Date: June 2, 2025, 2:11 p.m.
| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
e850-96:

[ 27.917363] ==================================================================
[ 27.931136] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308
[ 27.938508] Read of size 1 at addr ffff000800a7c640 by task kunit_try_catch/239
[ 27.945799]
[ 27.947286] CPU: 2 UID: 0 PID: 239 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT
[ 27.947342] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.947358] Hardware name: WinLink E850-96 board (DT)
[ 27.947380] Call trace:
[ 27.947395] show_stack+0x20/0x38 (C)
[ 27.947426] dump_stack_lvl+0x8c/0xd0
[ 27.947463] print_report+0x118/0x608
[ 27.947493] kasan_report+0xdc/0x128
[ 27.947523] __kasan_check_byte+0x54/0x70
[ 27.947553] kfree_sensitive+0x30/0xb0
[ 27.947585] kmalloc_double_kzfree+0x168/0x308
[ 27.947619] kunit_try_run_case+0x170/0x3f0
[ 27.947655] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.947692] kthread+0x328/0x630
[ 27.947728] ret_from_fork+0x10/0x20
[ 27.947763]
[ 28.013333] Allocated by task 239:
[ 28.016720] kasan_save_stack+0x3c/0x68
[ 28.020538] kasan_save_track+0x20/0x40
[ 28.024357] kasan_save_alloc_info+0x40/0x58
[ 28.028610] __kasan_kmalloc+0xd4/0xd8
[ 28.032343] __kmalloc_cache_noprof+0x16c/0x3c0
[ 28.036857] kmalloc_double_kzfree+0xb8/0x308
[ 28.041197] kunit_try_run_case+0x170/0x3f0
[ 28.045364] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 28.050832] kthread+0x328/0x630
[ 28.054044] ret_from_fork+0x10/0x20
[ 28.057603]
[ 28.059080] Freed by task 239:
[ 28.062118] kasan_save_stack+0x3c/0x68
[ 28.065936] kasan_save_track+0x20/0x40
[ 28.069755] kasan_save_free_info+0x4c/0x78
[ 28.073922] __kasan_slab_free+0x6c/0x98
[ 28.077828] kfree+0x214/0x3c8
[ 28.080866] kfree_sensitive+0x80/0xb0
[ 28.084599] kmalloc_double_kzfree+0x11c/0x308
[ 28.089026] kunit_try_run_case+0x170/0x3f0
[ 28.093194] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 28.098661] kthread+0x328/0x630
[ 28.101873] ret_from_fork+0x10/0x20
[ 28.105432]
[ 28.106909] The buggy address belongs to the object at ffff000800a7c640
[ 28.106909] which belongs to the cache kmalloc-16 of size 16
[ 28.119236] The buggy address is located 0 bytes inside of
[ 28.119236] freed 16-byte region [ffff000800a7c640, ffff000800a7c650)
[ 28.131213]
[ 28.132693] The buggy address belongs to the physical page:
[ 28.138249] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x880a7c
[ 28.146234] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 28.152742] page_type: f5(slab)
[ 28.155881] raw: 0bfffe0000000000 ffff000800002640 dead000000000122 0000000000000000
[ 28.163597] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 28.171316] page dumped because: kasan: bad access detected
[ 28.176872]
[ 28.178348] Memory state around the buggy address:
[ 28.183127] ffff000800a7c500: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 28.190330] ffff000800a7c580: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 28.197536] >ffff000800a7c600: fa fb fc fc fa fb fc fc fa fb fc fc fc fc fc fc
[ 28.204736] ^
[ 28.210035] ffff000800a7c680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.217239] ffff000800a7c700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.224442] ==================================================================

qemu-arm64:

[ 19.181013] ==================================================================
[ 19.181076] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x168/0x308
[ 19.181178] Read of size 1 at addr fff00000c5915980 by task kunit_try_catch/195
[ 19.181247]
[ 19.181283] CPU: 1 UID: 0 PID: 195 Comm: kunit_try_catch Tainted: G B W N 6.15.1-rc1 #1 PREEMPT
[ 19.181739] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 19.181873] Hardware name: linux,dummy-virt (DT)
[ 19.182030] Call trace:
[ 19.182080] show_stack+0x20/0x38 (C)
[ 19.182216] dump_stack_lvl+0x8c/0xd0
[ 19.182291] print_report+0x118/0x608
[ 19.182336] kasan_report+0xdc/0x128
[ 19.182508] __kasan_check_byte+0x54/0x70
[ 19.182559] kfree_sensitive+0x30/0xb0
[ 19.182746] kmalloc_double_kzfree+0x168/0x308
[ 19.182854] kunit_try_run_case+0x170/0x3f0
[ 19.182963] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.183053] kthread+0x328/0x630
[ 19.183101] ret_from_fork+0x10/0x20
[ 19.183426]
[ 19.183465] Allocated by task 195:
[ 19.183531] kasan_save_stack+0x3c/0x68
[ 19.183655] kasan_save_track+0x20/0x40
[ 19.183722] kasan_save_alloc_info+0x40/0x58
[ 19.183782] __kasan_kmalloc+0xd4/0xd8
[ 19.183826] __kmalloc_cache_noprof+0x16c/0x3c0
[ 19.184081] kmalloc_double_kzfree+0xb8/0x308
[ 19.184150] kunit_try_run_case+0x170/0x3f0
[ 19.184311] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.184509] kthread+0x328/0x630
[ 19.184636] ret_from_fork+0x10/0x20
[ 19.184744]
[ 19.184805] Freed by task 195:
[ 19.184913] kasan_save_stack+0x3c/0x68
[ 19.185053] kasan_save_track+0x20/0x40
[ 19.185440] kasan_save_free_info+0x4c/0x78
[ 19.185573] __kasan_slab_free+0x6c/0x98
[ 19.185688] kfree+0x214/0x3c8
[ 19.185785] kfree_sensitive+0x80/0xb0
[ 19.185938] kmalloc_double_kzfree+0x11c/0x308
[ 19.186150] kunit_try_run_case+0x170/0x3f0
[ 19.186239] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.186407] kthread+0x328/0x630
[ 19.186477] ret_from_fork+0x10/0x20
[ 19.186599]
[ 19.186624] The buggy address belongs to the object at fff00000c5915980
[ 19.186624] which belongs to the cache kmalloc-16 of size 16
[ 19.186692] The buggy address is located 0 bytes inside of
[ 19.186692] freed 16-byte region [fff00000c5915980, fff00000c5915990)
[ 19.186969]
[ 19.187036] The buggy address belongs to the physical page:
[ 19.187103] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105915
[ 19.187234] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.187335] page_type: f5(slab)
[ 19.187443] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 19.187505] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 19.187691] page dumped because: kasan: bad access detected
[ 19.187812]
[ 19.187857] Memory state around the buggy address:
[ 19.187923] fff00000c5915880: fa fb fc fc 00 04 fc fc fa fb fc fc fa fb fc fc
[ 19.188023] fff00000c5915900: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 19.188082] >fff00000c5915980: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.188256] ^
[ 19.188378] fff00000c5915a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.188448] fff00000c5915a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.188550] ==================================================================

qemu-x86_64:

[ 16.989891] ==================================================================
[ 16.991087] BUG: KASAN: slab-use-after-free in kmalloc_double_kzfree+0x19c/0x350
[ 16.991819] Read of size 1 at addr ffff888101d9a420 by task kunit_try_catch/213
[ 16.993295]
[ 16.993555] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G B N 6.15.1-rc1 #1 PREEMPT(voluntary)
[ 16.993952] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 16.993974] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 16.994002] Call Trace:
[ 16.994020] <TASK>
[ 16.994044] dump_stack_lvl+0x73/0xb0
[ 16.994096] print_report+0xd1/0x650
[ 16.994153] ? __virt_addr_valid+0x1db/0x2d0
[ 16.994187] ? kmalloc_double_kzfree+0x19c/0x350
[ 16.994265] ? kasan_complete_mode_report_info+0x64/0x200
[ 16.994307] ? kmalloc_double_kzfree+0x19c/0x350
[ 16.994346] kasan_report+0x141/0x180
[ 16.994382] ? kmalloc_double_kzfree+0x19c/0x350
[ 16.994423] ? kmalloc_double_kzfree+0x19c/0x350
[ 16.994462] __kasan_check_byte+0x3d/0x50
[ 16.994487] kfree_sensitive+0x22/0x90
[ 16.994514] kmalloc_double_kzfree+0x19c/0x350
[ 16.994538] ? __pfx_kmalloc_double_kzfree+0x10/0x10
[ 16.994564] ? __schedule+0x10cc/0x2b30
[ 16.994589] ? __pfx_read_tsc+0x10/0x10
[ 16.994612] ? ktime_get_ts64+0x86/0x230
[ 16.994641] kunit_try_run_case+0x1a5/0x480
[ 16.994668] ? __pfx_kunit_try_run_case+0x10/0x10
[ 16.994690] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 16.994715] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 16.994739] ? __kthread_parkme+0x82/0x180
[ 16.994787] ? preempt_count_sub+0x50/0x80
[ 16.994816] ? __pfx_kunit_try_run_case+0x10/0x10
[ 16.994841] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 16.994866] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 16.994890] kthread+0x337/0x6f0
[ 16.994908] ? trace_preempt_on+0x20/0xc0
[ 16.994934] ? __pfx_kthread+0x10/0x10
[ 16.994954] ? _raw_spin_unlock_irq+0x47/0x80
[ 16.994976] ? calculate_sigpending+0x7b/0xa0
[ 16.995000] ? __pfx_kthread+0x10/0x10
[ 16.995020] ret_from_fork+0x41/0x80
[ 16.995043] ? __pfx_kthread+0x10/0x10
[ 16.995063] ret_from_fork_asm+0x1a/0x30
[ 16.995098] </TASK>
[ 16.995118]
[ 17.010046] Allocated by task 213:
[ 17.010684] kasan_save_stack+0x45/0x70
[ 17.011138] kasan_save_track+0x18/0x40
[ 17.011761] kasan_save_alloc_info+0x3b/0x50
[ 17.012137] __kasan_kmalloc+0xb7/0xc0
[ 17.012686] __kmalloc_cache_noprof+0x189/0x420
[ 17.013028] kmalloc_double_kzfree+0xa9/0x350
[ 17.013726] kunit_try_run_case+0x1a5/0x480
[ 17.014323] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 17.014730] kthread+0x337/0x6f0
[ 17.015086] ret_from_fork+0x41/0x80
[ 17.015567] ret_from_fork_asm+0x1a/0x30
[ 17.015967]
[ 17.016080] Freed by task 213:
[ 17.016590] kasan_save_stack+0x45/0x70
[ 17.016984] kasan_save_track+0x18/0x40
[ 17.017649] kasan_save_free_info+0x3f/0x60
[ 17.017885] __kasan_slab_free+0x56/0x70
[ 17.018327] kfree+0x222/0x3f0
[ 17.018788] kfree_sensitive+0x67/0x90
[ 17.019357] kmalloc_double_kzfree+0x12b/0x350
[ 17.019689] kunit_try_run_case+0x1a5/0x480
[ 17.020084] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 17.020567] kthread+0x337/0x6f0
[ 17.020895] ret_from_fork+0x41/0x80
[ 17.021467] ret_from_fork_asm+0x1a/0x30
[ 17.021897]
[ 17.022037] The buggy address belongs to the object at ffff888101d9a420
[ 17.022037] which belongs to the cache kmalloc-16 of size 16
[ 17.023004] The buggy address is located 0 bytes inside of
[ 17.023004] freed 16-byte region [ffff888101d9a420, ffff888101d9a430)
[ 17.023793]
[ 17.024000] The buggy address belongs to the physical page:
[ 17.024666] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101d9a
[ 17.025077] flags: 0x200000000000000(node=0|zone=2)
[ 17.025907] page_type: f5(slab)
[ 17.026209] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 17.026853] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 17.027493] page dumped because: kasan: bad access detected
[ 17.027799]
[ 17.027992] Memory state around the buggy address:
[ 17.028607] ffff888101d9a300: 00 01 fc fc 00 01 fc fc fa fb fc fc fa fb fc fc
[ 17.028967] ffff888101d9a380: 00 05 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 17.029826] >ffff888101d9a400: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[ 17.030325] ^
[ 17.030553] ffff888101d9a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.031075] ffff888101d9a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 17.031510] ==================================================================