Date
June 26, 2025, 9:10 a.m.
| Environment | |
|---|---|
| dragonboard-845c | |
| qemu-arm64 | |
| qemu-x86_64 |
[ 32.883635] ================================================================== [ 32.898883] BUG: KASAN: use-after-free in page_alloc_uaf+0x328/0x350 [ 32.905325] Read of size 1 at addr ffff0000967b0000 by task kunit_try_catch/240 [ 32.912737] [ 32.914271] CPU: 2 UID: 0 PID: 240 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT [ 32.914299] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.914308] Hardware name: Thundercomm Dragonboard 845c (DT) [ 32.914320] Call trace: [ 32.914329] show_stack+0x20/0x38 (C) [ 32.914347] dump_stack_lvl+0x8c/0xd0 [ 32.914366] print_report+0x118/0x608 [ 32.914385] kasan_report+0xdc/0x128 [ 32.914404] __asan_report_load1_noabort+0x20/0x30 [ 32.914421] page_alloc_uaf+0x328/0x350 [ 32.914438] kunit_try_run_case+0x170/0x3f0 [ 32.914458] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.914481] kthread+0x328/0x630 [ 32.914498] ret_from_fork+0x10/0x20 [ 32.914517] [ 32.979872] The buggy address belongs to the physical page: [ 32.985517] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1167b0 [ 32.993627] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 33.000249] page_type: f0(buddy) [ 33.003535] raw: 0bfffe0000000000 fffffdffc24e1408 ffff0000fd587da0 0000000000000000 [ 33.011381] raw: 0000000000000000 0000000000000004 00000000f0000000 0000000000000000 [ 33.019218] page dumped because: kasan: bad access detected [ 33.024870] [ 33.026399] Memory state around the buggy address: [ 33.031263] ffff0000967aff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.038585] ffff0000967aff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.045899] >ffff0000967b0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.053219] ^ [ 33.056508] ffff0000967b0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.063822] ffff0000967b0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 33.071131] ==================================================================
[ 26.616485] ================================================================== [ 26.616540] BUG: KASAN: use-after-free in page_alloc_uaf+0x328/0x350 [ 26.616621] Read of size 1 at addr fff00000c64e0000 by task kunit_try_catch/166 [ 26.616675] [ 26.616740] CPU: 0 UID: 0 PID: 166 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT [ 26.616846] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.616872] Hardware name: linux,dummy-virt (DT) [ 26.616901] Call trace: [ 26.616921] show_stack+0x20/0x38 (C) [ 26.616970] dump_stack_lvl+0x8c/0xd0 [ 26.617016] print_report+0x118/0x608 [ 26.617073] kasan_report+0xdc/0x128 [ 26.617118] __asan_report_load1_noabort+0x20/0x30 [ 26.617166] page_alloc_uaf+0x328/0x350 [ 26.617211] kunit_try_run_case+0x170/0x3f0 [ 26.617365] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 26.617419] kthread+0x328/0x630 [ 26.617462] ret_from_fork+0x10/0x20 [ 26.617563] [ 26.617612] The buggy address belongs to the physical page: [ 26.617647] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1064e0 [ 26.617775] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 26.617889] page_type: f0(buddy) [ 26.617985] raw: 0bfffe0000000000 fff00000ff616108 fff00000ff616108 0000000000000000 [ 26.618033] raw: 0000000000000000 0000000000000005 00000000f0000000 0000000000000000 [ 26.618081] page dumped because: kasan: bad access detected [ 26.618170] [ 26.618190] Memory state around the buggy address: [ 26.618222] fff00000c64dff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.618264] fff00000c64dff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.618304] >fff00000c64e0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.618358] ^ [ 26.618507] fff00000c64e0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.618681] fff00000c64e0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.618762] ==================================================================
[ 21.750757] ================================================================== [ 21.751366] BUG: KASAN: use-after-free in page_alloc_uaf+0x356/0x3d0 [ 21.751970] Read of size 1 at addr ffff888102c20000 by task kunit_try_catch/183 [ 21.752417] [ 21.752529] CPU: 1 UID: 0 PID: 183 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc3-next-20250626 #1 PREEMPT(voluntary) [ 21.752580] Tainted: [B]=BAD_PAGE, [N]=TEST [ 21.752594] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 21.752616] Call Trace: [ 21.752631] <TASK> [ 21.752901] dump_stack_lvl+0x73/0xb0 [ 21.752962] print_report+0xd1/0x650 [ 21.752984] ? __virt_addr_valid+0x1db/0x2d0 [ 21.753010] ? page_alloc_uaf+0x356/0x3d0 [ 21.753147] ? kasan_addr_to_slab+0x11/0xa0 [ 21.753167] ? page_alloc_uaf+0x356/0x3d0 [ 21.753188] kasan_report+0x141/0x180 [ 21.753209] ? page_alloc_uaf+0x356/0x3d0 [ 21.753245] __asan_report_load1_noabort+0x18/0x20 [ 21.753268] page_alloc_uaf+0x356/0x3d0 [ 21.753288] ? __pfx_page_alloc_uaf+0x10/0x10 [ 21.753310] ? __schedule+0x10cc/0x2b60 [ 21.753335] ? __pfx_read_tsc+0x10/0x10 [ 21.753358] ? ktime_get_ts64+0x86/0x230 [ 21.753383] kunit_try_run_case+0x1a5/0x480 [ 21.753410] ? __pfx_kunit_try_run_case+0x10/0x10 [ 21.753431] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 21.753455] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 21.753480] ? __kthread_parkme+0x82/0x180 [ 21.753501] ? preempt_count_sub+0x50/0x80 [ 21.753523] ? __pfx_kunit_try_run_case+0x10/0x10 [ 21.753546] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 21.753569] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 21.753592] kthread+0x337/0x6f0 [ 21.753611] ? trace_preempt_on+0x20/0xc0 [ 21.753634] ? __pfx_kthread+0x10/0x10 [ 21.753654] ? _raw_spin_unlock_irq+0x47/0x80 [ 21.753676] ? calculate_sigpending+0x7b/0xa0 [ 21.753700] ? __pfx_kthread+0x10/0x10 [ 21.753721] ret_from_fork+0x116/0x1d0 [ 21.753739] ? __pfx_kthread+0x10/0x10 [ 21.753758] ret_from_fork_asm+0x1a/0x30 [ 21.753790] </TASK> [ 21.753803] [ 21.762262] The buggy address belongs to the physical page: [ 21.762527] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c20 [ 21.762883] flags: 0x200000000000000(node=0|zone=2) [ 21.763245] page_type: f0(buddy) [ 21.763376] raw: 0200000000000000 ffff88817fffb4a8 ffff88817fffb4a8 0000000000000000 [ 21.763669] raw: 0000000000000000 0000000000000005 00000000f0000000 0000000000000000 [ 21.764154] page dumped because: kasan: bad access detected [ 21.764328] [ 21.764391] Memory state around the buggy address: [ 21.764713] ffff888102c1ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.765032] ffff888102c1ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.765286] >ffff888102c20000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.765910] ^ [ 21.766059] ffff888102c20080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.766368] ffff888102c20100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 21.766644] ==================================================================