Hay
Date
June 24, 2025, 11:37 a.m.

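Environment
dragonboard-845c
qemu-arm64
qemu-x86_64

The three reports below appear in the same order as the environments above; the "Hardware name" line in each report identifies its platform.
In all three, the faulting one-byte read is in page_alloc_uaf, called from kunit_try_run_case in a kunit_try_catch task, on a kernel tainted [N]=TEST. The address belongs to a page with refcount 0 and page_type f0(buddy), meaning a page already returned to the page allocator. This is consistent with the KASAN KUnit self-tests, which perform such accesses on purpose to confirm that KASAN reports them, so these reports should be triaged as expected test output rather than as a use-after-free in production kernel code.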

[   31.517559] ==================================================================
[   31.532795] BUG: KASAN: use-after-free in page_alloc_uaf+0x328/0x350
[   31.539242] Read of size 1 at addr ffff000095140000 by task kunit_try_catch/252
[   31.546646] 
[   31.548186] CPU: 3 UID: 0 PID: 252 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT 
[   31.548215] Tainted: [B]=BAD_PAGE, [N]=TEST
[   31.548224] Hardware name: Thundercomm Dragonboard 845c (DT)
[   31.548235] Call trace:
[   31.548242]  show_stack+0x20/0x38 (C)
[   31.548261]  dump_stack_lvl+0x8c/0xd0
[   31.548282]  print_report+0x118/0x608
[   31.548302]  kasan_report+0xdc/0x128
[   31.548321]  __asan_report_load1_noabort+0x20/0x30
[   31.548338]  page_alloc_uaf+0x328/0x350
[   31.548357]  kunit_try_run_case+0x170/0x3f0
[   31.548376]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   31.548399]  kthread+0x328/0x630
[   31.548414]  ret_from_fork+0x10/0x20
[   31.548431] 
[   31.613780] The buggy address belongs to the physical page:
[   31.619426] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x115140
[   31.627538] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   31.634154] page_type: f0(buddy)
[   31.637447] raw: 0bfffe0000000000 ffff0000fd587e70 ffff0000fd587e70 0000000000000000
[   31.645293] raw: 0000000000000000 0000000000000006 00000000f0000000 0000000000000000
[   31.653134] page dumped because: kasan: bad access detected
[   31.658784] 
[   31.660321] Memory state around the buggy address:
[   31.665186]  ffff00009513ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   31.672499]  ffff00009513ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   31.679814] >ffff000095140000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   31.687126]                    ^
[   31.690417]  ffff000095140080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   31.697730]  ffff000095140100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   31.705050] ==================================================================

[   32.591395] ==================================================================
[   32.591516] BUG: KASAN: use-after-free in page_alloc_uaf+0x328/0x350
[   32.591643] Read of size 1 at addr fff00000c7770000 by task kunit_try_catch/165
[   32.591754] 
[   32.591830] CPU: 0 UID: 0 PID: 165 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT 
[   32.592041] Tainted: [B]=BAD_PAGE, [N]=TEST
[   32.592107] Hardware name: linux,dummy-virt (DT)
[   32.592181] Call trace:
[   32.592233]  show_stack+0x20/0x38 (C)
[   32.592351]  dump_stack_lvl+0x8c/0xd0
[   32.592468]  print_report+0x118/0x608
[   32.592579]  kasan_report+0xdc/0x128
[   32.594477]  __asan_report_load1_noabort+0x20/0x30
[   32.595453]  page_alloc_uaf+0x328/0x350
[   32.595583]  kunit_try_run_case+0x170/0x3f0
[   32.595717]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   32.596308]  kthread+0x328/0x630
[   32.596525]  ret_from_fork+0x10/0x20
[   32.596661] 
[   32.596718] The buggy address belongs to the physical page:
[   32.596797] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107770
[   32.598253] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   32.599022] page_type: f0(buddy)
[   32.599229] raw: 0bfffe0000000000 fff00000ff6160a0 fff00000ff6160a0 0000000000000000
[   32.599334] raw: 0000000000000000 0000000000000004 00000000f0000000 0000000000000000
[   32.599389] page dumped because: kasan: bad access detected
[   32.599426] 
[   32.599447] Memory state around the buggy address:
[   32.599519]  fff00000c776ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.599586]  fff00000c776ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.599637] >fff00000c7770000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.599680]                    ^
[   32.599717]  fff00000c7770080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.599767]  fff00000c7770100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   32.599810] ==================================================================

[   28.225498] ==================================================================
[   28.226832] BUG: KASAN: use-after-free in page_alloc_uaf+0x356/0x3d0
[   28.227680] Read of size 1 at addr ffff888102ce0000 by task kunit_try_catch/184
[   28.228572] 
[   28.228884] CPU: 0 UID: 0 PID: 184 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc3-next-20250624 #1 PREEMPT(voluntary) 
[   28.229024] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.229066] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   28.229116] Call Trace:
[   28.229148]  <TASK>
[   28.229185]  dump_stack_lvl+0x73/0xb0
[   28.229257]  print_report+0xd1/0x650
[   28.229311]  ? __virt_addr_valid+0x1db/0x2d0
[   28.229373]  ? page_alloc_uaf+0x356/0x3d0
[   28.229422]  ? kasan_addr_to_slab+0x11/0xa0
[   28.229500]  ? page_alloc_uaf+0x356/0x3d0
[   28.229564]  kasan_report+0x141/0x180
[   28.229614]  ? page_alloc_uaf+0x356/0x3d0
[   28.229685]  __asan_report_load1_noabort+0x18/0x20
[   28.229720]  page_alloc_uaf+0x356/0x3d0
[   28.229748]  ? __pfx_page_alloc_uaf+0x10/0x10
[   28.229780]  ? __pfx_page_alloc_uaf+0x10/0x10
[   28.229813]  kunit_try_run_case+0x1a5/0x480
[   28.229846]  ? __pfx_kunit_try_run_case+0x10/0x10
[   28.229875]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   28.229907]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   28.229939]  ? __kthread_parkme+0x82/0x180
[   28.229969]  ? preempt_count_sub+0x50/0x80
[   28.229999]  ? __pfx_kunit_try_run_case+0x10/0x10
[   28.230030]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   28.230082]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   28.230138]  kthread+0x337/0x6f0
[   28.230175]  ? trace_preempt_on+0x20/0xc0
[   28.230208]  ? __pfx_kthread+0x10/0x10
[   28.230236]  ? _raw_spin_unlock_irq+0x47/0x80
[   28.230266]  ? calculate_sigpending+0x7b/0xa0
[   28.230297]  ? __pfx_kthread+0x10/0x10
[   28.230324]  ret_from_fork+0x116/0x1d0
[   28.230350]  ? __pfx_kthread+0x10/0x10
[   28.230377]  ret_from_fork_asm+0x1a/0x30
[   28.230416]  </TASK>
[   28.230430] 
[   28.245171] The buggy address belongs to the physical page:
[   28.245846] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102ce0
[   28.246784] flags: 0x200000000000000(node=0|zone=2)
[   28.247306] page_type: f0(buddy)
[   28.247436] raw: 0200000000000000 ffff88817fffb4a8 ffff88817fffb4a8 0000000000000000
[   28.248231] raw: 0000000000000000 0000000000000005 00000000f0000000 0000000000000000
[   28.249186] page dumped because: kasan: bad access detected
[   28.249470] 
[   28.249696] Memory state around the buggy address:
[   28.250344]  ffff888102cdff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.251288]  ffff888102cdff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.251866] >ffff888102ce0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.252538]                    ^
[   28.252910]  ffff888102ce0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.253805]  ffff888102ce0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.254419] ==================================================================