lkft/sashal-linus-next - v6.13-rc7-43871-g530dddedcd5a - log-parser-boot/kasan-bug-kasan-slab-use-after-free-in-kmem_cache_rcu_uaf

Date

July 18, 2025, 2:09 p.m.

Environment
qemu-arm64
qemu-x86_64

[   18.259889] ==================================================================
[   18.260004] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[   18.260087] Read of size 1 at addr fff00000c7993000 by task kunit_try_catch/213
[   18.260141] 
[   18.260185] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   18.260270] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.260299] Hardware name: linux,dummy-virt (DT)
[   18.260331] Call trace:
[   18.260357]  show_stack+0x20/0x38 (C)
[   18.260412]  dump_stack_lvl+0x8c/0xd0
[   18.260463]  print_report+0x118/0x5d0
[   18.260512]  kasan_report+0xdc/0x128
[   18.260559]  __asan_report_load1_noabort+0x20/0x30
[   18.260612]  kmem_cache_rcu_uaf+0x388/0x468
[   18.260659]  kunit_try_run_case+0x170/0x3f0
[   18.260709]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.260762]  kthread+0x328/0x630
[   18.260806]  ret_from_fork+0x10/0x20
[   18.260869] 
[   18.260888] Allocated by task 213:
[   18.260919]  kasan_save_stack+0x3c/0x68
[   18.260963]  kasan_save_track+0x20/0x40
[   18.261000]  kasan_save_alloc_info+0x40/0x58
[   18.261041]  __kasan_slab_alloc+0xa8/0xb0
[   18.261078]  kmem_cache_alloc_noprof+0x10c/0x398
[   18.261120]  kmem_cache_rcu_uaf+0x12c/0x468
[   18.261156]  kunit_try_run_case+0x170/0x3f0
[   18.261194]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.261235]  kthread+0x328/0x630
[   18.261268]  ret_from_fork+0x10/0x20
[   18.261303] 
[   18.261321] Freed by task 0:
[   18.261349]  kasan_save_stack+0x3c/0x68
[   18.261385]  kasan_save_track+0x20/0x40
[   18.261425]  kasan_save_free_info+0x4c/0x78
[   18.261464]  __kasan_slab_free+0x6c/0x98
[   18.261514]  slab_free_after_rcu_debug+0xd4/0x2f8
[   18.261555]  rcu_core+0x9f4/0x1e20
[   18.261593]  rcu_core_si+0x18/0x30
[   18.261626]  handle_softirqs+0x374/0xb28
[   18.261665]  __do_softirq+0x1c/0x28
[   18.261698] 
[   18.261719] Last potentially related work creation:
[   18.261744]  kasan_save_stack+0x3c/0x68
[   18.261783]  kasan_record_aux_stack+0xb4/0xc8
[   18.261823]  kmem_cache_free+0x120/0x468
[   18.261868]  kmem_cache_rcu_uaf+0x16c/0x468
[   18.261906]  kunit_try_run_case+0x170/0x3f0
[   18.261944]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.261985]  kthread+0x328/0x630
[   18.262018]  ret_from_fork+0x10/0x20
[   18.262054] 
[   18.262072] The buggy address belongs to the object at fff00000c7993000
[   18.262072]  which belongs to the cache test_cache of size 200
[   18.262129] The buggy address is located 0 bytes inside of
[   18.262129]  freed 200-byte region [fff00000c7993000, fff00000c79930c8)
[   18.262190] 
[   18.262212] The buggy address belongs to the physical page:
[   18.262245] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107993
[   18.262300] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.262354] page_type: f5(slab)
[   18.262398] raw: 0bfffe0000000000 fff00000c7990000 dead000000000122 0000000000000000
[   18.262449] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   18.262491] page dumped because: kasan: bad access detected
[   18.262522] 
[   18.262540] Memory state around the buggy address:
[   18.262573]  fff00000c7992f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.262616]  fff00000c7992f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.262659] >fff00000c7993000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   18.262699]                    ^
[   18.262726]  fff00000c7993080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   18.262768]  fff00000c7993100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.262808] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

303EBflBPqSbIUkiUzReBHe3YjN

job_id

TEST:linaro@lkft#303EF25Pp9Vi9nJKRzPLQTha4DW

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/303EF25Pp9Vi9nJKRzPLQTha4DW

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303ECYTm040GLO6kXFdSkAckpUQ/Image.gz
sha256sum	0cd43a55510452afcc094a9b71b52e570abcb0018a9c4b3e8c55713d88f43dcd

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303ECYTm040GLO6kXFdSkAckpUQ/modules.tar.xz
sha256sum	1123cbd40eab351130997a1b3dcec1375004e5d45c47d69105fc241be8d9036c

durations

tests

boot	0
kunit	182.38

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.2+ds-1

[   17.924989] ==================================================================
[   17.925118] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[   17.925201] Read of size 1 at addr fff00000c7997000 by task kunit_try_catch/213
[   17.925253] 
[   17.925300] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   17.925408] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.925434] Hardware name: linux,dummy-virt (DT)
[   17.925472] Call trace:
[   17.925496]  show_stack+0x20/0x38 (C)
[   17.925552]  dump_stack_lvl+0x8c/0xd0
[   17.925603]  print_report+0x118/0x5d0
[   17.925651]  kasan_report+0xdc/0x128
[   17.925696]  __asan_report_load1_noabort+0x20/0x30
[   17.925748]  kmem_cache_rcu_uaf+0x388/0x468
[   17.925797]  kunit_try_run_case+0x170/0x3f0
[   17.925846]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.925899]  kthread+0x328/0x630
[   17.925944]  ret_from_fork+0x10/0x20
[   17.925995] 
[   17.926013] Allocated by task 213:
[   17.926044]  kasan_save_stack+0x3c/0x68
[   17.926086]  kasan_save_track+0x20/0x40
[   17.926124]  kasan_save_alloc_info+0x40/0x58
[   17.926164]  __kasan_slab_alloc+0xa8/0xb0
[   17.926202]  kmem_cache_alloc_noprof+0x10c/0x398
[   17.926244]  kmem_cache_rcu_uaf+0x12c/0x468
[   17.926281]  kunit_try_run_case+0x170/0x3f0
[   17.926332]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.926375]  kthread+0x328/0x630
[   17.926407]  ret_from_fork+0x10/0x20
[   17.926443] 
[   17.926462] Freed by task 0:
[   17.926489]  kasan_save_stack+0x3c/0x68
[   17.926526]  kasan_save_track+0x20/0x40
[   17.926564]  kasan_save_free_info+0x4c/0x78
[   17.926605]  __kasan_slab_free+0x6c/0x98
[   17.926642]  slab_free_after_rcu_debug+0xd4/0x2f8
[   17.926683]  rcu_core+0x9f4/0x1e20
[   17.926719]  rcu_core_si+0x18/0x30
[   17.926754]  handle_softirqs+0x374/0xb28
[   17.926791]  __do_softirq+0x1c/0x28
[   17.926826] 
[   17.926845] Last potentially related work creation:
[   17.926871]  kasan_save_stack+0x3c/0x68
[   17.926910]  kasan_record_aux_stack+0xb4/0xc8
[   17.926948]  kmem_cache_free+0x120/0x468
[   17.926986]  kmem_cache_rcu_uaf+0x16c/0x468
[   17.927021]  kunit_try_run_case+0x170/0x3f0
[   17.927060]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.927102]  kthread+0x328/0x630
[   17.927133]  ret_from_fork+0x10/0x20
[   17.927169] 
[   17.927187] The buggy address belongs to the object at fff00000c7997000
[   17.927187]  which belongs to the cache test_cache of size 200
[   17.927246] The buggy address is located 0 bytes inside of
[   17.927246]  freed 200-byte region [fff00000c7997000, fff00000c79970c8)
[   17.927306] 
[   17.927337] The buggy address belongs to the physical page:
[   17.927371] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107997
[   17.927427] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.927480] page_type: f5(slab)
[   17.927524] raw: 0bfffe0000000000 fff00000c598d500 dead000000000122 0000000000000000
[   17.927575] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   17.927615] page dumped because: kasan: bad access detected
[   17.927647] 
[   17.927665] Memory state around the buggy address:
[   17.927700]  fff00000c7996f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.927745]  fff00000c7996f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.927788] >fff00000c7997000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.927828]                    ^
[   17.927855]  fff00000c7997080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   17.927897]  fff00000c7997100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.927936] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

303Mu3ntpbAl90E7xFJwTYkz6hg

job_id

TEST:linaro@lkft#303MxbItH1xNBq5DVzgi5f9Vk9B

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/303MxbItH1xNBq5DVzgi5f9Vk9B

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303MuvPW3SK4gLbQ1ALw5htqwSd/Image.gz
sha256sum	1d26a50b80602cf96dca0b9e5d4833d551bb9799e3e8f672f61c3fedb7c3633a

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303MuvPW3SK4gLbQ1ALw5htqwSd/modules.tar.xz
sha256sum	8d3b93659e4b7dd2c56e9a38da739978022e2707277d72909e50cc2549d4beb2

durations

tests

boot	0
kunit	169.06

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.2+ds-1

[   17.787481] ==================================================================
[   17.787581] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x388/0x468
[   17.787659] Read of size 1 at addr fff00000c775f000 by task kunit_try_catch/213
[   17.787730] 
[   17.787874] CPU: 0 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   17.788056] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.788084] Hardware name: linux,dummy-virt (DT)
[   17.788118] Call trace:
[   17.788141]  show_stack+0x20/0x38 (C)
[   17.788197]  dump_stack_lvl+0x8c/0xd0
[   17.788370]  print_report+0x118/0x5d0
[   17.788546]  kasan_report+0xdc/0x128
[   17.788686]  __asan_report_load1_noabort+0x20/0x30
[   17.788765]  kmem_cache_rcu_uaf+0x388/0x468
[   17.788813]  kunit_try_run_case+0x170/0x3f0
[   17.788862]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.788915]  kthread+0x328/0x630
[   17.788958]  ret_from_fork+0x10/0x20
[   17.789006] 
[   17.789024] Allocated by task 213:
[   17.789056]  kasan_save_stack+0x3c/0x68
[   17.789100]  kasan_save_track+0x20/0x40
[   17.789144]  kasan_save_alloc_info+0x40/0x58
[   17.789370]  __kasan_slab_alloc+0xa8/0xb0
[   17.789585]  kmem_cache_alloc_noprof+0x10c/0x398
[   17.789645]  kmem_cache_rcu_uaf+0x12c/0x468
[   17.790418]  kunit_try_run_case+0x170/0x3f0
[   17.790515]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.790630]  kthread+0x328/0x630
[   17.790737]  ret_from_fork+0x10/0x20
[   17.790860] 
[   17.790883] Freed by task 0:
[   17.790911]  kasan_save_stack+0x3c/0x68
[   17.790951]  kasan_save_track+0x20/0x40
[   17.791303]  kasan_save_free_info+0x4c/0x78
[   17.791346]  __kasan_slab_free+0x6c/0x98
[   17.791381]  slab_free_after_rcu_debug+0xd4/0x2f8
[   17.791422]  rcu_core+0x9f4/0x1e20
[   17.791459]  rcu_core_si+0x18/0x30
[   17.791525]  handle_softirqs+0x374/0xb28
[   17.791583]  __do_softirq+0x1c/0x28
[   17.791982] 
[   17.792002] Last potentially related work creation:
[   17.792031]  kasan_save_stack+0x3c/0x68
[   17.792069]  kasan_record_aux_stack+0xb4/0xc8
[   17.792110]  kmem_cache_free+0x120/0x468
[   17.792147]  kmem_cache_rcu_uaf+0x16c/0x468
[   17.792184]  kunit_try_run_case+0x170/0x3f0
[   17.792221]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.792264]  kthread+0x328/0x630
[   17.792294]  ret_from_fork+0x10/0x20
[   17.792329] 
[   17.792348] The buggy address belongs to the object at fff00000c775f000
[   17.792348]  which belongs to the cache test_cache of size 200
[   17.792438] The buggy address is located 0 bytes inside of
[   17.792438]  freed 200-byte region [fff00000c775f000, fff00000c775f0c8)
[   17.792512] 
[   17.792536] The buggy address belongs to the physical page:
[   17.792596] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10775f
[   17.792653] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.792707] page_type: f5(slab)
[   17.792763] raw: 0bfffe0000000000 fff00000c56bd8c0 dead000000000122 0000000000000000
[   17.792814] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   17.792855] page dumped because: kasan: bad access detected
[   17.792886] 
[   17.792903] Memory state around the buggy address:
[   17.792937]  fff00000c775ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.792982]  fff00000c775ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.793052] >fff00000c775f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   17.793250]                    ^
[   17.793291]  fff00000c775f080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   17.793337]  fff00000c775f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.793409] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

303Sxu1j8OyuX5lG527CuRMl0zm

job_id

TEST:linaro@lkft#303T1aQDgvcqrgu9gN0OeLGQz0C

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/303T1aQDgvcqrgu9gN0OeLGQz0C

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303Syw9B0zr00cacsipIIbuVtmO/Image.gz
sha256sum	5b11eefa6d464ac909c4aaf2b2e503862ad9b898749580b0c74823fda864756c

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303Syw9B0zr00cacsipIIbuVtmO/modules.tar.xz
sha256sum	5f304fbdafbe519859f7c742752446676e8da2e281160c33189afc6b1f45e458

durations

tests

boot	0
kunit	175.36

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.2+ds-1

[   13.011829] ==================================================================
[   13.012449] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[   13.013864] Read of size 1 at addr ffff888102e39000 by task kunit_try_catch/230
[   13.014304] 
[   13.014415] CPU: 0 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   13.014465] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.014476] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.014500] Call Trace:
[   13.014512]  <TASK>
[   13.014531]  dump_stack_lvl+0x73/0xb0
[   13.014566]  print_report+0xd1/0x610
[   13.014589]  ? __virt_addr_valid+0x1db/0x2d0
[   13.014614]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   13.014704]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.015015]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   13.015042]  kasan_report+0x141/0x180
[   13.015065]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   13.015095]  __asan_report_load1_noabort+0x18/0x20
[   13.015120]  kmem_cache_rcu_uaf+0x3e3/0x510
[   13.015144]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[   13.015167]  ? finish_task_switch.isra.0+0x153/0x700
[   13.015193]  ? __switch_to+0x47/0xf50
[   13.015224]  ? __pfx_read_tsc+0x10/0x10
[   13.015246]  ? ktime_get_ts64+0x86/0x230
[   13.015272]  kunit_try_run_case+0x1a5/0x480
[   13.015299]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.015322]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.015348]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.015372]  ? __kthread_parkme+0x82/0x180
[   13.015394]  ? preempt_count_sub+0x50/0x80
[   13.015418]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.015442]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.015467]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.015491]  kthread+0x337/0x6f0
[   13.015510]  ? trace_preempt_on+0x20/0xc0
[   13.015720]  ? __pfx_kthread+0x10/0x10
[   13.015747]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.015771]  ? calculate_sigpending+0x7b/0xa0
[   13.015797]  ? __pfx_kthread+0x10/0x10
[   13.015821]  ret_from_fork+0x116/0x1d0
[   13.015842]  ? __pfx_kthread+0x10/0x10
[   13.015864]  ret_from_fork_asm+0x1a/0x30
[   13.015913]  </TASK>
[   13.015925] 
[   13.027261] Allocated by task 230:
[   13.027506]  kasan_save_stack+0x45/0x70
[   13.028094]  kasan_save_track+0x18/0x40
[   13.028282]  kasan_save_alloc_info+0x3b/0x50
[   13.028482]  __kasan_slab_alloc+0x91/0xa0
[   13.029046]  kmem_cache_alloc_noprof+0x123/0x3f0
[   13.029400]  kmem_cache_rcu_uaf+0x155/0x510
[   13.029836]  kunit_try_run_case+0x1a5/0x480
[   13.030218]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.030475]  kthread+0x337/0x6f0
[   13.030961]  ret_from_fork+0x116/0x1d0
[   13.031134]  ret_from_fork_asm+0x1a/0x30
[   13.031318] 
[   13.031406] Freed by task 0:
[   13.032057]  kasan_save_stack+0x45/0x70
[   13.032284]  kasan_save_track+0x18/0x40
[   13.032461]  kasan_save_free_info+0x3f/0x60
[   13.033108]  __kasan_slab_free+0x56/0x70
[   13.033354]  slab_free_after_rcu_debug+0xe4/0x310
[   13.033726]  rcu_core+0x66f/0x1c40
[   13.033910]  rcu_core_si+0x12/0x20
[   13.034251]  handle_softirqs+0x209/0x730
[   13.034753]  __irq_exit_rcu+0xc9/0x110
[   13.034972]  irq_exit_rcu+0x12/0x20
[   13.035289]  sysvec_apic_timer_interrupt+0x81/0x90
[   13.035502]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   13.035742] 
[   13.035827] Last potentially related work creation:
[   13.036862]  kasan_save_stack+0x45/0x70
[   13.037136]  kasan_record_aux_stack+0xb2/0xc0
[   13.037344]  kmem_cache_free+0x131/0x420
[   13.037523]  kmem_cache_rcu_uaf+0x194/0x510
[   13.037710]  kunit_try_run_case+0x1a5/0x480
[   13.037909]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.038795]  kthread+0x337/0x6f0
[   13.039262]  ret_from_fork+0x116/0x1d0
[   13.039459]  ret_from_fork_asm+0x1a/0x30
[   13.039827] 
[   13.039928] The buggy address belongs to the object at ffff888102e39000
[   13.039928]  which belongs to the cache test_cache of size 200
[   13.041011] The buggy address is located 0 bytes inside of
[   13.041011]  freed 200-byte region [ffff888102e39000, ffff888102e390c8)
[   13.041966] 
[   13.042073] The buggy address belongs to the physical page:
[   13.042258] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102e39
[   13.042510] flags: 0x200000000000000(node=0|zone=2)
[   13.042682] page_type: f5(slab)
[   13.042816] raw: 0200000000000000 ffff888101ba63c0 dead000000000122 0000000000000000
[   13.043324] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   13.043769] page dumped because: kasan: bad access detected
[   13.044403] 
[   13.044640] Memory state around the buggy address:
[   13.045113]  ffff888102e38f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.045405]  ffff888102e38f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.045707] >ffff888102e39000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.046424]                    ^
[   13.046805]  ffff888102e39080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   13.047511]  ffff888102e39100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.048279] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

303Sxu1j8OyuX5lG527CuRMl0zm

job_id

TEST:linaro@lkft#303T2OzuK6lIw4rRFlSAhCs7bnu

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/303T2OzuK6lIw4rRFlSAhCs7bnu

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303Szma0mGNAiZG6rKGjPWN7fGT/bzImage
sha256sum	42041c61d6e46ef309c371e5fe2f53a0c6849e7beec0f7e1f396b9c65c0adbb2

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303Szma0mGNAiZG6rKGjPWN7fGT/modules.tar.xz
sha256sum	02cd970151971431ac5e5e4fcd602180a5476f25314259d1f76384cd0f280f1b

durations

tests

boot	0
kunit	226.78

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.2+ds-1

[   12.843709] ==================================================================
[   12.844148] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[   12.844408] Read of size 1 at addr ffff8881026ea000 by task kunit_try_catch/231
[   12.844745] 
[   12.844842] CPU: 1 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   12.844888] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.844899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.844922] Call Trace:
[   12.844934]  <TASK>
[   12.844952]  dump_stack_lvl+0x73/0xb0
[   12.844983]  print_report+0xd1/0x610
[   12.845006]  ? __virt_addr_valid+0x1db/0x2d0
[   12.845031]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   12.845053]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.845075]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   12.845098]  kasan_report+0x141/0x180
[   12.845119]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   12.845153]  __asan_report_load1_noabort+0x18/0x20
[   12.845177]  kmem_cache_rcu_uaf+0x3e3/0x510
[   12.845200]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[   12.845222]  ? finish_task_switch.isra.0+0x153/0x700
[   12.845246]  ? __switch_to+0x47/0xf50
[   12.845269]  ? irqentry_exit+0x2a/0x60
[   12.845290]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   12.845316]  ? irqentry_exit+0x2a/0x60
[   12.845336]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   12.845358]  ? __pfx_read_tsc+0x10/0x10
[   12.845379]  ? ktime_get_ts64+0x86/0x230
[   12.845404]  kunit_try_run_case+0x1a5/0x480
[   12.845430]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.845463]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.845487]  ? _raw_spin_unlock_irqrestore+0x49/0x90
[   12.845512]  ? preempt_count_sub+0x50/0x80
[   12.845535]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.845625]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.845649]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.845672]  kthread+0x337/0x6f0
[   12.845694]  ? trace_preempt_on+0x20/0xc0
[   12.845717]  ? __pfx_kthread+0x10/0x10
[   12.845737]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.845758]  ? calculate_sigpending+0x7b/0xa0
[   12.845783]  ? __pfx_kthread+0x10/0x10
[   12.845804]  ret_from_fork+0x116/0x1d0
[   12.846044]  ? __pfx_kthread+0x10/0x10
[   12.846065]  ret_from_fork_asm+0x1a/0x30
[   12.846099]  </TASK>
[   12.846109] 
[   12.857959] Allocated by task 231:
[   12.858139]  kasan_save_stack+0x45/0x70
[   12.858326]  kasan_save_track+0x18/0x40
[   12.859046]  kasan_save_alloc_info+0x3b/0x50
[   12.859236]  __kasan_slab_alloc+0x91/0xa0
[   12.859625]  kmem_cache_alloc_noprof+0x123/0x3f0
[   12.859838]  kmem_cache_rcu_uaf+0x155/0x510
[   12.860048]  kunit_try_run_case+0x1a5/0x480
[   12.860226]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.860516]  kthread+0x337/0x6f0
[   12.860814]  ret_from_fork+0x116/0x1d0
[   12.861003]  ret_from_fork_asm+0x1a/0x30
[   12.861188] 
[   12.861280] Freed by task 0:
[   12.861402]  kasan_save_stack+0x45/0x70
[   12.861549]  kasan_save_track+0x18/0x40
[   12.861709]  kasan_save_free_info+0x3f/0x60
[   12.862017]  __kasan_slab_free+0x56/0x70
[   12.862215]  slab_free_after_rcu_debug+0xe4/0x310
[   12.862683]  rcu_core+0x66f/0x1c40
[   12.862822]  rcu_core_si+0x12/0x20
[   12.862968]  handle_softirqs+0x209/0x730
[   12.863196]  __irq_exit_rcu+0xc9/0x110
[   12.863372]  irq_exit_rcu+0x12/0x20
[   12.863632]  sysvec_apic_timer_interrupt+0x81/0x90
[   12.863880]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   12.864128] 
[   12.864218] Last potentially related work creation:
[   12.864531]  kasan_save_stack+0x45/0x70
[   12.864755]  kasan_record_aux_stack+0xb2/0xc0
[   12.864955]  kmem_cache_free+0x131/0x420
[   12.865095]  kmem_cache_rcu_uaf+0x194/0x510
[   12.865247]  kunit_try_run_case+0x1a5/0x480
[   12.865459]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.865740]  kthread+0x337/0x6f0
[   12.865907]  ret_from_fork+0x116/0x1d0
[   12.866293]  ret_from_fork_asm+0x1a/0x30
[   12.866486] 
[   12.866574] The buggy address belongs to the object at ffff8881026ea000
[   12.866574]  which belongs to the cache test_cache of size 200
[   12.867226] The buggy address is located 0 bytes inside of
[   12.867226]  freed 200-byte region [ffff8881026ea000, ffff8881026ea0c8)
[   12.868013] 
[   12.868132] The buggy address belongs to the physical page:
[   12.868369] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026ea
[   12.868782] flags: 0x200000000000000(node=0|zone=2)
[   12.869032] page_type: f5(slab)
[   12.869199] raw: 0200000000000000 ffff8881015ea780 dead000000000122 0000000000000000
[   12.869561] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   12.869972] page dumped because: kasan: bad access detected
[   12.870223] 
[   12.870320] Memory state around the buggy address:
[   12.870571]  ffff8881026e9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.871071]  ffff8881026e9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.871395] >ffff8881026ea000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.871618]                    ^
[   12.871734]  ffff8881026ea080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   12.872045]  ffff8881026ea100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.872719] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

303EBflBPqSbIUkiUzReBHe3YjN

job_id

TEST:linaro@lkft#303EFrR321z66uMtHD4l4dQQryi

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/303EFrR321z66uMtHD4l4dQQryi

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303EDHUQV2HWml6WToh69KJUFJb/bzImage
sha256sum	c220f70d9515ab3041e245bb6755df814c152e1bb2b5c646740fe1b3afdde8b5

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303EDHUQV2HWml6WToh69KJUFJb/modules.tar.xz
sha256sum	ab8bf28231ab6c259d2b1478935ea551409070bcef8061d01f520819ad2ce3b6

durations

tests

boot	0
kunit	217.45

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.2+ds-1

[   13.048230] ==================================================================
[   13.048804] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3e3/0x510
[   13.049277] Read of size 1 at addr ffff88810341e000 by task kunit_try_catch/230
[   13.049668] 
[   13.049769] CPU: 1 UID: 0 PID: 230 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   13.049820] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.049831] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.049854] Call Trace:
[   13.049867]  <TASK>
[   13.049885]  dump_stack_lvl+0x73/0xb0
[   13.049918]  print_report+0xd1/0x610
[   13.049942]  ? __virt_addr_valid+0x1db/0x2d0
[   13.049992]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   13.050027]  ? kasan_complete_mode_report_info+0x64/0x200
[   13.050050]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   13.050073]  kasan_report+0x141/0x180
[   13.050095]  ? kmem_cache_rcu_uaf+0x3e3/0x510
[   13.050122]  __asan_report_load1_noabort+0x18/0x20
[   13.050209]  kmem_cache_rcu_uaf+0x3e3/0x510
[   13.050233]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10
[   13.050256]  ? finish_task_switch.isra.0+0x153/0x700
[   13.050282]  ? __switch_to+0x47/0xf50
[   13.050312]  ? __pfx_read_tsc+0x10/0x10
[   13.050333]  ? ktime_get_ts64+0x86/0x230
[   13.050380]  kunit_try_run_case+0x1a5/0x480
[   13.050408]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.050430]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.050455]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.050478]  ? __kthread_parkme+0x82/0x180
[   13.050499]  ? preempt_count_sub+0x50/0x80
[   13.050540]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.050564]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.050587]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.050611]  kthread+0x337/0x6f0
[   13.050629]  ? trace_preempt_on+0x20/0xc0
[   13.050654]  ? __pfx_kthread+0x10/0x10
[   13.050674]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.050694]  ? calculate_sigpending+0x7b/0xa0
[   13.050719]  ? __pfx_kthread+0x10/0x10
[   13.050739]  ret_from_fork+0x116/0x1d0
[   13.050758]  ? __pfx_kthread+0x10/0x10
[   13.050778]  ret_from_fork_asm+0x1a/0x30
[   13.051243]  </TASK>
[   13.051257] 
[   13.061494] Allocated by task 230:
[   13.061711]  kasan_save_stack+0x45/0x70
[   13.062260]  kasan_save_track+0x18/0x40
[   13.062445]  kasan_save_alloc_info+0x3b/0x50
[   13.062664]  __kasan_slab_alloc+0x91/0xa0
[   13.062844]  kmem_cache_alloc_noprof+0x123/0x3f0
[   13.063176]  kmem_cache_rcu_uaf+0x155/0x510
[   13.063651]  kunit_try_run_case+0x1a5/0x480
[   13.063952]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.064204]  kthread+0x337/0x6f0
[   13.064380]  ret_from_fork+0x116/0x1d0
[   13.064751]  ret_from_fork_asm+0x1a/0x30
[   13.065056] 
[   13.065188] Freed by task 0:
[   13.065466]  kasan_save_stack+0x45/0x70
[   13.065670]  kasan_save_track+0x18/0x40
[   13.066002]  kasan_save_free_info+0x3f/0x60
[   13.066390]  __kasan_slab_free+0x56/0x70
[   13.066669]  slab_free_after_rcu_debug+0xe4/0x310
[   13.066882]  rcu_core+0x66f/0x1c40
[   13.067256]  rcu_core_si+0x12/0x20
[   13.067734]  handle_softirqs+0x209/0x730
[   13.067916]  __irq_exit_rcu+0xc9/0x110
[   13.068154]  irq_exit_rcu+0x12/0x20
[   13.068612]  sysvec_apic_timer_interrupt+0x81/0x90
[   13.068813]  asm_sysvec_apic_timer_interrupt+0x1f/0x30
[   13.069120] 
[   13.069510] Last potentially related work creation:
[   13.069724]  kasan_save_stack+0x45/0x70
[   13.069919]  kasan_record_aux_stack+0xb2/0xc0
[   13.070199]  kmem_cache_free+0x131/0x420
[   13.070408]  kmem_cache_rcu_uaf+0x194/0x510
[   13.070635]  kunit_try_run_case+0x1a5/0x480
[   13.070843]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.071102]  kthread+0x337/0x6f0
[   13.071425]  ret_from_fork+0x116/0x1d0
[   13.071704]  ret_from_fork_asm+0x1a/0x30
[   13.071885] 
[   13.071991] The buggy address belongs to the object at ffff88810341e000
[   13.071991]  which belongs to the cache test_cache of size 200
[   13.072660] The buggy address is located 0 bytes inside of
[   13.072660]  freed 200-byte region [ffff88810341e000, ffff88810341e0c8)
[   13.073170] 
[   13.073295] The buggy address belongs to the physical page:
[   13.073738] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10341e
[   13.074087] flags: 0x200000000000000(node=0|zone=2)
[   13.074315] page_type: f5(slab)
[   13.074445] raw: 0200000000000000 ffff888100fa1c80 dead000000000122 0000000000000000
[   13.074792] raw: 0000000000000000 00000000800f000f 00000000f5000000 0000000000000000
[   13.075123] page dumped because: kasan: bad access detected
[   13.075373] 
[   13.075617] Memory state around the buggy address:
[   13.075786]  ffff88810341df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.076159]  ffff88810341df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.076378] >ffff88810341e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   13.076651]                    ^
[   13.076812]  ffff88810341e080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   13.077143]  ffff88810341e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   13.077430] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

303Mu3ntpbAl90E7xFJwTYkz6hg

job_id

TEST:linaro@lkft#303MyNrXgiUK2WQ9kAj3BzGphCF

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/303MyNrXgiUK2WQ9kAj3BzGphCF

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303MvjxJUPUp0dSFAYAM6r89zAg/bzImage
sha256sum	e715e0f52245accf83f401d29cc1c2f3b2a59bbdf3f5ad590c1c6f981a5169eb

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303MvjxJUPUp0dSFAYAM6r89zAg/modules.tar.xz
sha256sum	a6fb5fb0c5521f1f236c8b67ce1b76fdcd44954d158362bf4d88d0d9d544c595

durations

tests

boot	0
kunit	233.03

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.2+ds-1

Metadata

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit