Date: May 15, 2025, 10:38 a.m.

Environment: e850-96
```
[ 32.277307] ==================================================================
[ 32.284400] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[ 32.290731] Read of size 1 at addr ffff000801f1c478 by task kunit_try_catch/241
[ 32.298022]
[ 32.299506] CPU: 7 UID: 0 PID: 241 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT
[ 32.299560] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 32.299575] Hardware name: WinLink E850-96 board (DT)
[ 32.299593] Call trace:
[ 32.299606] show_stack+0x20/0x38 (C)
[ 32.299639] dump_stack_lvl+0x8c/0xd0
[ 32.299670] print_report+0x118/0x608
[ 32.299703] kasan_report+0xdc/0x128
[ 32.299731] __asan_report_load1_noabort+0x20/0x30
[ 32.299764] ksize_uaf+0x544/0x5f8
[ 32.299791] kunit_try_run_case+0x170/0x3f0
[ 32.299820] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.299857] kthread+0x328/0x630
[ 32.299888] ret_from_fork+0x10/0x20
[ 32.299919]
[ 32.362778] Allocated by task 241:
[ 32.366167] kasan_save_stack+0x3c/0x68
[ 32.369983] kasan_save_track+0x20/0x40
[ 32.373803] kasan_save_alloc_info+0x40/0x58
[ 32.378056] __kasan_kmalloc+0xd4/0xd8
[ 32.381788] __kmalloc_cache_noprof+0x15c/0x3c0
[ 32.386302] ksize_uaf+0xb8/0x5f8
[ 32.389601] kunit_try_run_case+0x170/0x3f0
[ 32.393767] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.399237] kthread+0x328/0x630
[ 32.402449] ret_from_fork+0x10/0x20
[ 32.406007]
[ 32.407482] Freed by task 241:
[ 32.410521] kasan_save_stack+0x3c/0x68
[ 32.414340] kasan_save_track+0x20/0x40
[ 32.418159] kasan_save_free_info+0x4c/0x78
[ 32.422326] __kasan_slab_free+0x6c/0x98
[ 32.426232] kfree+0x214/0x3c8
[ 32.429270] ksize_uaf+0x11c/0x5f8
[ 32.432656] kunit_try_run_case+0x170/0x3f0
[ 32.436822] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.442291] kthread+0x328/0x630
[ 32.445503] ret_from_fork+0x10/0x20
[ 32.449062]
[ 32.450537] The buggy address belongs to the object at ffff000801f1c400
[ 32.450537] which belongs to the cache kmalloc-128 of size 128
[ 32.463039] The buggy address is located 120 bytes inside of
[ 32.463039] freed 128-byte region [ffff000801f1c400, ffff000801f1c480)
[ 32.475277]
[ 32.476754] The buggy address belongs to the physical page:
[ 32.482312] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881f1c
[ 32.490296] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 32.497934] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 32.504878] page_type: f5(slab)
[ 32.508011] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 32.515734] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 32.523460] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 32.531272] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 32.539085] head: 0bfffe0000000001 fffffdffe007c701 00000000ffffffff 00000000ffffffff
[ 32.546897] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 32.554704] page dumped because: kasan: bad access detected
[ 32.560258]
[ 32.561733] Memory state around the buggy address:
[ 32.566512] ffff000801f1c300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.573716] ffff000801f1c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.580921] >ffff000801f1c400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.588122] ^
[ 32.595244] ffff000801f1c480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.602449] ffff000801f1c500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.609650] ==================================================================
[ 31.941783] ==================================================================
[ 31.948815] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[ 31.955146] Read of size 1 at addr ffff000801f1c400 by task kunit_try_catch/241
[ 31.962437]
[ 31.963922] CPU: 7 UID: 0 PID: 241 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT
[ 31.963975] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.963989] Hardware name: WinLink E850-96 board (DT)
[ 31.964012] Call trace:
[ 31.964027] show_stack+0x20/0x38 (C)
[ 31.964061] dump_stack_lvl+0x8c/0xd0
[ 31.964091] print_report+0x118/0x608
[ 31.964122] kasan_report+0xdc/0x128
[ 31.964151] __asan_report_load1_noabort+0x20/0x30
[ 31.964185] ksize_uaf+0x598/0x5f8
[ 31.964212] kunit_try_run_case+0x170/0x3f0
[ 31.964244] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.964278] kthread+0x328/0x630
[ 31.964311] ret_from_fork+0x10/0x20
[ 31.964346]
[ 32.027193] Allocated by task 241:
[ 32.030581] kasan_save_stack+0x3c/0x68
[ 32.034398] kasan_save_track+0x20/0x40
[ 32.038217] kasan_save_alloc_info+0x40/0x58
[ 32.042471] __kasan_kmalloc+0xd4/0xd8
[ 32.046203] __kmalloc_cache_noprof+0x15c/0x3c0
[ 32.050717] ksize_uaf+0xb8/0x5f8
[ 32.054016] kunit_try_run_case+0x170/0x3f0
[ 32.058182] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.063651] kthread+0x328/0x630
[ 32.066862] ret_from_fork+0x10/0x20
[ 32.070422]
[ 32.071897] Freed by task 241:
[ 32.074935] kasan_save_stack+0x3c/0x68
[ 32.078755] kasan_save_track+0x20/0x40
[ 32.082574] kasan_save_free_info+0x4c/0x78
[ 32.086741] __kasan_slab_free+0x6c/0x98
[ 32.090647] kfree+0x214/0x3c8
[ 32.093685] ksize_uaf+0x11c/0x5f8
[ 32.097071] kunit_try_run_case+0x170/0x3f0
[ 32.101237] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 32.106706] kthread+0x328/0x630
[ 32.109917] ret_from_fork+0x10/0x20
[ 32.113477]
[ 32.114954] The buggy address belongs to the object at ffff000801f1c400
[ 32.114954] which belongs to the cache kmalloc-128 of size 128
[ 32.127455] The buggy address is located 0 bytes inside of
[ 32.127455] freed 128-byte region [ffff000801f1c400, ffff000801f1c480)
[ 32.139517]
[ 32.140996] The buggy address belongs to the physical page:
[ 32.146552] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881f1c
[ 32.154537] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 32.162175] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 32.169118] page_type: f5(slab)
[ 32.172254] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 32.179975] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 32.187702] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 32.195513] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 32.203326] head: 0bfffe0000000001 fffffdffe007c701 00000000ffffffff 00000000ffffffff
[ 32.211138] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 32.218944] page dumped because: kasan: bad access detected
[ 32.224499]
[ 32.225974] Memory state around the buggy address:
[ 32.230753] ffff000801f1c300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.237958] ffff000801f1c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.245162] >ffff000801f1c400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.252363] ^
[ 32.255579] ffff000801f1c480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.262784] ffff000801f1c500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.269985] ==================================================================
[ 31.601493] ==================================================================
[ 31.611146] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[ 31.617479] Read of size 1 at addr ffff000801f1c400 by task kunit_try_catch/241
[ 31.624770]
[ 31.626256] CPU: 7 UID: 0 PID: 241 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc6-next-20250515 #1 PREEMPT
[ 31.626316] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 31.626334] Hardware name: WinLink E850-96 board (DT)
[ 31.626355] Call trace:
[ 31.626371] show_stack+0x20/0x38 (C)
[ 31.626409] dump_stack_lvl+0x8c/0xd0
[ 31.626442] print_report+0x118/0x608
[ 31.626475] kasan_report+0xdc/0x128
[ 31.626506] __kasan_check_byte+0x54/0x70
[ 31.626537] ksize+0x30/0x88
[ 31.626567] ksize_uaf+0x168/0x5f8
[ 31.626596] kunit_try_run_case+0x170/0x3f0
[ 31.626630] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.626665] kthread+0x328/0x630
[ 31.626700] ret_from_fork+0x10/0x20
[ 31.626733]
[ 31.691611] Allocated by task 241:
[ 31.694997] kasan_save_stack+0x3c/0x68
[ 31.698813] kasan_save_track+0x20/0x40
[ 31.702634] kasan_save_alloc_info+0x40/0x58
[ 31.706885] __kasan_kmalloc+0xd4/0xd8
[ 31.710618] __kmalloc_cache_noprof+0x15c/0x3c0
[ 31.715132] ksize_uaf+0xb8/0x5f8
[ 31.718430] kunit_try_run_case+0x170/0x3f0
[ 31.722597] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.728067] kthread+0x328/0x630
[ 31.731277] ret_from_fork+0x10/0x20
[ 31.734836]
[ 31.736313] Freed by task 241:
[ 31.739350] kasan_save_stack+0x3c/0x68
[ 31.743170] kasan_save_track+0x20/0x40
[ 31.746989] kasan_save_free_info+0x4c/0x78
[ 31.751156] __kasan_slab_free+0x6c/0x98
[ 31.755062] kfree+0x214/0x3c8
[ 31.758100] ksize_uaf+0x11c/0x5f8
[ 31.761485] kunit_try_run_case+0x170/0x3f0
[ 31.765652] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 31.771120] kthread+0x328/0x630
[ 31.774332] ret_from_fork+0x10/0x20
[ 31.777891]
[ 31.779369] The buggy address belongs to the object at ffff000801f1c400
[ 31.779369] which belongs to the cache kmalloc-128 of size 128
[ 31.791871] The buggy address is located 0 bytes inside of
[ 31.791871] freed 128-byte region [ffff000801f1c400, ffff000801f1c480)
[ 31.803934]
[ 31.805412] The buggy address belongs to the physical page:
[ 31.810967] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x881f1c
[ 31.818952] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 31.826591] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 31.833535] page_type: f5(slab)
[ 31.836673] raw: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 31.844390] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 31.852116] head: 0bfffe0000000040 ffff000800002a00 dead000000000122 0000000000000000
[ 31.859928] head: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[ 31.867741] head: 0bfffe0000000001 fffffdffe007c701 00000000ffffffff 00000000ffffffff
[ 31.875553] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 31.883360] page dumped because: kasan: bad access detected
[ 31.888914]
[ 31.890389] Memory state around the buggy address:
[ 31.895174] ffff000801f1c300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.902373] ffff000801f1c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.909579] >ffff000801f1c400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.916778] ^
[ 31.919993] ffff000801f1c480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.927198] ffff000801f1c500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.934401] ==================================================================
```