lkft/linux-stable-rc-linux-6.15.y - v6.15.3-590-gd93bc5feded1 - log-parser-boot/kasan-bug-kasan-use-after-free-in-kmalloc_large_uaf

Date

June 26, 2025, 11:12 a.m.

Environment
e850-96
qemu-arm64
qemu-x86_64

[   21.438786] ==================================================================
[   21.448619] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[   21.455212] Read of size 1 at addr ffff000803150000 by task kunit_try_catch/197
[   21.462505] 
[   21.463991] CPU: 0 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G    B            N  6.15.4-rc3 #1 PREEMPT 
[   21.464046] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.464062] Hardware name: WinLink E850-96 board (DT)
[   21.464083] Call trace:
[   21.464097]  show_stack+0x20/0x38 (C)
[   21.464135]  dump_stack_lvl+0x8c/0xd0
[   21.464173]  print_report+0x118/0x608
[   21.464204]  kasan_report+0xdc/0x128
[   21.464232]  __asan_report_load1_noabort+0x20/0x30
[   21.464270]  kmalloc_large_uaf+0x2cc/0x2f8
[   21.464302]  kunit_try_run_case+0x170/0x3f0
[   21.464339]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   21.464376]  kthread+0x328/0x630
[   21.464411]  ret_from_fork+0x10/0x20
[   21.464445] 
[   21.526741] The buggy address belongs to the physical page:
[   21.532299] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x883150
[   21.540282] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   21.546806] raw: 0bfffe0000000000 fffffdffe00c5508 ffff00085af4d0c0 0000000000000000
[   21.554522] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   21.562241] page dumped because: kasan: bad access detected
[   21.567797] 
[   21.569274] Memory state around the buggy address:
[   21.574055]  ffff00080314ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   21.581255]  ffff00080314ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   21.588461] >ffff000803150000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.595661]                    ^
[   21.598877]  ffff000803150080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.606081]  ffff000803150100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.613282] ==================================================================

Metadata Full log Test run details

[   17.699518] ==================================================================
[   17.699647] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[   17.699724] Read of size 1 at addr fff00000c790c000 by task kunit_try_catch/150
[   17.699848] 
[   17.700000] CPU: 0 UID: 0 PID: 150 Comm: kunit_try_catch Tainted: G    B            N  6.15.4-rc3 #1 PREEMPT 
[   17.700210] Tainted: [B]=BAD_PAGE, [N]=TEST
[   17.700243] Hardware name: linux,dummy-virt (DT)
[   17.700275] Call trace:
[   17.700297]  show_stack+0x20/0x38 (C)
[   17.700499]  dump_stack_lvl+0x8c/0xd0
[   17.700633]  print_report+0x118/0x608
[   17.700680]  kasan_report+0xdc/0x128
[   17.700940]  __asan_report_load1_noabort+0x20/0x30
[   17.701097]  kmalloc_large_uaf+0x2cc/0x2f8
[   17.701198]  kunit_try_run_case+0x170/0x3f0
[   17.701297]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   17.701460]  kthread+0x328/0x630
[   17.701568]  ret_from_fork+0x10/0x20
[   17.701669] 
[   17.701784] The buggy address belongs to the physical page:
[   17.701872] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10790c
[   17.702001] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   17.702401] raw: 0bfffe0000000000 ffffc1ffc31e4408 fff00000da47ee00 0000000000000000
[   17.702586] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   17.702655] page dumped because: kasan: bad access detected
[   17.702687] 
[   17.703040] Memory state around the buggy address:
[   17.703317]  fff00000c790bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.703405]  fff00000c790bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   17.703769] >fff00000c790c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.703969]                    ^
[   17.704163]  fff00000c790c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.704275]  fff00000c790c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   17.704318] ==================================================================

Metadata Full log Test run details

arch

arm64

host

x86_64

plan

2z2jyLmJ6z1BqjhwiejBJ9RGyCS

job_id

TEST:linaro@lkft#2z2k2l9byJaNN182er1n5wXsS9a

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2z2k2l9byJaNN182er1n5wXsS9a

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2jzZjd6XwbIkbAqyFkpO4xknj/Image.gz
sha256sum	4fe981caa8e1ab0677344dea9975703ca09f32389026eeb9f77fae76c6c0e9ba

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/arm64/rootfs.ext4.xz
sha256sum	1eaaae772692e22cefec5345d642e254407cec1431dd51a20007af2a1819b610

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2jzZjd6XwbIkbAqyFkpO4xknj/modules.tar.xz
sha256sum	74a01e20d3d706452182b8388f6aa7ab2c9166f6c4a19d7a4587dd3d7a7ca51e

durations

tests

boot	0
kunit	192.49

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

[   10.412172] ==================================================================
[   10.412643] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f1/0x340
[   10.413245] Read of size 1 at addr ffff888102890000 by task kunit_try_catch/167
[   10.413833] 
[   10.414020] CPU: 1 UID: 0 PID: 167 Comm: kunit_try_catch Tainted: G    B            N  6.15.4-rc3 #1 PREEMPT(voluntary) 
[   10.414072] Tainted: [B]=BAD_PAGE, [N]=TEST
[   10.414084] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   10.414107] Call Trace:
[   10.414119]  <TASK>
[   10.414139]  dump_stack_lvl+0x73/0xb0
[   10.414168]  print_report+0xd1/0x650
[   10.414193]  ? __virt_addr_valid+0x1db/0x2d0
[   10.414216]  ? kmalloc_large_uaf+0x2f1/0x340
[   10.414237]  ? kasan_addr_to_slab+0x11/0xa0
[   10.414257]  ? kmalloc_large_uaf+0x2f1/0x340
[   10.414278]  kasan_report+0x141/0x180
[   10.414300]  ? kmalloc_large_uaf+0x2f1/0x340
[   10.414326]  __asan_report_load1_noabort+0x18/0x20
[   10.414346]  kmalloc_large_uaf+0x2f1/0x340
[   10.414367]  ? __pfx_kmalloc_large_uaf+0x10/0x10
[   10.414388]  ? __schedule+0x10cc/0x2b60
[   10.414411]  ? __pfx_read_tsc+0x10/0x10
[   10.414431]  ? ktime_get_ts64+0x86/0x230
[   10.414456]  kunit_try_run_case+0x1a5/0x480
[   10.414483]  ? __pfx_kunit_try_run_case+0x10/0x10
[   10.414504]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   10.414528]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   10.414550]  ? __kthread_parkme+0x82/0x180
[   10.414572]  ? preempt_count_sub+0x50/0x80
[   10.414596]  ? __pfx_kunit_try_run_case+0x10/0x10
[   10.414619]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   10.414641]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   10.414664]  kthread+0x337/0x6f0
[   10.414680]  ? trace_preempt_on+0x20/0xc0
[   10.414703]  ? __pfx_kthread+0x10/0x10
[   10.414721]  ? _raw_spin_unlock_irq+0x47/0x80
[   10.414741]  ? calculate_sigpending+0x7b/0xa0
[   10.414762]  ? __pfx_kthread+0x10/0x10
[   10.414780]  ret_from_fork+0x41/0x80
[   10.414799]  ? __pfx_kthread+0x10/0x10
[   10.414817]  ret_from_fork_asm+0x1a/0x30
[   10.414847]  </TASK>
[   10.414858] 
[   10.425297] The buggy address belongs to the physical page:
[   10.426058] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102890
[   10.426400] flags: 0x200000000000000(node=0|zone=2)
[   10.426880] raw: 0200000000000000 ffffea00040a2508 ffff88815b139a80 0000000000000000
[   10.427382] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   10.428133] page dumped because: kasan: bad access detected
[   10.428492] 
[   10.428703] Memory state around the buggy address:
[   10.428889]  ffff88810288ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   10.429215]  ffff88810288ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   10.429519] >ffff888102890000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   10.430179]                    ^
[   10.430323]  ffff888102890080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   10.430957]  ffff888102890100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   10.431394] ==================================================================

Metadata Full log Test run details

arch

x86_64

host

x86_64

plan

2z2jyLmJ6z1BqjhwiejBJ9RGyCS

job_id

TEST:linaro@lkft#2z2k43Ith0GXrqHIS1HUQzGmLgm

job_url

https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2z2k43Ith0GXrqHIS1HUQzGmLgm

artefacts

kernel

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2k0bZqZSn9XVzQywnOj3pF9S9/bzImage
sha256sum	9197980208d3516ab74c7966c051fb8dc8a70a6c93c6b0af7bd520b43d93459e

rootfs

url	https://storage.tuxboot.com/debian/20250617/trixie/amd64/rootfs.ext4.xz
sha256sum	a7dcdb286e1265c85a4d6cd5429adc51604a3ebde1d9a3c934aef78862d5fee4

modules

url	https://storage.tuxsuite.com/public/linaro/lkft/builds/2z2k0bZqZSn9XVzQywnOj3pF9S9/modules.tar.xz
sha256sum	ead902337972221197eb985803def87a4a8d3b17e572371d2f5392640490b3a8

durations

tests

boot	0
kunit	236.11

host_arch

amd64

build_name

gcc-13-lkftconfig-kunit

job_status

Complete

qemu_version

1:10.0.0+ds-1

Metadata

Failure - e850-96 - gcc-13-lkftconfig-kunit

Failure - qemu-arm64 - gcc-13-lkftconfig-kunit

Failure - qemu-x86_64 - gcc-13-lkftconfig-kunit