Hay
Date: June 8, 2025, 11:09 p.m.

Environment:
- e850-96
- qemu-arm64
- qemu-x86_64
- rk3399-rock-pi-4b

[   36.822667] ==================================================================
[   36.831986] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   36.838666] Read of size 1 at addr ffff000806390000 by task kunit_try_catch/276
[   36.845956] 
[   36.847443] CPU: 0 UID: 0 PID: 276 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   36.847495] Tainted: [B]=BAD_PAGE, [N]=TEST
[   36.847513] Hardware name: WinLink E850-96 board (DT)
[   36.847538] Call trace:
[   36.847554]  show_stack+0x20/0x38 (C)
[   36.847589]  dump_stack_lvl+0x8c/0xd0
[   36.847627]  print_report+0x118/0x608
[   36.847663]  kasan_report+0xdc/0x128
[   36.847698]  __asan_report_load1_noabort+0x20/0x30
[   36.847737]  mempool_uaf_helper+0x314/0x340
[   36.847771]  mempool_kmalloc_large_uaf+0xc4/0x120
[   36.847806]  kunit_try_run_case+0x170/0x3f0
[   36.847843]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   36.847882]  kthread+0x328/0x630
[   36.847911]  ret_from_fork+0x10/0x20
[   36.847945] 
[   36.914967] The buggy address belongs to the physical page:
[   36.920526] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x886390
[   36.928510] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   36.936147] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   36.943090] page_type: f8(unknown)
[   36.946489] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   36.954208] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   36.961937] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   36.969745] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   36.977559] head: 0bfffe0000000002 fffffdffe018e401 00000000ffffffff 00000000ffffffff
[   36.985371] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   36.993175] page dumped because: kasan: bad access detected
[   36.998731] 
[   37.000207] Memory state around the buggy address:
[   37.004986]  ffff00080638ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.012190]  ffff00080638ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.019396] >ffff000806390000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.026595]                    ^
[   37.029810]  ffff000806390080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.037016]  ffff000806390100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.044216] ==================================================================
[   37.382222] ==================================================================
[   37.385970] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   37.392651] Read of size 1 at addr ffff0008051c0000 by task kunit_try_catch/280
[   37.399941] 
[   37.401429] CPU: 4 UID: 0 PID: 280 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   37.401483] Tainted: [B]=BAD_PAGE, [N]=TEST
[   37.401502] Hardware name: WinLink E850-96 board (DT)
[   37.401527] Call trace:
[   37.401543]  show_stack+0x20/0x38 (C)
[   37.401579]  dump_stack_lvl+0x8c/0xd0
[   37.401618]  print_report+0x118/0x608
[   37.401656]  kasan_report+0xdc/0x128
[   37.401692]  __asan_report_load1_noabort+0x20/0x30
[   37.401735]  mempool_uaf_helper+0x314/0x340
[   37.401767]  mempool_page_alloc_uaf+0xc0/0x118
[   37.401801]  kunit_try_run_case+0x170/0x3f0
[   37.401841]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   37.401879]  kthread+0x328/0x630
[   37.401911]  ret_from_fork+0x10/0x20
[   37.401949] 
[   37.468693] The buggy address belongs to the physical page:
[   37.474248] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8851c0
[   37.482234] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   37.488757] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[   37.496474] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   37.504195] page dumped because: kasan: bad access detected
[   37.509748] 
[   37.511223] Memory state around the buggy address:
[   37.516008]  ffff0008051bff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.523206]  ffff0008051bff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.530413] >ffff0008051c0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.537612]                    ^
[   37.540828]  ffff0008051c0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.548033]  ffff0008051c0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   37.555235] ==================================================================

[   28.454308] ==================================================================
[   28.454476] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   28.454629] Read of size 1 at addr fff00000c786c000 by task kunit_try_catch/229
[   28.454809] 
[   28.454892] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   28.455177] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.455257] Hardware name: linux,dummy-virt (DT)
[   28.455432] Call trace:
[   28.455488]  show_stack+0x20/0x38 (C)
[   28.455693]  dump_stack_lvl+0x8c/0xd0
[   28.455829]  print_report+0x118/0x608
[   28.456031]  kasan_report+0xdc/0x128
[   28.456159]  __asan_report_load1_noabort+0x20/0x30
[   28.456299]  mempool_uaf_helper+0x314/0x340
[   28.456559]  mempool_kmalloc_large_uaf+0xc4/0x120
[   28.456728]  kunit_try_run_case+0x170/0x3f0
[   28.456948]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.457179]  kthread+0x328/0x630
[   28.457367]  ret_from_fork+0x10/0x20
[   28.457578] 
[   28.457735] The buggy address belongs to the physical page:
[   28.459156] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10786c
[   28.459392] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   28.459684] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   28.460092] page_type: f8(unknown)
[   28.460280] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   28.460426] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   28.460555] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   28.461243] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   28.461373] head: 0bfffe0000000002 ffffc1ffc31e1b01 00000000ffffffff 00000000ffffffff
[   28.462148] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   28.462265] page dumped because: kasan: bad access detected
[   28.462347] 
[   28.462436] Memory state around the buggy address:
[   28.463241]  fff00000c786bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.463554]  fff00000c786bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.463779] >fff00000c786c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.463883]                    ^
[   28.464263]  fff00000c786c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.464388]  fff00000c786c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.464486] ==================================================================
[   28.566952] ==================================================================
[   28.567480] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   28.567655] Read of size 1 at addr fff00000c786c000 by task kunit_try_catch/233
[   28.567768] 
[   28.567861] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   28.568082] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.568156] Hardware name: linux,dummy-virt (DT)
[   28.568242] Call trace:
[   28.568304]  show_stack+0x20/0x38 (C)
[   28.568426]  dump_stack_lvl+0x8c/0xd0
[   28.571233]  print_report+0x118/0x608
[   28.571879]  kasan_report+0xdc/0x128
[   28.572032]  __asan_report_load1_noabort+0x20/0x30
[   28.572173]  mempool_uaf_helper+0x314/0x340
[   28.572296]  mempool_page_alloc_uaf+0xc0/0x118
[   28.572431]  kunit_try_run_case+0x170/0x3f0
[   28.572576]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.572720]  kthread+0x328/0x630
[   28.572845]  ret_from_fork+0x10/0x20
[   28.572997] 
[   28.573056] The buggy address belongs to the physical page:
[   28.573136] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10786c
[   28.573275] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   28.573429] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[   28.573553] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   28.573650] page dumped because: kasan: bad access detected
[   28.573731] 
[   28.573783] Memory state around the buggy address:
[   28.573868]  fff00000c786bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.577046]  fff00000c786bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.579626] >fff00000c786c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.579727]                    ^
[   28.579807]  fff00000c786c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.580297]  fff00000c786c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.580520] ==================================================================

[   28.535336] ==================================================================
[   28.535480] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   28.535605] Read of size 1 at addr fff00000c7728000 by task kunit_try_catch/229
[   28.535722] 
[   28.535812] CPU: 1 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   28.536034] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.536104] Hardware name: linux,dummy-virt (DT)
[   28.536746] Call trace:
[   28.536984]  show_stack+0x20/0x38 (C)
[   28.537161]  dump_stack_lvl+0x8c/0xd0
[   28.537305]  print_report+0x118/0x608
[   28.537438]  kasan_report+0xdc/0x128
[   28.538112]  __asan_report_load1_noabort+0x20/0x30
[   28.538255]  mempool_uaf_helper+0x314/0x340
[   28.538765]  mempool_kmalloc_large_uaf+0xc4/0x120
[   28.538992]  kunit_try_run_case+0x170/0x3f0
[   28.539502]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.540011]  kthread+0x328/0x630
[   28.540152]  ret_from_fork+0x10/0x20
[   28.540737] 
[   28.540799] The buggy address belongs to the physical page:
[   28.541000] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107728
[   28.541469] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   28.541593] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   28.541736] page_type: f8(unknown)
[   28.541866] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   28.541994] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   28.542548] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   28.542685] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   28.542833] head: 0bfffe0000000002 ffffc1ffc31dca01 00000000ffffffff 00000000ffffffff
[   28.543118] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   28.543265] page dumped because: kasan: bad access detected
[   28.543676] 
[   28.543862] Memory state around the buggy address:
[   28.543944]  fff00000c7727f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.544057]  fff00000c7727f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.544169] >fff00000c7728000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.544275]                    ^
[   28.544371]  fff00000c7728080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.544574]  fff00000c7728100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.544777] ==================================================================
[   28.639109] ==================================================================
[   28.639304] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   28.639463] Read of size 1 at addr fff00000c7728000 by task kunit_try_catch/233
[   28.639599] 
[   28.639819] CPU: 1 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   28.640067] Tainted: [B]=BAD_PAGE, [N]=TEST
[   28.640207] Hardware name: linux,dummy-virt (DT)
[   28.640297] Call trace:
[   28.640361]  show_stack+0x20/0x38 (C)
[   28.640511]  dump_stack_lvl+0x8c/0xd0
[   28.640766]  print_report+0x118/0x608
[   28.641073]  kasan_report+0xdc/0x128
[   28.641411]  __asan_report_load1_noabort+0x20/0x30
[   28.641568]  mempool_uaf_helper+0x314/0x340
[   28.641699]  mempool_page_alloc_uaf+0xc0/0x118
[   28.641832]  kunit_try_run_case+0x170/0x3f0
[   28.641997]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   28.642220]  kthread+0x328/0x630
[   28.642360]  ret_from_fork+0x10/0x20
[   28.642601] 
[   28.642666] The buggy address belongs to the physical page:
[   28.642746] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107728
[   28.642907] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   28.643063] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[   28.643213] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   28.643390] page dumped because: kasan: bad access detected
[   28.643482] 
[   28.643539] Memory state around the buggy address:
[   28.643697]  fff00000c7727f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.643829]  fff00000c7727f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.643979] >fff00000c7728000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.644244]                    ^
[   28.644323]  fff00000c7728080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.644436]  fff00000c7728100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   28.644550] ==================================================================

[   21.346357] ==================================================================
[   21.347448] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   21.348339] Read of size 1 at addr ffff888103ab4000 by task kunit_try_catch/247
[   21.348902] 
[   21.349157] CPU: 0 UID: 0 PID: 247 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT(voluntary) 
[   21.349287] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.349327] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   21.349394] Call Trace:
[   21.349441]  <TASK>
[   21.349516]  dump_stack_lvl+0x73/0xb0
[   21.349637]  print_report+0xd1/0x650
[   21.349716]  ? __virt_addr_valid+0x1db/0x2d0
[   21.349796]  ? mempool_uaf_helper+0x392/0x400
[   21.349870]  ? kasan_addr_to_slab+0x11/0xa0
[   21.349940]  ? mempool_uaf_helper+0x392/0x400
[   21.350013]  kasan_report+0x141/0x180
[   21.350146]  ? mempool_uaf_helper+0x392/0x400
[   21.350239]  __asan_report_load1_noabort+0x18/0x20
[   21.350323]  mempool_uaf_helper+0x392/0x400
[   21.350401]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   21.350468]  ? update_load_avg+0x1be/0x21b0
[   21.350574]  ? dequeue_entities+0x27e/0x1740
[   21.350650]  ? finish_task_switch.isra.0+0x153/0x700
[   21.350719]  mempool_kmalloc_large_uaf+0xef/0x140
[   21.350782]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[   21.350850]  ? __pfx_mempool_kmalloc+0x10/0x10
[   21.350915]  ? __pfx_mempool_kfree+0x10/0x10
[   21.350979]  ? __pfx_read_tsc+0x10/0x10
[   21.351036]  ? ktime_get_ts64+0x86/0x230
[   21.351098]  kunit_try_run_case+0x1a5/0x480
[   21.351170]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.351237]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   21.351306]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   21.351341]  ? __kthread_parkme+0x82/0x180
[   21.351372]  ? preempt_count_sub+0x50/0x80
[   21.351403]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.351439]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.351474]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   21.351541]  kthread+0x337/0x6f0
[   21.351644]  ? trace_preempt_on+0x20/0xc0
[   21.351698]  ? __pfx_kthread+0x10/0x10
[   21.351729]  ? _raw_spin_unlock_irq+0x47/0x80
[   21.351759]  ? calculate_sigpending+0x7b/0xa0
[   21.351794]  ? __pfx_kthread+0x10/0x10
[   21.351824]  ret_from_fork+0x116/0x1d0
[   21.351850]  ? __pfx_kthread+0x10/0x10
[   21.351879]  ret_from_fork_asm+0x1a/0x30
[   21.351922]  </TASK>
[   21.351937] 
[   21.378596] The buggy address belongs to the physical page:
[   21.379162] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103ab4
[   21.380800] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   21.381690] flags: 0x200000000000040(head|node=0|zone=2)
[   21.382236] page_type: f8(unknown)
[   21.382731] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   21.383338] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   21.384630] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   21.385536] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   21.386178] head: 0200000000000002 ffffea00040ead01 00000000ffffffff 00000000ffffffff
[   21.387398] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   21.388636] page dumped because: kasan: bad access detected
[   21.389324] 
[   21.389556] Memory state around the buggy address:
[   21.390142]  ffff888103ab3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.391183]  ffff888103ab3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.391608] >ffff888103ab4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.392396]                    ^
[   21.392821]  ffff888103ab4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.393658]  ffff888103ab4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.394310] ==================================================================
[   21.477296] ==================================================================
[   21.478394] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   21.480182] Read of size 1 at addr ffff888103a04000 by task kunit_try_catch/251
[   21.481288] 
[   21.481550] CPU: 1 UID: 0 PID: 251 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT(voluntary) 
[   21.481699] Tainted: [B]=BAD_PAGE, [N]=TEST
[   21.481741] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   21.481889] Call Trace:
[   21.482024]  <TASK>
[   21.482240]  dump_stack_lvl+0x73/0xb0
[   21.482365]  print_report+0xd1/0x650
[   21.482445]  ? __virt_addr_valid+0x1db/0x2d0
[   21.482544]  ? mempool_uaf_helper+0x392/0x400
[   21.482622]  ? kasan_addr_to_slab+0x11/0xa0
[   21.482687]  ? mempool_uaf_helper+0x392/0x400
[   21.482761]  kasan_report+0x141/0x180
[   21.482837]  ? mempool_uaf_helper+0x392/0x400
[   21.483001]  __asan_report_load1_noabort+0x18/0x20
[   21.483039]  mempool_uaf_helper+0x392/0x400
[   21.483074]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   21.483106]  ? update_load_avg+0x1be/0x21b0
[   21.483142]  ? update_load_avg+0x1be/0x21b0
[   21.483174]  ? update_curr+0x80/0x810
[   21.483202]  ? __kasan_check_write+0x18/0x20
[   21.483235]  ? irqentry_exit+0x2a/0x60
[   21.483305]  ? sysvec_apic_timer_interrupt+0x50/0x90
[   21.483345]  mempool_page_alloc_uaf+0xed/0x140
[   21.483380]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[   21.483418]  ? __pfx_mempool_alloc_pages+0x10/0x10
[   21.483447]  ? __pfx_mempool_free_pages+0x10/0x10
[   21.483476]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[   21.483547]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[   21.483630]  kunit_try_run_case+0x1a5/0x480
[   21.483693]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.483729]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   21.483765]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   21.483799]  ? __kthread_parkme+0x82/0x180
[   21.483829]  ? preempt_count_sub+0x50/0x80
[   21.483862]  ? __pfx_kunit_try_run_case+0x10/0x10
[   21.483897]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   21.483931]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   21.483964]  kthread+0x337/0x6f0
[   21.483992]  ? trace_preempt_on+0x20/0xc0
[   21.484026]  ? __pfx_kthread+0x10/0x10
[   21.484054]  ? _raw_spin_unlock_irq+0x47/0x80
[   21.484083]  ? calculate_sigpending+0x7b/0xa0
[   21.484119]  ? __pfx_kthread+0x10/0x10
[   21.484149]  ret_from_fork+0x116/0x1d0
[   21.484176]  ? __pfx_kthread+0x10/0x10
[   21.484204]  ret_from_fork_asm+0x1a/0x30
[   21.484281]  </TASK>
[   21.484301] 
[   21.511404] The buggy address belongs to the physical page:
[   21.512194] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103a04
[   21.513099] flags: 0x200000000000000(node=0|zone=2)
[   21.513792] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[   21.514752] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   21.515851] page dumped because: kasan: bad access detected
[   21.516485] 
[   21.516937] Memory state around the buggy address:
[   21.517492]  ffff888103a03f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.518417]  ffff888103a03f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.519399] >ffff888103a04000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.520276]                    ^
[   21.521030]  ffff888103a04080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.521785]  ffff888103a04100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   21.522331] ==================================================================

[   20.290341] ==================================================================
[   20.291762] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   20.292828] Read of size 1 at addr ffff888103990000 by task kunit_try_catch/251
[   20.293506] 
[   20.293797] CPU: 0 UID: 0 PID: 251 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT(voluntary) 
[   20.293941] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.293981] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   20.294044] Call Trace:
[   20.294084]  <TASK>
[   20.294127]  dump_stack_lvl+0x73/0xb0
[   20.294514]  print_report+0xd1/0x650
[   20.294696]  ? __virt_addr_valid+0x1db/0x2d0
[   20.294780]  ? mempool_uaf_helper+0x392/0x400
[   20.294854]  ? kasan_addr_to_slab+0x11/0xa0
[   20.294944]  ? mempool_uaf_helper+0x392/0x400
[   20.294988]  kasan_report+0x141/0x180
[   20.295022]  ? mempool_uaf_helper+0x392/0x400
[   20.295060]  __asan_report_load1_noabort+0x18/0x20
[   20.295101]  mempool_uaf_helper+0x392/0x400
[   20.295177]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   20.295212]  ? update_load_avg+0x1be/0x21b0
[   20.295248]  ? dequeue_entities+0x27e/0x1740
[   20.295283]  ? finish_task_switch.isra.0+0x153/0x700
[   20.295319]  mempool_page_alloc_uaf+0xed/0x140
[   20.295353]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[   20.295391]  ? __pfx_mempool_alloc_pages+0x10/0x10
[   20.295421]  ? __pfx_mempool_free_pages+0x10/0x10
[   20.295450]  ? __pfx_read_tsc+0x10/0x10
[   20.295480]  ? ktime_get_ts64+0x86/0x230
[   20.295515]  kunit_try_run_case+0x1a5/0x480
[   20.295644]  ? __pfx_kunit_try_run_case+0x10/0x10
[   20.295685]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   20.295721]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   20.295755]  ? __kthread_parkme+0x82/0x180
[   20.295783]  ? preempt_count_sub+0x50/0x80
[   20.295815]  ? __pfx_kunit_try_run_case+0x10/0x10
[   20.295850]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   20.295908]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   20.295949]  kthread+0x337/0x6f0
[   20.295978]  ? trace_preempt_on+0x20/0xc0
[   20.296010]  ? __pfx_kthread+0x10/0x10
[   20.296040]  ? _raw_spin_unlock_irq+0x47/0x80
[   20.296070]  ? calculate_sigpending+0x7b/0xa0
[   20.296128]  ? __pfx_kthread+0x10/0x10
[   20.296176]  ret_from_fork+0x116/0x1d0
[   20.296203]  ? __pfx_kthread+0x10/0x10
[   20.296233]  ret_from_fork_asm+0x1a/0x30
[   20.296274]  </TASK>
[   20.296288] 
[   20.317729] The buggy address belongs to the physical page:
[   20.318206] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103990
[   20.318997] flags: 0x200000000000000(node=0|zone=2)
[   20.320929] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[   20.321632] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   20.322775] page dumped because: kasan: bad access detected
[   20.323343] 
[   20.323524] Memory state around the buggy address:
[   20.324112]  ffff88810398ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.324715]  ffff88810398ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.325327] >ffff888103990000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.325919]                    ^
[   20.326217]  ffff888103990080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.326812]  ffff888103990100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.328001] ==================================================================
[   20.172808] ==================================================================
[   20.173713] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   20.174643] Read of size 1 at addr ffff888102a48000 by task kunit_try_catch/247
[   20.175320] 
[   20.175635] CPU: 1 UID: 0 PID: 247 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT(voluntary) 
[   20.175763] Tainted: [B]=BAD_PAGE, [N]=TEST
[   20.175806] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   20.175869] Call Trace:
[   20.175984]  <TASK>
[   20.176062]  dump_stack_lvl+0x73/0xb0
[   20.176158]  print_report+0xd1/0x650
[   20.176239]  ? __virt_addr_valid+0x1db/0x2d0
[   20.176379]  ? mempool_uaf_helper+0x392/0x400
[   20.176483]  ? kasan_addr_to_slab+0x11/0xa0
[   20.176713]  ? mempool_uaf_helper+0x392/0x400
[   20.176797]  kasan_report+0x141/0x180
[   20.176893]  ? mempool_uaf_helper+0x392/0x400
[   20.176985]  __asan_report_load1_noabort+0x18/0x20
[   20.177037]  mempool_uaf_helper+0x392/0x400
[   20.177074]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   20.177122]  ? __kasan_check_write+0x18/0x20
[   20.177172]  ? __pfx_sched_clock_cpu+0x10/0x10
[   20.177209]  ? finish_task_switch.isra.0+0x153/0x700
[   20.177247]  mempool_kmalloc_large_uaf+0xef/0x140
[   20.177282]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[   20.177319]  ? __pfx_mempool_kmalloc+0x10/0x10
[   20.177355]  ? __pfx_mempool_kfree+0x10/0x10
[   20.177390]  ? __pfx_read_tsc+0x10/0x10
[   20.177420]  ? ktime_get_ts64+0x86/0x230
[   20.177454]  kunit_try_run_case+0x1a5/0x480
[   20.177491]  ? __pfx_kunit_try_run_case+0x10/0x10
[   20.177589]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   20.177684]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   20.177731]  ? __kthread_parkme+0x82/0x180
[   20.177798]  ? preempt_count_sub+0x50/0x80
[   20.177835]  ? __pfx_kunit_try_run_case+0x10/0x10
[   20.177873]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   20.177938]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   20.177974]  kthread+0x337/0x6f0
[   20.178004]  ? trace_preempt_on+0x20/0xc0
[   20.178039]  ? __pfx_kthread+0x10/0x10
[   20.178067]  ? _raw_spin_unlock_irq+0x47/0x80
[   20.178111]  ? calculate_sigpending+0x7b/0xa0
[   20.178180]  ? __pfx_kthread+0x10/0x10
[   20.178213]  ret_from_fork+0x116/0x1d0
[   20.178240]  ? __pfx_kthread+0x10/0x10
[   20.178280]  ret_from_fork_asm+0x1a/0x30
[   20.178323]  </TASK>
[   20.178337] 
[   20.203387] The buggy address belongs to the physical page:
[   20.203973] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102a48
[   20.204890] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   20.205700] flags: 0x200000000000040(head|node=0|zone=2)
[   20.206192] page_type: f8(unknown)
[   20.207195] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   20.208126] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   20.208905] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   20.209787] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   20.210895] head: 0200000000000002 ffffea00040a9201 00000000ffffffff 00000000ffffffff
[   20.211706] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   20.212298] page dumped because: kasan: bad access detected
[   20.212761] 
[   20.212994] Memory state around the buggy address:
[   20.214066]  ffff888102a47f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.214947]  ffff888102a47f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.215683] >ffff888102a48000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.216486]                    ^
[   20.216840]  ffff888102a48080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.217642]  ffff888102a48100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   20.218207] ==================================================================

[   22.174667] ==================================================================
[   22.175733] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   22.176374] Read of size 1 at addr ffff00000e270000 by task kunit_try_catch/282
[   22.177051] 
[   22.177217] CPU: 3 UID: 0 PID: 282 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   22.177266] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.177280] Hardware name: Radxa ROCK Pi 4B (DT)
[   22.177298] Call trace:
[   22.177310]  show_stack+0x20/0x38 (C)
[   22.177343]  dump_stack_lvl+0x8c/0xd0
[   22.177379]  print_report+0x118/0x608
[   22.177413]  kasan_report+0xdc/0x128
[   22.177445]  __asan_report_load1_noabort+0x20/0x30
[   22.177482]  mempool_uaf_helper+0x314/0x340
[   22.177512]  mempool_kmalloc_large_uaf+0xc4/0x120
[   22.177544]  kunit_try_run_case+0x170/0x3f0
[   22.177578]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.177616]  kthread+0x328/0x630
[   22.177644]  ret_from_fork+0x10/0x20
[   22.177675] 
[   22.183674] The buggy address belongs to the physical page:
[   22.184190] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xe270
[   22.184913] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   22.185619] flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
[   22.186270] page_type: f8(unknown)
[   22.186606] raw: 03fffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   22.187320] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   22.188035] head: 03fffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   22.188758] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   22.189481] head: 03fffe0000000002 fffffdffc0389c01 00000000ffffffff 00000000ffffffff
[   22.190204] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   22.190919] page dumped because: kasan: bad access detected
[   22.191433] 
[   22.191586] Memory state around the buggy address:
[   22.192034]  ffff00000e26ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.192700]  ffff00000e26ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.193366] >ffff00000e270000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.194027]                    ^
[   22.194338]  ffff00000e270080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.195004]  ffff00000e270100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.195665] ==================================================================
[   22.260274] ==================================================================
[   22.261333] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   22.261976] Read of size 1 at addr ffff00000e1f8000 by task kunit_try_catch/286
[   22.262651] 
[   22.262816] CPU: 0 UID: 0 PID: 286 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc1 #1 PREEMPT 
[   22.262867] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.262882] Hardware name: Radxa ROCK Pi 4B (DT)
[   22.262899] Call trace:
[   22.262910]  show_stack+0x20/0x38 (C)
[   22.262943]  dump_stack_lvl+0x8c/0xd0
[   22.262979]  print_report+0x118/0x608
[   22.263013]  kasan_report+0xdc/0x128
[   22.263045]  __asan_report_load1_noabort+0x20/0x30
[   22.263082]  mempool_uaf_helper+0x314/0x340
[   22.263112]  mempool_page_alloc_uaf+0xc0/0x118
[   22.263145]  kunit_try_run_case+0x170/0x3f0
[   22.263179]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.263217]  kthread+0x328/0x630
[   22.263243]  ret_from_fork+0x10/0x20
[   22.263275] 
[   22.269249] The buggy address belongs to the physical page:
[   22.269764] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xe1f8
[   22.270489] flags: 0x3fffe0000000000(node=0|zone=0|lastcpupid=0x1ffff)
[   22.271111] raw: 03fffe0000000000 0000000000000000 dead000000000122 0000000000000000
[   22.271827] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   22.272534] page dumped because: kasan: bad access detected
[   22.273049] 
[   22.273201] Memory state around the buggy address:
[   22.273650]  ffff00000e1f7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.274316]  ffff00000e1f7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.274981] >ffff00000e1f8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.275642]                    ^
[   22.275952]  ffff00000e1f8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.276618]  ffff00000e1f8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.277279] ==================================================================