lkft/linux-next-master - next-20250617 - log-parser-boot/kasan-bug-kasan-slab-use-after-free-in-kmalloc_uaf2

Date

June 17, 2025, 6:35 a.m.

Environment
qemu-arm64
qemu-x86_64

[   17.026047] ==================================================================
[   17.026224] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[   17.026317] Read of size 1 at addr fff00000c505c7a8 by task kunit_try_catch/197
[   17.026577] 
[   17.026977] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250617 #1 PREEMPT 
[   17.027150] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.027179] Hardware name: linux,dummy-virt (DT)
[   17.027214] Call trace:
[   17.027238]  show_stack+0x20/0x38 (C)
[   17.027295]  dump_stack_lvl+0x8c/0xd0
[   17.027345]  print_report+0x118/0x608
[   17.027406]  kasan_report+0xdc/0x128
[   17.027460]  __asan_report_load1_noabort+0x20/0x30
[   17.027509]  kmalloc_uaf2+0x3f4/0x468
[   17.027558]  kunit_try_run_case+0x170/0x3f0
[   17.027609]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.027663]  kthread+0x328/0x630
[   17.027707]  ret_from_fork+0x10/0x20
[   17.027766] 
[   17.027793] Allocated by task 197:
[   17.027830]  kasan_save_stack+0x3c/0x68
[   17.027884]  kasan_save_track+0x20/0x40
[   17.027938]  kasan_save_alloc_info+0x40/0x58
[   17.027977]  __kasan_kmalloc+0xd4/0xd8
[   17.028015]  __kmalloc_cache_noprof+0x16c/0x3c0
[   17.028066]  kmalloc_uaf2+0xc4/0x468
[   17.028102]  kunit_try_run_case+0x170/0x3f0
[   17.028147]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.028203]  kthread+0x328/0x630
[   17.028237]  ret_from_fork+0x10/0x20
[   17.028273] 
[   17.028292] Freed by task 197:
[   17.028334]  kasan_save_stack+0x3c/0x68
[   17.028380]  kasan_save_track+0x20/0x40
[   17.028428]  kasan_save_free_info+0x4c/0x78
[   17.028466]  __kasan_slab_free+0x6c/0x98
[   17.028504]  kfree+0x214/0x3c8
[   17.028537]  kmalloc_uaf2+0x134/0x468
[   17.028573]  kunit_try_run_case+0x170/0x3f0
[   17.028610]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.028654]  kthread+0x328/0x630
[   17.028687]  ret_from_fork+0x10/0x20
[   17.028722] 
[   17.028742] The buggy address belongs to the object at fff00000c505c780
[   17.028742]  which belongs to the cache kmalloc-64 of size 64
[   17.028811] The buggy address is located 40 bytes inside of
[   17.028811]  freed 64-byte region [fff00000c505c780, fff00000c505c7c0)
[   17.028881] 
[   17.028911] The buggy address belongs to the physical page:
[   17.028989] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10505c
[   17.029384] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.029708] page_type: f5(slab)
[   17.030024] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   17.030081] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   17.030720] page dumped because: kasan: bad access detected
[   17.030786] 
[   17.030837] Memory state around the buggy address:
[   17.030985]  fff00000c505c680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   17.031054]  fff00000c505c700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   17.031099] >fff00000c505c780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   17.031165]                                   ^
[   17.031578]  fff00000c505c800: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   17.031652]  fff00000c505c880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.031740] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

2ycmAbKpM2fPU7JFlL3VFcggZyX

job_id

TEST:linaro@lkft#2ycmGBohWgwDt0q1MSJxRxJ46Gq

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2ycmGBohWgwDt0q1MSJxRxJ46Gq

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2ycmC5EhW3BM1tkjhYaNQdm2b7j/Image.gz
sha256sum	0e75f247fcfca828bae2c74673e3187b2cb142639542a20241767255dd2a989b

rootfs

url	https://storage.tuxboot.com/debian/20250605/trixie/arm64/rootfs.ext4.xz
sha256sum	905f5619346e1db164ac162d2472afab1c1502c840ccd8eb365c2a644148903b

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2ycmC5EhW3BM1tkjhYaNQdm2b7j/modules.tar.xz
sha256sum	18ad61734b8ac92476de265f77917a21b448a5c78baec17abc62599dfb00aad0

durations

tests

boot	0
kunit	171.74

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

[   18.427023] ==================================================================
[   18.427908] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4a8/0x520
[   18.428437] Read of size 1 at addr ffff888102aa78a8 by task kunit_try_catch/215
[   18.429000] 
[   18.429242] CPU: 1 UID: 0 PID: 215 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc2-next-20250617 #1 PREEMPT(voluntary) 
[   18.429367] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.429401] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   18.429457] Call Trace:
[   18.429493]  <TASK>
[   18.429538]  dump_stack_lvl+0x73/0xb0
[   18.429626]  print_report+0xd1/0x650
[   18.429704]  ? __virt_addr_valid+0x1db/0x2d0
[   18.429779]  ? kmalloc_uaf2+0x4a8/0x520
[   18.429895]  ? kasan_complete_mode_report_info+0x64/0x200
[   18.429971]  ? kmalloc_uaf2+0x4a8/0x520
[   18.430047]  kasan_report+0x141/0x180
[   18.430118]  ? kmalloc_uaf2+0x4a8/0x520
[   18.430193]  __asan_report_load1_noabort+0x18/0x20
[   18.430317]  kmalloc_uaf2+0x4a8/0x520
[   18.430390]  ? __pfx_kmalloc_uaf2+0x10/0x10
[   18.430453]  ? finish_task_switch.isra.0+0x153/0x700
[   18.430525]  ? __switch_to+0x47/0xf50
[   18.430612]  ? __schedule+0x10cc/0x2b60
[   18.430690]  ? __pfx_read_tsc+0x10/0x10
[   18.430761]  ? ktime_get_ts64+0x86/0x230
[   18.430856]  kunit_try_run_case+0x1a5/0x480
[   18.430939]  ? __pfx_kunit_try_run_case+0x10/0x10
[   18.431009]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   18.431078]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   18.431156]  ? __kthread_parkme+0x82/0x180
[   18.431197]  ? preempt_count_sub+0x50/0x80
[   18.431359]  ? __pfx_kunit_try_run_case+0x10/0x10
[   18.431402]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.431434]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   18.431466]  kthread+0x337/0x6f0
[   18.431493]  ? trace_preempt_on+0x20/0xc0
[   18.431528]  ? __pfx_kthread+0x10/0x10
[   18.431565]  ? _raw_spin_unlock_irq+0x47/0x80
[   18.431599]  ? calculate_sigpending+0x7b/0xa0
[   18.431634]  ? __pfx_kthread+0x10/0x10
[   18.431662]  ret_from_fork+0x116/0x1d0
[   18.431689]  ? __pfx_kthread+0x10/0x10
[   18.431716]  ret_from_fork_asm+0x1a/0x30
[   18.431756]  </TASK>
[   18.431772] 
[   18.450599] Allocated by task 215:
[   18.450913]  kasan_save_stack+0x45/0x70
[   18.451934]  kasan_save_track+0x18/0x40
[   18.452807]  kasan_save_alloc_info+0x3b/0x50
[   18.454289]  __kasan_kmalloc+0xb7/0xc0
[   18.455042]  __kmalloc_cache_noprof+0x189/0x420
[   18.455994]  kmalloc_uaf2+0xc6/0x520
[   18.456239]  kunit_try_run_case+0x1a5/0x480
[   18.456644]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.457110]  kthread+0x337/0x6f0
[   18.457470]  ret_from_fork+0x116/0x1d0
[   18.457777]  ret_from_fork_asm+0x1a/0x30
[   18.458382] 
[   18.458564] Freed by task 215:
[   18.458848]  kasan_save_stack+0x45/0x70
[   18.459600]  kasan_save_track+0x18/0x40
[   18.459945]  kasan_save_free_info+0x3f/0x60
[   18.460502]  __kasan_slab_free+0x56/0x70
[   18.460860]  kfree+0x222/0x3f0
[   18.461114]  kmalloc_uaf2+0x14c/0x520
[   18.461622]  kunit_try_run_case+0x1a5/0x480
[   18.462050]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   18.462643]  kthread+0x337/0x6f0
[   18.462952]  ret_from_fork+0x116/0x1d0
[   18.463708]  ret_from_fork_asm+0x1a/0x30
[   18.464129] 
[   18.464490] The buggy address belongs to the object at ffff888102aa7880
[   18.464490]  which belongs to the cache kmalloc-64 of size 64
[   18.465366] The buggy address is located 40 bytes inside of
[   18.465366]  freed 64-byte region [ffff888102aa7880, ffff888102aa78c0)
[   18.466323] 
[   18.466514] The buggy address belongs to the physical page:
[   18.466868] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102aa7
[   18.467533] flags: 0x200000000000000(node=0|zone=2)
[   18.468521] page_type: f5(slab)
[   18.468872] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   18.469569] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   18.470122] page dumped because: kasan: bad access detected
[   18.470668] 
[   18.470886] Memory state around the buggy address:
[   18.471672]  ffff888102aa7780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.472447]  ffff888102aa7800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.472967] >ffff888102aa7880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   18.473684]                                   ^
[   18.474041]  ffff888102aa7900: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   18.474742]  ffff888102aa7980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.475702] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

2ycmAbKpM2fPU7JFlL3VFcggZyX

job_id

TEST:linaro@lkft#2ycmHIv4OjqzuY4se718cLGQLXs

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2ycmHIv4OjqzuY4se718cLGQLXs

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2ycmDNxoP9hdgB9eqatUl05sOIC/bzImage
sha256sum	e8ff53ed1294ecb6e3942f69c9702cf67245fcd535135359b70f78a45efa657a

rootfs

url	https://storage.tuxboot.com/debian/20250605/trixie/amd64/rootfs.ext4.xz
sha256sum	bb36936f45b20f4af35993e582d98e781104116519f71565c7a97bddc546f892

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2ycmDNxoP9hdgB9eqatUl05sOIC/modules.tar.xz
sha256sum	4b7f7ee9385141e7d851b6b43f3ef6c0857845282181ddc6cfac1e13c3ff02a7

durations

tests

boot	0
kunit	223.55

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

Metadata

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit