lkft/linux-next-master - next-20250624 - log-parser-boot/kasan-bug-kasan-use-after-free-in-kmalloc_large_uaf

Date

June 24, 2025, 11:37 a.m.

Environment
dragonboard-845c
qemu-arm64
qemu-x86_64

[   31.076215] ==================================================================
[   31.087866] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[   31.094570] Read of size 1 at addr ffff000086418000 by task kunit_try_catch/246
[   31.101977] 
[   31.103509] CPU: 3 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT 
[   31.103538] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.103546] Hardware name: Thundercomm Dragonboard 845c (DT)
[   31.103556] Call trace:
[   31.103562]  show_stack+0x20/0x38 (C)
[   31.103580]  dump_stack_lvl+0x8c/0xd0
[   31.103602]  print_report+0x118/0x608
[   31.103621]  kasan_report+0xdc/0x128
[   31.103640]  __asan_report_load1_noabort+0x20/0x30
[   31.103658]  kmalloc_large_uaf+0x2cc/0x2f8
[   31.103675]  kunit_try_run_case+0x170/0x3f0
[   31.103693]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.103714]  kthread+0x328/0x630
[   31.103728]  ret_from_fork+0x10/0x20
[   31.103747] 
[   31.169347] The buggy address belongs to the physical page:
[   31.174996] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106418
[   31.183108] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.189736] raw: 0bfffe0000000000 fffffdffc2190808 ffff0000dae08c40 0000000000000000
[   31.197579] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   31.205417] page dumped because: kasan: bad access detected
[   31.211062] 
[   31.212598] Memory state around the buggy address:
[   31.217459]  ffff000086417f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.224781]  ffff000086417f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.232103] >ffff000086418000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   31.239416]                    ^
[   31.242705]  ffff000086418080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   31.250027]  ffff000086418100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   31.257344] ==================================================================

Metadata Full log Test run details

[   32.485218] ==================================================================
[   32.485355] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[   32.485483] Read of size 1 at addr fff00000c773c000 by task kunit_try_catch/159
[   32.485593] 
[   32.485671] CPU: 0 UID: 0 PID: 159 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT 
[   32.485900] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.485979] Hardware name: linux,dummy-virt (DT)
[   32.486065] Call trace:
[   32.486129]  show_stack+0x20/0x38 (C)
[   32.486267]  dump_stack_lvl+0x8c/0xd0
[   32.486545]  print_report+0x118/0x608
[   32.487219]  kasan_report+0xdc/0x128
[   32.487532]  __asan_report_load1_noabort+0x20/0x30
[   32.487989]  kmalloc_large_uaf+0x2cc/0x2f8
[   32.488123]  kunit_try_run_case+0x170/0x3f0
[   32.488849]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.489002]  kthread+0x328/0x630
[   32.489109]  ret_from_fork+0x10/0x20
[   32.489235] 
[   32.489291] The buggy address belongs to the physical page:
[   32.489701] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10773c
[   32.489829] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.490191] raw: 0bfffe0000000000 ffffc1ffc31dd608 fff00000da466c80 0000000000000000
[   32.490313] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   32.490422] page dumped because: kasan: bad access detected
[   32.490496] 
[   32.490559] Memory state around the buggy address:
[   32.490731]  fff00000c773bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.490901]  fff00000c773bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.491090] >fff00000c773c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.491192]                    ^
[   32.491332]  fff00000c773c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.491442]  fff00000c773c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.491639] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

2yx8iABZYbkBMHz2UfLhbVQFSBc

job_id

TEST:linaro@lkft#2yx8mnha0Lu62FmuY96Pi2IVCX2

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2yx8mnha0Lu62FmuY96Pi2IVCX2

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2yx8jAY6Eu0Ej50xmM9Wq9W9Kum/Image.gz
sha256sum	08cb64e0f154758cad9002b9f9875074fc1caa5b64a173779c23ca529581230a

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2yx8jAY6Eu0Ej50xmM9Wq9W9Kum/modules.tar.xz
sha256sum	1b970a753f25d59f813741ee64d0dae566db66f1284845658803118558976a2f

durations

tests

boot	0
kunit	293.47

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

[   28.145808] ==================================================================
[   28.146498] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f1/0x340
[   28.147090] Read of size 1 at addr ffff8881029f4000 by task kunit_try_catch/178
[   28.147660] 
[   28.147983] CPU: 1 UID: 0 PID: 178 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary) 
[   28.148096] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.148127] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   28.148173] Call Trace:
[   28.148209]  <TASK>
[   28.148245]  dump_stack_lvl+0x73/0xb0
[   28.148365]  print_report+0xd1/0x650
[   28.148419]  ? __virt_addr_valid+0x1db/0x2d0
[   28.148476]  ? kmalloc_large_uaf+0x2f1/0x340
[   28.148528]  ? kasan_addr_to_slab+0x11/0xa0
[   28.148597]  ? kmalloc_large_uaf+0x2f1/0x340
[   28.148697]  kasan_report+0x141/0x180
[   28.148759]  ? kmalloc_large_uaf+0x2f1/0x340
[   28.148824]  __asan_report_load1_noabort+0x18/0x20
[   28.148884]  kmalloc_large_uaf+0x2f1/0x340
[   28.148938]  ? __pfx_kmalloc_large_uaf+0x10/0x10
[   28.149003]  ? __schedule+0x10cc/0x2b60
[   28.149104]  ? __pfx_read_tsc+0x10/0x10
[   28.149162]  ? ktime_get_ts64+0x86/0x230
[   28.149216]  kunit_try_run_case+0x1a5/0x480
[   28.149272]  ? __pfx_kunit_try_run_case+0x10/0x10
[   28.149321]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   28.149374]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   28.149427]  ? __kthread_parkme+0x82/0x180
[   28.149476]  ? preempt_count_sub+0x50/0x80
[   28.149527]  ? __pfx_kunit_try_run_case+0x10/0x10
[   28.149603]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   28.149659]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   28.149696]  kthread+0x337/0x6f0
[   28.149725]  ? trace_preempt_on+0x20/0xc0
[   28.149757]  ? __pfx_kthread+0x10/0x10
[   28.149783]  ? _raw_spin_unlock_irq+0x47/0x80
[   28.149813]  ? calculate_sigpending+0x7b/0xa0
[   28.149843]  ? __pfx_kthread+0x10/0x10
[   28.149871]  ret_from_fork+0x116/0x1d0
[   28.149896]  ? __pfx_kthread+0x10/0x10
[   28.149922]  ret_from_fork_asm+0x1a/0x30
[   28.149961]  </TASK>
[   28.149975] 
[   28.166446] The buggy address belongs to the physical page:
[   28.167937] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1029f4
[   28.168725] flags: 0x200000000000000(node=0|zone=2)
[   28.169124] raw: 0200000000000000 ffffea00040a7e08 ffff88815b139fc0 0000000000000000
[   28.169597] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   28.170560] page dumped because: kasan: bad access detected
[   28.170845] 
[   28.171063] Memory state around the buggy address:
[   28.171515]  ffff8881029f3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.172212]  ffff8881029f3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.172863] >ffff8881029f4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.173340]                    ^
[   28.173746]  ffff8881029f4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.174754]  ffff8881029f4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.175394] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

2yx8iABZYbkBMHz2UfLhbVQFSBc

job_id

TEST:linaro@lkft#2yx8nqbxHyU9q5QFLSgoSfpxg7c

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2yx8nqbxHyU9q5QFLSgoSfpxg7c

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2yx8kMWyAcZURSq8fq3I4LTYNnI/bzImage
sha256sum	e4af8fb0c4f818dc00f998896a3bb1036c581a265d8c629b665739ffdae0ee02

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2yx8kMWyAcZURSq8fq3I4LTYNnI/modules.tar.xz
sha256sum	aa90f144ec87f2f93e8f81cdc22f5e1ccf9be8dc2fab92a71c87abdd535262e3

durations

tests

boot	0
kunit	232.61

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

Metadata

Failure - dragonboard-845c - gcc-13-lkftconfig-kunit

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit