Hay
Date
July 3, 2025, 11:10 p.m.

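Environment
qemu-arm64 (first two reports below; Hardware name: linux,dummy-virt (DT))
qemu-x86_64 (last two reports below; Hardware name: QEMU Standard PC (Q35 + ICH9, 2009))
All four reports were raised in KUnit test tasks (Comm: kunit_try_catch) on a kernel carrying the [N]=TEST taint flag.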

[   22.253636] ==================================================================
[   22.253840] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   22.253992] Read of size 1 at addr fff00000c7958000 by task kunit_try_catch/233
[   22.254106] 
[   22.254281] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   22.254546] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.254626] Hardware name: linux,dummy-virt (DT)
[   22.254703] Call trace:
[   22.254774]  show_stack+0x20/0x38 (C)
[   22.254917]  dump_stack_lvl+0x8c/0xd0
[   22.255045]  print_report+0x118/0x608
[   22.255154]  kasan_report+0xdc/0x128
[   22.255255]  __asan_report_load1_noabort+0x20/0x30
[   22.255352]  mempool_uaf_helper+0x314/0x340
[   22.255623]  mempool_page_alloc_uaf+0xc0/0x118
[   22.255758]  kunit_try_run_case+0x170/0x3f0
[   22.255867]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.255965]  kthread+0x328/0x630
[   22.256068]  ret_from_fork+0x10/0x20
[   22.256207] 
[   22.256296] The buggy address belongs to the physical page:
[   22.256373] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107958
[   22.256525] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   22.256779] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[   22.256907] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   22.257012] page dumped because: kasan: bad access detected
[   22.257111] 
[   22.257156] Memory state around the buggy address:
[   22.257236]  fff00000c7957f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.257360]  fff00000c7957f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.257452] >fff00000c7958000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.257792]                    ^
[   22.257911]  fff00000c7958080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.258190]  fff00000c7958100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.258286] ==================================================================
[   22.160837] ==================================================================
[   22.161212] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[   22.161491] Read of size 1 at addr fff00000c7958000 by task kunit_try_catch/229
[   22.161699] 
[   22.161786] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT 
[   22.162361] Tainted: [B]=BAD_PAGE, [N]=TEST
[   22.162424] Hardware name: linux,dummy-virt (DT)
[   22.162490] Call trace:
[   22.162729]  show_stack+0x20/0x38 (C)
[   22.163488]  dump_stack_lvl+0x8c/0xd0
[   22.163989]  print_report+0x118/0x608
[   22.164581]  kasan_report+0xdc/0x128
[   22.164680]  __asan_report_load1_noabort+0x20/0x30
[   22.164781]  mempool_uaf_helper+0x314/0x340
[   22.164869]  mempool_kmalloc_large_uaf+0xc4/0x120
[   22.164964]  kunit_try_run_case+0x170/0x3f0
[   22.165086]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   22.165191]  kthread+0x328/0x630
[   22.165276]  ret_from_fork+0x10/0x20
[   22.165376] 
[   22.165419] The buggy address belongs to the physical page:
[   22.165486] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107958
[   22.165580] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   22.165664] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[   22.166904] page_type: f8(unknown)
[   22.166999] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   22.167374] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   22.167696] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[   22.168008] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   22.168113] head: 0bfffe0000000002 ffffc1ffc31e5601 00000000ffffffff 00000000ffffffff
[   22.168208] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   22.168279] page dumped because: kasan: bad access detected
[   22.168336] 
[   22.168366] Memory state around the buggy address:
[   22.168428]  fff00000c7957f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.168515]  fff00000c7957f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.168612] >fff00000c7958000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.168690]                    ^
[   22.168746]  fff00000c7958080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.168831]  fff00000c7958100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.168898] ==================================================================

[   13.143413] ==================================================================
[   13.144238] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   13.144672] Read of size 1 at addr ffff888103960000 by task kunit_try_catch/250
[   13.144981] 
[   13.145098] CPU: 1 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   13.145411] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.145428] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.145452] Call Trace:
[   13.145644]  <TASK>
[   13.145665]  dump_stack_lvl+0x73/0xb0
[   13.145697]  print_report+0xd1/0x650
[   13.145720]  ? __virt_addr_valid+0x1db/0x2d0
[   13.145744]  ? mempool_uaf_helper+0x392/0x400
[   13.145765]  ? kasan_addr_to_slab+0x11/0xa0
[   13.145785]  ? mempool_uaf_helper+0x392/0x400
[   13.145807]  kasan_report+0x141/0x180
[   13.145828]  ? mempool_uaf_helper+0x392/0x400
[   13.145854]  __asan_report_load1_noabort+0x18/0x20
[   13.145877]  mempool_uaf_helper+0x392/0x400
[   13.145899]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.145923]  ? __pfx_sched_clock_cpu+0x10/0x10
[   13.145946]  ? finish_task_switch.isra.0+0x153/0x700
[   13.145972]  mempool_page_alloc_uaf+0xed/0x140
[   13.145996]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[   13.146022]  ? __pfx_mempool_alloc_pages+0x10/0x10
[   13.146042]  ? __pfx_mempool_free_pages+0x10/0x10
[   13.146063]  ? __pfx_read_tsc+0x10/0x10
[   13.146085]  ? ktime_get_ts64+0x86/0x230
[   13.146108]  kunit_try_run_case+0x1a5/0x480
[   13.146147]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.146169]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.146193]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.146217]  ? __kthread_parkme+0x82/0x180
[   13.146238]  ? preempt_count_sub+0x50/0x80
[   13.146261]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.146284]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.146318]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.146341]  kthread+0x337/0x6f0
[   13.146360]  ? trace_preempt_on+0x20/0xc0
[   13.146384]  ? __pfx_kthread+0x10/0x10
[   13.146404]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.146424]  ? calculate_sigpending+0x7b/0xa0
[   13.146448]  ? __pfx_kthread+0x10/0x10
[   13.146469]  ret_from_fork+0x116/0x1d0
[   13.146487]  ? __pfx_kthread+0x10/0x10
[   13.146506]  ret_from_fork_asm+0x1a/0x30
[   13.146542]  </TASK>
[   13.146553] 
[   13.159022] The buggy address belongs to the physical page:
[   13.159863] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103960
[   13.160513] flags: 0x200000000000000(node=0|zone=2)
[   13.160764] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[   13.161072] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   13.161808] page dumped because: kasan: bad access detected
[   13.162073] 
[   13.162498] Memory state around the buggy address:
[   13.162803]  ffff88810395ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   13.163437]  ffff88810395ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   13.163744] >ffff888103960000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   13.164030]                    ^
[   13.164524]  ffff888103960080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   13.164831]  ffff888103960100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   13.165333] ==================================================================
[   13.070902] ==================================================================
[   13.071402] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[   13.071821] Read of size 1 at addr ffff888103960000 by task kunit_try_catch/246
[   13.072061] 
[   13.072176] CPU: 1 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G    B            N  6.16.0-rc4 #1 PREEMPT(voluntary) 
[   13.072225] Tainted: [B]=BAD_PAGE, [N]=TEST
[   13.072272] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   13.072295] Call Trace:
[   13.072309]  <TASK>
[   13.072325]  dump_stack_lvl+0x73/0xb0
[   13.072399]  print_report+0xd1/0x650
[   13.072421]  ? __virt_addr_valid+0x1db/0x2d0
[   13.072446]  ? mempool_uaf_helper+0x392/0x400
[   13.072478]  ? kasan_addr_to_slab+0x11/0xa0
[   13.072499]  ? mempool_uaf_helper+0x392/0x400
[   13.072520]  kasan_report+0x141/0x180
[   13.072541]  ? mempool_uaf_helper+0x392/0x400
[   13.072567]  __asan_report_load1_noabort+0x18/0x20
[   13.072622]  mempool_uaf_helper+0x392/0x400
[   13.072668]  ? __pfx_mempool_uaf_helper+0x10/0x10
[   13.072702]  ? __kasan_check_write+0x18/0x20
[   13.072722]  ? __pfx_sched_clock_cpu+0x10/0x10
[   13.072745]  ? finish_task_switch.isra.0+0x153/0x700
[   13.072770]  mempool_kmalloc_large_uaf+0xef/0x140
[   13.072793]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[   13.072818]  ? __pfx_mempool_kmalloc+0x10/0x10
[   13.072841]  ? __pfx_mempool_kfree+0x10/0x10
[   13.072866]  ? __pfx_read_tsc+0x10/0x10
[   13.072887]  ? ktime_get_ts64+0x86/0x230
[   13.072910]  kunit_try_run_case+0x1a5/0x480
[   13.072934]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.072956]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   13.072977]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   13.072999]  ? __kthread_parkme+0x82/0x180
[   13.073019]  ? preempt_count_sub+0x50/0x80
[   13.073041]  ? __pfx_kunit_try_run_case+0x10/0x10
[   13.073064]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   13.073086]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   13.073108]  kthread+0x337/0x6f0
[   13.073136]  ? trace_preempt_on+0x20/0xc0
[   13.073171]  ? __pfx_kthread+0x10/0x10
[   13.073191]  ? _raw_spin_unlock_irq+0x47/0x80
[   13.073211]  ? calculate_sigpending+0x7b/0xa0
[   13.073235]  ? __pfx_kthread+0x10/0x10
[   13.073256]  ret_from_fork+0x116/0x1d0
[   13.073274]  ? __pfx_kthread+0x10/0x10
[   13.073294]  ret_from_fork_asm+0x1a/0x30
[   13.073324]  </TASK>
[   13.073336] 
[   13.089117] The buggy address belongs to the physical page:
[   13.089714] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103960
[   13.090159] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   13.091103] flags: 0x200000000000040(head|node=0|zone=2)
[   13.091609] page_type: f8(unknown)
[   13.091747] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   13.091983] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   13.092278] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[   13.092950] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[   13.093356] head: 0200000000000002 ffffea00040e5801 00000000ffffffff 00000000ffffffff
[   13.093777] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   13.094282] page dumped because: kasan: bad access detected
[   13.094501] 
[   13.094720] Memory state around the buggy address:
[   13.095031]  ffff88810395ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   13.095336]  ffff88810395ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   13.095756] >ffff888103960000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   13.096212]                    ^
[   13.096443]  ffff888103960080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   13.096835]  ffff888103960100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   13.097249] ==================================================================