lkft/linux-next-master - next-20250626 - log-parser-boot/kasan-bug-kasan-use-after-free-in-kmalloc_large_uaf

Date

June 26, 2025, 9:10 a.m.

Environment
dragonboard-845c
juno-r2
qemu-arm64
qemu-x86_64

[   32.444502] ==================================================================
[   32.456144] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[   32.462855] Read of size 1 at addr ffff0000962c8000 by task kunit_try_catch/234
[   32.470262] 
[   32.471798] CPU: 6 UID: 0 PID: 234 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT 
[   32.471827] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.471835] Hardware name: Thundercomm Dragonboard 845c (DT)
[   32.471848] Call trace:
[   32.471854]  show_stack+0x20/0x38 (C)
[   32.471871]  dump_stack_lvl+0x8c/0xd0
[   32.471890]  print_report+0x118/0x608
[   32.471908]  kasan_report+0xdc/0x128
[   32.471926]  __asan_report_load1_noabort+0x20/0x30
[   32.471942]  kmalloc_large_uaf+0x2cc/0x2f8
[   32.471957]  kunit_try_run_case+0x170/0x3f0
[   32.471976]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.471996]  kthread+0x328/0x630
[   32.472009]  ret_from_fork+0x10/0x20
[   32.472026] 
[   32.537574] The buggy address belongs to the physical page:
[   32.543216] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1162c8
[   32.551316] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.557932] raw: 0bfffe0000000000 fffffdffc258b308 ffff0000dae6ec40 0000000000000000
[   32.565773] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   32.573609] page dumped because: kasan: bad access detected
[   32.579249] 
[   32.580779] Memory state around the buggy address:
[   32.585631]  ffff0000962c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.592936]  ffff0000962c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   32.600249] >ffff0000962c8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.607552]                    ^
[   32.610836]  ffff0000962c8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.618150]  ffff0000962c8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.625464] ==================================================================

Metadata Full log Test run details

[ 1523.210174] ==================================================================
[ 1523.210202] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[ 1523.210236] Read of size 1 at addr ffff000827890000 by task kunit_try_catch/219
[ 1523.210267] 
[ 1523.210282] CPU: 3 UID: 0 PID: 219 Comm: kunit_try_catch Tainted: G    B   W        N  6.16.0-rc3-next-20250626 #1 PREEMPT 
[ 1523.210341] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 1523.210358] Hardware name: ARM Juno development board (r2) (DT)
[ 1523.210379] Call trace:
[ 1523.210390]  show_stack+0x20/0x38 (C)
[ 1523.210426]  dump_stack_lvl+0x8c/0xd0
[ 1523.210465]  print_report+0x118/0x608
[ 1523.210504]  kasan_report+0xdc/0x128
[ 1523.210542]  __asan_report_load1_noabort+0x20/0x30
[ 1523.210577]  kmalloc_large_uaf+0x2cc/0x2f8
[ 1523.210612]  kunit_try_run_case+0x170/0x3f0
[ 1523.210650]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 1523.210694]  kthread+0x328/0x630
[ 1523.210724]  ret_from_fork+0x10/0x20
[ 1523.210760] 
[ 1523.210770] The buggy address belongs to the physical page:
[ 1523.210787] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8a7890
[ 1523.210819] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 1523.210860] raw: 0bfffe0000000000 fffffdffe09e2508 ffff000935e10c40 0000000000000000
[ 1523.210894] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 1523.210919] page dumped because: kasan: bad access detected
[ 1523.210937] 
[ 1523.210946] Memory state around the buggy address:
[ 1523.210965]  ffff00082788ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 1523.210994]  ffff00082788ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 1523.211023] >ffff000827890000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 1523.211047]                    ^
[ 1523.211064]  ffff000827890080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 1523.211092]  ffff000827890100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 1523.211116] ==================================================================

Metadata Full log Test run details

[   26.596621] ==================================================================
[   26.596682] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[   26.596730] Read of size 1 at addr fff00000c6498000 by task kunit_try_catch/160
[   26.596777] 
[   26.596804] CPU: 0 UID: 0 PID: 160 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT 
[   26.596887] Tainted: [B]=BAD_PAGE, [N]=TEST
[   26.596911] Hardware name: linux,dummy-virt (DT)
[   26.596940] Call trace:
[   26.596960]  show_stack+0x20/0x38 (C)
[   26.597018]  dump_stack_lvl+0x8c/0xd0
[   26.597078]  print_report+0x118/0x608
[   26.597122]  kasan_report+0xdc/0x128
[   26.597166]  __asan_report_load1_noabort+0x20/0x30
[   26.597211]  kmalloc_large_uaf+0x2cc/0x2f8
[   26.597255]  kunit_try_run_case+0x170/0x3f0
[   26.597455]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   26.597507]  kthread+0x328/0x630
[   26.597547]  ret_from_fork+0x10/0x20
[   26.597592] 
[   26.597610] The buggy address belongs to the physical page:
[   26.597639] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106498
[   26.597697] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   26.597754] raw: 0bfffe0000000000 ffffc1ffc3192708 fff00000da466c80 0000000000000000
[   26.597801] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   26.597838] page dumped because: kasan: bad access detected
[   26.597867] 
[   26.597884] Memory state around the buggy address:
[   26.597912]  fff00000c6497f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.598013]  fff00000c6497f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.598061] >fff00000c6498000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   26.598103]                    ^
[   26.598196]  fff00000c6498080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   26.598237]  fff00000c6498100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   26.598372] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

2z2V64IZ5mZ4pqTgyDjND4po2p7

job_id

TEST:linaro@lkft#2z2VBWOwNE7tln7ibBWNJtNgCdd

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2z2VBWOwNE7tln7ibBWNJtNgCdd

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2V7USjjUTWqzxtyXvVloPZLjf/Image.gz
sha256sum	42e36f6e4a060d5f9a1060b857a02a69294fe7d2a27b0731adb370bcbc85f1e6

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2V7USjjUTWqzxtyXvVloPZLjf/modules.tar.xz
sha256sum	890b3fa8e09fb90f169b09d75de24714d8b16adf2b500a29a27124602d4970e9

durations

tests

boot	0
kunit	167.09

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

[   21.700590] ==================================================================
[   21.701349] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f1/0x340
[   21.701646] Read of size 1 at addr ffff888102c88000 by task kunit_try_catch/177
[   21.701971] 
[   21.702099] CPU: 1 UID: 0 PID: 177 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary) 
[   21.702322] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.702341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   21.702364] Call Trace:
[   21.702377]  <TASK>
[   21.702410]  dump_stack_lvl+0x73/0xb0
[   21.702443]  print_report+0xd1/0x650
[   21.702566]  ? __virt_addr_valid+0x1db/0x2d0
[   21.702594]  ? kmalloc_large_uaf+0x2f1/0x340
[   21.702614]  ? kasan_addr_to_slab+0x11/0xa0
[   21.702633]  ? kmalloc_large_uaf+0x2f1/0x340
[   21.702664]  kasan_report+0x141/0x180
[   21.702685]  ? kmalloc_large_uaf+0x2f1/0x340
[   21.702709]  __asan_report_load1_noabort+0x18/0x20
[   21.702743]  kmalloc_large_uaf+0x2f1/0x340
[   21.702763]  ? __pfx_kmalloc_large_uaf+0x10/0x10
[   21.702835]  ? __schedule+0x10cc/0x2b60
[   21.702874]  ? __pfx_read_tsc+0x10/0x10
[   21.702897]  ? ktime_get_ts64+0x86/0x230
[   21.702923]  kunit_try_run_case+0x1a5/0x480
[   21.702960]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.702981]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   21.703005]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   21.703036]  ? __kthread_parkme+0x82/0x180
[   21.703057]  ? preempt_count_sub+0x50/0x80
[   21.703079]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.703102]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.703125]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   21.703148]  kthread+0x337/0x6f0
[   21.703167]  ? trace_preempt_on+0x20/0xc0
[   21.703192]  ? __pfx_kthread+0x10/0x10
[   21.703214]  ? _raw_spin_unlock_irq+0x47/0x80
[   21.703249]  ? calculate_sigpending+0x7b/0xa0
[   21.703272]  ? __pfx_kthread+0x10/0x10
[   21.703292]  ret_from_fork+0x116/0x1d0
[   21.703311]  ? __pfx_kthread+0x10/0x10
[   21.703331]  ret_from_fork_asm+0x1a/0x30
[   21.703362]  </TASK>
[   21.703374] 
[   21.715396] The buggy address belongs to the physical page:
[   21.715601] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c88
[   21.715863] flags: 0x200000000000000(node=0|zone=2)
[   21.716040] raw: 0200000000000000 ffffea00040b2308 ffff88815b139fc0 0000000000000000
[   21.716709] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   21.717183] page dumped because: kasan: bad access detected
[   21.717447] 
[   21.717555] Memory state around the buggy address:
[   21.717756]  ffff888102c87f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.718145]  ffff888102c87f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   21.718474] >ffff888102c88000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.718713]                    ^
[   21.718949]  ffff888102c88080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.719364]  ffff888102c88100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.719802] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

2z2V64IZ5mZ4pqTgyDjND4po2p7

job_id

TEST:linaro@lkft#2z2VCWzEgPcUDHhhw0N7L6OuTsi

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2z2VCWzEgPcUDHhhw0N7L6OuTsi

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2V8vW6OGUdLnT5KmRzpsRviaL/bzImage
sha256sum	af9e113be0609efaece1c192f6aceee5e71a8c7326695ad181171f155187f3ab

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2V8vW6OGUdLnT5KmRzpsRviaL/modules.tar.xz
sha256sum	eb3bf6ab4822a4ffbb4c6a0a8f2b0db2418a278c2192667f80b6a1aac6efaa14

durations

tests

boot	0
kunit	146.03

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

Metadata

Failure - dragonboard-845c - gcc-13-lkftconfig-kunit

Failure - juno-r2 - gcc-13-lkftconfig-kunit

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit