Date
July 6, 2025, 11:09 a.m.
Environment |
---|
qemu-arm64 |
qemu-x86_64 |
qemu-arm64:

```text
[ 20.231771] ==================================================================
[ 20.231845] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 20.231914] Read of size 1 at addr fff00000c78e0000 by task kunit_try_catch/233
[ 20.231964]
[ 20.232005] CPU: 1 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 20.232087] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 20.232114] Hardware name: linux,dummy-virt (DT)
[ 20.232148] Call trace:
[ 20.232173]  show_stack+0x20/0x38 (C)
[ 20.235737]  dump_stack_lvl+0x8c/0xd0
[ 20.236149]  print_report+0x118/0x608
[ 20.236540]  kasan_report+0xdc/0x128
[ 20.236773]  __asan_report_load1_noabort+0x20/0x30
[ 20.236954]  mempool_uaf_helper+0x314/0x340
[ 20.237186]  mempool_page_alloc_uaf+0xc0/0x118
[ 20.237254]  kunit_try_run_case+0x170/0x3f0
[ 20.237307]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.237361]  kthread+0x328/0x630
[ 20.237403]  ret_from_fork+0x10/0x20
[ 20.238727]
[ 20.239111] The buggy address belongs to the physical page:
[ 20.239171] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078e0
[ 20.239467] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 20.239541] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 20.239592] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 20.240142] page dumped because: kasan: bad access detected
[ 20.240703]
[ 20.240923] Memory state around the buggy address:
[ 20.241083]  fff00000c78dff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.241137]  fff00000c78dff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.241180] >fff00000c78e0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.241228]                    ^
[ 20.241257]  fff00000c78e0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.241969]  fff00000c78e0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.243689] ==================================================================
[ 20.158597] ==================================================================
[ 20.158655] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 20.158707] Read of size 1 at addr fff00000c78dc000 by task kunit_try_catch/229
[ 20.158754]
[ 20.158783] CPU: 1 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 20.158865] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 20.158891] Hardware name: linux,dummy-virt (DT)
[ 20.158922] Call trace:
[ 20.158945]  show_stack+0x20/0x38 (C)
[ 20.158992]  dump_stack_lvl+0x8c/0xd0
[ 20.159037]  print_report+0x118/0x608
[ 20.159083]  kasan_report+0xdc/0x128
[ 20.159127]  __asan_report_load1_noabort+0x20/0x30
[ 20.159207]  mempool_uaf_helper+0x314/0x340
[ 20.159262]  mempool_kmalloc_large_uaf+0xc4/0x120
[ 20.159434]  kunit_try_run_case+0x170/0x3f0
[ 20.159513]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.159568]  kthread+0x328/0x630
[ 20.159610]  ret_from_fork+0x10/0x20
[ 20.159663]
[ 20.159771] The buggy address belongs to the physical page:
[ 20.159933] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078dc
[ 20.160108] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 20.160243] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 20.160355] page_type: f8(unknown)
[ 20.160401] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 20.160578] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 20.160625] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 20.160673] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 20.160802] head: 0bfffe0000000002 ffffc1ffc31e3701 00000000ffffffff 00000000ffffffff
[ 20.161027] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 20.161068] page dumped because: kasan: bad access detected
[ 20.161765]
[ 20.161851] Memory state around the buggy address:
[ 20.161885]  fff00000c78dbf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.161929]  fff00000c78dbf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.161971] >fff00000c78dc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.162032]                    ^
[ 20.162060]  fff00000c78dc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.162101]  fff00000c78dc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.162139] ==================================================================
```
qemu-x86_64:

```text
[ 13.167481] ==================================================================
[ 13.167976] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 13.168314] Read of size 1 at addr ffff888103af0000 by task kunit_try_catch/246
[ 13.168700]
[ 13.168854] CPU: 1 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 13.168903] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.168917] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.168949] Call Trace:
[ 13.168963]  <TASK>
[ 13.168983]  dump_stack_lvl+0x73/0xb0
[ 13.169015]  print_report+0xd1/0x650
[ 13.169037]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.169063]  ? mempool_uaf_helper+0x392/0x400
[ 13.169087]  ? kasan_addr_to_slab+0x11/0xa0
[ 13.169119]  ? mempool_uaf_helper+0x392/0x400
[ 13.169141]  kasan_report+0x141/0x180
[ 13.169164]  ? mempool_uaf_helper+0x392/0x400
[ 13.169211]  __asan_report_load1_noabort+0x18/0x20
[ 13.169235]  mempool_uaf_helper+0x392/0x400
[ 13.169259]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 13.169296]  ? finish_task_switch.isra.0+0x153/0x700
[ 13.169324]  mempool_kmalloc_large_uaf+0xef/0x140
[ 13.169348]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 13.169377]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 13.169401]  ? __pfx_mempool_kfree+0x10/0x10
[ 13.169428]  ? __pfx_read_tsc+0x10/0x10
[ 13.169451]  ? ktime_get_ts64+0x86/0x230
[ 13.169474]  kunit_try_run_case+0x1a5/0x480
[ 13.169501]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.169523]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.169549]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.169573]  ? __kthread_parkme+0x82/0x180
[ 13.169595]  ? preempt_count_sub+0x50/0x80
[ 13.169626]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.169659]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.169682]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.169706]  kthread+0x337/0x6f0
[ 13.169737]  ? trace_preempt_on+0x20/0xc0
[ 13.169762]  ? __pfx_kthread+0x10/0x10
[ 13.169783]  ? _raw_spin_unlock_irq+0x47/0x80
[ 13.169805]  ? calculate_sigpending+0x7b/0xa0
[ 13.169829]  ? __pfx_kthread+0x10/0x10
[ 13.169851]  ret_from_fork+0x116/0x1d0
[ 13.169871]  ? __pfx_kthread+0x10/0x10
[ 13.169892]  ret_from_fork_asm+0x1a/0x30
[ 13.169923]  </TASK>
[ 13.169945]
[ 13.178668] The buggy address belongs to the physical page:
[ 13.179181] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103af0
[ 13.179719] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 13.180008] flags: 0x200000000000040(head|node=0|zone=2)
[ 13.180342] page_type: f8(unknown)
[ 13.180696] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 13.180962] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 13.181591] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 13.181948] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 13.182357] head: 0200000000000002 ffffea00040ebc01 00000000ffffffff 00000000ffffffff
[ 13.182762] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 13.183005] page dumped because: kasan: bad access detected
[ 13.183579]
[ 13.183810] Memory state around the buggy address:
[ 13.184049]  ffff888103aeff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.184328]  ffff888103aeff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.184838] >ffff888103af0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.185149]                    ^
[ 13.185321]  ffff888103af0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.185762]  ffff888103af0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.186077] ==================================================================
[ 13.222651] ==================================================================
[ 13.223792] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 13.224608] Read of size 1 at addr ffff888103af0000 by task kunit_try_catch/250
[ 13.224851]
[ 13.224962] CPU: 1 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 13.225009] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.225022] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.225045] Call Trace:
[ 13.225067]  <TASK>
[ 13.225087]  dump_stack_lvl+0x73/0xb0
[ 13.225121]  print_report+0xd1/0x650
[ 13.225145]  ? __virt_addr_valid+0x1db/0x2d0
[ 13.225170]  ? mempool_uaf_helper+0x392/0x400
[ 13.225193]  ? kasan_addr_to_slab+0x11/0xa0
[ 13.225215]  ? mempool_uaf_helper+0x392/0x400
[ 13.225237]  kasan_report+0x141/0x180
[ 13.225260]  ? mempool_uaf_helper+0x392/0x400
[ 13.225287]  __asan_report_load1_noabort+0x18/0x20
[ 13.225312]  mempool_uaf_helper+0x392/0x400
[ 13.225335]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 13.225359]  ? __kasan_check_write+0x18/0x20
[ 13.225380]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 13.225403]  ? finish_task_switch.isra.0+0x153/0x700
[ 13.225429]  mempool_page_alloc_uaf+0xed/0x140
[ 13.225453]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 13.225479]  ? __pfx_mempool_alloc_pages+0x10/0x10
[ 13.225501]  ? __pfx_mempool_free_pages+0x10/0x10
[ 13.225523]  ? __pfx_read_tsc+0x10/0x10
[ 13.225545]  ? ktime_get_ts64+0x86/0x230
[ 13.225570]  kunit_try_run_case+0x1a5/0x480
[ 13.225596]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.225618]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.225644]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.225668]  ? __kthread_parkme+0x82/0x180
[ 13.225691]  ? preempt_count_sub+0x50/0x80
[ 13.225714]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.225738]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.225761]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.225784]  kthread+0x337/0x6f0
[ 13.225804]  ? trace_preempt_on+0x20/0xc0
[ 13.225829]  ? __pfx_kthread+0x10/0x10
[ 13.225850]  ? _raw_spin_unlock_irq+0x47/0x80
[ 13.225872]  ? calculate_sigpending+0x7b/0xa0
[ 13.225896]  ? __pfx_kthread+0x10/0x10
[ 13.225918]  ret_from_fork+0x116/0x1d0
[ 13.225947]  ? __pfx_kthread+0x10/0x10
[ 13.225968]  ret_from_fork_asm+0x1a/0x30
[ 13.225999]  </TASK>
[ 13.226012]
[ 13.240070] The buggy address belongs to the physical page:
[ 13.240703] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103af0
[ 13.241254] flags: 0x200000000000000(node=0|zone=2)
[ 13.241442] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 13.242226] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 13.242893] page dumped because: kasan: bad access detected
[ 13.243579]
[ 13.243660] Memory state around the buggy address:
[ 13.243822]  ffff888103aeff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.244319]  ffff888103aeff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.245041] >ffff888103af0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.245745]                    ^
[ 13.246028]  ffff888103af0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.246249]  ffff888103af0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.246602] ==================================================================
```