Hay
Date: June 26, 2025, 11:12 a.m.

Environment:
e850-96
qemu-arm64
qemu-x86_64

[   29.128310] ==================================================================
[   29.138522] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   29.145029] Read of size 1 at addr ffff000802e0b428 by task kunit_try_catch/233
[   29.152318] 
[   29.153807] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G    B            N  6.15.4-rc3 #1 PREEMPT 
[   29.153858] Tainted: [B]=BAD_PAGE, [N]=TEST
[   29.153875] Hardware name: WinLink E850-96 board (DT)
[   29.153897] Call trace:
[   29.153910]  show_stack+0x20/0x38 (C)
[   29.153949]  dump_stack_lvl+0x8c/0xd0
[   29.153988]  print_report+0x118/0x608
[   29.154020]  kasan_report+0xdc/0x128
[   29.154051]  __asan_report_load1_noabort+0x20/0x30
[   29.154091]  kmalloc_uaf+0x300/0x338
[   29.154122]  kunit_try_run_case+0x170/0x3f0
[   29.154161]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.154201]  kthread+0x328/0x630
[   29.154237]  ret_from_fork+0x10/0x20
[   29.154273] 
[   29.216035] Allocated by task 233:
[   29.219421]  kasan_save_stack+0x3c/0x68
[   29.223238]  kasan_save_track+0x20/0x40
[   29.227057]  kasan_save_alloc_info+0x40/0x58
[   29.231310]  __kasan_kmalloc+0xd4/0xd8
[   29.235043]  __kmalloc_cache_noprof+0x16c/0x3c0
[   29.239557]  kmalloc_uaf+0xb8/0x338
[   29.243029]  kunit_try_run_case+0x170/0x3f0
[   29.247195]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.252664]  kthread+0x328/0x630
[   29.255876]  ret_from_fork+0x10/0x20
[   29.259435] 
[   29.260910] Freed by task 233:
[   29.263949]  kasan_save_stack+0x3c/0x68
[   29.267768]  kasan_save_track+0x20/0x40
[   29.271589]  kasan_save_free_info+0x4c/0x78
[   29.275754]  __kasan_slab_free+0x6c/0x98
[   29.279660]  kfree+0x214/0x3c8
[   29.282699]  kmalloc_uaf+0x11c/0x338
[   29.286257]  kunit_try_run_case+0x170/0x3f0
[   29.290424]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   29.295892]  kthread+0x328/0x630
[   29.299105]  ret_from_fork+0x10/0x20
[   29.302663] 
[   29.304140] The buggy address belongs to the object at ffff000802e0b420
[   29.304140]  which belongs to the cache kmalloc-16 of size 16
[   29.316469] The buggy address is located 8 bytes inside of
[   29.316469]  freed 16-byte region [ffff000802e0b420, ffff000802e0b430)
[   29.328444] 
[   29.329925] The buggy address belongs to the physical page:
[   29.335480] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x882e0b
[   29.343466] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   29.349975] page_type: f5(slab)
[   29.353112] raw: 0bfffe0000000000 ffff000800002640 dead000000000122 0000000000000000
[   29.360829] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   29.368548] page dumped because: kasan: bad access detected
[   29.374104] 
[   29.375580] Memory state around the buggy address:
[   29.380360]  ffff000802e0b300: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
[   29.387562]  ffff000802e0b380: fa fb fc fc 00 00 fc fc 00 07 fc fc 00 07 fc fc
[   29.394766] >ffff000802e0b400: 00 05 fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   29.401968]                                   ^
[   29.406485]  ffff000802e0b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.413690]  ffff000802e0b500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.420891] ==================================================================

[   18.115182] ==================================================================
[   18.115242] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[   18.115298] Read of size 1 at addr fff00000c59e55e8 by task kunit_try_catch/186
[   18.115349] 
[   18.115380] CPU: 0 UID: 0 PID: 186 Comm: kunit_try_catch Tainted: G    B            N  6.15.4-rc3 #1 PREEMPT 
[   18.115463] Tainted: [B]=BAD_PAGE, [N]=TEST
[   18.115491] Hardware name: linux,dummy-virt (DT)
[   18.115529] Call trace:
[   18.115564]  show_stack+0x20/0x38 (C)
[   18.115612]  dump_stack_lvl+0x8c/0xd0
[   18.115660]  print_report+0x118/0x608
[   18.115710]  kasan_report+0xdc/0x128
[   18.115756]  __asan_report_load1_noabort+0x20/0x30
[   18.115804]  kmalloc_uaf+0x300/0x338
[   18.115849]  kunit_try_run_case+0x170/0x3f0
[   18.116511]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.116568]  kthread+0x328/0x630
[   18.116616]  ret_from_fork+0x10/0x20
[   18.117087] 
[   18.117143] Allocated by task 186:
[   18.117180]  kasan_save_stack+0x3c/0x68
[   18.117506]  kasan_save_track+0x20/0x40
[   18.117667]  kasan_save_alloc_info+0x40/0x58
[   18.117711]  __kasan_kmalloc+0xd4/0xd8
[   18.117774]  __kmalloc_cache_noprof+0x16c/0x3c0
[   18.118157]  kmalloc_uaf+0xb8/0x338
[   18.118260]  kunit_try_run_case+0x170/0x3f0
[   18.118744]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.118948]  kthread+0x328/0x630
[   18.119034]  ret_from_fork+0x10/0x20
[   18.119079] 
[   18.119429] Freed by task 186:
[   18.119498]  kasan_save_stack+0x3c/0x68
[   18.119598]  kasan_save_track+0x20/0x40
[   18.119918]  kasan_save_free_info+0x4c/0x78
[   18.119995]  __kasan_slab_free+0x6c/0x98
[   18.120120]  kfree+0x214/0x3c8
[   18.120205]  kmalloc_uaf+0x11c/0x338
[   18.120249]  kunit_try_run_case+0x170/0x3f0
[   18.120565]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   18.120723]  kthread+0x328/0x630
[   18.120930]  ret_from_fork+0x10/0x20
[   18.121086] 
[   18.121109] The buggy address belongs to the object at fff00000c59e55e0
[   18.121109]  which belongs to the cache kmalloc-16 of size 16
[   18.121202] The buggy address is located 8 bytes inside of
[   18.121202]  freed 16-byte region [fff00000c59e55e0, fff00000c59e55f0)
[   18.121556] 
[   18.121582] The buggy address belongs to the physical page:
[   18.121903] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1059e5
[   18.122056] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   18.122382] page_type: f5(slab)
[   18.122454] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[   18.122754] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   18.122846] page dumped because: kasan: bad access detected
[   18.123101] 
[   18.123165] Memory state around the buggy address:
[   18.123321]  fff00000c59e5480: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   18.123406]  fff00000c59e5500: fa fb fc fc 00 04 fc fc fa fb fc fc fa fb fc fc
[   18.123732] >fff00000c59e5580: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   18.123846]                                                           ^
[   18.124002]  fff00000c59e5600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.124165]  fff00000c59e5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.124391] ==================================================================

[   11.159637] ==================================================================
[   11.160825] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[   11.161078] Read of size 1 at addr ffff8881025a7fa8 by task kunit_try_catch/203
[   11.161304] 
[   11.161398] CPU: 1 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G    B            N  6.15.4-rc3 #1 PREEMPT(voluntary) 
[   11.161446] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.161457] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.161478] Call Trace:
[   11.161492]  <TASK>
[   11.161510]  dump_stack_lvl+0x73/0xb0
[   11.161536]  print_report+0xd1/0x650
[   11.161559]  ? __virt_addr_valid+0x1db/0x2d0
[   11.161581]  ? kmalloc_uaf+0x320/0x380
[   11.161600]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.161624]  ? kmalloc_uaf+0x320/0x380
[   11.161644]  kasan_report+0x141/0x180
[   11.161666]  ? kmalloc_uaf+0x320/0x380
[   11.161691]  __asan_report_load1_noabort+0x18/0x20
[   11.161711]  kmalloc_uaf+0x320/0x380
[   11.161730]  ? __pfx_kmalloc_uaf+0x10/0x10
[   11.161753]  ? __schedule+0x10cc/0x2b60
[   11.161777]  ? __pfx_read_tsc+0x10/0x10
[   11.161798]  ? ktime_get_ts64+0x86/0x230
[   11.161824]  kunit_try_run_case+0x1a5/0x480
[   11.161850]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.161871]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.161895]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.161959]  ? __kthread_parkme+0x82/0x180
[   11.161982]  ? preempt_count_sub+0x50/0x80
[   11.162009]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.162034]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.162057]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.162079]  kthread+0x337/0x6f0
[   11.162096]  ? trace_preempt_on+0x20/0xc0
[   11.162120]  ? __pfx_kthread+0x10/0x10
[   11.162138]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.162159]  ? calculate_sigpending+0x7b/0xa0
[   11.162180]  ? __pfx_kthread+0x10/0x10
[   11.162199]  ret_from_fork+0x41/0x80
[   11.162221]  ? __pfx_kthread+0x10/0x10
[   11.162238]  ret_from_fork_asm+0x1a/0x30
[   11.162282]  </TASK>
[   11.162294] 
[   11.173463] Allocated by task 203:
[   11.173845]  kasan_save_stack+0x45/0x70
[   11.174211]  kasan_save_track+0x18/0x40
[   11.174544]  kasan_save_alloc_info+0x3b/0x50
[   11.175079]  __kasan_kmalloc+0xb7/0xc0
[   11.175627]  __kmalloc_cache_noprof+0x189/0x420
[   11.176076]  kmalloc_uaf+0xaa/0x380
[   11.176499]  kunit_try_run_case+0x1a5/0x480
[   11.177068]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.177717]  kthread+0x337/0x6f0
[   11.178075]  ret_from_fork+0x41/0x80
[   11.178422]  ret_from_fork_asm+0x1a/0x30
[   11.178833] 
[   11.179020] Freed by task 203:
[   11.179385]  kasan_save_stack+0x45/0x70
[   11.179831]  kasan_save_track+0x18/0x40
[   11.180320]  kasan_save_free_info+0x3f/0x60
[   11.180877]  __kasan_slab_free+0x56/0x70
[   11.181266]  kfree+0x222/0x3f0
[   11.181574]  kmalloc_uaf+0x12c/0x380
[   11.182053]  kunit_try_run_case+0x1a5/0x480
[   11.182489]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.183141]  kthread+0x337/0x6f0
[   11.183472]  ret_from_fork+0x41/0x80
[   11.183904]  ret_from_fork_asm+0x1a/0x30
[   11.184348] 
[   11.184582] The buggy address belongs to the object at ffff8881025a7fa0
[   11.184582]  which belongs to the cache kmalloc-16 of size 16
[   11.185805] The buggy address is located 8 bytes inside of
[   11.185805]  freed 16-byte region [ffff8881025a7fa0, ffff8881025a7fb0)
[   11.187053] 
[   11.187213] The buggy address belongs to the physical page:
[   11.187744] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1025a7
[   11.188268] flags: 0x200000000000000(node=0|zone=2)
[   11.188434] page_type: f5(slab)
[   11.188580] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[   11.189374] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[   11.190079] page dumped because: kasan: bad access detected
[   11.190561] 
[   11.190798] Memory state around the buggy address:
[   11.191239]  ffff8881025a7e80: 00 06 fc fc 00 06 fc fc 00 00 fc fc fa fb fc fc
[   11.191448]  ffff8881025a7f00: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[   11.191976] >ffff8881025a7f80: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[   11.192617]                                   ^
[   11.193058]  ffff8881025a8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.193757]  ffff8881025a8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.194273] ==================================================================