lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <6065525d47bf338646d53182b9bbc4a25ccfda82.camel@mediatek.com>
Date: Mon, 4 Aug 2025 14:03:09 +0000
From: Qun-wei Lin (林群崴) <Qun-wei.Lin@...iatek.com>
To: "linux-arm-kernel@...ts.infradead.org"
	<linux-arm-kernel@...ts.infradead.org>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>
CC: "akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
	Andrew Yang (楊智強) <Andrew.Yang@...iatek.com>,
	Chinwen Chang (張錦文)
	<chinwen.chang@...iatek.com>, Casper Li (李中榮)
	<casper.li@...iatek.com>, "andreyknvl@...gle.com" <andreyknvl@...gle.com>,
	"catalin.marinas@....com" <catalin.marinas@....com>, "dvyukov@...gle.com"
	<dvyukov@...gle.com>, "vincenzo.frascino@....com" <vincenzo.frascino@....com>
Subject: [BUG] arm64: KASAN + KASLR may cause reserved page to be released
 during module loading

Hi,
 
We have encountered a kernel panic on arm64 when loading modules with
both KASAN and KASLR enabled.
 
Kernel version:
6.12
(also reproducible on 6.6-based Android common kernel)
 
Config:
CONFIG_KASAN=y
CONFIG_KASAN_GENERIC=y
CONFIG_KASAN_VMALLOC=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_RANDOMIZE_MODULE_REGION_FULL is not set
 
Reproducible:
~50% of the time, when loading any module with Generic KASAN + KASLR
enabled.
 
The kernel panic log is as follows:
[    7.509660][T00400000001] init: init 6: Loading module
/lib/modules/panel-truly-nt35595-cmd.ko withargs ''
[    7.519549][T00400000079] kworker/4:1: BUG: Bad page state in
processkworker/4:1  pfn:37ddf4
[    7.520776][T00400000079] kworker/4:1: page: refcount:0 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0x37ddf4
[    7.521470][T00200000001] init: init 6: Loaded kernel module
/lib/modules/panel-truly-nt35595-cmd.ko
[    7.522212][T00400000079] kworker/4:1: flags:
0x4000000000004000(reserved|zone=1)
[    7.523750][T00200000001] init: init 6: Loading module
/lib/modules/panel-alpha-jdi-nt36672e-vdo-60hz.ko withargs ''
[    7.524512][T00400000079] kworker/4:1: raw: 4000000000004000
fffffffecbf77d08fffffffecbf77d08 0000000000000000
[    7.527422][T00400000079] kworker/4:1: raw: 0000000000000000
0000000000000000 00000000ffffffff 0000000000000000
[    7.528845][T00400000079] kworker/4:1: page dumped because:
PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[    7.530066][T00400000079] kworker/4:1: page_owner info is not
present (never set?)
[    7.531117][T00400000079] kworker/4:1: Modules linked in:
panel_truly_nt35595_cmd(OE) panel_nt37801_cmd_spr(OE)
panel_nt37801_cmd_120hz(OE)
[    7.560646][T00400000079] kworker/4:1: CPU: 4 UID: 0 PID: 79
Comm:kworker/4:1 Tainted: G          OE      6.12.23-android16-5-
g1e57f0e5996f-4k #1 eee834a579887c0f97d696d30c786233f4fbfcdf
[    7.560662][T00400000079] kworker/4:1: Tainted: [O]=OOT_MODULE,
[E]=UNSIGNED_MODULE
[    7.560666][T00400000079] kworker/4:1: Hardware name: MT6993(ENG)
(DT)
[    7.560671][T00400000079] kworker/4:1: Workqueue: events
do_free_init
[    7.560696][T00400000079] kworker/4:1: Call trace:
[    7.560700][T00400000079] kworker/4:1: dump_backtrace+0xf8/0x174
[    7.560714][T00400000079] kworker/4:1: show_stack+0x18/0x24
[    7.560720][T00400000079] kworker/4:1: dump_stack_lvl+0x40/0x9c
[    7.560738][T00400000079] kworker/4:1: dump_stack+0x18/0x24
[    7.560747][T00400000079] kworker/4:1: bad_page+0x194/0x1d0
[    7.560763][T00400000079]
kworker/4:1: free_page_is_bad_report+0x128/0x1ac
[    7.560772][T00400000079] kworker/4:1: free_unref_page+0xb78/0xc70
[    7.560782][T00400000079] kworker/4:1: __free_pages+0xec/0x400
[    7.560790][T00400000079] kworker/4:1: free_pages+0x2c/0x38
[    7.560798][T00400000079]
kworker/4:1: kasan_depopulate_vmalloc_pte+0x90/0xf8
[    7.560809][T00400000079]
kworker/4:1: __apply_to_page_range+0x4a8/0x5bc
[    7.560828][T00400000079]
kworker/4:1: apply_to_existing_page_range+0x14/0x20
[    7.560836][T00400000079]
kworker/4:1: kasan_release_vmalloc+0xa0/0x118
[    7.560842][T00400000079] kworker/4:1: purge_vmap_node+0x1cc/0x76c
[    7.560849][T00400000079]
kworker/4:1: __purge_vmap_area_lazy+0x5b8/0x820
[    7.560856][T00400000079] kworker/4:1: _vm_unmap_aliases+0x71c/0x7f0
[    7.560862][T00400000079] kworker/4:1: vm_reset_perms+0x200/0x2d8
[    7.560867][T00400000079] kworker/4:1: vfree+0x3d0/0x464
[    7.560873][T00400000079] kworker/4:1: execmem_free+0x4c/0x80
[    7.560884][T00400000079] kworker/4:1: do_free_init+0xbc/0xe8
[    7.560889][T00400000079]
kworker/4:1: process_scheduled_works+0x640/0xf80
[    7.560900][T00400000079] kworker/4:1: worker_thread+0x980/0xd1c
[    7.560907][T00400000079] kworker/4:1: kthread+0x2bc/0x494
[    7.560914][T00400000079] kworker/4:1: ret_from_fork+0x10/0x20
[    7.560924][T00400000079] kworker/4:1: Disabling lock debugging due
to kernel taint
[    7.588464][T00400000079] kworker/4:1: Kernel panic - not
syncing:panic_on_taint set ...
[    7.589603][T00400000079] kworker/4:1: CPU: 4 UID: 0 PID: 79
Comm:kworker/4:1 Tainted: G   B      OE     6.12.23-android16-5-
g1e57f0e5996f-4k #1 eee834a579887c0f97d696d30c786233f4fbfcdf
[    7.591913][T00400000079] kworker/4:1: Tainted: [B]=BAD_PAGE,
[O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[    7.593137][T00400000079] kworker/4:1: Hardware name: MT6993(ENG)
(DT)
[    7.594039][T00400000079] kworker/4:1: Workqueue: events
do_free_init
[    7.594937][T00400000079] kworker/4:1: Call trace:
[    7.595598][T00400000079] kworker/4:1: dump_backtrace+0xf8/0x174
[    7.596437][T00400000079] kworker/4:1: show_stack+0x18/0x24
[    7.597226][T00400000079] kworker/4:1: dump_stack_lvl+0x40/0x9c
[    7.598059][T00400000079] kworker/4:1: dump_stack+0x18/0x24
[    7.598849][T00400000079] kworker/4:1: panic+0x228/0x568
[    7.599600][T00400000079] kworker/4:1: add_taint+0xc8/0xe0
[    7.600376][T00400000079] kworker/4:1: bad_page+0xbc/0x1d0
[    7.601158][T00400000079]
kworker/4:1: free_page_is_bad_report+0x128/0x1ac
[    7.602127][T00400000079] kworker/4:1: free_unref_page+0xb78/0xc70
[    7.602996][T00400000079] kworker/4:1: __free_pages+0xec/0x400
[    7.603815][T00400000079] kworker/4:1: free_pages+0x2c/0x38
[    7.604602][T00400000079]
kworker/4:1: kasan_depopulate_vmalloc_pte+0x90/0xf8
[    7.605605][T00400000079]
kworker/4:1: __apply_to_page_range+0x4a8/0x5bc
[    7.606545][T00400000079]
kworker/4:1: apply_to_existing_page_range+0x14/0x20
[    7.607546][T00400000079]
kworker/4:1: kasan_release_vmalloc+0xa0/0x118
[    7.608472][T00400000079] kworker/4:1: purge_vmap_node+0x1cc/0x76c
[    7.609341][T00400000079]
kworker/4:1: __purge_vmap_area_lazy+0x5b8/0x820
[    7.610292][T00400000079]
kworker/4:1: _vm_unmap_aliases+0x71c/000000079] kworker/4:1: CPU
features: 0x0000000,00000014,0613e92c,437e7607
[    7.622275][T00400000079] kworker/4:1: Memory Limit: none
[    7.674062][T00400000079] kworker/4:1: Kernel Offset: 0x1ce7200000
from 0xffffffc080000000
[    7.675208][T00400000079] kworker/4:1: PHYS_OFFSET: 0x80000000
 
If I disable KASLR, the issue does not occur.
 
We are not certain which specific patch introduced this issue, but we
have confirmed that it does not occur on the Android common kernel 6.1.
The problem was first observed after upgrading to 6.6-based kernels.
 
Any suggestions or guidance would be appreciated.
Thank you.

Best Regards,

林群崴 (Qun-wei Lin)
Qun-wei.Lin@...iatek.com
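A triage helper for the report above, added here as an example and not part of the mail: it parses the bad_page() lines (pfn, refcount, raw and decoded flags, reason, call trace) and locates the frame that handed the page to the allocator, which for this excerpt is kasan_depopulate_vmalloc_pte releasing a page still flagged reserved. The sample is the mail's own log, re-joined where the mail client wrapped it and trimmed to the relevant lines; the prefix format and frame pattern are assumptions about Android's dmesg output.

```python
import re
# Excerpt of the bad_page() report quoted above, re-joined where the mail wrapped it; "[ts][Tid] comm:" is Android's dmesg prefix.
SAMPLE_LOG = """\
[    7.519549][T00400000079] kworker/4:1: BUG: Bad page state in processkworker/4:1  pfn:37ddf4
[    7.520776][T00400000079] kworker/4:1: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37ddf4
[    7.522212][T00400000079] kworker/4:1: flags: 0x4000000000004000(reserved|zone=1)
[    7.528845][T00400000079] kworker/4:1: page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[    7.560696][T00400000079] kworker/4:1: Call trace:
[    7.560747][T00400000079] kworker/4:1: bad_page+0x194/0x1d0
[    7.560772][T00400000079] kworker/4:1: free_unref_page+0xb78/0xc70
[    7.560790][T00400000079] kworker/4:1: free_pages+0x2c/0x38
[    7.560798][T00400000079] kworker/4:1: kasan_depopulate_vmalloc_pte+0x90/0xf8
[    7.560884][T00400000079] kworker/4:1: do_free_init+0xbc/0xe8
"""
PREFIX = re.compile(r"^\[\s*[\d.]+\]\[T\d+\]\s+(\S+?):\s(.*)$")        # "[ts][Tid] comm: msg" (assumed format)
FRAME = re.compile(r"^([A-Za-z_$.][\w$.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # "func+0xoff/0xlen"
FLAGS = re.compile(r"^flags: (0x[0-9a-f]+)\(([^)]*)\)")                 # "flags: 0x...(a|b)"
# The page allocator's own free path: the frame right after the last of these released the page.
ALLOCATOR_FREE = {"bad_page", "free_page_is_bad_report", "free_unref_page", "__free_pages", "free_pages"}

def parse_bad_page(log: str) -> dict:
    """Parse one bad_page() report: pfn, refcount, raw and decoded flags, reason, trace frames."""
    rep = {"pfn": None, "refcount": None, "flags": None, "flag_names": [], "reason": "", "trace": []}
    in_trace = False
    for raw in log.splitlines():
        m = PREFIX.match(raw)
        msg = (m.group(2) if m else raw).strip()     # drop the dmesg prefix if present
        if msg.startswith("BUG: Bad page state"):
            rep["pfn"] = int(msg.rsplit("pfn:", 1)[1], 16)
        elif msg.startswith("page: "):
            rep["refcount"] = int(msg.split("refcount:", 1)[1].split()[0])
        elif (fm := FLAGS.match(msg)):
            rep["flags"], rep["flag_names"] = int(fm.group(1), 16), fm.group(2).split("|")
        elif msg.startswith("page dumped because:"):
            rep["reason"] = msg.split(":", 1)[1].strip()
        elif msg == "Call trace:":
            in_trace = True
        elif in_trace and (fm := FRAME.match(msg)):  # keep only "func+off/len" frames
            rep["trace"].append(fm.group(1))
    return rep

def freeing_caller(rep: dict):
    """Code that handed the page to the allocator: the frame below the last allocator frame."""
    idx = [i for i, f in enumerate(rep["trace"]) if f in ALLOCATOR_FREE]
    return rep["trace"][idx[-1] + 1] if idx and idx[-1] + 1 < len(rep["trace"]) else None

def is_reserved_page_free(rep: dict) -> bool:
    """True when a PG_reserved page (never supposed to be freed) reached the free path."""
    return "reserved" in rep["flag_names"] and "PAGE_FLAGS_CHECK_AT_FREE" in rep["reason"]
```

Feeding a full dmesg capture instead of the excerpt works the same way, since lines without the dmesg prefix or outside the report are ignored; only the first "Call trace:" block is of interest for the bad_page() report.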