Date
April 20, 2025, 11:09 p.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
rk3399-rock-pi-4b |
qemu-arm64 (linux,dummy-virt):

```text
[ 23.464701] ==================================================================
[ 23.464819] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[ 23.464956] Read of size 1 at addr fff00000c412bbc8 by task kunit_try_catch/186
[ 23.465084]
[ 23.465158] CPU: 0 UID: 0 PID: 186 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 23.465350] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 23.465416] Hardware name: linux,dummy-virt (DT)
[ 23.465668] Call trace:
[ 23.465972]  show_stack+0x20/0x38 (C)
[ 23.466974]  dump_stack_lvl+0x8c/0xd0
[ 23.467472]  print_report+0x118/0x608
[ 23.467679]  kasan_report+0xdc/0x128
[ 23.467801]  __asan_report_load1_noabort+0x20/0x30
[ 23.467949]  kmalloc_uaf+0x300/0x338
[ 23.468105]  kunit_try_run_case+0x170/0x3f0
[ 23.468249]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.468598]  kthread+0x328/0x630
[ 23.469014]  ret_from_fork+0x10/0x20
[ 23.469493]
[ 23.469626] Allocated by task 186:
[ 23.469993]  kasan_save_stack+0x3c/0x68
[ 23.470418]  kasan_save_track+0x20/0x40
[ 23.470822]  kasan_save_alloc_info+0x40/0x58
[ 23.471038]  __kasan_kmalloc+0xd4/0xd8
[ 23.471597]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 23.471736]  kmalloc_uaf+0xb8/0x338
[ 23.471831]  kunit_try_run_case+0x170/0x3f0
[ 23.471957]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.472473]  kthread+0x328/0x630
[ 23.472683]  ret_from_fork+0x10/0x20
[ 23.472895]
[ 23.473063] Freed by task 186:
[ 23.473226]  kasan_save_stack+0x3c/0x68
[ 23.473517]  kasan_save_track+0x20/0x40
[ 23.473612]  kasan_save_free_info+0x4c/0x78
[ 23.474359]  __kasan_slab_free+0x6c/0x98
[ 23.474513]  kfree+0x214/0x3c8
[ 23.475021]  kmalloc_uaf+0x11c/0x338
[ 23.475156]  kunit_try_run_case+0x170/0x3f0
[ 23.475686]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 23.476358]  kthread+0x328/0x630
[ 23.476476]  ret_from_fork+0x10/0x20
[ 23.476822]
[ 23.477169] The buggy address belongs to the object at fff00000c412bbc0
[ 23.477169]  which belongs to the cache kmalloc-16 of size 16
[ 23.477349] The buggy address is located 8 bytes inside of
[ 23.477349]  freed 16-byte region [fff00000c412bbc0, fff00000c412bbd0)
[ 23.477496]
[ 23.478381] The buggy address belongs to the physical page:
[ 23.478644] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10412b
[ 23.479021] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 23.479680] page_type: f5(slab)
[ 23.479832] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 23.480404] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 23.480536] page dumped because: kasan: bad access detected
[ 23.481290]
[ 23.481354] Memory state around the buggy address:
[ 23.481834]  fff00000c412ba80: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 23.482096]  fff00000c412bb00: 00 04 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 23.482571] >fff00000c412bb80: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc
[ 23.482921]                                               ^
[ 23.483416]  fff00000c412bc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.483529]  fff00000c412bc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 23.484278] ==================================================================
```
qemu-x86_64 (QEMU Standard PC):

```text
[ 11.725458] ==================================================================
[ 11.725932] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[ 11.726448] Read of size 1 at addr ffff8881023b8fa8 by task kunit_try_catch/204
[ 11.727550]
[ 11.727802] CPU: 1 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT(voluntary)
[ 11.727850] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 11.727863] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.727884] Call Trace:
[ 11.727896]  <TASK>
[ 11.727912]  dump_stack_lvl+0x73/0xb0
[ 11.728107]  print_report+0xd1/0x650
[ 11.728143]  ? __virt_addr_valid+0x1db/0x2d0
[ 11.728167]  ? kmalloc_uaf+0x320/0x380
[ 11.728187]  ? kasan_complete_mode_report_info+0x64/0x200
[ 11.728209]  ? kmalloc_uaf+0x320/0x380
[ 11.728230]  kasan_report+0x141/0x180
[ 11.728286]  ? kmalloc_uaf+0x320/0x380
[ 11.728314]  __asan_report_load1_noabort+0x18/0x20
[ 11.728345]  kmalloc_uaf+0x320/0x380
[ 11.728366]  ? __pfx_kmalloc_uaf+0x10/0x10
[ 11.728439]  ? __schedule+0x10cc/0x2b30
[ 11.728466]  ? __pfx_read_tsc+0x10/0x10
[ 11.728485]  ? ktime_get_ts64+0x86/0x230
[ 11.728510]  kunit_try_run_case+0x1a5/0x480
[ 11.728533]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.728556]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 11.728578]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 11.728602]  ? __kthread_parkme+0x82/0x180
[ 11.728623]  ? preempt_count_sub+0x50/0x80
[ 11.728649]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 11.728672]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.728694]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 11.728716]  kthread+0x337/0x6f0
[ 11.728736]  ? trace_preempt_on+0x20/0xc0
[ 11.728759]  ? __pfx_kthread+0x10/0x10
[ 11.728781]  ? _raw_spin_unlock_irq+0x47/0x80
[ 11.728802]  ? calculate_sigpending+0x7b/0xa0
[ 11.728823]  ? __pfx_kthread+0x10/0x10
[ 11.728845]  ret_from_fork+0x41/0x80
[ 11.728864]  ? __pfx_kthread+0x10/0x10
[ 11.728885]  ret_from_fork_asm+0x1a/0x30
[ 11.728917]  </TASK>
[ 11.728927]
[ 11.740662] Allocated by task 204:
[ 11.740838]  kasan_save_stack+0x45/0x70
[ 11.741027]  kasan_save_track+0x18/0x40
[ 11.741798]  kasan_save_alloc_info+0x3b/0x50
[ 11.742062]  __kasan_kmalloc+0xb7/0xc0
[ 11.742379]  __kmalloc_cache_noprof+0x189/0x420
[ 11.742613]  kmalloc_uaf+0xaa/0x380
[ 11.742779]  kunit_try_run_case+0x1a5/0x480
[ 11.742972]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.743447]  kthread+0x337/0x6f0
[ 11.743755]  ret_from_fork+0x41/0x80
[ 11.744110]  ret_from_fork_asm+0x1a/0x30
[ 11.744373]
[ 11.744509] Freed by task 204:
[ 11.744656]  kasan_save_stack+0x45/0x70
[ 11.744837]  kasan_save_track+0x18/0x40
[ 11.745014]  kasan_save_free_info+0x3f/0x60
[ 11.745780]  __kasan_slab_free+0x56/0x70
[ 11.745986]  kfree+0x222/0x3f0
[ 11.746319]  kmalloc_uaf+0x12c/0x380
[ 11.746640]  kunit_try_run_case+0x1a5/0x480
[ 11.746836]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 11.747067]  kthread+0x337/0x6f0
[ 11.747626]  ret_from_fork+0x41/0x80
[ 11.747875]  ret_from_fork_asm+0x1a/0x30
[ 11.748209]
[ 11.748425] The buggy address belongs to the object at ffff8881023b8fa0
[ 11.748425]  which belongs to the cache kmalloc-16 of size 16
[ 11.748972] The buggy address is located 8 bytes inside of
[ 11.748972]  freed 16-byte region [ffff8881023b8fa0, ffff8881023b8fb0)
[ 11.750057]
[ 11.750310] The buggy address belongs to the physical page:
[ 11.750789] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1023b8
[ 11.751116] flags: 0x200000000000000(node=0|zone=2)
[ 11.751794] page_type: f5(slab)
[ 11.751961] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 11.752585] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 11.753187] page dumped because: kasan: bad access detected
[ 11.753746]
[ 11.753860] Memory state around the buggy address:
[ 11.754071]  ffff8881023b8e80: 00 02 fc fc 00 02 fc fc 00 02 fc fc fa fb fc fc
[ 11.754859]  ffff8881023b8f00: fa fb fc fc fa fb fc fc 00 05 fc fc fa fb fc fc
[ 11.755370] >ffff8881023b8f80: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[ 11.755856]                                   ^
[ 11.756064]  ffff8881023b9000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 11.756886]  ffff8881023b9080: fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb
[ 11.757364] ==================================================================
```
rk3399-rock-pi-4b (Radxa ROCK Pi 4B):

```text
[ 21.636650] ==================================================================
[ 21.637787] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[ 21.638421] Read of size 1 at addr ffff00000aa08688 by task kunit_try_catch/238
[ 21.639100]
[ 21.639266] CPU: 3 UID: 0 PID: 238 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc3 #1 PREEMPT
[ 21.639317] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 21.639332] Hardware name: Radxa ROCK Pi 4B (DT)
[ 21.639350] Call trace:
[ 21.639362]  show_stack+0x20/0x38 (C)
[ 21.639394]  dump_stack_lvl+0x8c/0xd0
[ 21.639426]  print_report+0x118/0x608
[ 21.639456]  kasan_report+0xdc/0x128
[ 21.639484]  __asan_report_load1_noabort+0x20/0x30
[ 21.639518]  kmalloc_uaf+0x300/0x338
[ 21.639551]  kunit_try_run_case+0x170/0x3f0
[ 21.639586]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.639625]  kthread+0x328/0x630
[ 21.639659]  ret_from_fork+0x10/0x20
[ 21.639692]
[ 21.645222] Allocated by task 238:
[ 21.645549]  kasan_save_stack+0x3c/0x68
[ 21.645922]  kasan_save_track+0x20/0x40
[ 21.646294]  kasan_save_alloc_info+0x40/0x58
[ 21.646707]  __kasan_kmalloc+0xd4/0xd8
[ 21.647070]  __kmalloc_cache_noprof+0x15c/0x3c0
[ 21.647510]  kmalloc_uaf+0xb8/0x338
[ 21.647855]  kunit_try_run_case+0x170/0x3f0
[ 21.648263]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.648787]  kthread+0x328/0x630
[ 21.649110]  ret_from_fork+0x10/0x20
[ 21.649460]
[ 21.649612] Freed by task 238:
[ 21.649907]  kasan_save_stack+0x3c/0x68
[ 21.650279]  kasan_save_track+0x20/0x40
[ 21.650651]  kasan_save_free_info+0x4c/0x78
[ 21.651056]  __kasan_slab_free+0x6c/0x98
[ 21.651435]  kfree+0x214/0x3c8
[ 21.651742]  kmalloc_uaf+0x11c/0x338
[ 21.652095]  kunit_try_run_case+0x170/0x3f0
[ 21.652500]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 21.653025]  kthread+0x328/0x630
[ 21.653348]  ret_from_fork+0x10/0x20
[ 21.653697]
[ 21.653851] The buggy address belongs to the object at ffff00000aa08680
[ 21.653851]  which belongs to the cache kmalloc-16 of size 16
[ 21.654969] The buggy address is located 8 bytes inside of
[ 21.654969]  freed 16-byte region [ffff00000aa08680, ffff00000aa08690)
[ 21.656058]
[ 21.656213] The buggy address belongs to the physical page:
[ 21.656730] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaa08
[ 21.657455] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff)
[ 21.658066] page_type: f5(slab)
[ 21.658379] raw: 03fffe0000000000 ffff000000402640 dead000000000122 0000000000000000
[ 21.659095] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 21.659803] page dumped because: kasan: bad access detected
[ 21.660317]
[ 21.660470] Memory state around the buggy address:
[ 21.660918]  ffff00000aa08580: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 21.661584]  ffff00000aa08600: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 21.662250] >ffff00000aa08680: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.662912]                       ^
[ 21.663247]  ffff00000aa08700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.663913]  ffff00000aa08780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 21.664576] ==================================================================
```