Hay
Sign in
Date
July 23, 2025, 3:10 a.m.

Environment
qemu-arm64
qemu-x86_64 

[   30.158508] ==================================================================
[   30.158567] BUG: KASAN: use-after-free in page_alloc_uaf+0x328/0x350
[   30.158884] Read of size 1 at addr fff00000c9b10000 by task kunit_try_catch/187
[   30.158949] 
[   30.158982] CPU: 0 UID: 0 PID: 187 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7-next-20250723 #1 PREEMPT 
[   30.159064] Tainted: [B]=BAD_PAGE, [N]=TEST
[   30.159101] Hardware name: linux,dummy-virt (DT)
[   30.159206] Call trace:
[   30.159309]  show_stack+0x20/0x38 (C)
[   30.159367]  dump_stack_lvl+0x8c/0xd0
[   30.159700]  print_report+0x118/0x5e8
[   30.159791]  kasan_report+0xdc/0x128
[   30.159834]  __asan_report_load1_noabort+0x20/0x30
[   30.159881]  page_alloc_uaf+0x328/0x350
[   30.159937]  kunit_try_run_case+0x170/0x3f0
[   30.159994]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   30.160078]  kthread+0x328/0x630
[   30.160119]  ret_from_fork+0x10/0x20
[   30.160166] 
[   30.160185] The buggy address belongs to the physical page:
[   30.160249] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109b10
[   30.160357] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   30.160434] page_type: f0(buddy)
[   30.160670] raw: 0bfffe0000000000 fff00000ff6160e0 fff00000ff6160e0 0000000000000000
[   30.160838] raw: 0000000000000000 0000000000000004 00000000f0000000 0000000000000000
[   30.160917] page dumped because: kasan: bad access detected
[   30.160946] 
[   30.160964] Memory state around the buggy address:
[   30.161005]  fff00000c9b0ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.161048]  fff00000c9b0ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.161088] >fff00000c9b10000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.161376]                    ^
[   30.161415]  fff00000c9b10080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.161543]  fff00000c9b10100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   30.161580] ==================================================================
Metadata Full log Test run details 

[   24.658548] ==================================================================
[   24.659205] BUG: KASAN: use-after-free in page_alloc_uaf+0x356/0x3d0
[   24.659640] Read of size 1 at addr ffff8881061f0000 by task kunit_try_catch/203
[   24.659913] 
[   24.660246] CPU: 1 UID: 0 PID: 203 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc7-next-20250723 #1 PREEMPT(voluntary) 
[   24.660307] Tainted: [B]=BAD_PAGE, [N]=TEST
[   24.660321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   24.660343] Call Trace:
[   24.660357]  <TASK>
[   24.660376]  dump_stack_lvl+0x73/0xb0
[   24.660409]  print_report+0xd1/0x640
[   24.660690]  ? __virt_addr_valid+0x1db/0x2d0
[   24.660804]  ? page_alloc_uaf+0x356/0x3d0
[   24.660827]  ? kasan_addr_to_slab+0x11/0xa0
[   24.660848]  ? page_alloc_uaf+0x356/0x3d0
[   24.660870]  kasan_report+0x141/0x180
[   24.660892]  ? page_alloc_uaf+0x356/0x3d0
[   24.660918]  __asan_report_load1_noabort+0x18/0x20
[   24.660956]  page_alloc_uaf+0x356/0x3d0
[   24.660978]  ? __pfx_page_alloc_uaf+0x10/0x10
[   24.661000]  ? __schedule+0x10da/0x2b60
[   24.661026]  ? __pfx_read_tsc+0x10/0x10
[   24.661048]  ? ktime_get_ts64+0x86/0x230
[   24.661073]  kunit_try_run_case+0x1a5/0x480
[   24.661100]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.661122]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   24.661158]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   24.661183]  ? __kthread_parkme+0x82/0x180
[   24.661203]  ? preempt_count_sub+0x50/0x80
[   24.661226]  ? __pfx_kunit_try_run_case+0x10/0x10
[   24.661249]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   24.661273]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   24.661295]  kthread+0x337/0x6f0
[   24.661315]  ? trace_preempt_on+0x20/0xc0
[   24.661340]  ? __pfx_kthread+0x10/0x10
[   24.661360]  ? _raw_spin_unlock_irq+0x47/0x80
[   24.661384]  ? calculate_sigpending+0x7b/0xa0
[   24.661407]  ? __pfx_kthread+0x10/0x10
[   24.661429]  ret_from_fork+0x116/0x1d0
[   24.661449]  ? __pfx_kthread+0x10/0x10
[   24.661469]  ret_from_fork_asm+0x1a/0x30
[   24.661501]  </TASK>
[   24.661512] 
[   24.674961] The buggy address belongs to the physical page:
[   24.675639] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1061f0
[   24.675915] flags: 0x200000000000000(node=0|zone=2)
[   24.676084] page_type: f0(buddy)
[   24.676222] raw: 0200000000000000 ffff88817fffb460 ffff88817fffb460 0000000000000000
[   24.676708] raw: 0000000000000000 0000000000000004 00000000f0000000 0000000000000000
[   24.677376] page dumped because: kasan: bad access detected
[   24.677874] 
[   24.678064] Memory state around the buggy address:
[   24.678709]  ffff8881061eff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.679545]  ffff8881061eff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.680275] >ffff8881061f0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.680695]                    ^
[   24.681100]  ffff8881061f0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.681625]  ffff8881061f0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.682101] ==================================================================
Metadata Full log Test run details