Date
May 23, 2025, 11:07 p.m.
| Environment |
|---|
| qemu-arm64 |
| qemu-x86_64 |
qemu-arm64:

```
[ 30.516088] ==================================================================
[ 30.516365] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 30.516666] Read of size 1 at addr fff00000c7894000 by task kunit_try_catch/235
[ 30.516941]
[ 30.517064] CPU: 0 UID: 0 PID: 235 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc7 #1 PREEMPT
[ 30.517713] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.517804] Hardware name: linux,dummy-virt (DT)
[ 30.517909] Call trace:
[ 30.518021]  show_stack+0x20/0x38 (C)
[ 30.518236]  dump_stack_lvl+0x8c/0xd0
[ 30.518612]  print_report+0x118/0x608
[ 30.518783]  kasan_report+0xdc/0x128
[ 30.520004]  __asan_report_load1_noabort+0x20/0x30
[ 30.520259]  mempool_uaf_helper+0x314/0x340
[ 30.520472]  mempool_page_alloc_uaf+0xc0/0x118
[ 30.520883]  kunit_try_run_case+0x170/0x3f0
[ 30.521050]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.521259]  kthread+0x328/0x630
[ 30.521395]  ret_from_fork+0x10/0x20
[ 30.521961]
[ 30.522035] The buggy address belongs to the physical page:
[ 30.522158] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107894
[ 30.522369] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 30.522691] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 30.522850] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 30.523000] page dumped because: kasan: bad access detected
[ 30.523131]
[ 30.523241] Memory state around the buggy address:
[ 30.523420]  fff00000c7893f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.524046]  fff00000c7893f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.524121] >fff00000c7894000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.524193]                    ^
[ 30.524307]  fff00000c7894080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.524507]  fff00000c7894100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.524648] ==================================================================
[ 30.421569] ==================================================================
[ 30.421753] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 30.421917] Read of size 1 at addr fff00000c7890000 by task kunit_try_catch/231
[ 30.422065]
[ 30.422168] CPU: 0 UID: 0 PID: 231 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc7 #1 PREEMPT
[ 30.422413] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.422504] Hardware name: linux,dummy-virt (DT)
[ 30.422581] Call trace:
[ 30.422647]  show_stack+0x20/0x38 (C)
[ 30.423097]  dump_stack_lvl+0x8c/0xd0
[ 30.423650]  print_report+0x118/0x608
[ 30.423786]  kasan_report+0xdc/0x128
[ 30.423914]  __asan_report_load1_noabort+0x20/0x30
[ 30.424122]  mempool_uaf_helper+0x314/0x340
[ 30.424518]  mempool_kmalloc_large_uaf+0xc4/0x120
[ 30.424877]  kunit_try_run_case+0x170/0x3f0
[ 30.425182]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 30.425484]  kthread+0x328/0x630
[ 30.425615]  ret_from_fork+0x10/0x20
[ 30.425756]
[ 30.425822] The buggy address belongs to the physical page:
[ 30.425918] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107890
[ 30.426072] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 30.426209] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 30.426600] page_type: f8(unknown)
[ 30.427029] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 30.427237] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 30.427488] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 30.427719] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 30.428016] head: 0bfffe0000000002 ffffc1ffc31e2401 00000000ffffffff 00000000ffffffff
[ 30.428264] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 30.428484] page dumped because: kasan: bad access detected
[ 30.428764]
[ 30.428830] Memory state around the buggy address:
[ 30.428942]  fff00000c788ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.429088]  fff00000c788ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.429187] >fff00000c7890000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.429241]                    ^
[ 30.429287]  fff00000c7890080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.429345]  fff00000c7890100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.429401] ==================================================================
```
qemu-x86_64:

```
[ 14.187572] ==================================================================
[ 14.188740] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.189670] Read of size 1 at addr ffff888103924000 by task kunit_try_catch/248
[ 14.190655]
[ 14.191000] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc7 #1 PREEMPT(voluntary)
[ 14.191057] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.191071] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.191093] Call Trace:
[ 14.191108]  <TASK>
[ 14.191126]  dump_stack_lvl+0x73/0xb0
[ 14.191169]  print_report+0xd1/0x650
[ 14.191192]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.191216]  ? mempool_uaf_helper+0x392/0x400
[ 14.191237]  ? kasan_addr_to_slab+0x11/0xa0
[ 14.191258]  ? mempool_uaf_helper+0x392/0x400
[ 14.191281]  kasan_report+0x141/0x180
[ 14.191315]  ? mempool_uaf_helper+0x392/0x400
[ 14.191341]  __asan_report_load1_noabort+0x18/0x20
[ 14.191362]  mempool_uaf_helper+0x392/0x400
[ 14.191384]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.191406]  ? dequeue_entities+0x852/0x1740
[ 14.191432]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.191460]  mempool_kmalloc_large_uaf+0xef/0x140
[ 14.191484]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 14.191507]  ? dequeue_task_fair+0x166/0x4e0
[ 14.191532]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 14.191554]  ? __pfx_mempool_kfree+0x10/0x10
[ 14.191577]  ? __pfx_read_tsc+0x10/0x10
[ 14.191599]  ? ktime_get_ts64+0x86/0x230
[ 14.191626]  kunit_try_run_case+0x1a5/0x480
[ 14.191652]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.191674]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.191698]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.191721]  ? __kthread_parkme+0x82/0x180
[ 14.191742]  ? preempt_count_sub+0x50/0x80
[ 14.191767]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.191790]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.191812]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.191836]  kthread+0x337/0x6f0
[ 14.191854]  ? trace_preempt_on+0x20/0xc0
[ 14.191878]  ? __pfx_kthread+0x10/0x10
[ 14.191897]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.191916]  ? calculate_sigpending+0x7b/0xa0
[ 14.191939]  ? __pfx_kthread+0x10/0x10
[ 14.191957]  ret_from_fork+0x41/0x80
[ 14.191978]  ? __pfx_kthread+0x10/0x10
[ 14.191996]  ret_from_fork_asm+0x1a/0x30
[ 14.192028]  </TASK>
[ 14.192041]
[ 14.206376] The buggy address belongs to the physical page:
[ 14.206758] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103924
[ 14.207181] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 14.207622] flags: 0x200000000000040(head|node=0|zone=2)
[ 14.207859] page_type: f8(unknown)
[ 14.208121] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 14.208469] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 14.208806] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 14.209207] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 14.209564] head: 0200000000000002 ffffea00040e4901 00000000ffffffff 00000000ffffffff
[ 14.209897] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 14.210230] page dumped because: kasan: bad access detected
[ 14.210546]
[ 14.210664] Memory state around the buggy address:
[ 14.210862]  ffff888103923f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.211222]  ffff888103923f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.211603] >ffff888103924000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.211985]                    ^
[ 14.212307]  ffff888103924080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.212691]  ffff888103924100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.213079] ==================================================================
[ 14.247840] ==================================================================
[ 14.248336] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.248707] Read of size 1 at addr ffff888102ac8000 by task kunit_try_catch/252
[ 14.248962]
[ 14.249140] CPU: 1 UID: 0 PID: 252 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc7 #1 PREEMPT(voluntary)
[ 14.249222] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.249237] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.249259] Call Trace:
[ 14.249271]  <TASK>
[ 14.249289]  dump_stack_lvl+0x73/0xb0
[ 14.249330]  print_report+0xd1/0x650
[ 14.249352]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.249375]  ? mempool_uaf_helper+0x392/0x400
[ 14.249397]  ? kasan_addr_to_slab+0x11/0xa0
[ 14.249418]  ? mempool_uaf_helper+0x392/0x400
[ 14.249441]  kasan_report+0x141/0x180
[ 14.249463]  ? mempool_uaf_helper+0x392/0x400
[ 14.249490]  __asan_report_load1_noabort+0x18/0x20
[ 14.249510]  mempool_uaf_helper+0x392/0x400
[ 14.249533]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.249555]  ? dequeue_entities+0x852/0x1740
[ 14.249580]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.249607]  mempool_page_alloc_uaf+0xed/0x140
[ 14.249627]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 14.249647]  ? dequeue_task_fair+0x166/0x4e0
[ 14.249668]  ? __pfx_mempool_alloc_pages+0x10/0x10
[ 14.249690]  ? __pfx_mempool_free_pages+0x10/0x10
[ 14.249713]  ? __pfx_read_tsc+0x10/0x10
[ 14.249733]  ? ktime_get_ts64+0x86/0x230
[ 14.249759]  kunit_try_run_case+0x1a5/0x480
[ 14.249782]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.249804]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.249829]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.249851]  ? __kthread_parkme+0x82/0x180
[ 14.249874]  ? preempt_count_sub+0x50/0x80
[ 14.249898]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.249922]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.249944]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.249967]  kthread+0x337/0x6f0
[ 14.249984]  ? trace_preempt_on+0x20/0xc0
[ 14.250009]  ? __pfx_kthread+0x10/0x10
[ 14.250027]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.250047]  ? calculate_sigpending+0x7b/0xa0
[ 14.250069]  ? __pfx_kthread+0x10/0x10
[ 14.250087]  ret_from_fork+0x41/0x80
[ 14.250108]  ? __pfx_kthread+0x10/0x10
[ 14.250126]  ret_from_fork_asm+0x1a/0x30
[ 14.250210]  </TASK>
[ 14.250225]
[ 14.260757] The buggy address belongs to the physical page:
[ 14.261130] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102ac8
[ 14.261661] flags: 0x200000000000000(node=0|zone=2)
[ 14.262173] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 14.262658] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 14.263146] page dumped because: kasan: bad access detected
[ 14.263411]
[ 14.263677] Memory state around the buggy address:
[ 14.264156]  ffff888102ac7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.264683]  ffff888102ac7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.265231] >ffff888102ac8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.265692]                    ^
[ 14.266038]  ffff888102ac8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.266339]  ffff888102ac8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.266864] ==================================================================
```
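All four reports above come from the generic KASAN KUnit self-tests (mempool_kmalloc_large_uaf and mempool_page_alloc_uaf, both reached through mempool_uaf_helper) deliberately reading one byte from a mempool element that has been returned to the page allocator: the kernel is tainted [N]=TEST, the faulting task is a kunit_try_catch thread, the address belongs to a freed physical page rather than a slab object, and every shadow byte around it is ff, which in generic mode is KASAN_PAGE_FREE. A KASAN splat on a test-tainted kernel therefore needs triage before it is treated as a real use-after-free. The Python below is an added example, not part of this results page or of the kernel tree: it pulls KASAN reports out of a console log, decodes the shadow byte at the faulting address, and applies that triage. Its sample input is a constructed excerpt of the qemu-arm64 and qemu-x86_64 reports above with most frames trimmed; the shadow-byte table lists the generic-mode values from mm/kasan/kasan.h; and the "expected" verdict is a heuristic keyed on the TEST taint plus the kunit_try_catch task, not on KUnit's own pass/fail output.

```python
"""Parse and triage generic-KASAN reports from a serial/dmesg log."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Generic-mode shadow encoding (mm/kasan/kasan.h): one shadow byte covers an
# 8-byte granule. 0xff marks a freed page, which is what every report above shows.
GRANULE = 8
SHADOW_MEANING = {
    0x00: "addressable",
    0xfb: "KASAN_SLAB_FREE (freed slab object)",
    0xfc: "KASAN_SLAB_REDZONE",
    0xfe: "KASAN_PAGE_REDZONE",
    0xff: "KASAN_PAGE_FREE (freed page)",
}
TIMESTAMP = re.compile(r"\[\s*\d+\.\d+\]\s*")             # "[ 30.516088] " prefixes
FRAME = re.compile(r"(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
SHADOW_ROW = re.compile(r">([0-9a-f]+):((?:\s+[0-9a-f]{2}){16})")  # the ">addr:" row


@dataclass
class KasanReport:
    bug: str                 # e.g. "use-after-free"
    func: str                # function the bad access was reported in
    access: str              # "Read" or "Write"
    size: int
    addr: int
    task: str
    pid: int
    version: str
    taints: Dict[str, str]   # taint legend, e.g. {"B": "BAD_PAGE", "N": "TEST"}
    frames: List[str]        # reliable (non-"?") trace frames, innermost first
    shadow: Optional[int]    # shadow byte covering addr, if the row was found

    @property
    def caller(self) -> Optional[str]:
        """Frame that called func; for the KASAN KUnit suite this is the test case."""
        try:
            return self.frames[self.frames.index(self.func) + 1]
        except (ValueError, IndexError):
            return None

    @property
    def shadow_meaning(self) -> str:
        return SHADOW_MEANING.get(self.shadow, "unknown/other")

    def verdict(self) -> str:
        # Heuristic: TEST taint plus a kunit_try_catch thread means the KASAN
        # self-test provoked the access on purpose; anything else gets a human.
        if self.taints.get("N") == "TEST" and self.task.startswith("kunit_try_catch"):
            return f"expected: KUnit case {self.caller} deliberately triggered {self.bug}"
        return (f"investigate: {self.bug} in {self.func}, {self.access.lower()} of "
                f"{self.size} byte(s) at {self.addr:#x}, shadow {self.shadow_meaning}")


def parse_kasan_reports(log: str) -> List[KasanReport]:
    text = TIMESTAMP.sub(" ", log)
    reports = []
    for chunk in re.split(r"={20,}", text):          # reports are fenced by "====" rows
        head = re.search(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x", chunk)
        acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", chunk)
        if not (head and acc):
            continue
        ver = re.search(r"Tainted:\s+G(?:\s+[A-Z])*\s+(\S+)\s+#", chunk)
        trace = re.search(r"Call [Tt]race:(.*?)(?:The buggy address|$)", chunk, re.S)
        frames = [f.group(2) for f in FRAME.finditer(trace.group(1) if trace else "")
                  if not f.group(1)]                  # drop x86 "? " guess frames
        addr = int(acc.group(3), 16)
        shadow = None
        row = SHADOW_ROW.search(chunk)
        if row:                                       # index the ">" row by granule
            idx = (addr - int(row.group(1), 16)) // GRANULE
            cells = row.group(2).split()
            if 0 <= idx < len(cells):
                shadow = int(cells[idx], 16)
        reports.append(KasanReport(
            bug=head.group(1), func=head.group(2), access=acc.group(1),
            size=int(acc.group(2)), addr=addr, task=acc.group(4), pid=int(acc.group(5)),
            version=ver.group(1) if ver else "?",
            taints=dict(re.findall(r"\[([A-Z])\]=(\w+)", chunk)),
            frames=frames, shadow=shadow))
    return reports


# Constructed sample: the first qemu-arm64 and the second qemu-x86_64 report from
# the page with most lines trimmed; timestamps kept to exercise the stripping.
SAMPLE_LOG = """\
[ 30.516088] ==================================================================
[ 30.516365] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 30.516666] Read of size 1 at addr fff00000c7894000 by task kunit_try_catch/235
[ 30.517064] CPU: 0 UID: 0 PID: 235 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc7 #1 PREEMPT
[ 30.517713] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 30.517909] Call trace:
[ 30.518783]  kasan_report+0xdc/0x128
[ 30.520259]  mempool_uaf_helper+0x314/0x340
[ 30.520472]  mempool_page_alloc_uaf+0xc0/0x118
[ 30.522035] The buggy address belongs to the physical page:
[ 30.523241] Memory state around the buggy address:
[ 30.524121] >fff00000c7894000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 30.524648] ==================================================================
[ 14.248336] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.248707] Read of size 1 at addr ffff888102ac8000 by task kunit_try_catch/252
[ 14.249140] CPU: 1 UID: 0 PID: 252 Comm: kunit_try_catch Tainted: G B N 6.15.0-rc7 #1 PREEMPT(voluntary)
[ 14.249222] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.249259] Call Trace:
[ 14.249463]  ? mempool_uaf_helper+0x392/0x400
[ 14.249510]  mempool_uaf_helper+0x392/0x400
[ 14.249533]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.249607]  mempool_page_alloc_uaf+0xed/0x140
[ 14.260757] The buggy address belongs to the physical page:
[ 14.265231] >ffff888102ac8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.266864] ==================================================================
"""

if __name__ == "__main__":
    for r in parse_kasan_reports(SAMPLE_LOG):
        print(f"{r.version} pid {r.pid}: {r.verdict()}")
```

Feed it a full console log (`python3 kasan_triage.py < console.log` after swapping SAMPLE_LOG for `sys.stdin.read()`) and each splat comes back as one line with the kernel version, PID and verdict; a report whose task is not a KUnit thread, or whose shadow byte is a slab redzone or freed slab object, is the one to open a bug for.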