Date
July 5, 2025, 11:11 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 20.242570] ================================================================== [ 20.242634] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 20.242695] Read of size 1 at addr fff00000c7908000 by task kunit_try_catch/233 [ 20.242744] [ 20.242779] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT [ 20.243636] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.243863] Hardware name: linux,dummy-virt (DT) [ 20.243947] Call trace: [ 20.243972] show_stack+0x20/0x38 (C) [ 20.244029] dump_stack_lvl+0x8c/0xd0 [ 20.244240] print_report+0x118/0x608 [ 20.244475] kasan_report+0xdc/0x128 [ 20.244553] __asan_report_load1_noabort+0x20/0x30 [ 20.244731] mempool_uaf_helper+0x314/0x340 [ 20.245056] mempool_page_alloc_uaf+0xc0/0x118 [ 20.245194] kunit_try_run_case+0x170/0x3f0 [ 20.245281] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.245374] kthread+0x328/0x630 [ 20.245513] ret_from_fork+0x10/0x20 [ 20.245574] [ 20.245656] The buggy address belongs to the physical page: [ 20.245689] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107908 [ 20.245788] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 20.245852] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000 [ 20.245903] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 20.245945] page dumped because: kasan: bad access detected [ 20.245975] [ 20.245994] Memory state around the buggy address: [ 20.246067] fff00000c7907f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.246577] fff00000c7907f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.246981] >fff00000c7908000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.247087] ^ [ 20.247170] fff00000c7908080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.247227] fff00000c7908100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.247265] ================================================================== [ 20.186912] ================================================================== [ 20.187083] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340 [ 20.187442] Read of size 1 at addr fff00000c7904000 by task kunit_try_catch/229 [ 20.187699] [ 20.187735] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT [ 20.188051] Tainted: [B]=BAD_PAGE, [N]=TEST [ 20.188093] Hardware name: linux,dummy-virt (DT) [ 20.188231] Call trace: [ 20.188254] show_stack+0x20/0x38 (C) [ 20.188305] dump_stack_lvl+0x8c/0xd0 [ 20.188351] print_report+0x118/0x608 [ 20.188470] kasan_report+0xdc/0x128 [ 20.188700] __asan_report_load1_noabort+0x20/0x30 [ 20.188801] mempool_uaf_helper+0x314/0x340 [ 20.188908] mempool_kmalloc_large_uaf+0xc4/0x120 [ 20.188987] kunit_try_run_case+0x170/0x3f0 [ 20.189038] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 20.189090] kthread+0x328/0x630 [ 20.189131] ret_from_fork+0x10/0x20 [ 20.189199] [ 20.189251] The buggy address belongs to the physical page: [ 20.189284] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107904 [ 20.189642] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 20.190005] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff) [ 20.190079] page_type: f8(unknown) [ 20.190119] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 20.190180] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 20.190227] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000 [ 20.190284] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 20.190331] head: 0bfffe0000000002 ffffc1ffc31e4101 00000000ffffffff 00000000ffffffff [ 20.190546] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 20.190897] page dumped because: kasan: bad access detected [ 20.190930] [ 20.191048] Memory state around the buggy address: [ 20.191087] fff00000c7903f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.191131] fff00000c7903f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.191229] >fff00000c7904000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.191500] ^ [ 20.191591] fff00000c7904080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.191658] fff00000c7904100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.191703] ==================================================================
[ 15.357677] ================================================================== [ 15.358288] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 15.358727] Read of size 1 at addr ffff888103aa8000 by task kunit_try_catch/251 [ 15.359078] [ 15.359212] CPU: 1 UID: 0 PID: 251 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary) [ 15.359267] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.359284] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.359311] Call Trace: [ 15.359328] <TASK> [ 15.359352] dump_stack_lvl+0x73/0xb0 [ 15.359442] print_report+0xd1/0x650 [ 15.359472] ? __virt_addr_valid+0x1db/0x2d0 [ 15.359499] ? mempool_uaf_helper+0x392/0x400 [ 15.359525] ? kasan_addr_to_slab+0x11/0xa0 [ 15.359548] ? mempool_uaf_helper+0x392/0x400 [ 15.359573] kasan_report+0x141/0x180 [ 15.359599] ? mempool_uaf_helper+0x392/0x400 [ 15.359629] __asan_report_load1_noabort+0x18/0x20 [ 15.359656] mempool_uaf_helper+0x392/0x400 [ 15.359681] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 15.359709] ? __kasan_check_write+0x18/0x20 [ 15.359730] ? __pfx_sched_clock_cpu+0x10/0x10 [ 15.359755] ? irqentry_exit+0x2a/0x60 [ 15.359781] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 15.359825] mempool_page_alloc_uaf+0xed/0x140 [ 15.359850] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 15.359878] ? __pfx_mempool_alloc_pages+0x10/0x10 [ 15.359902] ? __pfx_mempool_free_pages+0x10/0x10 [ 15.359925] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 15.359954] ? __pfx_mempool_page_alloc_uaf+0x10/0x10 [ 15.359983] kunit_try_run_case+0x1a5/0x480 [ 15.360011] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.360036] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 15.360063] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 15.360088] ? __kthread_parkme+0x82/0x180 [ 15.360111] ? preempt_count_sub+0x50/0x80 [ 15.360138] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.360164] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.360189] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 15.360215] kthread+0x337/0x6f0 [ 15.360237] ? trace_preempt_on+0x20/0xc0 [ 15.360264] ? __pfx_kthread+0x10/0x10 [ 15.360286] ? _raw_spin_unlock_irq+0x47/0x80 [ 15.360358] ? calculate_sigpending+0x7b/0xa0 [ 15.360385] ? __pfx_kthread+0x10/0x10 [ 15.360409] ret_from_fork+0x116/0x1d0 [ 15.360432] ? __pfx_kthread+0x10/0x10 [ 15.360455] ret_from_fork_asm+0x1a/0x30 [ 15.360489] </TASK> [ 15.360504] [ 15.373992] The buggy address belongs to the physical page: [ 15.374566] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103aa8 [ 15.374960] flags: 0x200000000000000(node=0|zone=2) [ 15.375690] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 [ 15.376027] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 15.377278] page dumped because: kasan: bad access detected [ 15.377568] [ 15.377677] Memory state around the buggy address: [ 15.377938] ffff888103aa7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.379043] ffff888103aa7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.379347] >ffff888103aa8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.379812] ^ [ 15.380070] ffff888103aa8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.380836] ffff888103aa8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.381736] ================================================================== [ 15.277854] ================================================================== [ 15.278767] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400 [ 15.279055] Read of size 1 at addr ffff888103aa8000 by task kunit_try_catch/247 [ 15.279323] [ 15.279435] CPU: 1 UID: 0 PID: 247 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary) [ 15.279489] Tainted: [B]=BAD_PAGE, [N]=TEST [ 15.279505] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.279532] Call Trace: [ 15.279549] <TASK> [ 15.279572] dump_stack_lvl+0x73/0xb0 [ 15.279608] print_report+0xd1/0x650 [ 15.279636] ? __virt_addr_valid+0x1db/0x2d0 [ 15.279664] ? mempool_uaf_helper+0x392/0x400 [ 15.279690] ? kasan_addr_to_slab+0x11/0xa0 [ 15.279714] ? mempool_uaf_helper+0x392/0x400 [ 15.279739] kasan_report+0x141/0x180 [ 15.279765] ? mempool_uaf_helper+0x392/0x400 [ 15.279810] __asan_report_load1_noabort+0x18/0x20 [ 15.279838] mempool_uaf_helper+0x392/0x400 [ 15.279864] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 15.279891] ? __kasan_check_write+0x18/0x20 [ 15.279914] ? __pfx_sched_clock_cpu+0x10/0x10 [ 15.279939] ? finish_task_switch.isra.0+0x153/0x700 [ 15.279969] mempool_kmalloc_large_uaf+0xef/0x140 [ 15.280067] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10 [ 15.280316] ? __pfx_mempool_kmalloc+0x10/0x10 [ 15.280350] ? __pfx_mempool_kfree+0x10/0x10 [ 15.280379] ? __pfx_read_tsc+0x10/0x10 [ 15.280758] ? ktime_get_ts64+0x86/0x230 [ 15.280833] kunit_try_run_case+0x1a5/0x480 [ 15.280877] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.280905] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 15.280934] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 15.281120] ? __kthread_parkme+0x82/0x180 [ 15.281168] ? preempt_count_sub+0x50/0x80 [ 15.281194] ? __pfx_kunit_try_run_case+0x10/0x10 [ 15.281221] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 15.281248] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 15.281274] kthread+0x337/0x6f0 [ 15.281296] ? trace_preempt_on+0x20/0xc0 [ 15.281325] ? __pfx_kthread+0x10/0x10 [ 15.281352] ? _raw_spin_unlock_irq+0x47/0x80 [ 15.281377] ? calculate_sigpending+0x7b/0xa0 [ 15.281405] ? __pfx_kthread+0x10/0x10 [ 15.281430] ret_from_fork+0x116/0x1d0 [ 15.281451] ? __pfx_kthread+0x10/0x10 [ 15.281475] ret_from_fork_asm+0x1a/0x30 [ 15.281511] </TASK> [ 15.281526] [ 15.297395] The buggy address belongs to the physical page: [ 15.298064] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103aa8 [ 15.298778] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 15.299530] flags: 0x200000000000040(head|node=0|zone=2) [ 15.299938] page_type: f8(unknown) [ 15.300432] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 15.300852] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 15.301563] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000 [ 15.302308] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000 [ 15.302865] head: 0200000000000002 ffffea00040eaa01 00000000ffffffff 00000000ffffffff [ 15.303722] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 15.304386] page dumped because: kasan: bad access detected [ 15.304673] [ 15.304778] Memory state around the buggy address: [ 15.304975] ffff888103aa7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.305328] ffff888103aa7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.305683] >ffff888103aa8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.306070] ^ [ 15.306470] ffff888103aa8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.306828] ffff888103aa8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 15.307204] ==================================================================