Regressions seen on Linux v6.17-rc3-11-gfab1beda7597

Good: v6.17-rc3-5-gb6add54ba618
Bad: v6.17-rc3-11-gfab1beda7597

Reported-by: Linux Kernel Functional Testing

Test Plan Statistics:
---------------------
Builds: 14 total (14 pass, 0 fail, 0 skip) - 100.0% success rate
Boots: 513 total (513 pass, 0 fail, 0 skip) - 100.0% success rate
Test Suites: 509 total (400 pass, 99 fail, 10 unknown) - 78.6% success rate
Individual Test Cases: 26975 total (23576 pass, 350 fail, 3049 skip) - 87.4% success rate

Boot regression: qemu-arm64, log-parser-boot/exception-warning-cpu-pid-at-libmathint_log-intlog2

Test log:
---------
------------[ cut here ]------------
[ 28.103250] WARNING: CPU: 0 PID: 447 at lib/math/int_log.c:63 intlog2+0xb8/0x118
[ 28.104370] Modules linked in:
[ 28.104642] CPU: 0 UID: 0 PID: 447 Comm: kunit_try_catch Tainted: G D N 6.17.0-rc3 #1 PREEMPT
[ 28.105106] Tainted: [D]=DIE, [N]=TEST
[ 28.105342] Hardware name: linux,dummy-virt (DT)
[ 28.105609] pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 28.106150] pc : intlog2+0xb8/0x118
[ 28.106526] lr : intlog2_test+0x88/0x180
[ 28.106808] sp : ffff800082167cd0
[ 28.107101] x29: ffff800082167cf0 x28: dfff800000000000 x27: 1ffe0000193fe945
[ 28.107630] x26: fff00000ca00a920 x25: ffff8000800877f8 x24: 0000000000000000
[ 28.108155] x23: dfff800000000000 x22: fff00000c9ff5420 x21: ffff9a1b35223cd0
[ 28.108649] x20: ffff9a1b335fa420 x19: ffff800080087b00 x18: 0000000000000002
[ 28.109335] x17: 0000000000000075 x16: 0000000000000000 x15: 0000000000000001
[ 28.110145] x14: 1ffff34366d0b478 x13: 0000000000000000 x12: 0000000000000000
[ 28.111222] x11: ffff734366d0b479 x10: 0000000000000017 x9 : 0000000000000007
[ 28.112069] x8 : 0000000000000000 x7 : 0000000011dc3097 x6 : 00000000843de2f3
[ 28.112441] x5 : 000000000d16e3da x4 : 0000000000000000 x3 : ffff9a1b3094fab0
[ 28.112811] x2 : 0000000000000000 x1 : 000000000067a638 x0 : 0000000000000000
[ 28.113301] Call trace:
[ 28.113480] intlog2+0xb8/0x118 (P)
[ 28.113707] intlog2_test+0x88/0x180
[ 28.113934] kunit_try_run_case+0x118/0x31c
[ 28.114213] kunit_generic_run_threadfn_adapter+0x84/0x104
[ 28.114586] kthread+0x3f4/0x51c
[ 28.114876] ret_from_fork+0x10/0x20
[ 28.115255] ---[ end trace 0000000000000000 ]---

Build:
------
- Kernel Config: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/config
- Build Reproducer: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/tuxmake_reproducer.sh
- Test Log: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29667137/suite/log-parser-boot/test/exception-warning-cpu-pid-at-libmathint_log-intlog2-cc3c1ddd2f52152e38ac42d6899e7f82d94f3731df486bfb4820325bcba7bb70/log
- Test Reproducer: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29667137/suite/log-parser-boot/test/exception-warning-cpu-pid-at-libmathint_log-intlog2-cc3c1ddd2f52152e38ac42d6899e7f82d94f3731df486bfb4820325bcba7bb70/attachments/reproducer

Boot regression: qemu-arm64, log-parser-boot/internal-error-oops-oops-smp

Test log:
---------
[ 27.463493] Internal error: Oops: 0000000096000005 [#1] SMP
[ 27.470864] Modules linked in:
[ 27.473491] CPU: 1 UID: 0 PID: 339 Comm: kunit_try_catch Tainted: G N 6.17.0-rc3 #1 PREEMPT
[ 27.474500] Tainted: [N]=TEST
[ 27.474803] Hardware name: linux,dummy-virt (DT)
[ 27.475189] pstate: 82402009 (Nzcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
[ 27.475496] pc : kunit_test_null_dereference+0x2c/0x114
[ 27.476384] lr : kunit_generic_run_threadfn_adapter+0x84/0x104
[ 27.476709] sp : ffff800080ee7db0
[ 27.476917] x29: ffff800080ee7dc0 x28: dfff800000000000 x27: 1ffe00001937b005
[ 27.477517] x26: fff00000c9b5fa20 x25: ffff800080ed7b48 x24: fff00000c9b62990
[ 27.477973] x23: 1ffe00001936bf31 x22: dfff800000000000 x21: dfff800000000000
[ 27.478432] x20: ffff9a1b313968b0 x19: fff00000c9b5f988 x18: ffff800080097930
[ 27.478882] x17: ffff80008009792c x16: 0000000000000000 x15: 0000000000000001
[ 27.479806] x14: 1ffe00001937b0f3 x13: 0000000000000000 x12: 0000000000000000
[ 27.480223] x11: fffd80001937b0f4 x10: dfff800000000000 x9 : 1ffe00001936bf32
[ 27.480693] x8 : 7d3c67e3eeb57400 x7 : ffff80008009793c x6 : 0000000000000014
[ 27.481148] x5 : fff00000da98c2a0 x4 : ffff800080167a04 x3 : ffff9a1b33471834
[ 27.481945] x2 : 0000000000000001 x1 : 0000000000000001 x0 : ffff800080087b00
[ 27.482421] Call trace:
[ 27.482704] kunit_test_null_dereference+0x2c/0x114 (P)
[ 27.483115] kunit_generic_run_threadfn_adapter+0x84/0x104
[ 27.483375] kthread+0x3f4/0x51c
[ 27.483572] ret_from_fork+0x10/0x20
[ 27.484175] Code: d2d00015 f9426d08 f2fbfff5 f90007e8 (39c002a8)
[ 27.484655] ---[ end trace 0000000000000000 ]---

Build:
------
- Kernel Config: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/config
- Build Reproducer: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/tuxmake_reproducer.sh
- Test Log: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29667137/suite/log-parser-boot/test/internal-error-oops-oops-smp-1fee02f38d56f9cadc23d6191b4c502f6b7c854a84457b21b2730df0074a6f81/log
- Test Reproducer: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29667137/suite/log-parser-boot/test/internal-error-oops-oops-smp-1fee02f38d56f9cadc23d6191b4c502f6b7c854a84457b21b2730df0074a6f81/attachments/reproducer

Boot regression: qemu-arm64, log-parser-boot/kasan-bug-kasan-slab-out-of-bounds-in-kasan_atomics_helper

Test log:
---------
[ 21.984622]
================================================================== [ 21.986132] BUG: KASAN: slab-out-of-bounds in kasan_atomics_helper+0x42d8/0x4858 [ 21.988881] [ 21.988903] The buggy address belongs to the object at fff00000c9bf2380 [ 21.988903] which belongs to the cache kmalloc-64 of size 64 [ 21.989766] page dumped because: kasan: bad access detected [ 21.991747] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 21.992201] kasan_atomics+0x198/0x2e0 [ 21.992251] kunit_try_run_case+0x170/0x3f0 [ 21.992298] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.992352] kthread+0x328/0x630 [ 21.992398] ret_from_fork+0x10/0x20 [ 21.992446] [ 21.992465] Allocated by task 294: [ 21.992505] kasan_save_stack+0x3c/0x68 [ 21.992546] kasan_save_track+0x20/0x40 [ 21.992584] kasan_save_alloc_info+0x40/0x58 [ 21.992632] __kasan_kmalloc+0xd4/0xd8 [ 21.992668] __kmalloc_cache_noprof+0x16c/0x3c0 [ 21.992731] kasan_atomics+0xb8/0x2e0 [ 21.992770] kunit_try_run_case+0x170/0x3f0 [ 21.992810] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.992863] kthread+0x328/0x630 [ 21.992898] ret_from_fork+0x10/0x20 [ 21.992934] [ 21.992956] The buggy address belongs to the object at fff00000c9bf2380 [ 21.992956] which belongs to the cache kmalloc-64 of size 64 [ 21.993012] The buggy address is located 0 bytes to the right of [ 21.993012] allocated 48-byte region [fff00000c9bf2380, fff00000c9bf23b0) [ 21.993105] [ 21.993128] The buggy address belongs to the physical page: [ 21.993162] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109bf2 [ 21.993267] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 21.993318] page_type: f5(slab) [ 21.993358] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000 [ 21.993410] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 21.993877] page dumped because: kasan: bad access detected [ 21.993935] [ 21.993955] Memory state around the buggy address: [ 21.994015] fff00000c9bf2280: fa fb fb fb fb 
fb fb fb fc fc fc fc fc fc fc fc [ 21.994101] fff00000c9bf2300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 21.994188] >fff00000c9bf2380: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 21.994239] ^ [ 21.994275] fff00000c9bf2400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.994338] fff00000c9bf2480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.995591] Call trace: [ 21.996329] ret_from_fork+0x10/0x20 [ 21.996863] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.998225] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 22.000598] Write of size 4 at addr fff00000c9bf23b0 by task kunit_try_catch/294 [ 22.000715] [ 22.000753] CPU: 0 UID: 0 PID: 294 Comm: kunit_try_catch Tainted: G B W N 6.17.0-rc3 #1 PREEMPT [ 22.001903] kunit_try_run_case+0x170/0x3f0 [ 22.002776] kunit_try_run_case+0x170/0x3f0 [ 22.002916] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 22.003027] kthread+0x328/0x630 [ 22.003064] ret_from_fork+0x10/0x20 [ 22.003208] [ 22.003501] The buggy address belongs to the object at fff00000c9bf2380 [ 22.003501] which belongs to the cache kmalloc-64 of size 64 [ 22.003662] The buggy address is located 0 bytes to the right of [ 22.003662] allocated 48-byte region [fff00000c9bf2380, fff00000c9bf23b0) [ 22.003745] [ 22.003769] The buggy address belongs to the physical page: [ 22.003804] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109bf2 [ 22.003859] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 22.003944] page_type: f5(slab) [ 22.004077] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000 [ 22.004169] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 22.004304] page dumped because: kasan: bad access detected [ 22.004365] [ 22.004538] Memory state around the buggy address: [ 22.004748] fff00000c9bf2280: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 22.004871] fff00000c9bf2300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 
22.004980] >fff00000c9bf2380: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 22.005059] ^ [ 22.005145] fff00000c9bf2400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.005224] fff00000c9bf2480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.008894] ret_from_fork+0x10/0x20 [ 22.008940] [ 22.008962] The buggy address belongs to the object at fff00000c9bf2380 [ 22.008962] which belongs to the cache kmalloc-64 of size 64 [ 22.009659] page dumped because: kasan: bad access detected [ 22.011490] BUG: KASAN: slab-out-of-bounds in kasan_atomics_helper+0xad4/0x4858 [ 22.014258] kunit_try_run_case+0x170/0x3f0 [ 22.014419] [ 22.014441] The buggy address belongs to the object at fff00000c9bf2380 [ 22.014441] which belongs to the cache kmalloc-64 of size 64 [ 22.014556] The buggy address is located 0 bytes to the right of [ 22.014556] allocated 48-byte region [fff00000c9bf2380, fff00000c9bf23b0) [ 22.014624] [ 22.014646] The buggy address belongs to the physical page: [ 22.014692] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109bf2 [ 22.014875] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 22.015288] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 22.016954] BUG: KASAN: slab-out-of-bounds in kasan_atomics_helper+0x3dcc/0x4858 [ 22.020302] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 22.021826] [ 22.022226] fff00000c9bf2480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.025056] kasan_save_track+0x20/0x40 [ 22.026835] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 22.027605] fff00000c9bf2480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.029951] kunit_try_run_case+0x170/0x3f0 [ 22.030543] The buggy address is located 0 bytes to the right of [ 22.030543] allocated 48-byte region [fff00000c9bf2380, fff00000c9bf23b0) [ 22.033049] [ 22.034957] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 22.037868] The buggy address is located 0 bytes to the right of [ 
22.037868] allocated 48-byte region [fff00000c9bf2380, fff00000c9bf23b0) [ 22.039610] BUG: KASAN: slab-out-of-bounds in kasan_atomics_helper+0x3de4/0x4858 [ 22.040827] kasan_atomics+0x198/0x2e0 [ 22.041521] ret_from_fork+0x10/0x20 [ 22.041727] [ 22.042595] fff00000c9bf2300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 22.044006] Hardware name: linux,dummy-virt (DT) [ 22.046843] The buggy address belongs to the physical page: [ 22.046952] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109bf2 [ 22.047081] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 22.047208] page_type: f5(slab) [ 22.047295] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000 [ 22.047349] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 22.047392] page dumped because: kasan: bad access detected [ 22.047613] [ 22.047788] Memory state around the buggy address: [ 22.047863] fff00000c9bf2280: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 22.047938] fff00000c9bf2300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 22.048178] >fff00000c9bf2380: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 22.048370] ^ [ 22.048516] fff00000c9bf2400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.048579] fff00000c9bf2480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.048719] ================================================================== Build: ------ - Kernel Config: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/config - Build Reproducer: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/tuxmake_reproducer.sh - Test Log: 
https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29666916/suite/log-parser-boot/test/kasan-bug-kasan-slab-out-of-bounds-in-kasan_atomics_helper-772382db47b9e52aec062a035a4b482a5ad3138fbdd4ca6ed943f4734682807f/log - Test Reproducer: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29666916/suite/log-parser-boot/test/kasan-bug-kasan-slab-out-of-bounds-in-kasan_atomics_helper-772382db47b9e52aec062a035a4b482a5ad3138fbdd4ca6ed943f4734682807f/attachments/reproducer Boot regression: qemu-arm64, log-parser-boot/kasan-bug-kasan-slab-out-of-bounds-in-krealloc_less_oob_helper Test log: --------- [ 19.160166] ================================================================== [ 19.160222] BUG: KASAN: slab-out-of-bounds in krealloc_less_oob_helper+0xa48/0xc50 [ 19.160436] Write of size 1 at addr fff00000c8de80c9 by task kunit_try_catch/187 [ 19.160485] [ 19.160518] CPU: 1 UID: 0 PID: 187 Comm: kunit_try_catch Tainted: G B W N 6.17.0-rc3 #1 PREEMPT [ 19.160644] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 19.160730] Hardware name: linux,dummy-virt (DT) [ 19.160818] Call trace: [ 19.160840] show_stack+0x20/0x38 (C) [ 19.160887] dump_stack_lvl+0x8c/0xd0 [ 19.160934] print_report+0x118/0x5e8 [ 19.160978] kasan_report+0xdc/0x128 [ 19.161245] __asan_report_store1_noabort+0x20/0x30 [ 19.161326] krealloc_less_oob_helper+0xa48/0xc50 [ 19.161495] krealloc_less_oob+0x20/0x38 [ 19.161596] kunit_try_run_case+0x170/0x3f0 [ 19.161643] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.161767] kthread+0x328/0x630 [ 19.161858] ret_from_fork+0x10/0x20 [ 19.161910] [ 19.161929] Allocated by task 187: [ 19.161957] kasan_save_stack+0x3c/0x68 [ 19.162021] kasan_save_track+0x20/0x40 [ 19.162056] kasan_save_alloc_info+0x40/0x58 [ 19.162092] __kasan_krealloc+0x118/0x178 [ 19.162171] krealloc_noprof+0x128/0x360 [ 19.162222] krealloc_less_oob_helper+0x168/0xc50 [ 19.162263] krealloc_less_oob+0x20/0x38 [ 
19.162299] kunit_try_run_case+0x170/0x3f0 [ 19.162334] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.162461] kthread+0x328/0x630 [ 19.162519] ret_from_fork+0x10/0x20 [ 19.162637] [ 19.162726] The buggy address belongs to the object at fff00000c8de8000 [ 19.162726] which belongs to the cache kmalloc-256 of size 256 [ 19.162791] The buggy address is located 0 bytes to the right of [ 19.162791] allocated 201-byte region [fff00000c8de8000, fff00000c8de80c9) [ 19.163006] [ 19.163026] The buggy address belongs to the physical page: [ 19.163062] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x108de8 [ 19.163113] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 19.163157] ksm flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 19.163207] page_type: f5(slab) [ 19.163245] raw: 0bfffe0000000040 fff00000c0001b40 ffffc1ffc3200380 dead000000000003 [ 19.163292] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.163340] head: 0bfffe0000000040 fff00000c0001b40 ffffc1ffc3200380 dead000000000003 [ 19.163386] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.163432] head: 0bfffe0000000001 ffffc1ffc3237a01 00000000ffffffff 00000000ffffffff [ 19.163479] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 19.163517] page dumped because: kasan: bad access detected [ 19.163546] [ 19.163563] Memory state around the buggy address: [ 19.163595] fff00000c8de7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.163636] fff00000c8de8000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 19.163698] >fff00000c8de8080: 00 00 00 00 00 00 00 00 00 01 fc fc fc fc fc fc [ 19.163734] ^ [ 19.163767] fff00000c8de8100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.163989] fff00000c8de8180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.164144] ================================================================== Build: ------ - Kernel Config: 
https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/config - Build Reproducer: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/tuxmake_reproducer.sh - Test Log: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29666916/suite/log-parser-boot/test/kasan-bug-kasan-slab-out-of-bounds-in-krealloc_less_oob_helper-19404a00e4c0965cbe30f734cc9a6594938e6aa59df7c68b4feb874299a91c35/log - Test Reproducer: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29666916/suite/log-parser-boot/test/kasan-bug-kasan-slab-out-of-bounds-in-krealloc_less_oob_helper-19404a00e4c0965cbe30f734cc9a6594938e6aa59df7c68b4feb874299a91c35/attachments/reproducer Boot regression: qemu-arm64, log-parser-boot/kasan-bug-kasan-slab-out-of-bounds-in-memcmp Test log: --------- [ 21.571414] ================================================================== [ 21.571474] BUG: KASAN: slab-out-of-bounds in memcmp+0x198/0x1d8 [ 21.571529] Read of size 1 at addr fff00000c9be1e58 by task kunit_try_catch/286 [ 21.571581] [ 21.571614] CPU: 0 UID: 0 PID: 286 Comm: kunit_try_catch Tainted: G B W N 6.17.0-rc3 #1 PREEMPT [ 21.571716] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 21.571749] Hardware name: linux,dummy-virt (DT) [ 21.571794] Call trace: [ 21.571825] show_stack+0x20/0x38 (C) [ 21.571878] dump_stack_lvl+0x8c/0xd0 [ 21.571925] print_report+0x118/0x5e8 [ 21.571975] kasan_report+0xdc/0x128 [ 21.572026] __asan_report_load1_noabort+0x20/0x30 [ 21.572078] memcmp+0x198/0x1d8 [ 21.572124] kasan_memcmp+0x16c/0x300 [ 21.572171] kunit_try_run_case+0x170/0x3f0 [ 21.572231] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.572288] kthread+0x328/0x630 [ 21.572331] ret_from_fork+0x10/0x20 [ 21.572381] [ 21.572411] Allocated by 
task 286: [ 21.572444] kasan_save_stack+0x3c/0x68 [ 21.572484] kasan_save_track+0x20/0x40 [ 21.572522] kasan_save_alloc_info+0x40/0x58 [ 21.572560] __kasan_kmalloc+0xd4/0xd8 [ 21.572597] __kmalloc_cache_noprof+0x16c/0x3c0 [ 21.572639] kasan_memcmp+0xbc/0x300 [ 21.573095] kunit_try_run_case+0x170/0x3f0 [ 21.573589] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 21.573635] kthread+0x328/0x630 [ 21.573672] ret_from_fork+0x10/0x20 [ 21.573720] [ 21.573742] The buggy address belongs to the object at fff00000c9be1e40 [ 21.573742] which belongs to the cache kmalloc-32 of size 32 [ 21.573836] The buggy address is located 0 bytes to the right of [ 21.573836] allocated 24-byte region [fff00000c9be1e40, fff00000c9be1e58) [ 21.573931] [ 21.574523] The buggy address belongs to the physical page: [ 21.574705] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109be1 [ 21.574876] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 21.575004] page_type: f5(slab) [ 21.575134] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 21.575221] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 21.575638] page dumped because: kasan: bad access detected [ 21.575739] [ 21.575892] Memory state around the buggy address: [ 21.576062] fff00000c9be1d00: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 21.576185] fff00000c9be1d80: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 21.576295] >fff00000c9be1e00: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc [ 21.576354] ^ [ 21.576692] fff00000c9be1e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.576778] fff00000c9be1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 21.576935] ================================================================== Build: ------ - Kernel Config: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/config - Build Reproducer: 
https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/tuxmake_reproducer.sh - Test Log: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29666916/suite/log-parser-boot/test/kasan-bug-kasan-slab-out-of-bounds-in-memcmp-b2b9c259cb8d4fca549eb37d22d4ffb495dd1b56fb9b89aa09affe3c572e6460/log - Test Reproducer: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29666916/suite/log-parser-boot/test/kasan-bug-kasan-slab-out-of-bounds-in-memcmp-b2b9c259cb8d4fca549eb37d22d4ffb495dd1b56fb9b89aa09affe3c572e6460/attachments/reproducer Boot regression: qemu-arm64, log-parser-boot/kasan-bug-kasan-slab-use-after-free-in-krealloc_uaf Test log: --------- [ 19.271770] ================================================================== [ 19.272454] BUG: KASAN: slab-use-after-free in krealloc_uaf+0x4c8/0x520 [ 19.272566] Read of size 1 at addr fff00000c8de8200 by task kunit_try_catch/193 [ 19.272627] [ 19.272925] CPU: 1 UID: 0 PID: 193 Comm: kunit_try_catch Tainted: G B W N 6.17.0-rc3 #1 PREEMPT [ 19.273018] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 19.273047] Hardware name: linux,dummy-virt (DT) [ 19.273426] Call trace: [ 19.273573] show_stack+0x20/0x38 (C) [ 19.273783] dump_stack_lvl+0x8c/0xd0 [ 19.274012] print_report+0x118/0x5e8 [ 19.274550] kasan_report+0xdc/0x128 [ 19.274738] __asan_report_load1_noabort+0x20/0x30 [ 19.274907] krealloc_uaf+0x4c8/0x520 [ 19.274999] kunit_try_run_case+0x170/0x3f0 [ 19.275350] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.275443] kthread+0x328/0x630 [ 19.275510] ret_from_fork+0x10/0x20 [ 19.275859] [ 19.276039] Allocated by task 193: [ 19.276183] kasan_save_stack+0x3c/0x68 [ 19.276389] kasan_save_track+0x20/0x40 [ 19.276468] kasan_save_alloc_info+0x40/0x58 [ 19.276810] __kasan_kmalloc+0xd4/0xd8 [ 19.276967] __kmalloc_cache_noprof+0x16c/0x3c0 [ 19.277208] 
krealloc_uaf+0xc8/0x520 [ 19.277353] kunit_try_run_case+0x170/0x3f0 [ 19.277475] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.277654] kthread+0x328/0x630 [ 19.277794] ret_from_fork+0x10/0x20 [ 19.278173] [ 19.278316] Freed by task 193: [ 19.278431] kasan_save_stack+0x3c/0x68 [ 19.278531] kasan_save_track+0x20/0x40 [ 19.278670] kasan_save_free_info+0x4c/0x78 [ 19.278720] __kasan_slab_free+0x7c/0xa8 [ 19.278952] kfree+0x214/0x3c8 [ 19.279140] krealloc_uaf+0x12c/0x520 [ 19.279436] kunit_try_run_case+0x170/0x3f0 [ 19.279615] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.279703] kthread+0x328/0x630 [ 19.279761] ret_from_fork+0x10/0x20 [ 19.280045] [ 19.280226] The buggy address belongs to the object at fff00000c8de8200 [ 19.280226] which belongs to the cache kmalloc-256 of size 256 [ 19.280406] The buggy address is located 0 bytes inside of [ 19.280406] freed 256-byte region [fff00000c8de8200, fff00000c8de8300) [ 19.280526] [ 19.280620] The buggy address belongs to the physical page: [ 19.280699] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x108de8 [ 19.281048] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 19.281166] ksm flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 19.281404] page_type: f5(slab) [ 19.281493] raw: 0bfffe0000000040 fff00000c0001b40 ffffc1ffc3200380 dead000000000003 [ 19.281718] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.281923] head: 0bfffe0000000040 fff00000c0001b40 ffffc1ffc3200380 dead000000000003 [ 19.282175] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 19.282354] head: 0bfffe0000000001 ffffc1ffc3237a01 00000000ffffffff 00000000ffffffff [ 19.282558] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 19.282602] page dumped because: kasan: bad access detected [ 19.282847] [ 19.282935] Memory state around the buggy address: [ 19.283045] fff00000c8de8100: fc fc fc fc fc fc fc fc fc fc 
fc fc fc fc fc fc [ 19.283256] fff00000c8de8180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.283465] >fff00000c8de8200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.283558] ^ [ 19.283764] fff00000c8de8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 19.284015] fff00000c8de8300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.284078] ================================================================== Build: ------ - Kernel Config: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/config - Build Reproducer: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/tuxmake_reproducer.sh - Test Log: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29666916/suite/log-parser-boot/test/kasan-bug-kasan-slab-use-after-free-in-krealloc_uaf-608a16570b86385122a16fcdd8ce60943dc0d885b07e4852a699b4a46e1a18f7/log - Test Reproducer: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29666916/suite/log-parser-boot/test/kasan-bug-kasan-slab-use-after-free-in-krealloc_uaf-608a16570b86385122a16fcdd8ce60943dc0d885b07e4852a699b4a46e1a18f7/attachments/reproducer Boot regression: qemu-arm64, log-parser-boot/kasan-bug-kasan-slab-use-after-free-in-rcu_uaf_reclaim Test log: --------- [ 19.745667] ================================================================== [ 19.745806] BUG: KASAN: slab-use-after-free in rcu_uaf_reclaim+0x64/0x70 [ 19.745910] Read of size 4 at addr fff00000c9a82040 by task swapper/1/0 [ 19.745960] [ 19.746006] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G B W N 6.17.0-rc3 #1 PREEMPT [ 19.746096] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 19.746128] Hardware name: linux,dummy-virt (DT) [ 19.746161] Call trace: [ 19.746194] show_stack+0x20/0x38 (C) [ 
19.746246] dump_stack_lvl+0x8c/0xd0 [ 19.746295] print_report+0x118/0x5e8 [ 19.746340] kasan_report+0xdc/0x128 [ 19.746383] __asan_report_load4_noabort+0x20/0x30 [ 19.746431] rcu_uaf_reclaim+0x64/0x70 [ 19.746486] rcu_core+0x9fc/0x1e98 [ 19.746534] rcu_core_si+0x18/0x30 [ 19.746579] handle_softirqs+0x374/0xb28 [ 19.746625] __do_softirq+0x1c/0x28 [ 19.746666] ____do_softirq+0x18/0x30 [ 19.746731] call_on_irq_stack+0x30/0x48 [ 19.746783] do_softirq_own_stack+0x24/0x38 [ 19.746828] __irq_exit_rcu+0x1fc/0x318 [ 19.746874] irq_exit_rcu+0x1c/0x80 [ 19.746917] el1_interrupt+0x38/0x58 [ 19.746964] el1h_64_irq_handler+0x18/0x28 [ 19.747010] el1h_64_irq+0x6c/0x70 [ 19.747100] arch_local_irq_enable+0x4/0x8 (P) [ 19.747149] do_idle+0x384/0x4e8 [ 19.747203] cpu_startup_entry+0x68/0x80 [ 19.747248] secondary_start_kernel+0x28c/0x340 [ 19.747294] __secondary_switched+0xc0/0xc8 [ 19.747348] [ 19.747366] Allocated by task 227: [ 19.747398] kasan_save_stack+0x3c/0x68 [ 19.747439] kasan_save_track+0x20/0x40 [ 19.747473] kasan_save_alloc_info+0x40/0x58 [ 19.747520] __kasan_kmalloc+0xd4/0xd8 [ 19.747554] __kmalloc_cache_noprof+0x16c/0x3c0 [ 19.747612] rcu_uaf+0xb0/0x2d8 [ 19.747648] kunit_try_run_case+0x170/0x3f0 [ 19.748532] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.748577] kthread+0x328/0x630 [ 19.748775] ret_from_fork+0x10/0x20 [ 19.748819] [ 19.748921] Freed by task 0: [ 19.748948] kasan_save_stack+0x3c/0x68 [ 19.748985] kasan_save_track+0x20/0x40 [ 19.749156] kasan_save_free_info+0x4c/0x78 [ 19.749225] __kasan_slab_free+0x7c/0xa8 [ 19.749261] kfree+0x214/0x3c8 [ 19.749297] rcu_uaf_reclaim+0x28/0x70 [ 19.749332] rcu_core+0x9fc/0x1e98 [ 19.749369] rcu_core_si+0x18/0x30 [ 19.749851] handle_softirqs+0x374/0xb28 [ 19.749923] __do_softirq+0x1c/0x28 [ 19.750039] [ 19.750157] Last potentially related work creation: [ 19.750265] kasan_save_stack+0x3c/0x68 [ 19.750309] kasan_record_aux_stack+0xb4/0xc8 [ 19.750354] __call_rcu_common.constprop.0+0x74/0x8c8 [ 19.750515] 
call_rcu+0x18/0x30 [ 19.750551] rcu_uaf+0x14c/0x2d8 [ 19.750593] kunit_try_run_case+0x170/0x3f0 [ 19.750702] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 19.750838] kthread+0x328/0x630 [ 19.750972] ret_from_fork+0x10/0x20 [ 19.751014] [ 19.751042] The buggy address belongs to the object at fff00000c9a82040 [ 19.751042] which belongs to the cache kmalloc-32 of size 32 [ 19.751105] The buggy address is located 0 bytes inside of [ 19.751105] freed 32-byte region [fff00000c9a82040, fff00000c9a82060) [ 19.751226] [ 19.751253] The buggy address belongs to the physical page: [ 19.751372] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a82 [ 19.751431] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 19.751529] page_type: f5(slab) [ 19.751697] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000 [ 19.751748] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000 [ 19.751789] page dumped because: kasan: bad access detected [ 19.752492] [ 19.752555] Memory state around the buggy address: [ 19.752850] fff00000c9a81f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.753105] fff00000c9a81f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 19.753151] >fff00000c9a82000: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc [ 19.753189] ^ [ 19.753236] fff00000c9a82080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.753278] fff00000c9a82100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 19.753320] ================================================================== Build: ------ - Kernel Config: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/config - Build Reproducer: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/tuxmake_reproducer.sh - Test Log: 
https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29666916/suite/log-parser-boot/test/kasan-bug-kasan-slab-use-after-free-in-rcu_uaf_reclaim-d51b19292bb2f0697baf6f74cc8ed08631fc0f76e72f5b1bc3f584832265576c/log
- Test Reproducer: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29666916/suite/log-parser-boot/test/kasan-bug-kasan-slab-use-after-free-in-rcu_uaf_reclaim-d51b19292bb2f0697baf6f74cc8ed08631fc0f76e72f5b1bc3f584832265576c/attachments/reproducer

Boot regression: qemu-arm64, log-parser-boot/kasan-bug-kasan-slab-use-after-free-in-workqueue_uaf

Test log:
---------
[ 19.767573] ==================================================================
[ 19.767646] BUG: KASAN: slab-use-after-free in workqueue_uaf+0x480/0x4a8
[ 19.767881] Read of size 8 at addr fff00000c9a82240 by task kunit_try_catch/229
[ 19.768142]
[ 19.768290] CPU: 1 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B W N 6.17.0-rc3 #1 PREEMPT
[ 19.768732] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 19.768770] Hardware name: linux,dummy-virt (DT)
[ 19.768802] Call trace:
[ 19.768831] show_stack+0x20/0x38 (C)
[ 19.768921] dump_stack_lvl+0x8c/0xd0
[ 19.769053] print_report+0x118/0x5e8
[ 19.769099] kasan_report+0xdc/0x128
[ 19.769141] __asan_report_load8_noabort+0x20/0x30
[ 19.769732] workqueue_uaf+0x480/0x4a8
[ 19.769973] kunit_try_run_case+0x170/0x3f0
[ 19.770079] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.770132] kthread+0x328/0x630
[ 19.770173] ret_from_fork+0x10/0x20
[ 19.770255]
[ 19.770376] Allocated by task 229:
[ 19.770415] kasan_save_stack+0x3c/0x68
[ 19.770458] kasan_save_track+0x20/0x40
[ 19.770494] kasan_save_alloc_info+0x40/0x58
[ 19.770532] __kasan_kmalloc+0xd4/0xd8
[ 19.770616] __kmalloc_cache_noprof+0x16c/0x3c0
[ 19.770719] workqueue_uaf+0x13c/0x4a8
[ 19.770770] kunit_try_run_case+0x170/0x3f0
[ 19.770880] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.770926] kthread+0x328/0x630
[ 19.770967] ret_from_fork+0x10/0x20
[ 19.771109]
[ 19.771162] Freed by task 47:
[ 19.771234] kasan_save_stack+0x3c/0x68
[ 19.771278] kasan_save_track+0x20/0x40
[ 19.771313] kasan_save_free_info+0x4c/0x78
[ 19.771353] __kasan_slab_free+0x7c/0xa8
[ 19.771387] kfree+0x214/0x3c8
[ 19.771506] workqueue_uaf_work+0x18/0x30
[ 19.771568] process_one_work+0x530/0xf88
[ 19.771784] worker_thread+0x618/0xf38
[ 19.771828] kthread+0x328/0x630
[ 19.771861] ret_from_fork+0x10/0x20
[ 19.771899]
[ 19.771918] Last potentially related work creation:
[ 19.772211] kasan_save_stack+0x3c/0x68
[ 19.772259] kasan_record_aux_stack+0xb4/0xc8
[ 19.772298] __queue_work+0x65c/0xfe0
[ 19.772335] queue_work_on+0xbc/0xf8
[ 19.772908] workqueue_uaf+0x210/0x4a8
[ 19.773085] kunit_try_run_case+0x170/0x3f0
[ 19.773236] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.773320] kthread+0x328/0x630
[ 19.773357] ret_from_fork+0x10/0x20
[ 19.773395]
[ 19.773417] The buggy address belongs to the object at fff00000c9a82240
[ 19.773417] which belongs to the cache kmalloc-32 of size 32
[ 19.773607] The buggy address is located 0 bytes inside of
[ 19.773607] freed 32-byte region [fff00000c9a82240, fff00000c9a82260)
[ 19.773688]
[ 19.773709] The buggy address belongs to the physical page:
[ 19.773871] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a82
[ 19.774026] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.774089] page_type: f5(slab)
[ 19.774129] raw: 0bfffe0000000000 fff00000c0001780 dead000000000122 0000000000000000
[ 19.774576] raw: 0000000000000000 0000000080400040 00000000f5000000 0000000000000000
[ 19.774647] page dumped because: kasan: bad access detected
[ 19.774732]
[ 19.774750] Memory state around the buggy address:
[ 19.774786] fff00000c9a82100: 00 00 00 fc fc fc fc fc 00 00 03 fc fc fc fc fc
[ 19.774834] fff00000c9a82180: 00 00 07 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 19.774880] >fff00000c9a82200: 00 00 00 07 fc fc fc fc fa fb fb fb fc fc fc fc
[ 19.774933] ^
[ 19.775023] fff00000c9a82280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.775277] fff00000c9a82300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.775671] ==================================================================

Build:
------
- Kernel Config: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/config
- Build Reproducer: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/tuxmake_reproducer.sh
- Test Log: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29666916/suite/log-parser-boot/test/kasan-bug-kasan-slab-use-after-free-in-workqueue_uaf-344cbca85f82fa7d08a39c618b1a68cc317a146039f8c484b0791e690cdac565/log
- Test Reproducer: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29666916/suite/log-parser-boot/test/kasan-bug-kasan-slab-use-after-free-in-workqueue_uaf-344cbca85f82fa7d08a39c618b1a68cc317a146039f8c484b0791e690cdac565/attachments/reproducer

Boot regression: qemu-arm64, log-parser-boot/kfence-bug-kfence-use-after-free-read-in-kmalloc_uaf

Test log:
---------
[ 19.468850] ==================================================================
[ 19.469035] BUG: KFENCE: use-after-free read in kmalloc_uaf+0x184/0x338
[ 19.469035]
[ 19.469206] Use-after-free read at 0x00000000f08eb9ea (in kfence-#93):
[ 19.470242] kmalloc_uaf+0x184/0x338
[ 19.470346] kunit_try_run_case+0x170/0x3f0
[ 19.470452] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.470499] kthread+0x328/0x630
[ 19.470912] ret_from_fork+0x10/0x20
[ 19.471031]
[ 19.472589] kfence-#93: 0x000000008dd68793-0x00000000832a6d8e, size=10, cache=kmalloc-16
[ 19.472589]
[ 19.473641] allocated by task 213 on cpu 1 at 19.466870s (0.006325s ago):
[ 19.475750] kmalloc_uaf+0xb8/0x338
[ 19.476341] kunit_try_run_case+0x170/0x3f0
[ 19.476662] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.476744] kthread+0x328/0x630
[ 19.476810] ret_from_fork+0x10/0x20
[ 19.476962]
[ 19.477889] freed by task 213 on cpu 1 at 19.466964s (0.010231s ago):
[ 19.478381] kmalloc_uaf+0x11c/0x338
[ 19.478598] kunit_try_run_case+0x170/0x3f0
[ 19.478640] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.478695] kthread+0x328/0x630
[ 19.478727] ret_from_fork+0x10/0x20
[ 19.478827]
[ 19.478911] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B W N 6.17.0-rc3 #1 PREEMPT
[ 19.479010] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 19.479047] Hardware name: linux,dummy-virt (DT)
[ 19.479082] ==================================================================

Build:
------
- Kernel Config: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/config
- Build Reproducer: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29665928/suite/build/test/gcc-13-lkftconfig/attachments/tuxmake_reproducer.sh
- Test Log: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29666916/suite/log-parser-boot/test/kfence-bug-kfence-use-after-free-read-in-kmalloc_uaf-6598202890479a6807d7adbeb52adee8cca9612992d828dc191eb72ed5b58b38/log
- Test Reproducer: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597/testrun/29666916/suite/log-parser-boot/test/kfence-bug-kfence-use-after-free-read-in-kmalloc_uaf-6598202890479a6807d7adbeb52adee8cca9612992d828dc191eb72ed5b58b38/attachments/reproducer

Source:
-------
- Kernel version: 6.17.0-rc3
- Git Tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
- Git SHA: fab1beda7597fac1cecc01707d55eadb6bbe773c
- Git Describe: v6.17-rc3-11-gfab1beda7597
- Test Details: https://qa-reports.linaro.org/~anders.roxell/testtrigger/build/v6.17-rc3-11-gfab1beda7597

--
Linaro LKFT
https://lkft.linaro.org