Date: July 2, 2025, 11:09 p.m.
Environment: qemu-arm64

```
[ 20.176672] ==================================================================
[ 20.176766] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 20.176912] Read of size 1 at addr fff00000c7938000 by task kunit_try_catch/233
[ 20.176972]
[ 20.177013] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 20.177376] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 20.177459] Hardware name: linux,dummy-virt (DT)
[ 20.177593] Call trace:
[ 20.177648] show_stack+0x20/0x38 (C)
[ 20.177977] dump_stack_lvl+0x8c/0xd0
[ 20.178147] print_report+0x118/0x608
[ 20.178251] kasan_report+0xdc/0x128
[ 20.178398] __asan_report_load1_noabort+0x20/0x30
[ 20.178529] mempool_uaf_helper+0x314/0x340
[ 20.178737] mempool_page_alloc_uaf+0xc0/0x118
[ 20.178929] kunit_try_run_case+0x170/0x3f0
[ 20.179087] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.179184] kthread+0x328/0x630
[ 20.179760] ret_from_fork+0x10/0x20
[ 20.179870]
[ 20.179921] The buggy address belongs to the physical page:
[ 20.179986] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107938
[ 20.180122] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 20.180237] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 20.180296] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 20.180344] page dumped because: kasan: bad access detected
[ 20.180384]
[ 20.180403] Memory state around the buggy address:
[ 20.180447] fff00000c7937f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.180496] fff00000c7937f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.180542] >fff00000c7938000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.180591] ^
[ 20.180627] fff00000c7938080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.180679] fff00000c7938100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.180989] ==================================================================
[ 20.117497] ==================================================================
[ 20.117730] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 20.117917] Read of size 1 at addr fff00000c7934000 by task kunit_try_catch/229
[ 20.117970]
[ 20.118007] CPU: 0 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT
[ 20.118100] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 20.118128] Hardware name: linux,dummy-virt (DT)
[ 20.118444] Call trace:
[ 20.118564] show_stack+0x20/0x38 (C)
[ 20.118654] dump_stack_lvl+0x8c/0xd0
[ 20.118714] print_report+0x118/0x608
[ 20.118761] kasan_report+0xdc/0x128
[ 20.119076] __asan_report_load1_noabort+0x20/0x30
[ 20.119153] mempool_uaf_helper+0x314/0x340
[ 20.119447] mempool_kmalloc_large_uaf+0xc4/0x120
[ 20.119599] kunit_try_run_case+0x170/0x3f0
[ 20.119653] kunit_generic_run_threadfn_adapter+0x88/0x100
[ 20.119713] kthread+0x328/0x630
[ 20.119757] ret_from_fork+0x10/0x20
[ 20.120033]
[ 20.120193] The buggy address belongs to the physical page:
[ 20.120239] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107934
[ 20.120487] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 20.120558] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 20.120627] page_type: f8(unknown)
[ 20.120886] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 20.121153] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 20.121227] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 20.121439] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 20.121535] head: 0bfffe0000000002 ffffc1ffc31e4d01 00000000ffffffff 00000000ffffffff
[ 20.121718] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 20.121988] page dumped because: kasan: bad access detected
[ 20.122174]
[ 20.122249] Memory state around the buggy address:
[ 20.122285] fff00000c7933f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.122330] fff00000c7933f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.122374] >fff00000c7934000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.122413] ^
[ 20.122452] fff00000c7934080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.122494] fff00000c7934100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 20.122543] ==================================================================
```

Environment: qemu-x86_64

```
[ 12.956406] ==================================================================
[ 12.957305] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 12.957970] Read of size 1 at addr ffff8881039f4000 by task kunit_try_catch/248
[ 12.958430]
[ 12.958689] CPU: 0 UID: 0 PID: 248 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 12.958740] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 12.958766] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 12.958788] Call Trace:
[ 12.958802] <TASK>
[ 12.958819] dump_stack_lvl+0x73/0xb0
[ 12.958852] print_report+0xd1/0x650
[ 12.958875] ? __virt_addr_valid+0x1db/0x2d0
[ 12.958900] ? mempool_uaf_helper+0x392/0x400
[ 12.958922] ? kasan_addr_to_slab+0x11/0xa0
[ 12.958941] ? mempool_uaf_helper+0x392/0x400
[ 12.958962] kasan_report+0x141/0x180
[ 12.958984] ? mempool_uaf_helper+0x392/0x400
[ 12.959011] __asan_report_load1_noabort+0x18/0x20
[ 12.959035] mempool_uaf_helper+0x392/0x400
[ 12.959057] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 12.959080] ? __kasan_check_write+0x18/0x20
[ 12.959099] ? __pfx_sched_clock_cpu+0x10/0x10
[ 12.959121] ? finish_task_switch.isra.0+0x153/0x700
[ 12.959147] mempool_kmalloc_large_uaf+0xef/0x140
[ 12.959169] ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 12.959194] ? __pfx_mempool_kmalloc+0x10/0x10
[ 12.959218] ? __pfx_mempool_kfree+0x10/0x10
[ 12.959242] ? __pfx_read_tsc+0x10/0x10
[ 12.959263] ? ktime_get_ts64+0x86/0x230
[ 12.959288] kunit_try_run_case+0x1a5/0x480
[ 12.959315] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.959335] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 12.959359] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 12.959393] ? __kthread_parkme+0x82/0x180
[ 12.959414] ? preempt_count_sub+0x50/0x80
[ 12.959436] ? __pfx_kunit_try_run_case+0x10/0x10
[ 12.959459] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 12.959481] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 12.959505] kthread+0x337/0x6f0
[ 12.959523] ? trace_preempt_on+0x20/0xc0
[ 12.959547] ? __pfx_kthread+0x10/0x10
[ 12.959567] ? _raw_spin_unlock_irq+0x47/0x80
[ 12.959597] ? calculate_sigpending+0x7b/0xa0
[ 12.959622] ? __pfx_kthread+0x10/0x10
[ 12.959642] ret_from_fork+0x116/0x1d0
[ 12.959660] ? __pfx_kthread+0x10/0x10
[ 12.959686] ret_from_fork_asm+0x1a/0x30
[ 12.959717] </TASK>
[ 12.959729]
[ 12.974054] The buggy address belongs to the physical page:
[ 12.974249] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039f4
[ 12.974507] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 12.974750] flags: 0x200000000000040(head|node=0|zone=2)
[ 12.974956] page_type: f8(unknown)
[ 12.975088] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 12.975320] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 12.975589] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 12.976219] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 12.976769] head: 0200000000000002 ffffea00040e7d01 00000000ffffffff 00000000ffffffff
[ 12.977344] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 12.977640] page dumped because: kasan: bad access detected
[ 12.978160]
[ 12.978315] Memory state around the buggy address:
[ 12.978764] ffff8881039f3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.979521] ffff8881039f3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.979901] >ffff8881039f4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.980509] ^
[ 12.980993] ffff8881039f4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.981395] ffff8881039f4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 12.981670] ==================================================================
[ 13.027113] ==================================================================
[ 13.027687] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 13.028682] Read of size 1 at addr ffff8881039f4000 by task kunit_try_catch/252
[ 13.029348]
[ 13.029507] CPU: 0 UID: 0 PID: 252 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc4 #1 PREEMPT(voluntary)
[ 13.029712] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 13.029728] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 13.029805] Call Trace:
[ 13.029820] <TASK>
[ 13.029840] dump_stack_lvl+0x73/0xb0
[ 13.029873] print_report+0xd1/0x650
[ 13.029898] ? __virt_addr_valid+0x1db/0x2d0
[ 13.029922] ? mempool_uaf_helper+0x392/0x400
[ 13.029945] ? kasan_addr_to_slab+0x11/0xa0
[ 13.029966] ? mempool_uaf_helper+0x392/0x400
[ 13.029989] kasan_report+0x141/0x180
[ 13.030011] ? mempool_uaf_helper+0x392/0x400
[ 13.030038] __asan_report_load1_noabort+0x18/0x20
[ 13.030062] mempool_uaf_helper+0x392/0x400
[ 13.030084] ? __pfx_mempool_uaf_helper+0x10/0x10
[ 13.030107] ? __kasan_check_write+0x18/0x20
[ 13.030127] ? __pfx_sched_clock_cpu+0x10/0x10
[ 13.030150] ? finish_task_switch.isra.0+0x153/0x700
[ 13.030176] mempool_page_alloc_uaf+0xed/0x140
[ 13.030198] ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 13.030224] ? __pfx_mempool_alloc_pages+0x10/0x10
[ 13.030245] ? __pfx_mempool_free_pages+0x10/0x10
[ 13.030266] ? __pfx_read_tsc+0x10/0x10
[ 13.030287] ? ktime_get_ts64+0x86/0x230
[ 13.030311] kunit_try_run_case+0x1a5/0x480
[ 13.030336] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.030358] ? _raw_spin_lock_irqsave+0xa1/0x100
[ 13.030393] ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 13.030415] ? __kthread_parkme+0x82/0x180
[ 13.030436] ? preempt_count_sub+0x50/0x80
[ 13.030459] ? __pfx_kunit_try_run_case+0x10/0x10
[ 13.030482] kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 13.030504] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 13.030527] kthread+0x337/0x6f0
[ 13.030546] ? trace_preempt_on+0x20/0xc0
[ 13.030580] ? __pfx_kthread+0x10/0x10
[ 13.030602] ? _raw_spin_unlock_irq+0x47/0x80
[ 13.030622] ? calculate_sigpending+0x7b/0xa0
[ 13.030645] ? __pfx_kthread+0x10/0x10
[ 13.030666] ret_from_fork+0x116/0x1d0
[ 13.030684] ? __pfx_kthread+0x10/0x10
[ 13.030704] ret_from_fork_asm+0x1a/0x30
[ 13.030734] </TASK>
[ 13.030745]
[ 13.043325] The buggy address belongs to the physical page:
[ 13.043793] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1039f4
[ 13.044162] flags: 0x200000000000000(node=0|zone=2)
[ 13.044425] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 13.045041] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 13.045446] page dumped because: kasan: bad access detected
[ 13.045895]
[ 13.046094] Memory state around the buggy address:
[ 13.046377] ffff8881039f3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.046987] ffff8881039f3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.047280] >ffff8881039f4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.047615] ^
[ 13.047982] ffff8881039f4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.048307] ffff8881039f4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 13.048916] ==================================================================
```