Date
June 24, 2025, 11:37 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
dragonboard-845c:

```
[   39.654659] ==================================================================
[   39.665960] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[   39.672668] Read of size 1 at addr ffff0000948a0f28 by task kunit_try_catch/286
[   39.680078]
[   39.681612] CPU: 2 UID: 0 PID: 286 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[   39.681641] Tainted: [B]=BAD_PAGE, [N]=TEST
[   39.681650] Hardware name: Thundercomm Dragonboard 845c (DT)
[   39.681662] Call trace:
[   39.681669]  show_stack+0x20/0x38 (C)
[   39.681688]  dump_stack_lvl+0x8c/0xd0
[   39.681708]  print_report+0x118/0x608
[   39.681728]  kasan_report+0xdc/0x128
[   39.681746]  __asan_report_load1_noabort+0x20/0x30
[   39.681766]  kmalloc_uaf2+0x3f4/0x468
[   39.681782]  kunit_try_run_case+0x170/0x3f0
[   39.681802]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   39.681823]  kthread+0x328/0x630
[   39.681840]  ret_from_fork+0x10/0x20
[   39.681858]
[   39.747036] Allocated by task 286:
[   39.750500]  kasan_save_stack+0x3c/0x68
[   39.754403]  kasan_save_track+0x20/0x40
[   39.758306]  kasan_save_alloc_info+0x40/0x58
[   39.762649]  __kasan_kmalloc+0xd4/0xd8
[   39.766464]  __kmalloc_cache_noprof+0x16c/0x3c0
[   39.771067]  kmalloc_uaf2+0xc4/0x468
[   39.774710]  kunit_try_run_case+0x170/0x3f0
[   39.778967]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   39.784542]  kthread+0x328/0x630
[   39.787836]  ret_from_fork+0x10/0x20
[   39.791476]
[   39.793007] Freed by task 286:
[   39.796111]  kasan_save_stack+0x3c/0x68
[   39.800013]  kasan_save_track+0x20/0x40
[   39.803916]  kasan_save_free_info+0x4c/0x78
[   39.808171]  __kasan_slab_free+0x6c/0x98
[   39.812160]  kfree+0x214/0x3c8
[   39.815272]  kmalloc_uaf2+0x134/0x468
[   39.819000]  kunit_try_run_case+0x170/0x3f0
[   39.823256]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   39.828822]  kthread+0x328/0x630
[   39.832118]  ret_from_fork+0x10/0x20
[   39.835760]
[   39.837290] The buggy address belongs to the object at ffff0000948a0f00
[   39.837290]  which belongs to the cache kmalloc-64 of size 64
[   39.849779] The buggy address is located 40 bytes inside of
[   39.849779]  freed 64-byte region [ffff0000948a0f00, ffff0000948a0f40)
[   39.862004]
[   39.863531] The buggy address belongs to the physical page:
[   39.869185] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1148a0
[   39.877295] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   39.883914] page_type: f5(slab)
[   39.887123] raw: 0bfffe0000000000 ffff0000800028c0 dead000000000122 0000000000000000
[   39.894964] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   39.902802] page dumped because: kasan: bad access detected
[   39.908451]
[   39.909982] Memory state around the buggy address:
[   39.914848]  ffff0000948a0e00: 00 00 00 00 00 00 05 fc fc fc fc fc fc fc fc fc
[   39.922167]  ffff0000948a0e80: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[   39.929488] >ffff0000948a0f00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   39.936807]                                   ^
[   39.941405]  ffff0000948a0f80: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   39.948727]  ffff0000948a1000: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   39.956046] ==================================================================
```
qemu-arm64:

```
[   33.249483] ==================================================================
[   33.249558] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468
[   33.249625] Read of size 1 at addr fff00000c77357a8 by task kunit_try_catch/199
[   33.249687]
[   33.249728] CPU: 0 UID: 0 PID: 199 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT
[   33.249829] Tainted: [B]=BAD_PAGE, [N]=TEST
[   33.249862] Hardware name: linux,dummy-virt (DT)
[   33.249957] Call trace:
[   33.250015]  show_stack+0x20/0x38 (C)
[   33.250268]  dump_stack_lvl+0x8c/0xd0
[   33.250439]  print_report+0x118/0x608
[   33.250554]  kasan_report+0xdc/0x128
[   33.250856]  __asan_report_load1_noabort+0x20/0x30
[   33.251142]  kmalloc_uaf2+0x3f4/0x468
[   33.251222]  kunit_try_run_case+0x170/0x3f0
[   33.251345]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.251608]  kthread+0x328/0x630
[   33.251747]  ret_from_fork+0x10/0x20
[   33.251932]
[   33.251986] Allocated by task 199:
[   33.252057]  kasan_save_stack+0x3c/0x68
[   33.252159]  kasan_save_track+0x20/0x40
[   33.252324]  kasan_save_alloc_info+0x40/0x58
[   33.252435]  __kasan_kmalloc+0xd4/0xd8
[   33.252642]  __kmalloc_cache_noprof+0x16c/0x3c0
[   33.252777]  kmalloc_uaf2+0xc4/0x468
[   33.253044]  kunit_try_run_case+0x170/0x3f0
[   33.253290]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.253402]  kthread+0x328/0x630
[   33.253487]  ret_from_fork+0x10/0x20
[   33.253622]
[   33.253673] Freed by task 199:
[   33.253736]  kasan_save_stack+0x3c/0x68
[   33.253845]  kasan_save_track+0x20/0x40
[   33.254412]  kasan_save_free_info+0x4c/0x78
[   33.254529]  __kasan_slab_free+0x6c/0x98
[   33.254636]  kfree+0x214/0x3c8
[   33.254781]  kmalloc_uaf2+0x134/0x468
[   33.254910]  kunit_try_run_case+0x170/0x3f0
[   33.255012]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   33.255138]  kthread+0x328/0x630
[   33.255410]  ret_from_fork+0x10/0x20
[   33.255527]
[   33.255577] The buggy address belongs to the object at fff00000c7735780
[   33.255577]  which belongs to the cache kmalloc-64 of size 64
[   33.255715] The buggy address is located 40 bytes inside of
[   33.255715]  freed 64-byte region [fff00000c7735780, fff00000c77357c0)
[   33.255863]
[   33.256452] The buggy address belongs to the physical page:
[   33.256990] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107735
[   33.257647] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   33.259062] page_type: f5(slab)
[   33.259418] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000
[   33.259649] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   33.259793] page dumped because: kasan: bad access detected
[   33.259878]
[   33.259949] Memory state around the buggy address:
[   33.260301]  fff00000c7735680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   33.260423]  fff00000c7735700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   33.260531] >fff00000c7735780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   33.260654]                                   ^
[   33.260903]  fff00000c7735800: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   33.261157]  fff00000c7735880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.261251] ==================================================================
```
qemu-x86_64:

```
[   29.427612] ==================================================================
[   29.428283] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4a8/0x520
[   29.428955] Read of size 1 at addr ffff888102ddc928 by task kunit_try_catch/218
[   29.429506]
[   29.429802] CPU: 0 UID: 0 PID: 218 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary)
[   29.429920] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.429947] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   29.429998] Call Trace:
[   29.430030]  <TASK>
[   29.430071]  dump_stack_lvl+0x73/0xb0
[   29.430151]  print_report+0xd1/0x650
[   29.430213]  ? __virt_addr_valid+0x1db/0x2d0
[   29.430281]  ? kmalloc_uaf2+0x4a8/0x520
[   29.430331]  ? kasan_complete_mode_report_info+0x64/0x200
[   29.430390]  ? kmalloc_uaf2+0x4a8/0x520
[   29.430462]  kasan_report+0x141/0x180
[   29.430521]  ? kmalloc_uaf2+0x4a8/0x520
[   29.430605]  __asan_report_load1_noabort+0x18/0x20
[   29.430706]  kmalloc_uaf2+0x4a8/0x520
[   29.430782]  ? __pfx_kmalloc_uaf2+0x10/0x10
[   29.430842]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   29.430942]  ? __pfx_kmalloc_uaf2+0x10/0x10
[   29.431011]  kunit_try_run_case+0x1a5/0x480
[   29.431180]  ? __pfx_kunit_try_run_case+0x10/0x10
[   29.431221]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   29.431257]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   29.431291]  ? __kthread_parkme+0x82/0x180
[   29.431320]  ? preempt_count_sub+0x50/0x80
[   29.431352]  ? __pfx_kunit_try_run_case+0x10/0x10
[   29.431383]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   29.431414]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   29.431445]  kthread+0x337/0x6f0
[   29.431471]  ? trace_preempt_on+0x20/0xc0
[   29.431502]  ? __pfx_kthread+0x10/0x10
[   29.431529]  ? _raw_spin_unlock_irq+0x47/0x80
[   29.431582]  ? calculate_sigpending+0x7b/0xa0
[   29.431614]  ? __pfx_kthread+0x10/0x10
[   29.431655]  ret_from_fork+0x116/0x1d0
[   29.431686]  ? __pfx_kthread+0x10/0x10
[   29.431713]  ret_from_fork_asm+0x1a/0x30
[   29.431753]  </TASK>
[   29.431768]
[   29.447010] Allocated by task 218:
[   29.447563]  kasan_save_stack+0x45/0x70
[   29.448028]  kasan_save_track+0x18/0x40
[   29.448832]  kasan_save_alloc_info+0x3b/0x50
[   29.449422]  __kasan_kmalloc+0xb7/0xc0
[   29.449881]  __kmalloc_cache_noprof+0x189/0x420
[   29.450300]  kmalloc_uaf2+0xc6/0x520
[   29.450655]  kunit_try_run_case+0x1a5/0x480
[   29.451236]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   29.451814]  kthread+0x337/0x6f0
[   29.452057]  ret_from_fork+0x116/0x1d0
[   29.452566]  ret_from_fork_asm+0x1a/0x30
[   29.453729]
[   29.453893] Freed by task 218:
[   29.454337]  kasan_save_stack+0x45/0x70
[   29.454698]  kasan_save_track+0x18/0x40
[   29.455163]  kasan_save_free_info+0x3f/0x60
[   29.455468]  __kasan_slab_free+0x56/0x70
[   29.455892]  kfree+0x222/0x3f0
[   29.456761]  kmalloc_uaf2+0x14c/0x520
[   29.457325]  kunit_try_run_case+0x1a5/0x480
[   29.457960]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   29.458427]  kthread+0x337/0x6f0
[   29.458626]  ret_from_fork+0x116/0x1d0
[   29.458815]  ret_from_fork_asm+0x1a/0x30
[   29.459183]
[   29.459503] The buggy address belongs to the object at ffff888102ddc900
[   29.459503]  which belongs to the cache kmalloc-64 of size 64
[   29.461145] The buggy address is located 40 bytes inside of
[   29.461145]  freed 64-byte region [ffff888102ddc900, ffff888102ddc940)
[   29.462506]
[   29.462693] The buggy address belongs to the physical page:
[   29.462942] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102ddc
[   29.464016] flags: 0x200000000000000(node=0|zone=2)
[   29.464980] page_type: f5(slab)
[   29.465333] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
[   29.465892] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   29.466407] page dumped because: kasan: bad access detected
[   29.466840]
[   29.467195] Memory state around the buggy address:
[   29.467781]  ffff888102ddc800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   29.468194]  ffff888102ddc880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   29.468939] >ffff888102ddc900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   29.469569]                                   ^
[   29.470024]  ffff888102ddc980: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc
[   29.471202]  ffff888102ddca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.471884] ==================================================================
```