Date: July 15, 2025, 11:35 a.m.

Environment:
- e850-96
- qemu-arm64
- qemu-x86_64

KASAN report (slab-use-after-free in kmalloc_uaf_16) captured on each environment below.
Environment e850-96 (WinLink E850-96 board):

```text
[ 43.773501] ==================================================================
[ 43.782609] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 43.789376] Read of size 16 at addr ffff000802d259c0 by task kunit_try_catch/249
[ 43.796753]
[ 43.798240] CPU: 2 UID: 0 PID: 249 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT
[ 43.798293] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 43.798308] Hardware name: WinLink E850-96 board (DT)
[ 43.798329] Call trace:
[ 43.798341] show_stack+0x20/0x38 (C)
[ 43.798375] dump_stack_lvl+0x8c/0xd0
[ 43.798411] print_report+0x118/0x5d0
[ 43.798438] kasan_report+0xdc/0x128
[ 43.798464] __asan_report_load16_noabort+0x20/0x30
[ 43.798496] kmalloc_uaf_16+0x3bc/0x438
[ 43.798526] kunit_try_run_case+0x170/0x3f0
[ 43.798558] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 43.798592] kthread+0x328/0x630
[ 43.798618] ret_from_fork+0x10/0x20
[ 43.798651]
[ 43.862031] Allocated by task 249:
[ 43.865419] kasan_save_stack+0x3c/0x68
[ 43.869235] kasan_save_track+0x20/0x40
[ 43.873054] kasan_save_alloc_info+0x40/0x58
[ 43.877307] __kasan_kmalloc+0xd4/0xd8
[ 43.881040] __kmalloc_cache_noprof+0x16c/0x3c0
[ 43.885554] kmalloc_uaf_16+0x140/0x438
[ 43.889373] kunit_try_run_case+0x170/0x3f0
[ 43.893540] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 43.899010] kthread+0x328/0x630
[ 43.902220] ret_from_fork+0x10/0x20
[ 43.905779]
[ 43.907255] Freed by task 249:
[ 43.910294] kasan_save_stack+0x3c/0x68
[ 43.914112] kasan_save_track+0x20/0x40
[ 43.917933] kasan_save_free_info+0x4c/0x78
[ 43.922098] __kasan_slab_free+0x6c/0x98
[ 43.926004] kfree+0x214/0x3c8
[ 43.929042] kmalloc_uaf_16+0x190/0x438
[ 43.932862] kunit_try_run_case+0x170/0x3f0
[ 43.937029] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 43.942497] kthread+0x328/0x630
[ 43.945709] ret_from_fork+0x10/0x20
[ 43.949268]
[ 43.950745] The buggy address belongs to the object at ffff000802d259c0
[ 43.950745] which belongs to the cache kmalloc-16 of size 16
[ 43.963073] The buggy address is located 0 bytes inside of
[ 43.963073] freed 16-byte region [ffff000802d259c0, ffff000802d259d0)
[ 43.975049]
[ 43.976529] The buggy address belongs to the physical page:
[ 43.982084] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x882d25
[ 43.990069] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 43.996578] page_type: f5(slab)
[ 43.999714] raw: 0bfffe0000000000 ffff000800002640 dead000000000122 0000000000000000
[ 44.007434] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 44.015155] page dumped because: kasan: bad access detected
[ 44.020707]
[ 44.022183] Memory state around the buggy address:
[ 44.026963] ffff000802d25880: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 44.034166] ffff000802d25900: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 44.041373] >ffff000802d25980: fa fb fc fc 00 00 fc fc fa fb fc fc fc fc fc fc
[ 44.048572] ^
[ 44.053872] ffff000802d25a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.061076] ffff000802d25a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.068276] ==================================================================
```
Environment qemu-arm64 (linux,dummy-virt):

```text
[ 30.586079] ==================================================================
[ 30.586276] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438
[ 30.586361] Read of size 16 at addr fff00000c648e3a0 by task kunit_try_catch/200
[ 30.586742]
[ 30.586788] CPU: 0 UID: 0 PID: 200 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT
[ 30.587035] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.587063] Hardware name: linux,dummy-virt (DT)
[ 30.587100] Call trace:
[ 30.587171] show_stack+0x20/0x38 (C)
[ 30.587235] dump_stack_lvl+0x8c/0xd0
[ 30.587399] print_report+0x118/0x5d0
[ 30.587454] kasan_report+0xdc/0x128
[ 30.587497] __asan_report_load16_noabort+0x20/0x30
[ 30.587546] kmalloc_uaf_16+0x3bc/0x438
[ 30.587591] kunit_try_run_case+0x170/0x3f0
[ 30.587646] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.587698] kthread+0x328/0x630
[ 30.588224] ret_from_fork+0x10/0x20
[ 30.588562]
[ 30.588586] Allocated by task 200:
[ 30.588615] kasan_save_stack+0x3c/0x68
[ 30.588661] kasan_save_track+0x20/0x40
[ 30.588701] kasan_save_alloc_info+0x40/0x58
[ 30.588739] __kasan_kmalloc+0xd4/0xd8
[ 30.588787] __kmalloc_cache_noprof+0x16c/0x3c0
[ 30.588827] kmalloc_uaf_16+0x140/0x438
[ 30.589057] kunit_try_run_case+0x170/0x3f0
[ 30.589228] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.589270] kthread+0x328/0x630
[ 30.589302] ret_from_fork+0x10/0x20
[ 30.589657]
[ 30.589838] Freed by task 200:
[ 30.589905] kasan_save_stack+0x3c/0x68
[ 30.589968] kasan_save_track+0x20/0x40
[ 30.590076] kasan_save_free_info+0x4c/0x78
[ 30.590112] __kasan_slab_free+0x6c/0x98
[ 30.590173] kfree+0x214/0x3c8
[ 30.590207] kmalloc_uaf_16+0x190/0x438
[ 30.590243] kunit_try_run_case+0x170/0x3f0
[ 30.590413] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.590466] kthread+0x328/0x630
[ 30.590498] ret_from_fork+0x10/0x20
[ 30.590532]
[ 30.590552] The buggy address belongs to the object at fff00000c648e3a0
[ 30.590552] which belongs to the cache kmalloc-16 of size 16
[ 30.590609] The buggy address is located 0 bytes inside of
[ 30.590609] freed 16-byte region [fff00000c648e3a0, fff00000c648e3b0)
[ 30.590889]
[ 30.590911] The buggy address belongs to the physical page:
[ 30.590961] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10648e
[ 30.591229] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.591452] page_type: f5(slab)
[ 30.591547] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 30.591601] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 30.591690] page dumped because: kasan: bad access detected
[ 30.591742]
[ 30.591759] Memory state around the buggy address:
[ 30.591797] fff00000c648e280: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 30.591887] fff00000c648e300: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 30.592027] >fff00000c648e380: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[ 30.592065] ^
[ 30.592131] fff00000c648e400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.592297] fff00000c648e480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.592378] ==================================================================
```
Environment qemu-x86_64 (QEMU Standard PC, Q35 + ICH9):

```text
[ 24.061313] ==================================================================
[ 24.061785] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47b/0x4c0
[ 24.062100] Read of size 16 at addr ffff888104884640 by task kunit_try_catch/216
[ 24.062409]
[ 24.062501] CPU: 1 UID: 0 PID: 216 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc6-next-20250715 #1 PREEMPT(voluntary)
[ 24.062559] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 24.062572] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 24.062593] Call Trace:
[ 24.062667] <TASK>
[ 24.062688] dump_stack_lvl+0x73/0xb0
[ 24.062720] print_report+0xd1/0x610
[ 24.062743] ? __virt_addr_valid+0x1db/0x2d0
[ 24.062767] ? kmalloc_uaf_16+0x47b/0x4c0
[ 24.062787] ? kasan_complete_mode_report_info+0x64/0x200
[ 24.062812] ? kmalloc_uaf_16+0x47b/0x4c0
[ 24.062833] kasan_report+0x141/0x180
[ 24.062854] ? kmalloc_uaf_16+0x47b/0x4c0
[ 24.062879] __asan_report_load16_noabort+0x18/0x20
[ 24.062903] kmalloc_uaf_16+0x47b/0x4c0
[ 24.062924] ? __pfx_kmalloc_uaf_16+0x10/0x10
[ 24.062946] ? __schedule+0x10cc/0x2b60
[ 24.062968] ? __pfx_read_tsc+0x10/0x10
[ 24.062989] ? ktime_get_ts64+0x86/0x230
[ 24.063016] kunit_try_run_case+0x1a5/0x480
[ 24.063038] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.063059] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 24.063081] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 24.063104] ? __kthread_parkme+0x82/0x180
[ 24.063124] ? preempt_count_sub+0x50/0x80
[ 24.063148] ? __pfx_kunit_try_run_case+0x10/0x10
[ 24.063170] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.063196] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 24.063222] kthread+0x337/0x6f0
[ 24.063241] ? trace_preempt_on+0x20/0xc0
[ 24.063265] ? __pfx_kthread+0x10/0x10
[ 24.063285] ? _raw_spin_unlock_irq+0x47/0x80
[ 24.063309] ? calculate_sigpending+0x7b/0xa0
[ 24.063334] ? __pfx_kthread+0x10/0x10
[ 24.063355] ret_from_fork+0x116/0x1d0
[ 24.063374] ? __pfx_kthread+0x10/0x10
[ 24.063394] ret_from_fork_asm+0x1a/0x30
[ 24.063426] </TASK>
[ 24.063437]
[ 24.070559] Allocated by task 216:
[ 24.070697] kasan_save_stack+0x45/0x70
[ 24.070836] kasan_save_track+0x18/0x40
[ 24.070963] kasan_save_alloc_info+0x3b/0x50
[ 24.071169] __kasan_kmalloc+0xb7/0xc0
[ 24.071355] __kmalloc_cache_noprof+0x189/0x420
[ 24.071680] kmalloc_uaf_16+0x15b/0x4c0
[ 24.071879] kunit_try_run_case+0x1a5/0x480
[ 24.072086] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.072310] kthread+0x337/0x6f0
[ 24.072480] ret_from_fork+0x116/0x1d0
[ 24.072758] ret_from_fork_asm+0x1a/0x30
[ 24.072952]
[ 24.073029] Freed by task 216:
[ 24.073151] kasan_save_stack+0x45/0x70
[ 24.073279] kasan_save_track+0x18/0x40
[ 24.073405] kasan_save_free_info+0x3f/0x60
[ 24.073625] __kasan_slab_free+0x56/0x70
[ 24.073830] kfree+0x222/0x3f0
[ 24.073989] kmalloc_uaf_16+0x1d6/0x4c0
[ 24.074179] kunit_try_run_case+0x1a5/0x480
[ 24.074382] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 24.074686] kthread+0x337/0x6f0
[ 24.074820] ret_from_fork+0x116/0x1d0
[ 24.074947] ret_from_fork_asm+0x1a/0x30
[ 24.075086]
[ 24.075149] The buggy address belongs to the object at ffff888104884640
[ 24.075149] which belongs to the cache kmalloc-16 of size 16
[ 24.075574] The buggy address is located 0 bytes inside of
[ 24.075574] freed 16-byte region [ffff888104884640, ffff888104884650)
[ 24.076096]
[ 24.076181] The buggy address belongs to the physical page:
[ 24.076374] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104884
[ 24.076616] flags: 0x200000000000000(node=0|zone=2)
[ 24.076845] page_type: f5(slab)
[ 24.077005] raw: 0200000000000000 ffff888100041640 dead000000000100 dead000000000122
[ 24.077331] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 24.080174] page dumped because: kasan: bad access detected
[ 24.080877]
[ 24.081041] Memory state around the buggy address:
[ 24.081333] ffff888104884500: 00 06 fc fc 00 06 fc fc 00 06 fc fc 00 00 fc fc
[ 24.081557] ffff888104884580: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 24.082979] >ffff888104884600: fa fb fc fc 00 00 fc fc fa fb fc fc fc fc fc fc
[ 24.084290] ^
[ 24.084469] ffff888104884680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.085764] ffff888104884700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.086149] ==================================================================
```