Date
July 2, 2025, 11:10 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 30.635671] ================================================================== [ 30.635866] BUG: KASAN: use-after-free in page_alloc_uaf+0x328/0x350 [ 30.636033] Read of size 1 at addr fff00000c9a40000 by task kunit_try_catch/187 [ 30.636119] [ 30.636153] CPU: 0 UID: 0 PID: 187 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT [ 30.636573] Tainted: [B]=BAD_PAGE, [N]=TEST [ 30.636644] Hardware name: linux,dummy-virt (DT) [ 30.636753] Call trace: [ 30.636790] show_stack+0x20/0x38 (C) [ 30.636844] dump_stack_lvl+0x8c/0xd0 [ 30.636906] print_report+0x118/0x608 [ 30.636965] kasan_report+0xdc/0x128 [ 30.637012] __asan_report_load1_noabort+0x20/0x30 [ 30.637059] page_alloc_uaf+0x328/0x350 [ 30.637163] kunit_try_run_case+0x170/0x3f0 [ 30.637221] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 30.637281] kthread+0x328/0x630 [ 30.637324] ret_from_fork+0x10/0x20 [ 30.637382] [ 30.637410] The buggy address belongs to the physical page: [ 30.637450] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a40 [ 30.637517] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 30.637576] page_type: f0(buddy) [ 30.637632] raw: 0bfffe0000000000 fff00000ff6161b0 fff00000ff6161b0 0000000000000000 [ 30.637691] raw: 0000000000000000 0000000000000006 00000000f0000000 0000000000000000 [ 30.637738] page dumped because: kasan: bad access detected [ 30.637769] [ 30.637797] Memory state around the buggy address: [ 30.637829] fff00000c9a3ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 30.637882] fff00000c9a3ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 30.637944] >fff00000c9a40000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 30.637983] ^ [ 30.638017] fff00000c9a40080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 30.638077] fff00000c9a40100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 30.638125] ==================================================================
[ 32.441102] ================================================================== [ 32.441173] BUG: KASAN: use-after-free in page_alloc_uaf+0x328/0x350 [ 32.441229] Read of size 1 at addr fff00000c9aa0000 by task kunit_try_catch/185 [ 32.441279] [ 32.441312] CPU: 1 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT [ 32.441397] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.441424] Hardware name: linux,dummy-virt (DT) [ 32.441456] Call trace: [ 32.441479] show_stack+0x20/0x38 (C) [ 32.441789] dump_stack_lvl+0x8c/0xd0 [ 32.442080] print_report+0x118/0x608 [ 32.442508] kasan_report+0xdc/0x128 [ 32.442747] __asan_report_load1_noabort+0x20/0x30 [ 32.442901] page_alloc_uaf+0x328/0x350 [ 32.442981] kunit_try_run_case+0x170/0x3f0 [ 32.443030] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.443120] kthread+0x328/0x630 [ 32.443174] ret_from_fork+0x10/0x20 [ 32.443221] [ 32.443241] The buggy address belongs to the physical page: [ 32.443311] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109aa0 [ 32.443551] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.443705] page_type: f0(buddy) [ 32.443770] raw: 0bfffe0000000000 fff00000ff616148 fff00000ff616148 0000000000000000 [ 32.443820] raw: 0000000000000000 0000000000000005 00000000f0000000 0000000000000000 [ 32.444070] page dumped because: kasan: bad access detected [ 32.444104] [ 32.444122] Memory state around the buggy address: [ 32.444166] fff00000c9a9ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.444242] fff00000c9a9ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.444290] >fff00000c9aa0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.444448] ^ [ 32.444541] fff00000c9aa0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.444606] fff00000c9aa0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.444651] ==================================================================
[ 22.672277] ================================================================== [ 22.673003] BUG: KASAN: use-after-free in page_alloc_uaf+0x356/0x3d0 [ 22.673223] Read of size 1 at addr ffff8881061e0000 by task kunit_try_catch/202 [ 22.673560] [ 22.673671] CPU: 1 UID: 0 PID: 202 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) [ 22.673722] Tainted: [B]=BAD_PAGE, [N]=TEST [ 22.673735] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 22.673764] Call Trace: [ 22.673778] <TASK> [ 22.673796] dump_stack_lvl+0x73/0xb0 [ 22.673881] print_report+0xd1/0x650 [ 22.673907] ? __virt_addr_valid+0x1db/0x2d0 [ 22.673931] ? page_alloc_uaf+0x356/0x3d0 [ 22.673965] ? kasan_addr_to_slab+0x11/0xa0 [ 22.673984] ? page_alloc_uaf+0x356/0x3d0 [ 22.674006] kasan_report+0x141/0x180 [ 22.674027] ? page_alloc_uaf+0x356/0x3d0 [ 22.674052] __asan_report_load1_noabort+0x18/0x20 [ 22.674075] page_alloc_uaf+0x356/0x3d0 [ 22.674096] ? __pfx_page_alloc_uaf+0x10/0x10 [ 22.674118] ? __schedule+0x10cc/0x2b60 [ 22.674139] ? __pfx_read_tsc+0x10/0x10 [ 22.674160] ? ktime_get_ts64+0x86/0x230 [ 22.674185] kunit_try_run_case+0x1a5/0x480 [ 22.674211] ? __pfx_kunit_try_run_case+0x10/0x10 [ 22.674234] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 22.674255] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 22.674319] ? __kthread_parkme+0x82/0x180 [ 22.674375] ? preempt_count_sub+0x50/0x80 [ 22.674399] ? __pfx_kunit_try_run_case+0x10/0x10 [ 22.674424] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 22.674447] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 22.674471] kthread+0x337/0x6f0 [ 22.674501] ? trace_preempt_on+0x20/0xc0 [ 22.674526] ? __pfx_kthread+0x10/0x10 [ 22.674546] ? _raw_spin_unlock_irq+0x47/0x80 [ 22.674570] ? calculate_sigpending+0x7b/0xa0 [ 22.674594] ? __pfx_kthread+0x10/0x10 [ 22.674615] ret_from_fork+0x116/0x1d0 [ 22.674633] ? __pfx_kthread+0x10/0x10 [ 22.674654] ret_from_fork_asm+0x1a/0x30 [ 22.674700] </TASK> [ 22.674713] [ 22.682895] The buggy address belongs to the physical page: [ 22.683238] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1061e0 [ 22.684276] flags: 0x200000000000000(node=0|zone=2) [ 22.684595] page_type: f0(buddy) [ 22.684866] raw: 0200000000000000 ffff88817fffc4a8 ffff88817fffc4a8 0000000000000000 [ 22.685451] raw: 0000000000000000 0000000000000005 00000000f0000000 0000000000000000 [ 22.685911] page dumped because: kasan: bad access detected [ 22.686179] [ 22.686376] Memory state around the buggy address: [ 22.686564] ffff8881061dff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 22.687080] ffff8881061dff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 22.687495] >ffff8881061e0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 22.688165] ^ [ 22.688335] ffff8881061e0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 22.688868] ffff8881061e0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 22.689353] ==================================================================
[ 22.880955] ================================================================== [ 22.882690] BUG: KASAN: use-after-free in page_alloc_uaf+0x356/0x3d0 [ 22.882965] Read of size 1 at addr ffff888106180000 by task kunit_try_catch/203 [ 22.884045] [ 22.884416] CPU: 0 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250702 #1 PREEMPT(voluntary) [ 22.884476] Tainted: [B]=BAD_PAGE, [N]=TEST [ 22.884490] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 22.884513] Call Trace: [ 22.884528] <TASK> [ 22.884549] dump_stack_lvl+0x73/0xb0 [ 22.884584] print_report+0xd1/0x650 [ 22.884609] ? __virt_addr_valid+0x1db/0x2d0 [ 22.884634] ? page_alloc_uaf+0x356/0x3d0 [ 22.884655] ? kasan_addr_to_slab+0x11/0xa0 [ 22.884675] ? page_alloc_uaf+0x356/0x3d0 [ 22.884696] kasan_report+0x141/0x180 [ 22.884717] ? page_alloc_uaf+0x356/0x3d0 [ 22.884742] __asan_report_load1_noabort+0x18/0x20 [ 22.884766] page_alloc_uaf+0x356/0x3d0 [ 22.884786] ? __pfx_page_alloc_uaf+0x10/0x10 [ 22.884808] ? __schedule+0x10cc/0x2b60 [ 22.884830] ? __pfx_read_tsc+0x10/0x10 [ 22.884852] ? ktime_get_ts64+0x86/0x230 [ 22.884878] kunit_try_run_case+0x1a5/0x480 [ 22.884905] ? __pfx_kunit_try_run_case+0x10/0x10 [ 22.884937] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 22.884958] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 22.884980] ? __kthread_parkme+0x82/0x180 [ 22.885001] ? preempt_count_sub+0x50/0x80 [ 22.885025] ? __pfx_kunit_try_run_case+0x10/0x10 [ 22.885049] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 22.885149] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 22.885193] kthread+0x337/0x6f0 [ 22.885213] ? trace_preempt_on+0x20/0xc0 [ 22.885238] ? __pfx_kthread+0x10/0x10 [ 22.885258] ? _raw_spin_unlock_irq+0x47/0x80 [ 22.885284] ? calculate_sigpending+0x7b/0xa0 [ 22.885308] ? __pfx_kthread+0x10/0x10 [ 22.885330] ret_from_fork+0x116/0x1d0 [ 22.885349] ? __pfx_kthread+0x10/0x10 [ 22.885369] ret_from_fork_asm+0x1a/0x30 [ 22.885400] </TASK> [ 22.885413] [ 22.895797] The buggy address belongs to the physical page: [ 22.896011] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106180 [ 22.896730] flags: 0x200000000000000(node=0|zone=2) [ 22.897312] page_type: f0(buddy) [ 22.897608] raw: 0200000000000000 ffff88817fffb538 ffff88817fffb538 0000000000000000 [ 22.898378] raw: 0000000000000000 0000000000000007 00000000f0000000 0000000000000000 [ 22.898639] page dumped because: kasan: bad access detected [ 22.898804] [ 22.898869] Memory state around the buggy address: [ 22.899197] ffff88810617ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 22.899864] ffff88810617ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 22.900611] >ffff888106180000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 22.901336] ^ [ 22.901687] ffff888106180080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 22.902010] ffff888106180100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 22.902369] ==================================================================