* [rppt:free-late/v0.3] [memblock, treewide] bbe3478393: KASAN:use-after-free_in_memblock_isolate_range
From: kernel test robot @ 2026-03-20 7:53 UTC (permalink / raw)
To: Mike Rapoport; +Cc: oe-lkp, lkp, Mike Rapoport, oliver.sang
Hello,
kernel test robot noticed "KASAN:use-after-free_in_memblock_isolate_range" on:
commit: bbe3478393e135e2fc98f32fa8ab182de6742136 ("memblock, treewide: make memblock_free() handle late freeing")
https://git.kernel.org/cgit/linux/kernel/git/rppt/linux.git free-late/v0.3
in testcase: ltp
version:
with following parameters:
test: uevent
config: x86_64-rhel-9.4-ltp
compiler: gcc-14
test machine: 22 threads 1 sockets Intel(R) Core(TM) Ultra 9 185H @ 4.5GHz (Meteor Lake) with 32G memory
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202603200841.b2d24d21-lkp@intel.com
kern :err : [ 0.977424] [ T1] BUG: KASAN: use-after-free in memblock_isolate_range (mm/memblock.c:828)
kern :err : [ 0.977424] [ T1] Read of size 8 at addr ffff88887f3aa000 by task swapper/0/1
kern :err : [ 0.977424] [ T1] CPU: 5 UID: 0 PID: 1 Comm: swapper/0 Not tainted 7.0.0-rc3-00007-gbbe3478393e1 #1 PREEMPT(lazy)
kern :err : [ 0.977424] [ T1] Hardware name: ASUSTeK COMPUTER INC. NUC14RVS-B/NUC14RVSU9, BIOS RVMTL357.0047.2025.0108.1408 01/08/2025
kern :err : [ 0.977424] [ T1] Call Trace:
kern :err : [ 0.977424] [ T1] <TASK>
kern :err : [ 0.977424] [ T1] dump_stack_lvl (lib/dump_stack.c:122)
kern :err : [ 0.977424] [ T1] print_address_description+0x88/0x320
kern :err : [ 0.977424] [ T1] ? memblock_isolate_range (mm/memblock.c:828)
kern :err : [ 0.977424] [ T1] print_report (mm/kasan/report.c:483)
kern :err : [ 0.977424] [ T1] ? __virt_addr_valid (include/linux/mmzone.h:2114 (discriminator 1) include/linux/mmzone.h:2196 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))
kern :err : [ 0.977424] [ T1] ? memblock_isolate_range (mm/memblock.c:828)
kern :err : [ 0.977424] [ T1] kasan_report (mm/kasan/report.c:597)
kern :err : [ 0.977424] [ T1] ? memblock_isolate_range (mm/memblock.c:828)
kern :err : [ 0.977424] [ T1] memblock_isolate_range (mm/memblock.c:828)
kern :err : [ 0.977424] [ T1] memblock_phys_free (mm/memblock.c:875 mm/memblock.c:991)
kern :err : [ 0.977424] [ T1] ? __cpuhp_setup_state_cpuslocked (kernel/cpu.c:2522)
kern :err : [ 0.977424] [ T1] ? __pfx_memblock_phys_free (mm/memblock.c:981)
kern :err : [ 0.977424] [ T1] ? __pfx_buffer_exit_cpu_dead (fs/buffer.c:3051)
kern :err : [ 0.977424] [ T1] ? __cpuhp_setup_state (kernel/cpu.c:2536)
kern :err : [ 0.977424] [ T1] ? buffer_init (fs/buffer.c:3162 (discriminator 1))
kern :err : [ 0.977424] [ T1] memblock_discard (mm/memblock.c:398)
kern :err : [ 0.977424] [ T1] page_alloc_init_late (include/linux/find.h:214 include/linux/nodemask.h:253 mm/mm_init.c:2345)
kern :err : [ 0.977424] [ T1] kernel_init_freeable (init/main.c:1475 init/main.c:1692)
kern :err : [ 0.977424] [ T1] ? __pfx_kernel_init_freeable (init/main.c:1664)
kern :err : [ 0.977424] [ T1] ? __pfx_schedule_timeout (kernel/time/sleep_timeout.c:62)
kern :err : [ 0.977424] [ T1] ? __pfx__raw_spin_lock_irq (kernel/locking/spinlock.c:169)
kern :err : [ 0.977424] [ T1] ? __pfx_kernel_init (init/main.c:1574)
kern :err : [ 0.977424] [ T1] ? __pfx_kernel_init (init/main.c:1574)
kern :err : [ 0.977424] [ T1] kernel_init (init/main.c:1584)
kern :err : [ 0.977424] [ T1] ? __pfx_kernel_init (init/main.c:1574)
kern :err : [ 0.977424] [ T1] ret_from_fork (arch/x86/kernel/process.c:164)
kern :err : [ 0.977424] [ T1] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
kern :err : [ 0.977424] [ T1] ? switch_fpu (arch/x86/include/asm/bitops.h:202 (discriminator 1) arch/x86/include/asm/bitops.h:232 (discriminator 1) include/asm-generic/bitops/instrumented-non-atomic.h:142 (discriminator 1) include/linux/thread_info.h:133 (discriminator 1) include/linux/sched.h:2064 (discriminator 1) arch/x86/include/asm/fpu/sched.h:34 (discriminator 1))
kern :err : [ 0.977424] [ T1] ? __switch_to (arch/x86/include/asm/cpufeature.h:101 arch/x86/kernel/process_64.c:377 arch/x86/kernel/process_64.c:665)
kern :err : [ 0.977424] [ T1] ? __pfx_kernel_init (init/main.c:1574)
kern :err : [ 0.977424] [ T1] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
kern :err : [ 0.977424] [ T1] </TASK>
kern :err : [ 0.977424] [ T1] The buggy address belongs to the physical page:
kern :warn : [ 0.977424] [ T1] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x87f3aa
kern :warn : [ 0.977424] [ T1] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
kern :warn : [ 0.977424] [ T1] raw: 0017ffffc0000000 ffff88880a4c7f30 ffffea0021fceac8 0000000000000000
kern :warn : [ 0.977424] [ T1] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
kern :warn : [ 0.977424] [ T1] page dumped because: kasan: bad access detected
kern :err : [ 0.977424] [ T1] Memory state around the buggy address:
kern :err : [ 0.977424] [ T1] ffff88887f3a9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
kern :err : [ 0.977424] [ T1] ffff88887f3a9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
kern :err : [ 0.977424] [ T1] >ffff88887f3aa000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
kern :err : [ 0.977424] [ T1] ^
kern :err : [ 0.977424] [ T1] ffff88887f3aa080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
kern :err : [ 0.977424] [ T1] ffff88887f3aa100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
kern :err : [ 0.977424] [ T1] ==================================================================
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20260320/202603200841.b2d24d21-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* Re: [rppt:free-late/v0.3] [memblock, treewide] bbe3478393: KASAN:use-after-free_in_memblock_isolate_range
From: Mike Rapoport @ 2026-03-20 13:32 UTC (permalink / raw)
To: kernel test robot; +Cc: oe-lkp, lkp
Hello,
On Fri, Mar 20, 2026 at 03:53:54PM +0800, kernel test robot wrote:
>
> Hello,
>
> kernel test robot noticed "KASAN:use-after-free_in_memblock_isolate_range" on:
>
> commit: bbe3478393e135e2fc98f32fa8ab182de6742136 ("memblock, treewide: make memblock_free() handle late freeing")
> https://git.kernel.org/cgit/linux/kernel/git/rppt/linux.git free-late/v0.3
>
> in testcase: ltp
> version:
> with following parameters:
>
> test: uevent
>
>
> config: x86_64-rhel-9.4-ltp
> compiler: gcc-14
> test machine: 22 threads 1 sockets Intel(R) Core(TM) Ultra 9 185H @ 4.5GHz (Meteor Lake) with 32G memory
>
> (please refer to attached dmesg/kmsg for entire log/backtrace)
>
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <oliver.sang@intel.com>
> | Closes: https://lore.kernel.org/oe-lkp/202603200841.b2d24d21-lkp@intel.com
Thanks for the report!
The patch below fixes the issue for me, I'd appreciate if you can verify it
on your setup as well:
diff --git a/mm/memblock.c b/mm/memblock.c
index 780e70d4971a..3e21d6135789 100644
--- a/mm/memblock.c
+++ b/mm/memblock.c
@@ -985,15 +985,18 @@ void __init_memblock memblock_free(void *ptr, size_t size)
int __init_memblock memblock_phys_free(phys_addr_t base, phys_addr_t size)
{
phys_addr_t end = base + size - 1;
+ int ret;
memblock_dbg("%s: [%pa-%pa] %pS\n", __func__,
&base, &end, (void *)_RET_IP_);
kmemleak_free_part_phys(base, size);
+ ret = memblock_remove_range(&memblock.reserved, base, size);
+
if (slab_is_available())
__free_reserved_area(base, base + size, -1);
- return memblock_remove_range(&memblock.reserved, base, size);
+ return ret;
}
int __init_memblock __memblock_reserve(phys_addr_t base, phys_addr_t size,
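Review bot: the reorder is the whole fix, but nothing in the hunk records why the order matters, so a one-line comment above "ret = memblock_remove_range(&memblock.reserved, base, size);" would keep a later cleanup from swapping the two calls back. The reason is that the reserved table must be updated while its backing pages are still owned by memblock: once slab is available, __free_reserved_area() hands the range to the page allocator, and the report's backtrace (memblock_discard -> memblock_phys_free -> memblock_isolate_range, with KASAN flagging a page at refcount:0) shows that on the memblock_discard() path the range being freed is the memblock.reserved regions array that memblock_isolate_range() then walks, which is exactly the use-after-free. A second point in the same hunk: memblock_remove_range() can fail and its result is now only parked in ret, yet __free_reserved_area() still runs unconditionally, so on an error the pages are returned to the page allocator while memblock.reserved still lists them as reserved. Either bail out with "if (ret) return ret;" before the slab_is_available() check, or state in a comment that the inconsistency is accepted on that error path.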
--
Sincerely yours,
Mike.
* Re: [rppt:free-late/v0.3] [memblock, treewide] bbe3478393: KASAN:use-after-free_in_memblock_isolate_range
From: Oliver Sang @ 2026-03-23 2:28 UTC (permalink / raw)
To: Mike Rapoport; +Cc: oe-lkp, lkp, oliver.sang
hi, Mike,
On Fri, Mar 20, 2026 at 03:32:45PM +0200, Mike Rapoport wrote:
> Hello,
>
> On Fri, Mar 20, 2026 at 03:53:54PM +0800, kernel test robot wrote:
> >
> > Hello,
> >
> > kernel test robot noticed "KASAN:use-after-free_in_memblock_isolate_range" on:
> >
> > commit: bbe3478393e135e2fc98f32fa8ab182de6742136 ("memblock, treewide: make memblock_free() handle late freeing")
> > https://git.kernel.org/cgit/linux/kernel/git/rppt/linux.git free-late/v0.3
> >
> > in testcase: ltp
> > version:
> > with following parameters:
> >
> > test: uevent
> >
> >
> > config: x86_64-rhel-9.4-ltp
> > compiler: gcc-14
> > test machine: 22 threads 1 sockets Intel(R) Core(TM) Ultra 9 185H @ 4.5GHz (Meteor Lake) with 32G memory
> >
> > (please refer to attached dmesg/kmsg for entire log/backtrace)
> >
> >
> > If you fix the issue in a separate patch/commit (i.e. not just a new version of
> > the same patch/commit), kindly add following tags
> > | Reported-by: kernel test robot <oliver.sang@intel.com>
> > | Closes: https://lore.kernel.org/oe-lkp/202603200841.b2d24d21-lkp@intel.com
>
> Thanks for the report!
>
> The patch below fixes the issue for me, I'd appreciate if you can verify it
> on your setup as well:
yes, the patch below fixes the issue we reported, verified with the same test. thanks
Tested-by: kernel test robot <oliver.sang@intel.com>
>
>
> diff --git a/mm/memblock.c b/mm/memblock.c
> index 780e70d4971a..3e21d6135789 100644
> --- a/mm/memblock.c
> +++ b/mm/memblock.c
> @@ -985,15 +985,18 @@ void __init_memblock memblock_free(void *ptr, size_t size)
> int __init_memblock memblock_phys_free(phys_addr_t base, phys_addr_t size)
> {
> phys_addr_t end = base + size - 1;
> + int ret;
>
> memblock_dbg("%s: [%pa-%pa] %pS\n", __func__,
> &base, &end, (void *)_RET_IP_);
>
> kmemleak_free_part_phys(base, size);
> + ret = memblock_remove_range(&memblock.reserved, base, size);
> +
> if (slab_is_available())
> __free_reserved_area(base, base + size, -1);
>
> - return memblock_remove_range(&memblock.reserved, base, size);
> + return ret;
> }
>
> int __init_memblock __memblock_reserve(phys_addr_t base, phys_addr_t size,
>
> --
> Sincerely yours,
> Mike.
>