Date
July 4, 2025, 3:11 p.m.
Environment | |
---|---|
e850-96 | |
qemu-arm64 | |
qemu-x86_64 | |
x86 | |
[ 19.361157] ==================================================================
[ 19.370954] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[ 19.377550] Read of size 1 at addr ffff000805d54000 by task kunit_try_catch/197
[ 19.384840]
[ 19.386325] CPU: 1 UID: 0 PID: 197 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT
[ 19.386382] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 19.386399] Hardware name: WinLink E850-96 board (DT)
[ 19.386420] Call trace:
[ 19.386433] show_stack+0x20/0x38 (C)
[ 19.386469] dump_stack_lvl+0x8c/0xd0
[ 19.386506] print_report+0x118/0x608
[ 19.386535] kasan_report+0xdc/0x128
[ 19.386569] __asan_report_load1_noabort+0x20/0x30
[ 19.386605] kmalloc_large_uaf+0x2cc/0x2f8
[ 19.386637] kunit_try_run_case+0x170/0x3f0
[ 19.386672] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 19.386710] kthread+0x328/0x630
[ 19.386744] ret_from_fork+0x10/0x20
[ 19.386777]
[ 19.449076] The buggy address belongs to the physical page:
[ 19.454632] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x885d54
[ 19.462616] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 19.469140] raw: 0bfffe0000000000 fffffdffe0175608 ffff00085af6f0c0 0000000000000000
[ 19.476860] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 19.484577] page dumped because: kasan: bad access detected
[ 19.490131]
[ 19.491606] Memory state around the buggy address:
[ 19.496389] ffff000805d53f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.503589] ffff000805d53f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.510797] >ffff000805d54000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 19.517995] ^
[ 19.521211] ffff000805d54080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 19.528415] ffff000805d54100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 19.535618] ==================================================================
[ 15.350586] ==================================================================
[ 15.350661] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2cc/0x2f8
[ 15.350712] Read of size 1 at addr fff00000c6560000 by task kunit_try_catch/153
[ 15.350769]
[ 15.350801] CPU: 0 UID: 0 PID: 153 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT
[ 15.350878] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 15.350902] Hardware name: linux,dummy-virt (DT)
[ 15.350931] Call trace:
[ 15.350969] show_stack+0x20/0x38 (C)
[ 15.351016] dump_stack_lvl+0x8c/0xd0
[ 15.351061] print_report+0x118/0x608
[ 15.351137] kasan_report+0xdc/0x128
[ 15.351179] __asan_report_load1_noabort+0x20/0x30
[ 15.351225] kmalloc_large_uaf+0x2cc/0x2f8
[ 15.351269] kunit_try_run_case+0x170/0x3f0
[ 15.351315] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 15.351365] kthread+0x328/0x630
[ 15.351778] ret_from_fork+0x10/0x20
[ 15.351845]
[ 15.351865] The buggy address belongs to the physical page:
[ 15.352248] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106560
[ 15.352365] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 15.352430] raw: 0bfffe0000000000 ffffc1ffc3195908 fff00000da47de00 0000000000000000
[ 15.352478] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 15.352641] page dumped because: kasan: bad access detected
[ 15.352671]
[ 15.352689] Memory state around the buggy address:
[ 15.352742] fff00000c655ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.352784] fff00000c655ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 15.352824] >fff00000c6560000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 15.352913] ^
[ 15.352941] fff00000c6560080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 15.353116] fff00000c6560100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 15.353183] ==================================================================
[ 13.489769] ==================================================================
[ 13.490731] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f1/0x340
[ 13.491079] Read of size 1 at addr ffff8881022a4000 by task kunit_try_catch/169
[ 13.492431]
[ 13.492602] CPU: 0 UID: 0 PID: 169 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT(voluntary)
[ 13.492698] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.492721] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.492760] Call Trace:
[ 13.492785] <TASK>
[ 13.492819] dump_stack_lvl+0x73/0xb0
[ 13.492874] print_report+0xd1/0x650
[ 13.492914] ? __virt_addr_valid+0x1db/0x2d0
[ 13.492951] ? kmalloc_large_uaf+0x2f1/0x340
[ 13.493329] ? kasan_addr_to_slab+0x11/0xa0
[ 13.493400] ? kmalloc_large_uaf+0x2f1/0x340
[ 13.493440] kasan_report+0x141/0x180
[ 13.493478] ? kmalloc_large_uaf+0x2f1/0x340
[ 13.493508] __asan_report_load1_noabort+0x18/0x20
[ 13.493532] kmalloc_large_uaf+0x2f1/0x340
[ 13.493555] ? __pfx_kmalloc_large_uaf+0x10/0x10
[ 13.493580] ? __schedule+0x10cc/0x2b60
[ 13.493607] ? __pfx_read_tsc+0x10/0x10
[ 13.493629] ? ktime_get_ts64+0x86/0x230
[ 13.493658] kunit_try_run_case+0x1a5/0x480
[ 13.493686] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.493710] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.493737] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.493763] ? __kthread_parkme+0x82/0x180
[ 13.493787] ? preempt_count_sub+0x50/0x80
[ 13.493815] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.493841] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.493866] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.493892] kthread+0x337/0x6f0
[ 13.493910] ? trace_preempt_on+0x20/0xc0
[ 13.493937] ? __pfx_kthread+0x10/0x10
[ 13.493956] ? _raw_spin_unlock_irq+0x47/0x80
[ 13.493980] ? calculate_sigpending+0x7b/0xa0
[ 13.494004] ? __pfx_kthread+0x10/0x10
[ 13.494024] ret_from_fork+0x41/0x80
[ 13.494046] ? __pfx_kthread+0x10/0x10
[ 13.494068] ret_from_fork_asm+0x1a/0x30
[ 13.494121] </TASK>
[ 13.494142]
[ 13.508792] The buggy address belongs to the physical page:
[ 13.509037] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1022a4
[ 13.510278] flags: 0x200000000000000(node=0|zone=2)
[ 13.510744] raw: 0200000000000000 ffffea000408aa08 ffff88815b039a80 0000000000000000
[ 13.511553] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 13.511914] page dumped because: kasan: bad access detected
[ 13.512305]
[ 13.512872] Memory state around the buggy address:
[ 13.513094] ffff8881022a3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.514069] ffff8881022a3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 13.514823] >ffff8881022a4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.515491] ^
[ 13.516090] ffff8881022a4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.516551] ffff8881022a4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.516905] ==================================================================
[ 20.961202] ==================================================================
[ 20.972715] BUG: KASAN: use-after-free in kmalloc_large_uaf+0x2f1/0x340
[ 20.979328] Read of size 1 at addr ffff888102a30000 by task kunit_try_catch/191
[ 20.986634]
[ 20.988136] CPU: 1 UID: 0 PID: 191 Comm: kunit_try_catch Tainted: G B N 6.15.5-rc2 #1 PREEMPT(voluntary)
[ 20.988144] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 20.988146] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.7 12/07/2021
[ 20.988149] Call Trace:
[ 20.988150] <TASK>
[ 20.988152] dump_stack_lvl+0x73/0xb0
[ 20.988156] print_report+0xd1/0x650
[ 20.988160] ? __virt_addr_valid+0x1db/0x2d0
[ 20.988164] ? kmalloc_large_uaf+0x2f1/0x340
[ 20.988168] ? kasan_addr_to_slab+0x11/0xa0
[ 20.988172] ? kmalloc_large_uaf+0x2f1/0x340
[ 20.988176] kasan_report+0x141/0x180
[ 20.988180] ? kmalloc_large_uaf+0x2f1/0x340
[ 20.988185] __asan_report_load1_noabort+0x18/0x20
[ 20.988189] kmalloc_large_uaf+0x2f1/0x340
[ 20.988193] ? __pfx_kmalloc_large_uaf+0x10/0x10
[ 20.988197] ? __schedule+0x10cc/0x2b60
[ 20.988202] ? ktime_get_ts64+0x83/0x230
[ 20.988206] kunit_try_run_case+0x1a2/0x480
[ 20.988211] ? __pfx_kunit_try_run_case+0x10/0x10
[ 20.988216] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 20.988220] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 20.988225] ? __kthread_parkme+0x82/0x180
[ 20.988229] ? preempt_count_sub+0x50/0x80
[ 20.988233] ? __pfx_kunit_try_run_case+0x10/0x10
[ 20.988238] kunit_generic_run_threadfn_adapter+0x82/0xf0
[ 20.988242] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 20.988247] kthread+0x334/0x6f0
[ 20.988249] ? trace_preempt_on+0x20/0xc0
[ 20.988254] ? __pfx_kthread+0x10/0x10
[ 20.988257] ? _raw_spin_unlock_irq+0x47/0x80
[ 20.988261] ? calculate_sigpending+0x7b/0xa0
[ 20.988265] ? __pfx_kthread+0x10/0x10
[ 20.988268] ret_from_fork+0x3e/0x80
[ 20.988272] ? __pfx_kthread+0x10/0x10
[ 20.988275] ret_from_fork_asm+0x1a/0x30
[ 20.988281] </TASK>
[ 20.988282]
[ 21.149913] The buggy address belongs to the physical page:
[ 21.155487] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a30
[ 21.163486] flags: 0x200000000000000(node=0|zone=2)
[ 21.168367] raw: 0200000000000000 ffffea0004168608 ffff8882304b9a80 0000000000000000
[ 21.176113] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 21.183853] page dumped because: kasan: bad access detected
[ 21.189426]
[ 21.190924] Memory state around the buggy address:
[ 21.195735] ffff888102a2ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.202953] ffff888102a2ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.210173] >ffff888102a30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.217393] ^
[ 21.220624] ffff888102a30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.227844] ffff888102a30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 21.235065] ==================================================================