Date
July 12, 2025, 11:09 p.m.
Environment
qemu-arm64

```text
[ 18.450714] ==================================================================
[ 18.450808] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 18.450860] Read of size 1 at addr fff00000c79b4000 by task kunit_try_catch/229
[ 18.451257]
[ 18.451388] CPU: 1 UID: 0 PID: 229 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 18.451602] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.451630] Hardware name: linux,dummy-virt (DT)
[ 18.451661] Call trace:
[ 18.451684]  show_stack+0x20/0x38 (C)
[ 18.451734]  dump_stack_lvl+0x8c/0xd0
[ 18.451804]  print_report+0x118/0x5d0
[ 18.451987]  kasan_report+0xdc/0x128
[ 18.452039]  __asan_report_load1_noabort+0x20/0x30
[ 18.452092]  mempool_uaf_helper+0x314/0x340
[ 18.452190]  mempool_kmalloc_large_uaf+0xc4/0x120
[ 18.452260]  kunit_try_run_case+0x170/0x3f0
[ 18.452508]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.452579]  kthread+0x328/0x630
[ 18.452648]  ret_from_fork+0x10/0x20
[ 18.452709]
[ 18.452770] The buggy address belongs to the physical page:
[ 18.452816] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1079b4
[ 18.452931] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 18.452986] flags: 0xbfffe0000000040(head|node=0|zone=2|lastcpupid=0x1ffff)
[ 18.453140] page_type: f8(unknown)
[ 18.453339] raw: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 18.453540] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 18.453674] head: 0bfffe0000000040 0000000000000000 dead000000000122 0000000000000000
[ 18.453724] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 18.454037] head: 0bfffe0000000002 ffffc1ffc31e6d01 00000000ffffffff 00000000ffffffff
[ 18.454487] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 18.454599] page dumped because: kasan: bad access detected
[ 18.454632]
[ 18.454651] Memory state around the buggy address:
[ 18.454695]  fff00000c79b3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.454823]  fff00000c79b3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.454864] >fff00000c79b4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.454906]                    ^
[ 18.454935]  fff00000c79b4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.454978]  fff00000c79b4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.455017] ==================================================================
[ 18.545895] ==================================================================
[ 18.545977] BUG: KASAN: use-after-free in mempool_uaf_helper+0x314/0x340
[ 18.546049] Read of size 1 at addr fff00000c7918000 by task kunit_try_catch/233
[ 18.546100]
[ 18.546142] CPU: 0 UID: 0 PID: 233 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT
[ 18.546247] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 18.546273] Hardware name: linux,dummy-virt (DT)
[ 18.546308] Call trace:
[ 18.546331]  show_stack+0x20/0x38 (C)
[ 18.546384]  dump_stack_lvl+0x8c/0xd0
[ 18.546433]  print_report+0x118/0x5d0
[ 18.546480]  kasan_report+0xdc/0x128
[ 18.546525]  __asan_report_load1_noabort+0x20/0x30
[ 18.546575]  mempool_uaf_helper+0x314/0x340
[ 18.546620]  mempool_page_alloc_uaf+0xc0/0x118
[ 18.546666]  kunit_try_run_case+0x170/0x3f0
[ 18.546715]  kunit_generic_run_threadfn_adapter+0x88/0x100
[ 18.546768]  kthread+0x328/0x630
[ 18.546810]  ret_from_fork+0x10/0x20
[ 18.546858]
[ 18.546879] The buggy address belongs to the physical page:
[ 18.546914] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107918
[ 18.546973] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 18.547044] raw: 0bfffe0000000000 0000000000000000 dead000000000122 0000000000000000
[ 18.547096] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 18.547137] page dumped because: kasan: bad access detected
[ 18.547181]
[ 18.547198] Memory state around the buggy address:
[ 18.547329]  fff00000c7917f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.547382]  fff00000c7917f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.547426] >fff00000c7918000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.547465]                    ^
[ 18.547492]  fff00000c7918080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.547535]  fff00000c7918100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 18.547573] ==================================================================
```

Environment
qemu-x86_64

```text
[ 14.541251] ==================================================================
[ 14.541747] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.542239] Read of size 1 at addr ffff888103b3c000 by task kunit_try_catch/246
[ 14.542572]
[ 14.542687] CPU: 0 UID: 0 PID: 246 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.542740] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.542751] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.542773] Call Trace:
[ 14.542785]  <TASK>
[ 14.542800]  dump_stack_lvl+0x73/0xb0
[ 14.542844]  print_report+0xd1/0x610
[ 14.542867]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.542891]  ? mempool_uaf_helper+0x392/0x400
[ 14.542929]  ? kasan_addr_to_slab+0x11/0xa0
[ 14.542951]  ? mempool_uaf_helper+0x392/0x400
[ 14.542975]  kasan_report+0x141/0x180
[ 14.543137]  ? mempool_uaf_helper+0x392/0x400
[ 14.543168]  __asan_report_load1_noabort+0x18/0x20
[ 14.543207]  mempool_uaf_helper+0x392/0x400
[ 14.543231]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.543254]  ? update_load_avg+0x1be/0x21b0
[ 14.543289]  ? dequeue_entities+0x27e/0x1740
[ 14.543324]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.543351]  mempool_kmalloc_large_uaf+0xef/0x140
[ 14.543387]  ? __pfx_mempool_kmalloc_large_uaf+0x10/0x10
[ 14.543415]  ? __pfx_mempool_kmalloc+0x10/0x10
[ 14.543440]  ? __pfx_mempool_kfree+0x10/0x10
[ 14.543466]  ? __pfx_read_tsc+0x10/0x10
[ 14.543488]  ? ktime_get_ts64+0x86/0x230
[ 14.543513]  kunit_try_run_case+0x1a5/0x480
[ 14.543542]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.543568]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.543595]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.543619]  ? __kthread_parkme+0x82/0x180
[ 14.543642]  ? preempt_count_sub+0x50/0x80
[ 14.543667]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.543693]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.543718]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.543745]  kthread+0x337/0x6f0
[ 14.543764]  ? trace_preempt_on+0x20/0xc0
[ 14.543790]  ? __pfx_kthread+0x10/0x10
[ 14.543813]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.543835]  ? calculate_sigpending+0x7b/0xa0
[ 14.543861]  ? __pfx_kthread+0x10/0x10
[ 14.543883]  ret_from_fork+0x116/0x1d0
[ 14.543903]  ? __pfx_kthread+0x10/0x10
[ 14.543924]  ret_from_fork_asm+0x1a/0x30
[ 14.543954]  </TASK>
[ 14.543965]
[ 14.553660] The buggy address belongs to the physical page:
[ 14.553925] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103b3c
[ 14.554327] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 14.554724] flags: 0x200000000000040(head|node=0|zone=2)
[ 14.555283] page_type: f8(unknown)
[ 14.555540] raw: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 14.555806] raw: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 14.556327] head: 0200000000000040 0000000000000000 dead000000000122 0000000000000000
[ 14.556736] head: 0000000000000000 0000000000000000 00000001f8000000 0000000000000000
[ 14.557185] head: 0200000000000002 ffffea00040ecf01 00000000ffffffff 00000000ffffffff
[ 14.557561] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 14.557790] page dumped because: kasan: bad access detected
[ 14.558140]
[ 14.558236] Memory state around the buggy address:
[ 14.558468]  ffff888103b3bf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.558697]  ffff888103b3bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.558991] >ffff888103b3c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.559539]                    ^
[ 14.559711]  ffff888103b3c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.560111]  ffff888103b3c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.560436] ==================================================================
[ 14.598083] ==================================================================
[ 14.599488] BUG: KASAN: use-after-free in mempool_uaf_helper+0x392/0x400
[ 14.600248] Read of size 1 at addr ffff888102c04000 by task kunit_try_catch/250
[ 14.600783]
[ 14.600906] CPU: 1 UID: 0 PID: 250 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc5 #1 PREEMPT(voluntary)
[ 14.600953] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 14.600967] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 14.600989] Call Trace:
[ 14.601002]  <TASK>
[ 14.601018]  dump_stack_lvl+0x73/0xb0
[ 14.601050]  print_report+0xd1/0x610
[ 14.601073]  ? __virt_addr_valid+0x1db/0x2d0
[ 14.601098]  ? mempool_uaf_helper+0x392/0x400
[ 14.601122]  ? kasan_addr_to_slab+0x11/0xa0
[ 14.601143]  ? mempool_uaf_helper+0x392/0x400
[ 14.601165]  kasan_report+0x141/0x180
[ 14.601187]  ? mempool_uaf_helper+0x392/0x400
[ 14.601214]  __asan_report_load1_noabort+0x18/0x20
[ 14.601240]  mempool_uaf_helper+0x392/0x400
[ 14.601275]  ? __pfx_mempool_uaf_helper+0x10/0x10
[ 14.601463]  ? __kasan_check_write+0x18/0x20
[ 14.601485]  ? __pfx_sched_clock_cpu+0x10/0x10
[ 14.601510]  ? finish_task_switch.isra.0+0x153/0x700
[ 14.601538]  mempool_page_alloc_uaf+0xed/0x140
[ 14.601563]  ? __pfx_mempool_page_alloc_uaf+0x10/0x10
[ 14.601624]  ? __pfx_mempool_alloc_pages+0x10/0x10
[ 14.601652]  ? __pfx_mempool_free_pages+0x10/0x10
[ 14.601679]  ? __pfx_read_tsc+0x10/0x10
[ 14.601701]  ? ktime_get_ts64+0x86/0x230
[ 14.601727]  kunit_try_run_case+0x1a5/0x480
[ 14.601753]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.601777]  ? _raw_spin_lock_irqsave+0xa1/0x100
[ 14.601802]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[ 14.601827]  ? __kthread_parkme+0x82/0x180
[ 14.601849]  ? preempt_count_sub+0x50/0x80
[ 14.601872]  ? __pfx_kunit_try_run_case+0x10/0x10
[ 14.601896]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[ 14.601922]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[ 14.601948]  kthread+0x337/0x6f0
[ 14.601967]  ? trace_preempt_on+0x20/0xc0
[ 14.602003]  ? __pfx_kthread+0x10/0x10
[ 14.602025]  ? _raw_spin_unlock_irq+0x47/0x80
[ 14.602058]  ? calculate_sigpending+0x7b/0xa0
[ 14.602083]  ? __pfx_kthread+0x10/0x10
[ 14.602104]  ret_from_fork+0x116/0x1d0
[ 14.602123]  ? __pfx_kthread+0x10/0x10
[ 14.602144]  ret_from_fork_asm+0x1a/0x30
[ 14.602176]  </TASK>
[ 14.602187]
[ 14.614541] The buggy address belongs to the physical page:
[ 14.614806] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c04
[ 14.615693] flags: 0x200000000000000(node=0|zone=2)
[ 14.615914] raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
[ 14.616668] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 14.617029] page dumped because: kasan: bad access detected
[ 14.617281]
[ 14.617371] Memory state around the buggy address:
[ 14.617574]  ffff888102c03f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.617867]  ffff888102c03f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.618505] >ffff888102c04000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.618809]                    ^
[ 14.618961]  ffff888102c04080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.619794]  ffff888102c04100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 14.620100] ==================================================================
```