Date
July 3, 2025, 10:10 a.m.
| Environment |
|---|
| dragonboard-845c |
| qemu-arm64 |
| qemu-x86_64 |
```
[ 33.698497] ==================================================================
[ 33.713747] BUG: KASAN: use-after-free in page_alloc_uaf+0x328/0x350
[ 33.720192] Read of size 1 at addr ffff0000934a0000 by task kunit_try_catch/263
[ 33.727595]
[ 33.729130] CPU: 3 UID: 0 PID: 263 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 33.729159] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 33.729168] Hardware name: Thundercomm Dragonboard 845c (DT)
[ 33.729179] Call trace:
[ 33.729186] show_stack+0x20/0x38 (C)
[ 33.729204] dump_stack_lvl+0x8c/0xd0
[ 33.729224] print_report+0x118/0x608
[ 33.729245] kasan_report+0xdc/0x128
[ 33.729264] __asan_report_load1_noabort+0x20/0x30
[ 33.729282] page_alloc_uaf+0x328/0x350
[ 33.729299] kunit_try_run_case+0x170/0x3f0
[ 33.729317] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 33.729340] kthread+0x328/0x630
[ 33.729355] ret_from_fork+0x10/0x20
[ 33.729372]
[ 33.794725] The buggy address belongs to the physical page:
[ 33.800370] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1134a0
[ 33.808474] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 33.815089] page_type: f0(buddy)
[ 33.818378] raw: 0bfffe0000000000 ffff0000fd587e48 ffff0000fd587e48 0000000000000000
[ 33.826224] raw: 0000000000000000 0000000000000005 00000000f0000000 0000000000000000
[ 33.834066] page dumped because: kasan: bad access detected
[ 33.839711]
[ 33.841242] Memory state around the buggy address:
[ 33.846100] ffff00009349ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.853415] ffff00009349ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.860729] >ffff0000934a0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.868041] ^
[ 33.871325] ffff0000934a0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.878639] ffff0000934a0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 33.885952] ==================================================================
```
```
[ 30.815514] ==================================================================
[ 30.815588] BUG: KASAN: use-after-free in page_alloc_uaf+0x328/0x350
[ 30.815657] Read of size 1 at addr fff00000c9be0000 by task kunit_try_catch/186
[ 30.815706]
[ 30.815994] CPU: 0 UID: 0 PID: 186 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT
[ 30.816099] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.816125] Hardware name: linux,dummy-virt (DT)
[ 30.816159] Call trace:
[ 30.816528] show_stack+0x20/0x38 (C)
[ 30.816720] dump_stack_lvl+0x8c/0xd0
[ 30.816918] print_report+0x118/0x608
[ 30.817137] kasan_report+0xdc/0x128
[ 30.817184] __asan_report_load1_noabort+0x20/0x30
[ 30.817454] page_alloc_uaf+0x328/0x350
[ 30.817615] kunit_try_run_case+0x170/0x3f0
[ 30.817765] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.817841] kthread+0x328/0x630
[ 30.818203] ret_from_fork+0x10/0x20
[ 30.818269]
[ 30.818290] The buggy address belongs to the physical page:
[ 30.818323] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109be0
[ 30.818396] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.818447] page_type: f0(buddy)
[ 30.818511] raw: 0bfffe0000000000 fff00000ff616148 fff00000ff616148 0000000000000000
[ 30.818563] raw: 0000000000000000 0000000000000005 00000000f0000000 0000000000000000
[ 30.818617] page dumped because: kasan: bad access detected
[ 30.818647]
[ 30.818665] Memory state around the buggy address:
[ 30.818699] fff00000c9bdff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.818742] fff00000c9bdff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.818784] >fff00000c9be0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.818821] ^
[ 30.819379] fff00000c9be0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.819454] fff00000c9be0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.819534] ==================================================================
```
```
[ 22.712391] ==================================================================
[ 22.712988] BUG: KASAN: use-after-free in page_alloc_uaf+0x356/0x3d0
[ 22.713247] Read of size 1 at addr ffff888106120000 by task kunit_try_catch/203
[ 22.713547]
[ 22.713644] CPU: 1 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4-next-20250703 #1 PREEMPT(voluntary)
[ 22.713689] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 22.713701] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 22.713721] Call Trace:
[ 22.713735] <TASK>
[ 22.713751] dump_stack_lvl+0x73/0xb0
[ 22.713778] print_report+0xd1/0x650
[ 22.713799] ? __virt_addr_valid+0x1db/0x2d0
[ 22.713821] ? page_alloc_uaf+0x356/0x3d0
[ 22.713849] ? kasan_addr_to_slab+0x11/0xa0
[ 22.713876] ? page_alloc_uaf+0x356/0x3d0
[ 22.713897] kasan_report+0x141/0x180
[ 22.713918] ? page_alloc_uaf+0x356/0x3d0
[ 22.713944] __asan_report_load1_noabort+0x18/0x20
[ 22.713967] page_alloc_uaf+0x356/0x3d0
[ 22.713988] ? __pfx_page_alloc_uaf+0x10/0x10
[ 22.714009] ? __schedule+0x10cc/0x2b60
[ 22.714036] ? __pfx_read_tsc+0x10/0x10
[ 22.714057] ? ktime_get_ts64+0x86/0x230
[ 22.714080] kunit_try_run_case+0x1a5/0x480
[ 22.714105] ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.714128] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 22.714149] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 22.714176] ? __kthread_parkme+0x82/0x180
[ 22.714195] ? preempt_count_sub+0x50/0x80
[ 22.714217] ? __pfx_kunit_try_run_case+0x10/0x10
[ 22.714241] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 22.714264] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 22.714287] kthread+0x337/0x6f0
[ 22.714306] ? trace_preempt_on+0x20/0xc0
[ 22.714328] ? __pfx_kthread+0x10/0x10
[ 22.714349] ? _raw_spin_unlock_irq+0x47/0x80
[ 22.714374] ? calculate_sigpending+0x7b/0xa0
[ 22.714397] ? __pfx_kthread+0x10/0x10
[ 22.714420] ret_from_fork+0x116/0x1d0
[ 22.714438] ? __pfx_kthread+0x10/0x10
[ 22.714499] ret_from_fork_asm+0x1a/0x30
[ 22.714531] </TASK>
[ 22.714543]
[ 22.721378] The buggy address belongs to the physical page:
[ 22.721640] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106120
[ 22.721996] flags: 0x200000000000000(node=0|zone=2)
[ 22.722434] page_type: f0(buddy)
[ 22.722624] raw: 0200000000000000 ffff88817fffb4a8 ffff88817fffb4a8 0000000000000000
[ 22.722869] raw: 0000000000000000 0000000000000005 00000000f0000000 0000000000000000
[ 22.723121] page dumped because: kasan: bad access detected
[ 22.723446]
[ 22.723545] Memory state around the buggy address:
[ 22.723764] ffff88810611ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.724073] ffff88810611ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.724363] >ffff888106120000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.724658] ^
[ 22.724814] ffff888106120080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.725122] ffff888106120100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 22.725507] ==================================================================
```