* [rppt:free-late/v0.3] [memblock, treewide] bbe3478393: KASAN:use-after-free_in_memblock_isolate_range
@ 2026-03-20 7:53 kernel test robot
From: kernel test robot @ 2026-03-20 7:53 UTC (permalink / raw)
To: Mike Rapoport; +Cc: oe-lkp, lkp, Mike Rapoport, oliver.sang
Hello,
kernel test robot noticed "KASAN:use-after-free_in_memblock_isolate_range" on:
commit: bbe3478393e135e2fc98f32fa8ab182de6742136 ("memblock, treewide: make memblock_free() handle late freeing")
https://git.kernel.org/cgit/linux/kernel/git/rppt/linux.git free-late/v0.3
in testcase: ltp
version:
with following parameters:
test: uevent
config: x86_64-rhel-9.4-ltp
compiler: gcc-14
test machine: 22 threads 1 sockets Intel(R) Core(TM) Ultra 9 185H @ 4.5GHz (Meteor Lake) with 32G memory
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202603200841.b2d24d21-lkp@intel.com
kern :err : [ 0.977424] [ T1] BUG: KASAN: use-after-free in memblock_isolate_range (mm/memblock.c:828)
kern :err : [ 0.977424] [ T1] Read of size 8 at addr ffff88887f3aa000 by task swapper/0/1
kern :err : [ 0.977424] [ T1] CPU: 5 UID: 0 PID: 1 Comm: swapper/0 Not tainted 7.0.0-rc3-00007-gbbe3478393e1 #1 PREEMPT(lazy)
kern :err : [ 0.977424] [ T1] Hardware name: ASUSTeK COMPUTER INC. NUC14RVS-B/NUC14RVSU9, BIOS RVMTL357.0047.2025.0108.1408 01/08/2025
kern :err : [ 0.977424] [ T1] Call Trace:
kern :err : [ 0.977424] [ T1] <TASK>
kern :err : [ 0.977424] [ T1] dump_stack_lvl (lib/dump_stack.c:122)
kern :err : [ 0.977424] [ T1] print_address_description+0x88/0x320
kern :err : [ 0.977424] [ T1] ? memblock_isolate_range (mm/memblock.c:828)
kern :err : [ 0.977424] [ T1] print_report (mm/kasan/report.c:483)
kern :err : [ 0.977424] [ T1] ? __virt_addr_valid (include/linux/mmzone.h:2114 (discriminator 1) include/linux/mmzone.h:2196 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))
kern :err : [ 0.977424] [ T1] ? memblock_isolate_range (mm/memblock.c:828)
kern :err : [ 0.977424] [ T1] kasan_report (mm/kasan/report.c:597)
kern :err : [ 0.977424] [ T1] ? memblock_isolate_range (mm/memblock.c:828)
kern :err : [ 0.977424] [ T1] memblock_isolate_range (mm/memblock.c:828)
kern :err : [ 0.977424] [ T1] memblock_phys_free (mm/memblock.c:875 mm/memblock.c:991)
kern :err : [ 0.977424] [ T1] ? __cpuhp_setup_state_cpuslocked (kernel/cpu.c:2522)
kern :err : [ 0.977424] [ T1] ? __pfx_memblock_phys_free (mm/memblock.c:981)
kern :err : [ 0.977424] [ T1] ? __pfx_buffer_exit_cpu_dead (fs/buffer.c:3051)
kern :err : [ 0.977424] [ T1] ? __cpuhp_setup_state (kernel/cpu.c:2536)
kern :err : [ 0.977424] [ T1] ? buffer_init (fs/buffer.c:3162 (discriminator 1))
kern :err : [ 0.977424] [ T1] memblock_discard (mm/memblock.c:398)
kern :err : [ 0.977424] [ T1] page_alloc_init_late (include/linux/find.h:214 include/linux/nodemask.h:253 mm/mm_init.c:2345)
kern :err : [ 0.977424] [ T1] kernel_init_freeable (init/main.c:1475 init/main.c:1692)
kern :err : [ 0.977424] [ T1] ? __pfx_kernel_init_freeable (init/main.c:1664)
kern :err : [ 0.977424] [ T1] ? __pfx_schedule_timeout (kernel/time/sleep_timeout.c:62)
kern :err : [ 0.977424] [ T1] ? __pfx__raw_spin_lock_irq (kernel/locking/spinlock.c:169)
kern :err : [ 0.977424] [ T1] ? __pfx_kernel_init (init/main.c:1574)
kern :err : [ 0.977424] [ T1] ? __pfx_kernel_init (init/main.c:1574)
kern :err : [ 0.977424] [ T1] kernel_init (init/main.c:1584)
kern :err : [ 0.977424] [ T1] ? __pfx_kernel_init (init/main.c:1574)
kern :err : [ 0.977424] [ T1] ret_from_fork (arch/x86/kernel/process.c:164)
kern :err : [ 0.977424] [ T1] ? __pfx_ret_from_fork (arch/x86/kernel/process.c:153)
kern :err : [ 0.977424] [ T1] ? switch_fpu (arch/x86/include/asm/bitops.h:202 (discriminator 1) arch/x86/include/asm/bitops.h:232 (discriminator 1) include/asm-generic/bitops/instrumented-non-atomic.h:142 (discriminator 1) include/linux/thread_info.h:133 (discriminator 1) include/linux/sched.h:2064 (discriminator 1) arch/x86/include/asm/fpu/sched.h:34 (discriminator 1))
kern :err : [ 0.977424] [ T1] ? __switch_to (arch/x86/include/asm/cpufeature.h:101 arch/x86/kernel/process_64.c:377 arch/x86/kernel/process_64.c:665)
kern :err : [ 0.977424] [ T1] ? __pfx_kernel_init (init/main.c:1574)
kern :err : [ 0.977424] [ T1] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
kern :err : [ 0.977424] [ T1] </TASK>
kern :err : [ 0.977424] [ T1] The buggy address belongs to the physical page:
kern :warn : [ 0.977424] [ T1] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x87f3aa
kern :warn : [ 0.977424] [ T1] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
kern :warn : [ 0.977424] [ T1] raw: 0017ffffc0000000 ffff88880a4c7f30 ffffea0021fceac8 0000000000000000
kern :warn : [ 0.977424] [ T1] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
kern :warn : [ 0.977424] [ T1] page dumped because: kasan: bad access detected
kern :err : [ 0.977424] [ T1] Memory state around the buggy address:
kern :err : [ 0.977424] [ T1] ffff88887f3a9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
kern :err : [ 0.977424] [ T1] ffff88887f3a9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
kern :err : [ 0.977424] [ T1] >ffff88887f3aa000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
kern :err : [ 0.977424] [ T1] ^
kern :err : [ 0.977424] [ T1] ffff88887f3aa080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
kern :err : [ 0.977424] [ T1] ffff88887f3aa100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
kern :err : [ 0.977424] [ T1] ==================================================================
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20260320/202603200841.b2d24d21-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* Re: [rppt:free-late/v0.3] [memblock, treewide] bbe3478393: KASAN:use-after-free_in_memblock_isolate_range
From: Mike Rapoport @ 2026-03-20 13:32 UTC (permalink / raw)
To: kernel test robot; +Cc: oe-lkp, lkp
Hello,
On Fri, Mar 20, 2026 at 03:53:54PM +0800, kernel test robot wrote:
>
> Hello,
>
> kernel test robot noticed "KASAN:use-after-free_in_memblock_isolate_range" on:
>
> commit: bbe3478393e135e2fc98f32fa8ab182de6742136 ("memblock, treewide: make memblock_free() handle late freeing")
> https://git.kernel.org/cgit/linux/kernel/git/rppt/linux.git free-late/v0.3
>
> in testcase: ltp
> version:
> with following parameters:
>
> test: uevent
>
>
> config: x86_64-rhel-9.4-ltp
> compiler: gcc-14
> test machine: 22 threads 1 sockets Intel(R) Core(TM) Ultra 9 185H @ 4.5GHz (Meteor Lake) with 32G memory
>
> (please refer to attached dmesg/kmsg for entire log/backtrace)
>
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <oliver.sang@intel.com>
> | Closes: https://lore.kernel.org/oe-lkp/202603200841.b2d24d21-lkp@intel.com
Thanks for the report!
The patch below fixes the issue for me, I'd appreciate if you can verify it on your setup as well:
diff --git a/mm/memblock.c b/mm/memblock.c
index 780e70d4971a..3e21d6135789 100644
--- a/mm/memblock.c
+++ b/mm/memblock.c
@@ -985,15 +985,18 @@ void __init_memblock memblock_free(void *ptr, size_t size) int __init_memblock memblock_phys_free(phys_addr_t base, phys_addr_t size) { phys_addr_t end = base + size - 1; + int ret; memblock_dbg("%s: [%pa-%pa] %pS\n", __func__, &base, &end, (void *)_RET_IP_); kmemleak_free_part_phys(base, size); + ret = memblock_remove_range(&memblock.reserved, base, size); + if (slab_is_available()) __free_reserved_area(base, base + size, -1); - return memblock_remove_range(&memblock.reserved, base, size); + return ret; } int __init_memblock __memblock_reserve(phys_addr_t base, phys_addr_t size,
--
Sincerely yours,
Mike.
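Review bot: moving `ret = memblock_remove_range(&memblock.reserved, base, size);` ahead of the `slab_is_available()` / `__free_reserved_area()` call is the right ordering for the trace in the report (memblock_discard -> memblock_phys_free -> memblock_isolate_range reading at mm/memblock.c:828 after the pages are already poisoned), which is consistent with the range being freed being the backing storage of the reserved-region bookkeeping itself, so that bookkeeping must be updated before its pages go to the buddy allocator; but the new sequence ignores `ret` between the two steps. Since the result of memblock_remove_range() is propagated to callers, a failure is evidently possible, and in that case `__free_reserved_area()` still releases the pages while the region stays listed in memblock.reserved, leaving memblock and the page allocator with different views of that range. Suggest `if (ret) return ret;` before the `slab_is_available()` check, plus a one-line comment stating that the reserved list must be updated before the range is handed to the buddy allocator, because nothing in the function now records why the order matters and a later cleanup could easily swap it back.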
* Re: [rppt:free-late/v0.3] [memblock, treewide] bbe3478393: KASAN:use-after-free_in_memblock_isolate_range
From: Oliver Sang @ 2026-03-23 2:28 UTC (permalink / raw)
To: Mike Rapoport; +Cc: oe-lkp, lkp, oliver.sang
Hi, Mike,
On Fri, Mar 20, 2026 at 03:32:45PM +0200, Mike Rapoport wrote:
> Hello,
>
> On Fri, Mar 20, 2026 at 03:53:54PM +0800, kernel test robot wrote:
> >
> > Hello,
> >
> > kernel test robot noticed "KASAN:use-after-free_in_memblock_isolate_range" on:
> >
> > commit: bbe3478393e135e2fc98f32fa8ab182de6742136 ("memblock, treewide: make memblock_free() handle late freeing")
> > https://git.kernel.org/cgit/linux/kernel/git/rppt/linux.git free-late/v0.3
> >
> > in testcase: ltp
> > version:
> > with following parameters:
> >
> > test: uevent
> >
> >
> > config: x86_64-rhel-9.4-ltp
> > compiler: gcc-14
> > test machine: 22 threads 1 sockets Intel(R) Core(TM) Ultra 9 185H @ 4.5GHz (Meteor Lake) with 32G memory
> >
> > (please refer to attached dmesg/kmsg for entire log/backtrace)
> >
> >
> > If you fix the issue in a separate patch/commit (i.e. not just a new version of
> > the same patch/commit), kindly add following tags
> > | Reported-by: kernel test robot <oliver.sang@intel.com>
> > | Closes: https://lore.kernel.org/oe-lkp/202603200841.b2d24d21-lkp@intel.com
>
> Thanks for the report!
>
> The patch below fixes the issue for me, I'd appreciate if you can verify it
> on your setup as well:
Yes, the patch below fixes the issue we reported, with the same test. Thanks.
Tested-by: kernel test robot <oliver.sang@intel.com>
>
>
> diff --git a/mm/memblock.c b/mm/memblock.c
> index 780e70d4971a..3e21d6135789 100644
> --- a/mm/memblock.c
> +++ b/mm/memblock.c
> @@ -985,15 +985,18 @@ void __init_memblock memblock_free(void *ptr, size_t size) > int __init_memblock memblock_phys_free(phys_addr_t base, phys_addr_t size) > { > phys_addr_t end = base + size - 1; > + int ret; > > memblock_dbg("%s: [%pa-%pa] %pS\n", __func__, > &base, &end, (void *)_RET_IP_); > > kmemleak_free_part_phys(base, size); > + ret = memblock_remove_range(&memblock.reserved, base, size); > + > if (slab_is_available()) > __free_reserved_area(base, base + size, -1); > > - return memblock_remove_range(&memblock.reserved, base, size); > + return ret; > } > > int __init_memblock __memblock_reserve(phys_addr_t base, phys_addr_t size, > > -- > Sincerely yours, > Mike. >