Date: July 4, 2025, 3:11 p.m.
| Environment |
|---|
| e850-96 |
| qemu-arm64 |
| qemu-x86_64 |
e850-96 (WinLink E850-96 board):

```text
[ 27.051706] ==================================================================
[ 27.061901] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[ 27.068406] Read of size 1 at addr ffff000804354aa8 by task kunit_try_catch/233
[ 27.075694]
[ 27.077182] CPU: 3 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT
[ 27.077237] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 27.077253] Hardware name: WinLink E850-96 board (DT)
[ 27.077275] Call trace:
[ 27.077289]  show_stack+0x20/0x38 (C)
[ 27.077326]  dump_stack_lvl+0x8c/0xd0
[ 27.077366]  print_report+0x118/0x608
[ 27.077398]  kasan_report+0xdc/0x128
[ 27.077429]  __asan_report_load1_noabort+0x20/0x30
[ 27.077465]  kmalloc_uaf+0x300/0x338
[ 27.077498]  kunit_try_run_case+0x170/0x3f0
[ 27.077534]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.077573]  kthread+0x328/0x630
[ 27.077607]  ret_from_fork+0x10/0x20
[ 27.077643]
[ 27.139411] Allocated by task 233:
[ 27.142796]  kasan_save_stack+0x3c/0x68
[ 27.146613]  kasan_save_track+0x20/0x40
[ 27.150433]  kasan_save_alloc_info+0x40/0x58
[ 27.154686]  __kasan_kmalloc+0xd4/0xd8
[ 27.158418]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 27.162932]  kmalloc_uaf+0xb8/0x338
[ 27.166404]  kunit_try_run_case+0x170/0x3f0
[ 27.170571]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.176040]  kthread+0x328/0x630
[ 27.179252]  ret_from_fork+0x10/0x20
[ 27.182810]
[ 27.184288] Freed by task 233:
[ 27.187326]  kasan_save_stack+0x3c/0x68
[ 27.191144]  kasan_save_track+0x20/0x40
[ 27.194963]  kasan_save_free_info+0x4c/0x78
[ 27.199130]  __kasan_slab_free+0x6c/0x98
[ 27.203036]  kfree+0x214/0x3c8
[ 27.206074]  kmalloc_uaf+0x11c/0x338
[ 27.209633]  kunit_try_run_case+0x170/0x3f0
[ 27.213799]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 27.219270]  kthread+0x328/0x630
[ 27.222480]  ret_from_fork+0x10/0x20
[ 27.226039]
[ 27.227517] The buggy address belongs to the object at ffff000804354aa0
[ 27.227517]  which belongs to the cache kmalloc-16 of size 16
[ 27.239845] The buggy address is located 8 bytes inside of
[ 27.239845]  freed 16-byte region [ffff000804354aa0, ffff000804354ab0)
[ 27.251820]
[ 27.253299] The buggy address belongs to the physical page:
[ 27.258857] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x884354
[ 27.266839] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 27.273349] page_type: f5(slab)
[ 27.276487] raw: 0bfffe0000000000 ffff000800002640 dead000000000122 0000000000000000
[ 27.284205] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 27.291926] page dumped because: kasan: bad access detected
[ 27.297479]
[ 27.298954] Memory state around the buggy address:
[ 27.303736]  ffff000804354980: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 27.310939]  ffff000804354a00: 00 04 fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 27.318145] >ffff000804354a80: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc
[ 27.325343]                                   ^
[ 27.329861]  ffff000804354b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.337066]  ffff000804354b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.344268] ==================================================================
```
qemu-arm64 (linux,dummy-virt):

```text
[ 15.660765] ==================================================================
[ 15.660826] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338
[ 15.661063] Read of size 1 at addr fff00000c6271308 by task kunit_try_catch/189
[ 15.661215]
[ 15.661259] CPU: 0 UID: 0 PID: 189 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT
[ 15.661347] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.661373] Hardware name: linux,dummy-virt (DT)
[ 15.661403] Call trace:
[ 15.661426]  show_stack+0x20/0x38 (C)
[ 15.661506]  dump_stack_lvl+0x8c/0xd0
[ 15.661555]  print_report+0x118/0x608
[ 15.661599]  kasan_report+0xdc/0x128
[ 15.661653]  __asan_report_load1_noabort+0x20/0x30
[ 15.661702]  kmalloc_uaf+0x300/0x338
[ 15.661758]  kunit_try_run_case+0x170/0x3f0
[ 15.661804]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.661856]  kthread+0x328/0x630
[ 15.661900]  ret_from_fork+0x10/0x20
[ 15.661950]
[ 15.661984] Allocated by task 189:
[ 15.662012]  kasan_save_stack+0x3c/0x68
[ 15.662051]  kasan_save_track+0x20/0x40
[ 15.662086]  kasan_save_alloc_info+0x40/0x58
[ 15.662125]  __kasan_kmalloc+0xd4/0xd8
[ 15.662158]  __kmalloc_cache_noprof+0x16c/0x3c0
[ 15.662193]  kmalloc_uaf+0xb8/0x338
[ 15.662229]  kunit_try_run_case+0x170/0x3f0
[ 15.662268]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.662310]  kthread+0x328/0x630
[ 15.662343]  ret_from_fork+0x10/0x20
[ 15.662378]
[ 15.662398] Freed by task 189:
[ 15.662432]  kasan_save_stack+0x3c/0x68
[ 15.662468]  kasan_save_track+0x20/0x40
[ 15.662501]  kasan_save_free_info+0x4c/0x78
[ 15.662539]  __kasan_slab_free+0x6c/0x98
[ 15.662582]  kfree+0x214/0x3c8
[ 15.662614]  kmalloc_uaf+0x11c/0x338
[ 15.662932]  kunit_try_run_case+0x170/0x3f0
[ 15.662977]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.663021]  kthread+0x328/0x630
[ 15.663087]  ret_from_fork+0x10/0x20
[ 15.663124]
[ 15.663171] The buggy address belongs to the object at fff00000c6271300
[ 15.663171]  which belongs to the cache kmalloc-16 of size 16
[ 15.663231] The buggy address is located 8 bytes inside of
[ 15.663231]  freed 16-byte region [fff00000c6271300, fff00000c6271310)
[ 15.663430]
[ 15.663479] The buggy address belongs to the physical page:
[ 15.663722] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106271
[ 15.663805] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 15.663912] page_type: f5(slab)
[ 15.664062] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000
[ 15.664155] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 15.664195] page dumped because: kasan: bad access detected
[ 15.664232]
[ 15.664494] Memory state around the buggy address:
[ 15.664618]  fff00000c6271200: fa fb fc fc fa fb fc fc 00 04 fc fc fa fb fc fc
[ 15.664701]  fff00000c6271280: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 15.664806] >fff00000c6271300: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.664892]                       ^
[ 15.664939]  fff00000c6271380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.665179]  fff00000c6271400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.665312] ==================================================================
```
qemu-x86_64 (QEMU Standard PC, Q35 + ICH9):

```text
[ 14.564951] ==================================================================
[ 14.566127] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x320/0x380
[ 14.566578] Read of size 1 at addr ffff8881024d25c8 by task kunit_try_catch/205
[ 14.566909]
[ 14.567061] CPU: 0 UID: 0 PID: 205 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT(voluntary)
[ 14.567158] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.567387] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.567508] Call Trace:
[ 14.567544]  <TASK>
[ 14.567584]  dump_stack_lvl+0x73/0xb0
[ 14.567654]  print_report+0xd1/0x650
[ 14.567706]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.567758]  ? kmalloc_uaf+0x320/0x380
[ 14.567802]  ? kasan_complete_mode_report_info+0x64/0x200
[ 14.567847]  ? kmalloc_uaf+0x320/0x380
[ 14.567892]  kasan_report+0x141/0x180
[ 14.567941]  ? kmalloc_uaf+0x320/0x380
[ 14.567996]  __asan_report_load1_noabort+0x18/0x20
[ 14.568043]  kmalloc_uaf+0x320/0x380
[ 14.568114]  ? __pfx_kmalloc_uaf+0x10/0x10
[ 14.568143]  ? __schedule+0x10cc/0x2b60
[ 14.568171]  ? __pfx_read_tsc+0x10/0x10
[ 14.568195]  ? ktime_get_ts64+0x86/0x230
[ 14.568332]  kunit_try_run_case+0x1a5/0x480
[ 14.568386]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.568411]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.568440]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.568466]  ? __kthread_parkme+0x82/0x180
[ 14.568492]  ? preempt_count_sub+0x50/0x80
[ 14.568521]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.568546]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.568572]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.568599]  kthread+0x337/0x6f0
[ 14.568618]  ? trace_preempt_on+0x20/0xc0
[ 14.568645]  ? __pfx_kthread+0x10/0x10
[ 14.568665]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.568689]  ? calculate_sigpending+0x7b/0xa0
[ 14.568714]  ? __pfx_kthread+0x10/0x10
[ 14.568734]  ret_from_fork+0x41/0x80
[ 14.568756]  ? __pfx_kthread+0x10/0x10
[ 14.568776]  ret_from_fork_asm+0x1a/0x30
[ 14.568811]  </TASK>
[ 14.568823]
[ 14.580758] Allocated by task 205:
[ 14.580982]  kasan_save_stack+0x45/0x70
[ 14.581244]  kasan_save_track+0x18/0x40
[ 14.581450]  kasan_save_alloc_info+0x3b/0x50
[ 14.582230]  __kasan_kmalloc+0xb7/0xc0
[ 14.582713]  __kmalloc_cache_noprof+0x189/0x420
[ 14.583397]  kmalloc_uaf+0xaa/0x380
[ 14.583730]  kunit_try_run_case+0x1a5/0x480
[ 14.584185]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.584772]  kthread+0x337/0x6f0
[ 14.585432]  ret_from_fork+0x41/0x80
[ 14.585802]  ret_from_fork_asm+0x1a/0x30
[ 14.586333]
[ 14.586465] Freed by task 205:
[ 14.586744]  kasan_save_stack+0x45/0x70
[ 14.586996]  kasan_save_track+0x18/0x40
[ 14.587226]  kasan_save_free_info+0x3f/0x60
[ 14.587479]  __kasan_slab_free+0x56/0x70
[ 14.587795]  kfree+0x222/0x3f0
[ 14.588028]  kmalloc_uaf+0x12c/0x380
[ 14.588242]  kunit_try_run_case+0x1a5/0x480
[ 14.588664]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.589110]  kthread+0x337/0x6f0
[ 14.589520]  ret_from_fork+0x41/0x80
[ 14.589725]  ret_from_fork_asm+0x1a/0x30
[ 14.589924]
[ 14.590128] The buggy address belongs to the object at ffff8881024d25c0
[ 14.590128]  which belongs to the cache kmalloc-16 of size 16
[ 14.591456] The buggy address is located 8 bytes inside of
[ 14.591456]  freed 16-byte region [ffff8881024d25c0, ffff8881024d25d0)
[ 14.592618]
[ 14.592864] The buggy address belongs to the physical page:
[ 14.593576] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1024d2
[ 14.593949] flags: 0x200000000000000(node=0|zone=2)
[ 14.594642] page_type: f5(slab)
[ 14.594998] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000
[ 14.595561] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
[ 14.596418] page dumped because: kasan: bad access detected
[ 14.596615]
[ 14.596756] Memory state around the buggy address:
[ 14.597522]  ffff8881024d2480: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 14.598187]  ffff8881024d2500: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 14.598700] >ffff8881024d2580: fa fb fc fc 00 05 fc fc fa fb fc fc fc fc fc fc
[ 14.599330]                                               ^
[ 14.599714]  ffff8881024d2600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.600027]  ffff8881024d2680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 14.600787] ==================================================================
```