[   17.141441]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.141617]  kthread+0x328/0x630
[   17.141688]  ret_from_fork+0x10/0x20
[   17.141734] 
[   17.141761] The buggy address belongs to the object at fff00000c5acc100
[   17.141761]  which belongs to the cache kmalloc-16 of size 16
[   17.142111] The buggy address is located 8 bytes inside of
[   17.142111]  freed 16-byte region [fff00000c5acc100, fff00000c5acc110)
[   17.142214] 
[   17.142513] The buggy address belongs to the physical page:
[   17.142604] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105acc
[   17.142715] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.142825] page_type: f5(slab)
[   17.142981] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   17.143075] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   17.143227] page dumped because: kasan: bad access detected
[   17.143272] 
[   17.143291] Memory state around the buggy address:
[   17.143332]  fff00000c5acc000: fa fb fc fc fa fb fc fc 00 04 fc fc fa fb fc fc
[   17.143552]  fff00000c5acc080: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   17.143901] >fff00000c5acc100: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.144061]                       ^
[   17.144131]  fff00000c5acc180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.144250]  fff00000c5acc200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.144443] ==================================================================

[   16.764167] ==================================================================
[   16.764232] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   16.764295] Read of size 1 at addr fff00000c5a02c28 by task kunit_try_catch/184
[   16.764358] 
[   16.764393] CPU: 1 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   16.764476] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.765205] Hardware name: linux,dummy-virt (DT)
[   16.765243] Call trace:
[   16.765270]  show_stack+0x20/0x38 (C)
[   16.765345]  dump_stack_lvl+0x8c/0xd0
[   16.765422]  print_report+0x118/0x5d0
[   16.765612]  kasan_report+0xdc/0x128
[   16.765901]  __asan_report_load1_noabort+0x20/0x30
[   16.766072]  kmalloc_uaf+0x300/0x338
[   16.766201]  kunit_try_run_case+0x170/0x3f0
[   16.766445]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.766635]  kthread+0x328/0x630
[   16.766744]  ret_from_fork+0x10/0x20
[   16.767077] 
[   16.767129] Allocated by task 184:
[   16.767209]  kasan_save_stack+0x3c/0x68
[   16.767378]  kasan_save_track+0x20/0x40
[   16.767519]  kasan_save_alloc_info+0x40/0x58
[   16.767601]  __kasan_kmalloc+0xd4/0xd8
[   16.767810]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.767970]  kmalloc_uaf+0xb8/0x338
[   16.768034]  kunit_try_run_case+0x170/0x3f0
[   16.768163]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.768244]  kthread+0x328/0x630
[   16.768600]  ret_from_fork+0x10/0x20
[   16.768672] 
[   16.768742] Freed by task 184:
[   16.768792]  kasan_save_stack+0x3c/0x68
[   16.768832]  kasan_save_track+0x20/0x40
[   16.768870]  kasan_save_free_info+0x4c/0x78
[   16.769378]  __kasan_slab_free+0x6c/0x98
[   16.769513]  kfree+0x214/0x3c8
[   16.769549]  kmalloc_uaf+0x11c/0x338
[   16.769770]  kunit_try_run_case+0x170/0x3f0
[   16.769955]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.770018]  kthread+0x328/0x630
[   16.770213]  ret_from_fork+0x10/0x20
[   16.770283] 
[   16.770616] The buggy address belongs to the object at fff00000c5a02c20
[   16.770616]  which belongs to the cache kmalloc-16 of size 16
[   16.771068] The buggy address is located 8 bytes inside of
[   16.771068]  freed 16-byte region [fff00000c5a02c20, fff00000c5a02c30)
[   16.771211] 
[   16.771282] The buggy address belongs to the physical page:
[   16.771540] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105a02
[   16.771618] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.772038] page_type: f5(slab)
[   16.772100] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   16.772343] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   16.772404] page dumped because: kasan: bad access detected
[   16.772677] 
[   16.772704] Memory state around the buggy address:
[   16.772763]  fff00000c5a02b00: fa fb fc fc fa fb fc fc fa fb fc fc 00 04 fc fc
[   16.772840]  fff00000c5a02b80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   16.773190] >fff00000c5a02c00: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   16.773348]                                   ^
[   16.773388]  fff00000c5a02c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.773473]  fff00000c5a02d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.773646] ==================================================================

[   16.786773] ==================================================================
[   16.786852] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   16.786950] Read of size 1 at addr fff00000c5755e88 by task kunit_try_catch/184
[   16.787029] 
[   16.787063] CPU: 0 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   16.787145] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.787171] Hardware name: linux,dummy-virt (DT)
[   16.787203] Call trace:
[   16.787225]  show_stack+0x20/0x38 (C)
[   16.787313]  dump_stack_lvl+0x8c/0xd0
[   16.787364]  print_report+0x118/0x5d0
[   16.787411]  kasan_report+0xdc/0x128
[   16.787454]  __asan_report_load1_noabort+0x20/0x30
[   16.787639]  kmalloc_uaf+0x300/0x338
[   16.787796]  kunit_try_run_case+0x170/0x3f0
[   16.787991]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.788067]  kthread+0x328/0x630
[   16.788129]  ret_from_fork+0x10/0x20
[   16.788466] 
[   16.788525] Allocated by task 184:
[   16.788592]  kasan_save_stack+0x3c/0x68
[   16.788697]  kasan_save_track+0x20/0x40
[   16.788786]  kasan_save_alloc_info+0x40/0x58
[   16.788853]  __kasan_kmalloc+0xd4/0xd8
[   16.788888]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.789122]  kmalloc_uaf+0xb8/0x338
[   16.789165]  kunit_try_run_case+0x170/0x3f0
[   16.789331]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.789424]  kthread+0x328/0x630
[   16.789555]  ret_from_fork+0x10/0x20
[   16.789614] 
[   16.789637] Freed by task 184:
[   16.789972]  kasan_save_stack+0x3c/0x68
[   16.790086]  kasan_save_track+0x20/0x40
[   16.790135]  kasan_save_free_info+0x4c/0x78
[   16.790189]  __kasan_slab_free+0x6c/0x98
[   16.790227]  kfree+0x214/0x3c8
[   16.790260]  kmalloc_uaf+0x11c/0x338
[   16.790296]  kunit_try_run_case+0x170/0x3f0
[   16.790336]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.790389]  kthread+0x328/0x630
[   16.790421]  ret_from_fork+0x10/0x20
[   16.790458] 
[   16.790478] The buggy address belongs to the object at fff00000c5755e80
[   16.790478]  which belongs to the cache kmalloc-16 of size 16
[   16.790538] The buggy address is located 8 bytes inside of
[   16.790538]  freed 16-byte region [fff00000c5755e80, fff00000c5755e90)
[   16.790597] 
[   16.790633] The buggy address belongs to the physical page:
[   16.790669] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105755
[   16.790742] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   16.790789] page_type: f5(slab)
[   16.790828] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   16.790916] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   16.791172] page dumped because: kasan: bad access detected
[   16.791232] 
[   16.791250] Memory state around the buggy address:
[   16.791284]  fff00000c5755d80: fa fb fc fc fa fb fc fc 00 04 fc fc fa fb fc fc
[   16.791534]  fff00000c5755e00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   16.791682] >fff00000c5755e80: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.791846]                       ^
[   16.791949]  fff00000c5755f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.792067]  fff00000c5755f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.792205] ==================================================================

[   12.486465] ==================================================================
[   12.488158] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[   12.489267] Read of size 1 at addr ffff8881028371e8 by task kunit_try_catch/201
[   12.490196] 
[   12.490307] CPU: 1 UID: 0 PID: 201 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   12.490357] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.490368] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.490391] Call Trace:
[   12.490404]  <TASK>
[   12.490424]  dump_stack_lvl+0x73/0xb0
[   12.490459]  print_report+0xd1/0x610
[   12.490481]  ? __virt_addr_valid+0x1db/0x2d0
[   12.490506]  ? kmalloc_uaf+0x320/0x380
[   12.491134]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.491164]  ? kmalloc_uaf+0x320/0x380
[   12.491186]  kasan_report+0x141/0x180
[   12.491208]  ? kmalloc_uaf+0x320/0x380
[   12.491233]  __asan_report_load1_noabort+0x18/0x20
[   12.491258]  kmalloc_uaf+0x320/0x380
[   12.491277]  ? __pfx_kmalloc_uaf+0x10/0x10
[   12.491297]  ? __schedule+0x10cc/0x2b60
[   12.491321]  ? __pfx_read_tsc+0x10/0x10
[   12.491342]  ? ktime_get_ts64+0x86/0x230
[   12.491369]  kunit_try_run_case+0x1a5/0x480
[   12.491394]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.491415]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.491440]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.491463]  ? __kthread_parkme+0x82/0x180
[   12.491483]  ? preempt_count_sub+0x50/0x80
[   12.491508]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.491543]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.491566]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.491589]  kthread+0x337/0x6f0
[   12.491608]  ? trace_preempt_on+0x20/0xc0
[   12.491632]  ? __pfx_kthread+0x10/0x10
[   12.491651]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.491672]  ? calculate_sigpending+0x7b/0xa0
[   12.491696]  ? __pfx_kthread+0x10/0x10
[   12.491717]  ret_from_fork+0x116/0x1d0
[   12.491735]  ? __pfx_kthread+0x10/0x10
[   12.491754]  ret_from_fork_asm+0x1a/0x30
[   12.491787]  </TASK>
[   12.491798] 
[   12.503445] Allocated by task 201:
[   12.503832]  kasan_save_stack+0x45/0x70
[   12.504187]  kasan_save_track+0x18/0x40
[   12.504362]  kasan_save_alloc_info+0x3b/0x50
[   12.504702]  __kasan_kmalloc+0xb7/0xc0
[   12.504930]  __kmalloc_cache_noprof+0x189/0x420
[   12.505390]  kmalloc_uaf+0xaa/0x380
[   12.505530]  kunit_try_run_case+0x1a5/0x480
[   12.505968]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.506239]  kthread+0x337/0x6f0
[   12.506532]  ret_from_fork+0x116/0x1d0
[   12.506814]  ret_from_fork_asm+0x1a/0x30
[   12.507263] 
[   12.507522] Freed by task 201:
[   12.507936]  kasan_save_stack+0x45/0x70
[   12.508180]  kasan_save_track+0x18/0x40
[   12.508321]  kasan_save_free_info+0x3f/0x60
[   12.508471]  __kasan_slab_free+0x56/0x70
[   12.508929]  kfree+0x222/0x3f0
[   12.509280]  kmalloc_uaf+0x12c/0x380
[   12.509665]  kunit_try_run_case+0x1a5/0x480
[   12.510162]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.510709]  kthread+0x337/0x6f0
[   12.511132]  ret_from_fork+0x116/0x1d0
[   12.511537]  ret_from_fork_asm+0x1a/0x30
[   12.511744] 
[   12.511832] The buggy address belongs to the object at ffff8881028371e0
[   12.511832]  which belongs to the cache kmalloc-16 of size 16
[   12.512212] The buggy address is located 8 bytes inside of
[   12.512212]  freed 16-byte region [ffff8881028371e0, ffff8881028371f0)
[   12.512558] 
[   12.512631] The buggy address belongs to the physical page:
[   12.512806] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102837
[   12.513487] flags: 0x200000000000000(node=0|zone=2)
[   12.514017] page_type: f5(slab)
[   12.514358] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   12.515120] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   12.515862] page dumped because: kasan: bad access detected
[   12.516522] 
[   12.516678] Memory state around the buggy address:
[   12.517222]  ffff888102837080: 00 04 fc fc 00 04 fc fc 00 05 fc fc 00 05 fc fc
[   12.517977]  ffff888102837100: 00 05 fc fc 00 02 fc fc fa fb fc fc 00 05 fc fc
[   12.518706] >ffff888102837180: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   12.519436]                                                           ^
[   12.520114]  ffff888102837200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.520792]  ffff888102837280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.521455] ==================================================================

[   12.251724] ==================================================================
[   12.254175] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[   12.255543] Read of size 1 at addr ffff888101cb3ce8 by task kunit_try_catch/202
[   12.256134] 
[   12.256306] CPU: 0 UID: 0 PID: 202 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   12.256354] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.256365] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.256386] Call Trace:
[   12.256399]  <TASK>
[   12.256416]  dump_stack_lvl+0x73/0xb0
[   12.256464]  print_report+0xd1/0x610
[   12.256489]  ? __virt_addr_valid+0x1db/0x2d0
[   12.256514]  ? kmalloc_uaf+0x320/0x380
[   12.256537]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.256563]  ? kmalloc_uaf+0x320/0x380
[   12.256584]  kasan_report+0x141/0x180
[   12.256609]  ? kmalloc_uaf+0x320/0x380
[   12.256639]  __asan_report_load1_noabort+0x18/0x20
[   12.256666]  kmalloc_uaf+0x320/0x380
[   12.256687]  ? __pfx_kmalloc_uaf+0x10/0x10
[   12.256713]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   12.256743]  ? trace_hardirqs_on+0x37/0xe0
[   12.256774]  ? __pfx_read_tsc+0x10/0x10
[   12.256796]  ? ktime_get_ts64+0x86/0x230
[   12.256821]  kunit_try_run_case+0x1a5/0x480
[   12.256848]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.256873]  ? queued_spin_lock_slowpath+0x116/0xb40
[   12.256906]  ? __kthread_parkme+0x82/0x180
[   12.256930]  ? preempt_count_sub+0x50/0x80
[   12.256957]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.256982]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.257014]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.257042]  kthread+0x337/0x6f0
[   12.257063]  ? trace_preempt_on+0x20/0xc0
[   12.257087]  ? __pfx_kthread+0x10/0x10
[   12.257111]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.257141]  ? calculate_sigpending+0x7b/0xa0
[   12.257172]  ? __pfx_kthread+0x10/0x10
[   12.257195]  ret_from_fork+0x116/0x1d0
[   12.257218]  ? __pfx_kthread+0x10/0x10
[   12.257239]  ret_from_fork_asm+0x1a/0x30
[   12.257276]  </TASK>
[   12.257287] 
[   12.270455] Allocated by task 202:
[   12.270593]  kasan_save_stack+0x45/0x70
[   12.270741]  kasan_save_track+0x18/0x40
[   12.270876]  kasan_save_alloc_info+0x3b/0x50
[   12.271056]  __kasan_kmalloc+0xb7/0xc0
[   12.271239]  __kmalloc_cache_noprof+0x189/0x420
[   12.272212]  kmalloc_uaf+0xaa/0x380
[   12.272400]  kunit_try_run_case+0x1a5/0x480
[   12.272619]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.272913]  kthread+0x337/0x6f0
[   12.273078]  ret_from_fork+0x116/0x1d0
[   12.273217]  ret_from_fork_asm+0x1a/0x30
[   12.273361] 
[   12.273468] Freed by task 202:
[   12.274554]  kasan_save_stack+0x45/0x70
[   12.274766]  kasan_save_track+0x18/0x40
[   12.274951]  kasan_save_free_info+0x3f/0x60
[   12.275135]  __kasan_slab_free+0x56/0x70
[   12.275333]  kfree+0x222/0x3f0
[   12.275526]  kmalloc_uaf+0x12c/0x380
[   12.276569]  kunit_try_run_case+0x1a5/0x480
[   12.276952]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.277168]  kthread+0x337/0x6f0
[   12.277330]  ret_from_fork+0x116/0x1d0
[   12.277523]  ret_from_fork_asm+0x1a/0x30
[   12.278707] 
[   12.278782] The buggy address belongs to the object at ffff888101cb3ce0
[   12.278782]  which belongs to the cache kmalloc-16 of size 16
[   12.279223] The buggy address is located 8 bytes inside of
[   12.279223]  freed 16-byte region [ffff888101cb3ce0, ffff888101cb3cf0)
[   12.279753] 
[   12.279835] The buggy address belongs to the physical page:
[   12.280020] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101cb3
[   12.280374] flags: 0x200000000000000(node=0|zone=2)
[   12.280592] page_type: f5(slab)
[   12.281541] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   12.281898] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   12.282179] page dumped because: kasan: bad access detected
[   12.282417] 
[   12.282522] Memory state around the buggy address:
[   12.282714]  ffff888101cb3b80: 00 02 fc fc 00 02 fc fc 00 02 fc fc fa fb fc fc
[   12.282996]  ffff888101cb3c00: fa fb fc fc fa fb fc fc 00 05 fc fc fa fb fc fc
[   12.283287] >ffff888101cb3c80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   12.284722]                                                           ^
[   12.284946]  ffff888101cb3d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.285271]  ffff888101cb3d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.285520] ==================================================================

[   12.428407] ==================================================================
[   12.428889] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[   12.430513] Read of size 1 at addr ffff888102712168 by task kunit_try_catch/201
[   12.431714] 
[   12.432146] CPU: 1 UID: 0 PID: 201 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   12.432353] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.432370] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.432407] Call Trace:
[   12.432476]  <TASK>
[   12.432498]  dump_stack_lvl+0x73/0xb0
[   12.432540]  print_report+0xd1/0x610
[   12.432565]  ? __virt_addr_valid+0x1db/0x2d0
[   12.432591]  ? kmalloc_uaf+0x320/0x380
[   12.432610]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.432632]  ? kmalloc_uaf+0x320/0x380
[   12.432652]  kasan_report+0x141/0x180
[   12.432674]  ? kmalloc_uaf+0x320/0x380
[   12.432697]  __asan_report_load1_noabort+0x18/0x20
[   12.432721]  kmalloc_uaf+0x320/0x380
[   12.432741]  ? __pfx_kmalloc_uaf+0x10/0x10
[   12.432761]  ? __schedule+0x10cc/0x2b60
[   12.432783]  ? __pfx_read_tsc+0x10/0x10
[   12.432805]  ? ktime_get_ts64+0x86/0x230
[   12.432830]  kunit_try_run_case+0x1a5/0x480
[   12.432864]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.432886]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.432910]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.432933]  ? __kthread_parkme+0x82/0x180
[   12.432954]  ? preempt_count_sub+0x50/0x80
[   12.432978]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.433035]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.433059]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.433083]  kthread+0x337/0x6f0
[   12.433102]  ? trace_preempt_on+0x20/0xc0
[   12.433126]  ? __pfx_kthread+0x10/0x10
[   12.433146]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.433167]  ? calculate_sigpending+0x7b/0xa0
[   12.433191]  ? __pfx_kthread+0x10/0x10
[   12.433212]  ret_from_fork+0x116/0x1d0
[   12.433231]  ? __pfx_kthread+0x10/0x10
[   12.433250]  ret_from_fork_asm+0x1a/0x30
[   12.433282]  </TASK>
[   12.433293] 
[   12.446856] Allocated by task 201:
[   12.447179]  kasan_save_stack+0x45/0x70
[   12.447583]  kasan_save_track+0x18/0x40
[   12.447718]  kasan_save_alloc_info+0x3b/0x50
[   12.447864]  __kasan_kmalloc+0xb7/0xc0
[   12.447992]  __kmalloc_cache_noprof+0x189/0x420
[   12.448501]  kmalloc_uaf+0xaa/0x380
[   12.448870]  kunit_try_run_case+0x1a5/0x480
[   12.449359]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.450028]  kthread+0x337/0x6f0
[   12.450404]  ret_from_fork+0x116/0x1d0
[   12.450869]  ret_from_fork_asm+0x1a/0x30
[   12.451167] 
[   12.451389] Freed by task 201:
[   12.451743]  kasan_save_stack+0x45/0x70
[   12.452178]  kasan_save_track+0x18/0x40
[   12.452729]  kasan_save_free_info+0x3f/0x60
[   12.453155]  __kasan_slab_free+0x56/0x70
[   12.453486]  kfree+0x222/0x3f0
[   12.453606]  kmalloc_uaf+0x12c/0x380
[   12.453733]  kunit_try_run_case+0x1a5/0x480
[   12.453880]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.454183]  kthread+0x337/0x6f0
[   12.454499]  ret_from_fork+0x116/0x1d0
[   12.454834]  ret_from_fork_asm+0x1a/0x30
[   12.455275] 
[   12.455518] The buggy address belongs to the object at ffff888102712160
[   12.455518]  which belongs to the cache kmalloc-16 of size 16
[   12.456680] The buggy address is located 8 bytes inside of
[   12.456680]  freed 16-byte region [ffff888102712160, ffff888102712170)
[   12.457902] 
[   12.457990] The buggy address belongs to the physical page:
[   12.458396] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102712
[   12.459147] flags: 0x200000000000000(node=0|zone=2)
[   12.459430] page_type: f5(slab)
[   12.459561] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   12.459794] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   12.460075] page dumped because: kasan: bad access detected
[   12.460577] 
[   12.460763] Memory state around the buggy address:
[   12.461284]  ffff888102712000: 00 06 fc fc 00 06 fc fc 00 00 fc fc 00 04 fc fc
[   12.462040]  ffff888102712080: 00 04 fc fc 00 01 fc fc 00 01 fc fc 00 04 fc fc
[   12.463062] >ffff888102712100: 00 04 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   12.464053]                                                           ^
[   12.464672]  ffff888102712180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.464905]  ffff888102712200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.465600] ==================================================================