lkft/linux-stable-rc-linux-6.15.y - v6.15-50-g86677b94d603 - log-parser-boot/kasan-bug-kasan-use-after-free-in-kmalloc_large_uaf

Date

June 2, 2025, 2:11 p.m.

Environment
e850-96
qemu-arm64
qemu-x86_64

[   19.317473] ==================================================================
[   19.327446] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[   19.334039] Read of size 1 at addr ffff000803264000 by task kunit_try_catch/195
[   19.341328] 
[   19.342816] CPU: 7 UID: 0 PID: 195 Comm: kunit_try_catch Tainted: G    B            N  6.15.1-rc1 #1 PREEMPT 
[   19.342870] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.342885] Hardware name: WinLink E850-96 board (DT)
[   19.342906] Call trace:
[   19.342922]  show_stack+0x20/0x38 (C)
[   19.342959]  dump_stack_lvl+0x8c/0xd0
[   19.342994]  print_report+0x118/0x608
[   19.343024]  kasan_report+0xdc/0x128
[   19.343051]  __asan_report_load1_noabort+0x20/0x30
[   19.343085]  kmalloc_large_uaf+0x2cc/0x2f8
[   19.343115]  kunit_try_run_case+0x170/0x3f0
[   19.343154]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.343193]  kthread+0x328/0x630
[   19.343226]  ret_from_fork+0x10/0x20
[   19.343260] 
[   19.405567] The buggy address belongs to the physical page:
[   19.411122] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x883264
[   19.419107] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.425629] raw: 0bfffe0000000000 fffffdffe00c9a08 ffff00085b03f040 0000000000000000
[   19.433346] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   19.441065] page dumped because: kasan: bad access detected
[   19.446622] 
[   19.448098] Memory state around the buggy address:
[   19.452877]  ffff000803263f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   19.460079]  ffff000803263f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   19.467284] >ffff000803264000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.474485]                    ^
[   19.477701]  ffff000803264080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.484905]  ffff000803264100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   19.492108] ==================================================================

Metadata Full log Test run details

[   17.447022] ==================================================================
[   17.447101] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[   17.447496] Read of size 1 at addr fff00000c65a4000 by task kunit_try_catch/151
[   17.447854] 
[   17.447935] CPU: 1 UID: 0 PID: 151 Comm: kunit_try_catch Tainted: G    B            N  6.15.1-rc1 #1 PREEMPT 
[   17.448020] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.448053] Hardware name: linux,dummy-virt (DT)
[   17.448209] Call trace:
[   17.448311]  show_stack+0x20/0x38 (C)
[   17.448452]  dump_stack_lvl+0x8c/0xd0
[   17.448552]  print_report+0x118/0x608
[   17.448681]  kasan_report+0xdc/0x128
[   17.448725]  __asan_report_load1_noabort+0x20/0x30
[   17.448780]  kmalloc_large_uaf+0x2cc/0x2f8
[   17.449019]  kunit_try_run_case+0x170/0x3f0
[   17.449140]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.449194]  kthread+0x328/0x630
[   17.449246]  ret_from_fork+0x10/0x20
[   17.451762] 
[   17.451807] The buggy address belongs to the physical page:
[   17.451933] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1065a4
[   17.452087] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.452161] raw: 0bfffe0000000000 ffffc1ffc3196a08 fff00000da4a5d80 0000000000000000
[   17.452211] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   17.452250] page dumped because: kasan: bad access detected
[   17.452445] 
[   17.452740] Memory state around the buggy address:
[   17.452787]  fff00000c65a3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.452903]  fff00000c65a3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.452948] >fff00000c65a4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.453184]                    ^
[   17.453329]  fff00000c65a4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.453436]  fff00000c65a4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.453536] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

2xxIi03DVYToIy9dKnbnDmUoyr6

job_id

TEST:linaro@lkft#2xxImRmF075dm0nsBZ5X666mMHe

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2xxImRmF075dm0nsBZ5X666mMHe

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2xxIiyPUR36zsQ0H1UAU7CDbti8/Image.gz
sha256sum	b9a9fd4a9b1eed9b2355eb855fcee61950b1feb6d9174198b03424c9d229f427

rootfs

url	https://storage.tuxboot.com/debian/20250425/trixie/arm64/rootfs.ext4.xz
sha256sum	1cc8d041751cc9cfe19b957ffa27d6115f076efaeb324bcd0fb145c37c99e1b7

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2xxIiyPUR36zsQ0H1UAU7CDbti8/modules.tar.xz
sha256sum	369c25ed9d51a74f47b283fc088bebcc674124ca3658d6e259bf0d14f2ebcf1f

durations

tests

boot	0
kunit	197.32

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

[   15.780711] ==================================================================
[   15.781323] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f1/0x340
[   15.781846] Read of size 1 at addr ffff888102a80000 by task kunit_try_catch/169
[   15.782667] 
[   15.782939] CPU: 0 UID: 0 PID: 169 Comm: kunit_try_catch Tainted: G    B            N  6.15.1-rc1 #1 PREEMPT(voluntary) 
[   15.783042] Tainted: [B]=BAD_PAGE, [N]=TEST
[   15.783065] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   15.783105] Call Trace:
[   15.783127]  <TASK>
[   15.783163]  dump_stack_lvl+0x73/0xb0
[   15.783208]  print_report+0xd1/0x650
[   15.783235]  ? __virt_addr_valid+0x1db/0x2d0
[   15.783260]  ? kmalloc_large_uaf+0x2f1/0x340
[   15.783284]  ? kasan_addr_to_slab+0x11/0xa0
[   15.783308]  ? kmalloc_large_uaf+0x2f1/0x340
[   15.783332]  kasan_report+0x141/0x180
[   15.783357]  ? kmalloc_large_uaf+0x2f1/0x340
[   15.783387]  __asan_report_load1_noabort+0x18/0x20
[   15.783410]  kmalloc_large_uaf+0x2f1/0x340
[   15.783433]  ? __pfx_kmalloc_large_uaf+0x10/0x10
[   15.783460]  ? __pfx_kmalloc_large_uaf+0x10/0x10
[   15.783489]  kunit_try_run_case+0x1a5/0x480
[   15.783517]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.783541]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   15.783567]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   15.783592]  ? __kthread_parkme+0x82/0x180
[   15.783617]  ? preempt_count_sub+0x50/0x80
[   15.783664]  ? __pfx_kunit_try_run_case+0x10/0x10
[   15.783691]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   15.783716]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   15.783741]  kthread+0x337/0x6f0
[   15.783789]  ? trace_preempt_on+0x20/0xc0
[   15.783836]  ? __pfx_kthread+0x10/0x10
[   15.783871]  ? _raw_spin_unlock_irq+0x47/0x80
[   15.783908]  ? calculate_sigpending+0x7b/0xa0
[   15.783959]  ? __pfx_kthread+0x10/0x10
[   15.783994]  ret_from_fork+0x41/0x80
[   15.784055]  ? __pfx_kthread+0x10/0x10
[   15.784096]  ret_from_fork_asm+0x1a/0x30
[   15.784192]  </TASK>
[   15.784227] 
[   15.795369] The buggy address belongs to the physical page:
[   15.795914] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a80
[   15.796297] flags: 0x200000000000000(node=0|zone=2)
[   15.796588] raw: 0200000000000000 ffffea00040aa108 ffff88815b039a80 0000000000000000
[   15.796915] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   15.797558] page dumped because: kasan: bad access detected
[   15.798018] 
[   15.798263] Memory state around the buggy address:
[   15.798707]  ffff888102a7ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.799278]  ffff888102a7ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   15.799802] >ffff888102a80000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   15.800349]                    ^
[   15.800690]  ffff888102a80080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   15.801189]  ffff888102a80100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   15.801593] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

2xxIi03DVYToIy9dKnbnDmUoyr6

job_id

TEST:linaro@lkft#2xxInfPddVDXGngffC9JR7X5Cmc

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2xxInfPddVDXGngffC9JR7X5Cmc

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2xxIk5ew4LuOqFkcEQccT7nGfYz/bzImage
sha256sum	fa931e11017c8ca987af58467ceac4cfbdb749e86f43584874b54f325b4fc4f3

rootfs

url	https://storage.tuxboot.com/debian/20250425/trixie/amd64/rootfs.ext4.xz
sha256sum	3e64c22b7a85dd4a60fd0a31f22599e711e865f841aed0d517fae37e9c171158

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2xxIk5ew4LuOqFkcEQccT7nGfYz/modules.tar.xz
sha256sum	7c34359c003080a3ab3b531ece9044002fd87f98de8d7cd8150985fcf69c24ac

durations

tests

boot	0
kunit	459.25

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

Metadata

Failure - e850-96 - gcc-13-lkftconfig-kunit

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit