lkft/sashal-linus-next - v6.13-rc7-43871-g530dddedcd5a - log-parser-boot/kasan-bug-kasan-slab-use-after-free-in-workqueue_uaf

Date

July 18, 2025, 2:09 p.m.

Environment
qemu-arm64
qemu-x86_64

[   17.586283] ==================================================================
[   17.586391] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   17.586646] Read of size 8 at addr fff00000c788db40 by task kunit_try_catch/200
[   17.586704] 
[   17.586765] CPU: 1 UID: 0 PID: 200 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   17.586865] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.586891] Hardware name: linux,dummy-virt (DT)
[   17.586923] Call trace:
[   17.586946]  show_stack+0x20/0x38 (C)
[   17.586998]  dump_stack_lvl+0x8c/0xd0
[   17.587048]  print_report+0x118/0x5d0
[   17.587096]  kasan_report+0xdc/0x128
[   17.587141]  __asan_report_load8_noabort+0x20/0x30
[   17.587193]  workqueue_uaf+0x480/0x4a8
[   17.587238]  kunit_try_run_case+0x170/0x3f0
[   17.587287]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.587806]  kthread+0x328/0x630
[   17.587870]  ret_from_fork+0x10/0x20
[   17.587921] 
[   17.587939] Allocated by task 200:
[   17.587969]  kasan_save_stack+0x3c/0x68
[   17.588012]  kasan_save_track+0x20/0x40
[   17.588052]  kasan_save_alloc_info+0x40/0x58
[   17.588092]  __kasan_kmalloc+0xd4/0xd8
[   17.588129]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.588328]  workqueue_uaf+0x13c/0x4a8
[   17.588542]  kunit_try_run_case+0x170/0x3f0
[   17.588618]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.588682]  kthread+0x328/0x630
[   17.588716]  ret_from_fork+0x10/0x20
[   17.589142] 
[   17.589220] Freed by task 47:
[   17.589261]  kasan_save_stack+0x3c/0x68
[   17.589489]  kasan_save_track+0x20/0x40
[   17.589647]  kasan_save_free_info+0x4c/0x78
[   17.589807]  __kasan_slab_free+0x6c/0x98
[   17.589872]  kfree+0x214/0x3c8
[   17.590176]  workqueue_uaf_work+0x18/0x30
[   17.590333]  process_one_work+0x530/0xf98
[   17.590421]  worker_thread+0x618/0xf38
[   17.590458]  kthread+0x328/0x630
[   17.590637]  ret_from_fork+0x10/0x20
[   17.590817] 
[   17.590911] Last potentially related work creation:
[   17.590969]  kasan_save_stack+0x3c/0x68
[   17.591045]  kasan_record_aux_stack+0xb4/0xc8
[   17.591425]  __queue_work+0x65c/0x1008
[   17.591565]  queue_work_on+0xbc/0xf8
[   17.591623]  workqueue_uaf+0x210/0x4a8
[   17.591805]  kunit_try_run_case+0x170/0x3f0
[   17.591866]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.591908]  kthread+0x328/0x630
[   17.591949]  ret_from_fork+0x10/0x20
[   17.591984] 
[   17.592005] The buggy address belongs to the object at fff00000c788db40
[   17.592005]  which belongs to the cache kmalloc-32 of size 32
[   17.592066] The buggy address is located 0 bytes inside of
[   17.592066]  freed 32-byte region [fff00000c788db40, fff00000c788db60)
[   17.592127] 
[   17.592148] The buggy address belongs to the physical page:
[   17.592405] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10788d
[   17.592497] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.592620] page_type: f5(slab)
[   17.592720] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   17.592773] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   17.593118] page dumped because: kasan: bad access detected
[   17.593174] 
[   17.593210] Memory state around the buggy address:
[   17.593263]  fff00000c788da00: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   17.593400]  fff00000c788da80: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   17.593483] >fff00000c788db00: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[   17.593775]                                            ^
[   17.593864]  fff00000c788db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.593975]  fff00000c788dc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.594016] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

303EBflBPqSbIUkiUzReBHe3YjN

job_id

TEST:linaro@lkft#303EF25Pp9Vi9nJKRzPLQTha4DW

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/303EF25Pp9Vi9nJKRzPLQTha4DW

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303ECYTm040GLO6kXFdSkAckpUQ/Image.gz
sha256sum	0cd43a55510452afcc094a9b71b52e570abcb0018a9c4b3e8c55713d88f43dcd

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303ECYTm040GLO6kXFdSkAckpUQ/modules.tar.xz
sha256sum	1123cbd40eab351130997a1b3dcec1375004e5d45c47d69105fc241be8d9036c

durations

tests

boot	0
kunit	182.38

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.2+ds-1

[   16.996297] ==================================================================
[   16.996420] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   16.996475] Read of size 8 at addr fff00000c794c800 by task kunit_try_catch/200
[   16.996595] 
[   16.996737] CPU: 1 UID: 0 PID: 200 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   16.996871] Tainted: [B]=BAD_PAGE, [N]=TEST
[   16.996912] Hardware name: linux,dummy-virt (DT)
[   16.996945] Call trace:
[   16.996990]  show_stack+0x20/0x38 (C)
[   16.997041]  dump_stack_lvl+0x8c/0xd0
[   16.997230]  print_report+0x118/0x5d0
[   16.997279]  kasan_report+0xdc/0x128
[   16.997336]  __asan_report_load8_noabort+0x20/0x30
[   16.997388]  workqueue_uaf+0x480/0x4a8
[   16.997433]  kunit_try_run_case+0x170/0x3f0
[   16.997479]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.997532]  kthread+0x328/0x630
[   16.997573]  ret_from_fork+0x10/0x20
[   16.997796] 
[   16.997815] Allocated by task 200:
[   16.997890]  kasan_save_stack+0x3c/0x68
[   16.997971]  kasan_save_track+0x20/0x40
[   16.998061]  kasan_save_alloc_info+0x40/0x58
[   16.998214]  __kasan_kmalloc+0xd4/0xd8
[   16.998353]  __kmalloc_cache_noprof+0x16c/0x3c0
[   16.998398]  workqueue_uaf+0x13c/0x4a8
[   16.998489]  kunit_try_run_case+0x170/0x3f0
[   16.998530]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   16.998575]  kthread+0x328/0x630
[   16.998607]  ret_from_fork+0x10/0x20
[   16.998836] 
[   16.998906] Freed by task 48:
[   16.999017]  kasan_save_stack+0x3c/0x68
[   16.999184]  kasan_save_track+0x20/0x40
[   16.999232]  kasan_save_free_info+0x4c/0x78
[   16.999274]  __kasan_slab_free+0x6c/0x98
[   16.999310]  kfree+0x214/0x3c8
[   16.999351]  workqueue_uaf_work+0x18/0x30
[   16.999387]  process_one_work+0x530/0xf98
[   16.999447]  worker_thread+0x618/0xf38
[   16.999481]  kthread+0x328/0x630
[   16.999513]  ret_from_fork+0x10/0x20
[   16.999550] 
[   16.999568] Last potentially related work creation:
[   16.999596]  kasan_save_stack+0x3c/0x68
[   16.999683]  kasan_record_aux_stack+0xb4/0xc8
[   16.999790]  __queue_work+0x65c/0x1008
[   16.999862]  queue_work_on+0xbc/0xf8
[   16.999951]  workqueue_uaf+0x210/0x4a8
[   17.000017]  kunit_try_run_case+0x170/0x3f0
[   17.000053]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.000131]  kthread+0x328/0x630
[   17.000183]  ret_from_fork+0x10/0x20
[   17.000226] 
[   17.000247] The buggy address belongs to the object at fff00000c794c800
[   17.000247]  which belongs to the cache kmalloc-32 of size 32
[   17.000308] The buggy address is located 0 bytes inside of
[   17.000308]  freed 32-byte region [fff00000c794c800, fff00000c794c820)
[   17.000400] 
[   17.000422] The buggy address belongs to the physical page:
[   17.000453] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10794c
[   17.000505] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.000554] page_type: f5(slab)
[   17.000638] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   17.000727] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   17.000778] page dumped because: kasan: bad access detected
[   17.000809] 
[   17.000827] Memory state around the buggy address:
[   17.000877]  fff00000c794c700: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   17.000920]  fff00000c794c780: 00 00 00 fc fc fc fc fc 00 00 00 07 fc fc fc fc
[   17.000963] >fff00000c794c800: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   17.001054]                    ^
[   17.001081]  fff00000c794c880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.001123]  fff00000c794c900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.001161] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

303Mu3ntpbAl90E7xFJwTYkz6hg

job_id

TEST:linaro@lkft#303MxbItH1xNBq5DVzgi5f9Vk9B

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/303MxbItH1xNBq5DVzgi5f9Vk9B

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303MuvPW3SK4gLbQ1ALw5htqwSd/Image.gz
sha256sum	1d26a50b80602cf96dca0b9e5d4833d551bb9799e3e8f672f61c3fedb7c3633a

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303MuvPW3SK4gLbQ1ALw5htqwSd/modules.tar.xz
sha256sum	8d3b93659e4b7dd2c56e9a38da739978022e2707277d72909e50cc2549d4beb2

durations

tests

boot	0
kunit	169.06

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.2+ds-1

[   17.019142] ==================================================================
[   17.019232] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[   17.019549] Read of size 8 at addr fff00000c7756140 by task kunit_try_catch/200
[   17.019601] 
[   17.019642] CPU: 0 UID: 0 PID: 200 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT 
[   17.019740] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.019766] Hardware name: linux,dummy-virt (DT)
[   17.019933] Call trace:
[   17.019967]  show_stack+0x20/0x38 (C)
[   17.020226]  dump_stack_lvl+0x8c/0xd0
[   17.020278]  print_report+0x118/0x5d0
[   17.020325]  kasan_report+0xdc/0x128
[   17.020370]  __asan_report_load8_noabort+0x20/0x30
[   17.020423]  workqueue_uaf+0x480/0x4a8
[   17.020467]  kunit_try_run_case+0x170/0x3f0
[   17.020516]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.021610]  kthread+0x328/0x630
[   17.021693]  ret_from_fork+0x10/0x20
[   17.022237] 
[   17.022265] Allocated by task 200:
[   17.022391]  kasan_save_stack+0x3c/0x68
[   17.022441]  kasan_save_track+0x20/0x40
[   17.022845]  kasan_save_alloc_info+0x40/0x58
[   17.022899]  __kasan_kmalloc+0xd4/0xd8
[   17.022945]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.023125]  workqueue_uaf+0x13c/0x4a8
[   17.023181]  kunit_try_run_case+0x170/0x3f0
[   17.023222]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.023266]  kthread+0x328/0x630
[   17.023298]  ret_from_fork+0x10/0x20
[   17.023335] 
[   17.023355] Freed by task 75:
[   17.023383]  kasan_save_stack+0x3c/0x68
[   17.023421]  kasan_save_track+0x20/0x40
[   17.023460]  kasan_save_free_info+0x4c/0x78
[   17.023498]  __kasan_slab_free+0x6c/0x98
[   17.023534]  kfree+0x214/0x3c8
[   17.024343]  workqueue_uaf_work+0x18/0x30
[   17.024422]  process_one_work+0x530/0xf98
[   17.024799]  worker_thread+0x618/0xf38
[   17.024860]  kthread+0x328/0x630
[   17.025189]  ret_from_fork+0x10/0x20
[   17.025242] 
[   17.025269] Last potentially related work creation:
[   17.025309]  kasan_save_stack+0x3c/0x68
[   17.025350]  kasan_record_aux_stack+0xb4/0xc8
[   17.025774]  __queue_work+0x65c/0x1008
[   17.025865]  queue_work_on+0xbc/0xf8
[   17.026138]  workqueue_uaf+0x210/0x4a8
[   17.026412]  kunit_try_run_case+0x170/0x3f0
[   17.026462]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.026976]  kthread+0x328/0x630
[   17.027192]  ret_from_fork+0x10/0x20
[   17.027239] 
[   17.027262] The buggy address belongs to the object at fff00000c7756140
[   17.027262]  which belongs to the cache kmalloc-32 of size 32
[   17.027324] The buggy address is located 0 bytes inside of
[   17.027324]  freed 32-byte region [fff00000c7756140, fff00000c7756160)
[   17.027774] 
[   17.027799] The buggy address belongs to the physical page:
[   17.028046] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107756
[   17.028107] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.028162] page_type: f5(slab)
[   17.028810] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[   17.029188] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   17.029484] page dumped because: kasan: bad access detected
[   17.030027] 
[   17.030126] Memory state around the buggy address:
[   17.030315]  fff00000c7756000: 00 00 00 fc fc fc fc fc 00 00 03 fc fc fc fc fc
[   17.030382]  fff00000c7756080: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   17.030425] >fff00000c7756100: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[   17.030864]                                            ^
[   17.030917]  fff00000c7756180: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.031225]  fff00000c7756200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.031267] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

303Sxu1j8OyuX5lG527CuRMl0zm

job_id

TEST:linaro@lkft#303T1aQDgvcqrgu9gN0OeLGQz0C

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/303T1aQDgvcqrgu9gN0OeLGQz0C

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303Syw9B0zr00cacsipIIbuVtmO/Image.gz
sha256sum	5b11eefa6d464ac909c4aaf2b2e503862ad9b898749580b0c74823fda864756c

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303Syw9B0zr00cacsipIIbuVtmO/modules.tar.xz
sha256sum	5f304fbdafbe519859f7c742752446676e8da2e281160c33189afc6b1f45e458

durations

tests

boot	0
kunit	175.36

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.2+ds-1

[   12.834560] ==================================================================
[   12.835282] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   12.835517] Read of size 8 at addr ffff88810299c340 by task kunit_try_catch/217
[   12.836847] 
[   12.837220] CPU: 1 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   12.837271] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.837282] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.837304] Call Trace:
[   12.837316]  <TASK>
[   12.837334]  dump_stack_lvl+0x73/0xb0
[   12.837366]  print_report+0xd1/0x610
[   12.837389]  ? __virt_addr_valid+0x1db/0x2d0
[   12.837412]  ? workqueue_uaf+0x4d6/0x560
[   12.837433]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.837455]  ? workqueue_uaf+0x4d6/0x560
[   12.837477]  kasan_report+0x141/0x180
[   12.837498]  ? workqueue_uaf+0x4d6/0x560
[   12.837525]  __asan_report_load8_noabort+0x18/0x20
[   12.837550]  workqueue_uaf+0x4d6/0x560
[   12.837573]  ? __pfx_workqueue_uaf+0x10/0x10
[   12.837596]  ? __schedule+0x10cc/0x2b60
[   12.837618]  ? __pfx_read_tsc+0x10/0x10
[   12.837638]  ? ktime_get_ts64+0x86/0x230
[   12.837663]  kunit_try_run_case+0x1a5/0x480
[   12.837688]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.837710]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.837734]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.837757]  ? __kthread_parkme+0x82/0x180
[   12.837778]  ? preempt_count_sub+0x50/0x80
[   12.837802]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.837825]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.837849]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.837872]  kthread+0x337/0x6f0
[   12.837901]  ? trace_preempt_on+0x20/0xc0
[   12.837925]  ? __pfx_kthread+0x10/0x10
[   12.837945]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.837966]  ? calculate_sigpending+0x7b/0xa0
[   12.837990]  ? __pfx_kthread+0x10/0x10
[   12.838010]  ret_from_fork+0x116/0x1d0
[   12.838028]  ? __pfx_kthread+0x10/0x10
[   12.838048]  ret_from_fork_asm+0x1a/0x30
[   12.838080]  </TASK>
[   12.838091] 
[   12.851503] Allocated by task 217:
[   12.852083]  kasan_save_stack+0x45/0x70
[   12.852607]  kasan_save_track+0x18/0x40
[   12.853070]  kasan_save_alloc_info+0x3b/0x50
[   12.853432]  __kasan_kmalloc+0xb7/0xc0
[   12.853962]  __kmalloc_cache_noprof+0x189/0x420
[   12.854457]  workqueue_uaf+0x152/0x560
[   12.854998]  kunit_try_run_case+0x1a5/0x480
[   12.855344]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.855732]  kthread+0x337/0x6f0
[   12.855864]  ret_from_fork+0x116/0x1d0
[   12.856110]  ret_from_fork_asm+0x1a/0x30
[   12.856720] 
[   12.856992] Freed by task 44:
[   12.857340]  kasan_save_stack+0x45/0x70
[   12.857839]  kasan_save_track+0x18/0x40
[   12.858168]  kasan_save_free_info+0x3f/0x60
[   12.858825]  __kasan_slab_free+0x56/0x70
[   12.859153]  kfree+0x222/0x3f0
[   12.859279]  workqueue_uaf_work+0x12/0x20
[   12.859420]  process_one_work+0x5ee/0xf60
[   12.859683]  worker_thread+0x758/0x1220
[   12.860294]  kthread+0x337/0x6f0
[   12.860616]  ret_from_fork+0x116/0x1d0
[   12.861012]  ret_from_fork_asm+0x1a/0x30
[   12.861454] 
[   12.861617] Last potentially related work creation:
[   12.862027]  kasan_save_stack+0x45/0x70
[   12.862171]  kasan_record_aux_stack+0xb2/0xc0
[   12.862322]  __queue_work+0x626/0xeb0
[   12.862455]  queue_work_on+0xb6/0xc0
[   12.862732]  workqueue_uaf+0x26d/0x560
[   12.863083]  kunit_try_run_case+0x1a5/0x480
[   12.863686]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.864221]  kthread+0x337/0x6f0
[   12.864513]  ret_from_fork+0x116/0x1d0
[   12.864925]  ret_from_fork_asm+0x1a/0x30
[   12.865356] 
[   12.865520] The buggy address belongs to the object at ffff88810299c340
[   12.865520]  which belongs to the cache kmalloc-32 of size 32
[   12.866298] The buggy address is located 0 bytes inside of
[   12.866298]  freed 32-byte region [ffff88810299c340, ffff88810299c360)
[   12.866644] 
[   12.866718] The buggy address belongs to the physical page:
[   12.866911] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10299c
[   12.867180] flags: 0x200000000000000(node=0|zone=2)
[   12.867433] page_type: f5(slab)
[   12.867705] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   12.868044] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   12.868324] page dumped because: kasan: bad access detected
[   12.868577] 
[   12.868679] Memory state around the buggy address:
[   12.868890]  ffff88810299c200: 00 00 00 fc fc fc fc fc 00 00 05 fc fc fc fc fc
[   12.869190]  ffff88810299c280: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   12.869463] >ffff88810299c300: 00 00 00 fc fc fc fc fc fa fb fb fb fc fc fc fc
[   12.869775]                                            ^
[   12.870237]  ffff88810299c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.870699]  ffff88810299c400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.870935] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

303Sxu1j8OyuX5lG527CuRMl0zm

job_id

TEST:linaro@lkft#303T2OzuK6lIw4rRFlSAhCs7bnu

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/303T2OzuK6lIw4rRFlSAhCs7bnu

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303Szma0mGNAiZG6rKGjPWN7fGT/bzImage
sha256sum	42041c61d6e46ef309c371e5fe2f53a0c6849e7beec0f7e1f396b9c65c0adbb2

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303Szma0mGNAiZG6rKGjPWN7fGT/modules.tar.xz
sha256sum	02cd970151971431ac5e5e4fcd602180a5476f25314259d1f76384cd0f280f1b

durations

tests

boot	0
kunit	226.78

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.2+ds-1

[   12.645337] ==================================================================
[   12.646456] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   12.647097] Read of size 8 at addr ffff888102ae5f80 by task kunit_try_catch/218
[   12.647793] 
[   12.647976] CPU: 0 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   12.648022] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.648032] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.648053] Call Trace:
[   12.648065]  <TASK>
[   12.648081]  dump_stack_lvl+0x73/0xb0
[   12.648112]  print_report+0xd1/0x610
[   12.648134]  ? __virt_addr_valid+0x1db/0x2d0
[   12.648156]  ? workqueue_uaf+0x4d6/0x560
[   12.648177]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.648199]  ? workqueue_uaf+0x4d6/0x560
[   12.648220]  kasan_report+0x141/0x180
[   12.648241]  ? workqueue_uaf+0x4d6/0x560
[   12.648267]  __asan_report_load8_noabort+0x18/0x20
[   12.648291]  workqueue_uaf+0x4d6/0x560
[   12.648312]  ? __pfx_workqueue_uaf+0x10/0x10
[   12.648334]  ? __schedule+0x10cc/0x2b60
[   12.648356]  ? __pfx_read_tsc+0x10/0x10
[   12.648377]  ? ktime_get_ts64+0x86/0x230
[   12.648401]  kunit_try_run_case+0x1a5/0x480
[   12.648426]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.648460]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   12.648484]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   12.648507]  ? __kthread_parkme+0x82/0x180
[   12.648526]  ? preempt_count_sub+0x50/0x80
[   12.648551]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.648586]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.648610]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.648637]  kthread+0x337/0x6f0
[   12.648657]  ? trace_preempt_on+0x20/0xc0
[   12.648681]  ? __pfx_kthread+0x10/0x10
[   12.648700]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.648721]  ? calculate_sigpending+0x7b/0xa0
[   12.648745]  ? __pfx_kthread+0x10/0x10
[   12.648766]  ret_from_fork+0x116/0x1d0
[   12.648784]  ? __pfx_kthread+0x10/0x10
[   12.648804]  ret_from_fork_asm+0x1a/0x30
[   12.648836]  </TASK>
[   12.648846] 
[   12.662454] Allocated by task 218:
[   12.662839]  kasan_save_stack+0x45/0x70
[   12.663257]  kasan_save_track+0x18/0x40
[   12.663691]  kasan_save_alloc_info+0x3b/0x50
[   12.663958]  __kasan_kmalloc+0xb7/0xc0
[   12.664094]  __kmalloc_cache_noprof+0x189/0x420
[   12.664253]  workqueue_uaf+0x152/0x560
[   12.664386]  kunit_try_run_case+0x1a5/0x480
[   12.664821]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.665608]  kthread+0x337/0x6f0
[   12.665934]  ret_from_fork+0x116/0x1d0
[   12.666265]  ret_from_fork_asm+0x1a/0x30
[   12.666688] 
[   12.666846] Freed by task 9:
[   12.667116]  kasan_save_stack+0x45/0x70
[   12.667525]  kasan_save_track+0x18/0x40
[   12.667884]  kasan_save_free_info+0x3f/0x60
[   12.668048]  __kasan_slab_free+0x56/0x70
[   12.668186]  kfree+0x222/0x3f0
[   12.668302]  workqueue_uaf_work+0x12/0x20
[   12.668527]  process_one_work+0x5ee/0xf60
[   12.668918]  worker_thread+0x758/0x1220
[   12.669260]  kthread+0x337/0x6f0
[   12.669604]  ret_from_fork+0x116/0x1d0
[   12.670042]  ret_from_fork_asm+0x1a/0x30
[   12.670406] 
[   12.670606] Last potentially related work creation:
[   12.671162]  kasan_save_stack+0x45/0x70
[   12.671602]  kasan_record_aux_stack+0xb2/0xc0
[   12.671876]  __queue_work+0x626/0xeb0
[   12.672010]  queue_work_on+0xb6/0xc0
[   12.672140]  workqueue_uaf+0x26d/0x560
[   12.672271]  kunit_try_run_case+0x1a5/0x480
[   12.672466]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.672661]  kthread+0x337/0x6f0
[   12.672782]  ret_from_fork+0x116/0x1d0
[   12.672977]  ret_from_fork_asm+0x1a/0x30
[   12.673174] 
[   12.673242] The buggy address belongs to the object at ffff888102ae5f80
[   12.673242]  which belongs to the cache kmalloc-32 of size 32
[   12.673992] The buggy address is located 0 bytes inside of
[   12.673992]  freed 32-byte region [ffff888102ae5f80, ffff888102ae5fa0)
[   12.674472] 
[   12.674552] The buggy address belongs to the physical page:
[   12.674832] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102ae5
[   12.675136] flags: 0x200000000000000(node=0|zone=2)
[   12.675368] page_type: f5(slab)
[   12.675517] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   12.675749] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   12.676074] page dumped because: kasan: bad access detected
[   12.676669] 
[   12.676746] Memory state around the buggy address:
[   12.676947]  ffff888102ae5e80: 00 00 00 fc fc fc fc fc 00 00 03 fc fc fc fc fc
[   12.677281]  ffff888102ae5f00: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[   12.677670] >ffff888102ae5f80: fa fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   12.677955]                    ^
[   12.678096]  ffff888102ae6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   12.678362]  ffff888102ae6080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.678788] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

303EBflBPqSbIUkiUzReBHe3YjN

job_id

TEST:linaro@lkft#303EFrR321z66uMtHD4l4dQQryi

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/303EFrR321z66uMtHD4l4dQQryi

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303EDHUQV2HWml6WToh69KJUFJb/bzImage
sha256sum	c220f70d9515ab3041e245bb6755df814c152e1bb2b5c646740fe1b3afdde8b5

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303EDHUQV2HWml6WToh69KJUFJb/modules.tar.xz
sha256sum	ab8bf28231ab6c259d2b1478935ea551409070bcef8061d01f520819ad2ce3b6

durations

tests

boot	0
kunit	217.45

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.2+ds-1

[   12.833752] ==================================================================
[   12.834887] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x4d6/0x560
[   12.835631] Read of size 8 at addr ffff888103410d40 by task kunit_try_catch/217
[   12.835861] 
[   12.835954] CPU: 1 UID: 0 PID: 217 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc6 #1 PREEMPT(voluntary) 
[   12.836004] Tainted: [B]=BAD_PAGE, [N]=TEST
[   12.836025] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   12.836047] Call Trace:
[   12.836061]  <TASK>
[   12.836079]  dump_stack_lvl+0x73/0xb0
[   12.836110]  print_report+0xd1/0x610
[   12.836133]  ? __virt_addr_valid+0x1db/0x2d0
[   12.836156]  ? workqueue_uaf+0x4d6/0x560
[   12.836177]  ? kasan_complete_mode_report_info+0x64/0x200
[   12.836199]  ? workqueue_uaf+0x4d6/0x560
[   12.836220]  kasan_report+0x141/0x180
[   12.836241]  ? workqueue_uaf+0x4d6/0x560
[   12.836266]  __asan_report_load8_noabort+0x18/0x20
[   12.836290]  workqueue_uaf+0x4d6/0x560
[   12.836311]  ? __pfx_workqueue_uaf+0x10/0x10
[   12.836332]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   12.836357]  ? trace_hardirqs_on+0x37/0xe0
[   12.836381]  ? __pfx_read_tsc+0x10/0x10
[   12.836402]  ? ktime_get_ts64+0x86/0x230
[   12.836426]  kunit_try_run_case+0x1a5/0x480
[   12.836451]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.836475]  ? queued_spin_lock_slowpath+0x116/0xb40
[   12.836503]  ? __kthread_parkme+0x82/0x180
[   12.836527]  ? preempt_count_sub+0x50/0x80
[   12.836550]  ? __pfx_kunit_try_run_case+0x10/0x10
[   12.836573]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.836596]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   12.836620]  kthread+0x337/0x6f0
[   12.836638]  ? trace_preempt_on+0x20/0xc0
[   12.836659]  ? __pfx_kthread+0x10/0x10
[   12.836678]  ? _raw_spin_unlock_irq+0x47/0x80
[   12.836699]  ? calculate_sigpending+0x7b/0xa0
[   12.836724]  ? __pfx_kthread+0x10/0x10
[   12.836744]  ret_from_fork+0x116/0x1d0
[   12.836762]  ? __pfx_kthread+0x10/0x10
[   12.836781]  ret_from_fork_asm+0x1a/0x30
[   12.836812]  </TASK>
[   12.836822] 
[   12.851840] Allocated by task 217:
[   12.852437]  kasan_save_stack+0x45/0x70
[   12.852704]  kasan_save_track+0x18/0x40
[   12.852841]  kasan_save_alloc_info+0x3b/0x50
[   12.852998]  __kasan_kmalloc+0xb7/0xc0
[   12.853386]  __kmalloc_cache_noprof+0x189/0x420
[   12.853982]  workqueue_uaf+0x152/0x560
[   12.854438]  kunit_try_run_case+0x1a5/0x480
[   12.854897]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.855382]  kthread+0x337/0x6f0
[   12.855754]  ret_from_fork+0x116/0x1d0
[   12.855915]  ret_from_fork_asm+0x1a/0x30
[   12.856404] 
[   12.856593] Freed by task 44:
[   12.856916]  kasan_save_stack+0x45/0x70
[   12.857426]  kasan_save_track+0x18/0x40
[   12.857631]  kasan_save_free_info+0x3f/0x60
[   12.858019]  __kasan_slab_free+0x56/0x70
[   12.858396]  kfree+0x222/0x3f0
[   12.858735]  workqueue_uaf_work+0x12/0x20
[   12.858923]  process_one_work+0x5ee/0xf60
[   12.859166]  worker_thread+0x758/0x1220
[   12.859569]  kthread+0x337/0x6f0
[   12.859998]  ret_from_fork+0x116/0x1d0
[   12.860688]  ret_from_fork_asm+0x1a/0x30
[   12.860900] 
[   12.860981] Last potentially related work creation:
[   12.861537]  kasan_save_stack+0x45/0x70
[   12.861922]  kasan_record_aux_stack+0xb2/0xc0
[   12.862296]  __queue_work+0x626/0xeb0
[   12.862512]  queue_work_on+0xb6/0xc0
[   12.862960]  workqueue_uaf+0x26d/0x560
[   12.863449]  kunit_try_run_case+0x1a5/0x480
[   12.863763]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   12.864400]  kthread+0x337/0x6f0
[   12.864690]  ret_from_fork+0x116/0x1d0
[   12.864827]  ret_from_fork_asm+0x1a/0x30
[   12.864971] 
[   12.865119] The buggy address belongs to the object at ffff888103410d40
[   12.865119]  which belongs to the cache kmalloc-32 of size 32
[   12.866361] The buggy address is located 0 bytes inside of
[   12.866361]  freed 32-byte region [ffff888103410d40, ffff888103410d60)
[   12.867475] 
[   12.867575] The buggy address belongs to the physical page:
[   12.867751] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103410
[   12.867993] flags: 0x200000000000000(node=0|zone=2)
[   12.868740] page_type: f5(slab)
[   12.869129] raw: 0200000000000000 ffff888100041780 dead000000000122 0000000000000000
[   12.870026] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[   12.870730] page dumped because: kasan: bad access detected
[   12.871284] 
[   12.871357] Memory state around the buggy address:
[   12.871726]  ffff888103410c00: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[   12.872446]  ffff888103410c80: 00 00 03 fc fc fc fc fc 00 00 07 fc fc fc fc fc
[   12.872896] >ffff888103410d00: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[   12.873396]                                            ^
[   12.873962]  ffff888103410d80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.874551]  ffff888103410e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   12.874772] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

303Mu3ntpbAl90E7xFJwTYkz6hg

job_id

TEST:linaro@lkft#303MyNrXgiUK2WQ9kAj3BzGphCF

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/303MyNrXgiUK2WQ9kAj3BzGphCF

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303MvjxJUPUp0dSFAYAM6r89zAg/bzImage
sha256sum	e715e0f52245accf83f401d29cc1c2f3b2a59bbdf3f5ad590c1c6f981a5169eb

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/303MvjxJUPUp0dSFAYAM6r89zAg/modules.tar.xz
sha256sum	a6fb5fb0c5521f1f236c8b67ce1b76fdcd44954d158362bf4d88d0d9d544c595

durations

tests

boot	0
kunit	233.03

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.2+ds-1

Metadata

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit