Hay
Sign in
Date
July 11, 2025, 10:11 a.m.

Environment
e850-96
qemu-arm64
qemu-x86_64 

[   38.943837] ==================================================================
[   38.958235] BUG: KASAN: use-after-free in page_alloc_uaf+0x328/0x350
[   38.964566] Read of size 1 at addr ffff0008084e0000 by task kunit_try_catch/238
[   38.971857] 
[   38.973346] CPU: 5 UID: 0 PID: 238 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250711 #1 PREEMPT 
[   38.973406] Tainted: [B]=BAD_PAGE, [N]=TEST
[   38.973421] Hardware name: WinLink E850-96 board (DT)
[   38.973442] Call trace:
[   38.973455]  show_stack+0x20/0x38 (C)
[   38.973492]  dump_stack_lvl+0x8c/0xd0
[   38.973525]  print_report+0x118/0x5d0
[   38.973553]  kasan_report+0xdc/0x128
[   38.973580]  __asan_report_load1_noabort+0x20/0x30
[   38.973613]  page_alloc_uaf+0x328/0x350
[   38.973646]  kunit_try_run_case+0x170/0x3f0
[   38.973684]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   38.973718]  kthread+0x328/0x630
[   38.973748]  ret_from_fork+0x10/0x20
[   38.973782] 
[   39.037049] The buggy address belongs to the physical page:
[   39.042606] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8884e0
[   39.050592] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   39.057100] page_type: f0(buddy)
[   39.060322] raw: 0bfffe0000000000 ffff00087f61bd08 ffff00087f61bd08 0000000000000000
[   39.068042] raw: 0000000000000000 0000000000000005 00000000f0000000 0000000000000000
[   39.075762] page dumped because: kasan: bad access detected
[   39.081317] 
[   39.082792] Memory state around the buggy address:
[   39.087572]  ffff0008084dff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   39.094775]  ffff0008084dff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   39.101982] >ffff0008084e0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   39.109181]                    ^
[   39.112396]  ffff0008084e0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   39.119601]  ffff0008084e0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   39.126805] ==================================================================
Metadata Full log Test run details 

[   30.157464] ==================================================================
[   30.157590] BUG: KASAN: use-after-free in page_alloc_uaf+0x328/0x350
[   30.157661] Read of size 1 at addr fff00000c9aa0000 by task kunit_try_catch/185
[   30.157720] 
[   30.157760] CPU: 1 UID: 0 PID: 185 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250711 #1 PREEMPT 
[   30.158061] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.158175] Hardware name: linux,dummy-virt (DT)
[   30.158286] Call trace:
[   30.158435]  show_stack+0x20/0x38 (C)
[   30.158594]  dump_stack_lvl+0x8c/0xd0
[   30.158673]  print_report+0x118/0x5d0
[   30.158782]  kasan_report+0xdc/0x128
[   30.158881]  __asan_report_load1_noabort+0x20/0x30
[   30.159154]  page_alloc_uaf+0x328/0x350
[   30.159282]  kunit_try_run_case+0x170/0x3f0
[   30.159386]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.159525]  kthread+0x328/0x630
[   30.159621]  ret_from_fork+0x10/0x20
[   30.159982] 
[   30.160030] The buggy address belongs to the physical page:
[   30.160168] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109aa0
[   30.160282] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   30.160351] page_type: f0(buddy)
[   30.160546] raw: 0bfffe0000000000 fff00000ff616148 fff00000ff616148 0000000000000000
[   30.160636] raw: 0000000000000000 0000000000000005 00000000f0000000 0000000000000000
[   30.160749] page dumped because: kasan: bad access detected
[   30.160809] 
[   30.160928] Memory state around the buggy address:
[   30.160966]  fff00000c9a9ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.161041]  fff00000c9a9ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.161280] >fff00000c9aa0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.161458]                    ^
[   30.161515]  fff00000c9aa0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.161592]  fff00000c9aa0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.161670] ==================================================================
Metadata Full log Test run details 

[   23.315432] ==================================================================
[   23.316055] BUG: KASAN: use-after-free in page_alloc_uaf+0x356/0x3d0
[   23.316335] Read of size 1 at addr ffff888102bd0000 by task kunit_try_catch/204
[   23.316933] 
[   23.317052] CPU: 0 UID: 0 PID: 204 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc5-next-20250711 #1 PREEMPT(voluntary) 
[   23.317118] Tainted: [B]=BAD_PAGE, [N]=TEST
[   23.317130] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   23.317152] Call Trace:
[   23.317166]  <TASK>
[   23.317185]  dump_stack_lvl+0x73/0xb0
[   23.317226]  print_report+0xd1/0x610
[   23.317248]  ? __virt_addr_valid+0x1db/0x2d0
[   23.317273]  ? page_alloc_uaf+0x356/0x3d0
[   23.317305]  ? kasan_addr_to_slab+0x11/0xa0
[   23.317325]  ? page_alloc_uaf+0x356/0x3d0
[   23.317346]  kasan_report+0x141/0x180
[   23.317368]  ? page_alloc_uaf+0x356/0x3d0
[   23.317394]  __asan_report_load1_noabort+0x18/0x20
[   23.317417]  page_alloc_uaf+0x356/0x3d0
[   23.317492]  ? __pfx_page_alloc_uaf+0x10/0x10
[   23.317520]  ? __schedule+0x10cc/0x2b60
[   23.317543]  ? __pfx_read_tsc+0x10/0x10
[   23.317590]  ? ktime_get_ts64+0x86/0x230
[   23.317616]  kunit_try_run_case+0x1a5/0x480
[   23.317647]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.317668]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   23.317691]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   23.317715]  ? __kthread_parkme+0x82/0x180
[   23.317746]  ? preempt_count_sub+0x50/0x80
[   23.317770]  ? __pfx_kunit_try_run_case+0x10/0x10
[   23.317792]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   23.317816]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   23.317841]  kthread+0x337/0x6f0
[   23.317861]  ? trace_preempt_on+0x20/0xc0
[   23.317884]  ? __pfx_kthread+0x10/0x10
[   23.317904]  ? _raw_spin_unlock_irq+0x47/0x80
[   23.317925]  ? calculate_sigpending+0x7b/0xa0
[   23.317950]  ? __pfx_kthread+0x10/0x10
[   23.317971]  ret_from_fork+0x116/0x1d0
[   23.317990]  ? __pfx_kthread+0x10/0x10
[   23.318011]  ret_from_fork_asm+0x1a/0x30
[   23.318042]  </TASK>
[   23.318054] 
[   23.326697] The buggy address belongs to the physical page:
[   23.326969] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102bd0
[   23.328953] flags: 0x200000000000000(node=0|zone=2)
[   23.329320] page_type: f0(buddy)
[   23.329444] raw: 0200000000000000 ffff88817fffc460 ffff88817fffc460 0000000000000000
[   23.329667] raw: 0000000000000000 0000000000000004 00000000f0000000 0000000000000000
[   23.330031] page dumped because: kasan: bad access detected
[   23.330230] 
[   23.330356] Memory state around the buggy address:
[   23.330627]  ffff888102bcff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   23.330978]  ffff888102bcff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   23.331288] >ffff888102bd0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   23.331493]                    ^
[   23.332450]  ffff888102bd0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   23.332670]  ffff888102bd0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   23.333001] ==================================================================
Metadata Full log Test run details